SSO + Local Authentication


Maxime Marty-Dessus

unread,
Mar 26, 2018, 11:14:48 AM
to CAS Community
Hello everybody :)

So here's my problem
I currently work on a login interface project for our application. The client wants to have two ways of logging in to our app:
  • Login via their CAS (we don't own this CAS)
  • Login via a "local" login/password, if, for instance, the client wants an external consultant to access the application without registering him in the CAS

We already managed to develop the interface. This is a simple webpage, where the client can either click on a "Connect" button, redirecting him to the CAS, or a "Local LogOn" button, which redirects him to a form to fill in with local credentials. In both cases, the user is redirected to our app and logged in with the correct credentials.


BUT the client doesn't want to click on the "Connect" button; he wants to be automatically redirected to our app if he is already connected to the CAS.

The problem is, if I automatically redirect him to the CAS, the user can't use the Local LogOn way because he will be blocked on the CAS.


Is there a way to query the CAS whether the user is already logged in, without redirecting him to it? Or another way to do the trick?


If you have any hint to solve this problem, it will be very much appreciated.


Thank you in advance for your future answers!

Ray Bon

unread,
Mar 26, 2018, 12:28:23 PM
to cas-...@apereo.org
Maxime,

If you are not able to modify CAS, you might be able to check the user's IP address.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Andy Ng

unread,
Mar 26, 2018, 9:33:25 PM
to CAS Community
Hello :)

If by "your app" you mean a web application, then I might be able to help you. (Even if you are implementing an Android / iOS app, this might also help you.)

A few months back, my colleague wanted to understand how to check whether the CAS login succeeded without actually showing the login page to the user (like your case).

So I wrote this simple one-page HTML + JavaScript demo to help my colleague implement the "check CAS" logic. (The page is at the bottom of this email.)

You might be able to reference this and understand how to implement such a check yourself.

Cheers,
- Andy

What you need:
- Your service ID (you should be able to ask your client to provide you this): https://example.client.com/check_cas
- Your destination CAS server: https://their.cas.server

A few things to note for this program:

- This page just acts as a demo; use it carefully and understand I am not responsible for any risk involved
- Since I have no rights for https://example.client.com/check_cas, this HTML was written without regard to the same origin policy, hence before running this script you need to disable the same origin policy (you may find this link useful: https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome)
  - Disabling the same origin policy might cause security concerns for your browser; make sure to only access this HTML page in the browser that has the same origin policy disabled
- Detailed usage of this page is contained inside the code (i.e. click on the Step 1 button, then click on the Step 2 button)
  - The time interval between clicking the first button and the second button should be less than 5 seconds
  - Ultimately, both step 1 and step 2 should be done via programs, hence the ticket timeout duration should not matter


index.html (The same as the attached file)

<html>
  <head>
    <title>Simple CAS Ticket Usage</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>

    <script type="text/javascript">
      // Allow easy access to a GET parameter of a URL (returns null if the parameter is absent)
      $.urlParam = function(url, name){
          var results = new RegExp('[?&]' + name + '=([^&#]*)').exec(url);
          if (results == null){
             return null;
          }
          else{
             // decodeURIComponent (rather than decodeURI) also decodes reserved characters such as %2F
             return decodeURIComponent(results[1]);
          }
      }
      // Allow easy access to a GET parameter end

      $(function(){
        var casUrl = "https://their.cas.server";
        var step1Url = casUrl+"/cas/login?service=http%3A%2F%2Fexample.client.com%2Fcheck_cas";
        var step2Url = casUrl+"/cas/p3/serviceValidate?service=http%3A%2F%2Fexample.client.com%2Fcheck_cas&ticket={{TICKET_INSERT_HERE}}";

        $("#step1Url").text(step1Url);
        $("#step2Url").text(step2Url);

        ///////////////////////////////////////// STEP 1 LOGIC
        // Load the CAS login URL (with our service) into the iframe. If the user already has a
        // CAS session, CAS redirects the iframe back to the service URL with ?ticket=ST-...
        $("#step1_checkCas").click(function(){
          document.getElementById('step1_iframe').src = step1Url;
        });

        // Reading contentWindow.location.href of a cross-origin frame only works because the
        // same origin policy has been disabled in the browser (see the notes above)
        $('#step1_iframe').on('load', function() {
          var step1FinalUrl = document.getElementById("step1_iframe").contentWindow.location.href;
          var ticket = $.urlParam(step1FinalUrl, 'ticket');
          $("#step1_finalUrl").val(step1FinalUrl);
          if(ticket == null){
            alert("User not logged in, please log the user in using the same browser");
            step2Url = casUrl+"/cas/p3/serviceValidate?service=http%3A%2F%2Fexample.client.com%2Fcheck_cas&ticket=" + "{{TICKET_INSERT_HERE}}";
          }else{
            $("#step1_Ticket").val(ticket);
            step2Url = casUrl+"/cas/p3/serviceValidate?service=http%3A%2F%2Fexample.client.com%2Fcheck_cas&ticket=" + ticket;
            $("#step2Url").text(step2Url);
          }
        });
        ///////////////////////////////////////// STEP 1 LOGIC ENDS

        ///////////////////////////////////////// STEP 2 LOGIC
        // Validate the ticket with CAS; the XML response carries the user id (and attributes)
        $("#step2_getUserInfo").click(function(){
          $.ajax({
              url: step2Url,
              type: "GET",
              dataType: "text",
              success: function(data) {
                console.log( "Step 2 Loaded: ", data );
                $("#step2_result").text(data);
              },
              error: function(xhr, status) {
                $("#step2_result").text("Step 2 failed: " + status);
              }
          });
        });
        ///////////////////////////////////////// STEP 2 LOGIC ENDS
      });
    </script>
  </head>

  <body>
    <p style="color:red;">Make sure to disable the same origin policy while using this HTML program</p>
    <p>For Chrome, you can open chrome.exe like this [chrome.exe --disable-web-security --user-data-dir="D:/Chrome"]</p>
    <p style="color:red;">Note: disabling the same origin policy has security concerns for your browser; please review this code first, and only use the "same origin policy disabled" browser for this page</p>
    <p>For more info, read this <a href="https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome">https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome</a> page</p>

    <h1>Step 1:</h1>
    <iframe id="step1_iframe" src="" style="height: 300px;width: 500px;"></iframe><br/>

    <button id="step1_checkCas">Step 1: Get Ticket </button> <br/>
    [Accessing: <span id="step1Url" style="color:blue;"></span>]<br/>
    Step 1 Final Url: <input id="step1_finalUrl" type="text" style="width: 700px;"/><br/>
    Step 1 Ticket: <input id="step1_Ticket" type="text" style="width: 700px;"/><br/>

    <h1>Step 2:</h1>
    <button id="step2_getUserInfo">Step 2: Get User Information (UID)</button> <br/>
    [Accessing: <span id="step2Url" style="color:blue;"></span>]<br/>
    Step 2 Results:<br/>

    <pre><code id="step2_result" class="xml">

    </code></pre>
  </body>
</html>

 
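As an added example (not from Andy's post, nor code from the CAS project), the same two-step check done from the application's own server in Node.js, so the browser's same origin policy never has to be disabled and the ticket is validated by the server rather than by page JavaScript. It goes beyond the thread in one respect: the login URL carries the CAS protocol's optional gateway=true parameter, which makes CAS redirect straight back to the service without showing a login form when there is no SSO session, so the app can then fall back to its local login form. CAS_URL and SERVICE_URL are placeholders and the two XML responses are constructed samples.

```javascript
// Added example (not from the original post): server-side CAS session check.
// CAS_URL / SERVICE_URL are placeholders; the XML responses below are constructed samples.
const CAS_URL = "https://their.cas.server/cas";
const SERVICE_URL = "https://example.client.com/check_cas";

// Step 1: URL to send the browser to. gateway=true (CAS protocol) means CAS shows no login
// form: it redirects back with ?ticket=ST-... if an SSO session exists, without one otherwise,
// so a user without a CAS session simply lands back on the app's page with the local login form.
function buildGatewayLoginUrl(casUrl, service) {
  const u = new URL(casUrl + "/login");
  u.searchParams.set("service", service);
  u.searchParams.set("gateway", "true");
  return u.toString();
}

// Service ticket from the URL CAS redirected back to (null if absent or not an ST).
function ticketFromReturnUrl(returnUrl) {
  const t = new URL(returnUrl).searchParams.get("ticket");
  return t && t.startsWith("ST-") ? t : null;
}

// Step 2: validation URL; the app server (not the browser) fetches this over HTTPS.
function buildValidateUrl(casUrl, service, ticket) {
  const u = new URL(casUrl + "/p3/serviceValidate");
  u.searchParams.set("service", service);
  u.searchParams.set("ticket", ticket);
  return u.toString();
}

// Parse the CAS 3.0 serviceValidate XML (dependency-free; reads the simple cas:* tags only).
// Anything without an explicit authenticationSuccess/cas:user is treated as a failure.
function parseValidateResponse(xml) {
  const fail = xml.match(/<cas:authenticationFailure\s+code="([^"]*)"/);
  if (fail) return { ok: false, code: fail[1] };
  const user = xml.match(/<cas:user>\s*([^<]+?)\s*<\/cas:user>/);
  if (!user) return { ok: false, code: "MALFORMED_RESPONSE" };
  const attributes = {};
  const block = xml.match(/<cas:attributes>([\s\S]*?)<\/cas:attributes>/);
  if (block) {
    for (const m of block[1].matchAll(/<cas:(\w+)>\s*([^<]*?)\s*<\/cas:\1>/g)) attributes[m[1]] = m[2];
  }
  return { ok: true, user: user[1], attributes };
}

// Constructed sample responses (not captured from a real CAS server).
const SAMPLE_OK = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess>' +
  '<cas:user>jdoe</cas:user><cas:attributes><cas:mail>jdoe@example.client.com</cas:mail></cas:attributes>' +
  '</cas:authenticationSuccess></cas:serviceResponse>';
const SAMPLE_FAIL = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationFailure ' +
  'code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure></cas:serviceResponse>';
```

The app's "Connect" handler redirects to buildGatewayLoginUrl(...); on return, a missing ticket means "show the local form", and a present ticket is only trusted after the server has fetched buildValidateUrl(...) and parseValidateResponse(...) reports ok.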

Man H

unread,
Mar 26, 2018, 11:40:03 PM
to cas-...@apereo.org
Try connectButton href <cas-url>/cas/login?service=<app-url>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/92235380-351b-460e-b3de-b78f9d4f99a7%40apereo.org.