Mandatory entry point before authentication


Julien Gribonvald

Apr 17, 2019, 2:42:54 PM
to CAS Community
Hi,

Is there a simple way to force a user to come from a service before
authenticating?

I mean that before accessing some services (not all), a user should come
from an entry point (a service on which he will be authenticated afterwards,
like a portal); if not, he should be redirected to this entry point.

If not, is it a thing to define a service policy from the service
management to do that? Or do you see a better way?

Thanks,

--
Julien Gribonvald

Ray Bon

Apr 17, 2019, 2:57:51 PM
to cas-...@apereo.org
Julien,

Check this setting:
cas.view.defaultRedirectUrl=https://${cas.server.name}/mypage

If a user goes to CAS first (without a service), they get redirected to defaultRedirectUrl.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

Pascal Rigaux

Apr 17, 2019, 3:39:28 PM
to cas-...@apereo.org
Hi,

I'm not sure it helps in your case, but we had a similar issue with
some applications:
- the application creates a session and stores information before going to CAS
- the application redirects to CAS, which asks for the password
- CAS redirects to the application
- the user clicks on the "back" button
- the CAS session is valid, so it goes back to the application again. In
some cases, the application is not happy to receive an expected ticket
[*]. And even if it works, the user wonders why "back" did not work

The solution we used:

- on CAS form asking for login&password, we added
  onsubmit="ignore_on_history_back()"

    function ignore_on_history_back() {
        // on back, do not autolog nor prompt, go back to the app
        try {
            window.history.replaceState({}, null,
                location.href.replace('/cas/login', '/cas/authentification-en-cours.html'));
        } catch (e) {}
    }

- we added a static page authentification-en-cours.html

    <script>
    var isForward = (history.state || {}).isForward;
    try {
        history.replaceState({ isForward: !isForward }, null, null);
    } catch (e) {}
    history.go(isForward ? 1 : -1);
    </script>
    Page temporaire d'authentification. Nous vous redirigeons vers la
    page précédente...

(cf https://cas.univ-paris1.fr/cas/authentification-en-cours.html)

[*] we have this issue with shibboleth-idp that is configured to
delegate to CAS

--
Pascal Rigaux
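
The back/forward behaviour of the workaround described above, modelled as an added example (not part of the original post or of CAS): a simplified session history in which landing on the interstitial page runs its inline script. The host names, the ticket value and the SessionHistory class are constructed for illustration.

```javascript
// Added example: minimal model of browser session history (constructed URLs).
const INTERSTITIAL = '/cas/authentification-en-cours.html';

class SessionHistory {
  constructor(url) { this.entries = [{ url, state: null }]; this.index = 0; }
  get current() { return this.entries[this.index]; }
  push(url) {                       // a normal navigation drops any forward entries
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push({ url, state: null });
    this.index += 1;
  }
  replaceState(state, url) {        // like history.replaceState(state, null, url)
    this.current.state = state;
    if (url) this.current.url = url;
  }
  traverse(delta) {                 // back/forward button or history.go(delta)
    const next = this.index + delta;
    if (next < 0 || next >= this.entries.length) return;
    this.index = next;
    if (this.current.url.includes(INTERSTITIAL)) this.runInterstitial();
  }
  runInterstitial() {               // the inline script of the static page
    const isForward = (this.current.state || {}).isForward;
    this.replaceState({ isForward: !isForward }, null);
    this.traverse(isForward ? 1 : -1);
  }
}

function simulateLogin() {
  const h = new SessionHistory('https://app.example.org/start');
  h.push('https://cas.example.org/cas/login?service=https%3A%2F%2Fapp.example.org%2F');
  // onsubmit handler: rewrite the login entry before the form is posted
  h.replaceState({}, h.current.url.replace('/cas/login', INTERSTITIAL));
  h.push('https://app.example.org/?ticket=ST-constructed');
  return h;
}

function walk() {
  const h = simulateLogin();
  const visited = [];
  for (const delta of [-1, 1, -1]) { // back, forward, back
    h.traverse(delta);
    visited.push(h.current.url);
  }
  return { visited, loginLeft: h.entries.some(e => e.url.includes('/cas/login')) };
}

console.log(walk());
```

In this model the user never comes to rest on the interstitial: each visit flips `isForward` and immediately continues in the direction of travel, and no `/cas/login` entry is left in the history to trigger a new login.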

Julien Gribonvald

Apr 25, 2019, 10:21:36 AM
to cas-...@apereo.org

Thanks Ray, but that's not exactly my use case.

Your use case admits that users can authenticate from any service; in my case I need them to come from one service to be able to authenticate. But your redirect is welcome!

Thanks

Julien

--
Julien Gribonvald