Disable SSO session

Andrew Morgan morgan at orst.edu
Thu Jan 7 17:44:10 EST 2016


On Thu, 7 Jan 2016, Cantor, Scott wrote:

>> Hmmm, that's not the behavior I'm seeing here.
>
> It is, actually.
>
>> 10.214.121.42 - - [07/Jan/2016:11:28:44 -0800] "GET
>> /idp/profile/SAML2/Redirect/SSO?execution=e2s1 HTTP/1.1" 302 300
>> 10.214.121.42 - - [07/Jan/2016:11:28:44 -0800] "GET
>> /idp/Authn/RemoteUser?conversation=e2s1 HTTP/1.1" 302 301
>> 10.214.121.42 - - [07/Jan/2016:11:28:44 -0800] "GET
>> /idp/profile/SAML2/Redirect/SSO?execution=e2s1&_eventId_proceed=1
>> HTTP/1.1" 200 12199
>
> That redirect to /Authn/RemoteUser demonstrates that it's starting over 
> (from the IdP's PoV). You're confusing the CAS client's session with the 
> IdP.
>
> If the IdP was doing SSO, it would not pass control to a login-related 
> "sublocation", but just run straight through on the profile URL.

I looked at the HTTP calls with IDP sessions enabled or not, and I 
understand what you are saying now.  When there is an IDP session, the IDP 
does not redirect to the RemoteUser handler.  When the IDP session is 
disabled, the IDP redirects to the RemoteUser handler, but it picks up the 
CAS client's session and never redirects to CAS.

>
>> There is no redirection back through CAS in this case.  I notice that the
>> conversation variable incremented on the second attempt from "e1s1" to
>> "e2s1".
>
> CAS is an SSO system. The client would be expected to cache and remember a session.

Yep, you're right!  Apparently, I went through all of this before with IDP 
v2.4 but forgot about it:

   https://www.mail-archive.com/cas-user@lists.jasig.org/msg13105.html

I assumed I had v2.4 configured to delegate to CAS, but I guess not!  So 
at least there is no change when I upgraded to v3.2.  :)

I haven't figured out any way to configure the CAS client session yet.

 	Andy
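The distinction Scott draws above (an IdP that already holds an SSO session serves the profile URL directly, while one that does not bounces through the RemoteUser "sublocation" first) is visible in the IdP's access log alone. As an added illustration that is not part of this thread, the following Python script groups access-log requests by their Shibboleth flow id (the `eN` part of `execution=eNsM` / `conversation=eNsM`) and classifies each flow as IdP-side SSO reuse or a re-authentication hop via `/idp/Authn/RemoteUser`. The first three sample lines are the ones from the post re-joined onto single lines; the fourth is a constructed SSO-reuse case and is an assumption, not something shown in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample log. Lines 1-3 are re-joined from the wrapped lines in
# the post above; line 4 is an assumed IdP-session-present flow for contrast.
SAMPLE_LOG = """\
10.214.121.42 - - [07/Jan/2016:11:28:44 -0800] "GET /idp/profile/SAML2/Redirect/SSO?execution=e2s1 HTTP/1.1" 302 300
10.214.121.42 - - [07/Jan/2016:11:28:44 -0800] "GET /idp/Authn/RemoteUser?conversation=e2s1 HTTP/1.1" 302 301
10.214.121.42 - - [07/Jan/2016:11:28:44 -0800] "GET /idp/profile/SAML2/Redirect/SSO?execution=e2s1&_eventId_proceed=1 HTTP/1.1" 200 12199
10.214.121.42 - - [07/Jan/2016:11:31:02 -0800] "GET /idp/profile/SAML2/Redirect/SSO?execution=e3s1 HTTP/1.1" 200 12199
"""

# Common-log-format style: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# The profile URL carries execution=eNsM, the RemoteUser handler conversation=eNsM;
# both share the same "eN" flow id, so that is what we group on.
FLOW_ID_RE = re.compile(r'[?&](?:execution|conversation)=(e\d+)s\d+')

REMOTEUSER_PREFIX = "/idp/Authn/RemoteUser"
PROFILE_PREFIX = "/idp/profile/"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    fid = FLOW_ID_RE.search(rec["path"])
    rec["flow"] = fid.group(1) if fid else None
    return rec


def group_flows(log_text):
    """Group parsed requests by flow id, preserving first-seen order."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["flow"] is None:
            continue
        flows.setdefault(rec["flow"], []).append(rec)
    return flows


def classify_flows(log_text):
    """Map each flow id to 'idp_sso', 'reauth_via_remoteuser' or 'incomplete'.

    A hop to the RemoteUser handler means the IdP had no usable session and
    re-ran authentication (the CAS client session may still make that hop
    silent, which this log alone cannot distinguish). A flow that finishes
    with a 200 on the profile URL and never touched RemoteUser reused the
    IdP's own SSO session.
    """
    result = {}
    for flow, recs in group_flows(log_text).items():
        hit_remoteuser = any(r["path"].startswith(REMOTEUSER_PREFIX) for r in recs)
        completed = any(
            r["status"] == 200 and r["path"].startswith(PROFILE_PREFIX) for r in recs
        )
        if hit_remoteuser:
            result[flow] = "reauth_via_remoteuser"
        elif completed:
            result[flow] = "idp_sso"
        else:
            result[flow] = "incomplete"
    return result


def remoteuser_hops(log_text):
    """Count RemoteUser handler requests per flow (0 means no IdP-side re-auth)."""
    return {
        flow: sum(r["path"].startswith(REMOTEUSER_PREFIX) for r in recs)
        for flow, recs in group_flows(log_text).items()
    }


if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_LOG).items():
        print(f"{flow}: {verdict} (RemoteUser hops: {remoteuser_hops(SAMPLE_LOG)[flow]})")
```

Because an access log records only the request line and status, a 302 from the RemoteUser handler looks the same whether it went straight back to the profile URL (CAS client session present, as in the post) or out to the CAS server; telling those apart needs the Location header from a proxy or container log, which is exactly why the thread's reading of the 302 sequence depends on knowing that the CAS client, not the IdP, held the session.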

