apereo / dotnet-cas-client

Apereo .NET CAS Client
Apache License 2.0

Gateway with sign in button on site #70

Closed satnamsarai closed 4 years ago

satnamsarai commented 7 years ago

We would like to log in the user automatically if the user is already logged into one of our other sites. If not, then show a login button on the page and perform login via a redirect to CAS. We have a sign-in button on the landing page which redirects the user to the CAS logon (without the gateway flag). CAS logon works, but when the CAS .NET client tries to validate the service ticket it encounters an error that the service ticket URL and site URL do not match. The CAS .NET client assumes that we are using the gateway flag and adds gatewayResponse="true" to the URL, which does not match the CAS service ticket. Can the CAS client be modified to add this function?

phantomtypist commented 7 years ago

@satnamsarai forgive me, but I'm not sure I fully understand. ¯\_(ツ)_/¯

Is there any way you could explain the problem and solution a bit more in-depth... or submit a PR with the solution and then comment here describing the solution implemented in the PR?

If you submit a PR, please try to keep in mind backwards compatibility (i.e. no breaking changes with existing configurations and expected behavior.)

TheHokieCoder commented 7 years ago

@satnamsarai I am with @phantomtypist here. The ideal mode of operation that you want IS doable, as I have several separate web applications that all share a CAS session via one CAS server. So my guess is that you are simply experiencing a misconfiguration error, OR we are misunderstanding your setup. More details will most certainly help.

In my setups, all applications point to the same CAS server address with very similar configs for the DotNetCasClient. The only thing that really changes between the applications is the serverName attribute.

It would help if you could share at least two examples of portions of your config files (just the casClientConfig and forms elements), and feel free to substitute in dummy URLs to keep your real application URLs out of public view. Hopefully this will help us determine where the source of your errors is.

satnamsarai commented 7 years ago

We want users to log in automatically if they are already logged into one of our other sites (without clicking an extra sign-in button). We can do this by setting the gateway flag to true. However, if the user is not logged in, then we want to show a page with publicly accessible information and a sign-in button (the user will choose to log in to get private information). We tried the following:

(1) User goes to app

(2) CAS .NET client redirects to CAS with gateway flag = true

(3) CAS returns a service ticket if the user is already logged in (returns ST and proceeds to login; this works as expected); if the user is not logged in, returns without an ST

(4) Return to application, show login button on page with other public information; user is only required to log in to get private information.

(5) If user clicks on sign-in button

(6) Call DotNetCasClient.CasAuthentication.RedirectToLoginPage(), which calls https://cas.example.com/login?service=url (without gateway flag)

(7) CAS presents login form

(8) After successful login, CAS issues ST-123456789 to application.

(9) Application tries to validate service ticket with url + gatewayResponse="true"

(10) CAS issued the ST to just the URL with gatewayResponse="true". I tried creating a cookie to keep track of whether the call was made using the gateway flag or not. However, we had a few issues. Is there any other way to do this?

web.config:

```xml
<casClientConfig
  casServerLoginUrl="https://test:8443/login"
  casServerUrlPrefix="https://test:8443/"
  serverName="https://localhost:44300/"
  notAuthorizedUrl="~/NotAuthorized"
  cookiesRequiredUrl="~/CookiesRequired"
  redirectAfterValidation="true"
  renew="false"
  singleSignOut="true"
  gateway="true"
  ticketValidatorName="Cas20"
  proxyTicketManager=""
  serviceTicketManager="DotNetCasClient.State.DBServiceTicketManager,DotNetCasClient" />
```

Let me know if you need more information.

Thanks, Satnam
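To make the mismatch in steps (8)-(10) concrete, here is an added toy model of the CAS 2.0 ticket rules (not code from dotnet-cas-client or the CAS server): a service ticket is single-use and bound to the exact service URL it was issued for, so validating with `gatewayResponse=true` appended to a URL that was requested without it is rejected. The server class, `reproduce_issue()`, the ticket ids and the `localhost:44300` URL are all constructed for this example.

```python
import secrets
from urllib.parse import urlencode


class ToyCasServer:
    """Toy CAS 2.0 server: an SSO session table plus service tickets bound to one URL."""
    def __init__(self):
        self.sso_sessions = {}  # TGT -> username
        self.tickets = {}       # ST -> the exact service URL it was issued for

    def login(self, service, tgt=None, gateway=False, credentials=None):
        """Model of /login; returns the URL the browser is redirected to next."""
        if tgt in self.sso_sessions:            # SSO session from another app: no form
            return self._issue(service, tgt)
        if gateway:                             # gateway=true: never show the form,
            return service                      # send the browser back without an ST
        if credentials is None:
            return "LOGIN_FORM"                 # step (7): CAS presents the login form
        tgt = "TGT-" + secrets.token_hex(8)     # step (8): successful login
        self.sso_sessions[tgt] = credentials[0]
        return self._issue(service, tgt)

    def _issue(self, service, tgt):
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = service              # the ST is bound to this exact string
        return service + ("&" if "?" in service else "?") + urlencode({"ticket": st})

    def service_validate(self, service, ticket):
        """Model of /serviceValidate: one-time ticket, service URL must match exactly."""
        return self.tickets.pop(ticket, None) == service


def ticket_from(redirect_url):
    return redirect_url.rsplit("ticket=", 1)[1]


def reproduce_issue(app="https://localhost:44300/"):
    """Replays steps (2)-(10) of the thread; every key should come back True."""
    cas = ToyCasServer()
    gw_app = app + "?gatewayResponse=true"      # URL the .NET client uses in gateway mode
    # (2)-(4): gateway redirect with no SSO session comes straight back, no ticket
    no_ticket = cas.login(gw_app, gateway=True) == gw_app
    # (6)-(8): sign-in button redirects WITHOUT gateway; ST is bound to the plain URL
    st = ticket_from(cas.login(app, credentials=("satnam", "pw")))
    tgt = next(iter(cas.sso_sessions))
    # (9)-(10): client validates with gatewayResponse=true appended -> rejected
    mismatch_rejected = not cas.service_validate(gw_app, st)
    exact_ok = cas.service_validate(app, ticket_from(cas.login(app, tgt=tgt)))  # exact URL works
    # (2)-(3) again, now with an SSO session: gateway hands back an ST transparently
    gw_ok = cas.service_validate(gw_app, ticket_from(cas.login(gw_app, tgt=tgt, gateway=True)))
    return {"gateway_no_session": no_ticket, "mismatch_rejected": mismatch_rejected,
            "exact_url_accepted": exact_ok, "gateway_with_session": gw_ok}
```

The defender-side takeaway is that the service URL binding is a feature, not a bug: the client must validate with the same service string it sent to /login, so a gateway round-trip and a plain sign-in redirect cannot share one validation URL.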

TheHokieCoder commented 7 years ago

@satnamsarai Have you tried your configuration with gateway=false? The mode of operation between your applications and CAS that you described should not need the gateway feature, as far as I understand it. I accomplish what you are wanting in my applications and I always have gateway=false.

I have never used it, but it seems that when operating in gateway mode, your application will never intend to have the CAS server directly authenticate the user. Instead, the application will use a CAS session initiated by another application or will use some other indirect method to authenticate the user and establish a service ticket. If my understanding of the gateway mode is correct, then this is NOT what you are looking for in your setup. With gateway=false, you can have the workflow illustrated in the CAS protocol documentation. Note how the SSO session with the CAS server is used to create a new service ticket for the second application, and all of that happens transparently to the user.

Now, you will need to have a "login" page in each application that allows anonymous access in order to implement the login button feature you describe. On page load, a check can be performed to see if the user is already authenticated, and if so, redirect them to the access-controlled portion of your application(s). If they are unauthenticated, show them your public information and allow them to click on the login button, which would redirect them to the access-controlled portion of your application(s), forcing the CAS authentication to take place.

satnamsarai commented 7 years ago

@TheHokieCoder Yes, we are currently using gateway=false. With this option the user needs to click the sign-in button to log in even when they are already logged into another site. We are not sure how to automatically log users in if they are logged into another site (if we force DotNetCasClient.CasAuthentication.RedirectToLoginPage(), then the user is forced to log in). If they are not logged in, then we still want to display the public page without having them log in. Is there a way to check authentication status without forcing login?

TheHokieCoder commented 7 years ago

Ahh, I see what you mean. I was confusing the CAS SSO authentication with the .NET forms authentication, but I now see your predicament. I am not sure if that is possible, and if so, how to configure it, so I will let one of the other devs chime in until I can find the time to look through the code and see how it may be accomplished. Sorry for the confusion!

phantomtypist commented 7 years ago

I think I get it now. Let me think about the whole thing this weekend when I have more time to digest it.

satnamsarai commented 7 years ago

Thanks for the follow-up. It is not a major issue; the user just needs to click the button to trigger login, but it would be nice if we could do it automatically.