Marvin,

Dealing with warn before generating the service ticket (or other service 
response in lieu of service ticket) is desirable anyway so as to delay starting 
the clock on service ticket expiration until after the warn interstitial screen 
is dismissed.

As was discussed recently in another thread, "warn" is feeling questionable as 
a CAS feature at all at this point.  Many users are going to be ill-prepared to 
cope with what warn is trying to tell them and actually provide informed 
consent to authenticate to services.  "warn" dates from a time when most CAS 
configurations were wide open such that any service could use CAS for 
authentication and predates using service registries to manage which services 
may use CAS how.

So, you might solve this locally by eliminating the "warn" feature outright, 
and if that feels right, maybe it's a pattern to carry into the CAS server 
product by default.  If eliminating "warn" feels wrong enough, that's 
interesting too.

Andrew


On Jan 27, 2012, at 2:34 PM, Marvin Addison wrote:

> Based on my review of the implementation of GoogleAccountService and
> the warn workflow, it appears the two are simply incompatible.  The
> service ID of a Google service is the SAML2 Assertion Consumer Service
> (ACS), which is not a suitable target for a redirect in the warn view.
> The root problem is that the warn view assumes that the service will
> be accessed via GET with the ticket appended (via a link on the warn
> page), but that assumption does not hold for a SAML2 service such as
> Google Apps that sends a POST message.  Anyone want to confirm this
> analysis?  Is this new information?  I'd invite workarounds, but I
> simply don't see any.  The only solution I can imagine is rendering
> the warn view _before_ generation of the service response, which would
> allow proper behavior for all services.
> 
> M
> 
> -- 
> You are currently subscribed to cas-dev@lists.jasig.org as: ape...@unicon.net
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-dev

