So you want to turn CAS into a SAML 2 SP? You'll need to follow this documentation:
https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html

On Thu, 2021-01-21 at 17:09 -0800, Yan Zhou wrote:
> Hi,
>
> Trying to implement this: people logged into their app (that does not
> use CAS) click a link in their webapp, which triggers a POST to the
> CAS /login endpoint with a SAML Assertion in the POST body. My CAS
> implementation will detect the payload and then follow a different
> route of validating SAML, etc. (the CAS login page does not show up;
> instead, we are validating the SAML Assertion). I thought the
> non-interactive type of login also comes in through the /login
> endpoint. Because we still want it to go through service validation,
> TGT/ST generation, etc., it has to go through the CAS login flow.
>
> But we noticed that such a POST made by another webapp to the /cas
> endpoint fails in FF and Chrome; it works in IE.
>
> CAS 5.3.x runs on Tomcat. The access logs show 403, but I do not see
> anything in the CAS or Tomcat logs (after turning on DEBUG). My guess
> is there is some kind of CSRF-type protection in CAS preventing such a
> POST? I placed "executionKey" in the form post, which made no
> difference, still 403.
>
> How would such a non-interactive flow work? If CAS indeed has
> something preventing such a POST, why does IE work, and what is that?
>
> Thanks,
> Yan
>
> On Thursday, January 21, 2021 at 7:09:35 PM UTC-5 richard.frovarp wrote:
> > Why are you trying to POST to the login URL? It looks like this
> > isn't the POST from the login page? What do the CAS logs say?
> >
> > On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> > > Hello,
> > >
> > > I am using CAS 5.3.X, but I think the same would apply to CAS 4
> > > or CAS 5.
> > >
> > > <form method="POST"
> > >       action="https://.....MyCASEndPoint,,,,,,>/cas/login">
> > >   <input type="submit" name="submit" value="submit">
> > > </form>
> > >
> > > In the browser, when I submit this form, I get 403.
> > >
> > > But when I use Postman, it returns the CAS login page.
> > >
> > > I do not understand why in the browser (FF and Chrome) I am getting
> > > 403. Is that because of CSRF? I tried to put in "execution" as a
> > > hidden value, but that did not help.
> > >
> > > Why does Postman return a different result than Chrome/FF?
> > >
> > > Thanks,
> > > Yan

You received this message because you are subscribed to the Google Groups "CAS Community" group. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b96028c548f64cb999893535a69aff01b7b5aa0d.camel%40ndsu.edu.
