Maybe bypassSPNEGO could be set as a persistent cookie instead of as a request parameter. Can you access cookies through Spring Web Flow's externalContext? You could then provide a link somewhere on the CAS server's login page where your off-site users can click, which would run code to set the cookie. (You could also provide a way to clear the cookie, too.)
Nathan Kopp
Applications Strategist
Information Technology Group
Campus Crusade for Christ, Int'l
407-826-2939 Office | 407-484-8485 Mobile | 407-826-2968 Fax

-----Original Message-----
From: Arnaud Claden [mailto:[email protected]]
Sent: Friday, July 31, 2009 1:07 PM
To: [email protected]
Subject: RE : [cas-user] Multi-mode CAS

Hello Thomas :)

Thanks a lot for this tip; however, this requires that the users change the URL to access the application, which I'm not allowed to do.
However, this solution is great :)

Arnaud.

________________________________________
From: Healey, Thomas [[email protected]]
Sent: Thursday, July 30, 2009 16:10
To: [email protected]
Subject: RE: [cas-user] Multi-mode CAS

Arnaud,

You could try this addition to your login-webflow.xml, so users who are in offshore offices can use the URL:

https://<yourcasserver>/login?bypassSPNEGO=true&service=<your service name>

Also you can ask them to put the casserver (https://<yourcasserver>) in their INTERNET zone as a trusted server, as at least one of our users has done with some success.

Hope this helps.
Tom

<decision-state id="ticketGrantingTicketExistsCheck">
    <!-- An existing TGT means the user is already logged in: go straight to the service check -->
    <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="bypassSPNEGO" />
</decision-state>

<decision-state id="bypassSPNEGO">
    <!-- A non-empty bypassSPNEGO request parameter sends the user to the plain login form
         instead of starting the SPNEGO handshake; both halves of the test read the same parameter -->
    <if test="${externalContext.requestParameterMap['bypassSPNEGO'] != '' && externalContext.requestParameterMap['bypassSPNEGO'] != null}" then="viewLoginForm" else="gatewayRequestCheck" />
</decision-state>

<decision-state id="gatewayRequestCheck">
    <!-- gateway=true with a service: redirect back without prompting for credentials -->
    <if test="${externalContext.requestParameterMap['gateway'] != '' && externalContext.requestParameterMap['gateway'] != null && flowScope.service != null}" then="redirect" else="startAuthenticate" />
</decision-state>

<decision-state id="renewRequestCheck">
    <!-- renew=true forces re-authentication even though a TGT exists -->
    <if test="${externalContext.requestParameterMap['renew'] != '' && externalContext.requestParameterMap['renew'] != null}" then="startAuthenticate" else="generateServiceTicket" />
</decision-state>

> -----Original Message-----
> From: Arnaud Claden [mailto:[email protected]]
> Sent: Thursday, July 30, 2009 2:17 AM
> To: [email protected]
> Subject: RE : [cas-user] Multi-mode CAS
>
> Hello Heinz,
>
> Unfortunately, this is not possible as the URL of the casified web
> applications is the same for everyone, either from our internal network
> or from foreign offices, and we can't change it as it would mean
> changing all links on all workstations worldwide.
>
> @Michael:
> We can't do that either, as we don't have access to browsers'
> configuration.
>
> ________________________________________
> From: Heinz Drews [[email protected]]
> Sent: Wednesday, July 29, 2009 13:13
> To: [email protected]
> Subject: Re: [cas-user] Multi-mode CAS
>
> Hello Arnaud,
>
> IE only uses the SPNEGO/NTLM handshake to servers which are in the
> intranet zone.
>
> You could specify a DNS name which is seen as "foreign".
>
> Regards,
> Heinz
>
> On Wed, Jul 29, 2009 at 11:51, Arnaud Claden <[email protected]> wrote:
> > Hello everyone,
> >
> > I have a little problem with my implementation of CAS.
> >
> > I have tested the Active Directory SSO with SPNEGO: it works like a charm.
> > I have tested the fallback to LDAP: it works like a charm.
> >
> > The problem I have is the following:
> >
> > Some workstations are in offshore offices, which means they are not
> > connected to the Active Directory. For them, the LDAP fallback is the
> > solution. However, when Internet Explorer browses to a site with SSO,
> > it displays a domain logon window.
> > This is natural as these workstations have no security option
> > configured (and they are not intended to have these modifications).
> >
> > Is there a way to prevent this from happening?
> >
> > If there is none, we are implementing another CAS server for these
> > cases (a server only validating on LDAP), but how can I have it work
> > right, as the web applications are only configured for one CAS server,
> > and not two. Is there a way to check the browser's IP address and,
> > depending on it, send auth to SPNEGO or to LDAP?
> >
> > Thanks in advance for your answers.
> >
> > A. Claden
> >
> > --
> > You are currently subscribed to [email protected] as: [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
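Nathan's persistent-cookie idea combined with Tom's bypassSPNEGO parameter, as an added example that is not code from the thread or from CAS: a Spring Web Flow action that takes the place of the bypassSPNEGO decision-state. It assumes the Spring Web Flow 1.x API (ServletExternalContext.getRequest(), AbstractAction.yes()/no()); the class, bean and cookie names are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.context.servlet.ServletExternalContext;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;
// Added example (not CAS code); Spring Web Flow 1.x API and all names are assumptions.
// Wire it as <action-state id="bypassSPNEGO"> with <action bean="bypassSpnegoCookieAction"/>,
// <transition on="yes" to="viewLoginForm"/> and <transition on="no" to="gatewayRequestCheck"/>.
public class BypassSpnegoCookieAction extends AbstractAction {
    public static final String MARKER = "bypassSPNEGO";  // assumed parameter and cookie name

    protected Event doExecute(final RequestContext context) throws Exception {
        // SWF 1.x exposes the servlet request through ServletExternalContext.
        final HttpServletRequest request =
                ((ServletExternalContext) context.getExternalContext()).getRequest();
        // One-off override from Tom's suggestion: ?bypassSPNEGO=true on the login URL.
        if ("true".equals(request.getParameter(MARKER))) {
            return yes();
        }
        // Persistent override from Nathan's suggestion: a marker cookie.
        // getCookies() returns null, not an empty array, when the browser sent none.
        final Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (final Cookie c : cookies) {
                if (MARKER.equals(c.getName()) && "true".equals(c.getValue())) {
                    return yes();
                }
            }
        }
        return no();  // normal path: gateway check, then the SPNEGO handshake
    }

    /** Handler for the "I'm off-site" link: keep the marker for a year, HTTPS only. */
    public static void setMarker(final HttpServletResponse response, final String casPath) {
        final Cookie c = new Cookie(MARKER, "true");
        c.setPath(casPath);  // scope to the CAS context path, e.g. "/cas"
        c.setSecure(true);
        c.setMaxAge(365 * 24 * 60 * 60);
        response.addCookie(c);
    }

    /** Handler for the "clear" link: same name and path, zero max-age expires it. */
    public static void clearMarker(final HttpServletResponse response, final String casPath) {
        final Cookie c = new Cookie(MARKER, "");
        c.setPath(casPath);
        c.setMaxAge(0);
        response.addCookie(c);
    }
}
```

The marker carries no trust: a forged or stale cookie only skips the SPNEGO attempt and lands the user at the same LDAP login form the off-site users already use, so it changes which path is tried first, not the strength of authentication.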
