Scott, I can replicate this. (at Thunderbird, 3 days ago we went live with CAS3.3.5, Google Apps, Moodle, and some internally developed web apps, all working off MS-AD accounts)
When I go to Gapps mail interface, with Firefox 3.5.7 with Javascript disabled, I get redirected to our CAS login page. The returned, hung page has an onload=submit() as follows, and thus you're dead in the water!

Johan
I&IT
Thunderbird School of Global Management
CAS @ https://login.thunderbird.edu

==================
"Hung" URL (shortened the saml request for readability):

https://login.thunderbird.edu/cas/login?SAMLRequest=fVLJbt....&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fglobal.t-bird.edu%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fglobal.t-bird.edu%252F%26bsv%3Dzpwhtygjntrz%26ltmpl%3Ddefault%26ltmplcache%3D2

HTML Content of above (saml keys somewhat shortened):

<html>
<body onload="document.acsForm.submit();">
<form name="acsForm" action="https://www.google.com/a/global.t-bird.edu/acs" method="post">
<div style="display: none">
<textarea rows=10 cols=80 name="SAMLResponse"><?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="iaakapbhfmfkngflfngoopdplmhgjaofhccjjala" IssueInstant="2010-01-14T16:12:45Z" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>m0mTxxyJj3cXrJjilwjpibB7zXk=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>t91KQtTk6eaXNNU3HGK8pJm7Ua9hbEn35eOhjqUh9v7SZ94wSg1ziEtYuJYqvYI889MNC7YLMjd4
fECJr4AOrzOfcEFEKgpBMi/SKcc+UgHuQUer9g==</SignatureValue>
    <KeyInfo><KeyValue><RSAKeyValue><Modulus>uWn6/TurLUy6W70rMIkcAfLNMr4/1Ra/ju7MgNi1kjL5VRkgCGQuozMH7/jKbzIDdQxnNrGaor8o VnYFblIaIq05ngKGcr1ulBPreUzXagpyTU2QLQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo>
  </Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
  <Assertion ID="pfjeimfgpknnnionmnhceanbpjnilphmalgmhgdo" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
    <Issuer>https://www.opensaml.org/IDP</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">[email protected]</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="lcphjmnkcimmdockldcfhaekkagokofkkpbkoemk" NotOnOrAfter="2011-01-14T16:12:45Z" Recipient="https://www.google.com/a/global.t-bird.edu/acs" /></SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2011-01-14T16:12:45Z"><AudienceRestriction><Audience>https://www.google.com/a/global.t-bird.edu/acs</Audience></AudienceRestriction></Conditions>
    <AuthnStatement AuthnInstant="2010-01-14T16:12:45Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement>
  </Assertion>
</samlp:Response>
</textarea>
<textarea rows=10 cols=80 name="RelayState">https://www.google.com/a/global.t-bird.edu/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fa%2Fglobal.t-bird.edu%2F&bsv=zpwhtygjntrz&ltmpl=default&ltmplcache=2</textarea>
</div>
</form>
</body>
</html>

----- Original Message -----
From: Scott Battaglia
To: [email protected]
Sent: Thursday, January 14, 2010 8:59 AM
Subject: Re: [cas-user] CAS 3.3.4 login fails when javascript is disabled

That doesn't make much sense because most apps don't use the JavaScript method for redirecting back.
Can you let me know what steps you've taken to repeat this? We have one user at RU that uses our Google Apps support so I can maybe ask him to try and execute the same steps you are.

Thanks
Scott

On Thu, Jan 14, 2010 at 10:12 AM, Curtis Garman <[email protected]> wrote:

I've got Google Apps configured with CAS and when I try to log in to a totally different app without JavaScript enabled, I get a white screen. Looking closer at the page source shows that it is part of a SAML request and it is failing because it is depending on an automatic form submission via JavaScript. It looks to me like the SAML stuff is being checked first, failing because of having JavaScript disabled, and thus causing all other authentications to halt. Is there any way around this or is this a side effect of having Google Apps configured?

--
Curtis Garman
Web Programmer
Heartland Community College

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
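
The page captured in this thread can only be submitted by its onload script, which is why it hangs when scripts are off. The sketch below is an added example, not part of the thread and not CAS code: it renders the same kind of POST form with a noscript submit button and escaped field values, and audits a page for a manual submit control. The names render_post_form, FormAudit, audit and as_parsed, the host sp.example and the sample values are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

def render_post_form(acs_url, saml_response, relay_state):
    """Auto-submitting POST form that still works with scripts disabled."""
    e = lambda v: html.escape(v, quote=True)  # '&' -> '&amp;', '"' -> '&quot;'
    return (
        '<html><body onload="document.acsForm.submit();">\n'
        f'<form name="acsForm" action="{e(acs_url)}" method="post">\n'
        f'<input type="hidden" name="SAMLResponse" value="{e(saml_response)}">\n'
        f'<input type="hidden" name="RelayState" value="{e(relay_state)}">\n'
        '<noscript><p>Scripts are disabled. Press Continue to finish signing in.</p>\n'
        '<input type="submit" value="Continue"></noscript>\n'
        '</form></body></html>')

class FormAudit(HTMLParser):
    """Records hidden fields and whether a user can submit the form by hand."""
    def __init__(self):
        super().__init__()
        self.hidden, self.manual_submit = {}, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = (a.get("type") or "").lower()
        if tag == "input" and kind == "hidden":
            self.hidden[a.get("name")] = a.get("value") or ""
        elif (tag, kind) in {("input", "submit"), ("input", "image"),
                             ("button", "submit"), ("button", "")}:
            self.manual_submit = True

def audit(page):
    parser = FormAudit()
    parser.feed(page)
    parser.close()
    return parser

def as_parsed(raw):  # how an HTML parser reads text placed unescaped in a page
    return html.unescape(raw)

# Constructed values; sp.example and the base64 string are placeholders.
RELAY = "https://sp.example/login?service=mail&ltmpl=default"
SCRIPT_ONLY = ('<html><body onload="document.acsForm.submit();">'
               '<form name="acsForm" action="https://sp.example/acs" method="post">'
               '<div style="display: none"><textarea name="RelayState">'
               + RELAY + '</textarea></div></form></body></html>')
FIXED = render_post_form("https://sp.example/acs", "PFJlc3BvbnNlLz4=", RELAY)

if __name__ == "__main__":
    print("script-only page, manual submit:", audit(SCRIPT_ONLY).manual_submit)
    print("fallback page, manual submit:", audit(FIXED).manual_submit)
    print("unescaped RelayState parses as:", as_parsed(RELAY))
```

The last line of output shows a second reason to escape field values: a raw `&ltmpl=` in element content is read as `<mpl=`, so an unescaped RelayState like the one in the capture does not survive parsing intact.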
