Voila! Turns out the application is using the ISAPI filter. Here are the notes for the ISAPI filter on the CAS site: https://wiki.jasig.org/display/CASC/ISAPI+Filter
In the bullet list of gotchas, #1 is: "The filter will not work for an initial authentication request with request parameters." Thanks for your time, but it looks like the problem is a known issue with that code, and I've encouraged them to use one of the official CAS clients. Tim On 2012/06/22 10:49 AM, "Tim McLaughlin" <[email protected]> wrote: >Still waiting for an answer on the CAS client they're using, but I did >notice that the UserAgent info for the serviceValidate requests is like >so: >"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" > >I don't see that for any of the other serviceValidate requests, so I'm >wondering if that implies a home-grown client solution... we don't have a >lot of other Windows-based applications using CAS. > >Their application does set a CASIIS cookie that contains the ST -- seems >odd and I can't remember ever seeing that before. > >Tim > >From: Scott Battaglia ><[email protected]<mailto:[email protected]>> >Reply-To: "[email protected]<mailto:[email protected]>" ><[email protected]<mailto:[email protected]>> >Date: Friday, June 22, 2012 10:20 AM >To: "[email protected]<mailto:[email protected]>" ><[email protected]<mailto:[email protected]>> >Subject: Re: [cas-user] Help: URLencoded service redirection after >successful login > >As far as I know the major CAS clients do it correctly. We typically see >problems with custom CAS clients. Of course, its always possible one of >our clients has a bug around that, but its typically not been that way. > > >On Fri, Jun 22, 2012 at 1:18 PM, Tim McLaughlin ><[email protected]<mailto:[email protected]>> wrote: >I'm not sure -- they mentioned something about mod_auth_cas but not in a >way that was specific enough. I'll find out. > >Is this something that should be handled by the CAS client that the >application uses? > >Thanks! >Tim > >From: Scott Battaglia ><[email protected]<mailto:[email protected]><mailto:scott. >[email protected]<mailto:[email protected]>>> >Reply-To: >"[email protected]<mailto:[email protected]><mailto:cas-user >@lists.jasig.org<mailto:[email protected]>>" ><[email protected]<mailto:[email protected]><mailto:cas-user >@lists.jasig.org<mailto:[email protected]>>> >Date: Friday, June 22, 2012 10:10 AM >To: >"[email protected]<mailto:[email protected]><mailto:cas-user >@lists.jasig.org<mailto:[email protected]>>" ><[email protected]<mailto:[email protected]><mailto:cas-user >@lists.jasig.org<mailto:[email protected]>>> >Subject: Re: [cas-user] Help: URLencoded service redirection after >successful login > >What CAS client are they using to redirect to CAS? > >On Fri, Jun 22, 2012 at 1:08 PM, Tim McLaughlin ><[email protected]<mailto:[email protected]><mailto:Tim.McLaughl >[email protected]<mailto:[email protected]>>> wrote: >Hello, > >We've got an off-site service using CAS that involves really long service >URLs like so: > >https://illiad.wwu.edu/illiad/illiad.dll/OpenURL?genre=article&issn=1360-3 >1 >08&title=Perspectives+%28Association+of+University+Administrators+%28U.K.% >2 >9%29&aulast=Taylor%2C+Barry&volume=15&issue=4&date=2011&atitle=Reflections >+ >on+higher+education+and+the+media.&spage=117&sid=EBSCO%253AAcademic%2BSear >c >h%2BComplete%28via%253A%2B360Link%29&pid=Interlibrary%20Loan > > >The CAS URL, while the user is on the login form, is this: > >https://websso.wwu.edu/cas//login?service=https://illiad.wwu.edu/illiad/il >l >iad.dll/OpenURL%3fgenre%3darticle%26issn%3d1360-3108%26title%3dPerspective >s >%2b%28Association%2bof%2bUniversity%2bAdministrators%2b%28U.K.%29%29%26aul >a >st%3dTaylor%2C%2bBarry%26volume%3d15%26issue%3d4%26date%3d2011%26atitle%3d >R >eflections%2bon%2bhigher%2beducation%2band%2bthe%2bmedia.%26spage%3d117%26 >s >id%3dEBSCO%253AAcademic%2BSearch%2BComplete%28via%253A%2B360Link%29%26pid% >3 >dInterlibrary%20Loan > >Most of the service is properly URLencoded, but notice that the first >part, https://illiad.wwu.edu/illiad/illiad.dll/OpenURL isn't. I don't >know if that's important, but it seems odd. > >Here's the kicker, though: when the user is authenticated, the URL that >CAS redirects to is the URLencoded version, not the "original" version, so >the user gets a 404 from the application. > >We have other services that use CAS and a couple have complicated URLs >like this, but they get handled properly. Is that something that the >application is responsible for resolving, or should CAS be redirecting to >the URLdecoded version? > >I'm wondering if anyone has an idea as to what could be going on with this >one? > >Thanks, >Tim > > >-- >You are currently subscribed to >[email protected]<mailto:[email protected]><mailto:cas-user@ >lists.jasig.org<mailto:[email protected]>> as: >[email protected]<mailto:[email protected]><mailto:scott.b >[email protected]<mailto:[email protected]>> >To unsubscribe, change settings or access archives, see >http://www.ja-sig.org/wiki/display/JSG/cas-user > > > >-- >You are currently subscribed to >[email protected]<mailto:[email protected]><mailto:cas-user@ >lists.jasig.org<mailto:[email protected]>> as: >[email protected]<mailto:[email protected]><mailto:tim.mclaughli >[email protected]<mailto:[email protected]>> >To unsubscribe, change settings or access archives, see >http://www.ja-sig.org/wiki/display/JSG/cas-user > >-- >You are currently subscribed to >[email protected]<mailto:[email protected]> as: >[email protected]<mailto:[email protected]> >To unsubscribe, change settings or access archives, see >http://www.ja-sig.org/wiki/display/JSG/cas-user > > > >-- >You are currently subscribed to >[email protected]<mailto:[email protected]> as: >[email protected]<mailto:[email protected]> >To unsubscribe, change settings or access archives, see >http://www.ja-sig.org/wiki/display/JSG/cas-user > >-- >You are currently subscribed to [email protected] as: >[email protected] >To unsubscribe, change settings or access archives, see >http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
