You need a separate end-state for SAML 2 services like GoogleApps that presents 
the warning message and auto-submits a hidden form with the SAML response.  I 
opened a JIRA ticket for the issue and a pull request 
(https://github.com/Jasig/cas/pull/335) with a fix.

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]

________________________________
From: David Warden <[email protected]>
Sent: Tuesday, October 08, 2013 2:44 PM
To: [email protected]
Subject: [cas-user] Interaction between LPPE and Google/SAML 2.0 in CAS 3.5.2

I'm working on refreshing our CAS infrastructure with CAS 3.5.2. We're aiming 
for LDAP Password Policy Enforcement (LPPE) and SAML 2.0 support for our Google 
Apps for Education domain. I ran into a problem with the "password will expire 
soon" warning page directing the user to the Google service they were trying to 
log in to. I was able to hack together a workaround, but I'm wondering if I've 
gone about this the right way or if someone else has "solved" this or I've 
simply misconfigured CAS.

The root of the problem is that when users hit the "your password will expire 
soon", the URL that users can manually click (but will be automatically 
redirected to after X seconds) is the URL of the service with the service 
ticket appended as a GET parameter. For most CAS-aware services, this works 
fine. But based on what I have seen from the Spring debug logs from CAS and 
Google's SSO documentation, Google expects their service URL to be hit with 
POST and see SAML-specific information in that payload. What ends up happening 
is users are automatically redirected to a generic CAS login success page.

My workaround was to modify the "your password will expire soon" 
(casWarnPassView.jsp) page so that the URL the user can click/is redirected to 
is simply the current URL. Doing so bypasses the LPPE check (since it is not a 
POST to the login URL) and the user is redirected to their requested service, 
be it a Google SAML service or a "normal" CAS service. This does seem to create 
an extra Service Ticket, however.

I should add that the only way we get to the "passwordPolicyCheck" action state 
in the login webflow is via the "success" transition on the "realSubmit" action 
state. We do not run the policy check on the "warn" transition of "realSubmit". 
I am not attaching configs to this message because I believe I have configured 
LPPE and Google Apps/SAML 2.0 correctly (per 
https://wiki.jasig.org/pages/viewpage.action?pageId=26149328 and 
https://wiki.jasig.org/pages/viewpage.action?pageId=6063484) but I would 
definitely be willing to do so if I haven't offered enough to go on.


David Warden
SUNY Geneseo
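The two continuations discussed above, side by side, as an added example that is not the code from the CAS pull request: the stock warning page's GET redirect with a service ticket, which works for CAS-protocol clients, and the separate SAML 2 end-state Eric describes, which shows the expiry warning and then auto-submits a hidden form using the SAML 2.0 HTTP-POST binding. The ticket value, ACS URL, RelayState and SAML Response XML are constructed placeholders.

```python
import base64
import html
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample values (not from the thread): a CAS service ticket and a
# minimal SAML 2.0 Response body for a hypothetical Google Apps domain.
SERVICE_TICKET = "ST-1-EXAMPLEONLY"
SAML_RESPONSE_XML = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                     b'ID="_example" Version="2.0"/>')


def cas_warn_redirect(service_url: str, ticket: str) -> str:
    """GET continuation used by the stock casWarnPassView: append ticket=ST-...
    to the service URL. Right for CAS-protocol clients, wrong for a SAML 2 SP,
    which expects a POST carrying SAMLResponse and ends up on a generic page."""
    parts = urlsplit(service_url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("ticket", ticket)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def encode_saml_response(saml_response_xml: bytes) -> str:
    """HTTP-POST binding transports the Response as base64 in a form field."""
    return base64.b64encode(saml_response_xml).decode("ascii")


def saml_warn_autopost(acs_url: str, saml_response_xml: bytes, relay_state: str = "",
                       days_left: int = 0, delay_seconds: int = 5) -> str:
    """Separate end-state for SAML 2 services: render the password-expiry warning,
    then auto-submit a hidden form to the SP's Assertion Consumer Service. The
    ACS URL and RelayState are HTML-escaped so request-controlled values cannot
    break out of the attribute and inject markup into the warning page."""
    relay_field = ""
    if relay_state:
        relay_field = ('<input type="hidden" name="RelayState" value="'
                       + html.escape(relay_state, quote=True) + '">')
    return (
        "<!DOCTYPE html><html><body>"
        f"<p>Your password will expire in {int(days_left)} days. "
        "Continuing to your service...</p>"
        f'<form id="samlform" method="post" action="{html.escape(acs_url, quote=True)}">'
        f'<input type="hidden" name="SAMLResponse" value="{encode_saml_response(saml_response_xml)}">'
        f"{relay_field}"
        '<noscript><input type="submit" value="Continue"></noscript>'
        "</form>"
        '<script>setTimeout(function(){document.getElementById("samlform").submit();},'
        f"{int(delay_seconds) * 1000});</script>"
        "</body></html>"
    )
```

Because the POST form is submitted from the warning page itself, no second service ticket is minted the way David's "redirect to the current URL" workaround does.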

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
