Baldur,

The PHP client is the behavior I would expect -- only the /samlValidate endpoint expects a TARGET parameter as per the spec [1]. The /login endpoint expects a "service" parameter if you want a ST issued for a particular service.

I am guessing that the way SAML1.1 [2] is baked into the CAS server, /login will accept a TARGET parameter. The response to redirect with the TARGET parameter intact may be appropriate for a SAML1.1 client (based on my brief review of the Wikipedia article). I think there are 2 scenarios:

1) The CAS server can actually support the SAML1.1 protocol for the entire conversation (this is what the Java client is doing).
2) The CAS server can speak the CAS protocol to the user-agent, but still speak SAML1.1 during validation (this is what the PHP client is doing).

The overlap is somewhat confusing, and this is mostly guesswork on my part.

Thanks,
Carl

[1] https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#42-samlvalidate-cas-30
[2] http://en.wikipedia.org/wiki/SAML_1.1

----- Original Message -----
From: "Baldur Dae" <[email protected]>
To: [email protected]
Sent: Friday, September 5, 2014 3:02:24 AM
Subject: Re: [cas-user] How to remove TARGET parameter

Thank you Carl ;)

I've mentioned php cas client because I get a different behaviour in comparison to java cas client. In php I get the following redirections ("portal" is the client webapp):

Request: https://localhost/portal/
Response: (Status Code 302) https://cas-server/cas/login?service=https%3A%2F%2Flocalhost%2Fportal%2F&gateway=true

Request URL: https://cas-server/cas/login?service=https%3A%2F%2Flocalhost%2Fportal%2F&gateway=true
Response: (Status Code 302) https://localhost/portal/

And with java cas client:

Request URL: https://localhost:8043/portal/
Response: (Status Code 302) https://cas-server/cas/login?TARGET=https%3A%2F%2Flocalhost%3A8043%2Fportal%2F&gateway=true

Request URL: https://cas-server/cas/login?TARGET=https%3A%2F%2Flocalhost%3A8043%2Fportal%2F&gateway=true
Response: (Status Code 302) https://localhost:8043/portal?TARGET=https%3A%2F%2Flocalhost%3A8043%2Fportal

Both applications are configured to use SAML protocol.

My doubt is that I always get TARGET parameter with java cas client, and I expected this would be transparent to the user, without TARGET parameter in subsequent requests.

Thank you very much!

2014-09-04 15:07 GMT+02:00 Waldbieser, Carl <[email protected]>:

> Baldur,
>
> If you want to use the CAS protocol (no TARGET) and not SAML (uses TARGET), then initialize your client like:
>
> // Initialize phpCAS
> #phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_uri); # This uses SAML - TARGET param
> phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_uri); # This uses CAS protocol v3.0 - No TARGET
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: "Baldur Dae" <[email protected]>
> To: [email protected]
> Sent: Thursday, September 4, 2014 2:44:16 AM
> Subject: Re: [cas-user] How to remove TARGET parameter
>
> Thanks for the response
>
> At first glance it seems to be that. But I've followed this guide to code my php cas client (https://github.com/Jasig/phpCAS/blob/master/docs/examples/example_advanced_saml11.php):
>
> ...
> // Initialize phpCAS
> phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
> // Force CAS authentication on any page that includes this file
> //phpCAS::forceAuthentication();
> ....
>
> So I'm stuck :(
>
> I'd really appreciate if you can shed some light on this
>
> Thnx very much
>
> 2014-09-03 15:12 GMT+02:00 Waldbieser, Carl <[email protected]>:
>
> > Baldur,
> >
> > It sounds like when you are using the .NET client you are using the SAML protocol [1], and when you are using the PHP client you are using the CAS protocol [2][3].
> >
> > Thanks,
> > Carl Waldbieser
> > Systems Programmer
> > Lafayette College
> >
> > [1] https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#421-parameters
> > [2] https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#24-validate-cas-10
> > [3] https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#251-parameters
> >
> > ----- Original Message -----
> > From: "Baldur Dae" <[email protected]>
> > To: [email protected]
> > Sent: Wednesday, September 3, 2014 3:53:14 AM
> > Subject: Re: [cas-user] How to remove TARGET parameter
> >
> > Thanks very much for the answer :)
> >
> > However, it's really curious the difference between php and java. As noted here (https://wiki.jasig.org/display/casc/.net+cas+client) the last comment indicates: "...the query string passed to the CAS logon page is different when using the .NET client; the redirect URL query string parameter has a name of TARGET, whereas when using the php CAS client it has a name of service". This is just my case. Currently I use php cas client in gateway mode and I don't get redirected with the TARGET parameter in the URL. So I'm trying to do the same thing replacing php with java.
> >
> > Is that possible? or is just a feature of the java client?
> >
> > 2014-09-02 15:02 GMT+02:00 Marvin Addison <[email protected]>:
> >
> > > > I always get the TARGET parameter in the url until the
> > > > user authenticates. How can I remove this TARGET parameter?
> > >
> > > TARGET == ticket for the SAML feature in CAS, so it's naturally present until you authenticate. That's to say you can't and shouldn't remove it.
> > >
> > > M
> > >
> > > --
> > > You are currently subscribed to [email protected] as: [email protected]
> > > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
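
Added example, not part of the original thread or of either CAS client: a Python check that reads the redirects quoted above, reports from the `service`/`TARGET` parameter which protocol is spoken to the user-agent, and strips protocol parameters from a landing URL. The function names and the idea of cleaning the landing URL on the client side are assumptions made for illustration; `SAMLart` is the parameter in which CAS returns the ticket when `/login` was called with `TARGET`.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter seen on /login -> (protocol spoken to the user-agent, parameter
# in which the ticket comes back). The back-channel validation call is a
# separate choice: a client may send "service" here and still validate
# against /samlValidate (the PHP case described in the thread).
FRONT_CHANNEL = {
    "service": ("CAS", "ticket"),
    "TARGET": ("SAML 1.1", "SAMLart"),
}
PROTOCOL_PARAMS = ("ticket", "SAMLart", "TARGET")


def classify_login_redirect(url):
    """Describe a redirect to the CAS /login endpoint (hypothetical helper)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/login"):
        raise ValueError("not a CAS /login URL: " + url)
    params = dict(parse_qsl(parts.query))
    names = [n for n in FRONT_CHANNEL if n in params]
    if len(names) != 1:
        # Neither or both present: the client's intent is ambiguous.
        raise ValueError("expected exactly one of service/TARGET")
    protocol, ticket_param = FRONT_CHANNEL[names[0]]
    return {
        "protocol": protocol,
        "return_url": params[names[0]],  # URL-decoded service identifier
        "ticket_param": ticket_param,
        "gateway": params.get("gateway") == "true",
    }


def strip_protocol_params(url):
    """Drop ticket/SAMLart/TARGET from a landing URL, keep the app's own parameters."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in PROTOCOL_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# The redirects quoted in the thread.
PHP_LOGIN = "https://cas-server/cas/login?service=https%3A%2F%2Flocalhost%2Fportal%2F&gateway=true"
JAVA_LOGIN = "https://cas-server/cas/login?TARGET=https%3A%2F%2Flocalhost%3A8043%2Fportal%2F&gateway=true"
JAVA_LANDING = "https://localhost:8043/portal?TARGET=https%3A%2F%2Flocalhost%3A8043%2Fportal"

if __name__ == "__main__":
    for login in (PHP_LOGIN, JAVA_LOGIN):
        print(classify_login_redirect(login))
    print(strip_protocol_params(JAVA_LANDING))
```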
