Sorry I'm late to this discussion... Our password expiration implementation requires me to hand off the user to a separate password manager app within our enterprise before "establishing*" an SSO session either 1) immediately in case of an expired/locked account, or 2) when the user clicks "update now" in case of a warning state.
If in the warning state the user clicks "remind me later," I continue the flow**. I chose to put the TGT ID in the flow scope before entering our custom warning view state. I could have created a new action state to move the TGT ID back into the request scope for the subsequent request, but rather chose to modify WebUtils to pull it from flow scope when it's missing in request scope.

* Before the TGT is sent and an ST created.
** This seemed simpler and easier to understand/maintain than handling a password-warning-skip flag and just restarting the login flow.

________________________________
From: Scott Battaglia [[email protected]]
Sent: Monday, July 23, 2012 6:03 PM
To: [email protected]
Subject: Re: [cas-dev] TGT in Flow Scope?

It's typically been request scope because it's all it's needed to be and we typically discourage other things from having a handle on it. I'm not completely against moving it to a different scope, though I also wonder at the end what is actually appropriate to put in the login flow (i.e. should Password Manager really be considered part of the flow).

Cheers,
Scott

On Mon, Jul 23, 2012 at 9:14 AM, Drew Mazurek <[email protected]> wrote:

After authentication, can we put the TGT ID in the flow scope rather than the request scope? WebUtils puts it in the request scope, but the password manager occasionally needs to hijack the login flow after authentication but before the user is redirected to the requested service. The problem is that when the password manager is done, the TGT ID that was in the request scope is long gone, and the generateServiceTicket action fails.

Unless there was a particular reason why request scope was chosen over flow scope (aside from the fact that the request scope was good enough until now), can I propose the TGT goes into the flow scope?

Any thoughts?

Thanks,
Drew

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
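
The scope lifetimes discussed in this thread, as an added sketch that is not part of the original messages and is not CAS code. Plain maps stand in for Spring Web Flow's request and flow scopes, and the attribute name, the sample TGT value and all method names are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

public class TgtScopeDemo {
    static final String KEY = "ticketGrantingTicketId"; // attribute name assumed for this sketch

    // Stand-ins for Spring Web Flow scopes (plain maps, not the SWF API).
    static final Map<String, String> requestScope = new HashMap<>(); // emptied on every HTTP request
    static final Map<String, String> flowScope = new HashMap<>();    // kept until the flow ends

    static void newHttpRequest() { requestScope.clear(); }

    // Lookup that reads request scope only.
    static String fromRequestOnly() { return requestScope.get(KEY); }

    // Lookup as modified in the first message: fall back to flow scope.
    static String withFlowFallback() {
        String id = requestScope.get(KEY);
        return id != null ? id : flowScope.get(KEY);
    }

    // Models the generateServiceTicket action: no TGT id means no ST.
    static String generateServiceTicket(Supplier<String> tgtLookup) {
        String tgt = tgtLookup.get();
        if (tgt == null) return "error: no TGT id in scope";
        return "ST issued for " + tgt;
    }

    public static void main(String[] args) {
        // Request 1: authentication succeeds; the warning view state renders.
        newHttpRequest();
        String tgt = "TGT-constructed-sample"; // constructed sample value
        requestScope.put(KEY, tgt);
        flowScope.put(KEY, tgt);

        // Request 2: "remind me later" resumes the flow on a fresh request.
        newHttpRequest();
        System.out.println(generateServiceTicket(TgtScopeDemo::fromRequestOnly));
        System.out.println(generateServiceTicket(TgtScopeDemo::withFlowFallback));

        // Flow ends: its scope is discarded, so the handle does not outlive the login flow.
        flowScope.clear();
        newHttpRequest();
        System.out.println(generateServiceTicket(TgtScopeDemo::withFlowFallback));
    }
}
```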
