Actually, I think my problem in this case was using mod_auth_cas to test it. Maybe that little cookie cache it has was affecting the results.
When we unchecked the "participate in sso" access strategy for the actual application in question (Banner 9), it started behaving the way they wanted. Subject to more exhaustive testing, anyway. I know all about how the cookies work and so on. But those technical details are completely irrelevant to business people who just want the new version (using CAS) to work like the old version (not using CAS). Thanks for everyone's suggestions, though. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu On Fri, Nov 2, 2018 at 1:52 PM Ray Bon <r...@uvic.ca> wrote: > I agree with Christian on this. Cookies exist in a browser instance, not a > tab instance; in some cases a new window is still not enough. > It sounds like your client does not understand how web browser technology > works. > > You could always offer to build a custom browser ;) > > Ray > > On Fri, 2018-11-02 at 13:01 -0400, David Curry wrote: > > Well, If I had my way, we wouldn't be doing it at all. :-) > > But one of the business units here wants their application to (a) use the > "standard" login page provided by the CAS server but (b) prompt for > credentials every time you open a tab/window and go to it. "But that's not > single sign-on," I say. "But it's what we want," they say. Sigh. > > --Dave > > -- > > DAVID A. CURRY, CISSP > *DIRECTOR OF INFORMATION SECURITY* > INFORMATION TECHNOLOGY > > 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 > +1 212 229-5300 x4728 • david.cu...@newschool.edu > > > > > On Fri, Nov 2, 2018 at 12:31 PM Christian Poirier <chrispt...@gmail.com> > wrote: > > Hi Dave > > I think the better way to do this is to open a new instance of your > browser application instead of open a new tab. The new tab is in the same > context of your first tab and then using the same authentication cookie. If > you want CAS as you mention, you lose the essential use of a SSO. If you're > renew for the follwoing tab, you will lose the authentication of the first > tab. > > Christian Poirier > Université TÉLUQ > Québec, QC CANADA > > > Le ven. 2 nov. 2018, à 10 h 41, David Curry <david.cu...@newschool.edu> a > écrit : > > > Can I force a service to authenticate every time from the CAS server side, > e.g., by setting something in the service registry? Basically, I want to > mimic the behavior of "&renew=true" but not have to change anything on the > client side. > > I thought setting "accessStrategy.ssoEnabled: false" in the service > registry entry would do this, but in testing this morning, it appears > that's not the case. That setting forces the service to prompt for login > even if you've signed into something else through CAS, but it doesn't > require you to re-enter your credentials every time you access the same > service. What I want is "Open tab, go to X, enter credentials. Open another > tab, go to X again, have to enter credentials again." > > CAS 5.2.x, BTW. > > Thanks, > --Dave > > -- > > DAVID A. CURRY, CISSP > *DIRECTOR OF INFORMATION SECURITY* > INFORMATION TECHNOLOGY > > 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 > +1 212 229-5300 x4728 • david.cu...@newschool.edu > > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAO0A_FHTayuNX25UxC0rpY2DPzy5_d1xuyk%3DVSfCqR18g%40mail.gmail.com > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAO0A_FHTayuNX25UxC0rpY2DPzy5_d1xuyk%3DVSfCqR18g%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bg7XAnSc3604EUQLPe0qGf71UnDdDJG%2B-Wrqm6RsCVYgO5o9g%40mail.gmail.com > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bg7XAnSc3604EUQLPe0qGf71UnDdDJG%2B-Wrqm6RsCVYgO5o9g%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- > Ray Bon > Programmer analyst > Development Services, University Systems > 2507218831 | CLE 019 | r...@uvic.ca > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/1541181137.2870.97.camel%40uvic.ca > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1541181137.2870.97.camel%40uvic.ca?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAMbLJwn4VAa47UeQW8HBtWg88bAtG1FdiL_tbKg2NixBw%40mail.gmail.com.
