CAS Gateway Mode Not Supported by Microsoft Entra ID

CAS gateway mode, triggered by sending the gateway=true parameter during the initial CAS login request, is no longer supported after moving to Microsoft Entra ID as our MFA provider. We have received a handful of reports of applications that were still using this functionality and have put together this page to go over the mitigation for each case we've seen so far.

Problem Description

When logging in via CAS, our Shibboleth IdP acts as the CAS server. It takes the login request and proxies it via SAML through Microsoft Entra ID for authorization. During this proxy step, Shibboleth maps the CAS gateway parameter, if present, to the equivalent SAML IsPassive flag. The problem is that when Entra ID receives a SAML authorization request with IsPassive set to true and the user does not already have an active Entra ID session, Entra ID stops the login process and displays an error message to the user. This is non-standard behavior according to the SAML specification, which expects the IdP to silently return the status code "urn:oasis:names:tc:SAML:2.0:status:NoPassive" to the calling application instead. Because of this non-standard behavior that Microsoft has implemented, we can no longer support either the CAS gateway flag or the SAML IsPassive flag.

General Mitigation

Any apps that currently use either CAS gateway mode or the SAML IsPassive flag should stop using them in the initial login/authorization request. Unfortunately, this means that there is no longer any way to silently check whether a user is logged in via SSO. If you would like to have anonymous content on something like a web portal, we recommend that you add a manual login button to the anonymous page view.

phpCAS Specific Mitigation

We have determined that several cases of the gateway flag being set in the initial CAS login request were caused by using the phpCAS CAS_Client::checkAuthentication() function. This function kicks off a gateway mode CAS login. At this time we recommend that anyone affected replace any calls to CAS_Client::checkAuthentication() with CAS_Client::forceAuthentication() instead. This will kick off a standard interactive CAS login if the user is not currently logged in, and will simply return true if the user is already logged in.
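The following is an added example (not code from this page or from the phpCAS project) that combines the two recommendations above: a portal page that serves anonymous content with a manual login link, and a login action that uses forceAuthentication() in place of checkAuthentication(). It assumes phpCAS 1.6 or later installed via Composer; the CAS host, context path, service base URL and CA bundle path are placeholders.

```php
<?php
// Added example, not part of the original page or of phpCAS itself.
// Assumes phpCAS 1.6+ (Composer autoload); all host/path values are placeholders.
require_once __DIR__ . '/vendor/autoload.php';

phpCAS::client(
    CAS_VERSION_2_0,
    'cas.example.edu',            // placeholder CAS server hostname
    443,
    '/cas',                       // placeholder CAS context path
    'https://portal.example.edu'  // placeholder service base URL (required in phpCAS 1.6+)
);
// Validate the CAS server's TLS certificate against a CA bundle (placeholder path).
phpCAS::setCasServerCACert('/etc/ssl/certs/ca-certificates.crt');

$action = $_GET['action'] ?? 'view';

if ($action === 'login') {
    // Interactive login: redirects to CAS (and on through Entra ID) when there is
    // no session, and returns true immediately when the user is already logged in.
    // This replaces checkAuthentication(), which sent gateway=true to the CAS server.
    phpCAS::forceAuthentication();
    header('Location: /');  // back to the portal view once authenticated
    exit;
}

// Anonymous view: isAuthenticated() only consults the local phpCAS session and any
// service ticket carried on this request; it never starts a gateway-mode login.
if (phpCAS::isAuthenticated()) {
    $user = htmlspecialchars(phpCAS::getUser(), ENT_QUOTES, 'UTF-8');
    echo "<p>Signed in as {$user}.</p>";
} else {
    // Public content plus the manual login button recommended under General Mitigation.
    echo '<p>Public portal content visible to everyone.</p>';
    echo '<p><a href="?action=login">Log in</a></p>';
}
```

The anonymous view no longer learns about an SSO session that exists only at the IdP; it only knows about users who have already completed the interactive login on this application.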
