- HITS ON THE VIRTUAL HOST REDIRECT PROPERLY TO THE SSO SYSTEM
- THE AJAX V. HTML V. MOBILE UI IS CHOSEN BASED ON BROWSER USER-AGENT
- EXPLICIT LOGOUT FROM ZWC REDIRECTS TO THE SSO SYSTEM
POSSIBLE ISSUES:
- IS THERE AN ARGUMENT THAT I CAN PASS TO /SERVICE/PREAUTH TO FORCE A SPECIFIC CLIENT, LIKE /H/ INSTEAD OF /M/ ON AN IPAD?
- COOKIE TIMEOUTS, INVALIDATED SESSIONS, AND MAINTENANCE MODE SEEM TO GO TO THE BUILT-IN ZCS LOGIN PAGE. THIS IS ACCEPTABLE AND MAYBE EVEN PREFERRED BECAUSE THE SSO SYSTEM CAN'T GIVE A SPECIFIC ERROR. IS THAT CORRECT, OR IS THIS JUST AN ARTIFACT OF THE TEST BEING A NON-DEFAULT VIRTUAL HOST AND THE NGINX PROXY NOT HAVING BEEN RESTARTED SINCE CONFIGURING THE VHOST?
- IS THERE A WAY TO BYPASS SSO FOR SPECIFIC ACCOUNTS, FORCING USE OF THE INTERNAL LOGIN PAGE? USER-AGENT IS NOT THE ANSWER I'M LOOKING FOR.
- ARE THERE OTHER EDGE CASES I HAVEN'T CONSIDERED?
WE ARE QUASI-HOSTED SO I DON'T THINK I WANT TO USE SAML, WHICH WHILE POSSIBLY MORE SECURE THAN A PRE-SHARED KEY, IS NEWER AND LESS DOCUMENTED. OR DOES ANYONE HERE HAPPEN TO USE AND RECOMMEND NATIVE SAML BETWEEN SHIBBOLETH 2.4.1 AND ZCS 8?