...
| View Name | Description | Requires CSRF protection e.g. uses HTML Form POST to the IdP |
|---|---|---|
| footer.vm | XML cas service response footer | No |
| header.vm | XML cas service response header | No |
| logoutService.vm | Propogates a CAS logout to the SP | No/Yes. Main form is posted to the SP with a SAML 2 logout request hence CSRF token is not required. However, the underlaying flow itself is finalised by directing the propagation iFrame back to the IdP and resuming the conversation. This is done by modifying the iFrame src, and requires the CSRF token in the URL set into the sessionStorage e.g. see U1. Alternatively you could exclude this view (ShowServiceLogoutView) from CSRF protection - probably makes sense. |
| postBack.vm | When service ticket request method is POST | No. Main form is posting the service ticket to the SP, hence an CSRF token is not required from the IdP. |
| proxyFailure.vm | XML cas proxy failure response | No |
| proxySuccess.vm | XML cas proxy success response | No |
| validateFailure.vm | XML cas authentication failure response | No |
| validateSuccess.vm | XML cas authentication success response | No |
...