My goal intersects with what's described here. If a user has already logged in with CAS on another SP, I would like for my SP, which is a react app, to detect this and automatically start the CAS workflow without the user needing to click any 'sign in' button.
As the comment in the post suggests, I can look in the document's cookies for some artifact of a CAS session. However, the only two cookies I'm aware of that reveal this (JSESSIONID= and TGC=) set their path as cas.example.com, making them inaccessible to mysite.example.com.
Are there any other surefire ways of telling whether a user has already initiated a CAS session?
Are there any other surefire ways of telling whether a user has already initiated a CAS session?
If your SP is using the CAS protocol, then a more traditional approach would be to try to take advantage of the gateway feature of the CAS protocol:
If this parameter is set, CAS will not ask the client for credentials. If the client has a pre-existing single sign-on session with CAS, or if a single sign-on session can be established through non-interactive means (i.e. trust authentication), CAS MAY redirect the client to the URL specified by the service parameter, appending a valid service ticket…If the client does not have a single sign-on session with CAS, and a non-interactive authentication cannot be established, CAS MUST redirect the client to the URL specified by the service parameter with no “ticket” parameter appended to the URL.
Other protocols such as OpenID Connect have similar features.
This blog post might also be useful.
In general, you either have to modify the cookie path or create a custom cookie inside CAS both of which require access to the CAS server. There is no other option for cookie-based SSO solutions, other than the likes of gateway, etc.