also posted in the "Pac4j users mailing list" group as well. Hi, I'm hoping my usage is pretty common & someone has already made this scenario work properly.
My objective is to use the bujio-pac4j-demo-master (3.2.0-SNAPSHOT) project as a starting point as a CAS client, having CAS delegate via the pac4j webflow support, eventually I want to make use of the SSO, ticket management in CAS 5.2.x (5.2.2 currently). The intended webflow: demo app (buji-pac4j-demo-master) security filter redirects to CAS via the buji-pac4j CasClient.loginUrl= https://localhost:8443/cas/login which will redirect to Google OIDC auth url, with flow eventually returning credentials, profile info to the SecurityFilter to redirect to original requested URL (eg. https://localhost:8449/cas/index.jsp) I've got the buji-pac4j-demo-master configured so I can test using jetty (using https on port 8449). initial CAS 5.2.3 setup is with 1 delegated IDP. per https://apereo.github.io/cas/5.2.x/integration/Delegate-Authentication.html, I added the cas-server-support-pac4j-webflow (5.2.3) artifact to the CAS overlay's pom. my CAS 5.2.2 server is listening for incoming https connections on port 8443. So, my understanding is that CAS will not bother with the CAS generated login page, but (autoRedirect==true) will just redirect the login request to the 1 configured delegated IDP. This works as I expect, I get the usual Google login page, I authenticate & I get redirected but only back to the CAS login page. BUT, while it looks as though CAS is processing the redirect from Google [see below log msgs involving org.pac4j.oidc.credentials.extractor.OidcExtractor], no sign that it is responding to the application's request - lots of gory details below gives me reason to suspect that. First is the response code of 200 on the redirect for CAS to process Google's response. So my embarrassingly large post boils down to: What am I missing to get CAS to finish the webflow by returning the response with the authenticated credentials back the initial requesting app, the pac4j demo's SecurityFilter? Any chance it's related to the below response header showing for a Set-Cookie field with the following: Secure; HttpOnly ? Thank you for any insights. -steve my cas.properties contains the following cas.authn.pac4j.* settings. cas.authn.pac4j.autoRedirect=true cas.authn.pac4j.oidc[0].id=******.apps.googleusercontent.com cas.authn.pac4j.oidc[0].secret=****my-secret**** cas.authn.pac4j.oidc[0].type=GOOGLE cas.authn.pac4j.oidc[0].scope=openid profile cas.authn.pac4j.oidc[0].clientName=GoogleOIDC cas.pac4j.oidc.discoveryUri= https://accounts.google.com/.well-known/openid-configuration My Google console authorized redirect URIs has 1: https://localhost:8443/cas/login?client_name=GoogleOIDC So the following is working: SecurityFilter is generating a 302 redirect response to the initial (unauthenticated) request for https://localhost:8449/cas/index.jsp reponse header has location= https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient Server: Jetty(9.3.8.v20160314) redirect sent to CAS is: https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient response header has location=https://accounts.google.com/o/oauth2/v2/auth? response_type=code&client_id=****myclientID*****.apps.googleusercontent.com &redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw response header also has Set-Cookie: JSESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; Path=/cas; Secure; HttpOnly This results in the CAS instance redirecting via 302 response the following request URL (same as response location above): https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw I get the Google login page, enter my credentials and the generated response is a 302 redirect reponse header has location= https://localhost:8443/cas/login?client_name=GoogleOIDC&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw&code=4/AAA9qlRlbkuWmFzJO1nvr23LnRf4HVoMu9eqJeQ-nzq922D375okGqD52Dv_haMQIYAkV5ikouz3NAtLbJg2csA&authuser=0&session_state=da7bae9eb4fa3459e15f94e81f06a8258c41c9c1..b186&prompt=none# state value matches the value provided in above CAS (pac4j oidc code) redirect - good. The redirect response has a status code: 200. request cookie has TGC key, SESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; JSESSIONID=sghbip4bak977llku5mld199 and Referer: https://localhost:8449/ So the cas_audit.log has: (time matches Chrome's display of the request/response details) WHO: null WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@365bbddf[id=<null>]] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Tue Apr 17 10:28:23 EDT 2018BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - Starting authentication BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - requestedUrl: https://localhost:8449/cas/index.jsp CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1 SERVER IP ADDRESS: 0:0:0:0:0:0:0:1 in the cas.log: 2018-04-17 10:28:22,773 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is set to [null] and path [/cas/]> 2018-04-17 10:28:22,774 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set to [null] and path [/cas/]> 2018-04-17 10:28:22,774 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null> java.lang.NullPointerException: null at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3] [... stack dump deleted] 2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@66a4100b[id= https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@638341b0[]]> 2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://localhost:8449/callback?client_name=CasClient]> 2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Placing service in context scope: [https://localhost:8449/callback?client_name=CasClient]> 2018-04-17 10:28:22,776 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [null]> 2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@66a4100b[id= https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@638341b0[]]> 2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://localhost:8449/callback?client_name=CasClient]> 2018-04-17 10:28:22,775 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Placing service in context scope: [https://localhost:8449/callback?client_name=CasClient]> 2018-04-17 10:28:22,776 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [null]> 2018-04-17 10:28:22,777 DEBUG [org.pac4j.oidc.redirect.OidcRedirectActionBuilder] - <Authentication request url: https://accounts.google.com/o/oauth2/v2/auth?resp onse_type=code&client_id=****myclientID*****.apps.googleusercontent.com &redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclie nt_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw> 2018-04-17 10:28:22,777 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <[GoogleOIDC] -> [ https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw ]> 2018-04-17 10:28:22,777 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationActiorg.pac4j.oidc.credentials.extractor.OidcExtractoron] - <cssClass for GoogleOIDC is fa fa-lock GoogleOIDC > 2018-04-17 10:28:22,777 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Auto-redirecting to client url [ https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw ]> 2018-04-17 10:28:22,973 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null> java.lang.NullPointerException: null at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3] [... stack dump deleted] 2018-04-17 10:28:22,983 DEBUG [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation> 2018-04-17 10:28:22,986 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request> 2018-04-17 10:28:22,986 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.> 2018-04-17 10:28:22,990 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [GoogleOIDC]> 2018-04-17 10:28:22,990 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Client: [#GoogleOidcClient# | name: GoogleOIDC | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | urlResolver: org.pac4j.core.http.DefaultUrlResolver@1e0cd3ba | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@10319bc1 | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: ****myClientID*****. apps.googleusercontent.com | secret: [protected] | discoveryURI: https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.apps.googleusercontent.com | secret: [protected] | discoveryURI: https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | uorg.pac4j.oidc.credentials.extractor.OidcExtractorseNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | clientName: GoogleOIDC | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.apps.googleusercontent.com | secret: [protected] | discoveryURI: https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretPost@60d65eb5 | | profileCreator: #OidcProfileCreator# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.apps.googleusercontent.com | secret: [protected] | discoveryURI: https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl: https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | | logoutActionBuilder: org.pac4j.core.logout.GoogleLogoutActionBuilder@62ab27eb | configuration: #OidcConfiguration# |: 2018-04-17 10:28:22,991 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful> 2018-04-17 10:28:23,188 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response: status=200, content={ "access_token": "ya29.GlygBV8fhxUWJ1VFv9n7_WdEpxsGAe-govM6B8eIkqlig3SheZdFj-8k2JQetxaNpnCsiqzuxVe5myRRHP0Kws4MGadlrhB2yO7vzV7jkmO2uWFQH5FKzQ2YWt6YnA", "token_type": "Bearer", "expires_in": 3599, "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjU0MjViYjg0NjE2ZWJmOTczYWU4MGJjNjJhYzY4OGQyYTcyNzE1YWQifQ.eyJhenAiOiIxMDU4NTQ3ODc5OTctNXZsM2dtdWo4b2ptYWNraXE4NnJldHJlN2JiNXF1b3EuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiIxMDU4NTQ3ODc5OTctNXZsM2dtdWo4b2ptYWNraXE4NnJldHJlN2JiNXF1b3EuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTQ3NTYwNzQ2MTA0NjY3NTE5MDAiLCJhdF9oYXNoIjoiNzBxNGU5ejZmY1FKWG1mSjRVajdHQSIsImV4cCI6MTUyMzk3ODkwMywiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwiaWF0IjoxNTIzOTc1MzAzLCJuYW1lIjoiU3RldmUgSGVzcGVsdCIsInBpY3R1cmUiOiJodHRwczovL2xoMy5nb29nbGV1c2VyY29udGVudC5jb20vLVFydzN5LVJ1cWwwL0FBQUFBQUFBQUFJL0FBQUFBQUFBQUFBL0FDTEd5V0FpWll1S0E3NVZTQ1JiUWdSdFgwakNCRU9DckEvczk2LWMvcGhvdG8uanBnIiwiZ2l2ZW5fbmFtZSI6IlN0ZXZlIiwiZmFtaWx5X25hbWUiOiJIZXNwZWx0IiwibG9jYWxlIjoiZW4ifQ.BF3PSAdB76QDiMFCAATermVenFYt_qXcTNQiZyf4xct1L5hClWuPPs2YQK1PDGJk4_Vg7mkZEjSSAIwqAhzH8qn5p62PpuxDNYkvjhtQXUZhQWnd0DdFUNwMGRR_La3sBMLj_X0-1tAyZ37Rib2hmTz7fa-pJjsiDQfbYmbX8LCSXNdnPy8madHjdzGXvTbGvsSQBulNEvBUOr83yD7TEmhLO49vpZK7hlX3Cg8eqDY0DwIZ0TuZ6yZsuQCrjS6MPFwDnJRztMj-w_KnwBeYlv2tpOBd5MGai-fr0FBy5PiMcQp_8xR0IyHpagp7onyh1n0o-JZEOmRdHLbffCFQcQ" 2018-04-17 10:28:23,189 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response successful> 2018-04-17 10:28:23,189 DEBUG [org.pac4j.oidc.client.GoogleOidcClient] - <Credentials validation took: 198 ms> 2018-04-17 10:28:23,189 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials: [#OidcCredentials# | code: 4/AAA9qlRlbkuWmFzJO1nvr23LnRf4HVoMu9eqJeQ-nzq922D375okGqD52Dv_haMQIYAkV5ikouz3NAtLbJg2csA | clientName: GoogleOIDC | accessToken: ya29.GlygBV8fhxUWJ1VFv9n7_WdEpxsGAe-govM6B8eIkqlig3SheZdFj-8k2JQetxaNpnCsiqzuxVe5myRRHP0Kws4MGadlrhB2yO7vzV7jkmO2uWFQH5FKzQ2YWt6YnA | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@6dcc4216 |]> 2018-04-17 10:28:23,189 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieve service: [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@66a4100b[id= https://localhost:8449/callback?client_name=CasClient,originalUrl=https://localhost:8449/callback?client_name=CasClient,artifactId= <null>,principal=<null>,loggedOutAlready=false,format=XML]]> 2018-04-17 10:28:23,190 WARN [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Service [null] is not allowed to use SSO.> 2018-04-17 10:28:23,191 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 2018-04-17 10:28:24,137 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null> java.lang.NullPointerException: null at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3] nothing further to indicate that CAS is responding to the initial request with the authentication info. from the buji-pac4j-demo-master log: BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - === SECURITY === BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - url: https://localhost:8449/cas/index.jsp BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - matchers: null BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - clients: CasClient BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - currentClients: [#CasClient# | name: CasClient | callbackUrl: https://localhost:8449/callback?client_name=CasClient | urlResolver: org.pac4j.core.http.DefaultUrlResolver@22fcc3fc | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@75f46400 | redirectActionBuilder: org.pac4j.cas.redirect.CasRedirectActionBuilder@61d03c5 | credentialsExtractor: org.pac4j.cas.credentials.extractor.TicketAndLogoutRequestExtractor@1d86c6cf | authenticator: org.pac4j.cas.credentials.authenticator.CasAuthenticator@5aba8cdb | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@7c5323ec | logoutActionBuilder: #CasLogoutActionBuilder# | serverLogoutUrl: https://localhost:8443/cas/logout | postLogoutUrlParameter: service | | configuration: #CasConfiguration# | loginUrl: https://localhost:8443/cas/login | prefixUrl: https://localhost:8443/cas/ | restUrl: https://localhost:8443/cas/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: #ShiroCasLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.pac4j.core.http.DefaultUrlResolver@22fcc3fc | |] BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - loadProfilesFromSession: true BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - profiles: [] BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - Starting authentication BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - requestedUrl: https://localhost:8449/cas/index.jsp that's it. no response processing log msgs, -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ca692d8-2406-433e-8ded-30b326c24e94%40apereo.org.
