Mike,

This sounds like a proxy failure. The user successfully logs in, but when a 
proxy ticket is required, there is a failure and the user is returned to the 
log in page (am I understanding correctly?).

Check your access logs for Canvas and cas to see if communication is successful 
when a PT is needed.
You can use the below to get some logging from cas:

        <!-- see what cas is sending / receiving -->
        <AsyncLogger name="org.apache.http" level="debug" />

        <!-- DEBUG Response code from server matched [###] may be useful for debugging proxy
             Created HTTP post message payload [POST URL] on logout -->
        <AsyncLogger name="org.apereo.cas.util.http.SimpleHttpClient" level="error" />

Ray

On Fri, 2020-08-21 at 19:43 -0700, Mike Osterman wrote:
Disclaimer: I know this is a CAS list, not a Canvas list, but the combination 
of the two is having issues, and I've run out of road working with Instructure 
support.

Late last semester, we started experiencing issues where Canvas users were 
getting logged out frequently. I believe it started around the time that we 
switched Canvas from CAS 3.x to our CAS 5.3.x IdP. We also made the switch from 
defaulting login to CAS for all users, where external "guest" accounts had to 
know the native Canvas account login URL, to the Discovery page setup, where 
users are presented with Door #1 (Institutional SSO) and Door #2 (native Canvas 
accounts).

I worked with Instructure support, and they insisted that the cause was our CAS 
server, which doesn't track with the pattern I see with most CASified 
applications: app redirect to CAS to authenticate and get returned some 
attributes, but upon successful login flow, the app manages its own internal 
session state and timeout.

That said, in testing out a different CAS IdP implementation with Canvas 
provided by Technolutions in the Slate platform, I learned that the CAS client 
that Canvas uses only uses proxyValidate. (The Slate IdP only supports 
/serviceValidate). I'm not sure this is in any way related, but it's another 
data point.

Finally, we had Instructure hard-code our Canvas application session timeout to 
8 hours, which has had zero impact on the short session timeouts in CAS.

Has anyone else dealt with this issue with CAS + Canvas, and better still, 
solved it?

Thanks for any and all pointers, suggestions, etc.

-Mike

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
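
One way to run the access-log check suggested above, as an added example that is not part of the original thread. It assumes the CAS server writes combined-format access logs; the sample lines, host names and ticket values are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format); hosts and tickets are made up.
SAMPLE_LOG = '''\
203.0.113.10 - - [21/Aug/2020:19:01:02 -0700] "GET /cas/login?service=https%3A%2F%2Fcanvas.example.edu%2Flogin%2Fcas HTTP/1.1" 302 -
198.51.100.5 - - [21/Aug/2020:19:01:03 -0700] "GET /cas/proxyValidate?service=https%3A%2F%2Fcanvas.example.edu%2Flogin%2Fcas&ticket=ST-1-abc HTTP/1.1" 200 612
203.0.113.10 - - [21/Aug/2020:19:09:40 -0700] "GET /cas/login?service=https%3A%2F%2Fcanvas.example.edu%2Flogin%2Fcas HTTP/1.1" 302 -
198.51.100.5 - - [21/Aug/2020:19:09:41 -0700] "GET /cas/proxyValidate?service=https%3A%2F%2Fcanvas.example.edu%2Flogin%2Fcas&ticket=ST-2-def HTTP/1.1" 500 0
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ENDPOINTS = ("login", "serviceValidate", "proxyValidate", "proxy")

def parse(log_text):
    """Yield (client, endpoint, query_params, status) for CAS protocol requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, status = m.groups()
        url = urlsplit(target)
        endpoint = url.path.rstrip("/").rsplit("/", 1)[-1]
        if endpoint in ENDPOINTS:
            yield client, endpoint, parse_qs(url.query), int(status)

def summarize(log_text):
    """Count requests per (endpoint, status) and pick out proxy-related signals."""
    counts, failures, pgt_requests = Counter(), [], 0
    for client, endpoint, params, status in parse(log_text):
        counts[(endpoint, status)] += 1
        # CAS normally reports a rejected ticket inside the XML body, so a 200
        # shows the request reached CAS, not that the ticket validated.
        if endpoint != "login" and status >= 400:
            failures.append((client, endpoint, status))
        # pgtUrl on a validate call, or any call to /proxy, means a proxy
        # ticket flow is really in use, not just validation via /proxyValidate.
        if "pgtUrl" in params or endpoint == "proxy":
            pgt_requests += 1
    return counts, failures, pgt_requests

if __name__ == "__main__":
    counts, failures, pgt_requests = summarize(SAMPLE_LOG)
    for (endpoint, status), n in sorted(counts.items()):
        print(f"{endpoint:16} {status} x{n}")
    print("failed validation/proxy requests:", failures)
    print("requests involving a PGT:", pgt_requests)
```

A PGT count of zero alongside /proxyValidate traffic means the client is only validating service tickets through that endpoint and never asks for a proxy ticket.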
