Thanks, Ray! I appreciate the pointer. It's nice to have another lead to chase down.
On Mon, Aug 24, 2020 at 9:41 AM Ray Bon <[email protected]> wrote:

> Mike,
>
> This sounds like a proxy failure. The user successfully logs in, but when
> a proxy ticket is required, there is a failure and the user is returned to
> the login page (am I understanding correctly?).
>
> Check your access logs for Canvas and cas to see if communication is
> successful when a PT is needed.
> You can use the below to get some logging from cas:
>
> <!-- see what cas is sending / receiving -->
> <AsyncLogger name="org.apache.http" level="debug" />
>
> <!-- DEBUG Response code from server matched [###] may be useful
>      for debugging proxy
>      Created HTTP post message payload [POST URL] on logout
> -->
> <AsyncLogger name="org.apereo.cas.util.http.SimpleHttpClient"
>              level="error" />
>
> Ray
>
> On Fri, 2020-08-21 at 19:43 -0700, Mike Osterman wrote:
>
> Disclaimer: I know this is a CAS list, not a Canvas list, but the
> combination of the two is having issues, and I've run out of road working
> with Instructure support.
>
> Late last semester, we started experiencing issues where Canvas users were
> getting logged out frequently. I believe it started around the time that we
> switched Canvas from CAS 3.x to our CAS 5.3.x IdP. We also made the switch
> from defaulting login to CAS for all users, where external "guest" accounts
> had to know the native Canvas account login URL, to the Discovery page
> setup, where users are presented with Door #1 (Institutional SSO) and Door
> #2 (native Canvas accounts).
>
> I worked with Instructure support, and they insisted that the cause was
> our CAS server, which doesn't track with the pattern I see with most
> CASified applications: the app redirects to CAS to authenticate and gets
> returned some attributes, but upon successful login flow, the app manages
> its own internal session state and timeout.
>
> That said, in testing out a different CAS IdP implementation with Canvas
> provided by Technolutions in the Slate platform, I learned that the CAS
> client that Canvas uses only uses proxyValidate. (The Slate IdP only
> supports /serviceValidate). I'm not sure this is in any way related, but
> it's another data point.
>
> Finally, we had Instructure hard-code our Canvas application session
> timeout to 8 hours, which has had zero impact on the short session timeouts
> in CAS.
>
> Has anyone else dealt with this issue with CAS + Canvas, and better still,
> solved it?
>
> Thanks for any and all pointers, suggestions, etc.
>
> -Mike
>
> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/11b6ce7d3ad57e30b5448244d6ef02f1c8f1617e.camel%40uvic.ca
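Added example, not part of the thread or of the CAS or Canvas code: one way to follow the access-log suggestion above is to tally CAS protocol endpoint hits and check whether proxy tickets are actually in play (a `pgtUrl` parameter, a call to `/proxy`, or a `PT-` ticket) rather than just `/proxyValidate` being used to validate service tickets. The log lines, host names, `/cas` context path and ticket values are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample (common log format); hosts, /cas context path and tickets are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Aug/2020:09:00:01 -0700] "GET /cas/login?service=https%3A%2F%2Fcanvas.example.edu%2Flogin%2Fcas HTTP/1.1" 302 -
198.51.100.7 - - [24/Aug/2020:09:00:02 -0700] "GET /cas/proxyValidate?service=https%3A%2F%2Fcanvas.example.edu%2Flogin%2Fcas&ticket=ST-1-abc HTTP/1.1" 200 512
198.51.100.7 - - [24/Aug/2020:09:05:10 -0700] "GET /cas/proxyValidate?service=https%3A%2F%2Fcanvas.example.edu%2Flogin%2Fcas&ticket=ST-2-def&pgtUrl=https%3A%2F%2Fcanvas.example.edu%2Fpgt HTTP/1.1" 200 498
198.51.100.7 - - [24/Aug/2020:09:05:11 -0700] "GET /cas/proxy?pgt=PGT-1-xyz&targetService=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 500 120
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# CAS protocol endpoints; longest suffixes first so /p3/... wins over the plain form.
ENDPOINTS = ("/p3/proxyValidate", "/p3/serviceValidate", "/proxyValidate",
             "/serviceValidate", "/proxy", "/login", "/logout")


def classify(path):
    """Return the CAS endpoint a request path ends with, or None."""
    return next((ep for ep in ENDPOINTS if path.endswith(ep)), None)


def summarize(log_text):
    """Tally CAS endpoint hits and report whether proxy tickets are really in play."""
    counts, failures, proxy_in_use = Counter(), [], False
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        endpoint = classify(url.path)
        if endpoint is None:
            continue
        status, params = int(m["status"]), parse_qs(url.query)
        counts[(endpoint, status)] += 1
        ticket = params.get("ticket", [""])[0]
        # A client asks for a PGT via pgtUrl, trades it at /proxy, and PTs start with "PT-".
        if endpoint == "/proxy" or "pgtUrl" in params or ticket.startswith("PT-"):
            proxy_in_use = True
        # HTTP status only: a 200 from a validate endpoint can still carry
        # <cas:authenticationFailure> in its body, which the CAS log shows.
        if status >= 400:
            failures.append((endpoint, status))
    return {"counts": counts, "proxy_in_use": proxy_in_use, "failures": failures}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```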
