Hi Nathan, I highly expect that #2 is why it's not yet working. Java, by default, never lets go of a DNS resolution record until the application restarts. You have to pass an argument at startup of your CAS application to indicate an expiry TTL.
I did this recently on our CAS server when we did some work with our Active Directory that provides group membership and needed it to get a new IP address for the AD LDAP server(s).

-Mike

On Fri, Nov 13, 2020 at 11:18 AM Nathan Lewan <[email protected]> wrote:

> Very interesting, thanks!
>
> So I tried to do a reverse DNS lookup on the entity host based on the
> Shibboleth entityID's hostname, and came up with no record.
>
> They are not being super helpful with me, so I tried to cheat. I just
> added a reverse lookup zone on the DNS server that CAS talks to, and added
> the entry in there as a test. It did not seem to help, but:
>
> 1. I don't know if a cheat like that would actually work (this is just
> temporary, proof of concept, no way would I leave it like that in
> production)
> 2. I have not restarted CAS. I did do a dig -x on the CAS host, and it
> successfully reverse-resolved the IP of the entity server
>
> Thanks very much for the quick response, I have a lead which feels very
> good!
>
> On Fri, Nov 13, 2020 at 1:30 PM David Curry <[email protected]> wrote:
>
>> We just ran into this recently with an older version of CAS (5.2.9).
>>
>> CAS populates the SubjectLocality by doing a reverse DNS lookup on the IP
>> address of the entity that's calling it (the application the user is trying
>> to log into). If the DNS lookup fails, then it doesn't put anything in
>> there, which makes Shibboleth very unhappy.
>>
>> In our case, the fix was to get the company running the application that
>> was calling CAS to register DNS entries for their IP addresses. All of a
>> sudden everything started working.
>>
>> --Dave
>>
>> --
>> DAVID A. CURRY, CISSP
>> DIRECTOR • INFORMATION SECURITY & PRIVACY
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • [email protected]
>>
>> On Fri, Nov 13, 2020 at 1:12 PM Nathan Lewan <[email protected]> wrote:
>>
>>> Hello!
>>>
>>> I am trying to get CAS 6.1.0 to integrate with an SP that uses Shibboleth.
>>>
>>> I appear to have everything in place, however they are requiring my
>>> responses to have in the *AuthnStatement* a *SubjectLocality* entry.
>>>
>>> It is currently empty in all my responses. Here's what it looks like:
>>>
>>> <saml2:AuthnStatement AuthnInstant="[removed]" SessionIndex="[removed]">
>>>   <saml2:SubjectLocality/>
>>>   <saml2:AuthnContext>
>>>     <saml2:AuthnContextClassRef>
>>>       urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>>>     </saml2:AuthnContextClassRef>
>>>   </saml2:AuthnContext>
>>> </saml2:AuthnStatement>
>>>
>>> As you can see, it's blank, and I have no idea how to get it populated!
>>> Any hints would be appreciated. Looking for info on this, you can find
>>> much related to Shibboleth, but I have not found anything on how one could
>>> get CAS to populate this.
>>>
>>> Thanks!
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjkrJ8hk5geJbz_tbN1NgVSxESjAGUAfqcmOd8vpTHuUYQ%40mail.gmail.com
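The JVM knob Mike refers to and the reverse lookup Dave describes, as an added example that is not code from the thread or from CAS: it sets the JDK's positive and negative DNS cache TTLs before the first lookup (they are security properties, so `-Dnetworkaddress.cache.ttl` is not read; the `-D` fallback the JDK honours is `sun.net.inetaddr.ttl`) and then reverse-resolves a caller IP the way SubjectLocality needs, reporting when no PTR record exists. The class name and the TTL values are my own choices.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

/**
 * Added example, not CAS code. Demonstrates the two points from the thread:
 * a bounded JVM DNS cache (so a newly registered PTR record or a changed
 * LDAP server IP is picked up without restarting CAS) and the reverse
 * lookup whose failure leaves <saml2:SubjectLocality/> empty.
 */
public class ReverseDnsCheck {

    /** Seconds a successful lookup is cached; -1 means forever. Chosen value. */
    static final String POSITIVE_TTL = "60";
    /** Seconds a failed lookup is cached (JDK default is 10). Chosen value. */
    static final String NEGATIVE_TTL = "5";

    /**
     * Must run before the first InetAddress lookup: the JDK reads these
     * once when its cache policy class initialises. JDK default without a
     * SecurityManager is 30 s; with one installed it caches forever.
     * Equivalent to editing conf/security/java.security, or to starting
     * the JVM with -Dsun.net.inetaddr.ttl=60 -Dsun.net.inetaddr.negative.ttl=5.
     */
    static void configureDnsCache() {
        Security.setProperty("networkaddress.cache.ttl", POSITIVE_TTL);
        Security.setProperty("networkaddress.cache.negative.ttl", NEGATIVE_TTL);
    }

    /**
     * Reverse-resolve an IP literal. Returns null when there is no usable
     * PTR record, the condition that produces an empty SubjectLocality.
     */
    static String reverseLookup(String ip) {
        try {
            InetAddress addr = InetAddress.getByName(ip);  // literal: no forward lookup
            String host = addr.getCanonicalHostName();     // PTR lookup, JVM-cached
            // On failure the JDK hands back the textual IP instead of a name.
            return host.equals(addr.getHostAddress()) ? null : host;
        } catch (UnknownHostException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        configureDnsCache();
        String ip = args.length > 0 ? args[0] : "127.0.0.1";
        String host = reverseLookup(ip);
        System.out.println(host == null
            ? ip + ": no PTR record, SubjectLocality would be empty"
            : ip + " -> " + host);
    }
}
```

Run it twice against the entity server's IP, once before and once after adding the PTR record, to confirm the new record is visible within the TTL rather than only after a restart.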
