CAS 6.1.7: Hazelcast ticket storage, LDAP auth and attribute storage, Duo MFA

Recently experienced an issue where an attribute for Person A was released 
during Person B's session.  This caused Person B to have access to Person A's 
mailbox (Office365).  
Trying to track down if this is due to a hashkey collision in the attribute 
cache, or an issue with the attribute resolver itself?  We use an inline 
Groovy script to create the attributes that were mixed up. 
I've disabled releasing cached attributes 
<https://github.com/apereo/cas/blob/6.1.x/docs/cas-server-documentation/integration/Attribute-Release-Caching.md>
for this service, as it's the only one where we have heard of this 
happening. 

See in the logs how the attribute windowsaccountname shows PersonA, and the 
UPN shows PersonB. 

2022-10-16 17:59:58,415 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: PersonA
WHAT: ST-15460616-qgcEiZFoXWfW3unFtlo8EbuTGWc-vlpcas01 for https://cas.example.edu/cas/idp/profile/SAML2/Callback?entityId=http%3A%2F%2Fcas-1.example.edu%2Fadfs%2Fservices%2Ftrust&SAMLReq
     ...
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 2600:8805:a980:e500:*:*:*:66ab
SERVER IP ADDRESS: 10.19.*.*
=============================================================

2022-10-16 17:59:58,419 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: PersonB
WHAT: ST-15460617-b9UL3ypUQKwGlb79Ax4AmyMN84c-vlpcas01 for https://cas.example.edu/cas/idp/profile/SAML2/Callback?entityId=http%3A%2F%2Fcas-1.example.edu%2Fadfs%2Fservices%2Ftrust&SAMLReq
     ...
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 68.9.*.102
SERVER IP ADDRESS: 10.19.*.*
=============================================================

2022-10-16 17:59:58,528 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://cas-1.example.edu/adfs/services/t...,principal=SimplePrincipal(id=PersonB,attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[pers...@domain.example.edu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 10.19.*.*
SERVER IP ADDRESS: 10.19.*.249
=============================================================

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/433a7455-4d0d-4751-9b13-1cfc6d996f5fn%40apereo.org.
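An added example, not part of the original post and not CAS project code: a small Python script that parses inspektr audit records in the format quoted above and flags SERVICE_ACCESS_ENFORCEMENT_TRIGGERED records where a released identity claim (windowsaccountname or upn) names a different account than the principal id. Running it over the full audit log is one way to measure how often, and for which services, the cross-user release in the post occurred. The records in the block are constructed, modelled on the post's excerpt; the assumption that the principal id equals the sAMAccountName behind the DOMAIN\ prefix and the UPN local part is specific to this deployment.

```python
import re

# Constructed sample records in the format of the audit excerpt quoted in the
# post (not real captures). The second record's WHAT line is wrapped on purpose
# to show that the parser rejoins continuation lines.
SAMPLE_AUDIT = r"""
2022-10-16 17:59:58,419 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: PersonB
WHAT: ST-2-constructed-vlpcas01 for https://cas.example.edu/cas/idp/profile/SAML2/Callback
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
=============================================================

2022-10-16 17:59:58,528 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://cas-1.example.edu/adfs/services/trust,principal=SimplePrincipal(id=PersonB,
attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA],
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[personb@domain.example.edu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
=============================================================

2022-10-16 18:00:03,101 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://cas-1.example.edu/adfs/services/trust,principal=SimplePrincipal(id=PersonC,attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonC], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[personc@domain.example.edu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sun Oct 16 18:00:03 EDT 2022
=============================================================
"""

RECORD_START = "Audit trail record BEGIN"
FIELD_RE = re.compile(r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): ?(.*)$")
PRINCIPAL_RE = re.compile(r"SimplePrincipal\(id=([^,)]+)")
# key=[value] pairs inside attributes={...}; claim URIs contain no spaces or commas
ATTR_RE = re.compile(r"([^\s{,]+?)=\[([^\]]*)\]")
# Released claims whose value must name the same account as the principal id.
# Assumption for this deployment: principal id == sAMAccountName == UPN local part.
IDENTITY_CLAIMS = {
    "windowsaccountname": lambda v: v.split("\\")[-1],  # drop the DOMAIN\ prefix
    "upn": lambda v: v.split("@", 1)[0],
}


def parse_audit_records(text):
    """Split an inspektr audit log into dicts keyed by the record's field names."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if RECORD_START in line:
            current, last_key = {}, None
            records.append(current)
            continue
        if current is None or not line or line.startswith("="):
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key:
            current[last_key] += line  # continuation of a wrapped field
    return records


def find_attribute_mismatches(records):
    """Return access-enforcement records whose released identity claims name another account."""
    findings = []
    for rec in records:
        if rec.get("ACTION") != "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED":
            continue
        what = rec.get("WHAT", "")
        pm = PRINCIPAL_RE.search(what)
        if not pm:
            continue
        principal = pm.group(1).strip()
        for claim_uri, value in ATTR_RE.findall(what):
            name = claim_uri.rsplit("/", 1)[-1]
            extract = IDENTITY_CLAIMS.get(name)
            if extract and extract(value).casefold() != principal.casefold():
                findings.append({"when": rec.get("WHEN"), "principal": principal,
                                 "attribute": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in find_attribute_mismatches(parse_audit_records(SAMPLE_AUDIT)):
        print(f"{f['when']}: principal {f['principal']} was released {f['attribute']}={f['value']}")
```

Point the script at the real audit log instead of SAMPLE_AUDIT to get every affected principal and timestamp; correlating the hits with the SERVICE_TICKET_CREATED records immediately before them (as in the post, two tickets created 4 ms apart on the same node) helps distinguish a cache-key collision from a resolver bug, since a collision should only surface when two resolutions overlap.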