Jeremiah,

It is simpler to change CAS to run on 443 instead, i.e. no port specified. (One bit of work for you instead of many bits of work for all service providers). CAS does not need to know the port if you are forwarding. We front our Tomcat (running 8443) with Apache (default ports) which forwards to Tomcat.

Ray

On Fri, 2024-01-05 at 08:28 -0800, Jeremiah Garmatter wrote:

Hello,

I am trying out CAS 7 with the embedded Tomcat instance. I noticed a change in behavior that will impact my authentication flow and wanted to see if anyone else has come across it and found a workaround.

I run my CAS server over port 8443 but, for user convenience, I forward traffic from port 443 to 8443. This way my users can access SSO without specifying a port number. In the past I have had no issues visiting https://my.cas.server/cas/login, authenticating via LDAP, then MFA via Duo.

On CAS 7, it seems like CAS is more aware of the URL used during authentication though. When I visit the URL without port 8443 specified, I can LDAP auth and MFA through Duo, but upon return from Duo to CAS I receive the "MFA provider unavailable" message. If I specify the port, https://my.cas.server:8443/cas/login, I have no trouble returning to CAS after Duo MFA.

If I can't get this to work, I'll have to reach out to all my CAS services and notify my organization to update any links.
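
The front-end arrangement Ray describes (Apache on the default ports forwarding to Tomcat on 8443), sketched as an added example that is not taken from the thread or from the CAS project. The host name my.cas.server comes from the original message; the certificate paths are placeholders, and TLS on the Tomcat side and the /cas context path are assumptions.

```apache
# Constructed example: Apache httpd on 443 in front of the CAS Tomcat on 8443.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
<VirtualHost *:443>
    ServerName my.cas.server

    # Browser-facing TLS; certificate paths are placeholders.
    SSLEngine on
    SSLCertificateFile    /path/to/frontend-cert.pem
    SSLCertificateKeyFile /path/to/frontend-key.pem

    # TLS to the Tomcat back end with verification left on.
    # The Tomcat certificate must chain to this CA and pass httpd's
    # peer-name check (enabled by default in 2.4).
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/backend-ca.pem

    # Pass the original Host header through, so the application sees
    # my.cas.server with no port instead of the back-end address.
    ProxyPreserveHost On

    # Describe the external scheme and port to the back end. These are
    # only honoured if the back end is configured to trust the proxy.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # Forward only the CAS context path.
    ProxyPass        /cas https://localhost:8443/cas
    ProxyPassReverse /cas https://localhost:8443/cas
</VirtualHost>
```

With this in place, port 8443 only needs to be reachable from the proxy host, so it can be bound to loopback or firewalled from clients.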
