Jeremiah,

Could a URL rewrite (that strips :8443) work?
After updating metadata ...

Ray

On Fri, 2024-01-05 at 12:40 -0800, Jeremiah Garmatter wrote:

Thanks for the reply Baron,

Unfortunately, it seems that changing the cas.server.name only shifts the 
problem instead of getting around it.
I can choose whether to require the port in the URL or not, but I cannot allow 
both situations by changing that configuration.
Ideally, I would be able to log in in both situations, port specified or not, as 
I could with the older versions of CAS.

This behavior is important to me because I use CAS to authenticate CAS apps and 
SAML2 apps.
Unfortunately, we were not consistent in registering apps so many of the CAS 
apps were configured without the port specified and the opposite goes for our 
SAML2 apps.
It looks like I may have to make them all consistent now.


On Fri, Jan 5, 2024 at 2:25 PM Baron Fujimoto <[email protected]> wrote:
Hi Jeremiah,

We don't use the embedded Tomcat and have a load balancer forwarding port 443 
to 8443 on Tomcat, but I ran into the "MFA provider unavailable" issue when 
testing with an individual backend cluster node's hostname rather than the 
cluster's public CNAME. I was able to work around it for our testing purposes 
by setting cas.server.name in cas.properties to match what CAS is apparently 
expecting. Perhaps a similar approach may work for you?


#cas.server.name=publicname.example.edu
cas.server.name=nodename.example.edu:8443

Aloha,
-baron

On Fri, Jan 5, 2024 at 6:59 AM Jeremiah Garmatter <[email protected]> wrote:
Hello,

I am trying out CAS 7 with the embedded Tomcat instance. I noticed a change in 
behavior that will impact my authentication flow and wanted to see if anyone 
else has come across it and found a work around.

I run my CAS server over port 8443 but, for user convenience, I forward traffic 
from port 443 to 8443. This way my users can access SSO without specifying a 
port number. In the past I have had no issues visiting 
https://my.cas.server/cas/login, authenticating via LDAP, then MFA via Duo.

On CAS 7, it seems like CAS is more aware of the URL used during authentication 
though. When I visit the URL without port 8443 specified, I can LDAP auth and 
MFA through Duo, but upon return from Duo to CAS I receive the "MFA provider 
unavailable" message. If I specify the port, 
https://my.cas.server:8443/cas/login, I have no trouble returning to CAS after 
Duo MFA.

If I can't get this to work, I'll have to reach out to all my CAS services and 
notify my organization to update any links.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5be8a8f9-9921-498d-8219-773ab3011248n%40apereo.org.


--
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

--
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9c815d0914983ad4ed60cc814bb73b0590c4290e.camel%40uvic.ca.
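The distinction the whole thread turns on is that an origin includes the effective port: https://my.cas.server (implicit 443) and https://my.cas.server:8443 are different origins even though the port forward makes them reach the same Tomcat, so a server that compares the URL it builds from cas.server.name against the URL the browser actually used can only ever match one of the two forms. The script below is an added illustration, not part of any message above and not CAS's own code: it models that strict comparison and then audits a constructed set of client registrations (the CAS-client and SAML2-SP split Jeremiah describes) against a candidate cas.server.name, so you can see which registrations would be on the wrong origin before changing the property. The hostnames, client names and the shape of the check are assumptions for the example.

```python
"""Origin comparison for the cas.server.name / forwarded-port situation.

Added example; models the check, does not reproduce CAS internals.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, effective port) for a URL.

    An explicit default port (https://h:443) is the same origin as no port
    (https://h); any other port is a different origin, even on the same host.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def callback_matches(server_name: str, browser_url: str) -> bool:
    """Model of the strict check: the URL CAS builds from cas.server.name must
    share the origin of the URL the browser is on, otherwise the return from
    the MFA provider lands on a different origin (assumption of the model)."""
    return same_origin(server_name, browser_url)


def audit_client_configs(server_name: str, client_cas_urls: dict[str, str]) -> list[str]:
    """Names of clients whose configured CAS base URL is on a different origin
    than cas.server.name; these are the ones that would hit the mismatch."""
    return sorted(
        name for name, url in client_cas_urls.items()
        if not same_origin(server_name, url)
    )


# Constructed sample registrations (not the poster's real data): CAS clients
# were pointed at the port-less URL, SAML2 SPs at the :8443 URL.
CLIENT_CAS_URLS = {
    "wiki (CAS client)": "https://my.cas.server/cas",
    "ticketing (CAS client)": "https://my.cas.server/cas",
    "hr-portal (SAML2 SP)": "https://my.cas.server:8443/cas/idp",
    "lms (SAML2 SP)": "https://my.cas.server:8443/cas/idp",
}

if __name__ == "__main__":
    for candidate in ("https://my.cas.server", "https://my.cas.server:8443"):
        bad = audit_client_configs(candidate, CLIENT_CAS_URLS)
        print(f"cas.server.name={candidate}: {len(bad)} client(s) on another origin: {bad}")
```

Whichever value you pick for cas.server.name, one group of clients is left on the other origin, which is the "only shifts the problem" outcome; the audit just makes the affected set explicit so the registrations (or the links users follow) can be brought onto one origin deliberately.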
