I was out of commission with Covid for a while there... Thanks for the suggestions. A URL rewrite sounds promising. I'll have to test this idea out.
On Saturday, January 6, 2024 at 12:00:58 AM UTC-5 Ray Bon wrote:

> Jeremiah,
>
> Could a URL rewrite (that strips :8443) work?
> After updating metadata ...
>
> Ray
>
> On Fri, 2024-01-05 at 12:40 -0800, Jeremiah Garmatter wrote:
>
> > Thanks for the reply Baron,
> >
> > Unfortunately, it seems that changing the cas.server.name only shifts the problem instead of getting around it.
> > I can choose whether to require the port in the URL or not, but I cannot allow both situations by changing that configuration.
> > Ideally, I would be able to login in both situations, port specified or not, as I could with the older versions of CAS.
> >
> > This behavior is important to me because I use CAS to authenticate CAS apps and SAML2 apps.
> > Unfortunately, we were not consistent in registering apps so many of the CAS apps were configured without the port specified and the opposite goes for our SAML2 apps.
> > It looks like I may have to make them all consistent now.
> >
> > On Fri, Jan 5, 2024 at 2:25 PM Baron Fujimoto <[email protected]> wrote:
> >
> > > Hi Jeremiah,
> > >
> > > We don't use the embedded Tomcat and have a load balancer forwarding port 443 to 8443 on Tomcat, but I ran into the "MFA provider unavailable" issue when testing with an individual backend cluster node's hostname rather than the cluster's public CNAME. I was able to work around it for our testing purposes by setting cas.server.name in cas.properties to match what CAS is apparently expecting. Perhaps a similar approach may work for you?
> > >
> > > #cas.server.name=publicname.example.edu
> > > cas.server.name=nodename.example.edu:8443
> > >
> > > Aloha,
> > > -baron
> > >
> > > On Fri, Jan 5, 2024 at 6:59 AM Jeremiah Garmatter <[email protected]> wrote:
> > >
> > > > Hello,
> > > >
> > > > I am trying out CAS 7 with the embedded Tomcat instance.
> > > > I noticed a change in behavior that will impact my authentication flow and wanted to see if anyone else has come across it and found a workaround.
> > > >
> > > > I run my CAS server over port 8443 but, for user convenience, I forward traffic from port 443 to 8443. This way my users can access SSO without specifying a port number. In the past I have had no issues visiting https://my.cas.server/cas/login, authenticating via LDAP, then MFA via Duo.
> > > >
> > > > On CAS 7, it seems like CAS is more aware of the URL used during authentication though. When I visit the URL without port 8443 specified, I can LDAP auth and MFA through Duo, but upon *return* from Duo to CAS I receive the "MFA provider unavailable" message. If I specify the port, https://my.cas.server*:8443*/cas/login, I have no trouble returning to CAS after Duo MFA.
> > > >
> > > > If I can't get this to work, I'll have to reach out to all my CAS services and notify my organization to update any links.
> > >
> > > --
> > > Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> > > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0641c0d7-eea8-4231-8ba7-d0627032489fn%40apereo.org.
