Gabriel,

I ended up setting cas.server.name and cas.server.prefix, neither config
has a port specified.
For SAML, I left the port specified in cas.authn.saml-idp.core.entity-id,
that way I can keep my old metadata.

Turns out CAS is the touchy one, SAML doesn't care where you hit as long as
the entity id and session state info is there.
The error I experienced is actually more with the interaction between the
CAS and Duo modules. CAS passes the URL you accessed it by (including port
info) to the Duo prompt when you're redirected. Then Duo passes that URL
back to CAS and if it doesn't match the cas.server.name and
cas.server.prefix then you'll see an "MFA provider unavailable" error.

Most of our CAS applications were set up without the port specified. I
tested all the apps I had access to and concluded that only a small portion
of our apps would have login issues. We bit the bullet and decided to push
the update to CAS 7 and correct the few services that had issues. Turns out
we got pretty lucky and only one app had the port specified.
*Jeremiah Garmatter*
Linux Systems Administrator
Office of Information Technology
IT Building 107
419-772-1074
[email protected]
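
A pre-flight check along the lines of the app audit described above, added here as an example and not code from the thread or from CAS itself: it takes the value intended for cas.server.name and a list of login links (constructed sample data, with assumed host and app names) and flags the links whose scheme, host or port differ, i.e. the ones that would carry a port into the Duo round-trip. Links with an explicit default port are reported separately, since nothing in the thread says CAS treats them as equal to the bare form.

```python
from urllib.parse import urlsplit

# Constructed values for this example; substitute your own cas.server.name.
CAS_SERVER_NAME = "https://my.cas.server"        # cas.server.name, no port
CAS_SERVER_PREFIX = CAS_SERVER_NAME + "/cas"     # cas.server.prefix

# Constructed sample of login links as applications might embed them.
SAMPLE_LINKS = [
    "https://my.cas.server/cas/login?service=https%3A%2F%2Fapp1.example.edu%2F",
    "https://MY.CAS.SERVER/cas/login?service=https%3A%2F%2Fapp2.example.edu%2F",
    "https://my.cas.server:443/cas/login?service=https%3A%2F%2Fapp3.example.edu%2F",
    "https://my.cas.server:8443/cas/login?service=https%3A%2F%2Fapp4.example.edu%2F",
    "http://my.cas.server/cas/login?service=https%3A%2F%2Fapp5.example.edu%2F",
]

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, effective port); a missing port maps to the
    scheme default so that https://h and https://h:443 compare equal here."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def classify(link, server_name=CAS_SERVER_NAME):
    """'mismatch' when scheme/host/port differ from cas.server.name;
    'explicit-default-port' when only the presence of an explicit :443/:80
    differs (still worth verifying); otherwise 'ok'."""
    if origin(link) != origin(server_name):
        return "mismatch"
    if urlsplit(link).port != urlsplit(server_name).port:
        return "explicit-default-port"
    return "ok"


def audit(links, server_name=CAS_SERVER_NAME):
    """Map every link that is not 'ok' to its verdict."""
    verdicts = {link: classify(link, server_name) for link in links}
    return {link: v for link, v in verdicts.items() if v != "ok"}


if __name__ == "__main__":
    for link, verdict in audit(SAMPLE_LINKS).items():
        print(f"{verdict:22} {link}")
```

Feed it the login links harvested from your service registry or application configs to get the short list that needs updating before the cutover.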


On Wed, Aug 21, 2024 at 4:05 PM Gabriel Antonio Batista Nascimento <
[email protected]> wrote:

> Hi Jeremiah,
>
> I'm running CAS 6.6.x with an embedded Tomcat and trying to do exactly
> what you said:
>   access it without specifying the port, so I can reach it with
> https://my.domain.com.br/cas/login
> Now I'm unable to do it. Even if I set the server name without the port
> I'm unable to reach the application for logging in.
>
> Which properties did you set to do so? Did you configure anything else
> outside the application or Tomcat to reach it?
> On Friday, January 5, 2024 at 13:58:59 UTC-3, Jeremiah Garmatter
> wrote:
>
>> Hello,
>>
>> I am trying out CAS 7 with the embedded Tomcat instance. I noticed a
>> change in behavior that will impact my authentication flow and wanted to
>> see if anyone else has come across it and found a workaround.
>>
>> I run my CAS server over port 8443 but, for user convenience, I forward
>> traffic from port 443 to 8443. This way my users can access SSO without
>> specifying a port number. In the past I have had no issues visiting
>> https://my.cas.server/cas/login, authenticating via LDAP, then MFA via
>> Duo.
>>
>> On CAS 7, it seems like CAS is more aware of the URL used during
>> authentication though. When I visit the URL without port 8443 specified, I
>> can LDAP auth and MFA through Duo, but upon *return* from Duo to CAS I
>> receive the "MFA provider unavailable" message. If I specify the port,
>> https://my.cas.server*:8443*/cas/login, I have no trouble returning to
>> CAS after Duo MFA.
>>
>> If I can't get this to work, I'll have to reach out to all my CAS
>> services and notify my organization to update any links.
>>
>

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABX%3DCB0xym23fbBmnvXYj1fqv7qExN%3DCsX8wEp2U3CxgHiZx9g%40mail.gmail.com.