When we attempted to upgrade from CAS 7.0.x to CAS 7.2.x, we ran into a
problem with some Banner apps we integrate with. This problem is still
present with CAS 7.3.x, but we are now obligated to upgrade to 7.3 to
handle the Duo expiring certificate issue.

This is what the Banner side reports when they encounter the problem that
prevents their authentication:
=====
Cookie "" has been rejected as third-party.
Request to access cookie or storage on "‹URL›" was blocked because we are
blocking all third-party storage access requests and Enhanced Tracking
Protection is enabled.
Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
as third-party.
Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
as third-party.
The loading of "
https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi
spring cas security check" in a frame is denied by "X-Frame-Options"
directive set to "deny".
=====

They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS.

Is this even a CAS thing? From what I gather, it's applicable to the web
server? But we were using the same web server (Tomcat 10.1.x for CAS 7.2,
and now Tomcat 11.0.x for CAS 7.3), and we don't encounter these issues for
other apps.

Is this something controlled by CAS after all? If so, can we tweak it as
requested, preferably just for their service registrations?

Because only these Banner apps suffer from this as far as we know, we were
inclined to think that the problem is on the application side. But
ultimately because these apps are so important to the institution, we need
to find a workaround one way or another.

Any ideas or suggestions would be appreciated.

-- 
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
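An added triage helper (not from the post, CAS or Banner) that models what the browser console above is reporting. Given the response headers a login URL returns and the origin of the page that tries to embed it, it decides whether the frame would be allowed, and it checks each Set-Cookie line for the attributes a cookie needs to be sent from a cross-site frame. One thing it makes visible: `X-Frame-Options: SAMEORIGIN` only permits framing by the same origin, so a page on `https://banner.example.edu:9000` embedding `https://cas.example.edu` is still blocked; allowing one specific embedder requires a CSP `frame-ancestors` source list, which browsers honour in preference to X-Frame-Options when both are present. The header values and the Banner origin below are constructed from the post's log for illustration; the scheme-less `frame-ancestors` host handling is a simplification of the CSP matching rules.

```python
"""Decide whether a browser would let one origin frame another, and whether
Set-Cookie lines are usable from a cross-site frame. Inputs are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Reduce a URL to its origin (scheme://host[:port]) as browsers compare it."""
    p = urlsplit(url)
    port = p.port
    if port is None or port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{port}"


def csp_frame_ancestors(headers):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    csp = headers.get("content-security-policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def source_matches(source, embedder, framed):
    """Match one frame-ancestors source expression against the embedder origin."""
    src = source.strip("'").lower()
    if src == "none":
        return False
    if src == "self":
        return embedder == framed
    if src == "*":
        return True
    if "://" not in src:
        # Simplification: a scheme-less host-source takes the framed page's scheme.
        src = urlsplit(framed).scheme + "://" + src
    s, e = urlsplit(src), urlsplit(embedder)
    if not s.hostname or s.scheme != e.scheme:
        return False
    host_ok = s.hostname == e.hostname or (
        s.hostname.startswith("*.") and e.hostname.endswith(s.hostname[1:])
    )
    s_port = s.port or DEFAULT_PORTS.get(s.scheme)
    e_port = e.port or DEFAULT_PORTS.get(e.scheme)
    return host_ok and s_port == e_port


def framing_allowed(headers, embedder_url, framed_url):
    """True if a page at embedder_url may put framed_url in an <iframe>."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder, framed = origin_of(embedder_url), origin_of(framed_url)
    sources = csp_frame_ancestors(h)
    if sources is not None:
        # CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
        return any(source_matches(s, embedder, framed) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == framed  # SAMEORIGIN never helps a cross-origin embedder
    return True  # no framing policy at all


def cookie_cross_site_problems(set_cookie):
    """Return (cookie name, list of attribute problems) for use from a cross-site frame."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    problems = []
    if attrs.get("samesite", "").lower() != "none":
        problems.append("SameSite must be None to be sent from a cross-site frame")
    if "secure" not in attrs:
        problems.append("Secure is required alongside SameSite=None")
    return name, problems


if __name__ == "__main__":
    banner = "https://banner.example.edu:9000/BannerAdmin.ws/"  # constructed from the log
    cas = "https://cas.example.edu/cas/login"
    for hdrs in ({"X-Frame-Options": "DENY"},
                 {"X-Frame-Options": "SAMEORIGIN"},
                 {"X-Frame-Options": "DENY",
                  "Content-Security-Policy": "frame-ancestors 'self' https://banner.example.edu:9000"}):
        print(hdrs, "->", framing_allowed(hdrs, banner, cas))
    print(cookie_cross_site_problems(
        "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly"))
```

Run against the cookies quoted in the console output, the attribute check reports nothing wrong: they already carry `samesite=none; secure`. That matches the log's own explanation that the browser is rejecting them because it blocks all third-party storage access under Enhanced Tracking Protection, not because an attribute is missing, so the cookie side cannot be fixed by the server alone.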
