The TGT crypto algorithm configuration has changed. We ran into similar but different issues with our Banner environment (currently on 7.2.7 in prod and 7.3 in dev):

# the new algorithm
cas.tgc.crypto.alg=A256CBC-HS512
cas.tgc.crypto.encryption.key=<can be found in the cas logs on startup>
cas.tgc.crypto.encryption.key-size=512
cas.tgc.crypto.signing.key-size=512
cas.tgc.crypto.signing.key=<can be found in the cas logs on startup>

We also tried the cas.http-web-request.header.xframe-options config; it didn't have any effect for us, updating the TGC crypto did.

On Tue, Feb 10, 2026 at 11:20 AM Baron Fujimoto <[email protected]> wrote:

> When we attempted to upgrade from CAS 7.0.x to CAS 7.2.x, we ran into a
> problem with some Banner apps we integrate with. This problem is still
> present with CAS 7.3.x, but we are now obligated to upgrade to 7.3 to
> handle the Duo expiring certificate issue.
>
> This is what the Banner side reports when they encounter the problem that
> prevents their authentication:
> =====
> Cookie "" has been rejected as third-party.
> Request to access cookie or storage on "‹URL›" was blocked because we are
> blocking all third-party storage access requests and Enhanced Tracking
> Protection is enabled.
> Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
> samesite=none; secure; httponly" has been rejected as third-party.
> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
> Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
> as third-party.
> Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
> samesite=none; secure; httponly" has been rejected as third-party.
> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
> Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
> as third-party.
> The loading of "
> https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi
> spring cas security check" in a frame is denied by "X-Frame-Options"
> directive set to "deny".
> =====
>
> They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS.
>
> Is this even a CAS thing? From what I gather, it's applicable to the web
> server? But we were using the same web server (Tomcat 10.1.x for CAS 7.2,
> and now Tomcat 11.0.x for CAS 7.3), and we don't encounter these issues for
> other apps.
>
> Is this something controlled by CAS after all? If so, can we tweak it
> as requested – preferably just for their service registrations?
>
> Because only these Banner apps suffer from this as far as we know, we were
> inclined to think that the problem is on the application side. But
> ultimately because these apps are so important to the institution, we need
> to find a workaround one way or another.
>
> Any ideas or suggestions would be appreciated.
>
> --
> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1xoLy6jxkayrK8%2B7fyz259OV7W4WUcFYFax2zHZZwgVQ%40mail.gmail.com
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1xoLy6jxkayrK8%2B7fyz259OV7W4WUcFYFax2zHZZwgVQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

--
Erik Mallory
------------------------
"A happy man's paradise is his own good nature." - Edward Abbey
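
A small linter for the cas.tgc.crypto.* settings discussed in this thread, added as an example (not code from either poster or from the CAS project). It assumes the keys are base64url-encoded octet strings and that the file uses plain key=value lines; the sample input and its keys are constructed.

```python
import base64

PREFIX = "cas.tgc.crypto."

def parse_properties(text):
    """Parse simple key=value lines; return (props, problems)."""
    props, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # only whole-line comments exist
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in props:
            problems.append(f"line {n}: duplicate key {key}, last value wins")
        if " #" in value:
            problems.append(f"line {n}: text after '#' is not a comment, it is part of {key}")
        props[key] = value
    return props, problems

def key_bits(value):
    """Bit length of a base64url key (padding optional), None if undecodable."""
    try:
        return len(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))) * 8
    except ValueError:
        return None

def lint_tgc_crypto(text):
    """Return a list of problems found in the TGC crypto settings."""
    props, problems = parse_properties(text)
    for part in ("encryption", "signing"):
        key = props.get(f"{PREFIX}{part}.key")
        size = props.get(f"{PREFIX}{part}.key-size", "")
        if not key:
            problems.append(f"{part}.key is unset, so CAS generates one at startup")
        elif size.isdigit() and key_bits(key) != int(size):
            problems.append(f"{part}.key is {key_bits(key)} bits but key-size is {size}")
    return problems

# Constructed, non-secret keys for the constructed sample input below.
KEY_512 = base64.urlsafe_b64encode(bytes(range(64))).decode().rstrip("=")
KEY_256 = base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")
SAMPLE = f"""\
cas.tgc.crypto.alg=A256CBC-HS512 #the new algorithm
cas.tgc.crypto.encryption.key={KEY_256}
cas.tgc.crypto.encryption.key-size=512
cas.tgc.crypto.signing.key=512
cas.tgc.crypto.signing.key={KEY_512}
"""

if __name__ == "__main__":
    for problem in lint_tgc_crypto(SAMPLE):
        print(problem)
```
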
