Mahalo! We'll look into these. I think I found CAS documentation for the X-Frame stuff at <https://apereo.github.io/cas/7.3.x/services/Configuring-Service-Http-Security-Headers.html#cashttpwebrequestheaderxframePropertyConfig>.
However, I couldn't find docs for the cas.tgc.crypto properties. The search function at <https://apereo.github.io/cas/7.3.x/configuration/Configuration-Properties.html> can find the properties, but does not provide any links to documentation that elaborates on them in terms of possible values, etc. Do you know where they may be found?

On Tue, Feb 10, 2026 at 8:14 AM Erik Mallory <[email protected]> wrote:
>
> the TGT crypto algorithm configuration has changed. We ran into similar
> but different issues with our banner environment (currently on 7.2.7 in
> prod and 7.3 in dev)
> # the new algorithm
> cas.tgc.crypto.alg=A256CBC-HS512
> cas.tgc.crypto.encryption.key=<can be found in the cas logs on startup>
> cas.tgc.crypto.encryption.key-size=512
> cas.tgc.crypto.signing.key-size=512
> cas.tgc.crypto.signing.key=<can be found in the cas logs on startup>
>
> We also tried cas.http-web-request.header.xframe-options config, it didn't
> have any effect for us, updating the tgc crypto did.
>
> On Tue, Feb 10, 2026 at 11:20 AM Baron Fujimoto <[email protected]> wrote:
>
>> When we attempted to upgrade from CAS 7.0.x to CAS 7.2.x, we ran into a
>> problem with some Banner apps we integrate with. This problem is still
>> present with CAS 7.3.x, but we are now obligated to upgrade to 7.3 to
>> handle the Duo expiring certificate issue.
>>
>> This is what the Banner side reports when they encounter the problem that
>> prevents their authentication:
>> =====
>> Cookie "" has been rejected as third-party.
>> Request to access cookie or storage on "‹URL›" was blocked because we are
>> blocking all third-party storage access requests and Enhanced Tracking
>> Protection is enabled.
>> Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
>> samesite=none; secure; httponly" has been rejected as third-party.
>> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
>> Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
>> as third-party.
>> Cookie "session=e30=; path=/; expires-Mon, 09 Feb 2026 22:28:30 GMT;
>> samesite=none; secure; httponly" has been rejected as third-party.
>> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
>> Feb 2026 22:28:30 GNT; samesite=none; secure; httponly" has been rejected
>> as third-party.
>> The loading of "
>> https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi
>> spring cas security check" in a frame is denied by "X-Frame-Options"
>> directive set to "deny".
>> =====
>>
>> They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS.
>>
>> Is this even a CAS thing? From what I gather, it's applicable to the web
>> server? But we were using the same web server (Tomcat 10.1.x for CAS 7.2,
>> and now Tomcat 11.0.x for CAS 7.3), and we don't encounter these issues for
>> other apps.
>>
>> Is this something controlled by CAS after all? If so, can we tweak it
>> as requested – preferably just for their service registrations?
>>
>> Because only these Banner apps suffer from this as far as we know, we
>> were inclined to think that the problem is on the application side. But
>> ultimately because these apps are so important to the institution, we need
>> to find a workaround one way or another.
>>
>> Any ideas or suggestions would be appreciated.
>>
>> --
>> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1xoLy6jxkayrK8%2B7fyz259OV7W4WUcFYFax2zHZZwgVQ%40mail.gmail.com
>> .
>>
>
>
> --
> Erik Mallory
>
> ------------------------
> "A happy man's paradise is his own good nature."
> - Edward Abbey

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0B%2BsTF_P5_cK%2BfYvm4rPeZt%2Bq_6MBLFo_EDpzXu8JurQ%40mail.gmail.com.
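
An added example, not part of the thread and not CAS code: a small Python check that models the two browser decisions quoted in the log above, the "X-Frame-Options" frame denial and the cross-site cookie handling. The parent page URL, the function names and the simplifications (exact-origin frame-ancestors sources, direct parent only, a missing SameSite treated as Lax) are assumptions.

```python
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port] of a URL, lowercased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def framing_verdict(headers, page_url, parent_url):
    """Return (allowed, reason) for loading page_url in a frame on parent_url."""
    # Simplified: direct parent only; sources matched as exact origins.
    h = {k.lower(): v for k, v in headers.items()}
    same = origin(page_url) == origin(parent_url)
    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            ok = ("'self'" in sources and same) or origin(parent_url) in sources
            return ok, "frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: deny"
    if xfo == "sameorigin":
        return same, "X-Frame-Options: sameorigin"
    return True, "no framing restriction"

def cookie_issues(set_cookie):
    """Attribute problems that keep a cookie out of a cross-site frame."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip().lower()
    same_site = attrs.get("samesite", "lax")  # assumption: missing means Lax
    if same_site != "none":
        return [f"SameSite={same_site}: not sent in cross-site frames"]
    if "secure" not in attrs:
        return ["SameSite=None without Secure: rejected by the browser"]
    return []  # attributes are fine; any rejection is browser policy

# Constructed sample: URLs and cookie modelled on the log quoted in the thread.
CAS = "https://cas.example.edu/cas/login"
BANNER = "https://banner.example.edu:9000/BannerAdmin.ws"  # assumed parent page
COOKIE = ('session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; '
          'samesite=none; secure; httponly')

if __name__ == "__main__":
    for xfo in ("DENY", "SAMEORIGIN"):
        print(xfo, framing_verdict({"X-Frame-Options": xfo}, CAS, BANNER))
    print(cookie_issues(COOKIE))
```

For the assumed cross-origin parent, both X-Frame-Options values are reported as denied, and the logged cookie yields no attribute issues, which is consistent with the log naming third-party storage blocking as the reason for the rejection.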
