https://apereo.github.io/cas/7.3.x/authentication/Configuring-SSO-Cookie.html
https://apereo.github.io/cas/7.2.x/authentication/Configuring-SSO-Cookie.html

On Tue, Feb 10, 2026 at 1:56 PM Baron Fujimoto <[email protected]> wrote:

> Mahalo! We'll look into these.
>
> I think I found CAS documentation for the X-Frame stuff at
> <https://apereo.github.io/cas/7.3.x/services/Configuring-Service-Http-Security-Headers.html#cashttpwebrequestheaderxframePropertyConfig>.
>
> However I couldn't find docs for the cas.tgc.crypto properties. The
> search function at
> <https://apereo.github.io/cas/7.3.x/configuration/Configuration-Properties.html>
> can find the properties, but does not provide any links to documentation
> that elaborates on them in terms of possible values, etc. Do you know where
> they may be found?
>
> On Tue, Feb 10, 2026 at 8:14 AM Erik Mallory <[email protected]> wrote:
>
>> The TGT crypto algorithm configuration has changed. We ran into similar
>> but different issues with our banner environment (currently on 7.2.7 in
>> prod and 7.3 in dev)
>>
>> # the new algorithm
>> cas.tgc.crypto.alg=A256CBC-HS512
>> cas.tgc.crypto.encryption.key=<can be found in the cas logs on startup>
>> cas.tgc.crypto.encryption.key-size=512
>> cas.tgc.crypto.signing.key-size=512
>> cas.tgc.crypto.signing.key=<can be found in the cas logs on startup>
>>
>> We also tried cas.http-web-request.header.xframe-options config, it
>> didn't have any effect for us, updating the tgc crypto did.
>>
>> On Tue, Feb 10, 2026 at 11:20 AM Baron Fujimoto <[email protected]> wrote:
>>
>>> When we attempted to upgrade from CAS 7.0.x to CAS 7.2.x, we ran into a
>>> problem with some Banner apps we integrate with. This problem is still
>>> present with CAS 7.3.x, but we are now obligated to upgrade to 7.3 to
>>> handle the Duo expiring certificate issue.
>>>
>>> This is what the Banner side reports when they encounter the problem
>>> that prevents their authentication:
>>> =====
>>> Cookie "" has been rejected as third-party.
>>> Request to access cookie or storage on "‹URL›" was blocked because we
>>> are blocking all third-party storage access requests and Enhanced Tracking
>>> Protection is enabled.
>>> Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
>>> samesite=none; secure; httponly" has been rejected as third-party.
>>> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
>>> Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected
>>> as third-party.
>>> Cookie "session=e30=; path=/; expires-Mon, 09 Feb 2026 22:28:30 GMT;
>>> samesite=none; secure; httponly" has been rejected as third-party.
>>> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09
>>> Feb 2026 22:28:30 GNT; samesite=none; secure; httponly" has been rejected
>>> as third-party.
>>> The loading of "
>>> https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi
>>> spring cas security check" in a frame is denied by "X-Frame-Options"
>>> directive set to "deny".
>>> =====
>>>
>>> They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS.
>>>
>>> Is this even a CAS thing? From what I gather, it's applicable to the web
>>> server? But we were using the same web server (Tomcat 10.1.x for CAS 7.2,
>>> and now Tomcat 11.0.x for CAS 7.3), and we don't encounter these issues for
>>> other apps.
>>>
>>> Is this something controlled by CAS after all? If so, can we tweak it
>>> as requested – preferably just for their service registrations?
>>>
>>> Because only these Banner apps suffer from this as far as we know, we
>>> were inclined to think that the problem is on the application side.
>>> But ultimately because these apps are so important to the institution, we need
>>> to find a workaround one way or another.
>>>
>>> Any ideas or suggestions would be appreciated.
>>>
>>> --
>>> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
>>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1xoLy6jxkayrK8%2B7fyz259OV7W4WUcFYFax2zHZZwgVQ%40mail.gmail.com.
>>
>> --
>> Erik Mallory
>>
>> ------------------------
>> "A happy man's paradise is his own good nature."
>> - Edward Abbey

--
Erik Mallory

------------------------
"A happy man's paradise is his own good nature." - Edward Abbey
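
Added example (not part of the thread, and not CAS or Banner code): a simplified Python model of the two browser decisions visible in the console output quoted above, namely whether a page may be rendered in a frame given its X-Frame-Options / CSP frame-ancestors headers, and whether a Set-Cookie line carries the attributes needed to be sent cross-site. The header values and the parent page URL are constructed; the hostnames are the thread's example.edu placeholders.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"https": 443, "http": 80}.get(u.scheme))

def framing_allowed(headers, framed_url, parent_url):
    """Would a browser render framed_url inside a page at parent_url?

    Simplified model: one direct parent, header names lower-cased, and only
    the 'none', 'self' and explicit-origin forms of frame-ancestors.
    """
    same = origin(framed_url) == origin(parent_url)
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When present, frame-ancestors is enforced instead of X-Frame-Options.
            for src in parts[1:]:
                if src == "'self'" and same:
                    return True
                if "://" in src and origin(src) == origin(parent_url):
                    return True
            return False  # covers 'none' and "no source matched"
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return same
    return True  # no framing restriction was sent

def cookie_problems(set_cookie):
    """Attribute problems that stop a cookie being sent in a cross-site frame."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip().lower()
    samesite = attrs.get("samesite")
    if samesite in ("lax", "strict"):
        return [f"SameSite={samesite}: withheld from cross-site frames"]
    if samesite is None:
        return ["no SameSite: browsers that default to Lax withhold it cross-site"]
    if "secure" not in attrs:
        return ["SameSite=None without Secure is rejected by browsers"]
    return []

# Constructed inputs; hostnames are the thread's example.edu placeholders.
CAS = "https://cas.example.edu/cas/login"
BANNER = "https://banner.example.edu:9000/BannerAdmin.ws"
```

Under this model SAMEORIGIN still refuses a parent on banner.example.edu:9000, because that is a different origin from cas.example.edu. The session cookie from the quoted console output yields no attribute problems, which matches the log text: it was blocked by the browser's third-party storage policy, not for its attributes.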
