[cas-user] Why we got stale TCP connections in CLOSE_WAIT status for a long time and how to resolve this?

2022-12-02 Thread Joseph Zhou
To whom it may concern,

We are using Apereo CAS 6.2.2 with CAS 2.0/3.0 and SAML 2.0 supported.

From time to time, maybe after hours or a day, we saw some stale TCP
connections in CLOSE_WAIT status like the following:

java    74936 root  109u  IPv6  5558780  0t0  TCP olc.wccnet.edu:39944->cust-64.79.132.101.switchnap.com:https (CLOSE_WAIT)
java    74936 root  113u  IPv6  5667290  0t0  TCP olc.wccnet.edu:48712->server-65-8-49-109.ord52.r.cloudfront.net:https (CLOSE_WAIT)
java    74936 root  118u  IPv6  5138832  0t0  TCP olc.wccnet.edu:45586->ec2-3-14-202-102.us-east-2.compute.amazonaws.com:https (CLOSE_WAIT)
java    74936 root  119u  IPv6  5613790  0t0  TCP olc.wccnet.edu:50148->na07.alma.exlibrisgroup.com:https (CLOSE_WAIT)
java    74936 root  120u  IPv6  5529494  0t0  TCP olc.wccnet.edu:54112->ec2-52-1-97-220.compute-1.amazonaws.com:https (CLOSE_WAIT)

We suspect those might be used for SAML metadata connections or some other
SAML related connections.
I tried to use pktcap-uw to catch what's there, however it seemed that we
got nothing in a short time window which could show us any network traffic
related to those connections.
Is there any new version of CAS software or any way to get this resolved?

Appreciate your help very much!

Joe

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMr51Mdy83CGesFq454oyNceWz335ss_Zm8PAZe-8fBv_Zb_gA%40mail.gmail.com.
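As an added example (not part of the original post, and not CAS project code), the following Python script turns `lsof -n -P -i TCP` output in the layout shown above into a per-process, per-peer CLOSE_WAIT count. CLOSE_WAIT means the remote side has already closed and the local process has not yet called close() on its socket, so a count that keeps growing for one PID points at an application-level leak (an HTTP client whose responses are never closed) rather than at the network. The sample rows and host names are constructed for the example.

```python
"""Summarise CLOSE_WAIT sockets from `lsof -n -P -i TCP` output, per process and peer."""
import re
from collections import Counter

# Constructed sample in the column layout of `lsof -n -P -i TCP`
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME). Host names are made up.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
java    74936 root  109u  IPv6 5558780      0t0  TCP idp.example.edu:39944->metadata-a.example.net:443 (CLOSE_WAIT)
java    74936 root  113u  IPv6 5667290      0t0  TCP idp.example.edu:48712->cdn.example.net:443 (CLOSE_WAIT)
java    74936 root  118u  IPv6 5138832      0t0  TCP idp.example.edu:45586->metadata-a.example.net:443 (CLOSE_WAIT)
java    74936 root  120u  IPv6 5529494      0t0  TCP idp.example.edu:54112->ldap.example.edu:636 (ESTABLISHED)
httpd    1201 root   12u  IPv4 1234567      0t0  TCP *:443 (LISTEN)
"""

# One regex for a connected TCP row: "local->remote_host:remote_port (STATE)".
# Listening sockets have no "->" and are deliberately skipped.
_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<local>\S+)->(?P<rhost>.+):(?P<rport>\S+)\s+\((?P<state>[A-Z_]+)\)\s*$"
)


def parse_lsof(text: str) -> list:
    """Return one record per TCP connection that has a peer (header and LISTEN rows are skipped)."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records


def close_wait_by_peer(records: list) -> Counter:
    """Count CLOSE_WAIT sockets per (pid, remote host) so the leaking peer stands out."""
    return Counter((r["pid"], r["rhost"]) for r in records if r["state"] == "CLOSE_WAIT")


def leaking_processes(records: list, threshold: int = 3) -> dict:
    """PIDs whose total CLOSE_WAIT count has reached the alerting threshold."""
    per_pid = Counter(r["pid"] for r in records if r["state"] == "CLOSE_WAIT")
    return {pid: n for pid, n in per_pid.items() if n >= threshold}


if __name__ == "__main__":
    import sys
    # Pipe real output in:  lsof -n -P -i TCP -a -p <pid> | python3 close_wait_report.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    recs = parse_lsof(text)
    for (pid, host), n in close_wait_by_peer(recs).most_common():
        print(f"pid {pid}: {n} CLOSE_WAIT to {host}")
    for pid, n in leaking_processes(recs).items():
        print(f"ALERT pid {pid} has {n} sockets in CLOSE_WAIT")
```

Run it periodically from cron against the CAS JVM's PID and alert on the threshold; the per-peer breakdown tells you which outbound integration (SAML metadata URL, CDN, cloud endpoint) is the one whose responses are not being closed, which is the evidence you need before opening a bug or upgrading.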


Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2022-02-21 Thread Joseph Zhou
We have got the answers to my questions; feel free to ignore them. 
For those experiencing the same issue, the answers are:
1. "https://login/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL" 
needs to be set to get the contents decrypted; we did not find other ways so 
far to keep it on https://login/cas/login.
2. After the decryption worked, we would get https://login/..service=.. 

On Sunday, February 13, 2022 at 10:27:33 AM UTC-5 Joseph Zhou wrote:

> Hi, Doug,
>
> This is a great article we came across!
> We met the same issue: we could not redirect back to Google after a 
> successful login on our third-party IdP server running CAS 6.2.2 and configured 
> mostly as your instructions indicated. We have an old CAS 3.5.2 server 
> working well with Google Workspace. However, we'd like to get it replaced 
> with the new version server. Then we hit this problem.
>
> We tried to match the old certificate by copying the certificate/key from 
> the old server to the new one and renaming them to idp-signing.crt/key. 
> Tested again, still not working, and the web browser stalled at the 
> following and could not go back to the Google site:
>
>
> https://login/cas/login?SAMLRequest=fVJNT%2BMwEL2vxH%2BwfM8nIK2sJqiAEJXYJaLpHrg5zjRxccbB4zTLv980BQGH7fX5zfsYz%2BLqb2fYHhxpixlPwpgzQGVrjU3GN%2BVd8JNf5Wc%2FFiQ704vl4Ft8gtcByLNpEknMDxkfHAorSZNA2QEJr8R6%2BetBpGEseme9VdZwtrrNeN9UuFMN9C22IF92qNRLA92ut7qqK2x3pq23VaM5%2B%2FMRKz3EWhENsELyEv0ExWkaxGmQnJdJLNJEXF48c1a8O11rPDY4Fas6kkjcl2URFI%2FrchbY6xrc74md8cbaxkCobHewLySR3k%2FwVhoCzpZE4PwU8MYiDR24Nbi9VrB5esh4631PIorGcQw%2FZSIZjUoh%2BBDqIZKKeD5vVszl3JeVno4uP6x5%2Fim%2BiL5I5e8%2Fdiiyui2s0eqNLY2x440D6acW3g1TiTvrOun%2F75aEyYzoOtjOVDEg9aD0VkPNWZQfXb%2BfxnQw%2FwA%3D=https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%26service%3Dmail%26ifkv%3DAU9NCcypcYDQKWRdjhacvr7DhikwSR09KKGWWYVDKWiE9idgAlBNjzjnURt0QKtiOLKcOXmR1iAB-g
>
> My questions are:
>
> For your instruction step 8 b, you entered 
> "https://login/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"; 
> is it mandatory that this be set? 
> I am asking because usually we had our "Sign-in page URL" set to 
> https://login/cas/login, and it was working well for all other websites 
> running SAML 2; it is also configured that way on Google Workspace currently 
> for our old version server, and we have not tried to change it yet.
>
> My 2nd question is:
> On your current configuration running well, are you getting the web link 
> from Google in the format of:
> https://login/cas/login?SAMLRequest=. or something like 
> https://login/..service=..
>
> Appreciate your kind help and time very much!
>
> Joe
>
> On Wednesday, September 23, 2020 at 11:46:37 PM UTC-4 Doug C wrote:
>
>> Yep.  The certificate was the issue.  I do have it working now but I have 
>> two questions regarding warnings I am seeing.
>>
>>  
>>
>> I get the following warning:
>>
>>  
>>
>> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - > exceeds 80 bytes: 
>> https://www.google.com/a/example.com/ServiceLogin?service=mail=true=false=https%3A%2F%2Fmail.google.com%2Fmail%2F=1=default=2=1=1
>> >
>>
>>  
>>
>> Is this normal and a result of the way G Suite does SAML?  Or is there 
>> something I can configure to make CAS happy and not feel the need to warn 
>> me.
>>
>>  
>>
>> Also, I get this warning upon signing out of G Suite:
>>
>>  
>>
>> WARN 
>> [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>>  
>> - > google.com/a/example.com]>
>>
>>  
>>
>> I read somewhere online that Google does not provide Single Log Out 
>> (SLO).  Is there a way to disable SLO for a service so I don't get this 
>> warning?  I want to keep SLO enabled in general.
>>
>>  
>>
>> Thanks!
>>
>>  
>>
>> *Instructions for Others*
>>
>>  
>>
>> In case someone else is trying to figure this out, here is what I think 
>> constitutes all the steps that I took to get this working.  You should 
>> replace all instances of example.com and cas-server-url with what is 
>> appropriate for the system being configured.
>>
>>  
>>
>> 1.   Add the following dependency in the WAR overlay build.gradle 
>> file.
>>
>>  
>>
>> implementation 
>> "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>>
>>  
>>
>> 2.  Add the fol

Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2022-02-13 Thread Joseph Zhou
Hi, Doug,

This is a great article we came across!
We met the same issue: we could not redirect back to Google after a 
successful login on our third-party IdP server running CAS 6.2.2 and configured 
mostly as your instructions indicated. We have an old CAS 3.5.2 server 
working well with Google Workspace. However, we'd like to get it replaced 
with the new version server. Then we hit this problem.

We tried to match the old certificate by copying the certificate/key from 
the old server to the new one and renaming them to idp-signing.crt/key. 
Tested again, still not working, and the web browser stalled at the 
following and could not go back to the Google site:

https://login/cas/login?SAMLRequest=fVJNT%2BMwEL2vxH%2BwfM8nIK2sJqiAEJXYJaLpHrg5zjRxccbB4zTLv980BQGH7fX5zfsYz%2BLqb2fYHhxpixlPwpgzQGVrjU3GN%2BVd8JNf5Wc%2FFiQ704vl4Ft8gtcByLNpEknMDxkfHAorSZNA2QEJr8R6%2BetBpGEseme9VdZwtrrNeN9UuFMN9C22IF92qNRLA92ut7qqK2x3pq23VaM5%2B%2FMRKz3EWhENsELyEv0ExWkaxGmQnJdJLNJEXF48c1a8O11rPDY4Fas6kkjcl2URFI%2FrchbY6xrc74md8cbaxkCobHewLySR3k%2FwVhoCzpZE4PwU8MYiDR24Nbi9VrB5esh4631PIorGcQw%2FZSIZjUoh%2BBDqIZKKeD5vVszl3JeVno4uP6x5%2Fim%2BiL5I5e8%2Fdiiyui2s0eqNLY2x440D6acW3g1TiTvrOun%2F75aEyYzoOtjOVDEg9aD0VkPNWZQfXb%2BfxnQw%2FwA%3D=https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%26service%3Dmail%26ifkv%3DAU9NCcypcYDQKWRdjhacvr7DhikwSR09KKGWWYVDKWiE9idgAlBNjzjnURt0QKtiOLKcOXmR1iAB-g

My questions are:

For your instruction step 8 b, you entered 
"https://login/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"; 
is it mandatory that this be set? 
I am asking because usually we had our "Sign-in page URL" set to 
https://login/cas/login, and it was working well for all other websites 
running SAML 2; it is also configured that way on Google Workspace currently 
for our old version server, and we have not tried to change it yet.

My 2nd question is:
On your current configuration running well, are you getting the web link 
from Google in the format of:
https://login/cas/login?SAMLRequest=. or something like 
https://login/..service=..

Appreciate your kind help and time very much!

Joe

On Wednesday, September 23, 2020 at 11:46:37 PM UTC-4 Doug C wrote:

> Yep.  The certificate was the issue.  I do have it working now but I have 
> two questions regarding warnings I am seeing.
>
>  
>
> I get the following warning:
>
>  
>
> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] -  exceeds 80 bytes: 
> https://www.google.com/a/example.com/ServiceLogin?service=mail=true=false=https%3A%2F%2Fmail.google.com%2Fmail%2F=1=default=2=1=1
> >
>
>  
>
> Is this normal and a result of the way G Suite does SAML?  Or is there 
> something I can configure to make CAS happy and not feel the need to warn 
> me.
>
>  
>
> Also, I get this warning upon signing out of G Suite:
>
>  
>
> WARN 
> [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>  
> -  google.com/a/example.com]>
>
>  
>
> I read somewhere online that Google does not provide Single Log Out (SLO). 
>  Is there a way to disable SLO for a service so I don't get this warning?  
> I want to keep SLO enabled in general.
>
>  
>
> Thanks!
>
>  
>
> *Instructions for Others*
>
>  
>
> In case someone else is trying to figure this out, here is what I think 
> constitutes all the steps that I took to get this working.  You should 
> replace all instances of example.com and cas-server-url with what is 
> appropriate for the system being configured.
>
>  
>
> 1.   Add the following dependency in the WAR overlay build.gradle 
> file.
>
>  
>
> implementation 
> "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>
>  
>
> 2.  Add the following line to cas.properties.
>
>  
>
> cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp
>
>  
>
> 3.  Create a service definition file in /etc/cas/services.
>
>  
>
> {
>
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>
>   "serviceId" : "google.com/a/example.com",
>
>   "name" : "G Suite",
>
>   "id" : 1002,
>
>   "evaluationOrder" : 1,
>
>   "attributeReleasePolicy" : {
>
> "@class" : 
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>
> "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>
>   },
>
>   "usernameAttributeProvider" : {
>
> "@class" : 
> "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>
> "usernameAttribute" : "mail"
>
>   },
>
>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
>
>   "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
>
> }
>
>  
>
> 4.  Create a directory /etc/cas/saml.
>
> 5.  Generate certificates.
>
>  
>
> openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048
>
> openssl req -new -x509 -key /etc/cas/small/idp-encryption.key -out 
> /etc/cas/saml/idp-encryption.crt -days 3650
>
> openssl genrsa -out 
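The links discussed in this thread (`.../cas/login?SAMLRequest=...` versus the `/cas/idp/profile/SAML2/Redirect/SSO` endpoint) and the "exceeds 80 bytes" warning in Doug's quoted message both concern the SAML 2.0 HTTP-Redirect binding: the SP DEFLATEs the AuthnRequest, base64-encodes it, and puts it in the `SAMLRequest` query parameter next to a `RelayState`, which the Bindings specification (section 3.1.1) limits to 80 bytes. As an added example that is neither from this thread nor from CAS or OpenSAML, the following Python builds such a redirect URL and decodes one back for diagnostics. The AuthnRequest, its IDs, timestamps and URLs are constructed; the RelayState value is the one quoted in the warning above.

```python
"""Encode/decode the SAMLRequest and RelayState of a SAML 2.0 HTTP-Redirect binding URL."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from typing import Optional

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
RELAY_STATE_MAX_BYTES = 80  # SAML 2.0 Bindings, section 3.1.1

# Constructed AuthnRequest in the general shape an SP such as Google Workspace sends;
# ID, IssueInstant and the URLs are placeholders for this example.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="_example-1" '
    'Version="2.0" IssueInstant="2022-02-13T15:00:00Z" ProviderName="google.com" '
    'AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs" IsPassive="false">'
    "<saml:Issuer>google.com/a/example.com</saml:Issuer>"
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    "</samlp:AuthnRequest>"
)

# RelayState as it appears in the warning quoted above (well over 80 bytes).
SAMPLE_RELAY_STATE = (
    "https://www.google.com/a/example.com/ServiceLogin?service=mail=true=false="
    "https%3A%2F%2Fmail.google.com%2Fmail%2F=1=default=2=1=1"
)


def encode_redirect_param(xml_text: str) -> str:
    """Raw DEFLATE (no zlib header) followed by base64, as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_param(value: str) -> str:
    """Inverse of encode_redirect_param: base64-decode, then inflate with raw DEFLATE."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(sso_url: str, authn_request_xml: str, relay_state: Optional[str]) -> str:
    """The URL the SP redirects the browser to: the IdP SSO endpoint plus the encoded request."""
    query = {"SAMLRequest": encode_redirect_param(authn_request_xml)}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return f"{sso_url}?{urllib.parse.urlencode(query)}"


def inspect_redirect_url(url: str) -> dict:
    """Decode a redirect-binding URL for diagnostics: issuer, ACS URL and RelayState size."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query, keep_blank_values=True)
    root = ET.fromstring(decode_redirect_param(params["SAMLRequest"][0]))
    issuer = root.find(f"{{{NS_A}}}Issuer")
    relay = params.get("RelayState", [None])[0]
    relay_bytes = len(relay.encode("utf-8")) if relay is not None else 0
    return {
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": relay,
        "relay_state_bytes": relay_bytes,
        "relay_state_too_long": relay_bytes > RELAY_STATE_MAX_BYTES,
    }


if __name__ == "__main__":
    # The SSO endpoint is the one the thread settled on for "Sign-in page URL".
    url = build_redirect_url("https://login/cas/idp/profile/SAML2/Redirect/SSO",
                             SAMPLE_AUTHN_REQUEST, SAMPLE_RELAY_STATE)
    for key, value in inspect_redirect_url(url).items():
        print(f"{key}: {value}")
```

Pasting a real `SAMLRequest=` URL from the browser into `inspect_redirect_url` shows the issuer, which must match the `serviceId` of the SamlRegisteredService, and the AssertionConsumerServiceURL the IdP will post the response to. The oversized RelayState is produced by the SP, so the IdP cannot shorten it; the warning is informational and the IdP still echoes the value back unchanged.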

Re: [cas-user] Questions about migrating CAS 3.5.2 to CAS 6.2.2

2021-01-28 Thread Joseph Zhou
Hi, Ray,

Thank you very much for your quick response!

I'll try test again, and see how it goes.

Appreciate your time and kind help very much!

Best Regards,

Joe



On Thursday, January 28, 2021 at 12:14:06 PM UTC-5 Ray Bon wrote:

> Joseph,
>
> To see what the cas server is finding for attributes, use this logger:
>
> 
>  name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
>  
> level="debug"/>
>
> We also use map UDC_IDENTIFIER in the service definition. See, 
> https://apereo.github.io/cas/6.2.x/integration/Attribute-Release-Policies.html#return-mapped
> .
>
> Ray
>
> On Thu, 2021-01-28 at 07:03 -0800, Joseph Zhou wrote:
>
>
> Hi, folks,
>
> We are having an issue migrating an SP from an old CAS 3.5.2 server to a new 
> CAS 6.2.2 server.
>
> In the old server 3.5.2, it was configured as:
>
> 
>   
>   
>   
>   https://ban.*.wccnet.edu
> (:443)?/.*"/>
>   
> 
>   UDC_IDENTIFIER
> 
>   
>   
> 
>
> On the new server 6.2.2 we tried different ways (no luck on any one), now 
> it is:
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "https://banner-dev.wccnet.edu/balancer-manager",
>   "name": "CASbanfrontdev",
>   "id": 1010,
>   "evaluationOrder": 20,
>
>   "usernameAttributeProvider" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>     "usernameAttribute" : "username"
>   },
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", ["username"]]
>   }
> }
>
> When connecting to the old server, we got in the SP httpd log (the SP 
> needs username):
>
> 207.73.128.2 - hpjozou [27/Jan/2021:17:23:08 -0500] "GET /balancer-manager?ticket=ST-235770-aDCGnkjkNkZDuaZ11w1f-login.wccnet.edu HTTP/1.1" 302 234 "https://login.wccnet.edu/cas/login?service=https%3a%2f%2fbanner-dev.wccnet.edu%2fbalancer-manager" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0" "-" - 443 banner-dev.wccnet.edu 0 43528 98087m -,-
> 207.73.128.2 - hpjozou [27/Jan/2021:17:23:08 -0500] "GET /balancer-manager HTTP/1.1" 200 980 "https://login.wccnet.edu/cas/login?service=https%3a%2f%2fbanner-dev.wccnet.edu%2fbalancer-manager" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0" "-" on 443 banner-dev.wccnet.edu 0 43528 877m -,-
>
> On connecting to the new one, we got in the SP httpd log:
>
>
> 207.73.128.2 - - [27/Jan/2021:17:31:34 -0500] "GET /balancer-manager HTTP/1.1" 302 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" "-" - 443 banner-dev.wccnet.edu 0 43962 260m -,-
> 207.73.128.2 - - [27/Jan/2021:17:31:59 -0500] "GET /balancer-manager?ticket=ST-1-mm7K5F-4Bu-nqhrLD-3DDcJiuws-cas2 HTTP/1.1" 401 381 "https://cas2.wccnet.edu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" "-" - 443 banner-dev.wccnet.edu 0 43962 93523m -,-
>
> Then we ended up with Unauthorized on the SP page after CAS authentication 
> through the new CAS.
>
> Our questions:
>
> - How could we make sure the username was returned to the SP?
> - How could we see the XML response from the new CAS 6.2.2 server for 
> CAS 2.0?
> - How could we see the XML response in the SP httpd log?
>
> Thank you very much for your help!
>
> Joe
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3eced208-3515-4095-88c0-d6981ccbc80en%40apereo.org.
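Ray's pointer to the return-mapped policy is the crux of the thread: the SP expects an attribute called `username`, but the IdP resolves `UDC_IDENTIFIER`, so a ReturnAllowed policy listing `username` has nothing to release. As an added example (not CAS code and not from the thread), the following Python is a small model of how the two username providers and the two release policies behave, applied to the definition as posted and to a mapped definition. The principal id, the attribute values, the `example.edu` host in the `serviceId` and the `^` regex anchor are constructed assumptions; the class names and the JSON shapes are the ones CAS documents.

```python
"""Model of how two CAS service definitions decide the username and the released
attributes for a principal. It reproduces the documented behaviour of the
ReturnAllowed and ReturnMapped policies and of the two username providers;
it is not CAS code."""
import json

# Constructed sample: the principal and attributes the IdP resolved. The attribute
# name UDC_IDENTIFIER is the one from the thread; the values are made up.
PRINCIPAL_ID = "hpjozou"
RESOLVED_ATTRIBUTES = {
    "UDC_IDENTIFIER": ["hpjozou"],
    "mail": ["hpjozou@example.edu"],
}

# The definition as posted (host replaced by example.edu): "username" is not a
# resolved attribute, so ReturnAllowed releases nothing, and
# DefaultRegisteredServiceUsernameProvider ignores the usernameAttribute key.
SERVICE_AS_POSTED = json.loads("""
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://banner-dev.example.edu/balancer-manager",
  "name": "CASbanfrontdev",
  "id": 1010,
  "evaluationOrder": 20,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "usernameAttribute": "username"
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [ "java.util.ArrayList", [ "username" ] ]
  }
}
""")

# The mapping Ray suggests: release UDC_IDENTIFIER under the name the SP expects,
# and derive the username from that attribute as well.
SERVICE_MAPPED = json.loads("""
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://banner-dev.example.edu/balancer-manager",
  "name": "CASbanfrontdev",
  "id": 1010,
  "evaluationOrder": 20,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "UDC_IDENTIFIER"
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": { "@class": "java.util.TreeMap", "UDC_IDENTIFIER": "username" }
  }
}
""")


def _simple(cls: str) -> str:
    """Strip the Java package from a class name."""
    return cls.rsplit(".", 1)[-1]


def released_attributes(service: dict, resolved: dict) -> dict:
    """Attributes the SP would receive under this service's release policy."""
    policy = service["attributeReleasePolicy"]
    allowed = policy["allowedAttributes"]
    kind = _simple(policy["@class"])
    if kind == "ReturnAllowedAttributeReleasePolicy":
        names = allowed[1] if isinstance(allowed, list) else allowed  # unwrap ["java.util.ArrayList", [...]]
        return {n: resolved[n] for n in names if n in resolved}
    if kind == "ReturnMappedAttributeReleasePolicy":
        mapping = {k: v for k, v in allowed.items() if k != "@class"}  # old name -> released name
        return {new: resolved[old] for old, new in mapping.items() if old in resolved}
    raise ValueError(f"policy not modelled: {kind}")


def username_for_service(service: dict, principal_id: str, resolved: dict) -> str:
    """The <cas:user> value the SP would see in the validation response."""
    provider = service["usernameAttributeProvider"]
    kind = _simple(provider["@class"])
    if kind == "DefaultRegisteredServiceUsernameProvider":
        return principal_id  # any usernameAttribute key in the JSON is ignored
    if kind == "PrincipalAttributeRegisteredServiceUsernameProvider":
        values = resolved.get(provider["usernameAttribute"]) or []
        return values[0] if values else principal_id  # CAS falls back to the principal id (and warns)
    raise ValueError(f"provider not modelled: {kind}")


if __name__ == "__main__":
    for label, svc in (("as posted", SERVICE_AS_POSTED), ("mapped", SERVICE_MAPPED)):
        print(label, "->", username_for_service(svc, PRINCIPAL_ID, RESOLVED_ATTRIBUTES),
              released_attributes(svc, RESOLVED_ATTRIBUTES))
```

Together with the debug logger Ray names, which prints what the policy actually resolved, this makes the mismatch visible: the posted definition yields an empty attribute set, the mapped one yields `username=hpjozou`, which is what the SP's `/balancer-manager` check is looking for in the CAS 2.0 validation response.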


[cas-user] Questions about migrating CAS 3.5.2 to CAS 6.2.2

2021-01-28 Thread Joseph Zhou
Hi, folks,

We are having an issue migrating an SP from an old CAS 3.5.2 server to a new 
CAS 6.2.2 server.

In the old server 3.5.2, it was configured as:


  
  
  
  https://ban.*.wccnet.edu(:443)?/.*"/>
  

  UDC_IDENTIFIER

  
  


On the new server 6.2.2 we tried different ways (no luck on any one), now 
it is:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://banner-dev.wccnet.edu/balancer-manager",
  "name": "CASbanfrontdev",
  "id": 1010,
  "evaluationOrder": 20,

  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "usernameAttribute" : "username"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", ["username"]]
  }
}

When connecting to the old server, we got in the SP httpd log (the SP needs 
username):

207.73.128.2 - hpjozou [27/Jan/2021:17:23:08 -0500] "GET /balancer-manager?ticket=ST-235770-aDCGnkjkNkZDuaZ11w1f-login.wccnet.edu HTTP/1.1" 302 234 "https://login.wccnet.edu/cas/login?service=https%3a%2f%2fbanner-dev.wccnet.edu%2fbalancer-manager" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0" "-" - 443 banner-dev.wccnet.edu 0 43528 98087m -,-
207.73.128.2 - hpjozou [27/Jan/2021:17:23:08 -0500] "GET /balancer-manager HTTP/1.1" 200 980 "https://login.wccnet.edu/cas/login?service=https%3a%2f%2fbanner-dev.wccnet.edu%2fbalancer-manager" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0" "-" on 443 banner-dev.wccnet.edu 0 43528 877m -,-

On connecting to the new one, we got in the SP httpd log:


207.73.128.2 - - [27/Jan/2021:17:31:34 -0500] "GET /balancer-manager HTTP/1.1" 302 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" "-" - 443 banner-dev.wccnet.edu 0 43962 260m -,-
207.73.128.2 - - [27/Jan/2021:17:31:59 -0500] "GET /balancer-manager?ticket=ST-1-mm7K5F-4Bu-nqhrLD-3DDcJiuws-cas2 HTTP/1.1" 401 381 "https://cas2.wccnet.edu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" "-" - 443 banner-dev.wccnet.edu 0 43962 93523m -,-

Then we ended up with Unauthorized on the SP page after CAS authentication 
through the new CAS.

Our questions:

- How could we make sure the username was returned to the SP?
- How could we see the XML response from the new CAS 6.2.2 server for 
CAS 2.0?
- How could we see the XML response in the SP httpd log?

Thank you very much for your help!

Joe

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d7342927-4d68-410b-af27-51fb7ebd2c2fn%40apereo.org.