Re: [cas-user] Shibboleth and CAS

2020-11-13 Thread David Curry
roup membership and needed it to get a >>>> new IP address for the AD LDAP server(s). >>>> >>>> -Mike >>>> >>>> On Fri, Nov 13, 2020 at 11:18 AM Nathan Lewan >>>> wrote: >>>> >>>>> very inter

Re: [cas-user] Shibboleth and CAS

2020-11-13 Thread David Curry
>> 1. I don't know if a cheat like that would actually work (this is just >>> temporary, proof of concept, no way would I leave it like that in >>> production) >>> 2. I have not restarted CAS. I did do a dig -x on the CAS host, and it >>> successfully reverse-resolved t

Re: [cas-user] Shibboleth and CAS

2020-11-13 Thread David Curry
We just ran into this recently with an older version of CAS (5.2.9). CAS populates the SubjectLocality by doing a reverse DNS lookup on the IP address of the entity that's calling it (the application the user is trying to log into). If the DNS lookup fails, then it doesn't put anything in there,

Re: [cas-user] Re: Deployment SAML Certificate Changes

2020-09-10 Thread David Curry
In our case, we run five servers (cas-srv01, cas-srv02, etc.) behind an F5 load balancer. The VIP on the F5 identifies as "sso.newschool.edu". We use one "regular" SSL/TLS certificate for "sso.newschool.edu" and install it both on the F5 AND on each of the CAS servers (in the Tomcat keystore) so

Re: [cas-user] [Auto Reload CAS Server After Register New Service]

2020-08-25 Thread David Curry
Lam < naphaluan211...@gmail.com> wrote: > Dear Mr David. > I have success. > Thank you very much. > > On Tue, 25 Aug 2020 at 21:21 Nguyen Tran Thanh Lam < > naphaluan211...@gmail.com> wrote: > >> Dear Mr David Curry, >> I have read the guide

Re: [cas-user] [Auto Reload CAS Server After Register New Service]

2020-08-25 Thread David Curry
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 646 909-4728 • david.cu...@newschool.edu On Tue, Aug 25, 2020 at 8:21 AM Nguyen Tran Thanh Lam < naphaluan211...@gmail.com> wrote: > Hi Mr David Curry, > I understand your point. > But when I use CAS server, I want to register my new servi

Re: [cas-user] [Auto Reload CAS Server After Register New Service]

2020-08-25 Thread David Curry
It doesn't do that because it's not supposed to. Populating an alternate service registry (MongoDB or whatever) from the JSON files is a one-time thing the server does to help you "bootstrap" the alternate service registry. After that, you don't need the JSON files any more (and should turn that

Re: [cas-user] How to implement CAS(Idp) with SAML

2020-07-14 Thread David Curry
d.cu...@newschool.edu On Tue, Jul 14, 2020 at 2:56 PM Vikash Chandra Ansh < vikasharnav0...@gmail.com> wrote: > Hi David. > > I am seeing this in cas log. Can we connect David? > > On Wed 15 Jul, 2020, 00:21 David Curry, wrote: > >> When you say you're "g

Re: [cas-user] How to implement CAS(Idp) with SAML

2020-07-14 Thread David Curry
nks & Regards > > On Mon 13 Jul, 2020, 17:43 Vikash Chandra Ansh, > wrote: > >> Thanks Ray, >> I will check and let you know in case of any issues. >> >> On Mon, Jul 13, 2020 at 3:58 AM David Curry >> wrote: >> >>> The Shibboleth SP l

Re: [cas-user] How to implement CAS(Idp) with SAML

2020-07-12 Thread David Curry
The Shibboleth SP lets web services use SAML2 to authenticate and do single sign-on. So if you have configured an Apache server with mod_shib, then you would use the Apache config files to define a protected area on your web server, and put your web-based application into that protected area. When

Re: [cas-user] CAS newbie 1st time install on RHEL problems with connection to LDAP server

2020-06-16 Thread David Curry
The CAS server (Tomcat) cannot validate the TLS certificate being returned by your LDAP server. This could be for a few different reasons: 1. The LDAP server's TLS certificate is not for the host name you're using to access the LDAP server (walnut.wccnet.edu) 2. The LDAP server's TLS

Re: [cas-user] Handling multiple accounts for one person

2020-05-18 Thread David Curry
ave". Secondary accounts are for administrator >> or test access for the most part in our environment. Splitting something >> like email is a pain, and that has spawned a great many threads over on the >> Educause IAM (née Idm) list. Bigger issue is making sure others know which

Re: [cas-user] Handling multiple accounts for one person

2020-05-18 Thread David Curry
several hundred people with dual accounts. > > Thank you, > Mike > > On Monday, May 18, 2020 at 2:05:05 PM UTC-4, David Curry wrote: >> >> We do pretty much the same thing Richard is doing. The different accounts >> are in different OUs in AD, and IAM handles

Re: [cas-user] Handling multiple accounts for one person

2020-05-18 Thread David Curry
We do pretty much the same thing Richard is doing. The different accounts are in different OUs in AD, and IAM handles the provisioning. Way back when, we configured CAS with multiple "directories" that are the same AD server with different DNs (one for each OU). We could probably stop doing that

Re: [cas-user] CAS V5.3 with Zoom SSO???

2020-05-12 Thread David Curry
We're running it with CAS 5.2.x as a SAML2 service. I didn't personally set it up, but the guy who did says it was just a "regular" SAML2 setup (they're pretty routine for us these days). Release the attributes Zoom wants and tell it which attribute is what, and you're good to go. --Dave --

Re: [cas-user] cas5 rebuild and restart for every change??

2020-04-09 Thread David Curry
Just to add to what Richard said, you'll also want to put spring.thymeleaf.cache: false in your cas.properties so that you can edit the files and see the changes "immediately" without having to bounce Tomcat. Note that it seems to only refresh every 60 seconds though; so my usual approach was to

Re: [cas-user] What's your production version?

2020-03-12 Thread David Curry
We're running 5.2.9. The release schedule moves way too quickly for us to keep up with, and so far, the features that have been added, while a couple of them are interesting, are not significant enough to justify the effort to move. The one thing that concerns us is that 5.2.x is no longer

Re: [cas-user] Re: Chrome and samesite cookies

2020-02-27 Thread David Curry
We're running CAS 5.2 and have not had any reported issues with Canvas or any of the other applications that log in through it. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR • INFORMATION SECURITY & PRIVACY* THE NEW SCHOOL • INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 646

Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-06 Thread David Curry
>> 2020-02-06 17:31:56,248 ERROR >> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - >> java.lang.IllegalArgumentException: Null input buffer >> at javax.crypto.Cipher.doFinal(Unknown Source) ~[?:?] >> at >> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92) >

Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-05 Thread David Curry
Maksim, If you don't want to ever lose tickets, then you would want all nodes to back up all other nodes. So if you have 3 member nodes, you would want 2 async backup nodes (asyncBackupCount) and also you'd probably want to disable the default sync backup (backupCount) node since it will block.

Re: [cas-user] Re: CAS 5.3.x with Mongo Ticket Store (anyone had any issues)

2020-02-02 Thread David Curry
Since the first and last messages in the thread Andy points to were mine, I'll add a follow-up with current information. We did indeed switch from a MongoDB ticket registry (which seemed to have issues under heavy-ish load) to a Hazelcast ticket registry, based on what we learned from that thread.

Re: [cas-user] cas 5.2.x leaking connections

2020-01-10 Thread David Curry
You might want to experiment with turning the passivator off, or changing its setting. Not sure that's it, but it might help? https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#why-passivators -- DAVID A. CURRY, CISSP *DIRECTOR • INFORMATION SECURITY & PRIVACY* THE

Re: [cas-user] Tips for changing Google Apps 3rd-party SSO - CAS 5.3.x

2020-01-09 Thread David Curry
We did this when we rolled out CAS 5 as well. New servers, new DNS names, the whole deal. To answer your specific questions: 1. We generated new ones. I don't think you have to, but it just seemed to make more sense to "start fresh" so we knew what components we had installed. 2. It

Re: [cas-user] Service Registry in MongoDB (with replication)

2019-11-14 Thread David Curry
Do you have the cas-server-support-mongo-service-registry dependency in the cas-management pom.xml as well as the cas server pom.xml? I didn't see it in the excerpt you provided. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR • INFORMATION SECURITY & PRIVACY* THE NEW SCHOOL • INFORMATION

Re: [cas-user] Hazelcast-Ticket Registry config

2019-11-07 Thread David Curry
I have not done this with Tomcat 9 / Java 11 or CAS 6.x, but it seems to me you need to fix this: 07-Nov-2019 05:57:51.789 WARNING [main] com.hazelcast.instance.HazelcastInstanceFactory.null Hazelcast is starting in a Java modular environment (Java 9 and newer) but without proper access to

Re: [cas-user] CAS 5.2.4 Endpoint access

2019-10-29 Thread David Curry
> On Fri, Oct 25, 2019 at 3:45 AM David Curry > wrote: > >> At first blush it looks like your cas.properties property names are >> wrong; there might be other things too that you didn't happen to quote. >> Here's a step-by-step for enabling them all, if you find it h

Re: [cas-user] CAS 5.2.4 Endpoint access

2019-10-25 Thread David Curry
At first blush it looks like your cas.properties property names are wrong; there might be other things too that you didn't happen to quote. Here's a step-by-step for enabling them all, if you find it helpful:

Re: [cas-user] mod_auth_cas and attributes

2019-10-24 Thread David Curry
d.cu...@newschool.edu Sent from my phone; please excuse typos and inane auto-corrections. On Thu, Oct 24, 2019, 16:20 David Hawes wrote: > On Thu, 24 Oct 2019 at 08:44, David Curry > wrote: > > > > You should be safe from SAML messes; CASv2 attribute release via SAML > 1.1 has been a

Re: [cas-user] mod_auth_cas and attributes

2019-10-24 Thread David Curry
ht CASAuthNHeader is not an On/Off directive but it takes a string > value to set the header name. > > Regards. > > On Thu, 24 Oct 2019 08:13:18 -0400 > David Curry wrote: > > > In your service registry: > > > > { > > *

Re: [cas-user] mod_auth_cas and attributes

2019-10-24 Thread David Curry
In your service registry: { ... "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy" }, ... } In /etc/httpd/conf.d/cas.conf: LoadModule auth_cas_module modules/mod_auth_cas.so AuthType CAS CASAuthNHeader

Re: [cas-user] Hazelcast-Ticket Registry config

2019-10-18 Thread David Curry
The way I usually test things, since we have a cluster of CAS servers, is: 1. Start an incognito/private mode browser so there are no cookies 2. Log in to Application 1 through CAS 3. Check the CAS logs to figure out which server handled my login 4. Shut that CAS server down 5. Go

Re: [cas-user] Hazelcast-Ticket Registry config

2019-10-15 Thread David Curry
Your properties should be named cas.ticket.registry.hazelcast.cluster.*, not cas.cluster.*. See here: https://apereo.github.io/cas/development/configuration/Configuration-Properties.html#hazelcast-ticket-registry For example, this is what we're using in our three-server development

Re: [cas-user] Debugging - saving (temporarily) full CAS XML response

2019-10-01 Thread David Curry
I got this solution from Misagh way back when: 1. Install the SAML Chrome Panel extension in your Chrome browser. 2. Go to your application (or the CAS login screen if it redirects you there). 3. Right-click and select "Inspect" to open the Chrome developer console and click on the

[cas-user] Re: [cas-dev] Re: Release Announcement: CAS Security Patches

2019-10-01 Thread David Curry
tion for those on the 5.2 branch is to upgrade to 5.2.7 >> Also, that thread suggests that if you're using an alternative MFA >> solution (we're using Duo) then we're unaffected. >> >> I'm not the authority on this, but that's what I'm piecing together. >> - Jim >>

[cas-user] Re: [cas-dev] Re: Release Announcement: CAS Security Patches

2019-10-01 Thread David Curry
Bump. We have the same questions that Jim asked... -- DAVID A. CURRY, CISSP *DIRECTOR • INFORMATION SECURITY & PRIVACY* THE NEW SCHOOL • INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 646 909-4728 • david.cu...@newschool.edu On Mon, Sep 30, 2019 at 11:16 AM Jim Mulvey

Re: [cas-user] Cas Cookie

2019-09-20 Thread David Curry
> Thanks, > > On Friday, 20 September 2019 14:46:15 UTC+3, David Curry wrote: >> >> That's how it's supposed to work. The CAS cookies are session cookies. >> When you end the session (close your browser), the cookies are deleted. >> >> Managing application se

Re: [cas-user] Cas Cookie

2019-09-20 Thread David Curry
That's how it's supposed to work. The CAS cookies are session cookies. When you end the session (close your browser), the cookies are deleted. Managing application sessions is outside of CAS' scope. If an application wants to stay logged in across browser sessions, then that application should

Re: [cas-user] CAS 5.1.1. EhCacheTicketRegistry problem.

2019-09-03 Thread David Curry
We had a similar problem when using MongoDB as our ticket cache. We were able to alleviate it temporarily using the solution Ray suggests, of making one of the CAS servers primary on the load balancer. But we didn't like that as a long-term answer. Once we were able to, we replaced MongoDB with

Re: [cas-user] Re: Connection refused / Your account is forbidden to login at this time

2019-08-30 Thread David Curry
onfig >> ens192: flags=4163 mtu 1500 >> inet 192.168.200.11 netmask 255.255.255.0 broadcast >> 192.168.200.255 >> inet6 fe80::250:56ff:fe95:689b prefixlen 64 scopeid 0x20 >> ether 00:50:56:95:68:9b txqueuelen 1000 (Ethernet) >>

Re: [cas-user] Re: Connection refused / Your account is forbidden to login at this time

2019-08-30 Thread David Curry
Are the CAS dashboard and CAS management server running on the same host? Is your DNS doing the wrong thing and you're connecting to localhost (127.0.0.1) instead of the interface where Tomcat is listening? I would turn on some logging or tracing and verify that the IP/port your client is

Re: [cas-user] Custom casLoginView - problem calculating URLs

2019-08-20 Thread David Curry
rties... > > Thanks. > Pedro Rosas > > > > On Tuesday, August 20, 2019 at 5:11:14 PM UTC+1, David Curry wrote: >> >> It's been a while since I messed with this stuff, but did you remember to >> update your custom casLoginView.html to use your custom layou

Re: [cas-user] Custom casLoginView - problem calculating URLs

2019-08-20 Thread David Curry
It's been a while since I messed with this stuff, but did you remember to update your custom casLoginView.html to use your custom layout.html by changing the layout:decorate attribute of the html tag from ~{layout} to ~{cas-overlay/layout}? -- DAVID A. CURRY, CISSP *DIRECTOR • INFORMATION

Re: [cas-user] CAS 3.5.x CPU utilization problem

2019-07-29 Thread David Curry
rver.tomcat.port-header=X-Forwarded-Port >> server.tomcat.protocol-header=X-Forwarded-Proto >> server.tomcat.protocol-header-https-value=https >> server.tomcat.remote-ip-header=X-FORWARDED-FOR >> server.tomcat.uri-encoding=UTF-8 >> >> Could you share your Tomcat con

Re: [cas-user] CAS 3.5.x CPU utilization problem

2019-07-28 Thread David Curry
2012 > What else is running on the server (nothing, hopefully)? > Nothing > Is the server paging or swapping (you don't want it to be)? > The default of Windows Server > > > > On Sun, Jul 28, 2019 at 4:44 PM David Curry > wrote: > >> How many CPUs? >

Re: [cas-user] CAS 3.5.x CPU utilization problem

2019-07-28 Thread David Curry
How many CPUs? How much memory? What operating system? What else is running on the server (nothing, hopefully)? Is the server paging or swapping (you don't want it to be)? If you're running on Linux VMs, do you have an entropy source for the crypto (you should)? -- DAVID A. CURRY, CISSP

Re: [cas-user] Re: CAS management

2019-07-24 Thread David Curry
ext4 defaults 0 2 > /dev/mapper/casermgnt--vg-var /var ext4 defaults 0 2 > /dev/mapper/casermgnt--vg-swap_1 none swap sw 0 0 > /dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 >

Re: [cas-user] Re: CAS management

2019-07-24 Thread David Curry
id. And it doesn't work. > > How to do this? > > Best regards > > On Wednesday, 24 July 2019 13:30:30 UTC+2, David Curry wrote: >> >> [2019-07-22 08:57:45] [info] 2019-07-22 08:57:45,023 main ERROR >> RollingFileManager (/var/log/cas-management/cas-man

Re: [cas-user] Re: CAS management

2019-07-24 Thread David Curry
[2019-07-22 08:57:45] [info] 2019-07-22 08:57:45,023 main ERROR RollingFileManager (/var/log/cas-management/cas-management.log) java.io.FileNotFoundException: /var/log/cas-management/cas-management.log (Read-only file system) Is your file system mounted read-only? Is the directory writable by the

Re: [cas-user] CAS5 management

2019-07-23 Thread David Curry
where am I making a mistake? I have referred docs at: > https://dacurry-tns.github.io/deploying-apereo-cas/building_svcmgmt_configure-webapp-properties.html > too. > > On Friday, 23 February 2018 14:48:32 UTC-5, David Curry wrote: >> >> > Someone should pay you for them. >> >

Re: [cas-user] Re: references to CAS production setups

2019-07-09 Thread David Curry
Lafayette College provided their load testing results for CAS 5.1.x back in 2017: https://apereo.github.io/2017/09/25/cas51-perfresults-LafayetteCollege/ The Locust configuration they used for this is available on Github: https://github.com/cwaldbieser/locustfiles -- DAVID A. CURRY, CISSP

Re: [cas-user] Re: How do I enable cas/status page with CAS 5.3.2?

2019-06-28 Thread David Curry
Don't change the default configuration. Add the service to your service registry, wherever that is. If you don't have a service registry, you should set one of those up first. And unless the CAS server actually has an SSL certificate with localhost. as a valid CN, you should be using the

Re: [cas-user] How do I enable cas/status page with CAS 5.3.2?

2019-06-27 Thread David Curry
running CAS 5.3 with the following release: > https://github.com/apereo/cas-gradle-overlay-template. > > Thursday, 27 June 2019 at 16:02:27 UTC+1, David Curry wrote: >> >> I'm not running CAS 6, so I can't tell you specifically for that release; >> maybe some

Re: [cas-user] How do I enable cas/status page with CAS 5.3.2?

2019-06-27 Thread David Curry
.edu On Thu, Jun 27, 2019 at 10:51 AM 123 456 wrote: > Still not working .. > > The used template is the right one? I used the following: > https://github.com/apereo/cas-overlay-template > > > Thursday, 27 June 2019 at 12:46:12 UTC+1, David Curry wrote: >>

Re: [cas-user] How do I enable cas/status page with CAS 5.3.2?

2019-06-27 Thread David Curry
.edu On Thu, Jun 27, 2019 at 4:46 AM 123 456 wrote: > I have commented out this line, but still doesn't work. I get the > following error message when trying to access cas/status : > > [image: Capture.PNG] > > > Wednesday, 26 June 2019 at 18:07:19 UTC+1, David Curry

Re: [cas-user] How do I enable cas/status page with CAS 5.3.2?

2019-06-26 Thread David Curry
Unless you really want it to only be accessible from the local host that the server is running on, you need to comment out this line: cas.adminPagesSecurity.ip=127\.0\.0\.1 Or more appropriately, set it to a value that matches the IPs you want to be able to reach the status page. It's a Java

Re: [cas-user] New CAS Installation

2019-06-26 Thread David Curry
You might find this helpful; it takes you step by step from an out-of-the-box RHEL 7 install to a full-blown CAS implementation: https://dacurry-tns.github.io/deploying-apereo-cas/ Note however that it's based on CAS 5.2.x, not CAS 6.x. For the most part that shouldn't matter, except that

Re: [cas-user] Re: Connecting SAML SP to CAS 6

2019-06-06 Thread David Curry
If you don't feel like (or can't) setting up a web server as an SP, you can also use this: https://sptest.iamshowcase.com/ Click on Instructions > SP Initiated SSO to begin. -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* THE NEW SCHOOL • INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH

Re: [cas-user] Re: Connecting SAML SP to CAS 6

2019-06-06 Thread David Curry
> But I am not sure if this is needed - but CAS loads it successfully on boot. At least in CAS 5, SAML2 will not work if you do not have that service. I don't know if CAS 6 still requires it, but I would assume that it does unless you can find something that says it doesn't. --Dave -- DAVID A.

Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread David Curry
> portals as only one new page like "CAS for Dummy" , "CAS for lazy admin" or > "CAS in 20 minutes" :) > > Kindest regards > > > > > > On Thursday, 16 May 2019 14:02:00 UTC+2, David Curry wrote: >> >> Va, >> >> If

Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread David Curry
t to use *for free*. I support some paid software with worse >> documentation. I do understand the frustration, as the learning curve is >> steep, but that's where this community comes in. Everyone here tries to be >> very helpful, giving one another their time *for free*. I've b

Re: [cas-user] Re: Anyone having issues with Duo today? (5/15/2019)

2019-05-15 Thread David Curry
It's working fine for us (CAS 5.2.x). That error looks familiar though... I won't swear it's the same one, but there was an outage a couple of months ago too, and that was a problem on the Duo side. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* THE NEW SCHOOL • INFORMATION

Re: [cas-user] Migrating from file based service registry to DynamoDB service registry.

2019-04-17 Thread David Curry
At least on CAS 5.2.x with a Mongo DB service registry, the way you did it was: 1. Edit the dependencies in pom.xml and: 1. REMOVE the cas-server-support-json-service-registry dependency 2. ADD the cas-server-support-mongo-service-registry dependency 2. Rebuild the server. 3.

Re: [cas-user] CAS Management - Collection of Attributes in Attribute Release Policy

2019-04-05 Thread David Curry
it be like that? > Thank you David > > Sent from my iPhone > > On 5 Apr 2019, at 18.45, David Curry wrote: > > For CAS 5.2.x, you configure the "stub" attribute repository with all the > attribute names you want the management app to be able to work with (add >

Re: [cas-user] CAS 5.1.9 Mongodb ticket cleanup

2019-04-05 Thread David Curry
When we were using mongodb as our ticket repository (CAS 5.2.x), we just took the default ticket registry cleaner that came out of the box, and it worked pretty well. However, mongodb itself as a ticket registry gave us some problems under heavier load (like when a few thousand students were all

Re: [cas-user] CAS Management - Collection of Attributes in Attribute Release Policy

2019-04-05 Thread David Curry
For CAS 5.2.x, you configure the "stub" attribute repository with all the attribute names you want the management app to be able to work with (add these to the management.properties file, not cas.properties): cas.authn.attributeRepository.stub.attributes.UDC_IDENTIFIER: UDC_IDENTIFIER

Re: [cas-user] CAS 5.2 and AD - Auth fail for just one OU

2019-03-25 Thread David Curry
Just a quick off the cuff thought, but could there be a syntax error in the properties file somewhere before the dn setting that's causing that line to be misread? David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York,

Re: [cas-user] Migrating from CAS 3.5.2 to CAS 6.1.0

2019-03-18 Thread David Curry
1. If you're only using a single server, then you don't need a ticket registry at all beyond the in-memory one that CAS uses by default. If you're using multiple servers, then the ticket registry lets the servers cross-validate each others' issued tickets. But there is no need for this registry to

Re: [cas-user] Re: Which ticket repository are you using?

2019-02-27 Thread David Curry
Thanks to everyone who responded to this thread. I switched our dev servers over to a Hazelcast ticket registry (keeping MongoDb for the service registry) this afternoon, and assuming no problems, we'll gradually move it from dev to test to production. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR

Re: [cas-user] Re: DUO MFA Issues

2019-02-22 Thread David Curry
Just passing along that we heard back from Duo support late this afternoon that the issue had been escalated to engineering and that a fix has now been rolled out. But given that it's late on Friday afternoon we're waiting until Monday to try it, so I can't say for sure whether it's really been

Re: [cas-user] DUO MFA Issues

2019-02-22 Thread David Curry
It quit working for us (or at least we first received complaints) as well around 3:30pm EST yesterday (2/21). We have a ticket open with Duo, although I'm not aware that we've heard anything back from them yet. I'll share anything we learn as well. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF

Re: [cas-user] Re: How to register a service in CAS while using SAML2.0 protocol

2019-02-22 Thread David Curry
For SAML2 to work, you need a single entry like this in your service registry: { "@class" : "org.apereo.cas.services.RegexRegisteredService", "serviceId" : "https://cas.example.org/cas/idp/profile/SAML2/Callback.+", "name" : "SAML Authentication Request",

Re: [cas-user] I am facing issue with CAS 3.4.11 to communicate with LDAP with TLS 1.2 enabled.

2019-01-30 Thread David Curry
Ray is right, the best answer is upgrade. But, assuming that's not an immediate option... I don't believe CAS 3.x had any of its own support for SSL/TLS; I think it just relied on what the underlying Java JVM gave it. So... what version of Java are you using? TLSv1.2 was not supported in Java 6

Re: [cas-user] Authentication Policies are documented, but do they work?

2019-01-17 Thread David Curry
Hi Daniel, thanks for your response. I spent a lot of time looking at those. And although it's likely that we will ultimately need to write our own policy or authentication handler, I was wanting to play with the existing ones to see if we could do anything interesting with them. But I was having

Re: [cas-user] username cas in CAS

2018-12-19 Thread David Curry
"Ellucian" - from the Latin for "software crap-fest" :-) -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* THE NEW SCHOOL • INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu On Wed, Dec 19, 2018 at 12:13 PM Jennifer

Re: [cas-user] Pulse Secure VPN SAML2 SP to CAS SAML2 IdP?

2018-12-13 Thread David Curry
Thanks, Andres! That was exactly the problem. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* THE NEW SCHOOL • INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu On Thu, Dec 13, 2018 at 10:43 AM Andres Rattur

Re: [cas-user] Runtime memory is used as the persistence storage

2018-12-06 Thread David Curry
By default, the CAS server keeps the service registry in memory. So if you make changes to it, and then shut down or restart the server, all your changes will be lost. You should look into setting up a JSON (file-based) service registry at a minimum, or a more flexible one based on some sort of

Re: [cas-user] Http 404 Error while trying to access CAS login page

2018-12-05 Thread David Curry
Check your Tomcat logs (especially catalina.out) -- did the CAS server successfully start? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* THE NEW SCHOOL • INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu On Wed,

Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
So while I'm eating lunch I did a bit of fiddling around... It looks like you can do: openssl genrsa -des3 -out tmp.key 2048 When it prompts for a password, enter "" (or whatever, just remember it). This gives you an encrypted key file. Then run: openssl rsa -in tmp.key -out

Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
wait for a CAS release at the moment. > > On Tuesday, December 4, 2018 at 12:12:29 PM UTC-5, David Curry wrote: >> >> This doesn't really answer your question (I don't know the answer), but >> can't you just start CAS and let it generate the keys (they end up in >> /etc/cas/s

Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
This doesn't really answer your question (I don't know the answer), but can't you just start CAS and let it generate the keys (they end up in /etc/cas/saml), then stop CAS and copy the keys somewhere for safekeeping/redistribution? For our installation with multiple CAS servers behind a load

Re: [cas-user] Protect Single Page application using mod_auth_cas

2018-12-04 Thread David Curry
Directory works fine with mod_auth_cas. For example, I usually use some variation on this for /etc/httpd/conf.d/cas.conf: LoadModule auth_cas_module modules/mod_auth_cas.so AuthType CAS CASAuthNHeader On Require valid-user CASLoginUrl

Re: [cas-user] Re: CAS 5.2.2 SAML IdP vs. Workday

2018-11-29 Thread David Curry
You do need to create a metadata file; Workday won't do it for you. We use this site: https://www.samltool.com/sp_metadata.php Once you've created it for one Workday tenant, you can just copy it and edit the XML directly for the other tenants; you don't have to use this site for each tenant.

Re: [cas-user] Re: CAS 5.3.0-RC2 LDAP Authentication and cas.authn.ldap[0].userFilter property

2018-11-27 Thread David Curry
> [image: photo] > S.Sudhanraj > Network Engineer > > A: 309 Kent Street, Sydney, NSW 2000 > <https://maps.google.com/?q=309+Kent+Street,+Sydney,+NSW=gmail=g> > > > > Email: helpd...@eluminaelearning.com.au > > > On Tue, Nov 27, 2018 at 12:29 AM David Curry &

Re: [cas-user] Re: CAS 5.3.0-RC2 LDAP Authentication and cas.authn.ldap[0].userFilter property

2018-11-26 Thread David Curry
What version of CAS are you using? What "login error" are you getting (include the actual text of the error)? Do you see any errors in your log file(s) about it? If so, what are they (copy and paste relevant lines)? Have you tried turning on debug-level logging? Did it tell you anything? If so,

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
t account i want to log > in. You said that there's a way to return a multi-value attribute, can you > show me how to return multi-value attribute? > > Thank You! > > > > > On Friday, 16 November 2018 14:39:26 UTC-2, David Curry > wrote: >> >

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
itory.ldap[0].useStartTls=false > cas.authn.attributeRepository.ldap[0].name=AD > cas.authn.attributeRepository.expirationTime=30 > cas.authn.attributeRepository.expirationTimeUnit=MINUTES > cas.authn.attributeRepository.maximumCacheSize=1 > cas.authn.attributeRepository.merger=MER

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
n json. > I need the SAML response to be like this > > 1 < > AttributeValue>2 3 Attribute> > > Can you help me on this man? > > Regards > > On Wednesday, 16 May 2018 11:49:10 UTC-3, David Curry wrote: >> >> >>

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
> > On Fri, 2018-11-02 at 15:05 -0400, David Curry wrote: > > We already had to turn off SLO because of that issue between tabs (people > would log into Luminis in one tab and Canvas in another, and get kicked out > of Canvas when Luminis timed out). My position is that this was

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
ence either, since the timeout just calls the > cas/logout endpoint resulting in the destruction of the TGTs. You may at > least want to revisit the timeout values for AppNav, etc... > > Matt > > On Friday, November 2, 2018 at 12:13:39 PM UTC-6, David Curry wrote: >>

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
in a browser instance, not a > tab instance; in some cases a new window is still not enough. > It sounds like your client does not understand how web browser technology > works. > > You could always offer to build a custom browser ;) > > Ray > > On Fri, 2018-11-02 at 13:01

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
you mention, you lose the essential use of a SSO. If you're > renew for the following tab, you will lose the authentication of the first > tab. > > Christian Poirier > Université TÉLUQ > Québec, QC CANADA > > > Le ven. 2 nov. 2018, à 10 h 41, David Curry a > écrit : > &

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
in to the app? Sounds like it's an > issue of controlling the user's application session rather than the user's > CAS SSO session. > > Dan > > Dan Ellentuck > Columbia University I.T. > > On Fri, Nov 2, 2018 at 10:41 AM David Curry > wrote: > >> >> C

[cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
Can I force a service to authenticate every time from the CAS server side, e.g., by setting something in the service registry? Basically, I want to mimic the behavior of "=true" but not have to change anything on the client side. I thought setting "accessStrategy.ssoEnabled: false" in the service

[cas-user] Deploying Apereo CAS document updated (finally)!

2018-10-18 Thread David Curry
For those of you who have been waiting (and waiting, and waiting, ...) for me to update my *Deploying Apereo CAS* documentation, I have finally gotten enough time to do that. Aside from dozens of minor updates and corrections accumulated over the last 8 or 9 months, the following major sections

Re: [cas-user] Re: Which dependencies can I remove if I am not using embedded Tomcat?

2018-10-18 Thread David Curry
Ganesh, Our CAS 5.2.7 WAR file is 121MB with the following dependencies: cas-server-support-mongo-service-registry cas-server-support-ldap cas-server-support-saml cas-server-support-saml-idp cas-server-support-saml-googleapps cas-server-support-duo cas-server-support-mongo-ticket-registry We

Re: [cas-user] Unable to Retrieve CAS User Attributes (CAS 5.3.x)

2018-10-01 Thread David Curry
You should be using the samlValidate endpoint, not the serviceValidate endpoint in the CASValidateUrl. See the mod_auth_cas documentation. -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 •

Re: [cas-user] Re: Applying Custom Theme CAS 5.3.x

2018-09-28 Thread David Curry
The static/themes/skeleton and templates/skeleton subdirectories do not belong in etc/cas/config; they belong in src/main/resources in your overlay so that they get bundled into cas.war. Like this: /opt/workspace/cas-overlay-template/ ├── LICENSE.txt ├── README.md ├── build.cmd ├── build.sh* ├──

Re: [cas-user] TARGET URL parameter associated with samlValidate can be misused to redirect to malicious sites (?)

2018-09-27 Thread David Curry
I think Andy's right here... when I try this on my CAS server, which does *not* have the wildcard service registry entry, I get (correctly) redirected to the "Application not authorized to use SSO" page. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY

Re: [cas-user] Re: Unauthorized After Login

2018-09-23 Thread David Curry
Using casuer/Mellon shouldn't make any difference. Try turning mod_auth_cas debug logging on (CASDebug on) and see what it tells you. Note that you also need to set the Apache logging level on the virtual host to Debug to see the logs. -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY*

Re: [cas-user] Unauthorized After Login

2018-09-23 Thread David Curry
That's usually a certificate problem. Are you using a self-signed certificate on the CAS server? If so, you need to have CASCertificatePath /etc/pki/tls/certs/casserver.crt in the mod_auth_cas configuration. -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY
