" manually. I just
>> generated a uuid4, but you can use any ID unique to your keystore from what
>> I understand.
>> The kid then appears on the endpoint.
>>
>> Thanks,
>> Carl Waldbieser
>> ITS
>> Lafayette College
>>
>> On Tue, Mar 7,
, though, so I'd be interested in what the
particular symptoms are.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Wed, Mar 8, 2023 at 2:57 PM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:
> On CAS 6.6.6 and using the Duo Universal Prompt, it is exposing my
> inter
en appears on the endpoint.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Tue, Mar 7, 2023 at 12:13 AM Yan Zhou wrote:
> Hi,
>
> CAS 6.4 OIDC JWKS endpoint looks like this. Our vendor has problem with
> its missing fields such as alg, kid, and use.
>
> Anyone knows how
a
day? It really depends on the policies in your organization.
Thanks,
Carl Waldbieser
On Wed, Jul 27, 2022 at 3:16 PM Pablo Vidaurri wrote:
> Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is
> requesting to enable certain parts of their site (protected) to include a
>
need to indicate that alias entries
should be dereferenced.
I'm not sure if CAS supports this without getting into some magical Java
bean territory.
Thanks,
Carl Waldbieser
On Wed, May 18, 2022 at 7:09 PM Ray Bon wrote:
> Carl,
>
> Are you referring to surrogate authentication?
>
> htt
from the documentation how one might configure that, or
even if it is possible.
Thanks,
Carl Waldbieser
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this
The lifetime of a service ticket is usually set pretty short-- 15 or 20
seconds max. Alice needs to leak her ST within that timeframe for it to be
valid, or else Bob should get an invalid ticket error at the client.
You may want to examine the ST lifetime and shorten it.
Thanks,
Carl Waldbieser
whether or not this type of access should be granted. But it is
*typically* the application's responsibility to enforce that kind of access
control.
Thanks,
Carl Waldbieser
On Tue, Feb 22, 2022 at 3:15 PM Ray Bon wrote:
> Pablo,
>
> That kind of behaviour is in your application and ha
.
Trying to replicate the CAS server functionality from the REST API seems
like a pretty big undertaking. The REST API is really meant to model
"applications as users".
From my point of view this doesn't seem like the best way to use CAS.
Thanks,
Carl Waldbieser
ITS
Lafayette College
O
is OK, since the user will
likely be first introduced to CAS on a valid resource and the browser will
remember the header setting for the site.
If this *is* an issue, is there a way to configure CAS to just apply the
security response headers to *all* resources that it serves up?
Thanks,
Carl
ultRegisteredServiceProperty",
"values": [
"java.util.HashSet",
[
"https://help.example.org/service-example-net"
]
]
}
}
}
The idea is to just redirect to an "
JDK 11 an exact requirement? Or are later versions of the JDK also
acceptable? I don't follow Java development too closely, but I did see
that JDK 17 is in general availability, so it just got me wondering.
Thanks,
Carl Waldbieser
ITS
Lafayette College
your DR LDAP service, but you could just
configure it to use the DR LDAP service's current name if you just wanted
to quickly verify the service starts up. Presumably the DR DNS name will
still be around during a fail over?
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Mon, Oct 4, 2021 at 2:53 PM
Baron,
Couldn't you just put subject alternative names on the certificate to
include both the DR name and the production service name?
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Mon, Oct 4, 2021 at 2:01 PM Baron Fujimoto wrote:
> This isn't strictly a CAS issue, but we're encounter
du/authorized"
]
]
}
},
"logo": "https://cdn.lafayette.edu/images/logos/example-100x100.png",
"properties": {
"@class": "java.util.HashMap",
"InformationURL": {
"@class":
"org
for is at
"./WEB-INF/lib/duo-client-0.2.2.jar". There are also a couple "okhttp"
JARs in there, too. I think I needed one of those as well.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Tue, May 11, 2021 at 3:01 PM 'Zachary Dunham' via CAS Community <
cas-user@ape
I am working around this by having the JAR files (duo and okhttp-2.3.0.jar)
locally in the build environment and tweaking the Gradle build script to
use those. Seems to work for now with 6.2.8.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Mon, May 10, 2021 at 5:14 PM 'Zachary Dunham' via
normally require authentication.
Historically, I believe CAS used to have a "login ticket" which was a
nonce. It dropped it somewhere between 3.x and 5.x, I believe.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Wed, Apr 21, 2021 at 5:24 AM Paul Roemer wrote:
>
> Hey guys
Mark,
If your web site uses some kind of session to persist authentication
between requests, you could just have separate login resources for CAS or
for an alternative authN/authZ method. Either one could establish the
session and you could proceed from there.
Thanks,
Carl Waldbieser
ITS
directory. CAS brokers the authentication and provides the
information necessary to make policy enforcement decisions.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Thu, Feb 11, 2021 at 6:32 PM KC Pullen wrote:
> Hello,
>
> I'm currently using CAS to protect web directories on Li
determine a better way to get the
container to do a health check without some kind of rudimentary shell.
We do use Duo MFA integration.
I'm not certain what CAS interruption is-- I'm pretty sure we don't use it.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Wed, Dec 16, 2020 at 5:33 PM Geng
questions, let me know.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Tue, Dec 15, 2020, 3:30 PM Geng, Kelly wrote:
> Hi All,
>
> Is there anyone that is successfully running CAS v5+ on AWS either
> exclusively or in hybrid mode? We are trying to migrate CAS 6.0 to AWS and
>
ments for signing.",
"logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png",
"properties": {
"@class": "java.util.HashMap",
"InformationURL": {
"@class":
"org.apereo.ca
ser to be redirected to a static "Unauthorized" page that
explains that the user is not authorized for this service.
Is that something I can do using CAS views? Or would I be better off just
setting up an external web page somewhere?
Thanks,
Carl Waldbieser
ITS
Lafayette College
was asserted. Again, I'm not sure how one would
configure something like that in practice.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
- Original Message -
From: "Matt T"
To: "cas-user"
Sent: Friday, 7 September, 2018 11:47:43
Subject: Re: [cas-
session
or it will not. Any call to our IdP will always pass though to CAS to verify
an SSO session exists. Users are only prompted for MFA once per session.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
- Original Message -
From: "Matt T"
To: "
"surname"
]
]
},
The "attributeReleasePolicy" is used to filter the "memberOf" attribute down to
a specific value (because the attribute is multi-valued, and you usually only
want to release only one or a few of the values to a
, it should
act like its own unique CAS instance.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
- Original Message -
From: "Andy Ng" <long...@gmail.com>
To: "cas-user" <cas-user@apereo.org>
Sent: Wednesday, April 25, 2018 5:20:01 AM
Subject:
John,
Unless you're developing for the CAS server, you probably just want to use the
WAR overlay method[1].
Basically, you set up a pom.xml file and run the `maven` command, and all the
relevant Java libs are pulled from remote repositories and assembled for you.
Thanks,
Carl Waldbieser
ITS
29 matches