I agree. That would work just as well.
We're now stuck at 5.2.x and cannot move forward until this is patched. We
have too many external vendor integrations that are impacted by this.
On Thursday, September 6, 2018 at 4:04:15 PM UTC-4, Curtis Ruck wrote:
>
> or at least have a boolean that can
Hi Everyone,
I'll be the first to admit I'm no CAS expert. In fact, I don't even manage
our deployments here. Instead, I work with applications which interface
with it so I do understand to some degree. That being said, I have a
question which came up in internal discussions I'm hoping to g
There is a rumor roaming around my office right now that Microsoft is
terminating some SDK that CAS uses to integrate with ADFS. I can't seem to
get to the root of it, as with all rumors everyone heard it from someone
else, and someone heard it from an official blog post, though no one knows
I am trying to implement the Java Client on my Tomcat server but I am now
running into this exception:
java.lang.ClassCastException: org.jasig.cas.client.validation.AssertionImpl
cannot be cast to org.jasig.cas.client.validation.Assertion
at
org.jasig.cas.client.tomcat.AuthenticatorDelegat
Thanks for the suggestion, I figured out something that is strange to me.
I am building cas.war and deploy to tomcat8.
I have externalized a directory containing three configuration files:
application.yml, log4j2.xml and cas.properties.
If I put the following in cas.properties, it does not
I've built CAS 5.3.2 successfully from the CAS Overlay, but when I try to
run CAS with "./build.sh run" I get an exception
that CasCommandLineShellConfiguration.class can't be found.
Caused by: java.lang.IllegalStateException: Unable to read meta-data for
class org.apereo.cas.config.CasComma
Matt,
It depends. If during CAS ticket validation, the validation result can assert
that MFA took place for the authentication that created the TGT, then I think
that would be sufficient if your requirement is simply that MFA took place
already in the SSO session.
However, suppose not all ser
Hello,
I am enabling JWT Service Ticket in CAS 5.3 server. My flow stops here:
http://localhost:8080/myapp/login/cas?redirect=true&ticket=
I suppose the client (myapp) has to change something in order to read the
JWT ticket? But I did not see any documentation on that, does App need
Carl,
This is very helpful. We actually run two CAS instances because of our IDP
configuration. One (the one in question here) requires MFA while the other
does not. So, if the CAS ticket in question is only valid in the MFA CAS
instance, we can be certain the user has performed MFA. In th
Matt,
Yes. I would say that if establishing a CAS web SSO session requires MFA, then
one could infer that MFA had to have happened if ticket validation takes place
successfully.
It might not leave you in the best position if you ever want to swap components
around. E.g. if one day you decide
I agree. We will discuss architecture but it's nice to confirm my logic.
Again, thank you very much!
On Friday, September 7, 2018 at 11:05:47 AM UTC-5, waldbiec wrote:
>
> Matt,
>
> Yes. I would say that if establishing a CAS web SSO session requires MFA,
> then one could infer that MFA had
Matt,
I can confirm that log in to non MFA service and then MFA service requires a
reissue of TGT. Are tickets shared between the two CAS servers? If not, then I
could see multiple logins required as user is shuffled between servers.
At present I have only one MFA service to test against. But a
Yan,
Have you changed spring.application.name (should be cas by default)? See
https://apereo.github.io/cas/5.3.x/installation/Configuration-Server-Management.html#standalone
In default 5.3, I do not see application.yml. Do you need it? Does
cas.properties load if you delete application.yml?
Ray
Hi all,
We have Duo working in our test CAS 5.1.2 environment. Now we'd like to
point different CAS-protected services at different Duo Protected
Applications so we can set different group policies for each. I created
2 CAS applications inside Duo's admin portal, I called them
"CAS ID=mfa-du
This PR https://github.com/apereo/cas/pull/3498, against 5.3.x addresses
this issue.
On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson <
gibson_br...@wheatoncollege.edu> wrote:
> Hi all,
>
> We have Duo working in our test CAS 5.1.2 environment. Now we'd like to
> point different CAS-protected servic
Was using globally_quoted_identifiers successfully in 5.1.x, now in 5.3.x,
seems like it does not follow the setting and the queries are not being
quoted properly. Any ideas?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://go
Thanks Travis,
Moving to a newer version of CAS 5 is not an option for us now. Our Duo
rep said that he has customers doing what I asked but before I bug him
for help I was hoping someone on this list had this scenario working in
a 5.1 environment?
On 9/7/2018 2:48 PM, Travis Schmidt wrot
The first entry is what is used as the name for the auth context. You most
likely authed against the second Duo, but it will just return the
first one. I also think that the two are treated equally in an sso
situation. So one fills MFA requirement for the other and vice versa.
On Fri, Se
That was it!!
I changed spring.application.name without realizing it has an impact on
property loading.
Thx so much.
Yan
On Friday, September 7, 2018 at 1:24:18 PM UTC-4, rbon wrote:
>
> Yan,
>
> Have you changed spring.application.name (should be cas by default)? See
> https://apereo.github.
A closer review of the cas properties documentation suggests that setting
cas.authn.mfa.globalFailureMode=NONE wouldn't have the desired effect after
all. It doesn't disable MFA, just assumes the MFA provider is available. So I
should back up and reformulate my question:
Is there a way to confi
Does anyone have suggestions or ideas on how we could troubleshoot this further?
On Wed, Sep 05, 2018 at 05:10:10PM -1000, Baron Fujimoto wrote:
>The service is defined as a cluster using hazelcast, but I had shut down the
>other node prior to conducting these tests. Hazelcast still seems to deco
21 matches