The use of a public key in service configuration is not related to a client web browser connecting to your CAS server over https. CAS requires the use of public/private keys when releasing sensitive information as part of the returned attributes. The proxy service is one such case due to the option to return the PGT-IOU as an attribute rather than requiring the target application to provide a pgtURL. This is documented here:
https://apereo.github.io/cas/5.3.x/installation/Configuring-Proxy-Authentication.html#pgt-in-validation-response

You should only implement this if your use case fits the description in the first paragraph. Knowing if you are using a pgtURL callback or attribute release will help to answer other questions.

-dirk

On Tue, Oct 2, 2018 at 7:18 PM Bryan Wooten <[email protected]> wrote:
> All,
>
> I am trying to implement our first CAS proxy.
>
> I have read
> https://apereo.github.io/cas/5.0.x/installation/Configuring-Proxy-Authentication.html
>
> This is our exact use case. But I am having trouble truly understanding.
>
> Currently our JSON service registry has this entry for the desired server:
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "^https://gatetest.acs.utah.edu/.*",
>   "name": "testCis",
>   "id": 4,
>   "description": "Test Portal",
>   "evaluationOrder": 4,
>   "proxyPolicy": {
>     "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
>     "pattern": "^https?://.*"
>   },
>   "accessStrategy": {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled": true,
>     "ssoEnabled": true
>   }
> }
>
> Our CAS server is behind a Citrix Load Balancer that does SSL termination.
> So I am not sure if I need SSL on the CAS server itself for this.
>
> Also my JSON service registry file does not seem to match this (from above link):
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://.+",
>   "name" : "test",
>   "id" : 1,
>   "evaluationOrder" : 0,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "principalAttributesRepository" : {
>       "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
>     },
>     "authorizedToReleaseCredentialPassword" : false,
>     "authorizedToReleaseProxyGrantingTicket" : true
>   },
>   "publicKey" : {
>     "@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
>     "location" : "classpath:RSA1024Public.key",
>     "algorithm" : "RSA"
>   }
> }
>
> All endpoints are Java.
>
> I would love examples of client side Java filter configuration and CAS server side JSON service registry configuration.
>
> Do I really need SSL and associated keys if the Load Balancer is doing SSL offloading?
>
> Thanks for any and all help,
>
> Bryan
>
> University of Utah
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAG9x2GUzXxsnRdGebkP5bvGr4ckLeGQ45YmrGsKB_-5zQ9_YEA%40mail.gmail.com
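Added example (editor's illustration, not code from the thread or from the CAS project): the client-side filter configuration for the pgtURL-callback mode that Bryan's registry entry (a proxyPolicy with no publicKey) corresponds to, using the Java CAS client's web.xml filters. The CAS server URL, application hostname and /proxyCallback path are assumptions; the filter class and init-param names are those documented by the java-cas-client project. In this mode no publicKey is needed in the service registry, because the PGT is delivered to the application over the callback rather than inside the validation response.

```xml
<!-- Added example for the pgtURL-callback proxy mode; hostnames and paths are assumptions. -->

<!-- 1. Redirect unauthenticated users to CAS. -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.example.edu/cas/login</param-value>
  </init-param>
  <init-param>
    <!-- Scheme and host the application is reached at (the public, TLS-terminated name). -->
    <param-name>serverName</param-name>
    <param-value>https://gatetest.example.edu</param-value>
  </init-param>
</filter>

<!-- 2. Validate the service ticket and receive the PGT on the callback URL.
        The Cas30 proxy-receiving filter serves proxyReceptorUrl itself: CAS
        calls proxyCallbackUrl over HTTPS with pgtId and pgtIou, and the filter
        stores the pair so the application can later ask for proxy tickets. -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.edu/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://gatetest.example.edu</param-value>
  </init-param>
  <init-param>
    <!-- Path, relative to this webapp, that the filter answers the callback on. -->
    <param-name>proxyReceptorUrl</param-name>
    <param-value>/proxyCallback</param-value>
  </init-param>
  <init-param>
    <!-- Absolute URL CAS will call; this is the pgtUrl sent on ticket validation
         and must match the proxyPolicy pattern registered for this service. -->
    <param-name>proxyCallbackUrl</param-name>
    <param-value>https://gatetest.example.edu/proxyCallback</param-value>
  </init-param>
  <init-param>
    <!-- Do not accept tickets proxied through arbitrary services; list allowed
         chains explicitly with allowedProxyChains if this app is itself a proxy target. -->
    <param-name>acceptAnyProxy</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>

<!-- 3. Make the CAS assertion available to application code via AssertionHolder,
        so a request handler can call
        AssertionHolder.getAssertion().getPrincipal().getProxyTicketFor("https://backend.example.edu/api")
        to obtain a proxy ticket for a downstream service. -->
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<!-- The validation filter must be mapped so that it sees /proxyCallback as well as
     the protected pages; the authentication filter must not block the callback. -->
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/secure/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Two points a practitioner should check when wiring this up behind a TLS-offloading load balancer. First, the callback is an outbound HTTPS connection made by the CAS server's JVM to proxyCallbackUrl, independent of how inbound TLS to CAS is terminated; the certificate presented at the callback endpoint (the application's own, or its load balancer's) must be trusted by the CAS JVM's truststore, or the callback fails and no PGT is delivered. Second, the registered proxyPolicy pattern is the server-side allow list for that callback target; a pattern such as `^https?://.*` lets any service registered under the serviceId request a PGT callback to any URL, including plain http, so it should be narrowed to the actual callback host over https (e.g. `^https://gatetest\.acs\.utah\.edu/.*`). If instead the PGT is to be returned inside the validation response, the service entry needs the attributeReleasePolicy and publicKey shown in the documentation link quoted above, and the application must hold the matching private key to decrypt it; recent java-cas-client versions expose this through privateKeyPath and privateKeyAlgorithm init-params on the validation filter, which is stated here as an assumption to verify against the client version you deploy.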
