Hi Ray, I have confirmed there are no stale TGC's hanging around. Once we sign into the test site, opening another tab and going to the same test web page is SSO'd. It also works when I remove the Session cookie, open another tab and go to the same test site.
When I open an incognito browser, authenticate through the CAS page and am redirected to the registered test site. I think as expected no session cookie is set, however when I open a browser tab and put in the URL for the test site, I'm properly logged into the site through SSO. The issue is happening where I authenticate through the test site and then attempt to go to https://www.google.com/calendar/hosted/testdomain.ca I'm redirected to the CAS login page. Whereas with our very old implementation the SSO kicks in and works. I'll look up how to increase logging in the CAS server. Thank you, Rod On Thursday, 2 December 2021 at 09:59:46 UTC-8 Ray Bon wrote: > Rod, > > Use your browser developer tools to see the TGC sent from and to cas. > Verify that there are no stale TGCs (there should only be one and it should > not change during an sso session). > Does this behaviour happen in a new private window? > > You can test repeated logins to your test app by removing its session > cookie (NOT the TGC). This should trigger the test app to go to cas where > you 'should' be SSOed. > > You may want to turn up logging on the cas server to see what it thinks is > going on. > > Ray > > On Thu, 2021-12-02 at 08:50 -0800, Rod B wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > > Hi Andy, > > I've attached our cleansed cas.properties file. We do use https. I'm also > including our virtual hosts set up that shows we redirect to https if a > http request to the CAS server comes in. > > Many thanks for having your eyes on this. > > Rod > > On Wednesday, 1 December 2021 at 22:55:06 UTC-8 Andy Ng wrote: > > Hi Rod, > > Usually this happen when you setup your CAS as *http *instead of https. > - When CAS is in http, SSO will not work. Making sure it is https should > make it work again. > - The services you provided seems fine, didn't see any issue on them. > - But the ssoEnabled part should be not neccesary since that would be the > default > > If the above still not able to solve your issue, then you might need to > provide a little bit more information, like a full cas.properties > (sensitive data removed of course). > > Cheers! > - Andy > > On Thursday, 2 December 2021 at 08:49:09 UTC+8 [email protected] wrote: > > Hello Everyone! > > I'm held up deploying 6.4.2 so I'm back on 6.1 for the Google App > integration provided by it. > > I'm able to log into a testing site in the /etc/cas/services directory. > I'm redirected to the CAS login page. Once I authenticate, I continue to > the testing site. > > I'm also able to log into Google calendar where I'm redirected to the CAS > login page. Once I authenticate I continue to the Google calendar. > > However, when I log into the testing site and then attempt on another tab > go to Google calendar, I'm redirected to the CAS login page and not SSO'd > into Google Calendar. > > This happens also if I log into Google Calendar and then attempt to access > the testing site. > > I believe this is the relevant bits of the /etc/cas/config/cas.properties > file (I could be missing something) > > > cas.tgc.crypto.encryption.key=**redacted** > cas.tgc.crypto.signing.key=**redacted** > cas.webflow.crypto.signing.key=**redacted** > cas.webflow.crypto.encryption.key=**redacted** > > This is how it looks for the two /etc/cas/services JSON files: > > google_apps-44.json > > { > > "@class" : "org.apereo.cas.services.RegexRegisteredService", > "serviceId" : "https://www.google.com/a/example.com/acs";, > "name" : "Google Apps", > "theme" : "ourschool", > "id" : 44, > "accessStrategy" : { > "@class" : > "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", > "ssoEnabled" : true > } > "evaluationOrder" : 10 > } > For the test site: > > { > "@class" : "org.apereo.cas.services.RegexRegisteredService" > "serviceId" : "http://cas-test.dev.ourschool.ca/wp-login.php*";, > "name" : "CasTest", > "id" : 1, > "accessStrategy" : { > "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" > "ssoEnabled" : true > } > "theme" : "ourschool" > "evaluationOrder" : 1 > } > I'm thinking I'm missing something in cas.properties as I don't think I > need to put in the accessStrategy part, I was just seeing if it would work. > > I do see that a TGC cookie is granted on the browser. > > Thank you for any suggestions and help. > > Rod > > > > > > > > -- > > Ray Bon > Programmer Analyst > Development Services, University Systems > 2507218831 <(250)%20721-8831> | CLE 019 | [email protected] > > I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional > territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ > peoples whose historical relationships with the land continue to this day. > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fbd66460-6988-4b5a-b815-682f9e57a08dn%40apereo.org.
