I was out of commission with Covid for a while there... Thanks for the suggestions. A URL rewrite sounds promising. I'll have to test this idea out.
On Saturday, January 6, 2024 at 12:00:58 AM UTC-5 Ray Bon wrote:
> Jeremiah,
>
> Could a URL rewrite (that strips :8443) work?
> After updating metadata ...
>
> Ray
>
> On Fri, 2024-01-05 at 12:40 -0800, Jeremiah Garmatter wrote:
>
> Thanks for the reply Baron,
>
> Unfortunately, it seems that changing the cas.server.name only shifts the problem instead of getting around it.
> I can choose whether to require the port in the URL or not, but I cannot allow both situations by changing that configuration.
> Ideally, I would be able to log in in both situations, port specified or not, as I could with the older versions of CAS.
>
> This behavior is important to me because I use CAS to authenticate CAS apps and SAML2 apps.
> Unfortunately, we were not consistent in registering apps so many of the CAS apps were configured without the port specified and the opposite goes for our SAML2 apps.
> It looks like I may have to make them all consistent now.
>
> On Fri, Jan 5, 2024 at 2:25 PM Baron Fujimoto <ba...@hawaii.edu> wrote:
>
> Hi Jeremiah,
>
> We don't use the embedded Tomcat and have a load balancer forwarding port 443 to 8443 on Tomcat, but I ran into the "MFA provider unavailable" issue when testing with an individual backend cluster node's hostname rather than the cluster's public CNAME. I was able to work around it for our testing purposes by setting cas.server.name in cas.properties to match what CAS is apparently expecting. Perhaps a similar approach may work for you?
>
> #cas.server.name=publicname.example.edu
> cas.server.name=nodename.example.edu:8443
>
> Aloha,
> -baron
>
> On Fri, Jan 5, 2024 at 6:59 AM Jeremiah Garmatter <j-gar...@onu.edu> wrote:
>
> Hello,
>
> I am trying out CAS 7 with the embedded Tomcat instance.
> I noticed a change in behavior that will impact my authentication flow and wanted to see if anyone else has come across it and found a workaround.
>
> I run my CAS server over port 8443 but, for user convenience, I forward traffic from port 443 to 8443. This way my users can access SSO without specifying a port number. In the past I have had no issues visiting https://my.cas.server/cas/login, authenticating via LDAP, then MFA via Duo.
>
> On CAS 7, it seems like CAS is more aware of the URL used during authentication though. When I visit the URL without port 8443 specified, I can LDAP auth and MFA through Duo, but upon *return* from Duo to CAS I receive the "MFA provider unavailable" message. If I specify the port, https://my.cas.server*:8443*/cas/login, I have no trouble returning to CAS after Duo MFA.
>
> If I can't get this to work, I'll have to reach out to all my CAS services and notify my organization to update any links.
>
> --
> Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0641c0d7-eea8-4231-8ba7-d0627032489fn%40apereo.org.
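
An added example (not from the thread or from the CAS project): a small audit for the clean-up described above, sorting the CAS URLs that client apps are configured with by whether their host and port agree with cas.server.name. It assumes, as the thread reports, that only the form matching cas.server.name completes the return from Duo; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(value):
    """Return (scheme, host, explicit_port) for a URL or a bare host[:port]."""
    if "://" not in value:
        value = "https://" + value  # assumption: a bare name means HTTPS
    parts = urlsplit(value)
    # hostname is lower-cased by urlsplit; port is None when not written out
    return parts.scheme.lower(), parts.hostname, parts.port

def audit(server_name, client_urls):
    """Classify each client-configured CAS URL against cas.server.name."""
    scheme, host, port = origin(server_name)
    report = {}
    for url in client_urls:
        c_scheme, c_host, c_port = origin(url)
        if (c_scheme, c_host) != (scheme, host):
            report[url] = "different-host"
        elif c_port == port:
            report[url] = "match"
        elif (c_port or DEFAULT_PORTS.get(c_scheme)) == (port or DEFAULT_PORTS.get(scheme)):
            # Same effective port, written differently (e.g. ":443" vs none).
            # Whether CAS treats these as equal is not stated in the thread,
            # so flag them for manual review instead of calling them a match.
            report[url] = "same-port-implicit"
        else:
            report[url] = "port-mismatch"
    return report

# Constructed sample input: one server name and the URLs found in client configs.
SAMPLE_SERVER_NAME = "my.cas.server:8443"
SAMPLE_CLIENT_URLS = [
    "https://my.cas.server/cas/login",          # relies on the 443 -> 8443 forward
    "https://my.cas.server:8443/cas/login",
    "https://MY.CAS.SERVER:8443/cas/login",
    "https://nodename.example.edu:8443/cas/login",
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_SERVER_NAME, SAMPLE_CLIENT_URLS).items():
        print(f"{verdict:20} {url}")
```

Every URL reported as anything other than `match` is a client configuration or published link to bring in line before relying on a single cas.server.name value.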