Hi Nathan,

I highly expect that #2 is why it's not yet working. Java, by default,
never lets go of a DNS resolution record until the application restarts.
You have to pass an argument at startup of your CAS application to indicate
an expiry TTL.

I did this recently on our CAS server when we did some work with our
Active Directory that provides group membership and needed it to get a
new IP address for the AD LDAP server(s).

-Mike

On Fri, Nov 13, 2020 at 11:18 AM Nathan Lewan <nathanle...@gmail.com> wrote:

> Very interesting, thanks!
>
> So I tried to do a reverse DNS lookup on the entity host based on the
> Shibboleth entityID's hostname, and came up with no record.
>
> They are not being super helpful with me, so I tried to cheat. I just
> added a reverse lookup zone on the DNS server that CAS talks to, and added
> the entry in there as a test. It did not seem to help, but:
>
> 1. I don't know if a cheat like that would actually work (this is just
> temporary, proof of concept, no way would I leave it like that in
> production)
> 2. I have not restarted CAS. I did do a dig -x on the CAS host, and it
> successfully reverse-resolved the IP of the entity server
>
> Thanks very much for the quick response, I have a lead which feels very
> good!
>
>
>
> On Fri, Nov 13, 2020 at 1:30 PM David Curry <david.cu...@newschool.edu>
> wrote:
>
>> We just ran into this recently with an older version of CAS (5.2.9).
>>
>> CAS populates the SubjectLocality by doing a reverse DNS lookup on the IP
>> address of the entity that's calling it (the application the user is trying
>> to log into). If the DNS lookup fails, then it doesn't put anything in
>> there, which makes Shibboleth very unhappy.
>>
>> In our case, the fix was to get the company running the application that
>> was calling CAS to register DNS entries for their IP addresses. All of a
>> sudden everything started working.
>>
>> --Dave
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david.cu...@newschool.edu
>>
>>
>> On Fri, Nov 13, 2020 at 1:12 PM Nathan Lewan <nathanle...@gmail.com>
>> wrote:
>>
>>> Hello!
>>>
>>> I am trying to get CAS 6.1.0 to integrate with an SP that uses Shibboleth.
>>>
>>> I appear to have everything in place, however they are requiring my
>>> responses to have in the *AuthnStatement* a *SubjectLocality* entry.
>>>
>>> It is currently empty in all my responses. Here's what it looks like:
>>>
>>> <saml2:AuthnStatement AuthnInstant="[removed]" SessionIndex="[removed]">
>>>     *<saml2:SubjectLocality/>*
>>>     <saml2:AuthnContext>
>>>         <saml2:AuthnContextClassRef>
>>>             urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>>>         </saml2:AuthnContextClassRef>
>>>     </saml2:AuthnContext>
>>> </saml2:AuthnStatement>
>>>
>>> As you can see, it's blank, and I have no idea how to get it populated!
>>> Any hints would be appreciated. Looking for info on this, you can find
>>> much related to Shibboleth, but I have not found anything on how one could
>>> get CAS to populate this.
>>>
>>> Thanks!
>>>
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjkrJ8hk5geJbz_tbN1NgVSxESjAGUAfqcmOd8vpTHuUYQ%40mail.gmail.com
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjkrJ8hk5geJbz_tbN1NgVSxESjAGUAfqcmOd8vpTHuUYQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>

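As an added illustration of the mechanism Dave describes (example code written for this page, not CAS code and not from any message in the thread): the SubjectLocality element is filled from a reverse lookup of the calling SP's address and left empty when that lookup fails, which is the blank element Nathan sees. The lookup function is injectable, the PTR table and IP addresses are constructed, and the Address and DNSName attributes are the ones SAML 2.0 defines for SubjectLocality; how CAS itself chooses the host to resolve is not shown here.

```python
import socket
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML2_NS)

def build_subject_locality(sp_ip, reverse_lookup=socket.gethostbyaddr):
    """Populate SubjectLocality from a reverse DNS lookup of the SP's address,
    or return the element with no attributes when the lookup fails.
    reverse_lookup is pluggable so the failure path can be exercised offline
    (hypothetical helper mirroring the behaviour described in the thread)."""
    loc = ET.Element(f"{{{SAML2_NS}}}SubjectLocality")
    try:
        hostname, _aliases, _addrs = reverse_lookup(sp_ip)
    except (socket.herror, socket.gaierror, OSError):
        return loc                      # lookup failed: element stays empty
    loc.set("Address", sp_ip)
    loc.set("DNSName", hostname)
    return loc

def subject_locality_is_populated(authn_statement_xml):
    """Check a captured AuthnStatement: True only when SubjectLocality is
    present and carries a DNSName. An SP that requires the element rejects
    the empty form shown in the original post."""
    root = ET.fromstring(authn_statement_xml)
    loc = root.find(f"{{{SAML2_NS}}}SubjectLocality")
    return loc is not None and bool(loc.get("DNSName"))

# Constructed PTR table standing in for the DNS server CAS talks to.
PTR_TABLE = {"192.0.2.10": ("sp.example.edu", [], ["192.0.2.10"])}

def fake_reverse_lookup(ip):
    """Constructed resolver: raises like gethostbyaddr when no PTR exists."""
    if ip not in PTR_TABLE:
        raise socket.herror(1, "Unknown host")
    return PTR_TABLE[ip]

# The empty statement from the original post, with the namespace declared.
EMPTY_STATEMENT = (
    f'<saml2:AuthnStatement xmlns:saml2="{SAML2_NS}" AuthnInstant="x" '
    'SessionIndex="y"><saml2:SubjectLocality/></saml2:AuthnStatement>'
)

if __name__ == "__main__":
    ok = build_subject_locality("192.0.2.10", fake_reverse_lookup)
    missing = build_subject_locality("192.0.2.99", fake_reverse_lookup)
    print(ET.tostring(ok).decode())       # Address and DNSName set
    print(ET.tostring(missing).decode())  # bare <saml2:SubjectLocality/>
    print(subject_locality_is_populated(EMPTY_STATEMENT))  # False
```

When a PTR record is added after the JVM has already cached the failed lookup, as in the thread, the cached answer is served until it expires; the JDK controls this with `networkaddress.cache.ttl` and `networkaddress.cache.negative.ttl` in `java.security`, with the `sun.net.inetaddr.ttl` system property as the startup-flag fallback.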