It's doing something with Single Logout. Turn it off / block it, or something:

https://community.canvaslms.com/t5/Integration-Documents/Configuring-CAS-and-Canvas-Authentication/ta-p/387390

Look at the end for "User is randomly logged out of Canvas"

On Fri, 2021-03-05 at 12:41 -0800, Mike Osterman wrote:
Hi Bill,

I was dealing with people getting logged out of Canvas frequently, and ended up 
changing a couple config properties. I had our CSM team set the Canvas-side 
timeout really high, but it didn't work. There's something unusual about the 
way the Canvas application interacts with the CAS protocol. I had checked for 
callbacks from the Instructure servers, but it really does seem to be managing 
the session after the initial SSO flow. By the way, do you use a Discovery URL? 
That's when our session behavior seemed to change, but it may just be 
correlation rather than causation.

I eventually set two properties and got it to behave as expected, but never 
figured out which one did the trick:

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds: 
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#timeout
AND
server.session.timeout: 
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#web-application-session

It sounds like you've found that it was the first one, so I wanted to 
corroborate that for you.

I just ended up setting these properties server-wide in cas.properties, which 
isn't ideal, because you have a single service dictating timeout behavior for 
all services using CAS.

I've also considered switching over to using CAS's SAML2 IdP functionality for 
Canvas, but need to wait for an appropriate time to make that change.

Finally, so as not to hijack the thread and keep the proxy ticket service 
configuration comment from Ray alive, I think this is how the service would be 
configured for it:
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Proxy-Policy.html

I did look for server-side traffic from Canvas as Ray suggested, but didn't 
find any as mentioned above. I just checked for an iFrame, which would be 
client-side traffic, but didn't see anything in the Network tab of developer 
tools.

-Mike



On Fri, Mar 5, 2021 at 12:01 PM Bill Scully <fwscu...@gmail.com> wrote:
Hi Ray,

Another possibility: Canvas is using a proxy ticket.
Does your service definition allow proxying?


I would say, no.  It's pretty straightforward:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://[omitted]/.*",
  "name" : "Canvas",
  "id" : [omitted],
  "evaluationOrder" : [omitted]
}

I looked at what I think covers proxy ticketing 
(https://apereo.github.io/cas/5.2.x/installation/Configuring-Ticket-Expiration-Policy.html#proxy-ticket-policies),
 but didn't see how to configure.

Any example I could try?

Thanks.

Bill

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/de81107e-2895-4ac6-8241-c0337a0ccfb6n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/de81107e-2895-4ac6-8241-c0337a0ccfb6n%40apereo.org?utm_medium=email&utm_source=footer>.
