https://apereo.github.io/cas/5.2.x/installation/Logout-Single-Signout.html
Usage Warning! Single Logout is turned on by default. Documentation states that it will trigger when the TGT is explicitly expired, which I think means calling the logout end point. On Fri, 2021-03-05 at 21:17 +0000, 'Richard Frovarp' via CAS Community wrote: > It's doing something with Single Logout. Turn it off / block it, or > something: > > https://community.canvaslms.com/t5/Integration-Documents/Configuring-CAS-and-Canvas-Authentication/ta-p/387390 > > Look at the end for "User is randomly logged out of Canvas" > > On Fri, 2021-03-05 at 12:41 -0800, Mike Osterman wrote: > > Hi Bill, > > > > I was dealing with people getting logged out Canvas frequently, and > > ended up changing a couple config properties. I had our CSM team > > set the Canvas-side timeout really high, but it didn't work. > > There's something unusual about the way the Canvas application > > interacts with CAS protocol. I had checked for callbacks from the > > Instructure servers, but it really does seem to be managing the > > session after the initial SSO flow. By the way, do you use a > > Discovery URL? That's when our session behavior seemed to change, > > but it may just be correlation rather than causation. > > > > I eventually set two properties and got it to behave as expected, > > but never figured out which one did the trick: > > > > cas.ticket.tgt.timeout.maxTimeToLiveInSeconds: > > https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#timeout > > AND > > server.session.timeout: > > https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#web-application-session > > > > It sounds like you've found that it was the first one, so I wanted > > to corroborate that for you. > > > > I just ended up setting these properties server-wide in > > cas.properties, which isn't ideal, because you have a single > > service dictating timeout behavior for all services using CAS. > > > > I've also considered switching over to using CAS's SAML2 IdP > > functionality for Canvas, but need to wait for an appropriate time > > to make that change. > > > > Finally, so as not to hijack the thread and keep the proxy ticket > > service configuration comment from Ray alive, I think this is how > > the service would be configured for it: > > https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Proxy-Policy.html > > > > I did look for server-side traffic from Canvas as Ray suggested, > > but didn't find any as mentioned above. I just checked for an > > iFrame, which would be client-side traffic, but didn't see anything > > in the Network tab of developer tools. > > > > -Mike > > > > > > > > On Fri, Mar 5, 2021 at 12:01 PM Bill Scully <fwscu...@gmail.com> > > wrote: > > > Hi Ray, > > > > > > > Another possibility, Canvas is using is a proxy ticket. > > > > Does your service definition allow proxying? > > > > > > > > > > I would say, no. It's pretty straightforward: > > > { > > > "@class" : "org.apereo.cas.services.RegexRegisteredService", > > > "serviceId" : "^https://[omitted]/.*";, > > > "name" : "Canvas", > > > "id" : [omitted], > > > "evaluationOrder" : [omitted] > > > } > > > > > > I looked at what I think covers proxy ticketing ( > > > https://apereo.github.io/cas/5.2.x/installation/Configuring-Ticket-Expiration-Policy.html#proxy-ticket-policies > > > ), but didn't see how to configure. > > > > > > Any example I could try? > > > > > > Thanks. > > > > > > Bill > > > -- > > > - Website: https://apereo.github.io/cas > > > - Gitter Chatroom: https://gitter.im/apereo/cas > > > - List Guidelines: https://goo.gl/1VRrw7 > > > - Contributions: https://goo.gl/mh7qDG > > > --- > > > You received this message because you are subscribed to the > > > Google Groups "CAS Community" group. > > > To unsubscribe from this group and stop receiving emails from it, > > > send an email to cas-user+unsubscr...@apereo.org. > > > To view this discussion on the web visit > > > https://groups.google.com/a/apereo.org/d/msgid/cas-user/de81107e-2895-4ac6-8241-c0337a0ccfb6n%40apereo.org > > > . -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/50e4df06c1aa010f75da95b65d0da9e5e8d73796.camel%40ndsu.edu.
