Hi Ray,

Thanks for your answer.

For now, I have a single CAS server.

On the old production server I am trying to migrate (don't know exactly which version it is, from around 13 years ago) it's working flawlessly but I don't see anything about specific TGC and TGT configuration.

On the new test server, nothing special had been set so default values were used.

I just gave a try with those two lines but nothing has changed:

cas.ticket.tgt.primary.time-to-kill-in-seconds=7200
cas.ticket.tgt.primary.max-time-to-live-in-seconds=28800

I am still not able to clearly understand what all those parameters mean, but here is what the current ticket policies look like (/cas/actuator/ticketExpirationPolicies):

{
 "org.apereo.cas.ticket.TransientSessionTicket": 
"{\"@class\":\"org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy$TransientSessionTicketExpirationPolicy\",\"numberOfUses\":1,\"timeToLive\":300,\"name\":\"TransientSessionTicketExpirationPolicy-798e92e9-c25f-442e-ab4b-0bff4589eac1\"}",
 "org.apereo.cas.ticket.proxy.ProxyTicket": 
"{\"@class\":\"org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy$ProxyTicketExpirationPolicy\",\"numberOfUses\":1,\"timeToLive\":10,\"name\":\"ProxyTicketExpirationPolicy-62b1ad7b-0820-4982-aa4e-72d727f98879\"}",
 "org.apereo.cas.ticket.proxy.ProxyGrantingTicket": 
"{\"@class\":\"org.apereo.cas.ticket.expiration.TicketGrantingTicketExpirationPolicy\",\"timeToLive\":28800,\"timeToIdle\":7200,\"name\":\"TicketGrantingTicketExpirationPolicy-f76fe582-cbdd-4349-b257-c86db4e5083d\"}",
 "org.apereo.cas.ticket.ServiceTicket": 
"{\"@class\":\"org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy$ServiceTicketExpirationPolicy\",\"numberOfUses\":1,\"timeToLive\":10,\"name\":\"ServiceTicketExpirationPolicy-3cac0624-d94b-4b70-808f-1d314c0e819c\"}",
 "org.apereo.cas.ticket.TicketGrantingTicket": 
"{\"@class\":\"org.apereo.cas.ticket.expiration.TicketGrantingTicketExpirationPolicy\",\"timeToLive\":28800,\"timeToIdle\":7200,\"name\":\"TicketGrantingTicketExpirationPolicy-00e0763f-6397-42c9-bcf5-fa35ea203806\"}",
 "org.apereo.cas.ticket.artifact.SamlArtifactTicket": 
"{\"@class\":\"org.apereo.cas.ticket.query.SamlAttributeQueryTicketExpirationPolicy\",\"timeToLive\":10,\"name\":\"SamlAttributeQueryTicketExpirationPolicy-cbdb5a57-279e-4313-b02d-5f5517f4db34\"}"
}

You pointed out something: TGC. I never had a look at policies about it. I should investigate and find how it is configured.

I have ported the very complex service configuration we always had, which is:

{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "sn", "givenName", 
"displayName", "mail", "eduPersonPrimaryAffiliation", "departmentNumber" ] ]
},
"serviceId" : "^https?://([A-Za-z0-9_-]+\\.)*OUR\\.DOMAIN.*",
"name" : "ALL",
"description" : "Allows HTTP and HTTP(S) protocols on OUR.DOMAIN",
"evaluationOrder" : "1003",
"allowedToProxy" : "False",
"enabled" : "True",
"ssoEnabled" : "True",
"anonymousAccess" : "False",
"ignoreAttributes" : "False",
"id" : "1003"
}

I will now try to debug communication between clients and servers.

I have captured logs but there is so much information that I don't want to flood the post if I was not looking at the right place.

Regards

On 11-May-2022 18:03:12 +0200, r...@uvic.ca wrote:
I assume your log in attempts are within seconds of each other and that you have only a single cas server.

Check your service definition to see if it requires a new authentication. Check what your service is sending to cas, it may be asking for new authentication (use browser developer tools). Check your TGT and TGC expiration policies to be sure they are still valid for subsequent logins. By default ST can only be used once. There are logs saying what ST is being processed.

Ray

On Wed, 2022-05-11 at 17:38 +0200, spfma.t...@e.mail.fr wrote:
Hi,

I am experiencing something strange on a 6.4.5 instance: when I try to access a service (starting from scratch with a closed browser) I get the login form and then I am granted the right to reach it.

In the logfiles, I can clearly see I get TGT after authentication, then a ST for the service.

But if I open a second tab on my browser and try to reach the service again, the login form appears again.

If I don't reauth, my SSO session is like invalid, I am asked to re-auth all the time, even when I try to reach another service.

But with other services, I can start my SSO session, access a first service, a second one and the same problem occurs with the third one. Or with the second one, it depends on the services.

Of course, none of these services is performing a logout, nor do I click on such a link.

I'm not able to explain what's happening, so I hope someone here has a clue.

I see lines like this one: DEBUG [org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy] -

Is there a link?

Regards

-------------------------------------------------------------------------------------------------
FreeMail powered by mail.fr 

  -- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit  
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20220511153848.D49ACC0056%40smtp04.mail.de.
   

--  Ray Bon Programmer Analyst Development Services, University Systems 
2507218831 | CLE 019 | r...@uvic.ca   I acknowledge and respect the lək̓ʷəŋən 
peoples on whose traditional territory the university stands, and the Songhees, 
Esquimalt and WSNEĆ peoples whose historical relationships with the land 
continue to this day.   
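
Added example (not part of any message in this thread, and not CAS project code): the /cas/actuator/ticketExpirationPolicies response quoted above is a JSON object whose values are themselves JSON strings, so it has to be decoded twice before the timers can be read. The sample body is abridged from the post ("name" fields dropped); the expired() helper is a simplified model of what the field names suggest, an assumption rather than the server's exact logic.

```python
import json

# Abridged from the actuator output quoted in the thread ("name" fields dropped).
ACTUATOR_BODY = r'''{
 "org.apereo.cas.ticket.ServiceTicket": "{\"@class\":\"org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy$ServiceTicketExpirationPolicy\",\"numberOfUses\":1,\"timeToLive\":10}",
 "org.apereo.cas.ticket.TicketGrantingTicket": "{\"@class\":\"org.apereo.cas.ticket.expiration.TicketGrantingTicketExpirationPolicy\",\"timeToLive\":28800,\"timeToIdle\":7200}"
}'''


def decode_policies(body):
    """Decode the outer map, then each value (a JSON document stored as a string)."""
    policies = {}
    for ticket_class, encoded in json.loads(body).items():
        policy = json.loads(encoded)
        policies[ticket_class.rsplit(".", 1)[-1]] = {
            "policy": policy["@class"].rsplit(".", 1)[-1],
            "ttl": policy.get("timeToLive"),     # hard lifetime, seconds
            "idle": policy.get("timeToIdle"),    # max gap between uses, seconds
            "uses": policy.get("numberOfUses"),  # None means no use limit
        }
    return policies


def expired(policy, age, idle_for, uses=0):
    """Simplified model (assumption): return the reason a ticket would be
    rejected, or None if it is still valid. age and idle_for are seconds
    since creation and since last use."""
    if policy["uses"] is not None and uses >= policy["uses"]:
        return "use count reached"
    if policy["ttl"] is not None and age > policy["ttl"]:
        return "timeToLive exceeded"
    if policy["idle"] is not None and idle_for > policy["idle"]:
        return "timeToIdle exceeded"
    return None


if __name__ == "__main__":
    for name, p in decode_policies(ACTUATOR_BODY).items():
        print(f"{name}: ttl={p['ttl']}s idle={p['idle']}s uses={p['uses']}")
    tgt = decode_policies(ACTUATOR_BODY)["TicketGrantingTicket"]
    print("TGT one minute after login:", expired(tgt, 60, 60))
```

Under this model a TGT that is one minute old is still valid with the 28800/7200 values shown, while a ST is rejected after one use or ten seconds.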
