
  1. Will authentication include the release of attributes to your application?
    1. If yes, UH Data Governance guidelines apply. For each unique application you must submit a separate request. This means that you cannot register a single URL and host multiple applications under it.
  2. Is your application hosted on a non-UH server?
    1. If yes, your request may be subject to the UH Data Sharing Request process. Please send an inquiry to datagov@hawaii.edu or call 956-7487.

Register Your Application URL

...

  • url (DISABLED)

    Note: Although Apereo's CAS protocol documentation describes the use of the url parameter, the Apereo developers have disabled it in recent versions of CAS to prevent potential abuse. Their explanation of the situation may be found in this thread from the cas-users mailing list. The url parameter defined in the former CAS 2.0 specification is not a valid parameter in CAS 3.0 anymore. CAS Servers MUST ignore given url parameters.


Examples
  • To log out a user and prevent them from automatically logging back into a Web application, the Web application can forward the user to the Logout URL of UH Login. That URL destroys the ticket-granting cookie that enables the single sign-on feature and shows the user a page informing them that they have logged out of UH Login.

    https://$WEBLOGIN-HOST/cas/logout

  • To log out a user and prevent them from automatically logging back into a Web application, the Web application can forward the user to the Logout URL of UH Login. That URL destroys the ticket-granting cookie that enables the single sign-on feature and redirects the user to the URL identified by the service parameter.

    https://$WEBLOGIN-HOST/cas/logout?service=https://myserver/myapp

    Info: The URL provided by the service parameter must be registered to use UH Login.


...

The following issues have been encountered by some of our developers.

Application

...

Not Authorized to Use UH Login

Problem:

Your application cannot successfully authenticate against CAS.

Example error message:

The application you attempted to authenticate to is not authorized to use UH Login.


Solutions:

  • If you have requested attributes, make sure you are using https.
  • Check that the URL matches the URL specified in your original CAS URL registration request.
    • Common errors
      • Adding "www" to, or leaving it out of, the registered URL
      • Using "http" as the protocol rather than "https"
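
A check for the mismatches listed above, as an added example that is not part of this page or of CAS itself: it compares the service URL an application presents (or passes as the logout service parameter) with the URL it registered and names each difference. The matching rule (same scheme and host, service path under the registered path) is an assumption, since the page does not describe how the registry compares URLs.

```python
# Added example (not from the UH Login page or the CAS project): report the common
# registration mismatches behind "not authorized to use UH Login" errors.
from urllib.parse import urlsplit


def service_url_problems(service_url: str, registered_url: str) -> list:
    """Return human-readable mismatches between the two URLs; [] means they agree.

    Assumption (not stated on the page): a service URL matches its registration
    when scheme and host are equal and its path starts with the registered path.
    """
    svc, reg = urlsplit(service_url), urlsplit(registered_url)
    problems = []

    # Registered URLs are https; attribute release in particular requires it.
    if svc.scheme.lower() != "https":
        problems.append(f'protocol is "{svc.scheme}" rather than "https"')

    svc_host, reg_host = (svc.hostname or ""), (reg.hostname or "")
    if svc_host != reg_host:
        # Separate the frequent "www" slip from an entirely different host.
        if svc_host.removeprefix("www.") == reg_host.removeprefix("www."):
            problems.append('"www" prefix differs from the registered URL')
        else:
            problems.append(f'host "{svc_host}" is not the registered host "{reg_host}"')

    if not svc.path.startswith(reg.path):
        problems.append(f'path "{svc.path}" is outside the registered path "{reg.path}"')

    return problems


if __name__ == "__main__":
    registered = "https://myserver/myapp"  # constructed registration, as in the page's example
    for candidate in ("https://myserver/myapp/login",
                      "http://myserver/myapp",
                      "https://www.myserver/myapp"):
        print(candidate, "->", service_url_problems(candidate, registered) or "OK")
```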


...

SSLv3 is being deprecated as a weak encryption protocol. As servers disable it, clients that still attempt to use SSLv3 for their connections will fail.

Example error messages:

...

Java:

...


javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


PHP, Python:

...


error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure


Solutions:

Configure applications to use TLS instead of SSL for encrypted connections. Current versions of SSL/TLS libraries (e.g. OpenSSL, Java) disable SSLv3 by default. However, if you are using an older version, you may need to explicitly disable SSLv3 and use TLS instead.

...

PHP:

PHP developers may need the following (or equivalent):

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);   // negotiate TLS 1.x only, never SSLv3
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');            // restrict the offered ciphers to the TLSv1 list

Reference: PHP curl_setopt documentation

Note: Until we also expand the available ciphers, CURLOPT_SSL_CIPHER_LIST may need to be adjusted as well. Currently only the SSL_RSA_WITH_RC4_128_MD5 and SSL_RSA_WITH_RC4_128_SHA ciphers are enabled.

The PHP reference above suggests "RC4-SHA and TLSv1 are valid cipher lists". If "TLSv1" works for you, that's probably what you want and it should be forward compatible. We have also seen references suggesting that PHP can accept OpenSSL format cipher lists, but this has not been verified.

This page seems to be a decent overview of using TLS with PHP: Insufficient Transport Layer Security (HTTPS, TLS and SSL)

...

2009-08-13 16:30:58,313 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] - <skipping assertion that's not yet valid...>
2009-08-13 16:30:58,316 WARN [org.jasig.cas.client.validation.Saml11TicketValidationFilter] - <org.jasig.cas.client.validation.TicketValidationException: No valid assertions from the SAML response found.>
org.jasig.cas.client.validation.TicketValidationException: No valid assertions from the SAML response found. 

Solutions:

  • Our CAS servers have their time synchronized via the NTP protocol. Client systems that also use NTP are presumably unlikely to encounter this problem.
    • This should be the preferred approach.
  • The Java client has a tolerance init parameter to specify a timing tolerance in ms:

    <init-param>
     <param-name>tolerance</param-name>
     <param-value>60000</param-value>
    </init-param>

  • The DotNetCasClient 3rd party plugin for .NET projects has an attribute to specify ticket timing tolerance in ms:

    ticketTimeTolerance="30000"
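
The "not yet valid" decision behind the log lines above, as an added Python example (not the Jasig client's code and not from this page): it reads a constructed SAML 1.1 response and widens the assertion's validity window by a millisecond tolerance, the role the Java tolerance init parameter and the .NET ticketTimeTolerance attribute play. The sample response, its AssertionID and the 45 second clock skew are constructed; the exact comparison is my reconstruction, not the client's source.

```python
# Added example (not from the UH Login page or the Jasig/Apereo CAS client):
# validate SAML 1.1 assertion Conditions with a clock-skew tolerance.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 keeps the 1.0 namespace

# Constructed SAML 1.1 response (sample data, not a real UH Login reply): the
# assertion becomes valid at 02:31:00Z and expires 30 s later.
SAMPLE_RESPONSE = f"""<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol">
  <Assertion xmlns="{SAML_NS}" AssertionID="_example1" IssueInstant="2009-08-13T02:31:00Z">
    <Conditions NotBefore="2009-08-13T02:31:00Z" NotOnOrAfter="2009-08-13T02:31:30Z"/>
  </Assertion>
</Response>"""


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def valid_assertions(response_xml: str, now: datetime, tolerance_ms: int = 0) -> list:
    """Return the AssertionIDs whose Conditions window contains `now`, with the
    window widened by `tolerance_ms` on both sides (reconstructed behaviour)."""
    tol = timedelta(milliseconds=tolerance_ms)
    accepted = []
    for assertion in ET.fromstring(response_xml).iter(f"{{{SAML_NS}}}Assertion"):
        cond = assertion.find(f"{{{SAML_NS}}}Conditions")
        if cond is None:
            continue
        not_before = _parse_time(cond.get("NotBefore"))
        not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
        if now < not_before - tol:
            continue  # client clock behind the server: "assertion that's not yet valid"
        if now >= not_on_or_after + tol:
            continue  # client clock ahead of the server, or the ticket is simply stale
        accepted.append(assertion.get("AssertionID"))
    return accepted  # empty -> "No valid assertions from the SAML response found"


def valid_at(client_clock_utc: str, tolerance_ms: int = 0) -> list:
    """Evaluate SAMPLE_RESPONSE as a client whose clock reads `client_clock_utc`."""
    return valid_assertions(SAMPLE_RESPONSE, _parse_time(client_clock_utc), tolerance_ms)


if __name__ == "__main__":
    # A client 45 s behind the server: 30 s tolerance still rejects, 60 s accepts.
    for tol in (0, 30000, 60000):
        print(tol, valid_at("2009-08-13T02:30:15Z", tol))
```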

...


Reference: CAS Users mailing list thread on time synchronization

...