Hi Ray,
Thanks for your answer.
For now, I have a single CAS server.
On the old production server I am trying to migrate (I don't know exactly which version it is; it's from around 13 years ago), it's working flawlessly, but I don't see anything about specific TGC and TGT configuration.
On the new test server, nothing special had been set, so default values were used.
I just gave those two lines a try, but nothing has changed:
cas.ticket.tgt.primary.time-to-kill-in-seconds=7200
cas.ticket.tgt.primary.max-time-to-live-in-seconds=28800
I am still not able to clearly understand what all those parameters mean, but here is what the current ticket policies look like (/cas/actuator/ticketExpirationPolicies):
{
"org.apereo.cas.ticket.TransientSessionTicket": "{\"@class\":\"org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy$TransientSessionTicketExpirationPolicy\",\"numberOfUses\":1,\"timeToLive\":300,\"name\":\"TransientSessionTicketExpirationPolicy-798e92e9-c25f-442e-ab4b-0bff4589eac1\"}",
"org.apereo.cas.ticket.proxy.ProxyTicket": "{\"@class\":\"org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy$ProxyTicketExpirationPolicy\",\"numberOfUses\":1,\"timeToLive\":10,\"name\":\"ProxyTicketExpirationPolicy-62b1ad7b-0820-4982-aa4e-72d727f98879\"}",
"org.apereo.cas.ticket.proxy.ProxyGrantingTicket": "{\"@class\":\"org.apereo.cas.ticket.expiration.TicketGrantingTicketExpirationPolicy\",\"timeToLive\":28800,\"timeToIdle\":7200,\"name\":\"TicketGrantingTicketExpirationPolicy-f76fe582-cbdd-4349-b257-c86db4e5083d\"}",
"org.apereo.cas.ticket.ServiceTicket": "{\"@class\":\"org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy$ServiceTicketExpirationPolicy\",\"numberOfUses\":1,\"timeToLive\":10,\"name\":\"ServiceTicketExpirationPolicy-3cac0624-d94b-4b70-808f-1d314c0e819c\"}",
"org.apereo.cas.ticket.TicketGrantingTicket": "{\"@class\":\"org.apereo.cas.ticket.expiration.TicketGrantingTicketExpirationPolicy\",\"timeToLive\":28800,\"timeToIdle\":7200,\"name\":\"TicketGrantingTicketExpirationPolicy-00e0763f-6397-42c9-bcf5-fa35ea203806\"}",
"org.apereo.cas.ticket.artifact.SamlArtifactTicket": "{\"@class\":\"org.apereo.cas.ticket.query.SamlAttributeQueryTicketExpirationPolicy\",\"timeToLive\":10,\"name\":\"SamlAttributeQueryTicketExpirationPolicy-cbdb5a57-279e-4313-b02d-5f5517f4db34\"}"
}
You pointed out something: TGC. I never had a look at the policies about it. I should investigate and find out how it is configured.
I have ported the very complex service configuration we always had, which is:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "sn", "givenName", "displayName", "mail", "eduPersonPrimaryAffiliation", "departmentNumber" ] ]
},
"serviceId" : "^https?://([A-Za-z0-9_-]+\\.)*OUR\\.DOMAIN.*",
"name" : "ALL",
"description" : "Allows HTTP and HTTP(S) protocols on OUR.DOMAIN",
"evaluationOrder" : "1003",
"allowedToProxy" : "False",
"enabled" : "True",
"ssoEnabled" : "True",
"anonymousAccess" : "False",
"ignoreAttributes" : "False",
"id" : "1003"
}
I will now try to debug communication between clients and servers.
I have captured logs, but there is so much information that I don't want to flood the post if I was not looking in the right place.
Regards
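As an added example (not part of this thread and not CAS's own code), the following Python models the two clocks behind the TicketGrantingTicketExpirationPolicy values shown in the actuator output above (timeToLive 28800, timeToIdle 7200) and checks the posted serviceId regex against a few constructed URLs. The class and function names, the URLs and the timestamps are assumptions; OUR.DOMAIN is the poster's placeholder, and the case-insensitive compile is my assumption about how CAS treats service patterns.

```python
import re
from dataclasses import dataclass

# Values taken from the ticketExpirationPolicies output in the post above.
# max-time-to-live-in-seconds: hard cap on the SSO session age (timeToLive).
# time-to-kill-in-seconds: longest allowed gap between uses (timeToIdle).
TGT_TIME_TO_LIVE = 28800
TGT_TIME_TO_IDLE = 7200


@dataclass
class TicketGrantingTicket:
    """Constructed stand-in for a TGT: only the two timestamps the policy reads."""
    created_at: float    # epoch seconds
    last_used_at: float  # epoch seconds, refreshed each time a service ticket is granted


def is_tgt_expired(tgt, now, time_to_live=TGT_TIME_TO_LIVE, time_to_idle=TGT_TIME_TO_IDLE):
    """Return (expired, reason). Two independent clocks; whichever runs out first wins.

    Models the rule as I understand it (assumption, not CAS source): the TGT is
    dead once it is older than timeToLive OR unused for longer than timeToIdle.
    """
    if now > tgt.created_at + time_to_live:
        return True, "max lifetime reached"
    if now > tgt.last_used_at + time_to_idle:
        return True, "idle timeout"
    return False, "valid"


# The serviceId regex from the posted RegexRegisteredService, JSON escaping removed.
# re.IGNORECASE is an assumption about how CAS compiles service patterns.
ORIGINAL_PATTERN = re.compile(r"^https?://([A-Za-z0-9_-]+\.)*OUR\.DOMAIN.*", re.IGNORECASE)

# Tighter variant (my suggestion, not from the thread): after the domain only an
# optional port and an optional path may follow, so a longer host name that merely
# starts with OUR.DOMAIN is no longer covered by the service definition.
TIGHTER_PATTERN = re.compile(
    r"^https?://([A-Za-z0-9_-]+\.)*OUR\.DOMAIN(:\d+)?(/.*)?$", re.IGNORECASE
)


def service_matches(pattern, url):
    """True if a service registered with `pattern` would cover `url`."""
    return pattern.match(url) is not None


def compare_patterns(urls):
    """Map each URL to (matches original, matches tighter) for side-by-side review."""
    return {u: (service_matches(ORIGINAL_PATTERN, u), service_matches(TIGHTER_PATTERN, u))
            for u in urls}


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed creation time
    tgt = TicketGrantingTicket(created_at=t0, last_used_at=t0 + 20_000)
    # 25000 s in: valid; 27201 s in: idle > 7200; 28801 s in: age > 28800
    for offset in (25_000, 27_201, 28_801):
        print(offset, is_tgt_expired(tgt, t0 + offset))

    # Constructed URLs: the third one is the case the trailing .* lets through.
    for url, result in compare_patterns([
        "https://app.OUR.DOMAIN/login",
        "https://app.OUR.DOMAIN:8443/login",
        "https://OUR.DOMAIN.example.net/",
        "https://other.example/?next=https://OUR.DOMAIN",
    ]).items():
        print(url, result)
```

The first part is what to compare against the old server: a user who keeps working is logged out after 28800 s regardless of activity, and a user who stops for more than 7200 s is logged out on the next redirect; if the old server behaves differently, those two numbers are the ones to change. The second part is worth running on any registered-service pattern before going live: the `^` anchor already keeps `OUR.DOMAIN` in a query string from matching, but the trailing `.*` makes the pattern cover any host whose name starts with `OUR.DOMAIN`, which the tighter variant closes.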