CAS 7 problems with Banner apps?


Baron Fujimoto
Feb 10, 2026, 12:20:25 PM
to CAS Community
When we attempted to upgrade from CAS 7.0.x to CAS 7.2.x, we ran into a problem with some Banner apps we integrate with. This problem is still present with CAS 7.3.x, but we are now obligated to upgrade to 7.3 to handle the Duo expiring certificate issue.

This is what the Banner side reports when they encounter the problem that prevents their authentication:
=====
Cookie "" has been rejected as third-party.
Request to access cookie or storage on "‹URL›" was blocked because we are blocking all third-party storage access requests and Enhanced Tracking Protection is enabled.
Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session=e30=; path=/; expires-Mon, 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been rejected as third-party.
Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon, 09 Feb 2026 22:28:30 GNT; samesite=none; secure; httponly" has been rejected as third-party.
The loading of "https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi spring cas security check" in a frame is denied by "X-Frame-Options" directive set to "deny".

=====

They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS.

Is this even a CAS thing? From what I gather, it's applicable to the web server? But we were using the same web server (Tomcat 10.1.x for CAS 7.2, and now Tomcat 11.0.x for CAS 7.3), and we don't encounter these issues for other apps.

Or is this something controlled by CAS after all? If so, can we tweak it as requested, preferably just for their service registrations?

Because only these Banner apps suffer from this as far as we know, we were inclined to think that the problem is on the application side. But ultimately because these apps are so important to the institution, we need to find a workaround one way or another.

Any ideas or suggestions would be appreciated.

--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

Noelette Stout
Feb 10, 2026, 12:27:29 PM
to cas-...@apereo.org
I think the configuration option you need is "cas.http-web-request.header.xframe-options". We moved our Banner apps off our local CAS server quite some time ago, but this was the option I had to set to deal with some of the frame issues we were seeing.

Noelette Stout

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1xoLy6jxkayrK8%2B7fyz259OV7W4WUcFYFax2zHZZwgVQ%40mail.gmail.com.


--
Noelette Stout
Enterprise Access Manager
Senior Application Administrator
Idaho State University 
E-mail: stounoel "at" isu "dot" edu  
Desk: 208-282-2554
I am sending this message now because it suits me, but I don’t expect that you will read, respond to, or act on it outside of comfortable hours for your time zone.

Erik Mallory
Feb 10, 2026, 1:14:39 PM
to cas-...@apereo.org

The TGT crypto algorithm configuration has changed. We ran into similar but different issues with our banner environment (currently on 7.2.7 in prod and 7.3 in dev):

# content-encryption algorithm for the ticket-granting cookie (the new default)
cas.tgc.crypto.alg=A256CBC-HS512
# both keys can be found in the CAS logs on startup
cas.tgc.crypto.encryption.key=<can be found in the cas logs on startup>
cas.tgc.crypto.encryption.key-size=512
cas.tgc.crypto.signing.key-size=512
cas.tgc.crypto.signing.key=<can be found in the cas logs on startup>

We also tried cas.http-web-request.header.xframe-options config, it didn't have any effect for us, updating the tgc crypto did.



--
Erik Mallory
------------------------
"A happy man's paradise is his own good nature." - Edward Abbey

Baron Fujimoto
Feb 10, 2026, 2:56:44 PM
to cas-...@apereo.org
Mahalo! We'll look into these.


However, I couldn't find docs for the cas.tgc.crypto properties. The search function at <https://apereo.github.io/cas/7.3.x/configuration/Configuration-Properties.html> can find the properties, but does not provide any links to documentation that elaborates on them in terms of possible values, etc. Do you know where they may be found?


Erik Mallory
Feb 10, 2026, 3:38:04 PM
to cas-...@apereo.org

Baron Fujimoto
Feb 12, 2026, 4:31:47 PM
to cas-...@apereo.org
FWIW, setting X-Frame-Options to "SAMEORIGIN" didn't resolve the issue; it denied loading for that instead, and ALLOW-FROM was interpreted as invalid. From what I can tell, X-Frame-Options is generally deprecated in favor of Content Security Policy these days anyway?

However, we were able to get past the X-Frame-Options browser errors by disabling them completely in the application's service registration with the inclusion of the following:

  "properties" : {
    "@class" : "java.util.HashMap",
    "httpHeaderEnableXFrameOptions" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "false" ] ]
    }
  },


Unfortunately, there's still some unresolved issue with the Banner applications since the upgrade so we are continuing to troubleshoot that. The application itself only unhelpfully reports to the user "Problem in external authentication service." when it is presumably trying to leverage the SSO session.

Baron Fujimoto
Feb 12, 2026, 10:06:04 PM
to cas-...@apereo.org
And it looks like the updated TGC encryption algorithm and incompatible key (length) were the root cause after all. The indicators in the logs that point to this were not obvious, imo.

Thank you nui loa and mahalo very much!
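Erik's cas.tgc.crypto settings above and Baron's closing note both come down to the same thing: the ticket-granting-cookie algorithm moved to A256CBC-HS512, and a key sized for the previous algorithm no longer fits. The script below is an added example written for this thread, not code from the CAS project or from any poster. It checks whether a configured encryption key has the byte length the chosen JWE "enc" algorithm requires (lengths per RFC 7518) and can mint a correctly sized replacement. It assumes, as CAS does, that the key is the base64url encoding of random octets; the 256-bit size used in the demo as the "old" key is assumed to be the pre-change default and is constructed here, not copied from anyone's configuration.

```python
"""Check cas.tgc.crypto key lengths against the configured JWE enc algorithm.

Added example for the thread above; not CAS project code.
Assumption: keys are base64url-encoded random octets (padding optional).
"""
import base64
import secrets

# Required key length in bytes per JWE content-encryption algorithm (RFC 7518).
# The AES-CBC + HMAC variants use a composite key: half MAC key, half AES key.
JWE_ENC_KEY_BYTES = {
    "A128CBC-HS256": 32,
    "A192CBC-HS384": 48,
    "A256CBC-HS512": 64,   # algorithm named in the thread; needs a 512-bit key
    "A128GCM": 16,
    "A192GCM": 24,
    "A256GCM": 32,
}


def required_key_bits(alg: str) -> int:
    """Bits of key material the given enc algorithm demands."""
    try:
        return JWE_ENC_KEY_BYTES[alg] * 8
    except KeyError:
        raise ValueError(f"unknown JWE enc algorithm: {alg}") from None


def decode_key(key_b64url: str) -> bytes:
    """Decode a base64url key, tolerating stripped '=' padding."""
    padded = key_b64url + "=" * (-len(key_b64url) % 4)
    return base64.urlsafe_b64decode(padded)


def generate_key(bits: int) -> str:
    """Mint a fresh random key of the requested size, base64url, no padding."""
    if bits % 8:
        raise ValueError("key size must be a whole number of bytes")
    raw = secrets.token_bytes(bits // 8)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def check_encryption_key(alg: str, key_b64url: str) -> dict:
    """Compare the configured key's length with what `alg` requires."""
    required = required_key_bits(alg)
    actual = len(decode_key(key_b64url)) * 8
    ok = actual == required
    if ok:
        message = "ok"
    else:
        message = (f"{alg} needs a {required}-bit key but the configured key is "
                   f"{actual} bits; regenerate it and set "
                   f"cas.tgc.crypto.encryption.key-size={required}")
    return {"ok": ok, "actual_bits": actual, "required_bits": required,
            "message": message}


if __name__ == "__main__":
    # Constructed demo: a key sized for the older default paired with the new alg.
    old_key = generate_key(256)          # assumed previous default size
    print(check_encryption_key("A256CBC-HS512", old_key)["message"])
    new_key = generate_key(512)
    print(check_encryption_key("A256CBC-HS512", new_key)["message"])
    print("example replacement key:", new_key)
```

Run it with the value of cas.tgc.crypto.encryption.key from your properties to see the same mismatch the CAS startup log only hints at; the same length check applies to the signing key against cas.tgc.crypto.signing.key-size.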