Hi Christian,

Which version of CAS do you use ?

It seems to be a version below CAS 5.0.x (org.jasig packages and XML spring
configurations). SPNEGO client selection strategy was working on 4.x
version, but I cannot make it work after having upgrade to CAS 5.1.x....

Regards,

Charles

<http://www.amoae.com/>
12, impasse du Malrigou, 31140 Montberon
cont...@amoae.com | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>


Le jeu. 17 mai 2018 à 15:25, Christian Poirier <chrispt...@gmail.com> a
écrit :

> Hi Nicolas,
>
> In our organization, we need to let the user choose between the default
> login and SPNEGO upon a list of criteria and sometimes we need to go
> directly to the SPNEGO authentication upon other criteria. For this
> feature, I extended the SPNEGO module. I show a button with the label
> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
> expression. When the service matches a regular expression and the IP
> address also matches its regular expression, I force SPNEGO authentication
> without giving the user the chance to authenticate otherwise. If none of
> the previous conditions are present, then the user must authenticate
> normally with his user ID and password.
> If you look the following webflow, you will find this logic inside.
>
> <var name="credentials" class=
> "org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
>
> <on-start>
>
> <evaluate expression="initialFlowSetupAction" />
>
>        <set name="flowScope.displaySPNegoButton" value="false" />
>
> </on-start>
>
>
> <decision-state id="ticketGrantingTicketExistsCheck">
>
>   <if test="flowScope.ticketGrantingTicketId neq null" then=
> "hasServiceCheck" else="gatewayRequestCheck" />
>
> </decision-state>
>
>
> <decision-state id="gatewayRequestCheck">
>
>       <if test="externalContext.requestParameterMap['gateway'] neq ''
> &amp;&amp; externalContext.requestParameterMap['gateway'] neq null
> &amp;&amp; flowScope.service neq null" then=
> "gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>
> </decision-state>
>
>
> <decision-state id="hasServiceCheck">
>
>   <if test="flowScope.service != null" then="renewRequestCheck" else=
> "viewGenericLoginSuccess" />
>
> </decision-state>
>
>
> <decision-state id="renewRequestCheck">
>
> <if test="externalContext.requestParameterMap['renew'] neq '' &amp;&amp;
> externalContext.requestParameterMap['renew'] neq null" then=
> "startAuthenticateCheck" else="generateServiceTicket" />
>
> </decision-state>
>
>
> <!--
>
>    The "warn" action makes the determination of whether to redirect
> directly to the requested
>
>      service or display the "confirmation" page to go back to the server.
>
> -->
>
> <decision-state id="warn">
>
>       <if test="flowScope.warnCookieValue" then="showWarningView" else=
> "redirect" />
>
> </decision-state>
>
>
> <!--
>
> <action-state id="startAuthenticate">
>
>      <action bean="x509Check" />
>
>     <transition on="success" to="sendTicketGrantingTicket" />
>
>       <transition on="warn" to="warn" />
>
>      <transition on="error" to="generateLoginTicket" />
>
> </action-state>
>
> -->
>
> <decision-state id="startAuthenticateCheck">
>
>       <if test="externalContext.requestParameterMap['spnego'] neq ''
> &amp;&amp; externalContext.requestParameterMap['spnego'] neq null
> &amp;&amp; externalContext.requestParameterMap['spnego'] eq 'off'" then=
> "generateLoginTicket" else="spnegoForceCheckAction" />
>
> </decision-state>
>
>
> <decision-state id="spnegoForceCheckAction">
>
>    <if test="externalContext.requestParameterMap['forcespnego'] neq ''
> &amp;&amp; externalContext.requestParameterMap['forcespnego'] neq null
> &amp;&amp; externalContext.requestParameterMap['forcespnego'] eq 'true'"
> then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>
> </decision-state>
>
>
> <action-state id="spnegoAppCheckAction">
>
>        <evaluate expression="spNegoAppCheck" />
>
>        <transition on="yes" to="spnegoIPCheckAction2" />
>
>       <transition on="no" to="spnegoIPCheckAction" />
>
> </action-state>
>
>
> <action-state id="spnegoIPCheckAction">
>
> <evaluate expression="spNegoIPCheck" />
>
> <transition on="yes" to="generateLoginTicket" >
>
>         <set name="flowScope.displaySPNegoButton" value="true" />
>
>
>       </transition>
>
>   <transition on="no" to="generateLoginTicket" />
>
> </action-state>
>
>
> <action-state id="spnegoIPCheckAction2">
>
>        <evaluate expression="spNegoIPCheck" />
>
> <transition on="yes" to="startAuthenticate" />
>
>  <transition on="no" to="generateLoginTicket" />
>
> </action-state>
>
>
> <action-state id="startAuthenticate">
>
>   <evaluate expression="negociateSpnego" />
>
>       <transition on="success" to="spnego" />
>
> </action-state>
>
>
> <action-state id="spnego">
>
>      <evaluate expression="spnego" />
>
>        <transition on="success" to="sendTicketGrantingTicket" />
>
>       <transition on="error" to="generateLoginTicket" />
>
> </action-state>
>
>
> <action-state id="generateLoginTicket">
>
> <evaluate expression=
> "generateLoginTicketAction.generate(flowRequestContext)" />
>
>        <transition on="success" to="viewLoginForm" />
>
> </action-state>
>
>
> Here are my new spnego.properties
> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to the
> SPNEGO by changing the succes transition of initialLoginForm action-state
> to startSpnegoAuthenticate
> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate the
> client based on the client action strategy defined in 
> evaluateClientActionStrategy.
>
> #                                                     It changes the
> success transition of initialLoginForm action-state to evaluateClientRequest
> cas.authn.spnego.spnegoMode=evaluateClient|direct
> # The following property is deprecated
>
> #cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
> # cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
> where CAS checks to see if the request?s remote hostname matches a
> predefine pattern
> # cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
> where CAS checks an LDAP instance for the remote hostname,
> #
>      to locate a pre-defined attribute whose mere existence would allow the
> webflow to resume to SPNEGO
> # cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
> where CAS checks if the service corresponds to a regularExpression
> #                                        defined in
> serviceNamePatternString and the ip corresponds to ipsToCheckPattern
> implemented
> #                                        in baseSpnegoClientAction
> cas.authn.spnego.evaluateClientActionStrategy=
> serviceNameSpnegoClientAction
> cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
>
> cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)
>
>
> It works well for me. If you want it, I could send you the code.
>
> Le jeudi 17 mai 2018 01:47:54 UTC-4, Nicholas Wylie a écrit :
>>
>> Hi CAS Community,
>>
>> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication
>> against our Active Directory.
>>
>> What we have noticed though is that non-domain joined computers see a
>> pop-up prompt for credentials when they visit the CAS login page. From my
>> reading, I believe we can fix this by configuring the LDAP Client Selection
>> Strategy for SPNEGO, but the documentation for which properties need to be
>> configured seems to be a bit scarce.
>>
>> Can someone offer any guidance (or a link to some documentation) as to
>> which properties I need to configure to use the LDAP Client Selection
>> Strategy?
>>
>> Thanks,
>> Nicholas
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/a/apereo.org/d/topic/cas-user/_jUtK7VnhFs/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANjq9ChHNPOLZSeU%3DmHs1MP3cyB1F69imxA7LzrDrc56oSWzTQ%40mail.gmail.com.

Reply via email to