Hello

I'm trying to deploy a CAS server for delegated Azure AD auth.
I'm working with the Docker image apereo/cas:latest.
I added a cas.properties file as below:
cas.authn.pac4j.oidc[0].azure.display-name=cas
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=SERVER
cas.authn.pac4j.oidc[0].azure.client-name=cas
cas.authn.pac4j.oidc[0].azure.enabled=true
cas.authn.pac4j.oidc[0].azure.id=xxxxxxxxxxxx
cas.authn.pac4j.oidc[0].azure.response-mode=form_post
cas.authn.pac4j.oidc[0].azure.response-type=id_token
cas.authn.pac4j.oidc[0].azure.scope=openid
cas.authn.pac4j.oidc[0].azure.secret=xxxxxxxxxxxx
cas.authn.pac4j.oidc[0].azure.tenant=xxxxxxxxxxxxxx
cas.authn.pac4j.oidc[0].azure.use-nonce=true
cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com/xxxxxxxxxxxxx/v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].azure.logout-url=https://login.microsoftonline.com/common/oauth2/logout
cas.serviceRegistry.json.location=file:/etc/cas/services

test-1.json:
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https?)://.*",
  "name" : "test",
  "id" : 1,
  "evaluationOrder" : 1
}

On the Azure side: https://x.x.x.x/cas/login?client_name=AzureClient (public address, no DNS).

When I try to authenticate on my app portal:
06:10:07 ERROR [o.a.c.s.w.s.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized
        RegisteredServiceAccessStrategyAuditableEnforcer.java:lambda$execute$6:200
        Optional.java:orElseGet:364
        RegisteredServiceAccessStrategyAuditableEnforcer.java:execute:194
>

I switched to debug in log4j but can't find anything more.
Startup log:
05:22:12 INFO [o.a.c.c.CasConfigurationPropertiesValidator] - <Validated CAS property sources and configuration successfully.>
05:22:16 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[]] under profile(s) [[standalone]]>
05:22:16 INFO [o.a.c.c.CasConfigurationPropertiesValidator] - <Validated CAS property sources and configuration successfully.>
05:22:16 INFO [o.a.c.w.CasWebApplication] - <The following 1 profile is active: "standalone">
05:22:29 INFO [o.a.c.c.CasCoreServicesConfiguration] - <Runtime memory is used as the persistence storage for retrieving and persisting service definitions. Changes that are made to service definitions during runtime WILL be LOST when the CAS server is restarted. Ideally for production, you should choose a storage option (JSON, JDBC, MongoDb, etc) to track service definitions.>
05:22:36 WARN [o.s.b.a.s.s.UserDetailsServiceAutoConfiguration] - <

Using generated security password: jkljljlk

This generated password is for development use only. Your security configuration must be updated before running your application in production.
>
05:22:37 INFO [o.s.s.w.a.c.ChannelProcessingFilter] - <Validated configuration attributes>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will secure any request with [org.springframework.security.web.access.channel.ChannelProcessingFilter@69069866, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2f9addd4, org.springframework.web.filter.CorsFilter@1c43df76, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1d7c9811, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@ff2266c, org.springframework.security.web.access.ExceptionTranslationFilter@7757a37f, org.springframework.security.web.access.intercept.AuthorizationFilter@2335aef2]>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/login/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/logout/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/validate/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/serviceValidate/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/p3/serviceValidate/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/proxyValidate/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/p3/proxyValidate/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/proxy/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/webjars/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/js/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/css/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/images/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/static/**']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/error']>
05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/favicon.ico']>
05:22:41 INFO [o.a.c.c.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST when the web server is restarted. This MAY impact SSO functionality.>
05:22:41 INFO [o.a.c.u.CoreTicketUtils] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Generated encryption key [jklhkjjk] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings:

        cas.tgc.crypto.encryption.key=jklhkjjk

>
05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Generated signing key [oQ30Tk3YNd_mYgu7um3kuIUFzPamDVkfSjdDVaEvhW6Wh1YhgqRNgwoYHh5eSJhyc8sTin7naLdaob4UARLseA] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings:

        cas.tgc.crypto.signing.key=oQ30Tk3YNd_mYgu7um3kuIUFzPamDVkfSjdDVaEvhW6Wh1YhgqRNgwoYHh5eSJhyc8sTin7naLdaob4UARLseA

>
05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Secret key for signing is not defined under [cas.webflow.crypto.signing.key]. CAS will attempt to auto-generate the signing key>
05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Generated signing key [gBCy5m2niOKZMNmLE-_yVJFhBRK2mCw1diQZHcr16CRqAs7aMUxyLHo-zYWyFizksC_JVaq7tLjYw0SYlW9s5Q] of size [512]. The generated key MUST be added to CAS settings:

        cas.webflow.crypto.signing.key=gBCy5m2niOKZMNmLE-_yVJFhBRK2mCw1diQZHcr16CRqAs7aMUxyLHo-zYWyFizksC_JVaq7tLjYw0SYlW9s5Q

>
05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Generated encryption key [knHc-h7pqGrVVLbZYNXiuA] of size [16]. The generated key MUST be added to CAS settings:

        cas.webflow.crypto.encryption.key=knHc-h7pqGrVVLbZYNXiuA

>
05:22:45 WARN [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <>
05:22:45 WARN [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <


  ____ _____ ___  ____  _ 
 / ___|_   _/ _ \|  _ \| |
 \___ \ | || | | | |_) | |
  ___) || || |_| |  __/|_|
 |____/ |_| \___/|_|   (_)
                          

CAS is configured to accept a static list of credentials for authentication. While this is generally useful for demo purposes, it is STRONGLY recommended that you DISABLE this authentication method by setting 'cas.authn.accept.enabled=false' and switch to a mode that is more suitable for production.>
05:22:45 WARN [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <>
05:22:45 INFO [o.a.c.w.CasWebApplication] - <Started CasWebApplication in 33.514 seconds (JVM running for 37.949)>
05:22:45 INFO [o.a.c.s.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>
05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <>
05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <


  ____  _____    _    ______   __
 |  _ \| ____|  / \  |  _ \ \ / /
 | |_) |  _|   / _ \ | | | \ V / 
 |  _ <| |___ / ___ \| |_| || |  
 |_| \_\_____/_/   \_\____/ |_|  
                                 
>
05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <>
05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <Ready to process requests @ [2023-07-03T12:22:45.529Z]>
05:23:15 INFO [o.a.c.t.r.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
05:23:40 INFO [o.a.i.a.s.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {result=Service Access Denied, service=https://xxx.com/login.php}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Jul 03 12:23:40 UTC 2023
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: x.x.x.x
=============================================================

>

Any help please?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b81a1965-c438-4272-ae26-5110f4f65b89n%40apereo.org.
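The startup log in the post reports "Configuration files found at [/etc/cas/config] are [[]]" and "Loaded [0] service(s) from [InMemoryServiceRegistry]", while the posted test-1.json authorizes every http or https URL as a CAS client and the audit record shows https://xxx.com/login.php being denied. The triage script below is an added example, not code from the post or from the CAS project: it parses those two log lines to detect that cas.properties and the JSON service registry were not picked up, evaluates the posted serviceId regex against the denied URL and against a few constructed probe URLs to show how broad it is, and places a tighter pattern pinned to the denied host beside it. STARTUP_LOG, SERVICE_JSON and DENIED_URL are copied from the post; PROBE_URLS and TIGHTER_SERVICE_JSON are constructed assumptions, and Python's re module stands in for the Java regex engine CAS uses.

```python
"""Triage helper for a CAS "Service unauthorized" failure.

Added example; not code from CAS or from the post. It runs two checks
against the material in the post:
  1. scan the startup log for signs that cas.properties and the JSON
     service registry were never picked up;
  2. load the posted service definition and test its serviceId regex
     against the denied URL and against constructed probe URLs.
"""
import json
import re

# The two telling lines, copied from the startup log in the post.
STARTUP_LOG = """\
05:22:16 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[]] under profile(s) [[standalone]]>
05:22:45 INFO [o.a.c.s.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>
"""

# The service definition posted as test-1.json.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https?)://.*",
  "name" : "test",
  "id" : 1,
  "evaluationOrder" : 1
}"""

# Assumed tighter definition: same service, pattern pinned to the denied host.
TIGHTER_SERVICE_JSON = json.dumps({
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": r"^https://xxx\.com(/.*)?$",
    "name": "test", "id": 1, "evaluationOrder": 1})

# The service URL the audit record in the post reports as denied.
DENIED_URL = "https://xxx.com/login.php"

# Constructed probe URLs; a serviceId that admits any of these is broader
# than one application needs.
PROBE_URLS = [
    "http://xxx.com/login.php",        # same host over cleartext HTTP
    "https://attacker.example/cb",     # unrelated host
    "https://xxx.com.evil.example/x",  # look-alike host
]

CONFIG_FILES_RE = re.compile(
    r"Configuration files found at \[(?P<dir>[^\]]*)\] are \[\[(?P<files>[^\]]*)\]\]")
LOADED_RE = re.compile(
    r"Loaded \[(?P<count>\d+)\] service\(s\) from \[(?P<registry>[^\]]+)\]")


def check_startup_log(log_text):
    """Parse config-file and registry lines; return (files, registry, count, problems)."""
    config_files, registry, count, problems = [], None, None, []
    for line in log_text.splitlines():
        m = CONFIG_FILES_RE.search(line)
        if m:
            config_files = [f.strip() for f in m.group("files").split(",") if f.strip()]
            if not config_files:
                problems.append("no configuration files found under %s; cas.properties is not in effect"
                                % m.group("dir"))
        m = LOADED_RE.search(line)
        if m:
            registry, count = m.group("registry"), int(m.group("count"))
            if registry == "InMemoryServiceRegistry":
                problems.append("services come from the in-memory fallback, not the JSON registry")
            if count == 0:
                problems.append("zero services registered; every service request is denied")
    return config_files, registry, count, problems


def check_service_pattern(service_json, denied_url, probe_urls):
    """Evaluate the serviceId regex (Python re stands in for the Java regex CAS uses)."""
    pattern = re.compile(json.loads(service_json)["serviceId"])
    return {
        "matches_denied": pattern.match(denied_url) is not None,
        "also_matches": [u for u in probe_urls if pattern.match(u)],
    }


def triage(log_text=STARTUP_LOG, service_json=SERVICE_JSON,
           denied_url=DENIED_URL, probe_urls=PROBE_URLS):
    """Combine both checks into a list of problems a reader can act on."""
    config_files, registry, count, problems = check_startup_log(log_text)
    pat = check_service_pattern(service_json, denied_url, probe_urls)
    if pat["matches_denied"] and count == 0:
        problems.append("the serviceId would authorize the denied URL; the definition was never loaded")
    if pat["also_matches"]:
        problems.append("serviceId is overly broad; it also authorizes: " + ", ".join(pat["also_matches"]))
    return {"config_files": config_files, "registry": registry,
            "service_count": count, "pattern": pat, "problems": problems}


if __name__ == "__main__":
    for problem in triage()["problems"]:
        print("-", problem)
    print("tighter pattern:", check_service_pattern(TIGHTER_SERVICE_JSON, DENIED_URL, PROBE_URLS))
```

Run against the post's own lines, `triage()` reports five problems: no configuration files under /etc/cas/config, the in-memory registry in use, zero services, a serviceId that would have authorized the denied URL had it been loaded, and a pattern that also admits the cleartext, unrelated and look-alike probe URLs. The tighter definition matches only https://xxx.com/login.php and none of the probes, which is the shape a service definition should have once the registry is actually being read.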