[cas-user] CAS 5.0 SAML response sign method

2017-06-19 Thread Chris
Dear all,

I am trying to set up CAS 5.0.4 with SAML SSO support with a vendor.  However, 
the SP does not support SHA256 in the SAML response.  Is it possible to change 
the SAML response signing method to 
http://www.w3.org/2000/09/xmldsig#rsa-sha1 by configuration?


Thanks.


Chris

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20dd72cb-8753-419b-b584-c227d6e0bf3a%40apereo.org.


Re: [cas-user] CAS 3.5.3 not releasing AD attributes to version 3 WordPress CAS plugin

2017-06-19 Thread dkopylenko
The confusion here is "version of what" is being talked about. The version 3 
there refers to "CAS protocol" version, which has been only available since 
"CAS server" version 4. You have CAS server version 3, which is a) "end of 
life" and b) does not have CAS protocol version 3 implemented.

HTH,
D.

On Jun 19, 2017, 15:22 -0400, Brian Gibson wrote:
> Hi All,
>
> Be gentle with me I'm not a CAS guru :-)
>
> We are running CAS 3.5.3 and our web team is trying to configure a WordPress 
> plugin for CAS version 3 to authenticate users and receive AD attributes. If 
> they switch the CAS plugin to CAS version 2 the user authenticates fine. When 
> they test using the version 2 CAS plugin by going to this URL
>
> /cas/serviceValidate
>
> they do receive the XML response they are expecting.
> If they go to this URL
> /cas/p3/serviceValidate
> they just get redirected back to the CAS login screen or, if they are already 
> logged in, they end up on the "Log In Successful" screen.
>
> According to this URL
>
> https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html
>
> under the section labeled "2.5.6 URL examples of /serviceValidate"
>
> it says, with CAS version 3, they should get some XML with attribute data.
> What is odd is I've set up the TestApp1 and TestApp2 applications on the CAS 
> server and they do return AD attributes (along with a 3rd party app, CAS 
> releases attributes to it as well.)
>
> The service entry I have for this test service is set to release attributes 
> so that shouldn't be the issue.
> Any suggestions on how to troubleshoot with this cas plugin?
> Thx!
>
>

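The difference between the protocol versions discussed in this thread shows up in the body a validate endpoint returns. This is an added example, not code from the thread or from the CAS project: it classifies a response body as a CAS 2.0 success, a CAS 3.0 success carrying `cas:attributes`, a CAS failure, or something that is not a CAS response at all (such as a login page). The sample bodies and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

# Constructed sample bodies (not taken from the thread).
V2_BODY = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

P3_BODY = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.org</cas:mail>
      <cas:memberOf>CN=Staff,DC=example,DC=org</cas:memberOf>
      <cas:memberOf>CN=Web,DC=example,DC=org</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_BODY = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

LOGIN_PAGE_BODY = '<html><body><form id="fm1" method="post"></form></body></html>'


def classify_validation_response(body):
    """Return (kind, user, attributes) for a body fetched from a validate URL."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("not-cas-response", None, {})
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        # Well-formed markup that is not a CAS envelope, e.g. a login page.
        return ("not-cas-response", None, {})
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        return ("failure:" + failure.get("code", ""), None, {})
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        return ("not-cas-response", None, {})
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    block = success.find("cas:attributes", NS)
    attrs = {}
    for el in (block if block is not None else []):
        # Attributes may repeat (multi-valued), so collect each name as a list.
        attrs.setdefault(el.tag.split("}", 1)[-1], []).append((el.text or "").strip())
    kind = "success-with-attributes" if block is not None else "success-no-attributes"
    return (kind, user, attrs)
```

A `not-cas-response` result for a `/p3/serviceValidate` request means the server never handled it as a validation call, which is a different condition from a service entry that releases no attributes.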


[cas-user] CAS 3.5.3 not releasing AD attributes to version 3 WordPress CAS plugin

2017-06-19 Thread Brian Gibson
Hi All,

Be gentle with me I'm not a CAS guru :-)

We are running CAS 3.5.3 and our web team is trying to configure a
WordPress plugin for CAS version 3 to authenticate users and receive AD
attributes. If they switch the CAS plugin to CAS version 2 the user
authenticates fine. When they test using the version 2 CAS plugin by going
to this URL

/cas/serviceValidate

they do receive the XML response they are expecting.

If they go to this URL

/cas/p3/serviceValidate

they just get redirected back to the CAS login screen or, if they are
already logged in, they end up on the "Log In Successful" screen.

According to this URL

https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html

under the section labeled "2.5.6 URL examples of /serviceValidate"

it says, with CAS version 3, they should get some XML with attribute data.

What is odd is I've set up the TestApp1 and TestApp2 applications on
the CAS server and they do return AD attributes (along with a 3rd
party app, CAS releases attributes to it as well.)

The service entry I have for this test service is set to release
attributes so that shouldn't be the issue.

Any suggestions on how to troubleshoot with this cas plugin?

Thx!



Re: [cas-user] Re: Clarification LPPE and AD on CAS 5

2017-06-19 Thread Andrew Tillinghast
Sort of, the warnAll is not working but with the setting above if I lock or
disable the account I get back that status.

On Mon, Jun 19, 2017 at 9:26 AM, Rafa wrote:

> Hi,
>
> Did you manage to set up the password policy?
>



-- 
Andrew Tillinghast
Sr. Web Developer
atill...@conncoll.edu
270 Mohegan Avenue
New London, CT 06320-4196
Ph:860 439-5265 Fax: 860 439-2871


[cas-user] NullPointerException When Trying to Decode Password via StandardPasswordEncoder

2017-06-19 Thread Derek Jackson
READY screen comes up just fine, but when I enter the username and password 
I get an error I cannot figure out (error below).
We use the StandardPasswordEncoder, with no additional secret added.

I am using the Maven Overlay, with the Database Authentication installed in 
the pom file.

Any help would be greatly appreciated.

cas.properties:

cas.server.name: https://localhost:8443
cas.server.prefix: https://localhost:8443/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml

cas.authn.accept.users=

cas.authn.jdbc.query[0].sql=SELECT username, password FROM user WHERE username=?
cas.authn.jdbc.query[0].healthQuery=
cas.authn.jdbc.query[0].isolateInternalQueries=false
cas.authn.jdbc.query[0].url=jdbc:mysql://localhost:3306/*db*?serverTimezone=UTC
cas.authn.jdbc.query[0].failFast=true
cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].leakThreshold=10
cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
cas.authn.jdbc.query[0].batchSize=1
cas.authn.jdbc.query[0].user=sa
cas.authn.jdbc.query[0].ddlAuto=create-drop
cas.authn.jdbc.query[0].maxAgeDays=180
cas.authn.jdbc.query[0].password=
cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Driver
cas.authn.jdbc.query[0].idleTimeout=5000
cas.authn.jdbc.query[0].credentialCriteria=
cas.authn.jdbc.query[0].name=
cas.authn.jdbc.query[0].order=0
cas.authn.jdbc.query[0].dataSourceName=
cas.authn.jdbc.query[0].dataSourceProxy=false

cas.authn.jdbc.query[0].passwordEncoder.type=STANDARD
#cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=
#cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=
cas.authn.jdbc.query[0].passwordEncoder.secret=
#cas.authn.jdbc.query[0].passwordEncoder.strength=16

Exception:


2017-06-19 10:35:21,925 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] - 
2017-06-19 10:35:21,925 DEBUG [org.apereo.cas.web.support.WebUtils] - 
2017-06-19 10:35:21,925 DEBUG [org.apereo.cas.web.support.WebUtils] - 
2017-06-19 10:35:21,946 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - 
2017-06-19 10:35:21,949 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - 
2017-06-19 10:35:21,950 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - 
2017-06-19 10:35:21,952 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - 
2017-06-19 10:35:21,961 WARN [com.zaxxer.hikari.HikariConfig] - 
2017-06-19 10:35:21,961 WARN [com.zaxxer.hikari.HikariConfig] - 
2017-06-19 10:35:22,261 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2017-06-19 10:35:22,285 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - 
java.lang.NullPointerException: null
at org.springframework.security.crypto.codec.Hex.decode(Hex.java:48) ~[spring-security-core-4.2.2.RELEASE.jar!/:4.2.2.RELEASE]
at org.springframework.security.crypto.password.StandardPasswordEncoder.decode(StandardPasswordEncoder.java:96) ~[spring-security-core-4.2.2.RELEASE.jar!/:4.2.2.RELEASE]
at org.springframework.security.crypto.password.StandardPasswordEncoder.matches(StandardPasswordEncoder.java:71) ~[spring-security-core-4.2.2.RELEASE.jar!/:4.2.2.RELEASE]
at org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.matches(AbstractUsernamePasswordAuthenticationHandler.java:134) ~[cas-server-core-authentication-5.1.0.jar!/:5.1.0]
at org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler.authenticateUsernamePasswordInternal(QueryDatabaseAuthenticationHandler.java:75) ~[cas-server-support-jdbc-authentication-5.1.0.jar!/:5.1.0]
at org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:76) ~[cas-server-core-authentication-5.1.0.jar!/:5.1.0]
at org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:40) ~[cas-server-core-authentication-5.1.0.jar!/:5.1.0]
at org.apereo.cas.authentication.AbstractAuthenticationManager.authenticateAndResolvePrincipal(AbstractAuthenticationManager.java:174) ~[cas-server-core-authentication-5.1.0.jar!/:5.1.0]
at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.lambda$null$3(PolicyBasedAuthenticationManager.java:129) ~[cas-server-core-authentication-5.1.0.jar!/:5.1.0]
at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90) ~[?:1.8.0_131]
at 
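The trace above ends in `Hex.decode`, called from `StandardPasswordEncoder.matches` on the value read from the password column. As an added example (not code from the thread, CAS or Spring Security), this Python sketch checks stored values against the layout Spring Security documents for `StandardPasswordEncoder`: hex of an 8-byte salt followed by a SHA-256 digest iterated 1024 times over salt, secret and password. The function names are hypothetical, and treating a null stored value as one input that fails in `Hex.decode` is an assumption about that method, not a diagnosis given in the thread.

```python
import hashlib
import hmac
import os
import re

SALT_LEN, DIGEST_LEN, ITERATIONS = 8, 32, 1024
HEX_LAYOUT = re.compile(r"[0-9a-fA-F]{%d}" % (2 * (SALT_LEN + DIGEST_LEN)))


def encode(raw_password, secret="", salt=None):
    """Build a value in the documented layout: hex(salt || iterated SHA-256)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    value = salt + secret.encode("utf-8") + raw_password.encode("utf-8")
    for _ in range(ITERATIONS):
        value = hashlib.sha256(value).digest()
    return (salt + value).hex()


def check_stored_value(stored):
    """Classify a password-column value before it is handed to matches()."""
    if stored is None:
        return "null"          # assumption: a null argument raises NPE in Hex.decode
    if len(stored) != 2 * (SALT_LEN + DIGEST_LEN):
        return "wrong-length"  # e.g. an MD5 or bcrypt value from another scheme
    if not HEX_LAYOUT.fullmatch(stored):
        return "not-hex"
    return "ok"


def matches(raw_password, stored, secret=""):
    """Fail closed on malformed rows instead of raising, then compare in constant time."""
    if check_stored_value(stored) != "ok":
        return False
    salt = bytes.fromhex(stored)[:SALT_LEN]
    return hmac.compare_digest(encode(raw_password, secret, salt), stored.lower())


def audit(rows):
    """Map each username to the status of its stored value."""
    return {user: check_stored_value(stored) for user, stored in rows}


# Constructed sample rows (username, stored password value).
SAMPLE_ROWS = [
    ("alice", encode("correct horse", salt=bytes(SALT_LEN))),
    ("bob", None),
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("dave", "z" * 80),
]
```

Running `audit()` over the rows the configured SQL query returns shows whether the handler is being given a null or a value from a different encoder.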

[cas-user] CAS Management 5.1.0 - error No attributes are retrieved for this user

2017-06-19 Thread Julien Whizz


Hi everyone,


I have this error when I log on to my /cas-management:

   - Login LDAP : *OK*
   - Access to Management : *FAILED* (error with my ldap attribute).

2017-06-19 15:01:57,497 ERROR 
[org.apereo.cas.mgmt.services.web.AbstractManagementController] - 

org.pac4j.core.exception.TechnicalException: java.lang.IllegalStateException: 
No attributes are retrieved for this user.

I think it's a failed configuration, but I don't know...
Can someone help me?


*My management.properties* (my LDAP information)

cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.authn.attributeRepository.ldap.ldapUrl=Ldap://domaine.prive.fr
cas.authn.attributeRepository.ldap.baseDn=dc=domaine,dc=prive,dc=fr
cas.authn.attributeRepository.ldap.minPoolSize=3
cas.authn.attributeRepository.ldap.maxPoolSize=10
cas.authn.attributeRepository.ldap.validateOnCheckout=false
cas.authn.attributeRepository.ldap.validatePeriodically=true

cas.mgmt.ldap.ldapAuthz.searchFilter=sAMAccountName={user}
cas.mgmt.ldap.ldapAuthz.baseDn=dc=domaine,dc=prive,dc=fr
cas.mgmt.ldap.ldapUrl=Ldap://domaine.prive.fr
cas.mgmt.ldap.baseDn=dc=domaine,dc=prive,dc=fr
cas.mgmt.ldap.userFilter=sAMAccountName={user}
cas.mgmt.ldap.bindDn=CN=BIND Ldap,OU=Technique,OU=ADMINISTRATIFS,DC=domaine,DC=prive,DC=fr
cas.mgmt.ldap.bindCredential=password
cas.mgmt.ldap.useSsl=false
 

*My managementConfigContext.xml* (default after ./build package)


<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:p="http://www.springframework.org/schema/p"
   xmlns:c="http://www.springframework.org/schema/c"
   xmlns:util="http://www.springframework.org/schema/util"
   xmlns="http://www.springframework.org/schema/beans"
   xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans.xsd
   http://www.springframework.org/schema/util 
http://www.springframework.org/schema/util/spring-util.xsd">

 

*Full debug log is here* :
https://pastebin.com/4w9qRTWV




*Config* :
CAS apereo 5.1.0 with "cas-server-support-ldap"
CAS-management apereo 5.1.0 with "cas-server-support-ldap"
on Centos 7 and tomcat 8


Thx for your help



[cas-user] Re: Clarification LPPE and AD on CAS 5

2017-06-19 Thread Rafa
Hi,

Did you manage to set up the password policy?



[cas-user] CAS 5.1 Single Log Out Help

2017-06-19 Thread Divyesh Prajapati
Hi All,

I need help with logging out from all my applications.

I have implemented SSO in two Spring web applications and tested its 
single log in functionality, and it is working fine. But Single Log Out is 
not working properly. Here is the problem statement:

   - Authentication
      - Open the browser and enter the URL for application A.
      - It will redirect you to the CAS login page for authentication.
      - Authentication happens, a TGT is generated, ST-1 is generated 
        and you are redirected to application A successfully.
      - Open application B by entering its URL in a new tab.
      - It is authenticated since its URL matches the URL 
        pattern given in the service registry.
      - ST-2 is created for application B under the same TGT.

   - Logout
      - Now I have the CAS server on another machine, and applications A and B 
        each in their own tab.
      - When I log out from application A, application A gets logged out.
      - But application B is still logged in. I can access all pages. Only 
        after logging out from application B does it get logged out.

What do I need to configure to make this work properly? Please help me sort out 
the issue.

Thanks and Regards,
Divyesh Prajapati
