[cas-user] Using Principal-Id variable in configuration?

2020-03-12 Thread Mike Osterman
Given that our users sometimes interpret "username" to be their email
address, we added this ldap filter to our user matching:
cas.authn.ldap[0].searchFilter=(|(uid={user})(mail={user}))

That way, if they enter either "username" or "usern...@whitman.edu" they'll
be found correctly.

We've just discovered that we missed doing this in a separate ldap database
lookup for an MFA attribute, and this got me thinking: Is there a similar
configuration variable for the Principal-Id  attribute that gets returned
like the above "{user}"? Maybe "{principalId}"? I searched through the
documentation the best I could, but "user" is pretty generic, and it seemed
the brackets were (rightly) being ignored.

If such a thing were to exist, we could collapse down to something like
this:
cas.authn.attributeRepository.ldap[0].searchFilter=(sAMAccountName={principalId})

-Mike

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHWScMJFNPMMwrx2YuETFNFz_k-mUe7H67DYtYSbkz%2BQow%40mail.gmail.com.
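Added example for the post above (not code from the thread or from CAS): it shows what a {user} placeholder in a search filter has to do before the typed value lands in the filter, and it shows the two-step shape Mike is after, where the attribute-repository lookup is keyed on the principal id resolved by the first search rather than on the raw login string. The in-memory directory, the filter evaluator (a small RFC 4515 subset) and the {principalId} placeholder name are my own constructions; CAS binds {user} through ldaptive, which escapes the value, so the unsafe variant here is only a contrast, not a claim about CAS.

```python
"""Constructed demo: safe placeholder substitution in LDAP filters and a
two-step principal resolution (auth search, then attribute lookup)."""
import re

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is placed in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, **params: str) -> str:
    """Replace {name} placeholders with escaped values, as a parameterised
    filter binding does."""
    return re.sub(r"\{(\w+)\}", lambda m: escape_filter_value(params[m.group(1)]), template)


# Constructed sample directory (hypothetical entries), keyed by DN.
DIRECTORY = {
    "uid=mosterman,ou=People,dc=example,dc=edu": {
        "uid": ["mosterman"], "mail": ["mosterman@example.edu"],
        "sAMAccountName": ["mosterman"], "mfaEnabled": ["TRUE"]},
    "uid=jdoe,ou=People,dc=example,dc=edu": {
        "uid": ["jdoe"], "mail": ["jdoe@example.edu"],
        "sAMAccountName": ["jdoe"], "mfaEnabled": ["FALSE"]},
}

_ITEM = re.compile(r"\((\w+)=([^()]*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match_item(entry: dict, attr: str, raw_value: str) -> bool:
    if raw_value == "*":  # presence filter, e.g. (objectClass=*)
        return attr in entry
    # Escaped values never contain a bare '*', so exact (case-insensitive,
    # like uid/mail matching rules) comparison is enough here.
    wanted = _unescape(raw_value).lower()
    return any(v.lower() == wanted for v in entry.get(attr, []))


def evaluate(flt: str, entry: dict) -> bool:
    """Evaluate a single item or a flat OR/AND of items against one entry."""
    flt = flt.strip()
    if flt.startswith("(|") or flt.startswith("(&"):
        results = [_match_item(entry, a, v) for a, v in _ITEM.findall(flt[2:-1])]
        return any(results) if flt[1] == "|" else all(results)
    m = _ITEM.fullmatch(flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    return _match_item(entry, *m.groups())


def resolve_principal(login: str):
    """Step 1 (authentication source): uid OR mail, return the canonical id."""
    flt = render_filter("(|(uid={user})(mail={user}))", user=login)
    hits = [e for e in DIRECTORY.values() if evaluate(flt, e)]
    if len(hits) != 1:
        return None  # unknown or ambiguous: refuse rather than guess
    return hits[0]["uid"][0]


def lookup_attributes(login: str):
    """Step 2 (attribute repository): key on the resolved principal id, not on
    whatever the user typed. {principalId} is a hypothetical placeholder."""
    pid = resolve_principal(login)
    if pid is None:
        return None
    flt = render_filter("(sAMAccountName={principalId})", principalId=pid)
    hits = [e for e in DIRECTORY.values() if evaluate(flt, e)]
    return hits[0] if hits else None


def search_unsafe(login: str):
    """Naive string substitution, for contrast only: returns matching uids."""
    flt = "(|(uid={user})(mail={user}))".replace("{user}", login)
    return sorted(e["uid"][0] for e in DIRECTORY.values() if evaluate(flt, e))
```

With escaping, a login of `*)(uid=jdoe` resolves to nothing; with plain string substitution the same input becomes `(|(uid=*)(uid=jdoe)(mail=*)(uid=jdoe))` and matches every entry, which is the reason the placeholder has to be bound rather than concatenated.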


Re: [cas-user] [Cas 6.0 6.1] Trusted devices and gauth account are forgotten on cas reboot

2020-03-12 Thread Michele Melluso
I found it out.

CAS was generating encryption keys at every boot, asking me to set them in 
cas.conf.
At the next reboot the key was different, so CAS was unable to decrypt the 
previously stored information.

Thanks a lot
Michele 


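Added example for the resolution above (not code from the thread or from CAS): it reproduces the failure mode, a record persisted under a key generated at one start and checked under a different key generated at the next start, and what a stable configured key changes. CAS signs and encrypts trusted-device and GAuth records with keys from its configuration; this stand-in uses only HMAC-SHA256 signing, which fails in the same way. The property names in the docstring are the CAS 6.x ones as I recall them, not taken from this thread; confirm them against the configuration docs for your exact version.

```python
"""Constructed demo: per-boot generated crypto keys vs a configured key.

Assumed CAS 6.x property names (verify for your version):
  cas.authn.mfa.trusted.crypto.signing.key / cas.authn.mfa.trusted.crypto.encryption.key
  cas.authn.mfa.gauth.crypto.signing.key   / cas.authn.mfa.gauth.crypto.encryption.key
Left blank, CAS generates a fresh key at startup and warns you to persist it,
which is exactly the situation modelled by boot(configured_key=None)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


class RecordStore:
    """Models CAS persisting an MFA record as signed bytes in a table/file."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.rows = {}  # what ends up in the JPA table or JSON file

    def put(self, record_id: str, record: dict) -> None:
        payload = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        self.rows[record_id] = base64.b64encode(payload + tag).decode()

    def get(self, record_id: str) -> Optional[dict]:
        """None when the row is missing or fails to verify: a key change is
        indistinguishable from the record never having existed."""
        blob = self.rows.get(record_id)
        if blob is None:
            return None
        raw = base64.b64decode(blob)
        payload, tag = raw[:-32], raw[-32:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(payload)


def boot(persisted_rows: dict, configured_key: Optional[str] = None) -> RecordStore:
    """Simulate a CAS start: key from configuration if set, otherwise a random
    one that is lost at the next restart. The database survives either way."""
    key = configured_key.encode() if configured_key else secrets.token_bytes(32)
    store = RecordStore(key)
    store.rows = persisted_rows
    return store


def simulate(configured_key: Optional[str]) -> bool:
    """Store a trusted-device record, restart against the same rows, and
    report whether the record is still honoured afterwards."""
    rows = {}
    first = boot(rows, configured_key)
    first.put("dev-1", {"principal": "michele", "device": "laptop"})
    second = boot(rows, configured_key)
    return second.get("dev-1") is not None
```

The row is still present in the database after the restart in both runs; only the run with a configured key can read it back, which matches what Michele observed (data visible in MariaDB, MFA and GAuth registration asked for again).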


Re: [cas-user] [CAS 6.1.X] LDAP Required Configuration Properties.

2020-03-12 Thread Matthew Uribe
Is jvdaggett a member of ou=Staff,dc=,dc=,dc=on,dc=ca ? I 
assume so, but it seems worth double checking.

One difference between your dnFormat and my own, is I've just got:

cas.authn.ldap[0].searchFilter: sAMAccountName={user}
cas.authn.ldap[0].baseDn: dc=aims,dc=edu
cas.authn.ldap[0].dnFormat: %s...@aims.edu


You seem to be specifying  "ou=Staff,dc=,dc=,dc=on,dc=ca" 
as your baseDn, and then again in your dnFormat. I'm not sure if that will 
have it looking for ou=Staff,dc=,dc=,dc=on,dc=ca within 
ou=Staff,dc=,dc=,dc=on,dc=ca

Since I'm not an LDAP expert, my startup process was more just trying 
different variations in the settings and seeing what works and what 
doesn't. You've certainly found one that doesn't work, as the log seems to 
indicate: It looked for jvdaggett + a password and couldn't find a match.

(I'm also still on CAS 5, which might be another variable between our 
settings.)

Matt



Re: [cas-user] [CAS 6.1.X] LDAP Required Configuration Properties.

2020-03-12 Thread James Daggett

>
> Thanks for the info. I have added those lines to my log4j.xml
>

This is what I'm seeing in the cas.log file for my login attempt.

2020-03-12 13:40:58,552 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] -
2020-03-12 13:40:58,552 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] -
2020-03-12 13:40:58,553 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] -
2020-03-12 13:40:58,553 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] -
2020-03-12 13:40:58,553 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] -
2020-03-12 13:40:58,553 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] -
2020-03-12 13:40:58,564 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
2020-03-12 13:40:58,566 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2020-03-12 13:40:58,577 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
2020-03-12 13:40:58,577 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
2020-03-12 13:40:58,577 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
2020-03-12 13:40:58,578 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
2020-03-12 13:40:58,579 DEBUG [org.apereo.cas.authentication.AuthenticationHandlerResolver] -
2020-03-12 13:40:58,579 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] -
2020-03-12 13:40:58,579 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2020-03-12 13:40:58,579 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2020-03-12 13:40:58,580 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2020-03-12 13:40:58,582 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2020-03-12 13:40:58,583 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] -
2020-03-12 13:40:58,583 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <0 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 0 errors, 0 successes
    at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:350) ~[cas-server-core-authentication-api-6.1.3.jar:6.1.3]
    at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:328) ~[cas-server-core-authentication-api-6.1.3.jar:6.1.3]
    at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:136) ~[cas-server-core-authentication-api-6.1.3.jar:6.1.3]
    at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke() ~[cas-server-core-authentication-api-6.1.3.jar:6.1.3]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:769) ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747) ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:135) ~[inspektr-audit-1.8.6.GA.jar:1.8.6.GA]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644) ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633) ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70)
 

Re: [cas-user] [Cas 6.0 6.1] Trusted devices and gauth account are forgotten on cas reboot

2020-03-12 Thread Michele Melluso
Hi,
thank you for the reply.

I'm storing sessions on MariaDB 
https://apereo.github.io/cas/6.1.x/ticketing/JPA-Ticket-Registry.html

So far it seemed to be working fine, since if I reboot CAS, SSO sessions are 
maintained and no new login is required.
I also checked the TICKETGRANTINGTICKET table, and the TGTs are still there.

Meanwhile I keep debugging :)
Thank you again for your time
Michele




Re: [cas-user] [CAS 6.1.X] LDAP Required Configuration Properties.

2020-03-12 Thread Ray Bon
James,

You may need to set ldaptive logs to trace:

trace

This one should get you some cas startup details:




Ray



--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] [Cas 6.0 6.1] Trusted devices and gauth account are forgotten on cas reboot

2020-03-12 Thread Ray Bon
Michele,

Rebooting may remove cas sessions (Ticket Granting Ticket).
How are you storing login sessions, 
(https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticketing-Components.html)?

Ray




[cas-user] [CAS 6.1.X] LDAP Required Configuration Properties.

2020-03-12 Thread James Daggett
Hello,

This is my first time setting up a CAS environment and I have been trying 
to find as much info as I can to set up LDAP authentication.

I am using the CAS 6.1 gradle overlay.

I have my cas.properties set up with the following configuration settings.

cas.authn.ldap[0].name=Staff Active Directory
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://...on.ca
cas.authn.ldap[0].validatePeriod: 270
cas.authn.ldap[0].poolPassivator: NONE
cas.authn.ldap[0].searchFilter: sAMAccountName={user}
cas.authn.ldap[0].baseDn=ou=Staff,dc=,dc=,dc=on,dc=ca
cas.authn.ldap[0].dnFormat=cn=%s,ou=Staff,dc=,dc=,dc=on,dc=ca

I redeploy CAS and when I try to log in I'm getting a 'Your account is not 
recognized and cannot login at this time.' error on the page. And when 
looking through the cas.log I am not seeing anything indicating LDAP is 
running or a check through LDAP for my attempt.

I have included in my log4j.xml file the string from the official 
documentation for ldaptive debug logs. 

And my build.gradle file includes the compile 
"org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}" reference 
under dependencies.

I do not think my LDAP is actually running and I don't know where to look 
from here.

Any help would be greatly appreciated.

Thanks,

James



Re: [cas-user] What's your production version?

2020-03-12 Thread 'Robert Bond' via CAS Community
We are on 6.1.5,

6.1.X has been very stable for us, once we got the config up to date from
our 6.0.4 build.

At times the release schedule can be a little uncertain, in that we can be
uncertain of what version we want to move to.
I do not think "keeping up" with the release schedule is too difficult. For
us, continually testing with the RC releases as they come out has allowed us
to move quickly to new versions.
I understand your situation, and there is most definitely a time investment
to keep up with it. In the same way, I am sure it is incredibly difficult
for the project to maintain many versions.
Potentially an LTS-style release could solve this, or maybe just some
suggestions from the project for versions.
I think the hardest part is adjusting the config due to dependencies that
have been updated. As a community we could start sharing those adjustments
for some of the common services, such as LDAP (AD), etc...

Thanks,
Robert Bond.



-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University



[cas-user] Re: What's your production version?

2020-03-12 Thread mbar...@scad.edu
We're at 6.0 for now, but just switched to the full open source version 
last year.  We were using a vendor-provided version of CAS that was stuck 
at 3-something for a long, long time before that.

It does look like a rather speedy upgrade schedule.  We just started 
testing 6.1, but might need to jump to 6.2 instead.  I am a little nervous 
about the upgrades.

-Mike





Re: [cas-user] What's your production version?

2020-03-12 Thread David Curry
We're running 5.2.9.

The release schedule moves way too quickly for us to keep up with, and so
far, the features that have been added, while a couple of them are
interesting, are not significant enough to justify the effort to move.

The one thing that concerns us is that 5.2.x is no longer supported, even
for security patches. IMHO the CAS maintenance plan is not terribly
realistic in giving only 12 months' support to a release. I understand why,
but that doesn't make it better.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu





[cas-user] What's your production version?

2020-03-12 Thread Jack
Hello,

Over the time, we have burnt our fingers with different versions. We're
still running 5.1.

What's the stable version or your production version now?

Thanks!



[cas-user] [Cas 6.0 6.1] Trusted devices and gauth account are forgotten on cas reboot

2020-03-12 Thread Michele Melluso
Hi all, 
I'm having a problem with mfa persistence both in cas 6.0 and 6.1. 
I configured jpa persistence (and also tried json persistence) for trusted 
devices and gauth accounts. I can see that the informations are stored 
correctly on my dbms (also on json files). 

The problem is when i reboot CAS, the informations are ignored and mfa is 
triggered again. Even worst Cas will ask again a user to register gauth. 
Any idea about this ?

thanks
Michele



Re: [cas-user] regex for logoutUrl

2020-03-12 Thread 'Adrian Gonzalez' via CAS Community
Hi Ray,

> I assume you have seen 
> https://apereo.github.io/cas/6.1.x/installation/Logout-Single-Signout.html#redirecting-logout-to-service

Yes, that's exactly what I'm using (but at first I didn't understand it completely 
- I know OIDC but I'm a newbie in CAS).

> Is myapp.com different from mysite.com or is that a typo?

I meant: myapp (available at https://app1.mysite.com) will send the user to the portal 
logout page.

Hence the app1 application will redirect the user to 

https://cas.mysite.com/cas/oidc/logout?id_token_hint=xxx&post_logout_redirect_uri=https%3A%2F%2Fportal.mysite.com%2Fauth%2Flogout

This means that:
1. app1 needs to clean up its local session (in browser sessionStorage) 
   (since we have multiple apps we will have app1, app2, etc...)
2. app1 redirects to CAS for logout
3. CAS cleans up the CAS session
4. CAS redirects the end-user to the portal app (i.e. 
   https://portal.mysite.com/auth/logout?local=true)
5. Portal will clean up its local session
6. Portal will redirect the user to a logout success page (i.e. 
   https://portal.mysite.com/auth/logout-success)

And so after reading your answer, I now have a working solution - without 
requiring any regex in the logoutUrls (thanks !!!)

Solution A: (CAS 6.1.5)

In this solution, appX doesn't send any post_logout_redirect_uri parameter 
(requires CAS 6.1.5, which fixes an issue in OIDC logout). When CAS receives an OIDC 
logout request without post_logout_redirect_uri, it will redirect the user to 
the first element in logoutUrl.

This matches your:
> 3. app1.myapp.com goes to cas/logout with no post_logout_redirect_url, 
> cas/logout calls app1.myapp.com with a logout request which gets forwarded 
> to myapp.com/auth/logout

And we have this corresponding configuration (the important part is the logoutUrl 
value, which needs to match the Portal serviceId):

```
# one section for each appX
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "appX",
  "clientSecret": "secret",
  "name": "App X",
  "serviceId": "^https://appX.mysite.com",
  "logoutUrl": "https://portal.mysite.com/auth/logout?local=true",
  "jwtAccessToken": true,
  "bypassApprovalPrompt": true,
  "signIdToken": true,
  "id": 10
}

# single declaration for portal page
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "portal",
  "clientSecret": "secret",
  "name": "Portal",
  "serviceId": "^https://portal.mysite.com/.*",
  "logoutUrl": "https://portal.mysite.com/logout-success",
  "jwtAccessToken": true,
  "bypassApprovalPrompt": true,
  "signIdToken": true,
  "id": 1
}
```

Solution B: Same configuration but doesn't require CAS 6.1.5?
The client app needs to send, in the initial OIDC logout request, the 
post_logout_redirect_uri parameter set to 
https://portal.mysite.com/auth/logout?local=true

Thanks for your help once more Ray !
Cheers, Adrian
On Thursday, March 12, 2020 at 01:02:23 UTC+1, Ray Bon wrote:

Adrian,

I have not used OIDC in cas so there may be some bits that I am unaware of.
I assume you have seen 
https://apereo.github.io/cas/6.1.x/installation/Logout-Single-Signout.html#redirecting-logout-to-service

Is myapp.com different from mysite.com or is that a typo?

If I understand correctly, you want cas to send a logout request to the generic 
logout page (myapp.com/auth/logout)?

Here are some possible scenarios that may meet your requirement(s):
1. add myapp.com/auth/logout as a service in the registry
2. app1.myapp.com goes to myapp.com/auth/logout which cleans app1 session and 
   redirects to cas/logout with no post_logout_redirect_url
3. app1.myapp.com goes to cas/logout with no post_logout_redirect_url, 
   cas/logout calls app1.myapp.com with a logout request which gets forwarded 
   to myapp.com/auth/logout

With CAS protocol single logout, when one application hits cas/logout, cas 
sends logouts to all applications in that TGC's session. For those logouts, the 
login URL is used unless a logoutUrl is set in the service, which is used 
instead.
If this is the case with OIDC, you can not control which other endpoints will 
be targeted.

Is the post_logout_redirect_url for performing logout or is it for user 
experience (e.g., some generic landing page) (not clear in the link above)?

Note: needFrontSlo most likely refers to front or back channel logout, not the 
type of application.

Ray

On Wed, 2020-03-11 at 18:51 +, 'Adrian Gonzalez' via CAS Community wrote:
Hi Ray,
Sorry for not having replied earlier, I'm a bit ashamed :( (I was working on
other topics, but still my fault, I was asking the question in the first place)
The use case for having this regex is that I'm using the same client for
multiple applications.
Hence:
- I'm using the same clientId for multiple front end apps (i.e. app1.mysite.com, app2.mysite.com, etc...).
- so atm, I have a serviceId like
    "serviceId": "http://.+\.mysite.com/.*"
- I'd have liked to use a similar logoutUrl
    "logoutUrl": "http://.+\.mysite.com/.*"

And I'm using OIDC implicit flow and the OIDC front end logout 

[cas-user] Re: Forgot username in CAS

2020-03-12 Thread arti wavale
You have successfully configured CAS to make use of password management, so
can you share your cas.properties file?



On Friday, June 8, 2018 at 12:04:07 PM UTC+5:30, newbee wrote:
>
> Hello cas-users,
>
> First of all thanks to everyone supporting this project.
>
> I am using CAS 5.2.5. I have successfully configured CAS to make use of 
> password management. 
>
> I would like similar functionality for forgotten username. Is this kind of 
> functionality available in CAS 5.2 version? Could it be implemented easily?
>
> Any help will be much appreciated.
>
> Thanks,
>



Re: [cas-user] cas single logout not working

2020-03-12 Thread dg
Hey, thanks for the quick response. When I added this in log4j2.xml, I see that
logout requests work. Thanks.

On Monday, 9 March 2020 at 19:20:02 UTC+3, rbon wrote:
>
> Try these log statements to see if CAS is sending your logout requests:
>
> 
> 
> 
>  level="debug">
> 
>  onMismatch="NEUTRAL" />
>  onMismatch="DENY" />
> 
> 
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="debug" />
>
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
>
>  name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
>
> Check your application's access logs to see if the logout request was 
> received.
>
> If you are using self signed certificates, you may need to add them to 
> your application hosts.
>
> Ray
>
> On Mon, 2020-03-09 at 07:22 -0700, dg wrote:
>
> Hello,
>
> I am using Apereo CAS (with https) and the single sign-on feature works
> successfully with two CAS clients (with http).
>
> When I hit /cas/logout in the browser, the CAS server displays the logout page
> successfully but there are no requests to the clients and I can still access
> resources after logout. I configured back channel for logout.
>
> Here is one of my CAS client configurations.
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "http://localhost:8094/.*",
>   "name" : "CAS Spring Secured App",
>   "description" : "This is a Spring App that uses the CAS Server for it's authentication",
>   "id" : 19991,
>   "evaluationOrder" : 1,
>   "logoutType" : "BACK_CHANNEL",
>   "logoutUrl" : "http://localhost:8094/logout/custom"
> }
>
>
> my cas.properties file
>
> cas.slo.disabled=false
> cas.slo.asynchronous=true
>
> Do I need to add any configuration to enable single logout? Because it does not
> work this way. I couldn't find where the problem is.
>
>
> Thanks.
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>
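The thread above turns on whether the logout message CAS sends to a registered service ever reaches the client and gets acted on. The following is an added example, not code from the thread or from the CAS project: a minimal client-side handler for the SAML-style LogoutRequest that CAS sends, covering both delivery channels Ray's note distinguishes (back channel as raw XML in the logoutRequest parameter, front channel as base64 of deflated XML), assuming the application keeps a map from service ticket to local session id. The sample message and the ticket/session names are constructed.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the XML CAS sends in the "logoutRequest" parameter. The
# SessionIndex is the service ticket that originally created the application session.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-constructed" Version="2.0" IssueInstant="2020-03-09T16:20:02Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

def encode_front_channel(xml_text: str) -> str:
    """Front-channel SLO carries the request as base64 of a deflated XML document."""
    return base64.b64encode(zlib.compress(xml_text.encode("utf-8"))).decode("ascii")

def decode_front_channel(param: str) -> str:
    """Undo encode_front_channel; accept a raw-deflate stream as well as a zlib one."""
    raw = base64.b64decode(param)
    try:
        return zlib.decompress(raw).decode("utf-8")
    except zlib.error:
        return zlib.decompress(raw, -15).decode("utf-8")

def parse_logout_request(xml_text: str) -> str:
    """Return the SessionIndex named in a samlp:LogoutRequest, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError(f"expected samlp:LogoutRequest, got {root.tag}")
    index = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        raise ValueError("LogoutRequest carries no SessionIndex")
    return index.text.strip()

def handle_single_logout(sessions, logout_request: str, front_channel: bool = False):
    """Drop the local session bound to the ticket CAS names; None if nothing matches.

    `sessions` maps service ticket -> local session id (assumed client bookkeeping).
    An unknown ticket is a no-op, so a stale or replayed message cannot touch others.
    """
    xml_text = decode_front_channel(logout_request) if front_channel else logout_request
    ticket = parse_logout_request(xml_text)
    return sessions.pop(ticket, None)
```

A client that receives the message but never removes the session keyed by that ticket will show exactly the symptom described above: the logout page renders, yet the application still serves the old session.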



Re: [cas-user] Service Information Lost during PAC4J Authentication

2020-03-12 Thread Jérôme LELEU
Hi,

Which version of the CAS server do you use? Do you have a cluster of CAS
servers?
Thanks.
Best regards,
Jérôme


On Thu. 12 Mar 2020 at 04:26, Jack wrote:

> After the PAC4J authentication by provider, Service information is lost
> occasionally and user does not go back to service URL, rather lands at
> /login.
>
> During the regular login process, service is always available as a URL
> parameter.
>
> In case of the PAC4J authentication flow, where authentication controller
> goes to third party provider (for example SAML IdP), how's the service
> information retained?
>
> Is this stored in instance runtime memory? Can we set this as a Cookie or
> so that we don't lose the Service information?
>
> Thanks much!
>
