[cas-user] CAS 5 and 6, consent JDBC database name from "ConsentDecision" to "Consent_Decision" issue and fix

2021-03-11 Thread Andy Ng
Hi all,

During migration from CAS 5 to CAS 6, I encountered an issue:

   - My consent table, originally called `ConsentDecision`, is now renamed 
   to `Consent_Decision`
   - Moreover, the field names are also changed, following the same pattern

We have found a solution and want to share here:

   - it is actually a change in *Spring Boot* library behavior; for details see 
     https://stackoverflow.com/questions/29087626/entity-class-name-is-transformed-into-sql-table-name-with-underscores
   - Adding this property should work now:

     spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl

Adding this here in case others encounter the same issue, cheers!

Regards,
Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/184d472b-15a9-48f8-826f-44500156ebb4n%40apereo.org.
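
As an added illustration (not code from the post or from CAS itself), the script below emulates the two naming strategies named above, Spring Boot's default SpringPhysicalNamingStrategy and Hibernate's PhysicalNamingStrategyStandardImpl, and reports which tables and columns of an existing schema the upgraded server would no longer find. The entity and column names are constructed samples; the camel-case rule is Spring Boot's, which also lower-cases, so matching is done case-insensitively.

```python
"""Emulate the two JPA physical naming strategies discussed in the thread and
report which tables/columns of an existing schema an upgraded CAS would no
longer find. Entity and column names below are constructed samples."""


def spring_physical_name(name: str) -> str:
    """Spring Boot default (SpringPhysicalNamingStrategy): insert '_' where a
    lower-case letter is followed by an upper-case letter that is itself
    followed by a lower-case letter, then lower-case everything.
    'ConsentDecision' -> 'consent_decision'."""
    chars = list(name.replace(".", "_"))
    i = 1
    while i < len(chars) - 1:
        before, current, after = chars[i - 1], chars[i], chars[i + 1]
        if before.islower() and current.isupper() and after.islower():
            chars.insert(i, "_")
            i += 1  # step over the underscore just inserted
        i += 1
    return "".join(chars).lower()


def standard_physical_name(name: str) -> str:
    """PhysicalNamingStrategyStandardImpl: the entity/field name is used as-is."""
    return name


def schema_drift(entity_columns, existing_schema, strategy):
    """For each entity, list the physical table and the columns the strategy
    would look for that the existing schema lacks. Matching is case-insensitive
    because many databases fold unquoted identifiers. Empty dict = no drift."""
    lowered = {t.lower(): {c.lower() for c in cols} for t, cols in existing_schema.items()}
    drift = {}
    for entity, cols in entity_columns.items():
        table = strategy(entity)
        wanted = [strategy(c) for c in cols]
        if table.lower() not in lowered:
            drift[entity] = {"table": table, "missing_columns": wanted}
            continue
        missing = [c for c in wanted if c.lower() not in lowered[table.lower()]]
        if missing:
            drift[entity] = {"table": table, "missing_columns": missing}
    return drift


# Constructed sample: a CAS 5-era consent table and the entity that maps to it
# (illustrative names, not copied from the CAS source).
CAS5_SCHEMA = {"ConsentDecision": ["id", "principal", "service", "createdDate", "reason"]}
ENTITY_COLUMNS = {"ConsentDecision": ["id", "principal", "service", "createdDate", "reason"]}


def drift_for(strategy_class: str) -> dict:
    """Run the check for the strategy named by its fully qualified class name."""
    strategies = {
        "org.springframework.boot.orm.jpa.hibernate.SpringPhysicalNamingStrategy": spring_physical_name,
        "org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl": standard_physical_name,
    }
    return schema_drift(ENTITY_COLUMNS, CAS5_SCHEMA, strategies[strategy_class])


if __name__ == "__main__":
    for cls in ("org.springframework.boot.orm.jpa.hibernate.SpringPhysicalNamingStrategy",
                "org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl"):
        print(cls.rsplit(".", 1)[1], "->", drift_for(cls) or "schema matches")
```

When the physical name changes, a schema-generating deployment creates an empty new table and leaves the old consent decisions behind, so every user is silently asked for consent again; running a check like this against the real schema before the switch shows which strategy keeps the existing data reachable.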


[cas-user] Radius OTP - Access Challenge

2021-03-11 Thread Colin Ryan

Folks,

Needing to look into Radius and 2FA support. In my case it is a token 
based authentication where the PIN is entered in the token and a code is 
generated which is the OTP. So there is no second challenge needed.

However, if the provided OTP is stale or out of sync then the Radius 
server will return an Access-Challenge and wants a second OTP to be 
provided to it.

I looked into the mfa-radius stuff, but it seems to, akin to the Google 
Authenticator, always want a challenge. Which isn't what I need.

Any thoughts on making the prompting of a second input conditional on 
the Access-Challenge response from the Radius server?



Thanks


Colin Ryan




Re: [cas-user] InCommon and NIH changes

2021-03-11 Thread Mike Osterman
Score! Looks like another blog that I need to be following. :) That MFA
REFEDS post looks exactly like what was being discussed at yesterday’s
office hours webinar.

Good catch on the REFEDS Assurance profiles. I got the gist of what was
being discussed, but the requirements seemed a little unclear. Makes sense,
as it sounds like the requirement compliance date has been announced, but
the details are still being sorted out.

I’m still thinking we’ll switch our InCommon federation to CAS, largely for
the operational efficiency (we’re a small school) and the reduced
complexity of running a single SAML IdP, and at present, we only have one
vendor that requires InCommon. If others have gone the consolidation route
by using CAS as their InCommon SAML IdP, I’d welcome any feedback on how
that has gone for you on or off list.

Thank you,
Mike

On Thu, Mar 11, 2021 at 7:44 AM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> I'm running my InCommon membership through Shibboleth, so I'm not looking
> for a CAS solution. However, here is what I know:
>
> 1) R&S is documented as you point out. If you are going to provide REFEDS
> R&S to REFEDS R&S SPs, you probably want to go into the InCommon Federation
> Manager and assert that you are a R&S IdP. I would also suggest you review
> your error URL, and see if you can be SIRTFI compliant, as those are
> baseline v2 requirements. Separate from NIH, but while you are in there.
>
> 2) Parts of the NIH are also going to want assurance attributes based on
> the REFEDS Assurance profiles. Once you know which assurance values you can
> assert, they are just attributes that you return to the SP, like any other
> attribute.
>
> 3) MFA will come in the form of REFEDS MFA. I found this from a couple of
> months ago that looks promising given that Misagh wrote it:
> https://fawnoos.com/2020/12/07/cas63x-saml2-mfa-refeds-duo/
>
> On Wed, 2021-03-10 at 15:19 -0800, Mike Osterman wrote:
>
> For those that are using CAS SAML IdP as their InCommon IdP (we are almost
> there but haven't made the switch), there are some upcoming requirements
> (September 21, 2021) for users of electronic Research Administration (eRA):
> https://incommon.org/news/nih-application-to-require-multi-factor-authentication/
>
> The REFEDS Research & Scholarship attributes support seems well-documented:
>
> https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Attribute-Release.html#refeds-research-and-scholarship
>
> The thing that I can't find in the docs is how to express the referenced
> MFA Authentication Context:
> https://refeds.org/profile/mfa
>
> We've implemented Duo, so I'm guessing that flow would be where we would
> trigger this, but again, don't find in the docs how to trigger this or if
> it's even supported by CAS's SAML IdP.
>
> I think I saw a couple names of frequent cas-user participants on the
> office hours webinar today, so I expect others are looking at this as well.
>
> Thanks,
> Mike
>
>
>



Re: [cas-user] CAS-Management App

2021-03-11 Thread Ray Bon
Bartosz,

Are you using the overlay, https://github.com/apereo/cas-management-overlay?

The properties file is etc/cas/config/management.properties.

Start with cas as the auth source. This way you can log in without any other 
configuration.

Then copy the properties for the service registry from cas.properties to the 
above management.properties. No need to change any properties.

Ray

On Wed, 2021-03-10 at 23:05 -0800, Bartosz Nitkiewicz wrote:

Ray,
Thank you for the reply. But what do you mean by my management config? Which 
file is it?

So if I want to authorize access to cas-management through LDAP I should build 
this dependency?
I have placed

dependencies {
    // Other CAS Management dependencies/modules may be listed here...
    implementation "org.apereo.cas:cas-server-support-ldap:${casMgmtServerVersion}"
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${casMgmtServerVersion}"
    implementation "org.apereo.cas:cas-mgmt-config-authz-ldap:${casMgmtServerVersion}"
}

in build.gradle, is it ok?

Wednesday, 10 March 2021 at 23:00:47 UTC+1 Ray Bon wrote:
Bartosz,

I assume you are using a recent version of cas-management.
The log message says that you are trying to set a property but cas-management 
does not know how to set it.

I think the properties are being changed to use the same values as cas (it uses 
the same config libraries).
Properties will have the same name as in cas.
I have this in my management config:

# org.ldaptive.provider.unboundid.UnboundIDProvider is default
# cas.serviceRegistry.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

It has been months since I worked on this but you may not need to set this 
particular field.

Some properties will be mgmt.something... and some will be cas.something...
If you can find the property in the cas docs, 
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html, 
try the cas.something first.

Ray

On Wed, 2021-03-10 at 03:18 -0800, Bartosz Nitkiewicz wrote:

Hi,
After a successful CAS Server installation I have a problem with the CAS-Management APP.

I can't build it with some dependencies placed in build.gradle:

compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casMgmtServerVersion}"
compile "org.apereo.cas:cas-server-support-jpa-service-registry:${casMgmtServerVersion}"
compile "org.apereo.cas:cas-server-support-ldap:${casMgmtServerVersion}"

Here is the output of the tomcat log:
https://dpaste.com/D36YB8PGX

Could you please help me?
Thanks



--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.





Re: [cas-user] InCommon and NIH changes

2021-03-11 Thread 'Richard Frovarp' via CAS Community
I'm running my InCommon membership through Shibboleth, so I'm not looking for a 
CAS solution. However, here is what I know:

1) R&S is documented as you point out. If you are going to provide REFEDS R&S 
to REFEDS R&S SPs, you probably want to go into the InCommon Federation Manager 
and assert that you are a R&S IdP. I would also suggest you review your error 
URL, and see if you can be SIRTFI compliant, as those are baseline v2 
requirements. Separate from NIH, but while you are in there.

2) Parts of the NIH are also going to want assurance attributes based on the 
REFEDS Assurance profiles. Once you know which assurance values you can assert, 
they are just attributes that you return to the SP, like any other attribute.

3) MFA will come in the form of REFEDS MFA. I found this from a couple of 
months ago that looks promising given that Misagh wrote it: 
https://fawnoos.com/2020/12/07/cas63x-saml2-mfa-refeds-duo/

On Wed, 2021-03-10 at 15:19 -0800, Mike Osterman wrote:
For those that are using CAS SAML IdP as their InCommon IdP (we are almost 
there but haven't made the switch), there are some upcoming requirements 
(September 21, 2021) for users of electronic Research Administration (eRA): 
https://incommon.org/news/nih-application-to-require-multi-factor-authentication/

The REFEDS Research & Scholarship attributes support seems well-documented:
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Attribute-Release.html#refeds-research-and-scholarship

The thing that I can't find in the docs is how to express the referenced MFA 
Authentication Context:
https://refeds.org/profile/mfa

We've implemented Duo, so I'm guessing that flow would be where we would 
trigger this, but again, don't find in the docs how to trigger this or if it's 
even supported by CAS's SAML IdP.

I think I saw a couple names of frequent cas-user participants on the office 
hours webinar today, so I expect others are looking at this as well.

Thanks,
Mike





Re: [cas-user] cas standalone configuration security

2021-03-11 Thread Frédéric Lohier
Hello,

In case it helps others, to encrypt/sign the "clientSecret" in an OIDC 
service, you have to use the following command in the CAS Shell:

cipher-text --value secret --encryption-key  --encryption-key-size  --signing-key  --signing-key-size 

Then you can use the produced "encoded value" prefixed by {cas-cipher}.

-Frederic


On Wednesday, November 18, 2020 at 7:21:26 PM UTC+1 Ken Hopkins wrote:

> Thanks Ray.
> The first four lines of the cas log seem to suggest that the configuration 
> is being read properly:
> 2020-11-18 11:51:34,719 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - 
> 2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - 
> 2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - 
> 2020-11-18 11:51:34,725 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - 
>
> However, you may be on to something.  I removed the provider and algorithm 
> from my start-up command:
> java -jar build/libs/cas.war 
> --cas.standalone.configurationSecurity.iterations=1000 
> --cas.standalone.configurationSecurity.psw=siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ
>
> The start of the log now looks like:
>
>
> *2020-11-18 13:11:25,966 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - 2020-11-18 
> 13:11:25,971 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 
> 2020-11-18 13:11:25,973 DEBUG 
> [org.apereo.cas.util.crypto.CipherExecutor] -  iterations>*
>
>
>
>
> CAS Version: 6.2.5
> CAS Branch: 6.2.x
> CAS Commit Id: cde05dab3b560a449036d61290ebcb4cf56eb0a2
> CAS Build Date/Time: 2020-11-03T03:51:10Z
> Spring Boot Version: 2.2.8.RELEASE
> Spring Version: 5.2.6.RELEASE
> Java Home: /usr/lib/jvm/java-11-openjdk-amd64
> Java Vendor: Ubuntu
> Java Version: 11.0.9.1
> JVM Free Memory: 560 MB
>
> JVM Maximum Memory: 9 GB
> JVM Total Memory: 1022 MB
>
> JCE Installed: Yes
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 5.4.0-54-generic
> OS Date/Time: 2020-11-18T13:11:26.595293
>
> OS Temp Directory: /tmp
> 
> Apache Tomcat Version: Apache Tomcat/9.0.39
> 
>
>
> 2020-11-18 13:11:26,621 DEBUG 
> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] 
> - 
> 2020-11-18 13:11:26,621 INFO 
> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] 
> -  the specific path>
> 2020-11-18 13:11:26,633 INFO 
> [org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader] - 
>  [application.yml]]>
>
>
>
>
> *2020-11-18 13:11:26,635 TRACE [org.apereo.cas.util.crypto.CipherExecutor] 
> - 2020-11-18 13:11:26,635 
> DEBUG [org.apereo.cas.util.crypto.CipherExecutor] -  Jasypt...>2020-11-18 13:11:26,647 TRACE 
> [org.apereo.cas.util.crypto.CipherExecutor] -  [bRgoFJzNOBogeWGrty800g==]...>2020-11-18 13:11:26,655 DEBUG 
> [org.apereo.cas.util.crypto.CipherExecutor] -  [bRgoFJzNOBogeWGrty800g==] successfully.>2020-11-18 13:11:26,655 TRACE 
> [org.apereo.cas.util.crypto.CipherExecutor] -  [server.ssl.enabled] successfully>*
> 2020-11-18 13:11:26,672 INFO [org.apereo.cas.web.CasWebApplication] -  following profiles are active: standalone>
> 2020-11-18 13:11:26,870 TRACE 
> [org.apereo.cas.web.CasWebApplicationContext] -  CasWebApplicationContext()>
> 2020-11-18 13:11:29,896 TRACE 
> [org.apereo.cas.web.CasWebApplicationContext] -  [org.apereo.cas.web.view.CasReloadableMessageBundle: 
> basenames=[classpath:custom_messages, classpath:messages]]>
> 2020-11-18 13:11:29,896 TRACE 
> [org.apereo.cas.web.CasWebApplicationContext] -  'applicationEventMulticaster' bean, using 
> [SimpleApplicationEventMulticaster]>
> 2020-11-18 13:11:29,921 ERROR 
> [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
>
> Failed to bind properties under 'cas' to 
> org.apereo.cas.configuration.CasConfigurationProperties
>
> cas.standalone.configurationsecurity.iterations = 1000 (Origin: 
> "cas.standalone.configurationSecurity.iterations" from property source 
> "commandLineArgs")
>
> Listed settings above are no longer recognized by CAS 6.2.5. They may have 
> been renamed, removed, or relocated to a new address in the CAS 
> configuration schema. CAS will ignore such settings and will proceed with 
> its normal initialization sequence. Please consult the CAS documentation to 
> review and adjust each setting to find an alternative or remove the 
> definition. Failure to do so puts the stability of the CAS server 
> deployment in danger and complicates future upgrades.

Re: [cas-user] CAS-Management App

2021-03-11 Thread Bartosz Nitkiewicz
I have fixed mgmt.xxx to cas.mgmt.xxx but now I have another error.
https://dpaste.com/7WYTYWLQL

My config entries in management.properties look like this:


# Enable authorization based on groups
cas.mgmt.ldap.ldapAuthz.groupAttribute=memberOf
cas.mgmt.ldap.ldapAuthz.groupPrefix=
cas.mgmt.ldap.ldapAuthz.groupFilter=
cas.mgmt.ldap.ldapAuthz.groupBaseDn=OU=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxx

# Enable authorization based on attributes and roles
cas.mgmt.ldap.ldapAuthz.rolePrefix=ROLE_
cas.mgmt.ldap.ldapAuthz.roleAttribute=extensionAttribute9

cas.mgmt.ldap.ldapAuthz.searchFilter=sAMAccountName={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=xxx,dc=xxx,dc=xxx,dc=xxx,dc=pl

cas.mgmt.ldap.ldapUrl=ldaps://ldapserver.name
cas.mgmt.ldap.connectionStrategy=
#mgmt.ldap.userFilter=sAMAccountName={user}
cas.mgmt.ldap.bindDn=cn=xxxr,cn=xxx,dc=xxx,dc=xx,dc=xxx,dc=xxx
#cas.mgmt.ldap.bindDn=cn=xxx,cn=xxx,dc=xxx,dc=xxx,dc=xxx,dc=
cas.mgmt.ldap.bindCredential=
cas.mgmt.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.mgmt.ldap.connectTimeout=5000


Wednesday, 10 March 2021 at 23:00:47 UTC+1 Ray Bon wrote:

> Bartosz,
>
> I assume you are using a recent version of cas-management.
> The log message says that you are trying to set a property but 
> cas-management does not know how to set it.
>
> I think the properties are being changed to use the same values as cas (it 
> uses the same config libraries).
> Properties will have the same name as in cas.
> I have this in my management config:
>
> # org.ldaptive.provider.unboundid.UnboundIDProvider is default
> # 
> cas.serviceRegistry.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>
> It has been months since I worked on this but you may not need to set this 
> particular field.
>
> Some properties will be mgmt.something... and some will be cas.something...
> If you can find the property in the cas docs, 
> https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html,
> try the cas.something first.
>
> Ray
>
> On Wed, 2021-03-10 at 03:18 -0800, Bartosz Nitkiewicz wrote:
>
>
>
> Hi, 
> After a successful CAS Server installation I have a problem with the 
> CAS-Management APP.
>
> I can't build it with some dependencies placed in build.gradle:
>
> compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casMgmtServerVersion}"
> compile "org.apereo.cas:cas-server-support-jpa-service-registry:${casMgmtServerVersion}"
> compile "org.apereo.cas:cas-server-support-ldap:${casMgmtServerVersion}"
>
> Here is the output of the tomcat log:
> https://dpaste.com/D36YB8PGX
>
> Could you please help me?
> Thanks
>
>
