Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
If they have a public metadata file you can put the URL in the metadata 
configuration element instead of the static file. CAS will download and cache 
the metadata file on some sort of updating schedule (I don't remember the 
specifics), but it will help ensure you have updated metadata.

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
Scratch that. I needed an updated metadata file. Now I can authenticate and get 
forwarded to the sp. Then
I get an error there. I may not be registered in their system. Waiting on a 
response from them.

Thanks!!! This has been very helpful!

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
Hmmm, metadata expired. So I changed the expire date in the metadata. Now I'm 
getting this:

RootCasException(code=UNSATISFIED_SAML_REQUEST)
at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:226)

Progress!!! But still not quite there. Maybe I need to request a new metadata 
file.

from the log:
2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://licensing.minitab.com]. Metadata is valid until [forever]>
2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] -
2021-04-19 15:23:52,558 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] -
2021-04-19 15:23:52,561 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] -
2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] -
2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] -
2021-04-19 15:23:52,570 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] -

...

2021-04-19 15:23:52,614 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - org.apereo.cas.support.saml.SamlException: Signing credentials for validation could not be resolved based on the provided signature

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421
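
The sequence reported in this message (expired metadata, then "Signing credentials for validation could not be resolved" after only the expiry date was changed) can be checked offline by comparing a decoded AuthnRequest against the SP metadata file. This is an added example, not part of the thread and not CAS code; the function names are hypothetical, and the metadata, request and certificate bytes are constructed stand-ins.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def fingerprint(b64_cert):
    """SHA-256 of the DER bytes carried in a ds:X509Certificate element."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def metadata_summary(metadata_xml, now):
    """entityID, expiry state and signing-key fingerprints of one EntityDescriptor."""
    root = ET.fromstring(metadata_xml)  # local admin file; use a hardened parser for untrusted XML
    expired = False
    if root.get("validUntil"):
        until = datetime.fromisoformat(root.get("validUntil").replace("Z", "+00:00"))
        if until.tzinfo is None:  # SAML timestamps are UTC
            until = until.replace(tzinfo=timezone.utc)
        expired = until <= now
    signing = set()
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute serves signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                signing.add(fingerprint(cert.text))
    return {"entity_id": root.get("entityID"), "expired": expired, "signing": signing}


def request_summary(authn_request_xml):
    """Issuer and embedded signing certificate of a decoded AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        # None when no certificate is embedded, e.g. HTTP-Redirect requests,
        # whose signature travels in the query string instead of the XML.
        "signing": fingerprint(cert.text) if cert is not None else None,
    }


def diagnose(metadata_xml, authn_request_xml, now=None):
    """Return finding codes; an empty list means the three checks passed.

    This only checks that the request's certificate is one the metadata
    vouches for. It does not verify the XML signature itself.
    """
    now = now or datetime.now(timezone.utc)
    meta = metadata_summary(metadata_xml, now)
    req = request_summary(authn_request_xml)
    findings = []
    if meta["expired"]:
        findings.append("METADATA_EXPIRED")
    if req["issuer"] != meta["entity_id"]:
        findings.append("ISSUER_NOT_ENTITY_ID")
    if req["signing"] is not None and req["signing"] not in meta["signing"]:
        findings.append("SIGNING_CERT_NOT_IN_METADATA")
    return findings


# --- Constructed sample data (stand-in bytes, not real certificates) ---
OLD_CERT = base64.b64encode(b"constructed old SP signing certificate").decode()
NEW_CERT = base64.b64encode(b"constructed new SP signing certificate").decode()
NOW = datetime(2021, 4, 19, 19, 0, tzinfo=timezone.utc)


def sp_metadata(valid_until, cert_b64):
    """Build a minimal constructed SP EntityDescriptor for the samples below."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://licensing.minitab.com" validUntil="{valid_until}">
 <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


STALE = sp_metadata("2021-01-01T00:00:00Z", OLD_CERT)        # expired, old key
HAND_EDITED = sp_metadata("2031-01-01T00:00:00Z", OLD_CERT)  # date bumped, key still old
FRESH = sp_metadata("2022-01-01T00:00:00Z", NEW_CERT)        # re-issued by the SP

REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_constructed" Version="2.0">
 <saml:Issuer>https://licensing.minitab.com</saml:Issuer>
 <ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>{NEW_CERT}</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for name, md in (("stale", STALE), ("hand-edited", HAND_EDITED), ("fresh", FRESH)):
        print(name, diagnose(md, REQUEST, NOW))
```

In the constructed hand-edited case, moving validUntil forward clears the expiry finding but the signing key in the file is still the old one, so the certificate check keeps failing until fresh metadata is loaded.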

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
Yes, zoom is in production. minitab in my dev environment. Both 5.3.14. pretty 
much the exact same setup.

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Ray Bon
Keith,

The destination URLs are different, cas and casdev.
Is minitab routing to cas or casdev and is your service defined there?

Ray

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
You are probably going to need to take a look in the CAS logs. It seems that it 
should match, but the logs should tell you exactly what it is searching for. It 
will also tell you if there was an error loading the service file when it first 
tried to update it.

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
I take that back. Zoom works and it does a post request.
saml-tracer shows this. Zoom works, minitab doesn't.

minitab request---
https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO"
>
https://licensing.minitab.com

zoom request--
https://regent.zoom.us/saml/SSO"
 Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO"
 ForceAuthn="false"
 ID="a3e6a45e921c2290-5af0f9c82h9cheh"
 IsPassive="false"
 IssueInstant="2021-04-19T17:15:37.720Z"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Version="2.0"
 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 >
regent.zoom.us

here are the service files for each:

zoom service file:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "regent.zoom.us",
  "name" : "regent.zoom.us",
  "id" : 1008,
  "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml",
  "evaluationOrder" : 6,
  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail",
  }
}


minitab service file:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://licensing.minitab.com",
  "name" : "minitab",
  "id" : 1617641399,
  "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml",
  "evaluationOrder" : 2,
  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "emailAddress",
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "ExtensionAttribute1" : "Email",
      "givenname" : "FirstName",
      "sn" : "LastName"
    }
  }
}




Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
Looks like my post URL is:

https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO

I guess the get url has redirect in it??

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421

From: 'Richard Frovarp' via CAS Community 
Sent: Monday, April 19, 2021 12:49 PM
To: cas-user@apereo.org 
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

Since I saw someone create the URL by hand the other day, I'm going to ask the 
simple question: is the request hitting the HTTP-POST binding location? POST 
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).

I've never had to do anything different to handle the two different types of 
SPs on that version.

On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote:
It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET 
requests just fine. But when I have an SP that does a SAML2 POST request my 
idp is not reading the parameters and I get the "Application Not Authorized to 
Use CAS" message instead of the auth page. Difference being parameters in the 
URI vs parameters in the POST body. Anyone have any idea where I might look to 
resolve this issue? Are there certain parameters in the service definition 
that I should be including? Something I'm missing in cas.properties? The audit 
log does not show POST requests as SAML2_POST though SAML trace does show it 
as a SAML request. Any clue here would be helpful. TIA!

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421



Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
Since I saw someone create the URL by hand the other day, I'm going to ask the 
simple question: is the request hitting the HTTP-POST binding location? POST 
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).

I've never had to do anything different to handle the two different types of 
SPs on that version.

On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote:
It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET
requests just fine. But when I have an SP that does a SAML2 POST request my
idp is not reading the parameters and I get the "Application Not Authorized
to Use CAS" message instead of the auth page. Difference being parameters in
the URI vs parameters in the POST body. Anyone have any idea where I might
look to resolve this issue? Are there certain parameters in the service
definition that I should be including? Something I'm missing in
cas.properties? The audit log does not show POST requests as SAML2_POST
though SAML trace does show it as a SAML request. Any clue here would be
helpful. TIA!

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421
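
The check suggested in the reply above (is the request hitting the HTTP-POST binding location?), as an added example that is not part of the thread or of CAS: it decodes a captured SAMLRequest for either binding and compares the binding, the URL hit and the request's Destination. The POST path is the one quoted in the thread; the Redirect path, the host idp.example.org and the sample request are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
# POST path is the one quoted in the thread; the Redirect path is an assumption.
ENDPOINTS = {"HTTP-POST": "/cas/idp/profile/SAML2/POST/SSO",
             "HTTP-Redirect": "/cas/idp/profile/SAML2/Redirect/SSO"}

def encode_request(doc, binding):
    """Encode an AuthnRequest the way each binding carries it (builds samples)."""
    data = doc.encode("utf-8")
    if binding == "HTTP-Redirect":  # raw DEFLATE before base64
        comp = zlib.compressobj(wbits=-15)
        data = comp.compress(data) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(data).decode("ascii")})

def decode_request(method, url, body=""):
    """Return (binding, path hit, AuthnRequest XML) for one captured request."""
    parts = urlsplit(url)
    if method.upper() == "POST":  # HTTP-POST: base64 only, in the form body
        binding, params = "HTTP-POST", parse_qs(body)
        raw = base64.b64decode(params["SAMLRequest"][0])
    else:  # HTTP-Redirect: base64, then inflate, in the query string
        binding, params = "HTTP-Redirect", parse_qs(parts.query)
        raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return binding, parts.path, raw.decode("utf-8")

def check_binding(method, url, body=""):
    """List mismatches between binding, URL hit and the request's Destination."""
    binding, path, doc = decode_request(method, url, body)
    if "<!DOCTYPE" in doc or "<!ENTITY" in doc:
        return ["request carries a DTD; not parsed"]
    root = ET.fromstring(doc)
    problems = []
    if root.tag != SAMLP + "AuthnRequest":
        problems.append("root element is not an AuthnRequest")
    if path != ENDPOINTS[binding]:
        problems.append(f"{binding} request sent to {path}")
    dest = root.get("Destination")
    if dest and urlsplit(dest).path != path:
        problems.append(f"Destination {dest} differs from the URL hit")
    return problems

# Constructed sample: host and request ID are made up
IDP = "https://idp.example.org"
SAMPLE = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          f'ID="_constructed" Version="2.0" Destination="{IDP}{ENDPOINTS["HTTP-POST"]}"/>')
```

An empty list from check_binding means the SP used the endpoint that matches its binding; anything else names the mismatch to raise with the SP.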



[cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET
requests just fine. But when I have an SP that does a SAML2 POST request my
idp is not reading the parameters and I get the "Application Not Authorized
to Use CAS" message instead of the auth page. Difference being parameters in
the URI vs parameters in the POST body. Anyone have any idea where I might
look to resolve this issue? Are there certain parameters in the service
definition that I should be including? Something I'm missing in
cas.properties? The audit log does not show POST requests as SAML2_POST
though SAML trace does show it as a SAML request. Any clue here would be
helpful. TIA!

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421



[cas-user] Re: Cas overlay ver 6.3.x integration with pure RADIUS (not MFA RADIUS)

2021-04-19 Thread artur miś



I have changed cas.properties to:


cas.authn.radius.server.nasPortId=-1
cas.authn.radius.server.nasRealPort=-1
cas.authn.radius.server.protocol=EAP_MSCHAPv2
cas.authn.radius.server.retries=3
cas.authn.radius.server.nasPortType=-1
cas.authn.radius.server.nasPort=-1
cas.authn.radius.server.nasIpAddress=
cas.authn.radius.server.nasIpv6Address=
cas.authn.radius.server.nasIdentifier=-1

cas.authn.radius.client.authenticationPort=1812
cas.authn.radius.client.sharedSecret=string
cas.authn.radius.client.socketTimeout=0
cas.authn.radius.client.inetAddress=IPadresradius
cas.authn.radius.client.accountingPort=1813

cas.authn.radius.name=Radius
cas.authn.radius.failoverOnException=false
cas.authn.radius.failoverOnAuthenticationFailure=false

But still no result. I can't see any issues in:
docker logs -f container.

I can do it like this too, but I think it is the same:
${configurationKey}=cas.authn.radius
and then:
${configurationKey}.server.nasPortId=-1 and then the same.

I have given up.
On Wednesday, 14 April 2021 at 17:51:08 UTC+2 artur miś wrote:

> Dears,
> I have cas.properties like:
>
> #Radius
> cas.authn.radius.name=Radius
> cas.authn.radius.server.protocol=EAP_MSCHAPv2
> cas.authn.radius.server.retries=1
> cas.authn.radius.client.authenticationPort=1812
> cas.authn.radius.client.sharedSecret=somestring
> cas.authn.radius.client.inetAddress=IP
> cas.authn.radius.client.accountingPort=1813
>
>
> build.gradle:
> dependencies {
>     // Add modules in format compatible with overlay casModules property
>     if (project.hasProperty("casModules")) {
>         def dependencies = project.getProperty("casModules").split(",")
>         dependencies.each {
>             def projectsToAdd = rootProject.subprojects.findAll {project ->
>                 project.name == "cas-server-core-${it}" || project.name == "cas-server-support-${it}"
>                 implementation "org.apereo.cas:cas-server-support-radius:${project.'cas.version'}"
>                 // implementation "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"
>             }
>             projectsToAdd.each {implementation it}
>         }
>     }
>
>
> I am able to prepare the container image. The container is operating. But I
> cannot see any hits in network traffic if I try to log in to signed
> services. Of course I can't log in. What is more, after sudo docker -f logs
> I cannot see any problems with the connection to the RADIUS side.
> Dears, any idea?
>
>
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "^(http|https|imaps)://*",
>   "name" : "PRG_PABLO",
>   "id" : 3,
>   "evaluationOrder" : 0,
>   "theme" : "nextor",
>   "authenticationPolicy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
>     "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "Radius" ]]
>   }
> }
>
>
> Is it generally possible to auth via RADIUS in CAS 6.3.x nowadays?
>
> Any debug setting in log4j2.xml?
>
>



Re: [cas-user] User limit of inotify instances reached or too many open files

2021-04-19 Thread Robert
Thanks for the great hint. That helps a lot.
The core question for the CAS devs stays: Where does that leak come from? I 
mean, FileWatcherService and PathWatcherService seem to be straightforward.

jephte.clain wrote on Sunday, 18 April 2021 at 17:06:48 UTC+2:

> hello,
>
> we noticed that CAS doesn't release inotify handles when watching changes 
> on groovy scripts
> as our scripts don't change (CAS is run inside a docker container), we 
> ended up disabling watching changes (thanks to Jerome Leleu for his help on 
> this)
>
> I attach the modified class. I won't be able to help you more than that, 
> sorry
>
> hope this helps. regards,
> Jephté Clain
>
> On Fri, 16 Apr 2021 at 10:02, Robert wrote:
>
>> Hi all,
>>
>> We are running CAS 6.2.8 on Ubuntu 20.04.2 LTS with OpenJDK 11.0.10.
>> After an uptime of about 2 weeks we've hit the following error resulting 
>> that scripted attributes became just empty:
>>
>> "User limit of inotify instances reached or too many open files"
>>
>>
>> Increasing the inotify max_user_instances from 128 to 256 via
>> "echo 256 > /proc/sys/fs/inotify/max_user_instances" solved that problem
>> just temporarily, because this limit was reached again within 1 day.
>>
>> I've tried to find out what was causing this issue and used
>> "lsof -p $(pgrep java) | grep notify" to see a lot (253) of anonymous
>> inodes. I've created a Java heap dump to find 263 instances of a
>> FileDescriptor.
>> Now I'm out of ideas to find the root cause, but I guess that there is
>> some kind of leak.
>>
>> Someone else experienced that issue already?
>>
>
>
> -- 
> Jephté Clain
> Developer, application integrator
> Information Systems Department
> Université de La Réunion
> Internal: 2107 | External: +262 262 93 86 31 | Mobile: +262 692 29 58 24
>
>



[cas-user] RE: Endpoint security behind a proxy

2021-04-19 Thread King, Robert
Just in case anyone else runs into this…

Only tested for our specific use case, running your own Tomcat server version 
9.x instead of using the embedded.

The issue ended up being Tomcat requires a remote IP valve to handle client IPs 
behind a proxy.  Added the following valve to the tomcat server.xml 
configuration:


  
  …



Reference here:

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve


From: cas-user@apereo.org  On Behalf Of King, Robert
Sent: Friday, April 9, 2021 2:26 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] [cas-user] Endpoint security behind a proxy

Is there a way to use x-forwarded-for when attempting actuator/endpoint 
security?

Our current implementation uses IP_ADDRESS, but having moved behind an Apache 
proxy everything gets access to the endpoints since all access seems to come 
from the proxy server IP.

cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=

Is there a way to switch to x-forwarded-for IPs?
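
A simplified model of how Tomcat's Remote IP Valve picks the client address behind a proxy, and why the set of trusted proxies decides whether an IP_ADDRESS check still means anything. This is an added example, not code from the post, from Tomcat or from CAS; the addresses, the two internalProxies patterns and the exact-match allow-list are assumptions.

```python
import re

# Valve being modelled (Tomcat server.xml); proxy address 10.0.0.5 is an assumption:
#   <Valve className="org.apache.catalina.valves.RemoteIpValve"
#          remoteIpHeader="x-forwarded-for" internalProxies="10\.0\.0\.5" />
PROXY_ONLY = r"10\.0\.0\.5"   # trust exactly the Apache proxy
WHOLE_RANGE = r"10\..*"       # weak: trusts the header from every 10.x.x.x peer

def resolve_client_ip(peer, xff, internal_proxies):
    """Simplified model of RemoteIpValve: the address the application sees."""
    trusted = re.compile(internal_proxies)
    # The header is honoured only when the TCP peer is itself a trusted proxy.
    if not xff or not trusted.fullmatch(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left, skipping trusted proxies; the first other hop is the client.
    for hop in reversed(hops):
        if not trusted.fullmatch(hop):
            return hop
    # Every hop was a trusted proxy: the leftmost value is used.
    return hops[0] if hops else peer

def endpoint_allowed(peer, xff, internal_proxies, required_ips):
    """IP_ADDRESS-style check on the resolved address (exact match is an assumption)."""
    return resolve_client_ip(peer, xff, internal_proxies) in required_ips

# Constructed sample addresses
ADMIN, OUTSIDER, PROXY = "10.1.1.1", "203.0.113.9", "10.0.0.5"

if __name__ == "__main__":
    # Through the proxy, the rightmost untrusted hop wins over anything to its left.
    print(resolve_client_ip(PROXY, f"{ADMIN}, {OUTSIDER}", PROXY_ONLY))
    # A peer that is not the proxy has its header ignored under PROXY_ONLY.
    print(endpoint_allowed("10.9.9.9", ADMIN, PROXY_ONLY, {ADMIN}))
    print(endpoint_allowed("10.9.9.9", ADMIN, WHOLE_RANGE, {ADMIN}))
```

With WHOLE_RANGE the allow-list is only as strong as network access to Tomcat itself, so internalProxies should name the proxy's address and nothing wider.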