Re: [cas-user] ideas for persistence login session

2022-07-27 Thread 'Richard Frovarp' via CAS Community
I would change the application and not do it via CAS: change the application 
session timeout to what they want. Otherwise it will do an SSO session 
again, which will interrupt anything the end user is trying to do with the 
browser open for the past two days. So anything done via CAS won't give a good 
user experience.

From: cas-user@apereo.org  on behalf of Ray Bon 

Sent: Wednesday, July 27, 2022 4:34:56 PM
To: cas-user@apereo.org 
Subject: Re: [cas-user] ideas for persistence login session

Pablo,

The long running pages could be added as a service with longer TGT life, 
https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service

Ray

On Wed, 2022-07-27 at 12:16 -0700, Pablo Vidaurri wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is requesting 
to enable certain parts of their site (protected) to include a longer ST (for 
weeks) while maintaining a 2hr session for other secured parts like 
"Account/Profile".

I understand the application needs to change, but is there anything on the CAS 
side that I can do to help in this effort?

Would JWT help? When a user successfully logs in, issue a JWT good for 4 weeks 
with the user's credentials. Now let's assume the TGT/ST are no longer valid and the 
user is trying to access a part of the site where logging in is not required for 
days (protected area). The JWT would then be used to auto-login the user. 
Achievable or pure abuse?

Also considered increasing the TGT TTL to weeks and creating separate 
services to define an 
AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 
2hrs/8hrs, etc., but this means certain parts of the site need to be under 
specific URL patterns.

Any suggestions?

-psv

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a5c8a9514a354884dd7a78daba1dba5272b9620f.camel%40uvic.ca.



Re: [cas-user] ideas for persistence login session

2022-07-27 Thread Ray Bon
Pablo,

The long running pages could be added as a service with longer TGT life, 
https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service

Ray

On Wed, 2022-07-27 at 12:16 -0700, Pablo Vidaurri wrote:

Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is requesting 
to enable certain parts of their site (protected) to include a longer ST (for 
weeks) while maintaining a 2hr session for other secured parts like 
"Account/Profile".

I understand the application needs to change, but is there anything on the CAS 
side that I can do to help in this effort?

Would JWT help? When a user successfully logs in, issue a JWT good for 4 weeks 
with the user's credentials. Now let's assume the TGT/ST are no longer valid and the 
user is trying to access a part of the site where logging in is not required for 
days (protected area). The JWT would then be used to auto-login the user. 
Achievable or pure abuse?

Also considered increasing the TGT TTL to weeks and creating separate 
services to define an 
AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 
2hrs/8hrs, etc., but this means certain parts of the site need to be under 
specific URL patterns.

Any suggestions?

-psv



Re: [cas-user] ideas for persistence login session

2022-07-27 Thread Carl Waldbieser
The ST generally should have a lifetime measured in seconds.  Since it is
single use, it doesn't really make sense to issue one, have a client hold
on to it for an hour, and finally use it.  The lifetime should generally
reflect the anticipated network time for the client to receive the ST and
validate it.

For the TGT, you can set that however long makes sense for your SSO
sessions.  2 hours works for my organization.  You may need a longer time
measured in days or weeks, I guess, but it seems like users should be using
something like a password manager if they can't log in at least once a
day?  It really depends on the policies in your organization.

Thanks,
Carl Waldbieser


On Wed, Jul 27, 2022 at 3:16 PM Pablo Vidaurri  wrote:

> Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is
> requesting to enable certain parts of their site (protected) to include a
> longer ST (for weeks) while maintaining a 2hr session for other secured
> parts like "Account/Profile".
>
> I understand the application needs to change, but is there anything on the
> CAS side that I can do to help in this effort?
>
> Would JWT help? When a user successfully logs in, issue a JWT good for 4
> weeks with the user's credentials. Now let's assume the TGT/ST are no longer
> valid and the user is trying to access a part of the site where logging in
> is not required for days (protected area). The JWT would then be used to
> auto-login the user. Achievable or pure abuse?
>
> Also considered increasing the TGT TTL to weeks and creating separate
> services to define an
> AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of
> 2hrs/8hrs, etc., but this means certain parts of the site need to be
> under specific URL patterns.
>
> Any suggestions?
>
> -psv
>
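The per-service route Ray points to, combined with the seconds-long, single-use service ticket Carl describes, as an added example: this is not configuration from the thread or from the CAS project, and the hostname, URL pattern, service name and numeric id are assumptions. It is a CAS 6.5 JSON service-registry definition for the long-running protected area only; it would be dropped into the services directory as `long-running-reader-1001.json` (the JSON registry expects `<name>-<id>.json`). The TGT minted for this service may live for 28 days (2419200 seconds), while each ST it issues is consumed on first validation and expires after 10 seconds:

```json
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://www\\.example\\.edu/reader/.*",
  "name": "long-running-reader",
  "id": 1001,
  "description": "Long-running protected area (assumed path); SSO session may live up to four weeks",
  "evaluationOrder": 10,
  "ticketGrantingTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceTicketGrantingTicketExpirationPolicy",
    "maxTimeToLiveInSeconds": 2419200
  },
  "serviceTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy",
    "numberOfUses": 1,
    "timeToLive": "10"
  }
}
```

The "Account/Profile" area stays a separate service with its own, narrower `serviceId` regex (for instance `^https://www\.example\.edu/account/.*`, again an assumption) and no TGT override; instead it carries the participation policy Pablo names, `"singleSignOnParticipationPolicy": {"@class": "org.apereo.cas.services.AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy", "timeUnit": "HOURS", "timeValue": 2}`, so a TGT whose authentication date is older than two hours is not honoured there and the user is sent back through the login form. Two caveats a practitioner should check before relying on this. First, the service-level TGT expiration policy is applied when the TGT is created, i.e. by whichever service starts the SSO session; a session that began at the account pages keeps the global 8-hour policy even when the user later visits the reader. Second, a four-week TGT means a stolen TGC cookie is usable for four weeks, so keep the ST single-use with a TTL in seconds, scope the regex to exactly the long-running paths rather than the whole host, and note that Richard's point still holds: the application's own session timeout decides whether the browser is redirected to CAS at all.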


[cas-user] CAS Management Publish Option

2022-07-27 Thread Alex Morford
I've inherited a cas (5.3.5)/cas-management (5.3.6) setup from a colleague, 
and am trying to get it working as he implemented version control, but we 
never receive the option to publish the change, so they stay in the repo 
folder instead of the services folder. The following error is also 
appearing in the logs:

2022-07-27 08:42:45,036 ERROR 
[org.apereo.cas.mgmt.services.web.ServiceRepositoryController] - null

management properties:

### Server Settings ###
cas.server.name=https://sso.url
cas.server.prefix=${cas.server.name}/cas
mgmt.serverName=https://sso.url
mgmt.enableVersionControl=true
mgmt.servicesRepo=/etc/cas/repo
server.context-path=/cas-management
server.port=443

# Proxy Settings
server.port=8081
server.ssl.enabled=false
cas.server.http.enabled=false
cas.server.httpProxy.enabled=true
cas.server.httpProxy.secure=true
cas.server.httpProxy.scheme=https
cas.server.httpProxy.protocol=HTTP/1.1
cas.server.httpProxy.proxyPort=443
cas.audit.alternateClientAddrHeaderName=X-Forwarded-For

# Service Registry Settings
cas.serviceRegistry.json.location=file:/etc/cas/services

# CAS Authentication Settings
mgmt.adminRoles[0]=cn=AdminGroup,ou=groups,o=bu
mgmt.authzAttributes[0]=GroupAttribute

# Manage Available Attributes
cas.authn.attributeRepository.stub.attributes.XXX=XXX
cas.authn.attributeRepository.stub.attributes.XXX=XXX
cas.authn.attributeRepository.stub.attributes.XXX=XXX
cas.authn.attributeRepository.stub.attributes.uid=uid
cas.authn.attributeRepository.stub.attributes.XXX=XXX
cas.authn.attributeRepository.stub.attributes.XXX=XXX
cas.authn.attributeRepository.stub.attributes.XXX=XXX
cas.authn.attributeRepository.stub.attributes.mail=mail
cas.authn.attributeRepository.stub.attributes.preferredName=preferredName
cas.authn.attributeRepository.stub.attributes.givenName=givenName
cas.authn.attributeRepository.stub.attributes.sn=sn

# Logging Configuration
logging.config=file:/etc/cas/config/log4j2-management.xml

Any thoughts on this issue?




[cas-user] ideas for persistence login session

2022-07-27 Thread Pablo Vidaurri
Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is 
requesting to enable certain parts of their site (protected) to include a 
longer ST (for weeks) while maintaining a 2hr session for other secured 
parts like "Account/Profile".

I understand the application needs to change, but is there anything on the 
CAS side that I can do to help in this effort?

Would JWT help? When a user successfully logs in, issue a JWT good for 4 
weeks with the user's credentials. Now let's assume the TGT/ST are no longer 
valid and the user is trying to access a part of the site where logging in 
is not required for days (protected area). The JWT would then be used to 
auto-login the user. Achievable or pure abuse?

Also considered increasing the TGT TTL to weeks and creating separate 
services to define an 
AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 
2hrs/8hrs, etc., but this means certain parts of the site need to be 
under specific URL patterns.

Any suggestions?

-psv



Re: [cas-user] CAS 6.5.5 Hazelcast discovery documentation issue

2022-07-27 Thread Ray Bon
Stéphane,

I could not find it either.

You can get a list of all properties with:
./gradlew exportConfigMetadata

And to know that command:
./gradlew tasks

Ray

On Tue, 2022-07-26 at 03:25 -0700, Stéphane Delcourt wrote:

Hi,

Just noticed that the property
cas.ticket.registry.hazelcast.cluster.discovery.enabled
is missing in documentation. (or I'm not able to find it)
I guess it's because there's no global discovery page in documentation but new 
users are not going to find correct information to setup discovery.

Regards

Stéphane




[cas-user] Re: Wants to know your location

2022-07-27 Thread Pablo Vidaurri
No I am not, using below dependencies ...

implementation "org.apereo.cas:cas-server-core-api-configuration-model"
implementation "org.apereo.cas:cas-server-webapp-init"
implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-ldap-core:${project.'cas.version'}"
implementation 'org.apereo.cas:cas-server-core-authentication-api:6.3.7.4'
implementation 'org.ldaptive:ldaptive:2.1.0'
implementation "org.apereo.cas:cas-server-support-jdbc-drivers:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-jpa-ticket-registry:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-jpa-util:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"

implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-oauth-webflow:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-saml-core-api:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-core-api-webflow:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-core-webflow:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-core-webflow-api:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-core-tickets-api:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-core-util-api:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-rest:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-core-web-api:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"

testImplementation "org.mockito:mockito-inline:3.12.4"
testImplementation "org.apereo.cas:cas-server-core-authentication-api:${project.'cas.version'}"
testImplementation "org.apereo.cas:cas-server-core-authentication-attributes:${project.'cas.version'}"
testImplementation "org.apereo.cas:cas-server-core-services-authentication:${project.'cas.version'}"
testImplementation "org.apereo.cas:cas-server-core-services-api:${project.'cas.version'}"

On Thursday, July 7, 2022 at 11:09:46 AM UTC-5 mago...@hacc.edu wrote:

> Are you building with Trusted Device support: 
> https://apereo.github.io/cas/development/mfa/Multifactor-TrustedDevice-Authentication-DeviceFingerprint.html
>
> Sounds like you are. Please provide which modules you are building with.
>
> Thank you,
> Matt
>
> On Thursday, June 30, 2022 at 3:35:15 PM UTC-4 Pablo Vidaurri wrote:
>
>> Since upgrading to CAS 6.3.x from 3.5.2 there is this pop-up that prompts 
>> for permission to know your location. Is this something coming from CAS? We 
>> have our custom JS/CSS running on other parts of our site and it never 
>> prompts for this info until we hit the login page. 
>>
>> Where is this coming from and can I turn it off? I don't need geolocation 
>> services for my site.
>>
>> -psv
>>
>>



[cas-user] Re: Refresh token issue

2022-07-27 Thread Pablo Vidaurri
are you missing double quotes and a comma?

supportedResponseTypes": [ "java.util.HashSet",[ "id_token","token" ] ],

On Friday, July 15, 2022 at 12:11:10 AM UTC-5 tibint...@gmail.com wrote:

> Hi,
>
> CAS version 6.0.x
>
> i am using the following config, but not getting refresh token in response.
>
> {
> "@class": "org.apereo.cas.services.OidcRegisteredService",
> "clientId": "",
> "serviceId": "xx",
> "signIdToken": true,
> "implicit": true,
> "bypassApprovalPrompt": true,
> "name": "",
> "id": 1234,
> "evaluationOrder": 12,
> "supportedGrantTypes": [ "java.util.HashSet",[ "implicit","refresh_token" 
> ] ],
> "supportedResponseTypes": [ "java.util.HashSet",[ "id_token token" ] ],
> "generateRefreshToken": true,
> "scopes": [ "java.util.HashSet",[ "openid", "profile" 
> ,"profile_hrbAuth","offline_access"] ],
> "attributeReleasePolicy" : {"@class" : 
> "org.apereo.cas.services.ReturnAllAttributeReleasePolicy" },
> "requiredHandlers": ["java.util.HashSet",[ 
> "QueryDatabaseAuthenticationHandler" ,"mfa-simple"]],
> "theme": "admin",
> "accessStrategy" : {
> "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "enabled" : true,
> "ssoEnabled" : false,
> "requiredAttributes" : {"@class" : "java.util.HashMap", "userRole" : [ 
> "java.util.HashSet", [ "X","Y" ] ]}
> }
> }
>
>
>
