Re: [cas-user] CAS Management 6.5 tomcat AJP

2022-08-31 Thread 'Mallory, Erik' via CAS Community
All,
I was on vacation and just got back yesterday. Thank you for all your
replies.

Ray, 
I tried configuring mgmt.server-name two ways:
mgmt.server-name=https://cas-dev-mgmt.wichita.edu:443  still redirects
to 9443
mgmt.server-name=https://cas-dev-mgmt.wichita.edu same as above


Jonathan,
 SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

 ProxyPass / https://localhost:9443/
 ProxyPassReverse / https://localhost:9443/

The management webapp works behind the apache proxy, I just have to
remove the :9443 from the url and refresh my browser; it affects 4 or
fewer people. It's just annoying for me.

As Ray said, the app should not care what port it's running on. So
somewhere in the management.properties there should be a way to tell it
to use 443 or better yet, have it NOT inject the server.port attribute in
the url string. Or.. AJP could work? Maybe?

Frabrice, 

Translating from your yaml config to my management.properties config,
it looks like we have the same bits flipped but different ports and
schemes. I do not have the access log turned on and use-forward-headers
defaults to true for the tomcat embedded servlet container.

So I'm not sure this is relevant, I'm sure this works with the main
cas.war, which I think is the config you gave me, I'm not sure that ajp
works with the cas-managment.war, or I haven't seen it work yet. I
appreciate you taking the time to respond.

Thanks again everyone.
-- 
Erik Mallory
Server Analyst
Wichita State University

On Mon, 2022-08-29 at 18:36 +, Ray Bon wrote:
> Erik,
> 
> The management server should not know what port it is running under.
> Check mgmt.server-name. 
> 
> Ray
> 
> On Tue, 2022-08-23 at 13:53 +0000, 'Mallory, Erik' via CAS Community
> wrote:
> > Hello,
> > Is there a way to get the CAS Management Webapp to use AJP ports,
> > I'd
> > like to front end the application with Apache.
> > I attempted to use Apache's https proxy to 8443 which works, but
> > when I
> > authenticate against CAS it redirects me to cas-
> > mgmt.domain.tld:8443.
> > It would appear that the management app is inserting the server.port
> > property into the data sent to CAS, and cas dutifully returns the
> > user to the server:port.
> > 
> > If I could use AJP that would solve this problem.
> > I included the following in the build.gradle
> > compile "org.apereo.cas:cas-mgmt-webapp-tomcat:${project.'casmgmt.version'}"
> > 
> > And attempted to use the following properties:
> > 
> > server.tomcat.ajp.enabled=true
> > server.tomcat.ajp.port=8009
> > server.tomcat.ajp.protocol=AJP/1.3
> > server.tomcat.ajp.async-timeout=5000
> > server.tomcat.ajp.scheme=https
> > server.tomcat.ajp.max-post-size=20971520
> > server.tomcat.ajp.proxy-port=10443
> > server.tomcat.ajp.enable-lookups=false
> > #cas.server.tomcat.ajp.redirect-port=-1
> > server.tomcat.ajp.allow-trace=false
> > server.tomcat.ajp.secure=false
> > 
> > If ajp does not work with the cas-management webapp
> > Is there a way to NOT send the server.port property in the
> > connection string so cas will just redirect to cas-mgmt.domain.tld
> > ?
> > Thanks,
> > --
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> > 
> > --
> > - Website: 
> >  https://apereo.github.io/cas
> > 
> > - Gitter Chatroom: 
> >  https://gitter.im/apereo/cas
> > 
> > - List Guidelines: 
> >  https://goo.gl/1VRrw7
> > 
> > - Contributions: 
> >  https://goo.gl/mh7qDG
> > 
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to 
> >  cas-user+unsubscr...@apereo.org
> >  .
> > To view this discussion on the web visit 
> >  
> > https://groups.google.com/a/apereo.org/d/msgid/cas-user/1f0074b8f4e2d4828a06f766294e4ab148d83b38.camel%40wichita.edu
> >  .
> 
>  -- 
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
> 
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
> territory the university stands, and the Songhees, Esquimalt and
> WSÁNEĆ peoples whose historical relationships with the land continue
> to this day.

[cas-user] CAS Management 6.5 tomcat AJP

2022-08-23 Thread 'Mallory, Erik' via CAS Community
Hello,
Is there a way to get the CAS Management Webapp to use AJP ports, I'd
like to front end the application with Apache.
I attempted to use Apache's https proxy to 8443 which works, but when I
authenticate against CAS it redirects me to cas-mgmt.domain.tld:8443. 
It would appear that the management app is inserting the server.port
property into the data sent to CAS, and cas dutifully returns the
user to the server:port. 

If I could use AJP that would solve this problem.
I included the following in the build.gradle
compile "org.apereo.cas:cas-mgmt-webapp-tomcat:${project.'casmgmt.version'}"

And attempted to use the following properties:

server.tomcat.ajp.enabled=true
server.tomcat.ajp.port=8009
server.tomcat.ajp.protocol=AJP/1.3
server.tomcat.ajp.async-timeout=5000
server.tomcat.ajp.scheme=https
server.tomcat.ajp.max-post-size=20971520
server.tomcat.ajp.proxy-port=10443
server.tomcat.ajp.enable-lookups=false
#cas.server.tomcat.ajp.redirect-port=-1
server.tomcat.ajp.allow-trace=false
server.tomcat.ajp.secure=false

If ajp does not work with the cas-management webapp
Is there a way to NOT send the server.port property in the connection string so 
cas will just redirect to cas-mgmt.domain.tld ?
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University



Re: [cas-user] CAS 6.5.2 hazelcast throttle not working

2022-04-19 Thread 'Mallory, Erik' via CAS Community
Possibly related:
I find when I configure the following:
cas.authn.throttle.schedule.start-delay=PT15S
cas.authn.throttle.schedule.repeat-interval=PT2M

hazelcast for tickets will not start as well.
{uuid=c50a7ff2-aada-46df-9b27-7becfb0b82ef, partitionId=84,
source=[10.0.79.37]:5701 - 3d6b7b52-1e7b-4d02-86cf-20646660c0dc,
sourceCurrentReplicaIndex=0, sourceNewReplicaIndex=-1,
destination=[10.0.79.38]:5701 - 98a372bd-9e6c-4392-83d4-0f53bc20999e,
destinationCurrentReplicaIndex=2, destinationNewReplicaIndex=0,
master=[10.0.79.38]:5701, initialPartitionVersion=54,
partitionVersionIncrement=2, status=SUCCESS}>
2022-04-19 14:48:20,284 DEBUG
[com.hazelcast.internal.partition.InternalPartitionService] -
<[10.0.79.37]:5701 [dev] [5.0.2] Applied completed migrations with
partition state stamp: -8849522026878563695>
2022-04-19 14:48:20,284 DEBUG
[com.hazelcast.internal.partition.InternalPartitionService] -
<[10.0.79.37]:5701 [dev] [5.0.2] Applied completed migrations with
partition state stamp: -8849522026878563695>
2022-04-19 14:48:20,285 DEBUG [com.hazelcast.instance.impl.Node] -
<[10.0.79.37]:5701 [dev] [5.0.2] Graceful shutdown completed for
InternalPartitionService {stamp: -8849522026878563695, migrationQ: 0}>
2022-04-19 14:48:20,285 DEBUG
[com.hazelcast.internal.cluster.ClusterService] - <[10.0.79.37]:5701
[dev] [5.0.2] Setting master address to null>
2022-04-19 14:48:20,285 INFO [com.hazelcast.instance.impl.Node] -
<[10.0.79.37]:5701 [dev] [5.0.2] Shutting down connection manager...>
2022-04-19 14:48:20,286 INFO
[com.hazelcast.internal.server.tcp.TcpServerConnection] -
<[10.0.79.37]:5701 [dev] [5.0.2] Connection[id=1, /10.0.79.37:46505-
>/10.0.79.38:5701, qualifier=null, endpoint=[10.0.79.38]:5701,
alive=false, connectionType=MEMBER, planeIndex=0] closed. Reason:
TcpServer is stopping>
2022-04-19 14:48:20,288 INFO
[com.hazelcast.internal.server.tcp.TcpServerConnection] -
<[10.0.79.37]:5701 [dev] [5.0.2] Connection[id=2, /10.0.79.37:5701-
>/10.0.79.50:45633, qualifier=null, endpoint=[10.0.79.50]:5701,
alive=false, connectionType=MEMBER, planeIndex=0] closed. Reason:
TcpServer is stopping>
2022-04-19 14:48:20,289 INFO [com.hazelcast.instance.impl.Node] -
<[10.0.79.37]:5701 [dev] [5.0.2] Shutting down node engine...>
2022-04-19 14:48:20,301 DEBUG
[com.hazelcast.internal.cluster.ClusterService] - <[10.0.79.37]:5701
[dev] [5.0.2] Setting master address to null>
2022-04-19 14:48:23,310 INFO
[com.hazelcast.instance.impl.NodeExtension] - <[10.0.79.37]:5701 [dev]
[5.0.2] Destroying node NodeExtension.>
2022-04-19 14:48:23,310 INFO [com.hazelcast.instance.impl.Node] -
<[10.0.79.37]:5701 [dev] [5.0.2] Hazelcast Shutdown is completed in
3191 ms.>
2022-04-19 14:48:23,310 INFO [com.hazelcast.core.LifecycleService] -
<[10.0.79.37]:5701 [dev] [5.0.2] [10.0.79.37]:5701 is SHUTDOWN>

If I comment out the two options above, hazelcast for tickets works.
hazelcast for throttles doesn't work in any case.
-- 
Erik Mallory
Server Analyst
Wichita State University

On Wed, 2022-04-13 at 18:21 +, 'Mallory, Erik' via CAS Community
wrote:
> Hello,
> Hazelcast for throttling is not working.
> Here are my settings, and below the settings is the error.
> Help is appreciated.
> 
> #Authentication Throttling
> cas.authn.throttle.core.username-parameter=username
> cas.authn.throttle.core.app-code=CAS
> cas.authn.throttle.failure.threshold=100
> cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
> cas.authn.throttle.failure.range-seconds=60
> ##
> #Hazelcast for Throttling 
> #cas.authn.throttle.hazelcast.cluster.network.members=10.0.79.37,10.0
> .7
> 9.38,10.79.50
> cas.authn.throttle.hazelcast.cluster.network.local-
> address='10.0.79.37'
> cas.authn.throttle.hazelcast.cluster.network.members=10.0.79.37
> cas.authn.throttle.hazelcast.cluster.core.instance-name=cas-thrt
> cas.authn.throttle.hazelcast.cluster.network.port=5704
> cas.authn.throttle.hazelcast.cluster.network.tcpip-enabled=true
> cas.authn.throttle.hazelcast.cluster.network.port-auto-
> increment=false
> cas.authn.throttle.hazelcast.cluster.core.eviction-policy=LRU
> cas.authn.throttle.hazelcast.cluster.core.max-no-heartbeat-
> seconds=300
> cas.authn.throttle.hazelcast.cluster.core.logging-type=log4j
> cas.authn.throttle.hazelcast.cluster.core.max-size=85
> cas.authn.throttle.hazelcast.cluster.core.max-size-
> policy=USED_HEAP_PERCENTAGE
> cas.authn.throttle.hazelcast.cluster.core.timeout=5
> cas.authn.throttle.hazelcast.cluster.core.backup-count=1
> cas.authn.throttle.hazelcast.cluster.core.async-backup-count=0
> cas.authn.throttle.hazelcast.cluster.core.async-fillup=true
> #cas.authn.throttle.hazelcast.enable-compression=false
> #cas.authn.throttle.hazelcast.enable-management-center-
> scripting=false
> 
>  ERROR
> [org.springframework.scheduling.support.Ta

[cas-user] CAS 6.5.2 hazelcast throttle not working

2022-04-13 Thread 'Mallory, Erik' via CAS Community
Hello,
Hazelcast for throttling is not working.
Here are my settings, and below the settings is the error.
Help is appreciated.

#Authentication Throttling
cas.authn.throttle.core.username-parameter=username
cas.authn.throttle.core.app-code=CAS
cas.authn.throttle.failure.threshold=100
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.range-seconds=60
##
#Hazelcast for Throttling 
#cas.authn.throttle.hazelcast.cluster.network.members=10.0.79.37,10.0.79.38,10.79.50
cas.authn.throttle.hazelcast.cluster.network.local-address='10.0.79.37'
cas.authn.throttle.hazelcast.cluster.network.members=10.0.79.37
cas.authn.throttle.hazelcast.cluster.core.instance-name=cas-thrt
cas.authn.throttle.hazelcast.cluster.network.port=5704
cas.authn.throttle.hazelcast.cluster.network.tcpip-enabled=true
cas.authn.throttle.hazelcast.cluster.network.port-auto-increment=false
cas.authn.throttle.hazelcast.cluster.core.eviction-policy=LRU
cas.authn.throttle.hazelcast.cluster.core.max-no-heartbeat-seconds=300
cas.authn.throttle.hazelcast.cluster.core.logging-type=log4j
cas.authn.throttle.hazelcast.cluster.core.max-size=85
cas.authn.throttle.hazelcast.cluster.core.max-size-policy=USED_HEAP_PERCENTAGE
cas.authn.throttle.hazelcast.cluster.core.timeout=5
cas.authn.throttle.hazelcast.cluster.core.backup-count=1
cas.authn.throttle.hazelcast.cluster.core.async-backup-count=0
cas.authn.throttle.hazelcast.cluster.core.async-fillup=true
#cas.authn.throttle.hazelcast.enable-compression=false
#cas.authn.throttle.hazelcast.enable-management-center-scripting=false

 ERROR
[org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler]
- 
com.hazelcast.nio.serialization.HazelcastSerializationException: Failed
to serialize
'com.hazelcast.spi.impl.operationservice.impl.operations.PartitionItera
tingOperation'
at
.
Caused by: java.io.NotSerializableException:
org.apereo.cas.web.support.AbstractInMemoryThrottledSubmissionHandlerIn
terceptorAdapter$$Lambda$3419/0x000841191840
-- 
Erik Mallory
Server Analyst
Wichita State University



[cas-user] CAS 6.3.7.4 cas/actuator/statistics Error 500

2022-02-04 Thread 'Mallory, Erik' via CAS Community
Hello, I'm working on getting some metrics going for my cas
environments. The prometheus, health, info and throttle endpoints work
fine. The statistics endpoint seems to be broken.


build.gradle dependencies:

implementation "org.apereo.cas:cas-server-support-metrics"
implementation "org.apereo.cas:cas-server-support-reports"

cas.properties config:

management.endpoints.web.exposure.include=statistics,info,health,throttles,prometheus
management.endpoint.throttles.enabled=true
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.endpoint.statistics.enabled=true
management.endpoint.prometheus.enabled=true
management.metrics.export.prometheus.enabled=true

Error Message:
status":500,"error":"Internal Server
Error","trace":"java.lang.ClassCastException: class
org.apereo.cas.util.cache.DistributedCacheObject cannot be cast to
class org.apereo.cas.ticket.Ticket
(org.apereo.cas.util.cache.DistributedCacheObject and
org.apereo.cas.ticket.Ticket are in unnamed module of loader
org.springframework.boot.loader.LaunchedURLClassLoader @277050dc)
at
java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeli
ne.java:195)
at
java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Arr
ayList.java:1655)
at
java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipe
line.java:658)
at
java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeli
ne.java:274)
at
java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeli
ne.java:195)
...

Please advise.
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University



[cas-user] CAS 6.3.4

2021-07-14 Thread 'Mallory, Erik' via CAS Community
All, 
Thanks to Ray Bon for reminding me that TARGET was SAML 1.1 related.
I checked my build.gradle and sure enough I had the saml.core commented
out. I rebuilt and redeployed now cas will not start and fails with

ERROR [org.springframework.boot.web.embedded.tomcat.TomcatStarter] -
http://javax.xml.XMLConstants/property/accessExternalSchema' is not
recognized.>

Any help would be greatly appreciated.
Thanks
-- 
Erik Mallory
Server Analyst
Wichita State University



[cas-user] service vs TARGET CAS 6.3.4

2021-07-14 Thread 'Mallory, Erik' via CAS Community
Hello,
We're working towards upgrading our CAS 6.1.8 to 6.3.4 and I discovered
a problem with a few of our Banner applications that are configured to
send TARGET=https://servicename.example.com/
I reconfigured one app to send service=https://servicename.example.com/
 and that seems to have fixed it. 
I imagine I'm going to have to touch a LOT of apps to get CAS upgraded.
Is there a way I can configure CAS to honor the TARGET variable?
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University



Re: [cas-user] CAS 6.3.4 Hazelcast 4.1 Issue.

2021-07-09 Thread 'Mallory, Erik' via CAS Community
Thanks to all who replied. I got side tracked by other issues and when
I returned to this one I found that some services worked consistently
and one (cas-managment version 6.1.x) was problematic. So it turns out
that hazelcast was working. 
Thanks for the clarification on distributed vs replicated. I had not
made the distinction.
Warm regards,
-- 
Erik Mallory
Server Analyst
Wichita State University

On Thu, 2021-07-08 at 09:53 -0400, Mark H. Wood wrote:
> On Wed, Jul 07, 2021 at 02:49:32PM -1000, Baron Fujimoto wrote:
> > I'm also confused by this. What does distributed mean, if not
> > replicated?
> 
> I understand "replicated" to mean that each associated instance
> contains the complete set of cache entries locally.  There would be a
> great deal of communication required to maintain consistency, but the
> cost of cache queries is small.
> 
> Another form of distribution is variously called "sharded,"
> "partitioned," etc.  Associated instances would hold subsets of the
> complete cache content, and their association would mean that one
> instance can ask the others if any have hits where it has a miss, and
> to supply one.  This isn't as fast as having a complete set in each
> instance, but it reduces the communication load on insertion.  It may
> be appropriate where the cost of acquiring an uncached object is
> sufficiently higher than the cost of asking for help from another
> subset and awaiting a reply.
> 
> If the cost of uncached objects is quite high, it can also make sense
> to run multiple cache instances atop a shared backing store, which
> has
> its own cost.
> 
> > On Mon, Jul 5, 2021 at 7:42 AM Ray Bon  wrote:
> > 
> > > Erik,
> > > 
> > > Hazelcast is not a replicated cache by default, just distributed.
> > > I
> > > understand there is a backup/restore system but you would need at
> > > least
> > > three servers to test it.
> > > 
> > > The only config I have are these:
> > > cluster.members
> > > cluster.instanceName
> > > crypto.signing.key
> > > crypto.encryption.key
> > > crypto.enabled=true
> > > 
> > > which is in a shared file.
> > > 
> > > I have two cas'es running on my local and have not seen that
> > > error. You
> > > can tell if the hazelcast servers are communicating if your
> > > tickets are
> > > validated on a different server than they were created. Set the
> > > load
> > > balancer to round robin.
> > > 
> > > I do not see a cas property for replication. Is it an option for
> > > cas? See
> > > hazelcast docs,
> > > https://docs.hazelcast.com/imdg/4.1/data-structures/replicated-map.html
> > > 
> > > Ray
> > > 
> > > On Thu, 2021-07-01 at 19:41 +, 'Mallory, Erik' via CAS
> > > Community wrote:
> > > 
> > > All I'm having a problem implementing the Hazelcast ticket store
> > > in CAS
> > > 
> > > 6.3.4 which uses hazelcast-4.1
> > > 
> > > 
> > > Currently I'm testing with a two node cluster fontended with a
> > > 
> > > netscaler. Each node has it's own /etc/cas/config/cas.properties
> > > so
> > > 
> > > each node as it's own hazelcast configuration.
> > > 
> > > Here is the relevant hazelcast configuration parameters:
> > > 
> > >  cas.ticket.registry.hazelcast.page-size=500
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.tcpip-enabled=true
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.map-merge-
> > > policy=PUT_IF_ABSENT
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.instance-name=cas-dev
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.members=10.0.79.38,10.0.79
> > > .37
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.eviction-policy=LRU
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.max-no-heartbeat-
> > > seconds=300
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.logging-type=slf4j
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.port=5701
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.max-size=85
> > > 
> > >  cas.ticket.registry.hazelcast.cluster.backup-count=1
> > > 
> > >  cas.ticket

[cas-user] CAS 6.3.4 Hazelcast 4.1 Issue.

2021-07-01 Thread 'Mallory, Erik' via CAS Community
All, I'm having a problem implementing the Hazelcast ticket store in CAS
6.3.4 which uses hazelcast-4.1

Currently I'm testing with a two node cluster frontended with a
netscaler. Each node has its own /etc/cas/config/cas.properties so
each node has its own hazelcast configuration.
Here are the relevant hazelcast configuration parameters:
 cas.ticket.registry.hazelcast.page-size=500
 cas.ticket.registry.hazelcast.cluster.tcpip-enabled=true
 cas.ticket.registry.hazelcast.cluster.map-merge-policy=PUT_IF_ABSENT
 cas.ticket.registry.hazelcast.cluster.instance-name=cas-dev
 cas.ticket.registry.hazelcast.cluster.members=10.0.79.38,10.0.79.37
 cas.ticket.registry.hazelcast.cluster.eviction-policy=LRU
 cas.ticket.registry.hazelcast.cluster.max-no-heartbeat-seconds=300
 cas.ticket.registry.hazelcast.cluster.logging-type=slf4j
 cas.ticket.registry.hazelcast.cluster.port=5701
 cas.ticket.registry.hazelcast.cluster.max-size=85
 cas.ticket.registry.hazelcast.cluster.backup-count=1
 cas.ticket.registry.hazelcast.cluster.async-backup-count=0
 cas.ticket.registry.hazelcast.cluster.max-size-policy=USED_HEAP_PERCENTAGE
 cas.ticket.registry.hazelcast.cluster.timeout=5

In my testing I found that the tickets were not being replicated to the
other host. I'd use the netscaler to switch between the backend CAS
nodes, log in to one, fail over to the other node and attempt to access
cas, and I was redirected to the login screen.

After restarting the cas services on both nodes and tailing out the cas
log I noticed the following error:

Cannot add a dynamic configuration 

'MapConfig{name='serviceTicketsCache', inMemoryFormat=BINARY',
metadataPolicy=CREATE_ON_
UPDATE, backupCount=1, asyncBackupCount=0, timeToLiveSeconds=0,
maxIdleSeconds=500, readBackupData=false, evictionConfig=Evict
ionConfig{size=85, maxSizePolicy=USED_HEAP_PERCENTAGE,
evictionPolicy=LRU, comparatorClassName=null, comparator=null}, merkleT
ree=MerkleTreeConfig{enabled=false, depth=10},
eventJournal=EventJournalConfig{enabled=false, capacity=1,
timeToLiveSecond
s=0}, hotRestart=HotRestartConfig{enabled=false, fsync=false},
nearCacheConfig=null, mapStoreConfig=MapStoreConfig{enabled=fal
se, className='null', factoryClassName='null', writeDelaySeconds=0,
writeBatchSize=1, implementation=null, factoryImplementation=null,
properties={}, initialLoadMode=LAZY, writeCoalescing=true},
mergePolicyConfig=MergePolicyConfig{policy='com.hazelcast.spi.merge.Lat
estUpdateMergePolicy', batchSize=100}, wanReplicationRef=null,
entryListenerConfigs=null, indexConfigs=null, attributeConfigs=null,
splitBrainProtectionName=null, queryCacheConfigs=null,
cacheDeserializedValues=INDEX_ONLY}' 

as there is already a conflicting configuration

 'MapConfig{name='serviceTicketsCache', inMemoryFormat=BINARY',
metadataPolicy=CREATE_ON_UPDATE, backupCount=1, asyncBackupCount=0,
timeToLiveSeconds=0, maxIdleSeconds=10, readBackupData=false,
evictionConfig=EvictionConfig{size=85,
maxSizePolicy=USED_HEAP_PERCENTAGE, evictionPolicy=LRU,
comparatorClassName=null, comparator=null},
merkleTree=MerkleTreeConfig{enabled=false, depth=10},
eventJournal=EventJournalConfig{enabled=false, capacity=1,
timeToLiveSeconds=0}, hotRestart=HotRestartConfig{enabled=false,
fsync=false}, nearCacheConfig=null,
mapStoreConfig=MapStoreConfig{enabled=false, className='null',
factoryClassName='null', writeDelaySeconds=0, writeBatchSize=1,
implementation=null, factoryImplementation=null, properties={},
initialLoadMode=LAZY, writeCoalescing=true},
mergePolicyConfig=MergePolicyConfig{policy='com.hazelcast.spi.merge.Lat
estUpdateMergePolicy', batchSize=100}, wanReplicationRef=null,
entryListenerConfigs=null, indexConfigs=null, attributeConfigs=null,
splitBrainProtectionName=null, queryCacheConfigs=null,
cacheDeserializedValues=INDEX_ONLY}'>

So off to google I go and I find 
https://github.com/hazelcast/hazelcast/issues/1
and I add -Dhazelcast.dynamicconfig.ignore.conflicts=true for giggles
and to see something at least boot.

So now both services start up but I'm ignoring the dynamic config
conflicts. My testing fails; it would appear that hazelcast is not able
to share the tgt between nodes.

Any help would be greatly appreciated.


-- 
Erik Mallory
Server Analyst
Wichita State University
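
An added example, not part of the original post: one way to find which setting differs between the two `MapConfig` dumps in a "Cannot add a dynamic configuration ... conflicting configuration" error, such as the `maxIdleSeconds` values 500 and 10 shown above. The function names are hypothetical and the two sample dumps are constructed, shortened versions of the ones in the message, including the line wrapping that mail and log viewers introduce.

```python
import re


def normalize(dump: str) -> str:
    """Undo line wrapping and drop the quotes / '>' that surround the dump."""
    return dump.replace("\n", "").strip().strip("'>")


def split_top_level(body: str) -> list[str]:
    """Split 'a=1, b=X{c=2, d=3}' on commas that are not inside braces."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append(body[start:i])
            start = i + 1
    tail = body[start:]
    if tail.strip():
        parts.append(tail)
    return [p.strip() for p in parts]


def _flatten(text: str, prefix: str = "") -> dict[str, str]:
    """Turn 'Name{k=v, n=Other{x=y}}' into {'k': 'v', 'n.x': 'y'}."""
    match = re.fullmatch(r"(\w*)\{(.*)\}", text.strip(), re.S)
    if not match:
        raise ValueError(f"not a Name{{...}} block: {text[:40]!r}")
    out: dict[str, str] = {}
    for part in split_top_level(match.group(2)):
        key, _, value = part.partition("=")
        key, value = key.strip(), value.strip()
        path = prefix + key
        if re.fullmatch(r"\w*\{.*\}", value, re.S):
            nested = _flatten(value, path + ".")
            if nested:
                out.update(nested)
            else:
                out[path] = "{}"  # empty block such as properties={}
        else:
            # strip("'") also tolerates a stray quote like BINARY'
            out[path] = value.strip("'")
    return out


def parse_config(dump: str) -> dict[str, str]:
    """Parse one MapConfig{...} dump into a flat path -> value mapping."""
    return _flatten(normalize(dump))


def diff_configs(new: str, existing: str) -> dict[str, tuple]:
    """Return {path: (new_value, existing_value)} for every differing key."""
    a, b = parse_config(new), parse_config(existing)
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(a.keys() | b.keys())
        if a.get(key) != b.get(key)
    }


# Constructed samples: shortened from the dumps in the post, wrapped mid-token
# on purpose to show that normalize() repairs the wrapping.
NEW_CONFIG = """'MapConfig{name='serviceTicketsCache', inMemoryFormat=BINARY',
backupCount=1, maxIdleSeconds=500, evictionConfig=Evict
ionConfig{size=85, maxSizePolicy=USED_HEAP_PERCENTAGE, evictionPolicy=LRU},
properties={}, mergePolicyConfig=MergePolicyConfig{policy='com.hazelcast.spi.merge.Lat
estUpdateMergePolicy', batchSize=100}}'"""

EXISTING_CONFIG = """'MapConfig{name='serviceTicketsCache', inMemoryFormat=BINARY',
backupCount=1, maxIdleSeconds=10,
evictionConfig=EvictionConfig{size=85,
maxSizePolicy=USED_HEAP_PERCENTAGE, evictionPolicy=LRU},
properties={},
mergePolicyConfig=MergePolicyConfig{policy='com.hazelcast.spi.merge.LatestUpdateMergePolicy',
batchSize=100}}'>"""


if __name__ == "__main__":
    for path, (new, old) in diff_configs(NEW_CONFIG, EXISTING_CONFIG).items():
        print(f"{path}: new={new} existing={old}")
```

Pasting the two full dumps from a node's log into `diff_configs` lists every key whose value differs between the configuration the starting node proposes and the one the cluster already holds.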



Re: [cas-user] Duo Warning in CAS Logs

2020-08-25 Thread 'Mallory, Erik' via CAS Community
Thanks for the response. I think we've isolated the issue to the
application.
-- 
Erik Mallory
Server Analyst
Wichita State University

On Tue, 2020-08-25 at 13:04 -0500, 'Robert Bond' via CAS Community
wrote:
> I get those also. Duo still works fine. Tried looking on the duo side
> to grant additional privileges, did not find any. 
> 
> On Tue, Aug 25, 2020 at 8:54 AM 'Mallory, Erik' via CAS Community <
> cas-user@apereo.org> wrote:
> > Hello,
> > 
> > 
> > CAS Version: 6.1.5
> > 
> > We're getting the following warning in the CAS logs and we are
> > intermittently having login issues for one particular app. I would
> > like
> > to know if anyone has experienced this error and could perhaps
> > explain
> > it.
> > 2020-08-25 08:14:01,474 WARN
> > [org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationSer
> > vice
> > ] -  > forbidden]
> > and detail [Wrong integ
> > ration type for this API.] when determining user account. This
> > maybe a
> > configuration error in the admin request and Duo will still be
> > considered available.>
> > 
> > Thank you,
> > -- 
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> > 
> 
> 
> -- 
> Robert Bond
> Network Administrator
> (918) 444-5886
> Northeastern State University



[cas-user] Principal ID Warning

2020-08-25 Thread 'Mallory, Erik' via CAS Community
Hello,
CAS Version: 6.1.5

We've had this warning in our logs for some time now. It doesn't seem to
be adversely affecting logins but I'd like to know if anyone else has
seen this warning and if they fixed it, how that was accomplished.
WARN
[org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrinc
ipalResolver] - 
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University



[cas-user] Duo Warning in CAS Logs

2020-08-25 Thread 'Mallory, Erik' via CAS Community
Hello,


CAS Version: 6.1.5
 
We're getting the following warning in the CAS logs and we are
intermittently having login issues for one particular app. I would like
to know if anyone has experienced this error and could perhaps explain
it.
2020-08-25 08:14:01,474 WARN
[org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationService
] - 

Thank you,
-- 
Erik Mallory
Server Analyst
Wichita State University



Re: [cas-user] CAS 6.1.7 ADFS Client Banner Applications

2020-07-23 Thread 'Mallory, Erik' via CAS Community
Lol.. Well I appreciate the commiseration. It sounds very similar to
what I'm experiencing. I'm delegating to ADFS and the CAS server is
forgetting it's in the middle of a SAML conversation. I just think this
*should* work. Think I think I'm missing some config. I keep eyeing
SAML IdP config but every time I look through the CAS Docs, I'm like
"Nope that won't do it."

It would be nice if someone who knows more than I do would take the
time to explain why I'm wrong, so I could explain to my superiors why
this doesn't work.

-- 
Erik Mallory
Server Analyst
Wichita State University

On Thu, 2020-07-23 at 14:26 +, Jon Anderson wrote:
> CAUTION: This email originated from outside of Wichita State
> University. Do not click links or open attachments unless you
> recognize the sender and know the content is safe.
> 
> 
> This isn't so helpful, but I once tried to get a CAS5 to speak SAML2
> with an SP but delegate the auth to older existing CAS server. I
> ended up giving up on delegation, because I could never get it to
> finish the SAML2 conversation. It would come back from the delegated
> authentication, forget that it was in the middle of a SAML
> conversation and try to finish with the SP speaking CAS.
> ________________
> From: 'Mallory, Erik' via CAS Community [cas-user@apereo.org]
> Sent: Thursday, July 23, 2020 9:12 AM
> To: cas-user@apereo.org
> Subject: Re: [cas-user] CAS 6.1.7 ADFS Client Banner Applications
> 
> CAUTION: THIS EMAIL ORIGINATED FROM OUTSIDE OF ORU
> 
> So basically, what happens here is CAS "forgets" to speak SAML back
> to
> the Banner Application. When the conversation is between the CAS
> server
> and the banner app all is well. When the CAS server communicates to
> the
> Banner app, the banner app does not receive SAML data.
> 
> So how would one configure CAS to send SAML data in addition to
> responding to a saml request?
> 
> Really I'm at a dead end here.
> --
> Erik Mallory
> Server Analyst
> Wichita State University
> 
> On Fri, 2020-07-17 at 20:22 +, 'Mallory, Erik' via CAS Community
> wrote:
> > 
> > 
> > So I've increased the logging for the Banner Application I'm trying
> > to
> > get configured. the Banner application uses SAML 1.1 to
> > communicate.
> > CAS hands off the authentication to ADFS and then back to CAS which
> > then sends the user back to the Banner Application. CAS is not
> > sending
> > a SAML response at that time.
> > 
> > If you open a second tab, and navigate to the application, it sends
> > you
> > to cas, you're authenticated, so cas sends you back with a SAML
> > response and you are able to log in.
> > I've attached the application logs if anyone is interested.
> > 
> > --
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> > 
> > On Fri, 2020-07-17 at 16:29 +, 'Mallory, Erik' via CAS
> > Community
> > wrote:
> > > 
> > > 
> > > Thanks!
> > > I'm working with Ellucian now. It's strange to me that it works
> > > with
> > > just CAS but then does not work when CAS is configured as an ADFS
> > > client. It's as if CAS is not speaking SAML for that initial log
> > > in
> > > but
> > > it is speaking SAML for subsequent logins.
> > > 
> > > --
> > > Erik Mallory
> > > Server Analyst
> > > Wichita State University
> > > 
> > > On Thu, 2020-07-16 at 22:29 +, Ray Bon wrote:
> > > > 
> > > > Erik,
> > > > 
> > > > Our Banner setup uses SAML 1.1. During the log in request it is
> > > > /cas/login?TARGET=blah/banner/applicationnavigator
> > > > 'service' is used for CAS protocol. Check your banner setup.
> > > > 
> > > > Ray
> > > > 
> > > > On Thu, 2020-07-16 at 21:07 +, 'Mallory, Erik' via CAS
> > > > Community
> > > > wrote:
> > > > > Hello I th

Re: [cas-user] CAS-Manager and MDQ Metadata

2020-07-23 Thread 'Mallory, Erik' via CAS Community
Try something like this.
JAVA_OPTS="-Dhttp.proxySet=true -Dhttps.proxySet=true
-Dhttp.proxyHost=proxysvc.domain.edu
-Dhttps.proxyHost=proxysvc.domain.edu -Dhttp.proxyPort=8080
-Dhttps.proxyPort=8080"
-- 
Erik Mallory
Server Analyst
Wichita State University

On Thu, 2020-07-23 at 07:53 -0700, Mickaël wrote:
> 
> Hi Erik,
> 
> Yes, wget and curl are configured to use our proxy server.
> If I wget https://mdq.incommon.org/entities it works and I download a
> file of 74 Mo.
> 
> Mickaël
> 
> On Thursday, 23 July 2020 at 16:40:58 UTC+2, Mallory, Erik wrote:
> > Are you able to configure the proxy for the command line and wget
> > the 
> > target url? 
> > I had this configured a few years back I'm not sure if I still have
> > a 
> > copy I'll dig around though. 



Re: [cas-user] CAS-Manager and MDQ Metadata

2020-07-23 Thread 'Mallory, Erik' via CAS Community
Are you able to configure the proxy for the command line and wget the
target url?
I had this configured a few years back I'm not sure if I still have a
copy I'll dig around though.
-- 
Erik Mallory
Server Analyst
Wichita State University

On Thu, 2020-07-23 at 02:10 -0700, Mickaël wrote:
> 
> 
> Hi,
> 
> I'm preparing to migrate our CAS and CAS-Manager from version 5.3.X
> to 6.1.X.
> 
> I'm testing CAS 6.1 with CAS-Manager 6.1.4-SNAPSHOT with JPA/JDBC
> dependencies for service storage on Tomcat 9 and Debian 10.
> 
> At startup of CAS-Manager, I have a timeout error to reach an
> external URL for MDQ.
> 
> I have to deal with a proxy for going on internet. I have put in
> JAVA_OPTS -Dhttps.proxyHost= and -Dhttps.proxyPort= without success.
> 
> [2020-07-23 10:51:06] [info] 2020-07-23 10:51:06,568 ERROR
> [org.apereo.cas.util.HttpUtils] -  [mdq.incommon.org/13.226.169.83, mdq.incommon.org/13.226.169.49,
> mdq.incommon.org/13.226.169.48, mdq.incommon.org/13.226.169.117]
> failed: Connection timed out (Connection timed out)>
> [2020-07-23 10:51:06] [info]
> org.apache.http.conn.HttpHostConnectException: Connect to
> mdq.incommon.org:443 [mdq.incommon.org/13.226.169.83,
> mdq.incommon.org/13.226.169.49, mdq.incommon.org/13.226.169.48,
> mdq.incommon.org/13.226.169.117] failed: Connection timed out
> (Connection timed out)
> [2020-07-23 10:51:06] [info] 2020-07-23 10:51:06,579 ERROR
> [org.apereo.cas.mgmt.InCommonMetadataAggregateResolver] -  fetch metadata from [https://mdq.incommon.org/entities]>
> [2020-07-23 10:51:06] [info] 2020-07-23 10:51:06,581 WARN
> [org.springframework.boot.web.servlet.context.AnnotationConfigServlet
> WebServerApplicationContext] -  initialization - cancelling refresh attempt:
> org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'samlController' defined in class path
> resource
> [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]:
> Bean instantiation via factory method failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to
> instantiate [org.apereo.cas.mgmt.SamlController]: Factory method
> 'samlController' threw exception; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'metadataAggregateResolver' defined in class
> path resource
> [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]:
> Bean instantiation via factory method failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to
> instantiate [org.apereo.cas.mgmt.MetadataAggregateResolver]: Factory
> method 'metadataAggregateResolver' threw exception; nested exception
> is org.apereo.cas.services.UnauthorizedServiceException:
> screen.service.error.message>
> [2020-07-23 10:51:06] [info] 2020-07-23 10:51:06,655 ERROR
> [org.springframework.boot.SpringApplication] -  failed>
> 
> Thanks for reading.
> 
> Sincerely,
> 
> Mickaël
> 



Re: [cas-user] CAS 6.1.7 ADFS Client Banner Applications

2020-07-23 Thread 'Mallory, Erik' via CAS Community
So basically, what happens here is CAS "forgets" to speak SAML back to
the Banner Application. When the conversation is between the CAS server
and the banner app all is well. When the CAS server communicates to the
Banner app, the banner app does not receive SAML data.

So how would one configure CAS to send SAML data in addition to
responding to a saml request?

Really I'm at a dead end here.  
-- 
Erik Mallory
Server Analyst
Wichita State University

On Fri, 2020-07-17 at 20:22 +, 'Mallory, Erik' via CAS Community
wrote:
> 
> 
> So I've increased the logging for the Banner Application I'm trying
> to
> get configured. the Banner application uses SAML 1.1 to communicate.
> CAS hands off the authentication to ADFS and then back to CAS which
> then sends the user back to the Banner Application. CAS is not
> sending
> a SAML response at that time.
> 
> If you open a second tab, and navigate to the application, it sends
> you
> to cas, you're authenticated, so cas sends you back with a SAML
> response and you are able to log in.
> I've attached the application logs if anyone is interested.
> 
> --
> Erik Mallory
> Server Analyst
> Wichita State University
> 
> On Fri, 2020-07-17 at 16:29 +, 'Mallory, Erik' via CAS Community
> wrote:
> > 
> > 
> > Thanks!
> > I'm working with Ellucian now. It's strange to me that it works
> > with
> > just CAS but then does not work when CAS is configured as an ADFS
> > client. It's as if CAS is not speaking SAML for that initial log in
> > but
> > it is speaking SAML for subsequent logins.
> > 
> > --
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> > 
> > On Thu, 2020-07-16 at 22:29 +, Ray Bon wrote:
> > > 
> > > Erik,
> > > 
> > > Our Banner setup uses SAML 1.1. During the log in request it is
> > > /cas/login?TARGET=blah/banner/applicationnavigator
> > > 'service' is used for CAS protocol. Check your banner setup.
> > > 
> > > Ray
> > > 
> > > On Thu, 2020-07-16 at 21:07 +, 'Mallory, Erik' via CAS
> > > Community
> > > wrote:
> > > > Hello I think I've narrowed the problem and I *think* it's on
> > > > the
> > > > application side... but... is there any way to control the
> > > > source
> > > > parameter that we see below in the logs. If I could configure
> > > > cas
> > > > to
> > > > always send source=TARGET I think this configuration would work
> > > > for
> > > > the
> > > > banner apps.
> > > > 
> > > > > Log from initial login which produces "Invalid login/access
> > > > denied"
> > > >  > > > [
> > > > org.apereo.cas.authentication.principal.DefaultResponse@323ac4df
> > > > ]
> > > > for
> > > > [AbstractWebApplicationService(id=
> > > > 
> > > > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > > > 
> > > > , originalUrl=
> > > > 
> > > > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > > > 
> > > > , artifactId=null, principal=f282c439, source=service,
> > > > loggedOutAlready=false, format=XML, attributes={})]>
> > > > ^^ Invalid login access denied.
> > > > 
> > > > > Log from an established CAS/ADFS session gaining access to
> > > > the
> > > > application
> > > > 
> > > >  > > > 
> > > > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > > > 
> > > > , originalUrl=
> > > > 
> > > > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > > > 
> > > > , artifactId=null, principal=f282c439, source=TARGET,
> > > > loggedOutAlready=false, format=XML, attributes={})] from

Re: [cas-user] CAS 6.1.7 ADFS Client Banner Applications

2020-07-17 Thread 'Mallory, Erik' via CAS Community
Thanks!
I'm working with Ellucian now. It's strange to me that it works with
just CAS but then does not work when CAS is configured as an ADFS
client. It's as if CAS is not speaking SAML for that initial log in but
it is speaking SAML for subsequent logins.

-- 
Erik Mallory
Server Analyst
Wichita State University

On Thu, 2020-07-16 at 22:29 +, Ray Bon wrote:
> 
> Erik,
> 
> Our Banner setup uses SAML 1.1. During the log in request it is
> /cas/login?TARGET=blah/banner/applicationnavigator
> 'service' is used for CAS protocol. Check your banner setup.
> 
> Ray
> 
> On Thu, 2020-07-16 at 21:07 +, 'Mallory, Erik' via CAS Community
> wrote:
> > Hello I think I've narrowed the problem and I *think* it's on the
> > application side... but... is there any way to control the source
> > parameter that we see below in the logs. If I could configure cas
> > to
> > always send source=TARGET I think this configuration would work for
> > the
> > banner apps.
> > 
> > Log from initial login which produces "Invalid login/access denied"
> >  > [org.apereo.cas.authentication.principal.DefaultResponse@323ac4df]
> > for
> > [AbstractWebApplicationService(id=
> >  
> > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > 
> > , originalUrl=
> >  
> > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > 
> > , artifactId=null, principal=f282c439, source=service,
> > loggedOutAlready=false, format=XML, attributes={})]>
> > ^^ Invalid login access denied.
> > 
> > Log from an established CAS/ADFS session gaining access to the
> > application 
> > 
> >  >  
> > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > 
> > , originalUrl=
> >  
> > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > 
> > , artifactId=null, principal=f282c439, source=TARGET,
> > loggedOutAlready=false, format=XML, attributes={})] from the
> > context>
> > ^^ works
> > 
> > In the applications there is a groovy file with a parameter 
> > 
> > serviceParameter = 'TARGET' 
> > 
> > I tried changing it to 'service' but had no luck. 
> > -- 
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> > 
> 
>  -- 
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
> 
> I respectfully acknowledge that my place of work is located within
> the ancestral, traditional and unceded territory of the Songhees,
> Esquimalt and WSÁNEĆ Nations.



[cas-user] CAS 6.1.7 ADFS Client Banner Applications

2020-07-16 Thread 'Mallory, Erik' via CAS Community
Hello I think I've narrowed the problem and I *think* it's on the
application side... but... is there any way to control the source
parameter that we see below in the logs. If I could configure cas to
always send source=TARGET I think this configuration would work for the
banner apps.

Log from initial login which produces "Invalid login/access denied"
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, originalUrl=
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, artifactId=null, principal=f282c439, source=service,
loggedOutAlready=false, format=XML, attributes={})]>
^^ Invalid login access denied.

Log from an established CAS/ADFS session gaining access to the
application 

https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, originalUrl=
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, artifactId=null, principal=f282c439, source=TARGET,
loggedOutAlready=false, format=XML, attributes={})] from the context>
^^ works

In the applications there is a groovy file with a parameter 

serviceParameter = 'TARGET' 

I tried changing it to 'service' but had no luck. 
-- 
Erik Mallory
Server Analyst
Wichita State University
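
Added example, not part of the original post and not CAS code: a log check for the symptom described above, where the same service and principal are redirected once with source=service and once with source=TARGET. The sample log, host names, principals and function names are constructed; reading `source` as the request parameter the service was taken from follows Ray Bon's reply in this thread (TARGET for SAML 1.1, 'service' for the CAS protocol) and is an assumption about these log lines.

```python
import re
from collections import defaultdict

# A record starts at a line beginning with a CAS-style timestamp; wrapped
# continuation lines (as in the mail above) belong to the previous record.
RECORD_START = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )")
SERVICE_BODY = re.compile(r"AbstractWebApplicationService\((.*?)\)\]", re.DOTALL)
# Values may sit on the next line after '=' when the log was hard-wrapped.
FIELD = re.compile(r"\b(id|originalUrl|principal|source|format)=\s*([^,\s]+)")


def parse_redirects(log_text):
    """Return one dict per log record that carries a service descriptor."""
    events = []
    for record in RECORD_START.split(log_text):
        body = SERVICE_BODY.search(record)
        if not body:
            continue
        fields = dict(FIELD.findall(body.group(1)))
        if "id" in fields and "source" in fields:
            fields["timestamp"] = record[:23]
            events.append(fields)
    return events


def source_flips(events):
    """Group by (service id, principal); keep groups whose source value changed."""
    seen = defaultdict(list)
    for e in events:
        seen[(e["id"], e.get("principal"))].append((e["timestamp"], e["source"]))
    return {k: v for k, v in seen.items() if len({s for _, s in v}) > 1}


def saml11_mismatches(events, saml11_service_prefixes):
    """Redirects to a SAML 1.1 service that were not built from TARGET."""
    prefixes = tuple(saml11_service_prefixes)
    return [e for e in events
            if e["id"].startswith(prefixes) and e["source"] != "TARGET"]


# ---- constructed sample input (placeholder hosts and principals) ----
BANNER = "https://banner.example.edu/applicationNavigator/j_spring_cas_security_check"
BLOG = "https://blog.example.edu/wp-login.php"


def _record(ts, url, principal, source):
    return (f"{ts} DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - "
            f"<constructed message [AbstractWebApplicationService(id={url}, "
            f"originalUrl={url}, artifactId=null, principal={principal}, "
            f"source={source}, loggedOutAlready=false, format=XML, "
            f"attributes={{}})] via event [redirect]>\n")


# First record is hard-wrapped the way the mail client wrapped the real one.
WRAPPED = f"""\
2020-07-01 14:41:02,101 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
<constructed message [AbstractWebApplicationService(id=
{BANNER}
, originalUrl=
{BANNER}
, artifactId=null, principal=user0001, source=service,
loggedOutAlready=false, format=XML, attributes={{}})] via event
[redirect]>
"""

SAMPLE_LOG = (
    WRAPPED
    + _record("2020-07-01 14:43:10,550", BANNER, "user0001", "TARGET")
    + _record("2020-07-01 14:50:00,000", BLOG, "user0002", "service")
    + _record("2020-07-01 14:55:30,250", BLOG, "user0002", "service")
)

if __name__ == "__main__":
    events = parse_redirects(SAMPLE_LOG)
    for (service, principal), history in source_flips(events).items():
        print(f"source changed for {principal} -> {service}")
        for ts, source in history:
            print(f"  {ts}  source={source}")
    for e in saml11_mismatches(events, ["https://banner.example.edu/"]):
        print(f"SAML 1.1 service redirected with source={e['source']} at {e['timestamp']}")
```
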



Re: [cas-user] Integrating CAS 6.1 as ADFS client

2020-07-09 Thread 'Mallory, Erik' via CAS Community
Sorry to bother you all with this. I'm out of ideas here. Again, any
help would be greatly appreciated. If anyone has a working config for a
CAS as ADFS client I'd love to see it. I'd also like to know if there
are changes elsewhere in the config that I need to make. I attempted to
configure a wordpress blog to use the authorizer plugin. I get routed
through cas to ADFS where I log in, then I get routed back to the app
which routes me back to a cas logout page.
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University

On Thu, 2020-07-02 at 19:25 +, 'Mallory, Erik' via CAS Community
wrote:
> 
> 
> as I go through the debug looking for differences I've noticed that
> on
> the initial session cas does not send a SAML response to the
> application.
> The second session does send a saml response.
> Why would that be?
> 
> --
> Erik Mallory
> Server Analyst
> Wichita State University
> 
> On Wed, 2020-07-01 at 21:43 +, 'Mallory, Erik' via CAS Community
> wrote:
> > 
> > 
> > I discovered that if I open a second tab I can get logged into the
> > banner app just fine. Here's what I did:
> > I browse to the application I am attempting to authenticate to. I
> > get
> > redirected to cas which redirects me to ADFS where I enter my
> > credentials and then get passed to cas and then to the application.
> > I
> > get a "user/login denied invalid username/password" message from
> > the
> > application. I open a second browser tab and point it at the
> > application and voilà, I'm in. It works.
> > The only real difference I see in the logs is
> >  DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
> >  > [AbstractWebApplicationService(id=
> > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > , originalUrl=
> > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > , artifactId=null, principal=f282c439, source=service,
> > loggedOutAlready=false, format=XML, attributes={})] via event
> > [redirect]>
> > 
> > DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
> >  > [AbstractWebApplicationService(id=
> > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > , originalUrl=
> > https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> > , artifactId=null, principal=f282c439, source=TARGET,
> > loggedOutAlready=false, format=XML, attributes={})] via event
> > [redirect]>
> >  Again, any help would be greatly appreciated.
> > 
> > --
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> > 
> > On Wed, 2020-07-01 at 20:25 +, 'Mallory, Erik' via CAS
> > Community
> > wrote:
> > > 
> > > 
> > > Hello,
> > > My institution would like to make cas a client of ADFS. I started
> > > working through the config and it mostly works EXCEPT passing the
> > > banner UDC_IDENTIFIER to a Banner application.
> > > Here is the relevant config for adfs:
> > > 
> > > cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
> > > cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
> > > cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
> > > #cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
> > > cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
> > > cas.authn.wsfed[0].identityAttribute=upn
> > > cas.authn.wsfed[0].attributesType=BOTH
> > > #cas.authn.wsfed[0].attributesType=WSFED
> > > cas.authn.wsfed[0].tolerance=1
> > > cas.authn.wsfed[0].attributeResolverEnabled=true
> > > cas.authn.wsfed[0].autoRedirect=true
> > > cas.authn.wsfed[0].name=
> > > cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/

Re: [cas-user] Integrating CAS 6.1 as ADFS client

2020-07-02 Thread 'Mallory, Erik' via CAS Community
as I go through the debug looking for differences I've noticed that on
the initial session cas does not send a SAML response to the
application.
The second session does send a saml response. 
Why would that be?

-- 
Erik Mallory
Server Analyst
Wichita State University

On Wed, 2020-07-01 at 21:43 +, 'Mallory, Erik' via CAS Community
wrote:
> 
> 
> I discovered that if I open a second tab I can get logged into the
> banner app just fine. Here's what I did:
> I browse to the application I am attempting to authenticate to. I get
> redirected to cas which redirects me to ADFS where I enter my
> credentials and then get passed to cas and then to the application. I
> get a "user/login denied invalid username/password" message from the
> application. I open a second browser tab and point it at the
> application and voilà, I'm in. It works.
> The only real difference I see in the logs is
>  DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
>  [AbstractWebApplicationService(id=
> https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> , originalUrl=
> https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> , artifactId=null, principal=f282c439, source=service,
> loggedOutAlready=false, format=XML, attributes={})] via event
> [redirect]>
> 
> DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
>  [AbstractWebApplicationService(id=
> https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> , originalUrl=
> https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> , artifactId=null, principal=f282c439, source=TARGET,
> loggedOutAlready=false, format=XML, attributes={})] via event
> [redirect]>
>  Again, any help would be greatly appreciated.
> 
> --
> Erik Mallory
> Server Analyst
> Wichita State University
> 
> On Wed, 2020-07-01 at 20:25 +, 'Mallory, Erik' via CAS Community
> wrote:
> > 
> > 
> > Hello,
> > My institution would like to make cas a client of ADFS. I started
> > working through the config and it mostly works EXCEPT passing the
> > banner UDC_IDENTIFIER to a Banner application.
> > Here is the relevant config for adfs:
> > 
> > cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
> > cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
> > cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
> > #cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
> > cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
> > cas.authn.wsfed[0].identityAttribute=upn
> > cas.authn.wsfed[0].attributesType=BOTH
> > #cas.authn.wsfed[0].attributesType=WSFED
> > cas.authn.wsfed[0].tolerance=1
> > cas.authn.wsfed[0].attributeResolverEnabled=true
> > cas.authn.wsfed[0].autoRedirect=true
> > cas.authn.wsfed[0].name=
> > cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
> > cas.authn.wsfed[0].principal.principalAttribute=upn
> > cas.authn.wsfed[0].principal.returnNull=false
> > 
> > # Private/Public keypair used to decrypt assertions, if any.
> > cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
> > cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
> > #cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
> > 
> > here is the groovy script
> > import org.apereo.cas.*
> > import java.util.*
> > import org.apereo.cas.authentication.*
> > 
> > def Map run(final Object... args) {
> >     def attributes = args[0]
> >     def logger = args[1]
> >     logger.warn("Mutating attributes {}", attributes)
> >     return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
> > }
> > 
> > The service is configured to use the principal as UDC_IDENTIFIER,
> > and
> > this configuration works for "regular" CAS logins.
> > 
> > I noticed these differences in the CAS logs between &quo

Re: [cas-user] Integrating CAS 6.1 as ADFS client

2020-07-01 Thread 'Mallory, Erik' via CAS Community
I discovered that if I open a second tab I can get logged into the
banner app just fine. Here's what I did:
I browse to the application I am attempting to authenticate to. I get
redirected to cas which redirects me to ADFS where I enter my
credentials and then get passed to cas and then to the application. I
get a "user/login denied invalid username/password" message from the
application. I open a second browser tab and point it at the
application and voilà, I'm in. It works.
The only real difference I see in the logs is 
 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, originalUrl=
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, artifactId=null, principal=f282c439, source=service,
loggedOutAlready=false, format=XML, attributes={})] via event
[redirect]>

DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, originalUrl=
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, artifactId=null, principal=f282c439, source=TARGET,
loggedOutAlready=false, format=XML, attributes={})] via event
[redirect]>
 Again, any help would be greatly appreciated.

-- 
Erik Mallory
Server Analyst
Wichita State University

On Wed, 2020-07-01 at 20:25 +, 'Mallory, Erik' via CAS Community
wrote:
> 
> 
> Hello,
> My institution would like to make cas a client of ADFS. I started
> working through the config and it mostly works EXCEPT passing the
> banner UDC_IDENTIFIER to a Banner application.
> Here is the relevant config for adfs:
> 
> cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
> cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
> cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
> #cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
> cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
> cas.authn.wsfed[0].identityAttribute=upn
> cas.authn.wsfed[0].attributesType=BOTH
> #cas.authn.wsfed[0].attributesType=WSFED
> cas.authn.wsfed[0].tolerance=1
> cas.authn.wsfed[0].attributeResolverEnabled=true
> cas.authn.wsfed[0].autoRedirect=true
> cas.authn.wsfed[0].name=
> cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
> cas.authn.wsfed[0].principal.principalAttribute=upn
> cas.authn.wsfed[0].principal.returnNull=false
> 
> # Private/Public keypair used to decrypt assertions, if any.
> cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
> cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
> #cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
> 
> here is the groovy script
> import org.apereo.cas.*
> import java.util.*
> import org.apereo.cas.authentication.*
> 
> def Map run(final Object... args) {
> def attributes = args[0]
> def logger = args[1]
> logger.warn("Mutating attributes {}", attributes)
> return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
> }
> 
> The service is configured to use the principal as UDC_IDENTIFIER, and
> this configuration works for "regular" CAS logins.
> 
> I noticed these differences in the CAS logs between "regular" cas
> auth
> and ADFS Client auth.
> 
> 2:41 PM
> 
>  ADFS
> 
> DEBUG
> [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEve
> nt
> Resolver] -  [AbstractWebApplicationService(id=
> https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> , originalUrl=
> https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> , artifactId=null, principal=null, source=service,
> loggedOutAlready=false, format=XML, attributes={})] using
> [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>
> reg cas...2020-07-01 14:16:12,807 DEBUG
> [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
> 
> reg cas
> 
>  DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
>  [org.apereo.cas.support.saml.authentication.principal.SamlServiceResp
> on
> seBuilder@71d2261e] for [AbstractWebApplicationService(id=
> https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
> , originalUrl=
> https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check

[cas-user] Integrating CAS 6.1 as ADFS client

2020-07-01 Thread 'Mallory, Erik' via CAS Community
Hello,
My institution would like to make cas a client of ADFS. I started
working through the config and it mostly works EXCEPT passing the
banner UDC_IDENTIFIER to a Banner application.
Here is the relevant config for adfs:

cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
#cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
cas.authn.wsfed[0].identityAttribute=upn
cas.authn.wsfed[0].attributesType=BOTH
#cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].tolerance=1
cas.authn.wsfed[0].attributeResolverEnabled=true
cas.authn.wsfed[0].autoRedirect=true
cas.authn.wsfed[0].name=
cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
cas.authn.wsfed[0].principal.principalAttribute=upn
cas.authn.wsfed[0].principal.returnNull=false

# Private/Public keypair used to decrypt assertions, if any.
cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
#cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE

here is the groovy script
import org.apereo.cas.*
import java.util.*
import org.apereo.cas.authentication.*

def Map run(final Object... args) {
    def attributes = args[0]
    def logger = args[1]
    logger.warn("Mutating attributes {}", attributes)
    return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
}

The service is configured to use the principal as UDC_IDENTIFIER, and
this configuration works for "regular" CAS logins.

I noticed these differences in the CAS logs between "regular" cas auth
and ADFS Client auth.

2:41 PM

 ADFS

DEBUG
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEvent
Resolver] - https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, originalUrl=
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, artifactId=null, principal=null, source=service,
loggedOutAlready=false, format=XML, attributes={})] using
[DefaultMultifactorAuthenticationProviderWebflowEventResolver]>
reg cas...2020-07-01 14:16:12,807 DEBUG
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - 

reg cas

 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, originalUrl=
https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check
, artifactId=null, principal=f282c439, source=TARGET,
loggedOutAlready=false, format=XML, attributes={})]>

Looks like the principal is not making it to the banner application in
the ADFS config.
Any help would be greatly appreciated.

-- 
Erik Mallory
Server Analyst
Wichita State University

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c87084b75a940a6aa31e3c76fa1206c97133d645.camel%40wichita.edu.


Re: [cas-user] Passvators and Connection Strategy 6.1.6

2020-05-22 Thread 'Mallory, Erik' via CAS Community
I found more log info in our test environment concerning the inability
of CAS to switch to an active AD DC with my configuration.

2020-05-22 09:07:07,607 ERROR
[org.ldaptive.pool.BlockingConnectionPool] - <[
org.ldaptive.pool.BlockingConnectionPool@1704234754::name=null,
poolConfig=[org.ldaptive.pool.PoolConfig@796
4874::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false,
validateOnCheckOut=true, validatePeriodically=true,
validatePeriod=PT5M, validateTimeout=PT5S], activator=null, passivator=
[org.ldaptive.pool.BindPassivator@697150633::bindRequest=[
org.ldaptive.BindRequest@266593343::bindDn=CN=casldapper,CN=Managed
Service Accounts,DC=ad,DC=wichita,DC=edu, saslConfig=null, 
controls=null, referralHandler=null,
intermediateResponseHandlers=null]], validator=[
org.ldaptive.pool.SearchValidator@1322157662::searchRequest=[
org.ldaptive.SearchRequest@1100233085::
baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(ob
jectClass=*), parameters={}], returnAttributes=[1.1],
searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliase
s=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED,
searchEntryHandlers=null,
searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$Se
archReferenceHan
dler@2bd6895], controls=null, 
referralHandler=org.ldaptive.referral.SearchReferralHandler@6c05228e,
intermediateResponseHandlers=null]]
pruneStrategy=[org.ldaptive.pool.IdlePruneStrateg
y@85268059::prunePeriod=PT2H, idleTime=PT10M], connectOnCreate=true,
connectionFactory=[org.ldaptive.DefaultConnectionFactory@1223536490::pr
ovider=org.ldaptive.provider.unboundid.Unboun
dIDProvider@376345b,
config=[org.ldaptive.ConnectionConfig@1176659945::ldapUrl=ldaps://dcsvc
-300.ad.wichita.edu ldaps://dcsvc-307.ad.wichita.edu
ldaps://latitude.ad.wichita.edu ldaps://
longitude.ad.wichita.edu, connectTimeout=PT3M20S, responseTimeout=PT5S,
sslConfig=[org.ldaptive.ssl.SslConfig@1806177976::credentialConfig=null
, trustManagers=null, hostnameVerifier=org
.ldaptive.ssl.DefaultHostnameVerifier@4e9b6258,
hostnameVerifierConfig=null, enabledCipherSuites=null,
enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true,
useStartTLS
=false, connectionInitializer=[
org.ldaptive.BindConnectionInitializer@2088588092::bindDn=CN=casldapper
,CN=Managed Service Accounts,DC=ad,DC=wichita,DC=edu,
bindSaslConfig=null, bindCont
rols=null], 
connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy@29b56e75
]], initialized=true, availableCount=0, activeCount=0] unable to
connect to the ldap>
org.ldaptive.LdapException: LDAPException(resultCode=49 (invalid
credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090436,
comment: AcceptSecurityContext error, data 52e, v4563
^@', ldapSDKVersion=4.0.12,
revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28

Please advise.
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University


On Mon, 2020-05-18 at 22:35 -0400, Daniel Fisher wrote:
> On Mon, May 18, 2020 at 12:22 PM 'Mallory, Erik' via CAS Community <
> cas-user@apereo.org> wrote:
> > Could someone confirm and explain the relationship (if any) of
> > passivators to the connection strategy configuration options? 
> 
> Passivators are executed when a connection is returned to the pool.
> The connection strategy defines how multiple URLs should be handled
> when a connection is opened.
> 
> What do your logs say when the domain controller is rebooted?
> 
> --Daniel Fisher



Re: [cas-user] Passvators and Connection Strategy 6.1.6

2020-05-22 Thread 'Mallory, Erik' via CAS Community
Okay this just happened a few moments ago.. The DCs needed an emergency
reboot and cas did not handle it as I would expect.
I'd expect CAS to switch to another DC when an LDAP server/connection
error occurs.

Below is the error:
2020-05-22 09:25:22,736 ERROR
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<[WSUAD]: [Unexpected LDAP error / LDAPException(resultCode=1
(operations error), numEntries=0, numReferences=0,
diagnosticMessage='04DC: LdapErr: DSID-0C090A59, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, v4563', ldapSDKVersion=4.0.12,
revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28')]>

Below is the relevant config.

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://dcsvc-300.ad.wichita.edu ldaps://dcsvc-307.ad.wichita.edu ldaps://latitude.ad.wichita.edu ldaps://longitude.ad.wichita.edu
cas.authn.ldap[0].bindDn=CN=NOPE
cas.authn.ldap[0].bindCredential=secret
cas.authn.ldap[0].baseDn=ou=Wichita State University,dc=ad,dc=wichita,dc=edu
cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].dnFormat=%s...@wichita.edu
cas.authn.ldap[0].principalAttributeId=sAMAccountName

I'd super appreciate some guidance here.
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University

On Mon, 2020-05-18 at 22:35 -0400, Daniel Fisher wrote:
> On Mon, May 18, 2020 at 12:22 PM 'Mallory, Erik' via CAS Community <
> cas-user@apereo.org> wrote:
> > Could someone confirm and explain the relationship (if any) of
> > passivators to the connection strategy configuration options? 
> > 
> 
> Passivators are executed when a connection is returned to the pool.
> The connection strategy defines how multiple URLs should be handled
> when a connection is opened.
> 
> What do your logs say when the domain controller is rebooted?
> 
> --Daniel Fisher
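
Added example (not part of the original messages, and not CAS or ldaptive code): a small triage helper for the two LDAPException strings quoted in the messages above. It undoes the mail line wrapping, pulls out resultCode, DSID and the Active Directory "data" sub-code, and separates a rejected bind (resultCode=49) from a request sent on a connection that never completed a bind (resultCode=1). The function and constant names are assumptions made for this example.

```python
import re

# Sub-status codes Active Directory puts in the "data NNN" field of a failed bind.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

RESULT_RE = re.compile(r"resultCode=(\d+)\s*\(([^)]*)\)")
AD_DIAG_RE = re.compile(
    r"LdapErr:\s*DSID-([0-9A-Fa-f]+),\s*comment:\s*(.*?),\s*data\s+([0-9A-Fa-f]+)"
)

# Excerpts of the two errors quoted in the thread, mail line wrapping kept.
POOL_ERROR = """org.ldaptive.LdapException: LDAPException(resultCode=49 (invalid
credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090436,
comment: AcceptSecurityContext error, data 52e, v4563"""

LOGIN_ERROR = """<[WSUAD]: [Unexpected LDAP error / LDAPException(resultCode=1
(operations error), numEntries=0, numReferences=0,
diagnosticMessage='04DC: LdapErr: DSID-0C090A59, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, v4563', ldapSDKVersion=4.0.12"""

# Constructed sample, not from the thread: the same bind failure for a locked account.
LOCKED_ERROR = (
    "LDAPException(resultCode=49 (invalid credentials), "
    "diagnosticMessage='80090308: LdapErr: DSID-0C090436, "
    "comment: AcceptSecurityContext error, data 775, v4563')"
)


def triage(text):
    """Describe one LDAPException string; return None when none is present."""
    flat = " ".join(text.split())  # undo mail/log line wrapping
    result = RESULT_RE.search(flat)
    if result is None:
        return None
    info = {
        "result_code": int(result.group(1)),
        "result_name": result.group(2),
        "dsid": None,
        "comment": "",
        "data": None,
    }
    diag = AD_DIAG_RE.search(flat)
    if diag:
        info["dsid"] = diag.group(1).upper()
        info["comment"] = diag.group(2)
        info["data"] = diag.group(3).lower()

    if info["result_code"] == 49:
        # The server was reachable and answered: it refused the bind itself.
        info["category"] = "bind-rejected"
        info["meaning"] = AD_BIND_SUBCODES.get(
            info["data"], f"unlisted sub-code {info['data']}"
        )
    elif info["result_code"] == 1 and "successful bind must be completed" in info["comment"]:
        # The request arrived on a connection with no authenticated bind.
        info["category"] = "unbound-connection"
        info["meaning"] = "request sent on a connection that has no authenticated bind"
    else:
        info["category"] = "other"
        info["meaning"] = info["result_name"]
    return info


if __name__ == "__main__":
    for sample in (POOL_ERROR, LOGIN_ERROR, LOCKED_ERROR):
        r = triage(sample)
        print(r["result_code"], r["category"], r["data"], "->", r["meaning"])
```

Both errors from the thread are answers from a reachable domain controller, so they point at the bind state of the connection rather than at an unreachable host.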



[cas-user] Passvators and Connection Strategy 6.1.6

2020-05-18 Thread 'Mallory, Erik' via CAS Community
Hello,
Currently we are running CAS 6.1.6 and we have a problem when we reboot
a domain controller. It would appear that the ldap connection is not
failing to the second DC in the list causing logins to fail. We have
four DCs. CAS is configured to use all 4 with a connection strategy
of ACTIVE_PASSIVE and passivators are set to none.

Could someone confirm and explain the relationship (if any) of
passivators to the connection strategy configuration options? 
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University



[cas-user] Viewing Current SSO Sessions CAS 6.1.x

2020-05-15 Thread 'Mallory, Erik' via CAS Community
Hello, 
I've set up our cas environments to use the CAS Boot Admin Server in
hopes that I would be able to see SSO Session information. I navigate to
the Sessions page and I do not see anything.
Our environment is configured with three CAS nodes behind a netscaler
so I have each of the three nodes configured to communicate with the
Spring Boot Admin Server. On none of them do I see any session
information.
I'm sure I'm missing some small configuration option. Speaking of
options, here's what I have enabled in CAS

management.endpoints.web.exposure.include=*
management.endpoints.enabled-by-default=true
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS

If anyone can point out the error of my ways I'd be grateful.
Thanks,
-- 
Erik Mallory
Server Analyst
Wichita State University
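
Added example (not part of the original message, and not CAS code): a properties check that flags the combination posted above, where every actuator endpoint is exposed over the web and the CAS default access rule is ANONYMOUS. The NARROWED sample is a constructed assumption for comparison, and treating a missing defaults.access as DENY is also an assumption of this sketch.

```python
OPEN_ACCESS = {"ANONYMOUS", "PERMIT"}
ACCESS_PREFIX = "cas.monitor.endpoints.endpoint."

# The three settings from the message above.
POSTED = """\
management.endpoints.web.exposure.include=*
management.endpoints.enabled-by-default=true
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
"""

# Constructed comparison (assumption, not from the thread): expose only the
# SSO sessions endpoint and require an authenticated caller for it.
NARROWED = """\
management.endpoint.ssoSessions.enabled=true
management.endpoints.web.exposure.include=ssoSessions
cas.monitor.endpoints.endpoint.defaults.access=DENY
cas.monitor.endpoints.endpoint.ssoSessions.access=AUTHENTICATED
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def effective_access(props, endpoint):
    """Per-endpoint rule if present, else the defaults rule, else DENY (assumed)."""
    default = props.get(ACCESS_PREFIX + "defaults.access", "DENY")
    return props.get(ACCESS_PREFIX + endpoint + ".access", default).upper()


def audit(props):
    """Return a list of finding strings for risky actuator exposure."""
    findings = []
    include = {
        name.strip()
        for name in props.get("management.endpoints.web.exposure.include", "").split(",")
        if name.strip()
    }
    wildcard = "*" in include
    if wildcard:
        findings.append("exposure-wildcard")
    if props.get("management.endpoints.enabled-by-default", "").lower() == "true":
        findings.append("enabled-by-default")

    if wildcard:
        # Everything is exposed: check the defaults rule and every named rule.
        named = {
            key[len(ACCESS_PREFIX):-len(".access")]
            for key in props
            if key.startswith(ACCESS_PREFIX) and key.endswith(".access")
        }
        candidates = sorted(named | {"defaults"})
    else:
        candidates = sorted(include)

    for endpoint in candidates:
        if effective_access(props, endpoint) in OPEN_ACCESS:
            findings.append("open-access:" + endpoint)
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("narrowed", NARROWED)):
        print(label, audit(parse_properties(text)))
```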



[cas-user] CAS 6.1.0-RC6 startup error

2019-09-26 Thread 'Mallory, Erik' via CAS Community
Hello, I’m still having issues, a bit different from yesterday, but I am unable 
to start a fresh build of CAS 6.1.0-RC6

CAS Version: 6.1.0-RC6-SNAPSHOT
CAS Branch: master
CAS Commit Id: 23d66983c360f0ecaa444a1f6880b85a631ec1a5
CAS Build Date/Time: 2019-09-25T12:03:42Z
Spring Boot Version: 2.2.0.M6
Spring Version: 5.2.0.RC2
Java Home: /usr/lib/jvm/java-11-openjdk-11.0.4.11-1.el7_7.x86_64
Java Vendor: Oracle Corporation
Java Version: 11.0.4
JVM Free Memory: 119 MB
JVM Maximum Memory: 948 MB
JVM Total Memory: 256 MB
JCE Installed: Yes
OS Architecture: amd64
OS Name: Linux
OS Version: 3.10.0-1062.1.1.el7.x86_64
OS Date/Time: 2019-09-26T10:54:25.948103
OS Temp Directory: /tmp

Apache Tomcat Version: Apache Tomcat/9.0.26


It would appear that the embedded tomcat is having trouble loading the 
keystore. Did something change with how the keystore is configured?

Exception in thread "main" java.lang.reflect.InvocationTargetException
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
   at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
   at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
   at org.springframework.boot.loader.Launcher.launch(Launcher.java:51)
   at org.springframework.boot.loader.WarLauncher.main(WarLauncher.java:58)
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
   at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:215)
   at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:297)
   at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:163)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552)
   at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141)
   at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:747)
   at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397)
   at org.springframework.boot.SpringApplication.run(SpringApplication.java:315)
   at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:140)
   at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:80)
   ... 8 more
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
   at org.apache.catalina.core.StandardService.addConnector(StandardService.java:231)
   at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:278)
   at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:197)
   ... 17 more
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
   at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008)
   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
   at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227)
   ... 19 more
Caused by: java.lang.IllegalArgumentException: Stream closed
   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
   at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
   at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
   at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
   at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210)
   at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:585)
   at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005)
   ... 21 more
Caused by: java.io.IOException: Stream closed
   at java.base/java.io.BufferedInputStream.getBufIfOpen(BufferedInputStream.java:176)
   at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:342)
   at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
   at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:271)
   at 

[cas-user] CAS 6.1.0-RC6 run failure

2019-09-25 Thread 'Mallory, Erik' via CAS Community
CAS Version: 6.1.0-RC6-SNAPSHOT
CAS Branch: master
CAS Commit Id: 23d66983c360f0ecaa444a1f6880b85a631ec1a5
CAS Build Date/Time: 2019-09-25T12:03:42Z
Spring Boot Version: 2.2.0.M6
Spring Version: 5.2.0.RC2
Java Home: /usr/lib/jvm/java-11-openjdk-11.0.4.11-1.el7_7.x86_64
Java Vendor: Oracle Corporation
Java Version: 11.0.4
JVM Free Memory: 229 MB
JVM Maximum Memory: 948 MB
JVM Total Memory: 272 MB
JCE Installed: Yes
OS Architecture: amd64
OS Name: Linux
OS Version: 3.10.0-1062.1.1.el7.x86_64
OS Date/Time: 2019-09-25T12:50:51.216267

2019-09-25 12:50:51,314 INFO 
[org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - 

2019-09-25 12:50:51,489 main ERROR Unable to locate appender "casConsole" for logger config "root"
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.hazelcast.internal.networking.nio.SelectorOptimizer (jar:file:/data/cas/bin/cas.war!/WEB-INF/lib/hazelcast-3.12.2.jar!/) to field sun.nio.ch.SelectorImpl.selectedKeys
WARNING: Please consider reporting this to the maintainers of com.hazelcast.internal.networking.nio.SelectorOptimizer
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" java.lang.reflect.InvocationTargetException
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
   at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
   at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
   at org.springframework.boot.loader.Launcher.launch(Launcher.java:51)
   at org.springframework.boot.loader.WarLauncher.main(WarLauncher.java:58)
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
   at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:215)
   at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:297)
   at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:163)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552)
   at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141)
   at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:747)
   at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397)
   at org.springframework.boot.SpringApplication.run(SpringApplication.java:315)
   at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:140)
   at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:80)
   ... 8 more


Erik Mallory
Server Analyst
Wichita State University
316.978.3502



[cas-user] CAS 6.1.0 RC6 build failure

2019-09-24 Thread 'Mallory, Erik' via CAS Community
Looks like something is missing, so gradle is not able to pull the necessary 
files to build…

Could not find org.apereo.cas:cas-server-core-api-ticket:6.1.0-RC6-SNAPSHOT.

 Searched in the following locations:
   - file:/root/.m2/repository/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - file:/root/.m2/repository/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - file:/root/.m2/repository/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar
   - https://repo.maven.apache.org/maven2/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - https://repo.maven.apache.org/maven2/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - https://repo.maven.apache.org/maven2/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar
   - https://jcenter.bintray.com/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - https://jcenter.bintray.com/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - https://jcenter.bintray.com/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar
   - https://oss.sonatype.org/content/repositories/snapshots/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - https://oss.sonatype.org/content/repositories/snapshots/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-20190924.150847-27.pom
   - https://oss.sonatype.org/content/repositories/snapshots/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-20190924.150847-27.jar
   - https://build.shibboleth.net/nexus/content/repositories/releases/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - https://build.shibboleth.net/nexus/content/repositories/releases/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - https://build.shibboleth.net/nexus/content/repositories/releases/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar
   - https://repo.spring.io/milestone/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - https://repo.spring.io/milestone/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - https://repo.spring.io/milestone/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar
   - https://repo.spring.io/snapshot/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - https://repo.spring.io/snapshot/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - https://repo.spring.io/snapshot/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar
   - https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar
   - https://dl.bintray.com/uniconiam/maven/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - https://dl.bintray.com/uniconiam/maven/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - https://dl.bintray.com/uniconiam/maven/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar
   - file:/data/cas/build/cas-overlay-template-6.1/:/jitpack.io/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/maven-metadata.xml
   - file:/data/cas/build/cas-overlay-template-6.1/:/jitpack.io/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.pom
   - file:/data/cas/build/cas-overlay-template-6.1/:/jitpack.io/org/apereo/cas/cas-server-core-api-ticket/6.1.0-RC6-SNAPSHOT/cas-server-core-api-ticket-6.1.0-RC6-SNAPSHOT.jar

 Required by:
 project : > org.apereo.cas:cas-server-support-oidc:6.1.0-RC6-SNAPSHOT:20190924.065426-23

 

[cas-user] CAS 6.1.0 RC6 Stack Overflow Error

2019-09-23 Thread 'Mallory, Erik' via CAS Community
Hello
When I try logging into our Luminis 5 portal as the delivered Luminis admin, I 
get a “cas login failed”. I tailed the cas.log in debug mode and got the error 
below. Really that is about 15% of the error thrown. If I log into luminis as 
an unprivileged user everything works. I’m not sure what the problem would be. The 
luminis admin portal runs on port 8443; that’s the only difference I can think 
of on the luminis side of the fence.


2019-09-23 15:39:17,510 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,510 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,510 DEBUG 
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - 
java.lang.StackOverflowError:null!!!]]
 in the registry. Attempting to resolve attributes for [lumadm]>

2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
https://mywsu-dev.wichita.edu:8443/c/portal/login,
 originalUrl=https://mywsu-dev.wichita.edu:8443/c/portal/login, 
artifactId=null, principal=lumadm, source=service, loggedOutAlready=false, 
format=XML, attributes={})] defined by registered service 
[^(http|https)://mywsu-dev.wichita.edu:8443.*]...>

2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] 
- 

2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - 


2019-09-23 15:39:17,511 DEBUG 
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - 
java.lang.StackOverflowError:null!!!]]
 in the registry. Attempting to resolve attributes for [lumadm]>

2019-09-23 15:39:17,512 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
https://mywsu-dev.wichita.edu:8443/c/portal/login,
 originalUrl=https://mywsu-dev.wichita.edu:8443/c/portal/login, 
artifactId=null, principal=lumadm, source=service, loggedOutAlready=false, 
format=XML, attributes={})] defined by registered service 
[^(http|https)://mywsu-dev.wichita.edu:8443.*]...>

2019-09-23 15:39:17,518 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - https://mywsu-dev.wichita.edu:8443/c/portal/login

ACTION: SERVICE_TICKET_VALIDATE_FAILED

APPLICATION: CAS

WHEN: Mon Sep 23 15:39:17 CDT 2019

CLIENT IP ADDRESS: 10.0.79.19

SERVER IP ADDRESS: 10.0.79.50


[cas-user] Received status code 429 from server: Too Many Requests

2019-09-11 Thread 'Mallory, Erik' via CAS Community
Hello,
I’m trying to build a cas.war and I’m getting 429 errors:

Could not HEAD 
'https://oss.sonatype.org/content/repositories/snapshots/org/apereo/cas/cas-server-core-audit/6.1.0-RC6-SNAPSHOT/cas-server-core-audit-6.1.0-RC6-20190911.130548-10.pom'.
 Received status code 429 from server: Too Many Requests

Is there a workaround?
Thanks,
Erik Mallory
Server Analyst
Wichita State University

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/DF8BBE62-1754-4A7F-920E-790FCC4FBC61%40wichita.edu.


[cas-user] Re: CAS 6.1.0-RC5 gradle build issue

2019-09-06 Thread 'Mallory, Erik' via CAS Community
Never mind. Answered my own question.

Erik Mallory
Server Analyst
Wichita State University


From: Erik Mallory 
Date: Friday, September 6, 2019 at 12:54 PM
To: "cas-user@apereo.org" 
Subject: CAS 6.1.0-RC5 gradle build issue

Hello,
I get the following error when attempting to include DUO MFA in the gradle build

Execution failed for task ':bootWar'.

> Could not resolve all files for configuration ':runtimeClasspath'.

   > Could not resolve net.unicon.iam:duo-client:0.2.2.

 Required by:

 project : > 
org.apereo.cas:cas-server-support-duo:6.1.0-RC5-SNAPSHOT:20190902.034040-116 > 
org.apereo.cas:cas-server-support-duo-core:6.1.0-RC5-SNAPSHOT:20190902.034040-116

  > Could not resolve net.unicon.iam:duo-client:0.2.2.

 > Could not get resource 
'https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.

> Could not HEAD 
'https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
 Received status code 409 from server:

My gradle.build has the following line:

compile "org.apereo.cas:cas-server-support-duo:${project.'cas.version'}"

Thanks
Erik Mallory
Server Analyst
Wichita State University
316.978.3502



[cas-user] CAS 6.1.0-RC5 gradle build issue

2019-09-06 Thread 'Mallory, Erik' via CAS Community
Hello,
I get the following error when attempting to include DUO MFA in the gradle build

Execution failed for task ':bootWar'.

> Could not resolve all files for configuration ':runtimeClasspath'.

   > Could not resolve net.unicon.iam:duo-client:0.2.2.

 Required by:

 project : > 
org.apereo.cas:cas-server-support-duo:6.1.0-RC5-SNAPSHOT:20190902.034040-116 > 
org.apereo.cas:cas-server-support-duo-core:6.1.0-RC5-SNAPSHOT:20190902.034040-116

  > Could not resolve net.unicon.iam:duo-client:0.2.2.

 > Could not get resource 
'https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.

> Could not HEAD 
'https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
 Received status code 409 from server:

My gradle.build has the following line:

compile "org.apereo.cas:cas-server-support-duo:${project.'cas.version'}"

Thanks
Erik Mallory
Server Analyst
Wichita State University
316.978.3502



Re: [cas-user] CAS 6.1-RC4 OIDC configuration

2019-08-28 Thread 'Mallory, Erik' via CAS Community
I did find these…

cd /etc/

[root@appdev-523 etc]# grep -r cas.example *

cas/config/services/RegexRegisteredService-8396761148980578304.json:  
serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*

cas/config/services/RegexRegisteredService-7398083621929947136.json:  
serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*

cas/config/services/RegexRegisteredService-1905997417559537664.json:  
serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*

cas/config/services/RegexRegisteredService-4418765845257222144.json:  
serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*

cas/config/services/RegexRegisteredService-5291673557665746944.json:  
serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*

cas/config/services/RegexRegisteredService-7671336329000167424.json:  
serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*

These are apparently auto-generated. As far as I know I have not configured CAS 
to create these service entries, nor do they show up in the management 
interface.
The time stamps on the files appear to be related to restarts. This may be by 
design. I still can’t find the bit to set the proper server name though.

Thanks,

Erik Mallory
Server Analyst
Wichita State University


From: "'Mallory, Erik' via CAS Community" 
Reply-To: "cas-user@apereo.org" 
Date: Wednesday, August 28, 2019 at 1:03 PM
To: "cas-user@apereo.org" 
Subject: Re: [cas-user] CAS 6.1-RC4 OIDC configuration

I double checked that I didn’t have an errant file somewhere that would 
override the config. I unjarred the cas.war file and grepped for 
cas.example.org JIC.
All settings are loaded from the location below. CAS is running with embedded 
tomcat and is started by systemd.
# The configuration directory where CAS should monitor to locate settings.
spring.cloud.config.server.native.searchLocations=file:///etc/cas/config

/bin/java --add-modules java.se --add-exports 
java.base/jdk.internal.ref=ALL-UNNAMED --add-opens 
java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED 
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens 
java.management/sun.management=ALL-UNNAMED --add-opens 
jdk.management/com.sun.management.internal=ALL-UNNAMED -Dhttp.proxySet=true 
-Dhttps.proxySet=true -Dhttp.proxyHost=proxysvc-501.wichita.edu 
-Dhttps.proxyHost=proxysvc-501.wichita.edu -Dhttp.proxyPort=8080 
-Dhttps.proxyPort=8080 
-Djava.util.logging.config.file=/etc/cas/config/logging.properties -jar 
/data/cas/bin/cas.war

Thanks Again,
Erik Mallory
Server Analyst
Wichita State University
316.978.3502


From:  on behalf of Misagh Moayyed 

Reply-To: "cas-user@apereo.org" 
Date: Wednesday, August 28, 2019 at 3:35 AM
To: CAS Community 
Subject: Re: [cas-user] CAS 6.1-RC4 OIDC configuration

Are you certain your configuration values are not overridden by something else?



On Aug 28, 2019, at 1:30 AM, 'Mallory, Erik' via CAS Community 
<cas-user@apereo.org> wrote:

Yes.
# OpenID Authentication
cas.authn.oidc.issuer=http://cas-dev.wichita.edu/cas/oidc
# Skew ID tokens in minutes
cas.authn.oidc.skew=5

cas.authn.oidc.jwksFile=file:/etc/cas/config/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60

#cas.authn.oidc.dynamicClientRegistrationMode=OPEN|PROTECTED
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED

cas.authn.oidc.subjectTypes=public,pairwise

Erik Mallory
Server Analyst
Wichita State University
316.978.3502


From: <cas-user@apereo.org> on behalf of Misagh 
Moayyed <misagh.moay...@gmail.com>
Reply-To: "cas-user@apereo.org" <cas-user@apereo.org>
Date: Tuesday, August 27, 2019 at 2:59 AM
To: CAS Community <cas-user@apereo.org>
Subject: Re: [cas-user] CAS 6.1-RC4 OIDC configuration

Have you defined an issuer?
https://apereo.github.io/cas/development/configuration/Configuration-Properties.html#openid-connect




On Aug 27, 2019, at 2:23 AM, 'Mallory, Erik' via CAS Community 
<cas-user@apereo.org> wrote:

Hello,
I'm trying to configure oAuth/OIDC and I'm running into a head scratcher.
The CAS oidc/.well-known endpoint returns 
cas.example.org:8443 for all of the related 
endpoints.
Example:
{"issuer":"http://cas-dev.wichita.edu/cas/oidc","scopes_supported":["openid","profile","email","address","phone","offline_access"],"response_types_supported":["code","token","id_token
 
token"],"subject_types_supported":["public","pairwise"],"claim_types_supported":["normal"],"claims_supported":["sub","name","preferred_username","family_name","given_name","middle_name",

Re: [cas-user] CAS 6.1-RC4 OIDC configuration

2019-08-28 Thread 'Mallory, Erik' via CAS Community
I double checked that I didn’t have an errant file somewhere that would 
override the config. I unjarred the cas.war file and grepped for 
cas.example.org JIC.
All settings are loaded from the location below. CAS is running with embedded 
tomcat and is started by systemd.
# The configuration directory where CAS should monitor to locate settings.
spring.cloud.config.server.native.searchLocations=file:///etc/cas/config

/bin/java --add-modules java.se --add-exports 
java.base/jdk.internal.ref=ALL-UNNAMED --add-opens 
java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED 
--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens 
java.management/sun.management=ALL-UNNAMED --add-opens 
jdk.management/com.sun.management.internal=ALL-UNNAMED -Dhttp.proxySet=true 
-Dhttps.proxySet=true -Dhttp.proxyHost=proxysvc-501.wichita.edu 
-Dhttps.proxyHost=proxysvc-501.wichita.edu -Dhttp.proxyPort=8080 
-Dhttps.proxyPort=8080 
-Djava.util.logging.config.file=/etc/cas/config/logging.properties -jar 
/data/cas/bin/cas.war

Thanks Again,
Erik Mallory
Server Analyst
Wichita State University
316.978.3502


From:  on behalf of Misagh Moayyed 

Reply-To: "cas-user@apereo.org" 
Date: Wednesday, August 28, 2019 at 3:35 AM
To: CAS Community 
Subject: Re: [cas-user] CAS 6.1-RC4 OIDC configuration

Are you certain your configuration values are not overridden by something else?


On Aug 28, 2019, at 1:30 AM, 'Mallory, Erik' via CAS Community 
<cas-user@apereo.org> wrote:

Yes.
# OpenID Authentication
cas.authn.oidc.issuer=http://cas-dev.wichita.edu/cas/oidc
# Skew ID tokens in minutes
cas.authn.oidc.skew=5

cas.authn.oidc.jwksFile=file:/etc/cas/config/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60

#cas.authn.oidc.dynamicClientRegistrationMode=OPEN|PROTECTED
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED

cas.authn.oidc.subjectTypes=public,pairwise

Erik Mallory
Server Analyst
Wichita State University
316.978.3502


From: <cas-user@apereo.org> on behalf of Misagh 
Moayyed <misagh.moay...@gmail.com>
Reply-To: "cas-user@apereo.org" <cas-user@apereo.org>
Date: Tuesday, August 27, 2019 at 2:59 AM
To: CAS Community <cas-user@apereo.org>
Subject: Re: [cas-user] CAS 6.1-RC4 OIDC configuration

Have you defined an issuer?
https://apereo.github.io/cas/development/configuration/Configuration-Properties.html#openid-connect



On Aug 27, 2019, at 2:23 AM, 'Mallory, Erik' via CAS Community 
<cas-user@apereo.org> wrote:

Hello,
I'm trying to configure oAuth/OIDC and I'm running into a head scratcher.
The CAS oidc/.well-known endpoint returns 
cas.example.org:8443 for all of the related 
endpoints.
Example:
{"issuer":"http://cas-dev.wichita.edu/cas/oidc","scopes_supported":["openid","profile","email","address","phone","offline_access"],"response_types_supported":["code","token","id_token
 
token"],"subject_types_supported":["public","pairwise"],"claim_types_supported":["normal"],"claims_supported":["sub","name","preferred_username","family_name","given_name","middle_name","given_name","profile","picture","nickname","website","zoneinfo","locale","updated_at","birthdate","email","email_verified","phone_number","phone_number_verified","address","gender"],"grant_types_supported":["authorization_code","password","client_credentials","refresh_token"],"id_token_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"id_token_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"id_token_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"userinfo_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","H

Re: [cas-user] CAS 6.1-RC4 OIDC configuration

2019-08-27 Thread 'Mallory, Erik' via CAS Community
Yes.
# OpenID Authentication
cas.authn.oidc.issuer=http://cas-dev.wichita.edu/cas/oidc
# Skew ID tokens in minutes
cas.authn.oidc.skew=5

cas.authn.oidc.jwksFile=file:/etc/cas/config/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60

#cas.authn.oidc.dynamicClientRegistrationMode=OPEN|PROTECTED
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED

cas.authn.oidc.subjectTypes=public,pairwise

Erik Mallory
Server Analyst
Wichita State University
316.978.3502


From:  on behalf of Misagh Moayyed 

Reply-To: "cas-user@apereo.org" 
Date: Tuesday, August 27, 2019 at 2:59 AM
To: CAS Community 
Subject: Re: [cas-user] CAS 6.1-RC4 OIDC configuration

Have you defined an issuer?
https://apereo.github.io/cas/development/configuration/Configuration-Properties.html#openid-connect


On Aug 27, 2019, at 2:23 AM, 'Mallory, Erik' via CAS Community 
<cas-user@apereo.org> wrote:

Hello,
I'm trying to configure oAuth/OIDC and I'm running into a head scratcher.
The CAS oidc/.well-known endpoint returns 
cas.example.org:8443 for all of the related 
endpoints.
Example:
{"issuer":"http://cas-dev.wichita.edu/cas/oidc","scopes_supported":["openid","profile","email","address","phone","offline_access"],"response_types_supported":["code","token","id_token
 
token"],"subject_types_supported":["public","pairwise"],"claim_types_supported":["normal"],"claims_supported":["sub","name","preferred_username","family_name","given_name","middle_name","given_name","profile","picture","nickname","website","zoneinfo","locale","updated_at","birthdate","email","email_verified","phone_number","phone_number_verified","address","gender"],"grant_types_supported":["authorization_code","password","client_credentials","refresh_token"],"id_token_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"id_token_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"id_token_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"userinfo_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"userinfo_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"userinfo_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"introspection_endpoint_auth_methods_supported":["client_secret_basic"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt"],"claims_parameter_supported":true,"request_parameter_supported":false,"authorization_endpoint":"https://cas.example.org:8443/cas/oidc/authorize","token_endpoint":"https://cas.example.org:8443/cas/oidc/accessToken","userinfo_endpoint":"https://cas.example.org:8443/cas/oidc/profile","registration_endpoint":"https://cas.example.org:8443/cas/oidc/register","end_session_endpoint":"https://cas.exampl
e.org:8443/cas/oidc/logout","introspection_endpoint":"https://cas.example.org:8443/cas/oidc/introspect","revocation_endpoint":"https://cas.example.org:8443/cas/oidc/revoke","jwks_uri":"https://cas.example.org:8443/cas/oidc/jwks"}


I thought this value was controlled by the cas.s

[cas-user] CAS 6.1-RC4 OIDC configuration

2019-08-26 Thread 'Mallory, Erik' via CAS Community
Hello,
 I'm trying to configure oAuth/OIDC and I'm running into a head scratcher.
The CAS oidc/.well-known endpoint returns cas.example.org:8443 for all of the 
related endpoints. 
Example:
{"issuer":"http://cas-dev.wichita.edu/cas/oidc","scopes_supported":["openid","profile","email","address","phone","offline_access"],"response_types_supported":["code","token","id_token
 
token"],"subject_types_supported":["public","pairwise"],"claim_types_supported":["normal"],"claims_supported":["sub","name","preferred_username","family_name","given_name","middle_name","given_name","profile","picture","nickname","website","zoneinfo","locale","updated_at","birthdate","email","email_verified","phone_number","phone_number_verified","address","gender"],"grant_types_supported":["authorization_code","password","client_credentials","refresh_token"],"id_token_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"id_token_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"id_token_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"userinfo_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"userinfo_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"userinfo_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"introspection_endpoint_auth_methods_supported":["client_secret_basic"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt"],"claims_parameter_supported":true,"request_parameter_supported":false,"authorization_endpoint":"https://cas.example.org:8443/cas/oidc/authorize","token_endpoint":"https://cas.example.org:8443/cas/oidc/accessToken","userinfo_endpoint":"https://cas.example.org:8443/cas/oidc/profile","registration_endpoint":"https://cas.example.org:8443/cas/oidc/register","end_session_endpoint":"https://cas.exampl
e.org:8443/cas/oidc/logout","introspection_endpoint":"https://cas.example.org:8443/cas/oidc/introspect","revocation_endpoint":"https://cas.example.org:8443/cas/oidc/revoke","jwks_uri":"https://cas.example.org:8443/cas/oidc/jwks"}


I thought this value was controlled by the cas.server.name property. But I 
guess it's elsewhere?

server.context-path=/cas
server.port=443
cas.server.name=https://cas-dev.wichita.edu
cas.server.prefix=https://cas-dev.wichita.edu/cas
cas.host.name=cas-dev.wichita.edu

Hopefully someone can shine a light on this for me. 
Thanks,
Erik Mallory
Server Analyst 
Wichita State University
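
The mismatch reported above (issuer on cas-dev.wichita.edu, every endpoint on cas.example.org:8443) can be caught mechanically before a relying party trusts the document. The following is an added example, not part of the original message and not CAS code: the function names, the finding codes and both sample documents are constructed for illustration. The https-issuer rule comes from OpenID Connect Discovery 1.0; the host comparison is a deployment sanity check, not a spec requirement.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a shortened copy of the discovery document quoted in the
# message above (same issuer, same cas.example.org:8443 endpoints).
MISCONFIGURED = json.dumps({
    "issuer": "http://cas-dev.wichita.edu/cas/oidc",
    "authorization_endpoint": "https://cas.example.org:8443/cas/oidc/authorize",
    "token_endpoint": "https://cas.example.org:8443/cas/oidc/accessToken",
    "userinfo_endpoint": "https://cas.example.org:8443/cas/oidc/profile",
    "jwks_uri": "https://cas.example.org:8443/cas/oidc/jwks",
    "id_token_signing_alg_values_supported": ["none", "RS256", "RS384"],
})

# Constructed sample: an assumed consistent document for comparison.
CONSISTENT = json.dumps({
    "issuer": "https://cas-dev.wichita.edu/cas/oidc",
    "authorization_endpoint": "https://cas-dev.wichita.edu/cas/oidc/authorize",
    "token_endpoint": "https://cas-dev.wichita.edu/cas/oidc/accessToken",
    "jwks_uri": "https://cas-dev.wichita.edu/cas/oidc/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def _url_members(doc):
    """Names of metadata members holding a URL that a client will call or fetch."""
    return sorted(
        key for key, value in doc.items()
        if isinstance(value, str) and key.endswith(("_endpoint", "_uri"))
    )


def audit_discovery(doc_text, expected_issuer):
    """Return a list of (code, detail) findings for one discovery document."""
    doc = json.loads(doc_text)
    if not isinstance(doc, dict):
        return [("NOT_AN_OBJECT", "discovery document must be a JSON object")]

    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        return [("ISSUER_MISSING", "no issuer member")]

    findings = []
    # The client must see exactly the issuer it was configured with.
    if issuer != expected_issuer:
        findings.append(("ISSUER_MISMATCH", f"{issuer!r} != {expected_issuer!r}"))

    iss = urlsplit(issuer)
    if iss.scheme != "https":
        findings.append(("ISSUER_NOT_HTTPS", issuer))
    if iss.query or iss.fragment:
        findings.append(("ISSUER_HAS_QUERY_OR_FRAGMENT", issuer))

    # Endpoints on a host other than the issuer's usually mean a default
    # (such as cas.example.org) leaked into the published metadata.
    issuer_host = (iss.hostname or "").lower()
    for key in _url_members(doc):
        url = urlsplit(doc[key])
        if url.scheme != "https":
            findings.append(("ENDPOINT_NOT_HTTPS", f"{key}={doc[key]}"))
        if (url.hostname or "").lower() != issuer_host:
            findings.append((
                "ENDPOINT_HOST_MISMATCH",
                f"{key} points at {url.netloc}, issuer host is {issuer_host}",
            ))

    # Advertising "none" means unsigned ID tokens are on offer; a client
    # should pin the algorithm it expects instead of accepting any listed one.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if isinstance(algs, list) and "none" in algs:
        findings.append(("ALG_NONE_ADVERTISED", "id_token_signing_alg_values_supported"))
    return findings


def codes(findings):
    """Distinct finding codes, sorted, for quick comparison."""
    return sorted({code for code, _ in findings})


if __name__ == "__main__":
    samples = (
        ("misconfigured", MISCONFIGURED, "http://cas-dev.wichita.edu/cas/oidc"),
        ("consistent", CONSISTENT, "https://cas-dev.wichita.edu/cas/oidc"),
    )
    for name, text, expected in samples:
        print(name)
        for code, detail in audit_discovery(text, expected) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```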
 



Re: [cas-user] CAS Management 6.1 RC4 Hazelcast and services-repo

2019-08-01 Thread 'Mallory, Erik' via CAS Community
Ok I made some changes…. Figuring I was thinking about this wrong.
I moved mgmt.versionControl.servicesRepo to a shared NFS mount on both nodes.

I have hazelcast for service replication configured
And the cas services are located in /etc/cas/config/services
cas.serviceRegistry.json.location=file:/etc/cas/config/services

anything that is added, removed or updated in /etc/cas/config/services on N1 
gets updated on N2 and vice versa. (Hazelcast is working just fine.. I noticed 
odd behavior once… I had deleted a file I’d just created and it was not deleted 
on the other host.. five minutes later the file was recreated on the host I 
deleted it from)
The cas-management application only will add a new entry in /etc/cas/config 
when you click publish. It will not update or delete in the /etc/cas/config 
directory.
I’ve verified permissions and SELinux.
If it’s something on my end let me know. If not I’ll wait for cas-mgmt RC5 ☺

Best,
Erik Mallory
Server Analyst
Wichita State University


From: "'Mallory, Erik' via CAS Community" 
Reply-To: "cas-user@apereo.org" 
Date: Thursday, August 1, 2019 at 12:35 PM
To: "cas-user@apereo.org" 
Subject: [cas-user] CAS Management 6.1 RC4 Hazelcast and services-repo

Hello,
I’ve tried a few different configurations with the new  services-repo and 
hazelcast.
I have two nodes N1 and N2 both have been configured in two ways:

The first way: for both nodes
mgmt.versionControl.servicesRepo=/etc/cas/services-repo
cas.serviceRegistry.json.location=file:/etc/cas/config/services

The management web interface deletes the service from /etc/cas/services-repo 
and does not remove it from /etc/cas/config/services/ and hazelcast will not 
propagate the changes. Edits and Adds work, just not deletes.

The second way: for both nodes
mgmt.versionControl.servicesRepo=/etc/cas/services-repo
cas.serviceRegistry.json.location=file:/etc/cas/services-repo

then Edits, Adds and DELETES work properly. However, if I am on N1 and I commit 
and publish changes the versionControl on N2 dutifully picks up the changes.  
So when I am on N2 in the management interface I have to commit  and publish 
the changes.

Please tell me if I’m missing a setting somewhere…
Thanks,
Erik Mallory
Server Analyst
Wichita State University


[cas-user] CAS Management 6.1 RC4 Hazelcast and services-repo

2019-08-01 Thread 'Mallory, Erik' via CAS Community
Hello,
I’ve tried a few different configurations with the new  services-repo and 
hazelcast.
I have two nodes N1 and N2 both have been configured in two ways:

The first way: for both nodes
mgmt.versionControl.servicesRepo=/etc/cas/services-repo
cas.serviceRegistry.json.location=file:/etc/cas/config/services

The management web interface deletes the service from /etc/cas/services-repo 
and does not remove it from /etc/cas/config/services/ and hazelcast will not 
propagate the changes. Edits and Adds work, just not deletes.

The second way: for both nodes
mgmt.versionControl.servicesRepo=/etc/cas/services-repo
cas.serviceRegistry.json.location=file:/etc/cas/services-repo

then Edits, Adds and DELETES work properly. However, if I am on N1 and I commit 
and publish changes the versionControl on N2 dutifully picks up the changes.  
So when I am on N2 in the management interface I have to commit  and publish 
the changes.

Please tell me if I’m missing a setting somewhere…
Thanks,
Erik Mallory
Server Analyst
Wichita State University



Re: [cas-user] CAS 6.1 RC 4 configuration issues Hazelcast service registry OIDC and OAuth

2019-08-01 Thread 'Mallory, Erik' via CAS Community
Yes I did ☺ Thanks for your time and sorry for the noise. I know you’re busy. I 
was able to get it going just now.  I’ll try the same with the oidc and oauth 
config. I’ll message back if I have issues.
BTW Great work on the management interface!  It’s a massive improvement from 
5.1 . It might be my exposure to cas, but 6.1 has been easier to set up than 
other versions. Thanks for all of that.


Erik Mallory
Server Analyst
Wichita State University


From:  on behalf of Misagh Moayyed 

Reply-To: "cas-user@apereo.org" 
Date: Thursday, August 1, 2019 at 8:46 AM
To: CAS Community 
Subject: Re: [cas-user] CAS 6.1 RC 4 configuration issues Hazelcast service 
registry OIDC and OAuth

Judging by your snippet below it looks like you did miss a few. This is correct 
(compare with yours):

cas.serviceRegistry.stream.hazelcast.duration=PT1M

cas.serviceRegistry.stream.hazelcast.config.cluster.evictionPolicy=LRU
cas.serviceRegistry.stream.hazelcast.config.cluster.maxNoHeartbeatSeconds=300
cas.serviceRegistry.stream.hazelcast.config.cluster.loggingType=slf4j
cas.serviceRegistry.stream.hazelcast.config.cluster.portAutoIncrement=false
cas.serviceRegistry.stream.hazelcast.config.cluster.maxHeapSizePercentage=85
cas.serviceRegistry.stream.hazelcast.config.cluster.backupCount=1
cas.serviceRegistry.stream.hazelcast.config.cluster.asyncBackupCount=0
cas.serviceRegistry.stream.hazelcast.config.cluster.maxSizePolicy=USED_HEAP_PERCENTAGE
cas.serviceRegistry.stream.hazelcast.config.cluster.timeout=5
cas.serviceRegistry.stream.hazelcast.config.cluster.members=10.0.79.37,10.0.79.38
cas.serviceRegistry.stream.hazelcast.config.cluster.instanceName=cas-dev-svcs
cas.serviceRegistry.stream.hazelcast.config.cluster.port=5703



On Aug 1, 2019, at 1:06 AM, 'Mallory, Erik' via CAS Community 
<cas-user@apereo.org> wrote:

Yes, I tried it both ways.
cas.serviceRegistry.stream.hazelcast.config.duration=PT1M
cas.serviceRegistry.stream.hazelcast.config.cluster.evictionPolicy=LRU
cas.serviceRegistry.stream.hazelcast.config.cluster.maxNoHeartbeatSeconds=300
cas.serviceRegistry.stream.hazelcast.config.cluster.loggingType=slf4j
cas.serviceRegistry.stream.hazelcast.config.cluster.portAutoIncrement=false
cas.serviceRegistry.stream.hazelcast.config.cluster.maxHeapSizePercentage=85
cas.serviceRegistry.stream.hazelcast.config.cluster.backupCount=1
cas.serviceRegistry.stream.hazelcast.config.cluster.asyncBackupCount=0
cas.serviceRegistry.stream.hazelcast.config.maxSizePolicy=USED_HEAP_PERCENTAGE
cas.serviceRegistry.stream.hazelcast.config.timeout=5
cas.serviceRegistry.stream.hazelcast.config.cluster.members=10.0.79.37,10.0.79.38
cas.serviceRegistry.stream.hazelcast.config.cluster.instanceName=cas-dev-svcs
cas.serviceRegistry.stream.hazelcast.config.cluster.port=5703


Erik Mallory
Server Analyst
Wichita State University
316.978.3502


From: <cas-user@apereo.org> on behalf of Misagh Moayyed <misagh.moay...@gmail.com>
Reply-To: "cas-user@apereo.org" <cas-user@apereo.org>
Date: Wednesday, July 31, 2019 at 3:02 PM
To: CAS Community <cas-user@apereo.org>
Subject: Re: [cas-user] CAS 6.1 RC 4 configuration issues Hazelcast service 
registry OIDC and OAuth

Post your settings please.

Chances are, you are using:
cas.serviceRegistry.stream.hazelcast.cluster.instanceName=blah

where it should be:
cas.serviceRegistry.stream.hazelcast.config.cluster.instanceName=blah

Key being, quite literally, “cas.serviceRegistry.stream.hazelcast.config” as 
the starting prefix which you pasted below.



On Jul 31, 2019, at 11:53 PM, 'Mallory, Erik' via CAS Community <cas-user@apereo.org> wrote:

Hello,
I have CAS-6.1-RC4 installed and it mostly works.  I’ve noticed that some of 
the configuration properties don’t work and are “left unbound”.  For example, 
trying to configure hazelcast for service definition replication, I update the 
dependency section in build.gradle, and rebuild the cas.war file then I add the 
config properties from 
https://apereo.github.io/cas/development/configuration/Configuration-Properties-Common.html#hazelcast-configuration
Using the key cas.serviceRegistry.stream.hazelcast.config.
I replace the cas.war file and restart.

I get the following errors.
Origin: "cas.serviceRegistry.stream.hazelcast.cluster.backupCount" from 
property source "bootstrapProperties"
Reason: The elements 
[cas.serviceregistry.stream.hazelcast.cluster.backupcount,cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy,cas.serviceregistry.stream

Re: [cas-user] CAS 6.1 RC 4 configuration issues Hazelcast service registry OIDC and OAuth

2019-07-31 Thread 'Mallory, Erik' via CAS Community
Yes, I tried it both ways.
cas.serviceRegistry.stream.hazelcast.config.duration=PT1M
cas.serviceRegistry.stream.hazelcast.config.cluster.evictionPolicy=LRU
cas.serviceRegistry.stream.hazelcast.config.cluster.maxNoHeartbeatSeconds=300
cas.serviceRegistry.stream.hazelcast.config.cluster.loggingType=slf4j
cas.serviceRegistry.stream.hazelcast.config.cluster.portAutoIncrement=false
cas.serviceRegistry.stream.hazelcast.config.cluster.maxHeapSizePercentage=85
cas.serviceRegistry.stream.hazelcast.config.cluster.backupCount=1
cas.serviceRegistry.stream.hazelcast.config.cluster.asyncBackupCount=0
cas.serviceRegistry.stream.hazelcast.config.maxSizePolicy=USED_HEAP_PERCENTAGE
cas.serviceRegistry.stream.hazelcast.config.timeout=5
cas.serviceRegistry.stream.hazelcast.config.cluster.members=10.0.79.37,10.0.79.38
cas.serviceRegistry.stream.hazelcast.config.cluster.instanceName=cas-dev-svcs
cas.serviceRegistry.stream.hazelcast.config.cluster.port=5703


Erik Mallory
Server Analyst
Wichita State University
316.978.3502


From:  on behalf of Misagh Moayyed 

Reply-To: "cas-user@apereo.org" 
Date: Wednesday, July 31, 2019 at 3:02 PM
To: CAS Community 
Subject: Re: [cas-user] CAS 6.1 RC 4 configuration issues Hazelcast service 
registry OIDC and OAuth

Post your settings please.

Chances are, you are using:
cas.serviceRegistry.stream.hazelcast.cluster.instanceName=blah

where it should be:
cas.serviceRegistry.stream.hazelcast.config.cluster.instanceName=blah

Key being, quite literally, “cas.serviceRegistry.stream.hazelcast.config” as 
the starting prefix which you pasted below.


On Jul 31, 2019, at 11:53 PM, 'Mallory, Erik' via CAS Community <cas-user@apereo.org> wrote:

Hello,
I have CAS-6.1-RC4 installed and it mostly works.  I’ve noticed that some of 
the configuration properties don’t work and are “left unbound”.  For example, 
trying to configure hazelcast for service definition replication, I update the 
dependency section in build.gradle, and rebuild the cas.war file then I add the 
config properties from 
https://apereo.github.io/cas/development/configuration/Configuration-Properties-Common.html#hazelcast-configuration
Using the key cas.serviceRegistry.stream.hazelcast.config.
I replace the cas.war file and restart.

I get the following errors.
Origin: "cas.serviceRegistry.stream.hazelcast.cluster.backupCount" from 
property source "bootstrapProperties"
Reason: The elements 
[cas.serviceregistry.stream.hazelcast.cluster.backupcount,cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy,cas.serviceregistry.stream.hazelcast.cluster.instancename,cas.serviceregistry.stream.hazelcast.cluster.loggingtype,cas.serviceregistry.stream.hazelcast.cluster.maxheapsizepercentage,cas.serviceregistry.stream.hazelcast.cluster.maxnoheartbeatseconds,cas.serviceregistry.stream.hazelcast.cluster.members,cas.serviceregistry.stream.hazelcast.cluster.port,cas.serviceregistry.stream.hazelcast.cluster.portautoincrement,cas.serviceregistry.stream.hazelcast.maxsizepolicy]
 were left unbound.
Property: cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy
Value: LRU
Origin: "cas.serviceRegistry.stream.hazelcast.cluster.evictionPolicy" from 
property source "bootstrapProperties"
Reason: The elements 
[cas.serviceregistry.stream.hazelcast.cluster.backupcount,cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy,cas.serviceregistry.stream.hazelcast.cluster.instancename,cas.serviceregistry.stream.hazelcast.cluster.loggingtype,cas.serviceregistry.stream.hazelcast.cluster.maxheapsizepercentage,cas.serviceregistry.stream.hazelcast.cluster.maxnoheartbeatseconds,cas.serviceregistry.stream.hazelcast.cluster.members,cas.serviceregistry.stream.hazelcast.cluster.port,cas.serviceregistry.stream.hazelcast.cluster.portautoincrement,cas.serviceregistry.stream.hazelcast.maxsizepolicy]
 were left unbound.
Property: cas.serviceregistry.stream.hazelcast.cluster.instancename
Value: cas-dev-svcs
Origin: "cas.serviceRegistry.stream.hazelcast.cluster.instanceName" from 
property source "bootstrapProperties"
Reason: The elements 
[cas.serviceregistry.stream.hazelcast.cluster.backupcount,cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy,cas.serviceregistry.stream.hazelcast.cluster.instancename,cas.serviceregistry.stream.hazelcast.cluster.loggingtype,cas.serviceregistry.stream.hazelcast.cluster.maxheapsizepercentage,cas.serviceregistry.stream.hazelcast.cluster.maxnoheartbeatseconds,cas.serviceregistry.stream.hazelcast.cluster.members,cas.serviceregistry.stream.haz

[cas-user] CAS 6.1 RC 4 configuration issues Hazelcast service registry OIDC and OAuth

2019-07-31 Thread 'Mallory, Erik' via CAS Community
Hello,
I have CAS-6.1-RC4 installed and it mostly works.  I’ve noticed that some of 
the configuration properties don’t work and are “left unbound”.  For example, 
trying to configure hazelcast for service definition replication, I update the 
dependency section in build.gradle, and rebuild the cas.war file then I add the 
config properties from 
https://apereo.github.io/cas/development/configuration/Configuration-Properties-Common.html#hazelcast-configuration
Using the key cas.serviceRegistry.stream.hazelcast.config.
I replace the cas.war file and restart.

I get the following errors.

Origin: "cas.serviceRegistry.stream.hazelcast.cluster.backupCount" from 
property source "bootstrapProperties"

Reason: The elements 
[cas.serviceregistry.stream.hazelcast.cluster.backupcount,cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy,cas.serviceregistry.stream.hazelcast.cluster.instancename,cas.serviceregistry.stream.hazelcast.cluster.loggingtype,cas.serviceregistry.stream.hazelcast.cluster.maxheapsizepercentage,cas.serviceregistry.stream.hazelcast.cluster.maxnoheartbeatseconds,cas.serviceregistry.stream.hazelcast.cluster.members,cas.serviceregistry.stream.hazelcast.cluster.port,cas.serviceregistry.stream.hazelcast.cluster.portautoincrement,cas.serviceregistry.stream.hazelcast.maxsizepolicy]
 were left unbound.

Property: cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy

Value: LRU

Origin: "cas.serviceRegistry.stream.hazelcast.cluster.evictionPolicy" from 
property source "bootstrapProperties"

Reason: The elements 
[cas.serviceregistry.stream.hazelcast.cluster.backupcount,cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy,cas.serviceregistry.stream.hazelcast.cluster.instancename,cas.serviceregistry.stream.hazelcast.cluster.loggingtype,cas.serviceregistry.stream.hazelcast.cluster.maxheapsizepercentage,cas.serviceregistry.stream.hazelcast.cluster.maxnoheartbeatseconds,cas.serviceregistry.stream.hazelcast.cluster.members,cas.serviceregistry.stream.hazelcast.cluster.port,cas.serviceregistry.stream.hazelcast.cluster.portautoincrement,cas.serviceregistry.stream.hazelcast.maxsizepolicy]
 were left unbound.

Property: cas.serviceregistry.stream.hazelcast.cluster.instancename

Value: cas-dev-svcs

Origin: "cas.serviceRegistry.stream.hazelcast.cluster.instanceName" from 
property source "bootstrapProperties"

Reason: The elements 
[cas.serviceregistry.stream.hazelcast.cluster.backupcount,cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy,cas.serviceregistry.stream.hazelcast.cluster.instancename,cas.serviceregistry.stream.hazelcast.cluster.loggingtype,cas.serviceregistry.stream.hazelcast.cluster.maxheapsizepercentage,cas.serviceregistry.stream.hazelcast.cluster.maxnoheartbeatseconds,cas.serviceregistry.stream.hazelcast.cluster.members,cas.serviceregistry.stream.hazelcast.cluster.port,cas.serviceregistry.stream.hazelcast.cluster.portautoincrement,cas.serviceregistry.stream.hazelcast.maxsizepolicy]
 were left unbound.

Property: cas.serviceregistry.stream.hazelcast.cluster.loggingtype

Value: slf4j

I get similar errors when attempting to configure oauth or oidc.
I figure this is something that is still under development.  Or I missed 
something. Either way any information that can be provided would be appreciated.

Thanks,
Erik Mallory
Server Analyst
Wichita State University

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4F3C07B0-D4CC-40C7-90BD-44DA77024C99%40wichita.edu.
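
Added example (not part of the thread and not CAS project code): a small parser for the "left unbound" failure report quoted in the message above. It lists each rejected key and checks whether that key is actually present in the properties file being edited, or whether the file already carries the key under the prefix named in the reply. The sample report and properties text are constructed from keys that appear in this thread, and all function names are hypothetical.

```python
import re

# Prefix named in the reply quoted in this thread.
EXPECTED_PREFIX = "cas.serviceRegistry.stream.hazelcast.config."

# Constructed sample: a shortened failure report in the format shown in the post,
# including the mail-style line wrapping.
SAMPLE_REPORT = """\
Property: cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy
Value: LRU
Origin: "cas.serviceRegistry.stream.hazelcast.cluster.evictionPolicy" from
property source "bootstrapProperties"
Reason: The elements
[cas.serviceregistry.stream.hazelcast.cluster.evictionpolicy,cas.serviceregistry.stream.hazelcast.cluster.instancename]
 were left unbound.
Property: cas.serviceregistry.stream.hazelcast.cluster.instancename
Value: cas-dev-svcs
Origin: "cas.serviceRegistry.stream.hazelcast.cluster.instanceName" from
property source "bootstrapProperties"
"""

# Constructed sample: the properties file after adding the "config" segment.
SAMPLE_PROPERTIES = """\
# service registry replication
cas.serviceRegistry.stream.hazelcast.config.cluster.evictionPolicy=LRU
cas.serviceRegistry.stream.hazelcast.config.cluster.instanceName=cas-dev-svcs
cas.serviceRegistry.stream.hazelcast.config.cluster.port=5703
"""

ENTRY_RE = re.compile(
    r'Property: (?P<property>\S+) Value:\s?(?P<value>.*?)\s?'
    r'Origin: "(?P<origin>[^"]+)" from property source "(?P<source>[^"]+)"'
)
ELEMENTS_RE = re.compile(r"The elements \[([^\]]*)\] were left unbound")


def _flatten(text):
    """Undo line wrapping: collapse every whitespace run to a single space."""
    return " ".join(text.split())


def canonical(key):
    """Lower-cased, dash-free form, as in the report's 'Property:' field."""
    return key.replace("-", "").lower()


def parse_properties(text):
    """Return {key: line_number} for .properties text (no continuation lines)."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        keys[re.split(r"\s*[=:]\s*", line, maxsplit=1)[0]] = lineno
    return keys


def unbound_elements(report_text):
    """All keys named in 'The elements [...] were left unbound', de-duplicated."""
    found = set()
    for group in ELEMENTS_RE.findall(_flatten(report_text)):
        found.update(k.strip() for k in group.split(",") if k.strip())
    return sorted(found)


def diagnose(report_text, properties_text, expected_prefix=EXPECTED_PREFIX):
    """Compare each rejected key in the report with the file being edited."""
    file_keys = parse_properties(properties_text)
    findings = []
    for m in ENTRY_RE.finditer(_flatten(report_text)):
        origin = m.group("origin")
        leaf = canonical(origin).rsplit(".", 1)[-1]
        # Keys in the file that sit under the expected prefix with the same leaf.
        candidates = sorted(
            (lineno, key) for key, lineno in file_keys.items()
            if key.startswith(expected_prefix)
            and canonical(key).rsplit(".", 1)[-1] == leaf
        )
        if origin in file_keys:
            verdict = "in-file"        # the rejected line is in this file
        elif candidates:
            verdict = "stale-source"   # report did not come from this file's content
        else:
            verdict = "not-in-file"
        findings.append({
            "origin": origin,
            "value": m.group("value"),
            "source": m.group("source"),
            "has_expected_prefix": origin.startswith(expected_prefix),
            "in_file": origin in file_keys,
            "candidates": candidates,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_REPORT, SAMPLE_PROPERTIES):
        print(f["verdict"], f["origin"], f["candidates"])
```

A "stale-source" verdict means the key the application rejected is not in the file that was checked, so the running instance loaded its properties from somewhere else (another copy of the file, or a deployment that was not refreshed).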


[cas-user] CAS Management 6.1. RC4 minor issues

2019-06-14 Thread 'Mallory, Erik' via CAS Community
Hello,
Just a few things I’ve noticed. Under Logout there is a field labeled Logout URL; 
it will not accept a hyphen (-). I figure this is some sort of a bug.
Steps to produce error:
1. Create or Edit Service
2. Click on Logout
3. Click on Logout URL
4. Input a URL with a hyphen
Also, putting a hyphen in the service name produces the following warning in the 
logs:

2019-06-14 12:18:32,935 WARN 
[org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - 
[banapp-appdev-1560531595119.json] does not match the recommended pattern 
[(\w+)-(\d+)\.json]. While CAS tries to be forgiving as much as possible, it's 
recommended that you rename the file to match the requested pattern to avoid 
issues with duplicate service loading. Future CAS versions may try to strictly 
force the naming syntax, refusing to load the file.

Perhaps it would be better to not allow hyphenated names for services?

Thanks
Erik Mallory
Server Analyst
Wichita State University



Re: [cas-user] CAS 6.1 Management RC3 service sync behavior

2019-06-14 Thread 'Mallory, Erik' via CAS Community
Travis,
Thank you very much! It’s working as expected now.


Erik Mallory
Server Analyst
Wichita State University


From:  on behalf of Travis Schmidt 

Reply-To: "cas-user@apereo.org" 
Date: Thursday, June 13, 2019 at 3:48 PM
To: CAS Community 
Subject: Re: [cas-user] CAS 6.1 Management RC3 service sync behavior

Hi Erik,

  CAS Management RC4 was released yesterday, please try running that version.  
Also the sync script property was changed to mgmt.versionControl.syncScript.

Travis

On Thu, Jun 13, 2019 at 1:28 PM 'Mallory, Erik' via CAS Community <cas-user@apereo.org> wrote:
Hello
I’ve been working through upgrading our development environment using the new 
6.1 release, currently the services management is at RC 3 and I’m noticing some 
odd behavior.
First off the following property doesn’t seem to be available.
mgmt.syncScript=/etc/cas/sync.sh

So I figured I’d use Rsync and cron to keep the services in sync between the 
two nodes.  The script synced the files in /etc/cas/services-repo but cas never 
picked up the services. I disabled one node, and created the service by hand 
and it worked. It would appear that sync is still under construction. If I’m 
doing it wrong or if you have any insight please share what you know.


Property: mgmt.syncscript

Value: /etc/cas/sync.sh

Origin: "mgmt.syncScript" from property source "bootstrapProperties"

Reason: The elements [mgmt.syncscript] were left unbound.



Action:



Update your application's configuration

Thanks,

Erik Mallory
Server Analyst
Wichita State University
316.978.3502


[cas-user] CAS 6.1 Management RC3 service sync behavior

2019-06-13 Thread 'Mallory, Erik' via CAS Community
Hello
I’ve been working through upgrading our development environment using the new 
6.1 release, currently the services management is at RC 3 and I’m noticing some 
odd behavior.
First off the following property doesn’t seem to be available.
mgmt.syncScript=/etc/cas/sync.sh

So I figured I’d use Rsync and cron to keep the services in sync between the 
two nodes.  The script synced the files in /etc/cas/services-repo but cas never 
picked up the services. I disabled one node, and created the service by hand 
and it worked. It would appear that sync is still under construction. If I’m 
doing it wrong or if you have any insight please share what you know.


Property: mgmt.syncscript

Value: /etc/cas/sync.sh

Origin: "mgmt.syncScript" from property source "bootstrapProperties"

Reason: The elements [mgmt.syncscript] were left unbound.



Action:



Update your application's configuration

Thanks,

Erik Mallory
Server Analyst
Wichita State University
316.978.3502



[cas-user] CAS 6.1-RC3 AD LDAP issue

2019-03-05 Thread 'Mallory, Erik' via CAS Community
Hello,
I received the following error when trying to authenticate to our AD servers. 
I’m not sure what bit to flip to get the %s...@site.org to work for the 
dnFormat property, or if there is a new way to format the DN string for AD. 
Below is the error:

2019-03-05 16:23:22,455 DEBUG 
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 

Below are the relevant AD configuration properties

cas.authn.ldap[0].searchFilter=sAMAccountName={user}

cas.authn.ldap[0].dnFormat=%s...@wichita.edu

cas.authn.ldap[0].derefAliases=ALWAYS

#cas.authn.ldap[0].dnFormat=sAMAccountName=%s,OU=Unix Group,OU=UCATS,OU=Academic Affairs,OU=Wichita State University,DC=ad,DC=wichita,DC=edu

cas.authn.ldap[0].principalAttributeId=sAMAccountName

cas.authn.ldap[0].principalAttributePassword=userPassword

#cas.authn.ldap[0].poolPassivator=NONE|CLOSE|BIND

cas.authn.ldap[0].poolPassivator=NONE

#cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

cas.authn.ldap[0].connectTimeout=PT5S

cas.authn.ldap[0].minPoolSize=3

cas.authn.ldap[0].maxPoolSize=10

cas.authn.ldap[0].validateOnCheckout=true

cas.authn.ldap[0].validatePeriodically=true

cas.authn.ldap[0].validatePeriod=PT5M

cas.authn.ldap[0].validateTimeout=PT5S

cas.authn.ldap[0].failFast=true

cas.authn.ldap[0].idleTime=PT10M

cas.authn.ldap[0].prunePeriod=PT2H

cas.authn.ldap[0].blockWaitTime=PT3S

cas.authn.ldap[0].useSsl=true

cas.authn.ldap[0].useStartTls=false

cas.authn.ldap[0].responseTimeout=PT5S

cas.authn.ldap[0].allowMultipleDns=true

cas.authn.ldap[0].allowMultipleEntries=false

cas.authn.ldap[0].followReferrals=true

cas.authn.ldap[0].name=WSUAD

#cas.authn.ldap[0].trustCertificates=

#cas.authn.ldap[0].keystore=

#cas.authn.ldap[0].keystorePassword=

#cas.authn.ldap[0].keystoreType=JKS|JCEKS|PKCS12

#cas.authn.ldap[0].binaryAttributes=objectGUID,someOtherAttribute

cas.authn.ldap[0].principalAttributeList=cn:commonName,sAMAccountName:UDC_IDENTIFIER

cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true

Any help would be greatly appreciated.
Thanks,
Erik Mallory
Server Analyst
Wichita State University
316.978.3502



Re: [cas-user] Re: DUO MFA Issues

2019-02-22 Thread 'Mallory, Erik' via CAS Community
We heard back from them as well. We spot checked with a few students. There was 
a desire from up top to get duo turned on again for production systems. We did 
so about an hour ago. So far, so good.
Thanks,
Erik Mallory
Server Analyst
Wichita State University


From: David Curry 
Date: Friday, February 22, 2019 at 4:18 PM
To: "cas-user@apereo.org" 
Cc: Erik Mallory 
Subject: Re: [cas-user] Re: DUO MFA Issues

Just passing along that we heard back from Duo support late this afternoon that 
the issue had been escalated to engineering and that a fix has now been rolled 
out.

But given that it's late on Friday afternoon we're waiting until Monday to try 
it, so I can't say for sure whether it's really been fixed or not.

--Dave

David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ 
david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.


On Fri, Feb 22, 2019, 11:55 atilling <atill...@conncoll.edu> wrote:
For our institution it was first reported on the 19th around 5pm EST shortly 
after a server restart.

On Friday, February 22, 2019 at 9:39:00 AM UTC-5, Mallory, Erik wrote:
Hello,
Yesterday about 3:30 CST Duo quit working for CAS, we contacted Duo support and 
it was determined to be a problem with Duo, given the number of educational 
institutions that were contacting Duo at the same time we were. I’m starting a 
thread here if anyone cares to share any information and I will share what 
information I have as we get it.

Thanks,
Erik Mallory
Server Analyst
Wichita State University



Re: [cas-user] DUO MFA Issues

2019-02-22 Thread 'Mallory, Erik' via CAS Community
More accurately, Duo worked for users configured to use Duo, anyone that was 
NOT configured for Duo would fail.

Erik Mallory
Server Analyst
Wichita State University


From: "'Mallory, Erik' via CAS Community" 
Reply-To: 
Date: Friday, February 22, 2019 at 8:38 AM
To: "cas-user@apereo.org" 
Subject: [cas-user] DUO MFA Issues

Hello,
Yesterday about 3:30 CST Duo quit working for CAS, we contacted Duo support and 
it was determined to be a problem with Duo, given the number of educational 
institutions that were contacting Duo at the same time we were. I’m starting a 
thread here if anyone cares to share any information and I will share what 
information I have as we get it.

Thanks,
Erik Mallory
Server Analyst
Wichita State University



[cas-user] DUO MFA Issues

2019-02-22 Thread 'Mallory, Erik' via CAS Community
Hello,
Yesterday about 3:30 CST Duo quit working for CAS, we contacted Duo support and 
it was determined to be a problem with Duo, given the number of educational 
institutions that were contacting Duo at the same time we were. I’m starting a 
thread here if anyone cares to share any information and I will share what 
information I have as we get it.

Thanks,
Erik Mallory
Server Analyst
Wichita State University



[cas-user] PGP Verify Timeout issue CAS Management 5.1.9

2018-05-02 Thread 'Mallory, Erik' via CAS Community
Attempting to build CAS 5.1.9 CAS Management yields the following error. This 
is also true for 5.1.8. I circumvented it by commenting out the pgp verify 
stanza in the pom. I’d like a better solution if possible.
KeyId: 0x3B2C12292E76FEE3 UserIds: [Jerome LELEU ]
[INFO] 
[INFO] BUILD FAILURE
[INFO] 
[INFO] Total time: 04:41 min
[INFO] Finished at: 2018-05-02T09:31:55-05:00
[INFO] Final Memory: 45M/312M
[INFO] 
[ERROR] Failed to execute goal 
com.github.s4u.plugins:pgpverify-maven-plugin:1.1.0:check (default) on project 
cas-overlay: Connection timed out (Connection timed out) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e 
switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please 
read the following articles:
[ERROR] [Help 1] 
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Thanks,

Erik Mallory
Server Analyst
Wichita State University




[cas-user] duo-client not downloading

2018-05-02 Thread 'Mallory, Erik' via CAS Community
To whom it may concern,
I successfully built and configured cas 5.1.8 with duo-mfa in our development 
environment. When I went to build it for our test environment I received the 
following error.
Downloading: 
https://jitpack.io/com/github/duosecurity/duo_client_java/-930cd4e0a5-1/duo_client_java--930cd4e0a5-1.jar
[INFO] 
[INFO] BUILD FAILURE
[INFO] 
[INFO] Total time: 22.202 s
[INFO] Finished at: 2018-05-02T08:31:08-05:00
[INFO] Final Memory: 27M/179M
[INFO] 
[ERROR] Failed to execute goal on project cas-overlay: Could not resolve 
dependencies for project org.apereo.cas:cas-overlay:war:1.0: Could not find 
artifact com.github.duosecurity:duo_client_java:jar:-930cd4e0a5-1 in jitpack 
(https://jitpack.io) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e 
switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please 
read the following articles:
[ERROR] [Help 1] 
http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException


I went back to my dev environment to try a build there, and got the same error. 
Being the hard head that I am, I copied the cas.war file from the development 
environment to the test environment and I was able to get it working. That was 
last night. This morning I tried building the war file again 
and received the same error. Can someone somewhere fix this?

Thanks,
Erik Mallory
Server Analyst
Wichita State University



[cas-user] CAS 5.1.8 and DUO configuration error

2018-03-21 Thread 'Mallory, Erik' via CAS Community
Hello,
I’m having an issue with my Duo configuration. I have a three-node load-balanced 
CAS cluster. The nodes are on a private subnet that has no connection 
to the internet aside from the HTTPS traffic served by the load balancer.

Below is the abbreviated error message from the cas.log

Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: 
Error creating bean with name 'casAuthenticationManager' defined in class path 
resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: 
Unsatisfied dependency expressed through method 'casAuthenticationManager' 
parameter 2; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'authenticationEventExecutionPlan' defined in class path resource 
[org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: Bean 
instantiation via factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[org.apereo.cas.authentication.AuthenticationEventExecutionPlan]: Factory 
method 'authenticationEventExecutionPlan' threw exception; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'scopedTarget.duoAuthenticationHandler' defined in class path 
resource 
[org/apereo/cas/adaptors/duo/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration.class]:
 Bean instantiation via factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[org.apereo.cas.authentication.AuthenticationHandler]: Factory method 
'duoAuthenticationHandler' threw exception; nested exception is 
org.springframework.beans.factory.BeanCreationException:

 No configuration/settings could be found for Duo Security. Review settings and 
ensure the correct syntax is used


##
#Multi-factor Authentication
#
 cas.authn.mfa.globalProviderId=mfa-duo

 cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf,eduPersonPrimaryAffiliation
 cas.authn.mfa.globalPrincipalAttributeValueRegex=staff

 #cas.authn.mfa.restEndpoint=
 cas.authn.mfa.requestParameter=authn_method
 cas.authn.mfa.globalFailureMode=CLOSED
 cas.authn.mfa.authenticationContextAttribute=authnContextClass
 cas.authn.mfa.contentType=application/cas
##
#Duo Security
#
 cas.authn.mfa.duo.duoSecretKey=
 cas.authn.mfa.duo.rank=0
 cas.authn.mfa.duo.duoApplicationKey=
 cas.authn.mfa.duo.duoIntegrationKey=
 cas.authn.mfa.duo.duoApiHost=.duosecurity.com
 cas.authn.mfa.duo.trustedDeviceEnabled=true

I am unable to connect to the cas.authn.mfa.duo.duoApiHost on the command line, 
so I wonder if that’s the problem I’m having. If anyone can point out my errors, 
I’d greatly appreciate it.

Thanks,
Erik Mallory
Server Analyst
Wichita State University



[cas-user] CAS 5.2.1 Inspektr jdbc mysql database not being populated.

2018-01-30 Thread 'Mallory, Erik' via CAS Community
Inspektr or jdbc does not seem to be working properly. The database tables are 
not getting created on start, so there is nothing for Inspektr to write to.
The error:
PreparedStatementCallback; bad SQL grammar [SELECT AUD_DATE FROM 
COM_AUDIT_TRAIL WHERE AUD_CLIENT_IP = ? AND AUD_USER = ? AND AUD_ACTION = ? AND 
APPLIC_CD = ? AND AUD_DATE >= ? ORDER BY AUD_DATE DESC]; nested exception is 
java.sql.SQLSyntaxErrorException: Table 'casdb.COM_AUDIT_TRAIL' doesn't exist]>
org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad 
SQL grammar [SELECT AUD_DATE FROM COM_AUDIT_TRAIL WHERE AUD_CLIENT_IP = ? AND 
AUD_USER = ? AND AUD_ACTION = ? AND APPLIC_CD = ? AND AUD_DATE >= ? ORDER BY 
AUD_DATE DESC]; nested exception is java.sql.SQLSyntaxErrorException: Table 
'casdb.COM_AUDIT_TRAIL' doesn't exist

Relevant configuration information.

cas.authn.throttle.jdbc.ddlAuto=create-drop
cas.authn.throttle.jdbc.driverClass=com.mysql.jdbc.Driver
cas.authn.throttle.jdbc.dialect=org.hibernate.dialect.MySQL5Dialect

I am able to create a table as the cas user in the database.

Any help would be appreciated.
Thanks,
Erik Mallory
Server Analyst
Wichita State University
316.978.3502





Re: [cas-user] Disaster Recovery Site

2018-01-10 Thread 'Mallory, Erik' via CAS Community
I did this last year. We have a DR site with a VMware cluster. All told we 
have three VMware clusters: two are in our main data center, plus the previously 
mentioned DR cluster. I created three RHEL 7 VMs and set up Maven, Java 8 and 
Tomcat 8 (not part of the base RHEL 7 install).
I use 389 on each host and leverage replication for service definitions. The 
idea is that each host can be nearly dependency free, save for our credential 
store, AD.
All three hosts are configured behind a NetScaler using a least-connection 
strategy. SSL is terminated on the NetScaler and communication is encrypted on 
the back end to each CAS node. We are using Hazelcast for the ticket registry, LDAP 
for connections to our credential store and, as previously mentioned, for our 
service definition store.
I hope this helps. If you have questions I can probably help.
Best,
Erik Mallory
Server Analyst
Wichita State University


From:  on behalf of Bryan Wooten 
Reply-To: "cas-user@apereo.org" 
Date: Tuesday, January 9, 2018 at 7:04 PM
To: "cas-user@apereo.org" 
Subject: [cas-user] Disaster Recovery Site

Looking for any guidance / best practices for setting up CAS 5.x in a DR site.

I have been tasked to architect CAS for our much broader DR project.

We already have a remote Data Center as a location.

Now I know once you start talking CAS many other systems get involved (Like 
LDAP which I am also responsible for).

So I'll take any White Papers, personal experience, project plans, diagrams, 
etc.

Cheers,

Bryan

University of Utah


[cas-user] CAS 5.2.1 Login Behavior

2018-01-09 Thread 'Mallory, Erik' via CAS Community
All,
I’m trying out CAS 5.2.1 in our development environment. One of our services 
uses a splash screen that sends the username and password encrypted to the CAS 
server with a service parameter and a parameter called auto. In our CAS 5.1.1 
environment this works; we use a separate theme, and have made adjustments to 
the HTML to make it work. The user logs in, is redirected to our modified CAS 
theme and then is authenticated and redirected to the service.

In CAS 5.2.1 this configuration does not work. The service’s splash page submits 
the login information but CAS never authenticates or redirects the web browser 
back to the service.

The webflow debug looks like this in 5.1.1
2018-01-08 16:46:06,711 DEBUG 
[org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository]
 - 
2018-01-08 16:46:06,711 DEBUG 
[org.springframework.webflow.conversation.impl.SessionBindingConversationManager]
 -  
map['messagesMemento' -> map[[empty>
2018-01-08 16:46:06,711 DEBUG 
[org.springframework.webflow.conversation.impl.SessionBindingConversationManager]
 - 
2018-01-08 16:46:20,319 DEBUG 
[org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - 
2018-01-08 16:46:20,340 DEBUG 
[org.springframework.webflow.executor.FlowExecutorImpl] -  'NEVER', 'auto' -> 
'true', 'service' -> 'https://mywsu-test.wichita.edu', 'username' -> 'USER']>
2018-01-08 16:46:20,341 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 

2018-01-08 16:46:20,341 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - 
2018-01-08 16:46:20,341 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] -  'NEVER', 'auto' -> 'true', 'service' -> 
'https://mywsu-test.wichita.edu', 'username' -> 'USER']>
2018-01-08 16:46:20,341 DEBUG [org.springframework.webflow.engine.Flow] - 

2018-01-08 16:46:20,342 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2018-01-08 16:46:20,342 DEBUG 
[org.springframework.webflow.execution.AnnotatedAction] - 


And 5.2.1 looks like this:

2018-01-04 10:56:48,569 TRACE 
[org.springframework.web.servlet.DispatcherServlet] - 
2018-01-04 10:56:48,569 TRACE 
[org.springframework.web.servlet.DispatcherServlet] - 
2018-01-04 10:56:48,569 TRACE 
[org.springframework.web.servlet.DispatcherServlet] - 
2018-01-04 10:56:48,608 DEBUG 
[org.springframework.webflow.executor.FlowExecutorImpl] -  'NEVER', 'auto' -> 
'true', 'service' -> 'https://mywsu-dev.wichita.edu', 'username' -> 'USER']>
2018-01-04 10:56:48,608 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 

2018-01-04 10:56:48,610 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - 
2018-01-04 10:56:48,683 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] -  'NEVER', 'auto' -> 'true', 'service' -> 
'https://mywsu-dev.wichita.edu', 'username' -> 'USER']>
2018-01-04 10:56:48,694 DEBUG [org.springframework.webflow.engine.Flow] - 

2018-01-04 10:56:48,753 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2018-01-04 10:56:48,754 TRACE 
[org.springframework.aop.aspectj.annotation.AnnotationAwareAspectJAutoProxyCreator]
 - 
2018-01-04 10:56:48,754 TRACE 
[org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator] - 

2018-01-04 10:56:48,756 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2018-01-04 10:56:48,770 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2018-01-04 10:56:48,771 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 

So what changed?
Any help would be greatly appreciated.

Thanks,
Erik Mallory
Server Analyst
Wichita State University



[cas-user] CAS 5.1.1 Login Throttle logging

2017-12-08 Thread 'Mallory, Erik' via CAS Community
Hello,
When the Throttle Logging gets tripped I get the following log message.
2017-12-04 08:23:41,729 WARN 
[org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter]
 - 

I’m throttling based on username; our CAS nodes are behind a load balancer, so 
the IP address isn’t of use.

I’ve configured our Nagios install to scrape the logs for this string to create 
an alert, so we can see how often our CAS system is getting hit with some type 
of brute-force attack. I would like to know which accounts are being used for 
these attacks. How do I configure CAS or log4j to write the account being 
throttled to either the cas.log or cas_audit.log?


Erik Mallory
Server Analyst
Wichita State University
316.978.3502
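
One way to get per-account numbers from the audit trail rather than from the throttle warning (an added example, not from the original post): group AUTHENTICATION_FAILED records in cas_audit.log by WHO, since the client address is always the load balancer. The multi-line record layout, the logger name, the sample records, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGGER = "org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
RULE = "=" * 61


def _record(ts, who, action):
    """Build one constructed audit record in the assumed Inspektr text layout."""
    return "\n".join([
        f"{ts},000 INFO [{LOGGER}] - <Audit trail record BEGIN", RULE,
        f"WHO: {who}", f"WHAT: Supplied credentials: [{who}]",
        f"ACTION: {action}", "APPLICATION: CAS", "WHEN: (omitted)",
        "CLIENT IP ADDRESS: 192.0.2.10",  # always the load balancer
        "SERVER IP ADDRESS: 192.0.2.20", RULE, "", ">", ""])


# Constructed sample: made-up users, documentation-range addresses.
SAMPLE = "".join(
    [_record(f"2017-12-04 08:{m}:00", "bwayne", "AUTHENTICATION_FAILED")
     for m in ("00", "05", "10")]                      # slow, spread out
    + [_record("2017-12-04 08:20:00", "asmith", "AUTHENTICATION_FAILED"),
       _record("2017-12-04 08:20:10", "asmith", "AUTHENTICATION_SUCCESS")]
    + [_record(f"2017-12-04 08:23:{s}", "JDoe", "AUTHENTICATION_FAILED")
       for s in ("38", "39", "40", "41")])             # burst on one account

BEGIN = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*Audit trail record BEGIN")
FIELD = re.compile(r"^(WHO|ACTION): (.*)$")


def parse_records(text):
    """Return [{'ts': datetime, 'WHO': str, 'ACTION': str}, ...]."""
    records, current = [], None
    for line in text.splitlines():
        begin = BEGIN.match(line)
        if begin:
            ts = datetime.strptime(begin.group(1), "%Y-%m-%d %H:%M:%S")
            current = {"ts": ts}
            records.append(current)
            continue
        field = FIELD.match(line.strip())
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    # Drop truncated records that never reached WHO/ACTION.
    return [r for r in records if "WHO" in r and "ACTION" in r]


def accounts_over_threshold(records, threshold=3, window=timedelta(seconds=60)):
    """Map account -> largest number of failures seen inside one window."""
    failures = defaultdict(list)
    for rec in records:
        if rec["ACTION"] == "AUTHENTICATION_FAILED":
            failures[rec["WHO"].lower()].append(rec["ts"])
    flagged = {}
    for who, stamps in failures.items():
        stamps.sort()
        start = best = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[who] = best
    return flagged


if __name__ == "__main__":
    for who, count in accounts_over_threshold(parse_records(SAMPLE)).items():
        print(f"{who}: {count} failed logins within 60s")
```
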



[cas-user] SAML 1.1 CAS validation issue

2017-11-06 Thread 'Mallory, Erik' via CAS Community
Hello,
I have the majority of our applications at my institution working with CAS 5.1; 
however, there is one application that has me stumped. On the first login, the 
application to be authenticated returns an Error 500. I didn’t find much useful 
information in said application’s logs. However, I did find the following in the 
cas.log:
ERROR [org.apereo.cas.DefaultCentralAuthenticationService] - https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html;GLMSSESSIONID=WxCSML_XeujsoTWJMmjX3ommfnVFNFUtrZXisYsVjqEwts3aQN2V!-1491267655]
 does not match supplied service 
[org.apereo.cas.support.saml.authentication.principal.SamlService@732d3ee7[id=https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html,originalUrl=https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html,artifactId=ST-16-JHtqjsPbcvBASRxrWKZc-cas-test.wichita.edu,principal=,loggedOutAlready=false,format=XML]]>

Clearing the above error up a bit:
This link 
https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html;GLMSSESSIONID=WxCSML_XeujsoTWJMmjX3ommfnVFNFUtrZXisYsVjqEwts3aQN2V!-1491267655

Does not match this link 
https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html,originalUrl=https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html,artifactId=ST-16-JHtqjsPbcvBASRxrWKZc-cas-test.wichita.edu,principal=,loggedOutAlready=false,format=XML

Now when I remove everything after 
https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html and retry the 
URL, everything works as it should.

The service definition for this service is very permissive: 
^(http|https)://banapp-test.wichita.edu.*

My saml configuration is basic:
##
# SAML Core configuration
 cas.samlCore.ticketidSaml2=false
 cas.samlCore.skewAllowance=5
 cas.samlCore.issueLength=30
 cas.samlCore.attributeNamespace=http://www.ja-sig.org/products/cas/
 cas.samlCore.issuer=cas-test.wichita.edu
 cas.samlCore.securityManager=com.sun.org.apache.xerces.internal.util.SecurityManager

Any help on this issue would be greatly appreciated.
Thanks,
Erik Mallory
Server Analyst
Wichita State University
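
The two service values from the cas.log excerpt above, compared component by component (an added example, not part of the original post or of CAS). It uses the URLs and the service definition pattern from the message, takes the `id=` value of the SamlService as the supplied service, and its function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Values copied from the message above.
ISSUED = ("https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html"
          ";GLMSSESSIONID=WxCSML_XeujsoTWJMmjX3ommfnVFNFUtrZXisYsVjqEwts3aQN2V"
          "!-1491267655")
SUPPLIED = "https://banapp-test.wichita.edu/tvlexp/tvlexp-flex/index.html"
SERVICE_ID_PATTERN = r"^(http|https)://banapp-test.wichita.edu.*"


def split_path_params(path):
    """Separate ';name=value' path parameters from every path segment."""
    clean, params = [], []
    for segment in path.split("/"):
        name, *rest = segment.split(";")
        clean.append(name)
        params.extend(p for p in rest if p)
    return "/".join(clean), params


def components(url):
    """Break a service URL into the parts that an exact comparison covers."""
    parts = urlsplit(url)  # urlsplit leaves ';params' inside the path
    path, params = split_path_params(parts.path)
    return {
        "scheme": parts.scheme.lower(),
        "host": (parts.hostname or "").lower(),
        "port": parts.port,
        "path": path,
        "path_params": params,
        "query": parts.query,
    }


def explain_mismatch(first, second):
    """Return {component: (first_value, second_value)} for parts that differ."""
    a, b = components(first), components(second)
    return {key: (a[key], b[key]) for key in a if a[key] != b[key]}


def matches_service_definition(url, pattern=SERVICE_ID_PATTERN):
    """True when the URL is accepted by the registered service pattern."""
    return re.match(pattern, url) is not None


if __name__ == "__main__":
    for label, url in (("issued", ISSUED), ("supplied", SUPPLIED)):
        print(label, "matches definition:", matches_service_definition(url))
    print("identical strings:", ISSUED == SUPPLIED)
    for key, (a, b) in explain_mismatch(ISSUED, SUPPLIED).items():
        print(f"differs in {key}: {a!r} vs {b!r}")
```

Both URLs satisfy the service definition pattern, so the pattern is not what distinguishes them; the only component that differs is the `;GLMSSESSIONID=...` path parameter.
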
