[cas-user] Re: Delegate Auth and SAML IDP - BYPASS WAYF not working in 6.3 as it did in 5.3

2022-04-11 Thread Alin Tomoiaga
Hi Andrew, any luck with this? I am having the same issue. I have tried 
6.3, 6.4 and 6.5. Thanks.

On Thursday, July 22, 2021 at 8:01:34 AM UTC-5 Andrew Marker wrote:

>
> Sorry, little typo:
>
>
> https://login.test.ku.edu/cas/clientredirect?client_name=Delegate%20Test=https%3A%2F%2Flogin.test.ku.edu%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3Dtouchnet-test-tbp%26SAMLRequest%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%252BPHNhbWwycDpOYW1lSURQb2xpY3kgQWxsb3dDcmVhdGU9InRydWUiLz48L3NhbWwycDpBdXRoblJlcXVlc3Q%252B%26RelayState=en
> On Thursday, July 22, 2021 at 6:37:19 AM UTC-5 Andrew Marker wrote:
>
>> Hi all,
>>
>> I'm trying to make the jump to 6.3 and everything is working as I had 
>> hoped excepting one item.  I was asked to provide a way for a specific 
>> routing that leveraged delegate auth for a given service (Touchnet Payment 
>> Gateway).  I initially tried many variations of routing through 
>> https://login.test.ku.edu/cas/idp/profile/SAML2/Unsolicited/SSO?providerId=touchnet-test-tbp
>> but ultimately I needed the user authenticated to CAS prior to routing 
>> through the delegate, and I came up with the following solution.
>>
>> The CAS delegate auth provider passes the following parameters to the 
>> client redirect endpoint and the auth is routed through CAS and on into 
>> Touchnet.  Essentially the request is routed back to the same instance of 
>> CAS with info to initiate the auth for an IDP-initiated auth.  At this point 
>> the user already has a session in CAS and the IDP will validate the user 
>> once the user is routed to the SP.
>>
>>
>> https://login.test.ku.edu/clientredirect?client_name=Delegate%20Test=https%3A%2F%2Flogin.test.ku.edu%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3Dtouchnet-test-tbp%26SAMLRequest%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%252BPHNhbWwycDpOYW1lSURQb2xpY3kgQWxsb3dDcmVhdGU9InRydWUiLz48L3NhbWwycDpBdXRoblJlcXVlc3Q%252B%26RelayState=en
>>
>> ---
>> My delegate settings; below are the updated names to match the settings in 
>> 6.3.
>>
>> cas.authn.pac4j.cas[1].login-url=https://beakem.test.ku.edu/tn/login
>> cas.authn.pac4j.cas[1].principal-attribute-id=uid
>> cas.authn.pac4j.cas[1].protocol=CAS30
>> cas.authn.pac4j.cas[1].client-name=Delegate Test
>> cas.authn.pac4j.cas[1].callback-url-type=QUERY_PARAMETER
>>
>> idp settings
>> cas.authn.saml-idp.entity-id=https://login.test.ku.edu/cas/idp/metadata
>> cas.samlCore.skew-allowance=15
>> cas.authn.saml-idp.metadata.location=file:/etc/cas/config/saml-idp/
>> cas.authn.saml-idp.metadata.cache-expiration-minutes=120
>> # replicate sessions by default is false
>> cas.authn.saml-idp.replicate-sessions=true
>> # default attribute-query-profile-enabled is false
>> cas.authn.saml-idp.attribute-query-profile-enabled=false
>> cas.authn.saml-idp.logout.force-signed-logout-requests=false
>> cas.authn.saml-idp.response.default-attribute-name-format=uri
>> 
>> This is the error in 6.3.5, and I did not see it in any of the 5.3.x 
>> versions this has been configured with.
>>
>> java.lang.IllegalArgumentException: SAML request could not be determined from the authentication request
>> at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.retrieveSamlAuthenticationRequestFromHttpRequest(AbstractSamlIdPProfileHandlerController.java:183)
>> at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleCallbackProfileRequest(SSOSamlIdPProfileCallbackHandlerController.java:45)
>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at 

[cas-user] Re: cas delegate skip WAYF screen

2021-07-21 Thread Alin Tomoiaga
I do see this: "CAS does allow options for auto-redirection of the 
authentication flow to a provider, if only there is a single provider 
available and configured." 
(https://apereo.github.io/cas/5.2.x/integration/Delegate-Authentication.html#user-interface).
But this is such a useful feature, particularly when there are multiple 
providers. Is there a way to turn it on for multiple providers?

On Wednesday, July 21, 2021 at 9:35:40 AM UTC-5 Alin Tomoiaga wrote:

> This is the behavior that I am seeing in 5.2.7:
> - if I have a single delegated idp, this works: 
> https://myapppretectedwithcas?client_name=remoteidp1. It works great; I 
> get redirected to remoteidp1 and come back to the app, great. 
>
> cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
> cas.authn.pac4j.cas[0].protocol=CAS20
> cas.authn.pac4j.cas[0].clientName=remoteidp1
> cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything
>
> cas.authn.pac4j.autoRedirect=true # i guess this works
>
> - but if I have two idps, then 
> https://myapppretectedwithcas?client_name=remoteidp1 does not work 
> anymore
>
> cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
> cas.authn.pac4j.cas[0].protocol=CAS20
> cas.authn.pac4j.cas[0].clientName=remoteidp1
> cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything
>
> cas.authn.pac4j.autoRedirect=true # i guess this works
>
> cas.authn.pac4j.cas[1].loginUrl=https://remoteidp2/cas/login
> cas.authn.pac4j.cas[1].protocol=CAS20
> cas.authn.pac4j.cas[1].clientName=remoteidp2
>
> Now, nothing works. This does not work, meaning the user is just presented 
> with the WAYF page but is not sent to the IDPs directly:
> https://myapppretectedwithcas?client_name=remoteidp2
> this does not work:
> https://myapppretectedwithcas?client_name=remoteidp1
>
> Thank you for your help!
> Best.
>
> On Wednesday, July 21, 2021 at 9:00:43 AM UTC-4 Alin Tomoiaga wrote:
>
>> How can we skip the WAYF (choose IDP screen) when delegating to multiple 
>> IDPs?
>>
>> Consider the scenario:
>> - our cas delegates to two other cas servers
>> - when the user logs in, they are presented with a screen allowing them to 
>> choose the IDP
>> - every time the user logs in, they need to choose the idp.
>> - is there a way to cache/save the choice as a default and/or provide 
>> the user with a url that will take them directly to the desired IDP?
>>
>> Thanks
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a9fc5db5-4690-45b1-9385-ce2a886594d8n%40apereo.org.


[cas-user] Re: cas delegate skip WAYF screen

2021-07-21 Thread Alin Tomoiaga
This is the behavior that I am seeing in 5.2.7:
- if I have a single delegated idp, this works: 
https://myapppretectedwithcas?client_name=remoteidp1. It works great; I 
get redirected to remoteidp1 and come back to the app, great. 

cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
cas.authn.pac4j.cas[0].protocol=CAS20
cas.authn.pac4j.cas[0].clientName=remoteidp1
cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything

cas.authn.pac4j.autoRedirect=true # i guess this works

- but if I have two idps, then 
https://myapppretectedwithcas?client_name=remoteidp1 does not work 
anymore

cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
cas.authn.pac4j.cas[0].protocol=CAS20
cas.authn.pac4j.cas[0].clientName=remoteidp1
cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything

cas.authn.pac4j.autoRedirect=true # i guess this works

cas.authn.pac4j.cas[1].loginUrl=https://remoteidp2/cas/login
cas.authn.pac4j.cas[1].protocol=CAS20
cas.authn.pac4j.cas[1].clientName=remoteidp2

Now, nothing works. This does not work, meaning the user is just presented 
with the WAYF page but is not sent to the IDPs directly:
https://myapppretectedwithcas?client_name=remoteidp2
this does not work:
https://myapppretectedwithcas?client_name=remoteidp1

Thank you for your help!
Best.

On Wednesday, July 21, 2021 at 9:00:43 AM UTC-4 Alin Tomoiaga wrote:

> How can we skip the WAYF (choose IDP screen) when delegating to multiple 
> IDPs?
>
> Consider the scenario:
> - our cas delegates to two other cas servers
> - when the user logs in, they are presented with a screen allowing them to 
> choose the IDP
> - every time the user logs in, they need to choose the idp.
> - is there a way to cache/save the choice as a default and/or provide the 
> user with a url that will take them directly to the desired IDP?
>
> Thanks
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0fa27ebf-0e4d-4888-b367-52cfeb45db22n%40apereo.org.


Re: [cas-user] buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

2021-07-21 Thread Alin Tomoiaga
Thank you very much, I appreciate your time and opinion.

Best,
Alin

On Wednesday, July 21, 2021 at 10:31:58 AM UTC-4 Alin Tomoiaga wrote:

> Hi @leleuj,
>
> This is the behavior that I am seeing in 5.2.7:
> - if I have a single delegated idp, this works: 
> https://myapppretectedwithcas?client_name=remoteidp1. It works great; I get 
> redirected to remoteidp1 and come back to the app, great. 
>
> cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
> cas.authn.pac4j.cas[0].protocol=CAS20
> cas.authn.pac4j.cas[0].clientName=remoteidp1
> cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything
>
> cas.authn.pac4j.autoRedirect=true # i guess this works
>
> - but if I have two idps, then 
> https://myapppretectedwithcas?client_name=remoteidp1 does not work anymore
>
> cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
> cas.authn.pac4j.cas[0].protocol=CAS20
> cas.authn.pac4j.cas[0].clientName=remoteidp1
> cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything
>
> cas.authn.pac4j.autoRedirect=true # i guess this works
>
> cas.authn.pac4j.cas[1].loginUrl=https://remoteidp2/cas/login
> cas.authn.pac4j.cas[1].protocol=CAS20
> cas.authn.pac4j.cas[1].clientName=remoteidp2
>
> Now, nothing works. This does not work, meaning the user is just presented 
> with the WAYF page but is not sent to the IDPs directly:
> https://myapppretectedwithcas?client_name=remoteidp2
> this does not work:
> https://myapppretectedwithcas?client_name=remoteidp1
>
>
>
>
>
> On Friday, April 20, 2018 at 9:04:25 AM UTC-4 leleuj wrote:
>
>> Hi,
>>
>> I'm resuming on your latest message.
>>
>> Yes, you do need a callback URL for your application.
>>
>> This is the doc you are looking for: 
>> https://apereo.github.io/cas/5.2.x/installation/Service-Management.html
>>
>> Every time you want an application to log in to the CAS server, the CAS 
>> server must know it. Thus the declaration of the CAS services and callback 
>> URLs.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>>
>> On Thu, Apr 19, 2018 at 10:39 PM, Steve Hespelt wrote:
>>
>>> Well, I stumbled across a few config properties I decided to try 
>>> (desperate people do desperate things...)
>>>
>>> cas.http-web-request.cors.allow-credentials=true
>>> # ? where are login requests coming from? Our webapp server name(s)
>>> # is this needed to get the final redirect back to our app ??
>>> cas.http-web-request.cors.allow-origins=localhost
>>> # ?? 
>>> cas.webflow.redirect-same-state=true
>>>
>>> Restarted CAS, same test case.
>>> now I see this warning log:
>>> 2018-04-19 15:47:48,430 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.>
>>>  I have to have a Service defined for the call back to the initial 
>>> app ???
>>>
>>>
>>> 2018-04-19 15:47:48,432 DEBUG 
>>> [org.springframework.webflow.engine.impl.FlowExecutionImpl] - >> to handle [org.springframework.webflow.execution.ActionExecutionException: 
>>> Exception thrown executing 
>>> org.apereo.cas.web.flow.ServiceAuthorizationCheck@5fad865 in state 
>>> 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes 
>>> were 'map[[empty]]'] with root cause 
>>> [org.apereo.cas.services.UnauthorizedServiceException: Service Management: 
>>> missing service. Service [
>>> https://localhost:8449/callback?client_name=CasClient] is not found in 
>>> service registry.]>
>>>
>>> Has anyone actually gotten delegated authentication to flow from CAS 
>>> back to an app that used the CAS protocol to request authentication to 
>>> work? using CAS 5.2.x ?  Reading tons of CAS docs have provided no magic 
>>> beans, nor did any page mention having to have a call back service 
>>> defined...
>>> Am I frustrated? You bet.
>>> Is it correct for me to assume that this use case is 'typical' and that 
>>> being typical, 
>>> the default webflow definitions in CAS 5.2.2 ought to provide for it 
>>> working? The docs at 
>>> https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html 
>>> certainly suggest to me that's the case.
>>> Sure would like to make use of many of the posit

Re: [cas-user] buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

2021-07-21 Thread Alin Tomoiaga
Hi @leleuj,

This is the behavior that I am seeing in 5.2.7:
- if I have a single delegated idp, this works: 
https://myapppretectedwithcas?client_name=remoteidp1. It works great; I get 
redirected to remoteidp1 and come back to the app, great. 

cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
cas.authn.pac4j.cas[0].protocol=CAS20
cas.authn.pac4j.cas[0].clientName=remoteidp1
cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything

cas.authn.pac4j.autoRedirect=true # i guess this works

- but if I have two idps, then 
https://myapppretectedwithcas?client_name=remoteidp1 does not work anymore

cas.authn.pac4j.cas[0].loginUrl=https://remoteidp1/cas/login
cas.authn.pac4j.cas[0].protocol=CAS20
cas.authn.pac4j.cas[0].clientName=remoteidp1
cas.authn.pac4j.cas[0].autoRedirect=true # not sure if this does anything

cas.authn.pac4j.autoRedirect=true # i guess this works

cas.authn.pac4j.cas[1].loginUrl=https://remoteidp2/cas/login
cas.authn.pac4j.cas[1].protocol=CAS20
cas.authn.pac4j.cas[1].clientName=remoteidp2

Now, nothing works. This does not work, meaning the user is just presented 
with the WAYF page but is not sent to the IDPs directly:
https://myapppretectedwithcas?client_name=remoteidp2
this does not work:
https://myapppretectedwithcas?client_name=remoteidp1





On Friday, April 20, 2018 at 9:04:25 AM UTC-4 leleuj wrote:

> Hi,
>
> I'm resuming on your latest message.
>
> Yes, you do need a callback URL for your application.
>
> This is the doc you are looking for: 
> https://apereo.github.io/cas/5.2.x/installation/Service-Management.html
>
> Every time you want an application to log in to the CAS server, the CAS 
> server must know it. Thus the declaration of the CAS services and callback 
> URLs.
>
> Thanks.
> Best regards,
> Jérôme
>
>
>
> On Thu, Apr 19, 2018 at 10:39 PM, Steve Hespelt wrote:
>
>> Well, I stumbled across a few config properties I decided to try 
>> (desperate people do desperate things...)
>>
>> cas.http-web-request.cors.allow-credentials=true
>> # ? where are login requests coming from? Our webapp server name(s)
>> # is this needed to get the final redirect back to our app ??
>> cas.http-web-request.cors.allow-origins=localhost
>> # ?? 
>> cas.webflow.redirect-same-state=true
>>
>> Restarted CAS, same test case.
>> now I see this warning log:
>> 2018-04-19 15:47:48,430 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.>
>>  I have to have a Service defined for the call back to the initial 
>> app ???
>>
>>
>> 2018-04-19 15:47:48,432 DEBUG 
>> [org.springframework.webflow.engine.impl.FlowExecutionImpl] - > to handle [org.springframework.webflow.execution.ActionExecutionException: 
>> Exception thrown executing 
>> org.apereo.cas.web.flow.ServiceAuthorizationCheck@5fad865 in state 
>> 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes 
>> were 'map[[empty]]'] with root cause 
>> [org.apereo.cas.services.UnauthorizedServiceException: Service Management: 
>> missing service. Service [
>> https://localhost:8449/callback?client_name=CasClient] is not found in 
>> service registry.]>
>>
>> Has anyone actually gotten delegated authentication to flow from CAS back 
>> to an app that used the CAS protocol to request authentication to work? 
>> using CAS 5.2.x ?  Reading tons of CAS docs have provided no magic beans, 
>> nor did any page mention having to have a call back service defined...
>> Am I frustrated? You bet.
>> Is it correct for me to assume that this use case is 'typical' and that 
>> being typical, 
>> the default webflow definitions in CAS 5.2.2 ought to provide for it 
>> working? The docs at 
>> https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html 
>> certainly suggest to me that's the case.
>> Sure would like to make use of many of the positive features described in 
>> CAS 5.2.x. But I have to wonder if I'm missing much of the necessary 
>> details.  I would like to avoid implementing all the features myself. Never 
>> been a big fan of the "let's reinvent the wheel" school of development. 
>> But...
>>
>> Any insights, magic beans greatly appreciated.
>> -steve 
>>
>>
>> On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>>>
>>> Hi Jérôme,
>>> I found an earlier posting from 12/21/17 regarding the NPEs, so as 
>>> suggested by that posting, I restarted CAS & then cleared all related 
>>> cookies from the browser. Once I restarted CAS & re-initiated the same 
>>> flow, no more NPE as shown in my log. 
>>> But I still have the problem with the webflow not finishing as I expect.
>>> I increased the log level to trace on a few packages:
>>> org.apereo.cas.web.flow
>>> 

[cas-user] Re: Multiple PAC4J Clients - Unauthorized Access

2021-07-21 Thread Alin Tomoiaga
Have you managed to find an answer to this question? I am very much 
interested in the same thing.

On Saturday, March 24, 2018 at 11:55:47 AM UTC-4 ssog...@gmail.com wrote:

> Well, I guess /cas/login?client_name=SAML2Client is allowed only for 
> SAMLResponse (HTTP POST operation).
>
> The autoredirect works with the following parameters, only when there is one 
> client, for example SAML2Client or abc in the example below.
>
> cas.authn.pac4j.typedIdUsed=true
> cas.authn.pac4j.autoRedirect=true
>
> How do we allow autoredirect when there are multiple pac4j clients, and the 
> client name is sent in the query string?
>
> Now that /login?client_name=xxx is not designed for this purpose, is there 
> another end point such as /redirectclient?client_name= ?
>
>
>
> On Fri, Mar 23, 2018 at 11:32 AM, RJ  wrote:
>
>> One PAC4J client works great, however, when multiple clients are defined,
>>
>> Login flow throws an error:
>>
>> /cas/login?client_name=abc throws error: Unauthorized Access 
>> /cas/login?client_name=def throws error: Unauthorized Access 
>> /cas/login shows the default login page
>>
>>
>> properties:
>> cas.authn.pac4j.saml[0].clientName=abc
>> cas.authn.pac4j.saml[0].keystorePassword=
>> cas.authn.pac4j.saml[0].privateKeyPassword=
>> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://tempsp01.example.com
>> ..
>>
>> cas.authn.pac4j.saml[1].clientName=def
>> cas.authn.pac4j.saml[1].keystorePassword=
>> cas.authn.pac4j.saml[1].privateKeyPassword=
>> cas.authn.pac4j.saml[1].serviceProviderEntityId=https://tempsp01.example.com
>> ..
>>
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7aedb39f-ef22-48f6-b926-f6e2d44a624bn%40apereo.org.


[cas-user] cas delegate skip WAYF screen

2021-07-21 Thread Alin Tomoiaga
How can we skip the WAYF (choose IDP screen) when delegating to multiple 
IDPs?

Consider the scenario:
- our cas delegates to two other cas servers
- when the user logs in, they are presented with a screen allowing them to 
choose the IDP
- every time the user logs in, they need to choose the idp.
- is there a way to cache/save the choice as a default and/or provide the 
user with a url that will take them directly to the desired IDP?

Thanks

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/de702bd6-0722-4c93-88e3-a23013f7a02en%40apereo.org.


[cas-user] Re: Help with redirecting user after terminating sessions

2021-07-21 Thread Alin Tomoiaga
I am also interested in this question. Have you found an answer?
Thanks.

On Tuesday, April 16, 2019 at 1:47:05 PM UTC-4 deejam wrote:

> No one has any experience with the CAS logout flow when delegating 
> authentication to a third party SAML IDP?
>
> It seems like we basically need to preserve the value of the service 
> parameter when passed in via /logout?service=
> https://app-that-uses-cas.example.com, and pass it to the third party idp 
> so it can handle the redirect back to the app where the logout originated. 
>
> Or maybe we rethink it and switch to a model where logouts across all apps 
> land on the same logout landing page. 
>
> Other thoughts?
>
> Thanks,
> Majeed
>
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/22041589-4dfd-49b2-85ba-eeefa7fa029fn%40apereo.org.


[cas-user] Re: logging saml response xml

2020-02-06 Thread Alin Tomoiaga
It works great. Great advice. Thank you.

On Wednesday, February 5, 2020 at 7:23:50 PM UTC-6, Alin Tomoiaga wrote:
>
> Hi Andy, thank you very much for the help. I will try it tomorrow and 
> report my findings 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/451a889b-1fd7-46c5-8fea-278fc53cf544%40apereo.org.


[cas-user] Re: logging saml response xml

2020-02-05 Thread Alin Tomoiaga
Hi Andy, thank you very much for the help. I will try it tomorrow and report my 
findings 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9a17bcc4-b165-4910-83ae-ef9382eccfa6%40apereo.org.


[cas-user] logging saml response xml

2020-01-31 Thread Alin Tomoiaga


Hi everyone,

Do you know what logging setting I need to turn on to be able to see the 
samlRequests and samlResponses in clear text in the logs? 

Our cas server is configured as a saml idp.

(For the cas protocol, I can turn on logging to see the validation xml 
messages, but I do not seem to be able to turn on just the right knob for 
the saml messages.)

We would like to monitor changes in the saml communication (sometimes sp's 
change their metadata without telling us), and I would like to be able to 
see the entire xml in the logs:

<saml2p:Response Destination="https://app.ca1.chromeriver.com/login/sso/saml/consume?customerId=2260" ID="_8921793056161713360" InResponseTo="_46f07e73-2207-47c0-8b61-bec1ae529cbe" IssueInstant="2020-01-23T22:39:24.667Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bade9b85-0b2d-42f7-883f-1d8501689a8d%40apereo.org.
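Two of the threads above come down to getting at the SAML XML hidden inside its transport wrappers: the 6.3 delegated-auth thread, whose callback fails with "SAML request could not be determined from the authentication request", and this one, which asks how to see the samlRequests and samlResponses in clear text. The Python below is an added example, not code from the threads or from CAS itself. It unwraps a nested clientredirect -> SAML2/Callback URL of the shape posted in the 6.3 thread, decodes the Redirect-binding SAMLRequest it carries (base64 over raw DEFLATE), decodes a POST-binding SAMLResponse (plain base64), and returns the fields a practitioner would want in a log line. Everything in it is constructed: the example.edu and example.com hosts, the message IDs and XML, and the assumption that the second clientredirect parameter, whose name did not survive in the archived URL, is called service.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_message(value: str) -> str:
    """POST binding carries base64(XML); Redirect binding carries base64(raw DEFLATE(XML))."""
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):          # already XML, so this came via the POST binding
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")   # wbits=-15: raw DEFLATE, no zlib header


def encode_redirect_binding(xml_text: str) -> str:
    """Inverse of the Redirect-binding decode; used here only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def summarize(xml_text: str) -> dict:
    """Fields of an AuthnRequest or Response that are worth writing to a log."""
    root = ET.fromstring(xml_text)
    namespace, _, kind = root.tag.partition("}")
    if namespace != "{" + SAMLP or kind not in ("AuthnRequest", "Response"):
        raise ValueError("not a SAML 2.0 protocol message: " + root.tag)
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "kind": kind,
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "issuer": None if issuer is None else issuer.text,
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def find_saml_request(url: str, max_depth: int = 3):
    """Follow nested URLs (clientredirect -> callback) until a SAMLRequest parameter appears.
    Returns (SAMLRequest, RelayState), or (None, None) when no request is reachable, which is
    the condition the 6.3 thread's IllegalArgumentException message describes."""
    for _ in range(max_depth):
        qs = parse_qs(urlparse(url).query)   # strips one layer of percent-encoding per pass
        if "SAMLRequest" in qs:
            return qs["SAMLRequest"][0], qs.get("RelayState", [None])[0]
        nested = next((v[0] for v in qs.values() if v[0].startswith(("https://", "http://"))), None)
        if nested is None:
            break
        url = nested
    return None, None


def build_clientredirect_url(cas_base, client_name, entity_id, saml_request, relay_state):
    """Nested URL in the shape the delegated-auth thread posts. Assumption: the parameter
    carrying the callback URL is named 'service' (its name is missing in the archived URL)."""
    callback = cas_base + "/idp/profile/SAML2/Callback?" + urlencode(
        {"entityId": entity_id, "SAMLRequest": saml_request, "RelayState": relay_state})
    return cas_base + "/clientredirect?" + urlencode({"client_name": client_name, "service": callback})


# Constructed sample messages, shaped like the ones in the threads but with placeholder hosts.
SAMPLE_AUTHN_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="%s" xmlns:saml2="%s" ID="_req-0001" Version="2.0" '
    'IssueInstant="2021-07-22T13:00:00Z" '
    'Destination="https://login.example.edu/cas/idp/profile/SAML2/Redirect/SSO" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/consume">'
    '<saml2:Issuer>https://sp.example.com/metadata</saml2:Issuer></saml2p:AuthnRequest>'
) % (SAMLP, SAML)

SAMPLE_RESPONSE = (
    '<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" '
    'Destination="https://sp.example.com/saml/consume" ID="_resp-0001" '
    'InResponseTo="_req-0001" IssueInstant="2021-07-22T13:00:01Z" Version="2.0">'
    '<saml2:Issuer>https://login.example.edu/cas/idp/metadata</saml2:Issuer>'
    '<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</saml2p:Status></saml2p:Response>'
) % (SAMLP, SAML)


def demo():
    """Round trip: build the nested URL, dig the request back out, decode both messages."""
    url = build_clientredirect_url("https://login.example.edu/cas", "Delegate Test",
                                   "https://sp.example.com/metadata",
                                   encode_redirect_binding(SAMPLE_AUTHN_REQUEST), "en")
    saml_request, relay_state = find_saml_request(url)
    request_summary = summarize(decode_saml_message(saml_request))
    post_value = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")
    response_summary = summarize(decode_saml_message(post_value))
    return relay_state, request_summary, response_summary


if __name__ == "__main__":
    for item in demo():
        print(item)
```

find_saml_request is the part to point at a URL copied from the browser or from a CAS debug line; decode_saml_message on the SAMLResponse form field is what yields the XML this thread wants to see, which can then be written to the log at whatever level the deployment allows.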


[cas-user] cas 6.0 wsfed idp - how to set the audience?

2019-06-05 Thread Alin Tomoiaga
Hi,

How can I set the audience restriction?

"SAML Audience restriction" is the configuration in Microsoft ADFS; how 
can I do the same with cas 6.0 wsfed idp?

(note: "CAS can act as a standalone identity provider, presenting support 
for the WS-Federation Passive Requestor Profile" according to: 
https://apereo.github.io/cas/6.0.x/protocol/WS-Federation-Protocol.html)
[image: adfs_saml_provider_name.jpg]
Thank you.



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1607208e-af2d-4084-a05f-bc9d7c574552%40apereo.org.


[cas-user] Re: CAS 5.3.6 - Ws-Federation

2019-05-28 Thread Alin Tomoiaga
Try version 6.0 of apereo cas.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0b1cee3-5d36-4ede-acf7-58e7a562f535%40apereo.org.


[cas-user] Re: cas 6 with ws federation protcol cxf policy error

2019-05-28 Thread Alin Tomoiaga
Make sure you set all the keystore properties:
cas.authn.wsfedIdp.sts.signingKeystoreFile=/etc/cas/config/ststrust.jks
cas.authn.wsfedIdp.sts.signingKeystorePassword=storepass
cas.authn.wsfedIdp.sts.encryptionKeystoreFile=/etc/cas/config/stsencrypt.jks
cas.authn.wsfedIdp.sts.encryptionKeystorePassword=storepass

cas.authn.wsfedIdp.sts.subjectNameIdFormat=unspecified
cas.authn.wsfedIdp.sts.encryptTokens=true

cas.authn.wsfedIdp.sts.realm.keystoreFile=/etc/cas/config/stscasrealm.jks
cas.authn.wsfedIdp.sts.realm.keystorePassword=storepass
cas.authn.wsfedIdp.sts.realm.keystoreAlias=realmcas
cas.authn.wsfedIdp.sts.realm.keyPassword=mypass
cas.authn.wsfedIdp.sts.realm.issuer=CAS

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ccad8db8-807f-4df5-b699-28b9d57be4ff%40apereo.org.


[cas-user] combine attributes: repository and delegated

2019-01-02 Thread Alin Tomoiaga
How can I push a combined list of delegated and local cas attributes to the app?

As stated here: 
https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html

CAS can act as a client using the pac4j security engine and delegate the 
authentication to: CAS servers, SAML2 identity providers, OAuth2, ADFS,... 

In CAS-protected applications, through service ticket validation, user 
information is pushed to the CAS client and therefore to the application 
itself.

On the CAS server side, to push attributes to the CAS client, it should be 
configured in the expected service:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "sample",
  "name" : "sample",
  "id" : 100,
  "description" : "sample",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
  }
}

But CAS also allows for jdbc attributes to be pulled from a database:
cas.authn.attributeRepository.jdbc[0].attributes.uid=uid
# cas.authn.attributeRepository.jdbc[0].attributes.displayName=displayName
# cas.authn.attributeRepository.jdbc[0].attributes.cn=commonName
# cas.authn.attributeRepository.jdbc[0].attributes.affiliation=groupMembership

# cas.authn.attributeRepository.jdbc[0].singleRow=true
# cas.authn.attributeRepository.jdbc[0].order=0

How can I combine the list of attributes from the delegated source with the 
attributes pulled from the jdbc source and push both to the app? Or at 
least only push the jdbc attributes?

Thank you.


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3b2438aa-209a-4b5e-a671-43d98fa7aafc%40apereo.org.
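As an added illustration of the combination the post asks about (this is example code written here, not code from the post or from CAS), the block below models how attributes from a delegated profile and a JDBC repository can be merged under the three strategies CAS names for cas.authn.attributeRepository.merger (REPLACE, ADD, MULTIVALUED) and then filtered by the ReturnAllowedAttributeReleasePolicy of a service definition like the one quoted above. The sample attribute values and the allowed-attribute list are constructed for the example; the merge semantics are a simplified model, not CAS's implementation.

```python
"""Model of merging two attribute sources and applying an allowed-attribute
release policy. Added illustration; the attribute maps below are constructed."""
import json

# Constructed sample: attributes from the delegated (pac4j) profile ...
DELEGATED = {"uid": ["atomoiaga"], "name": ["Alin"], "email": ["a@example.org"]}
# ... and attributes resolved from the JDBC attribute repository.
JDBC = {"uid": ["atomoiaga"], "name": ["Alin T."], "affiliation": ["staff"]}

# Service definition in the shape of the one quoted in the post (constructed values).
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "sample", "name" : "sample", "id" : 100,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "name", "affiliation", "email" ] ]
  }
}"""


def merge(primary, secondary, strategy):
    """Combine two attribute maps; every attribute is a list of string values.
    Model of the merger strategies: REPLACE lets the second source override,
    ADD keeps the first source's value, MULTIVALUED keeps both (de-duplicated)."""
    merged = {k: list(v) for k, v in primary.items()}
    for key, values in secondary.items():
        if key not in merged:
            merged[key] = list(values)
        elif strategy == "REPLACE":
            merged[key] = list(values)
        elif strategy == "MULTIVALUED":
            merged[key] += [v for v in values if v not in merged[key]]
        elif strategy != "ADD":
            raise ValueError(f"unknown merger strategy {strategy}")
    return merged


def release(attributes, service_json):
    """Apply the service's allowed-attribute list; anything not listed is dropped,
    which is the check that decides what the application actually receives."""
    policy = json.loads(service_json)["attributeReleasePolicy"]
    allowed = policy["allowedAttributes"][1]   # [ "java.util.ArrayList", [...] ]
    return {k: v for k, v in attributes.items() if k in allowed}


if __name__ == "__main__":
    for strategy in ("REPLACE", "ADD", "MULTIVALUED"):
        print(strategy, release(merge(DELEGATED, JDBC, strategy), SERVICE_JSON))
```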


[cas-user] Re: Problem integrating CAS 5.2.2 with WS Federation Identity Provider

2018-10-30 Thread Alin Tomoiaga
Hi Beni,

This has been a very frustrating issue and I have never managed to get it 
working correctly.
Interestingly, different cas versions error out but with different errors: 
5.1.9 seemed to get past this cxf error but had another problem.
(on the other hand, saml support worked like a charm with various cas 
versions)
I generated the keystore using keytool, but at this point, I am pretty sure 
this cxf error is a bug...

I would still like to get it working so still open to suggestions.


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1075d165-cadd-4244-b991-8b3632b97333%40apereo.org.


[cas-user] Re: Problem integrating CAS 5.2.2 with WS Federation Identity Provider

2018-05-25 Thread Alin Tomoiaga
One correction:

In the cxf sources, it is not
Object[] obj = this.client.invoke(boi, new Object[]{new DOMSource(writer.getDocument().getDocumentElement())});

Instead it's: 

Object obj[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d70034b-b003-440d-924c-a0dda9653000%40apereo.org.


[cas-user] Re: [WS Federation] Claims encoded in the SAML Assertion, unrecognized

2018-05-11 Thread Alin Tomoiaga
Hi Dimitri, were you able to get past the reflection STS error you reported 
in https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/MrgpGK-kxjM? 
I am debugging the same code you were talking about and hitting the same 
error... Thank you.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/45a4d64a-c267-49b6-81a0-a651ce5bbb86%40apereo.org.


[cas-user] Re: [WS Federation] Source/StaxSource error on Security Token Service Provider

2018-05-11 Thread Alin Tomoiaga
Brought up cas under debug mode:

- the error happens in 
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue() at this line:
Object[] obj = this.client.invoke(boi, new Object[]{new DOMSource(writer.getDocument().getDocumentElement())});

The error is:
org.apache.cxf.binding.soap.SoapFault: object is not an instance of 
declaring class while invoking public javax.xml.transform.Source 
org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(javax.xml.transform.Source) 
with params [org.apache.cxf.staxutils.StaxSource@601c0935].

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/28b76bca-17c6-4128-906b-00d29e002d4a%40apereo.org.


[cas-user] Re: Problem integrating CAS 5.2.2 with WS Federation Identity Provider

2018-05-11 Thread Alin Tomoiaga
Brought up cas under debug mode:

- the error happens in 
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue() at this line:
Object[] obj = this.client.invoke(boi, new Object[]{new DOMSource(writer.getDocument().getDocumentElement())});

The error is:
org.apache.cxf.binding.soap.SoapFault: object is not an instance of 
declaring class while invoking public javax.xml.transform.Source 
org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(javax.xml.transform.Source) 
with params [org.apache.cxf.staxutils.StaxSource@601c0935].


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/871c86cd-6058-4276-8342-c05cdeb9551f%40apereo.org.


Re: [cas-user] SAML Public Key for Metadata

2018-05-10 Thread Alin Tomoiaga
David, thank you for the great information you have on New School. Do you 
by any chance have a similar tutorial on setting up CAS as an ADFS idp as 
described here: 
https://apereo.github.io/cas/5.2.x/protocol/WS-Federation-Protocol.html ? 
(sorry for posting on this thread)

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d9791bfb-e4ce-4f91-bd11-270ccfd315cc%40apereo.org.


[cas-user] Re: [WS Federation] Source/StaxSource error on Security Token Service Provider

2018-05-08 Thread Alin Tomoiaga
Dmitri, Misagh Moayyed (apereo developer) advised to stand up cas in debug 
mode and step through the code.
This sounds like a lot of moving pieces will need to be configured, but 
that is the only reply I managed to get. Just fyi.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/dab61088-fda3-49e2-a885-138d5bbcb6b2%40apereo.org.


[cas-user] Re: Problem integrating CAS 5.2.2 with WS Federation Identity Provider

2018-05-08 Thread Alin Tomoiaga
I got a reply from one of the apereo developers and he did not rule out 
the possibility of a bug; he advised I should stand up cas in debug mode, which 
I will work on.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9da5d4fa-a253-409a-bcf8-9669c089a0b1%40apereo.org.