[cas-user] Documentation on bringing a CAS server online

2018-05-02 Thread Christopher Myers


I'm not quite sure the best way of going about this, so I thought I'd start 
out here.


There is a ton of documentation about the different options that are 
available for CAS, but I've yet to find a step-by-step "here's how to bring 
a new CAS server online" document, and trying to infer what all you need to 
do and in what steps just from the config file examples on the 
documentation site is rather painful and time-consuming to be honest. Since 
I document the daylights out of stuff like this as I go through it, I 
thought that I'd share what I did in case it helps others.


Is there any way that something like this could be published to the 
documentation site as some sort of getting started guide?


Chris




This document isn't universal, but it should help provide a good 
kicking-off point. It assumes that you already have a Tomcat server built 
on a Linux server, running with the default port 8080, front-ended by some 
sort of device/software that does SSL offloading and URL rewriting. (E.g., 
while the Tomcat server address would be http://casvm.school.edu:8080/cas, 
the end-user and other applications would see https://login.school.edu/cas.)


It also operates under the assumption that you're going to be pointed to a 
regular LDAP server (in my example, we use an eDirectory server, but it 
should be comparable to generic LDAP.)


The configuration below provides support for SAML attribute handling, the 
JSON service registry, login attempt throttling, and has configuration for 
the CAS password management service. (It is disabled in the configuration 
(cas.authn.pm.enabled=false) because we aren't able to take advantage of it 
at this point, but the configuration is still included below.)


I will also provide documentation on bringing online the GUI management web 
application.


Downloading, configuring, building, and deploying the CAS application 
itself:


https://github.com/apereo/cas-overlay-template
https://apereo.github.io/2017/03/28/cas5-gettingstarted-overlay/

Build the directory structure and clone the project:

> CASVM:/ # cd /opt/
> CASVM:/opt # mkdir apereo
> CASVM:/opt # cd apereo/
> CASVM:/opt/apereo # mkdir cas
> CASVM:/opt/apereo # cd cas/
> CASVM:/opt/apereo/cas # git clone https://github.com/apereo/cas-overlay-template.git
> CASVM:/opt/apereo/cas # cd cas-overlay-template
> CASVM:/opt/apereo/cas/cas-overlay-template # mkdir -p src/main/resources

Add the following to the "dependencies" element of the pom.xml file in 
/opt/apereo/cas/cas-overlay-template:

> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-ldap</artifactId>
>   <version>${cas.version}</version>
> </dependency>
>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-ldap-core</artifactId>
>   <version>${cas.version}</version>
> </dependency>
>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-saml</artifactId>
>   <version>${cas.version}</version>
> </dependency>
>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-json-service-registry</artifactId>
>   <version>${cas.version}</version>
> </dependency>
>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-pm-ldap</artifactId>
>   <version>${cas.version}</version>
> </dependency>

>
Modify the build.sh file to add the "deploy" target as well as modify the 
"clean" target. Example file attached.


Create the /etc/cas/config, /etc/cas/logs, and /etc/cas/services folders and 
set their ownership and permissions (chown's recursive flag is the capital -R):

> CASVM:/ # mkdir -p /etc/cas/config
> CASVM:/ # mkdir -p /etc/cas/logs
> CASVM:/ # mkdir -p /etc/cas/services
>
> CASVM:/ # chown -R tomcat:root /etc/cas/config
> CASVM:/ # chown -R tomcat:root /etc/cas/logs
> CASVM:/ # chown -R tomcat:root /etc/cas/services
>
> CASVM:/ # cd /etc/cas
>
> CASVM:/etc/cas # chmod u+s config
> CASVM:/etc/cas # chmod u+s logs
> CASVM:/etc/cas # chmod u+s services
>
Build the project for the first time:

> CASVM:/opt/apereo/cas/cas-overlay-template # chmod +x build.sh
> CASVM:/opt/apereo/cas/cas-overlay-template # ./build.sh package
> ..
> Creating configuration directory under /etc/cas
> Copying configuration files from etc/cas to /etc/cas
> 'etc/cas/config/application.yml' -> '/etc/cas/config/application.yml'
> 'etc/cas/config/cas.properties' -> '/etc/cas/config/cas.properties'
> 'etc/cas/config/log4j2.xml' -> '/etc/cas/config/log4j2.xml'



Set the following configuration in 
/opt/apereo/cas/cas-overlay-template/etc/cas/config/cas.properties:

> #General configuration
> cas.server.name: https://login.school.edu
> cas.server.prefix: https://login.school.edu/cas
>
> #CAS Management

[cas-user] Using the password management functionality when your LDAP doesn't support password modify extended operation (OID - 1.3.6.1.4.1.4203.1.11.1)

2018-03-09 Thread Christopher Myers
I've tried to set up the LDAP password management on our environment, per 
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-password-management, 
but it's not working for me.

After much digging and LDAP traces, I found this:

> Completed TLS handshake on connection 0x816bbc00
> DoBind on connection 0x816bbc00
> Bind name:, version:3, authentication:simple
> Sending operation result 0:"":"" to connection 0x816bbc00
> DoExtended on connection 0x816bbc00
> DoExtended: Extension Request OID: 1.3.6.1.4.1.4203.1.11.1
> *Unable to find extension handler 1.3.6.1.4.1.4203.1.11.1 in extension list*
> *Sending operation result 2:"":"Unrecognized extended operation" to connection 0x816bbc00*

I've tried using both the GENERIC and EDirectory options, with the same 
result.

Is there any alternative way besides this?

We're running eDirectory 8.8.8 with patches, but I verified that that 
extension isn't supported in our environment.

Chris

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/523c3ff8-8560-49c1-b081-082e860ec377%40apereo.org.
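A preflight check for exactly this situation, added here as an example (it is not code from the thread or from the CAS project): before pointing cas.authn.pm at a directory, dump its rootDSE with ldapsearch and confirm that the Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1) is among the advertised supportedExtension values; the same script recognises the "Unrecognized extended operation" signature from the trace above in a saved server log. The LDIF text below is a constructed sample (it lists the real StartTLS and "Who am I?" OIDs, with the Password Modify OID deliberately absent, as in the thread), and the trace lines are copied from the post.

```python
import base64
import re

# OID of the LDAP Password Modify extended operation (RFC 3062), which is
# what CAS's LDAP password management sends to the directory.
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Constructed sample of what an anonymous rootDSE query such as
#   ldapsearch -x -H ldaps://ldap.example.edu -s base -b "" supportedExtension
# might return. StartTLS (1.3.6.1.4.1.1466.20037) and "Who am I?"
# (1.3.6.1.4.1.4203.1.11.3, shown LDIF-folded across two lines) are real
# OIDs; the Password Modify OID is deliberately missing.
SAMPLE_ROOTDSE_LDIF = """\
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.1
 1.3
"""

# Server-side trace lines quoted in the thread above.
SAMPLE_TRACE = """\
DoExtended on connection 0x816bbc00
DoExtended: Extension Request OID: 1.3.6.1.4.1.4203.1.11.1
Unable to find extension handler 1.3.6.1.4.1.4203.1.11.1 in extension list
Sending operation result 2:"":"Unrecognized extended operation" to connection 0x816bbc00
"""

UNSUPPORTED_MARKERS = (
    "Unrecognized extended operation",
    "Unable to find extension handler",
)


def parse_supported_extensions(ldif_text):
    """Return the set of supportedExtension OIDs in an LDIF rootDSE dump.

    Handles LDIF line folding (continuation lines start with one space) and
    base64 values ("attr:: <b64>"), both of which ldapsearch may emit."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    oids = set()
    for line in unfolded.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "supportedextension":
            continue
        if value.startswith(":"):  # "::" marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if value:
            oids.add(value)
    return oids


def supports_password_modify(ldif_text):
    """True if the directory advertises the Password Modify extended op."""
    return PASSWORD_MODIFY_OID in parse_supported_extensions(ldif_text)


def preflight_report(ldif_text):
    """Operator-facing verdict on whether cas.authn.pm can target this server."""
    if supports_password_modify(ldif_text):
        return ("rootDSE advertises %s: the directory accepts Password Modify, "
                "so cas.authn.pm can target it." % PASSWORD_MODIFY_OID)
    return ("rootDSE does not advertise %s: the directory will answer "
            "'Unrecognized extended operation'; keep cas.authn.pm.enabled=false "
            "and handle password resets outside CAS." % PASSWORD_MODIFY_OID)


def trace_shows_unsupported_extension(trace_text, oid=PASSWORD_MODIFY_OID):
    """True if a server trace shows the given extended op being requested and
    then rejected as unsupported (the signature from the thread above)."""
    requested = ("Extension Request OID: %s" % oid) in trace_text
    rejected = any(marker in trace_text for marker in UNSUPPORTED_MARKERS)
    return requested and rejected


if __name__ == "__main__":
    print(preflight_report(SAMPLE_ROOTDSE_LDIF))
    print("trace shows unsupported extension:",
          trace_shows_unsupported_extension(SAMPLE_TRACE))
```

Run the ldapsearch query in the comment against the real directory (over LDAPS, as an account that may read the rootDSE), save the output, and feed it to preflight_report; the rootDSE answer settles the question before any password-modify traffic or eDirectory trace is needed.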


Re: [cas-user] Issues with service registry on 5.2.2

2018-02-12 Thread Christopher Myers
THANK YOU!

Thankyou thankyou thankyou thankyou thankyou thankyou thankyou thankyou 
thankyou thankyou thankyou thankyou thankyou thankyou thankyou thankyou 
..

That was driving me absolutely bonkers...



On Friday, February 9, 2018 at 4:52:55 PM UTC-6, Dmitriy Kopylenko wrote:
>
> For CAS versions 5.2+ use *cas.serviceRegistry.json.location *property: 
> https://apereo.github.io/cas/development/installation/Configuration-Properties.html#json-service-registry
>
> Cheers,
> D.
>
>
> From: Christopher Myers <chris...@gmail.com> 
> Reply: cas-...@apereo.org  <cas...@apereo.org> 
> Date: February 9, 2018 at 2:29:46 PM
> To: CAS Community <cas...@apereo.org> 
> Subject:  [cas-user] Issues with service registry on 5.2.2 

[cas-user] Issues with service registry on 5.2.2

2018-02-09 Thread Christopher Myers
I apologize in advance, I didn't realize that the jasig-cas-user list 
wasn't the current one because that's the list that showed up in my Google 
searches, and it appears to still be active based on others posting out 
there.

So I'm cross-posting to this list, which I guess is the current one?

Hi all,

This has been driving me nuts the last couple of days, so I decided to just 
reach out in case anyone had thoughts.

The long story is we used Apereo CAS up through version 4.x last year, then 
switched over to WSO2 per our SIS vendor's recommendation (Ellucian -- they 
developed CAS plugins for WSO2, and the promise of not having to maintain 
both CAS and Shibboleth servers was too great to pass up.) However, it's 
definitely not meeting our needs, so I'm in the process of switching us 
back to the regular Apereo CAS.

I'm using the maven overlay template, and things seem to be working ok so 
far, with the exception of the service registry (specifically, the JSON 
registry.) I'm running into two problems that I'm hoping someone can help 
out with.

1.) How in the world do you get CAS to not include the default Apereo and 
HTTPS/IMAPS service configuration when you package?
2.) It seems as if the ability to do an external file location for the 
service registry isn't functional on the latest version?

At this point I've googled my fingers to the bone on both issues, but 
haven't come up with the magical working combination. Based on threads like 
the following, it seems like things should just work, but none of the 
things suggested have:
https://groups.google.com/forum/#!topic/jasig-cas-user/UpflUgRKtT0
https://groups.google.com/forum/#!topic/jasig-cas-user/fukomW8Ayos
https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/IXIrh-ZqzrY
https://apereo.github.io/cas/5.1.x/installation/JSON-Service-Management.html
(and several others)

I've verified that I've got the cas-server-support-json-service-registry 
dependency added, and tried every which way to set the 
cas.serviceRegistry.config.location option (colon vs equals sign, file:, 
file://, no "file" at all, etc.) and still, it always ignores the external 
location that I've set (/etc/cas/services folder.) I've checked filesystem 
permissions (even set to 777 for a while,) and after each attempt would go 
through the regimen of:
- undeploy war
- ./build.sh clean
- ./build.sh package
- redeploy war

all to no avail, and with nothing in the catalina or CAS logs. Even if I 
set a totally bogus cas.serviceRegistry.config.location, it doesn't throw 
any errors/warnings/etc.

If I create a "src/main/resources/services" folder in the 
cas-overlay-template folder, and put a .json file in it, it gets picked up 
and dumped in the "classpath:/services" folder of the deployed application 
(/usr/share/tomcat/webapps/cas/WEB-INF/classes/services), as expected. 
Which I guess works (except for the fact that I don't want the two default 
.json services.) But I'd much rather have the .json files saved to that 
/etc/ folder if at all possible.

I'm curious if the problem is related to the 
cas-server-support-json-service-registry plugin? The reason I'm wondering 
that is because I tried to set up the cas-management webap, and it's doing 
the same thing -- instead of following my request to pull the services from 
the CAS classpath:/services location 
(file:/usr/share/tomcat/webapps/cas/WEB-INF/classes/services), it's pulling 
from its own WEB-INF/classes/services folder.

(Obviously, I'd rather have them pull from /etc/cas/services...or anywhere 
else...but barring that, I'd like for the management webapp to at least be 
functional.)

We're currently on version 5.2.2 2018-01-31T22:29Z on SLES 12 SP3, Tomcat 8.0.43, Java 8.

Thanks much!

Chris



Re: [cas-user] What LDAP Server do you guys use?

2017-02-20 Thread Christopher Myers
We use eDirectory; works splendidly for us :)

I used openLDAP at home for a long time.

Whatever route you choose, an awesome free tool that I've found to be super 
handy is LDAP Admin: http://www.ldapadmin.org/

Chris



>>> RJ Guroo  02/20/17 10:06 AM >>>
We have been thinking of using OpenLDAP or OpenDJ for the user store. Any 
suggestions? Thx

 



Re: [cas-user] Elucian Banner 5 minute timeout with CAS

2017-02-15 Thread Christopher Myers
Try this change, and then repackage and redeploy the CAS war:

Modify the value in CAS's web.xml file to change the default timeout to 2 hours:

<session-config>
  <!-- session-timeout is expressed in minutes: 120 = 2 hours -->
  <session-timeout>120</session-timeout>
</session-config>




>>> Adam Causey  02/15/17 10:45 AM >>>
We are experiencing a 5 minute session timeout after users login to our Elucian 
Banner system via CAS. We think it's an issue in Banner, but wanted to see if 
anyone else has come across the issue.  


It only seems to occur when the user already has an existing CAS SSO session 
(TGT cookie), and not if they are starting a new login from CAS when going into 
Banner.


Here is how we are able to replicate the issue:


1) User logs into a CAS-enabled application (other than Banner)
2) User goes into Banner via its SSO URL (this will redirect to CAS, which 
sends a 302 back with a ticket)
3) After no activity in Banner for 5 minutes the user returns and refreshes the 
page. A popup that says "Session Timeout Occurred" is displayed to the user.


We have SLO disabled in our CAS instance (due to previous issues with it 
automatically logging out Blackboard users).


Thanks for any help you can provide.


-Adam



 



Re: [cas-user] Internally hosted applications under load balancer issue

2017-01-18 Thread Christopher Myers
A few questions --

Are the applications behind the same load balancer, or different ones?

Does the load balancer do SSL offloading?

How is the DNS set up for the applications behind the load balancer?
E.g., can application X see the proper DNS name and IP address for CAS server
Y?

Do the logs say anything special? (CAS logs, application logs, load
balancer logs, etc.)


It's been working fine for us both ways for quite a while.




>>> Uxío Prego 01/13/17 11:35 AM >>>
You can try to find the way of applying sticky
(https://en.wikipedia.org/wiki/Load_balancing_(computing)#Persistence)
to your casified applications' load balancer, and see if that solves,
but I am afraid you could be alone on that.

CAS itself supports being behind a load balancer since a particular
version.

> On 10 Jan 2017, at 17:30, Daniel Rakaric  wrote:
> 
> Hi,
> 
> Recently our institution has been trying to implement a new load
> balancer. We have tried this out in our pre-prod environment and test
> out to see how our applications behave with this new implementation.
> 
> So far, not a single application that is behind the load balancer that
> requires CAS authentication works as the connection just times out
> during a login request. Any externally hosted applications such as our
> vendor applications that use our CAS to authenticate works with no
> issues. Also, any application that is internally hosted that is not
> behind a load balancer works as well.
> 
> We were wondering if anyone has had a similar time-out issue while
> using a load balancer, and how did you configure the load balancer to
> behave properly?
> 
> Just to iterate, CAS is also behind a load balancer.





Re: [cas-user] Java client - Dynamic service urls

2016-12-21 Thread Christopher Myers
Out of curiosity, are these different URLs, or just dynamic content on the same 
URL?

After visiting a secured page, then logging in, you should be automatically 
redirected back to the page that triggered the login, unless your login page 
has expired.

Example:

Visiting https://my.millikin.edu/muportal/secure/
redirects to 
https://login.millikin.edu/cas/login?service=https%3A%2F%2Fmy.millikin.edu%2Fmuportal%2Fsecure%2F
and after logging in returns to https://my.millikin.edu/muportal/secure/

Chris



>>> Bryan Wooten  12/20/16 11:48 AM >>>
I have a developer writing an app with several pages.

Some pages are available without logging in. The other pages require a log in.


After logging into a secured page she wants the user to return to that page.


For the life of me I cannot figure out how to accomplish that with java client.


Any help appreciated.


Thanks,


Bryan

 

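The service-registry thread above asks how to drop the default HTTPS/IMAPS definition and get CAS to read JSON definitions from /etc/cas/services, and the Java client thread shows the login redirect that carries the page URL in the service parameter. As an added example (not code from either thread or from the CAS project), here is a small Python linter for the JSON service files CAS loads from cas.serviceRegistry.json.location: it flags catch-all serviceId patterns of the kind the overlay template ships with, resolves which definition a given service URL would match in evaluationOrder, and builds the login redirect URL from the client side. The filenames, hostnames, ids and evaluationOrder values are constructed, and the use of re.search to approximate CAS's regex matcher is an assumption.

```python
import json
import os
import re
from urllib.parse import urlencode

# Constructed sample definitions in the CAS JSON service format. The first
# has the shape of the HTTPS/IMAPS catch-all the overlay template ships with;
# the second is a made-up portal entry with placeholder hostnames.
SAMPLE_SERVICES = {
    "HTTPSandIMAPS-10000001.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https|imaps)://.*",
        "name": "HTTPS and IMAPS",
        "id": 10000001,
        "evaluationOrder": 10000,
    }),
    "Portal-1001.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://my\\.school\\.edu/muportal/.*",
        "name": "Portal",
        "id": 1001,
        "evaluationOrder": 10,
    }),
}

FILENAME_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+)-(?P<id>\d+)\.json$")
# A '.' that is neither escaped nor part of a quantified wildcard like '.*'.
UNESCAPED_DOT_RE = re.compile(r"(?<!\\)\.(?![*+?])")


def load_services(files):
    """files maps filename -> JSON text. Returns (filename, definition) pairs
    sorted the way CAS evaluates them: ascending evaluationOrder."""
    pairs = [(name, json.loads(text)) for name, text in files.items()]
    return sorted(pairs, key=lambda p: p[1].get("evaluationOrder", 0))


def load_services_dir(path):
    """Read every *.json file from a directory such as /etc/cas/services."""
    files = {}
    for name in os.listdir(path):
        if name.endswith(".json"):
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                files[name] = fh.read()
    return load_services(files)


def lint_service(fname, svc):
    """Return a list of findings for one definition (empty when it is clean)."""
    findings = []
    m = FILENAME_RE.match(fname)
    if not m:
        findings.append("filename is not <name>-<id>.json")
    elif int(m.group("id")) != svc.get("id"):
        findings.append("numeric id in filename differs from the 'id' field")
    pattern = svc.get("serviceId", "")
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        return findings + ["serviceId is not a valid regex: %s" % exc]
    # A pattern that accepts an unrelated HTTPS host registers every HTTPS
    # site as a CAS client, which is what the template's default does.
    if compiled.search("https://unrelated.example/"):
        findings.append("serviceId is a catch-all: any HTTPS host matches")
    if UNESCAPED_DOT_RE.search(pattern):
        findings.append("unescaped '.' in serviceId matches any character")
    return findings


def lint_registry(services):
    """Map each filename to its findings."""
    return {fname: lint_service(fname, svc) for fname, svc in services}


def match_service(services, service_url):
    """First definition (by evaluationOrder) whose serviceId matches the URL,
    or None. re.search approximates CAS's find-style matching (an assumption
    here); anchor patterns with ^ as the samples do."""
    for _, svc in services:
        if re.search(svc.get("serviceId", ""), service_url):
            return svc
    return None


def build_login_url(cas_prefix, page_url):
    """Login URL a CAS client redirects to so the user returns to page_url."""
    return cas_prefix.rstrip("/") + "/login?" + urlencode({"service": page_url})


if __name__ == "__main__":
    registry = load_services(SAMPLE_SERVICES)
    for fname, findings in lint_registry(registry).items():
        print(fname, findings or "OK")
    print(build_login_url("https://login.millikin.edu/cas",
                          "https://my.millikin.edu/muportal/secure/"))
```

Point load_services_dir at the directory named in cas.serviceRegistry.json.location and run lint_registry after each deploy: the catch-all finding is the signal that the template's default HTTPS/IMAPS file is still being packaged, and match_service shows which definition will actually win for a given client URL when several patterns overlap.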


Re: [cas-user] Re: CAS with two ldap servers

2016-09-21 Thread Christopher Myers
Not really sure to be honest. I haven't done anything with AWS or Nginx.

Doing a quick google, it looks like you might be able to use nginx:
https://www.nginx.com/resources/admin-guide/tcp-load-balancing/

We've got a Barracuda load balancer; it was fairly inexpensive, I want
to say maybe a few grand?

Chris




>>> Nikolas Stylianides  09/21/16 2:22 AM >>>
Hi Christopher. Thank you for your answer. Can we accomplish that with
AWS ELB? 
Otherwise, can we use nginx for that? Also in failover IP configuration?




On Friday, 16 September 2016 at 5:39:38 PM UTC+3, Nikolas Stylianides wrote:
Hi. Does anyone know how to configure a CAS server with two ldap servers (in MirrorMode)?
Thank you in advance.





 



Re: [cas-user] CAS with two ldap servers

2016-09-16 Thread Christopher Myers
Usually you'd either have some sort of load balancer in front of the LDAP 
servers, or just use DNS round-robin.

We currently have a load balancer, but before that did use round-robin. Both 
work fine, but the load balancing method is more reliable since it can 
intelligently detect when one of the LDAP servers is offline or overloaded.

Chris




>>> Nikolas Stylianides  09/16/16 9:39 AM >>>
Hi. Does anyone know how to configure a CAS server with two ldap servers (in 
MirrorMode)?
Thank you in advance.



 



Re: [cas-user] Forgot password

2016-08-16 Thread Christopher Myers
If you want something pre-built and free, you might consider 
https://github.com/pwm-project/pwm

Chris

>>> Dmitriy Kopylenko <dkopyle...@unicon.net> 08/16/16 8:31 AM >>>
And to make it even clearer - CAS server does not have password handling 
facility. Such functionality will need to be implemented (outside of CAS 
server).


Best,
D.

On Aug 16, 2016, at 9:11 AM, Christopher Myers <cmy...@mail.millikin.edu> wrote:

Not quite sure what you're asking, but --

the only thing we had to change on our side was to add the links to the login 
page. The link basically just redirects the user to a different application 
that handles all the forgot password stuff. CAS isn't even aware of that 
application.

Chris




>>> Guru Prashanth Thanakodi <tguru@gmail.com> 08/16/16 5:11 AM >>>
Thanks for your inputs. 


I am new to Spring. Does it mean we have to write a Spring code on the jasig 
cas side to change the username and password because the application cannot get 
the control until an user logs in?


Thanks
Guru


Thanks,
Guru




 
On Mon, Aug 15, 2016 at 11:55 PM, Linda Toth <ltt...@alaska.edu> wrote:
We have implemented password links to our SSO management systems in two ways.

At first, as Chris did, we simply added a link.  Then we also added a link to a 
second page with more explanation of what was needed and icons for each of the 
campus branded versions of the universally used password reset program.


Both work well.


Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and 
Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/






 
On Thu, Aug 11, 2016 at 6:58 AM, Christopher Myers <cmy...@mail.millikin.edu> 
wrote:
Personally, I just edit the source pages in 

/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/

There are a couple of files you can edit, including the casLoginView.jsp and 
the files in the "includes" subfolder, and then they get compiled when you 
build the app.

If you want to see what ours looks like, just go to https://login.millikin.edu/

Chris



>>> Guru Prashanth Thanakodi <tguru@gmail.com> 08/11/16 7:06 AM >>>
Hi All



I am using CAS 3.4.11.  I have to add a forgot password in the login page. Are 
there any documentation to add this facility in CAS. Can you please help me 
here on where to start with.




Thanks
Guru







 -- 
 You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
 To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+unsubscr...@apereo.org.
 To post to this group, send email to cas-user@apereo.org.
 Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.


 To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/57AC4C390245000742CD%40mugwgate.millikin.edu.
 For more options, visit https://groups.google.com/a/apereo.org/d/optout.
 








 -- 
 You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
 To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+unsubscr...@apereo.org.
 To post to this group, send email to cas-user@apereo.org.
 Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.


 To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOi1v6OS2z09e3nQjJZkTGoudhd8Qn9JG%2BJCksHOZJeaGmnusg%40mail.gmail.com.
 For more options, visit https://groups.google.com/a/apereo.org/d/optout.
 




 


 -- 
 You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
 To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+unsubscr...@apereo.org.
 To post to this group, send email to cas-user@apereo.org.
 Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
 To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/57B2CAB40245000745C6%40mugwgate.millikin.edu.
 For more options, visit https://groups.google.com/a/apereo.org/d/optout.
 



-- 
You received this m

Re: [cas-user] Forgot password

2016-08-16 Thread Christopher Myers
Not quite sure what you're asking, but --

the only thing we had to change on our side was to add the links to the login 
page. The link basically just redirects the user to a different application 
that handles all the forgot password stuff. CAS isn't even aware of that 
application.

Chris




>>> Guru Prashanth Thanakodi <tguru@gmail.com> 08/16/16 5:11 AM >>>
Thanks for your inputs. 


I am new to Spring. Does it mean we have to write Spring code on the jasig 
cas side to change the username and password, because the application cannot get 
control until a user logs in?


Thanks
Guru


Thanks,
Guru




 
On Mon, Aug 15, 2016 at 11:55 PM, Linda Toth <ltt...@alaska.edu> wrote:
We have implemented password links to our SSO management systems in two ways.

At first, as Chris did, we simply added a link.  Then we also added a link to a 
second page with more explanation of what was needed and icons for each of the 
campus branded versions of the universally used password reset program.


Both work well.


Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and 
Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/






 
On Thu, Aug 11, 2016 at 6:58 AM, Christopher Myers <cmy...@mail.millikin.edu> 
wrote:
Personally, I just edit the source pages in 

/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/

There are a couple of files you can edit, including the casLoginView.jsp, and 
the files in the "includes" subfolder.

and then it gets compiled when you go to build the app.

If you want to see what ours looks like, just go to https://login.millikin.edu/

Chris



>>> Guru Prashanth Thanakodi <tguru@gmail.com> 08/11/16 7:06 AM >>>
Hi All



I am using CAS 3.4.11.  I have to add a forgot-password option to the login page. Is 
there any documentation on adding this facility in CAS? Can you please help me 
with where to start?




Thanks
Guru

 
 -- 
 You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
 To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+unsubscr...@apereo.org.
 To post to this group, send email to cas-user@apereo.org.
 Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
 To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/91c73557-fa17-4964-9653-4d034e543c67%40apereo.org.
 For more options, visit https://groups.google.com/a/apereo.org/d/optout.
 


 


Re: [cas-user] New to CAS, new to Apereo

2016-08-12 Thread Christopher Myers
Actually, CAS is just an application that's deployed on an app server,
so they're all on the same boxes. Each VM has a Tomcat instance that's
running CAS, so we have four SLES12 VMs, each running a copy of CAS on
Tomcat, and each VM is running on a different physical host. (We use
SLES12 for our app servers, because we can get "unlimited virtualization
host" licenses for fairly inexpensive after the education discount.)

And yep, that's basically what we did -- built one VM, then cloned it to
create the others (changing a few minor things on each VM as it was
cloned (hostname, IP, and server identification string.)) Super easy to
do, and makes it incredibly easy to spawn up new application servers
should we need to do so -- roughly 15 minutes from start to finish.

We have all of the session data replicated between the four nodes using
Hazelcast. It's a lot easier to set up than other technologies IMO. That
way if we happen to take one node offline during the day (upgrades,
patches, hardware failure, etc.,) the logins will be redirected to the
other servers without a hitch. It also enables us to do the
"active-active-failover-lastresort" setup we've got. (Our third VM is
just as robust as the first and second, and has the same software
configuration, but is configured as a "failover" node on the load
balancer because we primarily use it for doing scheduled tasks. But if
the first and second nodes go offline, all of the traffic will get
directed there as well. This is all done through the policies on the
Barracuda.)

Also, the SSL offloading done by the load balancer makes things a lot
easier too...no more dealing with keystores on each individual box. Plus
it lets Tomcat do what it's best at -- delivering applications. It
leaves all that messy CPU-intensive encryption and decryption to
hardware designed for the purpose. There is a bit of additional
configuration you have to do to Tomcat, but it's not bad.

Chris




>>> Hank Foss <hank.f...@gmail.com> 08/12/16 8:11 AM >>>
Chris,

So you have TC and CAS on separate boxes. Is it possible to have both on
the same box or is it better to have them separate? It sounds like in
your environment you have quite a few services configured which is why
you chose to separate the roles to different servers. So, e.g. having
CAS  and TC on same server, then replicate to other VMs - is that
viable?


Hank

On Friday, August 12, 2016 at 8:50:22 AM UTC-4, Christopher Myers wrote:
Likewise, we have 3+1 (two primary, one secondary, and an "oh crud
the entire production VMWare environment went offline" backup.) All are
running 4.0.x, connected together with hazelcast replication. We've got
over 20 registered services, including connecting Shibboleth to CAS for
its authentication source, which handles even more services.

Each TC server is on its own VM, on a different VMWare server. All are
front-ended by our Barracuda, with SSL offloading.

So yeah, it's a pretty robust system :)

Chris




>>> Ray Bon <rb...@uvic.ca> 08/11/16 5:09 PM >>>
   Hank,
 
 We have 3 CAS (v 3.5.2.1) virtual machine servers in a primary,
secondary, tertiary setup with LDAP (all on Redhat). CAS is very
capable and can handle several logins per second.
 
 Ray 
 
 On 2016-08-11 14:23, Hank Foss wrote:
 
Thanks, Misagh, much appreciated.
 
 
It sounds like this will work quite well for us. Most of our web apps rely on
LDAP authentication.

Regarding architecture, hope you don't mind a couple of other questions:

How many servers are in your CAS environment (presuming you recommend an HA
environment) - e.g. 1 web server (Tomcat?) + 2 HA CAS ticketing servers? Do
you recommend RHEL for OS?

 Our user environment is about 12,000 (2,000 staff + 10 

 
 
 
 -Hank
 
   On Thursday, August 11, 2016 at 4:45:43 PM UTC-4, Misagh 
   Moayyed wrote:
 
If you mean CAS is going to provide you with an LDAP server, the answer is no.
AFAIK, that has never been the case. If you mean you wish to authenticate via
AD/LDAP and get access to your portal and other CAS-protected apps, then it's
quite simple. Since the dawn of time, CAS has supported LDAP/AD authentication.
90% of the deployments use that method of authentication.

-- Misagh
   
 
From: Hank Foss <hank...@gmail.com>
   Reply: Hank

Re: [cas-user] New to CAS, new to Apereo

2016-08-12 Thread Christopher Myers
Likewise, we have 3+1 (two primary, one secondary, and an "oh crud the
entire production VMWare environment went offline" backup.) All are
running 4.0.x, connected together with hazelcast replication. We've got
over 20 registered services, including connecting Shibboleth to CAS for
its authentication source, which handles even more services.

Each TC server is on its own VM, on a different VMWare server. All are
front-ended by our Barracuda, with SSL offloading.

So yeah, it's a pretty robust system :)

Chris




>>> Ray Bon  08/11/16 5:09 PM >>>
   Hank,
 
 We have 3 CAS (v 3.5.2.1) virtual machine servers in a primary,
secondary, tertiary setup with LDAP (all on Redhat). CAS is very
capable and can handle several logins per second.
 
 Ray 
 
 On 2016-08-11 14:23, Hank Foss wrote:
 
Thanks, Misagh, much appreciated.
 
 
It sounds like this will work quite well for us. Most of our web apps rely on
LDAP authentication.

Regarding architecture, hope you don't mind a couple of other questions:

How many servers are in your CAS environment (presuming you recommend an HA
environment) - e.g. 1 web server (Tomcat?) + 2 HA CAS ticketing servers? Do
you recommend RHEL for OS?

Our user environment is about 12,000 (2,000 staff + 10,000 students) so I am
trying to architect the CAS to support that.
 
 
 
 
 -Hank
 
   On Thursday, August 11, 2016 at 4:45:43 PM UTC-4, Misagh 
   Moayyed wrote:
 
If you mean CAS is going to provide you with an LDAP server, the answer is no.
AFAIK, that has never been the case. If you mean you wish to authenticate via
AD/LDAP and get access to your portal and other CAS-protected apps, then it's
quite simple. Since the dawn of time, CAS has supported LDAP/AD authentication.
90% of the deployments use that method of authentication.

-- Misagh
   
 
From: Hank Foss
Reply: Hank Foss
Date: August 11, 2016 at 1:38:35 PM
To: CAS Community
Subject: [cas-user] New to CAS, new to Apereo

 
   

Hello,

I'm brand new to CAS and Apereo, and am asking the best way to begin. We are
migrating our CAS from the cloud to on-premise as a cost savings measure. This
will likely save us $60+k annually, as the vendor also provides our portal.

The externally hosted portal contains LDAP as well as CAS links. I understand
CAS 5 comes out this fall (October?) which offers LDAP support, so I am on the
fence a bit more. Since AD authentication drives many of our authentication, I
have been told that we will either need to use ADFS or Sh
there are learning curve, architecture, installation and customization
components of this project that all come into play.

I built the Linux box, most current version of CentOS, but I believe being an
open source application that the support of at least the OS should actually be
a licensed RHEL instance.

I'm technical, but this is uncharted territory so suggestions, comments, and
criticism are all greatly welcome.
 
   
 

Re: [cas-user] New to CAS, new to Apereo

2016-08-11 Thread Christopher Myers
This is the super-down-and-dirty writeup I did internally when I did a
fresh 4.x install to upgrade us from 3.5 (we use Novell eDirectory, but
it should be very similar for any non-AD LDAP) :

Comment by Christopher Myers [25-Feb-2015]

Edit as-server-4.0.0/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml

Comment out

Replace it with

Add the following to the bottom of the file /opt/cas-server-4.0.0/cas-

#
ldap.url=ldap://ldapserver.school.edu

# Base DN of users to be authenticated
ldap.baseDn=o=our_base_dn


# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000

# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=false

#
# LDAP connection pool configuration
#
ldap.pool.minSize=3
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true

# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
ldap.pool.blockWaitTime=3000

# Frequency of connection validation in seconds
# Only applies if validatePeriodically=true
ldap.pool.validatePeriod=300

# Attempt to prune connections every N seconds
ldap.pool.prunePeriod=300

# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=600

#
# Authentication
#

# Search filter used for configurations that require searching for DNs
ldap.authn.searchFilter=(uid={user})

While you're in the cas.properties file, also set up the URLs for the
server, etc.

Also edit the line:

and replace it with:



Comment by Christopher Myers [26-Feb-2015]

Modify the value in CAS's web.xml file to change the default login session
timeout to 2 hours:

<session-config>
  <session-timeout>120</session-timeout>
</session-config>

Comment by Christopher Myers [26-Feb-2015]

Edit .../cas-server-webapp/pom.xml and add the following dependency inside
the <dependencies> section:

<dependency>
  <groupId>${project.groupId}</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${project.version}</version>
</dependency>

Comment by Christopher Myers [26-Feb-2015]

You can't use the Maven 2 version that was already on the boxes to build the
new version of CAS; instead, you need to download the 3.2.5 version from
http://maven.apache.org/download.cgi, extract it, and change the "maven"
symlink to point to the new install folder.

Comment by Christopher Myers [26-Feb-2015]

The first time I tried to run "mvn package" after doing this, I got the error:

Non-parseable POM /root/.m2/repository/org/jasig/parent/jasig-parent/39/jasig-parent-39.pom:
Expected root element 'project' but found 'html'

When I looked at the contents of that .pom file, it was an HTML document that
just said basically "HTTP 301 moved permanently."

I deleted the /root/.m2 folder, and after doing so, things started running.

Now I'm getting the error:

Failed to execute goal com.mycila.maven-license-plugin:maven-license-plugin:1.9.0:check
(default) on project cas-server: Resource /opt/cas-server-4.0.0/src/licensing/header.txt
not found in file system

Found this: https://github.com/Jasig/cas/issues/745

Modified the pom.xml file, changed

${cs.dir}/src/licensing/header.txt

to

${licenseHeader}

After doing so, that error went away.


Re: [cas-user] Forgot password

2016-08-11 Thread Christopher Myers
Personally, I just edit the source pages in 

/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/

There are a couple of files you can edit, including the casLoginView.jsp, and 
the files in the "includes" subfolder.

and then it gets compiled when you go to build the app.

If you want to see what ours looks like, just go to https://login.millikin.edu/

Chris



>>> Guru Prashanth Thanakodi  08/11/16 7:06 AM >>>
Hi All



I am using CAS 3.4.11.  I have to add a forgot-password option to the login page. Is 
there any documentation on adding this facility in CAS? Can you please help me 
with where to start?




Thanks
Guru

 


Re: [cas-user] CASify email system

2016-06-29 Thread Christopher Myers
We have GroupWise, and cheat - we've got an intermediary page that's CASified 
and just does a form post of the credentials to the WebAccess login page.

Chris



>>> "noumann.f"  06/29/16 5:38 AM >>>
Hi,
I need to CASify an email system (Postmaster and Roundcube webmail) against a 
CAS server (v4.2.2). Is there any kind of guide for such a thing?



Any help is appreciated.


Regards,


 


Re: [cas-user] Any published use of cas by "fortune 500" companies?

2016-06-21 Thread Christopher Myers
Ellucian and Heartland Payment Systems use it for their product offerings (both 
on-prem and hosted;) not sure where they fall on the list though.


>>> John Rellis  06/21/16 4:21 AM >>>
Hey folks,

I am presenting the SSO solution using cas to our customers.


Is there any evidence on the internets that cas is being used by well known 
companies?  It would be great to use in the presentation.


I couldn't really find any so any pointers would be greatly appreciated


Thanks,
John

 


RE: [cas-user] Version lifetimes

2016-02-16 Thread Christopher Myers
Cool, thanks much :) No need for that; we're on CAS4. We just have a
vendor who is saying they won't certify on CAS4 yet, so I'm asking why,
and wanted some additional details about their "supported" branch.



>>> "Misagh Moayyed" <mmoay...@unicon.net> 02/16/16 10:18 AM >>>
CAS3 was pronounced EOL on the list about a year and a half ago. 
 
I don't know if there is an official policy. Probably there isn't. It might
be good to take that to the PMC. Unofficially, releases tend to last as
long as it makes sense for them to last, typically a couple of years. We
certainly no longer work on or maintain CAS 3, but if you have a patch
that you think might be a good fit for 3.x, we could certainly cut a
patch release as long as the work is done. Same with all the other
versions. 
 
From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of
Christopher Myers
Sent: Tuesday, February 16, 2016 7:44 AM
To: cas-user@apereo.org
Subject: [cas-user] Version lifetimes


 
Out of curiosity, is there a list of the support lifetimes for the
various CAS server versions? (Eg., how long is the 3.x branch going to
be continued to be developed and patched?)

Thanks much!

Chris


[cas-user] Version lifetimes

2016-02-16 Thread Christopher Myers
Out of curiosity, is there a list of the support lifetimes for the various CAS 
server versions? (Eg., how long is the 3.x branch going to be continued to be 
developed and patched?)

Thanks much!

Chris



Re: [cas-user] CAS4 SSL Requirement for SSO to Work

2016-02-09 Thread Christopher Myers
No problem, hope that it helps out!

OH - proxyport=443 is important too, forgot to list that one earlier.



Overall, this has worked beautifully for us :) And it makes it MUCH
simpler too because we now have one SSL cert to change in one place,
instead of having to redo java keystores on all of the different Tomcat
instances.

The one thing that we've run into with doing things this way is that the
first time you'd log into our campus portal from CAS, the browser would time
out and would eventually end up at the url
https://my.millikin.edu:80/muportal/secure/ . However, if you'd try to
go to the campus portal afterwards, it would go through fine.

It turned out to be something I wouldn't have ever expected - the 
code in index.jsp that strips the ?ticket= stuff out of the URL 
after you log in:


  } else if ((!StringUtil.isNull(queryString)) &&
             (queryString.indexOf("ticket") > -1)) {
    queryString = queryString.substring(0, queryString.indexOf("ticket") - 1);
    response.sendRedirect("/muportal/secure/" + queryString);
  }

But, after changing it to

    response.sendRedirect("https://" +
        String.valueOf(request.getServerName()) + "/muportal/secure/" +
        queryString);


it worked fine. (We have this code in there because otherwise the
"?ticket=x" stuff messes with Google Analytics and JavaMelody.)

 

Chris



>>> Stephan Arts <step...@xfce.org> 02/09/16 8:35 AM >>>
Thanks, this appears to be a neat solution :-)


Cheers,


Stephan


On Tue, Feb 9, 2016 at 2:59 PM, Christopher Myers
<cmy...@mail.millikin.edu> wrote:
What we do is:

internet(https) -> (https)load balancer(http) -> tomcat (http)

Basically, the load balancer talks https to the internet and http to
tomcat, doing the SSL offloading.

This is what the connector in our server.xml file looks like:



the important parts are the secure=true and scheme=https parts. We're on
CAS 4.0.x.

Chris




>>> Misagh Moayyed <mmoay...@unicon.net> 02/09/16 4:04 AM >>>
The SSL warning is actually a good test to demonstrate that something is
broken and dysfunctional in your deployment. As Scott said, you will
need to find a way to relay the SSL context back to the application
server. The warning shows up only if that chain is broken. You'll need
to consult the Apache/Tomcat/load balancer docs to see how to configure your
containers. There is nothing in CAS that requires/enables you to do this,
other than the expectation that HTTPS is available, by simply checking
the request. (Which is the piece you can turn off, but should not, since
the problem is elsewhere) 


 - Misagh 
 
On Feb 9, 2016, at 9:29 AM, Stephan Arts <step...@xfce.org> wrote:

My workaround was indeed to do this:

internet -[HTTPS]> load-balancer -[HTTP]> apache -[HTTPS]> tomcat...


I don't like it either, since it requires me fiddling around with the
java keystore and self-signed certificates, which is an administrative
overhead with no added value when it comes to security.


I'd much rather have apache provide the X-Forwarded-Proto header set to
HTTPS and instruct tomcat to tell cas 'every thing is fine, walk along'.


Unfortunately, that does not work. (CAS 4.0.7) - Is there a way I can
suppress the HTTPS warning? There really is no reason to encrypt the
data going over the loopback device.


Cheers,


Stephan



On Mon, Feb 8, 2016 at 6:55 PM, Scott Battaglia
<scott.battag...@gmail.com> wrote:
If something is fronting CAS that is terminating SSL, you should be able
to indicate to the servlet container hosting CAS that it really is a
secure connection.  Does that not work? (sorry I can't remember the
specifics of it)

On Mon, Feb 8, 2016 at 12:52 PM, Robert <robert.pepers...@gdit.com>
wrote:
Hi Misagh

On Monday, February 8, 2016 at 12:20:57 PM UTC-5, Misagh Moayyed wrote:
On Feb 8, 2016, at 8:14 PM, Robert <robert.p...@gdit.com> wrote:

Our current Production Setup
For CAS3.x.x having SSL was not required to support Single Sign On. This
was perfect as we have Reverse Proxy Servers fronting our Application
Server farm and it took care of providing all TLS for our user facing
interface. All handshake between the reverse-proxy server and JBOSS/ IBM
WAS server farm was “as if” no SSL was in place. This also helped us
immensely in terms of performance, as all SSL encryption/decryption was
handled on our Reverse Proxy Servers. And helped cut cost for our
clients in terms of maintaining and purchasing certificates to bare
essential.




All of that is still true in CAS4.


 

Now, we are trying to work with CAS4 
We found out that it requires HTTPS or else Single Sign On just won’t
work. 




HTTPS is always required by default. How you satisfy that requirement
remains the same across all CAS versions. There are no considerations
on the CAS side that dictate a particular form of container configuration.



Can you help us understand as to how 
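
The connector Chris pastes above did not survive the archive, so what follows is an added example (not the thread's own server.xml) of the two ways Tomcat can be told that a request arrived over HTTPS when a load balancer terminates TLS and forwards plain HTTP to port 8080. The hostname login.example.edu, the ports and the load balancer addresses are assumptions. The first form uses the static connector attributes Chris names: secure="true" and scheme="https" make request.isSecure() true, which is the check the thread says CAS performs, and proxyName/proxyPort make request.getServerName() and getServerPort() return the public name and 443, so a redirect assembled from getServerName() no longer comes out as https://host:80/... . The second form is the header-based alternative Stephan asks about: a RemoteIpValve that honours X-Forwarded-Proto, but only from the addresses matched by internalProxies.

```xml
<!-- Added example, not the server.xml from the thread. Hostname, ports and the
     load balancer addresses are assumptions. Pick ONE of the two approaches. -->

<!-- Approach 1: static attributes on the plain-HTTP connector the load balancer
     talks to. Every request on this connector is reported as HTTPS, and
     getServerName()/getServerPort() return the public name and 443. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           scheme="https" secure="true"
           proxyName="login.example.edu" proxyPort="443" />

<!-- Approach 2: trust X-Forwarded-Proto, but only when the request comes from
     one of the listed load balancer addresses (a regex, so dots are escaped).
     Goes inside the <Engine> or <Host> element; the connector keeps its
     defaults. Requests from any other address keep their real (http) scheme. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.10\.0\.11|10\.10\.0\.12"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443" />
```

With either approach, port 8080 should be reachable only from the load balancer. Under approach 1 a client that reaches Tomcat directly is treated as secure regardless of how it connected; under approach 2 such a client's forwarded headers are ignored, so it would just see the insecure-connection warning, but the plaintext hop still exists. Approach 2 also leaves getServerName() alone, so a redirect built from it would still return whatever Host header the balancer forwarded.
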

Re: [cas-user] Anonymous Access (Re-Posting In cas-user)

2016-02-08 Thread Christopher Myers
Oh - I didn't have to do any of this in the CAS web.xml; the "url-pattern" is 
in the application's web.xml file, but you should only need to tweak that if 
you want a part of that application itself to be unauthenticated.

Or, are you basically wanting to allow part of the CAS environment itself to be 
unauthenticated?

Chris




>>> William  02/08/16 9:17 AM >>>
Chris,

I think that is what I will have to do.  I was hoping there was a way to do 
this without touching the CAS web.xml or Spring Security files.


There is an 
org.jasig.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider 
class.  


I think this provides anonymous access to a service, but I do not see much 
documentation on how to configure it.


Regards




Re: [cas-user] Anonymous Access (Re-Posting In cas-user)

2016-02-08 Thread Christopher Myers
Hmm, I don't think that should be a problem then, unless you have the 
applications all bundled together in the same deployable, with the "unsecured" 
level beneath the "secured" level?

For example, we have multiple applications deployed on the same Tomcat instance 
(CAS, our campus portal, a "diagnostic" application, and a "user feedback" 
application.) The campus portal is CASified, but the diagnostic and user 
feedback applications aren't. We didn't have to do anything special to exempt 
the diag and feedback apps, we simply didn't tell them anything at all about 
CAS, so they don't demand authentication.

For the campus portal application, we have an "unsecured" level, and a 
"secured" level. Basically, anything in the application at the "/secure/" level 
and beneath requires authentication, but everything not in that "secure" folder 
is anonymous. This is defined by the "CAS Filter" filter-mapping in our web.xml 
file:

  
  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>

Chris





>>> William <alertyardbar...@gmail.com> 02/08/16 8:31 AM >>>
Chris,

I have a situation where I need to deploy unsecured applications on the same 
application server instance that CAS is deployed to.


I would like to have this one context root not protected by SSO.


Regards.

On Monday, February 8, 2016 at 9:11:54 AM UTC-5, Christopher Myers wrote:
Just out of curiosity - why even have CAS enabled on an application when you don't 
want someone to have to login? Wouldn't it be easier to just not require CAS? 
Or am I misreading/missing something?

Also, what kind of environment are you using? Eg., is the application java, 
php, asp, etc.?

Chris



>>> William <alertya...@gmail.com> 02/08/16 7:57 AM >>>
Re-posting this in cas-user.  Mistakenly posted in cas-dev last week.


Update: I tried setting ssoEnabled to true as Misagh suggested, and I am still 
getting prompted for user ID and password.


I am using CAS 4.1.4 (using Maven Overlay) with Tomcat 8.0.26.


I am struggling with allowing anonymous access to a particular web application 
with the context root of "keepalive".

I keep getting prompted for the SSO login page.  I have looked on the Wiki and 
cannot find info on this: https://jasig.github.io/cas/4.1.x/index.html


The rest of my applications are protected with CAS SSO.  That part works fine.


I am certain this is something I am doing incorrectly. 


Is this something I need to configure in CAS securityContext.xml?  Or, is this 
configured in the .json file for the registered service?


The .json file for this service is below.  I have set the ssoEnabled attribute 
to false on the access strategy:


{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "https://localhost:8443/keepalive.*",
  "name" : "Keepalive Application",
  "id" : 103479920584348,
  "description" : "Keepalive Application",
  "proxyPolicy" : {
    "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.jasig.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider",
    "persistentIdGenerator" : {
      "@class" : "org.jasig.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
      "salt" : "Salty"
    }
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : false
  }
}



Thank you.















 
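The service definition quoted in this thread releases a pairwise anonymous ID instead of the username, and its serviceId is a regex. What follows is an added example written for this page, not code from the thread or from CAS itself. It recomputes that ID under the construction I believe ShibbolethCompatiblePersistentIdGenerator uses (base64 of SHA-1 over service URL, "!", principal, "!", salt; treat that as an assumption), checks a URL against the serviceId pattern as a whole-string regex match (Java Pattern.matches semantics, also assumed), and shows the practical consequence of a guessable salt such as "Salty": the service URL and the principal are public inputs, so anyone holding a released ID and a guess at the user can confirm the salt offline. The principal "wdoe", the sibling context root and the candidate salt list are constructed for the example.

```python
import base64
import hashlib
import re
from typing import Iterable, Optional


def persistent_id(service_url: str, principal: str, salt: str) -> str:
    """Opaque per-service identifier released instead of the username.

    Assumed construction (my reading of CAS 4.x's
    ShibbolethCompatiblePersistentIdGenerator, not verified against the
    source here): base64(SHA-1(service + "!" + principal + "!" + salt)).
    """
    data = f"{service_url}!{principal}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def service_matches(service_id_pattern: str, service_url: str) -> bool:
    """RegexRegisteredService-style check: the serviceId is a regex that must
    match the whole service URL (assumed Java Pattern.matches semantics), so
    'keepalive.*' is satisfied by any context root that merely starts with
    'keepalive', not only the keepalive application itself."""
    return re.fullmatch(service_id_pattern, service_url) is not None


def recover_salt(service_url: str, principal: str, observed_id: str,
                 candidate_salts: Iterable[str]) -> Optional[str]:
    """The service URL and the principal are not secret, so the salt is all
    that separates a released ID from the user behind it; it can be tested
    offline at SHA-1 speed. Returns the matching salt or None."""
    for guess in candidate_salts:
        if persistent_id(service_url, principal, guess) == observed_id:
            return guess
    return None


if __name__ == "__main__":
    # Constructed inputs: 'wdoe' is a made-up principal, the salt list a toy dictionary.
    keepalive = "https://localhost:8443/keepalive/"
    admin = "https://localhost:8443/adminconsole/"
    anon = persistent_id(keepalive, "wdoe", "Salty")
    print("stable for the same service:", anon == persistent_id(keepalive, "wdoe", "Salty"))
    print("different for another service:", anon != persistent_id(admin, "wdoe", "Salty"))
    loose = r"https://localhost:8443/keepalive.*"
    tight = r"https://localhost:8443/keepalive(/.*)?"
    sibling = "https://localhost:8443/keepalive-admin/"
    print("loose pattern admits a sibling context root:", service_matches(loose, sibling))
    print("tighter pattern rejects it:", not service_matches(tight, sibling))
    print("salt recovered from a toy list:",
          recover_salt(keepalive, "wdoe", anon, ["Pepper", "Secret", "Salty"]))
```

The two takeaways for a registry entry like the one above: pick a long random salt (the ID is only as unlinkable as the salt is unguessable), and end the serviceId pattern with an explicit path boundary such as `(/.*)?` so a neighbouring context root on the same host does not inherit the entry.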


Re: [cas-user] Anonymous Access (Re-Posting In cas-user)

2016-02-08 Thread Christopher Myers
Hmm...that really seems like the application itself is looking for CAS...would 
you be willing to post an (edited) version of your "keepalive" application's 
web.xml file?




>>> William  02/08/16 2:09 PM >>>
Chris,

Right now I am working on a local instance.


CAS url is https://localhost:8443/cas/login
Protected application is https://localhost:8443/adminconsole
Safe application is https://localhost:8443/keepalive

The URL after I access the application is: 
https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8443%2Fkeepalive%2F



Regards.




Re: [cas-user] Anonymous Access (Re-Posting In cas-user)

2016-02-08 Thread Christopher Myers
No worries at all, and no apologies needed...that would definitely explain 
things then :D That's what was making me so confused - we're doing exactly what 
you're wanting to do here, so I couldn't understand why it wasn't working for 
you :) Glad you're all set up!

And - I've been trying to wean myself back off of coffee...but no luck so far 
:P Can usually make it a couple of days, but then I fall back to it again...

Chris


>>> William  02/08/16 3:50 PM >>>
Chris,

Ok...first I have to apologize...I can't believe I did this...


I thought I had taken the 
org.jasig.cas.client.authentication.AuthenticationFilter out of web.xml.  When 
I went to grab the web.xml for you and saw that...


Very very sorry.  This was my mistake.
 

Thanks for your help though.  Tomorrow, I will drink another cup of coffee.  :(


I can't believe how dumb of a mistake that was.


Regards.

 


Re: [cas-user] Anonymous Access (Re-Posting In cas-user)

2016-02-08 Thread Christopher Myers
Definitely sounds like it!

I started playing around with CAS back in 2007 when I knew basically nothing 
about Java, Tomcat, or Linux, so I got to learn them all at the same time :P 
For the most part, it's been really straightforward to set up and configure, 
and we've gone from one small old pizza box with CAS on it to a three-node VM 
cluster with Hazelcast replication behind our Barracuda, connected to our Shib 
instance so that Shib apps can use CAS for their back-end authentication as 
well. Definitely happy with it :)

Definitely not even remotely an expert, but I have fun with it anyhow ;)

Chris






>>> William  02/08/16 4:23 PM >>>
Thanks Chris!

I started working on that issue last week...I guess I am getting there!


Learning more about CAS...

 


Re: [cas-user] Re: CAS Intermittent SSO logins issues

2016-01-14 Thread Christopher Myers
Out of curiosity, what happens if you take the load balancer out of the picture 
- does the required re-authentication happen? Also, do you have any kind of 
session replication set up between your CAS nodes, such as hazelcast? Also, 
what frequency does this happen? Eg., if someone logs into a CAS application, 
then immediately into another application? Or is there some delay in between 
the login attempts?

Some things to check:

Session timeout in your web.xml file:
  

  <session-config>
    <session-timeout>5</session-timeout>
  </session-config>
If there is more of a delay than X minutes in between logins, the users will 
have to re-authenticate. We have ours set to 120 (2 hours.)

If your URL has "=true" then this will always be the case; that forces 
the user to re-authenticate to CAS regardless of their current session status. 
This option can also be forced through your service registry, so you'll want to 
check that as well.

Also, you may want to kick up your logging to DEBUG for additional details 
about what's going on during the login process.

Cookies working correctly too?

Ultimately to me, since "I was able to consistently reproduce  the issue so 
after stopping tomcat 8 and rebooting the server it started working again." it 
sounds like one of your two boxes may be having an issue, because at that 
point, the connections should be failing over to the other one.

Chris



>>> Juan Quintanilla  01/14/16 7:29 AM >>>
   So I wanted to send an update: it seems that the intermittent SSO issue 
also happened on our second CAS server today. Once it was rebooted it no longer 
prompted the user to log in again to a CAS application once they had already 
authenticated to another CAS application.  Below is a snippet from the logs 
showing an LDAP authentication request for each service even though I was already 
authenticated in the first service.  When I took a look at the audit logs it 
seems that it is generating a new TGT for each service, so for some reason CAS 
was not recognizing that a TGT already existed for the user.  The client 
applications point to a load-balanced address which directs the traffic to 
either of the 2 CAS servers using sticky sessions. I was able to consistently 
reproduce the issue, so after stopping Tomcat 8 and rebooting the server it 
started working again. 
 
 
 
 2016-01-14 07:27:33,286 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - 
 2016-01-14 07:27:33,287 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - 

 2016-01-14 07:27:33,298 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
 2016-01-14 07:28:22,804 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

 2016-01-14 07:28:22,902 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
 2016-01-14 07:28:22,903 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

 2016-01-14 07:28:22,912 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
 2016-01-14 07:29:59,697 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

 2016-01-14 07:29:59,795 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
 2016-01-14 07:29:59,795 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

 2016-01-14 07:29:59,803 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
 
 
 
 
  ___
 Juan Quintanilla
 UTS - Enterprise Group
 305-348-6573
 jquin...@fiu.edu
 
 
 
   From: cas-user@apereo.org  on behalf of Juan 
Quintanilla 
 Sent: Wednesday, January 13, 2016 8:33 PM
 To: cas-user@apereo.org
 Subject: [cas-user] CAS Intermittent SSO logins issues  
 
Hi,
  We are running CAS 3.6.0 and it's been working fine, but on occasion we are 
seeing issues where a user logs into a CAS application, then goes to another 
CAS application and is prompted to log in again. The applications are not 
configured to renew or force a new login.
  The 2 CAS servers point to the same Oracle database and are running Tomcat 8, 
both with the same configuration.
 We see this more consistently on the first CAS server during Tomcat startup, 
where if we point an application to the 1st CAS server directly we are forced 
to log in to each application even though we already have a CAS session.  Once 
the server is restarted again the issue goes away.
 This time we see it very intermittently, so we are not sure where to look; the 
second CAS server does not seem to have the issue, but like I said they have 
the same config, and after a Tomcat restart it's fine.
 Any help would really be appreciated. 
 
  
 
 
 
  ___
 Juan Quintanilla
 UTS - 
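The symptom Juan describes (a fresh TGT for every service instead of one TGT reused across services) is visible in the CAS audit trail, which is a quicker check than raising the log level to DEBUG. The following is an added example for this page, not code from the thread or from CAS: a small scanner over audit-trail records in the multi-line layout CAS's inspektr audit logger writes. The field names and ACTION values are my recollection of that format and should be treated as an assumption; the records themselves are constructed, with "jdoe" bounced between two nodes 49 seconds apart and "asmith" logging in once. It flags any user issued a second TGT within a few minutes of an earlier one and records whether both TGTs came from the same node, which separates "one bad box" from "balancer or ticket-replication problem".

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of CAS's audit trail logger (inspektr);
# field names and ACTION values are assumed, not taken from a real log.
SAMPLE_AUDIT_LOG = """\
Audit trail record BEGIN
=============================================================
WHO: jdoe
WHAT: TGT-1-aaaa-cas1
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Jan 14 07:27:33 EST 2016
CLIENT IP ADDRESS: 10.1.2.3
SERVER IP ADDRESS: 10.0.0.10
=============================================================

Audit trail record BEGIN
=============================================================
WHO: jdoe
WHAT: ST-1-bbbb-cas1
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Jan 14 07:27:34 EST 2016
CLIENT IP ADDRESS: 10.1.2.3
SERVER IP ADDRESS: 10.0.0.10
=============================================================

Audit trail record BEGIN
=============================================================
WHO: jdoe
WHAT: TGT-2-cccc-cas2
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Jan 14 07:28:22 EST 2016
CLIENT IP ADDRESS: 10.1.2.3
SERVER IP ADDRESS: 10.0.0.11
=============================================================

Audit trail record BEGIN
=============================================================
WHO: asmith
WHAT: TGT-3-dddd-cas1
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Jan 14 07:29:59 EST 2016
CLIENT IP ADDRESS: 10.1.2.9
SERVER IP ADDRESS: 10.0.0.10
=============================================================
"""


def parse_audit_records(text):
    """One dict per 'Audit trail record BEGIN' ... '====' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Audit trail record BEGIN"):
            current = {}
        elif current is None:
            continue
        elif line.startswith("="):
            if current:  # closing rule; the opening rule follows an empty dict
                records.append(current)
                current = None
        else:
            key, sep, value = line.partition(": ")
            if sep:
                current[key.strip()] = value.strip()
    return records


def parse_when(value):
    """'Thu Jan 14 07:27:33 EST 2016' -> datetime. The zone token is dropped:
    strptime's %Z only accepts the local zone, and all nodes log in one zone."""
    parts = value.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def repeated_tgt_users(text, window_seconds=300):
    """Users issued a second TGT within window_seconds of an earlier one.
    A healthy SSO session creates one TGT and then only STs; a second TGT
    means the user went back through the login form. same_node=False points
    at the balancer or missing ticket replication rather than one bad box."""
    by_user = defaultdict(list)
    for rec in parse_audit_records(text):
        if rec.get("ACTION") == "TICKET_GRANTING_TICKET_CREATED":
            by_user[rec["WHO"]].append(
                (parse_when(rec["WHEN"]), rec["WHAT"], rec.get("SERVER IP ADDRESS")))
    findings = defaultdict(list)
    for user, events in by_user.items():
        events.sort()
        for (t1, tgt1, node1), (t2, tgt2, node2) in zip(events, events[1:]):
            gap = (t2 - t1).total_seconds()
            if gap <= window_seconds:
                findings[user].append({"first": tgt1, "second": tgt2,
                                       "seconds_apart": gap, "same_node": node1 == node2})
    return dict(findings)


if __name__ == "__main__":
    for user, hits in repeated_tgt_users(SAMPLE_AUDIT_LOG).items():
        for h in hits:
            print(f"{user}: {h['first']} then {h['second']} {h['seconds_apart']:.0f}s later,"
                  f" same node: {h['same_node']}")
```

Run it against the real audit log (point `repeated_tgt_users` at the file contents) and look at the `same_node` column: repeated TGTs that alternate between SERVER IP ADDRESS values mean the balancer's stickiness is not holding and the nodes do not share ticket state; repeated TGTs from one node only mean that node itself is not honouring the TGT cookie.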

Re: [cas-user] Cas 3.5 and Shibboleth idp 2.4 Integration

2016-01-11 Thread Christopher Myers
Ok, it looks like they modified the configure.html page on testshib to reflect 
the 3.x branch of Shibboleth, since 2.x is being de-supported as of mid-2016.

To set this up on our 2.x server originally, I did this:

Edit /opt/shibboleth-idp/conf/relying-party.xml (where /opt/shibboleth-idp/conf 
is the location of your shibboleth-idp's config folder.)

Under   
add something like

http://www.testshib.org/metadata/testshib-providers.xml"/>

Then restart Tomcat.

After doing so, you should be able to connect, assuming that your account is 
set up properly. To do this:

visit https://sp.testshib.org/

Enter the full URL of your shib install in the box, then click the Go! button.

If you get this error: Unable to locate metadata for identity provider 
(https://shibboleth.millikin.edu/idp/shibboleth) then that means that you need 
to upload your metadata file on the register page: 
https://www.testshib.org/register.html (the instructions there still look good 
for 2.x) (Even if you have uploaded the file previously, I've found that they 
clear them out occasionally, so you may need to re-upload it.)

At that point, if you still can't access it, please click on the "shibd.log" 
and "native.log" buttons to access the logs from the testshib SP for further 
troubleshooting details.

Chris



>>> Mostafa Tabal <mostafatabal...@gmail.com> 01/10/16 3:20 AM >>>
Hi,


I didn't understand this link:

 http://www.testshib.org/configure.html

and I couldn't configure it.
 Please help.

I opened idp-process.log and found:

- No metadata for relying party https://sp.testship.org/ shibboleth-sp couldn't 
be resolved
- SAML2 SSO profile is not configured for https://sp.testship.org/ shibboleth-sp

On Thursday, January 7, 2016 at 4:50:59 PM UTC+3, Christopher Myers wrote:
Hi!

It looks like you haven't walked through configuring your Shib instance to be 
used with testshib; please see http://www.testshib.org/configure.html and 
follow the "post install idp config" instructions.

Chris



>>> Mostafa Tabal <mostafa...@gmail.com> 01/07/16 2:19 AM >>>
Hi,

I deployed Shibboleth IdP 2.4 on Tomcat 7 and followed the configuration at:

https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration

When I test with this link: https://sp.testshib.org/

I got this error message:

ERROR An error occurred while processing your request. Please contact your 
helpdesk or user ID office for assistance.
This service requires cookies. Please ensure cookies are enabled in your 
browser, then go back to your desired resource and try to login again.
Use of your browser's back button may cause specific errors that can be 
resolved by going back to your desired resource and trying to login again.
If you think you were sent here in error, please contact technical support
Error Message: SAML 2 SSO profile is not configured for relying party 
https://sp.testshib.org/shibboleth-sp

How can I solve this problem, please?

Thanks

 


Re: [cas-user] Cas 3.5 and Shibboleth idp 2.4 Integration

2016-01-07 Thread Christopher Myers
Hi!

It looks like you haven't walked through configuring your Shib instance to be 
used with testshib; please see http://www.testshib.org/configure.html and 
follow the "post install idp config" instructions.

Chris



>>> Mostafa Tabal  01/07/16 2:19 AM >>>
Hi,

I deployed Shibboleth IdP 2.4 on Tomcat 7 and followed the configuration at:

https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration

When I test with this link: https://sp.testshib.org/

I got this error message:

ERROR An error occurred while processing your request. Please contact your 
helpdesk or user ID office for assistance.
This service requires cookies. Please ensure cookies are enabled in your 
browser, then go back to your desired resource and try to login again.
Use of your browser's back button may cause specific errors that can be 
resolved by going back to your desired resource and trying to login again.
If you think you were sent here in error, please contact technical support
Error Message: SAML 2 SSO profile is not configured for relying party 
https://sp.testshib.org/shibboleth-sp

How can I solve this problem, please?

Thanks

 


Re: [cas-user] CAS 4.1.3 Shibboleth IdP integration

2016-01-06 Thread Christopher Myers
Awesome, thanks much! Watching it now :)

>>> Gang Wang <wangga...@gmail.com> 01/06/16 3:36 PM >>>
here is the issue, https://github.com/Jasig/cas/issues/1423 thanks!

On Wednesday, January 6, 2016 at 4:17:12 PM UTC-5, Christopher Myers wrote:
When you do, please let the list know what the issue number is so that we can follow 
it too; I'm going to be doing an upgrade from Shib 2.x to 3.x here sometime 
this spring since 2.x is being desupported. Our Shib instance points to our CAS 
instance for authentication, so we'll need to make sure all is ok :)




>>> "Misagh Moayyed" <mmoa...@unicon.net> 01/06/16 2:33 PM >>>
Sounds like a bug. Open up an issue please, and attach your configuration there.
 
From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of Gang Wang
Sent: Wednesday, January 6, 2016 1:18 PM
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] CAS 4.1.3 Shibboleth IdP integration


 
I tried to follow the instructions at 
http://jasig.github.io/cas/4.1.x/integration/Shibboleth.htm, using the 
external option.  But when the cas.war is deployed and the login page is 
accessed, there is a runtime exception.  It looks like it's caused by the static 
metadata source configuration.  Before this change, I had already enabled 
SAML 2.0 Google Accounts.  I don't know if that could be the cause.  The 
stack trace is provided below.  Any help would be greatly appreciated.  Thanks!
 

org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'metadataAdapter': Invocation of init method failed; nested exception 
is java.lang.RuntimeException: org.quartz.ObjectAlreadyExistsException: Unable 
to store Job : 'DEFAULT.StaticMetadataResolverAdapter', because one already 
exists with this identification. 
org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:408)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1564)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:539)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
 
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
 
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
 
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
 
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
 
org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
 
org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
 
org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
 
org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1137)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1040)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
 
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
 
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
 
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
 
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
 
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:755)
 
org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:759)
 
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:480)
 
org.springframework.web.servlet.FrameworkServlet.co

RE: [cas-user] CAS 4.1.3 Shibboleth IdP integration

2016-01-06 Thread Christopher Myers
When you do, please let the list know what the issue number is so that we can 
follow it too; I'm going to be doing an upgrade from Shib 2.x to 3.x here 
sometime this spring since 2.x is being desupported. Our Shib instance points 
to our CAS instance for authentication, so we'll need to make sure all is ok :)




>>> "Misagh Moayyed"  01/06/16 2:33 PM >>>
Sounds like a bug. Open up an issue please, and attach your configuration there.
 
From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Gang Wang
Sent: Wednesday, January 6, 2016 1:18 PM
To: CAS Community 
Subject: [cas-user] CAS 4.1.3 Shibboleth IdP integration


 
I tried to follow the instructions at 
http://jasig.github.io/cas/4.1.x/integration/Shibboleth.htm, using the 
external option.  But when the cas.war is deployed and the login page is 
accessed, there is a runtime exception.  It looks like it's caused by the static 
metadata source configuration.  Before this change, I had already enabled 
SAML 2.0 Google Accounts.  I don't know if that could be the cause.  The 
stack trace is provided below.  Any help would be greatly appreciated.  Thanks!
 

org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'metadataAdapter': Invocation of init method failed; nested exception 
is java.lang.RuntimeException: org.quartz.ObjectAlreadyExistsException: Unable 
to store Job : 'DEFAULT.StaticMetadataResolverAdapter', because one already 
exists with this identification. 
org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:408)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1564)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:539)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
 
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
 
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
 
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
 
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
 
org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
 
org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
 
org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
 
org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:140)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1137)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1040)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:504)
 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:476)
 
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
 
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
 
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
 
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
 
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:755)
 
org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:759)
 
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:480)
 
org.springframework.web.servlet.FrameworkServlet.configureAndRefreshWebApplicationContext(FrameworkServlet.java:664)
 
org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:630)
 
org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:678)