[cas-user] Re: JAMF OIDC

2023-06-21 Thread 'Gordon, Matthew' via CAS Community
Hi Jeremiah,

My Service Config:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "[CLIENT_ID]",
  "clientSecret": "[CLIENT_SECRET]",
  "serviceId" : "https://127.0.0.1/jamfconnect",
  "name" : "Mac User Login",
  "id" : 1,
  "attributeReleasePolicy" : {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "displayName": "Realname",
      "mail": "email",
      "cn": "name",
      "sn": "family_name",
      "sn": "familyName",
      "givenName": "given_name"
    }
  },
  "jwtAccessToken": true,
  "signIdToken": false,
  "encryptIdToken": false,
  "signAccessToken": false,
  "encryptAccessToken": false,
  "evaluationOrder": 1,
  "bypassApprovalPrompt": true,
  "supportedGrantTypes": [ "java.util.HashSet", [ "password", "authorization_code" ] ],
  "supportedResponseTypes": [ "java.util.HashSet", [ "code", "token", "id_token" ] ]
}

I think on the Jamf side we are using the Azure AD and not generic option: 
https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Azure_AD_Integration.html

That was the trick to not getting prompted.

If you use SSO, though, it breaks that, and they will still get prompted. It's a 
bug, since it tries to capture the content of the last password box to use as 
the user's password. They are aware.

Thank you,
Matt

-Original Message-
From: Jeremiah Garmatter <j-garmat...@onu.edu>
To: CAS Community <cas-u...@apereo.org>
Cc: "mago...@hacc.edu" <magor...@hacc.edu>
Subject: Re: JAMF OIDC
Date: 06/21/2023 02:13:58 PM


Hi Matt,

I am looking to configure Jamf Connect with my CAS instance. I currently have 
the OIDC portion working with CAS but the ROPG returns a CAS 500 internal 
server error related to an "InvalidTicketException: null" error.
Did you run into anything like this when configuring CAS with JAMF Connect? The 
error only happens on Resource Owner Password Grants.

Also, did you find a way to prevent users having to log in twice?

On Wednesday, May 25, 2022 at 5:08:17 PM UTC-4 mago...@hacc.edu wrote:
I was able to get JAMF SSO working with OIDC, but the OIDCUsePassthroughAuth 
portion of JAMF isn't working. I was wondering if anyone used JAMF with CAS and 
didn't require the users to login twice?

Thank you,
Matt
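The service definition posted earlier in this thread maps "sn" twice inside a java.util.TreeMap, and a plain JSON parser keeps only the last value without complaint. The following is an added example (not part of the thread, and not a CAS tool): a small linter that re-reads that definition with a duplicate-key-aware loader and also flags two settings a reviewer would want to see called out, the unsigned ID token ("signIdToken": false) and the resource owner password grant. The copy of the definition embedded below is constructed from the post, with the poster's own bracketed placeholders left in place; the findings are this example's own checks, not CAS validation rules.

```python
import json

# Constructed copy of the OidcRegisteredService definition from the post above;
# the bracketed placeholders are the poster's own, not real credentials.
SERVICE_JSON = """
{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "[CLIENT_ID]",
  "clientSecret": "[CLIENT_SECRET]",
  "serviceId" : "https://127.0.0.1/jamfconnect",
  "name" : "Mac User Login",
  "id" : 1,
  "attributeReleasePolicy" : {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "displayName": "Realname",
      "mail": "email",
      "cn": "name",
      "sn": "family_name",
      "sn": "familyName",
      "givenName": "given_name"
    }
  },
  "jwtAccessToken": true,
  "signIdToken": false,
  "encryptIdToken": false,
  "signAccessToken": false,
  "encryptAccessToken": false,
  "evaluationOrder": 1,
  "bypassApprovalPrompt": true,
  "supportedGrantTypes": [ "java.util.HashSet", [ "password", "authorization_code" ] ],
  "supportedResponseTypes": [ "java.util.HashSet", [ "code", "token", "id_token" ] ]
}
"""


def load_reporting_duplicates(text):
    """Parse JSON and return (data, duplicates).

    json.loads on its own silently keeps the last value of a repeated key, so
    "sn": "family_name" would disappear without any error. The pairs hook sees
    every key/value pair of each object, so repeats can be recorded.
    """
    duplicates = []

    def hook(pairs):
        merged = {}
        for key, value in pairs:
            if key in merged:
                duplicates.append((key, merged[key], value))
            merged[key] = value
        return merged

    return json.loads(text, object_pairs_hook=hook), duplicates


def java_collection(value):
    """Unwrap CAS's ["java.util.HashSet", [...]] serialisation into a plain list."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")):
        return list(value[1])
    return value


def lint_service(text):
    """Return a list of human-readable findings for one CAS JSON service file."""
    data, duplicates = load_reporting_duplicates(text)
    findings = []
    for key, first, second in duplicates:
        findings.append(
            f"duplicate key {key!r}: {first!r} is discarded in favour of {second!r}")
    if data.get("signIdToken") is False:
        findings.append(
            "signIdToken is false: the ID token is issued unsigned, so the client "
            "cannot verify that CAS issued it")
    grants = java_collection(data.get("supportedGrantTypes", []))
    if "password" in grants:
        findings.append(
            "supportedGrantTypes includes 'password': the client collects and "
            "forwards the user's CAS credentials directly (resource owner password grant)")
    return findings


if __name__ == "__main__":
    for finding in lint_service(SERVICE_JSON):
        print("-", finding)
```

Run it against any file in the CAS JSON service registry to get the same three kinds of findings; the duplicate-key check is the one that matters most for attribute release, because the mapping that is silently dropped is exactly the one that never shows up in the ID token.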



To unsubscribe: email unsubscr...@hacc.edu with sender email address and 
subject.

This email and any files attached from HACC, Central Pennsylvania's Community 
College are confidential and intended solely for use by the individual or 
entity to whom addressed. If you have received this email in error please 
notify postmas...@hacc.edu This message may contain confidential information 
and is intended only for the individual named. If you are not the named 
addressee do not disseminate, distribute or copy this e-mail. Please notify the 
sender immediately by e-mail if you have received this e-mail by mistake and 
delete from your system. If you are not the intended recipient you are notified 
that disclosing, copying, distributing or taking any action in reliance on the 
contents of this information is strictly prohibited.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/116bfa6bde75f488f011e28fd48bd2e31e7f9ccf.camel%40hacc.edu.


Re: [cas-user] SAML SP Metadata with multiple signing keys

2022-02-28 Thread Gordon, Matthew
Hi Ray,

Thank you for the suggestion.

I am attempting to use that method already, but the two signing keys in their 
metadata present the problem. If I configure the service definition to pull 
their metadata via the https URL, it works.

The problem is they sign their AuthN request and CAS is unable to verify the 
signature, since it picks the wrong signing key from their metadata, that was 
successfully obtained by CAS, via the URL.

To make it work, I have to save the metadata, and remove the invalid signing 
key, then use a local copy of the metadata and a 
"metadataLocation":"file/", rather than the URL.

Thank you,
Matt




-Original Message-
From: Ray Bon <r...@uvic.ca>
Reply-To: cas-user@apereo.org
To: cas-user@apereo.org <cas-u...@apereo.org>
Subject: Re: [cas-user] SAML SP Metadata with multiple signing keys
Date: Mon, 28 Feb 2022 19:59:12 +

Matthew,

You can set SP metadataLocation to a URL, 
https://apereo.github.io/cas/6.4.x/services/SAML2-Service-Management.html

Ray

On Mon, 2022-02-28 at 09:41 -0800, Matthew Gordon wrote:

We have a SAML SP (3rd Party system) that has multiple signing keys in their 
metadata. They rotate keys, yearly, from a Public Certificate Authority. CAS 
picks either the first key or the one with the furthest expiration date, I 
don't know which, but I do know it's picking the wrong certificate. Is there a 
way to influence this behavior, so I can use their hosted, on the internet, 
metadata, rather than having to copy and update locally?

Thank you in advance!

Thank you,
Matt

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.
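The workaround Matt describes above (save the SP's metadata, delete the signing key CAS should not use, point "metadataLocation" at the local copy) is a manual edit that has to be repeated every time the SP rotates keys. The following is an added example, not from the thread and not CAS code, that does the same pruning deterministically: it lists the SHA-256 fingerprints of every signing certificate in an SP's metadata, removes the signing KeyDescriptors that do not match the fingerprint you have verified out of band, and refuses to produce a document with no signing key left. Encryption-only KeyDescriptors are left untouched. The metadata document and the certificate bytes below are constructed stand-ins (not real X.509 DER), as is the entity ID.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
# Keep the usual prefixes when serialising instead of ElementTree's ns0/ns1.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed stand-ins for the SP's certificates (NOT real DER certificates);
# the pruning logic only needs the bytes, so any opaque blob demonstrates it.
CERT_CURRENT = base64.b64encode(b"constructed-signing-cert-2022").decode()
CERT_STALE = base64.b64encode(b"constructed-signing-cert-2021").decode()
CERT_ENC = base64.b64encode(b"constructed-encryption-cert").decode()

# Constructed SP metadata with two signing keys (the situation from the thread)
# plus one encryption key; the entity ID is a placeholder.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_STALE}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_CURRENT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_ENC}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes; whitespace from PEM-style wrapping is ignored."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def _is_signing(key_descriptor):
    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    return key_descriptor.get("use", "") in ("", "signing")


def list_signing_certs(metadata_xml):
    """Fingerprints of every certificate usable for signature verification, in document order."""
    root = ET.fromstring(metadata_xml)
    return [cert_fingerprint(cert.text)
            for kd in root.iterfind(".//md:KeyDescriptor", NS) if _is_signing(kd)
            for cert in kd.iterfind(".//ds:X509Certificate", NS)]


def prune_signing_keys(metadata_xml, keep_fingerprint):
    """Return (pruned_xml_bytes, removed_count) with only the trusted signing key left.

    Raises ValueError if keep_fingerprint is not present, so a typo cannot
    produce a metadata file that verifies nothing.
    """
    if keep_fingerprint not in list_signing_certs(metadata_xml):
        raise ValueError("requested fingerprint is not a signing key in this metadata")
    root = ET.fromstring(metadata_xml)
    removed = 0
    for parent in list(root.iter()):  # snapshot: we mutate children while walking
        for kd in list(parent.findall("md:KeyDescriptor", NS)):
            if not _is_signing(kd):
                continue
            fps = [cert_fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS)]
            if keep_fingerprint not in fps:
                parent.remove(kd)
                removed += 1
    return ET.tostring(root, encoding="utf-8"), removed


if __name__ == "__main__":
    for fp in list_signing_certs(SAMPLE_METADATA):
        print("signing cert", fp)
    pruned, n = prune_signing_keys(SAMPLE_METADATA, cert_fingerprint(CERT_CURRENT))
    print(f"removed {n} signing key(s); write `pruned` to the file named in metadataLocation")
```

Fetching the SP's metadata over HTTPS, running it through prune_signing_keys with the fingerprint you confirmed with the SP, and writing the result to the local metadata file is the scripted version of the manual copy-and-edit; keeping the fingerprint in version control beside the service definition also records which key was trusted and when it was changed.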




To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/05447e3006a1da3501c6cf8b0f0c74e8599a11b6.camel%40hacc.edu.