Re: [cas-user] Google Authenticator - scratch codes

2018-03-15 Thread Michael O Holstein
Forgot the salient bit.


To the user it's typically like a lottery ticket, but need not be. You say 
"provide the code for #56 on your card" and they run their finger down the list 
and type that in. When they get to ~85% of the numbers you mail them a new 
card. You can also do it electronically but that kind of defeats the point. 
Lots of companies make these, just google "OTP scratch card".


-Mike.

____________
From: Michael O Holstein
Sent: Thursday, March 15, 2018 9:57:17 AM
To: CAS Community
Subject: Re: [cas-user] Google Authenticator - scratch codes


Mathematically .. think salted hash of list of known values. Output is on the 
card .. you compare the values you have against what they gave you and see if 
it matches. The salt is unique per card. You buy them in bulk and you get a 
list of serial numbers = card ID .. usually there's QR so you can do it 
somewhat easily via your credentialing office (make someone else do that BS, 
it's big numbers).

In CAS it's like any other plugin. The value of the current card and salt is 
stored in (somewhere) and identifiable by (something) like the DN. It looks up 
both, just like how the others work. IIRC you can also do it via API but that's 
a bad dependency if it's not you running it, and why bother if it's you.


Michael Holstein CISSP

Cleveland State University


From: cas-user@apereo.org <cas-user@apereo.org> on behalf of Janina Byky 
<projekt.ha...@gmail.com>
Sent: Thursday, March 15, 2018 9:44:29 AM
To: CAS Community
Subject: [cas-user] Google Authenticator - scratch codes

Hello CAS users,

I've worked out CAS + GAuth + mongodb, but I don't know how the scratch 
codes work in terms of CAS. How can a user use them?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c000a5a2-a3d2-40e2-ac19-27f521f3155f%40apereo.org.

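The card scheme Mike sketches above, as an added example (not code from the thread, from CAS or from its Google Authenticator module; all names are assumed): a unique salt per card, salted hashes of the printed codes keyed by position, a challenge for one position, one-time use of each position, and a reissue flag at the 85% mark.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

CODES_PER_CARD = 50      # positions printed on one card
REISSUE_PERCENT = 85     # mail a new card once this share of positions is burned
PBKDF2_ROUNDS = 20_000   # raise for production; kept low so the example runs fast


@dataclass
class CardRecord:
    """Server-side state for one card: serial (card ID), per-card salt, hashes, burned positions."""
    serial: str
    salt: bytes
    hashes: List[str]
    used: Set[int] = field(default_factory=set)


def generate_codes(n: int = CODES_PER_CARD) -> List[str]:
    """Plaintext codes that go to the card printer; the server never stores these."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(n)]


def hash_code(salt: bytes, position: int, code: str) -> str:
    """Hash one printed code, bound to the card salt and to its position on the card."""
    digest = hashlib.pbkdf2_hmac("sha256", f"{position}:{code}".encode(), salt, PBKDF2_ROUNDS)
    return digest.hex()


def enroll_card(serial: str, codes: List[str]) -> CardRecord:
    """Register a freshly printed card: fresh salt, one hash per position."""
    salt = secrets.token_bytes(16)   # unique salt per card, so identical codes never collide across cards
    return CardRecord(serial, salt, [hash_code(salt, i, c) for i, c in enumerate(codes)])


def pick_challenge(card: CardRecord) -> Optional[int]:
    """Choose an unburned position to ask for ("provide the code for #56 on your card")."""
    remaining = [i for i in range(len(card.hashes)) if i not in card.used]
    if not remaining:
        return None
    return remaining[secrets.randbelow(len(remaining))]


def verify(card: CardRecord, position: int, submitted: str) -> bool:
    """Check the submitted code for one position; each position can succeed only once."""
    if position < 0 or position >= len(card.hashes) or position in card.used:
        return False
    candidate = hash_code(card.salt, position, submitted)
    if not hmac.compare_digest(card.hashes[position], candidate):
        return False   # wrong code: the caller should rate-limit, six digits is little entropy
    card.used.add(position)   # burn the position so the same code cannot be replayed
    return True


def needs_reissue(card: CardRecord) -> bool:
    """True once the burned share reaches REISSUE_PERCENT, the point at which a new card is mailed."""
    return len(card.used) * 100 >= REISSUE_PERCENT * len(card.hashes)
```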




[cas-user] Re: pay forward?

2018-02-23 Thread Michael O Holstein
All right folks .. the support folks are good with it, and even said along the 
lines that they'll make it happen if we're close but a tad shy it can still 
go.


So we're good for 40. Ask your boss what you can do with yours .. and noodle up 
a feature that seems worthwhile. Ours expire end of June.


-Mike


From: Michael O Holstein
Sent: Friday, February 23, 2018 2:39:23 PM
To: cas-user@apereo.org
Subject: pay forward?

Our annual contract with Unicon is going to renew here in a bit, and we have a 
bunch of unused consulting hours which are for features and whatnot. I'm sure 
if they're not cool with this I'll get told shortly but here's what I'm 
proposing ..

I'll bet there's a couple others in the same boat .. since you can't roll it .. 
might as well donate it.

If there's a feature that everybody thinks would be neat, or some similar such 
thing that we don't need but would collectively benefit (which happens 
regardless, eventually .. if you've read the contract) .. we propose ..

Come up with something, we'll donate our hours remaining (40 something?) to it 
.. we get new block next year anyway. If that covers it, great .. if not, 
perhaps others will agree with the idea and it'll get done collectively. But as 
long as Unicon is cool with this we're game. Yay open source, etc.

Suggestions? Needs to be well-scoped though, so if you've thought it through 
but couldn't get funding, here's your chance.

Michael Holstein CISSP
Mgr. Network & Data Security
Cleveland State University






Re: [cas-user] Blackboard Ultra

2018-01-31 Thread Michael O Holstein
As an update on this (and thanks to everyone who lent expertise) ...


We *did* have "global logout" enabled in the Blackboard building block for 
Authentication (CAS), although the URL was a custom one that just redirected 
the user, it did NOT actually point at the CAS logout page, however their 
internal code was calling it anyway, apparently due to a bug which they are 
working on as a level 3 ticket.


Disabling "global logout" resolves the issue, at the expense of making the UX if 
a student clicks "logout" do nothing for 30 seconds and leave them where they 
started (it didn't work before either, but at least provided the facade).


So if you're encountering this, try turning that setting off and see how it 
goes. If anyone needs the internal ticket numbers for reference ping me 
off-list.


Thanks,


Michael Holstein CISSP

Cleveland State University


From: cas-user@apereo.org <cas-user@apereo.org> on behalf of Richard Frovarp 
<richard.frov...@ndsu.edu>
Sent: Tuesday, January 30, 2018 6:27:29 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] Blackboard Ultra

I think that they are. From my recollection that was what came up on the Bb 
admin list a couple of years ago. You have to specify a logout URL, and it 
sends the user to it after it kills its own session. People are providing the 
IdP logout URL, so that kicks it off. My suggestion would be to provide a 
different logout URL other than the IdP.

On 01/30/2018 11:38 AM, Ray Bon wrote:
I certainly hope that Bb is not sending a logout request to CAS when 'its' 
session expires (not user initiated). That would single logout the user out of 
all services (that participate in SLO) regardless of CAS settings ==> unhappy 
users & confused administrators.

Ray

On Tue, 2018-01-30 at 09:42 -0600, Richard Frovarp wrote:
Do you have a logout URL configured? Best I know is that when a session expires 
in Bb, it kills the Bb session, then sends the browser to the IdP logout URL, 
which would kill your TGT.

On 01/30/2018 07:08 AM, Michael O Holstein wrote:

We recently moved onto Blackboard's SaaS offering (aka "Ultra") and random 
users are telling us it times out of them. While I suspect this is an issue of 
opening the app, letting it sit for 2 hours, and then noticing their session 
went away (which should re-auth as the TGT is still valid on our end).


Anyone else seen this? How'd you fix it? Our TGT/ST lifetimes are as-delivered 
default.


Thanks,


Michael Holstein CISSP

Mgr. Network & Data Security

Cleveland State University



--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca<mailto:r...@uvic.ca>


Re: [cas-user] Blackboard Ultra

2018-01-31 Thread Michael O Holstein
I'm not sure what BB is doing, but in looking through this cluster@#%# of 
javascript I do see the variable "globalLogoutEnabled=true" set various places.


Note : in memcached I'm seeing this happen .. transactions below are over the 
course of 9 seconds. I suspect this is them but asked the list because it's not 
like Blackboard and CAS are rare in the .edu circle.


-Mike


ST values removed ..

<29 ADD ST-135206-xxx-casvm2 Value len is 1865
<29 GET ST-135206-xxx-casvm2
<29 REPLACE ST-135206-xxx-casvm2 Value len is 1870  <--- WHY?
Deleting ST-135206-xxx-casvm2
<29 GET ST-135206-xxx-casvm2 <-- fails
<29 GET ST-135206-xxx-casvm2 <-- fails
<29 GET ST-135206-xxx-casvm2 <-- fails




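An added example (not from the thread or from CAS) that replays a memcached trace in the shape Mike posted and flags service tickets a client keeps asking for after CAS deleted them, which is what a consumed single-use ST being re-presented looks like; the trace below is constructed, reusing the redacted ticket id from the message as a placeholder, and all function names are assumed.

```python
import re
from typing import Dict, List

# Constructed trace in the shape of the memcached output quoted above; the ticket
# ids reuse the redacted form from the message and are placeholders, not real tickets.
SAMPLE_TRACE = """\
<29 ADD ST-135206-xxx-casvm2 Value len is 1865
<29 GET ST-135206-xxx-casvm2
<29 REPLACE ST-135206-xxx-casvm2 Value len is 1870
Deleting ST-135206-xxx-casvm2
<29 GET ST-135206-xxx-casvm2 <-- fails
<29 GET ST-135206-xxx-casvm2 <-- fails
<29 GET ST-135206-xxx-casvm2 <-- fails
<29 ADD ST-135207-xxx-casvm2 Value len is 1861
<29 GET ST-135207-xxx-casvm2
Deleting ST-135207-xxx-casvm2
"""

# Optional "<fd " prefix, the operation, the ST key, optional "Value len is N";
# trailing hand annotations such as "<-- fails" are ignored.
LINE_RE = re.compile(
    r"^(?:<\d+\s+)?(?P<op>ADD|GET|REPLACE|Deleting)\s+(?P<key>ST-\S+)"
    r"(?:\s+Value len is\s+(?P<len>\d+))?"
)


def analyze(trace: str) -> Dict[str, dict]:
    """Replay the trace per service ticket and record what a single-use ST should never show."""
    state: Dict[str, dict] = {}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        op, key, size = m.group("op"), m.group("key"), m.group("len")
        st = state.setdefault(key, {
            "len": None,              # last stored value length
            "deleted": False,         # CAS consumed the ticket
            "gets_before_delete": 0,  # normal: exactly one validation lookup
            "stale_gets": 0,          # lookups after deletion: a client re-presenting a used ST
            "size_change": None,      # (old, new) if a REPLACE changed the stored size
        })
        if op == "ADD" and size is not None:
            st["len"] = int(size)
        elif op == "REPLACE" and size is not None:
            new_len = int(size)
            if st["len"] is not None and new_len != st["len"]:
                st["size_change"] = (st["len"], new_len)
            st["len"] = new_len
        elif op == "Deleting":
            st["deleted"] = True
        elif op == "GET":
            if st["deleted"]:
                st["stale_gets"] += 1
            else:
                st["gets_before_delete"] += 1
    return state


def suspicious_tickets(trace: str) -> List[str]:
    """Tickets looked up after CAS deleted them, or validated more than once before that."""
    return sorted(
        key for key, st in analyze(trace).items()
        if st["stale_gets"] > 0 or st["gets_before_delete"] > 1
    )
```

Run against a real trace, the flagged keys tell you which service kept retrying a consumed ticket, which is the side to look at when a client drops its session on ST change.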


Re: [cas-user] Blackboard Ultra

2018-01-31 Thread Michael O Holstein
> Do you have a logout URL configured? Best I know is that when a session 
> expires in Bb, it kills the Bb session, then sends the browser to the IdP 
> logout URL, which would kill your TGT.

We use a custom logout URL that is in essence just a JSP that redirects to the 
homepage. We have CAS configured subordinate to ADFS, and as such, there really 
is not a way to "log out" of CAS, even if you do, any new attempt will 
automatically be re-authenticated by the upstream ADFS and new TGT granted.

I can't reproduce it, but I suspect the code on Blackboard's side associates 
their application persistence (JSESSIONID or whatever) taking into account the 
present id of the ST and upon change drops the session .. first I've ever seen 
of that, but I am trying to troubleshoot blind.

-Mike.






Re: [cas-user] Re: CAS documentation for a new user is terrible

2018-01-29 Thread Michael O Holstein
CAS is an open-source project. It is not plug-and-play.


If you want a turnkey implementation, I'd recommend contacting Unicon (the 
principal architects) who offer it as a hosted solution, various support 
contracts, and implementation consulting.


From: cas-user@apereo.org  on behalf of David Curry 

Sent: Monday, January 29, 2018 2:52:29 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] Re: CAS documentation for a new user is terrible

For those of you who are new to CAS and looking for some help, in addition to 
Carl's task list (for lack of a better word), I have been making this available 
for anyone who wants it:

https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html

It's NOT official, and it's not the only way to do things, but it's pretty 
verbose and step-by-step.

I just updated it the other day with my initial work on doing some high 
availability stuff with MongoDb, so it's up-to-date with CAS 5.2.2-SNAPSHOT.

--Dave



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Jan 29, 2018 at 2:08 PM, Matthew Uribe wrote:
Jan,

I have to say, as another new arrival to the CAS world, that I agree with your 
statements, and wish I would have encountered your post several weeks ago. I 
appreciate the link to guide, and hope that others will find it earlier in 
their journey than I did.

Also, I want to thank all who have contributed directly to the project, as well 
as here in the group.


On Monday, October 30, 2017 at 7:50:43 AM UTC-6, Jan wrote:
Hello,

As a new user of CAS, I'd like to voice my opinion that the official 
documentation of how one can get started with CAS is just awful. By this I mean 
not the lack of it, but rather how indirect, not step-by-step it is. Clarity 
could often be improved too.

In the end I managed to do what I hoped for, i.e. investigate CAS locally as an 
SSO solution, for which I needed to (1) run CAS server locally, (2) connect and 
authenticate using a simple CAS client locally, (3) run the service management 
app. However, the difficulty I had at most steps of getting it all to work makes 
me really want to use something else even if I have to implement parts of it 
from scratch.

Only now, when wanting to post this message, did I find this helpful guide: 
https://dacurry-tns.github.io/deploying-apereo-cas/ Could the CAS team 
incorporate some step-by-step tutorial like this into the official 
documentation?

These threads seem to voice a similar concern:
https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/documentation/cas-user/z3BLJ0IQwZ0/wRybEK1LAQAJ
https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/documentation/cas-user/qaAINooFi1s/D3k7Pr-7BQAJ

I'm also posting the notes I made for myself during the process. I wouldn't 
have written them if there was something like this available in official docs, 
or I had found the unofficial guide earlier. I'm adding  to points that 
took me particularly long to figure out.

Building
- Described here: https://apereo.github.io/cas/developer/Build-Process.html
- git clone --depth=1 --single-branch --branch=master 
g...@github.com:apereo/cas.git cas-server
- cd cas-server
- git checkout master
- ./gradlew build install --parallel -x test -x javadoc -x check

Config
- Default config dir is /etc/cas/config (may need to be created, given 
permissions) If you create application.properties in there, CAS seems to pick 
them up. 
- You can override in there any properties listed on 
https://apereo.github.io/cas/development/installation/Configuration-Properties.html

Keys
- keytool -genkey -alias cas -keyalg RSA -validity 999 -keystore 
/etc/cas/thekeystore -ext san=dns:cas-sso.local
- Add 127.0.0.1 cas-sso.local to /etc/hosts
- keytool -export -file /etc/cas/config/cas.crt -keystore /etc/cas/thekeystore 
-alias cas
- sudo keytool -import -file /etc/cas/config/cas.crt -alias cas -keystore 
$JAVA_HOME/jre/lib/security/cacerts (default password to cacerts is changeit)
- Add the following lines to application.properties in CAS config dir (with 
whatever password you set up for /etc/cas/thekeystore) 
server.ssl.keyStorePassword=qwer1234
server.ssl.keyPassword=qwer1234

Adding JSON service registry (to get a sample client registered)
- Add line >>compile 
"org.apereo.cas:cas-server-support-json-service-registry:5.2.0-SNAPSHOT"<< to 
the file cas-server/webapp/cas-server-webapp-tomcat/build.gradle, replacing 
5.2.0-SNAPSHOT with whatever version of CAS you have. The version can be 
figured out after starting CAS (is displayed). 
- Recompile the whole thing as above.
- Add the following lines to application.properties in CAS config dir: 

Re: [cas-user] Re: SSO problems with CAS 5.1.3

2017-11-02 Thread Michael O Holstein
> A default service registry will be automatically created under /etc/cas


I've never found that to be the case .. it gets created in 
JAVA_IO_TEMPDIR/$server.context.path/services


eg .. with no other options, you'll find it in /tmp/cas/services.


IMPORTANT NOTE: despite what's claimed about externalized configuration, I can 
never get any -Dcas.standalone.config=blahblahblah to transfer into the tomcat 
container. Spring sees it just fine, but no dice on tomcat. Only thing that 
works is inside the classpath on an overlay (eg: 
./src/main/resources/whatever.properties).


In fact, spring doesn't seem to care one bit if /etc/cas is missing or not 
writable, as long as the goodies are in the classpath.

Anyone know how to build a WAR file with symlinks :)


WRT the hazelcast stuff, the config directives in application.properties 
will fight with hazelcast.xml. I've been able to get away with this:

classpath:application.properties

cas.ticket.registry.hazelcast.configLocation=classpath:hazelcast.xml
cas.ticket.registry.hazelcast.mapName=tickets
cas.ticket.registry.hazelcast.cluster.evictionPolicy=LRU
cas.ticket.registry.hazelcast.cluster.maxNoHeartbeatSeconds=300
cas.ticket.registry.hazelcast.cluster.multicastEnabled=true
cas.ticket.registry.hazelcast.cluster.tcpipEnabled=false
cas.ticket.registry.hazelcast.cluster.loggingType=slf4j
cas.ticket.registry.hazelcast.cluster.instanceName=(whatever)
cas.ticket.registry.hazelcast.cluster.port=5701
cas.ticket.registry.hazelcast.cluster.backupCount=1
cas.ticket.registry.hazelcast.cluster.asyncBackupCount=0
cas.ticket.registry.hazelcast.cluster.multicastTrustedInterfaces=(ip address, but it ignores it)
cas.ticket.registry.hazelcast.crypto.signing.key=JWK of 512
cas.ticket.registry.hazelcast.crypto.signing.keySize=512
cas.ticket.registry.hazelcast.crypto.encryption.key=JWK of 16
cas.ticket.registry.hazelcast.crypto.encryption.keySize=16
cas.ticket.registry.hazelcast.crypto.alg=AES
cas.tgc.crypto.enabled=true
cas.tgc.crypto.encryption.key=JWK of 256
cas.tgc.crypto.encryption.keySize=256
cas.tgc.crypto.signing.key=JWK of 512
cas.tgc.crypto.signing.keySize=512
cas.tgc.crypto.alg=AES


For unknown and frustrating reasons, I have yet to get hazelcast to bind to the 
correct IP, it always uses the highest ordered one, which happens to be a 
vmwareLocalNet, but it works for single-node so I'll tackle that later.


classpath:hazelcast.xml

http://www.hazelcast.com/schema/config hazelcast-config-3.10.xsd"
   xmlns="http://www.hazelcast.com/schema/config"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

cas

2
LFU
0
99

~


It seems that hazelcast.xml MUST be present, regardless of how little 
information is in there. I played with it and this is as little as you can get 
away with.




Michael Holstein

Cleveland State University


From: cas-user@apereo.org  on behalf of Ray Bon 

Sent: Wednesday, November 1, 2017 4:10:34 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] Re: SSO problems with CAS 5.1.3

Mohammad,

A default service registry will be automatically created under /etc/cas if no 
other option is set. I have not used the in memory option but you could try 
removing it to see if all works under default settings.

Ray

On Wed, 2017-11-01 at 16:47 +0330, Mohammad Anbari wrote:
This is my application.properties in cas src/main/resources:

cas.server.name: http://localhost:8080
cas.server.prefix: http://localhost:8080/cas

cas.authn.accept.users=
cas.ticket.registry.hazelcast.configLocation=classpath:/hazelcast.xml

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://192.168.99.100:32769
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=people,dc=planetexpress,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com
cas.authn.ldap[0].bindCredential=professor



And This is my deployerConfigContext.xml :


http://www.springframework.org/schema/beans;
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; 
xmlns:p="http://www.springframework.org/schema/p;
xmlns:c="http://www.springframework.org/schema/c; 
xmlns:lang="http://www.springframework.org/schema/lang;
xmlns:util="http://www.springframework.org/schema/util;
xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans.xsd
   http://www.springframework.org/schema/lang
   http://www.springframework.org/schema/lang/spring-lang.xsd
   http://www.springframework.org/schema/util
   http://www.springframework.org/schema/util/spring-util.xsd;>


http://.*;
p:evaluationOrder="0" />




And This is my added dependencies in cas pom file :



org.apereo.cas
cas-server-webapp${app.server}
${cas.version}
war

Re: [cas-user] Re: SSO problems with CAS 5.1.3

2017-11-02 Thread Michael O Holstein
what's in hazelcast.xml .. it's mandatory you configure that.
also bear in mind that only spring will load externalized configs, everything 
else seems to need to be in the classpath.

ymmv, and you are using fewer features .. but I had to :

- use an updated springboot due to a bug in 1.5.3
- manually declare hazelcast dependency
- download correct XSD and change hazelcast.xml to use it
- use log4j-jcl and exclude logback from the spring components that declare it 
as a dependency (mvn dependency:tree helps there)

one thing you did do that I haven't found necessary is to mess with 
deployerConfigContext. Just use the registry-support-json and then do 
initfromjson=true .. the ./services/(*.json) files need to be in the classpath, 
so once again .. mvn clean package ** java -jar target/cas.war

also .. doing "-Xdebug -Ddebug" as javaopts on the cli helps immensely.

Selinux and extended ACLs will both ruin your day with embedded tomcat. If 
you're on RHEL/CentOS just disable it. Personally I gave up fighting with that 
and used vanilla Debian and had better luck.

If you are doing this for a production use, it might be wise to just start 
collecting the patches and apply them on build by inserting them into your 
overlay. All the diffs I have to do bugfixes against what comes out of github I 
just stick in another VCS directory and tell Jenkins to overlay them. I'm using 
5.1.5-RELEASE and have at least a dozen of them thus far.

Cheers,

Michael Holstein
Cleveland State University

From: cas-user@apereo.org  on behalf of Mohammad Anbari 

Sent: Wednesday, November 1, 2017 9:17:07 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] Re: SSO problems with CAS 5.1.3

This is my application.properties  in cas  src/main/resources:




cas.server.name: http://localhost:8080
cas.server.prefix: http://localhost:8080/cas

cas.authn.accept.users=
cas.ticket.registry.hazelcast.configLocation=classpath:/hazelcast.xml


cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://192.168.99.100:32769
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=people,dc=planetexpress,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Hubert J. 
Farnsworth,ou=people,dc=planetexpress,dc=com
cas.authn.ldap[0].bindCredential=professor



And This is my deployerConfigContext.xml :


http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" 
xmlns:lang="http://www.springframework.org/schema/lang"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans.xsd
   http://www.springframework.org/schema/lang
   http://www.springframework.org/schema/lang/spring-lang.xsd
   http://www.springframework.org/schema/util
   http://www.springframework.org/schema/util/spring-util.xsd">


http://.*"
p:evaluationOrder="0" />




And This is my added dependencies in cas pom file :



org.apereo.cas
cas-server-webapp${app.server}
${cas.version}
war
runtime


org.apereo.cas
cas-server-support-ldap
${cas.version}


org.apereo.cas
cas-server-support-hazelcast-ticket-registry
${cas.version}





This is all the configuration I have done for my CAS server. I think CAS SSO 
functionality does not need any further configuration; am I right?

On Wed, Nov 1, 2017 at 12:48 PM, Andy Ng wrote:
Did you configure your properties file to the correct port?
You can do so with making a file application.properties in src/main/resources
And add these things here: 
https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#cas-server


On Wednesday, 1 November 2017 15:17:27 UTC+8, hadi wrote:
Hi Martin,
it's my mistake; the correct port is 8083.

On Wednesday, November 1, 2017 at 10:37:17 AM UTC+3:30, Martin Bohun wrote:
well your example/list says that App1 is on port 8083, NOT on port 8080,

cheers,

martin

On Wednesday, November 1, 2017 at 5:54:27 PM UTC+11, hadi wrote:
Hi all

I am new to CAS. I am configuring a CAS server on JBoss (WildFly 10) and 
have configured two CAS clients on separate embedded Tomcats (Spring Boot 
applications); all of these applications are on the same machine.

localhost:8080 ---> refers to my CAS server
localhost:8083 ---> refers to my App 1
localhost:8085 ---> refers to my App 2

When I go to the App1 URL (localhost:8080) it redirects to the CAS server correctly, 
but when I go to the App2 URL it redirects to the CAS server again.
The CAS server lets only one application log in at a time.

I am so confused and I do not know what to do.
Can anyone help me?

thanks



[cas-user] Bug in Twilio config

2017-11-01 Thread Michael O Holstein
This held me up forever .. I CC'd the author because I don't think I can post.
fwiw we contract support for cas via Unicon.

File :

cas/support/cas-server-support-sms-twillio/src/main/java/org/apereo/cas/config/TwillioSmsConfiguration.java

Commit :

620dc67c760cb2489adbd9ef6a3170d9d604f354

Lines :

25 Assert.notNull(casProperties.getTwillio().getAccountId(), "Twillio account id cannot be blank");
26 Assert.notNull(casProperties.getTwillio().getToken(), "Twillio token cannot be blank");

It's --> t w i l i o <-- .. as in one "L".

So when you read in the config .. (and these are right)

cas.Twilio.AccountId=
cas.Twilio.Token=

it throws an exception ...

WARN [org.apereo.cas.web.CasWebApplicationContext] - 

I suppose the easy fix is to just change the config to use a double "L" .. but 
geez.

Michael Holstein
Cleveland State University



[cas-user] Re: duo integration with CAS

2016-01-15 Thread Michael O Holstein
The biggest thing you will need to do is configure some sort of replication for 
the ticket registry .. pick a flavor (ehcache, memcache, whatever ...).


Also, with casshib you can do per-service on the SAML/shib side as well, since 
each shib service comes across to CAS separately (if you wish). MFA 
requirements are just an extra element in servicesregistry.json


Regards,


Michael Holstein

Cleveland State University



From: cas-user@apereo.org  on behalf of Ted Fisher 

Sent: Friday, January 15, 2016 3:55 PM
To: cas-user@apereo.org
Subject: [cas-user] duo integration with CAS


We are facing an urgent push to get duo integrated with our CAS and I'd like to 
get some feedback as to best approach, caveats, etc.

Environment:

CAS 3.5.0  on Tomcat 7,  2 RHEL 6 servers behind Cisco ACE load balancer

   2  Shibboleth IDPs using CAS as auth handler.

Needs / concerns

Use duo only on specific services, which sounds like not much 
of an issue since cas-mfa supports per service and we are using a JSON service 
registry where we can configure settings for that.

Our IDPs would likely then be all or nothing with duo since 
that is one CAS defined service.  Or could we change CAS / Shibboleth 
integration to allow finer definition of the Shibboleth integrated service(s)?



We considered adding duo 2FA to one of our new CAS services as a pilot a month 
ago, but since our CAS is 3.5.0 and the Unicon cas-mfa project needs 3.5.2 we 
decided to wait.

It looks like cas-mfa is the best way to get to duo with CAS, am I correct?

We first upgrade our CAS to 3.5.3 and then add cas-mfa, configure and test.



Please offer any specific considerations or caveats.



Thanks.



Ted F. Fisher

Server Administrator

323 Hayes Hall

Information Technology Services

Email:  tffi...@bgsu.edu

Phone: 419.372.1626



[cas-user] shibcas + ECP

2015-12-03 Thread Michael O Holstein
(cross-posted to both lists since I'm not sure who to ask)


I have a deployment of both Shibboleth3 and Cas3 whereby authentication is 
delegated (to CAS) via Shibcas. I'm running into a wall trying to get ECP 
working.


I am front-ending Tomcat with Apache and using AJP, configured per the wiki .. 
and basic auth works, but the scripts on CILogon.org for ECP testing generate 
this in the idp-process.log :


2015-12-03 15:02:23,634 - INFO [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:82] - Profile Action FilterFlowsByNonBrowserSupport: No potential authentication flows remain after filtering

2015-12-03 15:02:23,635 - ERROR [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:271] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication will fail


.. and also fail from the script as :





The various web-based methods (SAML and CAS) *do* work against the springSAML 
or javaCAS test apps.


The reason behind the complexity is to take advantage of the multifactor 
modules available for CAS. In this particular situation MFA isn't needed for 
the ECP endpoint, as that is only used for MS Outlook.


Many thanks,


Michael Holstein

Cleveland State University
