Re: [cas-user] Security question about CasRegisteredService wildcards

2023-02-15 Thread Mike Osterman
Hi Joshua,

Note this is based solely on my experience as a CAS admin at my
institution. I hope others will add to the conversation.

Your risk example is correct because it’s basically making any app that
wants to use your CAS service a seemingly institutionally-supported
resource, which can lead to the type of scenario you describe, but it also
risks releasing sensitive user attributes (think FERPA) depending on how
you set up your attribute release policy; users would only need to access
the link and have an existing CAS session—no input required.

The more university specific approach is better, but relies on proper
controls and vetting where your DNS is managed. Can you see a scenario
where a subdomain might get provisioned that you would not want using CAS
services?

A non-security factor on a catch all registration is that each service may
have different attribute requirements, therefore you’d want to have a
separate registration and attribute release policy.  I’ve found CAS to be
very good at renaming and transforming attributes to meet the needs of
different services.

Again, this is just my perspective as a long-time user of CAS.

On Wed, Feb 15, 2023 at 8:55 PM Joshua Leger  wrote:

> Hello,
>
> I have recently taken over the CAS instance at my university and have a
> question about security for the regex in CasRegisteredService.
>
> My understanding is that you wouldn't want to set up a service with a
> serviceId of "^https://.+" because an attacker could make a fake website
> that seems legitimate because it uses our actual CAS server to authenticate
> and then convinces the user to input sensitive information. If my
> university owns the university.edu domain though, could I set up a regex
> like "^https?://[^/]*university\.edu/.*" that allows all subdomains safely
> because an attacker couldn't make their own subdomain that they control?
> Are there any other risks of the "^https://.+" serviceId that I haven't
> thought of?
>
> Thanks!
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9d329790-70fd-4e84-b22d-29a3192cd304n%40apereo.org
> 
> .
>

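An added check, not code from the thread: the serviceId pattern proposed in the question, run with Python's re module (java.util.regex behaves the same for these constructs) against constructed URLs, next to a tighter pattern of my own that pins the registrable domain to the end of the host. It goes a little beyond the thread by listing which constructed inputs only the looser pattern admits.

```python
import re

# The serviceId pattern proposed in the question, verbatim.
PROPOSED = r"^https?://[^/]*university\.edu/.*"

# A tighter alternative (mine, not from the thread): https only, an optional
# chain of DNS labels, then the registrable domain at the end of the host.
# Only labels and dots can precede "university.edu", so "?", "@" or ":"
# cannot appear in the host part. Ports would have to be added explicitly.
TIGHTER = r"^https://([a-z0-9-]+\.)*university\.edu(/.*)?$"


def allowed(pattern: str, service_url: str) -> bool:
    """True if the service URL matches the registered pattern. Case-insensitive
    because host names compare that way; the pattern's own ^ does the anchoring."""
    return re.search(pattern, service_url, re.IGNORECASE) is not None


# Constructed test inputs: two legitimate services and four that should not be
# treated as institutionally supported.
CASES = [
    "https://portal.university.edu/login",       # legitimate subdomain
    "https://university.edu/",                   # apex host
    "http://portal.university.edu/login",        # plaintext: the proposed pattern allows it
    "https://notuniversity.edu/",                # a different registrable domain
    "https://attacker.example?university.edu/",  # host ends at "?"; the match is in the query
    "https://university.edu.attacker.example/",  # suffix on the host; neither pattern allows it
]


def over_accepted(urls):
    """URLs the proposed pattern accepts but the tighter one rejects."""
    return sorted(u for u in urls if allowed(PROPOSED, u) and not allowed(TIGHTER, u))


if __name__ == "__main__":
    for url in CASES:
        print(f"{url:45} proposed={allowed(PROPOSED, url)!s:5} tighter={allowed(TIGHTER, url)}")
    print("only the proposed pattern admits:", over_accepted(CASES))
```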


[cas-user] Anyone using everbridge.net with SAML and running into 414 status?

2022-12-01 Thread Mike Osterman
We have a SAML SP service that has been working just fine for years, but
they are now updating SSO certificates, and I'm running into an issue where
the Duo flow is breaking because of the length of the URI in the initial
SAML request. Specifically, I can get past the password prompt, but once
the flow redirects to Duo, Duo's API rejects the response with "414
Request-URI Too Large".

I'm going to contact the vendor support as well, and I suspect that's
likely where the issue is coming from, which Duo support suspects as well:

The HAR shows the request and the 414 error returned. I was able to
review the SAML request, but only after URL decoding the request twice
before I could Base64 decode and Inflate the request.

Seeing that the SAML request is URL encoded multiple times before
being sent to Duo, I suggest reviewing the SP settings to determine why it
is encoding the request multiple times, adding to the length and causing
the failure. The request URL is 10550 chars long when it returns the 414.

That said, I'm wondering if others have run into this behavior and already
know what the resolution is.

Thanks!
Mike

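An added diagnostic, mine rather than anything from the thread or from Duo support: it reproduces a SAMLRequest value in the HTTP-Redirect binding shape (raw DEFLATE, base64, URL-encoding) with one or two URL-encoding layers, then peels the layers back off and inflates, so the number of layers can be read straight from a captured query value. The AuthnRequest is a constructed stub.

```python
import base64
import urllib.parse
import zlib

# Constructed minimal AuthnRequest (not a capture). A real one is far longer,
# which is why extra encoding layers can push the redirect URL past the
# length limit behind a "414 Request-URI Too Large".
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2022-12-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example/acs"/>'
)


def encode_redirect_binding(xml: str, url_encodings: int = 1) -> str:
    """Encode XML the way the SAML HTTP-Redirect binding does: raw DEFLATE,
    then base64, then URL-encode. url_encodings=2 reproduces the
    double-encoded value described in the thread."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    value = base64.b64encode(deflated).decode("ascii")
    for _ in range(url_encodings):
        value = urllib.parse.quote(value, safe="")
    return value


def peel_url_encoding(value: str) -> tuple:
    """URL-decode until the value stops changing. Returns (decoded, layers);
    layers > 1 means the parameter was URL-encoded more than once."""
    layers = 0
    while True:
        unquoted = urllib.parse.unquote(value)
        if unquoted == value:
            return value, layers
        value = unquoted
        layers += 1


def decode_saml_request(value: str) -> tuple:
    """Recover the AuthnRequest XML from a SAMLRequest query value, however
    many times it was URL-encoded. Returns (xml, url_encoding_layers)."""
    b64, layers = peel_url_encoding(value)
    xml = zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")
    return xml, layers


if __name__ == "__main__":
    for label, layers_in in (("single", 1), ("double", 2)):
        value = encode_redirect_binding(SAMPLE_AUTHN_REQUEST, layers_in)
        xml, layers = decode_saml_request(value)
        print(f"{label}: {len(value)} chars, {layers} URL-encoding layer(s), "
              f"round trip ok={xml == SAMPLE_AUTHN_REQUEST}")
```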


Re: [cas-user] Such a thing as illegal characters in entityID for SAML?

2022-10-06 Thread Mike Osterman
OK - update!

A co-worker much smarter than me did the research into the code, and found
that the SAML service ID was being processed through a regex.

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "*REDACTED*/metadata*\\*?Z3JvdXBJZD0yNTMxNQ==",

We've got plenty of CAS org.apereo.cas.services.RegexRegisteredService
services, but I had always assumed that
the org.apereo.cas.support.saml.services.SamlRegisteredService class was a
literal string. Guess that's not the case!

In any event, we escaped the "?" and we're off to the races!

-Mike

On Thu, Oct 6, 2022 at 12:10 PM Nate Klingenstein  wrote:

> Mike,
>
> That smells like a bug to me.  SAML allows for any valid URI, which that
> clearly is, and I've seen much worse registered and used successfully with
> SAMLtest.
>
> docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
>
> So, I think your theory is correct.
>
> Take care,
> Nate
>
> On Thu, Oct 6, 2022 at 1:03 PM Mike Osterman  wrote:
>
>> Hi all,
>>
>> We are running into an issue with a new SP, and despite turning on DEBUG
>> for both org.apereo.cas.services.AbstractServicesManager and
>> org.apereo.cas.support.saml.web.idp we can't find any hints for why this
>> is showing up in the logs:
>>
>> 2022-10-06 09:57:15,798 WARN
>> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
>> - <[*REDACTED*/metadata?Z3JvdXBJZD0yNTMxNQ==] is not found in the
>> registry or service access is denied. Ensure service is registered in
>> service registry>
>>
>> We've double and triple checked that the service is loading without error
>> and that the service ID in the JSON file (snippet below) matches the
>>
>> {
>>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId": "*REDACTED*/metadata?Z3JvdXBJZD0yNTMxNQ==",
>>
>> My current crackpot theory is that entityID/ServiceID having either a "?"
>> or a "=" in it is what's causing it not to be matching in the registry when
>> resolving the SAML request.
>>
>> Does anyone:
>>
>>- Have experience with this issue?
>>- Have other class paths to recommend to get debug info?
>>- Have any other troubleshooting steps to try?
>>
>> Thank you!
>> Mike
>>

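An added illustration, mine and not from the thread, of the behaviour Mike's co-worker found: an entityID containing "?" that is compiled as a pattern does not match itself, and regex-escaping it restores a literal match. The host is a placeholder; the query value is the one from the log line. Python's re stands in for java.util.regex here; in both, "?" and "." are metacharacters and "=" is not.

```python
import json
import re

# Constructed entityID in the shape the thread describes: the host is a
# placeholder, the query value is the one quoted in the WARN log line.
ENTITY_ID = "https://sp.example/metadata?Z3JvdXBJZD0yNTMxNQ=="


def matches_as_pattern(service_id: str, candidate: str) -> bool:
    """Compare the way a regex-backed service registry does: the serviceId is
    compiled as a pattern, not compared as a literal string. Anchored here with
    fullmatch; an unanchored search gives the same result for these inputs."""
    return re.fullmatch(service_id, candidate) is not None


def escaped_service_id(entity_id: str) -> str:
    """Escape the entityID so every character is literal: "?" and "." get a
    backslash, "=" is not a metacharacter and stays as it is."""
    return re.escape(entity_id)


def service_json_fragment(entity_id: str) -> str:
    """The serviceId as it must be written in the JSON service file: the regex
    backslash is itself escaped for JSON, giving the doubled-backslash form."""
    return json.dumps({"serviceId": escaped_service_id(entity_id)})


if __name__ == "__main__":
    # False: "a?" means an optional "a", so the literal "?" is never matched.
    print("raw entityID matches itself as a pattern:",
          matches_as_pattern(ENTITY_ID, ENTITY_ID))
    # True: every character is now literal.
    print("escaped pattern matches the entityID:   ",
          matches_as_pattern(escaped_service_id(ENTITY_ID), ENTITY_ID))
    print(service_json_fragment(ENTITY_ID))
```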


[cas-user] Such a thing as illegal characters in entityID for SAML?

2022-10-06 Thread Mike Osterman
Hi all,

We are running into an issue with a new SP, and despite turning on DEBUG
for both org.apereo.cas.services.AbstractServicesManager and
org.apereo.cas.support.saml.web.idp we can't find any hints for why this is
showing up in the logs:

2022-10-06 09:57:15,798 WARN
[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
- <[*REDACTED*/metadata?Z3JvdXBJZD0yNTMxNQ==] is not found in the registry
or service access is denied. Ensure service is registered in service
registry>

We've double and triple checked that the service is loading without error
and that the service ID in the JSON file (snippet below) matches the

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "*REDACTED*/metadata?Z3JvdXBJZD0yNTMxNQ==",

My current crackpot theory is that entityID/ServiceID having either a "?"
or a "=" in it is what's causing it not to be matching in the registry when
resolving the SAML request.

Does anyone:

   - Have experience with this issue?
   - Have other class paths to recommend to get debug info?
   - Have any other troubleshooting steps to try?

Thank you!
Mike



[cas-user] Duo Universal Prompt - ready to go?

2022-07-29 Thread Mike Osterman
So as not to co-opt Baron's "CAS 6.5 w/ Duo MFA, was MFA actually used?"
thread where Ray brings up Universal Prompt, I'm starting a new one.

I seem to remember a while back there were issues with CAS + Duo's
Universal Prompt. Is anyone using it successfully/happily in production, or
is it better to stay with the previous version of Duo for now? I
suspect that my Information Security Officer is about to ask me about it
again...

Thanks!
Mike



Re: [cas-user] CAS 6.5 w/ Duo MFA, was MFA actually used?

2022-07-29 Thread Mike Osterman
We are also non-mandatory MFA at present, and doing what Richard suggests.
If they are a memberOf the AD group in question, they are required to Duo,
regardless of service.

# Active Directory LDAP connection
cas.authn.attributeRepository.ldap[0].attributes.memberOf=mfaAttribute

cas.authn.mfa.globalPrincipalAttributeNameTriggers=mfaAttribute
# MFA Group
cas.authn.mfa.globalPrincipalAttributeValueRegex=CN=MFA,OU=Something,DC=school,DC=edu

On a side note, we've talked about limiting some services to only users
that are MFA'd (Apparently Transact will require if we want to use their
Mobile Credential smart phone NFC functionality) and are looking towards
service access strategies via the same group membership attribute:
https://apereo.github.io/cas/6.5.x/services/Configuring-Service-Access-Strategy.html

On Fri, Jul 29, 2022 at 1:46 PM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> How are you triggering MFA / Duo? You likely only want to trigger Duo on a
> local attribute and setup the integration to force Duo always. If you are
> leaving it up to Duo to decide if the user is enrolled and bypass if not,
> the old Duo Web integration couldn't tell you what happen, just that they
> got past Duo. 6.5 should be using the new OIDC method, and it was supposed
> to return back more detail so you could make security decisions. So
> something there isn't working?? Here's my writeup about the Duo Web
> integration problems:
> https://www.frovarp.dev/2019/03/24/ambiguous-response-in-duo-web/
>
> But in any event, I'd stick them in a group if they have to MFA and
> trigger Duo off of membership in that group, always enforcing MFA to happen
> on that integration.
>
> On 7/29/22 14:44, Baron Fujimoto wrote:
>
> We're currently using CAS 6.5 with Duo for MFA. While the MFA itself
> works, we're trying to find some way of determining whether MFA was
> actually used during a user's authentication.
>
> MFA is not mandatory for our users, and they must opt-in and enroll
> themselves with Duo. We can see that when a user authenticates, there is a
> set of promising CAS authentication attributes available. e.g.:
> - successfulAuthenticationHandlers: [DuoSecurityAuthenticationHandler]
> - credentialType: [DuoSecurityCredential]
> - authenticationMethod: [DuoSecurityAuthenticationHandler]
> - authnContextClass: [mfa-duo]
>
> However, these attributes appear to be assigned the same values
> whether the user is enrolled in Duo or not – and thus are presented
> with the MFA requirement during their login. Therefore, there doesn't
> appear to be anything in these attributes that allows us to distinguish
> whether MFA was actually invoked/required/used for the user's
> authentication.
>
> FWIW, this is how we're currently enabling MFA for CAS in cas.properties:
> cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
>
> We've looked at the available multifactor authentication triggers, but
> none of the attribute-based triggers seem appropriate since I think they
> rely on local information about the principal, and not something
> authoritative from Duo or about the actual CAS authentication flow that was
> used. Perhaps there's a way using the REST method with the Duo Auth API
> /enroll_status or /preauth endpoints, but that sounds kind of fraught (even
> if possible).
>
> Is there something else we may be overlooking that would help us achieve
> our goal?
> --
> Baron Fujimoto  ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

Re: [cas-user] Cannot open Apereo CAS version 5.3.x document

2022-04-23 Thread Mike Osterman
The 5.3.x documentation from that link is unfortunately broken, and has
been for several weeks. I had assumed it was intentional, but maybe it's in
error?

When I needed it a while back, I resorted to accessing the 5.3.16 tag here
and then typing the "." character (hats off to my co-worker Ocean Liu for
this tip) to bring up the web editor version to search the code for what I
was after: https://github.dev/apereo/cas/tree/v5.3.16

On Sat, Apr 23, 2022 at 1:36 PM William Jojo  wrote:

> Try https://apereo.github.io/cas/Older-Versions.html
>
> Sent from a device.
>
> On Apr 23, 2022, at 11:31 AM, '刘观良' via CAS Community 
> wrote:
>
> 
> Why can 5.3.x not be opened, while version 6.x and above can? I checked
> it two days ago, and it could be opened.
>
> 404 appears
> https://apereo.github.io/cas/5.3.x/index.html
>
> time now 2022-4-23 20:30:22
>



[cas-user] Resource: all-cas-properties.ref

2022-02-18 Thread Mike Osterman
Since I don't want to muddle the troubleshooting going on in the
"cas.properties reference" thread, I'm starting a new one.

I wanted to plug a reference that is an answer (Ray's technique is also
solid) that I've found very helpful from Initializr that Misagh writes
about here:
https://fawnoos.com/2020/11/14/cas63-cas-initializr/#properties--references

Specifically, the etc/cas/config/all-cas-properties.ref it produces. Unicon
showed this to us when helping us revise our properties to the new kebab
case, and it made the process much less painful.

-Mike



Re: [cas-user] Re: 6.1 put into production, CAS_AuthenticationException thrown.

2021-12-20 Thread Mike Osterman
Hi Rod,

Are you seeing that same ticket ID being issued to the service earlier on
in the logs?

Also, do test and production share identical cas properties settings (apart
from server name, that is)?

I found a small mention of the INVALID_TICKET message in the Troubleshooting
guide, and it links to ticket expiration policies:
https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticket-Expiration-Policy.html

There are some potentially helpful per service configuration settings you
could try to see if any of those settings move the needle.

What I read is that you'll get that message if the ticket doesn't exist or
it's expired, so you may want to try turning on DEBUG logging if you can
get the classpath(?) specific enough so as to not clobber the logs. Maybe
"org.apereo.cas.ticket" might be a good place to start to see if you can
see more about the cause of the invalid ticket?

Good luck!
Mike

On Mon, Dec 20, 2021 at 6:11 PM Rod  wrote:

> No. Sigh. DNS ruled out.
>
> It's so strange. Works fine in test but not in production.
>
> -Rod
>
> On Mon., Dec. 20, 2021, 12:08 p.m. Rod B,  wrote:
>
>> Please ignore this post, I think we had a DNS propagation issue.
>>
>> Thanks for your time,
>>
>> Rod
>>
>> On Monday, 20 December 2021 at 11:33:13 UTC-8 Rod B wrote:
>>
>>> P.S. we are running log4j2 2.17.0 on it. I should have mentioned that to
>>> set everyone's mind at ease!
>>>
>>> On Monday, 20 December 2021 at 11:31:51 UTC-8 Rod B wrote:
>>>
 Hi All,

 We are attempting to put our new 6.1 server (we can't move to 6.4.x
 for the moment) into production and came across an error from two of our
 WordPress sites- the strange thing is, we have tested them in staging and
 this error did not present itself.

 Any ideas what is afoot?


 http://lowresgradstudios.our-domain.ca/wp-login.php?redirect_to=http%3A%2F%2Flowresgradstudios.our-domain.ca%2Fwp-admin%2F=1=ST-90-aoVDVDJ3AOl-yrBGcQO0uUpHIR4-Furan

 CAS_AuthenticationException thrown


 CAS URL:
 https://cas.our-domain.ca/cas/serviceValidate?service=http%3A%2F%2Flowresgradstudios.our-domain.ca%2Fwp-login.php%3Fredirect_to%3Dhttp%253A%252F%252Flowresgradstudios.our-domain.ca%252Fwp-admin%252F%26reauth%3D1=ST-90-aoVDVDJ3AOl-yrBGcQO0uUpHIR4-Furan
 Authentication failure: Ticket not validated Reason: [INVALID_TICKET] CAS
 error: ticket 'ST-90-aoVDVDJ3AOl-yrBGcQO0uUpHIR4-Furan' not recognized CAS
 response: ticket 'ST-90-aoVDVDJ3AOl-yrBGcQO0uUpHIR4-Furan' not recognized

 I checked the time on both servers and they are in sync. I'm not sure
 what else to do.

 Thanks for your help!

 Rod




Re: [cas-user] log4j vulnerability

2021-12-10 Thread Mike Osterman
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in
the log4j2.xml config file might do the trick.

I'm guessing we'd do that somewhere here at the top?

[log4j2.xml snippet not preserved in the archive; only the property value /etc/cas/logs survives]
On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> Using a new enough version of the JDK might also alleviate it? The other
> option is to throw the config option at the JDK to stop it from happening.
> That would seem to be easiest.
>
> On 12/10/21 12:36 PM, King, Robert wrote:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>
>
>
> Has anyone attempted to mitigate this CVE yet?
>
>
>
> There seems to be two possible approaches to mitigation:
>
>
>
> 1. The sledgehammer approach of removing the JndiLookup.class from the jar
> files:
>
> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> 2. Rebuild CAS and set “log4jVersion=2.15.0”



Re: [cas-user] CAS 6.4.2 cas.google-apps.*key-* unsupported?

2021-11-24 Thread Mike Osterman
Oh! Apologies for misrepresenting that, Misagh. Thanks for chiming in!

On Wed, Nov 24, 2021 at 8:45 AM Misagh  wrote:

> On Wed, Nov 24, 2021 at 8:42 PM Rod  wrote:
>
>> Thanks Mike!
>>
>> I was hoping we would have a little more time with this feature.
>>
>
> You do. It's not removed.
>
> https://apereo.github.io/cas/6.4.x/integration/Google-Apps-Integration.html
>



Re: [cas-user] CAS 6.4.2 cas.google-apps.*key-* unsupported?

2021-11-23 Thread Mike Osterman
Hi Rod,

I believe that this functionality has been removed from CAS in 6.x forward,
and the only way to achieve SSO with Google Apps is via the CAS SAML2 IdP
feature. Richard Frovarp wrote an excellent blog post on how to accomplish
this:
https://www.frovarp.dev/2021/03/10/cas-configuration-for-g-suite/

-Mike

On Tue, Nov 23, 2021 at 4:49 PM Rod B  wrote:

> Hello,
> I mostly have CAS 6.4.2 up and running (I told you we'd get there), but
> I'm seeing in the Catalina.out log a concerning error:
>
> The use of configuration keys that are no longer supported was found in
> the environment:
>
>
> Property source
> 'bootstrapProperties-applicationProfilesCompositeProperties':
>
> Key: cas.google-apps.key-algorithm
>  Reason: none
>
> Key: cas.google-apps.private-key-location
> Reason: none
>
> Key: cas.google-apps.public-key-location
>  Reason: none
>
> I checked the guide and it's different from 6.1 but you use an
> implementation statement in build.gradle:
>  implementation
> "org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"
>
> And I'm supposing that the error is complaining about what's in
> cas.properties:
>
> cas.googleApps.publicKeyLocation=file:/etc/cas/keys/public.key
>
> cas.googleApps.keyAlgorithm=RSA
>
> cas.googleApps.privateKeyLocation=file:/etc/cas/keys/private.key
>
> What is the proper way to provide this information to CAS?
>
> Thanks for any help!
>
>
>
> Rod
>



[cas-user] Re: Sudden failure of certain SAML Services after system updates

2021-10-28 Thread Mike Osterman
Hi Jason,

Our root cause was the openjdk runtime update we received via our Oracle
Linux repo. I was able to roll back to the prior version to work around
this issue.

Good luck!
Mike

On Thu, Oct 28, 2021 at 7:55 AM Jason Cole  wrote:

> Mike-
>
> What was your ultimate resolution for this? We've experienced the same
> issue and are looking for ways around until we can update CAS.
>
> Thanks
> Jason
>
> On Monday, August 2, 2021 at 10:45:32 PM UTC-5 Mike Osterman wrote:
>
>> Hello,
>>
>> We have two SAML services on CAS 5.3.x (yes, I know we need to get to
>> 6.3.x STAT) that stopped working suddenly with behavior identical to this
>> thread:
>> https://groups.google.com/a/apereo.org/g/cas-user/c/fc_biQnh1l4
>>
>> The kicker is that we haven't rebuilt the cas.war file recently, and the
>> behavior only began happening very recently.
>>
>> One of the services maps the mail attribute to a SOAP schema:
>> "attributeReleasePolicy" : {
>>   "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>   "allowedAttributes" : {
>>     "@class" : "java.util.TreeMap",
>>     "sn" : "User.LastName",
>>     "givenName" : "User.FirstName",
>>     "mail" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>>   }
>> }
>> (note the : that others mentioned)
>>
>> And the other uses friendlyNames:
>> "attributeFriendlyNames": {
>> "@class": "java.util.HashMap",
>> "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
>> "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation"
>>   },
>>
>> Again, these have worked for several months, and the compiled CAS binary
>> hasn't changed in some time. The only thing that changed was the java
>> binary itself via system updates on July 23, which coincides with this in
>> the behavior beginning. It appears that this has somehow affected the
>> attribute encoding.
>>
>> Apart from rolling back the openjdk RPMs and cutting over to 6.3.x
>> spontaneously, does anyone have any ideas for workarounds for this
>> behavior?
>>
>> Thank you,
>> Mike
>>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHWqTTU0Y0aMtYMLbc2xY84SX1Z%3DU8gGTxM2LcvzYGKC4w%40mail.gmail.com


[cas-user] Sudden failure of certain SAML Services after system updates

2021-08-02 Thread Mike Osterman
Hello,

We have two SAML services on CAS 5.3.x (yes, I know we need to get to 6.3.x
STAT) that stopped working suddenly with behavior identical to this thread:
https://groups.google.com/a/apereo.org/g/cas-user/c/fc_biQnh1l4

The kicker is that we haven't rebuilt the cas.war file recently, and the
behavior only began happening very recently.

One of the services maps the mail attribute to a SOAP schema:
"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "sn" : "User.LastName",
    "givenName" : "User.FirstName",
    "mail" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}
(note the : that others mentioned)

And the other uses friendlyNames:
"attributeFriendlyNames": {
"@class": "java.util.HashMap",
"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation"
  },

Again, these have worked for several months, and the compiled CAS binary
hasn't changed in some time. The only thing that changed was the java
binary itself via system updates on July 23, which coincides with this in
the behavior beginning. It appears that this has somehow affected the
attribute encoding.

Apart from rolling back the openjdk RPMs and cutting over to 6.3.x
spontaneously, does anyone have any ideas for workarounds for this
behavior?

Thank you,
Mike

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHW9aOqhQN%2BS%2BGhq_YdUz-jAywxzOQvEYk_%3DOPG6ezRZbw%40mail.gmail.com


Re: [cas-user] How to release eduPersonTargetedID in correct format

2021-05-07 Thread Mike Osterman
Hi there,

I had this issue early on, and it turned out that my service registry was
not specifying the nameid format as persistent, but rather unspecified,
which was making it transient.

Here's a snippet from our service config for the requiredNameIdFormat
and usernameAttributeProvider properties:

"requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"usernameAttributeProvider" : {
  "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
  "usernameAttribute" : "eduPersonTargetedID",
  "canonicalizationMode" : "NONE"
}

-Mike

On Fri, May 7, 2021 at 9:37 AM Marcin Roman 
wrote:

> Hi, I could not manage to configure CAS to release eduPersonTargetedID in
> correct format.
> According to specs (
> https://www.switch.ch/aai/support/documents/attributes/edupersontargetedid/)
> eduPersonTargetedID should look like this:
>
>  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> 
>  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
> NameQualifier="https://sso.umk.pl/idp/shibboleth" SPNameQualifier="https://orcid.org/saml2/sp/1">S1yftf/VIwgXi4bclR5tdXB/VRE=
> 
> 
>
> This the way shibboleth releases it.
> However CAS releases eduPersonTargetedID in the following way:
>
>  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
> aALV+7l7KzaznzhyDsaBNgAdzSI=
> 
>
> Perhaps I misconfigured something?
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/337e9277-89c4-4fec-bf43-44e11d35e78dn%40apereo.org
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHWHOK5Ztw9n%3DzQRcuWwfQdQ8tgQOma5DxPp2NFQy9gUSQ%40mail.gmail.com


Re: [cas-user] gradle versions of dependency documentation?

2021-04-13 Thread Mike Osterman
Hi Baron,

I too am working on 5.x to 6.3.x and have been getting help from Unicon.

While I'm not sure if "compile" works, here's what I picked up from working
with them. Here are our dependencies:

implementation "org.apereo.cas:cas-server-webapp-init:${casServerVersion}"
implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-duo:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"

You can see where this starts in the base 6.3 build.gradle here on line 84:
https://github.com/apereo/cas-overlay-template/blob/6.3/build.gradle

It looks like a lot of this is covered in the README.md at the root of the
project:
https://github.com/apereo/cas-overlay-template/tree/6.3

Check out the "Adding Modules" section, which suggests:
dependencies {
implementation
"org.apereo.cas:cas-server-some-module:${project.casVersion}"
...
}

I'm not sure where the ${project.'cas.version'} syntax (slightly
different from above) comes from, but it has been working for our build.

Good luck!
Mike



On Tue, Apr 13, 2021 at 7:29 PM Baron Fujimoto  wrote:

> I'm working on upgrading our old cas 5.x to a current 6.3 version. For our
> old cas, we used maven and pom.xml for the war overlay and dependencies.
> Apparently that's been deprecated in favor of gradle, but it looks like the
> documentation still uses XML. For example:
>
> 
>
> I think it's equivalent should now go in the dependencies block of
> build.gradle, but it's not clear how to specify the gradle version of this
> dependency there based on that documentation.
>
> Based on this blog post, <
> https://apereo.github.io/2019/11/03/cas62-gettingstarted-overlay/>, it
> looks like:
>
> compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
>
> Does this format generally hold true for translating such dependencies?
> I.e.:
>
> compile ${groupId}:${artifactId}:${casServerVersion}
>
> FWIW, I'm finding it challenging to use the CAS documentation as a
> starting point for these tasks, since many things don't seem to be included
> (e.g., without that blog post, I wouldn't have known about running "gradlew
> clean" to set gradle up, or even about gradlew itself, for that matter).
> Unless I missed it, I don't see any clear connection between these
> necessary steps.
> --
> Baron Fujimoto  :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0Nj-DGE_5Jn7mgfXbu1w83f9eqfW95ncd3TB17XdN1pQ%40mail.gmail.com
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHXr%2BZQ41cpyWoyPoqH%3DwxHRU9Smu7aO%2BoVzR7pOyRryJQ%40mail.gmail.com


Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3

2021-04-13 Thread Mike Osterman
I'm also a little surprised that the metadata url above is throwing an
exception. My understanding is that if your SP metadata is based on a URL,
it has to return metadata XML. I suppose there could be some form of ACLs
at the SP level that is causing me to get an error when trying to access
https://regent-team.myfreshworks.com/sp/SAML/26912657608931/metadata, but
that seems worth looking at as well.

-Mike

On Tue, Apr 13, 2021 at 8:31 AM Ray Bon  wrote:

> Keith,
>
> What is the value of the Issuer in the authentication request?
>
> It should be the same as the entityId in the metadata.
>
> Ray
>
> On Mon, 2021-04-12 at 20:41 +, Keith Alston (Staff) wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> replaced the serviceid with the entityid from the sp metadata
>
> which is:
>
> https://regent-team.myfreshworks.com/sp/SAML/26912657608931/metadata
> yes, this is the entityid in the sp metadata!
>
> now I'm getting this:
>
> 2021-04-12 16:27:27,481 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service [https://regent-team.myfreshworks.com/sp/SAML/26912657608931/callback] is not found in service registry.>
> 2021-04-12 16:27:27,481 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] -  [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@2262e7de in state 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause [org.apereo.cas.services.UnauthorizedServiceException: Service Management: missing service. Service [https://regent-team.myfreshworks.com/sp/SAML/26912657608931/callback] is not found in service registry.]>
> 2021-04-12 16:27:27,481 DEBUG [org.springframework.webflow.engine.support.TransitionExecutingFlowExecutionExceptionHandler] -  exception org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@2262e7de in state 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'>
>
>
> Keith Alston
> Regent University
> IT Department
> keit...@regent.edu
> 757.352.4081
> --
> From: cas-user@apereo.org on behalf of Trenton Adams
> Sent: Monday, April 12, 2021 2:56 PM
> To: cas-user@apereo.org
> Subject: [External] Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3
>
>
> Oops, I had meant to paste this.  This should allow anything with
> domain.com and prefix regent-team.myfresh to authenticate against your
> CAS server.
>
> ^(https|http):\/\/regent-team\.myfresh.*domain\.com(:[0-9]{1,5})?\/.*$"
>
>
>
> From: on behalf of Trenton Adams <tre...@athabascau.ca>
> Reply-To: "cas-user@apereo.org"
> Date: Monday, April 12, 2021 at 12:53 PM
> To: "cas-user@apereo.org"
> Subject: Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3
>
>
>
> I’m pretty sure the serviceId is supposed to be a regular expression, no?
> * after an ‘h’ means repeat the ‘h’.  Put ‘.*’ and you’ll repeat anything,
> but that wouldn’t be what you want either, as that would allow any domain
> with a DNS prefix of ‘regent-team.myfresh’, to authenticate against your
> CAS instance.
>
>
>
> From: on behalf of "Keith Alston (Staff)" <keit...@regent.edu>
> Reply-To: "cas-user@apereo.org"
> Date: Monday, April 12, 2021 at 12:46 PM
> To: "cas-user@apereo.org"
> Subject: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3
>
>
>
>
>
> Any ideas on what might be going on here?
>
> I get the "Application Not Authorized to Use CAS" page when redirected to
> CAS.
>
>
>
> 2021-04-12 14:21:32,474 WARN [org.apereo.cas.services.web.RegisteredServiceThemeResolver] - <No registered service is found to match [AbstractWebApplicationService(id=https://regent-team.myfreshworks.com/sp/SAML/269126576089314274/callback, originalUrl=https://regent-team.myfreshworks.com/sp/SAML/26912657608931/callback, artifactId=null, principal=null, source=AssertionConsumerServiceURL, loggedOutAlready=true, format=XML, attributes={})] or access is denied. Using default theme [cas-theme-default]>
>
>
>
>
>
> here's my service file:
>
>
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "^(https|http)://regent-team.myfresh*",
>   "name" : "freshregistrar",
>   "id" : 1608070210,
>   
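
To see how a serviceId pattern of the shape discussed in this thread behaves, here is an added example (not code from the thread or from the CAS project) that audits a pattern against URLs it must accept and must reject. It assumes the registry applies the pattern as an unanchored search, as java.util.regex find() would, so `^` and `$` have to be written into the pattern; apart from the quoted callback URL the test URLs are constructed, and TIGHT is a hypothetical anchored alternative rather than something the thread proposes.

```python
"""Audit a CAS serviceId regex against URLs it must accept and must reject.

Added example, not code from the cas-user thread or the CAS project.
Python's re module stands in for java.util.regex; the pattern is applied as
an unanchored search (an assumption about how the registry matches), which
is why '^' and '$' must be part of the pattern itself.
"""
import re

# Constructed test inputs. The first allowed URL is the SP callback URL
# quoted in the thread; every other host name is made up for the test.
SHOULD_MATCH = (
    "https://regent-team.myfreshworks.com/sp/SAML/26912657608931/callback",
    "https://regent-team.myfreshworks.com:443/sp/SAML/26912657608931/callback",
)
SHOULD_NOT_MATCH = (
    # host merely starts with the expected name
    "https://regent-team.myfreshworks.com.example.net/sp/SAML/1/callback",
    # expected name sits in the userinfo part; the real host is another one
    "https://regent-team.myfreshworks.com@example.net/sp/SAML/1/callback",
    # any DNS name beginning with 'regent-team.myfresh' (the risk named above)
    "https://regent-team.myfresh.example.net/sp/SAML/1/callback",
    # an unescaped '.' in the pattern also matches any single character
    "https://regent-teamXmyfreshworks.com/sp/SAML/1/callback",
    # plain http is rarely wanted for an SSO callback
    "http://regent-team.myfreshworks.com/sp/SAML/1/callback",
)

# The '.*' variant of the thread's serviceId: matches the real SP, but
# every host that starts with 'regent-team.myfresh' as well.
LOOSE = r"^(https|http)://regent-team.myfresh.*"

# Hypothetical anchored alternative: https only, every '.' escaped, an
# optional port, and a '/' right after the host so the host name can be
# neither extended nor demoted to a userinfo part. A bare host with no
# trailing '/' is rejected by design.
TIGHT = r"^https://regent-team\.myfreshworks\.com(:[0-9]{1,5})?/.*$"


def matches(pattern: str, url: str) -> bool:
    """True if PATTERN matches URL under unanchored search semantics."""
    return re.search(pattern, url) is not None


def audit_pattern(pattern: str, should_match, should_not_match):
    """Return (missed, leaked).

    missed: URLs that should be allowed but are not matched.
    leaked: URLs that should be rejected but are matched, i.e. the
            over-broad registration the thread warns about.
    A pattern is fit for purpose only when both tuples are empty.
    """
    missed = tuple(u for u in should_match if not matches(pattern, u))
    leaked = tuple(u for u in should_not_match if matches(pattern, u))
    return missed, leaked


def is_fit(pattern: str, should_match, should_not_match) -> bool:
    """Convenience wrapper: no misses and no leaks."""
    missed, leaked = audit_pattern(pattern, should_match, should_not_match)
    return not missed and not leaked


if __name__ == "__main__":
    for name, pattern in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        missed, leaked = audit_pattern(pattern, SHOULD_MATCH, SHOULD_NOT_MATCH)
        print(f"{name}: {pattern}")
        for url in missed:
            print("  MISSED ", url)
        for url in leaked:
            print("  LEAKED ", url)
        print("  fit for purpose:", not missed and not leaked)
```

Extend SHOULD_NOT_MATCH with the hosts your own institution cannot vouch for before trusting a pattern.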

Re: [cas-user] SAML to CAS but no SAML response after authentication

2021-04-12 Thread Mike Osterman
If I'm reading your message correctly about the SP displaying an exception,
you might also want to ask the SP to check their logs as well. I've had
cases where I did everything I could to debug on my end, and it ended up
that the SP had misconfigured our IdP registration on their end.

Good luck!
Mike

On Mon, Apr 12, 2021 at 2:11 PM Ray Bon  wrote:

> Keith,
>
> Check your cas logs, perhaps on debug, to see why it did not generate a
> SAML response.
>
> Ray
>
> On Mon, 2021-04-12 at 20:57 +, Keith Alston (Staff) wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> I've configured a SAML 2.0 service using CAS 5.3.
>
> Using SAML trace I see a SAML request to CAS,
> I get the login page, authenticate successfully
> I'm redirected but I never see a SAML response to the SP.
> "Error in processing saml response" at the SP.
>
> Does anyone have any idea why this might be happening?
>
> Keith Alston
> Regent University
> IT Department
> keit...@regent.edu
> 757.352.4081
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b73f2af4633c43736af6697f61bcfd3e46d2b300.camel%40uvic.ca
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHWysnqweuyh9GK1mcL%2BO0b0AeVaSW1PQYK%2BbOVJd7dBEw%40mail.gmail.com


Re: [cas-user] InCommon and NIH changes

2021-03-11 Thread Mike Osterman
Score! Looks like another blog that I need to be following. :) That MFA
REFEDS post looks exactly like what was being discussed at yesterday’s
office hours webinar.

Good catch on the REFEDS Assurance profiles. I got the gist of what it was
being discussed, but the requirements seemed a little unclear. Makes sense,
as it sounds like the requirement compliance date has been announced, but
the details are still being sorted out.

I’m still thinking we’ll switch our InCommon federation to CAS, largely for
the operational efficiency (we’re a small school) and the reduced
complexity of running a single SAML IdP, and at present, we only have one
vendor that requires InCommon. If others have gone the consolidation route
by using CAS as their InCommon SAML IdP, I’d welcome any feedback on how
that has gone for you on or off list.

Thank you,
Mike

On Thu, Mar 11, 2021 at 7:44 AM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> I'm running my InCommon membership through Shibboleth, so I'm not looking
> for a CAS solution. However, here is what I know:
>
> 1) R is documented as you point out. If you are going to provide REFEDS
> R to REFEDS R SPs, you probably want to go into the InCommon Federation
> Manager and assert that you are a R IdP. I would also suggest you review
> your error URL, and see if you can be SIRTFI compliant, as those are
> baseline v2 requirements. Separate from NIH, but while you are in there.
>
> 2) Parts of the NIH are also going to want assurance attributes based on
> the REFEDS Assurance profiles. Once you know which assurance values you can
> assert, they are just attributes that you return to the SP, like any other
> attribute.
>
> 3) MFA will come in the form of REFEDS MFA. I found this from a couple of
> months ago that looks promising given that Misagh wrote it:
> https://fawnoos.com/2020/12/07/cas63x-saml2-mfa-refeds-duo/
>
> On Wed, 2021-03-10 at 15:19 -0800, Mike Osterman wrote:
>
> For those that are using CAS SAML IdP as their InCommon IdP (we are almost
> there but haven't made the switch), there are some upcoming requirements
> (September 21, 2021) for users of electronic Research Administration (eRA):
> https://incommon.org/news/nih-application-to-require-multi-factor-authentication/
>
> The REFEDS Research & Scholarship attributes support seems well-documented:
>
> https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Attribute-Release.html#refeds-research-and-scholarship
>
> The thing that I can't find in the docs is how to express the referenced
> MFA Authentication Context:
> https://refeds.org/profile/mfa
>
> We've implemented Duo, so I'm guessing that flow would be where we would
> trigger this, but again, don't find in the docs how to trigger this or if
> it's even supported by CAS's SAML IdP.
>
> I think I saw a couple names of frequent cas-user participants on the
> office hours webinar today, so I expect others are looking at this as well.
>
> Thanks,
> Mike
>
>
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d1b141b9362d3bb665a031ed87bab1f94c1e57db.camel%40ndsu.edu
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHVqA1h6Yxgpu%2BUxN_KHHJTfum%2BXnr_ar2p%2BhY8OJCCGXg%40mail.gmail.com


Re: [cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread Mike Osterman
This is perfect - thank you, Richard! We do have SAML2 IdP already set and
have several services configured for it. As you say, the setup is not at
all obvious.

Thanks as well for the pointer on the test Google Workspace account! That
was a revelation to me, as I remember asking several years back and getting
nowhere. It's now well-documented here:
https://support.google.com/a/answer/6254870

Cheers!
Mike

On Wed, Mar 10, 2021 at 3:36 PM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> Here's what I figured out to get it done:
>
> https://www.frovarp.dev/2021/03/10/cas-configuration-for-g-suite/
>
> Everything I have in there assumes that CAS is already setup as a SAML 2
> IdP, and that you have a slight idea as to how to configure a service for a
> SAML 2 SP. It really is no different than any other SAML 2 SP. It's just
> that they don't make the values you need to know to setup the metadata
> known anywhere obvious.
>
> Depending on what version you are on, the legacy method might be
> supported, but it will get in the way of normal SAML 2 IdP operations.
>
> On Wed, 2021-03-10 at 14:54 -0800, Mike Osterman wrote:
>
> Thanks, Richard!
>
> On Wed, Mar 10, 2021 at 2:40 PM 'Richard Frovarp' via CAS Community <
> cas-user@apereo.org> wrote:
>
> Get a test instance. It's pretty easy to do. Takes a little bit, but easy
> to do. You really only need one or two users in it to test anyway.
>
> There is a previous post on this list on how to do it the new way. I have
> internal documentation that I can turn into external documentation tonight
> and post the link back here.
>
> On Wed, 2021-03-10 at 13:58 -0800, Mike Osterman wrote:
>
> We're looking to migrate from the now legacy (from a supported versions
> perspective) Google Apps Integration (
> https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html)
> to a generic SAML2 service configuration.
>
> Our current service config is very sparse:
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://www.google.com/a/.yyy/acs",
>   "name" : "Google Apps",
>   "id" : 123,
>   "evaluationOrder" : 123
> }
>
> I'm wondering if someone's already made the switch to SAML2
> (org.apereo.cas.support.saml.services.SamlRegisteredService) and is willing
> to share a sample service configuration? We don't have a test instance of
> Google Apps, and I'm a little nervous about fiddling with our production
> service, especially given the sparseness of the 3rd party IdP config
> interface in Apps Admin and Google's habit of stating that changes in the
> admin may take up to XX hours.
>
> Thank you,
> Mike
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/72239eb0f457422aa3628bc16dfbb05b74620fa7.camel%40ndsu.edu
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8139aace723572273094f72afe700254b71ae5c2.camel%40ndsu.edu
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHU4GB1UUpD7MvTDoL2onNsi0Ohztz7ujJpG-nF2vCVTOQ%40mail.gmail.com


[cas-user] InCommon and NIH changes

2021-03-10 Thread Mike Osterman
For those that are using CAS SAML IdP as their InCommon IdP (we are almost
there but haven't made the switch), there are some upcoming requirements
(September 21, 2021) for users of electronic Research Administration (eRA):
https://incommon.org/news/nih-application-to-require-multi-factor-authentication/

The REFEDS Research & Scholarship attributes support seems well-documented:
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Attribute-Release.html#refeds-research-and-scholarship

The thing that I can't find in the docs is how to express the referenced
MFA Authentication Context:
https://refeds.org/profile/mfa

We've implemented Duo, so I'm guessing that flow would be where we would
trigger this, but again, don't find in the docs how to trigger this or if
it's even supported by CAS's SAML IdP.

I think I saw a couple names of frequent cas-user participants on the
office hours webinar today, so I expect others are looking at this as well.

Thanks,
Mike

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHWyBCCRZcHamWjp%3Dwo00zOEw6eRta0UNi5-q%2Bdoq5Pnvw%40mail.gmail.com


Re: [cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread Mike Osterman
Thanks, Richard!

On Wed, Mar 10, 2021 at 2:40 PM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> Get a test instance. It's pretty easy to do. Takes a little bit, but easy
> to do. You really only need one or two users in it to test anyway.
>
> There is a previous post on this list on how to do it the new way. I have
> internal documentation that I can turn into external documentation tonight
> and post the link back here.
>
> On Wed, 2021-03-10 at 13:58 -0800, Mike Osterman wrote:
>
> We're looking to migrate from the now legacy (from a supported versions
> perspective) Google Apps Integration (
> https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html)
> to a generic SAML2 service configuration.
>
> Our current service config is very sparse:
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://www.google.com/a/.yyy/acs",
>   "name" : "Google Apps",
>   "id" : 123,
>   "evaluationOrder" : 123
> }
>
> I'm wondering if someone's already made the switch to SAML2
> (org.apereo.cas.support.saml.services.SamlRegisteredService) and is willing
> to share a sample service configuration? We don't have a test instance of
> Google Apps, and I'm a little nervous about fiddling with our production
> service, especially given the sparseness of the 3rd party IdP config
> interface in Apps Admin and Google's habit of stating that changes in the
> admin may take up to XX hours.
>
> Thank you,
> Mike
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/72239eb0f457422aa3628bc16dfbb05b74620fa7.camel%40ndsu.edu
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHXMmSTkjP%3DNF3yH_O20%3DehvEMXKJRkj3-sKqqv5jNX2-g%40mail.gmail.com


[cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread Mike Osterman
We're looking to migrate from the now legacy (from a supported versions
perspective) Google Apps Integration (
https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html)
to a generic SAML2 service configuration.

Our current service config is very sparse:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://www.google.com/a/.yyy/acs",
  "name" : "Google Apps",
  "id" : 123,
  "evaluationOrder" : 123
}

I'm wondering if someone's already made the switch to SAML2
(org.apereo.cas.support.saml.services.SamlRegisteredService) and is willing
to share a sample service configuration? We don't have a test instance of
Google Apps, and I'm a little nervous about fiddling with our production
service, especially given the sparseness of the 3rd party IdP config
interface in Apps Admin and Google's habit of stating that changes in the
admin may take up to XX hours.

Thank you,
Mike



Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread Mike Osterman
Thanks, Ray, I'll look in my logs again.

On Fri, Mar 5, 2021 at 2:17 PM Ray Bon  wrote:

> Bill, Mike,
>
> The combination of timeToKillInSeconds and maxTimeToLiveInSeconds provides
> a sliding window for TGT lifetime. Every request for a ST (or PT) will
> extend the life of the TGT by timeToKillInSeconds up
> to maxTimeToLiveInSeconds.
> So, since Canvas is not using a proxy request, and does not have a hidden
> iFrame, it must be probing Cas near its session end (as Misagh mentioned).
> [Could javascript be used to probe Cas?]
> One could look at the cas logs to see the request(s).
> I set my local with very short TGT life time to test repeated login and
> ticket expiry behaviour (this would not be practical in production):
>
> cas.ticket.tgt.maxTimeToLiveInSeconds=300
> cas.ticket.tgt.timeToKillInSeconds=120
>
> Ray
>
> On Fri, 2021-03-05 at 12:41 -0800, Mike Osterman wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hi Bill,
>
> I was dealing with people getting logged out of Canvas frequently, and ended
> up changing a couple config properties. I had our CSM team set the
> Canvas-side timeout really high, but it didn't work. There's something
> unusual about the way the Canvas application interacts with CAS protocol. I
> had checked for callbacks from the Instructure servers, but it really does
> seem to be managing the session after the initial SSO flow. By the way, do
> you use a Discovery URL? That's when our session behavior seemed to change,
> but it may just be correlation rather than causation.
>
> I eventually set two properties and got it to behave as expected, but
> never figured out which one did the trick:
>
> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds:
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#timeout
> AND
> server.session.timeout:
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#web-application-session
>
> It sounds like you've found that it was the first one, so I wanted to
> corroborate that for you.
>
> I just ended up setting these properties server-wide in cas.properties,
> which isn't ideal, because you have a single service dictating timeout
> behavior for all services using CAS.
>
> I've also considered switching over to using CAS's SAML2 IdP functionality
> for Canvas, but need to wait for an appropriate time to make that change.
>
> Finally, so as not to hijack the thread and keep the proxy ticket service
> configuration comment from Ray alive, I think this is how the service would
> be configured for it:
>
> https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Proxy-Policy.html
>
> I did look for server-side traffic from Canvas as Ray suggested, but
> didn't find any as mentioned above. I just checked for an iFrame, which
> would be client-side traffic, but didn't see anything in the Network tab of
> developer tools.
>
> -Mike
>
>
>
> On Fri, Mar 5, 2021 at 12:01 PM Bill Scully  wrote:
>
> Hi Ray,
>
> Another possibility, Canvas is using a proxy ticket.
> Does your service definition allow proxying?
>
>
> I would say, no.  It's pretty straightforward:
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://[omitted]/.*",
>   "name" : "Canvas",
>   "id" : [omitted],
>   "evaluationOrder" : [omitted]
> }
>
> I looked at what I think covers proxy ticketing (
> https://apereo.github.io/cas/5.2.x/installation/Configuring-Ticket-Expiration-Policy.html#proxy-ticket-policies),
> but didn't see how to configure.
>
> Any example I could try?
>
> Thanks.
>
> Bill
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>



Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread Mike Osterman
Hi Bill,

I was dealing with people getting logged out of Canvas frequently, and ended
up changing a couple config properties. I had our CSM team set the
Canvas-side timeout really high, but it didn't work. There's something
unusual about the way the Canvas application interacts with CAS protocol. I
had checked for callbacks from the Instructure servers, but it really does
seem to be managing the session after the initial SSO flow. By the way, do
you use a Discovery URL? That's when our session behavior seemed to change,
but it may just be correlation rather than causation.

I eventually set two properties and got it to behave as expected, but never
figured out which one did the trick:

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds:
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#timeout
AND
server.session.timeout:
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#web-application-session

It sounds like you've found that it was the first one, so I wanted to
corroborate that for you.

I just ended up setting these properties server-wide in cas.properties,
which isn't ideal, because you have a single service dictating timeout
behavior for all services using CAS.

I've also considered switching over to using CAS's SAML2 IdP functionality
for Canvas, but need to wait for an appropriate time to make that change.

Finally, so as not to hijack the thread and keep the proxy ticket service
configuration comment from Ray alive, I think this is how the service would
be configured for it:
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Proxy-Policy.html

I did look for server-side traffic from Canvas as Ray suggested, but didn't
find any as mentioned above. I just checked for an iFrame, which would be
client-side traffic, but didn't see anything in the Network tab of
developer tools.

-Mike



On Fri, Mar 5, 2021 at 12:01 PM Bill Scully  wrote:

> Hi Ray,
>
> Another possibility, Canvas is using a proxy ticket.
>> Does your service definition allow proxying?
>>
>
> I would say, no.  It's pretty straightforward:
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://[omitted]/.*",
>   "name" : "Canvas",
>   "id" : [omitted],
>   "evaluationOrder" : [omitted]
> }
>
> I looked at what I think covers proxy ticketing (
> https://apereo.github.io/cas/5.2.x/installation/Configuring-Ticket-Expiration-Policy.html#proxy-ticket-policies),
> but didn't see how to configure.
>
> Any example I could try?
>
> Thanks.
>
> Bill
>



Re: [cas-user] Shibboleth and CAS

2020-11-13 Thread Mike Osterman
Hi Nathan,

I highly expect that #2 is why it's not yet working. Java, by default,
never lets go of a DNS resolution record until the application restarts.
You have to pass an argument at startup of your CAS application to indicate
an expiry TTL.

I did this recently on our CAS server when we did some work with our
Active Directory that provides group membership and needed it to get a
new IP address for the AD LDAP server(s).

-Mike

On Fri, Nov 13, 2020 at 11:18 AM Nathan Lewan  wrote:

> very interesting, thanks!
>
> so I tried to do a reverse dns lookup on the entity host based on the
> shibboleth entityid's hostname, and came up with no record.
>
> they are not being super helpful with me, so I tried to cheat. I just
> added a reverse lookup zone on the dns server that CAS talks to, and added
> the entry in there as a test. It did not seem to help, but:
>
> 1. I don't know if a cheat like that would actually work (this is just
> temporary, proof of concept, no way would I leave it like that in
> production)
> 2. I have not restarted CAS. I did do a dig -x on the CAS host, and it
> successfully reverse-resolved the IP of the entity server
>
> thanks very much for the quick response, I have a lead which feels very
> good!
>
>
>
> On Fri, Nov 13, 2020 at 1:30 PM David Curry 
> wrote:
>
>> We just ran into this recently with an older version of CAS (5.2.9).
>>
>> CAS populates the SubjectLocality by doing a reverse DNS lookup on the IP
>> address of the entity that's calling it (the application the user is trying
>> to log into). If the DNS lookup fails, then it doesn't put anything in
>> there, which makes Shibboleth very unhappy.
>>
>> In our case, the fix was to get the company running the application that
>> was calling CAS to register DNS entries for their IP addresses. All of a
>> sudden everything started working.
>>
>> --Dave
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david.cu...@newschool.edu
>>
>>
>> On Fri, Nov 13, 2020 at 1:12 PM Nathan Lewan 
>> wrote:
>>
>>> hello!
>>>
>>> I am trying to get CAS 6.1.0 to integrate with a SP that uses shibboleth.
>>>
>>> I appear to have everything in place, however they are requiring my
>>> responses to have in the *AuthnStatement* a *SubjectLocality* entry.
>>>
>>> It is currently empty in all my responses. Here's what it looks like:
>>>
>>> >> >
>>> **
>>> 
>>> 
>>>
>>> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>>> 
>>> 
>>> 
>>>
>>> As you can see, it's blank, and I have no idea how to get it populated!
>>> Any hints would be appreciated. Looking for info on this, you can find
>>> much related to shibboleth, but I have not found anything on how one could
>>> get CAS to populate this.
>>>
>>> thanks!
>>>
>>>

[cas-user] Re: [cas-dev] Release Announcement: CAS Security Patches

2020-10-15 Thread Mike Osterman
Thanks, Jérôme!

Based on the opening statement of "affects the handling of secret keys with
Google Authenticator for multifactor authentication" is it safe to assume
that this only affects CAS implementations that use Google Authenticator
for MFA (as opposed to Duo or another MFA implementation)?

Thank you,
Mike

On Thu, Oct 15, 2020 at 2:32 AM Jérôme LELEU  wrote:

> Hi,
>
> Please see: https://apereo.github.io/2020/10/14/gauthvuln/
> Thanks.
> Best regards,
> Jérôme
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Developer" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-dev+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-dev/CAP279Lw1zqtJP90kD-6ibeFCf4qJMZvLSjsWOBicp11cA9EchQ%40mail.gmail.com
> 
> .
>



Re: [cas-user] SAML2.0 deployment

2020-08-31 Thread Mike Osterman
Hi Umut,

I looked at our Zoom configuration with our 5.3.x CAS IdP, and this sounds
like it might be a question of a couple Zoom SSO properties. Here's what we
have in our Zoom SSO config:

Sign-in page URL: {REPLACE-WITH-CAS-BASE-URL}/idp/profile/SAML2/Redirect/SSO

(this is also the "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
binding URL in your SAML metadata)

Binding: HTTP-Redirect

Try that and see if you make it any further!


On Mon, Aug 31, 2020 at 8:42 AM Umut Arus  wrote:

> Hi,
>
> I am having an initial setup issue with CAS SAML2.0 deployment. I couldn't
> authenticate account successfully yet.
>
> Getting the below error:
>
> 2020-08-31 16:10:36,575 INFO
> [org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor]
> - 
> 2020-08-31 16:10:36,576 ERROR
> [org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder] -  did not contain either a SAMLRequest or SAMLResponse paramter.  Invalid
> request for SAML 2 HTTP POST binding.>
>
> Config or deployment problem? Have you any suggestion?
>
> Regards.
>
>
> --
> *UMUT ARUS*
> SİSTEM SORUMLUSU
> SYSTEM SPECIALIST
> --
> Sabancı Üniversitesi
> Üniversite Caddesi No:27
> 34956 Orta Mahalle, Tuzla – İstanbul
> *T*   0 216 483 91 72
> *F*   0 216 483 91 86
> * www.sabanciuniv.edu * 
>



Re: [cas-user] Any CAS + Canvas schools having problems with frequent Canvas session timeouts?

2020-08-24 Thread Mike Osterman
Thanks, Ray! I appreciate the pointer. It's nice to have another lead to
chase down.

On Mon, Aug 24, 2020 at 9:41 AM Ray Bon  wrote:

> Mike,
>
> This sounds like a proxy failure. The user successfully logs in, but when
> a proxy ticket is required, there is a failure and the user is returned to
> the log in page (am I understanding correctly?).
>
> Check your access logs for Canvas and cas to see if communication is
> successful when a PT is needed.
> You can use the below to get some logging from cas:
>
> [logger configuration not preserved by the archive; only a fragment survived:]
>  level="error" />
>
> Ray
>
> On Fri, 2020-08-21 at 19:43 -0700, Mike Osterman wrote:
>
> Disclaimer: I know this is a CAS list, not a Canvas list, but the
> combination of the two is having issues, and I've run out of road working
> with Instructure support.
>
> Late last semester, we started experiencing issues where Canvas users were
> getting logged out frequently. I believe it started around the time that we
> switched Canvas from CAS 3.x to our CAS 5.3.x IdP. We also made the switch
> from defaulting login to CAS for all users, where external "guest" accounts
> had to know the native Canvas account login URL, to the Discovery page
> setup, where users are presented with Door #1 (Institutional SSO) and Door
> #2 (native Canvas accounts).
>
> I worked with Instructure support, and they insisted that the cause was
> our CAS server, which doesn't track with the pattern I see with most
> CASified applications: app redirect to CAS to authenticate and get returned
> some attributes, but upon successful login flow, the app manages its own
> internal session state and timeout.
>
> That said, in testing out a different CAS IdP implementation with Canvas
> provided by Technolutions in the Slate platform, I learned that the CAS
> client that Canvas uses only uses proxyValidate. (The Slate IdP only
> supports /serviceValidate). I'm not sure this is in any way related, but
> it's another data point.
>
> Finally, we had Instructure hard-code our Canvas application session
> timeout to 8 hours, which has had zero impact on the short session timeouts
> in CAS.
>
> Has anyone else dealt with this issue with CAS + Canvas, and better still,
> solved it?
>
> Thanks for any and all pointers, suggestions, etc.
>
> -Mike
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>



[cas-user] Re: Any CAS + Canvas schools having problems with frequent Canvas session timeouts?

2020-08-21 Thread Mike Osterman
Thanks, Elijah! I did wonder if I ought to switch to SAML instead. Are you
using a Discovery URL as well?

On Fri, Aug 21, 2020 at 8:25 PM Elijah Gagne 
wrote:

> Just as another data point, we're using CAS 6.1.7 using a SAML integration
> with Canvas. We don't have any session timeout issues.
> Regards,
> EWG
>
> On Friday, August 21, 2020 at 10:43:23 PM UTC-4 Mike Osterman wrote:
>
>> Disclaimer: I know this is a CAS list, not a Canvas list, but the
>> combination of the two is having issues, and I've run out of road working
>> with Instructure support.
>>
>> Late last semester, we started experiencing issues where Canvas users
>> were getting logged out frequently. I believe it started around the time
>> that we switched Canvas from CAS 3.x to our CAS 5.3.x IdP. We also made the
>> switch from defaulting login to CAS for all users, where external "guest"
>> accounts had to know the native Canvas account login URL, to the Discovery
>> page setup, where users are presented with Door #1 (Institutional SSO) and
>> Door #2 (native Canvas accounts).
>>
>> I worked with Instructure support, and they insisted that the cause was
>> our CAS server, which doesn't track with the pattern I see with most
>> CASified applications: app redirect to CAS to authenticate and get returned
>> some attributes, but upon successful login flow, the app manages its own
>> internal session state and timeout.
>>
>> That said, in testing out a different CAS IdP implementation with Canvas
>> provided by Technolutions in the Slate platform, I learned that the CAS
>> client that Canvas uses only uses proxyValidate. (The Slate IdP only
>> supports /serviceValidate). I'm not sure this is in any way related, but
>> it's another data point.
>>
>> Finally, we had Instructure hard-code our Canvas application session
>> timeout to 8 hours, which has had zero impact on the short session timeouts
>> in CAS.
>>
>> Has anyone else dealt with this issue with CAS + Canvas, and better
>> still, solved it?
>>
>> Thanks for any and all pointers, suggestions, etc.
>>
>> -Mike
>>
>



[cas-user] Any CAS + Canvas schools having problems with frequent Canvas session timeouts?

2020-08-21 Thread Mike Osterman
Disclaimer: I know this is a CAS list, not a Canvas list, but the
combination of the two is having issues, and I've run out of road working
with Instructure support.

Late last semester, we started experiencing issues where Canvas users were
getting logged out frequently. I believe it started around the time that we
switched Canvas from CAS 3.x to our CAS 5.3.x IdP. We also made the switch
from defaulting login to CAS for all users, where external "guest" accounts
had to know the native Canvas account login URL, to the Discovery page
setup, where users are presented with Door #1 (Institutional SSO) and Door
#2 (native Canvas accounts).

I worked with Instructure support, and they insisted that the cause was our
CAS server, which doesn't track with the pattern I see with most CASified
applications: app redirect to CAS to authenticate and get returned some
attributes, but upon successful login flow, the app manages its own
internal session state and timeout.

That said, in testing out a different CAS IdP implementation with Canvas
provided by Technolutions in the Slate platform, I learned that the CAS
client that Canvas uses only uses proxyValidate. (The Slate IdP only
supports /serviceValidate). I'm not sure this is in any way related, but
it's another data point.

Finally, we had Instructure hard-code our Canvas application session
timeout to 8 hours, which has had zero impact on the short session timeouts
in CAS.

Has anyone else dealt with this issue with CAS + Canvas, and better still,
solved it?

Thanks for any and all pointers, suggestions, etc.

-Mike



Re: [cas-user] Re: CAS Release/Security Announcements

2020-08-14 Thread Mike Osterman
I asked pretty much the same question as Dustin about a week ago:
https://groups.google.com/a/apereo.org/g/cas-user/c/xTu0yzJQHBo

I hope we don't have to use an RSS reader to get alerts about security
vulnerabilities. To Dustin's (and my) point, the documented security
announcement paths don't
appear to be getting used.

I also want to find out if this latest vulnerability is truly just a 6.x
problem, or if it applies to 5.3.x as well.

Thanks!
Mike

On Fri, Aug 14, 2020 at 1:21 PM Jeremiah Garmatter 
wrote:

> Dustin,
>
> I would check https://apereo.github.io/
> This is Apereo's blog, they last updated July 24th of this year discussing
> a vulnerability.
>
> On Friday, August 14, 2020 at 2:55:17 PM UTC-4 Dustin J Luck wrote:
>
>> Where is the proper place to get notifications for new CAS releases and
>> security announcements? I haven't seen anything from cas-announce since
>> 10/28/19 or cas-appsec-public since 08/28/18.
>>
>> Both of these are still referenced on the CAS Mailing Lists page.
>>
>>
>> Thanks
>>



[cas-user] Current location for CAS public security announcements?

2020-08-08 Thread Mike Osterman
I came across this announcement on an RSS feed:
https://apereo.github.io/2020/07/24/credvuln/

I searched for it on the public security list (
https://groups.google.com/a/apereo.org/forum/#!forum/cas-appsec-public)
listed here:
https://apereo.github.io/cas/Mailing-Lists.html

And I didn’t see any discussion of this vulnerability here.

Where are we supposed to be getting this information apart from the blog?

On a side note, I note that 5.3.x is not listed, but wanted to double-check
that it is not affected.  As I understand it, 5.3.x is in security-patch
mode through October 29, 2020:
https://apereo.github.io/cas/developer/Maintenance-Policy.html



[cas-user] 5.3.x SAML2 + OverDrive, anyone?

2020-08-07 Thread Mike Osterman
I'm having difficulty configuring a SAML2 integration to work with the
OverDrive SP, and I'm wondering if anyone has a (redacted as needed)
working configuration they'd be willing to share?

Thank you!
Mike



Re: [cas-user] Re: groovyScript: expecting String concatenation, getting array?

2020-05-07 Thread Mike Osterman
That did it--thanks!

On Thu, May 7, 2020 at 1:04 AM Misagh Moayyed 
wrote:

> Try:
>
> "groovy { return attributes['wcWhitmanId'][0] + '@whitman.edu' }"
>
> "wcWhitmanId" is resolved internally as a multi-valued attribute.
>
>
> On Thursday, May 7, 2020 at 6:03:11 AM UTC+4:30, Mike Osterman wrote:
>>
>> Hi all,
>>
>> I'm setting up a SAML2 service and running into unexpected behavior with
>> the syntax for building the PrincipalID using
>> the GroovyRegisteredServiceUsernameProvider. Here's what I'm attempting to
>> do:
>>
>> [snip]
>> "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
>> "usernameAttributeProvider" : {
>>   "@class" : "org.apereo.cas.services.GroovyRegisteredServiceUsernameProvider",
>>   "groovyScript" : "groovy { return attributes['wcWhitmanId'] + '@whitman.edu' }",
>>   "canonicalizationMode" : "NONE"
>> }
>> [snip]
>>
>> Based on the documentation
>> <https://apereo.github.io/cas/5.3.x/integration/Attribute-Release-PrincipalId.html#inline>,
>> I'm expecting this to concatenate the wcWhitmanId attribute with the text
>> "@whitman.edu" as a string of format "123...@whitman.edu" (where 124356 is
>> a sample value of the wcWhitmanId attribute).
>>
>> Instead, what's being built and sent is this:
>> principal=SimplePrincipal(id=[123456, @whitman.edu]
>>
>> Which looks like an array to me.
>>
>> What am I doing wrong here?
>>
>> Thanks!
>> Mike
>>
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/d2fd82f9-056f-4b2f-a9d2-6c40bc97d76c%40apereo.org

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHVbaNb62Jm_sUx%2Bbj7%3DcrrkO4b51sVrqTkx-yjVyANsXA%40mail.gmail.com.
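The behaviour behind Misagh's fix comes down to Groovy's `plus` operator on a list. The script below is an added example, not code from the thread or from the CAS project: the `attributes` map is a constructed stand-in for what CAS hands a Groovy username script (every attribute value as a list), and `buildPrincipalId` is a hypothetical helper, not a CAS API.

```groovy
// Added example (not from the thread or the CAS project): why
// "attributes['wcWhitmanId'] + '@whitman.edu'" yields a list, and what the
// [0] in the fix does.

// Constructed sample of the binding CAS provides: attribute values are lists,
// because CAS treats every resolved attribute as multi-valued.
def attributes = [
    wcWhitmanId: ['123456'],
    mail       : ['someone@whitman.edu'],   // constructed value
]

// The script as originally written. In Groovy, List + Object is
// List.plus(Object): it appends the string and returns a new list.
def asWritten = attributes['wcWhitmanId'] + '@whitman.edu'
assert asWritten == ['123456', '@whitman.edu']   // what showed up as id=[123456, @whitman.edu]

// The fix from the thread: take the first value, then concatenate strings.
def fixed = attributes['wcWhitmanId'][0] + '@whitman.edu'
assert fixed == '123456@whitman.edu'

// A defensive variant for a production script (hypothetical helper, not CAS
// API): fail closed when the attribute is missing, empty, or carries more
// than one value, so a malformed identifier is never released to the SP.
String buildPrincipalId(Map attrs, String attrName, String suffix) {
    def values = attrs[attrName]
    if (!values) {
        throw new IllegalStateException("required attribute ${attrName} is missing or empty")
    }
    if (values.size() > 1) {
        throw new IllegalStateException("attribute ${attrName} has ${values.size()} values; expected exactly one")
    }
    return values[0].toString() + suffix
}

assert buildPrincipalId(attributes, 'wcWhitmanId', '@whitman.edu') == '123456@whitman.edu'

// Missing attribute: the helper refuses rather than building a bogus id.
try {
    buildPrincipalId(attributes, 'employeeNumber', '@whitman.edu')
    assert false, 'expected a failure for a missing attribute'
} catch (IllegalStateException e) {
    println "rejected: ${e.message}"
}

// Multi-valued attribute: the helper refuses instead of silently picking [0].
def multi = [wcWhitmanId: ['123456', '654321']]
try {
    buildPrincipalId(multi, 'wcWhitmanId', '@whitman.edu')
    assert false, 'expected a failure for a multi-valued attribute'
} catch (IllegalStateException e) {
    println "rejected: ${e.message}"
}
```

Run it with `groovy` on the command line; the asserts pass and the two `rejected:` lines are printed. The point of the defensive variant is that `[0]` quietly chooses one value when an attribute unexpectedly has several, and the resulting PrincipalID is what the SP will trust, so a script that is the source of an identifier should refuse ambiguous input rather than guess.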


[cas-user] groovyScript: expecting String concatenation, getting array?

2020-05-06 Thread Mike Osterman
Hi all,

I'm setting up a SAML2 service and running into unexpected behavior with
the syntax for building the PrincipalID using
the GroovyRegisteredServiceUsernameProvider. Here's what I'm attempting to
do:

[snip]
"requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"usernameAttributeProvider" : {
  "@class" : "org.apereo.cas.services.GroovyRegisteredServiceUsernameProvider",
  "groovyScript" : "groovy { return attributes['wcWhitmanId'] + '@whitman.edu' }",
  "canonicalizationMode" : "NONE"
}
[snip]

Based on the documentation
<https://apereo.github.io/cas/5.3.x/integration/Attribute-Release-PrincipalId.html#inline>,
I'm expecting this to concatenate the wcWhitmanId attribute with the text
"@whitman.edu" as a string of format "123...@whitman.edu" (where 124356 is a
sample value of the wcWhitmanId attribute).

Instead, what's being built and sent is this:
principal=SimplePrincipal(id=[123456, @whitman.edu]

Which looks like an array to me.

What am I doing wrong here?

Thanks!
Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHWX%3DgcoK_va0YgZhF-PjKz7Uz-SM0B%3DfvS_1tefGU5ZiA%40mail.gmail.com.


[cas-user] Using Principal-Id variable in configuration?

2020-03-12 Thread Mike Osterman
Given that our users sometimes interpret "username" to be their email
address, we added this ldap filter to our user matching:
cas.authn.ldap[0].searchFilter=(|(uid={user})(mail={user}))

That way, if they enter either "username" or "usern...@whitman.edu" they'll
be found correctly.

We've just discovered that we missed doing this in a separate ldap database
lookup for an MFA attribute, and this got me thinking: Is there a similar
configuration variable for the Principal-Id  attribute that gets returned
like the above "{user}"? Maybe "{principalId}"? I searched through the
documentation the best I could, but "user" is pretty generic, and it seemed
the brackets were (rightly) being ignored.

If such a thing were to exist, we could collapse down to something like
this:
cas.authn.attributeRepository.ldap[0].searchFilter=(sAMAccountName={principalId})

-Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHWScMJFNPMMwrx2YuETFNFz_k-mUe7H67DYtYSbkz%2BQow%40mail.gmail.com.


Re: [cas-user] Re: Trying to determine why CAS is returning an encoded attribute to SAML SP

2020-02-04 Thread Mike Osterman
Update: well, here's yet another lesson that correlation does not equal
causation. :)

Here was the root cause:
2020-02-04 23:15:43,941 DEBUG
[org.apereo.cas.support.saml.web.idp.profile.builders.nameid.SamlProfileSamlNameIdBuilder]
- 

The reason I was thinking it was the adding of the Google Apps support is
because that's when I restarted the CAS service. Through some testing, I
found that a consistent transient NameID was being sent until I restarted
CAS, then a new transient ID was being generated.

Question: is transient the default NameID format for CAS SAML2 support, or
did I somehow override that? I get that the root cause is the SP not
specifying the Name ID format, but I'm surprised by the "Added default
[urn:oasis:names:tc:SAML:2.0:nameid-format:transient]" part of the debug
log message, as transient seems like a squirrely format to work with.

A further comment about the documentation for older supported versions,
similar to my earlier note that the "big blue box" about deprecation isn't
on the 5.3.x version of the Google Apps Integration page. I was able to
find some extremely useful examples for forcing persistent NameID format
here:
https://apereo.github.io/cas/6.1.x/installation/Configuring-SAML2-Authentication.html#name-id-selection
The 5.3.x version of the same documentation, however, does not have those
examples:
https://apereo.github.io/cas/5.3.x/installation/Configuring-SAML2-Authentication.html#name-id-selection
It would be extremely helpful for documentation improvements like these to
be "backported" (pardon the [mis?]use of that term) to the documentation of
the older, yet still supported, versions. I only came across the 6.1.x
version after stumbling across the master branch of the document here:
https://github.com/apereo/cas/blob/master/docs/cas-server-documentation/installation/Configuring-SAML2-Authentication.md

Thanks again for the troubleshooting pointers!

-Mike

On Wed, Jan 29, 2020 at 2:22 PM Mike Osterman  wrote:

> Thanks, Misagh! Responses below:
>
> On Wed, Jan 29, 2020 at 2:23 AM Misagh Moayyed 
> wrote:
>
>>
>>> None of this would be a big deal if we hadn't run into a bizarre problem
>>> that the encoded attribute being sent *CHANGED*.
>>>
>>
>> It would be helpful to describe the steps you took to create/duplicate
>> this scenario.
>>
>
> That's the rub. The only thing I can come up with that did change was my
> rebuilding my cas.war after adding the dependency for GoogleApps. That's
> when the value being sent changed. It's possible other bits got changed
> when I rebuilt my war file, but I didn't change the cas version in the
> gradle file - only added the Google Apps dependency:
> compile
> "org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"
>
>
>>
>>> So my two questions:
>>> 1) Is there any chance that the google apps keys have somehow superseded
>>> the ones that general SAML services were using previously, such that my
>>> non-Google SAML service switched to using the Google keys instead? This is
>>> the only reason why I can fathom that the NameID attribute value suddenly
>>> changed.
>>>
>>
>>
>> No.
>>
>> However, please note that the Google Apps for Education integration
>> allows CAS to act as a miniaturized SAML2 identity provider, for
>> deployments that may not be prepared to turn on and allow CAS to fully act
>> as a SAML2 identity provider. This feature is deprecated and is scheduled
>> to be removed in the future. It does not make much sense to turn on and use
>> both features (Google Apps + SAML2 IDP) in CAS at the same time, as one
>> outranks the other and it is likely that using both features in CAS
>> simultaneously would interfere with the functionality of both. If you can,
>> consider using the SAML2 identity provider functionality in CAS to handle
>> this integration as you would any other SAML2 service provider.
>>
>> Big blue box here:
>> https://apereo.github.io/cas/6.1.x/integration/Google-Apps-Integration.html
>>
>> I am not saying using both at the same time is causing this issue; just
>> that if your deployment qualifies for that sort of condition, you're
>> inviting additional complexity with no real benefits to your deployment.
>>
>
> Ah - that makes good sense. The reason I missed that big blue box is that
> we're on 5.3.x, and it's not on that page:
> https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html
> Perhaps it could be added there as well?
>
>
>>
>>> 2) Does anyone have ideas of how to disable the signing/encoding of the
>>> NameID attribute so I can get visibility into what'

[cas-user] Blackboard Transact SAM/E-Accounts SAML service?

2020-02-04 Thread Mike Osterman
We're looking to transition the few SAML services we have on our
Shibboleth IdP over to CAS 5.3.x, and so far, it's been great. I realize we
can bridge Shib to CAS, but running one SSO service instead of two would
reduce our overall maintenance.

We've run into a new service, however, that says it does SAML2, but all
of the documentation is specific to Shibboleth IdP, down to specific
attribute statements to copy/paste into the shib XML files.

I've got a query to the implementation team, but I thought I'd ask here:
has anyone successfully configured support in CAS for authentication of
Blackboard's Transact (card system, not LMS) Student Account Management
portal? If so, I'd be very interested to learn (on or off list) how you
accomplished it.

Thanks!
Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUCBO%3DMN6gYq7bK5JN_GhQaccYuGp4o2aF-29qnGObZqQ%40mail.gmail.com.


Re: [cas-user] Re: Trying to determine why CAS is returning an encoded attribute to SAML SP

2020-01-29 Thread Mike Osterman
Thanks, Misagh! Responses below:

On Wed, Jan 29, 2020 at 2:23 AM Misagh Moayyed 
wrote:

>
>> None of this would be a big deal if we hadn't run into a bizarre problem
>> that the encoded attribute being sent *CHANGED*.
>>
>
> It would be helpful to describe the steps you took to create/duplicate
> this scenario.
>

That's the rub. The only thing I can come up with that did change was my
rebuilding my cas.war after adding the dependency for GoogleApps. That's
when the value being sent changed. It's possible other bits got changed
when I rebuilt my war file, but I didn't change the cas version in the
gradle file - only added the Google Apps dependency:
compile
"org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"


>
>> So my two questions:
>> 1) Is there any chance that the google apps keys have somehow superseded
>> the ones that general SAML services were using previously, such that my
>> non-Google SAML service switched to using the Google keys instead? This is
>> the only reason why I can fathom that the NameID attribute value suddenly
>> changed.
>>
>
>
> No.
>
> However, please note that the Google Apps for Education integration allows
> CAS to act as a miniaturized SAML2 identity provider, for deployments that
> may not be prepared to turn on and allow CAS to fully act as a SAML2
> identity provider. This feature is deprecated and is scheduled to be
> removed in the future. It does not make much sense to turn on and use both
> features (Google Apps + SAML2 IDP) in CAS at the same time, as one outranks
> the other and it is likely that using both features in CAS simultaneously
> would interfere with the functionality of both. If you can, consider using
> the SAML2 identity provider functionality in CAS to handle this integration
> as you would any other SAML2 service provider.
>
> Big blue box here:
> https://apereo.github.io/cas/6.1.x/integration/Google-Apps-Integration.html
>
> I am not saying using both at the same time is causing this issue; just
> that if your deployment qualifies for that sort of condition, you're
> inviting additional complexity with no real benefits to your deployment.
>

Ah - that makes good sense. The reason I missed that big blue box is that
we're on 5.3.x, and it's not on that page:
https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html
Perhaps it could be added there as well?


>
>> 2) Does anyone have ideas of how to disable the signing/encoding of the
>> NameID attribute so I can get visibility into what's getting sent? Or is
>> that happening at the direction of the SAML SP?
>>
>
> Unless your SAML2 SP is asking/forcing CAS to use encrypted NameIDs or
> Transient NameIDs, I don't think this is happening. IIRC, this indication
> will be instructed to CAS via the SP metadata. If you want to see what's
> happening, turn up TRACE logging for org.apereo.cas and comb through the
> logs.
>

I couldn't find anything in the metadata (in the metadata backup file) that
indicated a requested preference for a NameID format. Adding the tracing at
that level sounds like a firehose for a production system. That said, I
appreciate the pointer to where to look for more clues. I'll see if I can
get the vendor to help me test this on a non-production instance with our
test CAS server.

Thank you,
Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHVsTKRg3RUjUvXH-N-YOXW60WThPCjPPeM0nnrHY1YC7w%40mail.gmail.com.


[cas-user] Trying to determine why CAS is returning an encoded attribute to SAML SP

2020-01-25 Thread Mike Osterman
Hello,

I've been trying to determine for several hours now why a SAML-based SP is
being sent different values of the Id as part of the authentication flow.
Here's a sample of the "WHO" line from a single login transaction:

WHO: usern...@whitman.edu
WHO: usern...@whitman.edu
WHO: YfXXXo=
WHO: YfXXXo=

Note that first, the username is provided, but later a (presumably)
signed/encoded value is being returned. (Yep, those Xs are
intentional--redaction)

I turned on debug for "org.apereo.cas.support.saml" and found that it seems
to be happening in building the NameID response:
org.apereo.cas.support.saml.web.idp.profile.builders.nameid.SamlProfileSamlNameIdBuilder]
- 

None of this would be a big deal if we hadn't run into a bizarre problem
that the encoded attribute being sent *CHANGED*.

I have one crackpot theory for what might have changed: On January 10, we
enabled Google Apps support by compiling in the dependency and generating
keys, which are referenced as such in our cas.properties file:
cas.googleApps.publicKeyLocation=file:public.key
cas.googleApps.keyAlgorithm=RSA
cas.googleApps.privateKeyLocation=file:private.key

So my two questions:
1) Is there any chance that the google apps keys have somehow superseded
the ones that general SAML services were using previously, such that my
non-Google SAML service switched to using the Google keys instead? This is
the only reason why I can fathom that the NameID attribute value suddenly
changed.

2) Does anyone have ideas of how to disable the signing/encoding of the
NameID attribute so I can get visibility into what's getting sent? Or is
that happening at the direction of the SAML SP?

Thank you!
Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUTd9d-COYaZzN1%2B_V6tKf3Rhma9CECtXBLby5wTtn1Gg%40mail.gmail.com.


Re: [cas-user] Re: [CAS 6.1] Base64 decoding failed / incorrect header check

2020-01-25 Thread Mike Osterman
Hi all,

Just another piece to the puzzle...

We have been on 5.3.x for a while, but it wasn't until we added and
deployed support for Google Apps that we started seeing this error.

Note that not too far down the error stack you find this line:
"at
org.apereo.cas.support.saml.authentication.principal.GoogleAccountsServiceFactory.createService(GoogleAccountsServiceFactory.java:34"

So perhaps this is specific to
the org.apereo.cas:cas-server-support-saml-googleapps dependency that Josh
shared? Christine, do you have Google Apps support on 5.3.x as well?

I can also concur that it doesn't seem to be causing any authentication
issues, but it is definitely muddying up the logs and adding noise to
troubleshooting other issues.

Thanks,
Mike

On Wed, Jan 22, 2020 at 7:31 AM Pasek, Christine  wrote:

> That is good to hear. Thanks for letting me know.
>
> On Wed, Jan 22, 2020 at 9:29 AM Josh 
> wrote:
>
>> Hi Chris -
>>
>> No luck finding a solution on the error, however the good news is other
>> than polluting our logs (which we could mitigate) there does not appear to
>> be any negative user impact.
>>
>> We're several million authentications into this upgrade without any users
>> reporting issues.
>>
>>
>> On Wednesday, January 22, 2020 at 9:45:40 AM UTC-5, Christine Pasek wrote:
>>>
>>> Hello Josh,
>>>
>>> I have just upgraded from 5.2.X to 5.3.X and am experiencing the same
>>> error and like you, everything seems to be working fine.
>>>
>>> Were you able to find a solution to fixing this error?
>>>
>>> Thanks!
>>> Chris
>>>
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/a5632664-a375-4e32-8776-abaf6058218e%40apereo.org
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAHFOFS0_cENrJHgcQvz4QYGzGSQgQ-VcnF8V1cn3z%2BVNc9CpPw%40mail.gmail.com

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHXrLCJ0YLreBT2hDPQ%2BT58%3D%3D8mqcd13TVSS%3D8YPvo6fCQ%40mail.gmail.com.


[cas-user] Tips for changing Google Apps 3rd-party SSO - CAS 5.3.x

2020-01-08 Thread Mike Osterman
We're finally getting up to CAS 5.3.x, and for a variety of reasons, we
built a new server with a different host name. As part of the transition,
we'll be updating the "Third-party identity provider" settings in Google
Apps with the new URL and keys.

As I'm sure others have gone through this, I thought I'd ask a few
questions here:

   1. Did you reuse the X509 certificates from your previous CAS instance?
   2. The CAS side seems pretty well-documented and straightforward:
   https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html

   Is there anything you'd add to this? For example, does your service
   registry entry match that on the documentation, or did you need to add more
   attributes?
   3. Were there any gotchas you didn't foresee, such as all users' OAuth
   tokens being expired due to the changes? (I'm not certain this will happen,
   just trying to think of things that might happen as an unintended
   byproduct.)
   4. Are there additional preparations you wish you'd done given hindsight?

Thanks!
Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHXw2PEKEuvqgi0T4MaAwGAaqMc4iKoNdJzyY8_RqG6zKg%40mail.gmail.com.


[cas-user] Return uid in attribute list?

2019-08-14 Thread Mike Osterman
Hello,

We're new to "modern" CAS (moving from 3.x to 5.x), and have run into an
issue. We configured an attribute release filter to return mail & uid:

"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "mail", "uid" ] ]
}

But for some reason, the response is coming back with only "mail" in the
attribute list and the uid listed as property called "id":

principal=SimplePrincipal(id=username, attributes={mail=[
usern...@whitman.edu]}),requiredAttributes={}

I found this reference to the "principalIdAttribute" that states "By
default, the principal id is NOT released as an attribute."
https://apereo.github.io/cas/5.3.x/integration/Attribute-Release-Policies.html

I can see where we have it listed as principalIdAttribute in our config:
cas.authn.ldap[0].principalAttributeId=uid

So I can see why it's mapping to the principal id and would not release by
default, but I can't discern from the documentation how to change the
default behavior to release it as part of the attribute list.

Any ideas?

Thank you,
Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUpBFArrbdSU52t2sF7Sqape-Joajo1JSW3sCa6tFM0DQ%40mail.gmail.com.