[cas-user] Invalid IDP initiated SLO front-channel SAML request sent

2024-02-19 Thread 'Paul Roemer' via CAS Community
Hi,

I am on CAS 6 and noticed the generated SLO request to my SAML client is 
invalid as it uses "logoutRequest" instead of "SAMLRequest" request 
parameter:

https://preview.vaadin.com/forum/auth/saml/slo?callback=jQuery36005257602387445194_1708340330512=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Csaml2p%3ALogoutRequest+xmlns%3Asaml2p%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+Destination%3D%22https%3A%2F%2F[...]

Resending the exact same request via browser but with changed parameter 
name (logoutRequest => SAMLRequest) works and I am logged out.

This is about IDP initiated front-channel SLO with HTTP-REDIRECT binding.

I already checked the CAS sources and debugged into the matter:
1) FrontChannelLogoutAction is called as expected
2) As SLO works if I change the parameter name, the actual payload is 
correctly generated
3) FrontChannelLogoutAction uses new LogoutHttpMessage(r.getLogoutUrl(), 
logoutMessage.getPayload(), true) that always uses 
public static final String LOGOUT_REQUEST_PARAMETER = "logoutRequest"; as 
the request parameter name. I cannot see that 
formatOutputMessageInternal() is overwritten.

Now, I wonder how to fix that.  Or is my client actually wrong and should 
support "logoutRequest" parameter, too? Or is there some misconfiguration 
in my setup?

Cheers,
  Paul

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/07af6bd5-3755-4d91-92ea-b6f068eb99a0n%40apereo.org.
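As an added example (mine, not from the post or from the CAS project), a Python check for the situation described above: it builds an SLO redirect both ways, reports which query parameter carries the LogoutRequest, whether that name is the one the SAML 2.0 HTTP-Redirect binding expects (SAMLRequest), and whether the request's Destination matches the endpoint it reached. The endpoint, issuer, IDs and NameID in the sample request are constructed.

```python
"""Inspect an IdP-initiated SAML front-channel SLO redirect (HTTP-Redirect
binding) and report which query parameter carries the LogoutRequest."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# CAS's LogoutHttpMessage sends the payload as LOGOUT_REQUEST_PARAMETER =
# "logoutRequest"; the SAML 2.0 HTTP-Redirect binding expects "SAMLRequest".
CAS_PARAM = "logoutRequest"
SAML_PARAM = "SAMLRequest"

# Constructed sample: endpoint, issuer, IDs and NameID are made up.
SAMPLE_SLO_ENDPOINT = "https://sp.example.org/saml/slo"
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Destination="https://sp.example.org/saml/slo" ID="_req-0001" '
    'IssueInstant="2024-02-19T12:00:00Z" Version="2.0">'
    "<saml2:Issuer>https://cas.example.org/cas/idp</saml2:Issuer>"
    '<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    "user123</saml2:NameID>"
    "<saml2p:SessionIndex>_sess-42</saml2p:SessionIndex>"
    "</saml2p:LogoutRequest>"
)


def build_redirect(endpoint, xml_text, param=SAML_PARAM, deflate=True):
    """Build the redirect URL an IdP sends the browser to. deflate=True applies
    the binding's DEFLATE + base64 encoding; deflate=False reproduces the
    URL-encoded raw XML seen in the thread's example URL."""
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
        body = comp.compress(xml_text.encode("utf-8")) + comp.flush()
        value = base64.b64encode(body).decode("ascii")
    else:
        value = xml_text
    return endpoint + "?" + urlencode({param: value})


def decode_request(value):
    """Turn a URL-decoded parameter value back into LogoutRequest XML: try the
    binding's encoding first, then fall back to plain XML as CAS sent it."""
    try:
        return zlib.decompress(base64.b64decode(value, validate=True), -15).decode("utf-8")
    except (ValueError, zlib.error):  # binascii.Error is a ValueError
        return value


def parse_logout_request(xml_text):
    """Extract the fields an SP needs to validate and act on a LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: " + root.tag)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": text("saml:Issuer"),
        "name_id": text("saml:NameID"),
        "session_index": text("samlp:SessionIndex"),
    }


def inspect_slo_redirect(url):
    """Report which parameter carried the request, whether that matches the
    binding, whether Destination matches the URL it was delivered to, and the
    parsed fields. param is None when no LogoutRequest is present."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    present = [p for p in (SAML_PARAM, CAS_PARAM) if p in query]
    if not present:
        return {"param": None, "binding_ok": False, "destination_ok": False, "request": None}
    param = present[0]
    request = parse_logout_request(decode_request(query[param][0]))
    delivered_to = urlunsplit(parts._replace(query="", fragment=""))
    return {
        "param": param,
        "binding_ok": param == SAML_PARAM,
        "destination_ok": request["destination"] == delivered_to,
        "request": request,
    }


if __name__ == "__main__":
    # As CAS 6 sent it in the thread: raw XML under "logoutRequest".
    print(inspect_slo_redirect(build_redirect(SAMPLE_SLO_ENDPOINT, SAMPLE_XML, CAS_PARAM, deflate=False)))
    # As the SP accepted it after the rename (here also DEFLATE-encoded).
    print(inspect_slo_redirect(build_redirect(SAMPLE_SLO_ENDPOINT, SAMPLE_XML)))
```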


[cas-user] CAS accessibility to people with disabilities

2023-08-04 Thread Jean-Paul JORDA
Hi, 
We use apereo CAS for our applications, but unfortunately the login page is 
not accessible to people with disabilities. That's a problem for these 
people of course, and what's more we are bound by law to provide accessible 
web sites (WCAG <https://www.w3.org/TR/WCAG21/> A and AA criteria). 
Is there any plan to improve CAS in this area?
If needed, we may provide audit results, help to test, html templates and 
bits of (s)css, but we are poor java developers.
  
Thanks !
Jean-Paul



Re: [cas-user] CAS 6.X Deployment Guide (The Missing Evolutionary Link)

2022-04-04 Thread Paul Chauvet
Hi Joshua,

I can't claim it is as good as David's was for CAS 5 - but I created a guide in 
the same style:
https://paulchauvet.github.io/deploying-cas

There are some things that I have new there (how we maintain CAS & Tomcat via 
Ansible, delegation of auth to Azure, and a few more things).

I keep meaning to find why that doesn't get indexed by Google but I've been so 
swamped I haven't gotten a chance to get back to that.





Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu


From: cas-user@apereo.org  on behalf of Joshua Brodie 

Sent: Monday, April 4, 2022 1:54 PM
To: cas-user@apereo.org 
Subject: [cas-user] CAS 6.X Deployment Guide (The Missing Evolutionary Link)


We are migrating from CAS5 to CAS6 -- the changes from maven to gradle is 
taking us for a loop on the dependencies to add.

Is there a CAS6 deployment guide similar to the one by David Curry for CAS5 at 
https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html?






[cas-user] Guide to Deploying CAS 6 - with Ansible, MFA, and Delegated authentication

2021-05-12 Thread Paul Chauvet
Hi all,

Over the past couple of months - in my (vanishingly small) free time, I created 
a guide to deploying Apereo CAS 6 (6.3.x specifically).  I did this because 
I've benefited from the documentation others have done in the past (especially 
David Curry's CAS 5 version) - and wanted to see if my stumbling, experimentation, 
trial and error could benefit others.

The documentation is available on Github.io: 
http://paulchauvet.github.io/deploying-cas

It covers the following topics:

  *   Using Ansible to deploy Tomcat and CAS (including configs, services, etc.)
  *   Vanilla CAS deployment - with functionality progressively added to it
  *   Service Configuration
  *   Active Directory authentication and attribute release
  *   Duo MFA support
  *   Ticket registry via Hazelcast
  *   Delegating authentication from CAS to Azure
  *   Theming (this one is very incomplete - I'll add more to that soon).

I can't guarantee it will be usable for anyone - and even for those who it is 
usable for whether all of it will be usable.  I am not the CAS expert that many 
here on the list are - and I don't know the underlying Java code well enough to 
cover that here.  But hopefully some will find some benefit in it.

This is my first public documentation like this (my other documentation is 
meant for internal IT staff, or end-users).  I started this as a way to 
document for other IT staff members in case the proverbial bus hits me - but 
realized it may have benefit to others.

If you have suggestions/corrections/objections/etc., let me know.

P.S.  I've got a ton of help from others on various topics - both on the CAS 
list and colleagues within SUNY.  I apologize if I missed anyone here!
Acknowledgements: https://paulchauvet.github.io/deploying-cas/about/acknowledgements/




Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu



Re: [cas-user] Hide CAS login box (and only use external identity providers)

2021-04-29 Thread Paul Chauvet
Hi Ray,

Thanks for getting back to me!  The redirect comment was exactly what I needed.

I ended up adding the following to the cas properties which handles that 
automatic redirect:
cas.authn.pac4j.saml[0].autoRedirect=true

P.S.: It's still not done - but I'm trying to document my whole journey in 
getting CAS 6 (with Duo, Delegated Auth, and using Ansible to deploy/maintain 
CAS and Tomcat).  It's inspired by what David Curry did for his CAS 5 guide 
plus the Ansible stuff I've done in CAS the past couple years.

https://paulchauvet.github.io/deploying-cas/

When it's complete (still need to do a couple more things - mostly on theming) 
I'll announce it to the list formally.  Hopefully someone else can benefit from 
where I've stumbled.





Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu


From: cas-user@apereo.org  on behalf of Ray Bon 

Sent: Wednesday, April 28, 2021 5:27 PM
To: cas-user@apereo.org 
Subject: Re: [cas-user] Hide CAS login box (and only use external identity 
providers)


Paul,

If a service is defined as using delegated auth, the redirect will happen 
automatically. The login page may be visible during the redirect.
See, 
https://apereo.github.io/cas/6.3.x/integration/Delegate-Authentication.html#user-interface
I have not tested with only delegated auth, so I do not know if you have to set 
delegated auth for each service.

Ray

On Wed, 2021-04-28 at 20:17 +, Paul Chauvet wrote:

Hi all,

Is there a way (without making UI/theme changes) to completely hide the login 
box in CAS 6.3?

We're going to be delegating authentication to Azure via SAML - but I'd prefer 
to hide the regular login box completely and just want to leave the button 
under "External Identity Providers" there.

Apologies if I missed something obvious - and thanks all for any advice you can 
share.





Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu



[cas-user] Hide CAS login box (and only use external identity providers)

2021-04-28 Thread Paul Chauvet
Hi all,

Is there a way (without making UI/theme changes) to completely hide the login 
box in CAS 6.3?

We're going to be delegating authentication to Azure via SAML - but I'd prefer 
to hide the regular login box completely and just want to leave the button 
under "External Identity Providers" there.

Apologies if I missed something obvious - and thanks all for any advice you can 
share.





Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu



Re: [cas-user] CSRF protection for login page

2021-04-22 Thread Paul Roemer

Hey Carl,

you are right. The problem described is not a CSRF issue. Still, I wonder 
if users of CAS are aware of it. In the end it means that attackers can 
easily trigger any flow provided by CAS, right? That bugs me.

Before, I was under the assumption that the Webflow execution ID was used 
as nonce. But I was wrong as it can be reused even if the flow succeeded 
already...
On Wednesday, April 21, 2021 at 10:54:03 PM UTC+2 waldbiec wrote:

> Technically, that is not CSRF, but I understand the concern you have-- 
> phisher captures the username/password on their own form, and then sends 
> the credentials on to the legitimate site so the user is none the wiser.
>
> A nonce in this case wouldn't buy you too much if the user doesn't notice 
> they are at the wrong site.  Consider the attacker could just POST to her 
> own site then redirect to the real site, leaving the user thinking she just 
> entered a typo in the username or password.  Or the phisher could be 
> proxying the site, maybe using something like an sslstrip attack.  In all 
> those cases, if the user hasn't noticed she wound up on 
> https://evil-site-that-looks-like-your.net/ she may be fooled into giving 
> up her credentials.
>
> A nonce is useful as CSRF protection in cases where you are already 
> authenticated to a site, so a bad actor can't trick you into doing 
> something that would normally require authentication.
>
> Historically, I believe CAS used to have a "login ticket" which was a 
> nonce.  It dropped it somewhere between 3.x and 5.x, I believe.
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
>
> On Wed, Apr 21, 2021 at 5:24 AM Paul Roemer  wrote:
>
>>
>> Hey guys,
>>
>> we noticed that you can easily create your own login form with copied 
>> execution ID on any domain you might want to use for phishing attacks. As 
>> for the victim everything looks good (login is successful), detecting the 
>> attack is hard.
>>
>>
>> Example form for the CAS demo server:
>>
>> Besides the CSRF issue, I also wonder why the same Spring Webflow 
>> execution ID can be used several times. Shouldn't the execution ID be 
>> deleted after reaching an end state of the flow?
>>
>> Cheers,
>>   Paul
>>

[cas-user] CSRF protection for login page

2021-04-21 Thread Paul Roemer

Hey guys,

we noticed that you can easily create your own login form with copied 
execution ID on any domain you might want to use for phishing attacks. As 
for the victim everything looks good (login is successful), detecting the 
attack is hard.


Example form for the CAS demo server:

Besides the CSRF issue, I also wonder why the same Spring Webflow execution 
ID can be used several times. Shouldn't the execution ID be deleted after 
reaching an end state of the flow?

Cheers,
  Paul



Re: [cas-user] CAS (6.2.6) using delegated authentication to Azure

2021-01-13 Thread Paul Chauvet
Hi all,

First - thanks to Ray for his response last week!

I'm still hoping to get this working via SAML - but I don't know where else to 
go here.  Has anyone gotten this working (delegated authentication via SAML to 
Azure)?

Alternatively - I'm trying to do this via OIDC as Ray indicated - but I'm not 
sure what I should be using for the "Redirect URI" in Azure?  Should that be 
just our CAS server URL (i.e. https://cas.domain.edu/cas/login)?

Thanks all!




Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu


From: cas-user@apereo.org  on behalf of Ray Bon 

Sent: Friday, January 8, 2021 12:38 PM
To: cas-user@apereo.org 
Subject: Re: [cas-user] CAS (6.2.6) using delegated authentication to Azure


Paul,

I, too, received that error message with SAML delegation. I did get OIDC 
working.

It looks like the only build requirement is:

implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${casServerVersion}"

Ray



On Fri, 2021-01-08 at 15:58 +, Paul Chauvet wrote:

Hi all,

I'm trying to setup a new CAS 6.2.6 environment to eventually replace our 5.3.x 
environment.  Unlike our current environment (where we do regular LDAP 
authentication against on-prem Active Directory) - I wanted to setup delegated 
authentication, pointed at Azure AD.

I started by following the steps at the blog post below - but I feel like I'm 
missing something as I can't get it working.
https://apereo.github.io/cas/6.2.x/integration/Delegate-Authentication.html

(Apologies for the long email - wanted to make sure I have as much info as 
possible on my environment and the errors).

My environment is RHEL 8 with OpenJDK 11 and Tomcat 9.0.41.

What I've done:

  *   In Azure, I created an Enterprise Application within Azure, and within 
Single Sign-on chose SAML.
  *   For CAS - I've built via gradle via the cas-overlay-template.  Beyond the 
default, I've included the following dependencies:
compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-pm-webflow:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-jmx:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-generic:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-hazelcast-monitor:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-metrics:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-core-monitor:${project.'cas.version'}"

  *   Within cas.properties I have:
cas.authn.pac4j.saml[0].keystorePassword=
cas.authn.pac4j.saml[0].privateKeyPassword=
cas.authn.pac4j.saml[0].keystorePath=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org (is this right?)
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata.xml

cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://login.microsoftonline.com//federationmetadata/2007-06/federationmetadata.xml?appid=
cas.authn.pac4j.saml[0].clientName=AzureADDev

  *   And defined a single CAS service:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://sts.windows.net/ebd45737-b352-4722-bb0c-9f539bcbfa65/",
  "name" : "AzureAD-Dev",
  "id" : 1593461500,
  "evaluationOrder" : 50,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "AzureADDev" ] ]
    }
  }
}



What happens is when I go to CAS and click on the external identity provider, I 
get an error from Microsoft:

Sorry, but we’re having trouble signing you in.

AADSTS7500525: There was an XML error in the SAML message at line 2, positi

[cas-user] CAS (6.2.6) using delegated authentication to Azure

2021-01-08 Thread Paul Chauvet
pereo.cas.web.flow.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:125) ~[cas-server-support-pac4j-webflow-6.2.6.jar:6.2.6]
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.6.RELEASE.jar:5.2.6.RELEASE]
at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.2.RELEASE.jar:2.2.2.RELEASE]



(this continues for a long while - can provide the full stack trace if needed)

My apologies if I'm missing something obvious here - but I'd appreciate any 
ideas you may have.

P.S.  I tried this again back in the Fall on CAS 6.1.6 but had the same issues 
(then pulled into a bunch of other unrelated projects so I'm only getting back 
to this months later).

Thanks!


Paul Chauvet



Re: [cas-user] Logging out from CAS logs me out from Google, too

2020-08-24 Thread Paul Roemer
Hey denizg,

first thanks for your suggestion. But I actually want SLO. I want to destroy 
the SSO session and not only the application session. I also configured 
front channel to make it work.

No, the problem is something different: If I use a delegated SSO provider 
like Google or GitHub to authenticate against CAS (during Sign-In) and 
logout again, I am not only logged out from the SSO session that CAS 
manages but also from my Google or GitHub account. And that is what should 
not happen and is new behavior.

I wonder when this changed.

On Monday, August 24, 2020 at 10:47:14 AM UTC+2 denizg wrote:

> edit: single sign on  out
>
> On Mon, 24 Aug 2020 at 11:46, dyte gyte wrote:
>
>> Hello,
>>
>> afaik, there are 2 logout types: single logout and single sign-on. the 
>> default behavior is single logout which means that if you log out of the current 
>> app, you also log out of all applications that cas is connected to. this is the 
>> situation you are facing. but you need single sign on as i understand. 
>> basically, turn off this (
>> https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#turning-off-single-logout
>> )
>>
>> reference: 
>> https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#logout-and-single-logout-slo
>>
>> On Mon, 24 Aug 2020 at 11:26, Paul Roemer wrote:
>>
>>> Hey guys,
>>>
>>> we noticed some new behavior with delegated SSO authentication. When I 
>>> login with my Google SSO account at our CAS and logout again, I am not only 
>>> logged out from CAS but also from my Google account. This also happens with 
>>> delegated GitHub SSO.
>>>
>>> We are using CAS 6.2.1 but I am unsure when we noticed this behavior the 
>>> first time.
>>>
>>> Anyone else noticed it? Is there some configuration option to disable it?
>>>
>>> Cheers,
>>>   Paul
>>>



[cas-user] Logging out from CAS logs me out from Google, too

2020-08-24 Thread Paul Roemer
Hey guys,

we noticed some new behavior with delegated SSO authentication. When I 
login with my Google SSO account at our CAS and logout again, I am not only 
logged out from CAS but also from my Google account. This also happens with 
delegated GitHub SSO.

We are using CAS 6.2.1 but I am unsure when we noticed this behavior the 
first time.

Anyone else noticed it? Is there some configuration option to disable it?

Cheers,
  Paul



Re: [cas-user] Configuration property overrides via environment variables does not work

2020-06-30 Thread Paul Roemer
Hey guys,

I was out sick for a couple of days so I could not answer.

@Ray, I am using the latest and greatest CAS 6.2 release. And I do not 
recall in which RC but at some point it was decided to switch from 
camelCase to kebab-case. That is why it is 
cas.service-registry.json.location in my case.

@ste, so you are facing the same issue. Are you sure about the Spring Boot 
behavior? I just tried it (Spring Boot 2.2.8 as CAS 6.2 is using it, too) 
and it works at least for the server.port property:

java -jar ./build/libs/demo-0.0.1-SNAPSHOT.jar --server.port=8080

I set it to 8081 in the application.properties and override it via command 
line parameter. And that's also what I understand from the Spring Boot 
documentation.


On Thursday, June 25, 2020 at 9:43:00 PM UTC+2 ste wrote:

> Hi Paul,
>
> I had the same problem. What I noticed:
>
> If you comment out or remove the property in app.properties, the corresponding 
> env var is used. 
>
> But if you have it in the app.properties, the property will not be erased by 
> the env var.
>
> But for me it is the same as other spring-boot apps. Maybe what you are talking 
> about is a new feature in a newer version of Spring Boot?!
>
> For your purpose use a spring boot profile and multiple app.properties.
>
> On Thu, 25 Jun 2020 at 17:04, Paul Roemer wrote:
>
>> Hey guys,
>>
>> today we noticed that we are not able to override properties set in some 
>> application properties file by environment variables. 
>> For example, we have some property 'secrect' that we configure with value 
>> 'unknown' in application-production.properties. Now, for the deployment we 
>> want to override the property by setting the env variable SECRET=dontaskme. 
>> But it fails and it's still 'unknown'. On the other hand after removing the 
>> property 'secret' from the application-production.properties, the 
>> environment variable is taken into account and the value is 'dontaskme'.
>>
>> So, does CAS not behave as normal Spring Boot applications when it comes 
>> to property overrides?
>>
>> Cheers,
>>   Paul

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4350c405-62bc-47dc-9878-832d1f1b7ddbn%40apereo.org.


Re: [cas-user] Configuration property overrides via environment variables does not work

2020-06-25 Thread Paul Roemer
Hey Ray,

this was just an example. We actually used the property to set the JSON 
registry location for testing:

cas.service-registry.json.location=file:etc/cas/services

Also, Docker is in use and then you end up with something like this:

1) docker run --rm -it -v $PWD/etc/cas/config:/etc/cas/config cas:latest

[...]
2020-06-25 12:45:14,401 WARN [org.apereo.cas.web.CasWebApplicationContext] -

Configuration from the application-production.properties is used with value 
'/cas-overlay/etc/cas/services'

2a) docker run --rm -it -v $PWD/etc/cas/config:/etc/cas/config -e cas.service-registry.json.location=file:/foobar cas:latest
2b) docker run --rm -it -v $PWD/etc/cas/config:/etc/cas/config -e CAS.SERVICE_REGISTRY_JSON_LOCATION=file:/foobar cas:latest

We got the same result as above. The environment variable is not respected.

3) Same commands as above but we commented out 'cas.service-registry.json.location' 
in the properties file

[...]
2020-06-25 12:47:48,725 WARN [org.apereo.cas.web.CasWebApplicationContext] -

Only now, the environment variable's value is respected...

Very strange.
On Thursday, June 25, 2020 at 5:24:09 PM UTC+2 rbon wrote:

> Paul,
>
> Is the value in properties 'secrect' a typo?
> What about case, SECRET != secret?
>
> Ray
>
> On Thu, 2020-06-25 at 08:04 -0700, Paul Roemer wrote:
>
> Hey guys,
>
> today we noticed that we are not able to override properties set in some 
> application properties file by environment variables. 
> For example, we have some property 'secrect' that we configure with value 
> 'unknown' in application-production.properties. Now, for the deployment we 
> want to override the property by setting the env variable SECRET=dontaskme. 
> But it fails and it's still 'unknown'. On the other hand after removing the 
> property 'secret' from the application-production.properties, the 
> environment variable is taken into account and the value is 'dontaskme'.
>
> So, does CAS not behave as normal Spring Boot applications when it comes 
> to property overrides?
>
> Cheers,
>   Paul
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1b75e162-e25a-4915-a62e-1bc8744cbe24n%40apereo.org.


[cas-user] Configuration property overrides via environment variables does not work

2020-06-25 Thread Paul Roemer
Hey guys,

today we noticed that we are not able to override properties set in some 
application properties file by environment variables. 
For example, we have some property 'secrect' that we configure with value 
'unknown' in application-production.properties. Now, for the deployment we 
want to override the property by setting the env variable SECRET=dontaskme. 
But it fails and it's still 'unknown'. On the other hand after removing the 
property 'secret' from the application-production.properties, the 
environment variable is taken into account and the value is 'dontaskme'.

So, does CAS not behave as normal Spring Boot applications when it comes to 
property overrides?

Cheers,
  Paul

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0e49b715-d2d6-49f4-b33e-01670375343cn%40apereo.org.
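Spring Boot's relaxed binding gives every property key one environment-variable spelling (dots become underscores, dashes are dropped, upper case), and a variable in that form ranks above values from application properties files in Spring Boot's externalised-configuration order. The following is an added example, not code from this thread or from CAS: it implements that mapping for keys such as `cas.service-registry.json.location`, reads a small properties file, and resolves a key against both sources. The properties content and the environment values are constructed.

```python
"""Spring Boot relaxed binding: the environment-variable spelling of a
property key, a minimal .properties reader and the env-over-file precedence.

Added example, not code from the thread or from CAS. Documented rule for
environment variables: split the key into elements (dots and [n] indexes),
remove dashes, upper-case, join with underscores.
"""
import re

# One match per element: a numeric list index "[0]" or a dotted word.
_ELEMENT_RE = re.compile(r"\[(\d+)\]|([^.\[\]]+)")


def spring_env_name(property_key: str) -> str:
    """'cas.service-registry.json.location' -> 'CAS_SERVICEREGISTRY_JSON_LOCATION'."""
    elements = []
    for index, word in _ELEMENT_RE.findall(property_key):
        elements.append(index if index else word.replace("-", ""))
    return "_".join(element.upper() for element in elements)


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: blank lines and '#'/'!' comments skipped,
    '=' or ':' as separator, no line continuations."""
    props = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def resolve(property_key: str, file_props: dict, environ: dict) -> tuple:
    """Return (value, source). An environment variable in relaxed-binding
    form outranks the properties file, as in Spring Boot's externalised
    configuration order; a key present in neither gives (None, None)."""
    env_name = spring_env_name(property_key)
    if env_name in environ:
        return environ[env_name], "environment:" + env_name
    if property_key in file_props:
        return file_props[property_key], "properties file"
    return None, None


# Constructed sample: a profile properties file plus two deployment variables.
SAMPLE_PROPERTIES = """\
# application-production.properties (constructed)
cas.service-registry.json.location=file:etc/cas/services
server.port=8081
"""
SAMPLE_ENVIRON = {
    "CAS_SERVICEREGISTRY_JSON_LOCATION": "file:/foobar",  # relaxed-binding form
    "SERVER_PORT": "8080",
}

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for key in props:
        print(f"{key:40} env name : {spring_env_name(key)}")
        print(f"{'':40} file only: {resolve(key, props, {})}")
        print(f"{'':40} with env : {resolve(key, props, SAMPLE_ENVIRON)}")
```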


Re: [cas-user] SLO within browser context

2020-06-18 Thread Paul Roemer
Guys,

thanks a lot for all your awesome answers. Switching to the front channel 
mechanism solved the issue for us. But I am happy about the possible 
fallbacks in case we have to switch back to the back channel.

Cheers,
 Paul

On Wednesday, June 17, 2020 at 6:29:46 PM UTC+2 pascal...@univ-paris1.fr 
wrote:

> Hi,
>
> In case you can't use front-channel SLO,
> when you use cookie affinity,
> here is a solution that duplicates the back-channel SLO request to all 
> the backends :
> https://github.com/EsupPortail/proxy-broadcast
>
> cu
>
>
> Paul Roemer wrote:
>
> > Hey guys,
> >
> > I just ran into the SLO + loadbalancer issue as some of our CAS clients 
> > are clustered. Now, I wonder if it is possible to send the POST logout 
> > requests to the services participating at the current SSO session from 
> > within the browser/from client side instead of sending them from the CAS 
> > server.
> >
> > If that is possible, I expect the load balancer issue is solved without 
> > further adjustments as it will redirect the request to the correct node 
> > in case of a clustered CAS client.
> >
> > What are your thoughts?
> >
> > Cheers,
> > Paul
>
> -- 
> Pascal Rigaux
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2bd3ff07-d344-4f45-8718-cd2b8cfe7f6fn%40apereo.org.


[cas-user] SLO within browser context

2020-06-16 Thread Paul Roemer

Hey guys,

I just ran into the SLO + loadbalancer issue as some of our CAS clients are 
clustered. Now, I wonder if it is possible to send the POST logout requests 
to the services participating at the current SSO session from within the 
browser/from client side instead of sending them from the CAS server.

If that is possible, I expect the load balancer issue is solved without 
further adjustments as it will redirect the request to the correct node in 
case of a clustered CAS client.

What are your thoughts?

Cheers,
  Paul

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/95830dcf-aa6a-44df-8c7e-7d84d517f83an%40apereo.org.
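What the back-channel logout request looks like from the CAS client's side, and why a clustered client cannot rely on per-node session state, as an added example that is not code from this thread or from any CAS client library. The message layout follows the CAS protocol's `samlp:LogoutRequest`, which names the session only by the service ticket in `SessionIndex`; the ticket value, host name and in-memory stores are constructed stand-ins.

```python
"""CAS back-channel single logout on a clustered client.

Added example, not code from the thread or from any CAS client library.
CAS POSTs a samlp:LogoutRequest in the 'logoutRequest' parameter; the only
thing in it that identifies the session is the service ticket in
SessionIndex, so the client must be able to find that session on whatever
node the load balancer picks. Ticket value, hosts and stores are constructed.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed request in the layout the CAS protocol specifies.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2020-06-16T10:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-CONSTRUCTED-cas.example.org</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def session_index_from_logout_request(xml_text: str) -> str:
    """Return the service ticket named in SessionIndex, or raise ValueError."""
    # The body is network-reachable input. ElementTree does not resolve
    # external entities, but a real handler should also cap the body size
    # and prefer defusedxml; an unknown ticket is simply ignored.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed logout request: {exc}") from None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        raise ValueError("LogoutRequest without SessionIndex")
    return index.text.strip()


class ClientNode:
    """One node of a clustered CAS client. Sessions are indexed by the
    service ticket that was validated when the session was created."""

    def __init__(self, name: str, sessions_by_ticket: dict):
        self.name = name
        self.sessions = sessions_by_ticket

    def login(self, service_ticket: str, session_id: str) -> None:
        self.sessions[service_ticket] = session_id

    def handle_back_channel_slo(self, logout_request_xml: str) -> bool:
        """Invalidate the session for the ticket in the request.
        Returns False when this node knows no such session."""
        ticket = session_index_from_logout_request(logout_request_xml)
        return self.sessions.pop(ticket, None) is not None


def slo_ends_session(shared_store: bool) -> bool:
    """Log in on node A, then deliver the logout request to node B, which is
    where a load balancer without affinity may send the CAS server's POST.
    With per-node stores the session on A survives; with a shared store it
    ends. Front-channel SLO avoids the problem because the browser, and with
    it the affinity cookie, carries the request to the right node."""
    store_a = {}
    store_b = store_a if shared_store else {}
    node_a, node_b = ClientNode("a", store_a), ClientNode("b", store_b)
    ticket = "ST-1-CONSTRUCTED-cas.example.org"
    node_a.login(ticket, "session-42")
    ended = node_b.handle_back_channel_slo(SAMPLE_LOGOUT_REQUEST)
    return ended and ticket not in store_a


if __name__ == "__main__":
    print("ticket in request:", session_index_from_logout_request(SAMPLE_LOGOUT_REQUEST))
    print("per-node stores, logout ends session:", slo_ends_session(shared_store=False))
    print("shared store,    logout ends session:", slo_ends_session(shared_store=True))
```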


[cas-user] No ticket parameter when using "cas.view.defaultRedirectUrl"

2020-04-17 Thread Paul Roemer
Hey,

I would like to be able to specify a default service that CAS redirects to 
after a successful authentication instead of showing the principal 
attributes. In the docs there is a section about a default redirect URL one 
can configure:

# Defines a default URL to which CAS may redirect if there is no service
# provided in the authentication request.
# cas.view.defaultRedirectUrl=https://www.github.com


I tried, I am redirected but no ticket parameter is given. Is that the 
expected behavior? If yes, is it possible to specify a default service via 
some other property? Or do I have to alter the flow and add an extra action 
to inject a default service if needed?

Cheers,
Paul

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cc2a43da-0f53-4f5c-a9f9-93bc63f44968%40apereo.org.


Re: [cas-user] Ideas to check if the SSO session is still valid

2020-02-27 Thread Paul Roemer
Let's see. I will go for option 2) and prototype an implementation to check 
the UX.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/32c2e0be-5a66-4ba9-9eb7-d58ddf3ea5f5%40apereo.org.


[cas-user] Ideas to check if the SSO session is still valid

2020-02-26 Thread Paul Roemer
Hey guys,

today I would like to discuss ideas on how to determine whether an SSO 
session tied to the user's browser is still valid and accepted by CAS. In 
my scenario one of our services that also has public pages has to check if 
an SSO session was created via some other service and authenticate the user 
if that is the case. Some people call it Single Login Identification (SLI).

Misagh Moayyed already provided a blog post talking about the issue: 
https://apereo.github.io/2019/06/14/cas53x-userlogin-ssostatus/

It is a good starting point and uses the TGC (if available) to check the 
session state. But unfortunately, getting the TGC is not discussed. The 
problem is that the TGC is tied to the subdomain of the CAS server 
(cas.example.org) for security reasons. That is good and I do not want to 
change that. Exposing the TGC to all subdomains of example.org is risky. We 
do not want to do that.

Now, I would like to know if someone else 
1) uses the same approach as described in the blog post and how you get the 
TGC
2) uses a completely different approach to achieve the same

For 1) I was thinking about sharing the TGC via some lookup table (, 
) and create a cookie by CAS accessible to all subdomains containing 
the  to allow my service to get the TGC.

For 2) I was thinking about having a marker cookie (SSO_SESSION_STARTED) 
created by CAS shared to all subdomains and trigger an authentication by 
redirecting the user to CAS login endpoint. The drawback is that the user 
will see the redirect and wonders why the service reloads.

I am open to other ideas!

Cheers,
  Paul

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b6ae9d8-8269-4546-8ea2-9b7ffaab084a%40apereo.org.
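Option 2 above worked through as an added example, not code from this post or from CAS: CAS sets a marker cookie on the parent domain whose value carries no secret, so the TGC stays scoped to the CAS host, and a service that sees the marker without a local session redirects to CAS login with the CAS protocol's `gateway=true` parameter, which returns a service ticket when the SSO session is valid and otherwise sends the user straight back without a login form. It goes slightly beyond the post in using gateway mode and a query-string loop guard; the cookie name comes from the post, while the hosts cas.example.org and app.example.org and the `sli` parameter are assumed.

```python
"""Single Login Identification with a marker cookie (option 2 in the post),
keeping the TGC scoped to the CAS host.

Added example, not code from the post or from CAS. CAS sets a cookie on the
parent domain whose presence says "an SSO session was started" and nothing
more; a service that sees it without a local session redirects to CAS login
with gateway=true, so CAS returns a service ticket if the SSO session is
valid and otherwise sends the user straight back without a login form.
Host names and the 'sli' loop guard are assumed.
"""
from urllib.parse import parse_qs, urlencode, urlparse

CAS_LOGIN_URL = "https://cas.example.org/cas/login"  # assumed CAS host
MARKER_COOKIE = "SSO_SESSION_STARTED"                # name from the post
LOOP_GUARD = "sli"                                   # assumed query parameter


def marker_cookie_header(parent_domain: str, clear: bool = False) -> str:
    """Set-Cookie header CAS would send at login (or to clear at logout).
    The value is a constant, so exposing it to every subdomain leaks only
    the fact that a session exists, never the TGC."""
    attrs = f"Domain={parent_domain}; Path=/; Secure; HttpOnly; SameSite=Lax"
    if clear:
        return f"{MARKER_COOKIE}=; Max-Age=0; {attrs}"
    return f"{MARKER_COOKIE}=1; {attrs}"


def gateway_login_url(service_url: str) -> str:
    """CAS login URL in gateway mode: CAS never prompts for credentials."""
    return CAS_LOGIN_URL + "?" + urlencode({"service": service_url, "gateway": "true"})


def decide(cookies: dict, has_local_session: bool, request_url: str) -> tuple:
    """What the service does for one request:
      ('serve', None)       render the page (logged in or anonymous)
      ('validate', ticket)  CAS sent us back with a ticket: validate it
                            server-side before creating a local session
      ('redirect', url)     ask CAS in gateway mode whether SSO is alive
    """
    parsed = urlparse(request_url)
    query = parse_qs(parsed.query)
    if has_local_session:
        return "serve", None
    if "ticket" in query:
        return "validate", query["ticket"][0]
    if cookies.get(MARKER_COOKIE) and LOOP_GUARD not in query:
        # Carry the guard in the service URL so the bounce-back (with or
        # without a ticket) is recognised and we do not redirect forever.
        separator = "&" if parsed.query else "?"
        return "redirect", gateway_login_url(f"{request_url}{separator}{LOOP_GUARD}=1")
    # No marker (no SSO session started), or CAS already answered "no ticket".
    return "serve", None


if __name__ == "__main__":
    page = "https://app.example.org/news"  # assumed service host
    print(marker_cookie_header("example.org"))
    print(decide({}, False, page))
    print(decide({MARKER_COOKIE: "1"}, False, page))
    print(decide({MARKER_COOKIE: "1"}, False, page + "?sli=1"))
    print(decide({MARKER_COOKIE: "1"}, False, page + "?sli=1&ticket=ST-2-CONSTRUCTED"))
```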


Re: [cas-user] Prevent CAS from overwriting the currently logged in user

2020-02-25 Thread Paul Roemer
David, Ray,

I successfully added the flow updates David shared. Thanks again, David.

I do not see a reason to allow users to login with different credentials in 
our case, too. Per user there should be only one SSO session, mainly to not 
confuse them. If other credentials are needed, then another browser is 
needed or the user has to logout before.

Cheers,
  Paul

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/06c51edf-8db4-47f7-8a6d-0b5df36cd0cb%40apereo.org.


Re: [cas-user] Prevent CAS from overwriting the currently logged in user

2020-02-24 Thread Paul Roemer
Wow David, awesome!

Thanks a lot. That saves me a lot of time and headaches for sure. As you, I 
also wonder why this is the default behavior of CAS. After reading your 
linked thread I am even more worried as I wasn't aware of the logout 
consequences (only one of the two SSO sessions is closed)...

Anyway, I will give it a try, now.

Cheers, 
  Paul

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d7d3bb06-2d46-4899-a7e9-a8ebd2cf5c0f%40apereo.org.


Re: [cas-user] Prevent CAS from overwriting the currently logged in user

2020-02-23 Thread Paul Roemer
Hey Ray,

sure, the second tab does not know about the TGC but both share the same 
session cookie. That is why CAS should be able to detect such cases and 
could react in a configurable way, right?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/167e540e-e160-4c52-8f33-46137876416c%40apereo.org.


Re: [cas-user] Prevent CAS from overwriting the currently logged in user

2020-02-23 Thread Paul Roemer
Hey Ray,

sure, the second tab does not know about the TGC but both share the same 
session cookie. That is why CAS should be able to detect such cases and 
could react in a configurable way, right?


On Friday, February 21, 2020 at 6:23:28 PM UTC+1, rbon wrote:
>
> Paul,
>
> Tab 2 does not have the CAS session cookie (TGC), so the form submits as a 
> new login and the TGC is switched to the second log in. Subsequent tabs 
> will use the second login
>
> Ray
>
> On Fri, 2020-02-21 at 02:37 -0800, Paul Roemer wrote:
>
> Hey guys,
>
> do you know if it is possible to configure CAS to deny logging in if the 
> user was authenticated already?
>
> To reproduce what I mean you just have to open the CAS login screen in 2 
> tabs and log in in tab 1 and afterwards log in in tab 2 with a different 
> user. CAS will not complain and overwrites the logged in user from tab 1 
> (you will notice when you open CAS in a third tab).
>
> My question: Is there a way to prevent CAS from authenticating a user if 
> someone is logged in already? As all tabs still share the same session, 
> from a technical point of view, this should be possible, right?
>
> Cheers,
>   Paul
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/07904546-c9e9-4aea-bea9-55f64e2afa05%40apereo.org.


[cas-user] Prevent CAS from overwriting the currently logged in user

2020-02-21 Thread Paul Roemer
Hey guys,

do you know if it is possible to configure CAS to deny logging in if the 
user was authenticated already?

To reproduce what I mean you just have to open the CAS login screen in 2 
tabs and log in in tab 1 and afterwards log in in tab 2 with a different 
user. CAS will not complain and overwrites the logged in user from tab 1 
(you will notice when you open CAS in a third tab).

My question: Is there a way to prevent CAS from authenticating a user if 
someone is logged in already? As all tabs still share the same session, 
from a technical point of view, this should be possible, right?

Cheers,
  Paul

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3878c691-9c9f-4127-856a-c08dbf467711%40apereo.org.


[cas-user] Azure AD SSO SAML Issue

2019-12-09 Thread Paul Spencer
Hello, looking for some guidance on implementing Azure AD SSO with CAS 5.3.

We've been working on implementing these guides 
https://apereo.github.io/cas/5.3.x/installation/Configuring-SAML2-Authentication.html#saml2-authentication
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

We can get the services to communicate but CAS is sending an XML with a 
statement that Azure AD does not support. Specifically the "NameQualifier"


X

Is there any way to work around this issue or remove this statement from 
the XML?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/87ffd2e3-c48f-4486-8010-d4a42fbb42b6%40apereo.org.


[cas-user] AzureAD/Office365 SSO w/ CAS 5.3

2019-12-04 Thread Paul Spencer
Hello, looking for some guidance on implementing Azure AD SSO with CAS 5.3.

We've been working on implementing these guides 
https://apereo.github.io/cas/5.3.x/integration/Configuring-SAML-SP-Integrations.html
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

We hit a hitch on the cas.properties. It's not clear to me how these values 
should be defined. For example:

cas.samlSp.office365.metadata=/etc/cas/saml/azure-ad-metadata.xml
cas.samlSp.office365.name=O365
cas.samlSp.office365.description=O365 Integration
cas.samlSp.office365.nameIdAttribute=scopedImmutableID
cas.samlSp.office365.attributes=IDPEmail,ImmutableID

The last two are the items I struggle with. Also the naming convention that 
this is all labeled Office365.

cas.samlSp.office365.nameIdAttribute=scopedImmutableID -- What is the valid 
syntax for a scope? I need to define this correctly?
cas.samlSp.office365.attributes=IDPEmail,ImmutableID -- Same thing, what's 
the valid syntax and where exactly is ImmutableID defined? Can I find that 
in my AzureAD? All the articles I've found have to deal with ImmutableID in 
an AD on Prem sync context, which isn't helpful. 

Also, is Office365 the correct configuration approach for an AzureAD SP SSO 
Setup? It appears as if Office365 = AzureAD for all real world applications 
but I want to be sure.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ad1db872-bf11-4005-8355-f7d1ab338030%40apereo.org.


Re: [cas-user] Re: Issue with Ticket Registry Cleanup (MongoDB - CAS 5.3.12.1

2019-11-07 Thread Paul Chauvet
Hi Andy,

Apologies for the belated reply here.  I really appreciate your time and effort 
looking into this!

I'm looking into options (downgrading to 5.2.9, upgrading to 5.3.14) for a fix. 
 Next week is our advance registration - one of the busiest periods - so I'd 
prefer to avoid major changes.

Moving to 6.x is a path to consider if 5.3.14 doesn't work, as well as 
switching the ticket registry to Hazelcast as you suggest.  I won't get a 
chance to do this (especially a 6.x upgrade) until I have more time available 
after classes are done for the semester.

As a shorter-term fix - I've gone into the MongoDB (primary instance in the 
replica set) and deleted any tickets that were set to expire in the past:
db.ticketGrantingTicketsCollection.deleteMany({expireAt: { $regex: /^2019-11-0[1-6]/ } } )
db.ticketGrantingTicketsCollection.deleteMany({expireAt: { $regex: /^2019-10-0[/ } } )

Tomorrow I'll write a script to clean old tickets on a daily basis until I can 
get a more permanent solution.

If the upgrade to 5.3.14 fixes the problem - I'll report back to the list in 
case anyone else experiences the same issue.




Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu


From: cas-user@apereo.org on behalf of Andy Ng
Sent: Thursday, November 7, 2019 3:21 AM
To: CAS Community
Subject: [cas-user] Re: Issue with Ticket Registry Cleanup (MongoDB - CAS 5.3.12.1

Hi Paul,

I have done some investigation on your case, and:

I can reproduce your error case using my testing Docker setup with CAS 5.3.x and 
MongoDB 4 ticket registry; after a single login, I can see the same error as 
yours occur.

Below is my error log as well:

2019-11-07 08:00:58,144 INFO [org.apereo.cas.services.AbstractServicesManager] -
2019-11-07 08:01:08,187 ERROR [org.apereo.cas.util.serialization.AbstractJacksonBackedStringSerializer] - org.apereo.cas.authentication.DefaultAuthentication["credentials"]->java.util.ArrayList[0])]>
2019-11-07 08:01:08,193 ERROR [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -
org.apereo.cas.ticket.InvalidTicketException: null
at org.apereo.cas.ticket.BaseTicketSerializers.deserializeTicket(BaseTicketSerializers.java:208) ~[cas-server-core-tickets-api-5.3.12.1.jar!/:5.3.12.1]
at org.apereo.cas.ticket.BaseTicketSerializers.deserializeTicket(BaseTicketSerializers.java:185) ~[cas-server-core-tickets-api-5.3.12.1.jar!/:5.3.12.1]


As for fixing it, it seems too complicated for me so I am probably not going to 
devote time to fixing it... See if others want to help investigate more.

Some alternative suggestions from me, which may or may not help you:

- During my simulation, I also tried using CAS 6.1.1 and MongoDB 4 ticket 
registry, and from my testing it works fine, no null pointer exception.
  - If you can afford the upgrade, then this might be one path to choose.

- In my own production environment, I am using Hazelcast ticket registry and 
CAS 5.3, and didn't encounter any related error,
  - so I guess the null pointer bug is MongoDB related, probably some 
bug related to parsing of the JSON.

See if others can help more...

- Andy

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ff9f9c9d-b795-4aa4-9f91-4228dd55912d%40apereo.org.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/MWHPR20MB147156EF47D2F5B3B3BC488DA77B0%40MWHPR20MB1471.namprd20.prod.outlook.com.


[cas-user] Issue with Ticket Registry Cleanup (MongoDB - CAS 5.3.12.1

2019-11-06 Thread Paul Chauvet
-5.3.12.1.jar:5.3.12.1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_222]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_222]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222]
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:65) ~[spring-context-4.3.25.RELEASE.jar:4.3.25.RELEASE]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-4.3.25.RELEASE.jar:4.3.25.RELEASE]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_222]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) ~[?:1.8.0_222]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) ~[?:1.8.0_222]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) ~[?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]


Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/MWHPR20MB14714ADCE2A3B1AF23221A8CA7790%40MWHPR20MB1471.namprd20.prod.outlook.com.


[cas-user] Re: CAS 6.0.1 & Wildfly 14

2019-10-30 Thread Paul Spaude
Check out the docs here: 
https://apereo.github.io/cas/development/installation/Configuring-Servlet-Container.html#external

JBoss, Wildfly and EAP all require `jdk.unsupported` with Spring past Java 
9. 

-Paul

On Wednesday, February 13, 2019 at 12:20:53 PM UTC-7, malomowny wrote:
>
> Hi,
> I'm trying to install CAS (version 6.0.1, JDK 11) in Wildfly 14.
>
> I built overlay using command: 
> gradlew clean build -PappServer=
>
> Wildfly is not modified at all (just unzipped). CAS has also clean 
> configuration (banner is the only thing I added).
> During deployment there is an error:
>
> [standalone@localhost:9990 /] deploy C:\tmp\cas.war
> {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that 
> failed:" => {"Operation step-2" => {"WFLYCTL0080: Failed services" => {
> "jboss.deployment.unit.\"cas.war\".undertow-deployment" => 
> "java.lang.RuntimeException: 
> org.springframework.context.ApplicationContextException: Unable to 
> start web server; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 'threadContextMDCServletFilter' defined in class path 
> resource [org/apereo/cas/logging/config/CasLoggingConfiguration.class]: 
> Bean instantiation via factory method failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [org.springframework.boot.web.servlet.FilterRegistrationBean]: Factory 
> method 'threadContextMDCServletFilter' threw exception; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 'defaultTicketRegistrySupport' defined in class path 
> resource [org/apereo/cas/config/CasCoreTicketsConfiguration.class]: 
> Initialization of bean failed; nested exception is 
> org.springframework.aop.framework.AopConfigException: Unexpected AOP 
> exception; nested exception is 
> org.springframework.aop.framework.AopConfigException: Unable to instantiate 
> proxy using Objenesis, and regular proxy instantiation via default 
> constructor fails as well; nested exception is 
> java.lang.NoSuchMethodException: 
> org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport$$EnhancerBySpringCGLIB$$24a960d5.()
> Caused by: java.lang.RuntimeException: 
> org.springframework.context.ApplicationContextException: Unable to start 
> web server; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 'threadContextMDCServletFilter' defined in class path 
> resource [org/apereo/cas/logging/config/CasLoggingConfiguration.class]: 
> Bean instantiation via factory method failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to 
> instantiate [org.springframework.boot.web.servlet.FilterRegistrationBean]: 
> Factory method 'threadContextMDCServletFilter' threw exception; nested 
> exception is org.springframework.beans.factory.BeanCreationException: 
> Error creating bean with name 'defaultTicketRegistrySupport' defined in 
> class path resource [org/apereo/cas/config/CasCoreTicketsConfiguration.class]: 
> Initialization of bean failed; nested exception is 
> org.springframework.aop.framework.AopConfigException: Unexpected AOP 
> exception; nested exception is 
> org.springframework.aop.framework.AopConfigException: Unable to instantiate 
> proxy using Objenesis, and regular proxy instantiation via default 
> constructor fails as well; nested exception is 
> java.lang.NoSuchMethodException: 
> org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport$$EnhancerBySpringCGLIB$$24a960d5.()
> Caused by: org.springframework.context.ApplicationContextException: 
> Unable to start web server; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 'threadContextMDCServletFilter' defined in class path 
> resource [org/apereo/cas/logging/config/CasLoggingConfiguration.class]: 
> Bean instantiation via factory method failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [org.springframework.boot.web.servlet.FilterRegistrationBean]: Factory 
> method 'threadContextMDCServletFilter' threw exception; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 'defaultTicketRegistrySupport' defined in class path 
> resource [org/apereo/cas/config/CasCoreTicketsConfiguration.class]: 
> Initialization of bean failed; nested exception is 
> org.springframework.aop.framework.AopConfigException: Unexpected AOP 
> exception; nested exception is 
> org.springframework.aop.framework.AopConfi

RE: [cas-user] Debugging - saving (temporarily) full CAS XML response

2019-10-01 Thread Paul Chauvet
Awesome – thanks Dave!

Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu

From: cas-user@apereo.org  On Behalf Of David Curry
Sent: Tuesday, October 1, 2019 1:15 PM
To: CAS Community 
Subject: Re: [cas-user] Debugging - saving (temporarily) full CAS XML response


I got this solution from Misagh way back when:

  1.  Install the SAML Chrome Panel extension in your Chrome browser.
  2.  Go to your application (or the CAS login screen if it redirects you 
there).
  3.  Right-click and select "Inspect" to open the Chrome developer console and 
click on the "SAML" tab (SAML Chrome Panel).
  4.  Log in as normal.
All the SAML back-and-forth will be there. Note that SAML Chrome Panel doesn't 
resize itself with the developer console, so look for the scroll bar to see all 
of the SAML response (I forget this every time).

--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Oct 1, 2019 at 12:28 PM Paul Chauvet <chauv...@newpaltz.edu> wrote:
Hi all,

I’m trying to troubleshoot an issue with an external vendor using our CAS 
server to authenticate our users.  I’m doing attribute release the same way as 
I’ve done for a ton of other services, but this vendor is claiming they are not 
receiving the attribute we’re sending over (the Banner SPRIDEN ID).  The vendor 
is saying the attribute is not in the response.  They appear to be doing a CAS 
version 3 serviceValidate (based on the get request to 
/cas/p3/serviceValidate?service=https%3A%2F%2Fiss.newpaltz.edu&ticket=REDACTED).

What I’m wondering is if there’s a way to (temporarily) capture/log the XML 
response that is being sent back to the CAS client (the vendor)?  I have debug 
mode enabled, which is giving me information like the following, but not the 
actual response.

We’re using CAS 5.2.9 (we have our test environment upgraded to 5.3.12.1 – with 
plans on doing the same in production in the coming weeks in case there’s a 5.3 
way of doing this).

Thanks in advance for any guidance or advice on this!



Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu



[cas-user] Debugging - saving (temporarily) full CAS XML response

2019-10-01 Thread Paul Chauvet
Hi all,

I'm trying to troubleshoot an issue with an external vendor using our CAS 
server to authenticate our users.  I'm doing attribute release the same way as 
I've done for a ton of other services, but this vendor is claiming they are not 
receiving the attribute we're sending over (the Banner SPRIDEN ID).  The vendor 
is saying the attribute is not in the response.  They appear to be doing a CAS 
version 3 serviceValidate (based on the get request to 
/cas/p3/serviceValidate?service=https%3A%2F%2Fiss.newpaltz.edu&ticket=REDACTED).

What I'm wondering is if there's a way to (temporarily) capture/log the XML 
response that is being sent back to the CAS client (the vendor)?  I have debug 
mode enabled, which is giving me information like the following, but not the 
actual response.

We're using CAS 5.2.9 (we have our test environment upgraded to 5.3.12.1 - with 
plans on doing the same in production in the coming weeks in case there's a 5.3 
way of doing this).

Thanks in advance for any guidance or advice on this!



Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu

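The dispute in this thread is whether a released attribute is actually present in the CAS protocol 3.0 validation response. The following added example (not code from the thread or from CAS itself) parses a /p3/serviceValidate response and reports which required attributes are missing; the XML is constructed, and the attribute name "spridenId" is an assumption standing in for whatever name the Banner SPRIDEN ID is released under.

```python
"""Parse a CAS protocol 3.0 /p3/serviceValidate response and check which
attributes it carries. Added example, not code from the list thread; the
sample responses are constructed and "spridenId" is an assumed name.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

# Constructed sample of a successful response: <cas:attributes> is the
# block defined by CAS protocol 3.0; multi-valued attributes (memberOf)
# appear as repeated elements.
SAMPLE_SUCCESS = """<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:spridenId>N00123456</cas:spridenId>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>faculty</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""

# Constructed sample of a failed validation (expired or replayed ticket).
SAMPLE_FAILURE = """<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-1-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>
"""


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_service_validate(xml_text):
    """Return {"ok": True, "user": ..., "attributes": {name: [values]}} for
    a success response, or {"ok": False, "code": ..., "message": ...} for an
    authenticationFailure. Every attribute value is kept in a list so that
    multi-valued attributes are not silently collapsed to one value.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError(f"not a CAS serviceResponse: {root.tag}")

    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", NS)
        if failure is None:
            raise ValueError("response has neither success nor failure element")
        return {
            "ok": False,
            "code": failure.get("code"),
            "message": (failure.text or "").strip(),
        }

    attributes = {}
    attr_block = success.find("cas:attributes", NS)
    if attr_block is not None:
        for child in attr_block:
            attributes.setdefault(_local_name(child.tag), []).append(
                (child.text or "").strip()
            )
    return {
        "ok": True,
        "user": success.findtext("cas:user", default="", namespaces=NS),
        "attributes": attributes,
    }


def missing_attributes(parsed, required):
    """Names from `required` absent from the validated response. This is the
    check to run over a captured response when a client claims an attribute
    is not being released."""
    present = parsed.get("attributes", {})
    return [name for name in required if name not in present]


if __name__ == "__main__":
    result = parse_service_validate(SAMPLE_SUCCESS)
    print("user:", result["user"])
    for name, values in result["attributes"].items():
        print(f"  {name} = {values}")
    print("missing:", missing_attributes(result, ["spridenId", "uid"]))
```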


[cas-user] mod_auth_cas and apache 2.4 AuthMerging

2019-07-17 Thread Paul Hirose
RHEL7.6, mod_auth_cas-1.1-3.el7.x86_64 (from EPEL).
I'd like to protect my overall site with CAS.  I'd then additionally like 
to add IP restrictions on a subset of this site.  I was hoping the first 
Location stanza would require CAS for everything and the second Location 
would also require I have IP 1.1.1.1.


 AuthType CAS
 Require valid-user
 CASScope /

 

 AuthMerging And
 Require ip 1.1.1.1



 AuthMerging And
 Require ip 2.2.2.2


If I add the CAS directives to each subsequent Location stanza, it does 
work (i.e. I have to both pass CAS and come from the right IP).  But I was hoping 
to avoid having to duplicate the CAS stuff again and again.

If the above would work with the v1.2 release, I'm fine building that from 
source.

Thanks,
PH



[cas-user] Spring Security client related: How to automatically login my webapp when the CasAuthenticationFilter cannot be used

2019-07-04 Thread Paul Roemer
Hi,

I will try to describe the exact problem in detail as it is hard to sum up 
in the title.

We have a website and several other services that we are gonna protect with 
CAS 5.3. The website uses Spring Security but we have to use a custom 
access control due to its Vaadin nature. It's a SPA so we cannot rely on 
Spring Security's filter mechanism.

I would like to be able to login a user that is already authenticated via 
CAS when the user enters the website. Normally, the Spring Security 
CasAuthenticationFilter would jump in if a user wants to visit a guarded 
page but this is not the case. I understand I have to trigger that 
mechanism manually.

Does anyone have a suggestion for what would be the best approach? Use the Java 
CAS Client and do more or less the same as what the CasAuthenticationFilter is 
doing, implementing it on my own?

Cheers,
  Paul



[cas-user] Seek for your advice on CAS adoption

2019-04-18 Thread Paul Luk
Hi all,

  I am doing research on the adoption of CAS.

  Background - my company is a healthcare company (managing many hospitals 
and offering a 24x7x365 business) that runs hundreds of in-house developed 
systems, as well as some acquired 3rd party products.

  Currently, the in-house developed systems have their own 
authentication/authorization mechanisms, mostly:
  1. user credentials & attributes stored in DB
  2. active directory for authentication and DB for user attributes

  There is dedicated support for the maintenance of each system 
and, when downtime is required, support will liaise with users to arrange 
for downtime. There won't be a period in which all systems can be down for 
maintenance.

  To reduce the repeated effort spent on authentication and authorization for 
each system, I am checking whether we can adopt CAS to help, especially with:
  1. OpenID Connect 1.0 + JWT  (to achieve single sign-on in the future)
  2. OAuth 2.0 (password grant) + JWT (seems to be a good path for migration 
and finally to OpenID Connect)
  3. SAML2/Kerberos (mainly for backward compatibility)

  My concerns about CAS adoption are:
  1. Is CAS flexible enough to extend to cater for future 
authentication requirements? We will definitely be requested to support more 
and more authentication mechanisms (e.g. FIDO2, RSA hardware token [with 
custom username/password paddings], trusted device registration, etc.). 
  
  I found there is not much documentation telling developers how to extend the 
CAS login flow (custom authenticator / MFA). 
Is there a starter guide for CAS development (e.g. a detailed system flow / 
architecture diagram)?

   2. For high availability, in my company the CAS service needs to be 
deployed to at least 2 datacenters. Can you share your experience of CAS 
high availability (in terms of maintenance and setup, stability, 
performance...)?

   3. After adoption of CAS, all systems will make use of it/depend on it. 
I am worried about system updates/patching, as we cannot have a period to 
shut down all CAS instances for upgrade/patching (which would impact ALL 
systems... vs. currently, individual systems down for maintenance have a 
smaller impact on hospital operations). 

  Can you share your experience of system upgrades/patching? Do you have 
experience updating CAS (say from 5.x to 6.x) without downtime?

   4. Where can I find unknown security issues/vulnerabilities of each CAS 
version? I am only able to find this 
and 
the CAS security mailing list.

   5. Unlike with commercial products, we can't request to backport a fix from 
a newer version to an older version, but upgrading CAS seems not easy. How do 
you cater for that? Do you have a good strategy?

   6. For authorization (like, who can perform what function in which 
system) with an OpenID Connect JWT token, has anybody tried to put the permissions 
in the scope field and check that for authorization? How do you enforce 
authorization?  Does use of OAuth 2.0 UMA make the system more complicated?

   Thank you.



[cas-user] Re: CAS 5.3.9 and Azure OIDC Delegation - ClassCastException in pac4j

2019-03-28 Thread Paul Bransford
Thank you, this does the trick!

There's some other concern around how to appropriately accomplish this in 
my reply on the other group. I meant to put that all here instead of over 
there, but what's sent is sent so I'll leave it be. If anyone else finds 
this thread and needs to see that context, check out that other thread 
here: https://groups.google.com/d/msg/pac4j-users/RlZ98-KhaXY/gytfPjojBQAJ

Thank you once again!



Re: [cas-user] Re: CAS 5.3.9 and Azure OIDC Delegation - ClassCastException in pac4j

2019-03-27 Thread Paul Bransford
OK! Forcing pac4j 3.4.0 and then fixing my client name so it has no spaces 
(pac4j 3.4.0 throws an error about that - I did make sure and this doesn't 
matter regarding the error I see with 3.6.1) and CAS is now sending me 
along to Azure.

Granted, now I'm having problems azure-side but that's a whole different 
subject.



Re: [cas-user] Re: CAS 5.3.9 and Azure OIDC Delegation - ClassCastException in pac4j

2019-03-27 Thread Paul Bransford
I've also gone and asked on the pac4j-user mailing list. This commit has 
been around since 2018, so I can't be the only one who's run into this - 
assuming it's in fact not something I'm causing with a misconfiguration.



Re: [cas-user] Re: CAS 5.3.9 and Azure OIDC Delegation - ClassCastException in pac4j

2019-03-27 Thread Paul Bransford
Spoke too soon. 
<https://github.com/apereo/cas/blob/v5.3.9/gradle.properties#L150>
pac4jVersion=3.6.1


On Wednesday, March 27, 2019 at 12:21:02 PM UTC-4, Paul Bransford wrote:

> It doesn't look like CAS depends on a particular version of it. 
>



Re: [cas-user] Re: CAS 5.3.9 and Azure OIDC Delegation - ClassCastException in pac4j

2019-03-27 Thread Paul Bransford
I *think* my issue is related to this change on the pac4j-oidc side. 
(maven is bundling in pac4j-oidc-3.6.1.jar)

I'm trying to work out what the most recent version of this library is 
prior to that commit.

It doesn't look like CAS depends on a particular version of it. 
build.gradle for support/cas-server-support-pac4j* all say either 
'implementation libraries.pac4j' or 'api libraries.pac4j' - though I'm 
nowhere near as familiar with gradle as maven (and even that's a shaky 
familiarity).

I'll follow up if I manage to fix this issue this route or not.

On Wednesday, March 27, 2019 at 11:15:49 AM UTC-4, Drew Liscomb wrote:
>
> But that doesn't look like your problem.
>



[cas-user] Re: Migrating from CAS 3.5.2 to CAS 6.1.0

2019-03-26 Thread Paul Bransford
We use CAS 5.2.x with Oracle via JDBC query/attributes. Sounds very similar 
:)

In my case, I went with a 3-node redis/sentinel cluster for my ticket 
registry, as I am the only one maintaining this deployment and I'm 
completely unfamiliar with hazelcast. Redis, with sentinel and an *odd 
number* of nodes, is a solid HA-capable solution.

I build a war that I run in a jetty docker container, personally. Embedding 
the server application just seems icky to me. This tightly couples that 
with the build artifact of CAS, which means you couldn't touch one without 
touching the other.



[cas-user] Re: broken repository

2019-03-26 Thread Paul Bransford
I only have the following repos in my pom.xml, and stuff like pac4j gets 
pulled down without any issue. What made you hook in jasig specifically?

  <repositories>
    <repository>
      <id>sonatype-releases</id>
      <url>http://oss.sonatype.org/content/repositories/releases/</url>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <releases>
        <enabled>true</enabled>
      </releases>
    </repository>
    <repository>
      <id>sonatype-snapshots</id>
      <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
      <releases>
        <enabled>false</enabled>
      </releases>
    </repository>
    <repository>
      <id>shibboleth-releases</id>
      <url>https://build.shibboleth.net/nexus/content/repositories/releases</url>
    </repository>
  </repositories>



[cas-user] Re: CAS 5.3.9 and Azure OIDC Delegation - ClassCastException in pac4j

2019-03-26 Thread Paul Bransford
Eh. The underlines in the pac4j code got eaten by the syntax highlighter. 
The first one was "Map.Entry::getKey" and the other 
"Collections.singletonList(e.getValue())".



[cas-user] CAS 5.3.9 and Azure OIDC Delegation - ClassCastException in pac4j

2019-03-26 Thread Paul Bransford
Hello folks,

Does anyone have a working CAS 5.x deployment delegating authentication via 
OpenID Connect? I'd love to pick your brain.

I am working on a CAS 5.3.9 deployment, testing CAS delegation to Azure AD 
via OpenID Connect. I think I am close, but I'm running into a problem.

When I try to access '/cas/clientredirect?client_name=REDACTED' via the 
link on the '/cas/login' page, I receive a 500 error with a stacktrace as 
follows below. There is no STDOUT/STDERR emitted when this occurs, and I 
have tweaked my log levels so that I would expect to see *something*. I'll 
share those later.

What worries me, is if I start nosing around in IDEA, the IDE also throws a 
hint that this is an invalid cast. (I used './gradlew idea' in a clone of 
the cas repository, and opened the generated idea project in IntelliJ IDEA 
Ultimate).

Here's the stack trace:

> org.pac4j.core.exception.TechnicalException: java.lang.ClassCastException: 
> java.util.Collections$SingletonList cannot be cast to java.lang.String
>   at 
> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:113)
>   at 
> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.redirect(OidcRedirectActionBuilder.java:78)
>   at 
> org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:109)
>   at 
> org.apereo.cas.web.DelegatedClientNavigationController.redirectToProvider(DelegatedClientNavigationController.java:83)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at 
> org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
>   at 
> org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
>   at 
> org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
>   at 
> org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:849)
>   at 
> org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:760)
>   at 
> org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
>   at 
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>   at 
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>   at 
> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>   at 
> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
>   at 
> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>   at 
> org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:867)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
>   at 
> org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
>   at 
> org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter.doFilter(AuthenticationCredentialsThreadLocalBinderClearingFilter.java:30)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
>   at 
> org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
>   at 
> org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:240)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
>   at 
> org.apereo.cas.security.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:94)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
>   at 
> org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:111)
>   at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
>   at 
> 

RE: [cas-user] How to change logging location

2018-11-14 Thread Paul Chauvet

Assuming you are using CAS 5.x, the following should work.  This is how I have 
things set (relevant parts in bold).  This is a portion of the log4j2.xml file 
in /etc/cas/config

/var/log/cas

warn

Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu

From: cas-user@apereo.org  On Behalf Of Zach Tackett
Sent: Wednesday, November 14, 2018 9:19 AM
To: CAS Community 
Subject: [cas-user] How to change logging location

Currently, the cas, cas_audit, and perfStats logs are saving to the root cas 
directory. Where can that be changed?


RE: [cas-user] Non-secure connection message appearing

2018-11-14 Thread Paul Chauvet
Hi Zach,

Is the CAS server behind a load balancer?  If so, is the connection https 
end-to-end (i.e. from client to load balancer and from load balancer to 
back-end server)?  If not – there was a previous post on this list which may be 
of use for this:
https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/aey5xVaTLGI


P.S.  Apologies if my message comes through after someone else has answered.  
Sometimes my messages to this list are delayed a bit.

Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu

From: cas-user@apereo.org  On Behalf Of Zach Tackett
Sent: Wednesday, November 14, 2018 9:03 AM
To: CAS Community 
Subject: [cas-user] Non-secure connection message appearing

My coworker and I successfully got a cas 5.0 server using LDAP up and running 
yesterday. The address bar shows that the connection is secured but we are 
getting the following message on the login page.


Non-secure Connection

You are currently accessing CAS over a non-secure connection. Single Sign On 
WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS.

Even though our SSL cert is set and is passing over a secure connection.

Is there a way to fix this?



[cas-user] RE: CAS and WebEx SAML SSO

2018-11-08 Thread Paul Chauvet
Sorry – forgot to mention we’re on 5.2.x (though looking to upgrade to 5.3.x 
soon).


Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu

From: cas-user@apereo.org  On Behalf Of Paul Chauvet
Sent: Thursday, November 8, 2018 11:08 AM
To: cas-user@apereo.org
Subject: [cas-user] CAS and WebEx SAML SSO

Hi all,

Has anyone implemented SSO with WebEx and CAS (via SAML)?

We have the setup done – and when you’re still in the setup you can click a 
button to test (which redirects to the CAS page, signs in, and returns with a 
message stating that the test was successful).

Unfortunately, any actual users cannot log in.

If anyone has a service definition file for this that they can share (redacted 
of anything specific to your school) or can otherwise point me in the right 
direction, it would be greatly appreciated!


Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu




[cas-user] CAS and WebEx SAML SSO

2018-11-08 Thread Paul Chauvet
Hi all,

Has anyone implemented SSO with WebEx and CAS (via SAML)?

We have the setup done - and when you're still in the setup you can click a 
button to test (which redirects to the CAS page, signs in, and returns with a 
message stating that the test was successful).

Unfortunately, any actual users cannot log in.

If anyone has a service definition file for this that they can share (redacted 
of anything specific to your school) or can otherwise point me in the right 
direction, it would be greatly appreciated!


Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu



Re: [cas-user] JDBC Audit log

2018-11-05 Thread Paul Mitchell
Hi,

In reply to my own post: I found the issue was with the create statement that I
used for the table.  I needed to ensure that the table was created in
uppercase.  Our current MySQL installation has case disabled due to a
legacy database.

Thanks,
Paul.

On Mon, 5 Nov 2018 at 09:31, Paul Mitchell 
wrote:

> Hi,
>
> I'm attempting to get CAS to audit to MySQL but no audit entry is being
> created.  I've created the table given the information in the inspektr.
>
> Below is the CAS header:
>
> CAS Version: 5.3.5
> CAS Commit Id: 47bf5165c20e7858e27f8a04469aef0b197833c7
> CAS Build Date/Time: 2018-11-05T08:49:18Z
> Spring Boot Version: 1.5.16.RELEASE
> Spring Version: 4.3.20.RELEASE
> Java Home: /home/vagrant/.sdkman/candidates/java/8.0.191-oracle/jre
> Java Vendor: Oracle Corporation
> Java Version: 1.8.0_191
> JVM Free Memory: 22 MB
> JVM Maximum Memory: 483 MB
> JVM Total Memory: 55 MB
> JCE Installed: Yes
> Node Version: N/A
> NPM Version: N/A
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 4.15.0-29-generic
> OS Date/Time: 2018-11-05T09:19:45.339
> OS Temp Directory: /tmp
> 
> Apache Tomcat Version: Apache Tomcat/8.5.34
> 
>
> I enabled logging on Spring Boot and cannot find the class in the
> configuration report (attached)
> The dependency has been added to the pom.xml
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-jdbc-drivers</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-audit-jdbc</artifactId>
>     <version>${cas.version}</version>
> </dependency>
>
> I configure CAS through the environment variable SPRING_APPLICATION_JSON.  Here is the
> cas.audit section given by:
>
> vagrant@vagrant:/vagrant$ echo $SPRING_APPLICATION_JSON | jq .cas.audit
> {
>   "jdbc": {
> "user": "root",
> "password": "r00t_passw0rd",
> "driverClass": "com.mysql.cj.jdbc.Driver",
> "url": "jdbc:mysql://localhost:3306/cas?useSSL=false",
> "dialect": "org.hibernate.dialect.MySQL57InnoDBDialect"
>   }
> }
>
> I'm sure I'm missing a configuration option as the audit is being logged
> via org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager.
>
> Thanks,
> Paul.
>

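As an added example (not from the thread), the server check that would have exposed the case problem up front, followed by the audit table DDL with the exact identifier inspektr uses and a least-privilege account for CAS instead of root. Column names follow the inspektr default insert statement for COM_AUDIT_TRAIL as I know it, so verify them against the inspektr version bundled with your CAS; the account name and password are placeholders.

```sql
-- On Linux, MySQL defaults to lower_case_table_names = 0: table names are
-- case-sensitive, so a table created as com_audit_trail is NOT found by the
-- INSERT INTO COM_AUDIT_TRAIL that inspektr issues, and CAS keeps auditing
-- only through the Slf4j logger. Check the setting before creating anything.
SHOW VARIABLES LIKE 'lower_case_table_names';

-- Create the table with the identifier inspektr will use, in uppercase.
CREATE TABLE COM_AUDIT_TRAIL (
    AUD_USER      VARCHAR(100) NOT NULL,
    AUD_CLIENT_IP VARCHAR(40)  NOT NULL,   -- 40 leaves room for IPv6 literals
    AUD_SERVER_IP VARCHAR(40)  NOT NULL,
    AUD_RESOURCE  VARCHAR(100) NOT NULL,
    AUD_ACTION    VARCHAR(100) NOT NULL,
    APPLIC_CD     VARCHAR(5)   NOT NULL,
    AUD_DATE      TIMESTAMP    NOT NULL,
    INDEX idx_aud_date (AUD_DATE),
    INDEX idx_aud_user (AUD_USER)
);

-- Confirm the stored identifier has the case inspektr expects
-- (the schema name 'cas' matches the JDBC URL in the post).
SELECT TABLE_NAME
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'cas' AND TABLE_NAME = 'COM_AUDIT_TRAIL';

-- Give CAS its own account (placeholder name and password): INSERT for the
-- trail itself, SELECT and DELETE only because the audit cleaner purges old
-- rows. No DDL rights, so a compromised CAS cannot drop its own audit trail.
CREATE USER 'cas_audit'@'localhost' IDENTIFIED BY '<change-me>';
GRANT INSERT, SELECT, DELETE ON cas.COM_AUDIT_TRAIL TO 'cas_audit'@'localhost';
```

After switching the JDBC user, an audit row should appear for the next login; if the trail still only shows up in cas_audit.log, compare the identifier returned by the information_schema query with the one in the inspektr insert.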


[cas-user] CLI client login to CAS to access REST service

2018-10-31 Thread Paul Roemer
Hey guys,

as I am on it already:

What is the best approach to use CAS in conjunction with a command line 
tool to login to a secured service? I read through the documentation and 
the first problem seems to be that I am not in a browser context. Am I 
forced to talk to the CAS REST API? Or are there other ways to solve the 
authentication?

At the moment I would:
1) Talk to the CAS REST API to get a JWT token and store it when executing
> awesome-command login 

2) Use the token to talk to my REST API for subsequent commands
> awesome-command init 

Cheers,
  Paul



[cas-user] Delegated Authentication: pac4j and attribute mapping

2018-10-31 Thread Paul Roemer
Hey guys,

I would like to understand if CAS already provides a configuration-based 
approach to map the SSO provider specific attributes in the payload to the CAS 
attribute map sent to the CAS service, so that the services do not have to 
take care of it.

Cheers,
  Paul



[cas-user] Favicon.ico file location (when building CAS 5.2.x with Maven)

2018-05-09 Thread Paul Chauvet
Hi all,

Forgive me if this is a stupid question - but I can't find where to place the 
favicon.ico file on CAS (with a custom theme).

Where (presumably somewhere within the src directory before building with 
maven) should the file be placed?

Thanks in advance all!

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu



[cas-user] AUP in LDAP

2018-05-02 Thread Paul Mitchell
Hi,

I'm having an issue with getting AUP working in CAS 5.2.4.  Actually, it 
works fine except when the user accepts the policy an error occurs.  If I 
manually change the attribute then the user can sign in with no issue.

The error happens when LdapUtils attempts to modify the attribute.

2018-05-02 20:45:47,284 DEBUG 
[org.apereo.cas.aup.AbstractPrincipalAttributeAcceptableUsagePolicyRepository] 
- 
2018-05-02 20:45:47,284 DEBUG 
[org.apereo.cas.aup.AbstractPrincipalAttributeAcceptableUsagePolicyRepository] 
- 
2018-05-02 20:45:47,285 WARN 
[org.apereo.cas.aup.AbstractPrincipalAttributeAcceptableUsagePolicyRepository] 
- 
2018-05-02 20:45:51,164 DEBUG 
[org.apereo.cas.aup.LdapAcceptableUsagePolicyRepository] - 
2018-05-02 20:45:51,181 ERROR 
[org.apereo.cas.aup.LdapAcceptableUsagePolicyRepository] - 

java.lang.ClassCastException: java.util.ArrayList cannot be cast to 
java.util.Set
at 
org.apereo.cas.util.LdapUtils.lambda$executeModifyOperation$0(LdapUtils.java:366)
 
~[cas-server-support-ldap-core-5.2.4.jar!/:5.2.4]
at 
java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) 
~[?:1.8.0_151]
at 
java.util.HashMap$EntrySpliterator.forEachRemaining(HashMap.java:1696) 
~[?:1.8.0_151]
at 
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) 
~[?:1.8.0_151]
at 
java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) 
~[?:1.8.0_151]
at 
java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) 
~[?:1.8.0_151]
at 
java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) 
~[?:1.8.0_151]
at 
java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) 
~[?:1.8.0_151]
at 
org.apereo.cas.util.LdapUtils.executeModifyOperation(LdapUtils.java:367) 
~[cas-server-support-ldap-core-5.2.4.jar!/:5.2.4]
at 
org.apereo.cas.aup.LdapAcceptableUsagePolicyRepository.submit(LdapAcceptableUsagePolicyRepository.java:52)
 
~[cas-server-support-aup-ldap-5.2.4.jar!/:5.2.4]




After manually changing it.
2018-05-02 20:54:39,272 DEBUG 
[org.apereo.cas.aup.AbstractPrincipalAttributeAcceptableUsagePolicyRepository] 
- 
2018-05-02 20:54:39,273 DEBUG 
[org.apereo.cas.aup.AbstractPrincipalAttributeAcceptableUsagePolicyRepository] 
- 

Regards,
Paul.





[cas-user] mod_perl CAS authentication

2018-04-24 Thread Paul B. Henson
I recently needed to integrate CAS authentication into a mod_perl based 
application; as I couldn't find anything that handled proxy authentication in a 
way that would work for me, I ended up implementing my own framework. I put it 
out on CPAN and github in case anyone else might find it useful:

https://github.com/pbhenson/Apache2-AuthCASpbh


Would it be possible to get someone to add it to the list on the wiki?

https://wiki.jasig.org/display/CASC/Perl+Client

Thanks...


--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  hen...@cpp.edu
California State Polytechnic University  |  Pomona CA 91768




Re: [cas-user] How to get SLO to work in CAS 5?

2018-04-09 Thread paul li
Thanks Ray,
Apologies, I went to finish other tasks first; now this logout is pretty 
much the only piece remaining.
Below is the output of a logout action.  We currently have 3 SP modules 
deployed:

1. calendar
2. platformadmin
3. user-api

After the logout, all 3 modules are logged out of their sessions, but the user 
is not logged out from the IDP.

>  2018-04-09 10:48:46,470 DEBUG 
> [org.apereo.cas.web.support.DefaultCasCookieValueManager] -  value is 
> [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43@127.0.0.1@Mozilla/5.0
>  
> (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
> Chrome/65.0.3325.181 Safari/537.36]>
> 2018-04-09 10:48:46,470 DEBUG 
> [org.apereo.cas.web.flow.TerminateSessionAction] -  linked to ticket-granting ticket 
> [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]>
> 2018-04-09 10:48:46,470 DEBUG 
> [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - 
>  [org.apereo.cas.DefaultCentralAuthenticationService.destroyTicketGrantingTicket]:
>  
> PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
> 2018-04-09 10:48:46,470 DEBUG 
> [org.apereo.cas.DefaultCentralAuthenticationService] -  [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]
>  
> from registry...>
> 2018-04-09 10:48:46,470 DEBUG 
> [org.apereo.cas.DefaultCentralAuthenticationService] -  Processing logout requests and then deleting the ticket...>
> 2018-04-09 10:48:46,471 INFO [org.apereo.cas.logout.DefaultLogoutManager] 
> -  [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]>
> *2018-04-09 10:48:46,476 DEBUG 
> [org.apereo.cas.logout.DefaultLogoutManager] -  callback for 
> [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.com:8443/calendar/login/cas/,artifactId=,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>*
> *2018-04-09 10:48:46,476 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>  [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.com:8443/calendar/login/cas/,artifactId=,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]...>*
> 2018-04-09 10:48:46,477 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -  [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.com:8443/calendar/login/cas/,artifactId=,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]
>  
> supports single logout and is found in the registry as [id=1,name=HTTPS and 
> IMAPS,description=This service definition authorizes all application urls 
> that support HTTPS and IMAPS 
> protocols.,serviceId=^(http|https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=,evaluationOrder=1,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@6f4230be[attributeFilter=,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@5c14927e[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@4b8d9d7f[excludedAttributes=,includeOnlyAttributes=,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@4f985406[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=,caseInsensitive=false,rejectedAttributes={}],publicKey=,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@619ec8ca,logo=,logoutUrl=,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@31a14a8b[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=,principalAttributeValueToMatch=,bypassEnabled=false],informationUrl=,privacyUrl=,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@49dea9a3[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=],].
>  
> Proceeding...>
> 2018-04-09 10:48:46,477 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - 
>  [https://ca-dev-dt43.com:8443/calendar/login/cas/] for service 
> 

Re: [cas-user] How to get SLO to work in CAS 5?

2018-04-09 Thread paul li
04-09 10:48:46,638 DEBUG 
> [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] -  logout message: [ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="LR-3-GTdAHeNvXTCyjYcI5ZiDRNVI" Version="2.0" 
> IssueInstant="2018-04-09T10:48:46Z"> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43]>
> 2018-04-09 10:48:46,638 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>  [https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/] to 
> [https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/]>
> 2018-04-09 10:48:46,638 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>  [org.apereo.cas.logout.LogoutHttpMessage@52eea6a3[url=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,message=  
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="LR-3-GTdAHeNvXTCyjYcI5ZiDRNVI" Version="2.0" 
> IssueInstant="2018-04-09T10:48:46Z"> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43,asynchronous=true,contentType=application/x-www-form-urlencoded,responseCode=0]].
>  
> Sending...>
> *2018-04-09 10:48:46,639 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] 
> -  https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/ HTTP/1.1]>*
> *2018-04-09 10:48:46,643 INFO [org.apereo.cas.logout.DefaultLogoutManager] 
> - <[3] logout requests were processed>*
> *2018-04-09 10:48:46,643 DEBUG 
> [org.apereo.cas.ticket.registry.AbstractTicketRegistry] -  children of ticket 
> [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]
>  
> from the registry.>*
> *2018-04-09 10:48:46,644 DEBUG 
> [org.apereo.cas.ticket.registry.AbstractTicketRegistry] -  ticket [ST-3-j8U9yYSWKezbaw9v96O8-EQXYsI-ca-dev-dt43]>*
> *2018-04-09 10:48:46,644 DEBUG 
> [org.apereo.cas.ticket.registry.AbstractTicketRegistry] -  ticket [ST-1-YDJa9sviT8B4b4arci0kun1fsKY-ca-dev-dt43]>*
> *2018-04-09 10:48:46,644 DEBUG 
> [org.apereo.cas.ticket.registry.AbstractTicketRegistry] -  ticket [ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43]>*
> *2018-04-09 10:48:46,645 DEBUG 
> [org.apereo.cas.ticket.registry.AbstractTicketRegistry] -  [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]
>  
> from the registry.>*
> *2018-04-09 10:48:46,645 DEBUG 
> [org.apereo.cas.AbstractCentralAuthenticationService] -  [org.apereo.cas.support.events.ticket.CasTicketGrantingTicketDestroyedEvent@7a5d2ef3[ticketGrantingTicket=TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]]>*
> *2018-04-09 10:48:46,647 DEBUG 
> [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - 
> *
> *2018-04-09 10:48:46,647 DEBUG 
> [org.apereo.cas.web.flow.TerminateSessionAction] - *
> *2018-04-09 10:48:46,647 DEBUG 
> [org.apereo.cas.web.support.TGCCookieRetrievingCookieGenerator] -  cookie with name [TGC]>*
> *2018-04-09 10:48:46,647 DEBUG 
> [org.apereo.cas.web.WarningCookieRetrievingCookieGenerator] -  cookie with name [CASPRIVACY]>*
> *2018-04-09 10:48:46,647 DEBUG 
> [org.apereo.cas.web.flow.TerminateSessionAction] -  session>*
> *2018-04-09 10:48:46,681 DEBUG 
> [org.apereo.cas.web.flow.TerminateSessionAction] -  sessions successfully.>*
> *2018-04-09 10:48:46,689 DEBUG [org.apereo.cas.web.flow.LogoutAction] - 
> *
> *2018-04-09 10:48:46,689 DEBUG [org.apereo.cas.web.flow.LogoutAction] - 
> *
> *2018-04-09 10:48:46,689 DEBUG [org.apereo.cas.web.flow.LogoutAction] - 
>  [https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/]>*
> *2018-04-09 10:48:46,689 DEBUG [org.apereo.cas.web.flow.LogoutAction] - 
> *
> *2018-04-09 10:48:46,693 DEBUG 
> [org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction] -  current client is not a SAML2 client or it cannot be found at all, no 
> logout action will be executed.>*
>
>
Right now, the system is able to log out of all the SP modules, but the user is 
not logged out from the SAML IDP.

The reason no SAML2 client is found during logout is that no 
userProfile is saved in the session.
It seems the userProfile is saved via 
org.pac4j.core.engine.DefaultCallbackLogic#saveUserProfile.

We didn't use the callBackFilter in our delegated authentication flow, as we 
couldn't get it to work together with the other CAS filters. We just used the 
CasAuthenticationEntryPoint and CasAuthenticationFilter.

*Does this mean we must use the pac4j callBackFilter to get the 
SAML2ClientLogoutAction to perform correctly? *

Thanks
Paul L

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/aa01f261-99a6-4837-9c1d-7ffab62987b9%40apereo.org.


Re: [cas-user] How to get SLO to work in CAS 5?

2018-04-03 Thread paul li
Update on the SLO issue we are having.
The SLO is working correctly if we don't delegate to SAML authentication.

If the user is signed in from an external IDP via SAML authentication (we are 
using okta apps at the moment), 
the logout action (/logout, or logout/cas/) invalidates the sessions, 
but does not log out the user from the IDP. (SLO flag on the IDP is 
enabled)

The user just needs to click a button on the CAS default login page 
(loginform.html) again, and is automatically redirected into the app.

We traced our code, and on logout, we saw in
org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction.java
the following code is executed: 
@Override
protected Event doExecute(final RequestContext requestContext) {
    try {
        final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        final J2EContext context = Pac4jUtils.getPac4jJ2EContext(request, response);

        Client client;
        try {
            // <--- this is returning null, but we are overwriting this value in debug mode
            //      at the moment. Likely something missed in the SSO authentication flow.
            final String currentClientName = findCurrentClientName(context);
            // <--- client is retrieved correctly
            client = (currentClientName == null) ? null : clients.findClient(currentClientName);
        } catch (final TechnicalException e) {
            // this exception indicates that the SAML2Client is not in the list
            LOGGER.debug("No SAML2 client found");
            client = null;
        }

        // Call logout on SAML2 clients only
        if (client instanceof SAML2Client) {
            final SAML2Client saml2Client = (SAML2Client) client;
            LOGGER.debug("Located SAML2 client [{}]", saml2Client);
            // <--- we see the correct SLO url is generated here in the format
            //      https:///slo/saml?SAMLRequest=
            final RedirectAction action = saml2Client.getLogoutAction(context, null, null);
            LOGGER.debug("Preparing logout message to send is [{}]", action.getLocation());
            action.perform(context); // <--- this is executed without exception
        } else {
            LOGGER.debug("The current client is not a SAML2 client or it cannot be found at all, no logout action will be executed.");
        }
    } catch (final Exception e) {
        LOGGER.warn(e.getMessage(), e);
    }
    return null;
}

but after this code is finished, we accessed the okta IDP and the user is still 
signed in... even though on the CAS side, the user is directed to the CAS login page.

We did come across a couple of other posts in our investigations, which seem to 
suggest that SLO for SAML is not fully implemented yet, 
e.g. 
https://groups.google.com/forum/#!searchin/pac4j-users/saml$20slo$20not$20working%7Csort:date/pac4j-users/60-ndNhwsyI/N7au6ticBQAJ


Could someone confirm if SLO with SAML is working with CAS 5.2.3 or is 
there something we are missing...
Thank you very much in advance!

Paul Li


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/98d13813-cb56-4b35-842f-cddf736f42dd%40apereo.org.


[cas-user] How to get SLO to work in CAS 5?

2018-04-01 Thread paul li


Hi

 

My team is working with CAS (5.2.3) and delegated SAML authentication via 
pac4j libraries. What we have so far:

1.  3 separate services, each configured through spring to 
authenticate with CAS.

2.  CAS is configured to delegate authentication to the SAML IDP via 
cas.properties config

3.  We extended the ClientAuthenticationHandler with small changes and 
registered it through a @Configuration class.

 

With this basic setup, we are able to get the SSO to work correctly across 
the services, against the okta sample IDP, with a flow similar to this:

SP -> CAS -> Delegate Authentication -> Redirect to IDP -> Input 
credentials -> IDP returns SAML response -> CasAuthenticationFilter 
finishes the authentication and ST issuing -> System redirects to the original 
'service' url.

 

However, when we try to get single logout (SLO) to work with the 
existing framework, we have no luck. 

It appears the system is only logging out of the local service, but not the other 
services.

 

What we have at the moment:

For each of the service modules, we have the following configured:

1. LogoutFilter via spring bean

2. SingleSignOutFilter via web.xml or spring bean

3. SingleSignOutHttpSessionListener in web.xml


Also we have ServiceRegistry json with logoutType: BACK_CHANNEL


spring config

In web.xml of each module, we have:

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


service registry:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 1001,
  "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder": 1,
  "logoutType" : "BACK_CHANNEL",
….



Problem:

When we issue a logout via https://localhost:8443/platformadmin/logout/cas/, 
we see the LogoutFilter is triggered and in doFilter() the session is 
invalidated.

SingleSignOutHttpSessionListener#sessionDestroy() is triggered 
immediately after.


Then SingleLogoutFilter is triggered, in whose SingleSignoutHandler#process(..) 
method the BACK_CHANNEL logout is triggered.

In the console log however, I only see that the ST of the current service 
(platformadmin) is destroyed.


If we access any modules other than platformadmin, we are directed to 
the app automatically.

It seems we are only logged out of the current service module (local 
logout), but not logged out from the other service modules.


What configuration are we missing? I see posts in this group where they 
have SLO working.

We'd much appreciate it if someone could provide a summary of their 
configuration.


Please let us know if you have any advice.


Thanks!
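Each of the three service modules above runs a SingleSignOutFilter, and what that filter has to do with the logoutRequest CAS sends is shown below as an added example (Python, not java-cas-client or CAS code): parse the samlp:LogoutRequest, look up the local session that was registered for that service ticket when the ticket was validated, and invalidate only that session. The sample request, the ticket and session names, and the zlib-wrapped DEFLATE assumed for the front-channel form are constructed for this example.

```python
# Added example (not CAS or java-cas-client code): what a CAS client's single
# sign-out filter has to do with the "logoutRequest" parameter CAS sends.
import base64
import xml.etree.ElementTree as ET
import zlib
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_logout_request(xml_text: str) -> str:
    """Return the SessionIndex (the service ticket) carried by a CAS
    <samlp:LogoutRequest>. Raises ValueError for anything else."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"logoutRequest is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    if idx is None or not (idx.text or "").strip():
        raise ValueError("LogoutRequest carries no SessionIndex")
    return idx.text.strip()


def inflate_front_channel(param: str) -> str:
    """Front-channel GET requests carry the same XML, deflated and base64
    encoded (assumption: zlib-wrapped DEFLATE as java.util.zip.Deflater
    produces; raw DEFLATE is accepted as a fallback)."""
    raw = base64.b64decode(param)
    try:
        return zlib.decompress(raw).decode("utf-8")
    except zlib.error:
        return zlib.decompress(raw, -15).decode("utf-8")


def deflate_front_channel(xml_text: str) -> str:
    """Inverse of inflate_front_channel, used here only to build test input."""
    return base64.b64encode(zlib.compress(xml_text.encode("utf-8"))).decode("ascii")


class SessionMappingStorage:
    """ST -> local session id map, populated when a ticket is validated.
    A session can only be killed through a ticket CAS actually issued to
    this service, never by naming a session id directly."""

    def __init__(self) -> None:
        self._by_ticket: Dict[str, str] = {}
        self._by_session: Dict[str, str] = {}

    def add(self, ticket: str, session_id: str) -> None:
        self._by_ticket[ticket] = session_id
        self._by_session[session_id] = ticket

    def remove_by_ticket(self, ticket: str) -> Optional[str]:
        session_id = self._by_ticket.pop(ticket, None)
        if session_id is not None:
            self._by_session.pop(session_id, None)
        return session_id

    def remove_by_session(self, session_id: str) -> None:
        """Called from the session-destroyed listener so the map does not leak."""
        ticket = self._by_session.pop(session_id, None)
        if ticket is not None:
            self._by_ticket.pop(ticket, None)


def handle_single_sign_out(method: str, query: Dict[str, str],
                           form: Dict[str, str],
                           storage: SessionMappingStorage) -> Optional[str]:
    """Return the local session id that was invalidated, or None when the
    request is not a logout request or names a ticket this service never saw.
    In production the back-channel endpoint should additionally be reachable
    only from the CAS server."""
    if method == "POST" and "logoutRequest" in form:      # back-channel
        xml_text = form["logoutRequest"]
    elif method == "GET" and "logoutRequest" in query:    # front-channel
        xml_text = inflate_front_channel(query["logoutRequest"])
    else:
        return None
    ticket = parse_logout_request(xml_text)
    return storage.remove_by_ticket(ticket)


# Constructed sample of what CAS posts to a BACK_CHANNEL service; the ticket
# value is made up for this example.
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1-example" '
    'Version="2.0" IssueInstant="2018-04-01T10:00:00Z">'
    f'<saml:NameID xmlns:saml="{SAML}">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-example-platformadmin</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

if __name__ == "__main__":
    store = SessionMappingStorage()
    store.add("ST-1-example-platformadmin", "JSESSIONID-A")
    print(handle_single_sign_out("POST", {}, {"logoutRequest": SAMPLE_LOGOUT_REQUEST}, store))
```

Note that each service only ever holds mappings for its own service tickets, so CAS has to send one LogoutRequest per ST it issued; a service that never registered the ticket named in the request has nothing to invalidate.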

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/43525944-da4f-4891-ae95-3f81eb7f07c0%40apereo.org.


Re: [cas-user] Which CAS 5.x release are people running successfully in prod?

2018-03-22 Thread Paul
Hi Duane,

Have you had any success with this?  I am in the same boat with respect to 
any version of CAS > 5.0.5 breaking proxy tickets.  Unfortunately 5.0.5 is 
not production ready and requires constant restarts due to memory leaks.  
We can also crash it fairly quickly doing load tests with service tickets 
only with over 8 GB of heap.

I'm looking at reverting to a stable version of CAS like 4.2.X unless I can 
solve the proxy ticket issue.  5.2.3 seems stable related to service 
tickets; except proxy configuration is not working as documented.  

So far what we found is that this always throws a null pointer; and sure 
enough in the CAS code it isn't initialized, which leads me to believe 
there is some configuration missing that is supposed to do you a favor.


2018-03-21 13:34:06,537 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - 

java.lang.NullPointerException
	at org.apereo.cas.web.ProxyController.getTargetService(ProxyController.java:102) ~[cas-server-support-validation-5.0.10.jar!/:5.0.10]
	at org.apereo.cas.web.ProxyController.handleRequestInternal(ProxyController.java:78) ~[cas-server-support-validation-5.0.10.jar!/:5.0.10]

Thanks in advance.



On Thursday, November 16, 2017 at 4:05:52 PM UTC-8, Duane Booher wrote:
>
> First off, we are running CAS 5.0.5 because that is the latest 5.0.x 
> version that we get cas/proxy to work.
>
> The problems we've encountered - First, when zero days are left on the 
> LDAP password expiration policy, then a CREDENTIAL_NOT_FOUND occurs 
> instead of the PASSWORD_EXPIRED. Another error is that we encountered a 
> heap out of memory error and we are running at 6G heap. Another error is 
> that SSO session persistence across multiple app tabs on same browser was 
> not lasting longer than 30 minutes.
>
> There are additional circumstances for all the above, but bottom line is 
> that all of these issues work as expected on CAS 4.0.3.
>
> We are starting to configure a CAS 5.2 system to evaluate the above 
> functionality.
>
> Duane 
>
> On Thursday, November 16, 2017 at 3:50:03 PM UTC-7, rbon wrote:
>>
>> Duane,
>>
>> Can you itemize what is not working in your production environment?
>>
>> Ray
>>
>> On Thu, 2017-11-16 at 08:21 -0800, Duane Booher wrote:
>>
>> Hi, we have been trying to upgrade to CAS 5.x in our production 
>> environment. We run successfully in our CAS-Test, but in our prod 
>> environment we encounter various issues forcing us to revert back to CAS 4. 
>>
>> What CAS 5.x releases are people successfully running in production?
>>
>> Duane Booher
>>
>> -- 
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f2ba523a-a1f9-482c-9304-84ae1148cc5d%40apereo.org.


[cas-user] Re: Using JSON for test attributes in CAS 4.2.2

2017-06-14 Thread Paul D

On Tuesday, June 13, 2017 at 2:13:00 PM UTC+1, Paul D wrote:
>
> Trying to setup a testing CAS server using docker 
> (apereo/cas:v4.2.2)
>

I switched to v5.0.6 and the json attribute storage is working now. Just to 
assist anyone else who needs a similar setup for testing, my docker 
container is simply apereo/cas:v5.0.6 plus these additional files added via 
the Dockerfile

/cas-overlay/etc/cas/config/cas.properties (this is copied to 
/etc/cas/config at startup, and contains the location of the attribute 
repository)
cas.server.name: https://cas.example.org:8443
cas.server.prefix: https://cas.example.org:8443/cas

cas.adminPagesSecurity.ip=172\.17\.8\.1
cas.authn.attributeRepository.json.config.location=file://etc/cas/attribute-repository.json

logging.config: file:/etc/cas/config/log4j2.xml


/etc/cas/attribute-repository.json (here are the attributes; the 
installation has a casuser with password Mellon already configured)
{
  "casuser": {
"firstName":["Cassie"],
"eduPersonAffiliation":["employee", "student"]
  }
}


/cas-overlay/src/main/resources/services/TestService-1003.json (this 
has a low numbered evaluation order to beat the other default service, and 
ensures all attributes are released)
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http)://.*",
  "name" : "HTTPS and HTTP Test",
  "id" : 1003,
  "description" : "Test service which releases all attributes.",
  "proxyPolicy" : {
"@class" : "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
"@class" : 
"org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy" : {
"@class" : 
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true
  }
}

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f07d61f8-6891-4c43-8869-75056a646e0d%40apereo.org.


[cas-user] Using JSON for test attributes in CAS 4.2.2

2017-06-13 Thread Paul D
Trying to set up a testing CAS server using docker (apereo/cas:v4.2.2) 

I can bring the server up and can successfully login and validate a ticket. 
What I really want to do is simulate various types of attribute release so 
I can easily have a set of users for testing with various affiliations and 
group memberships. 

My cas.properties defines some test users admin1, admin2 and admin3 

accept.authn.users=admin1::admin1,admin2::admin2,admin3::admin3 

Then I'd like to use a JSON file as an attribute repository, which I'm 
trying like this: 


cas.authn.attributeRepository.json[0].config.location=file://etc/cas/attribute-repository.json
 

cas.authn.attributeRepository.json[0].order=0 


/etc/cas/attribute-repository.json contains 

{ 
 "admin1": { 
 "firstName":["Admin1"], 
 "lastName":["One"] 
 }, 

 "admin2": { 
 "firstName":["Admin2"], 
 "eduPersonAffiliation":["employee", "student"] 
 } 
} 


My test service is configured to release all attributes 

{ 
"@class" : "org.jasig.cas.services.RegexRegisteredService", 
 "serviceId" : "^(https|http)://.*", 
 "name" : "HTTPS and HTTP Test", 
 "id" : 1001, 
 "description" : "Test service which releases all attributes.", 
 "proxyPolicy" : { 
 "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy" 
 }, 

 "evaluationOrder" : 1, 
 "usernameAttributeProvider" : { 
 "@class" : 
"org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider" 
 }, 
 "logoutType" : "BACK_CHANNEL", 
 "attributeReleasePolicy" : { 
 "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy" 
 }, 
 "accessStrategy" : { 
 "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy", 
 "enabled" : true, 
 "ssoEnabled" : true 
 }
} 


When I login as admin2 and validate the ticket, the response I get is like 
this: 


http://www.yale.edu/tp/cas;> 
 
admin2 
 
uid 
true 
2017-06-13T11:45:43.636Z 
eduPersonAffiliation 
false
 
faculty 
staff 
org 
groupMembership 
 
 


I was hoping to see a firstName attribute and a eduPersonAffiliation 
attribute, and I'm not sure where the memberOf attributes have come from! 
Clearly, I'm missing some configuration somewhere - clues very much welcome!

Clues most welcome...

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7a7e897a-5e12-4d15-bf6e-52d19783cfd8%40apereo.org.


[cas-user] CAS as a OAuth server

2017-04-20 Thread Paul Mitchell
Hi,

I'm trying to get CAS running as an OAuth server. It's running fine as a CAS
server.

I've included 'compile
"org.apereo.cas:cas-server-support-oauth-webflow:${project.'cas.version'}"'
in the build.gradle file for cas.version 5.0.4.

Breaking open the war file I can see the relevant jars have been included.
I've included a service registry entry based on the JSON example and am
loading the services from a directory.

When I start cas within Tomcat 8.5 I get the following error:

Caused by: com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could
not resolve type id
'org.apereo.cas.support.oauth.services.OAuthRegisteredService' into a
subtype of [simple type, class org.apereo.cas.services.RegisteredService]:
no such class found
 at [Source:
{"@class":"org.apereo.cas.support.oauth.services.OAuthRegisteredService","clientId":"clientid","clientSecret":"clientSecret","bypassApprovalPrompt":false,"serviceId":"^(https|imaps)://hello.*","name":"HTTPS
and IMAPS","id":105}; line: 1, column: 11]

Again, I've confirmed that the class is present with the OAuth-core jar
within the war.

I'm not sure what to do from here and any advice will be gratefully received.

Paul.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGvhSLRNnWkvN%2BEBcYZVSj685Q7js-Yf2zsYioiW2kt%3DTaOaaQ%40mail.gmail.com.


Re: [cas-user] Another CAS 5 LDAP issue

2017-04-11 Thread Paul Mitchell
Your bindDn is wrong, in at least what you've pasted above "
cas.authn.ldap[0].bindDn=cn=cn=Directory Manager,o=org" . You look to have
an extra cn= in there.

Paul.

On 11 April 2017 at 18:25, bobbintb <angla...@isu.edu> wrote:

> Same thing. I already had the dependency in pom.xml, and most of those
> LDAP settings. I added all the extra ones you mentioned but it didn't
> change anything. I don't get it. I'm obviously missing something but near
> as I can tell, I have all the prerequisites mentioned in the documentation.
>
>
> On Tuesday, April 11, 2017 at 1:39:12 AM UTC-6, Nour Krichene wrote:
>>
>> Hello,
>>
>> It seems that some files are needed to support LDAP
>>
>>
>> In pom.xml add this script
>>
>>
>> <dependency>
>>     <groupId>org.apereo.cas</groupId>
>>     <artifactId>cas-server-support-ldap</artifactId>
>>     <version>${cas.version}</version>
>> </dependency>
>>
>> after project's build add this code to etc/cas/config/cas.properties
>>
>> cas.authn.accept.users=
>> cas.authn.ldap[0].type=AUTHENTICATED
>>
>> cas.authn.ldap[0].ldapUrl=ldap://localhost:389
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].connectTimeout=5000
>> cas.authn.ldap[0].baseDc=dc=example,dc=com
>> cas.authn.ldap[0].baseDn=ou=users,dc=example,dc=com
>> cas.authn.ldap[0].userFilter=uid={user}
>> cas.authn.ldap[0].subtreeSearch=true
>> cas.authn.ldap[0].usePasswordPolicy=false
>> cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
>> cas.authn.ldap[0].bindCredential=**
>>
>> cas.authn.ldap[0].enhanceWithEntryResolver=false
>> cas.authn.ldap[0].dnFormat=uid=%s,ou=users,dc=example,dc=com
>> cas.authn.ldap[0].principalAttributeId=uid
>> cas.authn.ldap[0].principalAttributePassword=
>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName
>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>
>> cas.authn.ldap[0].minPoolSize=3
>> cas.authn.ldap[0].maxPoolSize=10
>> cas.authn.ldap[0].validateOnCheckout=true
>> cas.authn.ldap[0].validatePeriodically=true
>> cas.authn.ldap[0].validatePeriod=600
>>
>> cas.authn.ldap[0].failFast=true
>> cas.authn.ldap[0].idleTime=5000
>> cas.authn.ldap[0].prunePeriod=5000
>> cas.authn.ldap[0].blockWaitTime=5000
>> cas.authn.ldap[0].allowMultipleDns=false
>>
>> cas.authn.ldap[0].passwordEncoder.type=NONE
>> cas.authn.ldap[0].principalTransformation.suffix=
>> cas.authn.ldap[0].principalTransformation.caseConversion=NONE
>> cas.authn.ldap[0].principalTransformation.prefix=
>>
>>
>>
>>
>> On Monday, April 10, 2017 at 11:00:54 PM UTC+2, bobbintb wrote:
>>>
>>> I'm new to CAS and I have been trying to figure out how to get it to
>>> authenticate against LDAP. I'm on RHEL 7 with Tomcat 7 and CAS 5.0.4. I
>>> used the Maven overlay. My pom.xml has:
>>>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-ldap</artifactId>
>>>     <version>5.0.4</version>
>>> </dependency>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-ldap-core</artifactId>
>>>     <version>5.0.4</version>
>>> </dependency>
>>>
>>> No errors building. I didn't have the second one initially. I added it
>>> later and it made no difference.
>>>
>>>
>>> Here is my ldap section from cas.properties:
>>>
>>>
>>>
>>> #LDAP connection info
>>> cas.authn.accept.users=
>>> cas.authn.ldap[0].type=AUTHENTICATED
>>> cas.authn.ldap[0].ldapUrl=ldaps://ldap.my.org:636
>>> cas.authn.ldap[0].useSsl=true
>>> cas.authn.ldap[0].useStartTls=false
>>> cas.authn.ldap[0].connectTimeout=5000
>>> cas.authn.ldap[0].baseDn=ou=cp,o=org
>>> cas.authn.ldap[0].principalAttributeId=uid
>>> cas.authn.ldap[0].userFilter=cn=uid
>>> cas.authn.ldap[0].subtreeSearch=true
>>> cas.authn.ldap[0].usePasswordPolicy=true
>>> cas.authn.ldap[0].bindDn=cn=cn=Directory Manager,o=org
>>>
>>> I just keep getting the same errors:
>>>
>>> WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>>> >> authentication handler that supports [testusername] of type
>>> [UsernamePasswordCredential], which suggests a configuration problem.>
>>>
>>> ERROR [org.apereo.cas.web.flow.AuthenticationExceptionHandler] -
>>> >> org.apereo.cas.authentication.AuthenticationException: 0 errors, 0
>>> successes. Returning UNKNOWN by default...>
>>>
>>> Nothing I have found has helped

Re: [cas-user] 5.0.1 Issues with javascript & spring

2017-03-14 Thread Paul Legeay
Have this bug too. No idea where this comes from :/

On Wednesday 18 January 2017 at 18:57:30 UTC+1, ray.walker wrote:
>
> This behavior also exists for other various static resources (such as 
> images) that come bundled within the webapp.
>
>  
>
> Additional info:
>
> Java 1.8.0_111 Open JDK
>
> Tomcat 8.0.38
>
> — 
>
> Raymond Walker
> Software Systems Engineer StSp.
> ITS Northern Arizona University
>
>  
>
>  
>
> From: on behalf of Raymond Drew Walker
> Reply-To: "cas-...@apereo.org"
> Date: Monday, January 16, 2017 at 8:20 PM
> To: "cas-...@apereo.org"
> Subject: [cas-user] 5.0.1 Issues with javascript & spring
>
>  
>
> Simply put, it appears that no JS is firing:
>
>  
>
> Seeing these in logs:
>
> 2017-01-15 14:37:04,063 WARN 
> [org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver] 
> -  org.springframework.web.HttpMediaTypeNotAcceptableException: Could not find 
> acceptable representation>
>
>  
>
> And from the browser:
>
> CAS is unable to process this request: "406:Not Acceptable"
>
> Error: Could not find acceptable representation
>
> (refers to the logs above)
>
>  
>
> Any ideas? Am I missing something basic?
>
>  
>
> — 
>
> Raymond Walker
> Software Systems Engineer StSp.
> ITS Northern Arizona University
>
>  
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9034b675-4cf2-4766-8d5a-2fc011bf465d%40apereo.org.


Re: [cas-user] [cas user] missing inResponeTo attribute

2017-03-14 Thread Paul Legeay
Yes, that's what I meant sorry :).

On Wednesday 8 March 2017 at 19:20:13 UTC+1, Misagh Moayyed wrote:
>
> Sounds like a bug to me.
>
>
> PS There is no such thing as CAS 5.0.4. Did you mean SNAPSHOT? 
>
> -- 
> Misagh
>
> From: Paul Legeay <dev.p...@gmail.com> 
> Reply: cas-...@apereo.org  <cas...@apereo.org> 
> Date: March 8, 2017 at 7:37:16 PM
> To: CAS Community <cas...@apereo.org> 
> Subject:  [cas-user] [cas user] missing inResponeTo attribute 
>
> Hi everyone, 
>>
>> I'm trying to use a local installation of simplesamlphp as a SP to log 
>> in through a local CAS 5.0.4 server using the SAML 2 protocol.
>> The issue I have at the moment is that the response I get from the CAS 
>> server is missing the inResponseTo attribute in the response element. 
>>
>> The SAML 2 spec specifies that the InResponseTo must be present in the 
>> response element if the response is associated to a request.
>> Do I have something missing in my configuration or is it a bug?
>>
>> Any help would be appreciated.
>>
>> Thanks
>>
>>
>> relevant part of application.properties
>>
>> cas.authn.samlIdp.metadata.location=${user.home}/work/metadata/
>> cas.authn.samlIdp.entityId=http://localhost:8042/cas/idp
>> cas.authn.samlIdp.hostName=http://localhost:8042
>> cas.samlCore.ticketidSaml2=true
>>
>> IDP metadata in php format
>> <?php
>> /**
>>  * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
>>  *
>>  * Remember to remove the IdPs you don't use from this file.
>>  *
>>  * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
>>  */
>>
>>
>> $metadata['http://localhost:8042/cas/idp'] = array (
>>   'entityid' => 'http://localhost:8042/cas/idp',
>>   'contacts' => 
>>   array (
>>   ),
>>   'metadata-set' => 'saml20-idp-remote',
>>   'SingleSignOnService' => 
>>   array (
>>     0 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO',
>>     ),
>>     1 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/POST/SSO',
>>     ),
>>     2 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
>>       'Location' => 'http://localhost:8042/idp/profile/SAML2/POST-SimpleSign/SSO',
>>     ),
>>   ),
>>   'ArtifactResolutionService' => 
>>   array (
>>     0 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/SOAP/ArtifactResolution',
>>       'index' => 2,
>>     ),
>>   ),
>>   'NameIDFormats' => 
>>   array (
>>     0 => 'urn:mace:shibboleth:1.0:nameIdentifier',
>>     1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
>>   ),
>>   'keys' => 
>>   array (
>>     0 => 
>>     array (
>>       'encryption' => false,
>>       'signing' => true,
>>       'type' => 'X509Certificate',
>>       'X509Certificate' => '
>> ',

[cas-user] Re: [cas user] missing inResponeTo attribute

2017-03-08 Thread Paul Legeay
Edit: I downgraded to the version 5.0.0.RC5-SNAPSHOT and this issue is not 
present anymore. I have an inResponseTo attribute for my response element.

On Wednesday 8 March 2017 at 17:04:59 UTC+1, Paul Legeay wrote:
>
> Hi everyone,
>>
>> I'm trying to use a local installation of simplesamlphp as a SP to log 
>> in through a local CAS 5.0.4 server using the SAML 2 protocol.
>> The issue I have at the moment is that the response I get from the CAS 
>> server is missing the inResponseTo attribute in the response element. 
>>
>> The SAML 2 spec specifies that the InResponseTo must be present in the 
>> response element if the response is associated to a request.
>> Do I have something missing in my configuration or is it a bug?
>>
>> Any help would be appreciated.
>>
>> Thanks
>>
>>
>> relevant part of application.properties
>>
>> cas.authn.samlIdp.metadata.location=${user.home}/work/metadata/
>> cas.authn.samlIdp.entityId=http://localhost:8042/cas/idp
>> cas.authn.samlIdp.hostName=http://localhost:8042
>> cas.samlCore.ticketidSaml2=true
>>
>> IDP metadata in php format
>> <?php
>> /**
>>  * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
>>  *
>>  * Remember to remove the IdPs you don't use from this file.
>>  *
>>  * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
>>  */
>>
>>
>> $metadata['http://localhost:8042/cas/idp'] = array (
>>   'entityid' => 'http://localhost:8042/cas/idp',
>>   'contacts' => 
>>   array (
>>   ),
>>   'metadata-set' => 'saml20-idp-remote',
>>   'SingleSignOnService' => 
>>   array (
>>     0 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO',
>>     ),
>>     1 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/POST/SSO',
>>     ),
>>     2 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
>>       'Location' => 'http://localhost:8042/idp/profile/SAML2/POST-SimpleSign/SSO',
>>     ),
>>   ),
>>   'ArtifactResolutionService' => 
>>   array (
>>     0 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/SOAP/ArtifactResolution',
>>       'index' => 2,
>>     ),
>>   ),
>>   'NameIDFormats' => 
>>   array (
>>     0 => 'urn:mace:shibboleth:1.0:nameIdentifier',
>>     1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
>>   ),
>>   'keys' => 
>>   array (
>>     0 => 
>>     array (
>>       'encryption' => false,
>>       'signing' => true,
>>       'type' => 'X509Certificate',
>>       'X509Certificate' => '
>> ',

[cas-user] [cas user] missing inResponseTo attribute

2017-03-08 Thread Paul Legeay

>
> Hi everyone,
>
> I'm trying to use a local installation of simplesamlphp as an SP to log in
> through a local CAS 5.0.4 server using the SAML 2 protocol.
> The issue I have at the moment is that the response I get from the CAS
> server is missing the InResponseTo attribute in the Response element.
>
> The SAML 2 spec specifies that InResponseTo must be present in the
> Response element if the response is associated with a request.
> Do I have something missing in my configuration, or is it a bug?
>
> Any help would be appreciated.
>
> Thanks
>
>
> Relevant part of application.properties:
>
> cas.authn.samlIdp.metadata.location=${user.home}/work/metadata/
> cas.authn.samlIdp.entityId=http://localhost:8042/cas/idp
> cas.authn.samlIdp.hostName=http://localhost:8042
> cas.samlCore.ticketidSaml2=true
>
> IdP metadata in PHP format:
> /**
>  * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
>  *
>  * Remember to remove the IdPs you don't use from this file.
>  *
>  * See: 
> https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote 
>  */
>
>
> $metadata['http://localhost:8042/cas/idp'] = array (
>   'entityid' => 'http://localhost:8042/cas/idp',
>   'contacts' => 
>   array (
>   ),
>   'metadata-set' => 'saml20-idp-remote',
>   'SingleSignOnService' => 
>   array (
> 0 => 
> array (
>   'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
>   'Location' => '
> http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO',
> ),
> 1 => 
> array (
>   'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>   'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/POST/SSO'
> ,
> ),
> 2 => 
> array (
>   'Binding' => 
> 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
>   'Location' => '
> http://localhost:8042/idp/profile/SAML2/POST-SimpleSign/SSO',
> ),
>   ),
>   'ArtifactResolutionService' => 
>   array (
> 0 => 
> array (
>   'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
>   'Location' => '
> http://localhost:8042/cas/idp/profile/SAML2/SOAP/ArtifactResolution',
>   'index' => 2,
> ),
>   ),
>   'NameIDFormats' => 
>   array (
> 0 => 'urn:mace:shibboleth:1.0:nameIdentifier',
> 1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
>   ),
>   'keys' => 
>   array (
> 0 => 
> array (
>   'encryption' => false,
>   'signing' => true,
>   'type' => 'X509Certificate',
>   'X509Certificate' => '
> ',

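The correlation check an SP performs on a SAML Response, which is why simplesamlphp rejects a Response element without InResponseTo, as an added example that is not part of the thread and not simplesamlphp or CAS code; the SP ACS URL, the request IDs and the Response XML are constructed, and the issuer is the entityId from the configuration quoted above:

```python
"""InResponseTo correlation on the SP side of SAML 2.0 Web SSO (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed values for the example (not from the thread).
SP_ACS_URL = "https://sp.example/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
IDP_ENTITY_ID = "http://localhost:8042/cas/idp"  # entityId from the thread's configuration


class SamlResponseError(Exception):
    """The Response failed the request/response correlation check."""


def check_in_response_to(response_xml, outstanding_request_ids, allow_unsolicited=False):
    """Correlate a samlp:Response with the AuthnRequest the SP issued.

    Returns the matched request ID, or None for an accepted unsolicited
    (IdP-initiated) Response. Raises SamlResponseError otherwise.
    outstanding_request_ids is the SP's set of not-yet-answered request IDs;
    a matched ID is removed so the same Response cannot be replayed.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlResponseError("not a samlp:Response")

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No InResponseTo means the IdP is presenting an unsolicited Response.
        # That is only acceptable when the SP deliberately enables the
        # IdP-initiated flow; an SP that sent an AuthnRequest must insist on it.
        if not allow_unsolicited:
            raise SamlResponseError("Response has no InResponseTo and unsolicited responses are not allowed")
        return None

    if in_response_to not in outstanding_request_ids:
        # Never issued by this SP, already consumed (replay) or expired.
        raise SamlResponseError("InResponseTo %r matches no outstanding request" % in_response_to)

    # The bearer SubjectConfirmationData inside the assertion carries the same
    # correlation; if present it has to agree with the Response-level value.
    path = ".//saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
    for scd in root.iterfind(path, NS):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != in_response_to:
            raise SamlResponseError("SubjectConfirmationData InResponseTo disagrees with the Response")

    outstanding_request_ids.discard(in_response_to)  # one-time use
    return in_response_to


def classify(response_xml, outstanding_request_ids, allow_unsolicited=False):
    """String summary of the outcome, convenient for logging and testing."""
    try:
        matched = check_in_response_to(response_xml, outstanding_request_ids, allow_unsolicited)
    except SamlResponseError:
        return "rejected"
    return "accepted:%s" % (matched if matched else "unsolicited")


def build_response(in_response_to=None, scd_in_response_to="same"):
    """Construct a minimal, unsigned Response like the one the thread discusses.

    in_response_to=None reproduces the symptom reported in the thread:
    a Response element without the InResponseTo attribute.
    """
    if scd_in_response_to == "same":
        scd_in_response_to = in_response_to
    resp_attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    scd_attr = ' InResponseTo="%s"' % scd_in_response_to if scd_in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-constructed-1" Version="2.0" IssueInstant="2017-03-08T16:04:59Z"
    Destination="{SP_ACS_URL}"{resp_attr}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion-constructed-1" Version="2.0" IssueInstant="2017-03-08T16:04:59Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_nameid-constructed</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{scd_attr} Recipient="{SP_ACS_URL}" NotOnOrAfter="2017-03-08T16:09:59Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    ids = {"_req-constructed-1"}
    print(classify(build_response("_req-constructed-1"), ids))        # accepted:_req-constructed-1
    print(classify(build_response("_req-constructed-1"), ids))        # rejected (replay of a consumed ID)
    print(classify(build_response(), {"_req-constructed-1"}))         # rejected (the thread's symptom)
    print(classify(build_response(), set(), allow_unsolicited=True))  # accepted:unsolicited
```
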
RE: [cas-user] Error starting CAS 5.x (conflicting module versions, Groovy)

2017-02-06 Thread Paul Chauvet
I sent a reply to this, but it doesn’t seem to have come through.  Apologies if 
anyone receives a duplicate.

We were using cas.version 5.0.0, and gradle.version 3.1 as set in the gradle 
properties.  I tried updating to 5.0.2 and gradle.version 3.2.1 as per the info 
in the gradle overlay template on github, but the same issue occurs.


Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu<mailto:chauv...@newpaltz.edu>

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Misagh 
Moayyed
Sent: Monday, February 6, 2017 3:20 PM
To: cas-user@apereo.org
Subject: RE: [cas-user] Error starting CAS 5.x (conflicting module versions, 
Groovy)

An exact version would be helpful.

--Misagh

From: cas-user@apereo.org<mailto:cas-user@apereo.org> 
[mailto:cas-user@apereo.org] On Behalf Of Paul Chauvet
Sent: Monday, February 6, 2017 9:14 PM
To: cas-user@apereo.org<mailto:cas-user@apereo.org>
Subject: [cas-user] Error starting CAS 5.x (conflicting module versions, Groovy)

Hello all,

We’re in the process of rolling out CAS 5.x.  Things were deploying fine in our 
test environment, and we moved on to UI customizations, but sometime recently 
when building from source it has caused an error which prevents Tomcat from 
deploying the .war file.

I’ve attached the Catalina log export, but the root issue appears to be in this 
line:
Caused by: groovy.lang.GroovyRuntimeException: Conflicting module versions. 
Module [groovy-jsr223 is loaded in version 2.4.8 and you are trying to load 
version 2.4.7

The same error happens now on deployment in Tomcat, even for builds that worked 
perfectly fine several weeks ago.  We are using Gradle for building the CAS 
.war.  Our CAS-5 build was made for us by Unicon, and all we were working on is 
some UI changes.  I thought it might have been those UI changes, but even the 
exact version provided for us by Unicon for v5 doesn’t work anymore.

If other info is needed (build.gradle files or something else), please let me 
know.  Any thoughts or ideas on this would be greatly appreciated!

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu<mailto:chauv...@newpaltz.edu>

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR2001MB1062B1AB7814984B01D9BBDEA7400%40CY4PR2001MB1062.namprd20.prod.outlook.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR2001MB1062B1AB7814984B01D9BBDEA7400%40CY4PR2001MB1062.namprd20.prod.outlook.com?utm_medium=email_source=footer>.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR2001MB10623405CC0C0A3187F78149A7400%40CY4PR2001MB1062.namprd20.prod.outlook.com.


RE: [cas-user] Error starting CAS 5.x (conflicting module versions, Groovy)

2017-02-06 Thread Paul Chauvet
Oops!  Sorry, can’t believe I forgot that.  From gradle.properties:
cas.version=5.0.0
gradle.version=3.1
sourceCompatibility=1.8
targetCompatibility=1.8
springboot.version=1.4.1.RELEASE


Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu<mailto:chauv...@newpaltz.edu>

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Misagh 
Moayyed
Sent: Monday, February 6, 2017 3:20 PM
To: cas-user@apereo.org
Subject: RE: [cas-user] Error starting CAS 5.x (conflicting module versions, 
Groovy)

An exact version would be helpful.

--Misagh

From: cas-user@apereo.org<mailto:cas-user@apereo.org> 
[mailto:cas-user@apereo.org] On Behalf Of Paul Chauvet
Sent: Monday, February 6, 2017 9:14 PM
To: cas-user@apereo.org<mailto:cas-user@apereo.org>
Subject: [cas-user] Error starting CAS 5.x (conflicting module versions, Groovy)

Hello all,

We’re in the process of rolling out CAS 5.x.  Things were deploying fine in our 
test environment, and we moved on to UI customizations, but sometime recently 
when building from source it has caused an error which prevents Tomcat from 
deploying the .war file.

I’ve attached the Catalina log export, but the root issue appears to be in this 
line:
Caused by: groovy.lang.GroovyRuntimeException: Conflicting module versions. 
Module [groovy-jsr223 is loaded in version 2.4.8 and you are trying to load 
version 2.4.7

The same error happens now on deployment in Tomcat, even for builds that worked 
perfectly fine several weeks ago.  We are using Gradle for building the CAS 
.war.  Our CAS-5 build was made for us by Unicon, and all we were working on is 
some UI changes.  I thought it might have been those UI changes, but even the 
exact version provided for us by Unicon for v5 doesn’t work anymore.

If other info is needed (build.gradle files or something else), please let me 
know.  Any thoughts or ideas on this would be greatly appreciated!

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu<mailto:chauv...@newpaltz.edu>


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR2001MB1062A314D7E9922709F0FA72A7400%40CY4PR2001MB1062.namprd20.prod.outlook.com.


[cas-user] Error starting CAS 5.x (conflicting module versions, Groovy)

2017-02-06 Thread Paul Chauvet
Hello all,

We're in the process of rolling out CAS 5.x.  Things were deploying fine in our 
test environment, and we moved on to UI customizations, but sometime recently 
when building from source it has caused an error which prevents Tomcat from 
deploying the .war file.

I've attached the Catalina log export, but the root issue appears to be in this 
line:
Caused by: groovy.lang.GroovyRuntimeException: Conflicting module versions. 
Module [groovy-jsr223 is loaded in version 2.4.8 and you are trying to load 
version 2.4.7

The same error happens now on deployment in Tomcat, even for builds that worked 
perfectly fine several weeks ago.  We are using Gradle for building the CAS 
.war.  Our CAS-5 build was made for us by Unicon, and all we were working on is 
some UI changes.  I thought it might have been those UI changes, but even the 
exact version provided for us by Unicon for v5 doesn't work anymore.

If other info is needed (build.gradle files or something else), please let me 
know.  Any thoughts or ideas on this would be greatly appreciated!

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu<mailto:chauv...@newpaltz.edu>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR2001MB1062B1AB7814984B01D9BBDEA7400%40CY4PR2001MB1062.namprd20.prod.outlook.com.
06-Feb-2017 14:55:33.899 SEVERE [localhost-startStop-1] 
org.apache.catalina.core.ContainerBase.addChildInternal ContainerBase.addChild: 
start: 
 org.apache.catalina.LifecycleException: Failed to start component 
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:153)
at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:940)
at 
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1816)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.ExceptionInInitializerError
at 
org.springframework.beans.factory.groovy.GroovyBeanDefinitionReader.(GroovyBeanDefinitionReader.java:150)
at 
org.springframework.boot.BeanDefinitionLoader.(BeanDefinitionLoader.java:84)
at 
org.springframework.boot.SpringApplication.createBeanDefinitionLoader(SpringApplication.java:752)
at 
org.springframework.boot.SpringApplication.load(SpringApplication.java:692)
at 
org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:366)
at 
org.springframework.boot.SpringApplication.run(SpringApplication.java:313)
at 
org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:134)
at 
org.springframework.cloud.bootstrap.BootstrapApplicationListener.bootstrapServiceContext(BootstrapApplicationListener.java:138)
at 
org.springframework.cloud.bootstrap.BootstrapApplicationListener.onApplicationEvent(BootstrapApplicationListener.java:84)
at 
org.springframework.cloud.bootstrap.BootstrapApplicationListener.onApplicationEvent(BootstrapApplicationListener.java:62)
at 
org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:167)
at 
org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
at 
org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:122)
at 
org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:68)
at 
org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:54)
at 
org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:337)
at 
org.springframework.boot.SpringApplication.run(SpringAppl

Re: [cas-user] gauth-jpa

2016-11-18 Thread Paul Mitchell
My thought on that was: since GoogleAuth uses Base32 of an 80-bit key, that
is 16 bytes. So an 8192-bit key at base32 should be around 1639.

Regards,
Paul.

On 18 November 2016 at 15:38, Misagh Moayyed <mmoay...@unicon.net> wrote:

> Great. As an alternative, can you experiment with column definitions or
> @Type annotations to enforce a better type such as text?
>
>
>
> I suppose the thing I dislike is that 255 (and similar numbers) is such an
> arbitrary value. If you can find a reasonable number that would work for
> most databases and not just MYSQL and the size can account for reasonable
> secret key lengths, then sure. File a PR please.
>
>
>
> --Misagh
>
>
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Paul
> Mitchell
> *Sent:* Friday, November 18, 2016 7:53 AM
> *To:* cas-user@apereo.org
> *Subject:* Re: [cas-user] gauth-jpa
>
>
>
> Also this is on MySQL 5.7.16
>
>
>
> On 18 November 2016 at 14:52, Paul Mitchell <pauldmitchel...@gmail.com>
> wrote:
>
> Yes, the table is not created and MySQL returns an error of:
>
>
>
> ERROR 1074 (42000): Column length too big for column 'secretKey' (max =
> 65535); use BLOB or TEXT instead
>
>
>
> Regards,
>
> Paul.
>
>
>
> On 18 November 2016 at 14:48, Misagh Moayyed <mmoay...@unicon.net> wrote:
>
> Is the MySQL complaint causing issues?
>
>
>
> --Misagh
>
>
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Paul
> Mitchell
> *Sent:* Friday, November 18, 2016 3:50 AM
> *To:* CAS Community <cas-user@apereo.org>
> *Subject:* [cas-user] gauth-jpa
>
>
>
> Hi,
>
>
>
> I found what appears to be a bug in GoogleAuthenticatorRegistrationRecord.java:
> the record contains the lines
>
>
>
>  @Column(length = Integer.MAX_VALUE, updatable = true, insertable = true,
> nullable = false)
>
>
>
> for two of the string fields in the class.  This causes Hibernate to
> generate the following SQL:
>
>
>
>   create table GoogleAuthenticatorRegistrationRecord (id bigint not null,
> secretKey varchar(2147483647) not null, username varchar(2147483647) not
> null, validationCode integer not null, primary key (id))
>
>
>
> which naturally makes MySQL complain about the size of the varchar.  This was
> changed between RC4 and 5.0.0 with commit 'fe1155a'. Prior to the commit
> the length was 255.  There is also an integer field validationCode which
> also had a length of 255, which was changed to Integer.MAX_VALUE, which to
> me makes sense.
>
>
>
> I can submit an issue/pull request with what I think it should be but wanted
> to check in if there was a good reason for this that I am not aware of.
>
>
>
> Regards,
>
> Paul.
>

Re: [cas-user] gauth-jpa

2016-11-18 Thread Paul Mitchell
Yes, the table is not created and MySQL returns an error of:

ERROR 1074 (42000): Column length too big for column 'secretKey' (max =
65535); use BLOB or TEXT instead

Regards,
Paul.

On 18 November 2016 at 14:48, Misagh Moayyed <mmoay...@unicon.net> wrote:

> Is the MySQL complaint causing issues?
>
>
>
> --Misagh
>
>
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Paul
> Mitchell
> *Sent:* Friday, November 18, 2016 3:50 AM
> *To:* CAS Community <cas-user@apereo.org>
> *Subject:* [cas-user] gauth-jpa
>
>
>
> Hi,
>
>
>
> I found what appears to be a bug in GoogleAuthenticatorRegistrationRecord.java:
> the record contains the lines
>
>
>
>  @Column(length = Integer.MAX_VALUE, updatable = true, insertable = true,
> nullable = false)
>
>
>
> for two of the string fields in the class.  This causes Hibernate to
> generate the following SQL:
>
>
>
>   create table GoogleAuthenticatorRegistrationRecord (id bigint not null,
> secretKey varchar(2147483647) not null, username varchar(2147483647) not
> null, validationCode integer not null, primary key (id))
>
>
>
> which naturally makes MySQL complain about the size of the varchar.  This was
> changed between RC4 and 5.0.0 with commit 'fe1155a'. Prior to the commit
> the length was 255.  There is also an integer field validationCode which
> also had a length of 255, which was changed to Integer.MAX_VALUE, which to
> me makes sense.
>
>
>
> I can submit an issue/pull request with what I think it should be but wanted
> to check in if there was a good reason for this that I am not aware of.
>
>
>
> Regards,
>
> Paul.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGvhSLTpZFP-isUNsokv1Gun1ut_usn3KEozX2LD3Fr-ck4GtQ%40mail.gmail.com.


Re: [cas-user] gauth-jpa

2016-11-18 Thread Paul Mitchell
Also this is on MySQL 5.7.16

On 18 November 2016 at 14:52, Paul Mitchell <pauldmitchel...@gmail.com>
wrote:

> Yes, the table is not created and MySQL returns an error of:
>
> ERROR 1074 (42000): Column length too big for column 'secretKey' (max =
> 65535); use BLOB or TEXT instead
>
> Regards,
> Paul.
>
> On 18 November 2016 at 14:48, Misagh Moayyed <mmoay...@unicon.net> wrote:
>
>> Is the MySQL complaint causing issues?
>>
>>
>>
>> --Misagh
>>
>>
>>
>> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Paul
>> Mitchell
>> *Sent:* Friday, November 18, 2016 3:50 AM
>> *To:* CAS Community <cas-user@apereo.org>
>> *Subject:* [cas-user] gauth-jpa
>>
>>
>>
>> Hi,
>>
>>
>>
>> I found what appears to be a bug in
>> GoogleAuthenticatorRegistrationRecord.java:
>> the record contains the lines
>>
>>
>>
>>  @Column(length = Integer.MAX_VALUE, updatable = true, insertable =
>> true, nullable = false)
>>
>>
>>
>> for two of the string fields in the class.  This causes Hibernate to
>> generate the following SQL:
>>
>>
>>
>>   create table GoogleAuthenticatorRegistrationRecord (id bigint not
>> null, secretKey varchar(2147483647) not null, username varchar(2147483647)
>> not null, validationCode integer not null, primary key (id))
>>
>>
>>
>> which naturally makes MySQL complain about the size of the varchar.  This was
>> changed between RC4 and 5.0.0 with commit 'fe1155a'. Prior to the commit
>> the length was 255.  There is also an integer field validationCode which
>> also had a length of 255, which was changed to Integer.MAX_VALUE, which to
>> me makes sense.
>>
>>
>>
>> I can submit an issue/pull request with what I think it should be but
>> wanted to check in if there was a good reason for this that I am not aware
>> of.
>>
>>
>>
>> Regards,
>>
>> Paul.
>>
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGvhSLSe3eZGwbpgO%3D9JdePTRDGKEaXq34XaHRNCBY0m_4wGjg%40mail.gmail.com.


[cas-user] gauth-jpa

2016-11-18 Thread Paul Mitchell
Hi,

I found what appears to be a bug in GoogleAuthenticatorRegistrationRecord.java: 
the record contains the lines

 @Column(length = Integer.MAX_VALUE, updatable = true, insertable = true, 
nullable = false)

for two of the string fields in the class.  This causes Hibernate to 
generate the following SQL:

  create table GoogleAuthenticatorRegistrationRecord (id bigint not null, 
secretKey varchar(2147483647) not null, username varchar(2147483647) not 
null, validationCode integer not null, primary key (id))

which MySQL naturally complains about because of the size of the varchar.  This was 
changed between RC4 and 5.0.0 with commit 'fe1155a'. Prior to the commit 
the length was 255.  There is also an integer field validationCode which 
also had a length of 255, which was changed to Integer.MAX_VALUE, which to 
me makes sense.

I can submit an issue/pull request with what I think it should be but wanted 
to check in if there was a good reason for this that I am not aware of.  

Regards,
Paul.

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f938e37b-4d90-4b05-bce1-5b317523bef8%40apereo.org.
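An added check, not code from this thread or from CAS, to catch this class of problem before Hibernate's DDL reaches MySQL: it parses a generated CREATE TABLE statement (the one quoted above is embedded as a constructed sample), reports the varchar columns MySQL cannot create, and shows the statement with those lengths capped. The 65,535 ceiling is MySQL's documented maximum for a single VARCHAR declaration; the 255 used as the cap is the pre-commit length the message mentions and is an assumption here, not the project's actual fix.

```python
import re

# Constructed sample: the CREATE TABLE statement quoted in the message above,
# as Hibernate generated it from @Column(length = Integer.MAX_VALUE).
HIBERNATE_DDL = (
    "create table GoogleAuthenticatorRegistrationRecord (id bigint not null, "
    "secretKey varchar(2147483647) not null, username varchar(2147483647) "
    "not null, validationCode integer not null, primary key (id))"
)

# Hard ceiling for one VARCHAR declaration in MySQL.  The practical limit is
# lower: every column of a row shares a 65,535-byte budget and multi-byte
# character sets spend up to four bytes per character, so varchar(2147483647)
# is rejected outright and even varchar(65535) may be.
MYSQL_VARCHAR_MAX_CHARS = 65535

# One "<column> varchar(<n>)" declaration; Hibernate emits the DDL on one line.
VARCHAR_COLUMN_RE = re.compile(r"\b(\w+)\s+varchar\((\d+)\)", re.IGNORECASE)


def oversized_varchar_columns(ddl, limit=MYSQL_VARCHAR_MAX_CHARS):
    """Return [(column, declared_length), ...] for varchar columns above the limit."""
    return [
        (name, int(length))
        for name, length in VARCHAR_COLUMN_RE.findall(ddl)
        if int(length) > limit
    ]


def cap_varchar_lengths(ddl, new_length=255, limit=MYSQL_VARCHAR_MAX_CHARS):
    """Return ddl with every oversized varchar(n) shrunk to varchar(new_length).

    new_length=255 is the pre-commit length from the message, assumed here as
    the intended value; columns already within the limit are left untouched.
    """
    def shrink(match):
        name, length = match.group(1), int(match.group(2))
        if length > limit:
            return f"{name} varchar({new_length})"
        return match.group(0)

    return VARCHAR_COLUMN_RE.sub(shrink, ddl)


if __name__ == "__main__":
    for column, length in oversized_varchar_columns(HIBERNATE_DDL):
        print(f"{column}: varchar({length}) exceeds MySQL's {MYSQL_VARCHAR_MAX_CHARS}")
    print(cap_varchar_lengths(HIBERNATE_DDL))
```

Run it against the DDL your own Hibernate dialect prints at startup (hibernate.show_sql or the schema-export log); the two string columns are reported and the integer column is left alone.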


RE: [cas-user] SAML errors with BEIS after upgrading to CAS 4.2.3

2016-09-27 Thread Paul Chauvet
Hi Linda,

Thanks for your response.  We’re only using BEIS for signing in to Self Service 
Banner (SSB).  We aren’t using it with INB at this time.

The actual application on the Banner side that triggers this seems to be 
random.  Looking at the logs, most of the requests are to either our schedule of 
classes, or Financial Aid – but that is due to what people are looking up 
mostly at this time in the semester.  There is a smattering of others.

The error only seems to occur on a fraction of requests (5% or less based on 
the number of successful entries).

The errors below show multiple destination 'apps' within Banner (since we deep 
link into SSB from our portal).

java.lang.RuntimeException: java.io.FileNotFoundException: Response: '400: Bad 
Request' for url: 
'https://login.newpaltz.edu/cas/samlValidate?TARGET=http%3A%2F%2Fbannerauth.newpaltz.edu%3A%2Fssomanager%2Fc%2FSSB%3Fpkg%3Dbwskflib.P_SelDefTerm%253Fcalling_proc_name%253Dbwskcrse.P_CrseSchdDetl'
Caused By: java.io.FileNotFoundException: Response: '400: Bad Request' for url: 
'https://login.newpaltz.edu/cas/samlValidate?TARGET=http%3A%2F%2Fbannerauth.newpaltz.edu%3A%2Fssomanager%2Fc%2FSSB%3Fpkg%3Dbwskflib.P_SelDefTerm%253Fcalling_proc_name%253Dbwskcrse.P_CrseSchdDetl'

Or

java.lang.RuntimeException: java.io.FileNotFoundException: Response: '400: Bad 
Request' for url: 
'https://login.newpaltz.edu/cas/samlValidate?TARGET=http%3A%2F%2Fbannerauth.newpaltz.edu%3A%2Fssomanager%2Fc%2FSSB%3Fpkg%3Dtwbkwbis.P_GenMenu%253Fname%253Dbmenu.P_FinAidMainMnu'
Caused By: java.io.FileNotFoundException: Response: '400: Bad Request' for url: 
'https://login.newpaltz.edu/cas/samlValidate?TARGET=http%3A%2F%2Fbannerauth.newpaltz.edu%3A%2Fssomanager%2Fc%2FSSB%3Fpkg%3Dtwbkwbis.P_GenMenu%253Fname%253Dbmenu.P_FinAidMainMnu'

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauv...@newpaltz.edu

From: Linda Toth [mailto:ltt...@alaska.edu]
Sent: Monday, September 26, 2016 4:36 PM
To: Paul Chauvet <chauv...@newpaltz.edu>
Subject: Re: [cas-user] SAML errors with BEIS after upgrading to CAS 4.2.3

Can you explain your configuration and tools a little better?  The pipe is 
broken at net.shibboleth.utilities.java, i.e., it fails in a tool you use from 
that directory, right?

The failure you see in BEIS usually means that weblogic is not configured to 
receive that URL from CAS, and might be related to this part of the URL in some 
way:

3Fpkg%3Dbwskflib.P_SelDefTerm%253Fcalling_proc_name%253Dbwskfreg.P_AltPin
<https://login.newpaltz.edu/cas/samlValidate?TARGET=http%3A%2F%2Fbannerauth.newpaltz.edu%3A%2Fssomanager%2Fc%2FSSB%3Fpkg%3Dbwskflib.P_SelDefTerm%253Fcalling_proc_name%253Dbwskfreg.P_AltPin>

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and 
Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/

On Fri, Sep 16, 2016 at 9:11 AM, Paul Chauvet <chauv...@newpaltz.edu> wrote:

Hello all,

We recently upgraded from CAS 3.4.12 to 4.2.3.  All our applications are 
working fine with a single exception.  Banner’s BEIS (Banner Enterprise 
Identity Service) is giving occasional errors to some users.  The client gets a 
“500 – Bad Request” error.  The CAS server gets the error below (apologies for 
the long Java stack traces).  The error from the BEIS side is shown below the 
CAS trace.

Any ideas on this would be appreciated!

2016-09-16 11:54:06,945 ERROR 
[org.jasig.cas.support.saml.web.view.Saml10FailureResponseView] - Error 
generating SAML response for service bannerauth.newpaltz.edu.
org.w3c.dom.ls.LSException: java.io.IOException: Broken pipe
at com.sun.org.apache.xml.internal.serialize.DOMSerializerImpl.write(DOMSerializerImpl.java:854) ~[?:1.8.0_91]
at net.shibboleth.utilities.java.support.xml.SerializeSupport.writeNode(SerializeSupport.java:137) ~[java-support-7.1.1.jar:?]
at net.shibboleth.utilities.java.support.xml.SerializeSupport.writeNode(SerializeSupport.java:114) ~[java-support-7.1.1.jar:?]
at org.opensaml.soap.soap11.encoder.http.impl.HTTPSOAP11Encoder.doEncode(HTTPSOAP11Encoder.java:99) ~[opensaml-soap-impl-3.1.1.jar:?]
at org.opensaml.messaging.encoder.AbstractMessageEncoder.encode(AbstractMessageEncoder.java:53) ~[opensaml-messaging-api-3.1.1.jar:?]
at org.opensaml.messaging.encoder.servlet.BaseHttpServletResponseXMLMessageEncoder.encode(BaseHttpServletResponseXMLMessageEncoder.java:50) ~[opensaml-messaging-api-3.1.1.jar:?]
at org.jasig.cas.support.saml.util.Saml10ObjectBuilder.encodeSamlResponse_aroundBody16(Saml10ObjectBuilder.java

Re: [cas-user] CAS 2.4.2 LDAP AUTHENTICATE

2016-09-13 Thread paul radinota
Hi,

I removed the double quotes in the file cas.properties and restarted the tomcat 
service.

I have the same error: 

Sep 13 12:45:41 cas server: 2016-09-13 12:45:41,756 WARN 
[org.springframework.web.context.support.XmlWebApplicationContext] - 
Sep 13 12:45:41 cas server: 2016-09-13 12:45:41,765 ERROR 
[org.springframework.web.context.ContextLoader] - 

ldap.url=ldap://ponopo.local:389
ldap.useStartTLS=false
ldap.rootDn=dc=ponopo,dc=local
ldap.baseDn=OU=Groupes et Users ,dc=ponopo,dc=local
ldap.authn.format=%s
ldap.connectTimeout=3000
ldap.managerDn=CN=readAD,CN=Users,DC=ponopo,DC=local
ldap.managerPassword=
ldap.pool.minSize=1
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
ldap.pool.blockWaitTime=3000
ldap.pool.validatePeriod=300
ldap.pool.prunePeriod=300
ldap.pool.idleTime=600
ldap.authn.searchFilter=cn={user}
ldap.domain=ponopo.local
ldap.usePpolicy=false
ldap.allowMultipleDns=false

Thanks for your help


On Tuesday, 13 September 2016 12:21:41 UTC+2, paul radinota wrote:

>
> Hello,
>
> I used the document to install CAS with ldap authentication (Active 
> Directory):
>
> https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html#active-directory-authentication
>
> It does not work; I have this error message:
>
> 2016-09-13 11:18:57,232 WARN 
> [org.springframework.web.context.support.XmlWebApplicationContext] - 
> Exception encountered during context initialization - cancelling refresh 
> attempt: org.springframework.beans.factory.BeanDefinitionStoreException: 
> Invalid bean definition with name 'authenticator' defined in null: Could 
> not resolve placeholder 'ldap.baseDn' in string value "${ldap.baseDn}"; 
> nested exception is java.lang.IllegalArgumentException: Could not resolve 
> placeholder 'ldap.baseDn' in string value "${ldap.baseDn}"
> 2016-09-13 11:18:57,259 ERROR 
> [org.springframework.web.context.ContextLoader] - Context initialization 
> failed
> org.springframework.beans.factory.BeanDefinitionStoreException: Invalid 
> bean definition with name 'authenticator' defined in null: Could not 
> resolve placeholder 'ldap.baseDn' in string value "${ldap.baseDn}"; nested 
> exception is java.lang.IllegalArgumentException: Could not resolve 
> placeholder 'ldap.baseDn' in string value "${ldap.baseDn}"
>  at 
> org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:211)
>
> My configuration files are:
>
> *etc/cas/cas.properties :*
>
> # LDAP
> ldap.url=ldap://ponopo.local:389
> ldap.useStartTLS=false
> ldap.rootDn=dc=ponopo,dc=local
> ldap.baseDn="OU=Groupes et Users ,dc=ponopo,dc=local"
> ldap.authn.format=%s
> ldap.connectTimeout=3000
> ldap.managerDn="CN=readAD,CN=Users,DC=ponopo,DC=local"
> ldap.managerPassword=
> ldap.pool.minSize=1
> ldap.pool.maxSize=10
> ldap.pool.validateOnCheckout=false
> ldap.pool.validatePeriodically=true
> ldap.pool.blockWaitTime=3000
> ldap.pool.validatePeriod=300
> ldap.pool.prunePeriod=300
> ldap.pool.idleTime=600
> ldap.authn.searchFilter=cn={user}
> ldap.domain=ponopo.local
> ldap.usePpolicy=false
> ldap.allowMultipleDns=false
>
> *On the file deployerConfigContext.xml:*
>
>  ldapUrl="${ldap.url}"
> userFilter="${ldap.authn.searchFilter}"
> bindDn="${ldap.managerDn}"
> bindCredential="${ldap.managerPassword}"
> allowMultipleDns="${ldap.allowMultipleDns:false}"
> connectTimeout="${ldap.connectTimeout}"
> validateOnCheckOut="${ldap.pool.validateOnCheckout}"
> failFastInitialize="true"
> blockWaitTime="${ldap.pool.blockWaitTime}"
> idleTime="${ldap.pool.idleTime}"
> baseDn="${ldap.baseDn}"
> maxPoolSize="${ldap.pool.maxSize}"
> minPoolSize="${ldap.pool.minSize}"
> validatePeriodically="${ldap.pool.validatePeriodically}"
> validatePeriod="${ldap.pool.validatePeriod}"
> prunePeriod="${ldap.pool.prunePeriod}"
> useSSL="${ldap.use.ssl:false}" 
> subtreeSearch="${ldap.subtree.search:true}"
> useStartTLS="${ldap.useStartTLS}" />
>
> Many thanks for your help
>
> Best Regards
>

[cas-user] CAS 2.4.2 LDAP AUTHENTICATE

2016-09-13 Thread paul radinota

Hello,

I used the document to install CAS with ldap authentication (Active 
Directory):

https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html#active-directory-authentication

It does not work; I have this error message:

2016-09-13 11:18:57,232 WARN 
[org.springframework.web.context.support.XmlWebApplicationContext] - 
Exception encountered during context initialization - cancelling refresh 
attempt: org.springframework.beans.factory.BeanDefinitionStoreException: 
Invalid bean definition with name 'authenticator' defined in null: Could 
not resolve placeholder 'ldap.baseDn' in string value "${ldap.baseDn}"; 
nested exception is java.lang.IllegalArgumentException: Could not resolve 
placeholder 'ldap.baseDn' in string value "${ldap.baseDn}"
2016-09-13 11:18:57,259 ERROR 
[org.springframework.web.context.ContextLoader] - Context initialization 
failed
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid 
bean definition with name 'authenticator' defined in null: Could not 
resolve placeholder 'ldap.baseDn' in string value "${ldap.baseDn}"; nested 
exception is java.lang.IllegalArgumentException: Could not resolve 
placeholder 'ldap.baseDn' in string value "${ldap.baseDn}"
 at 
org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:211)

My configuration files are:

*etc/cas/cas.properties :*

# LDAP
ldap.url=ldap://ponopo.local:389
ldap.useStartTLS=false
ldap.rootDn=dc=ponopo,dc=local
ldap.baseDn="OU=Groupes et Users ,dc=ponopo,dc=local"
ldap.authn.format=%s
ldap.connectTimeout=3000
ldap.managerDn="CN=readAD,CN=Users,DC=ponopo,DC=local"
ldap.managerPassword=
ldap.pool.minSize=1
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
ldap.pool.blockWaitTime=3000
ldap.pool.validatePeriod=300
ldap.pool.prunePeriod=300
ldap.pool.idleTime=600
ldap.authn.searchFilter=cn={user}
ldap.domain=ponopo.local
ldap.usePpolicy=false
ldap.allowMultipleDns=false

*On the file deployerConfigContext.xml:*

Many thanks for your help

Best Regards

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f21ac7f2-f64b-4681-871c-5d6bcb793693%40apereo.org.
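An added example, not code from this thread or from CAS, covering both the "Could not resolve placeholder" error in the original message and the double-quoted values in the follow-up. Spring raises that error when the properties it actually loaded contain no value for the key and the placeholder carries no `:default`; a quoted value does resolve, but java.util.Properties keeps the quotes as literal characters, so they would travel to the directory as part of the search base. The script reads a properties file the way Properties does (first `=` splits key from value, no quote stripping), lists the `${...}` placeholders a bean definition uses, honours the `${key:default}` form used for ldap.use.ssl and friends, and reports the keys Spring would fail on. The properties text and the attribute list are constructed from the lines posted above; the bean element itself and file paths are omitted.

```python
import re

# Constructed sample: the cas.properties lines from the original message,
# with the double quotes the poster first used.
CAS_PROPERTIES = """\
# LDAP
ldap.url=ldap://ponopo.local:389
ldap.useStartTLS=false
ldap.rootDn=dc=ponopo,dc=local
ldap.baseDn="OU=Groupes et Users ,dc=ponopo,dc=local"
ldap.authn.format=%s
ldap.managerDn="CN=readAD,CN=Users,DC=ponopo,DC=local"
ldap.managerPassword=
ldap.authn.searchFilter=cn={user}
"""

# Constructed sample: the placeholder-bearing attributes of the authenticator
# bean as quoted from deployerConfigContext.xml (element name omitted).
BEAN_ATTRIBUTES = """\
ldapUrl="${ldap.url}"
userFilter="${ldap.authn.searchFilter}"
bindDn="${ldap.managerDn}"
bindCredential="${ldap.managerPassword}"
allowMultipleDns="${ldap.allowMultipleDns:false}"
baseDn="${ldap.baseDn}"
useSSL="${ldap.use.ssl:false}"
subtreeSearch="${ldap.subtree.search:true}"
useStartTLS="${ldap.useStartTLS}"
"""

# ${key} or ${key:default}; group 2 is None when no default is given.
PLACEHOLDER_RE = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")


def parse_properties(text):
    """Minimal java.util.Properties reader for the key=value form used above.

    Like Properties, it splits at the first '=', skips '#'/'!' comment lines,
    and does NOT strip surrounding double quotes from a value.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def unresolved_placeholders(props, config_text):
    """Keys referenced as ${key} with neither a property value nor a ':default'."""
    missing = []
    for match in PLACEHOLDER_RE.finditer(config_text):
        key, default = match.group(1), match.group(2)
        if key not in props and default is None:
            missing.append(key)
    return missing


def quoted_values(props):
    """Keys whose value is wrapped in double quotes (the quotes are literal)."""
    return [k for k, v in props.items() if len(v) >= 2 and v[0] == v[-1] == '"']


def strip_quotes(props):
    """Copy of props with the surrounding double quotes removed, as the follow-up did."""
    return {k: (v[1:-1] if k in quoted_values(props) else v) for k, v in props.items()}


if __name__ == "__main__":
    props = parse_properties(CAS_PROPERTIES)
    print("unresolved:", unresolved_placeholders(props, BEAN_ATTRIBUTES))
    print("quoted:", quoted_values(props))
    print("baseDn as the directory would see it:", props["ldap.baseDn"])
```

Running it on the posted file reports no unresolved key and two quoted values, which matches the two stages of the thread: the placeholder error means Spring was not reading this file at all, and once it does, the quotes are the next thing to remove.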


RE: [cas-user] Migrating CAS clients to shib idp v3 cas service

2016-03-02 Thread Paul B. Henson
> From: Andrew Morgan
> Sent: Wednesday, March 02, 2016 12:54 PM
> 
> Is the /samlValidate endpoint supported?

Yes:

https://wiki.shibboleth.net/confluence/display/IDP30/CasProtocolConfiguration

As is /proxyValidate...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  hen...@cpp.edu
California State Polytechnic University  |  Pomona CA 91768




[cas-user] javassist error when starting CAS

2016-02-05 Thread Paul Chauvet
Hi all,

I'm starting the process of moving to a newer version of CAS, specifically 4.1 
(we're currently on 3.4.x).  I've started out clean with the following:

* RHEL 7

* Tomcat 7.0.54 (latest version from RedHat's repos)

* Maven 1.7.0_95

* JDK 1.7.0_95

* To start with at least, pom.xml directly from 
(https://github.com/Jasig/cas-overlay-template)

After building the war file and deploying it, CAS fails to start due to errors. 
 There are a ton of them, all about javassist-3.19.0-GA.jar.  I've included one 
of those stack traces below.  I've been unable to find what specifically is 
causing this error (I saw some posts online about issues with JDK 8, which is 
what I started with, but going back to JDK 7 didn't seem to change things).

Any ideas as to what could be causing this?  My apologies if this is something 
obvious that I missed.

Thanks in advance for any advice you can provide.

Stack trace:
Feb 05, 2016 2:02:26 PM org.apache.catalina.startup.ContextConfig 
processAnnotationsJar
SEVERE: Unable to process Jar entry [javassist/ByteArrayClassPath.class] from 
Jar 
[jar:file:/usr/share/tomcat/webapps/cas/WEB-INF/lib/javassist-3.19.0-GA.jar!/] 
for annotations
java.io.EOFException
at java.io.DataInputStream.readUnsignedShort(DataInputStream.java:340)
at 
org.apache.tomcat.util.bcel.classfile.Utility.swallowMethodParameters(Utility.java:797)
at 
org.apache.tomcat.util.bcel.classfile.Attribute.readAttribute(Attribute.java:171)
at 
org.apache.tomcat.util.bcel.classfile.FieldOrMethod.(FieldOrMethod.java:57)
at org.apache.tomcat.util.bcel.classfile.Method.(Method.java:71)
at 
org.apache.tomcat.util.bcel.classfile.ClassParser.readMethods(ClassParser.java:267)
at 
org.apache.tomcat.util.bcel.classfile.ClassParser.parse(ClassParser.java:127)
at 
org.apache.catalina.startup.ContextConfig.processAnnotationsStream(ContextConfig.java:2058)
at 
org.apache.catalina.startup.ContextConfig.processAnnotationsJar(ContextConfig.java:1934)
at 
org.apache.catalina.startup.ContextConfig.processAnnotationsUrl(ContextConfig.java:1900)
at 
org.apache.catalina.startup.ContextConfig.processAnnotations(ContextConfig.java:1885)
at 
org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1317)
at 
org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:876)
at 
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:374)
at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at 
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5355)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at 
org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1083)
at 
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1880)
at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)



Paul Chauvet
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu
845-257-3828

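An added check, not code from this thread, from Tomcat or from CAS. The trace shows Tomcat's bundled BCEL parser (org.apache.tomcat.util.bcel) hitting end-of-file in swallowMethodParameters while scanning javassist-3.19.0-GA.jar for annotations; MethodParameters is a class-file attribute that arrived with class-file version 52 (Java 8), so the first thing to establish is which jars under WEB-INF/lib contain class files newer than the rest of the deployment. The script reads the 8-byte header (magic, minor, major) of every .class entry in a jar and reports the highest major version. The sample jar is constructed in memory with header-only entries named after the entry in the trace plus one deliberately truncated entry; against a real deployment, pass `open(path, "rb").read()` for each jar.

```python
import io
import struct
import zipfile

# Class-file major versions (JVMS section 4.1) for the releases in play here.
JAVA_RELEASE_BY_MAJOR = {49: "Java 5", 50: "Java 6", 51: "Java 7", 52: "Java 8"}

CLASS_MAGIC = 0xCAFEBABE


def class_file_version(data):
    """Return (major, minor) from a class file's 8-byte header; raise ValueError otherwise."""
    if len(data) < 8:
        raise ValueError("truncated class file header")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a class file (bad magic)")
    return major, minor


def scan_jar(jar_bytes):
    """Map each .class entry to its major version; unreadable entries map to None."""
    versions = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            try:
                versions[name] = class_file_version(jar.read(name))[0]
            except ValueError:
                versions[name] = None
    return versions


def newest_class_version(jar_bytes):
    """Highest major version in the jar, i.e. the format the container's scanner must handle."""
    found = [v for v in scan_jar(jar_bytes).values() if v is not None]
    return max(found) if found else None


def build_sample_jar():
    """Constructed sample: header-only entries, one Java 8, one Java 7, one truncated.

    Only the header matters for the version check, so no class body is written.
    The entry names are illustrative; only ByteArrayClassPath appears in the trace.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("javassist/ByteArrayClassPath.class", struct.pack(">IHH", CLASS_MAGIC, 0, 52))
        jar.writestr("javassist/CtClass.class", struct.pack(">IHH", CLASS_MAGIC, 0, 51))
        jar.writestr("javassist/Broken.class", b"\xca\xfe")  # cut short on purpose
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    for entry, major in sorted(scan_jar(sample).items()):
        label = JAVA_RELEASE_BY_MAJOR.get(major, "unreadable" if major is None else f"major {major}")
        print(f"{entry}: {label}")
    print("newest:", JAVA_RELEASE_BY_MAJOR.get(newest_class_version(sample)))
```

A jar whose newest entry reports Java 8 while the JDK and container were chosen for Java 7, as in the setup above, is the one to look at first: the container still has to parse those class files during annotation scanning even though it never loads them under the older JDK.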