Re: [cas-user] pac4j SAML2Client and principal

2018-03-26 Thread Scott Koranda
Hi Jérôme,

The issue goes away with CAS version 5.2.3 and pac4j version 2.3.1.

Thanks,

Scott K

> Hi Jérôme,
> 
> I am using the JSON service registry. The service is registered as
> 
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
>   "name" : "testClient01",
>   "id" : 1,
>   "evaluationOrder" : 10,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "usernameAttributeProvider" : {
>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>     "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
>     "canonicalizationMode" : "NONE"
>   }
> }
> 
> So I believe the correct attribute release policy is in place to release all
> attributes to the service.
> 
> The CAS log file contains this WARN message:
> 
> 2018-03-24 10:02:59,411 WARN 
> [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] 
> -  [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==]
>  does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] among 
> attributes [{}] so CAS cannot provide the user attribute the service expects. 
> CAS will instead return the default principal id 
> [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==].
>  Ensure the attribute selected as the username is allowed to be released by 
> the service attribute release policy.>
> 
> So CAS thinks there is no attribute  "urn:oid:0.9.2342.19200300.100.1.1" but 
> earlier in the log file pac4j logs
> 
> 2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - #SAML2Profile# |
> id: AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA== |
> attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skoranda@gmail.com], mail=[skora...@gmail.com],
> urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott],
> urn:oid:2.5.4.42=[Scott], notBefore=2018-03-24T10:02:57.588Z, uid=[scott.koranda],
> urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.koranda@sphericalcowgroup.com], notOnOrAfter=2018-03-24T10:07:57.588Z,
> eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com], urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> sessionindex=_0572dab54bff96c199e29f058aae9302} | roles: [] | permissions: [] |
> isRemembered: false | clientName: null | linkedId: null |>
> 
> where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
> be populated.
> 
> Am I missing something in my JSON service configuration?
> 
> Again this is for version 5.1.3.
> 
> Thanks,
> 
> Scott K
> 
> > Hi,
> > 
> > The behavior is to create the CAS principal and attributes from the pac4j
> > principal and attributes. So you should get the pac4j attributes at the end.
> > Ignore the log about the ClientCredential, the toString method just outputs
> > the id (not the attributes).
> > 
> > Is the service configured properly (with ReturnAllAttributeReleasePolicy
> > for example)?
> > 
> > Thanks.
> > Best regards,
> > Jérôme
> > 
> > 
> > On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda <skora...@gmail.com> wrote:
> > 
> > > Hi,
> > >
> > > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > > depending on the issue of which binding is being used for the
> > > , as detailed in an earlier note to this list).
> > >
> > > I am delegating authentication to a SAML2 IdP using pac4j.
> > >
> > > After a successful authentication I see in cas.log
> > >
> > > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
> > >  > > OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUh
> > > ElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E
> > > 8uqJp0pzRmivQ== |
> > > attributes:
> > > {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[
> > > skora...@gmail.com],
> > > u

Re: [cas-user] build from source with additional modules

2018-03-26 Thread Scott Koranda
Hi,

> This is not the information you gave in the first place.
> So try not to mislead answers.

Again, thank you for your time. I appreciate that this is a community
effort.

I do not believe I have provided misleading information. My first note
explained that I am building CAS from source following the instructions
at

https://apereo.github.io/cas/developer/Build-Process-5X.html

The instructions show how to build CAS from source using Gradle.

> Why do you want to use gradle if you were using maven?

I am using Maven with the overlay approach for production deployments.

For building from source in order to help debug an issue with pac4j SAML
in version 5.2 so that I may contribute back to the community I need to
build a war file that includes the pac4j and JSON service registry
functionality.

I would like additional details not provided at the link

https://apereo.github.io/cas/developer/Build-Process-5X.html

on how to do that.

I appreciate any insights that can be provided.

Thank you again,

Scott K

> 
> 
> El domingo, 25 de marzo de 2018, Scott Koranda <skora...@gmail.com>
> escribió:
> 
> > Hi,
> >
> > > Copy etc/cas/properties to /etc/cas/properties
> > > Add modules relevant properties to that.
> > > See
> > > https://apereo.github.io/cas/5.2.x/installation/
> > Configuration-Properties.html
> >
> > Thank you for your prompt reply, but this is not the information I need.
> >
> > I have a working and configured CAS deployment deployed using a standard
> > Maven overlay approach. It is already configured to use the JSON service
> > registry and pac4j modules. I did that by appropriately adding
> > dependencies in my pom.xml file and then adding appropriate
> > configurations to /etc/cas/config/cas.properties.
> >
> > Now I want to build CAS from source using gradle and use the same
> > configuration.
> >
> > I am able to build from source as I detailed in my last note, but the
> > war file I build does not have the JSON service registry or pac4j
> > modules included.
> >
> > I need a detailed explanation or example of how I modify a gradle
> > build.gradle file to include the JSON service registry or pac4j module
> > in the war file built from source.
> >
> > I would be grateful if someone could provide that information.
> >
> > Thank you for your time.
> >
> > Scott K
> >
> > --
> > - Website: https://apereo.github.io/cas
> > - Gitter Chatroom: https://gitter.im/apereo/cas
> > - List Guidelines: https://goo.gl/1VRrw7
> > - Contributions: https://goo.gl/mh7qDG
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to cas-user+unsubscr...@apereo.org.
> > To view this discussion on the web visit https://groups.google.com/a/
> > apereo.org/d/msgid/cas-user/20180325135942.t7n63gsdppotycnd%40paprika.
> > local.
> >
> 
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5midiAa0_rXt1AefQ9M%2B4YmbfGNBtYyet8BnTPwuShXYuDw%40mail.gmail.com.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325141827.s3fz3ze46kjpczob%40paprika.local.


Re: [cas-user] pac4j SAML2Client and principal

2018-03-26 Thread Scott Koranda
Hi Jérôme,

I am using the JSON service registry. The service is registered as

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
  "name" : "testClient01",
  "id" : 1,
  "evaluationOrder" : 10,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
    "canonicalizationMode" : "NONE"
  }
}

So I believe the correct attribute release policy is in place to release all
attributes to the service.

The CAS log file contains this WARN message:

2018-03-24 10:02:59,411 WARN 
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - 


So CAS thinks there is no attribute  "urn:oid:0.9.2342.19200300.100.1.1" but 
earlier in the log file pac4j logs

2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - 

where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
be populated.

Am I missing something in my JSON service configuration?

Again this is for version 5.1.3.

Thanks,

Scott K

> Hi,
> 
> The behavior is to create the CAS principal and attributes from the pac4j
> principal and attributes. So you should get the pac4j attributes at the end.
> Ignore the log about the ClientCredential, the toString method just outputs
> the id (not the attributes).
> 
> Is the service configured properly (with ReturnAllAttributeReleasePolicy
> for example)?
> 
> Thanks.
> Best regards,
> Jérôme
> 
> 
> On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda <skora...@gmail.com> wrote:
> 
> > Hi,
> >
> > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > depending on the issue of which binding is being used for the
> > , as detailed in an earlier note to this list).
> >
> > I am delegating authentication to a SAML2 IdP using pac4j.
> >
> > After a successful authentication I see in cas.log
> >
> > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
> >  > OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUh
> > ElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E
> > 8uqJp0pzRmivQ== |
> > attributes:
> > {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[
> > skora...@gmail.com],
> > urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott
> > Koranda], givenName=[Scott],
> > urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z,
> > uid=[scott.koranda],
> > urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> > urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.kora...@sphericalcowgroup.com],
> > notOnOrAfter=2018-03-22T14:49:45.460Z,
> > eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com],
> > urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> > sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
> > permissions: [] | isRemembered: false | clientName: null | linkedId:
> > null |>
> >
> > Those are the values for NameID (transient) and attributes that I
> > expect.
> >
> > The next line in cas.log is
> >
> > 2018-03-22 14:44:46,402 INFO
> > [org.apereo.cas.authentication.AbstractAuthenticationManager] -
> >  > [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> > SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> > 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]
> > with attributes [{}] via credentials
> > [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=
> > AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> > SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> > 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].>
> >
> > So it appears that the NameID value (transient) is being used as the
> > principal, but none of the attributes are making it from the pac4j layer
> > into the CAS layer.
> >
> > Is that a correct assessment?
> >
> > If so, how can I
> >
> > a) change what value is used for the principal? I would like to use the
> > value from one of the asserted attributes.
> >
> > b) push the attributes into the CAS layer to make them available for
> > assertion downstream to the CAS client?
> >
> > I have reviewed the documentation for the Delegated/pac4j authenticati

[cas-user] Re: pac4j SAML2 authn request protocol binding

2018-03-25 Thread Scott Koranda
> I am using pac4j delegated authentication with SAML2 so that CAS uses a
> SAML2 Identity Provider (IdP) for authentication.
> 
> With CAS version 5.1.3 the  sent to the IdP has
> 
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> 
> as I expect, and that matches the metadata for the CAS server SP that
> was given to the IdP. The CAS server auto-generated SP SAML metadata
> contains
> 
>  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>  Location="https://my.server/cas/login?client_name=SAML2Client"
>  index="0"/>
> 
> So this is consistent and the SAML flow works as expected.
> 
> With CAS version 5.2.3 the  sent to the IdP has instead
> 
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> 
> That is not what I expect and appears to be a regression.
> 
> Further if I delete the auto-generated SP metadata so that CAS version
> 5.2.3 re-generates it I see in the metadata
> 
>  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>  Location="https://my.server/cas/login?client_name=SAML2Client"
>  index="0"/>
> 
> Again, this is not what I expect for the SP ACS. I would expect it to
> be using the HTTP-POST binding.
> 
> Can someone confirm that this is a regression somewhere between 5.1.3
> and 5.2.3?

I used a Maven overlay to build version 5.2.3 but then after Tomcat
exploded the WAR I did

cd /var/lib/tomcat8/webapps/cas/WEB-INF/lib
rm pac4j-saml-2.2.0.jar
cp /home/skoranda/pac4j/pac4j-saml/target/pac4j-saml-2.3.1-SNAPSHOT.jar .

and restarted Tomcat. The pac4j version 2.3.1 jar was one I built from source 
by doing

git clone g...@github.com:pac4j/pac4j.git
cd pac4j
git checkout 2.2.x
mvn install -DskipTests

That caused the issue to go away: the  from the CAS SP to
the remote IdP included

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

as I expected and it matched the  element in
the existing SP metadata.

By default when CAS 5.2.3 is deployed with a Maven overlay version 2.2.0
of pac4j is used but with version 2.3.1 of pac4j the issue is resolved.

I edited my pom.xml file and changed

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>

to be instead

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>${cas.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.pac4j</groupId>
            <artifactId>pac4j-saml</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-saml</artifactId>
    <version>2.3.1</version>
</dependency>


This allowed CAS version 5.2.3 to leverage pac4j version 2.3.1 and resolved
the issue.

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325203321.4jxx32nojpmisywx%40paprika.local.


[cas-user] Re: build from source with additional modules

2018-03-25 Thread Scott Koranda
> I would like to build CAS from source so that I can add some additional
> debugging to troubleshoot an issue with the pac4j SAML2 client support
> for version 5.2.x.
> 
> I did
> 
> git clone g...@github.com:apereo/cas.git cas-server
> cd cas-server
> git checkout 5.2.x
> ./gradlew war --parallel -x test -x javadoc -x check
> 
> The build completed successfully.
> 
> I was then able to do
> 
> sudo cp \
> ./webapp/cas-server-webapp/build/libs/cas-server-webapp-5.2.4-SNAPSHOT.war \
> /var/lib/tomcat8/webapps/cas.war
> 
> restart Tomcat 8.5 
> 
> and see the CAS server start up and access /cas/login.
> 
> I need, however, to add the module for pac4j support and for the JSON
> service registry.
> 
> I see on this page
> 
> https://apereo.github.io/cas/developer/Build-Process-5X.html
> 
> the text
> 
> "To test the functionality provided by a given CAS module, execute the
> following steps:
> 
> Add the module reference to the build script (i.e. build.gradle) of web
> application you intend to run (i.e Web App, Management Web App, etc)"
> 
> and the example
> 
> implementation project(":support:cas-server-support-modulename")
> 
> I did add the line
> 
> implementation project(":support:cas-server-support-json-service-registry")
> 
> to the file 
> 
> webapp/build.gradle
> 
> but when I copied over the war file and restarted Tomcat the configured
> JSON service registry was not recognized.
> 
> What step am I missing to add the JSON service registry support to the
> war file I build from source?

Apologies for answering my own post, but for the archives...

A correct recipe for building version 5.2.x from source with support for
the JSON service registry and the pac4j SAML functionality is

git clone g...@github.com:apereo/cas.git cas-server
cd cas-server
git checkout 5.2.x

Then edit the file

webapp/cas-server-webapp/build.gradle

and add the lines

dependencies {
    implementation project(path: ":support:cas-server-support-json-service-registry")
    implementation project(path: ":support:cas-server-support-pac4j-webflow")
}

Then execute

./gradlew war --parallel -x test -x javadoc -x check
sudo cp \
./webapp/cas-server-webapp/build/libs/cas-server-webapp-5.2.4-SNAPSHOT.war \
/var/lib/tomcat8/webapps/cas.war

After restarting Tomcat8 the code built from source will be in effect.

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325200932.jtmbs3jckk7v5g2d%40paprika.local.


Re: [cas-user] build from source with additional modules

2018-03-25 Thread Scott Koranda
Hi,

> Copy etc/cas/properties to /etc/cas/properties
> Add modules relevant properties to that.
> See
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html

Thank you for your prompt reply, but this is not the information I need.

I have a working and configured CAS deployment deployed using a standard
Maven overlay approach. It is already configured to use the JSON service
registry and pac4j modules. I did that by appropriately adding
dependencies in my pom.xml file and then adding appropriate
configurations to /etc/cas/config/cas.properties.

Now I want to build CAS from source using gradle and use the same
configuration.

I am able to build from source as I detailed in my last note, but the
war file I build does not have the JSON service registry or pac4j
modules included.

I need a detailed explanation or example of how I modify a gradle
build.gradle file to include the JSON service registry or pac4j module
in the war file built from source.

I would be grateful if someone could provide that information.

Thank you for your time.

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325135942.t7n63gsdppotycnd%40paprika.local.


[cas-user] build from source with additional modules

2018-03-24 Thread Scott Koranda
Hi,

I would like to build CAS from source so that I can add some additional
debugging to troubleshoot an issue with the pac4j SAML2 client support
for version 5.2.x.

I did

git clone g...@github.com:apereo/cas.git cas-server
cd cas-server
git checkout 5.2.x
./gradlew war --parallel -x test -x javadoc -x check

The build completed successfully.

I was then able to do

sudo cp \
./webapp/cas-server-webapp/build/libs/cas-server-webapp-5.2.4-SNAPSHOT.war \
/var/lib/tomcat8/webapps/cas.war 

restart Tomcat 8.5 

and see the CAS server start up and access /cas/login.

I need, however, to add the module for pac4j support and for the JSON
service registry.

I see on this page

https://apereo.github.io/cas/developer/Build-Process-5X.html

the text

"To test the functionality provided by a given CAS module, execute the
following steps:

Add the module reference to the build script (i.e. build.gradle) of web
application you intend to run (i.e Web App, Management Web App, etc)"

and the example

implementation project(":support:cas-server-support-modulename")

I did add the line

implementation project(":support:cas-server-support-json-service-registry")

to the file 

webapp/build.gradle

but when I copied over the war file and restarted Tomcat the configured
JSON service registry was not recognized.

What step am I missing to add the JSON service registry support to the
war file I build from source?

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180324163227.ca72ilrewnfdnojn%40paprika.local.


[cas-user] pac4j SAML2Client and principal

2018-03-22 Thread Scott Koranda
Hi,

I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
depending on the issue of which binding is being used for the
, as detailed in an earlier note to this list).

I am delegating authentication to a SAML2 IdP using pac4j.

After a successful authentication I see in cas.log

2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -


Those are the values for NameID (transient) and attributes that I
expect.

The next line in cas.log is

2018-03-22 14:44:46,402 INFO
[org.apereo.cas.authentication.AbstractAuthenticationManager] -


So it appears that the NameID value (transient) is being used as the
principal, but none of the attributes are making it from the pac4j layer
into the CAS layer.

Is that a correct assessment?

If so, how can I

a) change what value is used for the principal? I would like to use the
value from one of the asserted attributes.

b) push the attributes into the CAS layer to make them available for
assertion downstream to the CAS client?

I have reviewed the documentation for the Delegated/pac4j authentication at

https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html

and that for Attribute Resolution at

https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html

but I am not able to find a configuration option that appears to tell
pac4j to push the attributes into the Authentication object.

Thank you for your consideration.

Scott K


To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180322152546.o52kuzuh6u227e5s%40paprika.local.
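
As an added example (not code from the thread, from CAS or from pac4j), the following Python models the username-resolution step behind the question above and the WARN quoted in the 2018-03-26 message: the configured usernameAttribute is looked up among the attributes the service's release policy lets through, and CAS falls back to the principal id when it is absent. The service JSON is the one registered in the thread; PAC4J_ATTRIBUTES is a constructed subset of the logged SAML2Profile, and TRANSIENT_ID stands in for the opaque NameID. It goes beyond the thread's case by also modelling ReturnAllowedAttributeReleasePolicy, so that "no attributes reached CAS" and "the policy did not release the username attribute" can be told apart.

```python
import json

# The JSON service registry entry from the thread (serviceId quote mark repaired).
SERVICE_JSON = """
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
  "name" : "testClient01",
  "id" : 1,
  "evaluationOrder" : 10,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
    "canonicalizationMode" : "NONE"
  }
}
"""
RETURN_ALL = "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
RETURN_ALLOWED = "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy"
ATTR_USERNAME = "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider"

# Constructed subset of the pac4j SAML2Profile attributes logged in the thread.
PAC4J_ATTRIBUTES = {
    "urn:oid:0.9.2342.19200300.100.1.1": ["scott.koranda"],
    "uid": ["scott.koranda"],
    "displayName": ["Scott Koranda"],
    "givenName": ["Scott"],
    "sn": ["Koranda"],
}
# Stand-in for the opaque transient NameID that CAS used as the principal id.
TRANSIENT_ID = "TRANSIENT-NAMEID-PLACEHOLDER"


def released_attributes(service, attributes):
    """Simplified release-policy model: ReturnAll passes everything, ReturnAllowed
    keeps only the listed attributes; other policy classes are not modelled."""
    policy = service["attributeReleasePolicy"]
    cls = policy["@class"]
    if cls == RETURN_ALL:
        return dict(attributes)
    if cls == RETURN_ALLOWED:
        allowed = policy.get("allowedAttributes", [])
        if allowed and allowed[0] == "java.util.ArrayList":  # CAS list serialisation
            allowed = allowed[1]
        return {k: v for k, v in attributes.items() if k in allowed}
    raise ValueError("release policy not modelled: " + cls)


def resolve_username(service, principal_id, attributes):
    """Return (username, warning), following the behaviour the WARN describes:
    the username attribute is looked up among the *released* attributes and
    CAS falls back to the principal id when it is not there."""
    provider = service.get("usernameAttributeProvider", {})
    if provider.get("@class") != ATTR_USERNAME:
        return principal_id, None
    wanted = provider["usernameAttribute"]
    released = released_attributes(service, attributes)
    if wanted in released:
        value = released[wanted]
        return (value[0] if isinstance(value, list) else value), None
    warning = ("[%s] does not have an attribute [%s] among attributes %s; "
               "returning the default principal id" % (principal_id, wanted, sorted(released)))
    return principal_id, warning


def diagnose(service_json=SERVICE_JSON):
    """Three situations an operator should be able to tell apart from the WARN."""
    service = json.loads(service_json)
    healthy = resolve_username(service, TRANSIENT_ID, PAC4J_ATTRIBUTES)
    # What the thread saw on CAS 5.1.3: the principal reached CAS with no attributes.
    empty = resolve_username(service, TRANSIENT_ID, {})
    # Same pac4j attributes, but a policy that does not release the username attribute.
    restricted = dict(service)
    restricted["attributeReleasePolicy"] = {
        "@class": RETURN_ALLOWED,
        "allowedAttributes": ["java.util.ArrayList", ["displayName", "sn"]],
    }
    policy_gap = resolve_username(restricted, TRANSIENT_ID, PAC4J_ATTRIBUTES)
    return {"healthy": healthy, "empty_attributes": empty,
            "policy_excludes_username": policy_gap}
```

An "attributes []" in the warning, as in the thread, points at the principal resolution (nothing reached CAS), whereas a non-empty list without the wanted attribute points at the release policy.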


[cas-user] pac4j SAML2 authn request protocol binding

2018-03-21 Thread Scott Koranda
Hi,

I am using pac4j delegated authentication with SAML2 so that CAS uses a
SAML2 Identity Provider (IdP) for authentication.

With CAS version 5.1.3 the  sent to the IdP has

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

as I expect, and that matches the metadata for the CAS server SP that
was given to the IdP. The CAS server auto-generated SP SAML metadata
contains

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://my.server/cas/login?client_name=SAML2Client"
index="0"/>

So this is consistent and the SAML flow works as expected.

With CAS version 5.2.3 the  sent to the IdP has instead

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

That is not what I expect and appears to be a regression.

Further if I delete the auto-generated SP metadata so that CAS version
5.2.3 re-generates it I see in the metadata

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://my.server/cas/login?client_name=SAML2Client"
index="0"/>

Again, this is not what I expect for the SP ACS. I would expect it to
be using the HTTP-POST binding.

Can someone confirm that this is a regression somewhere between 5.1.3
and 5.2.3?

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180321212411.yrgvkw5jcbldzbla%40paprika.local.
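
As an added example (not from the thread, CAS or pac4j) covering this message and the 2018-03-25 follow-up above, the following Python checks an SP's metadata against the AuthnRequest it sends, which is the consistency the thread relies on. The constructed metadata and request mirror the ACS Binding and ProtocolBinding values quoted in the thread; LOGIN_URL, the entityID and the request's AssertionConsumerServiceURL are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
LOGIN_URL = "https://my.server/cas/login?client_name=SAML2Client"  # assumed ACS URL


def sp_metadata(acs_binding):
    """Constructed SP metadata modelled on the thread: one ACS at the CAS login URL."""
    return f'''<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://my.server/cas">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS["samlp"]}">
    <md:AssertionConsumerService Binding="{acs_binding}"
        Location="{LOGIN_URL}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>'''


def authn_request(protocol_binding, acs_url=LOGIN_URL):
    """Constructed AuthnRequest carrying the ProtocolBinding the thread quotes."""
    return f'''<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_c0ffee" Version="2.0"
    IssueInstant="2018-03-21T21:24:11Z" ProtocolBinding="{protocol_binding}"
    AssertionConsumerServiceURL="{acs_url}"/>'''


def acs_endpoints(metadata_xml):
    """List the AssertionConsumerService endpoints an SP advertises."""
    root = ET.fromstring(metadata_xml)
    return [{"binding": e.get("Binding"), "location": e.get("Location"), "index": e.get("index")}
            for e in root.iterfind(".//md:AssertionConsumerService", NS)]


def check_binding_consistency(metadata_xml, authn_request_xml):
    """Return a list of findings; empty means request and metadata agree.
    1. The ACS binding itself: the SAML 2.0 Web Browser SSO profile delivers the
       Response by HTTP-POST or HTTP-Artifact, never HTTP-Redirect, so an ACS
       advertised with HTTP-Redirect cannot work whatever the request says.
    2. The ProtocolBinding/AssertionConsumerServiceURL pair in the request must
       name an endpoint the metadata the IdP holds actually advertises."""
    req = ET.fromstring(authn_request_xml)
    proto = req.get("ProtocolBinding")
    acs_url = req.get("AssertionConsumerServiceURL")
    endpoints = acs_endpoints(metadata_xml)
    findings = []
    if not endpoints:
        return ["SP metadata advertises no AssertionConsumerService"]
    for e in endpoints:
        if e["binding"] == HTTP_REDIRECT:
            findings.append("ACS index %s uses HTTP-Redirect; expected HTTP-POST" % e["index"])
    if not any(e["binding"] == proto and e["location"] == acs_url for e in endpoints):
        findings.append("AuthnRequest asks for %s at %s, which the metadata does not advertise (%s)"
                        % (proto, acs_url, [(e["binding"], e["location"]) for e in endpoints]))
    return findings


def demo():
    """The three situations described in the thread."""
    return {
        # CAS 5.1.3: POST in the request, POST in the metadata given to the IdP.
        "5.1.3": check_binding_consistency(sp_metadata(HTTP_POST), authn_request(HTTP_POST)),
        # CAS 5.2.3 with the old metadata still at the IdP: request switched to Redirect.
        "5.2.3_old_metadata": check_binding_consistency(sp_metadata(HTTP_POST),
                                                        authn_request(HTTP_REDIRECT)),
        # CAS 5.2.3 after regenerating metadata: internally consistent, but the ACS
        # binding is still wrong.
        "5.2.3_regenerated": check_binding_consistency(sp_metadata(HTTP_REDIRECT),
                                                       authn_request(HTTP_REDIRECT)),
    }
```

Running the same check against the real auto-generated metadata file and a captured AuthnRequest is a quick way to confirm a binding regression before involving the IdP operator.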


[cas-user] only delegated (pac4j SAML) authentication and no button click

2018-02-27 Thread Scott Koranda
Hello,

I am running CAS 5.2.2.

I have successfully configured CAS to use pac4j for delegated 
authentication. Specifically CAS/pac4j is configured as a SAML SP. 

When I browse to a CAS client I am redirected to the CAS server login page. 
I can then click a button to kick off the SAML flow and am redirected to 
the SAML IdP for authentication. After returning to the CAS/pac4j SAML SP I 
am then redirected to the CAS client with a ticket, which is later 
validated and I successfully access the resource.

I would like the delegated SAML authentication flow to be the only CAS 
authentication mechanism and I would like it so that I do not have to click 
a button to kick off the SAML flow. Ideally the user would never "see" the 
CAS server at all.

I thought this configuration would make that happen:

cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
cas.authn.policy.req.handlerName=Pac4j
cas.authn.policy.req.tryAll=false
cas.authn.policy.req.enabled=true
cas.authn.accept.users=

With this configuration I still see the login page and have to click a 
button to cause the SAML flow.

Is it possible to have the SAML flow start immediately without having to 
click the button? 

If so what configuration do I need?

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e93b3d08-8bf3-42e3-b7e0-5e856b8f8af8%40apereo.org.