Re: [cas-user] CAS 5.3.2 - Delegate auth to SAML2 IdP issue - No client found for name: SAML2Client

2018-08-02 Thread Steve Hespelt
IMHO, Nebil has a fair point. The pac4j.saml[0].clientName property is in
the 5.2.x doc (line 27 of the SAML section under the Pac4j delegated authn
section) but not the 5.3.x. Being paranoid & cynical, I have to wonder, if
the documentation for 1 property has been removed, what are the odds it's
the only piece of regressed documentation?  I have to jump back into CAS
5.3 soon, I need to invest the time into determining how to find all the
config properties in the source code, because of my cynicism.
I give thanks each day for the excellent project & user community feedback and
postings. Helps us all, I suspect.

Hopefully, my cynicism will improve over the remainder of today...
-Steve

On Thu, Aug 2, 2018 at 4:23 AM, Nebil Mabrouk 
wrote:

>
> Thank you Misagh, it works.
> But this property does not exist in CAS documentation (
> https://apereo.github.io/cas/5.3.x/installation/
> Configuration-Properties.html#saml2).
>
> Nebil
>
>
> On Wed, Aug 1, 2018 at 10:22 PM, Misagh Moayyed 
> wrote:
>
>> cas.authn.pac4j.saml[0].clientName=SAML2Client
>>
>> --Misagh
>>
>> --
>>
>> *From: *"Nebil Mabrouk" 
>> *To: *"CAS Community" 
>> *Sent: *Wednesday, August 1, 2018 1:15:18 PM
>> *Subject: *[cas-user] CAS 5.3.2 - Delegate auth to SAML2 IdP issue - No
>> client found for name: SAML2Client
>>
>> Hello,
>> I followed the tutorial (https://apereo.github.io/2017
>> /03/22/cas51-delauthn-tutorial/) to delegate CAS authentication to an
>> external SAML2 IdP.
>> It works well with CAS 5.2.x, but when I upgraded to CAS 5.3.2, I have
>> the following errors:
>>
>>
>> *==> In the browser I see:*
>> Application Not Authorized to Use CAS
>> The application you attempted to authenticate to is not authorized to use
>> CAS. This usually indicates that the application is not registered with
>> CAS, or its authorization policy defined in its registration record
>> prevents it from leveraging CAS functionality, or it's malformed and
>> unrecognized by CAS. Contact your CAS administrator to learn how you might
>> register and integrate your application with CAS.
>>
>>
>> *==> in the logs: *
>> ERROR [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] -
>> 
>> org.pac4j.core.exception.TechnicalException: No client found for name:
>> SAML2Client
>> at org.pac4j.core.client.Clients.findClient(Clients.java:128)
>> ~[pac4j-core-3.0.1.jar!/:?]
>>
>>
>> I added the following dependency in build.gradle
>>
>> *compile* 
>> "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
>>
>>
>> *Here are the properties I use:*
>>
>> cas.authn.pac4j.saml[0].keystorePassword=zzz
>> cas.authn.pac4j.saml[0].privateKeyPassword=zzz
>> cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org
>> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/sp-metadata.xml
>> cas.authn.pac4j.saml[0].keystorePath=/keystore
>> cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://x.oktapreview.com/app/xx/sso/saml/metadata
>>
>>
>> I also added the following service declaration
>>
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "^https://localhost:8446/iam-client-2(\\z|/.*)",
>>   "name" : "CAS Client 2",
>>   "id" : 3,
>>   "description" : "CAS java webapp client",
>>   "attributeReleasePolicy" : {
>> "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>> "allowedAttributes" : {
>>   "@class" : "java.util.TreeMap",
>>   "Group" : "role",
>>   "FirstName" : "FirstName",
>>   "LastName" : "LastName",
>>   "Email" : "Email"
>> }
>>   }
>> }
>>
>>
>>
>> Have I missed something? please help
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/914dc1d1-a924-46cd-96bc-7556040abda8%40apereo.org
>>
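
The failure in this thread is a name lookup: pac4j resolves the `client_name` on the callback URL against the configured clients, and with no `clientName` property in the CAS 5.3.2 configuration there is nothing called `SAML2Client` to find. The script below is an added example (not code from the thread or from the CAS/pac4j projects) that checks a `cas.authn.pac4j.*` properties file before CAS starts, so the gap is reported up front instead of as a `TechnicalException` at login time. The property set is constructed from the values posted above plus the `clientName` from the reply; the list of required keys per client type and the exact-match lookup are assumptions made for this check, not the CAS schema.

```python
"""Added example (not from the thread or the CAS project): sanity-check the
cas.authn.pac4j.<type>[<n>].* delegated-client properties and resolve the
client_name on a callback URL the way the error in the thread implies."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the SAML block from the post with the clientName the
# reply added, plus a minimal OIDC block (values are placeholders).
SAMPLE_PROPERTIES = """\
cas.authn.pac4j.saml[0].keystorePassword=zzz
cas.authn.pac4j.saml[0].privateKeyPassword=zzz
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/sp-metadata.xml
cas.authn.pac4j.saml[0].keystorePath=/keystore
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://x.oktapreview.com/app/xx/sso/saml/metadata
cas.authn.pac4j.saml[0].clientName=SAML2Client
cas.authn.pac4j.oidc[0].type=GOOGLE
cas.authn.pac4j.oidc[0].clientName=GoogleOIDC
"""

# Keys each client type must carry. This is an assumption for the check,
# not the authoritative CAS property schema.
REQUIRED = {
    "saml": {"clientName", "keystorePath", "keystorePassword", "privateKeyPassword",
             "serviceProviderEntityId", "identityProviderMetadataPath"},
    "oidc": {"clientName", "type"},
}

_KEY = re.compile(r"^cas\.authn\.pac4j\.(?P<type>[a-z0-9]+)\[(?P<idx>\d+)\]\.(?P<prop>[A-Za-z0-9]+)$")


def parse_clients(text):
    """Group cas.authn.pac4j.<type>[<n>].<prop>=value lines into {(type, n): {prop: value}}."""
    clients = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = _KEY.match(key.strip())
        if m:
            clients[(m["type"], int(m["idx"]))][m["prop"]] = value.strip()
    return dict(clients)


def missing_properties(clients):
    """Return {(type, n): [missing keys]} for every client that is incomplete."""
    problems = {}
    for (ctype, idx), props in clients.items():
        gap = sorted(REQUIRED.get(ctype, {"clientName"}) - props.keys())
        if gap:
            problems[(ctype, idx)] = gap
    return problems


def resolve_callback_client(callback_url, clients):
    """Look up the client_name query parameter of a /cas/login callback against
    the configured clientName values; the name must match exactly, which is the
    lookup that fails with 'No client found for name' in the thread."""
    name = parse_qs(urlsplit(callback_url).query).get("client_name", [None])[0]
    if name is None:
        raise ValueError("callback URL carries no client_name parameter")
    configured = {p.get("clientName") for p in clients.values()} - {None}
    if name not in configured:
        raise LookupError(f"No client found for name: {name} (configured: {sorted(configured)})")
    return name


if __name__ == "__main__":
    cfg = parse_clients(SAMPLE_PROPERTIES)
    print("missing:", missing_properties(cfg))
    print(resolve_callback_client("https://localhost:8443/cas/login?client_name=SAML2Client", cfg))
```

Run it against the real `cas.properties` by reading the file into `parse_clients`; the `client_name` you feed to `resolve_callback_client` is the one in the redirect URI registered at the identity provider, and it has to agree with `clientName` character for character.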

Re: [cas-user] buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

2018-04-19 Thread Steve Hespelt
Well, I stumbled across a few config properties I decided to try (desperate 
people do desperate things...)

cas.http-web-request.cors.allow-credentials=true
# ? where are login requests coming from? Our webapp server name(s)
# is this needed to get the final redirect back to our app ??
cas.http-web-request.cors.allow-origins=localhost
# ?? 
cas.webflow.redirect-same-state=true

Restarted CAS, same test case.
now I see this warning log:
2018-04-19 15:47:48,430 WARN 
[org.apereo.cas.web.flow.ServiceAuthorizationCheck] - https://localhost:8449/callback?client_name=CasClient] is not found in 
service registry.>
 I have to have a Service defined for the call back to the initial app 
???


2018-04-19 15:47:48,432 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - https://localhost:8449/callback?client_name=CasClient] 
is not found in service registry.]>

Has anyone actually gotten delegated authentication to flow from CAS back 
to an app that used the CAS protocol to request authentication to work? 
using CAS 5.2.x ?  Reading tons of CAS docs have provided no magic beans, 
nor did any page mention having to have a call back service defined...
Am I frustrated? You bet.
Is it correct for me to assume that this use case is 'typical' and that, being 
typical, the default webflow definitions in CAS 5.2.2 ought to provide for it 
working? The docs 
at https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html 
certainly suggest to me that's the case.
Sure would like to make use of many of the positive features described in 
CAS 5.2.x. But I have to wonder if I'm missing much of the necessary 
details.  I would like to avoid implementing all the features myself. Never 
been a big fan of the "let's reinvent the wheel" school of development. 
But...

Any insights, magic beans greatly appreciated.
-steve 


On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>
> Hi Jérôme,
> I found an earlier posting 
> <https://groups.google.com/a/apereo.org/d/msg/cas-user/bGZam9qkP3E/IKPTYzp7AQAJ>
>  
> from 12/21/17 regarding the NPEs, so as suggested by that posting, I 
> restarted CAS & then cleared all related cookies from the browser. Once I 
> restart CAS & re-initiated the same flow, no more NPE as shown in my log. 
> But I still have the problem with the webflow not finishing as I expect.
> I increased the log level to trace on a few packages:
> org.apereo.cas.web.flow
> org.springframework.webflow
> org.springframework.session
> org.springframework.web
> org.springframework.web.socket
> Some log entries of interest (to me): (and I'm currently guessing the 
> issue may be related to a SSO log msg at 2018-04-19 11:53:23,186  below.  
> Why would a service not be allowed to use SSO ?
> -steve
>
> 2018-04-19 11:53:01,183 TRACE 
> [org.springframework.web.servlet.DispatcherServlet] -  context to thread: org.apache.catalina.connector.RequestFacade@33327a12>  
>   <- this object ref# shows up later, at the bottom so I'm correlating 
> this initial log with the later ('completion' ) log msg below with the same 
> object ref#...
> 2018-04-19 11:53:01,183 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] -  with name 'dispatcherServlet' processing GET request for [/cas/login]>
>
> 2018-04-19 11:53:01,209 TRACE 
> [org.apereo.cas.web.CasWebApplicationContext] -  org.apereo.cas.web.CasWebApplicationContext@222545dc: 
> ServletRequestHandledEvent: url=[/cas/login]; client=[0:0:0:0:0:0:0:1]; 
> method=[GET]; servlet=[dispatcherServlet]; 
> session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms]; 
> status=[OK]>  <- From the pac4j demo's SecurityFilter redirect to initial 
> request on /cas/index.jsp
>
> 2018-04-19 11:53:22,914 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] -  with name 'dispatcherServlet' processing GET request for [/cas/login]>
>
> 2018-04-19 11:53:22,921 TRACE 
> [org.springframework.web.servlet.DispatcherServlet] -  [org.springframework.webflow.mvc.servlet.FlowHandlerMapping@2ee91bdf] in 
> DispatcherServlet with name 'dispatcherServlet'>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] -  request with URI '/cas/login' to flow with id 'login'>
>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.executor.FlowExecutorImpl] -  execution of flow 'login' with input map['state' -> 
> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> 
> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME',
>  
>
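
The warning in the post above, `[https://localhost:8449/callback?client_name=CasClient] is not found in service registry`, means no registered service's `serviceId` pattern matched that exact URL, query string included. The block below is an added example (not code from the thread or from CAS) that reproduces the lookup offline: a small constructed registry holding the two `serviceId` regexes posted in this archive, a hypothetical entry for the pac4j callback, and a host-anchored variant of the broad `testing.com` pattern. It assumes, as CAS documentation for `RegexRegisteredService` implies by recommending `^` anchors, that matching is a regex search over the whole service URL; Java's `\z` is written `\Z` in Python. The security point it makes is that a `.*` placed before the host part of the pattern can be satisfied by characters in the path or query, so the pattern also accepts URLs on hosts you never meant to authorize.

```python
"""Added example (not part of the thread or of CAS): resolve a service URL
against regex serviceIds the way a CAS service registry lookup does, to show
why an unescaped '?' or a missing entry yields 'not found in service
registry', and why an unanchored host pattern is too broad."""
import re

# Constructed registry. Ids 3 and 1001 reuse patterns posted in this archive;
# 1002 and 2000 are hypothetical entries added for the example.
REGISTRY = [
    {"id": 3, "name": "CAS Client 2",
     "serviceId": r"^https://localhost:8446/iam-client-2(\Z|/.*)"},
    {"id": 1001, "name": "sample (too broad)",
     "serviceId": r"^(http|https)://.*\.testing\.com/.*"},
    {"id": 1002, "name": "sample (host anchored)",
     "serviceId": r"^https://([a-z0-9-]+\.)*testing\.com(/.*)?$"},
    # The pac4j callback carries client_name in the query string, so the
    # pattern must cover it and the '?' must be escaped.
    {"id": 2000, "name": "buji-pac4j demo callback",
     "serviceId": r"^https://localhost:8449/callback\?client_name=CasClient$"},
]


def find_service(url, registry=REGISTRY):
    """Return the first registry entry whose serviceId regex matches url, else None."""
    for svc in registry:
        if re.compile(svc["serviceId"]).search(url):
            return svc
    return None


def matching_ids(url, registry=REGISTRY):
    """Every service id whose pattern matches url; more than one, or a hit on a
    URL you did not expect, points at an over-broad pattern."""
    return [svc["id"] for svc in registry if re.compile(svc["serviceId"]).search(url)]


if __name__ == "__main__":
    for u in ("https://localhost:8449/callback?client_name=CasClient",
              "https://localhost:8449/callback?client_name=GoogleOIDC",
              "https://localhost:8446/iam-client-2/login",
              "https://app.testing.com/home",
              "https://evil.example/?x=.testing.com/"):
        hit = find_service(u)
        print(u, "->", hit["name"] if hit else "not found in service registry")
```

The `evil.example` URL is matched only by the broad pattern 1001: its leading `.*` swallows `evil.example/?x=` and the literal `.testing.com/` is then found in the query string. Since anything a `serviceId` accepts is treated as an authorized service, anchor the host (as entry 1002 does) and keep the query string out of the pattern unless, as with the pac4j callback, it is part of what identifies the service.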

[cas-user] buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

2018-04-17 Thread Steve Hespelt
also posted in the "Pac4j users mailing list" group as well.

Hi, I'm hoping my usage is pretty common & someone has already made this 
scenario work properly.

My objective is to use the buji-pac4j-demo-master (3.2.0-SNAPSHOT) project 
as a starting point as a CAS client, having CAS delegate via the pac4j 
webflow support; eventually I want to make use of the SSO and ticket 
management in CAS 5.2.x (5.2.2 currently).

The intended webflow:  demo app (buji-pac4j-demo-master) security filter 
redirects to CAS via the buji-pac4j CasClient.loginUrl=
https://localhost:8443/cas/login which will redirect to Google
OIDC auth url, with flow eventually returning credentials, profile info to 
the SecurityFilter to redirect to original requested URL (eg. 
https://localhost:8449/cas/index.jsp)

I've got the buji-pac4j-demo-master configured so I can test using jetty 
(using https on port 8449).

initial CAS 5.2.3 setup is with 1 delegated IDP. per 
https://apereo.github.io/cas/5.2.x/integration/Delegate-Authentication.html, 
I added the cas-server-support-pac4j-webflow (5.2.3) artifact to the CAS 
overlay's pom.
my CAS 5.2.2 server is listening for incoming https connections on port 
8443.

So, my understanding is that CAS will not bother with the CAS generated 
login page, but (autoRedirect==true) will just redirect the login request 
to the 1 configured delegated IDP. 
This works as I expect, I get the usual Google login page, I authenticate & 
I get redirected but only back to the CAS login page.

BUT, while it looks as though CAS is processing the redirect from Google 
[see below log msgs involving 
org.pac4j.oidc.credentials.extractor.OidcExtractor], no sign that it is 
responding to the application's request - lots of gory details below gives 
me reason to suspect that. First is the response code of 200 on the 
redirect for CAS to process Google's response.

So my embarrassingly large post boils down to: What am I missing to get CAS 
to finish the webflow by returning the response with the authenticated 
credentials back the initial requesting app, the pac4j demo's 
SecurityFilter?  Any chance it's related to the below response header 
showing for a Set-Cookie field with the following: Secure; HttpOnly ?

Thank you for any insights.
-steve 


my cas.properties contains the following cas.authn.pac4j.* settings.

cas.authn.pac4j.autoRedirect=true
cas.authn.pac4j.oidc[0].id=**.apps.googleusercontent.com
cas.authn.pac4j.oidc[0].secret=my-secret
cas.authn.pac4j.oidc[0].type=GOOGLE
cas.authn.pac4j.oidc[0].scope=openid profile
cas.authn.pac4j.oidc[0].clientName=GoogleOIDC
cas.pac4j.oidc.discoveryUri=
https://accounts.google.com/.well-known/openid-configuration



My Google console authorized redirect URIs has 1:  
https://localhost:8443/cas/login?client_name=GoogleOIDC

So the following is working:
SecurityFilter is generating a 302 redirect response to the initial 
(unauthenticated) request for https://localhost:8449/cas/index.jsp
  response header has location=
https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient
 Server: Jetty(9.3.8.v20160314)

redirect sent to CAS is:  
https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient
   response header has location=https://accounts.google.com/o/oauth2/v2/auth? 
response_type=code&client_id=myclientID*.apps.googleusercontent.com
&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw
   response header also has Set-Cookie: 
JSESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; Path=/cas; Secure; HttpOnly

This results in the CAS instance redirecting via 302 response the following 
request URL (same as response location above):
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=myclientID*.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw

I get the Google login page, enter my credentials and the generated 
response is a 302 redirect
   response header has location=
https://localhost:8443/cas/login?client_name=GoogleOIDC&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw&code=4/AAA9qlRlbkuWmFzJO1nvr23LnRf4HVoMu9eqJeQ-nzq922D375okGqD52Dv_haMQIYAkV5ikouz3NAtLbJg2csA&authuser=0&session_state=da7bae9eb4fa3459e15f94e81f06a8258c41c9c1..b186&prompt=none#
state value matches the value provided in above CAS (pac4j oidc code) 
redirect - good.

The redirect response has a status code: 200. request cookie has TGC key, 
SESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; 
JSESSIONID=sghbip4bak977llku5mld199
 and Referer: https://localhost:8449/

So the cas_audit.log has: (time matches Chrome's display of the 
request/response details)
WHO: null
WHAT: Supplied credentials: 
[org.apereo.cas.authentica

Re: [cas-user] CAS 5.1 Question to retrieve Facebook Profile Fields

2018-04-03 Thread Steve Hespelt
Hi Raymond,
I came across your post & I have a really (?) simple question: where did 
you find documentation on what values should be used for various authn 
properties, e.g. the cas.authn.pac4j.facebook.scope=public_profile,email that 
you had in the 6/22/17 post? I've been looking at the CAS 5.2.x docs & one 
thing I've noticed is a lack of detail on what values are meaningful for 
various properties & the implications of using such values. Grepping the 
src tree for fully specified property names or just prefixes (e.g. 
"cas.authn.pac4j.") results in matches found only in /docs/, so 
obviously the code doesn't use full property name strings to retrieve 
values.

Hope you can just point me in the right direction. 
And I'm curious if you find the solution to your post.
Thanks,
-steve

On Thursday, June 22, 2017 at 3:16:48 AM UTC-4, Raymond Cheng - ITD wrote:
>
> Hi,
>
>  
>
> I am trying to setup CAS 5.1 and I have enabled Facebook login 
> successfully.
>
> But I cannot retrieve Facebook Fields and server log see empty attribute 
> list in principal.
>
>  
>
> Please kindly advise if there is some setting missing. Thanks!
>
>  
>
> Regards,
>
> Raymond Cheng
>
>  
>
> [service json]
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "id": 1001,
>   "name": "sample",
>   "serviceId": "^(http|https)://.*\\.testing\\.com/.*",
>   "evaluationOrder": 1,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", [ "id", "name", "first_name", "middle_name", "last_name", "email" ] ]
>   }
> }
>
>  
>
> [cas.properties]
>
> cas.authn.pac4j.name=facebook login
> cas.authn.pac4j.typedIdUsed=true
> cas.authn.pac4j.autoRedirect=false
>
> cas.authn.pac4j.facebook.id=123
> cas.authn.pac4j.facebook.secret=123
> cas.authn.pac4j.facebook.scope=public_profile,email
> cas.authn.pac4j.facebook.fields=id,name,first_name,middle_name,last_name,email
>
>  
>
> [cas log on startup]
>
> 2017-06-22 15:04:15,645 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - attribute repositories is [[]]>
> 2017-06-22 15:04:15,656 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - merging strategy for attribute sources is [REPLACE]>
> 2017-06-22 15:04:15,666 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - repository sources are available/defined to merge together.>
>
> [cas log after facebook login]
>
> 2017-06-22 14:34:45,167 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - [org.pac4j.oauth.profile.facebook.FacebookProfile#112233406054479] in the repository so no attributes are returned.>
> 2017-06-22 14:34:45,168 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - [org.pac4j.oauth.profile.facebook.FacebookProfile#112233406054479] from the attribute repository.>
> 2017-06-22 14:34:45,169 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - will be used instead.>
> 2017-06-22 14:34:45,171 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - [org.pac4j.oauth.profile.facebook.FacebookProfile#112233406054479], no caching takes place for [DefaultPrincipalAttributesRepository] to add attributes.>
> 2017-06-22 14:34:45,172 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - [org.pac4j.oauth.profile.facebook.FacebookProfile#112233406054479]>
> 2017-06-22 14:34:45,173 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - attributes for [org.pac4j.oauth.profile.facebook.FacebookProfile#112233406054479]>
> 2017-06-22 14:34:45,173 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - [{}] for [org.pac4j.oauth.profile.facebook.FacebookProfile#112233406054479]>
> 2017-06-22 14:34:45,174 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> 2017-06-22 14:34:45,174 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> 2017-06-22 14:34:45,175 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - any>
> 2017-06-22 14:34:45,175 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> 2017-06-22 14:34:45,176 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> 2017-06-22 14:34:45,176 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> 2017-06-22 14:34:45,177 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
> 2017-06-22 14:34:45,177 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeRel