[cas-user] U2F works and doesn't work

2018-03-27 Thread Tim Tyler
CAS experts,



We are running CAS 5.2.  We configured MFA to use mfa-u2f.  We bought two
devices.  We bought a u2fzero cheap product which actually works just
fine.   We bought another slightly more expensive u2f Thetis brand.  It
won’t work at all.  The device does receive the challenge (blinks), but
once we click on it, it gives a 500 error:



org.springframework.webflow.execution.ActionExecutionException: Exception
thrown executing
org.apereo.cas.adaptors.u2f.web.flow.U2FAccountSaveRegistrationAction@571d28fe
in state 'saveRegistration' of flow 'mfa-u2f' -- action execution
attributes were 'map[[empty]]'



We have not really configured much in cas.properties yet.  Didn’t think we
had to.  Any idea why one u2f device works and the other doesn’t?







Tim Tyler

Network Engineer

Beloit College

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b27ee95eb27df63176a68c7d1ef88ec%40mail.gmail.com.


[cas-user] FYI Had to modify column size for Trusted Device

2018-03-22 Thread Tim Tyler
CAS Community.

  We setup 2FA with Trusted Device on MariaDB on Redhat 7.   In order to
get Trusted Device working, we had to modify the column size of recordKey
column as it was too small.  It was set to 500.  We set it to 8k, but we
are not sure what the optimal size would be.  It is fine at 8k. Probably be
fine at 4k, maybe smaller.  It seems like it might be a good idea to fix
this in the distribution.  Small fix that might save others some hassle if
they are using Mariadb or perhaps some other databases.





Tim Tyler

Network Engineer

Beloit College

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/614ecba0a3de847b4f542bcb28067aab%40mail.gmail.com.


[cas-user] Trusted Device/Browser failing in db storage -Data too long

2018-03-13 Thread Tim Tyler
CAS experts,



  We are running CAS 5.2.  We have MFA working fine with Google Authenticator
which is stored in an MFA database.  We are now trying to add in the
Trusted device configuration.  So we created a new database, mfatrusted.
 I assume we should not use the same database that we created for google
auth.  We know the database schema is getting created and it does create
the following:



MariaDB [mfatrust]> show tables;
+--------------------------------------+
| Tables_in_mfatrust                   |
+--------------------------------------+
| MultifactorAuthenticationTrustRecord |
+--------------------------------------+
1 row in set (0.00 sec)

MariaDB [mfatrust]> select * from MultifactorAuthenticationTrustRecord;
Empty set (0.00 sec)





However, we now get a 500 error when trying to authenticate with mfa.

registerTrustedDevice' of flow 'mfa-gauth' -- action execution attributes
were 'map[[empty]]'

…….

Caused by: java.sql.SQLException: Data too long for column 'recordKey' at row 1
Query is: insert into MultifactorAuthenticationTrustRecord (geography, name, principal, recordDate, recordKey) values (?, ?, ?, ?, ?), parameters ['144.89.41.210@Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko','Timdesktop','tyler','2018-03-13','eyJhbGciOiJIUzUxMiJ9.WlhsS05tRllRV2xQYVVwRlVsVlphVXhEU21oaVIyTnBUMmxLYTJGWVNXbE1RMHBzWW0xTmFVOXBTa0pOVkVrMFVUQktSRXhWYUZSTmFsVXlTVzR3TGk1c2RYSlROa0ZOYTJGemFFSkdZMDltYms5TlYzaEJMbVpIWjFNdFJHNUdTWEY2VW1kUWRHbDBSVUUyTnkwNVMwWnlXVmhsUVU0eE1EQkRPRVY1Y21Wa2FsTllaV1JRTTBOMGRtVnNRbFJIVVVab1dXcDZZM1k1WWpOUU1saGtVR1owZUc4NVZtRndSWFZhTkVJeVdtSTVjamt5TVRRNGNreE9VMDR3VGw5eGNVNXFNWGQzWm1GQ1ZXSlBlVXh4Y0hBM1JrSnFiR015TGs1T1dIRmpUbHBZTWxGaWQydDVXVkJUWkVob1NYYz0.DnGt3qqCV8ATGH1HhUFeR4UGCTqUJP5Gj3G2jbcZM7HgacEPuh6HYjY6AowW60dWf3mP_KDzw7CkQEQN_VvT0w']





Our config in cas.properties has the following for this:



# Trusted Device/Browser

cas.authn.mfa.trusted.authenticationContextAttribute=isFromTrustedMultifactorAuthentication

cas.authn.mfa.trusted.deviceRegistrationEnabled=true

cas.authn.mfa.trusted.expiration=30

cas.authn.mfa.trusted.timeUnit=DAYS



# cas.authn.mfa.trusted.crypto.encryption.key=

# cas.authn.mfa.trusted.crypto.signing.key=

# cas.authn.mfa.trusted.crypto.enabled=true



# CAS MFA Trusted Device

cas.authn.mfa.trusted.jpa.healthQuery=SELECT 1



cas.authn.mfa.trusted.jpa.url=jdbc:mariadb://cas.beloit.edu:3306/mfatrust

cas.authn.mfa.trusted.jpa.dialect=org.hibernate.dialect.MariaDBDialect

cas.authn.mfa.trusted.jpa.user=root

cas.authn.mfa.trusted.jpa.password=

cas.authn.mfa.trusted.jpa.driverClass=org.mariadb.jdbc.Driver

cas.authn.mfa.trusted.jpa.autocommit=true

##cas.authn.mfa.trusted.jpa.ddlAuto=create

cas.authn.mfa.trusted.jpa.ddlAuto=validate







Any idea what I might be missing?  What should be set for
cas.authn.mfa.trusted.jpa.healthQuery=





Tim Tyler

Network Engineer

Beloit College

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f30ee0f2dd877c583dead7881b289c1a%40mail.gmail.com.
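Editor's note on the "Data too long for column 'recordKey'" error above and on the Mar 22 follow-up that widened the column to 8k. The recordKey CAS tried to store is not an opaque random string: it is a JWS (HS512) whose payload is a base64 copy of a JWE (alg=dir, A128CBC-HS256, DEFLATE-compressed plaintext), so there is a fixed overhead of header, IV, tag and signature on top of the encrypted device record, and 500 characters is simply not enough. The script below is an added example, not code from the thread or from CAS; it takes the recordKey quoted in the post as its sample input and peels the layers apart without any keys, verification or decryption, to show what the column has to hold. The layout it reports is what the posted value contains; the field names in the returned dict are the example's own. One caveat for anyone copying the config above: with alg=dir the JWE is encrypted directly with cas.authn.mfa.trusted.crypto.encryption.key and signed with cas.authn.mfa.trusted.crypto.signing.key. Those two properties are commented out in the post, and CAS then generates fresh keys at startup and logs a warning, so records written by one run cannot be read after a restart or by a second node; set both keys explicitly before relying on trusted-device records in a database.

```python
import base64
import json

# recordKey value from the failing INSERT quoted in the post above (the JWT only,
# copied verbatim); it is the sample input for the functions below.
RECORD_KEY = (
    "eyJhbGciOiJIUzUxMiJ9."
    "WlhsS05tRllRV2xQYVVwRlVsVlphVXhEU21oaVIyTnBUMmxLYTJGWVNXbE1RMHBzWW0xTmFVOXBTa0pO"
    "VkVrMFVUQktSRXhWYUZSTmFsVXlTVzR3TGk1c2RYSlROa0ZOYTJGemFFSkdZMDltYms5TlYzaEJMbVpI"
    "WjFNdFJHNUdTWEY2VW1kUWRHbDBSVUUyTnkwNVMwWnlXVmhsUVU0eE1EQkRPRVY1Y21Wa2FsTllaV1JR"
    "TTBOMGRtVnNRbFJIVVVab1dXcDZZM1k1WWpOUU1saGtVR1owZUc4NVZtRndSWFZhTkVJeVdtSTVjamt5"
    "TVRRNGNreE9VMDR3VGw5eGNVNXFNWGQzWm1GQ1ZXSlBlVXh4Y0hBM1JrSnFiR015TGs1T1dIRmpUbHBZ"
    "TWxGaWQydDVXVkJUWkVob1NYYz0."
    "DnGt3qqCV8ATGH1HhUFeR4UGCTqUJP5Gj3G2jbcZM7HgacEPuh6HYjY6AowW60dWf3mP_KDzw7CkQEQN_VvT0w"
)


def b64url_decode(part: str) -> bytes:
    """Decode one unpadded base64url part of a JWS/JWE compact serialization."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def unwrap_record_key(token: str) -> dict:
    """Peel the layers of a trusted-device recordKey apart without any keys.

    Nothing is verified or decrypted; the point is to see what the column
    must hold.  Layout observed in the posted value:
        JWS(HS512) . payload = base64( JWE: header..iv.ciphertext.tag )
    """
    jws_parts = token.split(".")
    if len(jws_parts) != 3:
        raise ValueError("not a JWS compact serialization")
    jws_header = json.loads(b64url_decode(jws_parts[0]))
    # The JWS payload is not JSON: it is a base64 string (standard or urlsafe
    # alphabet, handled either way) that decodes to a five-part JWE.
    inner = b64url_decode(jws_parts[1]).decode("ascii")
    jwe = base64.b64decode(inner.replace("-", "+").replace("_", "/")).decode("ascii")
    jwe_parts = jwe.split(".")
    if len(jwe_parts) != 5:
        raise ValueError("JWS payload is not a JWE compact serialization")
    jwe_header = json.loads(b64url_decode(jwe_parts[0]))
    return {
        "token_length": len(token),
        "jws_header": jws_header,
        "jws_signature_bytes": len(b64url_decode(jws_parts[2])),
        "jwe_length": len(jwe),
        "jwe_header": jwe_header,
        # empty for alg=dir: the configured encryption key is used directly
        "jwe_encrypted_key": jwe_parts[1],
        "jwe_iv_bytes": len(b64url_decode(jwe_parts[2])),
        "jwe_ciphertext_bytes": len(b64url_decode(jwe_parts[3])),
        "jwe_tag_bytes": len(b64url_decode(jwe_parts[4])),
    }


def fits_column(token: str, column_width: int) -> bool:
    """True if the token fits a VARCHAR(column_width) column (ASCII, so chars == bytes)."""
    return len(token) <= column_width


if __name__ == "__main__":
    info = unwrap_record_key(RECORD_KEY)
    for key, value in info.items():
        print(f"{key:>22}: {value}")
    print("fits VARCHAR(500):", fits_column(RECORD_KEY, 500))
```

Because the plaintext is deflated before encryption, the ciphertext length (and so the token length) varies with the device name, principal and user-agent string in the record; only the header, IV, tag and signature are constant. Size the column for the longest record you expect rather than for this one sample.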


[cas-user] Any Jenzabar JICS CAS users?

2018-03-12 Thread Tim Tyler
CAS users,

Anyone using Jenzabar with CAS?



We have CAS 5.2.  We have SAML working with SimpleSAMLphp now.  So we know
SAML should work.  But we can’t get it working with Jenzabar yet.  We are
pretty sure the metadata gets exchanged between CAS and Jenzabar.  But we
get some “Can’t find element” error.  We think it has something to do with
the Jenzabar config side though not sure.  Seems like Jenzabar can’t find
something in the metadata it is looking for.   I would like to find someone
using Jenzabar that might share with me off-line about how you configured
your Jenzabar side.



Do we need Shibboleth for this?



Tim Tyler

Network Engineer

Beloit College

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0bcccbd1a4f4d6891030402362b6213%40mail.gmail.com.


[cas-user] CAS SAML no signature signing ???

2018-03-02 Thread Tim Tyler
CAS Experts,

We installed simplesamlphp to test against CAS 5.2  SAML(IdP) using keys
generated by cas.

We were able to get each side to recognize each other's metadata and
perform the login flow.  However, when we have signed responses enabled, we
get a CAS error:  Error: org.opensaml.saml.common.SAMLException: No
signature signing parameter is available



And when we have signed responses disabled we get an error from the SP
side: Caused by: SimpleSAML_Error_Exception: Neither the assertion nor the
response was signed.



Note: We don’t have encryption enabled in case that matters.  What might
we be missing?







Tim Tyler

Network Engineer

Beloit College

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e8ea177a46e48e4127961d1f34578454%40mail.gmail.com.


RE: [cas-user] SAML and Jenzabar JICS

2018-02-28 Thread Tim Tyler
(HTML form posting SAMLRequest and RelayState to
https://idp.example.org/SAML2/SSO/POST; the form markup itself did not
survive extraction.)

...

The RelayState token is an opaque reference to state information maintained
at the service provider. (The RelayState mechanism can leak details of the
user's activities at the SP to the IdP and so the SP should take care in
its implementation to protect the user's privacy.) The value of the
SAMLRequest parameter is the base64 encoding of the following
AuthnRequest element (only its Issuer, https://sp.example.com/SAML2,
survived extraction):

1.  For ease-of-use purposes, the HTML FORM typically will be accompanied
by script code that will automatically post the form to the destination
site (which is the IdP in this case). The browser, due either to a user
action or execution of an “auto-submit” script, issues an HTTP POST request
to send the form to the identity provider's Single Sign-On Service.

POST /SAML2/SSO/POST HTTP/1.1
Host: idp.example.org
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn

SAMLRequest=request&RelayState=token

3.  The Single Sign-On Service determines whether the user has an existing
logon security context at the identity provider that meets the default or
requested authentication policy requirements. If not, the IdP interacts
with the browser to challenge the user to provide valid credentials.

4.  The user provides valid credentials and a local logon security context
is created for the user at the IdP.

5.  The IdP Single Sign-On Service issues a SAML assertion representing the
user's logon security context and places the assertion within a SAML
Response message. Since the HTTP Artifact binding will be used to deliver
the SAML Response message, it is not mandated that the assertion be
digitally signed. The IdP creates an artifact containing the source ID for
the idp.example.org site and a reference to the Response message (the
MessageHandle). The HTTP Artifact binding allows the choice of either HTTP
redirection or an HTML form POST as the mechanism to deliver the artifact
to the partner. The figure shows the use of redirection.

6.  The SP's Assertion Consumer Service now sends a SAML ArtifactResolve
message containing the artifact to the IdP's Artifact Resolution Service
endpoint. This exchange is performed using a synchronous SOAP message
exchange.

(ArtifactResolve XML lost in extraction. It carried Destination
https://idp.example.org/SAML2/ArtifactResolution, Issuer
https://sp.example.com/SAML2, a ds:Signature in the
http://www.w3.org/2000/09/xmldsig# namespace, and the artifact value.)

7.  The IdP's Artifact Resolution Service extracts the MessageHandle from
the artifact and locates the original SAML Response message associated
with it. This message is then placed inside a SAML ArtifactResponse
message, which is returned to the SP over the SOAP channel.

(ArtifactResponse XML lost in extraction. What survived of the enclosed,
signed Response and its Assertion: Destination
https://sp.example.com/SAML2/SSO/Artifact, Issuer
https://idp.example.org/SAML2, NameID u...@mail.example.org, a
SubjectConfirmationData with Recipient
https://sp.example.com/SAML2/SSO/Artifact and
NotOnOrAfter="2004-12-05T09:27:05Z", an AudienceRestriction naming
https://sp.example.com/SAML2, and an AuthnContextClassRef of
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.)

The SP extracts and processes the Response message and then processes the
embedded assertion in order to create a local logon security context for
the user at the SP. Once this is completed, the SP retrieves the local
state information indicated by the RelayState data to recall the
originally-requested resource URL. It then sends an HTTP redirect response
to the browser directing it to access the originally requested resource
(not shown).

7.  An access check is made to establish whether the user has the correct
authorization to access the resource. If the access check passes, the
resource is then returned to the browser.

2018-02-28 12:30 GMT-03:00 Tim Tyler <ty...@beloit.edu>:

CAS Experts,

Looking for any hints I can get.

  We are running CAS 5.2 on Redhat 7.   I am trying to get SAML to work
with our Jenzabar JICS portal.  Trying to Configure CAS as the Identity
Manager and Jenzabar as the Identity Provider.

When one goes to our Jenzabar url to login, they simply need to click the
login icon.  It redirects the use

[cas-user] SAML and Jenzabar JICS

2018-02-28 Thread Tim Tyler
CAS Experts,

Looking for any hints I can get.

  We are running CAS 5.2 on Redhat 7.   I am trying to get SAML to work
with our Jenzabar JICS portal.  Trying to Configure CAS as the Identity
Manager and Jenzabar as the Identity Provider.

When one goes to our Jenzabar url to login, they simply need to click the
login icon.  It redirects the user back to our CAS server.  After
authenticating into CAS successfully, it never takes the user back to
Jenzabar.  I am not sure what side to blame and I have never configured
SAML before.

When configuring SAML 2.0 in the CAS-management, we do have the meta path
entered from Jenzabar and it does provide the following:

(SP metadata returned by Jenzabar; the XML tags did not survive extraction.
What remains names the ACS endpoint
https://bcportaldev.beloit.edu/ics/StaticPages/SAML/ServiceProvider/ACS.aspx
and the NameID format urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.)



I have the following in cas.properties:

# CAS SAML2.0 IDP



cas.authn.samlIdp.entityId=https://cas.beloit.edu:8443/idp

cas.authn.samlIdp.scope=cas.beloit.edu

cas.authn.samlIdp.metadata.cacheExpirationMinutes=30

cas.authn.samlIdp.metadata.failFast=false

cas.authn.samlIdp.metadata.location=file:/etc/cas/saml/

cas.authn.samlIdp.metadata.privateKeyAlgName=RSA

cas.authn.samlIdp.metadata.requireValidMetadata=true

cas.authn.samlIdp.logout.forceSignedLogoutRequests=true

cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false

cas.authn.samlIdp.response.skewAllowance=0

cas.authn.samlIdp.response.signError=false

cas.authn.samlIdp.response.useAttributeFriendlyName=true



I do see the following in /etc/cas/saml self created by CAS.

drwxr-xr-x 2 root root  128 Feb 20 10:40 id

-rw-r--r-- 1 root root 1135 Feb 27 15:45 idp-encryption.crt

-rw-r--r-- 1 root root 1679 Feb 27 15:45 idp-encryption.key

-rw-r--r-- 1 root root 6938 Feb 27 15:49 idp-metadata.xml

-rw-r--r-- 1 root root 1135 Feb 27 15:45 idp-signing.crt





The following relates to our SAML json service for Jenzabar:



[root@cas services]# more Jenzabar-1519156718058.json

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://bcportaldev.beloit.edu.*",
  "name" : "Jenzabar",
  "id" : 1519156718058,
  "expirationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy",
    "deleteWhenExpired" : false,
    "notifyWhenDeleted" : false
  },
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder" : -1,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "NONE",
    "encryptUsername" : false
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration" : 2,
      "timeUnit" : "HOURS"
    },
    "consentPolicy" : {
      "@class" : "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled" : true
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false,
    "excludeDefaultAttributes" : false,
    "authorizedToReleaseAuthenticationAttributes" : true
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "failureMode" : "NOT_SET",
    "bypassEnabled" : false
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "order" : 0,
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "caseInsensitive" : false
  },
  "metadataLocation" : "https://bcportaldev.beloit.edu/ICS/StaticPages/SAML/ServiceProvider/Metadata.ashx",
  "metadataMaxValidity" : 0,
  "metadataExpirationDuration" : "PT60M",
  "signAssertions" : true,
  "skipGeneratingAssertionNameId" : false,
  "skipGeneratingSubjectConfirmationInResponseTo" : false,
  "skipGeneratingSubjectConfirmationNotOnOrAfter" : false,
  "skipGeneratingSubjectConfirmationRecipient" : false,
  "skipGeneratingSubjectConfirmationNotBefore" : true,
  "signResponses" : true,
  "encryptAssertions" : true,
  "metadataCriteriaRoles" : "SPSSODescriptor",
  "metadataCriteriaRemoveEmptyEntitiesDescriptors" : true,
  "metadataCriteriaRemoveRolelessEntityDescriptors" : true,
  "signingCredentialType" : "BASIC"
}



So what reason(s) might I look for that might explain why CAS doesn't send
the user back to the Jenzabar portal?   Could this be a problem with the
metadata?  Missing something on CAS?







Tim Tyler

Network Engineer

Beloit College

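Editor's note on the SAML threads above (the SP-initiated walk-through quoted in the reply, the "Neither the assertion nor the response was signed" / "No signature signing parameter is available" pair from the Mar 2 post, and the signAssertions/signResponses/encryptAssertions flags in the service JSON). What follows is an added example, not code from the thread, from CAS, from Jenzabar or from SimpleSAMLphp: a small Python model of the two ends of the HTTP-POST exchange. The SP side builds the AuthnRequest and the SAMLRequest/RelayState form fields; the ACS side runs the checks an SP makes before trusting a Response, with the SimpleSAMLphp wording reused for the signature check. Entity IDs and endpoints are the example.org/example.com ones from the quoted text; the timestamps, IDs and the sample Response are constructed for the example; the function names are the example's own. Signature presence is all this checks: verifying an XML signature needs an XML-DSig library and the IdP signing certificate from idp-metadata.xml, and a service registered with encryptAssertions true returns an EncryptedAssertion that must be decrypted with the SP key before any of these checks can run (the check function stops and says so).

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Entity IDs and endpoints from the quoted walk-through (example names).
SP_ENTITY_ID = "https://sp.example.com/SAML2"
SP_ACS_URL = "https://sp.example.com/SAML2/SSO/POST"
IDP_ENTITY_ID = "https://idp.example.org/SAML2"
IDP_SSO_URL = "https://idp.example.org/SAML2/SSO/POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """SAML dateTime in UTC ('2004-12-05T09:27:05Z') to a naive datetime."""
    return dt.datetime.strptime(text, TS)


def build_authn_request(request_id, issue_instant):
    """SP side: the AuthnRequest that gets base64-encoded into the SAMLRequest field."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant.strftime(TS),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified", "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def post_binding_fields(request_xml, relay_state):
    """Form fields for the HTTP-POST binding (step 1 of the walk-through): plain base64, no deflate."""
    return {"SAMLRequest": base64.b64encode(request_xml.encode()).decode(), "RelayState": relay_state}


def decode_post_binding(fields):
    """IdP side: recover the AuthnRequest XML from the posted form."""
    return base64.b64decode(fields["SAMLRequest"]).decode()


def check_response(response_xml, expected_request_id, now):
    """ACS side: checks to pass before trusting a Response.  Returns the list of
    failed checks (empty means acceptable on these points).  Signature *presence*
    only; cryptographic verification is left to an XML-DSig library."""
    problems = []
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our AuthnRequest ID")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
        return problems
    if resp.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the assertion nor the response was signed")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("assertion issuer is not the expected IdP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not our ACS URL")
    elif parse_ts(scd.get("NotOnOrAfter")) <= now:
        problems.append("SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion carries no Conditions")
        return problems
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        problems.append("now is outside the assertion validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("AudienceRestriction does not name our entity ID")
    return problems


def sample_response(request_id, signed=True):
    """Constructed IdP Response for exercising check_response (not a real CAS message).
    The ds:Signature is a placeholder: present or absent, never valid."""
    sig = f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0"
  IssueInstant="2004-12-05T09:22:05Z" InResponseTo="{request_id}" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>{sig}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">example-subject</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{SP_ACS_URL}"
          NotOnOrAfter="2004-12-05T09:27:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    now = parse_ts("2004-12-05T09:23:00Z")
    fields = post_binding_fields(build_authn_request("_req1", now), "opaque-sp-state")
    print(decode_post_binding(fields)[:60], "...")
    print("signed   :", check_response(sample_response("_req1"), "_req1", now))
    print("unsigned :", check_response(sample_response("_req1", signed=False), "_req1", now))
```

Mapping this back to CAS: signResponses puts the ds:Signature on the Response element, signAssertions on the Assertion; an SP like SimpleSAMLphp accepts either, so the "neither ... was signed" error means CAS emitted both unsigned, and CAS's "No signature signing parameter is available" on the other setting means it could not resolve a signing credential for that service from idp-signing.crt and the SP metadata. Check that the signing key pair exists next to idp-metadata.xml (the directory listing in the Feb 28 post shows idp-signing.crt but no idp-signing.key) before touching the service flags.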

RE: [cas-user] Access Strategy not working???

2018-02-23 Thread Tim Tyler
Travis,

Thanks! I think that worked.  That is what I get for reading older
documentation.  I really wish bad lines would not be ignored.  Makes me
wonder what else I have entered might not be doing anything.

Tim



*From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Travis
Schmidt
*Sent:* Friday, February 23, 2018 10:11 AM
*To:* cas-user@apereo.org
*Subject:* Re: [cas-user] Access Strategy not working???



The property was changed in 5.2 to cas.serviceRegistry.json.location.  5.2
currently ignores unknown properties and falls back to default on this.  I
got bit by this on a deployment two weeks ago.  Also the property names for
webflow and tgc encryption were changed, so check those as well.







On Fri, Feb 23, 2018 at 7:35 AM Tim Tyler <ty...@beloit.edu> wrote:

CAS users,

  Ok, I am on CAS 5.2 on Redhat 7.



I have created a number of services stored in json files in
/etc/cas/services.   But I don’t think any of them are getting read by CAS.
  The CAS-Management creates them and puts them there.  But I am not sure
CAS is reading them there.  My goal was to create a service for one of our
Moodle development servers where only staff could access it, not students.
I simply added an ldap attribute which contains the value of Staff.
CAS-Management seems to create it properly.   But CAS ignores it.



Instead I get the following results from the CAS Dashboard from the
“Attribute Release” interface (see picture below):  The result is
https|imap which I never created a service for.  I had to hunt for where
this was coming from and found it in
/usr/local/cas/target/cas/WEB-INF/classes/services/HTTPSandIMAPS-1001.json



I tried removing it but it restored itself when I restarted the server.  I
don’t understand what is going on here.  I have the following setting in
cas:

cas.serviceRegistry.config.location: file:/etc/cas/services



So why is CAS finding json services from
/usr/local/cas/target/cas/WEB-INF/classes/services instead of
/etc/cas/services  {or at least the dashboard anyways}?   Shouldn’t the
“cas.serviceRegistry.config.location: entry be pointing in to
/etc/cas/services”???  I think I got this from the documentation.



In case this helps, this is in the DevMoodle service registration json file:

@class: org.apereo.cas.services.RegexRegisteredService

  serviceId: https://devmoodle.beloit.edu.*

  name: Dev Moodle

  id: 1519398393836

…..and much more









Tim Tyler

Network Engineer

Beloit College



To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/03d58f91ff6f2a6b1fc06d57f6946e3b%40mail.gmail.com
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/03d58f91ff6f2a6b1fc06d57f6946e3b%40mail.gmail.com?utm_medium=email_source=footer>
.

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC_RtEbB3-52_Q1uxZWZto5YYw6fj4PcvocW0DXh7nfdU2-1bQ%40mail.gmail.com
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC_RtEbB3-52_Q1uxZWZto5YYw6fj4PcvocW0DXh7nfdU2-1bQ%40mail.gmail.com?utm_medium=email_source=footer>
.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c83880ddc64fe203e3f5aa644392a06e%40mail.gmail.com.


[cas-user] Access Strategy not working???

2018-02-23 Thread Tim Tyler
CAS users,

  Ok, I am on CAS 5.2 on Redhat 7.



I have created a number of services stored in json files in
/etc/cas/services.   But I don’t think any of them are getting read by CAS.
  The CAS-Management creates them and puts them there.  But I am not sure
CAS is reading them there.  My goal was to create a service for one of our
Moodle development servers where only staff could access it, not students.
I simply added an ldap attribute which contains the value of Staff.
CAS-Management seems to create it properly.   But CAS ignores it.



Instead I get the following results from the CAS Dashboard from the
“Attribute Release” interface (see picture below):  The result is
https|imap which I never created a service for.  I had to hunt for where
this was coming from and found it in
/usr/local/cas/target/cas/WEB-INF/classes/services/HTTPSandIMAPS-1001.json



I tried removing it but it restored itself when I restarted the server.  I
don’t understand what is going on here.  I have the following setting in
cas:

cas.serviceRegistry.config.location: file:/etc/cas/services



So why is CAS finding json services from
/usr/local/cas/target/cas/WEB-INF/classes/services instead of
/etc/cas/services  {or at least the dashboard anyways}?   Shouldn’t the
“cas.serviceRegistry.config.location: entry be pointing in to
/etc/cas/services”???  I think I got this from the documentation.



In case this helps, this is in the DevMoodle service registration json file:

@class: org.apereo.cas.services.RegexRegisteredService

  serviceId: https://devmoodle.beloit.edu.*

  name: Dev Moodle

  id: 1519398393836

…..and much more









Tim Tyler

Network Engineer

Beloit College

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/03d58f91ff6f2a6b1fc06d57f6946e3b%40mail.gmail.com.
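Editor's note on the "Access Strategy not working" thread above. The root cause Travis identified is worth a check you can run before every deploy: CAS 5.2 silently ignores a property it does not recognise (the renamed cas.serviceRegistry.config.location, the renamed TGC and webflow crypto keys), so a typo or a stale name quietly leaves you on defaults, here the bundled HTTPSandIMAPS-1001.json registry. The script below is an added example, not part of the thread and not a CAS tool. It compares the keys in a cas.properties file against the Spring Boot configuration metadata that CAS ships as META-INF/spring-configuration-metadata.json (in the built war it sits inside one of the cas-server-core-configuration jars under WEB-INF/lib; extract it with unzip, the exact jar name varies by release). Both the metadata excerpt and the properties file embedded here are constructed for the example and cover only a few 5.2 names; the Map/List prefix rule and the relaxed-binding canonical form are the example's own simplification of how Spring Boot binds names.

```python
import json
import re

# Constructed excerpt in the shape of spring-configuration-metadata.json
# (property names there are kebab-case).  Only a handful of CAS 5.2 names are
# listed; feed the real file in for a full check.
METADATA_JSON = json.dumps({"properties": [
    {"name": "cas.service-registry.json.location", "type": "org.springframework.core.io.Resource"},
    {"name": "cas.service-registry.init-from-json", "type": "java.lang.Boolean"},
    {"name": "cas.authn.mfa.trusted.jpa.url", "type": "java.lang.String"},
    {"name": "cas.authn.mfa.trusted.jpa.ddl-auto", "type": "java.lang.String"},
    {"name": "cas.tgc.crypto.encryption.key", "type": "java.lang.String"},
    {"name": "cas.authn.attribute-repository.attributes",
     "type": "java.util.Map<java.lang.String,java.lang.String>"},
]})

# Constructed cas.properties: the spelling quoted in the thread, a known key in
# camelCase, an older spelling of the TGC key, and a map entry.
SAMPLE_PROPERTIES = """\
# service registry
cas.serviceRegistry.config.location: file:/etc/cas/services
cas.serviceRegistry.initFromJson=false
cas.authn.mfa.trusted.jpa.url=jdbc:mariadb://localhost:3306/mfatrust
cas.authn.mfa.trusted.jpa.ddlAuto=validate
cas.tgc.encryptionKey=changeme
cas.authn.attributeRepository.attributes.uid=uid
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '=' or ':' separators, '#'/'!' comments.
    Returns (key, value) pairs in file order; backslash continuations are not handled."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        pairs.append((m.group(1), m.group(2)))
    return pairs


def canonical(key):
    """Spring relaxed binding: camelCase, kebab-case and snake_case name the same
    property.  Bracketed index segments (ldap[0]) are dropped for the comparison."""
    key = re.sub(r"\[[^\]]*\]", "", key)
    return key.replace("-", "").replace("_", "").lower()


def find_unknown_keys(properties_text, metadata_json):
    """Keys in properties_text that no metadata entry describes.  A key is known
    if its canonical form equals a described property, or if a described
    Map/List property is a dotted prefix of it (map entries, list items)."""
    props = json.loads(metadata_json)["properties"]
    exact = {canonical(p["name"]) for p in props}
    containers = {canonical(p["name"]) for p in props
                  if p.get("type", "").startswith(("java.util.Map", "java.util.List"))}
    unknown = []
    for key, _value in parse_properties(properties_text):
        c = canonical(key)
        if c in exact or any(c.startswith(prefix + ".") for prefix in containers):
            continue
        unknown.append(key)
    return unknown


if __name__ == "__main__":
    for key in find_unknown_keys(SAMPLE_PROPERTIES, METADATA_JSON):
        print("unknown property (silently ignored by CAS 5.2):", key)
```

Run it with the real metadata file and your real cas.properties; anything it prints is a line CAS is not reading. It cannot tell you that a value is wrong, only that the key is not one the server knows, which is exactly the class of mistake the thread is about.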


RE: [cas-user] CAS google-authenticator removes tables???

2018-02-15 Thread Tim Tyler
Ray,

YES! That fixed that aspect by using create for the value.  Except now we
are finding that the data entries are now removed on startup though the
tables remain.  Are we also missing something for startup that cleans.  Or
should we use update instead of create?

Tim



*From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Ray
Bon
*Sent:* Thursday, February 15, 2018 3:15 PM
*To:* cas-user@apereo.org
*Subject:* Re: [cas-user] CAS google-authenticator removes tables???



Tim,



Check your database settings, something along the lines of 'ddlAuto'. It
can be set to 'create-drop' which would result in the behaviour you are
seeing. Search for JPA options to see what other settings are available.



Ray



On Thu, 2018-02-15 at 14:51 -0600, Tim Tyler wrote:

CAS experts,

We are running CAS 5.2 on Redhat 7.  We installed and configured Google
Authenticator and got it sort of working with Mariadb.   We see the tables
and record entries get created and entered into the database when logging
in.   But when we cntrl-C to restart the CAS service, CAS removes the
tables from the database:



MariaDB [mfa]> select * from GoogleAuthenticatorRegistrationRecord;

ERROR 1146 (42S02): Table 'mfa.GoogleAuthenticatorRegistrationRecord'
doesn't exist



Why does control-C shutting down CAS result in removing all of the tables
and entries?



FYI: We startup with ./build.sh run  and we shutdown with Ctrl-C.





Tim Tyler

Network Engineer

Beloit College



-- 

Ray Bon

Programmer analyst

Development Services, University Systems

2507218831 | CLE 019 | r...@uvic.ca

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1518729293.1763.19.camel%40uvic.ca
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/1518729293.1763.19.camel%40uvic.ca?utm_medium=email_source=footer>
.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f8c9636292e1e76a7c660b9be0c76797%40mail.gmail.com.


[cas-user] CAS google-authenticator removes tables???

2018-02-15 Thread Tim Tyler
CAS experts,

We are running CAS 5.2 on Redhat 7.  We installed and configured Google
Authenticator and got it sort of working with Mariadb.   We see the tables
and record entries get created and entered into the database when logging
in.   But when we cntrl-C to restart the CAS service, CAS removes the
tables from the database:



MariaDB [mfa]> select * from GoogleAuthenticatorRegistrationRecord;

ERROR 1146 (42S02): Table 'mfa.GoogleAuthenticatorRegistrationRecord'
doesn't exist



Why does control-C shutting down CAS result in removing all of the tables
and entries?



FYI: We startup with ./build.sh run  and we shutdown with Ctrl-C.





Tim Tyler

Network Engineer

Beloit College

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bbd3778fc4b8ab3a444d4db06abe9805%40mail.gmail.com.


[cas-user] cas.properties for MFA database

2018-02-01 Thread Tim Tyler
CAS experts,

 We are running CAS 5.2.  What variables do you use to point the (MFA)
Google Authenticator registries into a database?



Is it the cas.authn.mfa.trusted.jpa.* variables or is it something else?
 Not sure what to put in our cas.properties to point GA registries into our
database.





Tim Tyler

Network Engineer

Beloit College

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f1f3860daf86f2f3bd26a523d4792b36%40mail.gmail.com.


[cas-user] MFA Google Authenticator persistence issue?

2018-01-23 Thread Tim Tyler
CAS Experts,

I am trying to setup Google Authenticator for MFA purposes.  It works fine
in memory mode.  So now we want to install persistence for it on MariaDB.
So here is what we did.

1. We installed Mariadb and initiated it.

2. We created a database named "mfa" to store the registries.

3.  We have no idea what the schema should look like so we didn't create
anything else.

4. We configured cas.properties with

cas.authn.mfa.trusted.jpa.url=jdbc:mariadb://localhost:1489/mfa

cas.authn.mfa.trusted.jpa.dialect=org.hibernate.dialect.MariaDBDialect

cas.authn.mfa.trusted.jpa.user=root

cas.authn.mfa.trusted.jpa.password=xxx

cas.authn.mfa.trusted.jpa.driverClass=org.mariadb.jdbc.Driver





So do we need a schema or does it get created automatically –and how?
When I login to CAS, we don't see any evidence of database changes, etc.
There are no tables in the mfa database.  But we still get the following
error on CAS output:





2018-01-23 15:19:24,808 WARN
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - 



What might we be missing or might be wrong?





Tim Tyler

Network Engineer

Beloit College

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/324d6ed73e1fade42c7d91b9b1d82b03%40mail.gmail.com.


[cas-user] Database integration?

2018-01-22 Thread Tim Tyler
CAS experts,

I recently installed CAS 5.2.  I just installed cas-management from the
Maven overlay on the same Redhat server.  The documentation warns me that
I need to be in sync with CAS registries, but I am not sure what that
really requires me to do.  Given I also get persistent storage warnings on
startup of CAS, I am guessing I perhaps need to get a database integrated
into CAS before I move much further forward.

Since I am using Redhat, MariaDB is native to Redhat.  So I figure I might
as well use that unless someone wants to recommend otherwise.  But I am
having a hard time piecing together all of the steps to get a database
integrated.

   1. Should I get MariaDB running on Redhat through normal Redhat install
   methods?
   2. Do I need to install any dependency modules in CAS?  Cas-management
   as well?
   3. Can anyone share configuration settings for both CAS and
   cas-management to reference the Database (assuming it is ok to use
   MariaDB)?

Note: I don’t mind using a different database if it is recommended to do
so.

Tim Tyler
Network Engineer
Beloit College



RE: [cas-user] how to access admin or management page?

2017-12-19 Thread Tim Tyler
Dave, others,

  Ok, I think I am getting closer but I am getting the error shown below.
I should note that there was no etc/cas/services directory so I had to
create the service directory manually before creating the
etc/cas/services/CASAdminDashboard-123456789.json
file. I included the port :8443 with the hostname.  I assume I need it.  I
should also point out that I am using the equal sign format for variables
in cas.properties.  I am not sure how the colon format works or if it is
even appropriate for cas.properties.

I got this warning when starting up:

https://cas.beloit.edu:8443/cas/status/dashboard,originalUrl=https://cas.beloit.edu:8443/cas/status/dashboard,artifactId=,principal=,loggedOutAlready=false,format=XML]]
or service access is disallowed. Using default theme [cas-theme-default]>

This is how the JSON entry for the service looks:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://cas.beloit.edu:8443/cas/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 123456789,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 5000
}

Tim

*From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *David
Curry
*Sent:* Tuesday, December 19, 2017 7:26 AM
*To:* cas-user@apereo.org
*Subject:* Re: [cas-user] how to access admin or management page?

Here is one way to do it. It's not the only way, since CAS gives you so
many options, but it should be enough to get you started.

1. Set these to enable the dashboard (these settings enable all of the
endpoints; you can also pick and choose):

cas.adminPagesSecurity.actuatorEndpointsEnabled: true
cas.monitor.endpoints.enabled: true
endpoints.enabled: true

2. Set this to a regular expression that matches the IP address(es) you
want to allow access from:

cas.adminPagesSecurity.ip: ^192\\.168\\.(50\\.[0-9]{1,3}|1\\.[12]0)$

(This example matches 192.168.50.*, 192.168.1.10, and 192.168.1.20; the
intention is that the first pattern is the "IT subnet" where the
administrators live, and the other two IPs are the internal IPs of the load
balancers, which will be using the /status endpoint to check that the
server is up and running.)

3. Set these to enable CAS authentication (as opposed to Spring Security
authentication):

cas.monitor.endpoints.sensitive: false
endpoints.sensitive: false

The CAS documentation explains other alternatives, if you want to use
Spring Security instead of CAS.

4. Configure CAS to perform the authentication:

cas.adminPagesSecurity.loginUrl: ${cas.server.prefix}/login
cas.adminPagesSecurity.service: ${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.users: file:/etc/cas/config/admusers.properties
cas.adminPagesSecurity.adminRoles[0]: ROLE_ADMIN

5. Create an admusers.properties file (use whatever name you gave it in the
property above). List one user per line and give them whatever role you
defined above. This file does NOT create new users, it just lists the
usernames (which exist in LDAP or AD or whatever) who can access the
dashboard. Their password is whatever they use when authenticating to the
CAS server. In this case, it's a user named "gnarls":

# This file lists the users who are allowed access to the CAS /status/*
# endpoints ("adminpages").
#
# The syntax for each line is:
#
# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
#
gnarls=passwordnotused,ROLE_ADMIN

6. Create a service registry entry for the dashboard (in
/etc/cas/services/CASAdminDashboard-123456789.json or wherever):

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://casserver.your.dom.ain/cas/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 123456789,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 5000
}

Restart the server, point your web browser at
https://casserver.your.dom.ain/cas/status/dashboard, and log in as the
user(s) you listed in the admusers.properties file.

For a more detailed description (same steps, but more explanation behind
them), see
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html.

--Dave

--
*DAVID A. CURRY, CISSP*
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Mon, Dec 18, 2017 at 4:44 PM, Tim Tyler <ty...@beloit.edu> wrote:

I am running CAS 5.
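
Added example, not from the thread or from the CAS project: a Python check of the two patterns in Dave's recipe, the service registry regex (with Java's \z anchor translated to Python's \Z) and the admin IP allow-list, applied to constructed URLs and client addresses. The JSON entry and the IP pattern are the ones from his message; the hostname-with-unescaped-dots caveat in the comments is a general regex fact, not something the thread reports.

```python
import json
import re

# Added example, not from the thread or from CAS itself: apply the two patterns
# in Dave's recipe the way they are applied at runtime, so a "service access is
# disallowed" warning or a locked-out admin address can be checked offline.
# REGISTRY and ADMIN_IP_PATTERN are copied from the thread; URLs are constructed.

# Step 6 service entry, wrapped in a JSON array as a one-entry registry.
REGISTRY = r"""[
  { "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "^https://casserver.your.dom.ain/cas/status/dashboard(\\z|/.*)",
    "name" : "CAS Admin Dashboard",
    "id" : 123456789,
    "description" : "CAS dashboard and administrative endpoints",
    "evaluationOrder" : 5000 }
]"""

# Step 2 value exactly as it appears in the properties source (double backslashes).
ADMIN_IP_PATTERN = r"^192\\.168\\.(50\\.[0-9]{1,3}|1\\.[12]0)$"

def java_regex(pattern):
    """Compile a Java regex; Java's end-of-input anchor \\z is spelled \\Z in Python."""
    return re.compile(pattern.replace(r"\z", r"\Z"))

def matching_service(registry_json, service_url):
    """Name of the lowest-evaluationOrder entry whose serviceId matches the URL,
    or None, the case in which CAS reports the service as disallowed."""
    services = json.loads(registry_json)
    for svc in sorted(services, key=lambda s: s.get("evaluationOrder", 0)):
        if java_regex(svc["serviceId"]).match(service_url):
            return svc["name"]
    return None

def ip_allowed(properties_value, client_ip):
    """A Java .properties file reads '\\\\' as one backslash, so unescape the
    source text before compiling, then require the whole address to match."""
    pattern = properties_value.replace("\\\\", "\\")
    return re.fullmatch(pattern, client_ip) is not None

if __name__ == "__main__":
    # The unescaped dots in the hostname match any character, so a hostname with
    # one character changed is still accepted by this serviceId.
    for url in ("https://casserver.your.dom.ain/cas/status/dashboard",
                "https://casserver.your.dom.ain/cas/status/dashboardx",
                "https://casserverXyour.dom.ain/cas/status/dashboard"):
        print(url, "->", matching_service(REGISTRY, url))
    for ip in ("192.168.50.7", "192.168.1.10", "192.168.1.100", "10.0.0.1"):
        print(ip, "->", ip_allowed(ADMIN_IP_PATTERN, ip))
```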

[cas-user] how to access admin or management page?

2017-12-18 Thread Tim Tyler
I am running CAS 5.2 and have configured ldap for authentication.  But I
still have not figured out how to access the admin or management page.
What do I need to configure to login to the management page?

Do I need to define an admin account?  Do I need to define the Admin Status
Endpoints per
https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html ?

Do I need to create an adminusers.properties file?  Can I define an
existing ldap user as an admin to access the management page(s)?

Tim Tyler
Network Engineer
Beloit College



RE: [cas-user] CAS ldap against AD?

2017-12-15 Thread Tim Tyler
Michael,

That really helped.  I finally have ldap working.  You filled in some gaps
for me.   But I did have one remaining problem that I had to resolve.  Our
AD certs are self-signed for ldap.  The chain cert wasn’t trusted by just
loading the public cert.   So I had to get the CA and install it into the
Java native keystore.   After that, it worked.  I think if we had
commercially signed certs, your cert instructions would have worked.
Still getting used to Java.

  Thanks!

Tim

*From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *michael
kromarek
*Sent:* Wednesday, December 13, 2017 4:20 PM
*To:* cas-user@apereo.org
*Subject:* Re: [cas-user] CAS ldap against AD?

We use SSL as startTLS tends to complain, saying it has already occurred,
so SSL.  You will want the cert from the server you are connecting to,
which you can pull with openssl like so:

echo -n | openssl s_client -connect 192.168.1.225:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

This is what we use for our AD auth and attribute resolution

#
# LDAP Auth
#
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://your_ad_server.site.org
cas.authn.ldap[0].connectTimeout=3000
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].trustedCertificates=file:///etc/ssl/certs/cert_name.crt

#pool settings and validation
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=300

# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
cas.authn.ldap[0].blockWaitTime=3000

# Attempt to prune connections every N seconds
cas.authn.ldap[0].prunePeriod=300

#max connection idle time, for pool connections
cas.authn.ldap[0].idleTime=600

#search filters and settings
cas.authn.ldap[0].bindDn=
cas.authn.ldap[0].bindCredential=
cas.authn.ldap[0].baseDn=dc=site,dc=org
cas.authn.ldap[0].userFilter=(sAMAccountName={user})

#construct login as usern...@site.org
cas.authn.ldap[0].dnFormat=%s...@site.org

#principal id and attributes
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sAMAccountName,dn,sn,cn,givenname,mail,memberOf,displayName

#
# LDAP Attributes Retrieval
#
#default attributes to release (you don't have to do this, but you can if
#you want)
cas.authn.attributeRepository.defaultAttributesToRelease=sAMAccountName,dn,sn,cn,givenname,mail,displayName

#attributes
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=sAMAccountName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.givenname=givenname
cas.authn.attributeRepository.ldap[0].attributes.sn=sn
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.distinguishedName=dn

#connection and search
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://your_ad_server.site.org
cas.authn.attributeRepository.ldap[0].useSsl=true
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].baseDn=dc=site,dc=org
cas.authn.attributeRepository.ldap[0].userFilter=(sAMAccountName={user})
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].bindDn=
cas.authn.attributeRepository.ldap[0].bindCredential=

[cas-user] CAS ldap against AD?

2017-12-13 Thread Tim Tyler
I am a newbie to CAS.   I just installed 5.2 using Maven.   I successfully
logged in via the test account of causer.  But now I want to get ldap
against active directory working.  I successfully installed the
dependencies and that seems ok.  My issue is with configuring
cas.properties.   I read on-line that if I use type=AD, I need to use
dnFormat?   Is that true?   I don’t really understand how that entry should
look.

Also, I would like to use SSL or TLS.  Not sure if certs are necessary for
at least establishing encryption.  Can someone share with me the necessary
settings for getting ldap to auth against AD.  I seem to be struggling with
what I particularly need to get ldap to work against AD.  And if I need
dnFormat, I could use an example of how that should look.

Below is my config related to ldap.

cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://bcdc3.beloit.edu
cas.authn.ldap[0].connectionStrategy=
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=dc=its,dc=beloit,dc=edu
cas.authn.ldap[0].userFilter=cn={sAMAccountName}
cas.authn.ldap[0].bindDn=CN=ldapadmin,CN=Users,DC=its,DC=beloit,DC=edu
cas.authn.ldap[0].bindCredential=

#cas.authn.ldap[0].enhanceWithEntryResolver=false
#cas.authn.ldap[0].dnFormat=%s,dc=its,dc=beloit,dc=edu
#cas.authn.ldap[0].principalAttributeId=sAMAccountName
#cas.authn.ldap[0].principalAttributePassword=password

Tim Tyler
Network Engineer
Beloit College
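
Added example, not from the thread or from the CAS project: a lint over cas.authn.ldap[0].* properties in the shape posted in this thread, flagging the transport and filter problems the exchange with Michael turns on (plaintext ldap:// without StartTLS, ldaps:// with no trustedCertificates so the CA has to sit in the JVM truststore, a userFilter that is not a parenthesised filter using the {user} placeholder, and a bindDn with an empty bindCredential). The sample config, its hostname and DNs are constructed; the checks encode general LDAP rules, not CAS behaviour the thread itself confirms.

```python
# Added example, not from the thread or from CAS itself: lint the
# cas.authn.ldap[0].* settings posted above for the problems the thread turns
# on. The findings are general LDAP hygiene, not CAS behaviour the thread
# confirms; SAMPLE_CONFIG is constructed with a placeholder host and DNs.

def parse_properties(text):
    """Parse key=value lines; keys are lowercased because Spring's relaxed
    binding accepts both spellings seen in the thread, useStartTLS and useStartTls."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip().lower()] = value.strip()
    return props

def audit_ldap(text, prefix="cas.authn.ldap[0]."):
    """Return the list of findings for one LDAP authentication handler."""
    props = parse_properties(text)
    get = lambda name: props.get((prefix + name).lower(), "")
    findings = []
    url = get("ldapUrl")
    if url.startswith("ldap://") and get("useStartTls").lower() != "true":
        findings.append("plaintext LDAP: ldap:// without useStartTls=true")
    if url.startswith("ldaps://") and not get("trustedCertificates"):
        findings.append("ldaps:// without trustedCertificates: server CA must be in the JVM truststore")
    flt = get("userFilter")
    if "{user}" not in flt:
        findings.append("userFilter lacks the {user} placeholder")
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        findings.append("userFilter is not a parenthesised LDAP filter")
    if get("bindDn") and not get("bindCredential"):
        findings.append("bindDn set but bindCredential is empty")
    return findings

SAMPLE_CONFIG = """# constructed, in the shape of the config posted above
cas.authn.ldap[0].ldapUrl=ldaps://ad.example.edu
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=dc=example,dc=edu
cas.authn.ldap[0].userFilter=cn={sAMAccountName}
cas.authn.ldap[0].bindDn=CN=ldapadmin,CN=Users,DC=example,DC=edu
cas.authn.ldap[0].bindCredential=
#cas.authn.ldap[0].dnFormat=%s,dc=example,dc=edu
"""

if __name__ == "__main__":
    for finding in audit_ldap(SAMPLE_CONFIG):
        print("-", finding)
```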
