Re: [cas-user] cas-management-overlay and recent log4j vulnerabilities

2021-12-20 Thread Travis Schmidt
We need to update the 6.3.x branch to use 2.17, before you can use it in
the overlay.  I have a patch PR submitted now not sure when it will be
available in the repository.  You can pull the 6.3.x build directly, update
log4j, build a version to your local maven and then point your overlay to
that local build to get by until it is in the repo.

Travis

On Mon, Dec 20, 2021 at 8:47 AM Phil Hale  wrote:

> Hello folks,
>
> I'm trying to figure out a way to update the log4j in the
> cas-management-overlay from 2.14.0 to 2.17.0, so far without success.  Does
> anyone have some documentation or information on how to do this?  I've
> tried building from the cas-management 6.3.x source and run into other
> issues.  Any help or advice would be greatly appreciated.
>
> Thanks,
>
> Phil
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f1977eaf-be46-4158-b8d2-4ec675cf73bbn%40apereo.org
> 
> .
>

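
One way to confirm that a locally built WAR really carries the updated Log4j before it is deployed, as an added example (not code from this thread or from the CAS project). It reads every jar under WEB-INF/lib, prefers the Maven `pom.properties` metadata over the file name, and runs against a WAR constructed in memory; the 2.17.0 floor is the target version named above.

```python
import io
import re
import zipfile

MIN_VERSION = (2, 17, 0)  # target version named in the thread

# Maven metadata carried inside log4j 2.x jars, e.g.
# META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
POM_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/(log4j-[^/]+)/pom\.properties$")
# Fallback when the metadata is absent: log4j-core-2.14.0.jar -> (log4j-core, 2.14.0)
NAME_RE = re.compile(r"/(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); suffixes such as '-beta9' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    parts = [int(p) for p in m.group(0).split(".")] if m else [0]
    return tuple(parts + [0] * (3 - len(parts)))


def identify(entry, jar_bytes):
    """Return (artifact, version) for a log4j 2.x jar, or (None, None)."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            for name in jar.namelist():
                m = POM_RE.match(name)
                if not m:
                    continue
                props = jar.read(name).decode("utf-8", "replace")
                v = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if v:
                    return m.group(1), v.group(1).strip()
    except zipfile.BadZipFile:
        pass  # unreadable jar: fall back to the file name
    m = NAME_RE.search(entry)
    return (m.group(1), m.group(2)) if m else (None, None)


def scan_war(war):
    """war: path or file-like object. Returns (entry, artifact, version, ok) tuples."""
    findings = []
    with zipfile.ZipFile(war) as outer:
        for entry in outer.namelist():
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            artifact, version = identify(entry, outer.read(entry))
            if artifact is None:
                continue  # not a log4j 2.x jar
            ok = parse_version(version) >= MIN_VERSION
            findings.append((entry, artifact, version, ok))
    return findings


def _jar(artifact=None, version=None):
    """Constructed jar; carries log4j pom.properties only when an artifact is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if artifact:
            z.writestr(
                f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
                f"groupId=org.apache.logging.log4j\nartifactId={artifact}\n"
                f"version={version}\n")
    return buf.getvalue()


def build_sample_war():
    """Constructed WAR standing in for a locally built cas-management overlay."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.0.jar", _jar("log4j-core", "2.14.0"))
        z.writestr("WEB-INF/lib/log4j-api-2.17.0.jar", _jar("log4j-api", "2.17.0"))
        # Renamed copy: only the embedded metadata gives it away.
        z.writestr("WEB-INF/lib/logging.jar", _jar("log4j-core", "2.14.0"))
        # No metadata inside: the version comes from the file name.
        z.writestr("WEB-INF/lib/log4j-web-2.17.0.jar", _jar())
        z.writestr("WEB-INF/lib/spring-core-5.3.9.jar", _jar())
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, artifact, version, ok in scan_war(build_sample_war()):
        print(f"{'ok      ' if ok else 'OUTDATED'} {artifact} {version}  ({entry})")
```

Pass the path of the WAR produced by the overlay build to `scan_war` in place of the constructed sample.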


Re: [cas-user] New UI elements on cas-management app

2021-09-15 Thread Travis Schmidt
Yeah, that is something that we do here that must have made it into the
main project.  If you remove "staged" from the "Environments" field on the
"Advanced" tab then it will go away.  It is a way we can make things active
only in stage and not in production.

Travis

On Wed, Sep 15, 2021 at 10:30 AM King, Robert  wrote:

> Just wondering if anyone has an explanation as to what the “staged” ui
> element from cas-management 6.3.4 is?
>
>
>


Re: [cas-user] CAS/Salesforce Integration via Shibboleth Question

2020-07-30 Thread Travis Schmidt
If you want to cut Shibboleth out of the loop and use SAML, you would need
to set up your CAS Server as a SAML IdP and integrate directly to CAS.

Another option is to set up your CAS server as an OAuth/OIDC provider.  We
have integrated a Salesforce instance with OIDC and it has been working
well.

Travis

On Thu, Jul 30, 2020 at 9:24 AM Declan Ballantyne <
declan.ballant...@gmail.com> wrote:

> a newbie question.
>
> Is it possible to connect directly from CAS to Salesforce without having
> to go through an IDP. We currently use CAS as our SSO for our suite of
> applications. it is a few years old now and when we had to integrate with
> Remedyforce (Salesforce) we had to build a bridge using Shibboleth to
> enable the two platforms to communicate.
> We have moved our platform to Azure and since then, we have not been able
> to get the bridge working despite multiple rechecks of configurations.
> Salesforce complains of signature or certificate problems.
> "The signature in the response is not valid"
> "Is the correct certificate supplied in the keyinfo? false"
>
> Any ideas very welcome.
>
> Declan
>


Re: [cas-user] cas-management application

2020-07-23 Thread Travis Schmidt
Sorry for my absence and radio silence on this.  I had some high priority
projects come up that were eating up my time.  I am finally getting
around to looking into a 6.2 deployment.  I will be creating a 6.1.x branch
and cutting that release, then I will get master switched over to start
creating 6.2.x snapshots for those using the gradle overlays and hopefully
a 6.2 GA release soon.

Travis

On Thu, Jul 23, 2020 at 11:51 AM Rich Renomeron 
wrote:

> Hi Bryan,
>
> You mentioned a version 6.2 of the cas-management application, but I have
> been unable to find that version in Github (the HEAD revision is
> 6.1.4-SNAPSHOT).  Since you're using a 6.1.6 CAS, was that a typo, or am
> I missing something?  (I'm working on a 6.2 deployment right now, so I'd
> love to find a 6.2 cas-management application.)
>
> Thanks,
> Rich
>
> On Tue, Jul 7, 2020 at 5:38 AM Stef  wrote:
>
>> Hi Bryan,
>> If you want to completely disable version control you can do this in
>> build.gradle:
>>
>> bootWar {
>>     entryCompression = ZipEntryCompression.STORED
>>     overlays {
>>         // https://docs.freefair.io/gradle-plugins/current/reference/#_io_freefair_war_overlay
>>         // Note: The "excludes" property is only for files in the war dependency.
>>         // If a jar is excluded from the war, it could be brought back into the final war as a dependency
>>         // of non-war dependencies. Those should be excluded via normal gradle dependency exclusions.
>>         cas {
>>             from "org.apereo.cas:cas-mgmt-webapp${project.appServer}:${casMgmtServerVersion}@war"
>>             provided = false
>>             excludes = ["**/cas-mgmt-config-version-control*.jar", "**/cas-mgmt-config-delegated*.jar", "**/HikariCP-java7-2.4.13.jar"]
>>         }
>>     }
>> }
>>
>>
>> Then the only thing you need for services is
>>
>> cas.serviceRegistry.json.location=file:/etc/cas/services
>>
>>
>> Stéphane
>>
>> On Mon, Jul 6, 2020 at 22:47, Bryan Wooten wrote:
>>
>>> Thank you Ray. This helps.
>>>
>>> I see you are very active/helpful on this list...
>>>
>>> Perhaps one day I will return the favor.
>>>
>>> -Bryan
>>>
>>> University of Utah.
>>>
>>> On Mon, Jul 6, 2020 at 1:04 PM Ray Bon  wrote:
>>>
>>>> Bryan,
>>>>
>>>> I am just looking into cas management after a bit of a break from my
>>>> first frustrating attempt. My impression is that cas management is trying
>>>> to leverage the cas packages. The version of cas management must be the
>>>> same as a source of cas packages (I am working with 6.1.4-SNAPSHOT), but
>>>> does not have to be the same as the deployed cas (it can be older for
>>>> sure). This also means that the properties will be the same as those for
>>>> cas.
>>>> I have not tried turning off version control for the services. First
>>>> time I tried, it was problematic. For the extra step of confirming changes
>>>> to a service, it is probably not worth the effort. Just create a writable
>>>> directory (or make the default writable) for the git repo and be done with
>>>> it.
>>>> We store our services in ldap (so no file sync), but I am not that far
>>>> along in my config, maybe later this week or next.
>>>>
>>>> Ray
>>>>
>>>> On Mon, 2020-07-06 at 11:52 -0600, Bryan Wooten wrote:
>>>>
>>>> I was wondering if any of you fine folks could help me.
>>>>
>>>> I am trying to get cas-management application (6.2) with a Cas 6.1.6
>>>> server. (I can change the cas-management version if needed.)
>>>>
>>>> Anyway I am having trouble understanding the docs and
>>>> management.properties settings.
>>>>
>>>> I am simply trying to manage a 1000 json file /etc/cas.config/services
>>>> directory.
>>>>
>>>> We don't need/want version control at this time or any file sync.
>>>>
>>>> At startup we get errors like this:
>>>>
>>>> Origin: "mgmt.enableVersionControl" from property source
>>>> "bootstrapProperties"
>>>> Reason: The elements
>>>> [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.syncscript,mgmt.userrep
>>>> osdir] were left unbound.
>>>>
>>>> For example, what is mgmt.userrep?
>>>>
>>>> If someone could share the management properties file that would be
>>>> great.
>>>>
>>>> -Bryan
>>>>
>>>> University of Utah
>>>>
>>>> --
>>>>
>>>> Ray Bon
>>>> Programmer Analyst
>>>> Development Services, University Systems
>>>> 2507218831 | CLE 019 | r...@uvic.ca
>>>>
>>>> I respectfully acknowledge that my place of work is located within the
>>>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>>>> WSÁNEĆ Nations.


Re: [cas-user] cas 6.1 RC4 and cas-management 6.1 RC4 coexistence with git service registry

2020-01-31 Thread Travis Schmidt
Try adding the module cas-server-support-git-service-registry to your
overlay for cas-mgmt if it is not already there.

On Fri, Jan 31, 2020 at 11:33 AM Nathan Lewan  wrote:

> first off, thanks for responding so quickly!
>
> I added this to management.properties first:
> cas.serviceRegistry.git.cloneDirectory=${git-repo-folder-location}
> that led to the same behavior
>
> I then set this in management.properties
> mgmt.versionControl=false
> that led to the same behavior
>
> I then added in management.properties
> cas.serviceRegistry.git.privateKeyPath=${hcc.base.dir}/cas-settings/keys/coderepo_id_rsa
> this leads to this error:
>
> ***
> APPLICATION FAILED TO START
> ***
>
> Description:
>
> Binding to target [Bindable@60c98ce4 type =
> org.apereo.cas.configuration.CasConfigurationProperties, value =
> 'provided', annotations =
> array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false,
> ignoreUnknownFields=false, prefix=cas, value=cas)]] failed:
>
> Property: cas.serviceregistry.git.privatekeypath
> Value: ${me.base.dir}/cas-settings/keys/coderepo_id_rsa
> Origin: "cas.serviceRegistry.git.privateKeyPath" from property source
> "bootstrapProperties"
> Reason: The elements [cas.serviceregistry.git.privatekeypath] were
> left unbound.
>
> Action:
>
> Update your application's configuration
>
>
> So everything is working great, like when I delete a service record in
> CAS-MANAGEMENT, it gets deleted in the cloned ${git-repo-folder-location},
> it gets picked up by the cas app itself, it even successfully commits it to
> the cloned  ${git-repo-folder-location}, but neither cas, or
> cas-management seem to want to actually 'push' it to the git repo.
>
>
> on a whim, I decided to take a stab at adding this key that I made up to
> management.properties:
> mgmt.versionControl.pushChanges=true
> that, predictably, led to this:
>
> ***
> APPLICATION FAILED TO START
> ***
>
> Description:
>
> Binding to target [Bindable@13be93b8 type =
> org.apereo.cas.configuration.CasManagementConfigurationProperties, value =
> 'provided', annotations =
> array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false,
> ignoreUnknownFields=false, prefix=mgmt, value=mgmt)]] failed:
>
> Property: mgmt.versioncontrol.pushchanges
> Value: true
> Origin: "mgmt.versionControl.pushChanges" from property source
> "bootstrapProperties"
> Reason: The elements [mgmt.versioncontrol.pushchanges] were left
> unbound.
>
> Action:
>
> Update your application's configuration
>
>
> I guess I should try putting it on another server to rule that out, it's
> just so close to functional, I feel there's just something silly I'm
> missing.
>
> thanks again!
>
> On Friday, January 31, 2020 at 1:12:18 PM UTC-5, Travis Schmidt wrote:
>
>> I think the key that you are missing is this in the management properties
>>
>> cas.serviceRegistry.git.cloneDirectory=${git-repo-folder-location}
>>
>> Your cas.serviceRegistry properties from cas.properties to mgmt.properties
>> should be identical.  Also running the Git services repo with
>> management and server in the same JVM, might be an issue.
>>
>> Try turning version control off in management and make your
>> serviceRegistry properties in both to rule out running in same JVM is a
>> problem.
>>
>>
>>
>> On Fri, Jan 31, 2020 at 8:00 AM Nathan Lewan  wrote:
>>
>>> hello!
>>>
>>> these forums have been great for me, and I'd like to throw out a
>>> question to see if anyone has any insights.
>>>
>>> here's what's working:
>>>
>>> cas and cas-management 6.1 RC4 running on tomcat9 on the same server,
>>> are both able to see the git service registry I have set up.
>>>
>>> my fun begins when cas-management commits its changes. It commits them
>>> in the local git cache, which the cas service is also pointing at and picks
>>> up, BUT it never pushes the commit to the git repo.
>>>
>>> I get java NullPointerException error. actually I get that error right
>>> when I select to look at the services in the cas-management web interface:
>>>
>>> ---
>>> 2020-01-31 10:44:07,275 ERROR
>>> [org.apereo.cas.mgmt.controller.CommitController] - 
>>> java.lang.NullPointerException: null
>>> at
>>> org

Re: [cas-user] cas 6.1 RC4 and cas-management 6.1 RC4 coexistence with git service registry

2020-01-31 Thread Travis Schmidt
I think the key that you are missing is this in the management properties

cas.serviceRegistry.git.cloneDirectory=${git-repo-folder-location}

Your cas.serviceRegistry properties from cas.properties to mgmt.properties
should be identical.  Also running the Git services repo with
management and server in the same JVM, might be an issue.

Try turning version control off in management and make your serviceRegistry
properties in both to rule out running in same JVM is a problem.



On Fri, Jan 31, 2020 at 8:00 AM Nathan Lewan  wrote:

> hello!
>
> these forums have been great for me, and I'd like to throw out a question
> to see if anyone has any insights.
>
> here's what's working:
>
> cas and cas-management 6.1 RC4 running on tomcat9 on the same server, are
> both able to see the git service registry I have set up.
>
> my fun begins when cas-management commits its changes. It commits them in
> the local git cache, which the cas service is also pointing at and picks
> up, BUT it never pushes the commit to the git repo.
>
> I get java NullPointerException error. actually I get that error right when
> I select to look at the services in the cas-management web interface:
>
> ---
> 2020-01-31 10:44:07,275 ERROR [org.apereo.cas.mgmt.controller.CommitController] - 
> java.lang.NullPointerException: null
>     at org.apereo.cas.mgmt.controller.CommitController.isPublishedBehind(CommitController.java:201) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>     at org.apereo.cas.mgmt.controller.CommitController.gitStatus(CommitController.java:225) [cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
>     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
>     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
>     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
>     at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>     at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) [spring-web-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) [spring-web-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:889) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:794) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1039) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:942) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1005) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:897) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) [servlet-api.jar:?]
>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:882) [spring-webmvc-5.2.0.M2.jar:5.2.0.M2]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) [servlet-api.jar:?]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.30]
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat-websocket.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.30]
>     at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) [inspektr-common-1.8.5.GA.jar:1.8.5.GA]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

Re: [cas-user] Re: CAS 6.1.3 SAML and JSON

2020-01-23 Thread Travis Schmidt
To remove unwanted authentication attributes add excludeDefaultAttributes:
true.

On Thu, Jan 23, 2020 at 7:33 AM Josh  wrote:

> Apologies, I see you have that already, I mis-read the original post :)
>
> On Thursday, January 23, 2020 at 10:32:36 AM UTC-5, Josh wrote:
>>
>> You don't need an allowedAttributes section for this, just an
>> attributeReleasePolicy like so:
>>
>> attributeReleasePolicy : {
>>   @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>>   allowedAttributes : {
>>     @class : java.util.TreeMap
>>     mail : "urn:oid:0.9.2342.19200300.100.1.3"
>>     gecos : "urn:oid:2.16.840.1.113730.3.1.241"
>>     eduPersonPrincipalName : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
>>   }
>> }
>>
>>
>> On Thursday, January 23, 2020 at 3:54:19 AM UTC-5, stonej wrote:
>>>
>>> Hello All,
>>>
>>> I am trying to move away from shibboleth IDP and move to CAS IDP but
>>> having a few issues, I have had a look at the documentation and this group
>>> and cannot seem to find the answer.  I need to pass certain attributes,
>>> these ones -
>>>
>>> urn:oid:0.9.2342.19200300.100.1.3 - mail value email address
>>> urn:oid:1.3.6.1.4.1.5923.1.1.1.1 - eduPersonAffiliation value member
>>> urn:oid:1.3.6.1.4.1.5923.1.1.1.1 - eduPersonAffiliation value staff or student
>>> urn:oid:1.3.6.1.4.1.5923.1.1.1.6 - eduPersonPrincipalName mail value email address
>>> urn:oid:2.5.4.4 - sn value surname
>>> urn:oid:1.3.6.1.4.1.5923.1.1.1.9 - eduPersonScopedAffiliation value mem...@domain.com
>>> urn:oid:1.3.6.1.4.1.5923.1.1.1.9 - eduPersonScopedAffiliation value staff or stu...@domain.com
>>> urn:oid:2.5.4.42 - givenName value First Name
>>> urn:oid:1.3.6.1.4.1.5923.1.1.1.10 - eduPersonTargetedID Value random id based on salt
>>> urn:oid:1.3.6.1.4.1.5923.1.1.1.7 - eduPersonEntitlement value urn:mace:dir:entitlement:common-lib-terms
>>>
>>> but I am getting :
>>>
>>> credentialType credentialType UsernamePasswordCredential
>>> samlAuthenticationStatementAuthMethod samlAuthenticationStatementAuthMethod urn:oasis:names:tc:SAML:1.0:am:password
>>> isFromNewLogin isFromNewLogin true
>>> authenticationDate authenticationDate 2020-01-22T13:59:03.213799Z
>>> urn:oid:0.9.2342.19200300.100.1.3 urn:oid:0.9.2342.19200300.100.1.3 em...@domain.com
>>> authenticationMethod authenticationMethod LdapAuthenticationHandler
>>> urn:oid:0.9.2342.19200300.100.1.1 urn:oid:0.9.2342.19200300.100.1.1 Username
>>> successfulAuthenticationHandlers successfulAuthenticationHandlers LdapAuthenticationHandler
>>> longTermAuthenticationRequestTokenUsed longTermAuthenticationRequestTokenUsed false
>>> urn:oid:2.5.4.42 urn:oid:2.5.4.42 FirstName
>>> urn:oid:2.5.4.4 urn:oid:2.5.4.4 Surname
>>>
>>> Here is my JSON file:
>>>
>>> {
>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>   "serviceId" : "SERVICE",
>>>   "name" : "Apache Secured By SAML",
>>>   "id" : 10011,
>>>   "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
>>>   "metadataLocation" : "file:etc/cas/saml/metadata/metadata.xml",
>>>   "encryptAssertions": "true",
>>>   "attributeReleasePolicy" : {
>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>     "allowedAttributes" : {
>>>       "@class" : "java.util.TreeMap",
>>>       "eppn" : "urn:mace:dir:attribute-def:eduPersonPrincipalName",
>>>       "cn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
>>>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>>>       "givenName" : "urn:oid:2.5.4.42",
>>>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>>>       "role" : "urn:DOMAIN:attribute-def:role",
>>>       "sn" : "urn:oid:2.5.4.4",
>>>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>>>       "UDC_IDENTIFIER": "urn:DOMAIN:attribute-def:UDC_IDENTIFIER",
>>>       "eppn" : "urn:oid:0.9.2342.19200300.100.1.1"
>>>       "affiliation" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
>>>       "affiliation" : "staff"
>>>     }
>>>     "persistentIdGenerator" : {
>>>       "@class" : "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
>>>       "salt" : "aGVsbG93b3JsZA==",
>>>       "attribute": "eduPersonEntitlement"
>>>     }
>>>   },
>>>   "evaluationOrder" : 1125
>>> }
>>>
>>>
>>> What am I doing wrong ?  I do have other files to prepare but I know if
>>> I can get this one working I can get the other ones working,
>>>
>>> Thanks for all your help
>>>
>>> Jeff
>>>
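
A check for the two things this thread turns on, written as an added example (not code from the thread or from CAS): a mapped release policy in which a repeated key drops one of its mappings, and a policy that does not set `excludeDefaultAttributes` to true. The service definition is a constructed, strict-JSON reduction of the one quoted above and the required names are a subset of the list in the question; that the flag sits on the `attributeReleasePolicy` object is an assumption.

```python
import json

# Constructed sample: a reduced, strict-JSON version of the quoted service file.
SAMPLE_SERVICE = """
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "SERVICE",
  "name": "Apache Secured By SAML",
  "id": 10011,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "mail": "urn:oid:0.9.2342.19200300.100.1.3",
      "sn": "urn:oid:2.5.4.4",
      "eppn": "urn:mace:dir:attribute-def:eduPersonPrincipalName",
      "eppn": "urn:oid:0.9.2342.19200300.100.1.1",
      "affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
      "affiliation": "staff"
    }
  }
}
"""

# Names the service provider expects to receive (subset of the question's list).
REQUIRED_NAMES = {
    "urn:oid:0.9.2342.19200300.100.1.3",   # mail
    "urn:oid:2.5.4.4",                     # sn
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",    # eduPersonAffiliation
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",    # eduPersonPrincipalName
}


def _record_duplicates(duplicates):
    """Build an object_pairs_hook that notes keys repeated inside one object."""
    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                duplicates.append(key)
            # A JSON object holds one value per key. Python keeps the last one;
            # which one the CAS parser keeps is not verified here.
            obj[key] = value
        return obj
    return hook


def released_names(policy):
    """Names a mapped policy can release: the values of allowedAttributes."""
    names = set()
    for key, value in policy.get("allowedAttributes", {}).items():
        if key == "@class":
            continue
        names.update(value if isinstance(value, list) else [value])
    return names


def lint_service(text, required_names):
    """Return (code, subject) findings for one service definition."""
    duplicates = []
    service = json.loads(text, object_pairs_hook=_record_duplicates(duplicates))
    findings = [("duplicate-key", key) for key in duplicates]
    policy = service.get("attributeReleasePolicy", {})
    # Accept both true and "true", as the quoted file writes booleans as strings.
    if str(policy.get("excludeDefaultAttributes")).lower() != "true":
        findings.append(("defaults-not-excluded", "attributeReleasePolicy"))
    for name in sorted(set(required_names) - released_names(policy)):
        findings.append(("never-released", name))
    return findings


if __name__ == "__main__":
    for code, subject in lint_service(SAMPLE_SERVICE, REQUIRED_NAMES):
        print(f"{code:24} {subject}")
```

On the sample, the repeated `affiliation` key is why the eduPersonAffiliation name shows up as never released: the second entry replaces the mapping to the OID.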

Re: [cas-user] Re: cas-management 6.1 RC4 turn off version control

2019-10-25 Thread Travis Schmidt
Admittedly the CAS Mgmt documentation is lagging some of the latest
refactors in the snapshots.  I usually try and make an effort when GA rolls
around to try and make sure at least config properties are updated.  You
can look here directly at the source of truth:

https://github.com/apereo/cas-management/blob/master/api/cas-mgmt-api-configuration/src/main/java/org/apereo/cas/configuration/CasManagementConfigurationProperties.java

The property name would just follow object "." notation starting with
"mgmt."

You can specify a luceneIndexDir and I think it only uses this directory as
temp storage when executing queries, so I think it is always cleaned up.
Anyways Lucene needed some file system dir configured.

If you are using version control then you will always see a
JSONServiceRegistry popup in the logs, since JSON files in a Git repository
is how that is implemented, regardless of the persistence you use for your
configured service registry.

Not sure what the logout thing is.

For the /dashboard and discovery endpoint, I have it configured and about
the only way I know it would work is to open up the admin endpoints by IP
address to the IP of your running CAS Management webapp.  Documentation can
be found here:

https://apereo.github.io/cas/development/monitoring/Monitoring-Statistics.html

I do not personally use the gradle overlays or even do any real testing
with them.  It has turned out in the past that the overlay was picking up
conflicting config from cas in the overlay that wasn't realized when just
building and deploying from source.

Lastly, I do believe some resources may be picking up the cause of CAS
Mgmt, and I may have some more time for the OS version freeing up soon, at
least will try and smooth out some rough edges for GA.  As always pull
requests are welcomed and encouraged.

Travis






On Fri, Oct 25, 2019 at 6:55 AM randomuser878  wrote:

> Hello
>
>   Thanks for the hint per CasManagementConfigurationProperties.java
> 
>   Have been really struggling with this one as well.  Really feel
> cas-management is behind cas and sure hope the recent indicators of moving
> dashboards from cas to cas-management means better product eventually.
>
>   Ranting aside, cas-management 6.1 RC4, these two flags end up as
> non-bound and service will fail/crash to restart.
>mgmt.enableVersionControl=false
>mgmt.enableDelegatedMgmt=false
>
>   Overlaying this file
> src/main/java/org/apereo/cas/configuration/CasManagementConfigurationProperties.java
> by setting the two references you alluded to false it will compile but then
> on restart it will throw tons of errors about ALL mgmt parameters being
> unbound.  If you can figure out what I could have missed by just modifying
> that code directly that would be great.
>   Added this to build.gradle
> compile "org.apereo.cas:cas-mgmt-api-core:${project.'casmgmt.version'}"
> compile "org.projectlombok:lombok:1.18.8"
>
>   Then tried the 6.1. RC5 snapshot, maybe those two parameters that are in
> documentation would work but nope, it would crash per  some collusion about
> groovy libraries and such, anyway gave up on that front, it is snapshot
> after all.
>
>   HERE is what currently WORKS for me (not sure if it breaks anything else
> but I am past the point of desperation)
>   1) deploy cas-management.war and explode into webapps (remove war
> afterwards)
>   rm -v $CATALINA_BASE/webapps/cas-management/WEB-INF/lib/cas-mgmt-config-version-control-6.1.0-RC4.jar
>   rm -v $CATALINA_BASE/webapps/cas-management/WEB-INF/lib/cas-mgmt-config-delegated-6.1.0-RC4.jar
>
>
>   Now here are other gems
>   1) using JPA so would really like to tell JSON to take a back-seat.
>  cas.serviceRegistry.initFromJson=false
>YET it loads from services default or whatever you specify including
> commenting out or leaving default or whatever:
> cas.serviceRegistry.json.location=classpath:/services
>Implicit PROBLEM for me: when you create new service you see double
> entries. One for JPA, the other one for json. Which is which?
>Workaround:
> 1) do not specify at all cas.serviceRegistry.json.location in config
> (not sure it matters)
> 2) same as above post explode cas-management.war (not sure how can I
> remove them from overlay, I could just try empty files in overlay but
> removing is cleaner)
>    rm -v $CATALINA_BASE/webapps/cas-management/WEB-INF/classes/services/*.json
>
>Another headache: I want to have search work for me. Why can't I change
> the path of luceneIndexDir. (no parameter, nor can change and compile above
> without other failures)
>So must create folder /etc/cas/lucene even though for this scenario it
> is just a placeholder, so I 

Re: [cas-user] [CAS-6.1.x] Where is the old "/cas/status/dashboard" url?

2019-10-24 Thread Travis Schmidt
The dashboard UI has been removed from CAS Server, but the APIs are still
there and have been expanded.  There is a new /dashboard endpoint in the
CAS Management application that is still being constructed as a
replacement.

On Thu, Oct 24, 2019 at 6:11 AM Nicola Boldrin 
wrote:

> Someone could give me the documentation references to activate the old url
> *"/cas/status/dashboard"* or an example settings' file?
>
>
> Thanks
>


Re: [cas-user] More issues with cas-management 6.1 RC4

2019-09-18 Thread Travis Schmidt
Hi Ron,

  External Cloud config is something I am fairly certain would need to be
added as a feature to CAS Management.

  Are you looking to Authorize users against LDAP instead of the static
users.json?  You can try adding :config:cas-mgmt-config-authz-ldap to your
build.

Travis

On Wed, Sep 18, 2019 at 9:57 AM Ray Bon  wrote:

> I am combining these issues because I suspect that they have the same
> underlying problem.
>
> 1. I need cas-management to access an external spring cloud config server
> but I am unable to get cas-management to look anywhere but at local config
> files.
> 2. I need cas-management to look in ldap for user attributes but it only
> looks at users.[json|properties].
>
> I have tried to remove all references to local files but the result is
> errors about missing properties or files.
> This suggests to me that cas-management is not enabling my configuration
> (which is working in CAS) or more accurately not overriding the defaults.
>
> Any insight into what is going on with cas-management will be appreciated
> greatly.
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>



Re: [cas-user] CAS 6.1 Management RC3 service sync behavior

2019-06-13 Thread Travis Schmidt
Hi Erik,

  CAS Management RC4 was released yesterday, please try running that
version.  Also the sync script property was changed to
mgmt.versionControl.syncScript.

Travis

On Thu, Jun 13, 2019 at 1:28 PM 'Mallory, Erik' via CAS Community <
cas-user@apereo.org> wrote:

> Hello
>
> I’ve been working through upgrading our development environment using the
> new 6.1 release, currently the services management is at RC 3 and I’m
> noticing some odd behavior.
>
> First off the following property doesn’t seem to be available.
>
> mgmt.syncScript=/etc/cas/sync.sh
>
>
>
> So I figured I’d use Rsync and cron to keep the services in sync between
> the two nodes.  The script synced the files in /etc/cas/services-repo but
> cas never picked up the services. I disabled one node, and created the
> service by hand and it worked. It would appear that sync is still under
> construction. If I’m doing it wrong or if you have any insight please share
> what you know.
>
>
>
> Property: mgmt.syncscript
>
> Value: /etc/cas/sync.sh
>
> Origin: "mgmt.syncScript" from property source "bootstrapProperties"
>
> Reason: The elements [mgmt.syncscript] were left unbound.
>
>
>
> Action:
>
>
>
> Update your application's configuration
>
>
>
> Thanks,
>
>
>
> Erik Mallory
>
> Server Analyst
>
> Wichita State University
>
> 316.978.3502
>
>
>



Re: [cas-user] CAS 5.3.x CAS Services Management and attribute uir like urn:oid:...

2019-03-22 Thread Travis Schmidt
Thinking this could be more of an issue with MongoDb as storage for this
info:

org.springframework.data.mongodb.core.convert.MappingMongoConverter.potentiallyEscapeMapKey(MappingMongoConverter.java:725)


On Fri, Mar 22, 2019 at 1:06 PM Christian Poirier 
wrote:

> Hi everybody
>
> I have an error using CAS Services Management 5.3.x when I try to save a
> SAML2 service containing
>
> "attributeFriendlyNames": {
>   "@class": "java.util.HashMap",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
>   "urn:oid:2.5.4.3": "cn",
>   "urn:oid:2.5.4.4": "sn",
>   "urn:oid:0.9.2342.19200300.100.1.3": "mail",
>   "urn:oid:2.5.4.42": "givenName",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
>   "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
>   "urn:oid:2.16.840.1.113730.3.1.39": "preferredLanguage",
>   "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "isMemberOf"
> },
> "attributeNameFormats": {
>   "@class": "java.util.HashMap",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "uri",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "uri",
>   "urn:oid:2.5.4.3": "uri",
>   "urn:oid:2.5.4.4": "uri",
>   "urn:oid:0.9.2342.19200300.100.1.3": "uri",
>   "urn:oid:2.5.4.42": "uri",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "uri",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "uri",
>   "urn:oid:2.16.840.1.113730.3.1.241": "uri",
>   "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "uri",
>   "urn:oid:2.16.840.1.113730.3.1.39": "uri",
>   "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "uri",
>   "eduPersonTargetedID": "unspecified",
>   "eduPersonPrincipalName": "unspecified",
>   "email": "unspecified",
>   "cn": "unspecified",
>   "sn": "unspecified",
>   "mail": "unspecified",
>   "givenName": "unspecified",
>   "eduPersonScopedAffiliation": "unspecified",
>   "eduPersonAffiliation": "unspecified",
>   "displayName": "unspecified",
>   "eduPersonEntitlement": "unspecified",
>   "preferredLanguage": "unspecified",
>   "memberOf": "unspecified"
> }
>
>
>
> The error is :
> =
> WHO: xxx
> WHAT: Map key urn:oid:0.9.2342.19200300.100.1.3 contains dots but no
> replacement was configured! Make sure map keys don't contain dots in the
> first place or configure an appropriate re
> placement!
> ACTION: SAVE_SERVICE_FAILED
> APPLICATION: CAS_Management
> WHEN: Fri Mar 22 16:02:17 EDT 2019
> CLIENT IP ADDRESS: 999.999.999.999
> SERVER IP ADDRESS: 999.999.999.999
> =
> 2019-03-22 16:02:17,055 ERROR
> [org.apereo.cas.mgmt.services.web.AbstractManagementController] - Map key
> urn:oid:0.9.2342.19200300.100.1.3 contains dots but no replacement was
> configure
> d! Make sure map keys don't contain dots in the first place or configure
> an appropriate replacement!
> org.springframework.data.mapping.model.MappingException: Map key urn:oid:
> 0.9.2342.19200300.100.1.3 contains dots but no replacement was configured!
> Make sure map keys don't contain dot
> s in the first place or configure an appropriate replacement!
> at
> org.springframework.data.mongodb.core.convert.MappingMongoConverter.potentiallyEscapeMapKey(MappingMongoConverter.java:725)
> ~[spring-data-mongodb-1.10.15.RELEASE.jar:?]
>
>
>
>
> *Is there any way to resolve this error?*
>

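The error in the thread above is raised for map keys, not values: the urn:oid keys contain dots, and the converter refuses them when no replacement is configured. The following is an added example, not code from the thread or from CAS: it scans a service definition for dotted keys before it is saved to a MongoDB-backed registry and shows a reversible key escaping. The sample JSON is constructed and the __DOT__ token is a hypothetical choice.

```python
import json

# Constructed sample: a trimmed SAML2 service fragment using the same kind of
# urn:oid map keys as the definition quoted in the thread.
SAMPLE_SERVICE = json.loads("""
{
  "name": "example-sp",
  "attributeFriendlyNames": {
    "@class": "java.util.HashMap",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.3": "cn"
  },
  "attributeNameFormats": {
    "@class": "java.util.HashMap",
    "urn:oid:0.9.2342.19200300.100.1.3": "uri",
    "mail": "unspecified"
  }
}
""")

# Hypothetical replacement token; it must never occur in a real key.
DOT_REPLACEMENT = "__DOT__"


def find_dotted_keys(node, path="$"):
    """Return the paths of every map key that contains a dot.

    Values such as "java.util.HashMap" are ignored: only keys are a problem.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}[{key!r}]"
            if "." in key:
                hits.append(child)
            hits.extend(find_dotted_keys(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_dotted_keys(item, f"{path}[{index}]"))
    return hits


def escape_keys(node, replacement=DOT_REPLACEMENT):
    """Return a copy with dots in map keys replaced by the token.

    A key that already contains the token is rejected, because it could not
    be restored unambiguously on read.
    """
    if isinstance(node, dict):
        escaped = {}
        for key, value in node.items():
            if replacement in key:
                raise ValueError(f"key {key!r} already contains {replacement!r}")
            escaped[key.replace(".", replacement)] = escape_keys(value, replacement)
        return escaped
    if isinstance(node, list):
        return [escape_keys(item, replacement) for item in node]
    return node


def unescape_keys(node, replacement=DOT_REPLACEMENT):
    """Inverse of escape_keys, applied when a stored document is read back."""
    if isinstance(node, dict):
        return {key.replace(replacement, "."): unescape_keys(value, replacement)
                for key, value in node.items()}
    if isinstance(node, list):
        return [unescape_keys(item, replacement) for item in node]
    return node


if __name__ == "__main__":
    for hit in find_dotted_keys(SAMPLE_SERVICE):
        print("dotted map key:", hit)
    stored = escape_keys(SAMPLE_SERVICE)
    print("dotted keys after escaping:", len(find_dotted_keys(stored)))
    print("round trip intact:", unescape_keys(stored) == SAMPLE_SERVICE)
```

Spring Data MongoDB's MappingMongoConverter has a setMapKeyDotReplacement setter that performs this substitution inside the converter; whether a given CAS Management build exposes it is not stated in the thread.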


Re: [cas-user] DUO ByPass unenrolled users broken?

2019-02-21 Thread Travis Schmidt
All true, but I guess I am still confused by what Duo is doing.  If
pre-auth just returns AUTH in all cases then what does it return for a
bypassed user in Duo from the Iframe?  If it is a signed response then
everything should be good and CAS would assume the user was authenticated
with Duo.  Any other return value I think would result in an authentication
error and the user would not be allowed to continue.

Travis

On Thu, Feb 21, 2019 at 11:02 AM Richard Frovarp 
wrote:

> 5.1 uses a broken method for bypassing Duo. Or at least broken in some
> respects. That's why you get the flash on the screen. 5.1 actually triggers
> the widget, and the widget is doing the bypass. CAS doesn't know, so all of
> your users under 5.1 are asserting via attribute release that they have
> performed MFA, when in fact they may not have.
>
> 5.2+ added a method that makes an API call to see if the user can bypass.
> If the user can bypass, they don't get the MFA iframe appearing. It also
> then doesn't assert that MFA has happened when it hasn't.
>
> What we're doing is that everyone that has to MFA is in an AD group. We
> use that to trigger MFA. The Duo integration is configured to always
> require MFA, because anyone sent to it will have been asserted by AD to
> require Duo. If you need to bypass Duo, you just change the CAS config to
> point to an AD group that doesn't exist, touch the file, and away it goes.
> Handy for when Duo is down, or your own network is down.
>
> On 2/21/19 11:38 AM, Travis Schmidt wrote:
>
> OK, that might explain it.  Does the Duo iframe screen then flash by now
> for these users when in the past it did not?
>
> One way to get around possibly.  If you have an attribute available that
> marks a user as being enrolled in Duo, you can set a trigger to enforce
> Duo on only those users, with name attribute values or groovy script.
> The trade-off is that all services will require Duo for anyone enrolled
> in Duo, but you should be able to set bypass flags in services or a bypass
> script.  Depending on how you are set up to use Duo now, this could be a
> big or small change.
>
> Travis
>
> On Thu, Feb 21, 2019 at 9:30 AM Greg Booth  wrote:
>
>> We are seeing this issue as well, CAS 5.3.4 using MFA with Duo. We
>> believe it is an issue Duo has introduced with their new API. See
>> the yellow box under “User Account Status”:
>> https://apereo.github.io/cas/5.3.x/installation/DuoSecurity-Authentication.html#user-account-status
>>
>> Rather than wait for Duo to fix this, we are looking into ways to bypass
>> this issue without disabling Duo entirely on our services, using
>> Multifactor Authentication Bypass:
>>
>> https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#multifactor-authentication-bypass
>>
>> Have not gotten anywhere with this yet, if anyone has experience with
>> those config settings, we could use your help.
>>
>> Greg
>>
>> On Thu, Feb 21, 2019 at 9:39 AM atilling  wrote:
>>
>>> CAS version 5.1.9 using MFA with DUO. We had this working fine for about
>>> two years at this point. Tuesday it started causing problems for our
>>> unenrolled users. We have the DUO setting "allow unenrolled users to pass
>>> through without two-factor authentication" but sometime around 5 pm Tuesday
>>> all unenrolled users started getting the error "The validation request for
>>> ['ST-...'] cannot be satisfied. The request is either unrecognized or
>>> unfulfilled." whenever logging into a Duo protected service.
>>>
>>> Has anyone else experienced this? Did something change with Duo in the
>>> last 72 hours? We had to turn off Duo for these services and we don't want
>>> to keep it off.
>>>
>>> Any help would be appreciated.

Re: [cas-user] DUO ByPass unenrolled users broken?

2019-02-21 Thread Travis Schmidt
OK, that might explain it.  Does the Duo iframe screen then flash by now
for these users when in the past it did not?

One way to get around possibly.  If you have an attribute available that
marks a user as being enrolled in Duo, you can set a trigger to enforce
Duo on only those users, with name attribute values or groovy script.
The trade-off is that all services will require Duo for anyone enrolled
in Duo, but you should be able to set bypass flags in services or a bypass
script.  Depending on how you are set up to use Duo now, this could be a
big or small change.

Travis

On Thu, Feb 21, 2019 at 9:30 AM Greg Booth  wrote:

> We are seeing this issue as well, CAS 5.3.4 using MFA with Duo. We believe
> it is an issue Duo has introduced with their new API. See the yellow box
> under “User Account Status”:
> https://apereo.github.io/cas/5.3.x/installation/DuoSecurity-Authentication.html#user-account-status
>
> Rather than wait for Duo to fix this, we are looking into ways to bypass
> this issue without disabling Duo entirely on our services, using
> Multifactor Authentication Bypass:
>
> https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#multifactor-authentication-bypass
>
> Have not gotten anywhere with this yet, if anyone has experience with
> those config settings, we could use your help.
>
> Greg
>
> On Thu, Feb 21, 2019 at 9:39 AM atilling  wrote:
>
>> CAS version 5.1.9 using MFA with DUO. We had this working fine for about
>> two years at this point. Tuesday it started causing problems for our
>> unenrolled users. We have the DUO setting "allow unenrolled users to pass
>> through without two-factor authentication" but sometime around 5 pm Tuesday
>> all unenrolled users started getting the error "The validation request for
>> ['ST-...'] cannot be satisfied. The request is either unrecognized or
>> unfulfilled." whenever logging into a Duo protected service.
>>
>> Has anyone else experienced this? Did something change with Duo in the
>> last 72 hours? We had to turn off Duo for these services and we don't want
>> to keep it off.
>>
>> Any help would be appreciated.
>>
>
>
> --
> Gregory Booth
> Senior Systems Administrator & Technical Team Lead
> IT Operations
> Information Technology
> Michigan Technological University
> (906) 487-1797 <9064871797>
> www.mtu.edu
> www.it.mtu.edu
>



Re: [cas-user] DUO ByPass unenrolled users broken?

2019-02-21 Thread Travis Schmidt
Nothing has recently changed in your CAS Config?

If you can set this class to debug logging level
org.apereo.cas.authentication.DefaultAuthenticationContextValidator.
That should give you some insight into perhaps why this is getting hit.

On Thu, Feb 21, 2019 at 6:39 AM atilling  wrote:

> CAS version 5.1.9 using MFA with DUO. We had this working fine for about
> two years at this point. Tuesday it started causing problems for our
> unenrolled users. We have the DUO setting "allow unenrolled users to pass
> through without two-factor authentication" but sometime around 5 pm Tuesday
> all unenrolled users started getting the error "The validation request for
> ['ST-...'] cannot be satisfied. The request is either unrecognized or
> unfulfilled." whenever logging into a Duo protected service.
>
> Has anyone else experienced this? Did something change with Duo in the
> last 72 hours? We had to turn off Duo for these services and we don't want
> to keep it off.
>
> Any help would be appreciated.
>



[cas-user] CAS Management v6.0.0-RC4 release

2018-12-27 Thread Travis Schmidt
CAS Mgmt v6.0.0-RC4 has been released:
https://github.com/apereo/cas-management/releases/tag/v6.0.0-RC4

Travis



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-12-06 Thread Travis Schmidt
Yes that would indeed be the case.  Also if you need to use multiple Duo
instances, I think you would have better luck with the latest 5.3.6 release
for both CAS and CAS Management which was moved to its own repository
starting with 5.3: https://github.com/apereo/cas-management

Travis

On Thu, Dec 6, 2018 at 10:56 AM Mukunthini Jeyakumar 
wrote:

> Hi Travis,
>
> Does management webapp work with discovery endpoint only in cas 5.3? I'm
> using CAS 5.2.8
>



[cas-user] Re: [cas-dev] Re: CAS Management v5.3.5 Released

2018-11-26 Thread Travis Schmidt
After cloning the overlay repository, checkout the branch tagged as "5.3".
You can also do git clone --single-branch -b 5.3
https://github.com/apereo/cas-management-overlay.git



On Sun, Nov 25, 2018 at 10:31 PM  wrote:

> link of the Maven war Overlay points to cas 6 gradle overlay for both cas
> and cas-management app. Can you please provide the Maven war overlay links?
>
> On Friday, November 2, 2018 at 5:51:00 AM UTC+8, Travis Schmidt wrote:
>>
>> CAS Management version 5.3.5 has been released:
>> https://github.com/apereo/cas-management/releases/tag/v5.3.5
>>
>> This release contains a new Search screen that provides full text
>> search of Services in a sortable table.
>>
>> Travis
>>



Re: [cas-user] what is the difference bewteen two selection of cas.serviceRegistry.managementType ?

2018-11-21 Thread Travis Schmidt
https://apereo.github.io/cas-management/5.3.x/installation/Installing-ServicesMgmt-Webapp.html#default-vs-domain

On Tue, Nov 20, 2018 at 7:11 PM James Mackerel 
wrote:

> I saw cas.serviceRegistry.managementType option in CAS properties document
> ,
> which indicates that this option can be set to DEFAULT|DOMAIN. But after
> searching on web and everywhere in document,
>
> I can not find the difference between these 2 options. Would anyone
> explain that for me?
>



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-14 Thread Travis Schmidt
They would only show in the mgmt webapp if you have configured the
cas/status/discovery endpoint on your cas-server and the mgmt webapp server
is able to reach it on startup.  Otherwise only default values are shown.



On Wed, Nov 14, 2018 at 11:37 AM Mukunthini Jeyakumar 
wrote:

> Hi Travis,
>
> I'm in the same situation trying to configure multiple duo instances to
> apply different duo group policies.  I've configured cas.properties with 2
> duo instances and those are not showing up on management webapp to select
> as Multifactor Provider. I'm using cas 5.2.8 and JPA service registry.
>
> Thanks
> Thini
>



Re: [cas-user] Re: CAS Management v5.3.6 Release

2018-11-07 Thread Travis Schmidt
Wildcard searches are what you want:

http://lucene.apache.org/core/7_5_0/queryparser/org/apache/lucene/queryparser/classic/package-summary.html#package.description

Doing a quick test against our registry for my first name, Tra?is works,
Tra*is works.  For some reason though to make Trav* work somewhat as
expected it needs to be Trav**

There is also some support for Regular Expressions (see link above), but
seems finicky when I try and use it.  Usually works searching fields
directly that do not contain whitespace.

On Wed, Nov 7, 2018 at 7:17 AM Shawn Cutting  wrote:

> Is the search functionality limited to "whole word" searches?  It would be
> nice if the search can find partial words as well.
>
> On Friday, November 2, 2018 at 1:57:01 PM UTC-4, Travis Schmidt wrote:
>>
>> CAS Management v5.3.6 has been released:
>> https://github.com/apereo/cas-management/releases/tag/v5.3.6
>>
>> This release corrects an error that was found in the new Search
>> functionality released in 5.3.5.
>>
>> Deployers that use the war overlay, take note that the pom.xml has been
>> updated to include a separate  property.  
>> is still present and can be used for any CAS modules that you add to the
>> overlay.
>>
>> Thanks
>> Travis
>>



[cas-user] CAS Management v5.3.6 Release

2018-11-02 Thread Travis Schmidt
CAS Management v5.3.6 has been released:
https://github.com/apereo/cas-management/releases/tag/v5.3.6

This release corrects an error that was found in the new Search
functionality released in 5.3.5.

Deployers that use the war overlay, take note that the pom.xml has been
updated to include a separate  property.  
is still present and can be used for any CAS modules that you add to the
overlay.

Thanks
Travis



[cas-user] CAS Management v5.3.5 Released

2018-11-01 Thread Travis Schmidt
CAS Management version 5.3.5 has been released:
https://github.com/apereo/cas-management/releases/tag/v5.3.5

This release contains a new Search screen that provides full text search
of Services in a sortable table.

Travis



Re: [cas-user] Mysterious ADFS Issue: CAS Doesn't seem to know what to do with the saml.

2018-10-31 Thread Travis Schmidt
Possible the date compare with the different timezones is off somehow?

- 

Maybe dev CAS and dev ADFS are same timezone and only prod is different?

On Wed, Oct 31, 2018 at 12:06 PM Toby Archer  wrote:

> So I've got a mysterious problem. This morning we were going to go live
> with our new cas 5 servers, but when I tried to login to them, through
> ADFS, my login got redirected five times and landed on an ADFS error page.
> The logs looked like this:
>
> 2018-10-31 11:47:57,680 INFO
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> > https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0=urn:cas:cas.usd.edu]>
>> 2018-10-31 11:48:08,947 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - > [2018-10-31T16:47:51.558Z] while allowed drift is
>> [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
>> 2018-10-31 11:48:08,948 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - > assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:08,948 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> > https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,253 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - > [2018-10-31T16:47:56.615Z] while allowed drift is
>> [2018-10-31T11:47:59.251-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,254 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - > assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,254 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> > https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,612 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - > [2018-10-31T16:47:57.017Z] while allowed drift is
>> [2018-10-31T11:47:59.610-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,612 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - > assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,613 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> > https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,846 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - > [2018-10-31T16:47:57.264Z] while allowed drift is
>> [2018-10-31T11:47:59.844-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,847 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - > assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,847 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> > https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:10,122 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - > [2018-10-31T16:47:57.532Z] while allowed drift is
>> [2018-10-31T11:48:00.121-05:00[America/Chicago]]>
>> 2018-10-31 11:48:10,123 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - > assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:10,124 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> > https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:10,373 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - > [2018-10-31T16:47:57.796Z] while allowed drift is
>> [2018-10-31T11:48:00.359-05:00[America/Chicago]]>
>> 2018-10-31 11:48:10,373 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - > assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:10,374 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> > https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0=urn:cas:cas.usd.edu]
>> and returning error>
>>
>
> I discussed it with the guy who manages our ADFS instance and he asked me
> if the dev cas server works. We have no dev instance of ADFS so both dev
> and production hit the same ADFS server. Dev worked just fine. Login, hit
> 
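One way to test the timezone hypothesis directly from the quoted log, as an added example (not part of the thread or of CAS): normalize both bracketed timestamps of each WARN entry to UTC and compare that gap with what a comparison ignoring the offsets would give. The sample lines are copied from the log above; the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Sample input: the timestamp pairs of the first two WARN entries quoted above,
# kept in their mail-quoted, line-wrapped form.
QUOTED_LOG = """\
>> - > [2018-10-31T16:47:51.558Z] while allowed drift is
>> [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
>> - > [2018-10-31T16:47:56.615Z] while allowed drift is
>> [2018-10-31T11:47:59.251-05:00[America/Chicago]]>
"""

STAMP = r"\d{4}-\d{2}-\d{2}T[\d:.]+(?:Z|[+-]\d{2}:\d{2})"
# A pair is "[first] while allowed drift is [second[Zone/Id]]"; the zone id is optional.
PAIR = re.compile(
    r"\[(" + STAMP + r")\]\s+while allowed drift is\s+\[(" + STAMP + r")(?:\[[^\]]*\])?\]"
)


def unquote(text):
    """Strip leading '>' reply markers and re-join the wrapped lines."""
    return " ".join(re.sub(r"^[>\s]+", "", line) for line in text.splitlines())


def parse_instant(stamp):
    """Parse an ISO-8601 timestamp carrying 'Z' or a numeric offset."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def compare(text, tz_window=60.0):
    """Return one row per timestamp pair found in the (possibly quoted) log text."""
    rows = []
    for first, second in PAIR.findall(unquote(text)):
        a, b = parse_instant(first), parse_instant(second)
        # Offset-aware difference: both values are treated as instants.
        aware = (b - a).total_seconds()
        # What a comparison that dropped the offsets (wall-clock fields only) would see.
        naive = (b.replace(tzinfo=None) - a.replace(tzinfo=None)).total_seconds()
        hours = round(aware / 3600)
        rows.append({
            "first_utc": a.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
            "second_utc": b.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
            "aware_delta_s": round(aware, 3),
            "naive_delta_s": round(naive, 3),
            # A gap close to a whole number of hours is the signature of an offset mix-up.
            "whole_hour_gap": hours != 0 and abs(aware - hours * 3600) <= tz_window,
        })
    return rows


if __name__ == "__main__":
    for row in compare(QUOTED_LOG):
        print(row)
```

On these entries the offset-aware gap is a few seconds, while a comparison that dropped the offsets would be off by about five hours.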

Re: [cas-user] CAS 5.3.x and Shibboleth entityId

2018-10-26 Thread Travis Schmidt
Now that I am in front of my computer, the property is this:

cas.authn.shibIdp.serverUrl=

On Fri, Oct 26, 2018 at 7:00 AM Travis Schmidt 
wrote:

> We do the same as well, looks like docs might need to be updated.  You
> should only need to add support-shibboleth to your build, but there is a
> property that needs to be set that is your shibboleth idp url.  You should
> see something in the logs on start up about it not being set.
>
> On Fri, Oct 26, 2018, 6:28 AM Tepe, Dirk  wrote:
>
>> We have a Shibboleth 3.3.x server which authenticates via our CAS
>> 5.3.x server. I am interested in using the service provider's entity ID to
>> apply configuration within CAS rather than applying configuration to the
>> Shibboleth service as a whole. This appears to be possible based on:
>>
>>
>> https://apereo.github.io/cas/5.3.x/integration/Shibboleth.html#relying-party-entityid
>>
>> and
>>
>>
>> https://apereo.github.io/cas/5.3.x/installation/Configuring-Multifactor-Authentication-Triggers.html#entity-id-request-parameter
>>
>> I have built our war with the required cas-server-support-shibboleth
>> dependency and am testing using a login request with both service and
>> entityId parameters. However, CAS still uses the service configuration
>> which matches our Shibboleth service rather than the relying party given by
>> the entity ID.
>>
>> I made sure that the service I created for the relying party's entityId
>> has a lower evaluationOrder value than the definition which matches the
>> Shibboleth service, so I would expect the entityId value to take
>> precedence. When I use the entityId value as the service, CAS matches the
>> correct relying party service configuration, which indicates that the match
>> should happen and entityId isn't being considered.
>>
>> The documentation does not describe any additional configuration or
>> changes in the service configurations that are required to use entityId
>> when it's provided in the request. Has anyone been able to make this work
>> or have any suggestions what I'm missing?
>>
>> -dirk
>>


Re: [cas-user] CAS 5.3.x and Shibboleth entityId

2018-10-26 Thread Travis Schmidt
We do the same as well, looks like docs might need to be updated.  You
should only need to add support-shibboleth to your build, but there is a
property that needs to be set that is your shibboleth idp url.  You should
see something in the logs on start up about it not being set.

On Fri, Oct 26, 2018, 6:28 AM Tepe, Dirk  wrote:

> We have a Shibboleth 3.3.x server which authenticates via our CAS
> 5.3.x server. I am interested in using the service provider's entity ID to
> apply configuration within CAS rather than applying configuration to the
> Shibboleth service as a whole. This appears to be possible based on:
>
>
> https://apereo.github.io/cas/5.3.x/integration/Shibboleth.html#relying-party-entityid
>
> and
>
>
> https://apereo.github.io/cas/5.3.x/installation/Configuring-Multifactor-Authentication-Triggers.html#entity-id-request-parameter
>
> I have built our war with the required cas-server-support-shibboleth
> dependency and am testing using a login request with both service and
> entityId parameters. However, CAS still uses the service configuration
> which matches our Shibboleth service rather than the relying party given by
> the entity ID.
>
> I made sure that the service I created for the relying party's entityId
> has a lower evaluationOrder value than the definition which matches the
> Shibboleth service, so I would expect the entityId value to take
> precedence. When I use the entityId value as the service, CAS matches the
> correct relying party service configuration, which indicates that the match
> should happen and entityId isn't being considered.
>
> The documentation does not describe any additional configuration or
> changes in the service configurations that are required to use entityId
> when it's provided in the request. Has anyone been able to make this work
> or have any suggestions what I'm missing?
>
> -dirk
>


[cas-user] CAS Management v5.3.4 Release

2018-10-09 Thread Travis Schmidt
CAS Management v5.3.4 has been released:
https://github.com/apereo/cas-management/releases/tag/v5.3.4

Travis



Re: [cas-user] CAS 5.3.3 overlay, How do I override "base href" in manage.html

2018-10-09 Thread Travis Schmidt
Hmm, not sure about overriding from an overlay.  If you build from source
there is a gradle property that you can set to make the base href whatever
you need it to be.  If you front the app server with apache or something
else you should be able to change the redirect to look like it is serving from
root.  That is what we do currently.

Travis

On Tue, Oct 9, 2018 at 7:29 AM Yan Zhou  wrote:

> Hello,
>
> I need to run cas5.3.3 management app on a context root, different from
> the default cas-management.
>
> I think I need to have a local manage.html in my cas 5.3.3 management app
> overlay, but I do not know where do I place it.  It seems to have a
> different building process.
>
> Suggestions?
>
> Thx!
>


Re: [cas-user] CAS 5.3.3 management failed to save edits

2018-10-08 Thread Travis Schmidt
Try this against 5.3.4-SNAPSHOT

On Mon, Oct 8, 2018 at 1:20 PM Travis Schmidt 
wrote:

> Not sure about the problem with creating the repository on Windows.  Never
> tried to run on a windows machine, so maybe someone else can help with
> that.
>
> As for not being able to save, that is a bug that you have uncovered. If
> you switch back to only use JPA, you should be able to make edits in any
> other field besides Service Name.  This will get fixed in the next release
> for sure and you may be able to use a -SNAPSHOT instance before then.
>
> Travis
>
> On Mon, Oct 8, 2018 at 12:43 PM Yan Zhou  wrote:
>
>> Hello,
>>
>> CAS 5.3.3 management app is loading service registry in database. That
>> works correctly. But when edit and save, got error.
>>
>> this is my management.properties.
>>
>> mgmt.enableVersionControl=false
>> mgmt.enableDiscoveryEndpointCall=false
>> cas.serviceRegistry.initFromJson=false
>> cas.serviceRegistry.jpa...
>>
>> I do not understand why the app. is trying to access directory, when my
>> service registry is in database and I have version control set to false?
>>
>>
>> 2018-10-08 15:28:56,436 DEBUG
>> [org.apereo.cas.mgmt.authentication.CasUserProfileFactory] - > user profile [#CasUserProfile# | id: testuser1 | attributes:
>> {credentialType=UsernamePasswordCredential, isFromNewLogin=true,
>> authenticationDate=2018-10-08T15:28:35.293-04:00[America/New_York],
>> authenticationMethod=questAuthHandler,
>> successfulAuthenticationHandlers=questAuthHandler,
>> longTermAuthenticationRequestTokenUsed=false} | roles: [ROLE_ADMIN] |
>> permissions: [] | isRemembered: false | clientName: CasClient | linkedId:
>> null |]>
>> 2018-10-08 15:28:56,436 DEBUG
>> [org.apereo.cas.mgmt.services.web.factory.RepositoryFactory] - > [#CasUserProfile# | id: testuser1 | attributes:
>> {credentialType=UsernamePasswordCredential, isFromNewLogin=true,
>> authenticationDate=2018-10-08T15:28:35.293-04:00[America/New_York],
>> authenticationMethod=questAuthHandler,
>> successfulAuthenticationHandlers=questAuthHandler,
>> longTermAuthenticationRequestTokenUsed=false} | roles: [ROLE_ADMIN] |
>> permissions: [] | isRemembered: false | clientName: CasClient | linkedId:
>> null |] is not an administrator. Loading objects from master repository>
>> 2018-10-08 15:28:56,438 DEBUG [org.apereo.cas.mgmt.GitUtil] -
>> > with strict path checking [on]>
>> 2018-10-08 15:28:59,109 DEBUG [org.apereo.cas.mgmt.GitUtil] - > to move [ssv-1.json] to [ssv2-1.json]>
>> 2018-10-08 15:28:59,109 DEBUG [org.apereo.cas.mgmt.GitUtil] - > [\etc\cas\services-repo\ssv-1.json] to [\etc\cas\services-repo\ssv2-1.json]>
>> 2018-10-08 15:28:59,111 ERROR
>> [org.apereo.cas.mgmt.services.web.AbstractManagementController] -
>> <\etc\cas\services-repo\ssv-1.json>
>> java.nio.file.NoSuchFileException: \etc\cas\services-repo\ssv-1.json
>>
>>
>> Anyway, I tried defining serviceRepo like below, but it fails as well.
>>  I am on windows.
>>
>>
>> mgmt.servicesRepo=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/services
>>
>> why does it say Repository not found?
>>
>> 018-10-08 15:41:27,658 DEBUG
>> [org.apereo.cas.mgmt.authentication.CasUserProfileFactory] - > user profile [#CasUserProfile# | id: testuser1 | attributes:
>> {credentialType=UsernamePasswordCredential, isFromNewLogin=true,
>> authenticationDate=2018-10-08T15:41:19.484-04:00[America/New_York],
>> authenticationMethod=questAuthHandler,
>> successfulAuthenticationHandlers=questAuthHandler,
>> longTermAuthenticationRequestTokenUsed=false} | roles: [ROLE_ADMIN] |
>> permissions: [] | isRemembered: false | clientName: CasClient | linkedId:
>> null |]>
>> 2018-10-08 15:41:27,658 DEBUG
>> [org.apereo.cas.mgmt.services.web.factory.RepositoryFactory] - > [#CasUserProfile# | id: testuser1 | attributes:
>> {credentialType=UsernamePasswordCredential, isFromNewLogin=true,
>> authenticationDate=2018-10-08T15:41:19.484-04:00[America/New_York],
>> authenticationMethod=questAuthHandler,
>> successfulAuthenticationHandlers=questAuthHandler,
>> longTermAuthenticationRequestTokenUsed=false} | roles: [ROLE_ADMIN] |
>> permissions: [] | isRemembered: false | clientName: CasClient | linkedId:
>> null |] is not an administrator. Loading objects from master repository>
>> 2018-10-08 15:41:27,658 DEBUG [org.apereo.cas.mgmt.GitUtil] - > git repository directory at
>> [c:\gitworkspace\quest-cas5\cas5-server\etc\cas\services\.git]>
>> 2018-10-08 15:41:27,660 DEBUG [org.apereo.cas.mgmt

Re: [cas-user] CAS 5.3.3 management failed to save edits

2018-10-08 Thread Travis Schmidt
Not sure about the problem with creating the repository on Windows.  Never
tried to run on a windows machine, so maybe someone else can help with
that.

As for not being able to save, that is a bug that you have uncovered. If
you switch back to only use JPA, you should be able to make edits in any
other field besides Service Name.  This will get fixed in the next release
for sure and you may be able to use a -SNAPSHOT instance before then.

Travis

On Mon, Oct 8, 2018 at 12:43 PM Yan Zhou  wrote:

> Hello,
>
> CAS 5.3.3 management app is loading service registry in database. That
> works correctly. But when edit and save, got error.
>
> this is my management.properties.
>
> mgmt.enableVersionControl=false
> mgmt.enableDiscoveryEndpointCall=false
> cas.serviceRegistry.initFromJson=false
> cas.serviceRegistry.jpa...
>
> I do not understand why the app. is trying to access directory, when my
> service registry is in database and I have version control set to false?
>
>
> 2018-10-08 15:28:56,436 DEBUG
> [org.apereo.cas.mgmt.authentication.CasUserProfileFactory] -  user profile [#CasUserProfile# | id: testuser1 | attributes:
> {credentialType=UsernamePasswordCredential, isFromNewLogin=true,
> authenticationDate=2018-10-08T15:28:35.293-04:00[America/New_York],
> authenticationMethod=questAuthHandler,
> successfulAuthenticationHandlers=questAuthHandler,
> longTermAuthenticationRequestTokenUsed=false} | roles: [ROLE_ADMIN] |
> permissions: [] | isRemembered: false | clientName: CasClient | linkedId:
> null |]>
> 2018-10-08 15:28:56,436 DEBUG
> [org.apereo.cas.mgmt.services.web.factory.RepositoryFactory] -  [#CasUserProfile# | id: testuser1 | attributes:
> {credentialType=UsernamePasswordCredential, isFromNewLogin=true,
> authenticationDate=2018-10-08T15:28:35.293-04:00[America/New_York],
> authenticationMethod=questAuthHandler,
> successfulAuthenticationHandlers=questAuthHandler,
> longTermAuthenticationRequestTokenUsed=false} | roles: [ROLE_ADMIN] |
> permissions: [] | isRemembered: false | clientName: CasClient | linkedId:
> null |] is not an administrator. Loading objects from master repository>
> 2018-10-08 15:28:56,438 DEBUG [org.apereo.cas.mgmt.GitUtil] -
>  with strict path checking [on]>
> 2018-10-08 15:28:59,109 DEBUG [org.apereo.cas.mgmt.GitUtil] -  to move [ssv-1.json] to [ssv2-1.json]>
> 2018-10-08 15:28:59,109 DEBUG [org.apereo.cas.mgmt.GitUtil] -  [\etc\cas\services-repo\ssv-1.json] to [\etc\cas\services-repo\ssv2-1.json]>
> 2018-10-08 15:28:59,111 ERROR
> [org.apereo.cas.mgmt.services.web.AbstractManagementController] -
> <\etc\cas\services-repo\ssv-1.json>
> java.nio.file.NoSuchFileException: \etc\cas\services-repo\ssv-1.json
>
>
> Anyway, I tried defining serviceRepo like below, but it fails as well.   I
> am on windows.
>
>
> mgmt.servicesRepo=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/services
>
> why does it say Repository not found?
>
> 018-10-08 15:41:27,658 DEBUG
> [org.apereo.cas.mgmt.authentication.CasUserProfileFactory] -  user profile [#CasUserProfile# | id: testuser1 | attributes:
> {credentialType=UsernamePasswordCredential, isFromNewLogin=true,
> authenticationDate=2018-10-08T15:41:19.484-04:00[America/New_York],
> authenticationMethod=questAuthHandler,
> successfulAuthenticationHandlers=questAuthHandler,
> longTermAuthenticationRequestTokenUsed=false} | roles: [ROLE_ADMIN] |
> permissions: [] | isRemembered: false | clientName: CasClient | linkedId:
> null |]>
> 2018-10-08 15:41:27,658 DEBUG
> [org.apereo.cas.mgmt.services.web.factory.RepositoryFactory] -  [#CasUserProfile# | id: testuser1 | attributes:
> {credentialType=UsernamePasswordCredential, isFromNewLogin=true,
> authenticationDate=2018-10-08T15:41:19.484-04:00[America/New_York],
> authenticationMethod=questAuthHandler,
> successfulAuthenticationHandlers=questAuthHandler,
> longTermAuthenticationRequestTokenUsed=false} | roles: [ROLE_ADMIN] |
> permissions: [] | isRemembered: false | clientName: CasClient | linkedId:
> null |] is not an administrator. Loading objects from master repository>
> 2018-10-08 15:41:27,658 DEBUG [org.apereo.cas.mgmt.GitUtil] -  git repository directory at
> [c:\gitworkspace\quest-cas5\cas5-server\etc\cas\services\.git]>
> 2018-10-08 15:41:27,660 DEBUG [org.apereo.cas.mgmt.GitUtil] -
>  [c:\gitworkspace\quest-cas5\cas5-server\etc\cas\services\.git] with strict
> path checking [on]>
> 2018-10-08 15:41:30,199 ERROR [org.apereo.cas.mgmt.GitUtil] -  repository not found/initialized at
> [C:\gitworkspace\quest-cas5\cas5-server\etc\cas\services\.git]>
> 2018-10-08 15:41:30,200 ERROR
> [org.apereo.cas.mgmt.services.web.AbstractManagementController] -
>  c:\gitworkspace\quest-cas5\cas5-server\etc\cas\services\.git>
> java.lang.RuntimeException: repository not found:
> c:\gitworkspace\quest-cas5\cas5-server\etc\cas\services\.git
> at org.apereo.cas.mgmt.GitUtil.initializeGitRepository(GitUtil.java:1225)
> ~[cas-management-webapp-support-5.3.3.jar:5.3.3]
> at 

Re: [cas-user] cas-management ldap upgrade to 5.3.3 problems

2018-10-05 Thread Travis Schmidt
An oversight on my part.  A 5.3.4-SNAPSHOT of the CAS Management should be
available later today with this jar restored.  Full release will be coming
soon.

Travis

On Fri, Oct 5, 2018 at 3:44 AM Ian Wright  wrote:

> Hi,
>
> I'm trying to upgrade from 5.2 to 5.3 and I get an exception about missing
> CasManagementLdapAuthorizationConfiguration.class
>
> I can see that it's in cas-management-webapp-support-ldap-5.2.3.jar but
> not cas-management-webapp-support-ldap-5.3.3.jar
>
> As an aside I think the properties need to change from cas.mgmt.xxx to
> mgmt.xxx but I've done that
>
> Any ideas?
>
> Thanks
>
> P.S. I find the lack of upgrade guides extremely frustrating!
>


[cas-user] CAS Management 5.3.3 Release Announcement - Apereo Webinar 10/3 12ET/9PT

2018-10-02 Thread Travis Schmidt
CAS Management 5.3.3 is now released:
https://github.com/apereo/cas-management/releases/tag/v5.3.3

Features:
  - Property to not attempt to call CAS discovery(makes it possible to run
in same AS as CAS server)
  - Source and Diff views now use dialog windows to avoid app navigation
  - Improved view history options when using version control
  - Only show actual deployed options from discovery endpoint

In addition, the master branch at https://github.com/apereo/cas-management
has been updated to build against CAS 6.0 RC2, not available using overlay
just yet.

Also I will be moderating a webinar hosted by Apereo tomorrow 10/3 at
12:00ET/9:00PT all about the CAS Management application.  You can find more
information on the webinar and how to join here:
https://www.apereo.org/content/2018-apereo-webinars

We will go over what has changed in CAS Management since 5.2.  Where things
are currently, with a demo of the 5.3.3 release, and possible future
enhancements.

Travis



Re: [cas-user] Re: How to enable MFA by service rather than globally

2018-09-22 Thread Travis Schmidt
Are you using latest 5.3.3 release or 5.3.4-SNAPSHOT?  If you put logs in
debug do you see an entry like this?

2018-09-22 11:22:10,821 DEBUG
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] -




On Sat, Sep 22, 2018 at 10:57 AM Dave B  wrote:

> In testing, I have found that without
> "cas.authn.mfa.globalProviderId=mfa-gauth" set in cas.properties, the only
> way I can activate the MFA gauth flow is to set triggers, like:
> cas.authn.mfa.globalPrincipalAttributeNameTriggers=something
> cas.authn.mfa.globalPrincipalAttributeValueRegex=something
>
> So, unless I have something misconfigured, I assume that the presence of
> multifactorPolicy with multifactorAuthenicationProviders specified in a
> service registry entry is not sufficient to "trigger" the MFA flow.  At
> least in my case.
>
>
>
> On Friday, September 21, 2018 at 2:56:53 PM UTC-4, Dave B wrote:
>>
>> Running latest CAS 5.3 and just implemented MFA.  My goal is to have MFA
>> disabled globally but able to be turned on based only on inclusion service
>> registry.
>>
>> However, I can not get MFA to work on any service unless
>> cas.authn.mfa.globalProviderId set to a value, in my case mfa-gauth.
>>
>> With the settings below, ALL services, regardless of inclusion of
>> "multifactorPolicy", require MFA.  My only option is to explicitly exclude
>> (bypass) all other services for which I don't want to require MFA.
>>
>> Is this intended behavior?
>>
>> Relevant config:
>> cas.properties:
>> cas.authn.mfa.globalProviderId=mfa-gauth
>> cas.authn.mfa.globalFailureMode=CLOSED
>>
>>
>>   "multifactorPolicy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>> "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [
>> "mfa-gauth" ] ],
>> "failureMode" : "CLOSED"
>>},
>>
>> Thanks for any help!
>> -Dave
>>
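A consistency check over the settings quoted in this thread, as an added example (not code from CAS or from any poster): it reports whether `cas.authn.mfa.globalProviderId` is set and flags keys in a service's `multifactorPolicy` block that are near misses of the expected key names. The two service definitions posted in the thread spell the providers key differently (`multifactorAuthenicationProviders` and `multifactorAuthenticationProviders`); the known-key list, the assembled sample inputs and all function names are assumptions made for the example.

```python
import difflib
import json
import re

# Assumption: key names as they appear in the service definitions quoted in the
# thread, using the spelling from the definition that is reported to work.
KNOWN_POLICY_KEYS = ("@class", "failureMode", "multifactorAuthenticationProviders")
GLOBAL_KEY = "cas.authn.mfa.globalProviderId"

# Constructed inputs, assembled from the fragments posted in the thread.
GAUTH_PROPS = """\
cas.authn.mfa.globalProviderId=mfa-gauth
cas.authn.mfa.globalFailureMode=CLOSED
"""
DUO_PROPS = """\
# Configure Duo authentication properties
cas.authn.mfa.globalFailureMode:   OPEN
cas.authn.mfa.duo[0].id:   mfa-duo
"""
GAUTH_SERVICE = """{ "multifactorPolicy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
  "failureMode" : "CLOSED" } }"""
DUO_SERVICE = """{ "multifactorPolicy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ] } }"""


def parse_properties(text):
    """Parse 'key=value' and 'key: value' lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props


def policy_providers(policy):
    """Read providers from the typed-collection form ["java.util.LinkedHashSet", [...]]."""
    raw = policy.get("multifactorAuthenticationProviders")
    if (isinstance(raw, list) and len(raw) == 2
            and isinstance(raw[0], str) and isinstance(raw[1], list)):
        return list(raw[1])
    return []


def lint_policy(policy):
    """Flag keys outside the known list and suggest the closest known spelling."""
    findings = []
    for key in policy:
        if key not in KNOWN_POLICY_KEYS:
            close = difflib.get_close_matches(key, KNOWN_POLICY_KEYS, n=1, cutoff=0.8)
            findings.append(("unknown-key", key, close[0] if close else None))
    return findings


def review(props_text, service_json):
    """Summarise what a reader honouring only the known key names would see."""
    props = parse_properties(props_text)
    policy = json.loads(service_json).get("multifactorPolicy") or {}
    providers = policy_providers(policy)
    if props.get(GLOBAL_KEY):
        scope = "global"      # a global provider id is configured
    elif providers:
        scope = "service"     # only the service definition names a provider
    else:
        scope = "none"        # no provider found under the expected key
    return {"scope": scope, "global_provider": props.get(GLOBAL_KEY),
            "providers": providers, "findings": lint_policy(policy)}


if __name__ == "__main__":
    print(review(GAUTH_PROPS, GAUTH_SERVICE))
    print(review("", GAUTH_SERVICE))
    print(review(DUO_PROPS, DUO_SERVICE))
```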


Re: [cas-user] Re: How to enable MFA by service rather than globally

2018-09-21 Thread Travis Schmidt
Just to cover all the bases, you have verified that CAS is validating
against the service you set the MFA for and is not getting hit by some
other service entry that matches the service you are trying to log into?

On Fri, Sep 21, 2018 at 12:58 PM Dave B  wrote:

> Thank you both for the replies!
>
> It makes sense that "cas.authn.mfa.globalProviderId=mfa-gauth" is the
> problem, only if I comment it out, then I can't seem to get the service
> registry entry I pasted earlier to force MFA, though debug logs show some
> stuff about mfa-gauth in the DefaultAuthenticationEventExecutionPlan which
> indicates to me it's at least... considered(?), but nothing telling.
>
> I have no other cas.authn.mfa configuration directives in cas.properties
> at this point except for
> cas.authn.mfa.gauth.label
> cas.authn.mfa.gauth.issuer
>
> I wonder if it's possible I'm hitting some kind of default bypass
> condition? Any other ideas?
>
> Thanks again,
> Dave
>
>
>
> On Friday, September 21, 2018 at 3:40:10 PM UTC-4, David Curry wrote:
>>
>> I think the problem is this line:
>>
>> cas.authn.mfa.globalProviderId=mfa-gauth
>>
>>
>> According to the documentation, that enables MFA for all services,
>> regardless of any other settings. Since you don't want that, you should
>> probably turn it off.
>>
>> We have basically the same settings that Matt just posted here, and like
>> his setup, it only does MFA on the few services where we've explicitly told
>> it to.
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>> [image: The New School]
>>
>>
>> On Fri, Sep 21, 2018 at 3:37 PM Matthew Uribe  wrote:
>>
>>> Hi Dave,
>>>
>>> I'm still on CAS 5.2, so perhaps things have changed, but I'm doing
>>> exactly what you describe with Duo.
>>>
>>> In my cas.properties:
>>>
>>> #Configure Duo authentication properties
>>> cas.authn.mfa.globalFailureMode:   OPEN
>>> # Aims Two-Factor
>>> cas.authn.mfa.duo[0].duoApiHost:   such.and.such
>>> cas.authn.mfa.duo[0].duoIntegrationKey:D...A5
>>> cas.authn.mfa.duo[0].duoSecretKey: N.E5
>>> cas.authn.mfa.duo[0].trustedDeviceEnabled: false
>>> cas.authn.mfa.duo[0].duoApplicationKey:01234567890
>>> cas.authn.mfa.duo[0].id:   mfa-duo
>>>
>>>
>>> Then in service registry:
>>>
>>>   "multifactorPolicy" : {
>>> "@class" :
>>> "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>> "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet",
>>> [ "mfa-duo" ] ]
>>>   }
>>>
>>>
>>> Services which don't include a multifactorPolicy don't require MFA.
>>>
>>> Matt
>>>
>>>
>>> On Friday, September 21, 2018 at 12:56:53 PM UTC-6, Dave B wrote:

>>>> Running latest CAS 5.3 and just implemented MFA.  My goal is to have
>>>> MFA disabled globally but able to be turned on based only on inclusion
>>>> service registry.
>>>>
>>>> However, I can not get MFA to work on any service unless
>>>> cas.authn.mfa.globalProviderId set to a value, in my case mfa-gauth.
>>>>
>>>> With the settings below, ALL services, regardless of inclusion of
>>>> "multifactorPolicy", require MFA.  My only option is to explicitly exclude
>>>> (bypass) all other services for which I don't want to require MFA.
>>>>
>>>> Is this intended behavior?
>>>>
>>>> Relevant config:
>>>> cas.properties:
>>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>>
>>>>
>>>>   "multifactorPolicy" : {
>>>> "@class" :
>>>> "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>> "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet",
>>>> [ "mfa-gauth" ] ],
>>>> "failureMode" : "CLOSED"
>>>>},
>>>>
>>>> Thanks for any help!
>>>> -Dave

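The per-service versus global MFA behaviour discussed in this thread, as an added example that is not part of any poster's message or of CAS itself: a small Python audit that reads `cas.properties` text and service-registry entries and reports which MFA providers apply to each service. It assumes, as stated in the replies above, that `cas.authn.mfa.globalProviderId` forces MFA for every service; the set of recognised policy keys is taken only from the entries posted on this page, and the function names, service names and sample data are constructed (service entries are given as strict JSON).

```python
import json
import re

# Policy keys that appear in the service entries posted on this page.
# Assumption: this is not a complete CAS schema; extend it for your version.
KNOWN_POLICY_KEYS = {
    "@class",
    "multifactorAuthenticationProviders",
    "failureMode",
    "principalAttributeNameTrigger",
    "principalAttributeValueToMatch",
    "bypassEnabled",
}

_PROP_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Parse Java-style properties; 'key=value' and 'key: value' both work."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line or comment
        match = _PROP_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def unwrap_collection(value):
    """Turn ["java.util.LinkedHashSet", [items]] into [items]."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        return list(value[1])
    return list(value) if isinstance(value, list) else []


def audit(properties_text, services):
    """Return (report, findings).

    report maps service name -> sorted provider ids that will be required.
    findings lists settings that change or silently drop the intended policy.
    """
    props = parse_properties(properties_text)
    global_id = props.get("cas.authn.mfa.globalProviderId", "")
    findings = []
    if global_id:
        findings.append(
            f"cas.authn.mfa.globalProviderId={global_id}: MFA applies to every service"
        )
    report = {}
    for svc in services:
        name = svc.get("name", "<unnamed>")
        policy = svc.get("multifactorPolicy")
        providers = set()
        if isinstance(policy, dict):
            for key in policy:
                if key not in KNOWN_POLICY_KEYS:
                    findings.append(f"{name}: unrecognised multifactorPolicy key '{key}'")
            providers.update(
                unwrap_collection(policy.get("multifactorAuthenticationProviders"))
            )
            if not providers:
                findings.append(f"{name}: multifactorPolicy present but names no provider")
        if global_id:
            providers.add(global_id)
        report[name] = sorted(providers)
    return report, findings


# Constructed sample input, modelled on the settings quoted in the thread.
SAMPLE_PROPERTIES = """\
# global provider deliberately commented out
#cas.authn.mfa.globalProviderId=mfa-gauth
cas.authn.mfa.globalFailureMode=CLOSED
"""

POLICY_CLASS = "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
SAMPLE_SERVICES = [
    json.loads(text) for text in (
        '{"name": "wiki", "multifactorPolicy": {"@class": "%s",'
        ' "multifactorAuthenticationProviders":'
        ' ["java.util.LinkedHashSet", ["mfa-gauth"]],'
        ' "failureMode": "CLOSED"}}' % POLICY_CLASS,
        # Misspelled provider-list key: the policy block names no provider.
        '{"name": "portal", "multifactorPolicy": {"@class": "%s",'
        ' "multifactorAuthenicationProviders":'
        ' ["java.util.LinkedHashSet", ["mfa-gauth"]]}}' % POLICY_CLASS,
        '{"name": "intranet"}',
    )
]

if __name__ == "__main__":
    report, findings = audit(SAMPLE_PROPERTIES, SAMPLE_SERVICES)
    for service, providers in report.items():
        print(f"{service}: {providers or 'no MFA'}")
    for finding in findings:
        print("WARNING:", finding)
```
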

Re: [cas-user] cas 5.3.3 management webapp overlay issue

2018-09-13 Thread Travis Schmidt
A CAS Management 5.3.3-SNAPSHOT should be available soon in the snapshot
repo.  Change your pom.xml/gradle.build to use this snapshot for CAS
Management and 5.3.3 for CAS server modules.

Will get a release out next week. With options to run on the same server in
the config.

On Thu, Sep 13, 2018 at 6:21 AM Yan Zhou  wrote:

> OK, good to know.
>
> Is it possible to allow CAS and CAS management App deployed on the same
> host, without the order of which one starts first?  I can do that with
> CAS4, that makes our deployment a lot simpler, without such dependencies.
> Can we turn off discovery mode in CAS 5.3 management to allow that?
>
> In addition, did something change from 5.3.1 to 5.3.3?  I am using CAS
> 5.3.3, and Management App for 5.3.1 (because there is not one for 5.3.3)
>
> I am using JPA service registry on CAS and CAS management.
>
> Got this error when starting management app. on a separate tomcat, that is
> probably because the JPA service registry in Management App is still 5.3.1
> based, but the CAS schema already moved to 5.3.3?
>
> SQLSyntaxErrorException: ORA-00904: "ABSTRACTRE0_"."SUBJECTTYPE": invalid
> identifier
>
>
> Thx!
> Yan
>
>
> On Wednesday, September 12, 2018 at 4:23:05 PM UTC-4, Travis Schmidt wrote:
>
>> What I meant to go on and say is that the management app tries to call
>> the discovery endpoint on the configured cas server when trying to
>> startup.  If you are running both the server and the management app on the
>> same server, I think it is stalling cause it can't reach the CAS server,
>> because it is not up yet.  Looks like I have neglected to put an option in
>> to not try and call the cas server during startup.  Maybe try starting the
>> app server with only CAS server, then add the management war to the started
>> service.
>>
>> Hoping to give management app some attention next week.
>>
>> On Wed, Sep 12, 2018 at 1:00 PM Travis Schmidt 
>> wrote:
>>
>>> Looks like you have configured your CAS server and the management app to
>>> run on the same host and the same port.
>>>
>>> On Wed, Sep 12, 2018, 12:52 PM Yan Zhou  wrote:
>>>
>>>> Hello,
>>>>
>>>> I am running CAS 5.3.3, but latest management web app is 5.3.1.
>>>>
>>>> My management web app will not start up. It just hangs there.  What did
>>>> I miss?
>>>>
>>>> Here is the log file.
>>>>
>>>> 2018-09-12 15:48:11,936 INFO
>>>> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
>>>> - >>> t-cas5\cas5-server\etc\cas\config] are
>>>> [[C:\gitworkspace\quest-cas5\cas5-server\etc\cas\config\application.yml,
>>>> C:\gitworkspace\quest-cas5\cas5-server\etc\cas\c
>>>> onfig\management.properties]] under profile(s) [[standalone]]>
>>>> 2018-09-12 15:48:12,245 INFO
>>>> [org.apereo.cas.mgmt.web.CasManagementWebApplicationServletInitializer] -
>>>> 
>>>> 2018-09-12 15:48:18,924 DEBUG
>>>> [org.apereo.cas.config.CasCoreUtilSerializationConfiguration] -
>>>> >>> nConfiguration]>
>>>> 2018-09-12 15:48:20,795 DEBUG
>>>> [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] -
>>>> >>> ng at [http://localhost:8080]>
>>>> 2018-09-12 15:48:20,843 DEBUG
>>>> [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] -
>>>> >>> ; no pattern is defined>
>>>>
>>>> --- nothing else ---
>>>>
>>>> Following is my externalized management.properties. My services are
>>>> defined in a local directory.
>>>>
>>>> cas.server.name=http://localhost:8080
>>>> cas.server.prefix=${cas.server.name}/cas5
>>>>
>>>> #
>>>> # is this how I tell Management App where the services are defined at?
>>>> #
>>>>
>>>> mgmt.servicesRepo=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/services
>>>>
>>>> mgmt.adminRoles[0]=ROLE_ADMIN
>>>>
>>>> mgmt.userPropertiesFile=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-users.properties
>>>>
>>>> mgmt.serverName=http://localhost:8080
>>>>
>>>> server.context-path=/cas5manage
>>>> server.port=8080
>>>>
>>>>
>>>> logging.config=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-log4j2.xml
>>>>

Re: [cas-user] cas 5.3.3 management webapp overlay issue

2018-09-12 Thread Travis Schmidt
What I meant to go on and say is that the management app tries to call the
discovery endpoint on the configured cas server when trying to startup.  If
you are running both the server and the management app on the same server,
I think it is stalling cause it can't reach the CAS server, because it is
not up yet.  Looks like I have neglected to put an option in to not try and
call the cas server during startup.  Maybe try starting the app server with
only CAS server, then add the management war to the started service.

Hoping to give management app some attention next week.

On Wed, Sep 12, 2018 at 1:00 PM Travis Schmidt 
wrote:

> Looks like you have configured your CAS server and the management app to
> run on the same host and the same port.
>
> On Wed, Sep 12, 2018, 12:52 PM Yan Zhou  wrote:
>
>> Hello,
>>
>> I am running CAS 5.3.3, but latest management web app is 5.3.1.
>>
>> My management web app will not start up. It just hangs there.  What did I
>> miss?
>>
>> Here is the log file.
>>
>> 2018-09-12 15:48:11,936 INFO
>> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
>> - > t-cas5\cas5-server\etc\cas\config] are
>> [[C:\gitworkspace\quest-cas5\cas5-server\etc\cas\config\application.yml,
>> C:\gitworkspace\quest-cas5\cas5-server\etc\cas\c
>> onfig\management.properties]] under profile(s) [[standalone]]>
>> 2018-09-12 15:48:12,245 INFO
>> [org.apereo.cas.mgmt.web.CasManagementWebApplicationServletInitializer] -
>> 
>> 2018-09-12 15:48:18,924 DEBUG
>> [org.apereo.cas.config.CasCoreUtilSerializationConfiguration] -
>> > nConfiguration]>
>> 2018-09-12 15:48:20,795 DEBUG
>> [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] -
>> > ng at [http://localhost:8080]>
>> 2018-09-12 15:48:20,843 DEBUG
>> [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] -
>> > ; no pattern is defined>
>>
>> --- nothing else ---
>>
>> Following is my externalized management.properties. My services are
>> defined in a local directory.
>>
>> cas.server.name=http://localhost:8080
>> cas.server.prefix=${cas.server.name}/cas5
>>
>> #
>> # is this how I tell Management App where the services are defined at?
>> #
>>
>> mgmt.servicesRepo=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/services
>>
>> mgmt.adminRoles[0]=ROLE_ADMIN
>>
>> mgmt.userPropertiesFile=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-users.properties
>>
>> mgmt.serverName=http://localhost:8080
>>
>> server.context-path=/cas5manage
>> server.port=8080
>>
>>
>> logging.config=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-log4j2.xml
>>


Re: [cas-user] cas 5.3.3 management webapp overlay issue

2018-09-12 Thread Travis Schmidt
Looks like you have configured your CAS server and the management app to
run on the same host and the same port.

On Wed, Sep 12, 2018, 12:52 PM Yan Zhou  wrote:

> Hello,
>
> I am running CAS 5.3.3, but latest management web app is 5.3.1.
>
> My management web app will not start up. It just hangs there.  What did I
> miss?
>
> Here is the log file.
>
> 2018-09-12 15:48:11,936 INFO
> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
> -  t-cas5\cas5-server\etc\cas\config] are
> [[C:\gitworkspace\quest-cas5\cas5-server\etc\cas\config\application.yml,
> C:\gitworkspace\quest-cas5\cas5-server\etc\cas\c
> onfig\management.properties]] under profile(s) [[standalone]]>
> 2018-09-12 15:48:12,245 INFO
> [org.apereo.cas.mgmt.web.CasManagementWebApplicationServletInitializer] -
> 
> 2018-09-12 15:48:18,924 DEBUG
> [org.apereo.cas.config.CasCoreUtilSerializationConfiguration] -
>  nConfiguration]>
> 2018-09-12 15:48:20,795 DEBUG
> [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] -
>  ng at [http://localhost:8080]>
> 2018-09-12 15:48:20,843 DEBUG
> [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] -
>  ; no pattern is defined>
>
> --- nothing else ---
>
> Following is my externalized management.properties. My services are
> defined in a local directory.
>
> cas.server.name=http://localhost:8080
> cas.server.prefix=${cas.server.name}/cas5
>
> #
> # is this how I tell Management App where the services are defined at?
> #
>
> mgmt.servicesRepo=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/services
>
> mgmt.adminRoles[0]=ROLE_ADMIN
>
> mgmt.userPropertiesFile=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-users.properties
>
> mgmt.serverName=http://localhost:8080
>
> server.context-path=/cas5manage
> server.port=8080
>
>
> logging.config=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-log4j2.xml
>


Re: [cas-user] disabling MFA, MFA failure modes

2018-09-10 Thread Travis Schmidt
PR (https://github.com/apereo/cas/pull/3509) has been submitted to correct
this.

On Mon, Sep 10, 2018 at 8:03 AM Travis Schmidt 
wrote:

> This is an issue where if you indicate bypass from a script, the
> authentication is not correctly marked as being bypassed and the context
> validator then rejects.  Also be aware that currently if you choose GROOVY
> or REST for bypass providers, this overrides all rules in DEFAULT.  Meaning
> if you mark a service as "Bypass Enabled" in your service registry, the
> bypass will not be honored, unless you write your script to check that
> flag.
>
>
> On Mon, Sep 10, 2018 at 7:15 AM Tepe, Dirk  wrote:
>
>> I'm literally dealing with the same error and decision of trigger vs
>> bypass right now. We were triggering all users for Duo, then deciding in
>> the groovy script which to bypass. This works fine when simply judging by
>> the prompt for Duo or not, but we also got the INVALID_AUTHENTICATION_CONTEXT
>> when the service validates the ticket. The logs indicate the validation was
>> successful which seems to lead to a problem building the validation
>> response.
>>
>> I am in the process of moving our logic to the trigger groovy script,
>> which appears to provide the desired behavior. I'm not clear on the
>> intended use case of "trigger" vs "bypass" or what the ramification of this
>> move will be, however.
>>
>> -dirk
>>
>> On Mon, Sep 10, 2018 at 9:55 AM 'jhawkesworth' via CAS Community <
>> cas-user@apereo.org> wrote:
>>
>>> Thanks for this thread.
>>>
>>> I think perhaps having a groovy script which determines whether or not
>>> to bypass DUO might be the way forward?
>>>
>>> In theory you can just change the groovy script (on each CAS node) if
>>> DUO is degraded and subsequent requests would then take notice of new
>>> bypass policy.
>>>
>>> That said, I'm not able to get duo bypass fully working using with a
>>> groovy script.  The /login works, correctly identifying if duo is needed
>>> depending on our selection criteria, but /servicevalidate still fails with
>>>
>>> INVALID_AUTHENTICATION_CONTEXT
>>>
>>>
>>> Just to be clear I am running against latest snapshot 5.3.4-SNAPSHOT, so
>>> should have  https://github.com/apereo/cas/pull/3493 included but I'm
>>> still getting the INVALID_AUTHENTICATION_CONTEXT failure for all users (not
>>> just those who should/shouldn't be required to 2FA) as soon as I configure
>>> duo for a service.
>>>
>>> Can anyone share how they have got bypass working with DUO?
>>>
>>> This comment
>>> https://github.com/apereo/cas/pull/3493#discussion_r213138134
>>>
>>> - "There is no bypassProvider created currently unless one is
>>>   defined in cas.properties" seems to hint that something needs explicit
>>>   configuration in cas.properties.
>>>
>>>
>>> I am just setting the following (along with the duo keys):
>>>
>>> cas.authn.mfa.duo[0].id=mfa-duo
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>>
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfa-bypass.groovy
>>>
>>> Am I missing something?
>>>
>>> Debugging into AbstractServiceValidateController it appears there's no
>>> bypassEvaluator for duo (see below), so this is presumably why cas thinks
>>> it needs to get duo to do something in order to validate the ST.
>>>
>>> duoMultifactorAuthenticationProvider=AbstractMultifactorAuthenticationProvider(bypassEvaluator=null,
>>> globalFailureMode=null, id=mfa-duo, order=0)
>>>
>>> Somewhat related, I'm wondering if I should instead be using 'trigger'
>>> instead of 'bypass' - are they simply semantic default-not-to-try /
>>> default-is-to-try or is there something more subtle going on? In my case
>>> some users won't even be registered with DUO
>>>
>>> Any help greatly appreciated.
>>>
>>> All the best,
>>>
>>> Jon
>>>
>>>
>>>
>>> On Saturday, September 8, 2018 at 4:37:08 AM UTC+1, baron wrote:
>>>>
>>>> A closer review of the cas properties documentation suggests that
>>>> setting cas.authn.mfa.globalFailureMode=NONE wouldn't have the desired
>>>> effect after all. It doesn't disable MFA, just assumes the MFA provider is
>>>> available. So I should back up and reformulate my question:
>>>>

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-10 Thread Travis Schmidt
This is an issue where if you indicate bypass from a script, the
authentication is not correctly marked as being bypassed and the context
validator then rejects.  Also be aware that currently if you choose GROOVY
or REST for bypass providers, this overrides all rules in DEFAULT.  Meaning
if you mark a service as "Bypass Enabled" in your service registry, the
bypass will not be honored, unless you write your script to check that
flag.


On Mon, Sep 10, 2018 at 7:15 AM Tepe, Dirk  wrote:

> I'm literally dealing with the same error and decision of trigger vs
> bypass right now. We were triggering all users for Duo, then deciding in
> the groovy script which to bypass. This works fine when simply judging by
> the prompt for Duo or not, but we also got the INVALID_AUTHENTICATION_CONTEXT
> when the service validates the ticket. The logs indicate the validation was
> successful which seems to lead to a problem building the validation
> response.
>
> I am in the process of moving our logic to the trigger groovy script,
> which appears to provide the desired behavior. I'm not clear on the
> intended use case of "trigger" vs "bypass" or what the ramification of this
> move will be, however.
>
> -dirk
>
> On Mon, Sep 10, 2018 at 9:55 AM 'jhawkesworth' via CAS Community <
> cas-user@apereo.org> wrote:
>
>> Thanks for this thread.
>>
>> I think perhaps having a groovy script which determines whether or not to
>> bypass DUO might be the way forward?
>>
>> In theory you can just change the groovy script (on each CAS node) if DUO
>> is degraded and subsequent requests would then take notice of new bypass
>> policy.
>>
>> That said, I'm not able to get duo bypass fully working using with a
>> groovy script.  The /login works, correctly identifying if duo is needed
>> depending on our selection criteria, but /servicevalidate still fails with
>>
>> INVALID_AUTHENTICATION_CONTEXT
>>
>>
>> Just to be clear I am running against latest snapshot 5.3.4-SNAPSHOT, so
>> should have  https://github.com/apereo/cas/pull/3493 included but I'm
>> still getting the INVALID_AUTHENTICATION_CONTEXT failure for all users (not
>> just those who should/shouldn't be required to 2FA) as soon as I configure
>> duo for a service.
>>
>> Can anyone share how they have got bypass working with DUO?
>>
>> This comment
>> https://github.com/apereo/cas/pull/3493#discussion_r213138134
>>
>> - "There is no bypassProvider created currently unless one is defined
>>   in cas.properties" seems to hint that something needs explicit
>>   configuration in cas.properties.
>>
>>
>> I am just setting the following (along with the duo keys):
>>
>> cas.authn.mfa.duo[0].id=mfa-duo
>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>
>> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfa-bypass.groovy
>>
>> Am I missing something?
>>
>> Debugging into AbstractServiceValidateController it appears there's no
>> bypassEvaluator for duo (see below), so this is presumably why cas thinks
>> it needs to get duo to do something in order to validate the ST.
>>
>> duoMultifactorAuthenticationProvider=AbstractMultifactorAuthenticationProvider(bypassEvaluator=null,
>> globalFailureMode=null, id=mfa-duo, order=0)
>>
>> Somewhat related, I'm wondering if I should instead be using 'trigger'
>> instead of 'bypass' - are they simply semantic default-not-to-try /
>> default-is-to-try or is there something more subtle going on? In my case
>> some users won't even be registered with DUO
>>
>> Any help greatly appreciated.
>>
>> All the best,
>>
>> Jon
>>
>>
>>
>> On Saturday, September 8, 2018 at 4:37:08 AM UTC+1, baron wrote:
>>>
>>> A closer review of the cas properties documentation suggests that
>>> setting cas.authn.mfa.globalFailureMode=NONE wouldn't have the desired
>>> effect after all. It doesn't disable MFA, just assumes the MFA provider is
>>> available. So I should back up and reformulate my question:
>>>
>>> Is there a way to configure CAS to disable MFA globally, ideally via the
>>> cas.properties file in a way that will override anything that may be set in
>>> an individual service registration? I suppose you could take the dependency
>>> out of the overlay and rebuild CAS, but that seems like overkill (and would
>>> that approach cause it to choke on MFA references already present in the
>>> cas.properties or services registrations?).
>>>
>>> On Tue, Sep 04, 2018 at 05:59:58PM -1000, Baron Fujimoto wrote:
>>> >Yes, we're essentially relying on the Duo integration to determine
>>> whether the user needs MFA and we're hitting Duo with every AuthN. Our CAS
>>> isn't currently set configured up to check a group for Duo-enabled
>>> membership. Thus our desire to simply disable MFA altogether (by executive
>>> decision) in dire circumstances.
>>> >
>>> >On Tue, Sep 04, 2018 at 03:39:14PM -0500, Richard Frovarp wrote:
>>> >>Yeah, but how do they opt in? You're basically relying on the Duo
>>> integration
>>> >>to come back and say that the user needs to MFA? 

Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-09-07 Thread Travis Schmidt
The first entry is what is used as the name for the auth context.  You most
likely authed against the second Duo, but it will just return the
first one.  I also think that the two are treated equally in an sso
situation.  So one fills MFA requirement for the other and vice versa.

On Fri, Sep 7, 2018 at 12:41 PM Brian Gibson <
gibson_br...@wheatoncollege.edu> wrote:

> Thanks Travis,
>
> Moving to a newer version of CAS 5 is not an option for us now. Our Duo
> rep said that he has customers doing what I asked but before I bug him for
> help I was hoping someone on this list had this scenario working in a 5.1
> environment?
>
>
>
>
>
> On 9/7/2018 2:48 PM, Travis Schmidt wrote:
>
> This PR https://github.com/apereo/cas/pull/3498, against 5.3.x addresses
> this issue.
>
>
> On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson <
> gibson_br...@wheatoncollege.edu> wrote:
>
>> Hi all,
>>
>> We have Duo working in our test CAS 5.1.2 environment. Now we'd like to
>> point different CAS-protected services at different Duo Protected
>> Applications so we can set different group policies for each. I created 2
>> CAS applications inside Duo's admin portal, I called them
>>
>> "CAS ID=mfa-duo"
>> "CAS ID=mfa-duo2"
>>
>> I then edited my cas.properties file and created a second set of Duo
>> settings, here is what it looks like with the important data scrubbed out
>>
>> cas.authn.mfa.duo[0].duoSecretKey=**
>> cas.authn.mfa.duo[0].duoApplicationKey=*<40 character random string>*
>> cas.authn.mfa.duo[0].duoIntegrationKey=*> ID=mfa-duo>*
>> cas.authn.mfa.duo[0].duoApiHost=**
>> cas.authn.mfa.duo[0].id=*mfa-duo*
>> cas.authn.mfa.duo[0].name=Duo_Profile1
>>
>> cas.authn.mfa.duo[1].duoSecretKey=**
>> cas.authn.mfa.duo[1].duoApplicationKey=*> string>*
>> cas.authn.mfa.duo[1].duoIntegrationKey=*> ID=mfa-duo2>*
>> cas.authn.mfa.duo[1].duoApiHost=**
>> cas.authn.mfa.duo[1].id=*mfa-duo2*
>> cas.authn.mfa.duo[1].name=Duo_Profile2
>>
>>
>> I then edited the .json files for 2 services and added these sections for
>> multifactor authentication, note the duo ID I am referencing differently in
>> each...
>>
>> === Service 1
>>   multifactorPolicy:
>>   {
>> @class:
>> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>> multifactorAuthenticationProviders:
>> [
>>   java.util.HashSet
>>   [
>> *mfa-duo*
>>   ]
>> ]
>> failureMode: CLOSED
>> principalAttributeNameTrigger: memberOf
>> principalAttributeValueToMatch: **
>> bypassEnabled: false
>>   }
>> ===
>> === Service 2
>>   multifactorPolicy:
>>   {
>> @class:
>> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>> multifactorAuthenticationProviders:
>> [
>>   java.util.HashSet
>>   [
>> *mfa-duo2*
>>   ]
>> ]
>> failureMode: CLOSED
>> principalAttributeNameTrigger: memberOf
>> principalAttributeValueToMatch: **
>> bypassEnabled: false
>>   }
>> ===
>>
>> When I log into both services I do get prompted to do 2 factor auth but
>> when I authenticate on my phone app they both list the protected app named
>>
>> *"CAS ID=mfa-duo"*
>>
>> How do you get different CAS-protected services to point to different CAS
>> instances in Duo (and therefore different group policies)?
>>
>> Thanks!

Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-09-07 Thread Travis Schmidt
This PR https://github.com/apereo/cas/pull/3498, against 5.3.x addresses
this issue.


On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson <
gibson_br...@wheatoncollege.edu> wrote:

> Hi all,
>
> We have Duo working in our test CAS 5.1.2 environment. Now we'd like to
> point different CAS-protected services at different Duo Protected
> Applications so we can set different group policies for each. I created 2
> CAS applications inside Duo's admin portal, I called them
>
> "CAS ID=mfa-duo"
> "CAS ID=mfa-duo2"
>
> I then edited my cas.properties file and created a second set of Duo
> settings, here is what it looks like with the important data scrubbed out
>
> cas.authn.mfa.duo[0].duoSecretKey=**
> cas.authn.mfa.duo[0].duoApplicationKey=*<40 character random string>*
> cas.authn.mfa.duo[0].duoIntegrationKey=* ID=mfa-duo>*
> cas.authn.mfa.duo[0].duoApiHost=**
> cas.authn.mfa.duo[0].id=*mfa-duo*
> cas.authn.mfa.duo[0].name=Duo_Profile1
>
> cas.authn.mfa.duo[1].duoSecretKey=**
> cas.authn.mfa.duo[1].duoApplicationKey=* string>*
> cas.authn.mfa.duo[1].duoIntegrationKey=* ID=mfa-duo2>*
> cas.authn.mfa.duo[1].duoApiHost=**
> cas.authn.mfa.duo[1].id=*mfa-duo2*
> cas.authn.mfa.duo[1].name=Duo_Profile2
>
>
> I then edited the .json files for 2 services and added these sections for
> multifactor authentication, note the duo ID I am referencing differently in
> each...
>
> === Service 1
>   multifactorPolicy:
>   {
> @class:
> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
> multifactorAuthenticationProviders:
> [
>   java.util.HashSet
>   [
> *mfa-duo*
>   ]
> ]
> failureMode: CLOSED
> principalAttributeNameTrigger: memberOf
> principalAttributeValueToMatch: **
> bypassEnabled: false
>   }
> ===
> === Service 2
>   multifactorPolicy:
>   {
> @class:
> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
> multifactorAuthenticationProviders:
> [
>   java.util.HashSet
>   [
> *mfa-duo2*
>   ]
> ]
> failureMode: CLOSED
> principalAttributeNameTrigger: memberOf
> principalAttributeValueToMatch: **
> bypassEnabled: false
>   }
> ===
>
> When I log into both services I do get prompted to do 2 factor auth but
> when I authenticate on my phone app they both list the protected app named
>
> *"CAS ID=mfa-duo"*
>
> How do you get different CAS-protected services to point to different CAS
> instances in Duo (and therefore different group policies)?
>
> Thanks!
>


Re: [cas-user] Re: disabling MFA, MFA failure modes

2018-09-06 Thread Travis Schmidt
This PR (https://github.com/apereo/cas/pull/3493) was merged into 5.3.x branch,
and I think has been ported into some 5.2.x versions to try and address
some of these issues.

On Thu, Sep 6, 2018 at 9:20 AM Andrew Marker  wrote:

> I like the idea of a configurable timeout for mfa globally or mfa
> provider-service level.  The other ideas related to being able to disable
> it quickly or set discrete failure modes for populations and at the service
> level (which I think we can do already?) are really nice features/value
> adds.
>
> *Having the request marked as a failure if it takes too long will allow
> the existing process/contingency to kick in. This, in my opinion is
> critical.*
>
>  We never hit fail-open in the last DUO event we had because the duo
> service never hung up.  The contingency that is in place never
> materialized:  CAS 5.2.6 and CAS 5.2.7 are the versions in use when our two
> DUO failures occurred btw.
>
> On Friday, August 31, 2018 at 11:01:37 PM UTC-5, baron wrote:
>
>> We're considering contingencies to MFA failures in light of recent
>> service problems with Duo.
>>
>> We're currently still using CAS 5.0.x. I'm assuming the property of
>> interest for us here is cas.authn.mfa.globalFailureMode. The documentation
>> doesn't really make this clear, but specifically what MFA is/isn't
>> "communicated to the client if provider" is unavailable for PHANTOM/OPEN
>> modes? How do these differ from NONE?
>>
>> <https://apereo.github.io/cas/5.0.x/installation/Configuring-Multifactor-Authentication.html#fail-open-vs-fail-closed>
>>
>>
>> We also have MFA enabled for each registered service with the following:
>>
>>   "multifactorPolicy" : {
>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>     "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
>>     "failureMode" : "OPEN"
>>   }
>>
>> It appears, however, that setting cas.authn.mfa.globalFailureMode=NONE in
>> cas.properties is not sufficient to disable/bypass MFA. I am still prompted
>> for it. Should globalFailureMode in cas.properties take precedence over
>> failureMode in the service registration, or vice versa? Or is this not the
>> right way to achieve this goal?
>>
>> We are thinking that OPEN may not be desired in the rare cases where Duo
>> may be technically available (how does CAS determine Duo's availability?),
>> but the service has degraded unacceptably.
>>
>> --
>> Baron Fujimoto  :: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum


Re: [cas-user] Re: OAuth cannot validate service ticket?

2018-09-05 Thread Travis Schmidt
If you are running CAS servers in a cluster I think it is required to
use some shared session mechanism between the nodes for the current OAuth
implementation.  This is due to the pac4j reliance on server side session
store.  This might cause your issue.

On Wed, Sep 5, 2018, 1:23 PM Baron Fujimoto  wrote:

> Here are the debug logs for the client's attempt. I've just redacted some
> of the potentially sensitive local info and hazelcast related entries.
>
> 2018-09-05 09:11:23,754 DEBUG
> [org.apereo.cas.support.oauth.DefaultOAuthCasClientRedirectActionBuilder] -
>  http://cas.example.edu/cas/login?service=http%3A%2F%2Fcas.example.edu%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DOAuth_test%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8080%2Flogin%2Fcas
> >
> 2018-09-05 09:11:23,787 DEBUG
> [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] -
> 
> 2018-09-05 09:11:23,788 DEBUG
> [org.apereo.cas.web.support.DefaultArgumentExtractor] -  http://cas.example.edu/cas/oauth2.0/callbackAuthorize?client_name=CasOAuthClient_id=OAuth_test_uri=http://localhost:8080/login/cas
> based on
> org.apereo.cas.authentication.principal.WebApplicationServiceFactory@5f44f10e
> >
> 2018-09-05 09:11:23,789 DEBUG
> [org.apereo.cas.web.support.DefaultArgumentExtractor] -  generated service type
> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl
> for:
> http://cas.example.edu/cas/oauth2.0/callbackAuthorize?client_name=CasOAuthClient_id=OAuth_test_uri=http://localhost:8080/login/cas
> >
> 2018-09-05 09:11:23,789 DEBUG [org.apereo.cas.util.RegexUtils] -  ^http://.* is a valid regex.>
> 2018-09-05 09:11:23,790 DEBUG [org.apereo.cas.web.support.WebUtils] -
> 
> 2018-09-05 09:11:23,800 DEBUG
> [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] -
> 
> 2018-09-05 09:11:23,803 DEBUG
> [org.apereo.cas.web.support.DefaultArgumentExtractor] -  http://cas.example.edu/cas/oauth2.0/callbackAuthorize?client_name=CasOAuthClient_id=OAuth_test_uri=http://localhost:8080/login/cas
> based on
> org.apereo.cas.authentication.principal.WebApplicationServiceFactory@5f44f10e
> >
> 2018-09-05 09:11:23,804 DEBUG
> [org.apereo.cas.web.support.DefaultArgumentExtractor] -  generated service type
> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl
> for:
> http://cas.example.edu/cas/oauth2.0/callbackAuthorize?client_name=CasOAuthClient_id=OAuth_test_uri=http://localhost:8080/login/cas
> >
> 2018-09-05 09:11:24,676 DEBUG
> [org.apereo.cas.web.view.CasReloadableMessageBundle] -  found for [classpath:custom_messages_en] - neither plain properties nor XML>
> 2018-09-05 09:11:24,677 DEBUG
> [org.apereo.cas.web.view.CasReloadableMessageBundle] -  found for [classpath:custom_messages] - neither plain properties nor XML>
> 2018-09-05 09:11:24,678 DEBUG
> [org.apereo.cas.web.view.CasReloadableMessageBundle] -  found for [classpath:messages_en] - neither plain properties nor XML>
> 2018-09-05 09:11:24,679 DEBUG
> [org.apereo.cas.web.view.CasReloadableMessageBundle] -  properties for filename [classpath:messages] - file hasn't been modified>
> 2018-09-05 09:11:29,927 DEBUG
> [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] -
> 
> 2018-09-05 09:11:29,931 DEBUG
> [org.apereo.cas.web.support.DefaultArgumentExtractor] -  http://cas.example.edu/cas/oauth2.0/callbackAuthorize?client_name=CasOAuthClient_id=OAuth_test_uri=http://localhost:8080/login/cas
> based on
> org.apereo.cas.authentication.principal.WebApplicationServiceFactory@5f44f10e
> >
> 2018-09-05 09:11:29,931 DEBUG
> [org.apereo.cas.web.support.DefaultArgumentExtractor] -  generated service type
> org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl
> for:
> http://cas.example.edu/cas/oauth2.0/callbackAuthorize?client_name=CasOAuthClient_id=OAuth_test_uri=http://localhost:8080/login/cas
> >
> 2018-09-05 09:11:29,934 DEBUG
> [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy]
> - 
> 2018-09-05 09:11:29,934 DEBUG
> [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy]
> -  (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 is authorized to
> proceed>
> 2018-09-05 09:11:29,934 DEBUG
> [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy]
> -  proceed.>
> 2018-09-05 09:11:29,934 DEBUG [org.apereo.cas.web.support.WebUtils] -
> 
> 2018-09-05 09:11:29,939 DEBUG [org.apereo.cas.web.support.WebUtils] -
> 
> 2018-09-05 09:11:29,959 DEBUG
> [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver]
> -  [org.apereo.cas.adaptors.duo.authn.api.DuoApiAuthenticationHandler@7051b1f7,
> org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@70efdca7,
> org.apereo.cas.adaptors.duo.authn.web.DuoAuthenticationHandler@70253ce,
> org.apereo.cas.authentication.LdapAuthenticationHandler@2bf516da]>
> 2018-09-05 09:11:29,963 DEBUG
> 

Re: [cas-user] CAS5.3.x: Error getting flow information for URL

2018-05-18 Thread Travis Schmidt
Do you have the same webflow encryption keys set in each of the config
files on the different servers?  If the property is not present the server
generates its own on each server at start up, resulting in each server not
understanding the other.



On Fri, May 18, 2018 at 8:39 AM Ray Bon  wrote:

> Jay,
>
> Are there multiple CAS servers? Could this be a result of the load
> balancer switching between CAS servers for each request (load form, post
> form)?
> You may need to cluster your tomcats or set load balancer to be sticky.
>
> Ray
>
> On Thu, 2018-05-17 at 22:42 -0700, Jay wrote:
>
> Hi Ray,
>
>
> Yes, it does not allow the user to be validated and login successfully. It
> redirects back to login page only.
>
> Any suggestion to look into specifically.
>
> We see this issue when we hit the load balance url but not when we
> directly access the server url.
>
> Thanks,
> Jay
>
> On Thursday, May 17, 2018 at 11:46:17 AM UTC-5, rbon wrote:
>
> Jay,
>
> I seem to recall a message like this was produced because of a 'feature'
> to clear out the flow if it sat for too long. It would show up periodically
> and had no bearing on how long the user took to log in.
> Does it cause a problem?
>
> Ray
>
> On Thu, 2018-05-17 at 01:16 -0700, Jay wrote:
>
> Hello everyone,
>
> We have CAS application running in Tomcat in two different instances and
> load balanced by a F5 url.
> Any application is configured with the F5 url for login authentication and
> authorization.
>
> We have customized the url to *https:///las/v3/login* (Naming
> the war file as *las#v3.war* sets the context path here)
>
> When I use individual server instance login/logout works absolutely fine.
> (i.e. *:/las/v3/login* )
>
> We see below error after we give the user credential and click on login
> button.
>
> 2018-05-17 01:49:36,786 DEBUG
> [org.apereo.cas.web.FlowExecutionExceptionResolver] - <*Error getting
> flow information for URL*
> [/las/v3/login?service=http%3A%2F%2Flocalhost%3A3001%2Flogin%3Fdestination%3D%252Fconfiguration%252Faccounts%252F34864%252FproductLines%252FPrismPostPD%252Ftemplates%252F311]>
> [m
> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException:
> Error decoding flow execution
> at
> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:99)
> ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
> at
> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
> ~[spring-webflow-2.4.7.RELEASE.jar:2.4.7.RELEASE]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[?:1.8.0_31]
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:1.8.0_31]
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.8.0_31]
> at java.lang.reflect.Method.invoke(Method.java:483) ~[?:1.8.0_31]
> at
> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
> ~[spring-core-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at
> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
> ~[spring-cloud-context-1.3.0.RELEASE.jar:1.3.0.RELEASE]
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
> ~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
> ~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at com.sun.proxy.$Proxy165.resumeExecution(Unknown Source) ~[?:?]
> at
> org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:253)
> ~[spring-webflow-2.4.7.RELEASE.jar:2.4.7.RELEASE]
> at
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
> ~[spring-webmvc-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
> ~[spring-webmvc-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at
> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
> ~[spring-webmvc-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at
> org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
> ~[spring-webmvc-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
> ~[servlet-api.jar:?]
> at
> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
> ~[spring-webmvc-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
> ~[servlet-api.jar:?]
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
> ~[catalina.jar:8.0.29]
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> ~[catalina.jar:8.0.29]
> at 

Re: [cas-user] How to get SLO to work in CAS 5?

2018-04-09 Thread Travis Schmidt
If you log out directly on the SP, does it then log out of the IdP?
Sounds like maybe it could be setup for only local logout.  We use
Shibboleth and have this set in shibboleth2.xml to do both local and SAML
logout to the IdP.

 SAML2 Local

Travis

On Mon, Apr 9, 2018 at 8:19 AM paul li  wrote:

> Thanks Ray,
>
> Apologies, I went to finish other tasks first, now this logout is pretty
> much the only piece remaining.
> Below is the output of a logout action.  We currently have 3 SP modules
> deployed:
>
>1. calendar
>2. platformadmin
>3. user-api
>
> After the logout, all 3 modules are logged from their session, but the
> user is not logged from IDP.
>
>
>> 2018-04-09 10:48:46,469 DEBUG [org.apereo.cas.util.EncodingUtils] -
>> 
>> 2018-04-09 10:48:46,470 DEBUG
>> [org.apereo.cas.web.support.DefaultCasCookieValueManager] - > value is
>> [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43@127.0.0.1@Mozilla/5.0
>> (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
>> Chrome/65.0.3325.181 Safari/537.36]>
>> 2018-04-09 10:48:46,470 DEBUG
>> [org.apereo.cas.web.flow.TerminateSessionAction] - > linked to ticket-granting ticket
>> [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]>
>> 2018-04-09 10:48:46,470 DEBUG
>> [org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
>> > [org.apereo.cas.DefaultCentralAuthenticationService.destroyTicketGrantingTicket]:
>> PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
>> 2018-04-09 10:48:46,470 DEBUG
>> [org.apereo.cas.DefaultCentralAuthenticationService] - > [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]
>> from registry...>
>> 2018-04-09 10:48:46,470 DEBUG
>> [org.apereo.cas.DefaultCentralAuthenticationService] - > Processing logout requests and then deleting the ticket...>
>> 2018-04-09 10:48:46,471 INFO [org.apereo.cas.logout.DefaultLogoutManager]
>> - > [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]>
>> 2018-04-09 10:48:46,476 DEBUG
>> [org.apereo.cas.logout.DefaultLogoutManager] -* > callback for
>> [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=
>> ,principal=z...@crosscap.com
>> |crosscapdev,loggedOutAlready=false,format=XML]]>*
>> 2018-04-09 10:48:46,476 DEBUG
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>> > [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb
>> [id=
>> https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=
>> ,principal=z...@crosscap.com
>> |crosscapdev,loggedOutAlready=false,format=XML]]...>
>> 2018-04-09 10:48:46,477 DEBUG
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - > [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb
>> [id=
>> https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=
>> ,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]
>> supports single logout and is found in the registry as [id=1,name=HTTPS and
>> IMAPS,description=This service definition authorizes all application urls
>> that support HTTPS and IMAPS
>> protocols.,serviceId=^(http|https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d
>> ,theme=,evaluationOrder=1,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@6f4230be
>> [attributeFilter=,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@5c14927e
>> [],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@4b8d9d7f
>> [excludedAttributes=,includeOnlyAttributes=,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@4f985406
>> [enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=,caseInsensitive=false,rejectedAttributes={}],publicKey=,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@619ec8ca
>> 

Re: [cas-user] How to define SAML attribute name formats in management webapp?

2018-03-15 Thread Travis Schmidt
No need, a Pull Request has already been submitted:

https://github.com/apereo/cas/pull/3247

When it is merged you should be able to pull the snapshot to try out.
Sorry for the inconvenience.

Travis

On Thu, Mar 15, 2018 at 8:31 AM David Curry <david.cu...@newschool.edu>
wrote:

> :-(
>
> Not the answer I wanted to hear, but at least I know to stop looking. :-)
>
> Should I file a bug report, or does this thread suffice for you to add it
> to your list?
>
> Thanks,
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 <(212)%20229-5300> • david.cu...@newschool.edu
>
>
> On Thu, Mar 15, 2018 at 11:11 AM, Travis Schmidt <travis.schm...@gmail.com
> > wrote:
>
>> Sorry David,
>> No properties to set that, I think you just uncovered a bug.
>>
>> Travis
>>
>> On Thu, Mar 15, 2018 at 7:13 AM David Curry <david.cu...@newschool.edu>
>> wrote:
>>
>>>
>>> CAS 5.2.x. In the management webapp, on the SAML2 SP tab, there is a box
>>> at the bottom labeled "SAML Attribute Name Formats":
>>>
>>>
>>>
>>>
>>> If you click on the "+" it comes up with a blank to fill in an attribute
>>> name, and a drop-down menu to set the value. However, the drop-down menu is
>>> empty. I'm expecting it to include "basic", "uri," "unspecified," etc.
>>>
>>> I assume I need to configure something in the management.properties file
>>> like I had to configure the attribute names in the stub attribute
>>> repository, but I can't figure out what property(ies) I need to set.
>>>
>>> Anyone know?
>>>
>>> Thanks,
>>> --Dave
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 <(212)%20229-5300> • david.cu...@newschool.edu
>>>


Re: [cas-user] How to define SAML attribute name formats in management webapp?

2018-03-15 Thread Travis Schmidt
Sorry David,
No properties to set that, I think you just uncovered a bug.

Travis

On Thu, Mar 15, 2018 at 7:13 AM David Curry 
wrote:

>
> CAS 5.2.x. In the management webapp, on the SAML2 SP tab, there is a box
> at the bottom labeled "SAML Attribute Name Formats":
>
>
>
>
> If you click on the "+" it comes up with a blank to fill in an attribute
> name, and a drop-down menu to set the value. However, the drop-down menu is
> empty. I'm expecting it to include "basic", "uri," "unspecified," etc.
>
> I assume I need to configure something in the management.properties file
> like I had to configure the attribute names in the stub attribute
> repository, but I can't figure out what property(ies) I need to set.
>
> Anyone know?
>
> Thanks,
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> 
> +1 212 229-5300 x4728 <(212)%20229-5300> • david.cu...@newschool.edu
>


Re: [cas-user] Access Strategy not working???

2018-02-23 Thread Travis Schmidt
The property was changed in 5.2 to cas.serviceRegistry.json.location.  5.2
currently ignores unknown properties and falls back to default on this.  I
got bit by this on a deployment two weeks ago.  Also the property names for
webflow and tgc encryption were changed, so check those as well.



On Fri, Feb 23, 2018 at 7:35 AM Tim Tyler  wrote:

> CAS users,
>
>   Ok, I am on CAS 5.2 on Redhat 7.
>
>
>
> I have created a number of services stored in json files in
> /etc/cas/services.   But I don’t think any of them are getting read by CAS.
>   The CAS-Management creates them and puts them there.  But I am not sure
> CAS is reading them there.  My goal was to create a service for one of our
> Moodle development servers where only staff could access it, not students.
> I simply added an ldap attribute which contains the value of Staff.
> CAS-Management seems to create it properly.   But CAS ignores it.
>
>
>
> Instead I get the following results from the CAS Dashboard from the
> “Attribute Release” interface (see picture below):  The result is
> https|imap which I never created a service for.  I had to hunt for where
> this was coming from and found it in
> /usr/local/cas/target/cas/WEB-INF/classes/services/HTTPSandIMAPS-1001.json
>
>
>
> I tried removing it but it restored itself when I restarted the server.  I
> don’t understand what is going on here.  I have the following setting in
> cas:
>
> cas.serviceRegistry.config.location: file:/etc/cas/services
>
>
>
> So why is CAS finding json services from
> /usr/local/cas/target/cas/WEB-INF/classes/services instead of
> /etc/cas/services  {or at least the dashboard anyways}?   Shouldn’t the
> “cas.serviceRegistry.config.location: entry be pointing in to
> /etc/cas/services”???  I think I got this from the documentation.
>
>
>
> In case this helps, this is in the DevMoodle service registration json
> file:
>
> @class: org.apereo.cas.services.RegexRegisteredService
>
>   serviceId: https://devmoodle.beloit.edu.*
>
>   name: Dev Moodle
>
>   id: 1519398393836
>
> …..and much more
>
>
>
>
>
>
>
>
>
> Tim Tyler
>
> Network Engineer
>
> Beloit College
>
>
>
>
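
A pre-deployment check for two configuration pitfalls raised in this archive: the 5.2 rename of the service registry location property described in the reply above, and the point from the earlier webflow thread that every node must carry the same encryption keys. This is an added example, not code from the CAS project or from any poster; the `cas.webflow.crypto.*` and `cas.tgc.crypto.*` key names, the node names and the sample values are assumptions, so confirm the key names against the documentation for your CAS version.

```python
"""Lint the cas.properties files of a CAS cluster (added example)."""
import hashlib
import re

# Rename stated in the thread: from 5.2 the JSON service registry path is read
# from the new key, and the old key is silently ignored.
RENAMED_IN_5_2 = {
    "cas.serviceRegistry.config.location": "cas.serviceRegistry.json.location",
}

# ASSUMPTION: 5.2-style names of the secrets that must match on every node.
SHARED_SECRET_KEYS = (
    "cas.webflow.crypto.signing.key",
    "cas.webflow.crypto.encryption.key",
    "cas.tgc.crypto.signing.key",
    "cas.tgc.crypto.encryption.key",
)

# Key, then an optional '=' or ':' separator, then the value. Only the first
# separator counts, so a value such as "file:/etc/cas/services" stays intact.
_LINE = re.compile(r"([^\s=:]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Parse simple .properties text; line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def fingerprint(secret):
    """Short SHA-256 prefix, so keys can be compared without printing them."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def lint_cluster(configs):
    """configs maps node name -> properties text; returns sorted findings."""
    parsed = {node: parse_properties(text) for node, text in configs.items()}
    findings = []
    for node, props in parsed.items():
        for old, new in RENAMED_IN_5_2.items():
            if old in props and new not in props:
                findings.append((node, "renamed", f"{old} is ignored by 5.2; set {new}"))
    for key in SHARED_SECRET_KEYS:
        prints = {}
        for node, props in parsed.items():
            if props.get(key):
                prints[node] = fingerprint(props[key])
            else:
                # An unset key means this node does not share the cluster's secret.
                findings.append((node, "missing", f"{key} is not set on this node"))
        if len(set(prints.values())) > 1:
            detail = ", ".join(f"{n}={p}" for n, p in sorted(prints.items()))
            findings.append(("cluster", "mismatch", f"{key} differs: {detail}"))
    return sorted(findings)


# Constructed sample configs for two nodes; not taken from any real deployment.
SAMPLE = {
    "node1": """\
# node1 still uses the pre-5.2 registry key (colon separator, as in the post)
cas.serviceRegistry.config.location: file:/etc/cas/services
cas.webflow.crypto.signing.key=SIGN-AAAA
cas.webflow.crypto.encryption.key=ENC-AAAA
cas.tgc.crypto.signing.key=TGC-SIGN
cas.tgc.crypto.encryption.key=TGC-ENC
""",
    "node2": """\
cas.serviceRegistry.json.location=file:/etc/cas/services
cas.webflow.crypto.signing.key=SIGN-AAAA
cas.webflow.crypto.encryption.key=ENC-BBBB
cas.tgc.crypto.signing.key=TGC-SIGN
""",
}

if __name__ == "__main__":
    for node, kind, message in lint_cluster(SAMPLE):
        print(f"{node:8} {kind:9} {message}")
```

Feed it the real files with `lint_cluster({name: open(path).read() for name, path in nodes.items()})`; only fingerprints of the keys appear in the findings, never the key material.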



Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-21 Thread Travis Schmidt
I am helping a team with this exact issue right now.  Don't know anything
about the banner side of things, but I had to map the attribute they were
looking for to UDC_IDENTIFIER in the Service Registry for it to work.

On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe 
wrote:

> Hello Community,
>
> I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x
>
> We have been using the Luminis delivered CAS 3.5.2, but are interested in
> the features available in 5, such as SAML2 IdP, and MFA using Duo. I have
> deployed CAS 5.2.0, included cas-server-support-ldap and 
> cas-server-support-saml
> dependencies, and setup a service for one of our Banner 9 apps, but haven't
> been able to successfully access the application. I can access the CAS
> Dashboard, as well as the CAS-Management webapp, but the Banner apps are
> beyond me at this point. Right now, when I navigate to the Banner 9 app, I
> am redirected to the CAS login page. After logging in successfully, the
> browser gives me an error: "HTTP Status 403 - No assertions found".
>
> I figure the problem is either in my service registry, or that I maybe
> need to import the CAS certificate into a keystore somewhere on the Banner
> 9 server. Since I don't see anything related to a cert import in the Banner
> 9 install guides, I'm focused on the first of these two possibilities, but
> after 2 days of going in circles I've run out of ideas and would eagerly
> accept the advice of this community.
>
> Thank you,
> Matt
>


[cas-user] CAS Management App

2018-02-14 Thread Travis Schmidt
CAS Management 5.3.0 RC2 is released:
https://github.com/apereo/cas-management/releases/tag/v5.3.0-RC2

Thanks
Travis



Re: [cas-user] cas 5 management

2018-02-09 Thread Travis Schmidt
Here is a link to getting started with CAS Management with 5.2.x

https://apereo.github.io/cas/5.2.x/installation/Installing-ServicesMgmt-Webapp.html

As far as LDAP is concerned, it is mostly a preference.  The management app
will contact a CAS Server for authenticating a user in whichever way you
have it set up.  For the management app you usually only have a few people
authorized to use it, so users.json or static list is an acceptable way to
limit who can use it.  The management app can be configured to call back to
LDAP and query for the ROLE_* attributes on the authenticated user, but in
my opinion is a lot more work to make something dynamic that is mostly
static.



On Fri, Feb 9, 2018 at 7:13 AM Cheltenham, Chris <
ccheltenham-...@philasd.org> wrote:

> Hello,
>
> I have embarked on building cas-management via the overlay.
>
> I am assuming you build a totally separate war file with the ldap
> dependency if you use ldap.
>
> Is that correct?
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



Re: [cas-user] cas-management 5.x cas-management.log java.io.IOException: Permission denied

2018-02-07 Thread Travis Schmidt
Setting cas.log.dir in management.properties does not override System
properties.  At least not that I was able to figure out.  So passing
-Dcas.log.dir=/some/dir/ to your startup script should sub
${sys:cas.log.dir} correctly in your log4j2.xml.  I also think that setting
a default in the .xml file to be overridden by sys property is not
achievable.  If you just want to set the log dir in property file in the
xml, then just use ${cas.log.dir} and drop the sys: prefix.

More on this can be found here:

https://logging.apache.org/log4j/2.x/manual/configuration.html

Under the section Property Substitution


On Wed, Feb 7, 2018 at 10:08 AM Jeremiah Schilens  wrote:

> Hello,
>
> I'm working on the cas-management-overlay for 5.x and it doesn't seem to
> be honoring the settings in the log4j2-management.xml. In my
> management.properties I have:
>
> cas.log.dir=/u01/app/tomcat/logs/
> logging.config=file:///etc/cas/config/log4j2-management.xml
>
> and in the log4j2-management.xml file I have
> 
> 
> 
> 
> 
> /not/the/patht/logs/
> 
> info
> 
> 
> 
> 
> 
>  fileName="${sys:cas.log.dir}/cas-management.log" append="true"
>
>  filePattern="${sys:cas.log.dir}/cas-management-%d{-MM-dd-HH}-%i.log.gz">
> 
> 
> 
> 
> 
> 
> 
> 
>
> But when the management app starts up it prints
> localhost-startStop-1 ERROR Unable to create file cas-management.log
> java.io.IOException: Permission denied
> at java.io.UnixFileSystem.createFileExclusively(Native Method)
> at java.io.File.createNewFile(File.java:1012)
> at
> org.apache.logging.log4j.core.appender.rolling.RollingFileManager$RollingFileManagerFactory.createManager(RollingFileManager.java:628)
> at
> org.apache.logging.log4j.core.appender.rolling.RollingFileManager$RollingFileManagerFactory.createManager(RollingFileManager.java:608)
> at
> org.apache.logging.log4j.core.appender.AbstractManager.getManager(AbstractManager.java:113)
> at
> org.apache.logging.log4j.core.appender.OutputStreamManager.getManager(OutputStreamManager.java:115)
> at
> org.apache.logging.log4j.core.appender.rolling.RollingFileManager.getFileManager(RollingFileManager.java:188)
> ...
>
> Once the war deploys, if I look
> in  cas-management/WEB-INF/classes/log4j2.xml it has
> 
> 
> 
> 
> 
> 
> 
>  append="true"
>
>  filePattern="cas-management-%d{-MM-dd-HH}-%i.log.gz">
> 
> 
> 
> 
> 
> 
> 
> 
>
>
> If I look in the CAS app log4j.xml after deploy the file line is
>  
>
> Am I right in thinking this is a bug and the source for cas-management
> log4j.xml should be updated to have ${baseDir} added? Or am I missing
> something in my config?
>
> Thank you,
>
> Jeremiah
>


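A pre-deployment check for the failure discussed in this thread, as an added example (not code from the CAS project or from either poster): it expands `${sys:...}` and `${...}` references in a Log4j 2 configuration and flags every `fileName`/`filePattern` that ends up unresolved or relative. The check is deliberately strict, counting a `${sys:...}` reference as resolved only when the property is supplied as a JVM flag; the sample configuration, the flag values and all function names are constructed for illustration.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the two situations quoted in the thread:
# an appender that depends on -Dcas.log.dir and one with a bare file name.
SAMPLE_CONFIG = """
<Configuration>
  <Properties>
    <Property name="baseDir">/var/log/cas</Property>
  </Properties>
  <Appenders>
    <RollingFile name="file"
                 fileName="${sys:cas.log.dir}/cas-management.log"
                 filePattern="${sys:cas.log.dir}/cas-management-%d{yyyy-MM-dd-HH}-%i.log.gz"/>
    <RollingFile name="bundled"
                 fileName="cas-management.log"
                 filePattern="cas-management-%d{yyyy-MM-dd-HH}-%i.log.gz"/>
    <File name="audit" fileName="${baseDir}/audit.log"/>
  </Appenders>
</Configuration>
"""

# Matches ${...}; the %d{...} date pattern has no leading "$" and is skipped.
LOOKUP = re.compile(r"\$\{([^{}]+)\}")
PATH_ATTRS = ("fileName", "filePattern")


def resolve(value, sys_props, cfg_props):
    """Expand ${sys:key} from JVM flags and ${key} from <Properties>.

    A reference that cannot be expanded is left in place, so the report
    shows exactly which one is missing.
    """
    def expand(match):
        ref = match.group(1)
        if ref.startswith("sys:"):
            return sys_props.get(ref[4:], match.group(0))
        return cfg_props.get(ref, match.group(0))

    return LOOKUP.sub(expand, value)


def check_log_paths(config_xml, sys_props):
    """Return (appender, attribute, resolved_path, status) for each log path.

    status is "unresolved" (a lookup is still in the path), "relative"
    (the file lands in the servlet container's working directory) or "ok".
    """
    root = ET.fromstring(config_xml)
    cfg_props = {
        prop.get("name"): (prop.text or "").strip()
        for prop in root.findall("./Properties/Property")
    }
    findings = []
    for elem in root.iter():
        for attr in PATH_ATTRS:
            raw = elem.get(attr)
            if raw is None:
                continue
            resolved = posixpath.normpath(resolve(raw, sys_props, cfg_props))
            if "${" in resolved:
                status = "unresolved"
            elif not posixpath.isabs(resolved):
                status = "relative"
            else:
                status = "ok"
            findings.append((elem.get("name"), attr, resolved, status))
    return findings


if __name__ == "__main__":
    for label, flags in (
        ("no -D flag", {}),
        ("-Dcas.log.dir=/u01/app/tomcat/logs/", {"cas.log.dir": "/u01/app/tomcat/logs/"}),
    ):
        print(label)
        for finding in check_log_paths(SAMPLE_CONFIG, flags):
            print("  %-8s %-12s %-60s %s" % finding)
```

A "relative" result is the case that produces `Unable to create file cas-management.log` when the container's working directory is not writable by the service account.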

Re: [cas-user] Management webapp 5.3.0-RC1/RC2-SNAPSHOT hates my management.properties file?

2018-01-23 Thread Travis Schmidt
Hi David,
  Not exactly sure what is going on, but I have to confess that I have not
tried building the management app with the Maven overlay.

I can say for sure that to be compatible with the last release of the
management app that the cas.version needs to be 5.3.0-RC1, since that is
what it is built against.

Also I am not sure exactly what benefit the Maven overlay has for the
management-app and maybe that it is a discussion we need to have with
developers and the CAS community at large.

If you do:

git clone https://github.com/apereo/cas-management.git
cd cas-management
./gradlew build -x check -x javadoc

This will build a war under
cas-management/webapp-mgmt/cas-management-webapp/build/libs/ that can be
deployed.

Needless to say some time needs to be put into the documentation for the
management app.

Thanks
Travis



On Tue, Jan 23, 2018 at 10:11 AM David Curry 
wrote:

>
> I am building the management webapp with the current Maven WAR overlay,
> and  set to either 5.3.0-RC1 or 5.3.0-RC2-SNAPSHOT. In both
> cases, all of a sudden the webapp is unhappy with my
> *management.properties* file that has been working just fine with 5.1.x
> and 5.2.x. Specifically, I get:
>
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name 'casCoreWebConfiguration': Unsatisfied dependency
> expressed through field 'casProperties'; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not
> bind properties to CasConfigurationProperties (prefix=cas,
> ignoreInvalidFields=false, ignoreUnknownFields=false,
> ignoreNestedProperties=false); nested exception is
> org.springframework.beans.NotWritablePropertyException: Invalid property
> 'mgmt[adminRoles][0]' of bean class
> [org.apereo.cas.configuration.CasConfigurationProperties]: Cannot access
> indexed value in property referenced in indexed property path
> 'mgmt[adminRoles][0]'; nested exception is
> org.springframework.beans.NotReadablePropertyException: Invalid property
> 'mgmt[adminRoles][0]' of bean class
> [org.apereo.cas.configuration.CasConfigurationProperties]: Bean property
> 'mgmt[adminRoles][0]' is not readable or has an invalid getter method: Does
> the return type of the getter match the parameter type of the setter?
>
> and, if I delete "cas.mgmt.adminRoles[0]: ROLE_ADMIN" from the file, I
> get basically the same error on the next property:
>
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name 'casCoreWebConfiguration': Unsatisfied dependency
> expressed through field 'casProperties'; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not
> bind properties to CasConfigurationProperties (prefix=cas,
> ignoreInvalidFields=false, ignoreUnknownFields=false,
> ignoreNestedProperties=false); nested exception is
> org.springframework.beans.NotWritablePropertyException: Invalid property
> 'mgmt[userPropertiesFile]' of bean class
> [org.apereo.cas.configuration.CasConfigurationProperties]: Cannot access
> indexed value in property referenced in indexed property path
> 'mgmt[userPropertiesFile]'; nested exception is
> org.springframework.beans.NotReadablePropertyException: Invalid property
> 'mgmt[userPropertiesFile]' of bean class
> [org.apereo.cas.configuration.CasConfigurationProperties]: Bean property
> 'mgmt[userPropertiesFile]' is not readable or has an invalid getter method:
> Does the return type of the getter match the parameter type of the setter?
>
> It occurred to me that maybe the property name prefix ("cas.mgmt") might
> have changed when the webapp was spun off into its own GitHub repository,
> but unfortunately, when I try to check the documentation on this:
>
>
> https://apereo.github.io/cas-management/development/installation/Configuration-Properties.html
>
> it results in a 404 error (as does Configuration-Management.html).
>
> Is this a bug, or am I doing something wrong?
>
> Thanks,
> --Dave
>
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>

[cas-user] CAS Management v5.3.0-RC1 Released

2018-01-10 Thread Travis Schmidt
Version 5.3.0-RC1 of the CAS Management Application has been released.
This release is the beginning of many new features being added to the
application and the details can be found here:
https://github.com/apereo/cas-management/releases/tag/v5.3.0-RC1.

CAS Management has been moved into its own GitHub repository and project:
https://github.com/apereo/cas-management.  Any changes or PRs for the
management application that target CAS Server versions >=5.3.0 should be
done with this repository.

Please provide any feedback or issues to either the cas-...@aprero.org or
cas-user@apereo.org mailing lists.

Thanks
…



Re: [cas-user] Mgmt Webapp issues

2018-01-09 Thread Travis Schmidt
Arnold,
  Thanks for reporting these issues.  This PR
https://github.com/apereo/cas/pull/3129  contains the necessary
corrections.  When merged a new snapshot will be available soon with these
changes.

Thanks
Travis

On Tue, Jan 9, 2018 at 7:31 AM Bergner, Arnold <
arnold.berg...@hrz.tu-darmstadt.de> wrote:

> Hi,
>
> I’ve found a few issues with the mgmt webapp, version 5.2.2-SNAPSHOT,
> using the overlay.
>
> 1.   editing or creating a service, “Access Strategy” tab, “Required
> Attributes” is pre-filled with name = value = attribute name for all
> available attributes. Before saving, I have to delete all these lines, or
> service access is not possible. It would be better if these lines were not
> there.
>
> 2.   duplicating a service, there is no “save” button, and the
> “require all attributes” flag is checked (this was a bug when creating a
> new service, too)
>
> 3.   the footer line is cutting off part of the forms. for some tabs,
> this makes it impossible to edit certain fields. (using firefox)
>
> Unfortunately, I cannot get the build to work, so I’m posting these issues
> here, as others have.
>
> Arnold
>



Re: [cas-user] Re: Management Webapp 5.2 issue with attributes release

2017-12-21 Thread Travis Schmidt
Ludovic,

   Thanks for reporting the issue with the cas-management application.  It
seems that I incompletely refactored some code in the attribute-release
screens.  A fix for the issue has been submitted as a PR and can be viewed
here:

https://github.com/apereo/cas/pull/3108

Once this is merged into the 5.2.x branch you should be able to pull it in
using the latest 5.2.x snapshot release.

Thanks again,
Travis



On Thu, Dec 21, 2017 at 2:09 AM Ludovic Senecaux 
wrote:

> And I have a problem to release mapped attributes too.
>



Re: [cas-user] CAS Management - Loading

2017-12-08 Thread Travis Schmidt
I am assuming this is version 5.2?  Can you open developer tools or
javascript console and see what if any errors are logged?

On Fri, Dec 8, 2017 at 6:49 AM Jeffrey Ramsay 
wrote:

> My cas management screen only display "Loading..." while all other
> services are functioning.
>
> What can I do to resolve this? Anyone else experienced this.
>
> Thanks,
> -Jeff
>



Re: [cas-user] MFA with Duo in CAS 4.2.x

2016-11-14 Thread Travis Schmidt
We customized 4.2.x to use Duo.  Looking back it was probably more work
than benefit, but we thought we needed it for some reason before 5.0 would
be released.  If you truly need MFA make the move to 5.0.  Works out of the
box with only a small amount of configuration.

On Mon, Nov 14, 2016 at 7:29 AM Dmitriy Kopylenko 
wrote:

>
> but maybe 4.2 has native support for duo?
>
>
> No.
>
>



Re: [cas-user] CAS 5 RC4 snapshot Hazelcast warning

2016-10-18 Thread Travis Schmidt
This is caused by the HazelcastConfiguration.java calling a method that
.setEvictionPercentage(); when setting up the ticket map that has been
deprecated in version 3.7.1 that is now used.  Nothing you change
externally, the class needs to be modified to not call that method.



On Tue, Oct 18, 2016 at 7:52 AM Tom Mendenhall 
wrote:

>
> Not sure if I should be concerned about deprecated warnings but I thought
> I should mention it. Maybe it's my config but I don't see those settings
> listed. Have not enabled encryption (yet).
>
> WARN [com.hazelcast.config.MapConfig] -  `minEvictionCheckMillis` and `evictionPercentage` are deprecated due to the
> eviction mechanism change. New eviction mechanism uses a probabilistic
> algorithm based on sampling. Please see documentation for further details>
>
> cas.properties
>
> # hazelcast ticket cache replication
> cas.ticket.registry.hazelcast.pageSize=500
> cas.ticket.registry.hazelcast.mapName=tickets
> cas.ticket.registry.hazelcast.cluster.evictionPolicy=LRU
> cas.ticket.registry.hazelcast.cluster.maxNoHeartbeatSeconds=300
> cas.ticket.registry.hazelcast.cluster.multicastEnabled=false
> cas.ticket.registry.hazelcast.cluster.evictionPercentage=10
> cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
>
> cas.ticket.registry.hazelcast.cluster.members=192.168.118.7,192.168.118.8,192.168.118.9
> cas.ticket.registry.hazelcast.cluster.loggingType=slf4j
> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
> cas.ticket.registry.hazelcast.cluster.port=5701
> cas.ticket.registry.hazelcast.cluster.portAutoIncrement=true
> cas.ticket.registry.hazelcast.cluster.maxHeapSizePercentage=85
> cas.ticket.registry.hazelcast.cluster.backupCount=1
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=0
> cas.ticket.registry.hazelcast.cluster.maxSizePolicy=USED_HEAP_PERCENTAGE
> cas.ticket.registry.hazelcast.cluster.timeout=5
> # cas.ticket.registry.hazelcast.crypto.signing.key=
> # cas.ticket.registry.hazelcast.crypto.signing.keySize=512
> # cas.ticket.registry.hazelcast.crypto.encryption.key=
> # cas.ticket.registry.hazelcast.crypto.encryption.keySize=16
> # cas.ticket.registry.hazelcast.crypto.alg=AES
>
> log4j2.xml
> 
>
> Thanks,
> Tom
>



Re: [cas-user] Hazelcast ticket registry and status dashboard problems

2016-10-06 Thread Travis Schmidt
We have the same performance issues with the HazelcastTicketRegistry.
Problem as we see it is that all tickets are in a single map, and that map
is walked to find and sort out TGT, STs and expired versions of both.
 /ssosessions will bring down a server in our production environment for
same reasons.  We modified HazelcastTicketRegistry to use two maps, one for
TGTs and one for STs,(similar to what is coded in other implemented caches)
and then were able to make /status and /statistics run in constant time,
with the assumption that expired tickets are removed immediately, or counts
may be off by a few expired tickets.  /ssosessions is still death for us
though.

I am curious about the 1800 STs though.  Our count is always near zero,
because of one time usage count and 60s expiration.

Travis

On Thu, Oct 6, 2016 at 5:16 AM Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

> Hi all,
>
> when I use the hazelcast ticket registry and try to access the
> .../status dashboard, I get timeout errors, when there are too many
> granting/service tickets in the ticket cache.
>
> In my setup (5.0.0RC3 with two Apache Tomcat 8.5.5 servers using
> hazelcast ticket registry) the problem starts to show with 200 granting
> tickets (sessions) and 1800 service tickets.
>
> Regards,
>   Felix
>


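The registry change described in this message, sketched as an added example (not CAS or Hazelcast code): one map that is walked on every status request, next to separate TGT and ST maps whose sizes are read directly, including the caveat that tickets which have expired but are not yet evicted inflate the fast count. Plain dicts stand in for the distributed maps; the class names, ticket ids and lifetimes are constructed.

```python
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str      # "TGT-..." or "ST-..." (constructed ids)
    expires_at: float   # seconds on an arbitrary clock

    def expired(self, now):
        return now >= self.expires_at


class SingleMapRegistry:
    """All tickets in one map: every count is a full walk."""

    def __init__(self):
        self.tickets = {}
        self.entries_read = 0   # stands in for remote reads and deserialisation

    def add(self, ticket):
        self.tickets[ticket.ticket_id] = ticket

    def counts(self, now):
        tgts = sts = 0
        for ticket in self.tickets.values():
            self.entries_read += 1
            if ticket.expired(now):
                continue
            if ticket.ticket_id.startswith("TGT-"):
                tgts += 1
            else:
                sts += 1
        return tgts, sts


class TwoMapRegistry:
    """TGTs and STs in separate maps: a count is just two map sizes."""

    def __init__(self):
        self.tgts = {}
        self.sts = {}

    def add(self, ticket):
        target = self.tgts if ticket.ticket_id.startswith("TGT-") else self.sts
        target[ticket.ticket_id] = ticket

    def counts(self):
        # No entry is read, so nothing can be checked for expiry here.
        return len(self.tgts), len(self.sts)

    def evict_expired(self, now):
        """Eviction job, run outside the status request path."""
        removed = 0
        for ticket_map in (self.tgts, self.sts):
            for ticket_id in [k for k, t in ticket_map.items() if t.expired(now)]:
                del ticket_map[ticket_id]
                removed += 1
        return removed


def load_sample(registry):
    """200 TGTs (8 h lifetime) and 1800 STs (60 s lifetime), constructed."""
    for i in range(200):
        registry.add(Ticket(f"TGT-{i}", expires_at=28800))
    for i in range(1800):
        issued = 0 if i < 1790 else 90      # the last 10 STs are issued at t=90
        registry.add(Ticket(f"ST-{i}", expires_at=issued + 60))
    return registry


if __name__ == "__main__":
    now = 100
    single = load_sample(SingleMapRegistry())
    print("single map:", single.counts(now), "entries read:", single.entries_read)
    double = load_sample(TwoMapRegistry())
    print("two maps, before eviction:", double.counts())
    double.evict_expired(now)
    print("two maps, after eviction: ", double.counts())
```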

Re: [cas-user] Mod_auth_cas Logout Question

2016-08-18 Thread Travis Schmidt
I think what is happening is that CAS uses the proxy host to create the
logout url.  You can put logs in debug mode and then see the actual url
that is trying to call to logout.  CAS also needs the cert for the host it
will call in its truststore to be able to make the call for logout.  My
guess is that either the proxy is not set up to forward the logout end
point to the apache server, or CAS cannot establish trust with the proxy.

On Thu, Aug 18, 2016 at 9:17 AM David Abney <david.ab...@centre.edu> wrote:

> Travis,
>
> Below are the settings I used to try to get the mod_auth_cas logout to
> work, but I was still unsuccessful.  I guess it may have something to do
> with the fact that I am using a proxy server.
>
> Since I am using Ubuntu, my mod_auth_cas settings are in
> /etc/apache2/mods-enabled/auth_cas.conf and they look like this:
>
> CASCookiePath /var/cache/apache2/mod_auth_cas/
> CASLoginURL [my cas server login url]
> CASValidateURL [my cas server validate url]
> CASDebug On
> CASVersion 2
> #Only if using SAML
> #CASValidateSAML Off
> #CASAttributeDelimiter ;
> CASSSOEnabled On
> CASCertificatePath /etc/ssl/certs
>
> AuthType CAS
> CASAuthNHeader [my HTTP Header value]
> require valid-user
> CASScope /
>
> For my proxy server I have the logout type set to BACK_CHANNEL and my
> registered service looks like this:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "[my proxy server url]",
>   "name" : "CAS-PROXY",
>   "id" : 8,
>   "description" : "Allows connections from CAS Proxy",
>   "proxyPolicy" : {
>     "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>   },
>   "evaluationOrder" : 8,
>   "usernameAttributeProvider" : {
>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>   },
>   "logoutType" : "BACK_CHANNEL",
>   "attributeReleasePolicy" : {
>     "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "principalAttributesRepository" : {
>       "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
>     },
>     "authorizedToReleaseCredentialPassword" : false,
>     "authorizedToReleaseProxyGrantingTicket" : false
>   },
>   "accessStrategy" : {
>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   }
> }
>
> Thanks,
>
> *David Abney*
> ITS Web Developer/Programmer
>
> 600 West Walnut Street
> Danville, Kentucky 40422
> 859.238.5761
>
> www.centre.edu
>
> *From:* Travis Schmidt [mailto:travis.schm...@gmail.com]
> *Sent:* Thursday, August 18, 2016 11:18 AM
> *To:* David Abney <david.ab...@centre.edu>; cas-user@apereo.org
> *Subject:* Re: [cas-user] Mod_auth_cas Logout Question
>
> Make sure "CASSSOEnabled On" is set in httpd.conf.  If you are using a
> Service Registry in CAS, make sure the Logout Channel is enabled and set to
> BACK_CHANNEL.  This is working for me, but I don't have a proxy in the
> middle either.
>
> On Thu, Aug 18, 2016 at 7:20 AM David Abney <david.ab...@centre.edu>
> wrote:
>
> I am using mod_auth_cas v1.1 with a proxy server to login to our PaperCut
> system using CAS v4.2.  We can set a logout URL in PaperCut, which is set
> to the CAS server logout URL.  So, when I logout of PaperCut, it appears I
> am logged out of PaperCut and CAS, but if I go back to the proxy server
> then mod_auth_cas still logs me back into PaperCut without redirecting me
> to CAS to login again.
>
> Is there a way to logout of my session with mod_auth_cas or clear my
> mod_auth_cas cookie?
>
> Thanks,
>
> *David Abney*
> ITS Web Developer/Programmer
>
> 600 West Walnut Street
> Danville, Kentucky 40422
> 859.238.5761
>
> www.centre.edu
>

[cas-user] Landing Page using Gateway with mod_auth_cas

2016-07-12 Thread Travis Schmidt
I have been trying to come up with a way to configure a landing page for an
app that uses gateway to determine if the user is logged in or not with
Apache 2.4 and mod_auth_cas.  I thought at first just doing something like

<RequireAny>
    Require valid-user
    Require all granted
</RequireAny>

would do the trick, but the RequireAny is evaluated before authentication
is called which means mod_auth_cas is never executed in that case.  The
best I could come up with is something like this:


AuthType CAS
AuthName "Authentication via CAS"
CASScope /GatewayApp/
CASSecureCookie CAS_GATEWAY_S
CASGateway /GatewayApp/
Require valid-user

   require valid-user


   Require all granted



Anyone else have or know of a better way to do this?

Travis



Re: [cas-user] Protect Services Management Webapp with LDAP

2016-03-29 Thread Travis Schmidt
We would like to look up the authenticated user in LDAP to check they are
part of the ADMIN group, to key off of if they are authorized to access
the Services Management Webapp.  We assumed that is what the LDAP snippet
was doing that is in the guide.

Thanks
Travis

On Tue, Mar 29, 2016 at 11:11 AM Misagh Moayyed  wrote:

>
>
> Trying to replace the user-details.properties method of authentication by
> getting the user role from LDAP.  Trying to follow the instructions found
> here
>
>
> https://jasig.github.io/cas/4.2.x/installation/Installing-ServicesMgmt-Webapp.html
>
> This doesn't seem to be complete though.  I am assuming the reference to
> deployerConfigContext, is really meant to be managementConfigContext.
>
> Yes that looks like a typo, assuming you’re referring to the LDAP config.
>
> Also it seems there needs to be another step needed to wire up.  Do we
> need to replace the "authorizationGenerator" for pac4j config?   Do we need
> to replace the pac4j in securityContext.xml completely with something else?
>
> Are you trying to configure a static list of users via that file or,
> provide LDAP access, or something else?
>
>
>
> I appreciate any help or hints in the right direction to get this going.
>
> Thanks
> Travis
>
