[cas-user] Re: SAML functions very slow

2024-03-15 Thread John Shrader
Thank you for the update and advice. I tested in our dev environment and
saw no noticeable issues, but the safer option is preferred. I've updated
to using the server.tomcat.background-processor-delay=0s property and the
performance issues with SAML are still resolved.

On Thu, Mar 14, 2024 at 4:35 PM Ocean Liu  wrote:

> Hi John,
>
> We want to let you know we *removed* that configuration (which excludes
> the EmbeddedWebServerFactoryCustomizerAutoConfiguration) in our
> environment.
> We added server.tomcat.background-processor-delay=0s configuration, and
> it fixed the performance issue.
> This option is safer and has less impact.
>
> From a Unicon support:
>
> If you are deploying with an embedded tomcat container, excluding that
> component is likely catastrophic to your deployment and a major red flag.
>
> Without knowing what that exclusion does, this should and could very
> severely jeopardize the stability of your deployment.
>
> I would suggest that you remove the exclusion and instead set this:
> server.tomcat.background-processor-delay=0s
> You can follow the conversation here:
> https://github.com/apereo/cas/pull/5652
>
> Cheers,
>
>
>
> On Thursday, March 14, 2024 at 10:14:58 AM UTC-7 John Shrader wrote:
>
>> Ocean,
>>
>> Thank you for this suggestion. I've been dealing with slow and CPU
>> intensive SAML response generation since switching to 7.0.x. Adding that to
>> my cas.properties fixed the problem entirely.
>>
>> On Wednesday, March 13, 2024 at 2:01:13 PM UTC-4 Ocean Liu wrote:
>>
>>> Thank you for sharing your insights!
>>>
>>> Though it’s been nearly 4 years since your original post, we wanted to
>>> provide an update on our progress.
>>>
>>> We’re currently in the process of migrating from CAS 5.3 to CAS 7.
>>> During testing, we noticed an issue where CAS 7 took over 6 seconds to
>>> generate the SAMLResponse XML, with CPU usage exceeding 120% on an AWS EC2
>>> instance with 1 vCPU.
>>>
>>> We experimented with the
>>> spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration
>>> .
>>> Surprisingly, this resulted in a significant improvement, reducing
>>> response time to just *150ms* and lowering CPU usage to *11%*.
>>>
>>> It’s worth noting that CAS 7 utilizes Spring Boot 3.2; there may still
>>> be performance-related challenges with the embedded Tomcat auto
>>> configuration at this time.
>>>
>>> While we would have liked to create a minimal sample to submit to Spring
>>> Boot, our current focus is on completing the upgrade within our timeline
>>> constraints.
>>>
>>> Best,
>>>
>>> Ocean
>>>
>>>
>>> On Tuesday, March 24, 2020 at 6:10:15 AM UTC-7 John Bond wrote:
>>>
>>>>
>>>> Following up on this thread, it seems we have managed to reduce the lag
>>>> on our infrastructure by adding the following to
>>>> /etc/cas/config/cas.properties
>>>>
>>>> spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration
>>>>
>>>> I'm unsure why this fixed the issue; however, I came across the
>>>> suggestion while attempting to configure a standalone war to work with an
>>>> external tomcat instance and hitting an error regarding a missing
>>>> method.
>>>>
>>>> <https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/wLuzUAxJGkU>
>>>>
>>>> Adding the above config fixed the issue with the external
>>>> instance of tomcat; however, it also significantly reduced the lag we
>>>> observed when using the embedded war. If anyone is able to provide insight
>>>> into why this config parameter helped I would be interested.
>>>>
>>>> Thanks
>>>>
>>>

-- 
John Shrader
Administrator of Network Systems
Northwest State Community College
22600 State Route 34
Archbold, OH 43502
(419) 267-1299
jshra...@northweststate.edu

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOkBwvdLS_ieTTMmfN3%3DCHnyCnvVrY44EmSwu3TjFcDGkDjDSQ%40mail.gmail.com.


[cas-user] Re: SAML functions very slow

2024-03-14 Thread John Shrader
Ocean,

Thank you for this suggestion. I've been dealing with slow and CPU 
intensive SAML response generation since switching to 7.0.x. Adding that to 
my cas.properties fixed the problem entirely.

On Wednesday, March 13, 2024 at 2:01:13 PM UTC-4 Ocean Liu wrote:

> Thank you for sharing your insights!
>
> Though it’s been nearly 4 years since your original post, we wanted to 
> provide an update on our progress.
>
> We’re currently in the process of migrating from CAS 5.3 to CAS 7. During 
> testing, we noticed an issue where CAS 7 took over 6 seconds to generate 
> the SAMLResponse XML, with CPU usage exceeding 120% on an AWS EC2 instance 
> with 1 vCPU.
>
> We experimented with the 
> spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration
> .
> Surprisingly, this resulted in a significant improvement, reducing 
> response time to just *150ms* and lowering CPU usage to *11%*.
>
> It’s worth noting that CAS 7 utilizes Spring Boot 3.2; there may still be 
> performance-related challenges with the embedded Tomcat auto configuration 
> at this time.
>
> While we would have liked to create a minimal sample to submit to Spring 
> Boot, our current focus is on completing the upgrade within our timeline 
> constraints.
>
> Best,
>
> Ocean
>
>
> On Tuesday, March 24, 2020 at 6:10:15 AM UTC-7 John Bond wrote:
>
>>
>> Following up on this thread, it seems we have managed to reduce the lag 
>> on our infrastructure by adding the following to 
>> /etc/cas/config/cas.properties
>>
>> spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration
>>
>> I'm unsure why this fixed the issue; however, I came across the suggestion 
>> while attempting to configure a standalone war to work with an external 
>> tomcat instance and hitting an error regarding a missing method.
>>
>> <https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/wLuzUAxJGkU>
>>
>> Adding the above config fixed the issue with the external 
>> instance of tomcat; however, it also significantly reduced the lag we 
>> observed when using the embedded war. If anyone is able to provide insight 
>> into why this config parameter helped I would be interested.
>>
>> Thanks
>>
>



[cas-user] Duo Universal Prompt and CAS method=POST

2024-01-16 Thread John Wagenleitner
We have a few services that rely on being able to get the CAS ticket POST'd 
back. When those services redirect the user to the CAS login page they 
include the query string parameter `method=POST` in addition to the service 
parameter.

This works with Duo in a frame (or if MFA is bypassed) but is not working 
for the Duo Universal Prompt. After Duo POST's back to CAS with the state, 
CAS then sends the user back to the service using a GET.

I have tested in CAS v6.6.15, 6.6.14 and 6.6.9, and none of them work with 
passing method=POST and using the Universal Prompt.

Just wondering if anyone else has seen this issue and, if so, has found a 
workaround?

Thanks
John



[cas-user] Re: CAS 7 - Deprecation of memcached -- recommendation for replacement

2023-11-04 Thread John
The AMQP one is the easiest,

https://apereo.github.io/cas/development/ticketing/Messaging-AMQP-Ticket-Registry.html

On Saturday, November 4, 2023 at 1:45:54 AM UTC-5 Doug C wrote:

> In testing the latest release of 7.0.0, I discovered that memcached was 
> not working for my ticket registry.  This might be a configuration error on 
> my part since I was trying to use the same configuration that I had from 
> 6.5.8.
>
> However, I looked in the documentation and it indicated that memcached was 
> being deprecated as a ticket registry.  Could I get a recommendation of 
> what I should switch to from memcached?
>
> My situation is very simple.  I am not using clustering, just a standalone 
> server.  I do like that up until now memcached persists the tickets through 
> a restart of the CAS server.
>
> I basically am wanting whatever I use to be responsive and if possible 
> persist tickets during a server restart.
>
> I would appreciate any recommendations.
>
> Thanks!
>
>



[cas-user] Re: 6.6.13 - MFA Trusted devices / expiration

2023-11-03 Thread John
Can also change view to something like this,

Register Device
Please name the current device.

document.getElementById("deviceName").value = randomWord();

Register

Skip

On Friday, November 3, 2023 at 5:16:18 AM UTC-5 Chris SC wrote:

> Hello, 
> [version 6.6.13]
> I'm working on the implementation of the MFA with the Google Auth. 
> provider and Trusted Devices.
> I have a question concerning the configuration of Trusted Devices.
>
> First time the user comes to a 'Register Device' screen (after MFA Google 
> Auth screen), with 2 fields: 
> 1/ Name of the current device 
> > I want to hide this one on the template. What is the template name 
> please ?
>
> 2/ Duration for registered device
> > I want to hide this one too, by forcing an expiry time for everyone 
> (30 days)
>
> I've seen some previous 6.6 configurations using: 
> cas.authn.mfa.trusted.expiration=30
> cas.authn.mfa.trusted.timeUnit=DAY
>
> But these 2 parameters are no longer available in 6.6.13.
> I thought that this part was now delegated to the provider side, but I 
> can't find anything in the Google Auth configuration.
>
> For now, if I take a look at storage, the default expiration is 1 year.
> So how do I set this parameter for now?
>
> [
> {
> "id": 1699003407119,
> "principal": "testuser",
> "deviceFingerprint": "OO5ovcvIZWMPRebiQZGGp6nK2lT1GzElrgtUN87acB8ADGOy",
> "recordDate": "2023-11-03T10:23:27+01:00",
> "recordKey": 
> "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjBjNjQyMzg3LTM3M2EtNDZkZi1iOGM3LTEyNGNlZmJiMDhlNyJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJdIUWhmMmt1dWFlQTQ0TFNjTmhnRDFHb1ZSVW5WejVwSWt0QWsuN3JkWkswX0lTcENaMVQ3a1BFOF9LQQ.hW-Q2nsqjhr0Dnx3LIBJilZgBRoyPAKA8RLN5x2Vtzl44lmizs4-EV-ftwU8jIx7Z7whpTgp6DASz49pc6NO8g",
> "name": "charming_wilson",
> "expirationDate": "2123-11-03T09:23:27.000+00:00"
> }
> ]
>
>
> Thanks for your help! 
> Christophe.
>
>
> Current MFA trusted devices configuration : 
> ##
> ## MFA / Trusted Devices :
> ##
>
> cas.authn.mfa.trusted.mongo.clientUri=mongodb://user:x@localhost:27017/cas-mongo-database
> cas.authn.mfa.trusted.mongo.collection=TrustedRepository
> cas.authn.mfa.trusted.mongo.drop-collection=false
>
> cas.authn.mfa.trusted.core.authentication-context-attribute=isFromTrustedMultifactorAuthentication
> cas.authn.mfa.trusted.core.device-registration-enabled=true
> cas.authn.mfa.trusted.core.auto-assign-device-name=true
>
> cas.authn.mfa.trusted.crypto.enabled=true
> cas.authn.mfa.trusted.crypto.encryption.key=xxx
> cas.authn.mfa.trusted.crypto.signing.key=xxx
>
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=xxx
>
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=xxx
>



[cas-user] Re: 6.6.13 - MFA Trusted devices / expiration

2023-11-03 Thread John
Set these 2 divs to display: none and also set the duration you want.

Device Name

https://github.com/apereo/cas/blob/v6.6.13/support/cas-server-support-thymeleaf/src/main/resources/templates/mfa-trusted-devices/casMfaRegisterDeviceView.html#L19

Duration
https://github.com/apereo/cas/blob/v6.6.13/support/cas-server-support-thymeleaf/src/main/resources/templates/mfa-trusted-devices/casMfaRegisterDeviceView.html#L41


On Friday, November 3, 2023 at 5:16:18 AM UTC-5 Chris SC wrote:

> Hello, 
> [version 6.6.13]
> I'm working on the implementation of the MFA with the Google Auth. 
> provider and Trusted Devices.
> I have a question concerning the configuration of Trusted Devices.
>
> First time the user comes to a 'Register Device' screen (after MFA Google 
> Auth screen), with 2 fields: 
> 1/ Name of the current device 
> > I want to hide this one on the template. What is the template name 
> please ?
>
> 2/ Duration for registered device
> > I want to hide this one too, by forcing an expiry time for everyone 
> (30 days)
>
> I've seen some previous 6.6 configurations using: 
> cas.authn.mfa.trusted.expiration=30
> cas.authn.mfa.trusted.timeUnit=DAY
>
> But these 2 parameters are no longer available in 6.6.13.
> I thought that this part was now delegated to the provider side, but I 
> can't find anything in the Google Auth configuration.
>
> For now, if I take a look at storage, the default expiration is 1 year.
> So how do I set this parameter for now?
>
> [
> {
> "id": 1699003407119,
> "principal": "testuser",
> "deviceFingerprint": "OO5ovcvIZWMPRebiQZGGp6nK2lT1GzElrgtUN87acB8ADGOy",
> "recordDate": "2023-11-03T10:23:27+01:00",
> "recordKey": 
> "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjBjNjQyMzg3LTM3M2EtNDZkZi1iOGM3LTEyNGNlZmJiMDhlNyJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJdIUWhmMmt1dWFlQTQ0TFNjTmhnRDFHb1ZSVW5WejVwSWt0QWsuN3JkWkswX0lTcENaMVQ3a1BFOF9LQQ.hW-Q2nsqjhr0Dnx3LIBJilZgBRoyPAKA8RLN5x2Vtzl44lmizs4-EV-ftwU8jIx7Z7whpTgp6DASz49pc6NO8g",
> "name": "charming_wilson",
> "expirationDate": "2123-11-03T09:23:27.000+00:00"
> }
> ]
>
>
> Thanks for your help! 
> Christophe.
>
>
> Current MFA trusted devices configuration : 
> ##
> ## MFA / Trusted Devices :
> ##
>
> cas.authn.mfa.trusted.mongo.clientUri=mongodb://user:x@localhost:27017/cas-mongo-database
> cas.authn.mfa.trusted.mongo.collection=TrustedRepository
> cas.authn.mfa.trusted.mongo.drop-collection=false
>
> cas.authn.mfa.trusted.core.authentication-context-attribute=isFromTrustedMultifactorAuthentication
> cas.authn.mfa.trusted.core.device-registration-enabled=true
> cas.authn.mfa.trusted.core.auto-assign-device-name=true
>
> cas.authn.mfa.trusted.crypto.enabled=true
> cas.authn.mfa.trusted.crypto.encryption.key=xxx
> cas.authn.mfa.trusted.crypto.signing.key=xxx
>
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=xxx
>
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=xxx
>



[cas-user] Re: simple mfa token

2023-10-26 Thread John
And also ${tokenWithoutPrefix} for the token without the CAS- prefix.
On Thursday, October 26, 2023 at 4:32:24 AM UTC-5 Hartmut Trüe wrote:

> Try this:
> text: "Hello! Your requested CAS token is ${token}"
>
> Regards,
> Hartmut
>
> Mm Mm schrieb am Donnerstag, 26. Oktober 2023 um 10:49:14 UTC+2:
>
>> I am trying to use simple MFA by email, but when the email is received
>> the placeholder %s is unchanged and not replaced with the token.
>> My configuration is:
>> cas:
>>   authn:
>>     mfa:
>>       triggers:
>>         global:
>>           global-provider-id: mfa-simple
>>       simple:
>>         order: 0
>>         token:
>>           core:
>>             token-length: '4'
>>         mail:
>>           attribute-name: mail
>>           text: "Hello! Your requested CAS token is ${{%s}}"
>>           from: m...@example.com
>>           subject: CAS MFA Token
>>           time-to-kill-in-seconds: '30'
>>
>



[cas-user] Re: MFA with Yubikey and WebAuthn

2023-10-19 Thread John
Sounds like you are not on latest, or at least 6.6.10. There was a bug in 
previous versions.

On Thursday, October 19, 2023 at 7:10:25 AM UTC-5 Hartmut Trüe wrote:

> No one uses Yubikey? No idea?
>
> Regards, 
> Hartmut
> Hartmut Trüe schrieb am Freitag, 29. September 2023 um 09:59:21 UTC+2:
>
>> Hello,
>>
>> I am trying to get CAS to work with Yubikey. I have configured FIDO2 
>> WebAuthn and it seems to work so far, no error messages in cas.log during 
>> login process. 
>> But when I try to register the yubikey on the "register device" page, I 
>> get "csrfToken is not defined".
>>
>> CAS is running behind an Apache reverse proxy, and login without mfa or 
>> with simple-mfa is working.
>>
>> Any ideas?
>>
>> Regards,
>> Hartmut
>>
>



Re: [cas-user] [CAS 6.6.8] Custom MFA triggers

2023-09-12 Thread John
results. That code itself doesn't change much, we had thousands 
> of lines of custom java code before the 6.x days, for all kinds of things. 
> Now we maintain 2 individual java class files and working to get those 
> changes pushed into cas, just need to write the test cases and scenarios.
>  
> One of the benefits to using groovy is the no compile time, they don't 
> need to be compiled with your overlay! Most if not all groovy scripts are 
> reloaded on demand when changed and take effect immediately with no 
> restarts, which makes a huge difference.
>  
> Not sure why the other poster's simple-mfa wouldn't work, but it works no 
> problem for us. It could be the trigger type being used; there is the 
> cas.authn.mfa.core.provider-selector-groovy-script and what we use, 
> cas.authn.mfa.groovy-script. We have some vendors/external services that 
> use database auth and mfa is fine; we also use surrogate, and in our groovy 
> we have parts written to either bypass/force for surrogate situations.
>  
> We have been using CAS since the 3.x days, and when groovy webflow came 
> along, it was a blessing!! It is so much easier to maintain than custom 
> java code. See the attached; this is one of about 4 different flow 
> modifiers. Using the "properties" in a service definition, we utilize this 
> flow to inject custom post fields for services that require a POST response 
> instead of REDIRECT.
>  
> I think, in my opinion, groovy is way more sustainable to maintain than 
> the other.
>  
> Thanks,
> John
>  
> On Tuesday, July 25, 2023 at 7:18:07 AM UTC-5 spfma...@e.mail.fr wrote:
>
> Hi,
> Thanks for your reply.
> From what I have read in the recommendations in the docs, scripting is ok 
> but coding is better and more sustainable (build time vs run time I guess).
> So I am trying to understand how to implement something like what is 
> described here :
> https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html
> But so far I don't even know where to put the code, or how to even have a 
> single debug log line.
> Thanks for this example (I think I saw it a couple of months ago); I will 
> follow this way if it's the right one too.
> But I can't forget I have to replicate an old "login-webflow.xml", which 
> seems to be done programmatically only in the current version.
> Regards
>
>
> Le 21-Jul-2023 20:00:53 +0200, rb...@uvic.ca a écrit:
>
> This may provide some direction 
> https://fawnoos.com/2018/11/22/cas5-groovy-mfa/
> There may be other posts on this site that can help.
>  
> Ray
>  
> On Fri, 2023-07-21 at 08:49 +0200, spfma.tech via CAS Community wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information.
>  
> Hi,
> I would like to implement some conditional MFA scenarios (using a 
> different provider depending on the network is the first one), but reading
> https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html
>  
> does not provide a lot of help.
> Is there some code snippet available somewhere I could use as an example ?
> Regards
>
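A Groovy trigger of the kind John describes above, written for the original poster's network-based scenario (a different provider depending on the client network). This is an added example, not John's attached flow and not code from the CAS project. It assumes the CAS Groovy MFA trigger contract (a `run` method receiving service, registeredService, authentication, httpRequest and logger, and returning a provider id or null for no MFA), that the script is referenced through `cas.authn.mfa.groovy-script.location`, and that the `mfa-simple` and `mfa-gauth` providers named elsewhere in this digest are configured; verify the argument order against the docs for your CAS version. The CIDR ranges are constructed placeholders.

```groovy
import groovy.transform.Field

// Constructed example ranges treated as "inside" the organisation. Adjust per site.
@Field final List<String> INTERNAL_CIDRS = ["10.0.0.0/8", "192.168.0.0/16"]

// Entry point CAS calls for the groovy-script trigger (argument order assumed
// from the CAS documentation; check it for your version).
def run(final Object... args) {
    def service = args[0]
    def registeredService = args[1]
    def authentication = args[2]
    def httpRequest = args[3]
    def logger = args[4]

    // Use the address the servlet container resolved. Behind a reverse proxy
    // (Apache is mentioned in this digest) that is only correct if Tomcat's
    // RemoteIpValve (or equivalent) is configured to trust X-Forwarded-For from
    // the proxy alone. Do not read the header here yourself: a client can set
    // it and would thereby pick the weaker provider.
    String clientIp = httpRequest.remoteAddr
    String principal = authentication.principal.id

    if (isInternal(clientIp)) {
        logger.debug("[{}] from internal address [{}]: selecting mfa-simple", principal, clientIp)
        return "mfa-simple"
    }
    logger.debug("[{}] from external address [{}]: selecting mfa-gauth", principal, clientIp)
    return "mfa-gauth"
}

boolean isInternal(String ip) {
    INTERNAL_CIDRS.any { cidr -> inCidr(ip, cidr) }
}

// IPv4-only CIDR match; anything that is not a well-formed IPv4 address
// (for example an IPv6 client) is deliberately treated as external, so the
// stronger provider is the failure mode.
boolean inCidr(String ip, String cidr) {
    def (net, bits) = cidr.tokenize("/")
    int prefix = bits as int
    long addr = toLong(ip)
    long netAddr = toLong(net)
    if (addr < 0 || netAddr < 0 || prefix < 0 || prefix > 32) {
        return false
    }
    long mask = prefix == 0 ? 0L : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL
    return (addr & mask) == (netAddr & mask)
}

long toLong(String ip) {
    def parts = ip?.tokenize(".")
    if (parts == null || parts.size() != 4 || parts.any { !it.isLong() || (it as long) > 255 }) {
        return -1L
    }
    return ((parts[0] as long) << 24) | ((parts[1] as long) << 16) | ((parts[2] as long) << 8) | (parts[3] as long)
}
```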



[cas-user] Re: Submit a CAS evolution for 6.6.12

2023-09-08 Thread John
You have basically one large commit for all changes; it's much easier for 
apereo to see what and where is being changed if you make a commit for each 
section of changes. Also, why is there authy stuff in the mfa module? It 
should probably be renamed, the classes, etc., to okta. For example, 
"package org.apereo.cas.adaptors.authy" is already used in cas and should be 
changed to probably something like "org.apereo.cas.okta", since it already 
exists and would stay in line with how modules are packaged; the config 
probably should be under "org.apereo.cas.config" and not be 
'authyconfiguration'.

On Friday, September 8, 2023 at 3:18:35 AM UTC-5 Jérémie wrote:

> Hi,
>  
> I have developed a custom module for Apereo CAS to allow Okta MFA support 
> for CAS Authentication.
>
> We have developed a custom working module based on a similar Authy project 
> we've found online. 
>
> We are having trouble now to fork, adapt & submit our module to the CAS 6.6.12 
> release due for the end of September. Our Pull Request has been 
> automatically rejected: https://github.com/apereo/cas/pull/5751/files
>
> I've never done that so I might not see obvious steps here.
>
> Thank you  
>



Re: [cas-user] CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-25 Thread John
Looks like from your config, you don't have a static value set for gauth 
encryption; each restart without consistent values would generate a new key 
each time.

You could, for dev testing, set the below and restart. And also, wipe your couchdb 
records so you can re-register:

cas.authn.mfa.gauth.crypto.enabled=false

or just take the auto-generated values that get sent to the log and then set 
the below with what's in the log:

cas.authn.mfa.gauth.crypto.enabled=true 
cas.authn.mfa.gauth.crypto.encryption.key=
cas.authn.mfa.gauth.crypto.encryption.key-size=
cas.authn.mfa.gauth.crypto.signing.key=
cas.authn.mfa.gauth.crypto.signing.key-size=

On Friday, August 25, 2023 at 12:57:14 PM UTC-5 spfma...@e.mail.fr wrote:

> Hi,
>  
> I thought the Ultimate edition has it : 
> https://www.jetbrains.com/help/idea/remote-development-starting-page.html
> But I will never be offered this tool anyhow !
>  
> I am using my main production logfile at "/etc/cas/config log4j2.xml", 
> with all levels between "trace" and "debug". And I see plenty of debug 
> messages so I think it's ok.
>  
> I am now studying the problem with a simple CAS instance built from the 
> sources, with a dummy JSON service and the internal "casuser" account. I 
> just added "cas-server-support-json-service-registry", 
> ""cas-server-support-gauth" and "cas-server-support-gauth-couchdb" and the 
> related "cas.properties" configuration directives :
>  
> ##
> # MFA (global settings) #
> ##
> cas.authn.mfa.triggers.global.global-provider-id: mfa-gauth
> #cas.authn.mfa.triggers.global.global-provider-id: mfa-simple
>
>
> 
> # Google Authenticator #
> 
>
> cas.authn.mfa.gauth.core.multiple-device-registration-enabled: true
> cas.authn.mfa.gauth.core.issuer: CAS
> cas.authn.mfa.gauth.core.label: OUR_CORP
> cas.authn.mfa.gauth.couch-db.create-if-not-exists: true
> cas.authn.mfa.gauth.couch-db.db-name: cas_gauth
> cas.authn.mfa.gauth.couch-db.password: password
> cas.authn.mfa.gauth.couch-db.username: admin
> cas.authn.mfa.gauth.couch-db.url: http://localhost:5984
>  
> CouchDb is running as a local Docker container, with a persistent volume 
> (I had to create the database manually, as in spite of having set 
> "cas.authn.mfa.gauth.couch-db.create-if-not-exists" to true, there are no 
> design documents inside and authenticator registration can not work. There 
> is an older post in this ML about that; I used the information they 
> provided and it works after manually creating the missing items).
>  
> When I login for the first time, I am asked to pair a new authenticator 
> and the process is successful. And can login again and again it's ok. 
> If I check the database, I have a record related to this authenticator, 
> having a name, and id and user name.
>  
> If I restart CAS, the database content is still the same of course but the 
> codes provided by the authenticator are not working anymore, as if they 
> were wrong. And I have an error message in the logs :
>
> 2023-08-25 11:04:22,487 ERROR 
> [org.apereo.cas.authentication.DefaultAuthenticationManager] - 
>  authentication handler that supports 
> [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=),
>  
> accountId=1692865323865)] of type [GoogleAuthenticatorTokenCredential]. 
> Examine the configuration to ensure a method of authentication is defined 
> and analyze CAS logs at DEBUG level to trace the authentication event.>
> 2023-08-25 11:04:22,487 ERROR 
> [org.apereo.cas.authentication.DefaultAuthenticationManager] - 
> <[GoogleAuthenticatorAuthenticationHandler]: [Secret cannot be null.]>
>  
> I still have this record with id=1692865323865 in the 
> database, related to the "casuser" and the registered authenticator. The 
> "secretKey" property is still not null.
>  
> I have set "cas.authn.mfa.gauth.core.multiple-device-registration-enabled" 
> to true, and I am indeed allowed to pair additional authenticators with my 
> accounts. But doing so gives no result, there is still only one record in 
> the database.
> If I manually add a forged record corresponding to a second authenticator, 
> it's better, I have a list of authenticators I can choose.
>  
> So I decided to study the internals a bit further, by adding logging 
> directives here and there.
>  
> But I have more and more the feeling something is wrong or is beyond my 
> current understanding to say the least.
>  
> As you suggested, maybe I am looking at the wrong place, expecting to see 
> log messages from methods which are never called in this use case ?
>  
> There is some garbage collector removing the old tokens (and it's working 
> flawlessly) logging something like :
> 2023-08-25 11:01:11,218 DEBUG 
> [org.apereo.cas.gauth.token.GoogleAuthenticatorCouchDbTokenRepository] - 
> 
>  
> After greping the whole source tree, it seems this message is unique and 
> indeed located in 

Re: [cas-user] CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-24 Thread John
The 6.6.10 thing looks to be a developer oops, so it should have stayed 
and worked. The removal is probably because it has low usage, maybe based 
on Maven download stats. In any case, we moved a lot after I saw the 
deprecation for CouchDB in v7: to REST-based ones where we could, LDAP for 
those that could, and the internal ticket registry is now using the AMQP 
registry, which is easy to set up for replication. 
https://apereo.github.io/cas/development/ticketing/Messaging-AMQP-Ticket-Registry.html

And yes, I concur: trying to find a common backend store for all the modules 
is not easy, and having to complicate things just makes it harder to 
automate, and we wanted automation throughout the entire lifecycle. Our prod 
env is now fully ephemeral; it is rebuilt automatically weekly, not 
really because CAS needs the updates but because the Docker containers 
themselves (OS/Java/Tomcat) have frequent security updates. Are you using or 
planning on using Docker? What's your prod environment going to look like? 
If Docker or Kubernetes, an easy one we almost opted for was just to use 
file-based storage in the Docker volumes, which are stored on our NFS 
servers, which are also already replicated over multiple sites. Tickets 
cannot be stored on disk, but the new AMQP registry solves that.

What are you using for the auth backend? Is it LDAP? The easiest way we have 
found, since our backend auth is AD, is to utilize LDAP storage when it is 
available, since of course AD is already replicated, multi-master. 
On Thursday, August 24, 2023 at 4:01:37 AM UTC-5 spfma...@e.mail.fr wrote:

> Hi,
>  
> Thanks for your answer.
>  
> I chose this storage system because my goal is to set up an active/passive 
> pair of servers (with continuous db replication on the passive side and 
> automatic seamless failover) in order to provide high availability.
> It was the only supported backend I have found providing an easy way to 
> achieve this goal (no three-tier cluster with quorum and/or manual failover 
> with a conventional RDBMS).
>  
> But according to John's answer, I think I will have to change my mind 
> anyway.
>  
> As my computer does not meet the requirements for serious Java 
> development, I am working remotely on a beefed-up VM with plenty of RAM 
> and CPU cores. And for that, VSCode has a very nice remote session 
> extension, using ssh. Since Java-related extensions don't seem to work 
> correctly this way (maybe they work better locally, I don't have enough 
> resources to test it), I am indeed using two shell sessions to run commands: 
> one for building (clean build), and the other one for running (bootRun).
>  
> I have seen some posts here and there relating unexplainable problems with 
> Gradle, and wiping out all the folders solved them. So I gave it a try too!
>  
> My actual log4j config has a logger defined this way :
>  
> 
> 
> 
> 
> 
>  
> And I am adding "LOGGER.debug" directives here and there. Should it be ok ?
>  
> I had a look at several IDEs, and IDEA free has no remote support 
> unfortunately. Need to have a look at Eclipse and NetBeans too, but it 
> seems they have the same limitations. So better make a wise choice before 
> investing time and energy in such a complex product.
>  
> Regards
>
>
> Le 23-Aug-2023 19:53:05 +0200, rb...@uvic.ca a écrit:
>
> Could you use a different storage system?
>  
> I do not see the couchdb module in the current development branch. Not 
> sure if it is being removed or if a different module takes on that feature.
>  
> Instead of running gradlew in vscode, you can run it from the command 
> line. The 'clean' part of the command will remove all .class files; no need 
> to get rid of gradle directories unless you are changing gradle version 
> (which you should not).
> Once you build the project, remove 'clean'; only modified packages will be 
> rebuilt (will be fine for logging, but not for api changes).
>  
> It is possible that method is not being called. You could put your logging 
> statement in every method in that class to be sure. Also, use error level 
> logging. Default logging for that class may not show at info or debug. Or 
> add to log4j2.xml:
>  
> 
>  
> If you want a more 'capable' development environment, here are some notes 
> on intellij (I think there is a free version), 
> https://apereo.github.io/cas/development/developer/Build-Process.html#intellij-idea
>  
> Ray
>  
> On Wed, 2023-08-23 at 17:43 +0200, spfma.tech via CAS Community wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information.
>  
> Hi,
>  
> I am still trying to understand what is wrong with 
> "cas-server-support-gauth-couchdb" (only the first authenticator is 
> recorded in the database, none is working anymore after a restart).
>  
> As I am not a Java dev (I don't have the skills and don't have the most 
> convenient tools), my idea was to add some logging directives here and 
> 

Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-23 Thread John
I wouldn't even be able to tell you why your build doesn't launch with @class, 
because that is what it should be; maybe it's a VS Code issue. You can set up 
IntelliJ IDEA Community and it's free. Here is the Gradle build, although, 
can you try downgrading to 6.6.9 in gradle.properties? Just curious on the 
outcome.

Gradle build below; you can disregard a lot in the Core section as it's only 
needed for local development purposes for custom stuff.

https://pastebin.com/4F72xCSB

The bare-bones CAS config you can see in the puppeteer test below; I would 
paste ours but we use the Spring Cloud REST config.

config:
https://github.com/apereo/cas/blob/6.6.x/ci/tests/puppeteer/scenarios/mfa-provider-selection/script.json

service:
https://github.com/apereo/cas/blob/6.6.x/ci/tests/puppeteer/scenarios/mfa-provider-selection/services/Sample-1.json






On Wednesday, August 23, 2023 at 2:18:44 PM UTC-5 Ray Bon wrote:

> Diego,
>
> A service (application) can be configured to trigger MFA 
> https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-PerApplication.html
>  and 
> block (bypass=false) or with groovy script 
> https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Bypass.html#bypass-via-groovy
>
> Ray
>
> On Wed, 2023-08-23 at 11:23 -0700, Diego Gimenez wrote:
>
>
> I tried using @class instead of _class for my service and CAS will not 
> launch; I am struggling to find a solution. Can you show me your 
> build.gradle and your cas.properties so I can try it and see if the problem 
> may be in any of my local build.gradle or cas.properties?
>
> What I mean with that sentence is that I am looking for other solutions to 
> trigger an MFA based on a specific service. The one that I thought about 
> was using Groovy to detect a certain serviceId (i.e. https/http prefix) and 
> decide if it should actually trigger an MFA authentication or not. So the 
> part that I am missing is how to actually block an authentication attempt 
> (based on testing, I've found that if you return null in a Groovy script 
> to trigger certain MFA, the authentication will proceed, and I want to do 
> the opposite). I know it is not optimal, but given the fact that I am unable 
> to trigger an MFA authentication by service I am looking for options! The 
> image below shows an example of what I want to do.
>
>
> On Wednesday, 23 August 2023 at 13:12:06 UTC-3 John wrote:
>
> Forgot, what do you mean by this? "Is there a way to block authentication 
> when using Groovy to trigger the mfa?" Can you post what you're doing in 
> Groovy to get a better idea?
>
> On Wednesday, August 23, 2023 at 10:01:04 AM UTC-5 diego@unc.edu.ar 
> wrote:
>
> Hello John,
>
> first of all, thanks for your response.
>
> Unfortunately, it did not work. I am using the CAS overlay and set 
> `cas.version=6.6.10` in `gradle.properties`. However, the trigger is still 
> not working, I used a Groovy script to trigger mfa and printed the 
> registered service as I did before. I have a question that is not directly 
> related. Is there a way to block authentication when using Groovy to 
> trigger the mfa? That would temporarily work. (The only method I found was 
> to throw an exception on purpose, but that won't provide feedback to the 
> user with what went wrong)
>
> On Wednesday, 23 August 2023 at 10:13:38 UTC-3 John wrote:
>
> You have an array set, there was a bug in earlier 6.6 versions and was 
> fixed in a later 6.6 release. Please update to the latest 6.6.x release and 
> it will work as it should.
>
> On Wednesday, August 23, 2023 at 7:50:48 AM UTC-5 diego@unc.edu.ar 
> wrote:
>
> Hello Ray,
>
> Sorry about that.
>
> I attach the registered service and the providers I get from the service. 
> I used a Groovy script to print the registered service.
>
> I have tried using @class instead of _class and it did not make any 
> difference; I also tried to search through the CAS source code and I have the 
> hypothesis that it might not be detecting either the policy or the 
> providers I am using.
>
> On Friday, 18 August 2023 at 20:19:18 UTC-3 Ray Bon wrote:
>
> Diego,
>
> Image did not come through.
>
> Ray
>
> On Fri, 2023-08-18 at 11:46 -0700, 'Diego Gimenez' via CAS Community wrote:
>
>
>
> Hello. As the title says I can't make an MFA trigger per service. Looks 
> like the service can't detect such provider as shown in the following 

Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-23 Thread John
You shouldn't need Groovy for that; what you want, I believe, is failure mode, 
see here

https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-FailureModes.html
"failureMode" : "CLOSED"

CLOSED = Disallow MFA and block authentication.


On Wednesday, August 23, 2023 at 2:18:44 PM UTC-5 Ray Bon wrote:


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/222bfd55-d91b-4652-ba94-3eb66980cc13n%40apereo.org.


Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-23 Thread John
Are you sure that CAS is even reading your service definition? Because it 
looks off completely and doesn't pass JSON validation. Turn your logging in 
the log4j XML to debug and see what it spits out,

try this as well, as the only service definition for cas,

https://pastebin.com/mZKavp1h



On Wednesday, August 23, 2023 at 2:18:44 PM UTC-5 Ray Bon wrote:


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f74ced60-f912-45b6-b096-d28a54b6c8d4n%40apereo.org.


[cas-user] Re: CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-23 Thread John
We're no longer on the 6.x series; as in your case, we used CouchDB for many 
items and it is being removed in 7.x, so we went ahead and moved on. It 
looks as though it was removed on the tag for 6.6.10, maybe by accident, 
because it still exists in the 6.6.x branch. Maybe an oops by one of the 
devs and 6.6.10 was tagged off the wrong branch? Idk..



On Wednesday, August 23, 2023 at 10:53:43 AM UTC-5 spfma...@e.mail.fr wrote:

> Hi,
>  
> I am still trying to understand what is wrong with 
> "cas-server-support-gauth-couchdb" (only the first authenticator is 
> recorded in the database, none is working anymore after a restart).
>  
> As I am not a Java dev (I don't have the skills and don't have the most 
> convenient tools), my idea was to add some logging directives here and 
> there to trace the process, using the latest branch of the application 
> source code (not the overlay one).
>  
> Can someone confirm I am doing it the right way :
> - add "import lombok.extern.slf4j.Slf4j;" if missing at the top of the 
> class file
> - annotate the class definition with "@Slf4j"
> - put stuff like "LOGGER.debug" or "LOGGER.info" as needed
>  
> VSCode is my tool, and it seems convenient extensions for 
> Java/Maven/Gradle are not able to handle a big project like CAS (language 
> server crashing and restarting all the time, Gradle extensions unable to 
> build a tree of all subprojects without crashing, ...), so I don't mind 
> using the good old manual way instead of wasting time.
>  
> After modifying the code here and there, I rebuild the whole app with 
> "./gradlew clean build --parallel --configure-on-demand --stacktrace 
> --no-daemon -x checkstyleMain" at the root of the project.
>  
> And "cas/webapp/cas-server-webapp-jetty$ ../../gradlew bootRun --parallel 
> --configure-on-demand --build-cache --stacktrace --no-daemon -x 
> checkstyleMain" allows me to try it (we use it with Jetty in production).
>  
> The app is running, I can reproduce the problems, but I have the feeling my 
> modifications don't exist, as none of my custom logging messages is 
> displayed.
>  
> For an example, I added a simple logging flag in this file 
> "support/cas-server-support-gauth-couchdb/src/main/java/org/apereo/cas/couchdb/gauth/credential/GoogleAuthenticatorAccountCouchDbRepository.java"
>  
> this way :
>  
> @View(name = "by_username", map = "function(doc) { if(doc.secretKey) { emit(doc.username, doc) } }")
> public List<CouchDbGoogleAuthenticatorAccount> findByUsername(final String username) {
>     LOGGER.debug("[MY_DEBUG_STUFF] findByUsername@GoogleAuthenticatorAccountCouchDbRepository={}", username);
>     try {
>         return queryView("by_username", username.trim().toLowerCase());
>     } catch (final DocumentNotFoundException e) {
>         LOGGER.trace(e.getMessage(), e);
>     }
>     return new ArrayList<>(0);
> }
>  
> as I think it's the one responsible for database lookup, according to the 
> request I have seen coming on database side.
>  
> But nothing in the logs ... Maybe I am not tagging the right source file ?
>  
> So why not tweak a known existing log message, it is safer. In 
> "support/cas-server-support-gauth-couchdb/src/main/java/org/apereo/cas/gauth/token/GoogleAuthenticatorCouchDbTokenRepository.java"
>  
> I changed the message in "cleanInternal" method. The string "Removing 
> tokens older than" is only found in this file, so I think it's spot on.
>  
> After rebuilding and restarting the application, I still get the original 
> message in my logs.
>  
> DEBUG 
> [org.apereo.cas.gauth.token.GoogleAuthenticatorCouchDbTokenRepository] - 
>   
> Could someone tell me what I am missing or doing wrong ? Of course, I have 
> deleted all Gradle dirs, used a find to delete all ".class" files and 
> rebuild the projects several times but I am stuck.
>  
> Regards
>  
>  
>
> --
> FreeMail powered by mail.fr 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2d74742b-5ed9-4ae5-bdea-07fdf52b5bdan%40apereo.org.
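As an added check for the lookup path quoted in the message above (example code written for this page, not code from CAS or from the poster): the CouchDB view `by_username` emits `doc.username` unchanged, while the repository queries it with `username.trim().toLowerCase()`. The script below replays both sides in Python over constructed sample documents, so you can see which stored records a given lookup can and cannot reach, and which records the view skips because `secretKey` is empty. The document ids, usernames and secrets are made up, and whether a key mismatch of this kind is behind the symptoms in this thread is not established here; the script is a way to test that hypothesis, nothing more.

```python
# Constructed CouchDB documents, shaped like what the thread describes:
# one record per registered authenticator, with username and secretKey.
# Sample data for this example only, not documents from the thread.
SAMPLE_DOCS = [
    {"_id": "1692865323865", "username": "casuser",
     "secretKey": "JBSWY3DPEHPK3PXP", "name": "phone-1"},
    {"_id": "1692865399999", "username": "CasUser",
     "secretKey": "KRSXG5CTMVRXEZLU", "name": "phone-2"},
    {"_id": "1692865400000", "username": "casuser",
     "secretKey": None, "name": "broken"},
]


def map_by_username(doc):
    """Python equivalent of the view's map function quoted above:
    function(doc) { if(doc.secretKey) { emit(doc.username, doc) } }
    Returns the (key, value) pairs the view would emit for one document."""
    if doc.get("secretKey"):  # JS truthiness: null and "" are not emitted
        return [(doc["username"], doc)]
    return []


def build_view(docs):
    """Materialise the view index: emitted key -> list of documents."""
    index = {}
    for doc in docs:
        for key, value in map_by_username(doc):
            index.setdefault(key, []).append(value)
    return index


def find_by_username(docs, username):
    """Mirror of the repository lookup, which queries the view with
    username.trim().toLowerCase()."""
    return build_view(docs).get(username.strip().lower(), [])


def unreachable_accounts(docs):
    """Ids of documents the view emits under a key that the lower-cased,
    trimmed query can never match (mixed case or surrounding whitespace)."""
    out = []
    for doc in docs:
        for key, _ in map_by_username(doc):
            if key != key.strip().lower():
                out.append(doc["_id"])
    return out


if __name__ == "__main__":
    for doc in find_by_username(SAMPLE_DOCS, " casuser "):
        print("reachable:", doc["_id"], doc["name"])
    print("never returned by the lookup:", unreachable_accounts(SAMPLE_DOCS))
```

To apply the same check against a live database, dump the documents from the gauth account database and load them in place of SAMPLE_DOCS; any id listed by `unreachable_accounts` is a record the repository's `findByUsername` would not return even though it exists.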


Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-23 Thread John
I tested on local dev, 6.6.10, and it is working. Also, it's not _class, it 
has to be @class, see below. Also make sure you have 
"cas.authn.mfa.core.provider-selection-enabled=true" in config

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "Sample",
  "id": 1,
  "description": "Sample Service",
  "evaluationOrder": 1,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn" ] ]
  }
}






On Wednesday, August 23, 2023 at 10:01:04 AM UTC-5 diego@unc.edu.ar 
wrote:


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/de5de4c0-1860-4375-a9e6-bbe6bdba8a3fn%40apereo.org.
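The service definition John posts above, together with the failure-mode advice earlier in this thread, as an added example that is not code from the thread or from the CAS project: a small Python lint for a CAS JSON service file that flags the pitfalls raised here, namely `_class` instead of `@class`, a bare provider array instead of the `java.util.LinkedHashSet` wrapper, and an unrecognised `failureMode`. The sample document embedded in the script is constructed from John's example with a `failureMode` of CLOSED added; the set of failure mode names is taken from the CAS documentation page linked in the thread, and the fallback-to-global behaviour when `failureMode` is absent is an assumption from that documentation.

```python
import json

# Constructed sample, shaped like the definition John posted above, with the
# "@class" markers, the LinkedHashSet-wrapped provider list, and an explicit
# failureMode added. Not a real service definition from the thread.
SAMPLE_SERVICE = r'''
{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "Sample",
  "id": 1,
  "description": "Sample Service",
  "evaluationOrder": 1,
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn" ] ],
    "failureMode": "CLOSED"
  }
}
'''

# Failure mode names as documented for CAS 6.6 (assumption: taken from the
# failure-modes page linked in the thread). CLOSED blocks authentication
# when the provider is unavailable, which is what the thread asks for.
FAILURE_MODES = {"OPEN", "CLOSED", "PHANTOM", "NONE", "UNDEFINED"}
LINKED_HASH_SET = "java.util.LinkedHashSet"


def lint_service(text):
    """Return the list of problems found in one CAS JSON service definition.

    An empty list means none of the checks fired. The checks cover the
    mistakes discussed in this thread, not everything CAS validates."""
    problems = []
    try:
        svc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    if "_class" in svc:
        problems.append("top level uses '_class'; CAS expects '@class'")
    if "@class" not in svc:
        problems.append("top-level '@class' missing")
    for key in ("serviceId", "name", "id"):
        if key not in svc:
            problems.append(f"required field '{key}' missing")

    policy = svc.get("multifactorPolicy")
    if policy is None:
        problems.append("no multifactorPolicy: per-service MFA cannot trigger")
        return problems
    if "_class" in policy:
        problems.append("multifactorPolicy uses '_class'; CAS expects '@class'")
    if "@class" not in policy:
        problems.append("multifactorPolicy '@class' missing")

    providers = policy.get("multifactorAuthenticationProviders")
    if providers is None:
        problems.append("multifactorPolicy has no multifactorAuthenticationProviders")
    elif not (isinstance(providers, list) and len(providers) == 2
              and providers[0] == LINKED_HASH_SET
              and isinstance(providers[1], list)):
        # A bare ["mfa-gauth"] array is the "array set" John mentions;
        # CAS serialises Java collections as [ "java.util.LinkedHashSet", [...] ].
        problems.append("multifactorAuthenticationProviders must be "
                        f'[ "{LINKED_HASH_SET}", [ ... ] ], not a bare array')
    else:
        for provider in providers[1]:
            if not isinstance(provider, str) or not provider.startswith("mfa-"):
                problems.append(f"provider id {provider!r} does not look like an mfa-* id")

    mode = policy.get("failureMode")
    if mode is None:
        problems.append("failureMode not set; CAS falls back to the global failure mode")
    elif mode not in FAILURE_MODES:
        problems.append(f"failureMode {mode!r} is not one of {sorted(FAILURE_MODES)}")
    return problems


def lint_file(path):
    """Lint one service file from disk (the JSON service registry directory)."""
    with open(path, encoding="utf-8") as fh:
        return lint_service(fh.read())


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            for problem in lint_file(path):
                print(f"{path}: {problem}")
    else:
        print("sample:", lint_service(SAMPLE_SERVICE) or "ok")
```

Run it over the files in your JSON service registry directory (`python lint_service.py services/*.json`); a definition that CAS silently ignores because it fails to parse shows up as the first check, which is the situation John suspects in the message above.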


Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-23 Thread John
Forgot, what do you mean by this? "Is there a way to block authentication 
when using Groovy to trigger the mfa?" Can you post what you're doing in 
Groovy to get a better idea?

On Wednesday, August 23, 2023 at 10:01:04 AM UTC-5 diego@unc.edu.ar 
wrote:


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e9ea61bb-c69b-4d8e-b40e-817243985165n%40apereo.org.


Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-23 Thread John
You have an array set, there was a bug in earlier 6.6 versions and was 
fixed in a later 6.6 release. Please update to the latest 6.6.x release and 
it will work as it should.

On Wednesday, August 23, 2023 at 7:50:48 AM UTC-5 diego@unc.edu.ar 
wrote:


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0eb12095-d872-4e7a-beff-61c1fe0c4678n%40apereo.org.


[cas-user] CAS 7.0 potential release and when SPM 6.5, 6.6 will be EoL

2023-08-10 Thread John Bergant
I'm looking at staying within the SPM for CAS. I'm a bit nervous as the EoL 
for 6.5.x is slated for the end of December. It looks like 7.0.0-RC9 is 
slated for 12/22. Are there any plans for extending the 6.6.x SPM date? How 
many releases are generally left in SPM after a new version of CAS is 
released?



Re: [cas-user] Simple MFA to Surrogate bypasses surrogate selection

2023-07-27 Thread John
Took me a few to get a few different container versions ready, and it looks 
like it was a bug. We have been using surrogate for only a few months and 
have been using a 'master' branch container as primary on our app 
controller for a while; it doesn't occur there and was fixed in master many 
moons ago. See here: 
https://github.com/apereo/cas/commit/3a8cb528850d3822dbeba7a73f7e3bf85d3d9abc 
You could switch to the latest tag in gradle if you don't want to build off 
master; the tag is 7.0.0-RC6.

On Wednesday, July 26, 2023 at 11:54:54 AM UTC-5 tos...@smythco.com wrote:

> Thanks for your reply John.
>
> Read the docs repeatedly and somehow kept reading that as admin+surrogate 
> rather than surrogate+admin.  
>
> However, there is still a default "web flow" issue between MFA and 
> surrogate.
>
> When tested as +admin with the drop down it triggers simple MFA but 
> bypasses surrogate drop down selection. 
>
> When tested as you suggested as surrogate+admin (which does correctly 
> authenticate), it bypasses MFA and does correctly bring up the surrogate.
>
>
> Should point out that if the MFA groovy script returns null it will correctly 
> display the surrogate drop down.  So if I disable MFA, which is what we 
> currently have for our internal logins, then surrogate selection works.
>
>
> On Wednesday, July 26, 2023 at 9:32:36 AM UTC-5 John wrote:
>
>> We don't use the surrogate selector at all, the person has to know the 
>> account name, and for your login you should be using ` surrogate+adminuser 
>> ` and not  ` adminuser+surrogate `. Have you turned on debug? Do you have 
>> sufficient debug logging messages in your groovy script to track through 
>> the whole process? The debug logs can give you a good clue into where or 
>> why it would be not working.
>>
>> On Tuesday, July 25, 2023 at 11:01:59 PM UTC-5 tos...@smythco.com wrote:
>>
>>> Really appreciate the quick responses.
>>>
>>> Currently using 
>>> cas.authn.mfa.groovy-script.location=file:/somepath/mfa_trigger.groovy 
>>> (script contents same as previous message)
>>>
>>> Oddly the adminuser+surrogate approach does not work at all.  It won't 
>>> authenticate.  That has not presented much of an issue as we have so many 
>>> potential surrogates that we use the +adminuser/password approach followed 
>>> by the drop down selection of the surrogate.
>>>
>>> MFA within our context is in regards to the original +adminuser, not in 
>>> regards to MFA for the surrogate themselves ( so intent is for MFA to 
>>> occur and then surrogate selection).
>>>
>>> Correct in assuming that what appears to be the failure is the 
>>> bypass of the surrogate drop down selection when using the +adminuser 
>>> approach if the groovy script returns "mfa-simple".  If the groovy script 
>>> returns null then surrogate drop down selection works correctly with 
>>> +adminuser/password.
>>>
>>> On Tuesday, July 25, 2023 at 3:49:50 PM UTC-5 John wrote:
>>>
>>>> We use mfa-simple for database auths as well, which groovy mfa are you 
>>>> using? cas.authn.mfa.core.provider-selector-groovy-script OR 
>>>> cas.authn.mfa.groovy-script 
>>>> which is what we use,
>>>>
>>>>
>>>> On Tuesday, July 25, 2023 at 3:41:02 PM UTC-5 Ray Bon wrote:
>>>>
>>>>> Anthony,
>>>>>
>>>>> Does surrogate+username / password approach work, or is it only the 
>>>>> surrogate selection that does not work?
>>>>>
>>>>> If I use surrogate+ with a service that requires MFA, it goes through 
>>>>> the mfa flow for username and then to service as surrogate. But I do not 
>>>>> have any groovy scripts running.
>>>>>
>>>>> Ray
>>>>>
>>>>> On Tue, 2023-07-25 at 10:31 -0700, Anthony Oslund wrote:
>>>>>
>>>>> Notice: This message was sent from outside the University of Victoria 
>>>>> email system. Please be cautious with links and sensitive information.
>>>>>
>>>>>
>>>>> Start by stating current deployment uses 6.6.6 with DBMS 
>>>>> authentication, not LDAP.
>>>>>
>>>>> Deployment uses the groovy approach for triggering simple MFA.  
>>>>>
>>>>> Based on much testing and researching of this archive determined that 
>>>>> if simple MFA is activated through groovy script that CAS will bypass 
>>>>> surr

Re: [cas-user] Simple MFA to Surrogate bypasses surrogate selection

2023-07-26 Thread John
We don't use the surrogate selector at all, the person has to know the 
account name, and for your login you should be using ` surrogate+adminuser 
` and not  ` adminuser+surrogate `. Have you turned on debug? Do you have 
sufficient debug logging messages in your groovy script to track through 
the whole process? The debug logs can give you a good clue into where or 
why it would be not working.

On Tuesday, July 25, 2023 at 11:01:59 PM UTC-5 tos...@smythco.com wrote:

> Really appreciate the quick responses.
>
> Currently using 
> cas.authn.mfa.groovy-script.location=file:/somepath/mfa_trigger.groovy 
> (script contents same as previous message)
>
> Oddly the adminuser+surrogate approach does not work at all.  It won't 
> authenticate.  That has not presented much of an issue as we have so many 
> potential surrogates that we use the +adminuser/password approach followed 
> by the drop down selection of the surrogate.
>
> MFA within our context is in regards to the original +adminuser, not in 
> regards to MFA for the surrogate themselves ( so intent is for MFA to 
> occur and then surrogate selection).
>
> Correct in assuming that what appears to be the failure is the bypass 
> of the surrogate drop down selection when using the +adminuser approach if 
> the groovy script returns "mfa-simple".  If the groovy script returns null 
> then surrogate drop down selection works correctly with +adminuser/password.
>
> On Tuesday, July 25, 2023 at 3:49:50 PM UTC-5 John wrote:
>
>> We use mfa-simple for database auths as well, which groovy mfa are you 
>> using? cas.authn.mfa.core.provider-selector-groovy-script OR 
>> cas.authn.mfa.groovy-script 
>> which is what we use,
>>
>>
>> On Tuesday, July 25, 2023 at 3:41:02 PM UTC-5 Ray Bon wrote:
>>
>>> Anthony,
>>>
>>> Does surrogate+username / password approach work, or is it only the 
>>> surrogate selection that does not work?
>>>
>>> If I use surrogate+ with a service that requires MFA, it goes through 
>>> the mfa flow for username and then to service as surrogate. But I do not 
>>> have any groovy scripts running.
>>>
>>> Ray
>>>
>>> On Tue, 2023-07-25 at 10:31 -0700, Anthony Oslund wrote:
>>>
>>> Notice: This message was sent from outside the University of Victoria 
>>> email system. Please be cautious with links and sensitive information.
>>>
>>>
>>> Start by stating current deployment uses 6.6.6 with DBMS authentication, 
>>> not LDAP.
>>>
>>> Deployment uses the groovy approach for triggering simple MFA.  
>>>
>>> Based on much testing and researching of this archive determined that if 
>>> simple MFA is activated through groovy script that CAS will bypass 
>>> surrogate selection.  From researching this archive others have run into 
>>> the same limitation (at least for 6.6.6 and earlier, not sure about later 
>>> versions).
>>>
>>> For surrogate logging in using the +username / pass approach and then 
>>> selecting surrogate from drop down.
>>>
>>> Surrogate process functions correctly, but only if MFA not selected by 
>>> the groovy script.  This is true even if MFA not required in that exact 
>>> login instance, having been satisfied by recent/previous login/MFA.  For 
>>> example, groovy script determines that MFA is required for +username... 
>>> system examines recent MFA cache... regardless if MFA required/not required 
>>> at this moment surrogate process bypassed and authenticated/released 
>>> parameters are for original +username.
>>>
>>> Current deployment's security requirements restrict surrogate to 
>>> internal use only, while only requiring MFA externally so at this time not 
>>> an issue as both MFA and surrogate are working within their separate 
>>> external/internal scopes.  Future requirements may likely require MFA 
>>> internally as well, which with current deployment would conflict with 
>>> internal scope surrogate process.
>>>
>>>
>>> Looking at attached groovy scripts from other posts it appears they are 
>>> potentially using other MFA ("mfa-gauth", "mfa-webauthn").  Perhaps issue 
>>> with our deployment is a default web flow issue specific to simple MFA.
>>>
>>>
>>> Simple MFA currently works in all instances, but does not flow to 
>>> surrogate.  If groovy script below returns null for MFA then flow to 
>>> surrogate selection works as intended.
>>>
>>>

Re: [cas-user] Simple MFA to Surrogate bypasses surrogate selection

2023-07-25 Thread John
We use mfa-simple for database auths as well, which groovy mfa are you 
using? cas.authn.mfa.core.provider-selector-groovy-script OR 
cas.authn.mfa.groovy-script 
which is what we use,


On Tuesday, July 25, 2023 at 3:41:02 PM UTC-5 Ray Bon wrote:

> Anthony,
>
> Does surrogate+username / password approach work, or is it only the 
> surrogate selection that does not work?
>
> If I use surrogate+ with a service that requires MFA, it goes through the 
> mfa flow for username and then to service as surrogate. But I do not have 
> any groovy scripts running.
>
> Ray
>
> On Tue, 2023-07-25 at 10:31 -0700, Anthony Oslund wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information.
>
>
> Start by stating current deployment uses 6.6.6 with DBMS authentication, 
> not LDAP.
>
> Deployment uses the groovy approach for triggering simple MFA.  
>
> Based on much testing and researching of this archive determined that if 
> simple MFA is activated through groovy script that CAS will bypass 
> surrogate selection.  From researching this archive others have run into 
> the same limitation (at least for 6.6.6 and earlier, not sure about later 
> versions).
>
> For surrogate logging in using the +username / pass approach and then 
> selecting surrogate from drop down.
>
> Surrogate process functions correctly, but only if MFA not selected by the 
> groovy script.  This is true even if MFA not required in that exact login 
> instance, having been satisfied by recent/previous login/MFA.  For example, 
> groovy script determines that MFA is required for +username... system 
> examines recent MFA cache... regardless if MFA required/not required at 
> this moment surrogate process bypassed and authenticated/released 
> parameters are for original +username.
>
> Current deployment's security requirements restrict surrogate to internal 
> use only, while only requiring MFA externally so at this time not an issue 
> as both MFA and surrogate are working within their separate 
> external/internal scopes.  Future requirements may likely require MFA 
> internally as well, which with current deployment would conflict with 
> internal scope surrogate process.
>
>
> Looking at attached groovy scripts from other posts it appears they are 
> potentially using other MFA ("mfa-gauth", "mfa-webauthn").  Perhaps issue 
> with our deployment is a default web flow issue specific to simple MFA.
>
>
> Simple MFA currently works in all instances, but does not flow to 
> surrogate.  If groovy script below returns null for MFA then flow to 
> surrogate selection works as intended.
>
>
> import java.util.*
>
> class SampleGroovyProviderSelection {
>
>     def String run(final Object... args) {
>         def service = args[0]
>         def authentication = args[2]
>         def request = args[3]
>         def logger = args[4]
>
>         def mfa = null
>
>         def email = authentication.principal.attributes['email']
>         def phone = authentication.principal.attributes['phone']
>         def mfaMode = authentication.principal.attributes['mfa_mode']
>
>         logger.info('Groovy script for mfa')
>         logger.info(mfaMode)
>         logger.info(email)
>         logger.info(phone)
>
>         /*
>            If user lacks both email and phone then bypass MFA
>
>            If plan is to prevent the user from authenticating if
>            they cannot use MFA, that should be handled further upstream
>            through the DBMS view.  It can simply prevent them from
>            ever authenticating (if that is the desired outcome), in
>            which case they will never even get to this point
>         */
>         if (mfaMode && (email || phone)) {
>             if (mfaMode.contains("Y")) {
>                 mfa = ["mfa-simple"]
>             }
>         }
>         return mfa
>     }
> }
>
>



Re: ~Re: [cas-user] [CAS 6.6.8] Custom MFA triggers

2023-07-25 Thread John
Maybe Misagh could put in his thoughts on this, but I would argue the 
opposite is more true in fact: having custom java code and having to 
register, etc. relies on way MORE base code in cas than the groovy 
methods. If you take a look at the way groovy scripts are written in cas it 
is mainly a simple execute groovy method passing the parameters and just 
reading the results. That code itself doesn't change much; we had thousands 
of lines of custom java code before the 6.x days, for all kinds of things. 
Now we maintain 2 individual java class files and are working to get those 
changes pushed into cas, just need to write the test cases and scenarios.

One of the benefits to using groovy is no compile time; they don't need 
to be compiled with your overlay! Most if not all groovy scripts are 
reloaded on demand when changed and take effect immediately with no 
restarts, which makes a huge difference.

Not sure why the other poster's simple-mfa wouldn't work but it works no problem 
for us. It could be the trigger type being used: there is 
cas.authn.mfa.core.provider-selector-groovy-script 
and what we use, cas.authn.mfa.groovy-script. We have some 
vendors/external services that use database auth and mfa is fine; we also 
use surrogate and in our groovy we have parts written to either 
bypass/force for surrogate situations.

We have been using CAS since the 3.x days and when groovy webflow came 
along, it was a blessing!! It is so much easier to maintain than custom 
java code. See the attached, this is one of about 4 different flow 
modifiers; using the "properties" in a service definition, we utilize this 
flow to inject custom post fields for services that require a POST response 
instead of REDIRECT.

I think, in my opinion, groovy is way more sustainable to maintain than the 
other.

Thanks,
John

On Tuesday, July 25, 2023 at 7:18:07 AM UTC-5 spfma...@e.mail.fr wrote:

> Hi,
> Thanks for your reply.
> From what I have read in the recommendations in the docs, scripting is ok 
> but coding is better and more sustainable (build time vs run time I guess).
> So I am trying to understand how to implement something like what is 
> described here: 
> https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html
> But so far I don't even know where to put the code, how to even have a 
> single debug log line.
> Thanks for this example (I think I saw it a couple of months ago), I will 
> follow this way if it's the right one too.
> But I can't forget I have to replicate an old "login-webflow.xml", which 
> seems to be done programmatically only in the current version.
> Regards
>
>
> On 21-Jul-2023 20:00:53 +0200, rb...@uvic.ca wrote:
>
> This may provide some direction 
> https://fawnoos.com/2018/11/22/cas5-groovy-mfa/
> There may be other posts on this site that can help.
>  
> Ray
>  
> On Fri, 2023-07-21 at 08:49 +0200, spfma.tech via CAS Community wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information.
>  
> Hi,
> I would like to implement some conditional MFA scenarios (using a 
> different provider depending on the network is the first one), but reading
> https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html
>  
> does not provide a lot of help.
> Is there some code snippet available somewhere I could use as an example ?
> Regards
>
> --
> FreeMail powered by mail.fr 
>
> --
> FreeMail powered by mail.fr 

if (webflow.containsFlowState(loginFlow, CasWebflowConstants.STATE_ID_GENERATE_SERVICE_TICKET)) {
    logger.debug("Webflow: Found state that modifies the generateServiceTicketAction");

    def state = webflow.getState(loginFlow, CasWebflowConstants.STATE_ID_GENERATE_SERVICE_TICKET, ActionState.class)
    logger.debug("Webflow: State id is {}", state.id);

    state.getExitActionList().add({ requestContext ->
        def flowScope = requestContext.flowScope
        def httpRequest = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        def 

[cas-user] Re: [CAS 6.6.8] Custom MFA triggers

2023-07-21 Thread John
This is slimmed down using the groovy script trigger, 
cas.authn.mfa.groovy-script.location, 
from here: 
https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Groovy.html
I left in the bits pertaining basically to your case: it gets the client's IP 
address and compares it against a CIDR list using Spring's IpAddressMatcher 
function. There is a little more in it; we also modified the groovy trigger 
to accept an array, and not just mfa-composite. If you want to see the 
change, it's a single file change, easy. Just need to get it better and 
submit a pull request.



On Friday, July 21, 2023 at 1:58:27 AM UTC-5 spfma...@e.mail.fr wrote:

> Hi,
> I would like to implement some conditional MFA scenarios (using a 
> different provider depending on the network is the first one), but reading 
> https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html
>  
> does not provide a lot of help.
> Is there some code snippet available somewhere I could use as an example ?
> Regards
>
> --
> FreeMail powered by mail.fr 



mfa_trigger.groovy
Description: Binary data
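An added example, not the mfa_trigger.groovy attached above nor the script quoted in the surrogate thread, of a trigger script for cas.authn.mfa.groovy-script.location that combines the two approaches discussed in these threads: the per-user mfa_mode attribute check from the surrogate thread and the client-IP CIDR comparison with Spring's IpAddressMatcher that John describes. The CIDR ranges, the trusted-proxy list, the mfa_mode attribute name and the mfa-simple provider id are assumptions for illustration; spring-security-web must be on the overlay classpath for IpAddressMatcher.

```groovy
import org.springframework.security.web.util.matcher.IpAddressMatcher

/*
 * Added example, not the script from the original post. CAS invokes
 * run(service, registeredService, authentication, httpRequest, logger) and
 * uses the returned provider id; returning null means "no MFA".
 */
class NetworkAwareMfaTrigger {

    // Constructed sample ranges: clients inside these networks skip MFA.
    static final List<IpAddressMatcher> INTERNAL_NETWORKS =
        ['10.0.0.0/8', '192.168.0.0/16'].collect { new IpAddressMatcher(it) }

    // Constructed sample range: only these reverse proxies may supply
    // X-Forwarded-For. Any other peer's header is ignored, otherwise a client
    // could present an internal address and dodge the external-MFA rule.
    static final List<IpAddressMatcher> TRUSTED_PROXIES =
        ['10.1.2.0/24'].collect { new IpAddressMatcher(it) }

    // Assumed provider id; the threads above use mfa-simple.
    static final String EXTERNAL_PROVIDER = 'mfa-simple'

    String run(final Object... args) {
        def authentication = args[2]
        def httpRequest = args[3]
        def logger = args[4]

        def principal = authentication.principal
        def clientIp = resolveClientIp(httpRequest)
        logger.debug("MFA trigger: principal [{}] connecting from [{}]",
            principal.id, clientIp)

        // Internal network: no MFA, regardless of the user's attributes.
        if (INTERNAL_NETWORKS.any { it.matches(clientIp) }) {
            logger.debug("Client [{}] is on an internal network; no MFA", clientIp)
            return null
        }

        // Assumed attribute 'mfa_mode'. CAS hands attributes over as lists,
        // so contains('Y') works on List<Object>; it also works should the
        // resolver deliver a plain String.
        def mfaMode = principal.attributes['mfa_mode']
        if (mfaMode == null || !mfaMode.contains('Y')) {
            logger.debug("Principal [{}] is not enrolled for MFA (mfa_mode={})",
                principal.id, mfaMode)
            return null
        }

        logger.debug("External client; triggering [{}]", EXTERNAL_PROVIDER)
        return EXTERNAL_PROVIDER
    }

    // Resolve the client address, believing X-Forwarded-For only when the TCP
    // peer is one of our own proxies; the first entry is the original client.
    static String resolveClientIp(httpRequest) {
        String peer = httpRequest.remoteAddr
        String forwarded = httpRequest.getHeader('X-Forwarded-For')
        if (forwarded && TRUSTED_PROXIES.any { it.matches(peer) }) {
            return forwarded.split(',')[0].trim()
        }
        return peer
    }
}
```

Point cas.authn.mfa.groovy-script.location at the file; with debug logging enabled for the script's logger the decision path shows up in cas.log, which is the first thing to check when a trigger seems to be ignored.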


Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-03-29 Thread John
What does your cas.log state for the error? Are you using a valid ssl 
certificate, and does the cas host name match what's in config? Also, in 
7.x/master you have to edit this,

https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437

with the below,

return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
    WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);

There are actually 2 bugs, maybe more. One is the PreAuthorize and the other 
is CSRF related to spring 6/spring boot 3, and possibly another bug. I fixed 
the csrf issue and am still working through the other as time permits.


On Wednesday, March 29, 2023 at 4:29:34 AM UTC-5 dussu...@gmail.com wrote:

> Thank you, you saved me lots of time; actually I needed those two:
> implementation "org.springframework.security:spring-security-config"
> implementation "org.springframework.security:spring-security-web"
>
> But I still have a JS issue (JSON.parse) when registering my device:
>
> "Registration failed SyntaxError: JSON.parse: unexpected non-digit at line 
> 1 column 2 of the JSON data" after the POST request on 
> https://cas-xx.xxx.fr/cas/webauthn/register.
> (Chrome says the same: Registration failed SyntaxError: No number after 
> minus sign in JSON at position 1.)
>
> The error is caught here : 
> # register https://cas-xx.xx.fr/cas/js/webauthn/webauthn.js:477.
> # (Asynchrone : promise callback) / register 
> https://cas-xx..fr/cas/js/webauthn/webauthn.js:475
> # 
> https://cas-xx.xx.fr/cas/login?service=https://node-cas-x.addomain.xxx.fr:9446/sample/=true:390
> .
>
> (The webapp is an instance of cas-sample-java-webapp running on port 9446.)
>
> About JSON.Parse :
> https://cas/login?service=https://x:9446/sample/=true at 
> lines 386 and 390 : register(username, displayName, credentialNickname, 
> csrfToken);
>
> In my browser debugger, data seems present, as I can see them parsed by 
> the function getRegisterRequest in webauthn.js line 327:
>
> arguments: Arguments
> 0: {…}
> authenticate: "webauthn/authenticate"
> register: "webauthn/register"
> : {…}
> 1: "frederic.dussurget"
> 2: "Frederic Dussurget"
> 3: "wonderful_borg"
> 4: false
> callee:
> length: 5
> Symbol(Symbol.iterator):values()
> : ()
> : ()
> : {…
> credentialNickname: "wonderful_borg"
> displayName: "Frederic Dussurget"
> requireResidentKey: false
> urls: {…}
> authenticate: "webauthn/authenticate"
> register: "webauthn/register"
> : {…}
> username: "frederic.dussurget"
>
> If you guys have any idea ...
> Regards,
> On Friday, March 24, 2023 at 04:57:51 UTC+1, John wrote:
>
>> Spring security and probably one or 2 of the webauthn, I don't remember at 
>> the moment without looking at local commit history but here is all from gradle,
>>
>>
>> /** Core **/
>> implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>> implementation "org.apereo.cas:cas-server-core-api-mfa"
>> implementation "org.apereo.cas:cas-server-core-events-configuration"
>> implementation "org.apereo.cas:cas-server-core-notifications"
>> implementation "org.apereo.cas:cas-server-core-authentication"
>> implementation "org.apereo.cas:cas-server-core-authentication-api"
>> implementation "org.apereo.cas:cas-server-core-authentication-mfa-api"
>> implementation "org.apereo.cas:cas-server-core-util"
>> implementation "org.apereo.cas:cas-server-core-web-api"
>> implementation "org.apereo.cas:cas-server-core-webflow"
>> implementation "org.apereo.cas:cas-server-core-webflow-api"
>> implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
>> implementation "org.apereo.cas:cas-server-webapp"
>> implementation "org.apereo.cas:cas-server-webapp-init"
>> implementation "org.apereo.cas:cas-server-webapp-config"
>>
>> /** Rest Plugins **/
>> implementation "org.apereo.cas:cas-server-support-configuration-cloud-rest"
>> implementation "org.apereo.cas:cas-server-support-rest-authentication"
>>
>> /** LDAP Support **/
>> implementation "org.apereo.cas:cas-server-support-ldap"
>> implementation "org.apereo.cas:cas-server-support-pm-ldap"

Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-03-23 Thread John
Spring security and probably one or 2 of the webauthn, I don't remember at 
the moment without looking at local commit history but here is all from gradle,


/** Core **/
implementation "org.apereo.cas:cas-server-core-api-configuration-model"
implementation "org.apereo.cas:cas-server-core-api-mfa"
implementation "org.apereo.cas:cas-server-core-events-configuration"
implementation "org.apereo.cas:cas-server-core-notifications"
implementation "org.apereo.cas:cas-server-core-authentication"
implementation "org.apereo.cas:cas-server-core-authentication-api"
implementation "org.apereo.cas:cas-server-core-authentication-mfa-api"
implementation "org.apereo.cas:cas-server-core-util"
implementation "org.apereo.cas:cas-server-core-web-api"
implementation "org.apereo.cas:cas-server-core-webflow"
implementation "org.apereo.cas:cas-server-core-webflow-api"
implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
implementation "org.apereo.cas:cas-server-webapp"
implementation "org.apereo.cas:cas-server-webapp-init"
implementation "org.apereo.cas:cas-server-webapp-config"

/** Rest Plugins **/
implementation "org.apereo.cas:cas-server-support-configuration-cloud-rest"
implementation "org.apereo.cas:cas-server-support-rest-authentication"

/** LDAP Support **/
implementation "org.apereo.cas:cas-server-support-ldap"
implementation "org.apereo.cas:cas-server-support-pm-ldap"
implementation "org.apereo.cas:cas-server-support-pm-rest"

/** Database Support **/
implementation "org.apereo.cas:cas-server-support-jdbc"
implementation "org.apereo.cas:cas-server-support-jpa-util"
implementation "mysql:mysql-connector-java:${project.mysqlVerison}"
implementation "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}"

/** Interrupt Support **/
implementation "org.apereo.cas:cas-server-support-interrupt-webflow"

/** Multifactor Auth **/
implementation "org.apereo.cas:cas-server-support-gauth"
implementation "org.apereo.cas:cas-server-support-gauth-ldap"
implementation "org.apereo.cas:cas-server-support-webauthn"
implementation "org.apereo.cas:cas-server-support-webauthn-ldap"
implementation "org.apereo.cas:cas-server-support-webauthn-core"
implementation "org.apereo.cas:cas-server-support-webauthn-core-webflow"
implementation "org.apereo.cas:cas-server-support-simple-mfa"
implementation "org.apereo.cas:cas-server-support-trusted-mfa"

/** Protocols **/
implementation "org.apereo.cas:cas-server-support-ws-idp"
implementation "org.apereo.cas:cas-server-support-saml-idp"
implementation "org.apereo.cas:cas-server-support-saml-sp-integrations"


/** Services **/
/** implementation "org.apereo.cas:cas-server-support-json-service-registry" **/
implementation "org.apereo.cas:cas-server-support-rest-service-registry"

implementation "org.springframework.security:spring-security-config:5.7.3"
implementation "commons-net:commons-net:${project.apacheNetCom}"

On Thursday, March 23, 2023 at 2:51:11 PM UTC-5 dussu...@gmail.com wrote:

> Hi, I've got quite the same issue: it works perfectly with CAS 6.5.9 but 
> not on 6.6 nor on the master branch 7.x. 
> On 6.6, after basic auth, a popup asks for the Yubikey pin and then, when 
> I press the register button, the flow breaks at POST 
> https://xxx.xx/cas/webauthn/register/finish. (FF: err 400 
> strict-origin-when-cross-origin)
>
> (The service app I use for my tests is the same one I went through every CAS 
> version with)
>
> The webAuthnDevices.access endpoint is AUTHENTICATED in my cas.yml just as you 
> did
>
> here is my build.gradle webauthn section :
>// MFA FIDO2 WEBAUTHN
> implementation 
> "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}" 
> (this one in order to comment out  @PreAuthorize("isAuthenticated()") as 
> you did in  
> src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java )
>
> //MFA TRUSTED DEVICE
> implementation 
> "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"
>
> (

Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-03-15 Thread John
Circling back to this, it also fails on 7.x current and master. Same issue, 
I believe I have found the source which is related to the csrf token. It 
works by excluding the /register from csrf to the ignored endpoints on 

https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437

with the below,

return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
    WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);





On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:

> Since we don't use any of the actuators, all disabled except for whatever 
> cas sets as default, I am leaving my change by commenting out 
> @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just 
> going along finishing upgrade testing for us and will circle back to this 
> later before we upgrade prod.
>
> However, I do see some changes made below. I haven't had time to test if 
> it will resolve this issue yet; maybe it will be part of the next 7.x RC but 
> for now it's only in master. If I get some time I will switch to master and 
> give it a go.
>
>
> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>
>
> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 micha...@gmail.com wrote:
>
>> Yes, I have the same registration issue.
>>
>> I thought I had caused this error by meddling with the spring security 
>> settings, but it looks like it is not the case.
>>
>> However, after setting up spring security for the webAuthnDevices 
>> actuator like this
>>
>> spring.security.user.name=XXX
>> spring.security.user.password=YYY
>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>>
>> then registration starts to work, but requires HTTP basic authentication.
>>
>>
>> This is the spring security filter chain for the /webauthn/register endpoint 
>> without any additional configuration:
>>
>> Security filter chain: [
>>   ChannelProcessingFilter
>>   WebAsyncManagerIntegrationFilter
>>   CorsFilter
>>   CsrfFilter
>>   SecurityContextHolderAwareRequestFilter
>>   AnonymousAuthenticationFilter
>>   ExceptionTranslationFilter
>>   AuthorizationFilter
>> ]
>>
>> And the chain with the spring security settings as above:
>>
>> Security filter chain: [
>>   ChannelProcessingFilter
>>   WebAsyncManagerIntegrationFilter
>>   CorsFilter
>>   CsrfFilter
>>   BasicAuthenticationFilter
>>   SecurityContextHolderAwareRequestFilter
>>   AnonymousAuthenticationFilter
>>   ExceptionTranslationFilter
>>   AuthorizationFilter
>> ]
>>
>>
>> I would say that
>>
>>   1) setting the actuator access really influences the processing for 
>> registration endpoint (and it should not), 
>>
>>   2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps 
>> it does not satisfy the  @PreAuthorize("isAuthenticated()") requirement
>>
>> I wonder how the registration endpoint should be authenticated; I guess 
>> it can not be left unprotected but I fail to see how to set it up.
>>
>> Regards,
>>
>> Michal V.
>>
>> On 1/31/23 16:14, John wrote:
>>
>> I have nothing configured or defined for endpoints or actuators besides 
>> what is default set by cas, we have never used those. I went back and 
>> configured according to 
>>
>> management.endpoint.webAuthnDevices.enabled=true
>> management.endpoints.web.exposure.include=*
>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>>
>> even tried ANONYMOUS below, which makes all actuators work, I can even 
>> pull /cas/actuator/webAuthnDevices/username anonymously and get devices 
>> for a user. I don't think the endpoint webAuthnDevices controls the end user 
>> registration page as it falls under /webauthn/register and NOT 
>> /cas/actuator/webAuthnDevices 
>>
>> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>>
>> Below is debug output,
>>
>> 2023-01-31 09:05:41,149 DEBUG 
>> [org.apereo.cas.web.FlowExecutionExceptionResolver] - > received exception 
>> [org.springframework.security.access.AccessDeniedException: Access is 
>> denied] d

[cas-user] Problem with encoding via CAS passwords that are located in my Oracle database

2023-03-03 Thread John Myrna
Hi CAS Community, 

Issue:
I'm currently facing a problem with encoding my passwords that are saved in 
an Oracle database and are encrypted with SHA-1

This is my .yml configuration:

cas:
  authn:
    accept:
      enabled: false
    jdbc:
      query[0]:
        driver-class: oracle.jdbc.driver.OracleDriver
        field-password: {myPassword}
        sql: {mySqlQuery}
        url: {myUrl}
        dialect: org.hibernate.dialect.Oracle12cDialect
        user: {myUserName}
        password: {myPassword}
        ddl-auto: none
        password-encoder:
          encoding-algorithm: DEFAULT
          type: SSHA

And with these settings, when trying to log in (localhost:8443/cas/)

I get information that: 
*[org.apereo.cas.authentication.DefaultAuthenticationManager] -  *

And it's not a problem with the connection to the database, because if I update 
my password with a plain, unencrypted password and change my .yml file to 
use:
*encoding-algorithm: NONE*
*type: NONE*

I can log in correctly

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1b44d8ec-fd42-493a-83cc-19f728ecf2b4n%40apereo.org.
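The Oracle message above pairs a column of plain SHA-1 digests with a password encoder of type SSHA. The following is an added example, not code from the thread or from the CAS project: it models the two formats generically (unsalted SHA-1 as a 40-character hex digest, and SSHA as the LDAP-style `{SSHA}` + base64(sha1(password || salt) || salt)) and shows that the same stored value verifies under one scheme and fails closed under the other. CAS's own encoder classes are not reproduced; the sample password is the overlay default `Mellon` mentioned later on this page, and the fixed salt used in the check is constructed for the demo.

```python
"""Plain SHA-1 digest vs SSHA (salted SHA-1): added example, not CAS project code.

Models the two formats generically: SHA-1 as an unsalted hex digest (what a
column written by an application that hashes "with SHA-1" typically holds) and
SSHA as the LDAP-style "{SSHA}" + base64(sha1(password + salt) + salt).
CAS's own encoder classes are not reproduced; the sample password is the
overlay default "Mellon" and any fixed salt passed in is constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_DIGEST_LEN = 20


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password as 40 lowercase hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_hex_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against an unsalted SHA-1 hex digest."""
    return hmac.compare_digest(sha1_hex(password), stored.strip().lower())


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """LDAP-style SSHA: '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # per-password random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against an SSHA value; anything that is not SSHA fails closed."""
    if not stored.startswith("{SSHA}"):
        return False  # a bare hex SHA-1 digest lands here
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_DIGEST_LEN:
        return False  # no salt bytes after the digest: malformed
    digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def verify(password: str, stored: str, scheme: str) -> bool:
    """Dispatch on the configured scheme, mirroring an encoder 'type' setting."""
    if scheme == "SHA-1":
        return sha1_hex_verify(password, stored)
    if scheme == "SSHA":
        return ssha_verify(password, stored)
    raise ValueError(f"unknown scheme {scheme!r}")


def demo() -> dict:
    """Verify one SHA-1 column value under both schemes; returns the outcomes."""
    column_value = sha1_hex("Mellon")  # what a SHA-1 hashed column holds
    return {
        "sha1_scheme": verify("Mellon", column_value, "SHA-1"),            # True
        "ssha_scheme": verify("Mellon", column_value, "SSHA"),             # False: wrong format
        "ssha_roundtrip": verify("Mellon", ssha_encode("Mellon"), "SSHA"),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The practical point is that the stored format and the configured encoder have to agree: a verifier for a salted scheme cannot succeed on an unsalted digest, and a sound verifier refuses rather than guesses, so a mismatch surfaces as a flat authentication failure exactly like the one in the message.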


[cas-user] Re: CAS Interrupt

2023-02-17 Thread John
Yes, full groovy below, and all we have set in config,

cas.interrupt.core.trigger-mode=AFTER_SSO
cas.interrupt.groovy.location=file:/etc/cas/scripts/interrupt.groovy


import org.apereo.cas.interrupt.InterruptResponse

def run(final Object... args) {
    def principal = args[0]
    def attributes = args[1]
    def service = args[2]
    def registeredService = args[3]
    def requestContext = args[4]
    def logger = args[5]

    // master switch; the posted script used this flag without defining it
    def interrupt_enabled = true

    def message = "Test message"
    def redirect_to = [link1: ""]
    def block = false
    def sso_enabled = true
    def interrupt_flow = false

    if (interrupt_enabled) {
        if (registeredService) {
            // numeric id of the registered service, 0 when absent
            def svc_id = 0
            if (registeredService.hasProperty('id')) {
                svc_id = registeredService.id.intValue()
            }
            def svc_list = [106, 108]
            def url1 = "https://url.."
            def url2 = "https://url.."
            def url3 = "https://url.."

            if (principal.attributes.containsKey('eduPersonAffiliation')) {
                // joined string: matches profile_list only when the attribute is single-valued
                def edu_affiliation = principal.attributes.eduPersonAffiliation.join(", ")
                def profile_list = ["faculty", "staff", "student"]
                if (profile_list.contains(edu_affiliation)) {
                    if (svc_list.contains(svc_id)) {
                        interrupt_flow = true
                        if (svc_id == 106) {
                            redirect_to = [link1: url1]
                        }
                        if (svc_id == 108) {
                            redirect_to = [link1: url2]
                        }
                    }
                }
            }
        }
    }
    return new InterruptResponse(message: message, links: redirect_to,
        block: block, ssoEnabled: sso_enabled, interrupt: interrupt_flow,
        autoRedirect: true)
}

On Friday, February 17, 2023 at 7:19:09 AM UTC-6 Josh wrote:

> Thanks for the reply John.
>
> Are you using "def run(final Object... args) { }" as your function 
> definition?
>
> Like the original poster, I have reverted back to using the out of the box 
> example in the documentation for interrupts, however it's just not finding 
> it according to the DEBUG logs. 
>
> On Thursday, February 16, 2023 at 10:17:04 PM UTC-5 John wrote:
>
>> Works fine for us on 6.6.4, using something below
>>
>> // excerpt: interrupt_enabled and the run() wrapper are defined earlier in the script
>> message = "Test message"
>> redirect_to = [link1: ""]
>> block = false
>> sso_enabled = true
>> interrupt_flow = false
>>
>> if (interrupt_enabled) {
>>     if (registeredService) {
>>         svc_id = 0
>>         if (registeredService.hasProperty('id')) {
>>             svc_id = registeredService.id.intValue()
>>         }
>>         svc_list = [106, 108]
>>         url1 = "https://url.."
>>         url2 = "https://url.."
>>         url3 = "https://url.."
>>
>>         if (principal.attributes.containsKey('eduPersonAffiliation')) {
>>             // joined string: matches profile_list only when the attribute is single-valued
>>             edu_affiliation = principal.attributes.eduPersonAffiliation.join(", ")
>>             profile_list = ["faculty", "staff", "student"]
>>             if (profile_list.contains(edu_affiliation)) {
>>                 if (svc_list.contains(svc_id)) {
>>                     interrupt_flow = true
>>                     if (svc_id == 106) {
>>                         redirect_to = [link1: url1]
>>                     }
>>                     if (svc_id == 108) {
>>                         redirect_to = [link1: url2]
>>                     }
>>                 }
>>             }
>>         }
>>     }
>> }
>> return new InterruptResponse(message: message, links: redirect_to,
>>     block: block, ssoEnabled: sso_enabled, interrupt: interrupt_flow,
>>     autoRedirect: true)
>>
>> On Thursday, February 16, 2023 at 2:36:31 PM UTC-6 Josh wrote:
>>
>>> We're seeing the same thing on our end moving from 6.4.x to 6.6.x
>>>
>>> 2023-02-16 18:52:47,362 DEBUG 
>>> [org.apereo.cas.interrupt.webflow.actions.InquireInterruptAction] - 
>>> 
>>> 2023-02-16 18:52:47,362 DEBUG 
>>> [org.apereo.cas.interrupt.BaseInterruptInquirer] - >> allow interrupt notifications>
>>> 2023-02-16 18:52:47,362 DEBUG 
>>> [org.apereo.cas.interrupt.webflow.actions.InquireInterruptAction] - 
>>> 
>>>
>>> Is anyone else experiencing this issue and h

[cas-user] Re: CAS Interrupt

2023-02-16 Thread John
Works fine for us on 6.6.4, using something below

// excerpt: interrupt_enabled and the run() wrapper are defined earlier in the script
message = "Test message"
redirect_to = [link1: ""]
block = false
sso_enabled = true
interrupt_flow = false

if (interrupt_enabled) {
    if (registeredService) {
        svc_id = 0
        if (registeredService.hasProperty('id')) {
            svc_id = registeredService.id.intValue()
        }
        svc_list = [106, 108]
        url1 = "https://url.."
        url2 = "https://url.."
        url3 = "https://url.."

        if (principal.attributes.containsKey('eduPersonAffiliation')) {
            // joined string: matches profile_list only when the attribute is single-valued
            edu_affiliation = principal.attributes.eduPersonAffiliation.join(", ")
            profile_list = ["faculty", "staff", "student"]
            if (profile_list.contains(edu_affiliation)) {
                if (svc_list.contains(svc_id)) {
                    interrupt_flow = true
                    if (svc_id == 106) {
                        redirect_to = [link1: url1]
                    }
                    if (svc_id == 108) {
                        redirect_to = [link1: url2]
                    }
                }
            }
        }
    }
}
return new InterruptResponse(message: message, links: redirect_to,
    block: block, ssoEnabled: sso_enabled, interrupt: interrupt_flow,
    autoRedirect: true)

On Thursday, February 16, 2023 at 2:36:31 PM UTC-6 Josh wrote:

> We're seeing the same thing on our end moving from 6.4.x to 6.6.x
>
> 2023-02-16 18:52:47,362 DEBUG 
> [org.apereo.cas.interrupt.webflow.actions.InquireInterruptAction] - 
> 
> 2023-02-16 18:52:47,362 DEBUG 
> [org.apereo.cas.interrupt.BaseInterruptInquirer] -  allow interrupt notifications>
> 2023-02-16 18:52:47,362 DEBUG 
> [org.apereo.cas.interrupt.webflow.actions.InquireInterruptAction] - 
> 
>
> Is anyone else experiencing this issue and have a fix?
>
> On Saturday, May 14, 2022 at 8:00:01 PM UTC-4 mago...@hacc.edu wrote:
>
>> Built CAS 6.5.3 with:
>> support-interrupt-webflow
>>
>> Added this line to the config:
>> cas.interrupt.groovy.location=/etc/cas/scripts/INTERRUPT.groovy
>>
>> It does not appear to be calling the groovy script at all. I even added 
>> an intentional coding error expecting to break CAS, and nothing. Any ideas?
>>
>> LOG:
>> 2022-05-14 19:53:37,426 DEBUG 
>> [org.apereo.cas.interrupt.webflow.actions.InquireInterruptAction] - 
>> 
>> 2022-05-14 19:53:37,429 DEBUG 
>> [org.apereo.cas.interrupt.webflow.actions.InquireInterruptAction] - 
>> 
>>
>>
>> SCRIPT:
>>
>> import org.apereo.cas.interrupt.InterruptResponse
>>
>> def run(final Object... args) {
>>     def principal = args[0]
>>     def attributes = args[1]
>>     def service = args[2]
>>     def registeredService = args[3]
>>     def requestContext = args[4]
>>     def logger = args[5]
>>
>>     logger.info("**principal - Attributes:")
>>     principal.properties.each { logger.info("KEY: $it.key -> VALUE: $it.value") }
>>
>>     logger.info("**attributes - Attributes:")
>>     attributes.properties.each { logger.info("KEY: $it.key -> VALUE: $it.value") }
>>
>>     logger.info("**service - Attributes:")
>>     service.properties.each { logger.info("KEY: $it.key -> VALUE: $it.value") }
>>
>>     logger.info("**registeredService - Attributes:")
>>     registeredService.properties.each { logger.info("KEY: $it.key -> VALUE: $it.value") }
>>
>>     logger.info("**requestContext - Attributes:")
>>     requestContext.properties.each { logger.info("KEY: $it.key -> VALUE: $it.value") }
>>
>>     def block = false
>>     def ssoEnabled = false
>>
>>     return new InterruptResponse("Message", [link1: "google.com", link2: "yahoo.com"], block, ssoEnabled)
>>
>>     /*return new InterruptResponse(message: message, redirectTo: redirectTo, block: block,
>>       ssoEnabled: ssoEnabled, autoRedirect: true, autoRedirectAfterSeconds: 1)*/
>> }
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ecfd2d9-a27c-4d88-8562-fa630c0af498n%40apereo.org.


Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-02-06 Thread John
Since we don't use any of the actuators, all disabled except for whatever 
cas sets as default, I am leaving my change by commenting out 
@PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just 
going along finishing upgrade testing for us and will circle back to this 
later before we upgrade prod.

However, I do see some changes made below; I haven't had time to test whether 
they will resolve this issue yet. Maybe it will be part of the next 7.x RC, but for 
now it's only in master. If I get some time I will switch to master and give 
it a go.

https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java


On Friday, February 3, 2023 at 7:11:44 AM UTC-6 micha...@gmail.com wrote:

> Yes, I have the same registration issue.
>
> I thought I have caused this error by meddling with the spring security 
> settings, but it looks like it is not the case.
>
> However, after setting up spring security for the webAuthnDevices actuator 
> like this
>
> spring.security.user.name=XXX
>
> spring.security.user.password=YYY
>
> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>
>
> then registration starts to work, but requires HTTP basic authentication.
>
>
> This is spring security filter chain for /webauthn/register endpoint 
> without any additional configuration:
>
> Security filter chain: [
>
>   ChannelProcessingFilter
>
>   WebAsyncManagerIntegrationFilter
>
>   CorsFilter
>
>   CsrfFilter
>
>   SecurityContextHolderAwareRequestFilter
>
>   AnonymousAuthenticationFilter
>
>   ExceptionTranslationFilter
>
>   AuthorizationFilter
>
> ]
>
> And the chain with the spring security settings as above:
>
> Security filter chain: [
>
>   ChannelProcessingFilter
>
>   WebAsyncManagerIntegrationFilter
>
>   CorsFilter
>
>   CsrfFilter
>
>   BasicAuthenticationFilter
>
>   SecurityContextHolderAwareRequestFilter
>
>   AnonymousAuthenticationFilter
>
>   ExceptionTranslationFilter
>
>   AuthorizationFilter
>
> ]
>
>
> I would say that
>
>   1) setting the actuator access really influences the processing for 
> registration endpoint (and it should not), 
>
>   2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps 
> it does not satisfy the  @PreAuthorize("isAuthenticated()") requirement
>
> I wonder how the registration endpoint should be authenticated; I guess it 
> can not be left unprotected but I fail to see how to set it up.
>
> Regards,
>
> Michal V.
>
> On 1/31/23 16:14, John wrote:
>
> I have nothing configured or defined for endpoints or actuators besides 
> what is default set by cas, we have never used those. I went back and 
> configured according to 
>
> management.endpoint.webAuthnDevices.enabled=true
> management.endpoints.web.exposure.include=*
> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>
> even tried ANONYMOUS below, which makes all actuators work, I can even 
> pull /cas/actuator/webAuthnDevices/username anonymously and get devices 
> for a user. I don't think the endpoint webAuthnDevices controls the end user 
> registration page as it falls under /webauthn/register and NOT 
> /cas/actuator/webAuthnDevices 
>
> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>
> Below is debug output,
>
> 2023-01-31 09:05:41,149 DEBUG 
> [org.apereo.cas.web.FlowExecutionExceptionResolver] -  received exception 
> [org.springframework.security.access.AccessDeniedException: Access is 
> denied] due to a type mismatch with handler 
> [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, 
> String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
>
> And browser POST response to /webauthn/register , base64 decoded is
>
> --- !
> timestamp: "2023-01-31T15:05:41.161+00:00"
> status: 403
> error: "Forbidden"
> path: "/cas/webauthn/register"
>
>
> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 micha...@gmail.com wrote:
>
>> Hi, 
>>   have you, by any chance, configured spring security for the webauthn 
>> endpoint? 
>>
>> Best regards,
>>
>> Michal Vocu
>>
>> On 1/26/23 19:03, John wrote:
>>
>> When trying to register a new device, the POST request to 
>> /webauthn/register is failing from spring security, access denied, http 403.
>>
>> Commenting out the below within 
>> (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
>>  
>> got it working again, 
>>
>> @PreAuthorize

Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-02-03 Thread John
I have nothing configured or defined for endpoints or actuators besides 
what is default set by cas, we have never used those. I went back and 
configured according to 

management.endpoint.webAuthnDevices.enabled=true
management.endpoints.web.exposure.include=*
cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT

even tried ANONYMOUS below, which makes all actuators work, I can even pull 
/cas/actuator/webAuthnDevices/username anonymously and get devices for a 
user. I don't think the endpoint webAuthnDevices controls the end user 
registration page as it falls under /webauthn/register and NOT 
/cas/actuator/webAuthnDevices 

cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS

Below is debug output,

2023-01-31 09:05:41,149 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - 

And browser POST response to /webauthn/register , base64 decoded is

--- !
timestamp: "2023-01-31T15:05:41.161+00:00"
status: 403
error: "Forbidden"
path: "/cas/webauthn/register"

On Monday, January 30, 2023 at 11:16:42 PM UTC-6 micha...@gmail.com wrote:

> Hi, 
>   have you, by any chance, configured spring security for the webauthn 
> endpoint? 
>
> Best regards,
>
> Michal Vocu
>
> On 1/26/23 19:03, John wrote:
>
> When trying to register a new device, the POST request to 
> /webauthn/register is failing from spring security, access denied, http 403.
>
> Commenting out the below within 
> (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
>  
> got it working again, 
>
> @PreAuthorize("isAuthenticated()")
>
> Looks like it was added in 6.4.x release, is anyone else not having a 
> registration issue?
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c3df6fd1-38d1-42cf-a8bc-8f9e8848e2f7n%40apereo.org.


[cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-01-26 Thread John
When trying to register a new device, the POST request to 
/webauthn/register is failing from spring security, access denied, http 403.

Commenting out the below within 
(support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
 
got it working again, 

@PreAuthorize("isAuthenticated()")

Looks like it was added in 6.4.x release, is anyone else not having a 
registration issue?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org.


[cas-user] Re: Add second MFA provider CAS 6.5

2022-07-14 Thread John
This was also fixed recently but not released in a 6.5.x build; the fix is in 
6.6.0-RC4 at the earliest, from what I can tell,

https://github.com/apereo/cas/commit/c7d1bf17af0e06930363730aeffbdb7cb3241f2f


On Wednesday, July 13, 2022 at 11:49:25 AM UTC-5 tha...@apu.edu wrote:

> We recently upgraded our CAS instance to 6.5 as well as began enforcing 
> MFA for all our staff and faculty.  Overall things have been going well but 
> we've had a few people ask about alternative MFA options.  As of right now 
> we use mfa-gauth.
>
> My goal would be to make it so that users could enroll into mfa in and 
> "and/or" kind of scenario.  They could activate mfa-gauth or mfa-u2f 
> depending on their preference.  Or they decide to enroll in both they would 
> then be prompted with a selection page at login to choose the mfa method 
> they plan to use for that given session.  Either way Staff and Faculty will 
> be required to enroll in at least one.
>
> For context on the current setup.  Right now we use mfa-gauth which is 
> triggered with the use of the "cas.authn.mfa.groovy-script.location" 
> setting.  Our groovy script connects to a back end redis database and 
> attempts to find the user in the database.  If the user has mfatype: 
> mfa-gauth set as a key/value in the database then mfa is triggered for that 
> user.  For Faculty and Staff a cronjob runs to add users to that database 
> from a group in AD which enforces mfa for those groups.  For students we 
> have a custom opt-in page where they can just click an "activate" button 
> and they are then added to the database.
>
> In my dev environment I've got u2f dependencies and settings added and 
> successfully tested the u2f method by manually updating my record in the 
> corresponding dev redis db from mfatype: mfa-gauth to mfatype: mfa-u2f.  So 
> at this point I've determined that I can do either or but now I'm stuck on 
> how to go about supporting the ability to enroll in both...
>
> I enabled the "cas.authn.mfa.core.provider-selection-enabled=true" option 
> in my dev environment and so far the only way I've been able to trigger the 
> selection page is by commenting out my groovy script setting and adding 
> this instead 
> "cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth,mfa-u2f" so I 
> at least know I can test the selection page now but that setting isn't 
> going to work for production as it would force everyone into mfa and would 
> prompt everyone with a selection page even if they were enrolled in only 
> one option.  To try and simplify things a bit I took redis out of the 
> equation and tried to just hard code a return value in the script so that 
> it would just always trigger.  I can return a single provider no issue but 
> trying to add a list of providers in the return just causes the script to 
> be ignored and mfa is never prompted.
>
> Hopefully someone can give me some guidance here.  
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d5088ef7-a2d6-47bc-a1fc-0514b649b271n%40apereo.org.


[cas-user] Re: MFA configuration flow

2022-04-19 Thread John
You can use multiple providers with selection now in the current release, with a 
principal attribute per service, 
https://github.com/apereo/cas/commit/90e770fb9d04877c58f569b4dab28e97422d62ef; 
I reported it with a pull request not too long ago and someone else also 
added a fix for REST, I am assuming others will come along soon enough. 
This now works in current 6.5.x as it was backported, 
https://github.com/apereo/cas/commit/ab0e3d547417c97373200463b42c777abc2a61c5.

Some of the MFA providers have the option 
cas.authn.mfa.provider_name.multiple-device-registration-enabled, which can be set 
to true or false to allow or disallow multiple registrations; you could look into that 
for the providers you are using.

On Friday, April 15, 2022 at 4:52:04 AM UTC-5 Marcin Roman wrote:

> We have exactly the same problem.
> It would be great to have similar workflow to the google mfa.
>
> I experimented with webauthn and simple mfa. The problem is that the mfa 
> provider selection menu shows all providers without respecting the 
> providers's groovy bypass.
> Also you can only use provider selection menu with the global mfa trigger.
>
> On Friday, April 15, 2022 at 2:44:30 AM UTC+2 rcp...@gmail.com wrote:
>
>> Hi,
>> Are there any documents about the flow of control when using MFA?
>> We have configured CAS to optionally show MFA options when the user logs 
>> in, and this works, but there are a number of problems we would like to 
>> address, and are unsure how this should work in CAS.
>>
>> The flow we have at the moment is:
>> 1. User requests to enable MFA
>> 2. User is logged out and taken to the CAS login page
>> 3. User has to configure MFA
>> 4. User is now logged in.
>>
>> This is somewhat acceptable, but we would prefer to allow users to 
>> configure MFA when they are already logged in and not force them to login 
>> again. Is this possible?
>>
>> The main problem we have is that once MFA is configured, and the user 
>> logs is and is presented with the MFA check, they always have the option to 
>> configure another MFA device (we are using at the moment). This defeats the 
>> purpose of MFA, as if the user's password is compromised, the attacker can 
>> just configure another device. We are trying and failing to understand how 
>> this should be configured.
>>
>> I would be grateful for any pointers.
>> Thanks in advance.
>> Rob
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6addeb9d-7a16-4f7b-8a4a-a49bf7265754n%40apereo.org.


[cas-user] Re: problems with getting ldap support in cas 6.5.2

2022-04-16 Thread John
Java doesn't use or recognize a system's root store AFAIK, at least on 
Linux; Windows can use, or used to be able to use, 
-Djavax.net.ssl.trustStoreType=Windows-ROOT, not sure if that even 
works still. Java uses its own cacerts file in /lib/security/, so you need 
to put the certs CAS will need into a Java keystore file. Here is the AD 
config we use; the keystore is of type JKS and is stored in the file 
/etc/cas/keys/carootcerts

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].baseDn=DC=Example,DC=Com
cas.authn.ldap[0].bindCredential=password
cas.authn.ldap[0].bindDn=bindu...@example.com
cas.authn.ldap[0].blockWaitTime=5000
cas.authn.ldap[0].collectDnAttribute=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].dnFormat=CN=%s,DC=EXAMPLE,DC=COM
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].followReferrals=false
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].keystore=file:/etc/cas/keys/carootcerts
cas.authn.ldap[0].keystorePassword=changeit
cas.authn.ldap[0].keystoreType=JKS
cas.authn.ldap[0].useStartTls=true
cas.authn.ldap[0].ldapUrl=ldaps://ldap1.example.com:636 
ldaps://ldap2.example.com:636
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].poolPassivator=BIND
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].principalAttributeList=sn,cn,displayName,givenName,eduPersonAffiliation,eduPersonPrincipalName,eduPersonEntitlement,employeeNumber,employeeType,memberOf,userPrincipalName,mail,otherMailbox,mobile
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].validatePeriodically=true

On Saturday, April 16, 2022 at 10:15:22 AM UTC-5 anders.c...@gmail.com wrote:

> Hi, 
>
> I have a basic cas installation (installed using overlay-template) running 
> in tomcat9 on a debian 11 machine.
> Each time I try to configure ldap support to look up users in Active 
> Directory, deployment of root.war in my tomcat fails.
>
> Active Directory is running with a self-signed certificate for ldaps support.
> The certificate is placed in both
> the certificate is added to trust with update-ca-certificates
>
> ldapsearch works fine with following settings:
> # TLS certificates (needed for GnuTLS)
> TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
> TLS_REQCERT always
>
> my cas.properties:
> ##
> # CAS ldap
> #
> cas.authn.ldap[0].type=DIRECT
> cas.authn.ldap[0].ldap-url=ldaps://my-AD.domain.com
> cas.authn.ldap[0].use-start-tls=true
> cas.authn.ldap[0].dn-format=sAMAccountName=%s,ou=ORG,dc=domain,dc=com
> cas.authn.ldap[0].base-dn=ou=ORG,dc=domain,dc=com
> cas.authn.ldap[0].search-filter=sAMAccountName={user}
> cas.authn.ldap[0].bind-dn=cn=ldaplookupuser,ou=ORG,dc=domain,dc=com
> cas.authn.ldap[0].bind-credential=superserectpassword
>
> cas.authn.ldap[0].principal-attribute-list=mail,sn,givenName,cn,name,sAMAccountName,memberOf
>
> (if I comment out all the ldap stuff in cas.properties, then I can log in 
> with "casuser/Mellon")
>
> dependencies in my build.gradle:
> dependencies {
>     /**
>      * Do NOT modify the lines below or else you will risk breaking
>      * dependency management.
>      */
>     implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
>     implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
>
>     /**
>      * CAS dependencies and modules may be listed here.
>      *
>      * There is no need to specify the version number for each dependency
>      * since versions are all resolved and controlled by the dependency management
>      * plugin via the CAS bom.
>      **/
>
>     implementation "org.apereo.cas:cas-server-support-ldap"
>     implementation "org.apereo.cas:cas-server-support-throttle"
>     implementation "org.apereo.cas:cas-server-support-json-service-registry"
>     implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>     implementation "org.apereo.cas:cas-server-webapp-init"
>
>     if (project.hasProperty("casModules")) {
>         def dependencies = project.getProperty("casModules").split(",")
>         dependencies.each {
>             def projectsToAdd = rootProject.subprojects.findAll { project ->
>                 project.name == "cas-server-core-${it}" || project.name == "cas-server-support-${it}"
>             }
>             projectsToAdd.each { implementation it }
>         }
>     }
> }
>
>
> Error:
> Caused by: 
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
> creating bean with name 'serviceValidateController' defined in class path 
> resource 
> [org/apereo/cas/web/config/CasValidationConfiguration$CasValidationControllerConfiguration.class]:
>  
> Unsatisfied dependency expressed through method 'serviceValidateController' 
> parameter 1; nested exception is 
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
> creating bean 

[cas-user] Re: CAS v6.4 problem with OIDC claim name mappings in the ID Token

2022-03-22 Thread John Wagenleitner
Hi Jae,

Yes, after the changes I checked both the IDToken and user profile
endpoint. What I noticed is that the IDToken only contains the mapped name
whereas the user profile endpoint contains both the original names and the
mapped names, both with values. But in our case that is ok.

Here is what the response from our user profile endpoint response looks
like, which is the same as when we had the `claims-map` entries:

```
{
  "cn": "John Doe",
  "email": "j...@example.edu",
  "family_name": "Doe",
  "given_name": "John",
  "mail": "j...@example.edu",
  "name": "John Doe",
  "sub": "jdoe",
  "service": "https://cas.example.edu/account/idplogin",
  "auth_time": 1647958411,
  "id": "jdoe",
  "client_id": "local-oidc-8...@example.edu"
}
```

John

On Tue, Mar 22, 2022 at 12:17 AM Jae Liu  wrote:

> Hi John,
>
> did you use the user profile endpoint?
> are the user profile values in the endpoint response array not string
>
> 在2022年3月19日星期六 UTC+8 02:19:51 写道:
>
>> Hi Jae,
>>
>> Thank you very much for your email. That is a good work-around/fix for
>> the issue. I removed the `scopes` key in the service definition file
>> completely and in the `cas.properties` removed all of the
>> `cas.authn.oidc.core.claims-map` entries.
>>
>> I used the following attribute release policy in my service definition to
>> do the mappings (had tried this before, but it doesn't work with the
>> `scopes` set):
>>
>> """
>>
>> "attributeReleasePolicy" : {
>>   "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>   "allowedAttributes": {
>> "@class": "java.util.TreeMap",
>>
>> "mail": "email",
>> "cn": "name",
>> "sn": "family_name",
>> "givenName": "given_name"
>>   }
>> }
>>
>> """
>>
>> With those changes (using CAS v6.5.0), now the correct names (email,
>> name, family_name, given_name) appear in both the IDToken and userinfo
>> endpoint.
>>
>> Thanks again,
>> John
>>
>> On Tue, Mar 15, 2022 at 12:03 AM Jae Liu  wrote:
>>
>>> Hi John,
>>>
>>> I removed the claims-map in config and following are my
>>> attributeReleasePolicy
>>>
>>>   attributeReleasePolicy:
>>>   {
>>>     @class: org.apereo.cas.services.ChainingAttributeReleasePolicy
>>>     policies:
>>>     [
>>>       java.util.ArrayList
>>>       [
>>>         {
>>>           @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>>>           principalAttributesRepository:
>>>           {
>>>             @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>>>             mergingStrategy: REPLACE
>>>             ignoreResolvedAttributes: false
>>>           }
>>>           order: 0
>>>           allowedAttributes:
>>>           [
>>>             java.util.ArrayList
>>>             [
>>>               mail
>>>               displayName
>>>               sAMAccountName
>>>               userPrincipalName
>>>             ]
>>>           ]
>>>         }
>>>         {
>>>           @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>>>           allowedAttributes:
>>>           {
>>>             @class: java.util.TreeMap
>>>             email: groovy { return attributes[ 'mail' ].get(0) }
>>>             email_verified: groovy { if(!attributes[ 'mail' ].isEmpty() && attributes[ 'mail' ].get(0).endsWith('@.com')){ return true } else { return false } }
>>>             name: groovy { return attributes[ 'displayName' ].get(0) }
>>>             nickname: groovy { return attributes[ 'sAMAccountName' ].get(0) }
>>>             preferred_username: groovy { return attributes[ 'userPrincipalName' ].get(0) }
>>>           }
>>>           principalAttributesRepository:
>>>           {
>>>             @class: org.apereo.cas.authenticat

[cas-user] Re: CAS v6.4 problem with OIDC claim name mappings in the ID Token

2022-03-18 Thread John Wagenleitner
Hi Jae,

Thank you very much for your email. That is a good work-around/fix for the
issue. I removed the `scopes` key in the service definition file completely
and in the `cas.properties` removed all of the
`cas.authn.oidc.core.claims-map` entries.

I used the following attribute release policy in my service definition to
do the mappings (had tried this before, but it doesn't work with the
`scopes` set):

"""

"attributeReleasePolicy" : {
  "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes": {
"@class": "java.util.TreeMap",
"mail": "email",
"cn": "name",
"sn": "family_name",
"givenName": "given_name"
  }
}

"""

With those changes (using CAS v6.5.0), now the correct names (email, name,
family_name, given_name) appear in both the IDToken and userinfo endpoint.

Thanks again,
John

On Tue, Mar 15, 2022 at 12:03 AM Jae Liu  wrote:

> Hi John,
>
> I removed the claims-map in config and following are my
> attributeReleasePolicy
>
>   attributeReleasePolicy:
>   {
>     @class: org.apereo.cas.services.ChainingAttributeReleasePolicy
>     policies:
>     [
>       java.util.ArrayList
>       [
>         {
>           @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>           principalAttributesRepository:
>           {
>             @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>             mergingStrategy: REPLACE
>             ignoreResolvedAttributes: false
>           }
>           order: 0
>           allowedAttributes:
>           [
>             java.util.ArrayList
>             [
>               mail
>               displayName
>               sAMAccountName
>               userPrincipalName
>             ]
>           ]
>         }
>         {
>           @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>           allowedAttributes:
>           {
>             @class: java.util.TreeMap
>             email: groovy { return attributes[ 'mail' ].get(0) }
>             email_verified: groovy { if(!attributes[ 'mail' ].isEmpty() && attributes[ 'mail' ].get(0).endsWith('@.com')){ return true } else { return false } }
>             name: groovy { return attributes[ 'displayName' ].get(0) }
>             nickname: groovy { return attributes[ 'sAMAccountName' ].get(0) }
>             preferred_username: groovy { return attributes[ 'userPrincipalName' ].get(0) }
>           }
>           principalAttributesRepository:
>           {
>             @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>             mergingStrategy: REPLACE
>             ignoreResolvedAttributes: false
>           }
>           order: 1
>         }
>       ]
>     ]
>     mergingPolicy: REPLACE
>     order: 0
>   }
>
> *also removed the scopes*
>
>   scopes:
>   [
> java.util.HashSet
> []
>   ]
>
>
> On Wednesday, March 9, 2022 at 23:47:15 UTC+8 wrote:
>
>> Hi Jae,
>>
>> Thanks for the reply, are you able to share any of your config?
>>
>> In my case both the IDToken and the userinfo endpoint contain claims such
>> as `mail` and `cn`. But the `claims-map` only seems to work for the
>> userinfo endpoint, which returns both claims `mail` and `email` and `cn`
>> and `name`, though I would have not expected it to include both the
>> original CAS attribute (from LDAP such as cn) and the mapped claim (such as
>> email), and I think in versions prior to v6.4 it returned only `email` as a
>> claim name for that particular value.
>>
>>> so the attributes in your claims-map do not have value, so the IDToken
>>> does have value.
>>
>>
>> In my claim-map I'm mapping `cn` to `name`. The IDToken we receive does
>> include `cn` as a claim. Based on my mapping settings, I would have
>> expected the claim name to be `name` and not `cn` both in the IDToken and
>> in the userinfo endpoint and this is how it worked prior to v6.4.
>>
>> John
>>
>> On Tue, Mar 8, 2022 at 5:55 PM Jae Liu  wrote:
>>
>>> I used CAS v6.4 it's ok for me.
>>>
>>> I think there is something wrong with your configuration. You defined the
>>> scopes (scopes=openid,profile,email), CAS will use these as attributes
>>> release policy, the scopes email will only release attributes email and
>>> email_verified, profi
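
The behaviour reported in this thread (mapped names in the ID token, both raw and mapped names from the userinfo endpoint) is easy to confirm from the relying-party side. The following is an added example, not code from this thread or from CAS: it verifies a constructed ID token, validates issuer, audience and expiry, and then reports, for the token and for a userinfo body shaped like the one posted, which of the mapped claim names are present and which raw LDAP attribute names leaked through. The HS256 key, issuer, client id and sample values are assumptions so that it runs offline; a real CAS ID token is RS256 and must be verified against the server's JWKS with a JOSE library.

```python
# Added example, not code from the cas-user thread or from CAS. It verifies an
# OIDC ID token and reports which claim names the relying party really receives:
# are the mapped names from the thread (email, name, family_name, given_name)
# present, and did the raw LDAP attribute names (mail, cn, sn, givenName) leak
# alongside them, in the ID token and in the userinfo document.
# Assumptions: the token is constructed here and signed with a made-up HS256
# key so it runs offline; a real CAS ID token is RS256 and must be verified
# against the server's JWKS with a JOSE library. Issuer, client id and the
# userinfo body are constructed to resemble the thread.
import base64
import hashlib
import hmac
import json
import time

# LDAP attribute -> OIDC claim name, as mapped in the thread.
ATTRIBUTE_TO_CLAIM = {"mail": "email", "cn": "name",
                      "sn": "family_name", "givenName": "given_name"}

# Constructed sample data (not from the thread).
SAMPLE_KEY = b"example-hs256-key-do-not-reuse"
SAMPLE_ISSUER = "https://cas.example.edu/cas/oidc"
SAMPLE_CLIENT_ID = "local-oidc-client"
SAMPLE_NOW = 1647958500
SAMPLE_ID_TOKEN_PAYLOAD = {
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "jdoe",
    "iat": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 3600, "auth_time": SAMPLE_NOW - 89,
    "email": "jdoe@example.edu", "name": "John Doe",
    "family_name": "Doe", "given_name": "John",
}
# Userinfo body shaped like the one posted: raw and mapped names side by side.
SAMPLE_USERINFO = json.dumps({
    "cn": "John Doe", "email": "jdoe@example.edu", "family_name": "Doe",
    "given_name": "John", "mail": "jdoe@example.edu", "name": "John Doe",
    "sub": "jdoe", "id": "jdoe", "client_id": SAMPLE_CLIENT_ID,
})


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(key: bytes, payload: dict) -> str:
    """Build the offline HS256 sample token (a real IdP signs with RS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim; reject other algorithms."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("ID token signature does not verify")
    return json.loads(b64url_decode(payload_b64))


def validate_id_token(claims: dict, issuer: str, audience: str, now=None) -> list:
    """Return the failing issuer/audience/expiry checks (empty list means OK)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    return problems


def check_claim_names(claims: dict) -> dict:
    """Which mapped names are missing, and which raw LDAP names leaked through."""
    keys = set(claims)
    return {
        "missing_mapped": sorted(set(ATTRIBUTE_TO_CLAIM.values()) - keys),
        "leaked_raw": sorted(set(ATTRIBUTE_TO_CLAIM) & keys),
    }


def check_userinfo(userinfo_json: str) -> dict:
    return check_claim_names(json.loads(userinfo_json))


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_KEY, SAMPLE_ID_TOKEN_PAYLOAD)
    claims = verify_hs256(token, SAMPLE_KEY)
    print("id_token problems:", validate_id_token(claims, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, SAMPLE_NOW))
    print("id_token names:", check_claim_names(claims))
    print("userinfo names:", check_userinfo(SAMPLE_USERINFO))
```

Run against the samples, the ID token passes with no missing mapped names and nothing leaked, while the userinfo body reports `leaked_raw: ['cn', 'mail']`, which is the duplication John describes. Raw directory attribute names reaching a relying party are worth flagging in a release-policy review: they expose internal schema names and hand the client data it did not request by scope.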

[cas-user] Re: Cas v6.4+ exception with mfa-webauthn

2022-03-15 Thread John
I got the same error too for web-authn, although we haven't deployed 
web-authn because I cannot seem to get multiple providers to work and let 
the user decide, at all, using any type of trigger.

On Sunday, March 13, 2022 at 11:36:15 PM UTC-5 Benjamin Somers wrote:

> Hi,
> I am configuring CAS for the webauthn MFA and as soon as a user tries to 
> do the registration, they receive an error. You can find below the 
> stacktrace corresponding to the error (the exception occurs as soon as the 
> user clicks on the webauthn button on the provider selection screen). I 
> have tried both v6.4 and v6.5. Am I missing something?
> Thanks in advance
> Ben
>
> mars 13 22:18:51 casimir cas.war[15255]: 
> =
> mars 13 22:18:51 casimir cas.war[15255]: WHO: audit:unknown
> mars 13 22:18:51 casimir cas.war[15255]: WHAT: {principal=XX, 
> execution=true, provider=mfa-webauthn}
> mars 13 22:18:51 casimir cas.war[15255]: ACTION: 
> MULTIFACTOR_AUTHENTICATION_BYPASS
> mars 13 22:18:51 casimir cas.war[15255]: APPLICATION: CAS
> mars 13 22:18:51 casimir cas.war[15255]: WHEN: Sun Mar 13 22:18:51 CET 2022
> mars 13 22:18:51 casimir cas.war[15255]: CLIENT IP ADDRESS: XX.XX.XX.XX
> mars 13 22:18:51 casimir cas.war[15255]: SERVER IP ADDRESS: YY.YY.YY.YY
> mars 13 22:18:51 casimir cas.war[15255]: 
> =
> mars 13 22:18:51 casimir cas.war[15255]: >
> mars 13 22:18:51 casimir cas.war[15255]: 2022-03-13 22:18:51,791 WARN 
> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
> 
> mars 13 22:18:51 casimir cas.war[15255]: java.io.NotSerializableException: 
> java.util.Optional
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1185) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:349) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.util.HashMap.internalWriteEntries(HashMap.java:1858) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.util.HashMap.writeObject(HashMap.java:1412) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> jdk.internal.reflect.GeneratedMethodAccessor149.invoke(Unknown Source) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:1145) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1497) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1433) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1179) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1553) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:442) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> org.springframework.webflow.core.collection.LocalAttributeMap.writeObject(LocalAttributeMap.java:333)
>  
> ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> jdk.internal.reflect.GeneratedMethodAccessor187.invoke(Unknown Source) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:1145) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1497) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1433) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1179) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:349) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> org.springframework.webflow.engine.impl.FlowSessionImpl.writeExternal(FlowSessionImpl.java:162)
>  
> ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
> 

[cas-user] Re: CAS v6.4 problem with OIDC claim name mappings in the ID Token

2022-03-10 Thread John Wagenleitner
Hi Rodolphe,

Thank you for sharing the information, this is really helpful. This
work-around may be something we look into implementing.

John

On Thu, Mar 10, 2022 at 12:46 AM Rodolphe Prin 
wrote:

> Hi,
> this is what I did to deal with that problem :
> in my case I was retrieving attributes from the authentication source
> (LDAP) with the following configuration
> ```
> cas.authn.ldap[0].principal-attribute-list=displayName,givenName,mail,sn
> cas.authn.ldap[0].additional-attributes=memberOf
> ```
> and then trying to map these attributes to standard OIDC claim names
> ```
> cas.authn.oidc.core.claims-map.name=displayName
> cas.authn.oidc.core.claims-map.given_name=givenName
> cas.authn.oidc.core.claims-map.email=mail
> cas.authn.oidc.core.claims-map.family_name=sn
> cas.authn.oidc.core.claims-map.groups=memberOf
> ```
> With this configuration I had wrong claim names in the token (for example
> givenName instead of name), as mentioned in this thread.
>
> I changed my configuration to resolve attributes with the attribute
> repository method, which allows mapping attributes directly from the
> attribute source.
> It seems though that this is not the recommended way when the
> authentication source is the same as the attribute source, as mentioned
> here (
> https://apereo.github.io/cas/6.4.x/integration/Attribute-Resolution.html#person-directory
> )
> So my new configuration is
> ```
> # cas.authn.ldap[0].principal-attribute-list=
> # cas.authn.ldap[0].additional-attributes=
> cas.person-directory.active-attribute-repository-ids=ldapRepository
> cas.authn.attribute-repository.ldap[0].order=0
> cas.authn.attribute-repository.ldap[0].ldap-url=x
> cas.authn.attribute-repository.ldap[0].base-dn=xxx
> cas.authn.attribute-repository.ldap[0].search-filter=xx
> cas.authn.attribute-repository.ldap[0].bind-dn=xxx
> cas.authn.attribute-repository.ldap[0].bind-credential=x
>
> cas.authn.attribute-repository.ldap[0].attributes.cn=name
> cas.authn.attribute-repository.ldap[0].attributes.givenName=given_name
> cas.authn.attribute-repository.ldap[0].attributes.mail=email
> cas.authn.attribute-repository.ldap[0].attributes.sn=family_name
> cas.authn.attribute-repository.ldap[0].attributes.memberOf=groups
> ```
> This way the "CAS" attributes are directly matching standard OIDC claim
> names, so no need to define OIDC attributes mappings, and I bypass the
> "seems to be a" bug.
>
> This impacts however every attribute release, not only OIDC services. So
> for every other service that needs the attributes I formerly mapped to be
> released, I was forced to map them at the service level so that they get
> their original "LDAP" name, for instance:
> ```
> "attributeReleasePolicy": {
>   "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>   "allowedAttributes" : {
>     "@class" : "java.util.TreeMap",
>     /* in : out */
>     "email" : "mail",
>     "name": "displayname"
>   }
> },
> ```
> I do not know if this can apply to your case, but I hope it helps...
>
> Rodolphe
>
> On Wednesday, March 9, 2022 at 16:47:15 UTC+1, John Wagenleitner wrote:
>
>> Hi Jae,
>>
>> Thanks for the reply, are you able to share any of your config?
>>
>> In my case both the IDToken and the userinfo endpoint contain claims such
>> as `mail` and `cn`. But the `claims-map` only seems to work for the
>> userinfo endpoint, which returns both claims `mail` and `email` and `cn`
>> and `name`, though I would have not expected it to include both the
>> original CAS attribute (from LDAP such as cn) and the mapped claim (such as
>> email), and I think in versions prior to v6.4 it returned only `email` as a
>> claim name for that particular value.
>>
>>> so the attributes in your claims-map do not have value, so the IDToken
>>> does have value.
>>
>>
>> In my claim-map I'm mapping `cn` to `name`. The IDToken we receive does
>> include `cn` as a claim. Based on my mapping settings, I would have
>> expected the claim name to be `name` and not `cn` both in the IDToken and
>> in the userinfo endpoint and this is how it worked prior to v6.4.
>>
>> John
>>
>> On Tue, Mar 8, 2022 at 5:55 PM Jae Liu  wrote:
>>
>>> I used CAS v6.4 it's ok for me.
>>>
>>> I think there is something wrong with your configuration. You defined the
>>> scopes (scopes=openid,profile,email), CAS will use these as attributes
>>> release policy, the scopes email will only release attributes email and
>>> email_verified, profile will release

[cas-user] Re: CAS v6.4 problem with OIDC claim name mappings in the ID Token

2022-03-09 Thread John Wagenleitner
Hi Jae,

Thanks for the reply, are you able to share any of your config?

In my case both the IDToken and the userinfo endpoint contain claims such
as `mail` and `cn`. But the `claims-map` only seems to work for the
userinfo endpoint, which returns both claims `mail` and `email` and `cn`
and `name`, though I would have not expected it to include both the
original CAS attribute (from LDAP such as cn) and the mapped claim (such as
email), and I think in versions prior to v6.4 it returned only `email` as a
claim name for that particular value.

> so the attributes in your claims-map do not have value, so the IDToken does
> have value.


In my claim-map I'm mapping `cn` to `name`. The IDToken we receive does
include `cn` as a claim. Based on my mapping settings, I would have
expected the claim name to be `name` and not `cn` both in the IDToken and
in the userinfo endpoint and this is how it worked prior to v6.4.

John

On Tue, Mar 8, 2022 at 5:55 PM Jae Liu  wrote:

> I used CAS v6.4 it's ok for me.
>
> I think there is something wrong with your configuration. You defined the
> scopes (scopes=openid,profile,email), CAS will use these as attributes
> release policy, the scopes email will only release attributes email and
> email_verified, profile will release name, given_name, family_name, so the
> attributes in your claims-map do not have value, so the IDToken does have
> value.
>
> On Tuesday, January 11, 2022 at 12:28:01 UTC+8 wrote:
>
>> In CAS v6.3 (up to and including v6.3.7.4) we used the
>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to
>> the standard claim names. This mapping worked for both the ID Token and the
>> UserInfo (`/profile`) endpoint.
>>
>> Here are the relevant properties we have set:
>>
>> ```
>> cas.authn.oidc.discovery.scopes=openid,profile,email
>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
>> cas.authn.oidc.core.claims-map.email=mail
>> cas.authn.oidc.core.claims-map.name=cn
>> cas.authn.oidc.core.claims-map.family_name=sn
>> cas.authn.oidc.core.claims-map.given_name=givenName
>> ```
>>
>> This mapping is no longer working in CAS v6.4 (and also tested in the
>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer
>> contain the mapped names but instead contain the LDAP attribute names such
>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the
>> mapped claim names.
>>
>> As a possible workaround, I tried using a service definition that
>> included an `attributeReleasePolicy` using the
>> `ReturnMappedAttributeReleasePolicy` class but that had no affect on the ID
>> Token claim names.
>>
>> I have reviewed all the OIDC settings and didn't spot anything that looks
>> like it would address this issue.
>>
>> Any help/advice would be appreciated,
>> John
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAON9TV2JXD8YxKVzwZbyRsehyxGM%3D1UjQwWvwdDuPi-YC-nLbQ%40mail.gmail.com.


[cas-user] MFA with Multiple Providers, Bugs in CAS?

2022-03-08 Thread John
I tried all different ways to get MFA triggers to work with CAS and let the 
user decide which one to use. Scenarios I tested:

Triggers:
Groovy Per Application - only works for a single provider

Principal Attribute - used a multi-valued attribute in LDAP, set to mfa-gauth 
and mfa-webauthn, but CAS will pick one and not let the user decide

REST - only works if it returns a single provider

Principal Attribute Per Application - only works if it returns a single 
provider

Since those triggers weren't working to let the user decide the provider, I 
decided to activate globally

cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth,mfa-web-authn

and then used bypass rules such as groovy for each provider using 

cas.authn.mfa.gauth.bypass.groovy.location
cas.authn.mfa.web-authn.bypass.groovy.location

boolean run(final Object... args) {
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    if (service.name == "myservicename") {
        logger.info("Evaluating principal attributes ${principal.attributes}")

        // Guard against principals that lack the attribute entirely
        // (calling .contains on a missing attribute would throw a NullPointerException)
        def affiliations = principal.attributes['eduPersonAffiliation']
        if (affiliations != null && affiliations.contains("staff")) {
            // true: MFA for this provider must proceed (bypass not allowed)
            logger.info("Bypass for principal ${principal.id} is not allowed")
            return true
        }
    }
    // false: bypass this provider
    return false
}

This works to allow selection if the script returns true, but if it returns 
false CAS just sits at the MFA selection screen blank because no providers 
should be used. I would assume this is a bug or mis-config because if no 
providers are found it should continue to log in to the application.

I don't really know what else to try or how to get multiple MFA providers 
to work based on attribute and value.

Any help with this would be appreciated

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0749e4ee-8a91-4082-9b04-fc14c48d7f33n%40apereo.org.


Re: [cas-user] CAS v6.4 problem with OIDC claim name mappings in the ID Token

2022-03-06 Thread John Wagenleitner
I haven't tried v6.4.6, but the same problem does still occur with v6.5.0.

On Sat, Mar 5, 2022, 11:22 PM Stef  wrote:

> Hi,
>
> Do you know if this problem has been solved in 6.4.6 ?
>
> Stéphane
>
> On Mon, Jan 31, 2022, 09:22, Rodolphe Prin wrote:
>
>> Hi,
>> I noticed the same behavior.
>> Version : 6.4.4.2
>>
>> `cas.authn.oidc.core.include-id-token-claims=true` allows getting the
>> claims in the token, but with the wrong names.
>>
>> Rodolphe
>>
>>
>> On Tuesday, January 11, 2022 at 20:01:46 UTC+1, John Wagenleitner wrote:
>>
>>> Hi Frédéric,
>>>
>>> Thanks for the reply. In our case the claims are being included in the
>>> ID Token, they just don't have the names we mapped and instead have the
>>> names as they come from our attribute store. We are using
>>> `response_type=code` and a `scope=openid`.
>>>
>>> I had not tried `cas.authn.oidc.core.include-id-token-claims=true` since
>>> the docs mentioned that is the default setting. I just tested again with it
>>> set to `true` and there is no change, the claims appear in the ID Token but
>>> not with the desired names. I also tried with it set to `false` and in that
>>> case the claims did not appear in the ID Token.
>>>
>>> John
>>>
>>> On Tue, Jan 11, 2022 at 12:57 AM Frédéric Lohier 
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> Have you tried to set cas.authn.oidc.core.include-id-token-claims=true?
>>>>
>>>> According to the OIDC spec, if you are using response_type=code, the
>>>> id_token should not contain the user claims. But, if you are using
>>>> response_type=id_token, then the id_token should include the user claims.
>>>> According to the CAS 6.4 doc, if you set
>>>> cas.authn.oidc.core.include-id-token-claims=true, it will force the
>>>> release of user claims in the id_token.
>>>> However, in my tests with CAS 6.4.4.2, even with
>>>> response_type=id_token, user claims are not included in the id_token (tried
>>>> to GET a URL like
>>>> https://mycasserver.com/cas/oidc/oidcAuthorize?response_type=id_token&client_id=myclient&scope=openid%20profile%20email&redirect_uri=https://serviceredirecturi).
>>>> Not a blocker for me for the moment, but if you find a fix, I'm interested.
>>>>
>>>> Here is the relevant documentation :
>>>> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication-Claims.html#configuration
>>>>
>>>>- cas.authn.oidc.core.include-id-token-claims=true
>>>>
>>>> As per OpenID Connect Core section 5.4, "The Claims requested by the
>>>> profile, email, address, and phone scope values are returned from the
>>>> userinfo endpoint", except for response_type=id_token, where they are
>>>> returned in the id_token (as there is no access token issued that could be
>>>> used to access the userinfo endpoint). The Claims requested by the profile,
>>>> email, address, and phone scope values are returned from the userinfo
>>>> endpoint when a response_type value is used that results in an access
>>>> token being issued. However, when no access token is issued (which is the
>>>> case for the response_type value id_token), the resulting Claims are
>>>> returned in the ID Token.
>>>>
>>>> Setting this flag to true will force CAS to include claims in the ID
>>>> token regardless of the response type. Note that this setting MUST ONLY be
>>>> used as a last resort, to stay compliant with the specification as much as
>>>> possible. DO NOT use this setting without due consideration.
>>>>
>>>> Note that this setting is set to true by default mainly provided to
>>>> preserve backward compatibility with previous CAS versions that included
>>>> claims into the ID token without considering the response type. The
>>>> behavior of this setting may change and it may be removed in future CAS
>>>> releases.
>>>>
>>>> On Tue, Jan 11, 2022 at 5:28 AM John Wagenleitner <
>>>> joh...@mail.fresnostate.edu> wrote:
>>>>
>>>>> In CAS v6.3 (up to and including v6.3.7.4) we used the
>>>>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to
>>>>> the standard claim names. This mapping worked for both the ID Token and 
>>>>> the
>>>>> UserInfo (`

[cas-user] Re: MFA Trigger "Principal Attribute Per Application" defined but doesn't trigger

2022-03-03 Thread John
This works fine when only one provider is defined, but when you have 
multiple like [ "mfa-gauth", "mfa-webauthn"] it doesn't trigger; changing 
to either [ "mfa-gauth"] or [ "mfa-webauthn"] triggers it. Are MFA 
triggers only allowed to return one provider? It works with multiple 
providers when no trigger is set, so is this a bug?

On Wednesday, March 2, 2022 at 11:17:24 AM UTC-6 John wrote:

> With debug on I can see it being skipped?? Of course I have attributes 
> defined and WANT it to trigger, and the attributes/values match and it still 
> says it's skipping
>
> DEBUG 
> [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
>  
> - 
> DEBUG 
> [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
>  
> - 
> DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - 
> 
> 
> 
> DEBUG 
> [org.apereo.cas.authentication.mfa.trigger.RegisteredServiceMultifactorAuthenticationTrigger]
>  
> -  defined principal attribute triggers. Skipping...>
>
> On Wednesday, March 2, 2022 at 9:19:51 AM UTC-6 John wrote:
>
>> I have added the "Principal Attribute Per Application" MFA setting, CAS 
>> 6.4.6, and MFA never triggers; if I remove the 
>> principalAttributeNameTrigger and principalAttributeValueToMatch it works 
>> just fine. I can see in the console and logs that the attribute values are 
>> retrieved from LDAP and it still doesn't trigger. See below, the attribute 
>> eduPersonAffiliation=staff but it doesn't trigger. Does anything else need to 
>> be set to get it working?
>>
>> console log:
>>
>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth,
>>  
>> mfa-webauthn], failureMode=UNDEFINED, 
>> principalAttributeNameTrigger=eduPersonAffiliation, 
>> principalAttributeValueToMatch=staff, bypassEnabled=false, 
>> forceExecution=true, bypassTrustedDeviceEnabled=false, 
>> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
>> script=null)
>>
>> audit log:
>>
>> "attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed 
>> name\"],\"eduPersonAffiliation\":[\"staff\"],
>>
>> service:
>>
>>   "multifactorPolicy":
>>   {
>> "@class": 
>> "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>> "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ 
>> "mfa-gauth", "mfa-webauthn"] ],
>> "principalAttributeNameTrigger" : "eduPersonAffiliation",
>> "principalAttributeValueToMatch" : "staff",
>>   },
>>   
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/91716223-5575-4cc5-b394-0525ef0f0e5dn%40apereo.org.


[cas-user] Re: MFA Trigger "Principal Attribute Per Application" defined but doesn't trigger

2022-03-02 Thread John
With debug on I can see it being skipped?? Of course I have attributes 
defined and WANT it to trigger, and the attributes/values match and it still 
says it's skipping

DEBUG 
[org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
 
- 
DEBUG 
[org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
 
- 
DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - 



DEBUG 
[org.apereo.cas.authentication.mfa.trigger.RegisteredServiceMultifactorAuthenticationTrigger]
 
- 

On Wednesday, March 2, 2022 at 9:19:51 AM UTC-6 John wrote:

> I have added the "Principal Attribute Per Application" MFA setting, CAS 
> 6.4.6, and MFA never triggers; if I remove the 
> principalAttributeNameTrigger and principalAttributeValueToMatch it works 
> just fine. I can see in the console and logs that the attribute values are 
> retrieved from LDAP and it still doesn't trigger. See below, the attribute 
> eduPersonAffiliation=staff but it doesn't trigger. Does anything else need to 
> be set to get it working?
>
> console log:
>
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth,
>  
> mfa-webauthn], failureMode=UNDEFINED, 
> principalAttributeNameTrigger=eduPersonAffiliation, 
> principalAttributeValueToMatch=staff, bypassEnabled=false, 
> forceExecution=true, bypassTrustedDeviceEnabled=false, 
> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
> script=null)
>
> audit log:
>
> "attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed 
> name\"],\"eduPersonAffiliation\":[\"staff\"],
>
> service:
>
>   "multifactorPolicy":
>   {
> "@class": 
> "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
> "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ 
> "mfa-gauth", "mfa-webauthn"] ],
> "principalAttributeNameTrigger" : "eduPersonAffiliation",
> "principalAttributeValueToMatch" : "staff",
>   },
>   
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d18130d-779a-4026-89da-00e7cadee55an%40apereo.org.


[cas-user] MFA Trigger "Principal Attribute Per Application" defined but doesn't trigger

2022-03-02 Thread John
I have added the "Principal Attribute Per Application" MFA setting, CAS 
6.4.6, and MFA never triggers; if I remove the 
principalAttributeNameTrigger and principalAttributeValueToMatch it works 
just fine. I can see in the console and logs that the attribute values are 
retrieved from LDAP and it still doesn't trigger. See below, the attribute 
eduPersonAffiliation=staff but it doesn't trigger. Does anything else need to 
be set to get it working?

console log:

multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth,
 
mfa-webauthn], failureMode=UNDEFINED, 
principalAttributeNameTrigger=eduPersonAffiliation, 
principalAttributeValueToMatch=staff, bypassEnabled=false, 
forceExecution=true, bypassTrustedDeviceEnabled=false, 
bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
script=null)

audit log:

"attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed 
name\"],\"eduPersonAffiliation\":[\"staff\"],

service:

  "multifactorPolicy":
  {
"@class": 
"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ 
"mfa-gauth", "mfa-webauthn"] ],
"principalAttributeNameTrigger" : "eduPersonAffiliation",
"principalAttributeValueToMatch" : "staff",
  },
  



[cas-user] Re: adding WebAuthn to latest 6.4.x, java.lang.NoClassDefFoundError: com/fasterxml/jackson/core/base/BinaryTSFactory

2022-03-01 Thread John
I meant to post an update last week; anyway, this seems to be stemming from 
maven. I switched to using gradle in intellij and it no longer occurs. I 
still haven't been able to figure out why maven is introducing Jackson 
BinaryTSFactory :/

On Wednesday, February 23, 2022 at 1:58:46 PM UTC-6 John wrote:

> Trying to add a 2nd MFA provider, WebAuthn; after I add the dependency and 
> configure all the settings, the build fails and tomcat doesn't start, see 
> below, failing on
>
> java.lang.NoClassDefFoundError: 
> com/fasterxml/jackson/core/base/BinaryTSFactory
>
> I checked, and jackson core doesn't have BinaryTSFactory in releases, only 
> the 3.0 snapshot, which when added gives me so many other cas errors. The 
> original error log is below,
>
> Caused by: 
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
> creating bean with name 'webAuthnController' defined in class path resource 
> [org/apereo/cas/webauthn/web/WebAuthnController.class]: Unsatisfied 
> dependency expressed through constructor parameter 0; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 'webAuthnServer' defined in class path resource 
> [org/apereo/cas/config/WebAuthnConfiguration.class]: Bean instantiation via 
> factory method failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [com.yubico.core.WebAuthnServer]: Factory method 'webAuthnServer' threw 
> exception; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 'webAuthnMetadataService' defined in class path resource 
> [org/apereo/cas/config/WebAuthnConfiguration.class]: Bean instantiation via 
> factory method failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [com.yubico.webauthn.attestation.MetadataService]: Factory method 
> 'webAuthnMetadataService' threw exception; nested exception is 
> java.lang.NoClassDefFoundError: 
> com/fasterxml/jackson/core/base/BinaryTSFactory

[cas-user] adding WebAuthn to latest 6.4.x, java.lang.NoClassDefFoundError: com/fasterxml/jackson/core/base/BinaryTSFactory

2022-02-23 Thread John
Trying to add a 2nd MFA provider, WebAuthn; after I add the dependency and 
configure all the settings, the build fails and tomcat doesn't start, see 
below, failing on

java.lang.NoClassDefFoundError: 
com/fasterxml/jackson/core/base/BinaryTSFactory

I checked, and jackson core doesn't have BinaryTSFactory in releases, only 
the 3.0 snapshot, which when added gives me so many other cas errors. The 
original error log is below,

Caused by: 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'webAuthnController' defined in class path resource 
[org/apereo/cas/webauthn/web/WebAuthnController.class]: Unsatisfied 
dependency expressed through constructor parameter 0; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'webAuthnServer' defined in class path resource 
[org/apereo/cas/config/WebAuthnConfiguration.class]: Bean instantiation via 
factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[com.yubico.core.WebAuthnServer]: Factory method 'webAuthnServer' threw 
exception; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'webAuthnMetadataService' defined in class path resource 
[org/apereo/cas/config/WebAuthnConfiguration.class]: Bean instantiation via 
factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[com.yubico.webauthn.attestation.MetadataService]: Factory method 
'webAuthnMetadataService' threw exception; nested exception is 
java.lang.NoClassDefFoundError: 
com/fasterxml/jackson/core/base/BinaryTSFactory

[cas-user] Re: CAS Spring Cloud Rest, Properties not functioning

2022-02-17 Thread John
I figured it out, these work just fine,

cas.spring.cloud.rest.basicAuthUsername=
cas.spring.cloud.rest.basicAuthPassword=

On Thursday, February 17, 2022 at 2:10:01 PM UTC-6 John wrote:

> So converting to using a rest api, the following cas properties have no 
> effect nor are used:
>
> cas.spring.cloud.rest.basic-auth-username=
> cas.spring.cloud.rest.basic-auth-password=
> cas.spring.cloud.rest.method=
> cas.spring.cloud.rest.headers=Header1:Value1;Header2:Value2
>
> The only one that works is
>
> cas.spring.cloud.rest.url=  
>
> and cas reaches out but because our api requires auth it doesn't start, if 
> I remove the authentication from our API it works great. I also added some 
> debug code to our API and in fact the username, password, and headers are 
> never sent during cas boot up.
>
> Do the properties maybe have a typo or is this a bug?
>
> Thanks
>



[cas-user] CAS Spring Cloud Rest, Properties not functioning

2022-02-17 Thread John
So converting to using a rest api, the following cas properties have no 
effect nor are used:

cas.spring.cloud.rest.basic-auth-username=
cas.spring.cloud.rest.basic-auth-password=
cas.spring.cloud.rest.method=
cas.spring.cloud.rest.headers=Header1:Value1;Header2:Value2

The only one that works is

cas.spring.cloud.rest.url=  

and cas reaches out but because our api requires auth it doesn't start, if 
I remove the authentication from our API it works great. I also added some 
debug code to our API and in fact the username, password, and headers are 
never sent during cas boot up.

Do the properties maybe have a typo or is this a bug?

Thanks



Re: [cas-user] CAS v6.4 problem with OIDC claim name mappings in the ID Token

2022-01-11 Thread John Wagenleitner
Hi Frédéric,

Thanks for the reply. In our case the claims are being included in the ID
Token, they just don't have the names we mapped and instead have the names
as they come from our attribute store. We are using `response_type=code` and
a `scope=openid`.

I had not tried `cas.authn.oidc.core.include-id-token-claims=true` since
the docs mentioned that is the default setting. I just tested again with it
set to `true` and there is no change, the claims appear in the ID Token but
not with the desired names. I also tried with it set to `false` and in that
case the claims did not appear in the ID Token.

John

On Tue, Jan 11, 2022 at 12:57 AM Frédéric Lohier 
wrote:

> Hello,
>
> Have you tried to set cas.authn.oidc.core.include-id-token-claims=true ?
>
> According to OIDC spec, if you are using response-type=code , the id_token
> should not contain the user claims. But, if you are using
> response_type=id_token, then the id_token should include the user claims.
> According to CAS 6.4 doc, if you set
> cas.authn.oidc.core.include-id-token-claims=true , it will force the
> release of user claims in the id_token.
> However, in my tests with CAS 6.4.4.2, even with response_type=id_token,
> user claims are not included in the id_token (tried to GET an URL like
> https://mycasserver.com/cas/oidc/oidcAuthorize?response_type=id_token_id=myclient=openid%20profile%20email_uri=https://serviceredirecturi).
> Not a blocker for me for the moment, but if you find a fix, I'm interested.
>
> Here is the relevant documentation :
> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication-Claims.html#configuration
>
>- cas.authn.oidc.core.include-id-token-claims=true
>
> As per OpenID Connect Core section 5.4, "The Claims requested by the
> profile, email, address, and phone scope values are returned from the
> userinfo endpoint", except for response_type=id_token, where they are
> returned in the id_token (as there is no access token issued that could be
> used to access the userinfo endpoint). The Claims requested by the profile,
> email, address, and phone scope values are returned from the userinfo
> endpoint when a response_type value is used that results in an access
> token being issued. However, when no access token is issued (which is the
> case for the response_type value id_token), the resulting Claims are
> returned in the ID Token.
>
> Setting this flag to true will force CAS to include claims in the ID token
> regardless of the response type. Note that this setting MUST ONLY be used
> as a last resort, to stay compliant with the specification as much as
> possible. DO NOT use this setting without due consideration.
>
> Note that this setting is set to true by default mainly provided to
> preserve backward compatibility with previous CAS versions that included
> claims into the ID token without considering the response type. The
> behavior of this setting may change and it may be removed in future CAS
> releases.
>
> On Tue, Jan 11, 2022 at 5:28 AM John Wagenleitner <
> joh...@mail.fresnostate.edu> wrote:
>
>> In CAS v6.3 (up to and including v6.3.7.4) we used the
>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to
>> the standard claim names. This mapping worked for both the ID Token and the
>> UserInfo (`/profile`) endpoint.
>>
>> Here are the relevant properties we have set:
>>
>> ```
>> cas.authn.oidc.discovery.scopes=openid,profile,email
>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
>> cas.authn.oidc.core.claims-map.email=mail
>> cas.authn.oidc.core.claims-map.name=cn
>> cas.authn.oidc.core.claims-map.family_name=sn
>> cas.authn.oidc.core.claims-map.given_name=givenName
>> ```
>>
>> This mapping is no longer working in CAS v6.4 (and also tested in the
>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer
>> contain the mapped names but instead contain the LDAP attribute names such
>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the
>> mapped claim names.
>>
>> As a possible workaround, I tried using a service definition that
>> included an `attributeReleasePolicy` using the
>> `ReturnMappedAttributeReleasePolicy` class but that had no affect on the ID
>> Token claim names.
>>
>> I have reviewed all the OIDC settings and didn't spot anything that looks
>> like it would address this issue.
>>
>> Any help/advice would be appreciated,
>> John
>>

[cas-user] CAS v6.4 problem with OIDC claim name mappings in the ID Token

2022-01-10 Thread John Wagenleitner
In CAS v6.3 (up to and including v6.3.7.4) we used the 
`cas.authn.oidc.claims-map` properties to map our LDAP attribute names to 
the standard claim names. This mapping worked for both the ID Token and the 
UserInfo (`/profile`) endpoint.

Here are the relevant properties we have set:

```
cas.authn.oidc.discovery.scopes=openid,profile,email
cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
```

This mapping is no longer working in CAS v6.4 (and also tested in the 
latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer 
contain the mapped names but instead contain the LDAP attribute names such 
as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the 
mapped claim names.

As a possible workaround, I tried using a service definition that included 
an `attributeReleasePolicy` using the `ReturnMappedAttributeReleasePolicy` 
class but that had no affect on the ID Token claim names.

I have reviewed all the OIDC settings and didn't spot anything that looks 
like it would address this issue.

Any help/advice would be appreciated,
John
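Added example (Python; not from the original post or the CAS project): a diagnostic that applies the `cas.authn.oidc.core.claims-map.*` properties quoted above to a constructed set of LDAP attributes and compares the result with the claims found in an ID token payload, so the symptom described in this thread (raw attribute names such as `mail` and `cn` in the ID token instead of `email` and `name`) is flagged. The sample attribute values, the unsigned sample token and the fallback of an unmapped claim to a same-named attribute are assumptions made for this check, not statements about how CAS builds the token.

```python
import base64
import json

# The properties exactly as quoted in the post above.
CAS_PROPERTIES = """
cas.authn.oidc.discovery.scopes=openid,profile,email
cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
"""

CLAIMS_MAP_PREFIX = "cas.authn.oidc.core.claims-map."
DISCOVERY_CLAIMS_KEY = "cas.authn.oidc.discovery.claims"

# Constructed sample attributes, shaped like an LDAP attribute repository result.
SAMPLE_LDAP_ATTRIBUTES = {
    "sub": "jdoe",
    "mail": "jdoe@example.edu",
    "cn": "Jane Doe",
    "sn": "Doe",
    "givenName": "Jane",
}


def parse_properties(text):
    """Parse `key=value` lines into a dict, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        props[key] = value
    return props


def parse_claims_map(text):
    """Return {standard_claim: attribute_name} from the claims-map properties."""
    return {k[len(CLAIMS_MAP_PREFIX):]: v
            for k, v in parse_properties(text).items()
            if k.startswith(CLAIMS_MAP_PREFIX)}


def parse_discovery_claims(text):
    """Return the list of claims CAS is configured to advertise, in order."""
    value = parse_properties(text).get(DISCOVERY_CLAIMS_KEY, "")
    return [c.strip() for c in value.split(",") if c.strip()]


def expected_claims(attributes, claims_map, claims):
    """Claims a relying party should see: each advertised claim filled from its
    mapped attribute. A claim with no mapping falls back to an attribute of the
    same name (an assumption of this check, not a description of CAS)."""
    result = {}
    for claim in claims:
        source = claims_map.get(claim, claim)
        if source in attributes:
            result[claim] = attributes[source]
    return result


def decode_jwt_payload(token):
    """Decode the payload segment of a compact JWT for inspection only.
    No signature is verified here: this is a diagnostic run on a token you
    obtained yourself, not a validation routine for a relying party."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(payload, claims_map, claims):
    """Compare an ID token payload with the configured mapping.
    `missing_mapped`: mapped claims that should be present but are not.
    `raw_attribute_names`: source attribute names that reached the token
    unmapped, which is the symptom reported in this thread."""
    missing = [c for c in claims if c in claims_map and c not in payload]
    raw = [attr for attr in claims_map.values() if attr in payload]
    return {"missing_mapped": missing, "raw_attribute_names": raw}


def unsigned_sample_token(payload):
    """Build a constructed, unsigned (alg=none) token for the demonstration."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


if __name__ == "__main__":
    claims_map = parse_claims_map(CAS_PROPERTIES)
    claims = parse_discovery_claims(CAS_PROPERTIES)
    wanted = expected_claims(SAMPLE_LDAP_ATTRIBUTES, claims_map, claims)
    # Constructed payload shaped like the 6.4 behaviour reported above: raw LDAP names.
    reported = {"sub": "jdoe", "mail": "jdoe@example.edu", "cn": "Jane Doe",
                "sn": "Doe", "givenName": "Jane"}
    for label, payload in (("expected", wanted), ("as reported", reported)):
        print(label, check_id_token_claims(payload, claims_map, claims))
    print(decode_jwt_payload(unsigned_sample_token(reported)))
```

To run it against a real token, pass the ID token string you received to `decode_jwt_payload` and feed the result to `check_id_token_claims`; a non-empty `raw_attribute_names` list reproduces the report above.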



[cas-user] Re: CAS Upgrade 6.3.x OAuth Cache not being refreshed.

2021-06-28 Thread 'John Bergant' via CAS Community
It looks like the class: 
OAuth20AuthorizationCodeResponseTypeAuthorizationRequestValidator only 
checks for services based on client id and not service name. Since the 
service name is not checked the resulting service is null and the cache is 
never updated.
On Monday, June 28, 2021 at 11:33:04 AM UTC-7 John Bergant wrote:

> I am trying to upgrade my *CAS* server to *6.3.3* from *6.2.8* and it 
> seems the OAuth flow is not working after the upgrade. In *6.3.x* there 
> was a feature added that cached registered services (here is the commit 
> <https://github.com/apereo/cas/commit/3c91ec4f7e124595a55eaa173fb7660833f69d1b>).
>  
> When testing locally it seems like the cache is not being updated on a 
> miss. Other types of registered services rehydrate the cache on misses but 
> not the OAuth service.
>
> Am I missing a property that needs to be set on the Service so the cache 
> gets rehydrated? I took a look at the RegexRegisteredService and the 
> OAuthRegisteredService interface and I didn't see anything that would 
> indicate if the service should be cached.
>
> I am not using the Service Management, all my services are registered at 
> startup as beans and placed in an inMemoryRegisteredService Bean.
>



[cas-user] CAS Upgrade 6.3.x OAuth Cache not being refreshed.

2021-06-28 Thread 'John Bergant' via CAS Community


I am trying to upgrade my *CAS* server to *6.3.3* from *6.2.8* and it seems 
the OAuth flow is not working after the upgrade. In *6.3.x* there was a 
feature added that cached registered services (here is the commit 
<https://github.com/apereo/cas/commit/3c91ec4f7e124595a55eaa173fb7660833f69d1b>).
When testing locally it seems like the cache is not being updated on a 
miss. Other types of registered services rehydrate the cache on misses but 
not the OAuth service.

Am I missing a property that needs to be set on the Service so the cache 
gets rehydrated? I took a look at the RegexRegisteredService and the 
OAuthRegisteredService interface and I didn't see anything that would 
indicate if the service should be cached.

I am not using the Service Management, all my services are registered at 
startup as beans and placed in an inMemoryRegisteredService Bean.



[cas-user] CAS Logout Redirect with Front Channel Logout

2021-05-24 Thread 'John Bergant' via CAS Community

Hi all,

I maintain a CAS server, we have multiple services registered with 
different configurations. Some of the services are registered with Front 
Channel Logout. I have noticed that CAS will not redirect to the specified 
service on logout if one of the Front Channel Logout Services has been 
authenticated against. Is this a limitation of the Front Channel Logout 
feature or do I have something configured improperly?

Thanks,

John



[cas-user] Memcache exception after restart cas 6.3.1 & 6.4.0-RC1

2021-02-04 Thread John Bond

Hello all,

We are currently using memcached to store store tickets using the following 
configuration

```
cas.ticket.registry.memcached.servers=localhost:11213
cas.ticket.registry.memcached.transcoder=KRYO
```
After a recent upgrade from cas 6.2.7 -> 6.3.1 I noticed that, after cas is 
restarted, it is unable to de-serialize tickets.

When using cas 6.3.1 we see the following error

Caused by: java.util.concurrent.ExecutionException: 
com.esotericsoftware.kryo.KryoException: 
com.esotericsoftware.kryo.KryoException: Invalid ordinal for enum 
"org.apereo.cas.validation.ValidationResponseType": 16
(full trace available here: 
https://phabricator.wikimedia.org/T273867#6803365)

When using cas 6.4.0-RC1 we get a slightly different error:

java.lang.ClassCastException: class 
org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult 
cannot be cast to class org.apereo.cas.ticket.Ticket 
(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult 
and org.apereo.cas.ticket.Ticket are in unnamed module of loader 
org.apache.catalina.loader.ParallelWebappClassLoader @686449f9)
(full stack here: https://phabricator.wikimedia.org/T273867#6803717)

In both cases, a naive look at the error suggests it is related to unpacking 
the memcache stored value. This also looks like it may be related to an 
issue reported earlier with 6.3.0-RC3 
(https://groups.google.com/u/1/g/jasig-cas-user/c/v2VTr1y_X8M/m/_gieSp0lDAAJ). 


It's also worth noting that logging out works, i.e. cas can delete the 
memcache value. Finally, I tested all the other transcoders and the issue 
is only present in the KRYO transcoder. 6.3.1 and 6.4.0-RC1 both work fine 
with the SERIAL, WHALIN and WHALINV1 transcoders.

Any guidance or pointers to help troubleshoot this issue would be most 
welcome. We also have a test environment to try out any fixes. 

The cas-overlay-template we are using is available here:
  * https://gerrit.wikimedia.org/g/operations/software/cas-overlay-template/+/refs/heads/master
and we are tracking this issue in our own phabricator ticket here:
  * https://phabricator.wikimedia.org/T273867#6803717



Re: [cas-user] CAS 6.2.x custom theme problem - theme not changing

2020-10-22 Thread John Wagenleitner
Thanks Jonathon, really appreciate the help. Disabling the thymeleaf cache 
fixed the issue and also seeing, as you mentioned, no significant 
difference in performance.
 

On Wednesday, October 21, 2020 at 5:08:02 PM UTC-7 Jonathon Taylor wrote:

> John,
>
> We saw the same behavior and fixed it by disabling Spring thymeleaf 
> caching.  Performance testing shows no difference so seems like an OK fix.  
> Try adding this to cas.properties:
>
> spring.thymeleaf.cache=false
>
> Jonathon
>
> On Wed, Oct 21, 2020 at 3:12 PM John Wagenleitner <
> joh...@mail.fresnostate.edu> wrote:
>
>> Upgrading from 6.1.7 to the 6.2.x release and noticing that once a custom 
>> theme is displayed, that theme is displayed from that point on no matter 
>> what theme the service definition specifies and it happens for all 
>> browsers/users and not just on the browser that first requested the service 
>> with the custom theme.
>>
>> We use the json service registry. Turning on debug we can see messages 
>> for ``org.apereo.cas.services.web.RegisteredServiceThemeResolver`` that 
>> shows the service is configured to use a custom theme, but that theme is 
>> not shown.
>>
>> We have the default, theme-A and theme-B. When first starting CAS and 
>> using a service with no theme set the default is shown. Then if a service 
>> with theme-A set, that theme is shown. But then using a service with 
>> theme-B set, the theme-A is still shown. And a service with no theme set 
>> still shows theme-A (the first custom theme displayed after start-up). Same 
>> thing happens if theme-B is the first custom theme requested, all future 
>> requests will only show theme-B.
>>
>> I looked over the release notes and didn't notice anything specific to 
>> theming. Everything worked as expected in 6.1.7 and other than removing the 
>> ldap `providerClass` property our config didn't change between 6.1.7 and 
>> 6.2.4. I have also tried all of the 6.2.[0-4] release and 6.3.0 RC's and 
>> all exhibit the same issue for us.
>>
>> Any help or pointers would be appreciated.
>>
>



[cas-user] CAS 6.2.x custom theme problem - theme not changing

2020-10-21 Thread John Wagenleitner
Upgrading from 6.1.7 to the 6.2.x release and noticing that once a custom 
theme is displayed, that theme is displayed from that point on no matter 
what theme the service definition specifies and it happens for all 
browsers/users and not just on the browser that first requested the service 
with the custom theme.

We use the json service registry. Turning on debug we can see messages for 
``org.apereo.cas.services.web.RegisteredServiceThemeResolver`` that shows 
the service is configured to use a custom theme, but that theme is not 
shown.

We have the default, theme-A and theme-B. When first starting CAS and using 
a service with no theme set the default is shown. Then if a service with 
theme-A set, that theme is shown. But then using a service with theme-B 
set, the theme-A is still shown. And a service with no theme set still 
shows theme-A (the first custom theme displayed after start-up). Same thing 
happens if theme-B is the first custom theme requested, all future requests 
will only show theme-B.

I looked over the release notes and didn't notice anything specific to 
theming. Everything worked as expected in 6.1.7 and other than removing the 
ldap `providerClass` property our config didn't change between 6.1.7 and 
6.2.4. I have also tried all of the 6.2.[0-4] release and 6.3.0 RC's and 
all exhibit the same issue for us.

Any help or pointers would be appreciated.



[cas-user] CAS memcache issue 6.3.0-RCS

2020-10-06 Thread john titmus
Hello,
I am trying to use multiple instances of cas in a docker environment.
I am getting the following ClassCastException when I have more than one instance of 
cas running:

```
java.lang.ClassCastException: class org.apereo.cas.services.DefaultRegisteredServiceProperty cannot be cast to class org.apereo.cas.ticket.Ticket (org.apereo.cas.services.DefaultRegisteredServiceProperty and org.apereo.cas.ticket.Ticket are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @68217d41) at org.apereo.cas.ticket.registry.MemcachedTicketRegistry.getTicket(MemcachedTicketRegistry.java:96) ~[cas-server-support-memcached-ticket-registry-6.3.0-RC3.jar:6.3.0-RC3]
```

the cas.properties is configured with 
# memcached ticket registry and related settings
cas.ticket.registry.memcached.servers=10.5.84.66:11211
cas.ticket.st.timeToKillInSeconds=60
cas.ticket.tgt.timeToKillInSeconds=43200

and the build has these dependencies in it, the version being 6.3.0-RC3:

implementation "org.apereo.cas:cas-server-support-memcached-ticket-registry:${casServerVersion}"
implementation "org.apereo.cas:cas-server-support-memcached-spy:${casServerVersion}"

This was working fine in 6.2 versions and I am wondering if any config 
changes were made to the 6.3.0-RC3 version to make memcache work with 
multiple instances?

thanks



[cas-user] Re: Multiple entries when using JPA with u2f registration

2020-07-03 Thread John Bond
Just a quick update that I tested this with 6.2.0 (original test with 
6.1.5) and saw the same behaviour.

On Wednesday, July 1, 2020 at 12:20:18 PM UTC+2 John Bond wrote:

> > cas.authn.mfa.u2f.crypto.signing.key=***REDACTED***
> there is also: cas.authn.mfa.u2f.crypto.encryption.key=***REDACTED***
>
>



[cas-user] Re: Multiple entries when using JPA with u2f registration

2020-07-01 Thread John Bond
> cas.authn.mfa.u2f.crypto.signing.key=***REDACTED***
there is also: cas.authn.mfa.u2f.crypto.encryption.key=***REDACTED***



[cas-user] Multiple entries when using JPA with u2f registration

2020-07-01 Thread John Bond

Hello All, 

I have recently been testing the use of JPA for u2f registration, moving 
away from json. However, it seems I'm getting many more rows in the 
U2FDevice_Registration table than expected.

# What I see:

After deleting all entries from the table I log in and am asked to register 
my device. After registering I see an entry like the following in the 
database:

*** 1. row *** 
id: 1 
created_Date: 2020-07-01 00:00:00 
record: ***REDACTED***  
username: jbond

I'm then asked to authenticate with the device to confirm registration. 
This creates a second entry in the database exactly the same as the first 
entry, except the id has been incremented:

*** 1. row *** 
id: 2
created_Date: 2020-07-01 00:00:00 
record: ***REDACTED***  
username: jbond

Following this, each additional login causes another entry to be added to 
the U2FDevice_Registration table; in all cases the only change is the auto 
incremented ID. I'm not asked to re-register, so the registration process 
seems to have worked correctly.

This behaviour seemed unexpected to me; I would expect additional logins 
to cause an update to the initial record and not a new insert. Is this 
expected behaviour, or have I configured something incorrectly?

I have the following u2f related config

cas.authn.mfa.u2f.crypto.signing.key=***REDACTED***
cas.authn.mfa.u2f.jpa.user=cas
cas.authn.mfa.u2f.jpa.password=***REDACTED***
cas.authn.mfa.u2f.jpa.driver-class=org.mariadb.jdbc.Driver
cas.authn.mfa.u2f.jpa.url=jdbc:mysql://db1077.eqiad.wmnet/cas_test?useSSL=true
cas.authn.mfa.u2f.jpa.dialect=org.hibernate.dialect.MariaDBDialect

Any help appreciated thanks



Re: [cas-user] cas.ticket.tgt.timeout.maxTimeToLiveInSeconds and Memcache ticket expiration policy

2020-06-04 Thread John Bond
Hi Fazla,

Unfortunately I'm unsure what cas.tgc.rememberMeMaxAge is used for and how
it differs from cas.ticket.tgt.rememberMe.timeToKillInSeconds.



Re: [cas-user] cas.ticket.tgt.timeout.maxTimeToLiveInSeconds and Memcache ticket expiration policy

2020-06-04 Thread John Bond

Hi Fazla,

We are now using the following settings:

cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=604800
cas.ticket.tgt.timeToKillInSeconds=3600
cas.ticket.tgt.maxTimeToLiveInSeconds=604800

We are still testing, but the intention is that someone who sets RememberMe 
will get a long term cookie and not need to re-authenticate for one week. 
However, if you don't set remember me, i.e. in a public place or shared cookie, 
then your session will be killed after an hour of inactivity. This allows 
us to clean up dead sessions quickly in case users forget to log out. We 
have not changed any of the values at the `cas.tgc` level, other than the 
encryption and signing keys, as such we will be using whatever the 
defaults are.

Thanks John


On Thursday, June 4, 2020 at 10:32:30 AM UTC+2, casuser wrote:
>
> Hello John and Ray,
>
> We are also using memcached as a ticket registry and facing the same 
> issue, as the remember me functionality is not working properly as expected. 
> Below is our configuration. Are you doing anything wrong? 
> cas.ticket.tgt.rememberMe.enabled=true
> cas.ticket.tgt.rememberMe.timeToKillInSeconds=2592000
> cas.ticket.tgt.maxTimeToLiveInSeconds=2592000
> cas.ticket.tgt.timeToKillInSeconds=2592000
>
> # cas.tgc.path=/
> # cas.tgc.maxAge=-1 If one modified this to an positive number, 
> # you will get the behavior of CAS session after browser close and re-open.
> cas.tgc.maxAge=-1
> cas.tgc.name=TGC
> cas.tgc.secure=true
> # cas.tgc.httpOnly=true
> cas.tgc.rememberMeMaxAge=2592000
> cas.tgc.pinToSession=true
>
> Thanks in advance.
>
> On Wed, Jun 3, 2020 at 6:48 PM John Bond wrote:
>
>> Ray
>>
>> On Tue, Jun 2, 2020 at 6:04 PM Ray Bon wrote:
>>
>>> John,
>>>
>>> I think timeout.maxTimeToLiveInSeconds provides a sliding window with no 
>>> defined stop time.
>>>
>> Ahh thanks. This now explains why 
>> org.apereo.cas.ticket.expiration.TimeoutExpirationPolicy 
>> returns Long.MAX_VALUE for its TTL.
>>  
>>
>>> I set our remember me to the same as maxTimeToLiveInSeconds, so do not 
>>> know if it provides a sliding window.
>>>
>> Ack thanks very much appreciate the assistance
>>
>> John
>>
>>
>
>
> -- 
> -Fazla.
>



Re: [cas-user] cas.ticket.tgt.timeout.maxTimeToLiveInSeconds and Memcache ticket expiration policy

2020-06-03 Thread John Bond
Ray

On Tue, Jun 2, 2020 at 6:04 PM Ray Bon wrote:

> John,
>
> I think timeout.maxTimeToLiveInSeconds provides a sliding window with no
> defined stop time.
>
Ahh thanks. This now explains why
org.apereo.cas.ticket.expiration.TimeoutExpirationPolicy
returns Long.MAX_VALUE for its TTL.


> I set our remember me to the same as maxTimeToLiveInSeconds, so do not
> know if it provides a sliding window.
>
Ack thanks very much appreciate the assistance

John



Re: [cas-user] cas.ticket.tgt.timeout.maxTimeToLiveInSeconds and Memcache ticket expiration policy

2020-06-02 Thread John Bond
Hi Ray,

Thanks for the explanation, this is very helpful. I'd like to update our
documentation[1] and want to ensure I understand this correctly. Is the
following correct?

# Timeout level
If maxTimeToLiveInSeconds is specified at the timeout level, as in the
following example, then it takes precedence over all other settings and
creates a hard expiration policy such that a user's session will always be
killed after this time is reached.

```
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=86400
```

With this configuration a user will have to re-authenticate after 1 day
(86400 seconds).

# Default level
When setting maxTimeToLiveInSeconds and timeToKillInSeconds at the default
level, as in the following example, a sliding window is created such that
an application's TGT is valid for a week (640800 seconds) as long as some
activity occurs every hour (3600 seconds).

```
cas.ticket.tgt.timeToKillInSeconds=3600
cas.ticket.tgt.maxTimeToLiveInSeconds=640800
```

With these settings a user will be required to re-authenticate if either of
the following occurs:
  * there has been no activity with CAS within one hour
  * one week after the user authenticated with CAS

# RememberMe
timeToKillInSeconds can also be set at the rememberMe level as below. With
this setting a user will be issued a long term cookie instead of a
session cookie. This long term cookie creates another sliding window where
the user can keep the TGT while the long term rememberMe cookie is still
valid. With the following settings, and assuming the user ticks Remember
Me, a TGT is valid for a week (640800 seconds) as long as some activity
occurs every day (86400 seconds). If the user does not tick Remember Me
the behaviour is the same as the above example, setting maxTimeToLiveInSeconds
and timeToKillInSeconds at the default level.


```
cas.ticket.tgt.timeToKillInSeconds=3600
cas.ticket.tgt.maxTimeToLiveInSeconds=640800
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=86400
```

With these settings, and assuming the user checks the remember me box, they
will have to re-authenticate if either of the following occurs:
  * there has been no activity with CAS within one day
  * one week after the user authenticated with CAS


> Maybe by setting timeout.maxTimeToLiveInSeconds, it forces
> maxTimeToLiveInSeconds to -1 and this value gets sent to memcache.

In my initial config I had the following:

```
cas.ticket.tgt.timeToKillInSeconds=3600
cas.ticket.tgt.maxTimeToLiveInSeconds=604800
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=604800
```
Following the code and checking the debug messages I can see that the
timeout policy chosen is based on
`cas.ticket.tgt.timeout.maxTimeToLiveInSeconds`, which ultimately uses
`org.apereo.cas.ticket.expiration.TimeoutExpirationPolicy` for the
expiration policy. That returns Long.MAX_VALUE[3] when
org.apereo.cas.ticket.registry.MemcachedTicketRegistry sets the ticket[4]
and calculates the timeout[5]. The timeout is eventually returned
with ttl.intValue()[6],
and a quick test shows that the following results in a ttl value of -1:

  var ttl = Long.valueOf(Long.MAX_VALUE).intValue();

However, I am still missing something, as Long.MAX_VALUE should have been
converted to Long.valueOf(Integer.MAX_VALUE)[7].

Thanks for your help and patience, and I think my references are correct
this time :)

John

[1] https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration#Session_timeout_handling
[2] https://github.com/apereo/cas/blob/v6.1.5/core/cas-server-core-tickets-api/src/main/java/org/apereo/cas/ticket/expiration/builder/TicketGrantingTicketExpirationPolicyBuilder.java#L70-L73
[3] https://github.com/apereo/cas/blob/v6.1.5/core/cas-server-core-tickets-api/src/main/java/org/apereo/cas/ticket/expiration/TimeoutExpirationPolicy.java#L74
[4] https://github.com/apereo/cas/blob/master/support/cas-server-support-memcached-ticket-registry/src/main/java/org/apereo/cas/ticket/registry/MemcachedTicketRegistry.java#L59
[5] https://github.com/apereo/cas/blob/master/support/cas-server-support-memcached-ticket-registry/src/main/java/org/apereo/cas/ticket/registry/MemcachedTicketRegistry.java#L128
[6] https://github.com/apereo/cas/blob/master/support/cas-server-support-memcached-ticket-registry/src/main/java/org/apereo/cas/ticket/registry/MemcachedTicketRegistry.java#L138
[7] https://github.com/apereo/cas/blob/master/support/cas-server-support-memcached-ticket-registry/src/main/java/org/apereo/cas/ticket/registry/MemcachedTicketRegistry.java#L130

On Mon, Jun 1, 2020 at 10:59 PM Ray Bon wrote:

> John,
>
> Timeout has higher priority than Default.
> timeout.maxTimeToLiveInSeconds is a more general approach (an application
> like an webmail client, that hits cas every 10m when it checks for new
> mail, will keep the TGT alive while the tab is open).
>
> The two settings in Default, maxTimeToLiveInSeconds and
> timeToKillInSeconds, provide for the timeout sliding window but have a hard
&g
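The idle-window, hard-cap and rememberMe semantics drafted in this post, plus the Long.MAX_VALUE to -1 narrowing traced at the end of it, as an added model in Python. This is not CAS code: the class and function names are this example's own, the "timeout" level is modelled as Ray describes it (a sliding window with no defined stop time that reports Long.MAX_VALUE as its TTL), and the clamp branch is an assumption that follows the conversion John expected to see.

```python
"""Model of the TGT expiration settings discussed in this thread.

Added example, not CAS code. It encodes the semantics the thread arrives at:
  * timeToKillInSeconds            - idle window; the TGT dies if unused this long
  * maxTimeToLiveInSeconds         - hard cap measured from TGT creation
  * rememberMe.timeToKillInSeconds - longer idle window when Remember Me is ticked
  * timeout.maxTimeToLiveInSeconds - sliding idle window with no hard stop, whose
    reported TTL is Long.MAX_VALUE (Ray's reading, accepted by John)
and the Java int narrowing that turns Long.MAX_VALUE into -1 on the way to
memcached. Class and function names are this example's own, not CAS's.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

JAVA_LONG_MAX = 2**63 - 1   # Long.MAX_VALUE
JAVA_INT_MAX = 2**31 - 1    # Integer.MAX_VALUE


def java_int_narrow(value: int) -> int:
    """Mimic Long.valueOf(value).intValue(): keep the low 32 bits as a signed int."""
    low = value & 0xFFFFFFFF
    return low - 2**32 if low >= 2**31 else low


def memcached_expiry(ttl_seconds: int, clamp: bool) -> int:
    """Expiry value that would be handed to memcached.

    clamp=False reproduces the raw narrowing John observed (Long.MAX_VALUE -> -1,
    which, as he saw via tcpdump, effectively means 'don't cache').
    clamp=True (assumed fix) pins out-of-range TTLs to Integer.MAX_VALUE first,
    the conversion John expected to find in MemcachedTicketRegistry.
    """
    if clamp and ttl_seconds > JAVA_INT_MAX:
        ttl_seconds = JAVA_INT_MAX
    return java_int_narrow(ttl_seconds)


@dataclass
class TgtPolicy:
    time_to_kill: int                                  # cas.ticket.tgt.timeToKillInSeconds
    max_time_to_live: int                              # cas.ticket.tgt.maxTimeToLiveInSeconds
    remember_me_time_to_kill: Optional[int] = None     # cas.ticket.tgt.rememberMe.timeToKillInSeconds
    timeout_max_time_to_live: Optional[int] = None     # cas.ticket.tgt.timeout.maxTimeToLiveInSeconds

    def registry_ttl(self) -> int:
        """TTL the expiration policy reports to the ticket registry."""
        if self.timeout_max_time_to_live is not None:
            return JAVA_LONG_MAX          # TimeoutExpirationPolicy: no defined stop time
        return self.max_time_to_live      # default policy: the hard cap

    def is_expired(self, created: int, last_used: int, now: int, remember_me: bool) -> bool:
        """All times are seconds; 'created' and 'last_used' refer to the TGT."""
        if self.timeout_max_time_to_live is not None:
            # The timeout level takes precedence: a pure sliding window, no hard cap.
            return now - last_used >= self.timeout_max_time_to_live
        idle_window = self.time_to_kill
        if remember_me and self.remember_me_time_to_kill is not None:
            idle_window = self.remember_me_time_to_kill
        return now - last_used >= idle_window or now - created >= self.max_time_to_live


def tgt_valid_at(policy: TgtPolicy, accesses: Iterable[int], check_at: int,
                 remember_me: bool = False) -> bool:
    """Replay accesses (seconds after TGT creation) and report whether the TGT is
    still valid at check_at. An access after expiry does not revive the TGT."""
    created = last_used = 0
    for t in accesses:
        if policy.is_expired(created, last_used, t, remember_me):
            return False
        last_used = t
    return not policy.is_expired(created, last_used, check_at, remember_me)


if __name__ == "__main__":
    # The config John settled on: 1 hour idle window, 1 week hard cap.
    default = TgtPolicy(time_to_kill=3600, max_time_to_live=604800)
    print(tgt_valid_at(default, range(0, 6 * 86400, 1800), 6 * 86400 + 1000))  # True
    print(tgt_valid_at(default, range(0, 8 * 86400, 1800), 8 * 86400))         # False: hard cap
    # The timeout level reports Long.MAX_VALUE, which narrows to -1 for memcached.
    timeout = TgtPolicy(3600, 604800, timeout_max_time_to_live=604800)
    print(memcached_expiry(timeout.registry_ttl(), clamp=False))  # -1
    print(memcached_expiry(timeout.registry_ttl(), clamp=True))   # 2147483647
```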

Re: [cas-user] cas.ticket.tgt.timeout.maxTimeToLiveInSeconds and Memcache ticket expiration policy

2020-06-01 Thread John Bond
Hi Ray,

Thanks for the response however ...

On Mon, Jun 1, 2020 at 6:16 PM Ray Bon wrote:

> John,
>
>
> https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticket-Expiration-Policy.html
>
> timeout.maxTimeToLive... is a hard timeout. The other is a 'must be used
> within this time' to be valid. If the TGT is used within this window, the
> validity will extend by that time up to timeout.maxTimeToLive...
> View Task <https://phabricator.wikimedia.org/T245771>
>

I thought that was the difference between cas.ticket.tgt.maxTimeToLiveInSeconds
and cas.ticket.tgt.maxTimeToLiveInSeconds i.e.

  * cas.ticket.tgt.timeToKillInSeconds
    - If cas has seen no access from a user in this time kill the ticket
  * cas.ticket.tgt.maxTimeToLiveInSeconds
    - Regardless of anything always kill the ticket after this timeout
  * cas.ticket.tgt.timeout.maxTimeToLiveInSeconds
    - ???

If not what does cas.ticket.tgt.timeToKillInSeconds control?

Thanks



[cas-user] cas.ticket.tgt.timeout.maxTimeToLiveInSeconds and Memcache ticket expiration policy

2020-06-01 Thread John Bond
Hello All, 

In our config we set both cas.ticket.tgt.timeout.maxTimeToLiveInSeconds and 
cas.ticket.tgt.maxTimeToLiveInSeconds to the same value, believing these 
were the same, and made a note to validate this with this group[1]. That 
later step never happened and the config remained. However, today I tried 
to implement memcache as the ticket store and I noticed via tcpdump that 
CAS was setting the memcache value with an expiry time of -1; this 
effectively means don't cache, so when CAS tries to fetch the ticket it 
doesn't exist. Checking my logs I noticed the following debug messages, 
which seemed confusing:


2020-06-01 14 05 44,597 DEBUG [org.apereo.cas.ticket.expiration.builder.TicketGrantingTicketExpirationPolicyBuilder] - 
2020-06-01 14 05 44,599 DEBUG [org.apereo.cas.ticket.expiration.builder.TicketGrantingTicketExpirationPolicyBuilder] - 

memcache only supports an int for the expiry; however, the final value we 
have is 9223372036854775807, and my assumption is that at some point this 
gets coalesced down to -1. However, I'm curious why the final value is not 
604800.

Looking at the code I see that when setting 
`cas.ticket.tgt.timeout.maxTimeToLiveInSeconds` the final timeout value 
comes from TimeoutExpirationPolicy.java, which always returns Long.MAX_VALUE[1].

When setting only `cas.ticket.tgt.maxTimeToLiveInSeconds` the timeout 
value comes from TicketGrantingTicketExpirationPolicy.java, which returns 
`this.maxTimeToLiveInSeconds`, which is the value I would expect. The logic 
that makes this choice is in 
TicketGrantingTicketExpirationPolicyBuilder.java.

With this in mind could someone explain the difference between the two 
config items or point me to further documentation.  Further it seems that 
the use of cas.ticket.tgt.timeout.maxTimeToLiveInSeconds is not currently 
compatible with memcache.

We are running CAS 6.5.1 on debian buster, let me know if further 
information is required.

Thanks


[1]https://github.com/apereo/cas/blob/v6.1.5/core/cas-server-core-tickets-api/src/main/java/org/apereo/cas/ticket/expiration/builder/TicketGrantingTicketExpirationPolicyBuilder.java#L63-L98
[2]https://github.com/apereo/cas/blob/v6.1.5/core/cas-server-core-tickets-api/src/main/java/org/apereo/cas/ticket/expiration/TimeoutExpirationPolicy.java#L74
[3]https://github.com/apereo/cas/blob/v6.1.5/core/cas-server-core-tickets-api/src/main/java/org/apereo/cas/ticket/expiration/builder/TicketGrantingTicketExpirationPolicyBuilder.java#L70-L73



[cas-user] Re: SAML functions very slow

2020-03-24 Thread John Bond

Following up on this thread, it seems we have managed to reduce the lag on 
our infrastructure by adding the following to /et/cas/config/cas.properties

  spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration

I'm unsure why this fixed the issue; however, I came across the suggestion 
while attempting to configure a standalone war to work with an external 
tomcat instance and hitting an error regarding a missing method.

Adding the above config fixed the issue with the external instance 
of tomcat; however, it also significantly reduced the lag we observed when 
using the embedded war. If anyone is able to provide insight into why this 
config parameter helped I would be interested.


Thanks



Re: [cas-user] SAML Delegated Authentication Auto Redirect

2020-03-11 Thread John Stevens II
Thank you Dmitriy, I was able to get it working with your help.

On Wed, Mar 11, 2020 at 9:09 AM Dmitriy Kopylenko wrote:

> Set this flag to true: ${configurationKey}.autoRedirect=true where configurationKey
> is your pac4j client prefix path of interest.
>
>
> https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#delegated-authentication-settings
>
> Cheers,
> D.
>
> On March 11, 2020 at 03:57:17, John Stevens II (jstevens...@gmail.com)
> wrote:
>
> How do I set CAS to auto-redirect to a configured IDP when a user hits the
> cas login page?
>
> The documentation listed below states :
> "CAS does allow options for auto-redirection of the authentication flow
> to a provider, if only there is a single provider available and configured"
>
> It's mentioned but it's not stated how to configure auto-redirection.
> Documentation here:
> https://apereo.github.io/cas/6.0.x/integration/Delegate-Authentication.html#user-interface



[cas-user] Re: SAML functions very slow

2020-03-11 Thread John Bond

We have also observed this slow down running cas 6.1.*. We have been 
tracking our troubleshooting progress[1] but so far have not found anything 
concrete. However, my colleague has tracked down one pause to the following 
part of spring-webflow code:

https://github.com/spring-projects/spring-webflow/blob/v2.5.1.RELEASE/spring-binding/src/main/java/org/springframework/binding/mapping/impl/DefaultMapper.java#L63-L66

We will attempt to move to an external tomcat instance and see if that 
resolves the issue

[1]https://phabricator.wikimedia.org/T246010



[cas-user] SAML Delegated Authentication Auto Redirect

2020-03-11 Thread John Stevens II
How do I set CAS to auto-redirect to a configured IDP when a user hits the 
cas login page?

The documentation listed below states :
"CAS does allow options for auto-redirection of the authentication flow to 
a provider, if only there is a single provider available and configured"

It's mentioned but it's not stated how to configure auto-redirection.
Documentation here: 
https://apereo.github.io/cas/6.0.x/integration/Delegate-Authentication.html#user-interface



[cas-user] webflowcrypto release

2020-02-12 Thread John Bond
Hi All,

After the blog post below I was hoping to see a 6.5.1 release to fix the 
webflowcrypto issues. I see releases for the 6.0.* and 5.3.* branches but 
not the 6.1.* and 6.2.* branches. 
  https://apereo.github.io/2020/02/08/webflowcrypto/

Is anyone able to provide a timeline for when these will be released? I'm not 
sure if this is the best place to ask; if not, perhaps someone could 
direct me to a better place.

Thanks



Re: [cas-user] Re: cas 6.1 with u2f

2019-11-15 Thread John Bond
Hi Andy,

For the time being I need to use json; I can investigate using a different
storage backend and probably will when I need to start scaling the
application. However, for now I'm happy to hold off the upgrade as this is
currently working for cas 6.0. I assumed it's either a bug or something
stupid I have missed.

On Fri, Nov 15, 2019 at 3:36 PM Andy Ng wrote:

> I see, so does that fix your problem? or you must need to use JSON? /Andy
>
>



Re: [cas-user] Re: cas 6.1 with u2f

2019-11-15 Thread John Bond
Hi Andy,

Thanks for the response and additional testing. It looks like the error is
specific to 'u2fDeviceRepositoryCleanerScheduler' which I think only
applies when using "FIDO U2F JSON". By adding the
`cas-server-support-u2f-jp` dependency I'm guessing that
u2fDeviceRepositoryCleanerScheduler gets disabled.

On Fri, Nov 15, 2019 at 2:57 PM Andy Ng wrote:

> Hi John,
>
> Not familiar with uf2 at all, but I am trying this out in my simulation
> and I also encountered your bug as well.
>
> Something like this:
> Caused by:
> org.springframework.beans.factory.BeanCurrentlyInCreationException: Error
> creating bean with name 'u2fDeviceRepository': Requested bean is currently
> in creation: Is there an unresolvable circular reference?
>
> I found that the bug will be gone if you add *cas-server-support-u2f-jpa*
> as well:
>
> compile "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-u2f-jpa:${project.'cas.version'}"
>
> The error seems gone after I apply the above.
>
> Again, I am not familiar with u2f, so others might be able to help pick up
> from here if the above info does not help you fix this bug.
>
> Cheers!
> - Andy
>
>
>


[cas-user] cas 6.1 with u2f

2019-11-15 Thread John Bond
Hi All,

I have recently tested the 6.1 branch using the cas-overlay-template 
from apereo.  However, when I try to add u2f support I get the following 
error

2019-11-15 10:47:32,512 WARN [org.apereo.cas.web.CasWebApplicationContext] 
-

The change I made is here: 
https://github.com/apereo/cas-overlay-template/pull/39

Thanks 



[cas-user] OAuth code gets expired even though expiry set to 60s

2019-10-26 Thread john
Hi, I am using CAS version 5.2.3 and have configured OpenID. Sometimes when 
validating the OAuthCode I get the following error, even though I have set the 
expiry to 60s:

OAuth token indicated by parameter [OC-292-YQTMn2RWTsBzXym-aK6gMms-NrZtGt4b] has expired or not found: [null]
ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] -
org.apereo.cas.ticket.InvalidTicketException: OC-292-YQTMn2RWTsBzXym-aK6gMms-NrZtGt4b
 at org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenAuthorizationCodeGrantRequestExtractor.extract(AccessTokenAuthorizationCodeGrantRequestExtractor.java:52) ~[cas-server-support-oauth-5.2.3.jar:5.2.3]
 at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.examineAndExtractAccessTokenGrantRequest(OAuth20AccessTokenEndpointController.java:160) ~[cas-server-support-oauth-5.2.3.jar:5.2.3]
 at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.handleRequest(OAuth20AccessTokenEndpointController.java:105) ~[cas-server-support-oauth-5.2.3.jar:5.2.3]
 at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController$$FastClassBySpringCGLIB$$db180f28.invoke() ~[cas-server-support-oauth-5.2.3.jar:5.2.3]

cas.properties

cas.authn.oauth.code.timeToKillInSeconds=60


Thanks
John



[cas-user] CAS sometime displays logged-in screen of cas instead of redirecting to App url With openid

2019-10-20 Thread john
Hi, I have configured CAS 5.2.3 with OpenID. After a successful login from the 
OpenID provider, CAS sometimes redirects to the logged-in screen of CAS 
instead of the application. I don't see any errors in the logs.

Please help.

Thanks



[cas-user] Login Screen prompted in IE even though user logged-in from chrome using OAuth2

2019-09-08 Thread john
Hi, I am using OAuth based login with CAS version 5.2.3. A user logs into the 
application using Chrome, and if the user then opens the application in IE, the 
user is prompted with the OAuth login screen instead of the existing session 
being used. CAS is redirecting to the OAuth login screen.

Please let me know if this scenario can be handled.


Thanks
john



[cas-user] Re: CAS keeps generating RegexRegisteredService-********.json files in CAS/Services folder

2019-08-30 Thread john
Andy, I am using CAS version 5.2.3. I have attached the cas.properties for 
reference.

Thanks
John.

On Friday, August 30, 2019 at 1:31:39 PM UTC+5:30, Andy Ng wrote:
>
> Hmm very strange, it shouldn't do that, at least it doesn't do that in my 
> CAS deployment. What is the version of CAS that you use?
>
> - Andy
>



[cas-user] Re: CAS keeps generating RegexRegisteredService-********.json files in CAS/Services folder

2019-08-28 Thread john


Andy, I am using OpenID and, as you mentioned, the generated JSON has the 
serviceId as mentioned below. But CAS generates a new file when the server is 
restarted instead of looking into the already generated JSON file. 


On Thursday, August 29, 2019 at 6:43:48 AM UTC+5:30, Andy Ng wrote:
>
> Hi John,
>
> On second thought, those might be some necessary services for OpenID to 
> use.
>
> Can you check if the serviceId is something like
> `https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize`? 
>
> If so, then you probably don't want to remove those, or else your CAS will 
> most likely have unexpected errors when using OpenID.
>
> Hope this info helps.
>
> Cheer!
> - Andy
>



[cas-user] Re: CAS keeps generating RegexRegisteredService-********.json files in CAS/Services folder

2019-08-28 Thread john
Andy, I am using OpenID and, as you mentioned, the generated JSON has the 
serviceId as mentioned below. But CAS generates a new file when the server is 
restarted instead of looking into the already generated JSON file.


Thanks
Gopal

On Thursday, August 29, 2019 at 6:43:48 AM UTC+5:30, Andy Ng wrote:
>
> Hi John,
>
> On second thought, those might be some necessary services for OpenID to 
> use.
>
> Can you check if the serviceId is something like
> `https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize`? 
>
> If so, then you probably don't want to remove those, or else your CAS will 
> most likely have unexpected errors when using OpenID.
>
> Hope this info helps.
>
> Cheer!
> - Andy
>



[cas-user] CAS keeps generating RegexRegisteredService-********.json files in CAS/Services folder

2019-08-26 Thread john
Hi, I have configured CAS 5.2.3 with OpenID. During every server startup 
CAS generates RegexRegisteredService-.json files.  How do I avoid 
generating these JSON files?

Thanks
John



Re: [cas-user] Re: Problem with Global Principal Attribute

2019-08-16 Thread John Bond
Thanks Danny,

I have created a PR upstream[1] and the devs have been very responsive;
hopefully we can get this fixed.

[1]https://github.com/apereo/cas/pull/4188



Re: [cas-user] Re: Problem with Global Principal Attribute

2019-08-15 Thread John Bond
Mr. Bond,

Thanks for your response.  According to the docs[1] there are two ways to
use the Global Principal Attribute[1]:

> Trigger MFA based on a principal attribute(s) whose value(s) matches a
> regex pattern. Note that this behavior is only applicable if there is only
> a single MFA provider configured, since that would allow CAS to know what
> provider to next activate.

I believe this is the method you have described, which has the end result
[in your case] that any user in the group
'CN=mfa-eligible,OU=DuoMFA,OU=Groups,DC=nsuok,DC=edu' will need to use the MFA
method specified by `cas.authn.mfa.globalProviderId`.

I would like to support multiple MFA options and have the user indicate
the MFA they want to use via LDAP.  For this I thought I could configure CAS
using the second option:

> Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY
> matches an MFA provider. This option is more relevant if you have more than
> one provider configured or if you have the flexibility of assigning
> provider ids to attributes as values.

[1]
https://apereo.github.io/cas/6.0.x/mfa/Configuring-Multifactor-Authentication-Triggers.html#global-principal-attribute

On Wed, Aug 14, 2019 at 9:23 PM 'Robert Bond' via CAS Community <
cas-user@apereo.org> wrote:

>
> Here is what I think you need
> # Activate MFA globally based on principal attributes
> cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
> # Specify the regular expression pattern to trigger multifactor when
> working with a single provider.
> cas.authn.mfa.globalPrincipalAttributeValueRegex=mfa-gauth
>
> Let me know if that works for you.
>

I tried this and it made no difference, which surprised me as I had assumed
it would complain about a missing cas.authn.mfa.globalProviderId.  However, I
wonder if simply having more than one provider disables this function.
The comment in the docs hints at this.



[cas-user] Problem with Global Principal Attribute

2019-08-14 Thread John Bond
Hi all,

I'm attempting to configure CAS so that the MFA provider is determined via 
an LDAP attribute.  I have the following config:

```
server.ssl.keyStore=file:/etc/cas/thekeystore

cas.server.name=https://idp.wikimedia.org:8443
cas.server.prefix=https://idp.wikimedia.org:8443/cas

cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
cas.authn.mfa.gauth.json.location=file:///etc/cas/config/gauthdevices.json
cas.authn.mfa.u2f.json.location=file:///etc/cas/config/u2fdevices.json

logging.config: file:/etc/cas/config/log4j2.xml

cas.serviceRegistry.json.location=file:/etc/cas/services

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].principalAttributeList=cn,memberOf,mail,businessCategory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
cas.authn.ldap[0].ldapurl=ldaps://ldap-ro.eqiad.wikimedia.org:636 ldaps://ldap-ro.codfw.wikimedia.org:636
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].basedn=dc=wikimedia,dc=org
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].binddn=cn=user,ou=profile,dc=wikimedia,dc=org
cas.authn.ldap[0].bindcredential=**removed**
cas.authn.accept.users=
logging.level.org.apereo=DEBUG
```
And my user has `businessCategory: mfa-gauth` configured in LDAP.  However, 
when I try to authenticate I see the following in the debug logs:

```
2019-08-14 17:35:06,797 DEBUG 
[org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
 
- 
2019-08-14 17:35:06,797 DEBUG 
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] - 
2019-08-14 17:35:06,799 DEBUG 
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] - 
2019-08-14 17:35:06,799 DEBUG 
[org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
 
-   
```

So it looks like LDAP sends this value as an array and CAS doesn't like 
that.  Is anyone able to give advice on how I could get LDAP to send this 
[or some other attribute] as a string, or fix this issue on the CAS side?

Cheers John

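The two trigger modes quoted from the CAS docs in this thread, and the multi-valued LDAP attribute John runs into, can be worked through in a small resolver. This is an added example written for this post, not CAS's own code; the provider ids, attribute names and the rule that regex mode only applies with a single provider are taken from the thread, everything else is constructed.

```python
"""Added example (not CAS's own code): resolving the MFA provider from a
global principal attribute trigger when LDAP returns that attribute as a
list rather than a single string.

Two modes, as the CAS docs quoted in this thread describe them:
  1. exact-match mode: an attribute value must EXACTLY equal a provider id
     (usable with any number of providers);
  2. regex mode: an attribute value matches a regex, usable only when a
     single provider is configured, because only then is the provider
     unambiguous.
"""
import re
from typing import Any, List, Mapping, Optional, Sequence


def normalize_values(value: Any) -> List[str]:
    """Treat single-valued and multi-valued LDAP attributes uniformly.

    A directory may return `businessCategory` as "mfa-gauth" or as
    ["mfa-gauth"]; comparing the raw list against a provider id fails,
    which is the symptom described in the post above.
    """
    if value is None:
        return []
    if isinstance(value, bytes):
        return [value.decode("utf-8")]
    if isinstance(value, str):
        return [value]
    # Drop None and empty entries that some directories emit for multi-valued attributes.
    return [str(v) for v in value if v is not None and str(v) != ""]


def resolve_mfa_provider(principal_attrs: Mapping[str, Any],
                         trigger_attrs: Sequence[str],
                         providers: Sequence[str],
                         value_regex: Optional[str] = None) -> Optional[str]:
    """Return the provider id to activate, or None when no MFA should trigger.

    principal_attrs: attributes resolved for the authenticated principal.
    trigger_attrs:   the names listed in globalPrincipalAttributeNameTriggers.
    providers:       ids of the MFA providers configured in this deployment.
    value_regex:     globalPrincipalAttributeValueRegex, if set.
    """
    values: List[str] = []
    for name in trigger_attrs:
        values.extend(normalize_values(principal_attrs.get(name)))
    if not values:
        return None

    # Mode 1: any attribute value that exactly equals a configured provider id.
    for v in values:
        if v in providers:
            return v

    # Mode 2: regex match, but only when exactly one provider exists.
    if value_regex and len(providers) == 1:
        pattern = re.compile(value_regex)
        if any(pattern.fullmatch(v) for v in values):
            return providers[0]

    return None


if __name__ == "__main__":
    # Constructed sample principal: LDAP returned businessCategory as a list.
    attrs = {"cn": "jdoe", "businessCategory": ["mfa-gauth"],
             "memberOf": ["CN=mfa-eligible,OU=Groups,DC=example,DC=org"]}
    print(resolve_mfa_provider(attrs, ["businessCategory"],
                               ["mfa-gauth", "mfa-u2f"]))
```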


[cas-user] CAS 6.0.1 Azure AD Oauth2 issue

2019-03-05 Thread John Ng
Hi,

I am trying to configure CAS 6.0.1 to delegate to Azure AD using Oauth2

My overlay build.gradle contains the following:

dependencies {
compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
}

My cas.properties contains the following:

cas.authn.pac4j.oauth2[0].id=----
cas.authn.pac4j.oauth2[0].secret=mysecret
cas.authn.pac4j.oauth2[0].authUrl=https://login.microsoftonline.com/common/oauth2/authorize
cas.authn.pac4j.oauth2[0].tokenUrl=https://login.microsoftonline.com/common/oauth2/token
cas.authn.pac4j.oauth2[0].clientName=AzureAD


I have added the CAS redirect URL to the allowed Reply URLs for the App 
registration in Azure AD.

When I point my browser at CAS:

   1. My browser is redirected to Azure AD.
   2. I login to Azure AD.
   3. My browser is redirected back to CAS.

However, at that point CAS fails to complete the login, and the following 
error is displayed in the log.

2019-03-06 11:04:52,337 DEBUG [org.pac4j.oauth.credentials.extractor.
OAuth20CredentialsExtractor] - 
2019-03-06 11:04:52,337 DEBUG [org.pac4j.oauth.credentials.extractor.
OAuth20CredentialsExtractor] - 
2019-03-06 11:04:52,337 DEBUG [org.pac4j.oauth.credentials.authenticator.
OAuth20Authenticator] - 
2019-03-06 11:04:53,522 DEBUG [org.pac4j.oauth.credentials.authenticator.
OAuth20Authenticator] - 
2019-03-06 11:04:53,522 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] 
- 
2019-03-06 11:04:53,522 INFO [org.apereo.cas.web.flow.
DelegatedClientAuthenticationAction] - 
2019-03-06 11:04:53,539 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] 
- 
2019-03-06 11:04:53,539 DEBUG [org.pac4j.oauth.profile.creator.
OAuth20ProfileCreator] - 
2019-03-06 11:04:53,541 ERROR [org.apereo.cas.authentication.
PolicyBasedAuthenticationManager] - 


Any ideas what I'm doing wrong?



[cas-user] CAS-5.3.8 displays cas login page before redirecting to openid provider login screen

2019-02-21 Thread john
Hi, I upgraded CAS from 5.2.3 to 5.3.8, and when I try to use the 
url 
http://localhost:8080/cas/oauth2.0/authorize?response_type=code_id=_uri=http://localhost:8080/test,
 
CAS displays the default login page (for a second) before redirecting to the OpenID 
provider login screen. I have set autoredirect to true for OpenID in 
cas.properties.

Any idea how to redirect to the OpenID login screen without displaying the CAS 
login page?


Thanks





Re: [cas-user] Re: Cas Default language

2019-02-18 Thread john adz
Hi,

I'm trying with Chrome incognito. I write what I wrote in 
application.properties, but still in English. Do I delete the 
messages.properties file and see the messages_uk.properties file? Do I have 
to make a change elsewhere?

Thanks,

On Monday, February 18, 2019 at 12:44:23 PM UTC+3, Andy Ng wrote:
>
> Looking at the source code here: 
> https://github.com/apereo/cas/blob/v5.3.7/webapp/cas-server-webapp-config/src/main/java/org/apereo/cas/config/CasWebAppConfiguration.java#L63
>
> The locale is also affected by a cookie; maybe try using Chrome Incognito or 
> a similar browser, so that your previous cookie is not used?
>
> - Andy
>



[cas-user] Re: Cas upgrade from 5.2.3 to 5.3.7 not returning oauthCode

2019-02-18 Thread john
Andy, can you help us to resolve this issue.

thanks

On Monday, February 18, 2019 at 10:17:23 AM UTC+5:30, john wrote:
>
> Andy, I don't see any error in the logs. With the above url it's returning a 
> serviceticket to the redirect_uri, but not an oauthCode.  I am using the same 
> configuration which was working in cas-5.2.3.
>
> Thanks
> Gopal
>
> On Sunday, February 17, 2019 at 11:26:15 AM UTC+5:30, Andy Ng wrote:
>>
>> Hi John,
>>
>> Try setting up CAS with *https* instead of *http*. CAS is not intended to 
>> be used over *http*, so that might lead to issues like the above.
>>
>> If it is not the above issue, then you might need to also look at your debug 
>> log for more inspiration: when the error happens, did CAS output an error? 
>> How does it not return an oauth code, does it show a 404 page? An 
>> empty page? 
>>
>> Additional information from the debug log and the error behavior is going 
>> to help debug the problem.
>>
>> Cheers!
>> - Andy
>>
>



Re: [cas-user] Re: Cas Default language

2019-02-17 Thread john adz
Hi,

I added the following lines in application.properties.
Unfortunately, it did not happen. He doesn't see the change here. It comes
in English.

cas.locale.paramName=locale

cas.locale.defaultValue=uk




Thanks,
On Mon, Feb 18, 2019 at 4:20 AM Andy Ng  wrote:

> Hi John,
>
> Try this:
>
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#localization
>
> # cas.locale.defaultValue=en
>
>
> See if this works.
>
> - Andy
>


[cas-user] Re: Cas upgrade from 5.2.3 to 5.3.7 not returning oauthCode

2019-02-17 Thread john
Andy, I don't see any error in the logs. With the above url it's returning a 
serviceticket to the redirect_uri, but not an oauthCode.  I am using the same 
configuration which was working in cas-5.2.3.

Thanks
Gopal

On Sunday, February 17, 2019 at 11:26:15 AM UTC+5:30, Andy Ng wrote:
>
> Hi John,
>
> Try setting up CAS with *https* instead of *http*. CAS is not intended to 
> be used over *http*, so that might lead to issues like the above.
>
> If it is not the above issue, then you might need to also look at your debug log 
> for more inspiration: when the error happens, did CAS output an error? How 
> does it not return an oauth code, does it show a 404 page? An empty 
> page? 
>
> Additional information from the debug log and the error behavior is going to 
> help debug the problem.
>
> Cheers!
> - Andy
>



[cas-user] Cas Default language

2019-02-17 Thread john adz
Hi,

In CAS I want to change the default language, which comes from the default
file. But I want the default to be the messages_uk.properties file. It works
when I pass locale=uk, but I don't want to do that. I changed the contents of
the messages.properties file and copied the contents of the
messages_uk.properties file there. But it still comes up in English.

thanks,



[cas-user] Cas upgrade from 5.2.3 to 5.3.7 not returning oauthCode

2019-02-14 Thread john
Hi, I have upgraded the CAS war from 5.2.3 to 5.3.7, and I am using the 
URL 
http://localhost:8080/cas/oauth2.0/authorize?response_type=code_id=_uri=http://localhost:8080/test
 
which was working in 5.2.3 and returned an OAuthCode. But in 5.3.7 the url 
does not return an oauthcode. 

Any advice or guidance would be greatly appreciated.

Thanks



Re: [cas-user] CAS Attribute

2019-01-23 Thread john adz
Ray, I check the records that the error is returned because the mail did
not come. I'm sending the log again. Is this way when the mail is gone? Or
should I see the e-mail address in the WHO: WHAT: section of the page?


2019-01-23 07:17:28,283 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,284 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,284 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,286 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,287 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,287 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,288 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,289 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,289 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,290 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,290 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,290 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -


2019-01-23 07:17:28,290 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -




On Tue, Jan 22, 2019 at 9:44 PM Ray Bon  wrote:

> John,
>
> What happens on the client side?
> Check client logs to see if email is being received.
>
> Ray
>
> On Tue, 2019-01-22 at 10:41 +0300, john adz wrote:
>
> Hi Ray,
> Thanks for your answer. I've done something, and I see e-mails in the
> logs. But I don't know how to send this email address to the application.
> Or I don't know if I'm sending it right now. log like
>
> [2019-01-22 07:28:04,472 and 07:28:04,477 INFO lines from org.apereo.cas.authentication.PolicyBasedAuthenticationManager; message bodies lost in extraction apart from the fragment "with credentials [username**]."]
>
> 2019-01-22 07:28:04,478 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> =
> WHO: username**
> WHAT: Supplied credentials: [username**]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Jan 22 07:28:04 UTC 2019
> =
>
> [the same audit record is logged a second time at 07:28:04,478, followed by 2019-01-22 07:28:04,480 to 07:28:04,484 DEBUG lines from org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy whose bodies were lost in extraction apart from the fragments "attributes for username**", "for username**" and "any"; the quoted log is cut off by the archive at "[org.apere"]

Re: [cas-user] CAS Attribute

2019-01-22 Thread john adz
I tried this way but I couldn't send the mail again.

application.properties

cas.authn.attributeRepository.jdbc.attributes.mail=email

cas.authn.attributeRepository.defaultAttributesToRelease=mail


cas.log

[2019-01-22 13:10:12,051 to 13:10:12,059 INFO lines from org.apereo.cas.authentication.PolicyBasedAuthenticationManager and org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager, then 13:10:12,139 to 13:10:12,146 DEBUG lines from org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy, then two 13:10:12,157 INFO audit lines; all message bodies were lost in the archive extraction]

[attribution line lost in extraction] wrote:

> Could you try the same property without squared brackets?
> cas.authn.attributeRepository.jdbc.attributes.mail=email
>
> as described here?
>
> https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#jdbc
>
>
>
>
> On Tuesday, January 22, 2019 at 10:23:28 AM UTC+1, john adz wrote:
>>
>> Hi Michele,
>>
>> I get an invalid property error when I use jdbc [0]. I'll try again and
>> send the log. Because I am using cas 5.0.x. I think you said for 5.2. In
>> the meantime, I can understand how the mail sent mail.
>>
>> Thanks,
>>
>> On Tue, Jan 22, 2019 at 11:38 AM Michele Melluso 
>> wrote:
>>
>>> Hi,
>>> I was wrong, please ignore my previous answer.
>>>
>>> Looking at your configuration I think you may be using the wrong
>>> properties to select attributes:
>>> cas.authn.attributeRepository.attributes.mail=email
>>>
>>> both in my configuration and here:
>>> https://apereo.github.io/2018/02/20/cas-service-rbac-attributeresolution/
>>> the following properties are used:
>>> cas.authn.attributeRepository.jdbc[0].attributes.mail=email
>>>
>>> I hope this time to be correct :)
>>> Michele
>>>
>>>
>>>
>>> On Tuesday, January 22, 2019 at 9:17:28 AM UTC+1, Michele Melluso wrote:
>>>>
>>>> Looking at your configuration I think you should replace in
>>>> defaultattributesToRelease property the value email with mail.
>>>> That is because you defined an attribute called "mail" populated with
>>>> the "email" field. The new attribute "mail" is what you want to
>>>> release.
>>>>
>>>> cas.authn.attributeRepository.attributes.mail=email
>>>> cas.authn.attributeRepository.defaultAttributesToRelease=mail
>>>>
>>>> Michele
>>>>
>>>>
>>>> On Tuesday, January 22, 2019 at 8:41:38 AM UTC+1, john adz wrote:
>>>>>
>>>>> Hi Ray,
>>>>> Thanks for your answer. I've done something, and I see e-mails in the
>>>>> logs. But I don't know how to send this email address to the application.
>>>>> Or I don't know if I'm sending it right now. log like
>>>>>
>>>>> [2019-01-22 07:28:04,472 and 07:28:04,477 INFO lines from org.apereo.cas.authentication.PolicyBasedAuthenticationManager; message bodies lost in extraction apart from the fragment "a...@gmail.com} with credentials [username**]."; the quoted log is cut off by the archive at "2019-01-22 07:28:04,478"]

Re: [cas-user] CAS Attribute

2019-01-22 Thread john adz
Hi Michele,

I get an invalid property error when I use jdbc [0]. I'll try again and
send the log. Because I am using cas 5.0.x. I think you said for 5.2. In
the meantime, I can understand how the mail sent mail.

Thanks,

On Tue, Jan 22, 2019 at 11:38 AM Michele Melluso 
wrote:

> Hi,
> I was wrong, please ignore my previous answer.
>
> Looking at your configuration I think you may be using the wrong
> properties to select attributes:
> cas.authn.attributeRepository.attributes.mail=email
>
> both in my configuration and here:
> https://apereo.github.io/2018/02/20/cas-service-rbac-attributeresolution/
> the following properties are used:
> cas.authn.attributeRepository.jdbc[0].attributes.mail=email
>
> I hope this time to be correct :)
> Michele
>
>
>
> On Tuesday, January 22, 2019 at 9:17:28 AM UTC+1, Michele Melluso wrote:
>>
>> Looking at your configuration I think you should replace in
>> defaultattributesToRelease property the value email with mail.
>> That is because you defined an attribute called "mail" populated with the
>> "email" field. The new attribute "mail" is what you want to release.
>>
>> cas.authn.attributeRepository.attributes.mail=email
>> cas.authn.attributeRepository.defaultAttributesToRelease=mail
>>
>> Michele
>>
>>
>> On Tuesday, January 22, 2019 at 8:41:38 AM UTC+1, john adz wrote:
>>>
>>> Hi Ray,
>>> Thanks for your answer. I've done something, and I see e-mails in the
>>> logs. But I don't know how to send this email address to the application.
>>> Or I don't know if I'm sending it right now. log like
>>>
>>> [2019-01-22 07:28:04,472 and 07:28:04,477 INFO lines from org.apereo.cas.authentication.PolicyBasedAuthenticationManager; message bodies lost in extraction apart from the fragment "a...@gmail.com} with credentials [username**]."]
>>>
>>> 2019-01-22 07:28:04,478 INFO
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
>>> =
>>> WHO: username**
>>> WHAT: Supplied credentials: [username**]
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Tue Jan 22 07:28:04 UTC 2019
>>> =
>>>
>>> [the same audit record is logged a second time at 07:28:04,478, followed by 2019-01-22 07:28:04,480 to 07:28:04,483 DEBUG lines from org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy whose bodies were lost in extraction apart from the fragments "attributes for username**", "for username**" and "any"; the quoted log is cut off by the archive here]

Re: [cas-user] CAS Attribute

2019-01-21 Thread john adz
Hi Ray,
Thanks for your answer. I've done something, and I see e-mails in the logs.
But I don't know how to send this email address to the application. Or I
don't know if I'm sending it right now. log like

[2019-01-22 07:28:04,472 and 07:28:04,477 INFO lines from org.apereo.cas.authentication.PolicyBasedAuthenticationManager, two 07:28:04,478 audit records from org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager, 07:28:04,480 to 07:28:04,484 DEBUG lines from org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy, two 07:28:04,485 audit records, and 07:28:04,489 to 07:28:04,496 DEBUG lines from AbstractRegisteredServiceAttributeReleasePolicy; all message bodies were lost in the archive extraction]

2019-01-22 07:28:04,497 INFO
[org.apereo.cas.CentralAuthenticationServiceImpl] - [message body lost in extraction]

2019-01-22 07:28:04,498 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - [record header lost in extraction; surviving fragment:] https://k**
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 22 07:28:04 UTC 2019
=

[2019-01-22 07:28:04,565 INFO audit record from org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager; body lost in extraction]

Ray Bon wrote:

> John,
>
> Attribute release policy for 5.0.x is here
> https://apereo.github.io/cas/5.0.x/integration/Attribute-Release-Policies.html
>
> You will also need to use SAML 1.1 or CAS 3 protocols,
> https://apereo.github.io/cas/5.0.x/integration/Attribute-Release.html
>
> Ray
>
> On Mon, 2019-01-21 at 16:30 +0300, john adz wrote:
>
> Hi Michele;
>
> I tried to do as you said. I am sending the contents of the file. Can you
> help me?
>
> application.properties
>
> cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Driver
>
>
> cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
>
>
> cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
>
>
> cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=SHA-256
>
>
> cas.authn.jdbc.query[0].passwordEncoder.secret=
>
>
> cas.authn.jdbc.query[0].passwordEncoder.strength=16
>
>
> #cas.authn.jdbc.query[0].principalAttributeList=email,mail
>
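The pipeline that Michele's property fix and Ray's release-policy and protocol advice describe, as an added example that is not code from this thread or from CAS: the JDBC repository's attributes.<name>=<column> mapping, the service definition's release policy, and which validate reply can carry attributes at all. The property keys, the DB row, the service definitions and the modelled release semantics are assumptions constructed for the example.

```python
# Added example (mine, not code from this thread or the CAS project): a small model of
# the CAS 5.x attribute pipeline this thread is debugging, showing the three points at
# which "mail" can silently drop out. Property keys, the DB row and the service
# definitions are constructed; the release semantics are modelled, not copied from CAS.
import re
from xml.sax.saxutils import escape

# Repository mapping in Michele's form: attributes.<attributeName>=<dbColumn>.
PROPERTIES = {
    "cas.authn.attributeRepository.jdbc[0].attributes.mail": "email",
    "cas.authn.attributeRepository.jdbc[0].attributes.givenName": "firstname",
    "cas.authn.attributeRepository.defaultAttributesToRelease": "mail",
}
# Constructed single row, as "SELECT * FROM users WHERE {0}" would return it.
USER_ROW = {"username": "jdoe", "email": "jdoe@example.org", "firstname": "Jane",
            "password": "$2a$10$constructedhash"}
MAPPING_RE = re.compile(r"^cas\.authn\.attributeRepository\.jdbc\[\d+\]\.attributes\.(\w+)$")

def resolve(row, props=PROPERTIES):
    """Step 1: rename DB columns to attribute names. Only mapped columns survive in this
    model, which is what keeps SELECT * from handing the password column onward."""
    col_to_attr = {}
    for key, column in props.items():
        m = MAPPING_RE.match(key)
        if m:
            col_to_attr[column] = m.group(1)
    return {col_to_attr[c]: v for c, v in row.items() if c in col_to_attr}

def _plain(v):  # service-registry JSON wraps lists as ["java.util.ArrayList", [...]]
    return v[1] if len(v) == 2 and isinstance(v[0], str) and v[0].startswith("java.util.") else v

def release(attrs, service, props=PROPERTIES):
    """Step 2: the service definition decides. A service with no policy is modelled as
    getting defaultAttributesToRelease; ReturnAllowed releases only its allowedAttributes,
    so allowing "email" while the repository produced "mail" releases nothing."""
    policy = service.get("attributeReleasePolicy")
    if policy is None:
        defaults = props["cas.authn.attributeRepository.defaultAttributesToRelease"]
        allowed = {a.strip() for a in defaults.split(",") if a.strip()}
    elif policy["@class"].endswith("ReturnAllAttributeReleasePolicy"):
        allowed = set(attrs)
    else:
        allowed = set(_plain(policy.get("allowedAttributes", [])))
    return {k: v for k, v in attrs.items() if k in allowed}

def validate_response(user, released, protocol):
    """Step 3: only CAS 3.0 (/p3/serviceValidate) and SAML 1.1 (/samlValidate) carry
    attributes; a CAS 2.0 /serviceValidate reply never does, whatever the policy says."""
    body = f"<cas:user>{escape(user)}</cas:user>"
    if protocol == "cas3" and released:
        inner = "".join(f"<cas:{k}>{escape(str(v))}</cas:{k}>" for k, v in released.items())
        body += f"<cas:attributes>{inner}</cas:attributes>"
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            f"<cas:authenticationSuccess>{body}</cas:authenticationSuccess></cas:serviceResponse>")

def attributes_in(xml):
    """Names that actually reached the client, parsed back out of a validate reply."""
    m = re.search(r"<cas:attributes>(.*)</cas:attributes>", xml)
    return set(re.findall(r"<cas:(\w+)>", m.group(1))) if m else set()
```

Feed your own service definition to release(resolve(USER_ROW), service) and check attributes_in(validate_response(...)) for the endpoint the client really calls; in a live CAS, the AbstractRegisteredServiceAttributeReleasePolicy debug logger Ray suggests shows the same decision.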

Re: [cas-user] CAS Attribute

2019-01-18 Thread john adz
Hi,

Hello, I want to send other information, such as the mail address or firstname,
which is registered in the user database. What should I add to
application.properties? Can you give an example?

On Fri, Jan 18, 2019 at 8:07 PM Ray Bon  wrote:

> John,
>
> Do you mean you want to email the user the service they logged in to? Or
> send the service the user's email address?
> If the latter, you have to release the attribute in the service
> definition,
> https://apereo.github.io/cas/5.2.x/integration/Attribute-Release-Policies.html
>
> To see what attributes are being released, use this logging:
>
> [logger element; its opening tag name was lost in extraction:] name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
>
> Ray
>
> On Fri, 2019-01-18 at 04:16 -0800, john adz wrote:
>
> Hi,
> I did cas mysql authentication. I want to send cas service to the user's
> email address. Add attribute, but not. Can you help me?
>
> application.properties
>
> cas.authn.accept.users=
>
>
> cas.authn.jdbc.query[0].fieldUser=username
>
>
> cas.authn.jdbc.query[0].sql=SELECT password FROM users WHERE username=?
>
>
> cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM db.users
>
>
> cas.authn.jdbc.query[0].tableUsers=users
>
>
> cas.authn.jdbc.query[0].fieldPassword=password
>
>
> cas.authn.jdbc.query[0].url=jdbc:mysql://localhost:3306/db
>
>
> cas.authn.jdbc.query[0].user=root
>
>
> cas.authn.jdbc.query[0].password=***
>
>
> cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Driver
>
>
> cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
>
>
> cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
>
>
> cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=SHA-256
>
>
> cas.authn.jdbc.query[0].passwordEncoder.secret=
>
>
> cas.authn.jdbc.query[0].passwordEncoder.strength=16
>
>
> cas.authn.jdbc.query[0].principalAttributeList=email,mail
>
>
>
> cas.authn.attributeRepository.jdbc.sql=SELECT * FROM users WHERE {0}
>
> cas.authn.attributeRepository.jdbc.username=username
>
> cas.authn.attributeRepository.jdbc.healthQuery=
>
> cas.authn.attributeRepository.jdbc.url=jdbc:mysql://localhost:3306/db
>
> cas.authn.attributeRepository.jdbc.singleRow=true
>
> cas.authn.attributeRepository.jdbc.user=root
>
> cas.authn.attributeRepository.jdbc.password=***
>
> cas.authn.attributeRepository.attributes.email=email
>
> cas.authn.attributeRepository.attributes.mail=mail
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1547831249.3078.147.camel%40uvic.ca
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1547831249.3078.147.camel%40uvic.ca?utm_medium=email_source=footer>
> .
>
