Re: [cas-user] Re: Access Denied with CAS Service Management WebApp

2017-08-12 Thread Brian Gibson

Hi Arnold,

Thank you very much for the suggestion. I confirmed that CAS is finding 
the properties file by changing the filename to something bogus; when I 
do that, the deployment of the war file crashes because it says it cannot 
find the file.
I believe CAS is successfully finding the file, it is just not 
processing it correctly (as far as I can tell). I'm getting around this 
by setting the "cas.mgmt.adminRoles" option to nothing (instead of the 
suggested "ROLE_ADMIN" value). Doing so (I believe) makes it so anyone 
who logs in can access the service management web app. I am getting 
around that by adding an accessStrategy section to the .json file that 
controls access to that service; inside it I am using the following 
requiredAttributes to restrict access to my Active Directory loginID:


  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "cn" : [ "java.util.HashSet", [ "bgibson" ] ]
    }
  },





On 8/10/2017 3:24 AM, Bergner, Arnold wrote:


Hi there,

it seems to me your properties file location might be wrong. At least, 
there’s no C: in there:


cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties 



Maybe you also need windows notation?

Regards

Arnold

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Brian Gibson
Sent: Wednesday, 9 August 2017 20:03
To: cas-user@apereo.org
Subject: [cas-user] Re: Access Denied with CAS Service Management WebApp

To follow up on my last email, I enabled DEBUG mode and noticed in the 
logs where it was denying my access. Here is the snippet. I think it 
is because the "roles" value is empty (in bold below)


2017-08-09 12:28:29,675 DEBUG 
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] 
- {wID=/my_AD_loginID/, isFromNewLogin=true, 
authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York], 
affiliation=staff, authenticationMethod=LdapAuthenticationHandler, 
FullName=/my_Full_Name_From_AD/, 
successfulAuthenticationHandlers=LdapAuthenticationHandler, 
longTermAuthenticationRequestTokenUsed=false, 
sn=/my_Last_Name_From_AD/, cn=/my_AD_loginID/, 
EmailAddress=/my_AD_EmailAddress/} | *roles: []* | permissions: [] | 
isRemembered: false | clientName: CasClient | linkedId: null |]>




I thought the c:\etc\cas\config\users.properties file referenced from 
my management.properties file would list me as having the ROLE_ADMIN 
role?


If it helps, here is the .json file service entry used to allow the 
management app.



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*",
  "name" : "CASManagementService",
  "id" : 132457456798678,
  "description" : "Service entry to allow access to the CAS Management App",

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "sAMAccountName" : "wID",
      "employeeType" : "affiliation"
    }
  },
  "evaluationOrder" : 2
}


Thanks!!!








On 8/9/2017 10:44 AM, Brian Gibson wrote:

Hi All,

Be gentle, I'm a sys admin, not a Java expert ;-)

Running Tomcat 9 on Windows 2012 R2 Server.

Running CAS 5.1.2 using the War Overlay method and I have it
authenticating against Active Directory and it recognizes services
that I define in .json files.

I'm trying to get the CAS Services Management Webapp working so I
can login with my Active Directory credentials. Here is where I am

1. I go to the /cas-management URL and if I am not already logged
into CAS I get redirected to the CAS login page (good so far)

2. I log in with my Active Directory credentials and I am greeted
with this error

"CAS Services Management   Access Denied   You are not authorized
to access this resource. Contact your CAS Administrator for more
info."

I put this entry in the c:\etc\cas\config\users.properti
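An added example, not from the thread and not CAS's own code: a Python model of the decision chain this thread is about, built from the service entry and the users.properties format posted above. It assumes the behaviour Brian reports for a blank cas.mgmt.adminRoles (no role required) and models the access strategy by its documented defaults; the users.properties content and the LDAP attribute values are constructed.

```python
import json

# Management service entry from the thread, with the accessStrategy workaround
# from Brian's last message folded in (the description field is omitted).
MGMT_SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*",
  "name" : "CASManagementService", "id" : 132457456798678,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : { "@class" : "java.util.TreeMap",
      "sn" : "sn", "cn" : "cn", "mail" : "EmailAddress", "displayname" : "FullName",
      "sAMAccountName" : "wID", "employeeType" : "affiliation" } },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true, "ssoEnabled" : true,
    "requiredAttributes" : { "@class" : "java.util.HashMap",
      "cn" : [ "java.util.HashSet", [ "bgibson" ] ] } },
  "evaluationOrder" : 2
}"""

# Constructed users.properties in the thread's format: user=password,ROLE_...,enabled
USERS_PROPERTIES = "bgibson=notused,ROLE_ADMIN,enabled\nintern=notused,ROLE_USER,disabled\n"

def strip_markers(node):
    """Drop Jackson type hints: '@class' keys and ["java.util.HashSet", [values]] wrappers."""
    if isinstance(node, dict):
        return {k: strip_markers(v) for k, v in node.items() if k != "@class"}
    if (isinstance(node, list) and len(node) == 2 and isinstance(node[0], str)
            and node[0].startswith("java.util.") and isinstance(node[1], list)):
        return [strip_markers(v) for v in node[1]]
    if isinstance(node, list):
        return [strip_markers(v) for v in node]
    return node

def release_attributes(service, ldap_attrs):
    """ReturnMappedAttributeReleasePolicy: LDAP name -> released name. Only
    mapped attributes leave the CAS server; values are lists of strings."""
    mapping = service.get("attributeReleasePolicy", {}).get("allowedAttributes", {})
    return {released: ldap_attrs[ldap] for ldap, released in mapping.items()
            if ldap in ldap_attrs}

def access_allowed(service, attrs):
    """DefaultRegisteredServiceAccessStrategy over the released attributes: each
    required attribute must carry at least one listed value (requireAllAttributes
    defaults to true). With no requiredAttributes any authenticated principal passes."""
    strategy = service.get("accessStrategy", {})
    if not strategy.get("enabled", True):
        return False
    required = strategy.get("requiredAttributes", {})
    if not required:
        return True
    hits = [bool(set(attrs.get(name, [])) & set(values)) for name, values in required.items()]
    return all(hits) if strategy.get("requireAllAttributes", True) else any(hits)

def parse_users_properties(text):
    """Parse the file named by cas.mgmt.userPropertiesFile:
    user=password,ROLE_A,ROLE_B,enabled|disabled (the password is unused here)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition("=")
        tokens = [t.strip() for t in rest.split(",")][1:]
        users[user.strip()] = {"enabled": "disabled" not in tokens,
                               "roles": {t for t in tokens if t.upper().startswith("ROLE_")}}
    return users

def mgmt_admin_allowed(username, users, admin_roles):
    """cas.mgmt.adminRoles check. An empty role set is modelled as 'nothing
    required', which is the behaviour Brian reports for a blank property (assumption)."""
    if not admin_roles:
        return True
    entry = users.get(username)
    return bool(entry and entry["enabled"] and entry["roles"] & admin_roles)

def can_administer(username, ldap_attrs, service, users, admin_roles):
    """Whole chain: release -> service accessStrategy -> adminRoles.
    Returns (allowed, reason) so a denial like the one in the thread is explained."""
    released = release_attributes(service, ldap_attrs)
    if not access_allowed(service, released):
        return False, "accessStrategy.requiredAttributes not satisfied"
    if not mgmt_admin_allowed(username, users, admin_roles):
        return False, "no role listed in cas.mgmt.adminRoles"
    return True, "allowed"

def registry_open_to_everyone(service, admin_roles):
    """Audit check for the workaround: blank adminRoles with no requiredAttributes
    lets every CAS user who can log in edit the service registry."""
    return not admin_roles and not service.get("accessStrategy", {}).get("requiredAttributes")

SERVICE = strip_markers(json.loads(MGMT_SERVICE_JSON))
USERS = parse_users_properties(USERS_PROPERTIES)
```

Run registry_open_to_everyone over every entry in the registry whenever cas.mgmt.adminRoles is left blank; the workaround only holds while the management entry keeps its requiredAttributes.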

[cas-user] Re: Access Denied with CAS Service Management WebApp

2017-08-09 Thread Brian Gibson
To follow up on my last email, I enabled DEBUG mode and noticed in the 
logs where it was denying my access. Here is the snippet. I think it is 
because the "roles" value is empty (in bold below)


2017-08-09 12:28:29,675 DEBUG 
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] 
- {wID=/my_AD_loginID/, isFromNewLogin=true, 
authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York], 
affiliation=staff, authenticationMethod=LdapAuthenticationHandler, 
FullName=/my_Full_Name_From_AD/, 
successfulAuthenticationHandlers=LdapAuthenticationHandler, 
longTermAuthenticationRequestTokenUsed=false, sn=/my_Last_Name_From_AD/, 
cn=/my_AD_loginID/, EmailAddress=/my_AD_EmailAddress/} | *roles: []* | 
permissions: [] | isRemembered: false | clientName: CasClient | 
linkedId: null |]>




I thought the c:\etc\cas\config\users.properties file referenced from my 
management.properties file would list me as having the ROLE_ADMIN role?


If it helps, here is the .json file service entry used to allow the 
management app.



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*",
  "name" : "CASManagementService",
  "id" : 132457456798678,
  "description" : "Service entry to allow access to the CAS Management App",

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "sAMAccountName" : "wID",
      "employeeType" : "affiliation"
    }
  },
  "evaluationOrder" : 2
}


Thanks!!!









On 8/9/2017 10:44 AM, Brian Gibson wrote:

Hi All,

Be gentle, I'm a sys admin, not a Java expert ;-)

Running Tomcat 9 on Windows 2012 R2 Server.

Running CAS 5.1.2 using the War Overlay method and I have it 
authenticating against Active Directory and it recognizes services 
that I define in .json files.


I'm trying to get the CAS Services Management Webapp working so I can 
login with my Active Directory credentials. Here is where I am


1. I go to the /cas-management URL and if I am not already logged into 
CAS I get redirected to the CAS login page (good so far)


2. I log in with my Active Directory credentials and I am greeted with 
this error


"CAS Services Management   Access Denied   You are not authorized to 
access this resource. Contact your CAS Administrator for more info."


I put this entry in the c:\etc\cas\config\users.properties file (which 
is referenced below in my management.properties file)


/my_AD_loginID/=notused,ROLE_ADMIN,enabled

My management.properties file looks like this

cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller

cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false

Thanks for any advice you can offer :-)



--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu.


[cas-user] Access Denied with CAS Service Management WebApp

2017-08-09 Thread Brian Gibson

Hi All,

Be gentle, I'm a sys admin, not a Java expert ;-)

Running Tomcat 9 on Windows 2012 R2 Server.

Running CAS 5.1.2 using the War Overlay method and I have it 
authenticating against Active Directory and it recognizes services that 
I define in .json files.


I'm trying to get the CAS Services Management Webapp working so I can 
login with my Active Directory credentials. Here is where I am


1. I go to the /cas-management URL and if I am not already logged into 
CAS I get redirected to the CAS login page (good so far)


2. I log in with my Active Directory credentials and I am greeted with 
this error


"CAS Services Management   Access Denied   You are not authorized to 
access this resource. Contact your CAS Administrator for more info."


I put this entry in the c:\etc\cas\config\users.properties file (which 
is referenced below in my management.properties file)


/my_AD_loginID/=notused,ROLE_ADMIN,enabled

My c:\etc\cas\config\management.properties file looks like this

cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller

cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false

Thanks for any advice you can offer :-)



Re: [cas-user] Help with CAS 5.1.3 & LDAP

2017-08-16 Thread Brian Gibson
I don't know if this is 100% correct but my ldap settings are in my 
cas.properties file, I do not have an ldap.properties file.



On 8/16/2017 3:21 PM, Chris Peck wrote:
I cannot for the life of me figure out what I need to get my dev CAS 
instance to talk to LDAP. When it's running and I try to auth to the 
webpage I see this in the logs:


cas_1  | 2017-08-16 19:14:36,150 DEBUG 
[org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] 
- [HttpBasedServiceCredentialsAuthenticationHandler]>
cas_1  | 2017-08-16 19:14:36,152 WARN 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
find authentication handler that supports [crp] of type 
[UsernamePasswordCredential], which suggests a configuration problem.>


I have this in my pom.xml:


<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp${app.server}</artifactId>
    <version>${cas.version}</version>
    <type>war</type>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>


And, I've this in my cas.properties file:
/etc/cas/config # cat cas.properties
cas.server.name : https://localhost:8443
cas.server.prefix: https://localhost:8443/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.level.org.apereo=DEBUG
logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.config.location: classpath:/services

# Override cas-overlay-template auth for testing
cas.authn.accept.users=

and my ldap.properties


# LDAP Config
cas.authn.policy.req.handlername=LdapAuthenticationHandler
cas.authn.policy.req.enabled=true

cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].ldapUrl=ldaps://ldap.somewhere
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=ou=people,dc=some,dc=where
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].subtreeSearch=true

cas.authn.ldap[0].dnFormat=uid=%s,ou=people,dc=some,dc=where
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true

It's gotta be some simple little thing I'm missing.
Thanks,
Chris
PS - it's all running in a docker container




Re: [cas-user] CAS 3.5.3 not releasing AD attributes to version 3 WordPress CAS plugin

2017-06-20 Thread Brian Gibson
Thank you very much for this info. Can I ask a follow-up? How are some services 
we have successfully receiving attributes like email address from our CAS 
instance? I thought I read that attribute release wasn't available until CAS 
protocol version 3?

Thanks,
Brian

Sent from my iPhone

> On Jun 19, 2017, at 5:09 PM, dkopyle...@unicon.net wrote:
> 
> The confusion here is "version of what" is being talked about. The version 3 
> there refers to "CAS protocol" version, which has been only available since 
> "CAS server" version 4. You have CAS server version 3, which is a) "end of 
> life" and b) does not have CAS protocol version 3 implemented.
> 
> HTH,
> D.
> 
>> On Jun 19, 2017, 15:22 -0400, Brian Gibson 
>> <gibson_br...@wheatoncollege.edu>, wrote:
>> Hi All,
>> 
>> Be gentle with me I'm not a CAS guru :-)
>> 
>> We are running CAS 3.5.3 and our web team is trying to configure a WordPress 
>> plugin for CAS version 3 to authenticate users and receive AD attributes. If 
>> they switch the CAS plugin to CAS version 2 the user authenticates fine. 
>> When they test using the version 2 CAS plugin by going to this URL
>> 
>> /cas/serviceValidate
>> 
>> they do receive the XML response they are expecting.
>> If they go to this URL
>> /cas/p3/serviceValidate
>> they just get redirected back to the CAS login screen or, if they are 
>> already logged in, they end up on the "Log In Successful" screen.
>> 
>> According to this URL
>> 
>> https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html
>> 
>> under the section labeled "2.5.6 URL examples of /serviceValidate"
>> 
>> it says, with CAS version 3, they should get some XML with attribute data. 
>> What is odd is I've setup the TestApp1 and TestApp2 applications on the CAS 
>> server and they do return AD attributes (along with a 3rd party app, CAS 
>> releases attributes to it as well.)
>> 
>> The service entry I have for this test service is set to release attributes 
>> so that shouldn't be the issue.
>> Any suggestions on how to troubleshoot with this cas plugin?
>> Thx!
>> 
>> 
> 



[cas-user] CAS 3.5.3 not releasing AD attributes to version 3 WordPress CAS plugin

2017-06-19 Thread Brian Gibson
Hi All,

Be gentle with me I'm not a CAS guru :-)

We are running CAS 3.5.3 and our web team is trying to configure a
WordPress plugin for CAS version 3 to authenticate users and receive AD
attributes. If they switch the CAS plugin to CAS version 2 the user
authenticates fine. When they test using the version 2 CAS plugin by going
to this URL

/cas/serviceValidate

they do receive the XML response they are expecting.

If they go to this URL

/cas/p3/serviceValidate

they just get redirected back to the CAS login screen or, if they are
already logged in, they end up on the "Log In Successful" screen.

According to this URL

https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html

under the section labeled "2.5.6 URL examples of /serviceValidate"

it says, with CAS version 3, they should get some XML with attribute data.

What is odd is I've setup the TestApp1 and TestApp2 applications on
the CAS server and they do return AD attributes (along with a 3rd
party app, CAS releases attributes to it as well.)

The service entry I have for this test service is set to release
attributes so that shouldn't be the issue.

Any suggestions on how to troubleshoot with this cas plugin?

Thx!

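An added example, not from the thread and not the WordPress plugin's code: a Python parser for the serviceValidate XML response the thread is about. It accepts the protocol-v3 shape (with cas:attributes) and the v2 shape (without), rejects an authenticationFailure, and also rejects what a CAS 3.5.3 server returns for /cas/p3/serviceValidate, which is the HTML login page rather than XML. All response bodies are constructed samples.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed protocol-v3 success: /cas/p3/serviceValidate on a CAS 4+ server.
V3_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>bgibson</cas:user>
    <cas:attributes>
      <cas:EmailAddress>bgibson@example.edu</cas:EmailAddress>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>faculty</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed protocol-v2 success: /cas/serviceValidate, no attributes block.
V2_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>bgibson</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response.
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-1-constructed' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# What the thread reports for /cas/p3/serviceValidate on CAS 3.5.3: a redirect
# to the login screen, i.e. an HTML page (constructed, not well-formed XML).
LOGIN_PAGE = '<html><body><form>Username<br><input name="username"></form></body></html>'


class CasValidationError(Exception):
    """Raised when the body does not prove a successful ticket validation."""


def _q(local):
    return "{%s}%s" % (CAS_NS, local)


def parse_service_validate(body):
    """Return (user, attributes) for an authenticationSuccess; attributes maps
    name -> list of values and is empty for a v2 response. Anything else raises,
    so a caller can never mistake a login page or a failure for a validated user."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise CasValidationError("response is not well-formed XML; an HTML page "
                                 "means the endpoint does not exist on this server") from exc
    if root.tag != _q("serviceResponse"):
        raise CasValidationError("root element is not cas:serviceResponse")
    failure = root.find(_q("authenticationFailure"))
    if failure is not None:
        raise CasValidationError("%s: %s" % (failure.get("code"), (failure.text or "").strip()))
    success = root.find(_q("authenticationSuccess"))
    if success is None:
        raise CasValidationError("neither authenticationSuccess nor authenticationFailure present")
    user = success.findtext(_q("user"), default="").strip()
    if not user:
        raise CasValidationError("authenticationSuccess without cas:user")
    attributes = {}
    attrs_el = success.find(_q("attributes"))
    if attrs_el is not None:
        for child in attrs_el:
            name = child.tag.split("}", 1)[-1]  # drop the namespace part of the tag
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes


def summarize(body):
    """Printable verdict instead of an exception, for troubleshooting output."""
    try:
        user, attrs = parse_service_validate(body)
    except CasValidationError as exc:
        return "rejected: %s" % exc
    return "validated %s with %d attribute(s)" % (user, len(attrs))
```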


Re: [cas-user] Avoid default services recreation cas overlay

2017-10-10 Thread Brian Gibson
I got rid of one of those .json files from appearing by adding the 
excludes section (the one naming HTTPSandIMAPS-1001.json) to my pom.xml 
file. I couldn't figure out the XML syntax to try and keep more than one 
.json file from appearing, so I have a scheduled task on the CAS 5 Windows 
server that nukes the other one when it sees it :-)



<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-overlay</artifactId>
    <packaging>war</packaging>
    <version>1.0</version>

    <build>
        <plugins>
            <plugin>
                <groupId>com.rimerosolutions.maven.plugins</groupId>
                <artifactId>wrapper-maven-plugin</artifactId>
                <version>0.0.4</version>
                <configuration>
                    <verifyDownload>true</verifyDownload>
                    <checksumAlgorithm>MD5</checksumAlgorithm>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>${springboot.version}</version>
                <configuration>
                    <mainClass>org.springframework.boot.loader.WarLauncher</mainClass>
                    <addResources>true</addResources>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>2.6</version>
                <configuration>
                    <warName>cas</warName>
                    <failOnMissingWebXml>false</failOnMissingWebXml>
                    <recompressZippedFiles>false</recompressZippedFiles>
                    <archive>
                        <compress>false</compress>
                        <manifestFile>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp${app.server}/META-INF/MANIFEST.MF</manifestFile>
                    </archive>
                    <overlays>
                        <overlay>
                            <groupId>org.apereo.cas</groupId>
                            <artifactId>cas-server-webapp${app.server}</artifactId>
                            <!-- the section added to keep the bundled default service out of the overlay -->
                            <excludes>
                                <exclude>WEB-INF/classes/services/HTTPSandIMAPS-1001.json</exclude>
                            </excludes>
                        </overlay>
                    </overlays>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.3</version>
            </plugin>
        </plugins>
        <finalName>cas</finalName>
    </build>

    <dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp${app.server}</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-json-service-registry</artifactId>
            <version>${cas.version}</version>
        </dependency>
    </dependencies>

    <properties>
        <cas.version>5.1.2</cas.version>
        <springboot.version>1.5.3.RELEASE</springboot.version>
        <app.server>-tomcat</app.server>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <repositories>
        <repository>
            <id>sonatype-releases</id>
            <url>http://oss.sonatype.org/content/repositories/releases/</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
            <releases>
                <enabled>true</enabled>
            </releases>
        </repository>
        <repository>
            <id>sonatype-snapshots</id>
            <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
            <releases>
                <enabled>false</enabled>
            </releases>
        </repository>
        <repository>
            <id>shibboleth-releases</id>
            <url>https://build.shibboleth.net/nexus/content/repositories/releases</url>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <url>https://repo.spring.io/milestone</url>
        </repository>
    </repositories>

    <profiles>
        <profile>
            <activation>
                <activeByDefault>false</activeByDefault>
            </activation>
            <id>pgp</id>
            <build>
                <plugins>
                    <plugin>
                        <groupId>com.github.s4u.plugins</groupId>
                        <artifactId>pgpverify-maven-plugin</artifactId>
                        <version>1.1.0</version>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>check</goal>
                                </goals>
                            </execution>
                        </executions>
                        <configuration>
                            <pgpKeyServer>hkp://pool.sks-keyservers.net</pgpKeyServer>
                            <pgpKeysCachePath>${settings.localRepository}/pgpkeys-cache</pgpKeysCachePath>
                            <scope>test</scope>
                            <verifyPomFiles>true</verifyPomFiles>
                            <failNoSignature>false</failNoSignature>
                        </configuration>
                    </plugin>
                </plugins>
            </build>
        </profile>
    </profiles>
</project>



On 10/10/2017 5:04 AM, Charl Thiem wrote:

Hi

Adding that dependency doesn't help either. It creates those files for 
me too with that dependency...


Regards / Groete
*Charl Thiem*
Senior Developer
IT Infrastructure Manager



On Tue, Oct 10, 2017 at 10:57 AM, Doug Campbell wrote:


Christian,

I believe I ran into this too at one point.  If I remember
correctly you just need to add the following dependency to your
CAS overlay pom.xml file:



<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>



Until you add that dependency I think the build process just grabs
the two files you mention from the CAS source.

Doug

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Christian Axel Schmidt Dick
Sent: Tuesday, October 10, 2017 4:10 PM
To: CAS Community
Subject: [cas-user] Avoid default services recreation cas overlay

Hi there, It might be a noob question but it is something that
should be easy to avoid, that is driving me mad. I am using the
war overlay 5.1.4, and have docker-ized it. But every time I start
the container, 2 files inside the services folder get created,
'Apereo-1002.json' and 'HTTPSandIMAPS-1001.json'. How can
I avoid it? I tried to delete them but once I restart the container
they appear there once again. Even leaving them there and editing
them won't work.


Re: [cas-user] making an extra LDAP attribute visible via CAS

2017-09-26 Thread Brian Gibson
We are working towards this as well but do not have it in place yet. I 
think it will be a two step process. Inside the 
C:\etc\cas\config\cas.properties files in the LDAP section you need to 
tell it what attributes from LDAP you want to pull


cas.authn.ldap[0].principalAttributeList=sn,cn,mail,displayname,givenName,sAMAccountName,employeeType,employeeNumber

Then, inside the .json file that denotes the service entry for Self 
Service Banner, you would map the employeeNumber LDAP attribute to 
UDC_IDENTIFIER for when you send the info out. Here is (what I 
believe to be) a valid .json file, in our case located in 
C:\etc\cas\services\service_entry_4_475674893038.json (see the 
UDC_IDENTIFIER line):


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://bss.wheatonma.edu/.*",
  "name" : "BannerSelfService",
  "id" : 475674893038,
  "description" : "Service entry to Banner SSO",

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "employeeNumber" : "UDC_IDENTIFIER",
      "employeeType" : "affiliation"
    }
  },

  "evaluationOrder" : 6
}



On 9/26/2017 8:46 AM, charlie derr wrote:

Greetings,
    We are new to CAS, but have managed to successfully get 5.1 working
with our LDAP directory on the back end. Apologies if this is a FAQ, but
I've looked around the web for the answer and only found instructions on
how to do this with 4.x (and earlier) CAS installs.
    We have a need to expose the LDAP attribute employeeNumber (it's
present directly on each user's entry) as UDC_IDENTIFIER to the
application using CAS (Self-Service Banner). Any pointers or links to
documentation on how to correctly and securely accomplish this will very
much be appreciated.

    thanks ever so much,
    ~c

--
Charlie Derr
Director of Instructional Technology
Bard College at Simon's Rock
413-528-7344





[cas-user] Call additional URL on service logout

2018-08-07 Thread Brian Gibson
One of our portal's subapps doesn't get logged out when the portal calls
the /cas/logout URL on our CAS 5.1.2 server; that subapp has its own
logout URL.

Is there a way within CAS 5 to have the client call a URL in the background
as they log out of a service?

Thanks!



Re: [cas-user] Call additional URL on service logout

2018-08-07 Thread Brian Gibson

Hi Jérôme,

Thanks for the suggestion, we need the end user's browser to make the 
call to the logout URL and I think the URL in the "logoutUrl" value gets 
called by the CAS server, no?


- Brian

On 8/7/2018 9:09 AM, Jérôme LELEU wrote:

Hi,

By default, the CAS server will call the service URL of the CAS 
applications the user has accessed during his SSO session.


But you can change the application logout URL (called by CAS) via the 
CAS property when defining the CAS service: logoutUrl.


See: https://apereo.github.io/cas/5.3.x/installation/Logout-Single-Signout.html#service-endpoint-for-logout-requests


Thanks.
Best regards,
Jérôme


On Tue, Aug 7, 2018 at 2:33 PM, Brian Gibson wrote:


One of our portal's subapps doesn't get logged out when the portal
calls the /cas/logout URL on our CAS 5.1.2 server; that subapp has
its own logout URL.

Is there a way within CAS 5 to have the client call a URL in the
background as they log out of a service?

Thanks!






[cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-09-07 Thread Brian Gibson

Hi all,

We have Duo working in our test CAS 5.1.2 environment. Now we'd like to 
point different CAS-protected services at different Duo Protected 
Applications so we can set different group policies for each. I created 
2 CAS applications inside Duo's admin portal, I called them


"CAS ID=mfa-duo"
"CAS ID=mfa-duo2"

I then edited my cas.properties file and created a second set of Duo 
settings, here is what it looks like with the important data scrubbed out


cas.authn.mfa.duo[0].duoSecretKey=//
cas.authn.mfa.duo[0].duoApplicationKey=/<40 character random string>/
cas.authn.mfa.duo[0].duoIntegrationKey=/ID=mfa-duo>/
cas.authn.mfa.duo[0].duoApiHost=//
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Profile1

cas.authn.mfa.duo[1].duoSecretKey=//
cas.authn.mfa.duo[1].duoApplicationKey=/string>/
cas.authn.mfa.duo[1].duoIntegrationKey=/ID=mfa-duo2>/
cas.authn.mfa.duo[1].duoApiHost=//
cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Profile2


I then edited the .json files for 2 services and added these sections 
for multifactor authentication, note the duo ID I am referencing 
differently in each...


=== Service 1
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        mfa-duo
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: //
    bypassEnabled: false
  }
===
=== Service 2
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        mfa-duo2
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: //
    bypassEnabled: false
  }
===

When I log into both services I do get prompted to do 2 factor auth but 
when I authenticate on my phone app they both list the protected app named


"CAS ID=mfa-duo"

How do you get different CAS-protected services to point to different 
CAS instances in Duo (and therefore different group policies)?


Thanks!
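The provider-to-profile resolution the post above expects, as an added example that is not CAS project code: it parses the duo[n] blocks, resolves each service's multifactorPolicy provider id to the profile it should reach, and flags ids that share one Duo integration key (two such profiles are one Duo application, so the phone would show the same application name for both services). Key and host values are constructed placeholders; the default id mfa-duo is the CAS default for the Duo provider.

```python
import re
from typing import Dict, List

# Constructed stand-in for the scrubbed cas.properties in the post; the
# key/host values are placeholders, only the ids and names are the real ones.
CAS_PROPERTIES = """
cas.authn.mfa.duo[0].duoSecretKey=SK_PLACEHOLDER_1
cas.authn.mfa.duo[0].duoApplicationKey=AK_PLACEHOLDER_1
cas.authn.mfa.duo[0].duoIntegrationKey=IK_PLACEHOLDER_1
cas.authn.mfa.duo[0].duoApiHost=api-placeholder.duosecurity.com
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Profile1

cas.authn.mfa.duo[1].duoSecretKey=SK_PLACEHOLDER_2
cas.authn.mfa.duo[1].duoApplicationKey=AK_PLACEHOLDER_2
cas.authn.mfa.duo[1].duoIntegrationKey=IK_PLACEHOLDER_2
cas.authn.mfa.duo[1].duoApiHost=api-placeholder.duosecurity.com
cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Profile2
"""

# The provider ids each service's multifactorPolicy names in the post.
SERVICE_PROVIDERS: Dict[str, List[str]] = {
    "Service 1": ["mfa-duo"],
    "Service 2": ["mfa-duo2"],
}

_DUO_LINE = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)=(.*)$")


def parse_duo_profiles(properties: str) -> Dict[str, Dict[str, str]]:
    """Return {provider id: {property: value}} for every duo[n] block.

    A block with no explicit id gets "mfa-duo", the CAS default for the Duo
    provider; two blocks with the same id are rejected because a service
    policy could no longer tell them apart.
    """
    blocks: Dict[int, Dict[str, str]] = {}
    for raw in properties.splitlines():
        m = _DUO_LINE.match(raw.strip())
        if m:
            blocks.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    profiles: Dict[str, Dict[str, str]] = {}
    for idx in sorted(blocks):
        pid = blocks[idx].get("id", "mfa-duo")
        if pid in profiles:
            raise ValueError(f"duplicate Duo provider id {pid!r} in duo[{idx}]")
        profiles[pid] = blocks[idx]
    return profiles


def resolve_service_profiles(service_providers: Dict[str, List[str]],
                             profiles: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each service to the Duo profile name its policy should reach.

    A provider id that no duo[n] block declares raises KeyError: that is the
    first misconfiguration to rule out when both services land on one app.
    """
    resolved: Dict[str, str] = {}
    for svc, pids in service_providers.items():
        for pid in pids:
            if pid not in profiles:
                raise KeyError(f"{svc} references undeclared provider {pid!r}")
            resolved[svc] = profiles[pid].get("name", pid)
    return resolved


def shared_integration_keys(profiles: Dict[str, Dict[str, str]]) -> List[List[str]]:
    """Groups of provider ids that point at the same Duo integration key.

    Two profiles with one key are one Duo application whatever their ids,
    so the application name shown on the phone would be identical for both.
    """
    by_key: Dict[str, List[str]] = {}
    for pid, props in profiles.items():
        by_key.setdefault(props.get("duoIntegrationKey", ""), []).append(pid)
    return [sorted(ids) for ids in by_key.values() if len(ids) > 1]


if __name__ == "__main__":
    found = parse_duo_profiles(CAS_PROPERTIES)
    print(resolve_service_profiles(SERVICE_PROVIDERS, found))
    print("shared keys:", shared_integration_keys(found))
```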



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-09-07 Thread Brian Gibson

Thanks Travis,

Moving to a newer version of CAS 5 is not an option for us now. Our Duo 
rep said that he has customers doing what I asked but before I bug him 
for help I was hoping someone on this list had this scenario working in 
a 5.1 environment?





On 9/7/2018 2:48 PM, Travis Schmidt wrote:
This PR https://github.com/apereo/cas/pull/3498, against 5.3.x 
addresses this issue.




Re: [cas-user] masquerade as different user

2019-01-22 Thread Brian Gibson

Hi everyone,

Dirk, thanks for all the suggestions, I 'think' I am close. I created 
the c:\etc\cas\config\surrogates.json file and it looks like this...


{
    "bob": ["mary", "jim"]
}

and I am referencing the surrogates.json file from my cas.properties 
file like this...


cas.authn.surrogate.separator=+
cas.authn.surrogate.json.config.location=file:/etc/cas/config/surrogates.json

When I go to log into a service I enter "mary+bob" in the username field 
along with bob's password and I get taken to the service successfully as 
bob (unfortunately not mary) and this is what I see in the logs...





WHO: (Real user: [bob], Surrogate user: [mary])
WHAT: Supplied credentials: [[surrogateUsername=mary]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jan 22 16:14:47 EST 2019
CLIENT IP ADDRESS: 
SERVER IP ADDRESS: 
2019-01-22 16:14:47,559 WARN [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - value and is not collected>




Any ideas on what I'm missing? I don't think I need the 
surrogate-authentication-rest dependencies since I believe that has to 
do with building a web page with surrogate users to choose from and in 
our case we are explicitly referencing the target's name with the 
personA+PersonB syntax.


Thanks!




On 1/11/2019 9:07 AM, Tepe, Dirk wrote:
I can't speak to 5.1.x, we've been experimenting with surrogate since 
5.2 and only using it actively since 5.3.


I can say that any user can be a surrogate, it is not restricted to 
admin users. The only restriction is the authorization.


We use a REST endpoint to authorize surrogate requests. Our POM 
includes both the surrogate-workflow and surrogate-authentication-rest 
dependencies. Could you need another dependency to enable the actual 
authorization? When working on a proof of concept, I used a json file. 
It seemed to provide more flexibility.


If the primary user authentication succeeds, then CAS will need to 
resolve attributes for the given target. If CAS cannot identify the 
given target, I'm not sure what to expect in the logs. A useful test 
is to use the form '+primary_username' which, if the user is 
authorized, will show a list of the users eligible for impersonation.


Also keep in mind that not all properties can be applied on the fly. 
Some changes in the cas.properties file require a restart.


-dirk


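A model of the surrogate credential handling discussed in the message above, as an added example that is not CAS's own code: the `surrogate+primary` form with the `+` separator, the `+primary` form Dirk mentions for listing eligible targets, authorization against the surrogates.json mapping, and an audit line shaped like the one in the log. Function names are the example's own assumptions.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed copy of the surrogates.json from the post: primary -> surrogates.
SURROGATES_JSON = '{"bob": ["mary", "jim"]}'
SEPARATOR = "+"   # cas.authn.surrogate.separator=+


def load_surrogates(text: str) -> Dict[str, List[str]]:
    """Parse the JSON mapping of primary users to the accounts they may act as."""
    return {primary: list(targets) for primary, targets in json.loads(text).items()}


def split_credential(username: str, sep: str = SEPARATOR) -> Tuple[Optional[str], str]:
    """Split the typed username into (surrogate, primary).

    'bob'      -> (None, 'bob')    plain login, no impersonation
    'mary+bob' -> ('mary', 'bob')  bob's password, act as mary
    '+bob'     -> ('', 'bob')      the form Dirk describes for listing choices
    """
    if sep not in username:
        return None, username
    surrogate, _, primary = username.partition(sep)
    return surrogate, primary


def eligible_surrogates(primary: str, mapping: Dict[str, List[str]]) -> List[str]:
    """Accounts the primary user is authorized to impersonate (may be empty)."""
    return list(mapping.get(primary, []))


def authorize(username: str, mapping: Dict[str, List[str]],
              sep: str = SEPARATOR) -> Dict[str, object]:
    """Decide the effective principal once the primary's password has passed.

    Returns the principal the service should see, the real user for the
    audit trail, and an audit line shaped like the one in the post. Raises
    PermissionError when the mapping does not allow the impersonation.
    """
    surrogate, primary = split_credential(username, sep)
    if surrogate is None:
        return {"principal": primary, "real_user": primary, "audit": None}
    choices = eligible_surrogates(primary, mapping)
    if surrogate == "":
        # Selection request: no principal yet, offer the authorized targets.
        return {"principal": None, "real_user": primary, "audit": None,
                "choices": choices}
    if surrogate not in choices:
        raise PermissionError(f"{primary!r} is not authorized to act as {surrogate!r}")
    return {
        "principal": surrogate,
        "real_user": primary,
        "audit": f"WHO: (Real user: [{primary}], Surrogate user: [{surrogate}])",
    }


if __name__ == "__main__":
    mapping = load_surrogates(SURROGATES_JSON)
    print(authorize("mary+bob", mapping))
    print(authorize("+bob", mapping)["choices"])
```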
Re: [cas-user] masquerade as different user

2019-01-23 Thread Brian Gibson

Hi Dirk,

Unfortunately when I add the "cas-server-support-surrogate-webflow" 
dependency to my pom.xml file I get the following error when I do "mvn 
clean package"


[ERROR] Failed to execute goal on project cas-overlay: Could not resolve dependencies for project org.apereo.cas:cas-overlay:war:1.0: Could not find artifact org.apereo.cas:cas-server-support-surrogate-webflow:jar:5.1.2 in sonatype-releases (http://oss.sonatype.org/content/repositories/releases/) -> [Help 1]
[ERROR]

From what I remember reading, the 5.1.x docs only mentioned the 
"cas-server-support-surrogate-authentication" dependency in the 
Surrogate setup directions and the other surrogate webflow and rest 
dependencies only started appearing (I think) in the 5.2 docs and above.





On 1/22/2019 9:05 PM, Tepe, Dirk wrote:
Just to be clear, you did include 
'cas-server-support-surrogate-webflow' in your dependencies, right? 
While you don't need the REST dependency, you do need that one.


-dirk


Re: [cas-user] masquerade as different user

2019-01-10 Thread Brian Gibson

Hi all,

Couple of questions regarding Surrogate Authentication

1. Does the user that logs in have to also be a CAS admin? I'd like to 
map a specific non-admin user to another non-admin user.


2. If I am using LDAP authentication in CAS 5.1.2 do I have to do the 
surrogate mapping via LDAP as well? I've pulled in the surrogate 
dependency in my pom.xml file and added this to my cas.properties file...


cas.authn.surrogate.separator=+
cas.authn.surrogate.simple.surrogates.casuser=mary,bob

I thought I could then put "mary+bob" in the username field along with 
bob's password and I'd be logged in as mary but I just end up getting 
logged in as bob with nothing mentioned about mary in the log files.


Thanks for any help you can provide.


On 1/9/2019 9:29 PM, Tepe, Dirk wrote:
We are successfully using surrogate authentication with CAS 5.3.x. 
Beginning with 5.3.0, the CAS audit log includes the surrogate 
authorization details, which was important for our ISO. There were 
some bumps and changes related to attribute release in the 5.3.x 
releases, so beware.


-dirk


[cas-user] masquerade as different user

2019-01-09 Thread Brian Gibson

Hi all,

Is there a way within a service entry in CAS 5.1 to say that if person A 
logs in successfully, send them to the service as person B?


I checked the 5.1 service-related docs but couldn't find anything.

Thanks,

Brian



Re: [cas-user] masquerade as different user

2019-01-09 Thread Brian Gibson

I think that's it!

Thanks, I'll do some testing and report back.

Appreciate your help.


On 1/9/2019 4:29 PM, David Curry wrote:

I've never played with it myself, but isn't this:

https://apereo.github.io/cas/5.1.x/installation/Surrogate-Authentication.html

what you're talking about?


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL• INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu 
<mailto:david.cu...@newschool.edu>



