Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-22 Thread Charles Le Gallic
Ok thanks. Let me know if you can confirm that current native
implementation is buggy.

Regards,

Charles


12, impasse du Malrigou, 31140 Montberon
cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 


On Wed, 23 May 2018 at 04:46, Christian Poirier wrote:

> Hi Charles
>
> Yes I did, but with my own development and my properties. I will check if
> I can implement with Client Access Strategy by implementing my own SPNEGO
> Service Access Strategy
>
> Christian Poirier
> Mobile: 418-473-2824
>
> 2018-05-22 1:58 GMT-04:00 Charles Le Gallic :
>
>> Hi Christian,
>>
>> Did you manage to make IP-based SPNEGO client selection work on CAS
>> 5.x?
>>
>> In that case, is there any other configuration to set up in addition to
>> the cas.properties configuration?
>>
>> Regards,
>>
>> Charles
>>
>> 
>> 12, impasse du Malrigou, 31140 Montberon
>> 
>> cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 
>>
>>
>> On Fri, 18 May 2018 at 14:14, Christian Poirier wrote:
>>
>>> Hi Charles
>>>
>>> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic.
>>> The webflow logic is built in the code.
>>> I will check if the implementation based on a
>>> RegisteredServiceAccessStrategy is possible.
>>>
>>> Christian Poirier
>>> Mobile: 418-473-2824
>>>
>>> 2018-05-18 1:28 GMT-04:00 Charles Le Gallic :
>>>
 Hi Christian,

 Which version of CAS do you use?

 It seems to be a version below CAS 5.0.x (org.jasig packages and XML
 Spring configurations). SPNEGO client selection strategy was working on the 4.x
 version, but I cannot make it work after having upgraded to CAS 5.1.x.

 Regards,

 Charles

 
 12, impasse du Malrigou, 31140 Montberon
 
 cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 


 On Thu, 17 May 2018 at 15:25, Christian Poirier wrote:

> Hi Nicolas,
>
> In our organization, we need to let the user choose between the
> default login and SPNEGO upon a list of criteria and sometimes we need to
> go directly to the SPNEGO authentication upon other criteria. For this
> feature, I extended the SPNEGO module. I show a button with the label
> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
> expression. When the service matches a regular expression and the IP
> address also matches its regular expression, I force SPNEGO authentication
> without giving the user the chance to authenticate otherwise. If none of
> the previous conditions are present, then the user must authenticate
> normally with his user ID and password.
> If you look at the following webflow, you will find this logic inside.
>
>  "org.jasig.cas.authentication.principal.UsernamePasswordCredentials"
> />
>
> 
>
> 
>
>
>
> 
>
>
> 
>
>    "hasServiceCheck" else="gatewayRequestCheck" />
>
> 
>
>
> 
>
>    "gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>
> 
>
>
> 
>
>    "viewGenericLoginSuccess" />
>
> 
>
>
> 
>
>  ="startAuthenticateCheck" else="generateServiceTicket" />
>
> 
>
>
> 
>
> 
>
>    ="redirect" />
>
> 
>
>
> 
>
> 
>
>    then="generateLoginTicket" else="spnegoForceCheckAction" />
>
> 
>
>
> 
>
> then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>
> 
>
>
> 
>
>
>
>
>
>   
>
> 
>
>
> 
>
> 
>
> 
>
> 
>
>
>   
>
>   
>
> 
>
>
> 
>
>
>
> 
>
>  
>
> 
>
>
> 
>
>   
>
>   
>
> 
>
>
> 
>
>  
>
>
>
>   
>
> 
>
>
> 
>
>  "generateLoginTicketAction.generate(flowRequestContext)" />
>
>
>
> 
>
>
> Here are my new spnego.properties:
> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to
> SPNEGO by changing the success transition of the initialLoginForm action-state
> to startSpnegoAuthenticate
> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate
> the client based on the client action strategy defined in
> evaluateClientActionStrategy.
>
> # 

[cas-user] CAS Login Page Customization

2018-05-22 Thread Lionel Samuel
We are planning on customizing the CAS login page --- would anyone know of
a resource that lists the files for us to update?

I'm a bit lost -- as I don't see a master file that builds the login page
(it's probably me still getting used to the changes from v3 to v5.2).

src/main/resources/messages.properties
src/main/resources/cas-theme-default.properties
src/main/resources/templates/casLoginView.html
src/main/resources/templates/casLoginMessageView.html

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/dd1a0b6a-c288-4d53-b95e-a019905233f8%40apereo.org.


Re: [cas-user] Re: SPNEGO Client Selection Strategy

2018-05-22 Thread Christian Poirier
Hi Charles

Yes I did, but with my own development and my properties. I will check if I
can implement with Client Access Strategy by implementing my own SPNEGO
Service Access Strategy

Christian Poirier
Mobile: 418-473-2824

2018-05-22 1:58 GMT-04:00 Charles Le Gallic :

> Hi Christian,
>
> Did you manage to make IP-based SPNEGO client selection work on CAS 5.x?
>
> In that case, is there any other configuration to set up in addition to
> the cas.properties configuration?
>
> Regards,
>
> Charles
>
> 
> 12, impasse du Malrigou, 31140 Montberon
> 
> cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 
>
>
> On Fri, 18 May 2018 at 14:14, Christian Poirier wrote:
>
>> Hi Charles
>>
>> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. The
>> webflow logic is built in the code.
>> I will check if the implementation based on a
>> RegisteredServiceAccessStrategy is possible.
>>
>> Christian Poirier
>> Mobile: 418-473-2824
>>
>> 2018-05-18 1:28 GMT-04:00 Charles Le Gallic :
>>
>>> Hi Christian,
>>>
>>> Which version of CAS do you use?
>>>
>>> It seems to be a version below CAS 5.0.x (org.jasig packages and XML
>>> Spring configurations). SPNEGO client selection strategy was working on the 4.x
>>> version, but I cannot make it work after having upgraded to CAS 5.1.x.
>>>
>>> Regards,
>>>
>>> Charles
>>>
>>> 
>>> 12, impasse du Malrigou, 31140 Montberon
>>> 
>>> cont...@amoae.com | 06 24 73 04 98 | *amoae.com* 
>>>
>>>
>>> On Thu, 17 May 2018 at 15:25, Christian Poirier wrote:
>>>
 Hi Nicolas,

 In our organization, we need to let the user choose between the default
 login and SPNEGO upon a list of criteria and sometimes we need to go
 directly to the SPNEGO authentication upon other criteria. For this
 feature, I extended the SPNEGO module. I show a button with the label
 "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
 expression. When the service matches a regular expression and the IP
 address also matches its regular expression, I force SPNEGO authentication
 without giving the user the chance to authenticate otherwise. If none of
 the previous conditions are present, then the user must authenticate
 normally with his user ID and password.
 If you look at the following webflow, you will find this logic inside.

 

 

 



 


 

   >>> "hasServiceCheck" else="gatewayRequestCheck" />

 


 

   

 


 

   >>> "viewGenericLoginSuccess" />

 


 

 >>> "startAuthenticateCheck" else="generateServiceTicket" />

 


 

 

   >>> "redirect" />

 


 

 

   >>> ="generateLoginTicket" else="spnegoForceCheckAction" />

 


 



 


 





   

 


 

 

 

 


   

   

 


 



 

  

 


 

   

   

 


 

  



   

 


 

 



 


 Here are my new spnego.properties:

 # cas.authn.spnego.spnegoMode=direct: indicates to go directly to SPNEGO by
 # changing the success transition of the initialLoginForm action-state to
 # startSpnegoAuthenticate
 # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate the client
 # based on the client action strategy defined in evaluateClientActionStrategy.
 # It changes the success transition of the initialLoginForm action-state to
 # evaluateClientRequest
 cas.authn.spnego.spnegoMode=evaluateClient|direct
 # The following property is deprecated
 #cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
 # cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
 # where CAS checks to see if the request's remote hostname matches a
 # predefined pattern
 # cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
 # where CAS checks an LDAP instance for the remote hostname, to locate a
 # pre-defined attribute whose mere existence would allow the webflow to
 # resume to SPNEGO
 cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
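The three outcomes Christian describes (force SPNEGO, offer the Windows-account button, or fall back to the password form), as an added example in plain Python that is neither CAS code nor Christian's extension: the policy class, its field names, the result constants and the sample addresses are constructed here, and the optional hostname gate is only modelled on the hostnameSpnegoClientAction behaviour described in the properties above.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Optional

# Possible outcomes of the evaluation (constructed names, not CAS webflow state ids).
FORCE_SPNEGO = "FORCE_SPNEGO"    # go straight to SPNEGO, no other choice offered
OFFER_SPNEGO = "OFFER_SPNEGO"    # show the "LOGIN WITH MY WINDOWS ACCOUNT" button
PASSWORD_ONLY = "PASSWORD_ONLY"  # normal user ID / password form


@dataclass
class SpnegoClientPolicy:
    """Hypothetical stand-in for the regex properties described in the thread."""
    ip_pattern: str            # remote IPs that are offered the SPNEGO button
    service_pattern: str       # services for which SPNEGO is forced ...
    force_ip_pattern: str      # ... when the remote IP also matches this pattern
    # Optional extra gate in the spirit of hostnameSpnegoClientAction: the
    # reverse-resolved hostname of the client must match this pattern.
    hostname_pattern: Optional[str] = None


def _is_valid_ip(value: str) -> bool:
    r"""Reject anything that is not a real IP literal before regex matching:
    a loose pattern such as \d{1,3} happily matches '10.1.2.300'."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _full_match(pattern: Optional[str], value: Optional[str]) -> bool:
    """Anchored match: with re.search a pattern written for 10.1.2.30 would
    also accept 10.1.2.3 as a prefix hit, so always use fullmatch."""
    if not pattern or value is None:
        return False
    return re.fullmatch(pattern, value) is not None


def reverse_lookup(ip: str) -> str:
    """Default resolver: reverse DNS of the remote address, '' on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


def evaluate_spnego_client(remote_ip: str, service: Optional[str],
                           policy: SpnegoClientPolicy,
                           resolve_hostname: Callable[[str], str] = reverse_lookup) -> str:
    """Return FORCE_SPNEGO, OFFER_SPNEGO or PASSWORD_ONLY for one login request.

    The forced path is checked first so that a matching service/IP pair never
    falls through to the optional button; anything that fails the sanity or
    hostname checks gets the ordinary password form."""
    if not _is_valid_ip(remote_ip):
        return PASSWORD_ONLY
    if policy.hostname_pattern is not None:
        if not _full_match(policy.hostname_pattern, resolve_hostname(remote_ip)):
            return PASSWORD_ONLY
    if (_full_match(policy.service_pattern, service)
            and _full_match(policy.force_ip_pattern, remote_ip)):
        return FORCE_SPNEGO
    if _full_match(policy.ip_pattern, remote_ip):
        return OFFER_SPNEGO
    return PASSWORD_ONLY


if __name__ == "__main__":
    # Constructed policy and requests; the addresses and service are examples only.
    policy = SpnegoClientPolicy(
        ip_pattern=r"10\.1\.\d{1,3}\.\d{1,3}",
        service_pattern=r"https://intranet\.example\.org(/.*)?",
        force_ip_pattern=r"10\.1\.2\.\d{1,3}",
    )
    requests = [
        ("10.1.2.7", "https://intranet.example.org/app"),   # forced
        ("10.1.9.7", "https://intranet.example.org/app"),   # button only
        ("192.0.2.5", "https://intranet.example.org/app"),  # password form
        ("10.1.2.300", "https://intranet.example.org/app"), # invalid address
    ]
    for ip, svc in requests:
        print(f"{ip:12} {svc:40} -> {evaluate_spnego_client(ip, svc, policy)}")
```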

[cas-user] How to Register Custom Account State Handler in CAS 5.2.4

2018-05-22 Thread UVASIREDDY
Hi,

I created CustomAuthenticationResponseHandler with CustomAccountState. I 
added the below to my properties file. It is throwing an "AccountState is null" 
error. The default state handler doesn't have my custom account state.

cas.authn.ldap[1].passwordPolicy.customPolicyClass=com.cga.oms.sso.authentication.handler.AaimsAuthenticationResponseHandler



So, I tried adding my own accountStateHandler for this LDAP. But it is not 
working.

cas.authn.ldap[1].passwordPolicy.accountStateHandler=com.cga.oms.sso.authentication.handler.AaimsAccountStateHandler



Finally I added the below, and the PasswordPolicyControl AccountState is throwing 
the exceptions for ACCOUNT_LOCKED, PASSWORD_EXPIRED and PASSWORD_MUST_CHANGE. 
PPC doesn't support ACCOUNT_DISABLED.

cas.authn.ldap[1].passwordPolicy.policyAttributes.password_expired=javax.security.auth.login.CredentialExpiredException




*I need help with ACCOUNT_DISABLED/ Registering CUSTOMACCOUNTSTATE. *



CAS Properties:

cas.authn.ldap[1].type=AUTHENTICATED

cas.authn.ldap[1].useSsl=false
cas.authn.ldap[1].useStartTls=false
cas.authn.ldap[1].connectTimeout=5000
cas.authn.ldap[1].ldapUrl=ldap\://cgldads:x/
cas.authn.ldap[1].baseDn=DC=x,DC=COM
cas.authn.ldap[1].userFilter=uid={}
cas.authn.ldap[1].bindDn=uid=x,ou=system
cas.authn.ldap[1].bindCredential=xx
cas.authn.ldap[1].principalAttributeId=uid
cas.authn.ldap[1].principalAttributePassword=
cas.authn.ldap[1].principalAttributeList=uid,sn,cn,givenName,mail,title,organizationDescription,pwdLastSet
cas.authn.ldap[1].failFast=false

cas.authn.ldap[1].passwordPolicy.type=GENERIC
cas.authn.ldap[1].passwordPolicy.enabled=true



*Thanks,*

*UV*



[cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

2018-05-22 Thread Fahmi L. Ramdhani
Okay. I will try again and will share the results on this topic. Thank you.



Re: [cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

2018-05-22 Thread Fahmi L. Ramdhani
Okay. I will try again and will share the results on this topic. Thank you.

On Wednesday, 23 May 2018 05:33:37 UTC+7, David Curry wrote:
>
> Check the Tomcat log file (catalina.out) for errors. You should see it 
> starting up the CAS service, etc. Also check the CAS log file.
>
>
> David A. Curry,  CISSP
> Director of Information Security
> The New School - Information Technology
> 71 Fifth Ave., 9th Fl. ~ New York, NY 10003
> +1 212 229-5300 x4728 ~ david...@newschool.edu 
> Sent from my phone; please excuse typos and inane auto-corrections.
> 
>
> On Tue, May 22, 2018, 18:28 Fahmi L. Ramdhani wrote:
>
>> Hello,
>>
>> After I tried the guide from 
>> https://dacurry-tns.github.io/deploying-apereo-cas, the overall setup had no 
>> problem. My virtual address is at https://cas.example.org:8443/cas/login
>>
>> # cd mycas
>> # ./mvnw clean package
>> # sudo sh ./cassrv-tarball.sh (result is success)
>> # sudo sh ./cassrv-install.sh (result is "installation completed")
>>
>> After that I open my virtual address URL 
>> https://cas.example.org:8443/cas/login, but it is not accessible (it seems 
>> the port is not active). Why does the Tomcat service not run on port 8443, 
>> even though the Tomcat service is active (green)?
>>
>> Thanks for help
>>



Re: [cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

2018-05-22 Thread Fahmi L. Ramdhani
Okay. I will try again and will share the results on this topic. Thank you.

2018-05-23 5:33 GMT+07:00 David Curry :

> Check the Tomcat log file (catalina.out) for errors. You should see it
> starting up the CAS service, etc. Also check the CAS log file.
>
>
> David A. Curry,  CISSP
> Director of Information Security
> The New School - Information Technology
> 71 Fifth Ave., 9th Fl. ~ New York, NY 10003
> 
> +1 212 229-5300 x4728 ~ david.cu...@newschool.edu
> Sent from my phone; please excuse typos and inane auto-corrections.
>
>
> On Tue, May 22, 2018, 18:28 Fahmi L. Ramdhani wrote:
>
>> Hello,
>>
>> After I tried the guide from https://dacurry-tns.github.io/
>> deploying-apereo-cas, the overall setup had no problem. My virtual address is at
>> https://cas.example.org:8443/cas/login
>>
>> # cd mycas
>> # ./mvnw clean package
>> # sudo sh ./cassrv-tarball.sh (result is success)
>> # sudo sh ./cassrv-install.sh (result is "installation completed")
>>
>> After that I open my virtual address URL https://cas.example.org:8443/
>> cas/login, but it is not accessible (it seems the port is not active). Why does
>> the Tomcat service not run on port 8443, even though the Tomcat service is active (green)?
>>
>> Thanks for help
>>



-- 

*Sentrasoft*
www.sentrasoft.com



Re: [cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

2018-05-22 Thread David Curry
Check the Tomcat log file (catalina.out) for errors. You should see it
starting up the CAS service, etc. Also check the CAS log file.


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.


On Tue, May 22, 2018, 18:28 Fahmi L. Ramdhani <
fahmilestianramdh...@gmail.com> wrote:

> Hello,
>
> After I tried the guide from
> https://dacurry-tns.github.io/deploying-apereo-cas, the overall setup had no
> problem. My virtual address is at https://cas.example.org:8443/cas/login
>
> # cd mycas
> # ./mvnw clean package
> # sudo sh ./cassrv-tarball.sh (result is success)
> # sudo sh ./cassrv-install.sh (result is "installation completed")
>
> After that I open my virtual address URL
> https://cas.example.org:8443/cas/login, but it is not accessible (it seems the
> port is not active). Why does the Tomcat service not run on port 8443, even
> though the Tomcat service is active (green)?
>
> Thanks for help
>



[cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

2018-05-22 Thread Fahmi L. Ramdhani
Hello,

After I tried the guide from 
https://dacurry-tns.github.io/deploying-apereo-cas, the overall setup had no 
problem. My virtual address is at https://cas.example.org:8443/cas/login

# cd mycas
# ./mvnw clean package
# sudo sh ./cassrv-tarball.sh (result is success)
# sudo sh ./cassrv-install.sh (result is "installation completed")

After that I open my virtual address URL 
https://cas.example.org:8443/cas/login, but it is not accessible (it seems the 
port is not active). Why does the Tomcat service not run on port 8443, even 
though the Tomcat service is active (green)?

Thanks for help



Re: [cas-user] Service Manager question

2018-05-22 Thread Sam Erie
So I tried putting in a simple test.war that I know can be served from my
local version of tomcat. When I use cas with ./build.sh run I am able to
access the cas webapp from my browser. After the build I have tried putting
test.war into /cas-overlay-template/target/test.war by the cas.war. I also
tried putting it into
/cas-overlay-template/build/tomcat/work/Tomcat/localhost/test/test.war.

It serves cas with a nice 302 in the access logs, but test gets a 404.

I don't see a place to put it, like my local tomcat has a webapps folder. I
have not tried it with the cas-management.war yet because I am having build
problems. I think I need to try the gradle build, as the maven is giving me
issues.

Am I missing something, like does cas' embedded tomcat need the war in a
special format? Or did I misunderstand you and I do need to run these from
my own local tomcat?


On Mon, May 21, 2018 at 5:35 PM, Mailvaganam, Hari 
wrote:

> >Is this the intended replacement service manager?
>
> Yes --- for management via a UI
>
> >I could imagine just adding the war to the work directory of the cas
> tomcat build, but the build folder doesn't contain cas.war, or any tomcat
> config files,
>
> Drop in the WAR file after build --- default name is 'cas-management'
>
> You will have 2 paths in same tomcat ---
>
> hxxps://foobar/cas
> hxxps://foobar/cas-management
>
> --
> *From:* cas-user@apereo.org [cas-user@apereo.org] on behalf of Sam Erie [
> se...@alaska.edu]
> *Sent:* Monday, May 21, 2018 15:53
> *To:* cas-user@apereo.org
> *Subject:* [cas-user] Service Manager question
>
> I am attempting to recreate my university's cas installation from version
> 3.5 currently in production to the new 5.2. The service manager in use now
> uses j_acegi_cas_security_check. As far as I can tell from the
> documentation this has been separated into a new webapp, which I am
> currently exploring at https://github.com/apereo/cas-management-overlay.
>
> Is this the intended replacement service manager?
>
> Assuming that it is I need to plan how to run these webapps from a single
> server. Initially I was planning to use the maven cas-overlay's embedded
> tomcat server to serve cas. Ideally the server would not need to run two
> instances of tomcat. If I was to run only the executable war for cas is
> there a way to package the cas-management.war and run it from the cas
> embedded tomcat?
>
> I could imagine just adding the war to the work directory of the cas
> tomcat build, but the build folder doesn't contain cas.war, or any tomcat
> config files, so I am a little confused as to how this would work.
>
> Is there some intended way to do this I am overlooking? Or is the best
> option to just package both webapps to run on my own servlet container, and
> run from a locally installed tomcat on my server?
>



Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
So, you have

cas.authn.attributeRepository.jdbc[0].username=email


in *cas.properties*? I didn't see it in the ones you copied/pasted earlier.

Dumb question, but if you connect to the database using the same user and
password that you have CAS configured to use, and you run

SELECT * FROM app_user WHERE email = 'jdgio...@gmail.com';


do you get your attributes?

And...assuming you own the database, can you enable query logging on that
end? Or make the JDBC library log what it's doing?


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

[image: The New School]


On Tue, May 22, 2018 at 1:18 PM John D Giotta  wrote:

> My "username" column is called email, but even with your suggestions I
> still get the following DEBUG output in logs.
>
> Found [0] attributes for principal [jdgio...@gmail.com] from the
> attribute repository.
>
> This is why I think there is something wrong with the query. Log level is set
> to debug, but I still don't see queries. I even set debug on
> org.springframework.orm.jpa for good measure.
>



Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread Ray Bon
John,

You may be able to set 'show_sql' for hibernate. CAS properties has 
'Hibernate-specific properties' but I have not used this.

Ray

On Tue, 2018-05-22 at 10:18 -0700, John D Giotta wrote:
My "username" column is called email, but even with your suggestions I still 
get the following DEBUG output in logs.

Found [0] attributes for principal [jdgio...@gmail.com] from the attribute 
repository.

This is why I think there is something wrong with the query. Log level is set to 
debug, but I still don't see queries. I even set debug on 
org.springframework.orm.jpa for good measure.

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread John D Giotta
My "username" column is called email, but even with your suggestions I 
still get the following DEBUG output in logs.

Found [0] attributes for principal [jdgio...@gmail.com] from the attribute 
repository.

This is why I think there is something wrong with the query. Log level is set 
to debug, but I still don't see queries. I even set debug on 
org.springframework.orm.jpa for good measure.



Re: [cas-user] CAS Logout Issue

2018-05-22 Thread Ray Bon
Ramakrishna,

This now sounds like an issue on the client side. I have not used mod_auth_cas. 
Try debugging it and your client for how they handle the logout request.

Ray

On Tue, 2018-05-22 at 15:41 +0530, Ramakrishna G wrote:
Ray,

I was able to solve the SSL issue using openssl. Now I am using https at both 
ends with a valid certificate.

But my original problem of CAS not logging out still persists.

On Sat, May 19, 2018 at 4:51 PM, Ramakrishna G 
> wrote:
Ray,

I configured ssl as advised by you. Now I have a different issue.

When I use CASValidateURL with an https URL I get this Unauthorized error. If I 
remove https it works, but the logout issue still persists:
Unauthorized

This server could not verify that you are authorized to access the document 
requested. Either you supplied the wrong credentials (e.g., bad password), or 
your browser doesn't understand how to supply the credentials required.


I am sharing my config

CASCookiePath /var/cache/mod_auth_cas/

CASCertificatePath  /etc/httpd/conf/casdev.crt

CASLoginURL https://192.168.111.12:8443/cas/login

CASRootProxiedAs https://192.168.111.12:8443

CASValidateURL  https://192.168.111.12:8443/cas/serviceValidate

#CASValidateURL http://192.168.111.12:/cas/serviceValidate // Tomcat http 
port 

CASValidateSAML Off

CASSSOEnabled On


   SSLProxyEngine on
   SSLProxyVerify none
   SSLProxyCheckPeerCN off
   SSLProxyCheckPeerName off
   SSLProxyCheckPeerExpire off
   Loglevel debug

AllowOverride
AuthType CAS
require valid-user
CASRenew On
ProxyPass http://192.168.111.10/
ProxyPassReverse http://192.168.111.10/


Require all granted
ProxyPass https://192.168.111.12:9443/cas  // Tomcat https port 
9443
ProxyPassReverse https://192.168.111.12:9443/cas





On Fri, May 18, 2018 at 8:50 PM, Ray Bon wrote:
Ramakrishna,

During log out when CAS contacts your service (where mod_auth_cas is), it does 
so with https. You need to install the custom certificate that is on your 
service into the jvm running CAS.

sudo keytool -import -file ${certName} -alias ${aliasName} -keystore 
$JAVA_HOME/jre/lib/security/cacerts

https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl

Ray

On Fri, 2018-05-18 at 11:04 +0530, Ramakrishna G wrote:
Ray,

Let me explain my architecture to you. I have a CAS client (mod_auth_cas) which 
redirects to an NGINX load balancer. The nginx forwards to one of the active CAS 
servers. Do I need to install certificates on all CAS servers?

Users request Mod_auth_cas via HTTPS, but I am doing SSL stripping for 
internal communication from Nginx to the CAS server, i.e. plain http communication 
is happening from nginx to the CAS server.

Can you please guide me on how I can achieve logout with my approach?

On Thu, May 17, 2018 at 9:49 PM, Ray Bon wrote:
Ramakrishna,

Add this to the log config:



The above may produce a lot of messages.
It looks to be a problem with CAS contacting your client. It could be a 
certificate issue.
I guess you created a certificate since it is on a 192 IP. Did you add the 
certificate to the Java keystore? If CAS and your client are on different 
machines, then the certificate will need to be added to both.

Ray

On Thu, 2018-05-17 at 12:01 +0530, Ramakrishna G wrote:
Hi Ray,

As said by you, I enabled logs and this is the output

2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager] - 

2018-05-17 11:50:46,501 DEBUG 
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=,principal=casuser,loggedOutAlready=false,format=XML]]...>
2018-05-17 11:50:46,503 DEBUG 
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=,principal=casuser,loggedOutAlready=false,format=XML]]
 supports single logout and is found in the registry as [id=1001,name=HTTPS 
and IMAPS,description=This service definition authorizes all application urls 
that support HTTPS and IMAPS 

Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
I'm pretty sure that if you enable debug-level logging on
org.apereo.services.persondir in */etc/cas/config/log4j2.xml*, you'll see
the SQL query in *cas.log*. You can do that most easily by changing this
line near the top of the file:

warn

to:

debug

You shouldn't even need to restart the server, just wait 5-10 seconds for
it to re-check the logging config file.

But you sparked my curiosity (not the least because I actually did figure
this out once a long time ago for CAS 3.5), so I dug around a bit. The
documentation for the SingleRowJdbcPersonAttributeDao (which is what you're
ultimately configuring) is here:
https://wiki.jasig.org/display/PDM15/JDBC+Attribute+Source.

According to that, the attributes are going to be fetched with a SQL query
like SELECT * FROM USER_DATA WHERE {0} and, by default, the {0} is going to
be replaced with username=*value* (where *value* is the name of the user
you're looking for). If the column in your database that contains the
username is called something other than username, you can change that with
a queryAttributeMapping definition:








(The above will change the {0} from username=*value* to uid=*value*.)

So, reading the CAS documentation here:
https://apereo.github.io/cas/development/installation/Configuration-Properties.html#jdbc
it looks to me like you need this setting:

cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM app_user WHERE {0}


(I know your current setting lists the columns you want, but I would
suggest starting with this until it works, and then tweak it down if you
really need to.) And, since your app_user table, as near as I can guess,
doesn't have a column named username, you need to set the column you want
to use (this is the equivalent of the queryAttributeMapping XML above):

cas.authn.attributeRepository.jdbc[0].username=id


I might be wrong about the setting above; you might want email in there
instead of id, since that's what your authentication query is using (the
value it's matching against is, I believe, whatever the user is typing in
as his/her username).

The other part of the SingleRowJdbcPersonAttributeDao discussed in the
documentation is the part that maps database column names (the keys) to
attribute names (the values):










That's covered by the other properties we talked about yesterday:

cas.authn.attributeRepository.jdbc[0].attributes.id=uid
cas.authn.attributeRepository.jdbc[0].attributes.first_name=givenName
cas.authn.attributeRepository.jdbc[0].attributes.email=emailaddress
cas.authn.attributeRepository.jdbc[0].attributes.last_name=surname


The database column names are on the left-hand side of the '=', and the
attribute names (what the client application gets) are on the right-hand
side.

Please note that the above is from my reading the documentation only (well,
and getting it working once several years ago on CAS 3.5). I don't have a
CAS-with-JDBC instance configured to try it out on. But hopefully it points
you in the right direction, at least.

Good luck,
--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




On Mon, May 21, 2018 at 10:26 PM John D Giotta  wrote:

> Is there any way to show the sql used to get user attributes?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAOWst8n-UX6rYnjNraSQa0RbVM7t4-Oz47hw-YMousK%3Dw%40mail.gmail.com.
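
As an added illustration (not David's code and not the CAS or Person Directory
implementation), the following Python simulates what the jdbc[0] properties above
configure: the {0} placeholder replaced by a match on the configured username column,
the principal id bound as a query parameter, and database columns renamed to CAS
attribute names. The app_user table, its row and the pw_hash column are constructed
for the example.

```python
import sqlite3
# Constructed copy of the properties discussed in the message (not a real deployment).
CAS_PROPERTIES = """
cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM app_user WHERE {0}
cas.authn.attributeRepository.jdbc[0].username=id
cas.authn.attributeRepository.jdbc[0].attributes.id=uid
cas.authn.attributeRepository.jdbc[0].attributes.first_name=givenName
cas.authn.attributeRepository.jdbc[0].attributes.email=emailaddress
cas.authn.attributeRepository.jdbc[0].attributes.last_name=surname
"""
PREFIX = "cas.authn.attributeRepository.jdbc[0]."


def parse_jdbc_properties(text):
    # SQL template, the column matched against the principal id, and the column -> attribute map.
    cfg = {"sql": None, "username": "username", "attributes": {}}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or not key.startswith(PREFIX):
            continue
        key = key[len(PREFIX):]
        if key.startswith("attributes."):
            cfg["attributes"][key[len("attributes."):]] = value
        elif key in ("sql", "username"):
            cfg[key] = value
    return cfg


def build_query(cfg):
    # {0} becomes "<column> = ?". The column name is operator config, so it is checked as an
    # identifier; the principal id is user input, so it is bound as a parameter, never spliced in.
    col = cfg["username"]
    if not col.isidentifier():
        raise ValueError("query column must be a plain identifier: %r" % col)
    return cfg["sql"].replace("{0}", col + " = ?")


def fetch_attributes(conn, cfg, principal_id):
    # Run the query for one principal; release only mapped columns, renamed to CAS attribute names.
    cur = conn.execute(build_query(cfg), (principal_id,))
    row = cur.fetchone()
    if row is None:
        return {}
    raw = dict(zip([d[0] for d in cur.description], row))
    return {attr: raw[col] for col, attr in cfg["attributes"].items() if col in raw}


def demo_connection():
    # In-memory app_user table with a constructed row standing in for the poster's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (id TEXT, first_name TEXT, last_name TEXT, email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO app_user VALUES ('jdoe', 'John', 'Doe', 'jdoe@example.com', 'constructed')")
    return conn
```

Columns that are not listed under attributes.<column> (here pw_hash) are never released to the client application, and a lookup for an unknown principal returns no attributes.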


Re: [cas-user] CAS Logout Issue

2018-05-22 Thread Ramakrishna G
Ray,

I was able to solve the SSL issue using openssl. Now I am using https at
both ends with a valid certificate.

But my original problem of CAS not logging out still persists.

On Sat, May 19, 2018 at 4:51 PM, Ramakrishna G  wrote:

> Ray,
>
> I configured ssl as advised by you. Now I have a different issue.
>
> When I use CASValidateURL with an https URL I get this Unauthorized error. If
> I remove https it works, but the logout issue still persists: Unauthorized
>
> This server could not verify that you are authorized to access the
> document requested. Either you supplied the wrong credentials (e.g., bad
> password), or your browser doesn't understand how to supply the credentials
> required.
>
>
> I am sharing my config
>
> CASCookiePath /var/cache/mod_auth_cas/
>
> CASCertificatePath  /etc/httpd/conf/casdev.crt
>
> CASLoginURL https://192.168.111.12:8443/cas/login
>
> CASRootProxiedAs https://192.168.111.12:8443
>
> CASValidateURL  https://192.168.111.12:8443/cas/serviceValidate
>
> #CASValidateURL http://192.168.111.12:/cas/serviceValidate // *Tomcat http port*
>
> CASValidateSAML Off
>
> CASSSOEnabled On
> 
>SSLProxyEngine on
>SSLProxyVerify none
>SSLProxyCheckPeerCN off
>SSLProxyCheckPeerName off
>SSLProxyCheckPeerExpire off
>Loglevel debug
> 
> AllowOverride
> AuthType CAS
> require valid-user
> CASRenew On
> ProxyPass http://192.168.111.10/
> ProxyPassReverse http://192.168.111.10/
> 
> 
> Require all granted
> ProxyPass https://192.168.111.12:9443/cas  *// Tomcat https port 9443*
> ProxyPassReverse https://192.168.111.12:9443/cas
> 
>
> 
>
>
> On Fri, May 18, 2018 at 8:50 PM, Ray Bon  wrote:
>
>> Ramakrishna,
>>
>> During log out when CAS contacts your service (where mod_auth_cas is), it
>> does so with https. You need to install the custom certificate that is on
>> your service into the jvm running CAS.
>>
>> sudo keytool -import -file ${certName} -alias ${aliasName} -keystore
>> $JAVA_HOME/jre/lib/security/cacerts
>>
>> https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl
>>
>> Ray
>>
>> On Fri, 2018-05-18 at 11:04 +0530, Ramakrishna G wrote:
>>
>> Ray,
>>
>> Let me explain my architecture to you. I have a CAS client (mod_auth_cas)
>> which redirects to an NGINX load balancer. The nginx forwards to one of the
>> active CAS servers. Do I need to install certificates on all CAS servers?
>>
>> Users request Mod_auth_cas via HTTPS, but I am doing SSL stripping for
>> internal communication from Nginx to the CAS server, i.e. plain http
>> communication is happening from nginx to the CAS server.
>>
>>
>> Can you please guide me on how I can achieve logout with my approach?
>>
>> On Thu, May 17, 2018 at 9:49 PM, Ray Bon  wrote:
>>
>> Ramakrishna,
>>
>> Add this to the log config:
>>
>> 
>>
>> The above may produce a lot of messages.
>> It looks to be a problem with CAS contacting your client. It could be a
>> certificate issue.
>> I guess you created a certificate since it is on a 192 IP. Did you add
>> the certificate to the Java keystore? If CAS and your client are on
>> different machines, then the certificate will need to be added to both.
>>
>> Ray
>>
>> On Thu, 2018-05-17 at 12:01 +0530, Ramakrishna G wrote:
>>
>> Hi Ray,
>>
>> As said by you, I enabled logs and this is the output
>>
>> 2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager]
>> - > **eGcHG1JqHs-client]>
>> 2018-05-17 11:50:46,501 DEBUG [org.apereo.cas.logout.Default
>> SingleLogoutServiceMessageHandler] - > service [org.apereo.cas.authentication.principal.SimpleWebApplicatio
>> nServiceImpl@432f5faa[id=https://192.168.111.12:8443/,origin
>> alUrl=https://192.168.111.12:8443/,*artifactId=*,
>> principal=casuser,loggedOutAlready=false,format=XML]]...>
>> 2018-05-17 11:50:46,503 DEBUG [org.apereo.cas.logout.Default
>> SingleLogoutServiceMessageHandler] - > [org.apereo.cas.authentication.principal.SimpleWebApplicatio
>> nServiceImpl@432f5faa[id=https://192.168.111.12:8443/,origin
>> alUrl=https://192.168.111.12:8443/,artifactId=,
>> principal=casuser,loggedOutAlready=false,format=XML]] supports single
>> logout and is found in the registry as [id=1001,name=HTTPS and
>> IMAPS,description=This service definition authorizes all application urls
>> that support HTTPS and IMAPS protocols.,serviceId=^(https|i
>> maps)://.*,usernameAttributeProvider=org.apereo.cas.services
>> .DefaultRegisteredServiceUsernameProvider@d,theme=,
>> evaluationOrder=1,logoutType=BACK_CHANNEL,attributeRelea
>> sePolicy=org.apereo.cas.services.ReturnAllowedAttributeRelea
>> sePolicy@15646ed9[attributeFilter=,principalAttributes
>> Repository=org.apereo.cas.authentication.principal.Defau
>> ltPrincipalAttributesRepository@7923006f[],authorizedToRelea