Re: [cas-user] [CAS 6.1.X] LDAP Required Configuation Properties.

Is jvdaggett a member of ou=Staff,dc=,dc=,dc=on,dc=ca ? I assume so, but it seems worth double checking. One difference between your dnFormat and my own, is I've just got: cas.authn.ldap[0].SearchFilter: sAMAccountName={user}cas.authn.ldap[0].baseDn:

[cas-user] CAS does not return LDAP attributes for Safari user

Hi everyone, I'm wondering if anyone else has seen something like this: (Environment: CAS 5.3.15.1, AD auth, Hazelcast ticket registry.) I had a report of someone not being able to access a particular service after successfully logging in to CAS (using Safari on iPad and iPhone). It

Re: [cas-user] CAS 5.2.2 SAML IdP vs. Workday

Dave, Huge help, as always! Thank you for your post regarding Workday config. Matt U. On Wednesday, March 14, 2018 at 10:26:22 AM UTC-6, David Curry wrote: > > Following up my own post to document how we solved this for posterity (or > at least for the next person who has the problem and

Re: [cas-user] environment variables in custom_messages.properties

Maybe in your setenv.sh or catalina.properties you might try something like this: export JAVA_OPTS="$JAVA_OPTS -Dcas.env.clusterNodeName=${SOME_VARIABLE_OR_STATIC_VALUE}" Matt Uribe ERP Architect/Administrator Information Technology Aims Community College 970.339.6375 matthew.ur...@aims.edu

[cas-user] Re: Hazelcast with Hybrid CAS deployment

We recently went live with a hybrid CAS (5.3.12.1) deployment using Azure. We have one CAS node inside our network, and 2 in Azure. They replicate sessions using Hazelcast. We have our internal DNS directing on-prem traffic to our local CAS node, and any traffic from public IP addresses goes

[cas-user] Re: service definition (in json) with system/environment variable

I've not tried this for the json service registry files, but I do use some system variables in my cas.properties. In order to do so, you have to set it in JAVA_OPTS So, for the example in Nebil's post, assume ${path.system.variable} should be set to a path matching the $HOSTNAME of the host:

Re: [cas-user] Re: CAS 6.0 How to authenticate user/password with LDAP

ENT IP ADDRESS: XXX > SERVER IP ADDRESS: XX > = > > I'm also trying to have more debug log... > > Le vendredi 11 octobre 2019 15:51:40 UTC+2, Matthew Uribe a écrit : >> >> What kind of errors are you seeing in cas.log? >&g

Re: [cas-user] Re: CAS 6.0 How to authenticate user/password with LDAP

What kind of errors are you seeing in cas.log? Matt Uribe ERP Architect/Administrator Information Technology Aims Community College 970.339.6375 matthew.ur...@aims.edu 5401 W. 20th Street Greeley, CO, 80634

[cas-user] Re: CAS 6.0 How to authenticate user/password with LDAP

It looks like you're using ldap, rather than ldaps. Is that correct? I recall when I was doing that I had to explicitly tell CAS not to encrypt the traffic. I think just providing ldap://server in the ldapUrl is not enough to prevent CAS from trying to connect securely. This is back when I

[cas-user] Re: 500 Session Limit in SSO Session Report?

Update: I just checked in on my prod, single node CAS deployment, and it shows 592 total SSO sessions in the Dashboard (CAS 5.2.6). On Monday, October 7, 2019 at 3:00:58 PM UTC-6, Matthew Uribe wrote: > > Hi everyone. > > I've been using a single node for CAS over the last yea

[cas-user] 500 Session Limit in SSO Session Report?

Hi everyone. I've been using a single node for CAS over the last year or so. Now that we are wanting to load balance our CAS workload, I have configured Hazelcast, per the documentation, and have been quite satisfied with the ease of setup. However, in load testing, I've noticed that the most

Re: [cas-user] Re: Connection refused / Your account is forbidden to login at this thime

Just my initial thoughts: is there an expired SSL cert or a closed port in a firewall? The connection refused seems to indicate something possibly along those lines. On Fri, Aug 30, 2019, 3:23 AM Samuel GARÇON wrote: > Hi, > > I'm sorry to post again, but i really need some help. > > Thanks, >

Re: [cas-user] Re: CAS logging analysis

port such attempts to the Help Desk (x6380).* On Mon, Aug 26, 2019 at 5:05 PM Daniel Ellentuck wrote: > Hi Trenton, Matthew, > > In CAS 5.3: > cas.audit.slf4j.useSingleLine=true > > ... > > Dan Ellentuck > Columbia University I.T. > > > On Mon, Aug 26, 2019 at 6:

[cas-user] Re: CAS logging analysis

Trenton, What version of CAS are you on? When we were on 5.2, we had a line in our cas.properties which made the logging all on one line: cas.audit.useSingleLine=true However, since having gone to CAS 5.3, that property seems to have gone away. I've yet to dig into log4j2.xml to get the same

Re: [cas-user] Re: CAS management

me ext4 rw,relatime 0 0 > /dev/mapper/casermgnt--vg-tmp /tmp ext4 rw,relatime 0 0 > /dev/mapper/casermgnt--vg-var /var ext4 rw,relatime 0 0 > tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=204240k,mode=700, > uid=1000,gid=1000 0 0 > > We can see that the /var is in rw. > &

Re: [cas-user] Re: CAS management

Alain, Your fstab file shows that /var should be mounting correctly, but a file system can become read-only for any number of reasons. If it is in fact read only, then any user, even root, would not be able to write to it. You could try the following command from the directory

Re: [EXT] [cas-user] which version of SAML do I have

Your SAML IDP metadata should be available at cas_server/cas/idp/metadata and should contain lines similar to the following: urn:oasis:names:tc:SAML:2.0:metadata urn:oasis:names:tc:SAML:2.0:bindings . . . Would that be proof enough? On Tuesday, July 16, 2019 at 9:13:42 AM UTC-6,

[cas-user] Re: Repeated Authentication Required when Duo Enabled

, Matthew Uribe wrote: > > Hello Community, > > We use Duo for 2FA and have successfully used it with CAS for a single > application. Recently we decided to enable 2FA for all applications using > cas.authn.mfa.globalProviderId=mfa-duo and are now finding that each >

[cas-user] Repeated Authentication Required when Duo Enabled

Hello Community, We use Duo for 2FA and have successfully used it with CAS for a single application. Recently we decided to enable 2FA for all applications using cas.authn.mfa.globalProviderId=mfa-duo and are now finding that each application requires that the user authenticate to the CAS

[cas-user] Re: Connecting SAML SP to CAS 6

" > > > > Am Donnerstag, 6. Juni 2019 20:14:39 UTC+2 schrieb Matthew Uribe: >> >> Is there any other simplistic service I could try to see if CAS loads >>> anything correct? >> >> >> That same tutorial you mentioned contains steps for setting u

[cas-user] Re: Connecting SAML SP to CAS 6

tomcat user. > But I checked the file, it's owned by the root user. > I then checked the process running the war file environment in the jdk > folder - it is also the root user. > > Am Donnerstag, 6. Juni 2019 15:37:05 UTC+2 schrieb Matthew Uribe: >> >> Is the devConf

[cas-user] Re: SAMLReponse Add new Attributes

Same as Andy, I have CAS 5 working as SAML IdP. But I assume there are others here doing so with CAS 6. In any case, I noticed in your log that your issuer is "localhost:8443/cas/idp". Do you have your cas.server.name and related properties set? It looks like it's creating the SAML response,

[cas-user] Re: Connecting SAML SP to CAS 6

Is the devConfluence-1558621301329267.json file readable for whatever user/service is running CAS? When I forget to change ownership of my json files to the tomcat user, I run into the same issue. On Thursday, June 6, 2019 at 7:06:50 AM UTC-6, Fabian Schipp wrote: > > Hi everyone, > > I am

[cas-user] Re: SAMLReponse Add new Attributes

Do you have any other SPs working with this CAS instance, or is this your first? On Tuesday, June 4, 2019 at 3:33:55 AM UTC-6, Andrey Seledkov wrote: > > Nothing helps > > my property file has next properties > > cas.authn.samlIdp.entityId=${cas.server.prefix}/idp >

[cas-user] Re: SAMLReponse Add new Attributes

TC-6, Andrey Seledkov wrote: > > Cas version is 6 > > > Nothing changed , i got SamlResponse without new attributes > > Maybe i miss something > > > понедельник, 3 июня 2019 г., 18:39:20 UTC+3 пользователь Matthew Uribe > написал: >> >> Andrey, >

[cas-user] Re: SAMLReponse Add new Attributes

se fisrtName and lastName which I > retrieved from database > > понедельник, 3 июня 2019 г., 17:00:20 UTC+3 пользователь Matthew Uribe > написал: >> >> Andrey, >> >> I don't know what version of CAS you're on, but for me, on CAS 5.2.x, I >> have the f

[cas-user] Re: SAMLReponse Add new Attributes

Andrey, I don't know what version of CAS you're on, but for me, on CAS 5.2.x, I have the following json for one of our SPs: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "service-id-here", "name" : "name-here", "id" : 1001, "metadataLocation"

[cas-user] Re: End of life Oracle java 8 - Apereo choices

Linda, If you're on RHEL 7, then OpenJDK 8 is supported until June 2023 https://access.redhat.com/articles/1299013 On Wednesday, May 22, 2019 at 1:21:30 PM UTC-6, lttoth wrote: > > Hello > > We are still moving at glacial speed to upgrade to 5.2.4. What are > subsequent versions of CAS

[cas-user] Re: CAS documentation for a new user is terrible

Va, I would like to mention that your complaint is about a product that you get to use *for free*. I support some paid software with worse documentation. I do understand the frustration, as the learning curve is steep, but that's where this community comes in. Everyone here tries to be very

[cas-user] Re: CAS 5.2 and AD - Auth fail for just one OU

are able to sign in to domain joined workstations. On Monday, March 25, 2019 at 3:08:11 PM UTC-6, Matthew Uribe wrote: > > Hi everyone, > > I'm only just beginning to use AD with my CAS 5.2 deployment, and with the > information in many previous posts here, I've been successful i

[cas-user] Re: What do you use for CAS auditing?

We already had Logrhythm running, so it made sense to send logs over to that. I'm using syslog to get them over there. I don't manage Logrhythm, but from what I understand, they just had to setup a template on their end to parse the CAS logs. On Tuesday, March 26, 2019 at 9:02:40 AM UTC-6,

Re: [cas-user] CAS 5.2 and AD - Auth fail for just one OU

e; please excuse typos and inane auto-corrections. > > > On Mon, Mar 25, 2019, 17:08 Matthew Uribe > wrote: > >> Hi everyone, >> >> I'm only just beginning to use AD with my CAS 5.2 deployment, and with >> the information in many previous posts here, I've been succ

[cas-user] CAS 5.2 and AD - Auth fail for just one OU

Hi everyone, I'm only just beginning to use AD with my CAS 5.2 deployment, and with the information in many previous posts here, I've been successful in authenticating users in CAS with their AD accounts. There is one exception, however, and that is the Active Students OU. Accounts in that OU

[cas-user] Re: Need to upgrade CAS 5.1.4 to 5.3.8

Pameliya, What details do you have about your current deployment? Is it running in Tomcat? Do you have access to the overlay that was used to build the current deployment or the current cas.properties file? Being new to CAS it might be helpful to have a start to finish guide, such as David

[cas-user] Re: Anyone using ellucian banner 9 apps with saml on cas?

Robert, We looked at going 100% SAML2 about a year ago, and Banner was the single sticking point for us. At this time, we are still using CAS 5, and the CAS protocol for Banner 9. It's good to know that there may be complications with CAS 6. While we were trying to make Banner work with SAML2

Re: [cas-user] Re: How to register a service in CAS while using SAM2.0 protocol

I don't think you can use regex in the service id for SAML services. You have to specify the service name exactly. On Fri, Feb 22, 2019, 2:31 AM Pameliya Mukherjee < pameliya.mukherj...@gmail.com> wrote: > I am using CAS 5.3.8. > > I have created the service like below and kept the file in >

Re: [cas-user] Format of Logs Routed to SysLog

MMM dd HH:mm:ss} ${hostName} CAS: %c > %replace{%m}{\n+}{31CAS: TRACE: }%n > > > > Ray > > On Thu, 2019-02-14 at 07:40 -0800, Matthew Uribe wrote: > > Hi all, > > We've just recently added the appender and logger to log4j2.xml referred > to

[cas-user] Format of Logs Routed to SysLog

Hi all, We've just recently added the appender and logger to log4j2.xml referred to in the documentation to route logs to SysLog (CAS 5.2.x). However, each individual line is being sent as a separate log entry. Is there a way to keep all the relevant lines for an entry together? For example,

Re: [cas-user] Re: making an extra LDAP attribute visible via CAS

org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - > displayname=Tackett, Zachary, givenName=Zachary, > LdapAuthenticationHandler.dn=cn=tackettz,ou=Office365,dc=marshall,dc=edu, > sAMAccountName=tackettz, sn=Tackett, > UDC_IDENTIFIER=1D89EC8ECD92959EE050650AEC077B26} with creden

Re: [cas-user] Re: making an extra LDAP attribute visible via CAS

Hi Zach, I think you're leaving everyone here in the position of having to assume which version of CAS you're using, as well as what you currently have in place. Do you have a working CAS server now? What version are you working on? Thanks, Matt On Tuesday, November 13, 2018 at 8:08:08 AM

Re: [cas-user] Force service to authenticate every time from server side?

Hi David, FWIW we've been on Banner 9 for a little over a year, and we advise users not to have multiple tabs open. The issue we see is that one tab will "time out" even though the users are actively entering data in another tab. It can be rather frustrating. I'm not sure if your unchecking

Re: [cas-user] Deploying Apereo CAS document updated (finally)!

This is *hugely* helpful, David. Thank you for all the work you've done on this documentation, for sharing it, and for being so active in the CAS community! [image: Aims Community College Top Work Places 2018 - The Denver Post] Matt Uribe Programmer Analyst II Information Technology Aims

[cas-user] Re: How to enable MFA by service rather than globally

Hi Dave, I'm still on CAS 5.2, so perhaps things have changed, but I'm doing exactly what you describe with Duo. In my cas.properties: #Configure Duo authentication properties cas.authn.mfa.globalFailureMode: OPEN # Aims Two-Factor cas.authn.mfa.duo[0].duoApiHost:

Re: [cas-user] CAS build stuck

Have you had a chance to look through David Curry's guide? It's thorough and well laid out, and should get you on the road to successfully setting up CAS. https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html [image: Aims Community College Top Work Places 2018 - The

Re: [cas-user] CAS build stuck

I don't see anything wrong. It shows the build was a success, and that Tomcat is started. The WARN messages are not errors. It's just telling you that it made its own keys, and that tickets are being stored in memory. Are you able to navigate to https://localhost:8443/cas on the host? (Assuming

Re: [cas-user] Can CAS 5.3.2 return JWT ticket instead of the TGT and AT

Have you looked into this page? https://apereo.github.io/cas/5.3.x/installation/JWT-Authentication.html# -Matt On Thu, Aug 30, 2018 at 9:47 AM, vivekanand yaram wrote: > Can some one please help > > On Thu, Aug 30, 2018, 08:19 vivekanand yaram > wrote: > >> Hello All, >> >> Currently we are

Re: [cas-user] Extract custom attributes from IdP

Hopefully you find this page helpful https://apereo.github.io/cas/5.2.x/installation/Configuring-SAML2-Authentication.html#saml-services On Fri, Aug 3, 2018, 7:54 AM Carlos Saavedra Martín < carlos.saave...@edosoft.es> wrote: > Hello, > > I try to authenticate a user with a IdP and use the

[cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

Not that I've seen. You could always try your luck with Google, but I'd imaging most results would lead you back to this group or the CAS official docs. I would still recommend David's docs. There may be some diversions, such as the use of apt rather than yum, but you should be able to work

Re: [cas-user] cas-management question

Sorry, after sending this response, my email refreshed and I saw the other helpful posts. Disregard. On Thursday, May 17, 2018 at 1:28:06 PM UTC-6, Matthew Uribe wrote: > > What's the cas.server.name in your management.properties? > > [image: Aims Community College Top Work

Re: [cas-user] cas-management question

What's the cas.server.name in your management.properties? [image: Aims Community College Top Work Places 2018 - The Denver Post] Matt Uribe Programmer Analyst II Information Technology Aims Community College 970.339.6375 matthew.ur...@aims.edu 5401 W. 20th Street

[cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

Maybe have a look here https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/guide/cas-user/LgZzuXvh3OY/T6XXmVvcCQAJ or https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/CAS$20documentation$20for$20a$20new$20user$20is$20terrible/cas-user/BwI6_qU612c/sPx1lAaQBgAJ

Re: [cas-user] cas-overlay-template sutck with warnings

_CYPHER_OVERLAP > > 2018-05-16 11:57 GMT-03:00 Matthew Uribe <matthe...@aims.edu > >: > >> Érico, >> >> Based on this https://github.com/apereo/cas-overlay-template I would say >> that 8080 and 8443 should both be open while the overlay embedded Tomcat i

Re: [cas-user] cas-overlay-template sutck with warnings

tins$ lsof -i :8443 > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE > NAME > java26098 ericomartins 32u IPv6 0xff2c21fe03059105 0t0 TCP > *:pcsync-https (LISTEN) > > > Thks > > > Em quarta-feira, 16 de maio de 2018 11:05:15 UTC-3, M

Re: [cas-user] cas-overlay-template sutck with warnings

Have you tried going to the CAS webpage? It should load. The warnings are just letting you know that since you didn't define the keys in cas.properties, it's created them for you. If I recall from my experience with ./build.sh run, it will sit on the console because the process is still running.

[cas-user] Re: cas.properties file

In my experience, both work the same. On Monday, May 14, 2018 at 8:28:35 AM UTC-6, Jennifer LaVoie wrote: > > When I configure my LDAP (AD) info, should the entries look like this > cas.authn.ldap[0].name: Active Directory > or this > cas.authn.ldap[0].name= Active Directory > >

[cas-user] Re: Building cas.war for Tomcat -- is 'etc' also required in Tomcat?

Your cas.properties and log4j2.xml files are expected in /etc/cas which will have to be readable to the tomcat process. On Wednesday, May 9, 2018 at 11:20:57 PM UTC-6, josbrodie wrote: > > We are rather confused over here w.r.t installing v5.2.4 --- any help will > be greatly appreciated. > >

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

What do you get back when you do a curl on https://link-to-metadata.com ? On Tuesday, May 8, 2018 at 11:10:44 AM UTC-6, John D Giotta wrote: > > Looking at the logs more I did find these WARNs: > > 2018-05-08 17:02:31,227 WARN >>

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

What does the SP expect the entityID to be? I have not experimented with anything other than setting the entityId to ${cas.server.prefix}/idp and I don't know whether the CAS server will have issues with responding to https://cas.example.org/idp since CAS itself is at

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

I would expect your entityID to be https://cas.example.org/cas/idp but it depends on what you've set it to in cas.properties under cas.authn.samlIdp.entityId On Monday, May 7, 2018 at 10:39:28 AM UTC-6, John D Giotta wrote: > > I noticed that my /cas/idp/metadata endpoint returns the following

[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

Have you also added the service definition for the IdP endpoint? If you haven't already, you may want to walk through the steps for adding SAML support in this guide: https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html On Monday, May 7,

[cas-user] MFA - Filter by User or Location

Has anyone experimented with, or had success with, enforcing multifactor authentication based on a user's returned attribute, or based on the location from which they are logging in? I'm experimenting with this now, and wondered whether anyone else had already crossed this bridge. We are

[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

What do you have in your json for "@class"? Is it "org.apereo.cas.support.saml.services.SamlRegisteredService"? On Monday, May 7, 2018 at 9:19:58 AM UTC-6, John D Giotta wrote: > > I'm not too familiar with SAML 2.0 and I need to set up our existing CAS > (currently using CAS protocol). > >

Re: [cas-user] Re: CAS 5.2.x as IDP using SAML 2.0

l (/idp/metadata). >>> >>> To test it I was looking at setting up a local Shibboleth SP application >>> but couldn't since I use Windows and Apache Tomcat to run the CAS >>> application. Any info in this regard would really help. >>>

[cas-user] Re: certificates

It's my understanding that these settings have to do with the embedded Tomcat container: # By default and if you remove this setting, CAS runs on port 8080 server.port=8443 # To disable SSL configuration, comment out the following settings or set to blank values.

Re: [cas-user] Re: cas-overlay-template with cas 5.2.3 and default cas.properties

Did you setup the keystore? On Thursday, March 15, 2018 at 9:55:14 AM UTC-6, Jono Jono wrote: > > There is no message that anything is ready. It only shows the last > warnings about encyption keys. When I visit 8443 though I do see some audit > stuff in the logs. Greping the logs shows nothing

[cas-user] Re: cas-overlay-template with cas 5.2.3 and default cas.properties

I haven't tried 5.2.3 yet, but when I was using the included Tomcat server, I was using ./build.sh package or ./build.sh run to start it. As Marc said, you should get a message on screen or in the logs showing that CAS is ready. Have you dug into any of the logs yet? cas.log and catalina.out

Re: [cas-user] /cas/status/dashboard

Chris, I ran into the same problem. I added json files to /etc/cas/services but CAS was only reading those in the classpath/services directory. I found that my problem was in my cas.properties: Incorrect: cas.serviceRegistry.*config*.location: file:/etc/cas/services Correct:

Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

t;java.util.ArrayList", ["UDC_IDENTIFIER", > "michigantechRIDM"]] > } > } > > On Thu, Feb 22, 2018 at 9:26 AM, Matthew Uribe <matthe...@aims.edu > > wrote: > >> Thanks Travis. That's the track I've been o

Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

ravis Schmidt <travis@gmail.com >> > wrote: >> >>> I am helping a team with this exact issue right now. Don't know >>> anything about the banner side of things, but I had to map the attribute >>> they were looking for to UDC_IDENTIFIER in t

Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

hey were > looking for to UDC_IDENTIFIER in the Service Registry for it to work. > > On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe <matthe...@aims.edu > > wrote: > >> Hello Community, >> >> I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x

[cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

Hello Community, I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x We have been using the Luminis delivered CAS 3.5.2, but are interested in the features available in 5, such as SAML2 IdP, and MFA using Duo. I have deployed CAS 5.2.0, included cas-server-support-ldap

[cas-user] Step by step guide for simple CAS server with OpenLDAP authentication

I have found David Curry's guide incredibly helpful. https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html Matt -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions:

[cas-user] Re: CAS documentation for a new user is terrible

Jan, I have to say, as another new arrival to the CAS world, that I agree with your statements, and wish I would have encountered your post several weeks ago. I appreciate the link to guide, and hope that others will find it earlier in their journey than I did. Also, I want to thank all who