Re: [cas-user] CAS 6.6.9 Hazelcast and Ticket Registry errors

2023-11-14 Thread Ray Bon
Sathish, Your async-backup-count and backup-count have non-default values. Is it possible these values are causing hazelcast to consume memory? Try using default values to see if memory use improves. You can monitor the JVM with JDK Mission Control or jConsole. Ray P.S. To keep your config

Re: [cas-user] Allow REST login, but prohibit web login

2023-11-10 Thread Ray Bon
Ben, This policy would prevent a login _after_ the REST session was established, https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy-UniquePrincipal.html There is also a custom groovy script option,

Re: [cas-user] Re: Implementing ORCID auth: Problem with cas.authn.pac4j.oauth2[0].profile-url

2023-11-08 Thread Ray Bon
Aleix, That documentation is _very_ old. There have been a lot of changes to cas since 2014; not the least of which is the change from org.jasig to org.apereo. Reading that document may provide some general understanding. You can increase the logging level [debug|trace] to see what classes are

Re: [cas-user] Re: Implementing ORCID auth: Problem with cas.authn.pac4j.oauth2[0].profile-url

2023-11-08 Thread Ray Bon
And this property warn Ray On Wed, 2023-11-08 at 07:44 -0800, Aleix Mariné wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. So, I have found

Re: [cas-user] impact of Google Chrome "HTTPS upgrades" on slow http login urls

2023-11-07 Thread Ray Bon
Pascal, Are you saying that cas redirects to http://foo... and chrome changes the protocol to https://foo... ? And then it only waits 3s for a response??? That sounds like stupid chrome behaviour (but not unexpected). When serviceValidate is called, it has to be called from https://foo... Are

Re: [cas-user] CAS 6.6.x CSS with SSL Offload

2023-11-03 Thread Ray Bon
[org.springframework.security.web.DefaultSecurityFilterChain] - On Thursday, November 2, 2023 at 3:22:24 PM UTC-4 Ray Bon wrote: Is it possible that vip...themes is protected/secured and needs login to access? Check your developer console to see where the redirects are going. Check cas logs to see which URIs are unprotected

Re: [cas-user] Re: No generated SAML metadata after migration

2023-11-02 Thread Ray Bon
locator or and the generator bean when the two dependencies are present When keeping only jpa, do you know where to find the default idp saml metadata. Best regards On Thu, 2 Nov 2023 at 20:22, Ray Bon <r...@uvic.ca> wrote: Mohamed, jpa is an alternative to file system s

Re: [cas-user] CAS 6.6.x CSS with SSL Offload

2023-11-02 Thread Ray Bon
Is it possible that vip...themes is protected/secured and needs login to access? Check your developer console to see where the redirects are going. Check cas logs to see which URIs are unprotected (shows on startup). Ray On Thu, 2023-11-02 at 09:24 -0700, atilling wrote: Notice: This message was

Re: [cas-user] Re: No generated SAML metadata after migration

2023-11-02 Thread Ray Bon
Mohamed, jpa is an alternative to file system storage (default). Services can use the file system as well. If you do not need/use it, remove it. Ray On Thu, 2023-11-02 at 18:24 +0100, Mohamed Amdouni wrote: Notice: This message was sent from outside the University of Victoria email system.

Re: [cas-user] CAS 6.6.9

2023-10-31 Thread Ray Bon
Sathish, I was not able to find recommended memory requirements in cas docs. This guide has a suggestion https://paulchauvet.github.io/deploying-cas/setting-up-the-environment/tomcat/systemd-service/ Memory is cheap, I would start at 2G. See tomcat docs to configure this. Cas also has some

Re: [cas-user] Strange delegated SAML Error on RHEL (CAS6.4.6.6)

2023-10-24 Thread Ray Bon
Yan, Does samlkeystore exist and is writable (same for path to sp metadata)? But there should be no metadata file when cas starts if you want it to be generated. You can also create metadata manually, see https://www.samltool.com/sp_metadata.php Ray On Tue, 2023-10-24 at 13:15 -0700, Yan

Re: [cas-user] CAS management overlay broken

2023-10-18 Thread Ray Bon
Aleix, The second repo is the one you want. It has a 6.6 branch as most recent. Assuming you have checked out the 6.6 branch, it will build with ./gradlew clean build It is better to post log messages as text rather than images. One, it is searchable; Two, images are hard to see in a desktop

Re: [cas-user] Re: standalone configuration security

2023-10-16 Thread Ray Bon
ION=35 or --cas.standalone.configuration-security.iteration=35 When i use iterations it does, unless the iteration value is actually wrong. I have been told that the unit test for this passes: great. It doesn't actually mean at run time it functions as expected. On Wednesday, September 7, 2022 at 5:03:10 PM UTC-5 Ray Bon

Re: [cas-user] CAS 7 MFA broken since last build

2023-10-16 Thread Ray Bon
Frédéric, Are there any error messages in the logs? Ray On Fri, 2023-10-13 at 06:26 -0700, Frédéric Dussurget wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hi, latest build broke MFA (both

Re: [cas-user] Custom webflow priority

2023-10-11 Thread Ray Bon
The order is part of spring webflow, so look into that. Cas does have some helper methods. See https://github.com/apereo/cas/blob/6.6.x/core/cas-server-core-webflow-api/src/main/java/org/apereo/cas/web/flow/configurer/AbstractCasWebflowConfigurer.java which has an order field and a number of

Re: [cas-user] CAS 66x, how to make association between authentication handlers and attribute repositories / PersonAttributeDaos

2023-10-11 Thread Ray Bon
Luís, It is possible to get attributes at time of authentication for ldap and jdbc. cas.authn.ldap[0].principal-attribute-list= \ mail, \ cn, \ sn, \ givenName That will give you one source. See https://apereo.github.io/cas/6.6.x/authentication/LDAP-Authentication.html Does your user

Re: [cas-user] Migration process best practices

2023-10-04 Thread Ray Bon
Mohamed, Unfortunately the overlay no longer has a git history, so upgrades are needlessly complex. You are making a big upgrade so there will be property name changes. It is possible to stick with maven, but most of the documentation assumes gradle. I switched to gradle when it was first an

Re: [cas-user] Debugging help

2023-10-04 Thread Ray Bon
Jeff, Was this part of an upgrade? It could be that a property has changed names. As artur said, you could start with a vanilla version and the items in one at a time. There is also the possibility that there is an old/incompatible library hanging around. These loggers may help:

Re: [cas-user] Re: Submit a CAS evolution for 6.6.12

2023-09-25 Thread Ray Bon
Jérémie, There is a cas developer list https://apereo.github.io/cas/Mailing-Lists.html#cas-developer-list-cas-devapereoorg Ray On Mon, 2023-09-25 at 00:48 -0700, Jérémie wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links

Re: [cas-user] CAS 6, AbstractNonInteractiveCredentialsAction on Trusted AuthN with incoming SAML Assertion

2023-09-25 Thread Ray Bon
Yan, Are you thinking of this https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication.html Ray On Tue, 2023-09-19 at 12:28 -0700, Yan Zhou wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive

Re: [cas-user] debugging login issues

2023-09-25 Thread Ray Bon
Pablo, Cas creates a TGC (TicketGrantingCookie) to track the user session. You will be able to see it when on your logged in browser at https://login.server/cas/actuator/health Your ticket store will have TGTs and STs. The STs are kept for performing

Re: [cas-user] Customizing AUP Webflow Logic

2023-09-11 Thread Ray Bon
Trevor, Test classes are not part of packaged jars. If you want test classes, you have to copy them into your src directory. Beware, you may have to copy in dependencies of the test classes too; and remember to update them when you upgrade. Is it possible to rework your logic to extend the

Re: [cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?

2023-09-08 Thread Ray Bon
Yan, It is a wise idea to sign logout requests. This prevents a bad actor from creating false logouts. 'Validate SAML requests with signature ... ' is for the log in request. When your client app sends a logout request to cas, does cas (as IdP) end its session with the client? Ray On Fri,

Re: [cas-user] Add a new controller to the CAS7 server

2023-09-08 Thread Ray Bon
See https://apereo.github.io/cas/6.6.x/webflow/Webflow-Customization-Extensions.html and https://fawnoos.com/2022/07/22/cas66-ui-themes/ Ray On Fri, 2023-09-08 at 16:15 +0800, ztf863 wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious

Re: [cas-user] CAS-6.6.x war overlay by maven

2023-09-07 Thread Ray Bon
Are you trying to build cas as a developer or an operator? If you want to run cas as a sign on system, use the overlay, https://github.com/apereo/cas-overlay-template that is described in the previous link. Developer info starts here,

Re: [cas-user] [CAS 6.6.8] Custom MFA triggers

2023-09-06 Thread Ray Bon
These should help https://fawnoos.com/2021/08/20/cas64-webflow-extensions/ https://fawnoos.com/2022/04/21/cas66-webflow-groovy-actions/ I have a helper class that can print out the flow https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74 Ray On Wed, 2023-09-06 at 14:46 +0200,

Re: [cas-user] CAS-6.6.x war overlay by maven

2023-09-05 Thread Ray Bon
https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/ On Mon, 2023-09-04 at 01:53 -0700, 'Char Lin' via CAS Community wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hi, all. How to use

Re: [cas-user] Delegated authentication attribute resolution

2023-08-31 Thread Ray Bon
I use the cas.authn.pac4j.oidc[0].azure authentication service. The attributes I get back are the ones defined in my Azure AD application. Thank you! (I hope I'm not spamming you, I just replied a few minutes ago but now I can't find it...) On Thursday, August 31, 2023 at 11:54:26 AM UTC-4 Ray

Re: [cas-user] Delegated authentication attribute resolution

2023-08-31 Thread Ray Bon
Aaron, Do you have the attribute repository defined with: cas.authn.attribute-repository. ... properties? Ray On Wed, 2023-08-30 at 13:04 -0700, Aaron Chantrill wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and

Re: [cas-user] View and Edit of allowedAtributes in cas-management 6.6.3

2023-08-29 Thread Ray Bon
Martin, Do you have attributes defined in the config file? e.g. cas.authn.attributeRepository.stub.attributes.mail=mail In 6.5 I have those in management.properties. Not sure if they can go in cas.properties. Ray On Tue, 2023-08-29 at 12:50 +, 'Büchler, Martin' via CAS Community wrote:

Re: [cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?

2023-08-28 Thread Ray Bon
onExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE] at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE] On Fri, Aug 25, 2023 at 3:34 PM Ray Bon <r...@uvic.ca> wrote: Yan, My loc

Re: [cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?

2023-08-25 Thread Ray Bon
Yan, My local OIDC goes to cas/oidc/oidcAuthorize where cas redirects to /cas/login. In your case, cas should redirect to the remote IdP. The cas endpoints are described here, https://apereo.github.io/cas/6.6.x/authentication/OIDC-Authentication.html (though I note that the protocol differs

Re: [cas-user] CAS 6.6.8 ST ticket generation with cas.host.name appended

2023-08-25 Thread Ray Bon
Pablo, When using cas protocol for login, it is possible to include the host name (foobar1 in your case) to the ST. It escapes me how to set this, since my local does not do this but our prod servers do. This is handy when you have multiple cas servers. The other form of the ST is probably for

Re: [cas-user] CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-25 Thread Ray Bon
Thanks for the tip on the ultimate edition. Cas uses a number of keys for various tasks. If the key is not present in your config, cas will create one on boot. It will be different each time cas starts and, of course, anything persisted with the earlier key will no longer be accessible. There

Re: [cas-user] Help about Front-end and back-end separation architecture

2023-08-25 Thread Ray Bon
Benny, Front end customizations are described here, https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/#user-interface-customizations https://fawnoos.com/2022/07/22/cas66-ui-themes/ https://apereo.github.io/cas/6.6.x/ux/User-Interface-Customization.html Cas has a rest interface,

Re: [cas-user] CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-24 Thread Ray Bon
The paid for version of intellij does not support remote editing either (sigh). Your dev setup sounds fine and you should not have to worry about your local machine since it is only used for editing. I only use intellij for code completion and class/method references. I always build/run on the

Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-23 Thread Ray Bon
difference, also tried to search through the CAS source code and I have the hypothesis that it might not be detecting either the policy or the providers I am using. On Friday, 18 August 2023 at 20:19:18 UTC-3 Ray Bon wrote: Diego, Image did not come through. Ray On Fri, 2023-08-18 at 11:46 -07

Re: [cas-user] CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-23 Thread Ray Bon
Could you use a different storage system? I do not see the couchdb module in the current development branch. Not sure if it is being removed or if a different module takes on that feature. Instead of running gradlew in vscode, you can run it from the command line. The 'clean' part of the

Re: [cas-user] CAS 6.6.x manipulation of attribute-repository

2023-08-21 Thread Ray Bon
Florent, In LDAP the 'role' (from the linked example) would/should be multi valued unlike the multi row of a database. If group1 has its own dn from group2, you could use a groovy script to merge them, https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution-Groovy.html Ray On

Re: [cas-user] Version 6.5.9.2 not available for download in github

2023-08-21 Thread Ray Bon
Taieb, You can set the two version properties in gradle.properties to 6.5.9.2 and build. Ray On Mon, 2023-08-21 at 01:48 -0700, Taieb Riahi wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hi,

Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-18 Thread Ray Bon
Diego, Image did not come through. Ray On Fri, 2023-08-18 at 11:46 -0700, 'Diego Gimenez' via CAS Community wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello. As the title says I can't make

Re: [cas-user] Radius -MFA in cas 6.6.8

2023-08-17 Thread Ray Bon
wrote: Hi Ray, We have NW change in place. There is UDP connectivity from my cas server to radius server (unidirectional) on port 1812 and 1813. On Wed, Aug 9, 2023, 10:29 PM Ray Bon <r...@uvic.ca> wrote: Vikash, Is it possible there is a network issue? Ray On Tue, 2023-08-08 at

Re: [cas-user] SAML delegation CAS 6.6.x, which XML to use on ClientApp side, IDP or SP metadata?

2023-08-16 Thread Ray Bon
Yan, There are two independent steps; bootstp2 -> cas (SP -> IdP), and cas -> okta (SP -> IdP). See https://apereo.github.io/cas/6.6.x/protocol/Protocol-Overview.html#the-bridge for explanation. Delegation can be per service or global. I have not used delegation so am unsure why the cas

Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-14 Thread Ray Bon
Lifetime= # Path/URL to delegated IdP metadata # cas.authn.pac4j.saml[0].identityProviderMetadataPath= On Monday, August 14, 2023 at 1:53:24 PM UTC-4 Ray Bon wrote: Yan, Is it possible that the okta-cas config is incorrect and okta is returning an error response which cas does not understand? Are y

Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-14 Thread Ray Bon
Yan, Is it possible that the okta-cas config is incorrect and okta is returning an error response which cas does not understand? Are you using SAML Tracer to see the exchanges between SPs and IdPs? If the keystore is not created, you can create it yourself. Or, turn off SAML encryption between

Re: [cas-user] Cas prefix don't work with empty value (/cas instead of ROOT context)

2023-08-14 Thread Ray Bon
Julien, This sounds like a tomcat config issue (I have not used embedded tomcat). Maybe a config on this page https://apereo.github.io/cas/6.6.x/installation/Configuring-Servlet-Container-Embedded-Tomcat.html Ray On Fri, 2023-08-11 at 08:53 -0700, Julien Weillaert wrote: Notice: This message

Re: [cas-user] Re: CAS 5.1.X - In Delegated authentication mode, 'service' is coming as null from the session

2023-08-14 Thread Ray Bon
Sanjay, Version 5.1 is very old. It is difficult to know if this is a bug in that version of cas or if it is a browser problem. Your best, and safest, option is to upgrade and see if the issue persists. Ray On Thu, 2023-08-10 at 15:48 -0700, Sanjay Semwal wrote: Notice: This message was sent

Re: [cas-user] login with valid service but not getting ticket query parameter on redirect

2023-08-09 Thread Ray Bon
have injected as view between generateServiceTicket and Redirect action/view states. When I disable this custom step all works fine. I haven't been able to trace my issue but it is my issue. -psv On Thursday, August 3, 2023 at 9:24:17 AM UTC-5 Ray Bon wrote: Pablo, What version of Cas is this?

Re: [cas-user] Re: Is Azure AD B2C Supported in CAS 6.6.8?

2023-08-09 Thread Ray Bon
Pablo, This logger may help: Ray On Wed, 2023-08-09 at 12:12 -0700, Pablo Vidaurri wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Still having an issue. Trying to figure out if it's a

Re: [cas-user] Radius -MFA in cas 6.6.8

2023-08-09 Thread Ray Bon
Vikash, Is it possible there is a network issue? Ray On Tue, 2023-08-08 at 17:20 +0530, Vikash Chandra Ansh wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hi Everyone, We are trying to

Re: [cas-user] SCIM configuration and I get an error "Using SCIM provisioning target [null]"

2023-08-09 Thread Ray Bon
Jakub, This link, https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-Provisioning.html#scim-provisioner, leads to, https://apereo.github.io/cas/6.6.x/integration/SCIM-Integration.html, which lists a required field (among others): cas.scim.target Ray On Mon, 2023-08-07 at

Re: [cas-user] shib-cas-authenticator, proxy tickets, and third-party services

2023-08-09 Thread Ray Bon
-authenticator? Janemarie On Fri, Aug 4, 2023 at 4:08 PM Ray Bon <r...@uvic.ca> wrote: Janemarie, Proxy tickets are for backend service communication. The user does not interact with the other service. It is not the same thing as proxied/delegated authentication. If I unde

Re: [cas-user] shib-cas-authenticator, proxy tickets, and third-party services

2023-08-04 Thread Ray Bon
Janemarie, Proxy tickets are for backend service communication. The user does not interact with the other service. It is not the same thing as proxied/delegated authentication. If I understand correctly, shibboleth is handling the username/password and therefore the SSO session. Does the one

Re: [cas-user] No CAS logs

2023-08-04 Thread Ray Bon
Andrew, Tomcat has an access log, localhost_access_log.DATE.txt. Any problems should be in catalina.out. Ray On Thu, 2023-08-03 at 14:08 -0400, Andrew Tillinghast wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and

Re: [cas-user] Setting up disk backup/log for Hazelcast cluster - Seeking advice

2023-08-04 Thread Ray Bon
Miguel, If you have not done so already, you should post to hazelcast forums or see their documentation. If you can rotate through your servers when bringing them down-up, hazelcast can preserve the tickets on the remaining hosts (if my understanding of hazelcast is correct). Ray On Fri,

Re: [cas-user] Failure throttling not working with Mixed SPNEGO authentication by-design?

2023-08-03 Thread Ray Bon
the request submission rate (calculated as the difference between the current > date and the last submission date) exceeds the failure threshold rate. Petr On Thursday, 3 August 2023 at 16:49:37 UTC+2 Ray Bon wrote: Petr, Check your throttling settings, https://apereo.github.io/cas/6.5.x

Re: [cas-user] Failure throttling not working with Mixed SPNEGO authentication by-design?

2023-08-03 Thread Ray Bon
Petr, Check your throttling settings, https://apereo.github.io/cas/6.5.x/authentication/Configuring-Authentication-Throttling.html#configuration It, cas.authn.throttle.failure.*, is a range per second (even when set to multiple seconds). If set, it should be more than 2 attempts per second.

Re: [cas-user] login with valid service but not getting ticket query parameter on redirect

2023-08-03 Thread Ray Bon
Pablo, What version of Cas is this? Check your logs. The audit log records the authentication events, including ticket creation. Ray On Wed, 2023-08-02 at 14:39 -0700, Pablo Vidaurri wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious

Re: [cas-user] cas-management overlay 6.6.3 with support-mongo-service-registry does not bind cas properties

2023-07-27 Thread Ray Bon
Martin, This logger may help: I also have this line in my log output: cas | 2023-07-27 19:10:08,677 INFO [ org.aper.cas.util.io.PathWatcherService] - [main] Check to make sure it is looking in the correct place for management.properties (even though /etc/cas/config is the default). Ray

Re: [cas-user] ERROR CAS 6.1 SAML IDP GOOGLE

2023-07-27 Thread Ray Bon
What Richard said. Ray On Thu, 2023-07-27 at 09:45 -0500, 'Richard Frovarp' via CAS Community wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Typically the helpful bit in a long stack like this

Re: [cas-user] ERROR CAS 6.1 SAML IDP GOOGLE

2023-07-27 Thread Ray Bon
Muhammad, Your config has entity-id=https://cas.example.com/idp but it looks like cas is trying to create the certificate with login.unila.ac.id/cas I am not sure why it insists on a protocol, should not matter for a self signed cert. You could also make sure your cas.server.name has a

Re: [cas-user] Simple MFA to Surrogate bypasses surrogate selection

2023-07-25 Thread Ray Bon
Anthony, Does surrogate+username / password approach work, or is it only the surrogate selection that does not work? If I use surrogate+ with a service that requires MFA, it goes through the mfa flow for username and then to service as surrogate. But I do not have any groovy scripts running.

Re: [cas-user] Re: CAS 5.3 OAuth2 Delegated Authentication error Client not found

2023-07-24 Thread Ray Bon
Mohsen, Version 5 is very old. If the problem is in cas, there may be no one that can help. If the log says that client name was not found (serviceId in service definition), then check your service definition. serviceId can be a regex. Ray On Fri, 2023-07-21 at 21:08 -0700, mohsen saeedi

Re: [cas-user] Duo Universal Prompt configuration?

2023-07-24 Thread Ray Bon
Baron, Try creating a new service in Duo to check if the problem is on their side. Ray On Fri, 2023-07-21 at 15:02 -1000, Baron Fujimoto wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. We're

Re: [cas-user] How to easily fix an application after CAS upgrade

2023-07-21 Thread Ray Bon
Radek, If you have custom code, there really are only two options; drop it or upgrade it. With the large jump you are going to, it may make more sense to move to version 7 (to be official in a few months) and re-implement your features. You will have to search the code base to see how the new

Re: [cas-user] Custom Audit Log to DB

2023-07-21 Thread Ray Bon
Shing, Are you looking for an audit entry that is different from those in COM_AUDIT_TRAIL? You may be able to create a web flow event to do that. But NOTE: I was not able to insert my custom login flow after the Duo universal prompt flow. Unfortunately it looks like the cas modules (cas 6.5.x)

Re: [cas-user] [CAS 6.6.8] Custom MFA triggers

2023-07-21 Thread Ray Bon
This may provide some direction https://fawnoos.com/2018/11/22/cas5-groovy-mfa/ There may be other posts on this site that can help. Ray On Fri, 2023-07-21 at 08:49 +0200, spfma.tech via CAS Community wrote: Notice: This message was sent from outside the University of Victoria email system.

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-19 Thread Ray Bon
Niral, Start with the cas docs https://apereo.github.io/cas/6.6.x/monitoring/Monitoring-Statistics.html There is also some guidance at https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/ 'Too many redirects' can happen when the client (stage.eclkc.info ?) does not process the login from

Re: [cas-user] embedded tomcat startup error cas6.6.x

2023-07-18 Thread Ray Bon
flow > project :support:cas-server-support-thymeleaf Possible solution: - Declare repository providing the artifact, see the documentation at https://docs.gradle.org/current/userguide/declaring_repositories.html Thanks, Yan On Tuesday, July 18, 2023 at 12:29:49 PM UTC-4 Ray Bon wrote: Yan,

Re: [cas-user] embedded tomcat startup error cas6.6.x

2023-07-18 Thread Ray Bon
Yan, It looks like you are using cas instead of cas-overlay-template. The main project is for developers. This is for deployers https://github.com/apereo/cas-overlay-template Ray On Mon, 2023-07-17 at 12:15 -0700, Yan Zhou wrote: Notice: This message was sent from outside the University of

Re: [cas-user] CAS support oauth, how store the authCode -CAS 7.0.0-SNAPSHOT

2023-07-14 Thread Ray Bon
Redis ticket storage is described here https://apereo.github.io/cas/6.6.x/ticketing/Redis-Ticket-Registry.html Ray On Thu, 2023-07-13 at 20:12 -0700, 'Char Lin' via CAS Community wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-13 Thread Ray Bon
one) { System.out.println("Issue for encoding" +e.getMessage()); } } Do you think that is issue for expiring TGC? From: cas-user@apereo.org On Behalf Of Ray Bon Sent: Friday,

Re: [cas-user] OIDC /authorize - Authorization Denied

2023-07-11 Thread Ray Bon
;: true, "generateRefreshToken": true, "evaluationOrder": 1 } And the URL called : https://{URL}/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a=openid profile email read:all_type=code_mode=query=T0xJV2hyOXFQdVY5anNsX1VsUURrMEVIRlREQ3JGRF9vYzFvZVBXRUpFNw===eUFOTnU4NFVBQ0lDQjRteGcxV3E5V1I0N05O

Re: [cas-user] OIDC /authorize - Authorization Denied

2023-07-10 Thread Ray Bon
2023 at 20:36:08 UTC+2, Ray Bon wrote: Jérémie, What do the cas logs say about the authentication event (may need debug level)? The authorize URL comes after the authentication step. Are you logged in, in that browser? Ray On Tue, 2023-06-27 at 06:30 -0700, Jérémie wrote: Notice: This m

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-07 Thread Ray Bon
Niral, I would be surprised if there were any changes in the way tickets are handled by cas in the upgrade (it is fundamental in the way cas operates). Spring is good at logging when there is a mismatch between your config and class properties. Is there anything in the logs that would suggest

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-06 Thread Ray Bon
Niral, Is it possible the hosted environment has more than one tomcat server? If TGTs are not shared between cas instances, then, when switching tomcat servers (controlled by the hosting service / load balancer), the second cas will not know about the login session and force the login screen.

Re: [cas-user] Unauthorized URL conditional on enforced attributes?

2023-07-05 Thread Ray Bon
elves. Do we need to consult more generic Spring Webflow docs for the methods available to requestContext and applicationContext, and whether they would contain the desired info re the specific requiredAttributes conditions that were not met? On Tue, Jul 4, 2023 at 6:56 AM Ray Bon <r...@uvic.ca>

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-05 Thread Ray Bon
Niral, To see a list of all cas properties: $ ./gradlew exportConfigMetadata Which will create a file called config-metadata.properties. You can search for 'tgt' or 'tgc'. The default value will be shown beside the property. TicketGrantingTicket is the server side session and TGC is the client

Re: [cas-user] OIDC /authorize - Authorization Denied

2023-07-04 Thread Ray Bon
Jérémie, What do the cas logs say about the authentication event (may need debug level)? The authorize URL comes after the authentication step. Are you logged in, in that browser? Ray On Tue, 2023-06-27 at 06:30 -0700, Jérémie wrote: Notice: This message was sent from outside the University

Re: [cas-user] Cas Azure AD

2023-07-04 Thread Ray Bon
07:06:30,841 INFO [org.apereo.cas.services.AbstractServicesManager] - Bests On Mon, Jul 3, 2023 at 10:59 PM Ray Bon <r...@uvic.ca> wrote: Jerome, Your test service is not being loaded. 05:22:45 INFO [o.a.c.s.AbstractServicesManager] - See https://apereo.github.io/cas/6.6.x/se

Re: [cas-user] Unauthorized URL conditional on enforced attributes?

2023-07-04 Thread Ray Bon
Baron, There may be something in the fawnoos blog https://fawnoos.com/blog/ Ray On Mon, 2023-07-03 at 15:48 -1000, Baron Fujimoto wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. When using

Re: [cas-user] Cas Azure AD

2023-07-03 Thread Ray Bon
Jerome, Your test service is not being loaded. 05:22:45 INFO [o.a.c.s.AbstractServicesManager] - See https://apereo.github.io/cas/6.6.x/services/JSON-Service-Management.html and https://apereo.github.io/cas/6.6.x/services/Service-Management.html Ray On Mon, 2023-07-03 at 06:17 -0700, Jerome

Re: [cas-user] OAuth and CAS Protocols

2023-06-25 Thread Ray Bon
Jeremy, See https://www.oauth.com/oauth2-servers/access-tokens/ Ray On Thu, 2023-06-22 at 21:55 +, Wickham, Jeremy wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. I am currently developing

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-06-22 Thread Ray Bon
Niral, I think that is OK. The default page is only to make sure cas is set up correctly. You can change the default https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html#default-service Set up an application to use cas for authentication and the cas sso session will persist.

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-06-22 Thread Ray Bon
Niral, Is the page you are refreshing the cas default login page or is it a page in your client application? Can you post the URL when you land on the cas login page after a refresh? Ray On Wed, 2023-06-21 at 19:34 +, 'Niral Kunadia' via CAS Community wrote:

Re: [cas-user] CAS 6.6.8 - Authenticate using AD

2023-06-21 Thread Ray Bon
Jérémie, 'Unknown user name or bad password.' suggests that this is an issue on AD side. See https://fawnoos.com/2022/11/24/cas70x-azure-active-directory/ or this older one https://fawnoos.com/2017/11/22/cas-saml-integration-adfs/ Ray On Mon, 2023-06-19 at 00:41 -0700, Jérémie wrote:

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-06-21 Thread Ray Bon
Niral, Here is a handy blog, https://fawnoos.com/2022/07/22/cas66-ui-themes/ Ray On Fri, 2023-06-16 at 12:08 +, 'Niral Kunadia' via CAS Community wrote:

Re: [cas-user] CAS 6.6.8 - Authenticate using AD

2023-06-16 Thread Ray Bon
Jérémie, I did some testing and the ldaptive loggers are not nearly as useful as I thought they would be. This logger at debug or trace may provide a little more detail: It shows the error message in your email: 2023-06-16 09:12:59,430 INFO

Re: [cas-user] CAS 6.6.8 - Authenticate using AD

2023-06-15 Thread Ray Bon
Jérémie, Here are some loggers for cas ldap: Make sure you can authenticate / find the user from another application (I do not know what tools are available for AD). Check your AD logs to see what it thinks the problem is. Ray On Thu, 2023-06-15 at 05:19 -0700, Jérémie wrote:

Re: [cas-user] CAS 6.6, shib-cas-authn v4, entityId?

2023-06-15 Thread Ray Bon
Baron, You could configure Shib to use SAML2 proxy with Cas as a SAML2 IdP. With the Shib Cas plugin, you are authenticating for Shib as a service, rather than the entity which is the destination (FooBar). Ray On Wed, 2023-06-14 at 09:44 -1000, Baron Fujimoto wrote:

Re: [cas-user] About session expiration

2023-06-14 Thread Ray Bon
Gökhan, Perhaps this attribute: cas.tgc.pin-to-session=true See Optional configuration at https://apereo.github.io/cas/6.5.x/authentication/Configuring-SSO.html#configuration Ray On Tue, 2023-06-13 at 12:41 -0700, 'Gökhan Öner (IT)' via CAS Community wrote:

Re: [cas-user] CAS 7.0.0 - Service unauthorized to use CAS

2023-06-14 Thread Ray Bon
recognized by CAS. Contact your CAS administrator to learn how you might register and integrate your application with CAS." Is there any part of the service registry that I've configured that would make it incompatible? Thanks! Dillon On Monday, June 12, 2023 at 12:14:04 PM UTC-4 Ray Bon wrot

Re: [cas-user] CAS 7.0.0 - Service unauthorized to use CAS

2023-06-12 Thread Ray Bon
Dillon, Your regex does not look right to me. Here is one of my test apps: ^https?://local\\.uvic\\.ca/~rbon/phpCAS/docs/examples/.* We are not escaping

Re: [cas-user] Failing to server parallel flows in SAML2

2023-06-09 Thread Ray Bon
Miguel, This sounds like what Jérôme talked about in this thread https://groups.google.com/a/apereo.org/g/cas-user/c/fNZ82V32sio/m/RKhi5VQCAQAJ?utm_medium=email_source=footer Ray On Fri, 2023-06-09 at 05:03 -0700, Miguel Martínez De Espronceda Cámara wrote:

Re: [cas-user] JDBC attribute repository not working since 6.3.0-R3

2023-06-09 Thread Ray Bon
Andrea, It is possible that property names have changed across versions. To get a file with all cas properties: ./gradlew exportConfigMetadata Then search that file for your property. eg: You have: cas.authn.attributeRepository.defaultAttributesToRelease In version 6.5 it is:

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-06-06 Thread Ray Bon
Niral, That version is VERY old. I suggest you use or upgrade to the latest version. See https://apereo.github.io/cas/developer/Maintenance-Policy.html It is possible that the properties you have do not work with that old version. You should be using the overlay instead of the main cas project

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-06-05 Thread Ray Bon
Niral, Ticket expiration is built in, nothing to include. When you say 'on that page for a few mins', what page are you talking about? Ray On Mon, 2023-06-05 at 13:21 +, 'Niral Kunadia' via CAS Community wrote:

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-06-02 Thread Ray Bon
Niral, Perhaps I am misunderstanding what it is that you are doing. Post your cas.ticket.tgt.* config and the steps that you are performing. I just tested with 6.5.9 and can confirm that these settings work: cas.ticket.tgt.primary.max-time-to-live-in-seconds=301

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-05-31 Thread Ray Bon
Niral, You will see in the logs that cas will issue a different TGT for each login; this means two different sessions == two different users (even if same username:password). In the same browser, open a new tab and access / log in to a different service. You can create fake services in your

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-05-31 Thread Ray Bon
Niral, A refresh of the cas page may not be enough. You may have to get cas to issue a new ST [to a different application]. The service does not have to be real, just added to the service registry. Use this type of url to get cas to go through the login process and issue a ST.
