[cas-user] CAS5 OIDC support hybrid flow?

2021-03-06 Thread Yan Zhou
Hi there, CAS 5.3.x, OIDC flow. It works well with authorization code flow. Does it support "hybrid flow", i.e., the response type is "code token" or "code id_token"? I am getting "application not authorized to use CAS" error. Is this by design? 2021-03-07 04:40:24,173 WARN [org.apereo.ca

Re: [cas-user] cas5 rebuild and restart for every change??

2020-04-09 Thread Ray Bon
Yan, In addition to exploding the war, you can create a link to the exploded war from within tomcat webapps $ ll Applications/tomcat/webapps/ lrwxrwxrwx 1 rbon rbon 51 Apr 1 19:20 cas -> /home/rbon/workspace/cas-overlay-template/build/cas Ray On Thu, 2020-04-09 at 19:28 +, Richard Frova

Re: [cas-user] cas5 rebuild and restart for every change??

2020-04-09 Thread David Curry
Just to add to what Richard said, you'll also want to put spring.thymeleaf.cache: false in your cas.properties so that you can edit the files and see the changes "immediately" without having to bounce Tomcat. Note that it seems to only refresh every 60 seconds though; so my usual approach was to

Re: [cas-user] cas5 rebuild and restart for every change??

2020-04-09 Thread Richard Frovarp
If you deploy to an external container like Tomcat, you can instead of using the war, explode it into the webapp directory. Wars and jars are just zip files. Or let Tomcat explode it for you the first time, stop Tomcat, then delete war. You can edit content without having to rebuild. I think that

[cas-user] cas5 rebuild and restart for every change??

2020-04-09 Thread Yan Zhou
Hi there, CAS5.3.x overlay. It looks like we have to build it into a WAR file first, then either run it as an executable WAR or deploy to external container. There is also a way to run CAS as an executable WAR via Spring Boot's maven plugin, but that requires NO change to CAS dependencies, wh

[cas-user] CAS5 Redis Labs (clustering) support

2020-02-12 Thread Yan Zhou
Hi there, CAS5 supports Redis sentinel. When seeing Redis in this group, I am assuming it is all about Redis Sentinel. Has anyone integrated CAS5 with Redis Labs (the commercial offering of Redis clustering)? Thx! Yan -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitt

Re: [cas-user] cas5 start up time much longer, development productivity?

2020-01-21 Thread Andy Ng
Hi Yan, Me too, I also wait a long time during each CAS 5 war deployment. However, actually you don't need to re-deploy the war file every time you change something, if you just want to change some properties (e.g. Maybe you want to change the scope properties from EMAIL to PROFILE for pac4j go

Re: [cas-user] cas5 start up time much longer, development productivity?

2020-01-14 Thread Ray Bon
Yan, I use an external tomcat on my local machine. I point webapps/cas to build/cas and call explodeWar task (see CAS 6.1). I have a script that restarts tomcat. I run these on every change. Not sure how long it takes to go through the whole process but I do something else like check email, pl

[cas-user] cas5 start up time much longer, development productivity?

2020-01-14 Thread Yan Zhou
Hello, I have done both CAS4 and CAS5 overlay development. CAS5 start up seems much longer (I already set it to use embed mode, i.e., not look for configuration from remote server, everything is local), close to 3 minutes. In addition, since I had to add additional dependencies in CAS POM, I

[cas-user] CAS5 hazelcast registry, how to support management center monitoring?

2019-10-11 Thread Yan Zhou
Hello, CAS5's hazelcast module does not seem to support Hazelcast Management Center. The properties do not include a URL for mancenter, etc. How do I extend CAS hazelcast support so that I can set additional properties under the hazelcast Config class? Thx! Yan -- - Website: https://apereo.git

Re: [cas-user] CAS5 management

2019-07-23 Thread David Curry

[cas-user] [CAS5]

2019-07-23 Thread Didier Capdevielle
Hi all (those still alive despite the heat), Is there a way to make a persistent session (never expires) only for a specific service (JSON file) ? NB: Global policy is SSO and Throttled Timeout Policy Best regards, -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.i

Re: [cas-user] CAS5 management

2019-07-19 Thread Anil Kumar Reddy gajulapalli

[cas-user] CAS5, openid connect logout?

2019-07-11 Thread Yan Zhou
Hello, CAS5.3.X, one client uses CAS protocol and the other uses OpenId Connect. Both Clients are SSO. The openID connect client does not want to call /cas/logout, because they prefer an OpenId Connect approach. Does CAS provide logout for OpenId Connect clients? I do not see it, implem

Re: [cas-user] CAS5, Hazelcast clustering question?

2019-07-11 Thread Yan Zhou
Hi, I am saying, in order for a Hazelcast instance to auto-join the cluster, it seems that the property file must specify the same port#. So, the first instance running takes 5701, and the 2nd instance tries to bind 5701, it cannot, so it goes to 5702, this process tells that the two instances are two memb

Re: [cas-user] CAS5, Hazelcast clustering question?

2019-07-11 Thread Ray Bon
Yan, Do you mean they both try to come up with 5701 or the second one complains the port is already taken? Perhaps hazelcast tries to grab selection of ports. Maybe set one to 4701. Ray On Thu, 2019-07-11 at 07:26 -0700, Yan Zhou wrote: Hello, CAS 5.3.x, using Hazelcast for ticket registry.

[cas-user] CAS5, Hazelcast clustering question?

2019-07-11 Thread Yan Zhou
Hello, CAS 5.3.x, using Hazelcast for ticket registry. Two CAS instances on the same server A. I was trying to avoid port conflict in cas.properties, so, one instance's cas.properties looks like this cas.ticket.registry.hazelcast.cluster.members=A cas.ticket.registry.hazelcast.cluster.insta

Re: [cas-user] CAS5 Protocol diagram with OpenID Connect and CAS protocol mixed clients

2019-05-02 Thread Yan Zhou
Yes, I know TGC, and it is in the cookie. How do two clients (native Mobile Apps) using Open ID Connect talk to CAS, and achieve SSO? Where is TGC stored? There is no cookie in native apps. In other words, when user is authenticated in CAS via the first client, and he goes to the 2nd client

Re: [cas-user] CAS5 Protocol diagram with OpenID Connect and CAS protocol mixed clients

2019-05-02 Thread Ray Bon
Yan, CAS creates a TGC (ticket granting cookie) that it uses to look up the SSO session. It is (typically) not available to client application. Ray On Thu, 2019-05-02 at 15:38 -0700, Yan Zhou wrote: Hello, CAS has a nice diagram explains CAS protocol, how it achieves SSO, by using cookie. Wi

[cas-user] CAS5 Protocol diagram with OpenID Connect and CAS protocol mixed clients

2019-05-02 Thread Yan Zhou
Hello, CAS has a nice diagram that explains the CAS protocol and how it achieves SSO by using a cookie. With CAS5, I can achieve SSO with two clients, one speaking CAS protocol, the other speaking OpenID Connect. How did CAS do that, is that by the use of a cookie as well? I do not think OpenID Connect i

[cas-user] CAS5, OpenID connect flow newbie question

2019-03-01 Thread Yan Zhou
Hello, I am experimenting with CAS5 OpenID connect support with the overlay project of 5.3.8. I put this url in browser, CAS login page comes up, after I enter user/password, the next screen is: http://localhost:8180/ (this is where my CAS5 runs). https://localhost:8543/cas5/oidc/authoriz

Re: [cas-user] CAS5 flow state transition lose service parameter in URL?

2019-01-02 Thread Ray Bon
Yan, In our action class we get parameters with: service = requestContext.getRequestParameters().get("service"); target = requestContext.getRequestParameters().get("TARGET"); Ray On Fri, 2018-12-28 at 11:51 -0800, Yan Zhou wrote: Hello, When an app directs to CAS, the CAS login URL is appended

[cas-user] CAS5 flow state transition lose service parameter in URL?

2018-12-28 Thread Yan Zhou
Hello, When an app directs to CAS, the CAS login URL is appended with the "service" parameter for later redirect. In CAS4, the state transition from the Login page preserves the "service" parameter; the URL does not change as the flow transitions to different states. But in CAS5, any state transition from L

[cas-user] CAS5, Log4j2 and SpringBoot 1.5.x, Error creating converter for xwEx java.lang.reflect.InvocationTargetException

2018-12-24 Thread Yan Zhou
Hello! This is a known issue: https://github.com/spring-projects/spring-boot/issues/9172 I am seeing that with CAS5.3.4 overlay, which defaults to log4j2 version 2.11.x and Spring Boot 1.5.16, Is this just me or a known issue with CAS? When you start up CAS5, does it complain about this?

[cas-user] CAS5 error out on: server.connection-timeout=PT20S

2018-08-31 Thread Yan Zhou
Hello! I am using CAS 5.3.3 overlay, but got this error on application.properties. It has: server.connection-timeout=PT20S, this is default but giving this error. What did I miss? Binding to target org.springframework.boot.autoconfigure.web.ServerProperties@109952a1 failed: Property: s

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
Glad you figured it out. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu Sent from my phone; please excuse typos and inane auto-corrections. On Sat, May

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread Lionel Samuel
Thanks David! Your guidance helped tremendously --- I had inadvertently commented out the ' cas.authn.ldap[0].type' line. have a great weekend. On Saturday, May 12, 2018 at 5:03:25 PM UTC-7, David Curry wrote: > > Since you have bind credentials specified, I'm thinking maybe you want > AUTHENT

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
Since you have bind credentials specified, I'm thinking maybe you want AUTHENTICATED rather than DIRECT. That's just a guess, though. You might want to check the definitions of the types here: https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1 Other

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread Lionel Samuel
I am testing on my localhost and don't have SSL --- could this be it? If this is it, is there a way to disable SSL requirement for testing? On Saturday, May 12, 2018 at 4:51:11 PM UTC-7, Lionel Samuel wrote: > > Yes --- here is my 'cas.properties' configuration. > > The ldap connection URL and DN

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread Lionel Samuel
Yes --- here is my 'cas.properties' configuration. The ldap connection URL and DNs are correct (validated via ldapsearch from command line). Do you notice anything else missing? cas.properties: cas.server.name: http://localhost:8080/ cas.server.prefix: http://localhost:8080/edu-cas cas.admin

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
Assuming you added all the LDAP properties Did you disable the use of the built-in credentials (casuser/Mellon)? cas.authn.accept.users: It should be set to an empty value, as shown above. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fift

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread Lionel Samuel
Hi David: It's an honor. I read your guide when googling this issue. I had added the following to the pom.xml and had rebuilt the war via './build.sh package' --- and deployed the new WAR to the Tomcat. Did I miss anything? I can't see the CAS server making a call to our LDAP server --- so it m

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
Did you add the LDAP dependency to pom.xml and rebuild the WAR? David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu Sent from my phone; please excuse typos and

[cas-user] CAS5 LDAP

2018-05-12 Thread Lionel Samuel
Hi List: I have a shiny new deployment of CAS5.2.4. I am setting up for LDAP authentication; however, HttpBasedServiceCredentialsAuthenticationHandler appears to be leveraged and not LdapAuthenticationHandler. How do I toggle LDAP authentication? I have followed Any's setting for cas.pr

Re: [cas-user] CAS5 - High thread counts

2018-04-25 Thread Man H
see https://groups.google.com/a/apereo.org/d/msgid/cas-user/63fc6bc3-31f9-46a6-8d14-a8f14d3a329c%40apereo.org?utm_medium=email&utm_source=footer 2018-04-25 16:11 GMT-03:00 Oscar Ruiz : > Hi Ray, > > Thank you for your suggestion. We disabled EhCache in the dev environment > and saw no improvemen

Re: [cas-user] CAS5 - High thread counts

2018-04-25 Thread Oscar Ruiz
Hi Ray, Thank you for your suggestion. We disabled EhCache in the dev environment and saw no improvement. We did notice that a new thread is spawned every time a login session is generated and the number of sleeping threads increases. Next step, we're going to deploy default CAS and see if we

Re: [cas-user] CAS5 - High thread counts

2018-04-25 Thread Ray Bon
Oscar, We had similar difficulties with EhCache. EhCache expiration is actually the frequency with which the cache is reviewed. The entire cache is processed (which can be large on a busy site). With a distributed cache, the one currently processing is sending updates to its peers. This gets co

[cas-user] CAS5 - High thread counts

2018-04-25 Thread Oscar Ruiz
Hi, We noticed that our CAS5 installation is running out of memory because of a high number of threads that are running on our server; this results in it being unable to process new requests. Has anyone experienced this before? Here's our setup CAS5 - 5.1.6 Tomcat - 8.5.16 (We're currently trying 8.0

Re: [cas-user] Cas5 Ldap Authentication

2018-04-12 Thread yashwanth chowdary
Hi Manfredo Hopp, How to send authorities to an application On Thursday, March 8, 2018 at 11:09:54 AM UTC-6, Manfredo Hopp wrote: > > see > > > https://apereo.github.io/cas/development/installation/Configuring-Custom-Authentication.html > > 2018-03-08 11:32 GMT-03:00 yashwanth chowdary >: > >

Re: [cas-user] Cas5 Ldap Authentication

2018-03-21 Thread Ben Howell-Thomas
Did you work it out? But the documentation suggests it'll just pick it up and run it (which means I'm doing wrong by overriding LdapAuthenticationConfiguration, creating much more work for myself on upgr

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread Alberto Cabello Sánchez
On Thu, 8 Mar 2018 06:32:52 -0800 (PST) yashwanth chowdary wrote: > I have written my own classes, handler and configuration (please refer to > the attached files). What I observe is my handler is getting registered > properly, but when I give the credentials the method > "authenticateUsernamePasswor

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread Man H
see https://apereo.github.io/cas/development/installation/Configuring-Custom-Authentication.html 2018-03-08 11:32 GMT-03:00 yashwanth chowdary < ryashwanthkumarchowd...@gmail.com>: > Dave I have written my own classes, handler and configuration (please refer to >> the attached files). What I observe i

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread David Curry
As I said, I have no experience at all with that stuff, sorry. I'm an old 'C' programmer who only writes Java under duress. :-) David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread yashwanth chowdary
> > Dave I have written my own classes, handler and configuration (please refer to > the attached files). What I observe is my handler is getting registered > properly, but when I give the credentials the method " > authenticateUsernamePasswordInternal" is not getting called. properties > are same as

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread David Curry
Other than the CAS documentation, sorry, no. There are probably other people on the list who can. We are using out-of-the-box configured-with-plain-old-cas.properties interfaces only, no custom code. For what it's worth, the configuration we're running (we're putting it into production later this

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread yashwanth chowdary
Dave can you give a ref for writing our own customization handlers and configuration classes for Ldap On Thursday, March 8, 2018 at 6:42:04 PM UTC+5:30, David Curry wrote: > > It looks right, but I have never used that particular property, so I'm > just guessing. > > In our environment we have t

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread David Curry
It looks right, but I have never used that particular property, so I'm just guessing. In our environment we have to merge attributes from two different directories, so I have the authentication and attribute resolution configured separately and list the attributes out individually. Someone else c

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread yashwanth chowdary
Hi David, Is this the correct way to initialize my principalAttributeList? By the way, I am using the 5.3.0RC2 version On Wednesday, March 7, 2018 at 6:23:27 PM UTC+5:30, David Curry wrote: > > You don't say what version you're using, but the userFilter property was > renamed to searchFilter betw

Re: [cas-user] Cas5 Ldap Authentication

2018-03-07 Thread David Curry
You don't say what version you're using, but the userFilter property was renamed to searchFilter between 5.2 and 5.3 as part of the property documentation cleanup. (Documented here: https://apereo.github.io/2017/12/29/530rc1-release/#documentation-cleanup) --Dave -- DAVID A. CURRY, CISSP *DI

[cas-user] Cas5 Ldap Authentication

2018-03-07 Thread yashwanth chowdary
I was trying to connect to ldap using the below properties. Getting an error that it failed to bind authn.ldap[0].userFilter. You can observe the error in the attached file. cas.authn.ldap[0].order=0 cas.authn.ldap[0].name=AD cas.authn.ldap[0].type=AUTHENTICATED cas.authn.ldap[0].ldapUrl=ldaps://***.

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Behalf Of David Curry Sent: Friday, February 23, 2018 1:48 PM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management The /status endpoint (but not the endpoints underneath it) is only protected by an IP address pattern. You need to set the cas.adminPagesSecurity.ip property to a

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
> casuser=ROLE_ADMIN,enabled > > > > > > > > === > > Thank You; > > Chris Cheltenham > Technology Services > The School District of Philadelphia > > Work # 215-400-5025 > Cell # 215-301-6571 > > *From:* cas-use

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
PM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management Chris, Check your service registry entry. Ray On Fri, 2018-02-23 at 12:33 -0500, Cheltenham, Chris wrote: David, Along the same lines, /cas/status says access denied. Is a different file

Re: [cas-user] CAS5 management

2018-02-23 Thread Ray Bon
Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry Sent: Friday, February 23, 2018 10:52 AM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management Admin pages is the /status/dashboard stuff (and all the

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
@apereo.org] On Behalf Of David Curry Sent: Friday, February 23, 2018 10:52 AM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management Admin pages is the /status/dashboard stuff (and all the things underneath). The access to that is controlled with a user.properties file as well. The

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry Sent: Friday, February 23, 2018 10:58 AM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management As for the cheesiness of it, I believe it's inherited from Spring Security (which is an alternative way yo

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry Sent: Friday, February 23, 2018 10:58 AM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management As for the

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
> >> >> I gotta say this is a really stupid and cheesy way to do this. >> >> >> >> >> >> === >> >> Thank You; >> >> Chris Cheltenham >> Technology Services >> The School District of

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
-5025 Cell # 215-301-6571 From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry Sent: Friday, February 23, 2018 10:48 AM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management Gnarls the Narwhal is The New School's mascot. https://www.newschoo

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
-user@apereo.org] *On Behalf Of *David > Curry > *Sent:* Friday, February 23, 2018 10:33 AM > *To:* cas-user@apereo.org > *Subject:* Re: [cas-user] CAS5 management > > > > Your users.properties file is not formatted correctly. It's the same > format (and in fact can

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry Sent: Friday, February 23, 2018 10:33 AM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management Your users.properties file is not formatted correctly. It's the same format (and in fact can be the same

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
, February 23, 2018 10:33 AM To: cas-user@apereo.org Subject: Re: [cas-user] CAS5 management Your users.properties file is not formatted correctly. It's the same format (and in fact can be the same file) as the one for the admin pages: # The syntax for each line is: # # username=pas

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
Your users.properties file is not formatted correctly. It's the same format (and in fact can be the same file) as the one for the admin pages: # The syntax for each line is: # # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled] # gnarls=passwordnotused,ROLE_ADMIN The above

[cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Hello Everyone, Still having problems with access denied on /cas-management I turned on DEBUG and I see this in the logs. 22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP, successfulAuthenticationHandlers=Employee-LDAP, longTermAuthenticationRequestTokenUs

Re: [cas-user] CAS5 upgrade - existing clients not supplying target service?

2017-11-17 Thread Justin Andrews

Re: [cas-user] CAS5 upgrade - existing clients not supplying target service?

2017-11-17 Thread Misagh Moayyed
Do you have this? https://apereo.github.io/cas/5.1.x/protocol/SAML-Protocol.html#saml-11 --Misagh > From: "Justin Andrews" > To: "CAS Community" > Sent: Friday, November 17, 2017 12:54:45 PM > Subject: [cas-user] CAS5 upgrade - existing clients not supplyi

[cas-user] CAS5 upgrade - existing clients not supplying target service?

2017-11-17 Thread Justin Andrews
Hi folks - we are working through upgrading CAS from 4.0 to 5.1.x - I've found some clients work fine when pointing to CAS5 (instead of CAS4) with no modifications (great!), but at least one existing client is not working and producing errors like below. It's not clear to me if CAS5 can be se

[cas-user] CAS5 - Multiple View Resolvers

2017-11-01 Thread Juan Zarrias Caballero
Hi all, I'm trying to modify the webflow to use json views instead of html ones. For that we are trying to add new View Resolvers. Basically in one of our configuration classes, we have added: @Bean(name = "jsonView") public MappingJackson2JsonView jsonView() { MappingJackson2JsonView mappi

Re: [cas-user] CAS5 how large for tomcat maxHttpHeaderSize

2017-11-01 Thread Duane Booher
Thank you for that explanation. Our original CAS4 setting was maxHttpHeaderSize="16384", but after the CAS5 upgrade that failed right away as it was too small. Then we did go to the CAS5 documentation setting that I reference below, and recently we were questioning the value of the setting

Re: [cas-user] CAS5 how large for tomcat maxHttpHeaderSize

2017-11-01 Thread David Curry
Tomcat's default value for maxPostSize is 2097152, so that's "normal." ( https://tomcat.apache.org/tomcat-8.5-doc/config/http.html) Tomcat's default value for maxHttpHeaderSize is 8192 (see same link, above), but the CAS documentation for configuring the server as a SAML2 IdP recommends setting it

[cas-user] CAS5 how large for tomcat maxHttpHeaderSize

2017-10-31 Thread Duane Booher
Hi, we were noticing server.tomcat.maxHttpHeaderSize=20971520 in https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#embedded-tomcat and server.tomcat.maxHttpPostSize=20971520 in https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#embedded-tomc

Re: [cas-user] CAS5 tgt ticket time out when session is inactive?

2017-10-27 Thread Duane Booher
Scratch my last comment. I did want the default behavior of the 2 hour sliding window with a max of 8 hours. Thanks On Thursday, October 26, 2017 at 3:56:59 PM UTC-7, Duane Booher wrote: > > Ray, I now have the behavior that I was hoping by using these settings: > > cas.ticket.tgt.timeout.maxTim

Re: [cas-user] CAS5 tgt ticket time out when session is inactive?

2017-10-26 Thread Duane Booher
Ray, I now have the behavior that I was hoping by using these settings: cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=7200 cas.ticket.tgt.timeToKillInSeconds=28800 Notice that what you and I are essentially using is opposite what the TGT expire policy doc maxTimeToLiveInSeconds/timeToKillInSeco

Re: [cas-user] CAS5 tgt ticket time out when session is inactive?

2017-10-26 Thread Ray Bon
Duane, These are my settings: # TGT Expiration Policy # https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#tgt-expiration-policy cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=7200 # Remember Me cas.ticket.tgt.rememberMe.enabled=true cas.ticket.tgt.rememberMe.timeToKi

Re: [cas-user] CAS5 tgt ticket time out when session is inactive?

2017-10-26 Thread Duane Booher
Just some more information on my investigation. We are running CAS 5.0.5, plus I have tested 5.0.9 with the same results. For CAS4 these parameters work for our authentication timeout controls: tgt.maxTimeToLiveInSeconds=28800 tgt.timeToKillInSeconds=7200 On CAS5 I've been using these

Re: [cas-user] CAS5 tgt ticket time out when session is inactive?

2017-10-25 Thread Duane Booher
Thanks for the response, good point. What I really mean, for a given SSO session (TGT and a created ST) in a given browser, then a new ST comes in after 2 hours. In this case we would like a new forced CAS login to occur. For example, here is how I am testing where page-a and page-b are static

Re: [cas-user] CAS5 tgt ticket time out when session is inactive?

2017-10-25 Thread Ray Bon
Duane, By session, do you mean the client application the user is working in or do you mean the SSO session? The client application is responsible for its own session expiration. CAS only sends a logout to applications if a user chooses to logout (and appropriate configuration is in place). Aft

[cas-user] CAS5 tgt ticket time out when session is inactive?

2017-10-25 Thread Duane Booher
Hello I'm running CAS5.0 with all of the tgt session defaults. We are testing tgt timeout when a tgt session is inactive with no new activity. I was assuming that the default setting of cas.ticket.tgt.timeToKillInSeconds=7200 would kill the session, however it is going beyond 2 h

Re: [cas-user] CAS5 /cas/status cas.adminPagesSecurity.ip

2017-10-25 Thread Tom Poage
> On Oct 25, 2017, at 8:42 AM, Duane Booher wrote: > > For CAS 5.0 /cas/status access, the only way I can get access is with a > single ip, such as cas.adminPagesSecurity.ip=127.0.0.1 > > My question, is there any additional pattern matching capabilities and/or a > list of ip addresses? In CA

[cas-user] CAS5 /cas/status cas.adminPagesSecurity.ip

2017-10-25 Thread Duane Booher
For CAS 5.0 /cas/status access, the only way I can get access is with a single ip, such as cas.adminPagesSecurity.ip=127.0.0.1 My question, is there any additional pattern matching capabilities and/or a list of ip addresses? In CAS4 there used to be a subnet mask option, such as xx.xx.xx.xx/24,

[cas-user] CAS5 with ColdFusion

2017-09-19 Thread Toby Archer
I was wondering if anyone out there uses ColdFusion with CAS5? We are currently using Coldfusion 11 with cas 3.5.2. I'm in process of upgrading us from cas 3 to cas 5 and our adapter for coldfusion doesn't like it. It is written for version 2 of the cas protocol while cas 5 is running version 3

[cas-user] CAS5 conflict between JWT and OpenID Connect in the same CAS instance

2017-08-03 Thread borispog
Is there a restriction on having a combination of JWT and OpenID Connect service configurations in the same CAS server? I have a functional CAS 5.0.7 working with JWT ( cas-server-support-token-webflow). If I add the OpenID Connect overlay (cas-server-support-oidc) to enable OpenID Connect Provider

Re: [cas-user] CAS5 Maven overlay not reading config files

2017-04-28 Thread Carlos Fernandez

Re: [cas-user] CAS5 Maven overlay not reading config files

2017-04-28 Thread Adam Causey

[cas-user] CAS5 pom.xml org.ldaptive version

2017-04-25 Thread Duane Booher
We have CAS5 running on a test system with LDAP configured using unboundID, and it is working. Where in the CAS5 doc is the org.ldaptive maven pom documented, and what dependency version should be used to match say the CAS 5.0.4 version? Currently I am using: 1.2.1 Here are snips of my pom:

Re: [cas-user] CAS5 Maven overlay not reading config files

2017-01-18 Thread Raymond Drew Walker
8 PM To: "cas-user@apereo.org" Subject: [cas-user] CAS5 Maven overlay not reading config files In a CAS 5.0.1 Maven overlay I have the following files included: src/main/resources/bootstrap.properties spring.profiles.active=native spring.cloud.config.server.native.searchLocations=file:///nau/loca

[cas-user] CAS5 Maven overlay not reading config files

2017-01-14 Thread Raymond Drew Walker
In a CAS 5.0.1 Maven overlay I have the following files included: src/main/resources/bootstrap.properties spring.profiles.active=native spring.cloud.config.server.native.searchLocations=file:///nau/local/cas/config In the config file: /nau/local/cas/config I have some basic stuff, but it doesn’t

[cas-user] CAS5 Shibboleth and MFA using duo

2016-12-29 Thread K S
Can cas trigger MFA based on a certain Shibboleth relying party? Right now it's all or nothing for cas shib integration for MFA. The request is similar to this thread https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/Eo7KQUn1EHk like cas can display messages based on entityid SAML M

[cas-user] CAS5 intermittent login loop

2016-12-02 Thread Baron Fujimoto
We're trying to troubleshoot an intermittent problem some of our users have been reporting with CAS5 (RC4). The behavior being reported is that after providing their credentials at the login page, they are simply returned to the login page again with no error. Unfortunately we have not yet bee

[cas-user] CAS5 with ticket throttled timeout

2016-12-02 Thread Chris
Dear all, I am setting up CAS 5.0.0. I tried to use ticket throttled timeout by adding the following to the cas.properties file cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800 cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=30 I expect if I use the TGT within 30 sec, then TGT

[cas-user] CAS5 - Log configuration file in git ?

2016-11-25 Thread Elendrys Yagami
Hello, Is it possible to store the log4j2.xml file in the git repository used to store config files ? What would be the syntax for the logging.config parameters ? Thank you -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Maili

[cas-user] cas5 MFA for SAML2 SP

2016-11-17 Thread K S
Can MFA be triggered for a specific SAML2 SP inside the CAS service registry? I am using the following JSON but it's not triggering the DUO login. I am able to login to the SP though. { @class: org.apereo.cas.support.saml.services.SamlRegisteredService serviceId: https://localhost:8443/spring-

Re: [cas-user] CAS5 Delegate Authentication for linkedin using pac4j

2016-11-01 Thread Dmitriy Kopylenko
And that is simply because LinkedIn is not currently implemented. Here are all the pac4j supported clients that are currently implemented: https://github.com/apereo/cas/blob/master/support/cas-server-support-pac4j/src/main/java/org/apereo/cas/support/pac4j/config/Pac4jConfiguration.java#L212

[cas-user] CAS5 Delegate Authentication for linkedin using pac4j

2016-11-01 Thread K S
I don't see LinkedIn delegated auth properties in the CAS5 documentation. I am using these but it does not create the login link when cas comes up. cas.authn.pac4j.linkedin.id= cas.authn.pac4j.linkedin.secret= cas.authn.pac4j.linkedin.scope= -- - CAS gitter chatroom: https://gitter.im/apereo/c

[cas-user] CAS5 RC4 /oidc/authorize leads to error page

2016-10-11 Thread Guido Wimmel
Hi, I'm trying to set up OpenId Connect authentication as described in https://apereo.github.io/cas/development/installation/OIDC-Authentication.html However, when I access GET .../cas/oidc/authorize/?response_type=code&scope=openid&client_id=client&redirect_uri= I only get an error page (ap