Re: [cas-user] CAS Scaling

2018-05-07 Thread Ramakrishna G
I have a requirement where I hit a URL, say www.abc.com/123, which redirects
to CAS if not logged in, generates tickets and then redirects to the specified
URL. The user is unaware of CAS. Internally we are handling the request to
forward to CAS or the specified URL based on the ticket. This is the reason I am
using Mod_Auth_CAS.

Can you please elaborate on mod_proxy_balancer and how it will help meet my
requirement?

Thanks in Advance
Ramakrishna G

On Mon, May 7, 2018 at 8:29 PM, Richard Frovarp wrote:

> A bit confused as to why you need the IdP (CAS Server) and the SP
> (mod_auth_cas) on every system. You don't need mod_auth_cas to run the CAS
> Server. There is mod_proxy_balancer in HTTPD which can do load balancing to
> multiple backends.
>
>
> On 05/07/2018 09:13 AM, Ramakrishna G wrote:
>
> Hello
>
> I am running a load balancer (NGINX) which redirects the request to
> Mod_Auth_Cas (Apache) and its corresponding CAS Server (Tomcat).
>
> Drawback of the current approach I am using:
>
> -> One Tomcat for one Apache, which I want to remove. Also I need to remove
> multiple node connection.
>
> Is there a way I can configure a single Apache to talk to multiple Tomcats?
> In other words, a single Mod_Auth_Cas will talk to multiple CAS Servers. How
> can I achieve it?
>
> Note: I know it can be achieved by adding NGINX in between Apache and
> Tomcat to make it work. But I am looking for a cost efficient and less
> utilized (node) approach.
>
> Thanks
> Ramakrishna G
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/CAGST5P-%3De%2BCrUzWEOBkX%
> 2BN89cba31Cnh70p9%2BebN-5RMGc-Gog%40mail.gmail.com
> 
> .
>
>


[cas-user] Re: how to change cas.properties location

2018-05-07 Thread Jay
Hi Cristina,

I tried to define the property in JAVA_OPTS, but still it could not pick up 
the cas.properties file from the location.

I see the below from the catalina.out log file.
May 07, 2018 11:15:14 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcas.standalone.config={{config_dir}}/etc/cas/config

Any help would be really appreciated.

Thanks,
Jay

On Friday, December 8, 2017 at 7:34:56 AM UTC-6, Cristina Vlaicu wrote:
>
> Hello,
>
> I found out my response here : 
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Management.html#overview
>
> I added in tomcat in JAVA_OPTS variable the system property 
> -Dcas.standalone.config=/my/config/folder/location 
>
> Thank you,
> Cristina 
>
>
> On Friday, December 8, 2017 at 2:44:44 PM UTC+2, Cristina Vlaicu wrote:
>>
>> Hello,
>>
>> I read in the documentation that for changing the cas.properties location I 
>> have to change the value of the cas.standalone.config property, but I did not 
>> understand where this property should be configured. Should it be 
>> configured in the file application.properties? Another question is whether, for 
>> this setting, I should add another dependency in the pom.xml file of the 
>> cas-overlay project.
>>
>> Thank you,
>>
>> Cristina 
>>
>



[cas-user] Re: CAS not redirecting to service after successful authentication.

2018-05-07 Thread Andy Ng
Hi Neha,

I would like to know in which documentation you found the parameter 
TARGET in "https://idiv-dev1:8443/cas/login?TARGET=http%3a%2f%2flocalhost%3a60397%2f". 
I didn't see this parameter in the official documentation. 
Maybe it is something related to ASP.NET?

Anyway, the usual parameter for defining service in CAS is "service", that 
means your URL should be 
"https://idiv-dev1:8443/cas/login?service=http%3a%2f%2flocalhost%3a60397%2f"

It is nice that you attached the debug log:
- I can see that the service is registered successfully based on "", so your service 
registration is correct.

Regarding the part related to ASP.NET, I have no idea so I would not 
comment on that. But I think since you can log in successfully, the ASP.NET part 
should be fine as is.

Cheers!
- Andy


On Monday, 7 May 2018 22:12:34 UTC+8, Neha Gupta wrote:
>
> Dear All,
>
> I am trying to integrate CAS with ASP.NET application.
> Everything is working fine but CAS is not able to redirect to the 
> destination service and showing its own logged in page.
>
> Final URL is: - https://idiv-dev1:8443/cas/login?TARGET=http%3a%2f%2flocalhost%3a60397%2f
>
> where in TARGET my service URL is defined, where I want CAS to redirect.
>
> Following configuration I have done in "*web.config*" file: -
>
> * casServerLoginUrl="https://idiv-dev1:8443/cas/login" 
> casServerUrlPrefix="https://idiv-dev1:8443/cas/" 
> serverName="http://localhost:60397/" 
> notAuthorizedUrl="~/NotAuthorized.aspx" 
> redirectAfterValidation="true"
> renew="false" 
> singleSignOut="true" 
> ticketValidatorName="Saml11" 
> serviceTicketManager="CacheServiceTicketManager"
> * />*
>
> * *
>   https://idiv-dev1:8443/cas/login" cookieless="UseCookies" />
> **
>
> Along with this configuration I have also mentioned in "*FilterConfig.cs*" 
> below two lines: - 
>
> filters.Add(new System.Web.Mvc.AuthorizeAttribute());
> filters.Add(new RequireHttpsAttribute());
>
>
> Please let me know where the problem is, as I have no clue.
>
> PS: - I have registered the service with CAS and also below service is 
> present which authorizes all services to pass through CAS: -
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https|imaps|http)://.*",
>   "name" : "Apereo",
>   "theme" : "apereo",
>   "id" : 1002,
>   "description" : "Apereo foundation sample service",
>   "evaluationOrder" : 1,
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   }
> }
>
>
>
>
> Regards
> Neha Gupta
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Do you have the dashboard endpoints enabled? Can you go to the "services"
endpoint, which dumps the service registry, and see if there's something
else in there?

Alternatively, I think if you turn on debug mode logging, it will tell you
what services are loaded.

I'm thinking you might be getting a wildcard match through no fault of your
own.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, May 7, 2018 at 3:48 PM, Patrick Sutton <
patrick.sutton.w...@gmail.com> wrote:

> Hello everyone,
>
> I'm the developer who has been working on implementing the SAML
> authentication referenced by the OP, and the provided responses seem to
> align with what I've come across while researching the issue, so I wanted
> to try and provide a little more information in the hopes that it'll help
> better explain the issue.
>
> From what I've been able to discern while attempting to debug the issue,
> it appears that the SAML service definition isn't even being loaded by CAS
> for some reason. I've tried everything from manually modifying the
> evaluationOrder property of the existing services to ensure the SAML
> service definition would be loaded first to deleting the other service
> definitions to eliminate load order issues, but to no avail.
>
> I've attached "scrubbed" versions of our current service definitions,
> along with the metadata returned from the SP we are attempting to integrate
> with CAS. If there is any additional information I can provide, please
> don't hesitate to ask.
>
> For reference, here are the property values related to SAML that we are
> currently using:
>
> cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
> cas.authn.samlIdp.scope=cas-idp-domain.com
>
>
> {
> /*
>   Generic service definition that applies to https/imaps urls
>   that wish to register with CAS for authentication.
> */
> "@class" : "org.apereo.cas.services.RegexRegisteredService",
> "serviceId" : "^(https):\\/\\/.*\\.cas-idp-domain\\.com\\/.*",
> "name" : "HTTPS for genius",
> "id" : 1006,
> "evaluationOrder": 300,
> }
>
>
> {
>   /*
> Generic service definition that applies to https/imaps urls
> that wish to register with CAS for authentication.
>   */
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https):\\/\\/portal\\.cas-idp-domain\\.com\\/.*",
>   "name" : "HTTPS for another Vendor",
>   "id" : 1004,
>   "evaluationOrder": 200,
> }
>
>
> {
>   /*
>    * The CAS SAML IdP creates this endpoint as part of its initialization
>    * process at server startup time. If the service registry doesn't already
>    * contain an entry whose serviceId matches the endpoint, CAS will create
>    * a new service definition and save it to the registry. If the CAS server
>    * doesn't have write access to the registry, then the save will fail and
>    * the server will not start.
>    *
>    * To avoid that situation, and to make it clear that this endpoint is a
>    * "desired" service, it is defined explicitly here.
>    */
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "https://vendor-site.com/Pages/Auth/Login.aspx",
>   "name" : "SAML Authentication Request",
>   "id" : 1003,
>   "metadataLocation" : "https://link-to-metadata.com",
>   "evaluationOrder": 1
> }
>
>
> SP Metadata:
>
> validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S"
> entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
> WantAssertionsSigned="false"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
>
>
> On Monday, May 7, 2018 at 8:19:58 AM UTC-7, John D Giotta wrote:
>>
>> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS
>> (currently using CAS protocol).
>>
>> I've followed documentation, but unfortunately I'm unable to get the
>> application to authorize.
>>
>> The error I get in logs is:
>>
>> CAS has found a match for service
>> [https://vendor-site.com/Pages/Auth/Login.aspx] in registry but the match
>> is not defined as a SAML service>
>>

[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Patrick Sutton
Hello everyone,

I'm the developer who has been working on implementing the SAML 
authentication referenced by the OP, and the provided responses seem to 
align with what I've come across while researching the issue, so I wanted 
to try and provide a little more information in the hopes that it'll help 
better explain the issue.

From what I've been able to discern while attempting to debug the issue, it 
appears that the SAML service definition isn't even being loaded by CAS for 
some reason. I've tried everything from manually modifying the 
evaluationOrder property of the existing services to ensure the SAML 
service definition would be loaded first to deleting the other service 
definitions to eliminate load order issues, but to no avail.

I've attached "scrubbed" versions of our current service definitions, along 
with the metadata returned from the SP we are attempting to integrate with 
CAS. If there is any additional information I can provide, please don't 
hesitate to ask.

For reference, here are the property values related to SAML that we are 
currently using:

cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
cas.authn.samlIdp.scope=cas-idp-domain.com


{
/*
  Generic service definition that applies to https/imaps urls
  that wish to register with CAS for authentication.
*/
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https):\\/\\/.*\\.cas-idp-domain\\.com\\/.*",
"name" : "HTTPS for genius",
"id" : 1006,
"evaluationOrder": 300,
}


{
  /*
Generic service definition that applies to https/imaps urls
that wish to register with CAS for authentication.
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https):\\/\\/portal\\.cas-idp-domain\\.com\\/.*",
  "name" : "HTTPS for another Vendor",
  "id" : 1004,
  "evaluationOrder": 200,
}


{
  /*
   * The CAS SAML IdP creates this endpoint as part of its initialization
   * process at server startup time. If the service registry doesn't already
   * contain an entry whose serviceId matches the endpoint, CAS will create
   * a new service definition and save it to the registry. If the CAS server
   * doesn't have write access to the registry, then the save will fail and
   * the server will not start.
   *
   * To avoid that situation, and to make it clear that this endpoint is a
   * "desired" service, it is defined explicitly here.
   */
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://vendor-site.com/Pages/Auth/Login.aspx",
  "name" : "SAML Authentication Request",
  "id" : 1003,
  "metadataLocation" : "https://link-to-metadata.com",
  "evaluationOrder": 1
}


SP Metadata:


https://vendor-site.com/Pages/Auth/Login.aspx">

https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />



On Monday, May 7, 2018 at 8:19:58 AM UTC-7, John D Giotta wrote:
>
> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS 
> (currently using CAS protocol).
>
> I've followed documentation, but unfortunately I'm unable to get the 
> application to authorize.
>
> The error I get in logs is:
>
> CAS has found a match for service
> [https://vendor-site.com/Pages/Auth/Login.aspx] in registry but the match
> is not defined as a SAML service>
>
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
For the service definition, you should only have one, which is a
SamlRegisteredService. You do not need (or want)  a RegexRegisteredService
for a SAML service.

And as Matthew said, you should also set

cas.authn.samlIdp.entityId: ${cas.server.prefix}/idp
cas.authn.samlIdp.scope: yourdomain.com

I'm not sure it actually matters from the perspective of your CAS SAML IdP
working or not, but it may matter to the service provider ("client"),
especially if that's a third party, who probably wants a "real" name there
instead of "example.org".

As for why you're not matching the service, ASSUMING you only have the
single SamlRegisteredService definition (and not also a
RegexRegisteredService), then you should check that the entityId being sent
by the service is identical to what you have in the "serviceId" field of
your service registry entry.

To check what the SP is sending, look in the XML file for the SP's metadata
near the top of the file:

http://workday.workday.com/newschool_preview"
entityID="http://www.workday.com/newschool_preview">

or

http://www.w3.org/2000/09/xmldsig#" entityID="IAMShowcase"
validUntil="2025-12-09T09:13:31.006Z">

Whatever you see in the "entityID" attribute is what you should have,
exactly, in the "serviceId" field of your service registry entry. Note
that  there's no requirement that the entityId be a "real" URL, or even
URL-shaped. The only requirement is that the SP and IdP agree on what it
should be.

--Dave






--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, May 7, 2018 at 12:57 PM, John D Giotta  wrote:

> If I don't set this property does it affect the vendor integration I'm
> attempting to do?
>
>
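
The two checks suggested in this thread (is a wildcard definition outranking the SAML one, and does the SP's entityID equal the registered serviceId exactly) can be run offline against the registry files. The script below is an added example, not code from the thread or the CAS project; it assumes a simplified lookup model (lowest evaluationOrder first, serviceId as a full-match pattern, Python's regex engine standing in for Java's), and the catch-all definition, its id 9001 and the SP metadata are constructed samples.

```python
import json
import re
import xml.etree.ElementTree as ET

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed registry files. The SAML entry reuses the scrubbed values posted
# in the thread; the catch-all entry and its id 9001 are made up.
WILDCARD_FILE = """
{
  /* Generic catch-all definition */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 9001,
  "evaluationOrder" : 0,
}
"""
SAML_FILE = """
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://vendor-site.com/Pages/Auth/Login.aspx",
  "name" : "SAML Authentication Request",
  "id" : 1003,
  "metadataLocation" : "https://link-to-metadata.com",
  "evaluationOrder" : 1
}
"""
# Constructed SP metadata carrying the entityID shown in the thread.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def load_definition(text):
    """Parse one service file, tolerating /* */ comments and trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\":                      # copy the escaped character as-is
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_str = False
        elif text.startswith("/*", i):
            i = text.index("*/", i + 2) + 1     # jump to the end of the comment
        elif ch in "}]":
            while out and out[-1].isspace():    # drop ", " left before a closer
                out.pop()
            if out and out[-1] == ",":
                out.pop()
            out.append(ch)
        else:
            in_str = ch == '"'
            out.append(ch)
        i += 1
    return json.loads("".join(out))


def sp_entity_id(metadata_xml):
    """Return the entityID of the first EntityDescriptor in SP metadata."""
    # Inline sample only: parse third-party metadata with a hardened parser
    # (for example defusedxml) rather than the standard library.
    root = ET.fromstring(metadata_xml)
    nodes = [root] + root.findall(".//" + MD_NS + "EntityDescriptor")
    for node in nodes:
        if node.tag == MD_NS + "EntityDescriptor" and node.get("entityID"):
            return node.get("entityID")
    raise ValueError("no EntityDescriptor with an entityID found")


def resolve(definitions, entity_id):
    """Return (winning definition or None, list of findings) for entity_id."""
    findings, matches = [], []
    for d in sorted(definitions, key=lambda d: d.get("evaluationOrder", 0)):
        sid = d["serviceId"]
        if sid != sid.strip():
            findings.append(f"id {d['id']}: serviceId has stray whitespace")
        if re.fullmatch(sid, entity_id):
            matches.append(d)
    if not matches:
        return None, findings + [f"no definition matches {entity_id!r}"]
    winner = matches[0]
    if winner["@class"] != SAML_CLASS:
        findings.append(f"id {winner['id']} matches first but is not a SamlRegisteredService")
        findings += [f"SAML definition id {d['id']} is shadowed by id {winner['id']}"
                     for d in matches[1:] if d["@class"] == SAML_CLASS]
    return winner, findings


if __name__ == "__main__":
    registry = [load_definition(WILDCARD_FILE), load_definition(SAML_FILE)]
    winner, findings = resolve(registry, sp_entity_id(SP_METADATA))
    print("winner:", winner["id"] if winner else None)
    print("\n".join(findings))
```

With the sample data the catch-all entry wins and the SAML entry is reported as shadowed; raising the catch-all's evaluationOrder above 1 makes id 1003 the match with no findings.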



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Matthew Uribe
What does the SP expect the entityID to be? 

I have not experimented with anything other than setting the entityId to 
${cas.server.prefix}/idp   and I don't know whether the CAS server will 
have issues with responding to https://cas.example.org/idp since CAS itself 
is at https://cas.example.org/cas, based on where you say your metadata is. 
Why would you not set this property? 

On Monday, May 7, 2018 at 10:58:00 AM UTC-6, John D Giotta wrote:
>
> If I don't set this property does it affect the vendor integration I'm 
> attempting to do?
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
If I don't set this property does it affect the vendor integration I'm 
attempting to do?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Matthew Uribe
I would expect your entityID to be https://cas.example.org/cas/idp but it 
depends on what you've set it to in cas.properties under 
cas.authn.samlIdp.entityId


On Monday, May 7, 2018 at 10:39:28 AM UTC-6, John D Giotta wrote:
>
> I noticed that my /cas/idp/metadata endpoint returns the following
>
> http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
> xmlns:xml="http://www.w3.org/XML/1998/namespace"
> xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
> entityID="https://cas.example.org/idp">
>
>
> Shouldn't the entityID attribute read something else?
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
I noticed that my /cas/idp/metadata endpoint returns the following


http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
entityID="https://cas.example.org/idp">


Shouldn't the entityID attribute read something else?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
What I meant was that Matthew asked about my JSON using the @class 
org.apereo.cas.support.saml.services.SamlRegisteredService
Then asked if I registered the IdP endpoint. From the tutorial he pointed 
me towards, I can't tell if I'm creating both a SamlRegisteredService and a 
RegexRegisteredService 
JSON in registry.




Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Well, I used the one file per service model with them all in the
/etc/cas/services directory. But I believe you can keep them all in one big
JSON file if you want.


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.


On Mon, May 7, 2018, 12:21 John D Giotta  wrote:

> Are there 2 service JSON files I'm supposed to create?
>
>



[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
Are there 2 service JSON files I'm supposed to create?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Just a thought, do you still have the "HTTP|IMAP" wildcard service in
there? And does it have a lower evaluation order than your service-specific
entry?

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, May 7, 2018 at 11:57 AM, John D Giotta  wrote:

> Yes, it is.
>
> {
>  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>  "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
>  "name": "SAML Authentication Request",
>  "id": 1003,
>  "evaluationOrder": 1,
>  "metadataLocation": "https://s3.amazonaws.com/jdgiotta/sp-metadata/metadata.xml"
> }
>
>



[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Matthew Uribe
Have you also added the service definition for the IdP endpoint? 

If you haven't already, you may want to walk through the steps for adding 
SAML support in this guide:  
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html

On Monday, May 7, 2018 at 9:57:23 AM UTC-6, John D Giotta wrote:
>
> Yes, it is.
>
> {
>  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>  "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
>  "name": "SAML Authentication Request",
>  "id": 1003,
>  "evaluationOrder": 1,
>  "metadataLocation": "https://s3.amazonaws.com/jdgiotta/sp-metadata/metadata.xml"
> }
>
>



[cas-user] MFA - Filter by User or Location

2018-05-07 Thread Matthew Uribe
Has anyone experimented with, or had success with, enforcing multifactor 
authentication based on a user's returned attribute, or based on the 
location from which they are logging in? I'm experimenting with this now, 
and wondered whether anyone else had already crossed this bridge. 

We are using Duo for MFA.

Thanks!



[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
Yes, it is.

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
  "name": "SAML Authentication Request",
  "id": 1003,
  "evaluationOrder": 1,
  "metadataLocation": "https://s3.amazonaws.com/jdgiotta/sp-metadata/metadata.xml"
}



[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Matthew Uribe
What do you have in your json for "@class"? Is it 
"org.apereo.cas.support.saml.services.SamlRegisteredService"?

On Monday, May 7, 2018 at 9:19:58 AM UTC-6, John D Giotta wrote:
>
> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS 
> (currently using CAS protocol).
>
> I've followed documentation, but unfortunately I'm unable to get the 
> application to authorize.
>
> The error I get in logs is:
>
> CAS has found a match for service 
> [https://vendor-site.com/Pages/Auth/Login.aspx] in registry but the match 
> is not defined as a SAML service
>
>



[cas-user] Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
I'm not too familiar with SAML 2.0 and I need to set up our existing CAS 
(currently using CAS protocol).

I've followed documentation, but unfortunately I'm unable to get the 
application to authorize.

The error I get in logs is:

CAS has found a match for service 
[https://vendor-site.com/Pages/Auth/Login.aspx] in registry but the match 
is not defined as a SAML service



Re: [cas-user] CAS SLO Unable to remove ticket [ST-...]

2018-05-07 Thread Ray Bon
Iker,

It looks like the logout message was sent. Was it received and processed by the 
client?
It could be that the ST was removed earlier or that the ticket was expired and 
the response from the cache was interpreted by CAS as 'Unable to remove...'.

Ray

On Mon, 2018-05-07 at 04:24 -0700, Iker Gil wrote:
Hello!

We have a problem and I hope someone can help us.

I am leaving you the error log; basically, we cannot perform the Single Logout.
The problem comes when we delete the ST ticket: it shows "Unable to 
remove ticket [ST-...]".

However, it is capable of erasing the TGT ticket.
I do not know what is happening, we have tried everything we have found online 
and we have not had any luck. Can you help us?

Thank you very much in advance.



Re: [cas-user] CAS Scalling

2018-05-07 Thread Richard Frovarp
A bit confused as to why you need the IdP (CAS Server) and the SP 
(mod_auth_cas) on every system. You don't need mod_auth_cas to run the 
CAS Server. There is mod_proxy_balancer in HTTPD which can do load 
balancing to multiple backends.


On 05/07/2018 09:13 AM, Ramakrishna G wrote:

Hello

I am running a load balancer (NGINX) which redirects requests to 
Mod_Auth_Cas (Apache) and its corresponding CAS Server (Tomcat).

The drawback of the approach I am currently using is:

-> One Tomcat for one Apache, which I want to remove. Also, I need to 
remove the multiple node connection.

Is there a way I can configure a single Apache to talk to multiple 
Tomcats? In other words, a single Mod_Auth_Cas will talk to multiple CAS 
Servers. How can I achieve it?

Note: I know it can be achieved by adding NGINX in between Apache and 
Tomcat to make it work. But I am looking for a cost-efficient and less 
utilized (node) approach.


Thanks
Ramakrishna G
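What the mod_proxy_balancer suggestion in this reply could look like for a single Apache (with mod_auth_cas) in front of several CAS Server Tomcat nodes. This is an added example, not configuration posted by anyone in the thread; the host names, ports, file paths and the two-node pool are assumptions.

```apache
# Added example. Host names, ports, file paths and the two-node pool are
# assumptions. Needs mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests, mod_slotmem_shm, mod_ssl and mod_auth_cas loaded.

# mod_auth_cas (the SP): one instance, pointed at the balanced /cas path
# rather than at an individual Tomcat node.
CASLoginURL        https://www.abc.com/cas/login
CASValidateURL     https://www.abc.com/cas/serviceValidate
CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
CASCookiePath      /var/cache/httpd/mod_auth_cas/

<VirtualHost *:443>
    ServerName www.abc.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.abc.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.abc.com.key

    # TLS to the backends, with certificate checks left on.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.pem

    # The pool of CAS Servers (Tomcat). "route" must equal each Tomcat's
    # jvmRoute so the JSESSIONID suffix can pin a browser's login flow
    # to the node that started it.
    <Proxy "balancer://cascluster">
        BalancerMember "https://cas1.internal.example:8443" route=cas1
        BalancerMember "https://cas2.internal.example:8443" route=cas2
        ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid
    </Proxy>

    ProxyPass        "/cas" "balancer://cascluster/cas"
    ProxyPassReverse "/cas" "balancer://cascluster/cas"

    # The protected application URL from the thread.
    <Location "/123">
        AuthType CAS
        Require valid-user
    </Location>
</VirtualHost>
```

Sticky sessions only cover the browser's login flow: the ticket validation call comes from mod_auth_cas itself, carries no browser session cookie, and can land on a different node than the one that issued the ticket. The CAS nodes therefore need a shared ticket registry, otherwise validation fails intermittently.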


[cas-user] CAS Scalling

2018-05-07 Thread Ramakrishna G
Hello

I am running a load balancer (NGINX) which redirects requests to
Mod_Auth_Cas (Apache) and its corresponding CAS Server (Tomcat).

The drawback of the approach I am currently using is:

-> One Tomcat for one Apache, which I want to remove. Also, I need to remove
the multiple node connection.

Is there a way I can configure a single Apache to talk to multiple Tomcats? In
other words, a single Mod_Auth_Cas will talk to multiple CAS Servers. How can I
achieve it?

Note: I know it can be achieved by adding NGINX in between Apache and
Tomcat to make it work. But I am looking for a cost-efficient and less
utilized (node) approach.

Thanks
Ramakrishna G



[cas-user] CAS not redirecting to service after successful authentication.

2018-05-07 Thread Neha Gupta
Dear All,

I am trying to integrate CAS with an ASP.NET application.
Everything is working fine, but CAS is not able to redirect to the 
destination service and shows its own logged-in page.

Final URL is: https://idiv-dev1:8443/cas/login?TARGET=http%3a%2f%2flocalhost%3a60397%2f

where TARGET defines my service URL, to which I want CAS to redirect.

I have done the following configuration in the "web.config" file:

https://idiv-dev1:8443/cas/login"
casServerUrlPrefix="https://idiv-dev1:8443/cas/"
serverName="http://localhost:60397/"
notAuthorizedUrl="~/NotAuthorized.aspx"
redirectAfterValidation="true"
renew="false"
singleSignOut="true"
ticketValidatorName="Saml11"
serviceTicketManager="CacheServiceTicketManager"
/>

https://idiv-dev1:8443/cas/login" cookieless="UseCookies" />

Along with this configuration, I have also added the two lines below in 
"FilterConfig.cs":

filters.Add(new System.Web.Mvc.AuthorizeAttribute());
filters.Add(new RequireHttpsAttribute());


Please let me know where the problem is, as I have no clue.

PS: I have registered the service with CAS, and the service below is also 
present, which authorizes all services to pass through CAS:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps|http)://.*",
  "name" : "Apereo",
  "theme" : "apereo",
  "id" : 1002,
  "description" : "Apereo foundation sample service",
  "evaluationOrder" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}




Regards
Neha Gupta


Re: [cas-user] ORCID API updated to version 2.0.

2018-05-07 Thread Jérôme LELEU
Hi,

This upgrade will be available in pac4j 3.0.0(-RC2). See:
https://github.com/pac4j/pac4j/commit/cfb5113300de914b6a6e5a109a87a9d1da576472
Thanks.
Best regards,
Jérôme


On Mon, May 7, 2018 at 9:55 AM, Neha Gupta  wrote:

> Dear CAS Community,
>
> ORCID has updated the API version to 2, and as a result a problem occurs
> while authenticating with ORCID credentials. I am attaching a trace for the
> same. I request you to please look into it.
>
> Error shown in the CAS trace: -
>
> http://www.orcid.org/ns/orcid";>
> 1.2
> API Version 1.1 is no longer available. please upgrade to
> the 2.0 API https://members.orcid.org/api/news/xsd-20-update
> 
>
>
> Let me know in case any further information is required.
>
>
> Regards
> Neha Gupta
>



[cas-user] CAS SLO Unable to remove ticket [ST-...]

2018-05-07 Thread Iker Gil
Hello! 

We have a problem and I hope someone can help us.

I am leaving you the error log; basically, we cannot perform the Single Logout. 
The problem comes when we delete the ST ticket: it shows "Unable to 
remove ticket [ST-...]".

However, it is capable of erasing the TGT ticket.
I do not know what is happening, we have tried everything we have found 
online and we have not had any luck. Can you help us?

Thank you very much in advance.


DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - 
INFO [org.apereo.cas.logout.DefaultLogoutManager] - 
DEBUG [org.apereo.cas.logout.DefaultLogoutManager] - https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=
,principal=casuser,loggedOutAlready=false,format=XML]]>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=
,principal=casuser,loggedOutAlready=false,format=XML]]...>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=
,principal=casuser,loggedOutAlready=false,format=XML]] supports 
single logout and is found in the registry as 
[id=10001000,name=localhost,description=
,serviceId=^https://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=

,evaluationOrder=0,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ScriptedRegisteredServiceAttributeReleasePolicy@99bf835[attributeFilter=

,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@f1bde9df[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=

,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@16d0dc6b[excludedAttributes=
,includeOnlyAttributes=
,enabled=true]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@baae77d9[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=
,caseInsensitive=false,rejectedAttributes={}],publicKey=
,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@acc58972,logo=
,logoutUrl=
,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@8caa7c4[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=
,principalAttributeValueToMatch=
,bypassEnabled=false],informationUrl=,privacyUrl=
,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@17d9e978[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=
],]. Proceeding...>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/] for service 
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@4423027b[id=https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=
,principal=casuser,loggedOutAlready=false,format=XML]]>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=
,principal=casuser,loggedOutAlready=false,format=XML]] and ticket id 
[ST-2-k36PYFnDfyUmNh0AfOyYxspF9Wk]>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=
,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]
 
created for 
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@4423027b[id=https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=
,principal=casuser,loggedOutAlready=false,format=XML]] and ticket id 
[ST-2-k36PYFnDfyUmNh0AfOyYxspF9Wk]>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=
,principal=casuser,loggedOutAlready=false,format=XML]] is 
[BACK_CHANNEL]>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/,originalUrl=https://localhost/sample/,artifactId=

,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]>
DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - 
@NOT_USED@
ST-2-k36PYFnDfyUmNh0AfOyYxspF9Wk
]>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/] to [https://
localhost/sample/]>
DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
https://localhost/sample/,message=
@NOT_USED@
ST-2-k36PYFnDfyUmNh0AfOyYxspF9Wk
,asynchronous=true,contentType=application/x-www-form-urlencoded,responseCode=0]].
 
Sending...>
DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - https://localhost/sample/ HTTP/1.1]>
INFO [org.apereo.c

[cas-user] ORCID API updated to version 2.0.

2018-05-07 Thread Neha Gupta
Dear CAS Community,

ORCID has updated the API version to 2, and as a result a problem occurs while 
authenticating with ORCID credentials. I am attaching a trace for the same. 
I request you to please look into it.

Error shown in the CAS trace: -

http://www.orcid.org/ns/orcid";>
1.2
API Version 1.1 is no longer available. please upgrade to 
the 2.0 API https://members.orcid.org/api/news/xsd-20-update



Let me know in case any further information is required.


Regards
Neha Gupta
