[cas-user] service multifactorPolicy failureMode

2018-04-20 Thread Rob Spellman
We are evaluating using MFA on campus, and I've set up CAS to authenticate 
with duo.  I'm able to login via CAS, and then successfully navigate the 
duo page and get logged into my service.

Now I'd like to test what happens if we can't communicate with duo.  

In my service definition, failureMode is set to OPEN.  

I added a simple route reject on my Linux box to block communication with 
the duo api server, and tried to login again, and now I'm getting a request 
denied message from my service.  Logging the saml response does indeed show 
that:

The validation request for 
['ST-AAEFFIa9ztEEPxYo5BVSyfZGsWN09PkWxHDHKNItv+S35C1Lfa8VbiWC'] cannot be 
satisfied. The request is either unrecognized or 
unfulfilled.

Reading the documentation, I thought failureMode OPEN would allow 
authentication to proceed with a success message to the service provider 
based upon the successful login to LDAP.  I also tried PHANTOM with the 
same result.

If I remove the multifactorPolicy from my service, I'm able to login 
without MFA without issue.

Running CAS 5.2.2.

Rob

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/94a7497d-029b-4727-9d07-dc55f9e043ce%40apereo.org.
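
Rob's post does not show the service definition itself, so below is what a
CAS 5.2 JSON service entry with a per-service Duo policy looks like. This is
an added example, not Rob's configuration or anything shipped by the CAS
project: the hostname, name, id and description are placeholders, and
`mfa-duo` is the default Duo provider id in CAS 5.x. It deliberately uses
CLOSED rather than OPEN. With OPEN, anyone who can make the Duo API
unreachable from the CAS server (blocking egress, breaking DNS) downgrades
every login to this service to password only, which is exactly what the
route-reject test simulates. PHANTOM proceeds like OPEN but additionally
records the authentication as if Duo had succeeded, so downstream services
that inspect the MFA context attribute cannot tell the difference.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.edu/.*",
  "name" : "Example application (placeholder)",
  "id" : 1001,
  "description" : "Added example, not from the original post; hostname, id and name are placeholders",
  "evaluationOrder" : 10,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "CLOSED",
    "bypassEnabled" : false
  }
}
```

The failure mode only comes into play once CAS has decided the provider is
unavailable, and it decides that through the Duo provider's own health check
(a ping of the Duo API), not by watching the user's Duo step fail. When
testing, look in the CAS log for the result of that availability check
before concluding that OPEN or PHANTOM is being ignored. The same setting
exists globally as `cas.authn.mfa.globalFailureMode`; the per-service value
overrides it, and CLOSED is the one to keep unless there is a documented
reason to accept the downgrade.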


[cas-user] CAS 4.1.X Client IP restrictions

2018-04-20 Thread Ted Fisher
Has anyone enabled restrictions on Client IP by service?
I think I should be able to at the service level use requiredAttributes to 
evaluate the Client IP is within a defined value, but I can’t find anything on 
how to access Client IP as an attribute.

Any help?

Thanks.

Ted Fisher
Bowling Green State University



Re: [cas-user] Re: CAS 5.2.x as IDP using SAML 2.0

2018-04-20 Thread David Curry
Did you create an entry in your service registry to allow the service? It
should look something like this:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "IAMShowcase",
  "name" : "Test SP",
  "id" : 123456789,
  "description" : "IAMShowcase test SP",
  "metadataLocation" : "file:/etc/cas/saml/sp-metadata/iamshowcase.xml",
  "evaluationOrder" : 1
}


with some sort of attribute release policy added. Note that the entityID
for that service is "IAMShowcase", NOT a URL (see the metadata).

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

[image: The New School]

On Fri, Apr 20, 2018 at 2:26 AM, Jay wrote:

> Thank you Dave.
>
> I guess it worked out for me, it was able to hit the IDP successfully and
> I think I am missing something in the CAS-Overlay. Can you help me here.
> Below is the error message I see when I hit the url that was generated in
> sptest.iamshowcase.com/instructions after uploading the metadata file
> generated locally.
>
>
> 
>
>
> On Thursday, April 19, 2018 at 6:58:16 AM UTC-5, David Curry wrote:
>>
>> Just this week I discovered   https://sptest.iamshowcase.com/   that
>> lets you set up a custom SP to talk to your IdP for testing. You download
>> their metadata, save it somewhere on your server
>> (/etc/cas/saml/sp-metadata/iamshowcase.xml or something), upload your
>> CAS IdP metadata to them, create a service definition, and you're done.
>> Takes like 5 minutes.
>>
>> You can also use testshib.org of course, but personally I find it to be
>> pretty cumbersome, both generally and because it's very
>> Shibboleth/InCommon-centric (it's their site, so that's okay, but it's a
>> hassle when you're wanting to use it for something else).
>>
>> --Dave
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> 
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>> [image: The New School]
>>
>> On Thu, Apr 19, 2018 at 12:52 AM, Jay  wrote:
>>
>>> Hi Matt,
>>>
>>> Thank you so much, that helped in setting up the Local CAS application
>>> as IDP and was able to see the metadata generated carefully by invoking the
>>> idp url (/idp/metadata).
>>>
>>> To test it I was looking at setting up a local Shibboleth SP application
>>> but couldn't since I use Windows and Apache Tomcat to run the CAS
>>> application. Any info in this regard would really help.
>>>
>>> Thank you,
>>> Jay
>>>
>>> On Thursday, April 12, 2018 at 2:47:40 PM UTC-5, Matthew Uribe wrote:

 Jay,

 I just recently went through an upgrade from CAS 3.5.2 to 5.2.0 and
 this documentation was immeasurably helpful:

 https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_overview.html


 On Thursday, April 12, 2018 at 10:40:21 AM UTC-6, Jay wrote:
>
> Hello everyone,
>
> We are recently in process of upgrading from CAS3.5 to CAS5.2 as part
> of this effort we need to provide support of SAML authentication to an
> external application (say 'abc' application).
>
> Here 'abc' will be the SP and new CAS5.x will be the identity provider.
>
> Could someone guide us or tell how to achieve since we are new to
> CAS5.x framework, it would be very helpful to achieve this 
> implementation.
>
> Thanks,
> Jay
>
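
Dave's entry above leaves the attribute release policy out. As an added
example (not Dave's configuration and not from the CAS project), here is the
same service with an explicit allow-list release policy; the attribute names
`mail` and `displayName` are assumptions about what the SP wants. Two points
worth knowing: `serviceId` on a SAML service is a regular expression matched
against the SP's entityID, which is why his plain `IAMShowcase` works, and
anchoring it (`^...$`) stops it from also matching any entityID that merely
contains that string; an entityID that is a URL needs its dots escaped the
same way. For a third-party SP, name the attributes rather than reaching for
`ReturnAllAttributeReleasePolicy`.

```json
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^IAMShowcase$",
  "name" : "Test SP",
  "id" : 123456789,
  "description" : "Added example, not from the original post: IAMShowcase test SP with an allow-list release policy; attribute names are assumptions",
  "metadataLocation" : "file:/etc/cas/saml/sp-metadata/iamshowcase.xml",
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail", "displayName" ] ]
  }
}
```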

Re: [cas-user] Re: CAS 5.2.x as IDP using SAML 2.0

2018-04-20 Thread Matthew Uribe
It looks like you need to create a service for the application. I don't
think the wild card service applies to SAML applications, so you need a
service specifically for this new application.


Re: [cas-user] buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

2018-04-20 Thread Jérôme LELEU
Hi,

I'm resuming on your latest message.

Yes, you do need a callback URL for your application.

This is the doc you are looking for:
https://apereo.github.io/cas/5.2.x/installation/Service-Management.html

Every time you want an application to log in to the CAS server, the CAS
server must know it. Thus the declaration of the CAS services and callback
URLs.

Thanks.
Best regards,
Jérôme



On Thu, Apr 19, 2018 at 10:39 PM, Steve Hespelt wrote:

> Well, I stumbled across a few config properties I decided to try
> (desperate people do desperate things...)
>
> cas.http-web-request.cors.allow-credentials=true
> # ? where are login requests coming from? Our webapp server name(s)
> # is this needed to get the final redirect back to our app ??
> cas.http-web-request.cors.allow-origins=localhost
> # ??
> cas.webflow.redirect-same-state=true
>
> Restarted CAS, same test case.
> now I see this warning log:
> 2018-04-19 15:47:48,430 WARN 
> [org.apereo.cas.web.flow.ServiceAuthorizationCheck]
> - <Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.>
>  I have to have a Service defined for the call back to the initial app
> ???
>
>
> 2018-04-19 15:47:48,432 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
> -  [org.springframework.webflow.execution.ActionExecutionException:
> Exception thrown executing org.apereo.cas.web.flow.
> ServiceAuthorizationCheck@5fad865 in state 'serviceAuthorizationCheck' of
> flow 'login' -- action execution attributes were 'map[[empty]]'] with root
> cause [org.apereo.cas.services.UnauthorizedServiceException: Service
> Management: missing service. Service [https://localhost:8449/
> callback?client_name=CasClient] is not found in service registry.]>
>
> Has anyone actually gotten delegated authentication to flow from CAS back
> to an app that used the CAS protocol to request authentication to work?
> using CAS 5.2.x ?  Reading tons of CAS docs have provided no magic beans,
> nor did any page mention having to have a call back service defined...
> Am I frustrated? You bet.
> Is it correct for me to assume that this use case is 'typical' and that,
> being typical, the default webflow definitions in CAS 5.2.2 ought to
> provide for it working? The docs at
> https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html
> certainly suggest to me that's the case.
> Sure would like to make use of many of the positive features described in
> CAS 5.2.x. But I have to wonder if I'm missing much of the necessary
> details.  I would like to avoid implementing all the features myself. Never
> been a big fan of the "let's reinvent the wheel" school of development.
> But...
>
> Any insights, magic beans greatly appreciated.
> -steve
>
>
> On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>>
>> Hi Jérôme,
>> I found an earlier posting
>> 
>> from 12/21/17 regarding the NPEs, so as suggested by that posting, I
>> restarted CAS & then cleared all related cookies from the browser. Once I
>> restart CAS & re-initiated the same flow, no more NPE as shown in my log.
>> But I still have the problem with the webflow not finishing as I expect.
>> I increased the log level to trace on a few packages:
>> org.apereo.cas.web.flow
>> org.springframework.webflow
>> org.springframework.session
>> org.springframework.web
>> org.springframework.web.socket
>> Some log entries of interest (to me): (and I'm currently guessing the
>> issue may be related to a SSO log msg at 2018-04-19 11:53:23,186
>> below.  Why would a service not be allowed to use SSO ?
>> -steve
>>
>> 2018-04-19 11:53:01,183 TRACE 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - > RequestFacade@33327a12><- this object ref# shows up later, at the
>> bottom so I'm correlating this initial log with the later ('completion' )
>> log msg below with the same object ref#...
>> 2018-04-19 11:53:01,183 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - > for [/cas/login]>
>>
>> 2018-04-19 11:53:01,209 TRACE [org.apereo.cas.web.CasWebApplicationContext]
>> - > cationContext@222545dc: ServletRequestHandledEvent: url=[/cas/login];
>> client=[0:0:0:0:0:0:0:1]; method=[GET]; servlet=[dispatcherServlet];
>> session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms];
>> status=[OK]>  <- From the pac4j demo's SecurityFilter redirect to
>> initial request on /cas/index.jsp
>>
>> 2018-04-19 11:53:22,914 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - > for [/cas/login]>
>>
>> 2018-04-19 11:53:22,921 TRACE 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - > vc.servlet.FlowHandlerMapping@2ee91bdf] in DispatcherServlet with name
>> 'dispatcherServlet'>
>> 2018-04-19 11:53:22,921 DEBUG 
>> 
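
Jérôme's point is that the callback URL itself has to be registered as a CAS
service: in the delegated flow the pac4j `CasClient` inside the application
presents `https://localhost:8449/callback?client_name=CasClient` as the
`service` to the CAS server, which is exactly the URL Steve's
`UnauthorizedServiceException` names. As an added example (not from the
thread and not from the pac4j or CAS projects), a CAS 5.2 JSON service entry
for that callback; the id, name and description are placeholders. The `?` is
escaped because `serviceId` is a regex, and the pattern is pinned to the
host and path rather than the `^https://.*` wildcard the demos tend to ship
with: a wildcard lets any HTTPS site present itself as a registered service
and collect service tickets for logged-in users, and with them whatever
attributes the release policy allows.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://localhost:8449/callback\\?client_name=CasClient.*",
  "name" : "pac4jCallback",
  "id" : 2001,
  "description" : "Added example, not from the original thread: registers the pac4j CasClient callback URL; id and name are placeholders",
  "evaluationOrder" : 20
}
```

With the JSON service registry, drop this in the directory that
`cas.serviceRegistry.json.location` points at, named `pac4jCallback-2001.json`
to match the `name` and `id`, and restart CAS (or rely on the registry
watcher if it is enabled). The `ServiceAuthorizationCheck` warning quoted
above is about the registry lookup only; the CORS and `redirect-same-state`
properties Steve tried do not affect it.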

[cas-user] CAS Logging {really log4j2 questions}

2018-04-20 Thread Duncan Brannen
 

Morning All,

First, thanks to Dave from the New School for producing the deployment 
guide; it was a great help for us migrating from CAS 3 -> CAS 5, which we’ve 
recently done.

I’ve a couple of issues with logging I wouldn’t mind throwing out here.

1/.

I set a TimeBasedTriggeringPolicy of a day (via interval of 1 and pattern of 
yyy-MM-dd) and removed the size="10 MB" from the SizeBasedTriggeringPolicy in 
our log4j2.xml file, but noticed our logs were still rolling at 10/11 MB when 
we left in the SizeBasedTriggeringPolicy line.

Without it they just roll daily as expected. I’m not sure if this is 
something unique to us and haven’t found any log4j2 docs that imply there’s a 
default if it’s left in without a value. Can anyone else clarify if the 
SizeBasedTriggeringPolicy should be removed or this is a local issue.

2/.

I created another Appender and AsyncLogger to send logs to our ELS stack via 
logstash. Our TGTs are not being obfuscated in those logs. Given the below 
configs, the TGTs are obfuscated in cas_json.log but not in logstash. Is this 
as expected / do I need to do the obfuscation in logstash?

Cheers,

    Duncan





Re: [cas-user] Re: CAS 5.2.x as IDP using SAML 2.0

2018-04-20 Thread Jay
Thank you Dave.

I guess it worked out for me, it was able to hit the IDP successfully and I 
think I am missing something in the CAS-Overlay. Can you help me here. 
Below is the error message I see when I hit the url that was generated in 
sptest.iamshowcase.com/instructions after uploading the metadata file 
generated locally.




