[cas-user] disabling MFA, MFA failure modes

2018-08-31 Thread Baron Fujimoto
We're considering contingencies to MFA failures in light of recent service 
problems with Duo.

We're currently still using CAS 5.0.x. I'm assuming the property of interest 
for us here is cas.authn.mfa.globalFailureMode. The documentation doesn't 
really make this clear, but specifically what MFA is/isn't "communicated to the 
client if provider" is unavailable for PHANTOM/OPEN modes? How do these 
differ from NONE?



We also have MFA enabled for each registered service with the following:

  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "OPEN"
  }

It appears however, that setting cas.authn.mfa.globalFailureMode=NONE in 
cas.properties is not sufficient to disable/bypass MFA. I am still prompted for 
it. Should globalFailureMode in cas.properties take precedence over failureMode 
in the service registration, or vice versa? Or is this not the right way to 
achieve this goal? 

We are thinking that OPEN may not be desired in the rare cases where Duo may be 
technically available (how does CAS determine Duo's availability?), but the 
service has degraded unacceptably.

-- 
Baron Fujimoto  :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180901040127.ryteg5l4s3ccqeve%40combobulate.mgt.hawaii.edu.


Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Bill Scully
Yup, it was just the CAS client configuration.  All is well.  Thanks!

On Friday, August 31, 2018 at 4:02:11 PM UTC-5, Bill Scully wrote:
>
> Thank you both for your helpful links and examples!
>
> I haven't been able to successfully retrieve any specified attributes in 
> our testing, but it may be our client configuration.
>
> On to troubleshooting!
>
> Many, many thanks to both of you, again!
>
> On Friday, August 31, 2018 at 2:17:12 PM UTC-5, waldbiec wrote:
>>
>> Bill, 
>>
>> In `cas.properties`, in your LDAP section, you want a property like this: 
>>
>> 
>> cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
>>  
>>
>>
>> That says that the principal that is authenticated should get the above 
>> list of LDAP attributes.  For the ones that have 2 items separated by a 
>> colon, that is just a rename from the LDAP attribute to the name that will 
>> be exposed via CAS. 
>>
>> In your service file for an individual service, you specify what 
>> attributes from the above list you want to release.  The following sections 
>> from a service file are an example: 
>>
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "attributeFilter" : {
>>       "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
>>       "patterns": {
>>         "@class" : "java.util.HashMap",
>>         "memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
>>       },
>>       "excludeUnmappedAttributes": false,
>>       "completeMatch": false,
>>       "order": 0
>>     },
>>     "allowedAttributes" : [ "java.util.ArrayList",
>>       [
>>         "uid",
>>         "memberOf",
>>         "email",
>>         "givenName",
>>         "surname"
>>       ]
>>     ]
>>   },
>>
>> The "attributeReleasePolicy" is used to filter the "memberOf" attribute 
>> down to a specific value (because the attribute is multi-valued, and you 
>> usually want to release only one or a few of the values to a service). 
>>  The "allowedAttributes" section specifies what attributes from the 
>> principal will be released at all. 
>>
>> Thanks, 
>> Carl Waldbieser 
>> ITS Identity Management 
>> Lafayette College 
>>
>> - Original Message - 
>> From: "Bill Scully"  
>> To: "cas-user"  
>> Sent: Friday, 31 August, 2018 15:00:09 
>> Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application 
>>
>> Hi, 
>>
>> I'm having a hard time getting my head around where to start configuring 
>> CAS to provide LDAP attributes to the "RegisteredService" / application 
>> after authentication.  I'm assuming there are 2 areas that I need to 
>> configure, cas.properties and service JSON files, but navigating the 
>> documentation to find what I need has been beyond me up to this point. 
>>
>> Can someone kindly point me to the right areas 
>> of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I 
>> can 
>> figure out how to retrieve certain attributes from LDAP and share those 
>> selected values with the application?  I hope I'm using "application" 
>> properly. 
>>
>> Thanks, 
>>
>> Bill 
>>
>>  
>>
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/714d92bf-5b86-44eb-8af7-3769a862738d%40apereo.org.


Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Bill Scully
Thank you both for your helpful links and examples!

I haven't been able to successfully retrieve any specified attributes in 
our testing, but it may be our client configuration.

On to troubleshooting!

Many, many thanks to both of you, again!

On Friday, August 31, 2018 at 2:17:12 PM UTC-5, waldbiec wrote:
>
> Bill, 
>
> In `cas.properties`, in your LDAP section, you want a property like this: 
>
> 
> cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
>  
>
>
> That says that the principal that is authenticated should get the above 
> list of LDAP attributes.  For the ones that have 2 items separated by a 
> colon, that is just a rename from the LDAP attribute to the name that will 
> be exposed via CAS. 
>
> In your service file for an individual service, you specify what 
> attributes from the above list you want to release.  The following sections 
> from a service file are an example: 
>
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "attributeFilter" : {
>       "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
>       "patterns": {
>         "@class" : "java.util.HashMap",
>         "memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
>       },
>       "excludeUnmappedAttributes": false,
>       "completeMatch": false,
>       "order": 0
>     },
>     "allowedAttributes" : [ "java.util.ArrayList",
>       [
>         "uid",
>         "memberOf",
>         "email",
>         "givenName",
>         "surname"
>       ]
>     ]
>   },
>
> The "attributeReleasePolicy" is used to filter the "memberOf" attribute 
> down to a specific value (because the attribute is multi-valued, and you 
> usually want to release only one or a few of the values to a service). 
>  The "allowedAttributes" section specifies what attributes from the 
> principal will be released at all. 
>
> Thanks, 
> Carl Waldbieser 
> ITS Identity Management 
> Lafayette College 
>
> - Original Message - 
> From: "Bill Scully" > 
> To: "cas-user" > 
> Sent: Friday, 31 August, 2018 15:00:09 
> Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application 
>
> Hi, 
>
> I'm having a hard time getting my head around where to start configuring 
> CAS to provide LDAP attributes to the "RegisteredService" / application 
> after authentication.  I'm assuming there are 2 areas that I need to 
> configure, cas.properties and service JSON files, but navigating the 
> documentation to find what I need has been beyond me up to this point. 
>
> Can someone kindly point me to the right areas 
> of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I 
> can 
> figure out how to retrieve certain attributes from LDAP and share those 
> selected values with the application?  I hope I'm using "application" 
> properly. 
>
> Thanks, 
>
> Bill 
>
>  
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/75e63571-f1e0-40c6-99c4-35784432e1dc%40apereo.org.



Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Carl Waldbieser
Bill,

In `cas.properties`, in your LDAP section, you want a property like this:


cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf

That says that the principal that is authenticated should get the above list of 
LDAP attributes.  For the ones that have 2 items separated by a colon, that is 
just a rename from the LDAP attribute to the name that will be exposed via CAS.

In your service file for an individual service, you specify what attributes 
from the above list you want to release.  The following sections from a service 
file are an example:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "attributeFilter" : {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "patterns": {
        "@class" : "java.util.HashMap",
        "memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
      },
      "excludeUnmappedAttributes": false,
      "completeMatch": false,
      "order": 0
    },
    "allowedAttributes" : [ "java.util.ArrayList",
      [
        "uid",
        "memberOf",
        "email",
        "givenName",
        "surname"
      ]
    ]
  },

The "attributeReleasePolicy" is used to filter the "memberOf" attribute down to 
a specific value (because the attribute is multi-valued, and you usually want 
to release only one or a few of the values to a service).  The 
"allowedAttributes" section specifies what attributes from the principal will 
be released at all.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

- Original Message -
From: "Bill Scully" 
To: "cas-user" 
Sent: Friday, 31 August, 2018 15:00:09
Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

Hi,

I'm having a hard time getting my head around where to start configuring 
CAS to provide LDAP attributes to the "RegisteredService" / application 
after authentication.  I'm assuming there are 2 areas that I need to 
configure, cas.properties and service JSON files, but navigating the 
documentation to find what I need has been beyond me up to this point.

Can someone kindly point me to the right areas 
of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can 
figure out how to retrieve certain attributes from LDAP and share those 
selected values with the application?  I hope I'm using "application" 
properly.

Thanks,

Bill


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1473853490.82791165.1535742993465.JavaMail.zimbra%40lafayette.edu.
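As an added example (not code from the thread or from the CAS project), here is a small Python simulation of how the two settings in Carl's reply combine: principalAttributeList copies and renames LDAP attributes onto the principal, allowedAttributes picks which of those a service may see, and the mapped regex filter narrows the multi-valued memberOf. The LDAP entry is constructed sample data and the release logic is a simplified model of the policy described above, not CAS's own implementation.

```python
import re

# The property from the reply, copied as-is: "ldapName:casName" renames on the way in.
PRINCIPAL_ATTRIBUTE_LIST = "uid,givenName,sn:surname,mail:email,memberOf"

# The two parts of the service's attributeReleasePolicy from the reply.
ALLOWED_ATTRIBUTES = ["uid", "memberOf", "email", "givenName", "surname"]
PATTERNS = {"memberOf": "cn=administrators,ou=groups,dc=example,dc=org"}

# Constructed sample LDAP entry (not real data). The extra group and the
# password hash are there to show that neither reaches the service.
SAMPLE_LDAP_ENTRY = {
    "uid": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mail": ["jdoe@example.org"],
    "memberOf": [
        "cn=administrators,ou=groups,dc=example,dc=org",
        "cn=staff,ou=groups,dc=example,dc=org",
    ],
    "userPassword": ["{SSHA}constructed-placeholder"],
}


def parse_principal_attribute_list(spec):
    """'ldapName:casName' renames the attribute; a bare name keeps its name."""
    mapping = {}
    for item in spec.split(","):
        item = item.strip()
        if item:
            ldap_name, _, cas_name = item.partition(":")
            mapping[ldap_name] = cas_name or ldap_name
    return mapping


def resolve_principal(ldap_entry, spec):
    """Copy only the listed LDAP attributes onto the principal, renaming as configured.
    Anything not in the list (here: userPassword) never becomes a principal attribute."""
    principal = {}
    for ldap_name, cas_name in parse_principal_attribute_list(spec).items():
        if ldap_name in ldap_entry:
            principal[cas_name] = list(ldap_entry[ldap_name])
    return principal


def mapped_regex_filter(attributes, patterns, exclude_unmapped=False, complete_match=False):
    """Model of RegisteredServiceMappedRegexAttributeFilter (assumed semantics):
    for each attribute named in `patterns`, keep only the values matching its
    regex (whole value when completeMatch is true, otherwise a substring match);
    attributes without a pattern pass through unless excludeUnmappedAttributes."""
    kept = {}
    for name, values in attributes.items():
        if name not in patterns:
            if not exclude_unmapped:
                kept[name] = list(values)
            continue
        regex = re.compile(patterns[name])
        match = regex.fullmatch if complete_match else regex.search
        matching = [v for v in values if match(v)]
        if matching:  # an attribute with no surviving value is dropped entirely
            kept[name] = matching
    return kept


def release(ldap_entry, spec, allowed, patterns):
    """Simplified ReturnAllowedAttributeReleasePolicy: keep only the
    allowedAttributes, then apply the attributeFilter to what is left."""
    principal = resolve_principal(ldap_entry, spec)
    allowed_only = {name: values for name, values in principal.items() if name in allowed}
    return mapped_regex_filter(allowed_only, patterns)


if __name__ == "__main__":
    released = release(SAMPLE_LDAP_ENTRY, PRINCIPAL_ATTRIBUTE_LIST, ALLOWED_ATTRIBUTES, PATTERNS)
    for name, values in released.items():
        print(f"{name}: {values}")
```

Running it shows the service receives uid, givenName, surname, email and a single-valued memberOf; the staff group membership, the raw sn/mail names and the password hash are all absent.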


Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Ray Bon
Bill,

Service config:
https://apereo.github.io/cas/5.2.x/integration/Attribute-Release-Policies.html

CAS config:
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#passivators

in particular, cas.authn.ldap[0].principalAttributeList

Ray

On Fri, 2018-08-31 at 12:00 -0700, Bill Scully wrote:
Hi,

I'm having a hard time getting my head around where to start configuring CAS to 
provide LDAP attributes to the "RegisteredService" / application after 
authentication.  I'm assuming there are 2 areas that I need to configure, 
cas.properties and service JSON files, but navigating the documentation to find 
what I need has been beyond me up to this point.

Can someone kindly point me to the right areas of 
https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can figure 
out how to retrieve certain attributes from LDAP and share those selected 
values with the application?  I hope I'm using "application" properly.

Thanks,

Bill

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1535742584.2864.46.camel%40uvic.ca.


[cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Bill Scully
Hi,

I'm having a hard time getting my head around where to start configuring 
CAS to provide LDAP attributes to the "RegisteredService" / application 
after authentication.  I'm assuming there are 2 areas that I need to 
configure, cas.properties and service JSON files, but navigating the 
documentation to find what I need has been beyond me up to this point.

Can someone kindly point me to the right areas 
of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can 
figure out how to retrieve certain attributes from LDAP and share those 
selected values with the application?  I hope I'm using "application" 
properly.

Thanks,

Bill

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ac28e9bc-9bdf-4d1d-9d59-d99ad23d2dc9%40apereo.org.


Re: [cas-user] Re: Service Registry -- Getting the 1st Application Entered

2018-08-31 Thread Francois Campbell
Can you set your LDAP logger to debug level
in /etc/cas/config/log4j2.xml, around line 93?
e.g. 

Restart and test; you should see a great deal more information.

Regards
*Francois Campbell*
Teaching and Learning Product Lead






On Fri, 31 Aug 2018 at 17:26, abdellhak tlili wrote:

> that does not solve the problem!!
>
>
> On Friday, 31 August 2018 at 16:11:09 UTC+2, Francois Campbell wrote:
>>
>> Not sure if it is just a typo, but your example repeats the ldap protocol twice.
>> cas.authn.ldap[0].ldapUrl=*ldap:ldap*://localhost:10389/dc=XXX,dc=com
>>
>> You may also require cas.authn.ldap[0].bindDn
>> e.g.
>> cas.authn.ldap[0].bindDn: CN=ADMIN_USERNAME,cn=Users,dc=XXX,dc=com
>>
>> 
>> Regards
>> *Francois Campbell*
>> Teaching and Learning Product Lead
>>
>>
>>
>>
>>
>>
>> On Fri, 31 Aug 2018 at 16:02, abdellhak tlili wrote:
>>
>>> Hi All,
>>> I'm trying to configure CAS 5.1.9 with LDAP authentication. I have added the
>>> ldap support dependency in pom.xml and also added the ldap configuration to
>>> cas.properties, and when I try to connect to LDAP I have these 2 messages in
>>> cas.log
>>>
>>> *cas.properties:*
>>>  cas.authn.ldap[0].principalAttributeList=sn,cn:admin
>>>  cas.authn.ldap[0].collectDnAttribute=false
>>>  cas.authn.ldap[0].principalDnAttributeName=dc=XXX,dc=com
>>>  cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>>  cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
>>>  cas.authn.ldap[0].credentialCriteria=
>>>
>>>  
>>> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>>>
>>> #
>>> # Authentication
>>> #
>>> cas.authn.accept.users=
>>> cas.authn.ldap[0].type=AD
>>> cas.authn.ldap[0].ldapUrl=ldap:ldap://localhost:10389/dc=XXX,dc=com
>>> cas.authn.ldap[0].useSsl=false
>>> cas.authn.ldap[0].baseDn=ou=Users,dc=XXX,dc=com
>>> cas.authn.ldap[0].userFilter=uid={user}
>>> cas.authn.ldap[0].bindCredential=userPassword
>>>
>>>
>>>
>>> *cas.log*
>>> 1- /***/
>>> N [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>>> >> authentication handler that supports [admin@**.com] of type
>>> [UsernamePasswordCredential], which suggests a configuration problem.>
>>> 2018-08-31 14:51:28,279 INFO
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>> /**/
>>>
>>> 2-/**/
>>> 2018-08-31 14:51:28,285 ERROR
>>> [org.apereo.cas.web.flow.AuthenticationExceptionHandlerAction] - >> translate handler errors of the authentication exception
>>> [org.apereo.cas.authentication.AuthenticationException: 0 errors, 0
>>> successes]Returning [UNKNOWN]>
>>> /***/
>>>
>>>
>>>
>>> *please HELP HELP*
>>>
>>>
>>>
>>
>>
>

-- 


See OpenCollab email disclaimer at 
http://www.opencollab.co.za/email-disclaimer 


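As an added check (not code from the thread or from CAS), here is a small Python lint that parses a cas.properties fragment and flags the two problems pointed out in the reply above: a doubled URL scheme in cas.authn.ldap[0].ldapUrl and a bindCredential with no bindDn. The sample text is constructed from the quoted configuration; the rules are assumptions about a minimally complete bind-authentication block, not CAS's own validation.

```python
import re

# Constructed from the cas.properties lines quoted in this thread. It carries
# the doubled "ldap:ldap://" scheme and has no bindDn.
SAMPLE_PROPERTIES = """\
cas.authn.accept.users=
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap:ldap://localhost:10389/dc=XXX,dc=com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=XXX,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindCredential=userPassword
"""

# The same block with the two corrections suggested in the reply applied.
FIXED_PROPERTIES = SAMPLE_PROPERTIES.replace("ldap:ldap://", "ldap://") + (
    "cas.authn.ldap[0].bindDn=CN=ADMIN_USERNAME,cn=Users,dc=XXX,dc=com\n"
)

LDAP_KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(\w+)$")
PROPERTY = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")   # key=value or key: value
LDAP_URL = re.compile(r"^ldaps?://[^/\s]+")            # one scheme, then host[:port]


def parse_properties(text):
    """Minimal Java .properties reader: '#' and '!' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            m = PROPERTY.match(line)
            if m:
                props[m.group(1)] = m.group(2)
    return props


def ldap_blocks(props):
    """Group cas.authn.ldap[N].<setting> keys by N."""
    blocks = {}
    for key, value in props.items():
        m = LDAP_KEY.match(key)
        if m:
            blocks.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return blocks


def lint_block(index, block):
    """Assumed minimum for a usable bind-authentication block (not a CAS validator)."""
    findings = []
    url = block.get("ldapUrl", "")
    # A valid URL starts with exactly one ldap:// or ldaps:// scheme.
    if not LDAP_URL.match(url) or url.count("://") != 1:
        findings.append(
            f"ldap[{index}].ldapUrl: expected exactly one ldap:// or ldaps:// scheme, got '{url}'")
    # A bind password without a bind DN cannot authenticate the search bind.
    if block.get("bindCredential") and not block.get("bindDn"):
        findings.append(f"ldap[{index}]: bindCredential is set but bindDn is missing")
    for key in ("baseDn", "userFilter"):
        if not block.get(key):
            findings.append(f"ldap[{index}].{key}: missing")
    return findings


def lint(text):
    """All findings for every cas.authn.ldap[N] block in a properties file."""
    findings = []
    for index, block in sorted(ldap_blocks(parse_properties(text)).items()):
        findings.extend(lint_block(index, block))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_PROPERTIES), ("corrected", FIXED_PROPERTIES)):
        print(label, lint(text) or ["no findings"])
```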

[cas-user] problem with cas 5.1 + ldap configuration

2018-08-31 Thread abdellhak tlili
Hi all, 
I'm trying to configure CAS (5.1.9) + LDAP authentication (using Apache 
Directory). 
I have modified the pom.xml file and also the cas.properties file; 
after deploying cas.war to the Tomcat server, I have these messages in the 
cas.log file 


*cas.log :*
WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
2018-08-31 16:34:04,220 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

*pom.xml:*
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp${app.server}</artifactId>
    <version>${cas.version}</version>
    <type>war</type>
    <scope>runtime</scope>
</dependency>

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>



*cas.properties:*

server.name=https://localhost:8443
server.prefix=${server.name}/cas
cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
# IP address or CIDR subnet allowed to access the /status URI of CAS that 
exposes health check information
# IPv6 version
cas.securityContext.status.allowedSubnet=0:0:0:0:0:0:0:1

# IPv4 version
#cas.securityContext.status.allowedSubnet=127.0.0.1


cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views

host.name=cas.example.org

## Log4J 
log4j.config.location=log4j2.xml
log4j.refresh.interval=6

#database.hibernate.dialect=org.hibernate.dialect.HSQLDialect

##
# Single Sign-On Session Timeouts
# Defaults sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Maximum session timeout - TGT will expire in maxTimeToLiveInSeconds 
regardless of usage
tgt.maxTimeToLiveInSeconds=28800

#
# Idle session timeout -  TGT will expire sooner than maxTimeToLiveInSeconds if 
no further requests
# for STs occur within timeToKillInSeconds
tgt.timeToKillInSeconds=7200

##
# Service Ticket Timeout
# Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Service Ticket timeout - typically kept short as a control against replay 
attacks, default is 10s.  You'll want to
# increase this timeout if you are manually testing service ticket 
creation/validation via tamperdata or similar tools

# Set to 3 min here for easy testing/demonstrating new features.
st.timeToKillInSeconds=10
#==
# Define attributes to be retrieved from LDAP as part of the same 
authentication transaction
# The left-hand size notes the source while the right-hand size indicate an 
optional renaming/remapping
# of the attribute definition. The same attribute name is allowed to be mapped 
multiple times to
# different attribute names.
#==
cas.authn.ldap[0].principalAttributeList=sn,cn:admin
cas.authn.ldap[0].collectDnAttribute=false
cas.authn.ldap[0].principalDnAttributeName=dc=,dc=com
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
cas.authn.ldap[0].credentialCriteria=
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

#
# Authentication
#
cas.authn.accept.users=
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://localhost:10389/dc=,dc=com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=cn=admin,ou=Users,dc=,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindCredential=userPassword


*and this ldap : *





To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c2ed74dc-c55e-48ba-84cd-916435324ae8%40apereo.org.


Re: [cas-user] Re: Service Registry -- Getting the 1st Application Entered

2018-08-31 Thread abdellhak tlili
that does not solve the problem!!


On Friday, 31 August 2018 at 16:11:09 UTC+2, Francois Campbell wrote:
>
> Not sure if it is just a typo, but your example repeats the ldap protocol twice.
> cas.authn.ldap[0].ldapUrl=*ldap:ldap*://localhost:10389/dc=XXX,dc=com
>
> You may also require cas.authn.ldap[0].bindDn
> e.g. 
> cas.authn.ldap[0].bindDn: CN=ADMIN_USERNAME,cn=Users,dc=XXX,dc=com
>
> 
> Regards
> *Francois Campbell*
> Teaching and Learning Product Lead
>
>
>
>
>
>
> On Fri, 31 Aug 2018 at 16:02, abdellhak tlili wrote:
>
>> Hi All, 
>> I'm trying to configure CAS 5.1.9 with LDAP authentication. I have added the 
>> ldap support dependency in pom.xml and also added the ldap configuration to 
>> cas.properties, and when I try to connect to LDAP I have these 2 messages in 
>> cas.log 
>>
>> *cas.properties:*
>>  cas.authn.ldap[0].principalAttributeList=sn,cn:admin
>>  cas.authn.ldap[0].collectDnAttribute=false
>>  cas.authn.ldap[0].principalDnAttributeName=dc=XXX,dc=com
>>  cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>  cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
>>  cas.authn.ldap[0].credentialCriteria=
>>
>>  
>> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>>
>> #
>> # Authentication
>> #
>> cas.authn.accept.users=
>> cas.authn.ldap[0].type=AD
>> cas.authn.ldap[0].ldapUrl=ldap:ldap://localhost:10389/dc=XXX,dc=com
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].baseDn=ou=Users,dc=XXX,dc=com
>> cas.authn.ldap[0].userFilter=uid={user}
>> cas.authn.ldap[0].bindCredential=userPassword
>>
>>
>>
>> *cas.log*
>> 1- /***/
>> N [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>> > authentication handler that supports [admin@**.com] of type 
>> [UsernamePasswordCredential], which suggests a configuration problem.>
>> 2018-08-31 14:51:28,279 INFO 
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - > trail record BEGIN
>> /**/
>>
>> 2-/**/ 
>> 2018-08-31 14:51:28,285 ERROR 
>> [org.apereo.cas.web.flow.AuthenticationExceptionHandlerAction] - > translate handler errors of the authentication exception 
>> [org.apereo.cas.authentication.AuthenticationException: 0 errors, 0 
>> successes]Returning [UNKNOWN]>
>> /***/
>>
>>
>>
>> *please HELP HELP* 
>>
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org .
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/8baed680-b5ec-405a-8f13-b2b3054e7a88%40apereo.org
>>  
>> 
>> .
>>
>
>
> --
> See OpenCollab email disclaimer at 
> http://www.opencollab.co.za/email-disclaimer



[cas-user] Re: PGT release in validation response

2018-08-31 Thread Sean Carr
I think you still need to have a valid PGT Callback URL which is a bit 
strange as you don't need to use it to retrieve the PGT.

I got it working as follows:
curl -X GET -k 
"https://cas-server:8443/cas/p3/serviceValidate?ticket=ST-***&service=https://*&pgtUrl=https://*:4443"

If the CAS Server is able to communicate to the pgtUrl, it will send the 
PGT and PGTIOU to this URL as normal, but it will also return the PGT in 
the XML response to the above request.

Sean


On Monday, August 6, 2018 at 5:57:52 PM UTC+1, Dirk Tepe wrote:
>
> I am interested in developing a proof-of-concept based on the "PGT in 
> Validation Response" feature documented here:
>
>
> https://apereo.github.io/cas/5.3.x/installation/Configuring-Proxy-Authentication.html#pgt-in-validation-response
>
> We are running CAS 5.3.2 and have successfully used public/private keys in 
> services for ClearPass, so we believe we understand the expected operation. 
>
> I have successfully had a release of the PGTiou to a service using the 
> traditional PGTurl feature, so I believe the basic proxy authorization is 
> also functional for the service.
>
> I am trying to address a situation "such that invoking a callback url to 
> receive the proxy granting ticket is not feasible, CAS may be configured to 
> return the proxy-granting ticket id directly in the validation response". I 
> am unclear how to trigger the release of the proxyGrantingTicketId in the 
> validation response, though. The documentation only describes the need to 
> set up the public key and ensure authorizedToReleaseProxyGrantingTicket is 
> true for the service. There is no mention of how to elicit the release in 
> the validation response rather than expecting the PGTurl.
>
> I had hoped the presence of authorizedToReleaseProxyGrantingTicket would 
> trigger that behavior, but that does not appear to be the case. I have been 
> unable to find any solution after hours of searching and testing.
>
> Any suggestions or clarification of the expected behavior would be welcome.
>
> Dirk Tepe
> Miami University
>
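The exchange Sean describes, as an added example that is not part of the thread or of CAS itself: building the p3/serviceValidate request with the ticket, service and pgtUrl parameters, then parsing the success and failure responses. The XML documents are constructed, the ticket and PGT values are placeholders, and the attribute name `proxyGrantingTicket` used to carry the directly released (public-key-encrypted) PGT is an assumption.

```python
"""CAS 3.0 /p3/serviceValidate client helpers.

Added example; not Sean's code and not from the CAS project. The response
documents are constructed and every ticket value is a placeholder.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}


def build_validate_url(cas_base, ticket, service, pgt_url=None):
    """Build the p3/serviceValidate URL; passing pgtUrl is what makes CAS issue a PGT.
    urlencode takes care of the '&' and '=' that a hand-typed curl line must escape."""
    params = {"ticket": ticket, "service": service}
    if pgt_url:
        params["pgtUrl"] = pgt_url
    return f"{cas_base.rstrip('/')}/p3/serviceValidate?{urlencode(params)}"


class ValidationFailure(Exception):
    """Raised for a cas:authenticationFailure (or a malformed) response."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def parse_validation_response(xml_text, pgt_attribute="proxyGrantingTicket"):
    """Return user, attributes, PGTIOU and any directly released PGT, or raise.

    pgt_attribute is an assumed attribute name; confirm it against your CAS version.
    For untrusted input in production parse with defusedxml rather than ElementTree."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise ValidationFailure(failure.get("code", "UNKNOWN"), (failure.text or "").strip())
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValidationFailure("MALFORMED", "neither success nor failure element present")

    attributes = {}
    for el in success.findall("cas:attributes/*", NS):
        name = el.tag.split("}", 1)[1] if el.tag.startswith("{") else el.tag
        attributes.setdefault(name, []).append((el.text or "").strip())

    pgt_iou = success.findtext("cas:proxyGrantingTicket", default=None, namespaces=NS)
    return {
        "user": success.findtext("cas:user", default="", namespaces=NS).strip(),
        "attributes": attributes,
        # PGTIOU: opaque handle to be matched against the PGT that CAS posts to pgtUrl
        "pgt_iou": pgt_iou.strip() if pgt_iou else None,
        # PGT released in the response itself: CAS encrypts it with the service's
        # registered public key, so it must be decrypted with the private key before use
        "pgt": attributes.get(pgt_attribute, [None])[0],
    }


# Constructed sample responses (placeholders, not real tickets).
SUCCESS_XML = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:proxyGrantingTicket>BASE64-ENCRYPTED-PGT-PLACEHOLDER</cas:proxyGrantingTicket>
    </cas:attributes>
    <cas:proxyGrantingTicket>PGTIOU-PLACEHOLDER</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-PLACEHOLDER not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(build_validate_url("https://cas-server:8443/cas", "ST-PLACEHOLDER",
                             "https://app.example.edu/", "https://app.example.edu:4443/pgtCallback"))
    print(parse_validation_response(SUCCESS_XML))
    try:
        parse_validation_response(FAILURE_XML)
    except ValidationFailure as exc:
        print("validation failed:", exc)
```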



[cas-user] CAS 5.3.3 /cas does not redirect to /cas/login

2018-08-31 Thread Yan Zhou
Hello,

With previous CAS 4.x and 5.2.x, going to /cas would redirect to /cas/login 
automatically. That is quite nice. 

But with 5.3.3 this is no longer happening; it comes up with an "Access 
Denied" page and provides a link to /cas/login. 

How do I configure the auto-redirect?

Thx!
Yan



[cas-user] CAS5 error out on: server.connection-timeout=PT20S

2018-08-31 Thread Yan Zhou
Hello!

I am using the CAS 5.3.3 overlay, but got this error from application.properties.

It has: server.connection-timeout=PT20S. This is the default, but it gives this 
error. What did I miss?

Binding to target 
org.springframework.boot.autoconfigure.web.ServerProperties@109952a1 failed:

Property: server.connectionTimeout
Value: PT20S
Reason: Failed to convert property value of type 'java.lang.String' to 
required type 'java.lang.Integer' for property 'connectionTimeout'; nested 
exception is org.springframework.core.convert.ConverterNotFoundException: 
No converter found capable of converting from type [java.lang.String] to 
type [java.lang.Integer]

Thanks!
Yan



Re: [cas-user] Re: Service Registry -- Getting the 1st Application Entered

2018-08-31 Thread Francois Campbell
Not sure if it is just a typo, but your example repeats the ldap protocol twice.
cas.authn.ldap[0].ldapUrl=*ldap:ldap*://localhost:10389/dc=XXX,dc=com

You may also require cas.authn.ldap[0].bindDn
e.g.
cas.authn.ldap[0].bindDn: CN=ADMIN_USERNAME,cn=Users,dc=XXX,dc=com


Regards
*Francois Campbell*
Teaching and Learning Product Lead

On Fri, 31 Aug 2018 at 16:02, abdellhak tlili wrote:

> Hi All,
> I'm trying to configure CAS 5.1.9 with LDAP authentication. I have added the
> LDAP support dependency in pom.xml and also added the LDAP configuration into
> cas.properties, and when I try to connect to LDAP I get these 2 messages in
> cas.log
>
> *cas.properties:*
>  cas.authn.ldap[0].principalAttributeList=sn,cn:admin
>  cas.authn.ldap[0].collectDnAttribute=false
>  cas.authn.ldap[0].principalDnAttributeName=dc=XXX,dc=com
>  cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>  cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
>  cas.authn.ldap[0].credentialCriteria=
>
>  
> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>
> #
> # Authentication
> #
> cas.authn.accept.users=
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=ldap:ldap://localhost:10389/dc=XXX,dc=com
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].baseDn=ou=Users,dc=XXX,dc=com
> cas.authn.ldap[0].userFilter=uid={user}
> cas.authn.ldap[0].bindCredential=userPassword
>
>
>
> *cas.log*
> 1- /***/
> N [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>  authentication handler that supports [admin@**.com] of type
> [UsernamePasswordCredential], which suggests a configuration problem.>
> 2018-08-31 14:51:28,279 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> /**/
>
> 2-/**/
> 2018-08-31 14:51:28,285 ERROR
> [org.apereo.cas.web.flow.AuthenticationExceptionHandlerAction] -  translate handler errors of the authentication exception
> [org.apereo.cas.authentication.AuthenticationException: 0 errors, 0
> successes]Returning [UNKNOWN]>
> /***/
>
>
>
> *please HELP HELP*
>
>
>



[cas-user] Re: Service Registry -- Getting the 1st Application Entered

2018-08-31 Thread abdellhak tlili
Hi All,
I'm trying to configure CAS 5.1.9 with LDAP authentication. I have added the 
LDAP support dependency in pom.xml and also added the LDAP configuration into 
cas.properties, and when I try to connect to LDAP I get these 2 messages in 
cas.log 

*cas.properties:*
 cas.authn.ldap[0].principalAttributeList=sn,cn:admin
 cas.authn.ldap[0].collectDnAttribute=false
 cas.authn.ldap[0].principalDnAttributeName=dc=XXX,dc=com
 cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
 cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
 cas.authn.ldap[0].credentialCriteria=
 
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

#
# Authentication
#
cas.authn.accept.users=
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap:ldap://localhost:10389/dc=XXX,dc=com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=XXX,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindCredential=userPassword



*cas.log*
1- /***/
N [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
 authentication handler that supports [admin@**.com] of type 
[UsernamePasswordCredential], which suggests a configuration problem.>
2018-08-31 14:51:28,279 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
/**/

2-/**/ 
2018-08-31 14:51:28,285 ERROR 
[org.apereo.cas.web.flow.AuthenticationExceptionHandlerAction] -  translate handler errors of the authentication exception 
[org.apereo.cas.authentication.AuthenticationException: 0 errors, 0 
successes]Returning [UNKNOWN]>
/***/



*please HELP HELP* 




Re: [cas-user] Service Registry -- Getting the 1st Application Entered

2018-08-31 Thread Francois Campbell
Hi.

I believe only one of the two should be in the pom.xml file at a time.

Regards
*Francois Campbell*
Teaching and Learning Product Lead

On Fri, 31 Aug 2018 at 13:05, 党田力 wrote:

> I tested on versions 5.2.6 and 5.2.7.
> Only appending `cas-server-support-json-service-registry` to pom.xml, the
> 'cas.serviceRegistry.initFromJson=true' setting works.
> Only appending `cas-server-support-jpa-service-registry` to pom.xml, the
> database works.
> But when I append both of them, the services defined in JSON are not loaded.
>
> On version 5.1.9 it works.
>

Re: [cas-user] Service Registry -- Getting the 1st Application Entered

2018-08-31 Thread 党田力
I debugged JsonServiceRegistryConfiguration; the class is not loaded.
Then I changed the version of Spring from 1.5.12 to 1.5.15, and nothing changes.


Re: [cas-user] Service Registry -- Getting the 1st Application Entered

2018-08-31 Thread 党田力
I tested on versions 5.2.6 and 5.2.7.
Only appending `cas-server-support-json-service-registry` to pom.xml, the 
'cas.serviceRegistry.initFromJson=true' setting works.
Only appending `cas-server-support-jpa-service-registry` to pom.xml, the 
database works.
But when I append both of them, the services defined in JSON are not loaded.

On version 5.1.9 it works.


On Tuesday, 15 May 2018 at 8:15:55 PM UTC+8, David Curry wrote:
>
> Lionel and Jann,
>
> Did you ever have the JSON service registry working? If not, I recommend 
> that you take all the JPA stuff out of pom.xml and cas.properties and get 
> that working correctly first, so that you're only trying to debug one thing 
> at a time. Once you have the JSON service registry working correctly, for 
> both the main server and the management webapp, then it's time to move 
> things to JPA.
>
> The basic steps for moving to JPA *should* be this:
>
> 1. REMOVE the "cas-server-support-json-service-registry" dependency from 
> pom.xml (server and management webapp)
>
> 2. Add the "cas-server-support-jpa-service-registry" dependency and 
> whatever other dependencies go with it to pom.xml (server and management 
> webapp)
>
> 3. Rebuild the server and management webapp
>
> 4. In the server's cas.properties file, include BOTH of these lines:
>
> cas.serviceRegistry.json.location: file:/etc/cas/services
> cas.serviceRegistry.initFromJson:  true
>
>
> The first line should already be there (since before you start these steps 
> you're using the JSON service registry), but you must add the second line.
>
> 5. Add all the lines you need to configure the JPA service registry to the 
> server's cas.properties file.
>
> 6. Start the CAS server (do not start the management webapp). You should 
> see it load the services from the JSON files (again, this should already be 
> working before you start) and then it will magically save them into the JPA 
> registry.
>
> 7. Shut the server down.
>
> 8. Check the database to see that the services actually got loaded there. 
> If not, this is where you need to start debugging. And the first step of 
> that would be setting the log level to "debug" in log4j2.xml, and adding 
> whatever Logger configuration you need to make the Oracle JDBC library log 
> for you as well.
>
> Once you've got the services loaded into the database
>
> 9. Remove the "cas.serviceRegistry.json.location" and 
> "cas.serviceRegistry.initFromJson" properties from the server's 
> cas.properties file.
>
> 10. Remove the "cas.serviceRegistry.json.location" property from, and add 
> all the JPA properties to, the management webapp's management.properties 
> file.
>
> At least, that's the procedure I followed to get the MongoDB service 
> registry working (see 
> https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_service-registry_overview.html).
>  
> I've not used the JPA stuff at all, so no guarantees, but I don't see why 
> it should be any different.
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
> [image: The New School]
>
> On Tue, May 15, 2018 at 12:14 AM, Lionel Samuel wrote:
>
>> Changing in "cas.properties"  
>> 'cas.serviceRegistry.json.location:file:/etc/cas/services' to 
>> 'cas.serviceRegistry.json.location:foobar:/etc/cas/services'
>>
>> The above does not generate an error message --- is that a sign it's not 
>> loaded?
>>
>>
>> On Monday, May 14, 2018 at 8:25:37 PM UTC-7, Lionel Samuel wrote:
>>>
>>> I'm working with Jann -- attached is our pom file (we call the jar 
>>> my-cas -- which is reflected in the URLs).
>>>
>>> It does not look like the JSON file is loaded -- I don't think it's pom 
>>> related --- but at the moment we are both stumped so anything goes.
>>>
>>> 2018-05-14 20:23:17,715 WARN 
>>> [org.apereo.cas.services.web.ServiceThemeResolver] - service is found to match 
>>> [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@330c1ecf[id=
>>> http://localhost:8080/cas-management/manage.html,originalUrl=http://localhost:8080/cas-management/manage.html,artifactId=,principal=,loggedOutAlready=false,format=XML]]
>>> or service access is disallowed. Using default theme [cas-theme-default]>
>>>
>>> On Monday, May 14, 2018 at 5:42:35 PM UTC-7, Jann Malenkoff wrote:


 Attached is my 'cas.properties' file ---  in case I may be missing 
 something there (very likely)


 On Monday, May 14, 2018 at 5:09:12 PM UTC-7, Jann Malenkoff wrote:
>
> I had a minor Eureka moment --- but it came to fraught (partially).
>
> I had a typo in the 'cas.properties' file: 
> cas.serviceRegistry.json.location:file:/etc/cas/service
>
> i.e., 'service' instead of 'services' --- corrected now (validated that 
> the json files are in '/etc/cas/services').
>
> But still no-go...any ideas will be matched by the maximum Karma 
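A checker for the two misconfigurations discussed in these threads: the doubled `ldap:ldap://` scheme and missing bindDn that Francois points out in the LDAP thread, and the JSON-plus-JPA service-registry conflict that 党田力 and Francois describe here. This is an added example, not code from the posts or from the CAS project; the sample cas.properties and pom.xml are constructed, and the cleartext-bind check is an extra point not raised in the thread.

```python
"""Lint a CAS overlay's cas.properties and pom.xml for the problems in these threads.

Added example, not part of the mailing-list posts or of the CAS project. The
property and artifact names are the ones quoted in the threads; the sample
inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
JSON_REGISTRY = "cas-server-support-json-service-registry"
JPA_REGISTRY = "cas-server-support-jpa-service-registry"


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_ldap(props, index=0):
    """Findings for the cas.authn.ldap[N].* block."""
    p = f"cas.authn.ldap[{index}]."
    findings = []
    url = props.get(p + "ldapUrl", "")
    if url and not re.match(r"^ldaps?://[^/\s]+", url):
        # catches the doubled scheme 'ldap:ldap://host' from the thread
        findings.append(f"{p}ldapUrl must start with ldap:// or ldaps://, got {url!r}")
    elif url.startswith("ldap://"):
        ssl = props.get(p + "useSsl", "false").lower() == "true"
        starttls = props.get(p + "useStartTls", "false").lower() == "true"
        if not (ssl or starttls):
            findings.append(f"{p}ldapUrl is plain ldap:// without SSL/StartTLS: "
                            "bind passwords cross the wire in cleartext")
    if props.get(p + "bindCredential") and not props.get(p + "bindDn"):
        findings.append(f"{p}bindCredential is set but {p}bindDn is missing; "
                        "an authenticated bind needs both")
    return findings


def check_service_registry(pom_xml, props):
    """Findings for the JSON/JPA service-registry setup."""
    root = ET.fromstring(pom_xml)
    artifacts = {a.text.strip() for a in root.findall(".//m:dependency/m:artifactId", POM_NS) if a.text}
    findings = []
    if JSON_REGISTRY in artifacts and JPA_REGISTRY in artifacts:
        findings.append("pom.xml lists both the JSON and the JPA service-registry modules; "
                        "keep only one per build")
    init = props.get("cas.serviceRegistry.initFromJson", "false").lower() == "true"
    location = props.get("cas.serviceRegistry.json.location", "")
    if init and not location:
        findings.append("cas.serviceRegistry.initFromJson=true but "
                        "cas.serviceRegistry.json.location is not set")
    if location and not re.match(r"^(file|classpath):", location):
        # the 'foobar:/etc/cas/services' variant in the thread produced no error message
        findings.append(f"cas.serviceRegistry.json.location has an unknown scheme: {location!r}")
    return findings


# Constructed samples mirroring the threads' cas.properties and pom.xml.
SAMPLE_PROPERTIES = """\
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap:ldap://localhost:10389/dc=XXX,dc=com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=XXX,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindCredential=userPassword
cas.serviceRegistry.json.location: file:/etc/cas/services
cas.serviceRegistry.initFromJson:  true
"""

SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-json-service-registry</artifactId></dependency>
    <dependency><groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-jpa-service-registry</artifactId></dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_ldap(props) + check_service_registry(SAMPLE_POM, props):
        print("-", finding)
```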

[cas-user] CAS 5.1.X + LDAP issues

2018-08-31 Thread abdellhak tlili
I'm working now on a project in which I must configure CAS (5.1.9) based on LDAP 
(Apache Directory) authentication; after deploying the CAS war I have 
this message in the log 




[cas-user] Re: AUP and X509 authentication

2018-08-31 Thread Andy Ng
Hi Curtis,

Please disregard my answer, I was thinking AUP is an authentication method 
and it is not, oops. Maybe others can help instead. 

- Andy 




[cas-user] Re: AUP and X509 authentication

2018-08-31 Thread Andy Ng
Hi Curtis,

I didn't use either AUP or X509 as my authentication webflow myself, so I 
won't comment on whether either of the authentications has bugs or not.

However, it seems like you might have set the *CAS* *authentication policy* 
to *Any* (see 
https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#authentication-policy). 
Any is the default authentication policy in CAS, so you might not even 
realize you have set it to that.

I think you might want to set *CAS* *authentication policy* to *All* (put 
"*cas.authn.policy.all.enabled=true*" into your cas.properties if you are 
using CAS 5.3.x).

Read this 
(https://apereo.github.io/cas/5.3.x/installation/Configuring-Authentication-Components.html#authentication-policy) 
or see the (highly simplified) graph below for the difference in CAS 
authentication policy All vs Any

[image: temp.png] 

I am using LDAP and Database as an example, but for your case it should be AUP 
& X509. As you can see, setting the CAS authentication policy to All seems to match 
your requirement.

See if the above helps you!

Cheers!
-Andy


On Wednesday, 29 August 2018 21:11:44 UTC+8, Curtis Ruck wrote:
>
> I'm trying to configure the aup-webflow and x509-webflow.  It seems that 
> when a user logs in with username/password they hit the aup-webflow, but 
> when a user logs in with x509 it skips the AUP flow.
>
> I don't understand spring webflow, and have no clue what i'm looking for 
> or at, but it seems that either the x509 webflow completely skips aup, or 
> the aup webflow is somehow transitioning past the aup view.
>
> I'm not using an AUP persistence (intentionally), so the AUP already 
> accepted is only kept in memory.
>
