[cas-user] Re: Can I get an ID-Token using Rest Api?

2018-09-03 Thread vivekanand yaram
In your URL, use the URL param response_type as below:

*response_type=id_token%20token*

On Friday, August 10, 2018 at 7:49:16 PM UTC+5:30, Ryan C wrote:
>
> I'm interested in this as well. I was trying to use the OAuth password 
> grant (access token/token endpoint) but that returns an access 
> token/refresh token. I can't figure out how to get an id token returned 
> instead.
>
>
> On Monday, July 30, 2018 at 9:09:09 PM UTC-4, SangHyun Kim wrote:
>>
>> Hi. I use CAS 5.3.1.
>>
>> I need to get an ID token in OpenID Connect with the REST API?
>>
>> Is it possible???
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0dd01673-2059-4e29-beb0-7e19453dbaa3%40apereo.org.


[cas-user] Rules in CAS log-in flow .

2018-09-03 Thread vivekanand yaram
Hello All,

We are planning to use CAS in our application, but we have a requirement: after a successful user login, we should be able to display terms and conditions before redirecting to the client URI. Is this supported in CAS?


More details about the flow :

1. Our project is micro-service based and would be serving requests from multiple applications (client applications).
2. CAS will be the middle layer between our application and the client applications.
3. Once the user has logged in from the client application, after a successful login we should display the terms and conditions page on a first-time login.
4. If the user accepts the T&C, then redirect to the client application with the tokens; if the user declines the T&C, redirect to the CAS login page with a login-failed message.


Please suggest whether this is supported by CAS or not .


Regards,
Vivekanand. 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/094d5033-93c2-4c70-accc-00f49943fe3f%40apereo.org.


Re: [cas-user] Service Registry -- Getting the 1st Application Entered

2018-09-03 Thread abdellhak tlili
Please can you share with me your LDAP configuration, exactly the modifications to the "cas.properties" file? Have you modified some classes in the overlay?
Thanks a lot.

On Monday, September 3, 2018 at 03:21:33 UTC+2, 党田力 wrote:
>
> But 5.1.9 works.
> Why?
>
> On Friday, August 31, 2018 at 9:46:17 PM UTC+8, Francois Campbell wrote:
>>
>> Hi.
>>
>> I believe only one of the two should be in the pom.xml file at a time.
>> 
>> Regards
>> *Francois Campbell*
>> Teaching and Learning Product Lead
>>
>> On Fri, 31 Aug 2018 at 13:05, 党田力  wrote:
>>
>>> I had tested on the 5.2.6 and 5.2.7 versions.
>>> Only appending `cas-server-support-json-service-registry` to pom.xml, the
>>> 'cas.serviceRegistry.initFromJson=true' works.
>>> Only appending `cas-server-support-jpa-service-registry` to pom.xml, the
>>> database works.
>>> But when I append both of them, the services defined in JSON are not loaded.
>>>
>>> On version 5.1.9 it works.
>>>
>>>
>>> On Tuesday, May 15, 2018 at 8:15:55 PM UTC+8, David Curry wrote:

 Lionel and Jann,

 Did you ever have the JSON service registry working? If not, I 
 recommend that you take all the JPA stuff out of pom.xml and 
 cas.properties 
 and get that working correctly first, so that you're only trying to debug 
 one thing at a time. Once you have the JSON service registry working 
 correctly, for both the main server and the management webapp, then it's 
 time to move things to JPA.

 The basic steps for moving to JPA *should* be this:

 1. REMOVE the "cas-server-support-json-service-registry" dependency 
 from pom.xml (server and management webapp)

 2. Add the "cas-server-support-jpa-service-registry" dependency and 
 whatever other dependencies go with it to pom.xml (server and management 
 webapp)

 3. Rebuild the server and management webapp

 4. In the server's cas.properties file, include BOTH of these lines:

 cas.serviceRegistry.json.location: file:/etc/cas/services
 cas.serviceRegistry.initFromJson:  true


 The first line should already be there (since before you start these 
 steps you're using the JSON service registry), but you must add the second 
 line.

 5. Add all the lines you need to configure the JPA service registry to 
 the server's cas.properties file.

 6. Start the CAS server (do not start the management webapp). You 
 should see it load the services from the JSON files (again, this should 
 already be working before you start) and then it will magically save them 
 into the JPA registry.

 7. Shut the server down.

 8. Check the database to see that the services actually got loaded 
 there. If not, this is where you need to start debugging. And the first 
 step of that would be setting the log level to "debug" in log4j2.xml, and 
 adding whatever Logger configuration you need to make the Oracle JDBC 
 library log for you as well.

 Once you've got the services loaded into the database

 9. Remove the "cas.serviceRegistry.json.location" and 
 "cas.serviceRegistry.initFromJson" properties from the server's 
 cas.properties file.

 10. Remove the "cas.serviceRegistry.json.location" property from, and 
 add all the JPA properties to, the management webapp's 
 management.properties file.

 At least, that's the procedure I followed to get the MongoDB service 
 registry working (see 
 https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_service-registry_overview.html).
  
 I've not used the JPA stuff at all, so no guarantees, but I don't see why 
 it should be any different.

 --Dave


 --

 DAVID A. CURRY, CISSP
 *DIRECTOR OF INFORMATION SECURITY*
 INFORMATION TECHNOLOGY

 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
 +1 212 229-5300 x4728 • david.cu...@newschool.edu


 On Tue, May 15, 2018 at 12:14 AM, Lionel Samuel  
 wrote:

> Changing in "cas.properties"  
> 'cas.serviceRegistry.json.location:file:/etc/cas/services' to 
> 'cas.serviceRegistry.json.location:foobar:/etc/cas/services'
>
> The above does not generate an error message --- is that a sign it's 
> not loaded?
>
>
> On Monday, May 14, 2018 at 8:25:37 PM UTC-7, Lionel Samuel wrote:
>>
>> I'm working with Jann -- attached is our pom file (we call the jar 
>> my-cas -- which is reflected in the URLs).
>>
>> It does not look like the JSON file is loaded -- I don't think it's 
>> pom related --- but at the moment we are both stumped so anything goes.
>>
>> 2018-05-14 20:23:17,715 WARN 
>> [org.apereo.cas.services.web.ServiceThemeResolver] - > service 
>> is found to match 
>> [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@330c1ecf[id=
>> 


Re: [cas-user] Re: PGT release in validation response

2018-09-03 Thread Tepe, Dirk
After posting this, I did find that including the PGTurl parameter did
cause CAS to include the encrypted PGT in the validation response. I don't
believe that the PGTurl must actually be accessible by the CAS server,
though. In my case, there is ability for that to happen and I was able to make
the encrypted exchange work.

It seems that the only way to trigger the proxy behavior is to include the
PGTurl param, regardless of whether it can actually be used or not. I did
not investigate if CAS attempts to connect first and then only includes the
PGT in the response if that fails.

So the feature does work, but how to elicit the desired behavior is not
obvious.

Thanks,

-dirk

On Fri, Aug 31, 2018 at 10:38 AM Sean Carr  wrote:

> I think you still need to have a valid PGT Callback URL which is a bit
> strange as you don't need to use it to retrieve the PGT.
>
> I got it working as follows:
> curl -X GET -k "
> https://cas-server:8443/cas/p3/serviceValidate?ticket=ST-***=https://*=https://*:4443
>
> If the CAS Server is able to communicate to the pgtUrl, it will send the
> PGT and PGTIOU to this URL as normal, but it will also return the PGT in
> the XML response to the above request.
>
> Sean
>
>
> On Monday, August 6, 2018 at 5:57:52 PM UTC+1, Dirk Tepe wrote:
>>
>> I am interested in developing a proof-of-concept based on the "PGT in
>> Validation Response" feature documented here:
>>
>>
>> https://apereo.github.io/cas/5.3.x/installation/Configuring-Proxy-Authentication.html#pgt-in-validation-response
>>
>> We are running CAS 5.3.2 and have successfully used public/private keys
>> in services for ClearPass, so we believe we understand the expected
>> operation.
>>
>> I have successfully had a release of the PGTiou to a service using the
>> traditional PGTurl feature, so I believe the basic proxy authorization is
>> also functional for the service.
>>
>> I am trying to address a situation "such that invoking a callback url to
>> receive the proxy granting ticket is not feasible, CAS may be configured to
>> return the proxy-granting ticket id directly in the validation response". I
>> am unclear how to trigger the release of the proxyGrantingTicketId in the
>> validation response, though. The documentation only describes the need to
>> set up the public key and ensure authorizedToReleaseProxyGrantingTicket is
>> true for the service. There is no mention of how to elicit the release in
>> the validation response rather than expecting the PGTurl.
>>
>> I had hoped the presence of authorizedToReleaseProxyGrantingTicket would
>> trigger that behavior, but that does not appear to be the case. I have been
>> unable to find any solution after hours of searching and testing.
>>
>> Any suggestions or clarification of the expected behavior would be
>> welcome.
>>
>> Dirk Tepe
>> Miami University
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAJ%3D0EZy63xeX%3D80-XEaOFFXi%2BwLgMn0-mMGbvyW%2BkLPw8BypKA%40mail.gmail.com.
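A service-side illustration of the exchange Dirk and Sean describe, added here as an example (not code from CAS or from anyone in this thread): it parses the /p3/serviceValidate XML, pulls the released proxyGrantingTicket and decrypts it with the service's private key, and reports the case where no PGT was released at all. It assumes CAS encrypts the ticket with RSA PKCS#1 v1.5 and Base64-encodes it; simulateCAS and the jdoe response are constructed stand-ins for the server.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// Minimal model of the CAS 3.0 /p3/serviceValidate success response;
// tags without a namespace also match the cas:-prefixed elements.
type serviceResponse struct {
	Success *struct {
		User string `xml:"user"`
		PGT  string `xml:"proxyGrantingTicket"`
	} `xml:"authenticationSuccess"`
}

// ExtractPGT parses the validation response and decrypts the released PGT with the
// service's private key (pair of the public key registered in the service definition).
// Assumed scheme: Base64 of RSA PKCS#1 v1.5 over the ticket string.
func ExtractPGT(body string, key *rsa.PrivateKey) (user, pgt string, err error) {
	var resp serviceResponse
	if err = xml.Unmarshal([]byte(body), &resp); err != nil {
		return "", "", err
	}
	if resp.Success == nil || resp.Success.PGT == "" {
		// pgtUrl was not sent, or the service is not authorized to release the PGT
		return "", "", fmt.Errorf("no proxyGrantingTicket in validation response")
	}
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(resp.Success.PGT))
	if err != nil {
		return "", "", err
	}
	plain, err := rsa.DecryptPKCS1v15(rand.Reader, key, ct)
	return resp.Success.User, string(plain), err
}

// simulateCAS builds a constructed success response the way the server would,
// encrypting the PGT with the service's public key. Test helper, not CAS code.
func simulateCAS(pub *rsa.PublicKey, pgt string) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(pgt))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user>
    <cas:proxyGrantingTicket>%s</cas:proxyGrantingTicket></cas:authenticationSuccess>
</cas:serviceResponse>`, base64.StdEncoding.EncodeToString(ct)), nil
}
```

The private key never leaves the service, so the PGT is safe in transit even if the validation response is logged; what the response cannot tell you is whether CAS also delivered the PGT to the callback URL.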