RE: [cas-user] CAS Interrupt Misunderstanding

2018-12-04 Thread Cutting, Shawn
Well, that is disappointing and reassuring at the same time.  Thankfully, I am 
just beginning the process of utilizing interrupts in this way, so I can easily 
shift my mindset for designing interrupts in the future.  Thank you for your 
quick feedback!!

Shawn

From: cas-user@apereo.org  On Behalf Of Tepe, Dirk
Sent: Tuesday, December 04, 2018 11:06 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS Interrupt Misunderstanding

We had a similar experience and I can share what we found. We have been on CAS 
3.x for many years and used a customization to trigger similar web flow 
behavior. With the upgrade to CAS 5.x, we wanted to use the built-in 
functionality. Here is an exchange we had with a consultant related to the CAS 
project:

-
Question:
> However, we can't seem to get ssoEnabled to work as expected. When ssoEnabled 
> is true, we expect that the link to B presented in the message would not 
> require the user to login again. However, that is not our experience. It 
> seems CAS only builds the SSO session after the Proceed button is clicked, 
> not when the links in the message are used.

Answer:
This is all correct and is the intended behavior. Given that CAS has never 
established SSO on the first run and B is protected by CAS, 
redirecting/accessing B will always ask for user credentials. One cannot build 
an SSO session first, only to then try to destroy it if SSO is interrupted. 
That would be a security breach in the right variations. You also can never 
make the link to B work, because if a link to B appears in the interrupt 
screen, simply clicking it is not the same thing as CAS issuing a ticket to it 
after a successful authentication, for B to grab that ticket and validate it. 
The link is exactly that; just a link. You wouldn't have access to a ticket, 
because you have not properly passed through the SSO flow because you were 
interrupted. We have had situations in the past where tickets/SSO were created 
prematurely before users were to access a link (i.e. a password self-service 
app), and those caused many other weird issues.

The ssoEnabled flag basically controls whether CAS should challenge the user for 
credentials and build the SSO cookie. It effectively should do the same thing 
as renew=true, and is more or less the same thing as the ssoEnabled flag of a 
service in the registry. If this is dysfunctional, where you see REST return 
false for ssoEnabled and yet you are not challenged for credentials, that would 
be a bug we can try to fix.
-

The behavior we want would clearly create a security risk in the authentication 
process. (We recognized this in our 3.x mod as well, but accepted it at the 
time.)

We also provide a grace period for expired passwords. The act of checking for a 
login message triggers the password expiration and starts the grace period. If 
the person is still within the grace period, the message will not block and a 
Proceed button is presented by CAS. If the grace period has ended, the block is 
set to true and the Proceed button no longer appears. The message contains a 
link to the site where the user can change their password. This does not 
support SSO due to the nature of 'ssoEnabled' and the user must authenticate 
again. We present this as a security feature. :)

The login interrupt messages are useful, but we have found that we must adapt 
our processes to the capability. I'm in favor of that because trying to 
maintain the modification to make CAS match our process is what kept us on 3.x 
for so long.

Hope this helps.

-dirk

On Tue, Dec 4, 2018 at 10:39 AM Shawn Cutting wrote:
Good morning,
I am trying to create a dynamic interrupt page and I think I am 
misunderstanding what the "ssoEnabled" setting does.  From the documentation, 
it seems that if this is set to true, then it would give a service ticket 
despite the action that would be taken on the interrupt page.  Here is what I 
am trying to do:

I want to warn people that their passwords are about to expire (we use Active 
Directory as LDAP) and I am giving them the option to "Remind me in 3 days." 
This option updates a database with the reminder date and then should redirect 
to the service page they originally called.  But instead, it takes them back to 
the CAS login where they have to reauthenticate and it bypasses the interrupt 
per my code.  What I want it to do is, after pressing "Remind me" to take them 
to the service page without having to authenticate again, which is what I 
thought should happen with "ssoEnabled=true."

Can anyone give me some better insight?
Thanks!
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 

Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread Curtis Ruck
Ideally I'll try submitting a couple of PRs to make the 
PrivateKeyBeanFactory handle a PrivateKey object being returned along with 
a PEMKeyPair object, since PEMParser isn't exactly the most deterministic.



Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread Curtis Ruck
As it turns out, my version of openssl (in Redhat 6.x with FIPS mode 
enforced) can't generate the right PEM format for BouncyCastle to parse 
into a PEMKeyPair object.  BouncyCastle only parses (from my testing) a 
traditional PEM (or SSLeay PEM format), which is unique from PKCS#1 and 
PKCS#8.  The BC documentation is extremely light on this topic in the PEMParser 
javadoc.

So I'm giving it a DER format key and it works now, as there is only one 
DER format supposedly.



Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
So while I'm eating lunch I did a bit of fiddling around...

It looks like you can do:

openssl genrsa -des3 -out tmp.key 2048

When it prompts for a password, enter "" (or whatever, just remember
it). This gives you an encrypted key file. Then run:

openssl rsa -in tmp.key -out server-signing.key

and enter the password again. This gives you an unencrypted key. Then you
can run:

openssl req -key server-signing.key -new -x509 -days 3650 -subj /CN=server.domain.com -out server-signing.crt

And you'll get a certificate that seems to resemble what CAS creates.

I haven't tried actually feeding these to CAS to see if it likes them, but
looking at them with openssl, they seem to have the same properties, except
that the one I generated as above has this X509v3 Extension:

X509v3 Basic Constraints:
CA:TRUE

that the CAS-generated one doesn't have. You can make that go away with an
OpenSSL config file, but the syntax of those things is (apparently) beyond
me. Left as an exercise to the reader. :-)

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu





Re: [cas-user] where is CAS TGC cookie stored in browser?

2018-12-04 Thread Paramvir Singh Karwal
Thanks Ray,
That clears my confusion.

On Tue, 4 Dec 2018 at 10:38 PM, Ray Bon wrote:

> Paramvir,
>
> I assume that by session cookie you mean your client application's session
> cookie and not CAS's TGC.
> The client application is responsible for managing its own session. Once
> the user has been authenticated (service ticket validated), CAS is no
> longer required.
>
> Ray
>
> On Tue, 2018-12-04 at 03:22 -0800, Paramvir Singh Karwal wrote:
>
> Hi Andy,
>
> My question is regarding the validation of the session cookie. The first
> time, the service ticket is validated by calling CAS's endpoint, but in
> subsequent calls from the browser to the application only the session cookie
> is sent. How does the application validate the session cookie? Does the
> application server make a record of the session cookie which can be checked
> against the incoming calls containing the session cookie? As depicted in the
> diagram there is no call to CAS from the application server to validate the
> cookie this time.
>
> On Saturday, October 22, 2016 at 3:17:39 AM UTC+5:30, Andrew Morgan wrote:
>
> On Fri, 21 Oct 2016, Yan Zhou wrote:
>
> > Hello,
> >
> > It was said that the TGT cookie (TGC) is hidden, so that we won't see
> it.
> >
> > I am curious how browser can send such hidden cookie to CAS, when user
> goes
> > to apps?  If browser can see it, there should be a way for us to see it.
> >
> > The reason I am asking is because I noticed that Ajax XhrRequest does
> not
> > seem to send TGC cookie in some circumstances, so I need to investigate.
>
> The TGC is set by the CAS server using the domain of the CAS server.  For
> example, my CAS server is at https://login.oregonstate.edu/cas/ and the
> TGC has a domain of "login.oregonstate.edu" and a path of "/cas".  The
> browser will only send the cookie to the CAS, not the CAS client.
>
> The TGC persists the SSO session.  It is not used by client applications.
> They receive a Service Ticket (ST) appended to the URL and validate the ST
> by calling CAS's /serviceValidate endpoint.
>
> A more complete description of this can be found at:
>
>https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
>
> Thanks,
>  Andy
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>





Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread Curtis Ruck
This works though: openssl rsa -in test2.pem -out test3.pem

It properly converts from PKCS#8 into PKCS#1, which then triggers BC to 
return a PEMKeyPair object.





Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread Curtis Ruck
I prefer working with CAS to OpenAM, ADFS, etc...  Try automating one of 
those SSO solutions.

It's also why I preferred Spring XML to this @Configuration stuff.






Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
1,000 CAS servers. Ow. :-)







Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread Curtis Ruck
No.  The main difference I can see is that the CAS generated 
idp-signing.key has a "-----BEGIN RSA PRIVATE KEY-----" header, whereas it seems 
openssl generates a "-----BEGIN PRIVATE KEY-----" header, which indicates a PKCS#1 vs 
PKCS#8 format.  Somehow, though, BouncyCastle is thinking it has a public key 
(not certificate) and private key inside the PKCS#1 format that CAS 
generates.


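An added example (editor's, not code from the thread or from the CAS project) that ties together Curtis's PKCS#1 vs PKCS#8 observation above and David's three-step openssl procedure further up the page: it classifies a key by its PEM header the way PEMParser does, normalizes the key to PKCS#1 on both OpenSSL 1.x and 3.x (3.x writes PKCS#8 by default), and mints the self-signed signing certificate with basicConstraints CA:FALSE through the config file David left as an exercise. It assumes OpenSSL 1.1.x or 3.x on PATH; the file names and the CN are placeholders.

```shell
#!/bin/sh
# Editor-added example, not from the cas-user thread or the CAS project.
# Assumes OpenSSL 1.1.x or 3.x on PATH; file names and CN are placeholders.
set -eu

# Classify a PEM private key by its BEGIN line, which is what BouncyCastle's
# PEMParser keys on: PKCS#1 ("RSA PRIVATE KEY") comes back as a PEMKeyPair,
# PKCS#8 ("PRIVATE KEY") as PrivateKeyInfo, and the encrypted variants need a
# password before either can be used. Reads the PEM text from stdin.
pem_kind() {
  awk '
    /^-----BEGIN RSA PRIVATE KEY-----/           { kind = "pkcs1" }
    /^-----BEGIN PRIVATE KEY-----/               { kind = "pkcs8" }
    /^-----BEGIN ENCRYPTED PRIVATE KEY-----/     { kind = "pkcs8-encrypted" }
    /^Proc-Type: 4,ENCRYPTED/ && kind == "pkcs1" { kind = "pkcs1-encrypted" }
    END { print (kind == "" ? "unknown" : kind) }
  '
}

# Rewrite an unencrypted RSA key as PKCS#1, the form the PEMParser-based loader
# accepts. OpenSSL 3.x writes PKCS#8 by default and needs -traditional; 1.x
# rejects that flag but already writes PKCS#1, so fall back to the plain form.
# Fails loudly if the result still is not PKCS#1.
to_pkcs1() {
  openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null \
    || openssl rsa -in "$1" -out "$2"
  [ "$(pem_kind < "$2")" = pkcs1 ] || { echo "$2 is not PKCS#1" >&2; return 1; }
}

# David's three steps collapsed: an unencrypted 2048-bit key straight from
# genrsa, normalized to PKCS#1, plus a self-signed signing cert. The config
# file is what removes the "CA:TRUE" basic constraint the thread noticed; it
# asks for CA:FALSE and a signature-only key usage instead.
make_signing_pair() {
  name=$1; cn=$2
  openssl genrsa -out "$name.tmp.key" 2048 2>/dev/null
  to_pkcs1 "$name.tmp.key" "$name.key"
  rm -f "$name.tmp.key"
  cat > "$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_signing
[dn]
CN = $cn
[v3_signing]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
  openssl req -new -x509 -days 3650 -key "$name.key" -config "$name.cnf" -out "$name.crt"
}

# Prints "CA:FALSE" or "CA:TRUE" for a certificate, so an automated pipeline
# can refuse a signing cert that was accidentally minted as a CA.
cert_basic_constraints() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -o 'CA:[A-Z]*'
}

# Stand-alone demo: build a pair in a scratch directory and report the checks.
demo() {
  dir=$(mktemp -d)
  make_signing_pair "$dir/idp-signing" "cas.example.test"   # placeholder CN
  echo "key format:       $(pem_kind < "$dir/idp-signing.key")"
  echo "basicConstraints: $(cert_basic_constraints "$dir/idp-signing.crt")"
  rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "openssl not on PATH; only pem_kind is usable" >&2
fi
```

The header check alone is enough to tell, before CAS ever starts, whether a key handed to it will come out of PEMParser as a PEMKeyPair.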


Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread Curtis Ruck
Dave, 

Keys generated/signed by a CA, plus we need a 100% automated solution.  We don't 
just have 1 CAS server, we have 1,000 or so, and they each need unique 
keys.  Our CAS use case is unique, in that we essentially run CAS 
w/applications at the edge of the network, with extremely poor 
communications back up to a centralized enterprise; so we have to automate 
as much as possible.

Ideally, I'd just submit a couple of PRs to make the PrivateKeyFactoryBean 
handle multiple outputs from the PEMParser, but I'm working against a tight 
schedule, and can't wait for a CAS release at the moment.




Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread Ray Bon
Curtis,

Will this work: 
https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files

Ray

On Tue, 2018-12-04 at 08:59 -0800, Curtis Ruck wrote:
Does anyone know how to generate the idp-signing.key/crt with openssl?  It 
seems CAS is hardcoded to expect a PEMKeyPair object coming out of PEMParser, 
but I can't figure out how to use OpenSSL to generate an appropriate key file.

Yes, CAS generates it fine, using bouncycastle, but I have to generate these 
keys/certificates outside of CAS so I can distribute the trust to the various 
SAML 2.0 applications.




Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
This doesn't really answer your question (I don't know the answer), but
can't you just start CAS and let it generate the keys (they end up in
/etc/cas/saml), then stop CAS and copy the keys somewhere for
safekeeping/redistribution?

For our installation with multiple CAS servers behind a load balancer
that's what I did, and copied the keys into the Maven overlay's
etc/cas/saml directory. Then when I install everything, I end up with the
same keys (and metadata) on all the servers. And we've uploaded them to a
SAML SP here and there, as well. Seems to work fine, so far.

Or do you need to use keys generated/signed by your CA or something?

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Dec 4, 2018 at 11:59 AM Curtis Ruck  wrote:

> Does anyone know how to generate the idp-signing.key/crt with openssl?  It
> seems CAS is hardcoded to expect a PEMKeyPair object coming out of PEMParser,
> but I can't figure out how to use OpenSSL to generate an appropriate key file.
>
> Yes, CAS generates it fine, using bouncycastle, but I have to generate
> these keys/certificates outside of CAS so I can distribute the trust to the
> various SAML 2.0 applications.
>



Re: [cas-user] where is CAS TGC cookie stored in browser?

2018-12-04 Thread Ray Bon
Paramvir,

I assume that by session cookie you mean your client application's session 
cookie and not CAS's TGC.
The client application is responsible for managing its own session. Once the 
user has been authenticated (service ticket validated), CAS is no longer 
required.

Ray

On Tue, 2018-12-04 at 03:22 -0800, Paramvir Singh Karwal wrote:
Hi Andy,

My question is regarding the validation of the session cookie. The first time, 
the service ticket is validated by calling CAS's endpoint, but in subsequent 
calls from the browser to the application only the session cookie is sent. How 
does the application validate the session cookie? Does the application server 
make a record of the session cookie which can be checked against the incoming 
calls containing the session cookie? As depicted in the diagram, there is no 
call to CAS from the application server to validate the cookie this time.

On Saturday, October 22, 2016 at 3:17:39 AM UTC+5:30, Andrew Morgan wrote:
On Fri, 21 Oct 2016, Yan Zhou wrote:

> Hello,
>
> It was said that the TGT cookie (TGC) is hidden, so that we won't see it.
>
> I am curious how browser can send such hidden cookie to CAS, when user goes
> to apps?  If browser can see it, there should be a way for us to see it.
>
> The reason I am asking is because I noticed that Ajax XhrRequest does not
> seem to send TGC cookie in some circumstances, so I need to investigate.

The TGC is set by the CAS server using the domain of the CAS server.  For
example, my CAS server is at https://login.oregonstate.edu/cas/ and the
TGC has a domain of "login.oregonstate.edu" and a path of "/cas".  The
browser will only send the cookie to the CAS, not the CAS client.

The TGC persists the SSO session.  It is not used by client applications.
They receive a Service Ticket (ST) appended to the URL and validate the ST
by calling CAS's /serviceValidate endpoint.

A more complete description of this can be found at:

   https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html

Thanks,
 Andy

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



[cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread Curtis Ruck
Does anyone know how to generate the idp-signing.key/crt with openssl?  It 
seems CAS is hardcoded to expect a PEMKeyPair object coming out of PEMParser, 
but I can't figure out how to use OpenSSL to generate an appropriate key file.

Yes, CAS generates it fine, using bouncycastle, but I have to generate 
these keys/certificates outside of CAS so I can distribute the trust to the 
various SAML 2.0 applications.

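The thread leaves open what PEM shape PEMParser actually needs. As an added example (not code from the thread or from the CAS project): BouncyCastle's PEMParser.readObject() returns a PEMKeyPair only for the traditional PKCS#1 "BEGIN RSA PRIVATE KEY" encoding, while a PKCS#8 "BEGIN PRIVATE KEY" file (the default output of `openssl genrsa` on OpenSSL 3 unless `-traditional` is passed) comes back as PrivateKeyInfo. The script below checks the label and unwraps an unencrypted RSA PKCS#8 key into PKCS#1; the key it round-trips is constructed from textbook-sized numbers and is not usable for signing.

```python
"""Normalise an RSA private key to traditional PKCS#1 PEM ("BEGIN RSA PRIVATE KEY"),
the only PEM form BouncyCastle's PEMParser.readObject() returns as a PEMKeyPair.
A PKCS#8 "BEGIN PRIVATE KEY" file (the default of `openssl genrsa` on OpenSSL 3;
pass `-traditional` there) is returned as PrivateKeyInfo instead. Stdlib only."""
import base64
import re
import sys
import textwrap

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER content octets
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

def _read_tlv(der, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length

def _tlv(tag, value):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def _der_int(value):
    """DER INTEGER for a non-negative int; a leading 0x00 keeps it positive."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def pem_label(pem):
    """Label of the first PEM block, e.g. 'PRIVATE KEY' or 'RSA PRIVATE KEY'."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem)
    return m.group(1) if m else None

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) [A-Z0-9 ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def der_to_pem(label, der):
    """Wrap DER bytes in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"

def pkcs8_to_pkcs1(pkcs8_der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING privateKey };
    for rsaEncryption the OCTET STRING content is exactly the PKCS#1 RSAPrivateKey DER."""
    tag, seq, _ = _read_tlv(pkcs8_der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, version, pos = _read_tlv(seq, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, alg, pos = _read_tlv(seq, pos)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key; only RSA keys unwrap to PKCS#1")
    tag, rsa_private_key, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return bytes(rsa_private_key)

def to_traditional_pem(pem):
    """Return 'RSA PRIVATE KEY' PEM for an RSA key given in either unencrypted PEM form."""
    label = pem_label(pem)
    if label == "RSA PRIVATE KEY":
        return pem  # already what PEMParser turns into a PEMKeyPair
    if label == "PRIVATE KEY":
        return der_to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(pem_to_der(pem)))
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("encrypted PKCS#8 key: decrypt it first, then convert")
    raise ValueError(f"unexpected PEM label: {label}")

# --- constructed sample input: textbook-sized numbers, NOT a usable key -----
def build_toy_rsa_private_key():
    """Syntactically valid RSAPrivateKey DER (version, n, e, d, p, q, dP, dQ, qInv)."""
    n, e, d, p, q = 3233, 17, 2753, 61, 53
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return _tlv(0x30, b"".join(_der_int(x) for x in fields))

def wrap_pkcs8(rsa_private_key_der, oid=RSA_ENCRYPTION_OID):
    """Wrap an RSAPrivateKey in PKCS#8 PrivateKeyInfo (algorithm parameters NULL)."""
    alg = _tlv(0x30, _tlv(0x06, oid) + b"\x05\x00")
    return _tlv(0x30, _der_int(0) + alg + _tlv(0x04, rsa_private_key_der))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python thisscript.py idp-signing.key > idp-signing-pkcs1.key
        with open(sys.argv[1]) as f:
            sys.stdout.write(to_traditional_pem(f.read()))
    else:  # demo: round-trip the constructed toy key
        pkcs8_pem = der_to_pem("PRIVATE KEY", wrap_pkcs8(build_toy_rsa_private_key()))
        sys.stdout.write(pkcs8_pem + "\n" + to_traditional_pem(pkcs8_pem))
```

The inverse direction (PKCS#1 to PKCS#8) is what `openssl pkcs8 -topk8` does; this script only goes the way CAS needs and refuses EC keys and encrypted files rather than emitting a mislabelled PEM.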


Re: [cas-user] CAS Interrupt Misunderstanding

2018-12-04 Thread Tepe, Dirk
We had a similar experience and I can share what we found. We have been on
CAS 3.x for many years and used a customization to trigger similar web flow
behavior. With the upgrade to CAS 5.x, we wanted to use the built-in
functionality. Here is an exchange we had with a consultant related to the
CAS project:

-
Question:
> However, we can't seem to get ssoEnabled to work as expected. When
ssoEnabled is true, we expect that the link to B presented in the message
would not require the user to login again. However, that is not our
experience. It seems CAS only builds the SSO session after the Proceed
button is clicked, not when the links in the message are used.

Answer:
This is all correct and is the intended behavior. Given that CAS has never
established SSO on the first run and B is protected by CAS,
redirecting/accessing B will always ask for user credentials. One cannot
build an SSO session first, only to then try to destroy it if SSO is
interrupted. That would be a security breach in the right variations. You
also can never make the link to B work, because if a link to B appears
in the interrupt screen, simply clicking it is not the same thing as CAS
issuing a ticket to it after a successful authentication, for B to grab
that ticket and validate it. The link is exactly that; just a link. You
wouldn't have access to a ticket, because you have not properly passed
through the SSO flow because you were interrupted. We have had situations
in the past where tickets/SSO were created prematurely before users were to
access a link (i.e. a password self-service app), and those caused many other
weird issues.

The ssoEnabled flag basically controls whether CAS should challenge the user
for credentials and build the SSO cookie. It effectively should do the same
thing as renew=true, and is more or less the same thing as the ssoEnabled flag
of a service in the registry. If this is dysfunctional, where you see REST
return false for ssoEnabled and yet you are not challenged for credentials,
that would be a bug we can try to fix.
-

The behavior we want would clearly create a security risk in the
authentication process. (We recognized this in our 3.x mod as well, but
accepted it at the time.)

We also provide a grace period for expired passwords. The act of checking
for a login message triggers the password expiration and starts the grace
period. If the person is still within the grace period, the message will
not block and a Proceed button is presented by CAS. If the grace period has
ended, the block is set to true and the Proceed button no longer appears.
The message contains a link to the site where the user can change their
password. This does not support SSO due to the nature of 'ssoEnabled' and
the user must authenticate again. We present this as a security feature. :)

The login interrupt messages are useful, but we have found that we must
adapt our processes to the capability. I'm in favor of that because trying
to maintain the modification to make CAS match our process is what kept us
on 3.x for so long.

Hope this helps.

-dirk

On Tue, Dec 4, 2018 at 10:39 AM Shawn Cutting  wrote:

> Good morning,
> I am trying to create a dynamic interrupt page and I think I am
> misunderstanding what the "ssoEnabled" setting does.  From the
> documentation, it seems that if this is set to true, then it would give a
> service ticket despite the action that would be taken on the interrupt
> page.  Here is what I am trying to do:
>
> I want to warn people that their passwords are about to expire (we use
> Active Directory as LDAP) and I am giving them the option to "Remind me in
> 3 days." This option updates a database with the reminder date and then
> should redirect to the service page they originally called.  But instead,
> it takes them back to the CAS login where they have to reauthenticate and
> it bypasses the interrupt per my code.  What I want it to do is, after
> pressing "Remind me" to take them to the service page without having to
> authenticate again, which is what I thought should happen with
> "ssoEnabled=true."
>
> Can anyone give me some better insight?
> Thanks!
>


Re: [cas-user] Protect Single Page application using mod_auth_cas

2018-12-04 Thread David Curry
Directory works fine with mod_auth_cas. For example, I usually use some
variation on this for /etc/httpd/conf.d/cas.conf:

LoadModule auth_cas_module modules/mod_auth_cas.so




AuthType CAS
CASAuthNHeader  On


Require valid-user



CASLoginUrl   https://casdev.newschool.edu/cas/login
CASValidateUrl    https://casdev.newschool.edu/cas/samlValidate
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASValidateSAML   On
CASSSOEnabled On
CASDebug  Off



And there's no need to limit yourself to one Directory section... I
actually have three of them on this server (the different directory names
produce different URLs for different service registry entries with
different settings).

Note: if you don't need attribute values returned from the CAS server, you
can use "serviceValidate" instead of "samlValidate" on the CASValidateUrl,
and get rid of the CASAuthNHeader setting.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Dec 4, 2018 at 10:44 AM Shankaranand Bahushrutham <
sbahushrut...@mercuryinsurance.com> wrote:

> Thanks. This is very informative. I was under the assumption that
> mod_auth_cas will understand only Location. Does this mean mod_auth_cas can
> act on Directory as well?
>
> On Monday, December 3, 2018 at 3:53:28 PM UTC-8, dhawes wrote:
>>
>> The order of these directives matters. You may want to review:
>>
>> http://httpd.apache.org/docs/current/sections.html#merging
>>
>> We'd need more config to tell what's going on in your case.
>> On Fri, 30 Nov 2018 at 19:46, Shankaranand Bahushrutham
>>  wrote:
>> >
>> >
>> > I have 2 single page applications developed in Angular 6. I want to
>> protect one of them with CAS and the other one should not be protected. In
>> the Apache web server, I have them under the htdocs folder with the names 'unsecured'
>> and 'secured'. Below is my mod_auth_cas configuration and it isn't working.
>> It protects fine if I give  but the problem is
>> that it protects the unsecured app as well.
>> >
>> > 
>> >   Authtype CAS
>> >   require valid-user
>> >   CASAuthNHeader sm_user
>> >   CASScope /secured
>> > 
>> >
>> > I have a rewrite rule to rewrite /* to /secured and another rule
>> /unsecured to /unsecured (this is placed above the /* so that unsecured
>> rule executes first)
>> >
>> > Please advise the right configuration
>> >



Re: [cas-user] Protect Single Page application using mod_auth_cas

2018-12-04 Thread Shankaranand Bahushrutham
Thanks. This is very informative. I was under the assumption that 
mod_auth_cas will understand only Location. Does this mean mod_auth_cas can 
act on Directory as well?

On Monday, December 3, 2018 at 3:53:28 PM UTC-8, dhawes wrote:
>
> The order of these directives matters. You may want to review: 
>
> http://httpd.apache.org/docs/current/sections.html#merging 
>
> We'd need more config to tell what's going on in your case. 
> On Fri, 30 Nov 2018 at 19:46, Shankaranand Bahushrutham 
> > wrote: 
> > 
> > 
> > I have 2 single page applications developed in Angular 6. I want to 
> protect one of them with CAS and the other one should not be protected. In 
> the Apache web server, I have them under the htdocs folder with the names 'unsecured' 
> and 'secured'. Below is my mod_auth_cas configuration and it isn't working. 
> It protects fine if I give  but the problem is 
> that it protects the unsecured app as well. 
> > 
> >  
> >   Authtype CAS 
> >   require valid-user 
> >   CASAuthNHeader sm_user 
> >   CASScope /secured 
> >  
> > 
> > I have a rewrite rule to rewrite /* to /secured and another rule 
> /unsecured to /unsecured (this is placed above the /* so that unsecured 
> rule executes first) 
> > 
> > Please advise the right configuration 
> > 



[cas-user] CAS Interrupt Misunderstanding

2018-12-04 Thread Shawn Cutting
Good morning,
I am trying to create a dynamic interrupt page and I think I am 
misunderstanding what the "ssoEnabled" setting does.  From the 
documentation, it seems that if this is set to true, then it would give a 
service ticket despite the action that would be taken on the interrupt 
page.  Here is what I am trying to do:

I want to warn people that their passwords are about to expire (we use 
Active Directory as LDAP) and I am giving them the option to "Remind me in 
3 days." This option updates a database with the reminder date and then 
should redirect to the service page they originally called.  But instead, 
it takes them back to the CAS login where they have to reauthenticate and 
it bypasses the interrupt per my code.  What I want it to do is, after 
pressing "Remind me" to take them to the service page without having to 
authenticate again, which is what I thought should happen with 
"ssoEnabled=true."

Can anyone give me some better insight?
Thanks!



[cas-user] HA Redis Crash

2018-12-04 Thread Ramakrishna G
Hello all,

I am using Redis to store tickets in CAS. But now I have a new requirement 
to implement an HA Redis Ticket Registry with Sentinel.

cas.properties

cas.ticket.registry.redis.host=192.168.111.201
cas.ticket.registry.redis.port=6379
cas.ticket.registry.redis.sentinel.master=mymaster
cas.ticket.registry.redis.sentinel.nodes[0]=192.168.111.201:26379
cas.ticket.registry.redis.sentinel.nodes[1]=192.168.111.205:26379
cas.ticket.registry.redis.sentinel.nodes[2]=192.168.111.206:26379


My cas.properties has the necessary configuration for Sentinel, but I am 
getting the exception below when the application starts. Can someone help please.

Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: 
Error creating bean with name 
'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration': 
Unsatisfied dependency expressed through method 'setConfigurers' parameter 0; 
nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'casCoreTicketsConfiguration': Unsatisfied dependency 
expressed through field 'casProperties'; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could 
not bind properties to CasConfigurationProperties (prefix=cas, 
ignoreInvalidFields=false, ignoreUnknownFields=false, 
ignoreNestedProperties=false); nested exception is 
org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException: 
Failed to bind 'cas.ticket.registry.redis.sentinel.nodes[1]' from 
'applicationProfilesProperties' to 'ticket.registry.redis.sentinel.nodes[1]' 
property on 
'org.apereo.cas.configuration.model.support.redis.RedisTicketRegistryProperties'

[cas-user] Re: JWTs and Microservice

2018-12-04 Thread Misagh Moayyed
It shouldn't have to be registered, and no it's not considered "correct 
practice" to share in most cases.

On Thursday, November 29, 2018 at 2:26:10 AM UTC-7, Giuseppe Infurna wrote:
>
> Hi, 
> I have a web application connected with CAS 5.3.5 and it works.
> After logging into CAS, I return to my application with 
> redirect=true=eiyece . in the URL.
> The web application validates the JWT and creates a session cookie as 
> explained here.
>
> https://apereo.github.io/cas/5.3.x/installation/Configure-ServiceTicket-JWT.html
>
>
> Now, from my application I want to invoke remote microservices on a third 
> app of mine, passing the JWT (ticket) that CAS had provided me. 
> This remote app validates the JWT and that is OK, but should it be registered 
> on CAS? Is it a correct practice?
>
> Regards
> Giuseppe
>



Re: [cas-user] where is CAS TGC cookie stored in browser?

2018-12-04 Thread Paramvir Singh Karwal
Hi Andy, 

My question is regarding the validation of the session cookie. The first 
time, the service ticket is validated by calling CAS's endpoint, but in 
subsequent calls from the browser to the application only the session cookie 
is sent. How does the application validate the session cookie? Does the 
application server make a record of the session cookie which can be checked 
against the incoming calls containing the session cookie? As depicted in the 
diagram, there is no call to CAS from the application server to validate the 
cookie this time.

On Saturday, October 22, 2016 at 3:17:39 AM UTC+5:30, Andrew Morgan wrote:
>
> On Fri, 21 Oct 2016, Yan Zhou wrote: 
>
> > Hello, 
> > 
> > It was said that the TGT cookie (TGC) is hidden, so that we won't see 
> it. 
> > 
> > I am curious how browser can send such hidden cookie to CAS, when user 
> goes 
> > to apps?  If browser can see it, there should be a way for us to see it. 
> > 
> > The reason I am asking is because I noticed that Ajax XhrRequest does 
> not 
> > seem to send TGC cookie in some circumstances, so I need to investigate. 
>
> The TGC is set by the CAS server using the domain of the CAS server.  For 
> example, my CAS server is at https://login.oregonstate.edu/cas/ and the 
> TGC has a domain of "login.oregonstate.edu" and a path of "/cas".  The 
> browser will only send the cookie to the CAS, not the CAS client. 
>
> The TGC persists the SSO session.  It is not used by client applications. 
> They receive a Service Ticket (ST) appended to the URL and validate the ST 
> by calling CAS's /serviceValidate endpoint. 
>
> A more complete description of this can be found at: 
>
>https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html 
>
> Thanks, 
>  Andy 
>



[cas-user] Re: CAS 5.2 OAuth 2 Redirect to root - not regularly

2018-12-04 Thread Amin M.Tehrani
Thank you, we are trying it out.

On Thursday, November 29, 2018 at 5:42:48 AM UTC+1, Andy Ng wrote:
>
> Hi,
>
> See if your discovered bug is the same as this one: 
> https://github.com/apereo/cas/pull/3363
>
> If yes, then try upgrading to 5.3.x, it should be fixed already. 
> If the bug is as shown in this answer, but you want to stay in 5.2.x, 
> there is a detailed description of how I fixed that in CAS 5.2.x in the PR, a 
> bit dirty but should do the trick.
>
> If your bug is not the same as what I describe above, then idk how to help 
> you, just so you know after fixing the above bug listed in the PR, CAS 
> OAuth runs completely fine in both 5.2.x and 5.3.x version for me.
>
> Cheers!
> - Andy
>
