[cas-user] Re: Ranking Providers for step-up authentication

2019-05-20 Thread Misagh Moayyed
This might get you started in the right direction: 
https://apereo.github.io/2019/05/13/cas61x-mfa-selection-strategies/

On Monday, May 20, 2019 at 4:09:19 AM UTC-7, Fabio Martelli wrote:
>
> Hi All, I'd like to exploit "Ranking Providers" feature [1] in order to 
> implement a step-up authentication.
>
> My scenario is exactly the following:
>
>- CAS has achieved an SSO session, but a separate request now requires 
>step-up authentication with another provider of a greater "rank".
>
> Can someone address me in this direction? I didn't find any documentation 
> for implementing this feature.
>
> Thank you in advance.
>
> Regards,
>
> F.
>
> [1] 
> https://apereo.github.io/cas/5.2.x/installation/Configuring-Multifactor-Authentication.html#ranking-providers
>
> -- 
> Fabio Martelli
> https://it.linkedin.com/pub/fabio-martelli/1/974/a44
> http://blog.tirasa.net/author/fabio/index.html
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm
>
> Apache Syncope PMC
> http://people.apache.org/~fmartelli/
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/75d6257e-e144-411c-b708-b0e906fd68dd%40apereo.org.


[cas-user] X509 authentication with LDAP integration

2019-05-20 Thread Chad Merritt
Greetings all,

I'm having a heck of a time getting X509 with LDAP integration and LDAP 
attribute resolution working on CAS 6.0.  The core issue is that I have to 
use the certificate UPN for initial authentication and for determining the 
user's DN from LDAP.  Then I have to use that DN to look up other 
attributes.  My hands are tied on how the LDAP schema is set up.

Using this configuration:

cas.authn.x509.name=X509_AUTHENTICATION
cas.authn.x509.order=0
cas.authn.x509.principalType=SUBJECT_ALT_NAME
cas.authn.x509.checkKeyUsage=true
cas.authn.x509.requireKeyUsage=true

cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].name=AD_SERVERS
cas.authn.attributeRepository.ldap[0].ldapUrl=${ldapUrl}
cas.authn.attributeRepository.ldap[0].bindDn=${bindDn}
cas.authn.attributeRepository.ldap[0].bindCredential=${bindCredential}
cas.authn.attributeRepository.ldap[0].baseDn=${baseDn}
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].searchFilter=(&(sAMAccountType=805306368)(userPrincipalName={0}))
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.attributeRepository.ldap[0].attributes.distinguishedName=distinguishedName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.mail=mail

CAS gets the UPN off the certificate, creates a Principal ID and 
returns distinguishedName, displayName, and mail.  But I need other 
attributes with a searchFilter using the distinguishedName.  I tried adding 
a 2nd cas.authn.attributeRepository entry but can't figure out how to use 
the distinguishedName from the first one.  So then I thought I might be 
able to use LDAP integration to use the UPN to get the DN and then use that 
in the attributeRepository block, and it's turned out to be even worse.  Just 
for authentication I've got:

cas.authn.x509.name=X509_AUTHENTICATION
cas.authn.x509.order=0
cas.authn.x509.principalType=SUBJECT_ALT_NAME
cas.authn.x509.principalDescriptor=$username
cas.authn.x509.checkKeyUsage=true
cas.authn.x509.requireKeyUsage=true

cas.authn.x509.ldap.name=X509_LDAP_INTEGRATION
cas.authn.x509.ldap.ldapUrl=${ldapUrl}
cas.authn.x509.ldap.bindDn=${bindDn}
cas.authn.x509.ldap.bindCredential=${bindCredential}
cas.authn.x509.ldap.baseDn=${baseDn}
cas.authn.x509.ldap.keystore=${keyStore}
cas.authn.x509.ldap.keystorePassword=${keyPasswd}
cas.authn.x509.ldap.useSsl=true
cas.authn.x509.ldap.useStartTls=false
cas.authn.x509.ldap.subtreeSearch=true
cas.authn.x509.ldap.searchFilter=(&(sAMAccountType=805306368)(userPrincipalName={0}))
cas.authn.x509.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.x509.ldap.allowMultipleDns=false
cas.authn.x509.ldap.allowMultipleEntries=false
cas.authn.x509.ldap.followReferrals=false

The logs show: 



Then it throws a NullPointerException:

ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[X509SubjectAlternativeNameUPNPrincipalResolver(super=AbstractX509PrincipalResolver(super=PersonDirectoryPrincipalResolver(attributeRepository=org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl@25109608,
 
principalFactory=org.apereo.cas.authentication.principal.DefaultPrincipalFactory@1,
 
returnNullIfNoAttributes=false, 
principalNameTransformer=org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver$$Lambda$706/0x000840841840@be5226f,
 
principalAttributeNames=username, useCurrentPrincipalId=false), 
alternatePrincipalAttribute=null))] failed to resolve principal from 
[AbstractCredential()]>

Followed by:
2019-05-20 12:30:47,903 WARN 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 

2019-05-20 12:30:47,903 WARN 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 

2019-05-20 12:30:47,903 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 

and then AUTHENTICATION FAILED

Any ideas?  This is driving me up the wall.

Thanks
r/Chad
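The chained lookup the post is after, as an added example that is not from the post or from CAS: stage 1 resolves the certificate UPN to a DN with the post's search filter, stage 2 fetches the remaining attributes by that DN. It assumes a constructed in-memory directory in place of the AD servers, and escapes the UPN before splicing it into the filter.

```python
# Added example, not code from the post or from CAS: the two-stage
# resolution the post describes (certificate UPN -> DN, then DN -> attributes)
# run against a constructed in-memory directory so it works offline.

# Constructed sample entries, not real data: DN -> attributes.
DIRECTORY = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=org": {
        "sAMAccountType": "805306368",
        "userPrincipalName": "jane.doe@example.org",
        "displayName": "Jane Doe",
        "mail": "jane.doe@example.org",
        "memberOf": ["CN=vpn-users,OU=Groups,DC=example,DC=org"],
    },
    # Two entries sharing one UPN, to exercise allowMultipleEntries=false.
    "CN=Old Jane,OU=Disabled,DC=example,DC=org": {
        "sAMAccountType": "805306368", "userPrincipalName": "dup@example.org",
        "displayName": "Old Jane", "mail": "", "memberOf": [],
    },
    "CN=New Jane,OU=Staff,DC=example,DC=org": {
        "sAMAccountType": "805306368", "userPrincipalName": "dup@example.org",
        "displayName": "New Jane", "mail": "", "memberOf": [],
    },
}

# The search filter from the post; {0} is replaced by the principal id.
UPN_FILTER = "(&(sAMAccountType=805306368)(userPrincipalName={0}))"


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter in place of {0}."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(upn):
    """The filter that would be sent for this UPN, with the value escaped."""
    return UPN_FILTER.replace("{0}", escape_filter_value(upn))


def resolve_dn(upn):
    """Stage 1: UPN -> DN. Mirrors allowMultipleEntries=false from the post:
    exactly one user entry may match, otherwise resolution fails."""
    hits = [dn for dn, a in DIRECTORY.items()
            if a["sAMAccountType"] == "805306368"
            and a["userPrincipalName"].lower() == upn.lower()]
    if len(hits) != 1:
        raise LookupError("expected 1 entry for %s, found %d" % (upn, len(hits)))
    return hits[0]


def resolve_attributes(upn, wanted=("displayName", "mail", "memberOf")):
    """Stage 2: DN -> attributes, chained from the DN found in stage 1."""
    dn = resolve_dn(upn)
    entry = DIRECTORY[dn]
    return {"distinguishedName": dn, **{k: entry[k] for k in wanted}}
```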






Re: [cas-user] CAS 5.3.8 - SAML2 IdP - match found for service in registry but the match is not defined as a SAML service

2019-05-20 Thread Nicola Boldrin
Hi Ray,
the first declaration of serviceId was "https://localhost:/saml/login" 
as you suggested but the error was the same.

The file SAML2_client5-109005.xml  contains the demo app metadata and is 
imported by the service's JSON with declaration

"metadataLocation": 
"/home/user/Documents/eclipse-workspace/DEV_CERTIFICATE_UTIL/SAML2_client5-109005.xml"

Thanks


On Friday, May 17, 2019 at 21:33:50 UTC+2, rbon wrote:
>
> Nicola,
>
> I assume you have imported SP metadata.
> Perhaps you have to name your service registry entry "serviceId" : 
> "https://localhost:/saml/login" to match the entityId.
>
> Ray
>
> On Fri, 2019-05-17 at 01:55 -0700, Nicola Boldrin wrote:
>
> Hi all,
> I'm trying to configure CAS 3.5.8 to be SAML2 IdP; I'm trying to do an SSO 
> login with a Spring sample app too (
> https://github.com/spring-projects/spring-security-saml).
> When the sample app sends an auth request, CAS says "Application Not 
> Authorized to Use CAS".
>
> Below are the log messages
>
> INFO [org.apereo.cas.support.saml.web.idp.profile.sso.request.
> DefaultSSOSamlHttpRequestExtractor] Received SAML profile request [
> /cas-jpa/idp/profile/SAML2/POST/SSO]
> DEBUG [org.apereo.cas.support.saml.web.idp.profile.sso.request.
> DefaultSSOSamlHttpRequestExtractor] Locating SAML object from message 
> context...
> DEBUG [org.apereo.cas.support.saml.web.idp.profile.sso.request.
> DefaultSSOSamlHttpRequestExtractor] Decoded SAML object [{urn:oasis:names:
> tc:SAML:2.0:protocol}AuthnRequest] from http request
> INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] 
> Audit trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: [issuer=https:
> //localhost:/saml/login,binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
> ACTION: SAML2_REQUEST_CREATED
> APPLICATION: CAS
> WHEN: Thu May 16 17:27:10 CEST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
> =
>
>
>
>
> DEBUG [org.apereo.cas.support.saml.web.idp.profile.
> AbstractSamlProfileHandlerController] Located issuer 
> [https://localhost:/saml/login] 
> from authentication request
> DEBUG [org.apereo.cas.support.saml.web.idp.profile.
> AbstractSamlProfileHandlerController] Checking service access in CAS 
> service registry for [https://localhost:/saml/login]
> ERROR [org.apereo.cas.support.saml.web.idp.profile.
> AbstractSamlProfileHandlerController] CAS has found a match for service [
> https://localhost:/saml/login] in registry but the match is not 
> defined as a SAML service
> WARN [org.springframework.web.servlet.mvc.method.annotation.
> ExceptionHandlerExceptionResolver] Resolved [org.apereo.cas.services.
> UnauthorizedServiceException: screen.service.error.message] to 
> ModelAndView: reference to view with name 'casServiceErrorView'; model is 
> {rootCauseException=org.apereo.cas.services.UnauthorizedServiceException: 
> }
> INFO [org.apereo.cas.support.oauth.services.
> OAuth20AuthenticationServiceSelectionStrategy] service='null', svc='null', 
> this.callbackUrl='
> https://localhost:6443/cas-jpa/oauth2.0/callbackAuthorize'
> DEBUG [org.apereo.cas.support.oauth.services.
> OAuth20AuthenticationServiceSelectionStrategy] Authentication request is 
> not identified as an OAuth request
> INFO [org.apereo.cas.support.oauth.services.
> OAuth20AuthenticationServiceSelectionStrategy] service='null', svc='null', 
> this.callbackUrl='
> https://localhost:6443/cas-jpa/oauth2.0/callbackAuthorize'
> DEBUG [org.apereo.cas.support.oauth.services.
> OAuth20AuthenticationServiceSelectionStrategy] Authentication request is 
> not identified as an OAuth request
>
>
>
> Below is my configuration
>
> # === SAML 2 Idp
>
>
> cas.authn.samlIdp.entityId=https://localhost:6443/cas-jpa/idp
> cas.authn.samlIdp.metadata.location=file:${etc.cas.dir}saml
> cas.authn.samlIdp.attributeQueryProfileEnabled=true
>
>
>
> Thanks
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>



[cas-user] Ranking Providers for step-up authentication

2019-05-20 Thread Fabio Martelli
Hi All, I'd like to exploit "Ranking Providers" feature [1] in order to 
implement a step-up authentication.


My scenario is exactly the following:

 * CAS has achieved an SSO session, but a separate request now requires
   step-up authentication with another provider of a greater "rank".

Can someone address me in this direction? I didn't find any 
documentation for implementing this feature.


Thank you in advance.

Regards,

F.

[1] 
https://apereo.github.io/cas/5.2.x/installation/Configuring-Multifactor-Authentication.html#ranking-providers


--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm

Apache Syncope PMC
http://people.apache.org/~fmartelli/



[cas-user] Several CAS webapps in one tomcat server

2019-05-20 Thread Alberto Cabello Sánchez
Hi all,

I need to set up a few CAS servers with different auth backends,
if possible in the same server (I'm not familiar with Spring config, so I'm
using just old-fashioned config files). Indeed, it is easy to do just by
changing the line

# cas.standalone.config=/etc/cas/config

or 

spring.application.name=cas

in bootstrap.properties. But, as it is not recommended to modify this file
or application.properties, I'm trying to override that value with a
WEB-INF/classes/application.yml file like this one:

cas:
  standalone:
config : /usr/local/etc/cascert

which has no effect. Is this correct? Can I safely modify the

spring.application.name

property in bootstrap.properties (as I did previously with success)?

Best regards,

-- 
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura



[cas-user] Re: CAS 5.3.9 Access Strategy Groovy script

2019-05-20 Thread Debian HNT
Someone? pls
