Re: [cas-user] Delegating to multiple SAML IdPs

2019-05-21 Thread Ray Bon
Brent,

Steps 3) and 4) are confusing. If IdP is performing authentication in 3), why 
is CAS also validating credentials?

Picking from a list (or typing it in) is frequently used as a method for IdP 
selection. User name would also work but may be a little confusing to users 
when they enter the same data twice (but maybe that is just my view on UX).

Do you control the IdP(s)? The SP(s)?

What is the role of CAS in 4)?
If the IdP has already authenticated the user, that should indicate that the 
user is on the 'approved list'.

Ray


On Tue, 2019-05-21 at 10:36 -0700, Brent Smith wrote:
Hey Ray,

We want to delegate authentication from CAS to these client IdPs.  We'll either 
use an IdP-initiated flow, or we'll build out an "SP-initiated flow" in CAS.   
Something like this,

1) User hits protected service and is redirected to CAS
2) "Magic IdP resolution" (TBD) forwards them to client's IdP.
3) IdP sends them back to CAS after successful authentication
4) CAS validates user credentials against the approved list of users for that 
IdP.

Step 4) is the one i'm asking about here.  We have a list of approved users for 
each client from our provisioning system.

Step 2) might just be a "pick your IdP from a list", or we might attempt to 
customize the CAS login flow to accept username first (instead of username and 
password), then look up IdP based on username and redirect, if necessary.

I'm curious if anyone has done anything like 2) as well.

Thanks!




On Tuesday, May 21, 2019 at 1:21:06 PM UTC-4, rbon wrote:
Brent,

Are you saying that the user authenticates first with CAS and is then 
redirected to a SAML IdP? Or how will you determine to which IdP a user will be 
sent?

Ray

On Tue, 2019-05-21 at 07:45 -0700, Brent Smith wrote:
Hi,

I'm trying to set up a new CAS implementation that delegates to multiple SAML 
IdPs, with each IdP representing a distinct slice of the user base (one IdP per 
customer).

Is there a way for me to restrict one IdP from attempting to authenticate a 
user from another IdP?

I thought about building a custom PersonDirectoryPrincipalResolver, overriding 
the resolve() method to ensure the Credential "matched" the appropriate 
AuthenticationHandler.

Is there another way to do this that doesn't require custom code?

Thanks,

-B



--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2638abb7ab529b8895c832f3db91ba0d43a5006f.camel%40uvic.ca.
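As an added example that is not part of this thread or of CAS itself, the two checks Brent's steps 2 and 4 need, modelled in plain Python so the logic can be exercised on its own: IdP resolution from the typed username (step 2) and the per-IdP approved-user check (step 4). The entityIDs, e-mail domains and allow-lists below are constructed; in a CAS deployment the issuer and NameID would be read from the SAML response only after the delegated-authentication client has verified its signature, audience and InResponseTo. It demonstrates Ray's point: the approved list must be keyed by the IdP that actually asserted the identity, and the response must come from the IdP the user was sent to, otherwise one customer's IdP can assert a user that belongs to another customer.

```python
"""Added example (not CAS code): per-IdP allow-list check plus home-realm
discovery, as discussed for steps 2 and 4 of the delegated SAML flow."""
from dataclasses import dataclass
from typing import Optional

# Constructed provisioning data.  Allow-lists are keyed by the SAML entityID
# (the <saml:Issuer> value) of each customer's IdP, never by a display name
# or by anything the browser supplies.
IDP_A = "https://idp.customer-a.example/saml"
IDP_B = "https://idp.customer-b.example/saml"

ALLOWED_USERS = {
    IDP_A: {"alice@customer-a.example", "bob@customer-a.example"},
    IDP_B: {"carol@customer-b.example"},
}

# Home-realm discovery table for step 2: e-mail domain -> IdP entityID.
DOMAIN_TO_IDP = {
    "customer-a.example": IDP_A,
    "customer-b.example": IDP_B,
}


@dataclass(frozen=True)
class Assertion:
    """The two fields taken from a SAML response *after* the SAML client has
    verified its signature, audience and InResponseTo."""
    issuer: str   # <saml:Issuer> of the response
    name_id: str  # subject NameID; assumed to be the e-mail address here


def resolve_idp(username: str) -> Optional[str]:
    """Step 2: route on the e-mail domain the user typed.  Returns None for an
    unknown domain so the caller can fall back to 'pick your IdP from a list'."""
    _, at, domain = username.strip().rpartition("@")
    if not at:
        return None
    return DOMAIN_TO_IDP.get(domain.lower())


def is_authorized(a: Assertion, expected_issuer: str) -> bool:
    """Step 4, done per IdP.  All three must hold:
      1. the response came from the IdP we actually sent the user to,
      2. that IdP is one we provision users for,
      3. the asserted NameID is on *that* IdP's list, not on any list."""
    if a.issuer != expected_issuer:
        return False
    allowed = ALLOWED_USERS.get(a.issuer)
    if allowed is None:
        return False
    return a.name_id.lower() in allowed


def is_authorized_naive(a: Assertion) -> bool:
    """Anti-pattern for contrast: checking the NameID against the union of all
    lists.  Customer B's IdP can then assert alice@customer-a.example and be
    accepted, which is exactly the cross-IdP case the thread wants to block."""
    return any(a.name_id.lower() in users for users in ALLOWED_USERS.values())


if __name__ == "__main__":
    idp = resolve_idp("alice@customer-a.example")
    good = Assertion(issuer=IDP_A, name_id="alice@customer-a.example")
    spoof = Assertion(issuer=IDP_B, name_id="alice@customer-a.example")
    print("resolved IdP:", idp)
    print("legit:", is_authorized(good, idp))
    print("cross-IdP, strict:", is_authorized(spoof, IDP_B))
    print("cross-IdP, naive:", is_authorized_naive(spoof))
```

The issuer comparison is what makes the allow-list meaningful: looking the user up in the union of all lists, or trusting a username the browser typed in step 2 instead of the NameID the IdP signed in step 3, gives every customer's IdP the power to log in as any provisioned user.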


Re: [cas-user] Delegating to multiple SAML IdPs

2019-05-21 Thread Brent Smith
Hey Ray,

We want to delegate authentication from CAS to these client IdPs.  We'll 
either use an IdP-initiated flow, or we'll build out an "SP-initiated flow" 
in CAS.   Something like this,

1) User hits protected service and is redirected to CAS
2) "Magic IdP resolution" (TBD) forwards them to client's IdP.  
3) IdP sends them back to CAS after successful authentication
4) CAS validates user credentials against the approved list of users for 
that IdP.

Step 4) is the one i'm asking about here.  We have a list of approved users 
for each client from our provisioning system.

Step 2) might just be a "pick your IdP from a list", or we might attempt to 
customize the CAS login flow to accept username first (instead of username 
and password), then look up IdP based on username and redirect, if 
necessary.

I'm curious if anyone has done anything like 2) as well.

Thanks!




On Tuesday, May 21, 2019 at 1:21:06 PM UTC-4, rbon wrote:
>
> Brent,
>
> Are you saying that the user authenticates first with CAS and is then 
> redirected to a SAML IdP? Or how will you determine to which IdP a user 
> will be sent?
>
> Ray
>
> On Tue, 2019-05-21 at 07:45 -0700, Brent Smith wrote:
>
> Hi, 
>
> I'm trying to set up a new CAS implementation that delegates to multiple 
> SAML IdPs, with each IdP representing a distinct slice of the user base 
> (one IdP per customer).  
>
> Is there a way for me to restrict one IdP from attempting to authenticate 
> a user from another IdP?  
>
> I thought about building a custom PersonDirectoryPrincipalResolver, 
> overriding the resolve() method to ensure the Credential "matched" the 
> appropriate AuthenticationHandler.  
>
> Is there another way to do this that doesn't require custom code?
>
> Thanks,
>
> -B
>
>


Re: [cas-user] Delegating to multiple SAML IdPs

2019-05-21 Thread Ray Bon
Brent,

Are you saying that the user authenticates first with CAS and is then 
redirected to a SAML IdP? Or how will you determine to which IdP a user will be 
sent?

Ray

On Tue, 2019-05-21 at 07:45 -0700, Brent Smith wrote:
Hi,

I'm trying to set up a new CAS implementation that delegates to multiple SAML 
IdPs, with each IdP representing a distinct slice of the user base (one IdP per 
customer).

Is there a way for me to restrict one IdP from attempting to authenticate a 
user from another IdP?

I thought about building a custom PersonDirectoryPrincipalResolver, overriding 
the resolve() method to ensure the Credential "matched" the appropriate 
AuthenticationHandler.

Is there another way to do this that doesn't require custom code?

Thanks,

-B





Re: [cas-user] Re: CAS 5.3.9 Access Strategy Groovy script

2019-05-21 Thread Ray Bon
Debian,

In doPrincipal..., you are using a variable called 'map' but the variable is 
'attributes'.

Ray

On Tue, 2019-05-21 at 02:22 -0700, Debian HNT wrote:
Hello guys,

I'm still trying to configure a groovy script for access strategy but I have 
some errors

Here's my access-strategy.groovy


import org.apereo.cas.services.*
import java.util.*

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    @Override
    boolean isServiceAccessAllowed() {
        return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
        return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map attributes) {
        // the parameter is named 'attributes'; 'map' was never declared
        for (Map.Entry entry : attributes.entrySet()) {
            if (entry.getKey().equals(principal)) {
                return true
            }
        }
        return false
    }

    // must be inside the class: the original had a stray '}' before this method
    @Override
    java.net.URI getUnauthorizedRedirectUrl() {
        // return type is URI, and the string literal needs its closing quote
        return new java.net.URI("https://blocked-acc.html")
    }
}




org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@2357e4bc in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'
Caused by: java.lang.NullPointerException
    at org.apereo.cas.services.GroovyRegisteredServiceAccessStrategy.isServiceAccessAllowed(GroovyRegisteredServiceAccessStrategy.java:49)
    at org.apereo.cas.web.flow.login.InitialFlowSetupAction.configureWebflowContextForService(InitialFlowSetupAction.java:62)
    at org.apereo.cas.web.flow.login.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:51)
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at sun.reflect.GeneratedMethodAccessor447.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
    at com.sun.proxy.$Proxy376.execute(Unknown Source)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    ... 100 more



I'd like to set some required attributes and a redirection URL.

For example, if the account attribute = Active, I'll be able to join the service,

but

if the account attribute = blocked, I'll be redirected to 
https://blocked-acc.html

or

if the account attribute = waiting, I'll be redirected to 
https://waiting-acc/html

I'm new to Groovy and I don't understand the issue. May I have some help, please?

Regards,



Re: [cas-user] Service Registry -- Getting the 1st Application Entered

2019-05-21 Thread Ray Bon
Va,

'usage' in mvnrepository means how many projects have a dependency on that 
project, not number of downloads.

Ray

On Sun, 2019-05-19 at 07:28 -0700, Va Sja wrote:
Hmm...
...looks really like "Security through obscurity" :((
Guys - how many people use CAS worldwide?
Looks like nobody?

SRC: https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp



On Friday, 31 August 2018 13:05:02 UTC+2, 党田力 wrote:
I tested on versions 5.2.6 and 5.2.7.
If I only append `cas-server-support-json-service-registry` to pom.xml, 
'cas.serviceRegistry.initFromJson=true' works.
If I only append `cas-server-support-jpa-service-registry` to pom.xml, the database 
works.
But when I append both of them, the services defined in JSON are not loaded.

On version 5.1.9 it works.


On Tuesday, 15 May 2018 at 8:15:55 PM UTC+8, David Curry wrote:
Lionel and Jann,

Did you ever have the JSON service registry working? If not, I recommend that 
you take all the JPA stuff out of pom.xml and cas.properties and get that 
working correctly first, so that you're only trying to debug one thing at a 
time. Once you have the JSON service registry working correctly, for both the 
main server and the management webapp, then it's time to move things to JPA.

The basic steps for moving to JPA *should* be this:

1. REMOVE the "cas-server-support-json-service-registry" dependency from 
pom.xml (server and management webapp)

2. Add the "cas-server-support-jpa-service-registry" dependency and whatever 
other dependencies go with it to pom.xml (server and management webapp)

3. Rebuild the server and management webapp

4. In the server's cas.properties file, include BOTH of these lines:

cas.serviceRegistry.json.location: file:/etc/cas/services
cas.serviceRegistry.initFromJson:  true

The first line should already be there (since before you start these steps 
you're using the JSON service registry), but you must add the second line.

5. Add all the lines you need to configure the JPA service registry to the 
server's cas.properties file.

6. Start the CAS server (do not start the management webapp). You should see it 
load the services from the JSON files (again, this should already be working 
before you start) and then it will magically save them into the JPA registry.

7. Shut the server down.

8. Check the database to see that the services actually got loaded there. If 
not, this is where you need to start debugging. And the first step of that 
would be setting the log level to "debug" in log4j2.xml, and adding whatever 
Logger configuration you need to make the Oracle JDBC library log for you as 
well.

Once you've got the services loaded into the database

9. Remove the "cas.serviceRegistry.json.location" and 
"cas.serviceRegistry.initFromJson" properties from the server's cas.properties 
file.

10. Remove the "cas.serviceRegistry.json.location" property from, and add all 
the JPA properties to, the management webapp's management.properties file.

At least, that's the procedure I followed to get the MongoDB service registry 
working (see 
https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_service-registry_overview.html).
 I've not used the JPA stuff at all, so no guarantees, but I don't see why it 
should be any different.

--Dave



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, May 15, 2018 at 12:14 AM, Lionel Samuel  wrote:
Changing in "cas.properties"  
'cas.serviceRegistry.json.location:file:/etc/cas/services' to 
'cas.serviceRegistry.json.location:foobar:/etc/cas/services'

The above does not generate an error message --- is that a sign it's not loaded?


On Monday, May 14, 2018 at 8:25:37 PM UTC-7, Lionel Samuel wrote:
I'm working with Jann -- attached is our pom file (we call the jar my-cas -- 
which is reflected in the URLs).

It does not look like the JSON file is loaded -- I don't think it's pom related 
--- but at the moment we are both stumped so anything goes.

2018-05-14 20:23:17,715 WARN [org.apereo.cas.services.web.ServiceThemeResolver] 
- http://localhost:8080/cas-management/manage.html,originalUrl=http://localhost:8080/cas-management/manage.html,artifactId=,principal=,loggedOutAlready=false,format=XML]]
 or service access is disallowed. Using default theme [cas-theme-default]>

On Monday, May 14, 2018 at 5:42:35 PM UTC-7, Jann Malenkoff wrote:

Attached is my 'cas.properties' file ---  in case I may be missing something 
there (very likely)


On Monday, May 14, 2018 at 5:09:12 PM UTC-7, Jann Malenkoff wrote:
I had a minor Eureka moment --- but it came to naught (partially).

I had a typo in the 'cas.properties' file: 
cas.serviceRegistry.json.location:file:/etc/cas/service

i.e. 'service' instead of 'services' --- corrected now (validated that the JSON 
files are in '/etc/cas/services').

But still no-go...any ideas will be matched by the maximum Karma I can 

Re: [cas-user] Re: JWT without encryption key

2019-05-21 Thread Michele Melluso
Hi all,

I got a similar issue when I try to verify the JWT signature with several 
libraries, including Node.js jsonwebtoken, since the library allows only 
base64url-encoded tokens because of the mentioned RFC 7515.
With the java-jwt library the token is correctly verified.

Debugging the code, I found in CAS version 6.0, EncodingUtils.java:362, the 
following code:

        @SneakyThrows
    361 public static byte[] signJws(final Key key, final byte[] value, final String algHeaderValue) {
    362     val base64 = EncodingUtils.encodeBase64(value);
    363     val jws = new JsonWebSignature();
    364     jws.setEncodedPayload(base64);
    365     jws.setAlgorithmHeaderValue(algHeaderValue);
    366     jws.setKey(key);
    367     jws.setHeader("typ", "JWT");
    368     return jws.getCompactSerialization().getBytes(StandardCharsets.UTF_8);
    369 }


could it be convenient to use the base64url encoder in the same class 
instead? I've been trying to inject the patch into my overlay environment 
without success because of my poor gradle skills.

best regards
Michele



On Monday, December 17, 2018 at 4:04:38 PM UTC+1, William E. wrote:
>
> I think the jwt as seen in the url as the value for the token parameter 
> has been url-ized by converting some characters to their html entity 
> values.  If you look at the same jwt as seen in the cas logs you will find 
> it does not have the html characters, it's pure base64.  If I use that 
> value or convert the token value to non-url safe characters, it will 
> validate with jose.
>
> However, although I can validate in jose in java and python, I cannot in 
> another python jwt library. I've been in direct contact with that 
> maintainer and they tell me the jwt built by cas may not be following 
> spec.  That the signature is being built with the base64, not base64-url 
> encoding.  Jose validates because it doesn't verify payload first.  I'm not 
> sure where the issue is for certain as I am no jwt expert.  Perhaps one of 
> the cas developers can weigh in?
>
> From the jwcrypto library maintainer:
>
> RFC7515 point 2:
>
> Base64url Encoding
> Base64 encoding using the URL- and filename-safe character set
> defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
> characters omitted (as permitted by Section 3.2) and without the
> inclusion of any line breaks, whitespace, or other additional
> characters. Note that the base64url encoding of the empty octet
> sequence is the empty string. (See Appendix C for notes on
> implementing base64url encoding without padding.)
>
>
> -W
>
>
> On Monday, December 17, 2018 at 6:10:51 AM UTC-6, Devendra Sisodia wrote:
>>
>> I am observing that extra non-base64 chars are appended to the payload. If I 
>> remove them then I am able to verify the signature. Can someone suggest if this 
>> is a CAS issue or an issue in my configuration?
>>
>>
>> JWT: eyJhbGciOiJIUzUxMiJ9.…
>> %3D%3D
>> .WB71awCAFz2tsa1ZqoZnWacKKVAarjsylBuOvnetHf9CHsIFgYtg58-2hCbeJT-gMFlCzaolriDsks1bE_RIPw
>>
>> If I remove '%3D%3D' from JWT then verification succeeds. 
>>
>>
>>
>> On Sat, Dec 15, 2018 at 4:14 PM William E.  wrote:
>>
>>> I think you are seeing the discrepancy due to base64 vs. base64url 
>>> decoding.  I think the jwt spec. wants base64 url vs. plain base64.
>>>
>>> https://en.wikipedia.org/wiki/Base64#URL_applications
>>>
>>>
>>> On Friday, December 14, 2018 at 9:37:45 AM UTC-6, Devendra Sisodia wrote:

 While decoding JWT there is error "Bad Base64 input character decimal 
 37 in array position 806" Which means 37(%) is not allowed in encoded base 
 64 string in JWT.

 My JWT looks like below and yellow highlighted is the 806th element 
 that cannot be base 64 decode. 

 eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlINTg3In0%3D.
 UmNz8ikEOFYqPgHRmZb1SK6A1pRFu48fSfYTasMGYHKtg7V8JepAfwunXwFeHsx5JTi4yKBug1Tq9PqfdY93lA

 On Fri, Dec 14, 2018 at 2:11 PM Giuseppe Infurna  
 wrote:

>
> I'm using the io.jsonwebtoken.jjwt library
>
> Jwts.parser().setSigningKey().parseClaimsJws();
>
>
>
> On Friday, 14 December 2018 14:02:14 UTC+1, Devendra Sisodia 
> wrote:
>>
>> Hello,
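An added example, not CAS or jose4j code, that reproduces the difference this thread is about. It signs a small constructed HS512 token twice, once with the RFC 7515 base64url payload and once with standard base64 as in the quoted `signJws`, then runs both through a strict verifier that decodes every segment as base64url and through a lenient one that also accepts the standard alphabet and padding. The key and the claims are made up for the demonstration.

```python
"""Added example (not CAS or jose4j code): why a JWS payload encoded with
standard base64, padding included, is rejected by strict RFC 7515 verifiers
but accepted by lenient ones."""
import base64
import hashlib
import hmac
import json
import urllib.parse

KEY = b"constructed-demo-key-not-a-real-secret"  # constructed for the demo

_B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url(data: bytes) -> str:
    """RFC 7515 section 2 base64url: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64std(data: bytes) -> str:
    """Standard base64 with '=' padding, like encodeBase64() in the quoted signJws."""
    return base64.b64encode(data).decode("ascii")


def b64url_decode_strict(segment: str) -> bytes:
    """What strict libraries do: refuse any character outside the base64url
    alphabet ('=' included) before even looking at the content."""
    bad = set(segment) - _B64URL_ALPHABET
    if bad:
        raise ValueError(f"segment is not base64url, contains {sorted(bad)}")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64_decode_lenient(segment: str) -> bytes:
    """What the forgiving libraries in the thread effectively do: accept either
    alphabet, with or without padding."""
    s = segment.replace("-", "+").replace("_", "/").rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, encode_payload=b64url) -> str:
    """HS512 compact JWS.  encode_payload is the knob the thread is about:
    b64url is what the RFC requires, b64std reproduces the padded payload."""
    header = b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = encode_payload(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(KEY, signing_input, hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify(token: str, decode=b64url_decode_strict) -> dict:
    """Check alg and HMAC, then return the claims.  The signing input is the
    raw header and payload segments exactly as they appear in the token."""
    header_seg, payload_seg, sig_seg = token.split(".")
    if json.loads(decode(header_seg)).get("alg") != "HS512":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(KEY, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, decode(sig_seg)):
        raise ValueError("bad signature")
    return json.loads(decode(payload_seg))


def strict_accepts(token: str) -> bool:
    try:
        verify(token)
        return True
    except ValueError:  # binascii.Error and JSONDecodeError are ValueErrors
        return False


def as_url_parameter(token: str) -> str:
    """How the token looks once it is put in a query string: '=' becomes %3D."""
    return urllib.parse.quote(token, safe="")


if __name__ == "__main__":
    good = sign({"sub": "bob"})
    padded = sign({"sub": "bob"}, b64std)
    print("base64url payload:", good)
    print("padded payload:   ", padded, "->", as_url_parameter(padded))
    print("strict verifier:  ", strict_accepts(good), strict_accepts(padded))
    print("lenient verifier: ", verify(padded, decode=b64_decode_lenient))
```

The padded token is a valid HMAC over the bytes CAS emitted, which is why jose and java-jwt accept it; it simply is not a JWS under RFC 7515, which is why jsonwebtoken and jwcrypto refuse it before ever computing the MAC. The `%3D%3D` in the earlier message is the URL-encoded form of that padding.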

[cas-user] Delegating to multiple SAML IdPs

2019-05-21 Thread Brent Smith
Hi,

I'm trying to set up a new CAS implementation that delegates to multiple 
SAML IdPs, with each IdP representing a distinct slice of the user base 
(one IdP per customer).  

Is there a way for me to restrict one IdP from attempting to authenticate a 
user from another IdP?  

I thought about building a custom PersonDirectoryPrincipalResolver, 
overriding the resolve() method to ensure the Credential "matched" the 
appropriate AuthenticationHandler.  

Is there another way to do this that doesn't require custom code?

Thanks,

-B




[cas-user] Re: Cas5.3.0 custom login authentication

2019-05-21 Thread Andy Ng
* CAS SSO does not work without https

On Tuesday, 21 May 2019 20:36:33 UTC+8, Andy Ng wrote:
>
> Dear Lee,
>
> Seeing your log, I suspect you are using http instead of https for your 
> CAS server, 
>
> CAS SSO does not work with https; if you are not using https, please 
> configure CAS to use https.
>
> Cheers!
> - Andy
>



[cas-user] Re: Cas5.3.0 custom login authentication

2019-05-21 Thread Andy Ng
Dear Lee,

Seeing your log, I suspect you are using http instead of https for your CAS 
server.

CAS SSO does not work with https; if you are not using https, please 
configure CAS to use https.

Cheers!
- Andy



[cas-user] Re: Several CAS webapps in one tomcat server

2019-05-21 Thread Andy Ng
Hi Alberto,

See if the below info helps you:
- Depending on your CAS version, you might need to use 
cas.standalone.configurationDirectory=/etc/cas/config 
instead of cas.standalone.config=/etc/cas/config
- bootstrap.properties loads before application.properties or 
application.yml; that's why your modification didn't work
- One way to do it (I don't know if it is recommended or not...) is to put your 
cas.standalone.config: /etc/cas/config inside *bootstrap.yml* instead
- yml loads after properties, so bootstrap.yml will override 
bootstrap.properties.

I also agree that using config is sometimes the better option, 
especially when you already have a system to manage config files; I just 
didn't see the benefit of switching to spring config.

Hope the info helps you!

Cheers!
- Andy
 



[cas-user] Re: CAS 5.3.9 Access Strategy Groovy script

2019-05-21 Thread Debian HNT
Hello guys,

I'm still trying to configure a groovy script for access strategy but I 
have some errors

Here's my access-strategy.groovy


import org.apereo.cas.services.*
import java.util.*

class GroovyRegisteredAccessStrategy extends DefaultRegisteredServiceAccessStrategy {
    @Override
    boolean isServiceAccessAllowed() {
        return true
    }

    @Override
    boolean isServiceAccessAllowedForSso() {
        return true
    }

    @Override
    boolean doPrincipalAttributesAllowServiceAccess(String principal, Map attributes) {
        // the parameter is named 'attributes'; 'map' was never declared
        for (Map.Entry entry : attributes.entrySet()) {
            if (entry.getKey().equals(principal)) {
                return true
            }
        }
        return false
    }

    // must be inside the class: the original had a stray '}' before this method
    @Override
    java.net.URI getUnauthorizedRedirectUrl() {
        // return type is URI, and the string literal needs its closing quote
        return new java.net.URI("https://blocked-acc.html")
    }
}



org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@2357e4bc in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'
Caused by: java.lang.NullPointerException
    at org.apereo.cas.services.GroovyRegisteredServiceAccessStrategy.isServiceAccessAllowed(GroovyRegisteredServiceAccessStrategy.java:49)
    at org.apereo.cas.web.flow.login.InitialFlowSetupAction.configureWebflowContextForService(InitialFlowSetupAction.java:62)
    at org.apereo.cas.web.flow.login.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:51)
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at sun.reflect.GeneratedMethodAccessor447.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
    at com.sun.proxy.$Proxy376.execute(Unknown Source)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    ... 100 more


I'd like to set some required attributes and a redirection URL.

For example, if the account attribute = Active, I'll be able to join the 
service,

but 

if the account attribute = blocked, I'll be redirected to 
https://blocked-acc.html

or 

if the account attribute = waiting, I'll be redirected to 
https://waiting-acc/html

I'm new to Groovy and I don't understand the issue. May I have some help, 
please?

Regards,



Re: [cas-user] Re: Ranking Providers for step-up authentication

2019-05-21 Thread Fabio Martelli

On 20/05/19 20:23, Misagh Moayyed wrote:
This might get you started in the right direction: 
https://apereo.github.io/2019/05/13/cas61x-mfa-selection-strategies/


Hi Misagh, thank you for this input.

Just a pair of questions more:

 * How do I have to configure ranking in case of custom providers?
 * Is there a way to update an existing SSO session (step-up)?

Thank you in advance.

Kind regards,

F.



On Monday, May 20, 2019 at 4:09:19 AM UTC-7, Fabio Martelli wrote:

Hi All, I'd like to exploit "Ranking Providers" feature [1] in
order to implement a step-up authentication.

My scenario is exactly the following:

  * CAS has achieved an SSO session, but a separate request now
requires step-up authentication with another provider of a
greater "rank".

Can someone address me in this direction? I didn't find any
documentation for implementing this feature.

Thank you in advance.

Regards,

F.

[1] https://apereo.github.io/cas/5.2.x/installation/Configuring-Multifactor-Authentication.html#ranking-providers



-- 
Fabio Martelli

https://it.linkedin.com/pub/fabio-martelli/1/974/a44  

http://blog.tirasa.net/author/fabio/index.html  


Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm  


Apache Syncope PMC
http://people.apache.org/~fmartelli/  
