[cas-user] Exposing SAML attribute with ":" character breaks CAS flow

2019-09-12 Thread Sean Gottschalk
Hello,

I'm using CAS 6.0.4 and I'm trying to do a SAML SP integration with AWS but 
it seems that having an attribute with name 
"https://aws.amazon.com/SAML/Attributes/SessionDuration" causes CAS to fail 
when redirecting to itself after the initial authentication.

I've been digging into how CAS builds the SAML response and it appears that 
the issue is related to the DefaultCasProtocolAttributeEncoder and how it 
hex encodes attribute names that contain the ":" or "@" character. When it 
encodes "https://aws.amazon.com/SAML/Attributes/SessionDuration" the 
resulting value is 
"68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e",
so the resulting casServiceValidationSuccess response is as follows:

T9HpcKRRSSigqWVCNdViTqijyvQ=
43200

However, 
cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e 
is not valid xml as the namespace string can only start with a letter or 
'_'. This causes Cas20ServiceTicketValidator.extractCustomAttributes(xml) 
to fail when it delegates to the cas-client's 
XmlUtils.getTextForElement(response, "authenticationFailure").

I'm not sure how to fix this issue as it seems like the encoding and 
decoding of attribute names are quite decoupled. Is there something that 
I'm missing with my configuration?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ca12748-2a53-400b-93b0-39bb5eb482a9%40apereo.org.
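To make the failure mode above reproducible, here is an added example (written for this digest, not code from CAS or the cas-client). It reconstructs the encoding rule exactly as the post describes it (names containing ":" or "@" become the hex of their UTF-8 bytes), checks the result against the XML NCName rule the post cites, builds a serviceValidate-style body with the same shape as the one quoted, and hands it to a namespace-aware parser so you can see which attribute names will break the client. The `check_attribute_names` pre-flight helper, the `build_validation_success` shape and the ASCII-only NCName regex are assumptions of this example; `http://www.yale.edu/tp/cas` is the standard CAS response namespace.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Encoding rule as described in the post: attribute names containing ':' or '@'
# are replaced by the hex of their UTF-8 bytes. Reconstructed from the post's
# description, not taken from the CAS DefaultCasProtocolAttributeEncoder source.
def encode_attribute_name(name: str) -> str:
    if ":" in name or "@" in name:
        return name.encode("utf-8").hex()
    return name

# Simplified (ASCII-only) XML NCName production: the local part of a qualified
# element name must start with a letter or '_' and may then contain letters,
# digits, '-', '.' and '_'. Non-ASCII name characters are not handled here.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

def is_valid_ncname(local_name: str) -> bool:
    return NCNAME_RE.match(local_name) is not None

def build_validation_success(user: str, attributes: dict) -> str:
    """Build a CAS 2.0-style /serviceValidate success body with one
    <cas:NAME> element per attribute, applying the encoding rule above.
    The document shape is constructed to mirror the one quoted in the post."""
    parts = []
    for name, value in attributes.items():
        tag = encode_attribute_name(name)
        parts.append(f"<cas:{tag}>{escape(str(value))}</cas:{tag}>")
    return (
        '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
        "<cas:authenticationSuccess>"
        f"<cas:user>{escape(user)}</cas:user>"
        f"<cas:attributes>{''.join(parts)}</cas:attributes>"
        "</cas:authenticationSuccess>"
        "</cas:serviceResponse>"
    )

def response_parses(xml_text: str) -> bool:
    """True if a namespace-aware XML parser (expat via ElementTree) accepts
    the body, i.e. the kind of parse a client must do before it can extract
    <cas:attributes>; a local name starting with a digit is rejected here."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def check_attribute_names(names) -> dict:
    """Pre-flight check for a release policy: map each attribute name to
    (encoded_element_name, will_be_a_well_formed_element_name)."""
    report = {}
    for name in names:
        encoded = encode_attribute_name(name)
        report[name] = (encoded, is_valid_ncname(encoded))
    return report

if __name__ == "__main__":
    aws_name = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
    # Constructed sample: the AWS attribute from the post plus an ordinary one.
    for name, (encoded, ok) in check_attribute_names(["mail", aws_name]).items():
        print(f"{name!r:60} -> <cas:{encoded}> {'ok' if ok else 'INVALID element name'}")
    good = build_validation_success("jsmith", {"mail": "jsmith@example.org"})
    bad = build_validation_success("jsmith", {aws_name: 43200})
    print("ordinary attribute parses:", response_parses(good))
    print("hex-encoded AWS attribute parses:", response_parses(bad))
```

Running the script reproduces the exact hex string from the post and shows that the resulting `<cas:6874...>` element is rejected by the parser, while an ordinary attribute such as `mail` passes. The `check_attribute_names` report is the useful part for an operator: run it over the attribute names your release policy emits to find the ones that will produce a response the client cannot parse, before a user hits the redirect failure described above.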


[cas-user] Re: CAS - SMS Notifications via REST

2019-09-12 Thread Christian Schmidt
Hi, 

I've been digging through the documentation and the source for about 2-3 
hours now.

As stated on this page: 
https://apereo.github.io/cas/development/password_management/Password-Management.html
It says : "Those who have forgotten their account password may receive a 
secure link with a time-based expiration policy at their registered email 
address and/or phone."

To implement this behaviour I followed the link to the SMS Notification 
Guide.
https://apereo.github.io/cas/development/notifications/SMS-Messaging-Configuration.html

I set the properties:
cas.smsProvider.rest.method=POST
cas.smsProvider.rest.url=http://somedummy.url
and started the CAS App. 

According to the debug log some things happened:
- setting these values initializes the CommunicationsManager class with my 
defined SmsSender class -> 
https://github.com/apereo/cas/blob/master/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/io/CommunicationsManager.java
- following the code of the manager and the code which uses the manager, 
sending SMS is possible
- when using the reset password flow the 
SendPasswordResetInstructionsAction class is invoked -> 
https://github.com/apereo/cas/blob/master/support/cas-server-support-pm-webflow/src/main/java/org/apereo/cas/pm/web/flow/actions/SendPasswordResetInstructionsAction.java

Calling the doExecute method results in an exception, stating that no mail 
sender is defined. Which is absolutely true.


The problem, therefore, is that the whole code for password resets only 
works when using emails. 
Also there is no call at all to the sendSms function of the 
CommunicationsManager, therefore it is impossible to send an SMS with a reset 
link.


I already checked the commits for 1 year but it seems that it never worked.



In my opinion, implementing this feature would lead to a generic REST 
interface which could be used to send the reset link to another, more 
specialized service, which would handle the transfer to the user.
In my case I would connect a service which creates mails that are enriched 
by metadata from my company's CRM system. 
One could even connect a service which generates morse code, light signals 
or something else, because the transport channel would be out of the scope 
of CAS.


Best regards
Christian

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f9240083-681c-4cdc-ad42-f4c149a90c9e%40apereo.org.


[cas-user] Re: CAS Management 6 non-JSON issue

2019-09-12 Thread Dmitry Malinin
Try to build cas management from 
https://github.com/apereo/cas-management/releases/tag/v6.0.0-RC4 (not from 
overlay)
Append dependencies to build.gradle:
    compile "org.apereo.cas:cas-server-support-jpa-service-registry:${casVersion}"
    compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casVersion}"
    runtime "net.bytebuddy:byte-buddy:1.10.1"

On Thursday, August 22, 2019, at 20:27:54 UTC+3, user mba...@scad.edu 
wrote:
>
> I've been trying to get CAS Management v6 to work with a JPA service 
> registry, but it seems to be stuck with JSON. After logging into the 
> management web app, I never see any of the services that are stored in my 
> database. The only services that display are ones created via the 
> management web app and are stored in JSON at /etc/cas/services-repo/. I've 
> tried committing too, but the new service never makes it to the database.
>
> Now, I can see services being pulled from my database in the log file.  
> Here's a snippet below:
> ---
> 2019-08-22 13:23:55,847 DEBUG 
> [org.apereo.cas.services.AbstractServicesManager] -  service [^(https|imaps)://.*]>
> 2019-08-22 13:23:55,847 DEBUG 
> [org.apereo.cas.services.AbstractServicesManager] -  service [^https://www.apereo.org]>
> 2019-08-22 13:23:55,847 DEBUG 
> [org.apereo.cas.services.AbstractServicesManager] -  service [^http://localhost:8080.*]>
> 2019-08-22 13:23:55,848 INFO 
> [org.apereo.cas.services.AbstractServicesManager] -  from [JpaServiceRegistry].>
> 
>
> I've added the JPA service registry to build.gradle and I do not have the 
> JSON service registry in build.gradle.
>
> The management.properties file looks like this:
> --
> cas.server.name=https://poc-sso.scad.edu
> cas.server.prefix=${cas.server.name}/cas-web
>
> server.port=8444
> server.ssl.keyStore=file:/etc/cas/newks
> server.ssl.keyStorePassword=CHANGEME
> server.ssl.keyPassword=CHANGEME
>
> mgmt.serverName=https://ppoc-sso.scad.edu:8444
> mgmt.adminRoles[0]=ROLE_ADMIN
> mgmt.userPropertiesFile=file:/etc/cas/config/users.json
>
> logging.config=file:/etc/cas/config/log4j2-management.xml
>
> cas.authn.attributeRepository.stub.attributes.UDC_IDENTIFIER:   
> UDC_IDENTIFIER
> cas.authn.attributeRepository.stub.attributes.cn:   cn
> cas.authn.attributeRepository.stub.attributes.displayName:  displayName
> cas.authn.attributeRepository.stub.attributes.mail: mail
> cas.authn.attributeRepository.stub.attributes.sn:   sn
> cas.authn.attributeRepository.stub.attributes.uid:  uid
>
> #cas.serviceRegistry.initFromJson=false
> cas.serviceRegistry.jpa.user=${CAS_DB_USER}
> cas.serviceRegistry.jpa.password=${CAS_DB_PW}
> cas.serviceRegistry.jpa.driverClass=oracle.jdbc.OracleDriver
> cas.serviceRegistry.jpa.url=${CAS_DB_URL}
> cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.Oracle12cDialect
>
> cas.serviceRegistry.jpa.healthQuery=select 1 from dual
> cas.serviceRegistry.jpa.ddlAuto=update
> cas.serviceRegistry.jpa.pool.minSize=3
> cas.serviceRegistry.jpa.pool.maxSize=20
> cas.serviceRegistry.jpa.pool.maxWait=2000
> cas.serviceRegistry.jpa.pool.timeoutMillis=1000
> --
>
> Any help would be appreciated.
>
> Thanks in advance,
> Mike
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b18d2938-3fe0-4c81-a4e0-9a0947d6b505%40apereo.org.


[cas-user] Re: Inquiring CAS commercial support

2019-09-12 Thread Misagh Moayyed
Clarification: while this should in no way affect your decision, I should 
point out that as of July 5th, I am no longer a Unicon employee.

On Tuesday, September 10, 2019 at 6:19:52 PM UTC+4:30, William E. wrote:
>
> We have been using Unicon for a few years now. 
> Misagh, who I consider the main CAS developer, works for them. We're happy 
> with their support.
>
> -William
>
>
> On Monday, September 9, 2019 at 1:38:05 PM UTC-5, Yan Zhou wrote:
>>
>> Hi,
>>
>> We use CAS 4.1.9 and CAS 5.3. It has been running well in PROD. We are 
>> in the health-care industry and would like to look into commercial CAS support. 
>>
>> One of my biggest unknowns and fears is gaining visibility into the CAS ticket 
>> registry, Hazelcast. If some PROD users cannot log in, it seems that 
>> usually this is because the ticket validation failed. It seems difficult 
>> gaining visibility into troubleshooting that in PROD traffic.
>>
>> I am not sure whether I would be better off getting Hazelcast commercial 
>> support or CAS commercial support. 
>>
>> I looked up the CAS documentation; the membership fee is for academic 
>> organizations, so we do not qualify. With the list of commercial 
>> organizations providing CAS support, does anyone have experience with any of them?
>>
>>
>>
>> Thx!
>> Yan
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4ed338a1-aee8-4a0d-ac34-937d1a73ed05%40apereo.org.