[cas-user] Re: Delegated CAS SAML IDP

2019-11-21 Thread Andy Ng
Hi,

Can you try enabling debug logging: 
https://apereo.github.io/cas/5.3.x/installation/Troubleshooting-Guide.html#review-logs

And capture more logs for debugging purposes?

Also, please be careful when reading the documentation, I see that you are 
using CAS 5.3.x, but you are viewing CAS 5.2.x documentation (
https://apereo.github.io/cas/5.2.x/integration/Delegate-Authentication.html) 
, which is not ideal...

Judging from the limited information given, here are some points that you 
might want to have a look at:

- Would like to know, what is the functionality of both services 
#1SAMLServices-123456788.json 
and #2SAMLServices-123456789.json
- From what I know, it is perfectly fine to just use a single JSON for one 
SP

Something like this would work:
*SAML2Client-300.json*
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^https://cas.example.org:443/.*",
  "name": "SAML2Client",
  "id": 300,
  "evaluationOrder" : 300,
  "metadataLocation" : "file:///etc/cas/resources/simplesamlphp-sp.xml"
}


- From what I know, it seems the entity ID is usually a *URL / name* instead of 
this *urn:mace:saml:pac4j.org*. My successful properties are here (Note: mine 
is using CAS 6.1.1):

cas.authn.pac4j.saml:
  - keystorePassword: changeit
    privateKeyPassword: changeit
    keystorePath: file:/etc/cas/thekeystore
    principalAttributeId: uid
    clientName: SAMLIdp
    serviceProviderEntityId: simplesamlphp
    serviceProviderMetadataPath: file:/etc/cas/saml/saml-self-sp-metadata.xml
    identityProviderMetadataPath: file:/etc/cas/saml/idp-metadata.php
    attributeConsumingServiceIndex: 1
    nameIdPolicyFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:transient



Don't know if this can help you. See if it helps.

Cheers!
- Andy



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d7a94e4d-776d-4f38-8a56-ea90392483cc%40apereo.org.


[cas-user] Delegated CAS SAML IDP

2019-11-21 Thread Raheem Shaik
I have successfully configured the CAS 5.3.10 overlay to delegate 
authentication to a SAML IDP and I can successfully authenticate with the 
IDP using the CAS login page default CASTEST button provided 
(https://test1./cas/login). However, after authentication is 
successful, I am redirected to 
https://test2./cas/login?client_name=CASTEST which is the 
client_name in the metadata generated by CAS. After 
"SAML2_RESPONSE_CREATED", the page displayed has the message "CAS is unable to 
process this request: "500:Internal Server Error"" and below is the error.

Can somebody help me with this issue? Let me know if I am missing any 
config or JSON setup.

org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.DelegatedClientAuthenticationAction@3dfd83d7 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]'
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:527)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
    at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:139)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
    at com.sun.proxy.$Proxy168.launchExecution(Unknown Source)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:264)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter.doFilter(AuthenticationCredentialsThreadLocalBinderClearingFilter.java:30)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apereo.cas.security.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:94)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at 

[cas-user] Re: JWT token response for CAS-SAML Delegation setup

2019-11-21 Thread Raheem Shaik

I have successfully configured the CAS 5.3.10 overlay to delegate 
authentication to a SAML IDP and I can successfully authenticate with the 
IDP using the CAS login page default CASTEST button provided 
(https://test1./cas/login). However, after authentication is 
successful, I am redirected to 
https://test2./cas/login?client_name=CASTEST which is the 
client_name in the metadata generated by CAS. The page displayed has the 
message "CAS is unable to process this request: "500:Internal Server Error"" 
and below is the error.


Re: [cas-user] Re: SAMLResponse is not base64 encoded

2019-11-21 Thread Andy Ng
Hi all,

I am not familiar with CAS 3; however, I have done some research and tried 
building CAS 6.1.1 (latest CAS release) with OneLogin PHPSAML.

I found that CAS 6 can successfully integrate with OneLogin PHPSaml 
using the SAML protocol. No error for CAS 6.

So, maybe the lack of base64 encoding for the SAML Response is a problem in CAS 
3? 
Would like to know, would upgrading CAS from 3 -> 6 be a viable option? (CAS 
3 is super old, I don't think the maintainers of CAS will help fix the 
issue) 

I have put my OneLogin phpsaml files and settings here; the code is a bit 
messy but might be insightful, so here you go:
https://github.com/NgSekLong/SelectUrCAS/tree/master/source/other-client/saml2-php-onelogin-client

See if the above info helps

Cheers!
- Andy



[cas-user] Re: Connect to AD and AZURE

2019-11-21 Thread Andy Ng
No problem glad it helps! - Andy



[cas-user] Proxy Authentication to Reverse Proxy

2019-11-21 Thread Colin Ryan

Folks,

I see that the mod_auth_cas module for Apache2 does not support 
consumption/use of Proxy Ticket'ed Validation.


Has anyone stumbled across a solution along these lines? I'd like to Proxy 
Authenticate from a Web Application to a resource behind a reverse proxy 
that is not a browser front end, i.e. a script with wget/curl type tools.


Cheers


Colin Ryan



Re: [cas-user] CAS - Form Based Login

2019-11-21 Thread Richard Frovarp
Yeah, I think that should work. I've done it once or twice for a web 
application. You'll have to bring in the CAS Servlet filter to do it. Pretty 
much everything of mine is using Apache Shiro for security, so I'm not very 
familiar with the servlet based security constraints.  
https://github.com/apereo/java-cas-client/blob/master/README.md

On 11/21/19 1:00 AM, Steve Cheung wrote:
Hi Richard,

Thanks for your clarification. I think it is ok to use the cas login page for 
the login. However, Is it still possible to preserve the security-constraint 
setting in the web.xml? Or you have any recommendation how to integrate this 
web app with CAS?



Thanks, Steve


On Wednesday, 20 November 2019 23:54:39 UTC+8, richard.frovarp wrote:
The point of doing federated authentication is that you don't login through the 
application anymore. So you no longer need the login form. It becomes a button 
like all of the login with Facebook, Google, Twitter, etc options you see on a 
variety of sites.

On 11/20/19 3:10 AM, Steve Cheung wrote:
Hi all,

I searched around the Java-Cas-Client readme and it said CAS supports JAAS. 
However, I really can't find much detail on how to configure it on my web 
application.

https://github.com/apereo/java-cas-client/blob/master/README.md


I wanna keep the form based login in my web app and using the CAS backend as 
authentication service. Anyone has experience or useful link for me?

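For example, in web.xml, only the user with admin role is able to access the 
/admin page


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>admin</role-name>
</security-role>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>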



Many thanks, Steve


Re: [cas-user] Re: SAMLResponse is not base64 encoded

2019-11-21 Thread Chris H
Unfortunately, I never got resolution on this.

Here is my ticket for the OneLogin PHP-SAML lib: 
https://github.com/onelogin/php-saml/issues/390

OneLogin quoted this from the SAML spec:

3.5.4 Message Encoding
Messages are encoded for use with this binding by encoding the XML into an HTML 
form control and are transmitted using the HTTP POST method. A SAML protocol 
message is form-encoded by applying the base-64 encoding rules to the XML 
representation of the message and placing the result in a hidden form control 
within a form as defined by [HTML401] Section 17. The HTML document MUST adhere 
to the XHTML specification, [XHTML]. The base64-encoded value MAY be 
line-wrapped at a reasonable length in accordance with common practice.



I'm fairly confident that we have other clients using CAS as an IdP and 
they are sending base64 encoded responses. Perhaps this is a configuration 
(though I have not been able to locate such a setting) or something that is 
only an issue on specific versions of CAS.


On Thursday, November 21, 2019 at 12:48:33 PM UTC-5, Robert Bond wrote:
>
> I have been running into this same issue for quite a while now. Have not 
> been able to identify the source.
>
> On Thu, Nov 21, 2019 at 11:25 AM Chris G wrote:
>
>> I'm just wondering if anyone figured this out. I have the same 
>> issue--SAML Responses from CAS are NOT base64 encoded, but all the clients 
>> I have seem to expect the SAML Response to be base64 encoded. 
>>
>> Is this a SAML spec, that it should be base64 encoded and CAS isn't 
>> implementing it properly?
>>
>>
>> On Wednesday, September 18, 2019 at 4:55:58 PM UTC-4, Chris H wrote:
>>>
>>>
>>> I am working with a client who's running a CAS server (a backpatched 
>>> version of 3.4.12) as their IdP. We are trying to connect this with our 
>>> product, a SAML SP implemented with OneLogin's PHP client.
>>>
>>> The issue we are having is that the "SAMLResponse" POST parameter is 
>>> coming over in raw form, i.e. it is not base64 encoded. The OneLogin lib 
>>> appears to assume that this value is base64 encoded and throws an exception 
>>> when it is not. I do not see any configuration to override this behaviour.
>>>
>>> Is it possible to configure CAS to base64 encode this value before 
>>> sending?
>>>
>>> Any idea why this would be happening? We have several active SAML2 
>>> integrations with other clients who use CAS as their IdP.
>>>
>>> Thanks!
>>> Chris
>>>
>
>
> -- 
> Robert Bond
> Network Administrator
> (918) 444-5886
> Northeastern State University
>
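
An added example, not part of the original thread and not code from CAS or OneLogin's php-saml: a Python check that tells whether a captured SAMLResponse form value is base64 as the quoted section 3.5.4 describes (line-wrapping tolerated) or raw XML as reported in this thread. The function names and the sample message are constructed for illustration, and the SAML 2.0 protocol namespace is assumed.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Assumption: the IdP emits SAML 2.0 protocol messages.
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

# Constructed sample message (unsigned, no assertion), for illustration only.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2019-11-21T00:00:00Z">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    "</samlp:Response>"
)


def wrap_b64(xml_text: str, width: int = 64) -> str:
    """Base64-encode xml_text and line-wrap it, as section 3.5.4 permits."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


def _is_saml_response_xml(data: bytes) -> bool:
    """True if data parses as XML whose root element is samlp:Response."""
    # SAML messages never need a DTD; refuse one instead of parsing it,
    # so entity-expansion payloads are not handed to the XML parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag == "{%s}Response" % SAMLP_NS


def classify_saml_response(form_value: str) -> str:
    """Classify the SAMLResponse field of an HTTP POST binding message.

    Returns "base64" (encoded as section 3.5.4 describes), "raw-xml"
    (the XML was posted without base64 encoding) or "invalid".
    This only identifies the encoding; it does not validate signatures,
    conditions or audience, which the SP library must still do.
    """
    # Remove line-wrapping whitespace before the strict base64 check.
    compact = "".join(form_value.split())
    if compact and len(compact) % 4 == 0 and _B64_ALPHABET.match(compact):
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            decoded = b""
        if _is_saml_response_xml(decoded):
            return "base64"
    if _is_saml_response_xml(form_value.strip().encode("utf-8")):
        return "raw-xml"
    return "invalid"


if __name__ == "__main__":
    for label, value in [
        ("wrapped base64", wrap_b64(SAMPLE_XML)),
        ("raw XML", SAMPLE_XML),
        ("garbage", "not a saml message"),
    ]:
        print(label, "->", classify_saml_response(value))
```

Run against the form value captured from the IdP's auto-submitting POST page, this shows which side of the exchange departs from the binding before anyone changes SP code.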



Re: [cas-user] Re: SAMLResponse is not base64 encoded

2019-11-21 Thread 'Robert Bond' via CAS Community
I have been running into this same issue for quite a while now. Have not
been able to identify the source.

On Thu, Nov 21, 2019 at 11:25 AM Chris G wrote:

> I'm just wondering if anyone figured this out. I have the same issue--SAML
> Responses from CAS are NOT base64 encoded, but all the clients I have seem
> to expect the SAML Response to be base64 encoded.
>
> Is this a SAML spec, that it should be base64 encoded and CAS isn't
> implementing it properly?
>
>
> On Wednesday, September 18, 2019 at 4:55:58 PM UTC-4, Chris H wrote:
>>
>>
>> I am working with a client who's running a CAS server (a backpatched
>> version of 3.4.12) as their IdP. We are trying to connect this with our
>> product, a SAML SP implemented with OneLogin's PHP client.
>>
>> The issue we are having is that the "SAMLResponse" POST parameter is
>> coming over in raw form, i.e. it is not base64 encoded. The OneLogin lib
>> appears to assume that this value is base64 encoded and throws an exception
>> when it is not. I do not see any configuration to override this behaviour.
>>
>> Is it possible to configure CAS to base64 encode this value before
>> sending?
>>
>> Any idea why this would be happening? We have several active SAML2
>> integrations with other clients who use CAS as their IdP.
>>
>> Thanks!
>> Chris
>>
>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University



[cas-user] Re: SAMLResponse is not base64 encoded

2019-11-21 Thread Chris G
I'm just wondering if anyone figured this out. I have the same issue--SAML 
Responses from CAS are NOT base64 encoded, but all the clients I have seem 
to expect the SAML Response to be base64 encoded. 

Is this a SAML spec, that it should be base64 encoded and CAS isn't 
implementing it properly?


On Wednesday, September 18, 2019 at 4:55:58 PM UTC-4, Chris H wrote:
>
>
> I am working with a client who's running a CAS server (a backpatched 
> version of 3.4.12) as their IdP. We are trying to connect this with our 
> product, a SAML SP implemented with OneLogin's PHP client.
>
> The issue we are having is that the "SAMLResponse" POST parameter is 
> coming over in raw form, i.e. it is not base64 encoded. The OneLogin lib 
> appears to assume that this value is base64 encoded and throws an exception 
> when it is not. I do not see any configuration to override this behaviour.
>
> Is it possible to configure CAS to base64 encode this value before 
> sending?
>
> Any idea why this would be happening? We have several active SAML2 
> integrations with other clients who use CAS as their IdP.
>
> Thanks!
> Chris
>



[cas-user] Re: Connect to AD and AZURE

2019-11-21 Thread vallee.romain
Hello Mister Andy.
Thank you very much for taking the time to give me such a complete answer.
I now have a better understanding of how to integrate O365.
The little explanatory diagram is perfect!
This week, I understood how the connection to O365 worked, and why the 
rememberME can't remember when the IP address changes:
# cas.tgc.pinToSession=true --> false 
Thank you so much.

On Wednesday, 20 November 2019 12:38:12 UTC+1, vallee.romain wrote:
>
> Hello everybody.
> I have two questions about how authentication works.
>
> My first question:
> Do you think that the CAS server can retrieve attributes from Azure users 
> (like mail, upn)?
>
> My second question:
>
> Can the CAS server mix two auth methods like AD and Azure? Example:
> if my AD user exists, the CAS server returns true
>
> if my AD user doesn't exist, can my CAS server look up whether this user 
> exists in Azure?
>
> Best regards
>
