Re: [cas-user] Re: Ask for authenticating at every login

2020-01-29 Thread Alex T
Ray,

I tried using interrupts with the JSON configuration. The interrupt occurs, but at 
the second login the user must re-enter credentials. I tried changing some 
parameters in the JSON, but not successfully. Another problem with the JSON 
configuration is that it is configured for a specific user only. It is documented 
for testing/demo/development only.

Are there examples of how to use the Regex interrupt configuration? I do not 
understand what I need to write in the attribute name and value expressions.

On Wednesday, January 29, 2020 at 9:01:37 PM UTC+3, rbon wrote:
>
> Alex,
>
> There is this capability to manipulate the login flow, 
> https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization-Interrupt.html.
>
> You can also modify the web flow, 
> https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization.html
>
> Ray
>
> On Wed, 2020-01-29 at 06:17 -0800, Alex T wrote:
>
> PS. If the user is already authenticated in CAS, I don't want to force 
> re-entering the password. I want to ask the user whether he wants to log in 
> to the app. If yes, the user is redirected to the app with a token, and then 
> he becomes authenticated.
>
> On Wednesday, January 29, 2020 at 5:03:22 PM UTC+3, Alex T wrote: 
>
> I created an app that uses the Apereo CAS server. And it works :)
>
> But I want to make some changes. If I authenticate successfully in my app 
> via CAS, then log out in my app, then try to log in via CAS again, a 
> redirect to CAS occurs, then a redirect back with a ticket, and it seems 
> that I am logged in again without any question from SSO.
>
> I want to change the CAS default behaviour to ask if I want to log in before 
> redirecting back to the app, and to show some information, like you are 
> logged in as , this  wants to authenticate, and so on.
>
> What is the simplest way to do it?
>
> Is it possible to do with some configuration (settings or gradle)? Or do I 
> need to develop a custom overlay for it?
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d9bc1947-4266-4bfc-bb53-48b1d816fae3%40apereo.org.


[cas-user] cas with Office 365

2020-01-29 Thread Mahmoud Elnahrawy
Hi everybody,

I have Oracle Access Manager implemented with Azure Office 365. I need to 
implement Azure Office 365 with CAS as well; I want to have it as a backup plan 
so that if Oracle Access Manager is down I can use it. So I need clear 
instructions on how to configure Azure Office 365 from the portal to be able to 
connect with CAS directly. Please, can anyone help?

Note: CAS is already implemented and configured with AD with the attributes 
uid, samaccount, mail.

Thanks



Re: [cas-user] 6.2.x Gradle Compilation

2020-01-29 Thread Ray Bon
Tom,

I think if you are running the release candidates, check 
https://github.com/apereo/cas/blob/master/gradle.properties to see what master 
is set at.
Try 6.2.0-SNAPSHOT

Ray

On Wed, 2020-01-29 at 13:35 -0800, Tom Healey wrote:
Hi all,
I am trying to modify the overlay from

from the CAS overlay directory that I downloaded from GitHub.


I have changed my gradle.properties
to cas.version=6.2.0-RC2
(I copied it right from the posting. )

and I get:

Could not resolve 
org.apereo.cas:cas-server-core-api-configuration-model:6.2.0-RC2.

I am running ./gradlew from the command line.

When I run it from the docker-build file it works but I can't use that all the 
time. I want to configure the CAS war to suit my needs and I think I need to do 
that with gradlew.
I looked through the docker build to see if I could reverse engineer it to get 
the right things in place so it can find what it needs to run from the command 
line with ./gradlew only.

Thanks,
Tom

On Thursday, January 2, 2020 at 2:59:28 PM UTC-5, Dmitriy Kopylenko wrote:
You might want to run it with the --info or --debug flag to see what might be 
failing, like so:

./gradlew run --info

or build and run as two separate steps:

./gradlew clean build
java -jar build/libs/cas.war

D.


From: Jérémie Pilette 
Reply: Jérémie Pilette 
Date: January 2, 2020 at 2:47:55 PM
To: CAS Community 
Cc: dkopy...@unicon.net 
Subject:  Re: [cas-user] 6.2.x Gradle Compilation

Hi Dmitriy,
thank you.
Now I have another failure:

> Task :run FAILED

FAILURE: Build failed with an exception.

* Where:
Script '/home/USER/bin/cas-overlay-template/gradle/tasks.gradle' line: 57

* What went wrong:
Execution failed for task ':run'.
> Process 'command '/usr/lib/jvm/java-11-openjdk-amd64/bin/java'' finished with 
> non-zero exit value 1

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug 
option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with 
Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See 
https://docs.gradle.org/6.0.1/userguide/command_line_interface.html#sec:command_line_warnings

Thank you,
Jérémie


On Thursday, January 2, 2020 at 14:24:48 UTC+1, Dmitriy Kopylenko wrote:
Hi there.

Change version of CAS to 6.2 RC2 in gradle.properties like so:

cas.version=6.2.0-RC2

Best,
D.


From: Jérémie Pilette 
Reply: cas-...@apereo.org 
Date: January 2, 2020 at 7:57:00 AM
To: CAS Community 
Subject:  [cas-user] 6.2.x Gradle Compilation

Hi everybody,
I have a problem with my first compilation of cas-overlay-template (6.2.x).

Here are my messages:

FAILURE: Build failed with an exception.
A problem occurred evaluating root project 'cas'.
> Could not resolve all artifacts for configuration 'classpath'.
   > Could not find 
org.apereo.cas:cas-server-core-api-configuration-model:6.2.0-SNAPSHOT.
[...]
Could not find 
org.apereo.cas:cas-server-core-configuration-metadata-repository:6.2.0-SNAPSHOT.
 Searched in the following locations:
[...]


Do you have an idea, please?

Jérémie








--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] How do I cut some of the information that is logged with SERVICE_ACCESS_ENFORCEMENT_TRIGGERED log entries to our cas_audit log to reduce log verbosity?

2020-01-29 Thread Ray Bon
I hear you on 'filters in appenders'. All of mine are commented out because 
they did not work.

Ray

On Wed, 2020-01-29 at 12:54 -0800, crdaudt wrote:
Thanks Ray.  The following log4j2.xml RegexFilter configuration worked for me 
to eliminate all log entries with the specified string:
---BEGIN---

...




...

---END---

Oddly enough, I could not get the same RegexFilter to work with my Appender (as 
you had suggested).  The following RegexFilter string appears to be ignored:
---BEGIN---

...












...

---END---

If I can figure out how to apply the filter to the Appender rather than the 
Logger, I could write to two separate CAS audit log appenders, one that is 
filtered ("casAudit") and one that is unfiltered ("casAuditVerbose").
In retrospect, I think we will be fine with simply having a single CAS audit 
log, removing all "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries from it.  But 
I am mystified why the RegexFilter fails to perform any action when configured 
with the Appender.

Carl


On Tuesday, January 28, 2020 at 3:03:07 PM UTC-5, rbon wrote:
Carl,

To change output of audit logging, you could override it with a custom 
implementation, 
https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#overlay-customization.
 This describes modifying text but the process can be used to modify java 
classes as well. But see, 
https://apereo.github.io/2017/09/10/stop-writing-code/. The java blog entry, 
https://apereo.github.io/2018/04/01/cas-overlays-supercharged/.

To hide log entries, you can use filters. For example:






See here for filter possibilities, 
https://logging.apache.org/log4j/2.x/manual/filters.html

Ray

On Mon, 2020-01-27 at 14:22 -0800, crdaudt wrote:
In updating from CAS 5.x to CAS 6.1.x, I see that additional logging 
information has been added to the cas_audit log, specifically, log entries that 
include "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED".  We would either like to 
reduce the amount of information in these entries, or possibly even omit these 
entries altogether.  The reason is that the security groups listing for many of 
our users results in rather large log entries.  For example, my own entry for 
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" is an entry that is over 3,000 
characters long.

Perhaps some of my ideas below are not very good ideas, and I am open to 
perspective.


Idea 1:  Is it possible to replace the logged results of the "memberOf" field 
with ellipses, and if so, how?

-->I.e., change:
2020-01-27 15:56:06,835 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27 
15:56:06 EST 2020|CAS|[result=Service Access 
Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe,
 attributes={displayName=[Doe, John], 
mail=[john...@myuniversity.edu], 
memberOf=[CN=securityGroup1,OU=Faculty Groups,OU=Security 
Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup2,OU=Faculty 
Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu, 
CN=securityGroup3,OU=Faculty Groups,OU=Security 
Groups,DC=myADdomain,DC=myuniversity,DC=edu], sAMAccountName=[john_doe], 
UDC_IDENTIFIER=[john_doe]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56

-->Into something like this:
2020-01-27 15:56:06,835 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27 
15:56:06 EST 2020|CAS|[result=Service Access 
Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe,
 attributes={displayName=[Doe, John], 
mail=[john...@myuniversity.edu], 
memberOf=[...]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56


Idea 2:  Is it possible to omit the log entries for 
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" altogether and if so, how?


Idea 3:  Is it possible to create two separate audit log files, one without the 
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries (call this cas_audit.log) and 
one with the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" (call this 
cas_audit_log.verbose)?  If so, how?  In this case, I would likely gzip the 
verbose logs relatively frequently.


I am open to other ideas as well.

Carl

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ 
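As an added illustration (not code from this thread or from CAS itself), here are Carl's three ideas applied in post-processing to constructed cas_audit lines: collapsing the memberOf list, dropping SERVICE_ACCESS_ENFORCEMENT_TRIGGERED entries, and splitting a filtered log from a verbose one. The sample entries, service URL, user and group DNs are made up; only the line layout follows the entry quoted above.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample cas_audit lines modelled on the entry quoted in the
# thread; identities, groups and addresses are made up. Inspektr writes the
# record as  who|what|action|client|ip  after the log4j prefix.
SAMPLE_AUDIT_LINES = [
    "2020-01-27 15:56:06,835 INFO "
    "[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - "
    "Mon Jan 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,"
    "service=https://sp.example.edu/shibboleth,"
    "principal=SimplePrincipal(id=john_doe, attributes={displayName=[Doe, John], "
    "mail=[john_doe@example.edu], "
    "memberOf=[CN=securityGroup1,OU=Faculty Groups,OU=Security Groups,DC=example,DC=edu, "
    "CN=securityGroup2,OU=Faculty Groups,OU=Security Groups,DC=example,DC=edu], "
    "sAMAccountName=[john_doe]}),requiredAttributes={}]"
    "|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56",
    "2020-01-27 15:56:05,901 INFO "
    "[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - "
    "Mon Jan 27 15:56:05 EST 2020|john_doe|Supplied credentials: [john_doe]"
    "|AUTHENTICATION_SUCCESS|audit:unknown|10.2.100.56",
]

NOISY_ACTION = "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED"

# memberOf is rendered as a Java list: "memberOf=[dn1, dn2, ...]". The DNs
# contain commas but never "]", so matching up to the first "]" captures
# the whole list.
MEMBER_OF_RE = re.compile(r"memberOf=\[[^\]]*\]")


def collapse_member_of(line: str) -> str:
    """Idea 1: keep the entry but replace the memberOf group list with [...]."""
    return MEMBER_OF_RE.sub("memberOf=[...]", line)


def audit_action(line: str) -> str:
    """Return the Inspektr action code: the third pipe-separated field from
    the end. The 'what' field may itself contain pipes, so split from the
    right rather than the left."""
    parts = line.rsplit("|", 3)
    return parts[1] if len(parts) == 4 else ""


def route(lines: Iterable[str], drop_noisy: bool = True) -> Tuple[List[str], List[str]]:
    """Ideas 2 and 3: return (filtered, verbose) logs.

    verbose keeps every line untouched (the cas_audit_log.verbose file).
    filtered either drops SERVICE_ACCESS_ENFORCEMENT_TRIGGERED entries
    (drop_noisy=True, the final choice in the thread) or keeps them with
    the memberOf list collapsed (drop_noisy=False, Idea 1).
    """
    filtered: List[str] = []
    verbose: List[str] = []
    for line in lines:
        verbose.append(line)
        if audit_action(line) != NOISY_ACTION:
            filtered.append(line)
        elif not drop_noisy:
            filtered.append(collapse_member_of(line))
    return filtered, verbose


if __name__ == "__main__":
    short, full = route(SAMPLE_AUDIT_LINES, drop_noisy=False)
    for entry in short:
        print(entry)
    print(f"{len(short)} filtered entries, {len(full)} verbose entries")
```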

Re: [cas-user] Externalizing custom messages

2020-01-29 Thread Ray Bon
Dustin,

Should your file be custom_messages.properties (note '_')?

Then maybe cas.messageBundle.baseNames = 
file:/etc/cas/messages/custom_messages,classpath...

You could also put your custom file in src/main/resources/ and it will end up 
in the classpath (would this negate setting cas.messageBundle.baseNames?).

Ray

On Wed, 2020-01-29 at 12:33 -0800, Dustin J Luck wrote:
I am trying to externalize as many of the customizations to CAS as possible. I 
have figured out how to do so for UI templates using the 
cas.view.templatePrefixes[0] property, but am having trouble figuring out a 
similar technique for custom_messages.properties. I tried using the 
cas.messageBundle.baseNames property as described in this thread, but couldn't 
get that to work. Am I missing something or is there another method I should try?

Actual property value set
cas.messageBundle.baseNames = 
file:/etc/cas/messages,classpath:custom_messages,classpath:messages

File location on server:
c:\etc\cas\messages\custom.messages.properties


If it isn't possible to externalize custom messages, what are the downsides to 
including my customized text as literals in the UI templates rather than 
bringing them in as custom messages?


Thanks


My environment:

  *   Standalone CAS 6.0.5 build
  *   Windows Server 2012 R2
  *   Tomcat 9 running as a service

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] Re: Trying to determine why CAS is returning an encoded attribute to SAML SP

2020-01-29 Thread Mike Osterman
Thanks, Misagh! Responses below:

On Wed, Jan 29, 2020 at 2:23 AM Misagh Moayyed 
wrote:

>
>> None of this would be a big deal if we hadn't run into a bizarre problem
>> that the encoded attribute being sent *CHANGED*.
>>
>
> It would be helpful to describe the steps you took to create/duplicate
> this scenario.
>

That's the rub. The only thing I can come up with that did change was my
rebuilding my cas.war after adding the dependency for GoogleApps. That's
when the value being sent changed. It's possible other bits got changed
when I rebuilt my war file, but I didn't change the cas version in the
gradle file - only added the Google Apps dependency:
compile "org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"


>
>> So my two questions:
>> 1) Is there any chance that the google apps keys have somehow superseded
>> the ones that general SAML services were using previously, such that my
>> non-Google SAML service switched to using the Google keys instead? This is
>> the only reason why I can fathom that the NameID attribute value suddenly
>> changed.
>>
>
>
> No.
>
> However, please note that the Google Apps for Education integration allows
> CAS to act as a miniaturized SAML2 identity provider, for deployments that
> may not be prepared to turn on and allow CAS to fully act as a SAML2
> identity provider. This feature is deprecated and is scheduled to be
> removed in the future. It does not make much sense to turn on and use both
> features (Google Apps + SAML2 IDP) in CAS at the same time, as one outranks
> the other and it is likely that using both features in CAS simultaneously
> would interfere with the functionality of both. If you can, consider using
> the SAML2 identity provider functionality in CAS to handle this integration
> as you would any other SAML2 service provider.
>
> Big blue box here:
> https://apereo.github.io/cas/6.1.x/integration/Google-Apps-Integration.html
>
> I am not saying using both at the same time is causing this issue; just
> that if your deployment qualifies for that sort of condition, you're
> inviting additional complexity with no real benefits to your deployment.
>

Ah - that makes good sense. The reason I missed that big blue box is that
we're on 5.3.x, and it's not on that page:
https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html
Perhaps it could be added there as well?


>
>> 2) Does anyone have ideas of how to disable the signing/encoding of the
>> NameID attribute so I can get visibility into what's getting sent? Or is
>> that happening at the direction of the SAML SP?
>>
>
> Unless your SAML2 SP is asking/forcing CAS to use encrypted NameIDs or
> Transient NameIDs, I don't think this is happening. IIRC, this indication
> will be instructed to CAS via the SP metadata. If you want to see what's
> happening, turn up TRACE logging for org.apereo.cas and comb through the
> logs.
>

I couldn't find anything in the metadata (in the metadata backup file) that
indicated a requested preference for a NameID format. Adding the tracing at
that level sounds like a firehose for a production system. That said, I
appreciate the pointer to where to look for more clues. I'll see if I can
get the vendor to help me test this on a non-production instance with our
test CAS server.

Thank you,
Mike



Re: [cas-user] 6.2.x Gradle Compilation

2020-01-29 Thread Tom Healey
Hi all,
I am trying to modify the overlay from

from the CAS overlay directory that I downloaded from GitHub.


I have changed my gradle.properties
to *cas.version=6.2.0-RC2*

*(I copied it right from the posting. )*

and I get:


*Could not resolve 
org.apereo.cas:cas-server-core-api-configuration-model:6.2.0-RC2.*

I am running ./gradlew from the command line.

When I run it from the docker-build file it works but I can't use that all 
the time. I want to configure the CAS war to suit my needs and I think I 
need to do that with gradlew.
I looked through the docker build to see if I could reverse engineer it to 
get the right things in place so it can find what it needs to run from the 
command line with ./gradlew only.

Thanks,
Tom

On Thursday, January 2, 2020 at 2:59:28 PM UTC-5, Dmitriy Kopylenko wrote:
>
> You might want to run it with the --info or --debug flag to see what might be 
> failing, like so:
>
> ./gradlew run --info
>
> or build and run as two separate steps:
>
> ./gradlew clean build
> java -jar build/libs/cas.war
>
> D.
>
>
> From: Jérémie Pilette  
> Reply: Jérémie Pilette  
> Date: January 2, 2020 at 2:47:55 PM
> To: CAS Community  
> Cc: dkopy...@unicon.net   
> Subject:  Re: [cas-user] 6.2.x Gradle Compilation 
>
> Hi Dmitriy,
> thank you.
> Now I have another failure:
>
> > Task :run FAILED
>
> FAILURE: Build failed with an exception.
>
> * Where:
> Script '/home/USER/bin/cas-overlay-template/gradle/tasks.gradle' line: 57
>
> * What went wrong:
> Execution failed for task ':run'.
> > Process 'command '/usr/lib/jvm/java-11-openjdk-amd64/bin/java'' finished 
> with non-zero exit value 1
>
> * Try:
> Run with --stacktrace option to get the stack trace. Run with --info or 
> --debug option to get more log output. Run with --scan to get full insights.
>
> * Get more help at https://help.gradle.org
>
> Deprecated Gradle features were used in this build, making it incompatible 
> with Gradle 7.0.
> Use '--warning-mode all' to show the individual deprecation warnings.
> See 
> https://docs.gradle.org/6.0.1/userguide/command_line_interface.html#sec:command_line_warnings
>
> Thank you,
> Jérémie
>
>
> On Thursday, January 2, 2020 at 14:24:48 UTC+1, Dmitriy Kopylenko wrote:
>>
>> Hi there.
>>
>> Change version of CAS to 6.2 RC2 in gradle.properties like so:
>>
>> *cas.version=6.2.0-RC2*
>>
>> Best,
>> D.
>>
>>
>> From: Jérémie Pilette 
>> Reply: cas-...@apereo.org 
>> Date: January 2, 2020 at 7:57:00 AM
>> To: CAS Community 
>> Subject:  [cas-user] 6.2.x Gradle Compilation
>>
>> Hi everybody,
>> I have a problem with my first compilation of cas-overlay-template (6.2.x).
>>
>> Here are my messages:
>>
>> FAILURE: Build failed with an exception.
>> A problem occurred evaluating root project 'cas'.
>> > Could not resolve all artifacts for configuration 'classpath'.
>>> Could not find 
>> org.apereo.cas:cas-server-core-api-configuration-model:6.2.0-SNAPSHOT.
>> [...]
>> Could not find 
>> org.apereo.cas:cas-server-core-configuration-metadata-repository:6.2.0-SNAPSHOT.
>>  Searched in the following locations:
>> [...]
>>
>>
>> Do you have an idea, please?
>>
>> Jérémie



Re: [cas-user] How do I cut some of the information that is logged with SERVICE_ACCESS_ENFORCEMENT_TRIGGERED log entries to our cas_audit log to reduce log verbosity?

2020-01-29 Thread crdaudt
Thanks Ray.  The following log4j2.xml RegexFilter configuration worked for 
me to eliminate all log entries with the specified string:
---BEGIN---

...




...

---END---

Oddly enough, I could not get the same RegexFilter to work with my Appender 
(as you had suggested).  The following RegexFilter string appears to be 
ignored:
---BEGIN---

...












...

---END---

If I can figure out how to apply the filter to the Appender rather than the 
Logger, I could write to two separate CAS audit log appenders, one that is 
filtered ("casAudit") and one that is unfiltered ("casAuditVerbose").
In retrospect, I think we will be fine with simply having a single CAS 
audit log, removing all "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries from 
it.  But I am mystified why the RegexFilter fails to perform any action 
when configured with the Appender.

Carl


On Tuesday, January 28, 2020 at 3:03:07 PM UTC-5, rbon wrote:
>
> Carl,
>
> To change output of audit logging, you could override it with a custom 
> implementation, 
> https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#overlay-customization.
>  
> This describes modifying text but the process can be used to modify java 
> classes as well. But see, 
> https://apereo.github.io/2017/09/10/stop-writing-code/. The java blog 
> entry, https://apereo.github.io/2018/04/01/cas-overlays-supercharged/.
>
> To hide log entries, you can use filters. For example:
>
> <Logger name="org.apereo.cas.AbstractCentralAuthenticationService" level="error" 
> includeLocation="true">
>   <RegexFilter regex="Publishing.*ticketGrantingTicket=.*serviceTicket=.*" 
>   onMismatch="DENY" />
> </Logger>
>
> See here for filter possibilities, 
> https://logging.apache.org/log4j/2.x/manual/filters.html
>
> Ray
>
> On Mon, 2020-01-27 at 14:22 -0800, crdaudt wrote:
>
> In updating from CAS 5.x to CAS 6.1.x, I see that additional logging 
> information has been added to the cas_audit log, specifically, log entries 
> that include "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED".  We would either like 
> to reduce the amount of information in these entries, or possibly even 
> omit these entries altogether.  The reason is that the security groups 
> listing for many of our users results in rather large log entries.  For 
> example, my own entry for "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" is an 
> entry that is over 3,000 characters long. 
>
> Perhaps some of my ideas below are not very good ideas, and I am open to 
> perspective.
>
>
> Idea 1:  Is it possible to replace the logged results of the "memberOf" 
> field with ellipses, and if so, how?
>
> -->I.e., change:
> 2020-01-27 15:56:06,835 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 
> 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,service=
> https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe, 
> attributes={displayName=[Doe, John], mail=[john...@myuniversity.edu 
> ], memberOf=[CN=securityGroup1,OU=Faculty Groups,OU=Security 
> Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup2,OU=Faculty 
> Groups,OU=Security 
> Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup3,OU=Faculty 
> Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu], 
> sAMAccountName=[john_doe], 
> UDC_IDENTIFIER=[john_doe]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56
>
> -->Into something like this:
> 2020-01-27 15:56:06,835 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 
> 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,service=
> https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe, 
> attributes={displayName=[Doe, John], mail=[john...@myuniversity.edu 
> ], 
> memberOf=[...]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56
>
>
> Idea 2:  Is it possible to omit the log entries for 
> "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" altogether and if so, how?
>
>
> Idea 3:  Is it possible to create two separate audit log files, one 
> without the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries (call this 
> cas_audit.log) and one with the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" 
> (call this cas_audit_log.verbose)?  If so, how?  In this case, I would 
> likely gzip the verbose logs relatively frequently.
>
>
> I am open to other ideas as well.
>
> Carl
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>


[cas-user] Externalizing custom messages

2020-01-29 Thread Dustin J Luck
I am trying to externalize as many of the customizations to CAS as 
possible. I have figured out how to do so for UI templates using the 
cas.view.templatePrefixes[0] property, but am having trouble figuring out a 
similar technique for custom_messages.properties. I tried using the 
cas.messageBundle.baseNames property as described in this thread, but 
couldn't get that to work. Am I missing something or is there another 
method I should try?

*Actual property value set*

>
> cas.messageBundle.baseNames = 
> file:/etc/cas/messages,classpath:custom_messages,classpath:messages


*File location on server:*

> c:\etc\cas\messages\custom.messages.properties



If it isn't possible to externalize custom messages, what are the downsides 
to including my customized text as literals in the UI templates rather than 
bringing them in as custom messages?


Thanks


*My environment:*

   - Standalone CAS 6.0.5 build
   - Windows Server 2012 R2
   - Tomcat 9 running as a service



Re: [cas-user] Re: Ask for authenticating at every login

2020-01-29 Thread Ray Bon
Alex,

There is this capability to manipulate the log in flow, 
https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization-Interrupt.html.

You can also modify the web flow, 
https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization.html

Ray

On Wed, 2020-01-29 at 06:17 -0800, Alex T wrote:
PS. If the user is already authenticated in CAS, I don't want to force 
re-entering the password. I want to ask the user whether he wants to log in to 
the app. If yes, the user is redirected to the app with a token, and then he 
becomes authenticated.

On Wednesday, January 29, 2020 at 5:03:22 PM UTC+3, Alex T wrote:
I created an app that uses the Apereo CAS server. And it works :)

But I want to make some changes. If I authenticate successfully in my app via 
CAS, then log out in my app, then try to log in via CAS again, a redirect to 
CAS occurs, then a redirect back with a ticket, and it seems that I am logged 
in again without any question from SSO.

I want to change the CAS default behaviour to ask if I want to log in before 
redirecting back to the app, and to show some information, like you are logged 
in as , this  wants to authenticate, and so on.

What is the simplest way to do it?

Is it possible to do with some configuration (settings or gradle)? Or do I need 
to develop a custom overlay for it?

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8bedec2eb12bb1fd4070d88b421382b466aa7506.camel%40uvic.ca.


Re: [cas-user] Re: CAS 6.1.3 SAML and JSON

2020-01-29 Thread Ray Bon
Jeff,

'excludeDefaultAttributes' should be inside 'attributeReleasePolicy'.

Where are you defining 'FirstName' and 'Surname'?
If it is in the list of default attributes, then you want 
'excludeDefaultAttributes=false'.

Add this to log4j2.xml:




Ray

P.S. It would be easier to see what is going on if the service definition 
were complete (just in case something else was in the wrong place).

On Wed, 2020-01-29 at 04:50 -0800, stonej wrote:
Hi All,

I am slowly getting there, although now I have hit another hurdle.

I need eduPersonTargetedID, now I can get that by using

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://DOMAIN",
  "name" : "Apache Secured By SAML",
  "id" : 10011,
  "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
  "metadataLocation" : "file:etc/cas/saml/metadata/metadata.xml",
  "encryptAssertions": "true",
  "excludeDefaultAttributes" : "true",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.support.saml.services.EduPersonTargetedIdAttributeReleasePolicy",
    "salt": "OqmG80fEKBQt",
    "attribute": ""
  }
}

But I cannot get any other attributes like FirstName, Surname etc.

And also the "excludeDefaultAttributes" : "true" doesn't seem to work; not 
sure if I have put it in the correct place.

I have tried:

"allowedAttributes" : {
  "@class" : "java.util.TreeMap",
  "eppn" : "urn:mace:dir:attribute-def:eduPersonPrincipalName",
  "cn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
  "eduPersonPrincipalName" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
  "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
  "givenName" : "urn:oid:2.5.4.42",
  "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
  "role" : "urn:hope.ac.uk:attribute-def:role",
  "sn" : "urn:oid:2.5.4.4",
  "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
  "UDC_IDENTIFIER": "urn:hope.ac.uk:attribute-def:UDC_IDENTIFIER",
  "eppn" : "urn:oid:0.9.2342.19200300.100.1.1",
  "affiliation" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
  "affiliation" : "staff",
  "excludeDefaultAttributes" : "true"
}
"persistentIdGenerator" : {
  "@class" : "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
  "salt" : "OqmG80fEKBQt",
  "attribute": "eduPersonTargetedID"
}

And that shows me the attributes but NOT the eduPersonTargetedID. Do I have to 
use a Groovy script to pull all the attributes together?

Thanks

Jeff


On Friday, January 24, 2020 at 1:30:26 AM UTC, Andy Ng wrote:
Hi Travis,

> To remove unwanted authentication attributes add excludeDefaultAttributes: 
> true.

Oh we can do that?! Didn't know about that and good to learn about this! 
Thanks Travis :)

Cheers!
- Andy



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/95e0c8c76d4ce6cd9f350ad3b5b84a5292ad2145.camel%40uvic.ca.


[cas-user] Re: Adding cas.properties file to source control

2020-01-29 Thread Dustin J Luck
Thanks, Misagh.

That's exactly what I was looking for. The thing that confused me at first 
was how to set the profile. I'll leave what I did here for others that may 
need to do the same.

My environment uses Tomcat running as a service on a Windows server. In 
order to set the profile, I had to add 
-Dspring.profiles.include=[profile] to the Java Options found in the Tomcat 
properties utility.





On Wednesday, January 29, 2020 at 2:26:37 AM UTC-8, Misagh Moayyed wrote:
>
> I would like to add my cas.properties file for a standalone deployment to 
>> source control. I'd like to know if there is a way to put certain settings 
>> that would necessarily be different between our dev & prod environments 
>> someplace external to the main properties file so I don't need to maintain 
>> the common properties in multiple places. An example of one of the 
>> properties I'd like to manage this way is 
>> cas.ticket.registry.hazelcast.cluster.members.
>>
>
> You need to use deployment profiles.  Keep your cas.properties file, then 
> create a dev.properties file and a prod.properties file. Put the relevant 
> settings for each tier in those, and keep the common stuff in the 
> cas.properties file. Then activate the profile at runtime with 
> "-Dspring.profiles.include=dev|prod"
>
> Then manage the configuration files as you like with source control. 
>
> Blog post that conceptually outlines the same strategy: 
> https://apereo.github.io/2018/11/02/cas6-groovy-config-slurper/
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/65f93d6f-e2a0-46f7-9eb2-cf7b6a41168e%40apereo.org.


[cas-user] Re: Ask for authenticating at every login

2020-01-29 Thread Alex T
PS. If the user is already authenticated in CAS, I don't want to force re-entering the 
password. I want to ask the user whether he wants to log in to the app. If yes, the user 
is redirected to the app with a token, and then he becomes authenticated.

On Wednesday, January 29, 2020 at 5:03:22 PM UTC+3, Alex T wrote:
>
> I created an app that uses the Apereo CAS server. And it works :)
>
> But I want to make some changes. If I authenticate successfully in my app 
> via CAS, then log out of my app, then try to log in via CAS again, a 
> redirect to CAS occurs, and a redirect back with a ticket, and it seems that 
> I am logged in again without any question from the SSO.
>
> I want to change the CAS default behavior to ask if I want to log in before 
> redirecting back to the app. And show some information, like "you are logged 
> in as , this  wants to authenticate" and so on.
>
> What is the simplest way to do it?
>
> Is it possible to do with some configuration (settings or gradle)? Or do I 
> need to develop a custom overlay for it?
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b004380-754c-4e80-ab1e-5f3a64ee3aee%40apereo.org.


[cas-user] Ask for authenticating at every login

2020-01-29 Thread Alex T
I created an app that uses the Apereo CAS server. And it works :)

But I want to make some changes. If I authenticate successfully in my app 
via CAS, then log out of my app, then try to log in via CAS again, a 
redirect to CAS occurs, and a redirect back with a ticket, and it seems that 
I am logged in again without any question from the SSO.

I want to change the CAS default behavior to ask if I want to log in before 
redirecting back to the app. And show some information, like "you are logged 
in as , this  wants to authenticate" and so on.

What is the simplest way to do it?

Is it possible to do with some configuration (settings or gradle)? Or do I 
need to develop a custom overlay for it?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/eb5119d2-f803-4ea2-bd25-912a56e58f6f%40apereo.org.


Re: [cas-user] Re: CAS 6.1.3 SAML and JSON

2020-01-29 Thread stonej
Hi All,

I am slowly getting there, although now I have hit another hurdle.

I need eduPersonTargetedID, now I can get that by using

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://DOMAIN",
  "name" : "Apache Secured By SAML",
  "id" : 10011,
  "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
  "metadataLocation" : "file:etc/cas/saml/metadata/metadata.xml",
  "encryptAssertions": "true",
  "excludeDefaultAttributes" : "true",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.support.saml.services.EduPersonTargetedIdAttributeReleasePolicy",
    "salt": "OqmG80fEKBQt",
    "attribute": ""
  }
}

But I cannot get any other attributes like FirstName, Surname etc.

And also the "excludeDefaultAttributes" : "true" doesn't seem to work; 
not sure if I have put it in the correct place.

I have tried:

"allowedAttributes" : {
  "@class" : "java.util.TreeMap",
  "eppn" : "urn:mace:dir:attribute-def:eduPersonPrincipalName",
  "cn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
  "eduPersonPrincipalName" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
  "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
  "givenName" : "urn:oid:2.5.4.42",
  "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
  "role" : "urn:hope.ac.uk:attribute-def:role",
  "sn" : "urn:oid:2.5.4.4",
  "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
  "UDC_IDENTIFIER": "urn:hope.ac.uk:attribute-def:UDC_IDENTIFIER",
  "eppn" : "urn:oid:0.9.2342.19200300.100.1.1",
  "affiliation" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
  "affiliation" : "staff",
  "excludeDefaultAttributes" : "true"
}
"persistentIdGenerator" : {
  "@class" : "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
  "salt" : "OqmG80fEKBQt",
  "attribute": "eduPersonTargetedID"
}

And that shows me the attributes but NOT the eduPersonTargetedID. Do I 
have to use a Groovy script to pull all the attributes together?

Thanks

Jeff


On Friday, January 24, 2020 at 1:30:26 AM UTC, Andy Ng wrote:
>
> Hi Travis,
>
> > To remove unwanted authentication attributes add 
> excludeDefaultAttributes: true.
>
> Oh we can do that?! Didn't know about that and good to learn about this! 
> Thanks Travis :)
>
> Cheers!
> - Andy
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/231a13b4-d3a6-4205-aaef-cc05b3897da5%40apereo.org.


[cas-user] Re: SAML Delegation in 6.2.0-RC2

2020-01-29 Thread Misagh Moayyed

>
> I don't know what to look for. I know there's a  tag on the 
> request standard for SAML, but the documentation is not clear about this 
> subject.
>
> Can you guys give me some advice or point me in the right direction?
>

There is no issuer tag in the saml2 response you get back from the identity 
provider, because your attempt at authentication has somehow failed there. 
The IdP is sending you an error response. You need to look into your IdP 
and figure out what is causing it to error out.  Or examine the CAS logs to 
see what that response looks like before it's parsed. 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bcd6d987-b8f6-496d-9c92-156569b1a485%40apereo.org.


[cas-user] Re: Adding cas.properties file to source control

2020-01-29 Thread Misagh Moayyed

>
> I would like to add my cas.properties file for a standalone deployment to 
> source control. I'd like to know if there is a way to put certain settings 
> that would necessarily be different between our dev & prod environments 
> someplace external to the main properties file so I don't need to maintain 
> the common properties in multiple places. An example of one of the 
> properties I'd like to manage this way is 
> cas.ticket.registry.hazelcast.cluster.members.
>

You need to use deployment profiles.  Keep your cas.properties file, then 
create a dev.properties file and a prod.properties file. Put the relevant 
settings for each tier in those, and keep the common stuff in the 
cas.properties file. Then activate the profile at runtime with 
"-Dspring.profiles.include=dev|prod"

Then manage the configuration files as you like with source control. 

Blog post that conceptually outlines the same strategy: 
https://apereo.github.io/2018/11/02/cas6-groovy-config-slurper/

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b2305ee7-1020-435a-871d-df04e6e39af2%40apereo.org.


[cas-user] Re: How to unpack the cas war (5.3.x) with Jetty

2020-01-29 Thread Misagh Moayyed


>
>
> Does any one know how to make CAS unpack the war file to the temp 
> directory with embedded Jetty ?
>

That is not how "embedded" works. An "embedded" container is not a 
repackaged version of the server distribution stuffed into the CAS web 
application artifact.  You won't find a "real jetty" if you unpacked CAS. 
Embedded container only means that you are getting a server that is able to 
run the CAS webapp automatically without extra manual/download work, 
regardless of how and to what effect. 

If you want to actually use a real jetty instance, download it first, 
remove the embedded jetty from the CAS webapp build and deploy the 
now-made-vanilla/plain webapp there as you normally would with any other 
webapp. With embedded, you lose control at the expense of 
auto-configuration, automation and comfort. If you prefer manual work for 
deployments, embedded is not the right option for you. 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/19f28f84-0c22-45b9-8c96-2df22954be3f%40apereo.org.


[cas-user] Re: [CAS 6.1.3]: OAuth2 Implict Grant - Passed state isn't returned correctly

2020-01-29 Thread Misagh Moayyed
Just wanted to note the patch/fix is now merged.

Thank you David!

On Friday, January 24, 2020 at 1:06:47 PM UTC+4, David Albrecht wrote:
>
> Hi all,
>
> when using the implicit grant and passing a state parameter which contains 
> special characters the state parameter in the returned redirect doesn't 
> match.
>
> Example:
>
>
> https://localhost:25443/ffauth/oauth2.0/authorize?response_type=token&client_id=swagger&redirect_uri=http%3A%2F%2Flocalhost%3A24080%2Fffwebservices%2Fswagger%2Foauth2-redirect.html&scope=write%20read&state=RnJpIEphbiAyNCAyMDIwIDA5OjQ4OjM3IEdNVCswMTAwIChNaXR0ZWxldXJvcMOkaXNjaGUgTm9ybWFsemVpdCk%3D
>
> leads to a redirect to:
>
>
> http://localhost:24080/ffwebservices/swagger/oauth2-redirect.html#access_token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.[...].n2rpw9_bXKx78LdxjSyET6xCkN5je9q-KJD_M_llMmOaDH5XZzpKTIl1cLzjz-5Ewg6WQYvM1oufkLMPeZSOKg&token_type=bearer&expires_in=86400&state=RnJpIEphbiAyNCAyMDIwIDA5OjQ4OjM3IEdNVCswMTAwIChNaXR0ZWxldXJvcMOkaXNjaGUgTm9ybWFsemVpdCk%253D
>
>
> As you can see the '%' is returned URL encoded as '%25'. This leads to 
> errors like:
>
> auth warning: Authorization may be unsafe, passed state was changed in 
> server. Passed state wasn't returned from auth server.
>
> In addition it seems to violate 
> https://tools.ietf.org/html/rfc6749#section-4.2.1
>
> Regards
> David
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b112418-2107-4473-aaf3-fa49b6113406%40apereo.org.
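The encoding mismatch David reports, as an added example that is not part of the thread or of the CAS code base: a Python sketch of the implicit-grant redirect built correctly (state form-encoded once) next to the double-encoding behaviour seen above, plus the client-side state comparison behind the "passed state was changed" warning. The redirect URI and token are constructed for the demo; the state value is the one from the authorize URL above.

```python
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed values for the demo. REDIRECT_URI mirrors the one in the thread;
# SAMPLE_STATE is the state value from the authorize URL above (base64 text
# ending in "=", so it must be percent-encoded exactly once on the way back).
REDIRECT_URI = "http://localhost:24080/ffwebservices/swagger/oauth2-redirect.html"
SAMPLE_STATE = (
    "RnJpIEphbiAyNCAyMDIwIDA5OjQ4OjM3IEdNVCswMTAwIChNaXR0ZWxldXJvcMOk"
    "aXNjaGUgTm9ybWFsemVpdCk="
)


def implicit_grant_redirect(redirect_uri, access_token, state, pre_encode_state=False):
    """Build the implicit-grant response: the parameters go in the URL fragment
    (RFC 6749 section 4.2.2) and are form-encoded exactly once.

    pre_encode_state=True reproduces the behaviour reported above: the state
    value is percent-encoded on its own before the fragment is assembled, so
    the trailing "=" leaves the server as %253D instead of %3D.
    """
    if pre_encode_state:
        state = quote(state, safe="")          # "=" -> "%3D"  (first encoding)
    fragment = urlencode({                     # "%" -> "%25"  (second encoding)
        "access_token": access_token,
        "token_type": "bearer",
        "expires_in": "86400",
        "state": state,
    })
    return f"{redirect_uri}#{fragment}"


def returned_state(redirect_url):
    """Extract the state the authorization server echoed in the fragment,
    decoding it exactly once, as a conforming client does."""
    params = parse_qs(urlsplit(redirect_url).fragment, keep_blank_values=True)
    values = params.get("state", [])
    return values[0] if values else None


def validate_state(redirect_url, expected_state):
    """Client-side CSRF check behind the "passed state was changed" warning:
    the echoed state must match the stored one byte for byte. On a mismatch
    the client must discard the access_token and abort the flow."""
    got = returned_state(redirect_url)
    if got is None:
        return False
    return secrets.compare_digest(got.encode(), expected_state.encode())


def new_state():
    """How a client should mint state: unguessable, bound to the user's
    session and kept until the redirect comes back."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    good = implicit_grant_redirect(REDIRECT_URI, "demo-token", SAMPLE_STATE)
    bad = implicit_grant_redirect(REDIRECT_URI, "demo-token", SAMPLE_STATE,
                                  pre_encode_state=True)
    print("single-encoded tail :", good[-6:])   # ends in %3D
    print("double-encoded tail :", bad[-6:])    # ends in %253D
    print("client accepts      :", validate_state(good, SAMPLE_STATE),
          validate_state(bad, SAMPLE_STATE))
```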


[cas-user] Re: Trying to determine why CAS is returning an encoded attribute to SAML SP

2020-01-29 Thread Misagh Moayyed

>
>
> None of this would be a big deal if we hadn't run into a bizarre problem 
> that the encoded attribute being sent *CHANGED*. 
>

It would be helpful to describe the steps you took to create/duplicate this 
scenario.
 

>
> So my two questions:
> 1) Is there any chance that the google apps keys have somehow superseded 
> the ones that general SAML services were using previously, such that my 
> non-Google SAML service switched to using the Google keys instead? This is 
> the only reason why I can fathom that the NameID attribute value suddenly 
> changed.
>


No. 

However, please note that the Google Apps for Education integration allows 
CAS to act as a miniaturized SAML2 identity provider, for deployments that 
may not be prepared to turn on and allow CAS to fully act as a SAML2 
identity provider. This feature is deprecated and is scheduled to be 
removed in the future. It does not make much sense to turn on and use both 
features (Google Apps + SAML2 IDP) in CAS at the same time, as one outranks 
the other and it is likely that using both features in CAS simultaneously 
would interfere with the functionality of both. If you can, consider using 
the SAML2 identity provider functionality in CAS to handle this integration 
as you would any other SAML2 service provider.

Big blue box here: 
https://apereo.github.io/cas/6.1.x/integration/Google-Apps-Integration.html

I am not saying using both at the same time is causing this issue; just 
that if your deployment qualifies for that sort of condition, you're 
inviting additional complexity with no real benefits to your deployment.

 

>
> 2) Does anyone have ideas of how to disable the signing/encoding of the 
> NameID attribute so I can get visibility into what's getting sent? Or is 
> that happening at the direction of the SAML SP?
>

Unless your SAML2 SP is asking/forcing CAS to use encrypted NameIDs or 
Transient NameIDs, I don't think this is happening. IIRC, this indication 
will be instructed to CAS via the SP metadata. If you want to see what's 
happening, turn up TRACE logging for org.apereo.cas and comb through the 
logs.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6cefe6fb-bce7-4e9a-bf34-241c4f7eaae8%40apereo.org.


[cas-user] Re: CAS 6.1.3 PM password reset link question.

2020-01-29 Thread Misagh Moayyed

>
> Not sure the service needs to be on this link. As I understand it, the 
> transient service ticket is a one shot directed at the password reset 
> component, so I am uncertain why the service would be necessary as the link 
> also works with the ?service portion removed.
>
> Is this something that ought to be removed from the link?
>

No. 

Let's say you start with Service A and attempt to login via CAS, and then 
you are forced to reset your password. When you have completed the password 
flow, the service parameter is re-collected again to redirect you back to 
Service A, so you can resume.

The service parameter is always optional, whether you're resetting 
passwords or doing anything else. 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6eb52038-7a0e-4060-b0e6-df6fa13fb722%40apereo.org.


Re: [cas-user] Service Registry - Store in MySQL database

2020-01-29 Thread Misagh Moayyed

Something along the following lines should work:

cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:/etc/cas/config/services

- Then, make sure your JSON files are in the above noted directory.
- Then, make sure your overlay contains a reference to the JPA service 
registry

(You do not need to include the JSON service registry, IIRC, in the overlay)

Then, on startup, CAS will import your JSON files from that directory over 
to the real (JPA) service registry.

YMMV.


On Wednesday, January 29, 2020 at 12:56:11 AM UTC+4, rbon wrote:
>
> Bob,
>
> We are using the 5.1.5 version of cas management. You only need to upgrade 
> it if you want newer features, etc.
> I also have grumblings about the 6.x version. I put off upgrading cas 
> management until it settles. 
>
> Ray
>
> On Tue, 2020-01-28 at 12:34 -0800, Bob wrote:
>
> Hi Ray,
>
> No, I'm currently just using the cas overlay (6.1.x).
> I did try to get cas management working but had some issue with a 
> pre-defined service registry in some kind of git repo.
> Whenever I tried to enter a service via cas management, there was no 
> option to save it to my database. All it ever did was show this 1 entry 
> from a git repo.
> Since I did get it working (reading my json file and storing it in a MySQL 
> database) without cas management for version 5.3.9, I assumed it would work 
> for version 6 as well.
> Do you think cas management is the only way to get it stored in the 
> database? I might have another look at it then.
> Thanks,
>
> Bob
>
>
> On Tuesday, January 28, 2020 at 8:31:44 PM UTC+1, rbon wrote: 
>
> Bob,
>
> Are you using the cas management server, 
> https://github.com/apereo/cas-management-overlay?
> If you are, what do the logs say when you try to save?
>
> Ray
>
> On Tue, 2020-01-28 at 03:50 -0800, Bob wrote:
>
> Hello,
>
> We are upgrading to CAS 6.1.x.
> Most things seem to work fine (LDAP and reading Service Registry from json 
> file) but we cannot get it to save the Service Registry in a MySQL casdb.
> Is there a way to manually enter a Service Registry into a MySQL database?
>
> Running CAS has created 3 tables in our MySQL database:
>
> regex_registered_service
> regex_registered_service_regex_registered_service_property
> regex_registered_service_registered_service_impl_contact
>
>
> Table regex_registered_service has the following columns:
>
> +----------------------------------+
> | COLUMN_NAME                      |
> +----------------------------------+
> | access_strategy                  |
> | attribute_release                |
> | description                      |
> | environments                     |
> | evaluation_order                 |
> | expiration_policy                |
> | expression_type                  |
> | id                               |
> | information_Url                  |
> | logo                             |
> | logout_type                      |
> | logout_url                       |
> | mfa_policy                       |
> | name                             |
> | privacy_Url                      |
> | proxy_policy                     |
> | proxy_ticket_expiration_policy   |
> | public_key                       |
> | required_handlers                |
> | response_Type                    |
> | service_Id                       |
> | service_ticket_expiration_policy |
> | sso_participation_policy         |
> | theme                            |
> | username_attr                    |
> +----------------------------------+
> 25 rows in set (0.00 sec)
>
> How would I get the following json into this table?
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://localhost:9000/dashboard",
>   "name" : "My App",
>   "id" : 10001000,
>   "description" : "My Dashboard App",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "memberOf" : "authorities"
>     }
>   },
>   "evaluationOrder" : 100,
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   }
> }
>
> Thanks in advance!
>
> Bob
>
> -- 
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

[cas-user] Re: How to specify redirect_uri for CAS 6 Delegation to Azure AD OIDC

2020-01-29 Thread Sean Day

This seems to have been fixed in 6.2.0 RC2; I have not had the error at all 
on 6.2.0 RC2. I then spent a bit of time finding a reliable sequence of 
events that caused the error and found a way to reproduce it consistently on 
6.1.2 following a specific series of login/logout requests:

In the same browser window: 
Login to system A.
Login to system B.
Logout System B.
Login to system A.
Logout System A.
Login System B - results in error.

The above resulted in the error on every attempt. I then replaced the 6.1.2 
cas.war file with 6.2.0 RC2, with no other changes made to config etc., 
repeated the above and did not get the error.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c1d95dce-c581-46ac-ab8c-287d67b189cd%40apereo.org.