Re: [cas-user] Re: Service Registry - Store in MySQL database

2020-03-24 Thread Nguyen Tran Thanh Lam
Dear Mr Mathieu HETRU
I have tried your solution. It's working fine, but the service seems to be stored
temporarily in RAM.
It doesn't write to the directory (/etc/cas/services-repo) or the database.
This leads to the service disappearing when I restart cas-management.
Thanks

On Tue, 24 Mar 2020 at 23:13 Mathieu HETRU
wrote:

> Hello Bob,
> I have the solution: remove the git feature from the war file (produced
> by gradlew) so that cas-management 6.1.x works fine:
>
> add this line in build.gradle (in the bootWar step):
> ---
> excludes = ["**/cas-mgmt-config-version-control*.jar",
> "**/cas-mgmt-config-delegated*.jar", "**/HikariCP-java7-2.4.13.jar"]
> ---
>
> Sincerely,
>
> Mathieu
>
> On Tue, 24 Mar 2020 at 16:04, Bob wrote:
>
>> Thanks Mathieu,
>>
>> I tried that also but never could get cas-management 6.1.x working (it
>> kept using the built-in git repo, despite having properties set not to use
>> that) with the MySQL data.
>> Finally I gave up on cas-management and have used the workaround from
>> Michele instead.
>> Thanks,
>>
>> Bob
>>
>>
>> On Monday, March 23, 2020 at 4:06:08 PM UTC+1, Mathieu HETRU wrote:
>>>
>>> Hello Bob,
>>>
>>> You should install the cas-management web interface because the service
>>> entries in the db are stored as serialized Java objects in the blob fields
>>> of the db tables.
>>>
>>> I have not used the initFromJson feature.
>>>
>>> Sincerely,
>>>
>>> Mathieu
>>>
>>> On Tuesday, 28 January 2020 12:50:54 UTC+1, Bob wrote:

 Hello,

 We are upgrading to CAS 6.1.x.
 Most things seem to work fine (LDAP and reading Service Registry from
 json file) but we cannot get it to save the Service Registry in a MySQL
 casdb.
 Is there a way to manually enter a Service Registry into a MySQL
 database?

 Running CAS has created 3 tables in our MySQL database:

 regex_registered_service
 regex_registered_service_regex_registered_service_property
 regex_registered_service_registered_service_impl_contact


 Table regex_registered_service has the following columns:

 +--+
 | COLUMN_NAME  |
 +--+
 | access_strategy  |
 | attribute_release|
 | description  |
 | environments |
 | evaluation_order |
 | expiration_policy|
 | expression_type  |
 | id   |
 | information_Url  |
 | logo |
 | logout_type  |
 | logout_url   |
 | mfa_policy   |
 | name |
 | privacy_Url  |
 | proxy_policy |
 | proxy_ticket_expiration_policy   |
 | public_key   |
 | required_handlers|
 | response_Type|
 | service_Id   |
 | service_ticket_expiration_policy |
 | sso_participation_policy |
 | theme|
 | username_attr|
 +--+
 25 rows in set (0.00 sec)

 How would I get the following json into this table?

 {
   "@class" : "org.apereo.cas.services.RegexRegisteredService",
   "serviceId" : "https://localhost:9000/dashboard",
   "name" : "My App",
   "id" : 10001000,
   "description" : "My Dashboard App",
   "attributeReleasePolicy" : {
     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
     "allowedAttributes" : {
       "@class" : "java.util.TreeMap",
       "memberOf" : "authorities"
     }
   },
   "evaluationOrder" : 100,
   "accessStrategy" : {
     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
     "enabled" : true,
     "ssoEnabled" : true
   }
 }

 Thanks in advance!

 Bob

>>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/85c1a43d-a4b1-4d91-9106-3ed8a4e9d92d%40apereo.org
>> 
>> .
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: 

[cas-user] ticketGrantingTicketCookieGenerator.xml

2020-03-24 Thread Fernando Gómez


Hello! I hope you can help me. Because of the new Google policies, I need the
SameSite attribute of the cookie that is generated when creating the ticket-granting
ticket (in ticketGrantingTicketCookieGenerator.xml) to take the value "None". I
can't find the way to do it. Do you have an idea of how I can do this, i.e. what
should I modify to set SameSite = "None"?


Thanks in advance.









Re: [cas-user] Re: Keycloak Backchannel Logout and CAS

2020-03-24 Thread 'Maksim Kopeyka' via CAS Community
I debugged CAS and found strange behavior:

   1. Keycloak sends a correct request to the "/idp/profile/SAML2/POST/SLO"
   endpoint.
   2. CAS sends a redirect to "/cas/logout" in both cases (http and https);
   however, the session will be invalidated in http mode only.
   - https://github.com/apereo/cas/blob/master/support/cas-server-support-saml-idp-web/src/main/java/org/apereo/cas/support/saml/web/idp/profile/slo/AbstractSamlSLOProfileHandlerController.java#L70
   3. The Java code related to "/cas/logout" isn't triggered; however, it
   is triggered when I call "/cas/logout" in the browser.
   - https://github.com/apereo/cas/blob/master/core/cas-server-core-logout-api/src/main/java/org/apereo/cas/logout/DefaultLogoutManager.java#L37

Why isn't the code related to "/cas/logout" triggered?

On Wednesday, March 18, 2020 at 5:29:09 PM UTC+2, Maksim Kopeyka wrote:
>
> I excluded nginx from my local env so I have only executable CAS.war and 
> keycloak.
> I configured CAS to use SSL in this way:
>
> server.ssl.enabled=true
> server.ssl.key-store-type=JKS
> server.ssl.key-store=C:/Environment/jdk-11.0.5/bin/caskeystore.jks
> server.ssl.key-store-password=changeit
> server.ssl.key-alias=my.cas.com
>
> Backchannel logout doesn't work. It looks like SSL causes this issue, no
> matter whether it's nginx or embedded Tomcat.
>
> On Tuesday, March 17, 2020 at 11:49:34 PM UTC+2, Maksim Kopeyka wrote:
>>
>> Ray,
>>
>> I have had some issues related to the self-signed certificate on my local 
>> env. CAS and Keycloak produced an exception related to the certificate and the 
>> flow didn't work at all.
>> I regenerated the certificate for the domain instead of 127.0.0.1 and all 
>> exceptions were gone. So it's not an issue with the certificate.
>> Also I have the same problem on the real environment with a real certificate. 
>> It also works fine without SSL, but with SSL the CAS session stays alive after 
>> logout in Keycloak.
>>
>> On Tuesday, March 17, 2020 at 5:44:35 PM UTC+2, rbon wrote:
>>>
>>> Maksim,
>>>
>>> Could this be a certificate issue?
>>>
>>> If this is a self-signed certificate, you will need to add it to the Java 
>>> keystore (trust store). 
>>> https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
>>>
>>> Ray
>>>
>>> On Mon, 2020-03-16 at 16:46 -0700, 'Maksim Kopeyka' via CAS Community 
>>> wrote:
>>>
>>> That's interesting. Backchannel logout works when the load balancer of 
>>> CAS (nginx) doesn't use SSL; however, backchannel doesn't work when nginx 
>>> uses SSL. 
>>> I see the same output in the console of the CAS server in both cases (with SSL 
>>> and without SSL).
>>>
>>> -- 
>>>
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> 2507218831 | CLE 019 | rb...@uvic.ca
>>>
>>> I respectfully acknowledge that my place of work is located within the 
>>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
>>> WSÁNEĆ Nations.
>>>
>>



Re: [cas-user] Re: Service Registry - Store in MySQL database

2020-03-24 Thread Mathieu HETRU
Hello Bob,
I have the solution: remove the git feature from the war file (produced by
gradlew) so that cas-management 6.1.x works fine:

add this line in build.gradle (in the bootWar step):
---
excludes = ["**/cas-mgmt-config-version-control*.jar",
"**/cas-mgmt-config-delegated*.jar", "**/HikariCP-java7-2.4.13.jar"]
---

Sincerely,

Mathieu

On Tue, 24 Mar 2020 at 16:04, Bob wrote:

> Thanks Mathieu,
>
> I tried that also but never could get cas-management 6.1.x working (it
> kept using the built-in git repo, despite having properties set not to use
> that) with the MySQL data.
> Finally I gave up on cas-management and have used the workaround from
> Michele instead.
> Thanks,
>
> Bob
>
>
> On Monday, March 23, 2020 at 4:06:08 PM UTC+1, Mathieu HETRU wrote:
>>
>> Hello Bob,
>>
>> You should install the cas-management web interface because the service entries
>> in the db are stored as serialized Java objects in the blob fields of the db
>> tables.
>>
>> I have not used the initFromJson feature.
>>
>> Sincerely,
>>
>> Mathieu
>>
>> On Tuesday, 28 January 2020 12:50:54 UTC+1, Bob wrote:
>>>
>>> Hello,
>>>
>>> We are upgrading to CAS 6.1.x.
>>> Most things seem to work fine (LDAP and reading Service Registry from
>>> json file) but we cannot get it to save the Service Registry in a MySQL
>>> casdb.
>>> Is there a way to manually enter a Service Registry into a MySQL
>>> database?
>>>
>>> Running CAS has created 3 tables in our MySQL database:
>>>
>>> regex_registered_service
>>> regex_registered_service_regex_registered_service_property
>>> regex_registered_service_registered_service_impl_contact
>>>
>>>
>>> Table regex_registered_service has the following columns:
>>>
>>> +--+
>>> | COLUMN_NAME  |
>>> +--+
>>> | access_strategy  |
>>> | attribute_release|
>>> | description  |
>>> | environments |
>>> | evaluation_order |
>>> | expiration_policy|
>>> | expression_type  |
>>> | id   |
>>> | information_Url  |
>>> | logo |
>>> | logout_type  |
>>> | logout_url   |
>>> | mfa_policy   |
>>> | name |
>>> | privacy_Url  |
>>> | proxy_policy |
>>> | proxy_ticket_expiration_policy   |
>>> | public_key   |
>>> | required_handlers|
>>> | response_Type|
>>> | service_Id   |
>>> | service_ticket_expiration_policy |
>>> | sso_participation_policy |
>>> | theme|
>>> | username_attr|
>>> +--+
>>> 25 rows in set (0.00 sec)
>>>
>>> How would I get the following json into this table?
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>   "serviceId" : "https://localhost:9000/dashboard",
>>>   "name" : "My App",
>>>   "id" : 10001000,
>>>   "description" : "My Dashboard App",
>>>   "attributeReleasePolicy" : {
>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>     "allowedAttributes" : {
>>>       "@class" : "java.util.TreeMap",
>>>       "memberOf" : "authorities"
>>>     }
>>>   },
>>>   "evaluationOrder" : 100,
>>>   "accessStrategy" : {
>>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>     "enabled" : true,
>>>     "ssoEnabled" : true
>>>   }
>>> }
>>>
>>> Thanks in advance!
>>>
>>> Bob
>>>


Re: [cas-user] Re: SAML functions very slow

2020-03-24 Thread Hayden Sartoris
Successfully reproduced this here.

That's very informative actually. It takes us here:
https://github.com/spring-projects/spring-boot/blob/2.2.x/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/EmbeddedWebServerFactoryCustomizerAutoConfiguration.java

As we're discussing Tomcat, this leads here:
https://github.com/spring-projects/spring-boot/blob/master/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java

This result strongly suggests that either the configuration specified by
this class or the very existence of the Bean
tomcatWebServerFactoryCustomizer (and thus some other part of the code) is
the cause of this slowdown. I'll take a look at this hopefully in the near
future; if anyone knows anything about this part of Spring please chime in.

Best,
Hayden

On Tue, Mar 24, 2020 at 9:10 AM John Bond  wrote:

>
> Following up on this thread, it seems we have managed to reduce the lag on
> our infrastructure by adding the following to /et/cas/config/cas.properties
>
> spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration
>
> I'm unsure why this fixed the issue; however, I came across the suggestion
> while attempting to configure a standalone war to work with an external
> tomcat instance and hitting an error regarding a missing method.
>
> Adding the above config fixed the issue with the external instance of
> tomcat; however, it also significantly reduced the lag we observed when
> using the embedded war. If anyone is able to provide insight into why this
> config parameter helped I would be interested.
>
>
> Thanks
>


-- 
Hayden Sartoris
Systems Administrator
Bard College IT
(he/him/his)



Re: [cas-user] Service Registry - Store in MySQL database

2020-03-24 Thread Michele Melluso
Hi Bob,

I'm glad to hear it. I will try to see if it deserves a PR at least to 
start a discussion about it.

Regards
Michele

On Tuesday, March 24, 2020 at 4:02:15 PM UTC+1, Bob wrote:
>
> Hello Michele,
>
> Finally managed to get it working by commenting out the code you 
> mentioned. Now it does read the JSON files and store it in MySQL database.
> I exported the database records as a SQL script and then reinstated the 
> code so it should be good to go.
> Thank you very much again!
> Regards,
>
> Bob
>
>
> On Saturday, March 14, 2020 at 12:20:46 AM UTC+1, Michele Melluso wrote:
>>
>> Hi Bob,
>>
>> I had a similar regression from 6.0 to 6.1. The problem is that 
>> EmbeddedResourceBasedServiceRegistry is registered in the registries chain.
>>
>> So, when the ServiceRegistryInitializer.java checks at row 66 if the json 
>> service exists already, it is found from 
>> EmbeddedResourceBasedServiceRegistry and then it is not added to 
>> JpaTicketRegistry.
>>
>> I solved it somehow by avoiding the 
>> "embeddedJsonServiceRegistryExecutionPlanConfigurer" bean, just commenting 
>> it out in CasServiceRegistryInitializationConfiguration.java
>>
>> // @Bean
>> // @ConditionalOnMissingBean(name = "embeddedJsonServiceRegistryExecutionPlanConfigurer")
>> // public ServiceRegistryExecutionPlanConfigurer embeddedJsonServiceRegistryExecutionPlanConfigurer() {
>> //     return plan -> plan.registerServiceRegistry(embeddedJsonServiceRegistry());
>> // }
>>
>> I don't know if there will be any collateral problems; by the way, now 
>> json services are correctly copied to JpaTicketRegistry.
>> I wouldn't know how to fix it in a clean way so as to make a PR.
>>
>> Hope it helps
>> Regards
>> Michele
>>
>>
>> On Thursday, January 30, 2020 at 1:00:47 PM UTC+1, Bob wrote:
>>>
>>> Thanks Misagh and Ray,
>>>
>>> I cloned the cas-overlay-template in a new location and used the 
>>> settings Misagh suggested but I still have the same problem that my casdb 
>>> still has an empty regex_registered_service table.
>>> Here's what I'm using:
>>>
>>> CAS Version: 6.1.0
>>> CAS Branch: 6.1.x
>>> CAS Commit Id: c92590730249df0cf26fd1b4bebd8aea8447b256
>>> CAS Build Date/Time: 2019-10-28T02:43:18Z
>>> Spring Boot Version: 2.2.0.RELEASE
>>> Spring Version: 5.2.0.RELEASE
>>> Java Home: C:\Programs\Java\amazon-corretto\jdk11.0.3_7
>>> Java Vendor: Amazon.com Inc.
>>> Java Version: 11.0.3
>>>
>>>
>>> My dependencies in build.gradle:
>>>
>>> dependencies {
>>> // Other CAS dependencies/modules may be listed here...
>>> compile 
>>> "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
>>> compile 
>>> "org.apereo.cas:cas-server-support-jdbc-drivers:${project.'cas.version'}"
>>> compile 
>>> "org.apereo.cas:cas-server-support-jpa-service-registry:${project.'cas.version'}"
>>> }
>>>
>>>
>>> My minimum cas.properties (I omitted the LDAP part since that's working 
>>> fine):
>>>
>>> cas.server.name: https://localhost:8443
>>> cas.server.prefix: ${cas.server.name}/cas
>>>
>>> logging.config: file:/etc/cas/config/log4j2.xml
>>>
>>> server.ssl.key-store=file:/etc/cas/keystore.jks
>>> server.ssl.key-store-password=
>>> server.ssl.key-password=xxx
>>>
>>> cas.serviceRegistry.initFromJson=true
>>> cas.serviceRegistry.json.location=file:/etc/cas/config/services
>>>
>>> cas.serviceRegistry.jpa.user=xx
>>> cas.serviceRegistry.jpa.password=xxx
>>> cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
>>>
>>> cas.serviceRegistry.jpa.url=jdbc:mysql://localhost:3306/casdb?allowPublicKeyRetrieval=true=UTF-8=FALSE
>>>
>>> cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL57InnoDBDialect
>>> cas.serviceRegistry.jpa.ddlAuto=update
>>>
>>>
>>> When I run CAS 6.1.0 I see: 
>>>
>>> [org.apereo.cas.services.AbstractServicesManager] - >> service(s) from [EmbeddedResourceBasedServiceRegistry,JpaServiceRegistry].>
>>>
>>>
>>> I can then use CAS to login to my application, but it does not insert 
>>> any Service Registry into the MySQL casdb.
>>> Do you see anything wrong in my setup?
>>> Thanks,
>>>
>>> Bob
>>>
>>> On Wednesday, January 29, 2020 at 11:21:24 AM UTC+1, Misagh Moayyed 
>>> wrote:


 Something along the following lines should work:

 cas.serviceRegistry.initFromJson=true
 cas.serviceRegistry.json.location=file:/etc/cas/config/services

 - Then, make sure your JSON files are in the above noted directory.
 - Then, make sure your overlay contains a reference to the JPA service 
 registry

 (You do not need to include the JSON service registry, IIRC, in the 
 overlay)

 Then, on startup, CAS will import your JSON files from that directory 
 over to the real (JPA) service registry.

 YMMV.


 On Wednesday, January 29, 2020 at 12:56:11 AM UTC+4, rbon wrote:
>
> Bob,
>
> We are using the 5.1.5 version of cas management. You only need to 
> upgrade it if you 
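
The chained lookup Michele describes in this thread (the initializer finds the JSON service in EmbeddedResourceBasedServiceRegistry and therefore never writes it to JpaServiceRegistry), modelled as an added example that is not part of the original posts or of CAS itself. The registry names mirror the ones in the thread, but the classes, `init_from_json` and `run_scenario` are simplified stand-ins, the `check_target_only` variant is an assumed fix rather than the project's own change, and it is assumed that the embedded registry serves the same JSON definition the initializer is importing.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class RegisteredService:
    """Minimal stand-in for a CAS RegexRegisteredService (constructed for this example)."""
    id: int
    service_id: str  # the serviceId pattern from the JSON definition
    name: str


class ServiceRegistry:
    """One backing store: the JSON directory, the embedded registry or the JPA table."""

    def __init__(self, name: str, services: Iterable[RegisteredService] = ()) -> None:
        self.name = name
        self._by_id: Dict[int, RegisteredService] = {s.id: s for s in services}

    def load(self) -> List[RegisteredService]:
        return list(self._by_id.values())

    def find_by_service_id(self, service_id: str) -> Optional[RegisteredService]:
        return next((s for s in self._by_id.values() if s.service_id == service_id), None)

    def save(self, service: RegisteredService) -> None:
        self._by_id[service.id] = service


class ChainingServiceRegistry:
    """Asks every registry in the chain in order; the first hit wins."""

    def __init__(self, registries: Iterable[ServiceRegistry]) -> None:
        self.registries = list(registries)

    def find_by_service_id(self, service_id: str) -> Optional[ServiceRegistry]:
        for registry in self.registries:
            if registry.find_by_service_id(service_id) is not None:
                return registry
        return None


def init_from_json(json_registry: ServiceRegistry, chain: ChainingServiceRegistry,
                   jpa: ServiceRegistry, check_target_only: bool = False) -> List[int]:
    """Import JSON-defined services into the JPA registry; return the ids actually written.

    check_target_only=False mimics the 6.1 initializer as the thread describes it: the
    existence check goes through the whole chain, so a hit in the embedded registry
    suppresses the import. check_target_only=True asks only the destination registry
    (an assumed fix for this example, not the project's own change).
    """
    imported: List[int] = []
    for svc in json_registry.load():
        if check_target_only:
            exists = jpa.find_by_service_id(svc.service_id) is not None
        else:
            exists = chain.find_by_service_id(svc.service_id) is not None
        if exists:
            continue  # treated as "already known", so the JPA table stays empty
        jpa.save(svc)
        imported.append(svc.id)
    return imported


def run_scenario(embedded_in_chain: bool, check_target_only: bool = False) -> List[int]:
    """Build the registries around the thread's example service and run the initializer."""
    dashboard = RegisteredService(10001000, "https://localhost:9000/dashboard", "My App")
    json_dir = ServiceRegistry("JsonServiceRegistry", [dashboard])
    # Assumption: the embedded registry serves the same JSON definition that the
    # initializer is trying to import, which is what makes the chained lookup hit early.
    embedded = ServiceRegistry("EmbeddedResourceBasedServiceRegistry", [dashboard])
    jpa = ServiceRegistry("JpaServiceRegistry")  # empty regex_registered_service table
    members = [embedded, jpa] if embedded_in_chain else [jpa]
    chain = ChainingServiceRegistry(members)
    return init_from_json(json_dir, chain, jpa, check_target_only)


if __name__ == "__main__":
    print("embedded in chain (6.1 as reported):", run_scenario(True))        # []
    print("embedded bean commented out:", run_scenario(False))               # [10001000]
    print("existence checked against JPA only:", run_scenario(True, True))   # [10001000]
```

The first call reproduces Bob's empty regex_registered_service table; the second is Michele's workaround of dropping the embedded registry from the chain.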

[cas-user] Re: Service Registry - Store in MySQL database

2020-03-24 Thread Bob
Thanks Mathieu,

I tried that also but never could get cas-management 6.1.x working (it kept 
using the built-in git repo, despite having properties set not to use that) 
with the MySQL data.
Finally I gave up on cas-management and have used the workaround from 
Michele instead.
Thanks,

Bob


On Monday, March 23, 2020 at 4:06:08 PM UTC+1, Mathieu HETRU wrote:
>
> Hello Bob,
>
> You should install the cas-management web interface because the service entries 
> in the db are stored as serialized Java objects in the blob fields of the db 
> tables.
>
> I have not used the initFromJson feature.
>
> Sincerely,
>
> Mathieu
>
> On Tuesday, 28 January 2020 12:50:54 UTC+1, Bob wrote:
>>
>> Hello,
>>
>> We are upgrading to CAS 6.1.x.
>> Most things seem to work fine (LDAP and reading Service Registry from 
>> json file) but we cannot get it to save the Service Registry in a MySQL 
>> casdb.
>> Is there a way to manually enter a Service Registry into a MySQL database?
>>
>> Running CAS has created 3 tables in our MySQL database:
>>
>> regex_registered_service
>> regex_registered_service_regex_registered_service_property
>> regex_registered_service_registered_service_impl_contact
>>
>>
>> Table regex_registered_service has the following columns:
>>
>> +--+
>> | COLUMN_NAME  |
>> +--+
>> | access_strategy  |
>> | attribute_release|
>> | description  |
>> | environments |
>> | evaluation_order |
>> | expiration_policy|
>> | expression_type  |
>> | id   |
>> | information_Url  |
>> | logo |
>> | logout_type  |
>> | logout_url   |
>> | mfa_policy   |
>> | name |
>> | privacy_Url  |
>> | proxy_policy |
>> | proxy_ticket_expiration_policy   |
>> | public_key   |
>> | required_handlers|
>> | response_Type|
>> | service_Id   |
>> | service_ticket_expiration_policy |
>> | sso_participation_policy |
>> | theme|
>> | username_attr|
>> +--+
>> 25 rows in set (0.00 sec)
>>
>> How would I get the following json into this table?
>>
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "https://localhost:9000/dashboard",
>>   "name" : "My App",
>>   "id" : 10001000,
>>   "description" : "My Dashboard App",
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>     "allowedAttributes" : {
>>       "@class" : "java.util.TreeMap",
>>       "memberOf" : "authorities"
>>     }
>>   },
>>   "evaluationOrder" : 100,
>>   "accessStrategy" : {
>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>     "enabled" : true,
>>     "ssoEnabled" : true
>>   }
>> }
>>
>> Thanks in advance!
>>
>> Bob
>>
>



Re: [cas-user] Service Registry - Store in MySQL database

2020-03-24 Thread Bob
Hello Michele,

Finally managed to get it working by commenting out the code you mentioned. 
Now it does read the JSON files and store it in MySQL database.
I exported the database records as a SQL script and then reinstated the 
code so it should be good to go.
Thank you very much again!
Regards,

Bob


On Saturday, March 14, 2020 at 12:20:46 AM UTC+1, Michele Melluso wrote:
>
> Hi Bob,
>
> I had a similar regression from 6.0 to 6.1. The problem is that 
> EmbeddedResourceBasedServiceRegistry is registered in the registries chain.
>
> So, when the ServiceRegistryInitializer.java checks at row 66 if the json 
> service exists already, it is found from 
> EmbeddedResourceBasedServiceRegistry and then it is not added to 
> JpaTicketRegistry.
>
> I solved it somehow by avoiding the 
> "embeddedJsonServiceRegistryExecutionPlanConfigurer" bean, just commenting 
> it out in CasServiceRegistryInitializationConfiguration.java
>
> // @Bean
> // @ConditionalOnMissingBean(name = "embeddedJsonServiceRegistryExecutionPlanConfigurer")
> // public ServiceRegistryExecutionPlanConfigurer embeddedJsonServiceRegistryExecutionPlanConfigurer() {
> //     return plan -> plan.registerServiceRegistry(embeddedJsonServiceRegistry());
> // }
>
> I don't know if there will be any collateral problems; by the way, now json 
> services are correctly copied to JpaTicketRegistry.
> I wouldn't know how to fix it in a clean way so as to make a PR.
>
> Hope it helps
> Regards
> Michele
>
>
> On Thursday, January 30, 2020 at 1:00:47 PM UTC+1, Bob wrote:
>>
>> Thanks Misagh and Ray,
>>
>> I cloned the cas-overlay-template in a new location and used the settings 
>> Misagh suggested but I still have the same problem that my casdb still has 
>> an empty regex_registered_service table.
>> Here's what I'm using:
>>
>> CAS Version: 6.1.0
>> CAS Branch: 6.1.x
>> CAS Commit Id: c92590730249df0cf26fd1b4bebd8aea8447b256
>> CAS Build Date/Time: 2019-10-28T02:43:18Z
>> Spring Boot Version: 2.2.0.RELEASE
>> Spring Version: 5.2.0.RELEASE
>> Java Home: C:\Programs\Java\amazon-corretto\jdk11.0.3_7
>> Java Vendor: Amazon.com Inc.
>> Java Version: 11.0.3
>>
>>
>> My dependencies in build.gradle:
>>
>> dependencies {
>> // Other CAS dependencies/modules may be listed here...
>> compile 
>> "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-jdbc-drivers:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-jpa-service-registry:${project.'cas.version'}"
>> }
>>
>>
>> My minimum cas.properties (I omitted the LDAP part since that's working 
>> fine):
>>
>> cas.server.name: https://localhost:8443
>> cas.server.prefix: ${cas.server.name}/cas
>>
>> logging.config: file:/etc/cas/config/log4j2.xml
>>
>> server.ssl.key-store=file:/etc/cas/keystore.jks
>> server.ssl.key-store-password=
>> server.ssl.key-password=xxx
>>
>> cas.serviceRegistry.initFromJson=true
>> cas.serviceRegistry.json.location=file:/etc/cas/config/services
>>
>> cas.serviceRegistry.jpa.user=xx
>> cas.serviceRegistry.jpa.password=xxx
>> cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
>>
>> cas.serviceRegistry.jpa.url=jdbc:mysql://localhost:3306/casdb?allowPublicKeyRetrieval=true=UTF-8=FALSE
>> cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL57InnoDBDialect
>> cas.serviceRegistry.jpa.ddlAuto=update
>>
>>
>> When I run CAS 6.1.0 I see: 
>>
>> [org.apereo.cas.services.AbstractServicesManager] - > service(s) from [EmbeddedResourceBasedServiceRegistry,JpaServiceRegistry].>
>>
>>
>> I can then use CAS to login to my application, but it does not insert any 
>> Service Registry into the MySQL casdb.
>> Do you see anything wrong in my setup?
>> Thanks,
>>
>> Bob
>>
>> On Wednesday, January 29, 2020 at 11:21:24 AM UTC+1, Misagh Moayyed wrote:
>>>
>>>
>>> Something along the following lines should work:
>>>
>>> cas.serviceRegistry.initFromJson=true
>>> cas.serviceRegistry.json.location=file:/etc/cas/config/services
>>>
>>> - Then, make sure your JSON files are in the above noted directory.
>>> - Then, make sure your overlay contains a reference to the JPA service 
>>> registry
>>>
>>> (You do not need to include the JSON service registry, IIRC, in the 
>>> overlay)
>>>
>>> Then, on startup, CAS will import your JSON files from that directory 
>>> over to the real (JPA) service registry.
>>>
>>> YMMV.
>>>
>>>
>>> On Wednesday, January 29, 2020 at 12:56:11 AM UTC+4, rbon wrote:

 Bob,

 We are using the 5.1.5 version of cas management. You only need to 
 upgrade it if you want newer features, etc.
 I also have grumblings about the 6.x version. I put off upgrading cas 
 management until it settles. 

 Ray

 On Tue, 2020-01-28 at 12:34 -0800, Bob wrote:

 Hi Ray,

 No, I'm currently just using the cas overlay (6.1.x).
 I did try to get cas management working but had some issue 

Re: [cas-user] OpenID Connect (pac4j integration) simultaneous login in several windows/tabs fails

2020-03-24 Thread Jérôme LELEU
Hi,

We should have a session per tab if ever it's possible or no session at all.
But this is definitely a hard topic, I'm not sure it's worth the deal to
work on that.

In any case, it's more a pac4j issue than a CAS one, you would have the
same problem with all pac4j implementations (JEE, Shiro, Play, Vertx...)
Let's move that discussion to the pac4j dev mailing list:
https://groups.google.com/forum/?fromgroups#!forum/pac4j-dev

Thanks.
Best regards,
Jérôme

On Tue, 24 Mar 2020 at 13:55, mlabib wrote:

> Thanks, Jérôme, for the explanation.
>
> As I understand it there would have to be more state to be pushed around
> to fix the issue - maybe even the session made unnecessary?
>
> Still I am quite unsure where this should be discussed. Do you think this
> qualifies as a pac4j issue? Should I open a CAS PR?
>
> Best regards,
> Marcus
>


[cas-user] Re: SAML functions very slow

2020-03-24 Thread John Bond

Following up on this thread, it seems we have managed to reduce the lag on 
our infrastructure by adding the following to /et/cas/config/cas.properties

  
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration

I'm unsure why this fixed the issue; however, I came across the suggestion 
while attempting to configure a standalone war to work with an external 
tomcat instance and hitting an error regarding a missing method.



Adding the above config fixed the issue with the external instance 
of tomcat; however, it also significantly reduced the lag we observed when 
using the embedded war. If anyone is able to provide insight into why this 
config parameter helped I would be interested.


Thanks

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a633dbb-79be-4ffb-b32f-c671a4f60bd4%40apereo.org.


Re: [cas-user] OpenID Connect (pac4j integration) simultaneous login in several windows/tabs fails

2020-03-24 Thread mlabib
Thanks, Jérôme,

for the explanation.

As I understand it there would have to be more state to be pushed around to 
fix the issue - maybe even the session made unnecessary?

Still I am quite unsure where this should be discussed. Do you think this 
qualifies as a pac4j issue? Should I open a CAS PR?

Best regards,
Marcus

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d7c7704c-413b-482b-8d8e-06d7f1167ec4%40apereo.org.


Re: [cas-user] CAS Logout Issue

2020-03-24 Thread Ramakrishna G
Hi Maksim,

Yes I had resolved this problem.

I had specified logoutType & logoutUrl in service file.

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http)://.*",
  "name" : "testId",
  "id" : 1,
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://backchannel.abc.com/logout.php"
}

Logout.php

<?php
// Back-channel logout receiver: CAS POSTs here when the user logs out.
// Iterate over the POSTed parameters (the loop header was lost from the
// archived copy, which kept only "$v)"; $_POST is assumed).
foreach ($_POST as $k => $v)
{
    $ticket = $v;
    $filename = md5($ticket);
    // mod_auth_cas keeps a dot-prefixed file named md5(ticket) whose content
    // is the name of the cookie cache file for that session.
    $fileContent = file_get_contents("/var/cache/mod_auth_cas/.$filename");
    if ($fileContent != "")
    {
        // Remove the session's cookie cache file and the ticket mapping.
        unlink("/var/cache/mod_auth_cas/$fileContent");
        unlink("/var/cache/mod_auth_cas/.$filename");
    }
}
?>

Basically I am forcefully deleting the cache files created by mod_auth_cas
during login. Next time any request from the browser will be invalidated as
the cookie files are deleted and automatically redirected to the login page.

Thanks & Regards
Ramakrishna G

On Tue, Mar 24, 2020 at 3:51 PM 'Maksim Kopeyka' via ram 
wrote:

> Hi Ramakrishna,
>
> Did you solve your issue? I have the same problem with SSL session which
> is alive after backchannel logout.
>
> On Wednesday, May 23, 2018 at 2:32:41 PM UTC+3, Ramakrishna G wrote:
>>
>> Ok Ray. Thanks for your help!!
>>
>> Anyone who has worked on Mod_auth_cas along with CAS server pls guide me.
>> My issue is MOD_AUTH_CAS_S cookie is not removed from browser after logout.
>>
>> Thanks
>> Ramakrishna G
>>
>> On Tue, May 22, 2018 at 9:53 PM, Ray Bon  wrote:
>>
>>> Ramakrishna,
>>>
>>> This now sounds like an issue on the client side. I have not used
>>> mod_auth_cas. Try debugging it and your client for how they handle the
>>> logout request.
>>>
>>> Ray
>>>
>>> On Tue, 2018-05-22 at 15:41 +0530, Ramakrishna G wrote:
>>>
>>> Ray,
>>>
> >>> I was able to solve the ssl issue using openssl. Now I am using https
> >>> at both ends with valid certificates.
>>>
> >>> But my original problem of cas not logging out still persists.
>>>
>>> On Sat, May 19, 2018 at 4:51 PM, Ramakrishna G  wrote:
>>>
>>> Ray,
>>>
>>> I configured ssl as advised by you. Now I have a different issue.
>>>
> >>> When I use CASValidateURL with an https url I get this Unauthorized error.
> >>> If I remove https it works but the logout issue still persists.  Unauthorized
>>>
>>> This server could not verify that you are authorized to access the
>>> document requested. Either you supplied the wrong credentials (e.g., bad
>>> password), or your browser doesn't understand how to supply the credentials
>>> required.
>>>
>>>
>>> I am sharing my config
>>>
>>> CASCookiePath /var/cache/mod_auth_cas/
>>>
>>> CASCertificatePath  /etc/httpd/conf/casdev.crt
>>>
>>> CASLoginURL https://192.168.111.12:8443/cas/login
>>>
>>> CASRootProxiedAs https://192.168.111.12:8443
>>>
>>> CASValidateURL  https://192.168.111.12:8443/cas/serviceValidate
>>>
>>> #CASValidateURL http://192.168.111.12:/cas/serviceValidate // *Tomcat
>>> http port *
>>>
>>> CASValidateSAML Off
>>>
>>> CASSSOEnabled On
>>> 
>>>SSLProxyEngine on
>>>SSLProxyVerify none
>>>SSLProxyCheckPeerCN off
>>>SSLProxyCheckPeerName off
>>>SSLProxyCheckPeerExpire off
>>>Loglevel debug
>>> 
>>> AllowOverride
>>> AuthType CAS
>>> require valid-user
>>> CASRenew On
>>> ProxyPass http://192.168.111.10/
>>> ProxyPassReverse http://192.168.111.10/
>>> 
>>> 
>>> Require all granted
>>> ProxyPass https://192.168.111.12:9443/cas  *// Tomcat
>>> https port 9443*
>>> ProxyPassReverse https://192.168.111.12:9443/cas
>>> 
>>>
>>> 
>>>
>>>
>>> On Fri, May 18, 2018 at 8:50 PM, Ray Bon  wrote:
>>>
>>> Ramakrishna,
>>>
>>> During log out when CAS contacts your service (where mod_auth_cas is),
>>> it does so with https. You need to install the custom certificate that is
>>> on your service into the jvm running CAS.
>>>
>>> sudo keytool -import -file ${certName} -alias ${aliasName} -keystore
>>> $JAVA_HOME/jre/lib/security/cacerts
>>>
>>>
>>> https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl
>>>
>>> Ray
>>>
>>> On Fri, 2018-05-18 at 11:04 +0530, Ramakrishna G wrote:
>>>
>>> Ray,
>>>
> >>> Let me explain my architecture to you. I have a CAS client (mod_auth_cas)
> >>> which redirects to an NGINX Load Balancer. The nginx forwards to one of the
> >>> active CAS Servers. Do I need to install certificates on all CAS Servers?
>>>
> >>> User requests go to mod_auth_cas via HTTPS but I am doing ssl stripping for
> >>> internal communication from Nginx to CAS server, i.e. plain http
> >>> communication is happening from nginx to cas server.
>>>
>>>
>>> Can you pls guide me how can I achieve logout for my approach.
>>>
>>> On Thu, May 17, 2018 at 9:49 PM, Ray Bon  wrote:
>>>
>>> Ramakrishna,
>>>
>>> Add this to the log config:
>>>
>>> 
>>>
>>> The above may produce a lot of messages.
>>> It 
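The back-channel logout receiver Ramakrishna posted above hashes each POSTed value as if it were the ticket. What CAS actually sends to a BACK_CHANNEL logoutUrl is a POST whose logoutRequest parameter is a SAML 2.0 LogoutRequest, and the service ticket sits in its SessionIndex element. The following is an added example, not the script from the thread and not mod_auth_cas code: it parses that XML, takes the SessionIndex, and removes the two cache files using the layout described in the post (one file per session named by the cookie value, plus a dot-prefixed file named md5(ticket) that holds the cookie file's name). The temporary directory, the fixture writer, the sample LogoutRequest and the ticket value ST-1-example are constructed for the example; the pattern used to validate the cookie file name is an assumption.

```python
"""CAS back-channel logout receiver for a mod_auth_cas protected application.

Added example, not the script from the thread. CAS delivers a back-channel
logout as a POST whose ``logoutRequest`` parameter carries a SAML 2.0
LogoutRequest; its ``SessionIndex`` element is the service ticket that was
validated when the session was created. The cache layout follows the post:
CASCookiePath holds one file per session, named by the cookie value, plus a
dot-prefixed file named md5(ticket) whose content is that cookie file's name.
The directory, fixture writer and sample request below are constructed.
"""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Assumption: mod_auth_cas cookie file names are plain alphanumeric tokens.
COOKIE_FILE_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def session_index_from_logout_request(xml_text):
    """Return the SessionIndex (service ticket) of a LogoutRequest, else None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    idx = root.find("{%s}SessionIndex" % SAMLP)
    if idx is None or not (idx.text or "").strip():
        return None
    return idx.text.strip()


def invalidate_session(cookie_path, ticket):
    """Delete the cookie cache file and the ticket->cookie mapping for ticket.

    The mapping file is addressed by md5(ticket), so a hostile ticket string
    cannot name a file outside cookie_path. The cookie file name read from the
    mapping is validated before it is joined onto the path.
    Returns True if a session file was removed.
    """
    mapping = os.path.join(cookie_path, "." + hashlib.md5(ticket.encode()).hexdigest())
    try:
        with open(mapping) as f:
            cookie_file = f.read().strip()
    except FileNotFoundError:
        return False
    removed = False
    if COOKIE_FILE_RE.match(cookie_file) and cookie_file not in (".", ".."):
        try:
            os.remove(os.path.join(cookie_path, cookie_file))
            removed = True
        except FileNotFoundError:
            pass
    os.remove(mapping)
    return removed


def handle_backchannel_logout(cookie_path, form):
    """Process one parsed POST body (dict of form fields). True if a session ended."""
    ticket = session_index_from_logout_request(form.get("logoutRequest", ""))
    if ticket is None:
        return False
    return invalidate_session(cookie_path, ticket)


def write_sample_cache(cookie_path, ticket, cookie_value):
    """Constructed fixture standing in for what mod_auth_cas writes at login."""
    os.makedirs(cookie_path, exist_ok=True)
    with open(os.path.join(cookie_path, cookie_value), "w") as f:
        f.write("<cacheEntry><user>casuser</user><ticket>%s</ticket></cacheEntry>" % ticket)
    with open(os.path.join(cookie_path, "." + hashlib.md5(ticket.encode()).hexdigest()), "w") as f:
        f.write(cookie_value)


# Constructed sample of what CAS posts; ST-1-example is a made-up ticket.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-1-example" Version="2.0" '
    'IssueInstant="2020-03-24T10:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-example</samlp:SessionIndex>'
    '</samlp:LogoutRequest>' % SAMLP
)


def demo_roundtrip():
    """Log in (fixture), log out twice, report what happened.

    Returns (first_logout, cookie_file_still_there, second_logout).
    """
    with tempfile.TemporaryDirectory() as d:
        write_sample_cache(d, "ST-1-example", "0123456789abcdef")
        first = handle_backchannel_logout(d, {"logoutRequest": SAMPLE_LOGOUT_REQUEST})
        still_there = os.path.exists(os.path.join(d, "0123456789abcdef"))
        second = handle_backchannel_logout(d, {"logoutRequest": SAMPLE_LOGOUT_REQUEST})
        return first, still_there, second


if __name__ == "__main__":
    print(demo_roundtrip())
```

The second logout for the same ticket returns False because the mapping file is gone, which is the behaviour you want: a replayed or forged LogoutRequest for an already-ended session does nothing. Note that the receiver deletes only the session that the ticket maps to; it never trusts the ticket string as a path component.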

Re: [cas-user] OpenID Connect (pac4j integration) simultaneous login in several windows/tabs fails

2020-03-24 Thread Jérôme LELEU
Hi,

I'm not surprised by this issue. pac4j relies on one session (distributed
or not) to perform a login process.

When starting the login process in a tab, you put some data in the session.
If meanwhile, in another tab, a login process is performed, the previous
data have been erased and the first login process can't happen correctly in
the first tab.

Thanks.
Best regards,
Jérôme


Le mar. 24 mars 2020 à 11:34, mlabib  a écrit :

> Hi group,
>
> since I am not sure where to better report a bug, I am doing it here. I am
> also looking for advice if the pac4j issue tracker might be a better place
> to report.
>
> We are using CAS Server 6.1.5 to federate the customer login to several of
> our services via OpenID Connect.
>
> It came to our attention that if a yet unauthenticated user opens several
> services at once in different windows/tabs of the same browser, only the
> first authentication process attempted will succeed. Submission of a second
> still open login form will result in the display of the error message
> "Error: No message available".
>
> In the first submission of the credentials the POST to /cas/login will
> send a redirect (302) to
> /cas/oauth2.0/callbackAuthorize which in turn will redirect to
> /cas/oidc/authorize which will finally redirect to the service.
>
> In the second submission of the credentials the POST will also send a
> redirect to
> /cas/oauth2.0/callbackAuthorize, which will use and invalidate the issued
> service ticket and send a redirect to
> /cas/oauth2.0/callbackAuthorize again (NOT to
> /cas/oidc/authorize). On the second call of
> /cas/oauth2.0/callbackAuthorize the supplied ticket is already invalidated
> and gives rise to a org.apereo.cas.ticket.InvalidTicketException and in
> turn to the
> "Error: No message available" error presented to the user.
>
> I tried changing cas.authn.oauth.replicateSessions to true, which resulted
> in no change to the problem.
>
> Any input would be greatly appreciated!
>
> Thanks,
> Marcus
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c4f2cc5a-a4d1-4717-8acd-fbc340fc41db%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LzB898Q6HfV%2B9871j3Ud16L%3DO75NAVkrQgQzTvDOWXv8g%40mail.gmail.com.


[cas-user] OpenID Connect (pac4j integration) simultaneous login in several windows/tabs fails

2020-03-24 Thread mlabib
Hi group,

since I am not sure where to better report a bug, I am doing it here. I am 
also looking for advice if the pac4j issue tracker might be a better place 
to report.

We are using CAS Server 6.1.5 to federate the customer login to several of 
our services via OpenID Connect.

It came to our attention that if a yet unauthenticated user opens several 
services at once in different windows/tabs of the same browser, only the 
first authentication process attempted will succeed. Submission of a second 
still open login form will result in the display of the error message 
"Error: No message available".

In the first submission of the credentials the POST to /cas/login will send 
a redirect (302) to 
/cas/oauth2.0/callbackAuthorize which in turn will redirect to 
/cas/oidc/authorize which will finally redirect to the service.

In the second submission of the credentials the POST will also send a 
redirect to 
/cas/oauth2.0/callbackAuthorize, which will use and invalidate the issued 
service ticket and send a redirect to 
/cas/oauth2.0/callbackAuthorize again (NOT to 
/cas/oidc/authorize). On the second call of 
/cas/oauth2.0/callbackAuthorize the supplied ticket is already invalidated 
and gives rise to a org.apereo.cas.ticket.InvalidTicketException and in 
turn to the 
"Error: No message available" error presented to the user.

I tried changing cas.authn.oauth.replicateSessions to true, which resulted 
in no change to the problem.

Any input would be greatly appreciated!

Thanks,
Marcus

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c4f2cc5a-a4d1-4717-8acd-fbc340fc41db%40apereo.org.
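The collision Marcus reports above, and Jérôme's explanation earlier in the thread that pac4j parks the in-flight login data in one session, can be reproduced with a small model. This is an added example, not pac4j or CAS code: SingleSlotSession keeps one slot per browser session for the pending login, so the second tab's start overwrites the first tab's data and the first tab cannot complete; PerStateSession keys the pending data by the OAuth/OIDC state value so both tabs finish. The class and function names, the two service URLs and the state check on return are this model's own assumptions; the page only says the earlier data is erased.

```python
"""Why two in-flight OIDC logins in one browser session collide.

Constructed model, not pac4j or CAS code. The login flow parks its in-flight
data (state, nonce, target service) in the server-side session. With one slot
for that data, the second tab's start overwrites the first tab's entry and the
first tab fails on return. Keying the entries by ``state`` lets any number of
tabs complete. All names here are invented for the model.
"""
import secrets


class LoginError(Exception):
    """Raised when a returning tab has no matching in-flight login."""


class SingleSlotSession:
    """One session slot for the pending login: the colliding behaviour."""

    def __init__(self):
        self.pending = None

    def start(self, state, nonce, service):
        # Overwrites whatever another tab stored a moment ago.
        self.pending = {"state": state, "nonce": nonce, "service": service}

    def finish(self, state):
        entry = self.pending
        if entry is None or entry["state"] != state:
            raise LoginError("no pending login for state %s" % state)
        self.pending = None  # single use: a replay of the same state fails
        return entry


class PerStateSession:
    """Pending logins keyed by state: parallel tabs no longer clobber each other."""

    def __init__(self):
        self.pending = {}

    def start(self, state, nonce, service):
        self.pending[state] = {"state": state, "nonce": nonce, "service": service}

    def finish(self, state):
        entry = self.pending.pop(state, None)  # single use, like a service ticket
        if entry is None:
            raise LoginError("no pending login for state %s" % state)
        return entry


def begin_authorize(session, service):
    """A tab hits /authorize: mint state+nonce, park them, redirect to the login form."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    session.start(state, nonce, service)
    return state


def complete_callback(session, state):
    """The tab comes back to the callback with its state; return the target service."""
    return session.finish(state)["service"]


def run_two_tabs(session_cls):
    """Open two services in two tabs, then submit both login forms.

    Returns {"tab1": service or "error", "tab2": ...}. Tab 2 was opened last,
    so with SingleSlotSession its data is what remains in the slot.
    """
    session = session_cls()
    tab1 = begin_authorize(session, "https://app-a.example/")
    tab2 = begin_authorize(session, "https://app-b.example/")
    results = {}
    for name, state in (("tab1", tab1), ("tab2", tab2)):
        try:
            results[name] = complete_callback(session, state)
        except LoginError:
            results[name] = "error"
    return results


def replay_rejected(session_cls):
    """A completed login cannot be replayed: a second callback with the same state fails."""
    session = session_cls()
    state = begin_authorize(session, "https://app-a.example/")
    complete_callback(session, state)
    try:
        complete_callback(session, state)
    except LoginError:
        return True
    return False


if __name__ == "__main__":
    print("single slot:", run_two_tabs(SingleSlotSession))
    print("per state:  ", run_two_tabs(PerStateSession))
```

Whichever design is used, the entry must stay single-use: removing it on completion is what stops a captured callback URL from being replayed, which is the same property the service ticket has in Marcus's trace (the second callbackAuthorize call fails because the ticket is already consumed).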


Re: [cas-user] CAS Logout Issue

2020-03-24 Thread 'Maksim Kopeyka' via CAS Community
Hi Ramakrishna,

Did you solve your issue? I have the same problem with SSL session which is 
alive after backchannel logout.

On Wednesday, May 23, 2018 at 2:32:41 PM UTC+3, Ramakrishna G wrote:
>
> Ok Ray. Thanks for your help!!
>
> Anyone who has worked on Mod_auth_cas along with CAS server pls guide me. 
> My issue is MOD_AUTH_CAS_S cookie is not removed from browser after logout.
>
> Thanks
> Ramakrishna G
>
> On Tue, May 22, 2018 at 9:53 PM, Ray Bon > 
> wrote:
>
>> Ramakrishna,
>>
>> This now sounds like an issue on the client side. I have not used 
>> mod_auth_cas. Try debugging it and your client for how they handle the 
>> logout request.
>>
>> Ray
>>
>> On Tue, 2018-05-22 at 15:41 +0530, Ramakrishna G wrote:
>>
>> Ray, 
>>
> >> I was able to solve the ssl issue using openssl. Now I am using https at 
> >> both ends with valid certificates.
>>
> >> But my original problem of cas not logging out still persists.
>>
>> On Sat, May 19, 2018 at 4:51 PM, Ramakrishna G 
>> > wrote:
>>
>> Ray, 
>>
>> I configured ssl as advised by you. Now I have a different issue.
>>
> >> When I use CASValidateURL with an https url I get this Unauthorized error. 
> >> If I remove https it works but the logout issue still persists.  Unauthorized 
>>
>> This server could not verify that you are authorized to access the 
>> document requested. Either you supplied the wrong credentials (e.g., bad 
>> password), or your browser doesn't understand how to supply the credentials 
>> required.
>>
>>
>> I am sharing my config
>>
>> CASCookiePath /var/cache/mod_auth_cas/
>>
>> CASCertificatePath  /etc/httpd/conf/casdev.crt
>>
>> CASLoginURL https://192.168.111.12:8443/cas/login
>>
>> CASRootProxiedAs https://192.168.111.12:8443
>>
>> CASValidateURL  https://192.168.111.12:8443/cas/serviceValidate
>>
>> #CASValidateURL http://192.168.111.12:/cas/serviceValidate // *Tomcat 
>> http port *
>>
>> CASValidateSAML Off
>>
>> CASSSOEnabled On
>> 
>>SSLProxyEngine on
>>SSLProxyVerify none
>>SSLProxyCheckPeerCN off
>>SSLProxyCheckPeerName off
>>SSLProxyCheckPeerExpire off
>>Loglevel debug
>> 
>> AllowOverride
>> AuthType CAS
>> require valid-user
>> CASRenew On
>> ProxyPass http://192.168.111.10/
>> ProxyPassReverse http://192.168.111.10/
>> 
>> 
>> Require all granted
>> ProxyPass https://192.168.111.12:9443/cas  *// Tomcat 
>> https port 9443*
>> ProxyPassReverse https://192.168.111.12:9443/cas
>> 
>>
>> 
>>
>>
>> On Fri, May 18, 2018 at 8:50 PM, Ray Bon > 
>> wrote:
>>
>> Ramakrishna,
>>
>> During log out when CAS contacts your service (where mod_auth_cas is), it 
>> does so with https. You need to install the custom certificate that is on 
>> your service into the jvm running CAS.
>>
>> sudo keytool -import -file ${certName} -alias ${aliasName} -keystore 
>> $JAVA_HOME/jre/lib/security/cacerts
>>
>> https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl
>>
>> Ray
>>
>> On Fri, 2018-05-18 at 11:04 +0530, Ramakrishna G wrote:
>>
>> Ray, 
>>
> >> Let me explain my architecture to you. I have a CAS client (mod_auth_cas) 
> >> which redirects to an NGINX Load Balancer. The nginx forwards to one of the 
> >> active CAS Servers. Do I need to install certificates on all CAS Servers?
>>
> >> User requests go to mod_auth_cas via HTTPS but I am doing ssl stripping for 
> >> internal communication from Nginx to CAS server, i.e. plain http 
> >> communication is happening from nginx to cas server. 
>>
>>
>> Can you pls guide me how can I achieve logout for my approach.
>>
>> On Thu, May 17, 2018 at 9:49 PM, Ray Bon > 
>> wrote:
>>
>> Ramakrishna,
>>
>> Add this to the log config:
>>
>> 
>>
>> The above may produce a lot of messages.
>> It looks to be a problem with CAS contacting your client. It could be a 
>> certificate issue.
>> I guess you created a certificate since it is on a 192 ip. Did you add 
>> the certificate to the java key store? If CAS and your client are on 
>> different machines, then the certificate will need to be added to both.
>>
>> Ray
>>
>> On Thu, 2018-05-17 at 12:01 +0530, Ramakrishna G wrote:
>>
>> Hi Ray, 
>>
>> As said by you, I enabled logs and this is the output
>>
>> 2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager] 
>> - > [TGT-2-*eGcHG1JqHs-client]>
>> 2018-05-17 11:50:46,501 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>> > [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=
>> https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,
>> *artifactId=*
>> ,principal=casuser,loggedOutAlready=false,format=XML]]...>
>> 2018-05-17 11:50:46,503 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - >