Re: [cas-user] Redirection after authentication from https to http

2020-09-08 Thread Joe Manavalan

Hi Jerome,
Are there any logs we can get to see the timed out request url?
Btw, I tried adding the proxy host and port as JVM arguments, with the same 
connection timed out error.

Thanks
Joe
On Tuesday, September 8, 2020 at 7:49:32 PM UTC-5 Joe Manavalan wrote:

>
> Hi Jerome,
>
> It appears that the token server cannot be reached directly but has to go 
> via a proxy.
> Is there a property in cas to specify the proxy url and port? Or does this 
> have to be a network setting on the server?
>
> Thanks 
> Joe
> On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:
>
>> Hi,
>>
>> During the authentication process, CAS via pac4j tries to directly 
>> contact the identity provider to retrieve the access token.
>> The "connection timeout" means that the identity provider is not directly 
>> reachable from the CAS server. Maybe a mismatch in the URL definition or a 
>> proxy setting on the CAS server.
>> Thanks.
>> Best regards,
>> Jérôme
>>  
>>
>> On Tue, 8 Sep 2020 at 03:34, Joe Manavalan wrote:
>>
>>> Hi Jerome,
>>>
>>> For testing I set up the server name as the url. And now I have the 
>>> redirect url coming correctly but it's timing out when getting 
>>> authentication Object. Since the error is from pac4j, I also posted a 
>>> message in pac4j group too.
>>>
>>> Following is the trace from log. Would it help trying a different 
>>> version of pac4j ?
>>>
>>>
>>> 2020-09-07 18:47:30,765 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> reached end of additional filter chain; proceeding with original chain>
>>> 2020-09-07 18:47:30,772 DEBUG 
>>> [org.springframework.web.servlet.DispatcherServlet] - >> "/codesESSO/login/a204264-CodesESSO_DevDomain?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8",
>>>  
>>> parameters={masked}>
>>> 2020-09-07 18:47:30,774 DEBUG 
>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>  
>>> - >> org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
>>>  
>>> HttpServletRequest, HttpServletResponse)>
>>> 2020-09-07 18:47:30,775 DEBUG 
>>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - >> response for client [a204264-CodesESSO_DevDomain], redirecting the login 
>>> flow [
>>> https://mycompanydomain.com:8445/codesESSO/login?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain
>>> ]>
>>> 2020-09-07 18:47:30,786 DEBUG 
>>> [org.springframework.web.servlet.view.RedirectView] - >> model {}>
>>> 2020-09-07 18:47:30,787 DEBUG 
>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>  
>>> - >> stored in HttpSession.>
>>> 2020-09-07 18:47:30,787 DEBUG 
>>> [org.springframework.web.servlet.DispatcherServlet] - 
>>> 2020-09-07 18:47:30,787 DEBUG 
>>> [org.springframework.security.web.access.ExceptionTranslationFilter] - 
>>> 
>>> 2020-09-07 18:47:30,788 DEBUG 
>>> [org.springframework.security.web.context.SecurityContextPersistenceFilter] 
>>> - 
>>> 2020-09-07 18:47:30,860 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 1 of 9 in additional filter chain; firing Filter: 
>>> 'ChannelProcessingFilter'>
>>> 2020-09-07 18:47:30,860 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 2 of 9 in additional filter chain; firing Filter: 
>>> 'WebAsyncManagerIntegrationFilter'>
>>> 2020-09-07 18:47:30,860 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 3 of 9 in additional filter chain; firing Filter: 
>>> 'SecurityContextPersistenceFilter'>
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>  
>>> - 
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>  
>>> - >> will be created.>
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 4 of 9 in additional filter chain; firing Filter: 
>>> 'RequestCacheAwareFilter'>
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - 
>>> 
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 5 of 9 in additional filter chain; firing Filter: 
>>> 'SecurityContextHolderAwareRequestFilter'>
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 6 of 9 in additional filter chain; firing Filter: 
>>> 'AnonymousAuthenticationFilter'>
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>>>  
>>> - >> 'org.springframework.security.authentication.AnonymousAuthenticationToken@11ef9e01:
>>>  
>>> Principal: anonymousUser; Credentials: 

Re: [cas-user] Redirection after authentication from https to http

2020-09-08 Thread Joe Manavalan

Hi Jerome,

It appears that the token server cannot be reached directly but has to go 
via a proxy.
Is there a property in cas to specify the proxy url and port? Or does this 
have to be a network setting on the server?

Thanks 
Joe
On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:

> Hi,
>
> During the authentication process, CAS via pac4j tries to directly contact 
> the identity provider to retrieve the access token.
> The "connection timeout" means that the identity provider is not directly 
> reachable from the CAS server. Maybe a mismatch in the URL definition or a 
> proxy setting on the CAS server.
> Thanks.
> Best regards,
> Jérôme
>  
>
> On Tue, 8 Sep 2020 at 03:34, Joe Manavalan wrote:
>
>> Hi Jerome,
>>
>> For testing I set up the server name as the url. And now I have the 
>> redirect url coming correctly but it's timing out when getting 
>> authentication Object. Since the error is from pac4j, I also posted a 
>> message in pac4j group too.
>>
>> Following is the trace from log. Would it help trying a different version 
>> of pac4j ?
>>
>>
>> 2020-09-07 18:47:30,765 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> reached end of additional filter chain; proceeding with original chain>
>> 2020-09-07 18:47:30,772 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet] - > "/codesESSO/login/a204264-CodesESSO_DevDomain?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8",
>>  
>> parameters={masked}>
>> 2020-09-07 18:47:30,774 DEBUG 
>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>  
>> - > org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
>>  
>> HttpServletRequest, HttpServletResponse)>
>> 2020-09-07 18:47:30,775 DEBUG 
>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - > response for client [a204264-CodesESSO_DevDomain], redirecting the login 
>> flow [
>> https://mycompanydomain.com:8445/codesESSO/login?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain
>> ]>
>> 2020-09-07 18:47:30,786 DEBUG 
>> [org.springframework.web.servlet.view.RedirectView] - > model {}>
>> 2020-09-07 18:47:30,787 DEBUG 
>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>  
>> - > stored in HttpSession.>
>> 2020-09-07 18:47:30,787 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet] - 
>> 2020-09-07 18:47:30,787 DEBUG 
>> [org.springframework.security.web.access.ExceptionTranslationFilter] - 
>> 
>> 2020-09-07 18:47:30,788 DEBUG 
>> [org.springframework.security.web.context.SecurityContextPersistenceFilter] 
>> - 
>> 2020-09-07 18:47:30,860 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 1 of 9 in additional filter chain; firing Filter: 
>> 'ChannelProcessingFilter'>
>> 2020-09-07 18:47:30,860 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 2 of 9 in additional filter chain; firing Filter: 
>> 'WebAsyncManagerIntegrationFilter'>
>> 2020-09-07 18:47:30,860 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 3 of 9 in additional filter chain; firing Filter: 
>> 'SecurityContextPersistenceFilter'>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>  
>> - 
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>  
>> - > will be created.>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 4 of 9 in additional filter chain; firing Filter: 
>> 'RequestCacheAwareFilter'>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - 
>> 
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 5 of 9 in additional filter chain; firing Filter: 
>> 'SecurityContextHolderAwareRequestFilter'>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 6 of 9 in additional filter chain; firing Filter: 
>> 'AnonymousAuthenticationFilter'>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>>  
>> - > 'org.springframework.security.authentication.AnonymousAuthenticationToken@11ef9e01:
>>  
>> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; 
>> Details: 
>> org.springframework.security.web.authentication.WebAuthenticationDetails@e21a:
>>  
>> RemoteIpAddress: 10.98.183.5; SessionId: null; Granted Authorities: 
>> ROLE_ANONYMOUS'>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 7 of 9 in additional filter chain; firing Filter: 
>> 

[cas-user] Authentication throttling, per IP and username?

2020-09-08 Thread Baron Fujimoto

I'm seeking some clarification on Authentication Throttling. We're using 5.0.x, 
but the documentation doesn't seem to differ much in subsequent versions for 
this question.



The docs describe both throttling by IP address, and IP address and username. How do we 
ensure the latter so the throttling is also per username? The cas.properties 
documentation includes a "cas.authn.throttle.usernameParameter=username" 
property, but doesn't explain its purpose. I don't see anything else that looks like it 
may be relevant?

--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20200908221042.immqr5tibuzxq44v%40MacBook-Pro.local.


Re: [cas-user] Google SSO

2020-09-08 Thread Jeremiah Garmatter
Great!

Thank you again Richard, have a wonderful day.

On Tuesday, September 8, 2020 at 11:56:52 AM UTC-4 richard.frovarp wrote:

> Yes. The one caveat is that you would need to enable the "Use a domain 
> specific" issuer on prod otherwise it will spit it out with generic values, 
> which doesn't have onu.edu in it. I don't remember what the generic 
> values are. When we upgraded CAS, I logged in to click that button to swap 
> prod over.
>
> On Mon, 2020-09-07 at 13:05 -0700, Jeremiah Garmatter wrote:
>
> Richard,
>
> I'd like to verify something with you about production deployment. 
>
> When I am ready to deploy my CAS instance to my organization, I will need 
> to change the google metadata and service entry. So I should change the 
> service entry from:
> "serviceId" : "google.com/a/gsuitetest.onu.edu" to "serviceId" : "
> google.com/a/onu.edu" ?
>
> and the metadata from:
> entityID="google.com/a/gsuitetest.onu.edu" and Location="
> https://www.google.com/a/gsuitetest.onu.edu/acs;
> to
> entityID="google.com/a/onu.edu" and Location="
> https://www.google.com/a/onu.edu/acs;
>
> Does that all seem correct? I'd really like to verify as this is one of 
> the most used services on campus.
>
> On Monday, August 17, 2020 at 2:17:54 PM UTC-4 Jeremiah Garmatter wrote:
>
> You were right on the first guess,
>
> Google was logging the user out, however, since CAS never properly saw the 
> logout, it could not destroy / invalidate the ticket. It turns out 
> something was entered incorrectly on Google's side. Once I changed the 
> logout URL to the /cas/logout endpoint, without typos, I was able to 
> successfully logout from both CAS and Google mail. 
>
> -Jeremiah Garmatter, Systems Administrator
> -Ohio Northern University, Class of 2020
> -Work: 419-772-1074 Cell: 419-672-8685
> -j-gar...@onu.edu
>
> On Mon, Aug 17, 2020 at 11:52 AM Richard Frovarp  
> wrote:
>
> I haven't chased down logout operation. You're going to need to look, but 
> I'm guessing that they are getting logged out on the Google side, but an 
> SSO session is still active in the IdP? Or is it after logout it isn't 
> doing a logout on Google side?
>
> On Mon, 2020-08-17 at 08:29 -0700, Jeremiah Garmatter wrote:
>
> Richard,
>
> I've got one more question for you.
> First, I'd like to say that all of the sign-in procedure worked perfectly, 
> so thank you for that. 
>
> The only problem I have now is with the logout URL on Google. Before we 
> could set up the SSO, we had to enter a logout URL for Google to use. At 
> first, I tried the /idp/profile/SAML2/Redirect/SLO endpoint, but after the 
> redirect, I get a 500 internal error stating " Error: No SAMLRequest or 
> SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message " 
> as I am redirected to https://X/cas/idp/profile/SAML2/Redirect/SLO. I 
> then realized that, despite being a SAML2 provider, when attempting to 
> access my gsuitetest gmail account, I was redirected to 
> https://X/cas/login?service=. This led me to 
> believe that I could use the /cas/logout endpoint as the logout URL (
> https://XX/cas/logout). I was greeted with the "logout successful" 
> page, but when I open a new tab to access my gsuitetest email, I was not 
> prompted to enter my credentials, I could access my emails as if the cookie 
> was still in use.
>
> I was wondering if you knew how to properly sign a google user out of 
> their email with the logout URL field on Google? 
>
> On Friday, August 14, 2020 at 12:10:39 PM UTC-4 Jeremiah Garmatter wrote:
>
> Sweet, thanks for all this Richard, you've saved me a lot of headache.
>
> -Jeremiah Garmatter, Systems Administrator
> -Ohio Northern University, Class of 2020
> -Work: 419-772-1074 Cell: 419-672-8685
> -j-gar...@onu.edu
>
> On Fri, Aug 14, 2020 at 12:06 PM Richard Frovarp  
> wrote:
>
> I think that's controlled by the metadata, and my notes below say 1.1 
> unspecified.
>
> On Fri, 2020-08-14 at 12:03 -0400, Jeremiah Garmatter wrote:
>
> Ah, I see now. I should have mentioned that, in our case, the username is 
> being sent to google as well, just through that attribute. When you set up 
> google's single sign on, did google's side inform you of the namespace they 
> are expecting usernames to come in as?
>
> -Jeremiah Garmatter, Systems Administrator
> -Ohio Northern University, Class of 2020
> -Work: 419-772-1074 Cell: 419-672-8685
> -j-gar...@onu.edu
>
>
> On Fri, Aug 14, 2020 at 10:24 AM Richard Frovarp  
> wrote:
>
> Yeah, you'll need to treat it like any other SAML2 service, including 
> using the SamlRegisteredService configuration. Not entirely sure about 
> attribute release. In our case, releasing the default username is all we 
> need to make it work. But it should be like any other SAML2 service.
>
> The difference is they used to have a helper that simplified the 

Re: [cas-user] Google SSO

2020-09-08 Thread 'Richard Frovarp' via CAS Community
Yes. The one caveat is that you would need to enable the "Use a domain 
specific" issuer on prod otherwise it will spit it out with generic values, 
which doesn't have onu.edu in it. I don't remember what the generic values are. 
When we upgraded CAS, I logged in to click that button to swap prod over.

On Mon, 2020-09-07 at 13:05 -0700, Jeremiah Garmatter wrote:
Richard,

I'd like to verify something with you about production deployment.

When I am ready to deploy my CAS instance to my organization, I will need to 
change the google metadata and service entry. So I should change the service 
entry from:
"serviceId" : "google.com/a/gsuitetest.onu.edu" to "serviceId" : 
"google.com/a/onu.edu" ?

and the metadata from:
entityID="google.com/a/gsuitetest.onu.edu" and 
Location="https://www.google.com/a/gsuitetest.onu.edu/acs;
to
entityID="google.com/a/onu.edu" and
Location="https://www.google.com/a/onu.edu/acs;

Does that all seem correct? I'd really like to verify as this is one of the 
most used services on campus.

On Monday, August 17, 2020 at 2:17:54 PM UTC-4 Jeremiah Garmatter wrote:
You were right on the first guess,

Google was logging the user out, however, since CAS never properly saw the 
logout, it could not destroy / invalidate the ticket. It turns out something 
was entered incorrectly on Google's side. Once I changed the logout URL to the 
/cas/logout endpoint, without typos, I was able to successfully logout from 
both CAS and Google mail.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 
419-672-8685
-j-gar...@onu.edu

On Mon, Aug 17, 2020 at 11:52 AM Richard Frovarp  wrote:
I haven't chased down logout operation. You're going to need to look, but I'm 
guessing that they are getting logged out on the Google side, but an SSO 
session is still active in the IdP? Or is it after logout it isn't doing a 
logout on Google side?

On Mon, 2020-08-17 at 08:29 -0700, Jeremiah Garmatter wrote:
Richard,

I've got one more question for you.
First, I'd like to say that all of the sign-in procedure worked perfectly, so 
thank you for that.

The only problem I have now is with the logout URL on Google. Before we could 
set up the SSO, we had to enter a logout URL for Google to use. At first, I 
tried the /idp/profile/SAML2/Redirect/SLO endpoint, but after the redirect, I 
get a 500 internal error stating " Error: No SAMLRequest or SAMLResponse query 
path parameter, invalid SAML 2 HTTP Redirect message " as I am redirected to 
https://X/cas/idp/profile/SAML2/Redirect/SLO. I then realized that, despite 
being a SAML2 provider, when attempting to access my gsuitetest gmail account, 
I was redirected to https://X/cas/login?service=. This 
led me to believe that I could use the /cas/logout endpoint as the logout URL 
(https://XX/cas/logout). I was greeted with the "logout successful" page, 
but when I open a new tab to access my gsuitetest email, I was not prompted to 
enter my credentials, I could access my emails as if the cookie was still in 
use.

I was wondering if you knew how to properly sign a google user out of their 
email with the logout URL field on Google?

On Friday, August 14, 2020 at 12:10:39 PM UTC-4 Jeremiah Garmatter wrote:
Sweet, thanks for all this Richard, you've saved me a lot of headache.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 
419-672-8685
-j-gar...@onu.edu

On Fri, Aug 14, 2020 at 12:06 PM Richard Frovarp  wrote:
I think that's controlled by the metadata, and my notes below say 1.1 
unspecified.

On Fri, 2020-08-14 at 12:03 -0400, Jeremiah Garmatter wrote:
Ah, I see now. I should have mentioned that, in our case, the username is being 
sent to google as well, just through that attribute. When you set up google's 
single sign on, did google's side inform you of the namespace they are 
expecting usernames to come in as?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 
419-672-8685
-j-gar...@onu.edu


On Fri, Aug 14, 2020 at 10:24 AM Richard Frovarp  wrote:
Yeah, you'll need to treat it like any other SAML2 service, including using the 
SamlRegisteredService configuration. Not entirely sure about attribute release. 
In our case, releasing the default username is all we need to make it work. But 
it should be like any other SAML2 service.

The difference is they used to have a helper that simplified the SAML2 bits for 
this service. That has been deprecated, and it actively interferes with other 
SAML2 services. Hence the change.

On Fri, 2020-08-14 at 05:54 -0700, Jeremiah Garmatter wrote:
Richard,

Thank you for the advice on this. We have started the creation process of our 
gsuitetest subdomain. While waiting for Google to verify ownership, I'd like to 
probe your brain some more.
In the past (CAS 5.2), using that Googleapps SAML dependency allowed you to 

Re: [cas-user] Design apereo cas version 6.2.1

2020-09-08 Thread Ray Bon
Alainam,

Check out 
https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html 
to see the steps involved. Then use 
https://apereo.github.io/cas/6.2.x/index.html for the updated configuration.

Ray

On Mon, 2020-09-07 at 13:44 +0200, alain ubfc wrote:
Hello,

I am looking for a tutorial on cas 6.2.1 to create the website home page.
Thanks
Best regards

Alainam

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] Redirection after authentication from https to http

2020-09-08 Thread Jérôme LELEU
Hi,

During the authentication process, CAS via pac4j tries to directly contact
the identity provider to retrieve the access token.
The "connection timeout" means that the identity provider is not directly
reachable from the CAS server. Maybe a mismatch in the URL definition or a
proxy setting on the CAS server.
Thanks.
Best regards,
Jérôme


On Tue, 8 Sep 2020 at 03:34, Joe Manavalan wrote:

> Hi Jerome,
>
> For testing I set up the server name as the url. And now I have the
> redirect url coming correctly but it's timing out when getting
> authentication Object. Since the error is from pac4j, I also posted a
> message in pac4j group too.
>
> Following is the trace from log. Would it help trying a different version
> of pac4j ?
>
>
> 2020-09-07 18:47:30,765 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  reached end of additional filter chain; proceeding with original chain>
> 2020-09-07 18:47:30,772 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] -  "/codesESSO/login/a204264-CodesESSO_DevDomain?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8",
> parameters={masked}>
> 2020-09-07 18:47:30,774 DEBUG
> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
> -  org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
> HttpServletRequest, HttpServletResponse)>
> 2020-09-07 18:47:30,775 DEBUG
> [org.apereo.cas.web.BaseDelegatedAuthenticationController] -  response for client [a204264-CodesESSO_DevDomain], redirecting the login
> flow [
> https://mycompanydomain.com:8445/codesESSO/login?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain
> ]>
> 2020-09-07 18:47:30,786 DEBUG
> [org.springframework.web.servlet.view.RedirectView] -  model {}>
> 2020-09-07 18:47:30,787 DEBUG
> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
> -  stored in HttpSession.>
> 2020-09-07 18:47:30,787 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - 
> 2020-09-07 18:47:30,787 DEBUG
> [org.springframework.security.web.access.ExceptionTranslationFilter] -
> 
> 2020-09-07 18:47:30,788 DEBUG
> [org.springframework.security.web.context.SecurityContextPersistenceFilter]
> - 
> 2020-09-07 18:47:30,860 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 1 of 9 in additional filter chain; firing Filter:
> 'ChannelProcessingFilter'>
> 2020-09-07 18:47:30,860 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 2 of 9 in additional filter chain; firing Filter:
> 'WebAsyncManagerIntegrationFilter'>
> 2020-09-07 18:47:30,860 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 3 of 9 in additional filter chain; firing Filter:
> 'SecurityContextPersistenceFilter'>
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
> - 
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
> -  will be created.>
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 4 of 9 in additional filter chain; firing Filter:
> 'RequestCacheAwareFilter'>
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.savedrequest.HttpSessionRequestCache] -
> 
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 5 of 9 in additional filter chain; firing Filter:
> 'SecurityContextHolderAwareRequestFilter'>
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 6 of 9 in additional filter chain; firing Filter:
> 'AnonymousAuthenticationFilter'>
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
> -  'org.springframework.security.authentication.AnonymousAuthenticationToken@11ef9e01:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
> Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@e21a:
> RemoteIpAddress: 10.98.183.5; SessionId: null; Granted Authorities:
> ROLE_ANONYMOUS'>
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 7 of 9 in additional filter chain; firing Filter:
> 'SessionManagementFilter'>
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 8 of 9 in additional filter chain; firing Filter:
> 'ExceptionTranslationFilter'>
> 2020-09-07 18:47:30,861 DEBUG
> [org.springframework.security.web.FilterChainProxy] -
>  at position 9 of 9 in additional filter chain; firing Filter:
> 'FilterSecurityInterceptor'>
> 2020-09-07 18:47:30,864 DEBUG
> [org.springframework.security.web.util.matcher.OrRequestMatcher] -  to match using Ant [pattern='/null/**']>
> 2020-09-07 18:47:30,864