Re: [cas-user] Access strategy not working with SAML based service

2021-12-17 Thread Nordy Di Marzio
Thank you Carl for your reply,

I am wondering if it's not related to SAML, because I have the same config
that works fine for CAS-protocol-based SPs... but for SAML-based ones,
nothing.

I would be very thankful if someone can help me.

Thanks.

On Thu, 23 Sep 2021 at 16:35, Carl Waldbieser wrote:

> We are using CAS 6.x.  I have a SAML entry in my allow list that looks
> similar to this:
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "Entity ID goes here ...",
>   "id": 1000,
>   "evaluationOrder": 1000,
>   "name": "SAML Provider",
>   "description": "Blah blah blah ...",
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes": [
>       "java.util.ArrayList",
>       [
>         "eduPersonEntitlement"
>       ]
>     ],
>     "attributeFilter": {
>       "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
>       "completeMatch": false,
>       "excludeUnmappedAttributes": false,
>       "order": 0,
>       "patterns": {
>         "@class": "java.util.HashMap",
>         "eduPersonEntitlement": "^https://example.lafayette.edu/authorized$"
>       }
>     }
>   },
>   "accessStrategy": {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "unauthorizedRedirectUrl": "https://example.lafayette.edu/pages/403.html",
>     "requiredAttributes": {
>       "@class": "java.util.HashMap",
>       "eduPersonEntitlement": [
>         "java.util.HashSet",
>         [
>           "https://example.lafayette.edu/authorized"
>         ]
>       ]
>     }
>   },
>   "logo": "https://cdn.lafayette.edu/images/logos/example-100x100.png",
>   "properties": {
>     "@class": "java.util.HashMap",
>     "InformationURL": {
>       "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values": [
>         "java.util.HashSet",
>         [
>           "https://help.lafayette.edu/example"
>         ]
>       ]
>     }
>   }
> }
>
>
> Hope that helps.
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
> On Thu, Sep 23, 2021 at 9:44 AM Nordy Di Marzio wrote:
>
>> Hello CAS community,
>>
>> I hope you are doing great.
>>
>> I am having a little issue getting the access strategy to work with a
>> SAML-based service.
>>
>> More precisely, I am trying to implement access restrictions based on
>> group membership, but for now all users are able to log on to the app
>> regardless of their group membership, and no error is being logged.
>>
>> So I am wondering if there is something missing in my config. Could you
>> please help me find out what else I should configure?
>>
>> This is the service file that I am using:
>>
>> {
>>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId": "https://foo.bar/",
>>   "name": "foo",
>>   "id": 10013986,
>>   "evaluationOrder": 3,
>>   "metadataLocation": "/etc/cas/saml/foo.xml",
>>   "attributeReleasePolicy": {
>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   },
>>   "accessStrategy": {
>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>     "enabled": true,
>>     "requireAllAttributes": false,
>>     "ssoEnabled": true,
>>     "requiredAttributes": {
>>       "@class": "java.util.HashMap",
>>       "memberOf": [ "java.util.HashSet", [ "CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar" ] ]
>>     }
>>   }
>> }
>>
>>
>> The CAS version I am using is 5.1.
>>
>> Thanks for your help,
>>
>> Nordy
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAA8Tp34kFCWYLEEB4nn8%3DcJki4WCkp-x0V208P%2BfRwdwyqKrXw%40mail.gmail.com
>> 
>> .
>>
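The decision both service definitions in this thread rely on, the `requiredAttributes` check of `DefaultRegisteredServiceAccessStrategy`, modelled in Python as an added example (this is not CAS source code, and the principals are constructed). The model assumes two things about CAS that are not stated on this page: required attribute values are matched as regular expressions, and `requireAllAttributes` defaults to true. The `unwrap` helper strips the Jackson type hints (`"java.util.HashMap"`, `["java.util.HashSet", [...]]`) that CAS writes into service JSON, so the file can be loaded as-is.

```python
"""Model of how a CAS access strategy with requiredAttributes decides access.

Added illustration, not CAS source code: it re-implements the documented
behaviour of DefaultRegisteredServiceAccessStrategy (enabled flag,
requiredAttributes, requireAllAttributes) so a service definition can be
checked against sample principals. Assumptions: required values are regular
expressions (anchored with re.fullmatch here), matching is case-sensitive,
and requireAllAttributes defaults to true.
"""
import json
import re

# Service definition as posted in the thread (SAML SP restricted by memberOf).
SAML_SERVICE_JSON = r'''
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://foo.bar/",
  "name": "foo",
  "id": 10013986,
  "evaluationOrder": 3,
  "metadataLocation": "/etc/cas/saml/foo.xml",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "requireAllAttributes": false,
    "ssoEnabled": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "memberOf": ["java.util.HashSet", ["CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar"]]
    }
  }
}
'''


def unwrap(node):
    """Strip Jackson collection type hints from CAS service JSON.

    {"@class": "java.util.HashMap", ...} becomes a plain dict and
    ["java.util.HashSet", [...]] becomes a plain list; other "@class"
    values (the CAS class names) are kept.
    """
    if isinstance(node, dict):
        return {k: unwrap(v) for k, v in node.items()
                if not (k == "@class" and str(v).startswith("java.util."))}
    if (isinstance(node, list) and len(node) == 2 and isinstance(node[0], str)
            and node[0].startswith("java.util.") and isinstance(node[1], list)):
        return [unwrap(v) for v in node[1]]
    if isinstance(node, list):
        return [unwrap(v) for v in node]
    return node


def evaluate_access(service, principal_attributes):
    """Return (allowed, reason) for a principal against the service's access strategy.

    principal_attributes maps attribute name -> list of values, i.e. what CAS
    actually resolved for the principal, which is not necessarily what the
    directory holds.
    """
    strategy = service.get("accessStrategy") or {}
    if not strategy.get("enabled", True):
        return False, "service disabled by access strategy"
    required = strategy.get("requiredAttributes") or {}
    if not required:
        return True, "no required attributes: every authenticated user is allowed"
    require_all = strategy.get("requireAllAttributes", True)
    satisfied, missing = [], []
    for name, patterns in required.items():
        have = principal_attributes.get(name, [])
        # Each required value is a regex that must match one resolved value.
        hit = any(re.fullmatch(p, v) for p in patterns for v in have)
        (satisfied if hit else missing).append(name)
    if require_all and missing:
        return False, f"requireAllAttributes: unmatched {missing}"
    if not require_all and not satisfied:
        return False, f"no required attribute matched; principal has {sorted(principal_attributes)}"
    return True, f"matched {satisfied}"


SERVICE = unwrap(json.loads(SAML_SERVICE_JSON))

# Constructed principals: what the attribute resolver produced for each login.
MEMBER = {"uid": ["alice"], "memberOf": ["CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar"]}
OUTSIDER = {"uid": ["bob"], "memberOf": ["CN=Other,CN=Users,DC=corp,DC=foo,DC=bar"]}
NO_GROUPS = {"uid": ["carol"]}  # memberOf never resolved, e.g. no attribute repository

if __name__ == "__main__":
    for who in (MEMBER, OUTSIDER, NO_GROUPS):
        print(who["uid"][0], evaluate_access(SERVICE, who))
```

Run it against your own service file and a principal's resolved attributes (as CAS logs them at DEBUG) to see what the strategy should decide. Under this model a principal with no `memberOf` at all is denied, not admitted, so if CAS admits a user the model denies, the strategy is not being consulted on that protocol flow, which is a different problem from a wrong attribute value.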

[cas-user] Customize CAS login view and cas logout view

2021-12-17 Thread Baba Ndiaye
Hello team,
I want to customize the CAS login view and the logout view. I'm using
cas-overlay-template 6.4. @Ray and team for support.



[cas-user] Re: CAS 6.4.4.1 Microsoft SAML logout request failed

2021-12-17 Thread Enrique Guerrero
ADD: I saw that the same error happened in CAS 6.3.x versions.

On Friday, 17 December 2021 at 11:02:22 UTC+1, Enrique Guerrero wrote:

> Hi there.
>
> I'm using CAS (v6.4.4.1) as IdP for users who want to use Office 365. I
> configured the integration following this guide:
> https://apereo.github.io/2018/12/06/cas53-office365-saml2-integration/
>
> The login and SSO session work great through the SAML protocol. The failure
> happens at logout. We saw that Microsoft sends the SAML Logout Request
> without signing it. This causes an error on CAS, which reports that the
> validation of the request's simple signature failed for context issuer:
> "urn:federation:MicrosoftOnline".
>
> I attempted to allow SAML logout requests without a signature using this
> property (cas.authn.saml-idp.logout.force-signed-logout-requests=false):
> https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml-logout
> , but this doesn't do anything.
>
> This SAML logout failure doesn't happen in our integration with Cisco Webex.
> Cisco sends us the SAML logout request with a valid signature, which results
> in a correct logout on CAS.
>
> ===
>
> These are the Microsoft SAML Logout Request and the CAS log:
>
> <samlp:LogoutRequest ID="_432d86e3-f344-4f1e-b553-a6c49e38ce2c"
>     Version="2.0"
>     IssueInstant="2021-11-42T19:10:29.132Z"
>     Destination="https:///cas/idp/profile/SAML2/Redirect/SLO"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
>   <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>       xmlns="urn:oasis:names:tc:SAML:2.0:assertion">localUsername</NameID>
>   <samlp:SessionIndex>ST-13-ZXChfuWEi-uGlIlVejtucpHznlw-sv0181</samlp:SessionIndex>
> </samlp:LogoutRequest>
>
> ===
>
> 2021-11-24 19:10:29,947 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - java.lang.NullPointerException: null
>     at org.apereo.cas.support.saml.services.SamlIdPEntityIdAuthenticationServiceSelectionStrategy.supports(SamlIdPEntityIdAuthenticationServiceSelectionStrategy.java:48) ~[cas-server-support-saml-idp-metadata-6.4.2.jar:6.4.2]
>     at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.lambda$resolveService$0(DefaultAuthenticationServiceSelectionPlan.java:38) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
>     at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176) ~[?:?]
>     at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1631) ~[?:?]
>     at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127) ~[?:?]
>     at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502) ~[?:?]
>     at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488) ~[?:?]
>     at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
>     at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) ~[?:?]
>     at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
>     at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543) ~[?:?]
>     at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.resolveService(DefaultAuthenticationServiceSelectionPlan.java:39) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
>     at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.getRegisteredServiceFromRequest(RegisteredServiceResponseHeadersEnforcementFilter.java:205) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
>     at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.prepareFilterBeforeExecution(RegisteredServiceResponseHeadersEnforcementFilter.java:63) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
>     at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:184) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:62) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:204)
> 
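What CAS has to examine when a LogoutRequest like the one quoted above arrives at the Redirect SLO endpoint, as an added Python example (not CAS or Microsoft code). It builds a request shaped like the Microsoft one with constructed placeholder values (request ID, SessionIndex and the `cas.example.test` hostname are not captured data), encodes it with the HTTP-Redirect binding (raw DEFLATE, then base64, in the `SAMLRequest` query parameter), and then decodes and inspects it: issuer, NameID, SessionIndex and whether a signature is present at all, either as `SigAlg`/`Signature` query parameters (Redirect binding) or as an embedded `ds:Signature` (POST binding). It reports presence only and does not verify any signature.

```python
"""Decode and inspect a SAML 2.0 LogoutRequest received over the HTTP-Redirect binding.

Added example, not CAS or Microsoft code. Shows what an IdP sees at
/idp/profile/SAML2/Redirect/SLO: the DEFLATE+base64 SAMLRequest parameter,
the issuer, NameID and SessionIndex inside it, and whether any signature is
present (SigAlg/Signature query parameters for Redirect, or an embedded
ds:Signature for POST). Presence only; nothing here verifies a signature.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed request shaped like the Microsoft one quoted in the thread.
# ID, SessionIndex and the CAS hostname are placeholders, not captured values.
LOGOUT_REQUEST_XML = """<samlp:LogoutRequest ID="_placeholder-request-id" Version="2.0"
    IssueInstant="2021-11-24T19:10:29.132Z"
    Destination="https://cas.example.test/cas/idp/profile/SAML2/Redirect/SLO"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">localUsername</NameID>
  <samlp:SessionIndex>ST-placeholder-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def encode_redirect_binding(xml_text, signature_b64=None, sig_alg=None):
    """Build the SLO query string: raw DEFLATE, base64, then URL-encode.

    signature_b64/sig_alg are passed through unchanged so the inspector can
    be shown a request that carries signature parameters; no signing happens.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if signature_b64 is not None:
        params["SigAlg"] = sig_alg
        params["Signature"] = signature_b64
    return urlencode(params)


def inspect_logout_request(query_string):
    """Decode SAMLRequest from the query string and summarise what the IdP must validate."""
    params = parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: " + root.tag)
    embedded_sig = root.find("ds:Signature", NS) is not None
    query_sig = "Signature" in params and "SigAlg" in params
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
        "destination": root.get("Destination"),
        "signed": embedded_sig or query_sig,
        "signature_location": "xml" if embedded_sig else ("query" if query_sig else None),
    }


if __name__ == "__main__":
    # Unsigned, as the thread describes Microsoft's request.
    print(inspect_logout_request(encode_redirect_binding(LOGOUT_REQUEST_XML)))
    # Same request with Redirect-binding signature parameters attached (placeholder bytes).
    signed_qs = encode_redirect_binding(
        LOGOUT_REQUEST_XML, signature_b64="cGxhY2Vob2xkZXI=",
        sig_alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    print(inspect_logout_request(signed_qs))
```

Feeding it the real query string from the browser or the CAS access log confirms whether the SP signs anything before any signing requirement is relaxed. An IdP that accepts unsigned LogoutRequests acts on a message anyone could craft from a known NameID and session index, so a relaxation should be scoped as narrowly as the product allows and the SP asked to sign where that is an option.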

[cas-user] CAS 6.4.4.1 Microsoft SAML logout request failed

2021-12-17 Thread Enrique Guerrero
Hi there.

I'm using CAS (v6.4.4.1) as IdP for users who want to use Office 365. I
configured the integration following this guide:
https://apereo.github.io/2018/12/06/cas53-office365-saml2-integration/

The login and SSO session work great through the SAML protocol. The failure
happens at logout. We saw that Microsoft sends the SAML Logout Request
without signing it. This causes an error on CAS, which reports that the
validation of the request's simple signature failed for context issuer:
"urn:federation:MicrosoftOnline".

I attempted to allow SAML logout requests without a signature using this
property (cas.authn.saml-idp.logout.force-signed-logout-requests=false):
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml-logout
, but this doesn't do anything.

This SAML logout failure doesn't happen in our integration with Cisco Webex.
Cisco sends us the SAML logout request with a valid signature, which results
in a correct logout on CAS.

===

These are the Microsoft SAML Logout Request and the CAS log:



<samlp:LogoutRequest ID="_432d86e3-f344-4f1e-b553-a6c49e38ce2c"
    Version="2.0"
    IssueInstant="2021-11-42T19:10:29.132Z"
    Destination="https:///cas/idp/profile/SAML2/Redirect/SLO"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">localUsername</NameID>
  <samlp:SessionIndex>ST-13-ZXChfuWEi-uGlIlVejtucpHznlw-sv0181</samlp:SessionIndex>
</samlp:LogoutRequest>


===

2021-11-24 19:10:29,947 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - java.lang.NullPointerException: null
    at org.apereo.cas.support.saml.services.SamlIdPEntityIdAuthenticationServiceSelectionStrategy.supports(SamlIdPEntityIdAuthenticationServiceSelectionStrategy.java:48) ~[cas-server-support-saml-idp-metadata-6.4.2.jar:6.4.2]
    at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.lambda$resolveService$0(DefaultAuthenticationServiceSelectionPlan.java:38) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
    at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176) ~[?:?]
    at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1631) ~[?:?]
    at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127) ~[?:?]
    at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502) ~[?:?]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488) ~[?:?]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
    at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
    at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543) ~[?:?]
    at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.resolveService(DefaultAuthenticationServiceSelectionPlan.java:39) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
    at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.getRegisteredServiceFromRequest(RegisteredServiceResponseHeadersEnforcementFilter.java:205) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
    at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.prepareFilterBeforeExecution(RegisteredServiceResponseHeadersEnforcementFilter.java:63) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
    at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:184) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:62) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:204) ~[spring-security-web-5.5.2.jar:5.5.2]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.5.2.jar:5.5.2]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.3.9.jar:5.3.9]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.3.9.jar:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at