Re: [cas-user] log in error question

2018-05-18 Thread 'Robert Bond' via CAS Community
Hi Jen,

From a security perspective doing this is perhaps not the best idea. By
giving this information you aid attackers looking to verify if an account
exists.
It is best not to give any indication that an account is valid or has been
locked.

https://security.stackexchange.com/questions/40694/disclose-to-user-if-account-exists
https://silentbreaksecurity.com/username-discovery/
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
https://www.netsparker.com/blog/web-security/information-disclosure-issues-attacks/

Bring these concerns up to management. I would strongly recommend against
exposing yourself to account enumeration.


Thanks,
Robert Bond.

On Fri, May 18, 2018 at 1:36 PM David Curry 
wrote:

> There is. You can enable LDAP Password Policy Enforcement (LPPE):
>
>
> https://apereo.github.io/cas/development/installation/Password-Policy-Enforcement.html
>
> This is separate from Password Management (further down the page).
>
> All I had to do was add
>
> cas.authn.ldap[0].passwordPolicy.enabled:   true
> cas.authn.ldap[0].passwordPolicy.type:  AD
> cas.authn.ldap[0].passwordPolicy.strategy:  DEFAULT
>
> to cas.properties.
>
> If you've gotten as far as setting up the src/ hierarchy in your overlay
> to create a theme and/or modify the various page templates, you can style
> these pages (there's a separate one for each failure condition) and you can
> customize the messages displayed by editing custom_messages.properties.
>
> It seems to work pretty well.
>
> --Dave
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> 
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
> [image: The New School]
>
> On Fri, May 18, 2018 at 1:02 PM, Jennifer LaVoie 
> wrote:
>
>> Hello Everyone
>>
>> My managers are asking if CAS can return a better error to the end user
>> besides "invalid credentials" based on the status of their account.
>>
>> If there a way for CAS to know if the account is disabled or the password
>> has expired and return that information to the end user?  I am integrated
>> with Active Directory.
>>
>> thanks
>> Jen
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/87658e9a-bb8f-46bf-a4f8-e176818f26fd%40apereo.org
>> 
>> .
>>
>

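Added example, not from this thread and not CAS code: a small Python model of the two message policies discussed above (one message per account state, versus a single generic string with the real reason kept in a server-side audit log) together with a check that tells whether a login page lets an attacker distinguish accounts. The account-state names, usernames, response bodies and latencies are constructed for the example; nothing here talks to CAS or to a directory.

```python
import hashlib
import logging
import statistics
from collections import defaultdict

GENERIC_MESSAGE = "Invalid credentials."

# One string per account state: the "friendlier" behaviour the managers asked
# for. The state names are this example's own, not CAS's LPPE identifiers.
LEAKY_MESSAGES = {
    "BAD_PASSWORD": GENERIC_MESSAGE,
    "NO_SUCH_USER": "Unknown user.",
    "DISABLED": "This account has been disabled.",
    "LOCKED": "This account is locked.",
    "EXPIRED": "Your password has expired.",
}


def leaky_user_message(state):
    return LEAKY_MESSAGES.get(state, GENERIC_MESSAGE)


def safe_user_message(state, audit=logging.getLogger("cas.audit")):
    """Same string to the browser for every failure; the real reason goes to
    the server-side audit log where only operators can read it."""
    audit.info("login failure state=%s", state)
    return GENERIC_MESSAGE


def response_fingerprint(status, body):
    """Status code plus a hash of the body: two probes with different
    fingerprints are distinguishable by anyone who can send requests."""
    return "%d:%s" % (status, hashlib.sha256(body.encode()).hexdigest()[:12])


def enumeration_report(probes, timing_threshold_ms=250):
    """probes: iterable of (username, status, body, elapsed_ms) collected by
    submitting a wrong password for each username. More than one fingerprint,
    or a large timing spread between fingerprints, means account state leaks."""
    by_fp = defaultdict(list)
    timings = defaultdict(list)
    for username, status, body, elapsed in probes:
        fp = response_fingerprint(status, body)
        by_fp[fp].append(username)
        timings[fp].append(elapsed)
    medians = [statistics.median(v) for v in timings.values()]
    spread = (max(medians) - min(medians)) if medians else 0
    return {
        "fingerprints": dict(by_fp),
        "enumerable": len(by_fp) > 1,
        "timing_spread_ms": spread,
        "timing_suspicious": spread > timing_threshold_ms,
    }


# Constructed sample: what the directory would report for four usernames.
ACCOUNT_STATES = {
    "alice": "BAD_PASSWORD",
    "bob": "DISABLED",
    "carol": "EXPIRED",
    "nobody": "NO_SUCH_USER",
}


def simulate_probes(message_for_state, elapsed_ms=120):
    """Stand-in for real HTTP probes: same status and latency for everyone,
    body rendered from the chosen message policy."""
    return [(user, 401, message_for_state(state), elapsed_ms)
            for user, state in ACCOUNT_STATES.items()]


def leaky_report():
    return enumeration_report(simulate_probes(leaky_user_message))


def safe_report():
    return enumeration_report(simulate_probes(safe_user_message))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, report in (("per-state messages", leaky_report()),
                         ("generic message", safe_report())):
        print("%s: enumerable=%s distinct responses=%d"
              % (name, report["enumerable"], len(report["fingerprints"])))
```

Against a real deployment the probe tuples would come from submitting a wrong password for a known-valid, a disabled, an expired and a non-existent account and recording status, body and latency. The timing check is there because a backend that short-circuits on a missing or disabled account can answer measurably faster than one that actually checks the password, so identical error text alone is not proof that nothing leaks.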


[cas-user] Re: [Cas 5.1.8] Unable to connect to Database for authentication.

2018-08-23 Thread 'Robert Bond' via CAS Community
Here is what we added for oracle setup:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-jdbc-drivers</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>com.oracle.jdbc</groupId>
    <artifactId>ojdbc8</artifactId>
    <version>12.2.0.1</version>
</dependency>

Next add the ojdbc8.jar into the folder jdbc/oracle/ojdbc8.jar

[image: oracleJar.PNG] 


We are using Oracle for just attribute resolution and AD LDAP for 
credentials. 
Here is our attribute resolution for Oracle:
# # Oracle Database Attribute query
cas.authn.attributeRepository.jdbc[0].attributes.GOBUMAP_UDC_ID= UDC_IDENTIFIER
cas.authn.attributeRepository.jdbc[0].username= GOBTPAC_EXTERNAL_USER
cas.authn.attributeRepository.jdbc[0].singleRow= true
cas.authn.attributeRepository.jdbc[0].sql= select GOBUMAP_UDC_ID from GOBUMAP INNER JOIN GOBTPAC on GOBTPAC.GOBTPAC_PIDM = GOBUMAP.GOBUMAP_PIDM where upper(GOBTPAC_EXTERNAL_USER)=upper(?)
cas.authn.attributeRepository.jdbc[0].GOBTPAC_EXTERNAL_USER= uid
cas.authn.attributeRepository.jdbc[0].healthQuery= SELECT 1 FROM DUAL
cas.authn.attributeRepository.jdbc[0].isolateInternalQueries= false
cas.authn.attributeRepository.jdbc[0].url= jdbc:oracle:thin:@//hostname:1521/PROD.example.edu
cas.authn.attributeRepository.jdbc[0].dialect= org.hibernate.dialect.Oracle12cDialect
cas.authn.attributeRepository.jdbc[0].user= casUDCuser
cas.authn.attributeRepository.jdbc[0].password= asdf
cas.authn.attributeRepository.jdbc[0].driverClass= oracle.jdbc.OracleDriver


Hope this helps!


On Tuesday, August 21, 2018 at 10:49:46 AM UTC-5, Ranga Nadha wrote:
>
> Hi Everyone,
>
> We are using CAS 5.1.8 and I am trying to connect to the database for 
> authentication purpose.
>
> I have followed the below procedure but I am getting exceptions.
>
>
>- Downloaded the CAS 5.1.8
>- Modify POM.xml with the following dependency
>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-jdbc</artifactId>
>     <version>${cas.version}</version>
>     <exclusions>
>         <exclusion>
>             <groupId>org.apache.logging.log4j</groupId>
>             <artifactId>log4j-slf4j-impl</artifactId>
>         </exclusion>
>         <exclusion>
>             <groupId>org.codehaus.groovy</groupId>
>             <artifactId>groovy-jsr223</artifactId>
>         </exclusion>
>     </exclusions>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-jdbc-drivers</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-jdbc-authentication</artifactId>
>     <version>${cas.version}</version>
> </dependency>
>
>- Build cas project using mvn clean install.
>- Take the war file and deploy in tomcat.
>- In the extracted cas war.
>- Go to Tomcat/webapps/cas/WEB-INF/classes/application.properties and 
>add the below properties.
>
> cas.authn.jdbc.query[0].sql=SELECT * FROM USERS WHERE USER_ID=?
> cas.authn.jdbc.query[0].url=jdbc:oracle:thin:@xxx..local:1521:db12c
> cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.Oracle12cDialect
> cas.authn.jdbc.query[0].user=
> cas.authn.jdbc.query[0].password=
> cas.authn.jdbc.query[0].driverClass=oracle.jdbc.OracleDriver
> cas.authn.jdbc.query[0].fieldPassword=PASSWORD
> cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
> cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
> cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=SHA1
> cas.authn.jdbc.query[0].passwordEncoder.secret=
> cas.authn.jdbc.query[0].passwordEncoder.strength=16
>
>
> cas.authn.accept.users=
> logging.level.org.apereo=DEBUG
>
> *I am getting the below error*
>
> 2018-08-21 21:00:02,828 DEBUG 
> [org.apereo.cas.adaptors.jdbc.config.CasJdbcAuthenticationConfiguration] - 
>  me, sn=sn, cn=commonName}] for 
> [jdbc:oracle:thin:@..local:1521:dev12c]...>
> 2018-08-21 21:00:02,870 ERROR [com.zaxxer.hikari.HikariConfig] -  to load class of driverClassName oracle.jdbc.OracleDriver in HikariConfig 
> class classloader
> ParallelWebappClassLoader
>   context: cas
>   delegate: false
> --> Parent Classloader:
> java.net.URLClassLoader@13221655
> >
> 2018-08-21 21:00:02,870 ERROR [org.apereo.cas.configuration.support.Beans] 
> -  [oracle.jdbc.Oracle
> Driver] in either of HikariConfig class loader or Thread context 
> classloader]>
>
> Can any one help to resolve this issue.
>
> Thanks in advance,
>
> Thanks,
> Pandu Ranga T.
>

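Added example, not from this thread and not CAS or Hikari code: the failure in the quoted post is Hikari being unable to load the configured driverClass, which usually means the driver jar never made it into the built WAR. The Python below opens a WAR (a zip), reads every jar under WEB-INF/lib/, and reports which jar, if any, carries each driverClass named in cas.properties. The sample WAR, its jar names and the properties fragment are constructed in the script so it runs offline.

```python
import io
import zipfile


def class_resource_name(class_name):
    """'oracle.jdbc.OracleDriver' -> 'oracle/jdbc/OracleDriver.class'"""
    return class_name.replace(".", "/") + ".class"


def jars_providing_class(war_bytes, class_name):
    """Open a WAR from memory and return every location inside it that
    carries the class: WEB-INF/classes, or a jar under WEB-INF/lib/."""
    wanted = class_resource_name(class_name)
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        if "WEB-INF/classes/" + wanted in names:
            found.append("WEB-INF/classes")
        for name in names:
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    if wanted in jar.namelist():
                        found.append(name)
    return found


def driver_classes_from_properties(text):
    """Collect every key ending in .driverClass from a cas.properties body."""
    drivers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().endswith(".driverClass"):
            drivers[key.strip()] = value.strip()
    return drivers


def check_war(war_bytes, properties_text):
    """Map each configured driverClass to the jars that supply it. An empty
    list is the condition Hikari reports as 'Failed to load driver class'."""
    return {key: jars_providing_class(war_bytes, cls)
            for key, cls in driver_classes_from_properties(properties_text).items()}


def _jar_with(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")  # the check only looks at entry names
    return buf.getvalue()


def build_sample_war(include_oracle):
    """Constructed stand-in for a built CAS overlay WAR; jar names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/HikariCP.jar",
                     _jar_with(["com/zaxxer/hikari/HikariConfig.class"]))
        war.writestr("WEB-INF/lib/postgresql.jar",
                     _jar_with(["org/postgresql/Driver.class"]))
        if include_oracle:
            war.writestr("WEB-INF/lib/ojdbc8.jar",
                         _jar_with(["oracle/jdbc/OracleDriver.class"]))
    return buf.getvalue()


# Constructed properties fragment in the shape used in this thread.
SAMPLE_PROPERTIES = """
cas.authn.jdbc.query[0].url=jdbc:oracle:thin:@//hostname:1521/PROD.example.edu
cas.authn.jdbc.query[0].driverClass=oracle.jdbc.OracleDriver
cas.authn.attributeRepository.jdbc[0].driverClass=org.postgresql.Driver
"""

if __name__ == "__main__":
    import sys
    # Real use: python check_war.py target/cas.war etc/cas/config/cas.properties
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as war_file, open(sys.argv[2]) as props:
            result = check_war(war_file.read(), props.read())
    else:
        result = check_war(build_sample_war(include_oracle=False), SAMPLE_PROPERTIES)
    for key, jars in result.items():
        print("%s -> %s" % (key, jars or "MISSING from WAR"))
```

The check only inspects the WAR itself; a driver dropped into the container's shared lib directory instead would be reported as missing here even though the servlet container may still resolve it.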


[cas-user] Unable to read meta-data for class org.apereo.cas.config.SurrogateJdbcAuthenticationConfiguration>

2018-08-22 Thread 'Robert Bond' via CAS Community

I am running into an error when setting up jdbc surrogate authentication on 
CAS 5.2.3 .

The error "Unable to read meta-data for class 
org.apereo.cas.config.SurrogateJdbcAuthenticationConfiguration>" leads me 
to think that I am missing some dependency in pom.xml or bad config in 
cas.properties. 


Here is the error:

2018-08-22 16:07:12,034 INFO 
[org.apereo.cas.web.CasWebApplicationServletInitializer] - 
2018-08-22 16:07:12,396 WARN 
[org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext]
 
- 
2018-08-22 16:07:12,404 ERROR [org.springframework.boot.SpringApplication] 
- 
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to 
process import candidates for configuration class 
[org.apereo.cas.web.CasWebApplication]; nested exception is 
java.lang.IllegalStateException: Unable to read meta-data for class 
org.apereo.cas.config.SurrogateJdbcAuthenticationConfiguration
at 
org.springframework.context.annotation.ConfigurationClassParser.processDeferredImportSelectors(ConfigurationClassParser.java:556)
 
~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at 
org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:185)
 
~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at 
org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:308)
 
~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at 
org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:228)
 
~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]


Dependencies I added to pom.xml:


<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-surrogate-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-surrogate-authentication-jdbc</artifactId>
    <version>${cas.version}</version>
</dependency>

Here is the relevant config in cas.properties.

# # Oracle Database Attribute query
cas.authn.surrogate.jdbc.healthQuery= SELECT 1 FROM DUAL
cas.authn.surrogate.jdbc.isolateInternalQueries= false
cas.authn.surrogate.jdbc.url= jdbc:oracle:thin:@//hostname:1521/serviceName.example.edu
cas.authn.surrogate.jdbc.dialect= org.hibernate.dialect.Oracle12cDialect
cas.authn.surrogate.jdbc.user= cas_db_login_user
cas.authn.surrogate.jdbc.password= passwordASDF
cas.authn.surrogate.jdbc.driverClass= oracle.jdbc.OracleDriver
# # END Oracle Database Attribute query
cas.authn.surrogate.separator=+
# not sure if this is needed for correct
cas.authn.surrogate.principal=samAccountName
cas.authn.surrogate.jdbc.surrogateSearchQuery=SELECT COUNT(*) FROM surrogates WHERE (sysdate between create_date and nvl(expire_date, sysdate + 1)) and login_id=?
cas.authn.surrogate.jdbc.surrogateAccountQuery=SELECT surrogate_id AS surrogateAccount FROM surrogates WHERE (sysdate between create_date and nvl(expire_date, sysdate + 1)) and login_id=?
# END ORACLE JDBC surrogate login config


If anyone has a working config for jdbc surrogate authentication please 
post it or if you have any thoughts on the error.

Thanks!

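Added example, not from this thread and not CAS code: a Python port of the two surrogate queries above against an in-memory sqlite table, so the validity-window logic (and what a NULL expire_date means) can be exercised without an Oracle instance. sqlite has neither sysdate nor nvl(), so the caller passes an ISO-8601 timestamp and coalesce() stands in. The table, grants, usernames and the "surrogate+primary" ordering of the login string are this example's assumptions. One design choice to note: the post's surrogateSearchQuery binds only login_id, while can_impersonate here also binds the requested surrogate_id, so a user holding one grant cannot name an arbitrary account; whether the CAS 5.2.3 JDBC service passes the surrogate to the search query is not something this thread shows, so check SurrogateJdbcAuthenticationService for the version in use before relying on a login_id-only count.

```python
import sqlite3

SEPARATOR = "+"  # cas.authn.surrogate.separator=+ in the post

SCHEMA = """
CREATE TABLE surrogates (
    login_id     TEXT NOT NULL,  -- user who authenticates with their own password
    surrogate_id TEXT NOT NULL,  -- account that user may act as
    create_date  TEXT NOT NULL,  -- ISO-8601 start of the grant
    expire_date  TEXT            -- NULL means open-ended, like nvl() in the post
);
"""

# Constructed sample grants.
SAMPLE_ROWS = [
    ("helpdesk1", "jdoe",   "2019-01-01T00:00:00", "2019-12-31T23:59:59"),
    ("helpdesk1", "asmith", "2019-01-01T00:00:00", None),
    ("helpdesk2", "jdoe",   "2020-01-01T00:00:00", "2020-01-31T23:59:59"),
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO surrogates VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def split_login(username, separator=SEPARATOR):
    """'jdoe+helpdesk1' -> ('jdoe', 'helpdesk1'); 'helpdesk1' -> (None, 'helpdesk1').
    Assumed order: account to impersonate first, authenticating user second."""
    if separator not in username:
        return None, username
    surrogate, _, principal = username.partition(separator)
    return surrogate, principal


def surrogate_accounts(conn, principal, now):
    """Port of the post's surrogateAccountQuery: every account the principal
    may currently act as."""
    rows = conn.execute(
        "SELECT surrogate_id FROM surrogates "
        "WHERE ? BETWEEN create_date AND coalesce(expire_date, ?) "
        "AND login_id = ? ORDER BY surrogate_id",
        (now, now, principal),
    ).fetchall()
    return [row[0] for row in rows]


def can_impersonate(conn, principal, surrogate, now):
    """Authorization check at login: a grant must exist for this exact
    surrogate, be inside its validity window, and name the authenticating user."""
    count = conn.execute(
        "SELECT COUNT(*) FROM surrogates "
        "WHERE ? BETWEEN create_date AND coalesce(expire_date, ?) "
        "AND login_id = ? AND surrogate_id = ?",
        (now, now, principal, surrogate),
    ).fetchone()[0]
    return count > 0


def resolve_effective_principal(conn, username, now):
    """Who the resulting session should belong to, after the primary user's
    own password has been verified elsewhere (LDAP in the post's setup)."""
    surrogate, principal = split_login(username)
    if surrogate is None:
        return principal
    if not can_impersonate(conn, principal, surrogate, now):
        raise PermissionError("%s may not act as %s" % (principal, surrogate))
    return surrogate


if __name__ == "__main__":
    db = open_sample_db()
    for when in ("2019-06-15T12:00:00", "2021-01-01T00:00:00"):
        print(when, "helpdesk1 ->", surrogate_accounts(db, "helpdesk1", when))
    print(resolve_effective_principal(db, "jdoe+helpdesk1", "2019-06-15T12:00:00"))
```

The ISO timestamps are compared as strings, which is only safe because every value uses the same fixed-width format; with real DATE columns the database does the comparison and this concern disappears.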


[cas-user] What do you use for CAS auditing?

2019-03-26 Thread 'Robert Bond' via CAS Community
What is everyone using for CAS auditing?

Mongo, Redis, Postgres, Mysql or other?

I am working on a new deployment for CAS and trying to see what auditing 
repository everyone is using.

Previously I used Mongo but I am leaning toward a relational db for ease of 
reporting.  

Look forward to your responses. 



[cas-user] Anyone using ellucian banner 9 apps with saml on cas?

2019-02-25 Thread 'Robert Bond' via CAS Community
I have encountered issues with banner 9 using the cas protocol on cas 
version 6.0.0 and greater. 
see: 
https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/banner$209|sort:date/cas-user/5B_wPaG7oXA/b2IzHaw3BAAJ

I am going to try setting up some of the banner 9 app using the SAML 
protocol to avoid those issues. Does anyone have experience with banner 9 
and SAML?

The documentation from ellucian is not great, looking for some sample 
config if anyone can share.

Thanks! 



[cas-user] Re: Anyone using ellucian banner 9 apps with saml on cas?

2019-02-27 Thread 'Robert Bond' via CAS Community
Hi Matt,
Thanks for your reply. 



I think it might just be a bug currently. Looks like there have been some 
changes to how cas selects mfa. It currently does not work for finding the 
service when it comes in using the TARGET= service method.
2019-02-25 09:47:54,016 DEBUG [
org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver]
 
- 
I have been trying to find what might be wrong by looking at the cas code, 
sadly I am not experienced enough with the cas code to find what might be 
the problem. The service is correctly found if I change the query-string 
parameter from 'TARGET' to 'service'

Relevant logs:
2019-02-25 09:47:54,010 DEBUG [
org.springframework.webflow.executor.FlowExecutorImpl] -  
'https://appnav.dev.example.edu/applicationNavigator/j_spring_cas_security_check'
]>

2019-02-25 09:47:54,010 DEBUG [
org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] 
- 

2019-02-25 09:47:54,010 DEBUG [
org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - 


2019-02-25 09:47:54,010 DEBUG [
org.springframework.webflow.engine.impl.FlowExecutionImpl] -  
'https://appnav.dev.example.edu/applicationNavigator/j_spring_cas_security_check'
]>

2019-02-25 09:47:54,010 DEBUG [org.springframework.webflow.engine.Flow] - 


2019-02-25 09:47:54,014 DEBUG [
org.springframework.webflow.execution.ActionExecutor] - 

2019-02-25 09:47:54,014 DEBUG [
org.springframework.webflow.execution.ActionExecutor] - 

2019-02-25 09:47:54,015 DEBUG [
org.springframework.webflow.execution.ActionExecutor] - 

2019-02-25 09:47:54,015 DEBUG [
org.springframework.webflow.execution.ActionExecutor] - 

2019-02-25 09:47:54,015 DEBUG [
org.springframework.webflow.engine.ActionState] - 

2019-02-25 09:47:54,015 DEBUG [
org.springframework.webflow.execution.ActionExecutor] - 

2019-02-25 09:47:54,015 DEBUG [
org.springframework.webflow.execution.ActionExecutor] - 

2019-02-25 09:47:54,016 DEBUG [
org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver]
 
- 

2019-02-25 09:47:54,016 DEBUG [
org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 


2019-02-25 09:47:54,016 INFO [
org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

> Robert,
>
> We looked at going 100% SAML2 about a year ago, and Banner was the single 
> sticking point for us. At this time, we are still using CAS 5, and the CAS 
> protocol for Banner 9. It's good to know that there may be complications 
> with CAS 6.
>
> While we were trying to make Banner work with SAML2 (both via CAS 5, and 
> via Okta), I found a pretty helpful guide on eCommunities, attached in this 
> thread as a PDF:  https://ecommunities.ellucian.com/message/190536#190536
>
> My recollection of the experience is, like you say, Ellucian's 
> documentation is not great, and the support for SAML seems to be an 
> afterthought. Most SPs are pretty easy to setup, but not Banner 9. We got 
> the self service apps working alright, but the Admin pages workaround, 
> along with the excessive effort required to maintain the metadata after 
> each application release, just proved to be too much for our small shop. I 
> believe one or two people in this thread went live with SAML2 and Banner 9: 
> https://ecommunities.ellucian.com/message/194959#194959
>
> Matt
>
>
> On Monday, February 25, 2019 at 3:16:42 PM UTC-7, Robert Bond wrote:
>>
>> I have encountered issues with banner 9 using the cas protocol on cas 
>> version 6.0.0 and greater. see: 
>> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/banner$209|sort:date/cas-user/5B_wPaG7oXA/b2IzHaw3BAAJ
>>
>> I am going to try setting up some of the banner 9 app using the SAML 
>> protocol to avoid those issues. Does anyone have experience with banner 9 
>> and SAML?
>>
>> The documentation from ellucian is not great, looking for some sample 
>> config if anyone can share.
>>
>> Thanks! 
>>
>



Re: [cas-user] CAS-6.1.0-RC2 Invalid credentals

2019-02-21 Thread 'Robert Bond' via CAS Community
Hi Erik,

Can you provide an example of your AD config?

Here is an example of mine which is working on 6.1.0RC2:
## LDAP Settings ##
#
https://apereo.github.io/cas/development/configuration/Configuration-Properties-Common.html#ldap-connection-settings

### CONFIG for 6.1.0 RC2
cas.authn.ldap[0].type= AD
cas.authn.ldap[0].ldapUrl= ldap://ad.example.edu
cas.authn.ldap[0].baseDn= ou=All_Users,dc=example,dc=edu
cas.authn.ldap[0].searchFilter= cn={user}
cas.authn.ldap[0].bindDn= cn=aduser,ou=All_Users,dc=example,dc=edu
cas.authn.ldap[0].bindCredential= examplePassword!
cas.authn.ldap[0].dnFormat= cn=%s,ou=All_Users,dc=example,dc=edu
cas.authn.ldap[0].useSsl= false
cas.authn.ldap[0].name= Example-Active-Directory
cas.authn.ldap[0].principalAttributeList= cn:commonName,sn:surname,displayName:displayName,mail:email,givenName,memberOf,samAccountName:eduPersonPrincipalName,mail:emailAddress


On Fri, Feb 8, 2019 at 4:40 PM Erik Mallory  wrote:

> Hello,
>
> I’m getting  the following error trying to authenticate.
>
> I’m using AD for password storage. This did work in RC1; I’m at a loss as
> to what might be broken. Any help would be greatly appreciated.
>
> 2019-02-08 16:30:35,551 DEBUG
> [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] -
> 
>
> 2019-02-08 16:30:35,551 ERROR
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>  authentication handler that supports
> [UsernamePasswordCredential(username=f282c439, source=null)] of type
> [UsernamePasswordCredential]. Examine the configuration to ensure a method
> of authentication is defined and analyze CAS logs at DEBUG level to trace
> the authentication event.>
>
> 2019-02-08 16:30:35,552 DEBUG
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[WSUAD]
> exception details: [Invalid credentials].>
>
> 2019-02-08 16:30:35,552 DEBUG
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>  [UsernamePasswordCredential(username=f282c439, source=null)]. Trying
> next...>
>
>
>
>
>
> 2019-02-08 16:30:35,568 DEBUG
> [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
> - <1 errors, 0 successes>
>
> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0
> successes
>
>at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:349)
> ~[cas-server-core-authentication-api-6.1.0-RC2-SNAPSHOT.jar:6.1.0-RC2-SNAPSHOT]
>
>at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:327)
> ~[cas-server-core-authentication-api-6.1.0-RC2-SNAPSHOT.jar:6.1.0-RC2-SNAPSHOT]
>
>at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:136)
> ~[cas-server-core-authentication-api-6.1.0-RC2-SNAPSHOT.jar:6.1.0-RC2-SNAPSHOT]
>
>at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke()
> ~[cas-server-core-authentication-api-6.1.0-RC2-SNAPSHOT.jar:6.1.0-RC2-SNAPSHOT]
>
>at
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
> ~[spring-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
>
>at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:749)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
>
>at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
>
>at
> org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
>
>at
> org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:135)
> ~[inspektr-audit-1.8.4.GA.jar:1.8.4.GA]
>
>at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) ~[?:?]
>
>at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:?]
>
>at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:?]
>
>at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>
>at
> org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
>
>at
> org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
>
>at
> org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
>
>at
> 

[cas-user] serviceParameter = 'SAMLart' and artifactParameterName ='TARGET ' deprecated?

2019-02-22 Thread 'Robert Bond' via CAS Community
Have the serviceParameter = 'SAMLart' and artifactParameterName = 'TARGET'
been deprecated in CAS?

I am trying to connect CAS 6.1.0-RC2-SNAPSHOT to Banner 9 Application
Navigator ver 3.1.

We had it working on 6.0.0-RC4-SNAPSHOT  and CAS 5.1.2.

Despite being the most recent version of Banner 9 Application Navigator (ver
3.1, released Jan 2019), Application Navigator uses really old versions of the
CAS client. It uses the following jars:
cas-client-core-3.3.3.jar
spring-security-cas-3.2.0.RC1.jar

It uses the following config on the CAS client:

/**************************
 *                        *
 * CAS SSO Configuration  *
 *                        *
 **************************/
// Set active = true when Application Navigator is configured for CAS SSO
grails {
    plugin {
        springsecurity {
            cas {
                active = true
                serviceUrl = 'http://APPLICATION_NAVIGATOR_HOST:PORT/applicationNavigator/j_spring_cas_security_check'
                serverName = 'http://APPLICATION_NAVIGATOR_HOST:PORT'
                proxyCallbackUrl = 'http://APPLICATION_NAVIGATOR_HOST:PORT/applicationNavigator/secure/receptor'
                loginUri = '/login'
                sendRenew = false
                proxyReceptorUrl = '/secure/receptor'
                useSingleSignout = true
                key = 'grails-spring-security-cas'
                // SAML 1.1 style ticket exchange: artifact in SAMLart, service in TARGET
                artifactParameter = 'SAMLart'
                serviceParameter = 'TARGET'
                filterProcessesUrl = '/j_spring_cas_security_check'
                serverUrlEncoding = 'UTF-8'
                if (useSingleSignout) {
                    // As shipped by the vendor: single sign-out tracks the session id
                    // assigned at login, so the session must not be rotated afterwards.
                    grails.plugin.springsecurity.useSessionFixationPrevention = false
                }
            }
        }
    }
}



Re: [cas-user] Re: CAS ver >=6.0.0 is not working for 'TARGET' service parameter

2019-03-14 Thread 'Robert Bond' via CAS Community
We tried using Ellucian's WSO2. We did not enjoy it. We tried using it in
2016. At that time Ellucian was super behind the real WSO2 project. At the
same time they had modified it in ways where trying to use WSO2's
documentation was problematic.

I have been super happy with cas, the documentation can be trying
sometimes, but the project is very alive.

I have seen Ellucian trying to convince people that "Ethos" (Who knows what
Ethos even means) is required. We have been able to do everything without
it and have the flexibility to truly SSO with the rest of our systems.

On Thu, Mar 14, 2019 at 7:48 AM mbar...@scad.edu  wrote:

> Robert,
>
> You are welcome, but I'm just learning about this version of CAS myself.
> I'm glad that helped.
>
> We've been using Ellucian's Luminis version of CAS for years.  I think
> that's still at 3x something, and I never had to do much configuration with
> it.  We've been using that version with Banner 9 for over a year now with
> no issues.
>
> But now we're looking at switching to a standalone CAS.  Ellucian is
> switching over to WSO2 and we're not sure we want to use that product.
> Plus the current version of CAS has several features we could use and being
> not so tied to Ellucian should give us more control.
>
> Thanks,
> Mike
>


-- 
Robert Bond
Application Developer / System Administrator
(918) 444-5936
Northeastern State University



Re: [cas-user] Re: CAS ver >=6.0.0 is not working for 'TARGET' service parameter

2019-03-13 Thread 'Robert Bond' via CAS Community
Dear Mike,

You are the best. It worked! Not sure why I did not have to do this on
previous versions of CAS.
Thanks so much, this has been the last piece preventing me from going
forward with a new deployment of cas using 6.1.0 RC2
You are seriously the best.

How has your deployment of "Banner 9" apps and cas gone?

We are setting up a new CAS cluster using containers k8s with hazelcast
ticket replication

On Wed, Mar 13, 2019 at 9:27 AM mbar...@scad.edu  wrote:

> Robert,
>
> I am very new at this, but I have that functioning in a test environment
> using CAS deployed from the 6.0 branch of the cas-overlay-template.  It's
> working to Ellucian's application navigator and admin common web
> applications.
>
> I added the following to the build.gradle
>
> compile "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
>
> and these settings to the cas.properties
>
> --
> cas.samlCore.ticketidSaml2=false
> cas.samlCore.skewAllowance=5
> cas.samlCore.issueLength=30
> cas.samlCore.attributeNamespace=http://www.ja-sig.org/products/cas/
> cas.samlCore.issuer=poc-sso.scad.edu
> cas.samlCore.securityManager=org.apache.xerces.util.SecurityManager
> --
>
> I hope that helps.
>
> -Mike
>


-- 
Robert Bond
Application Developer / System Administrator
(918) 444-5936
Northeastern State University



[cas-user] CAS ver >=6.0.0 is not working for 'TARGET' service parameter

2019-03-12 Thread 'Robert Bond' via CAS Community
I have been troubleshooting login with a CAS application that uses the 
'TARGET' service parameter in the querystring instead of the normal 
'service'.
It looks like 6.0.0 introduced a new process for multifactor selection 
based on the service parameter. I think there is a bug in this process. 

CAS >= 6.0.0 does not find the services when using the 'TARGET' service 
parameter. 
https://cas.example.edu/cas/login?*TARGET*=https%3A%2F%2Fpprd2-appnav.example.edu%2FapplicationNavigator%2Fj_spring_cas_security_check

I can manually change it to 'service' and it does find it, but it does not 
use the SamlArt authentication like it should when using the 'TARGET' 
service parameter.
https://cas.example.edu/cas/login?*service*=https%3A%2F%2Fpprd2-appnav.example.edu%2FapplicationNavigator%2Fj_spring_cas_security_check

I tried digging into the cas code to find where the error might be, sadly I 
have been unable to find anything. 

Does anyone have any ideas? 


Thanks!

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2b27450a-a587-4ba6-ab1d-b892dafa25ce%40apereo.org.


Re: [cas-user] Re: cas with o365

2019-07-03 Thread 'Robert Bond' via CAS Community
If you do not want to use Azure AD Connect you can create a process to sync
via PowerShell. I have an example on my GitHub:
https://github.com/bondr007/office365UserSync It consumes a CSV and does
some queries against AD. It could be modified for OpenLDAP.

The steps to actually enable SSO on Office are hard to find; it has to be
done via PowerShell. Here is what I used:
http://malithiedirisinghe.blogspot.com/2015/12/office-365-saml-20-federation-with-wso2.html

Here are the specific settings I used when configuring Office 365
federation with CAS.
ActiveLogOnUri :
DefaultInteractiveAuthenticationMethod :
FederationBrandName :
IssuerUri : https://logon.example.com/cas/idp
LogOffUri : https://logon.example/cas/logout?service=http%3A%2F%2Fportal.office.com%2F
MetadataExchangeUri :
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://logon.example.com/cas/idp/profile/SAML2/POST/SSO

Let me know if that helps.


On Wed, Jul 3, 2019 at 5:19 AM Alfonso Veraluz  wrote:

> Hello Robert
>
> Users from the OpenLDAP and from the O365 are not synced at all at the
> moment. It's supposed to achieve this with the Azure AD Connect but this
> means a new server on Windows and it seems the only option that may fit is
> the Passthrough option
> (https://docs.microsoft.com/es-es/azure/active-directory/hybrid/how-to-connect-pta).
> Not sure about it and I can test it but it will require some time to build
> and configure it. Can this be achieved via PowerShell?
>
> As @casuser said, the steps to be done in the O365 are not very clear in the
> documentation.
>
> Thanks
>
> On Tuesday, July 2, 2019, 23:41:11 (UTC+2), Robert Bond wrote:
>>
>>
>> Were you able to complete the setup?
>>
>> Thanks!
>> On Tuesday, July 2, 2019 at 9:38:53 AM UTC-5, Alfonso Veraluz wrote:
>>>
>>> Hello.
>>>
>>> I have a CAS 5.2.3 running fine with a Tomcat 8.0.32, OpenJDK 1.8 and
>>> connected to an OpenLDAP so my users can log in with the uid and the mail.
>>> This CAS is actually providing SSO between Alfresco and Liferay.
>>>
>>> I want to add the SSO with Office365 but only for a particular public
>>> domain and there are some questions:
>>>
>>> 1.- What FederationMetadata.xml is needed to provide in CAS, the one in
>>> https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
>>> or the one with my EntityID provided from the Portal Azure Admin section?
>>> 2.- How to map the mail in the OpenLDAP to be the same as the O365 account?
>>> It's supposed the IdP will map it in cas.samlSp.office365.attributes?
>>>
>>> Adding this to my cas.properties should be enough?
>>>
>>> #/etc/cas/saml/frommsoft/federationmetadata.xml from
>>> https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
>>>
>>> cas.samlSP.office365.metadata=/etc/cas/saml/frommsoft/federationmetadata.xml
>>> cas.samlSp.office365.name=O365
>>> cas.samlSp.office365.description=Office365 Integration
>>> cas.samlSp.office365.nameIdAttribute=scopedImmutableID
>>> cas.samlSp.office365.attributes=IDPEmail,ImmutableID
>>>
>>> Thanks for your comments.
>>>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/49ba8f0f-fee3-4bcb-a154-d2345360178d%40apereo.org.


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOA9z6pgPeVKYh1aOZz_qHMikcnrLBtv1awc6ksxQh6xFR4Q7w%40mail.gmail.com.
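The federation step Robert describes above, done with the MSOnline PowerShell module and the endpoint values he listed, as an added example. This is not code from the thread, from the office365UserSync project or from the linked blog post. It assumes the domain name `example.com`, a local copy of the CAS IdP signing certificate at `C:\cas\idp-signing.crt`, and that the logout URL lives on the same `logon.example.com` host as the IssuerUri and PassiveLogOnUri; everything else is taken from the settings in the post.

```powershell
# Added example (not code from the thread): federate a verified Office 365
# domain with a CAS SAML2 IdP using the MSOnline module. Assumed values:
# the domain name and the signing-certificate path. The IssuerUri and
# PassiveLogOnUri are the ones listed in the post above.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a tenant administrator

$domain     = 'example.com'                          # assumed domain, must already be verified in the tenant
$casIdpBase = 'https://logon.example.com/cas/idp'    # IssuerUri from the post
$certPath   = 'C:\cas\idp-signing.crt'               # assumed path to the CAS IdP signing cert (DER or PEM)

# Office 365 expects the signing certificate as a plain base64 string of the
# DER bytes (no PEM header/footer lines), which is what GetRawCertData gives.
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$signingCert = [Convert]::ToBase64String($cert.GetRawCertData())

# Convert the domain from Managed to Federated, pointing Microsoft at CAS.
# SAMLP selects the SAML 2.0 protocol instead of the default WS-Federation;
# ActiveLogOnUri is left unset, matching the settings shown in the post.
Set-MsolDomainAuthentication `
    -DomainName $domain `
    -Authentication Federated `
    -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri $casIdpBase `
    -PassiveLogOnUri "$casIdpBase/profile/SAML2/POST/SSO" `
    -LogOffUri 'https://logon.example.com/cas/logout?service=http%3A%2F%2Fportal.office.com%2F' `
    -SigningCertificate $signingCert `
    -FederationBrandName 'Example University CAS'   # assumed display name

# Read the settings back; this is the same output shape Robert pasted above,
# so IssuerUri, PassiveLogOnUri and LogOffUri should echo the values just set.
Get-MsolDomainFederationSettings -DomainName $domain
```

When the CAS signing certificate is rotated, the same cmdlet accepts `-NextSigningCertificate` so the new certificate can be registered before CAS starts using it; the `NextSigningCertificate` field in Robert's output is where that value shows up.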


[cas-user] Re: cas with o365

2019-07-02 Thread 'Robert Bond' via CAS Community

Let me know if the below makes sense. 

For the integration you need to pass the attributes as follows:

cas.samlSP.office365.metadata=https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
cas.samlSP.office365.name=O365
cas.samlSP.office365.description=O365 Integration
cas.samlSP.office365.nameIdAttribute=Something from your OpenLDAP that does not change, like objectGUID in Active Directory. You need to sync this to O365 as the ImmutableId.
cas.samlSP.office365.attributes=mail 'from your OpenLDAP', objectguid 'your ImmutableId again'


On Tuesday, July 2, 2019 at 9:38:53 AM UTC-5, Alfonso Veraluz wrote:
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d701e953-6f3e-46b8-88e3-dc9fd07ae357%40apereo.org.


Re: [cas-user] Re: cas with o365

2019-07-08 Thread 'Robert Bond' via CAS Community
Neat tip for anyone using CAS with Office 365. You can have Microsoft 
automatically redirect to your CAS login by using a link like the one below:
https://login.microsoftonline.com/?whr=example.com

A few other options are mentioned here: 
https://www.enowsoftware.com/solutions-engine/using-smart-links-to-improve-the-login-process-to-office-365-applications


On Monday, July 8, 2019 at 8:28:10 AM UTC-5, Robert Bond wrote:
>
> Were you able to complete the o365 setup with cas?
>
> On Wednesday, July 3, 2019 at 9:26:36 AM UTC-5, Robert Bond wrote:


Re: [cas-user] Re: cas with o365

2019-07-08 Thread 'Robert Bond' via CAS Community
Were you able to complete the o365 setup with cas?

On Wednesday, July 3, 2019 at 9:26:36 AM UTC-5, Robert Bond wrote:
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f421b7a0-3a97-466d-9479-695e1fd4b3c0%40apereo.org.


[cas-user] Re: 6.0.x Actuator endpoint security for cas config server

2019-04-24 Thread 'Robert Bond' via CAS Community

Here is a blog post by Misagh Moayyed about it: 
https://apereo.github.io/2018/11/06/cas6-admin-endpoints-security/

On Wednesday, April 24, 2019 at 8:29:05 AM UTC-5, Juna Grosse Lengerich 
wrote:
>
> Hi,
>
> We're having a problem with the actuator configuration for our CAS config 
> server.
> Since Spring Boot 2 the actuator endpoint security can't be configured by 
> properties anymore.
> But the CAS server properties that allow security configuration seem to be 
> missing for both the config and admin server.
>
> The Spring configuration adapters are defined in this class:
>
> https://github.com/apereo/cas/blob/6.0.x/webapp/cas-server-webapp-config/src/main/java/org/apereo/cas/web/security/CasWebSecurityConfigurerAdapter.java
>
> But the CAS server webapp config dependency has conflicts with bean 
> definitions, so it can't just be included.
>
> Has anyone found a solution to this problem? We need unrestricted access 
> to the health endpoint for a health check.
>
> Any help would be really appreciated.
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/07f64e5f-b953-45e7-b651-ec9460f158db%40apereo.org.


[cas-user] Re: cas with o365

2019-07-02 Thread 'Robert Bond' via CAS Community

You need to have an ImmutableId that is shared with Office365 through your 
import process. This can be almost anything; it just cannot be changed on the 
O365 side. Typically people use the account GUID from their directory 
server. 

You can use the integration the way you currently are, or below is my 
service for Office 365. 

Do you have the attributes 'scopedImmutableID,IDPEmail,ImmutableID' being 
imported into the CAS attribute repository from your OpenLDAP? 

Service for Office365:

{
  "id" : 23,
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "evaluationOrder" : 23,
  "metadataLocation" : "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
  "metadataExpirationDuration" : "PT60M",
  "signAssertions" : false,
  "skipGeneratingAssertionNameId" : false,
  "skipGeneratingSubjectConfirmationInResponseTo" : false,
  "skipGeneratingSubjectConfirmationNotOnOrAfter" : false,
  "skipGeneratingSubjectConfirmationRecipient" : false,
  "skipGeneratingSubjectConfirmationNotBefore" : true,
  "signResponses" : true,
  "encryptAssertions" : false,
  "metadataCriteriaRoles" : "SPSSODescriptor",
  "metadataCriteriaRemoveEmptyEntitiesDescriptors" : true,
  "metadataCriteriaRemoveRolelessEntityDescriptors" : true,
  "signingCredentialType" : "BASIC",
  "serviceId" : "urn:federation:MicrosoftOnline",
  "name" : "office365",
  "description" : "Office 365",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "ImmutableId",
    "canonicalizationMode" : "NONE",
    "encryptUsername" : false
  },
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://login.microsoftonline.com/login.srf",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

On Tuesday, July 2, 2019 at 9:38:53 AM UTC-5, Alfonso Veraluz wrote:

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/52da3327-d9fd-4056-a7f7-a61499b03eba%40apereo.org.


[cas-user] Re: cas with o365

2019-07-02 Thread 'Robert Bond' via CAS Community
Yep, you also need to add the uid as the ImmutableId on creation of the 
accounts in Office365. How are you syncing users to Office365? 
To set the ImmutableId on a user via PowerShell:
Set-MsolUser -UserPrincipalName a...@example.com -ImmutableId 71cfd66c-2c72-43ee-a88e-8e29458eb3b0

On Tuesday, July 2, 2019 at 9:38:53 AM UTC-5, Alfonso Veraluz wrote:

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7b22e5dd-94fc-4e47-a1fe-7303ed02cb69%40apereo.org.
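The account-side half of what Robert describes (an ImmutableId that is set when the Office 365 account is created and then never changes, matching the attribute CAS releases as the SAML NameID) as an added example. This is not the office365UserSync script from the thread or any Microsoft sample. It assumes the MSOnline module with an admin session, a constructed CSV with the columns `upn`, `displayName`, `firstName`, `lastName` and `uid`, and that `uid` is the directory value CAS will release as the NameID, as in the thread; the function name `Set-FederatedImmutableId` is my own.

```powershell
# Added example (not the office365UserSync script): set a stable ImmutableId
# on Office 365 accounts from a CSV export, creating the account when it does
# not exist yet. Run this while the domain is still Managed: Azure AD does not
# allow ImmutableId to be changed on a user whose domain is already federated,
# which is why the anchor has to be in place before Set-MsolDomainAuthentication.

Import-Module MSOnline
Connect-MsolService

# Constructed sample input; a real run would use Import-Csv on an export from
# OpenLDAP or AD. The GUID is the one from the post above, used as a sample uid.
$users = @'
upn,displayName,firstName,lastName,uid
jdoe@example.com,Jane Doe,Jane,Doe,71cfd66c-2c72-43ee-a88e-8e29458eb3b0
'@ | ConvertFrom-Csv

function Set-FederatedImmutableId {
    # Returns a short status string per row so a sync run can be audited.
    param([Parameter(Mandatory)] $Row)

    $existing = Get-MsolUser -UserPrincipalName $Row.upn -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # New account: the anchor can be set at creation time, as the post says.
        New-MsolUser -UserPrincipalName $Row.upn -DisplayName $Row.displayName `
            -FirstName $Row.firstName -LastName $Row.lastName `
            -ImmutableId $Row.uid | Out-Null
        return 'created'
    }
    if ($existing.ImmutableId -eq $Row.uid) {
        return 'unchanged'
    }
    if ($existing.ImmutableId) {
        # A different anchor is already set. Overwriting it would re-link the
        # cloud account to a different directory identity, so report instead.
        return "conflict: tenant has ImmutableId $($existing.ImmutableId)"
    }
    Set-MsolUser -UserPrincipalName $Row.upn -ImmutableId $Row.uid
    return 'updated'
}

foreach ($row in $users) {
    $status = Set-FederatedImmutableId -Row $row
    Write-Host ("{0,-32} {1}" -f $row.upn, $status)
}
```

The conflict branch is the part worth keeping in any real sync job: an ImmutableId that silently changes on either side is exactly the "I can log in to CAS but not to login.microsoftonline.com" symptom reported later in this thread, because the NameID CAS sends no longer matches any account anchor in the tenant.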


Re: [cas-user] Re: Problem with Global Principal Attribute

2019-08-14 Thread 'Robert Bond' via CAS Community
Mr. Bond,

I have not configured CAS for triggering multi-factor based off a single
attribute. I have for a multi-valued memberOf attribute; it should be
basically the same.
Here is my config for looking at the memberOf attributes:
# Activate MFA globally based on principal attributes
cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf
# Specify the regular expression pattern to trigger multifactor when working with a single provider.
cas.authn.mfa.globalPrincipalAttributeValueRegex=CN=mfa-eligible,OU=DuoMFA,OU=Groups,DC=nsuok,DC=edu

Here is what I think you need:
# Activate MFA globally based on principal attributes
cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
# Specify the regular expression pattern to trigger multifactor when working with a single provider.
cas.authn.mfa.globalPrincipalAttributeValueRegex=mfa-gauth

Let me know if that works for you.

Robert Bond.

On Wed, Aug 14, 2019 at 12:58 PM John Bond  wrote:

>
>
> On Wednesday, August 14, 2019 at 6:50:13 PM UTC+1, John Bond wrote:
>>
>>
>> cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
>>
>>
> I tried to use preferredLanguage instead of businessCategory which is a
> SINGLE-VALUE[1] attribute but this made no difference.
>
> 2019-08-14 17:56:04,201 DEBUG
> [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
> - 
>
> 2019-08-14 17:56:04,202 DEBUG
> [org.apereo.cas.authentication.MultifactorAuthenticationUtils] -  value [[mfa-gauth]] is not a single-valued attribute>
>
> 2019-08-14 17:56:04,204 DEBUG
> [org.apereo.cas.authentication.MultifactorAuthenticationUtils] -  [mfa-gauth] since no matching transition could be found>
>
>
> [1]https://ldapwiki.com/wiki/SINGLE-VALUE
>
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d1d49b26-d8e9-423f-8831-4596aca3f189%40apereo.org.


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOA9z6oGTCFTprTe8V%2Bgzm8XhT08CeLth_a82xihbAZiDFBBvw%40mail.gmail.com.


Re: [cas-user] Re: cas with o365

2019-07-09 Thread 'Robert Bond' via CAS Community
Have you switched Office 365 over to use federated login via 
the Set-MsolDomainAuthentication PowerShell command?

On Monday, July 8, 2019 at 11:28:18 AM UTC-5, Alfonso Veraluz wrote:
>
> Hello.
>
> No. I made some progress by adding values to the ImmutableId on the 365 
> users, but after that:
>  1) I can log in to CAS but it doesn't log in on login.microsoftonline.com
>  2) I can log in on login.microsoftonline.com but it doesn't SSO with my CAS. 
>
> It's just that both systems are not connected after all.
>
> On Monday, July 8, 2019, 15:28:10 (UTC+2), Robert Bond wrote:
>>
>> Were you able to complete the o365 setup with cas?
>>

Re: [cas-user] Re: SAMLResponse is not base64 encoded

2019-11-21 Thread 'Robert Bond' via CAS Community
I have been running into this same issue for quite a while now. Have not
been able to identify the source.

On Thu, Nov 21, 2019 at 11:25 AM Chris G  wrote:

> I'm just wondering if anyone figured this out. I have the same issue--SAML
> Responses from CAS are NOT base64 encoded, but all the clients I have seem
> to expect the SAML Response to be base64 encoded.
>
> Is this a SAML spec, that it should be base64 encoded and CAS isn't
> implementing it properly?
>
>
> On Wednesday, September 18, 2019 at 4:55:58 PM UTC-4, Chris H wrote:
>>
>>
>> I am working with a client who's running a CAS server (a backpatched
>> version of 3.4.12) as their IdP. We are trying to connect this with our
>> product, a SAML SP implemented with OneLogin's PHP client.
>>
>> The issue we are having is that the "SAMLResponse" POST parameter is
>> coming over in raw form, i.e. it is not base64 encoded. The OneLogin lib
>> appears to assume that this value is base64 encoded and throws an exception
>> when it is not. I do not see any configuration to override this behaviour.
>>
>> Is it possible to configure CAS to base64 encode this value before
>> sending?
>>
>> Any idea why this would be happening? We have several active SAML2
>> integrations with other clients who use CAS as their IdP.
>>
>> Thanks!
>> Chris
>>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University
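The check an SP could run on the SAMLResponse parameter this thread is about, added here as an example (it is not code from the thread, from CAS or from OneLogin): it tells a spec-conformant base64-encoded Response from one posted as raw XML, and re-encodes the latter so a library that insists on base64 can still parse it while the SP records which peer is out of spec. The sample Response is constructed, and only the standard library is used.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
RESPONSE_TAG = "{%s}Response" % SAMLP_NS

# Constructed sample: a minimal samlp:Response, not a capture from any CAS server.
SAMPLE_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" '
    b'Version="2.0" IssueInstant="2019-09-18T20:55:58Z">'
    b'<saml:Issuer>https://cas.example.edu/cas/idp</saml:Issuer>'
    b'<samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'</samlp:Response>'
)


def encode_for_post(xml_bytes: bytes, wrap: bool = False) -> str:
    """Encode a Response as the SAML 2.0 HTTP-POST binding requires: plain base64
    (no DEFLATE; that belongs to the Redirect binding). Some senders line-wrap
    the value at 76 columns; wrap=True reproduces that."""
    encoded = base64.b64encode(xml_bytes).decode("ascii")
    if wrap:
        encoded = "\n".join(encoded[i:i + 76] for i in range(0, len(encoded), 76))
    return encoded


def _root_tag(data: bytes) -> Optional[str]:
    """Root element tag, or None if the bytes are not well-formed XML.
    Production code should parse untrusted responses with defusedxml;
    ElementTree is used here only to stay standard-library."""
    try:
        return ET.fromstring(data).tag
    except ET.ParseError:
        return None


def classify_saml_response(value: str) -> Tuple[str, Optional[bytes]]:
    """Classify a SAMLResponse form value.

    Returns (kind, xml_bytes) where kind is:
      "base64"  - encoded as the binding requires; xml_bytes is the decoded Response
      "raw-xml" - the bare XML document, the symptom reported in this thread
      "invalid" - neither a samlp:Response nor base64 of one
    """
    stripped = value.strip().lstrip("\ufeff")
    if stripped.startswith("<"):
        data = stripped.encode("utf-8")
        return ("raw-xml", data) if _root_tag(data) == RESPONSE_TAG else ("invalid", None)
    # '<' is outside the base64 alphabet, so raw XML can never reach this branch.
    compact = re.sub(r"\s+", "", stripped)
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return ("invalid", None)
    return ("base64", decoded) if _root_tag(decoded) == RESPONSE_TAG else ("invalid", None)


def ensure_base64(value: str) -> Tuple[str, bool]:
    """Return the value in the base64 form an SP library expects, plus whether it
    had to be re-encoded. Log the True case: an IdP posting raw XML is out of
    spec and the operator should know which peer does it."""
    kind, xml_bytes = classify_saml_response(value)
    if kind == "invalid":
        raise ValueError("SAMLResponse is neither a samlp:Response nor base64 of one")
    if kind == "raw-xml":
        return encode_for_post(xml_bytes), True
    return re.sub(r"\s+", "", value), False


if __name__ == "__main__":
    for label, sample in [("spec", encode_for_post(SAMPLE_RESPONSE)),
                          ("raw", SAMPLE_RESPONSE.decode("utf-8"))]:
        print(label, classify_saml_response(sample)[0])
```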



Re: [cas-user] Re: private git Service Registry authentication not working

2019-10-29 Thread 'Robert Bond' via CAS Community
6.1.0RC6, I switched to using ssh keys and it worked.

Thanks,
Robert Bond.

On Tue, Oct 29, 2019 at 5:28 AM Misagh Moayyed 
wrote:

> Are you still seeing this with 6.1.0?
>
> On Saturday, October 12, 2019 at 12:07:47 AM UTC+4, Robert Bond wrote:
>>
>> Getting an error when using a private git repo for the CAS service registry.
>> It works correctly if I remove the username and password config options and
>> use a public repo.
>>
>> Here is my config for the registry:
>> cas.serviceRegistry.git.repositoryUrl=https://gitlab.example.edu/cas-service-registry.git
>> cas.serviceRegistry.git.branchesToClone=dev
>> cas.serviceRegistry.git.activeBranch=dev
>> cas.serviceRegistry.git.username=asdf
>> cas.serviceRegistry.git.password=asdf
>> cas.serviceRegistry.git.cloneDirectory=file:/tmp/cas-service-registry
>> cas.serviceRegistry.git.pushChanges=false
>>
>>
>> And here is the error I am getting:
>> 2019-10-11 19:03:29,837 ERROR
>> [org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler] -
>> 
>> org.eclipse.jgit.api.errors.TransportException:
>> https://gitlab.example.edu/cas-service-registry.git: Authentication is
>> required but no CredentialsProvider has been registered
>>
>> Any thoughts?
>>
>> I used our internal gitlab and tried using a github account also, tested
>> the credentials are working.
>>
>> I tried looking at the cas code for the gitServiceRegistry and it seems
>> like it has the options for specifying a username and password.
>>
>> Attached full log output also.
>>
>> Thanks!
>>





[cas-user] 6.1.0 RC6 Attributes Values being doubled when surrogacy is enabled

2019-10-07 Thread 'Robert Bond' via CAS Community
Running into an odd doubling of attribute values when surrogate access is 
enabled, on CAS 6.1.0 RC6.


Here is my Surrogate config, Active Directory Auth config, and Attribute 
repository:

# Surrogate config 
cas.authn.surrogate.separator=+
cas.authn.surrogate.json.location=file:/etc/cas/config/surrogates.json

# set some properties we can re-use in authn and attributeRepository 
configuration
ldap-url= ldaps://ad01.example.edu:636
ldap-binddn=  cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc=example,dc=edu
ldap-bindpw=  examplePass
ldap-auth-type=   DIRECT
ldap-basedn=  ou=All_Users,dc=example,dc=edu
ldap-dnformat=cn=%s,ou=All_Users,dc=example,dc=edu
ldap-user-filter= (cn={user})
ldap-max-pool-size=20
ldap-tls=false
ldap-ssl=true
# configure ldap authentication
cas.authn.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
cas.authn.ldap[0].base-dn=${ldap-basedn}
cas.authn.ldap[0].bind-credential=${ldap-bindpw}
cas.authn.ldap[0].bind-dn=${ldap-binddn}
cas.authn.ldap[0].dn-format=${ldap-dnformat}
cas.authn.ldap[0].ldap-url=${ldap-url}
cas.authn.ldap[0].max-pool-size=${ldap-max-pool-size}
cas.authn.ldap[0].min-pool-size=0
cas.authn.ldap[0].subtree-search=true
cas.authn.ldap[0].type=${ldap-auth-type}
cas.authn.ldap[0].searchFilter=${ldap-user-filter}
cas.authn.ldap[0].use-ssl=${ldap-ssl}
cas.authn.ldap[0].use-start-tls=${ldap-tls}

# configure ldap attribute repository
cas.authn.attributeRepository.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
cas.authn.attributeRepository.ldap[0].ldapUrl=${ldap-url}
cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].useSsl=${ldap-ssl}
cas.authn.attributeRepository.ldap[0].useStartTls=${ldap-tls}
cas.authn.attributeRepository.ldap[0].baseDn=${ldap-basedn}
cas.authn.attributeRepository.ldap[0].searchFilter=${ldap-user-filter}
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].bindDn=${ldap-binddn}
cas.authn.attributeRepository.ldap[0].bindCredential=${ldap-bindpw}
cas.authn.attributeRepository.ldap[0].minPoolSize=0
cas.authn.attributeRepository.ldap[0].maxPoolSize=${ldap-max-pool-size}
cas.authn.attributeRepository.ldap[0].validateOnCheckout=true

# configure validator for attribute repository
cas.authn.attributeRepository.ldap[0].validator.type=SEARCH
cas.authn.attributeRepository.ldap[0].validator.baseDn=${ldap-basedn}
cas.authn.attributeRepository.ldap[0].validator.searchFilter=(objectClass=*)
cas.authn.attributeRepository.ldap[0].validator.scope=OBJECT
cas.authn.attributeRepository.ldap[0].validator.attributeName=objectClass
cas.authn.attributeRepository.ldap[0].validator.attributeValues=top

# Get AD attributes
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=samAccountName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.mail=email
cas.authn.attributeRepository.ldap[0].attributes.mail=emailAddress
cas.authn.attributeRepository.ldap[0].attributes.givenName=givenName
cas.authn.attributeRepository.ldap[0].attributes.sn=surname
cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf


When the surrogacy dependency is added to build.gradle the 
attributeRepository returns doubled values for the attributes. See the 
example attributes below:

cn [BONDR, BONDR]
displayName [Robert Bond, Robert Bond]
distinguishedName [CN=BONDR,OU=NSU,OU=All_Users,DC=example,DC=edu, 
CN=BONDR,OU=All_Users,DC=example,DC=edu]


Any thoughts? When I remove the surrogate dependency from build.gradle it 
returns the attributes correctly. ex: cn [BONDR]


Thanks!
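A small lint for cas.properties fragments like the one above, added here as an example (not from the thread or from the CAS project): it parses the file the way java.util.Properties does, then flags keys assigned more than once (attributes.mail above is set twice), lines left without a key when a mail client wraps a long value, and ${...} references to properties that are never defined, and finally shows what a duplicated key actually resolves to. The sample input is constructed from the config above; its dn-format reference is deliberately left dangling, and whether the duplicate key is related to the doubled attribute values is not something the thread establishes.

```python
import re
from typing import Dict, List, Tuple

# ${name} or ${name:default}; group(1) is the referenced property name
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::[^}]*)?\}")

# Constructed excerpt modelled on the config in this thread (not the poster's exact file):
# the bind DN is wrapped without a trailing backslash, as the mail client did above,
# attributes.mail is assigned twice, and dn-format references a property that is never set.
SAMPLE_PROPERTIES = """\
# set some properties we can re-use in authn and attributeRepository configuration
ldap-url= ldaps://ad01.example.edu:636
ldap-binddn=  cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc
=example,dc=edu
ldap-basedn=  ou=All_Users,dc=example,dc=edu
ldap-user-filter= (cn={user})
cas.authn.ldap[0].ldap-url=${ldap-url}
cas.authn.ldap[0].bind-dn=${ldap-binddn}
cas.authn.ldap[0].base-dn=${ldap-basedn}
cas.authn.ldap[0].dn-format=${ldap-dnformat}
cas.authn.ldap[0].searchFilter=${ldap-user-filter}
cas.authn.attributeRepository.ldap[0].attributes.mail=email
cas.authn.attributeRepository.ldap[0].attributes.mail=emailAddress
"""


def _split(line: str) -> Tuple[str, str]:
    """Split one logical line at the first '=' (or ':' if there is no '=')."""
    key, sep, value = line.partition("=")
    if not sep:
        key, _, value = line.partition(":")
    return key.strip(), value.strip()


def parse_properties(text: str) -> List[Tuple[str, str]]:
    """Parse .properties text into (key, value) pairs in file order, keeping duplicates.
    Handles '#'/'!' comments and backslash continuations as java.util.Properties does."""
    pairs: List[Tuple[str, str]] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        pairs.append(_split(line))
    if pending:
        pairs.append(_split(pending))
    return pairs


def lint_properties(pairs: List[Tuple[str, str]]) -> Dict[str, object]:
    """Report empty keys (a wrapped line), keys assigned more than once,
    and ${refs} to keys that are not defined in the fragment."""
    values_by_key: Dict[str, List[str]] = {}
    for key, value in pairs:
        values_by_key.setdefault(key, []).append(value)
    return {
        "empty_keys": values_by_key.get("", []),
        "duplicates": {k: v for k, v in values_by_key.items() if k and len(v) > 1},
        "unresolved": [(key, ref) for key, value in pairs
                       for ref in PLACEHOLDER.findall(value) if ref not in values_by_key],
    }


def resolve_properties(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Expand placeholders. The last assignment of a key wins, as it does when
    java.util.Properties loads the file; unresolvable references are left literal."""
    props = {key: value for key, value in pairs if key}

    def expand(value: str, depth: int = 0) -> str:
        if depth > 10:
            raise ValueError("placeholder reference cycle")
        return PLACEHOLDER.sub(
            lambda m: expand(props[m.group(1)], depth + 1) if m.group(1) in props else m.group(0),
            value)

    return {key: expand(value) for key, value in props.items()}


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    for problem, detail in lint_properties(parsed).items():
        print(f"{problem}: {detail}")
```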



Re: [cas-user] 6.1.0 RC6 Attributes Values being doubled when surrogacy is enabled

2019-10-08 Thread 'Robert Bond' via CAS Community
I changed my ldap active directory config, removed the attribute repository 
stuff and changed the type to AUTHENTICATED.

The below config seems to be working well for me while using surrogacy with 
LDAPS Active Directory:

# set some properties we can re-use in authn and attributeRepository 
configuration
ldap-url= ldaps://ad01.example.edu:636
ldap-binddn=  cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc=example,dc=edu
ldap-bindpw=  asdfasdfasdfasdfasdf
ldap-auth-type=   AUTHENTICATED
ldap-basedn=  ou=All_Users,dc=example,dc=edu
ldap-user-filter= (cn={user})
ldap-max-pool-size=20
ldap-tls=false
ldap-ssl=true

# configure ldap authentication
cas.authn.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
cas.authn.ldap[0].base-dn=${ldap-basedn}
cas.authn.ldap[0].bind-credential=${ldap-bindpw}
cas.authn.ldap[0].bind-dn=${ldap-binddn}
cas.authn.ldap[0].ldap-url=${ldap-url}
cas.authn.ldap[0].max-pool-size=${ldap-max-pool-size}
cas.authn.ldap[0].min-pool-size=0
cas.authn.ldap[0].type=${ldap-auth-type}
cas.authn.ldap[0].searchFilter=${ldap-user-filter}
cas.authn.ldap[0].use-ssl=${ldap-ssl}
cas.authn.ldap[0].use-start-tls=${ldap-tls}
# list of attributes to be collected and mapped
cas.authn.ldap[0].principalAttributeList=cn:commonName,sn:surname,displayName:displayName,mail:email,givenName,memberOf,samAccountName,mail:emailAddress,samAccountName



I had trouble getting surrogacy to work on previous versions with anything 
but the JSON file method, which works for our current purposes. 

Thanks,
Robert Bond.

On Tuesday, October 8, 2019 at 11:14:06 AM UTC-5, rbon wrote:
>
> Surrogates is on my todo list. Hopefully some else with more experience 
> will chime in.
>
> Ray
>
> On Tue, 2019-10-08 at 06:41 -0700, 'Robert Bond' via CAS Community wrote:
>
> No error messages on login. I do not think that this is expected behavior. 
> When logging in as a surrogate it does not have duplicated values for the 
> properties.  
> See example below: 
>cn [bansecr_bondr] 
>
> The service registries do not handle it when there are duplicated values like 
> the "cn [BONDR, BONDR]" that I am getting when I do not use surrogate 
> access.
> I have 5 surrogates configured for my account inside the json file. When 
> I disable surrogate access completely and remove the build.gradle 
> dependency: 
> compile "org.apereo.cas:cas-server-support-surrogate-webflow:${project.'cas.version'}"
> CAS then returns the attributes correctly as "cn [BONDR]"
>
> I think this is a bug. Any thoughts on how to better document and report 
> it?
> Or maybe I have something wrong with my Active Directory 
> LDAP attributeRepository config in cas.
>
>
> Thanks!
>
> On Monday, October 7, 2019 at 4:39:19 PM UTC-5, rbon wrote: 
>
> Robert,
>
> Is log in failing? Any error messages?
>
> Could it be that the second entry is the surrogate; and if no surrogate is 
> supplied in the log in form, then the same subject exists for both [that 
> is, for the surrogate plugin, an array is required]?
>
> Ray
>
> On Mon, 2019-10-07 at 13:10 -0700, 'Robert Bond' via CAS Community wrote:
>
> Running into an odd doubling of attribute values when surrogate access is 
> enabled.  
> On CAS 6.1.0 RC6
>
>
> Here is my Surrogate config, Active Directory Auth config, and Attribute 
> repository:
>
> # Surrogate config 
> cas.authn.surrogate.separator=+
> cas.authn.surrogate.json.location=file:/etc/cas/config/surrogates.json
>
>
> # set some properties we can re-use in authn and attributeRepository 
> configuration
> ldap-url= ldaps://ad01.example.edu:636
> ldap-binddn=  cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc=example,dc=edu
> ldap-bindpw=  examplePass
> ldap-auth-type=   DIRECT
> ldap-basedn=  ou=All_Users,dc=example,dc=edu
> ldap-dnformat=cn=%s,ou=All_Users,dc=example,dc=edu
> ldap-user-filter= (cn={user})
> ldap-max-pool-size=20
> ldap-tls=false
> ldap-ssl=true
> # configure ldap authentication
> cas.authn.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
> cas.authn.ldap[0].base-dn=${ldap-basedn}
> cas.authn.ldap[0].bind-credential=${ldap-bindpw}
> cas.authn.ldap[0].bind-dn=${ldap-binddn}
> cas.authn.ldap[0].dn-format=${ldap-dnformat}
> cas.authn.ldap[0].ldap-url=${ldap-url}
> cas.authn.ldap[0].max-pool-size=${ldap-max-pool-size}
> cas.authn.ldap[0].min-pool-size=0
> cas.authn.ldap[0].subtree-search=true
> cas.authn.ldap[0].type=${ldap-auth-type}
> cas.authn.ldap[0].searchFilter=${ldap-user-filter}
> cas.authn.ldap[0].use-ssl=${ldap-ssl}
> cas.authn.ldap[0].use-start-tls=${ldap-tls}
>
> # configure ldap attribute repository
> cas.authn.attributeRepositor

Re: [cas-user] 6.1.0 RC6 Attributes Values being doubled when surrogacy is enabled

2019-10-08 Thread 'Robert Bond' via CAS Community
No error messages on login. I do not think that this is expected behavior. 
When logging in as a surrogate it does not have duplicated values for the 
properties. 
See example below:
   cn [bansecr_bondr] 

The service registries do not handle it when there are duplicated values like 
the "cn [BONDR, BONDR]" that I am getting when I do not use surrogate 
access.
I have 5 surrogates configured for my account inside the json file. When I 
disable surrogate access completely and remove the build.gradle dependency: 
compile "org.apereo.cas:cas-server-support-surrogate-webflow:${project.'cas.version'}"
CAS then returns the attributes correctly as "cn [BONDR]"

I think this is a bug. Any thoughts on how to better document and report it?
Or maybe I have something wrong with my Active Directory 
LDAP attributeRepository config in cas.


Thanks!

On Monday, October 7, 2019 at 4:39:19 PM UTC-5, rbon wrote:
>
> Robert,
>
> Is log in failing? Any error messages?
>
> Could it be that the second entry is the surrogate; and if no surrogate is 
> supplied in the log in form, then the same subject exists for both [that 
> is, for the surrogate plugin, an array is required]?
>
> Ray
>
> On Mon, 2019-10-07 at 13:10 -0700, 'Robert Bond' via CAS Community wrote:
>
> Running into an odd doubling of attribute values when surrogate access is 
> enabled.  
> On CAS 6.1.0 RC6
>
>
> Here is my Surrogate config, Active Directory Auth config, and Attribute 
> repository:
>
> # Surrogate config 
> cas.authn.surrogate.separator=+
> cas.authn.surrogate.json.location=file:/etc/cas/config/surrogates.json
>
>
> # set some properties we can re-use in authn and attributeRepository 
> configuration
> ldap-url= ldaps://ad01.example.edu:636
> ldap-binddn=  cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc=example,dc=edu
> ldap-bindpw=  examplePass
> ldap-auth-type=   DIRECT
> ldap-basedn=  ou=All_Users,dc=example,dc=edu
> ldap-dnformat=cn=%s,ou=All_Users,dc=example,dc=edu
> ldap-user-filter= (cn={user})
> ldap-max-pool-size=20
> ldap-tls=false
> ldap-ssl=true
> # configure ldap authentication
> cas.authn.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
> cas.authn.ldap[0].base-dn=${ldap-basedn}
> cas.authn.ldap[0].bind-credential=${ldap-bindpw}
> cas.authn.ldap[0].bind-dn=${ldap-binddn}
> cas.authn.ldap[0].dn-format=${ldap-dnformat}
> cas.authn.ldap[0].ldap-url=${ldap-url}
> cas.authn.ldap[0].max-pool-size=${ldap-max-pool-size}
> cas.authn.ldap[0].min-pool-size=0
> cas.authn.ldap[0].subtree-search=true
> cas.authn.ldap[0].type=${ldap-auth-type}
> cas.authn.ldap[0].searchFilter=${ldap-user-filter}
> cas.authn.ldap[0].use-ssl=${ldap-ssl}
> cas.authn.ldap[0].use-start-tls=${ldap-tls}
>
> # configure ldap attribute repository
> cas.authn.attributeRepository.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
> cas.authn.attributeRepository.ldap[0].ldapUrl=${ldap-url}
> cas.authn.attributeRepository.ldap[0].order=0
> cas.authn.attributeRepository.ldap[0].useSsl=${ldap-ssl}
> cas.authn.attributeRepository.ldap[0].useStartTls=${ldap-tls}
> cas.authn.attributeRepository.ldap[0].baseDn=${ldap-basedn}
> cas.authn.attributeRepository.ldap[0].searchFilter=${ldap-user-filter}
> cas.authn.attributeRepository.ldap[0].subtreeSearch=true
> cas.authn.attributeRepository.ldap[0].bindDn=${ldap-binddn}
> cas.authn.attributeRepository.ldap[0].bindCredential=${ldap-bindpw}
> cas.authn.attributeRepository.ldap[0].minPoolSize=0
> cas.authn.attributeRepository.ldap[0].maxPoolSize=${ldap-max-pool-size}
> cas.authn.attributeRepository.ldap[0].validateOnCheckout=true
>
> # configure validator for attribute repository
> cas.authn.attributeRepository.ldap[0].validator.type=SEARCH
> cas.authn.attributeRepository.ldap[0].validator.baseDn=${ldap-basedn}
> cas.authn.attributeRepository.ldap[0].validator.searchFilter=(objectClass=*)
> cas.authn.attributeRepository.ldap[0].validator.scope=OBJECT
> cas.authn.attributeRepository.ldap[0].validator.attributeName=objectClass
> cas.authn.attributeRepository.ldap[0].validator.attributeValues=top
>
> # Get AD attributes
> cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=samAccountName
> cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
> cas.authn.attributeRepository.ldap[0].attributes.mail=email
> cas.authn.attributeRepository.ldap[0].attributes.mail=emailAddress
> cas.authn.attributeRepository.ldap[0].attributes.givenName=givenName
> cas.authn.attributeRepository.ldap[0].attributes.sn=surname
> cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
> cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf
>
>
> Wh

[cas-user] private git Service Registry authentication not working

2019-10-11 Thread 'Robert Bond' via CAS Community
Getting an error when using a private git repo for the CAS service registry. It 
works correctly if I remove the username and password config options and 
use a public repo.

Here is my config for the registry:
cas.serviceRegistry.git.repositoryUrl=https://gitlab.example.edu/cas-service-registry.git
cas.serviceRegistry.git.branchesToClone=dev
cas.serviceRegistry.git.activeBranch=dev
cas.serviceRegistry.git.username=asdf
cas.serviceRegistry.git.password=asdf
cas.serviceRegistry.git.cloneDirectory=file:/tmp/cas-service-registry
cas.serviceRegistry.git.pushChanges=false


And here is the error I am getting:
2019-10-11 19:03:29,837 ERROR 
[org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler] - 

org.eclipse.jgit.api.errors.TransportException: 
https://gitlab.example.edu/cas-service-registry.git: Authentication is 
required but no CredentialsProvider has been registered

Any thoughts?

I used our internal gitlab and tried using a github account also, tested 
the credentials are working.

I tried looking at the cas code for the gitServiceRegistry and it seems 
like it has the options for specifying a username and password. 

Attached full log output also.

Thanks!

2019-10-11 20:03:24,679 ERROR 
[org.springframework.aop.interceptor.SimpleAsyncUncaughtExceptionHandler] - 

java.lang.reflect.UndeclaredThrowableException: null
at com.sun.proxy.$Proxy146.load(Unknown Source) ~[?:?]
at 
org.apereo.cas.config.CasCoreServicesConfiguration.refreshServicesManagerWhenReady(CasCoreServicesConfiguration.java:239)
 ~[cas-server-core-services-6.1.0-RC6.jar!/:6.1.0-RC6]
at 
org.apereo.cas.config.CasCoreServicesConfiguration$$FastClassBySpringCGLIB$$b13b6f59.invoke()
 ~[cas-server-core-services-6.1.0-RC6.jar!/:6.1.0-RC6]
at 
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) 
~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:769)
 ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
 ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747)
 ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:115)
 ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at java.util.concurrent.FutureTask.run(Unknown Source) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) 
~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) 
~[?:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: org.eclipse.jgit.api.errors.TransportException: 
https://github.com/bondr007/test-cas-service-registry.git: Authentication is 
required but no CredentialsProvider has been registered
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:255) 
~[org.eclipse.jgit-5.5.0.201909110433-r.jar!/:5.5.0.201909110433-r]
at org.eclipse.jgit.api.PullCommand.call(PullCommand.java:296) 
~[org.eclipse.jgit-5.5.0.201909110433-r.jar!/:5.5.0.201909110433-r]
at org.apereo.cas.git.GitRepository.pull(GitRepository.java:169) 
~[cas-server-support-git-service-registry-6.1.0-RC6.jar!/:6.1.0-RC6]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown 
Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
at 
org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279) 
~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
 ~[spring-cloud-context-2.2.0.M3.jar!/:2.2.0.M3]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
 ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747)
 

Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

2020-03-02 Thread 'Robert Bond' via CAS Community
CA Trust chain without the client cert should work.

On Fri, Feb 21, 2020 at 11:48 AM Jason Everling 
wrote:

> I was just curious about using the root cert instead, we have a JKS file
> with our internal roots. We have a 3 tier internal PKI so we don't use
> endpoint certs in any trust settings because machine certs are only valid
> for 12 months
> ------
> *From:* 'Robert Bond' via CAS Community 
> *Sent:* Friday, February 21, 2020 8:36:59 AM
> *To:* cas-user@apereo.org 
> *Subject:* Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target)
>
> I just finished writing an article detailing setting up LDAPS on Active
> Directory:
> https://dev.to/bondr007/active-directory-ldaps-the-easy-way-1bnc
>
> For cas I just specified the CA cert I created using the config line below:
> cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt
>
> On Fri, Feb 21, 2020 at 8:25 AM Robert Bond  wrote:
>
> IIRC it can be the root CA or the client public cert.
>
> Are you using a public ca, and if so which one?
> To be safe you could just put the fullchain.
>
> On Thu, Feb 20, 2020 at 8:06 PM Jason Everling 
> wrote:
>
> Does that work if you specify the root or only the end entity certificate?
>
> On Thu, Feb 20, 2020 at 8:33 AM 'Robert Bond' via CAS Community <
> cas-user@apereo.org> wrote:
>
> You can also just pass it the (CA or client) cert file. Like so:
> cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt
>
> On Wed, Feb 19, 2020 at 7:34 PM Jason Everling 
> wrote:
>
> Grab your LDAPS certificates, create a new JKS keystore type and add your
> certificates to it. The default java password is changeit so we will just
> use that as well. The AD ldap settings would be,
>
> cas.authn.ldap[0].keystore=file:/etc/cas/your_keystore_name
> cas.authn.ldap[0].keystorePassword=changeit
>
> On Wednesday, February 19, 2020 at 6:40:54 PM UTC-6, Tom Healey wrote:
>
>
> Daniel,
> Thank you for your response. Is there a difference between the keystore
>
> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
> cas.authn.ldap[0].keystorePassword=keystorepassword
>
>
> and the trust store parameters?
>
> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
> cas.authn.ldap[0].trustStorePassword=truststorepassword
>
> In any event
> I did this:
>
> keytool -alias myalias -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # root
> keytool -alias myalias2 -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # server
> and still have the problem of
>
> *sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target *
>
> Thanks all.
> Tom
>
>
>
> I did add the certs to the keystore(/etc/cas/thekeystore), which is the
> same one that tomcat uses for SSL server keys.
> Thanks.
>
> On Wednesday, February 19, 2020 at 4:58:24 PM UTC-5, dfisher wrote:
>
> On Wed, Feb 19, 2020 at 1:21 PM Tom Healey  wrote:
>
> LDAPS issue
>
> Hi all!
> I get the following error when trying to communicate to MS AD server over
> LDAPS.
> (PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target)
>
> here is my relevant LDAP config in cas.properties
>
> cas.authn.ldap[0].name=Active Directory
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldaps://XXX.XXX.XXX.XXX:636
> cas.authn.ldap[0].useSsl=true
> cas.authn.ldap[0].baseDn="set to sane value"
> cas.authn.ldap[0].searchFilter="set to sane value"
> cas.authn.ldap[0].bindDn="set to sane value"
> cas.authn.ldap[0].bindCredential="set to sane value"
> cas.authn.ldap[0].dnFormat="set to sane value"
> cas.authn.ldap[0].connectTimeout=1000
>
> cas.authn.ldap[0].principalAttributeList=memberOf,cn,givenName,mail,givenName,mail,sn
> cas.authn.ldap[0].followReferrals=false
> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
> cas.authn.ldap[0].keystorePassword=keystorepassword
>
>
> Try adding new properties:
> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
> cas.authn.ldap[0].trustStorePassword=truststorepassword
>
> Then import your CA into that truststore file. I'm not certain about the
> camel casing of those properties, but it should be something close to that.
>
>
>
>
> --Daniel Fisher
>
> --

Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

2020-02-20 Thread 'Robert Bond' via CAS Community
You can also just pass it the (CA or client) cert file. Like so:
cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt

On Wed, Feb 19, 2020 at 7:34 PM Jason Everling 
wrote:

> Grab your LDAPS certificates, create a new JKS keystore type and add your
> certificates to it. The default java password is changeit so we will just
> use that as well. The AD ldap settings would be,
>
> cas.authn.ldap[0].keystore=file:/etc/cas/your_keystore_name
> cas.authn.ldap[0].keystorePassword=changeit
>
> On Wednesday, February 19, 2020 at 6:40:54 PM UTC-6, Tom Healey wrote:
>>
>>
>> Daniel,
>> Thank you for your response. Is there a difference between the keystore
>>
>> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
>> cas.authn.ldap[0].keystorePassword=keystorepassword
>>
>>
>> and the trust store parameters?
>>
>> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
>> cas.authn.ldap[0].trustStorePassword=truststorepassword
>>
>> In any event
>> I did this:
>>
>> keytool -alias myalias -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # root
>> keytool -alias myalias2 -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # server
>> and still have the problem of
>>
>> *sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target*
>>
>> Thanks all.
>> Tom
>>
>>
>>
>> I did add the certs to the keystore(/etc/cas/thekeystore), which is the
>> same one that tomcat uses for SSL server keys.
>> Thanks.
>>
>> On Wednesday, February 19, 2020 at 4:58:24 PM UTC-5, dfisher wrote:
>>>
>>> On Wed, Feb 19, 2020 at 1:21 PM Tom Healey  wrote:
>>>
>>>> LDAPS issue
>>>>
>>>> Hi all!
>>>> I get the following error when trying to communicate to MS AD server
>>>> over LDAPS.
>>>> (PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>> valid certification path to requested target)
>>>>
>>>> here is my relevant LDAP config in cas.properties
>>>>
>>>> cas.authn.ldap[0].name=Active Directory
>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>> cas.authn.ldap[0].ldapUrl=ldaps://XXX.XXX.XXX.XXX:636
>>>> cas.authn.ldap[0].useSsl=true
>>>> cas.authn.ldap[0].baseDn="set to sane value"
>>>> cas.authn.ldap[0].searchFilter="set to sane value"
>>>> cas.authn.ldap[0].bindDn="set to sane value"
>>>> cas.authn.ldap[0].bindCredential="set to sane value"
>>>> cas.authn.ldap[0].dnFormat="set to sane value"
>>>> cas.authn.ldap[0].connectTimeout=1000
>>>>
>>>> cas.authn.ldap[0].principalAttributeList=memberOf,cn,givenName,mail,givenName,mail,sn
>>>> cas.authn.ldap[0].followReferrals=false
>>>> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
>>>> cas.authn.ldap[0].keystorePassword=keystorepassword


>>> Try adding new properties:
>>> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
>>> cas.authn.ldap[0].trustStorePassword=truststorepassword
>>>
>>> Then import your CA into that truststore file. I'm not certain about the
>>> camel casing of those properties, but it should be something close to that.
>>>
>>
>>
>>>
>>> --Daniel Fisher
>>>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOA9z6ru4wYRvpPLtL_KWw1MxNvnmTPeR_9rOnzjoKq5zzseLQ%40mail.gmail.com.


Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

2020-02-21 Thread 'Robert Bond' via CAS Community
I just finished writing an article detailing setting up LDAPS on Active
Directory:
https://dev.to/bondr007/active-directory-ldaps-the-easy-way-1bnc

For cas I just specified the CA cert I created using the config line below:
cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt

On Fri, Feb 21, 2020 at 8:25 AM Robert Bond  wrote:

> iirc it can be the root ca or the client public cert.
>
> Are you using a public ca, and if so which one?
> To be safe you could just put the fullchain.
>
> On Thu, Feb 20, 2020 at 8:06 PM Jason Everling 
> wrote:
>
>> Does that work if you specify the root or only the end entity certificate?
>>
>> On Thu, Feb 20, 2020 at 8:33 AM 'Robert Bond' via CAS Community <
>> cas-user@apereo.org> wrote:
>>
>>> You can also just pass it just the (CA or client) cert file. Like so:
>>> cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt
>>>
>>> On Wed, Feb 19, 2020 at 7:34 PM Jason Everling 
>>> wrote:
>>>
>>>> Grab your LDAPS certificates, create a new JKS keystore type and add
>>>> your certificates to it. The default java password is changeit so we will
>>>> just use that as well. The AD ldap settings would be,
>>>>
>>>> cas.authn.ldap[0].keystore=file:/etc/cas/your_keystore_name
>>>> cas.authn.ldap[0].keystorePassword=changeit
>>>>
>>>> On Wednesday, February 19, 2020 at 6:40:54 PM UTC-6, Tom Healey wrote:
>>>>>
>>>>>
>>>>> Daniel,
>>>>> Thank you for your response. Is there a difference between the
>>>>> keystore
>>>>>
>>>>> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
>>>>> cas.authn.ldap[0].keystorePassword=keystorepassword
>>>>>
>>>>>
>>>>> and the trust store parameters?
>>>>>
>>>>> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
>>>>> cas.authn.ldap[0].trustStorePassword=truststorepassword
>>>>>
>>>>> In any event
>>>>> I did this:
>>>>>
>>>>> keytool -alias myalias -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # root
>>>>> keytool -alias myalias2 -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # server
>>>>> and still have the problem of
>>>>>
>>>>> *sun.security.validator.ValidatorException: PKIX path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target*
>>>>>
>>>>> Thanks all.
>>>>> Tom
>>>>>
>>>>>
>>>>>
>>>>> I did add the certs to the keystore(/etc/cas/thekeystore), which is
>>>>> the same one that tomcat uses for SSL server keys.
>>>>> Thanks.
>>>>>
>>>>> On Wednesday, February 19, 2020 at 4:58:24 PM UTC-5, dfisher wrote:
>>>>>>
>>>>>> On Wed, Feb 19, 2020 at 1:21 PM Tom Healey 
>>>>>> wrote:
>>>>>>
>>>>>>> LDAPS issue
>>>>>>>
>>>>>>> Hi all!
>>>>>>> I get the following error when trying to communicate to MS AD server
>>>>>>> over LDAPS.
>>>>>>> (PKIX path building failed:
>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>> find
>>>>>>> valid certification path to requested target)
>>>>>>>
>>>>>>> here is my relevant LDAP config in cas.properties
>>>>>>>
>>>>>>> cas.authn.ldap[0].name=Active Directory
>>>>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>>>>> cas.authn.ldap[0].ldapUrl=ldaps://XXX.XXX.XXX.XXX:636
>>>>>>> cas.authn.ldap[0].useSsl=true
>>>>>>> cas.authn.ldap[0].baseDn="set to sane value"
>>>>>>> cas.authn.ldap[0].searchFilter="set to sane value"
>>>>>>> cas.authn.ldap[0].bindDn="set to sane value"
>>>>>>> cas.authn.ldap[0].bindCredential="set to sane value"
>>>>>>> cas.authn.ldap[0].dnFormat="set to sane value"
>>>>>>> cas.authn.ldap[0].connectTimeout=1000
>>>>>>>

Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

2020-02-21 Thread 'Robert Bond' via CAS Community
iirc it can be the root ca or the client public cert.

Are you using a public ca, and if so which one?
To be safe you could just put the fullchain.

On Thu, Feb 20, 2020 at 8:06 PM Jason Everling 
wrote:

> Does that work if you specify the root or only the end entity certificate?
>
> On Thu, Feb 20, 2020 at 8:33 AM 'Robert Bond' via CAS Community <
> cas-user@apereo.org> wrote:
>
>> You can also just pass it just the (CA or client) cert file. Like so:
>> cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt
>>
>> On Wed, Feb 19, 2020 at 7:34 PM Jason Everling 
>> wrote:
>>
>>> Grab your LDAPS certificates, create a new JKS keystore type and add
>>> your certificates to it. The default java password is changeit so we will
>>> just use that as well. The AD ldap settings would be,
>>>
>>> cas.authn.ldap[0].keystore=file:/etc/cas/your_keystore_name
>>> cas.authn.ldap[0].keystorePassword=changeit
>>>
>>> On Wednesday, February 19, 2020 at 6:40:54 PM UTC-6, Tom Healey wrote:
>>>>
>>>>
>>>> Daniel,
>>>> Thank you for your response. Is there a difference between the keystore
>>>>
>>>> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
>>>> cas.authn.ldap[0].keystorePassword=keystorepassword
>>>>
>>>>
>>>> and the trust store parameters?
>>>>
>>>> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
>>>> cas.authn.ldap[0].trustStorePassword=truststorepassword
>>>>
>>>> In any event
>>>> I did this:
>>>>
>>>> keytool -alias myalias -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # root
>>>> keytool -alias myalias2 -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # server
>>>> and still have the problem of
>>>>
>>>> *sun.security.validator.ValidatorException: PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>> valid certification path to requested target*
>>>>
>>>> Thanks all.
>>>> Tom
>>>>
>>>>
>>>>
>>>> I did add the certs to the keystore(/etc/cas/thekeystore), which is
>>>> the same one that tomcat uses for SSL server keys.
>>>> Thanks.
>>>>
>>>> On Wednesday, February 19, 2020 at 4:58:24 PM UTC-5, dfisher wrote:
>>>>>
>>>>> On Wed, Feb 19, 2020 at 1:21 PM Tom Healey 
>>>>> wrote:
>>>>>
>>>>>> LDAPS issue
>>>>>>
>>>>>> Hi all!
>>>>>> I get the following error when trying to communicate to MS AD server
>>>>>> over LDAPS.
>>>>>> (PKIX path building failed:
>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>> find
>>>>>> valid certification path to requested target)
>>>>>>
>>>>>> here is my relevant LDAP config in cas.properties
>>>>>>
>>>>>> cas.authn.ldap[0].name=Active Directory
>>>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>>>> cas.authn.ldap[0].ldapUrl=ldaps://XXX.XXX.XXX.XXX:636
>>>>>> cas.authn.ldap[0].useSsl=true
>>>>>> cas.authn.ldap[0].baseDn="set to sane value"
>>>>>> cas.authn.ldap[0].searchFilter="set to sane value"
>>>>>> cas.authn.ldap[0].bindDn="set to sane value"
>>>>>> cas.authn.ldap[0].bindCredential="set to sane value"
>>>>>> cas.authn.ldap[0].dnFormat="set to sane value"
>>>>>> cas.authn.ldap[0].connectTimeout=1000
>>>>>>
>>>>>> cas.authn.ldap[0].principalAttributeList=memberOf,cn,givenName,mail,givenName,mail,sn
>>>>>> cas.authn.ldap[0].followReferrals=false
>>>>>> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
>>>>>> cas.authn.ldap[0].keystorePassword=keystorepassword
>>>>>>
>>>>>>
>>>>> Try adding new properties:
>>>>> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
>>>>> cas.authn.ldap[0].trustStorePassword=truststorepassword
>>>>>
>>>>> Then import your CA into that truststore file. I'm not certain about
>>>>> the camel casing of th
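
The thread offers two ways out of the PKIX error: Daniel Fisher's dedicated trustStore/trustStorePassword properties and Robert Bond's trustCertificates file pointing at the CA cert. The original attempt imported the AD certificates into /etc/cas/thekeystore, the same file Tomcat serves TLS from, which is a keystore (private key plus server cert), not a truststore. The script below is an added example, not code from the thread or from the CAS project: it builds a separate PKCS12 truststore with keytool and checks that the file holds only trusted certificate entries and no private key before it is referenced from cas.properties. The path, password and alias names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from CAS): keep a dedicated PKCS12
# truststore for the LDAPS connection, separate from the Tomcat keystore that
# holds the server's private key. Path and password are placeholders that can
# be overridden from the environment.
set -eu

TRUSTSTORE="${TRUSTSTORE:-/etc/cas/thetruststore}"   # placeholder path
TRUSTPASS="${TRUSTPASS:-truststorepassword}"           # placeholder password

# Import one CA certificate (PEM or DER) into the truststore under the given
# alias. keytool creates the file on first use; -noprompt answers the
# interactive "Trust this certificate?" question, so only feed it a CA whose
# fingerprint you have checked out of band.
import_ca() {
    ca_file="$1"
    alias_name="$2"
    keytool -importcert -noprompt -alias "$alias_name" -file "$ca_file" \
        -keystore "$TRUSTSTORE" -storetype PKCS12 -storepass "$TRUSTPASS" >/dev/null
}

# Number of entries of one kind (trustedCertEntry or PrivateKeyEntry) in a
# PKCS12 store, taken from the "alias, date, kind," lines of keytool -list.
count_entries() {
    store="$1"
    pass="$2"
    kind="$3"
    keytool -list -keystore "$store" -storetype PKCS12 -storepass "$pass" 2>/dev/null \
        | grep -c "$kind" || true
}

# Sanity check before pointing cas.authn.ldap[0].trustStore at a file: a
# truststore should contain CA certificates and no private keys. A store with
# a PrivateKeyEntry is a keystore (for example the one Tomcat serves TLS with),
# and the AD CA certificate does not belong there.
check_truststore() {
    store="$1"
    pass="$2"
    keys=$(count_entries "$store" "$pass" PrivateKeyEntry)
    cas=$(count_entries "$store" "$pass" trustedCertEntry)
    [ "$keys" -eq 0 ] && [ "$cas" -gt 0 ]
}

# Usage: import_ca /path/to/ad-root-ca.pem adroot && check_truststore "$TRUSTSTORE" "$TRUSTPASS"
```

Once check_truststore passes, set cas.authn.ldap[0].trustStore and trustStorePassword to the file and its password (or hand the PEM straight to trustCertificates, as Robert does later in the thread). The cas.authn.ldap[0].keystore properties carry a client certificate for mutual TLS, which a plain bind against AD does not use, so adding the CA there does not fix this error.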

Re: [cas-user] What's your production version?

2020-03-12 Thread 'Robert Bond' via CAS Community
We are on 6.1.5,

6.1.X has been very stable for us, once we got the config up to date from
our 6.0.4 build.

At times the release schedule can be a little uncertain, in that we can be
uncertain of what version we want to move to.
I do not think "keeping up" with the release schedule is too difficult. For
us continually testing with the RC releases as they come out has allowed us
to move quickly to new versions.
I understand your situation, and there is most definitely a time investment
to keep up with it. In the same way I am sure it is incredibly difficult
for the project to maintain many versions.
Potentially a LTS style release could solve this, or maybe just some
suggestions from the project for versions.
I think the hardest part is adjusting the config due to dependencies that
have been updated.  As a community we could start sharing those adjustments
for some of the common services, such as LDAP (AD), etc...

Thanks,
Robert Bond.

On Thu, Mar 12, 2020 at 8:27 AM David Curry 
wrote:

> We're running 5.2.9.
>
> The release schedule moves way too quickly for us to keep up with, and so
> far, the features that have been added, while a couple of them are
> interesting, are not significant enough to justify the effort to move.
>
> The one thing that concerns us is that 5.2.x is no longer supported, even
> for security patches. IMHO the CAS maintenance plan is not terribly
> realistic in giving only 12 months' support to a release. I understand why,
> but that doesn't make it better.
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david.cu...@newschool.edu
>
>
> On Thu, Mar 12, 2020 at 8:50 AM Jack  wrote:
>
>> Hello,
>>
>> Over the time, we have burnt our fingers with different versions. We're
>> still running 5.1.
>>
>> What's the stable version or your production version now?
>>
>> Thanks!
>>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University



Re: [cas-user] Re: CAS V5.3 with Zoom SSO???

2020-05-15 Thread 'Robert Bond' via CAS Community
Are you running into any issues?
You need to have SAML setup first.

Here is a modified copy of our service registry entry: (modify attributes
as needed)
{
  "id" : 12,
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "metadataLocation" : "https://regent.zoom.us/saml/metadata/sp",
  "metadataExpirationDuration" : "PT60M",
  "signAssertions" : true,
  "skipGeneratingAssertionNameId" : false,
  "skipGeneratingSubjectConfirmationInResponseTo" : false,
  "skipGeneratingSubjectConfirmationNotOnOrAfter" : false,
  "skipGeneratingSubjectConfirmationRecipient" : false,
  "skipGeneratingSubjectConfirmationNotBefore" : true,
  "signResponses" : true,
  "encryptAssertions" : false,
  "metadataCriteriaRoles" : "SPSSODescriptor",
  "metadataCriteriaRemoveEmptyEntitiesDescriptors" : true,
  "metadataCriteriaRemoveRolelessEntityDescriptors" : true,
  "signingCredentialType" : "BASIC",
  "serviceId" : "regent.zoom.us",
  "name" : "Zoom",
  "logo" : "/cas/images/services/zoom_logo.png",
  "description" : "Zoom",
  "evaluationOrder" : 12,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail",
    "canonicalizationMode" : "NONE",
    "encryptUsername" : false
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "givenName", "mail", "surname", "memberOf" ] ]
  },
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://regent.zoom.us/saml/SingleLogout",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}


On Fri, May 15, 2020 at 7:08 AM Shawn Cutting  wrote:

> We are using pure SAML with Zoom, and it was not the easiest thing to
> set up, but it is working. What have you tried thus far?
>
> On Tuesday, May 12, 2020 at 5:37:03 PM UTC-4, Keith Alston (Staff) wrote:
>>
>> Anyone set up Zoom SSO with CAS?? Any pointers/tips??
>>
>>
>>
>> -Keith Alston
>>
>> kei...@regent.edu
>>
>> Regent University
>>
>> 757-619-3421
>>
>>
>>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University



Re: [cas-user] Re: CAS V5.3 with Zoom SSO???

2020-05-22 Thread 'Robert Bond' via CAS Community
No problem.

Glad to hear it is working.

A lot of those parameters are default

Thanks!

On Fri, May 22, 2020 at 8:17 AM Keith Alston (Staff) 
wrote:

> WOW! Thanks for sharing your registry entry.
>
>
>
> I did get this working and it actually was pretty straightforward. My
> registry entry was way smaller but I’m going to research those parameters
> now!
>
>
>
> Thanks!
>
>
>
> *From:* Robert Bond [mailto:bo...@nsuok.edu]
> *Sent:* Friday, May 15, 2020 10:53 AM
> *To:* cas-user@apereo.org
> *Cc:* Keith Alston (Staff) 
> *Subject:* Re: [cas-user] Re: CAS V5.3 with Zoom SSO???
>
>
>
> Are you running into any issues?
>
> You need to have SAML setup first.
>
>
>
> Here is a modified copy of our service registry entry: (modify attributes
> as needed)
>
> {
>
> "id" : 12,
>
> "@class" :
> "org.apereo.cas.support.saml.services.SamlRegisteredService",
>
> "metadataLocation" : "https://regent.zoom.us/saml/metadata/sp",
>
> "metadataExpirationDuration" : "PT60M",
>
> "signAssertions" : true,
>
> "skipGeneratingAssertionNameId" : false,
>
> "skipGeneratingSubjectConfirmationInResponseTo" : false,
>
> "skipGeneratingSubjectConfirmationNotOnOrAfter" : false,
>
> "skipGeneratingSubjectConfirmationRecipient" : false,
>
> "skipGeneratingSubjectConfirmationNotBefore" : true,
>
> "signResponses" : true,
>
> "encryptAssertions" : false,
>
> "metadataCriteriaRoles" : "SPSSODescriptor",
>
> "metadataCriteriaRemoveEmptyEntitiesDescriptors" : true,
>
> "metadataCriteriaRemoveRolelessEntityDescriptors" : true,
>
> "signingCredentialType" : "BASIC",
>
> "serviceId" : "regent.zoom.us",
>
> "name" : "Zoom",
>
> "logo" : "/cas/images/services/zoom_logo.png",
>
> "description" : "Zoom",
>
> "evaluationOrder" : 12,
>
> "usernameAttributeProvider" : {
>
> "@class" :
> "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider"
> ,
>
> "usernameAttribute" : "mail",
>
> "canonicalizationMode" : "NONE",
>
> "encryptUsername" : false
>
> },
>
> "attributeReleasePolicy" : {
>
> "@class" :
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>
> "allowedAttributes" : [ "java.util.ArrayList", [ "givenName",
> "mail", "surname", "memberOf" ] ]
>
> },
>
> "logoutType" : "BACK_CHANNEL",
>
> "logoutUrl" : "https://regent.zoom.us/saml/SingleLogout",
>
> "accessStrategy" : {
>
> "@class" :
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>
> "enabled" : true,
>
> "ssoEnabled" : true
>
>   }
>
> }
>
>
>
>
>
> On Fri, May 15, 2020 at 7:08 AM Shawn Cutting 
> wrote:
>
> We are using pure SAML with Zoom, and it was not the easiest thing to
> set up, but it is working. What have you tried thus far?
>
>
> On Tuesday, May 12, 2020 at 5:37:03 PM UTC-4, Keith Alston (Staff) wrote:
>
> Anyone set up Zoom SSO with CAS?? Any pointers/tips??
>
>
>
> -Keith Alston
>
> kei...@regent.edu
>
> Regent University
>
> 757-619-3421
>
>
>
>
>
>
> --
>
> Robert Bond
> Network Administrator
> (918) 444-5886
> Northeastern State University
>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University


Re: [cas-user] Duo Warning in CAS Logs

2020-08-25 Thread 'Robert Bond' via CAS Community
I get those also. Duo still works fine. Tried looking on the duo side to
grant additional privileges, did not find any.

On Tue, Aug 25, 2020 at 8:54 AM 'Mallory, Erik' via CAS Community <
cas-user@apereo.org> wrote:

> Hello,
>
>
> CAS Version: 6.1.5
>
> We're getting the following warning in the CAS logs and we are
> intermittently having login issues for one particular app. I would like
> to know if anyone has experienced this error and could perhaps explain
> it.
> 2020-08-25 08:14:01,474 WARN
> [org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationService
> ] -  and detail [Wrong integ
> ration type for this API.] when determining user account. This maybe a
> configuration error in the admin request and Duo will still be
> considered available.>
>
> Thank you,
> --
> Erik Mallory
> Server Analyst
> Wichita State University
>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University



Re: [cas-user] Conditional attributes via LDAP group membership

2020-08-27 Thread 'Robert Bond' via CAS Community
I have done this with one of our services.
Here is the groovy code to handle something similar. Probably not the
cleanest.
"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "mail" : "groovy {return attributes['emailAddress'] }",
    "userType" : "groovy {def r=[];def a=['student','employee','faculty'];for(x in attributes['memberOf']){for(y in a){if(x.toLowerCase().contains(y)){r+=y};};};return r.unique();}"
  }
}

You can build out the logic in an online groovy interpreter like
https://groovy-playground.appspot.com/ then make it one line and throw it
in a service registry entry.

Hope this helps!

On Thu, Aug 27, 2020 at 1:33 PM Michael Wisenbaker 
wrote:

> Ray,
>
> Warning: I've never touched CAS, I'm trying to find ways to make our use
> case work to suggest them to the proper folks.
>
> In pseudocode what I am looking for is:
>
> if memberOf Group1 {
> attribute value = x
> }else{
> attribute value = y
> }
>
> I'm not sure if any of the regex filters would apply, but this seems like
> something that could be accomplished via a Groovy script?
>
> We currently pass an HR identifier to Zoom that determines which
> org/sub-org an account is in, but it would be beneficial to be able to
> over-ride this value for certain individuals; e.g. students that have no HR
> identifier.
>
> I appreciate that you took the time to respond to my OP!
>
> On Thursday, August 27, 2020 at 12:56:38 PM UTC-4 Ray Bon wrote:
>
>> Michael,
>>
>> Is this what you are looking for:
>> https://apereo.github.io/cas/6.2.x/integration/Attribute-Value-Release-Policies.html#mutant-mapped-regex
>>
>> Ray
>>
>> On Thu, 2020-08-27 at 08:47 -0700, Michael Wisenbaker wrote:
>>
>> Is it possible to have a flow within CAS that provides differing
>> attributes to the SP based upon ldap group membership?  For example, for
>> members of GROUP1 attribute x=value and for members of GROUP2 attribute
>> x=someothervalue?
>>
>> For a more concrete example - my org uses CAS for Zoom integration, one
>> of the attributes passed through is an identifier drawn from an ldap
>> source, but in some cases it would be preferable that this attribute could
>> be modified without changing the ldap source
>>
>> Thanks.
>>
>> --
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>>
>> I respectfully acknowledge that my place of work is located within the
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>> WSÁNEĆ Nations.
>>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University



Re: [cas-user] Duo Warning in CAS Logs

2020-08-26 Thread 'Robert Bond' via CAS Community
If you find out what causes the logs let me know. Thanks!

On Tue, Aug 25, 2020 at 3:42 PM 'Mallory, Erik' via CAS Community <
cas-user@apereo.org> wrote:

> Thanks for the response. I think we've isolated the issue to the
> application.
> --
> Erik Mallory
> Server Analyst
> Wichita State University
>
> On Tue, 2020-08-25 at 13:04 -0500, 'Robert Bond' via CAS Community
> wrote:
> > CAUTION: This email originated from outside of Wichita State
> > University. Do not click links or open attachments unless you
> > recognize the sender and know the content is safe.
> >
> > I get those also. Duo still works fine. Tried looking on the duo side
> > to grant additional privileges, did not find any.
> >
> > On Tue, Aug 25, 2020 at 8:54 AM 'Mallory, Erik' via CAS Community <
> > cas-user@apereo.org> wrote:
> > > Hello,
> > >
> > >
> > > CAS Version: 6.1.5
> > >
> > > We're getting the following warning in the CAS logs and we are
> > > intermittently having login issues for one particular app. I would
> > > like
> > > to know if anyone has experienced this error and could perhaps
> > > explain
> > > it.
> > > 2020-08-25 08:14:01,474 WARN
> > > [org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationSer
> > > vice
> > > ] -  > > forbidden]
> > > and detail [Wrong integ
> > > ration type for this API.] when determining user account. This
> > > maybe a
> > > configuration error in the admin request and Duo will still be
> > > considered available.>
> > >
> > > Thank you,
> > > --
> > > Erik Mallory
> > > Server Analyst
> > > Wichita State University
> > >
> >
> >
> > --
> > Robert Bond
> > Network Administrator
> > (918) 444-5886
> > Northeastern State University
>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University



Re: [cas-user] deploy docker image as root instead of /cas using war overlay with cas 6.1

2020-07-15 Thread 'Robert Bond' via CAS Community
It might be better to just have your ingress controller do a 301 
redirect to the /cas. 
I have seen third parties hard code the /cas in their cas integration; even 
if they don't, it might throw them off initially. 



On Wednesday, July 15, 2020 at 4:06:21 PM UTC-5 Ray Bon wrote:

> Landon,
>
> I have not tried this, but could you just change 
> cas.server.name: local.uvic.ca
> cas.server.prefix: ${cas.server.name}/cas
> to 
>
> cas.server.name: local.uvic.ca
> cas.server.prefix: ${cas.server.name}/
>
> Ray
>
> On Wed, 2020-07-15 at 13:42 -0700, Landon Heinrichs wrote:
>
> I would like the deploy of cas to be at https://myUrl.com/   instead of 
> https://myUrl.com/cas 
>
> currently I'm deploying it with docker using the cas war overlay. It seems 
> to work fairly well, the one thing we need to figure out is how to change 
> this.
>
> We are currently using cas 6.1. The plan is to run it in a kubernetes/helm 
> environment.
>
> any help would be greatly appreciated. 
>
> Thanks.
>
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>



[cas-user] Surrogate Auditing in Cas 6.1.5

2020-07-13 Thread 'Robert Bond' via CAS Community
I am having issues finding the audits for surrogate logins in CAS 6.1.5. 
Inside the audit log and in the console output I never see the audit event 
for a surrogate login like it is described in the docs here: 
https://apereo.github.io/cas/6.1.x/installation/Surrogate-Authentication.html#surrogate-audits

Looking for the audit log to contain the following like in the docs:
WHO: (Primary User: [casuser], Surrogate User: [testuser])

Is anyone using surrogacy and auditing or have an idea why the surrogate 
audits would not show up? 

Thanks so much!

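As an added example (not part of the post above and not CAS's own code): once the surrogate audit records do show up, they are only useful if something reads them. The script below parses CAS audit output in the Inspektr slf4j layout (the `Audit trail record BEGIN` / `WHO:` / `ACTION:` block format), pulls the primary and surrogate names out of the `WHO: (Primary User: [...], Surrogate User: [...])` line the docs describe, and flags impersonation by any primary user who is not on an allow-list. The sample records are constructed, the allow-list is an assumption of this example, and the check is a log-side second opinion, not a replacement for the surrogate authorization CAS performs itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the Inspektr slf4j audit layout CAS uses
# (record delimiters and field names as CAS prints them; values are made up).
SAMPLE_AUDIT_LOG = """\
Audit trail record BEGIN
=============================================================
WHO: casuser
WHAT: Supplied credentials: [UsernamePasswordCredential(username=casuser, source=null)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Jul 13 09:58:12 CDT 2020
CLIENT IP ADDRESS: 10.20.30.40
SERVER IP ADDRESS: 10.20.30.1
=============================================================
Audit trail record BEGIN
=============================================================
WHO: (Primary User: [casuser], Surrogate User: [testuser])
WHAT: Supplied credentials: [UsernamePasswordCredential(username=casuser+testuser, source=null)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Jul 13 10:01:45 CDT 2020
CLIENT IP ADDRESS: 10.20.30.40
SERVER IP ADDRESS: 10.20.30.1
=============================================================
Audit trail record BEGIN
=============================================================
WHO: (Primary User: [helpdesk1], Surrogate User: [president])
WHAT: TGT-1-********
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Jul 13 10:02:03 CDT 2020
CLIENT IP ADDRESS: 192.0.2.77
SERVER IP ADDRESS: 10.20.30.1
=============================================================
"""

# The WHO format for surrogate logins as given in the CAS surrogate docs.
SURROGATE_WHO = re.compile(
    r"^\(Primary User: \[(?P<primary>[^\]]+)\], Surrogate User: \[(?P<surrogate>[^\]]+)\]\)$"
)


@dataclass
class AuditRecord:
    who: str
    action: str
    when: str
    client_ip: str
    primary: Optional[str] = None    # set only for surrogate logins
    surrogate: Optional[str] = None

    @property
    def is_surrogate(self) -> bool:
        return self.surrogate is not None


def _to_record(fields: Dict[str, str]) -> AuditRecord:
    who = fields.get("WHO", "")
    rec = AuditRecord(who, fields.get("ACTION", ""), fields.get("WHEN", ""),
                      fields.get("CLIENT IP ADDRESS", ""))
    m = SURROGATE_WHO.match(who)
    if m:
        rec.primary, rec.surrogate = m.group("primary"), m.group("surrogate")
    return rec


def parse_audit_log(text: str) -> List[AuditRecord]:
    """Split the log into records: BEGIN marker, a rule of '=', fields, closing rule."""
    records: List[AuditRecord] = []
    fields: Dict[str, str] = {}
    in_record, rules_seen = False, 0
    for line in text.splitlines():
        if line.startswith("Audit trail record BEGIN"):
            in_record, fields, rules_seen = True, {}, 0
        elif in_record and line.startswith("===="):
            rules_seen += 1
            if rules_seen == 2:                 # second rule closes the record
                records.append(_to_record(fields))
                in_record = False
        elif in_record:
            key, sep, value = line.partition(":")  # first colon only; WHEN has more
            if sep:
                fields[key.strip()] = value.strip()
    return records


def surrogate_logins(text: str) -> List[AuditRecord]:
    """Records where one user acted under another user's identity."""
    return [r for r in parse_audit_log(text) if r.is_surrogate]


def unauthorized_impersonation(text: str, allowed_primaries: Set[str]) -> List[AuditRecord]:
    """Surrogate records whose primary user is not on the (assumed) approved list."""
    return [r for r in surrogate_logins(text) if r.primary not in allowed_primaries]


if __name__ == "__main__":
    for r in surrogate_logins(SAMPLE_AUDIT_LOG):
        print(f"{r.when}  {r.primary} acted as {r.surrogate}  ({r.action} from {r.client_ip})")
    for r in unauthorized_impersonation(SAMPLE_AUDIT_LOG, {"casuser"}):
        print(f"ALERT: {r.primary} impersonated {r.surrogate} without being on the approved list")
```

Run it against the real audit file once surrogate records appear; the parser keys only on the record delimiters and field labels, so additional fields CAS adds are carried along without changes.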


Re: [cas-user] CAS 6.2 Monitoring and Statistics

2020-06-22 Thread 'Robert Bond' via CAS Community
Hi Bryan,

Are you using SpringBoot Admin Server?

Here is how we have monitoring configured without SpringBoot Admin Server:
## Management/Monitoring Settings ##
# Blog post:
https://apereo.github.io/2018/11/06/cas6-admin-endpoints-security/
# And https://apereo.github.io/2019/02/07/cas61-healthstatus-springboot/
management.endpoints.enabled-by-default= true
management.endpoints.defaults.sensitive= false
management.endpoints.web.base-path= /actuator
management.endpoints.web.exposure.include=info,health,status,registeredServices
management.server.add-application-context-header= false

management.endpoint.health.enabled= true
management.endpoint.health.show-details= always
management.endpoint.info.enabled= true
management.endpoint.status.enabled= true
management.endpoint.registeredServices.enabled= true
# basic auth to health and info used for ecs health check
cas.monitor.endpoints.endpoint.health.access=AUTHENTICATED
cas.monitor.endpoints.endpoint.info.access=AUTHENTICATED
cas.monitor.endpoints.endpoint.registeredServices.access=AUTHENTICATED


spring.security.user.name=${spring_security_user_name}
spring.security.user.password=${spring_security_user_password}

The monitoring endpoints do not listen on a different port, they are all
part of the same application.

Take a look at the linked blog posts in the code block also.

Hope this helps!



On Mon, Jun 22, 2020 at 12:13 PM Bryan Wooten  wrote:

> We are trying to get the /status /health endpoints to work on the CAS 6.2
> main branch following this guide:
>
>
> https://apereo.github.io/cas/development/monitoring/Monitoring-Statistics.html
>
> We have this in our pom.xml:
>
> implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
>
> Our cas.properties has:
> #settings for monitoring and statistics
> spring.boot.admin.url=https://cas6test.go.utah.edu:8444
> spring.boot.admin.client.managementUrl=${cas.server.prefix}/status
>
> management.endpoints.web.exposure.include=*
> management.endpoints.enabled-by-default=true
> cas.monitor.endpoints.endpoint.defaults.access=AUTHENTICATED
>
> spring.security.user.name=casuser
> spring.security.user.password=Mellon
>
> I don't see port 8444 open using:
> netstat -tulpn | grep LISTEN
>
> In catalina.out I see:
>
>  22-Jun-2020 10:53:21.601 WARNING
> [AsyncReporter{org.springframework.cloud.sleuth.zipkin2.sender.RestTemplateSender@1063035f}]
> zipkin2.reporter.AsyncReporter$BoundedAsyncReporter.flush Dropped 2 spans
> due to ResourceAccessException(I/O error on POST request for "
> http://localhost:9411/api/v2/spans": Connection refused (Connection
> refused); nested exception is java.net.ConnectException: Connection
> refused (Connection refused))
>
> org.springframework.web.client.ResourceAccessException: I/O error
> on POST request for "http://localhost:9411/api/v2/spans": Connection
> refused (Connection refused); nested exception is
> java.net.ConnectException: Connection refused (Connection refused)
>
> at
> org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:751)
>
> at
> org.springframework.cloud.sleuth.zipkin2.sender.ZipkinRestTemplateWrapper.doExecute(ZipkinRestTemplateSenderConfiguration.java:228)
>
> at
> org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:644)
>
> Any hints or clues? We need this as it seems to be a prerequisite for:
>
>
> https://apereo.github.io/cas/6.0.x/monitoring/Configuring-Monitoring-Administration.html#configuration
>
>
> Thanks,
>
> Bryan
>
> University of Utah
>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University

Re: [cas-user] CAS newbie 1st time install on RHEL problems with connection to LDAP server

2020-06-16 Thread 'Robert Bond' via CAS Community
You can use the following config to specify the cert of the CA, if that is
what is needed:

cas.authn.ldap[0].trustCertificates=file:/etc/cas/ca_ldaps_cert.crt

On Tue, Jun 16, 2020 at 3:10 PM David Curry 
wrote:

> The CAS server (Tomcat) cannot validate the TLS certificate being returned
> by your LDAP server. This could be for a few different reasons:
>
>1. The LDAP server's TLS certificate is not for the host name you're
>using to access the LDAP server (walnut.wccnet.edu)
>2. The LDAP server's TLS certificate requires an intermediate
>certificate that it's not providing itself (by concatenating certificates)
>and the Tomcat server doesn't have the intermediate certificate either
>3. Same as #2, but for the root certificate
>
> Check #1 first; if that's not it, #2 is probably the issue, and it can be
> fixed by having the LDAP server return a concatenated certificate
> (basically, instead of just providing the server certificate, provide the
> server cert, the intermediate cert, and [optionally] the root cert all
> together).
>
> --Dave
>
> P.S. - The tip-off is this line:
>
> org.ldaptive.ConnectException: javax.net.ssl.SSLException:
> javax.net.ssl.SSLHandshakeException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> and then you just read backwards to see what it's trying to connect to
> when the error occurs.
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david.cu...@newschool.edu
>
>
> On Tue, Jun 16, 2020 at 4:01 PM David Lacerte  wrote:
>
>> At Washtenaw Community College Ann Arbor Michigan I am working to replace
>> a old CAS 3.x server with a new CAS 6.2 server running on RHEL 8.1
>>
>> We have encountered an error when we perform a 'gradlew run' command in
>> which we see this error:
>>
>>
>> CAS Version: 6.2.0-SNAPSHOT
>> CAS Branch: master
>> CAS Commit Id: 4ac819eb72848f0ca995bb369526727479fa8cbf
>> CAS Build Date/Time: 2020-06-16T19:16:54Z
>> Spring Boot Version: 2.2.8.RELEASE
>> Spring Version: 5.2.6.RELEASE
>> Java Home: /usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64
>> Java Vendor: Oracle Corporation
>> Java Version: 11.0.7
>> JVM Free Memory: 409 MB
>> JVM Maximum Memory: 2 GB
>> JVM Total Memory: 478 MB
>> JCE Installed: Yes
>> OS Architecture: amd64
>> OS Name: Linux
>> OS Version: 4.18.0-147.5.1.el8_1.x86_64
>> OS Date/Time: 2020-06-16T15:56:59.381046
>> OS Temp Directory: /tmp
>> Apache Tomcat Version: Apache Tomcat/9.0.36
>> 
>>
>>
>> 2020-06-16 15:02:49,204 INFO
>> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
>> - > [/etc/cas/config/cas.properties]]] under
>> profile(s) [[standalone]]>
>> 2020-06-16 15:02:49,381 INFO [org.apereo.cas.web.CasWebApplication] -
>> 
>> 2020-06-16 15:02:52,616 INFO
>> [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] -
>> > successfully.>
>> 2020-06-16 15:03:00,848 INFO
>> [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration]
>> - <
>>
>> Using generated security password: xx
>> >
>> 2020-06-16 15:03:01,045 INFO
>> [org.springframework.security.web.access.channel.ChannelProcessingFilter] -
>> 
>> 2020-06-16 15:03:01,063 INFO
>> [org.springframework.security.web.DefaultSecurityFilterChain] - > filter chain: any request,
>> [org.springframework.security.web.access.channel.ChannelProcessingFilter@1a6dc5ea,
>> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3d88ce0e,
>> org.springframework.security.web.context.SecurityContextPersistenceFilter@31b741e2,
>> org.springframework.security.web.savedrequest.RequestCacheAwareFilter@28f05b0c,
>> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5fdb7394,
>> org.springframework.security.web.authentication.AnonymousAuthenticationFilter@31f7eb8,
>> org.springframework.security.web.session.SessionManagementFilter@1846ad0f,
>> org.springframework.security.web.access.ExceptionTranslationFilter@432c0f1,
>> org.springframework.security.web.access.intercept.FilterSecurityInterceptor@70884875]>
>> 2020-06-16 15:03:02,145 ERROR
>> [org.ldaptive.transport.netty.NettyConnection] - > for org.ldaptive.transport.netty.NettyConnection@193667460
>> ::ldapUrl=[org.ldaptive.LdapURL@-120939274::scheme=ldaps, hostname=walnut.wccnet.edu, port=636, baseDn=null,
>> attributes=null, scope=null, filter=null, inetAddress=null], isOpen=false,
>> connectTime=null, connectionConfig=[org.ldaptive.ConnectionConfig@697975769::ldapUrl=ldaps://walnut.wccnet.edu:636, connectTimeout=PT5S,
>> responseTimeout=PT5S, reconnectTimeout=PT2M, autoReconnect=true,
>> 

Re: [cas-user] Re: What is needed to get ADFS in CAS6?

2020-06-10 Thread 'Robert Bond' via CAS Community
Hi Tobey,

Thanks for the further insight. To potentially simplify your setup, is
there a reason you cannot use just CAS?
After taking a look I am guessing you do not have an option. Looks like
ADFS is controlled by your regents? https://adfs.sdbor.edu/

Unfortunately I have not set up a relying party trust with ADFS before. I have
configured CAS to work with an SP using ADFS.
Potentially this guide can help:
https://apereo.github.io/2018/07/31/cas6-delegated-authn-adfs/

Hope that helps!




On Wed, Jun 10, 2020 at 9:09 AM Toby Archer  wrote:

> Oh, and yes, this is our current functioning configuration in production
> with CAS5. Works like a charm.
>
> On Wednesday, June 10, 2020 at 9:02:25 AM UTC-5, Toby Archer wrote:
>>
>> Thank you for your help. Yes, a little more detail. ADFS will be doing
>> the authenticating, so if I've got my abbreviations straight, yes it will
>> be SP. You hit CAS, it redirects you to ADFS where you login, and ADFS
>> sends you back to CAS which sends you back to the service requesting a
>> login. Through this whole process, the user never sees CAS. CAS adds no
>> information to the ADFS responses, so it can be thought of as strictly a
>> relying party which acts as a translator/adapter for services that can't
>> connect directly to ADFS.
>>
>
>> On Monday, June 8, 2020 at 2:10:10 PM UTC-5, Robert Bond wrote:
>>>
>>>
>>> Hi Tobey,
>>>
>>> Can you explain the scenario a little more?
>>>
>>> What Role is the ADFS server playing? SP?
>>>
>>> What role is the cas server fulfilling? IDP?
>>>
>>> Do you have this working on CAS 5?
>>>
>>> Thanks!
>>>
>>>
>>> On Thursday, June 4, 2020 at 11:40:47 AM UTC-5, Toby Archer wrote:

>>>> We are looking to upgrade from CAS 5 to CAS 6. I have a fresh setup so
>>>> I've just got the default json services and ADFS. This guide
>>>> suggests I need this line:
>>>>
>>>> compile "org.apereo.cas:cas-server-support-wsfederation-webflow:${project.'cas.version'}"
>>>>
>>>> In my build.gradle file. Presumably in the area right below:
>>>>
>>>> dependencies {
>>>>     // Other CAS dependencies/modules may be listed here...
>>>>     // implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
>>>>     compile "org.apereo.cas:cas-server-support-wsfederation-webflow:${project.'cas.version'}"
>>>>
>>>> And then I copied over the attributes from our test box, which appears
>>>> to be the same in 5.x as it is in 6.x:
>>>>
>>>> cas.authn.wsfed[0].identityProviderUrl=https://adfs.usd.edu/adfs/ls/
>>>> cas.authn.wsfed[0].identityProviderIdentifier=http://adfs.usd.edu/adfs/services/trust
>>>> cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:test-sso.usd.edu
>>>> cas.authn.wsfed[0].attributesType=WSFED
>>>> cas.authn.wsfed[0].autoRedirect=true
>>>> cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs_signing2019.cer
>>>>
>>>> But nothing happens. No redirect, no mention of ADFS in the logs. Was
>>>> there something else I had to do?



-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University



[cas-user] Re: What is needed to get ADFS in CAS6?

2020-06-08 Thread 'Robert Bond' via CAS Community

Hi Tobey,

Can you explain the scenario a little more? 

What Role is the ADFS server playing? SP?

What role is the cas server fulfilling? IDP? 

Do you have this working on CAS 5? 

Thanks!


On Thursday, June 4, 2020 at 11:40:47 AM UTC-5, Toby Archer wrote:
>
> We are looking to upgrade from CAS 5 to CAS 6. I have a fresh setup so 
> I've just got the default json services and ADFS. This guide 
> suggests I need this line:
>
> compile "org.apereo.cas:cas-server-support-wsfederation-webflow:${project.'cas.version'}"
>
> In my build.gradle file. Presumably in the area right below:
>
> dependencies {
>     // Other CAS dependencies/modules may be listed here...
>     // implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-wsfederation-webflow:${project.'cas.version'}"
>
> And then I copied over the attributes from our test box, which appears to 
> be the same in 5.x as it is in 6.x: 
>
> cas.authn.wsfed[0].identityProviderUrl=https://adfs.usd.edu/adfs/ls/
> cas.authn.wsfed[0].identityProviderIdentifier=http://adfs.usd.edu/adfs/services/trust
> cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:test-sso.usd.edu
> cas.authn.wsfed[0].attributesType=WSFED
> cas.authn.wsfed[0].autoRedirect=true
> cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs_signing2019.cer
>
> But nothing happens. No redirect, no mention of ADFS in the logs. Was 
> there something else I had to do?
>
