Re: [cas-user] Re: 4.x SAML documentation

> > I've been holding off on trying the snapshots so far, due mostly to other > things on my plate, but also because I'm waiting for 4.3.x and MFA to get a > little closer, as we want that, too. I sorta kinda get the overlays and > stuff, and even some coding, in that I managed to figure out

[cas-user] 4.x SAML documentation

Hopefully this isn't too dumb a question; I haven't been able to find a definitive answer anywhere. Right now we're using CAS 3.5.x (we're waiting for summer and 4.3.x with MFA) as our primary authentication/single sign-on. We also have Shibboleth 2.4.x for those few services that don't

Re: [cas-user] Questions about configuration management (CAS 5.0)

Thanks for the detailed answers; that all makes sense. The GitHub approach to storing the application.properties file(s) sounds pretty neat; especially if we were to ever do some kind of split on-prem/cloud deployment (which we have been kicking around but won't be in our first iteration).

[cas-user] Re: Step by Step guide

For what it's worth, as I've been working on building a CAS 5.0 development/test environment here, I have been documenting every step along the way (starting from bare Red Hat 7 servers that you have to install Java and Tomcat on). I've been doing this for our own internal use, but have

Re: [cas-user] login page state

So just to confirm... does that mean that this paragraph: There is a further consideration for active/active deployments: session affinity. Session affinity is a feature of most load balancer equipment where the device performs state management for incoming requests and routes a client to the

[cas-user] Dependency issues trying to enable SAML IdP support in 5.0 RC5-SNAPSHOT?

RedHat 7, OpenJDK 1.8.0_111, Tomcat 8.5.6 (non-embedded) If I build RC5-SNAPSHOT using the cas-overlay-template with only the addition of the "cas-server-support-ldap" dependency, everything builds and works fine (it did with RC4-SNAPSHOT, too). However, now I'm working on adding SAML IdP

Re: [cas-user] Dependency issues trying to enable SAML IdP support in 5.0 RC5-SNAPSHOT?

com/apereo/cas/issues/2103 > > > > --Misagh > > > > *From:* cas-...@apereo.org [mailto:cas-...@apereo.org > ] *On Behalf Of *David Curry > *Sent:* Wednesday, November 2, 2016 1:12 PM > *To:* CAS Community cas-...@apereo.org > *Subject:* [cas-user] Dependency i

[cas-user] Configuration management for properties - clue(s) needed

So I'm building a development/planning a production high availability clustered setup of CAS 5.0 servers, and I'm trying to work out the best way to manage the property settings (/etc/cas/config/cas.properties). I've read the "Configuration Management" page, as well as the "Clustered

[cas-user] cas.authn.samlIdp.metadata.location not parsed as uri

The documentation (https://apereo.github.io/cas/development/installation/Configuration-Properties.html#saml-idp) says that the cas.authn.samlIdp.metadata.location property should be set to a URI/URL like "file:/etc/cas/saml". However, if you do this, the server will die on startup with

Re: [cas-user] Configuration management for properties - clue(s) needed

Thanks for the clarifications, Misagh. I think for the moment then, I may just kick this particular can down the road and just copy the properties file around. It's not like I don't have plenty of other features and settings and options to play around with. :-) --Dave On Wednesday, November

Re: [cas-user] Commercial companies using CAS?

Well, for what it's worth, Misagh ran a survey in this group back in March, and shared the results at Open Apereo. From one of those slides, of 156 respondents: Healthcare: 4 (2.8%) Insurance: 5 (3.5%) Government: 11 (7.5%) Higher Ed: 109 (75.7%) Finance: 1 (0.7%) Travel: 1 (0.7%) Other: 25

Re: [cas-user] Service registry initialisation using JSON files. Help needed

You also have to add org.apereo.cas cas-server-support-json-service-registry ${cas.version} to your pom.xml. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

l setup, which authenticates against Active Directory first and LDAP second, and merges attributes from both, I get: REMOTE_USER = curryd AuthenticationMethod = Active Directory displayName = David Curry successfulAuthenticationHandlers = Active Directory cn = x EmailAddress = david.cu...

Re: [cas-user] Re: 5.1.x - How to configure CAS to transfert some values from different attribut of LDAP

Personally I would use the second option, as it gives you more flexibility. If you'd like a step-by-step example of setting up attribute release, see here: https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_resolution-release_overview.html (The above is not official

Re: [cas-user] Re: 5.1.x - How to configure CAS to transfert some values from different attribut of LDAP

Did you configure the server to support releasing attributes with SAML 1.1? The CAS protocol didn't support attribute release until v3.0 of the protocol, which came out in v4.0 of the server. To support SAML 1.1 attribute release, you need this in pom.xml: org.apereo.cas

Re: [cas-user] Re: Service registry initialisation using JSON files. Help needed

Didier, Is /etc/cas/json a file, or a directory? CAS is expecting it to be a directory, with individual JSON files for each service underneath, like this: / <-- file system root etc/ json/ Apereo-1002.json HTTPSandIMAPS-1001.json Assuming you have added the

Re: [cas-user] CAS config server credentials

Normally you disable the static authentication handler altogether once you have a "real" authentication handler (e.g., LDAP or Active Directory) configured. To do that, put this in cas.properties: cas.authn.accept.users: Just leave the value empty. If you really and truly want to keep the

Re: [cas-user] Re: CAS5.1 ,Application Not Authorized to Use CAS , no service registry issue.???

/04/520rc2-release/#minors. > > "Service registry initialization from JSON is now able to honor service > definitions found at the path specified via settings, rather than only > loading those found on the classpath’s services directory." > > > > On Tuesday, September 5,

Re: [cas-user] Re: FYI: Detailed CAS 5.1.x how-to documentation available

login form/experience? > > Thank you! > > On Friday, September 1, 2017 at 4:24:25 PM UTC-4, David Curry wrote: >> >> Hi everyone, >> >> A couple of weeks ago there was a thread here asking for CAS 5.1.x >> step-by-step documentation. >> >> As I've

Re: [cas-user] A new CAS Adopter

You might find this helpful; it's the step-by-step documentation I've been building to record our development environment for posterity. It's not the only way to do it, but if you're completely new to everything, it will at least get you off the ground with something you can then start to

Re: [cas-user] making an extra LDAP attribute visible via CAS

Short answer: cas.authn.attributeRepository.ldap[0].attributes.employeeNumber: UDC_IDENTIFIER The last element of the property name is the name of the attribute in the directory, the value of the property is the name you want to give it when it's released to applications. The above assumes

Re: [cas-user] CAS authentication denial based on an attribute

Most of the functionality for what you want is here, I think: https://apereo.github.io/cas/development/installation/Webflow-Customization-AUP.html It seems to be available in 5.1.x as well, although with fewer options for storing state that what 5.2.x is going to offer. I should mention that

Re: [cas-user] CAS authentication denial based on an attribute

om O'Neill <one...@sigcorp.com> wrote: > Looks like I need to catch up on my 5.x – another good reference, thanks > Dave! > > > > Thanks, > > > > *Tom O’Neill* > > > > > > *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behal

Re: [cas-user] Re: CAS5.1 ,Application Not Authorized to Use CAS , no service registry issue.???

To use a separate JSON registry (e.g., /etc/cas/services/), you have to add the cas-server-support-json-service-registry dependency to pom.xml and rebuild the server. Then you can set cas.serviceRegistry.config.location:file:/etc/cas/services and put your service declarations in there.

Re: [cas-user] Service Registry

I don't have a specific MySQL-ish answer, but if you've configured the dashboard ("admin pages"), the "Registered Services" button will give you a JSON document that contains the entire registry. It's just a REST endpoint (https://your.server.name/cas/status/services), so depending on how you've

Re: [cas-user] CAS 5.2.0

Two dumb questions (but I've gotten caught by both): 1. Did you pull down a new copy (or do a git pull) from the Github repo for cas-maven-overlay? It is not (or at least not always) sufficient to just update the ${cas.version}, because other information in pom.xml changes sometimes.

Re: [cas-user] Re: having difficulty with dependencies when upgrading to CAS 5.2.0

Just a thought... When you went from 5.1.4 to 5.2.0, did you update the Maven overlay template from GitHub and then re-apply your local changes, or did you just update ${cas.version}? In my (limited) experience, just updating the version doesn't always work, and it's better to update from the

Re: [cas-user] having difficulty with dependencies when upgrading to CAS 5.2.0

ou might try removing or updating > the version of the ldaptive-unboundid artifact to the latest version or > even try removing it as a test to see if the error message goes away or > changes. > ​​ > > ​-Adam​ > > > On Thu, Dec 14, 2017 at 12:13 PM, David Curry <david.cu.

Re: [cas-user] having difficulty with dependencies when upgrading to CAS 5.2.0

This is PURE speculation, but I see this dependency in your 5.2 pom.xml: org.ldaptive ldaptive-unboundid 1.0 What is that? I cannot find any mention of it in the CAS documentation searching for "ldaptive-unboundid", which makes me think it

Re: [cas-user] JSON Service Registry cas.serviceRegistry.config.location property setting ineffective after upgrading to CAS version 5.2

You have the wrong property name (I forget when it changed). cas.serviceRegistry.json.location: file:/etc/cas/services Also, since you have your own non-empty service registry, you should have cas.serviceRegistry.initFromJson: false That property tells the CAS server to load an otherwise

Re: [cas-user] how to access admin or management page?

Here is one way to do it. It's not the only way, since CAS gives you so many options, but it should be enough to get you started. 1. Set these to enable the dashboard (these settings enable all of the endpoints; you can also pick and choose): cas.adminPagesSecurity.actuatorEndpointsEnabled:

Re: [cas-user] Exception in async processing

This is a servlet container configuration issue, not a code issue -- no pr needed. The embedded servlet container comes pre-configured with async support enabled, but if you're using an external servlet container, you have to enable it yourself. This is documented here:

Re: [cas-user] Re: having difficulty with dependencies when upgrading to CAS 5.2.0

> I updated from the repo. My guess is that I missed something in doing so, > but I have not been able to figure out what I missed. Thanks Dave. > > On Tuesday, December 12, 2017 at 11:29:24 AM UTC-5, David Curry wrote: >> >> Just a thought... >> >> When you went f

Re: [cas-user] JSON Service Registry cas.serviceRegistry.config.location property setting ineffective after upgrading to CAS version 5.2

. How can this be avoided? > > Just to reiterate: My primary issue has been resolved. > > > > On Monday, December 18, 2017 at 3:50:22 PM UTC-5, David Curry wrote: >> >> You have the wrong property name (I forget when it changed). >> >> cas.serviceRegistry.js

Re: [cas-user] CAS ldap against AD?

You might find this link helpful. It's a work in progress and not "official" documentation, but it does include, among other things, an example and step-by-step instructions for how to configure for AD, both authentication and attributes. https://dacurry-tns.github.io/deploying-apereo-cas/

Re: [cas-user] CAS 5.1.5: Change SAML Attribute Names

This is the way I did it with the Shib SP (Apache mod_shib) as well. Not sure it's the "right" way, but it works. In our experience, just about every SAML SP we work with (mostly third-party SaaS platforms) requires their own custom attribute list anyway, so doing this seems like it will be a

Re: [cas-user] Re: Dumb question

I agree that in the particular case of IP addresses, it probably doesn't matter, because the '.' is going to match either a '.' or a single character of any value but that will almost always be a '.' anyway, since IP addresses have a more or less fixed format. I guess my question is a bit more

[cas-user] Re: Help! Weird JSON service registry crash

e happy to help test if someone else is able to do them... --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Tue, Oct 31, 2017 at

Re: [cas-user] CAS5 how large for tomcat maxHttpHeaderSize

Tomcat's default value for maxPostSize is 2097152, so that's "normal." ( https://tomcat.apache.org/tomcat-8.5-doc/config/http.html) Tomcat's default value for maxHttpHeaderSize is 8192 (see same link, above), but the CAS documentation for configuring the server as a SAML2 IdP recommends setting

Re: [cas-user] phpCAS and returnin SAML attributes

> eventual goal of authentication with SSO Banner. The project installation > guide > <https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_authentication_overview.html> > kindly provided by David Curry has been a great help as I am new to CAS. > Many thank

Re: [cas-user] Custom License Validator Implementaion

I'm not completely sure I understand what you want to do, but could you use the Acceptable Use Policy piece of the workflow, and just replace the text of the AUP (which you have to put into it anyway) with whatever license you need?

Re: [cas-user] Unknown encryption/secret key WARN message at startup

Those are probably referring to missing signing/encryption keys for Spring Webflow encryption, since you say you have the tgc properties configured. (Although you should also check the properties you have set for tgc encryption; all the sigining/encryption key properties were "rationalized" in one

Re: [cas-user] Service Registry

a full database > recovery. > > Thanks, > -Jeff > > On Wed, Dec 6, 2017 at 7:49 AM, David Curry <david.cu...@newschool.edu> > wrote: > >> Looks like you're right; it was added in 5.2RC1: >> >> https://apereo.github.io/2017/06/30/520rc1-release/#016-regi &

Re: [cas-user] Service Registry

n Mon, Dec 4, 2017 at 4:01 PM, Jeffrey Ramsay <jeffrey.ram...@gmail.com> > wrote: > >> Well, I had that turned on but didn't notice that option so, I'll >> redeploy. >> >> Thank you, >> -Jeff >> >> On Mon, Dec 4, 2017 at 2:51 PM, David Curry <d

Re: [cas-user] how to access admin or management page?

ices.RegexRegisteredService", > > "serviceId" : "^https://cas.beloit.edu:8443/ > cas/status/dashboard(\\z|/.*)", > > "name" : "CAS Admin Dashboard", > > "id" : 123456789, > > "description" : "CAS dashboar

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

Does the vendor require you to configure your IdP (CAS server) to obtain the metadata from them dynamically? Or could you: 1. Use curl to grab a copy of their metadata from https://vendor.com/metadata 2. Edit the metadata yourself and get rid of the "validUntil" attribute 3. Put the

Re: [cas-user] cas.properties file

Either one; they are interchangeable. Personally I like colons better, but I'm pretty sure I'm in the minority on that. The official spec is documented in the java.util.Properties documentation , but I find this description

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

Do you have the dashboard endpoints enabled? Can you go to the "services" endpoint, which dumps the service registry, and see if there's something else in there? Alternatively, I think if you turn on debug mode logging, it will tell you what services are loaded. I'm thinking you might be getting

Re: [cas-user] Favicon.ico file location (when building CAS 5.2.x with Maven)

Unless told otherwise by a tag, browsers expect favicon.ico to be at the document root ("/"). That's WEB-INF/classes/static, so I believe you should put it in src/main/resources/static/favicon.ico. I think. I ended up doing a custom template as well as a custom theme, so I just used a tag in

Re: [cas-user] error in catalina.out Address already in use

I _think_ that's caused by a missing or too-low-version library -- either the Tomcat Native Library, or the Apache Portable Runtime, or OpenSSL would be my guess. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY

Re: [cas-user] SAML Public Key for Metadata

Assuming you mean for CAS to be your IdP... When you start CAS for the first time with the SAML IdP enabled, it will generate keys and store them in /etc/cas/saml for you. You need to copy them from there back to a safe location so that they get re-deployed whenever you update the server. See,

Re: [cas-user] SAML Public Key for Metadata

Sorry, I don't. We don't use ADFS, so have no need for it. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu Sent from my phone; please excuse typos and

Re: [cas-user] cas.authn.ldap[0].poolPassivator=NONE|CLOSE|BIND

See this link. https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#passivators David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu

Re: [cas-user] CAS5 LDAP

gt; somehow be skipping LDAP altogether. > > > < org.apereo.cas > < cas-server-support-ldap > < ${cas.version} > < > > On Saturday, May 12, 2018 at 4:30:06 PM UTC-7, David Curry wrote: >>

Re: [cas-user] CAS5 LDAP

12, 2018, 22:19 Lionel Samuel <lionel.samue...@gmail.com> wrote: > Thanks David! > > Your guidance helped tremendously --- I had inadvertently commented out > the ' cas.authn.ldap[0].type' line. > > have a great weekend. > > On Saturday, May 12, 2018 at 5:03:

Re: [cas-user] CAS5 LDAP

MultiplePrincipalAttributeValues=true > > > > # Bind credentials used to connect to the LDAP instance > # > cas.authn.ldap[0].bindDn=uid=foo,ou=edu > cas.authn.ldap[0].bindCredential=snip > > cas.authn.accept.users: > > > On Saturday, May 12, 2018 at 4:43:24

Re: [cas-user] 5.2.X Service Registry

There are a whole bunch of options, from JSON/YAML to JPA (multiple databases) to REST-ful web interfaces. Go to the CAS documentation ( https://apereo.github.io/cas/5.2.x/index.html) and then on the right-hand side menu, click on "Services" and then "Storage" to see the whole list. We have been

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

For the service definition, you should only have one, which is a SamlRegisteredService. You do not need (or want) a RegexRegisteredService for a SAML service. And as Matthew said, you should also set cas.authn.samlIdp.entityId: ${cas.server.prefix}/idp cas.authn.samlIdp.scope:

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

No, it's the "adminpages" stuff: https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html It's enabled solely in the CAS server; you don't need the management webapp. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

Just a thought, do you still have the "HTTP|IMAP" wildcard service in there? And does it have a lower evaluation order than your service-specific entry? --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

Well, I used the one file per service model with them all in the /etc/cas/services directory. But I believe you can keep them all in one big JSON file if you want. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York,

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

This may be your problem, then? validUntil="2018-05-03T20:29:06Z --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Tue, May 8, 2018

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

I do not see it in the metadata from any of the SPs we have in production here, so my guess would be probably not. But that's just a guess; I don't pretend to be an authority on SAML. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE.,

Re: [cas-user] can't run mvnw clean package - TrustAnchors parameter must be non-empty

Are you running Oracle Java, or OpenJDK? I assume Oracle, because "/usr/java" is not a path used by OpenJDK. If you're running Oracle, did you run the "alternatives" command to set up all the links to point at the right things? (I've never installed the Oracle Java, so I'm not sure this is a

Re: [cas-user] can't run mvnw clean package - TrustAnchors parameter must be non-empty

...@newschool.edu [image: The New School] On Fri, May 4, 2018 at 10:43 AM, David Curry <david.cu...@newschool.edu> wrote: > Are you running Oracle Java, or OpenJDK? I assume Oracle, because > "/usr/java" is not a path used by OpenJDK. > > If you're running Oracle, d

Re: [cas-user] Authentication issues - CAS cannot find authentication handler that supports [UsernamePasswordCredential].

If you're using ldap.type=AD, you should not be using a bind credential. If you want to use a bind credential, you should use ldap.type=AUTHENTICATED. See https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1 for more info on ldap.type. --Dave

Re: [cas-user] User Attributes for SAML 2.0

I'm not sure I understand the question. If you mean could you copy the example I provided directly into a jdbc/jpa service registry, then I have to say I don't know, because I don't know how the information is stored in the database. The first example I gave (the Apache one) is a json file from a

Re: [cas-user] User Attributes for SAML 2.0

Here's a JSON definition for an Apache HTTPD with the Shibboleth mod_shib/shibd plug-in: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth;, "name" : "Apache Secured By SAML", "id" : 1509030300,

Re: [cas-user] Service Registry -- Getting the 1st Application Entered

Lionel and Jann, Did you ever have the JSON service registry working? If not, I recommend that you take all the JPA stuff out of pom.xml and cas.properties and get that working correctly first, so that you're only trying to debug one thing at a time. Once you have the JSON service registry

Re: [cas-user] Re: Error - Service Registry json

Yes, but the rest of the name has to match the service name, as well. Again, JSON fileName = serviceName + "-" + serviceNumericId + ".json" so based on your first post in this thread, you should have two files: The first file, called HTTPSIMAPSwildcard-20170905111650.json, contains {

Re: [cas-user] New Error -- I broke it LOL

vax.naming.AuthenticationException: [LDAP: error code 49 - > 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, > data 52e, v2580], controls=null]]> > 2018-05-15 13:27:45,877 ERROR [org.apereo.cas.authentication. > PolicyBasedAuthenticationManager] - Credentials ma

Re: [cas-user] Error - Service Registry json

If you're using the JSON service registry, services are supposed to be defined one service per file, with all the files stored in a directory. And there is a naming convention for the files: JSON fileName = serviceName + "-" + serviceNumericId + ".json" See

Re: [cas-user] New Error -- I broke it LOL

Looks like the CAS webapp isn't starting. catalina.out should tell you what happened? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Tue,

Re: [cas-user] cas admin pages from every IP?

You need to set cas.adminPagesSecurity.ip to a regular expression that matches the IPs you want to let in. To allow all of 10.28.51 in, you'd have something like this: cas.adminPagesSecurity.ip: ^10\\.28\\.51\\.[0-9]{1,3}$ I have something like this: cas.adminPagesSecurity.ip:

Re: [cas-user] User Attributes for SAML 2.0

Someone smarter than me may need to weigh in on this... but I'll try. As I understand it, SAML SPs will accept two forms of attribute names. One form is that "urn" notation that Shibboleth seems to like: The other form is the "friendly name," which is basically just a string, like "cn"

Re: [cas-user] Failed to get nested archive for entry /WEB-INF/lib/getopt-1.0.13.jar

CAS 5 requires Tomcat 8 or better. That may not be the cause (or only cause) of your problem, but I would start there. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~

Re: [cas-user] User Attributes for SAML 2.0

Can you attach the relevant section of cas.properties (the part where you define which attributes you're going to resolve) and the service definition for the SAML SP? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1

Re: [cas-user] User Attributes for SAML 2.0

Could be, but as I don't use the jdbc stuff, I can't help you with that. The {0} gets replaced with some dynamic value generated by the Java code. My guess would be it's some condition like column=value, but that's pretty a guess. I would suggest if you haven't yet to see the CAS log level to

Re: [cas-user] User Attributes for SAML 2.0

Based on the SELECT, I think these definitions are flipped: cas.authn.attributeRepository.jdbc[0].attributes.uid=id cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email

Re: [cas-user] User Attributes for SAML 2.0

I'm pretty sure that if you enable debug-level logging on org.apereo.services.persondir in */etc/cas/config/log4j2.xml*, you'll see the SQL query in *cas.log*. You can do that most easily by changing this line near the top of the file: warn to: debug You shouldn't even need to restart the

Re: [cas-user] CAS Login Page Cutomization

These two threads are somewhat helpful: https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/themes/cas-user/k-yfoou7Zy0/BXry1PxgFAAJ https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/template/cas-user/3eaKVAMhFYE/uuj7eEpCAwAJ Assuming you're making new templates, most

Re: [cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

Check the Tomcat log file (catalina.out) for errors. You should see it starting up the CAS service, etc. Also check the CAS log file. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728

Re: [cas-user] SLO and SSO using Mod_auth_cas

School] On Thu, May 24, 2018 at 9:45 AM Ramakrishna G <r...@tts.in> wrote: > Hey David, > > Firstly thanks for your response and clarifying few things. My query to > you now is > > Does logoutUrl property support SLO? If so, which all cookie should I be > deleting?

Re: [cas-user] SLO and SSO using Mod_auth_cas

What do you mean when you say you are "using mod_auth_cas for reverse proxy to my cas server"? Mod_auth_cas is not a (reverse) proxy. It's simply a way to control access to content on an Apache web server using CAS authentication. Think of it as an alternative to HTTP Basic Authentication. It

Re: [cas-user] Re: CAS5.3.x - Health & Version monitor Page

https://apereo.github.io/cas/development/installation/Monitoring-Statistics.html You do not need the CAS Management Overlay to enable the above; it's accomplished with just some settings in cas.properties and creating the user file and a service registry entry. If you'd like step-by-step

Re: [cas-user] How to route new page

How strongly do you feel about having "https://server/cas/timeout; as opposed to "https://server/cas/timeout.html;? If you're fine with the latter, you should just be able to drop "timeout.html" into the same place where all the other casWhateverView.html pages are and redirect to

Re: [cas-user] Re: cas-management question

Haven't seen that one, that I can recall. Is that a CAS error (shows in a CAS-branded web page) or a Tomcat error? Do the logs (cas.log and/or catalina.out) say anything helpful? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW

Re: [cas-user] log in error question

There is. You can enable LDAP Password Policy Enforcement (LPPE): https://apereo.github.io/cas/development/installation/Password-Policy-Enforcement.html This is separate from Password Management (further down the page). All I had to do was add cas.authn.ldap[0].passwordPolicy.enabled: true

Re: [cas-user] Re: cas-management question

You have "server.name" instead of "cas.server.name" (oops) -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Thu, May 17, 2018 at 3:23

Re: [cas-user] cas-management question

etc/cas/config/management.properties --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Thu, May 17, 2018 at 3:18 PM, Jennifer

Re: [cas-user] cas-management question

Not sure if you copy-n-pasted this: https://cashost/cas/login?service=https%3A%2F%2Fcashost%3A8443%2Fcas-management%2Fmanage.html or typed it by hand, but I see both "cashost" and "cashost:8443". Normally they'd both be the same (since Tomcat is usually only listening on the one port). --Dave

Re: [cas-user] Re: cas-management question

Sorry, not cas.log cas-management.log. If still nothing, try setting cas.log.level to debug in log4j2-management.xml. -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 •

Re: [cas-user] User Attributes for SAML 2.0

The same way you do for CAS services, pretty much. Just list what you want to return. If you need the uri naming, you can use the "return mapped attributes" feature; there's an example of that in my doc. Although that may or may not be necessary depending on the SP. CAS 5.3 has some improved

Re: [cas-user] CAS Login Page Cutomization

: > https://dacurry-tns.github.io/deploying-apereo-cas/ui_overview.html > to come to live :) > > - Andy > > On Wednesday, 23 May 2018 20:01:29 UTC+8, David Curry wrote: >> >> These two threads are somewhat helpful: >> >> >> https://groups.google.com

Re: [cas-user] User Attributes for SAML 2.0

So, you have cas.authn.attributeRepository.jdbc[0].username=email in *cas.properties*? I didn't see it in the ones you copied/pasted earlier. Dumb question, but if you connect to the database using the same user and password that you have CAS configured to use, and you run SELECT * FROM

Re: [cas-user] Commiting to GIT (my CAS Overlay)

Personally, I made branches for our Dev, Test, and Prod deployments, and pushed the whole thing to our gitlab. Adding features in Dev and moving them through Test and Prod then just becomes an exercise in merging. --Dave David A. Curry, CISSP Director of Information Security The New School -

Re: [cas-user] error when I run mvmn - the trustAnchors parameter must be non-empty

PKIXParame >> ters.java:200) >> at java.security.cert.PKIXParameters.(PKIXParameters.java:120) >> at java.security.cert.PKIXBuilderParameters.(PKIXBuilderP >> arameters.java:104) >> at sun.security.validator.PKIXValidator.(PKIXValidator.java:89) >> ... 23 more &g

Re: [cas-user] error when I run mvmn - the trustAnchors parameter must be non-empty

few days ago to install cas...This is very > frustrating...I really appreciate this community > > On Wednesday, May 2, 2018 at 12:49:27 PM UTC-4, David Curry wrote: >> >> Hi Jennifer, >> >> When you first run "mvnw" it tries to download and install Maven

Re: [cas-user] error when I run mvmn - the trustAnchors parameter must be non-empty

Hi Jennifer, When you first run "mvnw" it tries to download and install Maven for you. This seems to be a problem with that process; it's failing to download one of the Maven plug-ins. I can think of a couple of reasons for this... one would be that it was just a transient thing with the Maven

Re: [cas-user] CAS 5.4.2 AD integration

Thanks for the recommendation, Riley (and others who have pointed people at it in the past). For those of you who are (or will be) using it, please know that I haven't forgotten about it. If I get can get "real work" to stop intruding :-), I hope to push a bunch of updates in the next week or

  1   2   3   >