Re: [cas-user] Step by step guide for simple CAS server with OpenLDAP authentication

2018-02-26 Thread David Curry
a more > "debuggable" output. > CAS uses the port 636 by default, so I just had to disable SSL since we > use startTLS on 389 instead. > For reference, the entry is: > > *cas.authn.ldap[0].useSsl: false* > > Thank you ! > > > > On 26/02/2018 16:5

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
lize a user's username but rather a user's full name as > part of the DN. For example, my DN is CN=Kevin Liu, OU=Alpha, DC=beta, > DC=gamma instead of CN=kliu. Do you have any ideas on how I might get > around that? > > On Friday, February 23, 2018 at 2:24:37 PM UTC-6, David

Re: [cas-user] /cas/status/dashboard

2018-02-26 Thread David Curry
I think we've been through most of these at one time or another, but to assemble them all in one place... 1. You have all of these: # The /status endpoint is protected by IP address only. cas.adminPagesSecurity.ip: ...a valid regex to match your authorized addresses... # The /status

Re: [cas-user] /cas/status/dashboard

2018-02-26 Thread David Curry
ot;, > > "id" : 12 > > "description" : "CAS dashboard and administrative endpoints", > > "evaluationOrder" : 1001 > > } > > > > > > === > > Thank You; > > Chris Cheltenham >

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
utput? If so, how? Cause I can't seem to be able to shut off the others > without shutting off debug all together. > > On Monday, February 26, 2018 at 11:53:16 AM UTC-6, David Curry wrote: >> >> Well, you can start with log4j2.xml, and change >> >> warn >>

Re: [cas-user] /cas/status/dashboard

2018-02-26 Thread David Curry
something stupid but I just don’t see > it yet. > > > > > > === > > Thank You; > > Chris Cheltenham > Technology Services > The School District of Philadelphia > > Work # 215-400-5025 > Cell # 215-301-6571 > > *From

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
DAP, and then use username and password to authenticate > instead and it looks like principalAttribute fields might be it. > > On Monday, February 26, 2018 at 2:36:13 PM UTC-6, David Curry wrote: >> >> I haven't tried it myself, but you ought to be able to put cas

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
ically > using a DN format. > It says that it authenticates using the sAMAccountName which should get > passed in if we use cas.authn.ldap[0].userFilter=sAMAccountName={user} > correct? > Right now, I can put anything in the username field and it gets > authenticated. That can't

Re: [cas-user] /cas/status/dashboard

2018-02-27 Thread David Curry
er@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Kevin > Liu > *Sent:* Monday, February 26, 2018 3:56 PM > *To:* CAS Community > *Subject:* Re: [cas-user] /cas/status/dashboard > > > > I concur with Matthew. That was my issue too until I changed it. Then > services st

Re: [cas-user] /cas/status/dashboard

2018-02-27 Thread David Curry
== > > Thank You; > > Chris Cheltenham > Technology Services > The School District of Philadelphia > > Work # 215-400-5025 > Cell # 215-301-6571 > > *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *David > Curry > *Sen

Re: [cas-user] /cas/status/dashboard

2018-02-27 Thread David Curry
If you use "config" then the property is being ignored because it doesn't do anything, and you are likely getting the wildcard service registry entry in the classpath. If you use "json" then you are most likely correctly getting your /etc/cas/services directory, and assuming you didn't copy the wi

Re: [cas-user] /cas/status/dashboard

2018-02-27 Thread David Curry
alse, > notifyWhenDeleted=false,expirationDate=],]]> > > 2018-02-27 09:36:57,741 DEBUG > [org.apereo.cas.services.AbstractServicesManager] > - https://www.apereo.org]> > > 2018-02-27 09:36:57,741 DEBUG > [org.apereo.cas.services.AbstractServicesManager] > - > >

Re: [cas-user] /cas/status/dashboard

2018-02-27 Thread David Curry
Cheltenham > Technology Services > The School District of Philadelphia > > Work # 215-400-5025 > Cell # 215-301-6571 > > *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *David > Curry > *Sent:* Tuesday, February 27, 2018 8:58 AM > *To:* cas-user@

Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread David Curry
Note that Jasypt is just a wrapper around Java's symmetric encryption algorithms. Yeah, you've encrypted the passwords in the cas.properties file, but the Jasypt key to decrypt them has to exist in plaintext in the startup script (systemd service file, /etc/init.d script, etc.) for the server (unl

Re: [cas-user] Cas5 Ldap Authentication

2018-03-07 Thread David Curry
You don't say what version you're using, but the userFilter property was renamed to searchFilter between 5.2 and 5.3 as part of the property documentation cleanup. (Documented here: https://apereo.github.io/2017/12/29/530rc1-release/#documentation-cleanup) --Dave -- DAVID A. CURRY, CISSP *DI

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread David Curry
sday, March 7, 2018 at 6:23:27 PM UTC+5:30, David Curry wrote: >> >> You don't say what version you're using, but the userFilter property was >> renamed to searchFilter between 5.2 and 5.3 as part of the property >> documentation cleanup. >> >> (Docume

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread David Curry
owd...@gmail.com> wrote: > Dave can you give a ref for writing our own customization handlers and > configuration classes for Ldap > > On Thursday, March 8, 2018 at 6:42:04 PM UTC+5:30, David Curry wrote: >> >> It looks right, but I have never used that particular property, so

Re: [cas-user] Cas5 Ldap Authentication

2018-03-08 Thread David Curry
As I said, I have no experience at all with that stuff, sorry. I'm an old 'C' programmer who only writes Java under duress. :-) David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david

Re: [cas-user] CAS 5.2.2 SAML IdP vs. Workday

2018-03-14 Thread David Curry
Following up my own post to document how we solved this for posterity (or at least for the next person who has the problem and searches the forum). The SAML2 spec says that by default, the audience should be set to the value of the entityID. And sure enough, that's what CAS is sending back. This

[cas-user] How to define SAML attribute name formats in management webapp?

2018-03-15 Thread David Curry
CAS 5.2.x. In the management webapp, on the SAML2 SP tab, there is a box at the bottom labeled "SAML Attribute Name Formats": If you click on the "+" it comes up with a blank to fill in an attribute name, and a drop-down menu to set the value. However, the drop-down menu is empty. I'm expecting

Re: [cas-user] How to define SAML attribute name formats in management webapp?

2018-03-15 Thread David Curry
YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Thu, Mar 15, 2018 at 11:11 AM, Travis Schmidt wrote: > Sorry David, > No properties to set that, I think you just uncovered a bug. > > Travis > > On Thu, Mar 15, 2018 at 7:13 AM Da

Re: [cas-user] How to define SAML attribute name formats in management webapp?

2018-03-15 Thread David Curry
ull Request has already been submitted: > > https://github.com/apereo/cas/pull/3247 > > When it is merged you should be able to pull the snapshot to try out. > Sorry for the inconvenience. > > Travis > > On Thu, Mar 15, 2018 at 8:31 AM David Curry > wrote: > >

Re: [cas-user] CAS 5 is it possible to configure multiple jdbc attribute repositories?

2018-03-21 Thread David Curry
Yes, you can do something like that in 3.5.2. In short, you define all your attribute repositories in deployerConfigContext.xml, giving them unique bean ids other than " attributeRepository", and then you replace the "attributeRepository" bean that came out-of-the-box with CAS with a new one that

Re: [cas-user] CAS 5.3.0-RC2 LDAP Authentication and cas.authn.ldap[0].userFilter property

2018-03-27 Thread David Curry
The userFilter attribute was renamed to searchFilter in 5.3.0-RC1. It was documented in the "feature release" blog post for that release candidate, here: https://apereo.github.io/2017/12/29/530rc1-release/#documentation-cleanup The feature release blog posts are an excellent source of information

Re: [cas-user] Customizing messages

2018-04-09 Thread David Curry
Yes, you can override individual messages in messages.properties by putting them in custom_messages.properties with new values. You can also define completely new messages in there as well, and reference them with Thymeleaf in the page templates, using the same syntax as used for the "standard" pr

Re: [cas-user] Re: CAS 5.2.x as IDP using SAML 2.0

2018-04-19 Thread David Curry
Just this week I discovered https://sptest.iamshowcase.com/ that lets you set up a custom SP to talk to your IdP for testing. You download their metadata, save it somewhere on your server (/etc/cas/saml/sp-metadata/iamshowcase.xml or something), upload your CAS IdP metadata to them, create a se

Re: [cas-user] Saml service provider for testing

2018-04-19 Thread David Curry
Try https://sptest.iamshowcase.com/ or http://www.testshib.org/ --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Thu, Apr 19, 2018

Re: [cas-user] CAS IdP integration with service provider that does not provide metadata

2018-04-19 Thread David Curry
Would this little tool help? It's what we used to create the metadata for a couple of the services we have that don't provide metadata. https://www.samltool.com/sp_metadata.php (This is the same service that the CAS documentation points to.) --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORM

Re: [cas-user] Re: CAS 5.2.x as IDP using SAML 2.0

2018-04-20 Thread David Curry
> sptest.iamshowcase.com/instructions after uploading the metadata file > generated locally. > > > <https://lh3.googleusercontent.com/-NVA435Of-Lw/WtmH752aYVI/AB8/PUCeCO-TD3wOq3t4yTDuAKPPm8aroebBACLcBGAs/s1600/Capture.PNG> > > > On Thursday, April 19, 2018 at 6:58

Re: [cas-user] Re: JSON Service Registry cas.serviceRegistry.config.location property setting ineffective after upgrading to CAS version 5.2

2018-04-21 Thread David Curry
This was answered earlier in this thread. You have the wrong property name. It changed between 5.1 and 5.2 to: cas.serviceRegistry.json.location: file:/etc/cas/services If you're moving from one version to another, I strongly recommend carefully reading the "ChangeLog" blog posts that Misagh writ

Re: [cas-user] Re: JSON Service Registry cas.serviceRegistry.config.location property setting ineffective after upgrading to CAS version 5.2

2018-04-21 Thread David Curry
. On Sat, Apr 21, 2018, 13:14 IOTech Co., Ltd wrote: > i has config as below...but it not work, please help me > > > cas.serviceRegistry.location=file:/etc/cas/services > > > > 2018-04-21 20:59 GMT+07:00 David Curry : > >> This was answered earlier in this thread. Yo

Re: [cas-user] Re: CAS 5.2.x as IDP using SAML 2.0

2018-04-23 Thread David Curry
va:292) > at sun.security.validator.Validator.validate(Validator.java:260) > at > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > at > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > at > sun.security.s

Re: [cas-user] CAS Logging {really log4j2 questions}

2018-04-24 Thread David Curry
Thanks, Duncan. I've got a pile of updates to make to the instructions, if I can ever get enough uninterrupted time to actually type them in. :-( I'll add that to the list. For what it's worth, I have our servers configured to send their logs to Graylog as well as the log files, and the TGTs are n

Re: [cas-user] CAS 5.4.2 AD integration

2018-04-30 Thread David Curry
Thanks for the recommendation, Riley (and others who have pointed people at it in the past). For those of you who are (or will be) using it, please know that I haven't forgotten about it. If I get can get "real work" to stop intruding :-), I hope to push a bunch of updates in the next week or thre

Re: [cas-user] error when I run mvnw - the trustAnchors parameter must be non-empty

2018-05-02 Thread David Curry
Hi Jennifer, When you first run "mvnw" it tries to download and install Maven for you. This seems to be a problem with that process; it's failing to download one of the Maven plug-ins. I can think of a couple of reasons for this... one would be that it was just a transient thing with the Maven re

Re: [cas-user] error when I run mvnw - the trustAnchors parameter must be non-empty

2018-05-02 Thread David Curry
all cas...This is very > frustrating...I really appreciate this community > > On Wednesday, May 2, 2018 at 12:49:27 PM UTC-4, David Curry wrote: >> >> Hi Jennifer, >> >> When you first run "mvnw" it tries to download and install Maven for you. >> This seems to

Re: [cas-user] error when I run mvnw - the trustAnchors parameter must be non-empty

2018-05-02 Thread David Curry
00) >> at java.security.cert.PKIXParameters.(PKIXParameters.java:120) >> at java.security.cert.PKIXBuilderParameters.(PKIXBuilderP >> arameters.java:104) >> at sun.security.validator.PKIXValidator.(PKIXValidator.java:89) >> ... 23 more >> It looks l

Re: [cas-user] can't run mvnw clean package - TrustAnchors parameter must be non-empty

2018-05-04 Thread David Curry
Are you running Oracle Java, or OpenJDK? I assume Oracle, because "/usr/java" is not a path used by OpenJDK. If you're running Oracle, did you run the "alternatives" command to set up all the links to point at the right things? (I've never installed the Oracle Java, so I'm not sure this is a requi

Re: [cas-user] can't run mvnw clean package - TrustAnchors parameter must be non-empty

2018-05-04 Thread David Curry
...@newschool.edu [image: The New School] On Fri, May 4, 2018 at 10:43 AM, David Curry wrote: > Are you running Oracle Java, or OpenJDK? I assume Oracle, because > "/usr/java" is not a path used by OpenJDK. > > If you're running Oracle, did you run the "alternatives&qu

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Just a thought, do you still have the "HTTP|IMAP" wildcard service in there? And does it have a lower evaluation order than your service-specific entry? --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 2

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Well, I used the one file per service model with them all in the /etc/cas/services directory. But I believe you can keep them all in one big JSON file if you want. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
For the service definition, you should only have one, which is a SamlRegisteredService. You do not need (or want) a RegexRegisteredService for a SAML service. And as Matthew said, you should also set cas.authn.samlIdp.entityId: ${cas.server.prefix}/idp cas.authn.samlIdp.scope:

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Do you have the dashboard endpoints enabled? Can you go to the "services" endpoint, which dumps the service registry, and see if there's something else in there? Alternatively, I think if you turn on debug mode logging, it will tell you what services are loaded. I'm thinking you might be getting

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
No, it's the "adminpages" stuff: https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html It's enabled solely in the CAS server; you don't need the management webapp. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 7

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
This may be your problem, then? validUntil="2018-05-03T20:29:06Z --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Tue, May 8, 2018

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
I do not see it in the metadata from any of the SPs we have in production here, so my guess would be probably not. But that's just a guess; I don't pretend to be an authority on SAML. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
Just to make sure your terminology is right: - The Service Provider is the service that you, as a user, want to use. For example, here at The New School we have Adobe Creative Cloud, Tableau, Workday, Zoom, etc. as SPs. - The Identity Provider (IdP) is the system that the user authenti

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
Does the vendor require you to configure your IdP (CAS server) to obtain the metadata from them dynamically? Or could you: 1. Use curl to grab a copy of their metadata from https://vendor.com/metadata 2. Edit the metadata yourself and get rid of the "validUntil" attribute 3. Put the ed
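
An added example for the two metadata replies above (the expired validUntil, and the curl / edit / point-CAS-at-the-copy suggestion). This is not CAS or Shibboleth code and not from the thread: a stand-alone check that reads SAML 2.0 SP metadata, reports the entityID and whether validUntil has passed, and can write a copy without the attribute. The metadata document is constructed for the example (the validUntil value is the one quoted earlier in the thread; the hostnames and paths are placeholders), and only a validUntil on the root element is handled.

```python
"""Check (and optionally strip) validUntil on SAML 2.0 SP metadata.

Added example for the cas-user thread; not CAS/Shibboleth project code.
Assumptions: validUntil sits on the root EntityDescriptor/EntitiesDescriptor,
and the document is small enough to load with ElementTree.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when re-serialising

# Constructed sample; the validUntil is the value quoted in the thread.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://sp.example.edu/shibboleth"
    validUntil="2018-05-03T20:29:06Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_valid_until(value):
    """SAML dateTime values are UTC ('Z'); accept with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised validUntil: {value!r}")


def parse_metadata(xml_text):
    """Return the root entityID and validUntil (as an aware datetime or None)."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    return {
        "entityID": root.get("entityID"),
        "validUntil": parse_valid_until(valid_until) if valid_until else None,
    }


def metadata_status(xml_text, now=None):
    """'valid', 'expired' or 'no-validUntil' as of now (default: current UTC).

    now may be an aware datetime or a SAML-style UTC string such as
    '2018-05-08T00:00:00Z'.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_valid_until(now)
    info = parse_metadata(xml_text)
    if info["validUntil"] is None:
        return "no-validUntil"
    return "expired" if info["validUntil"] < now else "valid"


def strip_valid_until(xml_text):
    """Return the metadata without the root validUntil attribute (step 2 above)."""
    root = ET.fromstring(xml_text)
    root.attrib.pop("validUntil", None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    # usage: python check_md.py [metadata.xml [stripped-output.xml]]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = parse_metadata(text)
    print(f"entityID  : {info['entityID']}")
    print(f"validUntil: {info['validUntil']}  ({metadata_status(text)})")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", encoding="utf-8") as out:
            out.write(strip_valid_until(text))
```

One caveat worth keeping in mind if you go the editing route: validUntil is the SP operator's statement of how long that copy of the metadata (and the signing certificate inside it) should be trusted. Removing it makes CAS accept the file indefinitely, so you take over the job of refreshing it when the SP rotates keys; asking the vendor for metadata without a short validUntil, or re-fetching on a schedule, keeps that check in place.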

Re: [cas-user] Favicon.ico file location (when building CAS 5.2.x with Maven)

2018-05-09 Thread David Curry
Unless told otherwise by a tag, browsers expect favicon.ico to be at the document root ("/"). That's WEB-INF/classes/static, so I believe you should put it in src/main/resources/static/favicon.ico. I think. I ended up doing a custom template as well as a custom theme, so I just used a tag in th

Re: [cas-user] Deployment Question from the Excellent Docs at: 'dacurry-tns.github.io'

2018-05-09 Thread David Curry
In my configuration (which is essentially what this guide is describing), I use an external Tomcat, not the embedded one. So, my setup follows the Tomcat hardening guidelines, which recommend deploying exploded directories rather than WAR files. See the section on installing Tomcat (under Setting u

Re: [cas-user] Deployment Question from the Excellent Docs at: 'dacurry-tns.github.io'

2018-05-09 Thread David Curry
> To build a WAR.do we run './build.sh package' at > '/opt/workspace/cas-overlay-template'? > > I don't see the WAR having the configurations we added in > '/opt/workspace/cas-overlay-template/etc' > > Spending many hours in front of the computer

Re: [cas-user] error in catalina.out Address already in use

2018-05-10 Thread David Curry
I _think_ that's caused by a missing or too-low-version library -- either the Tomcat Native Library, or the Apache Portable Runtime, or OpenSSL would be my guess. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 1000

Re: [cas-user] SAML Public Key for Metadata

2018-05-10 Thread David Curry
Assuming you mean for CAS to be your IdP... When you start CAS for the first time with the SAML IdP enabled, it will generate keys and store them in /etc/cas/saml for you. You need to copy them from there back to a safe location so that they get re-deployed whenever you update the server. See, fo

Re: [cas-user] SAML Public Key for Metadata

2018-05-10 Thread David Curry
Sorry, I don't. We don't use ADFS, so have no need for it. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu Sent from my phone; please excuse typos and inan

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
Did you add the LDAP dependency to pom.xml and rebuild the WAR? David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu Sent from my phone; please excuse typos and

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
- so it must > somehow be skipping LDAP altogether. > > > < org.apereo.cas > < cas-server-support-ldap > < ${cas.version} > < > > On Saturday, May 12, 2018 at 4:30:06 PM UTC-7, David Curry wrote: >> >

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
allowMultiplePrincipalAttributeValues=true > > > > # Bind credentials used to connect to the LDAP instance > # > cas.authn.ldap[0].bindDn=uid=foo,ou=edu > cas.authn.ldap[0].bindCredential=snip > > cas.authn.accept.users: > > > On Saturday, May 12, 2018 at 4:43:24 PM UTC-7, Da

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
12, 2018, 22:19 Lionel Samuel wrote: > Thanks David! > > Your guidance helped tremendously --- I had inadvertently commented out > the ' cas.authn.ldap[0].type' line. > > have a great weekend. > > On Saturday, May 12, 2018 at 5:03:25 PM UTC-7, David Curr

Re: [cas-user] cas.authn.ldap[0].poolPassivator=NONE|CLOSE|BIND

2018-05-12 Thread David Curry
See this link. https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#passivators David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu S

Re: [cas-user] 5.2.X Service Registry

2018-05-13 Thread David Curry
There are a whole bunch of options, from JSON/YAML to JPA (multiple databases) to REST-ful web interfaces. Go to the CAS documentation ( https://apereo.github.io/cas/5.2.x/index.html) and then on the right-hand side menu, click on "Services" and then "Storage" to see the whole list. We have been u

Re: [cas-user] cas.properties file

2018-05-14 Thread David Curry
Either one; they are interchangeable. Personally I like colons better, but I'm pretty sure I'm in the minority on that. The official spec is documented in the java.util.Properties documentation , but I find this description

Re: [cas-user] Service Registry -- Getting the 1st Application Entered

2018-05-15 Thread David Curry
Lionel and Jann, Did you ever have the JSON service registry working? If not, I recommend that you take all the JPA stuff out of pom.xml and cas.properties and get that working correctly first, so that you're only trying to debug one thing at a time. Once you have the JSON service registry working

Re: [cas-user] Authentication issues - CAS cannot find authentication handler that supports [UsernamePasswordCredential].

2018-05-15 Thread David Curry
If you're using ldap.type=AD, you should not be using a bind credential. If you want to use a bind credential, you should use ldap.type=AUTHENTICATED. See https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1 for more info on ldap.type. --Dave -
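
An added example covering several of the replies above: the userFilter to searchFilter rename in 5.3.0-RC1, the cas.serviceRegistry.config.location to cas.serviceRegistry.json.location rename in 5.2, the point that ':' and '=' are interchangeable in cas.properties, the handler that was silently skipped when its type line was commented out, and ldap.type=AD not wanting a bind credential. It is not CAS project code and not from the thread: a stand-alone lint pass over a cas.properties file. The sample properties are constructed, and the rename table only carries the renames mentioned in these messages, so extend it from the ChangeLog posts for your own upgrade path.

```python
"""Lint a cas.properties file for the mistakes discussed in the thread.

Added example; not CAS project code.  Assumptions: the file is in
java.util.Properties syntax (not cas.yml), without line continuations or
\\uXXXX escapes in keys.
"""
import re

# (pattern on the old key, replacement key, why) -- extend per ChangeLog post.
RENAMED = [
    (re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.userFilter$"),
     r"cas.authn.ldap[\1].searchFilter", "renamed in 5.3.0-RC1"),
    (re.compile(r"^cas\.serviceRegistry\.config\.location$"),
     "cas.serviceRegistry.json.location", "renamed in 5.2"),
    (re.compile(r"^cas\.serviceRegistry\.location$"),
     "cas.serviceRegistry.json.location", "not a JSON service registry key"),
]

# Constructed sample; every mistake below is one the thread ran into.
SAMPLE = """\
# constructed sample cas.properties, not a real deployment
cas.server.name: https://cas.example.edu
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://ad.example.edu
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=CN=svc-cas,OU=Service,DC=example,DC=edu
cas.authn.ldap[0].bindCredential=secret
cas.serviceRegistry.config.location=file:/etc/cas/services
cas.authn.ldap[1].ldapUrl=ldap://ldap.example.edu
cas.authn.accept.users:
"""


def parse_properties(text):
    """Parse java.util.Properties-style text into a dict.

    Accepts 'key=value', 'key: value' and 'key value'; skips blank lines and
    '#' / '!' comments.  The first '=' or ':' ends the key, so values such as
    a bind DN containing '=' survive intact.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint(props):
    """Return [(severity, message)] findings, in file order."""
    findings = []
    for key in props:
        for pattern, new_key, why in RENAMED:
            if pattern.match(key):
                findings.append(("error", f"{key}: {why}; use {pattern.sub(new_key, key)}"))

    handlers = set()
    for key in props:
        m = re.match(r"^cas\.authn\.ldap\[(\d+)\]\.", key)
        if m:
            handlers.add(m.group(1))
    for n in sorted(handlers, key=int):
        p = f"cas.authn.ldap[{n}]"
        ltype = props.get(f"{p}.type", "").upper()
        if not ltype:
            # The thread saw CAS skip the handler entirely when .type was commented out.
            findings.append(("error", f"{p}.type is missing; the handler is skipped"))
        elif ltype == "AD" and props.get(f"{p}.bindDn"):
            findings.append(("warn", f"{p}.type=AD binds as the user itself; "
                                     f"with {p}.bindDn set you probably want type=AUTHENTICATED"))
    return findings


if __name__ == "__main__":
    import sys
    # usage: python lint_cas_properties.py [/etc/cas/config/cas.properties]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for severity, message in lint(parse_properties(text)):
        print(f"{severity.upper():5} {message}")
```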

Re: [cas-user] New Error -- I broke it LOL

2018-05-15 Thread David Curry
Looks like the CAS webapp isn't starting. catalina.out should tell you what happened? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Tue,

Re: [cas-user] Error - Service Registry json

2018-05-15 Thread David Curry
If you're using the JSON service registry, services are supposed to be defined one service per file, with all the files stored in a directory. And there is a naming convention for the files: JSON fileName = serviceName + "-" + serviceNumericId + ".json" See https://apereo.github.io/cas/development

Re: [cas-user] New Error -- I broke it LOL

2018-05-15 Thread David Curry
icationException: [LDAP: error code 49 - > 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, > data 52e, v2580], controls=null]]> > 2018-05-15 13:27:45,877 ERROR [org.apereo.cas.authentication. > PolicyBasedAuthenticationManager] - Credentials may be incorrect

Re: [cas-user] cas admin pages from every IP?

2018-05-15 Thread David Curry
You need to set cas.adminPagesSecurity.ip to a regular expression that matches the IPs you want to let in. To allow all of 10.28.51 in, you'd have something like this: cas.adminPagesSecurity.ip: ^10\\.28\\.51\\.[0-9]{1,3}$ I have something like this: cas.adminPagesSecurity.ip: ^19
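
An added example for the cas.adminPagesSecurity.ip reply above; not CAS project code and not from the thread. It shows what the regex in the properties file becomes after java.util.Properties escape processing (the reason the backslashes are doubled) and checks candidate patterns against sample addresses, so a deployer can spot an over-broad or under-anchored pattern before exposing /status. Assumptions: the value is loaded from a .properties file (cas.yml does not apply these escapes) and is compared against the whole client address; the anchors make the outcome the same if the matcher uses find() semantics instead. The sample addresses and the "tight" pattern are my own, not from the thread.

```python
"""Show what a cas.adminPagesSecurity.ip value really matches.

Added example; not CAS project code.  Assumes the value is read from a
.properties file and applied as a full-string match.
"""
import re

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def properties_unescape(value):
    """Apply java.util.Properties escape rules to a raw value.

    \\t \\n \\r \\f and \\uXXXX are translated; for any other character the
    backslash is dropped and the character kept.  So '\\\\' -> '\\', and,
    the pitfall, a single '\\.' -> '.', which in a regex matches anything.
    """
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt == "u" and i + 5 < len(value):
                out.append(chr(int(value[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def ip_allowed(properties_value, ip, full_match=True):
    """Would this raw properties value admit this client address?"""
    regex = properties_unescape(properties_value)
    matcher = re.fullmatch if full_match else re.search
    return matcher(regex, ip) is not None


# Raw values exactly as they would sit after 'cas.adminPagesSecurity.ip:'
AS_POSTED = r"^10\\.28\\.51\\.[0-9]{1,3}$"       # doubled backslashes, anchored
SINGLE_BACKSLASH = r"^10\.28\.51\.[0-9]{1,3}$"   # each '\.' collapses to '.'
UNANCHORED = r"10\\.28\\.51\\.[0-9]{1,3}"        # fine only under full-match semantics
TIGHT = r"^10\\.28\\.51\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$"  # real octet

# Constructed sample addresses: in-range, edge, out-of-range, and look-alikes.
SAMPLE_IPS = ["10.28.51.7", "10.28.51.255", "10.28.51.999",
              "110.28.51.7", "10.28.510", "10x28x51x7"]

if __name__ == "__main__":
    for label, raw, full in [("as posted", AS_POSTED, True),
                             ("single backslash", SINGLE_BACKSLASH, True),
                             ("unanchored + find()", UNANCHORED, False),
                             ("tight", TIGHT, True)]:
        print(f"{label:20} -> {properties_unescape(raw)}")
        for ip in SAMPLE_IPS:
            print(f"    {ip:14} {'allow' if ip_allowed(raw, ip, full) else 'deny'}")
```

The "as posted" pattern is correct for its purpose; the table just makes two things visible: `[0-9]{1,3}` accepts 999 (harmless for an address that can never arrive, but an octet alternation costs nothing), and writing the backslashes singly turns every `\.` into a bare `.`, which is the kind of silent over-match that only shows up when someone from the wrong network reaches the dashboard.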

Re: [cas-user] User Attributes for SAML 2.0

2018-05-15 Thread David Curry
The same way you do for CAS services, pretty much. Just list what you want to return. If you need the uri naming, you can use the "return mapped attributes" feature; there's an example of that in my doc. Although that may or may not be necessary depending on the SP. CAS 5.3 has some improved funct

Re: [cas-user] Re: Error - Service Registry json

2018-05-16 Thread David Curry
Yes, but the rest of the name has to match the service name, as well. Again, JSON fileName = serviceName + "-" + serviceNumericId + ".json" so based on your first post in this thread, you should have two files: The first file, called HTTPSIMAPSwildcard-20170905111650.json, contains { "
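
An added example for the JSON service registry replies above (one service per file named serviceName-serviceNumericId.json) and for the earlier question about the HTTP|IMAP wildcard service and its evaluationOrder. It is not CAS project code and not from the thread: a stand-alone checker that loads a directory of service JSON files, reports file names that do not follow the convention, duplicate numeric ids, and which definition CAS would pick for a given service URL or SAML entityID. Assumptions: the expected file name is built by dropping everything but letters and digits from the name (the HTTPSIMAPSwildcard-... example above suggests that; adjust if your CAS version keeps spaces), serviceId is applied as a regex with find() semantics, and lower evaluationOrder wins. The three definitions below are constructed for the example.

```python
"""Sanity-check a JSON service registry directory.

Added example; not CAS project code.  Assumes CAS builds the file name as
<letters-and-digits of name>-<id>.json, matches serviceId as a regex with
find() semantics, and evaluates lower evaluationOrder first.
"""
import json
import os
import re

# Constructed sample registry: a wildcard, a SAML SP, and a mis-named file.
SAMPLE_FILES = {
    "HTTPSandIMAPS-10000001.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https|imaps)://.*",
        "name": "HTTPS and IMAPS",
        "id": 10000001,
        "evaluationOrder": 10000,
    }),
    "ApacheSecuredBySAML-1509030300.json": json.dumps({
        "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
        "serviceId": "https://sp.example.edu/shibboleth",
        "name": "Apache Secured By SAML",
        "id": 1509030300,
        "evaluationOrder": 1,
        "metadataLocation": "/etc/cas/saml/sp-metadata/sp.example.edu.xml",
    }),
    "dashboard.json": json.dumps({          # deliberately breaks the convention
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://cas.example.edu/cas/status/.*",
        "name": "CAS dashboard and administrative endpoints",
        "id": 12,
        "evaluationOrder": 1001,
    }),
}


def load_services(files):
    """files: {file name: JSON text} -> list of service dicts (plus '_file')."""
    services = []
    for fname, text in files.items():
        svc = json.loads(text)
        svc["_file"] = fname
        services.append(svc)
    return services


def load_directory(path):
    """Read every *.json under path (e.g. /etc/cas/services) into the dict form."""
    files = {}
    for fname in sorted(os.listdir(path)):
        if fname.endswith(".json"):
            with open(os.path.join(path, fname), encoding="utf-8") as fh:
                files[fname] = fh.read()
    return files


def expected_file_name(svc):
    """serviceName + '-' + serviceNumericId + '.json', name reduced to [A-Za-z0-9]."""
    return re.sub(r"[^A-Za-z0-9]", "", svc["name"]) + "-" + str(svc["id"]) + ".json"


def misnamed(services):
    return [(s["_file"], expected_file_name(s))
            for s in services if s["_file"] != expected_file_name(s)]


def duplicate_ids(services):
    """Two files sharing an id collide in the registry; report (id, first, second)."""
    seen, dups = {}, []
    for s in services:
        if s["id"] in seen:
            dups.append((s["id"], seen[s["id"]], s["_file"]))
        seen.setdefault(s["id"], s["_file"])
    return dups


def resolve(services, service_url):
    """All definitions whose serviceId matches, lowest evaluationOrder first."""
    hits = [s for s in services if re.search(s["serviceId"], service_url)]
    return sorted(hits, key=lambda s: s.get("evaluationOrder", 0))


if __name__ == "__main__":
    import sys
    # usage: python check_registry.py [/etc/cas/services]
    files = load_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    services = load_services(files)
    for actual, wanted in misnamed(services):
        print(f"rename {actual} -> {wanted}")
    for sid, first, second in duplicate_ids(services):
        print(f"duplicate id {sid}: {first} and {second}")
    for url in ["https://sp.example.edu/shibboleth",
                "https://cas.example.edu/cas/status/dashboard"]:
        chain = [f"{s['name']} (order {s.get('evaluationOrder', 0)})" for s in resolve(services, url)]
        print(f"{url}: {' > '.join(chain) or 'no match'}")
```

Running `resolve` with the wildcard's evaluationOrder lowered below the SAML SP's reproduces the situation raised earlier in the "Working on Setting Up SAML 2.0" thread: both definitions match the entityID, and the wildcard wins, so the request is handled as a plain CAS service rather than a SAML one.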

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread David Curry
Here's a JSON definition for an Apache HTTPD with the Shibboleth mod_shib/shibd plug-in: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth", "name" : "Apache Secured By SAML", "id" : 1509030300, "desc

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread David Curry
I'm not sure I understand the question. If you mean could you copy the example I provided directly into a jdbc/jpa service registry, then I have to say I don't know, because I don't know how the information is stored in the database. The first example I gave (the Apache one) is a json file from a

Re: [cas-user] cas-management question

2018-05-17 Thread David Curry
etc/cas/config/management.properties --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Thu, May 17, 2018 at 3:18 PM, Jennifer LaVoie

Re: [cas-user] Re: cas-management question

2018-05-17 Thread David Curry
You have "server.name" instead of "cas.server.name" (oops) -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Thu, May 17, 2018 at 3:23 PM,

Re: [cas-user] cas-management question

2018-05-17 Thread David Curry
Not sure if you copy-n-pasted this: https://cashost/cas/login?service=https%3A%2F%2Fcashost%3A8443%2Fcas-management%2Fmanage.html or typed it by hand, but I see both "cashost" and "cashost:8443". Normally they'd both be the same (since Tomcat is usually only listening on the one port). --Dave

Re: [cas-user] Re: cas-management question

2018-05-17 Thread David Curry
Haven't seen that one, that I can recall. Is that a CAS error (shows in a CAS-branded web page) or a Tomcat error? Do the logs (cas.log and/or catalina.out) say anything helpful? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YO

Re: [cas-user] Re: cas-management question

2018-05-17 Thread David Curry
Sorry, not cas.log cas-management.log. If still nothing, try setting cas.log.level to debug in log4j2-management.xml. -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@news

Re: [cas-user] log in error question

2018-05-18 Thread David Curry
There is. You can enable LDAP Password Policy Enforcement (LPPE): https://apereo.github.io/cas/development/installation/Password-Policy-Enforcement.html This is separate from Password Management (further down the page). All I had to do was add cas.authn.ldap[0].passwordPolicy.enabled: true ca

Re: [cas-user] Commiting to GIT (my CAS Overlay)

2018-05-18 Thread David Curry
Personally, I made branches for our Dev, Test, and Prod deployments, and pushed the whole thing to our gitlab. Adding features in Dev and moving them through Test and Prod then just becomes an exercise in merging. --Dave David A. Curry, CISSP Director of Information Security The New School - In

Re: [cas-user] Failed to get nested archive for entry /WEB-INF/lib/getopt-1.0.13.jar

2018-05-21 Thread David Curry
CAS 5 requires Tomcat 8 or better. That may not be the cause (or only cause) of your problem, but I would start there. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@ne

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Someone smarter than me may need to weigh in on this... but I'll try. As I understand it, SAML SPs will accept two forms of attribute names. One form is that "urn" notation that Shibboleth seems to like: The other form is the "friendly name," which is basically just a string, like "cn" or

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Can you attach the relevant section of cas.properties (the part where you define which attributes you're going to resolve) and the service definition for the SAML SP? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Based on the SELECT, I think these definitions are flipped: cas.authn.attributeRepository.jdbc[0].attributes.uid=id cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email cas.authn.attributeRepository.jdbc[0].attrib

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Could be, but as I don't use the jdbc stuff, I can't help you with that. The {0} gets replaced with some dynamic value generated by the Java code. My guess would be it's some condition like column=value, but that's pretty much a guess. I would suggest if you haven't yet to set the CAS log level to debu

Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
I'm pretty sure that if you enable debug-level logging on org.apereo.services.persondir in */etc/cas/config/log4j2.xml*, you'll see the SQL query in *cas.log*. You can do that most easily by changing this line near the top of the file: warn to: debug You shouldn't even need to restart the serve

Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
So, you have cas.authn.attributeRepository.jdbc[0].username=email in *cas.properties*? I didn't see it in the ones you copied/pasted earlier. Dumb question, but if you connect to the database using the same user and password that you have CAS configured to use, and you run SELECT * FROM app_us

Re: [cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

2018-05-22 Thread David Curry
Check the Tomcat log file (catalina.out) for errors. You should see it starting up the CAS service, etc. Also check the CAS log file. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~

Re: [cas-user] CAS Login Page Customization

2018-05-23 Thread David Curry
These two threads are somewhat helpful: https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/themes/cas-user/k-yfoou7Zy0/BXry1PxgFAAJ https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/template/cas-user/3eaKVAMhFYE/uuj7eEpCAwAJ Assuming you're making new templates, most

Re: [cas-user] CAS Login Page Customization

2018-05-23 Thread David Curry
ry-tns.github.io/deploying-apereo-cas/ui_overview.html > to come to live :) > > - Andy > > On Wednesday, 23 May 2018 20:01:29 UTC+8, David Curry wrote: >> >> These two threads are somewhat helpful: >> >> >> https://groups.google.com/a/apereo.org/forum/#

Re: [cas-user] SLO and SSO using Mod_auth_cas

2018-05-24 Thread David Curry
What do you mean when you say you are "using mod_auth_cas for reverse proxy to my cas server"? Mod_auth_cas is not a (reverse) proxy. It's simply a way to control access to content on an Apache web server using CAS authentication. Think of it as an alternative to HTTP Basic Authentication. It seems

Re: [cas-user] Re: CAS5.3.x - Health & Version monitor Page

2018-05-24 Thread David Curry
https://apereo.github.io/cas/development/installation/Monitoring-Statistics.html You do not need the CAS Management Overlay to enable the above; it's accomplished with just some settings in cas.properties and creating the user file and a service registry entry. If you'd like step-by-step instruct

Re: [cas-user] SLO and SSO using Mod_auth_cas

2018-05-24 Thread David Curry
id.cu...@newschool.edu [image: The New School] On Thu, May 24, 2018 at 9:45 AM Ramakrishna G wrote: > Hey David, > > Firstly thanks for your response and clarifying few things. My query to > you now is > > Does logoutUrl property support SLO? If so, which all cookie should I b

Re: [cas-user] How to route new page

2018-05-24 Thread David Curry
How strongly do you feel about having "https://server/cas/timeout" as opposed to "https://server/cas/timeout.html"? If you're fine with the latter, you should just be able to drop "timeout.html" into the same place where all the other casWhateverView.html pages are and redirect to "/timeout.html

Re: [cas-user] How to route new page

2018-05-24 Thread David Curry
t, I'm upgrading an old version of > cas so I may be using an outdated method. I do window.location = > myRedirect; in a script in the loginform.html fragment. Where myRedirect is > "/cas/timedOut.html". It just goes to https://server/cas/timedOut.html. > > Thank you for your

Re: [cas-user] User Attributes for SAML 2.0

2018-05-28 Thread David Curry
You should probably start by reading the CAS SAML documentation: https://apereo.github.io/cas/development/installation/Configuring-SAML2-Authentication.html And then you can look at, for example, the instructions here: https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html

Re: [cas-user] Re: CAS documentation for a new user is terrible

2018-08-05 Thread David Curry
I'm sure the development team would gladly accept any documentation you'd care to contribute and maintain. In the meantime, perhaps this may be helpful to you: https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html David A. Curry, CISSP Director of Information Security Th

Re: [cas-user] CAS 3.2.11 Metadata URL/XML

2018-08-15 Thread David Curry
CAS 3.x does not have native support for SAML2. To enable SAML-based services to authenticate against a CAS 3.x server, you'd have to install the Shibboleth IdP and the shib-cas-authn3 plugin. But honestly, upgrading to CAS 5 would be a much better answ

Re: [cas-user] CAS 5.2.3- Enable CAS SAML IDP

2018-08-15 Thread David Curry
That is not the right dependency. You need cas-server-support-saml-idp. For step-by-step see https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_overview.html David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th F

Re: [cas-user] CAS 5.x default ticket expiration times

2018-08-20 Thread David Curry
I think these are what you want (first is the explanation, second shows the values): https://apereo.github.io/cas/development/installation/Configuring-Ticket-Expiration-Policy.html https://apereo.github.io/cas/development/installation/Configuration-Properties.html#tgt-expiration-policy -- DAVID

Re: [cas-user] Error in CAS Management(5.2) app after authentication with the CAS Server (5.3.2)

2018-08-24 Thread David Curry
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found Your SSL certificate(s) is/are not set up correctly. -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE.,

Re: [cas-user] MS Edge/IE issues with SAML2 + Duo

2018-09-05 Thread David Curry
allenge, is shorter and > the request goes through without a hitch. > > The issue doesn't appear to affect users who don't have MFA enable for > this service or users that are required to use MFA when they use another > browser. > > > > On Thursday, June 28, 2
