Re: [cas-user] CAS 6.4 OIDC JWKS missing key fields?

2023-03-17 Thread Carl Waldbieser
Yan,

No, our jwks doesn't have that property.  But since that is just the
algorithm (see
https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-set-properties),
you could probably manually specify the algorithm being used in the key by
adding it directly to the JSON.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Fri, Mar 17, 2023 at 12:04 PM Yan Zhou  wrote:

> Does your JWKS have "alg" field?  it does not seem to have that option.
>
> This is what JWKS looks like in general, they do have "alg" field. I do
> not know how to get CAS JWKS to include it.
>
> Yan
>
> On Tuesday, March 7, 2023 at 10:29:12 AM UTC-5 waldbiec wrote:
>
>> I noticed my JWKS was missing a kid and causing weird results in one of
>> the OIDC libraries I use for testing.
>> I just added the kid to my key in the "keystore.jwks" manually.  I just
>> generated a uuid4, but you can use any ID unique to your keystore from what
>> I understand.
>> The kid then appears on the endpoint.
>>
>> Thanks,
>> Carl Waldbieser
>> ITS
>> Lafayette College
>>
>> On Tue, Mar 7, 2023 at 12:13 AM Yan Zhou  wrote:
>>
>>> Hi,
>>>
>>> CAS 6.4  OIDC JWKS endpoint looks like this.  Our vendor has problem
>>> with its missing fields such as  alg, kid, and use.
>>>
>>> Anyone knows how to show these fields in JWKS?  They showed us what Okta
>>> and Google OIDC provider presents, yes, they do have these fields.
>>>
>>> This probably affects OIDC JWT access token header attributes as well.
>>>
>>> Thanks,
>>> Yan
>>>
>>> {
>>>   "keys": [
>>>     {
>>>       "kty": "RSA",
>>>       "n": "pwNNGZn0..RW18eq6Asiw",
>>>       "e": "AQAB"
>>>     }
>>>   ]
>>> }
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/a816b9c5-662f-4a75-b87e-414f350df5d3n%40apereo.org
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/a816b9c5-662f-4a75-b87e-414f350df5d3n%40apereo.org?utm_medium=email_source=footer>
>>> .
>>>
>>



Re: [cas-user] Duo Universal Prompt behind proxy

2023-03-09 Thread Carl Waldbieser
Richard,

Do you have `cas.server.name` set?
https://apereo.github.io/cas/6.6.x/configuration/Configuration-Management.html
I have CAS 6.6.6 running behind an AWS ALB and I don't seem to have any
issues with the Duo Universal prompt.  We haven't rolled out Universal
Prompt to production yet, though, so I'd be interested in what the
particular symptoms are.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Wed, Mar 8, 2023 at 2:57 PM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> On CAS 6.6.6 and using the Duo Universal Prompt, it is exposing my
> internal hostname, rather than the load balancer. It's not clear to me
> why this is happening. It is also not clear to me what the correct
> configuration options are for a load balanced CAS with respect to
> hostname / proxy configuration. Any suggestions?
>
> Thanks,
>
> Richard
>
>



Re: [cas-user] CAS 6.4 OIDC JWKS missing key fields?

2023-03-07 Thread Carl Waldbieser
I noticed my JWKS was missing a kid and causing weird results in one of the
OIDC libraries I use for testing.
I just added the kid to my key in the "keystore.jwks" manually.  I just
generated a uuid4, but you can use any ID unique to your keystore from what
I understand.
The kid then appears on the endpoint.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Tue, Mar 7, 2023 at 12:13 AM Yan Zhou  wrote:

> Hi,
>
> CAS 6.4  OIDC JWKS endpoint looks like this.  Our vendor has problem with
> its missing fields such as  alg, kid, and use.
>
> Anyone knows how to show these fields in JWKS?  They showed us what Okta
> and Google OIDC provider presents, yes, they do have these fields.
>
> This probably affects OIDC JWT access token header attributes as well.
>
> Thanks,
> Yan
>
> {
>   "keys": [
>     {
>       "kty": "RSA",
>       "n": "pwNNGZn0..RW18eq6Asiw",
>       "e": "AQAB"
>     }
>   ]
> }
>
>

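Both replies in this thread (adding a `kid` to the key in keystore.jwks, and adding `alg` the same way) come down to editing the JWK by hand. The script below is an added example, not CAS code and not what anyone in the thread ran: it reads a keystore in the `{"keys": [...]}` layout the JWKS endpoint shows and fills in the optional `kid`, `use` and `alg` members where they are missing. The `kid` is derived with the RFC 7638 JWK thumbprint (SHA-256 over the canonical JSON of the required members), so it is deterministic and a re-run never renames a key that already has one; a uuid4 as used in the thread is equally valid as long as it is unique within the keystore. The `alg` default of RS256 and the modulus are assumptions: the modulus is a constructed placeholder (the real one is elided in the thread), and `alg` must be whatever the server actually signs with, since a JWKS that advertises the wrong algorithm is worse than one that omits it.

```python
"""Fill in kid/use/alg on the keys of a CAS-style keystore.jwks document.

Added example for the cas-user thread, not CAS code.  The keystore layout
matches the JWKS shown in the thread; the sample modulus below is constructed.
"""
import base64
import hashlib
import json
from typing import Optional

# RFC 7638 section 3.2: required members per key type, in lexicographic order.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required members."""
    kty = jwk["kty"]
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    canonical = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}  # KeyError => malformed key
    # No whitespace, members in lexicographic order, UTF-8: exactly what the RFC mandates.
    encoded = json.dumps(canonical, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def annotate_key(jwk: dict, alg: str = "RS256", use: str = "sig") -> dict:
    """Return a copy of jwk with kid/use/alg added only where absent.

    Existing values are kept on purpose: renaming a kid in a live keystore
    breaks every relying party that cached the old JWKS.
    """
    out = dict(jwk)
    if "kid" not in out:
        out["kid"] = jwk_thumbprint(jwk)
    out.setdefault("use", use)
    out.setdefault("alg", alg)  # assumption: the server signs with RS256
    return out


def annotate_keystore(keystore: dict, alg: str = "RS256") -> dict:
    return {"keys": [annotate_key(k, alg=alg) for k in keystore["keys"]]}


def find_key(jwks: dict, kid: str) -> Optional[dict]:
    """What a relying party does with the 'kid' in the header of a token it receives."""
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)


# Constructed stand-in for the thread's keystore.jwks; the modulus is not a real key.
SAMPLE_KEYSTORE = {
    "keys": [
        {"kty": "RSA", "n": b64url(b"\x01" * 256), "e": "AQAB"},
    ]
}

if __name__ == "__main__":
    print(json.dumps(annotate_keystore(SAMPLE_KEYSTORE), indent=2))
```

Run it against a copy of keystore.jwks, diff the output against the original, and only then swap the file in; the `kid` a client sees at the JWKS endpoint has to equal the `kid` in the JWS header of the tokens, so the keystore is the only place to change it.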


Re: [cas-user] ideas for persistence login session

2022-07-27 Thread Carl Waldbieser
The ST generally should have a lifetime measured in seconds.  Since it is
single use, it doesn't really make sense to issue one, have a client hold
on to it for an hour, and finally use it.  The lifetime should generally
reflect the anticipated network time for the client to receive the ST and
validate it.

For the TGT, you can set that however long makes sense for your SSO
sessions.  2 hours works for my organization.  You may need a longer time
measured in days or weeks, I guess, but it seems like users should be using
something like a password manager if they can't log in at least once a
day?  It really depends on the policies in your organization.

Thanks,
Carl Waldbieser


On Wed, Jul 27, 2022 at 3:16 PM Pablo Vidaurri  wrote:

> Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is
> requesting to enable certain parts of their site (protected) to include a
> longer ST (for weeks) while maintaining a 2hr session for other secured
> parts like "Account/Profile".
>
> I understand the application needs to change, but is there anything on the
> CAS side that I can do to help in this effort?
>
> Would JWT help? When a user successfully logs in, issue a JWT good for 4
> weeks with user's credentials. Now lets assume the TGT/ST are no longer
> valid and the user is trying to access part of the site where not logging
> is not required for days (protected area). The JWT would then be used to
> auto login the user. Achievable or pure abuse?
>
> Also considered increasing the TGT TTL for weeks and  creating separate
> services to define an
> AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of
> 2hrs/8hrs, etc but this this means certain parts of the site need to be
> under specific URL patterns.
>
> Any suggestions?
>
> -psv
>
>



Re: [cas-user] CAS LDAP authentication with OpenLDAP aliases?

2022-05-19 Thread Carl Waldbieser
Ray,

No-- I don't want person "A" to be able to authenticate on behalf of person
"B".

Currently, our users log on with a system assigned username.  I'd like them
to also be able to claim their own username alias and be able to log on
with that.  So for example, user "smithe" could have an alias "catlover86"
and use that as their username.

OpenLDAP has a concept of alias entries for its DIT that can refer to other
entries.  Potentially, I could use this, but there are some caveats:


   1. The LDAP client has to explicitly dereference aliases.
   2. When an entry is being dereferenced, it won't be returned in a search
   if you are searching for attributes on the alias itself.  This is because
   the filter matches the attributes on the dereferenced entry.

The 2nd rule is very counter-intuitive in my opinion.  It took me a while
to wrap my head around what was going on.  But you can set the LDAP base DN
to the alias during a SEARCH operation, and the dereferenced target will be
returned assuming you have a filter that matches the target.

Typically, our 2 step BIND in CAS looks like this:


   1. SEARCH the LDAP DIT for an entry with an attribute (let's say "uid")
   that matches the username provided.  This search is done while BINDed as a
   DN with elevated search privs.
   2. Once a matching entry is found, BIND to it using the password
   provided.

CAS lets me set up a search filter like "(uid={user})" where it will do the
substitution for "user", so this works fine.

To use aliases, I'd want to do something like:


   1. SEARCH the LDAP DIT for an entry with a base DN of
   "uid={user},ou=aliases,o=myorg".  Again, the search would be done while
   BINDed as a DN with elevated search privs.
   2. Once a matching *dereferenced* entry is found, BIND to it using the
   password provided.

The configuration I'm not sure about is that CAS would need to be able to
substitute {user} into the base DN for the search, making sure to escape it
properly.  Also, the SEARCH would need to indicate that alias entries
should be dereferenced.

I'm not sure if CAS supports this without getting into some magical Java
bean territory.

Thanks,
Carl Waldbieser


On Wed, May 18, 2022 at 7:09 PM Ray Bon  wrote:

> Carl,
>
> Are you referring to surrogate authentication?
>
> https://apereo.github.io/cas/6.4.x/authentication/Surrogate-Authentication.html
>
> Ray
>
> On Wed, 2022-05-18 at 16:23 -0400, Carl Waldbieser wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> If I have an entry and an alias in an OpenLDAP DIT such that searching on
> "alias" dereferences "entry", is it possible to configure CAS to perform a
> 2 stage BIND in this way?
>
> I.e.
>
>
>1. User enters "alias" and password at the CAS login form.
>2. CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg"
>and a filter like "(objectClass=*)".
>3. The actual entry dereferenced has DN
>"uid=entry,ou=somedepartment,o=myorg".
>4. CAS attempts a BIND against this DN with the provided password.
>
>
> It's not obvious from the documentation how one might configure that, or
> even if it is possible.
>
> Thanks,
> Carl Waldbieser
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
> peoples whose historical relationships with the land continue to this day.
>

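The open question in the reply above is how CAS would substitute `{user}` into the base DN "uid={user},ou=aliases,o=myorg" safely. The following is an added example, not CAS or ldaptive code, showing the two escapings involved and the search parameters for step 1 of the two-step bind. A value that is safe inside a search filter (RFC 4515 hex escapes) is not automatically safe inside a DN (RFC 4514 backslash escapes), and the thread's existing "(uid={user})" filter only needs the first kind. The directory calls themselves are left out; the parameter names in `alias_search` follow ldap3's vocabulary and the `DerefAliases` remark about ldaptive is an assumption to check against your version. The allowed-alias pattern is a local policy choice, also an assumption.

```python
"""Escaping for the alias-dereferencing search described in the thread.

Added example, not CAS or ldaptive code.  DN layout "uid={user},ou=aliases,o=myorg"
is the one from the thread; the username pattern is an assumed local policy.
"""
import re

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                  # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


# RFC 4515 section 3: characters with meaning inside a filter, escaped as \XX hex.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """For the thread's existing "(uid={user})" style lookup."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Assumed local policy: an alias is an identifier, not free text.  Rejecting anything
# else up front is cheaper than debugging why a correctly escaped DN failed to dereference.
_ALIAS_RE = re.compile(r"[a-z][a-z0-9._-]{2,31}")


def alias_base_dn(user: str) -> str:
    if not _ALIAS_RE.fullmatch(user):
        raise ValueError("alias does not match the allowed username pattern")
    return f"uid={escape_dn_value(user)},ou=aliases,o=myorg"


def alias_search(user: str) -> dict:
    """Parameters for step 1 of the two-step bind: base = the alias entry itself,
    base-object scope, aliases dereferenced so the target entry is what comes back.
    Step 2 is a BIND as the DN of the returned entry with the user's password."""
    return {
        "search_base": alias_base_dn(user),
        "search_filter": "(objectClass=*)",
        "search_scope": "BASE",
        # ldap3: dereference_aliases=DEREF_ALWAYS; ldaptive: SearchRequest derefAliases
        # ALWAYS (assumption about the ldaptive option name).
        "dereference_aliases": "ALWAYS",
        "attributes": ["1.1"],   # no attributes wanted, only the dereferenced DN
    }


if __name__ == "__main__":
    print(alias_search("catlover86"))
    print(escape_dn_value("smith,e+jr"))                 # uid=smith\,e\+jr
    print("(uid=%s)" % escape_filter_value("*)(uid=*"))  # injection attempt neutralised
```

Note that the search in step 1 must run as the privileged search DN, never as the user, and that the dereferenced DN, not the alias DN, is what the password BIND in step 2 goes against.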


[cas-user] CAS LDAP authentication with OpenLDAP aliases?

2022-05-18 Thread Carl Waldbieser
If I have an entry and an alias in an OpenLDAP DIT such that searching on
"alias" dereferences "entry", is it possible to configure CAS to perform a
2 stage BIND in this way?

I.e.


   1. User enters "alias" and password at the CAS login form.
   2. CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg"
   and a filter like "(objectClass=*)".
   3. The actual entry dereferenced has DN
   "uid=entry,ou=somedepartment,o=myorg".
   4. CAS attempts a BIND against this DN with the provided password.


It's not obvious from the documentation how one might configure that, or
even if it is possible.

Thanks,
Carl Waldbieser



Re: [cas-user] Prevent users bookmarking and sharing URLs containing CAS ticket

2022-03-04 Thread Carl Waldbieser
The lifetime of a service ticket is usually set pretty short-- 15 or 20
seconds max.  Alice needs to leak her ST within that timeframe for it to be
valid, or else Bob should get an invalid ticket error at the client.

You may want to examine the ST lifetime and shorten it.

Thanks,
Carl Waldbieser


On Fri, Mar 4, 2022, 6:36 AM Rob Pumphrey  wrote:

> Hi,
> We have had a user complain about the behaviour of an application
> protected by CAS single sign on.
>
> The user Alice has logged into the application via the CAS login page,
> then pressed back on their browser and bookmarked the URL with
> https://example.com/?ticket=ST-344-adfafff..
> Alice has then shared that URL with another person, Bob.
> Bob navigates to the link supplied by Alice and is now logged into the
> application as Alice. This is a surprise to Alice and Bob.
>
> Is there any way to help prevent users bookmarking URLs containing the
> ticket?
> Is there any way to prevent Bob logging in as Alice with the URL with
> Alice's ticket?
>
> We currently are thinking that we have to educate users not to bookmark
> the URLs that have the ticket parameter, but that seems a bit weak.
>
> Any suggestions or insight would be welcome.
> Thanks in advance.
> Rob
>

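The two replies that lean on ticket lifetimes, the ST and TGT advice in the 2022-07-27 "ideas for persistence login session" thread and the bookmarked-ticket thread just above, both rest on the same three rules: a service ticket is bound to one service, lives for seconds, and is consumed by its first validation, while the ticket-granting ticket is the SSO session that outlives many STs. The model below is an added example, not CAS server code, that implements those rules so the bookmark scenario can be replayed offline. Ticket formats, the lifetimes (ST 10 s, TGT 2 h, in line with the thread) and the injected clock are constructed for illustration; in this model a failed validation also consumes the ticket, which is a design choice of the example.

```python
"""Model of CAS service-ticket and TGT rules, for replaying the bookmark scenario.

Added example, not CAS server code.  Lifetimes and ticket formats are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ST_TTL_SECONDS = 10          # roughly the client's round trip to /serviceValidate
TGT_TTL_SECONDS = 2 * 3600   # SSO session length; a policy decision


@dataclass
class ServiceTicket:
    tgt_id: str
    service: str
    issued_at: float
    used: bool = False


@dataclass
class TicketGrantingTicket:
    principal: str
    issued_at: float


class ValidationError(Exception):
    pass


class TicketRegistry:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.tgts: Dict[str, TicketGrantingTicket] = {}
        self.sts: Dict[str, ServiceTicket] = {}

    def login(self, principal: str) -> str:
        """Primary authentication succeeded: start an SSO session."""
        tgt_id = "TGT-" + secrets.token_urlsafe(32)
        self.tgts[tgt_id] = TicketGrantingTicket(principal, self.clock())
        return tgt_id

    def _live_tgt(self, tgt_id: str) -> Optional[TicketGrantingTicket]:
        tgt = self.tgts.get(tgt_id)
        if tgt is None or self.clock() - tgt.issued_at > TGT_TTL_SECONDS:
            self.tgts.pop(tgt_id, None)
            return None
        return tgt

    def grant_service_ticket(self, tgt_id: str, service: str) -> str:
        """What /login?service=... does for a browser that presents a valid TGC."""
        if self._live_tgt(tgt_id) is None:
            raise ValidationError("no SSO session; user must authenticate")
        st_id = "ST-" + secrets.token_urlsafe(24)
        self.sts[st_id] = ServiceTicket(tgt_id, service, self.clock())
        return st_id

    def validate(self, st_id: str, service: str) -> str:
        """What /serviceValidate does: returns the principal at most once per ticket."""
        st = self.sts.get(st_id)
        if st is None:
            raise ValidationError("INVALID_TICKET: unknown ticket")
        if st.used:
            raise ValidationError("INVALID_TICKET: ticket already consumed")
        st.used = True   # consumed on the first attempt, successful or not (example's choice)
        if self.clock() - st.issued_at > ST_TTL_SECONDS:
            raise ValidationError("INVALID_TICKET: ticket expired")
        if st.service != service:
            raise ValidationError("INVALID_SERVICE: ticket was issued for another service")
        tgt = self._live_tgt(st.tgt_id)
        if tgt is None:
            raise ValidationError("INVALID_TICKET: SSO session ended")
        return tgt.principal


if __name__ == "__main__":
    reg = TicketRegistry()
    tgt = reg.login("alice")
    st = reg.grant_service_ticket(tgt, "https://example.com/")
    print("first validation:", reg.validate(st, "https://example.com/"))
    try:                       # Bob opens the bookmarked ?ticket=ST-... URL
        reg.validate(st, "https://example.com/")
    except ValidationError as e:
        print("replay:", e)
```

The model makes the practical consequence visible: for Bob to succeed with Alice's bookmark, the application must have skipped or cached the validation of that ticket, or the ST lifetime must be long enough to cover the hand-off. Either way the fix is on the application side plus a short ST TTL, not a longer one.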


Re: [cas-user] "Partial Login" strategies

2022-02-22 Thread Carl Waldbieser
I agree with Ray that most of the heavy lifting for that scenario would be
in the application.  However, what is going on is that there are different
levels of access based on the session context.
So if I am able to log in simply because of a long-lived session cookie, I
have access to some parts of my user data.  But to make changes or spend
money, I need to have additional authorization, often in the form of a more
recent authentication.

CAS can still be a component in that kind of authentication/access control
decision, but the enforcement of such a policy is *typically* within the
application.  For example, an application may allow you to view your data
with a simple authentication.  But in order to modify or access your stored
credit card information, you may be required to authenticate with some kind
of MFA.  CAS can provide attributes that can aid the application in
deciding whether or not this type of access should be granted.  But it is
*typically* the application's responsibility to enforce that kind of access
control.

Thanks,
Carl Waldbieser


On Tue, Feb 22, 2022 at 3:15 PM Ray Bon  wrote:

> Pablo,
>
> That kind of behaviour is in your application and has nothing to do with
> cas. If the application determines that a user needs to log in, then send
> them to cas.
>
> Ray
>
> On Tue, 2022-02-22 at 09:15 -0800, Pablo Vidaurri wrote:
>
>
> Hi, not sure exactly what this is called but I'm sure you have seen it on
> Amazon, Best Buy, etc. You have access to view browsing history, shopping
> cart, etc but when you actually click on order history, profile, etc you
> are prompted to log in.
>
> So some items are viewable but once you start to interact you get prompted
> to login.
>
> How does a site do something like that? I'm assuming CAS doesn't offer
> anything like that, correct?
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
> peoples whose historical relationships with the land continue to this day.
>



Re: [cas-user] login via modal window

2022-02-16 Thread Carl Waldbieser
Pablo,

You'd need to implement the parts of the CAS protocol (
https://apereo.github.io/cas/6.0.x/protocol/CAS-Protocol.html) that you
actually intend to use.  So probably you'd need some way of persisting the
TGT to the browser.  The CAS server also sets up a bunch of security
headers, etc.

Trying to replicate the CAS server functionality from the REST API seems
like a pretty big undertaking.  The REST API is really meant to model
"applications as users".
From my point of view this doesn't seem like the best way to use CAS.

Thanks,
Carl Waldbieser
ITS
Lafayette College


On Tue, Feb 15, 2022 at 9:55 PM Pablo Vidaurri  wrote:

> Hello,
>
> On our website we wish to present a modal window for login instead of
> redirecting the user to cas/login which takes away from the user
> experience. Our modal window is react based.
>
> I have come across this documentation
> <https://apereo.github.io/cas/6.4.x/protocol/REST-Protocol.html> regarding
> rest protocol. I guess we could make an ajax call to authenticate a user
> and create a TGT, even create an ST if necessary. Is there anything else I
> need to do like need to create a cookie on the browser side for the browser
> to use for subsequent SSO checks.
>
> -psv
>



[cas-user] Security Response Headers Question

2022-02-02 Thread Carl Waldbieser
In CAS 6.4.x, I believe that the security response headers are enabled by
default.  I.e.:

cas.http-web-request.header.enabled=true


If I browse to one of our CAS endpoints (e.g. /cas/login), I see the Strict
Transport Security response header.

However, if I browse to an invalid endpoint, e.g. /, I don't see the Strict
Transport Security response header.  This gets flagged in security scans.

I have a 2 part question.  Is this really a security issue?  An end user
doesn't typically browse to a CAS resource on their own, so it seems like
maybe not having the invalid resources protected is OK, since the user will
likely be first introduced to CAS on a valid resource and the browser will
remember the header setting for the site.

If this *is* an issue, is there a way to configure CAS to just apply the
security response headers to *all* resources that it serves up?

Thanks,
Carl Waldbieser
ITS
Lafayette College

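A check that makes the scanner finding reproducible, as an added example rather than anything from CAS or the question above: it takes the headers returned for a set of paths and reports which responses, whatever their status code, lack a usable Strict-Transport-Security policy. The responses below are constructed to mirror the symptom described (/cas/login carries the header, / does not); a real run would replace SAMPLE_RESPONSES with headers fetched over HTTPS from the deployment. The header is parsed per RFC 6797 rather than merely tested for presence, because a policy with a tiny max-age protects no better than none, and the one-year baseline is an assumption taken from common browser preload requirements.

```python
"""Report which responses carry a usable HSTS policy.

Added example, not CAS code.  SAMPLE_RESPONSES is constructed to mirror the
symptom in the question: the login page sets the header, the 404 at / does not.
"""
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600   # assumed baseline for max-age


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """RFC 6797 section 6.1: directives separated by ';', names case-insensitive,
    max-age mandatory, no directive may appear twice.  None if invalid."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if eq else None
    if not (directives.get("max-age") or "").isdigit():
        return None
    return directives


def assess_hsts(headers: Dict[str, str]) -> Tuple[bool, str]:
    """(ok, reason) for one response; header names are matched case-insensitively."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "header missing"
    d = parse_hsts(value)
    if d is None:
        return False, "header unparseable"
    max_age = int(d["max-age"])
    if max_age == 0:
        return False, "max-age=0 tells the browser to forget the policy"
    if max_age < ONE_YEAR:
        return False, f"max-age {max_age} below the one-year baseline"
    if "includesubdomains" not in d:
        return True, "ok (without includeSubDomains)"
    return True, "ok"


def uncovered_paths(responses: Dict[str, Tuple[int, Dict[str, str]]]) -> List[Tuple[str, int, str]]:
    """Paths whose response, error pages included, does not carry a usable policy.
    A browser records HSTS from any response it receives over TLS, so a 404 that
    omits the header is a gap for a user whose first contact with the host is that 404."""
    out = []
    for path, (status, headers) in responses.items():
        ok, reason = assess_hsts(headers)
        if not ok:
            out.append((path, status, reason))
    return out


# Constructed responses mirroring the question's symptom.
SAMPLE_RESPONSES = {
    "/cas/login": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "/cas/serviceValidate": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    "/": (404, {"Content-Type": "text/html"}),
    "/cas/nosuchpage": (404, {"Strict-Transport-Security": "max-age=600"}),
}

if __name__ == "__main__":
    for path, status, reason in uncovered_paths(SAMPLE_RESPONSES):
        print(f"{status} {path}: {reason}")
```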


Re: [cas-user] CAS Shibboleth, check user attribute before granting acess

2022-01-27 Thread Carl Waldbieser
Pablo,

We have a config similar to this for a particular service:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://service.example.net/login/saml2",
  "id": 1000,
  "evaluationOrder": 1000,
  "name": "DocuSign",
  "description": "An example service.",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "eduPersonEntitlement"
      ]
    ],
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "completeMatch": false,
      "excludeUnmappedAttributes": false,
      "order": 0,
      "patterns": {
        "@class": "java.util.HashMap",
        "eduPersonEntitlement": "^https://service.example.net/authorized$"
      }
    }
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": [
        "java.util.HashSet",
        [
          "https://service.example.net/authorized"
        ]
      ]
    }
  },
  "logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png",
  "properties": {
    "@class": "java.util.HashMap",
    "InformationURL": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "https://help.example.org/service-example-net"
        ]
      ]
    }
  }
}


The idea is to just redirect to an "Unauthorized" page if the principal
does not have the required entitlement for the service.  There are other
actions you can take as well, though you'd have to check the CAS docs to
see what those are.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Wed, Jan 26, 2022 at 10:35 PM Pablo Vidaurri 
wrote:

> Currently using standalone shib. I have a configuration in flow/intercept
> to check for a user attribute. If it is not a certain value, then we deny
> him access to the app he trying to log into. Shib allows me to define the
> entity-id in rely party to force this check, so I can decide which service
> needs this attribute set.
>
> Now, trying to use CAS-Shib. How can I do the same?
> 1) Check user attribute, if not value "X" then display message that he
> needs to do something first.
> 2) Be able to define which SAML service needs this attribute set.
>
> Thanks.
> -psv
>

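The service definition above combines two separate mechanisms that are easy to conflate: the access strategy's `requiredAttributes`, which decides whether the principal gets in at all, and the mapped-regex attribute filter, which only decides which values are released. The code below is an added example, not CAS code: a small reimplementation of how those two JSON blocks behave, written so a decision can be checked offline before the definition is deployed. The semantics (all required attribute names must be present with at least one matching value; `completeMatch` false means a regex search rather than a full match; unmapped allowed attributes pass through unless `excludeUnmappedAttributes` is set) are my reading of the CAS documentation for those classes and should be verified against your version. The principal attribute sets are constructed; the entitlement value, regex and redirect URL are the ones from the posted definition.

```python
"""Evaluate the requiredAttributes gate and the mapped-regex release filter
from the posted service definition against a principal's attributes.

Added example, not CAS code.  Semantics are my reading of the CAS docs for
DefaultRegisteredServiceAccessStrategy and RegisteredServiceMappedRegexAttributeFilter.
"""
import re
from typing import Dict, List, Optional, Set

# The relevant parts of the posted definition, without the Java type markers.
SERVICE = {
    "requiredAttributes": {
        "eduPersonEntitlement": {"https://service.example.net/authorized"},
    },
    "allowedAttributes": ["eduPersonEntitlement"],
    "attributeFilter": {
        "patterns": {"eduPersonEntitlement": r"^https://service.example.net/authorized$"},
        "completeMatch": False,
        "excludeUnmappedAttributes": False,
    },
    "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
}

Attributes = Dict[str, Set[str]]


def access_allowed(principal: Attributes, required: Dict[str, Set[str]]) -> bool:
    """requiredAttributes: every listed attribute must be present on the principal
    and share at least one value with the required set.  Missing means denied."""
    for name, wanted in required.items():
        if not (principal.get(name, set()) & wanted):
            return False
    return True


def filter_released(principal: Attributes, allowed: List[str], flt: dict) -> Attributes:
    """ReturnAllowedAttributeReleasePolicy narrowed by the mapped-regex filter.
    Attributes outside allowedAttributes are never released.  A mapped attribute
    keeps only the values its pattern matches; an unmapped one is released as-is
    unless excludeUnmappedAttributes is set."""
    patterns = {k: re.compile(v) for k, v in flt["patterns"].items()}

    def matches(pattern: re.Pattern, value: str) -> bool:
        return (pattern.fullmatch(value) if flt["completeMatch"] else pattern.search(value)) is not None

    released: Attributes = {}
    for name in allowed:
        values = principal.get(name)
        if not values:
            continue
        if name in patterns:
            kept = {v for v in values if matches(patterns[name], v)}
            if kept:
                released[name] = kept
        elif not flt["excludeUnmappedAttributes"]:
            released[name] = set(values)
    return released


def decide(principal: Attributes, service: dict = SERVICE) -> dict:
    """Gate first, then release: the filter never blocks a login by itself."""
    if not access_allowed(principal, service["requiredAttributes"]):
        return {"allowed": False, "redirect": service["unauthorizedRedirectUrl"], "attributes": {}}
    return {
        "allowed": True,
        "redirect": None,
        "attributes": filter_released(principal, service["allowedAttributes"], service["attributeFilter"]),
    }


if __name__ == "__main__":
    # Constructed principals.
    print(decide({"eduPersonEntitlement": {"https://service.example.net/authorized", "urn:mace:other"}}))
    print(decide({"eduPersonEntitlement": {"urn:mace:other"}}))
```

The split matters for the Shibboleth-style intercept being replaced: if only the filter were configured, a user without the entitlement would still reach the service, just with an empty attribute set, so the deny has to live in `accessStrategy`.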


[cas-user] CAS JDK version question

2021-12-15 Thread Carl Waldbieser
In the docs for CAS 6.4 installation (
https://apereo.github.io/cas/6.4.x/planning/Installation-Requirements.html)
it reads:

CAS at its heart is a Java-based web application. Prior to deployment, you
will need to have JDK 11 <https://openjdk.java.net/projects/jdk/11/>
installed.

Is JDK 11 an exact requirement?  Or are later versions of the JDK also
acceptable?  I don't follow Java development too closely, but I did see
that JDK 17 is in general availability, so it just got me wondering.

Thanks,
Carl Waldbieser
ITS
Lafayette College



Re: [cas-user] ignore TLS hostname verification (SSLPeerUnverifiedException)?

2021-10-04 Thread Carl Waldbieser
Well, you'd need to at least update all the DR certs in use.  The
production service certs could be left alone until they expire, but you'd
probably want to eventually consolidate those.

You can probably get ldaptive to ignore the hostname verification when your
DR CAS client instance queries your DR LDAP service, but you could just
configure it to use the DR LDAP service's current name if you just wanted
to quickly verify the service starts up.  Presumably the DR DNS name will
still be around during a fail over?

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Mon, Oct 4, 2021 at 2:53 PM Baron Fujimoto  wrote:

> Hmm, maybe? But then wouldn't we have to update all the certs in use? I
> was hoping for something we could just enable temporarily that would allow
> us to test sufficiently to give us enough confidence that it generally
> works as expected.
>
> On Mon, Oct 4, 2021 at 8:17 AM Carl Waldbieser 
> wrote:
>
>> Baron,
>>
>> Couldn't you just put a subject alternative names on the certificate to
>> include both the DR name and the production service name?
>>
>> Thanks,
>> Carl Waldbieser
>> ITS
>> Lafayette College
>>
>> On Mon, Oct 4, 2021 at 2:01 PM Baron Fujimoto  wrote:
>>
>>> This isn't strictly a CAS issue, but we're encountering it trying to
>>> test CAS so I'm hoping someone may be able to offer suggestions.
>>>
>>> We have a disaster recovery (DR) instance of our login stack that
>>> includes CAS (which uses a DR instance of LDAP). These instances have
>>> hostnames that follow a convention something like, dr-cas.example.edu
>>> and dr-ldap.example.edu. However, they use TLS certificates that use
>>> the non dr- versions of their hostnames, e,g, cas.example.edu and
>>> ldap.example.edu. The idea being that in the event we actually need to
>>> make use of the DR instance of the CAS/LDAP login stack, DNS changes would
>>> point cas.example.edu to dr-cas.example.edu, and ldap.example.edu to
>>> dr-example.edu.
>>>
>>> This presents a challenge though to test the DR instance of our login
>>> stack without making the aforementioned DNS changes.
>>>
>>> When CAS is started, it throws an exception:
>>>
>>> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname
>>> verification failed for dr-ldap.example.edu using
>>> [org.ldaptive.ssl.HostnameVerifierAdapter@20.
>>> ..63::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@41...82]
>>>
>>> Is there a way to get CAS to temporarily disable or ignore hostname
>>> verification via a property or Java option so that we can confirm things
>>> are otherwise working as expected? Any suggestions would be appreciated.
>>> --
>>> Baron Fujimoto  :: UH Information Technology Services
>>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>>>
> --
> Baron Fujimoto  :: UH Info

Re: [cas-user] ignore TLS hostname verification (SSLPeerUnverifiedException)?

2021-10-04 Thread Carl Waldbieser
Baron,

Couldn't you just put a subject alternative names on the certificate to
include both the DR name and the production service name?

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Mon, Oct 4, 2021 at 2:01 PM Baron Fujimoto  wrote:

> This isn't strictly a CAS issue, but we're encountering it trying to test
> CAS so I'm hoping someone may be able to offer suggestions.
>
> We have a disaster recovery (DR) instance of our login stack that includes
> CAS (which uses a DR instance of LDAP). These instances have hostnames that
> follow a convention something like, dr-cas.example.edu and
> dr-ldap.example.edu. However, they use TLS certificates that use the non
> dr- versions of their hostnames, e,g, cas.example.edu and ldap.example.edu.
> The idea being that in the event we actually need to make use of the DR
> instance of the CAS/LDAP login stack, DNS changes would point
> cas.example.edu to dr-cas.example.edu, and ldap.example.edu to
> dr-example.edu.
>
> This presents a challenge though to test the DR instance of our login
> stack without making the aforementioned DNS changes.
>
> When CAS is started, it throws an exception:
>
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname verification
> failed for dr-ldap.example.edu using
> [org.ldaptive.ssl.HostnameVerifierAdapter@20.
> ..63::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@41...82]
>
> Is there a way to get CAS to temporarily disable or ignore hostname
> verification via a property or Java option so that we can confirm things
> are otherwise working as expected? Any suggestions would be appreciated.
> --
> Baron Fujimoto  :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>

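The failure Baron reports is the client comparing the host it connected to against the certificate's subjectAltName entries. The following is an added example, not ldaptive's or CAS's code: a small model of that dNSName matching rule, showing why dr-ldap.example.edu fails against a certificate whose only SAN is ldap.example.edu and passes once both names are present, which is the fix Carl suggests. It also covers the wildcard rules (only a whole left-most label, never across a dot), which goes beyond the thread. Host names and SAN lists are constructed for the example.

```python
"""
Model of the SAN-based hostname check that a TLS client (for example
ldaptive's DefaultHostnameVerifier) performs, reduced to the matching
rule for dNSName entries in the spirit of RFC 6125.  Added example, not
ldaptive's or CAS's code.  The SAN lists and host names below are
constructed for the example.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one DNS label; a bare '*' matches exactly one label."""
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def dns_name_matches(san_dns_name: str, host: str) -> bool:
    """Return True if a dNSName SAN entry covers the given host.

    Rules (conservative reading of RFC 6125):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard is only honoured as the entire left-most label
      - a wildcard matches exactly one label, never a dot
      - '*.tld'-style entries that would cover a whole suffix are refused
    """
    san = san_dns_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    san_labels = san.split(".")
    host_labels = host.split(".")
    if len(san_labels) != len(host_labels):
        return False
    # Wildcards anywhere but the first label, or partial ones ('dr-*'), are rejected.
    if any("*" in lbl for lbl in san_labels[1:]) or (
        "*" in san_labels[0] and san_labels[0] != "*"
    ):
        return False
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def verify_hostname(host: str, san_dns_names: list[str]) -> bool:
    """True if any dNSName SAN on the certificate covers the host."""
    return any(dns_name_matches(san, host) for san in san_dns_names)


def explain(host: str, san_dns_names: list[str]) -> str:
    """Render the verification result as a one-line message."""
    ok = verify_hostname(host, san_dns_names)
    status = "verified" if ok else "hostname verification FAILED"
    return f"{host}: {status} against SAN={san_dns_names}"


# Constructed scenario from the thread: a production certificate carrying
# only the production name, and one that also carries the DR name.
PROD_ONLY_SAN = ["ldap.example.edu"]
PROD_AND_DR_SAN = ["ldap.example.edu", "dr-ldap.example.edu"]

if __name__ == "__main__":
    print(explain("dr-ldap.example.edu", PROD_ONLY_SAN))
    print(explain("dr-ldap.example.edu", PROD_AND_DR_SAN))
    print(explain("dr-ldap.example.edu", ["*.example.edu"]))
    print(explain("ldap.dr.example.edu", ["*.example.edu"]))
```

Adding the DR name as a second SAN keeps verification on for the DR test and is a narrower change than switching the verifier off, which would also mask a wrong or substituted certificate during the test.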


Re: [cas-user] Access strategy not working with SAML based service

2021-09-23 Thread Carl Waldbieser
We are using CAS 6.x.  I have a SAML entry in my allow list that looks
similar to this:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "Entity ID goes here ...",
  "id": 1000,
  "evaluationOrder": 1000,
  "name": "SAML Provider",
  "description": "Blah blah blah ...",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "eduPersonEntitlement"
      ]
    ],
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "completeMatch": false,
      "excludeUnmappedAttributes": false,
      "order": 0,
      "patterns": {
        "@class": "java.util.HashMap",
        "eduPersonEntitlement": "^https://example.lafayette.edu/authorized$"
      }
    }
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://example.lafayette.edu/pages/403.html",
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": [
        "java.util.HashSet",
        [
          "https://example.lafayette.edu/authorized"
        ]
      ]
    }
  },
  "logo": "https://cdn.lafayette.edu/images/logos/example-100x100.png",
  "properties": {
    "@class": "java.util.HashMap",
    "InformationURL": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "https://help.lafayette.edu/example"
        ]
      ]
    }
  }
}


Hope that helps.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Thu, Sep 23, 2021 at 9:44 AM Nordy Di Marzio 
wrote:

> hello cas community,
>
> wish you are doing great,
>
> I am having a little trouble getting the access strategy to work with a
> SAML based service.
>
> more precisely, I am trying to implement access restrictions based on
> group membership, but for now all users are able to logon on the app
> regardless of their group membership, and no error is being logged.
>
> so I am wondering if there is something missing in my config, could you
> please help me find out what else I should configure?
>
> this is the service file that I am using
>
> {
>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId": "https://foo.bar/",
>   "name": "foo",
>   "id": 10013986,
>   "evaluationOrder": 3,
>   "metadataLocation": "/etc/cas/saml/foo.xml",
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "requireAllAttributes" : false,
>     "ssoEnabled" : true,
>     "requiredAttributes" : {
>       "@class" : "java.util.HashMap",
>       "memberOf" : [ "java.util.HashSet", [ "CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar" ] ]
>     }
>   }
> }
>
>
> the cas version I am using is 5.1
>
> thanks for your help,
>
> Nordy
>

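Both service files in this thread use the JSON service registry's Jackson typed-collection encoding (`["java.util.HashSet", [...]]`, `{"@class": "java.util.HashMap", ...}`) and gate access on `requiredAttributes`. The following is an added example, not CAS code: a small Python model that strips those wrappers and evaluates the access strategy against a principal's released attributes, so the policy can be unit-tested outside the server. The semantics are a simplified assumption about CAS's DefaultRegisteredServiceAccessStrategy (required values searched as regular expressions, `requireAllAttributes` choosing all-versus-any, absent attributes failing closed); the real strategy has more options. The service JSON and principals are constructed, modelled on Carl's entry.

```python
"""
Simplified model of how a CAS JSON service definition's accessStrategy
gates a login on principal attributes.  Added example, not CAS code:
it unwraps the Jackson typed-collection wrappers used by the JSON
service registry and reproduces an assumed, simplified form of the
requiredAttributes / requireAllAttributes check.  Service JSON and
principal attribute maps are constructed for the example.
"""
import json
import re
from typing import Any

# Constructed service definition modelled on the one in the thread.
SERVICE_JSON = r'''
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://example.lafayette.edu/.*",
  "name": "SAML Provider",
  "id": 1000,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "requireAllAttributes": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": [
        "java.util.HashSet",
        [ "https://example.lafayette.edu/authorized" ]
      ]
    }
  }
}
'''


def unwrap(node: Any) -> Any:
    """Strip Jackson default-typing wrappers from parsed service JSON.

    ["java.util.HashSet", [...]] becomes a plain list and
    {"@class": "java.util.HashMap", ...} a plain dict without "@class".
    """
    if isinstance(node, list):
        if (len(node) == 2 and isinstance(node[0], str)
                and node[0].startswith("java.util.") and isinstance(node[1], list)):
            return [unwrap(v) for v in node[1]]
        return [unwrap(v) for v in node]
    if isinstance(node, dict):
        return {k: unwrap(v) for k, v in node.items() if k != "@class"}
    return node


def load_service(text: str) -> dict:
    """Parse a service definition and drop the type wrappers."""
    return unwrap(json.loads(text))


def access_allowed(service: dict, principal_attrs: dict[str, list[str]]) -> bool:
    """Evaluate the accessStrategy for a principal's released attributes.

    Assumed, simplified semantics: the strategy must be enabled; each
    required value is a regular expression searched in the principal's
    values for that attribute; with requireAllAttributes every required
    attribute must match, otherwise one matching attribute is enough.
    A principal that lacks the attribute entirely is denied (fail closed).
    An empty requiredAttributes map places no attribute condition at all.
    """
    strategy = service.get("accessStrategy", {})
    if not strategy.get("enabled", True):
        return False
    required = strategy.get("requiredAttributes", {})
    if not required:
        return True
    require_all = strategy.get("requireAllAttributes", True)

    def attr_ok(name: str, wanted: list[str]) -> bool:
        have = principal_attrs.get(name, [])
        return any(re.search(pat, val) for pat in wanted for val in have)

    results = [attr_ok(name, wanted) for name, wanted in required.items()]
    return all(results) if require_all else any(results)


SERVICE = load_service(SERVICE_JSON)

if __name__ == "__main__":
    # constructed principals: one holds the entitlement, one does not,
    # one had no attributes released at all
    print(access_allowed(SERVICE, {"eduPersonEntitlement": ["https://example.lafayette.edu/authorized"]}))
    print(access_allowed(SERVICE, {"eduPersonEntitlement": ["https://example.lafayette.edu/other"]}))
    print(access_allowed(SERVICE, {}))
```

A useful check when "everyone gets in" is to run the principal's actually released attributes (not the ones you expect the directory to hold) through a model like this: if the attribute the policy keys on is never released, a strategy that fails closed denies everyone, and one that allows everyone points at the policy not being applied rather than at its values.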


Re: [cas-user] CAS 6.1.7.2 Duo-Client Not Found

2021-05-11 Thread Carl Waldbieser
Zachary,

I'm running CAS in docker containers.  If I load up one of the container
images and override the entrypoint with a shell, I can see that the CAS WAR
file is at /docker/cas/war/cas.war .  I copy that out of the container and
expand the archive with `jar xvf cas.war`.  The JAR I am looking for is at
"./WEB-INF/lib/duo-client-0.2.2.jar".  There are also a couple "okhttp"
JARs in there, too.  I think I needed one of those as well.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Tue, May 11, 2021 at 3:01 PM 'Zachary Dunham' via CAS Community <
cas-user@apereo.org> wrote:

> Carl,
>
> Do you happen to know where those gradle jars are stored by default? I was
> going to go to our currently working instance and grab the jar from there
> but can't seem to locate it. My first though would be in the .gradle/
> location. (I'm running it on Linux).
>
> Thanks again for the help!
>
> On Tue, May 11, 2021 at 10:08 AM Carl Waldbieser 
> wrote:
>
>> I am working around this by having the JAR files (duo
>> and okhttp-2.3.0.jar) locally in the build environment and tweaking the
>> Gradle build script to use those.  Seems to work for now with 6.2.8.
>>
>> Thanks,
>> Carl Waldbieser
>> ITS
>> Lafayette College
>>
>>
>> On Mon, May 10, 2021 at 5:14 PM 'Zachary Dunham' via CAS Community <
>> cas-user@apereo.org> wrote:
>>
>>> I'm getting the following error in my gradle build:
>>>
>>> FAILURE: Build failed with an exception.
>>>
>>> * What went wrong:
>>> Execution failed for task ':bootWar'.
>>> > Could not resolve all files for configuration ':runtimeClasspath'.
>>>> Could not resolve net.unicon.iam:duo-client:0.2.2.
>>>  Required by:
>>>  project : > org.apereo.cas:cas-server-support-duo:6.1.7.2 >
>>> org.apereo.cas:cas-server-support-duo-core:6.1.7.2
>>>   > Could not resolve net.unicon.iam:duo-client:0.2.2.
>>>  > Could not get resource '
>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom
>>> '.
>>> > Could not GET '
>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
>>> Received status code 409 from server:
>>>   > Could not resolve net.unicon.iam:duo-client:0.2.2.
>>>  > Could not get resource '
>>> https://dl.bintray.com/uniconiam/maven/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom
>>> '.
>>> > Could not GET '
>>> https://dl.bintray.com/uniconiam/maven/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
>>> Received status code 403 from server: Forbidden
>>>
>>> This error tells me
>>> that org.apereo.cas:cas-server-support-duo-core:6.1.7.2 requires duo-client
>>> 0.2.2. However, https://dl.bintray.com/uniconiam/maven/ and
>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/
>>> are no longer accessible due to Jfrog shutting bintray down. I also
>>> don't see unicon/iam/duo-client:0.2.2 in Maven Central.
>>>
>>> Does this mean my only option here is to upgrade to 6.3.x or disable Duo
>>> MFA?
>>>
>>> Is anyone else experiencing this issue or has anyone found a workaround
>>> for this?
>>>
>>> Thanks
>>>
>>> --
>>> Zachary Dunham
>>> Database Administrator I
>>> Information Technology Services
>>> Northeastern State University
>>>

Re: [cas-user] CAS 6.1.7.2 Duo-Client Not Found

2021-05-11 Thread Carl Waldbieser
I am working around this by having the JAR files (duo and okhttp-2.3.0.jar)
locally in the build environment and tweaking the Gradle build script to
use those.  Seems to work for now with 6.2.8.

Thanks,
Carl Waldbieser
ITS
Lafayette College


On Mon, May 10, 2021 at 5:14 PM 'Zachary Dunham' via CAS Community <
cas-user@apereo.org> wrote:

> I'm getting the following error in my gradle build:
>
> FAILURE: Build failed with an exception.
>
> * What went wrong:
> Execution failed for task ':bootWar'.
> > Could not resolve all files for configuration ':runtimeClasspath'.
>> Could not resolve net.unicon.iam:duo-client:0.2.2.
>  Required by:
>  project : > org.apereo.cas:cas-server-support-duo:6.1.7.2 >
> org.apereo.cas:cas-server-support-duo-core:6.1.7.2
>   > Could not resolve net.unicon.iam:duo-client:0.2.2.
>  > Could not get resource '
> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom
> '.
> > Could not GET '
> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
> Received status code 409 from server:
>   > Could not resolve net.unicon.iam:duo-client:0.2.2.
>  > Could not get resource '
> https://dl.bintray.com/uniconiam/maven/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom
> '.
> > Could not GET '
> https://dl.bintray.com/uniconiam/maven/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
> Received status code 403 from server: Forbidden
>
> This error tells me
> that org.apereo.cas:cas-server-support-duo-core:6.1.7.2 requires duo-client
> 0.2.2. However, https://dl.bintray.com/uniconiam/maven/ and
> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/
> are no longer accessible due to Jfrog shutting bintray down. I also don't
> see unicon/iam/duo-client:0.2.2 in Maven Central.
>
> Does this mean my only option here is to upgrade to 6.3.x or disable Duo
> MFA?
>
> Is anyone else experiencing this issue or has anyone found a workaround
> for this?
>
> Thanks
>
> --
> Zachary Dunham
> Database Administrator I
> Information Technology Services
> Northeastern State University
>



Re: [cas-user] CSRF protection for login page

2021-04-21 Thread Carl Waldbieser
Technically, that is not CSRF, but I understand the concern you have--
phisher captures the username/password on their own form, and then sends
the credentials on to the legitimate site so the user is none the wiser.

A nonce in this case wouldn't buy you too much if the user doesn't notice
they are at the wrong site.  Consider the attacker could just POST to her
own site then redirect to the real site, leaving the user thinking she just
entered a typo in the username or password.  Or the phisher could be
proxying the site, maybe using something like an sslstrip attack.  In all
those cases, if the user hasn't noticed she wound up on
https://evil-site-that-looks-like-your.net/ she may be fooled into giving
up her credentials.

A nonce is useful as CSRF protection in cases where you are already
authenticated to a site, so a bad actor can't trick you into doing
something that would normally require authentication.

Historically, I believe CAS used to have a "login ticket" which was a
nonce.  It dropped it somewhere between 3.x and 5.x, I believe.

Thanks,
Carl Waldbieser
ITS
Lafayette College


On Wed, Apr 21, 2021 at 5:24 AM Paul Roemer  wrote:

>
> Hey guys,
>
> we noticed that you can easily create your own login form with copied
> execution ID on any domain you might want to use for phishing attacks. As
> for the victim everything looks good (login is successful), detecting the
> attack is hard.
>
>
> Example form for the CAS demo server:
> <form action="https://casserver.herokuapp.com/cas/login" method="POST">
> 
> 
>  value="4966e50b-191f-45e1-bab2-22e6304447c7_…">
> 
> 
> 
> 
>
> Besides the CSRF issue, I also wonder why the same Spring Webflow
> execution ID can be used several times. Shouldn't the execution ID be
> deleted after reaching an end state of the flow?
>
> Cheers,
>   Paul
>

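The following is an added example, not CAS or Spring Webflow code, that illustrates the two distinct points in this thread: a token bound to an already-authenticated session is what stops a cross-site request from a logged-in browser, and a flow execution key that is consumed when its flow reaches an end state cannot be replayed. As Carl says, neither helps when the user types credentials into a look-alike site that relays them. The server secret, session ids and keys are constructed for the example.

```python
"""
Added example (not CAS or Spring Webflow code): a session-bound CSRF
synchronizer token and a single-use flow execution key registry.
The server secret, session ids and keys below are constructed.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-secret-for-the-example-only"


def csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the session: HMAC(secret, session_id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, presented: str) -> bool:
    """Constant-time check that the presented token belongs to this session."""
    return hmac.compare_digest(csrf_token(session_id), presented)


class FlowExecutions:
    """Server-side registry of flow execution keys, consumed on completion."""

    def __init__(self) -> None:
        self._active: dict[str, str] = {}  # key -> owning session id

    def start(self, session_id: str) -> str:
        """Begin a flow for a session and hand back its unguessable key."""
        key = secrets.token_urlsafe(16)
        self._active[key] = session_id
        return key

    def resume(self, session_id: str, key: str) -> bool:
        """A key may only be resumed by the session that started it."""
        return self._active.get(key) == session_id

    def finish(self, key: str) -> None:
        """Reaching an end state invalidates the key so it cannot be reused."""
        self._active.pop(key, None)


def demo() -> dict[str, bool]:
    """Run the two scenarios and report each outcome by name."""
    flows = FlowExecutions()
    victim, other = "sess-victim", "sess-other"
    # 1. a CSRF token lifted from the victim's page is useless in another session
    token = csrf_token(victim)
    # 2. a flow key that reached its end state is presented again
    key = flows.start(victim)
    before_end = flows.resume(victim, key)
    flows.finish(key)
    after_end = flows.resume(victim, key)
    return {
        "token_valid_in_own_session": csrf_valid(victim, token),
        "token_valid_in_other_session": csrf_valid(other, token),
        "flow_resumes_before_end_state": before_end,
        "flow_resumes_after_end_state": after_end,
        "flow_key_usable_by_other_session": flows.resume(other, flows.start(victim)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The token is a pure function of the session id under a server secret, so the server stores nothing extra per session; the flow registry, by contrast, must keep state because the property being enforced is "used at most once", which no stateless check can provide.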


Re: [cas-user] Combine mod_auth_cas and mod_auth_basic?

2021-02-22 Thread Carl Waldbieser
Mark,

If your web site uses some kind of session to persist authentication
between requests, you could just have separate login resources for CAS or
for an alternative authN/authZ method.  Either one could establish the
session and you could proceed from there.

Thanks,
Carl Waldbieser
ITS
Lafayette College


On Thu, Feb 18, 2021 at 12:22 PM Mark Wood  wrote:

> We would like to support access to a service by both our CAS users and a
> table of "local" users in a file or database.  Is there a way to get HTTPD
> to consult both of these modules for the same location?  (The use of
> "AuthType CAS" suggests that the answer is "no":  only one AuthType can be
> declared for a location.)
>



Re: [cas-user] Question about using CAS with LDAP..?

2021-02-22 Thread Carl Waldbieser
KP,

Not sure exactly what you are trying to do, but typically you can use CAS
attributes to make authorization decisions instead of having to use LDAP to
make a separate query.  Your particular needs may be different.  In a
typical case, one might only allow subjects to use a service if the account
owner can authenticate with CAS *and* CAS releases a particular entitlement
value to the service during ticket validation.  So with mod_auth_cas,
something like:

In the httpd config for the mod_auth_cas module (e.g. cas.conf in
/etc/httpd/conf.d or some other conf include folder):

LoadModule auth_cas_module modules/mod_auth_cas.so

CASCookiePath /var/cache/mod_auth_cas/
CASLoginURL *${CAS_PREFIX}*/login
CASValidateURL *${CAS_PREFIX}*/samlValidate
CASValidateSAML On


In the vhost config:


CASScope /
AuthType CAS
Require cas-attribute eduPersonEntitlement:https://myservice.example.org/users


NOTE: The *${...}* syntax above is just a placeholder I am using-- I think
you actually can use environment variables in an Apache config with this
syntax, but I'm not suggesting that you ought to do that.
This example only allows users to log in if they can authenticate to CAS
and CAS releases an attribute named "eduPersonEntitlement" with a value of
"https://myservice.example.org/users".  You could use group memberships or
whatever attributes are appropriate.

That means that your web app is totally decoupled from your centralized
person directory.  CAS brokers the authentication and provides the
information necessary to make policy enforcement decisions.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Thu, Feb 11, 2021 at 6:32 PM KC Pullen  wrote:

> Hello,
>
> I'm currently using CAS to protect web directories on Linux Centos7 and
> Apache 2.4.6.
>
> I'd like to use LDAP to grant authorization to select groups.
>
> The following is a list the sites/blogs that I'm using for reference:
> - https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
> - https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
> -
> https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas
>
> Now, for "valid-user", there is no problem at all, but if I try to use
> LDAP and a filter, I'm getting the "Unauthorized" message.
>
> Below is a snippet from my conf file:
>
>
> 
>
> AuthName "Test password protection for  directory"
> AuthType CAS
> AuthLDAPURL "ldaps://mysite.edu:636/cn=Users,dc=nl,dc=edu?email?sub?(objectClass=*)"
> Require ldap-filter &(email=testu...@mysite.edu)
> # Require valid-user
>
> 
>
> Would anyone be able to take a look and provide a suggestion or two ?
> Maybe share a link to a blog or web-page..?
>
> Thank you kindly,
>
> KP
>
>



Re: [cas-user] CAS in AWS

2020-12-17 Thread Carl Waldbieser
Kelly,

We are using the JIB approach to building our CAS docker images.  See
https://apereo.github.io/2018/11/09/cas6-docker-jib/ .  I did override the
following property in my gradle.properties file:

  baseDockerImage=amd64/adoptopenjdk:11-jdk-hotspot-bionic

Mostly it was because I couldn't determine a better way to get the
container to do a health check without some kind of rudimentary shell.

We do use Duo MFA integration.

I'm not certain what CAS interruption is-- I'm pretty sure we don't use it.

Thanks,
Carl Waldbieser
ITS
Lafayette College


On Wed, Dec 16, 2020 at 5:33 PM Geng, Kelly  wrote:

> Carl,
>
> Thanks for your response! Some followup questions if you don't mind: what
> container image do you use to run CAS? Do you have any MFA integration such
> as Duo? Do you have CAS interruption configured and if yes, in what way?
>
> Thanks again!
> Kelly
>
> On Tue, Dec 15, 2020 at 6:55 PM Carl Waldbieser 
> wrote:
>
>> Kelly,
>>
>> At Lafayette College we run CAS entirely in AWS.
>> We are running it containerized on the AWS Fargate container service.
>>
>> At a high level, we are using DynamoDB for the ticket registry and the
>> JSON service registry.  I still make service entry changes by editing the
>> config file and redeploying-- we don't have the management interface
>> deployed.  We do have an automatic CI/CD pipeline, so redeployment is
>> pretty trivial.
>>
>> We have a single region multi-AZ deployment.  AWS application load
>> balancer is out in front and automatically manages the user facing certs.
>>
>> If you have any questions, let me know.
>>
>> Thanks,
>> Carl Waldbieser
>> ITS
>> Lafayette College
>>
>>
>> On Tue, Dec 15, 2020, 3:30 PM Geng, Kelly  wrote:
>>
>>> Hi All,
>>>
>>> Is there anyone that is successfully running CAS v5+ on AWS either
>>> exclusively or in hybrid mode? We are trying to migrate CAS 6.0 to AWS and
>>> keep running into issues that we don't have running on premise. The issue
>>> is manifested to be tomcat trying to open too many files without properly
>>> closing them.  I'm wondering whether anyone else has issues on AWS, or if
>>> you successfully run it on AWS, what the deployment looks like. We
>>> appreciate any experience sharing with us.
>>>
>>>
>>>
>>> --
>>> Kelly Geng
>>>
>>> Application Developer
>>> Miami University of Ohio
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANDcCJ%3Di5KnoORTHXV3FcqzwhwSpF49xpr0RBGx0BX_BfGAY6A%40mail.gmail.com
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANDcCJ%3Di5KnoORTHXV3FcqzwhwSpF49xpr0RBGx0BX_BfGAY6A%40mail.gmail.com?utm_medium=email_source=footer>
>>> .
>>>
>>
>
>
> --
> Kelly
>

Re: [cas-user] CAS in AWS

2020-12-15 Thread Carl Waldbieser
Kelly,

At Lafayette College we run CAS entirely in AWS.
We are running it containerized on the AWS Fargate container service.

At a high level, we are using DynamoDB for the ticket registry and the JSON
service registry.  I still make service entry changes by editing the config
file and redeploying-- we don't have the management interface deployed.  We
do have an automatic CI/CD pipeline, so redeployment is pretty trivial.

We have a single region multi-AZ deployment.  AWS application load balancer
is out in front and automatically manages the user facing certs.

If you have any questions, let me know.

Thanks,
Carl Waldbieser
ITS
Lafayette College


On Tue, Dec 15, 2020, 3:30 PM Geng, Kelly  wrote:

> Hi All,
>
> Is there anyone that is successfully running CAS v5+ on AWS either
> exclusively or in hybrid mode? We are trying to migrate CAS 6.0 to AWS and
> keep running into issues that we don't have running on premises. The issue
> manifests as tomcat trying to open too many files without properly
> closing them.  I'm wondering whether anyone else has issues on AWS, or if
> you successfully run it on AWS, what the deployment looks like. We
> appreciate any experience sharing with us.
>
>
>
> --
> Kelly Geng
>
> Application Developer
> Miami University of Ohio
>
>



[cas-user] CAS service accessStrategy and external SAML IdP?

2020-11-04 Thread Carl Waldbieser
Hi,

I'm running the Internet2 Shibboleth IdP and delegating authentication to
CAS v6.2 for authentication.  I know CAS can do its own SAML negotiation,
but this is configuration my institution is currently happy with.

We are using the Unicon shibcas authenticator 3 (
https://github.com/Unicon/shib-cas-authn3) to make this work.

When the IdP passes authentication to CAS, I can have CAS service entries
set up that can be used for displaying service info on our CAS login page
just like a service using the CAS protocol.  However, the "accessStrategy"
configuration doesn't seem to be working for this service.  Is this
configuration not supported?  Authentication is successful despite the fact
that the principal doesn't have the required attributes.

Here is my example service configuration:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://account-d.docusign.com/organizations/7b69e84c-b873-4923-85b7-b9930c08d975/saml2",
  "id": 6860,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "eduPersonEntitlement"
      ]
    ],
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "completeMatch": false,
      "excludeUnmappedAttributes": false,
      "order": 0,
      "patterns": {
        "@class": "java.util.HashMap",
        "eduPersonEntitlement": "^https://docusign-sandbox.lafayette.edu/$"
      }
    }
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://cas.stage.lafayette.edu/cas/html/403.html",
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": [
        "java.util.HashSet",
        [
          "https://docusign-sandbox.lafayette.edu/"
        ]
      ]
    }
  },
  "evaluationOrder": 6860,
  "name": "DocuSign Sandbox",
  "description": "DocuSign is an electronic signature and document routing service that securely transmits documents for signing.",
  "logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png",
  "properties": {
    "@class": "java.util.HashMap",
    "InformationURL": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "https://help.lafayette.edu/docusign"
        ]
      ]
    }
  }
}

Any help would be appreciated!

Thanks,
Carl Waldbieser
ITS
Lafayette College



[cas-user] Custom 403 page for unauthorized access to service

2020-11-03 Thread Carl Waldbieser
I want to use the accessStrategy -> unauthorizedRedirectUrl in my service
registry if a user authenticates but doesn't have the required
entitlement.  I think I can use the attributeReleasePolicy and
accessStrategy to accomplish this, but if a user is not authorized, I want
the web browser to be redirected to a static "Unauthorized" page that
explains that the user is not authorized for this service.

Is that something I can do using CAS views?  Or would I be better off just
setting up an external web page somewhere?

Thanks,
Carl Waldbieser
ITS
Lafayette College



Re: [cas-user] Should the CAS ticket be authoritative?

2018-09-07 Thread Carl Waldbieser
Matt,

Yes.  I would say that if establishing a CAS web SSO session requires MFA, then 
one could infer that MFA had to have happened if ticket validation takes place 
successfully.

It might not leave you in the best position if you ever want to swap components 
around.  E.g. if one day you decide to consolidate CAS services, suddenly all 
the clients that were not checking that MFA was asserted during ticket 
validation might need to be updated.  That could be mitigated by forcing the 
MFA CAS service to assert that MFA took place during validation, and forcing 
clients to check that MFA was asserted.  Again, I'm not sure how one would 
configure something like that in practice.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

- Original Message -
From: "Matt T" 
To: "cas-user" 
Sent: Friday, 7 September, 2018 11:47:43
Subject: Re: [cas-user] Should the CAS ticket be authoritative?

Carl, 

This is very helpful.  We actually run two CAS instances because of our IDP 
configuration.  One (the one in question here) requires MFA while the other 
does not.  So, if the CAS ticket in question is only valid in the MFA CAS 
instance, we can be certain the user has performed MFA.  In that case, it 
seems like the CAS ticket is enough, right?  Again, just checking my logic 
so sorry for redundant questions.  

-Matt

On Friday, September 7, 2018 at 9:55:48 AM UTC-5, waldbiec wrote:
>
> Matt, 
>
> It depends.  If during CAS ticket validation, the validation result can 
> assert that MFA took place for the authentication that created the TGT, 
> then I think that would be sufficient if your requirement is simply that 
> MFA took place already in the SSO session. 
>
> However, suppose not all services require MFA.  If you first establish an 
> SSO session to such a service, you might not be prompted for MFA.  When you 
> next go to a service that requires MFA, CAS would need to check in with the 
> IdP so it could perform MFA, or else the SSO session would be denied access 
> until it was terminated and a new SSO session was started that actually did 
> use MFA. 
>
> If your setup is such that in order to establish an SSO session, you need 
> to have provided a 2nd factor, then I would agree that CAS shouldn't need 
> to check with the IdP each time whether MFA is valid-- the fact that the 
> SSO session exists at all is based on the fact that MFA was successful. 
>  Whether it is possible to configure the software that way, I'm not sure. 
>
> Our own setup is the opposite of yours.  We run both CAS and Shibboleth 
> services.  CAS clients interface directly with our CAS service.  SAML2 
> clients interact with our Shibboleth IdP, but the IdP delegates all 
> authentication to CAS so the SSO experience is unified.  Our CAS service 
> does need to signal to the IdP if MFA was used to establish the session. 
>  We require MFA on a per-user basis.  Either a user will be required to use 
> MFA to establish an SSO session or it will not.  Any call to our IdP will 
> always pass through to CAS to verify an SSO session exists.  Users are only 
> prompted for MFA once per session. 
>
> Thanks, 
> Carl Waldbieser 
> ITS Identity Management 
> Lafayette College 
>
> - Original Message - 
> From: "Matt T" > 
> To: "cas-user" > 
> Sent: Friday, 7 September, 2018 09:54:07 
> Subject: [cas-user] Should the CAS ticket be authoritative? 
>
> Hi Everyone, 
>
> I'll be the first to admit I'm no CAS expert.  In fact, I don't even 
> manage 
> our deployments here.  Instead, I work with applications which interface 
> with it so I do understand to some degree.  That being said, I have a 
> question which came up in internal discussions I'm hoping to get some 
> input 
> on. 
>
> We have CAS delegating authentication to our IDP.  Our IDP enforces 
> two-factor auth so if we require it, we don't have to facilitate with CAS. 
>   
> We've run into an issue where every request to an application behind 
> two-factor prompts the user for the second factor of authentication.  This 
> happens even when in a browser you've already verified.  This is an issue 
> because it takes away from the true SSO experience and a user can't move 
> from app to app. 
>
> The main reason it is asking for the second factor again is due to the way 
> we integrate CAS into our IDP.  That's a whole different topic and really 
> outside of the scope of this question so just know we're aware of why it 
> happens even if it isn't right. 
>
> The question is this.  Is CAS ticket validity secure enough to trust only 
> that?  Why should we even check with our IDP a second time if the user's 
> session already has a valid CAS ticket?  Do others use this configuration 
> or do yo

Re: [cas-user] Should the CAS ticket be authoritative?

2018-09-07 Thread Carl Waldbieser
Matt,

It depends.  If during CAS ticket validation, the validation result can assert 
that MFA took place for the authentication that created the TGT, then I think 
that would be sufficient if your requirement is simply that MFA took place 
already in the SSO session.

However, suppose not all services require MFA.  If you first establish an SSO 
session to such a service, you might not be prompted for MFA.  When you next go 
to a service that requires MFA, CAS would need to check in with the IdP so it 
could perform MFA, or else the SSO session would be denied access until it was 
terminated and a new SSO session was started that actually did use MFA.

If your setup is such that in order to establish an SSO session, you need to 
have provided a 2nd factor, then I would agree that CAS shouldn't need to check 
with the IdP each time whether MFA is valid-- the fact that the SSO session 
exists at all is based on the fact that MFA was successful.  Whether it is 
possible to configure the software that way, I'm not sure.

Our own setup is the opposite of yours.  We run both CAS and Shibboleth 
services.  CAS clients interface directly with our CAS service.  SAML2 clients 
interact with our Shibboleth IdP, but the IdP delegates all authentication to 
CAS so the SSO experience is unified.  Our CAS service does need to signal to 
the IdP if MFA was used to establish the session.  We require MFA on a per-user 
basis.  Either a user will be required to use MFA to establish an SSO session 
or it will not.  Any call to our IdP will always pass through to CAS to verify 
an SSO session exists.  Users are only prompted for MFA once per session.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

- Original Message -
From: "Matt T" 
To: "cas-user" 
Sent: Friday, 7 September, 2018 09:54:07
Subject: [cas-user] Should the CAS ticket be authoritative?

Hi Everyone, 

I'll be the first to admit I'm no CAS expert.  In fact, I don't even manage 
our deployments here.  Instead, I work with applications which interface 
with it so I do understand to some degree.  That being said, I have a 
question which came up in internal discussions I'm hoping to get some input 
on. 

We have CAS delegating authentication to our IDP.  Our IDP enforces 
two-factor auth so if we require it, we don't have to facilitate with CAS.  
We've run into an issue where every request to an application behind 
two-factor prompts the user for the second factor of authentication.  This 
happens even when in a browser you've already verified.  This is an issue 
because it takes away from the true SSO experience and a user can't move 
from app to app. 

The main reason it is asking for the second factor again is due to the way 
we integrate CAS into our IDP.  That's a whole different topic and really 
outside of the scope of this question so just know we're aware of why it 
happens even if it isn't right. 

The question is this.  Is CAS ticket validity secure enough to trust only 
that?  Why should we even check with our IDP a second time if the user's 
session already has a valid CAS ticket?  Do others use this configuration 
or do you always check with the IDP?

It seems like trusting the CAS ticket if valid is the best option and would 
allow us to better control application logins and state but maybe I'm not 
thinking it all the way through. 

Thanks in advance for any insight!

-Matt

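The client-side check Carl describes above (a CAS client refusing a ticket validation that does not assert MFA), as an added example that is not code from this thread or from the CAS project: it parses a CAS 3.0 serviceValidate response and fails closed unless the attribute CAS releases for the satisfied MFA provider is present with the expected value. The attribute name authnContextClass is assumed to be CAS's default (it is configurable), mfa-duo is an assumed provider id, and the three responses are constructed.

```python
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"

# Constructed CAS 3.0 /p3/serviceValidate responses (sample data, not captured
# from a real server). "authnContextClass" is assumed to be the default attribute
# name CAS uses for the satisfied MFA provider; "mfa-duo" is an assumed provider id.
MFA_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2018-09-07T13:55:48Z</cas:authenticationDate>
      <cas:authnContextClass>mfa-duo</cas:authnContextClass>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
PASSWORD_ONLY_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2018-09-07T13:55:48Z</cas:authenticationDate>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
INVALID_TICKET_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def validate_with_mfa(response_xml, required_context="mfa-duo",
                      context_attribute="authnContextClass"):
    """Accept the validation only when it succeeded AND the MFA context attribute
    carries the expected provider id. Any other shape (failure, missing element,
    missing or different context) is rejected, so the client fails closed if the
    server ever stops asserting MFA. Returns (user, None) or (None, reason)."""
    try:
        root = ET.fromstring(response_xml)  # use defusedxml for untrusted input
    except ET.ParseError as exc:
        return None, f"unparseable response: {exc}"
    if root.tag != CAS_NS + "serviceResponse":
        return None, "not a cas:serviceResponse"
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return None, f"validation failed: {failure.get('code')}"
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        return None, "no cas:authenticationSuccess"
    user = (success.findtext(CAS_NS + "user") or "").strip()
    if not user:
        return None, "no cas:user"
    attrs = success.find(CAS_NS + "attributes")
    contexts = [] if attrs is None else [
        (e.text or "").strip() for e in attrs.findall(CAS_NS + context_attribute)]
    if required_context not in contexts:
        return None, f"MFA not asserted for {user}: {context_attribute}={contexts}"
    return user, None


if __name__ == "__main__":
    for label, xml in [("mfa", MFA_RESPONSE), ("password only", PASSWORD_ONLY_RESPONSE),
                       ("invalid ticket", INVALID_TICKET_RESPONSE)]:
        print(label, "->", validate_with_mfa(xml))
```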


Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Carl Waldbieser
Bill,

In `cas.properties`, in your LDAP section, you want a property like this:


cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf

That says that the principal that is authenticated should get the above list of 
LDAP attributes.  For the ones that have 2 items separated by a colon, that is 
just a rename from the LDAP attribute to the name that will be exposed via CAS.

In your service file for an individual service, you specify what attributes 
from the above list you want to release.  The following sections from a service 
file are an example:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "attributeFilter" : {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "patterns": {
        "@class" : "java.util.HashMap",
        "memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
      },
      "excludeUnmappedAttributes": false,
      "completeMatch": false,
      "order": 0
    },
    "allowedAttributes" : [ "java.util.ArrayList",
      [
        "uid",
        "memberOf",
        "email",
        "givenName",
        "surname"
      ]
    ]
  },

The "attributeReleasePolicy" is used to filter the "memberOf" attribute down to 
a specific value (because the attribute is multi-valued, and you usually only 
want to release one or a few of the values to a service).  The 
"allowedAttributes" section specifies what attributes from the principal will 
be released at all.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

- Original Message -
From: "Bill Scully" 
To: "cas-user" 
Sent: Friday, 31 August, 2018 15:00:09
Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

Hi,

I'm having a hard time getting my head around where to start configuring 
CAS to provide LDAP attributes to the "RegisteredService" / application 
after authentication.  I'm assuming there are 2 areas that I need to 
configure, cas.properties and service JSON files, but navigating the 
documentation to find what I need has been beyond me up to this point.

Can someone kindly point me to the right areas 
of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can 
figure out how to retrieve certain attributes from LDAP and share those 
selected values with the application?  I hope I'm using "application" 
properly.

Thanks,

Bill

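An added example, not code from either post or from CAS itself, that applies the configuration discussed in this thread and in the DocuSign accessStrategy post above to one principal: the principalAttributeList renames, the ReturnAllowedAttributeReleasePolicy with its mapped-regex filter on the multi-valued memberOf, and the accessStrategy requiredAttributes check. The LDAP entry is constructed, the principalAttributeList is the one above with eduPersonEntitlement appended, and the requiredAttributes comparison is exact rather than CAS's regex matching.

```python
import re

# Constructed LDAP entry for the authenticated user (sample data, not from the posts).
LDAP_ENTRY = {
    "uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
    "mail": ["jdoe@example.org"],
    "memberOf": ["cn=administrators,ou=groups,dc=example,dc=org",
                 "cn=staff,ou=groups,dc=example,dc=org"],
    "eduPersonEntitlement": ["https://docusign-sandbox.lafayette.edu/"],
}
# principalAttributeList from the LDAP post plus the DocuSign post's eduPersonEntitlement.
PRINCIPAL_ATTRIBUTE_LIST = "uid,givenName,sn:surname,mail:email,memberOf,eduPersonEntitlement"
# attributeReleasePolicy from the LDAP post and accessStrategy from the DocuSign post.
RELEASE_POLICY = {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "attributeFilter": {
        "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
        "patterns": {"@class": "java.util.HashMap",
                     "memberOf": "cn=administrators,ou=groups,dc=example,dc=org"},
        "excludeUnmappedAttributes": False, "completeMatch": False, "order": 0},
    "allowedAttributes": ["java.util.ArrayList",
                          ["uid", "memberOf", "email", "givenName", "surname"]],
}
ACCESS_STRATEGY = {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://cas.stage.lafayette.edu/cas/html/403.html",
    "requiredAttributes": {
        "@class": "java.util.HashMap",
        "eduPersonEntitlement": ["java.util.HashSet",
                                 ["https://docusign-sandbox.lafayette.edu/"]]},
}


def unwrap(value):
    """Drop the Jackson type hints CAS writes into service JSON:
    ["java.util.ArrayList", [...]] becomes [...], "@class" keys are removed."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")):
        return [unwrap(v) for v in value[1]]
    if isinstance(value, dict):
        return {k: unwrap(v) for k, v in value.items() if k != "@class"}
    return value


def map_ldap_attributes(ldap_entry, principal_attribute_list):
    """Apply principalAttributeList: 'sn:surname' exposes LDAP sn as the principal
    attribute surname; a bare name keeps its LDAP name. Values stay multi-valued."""
    principal = {}
    for item in principal_attribute_list.split(","):
        ldap_name, _, cas_name = item.strip().partition(":")
        if ldap_name in ldap_entry:
            principal[cas_name or ldap_name] = list(ldap_entry[ldap_name])
    return principal


def release_attributes(principal, policy):
    """ReturnAllowedAttributeReleasePolicy plus the mapped-regex filter: only
    allowedAttributes are released; for an attribute with a pattern only the
    matching values survive (completeMatch=false: a partial match is enough);
    attributes without a pattern pass through (excludeUnmappedAttributes=false)."""
    policy = unwrap(policy)
    allowed = set(policy.get("allowedAttributes", []))
    flt = policy.get("attributeFilter", {})
    patterns, complete = flt.get("patterns", {}), flt.get("completeMatch", False)
    released = {}
    for name, values in principal.items():
        if name not in allowed:
            continue
        if name in patterns:
            rx = re.compile(patterns[name])
            values = [v for v in values if (rx.fullmatch if complete else rx.search)(v)]
        if values:  # an attribute whose values were all filtered out is not released
            released[name] = values
    return released


def check_access(principal, access_strategy):
    """DefaultRegisteredServiceAccessStrategy.requiredAttributes: every listed
    attribute must be present with at least one of the listed values (exact
    comparison here; CAS also treats the values as regexes). Returns
    (allowed, unauthorizedRedirectUrl-or-None)."""
    strategy = unwrap(access_strategy)
    for name, wanted in strategy.get("requiredAttributes", {}).items():
        if not set(principal.get(name, [])).intersection(wanted):
            return False, strategy.get("unauthorizedRedirectUrl")
    return True, None


if __name__ == "__main__":
    principal = map_ldap_attributes(LDAP_ENTRY, PRINCIPAL_ATTRIBUTE_LIST)
    print("released:", release_attributes(principal, RELEASE_POLICY))
    print("access without entitlement:", check_access({"uid": ["guest"]}, ACCESS_STRATEGY))
```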


Re: [cas-user] [SSO] Is it possible to make a service completely separated from other SSO services without require login every time (i.e. renew=true)

2018-04-26 Thread Carl Waldbieser

There are probably a bunch of other problems associated with this idea, but 
couldn't you just serve the CAS service from 2 distinct domains?  E.g. 
cas.example.net and cas.special.example.net?  Since the TGT is scoped to a 
particular domain, if you point A's CAS client to the special domain, it should 
act like its own unique CAS instance.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

- Original Message -
From: "Andy Ng" <long...@gmail.com>
To: "cas-user" <cas-user@apereo.org>
Sent: Wednesday, April 25, 2018 5:20:01 AM
Subject: [cas-user] [SSO] Is it possible to make a service completely separated 
from other SSO services without require login every time (i.e. renew=true)

Hi all,

So I have done some research on this group and still haven't found others
with my use case, so I am asking for your help.

Assume we have services A, B, C and D:

B, C, D are normal SSO services: once any one of them authenticates
successfully, all of B, C, D are logged in.

As for A, I want that even when B, C, D are authenticated, the user still needs
to authenticate once more before getting to A.

At this point, theoretically all of this can be solved by "renew=true" and the
new createSsoCookieOnRenewAuthn = false on 5.3.0
(https://github.com/apereo/cas/blob/v5.3.0-RC3/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/sso/SsoProperties.java)

However, the tricky part is that the next time the user goes back to service A,
I want the user to not need to authenticate again.

So it is basically like service A is using another, completely separate CAS
server, without actually using a separate CAS server (I don't want to make
another server just for this).

One more requirement would be to single logout all ABCD, but I know how to 
do that so no advice is needed there.


Any advice would be appreciated, Thanks!

-Andy




Re: [cas-user] Initial CAS builds failing at core:cas-server-core-configuration:test

2018-03-14 Thread Carl Waldbieser
John,

Unless you're developing for the CAS server, you probably just want to use the 
WAR overlay method[1].
Basically, you set up a pom.xml file and run the `maven` command, and all the 
relevant Java libs are pulled from remote repositories and assembled for you.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

[1] 
https://apereo.github.io/cas/5.2.x/installation/Maven-Overlay-Installation.html

- Original Message -
From: "John Coleman" <jcole...@sbc.edu>
To: "cas-user" <cas-user@apereo.org>
Sent: Wednesday, March 14, 2018 10:49:47 AM
Subject: [cas-user] Initial CAS builds failing at 
core:cas-server-core-configuration:test

I always hate for my first posting to a group to be a plea for help, but I 
thought I'd ask here first to ensure I'm not doing something stupid. I've 
checked out the master branch of CAS from GitHub and the initial build is 
failing at the core:cas-server-core-configuration:test task. Specifically, 
the 
org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutorTests 
are failing: verifyDecryptionEncryption 
and verifyDecryptionEncryptionPairSuccess.

I'm using JDK 1.8.0_121 and  the gradle wrapper and skipping the findBugs 
task (as that is also failing but is obviously not essential). Should I, in 
fact, be checking out a different branch for 5.2?

Thanks for any insight you may offer.

Best regards,

John Coleman
