Re: [cas-user] CAS 6.3 extracting the ST from the redirect response location?

2021-07-06 Thread Dustin J Luck
The renew=true issue was resolved in 6.3.5.



On Friday, July 2, 2021 at 6:12:12 PM UTC-7 baron wrote:

> My colleague was able to work through this.
>
> He reports that we basically didn't have to call Duo with 5.0 in order to 
> get the ticket back from CAS. We used to submit username and password to 
> the CAS login screen, and the response would be a 302 with a URL that 
> embedded the ticket. No interaction with Duo was required prior to the 
> ticket being returned to the browser.
>
> Now we submit the username and password, get back a form with hidden 
> inputs such as 'execution' and some Duo data in an iframe with the id 
> duo_iframe.  We then have to perform a GET and a POST with that Duo data in 
> order to get back a js_cookie value that's embedded in the response 
> content. We use that js_cookie and data from the duo_iframe, as well as the 
> prior 'execution' input, and resubmit all that to CAS to get back the 302 
> response with the ticket.
>
> Clearly we have Duo MFA enabled for our CAS instance, but this does seem 
> to be a change from how things worked with Duo enabled for 5.0.
>
> It was also noted that the SAML responses differed for samlValidate.
>
> The SAML from CAS5 includes xmlns attributes, e.g.:
>
>  xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">
> uid=testuser
> 
>
> Whereas the SAML returned by CAS 6.3 doesn't, e.g.:
>
> 
> uid=testuser
> 
>
>
> Finally, there seems to be a bug(?) for CAS 6.3 where SSO doesn't work if 
> your first CAS session has renew=true. If we try this sequence of URLs with 
> CAS 5.0,  it works as expected:
>
> Use a new private/incognito window to test CAS 5.0:
>
>
> https://cas50.example.edu/cas/login?service=https://www.example.com/regression/app1&renew=true
>
> Then:
>
>
> https://cas50.example.edu/cas/login?service=https://www.example.com/regression/app2
>
> Close the prior private window, and use a new private/incognito window to 
> test CAS 6.3:
>
>
> https://cas63.example.edu/cas/login?service=https://www.example.com/regression/app1&renew=true
>
> Then:
>
>
> https://cas63.example.edu/cas/login?service=https://www.example.com/regression/app2
>
> SSO doesn't work for the second URL. The bug seems to have to do with 
> starting with renew=true from the start. If you start without it, it works 
> as expected. Behind the scenes, the renew=true seems to prevent the TGC 
> cookie from being sent.
>
>
>
> On Fri, Jun 25, 2021 at 7:04 AM Baron Fujimoto  wrote:
>
>> Our regression test is a homebrew perl-based thing. With the "real" CAS 
>> client, we see the 302 with location header in the response from the CAS 
>> server, but unfortunately we can't use the same browser dev tools on 
>> our script-based tests. Something must differ though. Looks like we'll have 
>> to put time and effort into closely going over our logs carefully and 
>> examining what we're sending and receiving with our regression test.
>>
>> On Fri, Jun 25, 2021 at 6:24 AM Ray Bon  wrote:
>>
>>> Baron,
>>>
>>> My dev tools show the 302 and location header (with ST) on the POST. We 
>>> do not have any other scripts running
>>>
>>> Do you have any modifications to the log in page or the log in flow?
>>>
>>> Ray
>>>
>>> On Thu, 2021-06-24 at 17:05 -1000, Baron Fujimoto wrote:
>>>
>>> Notice: This message was sent from outside the University of Victoria 
>>> email system. Please be cautious with links and sensitive information. 
>>>
>>> We have another strange issue with our CAS 5.0 to 6.3 upgrade. We have a 
>>> homebrew regression test for 5.0 that parsed the HTML for the service 
>>> ticket from the Location header in a 302 redirect response after 
>>> authentication. E.g.: 
>>>
>>> Location: 
>>> https://casdemo.example.edu/casdemo/login/cas?ticket=ST-2-ujMo86d2pYcEebVDEFzWvAKghxE-cas
>>>
>>> But with our 6.3 instance, we don't seem to see this 302 and Location 
>>> header after authentication from our homebrew test. Nor do the logs show an 
>>> ST being issued after an apparently successful authentication from the 
>>> test. Browser developer tools seem to show a number of scripts being 
>>> executed after authentication via "normal" sample client. Is the missing ST 
>>> perhaps because we don't execute these scripts in our regression test? If 
>>> so, can anyone tell us which script is responsible, or a possible 
>>> workaround?
>>> -- 
>>> Baron Fujimoto  :: UH Information Technology Services
>>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>>>
>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
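
A response classifier for a scripted regression test like the one described in this thread, as an added example that is not part of the original messages or of CAS itself. The `data-*` attribute names on the iframe and all sample values are constructed; the `execution` field, the `duo_iframe` id, the TGC cookie and the sample Location URL come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _LoginPage(HTMLParser):
    """Collects hidden <input> values and the attributes of each <iframe> by id."""

    def __init__(self):
        super().__init__()
        self.hidden, self.iframes = {}, {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")
        elif tag == "iframe" and a.get("id"):
            self.iframes[a["id"]] = a


def header_values(headers, name):
    """headers is a list of (name, value) pairs so repeated Set-Cookie lines survive."""
    return [v for k, v in headers if k.lower() == name.lower()]


def service_ticket(status, headers, service_url):
    """Return the ST from a 302 Location, but only if it points back at service_url."""
    locations = header_values(headers, "Location")
    if status != 302 or len(locations) != 1:
        return None
    target, expected = urlsplit(locations[0]), urlsplit(service_url)
    if (target.scheme, target.netloc, target.path) != (
        expected.scheme, expected.netloc, expected.path):
        return None  # redirect goes somewhere other than the requested service
    tickets = parse_qs(target.query).get("ticket", [])
    if len(tickets) == 1 and tickets[0].startswith("ST-"):
        return tickets[0]
    return None


def sets_cookie(headers, cookie_name="TGC"):
    """True if the response sets a non-empty cookie (an empty value is a deletion)."""
    for raw in header_values(headers, "Set-Cookie"):
        name, _, value = raw.split(";", 1)[0].strip().partition("=")
        if name == cookie_name and value:
            return True
    return False


def classify(status, headers, body, service_url):
    """Tell the test which step of the login flow this response belongs to."""
    ticket = service_ticket(status, headers, service_url)
    if ticket:
        return {"step": "ticket", "ticket": ticket, "tgc_set": sets_cookie(headers)}
    page = _LoginPage()
    page.feed(body)
    if status == 200 and "duo_iframe" in page.iframes:
        duo = {k: v for k, v in page.iframes["duo_iframe"].items()
               if k.startswith("data-")}
        return {"step": "mfa", "execution": page.hidden.get("execution"), "duo": duo}
    if status == 200 and "execution" in page.hidden:
        return {"step": "login-form", "execution": page.hidden["execution"]}
    return {"step": "unexpected", "status": status}


# --- Constructed sample responses (not captured from a real server) ---
SERVICE = "https://casdemo.example.edu/casdemo/login/cas"
MFA_PAGE = """<form method="post" id="duo_form">
<input type="hidden" name="execution" value="constructed-execution-value"/>
<iframe id="duo_iframe" data-host="duo.example.invalid"
        data-sig-request="constructed"></iframe>
</form>"""
REDIRECT = [
    ("Location", SERVICE + "?ticket=ST-2-ujMo86d2pYcEebVDEFzWvAKghxE-cas"),
    ("Set-Cookie", "TGC=constructed-tgc-value; Path=/cas/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(classify(200, [], MFA_PAGE, SERVICE))
    print(classify(302, REDIRECT, "", SERVICE))
```

Asserting on `tgc_set` after the first login is what turns the renew=true symptom described above into a failing test rather than a silent second password prompt.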

[cas-user] Re: SAML-does CAS support IdP Initiated SSO?

2021-06-17 Thread Dustin J Luck
Correction: make that 
/idp/profile/SAML2/Unsolicited/SSO?provider*Id*= 


On Thursday, June 17, 2021 at 8:12:05 AM UTC-7 Dustin J Luck wrote:

> For unsolicited SSO, use 
> /idp/profile/SAML2/Unsolicited/SSO?provider=
>
> See this help page for more details: 
> https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html#unsolicited-sso
>
> On Wednesday, June 16, 2021 at 11:53:34 PM UTC-7 He vincent wrote:
>
>>
>> I am running a CAS in production. I get a lot of issues with SSO 
>> integrations. A lot of web applications use Idp Initiated SSO only. What's 
>> the URI of CAS of Idp Initiated workflow?
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5a75b4f3-2d75-4f8f-8943-287012298b52n%40apereo.org.


[cas-user] Re: SAML-does CAS support IdP Initiated SSO?

2021-06-17 Thread Dustin J Luck
For unsolicited SSO, use 
/idp/profile/SAML2/Unsolicited/SSO?provider=

See this help page for more details: 
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html#unsolicited-sso

On Wednesday, June 16, 2021 at 11:53:34 PM UTC-7 He vincent wrote:

>
> I am running a CAS in production. I get a lot of issues with SSO 
> integrations. A lot of web applications use Idp Initiated SSO only. What's 
> the URI of CAS of Idp Initiated workflow?
>
>



[cas-user] Re: passing static values that are not in AD???

2021-05-13 Thread Dustin J Luck
I've been using inline groovy in the service definition attribute release.

  "schoolName" : "groovy { return 'Regent University' }"

I'm interested to see if anyone else knows of a better way.


On Thursday, May 13, 2021 at 8:25:57 AM UTC-7 Keith Alston (Staff) wrote:

> I'm running cas 5.3.14 and have a SAML2 sp who requires attributes that 
> are not in AD. schoolName/schoolNumber.
> How can I send these without adding attribs to my directory?
>
> Keith Alston
> Regent University
> IT Department
> kei...@regent.edu
> 757.619.3421 <(757)%20619-3421>
>



[cas-user] Re: password reset

2021-04-15 Thread Dustin J Luck
I created a custom messages file and changed it with 
'screen.pm.button.forgotpwd'.


On Wednesday, April 14, 2021 at 2:27:19 PM UTC-7 Jennifer LaVoie wrote:

> Hi All
>
> I am trying to edit the password reset link in our 5.x cas implementation 
> to point to our password reset url...Which file should I look in to make 
> that change?
>
> Thank you
> Jen
>



[cas-user] Re: CSS Issues with CAS 6.3 and IE11

2021-03-18 Thread Dustin J Luck
Thanks, cski.

I was able to fix my flexbox issue with that pull request. Once that fix 
was applied, it revealed another issue with the field labels that was 
solved by pull request #5068 <https://github.com/apereo/cas/pull/5068/files>. 


As far as the icon issue, I tracked it down to the cache-control and pragma 
headers <https://stackoverflow.com/a/33508291/9041207>. The way CAS is 
handling these appears to be a security setting, but I don't know how to 
change the behavior. Instead, I added the following line to layout.htm directly 
below the stylesheet link for mdi-font.css. This has the effect of loading 
the Material Design Icons CSS and font files twice in IE *only*, but that's 
a price I can live with.

<link rel="stylesheet" href="https://cdn.materialdesignicons.com/5.4.55/css/materialdesignicons.min.css" 
media="all and (-ms-high-contrast: none), (-ms-high-contrast: active)">



Hope that helps!


On Wednesday, March 17, 2021 at 10:56:33 PM UTC-7 cski wrote:

> Dustin, I was in the same situation you were/are with a single SP reliant 
> upon IE 11. Have a look at the following pull request: 
> https://github.com/apereo/cas/pull/5078/files. I was able to apply the 
> changes in 6.2.7 and it corrected the Flexbox issue. Still need to figure 
> out the issue with the icons not displaying properly.
> On Thursday, February 25, 2021 at 7:31:57 PM UTC-6 Dustin J Luck wrote:
>
>> Thanks, Alan. I'm pretty sure I'm seeing some sort of IE incompatibility 
>> with flex boxes for issue #2. I checked out all the issues documented in 
>> flexbugs <https://github.com/philipwalton/flexbugs>, but didn't see 
>> anything that helped.
>>
>> Issue #1 seems like an issue with the icon font not displaying properly.
>>
>>
>> On Thursday, February 25, 2021 at 10:58:30 AM UTC-8 Alan S wrote:
>>
>>> I'm looking at this blindly, but you may be able to solve it with a 
>>> media query in your CSS for targeting that browser:
>>>
>>> ```css
>>> @media screen and (-ms-high-contrast: active), screen and (-ms-high-contrast: none) {
>>>   main {
>>>     display: block;
>>>     min-width: 640px;
>>>     width: 100%;
>>>     /** or do whatever else is needed to force it into submission... **/
>>>   }
>>> }
>>> ```
>>>
>>> You might have to specify an element other than `main` (whichever one's 
>>> being unruly).
>>>
>>> -Alan
>>>
>>>
>>> On Thursday, February 25, 2021 at 12:33:48 PM UTC-6 Dustin J Luck wrote:
>>>
>>>> I have found compatibility issues with CAS 6.3 in IE11 (screenshot 
>>>> below). I have identified two distinct issues.
>>>>
>>>>1. Icons are not displayed
>>>>2. Flex elements are not properly sized
>>>>
>>>>
>>>> I have tried to figure out what I can change on my own, but haven't 
>>>> made any progress. Personally, I'd be fine telling people not to use IE, 
>>>> however, we have at least one SP (Adobe Acrobat on Windows) that uses IE 
>>>> for its SSO process and can't be changed.
>>>>
>>>> Is there anyone out there with the CSS skills to take a look at this 
>>>> and offer a solution?
>>>>
>>>>
>>>> [image: CAS6.3-IE11.png]
>>>>
>>>



[cas-user] Re: CSS Issues with CAS 6.3 and IE11

2021-02-25 Thread Dustin J Luck
Thanks, Alan. I'm pretty sure I'm seeing some sort of IE incompatibility 
with flex boxes for issue #2. I checked out all the issues documented in 
flexbugs <https://github.com/philipwalton/flexbugs>, but didn't see 
anything that helped.

Issue #1 seems like an issue with the icon font not displaying properly.


On Thursday, February 25, 2021 at 10:58:30 AM UTC-8 Alan S wrote:

> I'm looking at this blindly, but you may be able to solve it with a media 
> query in your CSS for targeting that browser:
>
> ```css
> @media screen and (-ms-high-contrast: active), screen and (-ms-high-contrast: none) {
>   main {
>     display: block;
>     min-width: 640px;
>     width: 100%;
>     /** or do whatever else is needed to force it into submission... **/
>   }
> }
> ```
>
> You might have to specify an element other than `main` (whichever one's 
> being unruly).
>
> -Alan
>
>
> On Thursday, February 25, 2021 at 12:33:48 PM UTC-6 Dustin J Luck wrote:
>
>> I have found compatibility issues with CAS 6.3 in IE11 (screenshot 
>> below). I have identified two distinct issues.
>>
>>1. Icons are not displayed
>>2. Flex elements are not properly sized
>>
>>
>> I have tried to figure out what I can change on my own, but haven't made 
>> any progress. Personally, I'd be fine telling people not to use IE, 
>> however, we have at least one SP (Adobe Acrobat on Windows) that uses IE 
>> for its SSO process and can't be changed.
>>
>> Is there anyone out there with the CSS skills to take a look at this and 
>> offer a solution?
>>
>>
>> [image: CAS6.3-IE11.png]
>>
>



Re: [cas-user] Using SCIM to modify/remove users from an SP account store

2021-02-05 Thread Dustin J Luck
Thank you, Ray & Francesco.

Based on your replies, I surmise that CAS is not the right tool for this. 
We do use an IDM to sync Google Workspace accounts to AD; I'll reach out 
and see if the same can be done for other applications.



On Friday, February 5, 2021 at 11:36:09 AM UTC-8 Francesco Chicchiriccò 
wrote:

> On 5 feb 2021 20:20:13 CET, Ray Bon  wrote:
> >Dustin,
> >
> >From the docs, it sounds like CAS SCIM is only for provisioning users
> >(with REST or groovy script). You would have to have a different system
> >for managing users after that.
> >
> >Does your university have some identity management software (i.e.
> >midpoint or grouper)?
>
> ...or maybe Apache Syncope :blink :blink
> which also features SCIM 2.0 native endpoints
>
> Regards.
>
> >On Fri, 2021-02-05 at 10:56 -0800, Dustin J Luck wrote:
> >
> >
> >I have received a request from one of our SPs to use CAS to modify
> >and/or remove users from their account store upon separation from the
> >university.
> >
> >From the limited CAS SCIM
> >documentation<
> https://apereo.github.io/cas/6.3.x/integration/SCIM-Integration.html>
> >on GitHub, I'm not sure what capabilities CAS has for modifying the
> >account store for a specific SP. If anyone can direct me to where I can
> >find more information, I'd be grateful.
> >
> >
> >Thanks
> >
> >--
> >
> >Ray Bon
> >Programmer Analyst
> >Development Services, University Systems
> >2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca rb...@uvic.ca>
> >
> >I respectfully acknowledge that my place of work is located within the
> >ancestral, traditional and unceded territory of the Songhees, Esquimalt
> >and WSÁNEĆ Nations.
>
>
> -- 
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, 
> OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>



[cas-user] Re: logout redirect not working

2021-02-05 Thread Dustin J Luck
You should only need the first property to enable service redirects on 
logout. One thing I can think of that would prevent the redirect is if the 
URL provided to the service parameter does not match an authorized service 
in your environment. Make sure that whatever you're passing to the service 
parameter resolves to a configured service.

A good way to test would be to try 
https://cas_host/login?service=https%3A%2F%2Fservice_host. If you get a 
message that the application is not authorized to use CAS, that's your 
problem.

On Friday, February 5, 2021 at 8:29:40 AM UTC-8 stephane...@ulb.be wrote:

>
> Hi All,
>
> Using cas 6.2.6 I have both version of parameter set to true to be sure:
> cas.logout.follow-service-redirects=true 
> cas.logout.followServiceRedirects=true
>
> Even like this, when I log out the browser keeps the logout page and the 
> redirect never happens:
> https://cas_host/logout?service=https%3A%2F%2Fservice_host
>
> Am I missing something here ?
>
> Stéphane
>
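
One way to pre-check the logout `service` parameter against a service registry, as an added example that is not CAS code. The registry entries are constructed, and treating `serviceId` as a regular expression that must match the whole URL is an assumption. The example also flags entries broad enough to match an unregistered canary URL, since such a pattern would let a logout redirect go anywhere.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed registry entries; only the serviceId pattern matters here.
REGISTRY = [
    {"name": "app1", "serviceId": r"^https://www\.example\.com/regression/app1(/.*)?$"},
    {"name": "portal", "serviceId": r"^https://service_host/.+"},
]

# Hypothetical URL that no legitimate entry should ever match.
CANARY = "https://unregistered.invalid/logout-canary"


def requested_service(url):
    """Decode the single service= parameter of a login or logout URL."""
    values = parse_qs(urlsplit(url).query).get("service", [])
    return values[0] if len(values) == 1 else None


def matching_services(service, registry):
    """Names of registry entries whose pattern matches the whole service URL."""
    hits = []
    for entry in registry:
        try:
            if re.fullmatch(entry["serviceId"], service):
                hits.append(entry["name"])
        except re.error:
            continue  # an unparsable pattern authorizes nothing
    return hits


def logout_redirect_allowed(logout_url, registry):
    """True only when the service parameter resolves to a registered entry."""
    service = requested_service(logout_url)
    return bool(service) and bool(matching_services(service, registry))


def permissive_entries(registry, canary=CANARY):
    """Entries that also match an unrelated host: effectively an open redirect."""
    return [e["name"] for e in registry if matching_services(canary, [e])]


if __name__ == "__main__":
    url = "https://cas_host/logout?service=https%3A%2F%2Fservice_host"
    print(requested_service(url), logout_redirect_allowed(url, REGISTRY))
    print(permissive_entries(REGISTRY + [{"name": "catchall", "serviceId": "^https?://.*"}]))
```

With these constructed entries the URL from the question decodes to `https://service_host`, which the `portal` pattern rejects because it requires a path after the host.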



[cas-user] Using SCIM to modify/remove users from an SP account store

2021-02-05 Thread Dustin J Luck

I have received a request from one of our SPs to use CAS to modify and/or 
remove users from their account store upon separation from the university.

From the limited CAS SCIM documentation 
<https://apereo.github.io/cas/6.3.x/integration/SCIM-Integration.html> on 
GitHub, I'm not sure what capabilities CAS has for modifying the account 
store for a specific SP. If anyone can direct me to where I can find more 
information, I'd be grateful.


Thanks



[cas-user] Single location for release notes

2020-12-17 Thread Dustin J Luck
I am in the process of upgrading from CAS 6.0.8 to CAS 6.3. To prepare for 
this, I'd like to review all the changes from my current version through 
the version I'm going to. Many other software projects have a single 
document that gets updated with release notes on each new release, but the 
only thing I can find for CAS is the release page on GitHub. I believe I can get all the 
details I need there, but it would mean clicking through to a lot of links 
and would be very time-consuming. Is this my only option or have I just 
missed the correct place to look?


Thanks



[cas-user] Re: CAS Release/Security Announcements

2020-08-14 Thread Dustin J Luck
Looking at the blog, there is too much general info posted there to be 
useful for those of us looking solely for release and security 
announcements.

On Friday, August 14, 2020 at 1:21:25 PM UTC-7 j-gar...@onu.edu wrote:

> Dustin,
>
> I would check https://apereo.github.io/
> This is Apereo's blog, they last updated July 24th of this year discussing 
> a vulnerability. 
>
> On Friday, August 14, 2020 at 2:55:17 PM UTC-4 Dustin J Luck wrote:
>
>> Where is the proper place to get notifications for new CAS releases and 
>> security announcements? I haven't seen anything from cas-announce 
>> <https://groups.google.com/a/apereo.org/g/cas-announce> since 10/28/19 
>> or cas-appsec-public 
>> <https://groups.google.com/a/apereo.org/g/cas-appsec-public> since 
>> 08/28/18.
>>
>> Both of these are still referenced on the CAS Mailing Lists page 
>> <https://apereo.github.io/cas/Mailing-Lists.html>.
>>
>>
>> Thanks
>>
>



[cas-user] Re: CAS Release/Security Announcements

2020-08-14 Thread Dustin J Luck
Thanks for the info, Jeremiah. I was hoping not to have to set a reminder 
to myself to go and manually check something on a daily or weekly basis. 
When the mailing lists were being updated, it was great because it came to 
a place I'm already checking on a daily basis - my email inbox.


On Friday, August 14, 2020 at 1:21:25 PM UTC-7 j-gar...@onu.edu wrote:

> Dustin,
>
> I would check https://apereo.github.io/
> This is Apereo's blog, they last updated July 24th of this year discussing 
> a vulnerability. 
>
> On Friday, August 14, 2020 at 2:55:17 PM UTC-4 Dustin J Luck wrote:
>
>> Where is the proper place to get notifications for new CAS releases and 
>> security announcements? I haven't seen anything from cas-announce 
>> <https://groups.google.com/a/apereo.org/g/cas-announce> since 10/28/19 
>> or cas-appsec-public 
>> <https://groups.google.com/a/apereo.org/g/cas-appsec-public> since 
>> 08/28/18.
>>
>> Both of these are still referenced on the CAS Mailing Lists page 
>> <https://apereo.github.io/cas/Mailing-Lists.html>.
>>
>>
>> Thanks
>>
>



[cas-user] CAS Release/Security Announcements

2020-08-14 Thread Dustin J Luck
Where is the proper place to get notifications for new CAS releases and 
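security announcements? I haven't seen anything from cas-announce 
<https://groups.google.com/a/apereo.org/g/cas-announce> since 10/28/19 or 
cas-appsec-public 
<https://groups.google.com/a/apereo.org/g/cas-appsec-public> since 08/28/18.

Both of these are still referenced on the CAS Mailing Lists page 
<https://apereo.github.io/cas/Mailing-Lists.html>.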


Thanks



[cas-user] Re: Auto-Reload of Properties File Not Working

2020-04-08 Thread Dustin J Luck
Thanks, Andy. That is very helpful.


On Tuesday, April 7, 2020 at 7:06:37 PM UTC-7, Andy Ng wrote:
>
> Hi Dustin,
>
> > Is there a list somewhere of which properties can/can't auto-reload? The 
> documentation I linked to in the original post states that "Most if not all 
> CAS settings are eligible candidates for reloads."
> Not that I am aware of, maybe other can provide insight if they know of 
> such list.
>
> > Most if not all CAS settings are eligible candidates for reloads
> Not sure about this statement, from my understanding quite a lot of them 
> can auto reload. However as you and me both found some setting not able to 
> auto reload, so I guess the "all" CAS settings are eligible candidate is 
> not true.
>
>
> For me to check whether the properties consist of the following procedure:
>
> 1. Go to Apereo CAS github page: https://github.com/apereo/cas
> 2. Search for the properties keyword at top right search bar: 
> requiredIpAddresses
> 3. Doing multiple Searches and trace back the Bean responsible for the 
> properties, in the requireIpAddress case I found this: 
> https://github.com/apereo/cas/blob/v6.1.5/webapp/cas-server-webapp-config/src/main/java/org/apereo/cas/config/CasWebAppSecurityConfiguration.java#L51
> 4. Check if there is the keyword "RefreshScope", if you see it then it can 
> reload, if not then cannot reload.
> 5. For your case, casWebSecurityConfigurerAdapter is a Bean without 
> RefreshScope, so it cannot be reloaded.
>
> For RefreshScope example, the properties under this Bean can refresh, due 
> to having the keyword @RefreshScope:
>
> https://github.com/apereo/cas/blob/v6.1.5/support/cas-server-support-actions/src/main/java/org/apereo/cas/web/config/CasSupportActionsConfiguration.java#L168
>
>
>
> Although troublesome, this is the so far only way I found able to check 
> for properties refresh, other than of course testing it using live server.
>
>
> See if the above helps.
>
> Cheers!
> Andy
>
>
>
>
>
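
Step 4 of the procedure quoted above can be automated over a local checkout of the CAS source. This is an added example, not code from the thread or from the CAS project: the sample Java source and the bean name `exampleRefreshableAction` are constructed, and the line-based scan assumes each annotation fits on one line directly above the method it applies to.

```python
import re
from pathlib import Path

ANNOTATION = re.compile(r"^\s*@(\w+)")
METHOD = re.compile(
    r"^\s*(?:public|protected|private)?\s*[\w<>\[\], .?]+\s+(\w+)\s*\(")


def bean_refresh_report(java_source):
    """Map each @Bean method name to True if it also carries @RefreshScope."""
    report = {}
    pending = []  # annotation names seen since the last code line
    for line in java_source.splitlines():
        stripped = line.strip()
        # Blank lines and comments between annotations and the method are skipped.
        if not stripped or stripped.startswith(("//", "/*", "*")):
            continue
        found = ANNOTATION.match(line)
        if found:
            pending.append(found.group(1))
            continue
        if "Bean" in pending:
            signature = METHOD.match(line)
            if signature:
                report[signature.group(1)] = "RefreshScope" in pending
        pending = []
    return report


def scan_tree(root):
    """Scan every .java file under root: {bean: (refreshable, file name)}."""
    found = {}
    for path in sorted(Path(root).rglob("*.java")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for bean, refreshable in bean_refresh_report(text).items():
            found[bean] = (refreshable, path.name)
    return found


# Constructed sample in the shape of a Spring configuration class. Only the
# name casWebSecurityConfigurerAdapter is taken from the thread.
SAMPLE_SOURCE = '''
@Configuration("exampleConfiguration")
public class ExampleConfiguration {

    @Bean
    public WebSecurityConfigurerAdapter casWebSecurityConfigurerAdapter() {
        return new ExampleAdapter(casProperties);
    }

    @Bean
    @RefreshScope
    @ConditionalOnMissingBean(name = "exampleRefreshableAction")
    public Action exampleRefreshableAction() {
        return new ExampleAction(casProperties);
    }
}
'''

if __name__ == "__main__":
    for bean, refreshable in bean_refresh_report(SAMPLE_SOURCE).items():
        print(f"{bean}: {'reloads' if refreshable else 'needs restart'}")
```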



[cas-user] Re: Auto-Reload of Properties File Not Working

2020-04-07 Thread Dustin J Luck
Hi Andy-

Sorry it has taken me so long to reply.

The two properties I'm most interested in at this time are:

   - cas.monitor.endpoints.endpoint.health.requiredIpAddresses
   - cas.authn.ldap[0].principalAttributeList
   

Is there a list somewhere of which properties can/can't auto-reload? The 
documentation I linked to in the original post states that "Most if not all 
CAS settings are eligible candidates for reloads."

I also tried to figure out how to manually refresh the properties since my 
properties files are external, but after following the instructions, I got 
an error when trying to run the curl command.


Thanks in advance for any insight you may have.



On Wednesday, February 26, 2020 at 12:06:17 AM UTC-8, Andy Ng wrote:
>
> Hi Dustin,
>
> I am using 5.3.x and the auto reload does work, however not for all 
> properties (I think maybe some of the properties are hard to implement auto 
> reload).
>
> For example, changing TGT cookie timeout cannot auto-reload
> But changing pac4j OAuth credential can auto-reload
>
> What is the properties that you are trying to auto-reload? Maybe it is one 
> of the properties that cannot be auto-reloaded...
>
> Cheers!
> - Andy
>
>
>



[cas-user] Auto-Reload of Properties File Not Working

2020-02-24 Thread Dustin J Luck
According to the documentation, 
the CAS properties files should auto-reload when a change is detected. I am 
not seeing that work in practice; changes to properties only take effect 
when I restart CAS. Is there some Java/Tomcat setting I need to enable to 
get this to work?

Here is the relevant part of the documentation:

> In the event that the standalone configuration profile is used to control 
> and direct settings and Spring Cloud configuration server is disabled, CAS 
> will begin to automatically watch and monitor the configuration files 
> indicated by the profile and will auto-reload the state of the runtime 
> application context automatically.




Thanks


*My environment:*

   - Standalone CAS 6.0.5 build
   - Windows Server 2012 R2
   - Tomcat 9 running as a service




[cas-user] Re: Externalize static resources (css, images, favicon, etc.)

2020-02-07 Thread Dustin J Luck
Thanks. I was able to get this to work with a couple of modifications.

First of all, I added the settings to my cas.properties file rather than 
setting them on the command line. I did this so I can keep as many of the 
changes in source control as possible.

Second, I had to modify the static locations prop as follows:

>
> spring.resources.static-locations=file:///etc/cas/resources/,classpath:/static/
>

Without the classpath, CAS was only serving files from my local directory 
and I only wanted to externalize the resources I'm adding and overriding.



On Wednesday, February 5, 2020 at 6:11:23 AM UTC-8, B Ran wrote:
>
>
> Haven't tried on Windows, but on Linux with Embedded Tomcat, I could add 
> some arguments to the service running Java
>
>  -Dspring.resources.static-locations=file:/opt/cas/theme/static/  
> -Dspring.thymeleaf.prefix=file:/opt/cas/theme/templates/ 
> -Dspring.thymeleaf.cache=false  -Dspring.resources.cache.period=0 
>
> On Tuesday, February 4, 2020 at 18:41:24 UTC+1, Dustin J Luck wrote:
>>
>> I have successfully moved almost all of the customizations for my CAS 
>> environment out of the source folder in the overlay into external 
>> directories that can be referenced at run time without having to rebuild my 
>> cas.war file. The last parts I'm trying to externalize are in the 
>> \src\main\resources\static directory. If anyone has successfully done this 
>> or knows how to, I'd appreciate any help you can give.
>>
>>
>> Thanks
>>
>>
>> *My environment:*
>>
>>    - Standalone CAS 6.0.5 build
>>    - Windows Server 2012 R2
>>    - Tomcat 9 running as a service
>>
>>
>>
>>



[cas-user] Externalize static resources (css, images, favicon, etc.)

2020-02-04 Thread Dustin J Luck
I have successfully moved almost all of the customizations for my CAS 
environment out of the source folder in the overlay into external 
directories that can be referenced at run time without having to rebuild my 
cas.war file. The last parts I'm trying to externalize are in the 
\src\main\resources\static directory. If anyone has successfully done this 
or knows how to, I'd appreciate any help you can give.


Thanks


*My environment:*

   - Standalone CAS 6.0.5 build
   - Windows Server 2012 R2
   - Tomcat 9 running as a service





Re: [cas-user] Externalizing custom messages

2020-01-30 Thread Dustin J Luck
Thanks, Ray. That did the trick. The dot in the file name was a typo; my 
custom_messages file was named properly. I just needed to fix the value for 
file.



On Wednesday, January 29, 2020 at 4:10:56 PM UTC-8, rbon wrote:
>
> Dustin,
>
> Should your file be custom_messages.properties (note '_')?
>
> Then maybe cas.messageBundle.baseNames = 
> file:/etc/cas/messages/custom_messages,classpath...
>
> You could also put your custom file in src/main/resources/ and it will end 
> up in the classpath (would this negate setting 
> cas.messageBundle.baseNames?).
>
> Ray
>
> On Wed, 2020-01-29 at 12:33 -0800, Dustin J Luck wrote:
>
> I am trying to externalize as many of the customizations to CAS as 
> possible. I have figured out how to do so for UI templates 
> <https://apereo.github.io/2018/06/10/cas-userinterface-customizations/> 
> using the cas.view.templatePrefixes[0] property, but am having trouble 
> figuring out a similar technique for custom_messages.properties. I tried 
> using the cas.messageBundle.baseNames property as described in this thread 
> <https://groups.google.com/a/apereo.org/d/topic/cas-user/FbC6iDGUx4A/discussion>,
>  
> but couldn't get that to work. Am I missing something or is there another 
> method I should try? 
>
> *Actual property value set*
>
>
> cas.messageBundle.baseNames = 
> file:/etc/cas/messages,classpath:custom_messages,classpath:messages
>
>
> *File location on server:*
>
> c:\etc\cas\messages\custom.messages.properties
>
>
>
> If it isn't possible to externalize custom messages, what are the 
> downsides to including my customized text as literals in the UI templates 
> rather than bringing them in as custom messages?
>
>
> Thanks
>
>
> *My environment:*
>
>    - Standalone CAS 6.0.5 build
>    - Windows Server 2012 R2
>    - Tomcat 9 running as a service
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>



[cas-user] Externalizing custom messages

2020-01-29 Thread Dustin J Luck
I am trying to externalize as many of the customizations to CAS as 
possible. I have figured out how to do so for UI templates 
using the cas.view.templatePrefixes[0] property, but am having trouble 
figuring out a similar technique for custom_messages.properties. I tried 
using the cas.messageBundle.baseNames property as described in this thread, 
but couldn't get that to work. Am I missing something or is there another 
method I should try?

*Actual property value set*

>
> cas.messageBundle.baseNames = 
> file:/etc/cas/messages,classpath:custom_messages,classpath:messages


*File location on server:*

> c:\etc\cas\messages\custom.messages.properties



If it isn't possible to externalize custom messages, what are the downsides 
to including my customized text as literals in the UI templates rather than 
bringing them in as custom messages?


Thanks


*My environment:*

   - Standalone CAS 6.0.5 build
   - Windows Server 2012 R2
   - Tomcat 9 running as a service



[cas-user] Re: Adding cas.properties file to source control

2020-01-29 Thread Dustin J Luck
Thanks, Misagh.

That's exactly what I was looking for. The thing that confused me at first 
was how to set the profile. I'll leave what I did here for others that may 
need to do the same.

My environment uses Tomcat running as a service on a Windows server. In 
order to set the profile, I had to add the 
-Dspring.profiles.include=[profile] to the Java Options found in the Tomcat 
properties utility.





On Wednesday, January 29, 2020 at 2:26:37 AM UTC-8, Misagh Moayyed wrote:
>
>> I would like to add my cas.properties file for a standalone deployment to 
>> source control. I'd like to know if there is a way to put certain settings 
>> that would necessarily be different between our dev & prod environments 
>> someplace external to the main properties file so I don't need to maintain 
>> the common properties in multiple places. An example of one of the 
>> properties I'd like to manage this way is 
>> cas.ticket.registry.hazelcast.cluster.members.
>>
>
> You need to use deployment profiles.  Keep your cas.properties file, then 
> create a dev.properties file and a prod.properties file. Put the relevant 
> settings for each tier in those, and keep the common stuff in the 
> cas.properties file. Then activate the profile at runtime with 
> "-Dspring.profiles.include=dev|prod"
>
> Then manage the configuration files as you like with source control. 
>
> Blog post that conceptually outlines the same strategy: 
> https://apereo.github.io/2018/11/02/cas6-groovy-config-slurper/
>



[cas-user] Adding cas.properties file to source control

2020-01-15 Thread Dustin J Luck
I would like to add my cas.properties file for a standalone deployment to 
source control. I'd like to know if there is a way to put certain settings 
that would necessarily be different between our dev & prod environments 
someplace external to the main properties file so I don't need to maintain 
the common properties in multiple places. An example of one of the 
properties I'd like to manage this way is 
cas.ticket.registry.hazelcast.cluster.members.



Re: [cas-user] Excluding system generated attributes in SAML response

2019-05-15 Thread Dustin J Luck
Thanks, Misagh. The first line did the trick!

-Dustin

On Wednesday, May 15, 2019 at 11:33:15 AM UTC-7, Misagh Moayyed wrote:
>
>
> https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#protocol-attributes
>
> cas.authn.releaseProtocolAttributes=false
> cas.authn.authenticationAttributeRelease.neverRelease=A,B,C,D
>
> --Misagh
>
> --
>
> *From: *"Dustin Luck"
> *To: *"CAS Community"
> *Sent: *Wednesday, May 15, 2019 11:25:59 AM
> *Subject: *[cas-user] Excluding system generated attributes in SAML 
> response
>
> I have set up an SP in my service registry in CAS 5.3.2. All of the 
> attributes I have included via the attributeReleasePolicy are being 
> included in the response, however, many attributes that I didn't specify 
> are being included as well. This is causing an error with the SP because 
> the attributes are unexpected. Is there any way to exclude them? How would 
> I do so?
>
> These are the attributes in question:
>
>    - credentialType 
>    - samlAuthenticationStatementAuthMethod 
>    - isFromNewLogin 
>    - bypassMultifactorAuthentication 
>    - authenticationDate 
>    - authenticationMethod 
>    - authnContextClass 
>    - successfulAuthenticationHandlers 
>    - longTermAuthenticationRequestTokenUsed
>
>
> Thanks
> -Dustin
>

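A way to confirm the attribute-release fix from the thread above, as an added example that is not part of the original messages or of CAS itself: it parses a SAML response and reports which of the attributes listed in the question are still released beyond the set the SP expects. The sample response, the `mail` and `eduPersonAffiliation` names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes the thread lists as released without being requested.
PROTOCOL_ATTRIBUTES = {
    "credentialType", "samlAuthenticationStatementAuthMethod", "isFromNewLogin",
    "bypassMultifactorAuthentication", "authenticationDate", "authenticationMethod",
    "authnContextClass", "successfulAuthenticationHandlers",
    "longTermAuthenticationRequestTokenUsed",
}

def released_attributes(xml_text):
    """Return the name of every attribute element in a SAML response.

    Matches on the element's local name, so it covers SAML 2.0 (Name=...)
    and SAML 1.1 (AttributeName=...) whatever namespace prefix is used.
    Intended for responses from your own test IdP; use a hardened parser
    such as defusedxml for XML from untrusted sources.
    """
    names = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == "Attribute":
            name = elem.get("Name") or elem.get("AttributeName")
            if name:
                names.append(name)
    return names

def audit_release(xml_text, allowed):
    """Compare released attributes with the set the SP expects."""
    released = set(released_attributes(xml_text))
    extras = released - set(allowed)
    return {
        "missing": sorted(set(allowed) - released),
        "protocol": sorted(extras & PROTOCOL_ATTRIBUTES),
        "unknown": sorted(extras - PROTOCOL_ATTRIBUTES),
    }

# Constructed sample, not captured from a real CAS server.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>testuser@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="isFromNewLogin"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="credentialType"><saml:AttributeValue>UsernamePasswordCredential</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(audit_release(SAMPLE_RESPONSE, allowed={"mail", "eduPersonAffiliation"}))
```

An empty `protocol` list after setting `cas.authn.releaseProtocolAttributes=false` indicates the SP is receiving only what the attributeReleasePolicy names.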


[cas-user] Excluding system generated attributes in SAML response

2019-05-15 Thread Dustin J Luck
I have set up an SP in my service registry in CAS 5.3.2. All of the 
attributes I have included via the attributeReleasePolicy are being 
included in the response, however, many attributes that I didn't specify 
are being included as well. This is causing an error with the SP because 
the attributes are unexpected. Is there any way to exclude them? How would 
I do so?

These are the attributes in question:

   - credentialType 
   - samlAuthenticationStatementAuthMethod 
   - isFromNewLogin 
   - bypassMultifactorAuthentication 
   - authenticationDate 
   - authenticationMethod 
   - authnContextClass 
   - successfulAuthenticationHandlers 
   - longTermAuthenticationRequestTokenUsed


Thanks
-Dustin
