Re: [cas-user] Re: mfa-webauthn broken since last week. CAS 7.1.0

2024-04-25 Thread Jérôme LELEU
Hi,

This is due to my change here: https://github.com/apereo/cas/pull/6015

Though, this should be fixed in the latest 7.1.0-SNAPSHOT.

Thanks.
Best regards,
Jérôme


On Thu, 25 Apr 2024 at 07:14, Frédéric Dussurget wrote:

> Some more information from the Spring web logs:
>
> 2024-04-23 16:46:27,232 DEBUG
> [org.springframework.security.web.FilterChainProxy] - 
> 2024-04-23 16:46:27,232 DEBUG
> [org.springframework.security.web.access.channel.ChannelProcessingFilter] -
>  [REQUIRES_SECURE_CHANNEL]>
> 2024-04-23 16:46:27,233 DEBUG
> [org.springframework.security.web.FilterChainProxy] - 
> 2024-04-23 16:46:27,234 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - <"FORWARD" dispatch
> for POST "/cas/error", parameters={masked}>
> 2024-04-23 16:46:27,234 DEBUG
> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
> -  org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)>
> 2024-04-23 16:46:27,244 DEBUG
> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
> -  [application/vnd.cas.services+yaml, application/json, application/*+json,
> application/cbor, application/xml;charset=UTF-8, text/xml;charset=UTF-8,
> application/*+xml;charset=UTF-8]>
> 2024-04-23 16:46:27,244 DEBUG
> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
> -  error=Forbidden, message=Forbidden, path=/cas/ (truncated)...]>
> 2024-04-23 16:46:27,273 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] -  "FORWARD" dispatch, status 403>
> 2024-04-23 16:46:27,273 DEBUG
> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
> - 
>
> On Wednesday, 24 April 2024 at 05:54:03 UTC+2, Frédéric Dussurget wrote:
>
>> Hi,
>> Some additional info: the base64-decoded response is:
>>
>> --- !
>> timestamp: "2024-04-23T14:14:08.165+00:00"
>> status: 403
>> error: "Forbidden"
>> message: "Forbidden"
>> path: "/cas/webauthn/register"
>>
>>
>>
>>
>> On Thursday, 18 April 2024 at 11:56:56 UTC+2, Frédéric Dussurget wrote:
>>
>>> Hi,
>>> We cannot register devices anymore with mfa-webauthn since last week.
>>> It works with a clone of cas-overlay-template from April 11th but not
>>> with today's clone (April 18th). Same dependencies and same cas.properties
>>> directives. Master CAS 7 branch.
>>>
>>> When trying to register a new device, I get this message on the login page:
>>>
>>> JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data
>>>
>>> In the Firefox debugger:
>>>
>>> XHRPOST
>>> https://mycasdev.mywonderfuluniv.fr/cas/webauthn/register
>>> [HTTP/1.1 200  63ms]
>>>
>>> Registration failed DOMException: CredentialContainer request is not
>>> allowed.
>>> createCredential
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
>>> executeRegisterRequest
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
>>> executeRequest
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
>>> performCeremony
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
>>> promise callback*performCeremony
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
>>> register
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
>>>  https://mycasdev.mywonderfuluniv.fr/cas/login:373
>>> webauthn.js:474:21
>>> Uncaught (in promise) DOMException: CredentialContainer request is not
>>> allowed.
>>> createCredential
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
>>> executeRegisterRequest
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
>>> executeRequest
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
>>> performCeremony
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
>>> promise callback*performCeremony
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
>>> register
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
>>>  https://mycasdev.mywonderfuluniv.fr/cas/login:373
>>>
>>>
>>> If I try to reuse a device that had already been registered, I get this
>>> error in the Firefox debugger with today's build:
>>>
>>> XHRPOST
>>> https://mycasdev.mywonderfuluniv.fr/cas/webauthn/authenticate
>>> [HTTP/1.1 403  131ms]
>>>
>>> Authentication failed SyntaxError: JSON.parse: unexpected non-digit at
>>> line 1 column 2 of the JSON data webauthn.js:570:17
>>> authenticate
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:570
>>> (Asynchrone : promise callback)
>>> authenticate
>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:561
>>>  https://mycasdev.mywonderfuluniv.fr/cas/login:356
>>> Uncaught (in promise) SyntaxError: JSON.parse: unexpected non-digit at
>>> line 1 column 2 of the JSON data
>>>
>>> Regards,
>>>
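The failure mode in this thread is a non-JSON error body (a YAML 403 document, negotiated as application/vnd.cas.services+yaml) being handed to JSON.parse, which is why the browser reports "unexpected non-digit at line 1 column 2" instead of the real 403. The following Python function is an added example, not part of the thread and not CAS's webauthn.js; it shows the defensive order of checks a client should apply before parsing a ceremony response: HTTP status first, then media type, then the JSON decode. The sample body is the YAML response quoted above; the function name and its return shape are assumptions of this example.

```python
import json

# Constructed sample: the YAML error body quoted earlier in this thread,
# served under application/vnd.cas.services+yaml instead of JSON.
SAMPLE_YAML_403 = (
    "--- !\n"
    'timestamp: "2024-04-23T14:14:08.165+00:00"\n'
    "status: 403\n"
    'error: "Forbidden"\n'
    'message: "Forbidden"\n'
    'path: "/cas/webauthn/register"\n'
)


def media_type_of(content_type):
    """Strip parameters such as charset from a Content-Type header value."""
    return content_type.split(";")[0].strip().lower()


def is_json_media_type(media_type):
    """application/json and any structured-syntax suffix (+json) count as JSON."""
    return media_type == "application/json" or media_type.endswith("+json")


def extract_error_field(body, field):
    """Best-effort lookup of `field: "value"` in a flat YAML-style error body.
    Only used to build a readable message; no YAML parser is needed for that."""
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == field:
            return value.strip().strip('"')
    return None


def decode_ceremony_response(status, content_type, body):
    """Decide whether an HTTP response from the register/authenticate
    endpoint can be fed to the WebAuthn ceremony (hypothetical helper).

    Returns {"ok": True, "status": s, "payload": <parsed JSON>} on success, or
    {"ok": False, "status": s, "error": <readable reason>} when the status is
    not 2xx, the media type is not JSON, or the body does not parse. Checking
    status and media type before decoding is what turns an opaque parse error
    into a clear 'HTTP 403: Forbidden'."""
    media_type = media_type_of(content_type)
    if not 200 <= status < 300:
        detail = extract_error_field(body, "message") or body[:120].strip()
        return {"ok": False, "status": status, "error": f"HTTP {status}: {detail}"}
    if not is_json_media_type(media_type):
        return {"ok": False, "status": status,
                "error": f"expected a JSON body, got {media_type}"}
    try:
        return {"ok": True, "status": status, "payload": json.loads(body)}
    except json.JSONDecodeError as exc:
        return {"ok": False, "status": status,
                "error": f"malformed JSON at line {exc.lineno} column {exc.colno}: {exc.msg}"}


if __name__ == "__main__":
    # The 403 from the thread: reported as a status problem, not a parse problem.
    print(decode_ceremony_response(403, "application/vnd.cas.services+yaml", SAMPLE_YAML_403))
    # A well-formed ceremony response (constructed payload).
    print(decode_ceremony_response(200, "application/json", '{"publicKey": {"challenge": "Zm9v"}}'))
```

The same ordering applies to the authenticate endpoint in the second trace: a 403 with a YAML body is reported as "HTTP 403: Forbidden" by the status check and never reaches the JSON decoder.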

[cas-user] Multi-host feature: contribution?

2023-09-15 Thread Jérôme LELEU
Hi,

One of my customers has requested a customisation to support multiple hosts
for the OIDC protocol, meaning the same CAS (acting as an OIDC) server
works for www.host1.com and www.host2.com.
For the CAS protocol, there is no problem, it works out of the box.

I'd like to know if this could be a useful contribution.

Has anyone ever implemented or been interested in this feature?

Thanks.
Best regards,
Jérôme

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279Lyusd5VAys1XUJCYoTpaeOcFRv%3Dv1v8mEr2489MQ-e6eQ%40mail.gmail.com.


Re: [cas-user] Potential new features

2023-05-30 Thread Jérôme LELEU
Hi,

Thanks for the feedback. Let me clarify though.

I did these two customisations for one of my customers and we talked with
Misagh about the relevancy of integrating them in the Open Source project.

So the question is: have you ever needed one of these two features?

Thanks.
Best regards,
Jérôme


On Sat, 27 May 2023 at 00:50, Ray Bon wrote:

> Feature 1: The second login should alert (or at least be configurable) the
> user that the first login will be terminated and should trigger the SLO
> process. The lost first TGT also happens with the DUO oauth2 process (not
> with the iframe implementation), thus orphaning the ST records created
> before DUO second factor and preventing those services from taking part in
> SLO (we added some behaviour to the login flow to transfer the pre DUO
> services to the post DUO TGT).
>
> Feature 2: The log in page could be displayed with a password field and an
> uneditable username field filled with the current user's login id and a
> link saying 'switch user' or 'if this is not you ...'. If the user
> wants to change the login id, then a warning is displayed saying that SLO
> will be performed.
>
> Ray
>
> On Thu, 2023-05-25 at 11:08 +0200, Jérôme LELEU wrote:
>
> Hi,
>
> I'd like to make some kind of poll to know if some people might be
> interested in the two following new features:
>
> Feature 1: I open the login page in two tabs of my browser and log in in
> the first tab and then in the second tab: the second authentication
> currently just erases the first one. Should we have better behavior? Like
> displaying a warning to indicate that we keep the existing authentication
> or replace it by a new one?
>
> Feature 2: I call the login page with the renew parameter. If the new
> logged user is different from the old one, should I perform an SLO?
>
> Feedback will be welcome.
>
> Thanks.
> Best regards,
> Jérôme
>
>
>



[cas-user] Potential new features

2023-05-25 Thread Jérôme LELEU
Hi,

I'd like to make some kind of poll to know if some people might be
interested in the two following new features:

Feature 1: I open the login page in two tabs of my browser and log in in
the first tab and then in the second tab: the second authentication
currently just erases the first one. Should we have better behavior? Like
displaying a warning to indicate that we keep the existing authentication
or replace it by a new one?

Feature 2: I call the login page with the renew parameter. If the new
logged user is different from the old one, should I perform an SLO?

Feedback will be welcome.

Thanks.
Best regards,
Jérôme



Re: [cas-user] Re: Support for renew=1 when using delegated auth to Azure AD?

2022-10-28 Thread Jérôme LELEU
Hi,

The version 6.5.x no longer accepts contributions (except
security patches):
https://apereo.github.io/cas/developer/Maintenance-Policy.html

So don't worry about submitting a PR.

Thanks.
Best regards,
Jérôme


On Fri, 28 Oct 2022 at 14:04, Dennis Sjögren wrote:

> So... Running IntelliJ IDEA on a 2019 MacBook Pro with a 2.6GHz 6-Core
> Intel i7 is... interesting. Having it directly in your lap is not
> recommended. Listening to the fans constantly at 5000 rpm is not as fun as
> it sounds. :) (And being a developer in a completely different ecosystem
> doesn't help.)
>
> Anyway, I found out that if you manage to set the *ForceAuthn* request
> attribute in the *getRedirectionAction* method in
> *DelegatedClientAuthenticationRedirectAction*.java
> (cas-server-support-pac4j-webflow), the resulting redirect to Azure will
> have *max_age=0* as a query parameter. Yay!
>
> I've been experimenting with setting a query parameter (for the
> clientredirect call) in the *resolve* method in
> *DelegatedClientIdentityProviderConfigurationFactory*.java
> (cas-server-support-pac4j-core). This then gets carried over to the
> aforementioned *getRedirectAction* method via the transient session
> ticket. This works but I'm not sure if this is more of a "hack" or if it's
> nearing something that would be acceptable to submit as a PR.
>
> Anyway. Back to experimenting.
>
> Regards,
> Dennis
>
>
> On Tuesday, October 25, 2022 at 7:59:32 PM UTC+2 Dennis Sjögren wrote:
>
>> Currently running v6.5.2. Planning on upgrading to latest 6.6.x soon.
>>
>> The thing is, initially CAS does the right thing with renew=true, i.e.
>> redirecting to the authorize endpoint in Azure. My goal is that renew=true
>> should translate to prompt=login. Is there anything *I* can do to influence
>> this process? Besides learning Java and fixing it myself (which, depending
>> on the complexity, I'm actually considering). :)
>>
>> However, I think I might have another problem.
>>
>> I did a "poor man's" fix by adding this:
>> cas.authn.pac4j.oidc[0].azure.custom-params.prompt=login
>>
>> Then when my app is requesting re-auth (via renew=true), Delegated
>> Authentication redirects to Azure and credentials are requested (forced by
>> my setting above). However, then I get this:
>>
>> PROTOCOL_SPECIFICATION_VALIDATE_FAILED
>> [Cas20WithoutProxyingValidationSpecification] is to enforce the [renew]
>> CAS protocol behavior, yet the assertion is not issued from a new login
>>
>> So my suspicion is that even if I could translate renew=true to
>> prompt=login in Delegated Authentication somehow, I would get stuck on this
>> validation. Correct me if I'm wrong, but this must be an error? I mean, CAS
>> is obviously aware of renew=true, but when Delegated Authentication returns
>> the ST seems to be generated from the previously created TGT anyway? This
>> could of course be by design - considering that there might not be a way
>> for CAS to know if the delegated authentication client did request
>> re-validation of credentials or not. That way, it would probably be better
>> to send max_age=0, but that requires that CAS can validate the auth_time
>> claim...
>>
>> I'm so close to getting this setup to where I want it to be... but this
>> might just be a blocker. Gonna go look up the price of IntelliJ IDEA now. :)
>>
>> Regards,
>> Dennis
>>
>> On Tuesday, October 25, 2022 at 5:56:49 PM UTC+2 CAS Community wrote:
>>
>>> It generally depends on what version of CAS (and pac4j) you run. Most
>>> recent versions can handle protocol translations, such that renew=true is
>>> ultimately translated to prompt=login or max_age=0 or something like that.
>>>
>>> On Tuesday, October 25, 2022 at 6:14:55 PM UTC+4 Dennis Sjögren wrote:
>>>
>>>> Hi,
>>>>
>>>> I've been experimenting with Delegated Authentication to Azure AD (via
>>>> pac4j) and it works like a charm. The last day or so I've been searching
>>>> for an answer to whether renew=1 can be propagated to the authorize call to
>>>> Azure AD somehow. If I'm not mistaken, a parameter of prompt=login could be
>>>> the way to go.
>>>>
>>>> When I test from a CAS enabled app, renew=1 seems to be forcing a new
>>>> request to Microsoft's authorize endpoint, but since I already have an
>>>> active session in Azure, I'm not prompted for my credentials again.
>>>>
>>>> I've been looking into the CAS codebase for a configuration hint or
>>>> something. I've been a full time developer for 25+ years, unfortunately not
>>>> in Java - so needless to say, I'm not being particularly successful. :)
>>>>
>>>> So my question is: Is it possible to force re-validation of credentials
>>>> using renew=1 when delegating to Azure AD?
>>>>
>>>> Regards,
>>>> Dennis
>>>>

Re: [cas-user] very slow ticket delivery on CAS 6.6 & redis ticket registry

2022-10-28 Thread Jérôme LELEU
Hi,

Thanks for raising the point.

It's always hard to find a good balance between a generic design and
performance.

It seems to me that performing scans to get a ticket is not the best thing
to do in terms of performance.

The Redis ticket registry is commonly used and we should try to avoid any
performance degradation.

I have a few ideas in mind, but I'm not a Redis specialist: what do you
propose?

Thanks.
Best regards,
Jérôme


On Thu, 27 Oct 2022 at 19:59, Pascal Rigaux wrote:

> Hi,
>
> In 6.6.x Redis ticket registry key is suffixed with userid (since
> 6.6.0-RC4)
>
> This is great to know who owns a TGT or a ST.
>
> Alas, this means getting a TGT from Redis now requires a "SCAN"... which
> is much more costly.
> Example: full "SCAN" is ~100 times slower than "GET" on our production
> Redis (dbsize ~100k, because we have 1 month rememberMe TGT)
>
>
> For the record, getting a ST triggers
> - on 5.3 : 8 redis "GET" on the TGT
> - on 6.5 : 17 redis "GET" on the TGT
> - on 6.6 : 15 redis "SCAN" + "GET" on the TGT on a small redis db
>
>
>
> PS: "cas.ticket.registry.core.enable-locking=false" fails on redis ticket
> registry with error
>  > Could not find a destroy method named 'destroy' on bean with name
> 'casTicketRegistryRedisLockRegistry'
>

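Pascal's numbers (a full SCAN about 100 times slower than a GET on a ~100k-key database) follow from the key layout: once the owner is part of the key, a lookup that only knows the ticket id has to walk the keyspace. The added Python example below is not code from CAS or from this thread; it models both approaches with a tiny in-memory stand-in for Redis that counts operations and keys examined: an owner-suffixed key read by SCAN, and the same key plus a hypothetical secondary index entry (ticket id to full key) that makes the read two GETs while the owner lookup keeps working. The key prefixes, the index key and FakeRedis are assumptions of this example.

```python
from collections import Counter
from fnmatch import fnmatchcase


class FakeRedis:
    """In-memory stand-in for the few Redis commands used below, counting how
    many keys a SCAN has to examine. Real SCAN walks the keyspace in cursor
    pages; here that cost is modelled as one pass over every key."""

    def __init__(self):
        self.store = {}
        self.ops = Counter()
        self.keys_examined = 0

    def set(self, key, value):
        self.ops["SET"] += 1
        self.store[key] = value

    def get(self, key):
        self.ops["GET"] += 1
        return self.store.get(key)

    def delete(self, *keys):
        self.ops["DEL"] += 1
        for key in keys:
            self.store.pop(key, None)

    def scan_match(self, pattern):
        self.ops["SCAN"] += 1
        self.keys_examined += len(self.store)
        return [k for k in self.store if fnmatchcase(k, pattern)]


# Assumed key layout: the thread only says the key is suffixed with the user id.
TICKET_PREFIX = "CAS_TICKET"
INDEX_PREFIX = "CAS_TICKET_INDEX"  # hypothetical secondary index, not a CAS key


class ScanRegistry:
    """Ticket key carries the owner; finding a ticket by id alone needs a SCAN."""

    def __init__(self, redis):
        self.r = redis

    def add(self, ticket_id, user, payload):
        self.r.set(f"{TICKET_PREFIX}:{ticket_id}:{user}", payload)

    def get(self, ticket_id):
        keys = self.r.scan_match(f"{TICKET_PREFIX}:{ticket_id}:*")
        return self.r.get(keys[0]) if keys else None

    def tickets_of(self, user):
        # Owner lookup ("who owns this TGT") is what the suffix buys.
        return self.r.scan_match(f"{TICKET_PREFIX}:*:{user}")


class IndexedRegistry(ScanRegistry):
    """Same owner-suffixed key, plus an index key (id -> full key) so that a
    read by ticket id is two GETs. The index entry must be created, expired
    and deleted together with the ticket or it becomes a dangling pointer."""

    def add(self, ticket_id, user, payload):
        full_key = f"{TICKET_PREFIX}:{ticket_id}:{user}"
        self.r.set(full_key, payload)
        self.r.set(f"{INDEX_PREFIX}:{ticket_id}", full_key)

    def get(self, ticket_id):
        full_key = self.r.get(f"{INDEX_PREFIX}:{ticket_id}")
        return self.r.get(full_key) if full_key else None  # None on a dangling index

    def delete(self, ticket_id):
        full_key = self.r.get(f"{INDEX_PREFIX}:{ticket_id}")
        if full_key:
            self.r.delete(full_key, f"{INDEX_PREFIX}:{ticket_id}")


def compare_lookup_cost(n_tickets=1000, wanted="TGT-7"):
    """Fill both registries with constructed tickets, then read one back and
    return the per-registry payload, operation counts and keys examined."""
    results = {}
    for name, cls in (("scan", ScanRegistry), ("indexed", IndexedRegistry)):
        r = FakeRedis()
        reg = cls(r)
        for i in range(n_tickets):
            reg.add(f"TGT-{i}", f"user{i % 50}", f"payload-{i}")
        r.ops.clear()          # count only the lookup, not the population
        r.keys_examined = 0
        payload = reg.get(wanted)
        results[name] = {"payload": payload, "ops": dict(r.ops),
                         "keys_examined": r.keys_examined}
    return results


if __name__ == "__main__":
    for name, res in compare_lookup_cost().items():
        print(name, res)
```

With 1000 tickets the SCAN registry examines all 1000 keys for one read, the indexed one touches two keys; the gap grows linearly with the database size Pascal describes. The price is the write-side discipline in `IndexedRegistry.add` and `delete`, and a TTL on the index entry equal to the ticket's.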


Re: [cas-user] Re: use permitAll via HttpSecurity#authorizeHttpRequests

2022-10-25 Thread Jérôme LELEU
PR submitted: https://github.com/apereo/cas/pull/5534
To be continued...

On Tue, 25 Oct 2022 at 15:49, Noelette Stout wrote:

> Thanks!
>
> On Tue, Oct 25, 2022 at 7:41 AM Jérôme LELEU  wrote:
>
>> Hi,
>>
>> This is not a big problem, just warnings. You can't fix it by settings.
>> I will fix that in the source code.
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Tue, 25 Oct 2022 at 15:02, Noelette Stout wrote:
>>
>>> Unfortunately, I have not found a solution to this. I upgraded to 6.6.0
>>> when it was released, but the warnings are still there. I'm not even sure
>>> where to look to fix it. It doesn't seem to be affecting anything
>>> functionally; it just creates a bunch of logging on startup.
>>>
>>> On Tue, Oct 25, 2022 at 6:58 AM lanf detroy 
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> Did you find the solution? I have the same warnings.
>>>>
>>>> On Tuesday, 30 August 2022 at 18:29:46 UTC+2, stou...@isu.edu wrote:
>>>>
>>>>> I just installed 6.6.0-RC5, and I am seeing a number of messages
>>>>> similar to this in the log:
>>>>>
>>>>> WARN
>>>>> [org.springframework.security.config.annotation.web.builders.WebSecurity] 
>>>>> -
>>>>> >>>> This is not recommended -- please use permitAll via
>>>>> HttpSecurity#authorizeHttpRequests instead.>
>>>>>
>>>>> Where do I find the setting for this?
>>>>>
>>>>> Thanks,
>>>>> Noelette
>>>>>
>>>>
>>>
>>> --
>>> Noelette Stout
>>> ITS Enterprise Applications - Senior Application Administrator
>>> Idaho State University
>>> E-mail: stounoel "at" isu "dot" edu
>>> Desk: 208-282-2554
>>>
>
>
> --
> Noelette Stout
> ITS Enterprise Applications - Senior Application Administrator
> Idaho State University
> E-mail: stounoel "at" isu "dot" edu
> Desk: 208-282-2554
>



Re: [cas-user] Re: use permitAll via HttpSecurity#authorizeHttpRequests

2022-10-25 Thread Jérôme LELEU
Hi,

This is not a big problem, just warnings. You can't fix it by settings.
I will fix that in the source code.
Thanks.
Best regards,
Jérôme


On Tue, 25 Oct 2022 at 15:02, Noelette Stout wrote:

> Unfortunately, I have not found a solution to this. I upgraded to 6.6.0
> when it was released, but the warnings are still there. I'm not even sure
> where to look to fix it. It doesn't seem to be affecting anything
> functionally; it just creates a bunch of logging on startup.
>
> On Tue, Oct 25, 2022 at 6:58 AM lanf detroy  wrote:
>
>> Hello,
>>
>> Did you find the solution? I have the same warnings.
>>
>> On Tuesday, 30 August 2022 at 18:29:46 UTC+2, stou...@isu.edu wrote:
>>
>>> I just installed 6.6.0-RC5, and I am seeing a number of messages similar
>>> to this in the log:
>>>
>>> WARN
>>> [org.springframework.security.config.annotation.web.builders.WebSecurity] -
>>> >> This is not recommended -- please use permitAll via
>>> HttpSecurity#authorizeHttpRequests instead.>
>>>
>>> Where do I find the setting for this?
>>>
>>> Thanks,
>>> Noelette
>>>
>>
>
> --
> Noelette Stout
> ITS Enterprise Applications - Senior Application Administrator
> Idaho State University
> E-mail: stounoel "at" isu "dot" edu
> Desk: 208-282-2554
>



Re: [cas-user] A bug with throttling in cas 6.5.1 ?

2022-05-06 Thread Jérôme LELEU
Hi,

There is a bug with the bucket4j throttling.
I submitted a fix: https://github.com/apereo/cas/pull/5458
It will be available in the next release 6.5.4 (and 6.6.0).
Thanks.
Best regards,
Jérôme


On Fri, 6 May 2022 at 15:55, qla3fa wrote:

> Hi,
>
> No, it still doesn't work in my 6.5.2 install.
>
> Like you, with 6.4.6.1 it works correctly. And in my 6.5.2 install, I
> commented these 3 cas.authn.throttle.xxx directives too...
>
> Quentin.
>
>
> On 05/04/2022 at 18:47, Frédéric Lohier wrote:
>
> Hello,
>
> I am experiencing the same issue in CAS 6.5.2: the throttle failure
> module triggers at the first login attempt even if I submit a good user
> login/password. It was working fine in CAS 6.4.6.1.
> I am only using cas-server-support-throttle, and if I comment out the
> following failure-throttle configuration, authentication works again:
>
> #cas.authn.throttle.failure.threshold=1
> #cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
> #cas.authn.throttle.failure.range-seconds=3
>
> Did you manage to make it work in 6.5.x?
>
> -Frederic
>
> On Fri, Mar 25, 2022 at 10:24 AM qla3fa  wrote:
>
>> Hi,
>>
>> I am trying to upgrade my CAS from v6.4.6.1 to 6.5.1. The configuration that
>> was OK with v6.4 doesn't work in 6.5.1...
>>
>> I load these modules:
>>
>> implementation
>> "org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
>> implementation
>> "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"
>> implementation
>> "org.apereo.cas:cas-server-support-throttle-jdbc:${project.'cas.version'}"
>>
>> I load and configure the audit log in JDBC too.
>>
>> In my cas.properties, my conf is:
>>
>> cas.authn.throttle.jdbc.user=xxx
>> cas.authn.throttle.jdbc.password=
>> cas.authn.throttle.jdbc.driver-class=com.mysql.cj.jdbc.Driver
>> cas.authn.throttle.jdbc.url=
>> cas.authn.throttle.jdbc.dialect=org.hibernate.dialect.MySQL8Dialect
>> cas.authn.throttle.core.username-parameter=username
>> cas.authn.throttle.core.app-code=CAS
>> cas.authn.throttle.failure.threshold=1
>> cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
>> cas.authn.throttle.failure.range-seconds=3
>> cas.authn.throttle.bucket4j.blocking=true
>> cas.authn.throttle.bucket4j.enabled=true
>> cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
>> cas.authn.throttle.bucket4j.bandwidth[0].capacity=50
>>
>> Authentication always fails with this message:
>>
>> More than [0.] failed login attempts within [3] seconds.
>> Authentication attempt exceeds the failure threshold [1]
>>
>> I tried different values for threshold and range-seconds but the issue
>> is the same...
>>
>> In the database, for one authentication, I had only two rows:
>>
>> MariaDB [DEVCAS]> select * from COM_AUDIT_TRAIL\G;
>> *** 1. row ***
>>            id: 1
>>    AUD_ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>     APPLIC_CD: CAS
>> AUD_CLIENT_IP: 
>>      AUD_DATE: 2022-03-24 16:03:34.00
>>  AUD_RESOURCE: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Thu Ma
>> AUD_SERVER_IP: xxx
>>      AUD_USER: audit:unknown
>> AUD_USERAGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
>> *** 2. row ***
>>            id: 2
>>    AUD_ACTION: THROTTLED_LOGIN_ATTEMPT
>>     APPLIC_CD: CAS
>> AUD_CLIENT_IP: xxx
>>      AUD_DATE: 2022-03-24 16:03:44.00
>>  AUD_RESOURCE: N/A
>> AUD_SERVER_IP: 
>>      AUD_USER: xxx
>> AUD_USERAGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
>> 2 rows in set (0.001 sec)
>>
>> If I unload the modules
>> "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}" and
>> "org.apereo.cas:cas-server-support-throttle-jdbc:${project.'cas.version'}"
>> the authentication works properly.
>>
>> Is there a bug with throttling in v6.5.1? Or am I missing something?
>>
>> Best regards.
>>
>> Quentin.
>>
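The settings in Quentin's configuration (failure.threshold=1, failure.range-seconds=3) describe a failure-rate window: how many failed attempts are allowed within how many seconds before further attempts are refused. The added Python example below is a generic sliding-window model, not CAS's throttle and not the bucket4j code that Jérôme fixed; it shows the behaviour the thread expects from those two settings: a first attempt with no recorded failure is never throttled, only failures are counted, and the window empties again once range-seconds have passed. The class, the key choice (client IP plus username) and the replayed attempt sequence are constructed for this example.

```python
from collections import defaultdict, deque


class FailureRateThrottle:
    """Sliding-window failure throttle with the two knobs from the thread:
    `threshold` failed attempts permitted within `range_seconds`.
    An attempt is refused when MORE than `threshold` failures fall inside the
    window, mirroring the log text 'More than [...] failed login attempts
    within [...] seconds'. Successful logins never count towards the window.
    Generic illustration, not CAS's implementation."""

    def __init__(self, threshold, range_seconds):
        if threshold < 0 or range_seconds <= 0:
            raise ValueError("threshold must be >= 0 and range_seconds > 0")
        self.threshold = threshold
        self.range_seconds = range_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _window(self, key, now):
        """Drop failures older than range_seconds and return what is left."""
        window = self._failures[key]
        while window and now - window[0] > self.range_seconds:
            window.popleft()
        return window

    def is_throttled(self, key, now):
        """Decision taken BEFORE credentials are checked. With nothing recorded
        for this key it must return False, which is the case the thread reports
        as broken (throttling on the very first, correct login)."""
        return len(self._window(key, now)) > self.threshold

    def record(self, key, now, success):
        """Audit the outcome of an attempt; only failures feed the window."""
        if not success:
            self._failures[key].append(now)


def simulate(threshold=1, range_seconds=3):
    """Replay a constructed sequence of (seconds, credentials correct?) for one
    client/user pair and return the decision taken for each attempt."""
    throttle = FailureRateThrottle(threshold, range_seconds)
    key = ("203.0.113.7", "quentin")  # constructed client IP and username
    attempts = [(0.0, True), (1.0, False), (1.5, False), (2.0, True), (6.0, True)]
    decisions = []
    for t, creds_ok in attempts:
        if throttle.is_throttled(key, t):
            decisions.append((t, "THROTTLED"))
            continue
        throttle.record(key, t, creds_ok)
        decisions.append((t, "SUCCESS" if creds_ok else "FAILED"))
    return decisions


if __name__ == "__main__":
    for t, outcome in simulate():
        print(f"t={t:>4}s  {outcome}")
```

With threshold=1 and range-seconds=3 the replay gives SUCCESS, FAILED, FAILED, THROTTLED, SUCCESS: the correct first login goes through, the third attempt at t=2 is refused because two failures sit inside the 3-second window, and by t=6 both have aged out. Lowering the threshold to 0 makes the very first failure block the next attempt, which is the strictest setting the two knobs allow.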

Re: [cas-user] 6.4 cas deployment in a clustered (multi server) environment

2021-11-15 Thread Jérôme LELEU
Hi,

Did you configure the clustering for the SAML server support?

- cas.authn.saml-idp.core.session-storage-type=HTTP

Indicates whether SAML requests and other session data collected as part of
SAML flows are kept in the container HTTP session or in local storage, or
should be replicated across the cluster. Available values are as follows:

   - HTTP: Saml requests, and other session data collected as part of SAML
   flows and requests are kept in the http servlet session that is local to
   the server.
   - BROWSER_SESSION_STORAGE: Saml requests, and other session data
   collected as part of SAML flows and requests are kept in the client
   browser's session storage, signed and encrypted. SAML2 interactions require
   client-side read/write operations to restore the session from the browser.
   - TICKET_REGISTRY: Saml requests, and other session data collected as
   part of SAML flows and requests are tracked as CAS tickets in the registry
   and replicated across the entire cluster as tickets.

Thanks.
Best regards,
Jérôme


On Mon, 15 Nov 2021 at 16:50, Fotis Memis wrote:

> Hello,
>
> Has anyone tried to deploy 6.4 version of CAS in a clustered
> environment? We are facing some problems in SAML services, regarding
> session management, that do not happen in our 6.3.7 deployment.
>
> Specifically we are seeing the following error:
>
> Nov 15 16:28:01 example.com CAS[catalina-exec-21]: [ERROR] Forwarding to
> error page from request [/idp/profile/SAML2/Callback] due to exception
> [SAML request or context could not be determined from session store] -
> org.springframework.boot.web.servlet.support.ErrorPageFilter
> java.lang.IllegalArgumentException: SAML request or context could not be
> determined from session store
>  at
> org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.lambda$retrieveAuthenticationRequest$3(AbstractSamlIdPProfileHandlerController.java:639)
>
> ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>  at java.util.Optional.orElseThrow(Optional.java:408) ~[?:?]
>  at
> org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.retrieveAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:639)
>
> ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>  at
> org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleProfileRequest(SSOSamlIdPProfileCallbackHandlerController.java:88)
>
> ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>  at
> org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleCallbackProfileRequestGet(SSOSamlIdPProfileCallbackHandlerController.java:60)
>
> ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>  at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) ~[?:?]
>  at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>
> ~[?:?]
>  at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
> ~[?:?]
>  at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>  at
> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282)
>
> ~[spring-core-5.3.9.jar:5.3.9]
>  at
> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:485)
>
> ~[spring-cloud-context-3.0.3.jar:3.0.3]
>  at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
>
> ~[spring-aop-5.3.9.jar:5.3.9]
>  at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
>
> ~[spring-aop-5.3.9.jar:5.3.9]
>  at
> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692)
>
> ~[spring-aop-5.3.9.jar:5.3.9]
>  at
> org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController$$EnhancerBySpringCGLIB$$bc6144ef.handleCallbackProfileRequestGet()
>
> ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>  at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) ~[?:?]
>  at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>
> ~[?:?]
>  at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
> ~[?:?]
>  at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>  at
> org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197)
>
> ~[spring-web-5.3.9.jar:5.3.9]
>  at
> org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141)
>
> ~[spring-web-5.3.9.jar:5.3.9]
>  at
> 

Re: [cas-user] Service Registry problem CAS 6.3

2021-10-19 Thread Jérôme LELEU
Hi,

Please use the English language for this mailing list.

You defined: https://toto.unis.fr/.* and you have:
https://toto.unis.fr?auth_method=CAS
This does not work because of the trailing slash in your definition.
That said, you shouldn't define: https://toto.unis.fr.* for security
reasons.
So https://toto\\.unis\\.fr\\?auth_method=CAS should be the right
definition for you.

Thanks.
Best regards,
Jérôme


On Tue 19 Oct 2021 at 17:32, Florent Vallee  wrote:

> Hello,
>
> I have a problem authorizing a site to use our CAS.
>
> Here is my JSON file:
>
> {
> "@class" : "org.apereo.cas.services.RegexRegisteredService",
> "serviceId" : "^https://toto.unis.fr/.*",
> "name" : "Toto",
> "logo": "themes/toto/images/favicon.ico",
> "id": 1611215127,
> "evaluationOrder" : 9
> }
>
> The site is refused, and in the log file I get this error:
>
> #033[33m2021-10-19 17:31:42,366 WARN
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] -
>  https://toto.unis.fr?auth_method=CAS] is not found in service
> registry.>#033[m
>
> Where does this come from? I think I authorized the whole site.
>
> Thanks for your help.
>
> Regards
>
> *Florent*
>
>
>

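The regex point made in the reply above (why the trailing slash rejects the real service URL, and why an unescaped, unbounded pattern is risky), worked through as an added example; this is not code from the thread or from CAS. It assumes Python's re.fullmatch as a stand-in for the service registry's matcher, and the look-alike URLs are constructed here for illustration.

```python
import re

# The three service patterns discussed in the thread: the one that was defined,
# the loose form the reply warns against, and the suggested definition.
PATTERNS = {
    "defined":   r"^https://toto.unis.fr/.*",
    "too_loose": r"https://toto.unis.fr.*",
    "suggested": r"https://toto\.unis\.fr\?auth_method=CAS",
}

# Constructed candidate service URLs. The first is the URL CAS rejected in the
# log; the last two are look-alikes invented for this example to show what an
# unescaped '.' and an unbounded trailing '.*' would let through.
CANDIDATES = [
    "https://toto.unis.fr?auth_method=CAS",  # the real service URL from the log
    "https://toto.unis.fr/",                 # site root, with the trailing slash
    "https://toto.unis.fr.example.net/",     # other host that merely starts with the name
    "https://totoXunisXfr/",                 # an unescaped '.' matches any character
]


def service_matches(pattern, url):
    """Match a registry pattern against a service URL.

    Assumption (not taken from CAS source): the whole URL must match, so
    re.fullmatch stands in for the registry's matcher.
    """
    return re.fullmatch(pattern, url) is not None


def evaluate(patterns=PATTERNS, candidates=CANDIDATES):
    """Return, per pattern name, the list of candidate URLs it accepts."""
    return {
        name: [url for url in candidates if service_matches(pattern, url)]
        for name, pattern in patterns.items()
    }


if __name__ == "__main__":
    for name, accepted in evaluate().items():
        print(f"{name:10s} accepts {len(accepted)} of {len(CANDIDATES)} URLs:")
        for url in accepted:
            print(f"    {url}")
```

Only the suggested pattern accepts exactly the service URL from the log; the loose pattern accepts every candidate, including the foreign host.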


Re: [cas-user] CAS + simple LDAP authorization

2021-03-02 Thread Jérôme LELEU
Hi,

It looks like: *cas.authn.ldap[0].dn-format: '%s@domain'*
Thanks.
Best regards,
Jérôme


On Tue 2 Mar 2021 at 10:13, Bartosz Nitkiewicz  wrote:

> Could you please tell me how it should look?
>
> On Tuesday, 2 March 2021 at 10:09:05 UTC+1 leleuj wrote:
>
>> Hi,
>>
>> I checked an AD configuration I have and there is also a
>> *cas.authn.ldap[0].dn-format* property I don't see in your configuration.
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Tue 2 Mar 2021 at 10:01, Bartosz Nitkiewicz  wrote:
>>
>>> Checked. Doesn't work either :(
>>>
>>> On Tuesday, 2 March 2021 at 09:57:10 UTC+1 leleuj wrote:
>>>
 Hi,

 For the AD LDAP, your type property should be AD:

 cas.authn.ldap[0].type=AD


 Thanks.
 Best regards,
 Jérôme



 On Tue 2 Mar 2021 at 09:43, Bartosz Nitkiewicz  wrote:

> Hello.
> I need your help. I'm trying to use CAS as an authentication service for
> some of my applications. There are user names and passwords stored in an AD
> (LDAP) server. I can't make CAS authenticate users through LDAP. I have
> read all the documentation and this ML, found some configs and I tried almost
> everything. Could someone look at my simple cas.properties and tell me if
> it looks ok?
>
> cas.server.name: https://localhost:8443
> cas.server.prefix: ${cas.server.name}/cas
>
> cas.authn.accept.enabled=false
>
> cas.authn.policy.any.try-all=false
> cas.authn.policy.any.enabled=true
>
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldap-url=ldaps://ldpadomainname.org
> cas.authn.ldap[0].base-dn=OU=TEST,dc=test,dc=test,dc=test,dc=org
> cas.authn.ldap[0].subtree-search=true
>
>
> cas.authn.ldap[0].searchFilter=(&(objectclass=*)(sAMAccountName={user}))
>
>
> cas.authn.ldap[0].bind-dn=cn=testaccount,cn=group,dc=test,dc=test,dc=test,dc=com
> cas.authn.ldap[0].bind-credential=password
>
> cas.authn.ldap[0].keystore=file:/etc/cas/config/thekeystore
> cas.authn.ldap[0].keystorePassword=asd123456
> cas.authn.ldap[0].keystoreType=PKCS12
>
> ldapsearch from the command line works fine. I can filter the LDAP tree to
> find the proper username.
>
> Thanks in advance.
>




Re: [cas-user] CAS + simple LDAP authorization

2021-03-02 Thread Jérôme LELEU
Hi,

I checked an AD configuration I have and there is also a
*cas.authn.ldap[0].dn-format* property I don't see in your configuration.
Thanks.
Best regards,
Jérôme


On Tue 2 Mar 2021 at 10:01, Bartosz Nitkiewicz  wrote:

> Checked. Doesn't work either :(
>
> On Tuesday, 2 March 2021 at 09:57:10 UTC+1 leleuj wrote:
>
>> Hi,
>>
>> For the AD LDAP, your type property should be AD:
>>
>> cas.authn.ldap[0].type=AD
>>
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>>
>> On Tue 2 Mar 2021 at 09:43, Bartosz Nitkiewicz  wrote:
>>
>>> Hello.
>>> I need your help. I'm trying to use CAS as an authentication service for
>>> some of my applications. There are user names and passwords stored in an AD
>>> (LDAP) server. I can't make CAS authenticate users through LDAP. I have
>>> read all the documentation and this ML, found some configs and I tried almost
>>> everything. Could someone look at my simple cas.properties and tell me if
>>> it looks ok?
>>>
>>> cas.server.name: https://localhost:8443
>>> cas.server.prefix: ${cas.server.name}/cas
>>>
>>> cas.authn.accept.enabled=false
>>>
>>> cas.authn.policy.any.try-all=false
>>> cas.authn.policy.any.enabled=true
>>>
>>> cas.authn.ldap[0].type=AUTHENTICATED
>>> cas.authn.ldap[0].ldap-url=ldaps://ldpadomainname.org
>>> cas.authn.ldap[0].base-dn=OU=TEST,dc=test,dc=test,dc=test,dc=org
>>> cas.authn.ldap[0].subtree-search=true
>>>
>>> cas.authn.ldap[0].searchFilter=(&(objectclass=*)(sAMAccountName={user}))
>>>
>>>
>>> cas.authn.ldap[0].bind-dn=cn=testaccount,cn=group,dc=test,dc=test,dc=test,dc=com
>>> cas.authn.ldap[0].bind-credential=password
>>>
>>> cas.authn.ldap[0].keystore=file:/etc/cas/config/thekeystore
>>> cas.authn.ldap[0].keystorePassword=asd123456
>>> cas.authn.ldap[0].keystoreType=PKCS12
>>>
>>> ldapsearch from the command line works fine. I can filter the LDAP tree to
>>> find the proper username.
>>>
>>> Thanks in advance.
>>>



Re: [cas-user] CAS + simple LDAP authorization

2021-03-02 Thread Jérôme LELEU
Hi,

For the AD LDAP, your type property should be AD:

cas.authn.ldap[0].type=AD


Thanks.
Best regards,
Jérôme



On Tue 2 Mar 2021 at 09:43, Bartosz Nitkiewicz  wrote:

> Hello.
> I need your help. I'm trying to use CAS as an authentication service for some
> of my applications. There are user names and passwords stored in an AD (LDAP)
> server. I can't make CAS authenticate users through LDAP. I have read
> all the documentation and this ML, found some configs and I tried almost
> everything. Could someone look at my simple cas.properties and tell me if
> it looks ok?
>
> cas.server.name: https://localhost:8443
> cas.server.prefix: ${cas.server.name}/cas
>
> cas.authn.accept.enabled=false
>
> cas.authn.policy.any.try-all=false
> cas.authn.policy.any.enabled=true
>
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldap-url=ldaps://ldpadomainname.org
> cas.authn.ldap[0].base-dn=OU=TEST,dc=test,dc=test,dc=test,dc=org
> cas.authn.ldap[0].subtree-search=true
>
> cas.authn.ldap[0].searchFilter=(&(objectclass=*)(sAMAccountName={user}))
>
>
> cas.authn.ldap[0].bind-dn=cn=testaccount,cn=group,dc=test,dc=test,dc=test,dc=com
> cas.authn.ldap[0].bind-credential=password
>
> cas.authn.ldap[0].keystore=file:/etc/cas/config/thekeystore
> cas.authn.ldap[0].keystorePassword=asd123456
> cas.authn.ldap[0].keystoreType=PKCS12
>
> ldapsearch from the command line works fine. I can filter the LDAP tree to
> find the proper username.
>
> Thanks in advance.
>



Re: [cas-user] Cookieless SSO in Cas

2021-03-01 Thread Jérôme LELEU
Hi,

For web interactions, the SSO mechanism relies on a cookie.

For web services, no cookie is needed via the CAS proxy mechanism:
https://apereo.github.io/cas/6.2.x/protocol/CAS-Protocol.html#proxy-web-flow-diagram

Thanks.
Best regards,
Jérôme


On Tue 2 Mar 2021 at 07:31, Hasan Çağrı Traş  wrote:

> Hello everyone,
>
> I know that Apereo Cas is cookie based technology (CASTGC cookie,
> represents a SSO session for a user see:
> https://apereo.github.io/cas/6.2.x/protocol/CAS-Protocol.html).
>
> But I wonder is it somehow possible to have SSO feature without cookie in
> Apereo Cas.
>
> Thanks in advance.
>
> Cagri
>



[cas-user] Re: [cas-announce] Apereo Paris 21 & ESUP-Days 31

2021-02-01 Thread Jérôme LELEU
And you'll talk about CAS at 11h20 ;-)

On Tue 2 Feb 2021 at 07:42, Misagh  wrote:

> The ESUP-Portail Consortium and the Apereo Foundation are pleased to
> invite you to the eighth edition of the ESUP-Days/Apereo Paris event
> that will take place on February 2, 2021. Due to the pandemic
> situation, we have no other choice but to go fully online for this
> edition. The "good" thing about this is that it will make it far
> easier for people outside of France to participate. You don't speak
> the "language of Molière" fluently? No worries! There will be
> simultaneous translation so you can appreciate all the sessions no
> matter which language is being used.
>
> Check out the program here:
> https://www.esup-portail.org/conference/index-EN.html
>



Re: [cas-user] pac4j error in cas management webapp

2020-11-16 Thread Jérôme LELEU
ifactory/oss-snapshot-local/org/apereo/cas/cas-mgmt-webapp-tomcat/6.2.3/cas-mgmt-webapp-tomcat-6.2.3.pom
> '.
> > *Could not GET
> 'https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-mgmt-webapp-tomcat/6.2.3/cas-mgmt-webapp-tomcat-6.2.3.pom'.
> Received status code 409 from server*
>
> -Frederic
>
> On Friday, November 13, 2020 at 5:32:17 PM UTC+1 leleuj wrote:
>
>> Hi,
>>
>> Yes, I have an issue with the version 6.2.3 too, I can't download it.
>>
>> I just set up a Maven overlay based on the cas-mgmt-webapp v6.2.2, but I
>> only see pac4j-* v4.0.3 dependencies in the WEB-INF/lib.
>>
>> I don't know how you can get pac4j-core v4.1.0. Don't you have other
>> dependencies? What do you get with: *./gradlew allDependencies* in terms
>> of pac4j dependencies?
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>>
>>
>> On Fri 13 Nov 2020 at 16:45, Frédéric Lohier  wrote:
>>
>>> I just noticed that the pac4j dependency has been upgraded to 4.1.0 in
>>> the cas management 6.2.3 tag :
>>> https://github.com/apereo/cas-management/blob/v6.2.3/gradle.properties
>>>
>>> But the build of the overlay project in 6.2.3 fails because of an
>>> HTTP 409 error on a CAS artifact.
>>>
>>> On Fri, Nov 13, 2020, 16:38 Frédéric Lohier  wrote:
>>>
>>>> I built the cas management web app from the cas-management-overlay
>>>> project which does not mention any pac4j dependency.
>>>>
>>>> But the gradle.properties of the cas management project mentions a
>>>> pac4j 4.0.3 dependency:
>>>> https://github.com/apereo/cas-management/blob/v6.2.2/gradle.properties
>>>>
>>>> On Fri, Nov 13, 2020, 16:26 Jérôme LELEU  wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> What's the version of your pac4j-cas dependency? You need pac4j-cas
>>>>> v4.1.0 (to be aligned with pac4j-core v4.1.0)...
>>>>> Thanks.
>>>>> Best regards,
>>>>> Jérôme
>>>>>
>>>>>
>>>>> On Fri 13 Nov 2020 at 16:18, Frédéric Lohier  wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>>
>>>>>> Thank you for looking into this. The full error stack below is indeed
>>>>>> mentioning pac4j 4.1.0 (pac4j-core-4.1.0.jar!/:?]):
>>>>>>
>>>>>> ERROR
>>>>>> [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas-management].[dispatcherServlet]]
>>>>>> - >>>>> [/cas-management] threw exception [Handler dispatch failed; nested
>>>>>> exception is java.lang.NoSuchMethodError:
>>>>>> 'org.pac4j.core.profile.InternalAttributeHandler
>>>>>> org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'] with
>>>>>> root cause>
>>>>>>
>>>>>> java.lang.NoSuchMethodError:
>>>>>> 'org.pac4j.core.profile.InternalAttributeHandler
>>>>>> org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'
>>>>>>
>>>>>> at
>>>>>> org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:82)
>>>>>> ~[pac4j-cas-4.0.3.jar!/:?]
>>>>>>
>>>>>> at
>>>>>> org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:91)
>>>>>> ~[pac4j-cas-4.0.3.jar!/:?]
>>>>>>
>>>>>> at
>>>>>> org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:42)
>>>>>> ~[pac4j-core-4.1.0.jar!/:?]
>>>>>>
>>>>>> at
>>>>>> org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:119)
>>>>>> ~[pac4j-core-4.1.0.jar!/:?]
>>>>>>
>>>>>> at
>>>>>> org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:120)
>>>>>> ~[spring-webmvc-pac4j-4.0.1.jar!/:?]
>>>>>>
>>>>>> at
>>>>>> org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.jav

Re: [cas-user] pac4j error in cas management webapp

2020-11-13 Thread Jérôme LELEU
Hi,

Yes, I have an issue with the version 6.2.3 too, I can't download it.

I just set up a Maven overlay based on the cas-mgmt-webapp v6.2.2, but I
only see pac4j-* v4.0.3 dependencies in the WEB-INF/lib.

I don't know how you can get pac4j-core v4.1.0. Don't you have other
dependencies? What do you get with: *./gradlew allDependencies* in terms of
pac4j dependencies?

Thanks.
Best regards,
Jérôme




On Fri 13 Nov 2020 at 16:45, Frédéric Lohier  wrote:

> I just noticed that the pac4j dependency has been upgraded to 4.1.0 in the
> cas management 6.2.3 tag :
> https://github.com/apereo/cas-management/blob/v6.2.3/gradle.properties
>
> But the build of the overlay project in 6.2.3 fails because of an HTTP
> 409 error on a CAS artifact.
>
> On Fri, Nov 13, 2020, 16:38 Frédéric Lohier  wrote:
>
>> I built the cas management web app from the cas-management-overlay
>> project which does not mention any pac4j dependency.
>>
>> But the gradle.properties of the cas management project mentions a pac4j
>> 4.0.3 dependency:
>> https://github.com/apereo/cas-management/blob/v6.2.2/gradle.properties
>>
>> On Fri, Nov 13, 2020, 16:26 Jérôme LELEU  wrote:
>>
>>> Hi,
>>>
>>> What's the version of your pac4j-cas dependency? You need pac4j-cas
>>> v4.1.0 (to be aligned with pac4j-core v4.1.0)...
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> On Fri 13 Nov 2020 at 16:18, Frédéric Lohier  wrote:
>>>
>>>> Hello,
>>>>
>>>>
>>>> Thank you for looking into this. The full error stack below is indeed
>>>> mentioning pac4j 4.1.0 (pac4j-core-4.1.0.jar!/:?]):
>>>>
>>>> ERROR
>>>> [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas-management].[dispatcherServlet]]
>>>> - >>> [/cas-management] threw exception [Handler dispatch failed; nested
>>>> exception is java.lang.NoSuchMethodError:
>>>> 'org.pac4j.core.profile.InternalAttributeHandler
>>>> org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'] with
>>>> root cause>
>>>>
>>>> java.lang.NoSuchMethodError:
>>>> 'org.pac4j.core.profile.InternalAttributeHandler
>>>> org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'
>>>>
>>>> at
>>>> org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:82)
>>>> ~[pac4j-cas-4.0.3.jar!/:?]
>>>>
>>>> at
>>>> org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:91)
>>>> ~[pac4j-cas-4.0.3.jar!/:?]
>>>>
>>>> at
>>>> org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:42)
>>>> ~[pac4j-core-4.1.0.jar!/:?]
>>>>
>>>> at
>>>> org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:119)
>>>> ~[pac4j-core-4.1.0.jar!/:?]
>>>>
>>>> at
>>>> org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:120)
>>>> ~[spring-webmvc-pac4j-4.0.1.jar!/:?]
>>>>
>>>> at
>>>> org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:141)
>>>> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>>>>
>>>> at
>>>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1035)
>>>> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>>>>
>>>> at
>>>> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
>>>> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>>>>
>>>> at
>>>> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
>>>> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>>>>
>>>> at
>>>> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
>>>> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>>>>
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:645)
>>>> ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
>>>>
>>>> at
>>>> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
>>>> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]

Re: [cas-user] pac4j error in cas management webapp

2020-11-13 Thread Jérôme LELEU
Hi,

What's the version of your pac4j-cas dependency? You need pac4j-cas v4.1.0
(to be aligned with pac4j-core v4.1.0)...
Thanks.
Best regards,
Jérôme


On Fri 13 Nov 2020 at 16:18, Frédéric Lohier  wrote:

> Hello,
>
>
> Thank you for looking into this. The full error stack below is indeed
> mentioning pac4j 4.1.0 (pac4j-core-4.1.0.jar!/:?]):
>
> ERROR
> [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas-management].[dispatcherServlet]]
> -  [/cas-management] threw exception [Handler dispatch failed; nested
> exception is java.lang.NoSuchMethodError:
> 'org.pac4j.core.profile.InternalAttributeHandler
> org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'] with
> root cause>
>
> java.lang.NoSuchMethodError:
> 'org.pac4j.core.profile.InternalAttributeHandler
> org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'
>
> at
> org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:82)
> ~[pac4j-cas-4.0.3.jar!/:?]
>
> at
> org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:91)
> ~[pac4j-cas-4.0.3.jar!/:?]
>
> at
> org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:42)
> ~[pac4j-core-4.1.0.jar!/:?]
>
> at
> org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:119)
> ~[pac4j-core-4.1.0.jar!/:?]
>
> at
> org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:120)
> ~[spring-webmvc-pac4j-4.0.1.jar!/:?]
>
> at
> org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:141)
> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1035)
> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:645)
> ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
>
> at
> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
> ~[spring-webmvc-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
> ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
>
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> ~[tomcat-catalina-9.0.37.jar!/:9.0.37]
>
>at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> ~[tomcat-catalina-9.0.37.jar!/:9.0.37]
>
> at
> org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66)
> ~[inspektr-common-1.8.10.GA.jar!/:1.8.10.GA ]
>
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> ~[tomcat-catalina-9.0.37.jar!/:9.0.37]
>
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> ~[tomcat-catalina-9.0.37.jar!/:9.0.37]
>
> at
> org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
> ~[spring-web-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> ~[spring-web-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> ~[tomcat-catalina-9.0.37.jar!/:9.0.37]
>
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> ~[tomcat-catalina-9.0.37.jar!/:9.0.37]
>
> at
> org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
> ~[spring-web-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> ~[spring-web-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> ~[tomcat-catalina-9.0.37.jar!/:9.0.37]
>
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> ~[tomcat-catalina-9.0.37.jar!/:9.0.37]
>
> at
> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
> ~[spring-web-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
>
> at
> 

Re: [cas-user] pac4j error in cas management webapp

2020-11-13 Thread Jérôme LELEU
Hi,

Indeed, pac4j is the security framework used for authentication.

It feels like a dependency issue as the InternalAttributeHandler component
has been removed in pac4j v4.1.0.

What are the versions of the pac4j dependencies?

Thanks.
Best regards,
Jérôme



On Fri 13 Nov 2020 at 15:58, Frédéric Lohier  wrote:

> Hello,
>
> I am trying to set up the CAS Management webapp 6.2.2 with CAS Server
> 6.2.5, but I am running into the following issue:
>
> When I log in to the CAS Management webapp with a user that exists in the
> users.json file of the Management webapp, the authentication with CAS is
> successful but I get the message "Management app is not available" in the
> GUI and in the cas-management.log file, I get the error:
>
> ERROR
> [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas-management].[dispatcherServlet]]
> -  [/cas-management] threw exception [Handler dispatch failed; nested
> exception is java.lang.NoSuchMethodError:
> 'org.pac4j.core.profile.InternalAttributeHandler
> org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'] with
> root cause>
>
> java.lang.NoSuchMethodError:
> 'org.pac4j.core.profile.InternalAttributeHandler
> org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'
>
> Any idea where this issue could come from?
>
> From my understanding, pac4j is the component evaluating the identity's
> attributes coming from CAS server.
>
> With CAS Management in debug log-level, I can see all attributes of the
> authenticated identity coming from CAS server in the cas-management.log.
>
> Could it be a dependency issue? I build CAS Management with the following
> gradle properties :
> # Versions
> casmgmt.version=6.2.2
> cas.version=6.2.5
> springBootVersion=2.2.8.RELEASE
> appServer=-tomcat
> sourceCompatibility=11
> targetCompatibility=11
> gradleMavenPluginVersion=5.1.1
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0498530b-b40a-4e14-9267-58c31a7148cen%40apereo.org
> 
> .
>



Re: [cas-user] JWT decode

2020-11-11 Thread Jérôme LELEU
Hi,

You have an example in the documentation:
https://apereo.github.io/cas/6.2.x/installation/JWT-Authentication.html#overview
Thanks.
Best regards,
Jérôme


Le mer. 11 nov. 2020 à 23:38, Colin Ryan  a écrit :

> I did this, it wasn't easy, possibly due to my lack of knowledge. I combed
> through the CAS source code to find the bits involved and simply emulated
> them, as they are all to-spec workings.
>
> I didn't see any directly exposed CAS APIs for this; they were all
> internal.
>
> I made extensive use of the jose4j library to deal with the JWT tokens etc
> etc.
>
> https://bitbucket.org/b_c/jose4j/wiki/Home
>
> Look around in the source for
>
> CipherExecutor
>
> EncodingUtils
>
> for hints.
>
> There are multiple layers (sorry, can't remember the details). The JWT
> component itself has signature and hashes, and then the JWT itself is
> additionally encrypted before being stored in TOTP databases. Keep in mind
> that there are secrets involved that, once shared, expose every token.
>
> Not sure if this was much help.
>
>
> Colin
> On 11/11/20 3:58 PM, Jeffrey Ramsay wrote:
>
> Hello -
>
> I am hoping someone can point me in the right direction regarding JWT used
> with CAS and which api is used to decode/decrypt them. I want to be able to
> decode the GAUTH secret for third-party access.
>
> Base64 decoding the string produces these headers.
>
> {"alg":"HS512","typ":"JWT"}
> {"zip":"DEF","alg":"dir","enc":"A256GCM","cty":"JWT","typ":"JWT"}
>
> Thanks,
> -Jeff

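As an added illustration (not code from the thread, from CAS, or from jose4j's own documentation) of the two-layer token whose headers Jeff decoded, and of Colin's remark that the secrets unlock every token: the inner HS512 JWS is wrapped in a direct A256GCM JWE with DEFLATE compression, and the consuming side pins both algorithms before any key is used. It assumes jose4j 0.7 or later on the classpath; the keys and claims are generated or constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Base64;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.AesKey;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.JoseException;
// Two-layer token matching the headers decoded in the thread: an HS512 JWS nested in a
// JWE that uses direct A256GCM with DEFLATE compression. Keys are generated per run for
// the demo; in a deployment they are the configured secrets, and holding both opens every token.
public final class NestedJwtDemo {
    private final Key signingKey;     // HS512: jose4j requires at least 512 bits
    private final Key encryptionKey;  // A256GCM: exactly 256 bits

    public NestedJwtDemo(byte[] signingSecret, byte[] encryptionSecret) {
        this.signingKey = new HmacKey(signingSecret);
        this.encryptionKey = new AesKey(encryptionSecret);
    }

    // Inner layer: HS512-sign the claims, producing a compact JWS ({"alg":"HS512","typ":"JWT"}).
    public String sign(String claimsJson) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claimsJson);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA512);
        jws.setHeader("typ", "JWT");
        jws.setKey(signingKey);
        return jws.getCompactSerialization();
    }

    // Outer layer: compress and encrypt the JWS as the payload of a JWE.
    public String encrypt(String jwsCompact) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT);
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_256_GCM);
        jwe.enableDefaultCompression();        // adds "zip":"DEF"
        jwe.setContentTypeHeaderValue("JWT");  // adds "cty":"JWT", marking a nested JWT
        jwe.setHeader("typ", "JWT");
        jwe.setPayload(jwsCompact);
        jwe.setKey(encryptionKey);
        return jwe.getCompactSerialization();
    }

    // Reverse both layers. "alg"/"enc" are pinned before any key is used: the header is
    // untrusted input until the GCM tag and the HMAC have been checked.
    public String decryptAndVerify(String token) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, KeyManagementAlgorithmIdentifiers.DIRECT));
        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, ContentEncryptionAlgorithmIdentifiers.AES_256_GCM));
        jwe.setKey(encryptionKey);
        jwe.setCompactSerialization(token);
        String innerJws = jwe.getPayload();    // throws on a bad tag or a wrong key
        JsonWebSignature jws = new JsonWebSignature();
        jws.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.HMAC_SHA512));
        jws.setKey(signingKey);
        jws.setCompactSerialization(innerJws);
        if (!jws.verifySignature()) {
            throw new JoseException("inner JWS signature does not verify");
        }
        return jws.getUnverifiedPayload();     // safe: signature was verified just above
    }

    // Decode only the protected header of a compact token, as the poster did.
    public static String headerOf(String compact) {
        String segment = compact.substring(0, compact.indexOf('.'));
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws JoseException {
        SecureRandom rnd = new SecureRandom();
        byte[] signingSecret = new byte[64];     // 512-bit HMAC key, demo only
        byte[] encryptionSecret = new byte[32];  // 256-bit AES key, demo only
        rnd.nextBytes(signingSecret);
        rnd.nextBytes(encryptionSecret);
        NestedJwtDemo demo = new NestedJwtDemo(signingSecret, encryptionSecret);
        String jws = demo.sign("{\"sub\":\"alice\",\"demo\":true}");  // constructed claims
        String token = demo.encrypt(jws);
        System.out.println("inner header: " + headerOf(jws));
        System.out.println("outer header: " + headerOf(token));
        System.out.println("recovered   : " + demo.decryptAndVerify(token));
        // A token produced under a different encryption key must be rejected, not decoded.
        byte[] otherSecret = new byte[32];
        rnd.nextBytes(otherSecret);
        String foreign = new NestedJwtDemo(signingSecret, otherSecret).encrypt(jws);
        try {
            demo.decryptAndVerify(foreign);
            System.out.println("UNEXPECTED: foreign token accepted");
        } catch (JoseException expected) {
            System.out.println("foreign token rejected: " + expected.getMessage());
        }
    }
}
```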

Re: [cas-user] I need guidance please: Id in social networks must go with Google2Profile

2020-11-04 Thread Jérôme LELEU
Hi,

You should set the *cas.authn.pac4j.typed-id-used* property to *true*.
Thanks.
Best regards,
Jérôme



Le mar. 3 nov. 2020 à 13:33, Fernando Gómez  a écrit :

> Hello, to complete my integration of CAS SSO with my app, I need that when
> I return the answer that it can be credited with networks, for example with
> Google, my ID that I return must come in the format
> Google2Profile123456789; it means the Google2Profile word concatenated with
> the user's ID. The problem is that it is not arriving this way: only the ID
> arrives, and on the way the Google2Profile is lost. Please let me know what I
> can do, and if it is not possible to keep the Google2Profile, how could I
> identify that this accreditation comes through networks, since I must do
> some internal processes in my app if it comes from a network.
>
> Thanks in advance...
>


[cas-user] Re: [cas-dev] Release Announcement: CAS Security Patches

2020-10-16 Thread Jérôme LELEU
Hi,

Yes, exactly, this only affects the Google Authenticator MFA support.
Thanks.
Best regards,
Jérôme


Le jeu. 15 oct. 2020 à 22:13, Mike Osterman  a écrit :

> Thanks, Jérôme!
>
> Based on the opening statement of "affects the handling of secret keys
> with Google Authenticator for multifactor authentication" is it safe to
> assume that this only affects CAS implementations that use Google
> Authenticator for MFA (as opposed to Duo or another MFA implementation)?
>
> Thank you,
> Mike
>
> On Thu, Oct 15, 2020 at 2:32 AM Jérôme LELEU  wrote:
>
>> Hi,
>>
>> Please see: https://apereo.github.io/2020/10/14/gauthvuln/
>> Thanks.
>> Best regards,
>> Jérôme
>>


[cas-user] Release Announcement: CAS Security Patches

2020-10-15 Thread Jérôme LELEU
Hi,

Please see: https://apereo.github.io/2020/10/14/gauthvuln/
Thanks.
Best regards,
Jérôme



Re: [cas-user] Redirection after authentication from https to http

2020-09-16 Thread Jérôme LELEU
Hi,

Yes, you need to add additional JARs for that customization.
Thanks.
Best regards,
Jérôme


Le jeu. 17 sept. 2020 à 07:22, Joe Manavalan  a
écrit :

> Hi Jerome,
> Where do we add custom jars in the project to be included in the build? I
> am using the CAS overlay template 6.1, building a WAR, and deploying in Tomcat
> [not embedded Tomcat].
> Also, how do we restrict the specific version of jars being pulled in by the
> Gradle build?
>
> After using custom JDKHttpClient with modified JDKHttpClientConfig using
> proxy, redirection issue [https to http ] was resolved with replace method
> in BaseDelegatedAuthenticationController
> [val url = httpUrl.replace("http", "https");]
>
> So I need to use 2 custom jars
> cas-server-support-pac4j-webflow-6.1.7.jar
> scribejava-core-6.9.0.jar
>
> Thanks
> Joe
>
> On Tuesday, September 15, 2020 at 11:35:30 AM UTC-5 leleuj wrote:
>
>> Hi,
>>
>> In fact, I meant that you should set the *Proxy* in a specific
>> JDKHttpClientConfig and instantiate a specific JDKHttpClient with that.
>> Instead of using it directly for the *HttpURLConnection*.
>> This may not be possible though... I haven't tested it...
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> Le mar. 15 sept. 2020 à 18:28, Joe Manavalan  a
>> écrit :
>>
>>> Hi Jerome,
>>>
>>> For some reason
>>> com.github.scribejava.core.httpclient.jdk.JDKHttpClient.java is not using
>>> the proxy from jvm arguments even though the arguments are reaching the
>>> class.
>>>
> Finally, when I explicitly use a proxy in the connection, everything
> works. Do you think this is the right approach? Or am I missing any
> properties, which is causing the client not to use the proxy?
>>>
>>> final Proxy proxy = new Proxy(Proxy.Type.HTTP, new
>>> InetSocketAddress("proxy", 80));
>>> final HttpURLConnection connection = (HttpURLConnection) new
>>> URL(completeUrl).openConnection(proxy);
>>>
>>> Thanks again for your tips.
>>> Joe
>>>
>>> On Thursday, September 10, 2020 at 1:06:01 AM UTC-5 leleuj wrote:
>>>
 Hi,

 pac4j relies on ScribeJava to handle the OAuth protocol communications.
 This library itself relies on an internal HTTP client for HTTP calls:
 by default, it's the JDKHttpClient.
 And you can set a Proxy at this level. But this must be done
 programmatically.
 You should put some breakpoint in the OAuth20Authenticator.
 Thanks.
 Best regards,
 Jérôme


 Le jeu. 10 sept. 2020 à 05:30, Joe Manavalan  a
 écrit :

> Unfortunately I did not get any additional logs from  either of the
> packages.
>
> On Wednesday, September 9, 2020 at 5:45:55 AM UTC-5 leleuj wrote:
>
>> Hi,
>>
>> You should turn on DEBUG logs on org.pac4j and com.github.scribejava.
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> Le mer. 9 sept. 2020 à 06:42, Joe Manavalan  a
>> écrit :
>>
>>>
>>> Hi Jerome,
>>> Are there any logs we can get to see the timed out request url?
>>> btw I tried adding the proxy host and port as jvm arguments with the
>>> same connection timed out error.
>>>
>>> Thanks
>>> Joe
>>> On Tuesday, September 8, 2020 at 7:49:32 PM UTC-5 Joe Manavalan
>>> wrote:
>>>

 Hi Jerome,

 It appears that the token server cannot be reached directly but has
 to go via a proxy.
 Is there a property in CAS to specify the proxy URL and port, or does
 this have to be a network setting on the server?

 Thanks
 Joe
 On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:

> Hi,
>
> During the authentication process, CAS via pac4j tries to directly
> contact the identity provider to retrieve the access token.
> The "connection timeout" means that the identity provider is not
> directly reachable from the CAS server. Maybe a mismatch in the URL
> definition or a proxy setting on the CAS server.
> Thanks.
> Best regards,
> Jérôme
>
>
> Le mar. 8 sept. 2020 à 03:34, Joe Manavalan 
> a écrit :
>
>> Hi Jerome,
>>
> >> For testing I set up the server name as the URL. And now I have
> >> the redirect URL coming correctly, but it's timing out when getting the
> >> authentication object. Since the error is from pac4j, I also posted a
> >> message in the pac4j group too.
>>
>> Following is the trace from log. Would it help trying a different
>> version of pac4j ?
>>
>>
>> 2020-09-07 18:47:30,765 DEBUG
>> [org.springframework.security.web.FilterChainProxy] -
>> > reached end of additional filter chain; proceeding with original 
>> chain>
>> 2020-09-07 18:47:30,772 DEBUG
>> [org.springframework.web.servlet.DispatcherServlet] - > 

Re: [cas-user] Change the Path of cas.properties file

2020-09-16 Thread Jérôme LELEU
Hi,

You can pass this property when starting your CAS server (-Dxxx). For
example:
java -jar /path/to/cas.war -Djava.util.logging.config.file=/path/to/logging.properties
Thanks.
Best regards,
Jérôme


Le mer. 16 sept. 2020 à 11:30, Danny Tung  a écrit :

> Hello all,
>
> I would like to change the path of cas.properties. According to the
> document at
> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Server-Management.html
> :
> ... *CAS by default will attempt to locate settings and properties
> inside a given directory indicated under the setting name
> cas.standalone.configurationDirectory and otherwise falls back to using
> /etc/cas/config as the configuration directory* ...
>
> However, I have no idea how to configure the setting name
> *cas.standalone.configurationDirectory*. Does anyone have an idea on how to
> configure the value of *configurationDirectory*? Thank you very much.
>
> Dan
>


Re: [cas-user] Redirection after authentication from https to http

2020-09-15 Thread Jérôme LELEU
Hi,

In fact, I meant that you should set the *Proxy* in a specific
JDKHttpClientConfig and instantiate a specific JDKHttpClient with that.
Instead of using it directly for the *HttpURLConnection*.
This may not be possible though... I haven't tested it...
Thanks.
Best regards,
Jérôme


Le mar. 15 sept. 2020 à 18:28, Joe Manavalan  a
écrit :

> Hi Jerome,
>
> For some reason
> com.github.scribejava.core.httpclient.jdk.JDKHttpClient.java is not using
> the proxy from jvm arguments even though the arguments are reaching the
> class.
>
> Finally, when I explicitly use a proxy in the connection, everything
> works. Do you think this is the right approach? Or am I missing any
> properties, which is causing the client not to use the proxy?
>
> final Proxy proxy = new Proxy(Proxy.Type.HTTP, new
> InetSocketAddress("proxy", 80));
> final HttpURLConnection connection = (HttpURLConnection) new
> URL(completeUrl).openConnection(proxy);
>
> Thanks again for your tips.
> Joe
>
> On Thursday, September 10, 2020 at 1:06:01 AM UTC-5 leleuj wrote:
>
>> Hi,
>>
>> pac4j relies on ScribeJava to handle the OAuth protocol communications.
>> This library itself relies on an internal HTTP client for HTTP calls: by
>> default, it's the JDKHttpClient.
>> And you can set a Proxy at this level. But this must be done
>> programmatically.
>> You should put some breakpoint in the OAuth20Authenticator.
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> Le jeu. 10 sept. 2020 à 05:30, Joe Manavalan  a
>> écrit :
>>
>>> Unfortunately I did not get any additional logs from  either of the
>>> packages.
>>>
>>> On Wednesday, September 9, 2020 at 5:45:55 AM UTC-5 leleuj wrote:
>>>
 Hi,

 You should turn on DEBUG logs on org.pac4j and com.github.scribejava.
 Thanks.
 Best regards,
 Jérôme


 Le mer. 9 sept. 2020 à 06:42, Joe Manavalan  a
 écrit :

>
> Hi Jerome,
> Are there any logs we can get to see the timed out request url?
> btw I tried adding the proxy host and port as jvm arguments with the
> same connection timed out error.
>
> Thanks
> Joe
> On Tuesday, September 8, 2020 at 7:49:32 PM UTC-5 Joe Manavalan wrote:
>
>>
>> Hi Jerome,
>>
>> It appears that the token server cannot be reached directly but has
>> to go via a proxy.
>> Is there a property in CAS to specify the proxy URL and port, or does
>> this have to be a network setting on the server?
>>
>> Thanks
>> Joe
>> On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:
>>
>>> Hi,
>>>
>>> During the authentication process, CAS via pac4j tries to directly
>>> contact the identity provider to retrieve the access token.
>>> The "connection timeout" means that the identity provider is not
>>> directly reachable from the CAS server. Maybe a mismatch in the URL
>>> definition or a proxy setting on the CAS server.
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> Le mar. 8 sept. 2020 à 03:34, Joe Manavalan  a
>>> écrit :
>>>
 Hi Jerome,

 For testing I set up the server name as the URL. And now I have the
 redirect URL coming correctly, but it's timing out when getting the
 authentication object. Since the error is from pac4j, I also posted a
 message in the pac4j group too.

 Following is the trace from log. Would it help trying a different
 version of pac4j ?


 2020-09-07 18:47:30,765 DEBUG
 [org.springframework.security.web.FilterChainProxy] -
 >>> reached end of additional filter chain; proceeding with original chain>
 2020-09-07 18:47:30,772 DEBUG
 [org.springframework.web.servlet.DispatcherServlet] - >>> "/codesESSO/login/a204264-CodesESSO_DevDomain?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8",
 parameters={masked}>
 2020-09-07 18:47:30,774 DEBUG
 [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
 - >>> org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
 HttpServletRequest, HttpServletResponse)>
 2020-09-07 18:47:30,775 DEBUG
 [org.apereo.cas.web.BaseDelegatedAuthenticationController] - >>> a
 response for client [a204264-CodesESSO_DevDomain], redirecting the 
 login
 flow [
 https://mycompanydomain.com:8445/codesESSO/login?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain
 ]>
 2020-09-07 18:47:30,786 DEBUG
 [org.springframework.web.servlet.view.RedirectView] - >>> [RedirectView],
 model {}>
 2020-09-07 18:47:30,787 DEBUG
 [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
 - >>> not be
 stored in 

Re: [cas-user] SAML request via http POST

2020-09-10 Thread Jérôme LELEU
Hi,

Yes, it cannot work in the old versions of CAS.
An intermediate component has been added in more recent versions to handle
that.
I recommend upgrading to v6.1 or v6.2.
Thanks.
Best regards,
Jérôme


Le jeu. 10 sept. 2020 à 15:55, Peter Lee  a écrit :

> I don't get the HTTP request in the browser. The link at the login page
> button is extracted from the pac4jUrls object for redirect (it looks like it's
> for redirect binding; this button works when destinationbinding is set to
> redirect).
> So it seems what I am missing is to get the POST body and set it to a form
> button on the login page. But I don't know what object (is it a Velocity
> object?) and how do I get the object.
> I am not familiar with front end. Am I missing CSS and vm/html files? Thanks.
>
> Here is additional log related to rendering the login page.
> 2020-09-09 23:03:11,906 DEBUG
> [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction]
> - 
> 2020-09-09 23:03:11,906 DEBUG
> [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction]
> - 
>
>
> On Thursday, September 10, 2020 at 8:25:00 AM UTC-5 leleuj wrote:
>
>> Hi,
>>
>> Regarding the logs, it seems to be working.
>> Do you see the SAML authn request posted in your browser logs?
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> Le jeu. 10 sept. 2020 à 14:28, Peter Lee  a écrit :
>>
>>> I am using v5.2.9. I've set the
>>> *cas.authn.pac4j.saml[0].destinationbinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.*
>>> I do see POST body is being created according to the log, is POST
>>> binding not fully supported yet in this version?
>>> Or am I missing jar files in build to associate Velocity objects to be
>>> able to send SAML request with http POST? Thank you.
>>>
>>> 2020-09-09 23:03:11,902 DEBUG
>>> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] - >> Pac4jHTTPPostEncoder>
>>> 2020-09-09 23:03:11,902 DEBUG
>>> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] - >> template to create POST body>
>>> 2020-09-09 23:03:11,902 DEBUG
>>> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] - >> https://auth.pingone.com/198f2df8-575d-4e67-9c83-9693476dd6b7/saml20/idp/sso'
>>> with encoded value 'httpsauth.pingone.com
>>> 198f2df8-575d-4e67-9c83-9693476dd6b7saml20idpsso'>
>>> 2020-09-09 23:03:11,902 DEBUG
>>> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] - >> encoding SAML message>
>>> 2020-09-09 23:03:11,902 DEBUG
>>> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] - 
>>> 2020-09-09 23:03:11,902 DEBUG
>>> [org.opensaml.core.xml.util.XMLObjectSupport] - 
>>> 2020-09-09 23:03:11,902 DEBUG
>>> [org.opensaml.core.xml.util.XMLObjectSupport] - >> cached DOM, returning that element>
>>> 2020-09-09 23:03:11,903 DEBUG
>>> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] - >> parameter to:
>>>
>>> On Thursday, September 10, 2020 at 1:00:56 AM UTC-5 leleuj wrote:
>>>
 Hi,

 You should be able to configure the POST binding for the SAML authn
 request via the following property:
 *cas.authn.pac4j.saml[0].destination-binding* (in v6.2).
 Though, it may not work in old CAS versions.
 Thanks.
 Best regards,
 Jérôme


 Le mer. 9 sept. 2020 à 23:06, Peter Lee  a écrit :

> Hi all, trying to set up our application SSO using CAS delegated to an
> external IdP. When the IdP requires the POST binding for SSO, for our
> customized login page, what is the interface I call to get the SAML request
> and URL to set in the HTTP POST? We've made redirect binding work by
> getting the redirect URL from pac4jUrls. But I can't find objects for POST
> binding, though I do see in the log that "Invoking Velocity template to
> create POST body" in Pac4jHTTPPostEncoder. Thanks a lot in advance.
>

Re: [cas-user] SAML request via http POST

2020-09-10 Thread Jérôme LELEU
Hi,

Regarding the logs, it seems to be working.
Do you see the SAML authn request posted in your browser logs?
Thanks.
Best regards,
Jérôme


Le jeu. 10 sept. 2020 à 14:28, Peter Lee  a écrit :

> I am using v5.2.9. I've set the
> *cas.authn.pac4j.saml[0].destinationbinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.*
> I do see POST body is being created according to the log, is POST binding
> not fully supported yet in this version?
> Or am I missing jar files in build to associate Velocity objects to be
> able to send SAML request with http POST? Thank you.
>
> 2020-09-09 23:03:11,902 DEBUG
> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] -  Pac4jHTTPPostEncoder>
> 2020-09-09 23:03:11,902 DEBUG
> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] -  template to create POST body>
> 2020-09-09 23:03:11,902 DEBUG
> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] -  https://auth.pingone.com/198f2df8-575d-4e67-9c83-9693476dd6b7/saml20/idp/sso'
> with encoded value 'httpsauth.pingone.com
> 198f2df8-575d-4e67-9c83-9693476dd6b7saml20idpsso'>
> 2020-09-09 23:03:11,902 DEBUG
> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] -  encoding SAML message>
> 2020-09-09 23:03:11,902 DEBUG
> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] - 
> 2020-09-09 23:03:11,902 DEBUG
> [org.opensaml.core.xml.util.XMLObjectSupport] - 
> 2020-09-09 23:03:11,902 DEBUG
> [org.opensaml.core.xml.util.XMLObjectSupport] -  cached DOM, returning that element>
> 2020-09-09 23:03:11,903 DEBUG
> [org.pac4j.saml.transport.Pac4jHTTPPostEncoder] -  parameter to:
>
> On Thursday, September 10, 2020 at 1:00:56 AM UTC-5 leleuj wrote:
>
>> Hi,
>>
>> You should be able to configure the POST binding for the SAML authn
>> request via the following property:
>> *cas.authn.pac4j.saml[0].destination-binding* (in v6.2).
>> Though, it may not work in old CAS versions.
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> Le mer. 9 sept. 2020 à 23:06, Peter Lee  a écrit :
>>
>>> Hi all, trying to set up our application SSO using CAS delegated to an
>>> external IdP. When the IdP requires the POST binding for SSO, for our
>>> customized login page, what is the interface I call to get the SAML request
>>> and URL to set in the HTTP POST? We've made redirect binding work by
>>> getting the redirect URL from pac4jUrls. But I can't find objects for POST
>>> binding, though I do see in the log that "Invoking Velocity template to
>>> create POST body" in Pac4jHTTPPostEncoder. Thanks a lot in advance.
>>>


Re: [cas-user] Redirection after authentication from https to http

2020-09-10 Thread Jérôme LELEU

Re: [cas-user] SAML request via http POST

2020-09-10 Thread Jérôme LELEU
Hi,

You should be able to configure the POST binding for the SAML authn request
via the following property: *cas.authn.pac4j.saml[0].destination-binding*
(in v6.2).
Though, it may not work in old CAS versions.
Thanks.
Best regards,
Jérôme


Le mer. 9 sept. 2020 à 23:06, Peter Lee  a écrit :

> Hi all, trying to set up our application SSO using CAS delegated to an
> external IdP. When the IdP requires the POST binding for SSO, for our
> customized login page, what is the interface I call to get the SAML request
> and URL to set in the HTTP POST? We've made redirect binding work by
> getting the redirect URL from pac4jUrls. But I can't find objects for POST
> binding, though I do see in the log that "Invoking Velocity template to
> create POST body" in Pac4jHTTPPostEncoder. Thanks a lot in advance.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/7cb8829a-d699-43d0-b7dd-78dad44b059en%40apereo.org
> 
> .
>

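To make the difference between the two bindings concrete, here is an added Python example (not pac4j's or CAS's code, and not from the thread). It encodes a constructed AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded into the query string) and for the HTTP-POST binding (base64 only, carried in a hidden field of an auto-submitting form, which is what pac4j's Velocity template renders), plus the matching decoders. The IdP SSO URL, the request XML and the RelayState value are constructed for the example; the request is left unsigned, which a real deployment would not do.

```python
"""SAML2 AuthnRequest encoding for the HTTP-Redirect and HTTP-POST bindings (added example)."""
import base64
import html
import urllib.parse
import zlib
from typing import Optional

# Constructed sample request; a real AuthnRequest carries more attributes and a signature.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2020-09-09T21:06:00Z" '
    'AssertionConsumerServiceURL="https://cas.example.org/cas/login?client_name=SAML2Client">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://cas.example.org/cas/idp</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def redirect_binding_url(idp_sso_url: str, authn_request: str,
                         relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect: raw DEFLATE (no zlib header), base64, then URL-encoded query parameters."""
    compressor = zlib.compressobj(wbits=-15)          # negative wbits => raw DEFLATE stream
    deflated = compressor.compress(authn_request.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    # urlencode percent-encodes '+', '/' and '=' from the base64 alphabet, so they survive parsing.
    return idp_sso_url + separator + urllib.parse.urlencode(params)


def post_binding_form(idp_sso_url: str, authn_request: str,
                      relay_state: Optional[str] = None) -> str:
    """HTTP-POST: base64 only (no DEFLATE), in hidden fields of a self-submitting HTML form."""
    encoded = base64.b64encode(authn_request.encode("utf-8")).decode("ascii")
    fields = [("SAMLRequest", encoded)]
    if relay_state:
        fields.append(("RelayState", relay_state))
    # Every value is HTML-escaped: RelayState is caller-supplied and must not break out of the attribute.
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(n)}" value="{html.escape(v)}"/>' for n, v in fields
    )
    return (
        f'<form method="post" action="{html.escape(idp_sso_url)}" id="saml-post">'
        f'{inputs}<noscript><input type="submit" value="Continue"/></noscript></form>'
        '<script>document.getElementById("saml-post").submit();</script>'
    )


def decode_redirect_request(url: str) -> str:
    """Inverse of redirect_binding_url: query parameter -> base64 -> inflate."""
    query = urllib.parse.urlparse(url).query
    b64 = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), wbits=-15).decode("utf-8")


def decode_post_request(form_html: str) -> str:
    """Inverse of post_binding_form: read the SAMLRequest hidden field and base64-decode it."""
    marker = 'name="SAMLRequest" value="'
    start = form_html.index(marker) + len(marker)
    end = form_html.index('"', start)
    return base64.b64decode(html.unescape(form_html[start:end])).decode("utf-8")


if __name__ == "__main__":
    print(redirect_binding_url("https://idp.example.org/saml2/sso", SAMPLE_AUTHN_REQUEST, "state"))
    print(post_binding_form("https://idp.example.org/saml2/sso", SAMPLE_AUTHN_REQUEST, "state"))
```

For a custom login page the POST binding needs both pieces that the form carries: the IdP's SSO endpoint as the form action and the base64 request (with any RelayState) as hidden fields; the Redirect binding needs only the finished URL. Note that the two encodings are not interchangeable: a POST body must not be deflated, and a redirect parameter must be.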


Re: [cas-user] Authentication throttling, per IP and username?

2020-09-09 Thread Jérôme LELEU
Hi,

The value of the *cas.authn.throttle.usernameParameter* property must be
the name of the request parameter holding the username (from the login
form), which is "username".
Thanks.
Best regards,
Jérôme


Le mer. 9 sept. 2020 à 19:37, Baron Fujimoto  a écrit :

> Mahalo for the clarification! I'm assuming that the "username" value for
> the cas.authn.throttle.usernameParameter is a general value for all users
> and not a specific user, e.g. "alice" or "bob" (because that would be...
> non-optimal)? Does it matter what the value for the
> cas.authn.throttle.usernameParameter property is, or just that it has some
> value? I.e., could it be set to a pseudo-boolean value, like "true" and
> have the same effect?
>
> It would be helpful if the documentation included this information.
>
> On Wed, Sep 09, 2020 at 12:57:32PM +0200, Jérôme LELEU wrote:
> >Hi,
> >
> >If you define something for the username, you'll use the throttling by IP
> >and username.
> >Thanks.
> >Best regards,
> >Jérôme
> >
> >
> >Le mer. 9 sept. 2020 à 00:10, Baron Fujimoto  a écrit :
> >
> >> I'm seeking some clarification on Authentication Throttling. We're using
> >> 5.0.x, but the documentation doesn't seem to differ much in subsequent
> >> versions for this question.
> >>
> >> <https://apereo.github.io/cas/5.0.x/installation/Configuring-Authentication-Throttling.html>
> >>
> >> The docs describe both throttling by IP address, and IP address and
> >> username. How do we ensure the latter so the throttling is also per
> >> username? The cas.properties documentation includes a
> >> "cas.authn.throttle.usernameParameter=username" property, but doesn't
> >> explain its purpose. I don't see anything else that looks like it may be
> >> relevant?
> >>
> >> --
> >> UH Information Technology Services : Identity & Access Mgmt, Middleware
> >> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
> >>
> >>
> >
>
> --
> UH Information Technology Services : Identity & Access Mgmt, Middleware
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>
>

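The practical difference between the two keys, as an added Python example (not CAS's throttling implementation and not from the thread): a sliding-window counter of failed logins keyed either by client IP alone (the equivalent of leaving cas.authn.throttle.usernameParameter unset) or by client IP plus the value of the login form's username field (the equivalent of setting it to "username"). The threshold, window, addresses and usernames are constructed for the example.

```python
"""Failed-login throttling keyed by client IP only versus by (client IP, username). Added example."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Mapping, Optional, Tuple


class LoginThrottle:
    """Sliding-window counter of failed authentications per key."""

    def __init__(self, failure_threshold: int, window_seconds: float,
                 username_parameter: Optional[str] = None) -> None:
        self.threshold = failure_threshold
        self.window = window_seconds
        self.username_parameter = username_parameter   # None => throttle by IP alone
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _key(self, client_ip: str, form: Mapping[str, str]) -> Tuple[str, str]:
        if self.username_parameter is None:
            return (client_ip, "")
        # Normalise case so "Alice" and "alice" share one bucket (a choice made for this example).
        return (client_ip, form.get(self.username_parameter, "").strip().lower())

    def _prune(self, key: Tuple[str, str], now: float) -> Deque[float]:
        """Drop failures older than the window and return the remaining ones for the key."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, client_ip: str, form: Mapping[str, str], now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        return len(self._prune(self._key(client_ip, form), now)) >= self.threshold

    def record_failure(self, client_ip: str, form: Mapping[str, str], now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        self._prune(self._key(client_ip, form), now).append(now)


def demo() -> Dict[str, bool]:
    """Replay constructed failures (three for alice, then one for bob, all from one address)
    against both keying strategies and report who ends up blocked."""
    attempts = [("203.0.113.10", "alice")] * 3 + [("203.0.113.10", "bob")]
    by_ip = LoginThrottle(failure_threshold=3, window_seconds=60)
    by_ip_and_user = LoginThrottle(failure_threshold=3, window_seconds=60, username_parameter="username")
    t = 1000.0
    for ip, user in attempts:
        form = {"username": user, "password": "wrong-password"}
        for throttle in (by_ip, by_ip_and_user):
            # A blocked request is rejected before authentication, so it adds no new failure.
            if not throttle.is_blocked(ip, form, now=t):
                throttle.record_failure(ip, form, now=t)
        t += 1.0
    bob, alice = {"username": "bob"}, {"username": "alice"}
    return {
        "ip_only_blocks_bob": by_ip.is_blocked("203.0.113.10", bob, now=t),
        "ip_and_user_blocks_bob": by_ip_and_user.is_blocked("203.0.113.10", bob, now=t),
        "ip_and_user_blocks_alice": by_ip_and_user.is_blocked("203.0.113.10", alice, now=t),
        "alice_clears_after_window": not by_ip_and_user.is_blocked("203.0.113.10", alice, now=t + 61),
    }


if __name__ == "__main__":
    print(demo())
```

With the IP-only key, alice's three failures lock out bob as well, which is what happens to every user behind one NAT or proxy address; with the IP-plus-username key, only the attacked account at that address is throttled while bob still gets in. The username key is what the property selects, and only the name of the form parameter matters, not its value.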


Re: [cas-user] Authentication throttling, per IP and username?

2020-09-09 Thread Jérôme LELEU
Hi,

If you define something for the username, you'll use the throttling by IP
and username.
Thanks.
Best regards,
Jérôme


Le mer. 9 sept. 2020 à 00:10, Baron Fujimoto  a écrit :

> I'm seeking some clarification on Authentication Throttling. We're using
> 5.0.x, but the documentation doesn't seem to differ much in subsequent
> versions for this question.
>
> <https://apereo.github.io/cas/5.0.x/installation/Configuring-Authentication-Throttling.html>
>
> The docs describe both throttling by IP address, and IP address and
> username. How do we ensure the latter so the throttling is also per
> username? The cas.properties documentation includes a
> "cas.authn.throttle.usernameParameter=username" property, but doesn't
> explain its purpose. I don't see anything else that looks like it may be
> relevant?
>
> --
> UH Information Technology Services : Identity & Access Mgmt, Middleware
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>
>



Re: [cas-user] Redirection after authentication from https to http

2020-09-09 Thread Jérôme LELEU
;>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:99)
>>>> ~[cas-server-core-logging-6.1.7.jar:6.1.7]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
>>>> ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
>>>> at
>>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
>>>> ~[spring-web-5.2.0.RELEASE.jar:5.2.0.RELEASE]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66)
>>>> ~[inspektr-common-1.8.6.GA.jar:1.8.6.GA]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>> ~[log4j-web-2.12.1.jar:2.12.1]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:185)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>>>> ~[catalina.jar:9.0.12]
>>>> at
>>>> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
>>>> ~[tomcat-coyote.jar:9.0.12]
>>>> at
>>>> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>> ~[tomcat-coyote.jar:9.0.12]
>>>> at
>>>> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:770)
>>>> ~[tomcat-coyote.jar:9.0.12]
>>>> at
>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
>>>> ~[tomcat-coyote.jar:9.0.12]
>>>> at
>>>> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>>>> ~[tomcat-coyote.jar:9.0.12]
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>>>> ~[?:?]
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecu

Re: [cas-user] Redirection after authentication from https to http

2020-09-08 Thread Jérôme LELEU
Token(OAuth20Authenticator.java:36)
> ~[pac4j-oauth-4.0.3.jar:?]
> at
> org.pac4j.oauth.credentials.authenticator.OAuthAuthenticator.validate(OAuthAuthenticator.java:38)
> ~[pac4j-oauth-4.0.3.jar:?]
> at
> org.pac4j.oauth.credentials.authenticator.OAuth20Authenticator.validate(OAuth20Authenticator.java:20)
> ~[pac4j-oauth-4.0.3.jar:?]
> at
> org.pac4j.oauth.credentials.authenticator.OAuthAuthenticator.validate(OAuthAuthenticator.java:20)
> ~[pac4j-oauth-4.0.3.jar:?]
> at
> org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:70)
> ~[pac4j-core-4.0.3.jar:?]
> at java.util.Optional.ifPresent(Optional.java:183) ~[?:?]
> at
> org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:67)
> ~[pac4j-core-4.0.3.jar:?]
> at
> org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:144)
> ~[pac4j-core-4.0.3.jar:?]
> at
> org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.getCredentialsFromDelegatedClient(DelegatedClientAuthenticationAction.java:254)
> ~[cas-server-support-pac4j-webflow-6.1.7.jar:6.1.7]
> at
> org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.populateContextWithClientCredential(DelegatedClientAuthenticationAction.java:240)
> ~[cas-server-support-pac4j-webflow-6.1.7.jar:6.1.7]
> at
> org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:213)
> ~[cas-server-support-pac4j-webflow-6.1.7.jar:6.1.7]
> at
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
> ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
> at jdk.internal.reflect.GeneratedMethodAccessor196.invoke(Unknown Source)
> ~[?:?]
> at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:?]
> at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> at
> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279)
> ~[spring-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
> at
> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
> ~[spring-cloud-context-2.2.0.RC1.jar:2.2.0.RC1]
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
> at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
> ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
> at com.sun.proxy.$Proxy228.execute(Unknown Source) ~[?:?]
> at
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
> ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
> ... 119 more
> 2020-09-07 18:49:38,308 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - <"FORWARD" dispatch
> for GET
> "/codesESSO/error?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain",
> parameters={masked}>
> 2020-09-07 18:49:38,310 DEBUG
> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
> -  org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest,
> HttpServletResponse)>
> 2020-09-07 18:49:38,432 DEBUG
> [org.springframework.web.servlet.view.ContentNegotiatingViewResolver] -
> 
>
>
>
> Thanks
>
> On Friday, September 4, 2020 at 3:07:18 AM UTC-5 leleuj wrote:
>
>> Hi,
>>
>> I would have expected the *val url = httpUrl.replace("http", "https");*
>> solution to work.
>>
>> You may also try to set the "secure" flag in the Tomcat connector.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> Le jeu. 3 sept. 2020 à 18:48, Joe Manavalan  a
>> écrit :
>>
> >>> I was told there is a BIG-IP, which counts as a reverse proxy in front of
> >>> Tomcat. Are there any specific settings to resolve this?
> >>> FYI: we have the CAS WAR deployed in Tomcat 8.5 [not in embedded Tomcat].
>>>
>>> Thanks
>>> Joe
>>>
>>>
>>> On Monday, August 31, 2020 at 6:01:46 PM UTC-5 Joe Manavalan wrote:
>>>
>>>> Thanks Jerome for the response.
>>>>
> >>>> I am checking with the network team about the reverse proxy.
>>>> request.getRequestURL()  is coming in as "http  "
>>>>
>>>> Following is the log
>>>>
>>>>
>>>> 2020-08-31 17:45:43,157 DEBUG
>>>> [org.springframework.security.web.FilterChainProxy] -
>>>> >>> reached end of additional filter chain; proceeding with origina

Re: [cas-user] Redirection after authentication from https to http

2020-09-04 Thread Jérôme LELEU
Hi,

I would have expected the *val url = httpUrl.replace("http", "https");*
solution to work.

You may also try to set the "secure" flag in the Tomcat connector.

Thanks.
Best regards,
Jérôme


Le jeu. 3 sept. 2020 à 18:48, Joe Manavalan  a
écrit :

> I was told there is a BIG-IP, which counts as a reverse proxy in front of
> Tomcat. Are there any specific settings to resolve this?
> FYI: we have the CAS WAR deployed in Tomcat 8.5 [not in embedded Tomcat].
>
> Thanks
> Joe
>
>
> On Monday, August 31, 2020 at 6:01:46 PM UTC-5 Joe Manavalan wrote:
>
>> Thanks Jerome for the response.
>>
> >> I am checking with the network team about the reverse proxy.
>> request.getRequestURL()  is coming in as "http  "
>>
>> Following is the log
>>
>>
>> 2020-08-31 17:45:43,157 DEBUG
>> [org.springframework.security.web.FilterChainProxy] -
>> > reached end of additional filter chain; proceeding with original chain>
>> 2020-08-31 17:45:43,164 DEBUG
>> [org.springframework.web.servlet.DispatcherServlet] - > "/codesESSO/login/CodesESSO_Dev?code=aF7GlAT5G_5OTjTQQw512P5U7WQ87DQwGfloQZcI=TST-1-M7NvxcUUbWhZsfDKg9WZ3CF2ift41e5s",
>> parameters={masked}>
>> 2020-08-31 17:45:43,167 DEBUG
>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>> - > org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
>> HttpServletRequest, HttpServletResponse)>
>> 2020-08-31 17:45:43,201 DEBUG
>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - > client [http://:8445/codesESSO/login/CodesESSO_Dev],>
>>
>>
>> I manually added a http to https replace here in
>> BaseDelegatedAuthenticationController for testing
>> val url = httpUrl.replace("http", "https");
>>
>>
>> 2020-08-31 17:45:43,204 DEBUG
>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - > response for client [a204264-CodesESSO_Dev], redirecting the login flow
>> [https://
>> :8445/codesESSO/login?code=aF7GlAT5G_5OTjTQQw512P5U7WQ87DQwGfloQZcI=TST-1-M7NvxcUUbWhZsfDKg9WZ3CF2ift41e5s_name=CodesESSO_Dev]>
>>
> >> Ended up throwing an error [which I believe is expected due to the
> >> manipulation]
>> org.springframework.webflow.execution.ActionExecutionException: Exception
>> thrown executing
>> org.apereo.cas.web.flow.DelegatedClientAuthenticationAction@40e79dec in
>> state 'delegatedAuthenticationAction' of flow 'login' -- action execution
>> attributes were 'map[[empty]]'
>> at
>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
>> at
>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>
>> On Mon, Aug 31, 2020 at 1:52 AM Jérôme LELEU  wrote:
>>
>>> Hi,
>>>
>>> This redirection relies on: request.getRequestURL()
>>> Do you have some reverse proxy in front of your Tomcat?
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> Le jeu. 27 août 2020 à 17:20, Joe Manavalan  a
>>> écrit :
>>>
> >>>> I have CAS 6.1 deployed and working with cas.authn.pac4j.oauth2. The app
> >>>> works fine on my local Windows machine on an HTTPS port.
> >>>> When deployed on Unix with the same settings [except the URL has a domain
> >>>> name instead of a server name], the app, after authenticating with the external
> >>>> OAuth2 provider, redirects the URL to an HTTP port as shown below.
> >>>> This is the redirect URL configured, and it gets successfully redirected
> >>>> after authentication and authorization based on the browser trace:
> >>>> https://
> >>>> :/cas/login/?code==_name=
> >>>> It then gets redirected to the HTTP port below instead of the expected
> >>>> HTTPS port:
> >>>>
> >>>> http//:/cas/login?code==_name=
> >>>>
> >>>> Is this some configuration in CAS, or does it need to be investigated on the
> >>>> network side?
> >>>> Any help appreciated.
>>>>
>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email 
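The mechanism behind this thread, as an added Python example (not CAS or Tomcat code, and not from the thread): a servlet container builds request.getRequestURL() from what it sees on its own socket, so when a TLS-terminating proxy such as the BIG-IP forwards plain HTTP to Tomcat, every URL derived from it starts with http://host:8445/. The function below rebuilds the browser-facing URL from the proxy's X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port headers, but honours them only when the immediate peer is a trusted proxy address, because a client that can reach Tomcat directly could otherwise forge the scheme or host. The trusted networks, hostnames and ports are constructed for the example.

```python
"""Rebuilding the externally visible request URL behind a TLS-terminating reverse proxy. Added example."""
import ipaddress
from typing import Mapping

# Networks whose X-Forwarded-* headers are believed. Constructed for this example;
# in a deployment this is the address (or range) of the reverse proxy itself.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24"))


def container_request_url(scheme: str, host: str, port: int, path: str) -> str:
    """What the container reports on its own: the analogue of request.getRequestURL()."""
    default_port = 443 if scheme == "https" else 80
    authority = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def public_request_url(remote_addr: str, scheme: str, host: str, port: int, path: str,
                       headers: Mapping[str, str], trusted_proxies=TRUSTED_PROXIES) -> str:
    """Return the URL the browser used.

    scheme/host/port are the container's socket-level view. Only when remote_addr is a
    trusted proxy do X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port override them;
    the same headers from any other peer are ignored.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in trusted_proxies):
        proto = hdr.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):           # accept only the two schemes we can serve
            scheme = proto
            port = 443 if scheme == "https" else 80   # proxy's client-facing port unless told otherwise
        fhost = hdr.get("x-forwarded-host", "").split(",")[0].strip()
        if fhost:
            host = fhost
            if fhost.count(":") == 1:            # host:port form, not an IPv6 literal
                host, _, p = fhost.partition(":")
                port = int(p)
        fport = hdr.get("x-forwarded-port", "").split(",")[0].strip()
        if fport.isdigit():
            port = int(fport)
    return container_request_url(scheme, host, port, path)


if __name__ == "__main__":
    # Proxy terminates TLS on 8445 and forwards plain HTTP to Tomcat on 8445.
    seen_by_tomcat = container_request_url("http", "cas.example.org", 8445, "/cas/login")
    rebuilt = public_request_url("10.1.2.3", "http", "cas.example.org", 8445, "/cas/login",
                                 {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "8445"})
    print(seen_by_tomcat, "->", rebuilt)
```

Tomcat's RemoteIpValve applies the same rule when its protocolHeader and internalProxies/trustedProxies attributes are set; when the proxy always terminates TLS, setting secure="true" and scheme="https" (with proxyPort) on the connector is the static alternative Jérôme refers to. Rewriting the scheme in one controller, as the thread tried, patches only that one URL and leaves every other URL derived from the request unchanged.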

Re: [cas-user] How to give encrypted password in cas.properties for redis ticket registry

2020-09-02 Thread Jérôme LELEU
Hi,

See:
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Security.html
to
secure your properties.
Thanks.
Best regards,
Jérôme


Le mer. 2 sept. 2020 à 13:22, Priyambada Madala 
a écrit :

> Passwords for your Redis cluster should be treated as sensitive
> information.
> It would be nice to have the password encrypted with a private key.
> On Tuesday, September 1, 2020 at 8:44:37 PM UTC+5:30 Ray Bon wrote:
>
>> Priyambada,
>>
>> Why do you want an encrypted password in your config?
>>
>> Ray
>>
>> On Tue, 2020-09-01 at 02:17 -0700, Priyambada Madala wrote:
>>
>>
>>
> >> I have the following cas.properties for the Redis registry setup.
>>
>> # Redis Ticket Registry properties
>> cas.ticket.registry.redis.host=localhost
>> cas.ticket.registry.redis.database=1
>> cas.ticket.registry.redis.port=6379
>> cas.ticket.registry.redis.password=redis
>> cas.ticket.registry.redis.timeout=2000
>> cas.ticket.registry.redis.useSsl=false
>> cas.ticket.registry.redis.usePool=true
>>
>> cas.ticket.registry.redis.pool.max-active=20
>> cas.ticket.registry.redis.pool.maxIdle=8
>> cas.ticket.registry.redis.pool.minIdle=0
>> cas.ticket.registry.redis.pool.maxActive=8
>> cas.ticket.registry.redis.pool.maxWait=-1
>> cas.ticket.registry.redis.pool.numTestsPerEvictionRun=0
>> cas.ticket.registry.redis.pool.softMinEvictableIdleTimeMillis=0
>> cas.ticket.registry.redis.pool.minEvictableIdleTimeMillis=0
>> cas.ticket.registry.redis.pool.lifo=true
>> cas.ticket.registry.redis.pool.fairness=false
>>
>> cas.ticket.registry.redis.pool.testOnCreate=false
>> cas.ticket.registry.redis.pool.testOnBorrow=false
>> cas.ticket.registry.redis.pool.testOnReturn=false
>> cas.ticket.registry.redis.pool.testWhileIdle=false
>>
>> I want to provide an encrypted value in
>> "cas.ticket.registry.redis.password".
>>
> >> Is there a bean I can override where I can decrypt the password
> >> with the proper key?
>>
>> --
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>>
>> I respectfully acknowledge that my place of work is located within the
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>> WSÁNEĆ Nations.
>>



Re: [cas-user] Assign roles properties for CAS's user or CAS's service registry

2020-09-01 Thread Jérôme LELEU
Hi,

Reading the code, you need to set up a * for the authzAttributes property.
Something like this in your *management.properties* file:
*mgmt.authzAttributes[0]=**
Thanks.
Best regards,
Jérôme


Le mar. 1 sept. 2020 à 08:35, Nguyen Tran Thanh Lam <
naphaluan211...@gmail.com> a écrit :

> Hi Jérôme,
> Exactly what I wanted: I want to set up static roles for all users with the CAS
> Management Web App service.
> If you know how to setup, please help me.
> Thank you in advance.
> Regards
> ---
> Thanh Lam
>
>
> Vào Th 3, 1 thg 9, 2020 vào lúc 13:19 Jérôme LELEU 
> đã viết:
>
>> Hi,
>>
>> Depending on your configuration, you have several options: either pick up
>> static roles (but I don't think this is what you want) or take some user's
>> attributes as roles or use the users file.
>> See:
>> https://github.com/apereo/cas-management/blob/master/config/cas-mgmt-config-authz/src/main/java/org/apereo/cas/mgmt/config/CasManagementAuthorizationConfiguration.java#L39
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> Le lun. 31 août 2020 à 09:03, Nguyen Tran Thanh Lam <
>> naphaluan211...@gmail.com> a écrit :
>>
> >>> Hi Mr Jérôme LELEU,
> >>> Yes, I know this configuration, but I have an inconvenient process when I
> >>> create a new user.
> >>> It means that when I create a new user in MongoDB, CAS Overlay can
> >>> authenticate the new user (I do not have to restart the CAS service), but with CAS
> >>> Management Web App, I must add this role for the new user to the user.json file and
> >>> restart the CAS Management Web App service.
> >>> For example:
> >>> First:
> >>> I already have one user with username casuser and password x1.
> >>> I could use casuser/x1 as a CAS account to use the CAS Overlay and CAS
> >>> Management Web App features.
> >>> Next:
> >>> I add a new user with username casuser2 and password x2.
> >>> I could use casuser2/x2 as a CAS account to use the CAS Overlay feature.
> >>> But with CAS Management Web App, I need to modify the user.json file like this:
> >>>
> >>> {
> >>>   "casuser" : {
> >>>     "roles" : [ "ROLE_ADMIN" ]
> >>>   },
> >>>   "casuser2" : {
> >>>     "roles" : [ "ROLE_ADMIN" ]
> >>>   }
> >>> }
> >>>
> >>> Then restart the CAS Management service. After that, I could use this
> >>> casuser2 account for CAS Management Web App.
> >>> It's very inconvenient, thus I hope there is a way to fix this role for all
> >>> users.
> >>> Please help me.
> >>> Thank you in advance.
>>>
>>> Vào Th 2, 31 thg 8, 2020 vào lúc 13:44 Jérôme LELEU 
>>> đã viết:
>>>
>>>> Hi,
>>>>
>>>> You need to add a *users.json* (or *users.yml* in YAML format) file in
>>>> the classpath.
>>>> For example:
>>>>
>>>> {
>>>>  "casuser" : {
>>>>"roles" : [ "ROLE_ADMIN" ]
>>>>  }
>>>> }
>>>>
>>>>
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> Le jeu. 27 août 2020 à 14:11, Napoleon Ponaparte <
>>>> naphaluan211...@gmail.com> a écrit :
>>>>
>>>>>
>>>>> Hi,
>>>>>
> >>>>> I have succeeded in configuring the CAS Overlay template 6.2.x to authenticate
> >>>>> users registered in MongoDB.
>>>>> Here is my config:
>>>>>
>>>>> 1. CAS Properties
>>>>> "name":"cas.authn.mongo.name","value":"users"
>>>>> "name":"cas.authn.mongo.database-name","value":"users"
>>>>> "name":"cas.authn.mongo.collection","value":"users"
>>>>> "name":"cas.authn.mongo.username-attribute","value":"username"
>>>>> "name":"cas.authn.mongo.password-attribute","value":"password"
>>>>> "name":"cas.authn.mongo.user-id","value":"casuser"
>>>>> "name":"cas.authn.mongo.password","value":"Mellon"
>>>>>
>>>>> "name":"cas.authn.mongo.attributes","value":"lastname,useremail,usertel"
>>>>> "name":"cas.authn.mongo.clientUri","value":"mongodb://casuser:Mellon@IP
>
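The three options named in this thread side by side, as an added Python example (not the cas-management implementation, and not from the thread): a static users file in the shape posted above, a rule that turns the values of chosen principal attributes into roles, and the wildcard entry that grants the admin role to everyone. The attribute rule and the meaning given to "*" are assumptions made for the example; the users file content, usernames and attributes are constructed.

```python
"""Role resolution for a management console: users file, principal attributes, or wildcard. Added example."""
import json
from typing import Dict, List, Mapping, Sequence

ADMIN_ROLE = "ROLE_ADMIN"

# Constructed users file in the shape shown in the thread (users.json on the classpath).
USERS_JSON = """
{
  "casuser" : {
    "roles" : [ "ROLE_ADMIN" ]
  }
}
"""


def roles_from_users_file(users_json: str, username: str) -> List[str]:
    """Static mapping: only users listed in the file get roles, and changing it means a restart."""
    users: Dict[str, Dict[str, List[str]]] = json.loads(users_json)
    return list(users.get(username, {}).get("roles", []))


def roles_from_attributes(attributes: Mapping[str, Sequence[str]],
                          authz_attributes: Sequence[str]) -> List[str]:
    """Attribute mapping (hypothetical rule for this example): the values of each listed
    principal attribute become roles, so a user created in MongoDB with the right attribute
    needs no file edit and no restart. The entry "*" grants ADMIN_ROLE to every
    authenticated principal regardless of attributes."""
    if "*" in authz_attributes:
        return [ADMIN_ROLE]
    roles: List[str] = []
    for name in authz_attributes:
        roles.extend(attributes.get(name, []))
    return roles


def resolve_roles(username: str, attributes: Mapping[str, Sequence[str]],
                  users_json: str = USERS_JSON, authz_attributes: Sequence[str] = ()) -> List[str]:
    """Union of both sources, deduplicated and sorted for stable comparison."""
    merged = set(roles_from_users_file(users_json, username))
    merged.update(roles_from_attributes(attributes, authz_attributes))
    return sorted(merged)


if __name__ == "__main__":
    print("casuser  (file only):     ", resolve_roles("casuser", {}))
    print("casuser2 (file only):     ", resolve_roles("casuser2", {}))
    print("casuser2 (wildcard):      ", resolve_roles("casuser2", {}, authz_attributes=["*"]))
    print("casuser2 (attribute rule):", resolve_roles("casuser2", {"memberOf": ["ROLE_ADMIN"]},
                                                       authz_attributes=["memberOf"]))
```

The wildcard removes the restart problem, but it also makes every principal CAS authenticates an administrator of the management app, so access then has to be limited at the CAS service registration for that app; the attribute rule keeps the decision per user without touching a file.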

Re: [cas-user] CAS 4.2.7 Authentication Delegation Problems (PAC4J)

2020-09-01 Thread Jérôme LELEU
Hi,

The CAS server v4.2.7 does support the SAML2 protocol for authentication
delegation (client behavior), but not as an IdP (server behavior).
See:
https://apereo.github.io/cas/4.2.x/integration/Delegate-Authentication.html
Upgrading to v6.x is a good idea as the authentication delegation has been
highly improved. That said, it should work in your current version.
Thanks.
Best regards,
Jérôme


Le lun. 31 août 2020 à 14:59, King, Robert  a écrit :

> I would suggest moving to CAS version 5.x or greater.  Version 4.x has
> been end of life for some time now.
>
>
>
>
>
> *From:* saimir pollogati 
> *Sent:* Monday, August 31, 2020 9:50 AM
> *To:* CAS Community 
> *Cc:* King, Robert 
> *Subject:* Re: [cas-user] CAS 4.2.7 Authentication Delegation Problems
> (PAC4J)
>
>
>
> Thank you for your answer.
>
> Do you have any suggestion, please, on how I can handle this
> problem?
>
>
>
>
>
>
>
> Regards,
>
> Saimir
>
>
>
>
>
> On Monday, August 31, 2020 at 1:54:46 PM UTC+2 ro...@mun.ca wrote:
>
> CAS v 4.2.7 does not support SAML version 2.  Please see the bottom of
> this webpage for reference.
>
>
>
> https://apereo.github.io/cas/4.2.x/protocol/SAML-Protocol.html
>
>
>
>
>
> *From:* cas-...@apereo.org  *On Behalf Of *saimir
> pollogati
> *Sent:* Monday, August 31, 2020 7:39 AM
> *To:* CAS Community 
> *Subject:* [cas-user] CAS 4.2.7 Authentication Delegation Problems (PAC4J)
>
>
>
> Hello!
>
>
>
> I am using CAS v4.2.7. I use authentication from a database and
> everything works perfectly.
>
> Now I also have to add authentication from an IdP provider (IdP delegation
> with SAML).
>
> After a successful auth on the IdP login page, CAS redirects me to the login
> page again.
>
> CAS login link:
>
> *<a href="/cas/login?client_name=SAML2Client_client_redirection=true">Hyr nga e-Test</a>*
>
> I did the configs as in the attached files. I followed the CAS documentation, but I
> don't know what I am missing.
>
>
>
> Any help is welcomed!
>
>
>
> Regards
>
> Saimir
>



Re: [cas-user] Assign roles properties for CAS's user or CAS's service registry

2020-09-01 Thread Jérôme LELEU
Hi,

Depending on your configuration, you have several options: either pick up
static roles (but I don't think this is what you want) or take some user's
attributes as roles or use the users file.
See:
https://github.com/apereo/cas-management/blob/master/config/cas-mgmt-config-authz/src/main/java/org/apereo/cas/mgmt/config/CasManagementAuthorizationConfiguration.java#L39
Thanks.
Best regards,
Jérôme


Le lun. 31 août 2020 à 09:03, Nguyen Tran Thanh Lam <
naphaluan211...@gmail.com> a écrit :

> Hi Mr Jérôme LELEU,
> Yes, I know this configuration, but I have an inconvenient process when I
> create a new user.
> It means that when I create a new user in MongoDB, CAS Overlay can authenticate
> the new user (I do not have to restart the CAS service), but with CAS Management Web App,
> I must add this role for the new user to the user.json file and restart the CAS
> Management Web App service.
> For example:
> First:
> I already have one user with username casuser and password x1.
> I could use casuser/x1 as a CAS account to use the CAS Overlay and CAS
> Management Web App features.
> Next:
> I add a new user with username casuser2 and password x2.
> I could use casuser2/x2 as a CAS account to use the CAS Overlay feature.
> But with CAS Management Web App, I need to modify the user.json file like this:
>
> {
>   "casuser" : {
>     "roles" : [ "ROLE_ADMIN" ]
>   },
>   "casuser2" : {
>     "roles" : [ "ROLE_ADMIN" ]
>   }
> }
>
> Then restart the CAS Management service. After that, I could use this casuser2
> account for CAS Management Web App.
> It's very inconvenient, thus I hope there is a way to fix this role for all users.
> Please help me.
> Thank you in advance.
>
> On Mon, 31 Aug 2020 at 13:44, Jérôme LELEU
> wrote:
>
>> Hi,
>>
>> You need to add a *users.json* (or *users.yml* in YAML format) file in
>> the classpath.
>> For example:
>>
>> {
>>   "casuser" : {
>>     "roles" : [ "ROLE_ADMIN" ]
>>   }
>> }
>>
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Thu. 27 Aug 2020 at 14:11, Napoleon Ponaparte <
>> naphaluan211...@gmail.com> wrote:
>>
>>>
>>> Hi,
>>>
>>> I have succeeded in configuring the CAS Overlay template 6.2.x to authenticate
>>> users registered in MongoDB.
>>> Here is my config:
>>>
>>> 1. CAS Properties
>>> "name":"cas.authn.mongo.name","value":"users"
>>> "name":"cas.authn.mongo.database-name","value":"users"
>>> "name":"cas.authn.mongo.collection","value":"users"
>>> "name":"cas.authn.mongo.username-attribute","value":"username"
>>> "name":"cas.authn.mongo.password-attribute","value":"password"
>>> "name":"cas.authn.mongo.user-id","value":"casuser"
>>> "name":"cas.authn.mongo.password","value":"Mellon"
>>> "name":"cas.authn.mongo.attributes","value":"lastname,useremail,usertel"
>>> "name":"cas.authn.mongo.clientUri","value":"mongodb://casuser:Mellon@IP
>>> :port/users?authSource=admin=primary=MongoDB%20Compass%20Community=false"
>>> 2. And these are the user properties in the User collection
>>>
>>> "username":"root",
>>> "password":"root",
>>> "lastname":"VNPT ADMIN",
>>> "useremail":"xxx",
>>> "usertel":"xxx"
>>>
>>> But I have faced a problem with the CAS Management Web App service.
>>> Here is the CAS Management Web App log:
>>>
>>> WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - authorize access, since the authenticated profile [#CasProfile# | id: root
>>> | attributes: {credentialType=UsernamePasswordCredential,
>>> isFromNewLogin=false, authenticationDate=2020-08-26T08:51:16.865441Z[UTC],
>>> authenticationMethod=users, successfulAuthenticationHandlers=users,
>>> longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: []
>>> | isRemembered: false | clientName: CasClient | linkedId: null |] *does
>>> not contain any required roles*>
>>>
>>> Here is my service registry for the CAS Management Web App:
>>>
>>> {
>>>   "@class" : "org.apereo.ca

Re: [cas-user] Redirection after authentication from https to http

2020-08-31 Thread Jérôme LELEU
Hi,

This redirection relies on: request.getRequestURL()
Do you have some reverse proxy in front of your Tomcat?
Thanks.
Best regards,
Jérôme
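
Why request.getRequestURL() turns into an http:// URL behind a TLS-terminating proxy, and how a proxy-aware container corrects it, as an added example (not CAS or Tomcat code): all addresses, host names and headers are constructed.

```python
"""Reconstructing the external request URL behind a reverse proxy.

Added example, not CAS or Tomcat code. It shows why request.getRequestURL()
can yield an http:// URL when TLS is terminated in front of Tomcat: the
container only sees the proxy-to-Tomcat hop (plain HTTP on an internal port)
unless it is told to honour X-Forwarded-Proto and X-Forwarded-Host, and it
should honour them only on connections from the proxy itself, which is what
Tomcat's RemoteIpValve does when given the proxy addresses. All addresses,
host names and headers below are constructed.
"""
from typing import Dict, FrozenSet

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the headers a TLS-terminating proxy adds on the way to Tomcat.
PROXY_HEADERS = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "cas.example.org"}
TRUSTED_PROXIES: FrozenSet[str] = frozenset({"10.0.0.5"})


def request_url(scheme: str, host: str, port: int, path: str) -> str:
    """What HttpServletRequest.getRequestURL() builds: scheme://host[:port]path."""
    if DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}{path}"
    return f"{scheme}://{host}:{port}{path}"


def effective_request_url(remote_addr: str, scheme: str, host: str, port: int,
                          path: str, headers: Dict[str, str],
                          trusted_proxies: FrozenSet[str]) -> str:
    """Apply forwarded headers only when the connection comes from a trusted proxy.

    `scheme`, `host` and `port` are what the container observed on the
    socket. Headers from any other peer are ignored, so a client talking to
    Tomcat directly cannot rewrite the scheme or host that CAS redirects to.
    """
    if remote_addr in trusted_proxies:
        lower = {k.lower(): v for k, v in headers.items()}
        # Proxies may append to an existing value; the first entry is the client-facing one.
        scheme = lower.get("x-forwarded-proto", scheme).split(",")[0].strip().lower()
        host = lower.get("x-forwarded-host", host).split(",")[0].strip()
        port = int(lower.get("x-forwarded-port", DEFAULT_PORTS.get(scheme, port)))
    return request_url(scheme, host, port, path)


def demo() -> Dict[str, str]:
    """Three cases, keyed by what the deployment does with the proxy headers."""
    observed = dict(scheme="http", host="cas-node1.internal", port=8080, path="/cas/login")
    return {
        # Tomcat not configured for the proxy: the http:// URL reported in the thread.
        "proxy_unaware": effective_request_url("10.0.0.5", **observed, headers=PROXY_HEADERS,
                                               trusted_proxies=frozenset()),
        # Headers honoured because they arrive from the known proxy.
        "proxy_aware": effective_request_url("10.0.0.5", **observed, headers=PROXY_HEADERS,
                                             trusted_proxies=TRUSTED_PROXIES),
        # Same headers sent by an arbitrary client straight to Tomcat: ignored.
        "spoofed": effective_request_url("203.0.113.7", **observed, headers=PROXY_HEADERS,
                                         trusted_proxies=TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    for case, url in demo().items():
        print(f"{case:>13}: {url}")
```

In Tomcat the equivalent is RemoteIpValve in server.xml with its internalProxies set to the proxy's address; once the request reports https, the pac4j callback redirect keeps the https port.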


On Thu. 27 Aug 2020 at 17:20, Joe Manavalan
wrote:

> I have CAS 6.1 deployed and working with cas.authn.pac4j.oauth2. The app
> works fine on my local Windows machine on an https port.
> When deployed on Unix with the same settings [except the URL has a domain
> name instead of the server name], the app, after authenticating with the external
> OAuth2 provider, redirects the URL to an http port as shown below.
> This is the redirect URL configured, and it gets successfully redirected after
> authentication and authorization based on the browser trace:
> https://
> :/cas/login/?code==_name=
> It then gets redirected to the http port below instead of the expected
> https port:
>
> http//:/cas/login?code==_name=
>
> Is this some configuration in CAS, or does it need to be investigated on the
> network side?
> Any help appreciated
>
>


Re: [cas-user] Assign roles properties for CAS's user or CAS's service registry

2020-08-31 Thread Jérôme LELEU
Hi,

You need to add a *users.json* (or *users.yml* in YAML format) file in the
classpath.
For example:

{
 "casuser" : {
   "roles" : [ "ROLE_ADMIN" ]
 }
}


Thanks.
Best regards,
Jérôme


On Thu. 27 Aug 2020 at 14:11, Napoleon Ponaparte
wrote:

>
> Hi,
>
> I have succeeded in configuring the CAS Overlay template 6.2.x to authenticate
> users registered in MongoDB.
> Here is my config:
>
> 1. CAS Properties
> "name":"cas.authn.mongo.name","value":"users"
> "name":"cas.authn.mongo.database-name","value":"users"
> "name":"cas.authn.mongo.collection","value":"users"
> "name":"cas.authn.mongo.username-attribute","value":"username"
> "name":"cas.authn.mongo.password-attribute","value":"password"
> "name":"cas.authn.mongo.user-id","value":"casuser"
> "name":"cas.authn.mongo.password","value":"Mellon"
> "name":"cas.authn.mongo.attributes","value":"lastname,useremail,usertel"
> "name":"cas.authn.mongo.clientUri","value":"mongodb://casuser:Mellon@IP
> :port/users?authSource=admin=primary=MongoDB%20Compass%20Community=false"
> 2. And these are the user properties in the User collection
>
> "username":"root",
> "password":"root",
> "lastname":"VNPT ADMIN",
> "useremail":"xxx",
> "usertel":"xxx"
>
> But I have faced a problem with the CAS Management Web App service.
> Here is the CAS Management Web App log:
>
> WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] -  authorize access, since the authenticated profile [#CasProfile# | id: root
> | attributes: {credentialType=UsernamePasswordCredential,
> isFromNewLogin=false, authenticationDate=2020-08-26T08:51:16.865441Z[UTC],
> authenticationMethod=users, successfulAuthenticationHandlers=users,
> longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: []
> | isRemembered: false | clientName: CasClient | linkedId: null |] *does
> not contain any required roles*>
>
> Here is my service registry for the CAS Management Web App:
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://cas-server-domain:8088/cas-management.+",
>   "name" : "casManagement",
>   "id" : 1,
>   "evaluationOrder" : 1,
>   "allowedAttributes":["cn","mail"]
> }
>
> CAS server succeed create and authorized access token for user (id = root)
> but CAS Management missing user's role.
>
> I don't know how to assign ROLE for user or indicate user's role fixed in
> service registry.
> Please help me.
> Thank you in advance.
>
>
>


Re: [cas-user] CAS Unable to parse my ReturnAllowedAttributeReleasePolicy

2020-08-25 Thread Jérôme LELEU
Hi,

Indeed, it feels good. I would try to directly have the array:

"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : [ "username", "email" ]
}

Thanks.
Best regards,
Jérôme
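
A checker for the allowedAttributes value of a service definition, accepting both the typed Jackson form and the plain array suggested above, as an added example (not CAS code): the service definitions are constructed, and the "broken" one is one constructed way to hit the same error position as the thread's stack trace, not the questioner's actual registry entry.

```python
"""Reading allowedAttributes from a CAS JSON service definition.

Added example, not CAS code. CAS service files write collections in Jackson's
typed form, ["java.util.ArrayList", [ ... ]], while the reply above suggests
trying the plain array. This helper accepts both spellings and rejects
anything else with a message modelled on the Jackson error in the thread,
so a registry entry can be checked before CAS tries to load it. The service
definitions below are constructed; the "broken" one is one constructed way
to hit the same error position (element 1 of the array), not the
questioner's actual registry entry.
"""
import json
from typing import Any, List

# Collection classes that appear as the first element of the typed form.
COLLECTION_TYPES = {"java.util.ArrayList", "java.util.HashSet",
                    "java.util.LinkedHashSet", "java.util.TreeSet"}

POLICY_CLASS = "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy"

TYPED_SERVICE = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app.example.org/.*",
  "name" : "app", "id" : 100,
  "attributeReleasePolicy" : {
    "@class" : "%s",
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn" ] ]
  }
}""" % POLICY_CLASS

PLAIN_SERVICE = TYPED_SERVICE.replace(
    '[ "java.util.ArrayList", [ "cn", "mail", "sn" ] ]', '[ "username", "email" ]')

# Typed form with a misspelt class name: element 1 is then read as an attribute name.
BROKEN_SERVICE = TYPED_SERVICE.replace("java.util.ArrayList", "ArrayList")


class PolicyFormatError(ValueError):
    """Raised with a Jackson-style message when allowedAttributes is malformed."""


def normalize_allowed_attributes(value: Any) -> List[str]:
    """Return a plain list of attribute names from either JSON spelling."""
    if not isinstance(value, list):
        raise PolicyFormatError(
            f"allowedAttributes must be an array, got {type(value).__name__}")
    # Typed form: unwrap ["java.util.ArrayList", [ ... ]] to the inner list.
    if (len(value) == 2 and isinstance(value[0], str)
            and value[0] in COLLECTION_TYPES and isinstance(value[1], list)):
        value = value[1]
    for index, item in enumerate(value):
        if not isinstance(item, str):
            token = ("START_ARRAY" if isinstance(item, list)
                     else "START_OBJECT" if isinstance(item, dict)
                     else type(item).__name__)
            raise PolicyFormatError(
                "Cannot deserialize instance of java.lang.String out of "
                f"{token} token at allowedAttributes[{index}]")
    return list(value)


def allowed_attributes_from_service(service_json: str) -> List[str]:
    """Parse one service definition and return its allowed attribute names."""
    service = json.loads(service_json)
    policy = service["attributeReleasePolicy"]
    if policy.get("@class") != POLICY_CLASS:
        raise PolicyFormatError(f"unexpected policy class {policy.get('@class')!r}")
    return normalize_allowed_attributes(policy["allowedAttributes"])


def check_service(service_json: str) -> str:
    """One-line verdict, convenient for scanning a whole registry directory."""
    try:
        return "ok: " + ", ".join(allowed_attributes_from_service(service_json))
    except (PolicyFormatError, KeyError, json.JSONDecodeError) as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for label, text in [("typed", TYPED_SERVICE), ("plain", PLAIN_SERVICE),
                        ("broken", BROKEN_SERVICE)]:
        print(f"{label}: {check_service(text)}")
```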


On Tue. 25 Aug 2020 at 10:36, Giovan Isa Musthofa
wrote:

>
> Hi,
>
> I have my service registry in a REST endpoint. I have made sure the
> allowedAttributes field is similar to the documented syntax of
> ["java.util.ArrayList", ["cn", "mail", "sn"]].
>
> [image: Screenshot_2020-08-25 Read Only Rest Service Registry List –
> Django REST framework.png]
>
> But, I got this error.
>
> Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException:
> Cannot deserialize instance of `java.lang.String` out of START_ARRAY token
> at [Source: UNKNOWN; line: -1, column: -1] (through reference chain:
> org.apereo.cas.support.oauth.services.OAuthRegisteredService["attributeReleasePolicy"]>org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy["allowedAttributes"]->java.util.ArrayList[1])
>
> Can anyone point what could be wrong? I can provide more information if
> needed.
>
> Regards,
> Giovan
>


Re: [cas-user] SLO within browser context

2020-06-17 Thread Jérôme LELEU
Hi,

Yes, you can. This is called "front channel". You can configure that at the
service level.
See:
https://apereo.github.io/cas/6.1.x/installation/Logout-Single-Signout.html#front-channel
Thanks.
Best regards,
Jérôme


On Wed. 17 Jun 2020 at 07:22, Paul Roemer wrote:

>
> Hey guys,
>
> I just ran into the SLO + load balancer issue as some of our CAS clients
> are clustered. Now, I wonder if it is possible to send the POST logout
> requests to the services participating in the current SSO session from
> within the browser/from the client side instead of sending them from the CAS
> server.
>
> If that is possible, I expect the load balancer issue is solved without
> further adjustments as it will redirect the request to the correct node in
> the case of a clustered CAS client.
>
> What are your thoughts?
>
> Cheers,
>   Paul
>


Re: [cas-user] How to skip Azure AD logout which conflicting with CAS client Front_Channel logout in CAS V6

2020-04-17 Thread Jérôme LELEU
Hi,

I guess this logout call is triggered by the
DelegatedAuthenticationClientLogoutAction. I don't think you can disable
that without the appropriate customisation.
Thanks.
Best regards,
Jérôme


On Fri. 17 Apr 2020 at 09:57, Robert Li wrote:

> Hello, I encounter an SLO issue with Azure AD as IdP with CAS 6.1.4.
>
> I have a few CAS client applications which must use front channel logout
> to support SLO. In my testing, if I log in through the default CAS id/pwd UI,
> SLO works as expected. However, if I use delegated Azure AD as IdP,
> the logout just performs the Azure AD logout. In the debug output, the
> frontLogout step in the logout flow was executed. However, the rendered
> content was not sent back to the browser. I guess it was overwritten by the
> Azure logout step which is using the setting of azure.logoutUrl.
>
> I tried to remove the setting below, but it had no effect (I could see
> now that the code just reconstructs it anyway):
> cas.authn.pac4j.oidc[0].azure.logoutUrl=
> https://login.microsoftonline.com/39469cf7-e1da-410f-be47-95ee748cdb9c/oauth2/v2.0/logout
>
> In our business case, it is actually not desirable to perform the Azure
> logout, because the applications SSOed with CAS are viewed as a different suite
> from the Office 365 suite. So after signing out from CAS, we expect to see Office 365
> still logged in.
>
> Are there any settings that allow me to skip the azure.logoutUrl and
> perform the front_channel logout instead? I am using CAS 6.1.4 at this
> point, but I can use any CAS 6 version if necessary.
>
> Appreciated your attention.
>


Re: [cas-user] Re: SAML Delegation in 6.2.0-RC2

2020-04-17 Thread Jérôme LELEU
Hi,

There are a few properties you may use to setup algorithms. See:
https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#saml2
Thanks.
Best regards,
Jérôme


On Fri. 17 Apr 2020 at 13:14, Francisco Castel-Branco <
franciscoc...@gmail.com> wrote:

> Hi
>
> I got it to work, thanks.
>
> Now I have another problem. According to my IdP documentation, I need to
> use [http://www.w3.org/2000/09/xmldsig#rsa-sha1] as a digest, and while pac4j
> seems to support the signature type I need (SHA1withRSA), CAS returns
> "The requested algorithm SHA1withRSA does not exist. Original Message was:
> SHA1withRSA MessageDigest not available".
>
> I understand this is an older algorithm, and probably insecure. As you may
> know, I cannot control this. Is there a way to get this working?
>
>
> Jérôme LELEU wrote on Friday, 27/03/2020 at 10:21:
>
> Hi,
>
>
>
> Yes, you need a specific keystore for the SAML protocol communication (on
> pac4j thus CAS client side). It would be used to sign the SAML
> authentication request although this is not really necessary (signing the
> SAML response is mandatory).
>
>
>
> This might help: http://www.pac4j.org/3.9.x/docs/clients/saml.html
>
>
>
> Thanks.
>
> Best regards,
>
> Jérôme
>
>
>
>
>
> On Fri. 27 Mar 2020 at 11:17, Francisco Castel-Branco <
> franciscoc...@gmail.com> wrote:
>
> I’ve finally managed to understand something by expanding almost all logs
> to debug mode.
>
>
>
> In a SAML routine, the client needs to sign the request, right? And the
> pac4j properties for delegation refer a keystore. So, it leads to a kind of
> obvious question. Does the key that is supposed to issue the request need
> to be included in the JKS (Java Key Store)?
>
>
>
> The documentation doesn't say anything about this, so I'm a bit lost
> here. In my opinion, CAS should be able to read a PEM certificate and the
> private key to generate the metadata required for this to work. Obviously
> using plain metadata sources makes this much simpler.
>
>
>
> Am I pointed in the right direction?
>
>
>
> Misagh Moayyed wrote on Wednesday, 29/01/2020 at 10:26:
>
> I don't know what to look for. I know there's a  tag on the
> request standard for SAML, but the documentation is not clear about this
> subject
>
>
>
> Can you guys give me some advice or point me in the right direction?
>
>
>
> There is no issuer tag in the saml2 response you get back from the
> identity provider, because your attempt at authentication has somehow
> failed there. The IdP is sending you an error response. You need to look
> into your IdP and figure out what is causing it to error out.  Or examine
> the CAS logs to see what that response looks like before it's parsed.
>
> --
>
> Francisco Castel-Branco
>

Re: [cas-user] Stumped about Login-Page (CAS 6.1)

2020-04-06 Thread Jérôme LELEU
Hi,

The documentation:
https://apereo.github.io/cas/6.1.x/ux/User-Interface-Customization-Views.html
should
be helpful.
Thanks.
Best regards,
Jérôme


On Mon. 6 Apr 2020 at 15:13, Sven Specker
wrote:

> Hi!
>
> Usually, I don't have to ask for things like that, but the customization
> of the login page leaves me scratching my head.
>
> While I appreciate the absence of the usual xml hell of spring stuff, I
> cannot for the life of me find out how to customize the login page to
> our corporate design.
>
> After deploying the war file, everything runs fine, but I cannot find a
> trace of any default page customization, so I believe the base page is
> somehow hardcoded.
>
> I could use a hint on how to create a different design. I never use
> spring for my projects so maybe that is the problem. :)
>
> Thanks!
> --
> **
> ** Sven Specker -- Goethe-University Frankfurt Computing Center **
> *** UNIX System Administration (Auth/IDM) 
> * spec...@rz.uni-frankfurt.de [Phone (+49)-69-798-15188] *
> **
>


Re: [cas-user] Re: SAML Delegation in 6.2.0-RC2

2020-03-27 Thread Jérôme LELEU
Hi,

Yes, you need a specific keystore for the SAML protocol communication (on
pac4j thus CAS client side). It would be used to sign the SAML
authentication request although this is not really necessary (signing the
SAML response is mandatory).

This might help: http://www.pac4j.org/3.9.x/docs/clients/saml.html

Thanks.
Best regards,
Jérôme


On Fri. 27 Mar 2020 at 11:17, Francisco Castel-Branco <
franciscoc...@gmail.com> wrote:

> I’ve finally managed to understand something by expanding almost all logs
> to debug mode.
>
>
>
> In a SAML routine, the client needs to sign the request, right? And the
> pac4j properties for delegation refer a keystore. So, it leads to a kind of
> obvious question. Does the key that is supposed to issue the request need
> to be included in the JKS (Java Key Store)?
>
>
>
> The documentation doesn't say anything about this, so I'm a bit lost
> here. In my opinion, CAS should be able to read a PEM certificate and the
> private key to generate the metadata required for this to work. Obviously
> using plain metadata sources makes this much simpler.
>
>
>
> Am I pointed in the right direction?
>
>
>
> Misagh Moayyed wrote on Wednesday, 29/01/2020 at 10:26:
>
> I don't know what to look for. I know there's a  tag on the
> request standard for SAML, but the documentation is not clear about this
> subject
>
>
>
> Can you guys give me some advice or point me in the right direction?
>
>
>
> There is no issuer tag in the saml2 response you get back from the
> identity provider, because your attempt at authentication has somehow
> failed there. The IdP is sending you an error response. You need to look
> into your IdP and figure out what is causing it to error out.  Or examine
> the CAS logs to see what that response looks like before it's parsed.
>
> --
>
> Francisco Castel-Branco
>
>
>


Re: [cas-user] OpenID Connect (pac4j integration) simultaneous login in several windows/tabs fails

2020-03-24 Thread Jérôme LELEU
Hi,

We should have a session per tab if ever it's possible or no session at all.
But this is definitely a hard topic, I'm not sure it's worth the deal to
work on that.

In any case, it's more a pac4j issue than a CAS one, you would have the
same problem with all pac4j implementations (JEE, Shiro, Play, Vertx...)
Let's move that discussion to the pac4j dev mailing list:
https://groups.google.com/forum/?fromgroups#!forum/pac4j-dev

Thanks.
Best regards,
Jérôme

On Tue. 24 Mar 2020 at 13:55, mlabib wrote:

> Thanks, Jérôme,
>
> for the explanation.
>
> As I understand it there would have to be more state to be pushed around
> to fix the issue - maybe even the session made unnecessary?
>
> Still I am quite unsure where this should be discussed. Do you think this
> qualifies as a pac4j issue? Should I open a CAS PR?
>
> Best regards,
> Marcus
>


Re: [cas-user] OpenID Connect (pac4j integration) simultaneous login in several windows/tabs fails

2020-03-24 Thread Jérôme LELEU
Hi,

I'm not surprised by this issue. pac4j relies on one session (distributed
or not) to perform a login process.

When starting the login process in a tab, you put some data in the session.
If meanwhile, in another tab, a login process is performed, the previous
data have been erased and the first login process can't happen correctly in
the first tab.

Thanks.
Best regards,
Jérôme
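
The overwrite described above, simulated with a single-slot session beside a session that keeps one entry per login attempt, as an added example (not pac4j code): the session classes, state values and return URLs are constructed, and the CAS-specific symptom from the thread (an InvalidTicketException behind "No message available") is not reproduced, only the overwrite that leads to it.

```python
"""Why two logins started in parallel tabs collide in one session.

Added example, not pac4j code. The reply explains that pac4j keeps the data
of the login in progress in the web session; a second login started from
another tab overwrites it. SingleSlotSession models that, PerAttemptSession
keeps one entry per login attempt keyed by the OIDC state value instead, and
both validate the state returned on the callback, because that comparison is
also the request-forgery check and must not be relaxed. The session classes,
state values and return URLs are constructed.
"""
import secrets
from typing import Dict, Optional


class SingleSlotSession:
    """One login in flight per session, as described in the reply."""

    def __init__(self) -> None:
        self.state: Optional[str] = None
        self.return_url: Optional[str] = None

    def start_login(self, return_url: str) -> str:
        """Remember where to send the user afterwards; returns the state sent to the IdP."""
        self.state = secrets.token_urlsafe(16)   # overwrites any login already in flight
        self.return_url = return_url
        return self.state

    def finish_login(self, returned_state: str) -> Optional[str]:
        """Callback: accept only the state we issued; None means the attempt is rejected."""
        if self.state is None or returned_state != self.state:
            return None
        self.state, url = None, self.return_url   # one-shot
        return url


class PerAttemptSession:
    """One entry per login attempt, keyed by state, so parallel tabs coexist."""

    def __init__(self) -> None:
        self.attempts: Dict[str, str] = {}

    def start_login(self, return_url: str) -> str:
        state = secrets.token_urlsafe(16)
        self.attempts[state] = return_url
        return state

    def finish_login(self, returned_state: str) -> Optional[str]:
        # pop() keeps each state single-use; an unknown or replayed state yields None.
        return self.attempts.pop(returned_state, None)


def two_tab_scenario(session) -> Dict[str, Optional[str]]:
    """Tab A and tab B both start a login before either callback arrives."""
    state_a = session.start_login("https://app-a.example/")
    state_b = session.start_login("https://app-b.example/")
    # The callbacks then arrive in the order the user submits the two forms.
    return {"tab_a": session.finish_login(state_a), "tab_b": session.finish_login(state_b)}


if __name__ == "__main__":
    print("single slot :", two_tab_scenario(SingleSlotSession()))
    print("per attempt :", two_tab_scenario(PerAttemptSession()))
```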


On Tue. 24 Mar 2020 at 11:34, mlabib wrote:

> Hi group,
>
> since I am not sure where best to report a bug, I am doing it here. I am
> also looking for advice on whether the pac4j issue tracker might be a better
> place to report it.
>
> We are using CAS Server 6.1.5 to federate the customer login to several of
> our services via OpenID Connect.
>
> It came to our attention that if a not yet authenticated user opens several
> services at once in different windows/tabs of the same browser, only the
> first authentication process attempted will succeed. Submission of a second
> still open login form will result in the display of the error message
> "Error: No message available".
>
> In the first submission of the credentials the POST to /cas/login will
> send a redirect (302) to
> /cas/oauth2.0/callbackAuthorize which in turn will redirect to
> /cas/oidc/authorize which will finally redirect to the service.
>
> In the second submission of the credentials the POST will also send a
> redirect to
> /cas/oauth2.0/callbackAuthorize, which will use and invalidate the issued
> service ticket and send a redirect to
> /cas/oauth2.0/callbackAuthorize again (NOT to
> /cas/oidc/authorize). On the second call of
> /cas/oauth2.0/callbackAuthorize the supplied ticket is already invalidated
> and gives rise to a org.apereo.cas.ticket.InvalidTicketException and in
> turn to the
> "Error: No message available" error presented to the user.
>
> I tried changing cas.authn.oauth.replicateSessions to true, which resulted
> in no change to the problem.
>
> Any input would be greatly appreciated!
>
> Thanks,
> Marcus
>


Re: [cas-user] "Authentication issue instant is too old or in the future"

2020-03-16 Thread Jérôme LELEU
Sure. Go ahead...

On Mon, 16 Mar 2020 at 11:02, Ganesh and Sashi Prasad wrote:

> Hi Jerome,
>
> Thanks for the quick response. I have a SAML certificate (captured on this
> user's browser using the SAML Message Decoder Chrome plugin), but since it
> pertains to a client organisation's IdP, I didn't want to attach it to a
> mail addressed to a mailing list. Can I send it to you privately?
>
> Regards,
> Ganesh
>
> On Mon, 16 Mar 2020 at 19:14, Jérôme LELEU  wrote:
>
>> Hi,
>>
>> Indeed, this kind of error is generally related to the
>> *maximumAuthenticationLifetime* setting.
>>
>> But if only one user has an issue, it generally means that the setup is
>> correct.
>>
>> Can you take a closer look at the SAML response he gets by enabling TRACE
>> logs on org.opensaml?
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>>
>> On Mon, 16 Mar 2020 at 08:25, Ganesh and Sashi Prasad <
>> g.c.pra...@gmail.com> wrote:
>>
>>> One of my users keeps having the same problem every time he tries to log
>>> in. He gets an "Access Unauthorized" message from CAS.
>>>
>>> He belongs to an organisation that has its own identity provider (Okta),
>>> and my setup delegates to his organisation's Okta server.
>>>
>>> I use CAS 5.2.9, and pac4j for delegated authentication to Okta. A SAML
>>> token is sent by Okta, which pac4j validates, and if all is well, CAS
>>> issues a TGC cookie.
>>>
>>> The mechanism works for all other users of this organisation that uses
>>> Okta, but not for this one user.
>>>
>>> I've found an error message in the CAS logs at around the time he was
>>> unable to log in:
>>>
>>> *org.pac4j.saml.exceptions.SAMLException: Authentication issue instant
>>> is too old or in the future*
>>>
>>> and then a bit later
>>>
>>> *org.pac4j.saml.exceptions.SAMLException: No valid subject assertion
>>> found in response*
>>>
>>> But there doesn't seem to be anything wrong with the issue instant. The
>>> Okta setup renews SAML tokens every 24 hours, so I changed the CAS property
>>> to be 24 hours and 5 minutes (86700 seconds):
>>>
>>> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=86700
>>>
>>> But this user still has problems logging in. He sees a message "Access
>>> Unauthorized". He has to clear his cookies every time, and even then, he
>>> isn't always able to get back in.
>>>
>>> Can anyone help with this?
>>>
>>> Regards,
>>> Ganesh
>>>

Re: [cas-user] "Authentication issue instant is too old or in the future"

2020-03-16 Thread Jérôme LELEU
Hi,

Indeed, this kind of error is generally related to the
*maximumAuthenticationLifetime* setting.

But if only one user has an issue, it generally means that the setup is
correct.

Can you take a closer look at the SAML response he gets by enabling TRACE
logs on org.opensaml?

Thanks.
Best regards,
Jérôme



On Mon, 16 Mar 2020 at 08:25, Ganesh and Sashi Prasad wrote:

> One of my users keeps having the same problem every time he tries to log
> in. He gets an "Access Unauthorized" message from CAS.
>
> He belongs to an organisation that has its own identity provider (Okta),
> and my setup delegates to his organisation's Okta server.
>
> I use CAS 5.2.9, and pac4j for delegated authentication to Okta. A SAML
> token is sent by Okta, which pac4j validates, and if all is well, CAS
> issues a TGC cookie.
>
> The mechanism works for all other users of this organisation that uses
> Okta, but not for this one user.
>
> I've found an error message in the CAS logs at around the time he was
> unable to log in:
>
> *org.pac4j.saml.exceptions.SAMLException: Authentication issue instant is
> too old or in the future*
>
> and then a bit later
>
> *org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found
> in response*
>
> But there doesn't seem to be anything wrong with the issue instant. The
> Okta setup renews SAML tokens every 24 hours, so I changed the CAS property
> to be 24 hours and 5 minutes (86700 seconds):
>
> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=86700
>
> But this user still has problems logging in. He sees a message "Access
> Unauthorized". He has to clear his cookies every time, and even then, he
> isn't always able to get back in.
>
> Can anyone help with this?
>
> Regards,
> Ganesh
>


Re: [cas-user] Service Information Lost during PAC4J Authentication

2020-03-12 Thread Jérôme LELEU
Hi,

Which version of the CAS server do you use? Do you have a cluster of CAS
servers?
Thanks.
Best regards,
Jérôme


On Thu, 12 Mar 2020 at 04:26, Jack wrote:

> After the PAC4J authentication by provider, Service information is lost
> occasionally and user does not go back to service URL, rather lands at
> /login.
>
> During the regular login process, service is always available as a URL
> parameter.
>
> In case of the PAC4J authentication flow, where authentication controller
> goes to third party provider (for example SAML IdP), how's the service
> information retained?
>
> Is this stored in instance runtime memory? Can we set this as a Cookie or
> so that we don't lose the Service information?
>
> Thanks much!
>


Re: [cas-user] CAS 6.1.4 - Unable to resolve Duo and Hazelcast dependencies

2020-02-25 Thread Jérôme LELEU
Hi,

The Hazelcast dependency is available in the Maven central repository as
most dependencies.
Thanks.
Best regards,
Jérôme


On Mon, 24 Feb 2020 at 17:43, Bryan Wooten wrote:

> Thanks for the fast reply!
>
> The URL you sent was added to the build.gradle and resolved the Duo issue.
>
> Unfortunately, the build is still failing on the Hazelcast dependency.
>
> -Bryan
>
> On Mon, Feb 24, 2020 at 9:34 AM Jérôme LELEU  wrote:
>
>> Hi,
>>
>> You need to add the Unicon repository:
>> https://github.com/apereo/cas/blob/master/gradle/maven.gradle#L197
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Mon, 24 Feb 2020 at 17:14, Bryan Wooten wrote:
>>
>>> Following the instructions here:
>>>
>>>
>>> https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#dependencies
>>>
>>>
>>> We are trying to add dependencies for Hazelcast and Duo by adding to the
>>> build.gradle file:
>>>
>>> compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"
>>>
>>> compile
>>> "org.apereo.cas:cas-server-support-hazlcast-ticket-registry:${casServerVersion}"
>>>
>>> Any help appreciated,
>>>
>>> -Bryan
>>>
>>> But we get these errors:
>>>
>>> Could not resolve all files for configuration ':runtimeClasspath'.
>>>> Could not resolve
>>> org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
>>>  Required by:
>>>  project :
>>>   > Could not resolve
>>> org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
>>>  > Could not get resource '
>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'
>>> .
>>> > Could not GET '
>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'.
>>>  Received
>>> status code 409 from server:
>>>> Could not resolve net.unicon.iam:duo-client:0.2.2.
>>>  Required by:
>>>  project : > org.apereo.cas:cas-server-support-duo:6.1.4 >
>>> org.apereo.cas:cas-server-support-duo-core:6.1.4
>>>   > Could not resolve net.unicon.iam:duo-client:0.2.2.
>>>  > Could not get resource '
>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'
>>> .
>>> > Could not HEAD '
>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
>>>  Received
>>> status code 409 from server:
>>>
>>>

Re: [cas-user] CAS 6.1.4 - Unable to resolve Duo and Hazelcast dependencies

2020-02-24 Thread Jérôme LELEU
Hi,

You need to add the Unicon repository:
https://github.com/apereo/cas/blob/master/gradle/maven.gradle#L197
Thanks.
Best regards,
Jérôme


On Mon, 24 Feb 2020 at 17:14, Bryan Wooten wrote:

> Following the instructions here:
>
>
> https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#dependencies
>
>
> We are trying to add dependencies for Hazelcast and Duo by adding to the
> build.gradle file:
>
> compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"
>
> compile
> "org.apereo.cas:cas-server-support-hazlcast-ticket-registry:${casServerVersion}"
>
> Any help appreciated,
>
> -Bryan
>
> But we get these errors:
>
> Could not resolve all files for configuration ':runtimeClasspath'.
>> Could not resolve
> org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
>  Required by:
>  project :
>   > Could not resolve
> org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
>  > Could not get resource '
> https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'
> .
> > Could not GET '
> https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'.
>  Received
> status code 409 from server:
>> Could not resolve net.unicon.iam:duo-client:0.2.2.
>  Required by:
>  project : > org.apereo.cas:cas-server-support-duo:6.1.4 >
> org.apereo.cas:cas-server-support-duo-core:6.1.4
>   > Could not resolve net.unicon.iam:duo-client:0.2.2.
>  > Could not get resource '
> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'
> .
> > Could not HEAD '
> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
>  Received
> status code 409 from server:
>
>


Re: [cas-user] What happened to cas.authn.ldap[0].type=AUTHENTICATED in 6.1.x ?

2020-02-20 Thread Jérôme LELEU
Hi,

For the password policy, indeed, it's the LdapType. Pick the appropriate
one:

public enum LdapType {

/**
 * Generic ldap type (OpenLDAP, 389ds, etc).
 */
GENERIC,
/**
 * Active directory.
 */
AD,
/**
 * FreeIPA directory.
 */
FreeIPA,
/**
 * EDirectory.
 */
EDirectory
}


Thanks.
Best regards,
Jérôme


On Thu, 20 Feb 2020 at 15:49, Jason Everling wrote:

> It doesn't start, error message below. Also, I just realized it works
> under the cas.authn.ldap[0].type BUT the one that causes it is
>
> cas.authn.ldap[0].passwordPolicy.type=AUTHENTICATED
>
> changing to
>
> cas.authn.ldap[0].passwordPolicy.type=AD CAS starts up just fine.
>
> When using AUTHENTICATED the error is below,
>
> Caused by: org.springframework.core.convert.ConversionFailedException:
> Failed to convert from type [java.lang.String] to type
> [org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties$LdapType]
> for value 'AUTHENTICATED'; nested exception is
> java.lang.IllegalArgumentException: No enum constant
> org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties.LdapType.AUTHENTICATED
> at
> org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:47)
> at
> org.springframework.core.convert.support.GenericConversionService.convert(GenericConversionService.java:191)
> at
> org.springframework.boot.context.properties.bind.BindConverter$CompositeConversionService.convert(BindConverter.java:170)
> at
> org.springframework.boot.context.properties.bind.BindConverter.convert(BindConverter.java:96)
> at
> org.springframework.boot.context.properties.bind.BindConverter.convert(BindConverter.java:88)
> at
> org.springframework.boot.context.properties.bind.Binder.bindProperty(Binder.java:408)
> at
> org.springframework.boot.context.properties.bind.Binder.bindObject(Binder.java:353)
> at
> org.springframework.boot.context.properties.bind.Binder.bind(Binder.java:293)
> ... 179 more
> Caused by: java.lang.IllegalArgumentException: No enum constant
> org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties.LdapType.AUTHENTICATED
> at
> org.springframework.boot.convert.LenientObjectToEnumConverterFactory$LenientToEnumConverter.findEnum(LenientObjectToEnumConverterFactory.java:93)
> at
> org.springframework.boot.convert.LenientObjectToEnumConverterFactory$LenientToEnumConverter.convert(LenientObjectToEnumConverterFactory.java:80)
> at
> org.springframework.boot.convert.LenientObjectToEnumConverterFactory$LenientToEnumConverter.convert(LenientObjectToEnumConverterFactory.java:61)
> at
> org.springframework.core.convert.support.GenericConversionService$ConverterFactoryAdapter.convert(GenericConversionService.java:436)
> at
> org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:41)
>


Re: [cas-user] What happened to cas.authn.ldap[0].type=AUTHENTICATED in 6.1.x ?

2020-02-19 Thread Jérôme LELEU
Hi,

The AUTHENTICATED value still exists: what error do you have when using it?
The only misleading thing in "LDAP type" is the existence of both
AuthenticationTypes and LdapType.
Thanks.
Best regards,
Jérôme


On Thu, 20 Feb 2020 at 01:47, Jason Everling wrote:

> Looks like after a test upgrade from 6.0.x to
> 6.1.4 cas.authn.ldap[0].type=AUTHENTICATED no longer exists, it has to
> use cas.authn.ldap[0].type=AD but logins DO NOT work using the AD type, it
> never has. We have always had to use AUTHENTICATED but it looks like it was
> removed?
>
> Under
> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties-Common.html#ldap-types
> it doesn't show AUTHENTICATED, but under
> https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#ldap-authenticationsearch-settings
> AUTHENTICATED is an option, but trying to use it in any form CAS will not start.
>
> Is it a bug maybe? Back down to 6.0.x for now and all is well using
> cas.authn.ldap[0].type=AUTHENTICATED
>
> Thanks!
> Jason
>


Re: [cas-user] Add new field in CasLogin.

2020-02-17 Thread Jérôme LELEU
Hi,

You may have custom fields on your login page which are available in the
UsernamePasswordCredentials:
https://github.com/apereo/cas/blob/v6.1.4/webapp/cas-server-webapp-resources/src/main/resources/templates/fragments/loginform.html#L110
Thanks.
Best regards,
Jérôme


On Mon, 17 Feb 2020 at 10:46, Anurag Richharia wrote:

> Hi all,
>
> I am trying to add multitenancy to my application. I want to add a new field
> on Login and provide the value at the backend.
> Can I bind the new field value with UserPasswordCredentials?
>
> Can we add new field during cas Login?
>
>


Re: [cas-user] OIDC provider multi node ST VALIDATE FAILED after ST VALIDATE SUCESS

2020-02-05 Thread Jérôme LELEU
Hi,

If you enable the OAuth server support with multiple nodes, you must enable
the session replication via the following property:
*cas.authn.oauth.replicateSessions=true*.

In that case, the pac4j session will be stored via the
*DistributedJEESessionStore* component (which uses a cookie).

Thanks.
Best regards,
Jérôme


On Wed, 5 Feb 2020 at 09:29, Jérôme Steve wrote:

> Hi all,
>
> I confirm all work fine without replication session, with CAS protocol.
> The replication is needed only by OIDC and more specifically by Oauth2
> protocol.
> Hal, I can just tell you that the pac4j package stores some information in
> the session. In my case the URLs in question are oidc/callbackAuthorize and
> oidc/authorize.
>
> I will try to put the httpSession in a Redis cluster and I'll come back to you.
>
> Cheers
>
> On Wed, 5 Feb 2020 at 05:06, Hal Deadman wrote:
>
>> I am running a fairly recent 6.2 snapshot build. I have only seen a
>> problem with OIDC when using an active/active cluster rather than an
>> active/standby cluster. CAS and SAML protocols didn't have a problem. I
>> don't have session clustering configured but I may work on adding support
>> for a Tomcat clustering that works in Kubernetes (
>> https://cwiki.apache.org/confluence/display/TOMCAT/ClusteringCloud) -
>> although that would just mask the dependency on session replication. I only
>> suspect that this is caused by a dependency on session replication; I am
>> using the Ehcache 3 ticket registry and the problem may be related to that.
>>
>> On Tuesday, February 4, 2020 at 11:57:05 AM UTC-5, Travis Schmidt wrote:
>>>
>>> I thought we got rid of the shared session requirement starting with CAS
>>> versions 6.1.x+?  What specific version are you running?
>>>
>>> Travis
>>>
>>> On Tue, Feb 4, 2020 at 8:34 AM Hal Deadman  wrote:
>>>
>>> Jerome, did you find out what specifically CAS is storing in the http
>>> session for OIDC that needs to be replicated? I think I have seen the same
>>> issue in my deployment where OIDC wasn't working in an active/active CAS
>>> cluster but I haven't had a chance to track down the cause.
>>>
>>> - Hal
>>>
>>> On Monday, February 3, 2020 at 12:18:57 PM UTC-5, Jérôme Steve wrote:
>>>
>>> Hi Ray,
>>>
>>> After some investigation, I found the problem.
>>>
>>> I have to replicate the httpSession for High Availability (multi node)
>>> when my CAS server acts as an OpenID Connect Provider ...
>>>
>>> If you know how to do it, you are my guest :) (I have my own view on that
>>> but I'm curious to have another view).
>>>
>>> Thanks for your Help,
>>> Jérôme.
>>>
>>>
>>>
>>> On Thursday, 16 January 2020 18:37:16 UTC+1, rbon wrote:
>>>
>>> Jérôme,
>>>
>>> I have not used memcached so I do not know its workings. A problem we
>>> had with ehcache (replicated cache) was that replication was too slow. The
>>> request for validation came in before the ticket was replicated to the
>>> other servers, so it was never found. We switched to hazelcast (not
>>> replicated) and all has been good.
>>>
>>> It is possible to use cURL to help debug this. Increase the ST lifetime
>>> (say, a few minutes) so that you can perform some manual steps,
>>> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#service-tickets-behavior
>>>
>>> 1. add a fake service to the registry for testing (you do not want the
>>> ST to be sent by the service)
>>> 2. access the service in your browser (or maybe from cURL),
>>> https://cashost.com/cas/login?service=https://possum.com/fake (browser
>>> returns 404)
>>> 3. copy ST from URL
>>> 4. check that the ST exists in all memcached stores
>>> 5. use cURL (maybe as POST) to submit ST for validation,
>>> https://cashost.com/cas/serviceValidate?service=https://possum.com/fake&ticket=ST-...
>>>
>>> You will want to turn logging up (debug or trace) for CAS, and
>>> memcached. Also check access logs.
>>>
>>> Ray
>>>
>>>
>>> On Wed, 2020-01-15 at 08:13 -0800, Jérôme Steve wrote:
>>>
>>> Hi Ray,
>>>
>>> Thanks for your reply (and sorry for my latency ...)
>>>
>>> So I store tickets in a memcached ticket registry (all works fine).
>>> My logs come from TWO different nodes (exactly 2 containers in the same
>>> stack behind a load balancer).
>>>
>>> I understand what you're saying about the round robin load balancer, but
>>> I don't think it's the problem.
>>>
>>> So my problem is that when I'm in a multi node architecture (2 or 3, no
>>> matter) the cas/oauth2.0/callbackAuthorize url loops on itself, and
>>> after looping N times (N corresponding to the property
>>>
>>> cas.ticket.st.numberOfUses=N)
>>>
>>> ST validation fails (that is normal and is not my problem, it's the normal
>>> way).
>>>
>>> My problem is: why this loop?
>>>
>>> In the same environment, but in single node (one container only in the
>>> same stack behind the same load balancer) I don't have this loop. The
>>>
>>> cas/oauth2.0/callbackAuthorize
>>>
>>> url 
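The following is an added example (my own Python, not CAS project code and not code posted by anyone in this thread). It reproduces offline the behaviour Marcus's post at the top of this page and Jérôme Steve's message describe: a service ticket has cas.ticket.st.numberOfUses uses (1 by default), so the second validation of the same ticket answers INVALID_TICKET, and it builds and interprets the /serviceValidate exchange from Ray's cURL steps. The hostnames cashost.com and possum.com are the ones in Ray's message; the ticket ids, user names and attribute values are constructed, the registry is a toy (one node, in memory), and the failure message wording is only modelled on the CAS protocol document, not copied from a CAS server.

```python
"""Added example (not CAS project code): a toy single-use service ticket
registry plus a parser for the CAS 2.0 /serviceValidate response.

Hostnames cashost.com / possum.com come from Ray's message; the ticket ids,
user names and attribute values below are constructed for the example."""
from urllib.parse import urlencode
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def service_validate_url(cas_base, service, ticket):
    """Build the URL Ray's cURL step submits. urlencode() percent-encodes the
    nested service URL so its own '?' and '&' cannot be misparsed by CAS."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


def success_xml(user, attributes=None):
    """serviceResponse the server returns when the ticket validates."""
    attrs = "".join(
        f"<cas:{k}>{escape(str(v))}</cas:{k}>" for k, v in (attributes or {}).items()
    )
    return (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user>"
        f"<cas:attributes>{attrs}</cas:attributes>"
        "</cas:authenticationSuccess></cas:serviceResponse>"
    )


def failure_xml(code, message):
    """serviceResponse the server returns on failure (e.g. INVALID_TICKET)."""
    return (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        f"<cas:authenticationFailure code='{code}'>{escape(message)}"
        "</cas:authenticationFailure></cas:serviceResponse>"
    )


class ServiceTicketRegistry:
    """Toy single-node registry (constructed for this example). number_of_uses
    models cas.ticket.st.numberOfUses (default 1): every successful validation
    consumes a use, and a consumed ticket is removed, which is what turns the
    second submission of the same ticket into INVALID_TICKET."""

    def __init__(self, number_of_uses=1):
        self.number_of_uses = number_of_uses
        self._tickets = {}

    def grant(self, ticket, service, user):
        self._tickets[ticket] = {"service": service, "user": user,
                                 "uses_left": self.number_of_uses}

    def validate(self, service, ticket):
        entry = self._tickets.get(ticket)
        if entry is None:
            return failure_xml("INVALID_TICKET", f"Ticket '{ticket}' not recognized")
        if entry["service"] != service:
            return failure_xml("INVALID_SERVICE",
                               f"Ticket '{ticket}' does not match supplied service")
        entry["uses_left"] -= 1
        if entry["uses_left"] <= 0:
            del self._tickets[ticket]  # single use: replaying it now fails
        return success_xml(entry["user"], {"uid": entry["user"]})


def parse_service_response(xml_text):
    """Turn the serviceResponse XML into a dict the caller can branch on."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        attrs = {}
        attrs_el = ok.find("cas:attributes", CAS_NS)
        for child in (list(attrs_el) if attrs_el is not None else []):
            attrs.setdefault(child.tag.split("}", 1)[-1], []).append(child.text or "")
        return {"ok": True, "user": ok.findtext("cas:user", namespaces=CAS_NS),
                "attributes": attrs}
    bad = root.find("cas:authenticationFailure", CAS_NS)
    if bad is not None:
        return {"ok": False, "code": bad.get("code"), "message": (bad.text or "").strip()}
    raise ValueError("not a CAS serviceResponse document")


def replay_demo():
    """Two validations of one ticket, as in the double-submitted login form."""
    registry = ServiceTicketRegistry(number_of_uses=1)
    registry.grant("ST-1-constructed", "https://possum.com/fake", "alice")
    first = parse_service_response(registry.validate("https://possum.com/fake", "ST-1-constructed"))
    second = parse_service_response(registry.validate("https://possum.com/fake", "ST-1-constructed"))
    return first, second


if __name__ == "__main__":
    print(service_validate_url("https://cashost.com/cas", "https://possum.com/fake", "ST-1-constructed"))
    for result in replay_demo():
        print(result)
```

Run it directly to print the validation URL and the two results. The INVALID_TICKET answer on the second use is the replay protection of single-use tickets working as intended, so a callback that resubmits a ticket (the double-submitted form, or the callbackAuthorize loop on a node that lacks the session) should expect that answer rather than treat it as a registry outage; the TRACE/DEBUG logging Ray suggests is what distinguishes the two.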

Re: [cas-user] Re: CAS OKTA integration

2019-12-22 Thread Jérôme LELEU
Hi,

If you use the SAML authentication delegation to Okta, there is a
SAML2ClientLogoutAction component which should retrieve the user profile
and send a logout request to Okta when you trigger a CAS logout (
https://github.com/apereo/cas/blob/5.1.x/support/cas-server-support-pac4j-core-clients/src/main/java/org/apereo/cas/support/pac4j/web/flow/SAML2ClientLogoutAction.java
).
This may not work for a cluster. Turn on DEBUG logs on this component to
see what happens.
Thanks.
Best regards,
Jérôme


On Fri, 20 Dec 2019 at 09:50, Filip Majernik wrote:

> I am using CAS 5.1.1 which comes with pac4j 2.0.0
>
> On Friday, December 20, 2019 at 8:34:55 AM UTC+1, leleuj wrote:
>>
>> Hi,
>>
>> Which version of CAS (and pac4j) do you use? Do you have one or more CAS
>> servers?
>> Thanks.
>> Best regards,
>> Jérôme
>>
>> On Thu, 19 Dec 2019 at 17:28, Filip Majernik wrote:
>>
>>> Hi Sarika,
>>> I am facing the same issue. The SAML logout request to Okta does not
>>> work. After debugging I have found out that in pac4j's implementation in
>>> SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the
>>> context, hence no sessionIndex as nameId is added to the request. This
>>> UserProfile should be created and kept in session after the user has
>>> successfully authenticated in the IdP, but it isn't. Looking at the Pac4J
>>> documentation I assume that there is no CallbackFilter initialized in CAS
>>> which would store the UserProfile in the session, but I cannot confirm this.
>>>
>>> Does anybody know how to make this work?
>>>
>>> Thanks,
>>> Filip
>>>
>>>
>>> On Friday, September 14, 2018 at 7:24:44 AM UTC+2, sarika deshmukh wrote:

 Hi,

 Is there any update on this issue?

 Thanks in advance.


 On Tuesday, 4 September 2018 18:34:10 UTC+5:30, sarika deshmukh wrote:
>
> Hi Ganesh,
>
> Sorry for the late reply.
> I have checked logs as well, it seems like CAS is not connecting with
> OKTA at the time of logout.
>
> log details:
> 2018-09-04 17:29:21,173 DEBUG
> [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
> - https://.*,
> name=HTTPS, theme=null, informationUrl=null, privacyUrl=null,
> responseType=null, id=1001, description=This service definition
> authorizes all application urls that support HTTPS and IMAPS protocols.,
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
> notifyWhenDeleted=false, expirationDate=null),
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
> evaluationOrder=1,
> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
> logoutType=BACK_CHANNEL, requiredHandlers=[],
> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true,
> excludedAttributes=null, includeOnlyAttributes=null),
> authorizedToReleaseCredentialPassword=false,
> authorizedToReleaseProxyGrantingTicket=false,
> excludeDefaultAttributes=false,
> authorizedToReleaseAuthenticationAttributes=true,
> principalIdAttribute=null), allowedAttributes=[]),
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
> failureMode=NOT_SET, principalAttributeNameTrigger=null,
> principalAttributeValueToMatch=null, bypassEnabled=false), logo=null,
> logoutUrl=https://localhost:8443/cas/logout,
> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]),
> requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={},
> caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not
> a SAML service, or its logout url could not be determined>
> 2018-09-04 17:29:21,173 DEBUG
> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] -
> https://localhost:8443/cas/logout]
> for service [AbstractWebApplicationService(id=
> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
> https://localhost:8443/vcm/j_spring_cas_security_check,
> artifactId=null, principal=us...@company.com, source=service,
> loggedOutAlready=false, format=XML, attributes={})]>
> 2018-09-04 17:29:21,174 DEBUG
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
> https://localhost:8443/cas/logout]] for
> service [AbstractWebApplicationService(id=
> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
> 
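For readers of this thread, an added illustration (not code from CAS, pac4j or any of the posters) of why the missing UserProfile matters: a SAML 2.0 LogoutRequest has to carry the NameID the IdP issued, and normally the SessionIndex, or the IdP has nothing to match against its own session. The profile values, the issuer and the SLO URL below are constructed sample data.

```python
# Added example for this thread; not CAS or pac4j code. Shows which profile
# fields a SAML 2.0 LogoutRequest carries and what goes missing when the
# UserProfile cannot be retrieved from the session (the symptom Filip describes).
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Constructed sample: what a stored profile would hold after the IdP login.
SAMPLE_PROFILE = {
    "name_id": "alice@example.org",                      # constructed
    "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "session_index": "_c8f1a9d2e4b7",                    # constructed
}
SAMPLE_ISSUER = "https://cas.example.org/cas"            # constructed SP entityID
SAMPLE_SLO_URL = "https://idp.example.org/saml2/slo"     # constructed IdP SLO endpoint


def build_logout_request(issuer, destination, profile):
    """Build a LogoutRequest as the SP (CAS) would send it to the IdP.

    `profile` carries the NameID and SessionIndex captured at login, or is None
    when no profile could be retrieved; then, as in the thread, the request is
    sent without them.
    """
    root = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    if profile:
        name_id = ET.SubElement(root, f"{{{NS_SAML}}}NameID",
                                {"Format": profile["name_id_format"]})
        name_id.text = profile["name_id"]
        ET.SubElement(root, f"{{{NS_SAMLP}}}SessionIndex").text = profile["session_index"]
    return ET.tostring(root, encoding="unicode")


def missing_logout_fields(xml_text):
    """Return the names of the subject elements absent from a LogoutRequest.

    NameID (or a BaseID/EncryptedID) is mandatory in the SAML 2.0 protocol
    schema; SessionIndex is optional there but is what lets the IdP close the
    right session, so an SP that has lost its profile produces a request the
    IdP will reject or ignore.
    """
    root = ET.fromstring(xml_text)
    missing = []
    if root.find(f"{{{NS_SAML}}}NameID") is None:
        missing.append("NameID")
    if root.find(f"{{{NS_SAMLP}}}SessionIndex") is None:
        missing.append("SessionIndex")
    return missing


if __name__ == "__main__":
    good = build_logout_request(SAMPLE_ISSUER, SAMPLE_SLO_URL, SAMPLE_PROFILE)
    print(good)
    print("missing with profile:", missing_logout_fields(good))
    bad = build_logout_request(SAMPLE_ISSUER, SAMPLE_SLO_URL, None)
    print("missing without profile:", missing_logout_fields(bad))
```

Turning on DEBUG for SAML2ClientLogoutAction, as Jérôme suggests, is the way to see which of the two shapes the server actually sends; his remark that it may not work across a cluster is consistent with the profile being held in a per-node session that the node handling the logout never sees.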

Re: [cas-user] Re: CAS OKTA integration

2019-12-19 Thread Jérôme LELEU
Hi,

Which version of CAS (and pac4j) do you use? Do you have one or more CAS
servers?
Thanks.
Best regards,
Jérôme

On Thu. 19 Dec. 2019 at 17:28, Filip Majernik wrote:

> Hi Sarika,
> I am facing the same issue. The SAML logout request to Okta does not work.
> After debugging I have found out that in pac4j's implementation in
> SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the
> context, hence no sessionIndex as nameId is added to the request. This
> UserProfile should be created and kept in session after the user has
> successfully authenticated in the IdP, but it isn't. Looking at the Pac4J
> documentation I assume, that there is no CallbackFilter in CAS initialized
> which would store the UserProfile in the session, but I cannot confirm this.
>
> Does anybody know how to make this work?
>
> Thanks,
> Filip
>
>
> On Friday, September 14, 2018 at 7:24:44 AM UTC+2, sarika deshmukh wrote:
>>
>> Hi,
>>
>> Is there any update on this issue?
>>
>> Thanks in advance.
>>
>>
>> On Tuesday, 4 September 2018 18:34:10 UTC+5:30, sarika deshmukh wrote:
>>>
>>> Hi Ganesh,
>>>
>>> Sorry for the late reply.
>>> I have checked logs as well, it seems like CAS is not connecting with
>>> OKTA at the time of logout.
>>>
>>> log details:
>>> 2018-09-04 17:29:21,173 DEBUG
>>> [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>>> - https://.*,
>>> name=HTTPS, theme=null, informationUrl=null, privacyUrl=null,
>>> responseType=null, id=1001, description=This service definition
>>> authorizes all application urls that support HTTPS and IMAPS protocols.,
>>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>>> notifyWhenDeleted=false, expirationDate=null),
>>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
>>> evaluationOrder=1,
>>> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
>>> logoutType=BACK_CHANNEL, requiredHandlers=[],
>>> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>>> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true,
>>> excludedAttributes=null, includeOnlyAttributes=null),
>>> authorizedToReleaseCredentialPassword=false,
>>> authorizedToReleaseProxyGrantingTicket=false,
>>> excludeDefaultAttributes=false,
>>> authorizedToReleaseAuthenticationAttributes=true,
>>> principalIdAttribute=null), allowedAttributes=[]),
>>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>>> failureMode=NOT_SET, principalAttributeNameTrigger=null,
>>> principalAttributeValueToMatch=null, bypassEnabled=false), logo=null,
>>> logoutUrl=https://localhost:8443/cas/logout,
>>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
>>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
>>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]),
>>> requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={},
>>> caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not
>>> a SAML service, or its logout url could not be determined>
>>> 2018-09-04 17:29:21,173 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] -
>>> https://localhost:8443/cas/logout] for
>>> service [AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, principal=us...@company.com, source=service,
>>> loggedOutAlready=false, format=XML, attributes={})]>
>>> 2018-09-04 17:29:21,174 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>> https://localhost:8443/cas/logout]] for service
>>> [AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, principal=us...@company.com, source=service,
>>> loggedOutAlready=false, format=XML, attributes={})]>
>>> 2018-09-04 17:29:21,174 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>> >> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, principal=us...@company.com, source=service,
>>> loggedOutAlready=false, format=XML, attributes={})] and ticket id
>>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>>> 2018-09-04 17:29:21,401 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - >> request
>>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12,
>>> service=AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=

Re: [cas-user] Mongodb Authentication won't work if no attributes given in CAS 6.1.1

2019-11-04 Thread Jérôme LELEU
Hi,

I saw his answer. I understand the concern and the need for consistency in
CAS, but the same holds for pac4j as well: I could change the default
behavior in pac4j, but this would impact users just to accommodate the
consistency of CAS.

My feeling is that the default behavior of pac4j should be kept, but
changed when used in CAS to have consistency in both systems (alone or
bundled).

Here is my proposal: by default, in CAS, the id,username,password
attributes are defined, which makes things consistent in CAS: no need to
define the attributes, consistent in pac4j and things will work properly.
What do you think?

Thanks.
Best regards,
Jérôme




On Mon. 4 Nov. 2019 at 09:51, Andy Ng wrote:

> Hi Jérôme,
>
> PR was declined because Moayyed considered this behavior as something that
> needs to be fixed in pac4j, see this:
>
> Since defining attributes is necessary for pac4j to work when using
> MongoDB Authentication, the attributes property is necessary here.
> However, this behavior of requiring attributes is different from other
> authentication methods (e.g. JDBC), so I proposed to add a warning here for
> clarity's sake. See if you agree.
>
> Thanks for the patch but none of this sounds right.
>
> Attribute support is always optional. All authentication methods in CAS
> work with or without presence of attributes in the authentication source. A
> design choice or limitation of a library should not have to contract
> consistent behavior elsewhere. Changes need to be done on pac4j to allow
> attribute-less authentication.
>
>
> Should I bring this discussion to pac4j group instead? Thanks.
>
> Cheers!
> - Andy
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/84c1396e-647e-484c-b2db-1325250b621f%40apereo.org
> 
> .
>



Re: [cas-user] Mongodb Authentication won't work if no attributes given in CAS 6.1.1

2019-11-03 Thread Jérôme LELEU
Sure. The documentation needs to be complemented here...

On Mon. 4 Nov. 2019 at 08:24, Andy Ng wrote:

> Hi Jérôme
>
> Oh nice, thanks for your explanation :)
>
> I think we should document that *requirement on attribute* on
> https://apereo.github.io/cas/6.1.x/installation/MongoDb-Authentication.html
>
> Since the authentication experience differs from other
> authentication methods (e.g. JDBCAuthenticationHandler), it
> seems beneficial to document the behavior on the CAS page.
>
> What do you think?
>
> Cheers!
> - Andy
>
>



Re: [cas-user] Mongodb Authentication won't work if no attributes given in CAS 6.1.1

2019-11-03 Thread Jérôme LELEU
Hi,

Yes, this is the expected behavior in pac4j. There are two modes (
http://www.pac4j.org/docs/authenticators/mongodb.html): either you define
the attributes and they are used for the profile OR you don't and a
serializedprofile attribute is expected to store the whole serialized
profile.
In the CAS server, defining the attributes is what makes sense.
Thanks.
Best regards,
Jérôme


On Mon. 4 Nov. 2019 at 05:11, Andy Ng wrote:

>
> Hi all,
>
> Today I am testing out CAS using MongoDB authentication, and found out a
> behavior for MongoDB Authentication:
>
> > if no attribute was given in cas.authn.mongo.attributes, the
> authentication will fail with "No serialized profile found".
>
>
> Here is an example:
>
> cas.yml:
>
> cas.authn.mongo:
>   host: ${AUTHENTICATION_MONGODB}
>   userId: root
>   password: ThisIsThePasswordForRoot
>   databaseName: ${AUTHENTICATION_MONGODB}
>   authenticationDatabaseName: admin
>
>
> MongoDB users:
>
> db.users.insertMany([
> { _id: 
> username: "mongodb",
> password: "Mellon",
> },
> ]),
>
>
> logs
>
> cas_1 | 2019-11-04 04:02:37,780 ERROR
> [org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractWrapperAuthenticationHandler]
> - 
> cas_1 | org.pac4j.core.exception.TechnicalException:
> No serialized profile found. You should certainly define the explicit
> attribute names you want to retrieve
> cas_1 | at
> org.pac4j.core.profile.service.AbstractProfileService.convertAttributesToProfile(AbstractProfileService.java:245)
> ~[pac4j-core-4.0.0-RC1.jar!/:?]
> cas_1 | at
> org.pac4j.core.profile.service.AbstractProfileService.validate(AbstractProfileService.java:300)
> ~[pac4j-core-4.0.0-RC1.jar!/:?]
> cas_1 | at
> org.pac4j.core.profile.service.AbstractProfileService.validate(AbstractProfileService.java:27)
> ~[pac4j-core-4.0.0-RC1.jar!/:?]
> cas_1 | at
> org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractWrapperAuthenticationHandler.doAuthentication(AbstractWrapperAuthenticationHandler.java:76)
> ~[cas-server-support-pac4j-authentication-6.1.1.jar!/:6.1.1]
> cas_1 | at
> org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:43)
> ~[cas-server-core-authentication-api-6.1.1.jar!/:6.1.1]
> cas_1 | at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
> cas_1 | at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
> cas_1 | at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> ~[?:?]
> cas_1 | at java.lang.reflect.Method.invoke(Unknown
> Source) ~[?:?]
> cas_1 | at
> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279)
> ~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
> cas_1 | at
> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
> ~[spring-cloud-context-2.2.0.RC1.jar!/:2.2.0.RC1]
> cas_1 | at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
> cas_1 | at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
> ~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
> cas_1 | at
> com.sun.proxy.$Proxy159.authenticate(Unknown Source) ~[?:?]
> cas_1 | at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateAndResolvePrincipal(PolicyBasedAuthenticationManager.java:198)
> ~[cas-server-core-authentication-api-6.1.1.jar!/:6.1.1]
> cas_1 | at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:308)
> ~[cas-server-core-authentication-api-6.1.1.jar!/:6.1.1]
> cas_1 | at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:136)
> ~[cas-server-core-authentication-api-6.1.1.jar!/:6.1.1]
> cas_1 | at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke()
> ~[cas-server-core-authentication-api-6.1.1.jar!/:6.1.1]
> cas_1 | at
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
> ~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
> cas_1 | at
> 

[cas-user] [cas-announce] Java CAS client v3.6.0

2019-10-07 Thread Jérôme LELEU
The Java CAS client v3.6.0 is released:
https://github.com/apereo/java-cas-client/releases/tag/cas-client-3.6.0



Re: [cas-user] 5.3.6 CAS 100% CPU

2019-06-05 Thread Jérôme LELEU
Hi,

I would recommend doing a thread dump to see what's going on inside the
CAS server.
Thanks.
Best regards,
Jérôme


On Wed. 5 June 2019 at 16:10, thomas wrote:

> Hi all,
>
> I recently migrated my CAS system from v4 to v5.3.6.
>
> Everything works fine for logging, but I have a problem with CPU load on
> server.
>
> After some time (can be minutes or hours), the CPU load rises and reaches ~100%
> (1/2% before), no matter how many cores I allocate to the VM (if I set 4
> CPUs, all 4 are at ~100%).
>
> I'm not a java expert, and I don't know how to find the origin of this
> problem.
>
> I have few TGTs delivered (~80), java memory is OK (45%).
>
> I use apache-tomcat-8.5.37 , and a recent java version (jre1.8.0_211).
>
> Any advice would be appreciated; if you need more information, just ask.
>
> regards
> thomas
>
>

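What Jérôme's thread-dump advice amounts to in practice, as an added example for this thread (not code from the posters or from CAS): run `top -H -p <pid>` to see which native thread is burning the CPU, take a `jstack <pid>` dump more than once a few seconds apart, and join the two on the thread id, which jstack prints in hex as `nid=`. Both inputs below are constructed samples in the real formats, and `org.example.cache.TicketCache` is a made-up class.

```python
# Added example; not from the thread or from CAS. Correlates `top -H` output
# with a jstack dump to name the thread behind a 100% CPU symptom.
import re

# Constructed sample of `top -H -p <tomcat pid>` (per-thread view, TID in decimal).
TOP_SAMPLE = """\
  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
 4312 tomcat    20   0 4102m  1.2g  18m R 98.7 15.1  12:33.21 java
 4298 tomcat    20   0 4102m  1.2g  18m S  0.3 15.1   0:02.10 java
 4305 tomcat    20   0 4102m  1.2g  18m S  0.0 15.1   0:00.44 java
"""

# Constructed sample of a jstack dump; nid is the same TID written in hex
# (0x10d8 == 4312). org.example.cache.TicketCache is a made-up class.
JSTACK_SAMPLE = """\
"http-nio-8443-exec-3" #37 daemon prio=5 os_prio=0 tid=0x00007f1c2c0a8000 nid=0x10d8 runnable [0x00007f1bf3ffe000]
   java.lang.Thread.State: RUNNABLE
    at java.util.HashMap$TreeNode.find(HashMap.java:1870)
    at java.util.HashMap.getNode(HashMap.java:577)
    at org.example.cache.TicketCache.get(TicketCache.java:88)

"http-nio-8443-exec-2" #36 daemon prio=5 os_prio=0 tid=0x00007f1c2c0a6000 nid=0x10ca waiting on condition [0x00007f1bf40ff000]
   java.lang.Thread.State: WAITING (parking)
    at sun.misc.Unsafe.park(Native Method)

"GC task thread#0 (ParallelGC)" os_prio=0 tid=0x00007f1c2c01f000 nid=0x10d1 runnable
"""

HEADER = re.compile(r'^"(?P<name>[^"]+)".*?\bnid=0x(?P<nid>[0-9a-fA-F]+)')
STATE = re.compile(r'java\.lang\.Thread\.State:\s*(\S+)')


def nid_for(tid):
    """Decimal TID from top -> the nid string jstack prints."""
    return f"0x{tid:x}"


def parse_top_threads(text):
    """Return {tid: cpu_percent} from `top -H` output; header lines are skipped."""
    cpu = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 9 and tok[0].isdigit():
            cpu[int(tok[0])] = float(tok[8])   # column 9 is %CPU
    return cpu


def parse_jstack(text):
    """Return a list of {name, nid, state, frames} records from a jstack dump."""
    threads, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"name": m.group("name"), "nid": int(m.group("nid"), 16),
                   "state": "UNKNOWN", "frames": []}
            threads.append(cur)
            continue
        if cur is None:
            continue
        s = STATE.search(line)
        if s:
            cur["state"] = s.group(1)
        elif line.strip().startswith("at "):
            cur["frames"].append(line.strip()[3:])
    return threads


def hot_threads(top_text, jstack_text, min_cpu=50.0, frames=3):
    """Join both views: threads at or above min_cpu with state and top frames."""
    cpu = parse_top_threads(top_text)
    out = []
    for t in parse_jstack(jstack_text):
        pct = cpu.get(t["nid"], 0.0)
        if pct >= min_cpu:
            out.append({"name": t["name"], "tid": t["nid"], "cpu": pct,
                        "state": t["state"], "frames": t["frames"][:frames]})
    out.sort(key=lambda x: -x["cpu"])
    return out


if __name__ == "__main__":
    for t in hot_threads(TOP_SAMPLE, JSTACK_SAMPLE):
        print(f'{t["name"]} (tid {t["tid"]}, {t["cpu"]}% CPU, {t["state"]})')
        for f in t["frames"]:
            print("    at", f)
```

Feed it the real text of the two commands; a thread that is RUNNABLE on the same few frames in every dump is the one to investigate, while a hot thread whose frames change between dumps is simply busy.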


Re: [cas-user] Re: How add a Custom OAuth20Client in CAS 5.3.X

2019-02-19 Thread Jérôme LELEU
Hi,

The XML spring configuration is now a Java configuration so you can still
add whatever pac4j clients you want by, for example, overriding the
pac4jDelegatedClientFactory.
Thanks.
Best regards,
Jérôme


On Tue. 19 Feb. 2019 at 10:42, Xavier Rodríguez wrote:

> Hi,
>
> Is there any way to add my new custom Client Oauth2 in CAS-server 5.3.X
> without modifying the PAC4j library?
>
> I need to add my new Client-OAUTH but PAC4j only accepts a limited set of clients.
> Is there any way to override the CAS-Server to add my new Client Oauth in
> PAC4j?
>
> Thanks!!!
>
> On Friday, 15 February 2019 10:06:32 UTC+1, Xavier Rodríguez wrote:
>>
>> Hi,
>>
>> I'm upgrading from CAS 4.2.3 to CAS 5.3.3. In CAS 4.2.3 I define my
>> custom oauth integration in *pac4jContext.xml*:
>>
>> 
>> 
>> 
>> https://localhost:8444/oauth-server/oauth2.0; />
>> 
>> 
>> 
>>
>> How can I do this in CAS 5.3.3?
>>
>> In this version of CAS I can activate an Oauth through:
>>
>> pac4j:
>> oauth2[0]:
>> authUrl: https://myOrg/o/oauth2/auth
>> tokenUrl: https://myOrg/o/oauth2/token
>> profileUrl: https://myOrg/services-rest/getUserInfo
>> profileAttrs:
>> attr1: attr1
>> customParams:
>> state: state
>> id: xx.yyy.zz
>> secret: 3233fdsf4343jk545m543543j
>>
>>
>> I put my Custom Oauth in the /java overlay directory. But I don't know how to
>> indicate to CAS that my class is a new Oauth client. And in what file can I
>> put my properties for my custom oauth? In the application.yml?
>>
>> Or do I have to modify the pac4j-oauth library? I would prefer to put my Custom
>> Oauth in the Cas-Overlay.
>>
>> Any idea?
>>
>> Thanks in advance!
>>
>> - Xavier -
>>
>



Re: [cas-user] Google + API Being Deprecated in pac4j library, any plan to update CAS before Google+ shutdown?

2019-02-14 Thread Jérôme LELEU
Hi,

A pac4j v3.6.0 release will be cut before end of February to handle the
Google+ API deprecation.

Then, you just need to pull the pac4j-* v3.6.0 dependencies alongside your
current version of CAS (pac4j v3.x is backward compatible). There is no
"hotfix", nor "patch".

That said, as CAS v5.3.9 and v6.0.2 releases are planned for March 01,
2019, I think we can update them before.

Thanks.
Best regards,
Jérôme


On Fri. 15 Feb. 2019 at 03:28, Andy Ng wrote:

> Hi CAS team,
>
> Reference here: https://github.com/pac4j/pac4j/issues/1228, Google+ API
> is being deprecated and will be shut down on *March 7, 2019*.
> So the Google delegated authentication for CAS will most likely not be able to
> work anymore if not patched before March 7, 2019.
>
> pac4j plans to upgrade before the end of Feb to cater for this problem, but are
> there any plans for CAS to put out a new release of 5.3.x and 6.0.x before
> the Google+ API shutdown?
>
> The organization that I work with relies heavily on Google delegated
> authentication, so it would be greatly appreciated if there is a patch
> before the shutdown.
> In the worst case scenario we can customize CAS to hotfix it ourselves,
> but it would be less than ideal. Thanks!
>
> Cheers!
> - Andy
>
>



Re: [cas-user] RE: CAS 5.2 PAC4J SAML 2.0 Delegation Behavior

2019-01-24 Thread Jérôme LELEU
Hi,

You're right: the TGT should be checked first. Notice that things have been
fixed in 5.3, the autoRedirect property is still computed in the
DelegationAuthenticationClientAction, but the redirection is applied on the
HTML page.
Thanks.
Best regards,
Jérôme

On Thu. 24 Jan. 2019 at 23:25, Tom O'Neill wrote:

> Hi All,
>
>
>
> I did some additional testing and thought I’d provide an update…
>
>
>
> It seems to me that when autoRedirect is set to ‘true’, the CAS TGT is
> ignored and the user is always sent on to authenticate at the IdP.
>
> When autoRedirect is set to ‘false’ the CAS session is recognized OR the
> user can click a button which will delegate authentication to the IdP.
>
>
>
> In other words, having autoRedirect set to true seems to negate the CAS
> TGT check.
>
> I could see an argument for delegating every time and I could be
> overlooking a detail but I think it would be better to have it check for a
> CAS session and only delegate if the user isn’t already authenticated.
>
>
>
> Thanks,
>
> Tom
>
>
>
> From: cas-user@apereo.org On Behalf Of Tom O'Neill
> Sent: Thursday, January 24, 2019 2:41 PM
> To: cas-user@apereo.org
> Subject: [cas-user] CAS 5.2 PAC4J SAML 2.0 Delegation Behavior
>
>
>
> Hi All,
>
>
>
> I am troubleshooting application integration and looking for some insight.
>
>
>
> We have a CAS 5.2 instance with the PAC4J module, which is being used to
> delegate authentication to an IdP using SAML 2.0.
>
> Based on some testing, it seems like the CAS server is delegating
> authentication to the IdP any time the CAS login method is hit.
>
>
>
> We have the PAC4J autoRedirect property set to true – so I don’t expect
> or want CAS to present a login page but I also didn’t expect it to redirect
> to the IDP if the user has a valid TGT.
>
> cas.authn.pac4j.autoRedirect=true
>
>
>
> Can anyone confirm that this is the designed and expected behavior?
>
> Is anyone aware of a different setting or combination of settings that
> might adjust the behavior to what I’m looking for?
>
>
>
> Hopefully I’m missing something.
>
>
>
> Thanks!!!
>
> Tom
>
>
>
>
>
>



Re: [cas-user] Re: CAS integration with multiple OpenID Providers

2019-01-22 Thread Jérôme LELEU
Hi,

Starting with version 5.3, you have the /clientredirect URL with the
service and client_name parameters. You may use that.
Thanks.
Best regards,
Jérôme


On Wed. 23 Jan. 2019 at 05:54, P Shreyas Holla wrote:

>
> leleuj, we want to achieve something like
> http://localhost:8080/cas?client_name=AzureAdClient for Azure and
> http://localhost:8080/cas?client_name=GoogleClient for the Google
> provider. Would this be possible?
>
> Thanks
> Shreyas
>
> On Tuesday, January 22, 2019 at 8:00:29 PM UTC+5:30, leleuj wrote:
>>
>> Hi,
>>
>> You can log in at Azure or Google via the authentication delegation
>> feature:
>> https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#openid-connect-1
>>
>> Choosing the OpenID Connect provider per service is a customization.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Tuesday 22 January 2019 09:58:39 UTC+1, P Shreyas Holla wrote:
>>>
>>> Suppose we have User1 and User2.
>>>
>>> 1) Whenever user1 accesses the application URL, he has to be redirected to
>>> the Google login page,
>>>
>>> 2) Whenever user2 accesses the application URL, he has to be redirected
>>> to the Microsoft Azure login page.
>>>
>>> On Tuesday, January 22, 2019 at 2:20:25 PM UTC+5:30, P Shreyas Holla
>>> wrote:

 We need to integrate CAS with multiple OpenID Providers like with
 Google and Azure. How can we achieve it?

>



Re: [cas-user] When pac4j delegated AuthN fails ...

2018-12-05 Thread Jérôme LELEU
Hi,

Yes, it feels a bit too aggressive to return an IllegalArgumentException,
but I think it makes sense as there is already a check via the
hasDelegationRequestFailed method to know if the authentication has failed.
The check may be incomplete though...

In fact, it's the responsibility of pac4j to handle cancelled/failed
authentications and in that case, it returns a null credentials (for
delegated authentications), but here, the CAS server takes over.

In any case, we should certainly avoid throwing an IllegalArgumentException
when pac4j returns a null credentials.

How do you get the AuthnFailed SAML response?

Thanks.
Best regards,
Jérôme


On Wed, Nov 21, 2018 at 6:18 PM Rich Renomeron 
wrote:

> I have a requirement to gracefully handle a failed delegated
> authentication scenario (from multiple providers).  A specific example of
> this when a SAML IdP returns an AuthnFailed in the (SAML) response.
>
> Based on my memory with 5.2 and 5.1 overlays, I would expect that, if
> configured correctly, I'd end up on the stopWebflow state when that
> happens.  But if I am reading the 5.3.5 code and my logs correctly, it
> seems that the DelegatedClientAuthenticationAction is now just throwing an
> IllegalArgumentException back to the web flow, which results in the generic
> error page.  That's not really what I want to show my users, especially
> when I need to give them a way back to the login page to try a different
> authN method and end up at the right service if the other attempt succeeds.
>
> Is there a preferred way to handle an exception like that now?  I could
> just mod the generic error page to have a "go back to CAS login" link (like
> the stopWebflow error page does), but that's not ideal.  Or I could write
> some custom code to inject an ExceptionHandler into the clientAction state
> (which I'm not succeeding with at the moment; I can't get my
> WebflowConfigurer to run after the clientAction state has been created).
> Is there a reason why CAS doesn't seem to use the stopWebflow state to
> handle this any more?
>
> Thanks,
> Rich
>


Re: [cas-user] SAML delegated authentication - Authentication attributes missing in the user profile

2018-11-13 Thread Jérôme LELEU
Hi,

You are missing nothing. pac4j authentication attributes are not used to
build the CAS principal, only the user attributes.
Thanks.
Best regards,
Jérôme



On Tue, Nov 13, 2018 at 3:48 PM David Oteo  wrote:

> Hi,
>
> We configured CAS 5.2.2 to delegate authentication to an external IdP
> through SAML. In the SAML response there is an "AuthnContext" tag that does
> not appear in the user profile attributes. CAS 5.2.2 seems to use pac4j
> v2.2.x and here (https://github.com/pac4j/pac4j/pull/961) I can see that
> this functionality was added to pac4j v2.2.
>
> I see this in the logs:
>
> [13/11/18 15:13:42:484 CET] 0147 SystemOut O 2018-11-13
> 15:13:42,339 DEBUG [org.pac4j.saml.profile.SAML2Profile] -  key:
> authnContext / value: [urn:safelayer:tws:policies:authentication:flow:cert]
> / class java.util.ArrayList>
>
> but the attribute is not present in the user profile:
>
> [13/11/18 15:13:42:547 CET] 0147 SystemOut O 2018-11-13
> 15:13:42,340 DEBUG [org.pac4j.saml.client.SAML2Client] -  #SAML2Profile# | id: CN=CORPREC FICTICIO ACTIVO, O=EMPTY | attributes:
> {country=[ES], cif=[Q3890349H], birthdate=[EMPTY], key_usage=[EMPTY],
> not_before=[2017-03-16T12:15:29Z], subject=[SERIALNUMBER=9988J,
> OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543,
> CN=CORPREC FICTICIO ACTIVO,
> OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948,
> OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko,
> OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE,
> C=ES], tsl=[S], issuer=[CN=CA personal de AAPP vascas (2) - DESARROLLO,
> OU=AZZ Ziurtagiri publikoa - Certificado publico SCA, O=IZENPE S.A., C=ES],
> notBefore=2018-11-13T14:13:41.480Z, surname1=[FICTICIO], surname2=[ACTIVO],
> dni=[9988J], email=EMPTY, tipoAfirma=[0], firmaCualificada=[S],
> naturalPersonSemanticsIdentifier=[IDCES-9988J],
> legalPersonSemanticsIdentifier=[VATES-Q3890349H], serial_number=[C6o=],
> preferencia_otp=[sms], given_name=[CORPREC], pais=[ES],
> not_after=[2021-03-16T12:15:29Z], register_type=[1],
> policy_identifier=[1.3.6.1.4.1.14777.104.2], person_status=[PF],
> organization=[EMPTY], domain=[izenpe], name=[CORPREC FICTICIO ACTIVO],
> notOnOrAfter=2018-11-13T14:18:41.480Z, family_name=FICTICIO ACTIVO} |
> roles: [] | permissions: [] | isRemembered: false | clientName: null |
> linkedId: null |>
>
> What am I missing here?
>
> Thank you very much once again!!
>
> Best regards,
> David.
>


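The two threads above both come down to what the SAML Response from the delegated IdP actually carries. The following is an added example, not code from the posts, from CAS or from pac4j: it takes a SAML 2.0 Response, reads the (possibly nested) StatusCode so that a Responder/AuthnFailed result becomes a "stop" transition with a message instead of an exception, and on success keeps AuthnContextClassRef and the Conditions timestamps in an authentication-attribute map separate from the AttributeStatement user attributes, which is the distinction Jérôme draws when he says only user attributes reach the CAS principal. The two sample responses are constructed; the authnContext URN is the one from David's log. Signature and validity-window checks are out of scope here and must be done before any of this output is trusted.

```python
# Added example (not CAS or pac4j code): classify a SAML 2.0 Response the way the
# two threads above describe it. A cancelled/failed login arrives as a non-Success
# status (typically Responder wrapping AuthnFailed) and must become a user-facing
# outcome rather than an exception; on success, AuthnContext and the Conditions
# timestamps are *authentication* attributes, kept apart from the AttributeStatement
# *user* attributes that the CAS principal is built from. Signature, audience and
# time-window checks are deliberately out of scope: verify the signature first.
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class SamlOutcome:
    success: bool
    status_codes: List[str]                 # outer StatusCode first, nested ones after
    status_message: Optional[str]
    name_id: Optional[str] = None
    authn_attributes: Dict[str, Optional[str]] = field(default_factory=dict)
    user_attributes: Dict[str, List[str]] = field(default_factory=dict)


def _status_codes(status) -> List[str]:
    codes, node = [], status.find("samlp:StatusCode", NS)
    while node is not None:                 # StatusCode elements nest for sub-status
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def classify_response(xml_text: str) -> SamlOutcome:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response without Status")
    codes = _status_codes(status)
    out = SamlOutcome(success=(codes[:1] == [STATUS_SUCCESS]), status_codes=codes,
                      status_message=status.findtext("samlp:StatusMessage", None, NS))
    if not out.success:
        return out                          # failed/cancelled: no credentials, no exception
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:                   # Success without an Assertion is malformed
        out.success, out.status_message = False, "Success status but no Assertion"
        return out
    out.name_id = assertion.findtext("saml:Subject/saml:NameID", None, NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is not None:
        out.authn_attributes["authnContext"] = authn.findtext(
            "saml:AuthnContext/saml:AuthnContextClassRef", None, NS)
        out.authn_attributes["authnInstant"] = authn.get("AuthnInstant")
        out.authn_attributes["sessionIndex"] = authn.get("SessionIndex")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        out.authn_attributes["notBefore"] = cond.get("NotBefore")
        out.authn_attributes["notOnOrAfter"] = cond.get("NotOnOrAfter")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        out.user_attributes[attr.get("Name")] = [
            (v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
    return out


def webflow_event(outcome: SamlOutcome) -> str:
    """Transition to fire: 'stop' lands the user on a page with a way back to
    the login form, which is what the first thread asks for."""
    return "success" if outcome.success else "stop"


# Constructed sample responses (not captured from any IdP).
AUTHN_FAILED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User cancelled authentication</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

SUCCESS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-11-13T14:13:41Z" NotOnOrAfter="2018-11-13T14:18:41Z"/>
    <saml:AuthnStatement AuthnInstant="2018-11-13T14:13:41Z" SessionIndex="_s2">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:safelayer:tws:policies:authentication:flow:cert</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("failed", AUTHN_FAILED), ("success", SUCCESS)):
        o = classify_response(doc)
        print(name, webflow_event(o), o.status_codes, o.authn_attributes, o.user_attributes)
```

If you want authnContext on the principal anyway, the place to copy it is your own principal-building code, reading it from the authentication-attribute side; it never appears in the user-attribute map that the log in the second thread prints.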

Re: [cas-user] OAuth delegated authentication - Profile id null

2018-11-08 Thread Jérôme LELEU
Hi,

I don't think so. Exposing these two pac4j capabilities should not be too
complicated for your first contributions ;-)
Thanks.
Best regards,
Jérôme


On Thu, Nov 8, 2018 at 3:43 PM David Oteo  wrote:

> Hi,
>
> Thank you for the quick response. We will try with version 5.3.x.
>
> By the way, in our case access token has to be sent as header. We see that
> pac4j v2.x already allows to choose this option:
>
> @Override
> protected void signRequest(final OAuth2AccessToken accessToken, final OAuthRequest request) {
>     this.configuration.getService().signRequest(accessToken, request);
>     if (this.configuration.isTokenAsHeader()) {   // the option in question
>         request.addHeader(HttpConstants.AUTHORIZATION_HEADER,
>             HttpConstants.BEARER_HEADER_PREFIX + accessToken.getAccessToken());
>     }
>     if (Verb.POST.equals(request.getVerb())) {
>         request.addParameter(OAuthConfiguration.OAUTH_TOKEN, accessToken.getAccessToken());
>     }
> }
>
> Is it possible to configure this in the CAS properties or elsewhere? Right
> now we are modifying the code too :-(
>
> Regards,
> David.
>
> El jueves, 8 de noviembre de 2018, 15:09:24 (UTC+1), leleuj escribió:
>>
>> Hi,
>>
>> Since pac4j v3.2, you can set the element to use as the identifier:
>> http://www.pac4j.org/docs/release-notes.html
>>
>> Unfortunately, CAS v5.2.2 is still based on pac4j v2.x. So the right
>> version to use would be the version 5.3.x, given the fact the profileId
>> could be set by properties (it's an easy improvement though).
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Thu, Nov 8, 2018 at 2:18 PM David Oteo  wrote:
>>
>>> Hello,
>>>
>>> We succesfully configured CAS 5.2.2 to delegate authentication to an
>>> external provider through generic OAuth2 properties:
>>>
>>> #(Optional) Friendly name for OAuth 2 provider, e.g. "This Organization"
>>> or "That Organization"
>>> cas.authn.pac4j.oauth2[0].clientName=Giltza Oauth 2
>>> cas.authn.pac4j.oauth2[0].id=xxx
>>> cas.authn.pac4j.oauth2[0].secret=xxx
>>> cas.authn.pac4j.oauth2[0].authUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth
>>> cas.authn.pac4j.oauth2[0].tokenUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth/token
>>> cas.authn.pac4j.oauth2[0].profileUrl=https://eidasdes.izenpe.com:8082/trustedx-resources/openid/v1/users/me
>>> cas.authn.pac4j.oauth2[0].profileVerb=GET
>>> #cas.authn.pac4j.oauth2[0].profilePath=
>>>
>>> cas.authn.pac4j.oauth2[0].customParams.client_id=xxx
>>> cas.authn.pac4j.oauth2[0].customParams.response_type=code
>>> cas.authn.pac4j.oauth2[0].customParams.state=123456
>>>
>>> cas.authn.pac4j.oauth2[0].customParams.acr_values=urn:safelayer:tws:policies:authentication:flow:bakq|urn:safelayer:tws:policies:authentication:flow:cert
>>> cas.authn.pac4j.oauth2[0].customParams.scope=urn:izenpe:identity:global
>>>
>>> cas.authn.pac4j.oauth2[0].profileAttrs.name=name
>>> cas.authn.pac4j.oauth2[0].profileAttrs.surname1=surname1
>>> cas.authn.pac4j.oauth2[0].profileAttrs.surname2=surname2
>>> ...
>>>
>>> If we don't do anything else, the following error occurs:
>>>
>>> [8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08
>>> 13:28:57,611 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] -
>>> >> {sub=978fa4ff4ea06ca1d39f35eb728b5a7e, cif=Q3890349H, country=ES,
>>> birthdate=EMPTY, key_usage=EMPTY, subject=SERIALNUMBER=9988J,
>>> OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543,
>>> CN=CORPREC FICTICIO ACTIVO,
>>> OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948,
>>> OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko,
>>> OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE,
>>> C=ES, not_before=2017-03-16T12:15:29Z, tsl=S, issuer=CN=CA personal de AAPP
>>> vascas (2) - DESARROLLO, OU=AZZ Ziurtagiri publikoa - Certificado publico
>>> SCA, O=IZENPE S.A., C=ES,
>>> acr=urn:safelayer:tws:policies:authentication:flow:cert, surname1=FICTICIO,
>>> surname2=ACTIVO, email=EMPTY, dni=9988J, tipoAfirma=0,
>>> firmaCualificada=S, naturalPersonSemanticsIdentifier=IDCES-9988J,
>>> legalPersonSemanticsIdentifier=VATES-Q3890349H, serial_number=C6o=,
>>> given_name=CORPREC, pais=ES, not_after=2021-03-16T12:15:29Z,
>>> access_token=fc6ccaad705c4363cce28d89b7a3fd45897400c6134afd3c18d2d7a8bc8261a2,
>>> register_type=1, policy_identifier=1.3.6.1.4.1.14777.104.2,
>>> person_status=PF, domain=izenpe, organization=EMPTY, name=CORPREC FICTICIO
>>> ACTIVO, family_name=FICTICIO ACTIVO} | roles: [] | permissions: [] |
>>> isRemembered: false | clientName: null | linkedId: null |>
>>> [8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08
>>> 13:28:57,611 ERROR
>>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>>> >> authentication handler that supports
>>> [org.apereo.cas.authentication.principal.ClientCredential@2cf6f06a[id=]]
>>> of type [ClientCredential].>
>>> [8/11/18 

Re: [cas-user] OAuth delegated authentication - Profile id null

2018-11-08 Thread Jérôme LELEU
Hi,

Since pac4j v3.2, you can set the element to use as the identifier:
http://www.pac4j.org/docs/release-notes.html

Unfortunately, CAS v5.2.2 is still based on pac4j v2.x. So the right
version to use would be the version 5.3.x, given the fact the profileId
could be set by properties (it's an easy improvement though).

Thanks.
Best regards,
Jérôme


On Thu, Nov 8, 2018 at 2:18 PM David Oteo  wrote:

> Hello,
>
> We succesfully configured CAS 5.2.2 to delegate authentication to an
> external provider through generic OAuth2 properties:
>
> #(Optional) Friendly name for OAuth 2 provider, e.g. "This Organization"
> or "That Organization"
> cas.authn.pac4j.oauth2[0].clientName=Giltza Oauth 2
> cas.authn.pac4j.oauth2[0].id=xxx
> cas.authn.pac4j.oauth2[0].secret=xxx
> cas.authn.pac4j.oauth2[0].authUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth
> cas.authn.pac4j.oauth2[0].tokenUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth/token
> cas.authn.pac4j.oauth2[0].profileUrl=https://eidasdes.izenpe.com:8082/trustedx-resources/openid/v1/users/me
> cas.authn.pac4j.oauth2[0].profileVerb=GET
> #cas.authn.pac4j.oauth2[0].profilePath=
>
> cas.authn.pac4j.oauth2[0].customParams.client_id=xxx
> cas.authn.pac4j.oauth2[0].customParams.response_type=code
> cas.authn.pac4j.oauth2[0].customParams.state=123456
>
> cas.authn.pac4j.oauth2[0].customParams.acr_values=urn:safelayer:tws:policies:authentication:flow:bakq|urn:safelayer:tws:policies:authentication:flow:cert
> cas.authn.pac4j.oauth2[0].customParams.scope=urn:izenpe:identity:global
>
> cas.authn.pac4j.oauth2[0].profileAttrs.name=name
> cas.authn.pac4j.oauth2[0].profileAttrs.surname1=surname1
> cas.authn.pac4j.oauth2[0].profileAttrs.surname2=surname2
> ...
>
> If we don't do anything else, the following error occurs:
>
> [8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08
> 13:28:57,611 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] -
>  {sub=978fa4ff4ea06ca1d39f35eb728b5a7e, cif=Q3890349H, country=ES,
> birthdate=EMPTY, key_usage=EMPTY, subject=SERIALNUMBER=9988J,
> OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543,
> CN=CORPREC FICTICIO ACTIVO,
> OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948,
> OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko,
> OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE,
> C=ES, not_before=2017-03-16T12:15:29Z, tsl=S, issuer=CN=CA personal de AAPP
> vascas (2) - DESARROLLO, OU=AZZ Ziurtagiri publikoa - Certificado publico
> SCA, O=IZENPE S.A., C=ES,
> acr=urn:safelayer:tws:policies:authentication:flow:cert, surname1=FICTICIO,
> surname2=ACTIVO, email=EMPTY, dni=9988J, tipoAfirma=0,
> firmaCualificada=S, naturalPersonSemanticsIdentifier=IDCES-9988J,
> legalPersonSemanticsIdentifier=VATES-Q3890349H, serial_number=C6o=,
> given_name=CORPREC, pais=ES, not_after=2021-03-16T12:15:29Z,
> access_token=fc6ccaad705c4363cce28d89b7a3fd45897400c6134afd3c18d2d7a8bc8261a2,
> register_type=1, policy_identifier=1.3.6.1.4.1.14777.104.2,
> person_status=PF, domain=izenpe, organization=EMPTY, name=CORPREC FICTICIO
> ACTIVO, family_name=FICTICIO ACTIVO} | roles: [] | permissions: [] |
> isRemembered: false | clientName: null | linkedId: null |>
> [8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08
> 13:28:57,611 ERROR
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>  authentication handler that supports
> [org.apereo.cas.authentication.principal.ClientCredential@2cf6f06a[id=]]
> of type [ClientCredential].>
> [8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08
> 13:28:57,616 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: null
> WHAT: Supplied credentials:
> [org.apereo.cas.authentication.principal.ClientCredential@2cf6f06a
> [id=]]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Nov 08 13:28:57 CET 2018
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =
> [8/11/18 13:28:57:629 CET] 00d3 SystemOut O 2018-11-08
> 13:28:57,628 ERROR [com.ibm.ws.webcontainer.servlet.ServletWrapper] -
>  org.springframework.web.util.NestedServletException: Request processing
> failed; nested exception is
> org.springframework.webflow.execution.ActionExecutionException: Exception
> thrown executing
> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@f990386
> in state 'clientAction' of flow 'login' -- action execution attributes were
> 'map[[empty]]'
>
> In order to solve the problem we modified the class
> GenericOAuth20ProfileDefinition.java of pac4j-oauth-2.3.1.jar. We just set
> an id for the profile.
>
> @Override
> public OAuth20Profile extractUserProfile(String body) throws
> HttpAction {
> final OAuth20Profile profile = new 

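To see why the quoted configuration produced ClientCredential[id=], here is an added example (not pac4j's GenericOAuth20ProfileDefinition and not the patch David applied): a small profile extractor over the userinfo JSON in which profile_attrs maps a CAS attribute name to a JSON key, profile_path is the dotted location of the profile object, and profile_id is the key that becomes the principal identifier, the knob Jérôme refers to for pac4j 3.2 and later. Those parameter names and semantics are assumptions made for the example; the userinfo body is constructed with the keys seen in the quoted log and a placeholder token. One caveat for anyone copying the quoted properties: customParams.state=123456 is a constant, and an OAuth state parameter only defends against login CSRF when it is unpredictable, generated per request and bound to the session.

```python
# Added example (not pac4j code): build a profile from a generic OAuth2 userinfo
# body and show why an unset identifier ends up as ClientCredential[id=].
# profile_attrs maps CAS attribute name -> JSON key (assumed reading of the
# profileAttrs.* lines), profile_path is the dotted location of the profile
# object (profilePath), profile_id is the JSON key used as the principal id.
import json
from typing import Any, Dict, Optional

SENSITIVE_KEYS = {"access_token", "refresh_token", "id_token"}   # never release these


def extract_profile(body: str, profile_attrs: Dict[str, str],
                    profile_id: Optional[str] = None,
                    profile_path: Optional[str] = None) -> Dict[str, Any]:
    node = json.loads(body)
    for part in (profile_path.split(".") if profile_path else []):
        node = node[part]                      # KeyError on a wrong profilePath: fail loudly
    attrs = {cas_name: node[json_key]
             for cas_name, json_key in profile_attrs.items()
             if json_key in node and json_key not in SENSITIVE_KEYS}
    # pac4j 2.x left the generic profile's id unset; model that as "" when no
    # profile_id is configured or the configured key is absent from the body.
    pid = node.get(profile_id) if profile_id else None
    return {"id": pid if isinstance(pid, str) else "", "attributes": attrs}


class ProfileIdMissing(ValueError):
    pass


def to_client_credential(profile: Dict[str, Any]) -> Dict[str, Any]:
    """What the CAS side should do with the profile: refuse an empty identifier
    instead of handing ClientCredential[id=] to the authentication handlers."""
    if not profile["id"].strip():
        raise ProfileIdMissing("delegated profile has no identifier; configure profileId")
    return {"id": profile["id"], "attributes": dict(profile["attributes"])}


def credential_id_or_empty(body: str, profile_attrs: Dict[str, str],
                           profile_id: Optional[str] = None,
                           profile_path: Optional[str] = None) -> str:
    """'' when the credential would be rejected, else the principal id."""
    try:
        return to_client_credential(
            extract_profile(body, profile_attrs, profile_id, profile_path))["id"]
    except ProfileIdMissing:
        return ""


# Constructed userinfo body: the keys mirror the quoted log, the token is a placeholder.
USERINFO = json.dumps({
    "sub": "978fa4ff4ea06ca1d39f35eb728b5a7e",
    "name": "CORPREC FICTICIO ACTIVO", "given_name": "CORPREC",
    "surname1": "FICTICIO", "surname2": "ACTIVO", "dni": "9988J",
    "acr": "urn:safelayer:tws:policies:authentication:flow:cert",
    "access_token": "placeholder-not-a-real-token",
})
WRAPPED = json.dumps({"data": json.loads(USERINFO)})   # a provider that nests the profile
ATTRS = {"name": "name", "surname1": "surname1", "surname2": "surname2", "token": "access_token"}

if __name__ == "__main__":
    print(extract_profile(USERINFO, ATTRS))                      # id == "": the failing case
    print(credential_id_or_empty(USERINFO, ATTRS, profile_id="sub"))
    print(credential_id_or_empty(WRAPPED, ATTRS, profile_id="dni", profile_path="data"))
```

The point of the SENSITIVE_KEYS filter is visible in the quoted log: the access_token was sitting among the profile attributes, and anything in that map is one attribute-release policy away from being handed to a CAS client.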
Re: [cas-user] Pac4j Retrieve attribute and passing to CAS client

2018-10-30 Thread Jérôme LELEU
Hi,

By nature, pac4j is written in Java language. In any case, data are passed
via the CAS assertion.
For simple types, things should be straightforward. For more complex types,
you may need some manual/custom adjustments.
Thanks.
Best regards,
Jérôme


On Mon, Oct 29, 2018 at 7:14 PM uvaraj s  wrote:

> Hi Jerome,
>
> Thanks a lot. I was able to retrieve the attributes in JAVA as given
> below. We have CAS client which is developed in Python. How do I get that
> CasProfile in Python? Does pac4j support Python? When we try Django-cas-ng
> it is giving AnonymousUser.
>
> public CasProfile validateServiceTicket(final String serviceURL, final TokenCredentials ticket) {
>     try {
>         final Assertion assertion = getCasRestAuthenticator().getTicketValidator()
>             .validate(ticket.getToken(), serviceURL);
>         final AttributePrincipal principal = assertion.getPrincipal();
>         final CasProfile casProfile = new CasProfile();
>         casProfile.setId(principal.getName());
>         casProfile.addAttributes(principal.getAttributes());
>         return casProfile;
>     } catch (final TicketValidationException e) {
>         throw new TechnicalException(e);
>     }
> }
>
> public CasRestAuthenticator getCasRestAuthenticator() {
>     Authenticator authenticator = getAuthenticator();
>     if (authenticator instanceof LocalCachingAuthenticator) {
>         authenticator = ((LocalCachingAuthenticator) authenticator).getDelegate();
>     }
>     if (authenticator instanceof CasRestAuthenticator) {
>         return (CasRestAuthenticator) authenticator;
>     }
>     throw new TechnicalException("authenticator must be a CasRestAuthenticator (or via a LocalCachingAuthenticator)");
> }
>
>
>
> On Friday, 16 March 2018 11:34:51 UTC-4, leleuj wrote:
>>
>> Hi,
>>
>> This documentation should help you:
>> https://apereo.github.io/cas/4.2.x/integration/Delegate-Authentication.html#how-to-use-this-support-on-cas-applications-side
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Thu, Mar 15, 2018 at 3:31 AM, uvaraj s  wrote:
>>
>>> Hi,
>>>
>>> We are using CAS 4.1.2 and pac4j 1.7 version. We are making SAML2Client
>>> call to shibboleth. These question might look like very basic ones. But the
>>> answer to these will help us a lot.
>>>
>>> 1.On the logs, I am able to see the attribute details getting printed.
>>> But wanted to know how we can able to retrieve user profile details in the
>>> code?.
>>> 2.How does client application who uses this CAS server will be able to
>>> get these attribute details?
>>>
>>> Thanks a lot in Advance.
>>>


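For the Python client in the thread, "data are passed via the CAS assertion" means: validate the service ticket at the CAS 3.0 endpoint and read the attributes out of the XML. This is an added example, not code from the post, from django-cas-ng or from pac4j; the CAS base URL, service URL and the two sample responses are constructed, and the responses follow the CAS protocol 3.0 serviceValidate format.

```python
# Added example (not from the thread or django-cas-ng): the Python side of
# reading attributes from the CAS assertion. The client validates the service
# ticket against /p3/serviceValidate (CAS 3.0, attributes included) and reads
# cas:user plus the cas:attributes block. parse_validation() is separate from
# the HTTP call so it can be exercised offline on the constructed responses.
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET          # use defusedxml for untrusted input in production
from typing import Dict, List, Optional

CAS_NS = "http://www.yale.edu/tp/cas"


class CasValidationError(Exception):
    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.code = code


def parse_validation(xml_text: str) -> Dict[str, object]:
    root = ET.fromstring(xml_text)
    ok = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if ok is None:
        fail = root.find(f"{{{CAS_NS}}}authenticationFailure")
        if fail is None:
            raise CasValidationError("INVALID_RESPONSE", "neither success nor failure element present")
        raise CasValidationError(fail.get("code", "UNKNOWN"), (fail.text or "").strip())
    user = ok.findtext(f"{{{CAS_NS}}}user")
    if not user:
        raise CasValidationError("INVALID_RESPONSE", "authenticationSuccess without cas:user")
    attrs: Dict[str, List[str]] = {}
    block = ok.find(f"{{{CAS_NS}}}attributes")
    if block is not None:
        for child in block:                  # multi-valued attributes repeat the element
            name = child.tag.split("}", 1)[-1]
            attrs.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attrs}


def validation_error_code(xml_text: str) -> Optional[str]:
    """None for a successful validation, otherwise the cas:authenticationFailure code."""
    try:
        parse_validation(xml_text)
        return None
    except CasValidationError as e:
        return e.code


def validate_service_ticket(cas_base: str, service: str, ticket: str, timeout: float = 5.0):
    """Network path. 'service' must be byte-for-byte the URL the ticket was issued
    for, and validation must go over TLS or the ticket is exposed in transit."""
    if not cas_base.startswith("https://"):
        raise ValueError("refusing to validate a ticket over plaintext HTTP")
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    with urllib.request.urlopen(f"{cas_base}/p3/serviceValidate?{query}", timeout=timeout) as resp:
        return parse_validation(resp.read().decode("utf-8"))


# Constructed responses in the CAS 3.0 format (not captured from a live server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.org</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
      <cas:clientName>SAML2Client</cas:clientName>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-1-abc' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(parse_validation(SAMPLE_SUCCESS))
    print(validation_error_code(SAMPLE_FAILURE))
```

An AnonymousUser result from a client library usually means the validation step failed or hit the wrong endpoint (for example /serviceValidate, which in CAS 2.0 mode returns no attributes, or a service URL that differs from the one the ticket was issued for); calling parse_validation() on the raw response body shows which.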

Re: [cas-user] Simple example for .Net Cas Client

2018-10-03 Thread Jérôme LELEU
Hi,

It certainly does. New versions of the CAS server remain backward
compatible regarding the CAS protocol, so old CAS protocol endpoints still
exist.
Thanks.
Best regards,
Jérôme


On Wed, Oct 3, 2018 at 4:46 PM Hoang Anh Duc  wrote:

> Hi!
> Thanks so much but I don't know it can work with CAS 5.x :(
> Do you know?
> Thanks!
>
> On Wednesday, October 3, 2018 at 9:36:00 PM UTC+7, leleuj wrote:
>>
>> Hi,
>>
>> I have an old .Net CAS client example, it's outdated, but it might prove
>> useful: https://github.com/casinthecloud/dotnet-cas-client-demo
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Wed, Oct 3, 2018 at 4:28 PM Hoang Anh Duc  wrote:
>>
>>> Hi!
>>> I'm trying to do authentication with CAS server using .Net C#. But the
>>> example from github is quite difficult to understand.
>>> Anyone have a simple example, so that I can do my work following it?
>>> Thanks so much!
>>>


Re: [cas-user] Simple example for .Net Cas Client

2018-10-03 Thread Jérôme LELEU
Hi,

I have an old .Net CAS client example, it's outdated, but it might prove
useful: https://github.com/casinthecloud/dotnet-cas-client-demo
Thanks.
Best regards,
Jérôme


On Wed, Oct 3, 2018 at 4:28 PM Hoang Anh Duc  wrote:

> Hi!
> I'm trying to do authentication with CAS server using .Net C#. But the
> example from github is quite difficult to understand.
> Anyone have a simple example, so that I can do my work following it?
> Thanks so much!
>


Re: [cas-user] Choosing authenticator based on IP address

2018-10-02 Thread Jérôme LELEU
Hi,

Controlling the behavior by IP is not out-of-the-box. I think your best
option here is to override the DelegatedClientAuthenticationAction.
Thanks.
Best regards,
Jérôme


On Tue, Oct 2, 2018 at 3:21 PM Dicta Artisan 
wrote:

> Hi all
>
> I have question on configuring a complex scenario where I am protecting a
> series of services with a CAS instance (5.2). I have two sets of users that
> I want authenticated by CAS: a set I can authenticate via a database (using
> a query database authenticator) and another set I can authenticate
> delegating to an external SAML IdP (with a pac4J delegated authenticator).
> Basically some users we manage ourselves, some other users are managed by a
> different organisation with their own IdP. The application needs to provide
> equal access to all users to protected services.
>
> Once I define the two authenticators, the default CAS login page presents
> the username/password boxes with the SAML IdP as an optional button to
> click on.
>
> I would like that the login screen behaves the following way: connections
> from a designated IP address range are not presented the login but
> redirected to an authentication request to the SAML IdP. And that
> connections arriving from other addresses are presented the login screen
> for username and password and not offered the option attempting the SAML
> IdP.
>
> Is there a parameter I can pass to the login screen to request an
> automatic redirect to the delegated service under certain conditions? And
> similay, is there an option to present a login where authentication is
> performed against the database only? In my webapp I can detect the IP
> address before presenting the CAS login screen to the users, but I am at
> loss how to configure or drive CAS to adapt the login behaviour for these
> two cases.
>
> I suspect I can hack the login page to do this, but this would be rather
> crude. Is there a better option? Thanks for any suggestion you might have.
>
>


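CAS has no built-in switch that chooses the login path by client address; Jérôme's suggestion is to override DelegatedClientAuthenticationAction. This added example (not CAS code) is the policy logic such an override would call, with the part that is easy to get wrong: X-Forwarded-For is attacker-controlled unless the TCP peer is one of your own reverse proxies, so an implementation that reads the header blindly lets any outsider pick the delegated path, or lets a partner user skip it. The address ranges are constructed; the trusted-proxy list must match your real deployment. The result is only a routing decision: a user in the partner range still authenticates at the IdP, and a user routed to the local form still needs a valid password.

```python
# Added example, not CAS code: the client-address policy an overridden
# DelegatedClientAuthenticationAction would consult. X-Forwarded-For is only
# honoured when the direct peer is a trusted proxy, and is then read from the
# right, skipping our own proxies, so a client-supplied value cannot spoof it.
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _nets(cidrs: Iterable[str]) -> List[IPNet]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str]) -> IPAddr:
    """Address to apply policy to: the TCP peer unless it is one of our proxies,
    in which case the rightmost non-proxy hop of X-Forwarded-For."""
    peer = ipaddress.ip_address(remote_addr)
    proxies = _nets(trusted_proxies)
    if not x_forwarded_for or not any(peer in n for n in proxies):
        return peer                            # header from an untrusted peer is ignored
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer                        # garbage in the header: fall back to the peer
        if not any(addr in n for n in proxies):
            return addr
    return peer                                # every hop was a proxy: no client address visible


def choose_login_mode(client_ip: IPAddr, idp_ranges: Iterable[str]) -> str:
    """'delegate': send the browser straight to the SAML IdP.
    'local': show only the username/password form (the default, fail-closed)."""
    return "delegate" if any(client_ip in n for n in _nets(idp_ranges)) else "local"


def login_decision(remote_addr: str, x_forwarded_for: Optional[str],
                   trusted_proxies: Iterable[str], idp_ranges: Iterable[str]) -> str:
    return choose_login_mode(
        effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies), idp_ranges)


# Constructed sample topology: the partner organisation sits in 203.0.113.0/24,
# our reverse proxies in 10.0.0.0/8.
PARTNER_RANGES = ["203.0.113.0/24"]
OUR_PROXIES = ["10.0.0.0/8"]

if __name__ == "__main__":
    for peer, xff in [("203.0.113.7", None),                   # direct from the partner
                      ("198.51.100.9", "203.0.113.7"),         # outsider forging the header
                      ("10.1.2.3", "203.0.113.7, 10.0.0.5"),   # partner via two of our proxies
                      ("10.1.2.3", "198.51.100.9")]:           # outsider via our proxy
        print(peer, xff, "->", login_decision(peer, xff, OUR_PROXIES, PARTNER_RANGES))
```

Use "delegate" to redirect immediately to the SAML client and "local" to render the form without the delegated-client buttons; a failed delegated login still has to be handled by the webflow exactly as it is today, since the partner's users can also cancel at the IdP.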

Re: [cas-user] Re: CAS 5.3.x PAC4J

2018-09-26 Thread Jérôme LELEU
Hi,

Authentication handlers are called depending on the passed credentials. For
a delegated authentication, a ClientCredentials is created which triggers
the ClientAuthenticationHandler.

Are you sure your new authentication handler supports ClientCredentials?

Thanks.
Best regards,
Jérôme


On Wed, Sep 26, 2018 at 4:24 AM Colin Wilkinson  wrote:

> Regarding Authentication I have ask a separate question to see if what I
> want to do is possible.
>
> On Wednesday, 26 September 2018 08:14:00 UTC+10, Colin Wilkinson wrote:
>>
>> Hi Jérôme,
>>
>> I am not 100% sure; it may be an edge-case bug in the CAS server itself.
>> Basically its an issue when serialising the session, there is no problem
>> when executing code only when trying to serialise the session and that made
>> the problem hard to track. Basically I had two beans that were session
>> scoped and proxy class targeted and the serialisation did not like one of
>> those session scope.
>>
>> The first session is about user information that is required to enable
>> talking between our Enterprise Service Bus (ESB) and our systems. We
>> configure this once and store it the session. This bean is still stored in
>> the session.
>>
>> The second session bean used to do a lot more than it does now and has
>> been reconfigured. Now it only configures the User Information and no
>> longer need to be stored in the session. The second session bean also
>> stores a reference to the first session bean and I think that is where the
>> problem lies.
>>
>> These beans are located in a services module that is used across multiple
>> projects without a problem.
>>
>> I think there maybe a problem with CAS regarding authentication handlers.
>> I initially tried to add additional authentication handler that ran after
>> the main ClientAuthenticationHandler it did not fire. I will do some
>> testing today now that CAS is functioning and get back to if there is a
>> problem
>>
>> I have set cas.authn.policy.all.enabled=true as well
>>
>> Regards,
>> Colin
>>
>> On Tuesday, 25 September 2018 18:05:09 UTC+10, leleuj wrote:
>>>
>>> Hi,
>>>
>>> Was it a bug on your customization or something from the CAS server
>>> itself?
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> On Tue, Sep 25, 2018 at 4:37 AM Colin Wilkinson 
>>> wrote:
>>>
 Hi,

 I have worked out what the issue was. It was one of the session-scoped beans
 being loaded after the initial request that was causing the issue.

 Regards,

 On Monday, 24 September 2018 15:59:52 UTC+10, Colin Wilkinson wrote:
>
> Hi,
>
> We at work are looking at implementing delegated authentication for
> facebook, google, twitter, etc but there seems to be a weird issue with 
> it.
> A little bit of background we have extended the delegated authentication 
> as
> we need to map the email associated with facebook for instance back to a
> staff or student account. If the email has no association then we navigate
> to a registration screen which the user input a user name and password
> otherwise it logs the staff or student in. If staff or student follow the
> flow as designed then all works fine and there is no issue. If the staff 
> or
> student registers using the username and password provided I trigger the
> form authentication.
>
> The issue arises if the user does not navigate as expected: if, when
> they get the registration screen, they realise they have clicked the wrong
> client and decide to go back to the main login screen and choose the right
> client, I am receiving
>
> org.springframework.web.util.NestedServletException: Handler dispatch
> failed; nested exception is java.lang.OutOfMemoryError: Java heap
> space
>
>
> I am certain it's not the modifications I have made, as it's failing
> before the call to redirect to the client has happened. The problem is in the
> "DelegatedClientNavigationController" class with the following line; I placed
> a debug statement preceding the call and a debug statement after the call.
>
>
>  this.delegatedSessionCookieManager.store(webContext);
>
> The main dev CAS server is running with 16 GB of RAM, as initially it was
> only running with 8 GB of RAM.
>
> The possible steps to replicate the issue are as follows:
>
>1. Navigate to CAS
>2. Click Facebook (Authentication must fail)
>3. Redirected back to login screen (Upon redirecting back PAC4J
>clients list goes missing)
>4. Navigate back to CAS so that clients are there
>5. Click Facebook should get a heap space error.
>
> I have tried this with both 5.3.3 and 5.3.4-SNAPSHOT with no success.
>
> The debug statements were as follows:
>
> LOGGER.debug("PRIOR TO CALLING DELEGATED SESSION COOKIE MANAGER STORE");
> this.delegatedSessionCookieManager.store(webContext);
> LOGGER.debug("AFTER TO CALLING 

Re: [cas-user] Re: CAS 5.3.x PAC4J

2018-09-25 Thread Jérôme LELEU
Hi,

Was it a bug on your customization or something from the CAS server itself?
Thanks.
Best regards,
Jérôme


On Tue, Sep 25, 2018 at 4:37 AM Colin Wilkinson  wrote:

> Hi,
>
> I have worked out what the issue was. It was one of the session-scoped beans
> being loaded after the initial request that was causing the issue.
>
> Regards,
>
> On Monday, 24 September 2018 15:59:52 UTC+10, Colin Wilkinson wrote:
>>
>> Hi,
>>
>> We at work are looking at implementing delegated authentication for
>> facebook, google, twitter, etc., but there seems to be a weird issue with it.
>> A little bit of background: we have extended the delegated authentication as
>> we need to map the email associated with facebook, for instance, back to a
>> staff or student account. If the email has no association then we navigate
>> to a registration screen in which the user inputs a user name and password;
>> otherwise it logs the staff or student in. If staff or students follow the
>> flow as designed then all works fine and there is no issue. If the staff or
>> student registers using the username and password provided, I trigger the
>> form authentication.
>>
>> The issue arises if the user does not navigate as expected: if, when they
>> get the registration screen, they realise they have clicked the wrong
>> client and decide to go back to the main login screen and choose the right
>> client, I am receiving
>>
>> org.springframework.web.util.NestedServletException: Handler dispatch
>> failed; nested exception is java.lang.OutOfMemoryError: Java heap space
>>
>>
>> I am certain it's not the modifications I have made, as it's failing before
>> the call to redirect to the client has happened. The problem is in the
>> "DelegatedClientNavigationController" class with the following line; I placed
>> a debug statement preceding the call and a debug statement after the call.
>>
>>
>>  this.delegatedSessionCookieManager.store(webContext);
>>
>> The main dev CAS server is running with 16 GB of RAM, as initially it was only
>> running with 8 GB of RAM.
>>
>> The possible steps to replicate the issue are as follows:
>>
>>1. Navigate to CAS
>>2. Click Facebook (Authentication must fail)
>>3. Redirected back to login screen (Upon redirecting back PAC4J
>>clients list goes missing)
>>4. Navigate back to CAS so that clients are there
>>5. Click Facebook should get a heap space error.
>>
>> I have tried this with both 5.3.3 and 5.3.4-SNAPSHOT with no success.
>>
>> The debug statements were as follows:
>>
>> LOGGER.debug("PRIOR TO CALLING DELEGATED SESSION COOKIE MANAGER STORE");
>> this.delegatedSessionCookieManager.store(webContext);
>> LOGGER.debug("AFTER CALLING DELEGATED SESSION COOKIE MANAGER STORE");
>>
>>
>> Attached are the success results and the heap space error results.
>>
>> I apologise if this does not make sense.
>>
>> Regards,
>> Colin
>>
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/cbf7bd25-bc0d-44b8-92dd-40b8e7d653c3%40apereo.org
> 
> .
>



Re: [cas-user] Call additional URL on service logout

2018-08-07 Thread Jérôme LELEU
Hi,

This is another property: the *logoutType* (*BACK_CHANNEL* or
*FRONT_CHANNEL*).

In your case (for the browser to send the logout request), you need the
front channel logout (
https://apereo.github.io/cas/5.3.x/installation/Logout-Single-Signout.html#front-channel
).

Thanks.
Best regards,
Jérôme


On Tue, Aug 7, 2018 at 5:43 PM, Brian Gibson <
gibson_br...@wheatoncollege.edu> wrote:

> Hi Jérôme,
>
> Thanks for the suggestion, we need the end user's browser to make the call
> to the logout URL and I think the URL in the "logoutUrl" value gets called
> by the CAS server, no?
>
> - Brian
>
> On 8/7/2018 9:09 AM, Jérôme LELEU wrote:
>
> Hi,
>
> By default, the CAS server will call the service URL of the CAS
> applications the user has accessed during his SSO session.
>
> But you can change the application logout URL (called by CAS) via the CAS
> property when defining the CAS service: logoutUrl.
>
> See: https://apereo.github.io/cas/5.3.x/installation/Logout-
> Single-Signout.html#service-endpoint-for-logout-requests
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Tue, Aug 7, 2018 at 2:33 PM, Brian Gibson <
> gibson_br...@wheatoncollege.edu> wrote:
>
>> One of our portal's subapps doesn't get logged out when the portal calls
>> the /cas/logout URL on our CAS 5.1.2 server; that subapp has its own
>> logout URL.
>>
>> Is there a way within CAS 5 to have the client call a URL in the
>> background as they log out of a service?
>>
>> Thanks!
>
>
>
>

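Both logout types Jérôme mentions end up at the application, so it is worth seeing what the application has to do with them. The Python below is an added example written for this thread, not CAS code and not the portal's code. It is the receiving end of CAS single logout: the back channel, where the CAS server POSTs the LogoutRequest XML as the logoutRequest parameter, and the front channel, where the browser is redirected to the service's logoutUrl with the same XML carried in a SAMLRequest parameter (in CAS 5.x that value is DEFLATE-compressed and base64-encoded; check the linked documentation for the exact parameter names of your version). It assumes the application recorded the mapping from service ticket id to local session id when it validated each ticket, which is the only thing that binds a logout request to a session; the sample request, ticket and session ids are constructed.

```python
"""Receiving end of CAS single logout (SLO) in a CAS-protected application.

Added example for this thread, not CAS's own code. Assumptions are marked.
"""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Service ticket ids are opaque; this only bounds their length and character set.
TICKET_RE = re.compile(r"^ST-[A-Za-z0-9._-]{1,256}$")
MAX_INFLATED = 64 * 1024   # cap on inflated size: a decompression bomb is otherwise free


def decode_front_channel(saml_request: str) -> str:
    """Front channel (assumed CAS 5.x encoding): SAMLRequest = base64(raw DEFLATE(xml))."""
    raw = base64.b64decode(saml_request, validate=True)
    inflater = zlib.decompressobj(-15)            # -15: raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_INFLATED)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond the permitted size")
    return xml.decode("utf-8")


def encode_front_channel(logout_xml: str) -> str:
    """Inverse of decode_front_channel; used only to build the constructed input below."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = deflater.compress(logout_xml.encode("utf-8")) + deflater.flush()
    return base64.b64encode(data).decode("ascii")


def extract_session_index(logout_xml: str) -> str:
    """Return the service ticket id from samlp:SessionIndex or raise ValueError."""
    # xml.etree does not fetch external entities; for hostile input prefer defusedxml.
    root = ET.fromstring(logout_xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    ticket = (node.text or "").strip() if node is not None else ""
    if not TICKET_RE.match(ticket):
        raise ValueError("missing or malformed SessionIndex")
    return ticket


def handle_slo(params: Dict[str, str], sessions_by_ticket: Dict[str, str]) -> Optional[str]:
    """Process one logout request. Returns the local session id that was invalidated,
    or None for an unknown ticket: a no-op rather than an error, so the endpoint gives
    no signal to someone probing ticket ids through the unauthenticated front channel."""
    if "logoutRequest" in params:        # back channel: POST from the CAS server itself
        logout_xml = params["logoutRequest"]
    elif "SAMLRequest" in params:        # front channel: redirect through the browser
        logout_xml = decode_front_channel(params["SAMLRequest"])
    else:
        return None
    ticket = extract_session_index(logout_xml)
    return sessions_by_ticket.pop(ticket, None)   # pop: the mapping is single-use


# Constructed LogoutRequest in the shape CAS sends; ids and hostnames are made up.
SAMPLE_TICKET = "ST-17-abcDEF123-cas01.example.edu"
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1-xyz" Version="2.0" '
    'IssueInstant="2018-08-07T15:43:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    f'<samlp:SessionIndex>{SAMPLE_TICKET}</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def demo() -> Optional[str]:
    """Front-channel request against a mapping recorded at ticket validation time."""
    sessions = {SAMPLE_TICKET: "sess-42"}
    return handle_slo({"SAMLRequest": encode_front_channel(SAMPLE_LOGOUT_REQUEST)}, sessions)


if __name__ == "__main__":
    print(demo())
```

The back-channel endpoint should additionally be reachable only from the CAS server's addresses, since anyone who can POST to it can log out any session whose ticket id they know; the front channel has no such option, which is why the lookup is keyed on the ticket and unknown tickets are silently ignored.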


Re: [cas-user] Call additional URL on service logout

2018-08-07 Thread Jérôme LELEU
Hi,

By default, the CAS server will call the service URL of the CAS
applications the user has accessed during his SSO session.

But you can change the application logout URL (called by CAS) via the CAS
property when defining the CAS service: logoutUrl.

See: https://apereo.github.io/cas/5.3.x/installation/Logout-
Single-Signout.html#service-endpoint-for-logout-requests

Thanks.
Best regards,
Jérôme


On Tue, Aug 7, 2018 at 2:33 PM, Brian Gibson  wrote:

> One of our portal's subapps doesn't get logged out when the portal calls
> the /cas/logout URL on our CAS 5.1.2 server; that subapp has its own
> logout URL.
>
> Is there a way within CAS 5 to have the client call a URL in the
> background as they log out of a service?
>
> Thanks!
>
>



Re: [cas-user] ORCID API updated to version 2.0.

2018-05-10 Thread Jérôme LELEU
Hi,

There are not many requests for the Orcid support, so I count on your
contribution on this.
Thanks.
Best regards,
Jérôme


On Wed, May 9, 2018 at 9:56 AM, Neha Gupta  wrote:

> Hello  Jérôme,
>
> Thanks for the reply, but it was only me who proposed these changes.
>
> But it seems that now they have completely stopped supporting the previous
> versions of the Orcid API and thus now they are not working and throwing an
> error, though the same was working before May. So now they are advising to
> upgrade to version 2.0 or 2.1 and below is the link where they have
> mentioned the details for upgrading the same:
>
> https://members.orcid.org/api/news/xsd-20-update
>
> So I just want to know when you are planning to provide full support for the
> Orcid provider, and it would be great if possible to let me know the estimated
> release in which they can be incorporated.
>
>
> Regards
> Neha Gupta
>
>
> On Monday, May 7, 2018 at 3:30:53 PM UTC+2, leleuj wrote:
>>
>> Hi,
>>
>> This upgrade will be available in pac4j 3.0.0(-RC2). See:
>> https://github.com/pac4j/pac4j/commit/cfb5113300de914b6
>> a6e5a109a87a9d1da576472
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Mon, May 7, 2018 at 9:55 AM, Neha Gupta  wrote:
>>
>>> Dear CAS Community,
>>>
>>> ORCID have updated the API version to 2 and as such a problem is coming
>>> up while authenticating with Orcid credentials. I am attaching a trace for the
>>> same. Request you to please look into the same.
>>>
>>> Error shown in the CAS trace: -
>>>
>>> http://www.orcid.org/ns/orcid;>
>>> 1.2
>>> API Version 1.1 is no longer available. please upgrade
>>> to the 2.0 API https://members.orcid.org/api/news/xsd-20-update
>>> 
>>> 
>>>
>>>
>>> Let me know in case any further information is required.
>>>
>>>
>>> Regards
>>> Neha Gupta
>>>
>>>
>>
>



Re: [cas-user] ORCID API updated to version 2.0.

2018-05-07 Thread Jérôme LELEU
Hi,

This upgrade will be available in pac4j 3.0.0(-RC2). See:
https://github.com/pac4j/pac4j/commit/cfb5113300de914b6a6e5a109a87a9d1da576472
Thanks.
Best regards,
Jérôme


On Mon, May 7, 2018 at 9:55 AM, Neha Gupta  wrote:

> Dear CAS Community,
>
> ORCID have updated the API version to 2 and as such a problem is coming
> up while authenticating with Orcid credentials. I am attaching a trace for the
> same. Request you to please look into the same.
>
> Error shown in the CAS trace: -
>
> http://www.orcid.org/ns/orcid;>
> 1.2
> API Version 1.1 is no longer available. please upgrade to
> the 2.0 API https://members.orcid.org/api/news/xsd-20-update
> 
>
>
> Let me know in case any further information is required.
>
>
> Regards
> Neha Gupta
>
>



Re: [cas-user] buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

2018-04-20 Thread Jérôme LELEU
Hi,

I'm resuming on your latest message.

Yes, you do need a callback URL for your application.

This is the doc you are looking for:
https://apereo.github.io/cas/5.2.x/installation/Service-Management.html

Every time you want an application to log in to the CAS server, the CAS
server must know it. Thus the declaration of the CAS services and callback
URLs.

Thanks.
Best regards,
Jérôme



On Thu, Apr 19, 2018 at 10:39 PM, Steve Hespelt  wrote:

> Well, I stumbled across a few config properties I decided to try
> (desperate people do desperate things...)
>
> cas.http-web-request.cors.allow-credentials=true
> # ? where are login requests coming from? Our webapp server name(s)
> # is this needed to get the final redirect back to our app ??
> cas.http-web-request.cors.allow-origins=localhost
> # ??
> cas.webflow.redirect-same-state=true
>
> Restarted CAS, same test case.
> now I see this warning log:
> 2018-04-19 15:47:48,430 WARN
> [org.apereo.cas.web.flow.ServiceAuthorizationCheck]
> - <Service [https://localhost:8449/callback?client_name=CasClient] is not found in service registry.>
>  I have to have a Service defined for the call back to the initial app
> ???
>
>
> 2018-04-19 15:47:48,432 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
> -  [org.springframework.webflow.execution.ActionExecutionException:
> Exception thrown executing org.apereo.cas.web.flow.
> ServiceAuthorizationCheck@5fad865 in state 'serviceAuthorizationCheck' of
> flow 'login' -- action execution attributes were 'map[[empty]]'] with root
> cause [org.apereo.cas.services.UnauthorizedServiceException: Service
> Management: missing service. Service [https://localhost:8449/
> callback?client_name=CasClient] is not found in service registry.]>
>
> Has anyone actually gotten delegated authentication to flow from CAS back
> to an app that used the CAS protocol to request authentication to work?
> using CAS 5.2.x ?  Reading tons of CAS docs have provided no magic beans,
> nor did any page mention having to have a call back service defined...
> Am I frustrated? You bet.
> Is it correct for me to assume that this use case is 'typical' and that,
> being typical, the default webflow definitions in CAS
> 5.2.2 ought to provide for it working? The docs at
> https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html
> certainly suggest to me that's the case.
> Sure would like to make use of many of the positive features described in
> CAS 5.2.x. But I have to wonder if I'm missing much of the necessary
> details.  I would like to avoid implementing all the features myself. Never
> been a big fan of the "let's reinvent the wheel" school of development.
> But...
>
> Any insights, magic beans greatly appreciated.
> -steve
>
>
> On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>>
>> Hi Jérôme,
>> I found an earlier posting
>> 
>> from 12/21/17 regarding the NPEs, so as suggested by that posting, I
>> restarted CAS & then cleared all related cookies from the browser. Once I
>> restart CAS & re-initiated the same flow, no more NPE as shown in my log.
>> But I still have the problem with the webflow not finishing as I expect.
>> I increased the log level to trace on a few packages:
>> org.apereo.cas.web.flow
>> org.springframework.webflow
>> org.springframework.session
>> org.springframework.web
>> org.springframework.web.socket
>> Some log entries of interest (to me): (and I'm currently guessing the
>> issue may be related to a SSO log msg at 2018-04-19 11:53:23,186
>> below.  Why would a service not be allowed to use SSO ?
>> -steve
>>
>> 2018-04-19 11:53:01,183 TRACE 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - > RequestFacade@33327a12><- this object ref# shows up later, at the
>> bottom so I'm correlating this initial log with the later ('completion' )
>> log msg below with the same object ref#...
>> 2018-04-19 11:53:01,183 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - > for [/cas/login]>
>>
>> 2018-04-19 11:53:01,209 TRACE [org.apereo.cas.web.CasWebApplicationContext]
>> - > cationContext@222545dc: ServletRequestHandledEvent: url=[/cas/login];
>> client=[0:0:0:0:0:0:0:1]; method=[GET]; servlet=[dispatcherServlet];
>> session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms];
>> status=[OK]>  <- From the pac4j demo's SecurityFilter redirect to
>> initial request on /cas/index.jsp
>>
>> 2018-04-19 11:53:22,914 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - > for [/cas/login]>
>>
>> 2018-04-19 11:53:22,921 TRACE 
>> [org.springframework.web.servlet.DispatcherServlet]
>> - > vc.servlet.FlowHandlerMapping@2ee91bdf] in DispatcherServlet with name
>> 'dispatcherServlet'>
>> 2018-04-19 11:53:22,921 DEBUG 
>> 
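Jérôme's point above is the one the WARN line in Steve's log is making: CAS only issues tickets for a service URL that matches the serviceId pattern of a registered service, consulted in evaluationOrder, and the delegated-authentication callback of a CAS client is a service like any other, so it has to be registered. The Python below is an added illustration for this thread, not CAS code. It models that lookup and adds the check I would run over a service registry before deploying it, because the same mechanism that blocks an unregistered callback is what stops an attacker from obtaining tickets for a URL they control. It assumes, as I understand CAS's regex-based registered service, that the serviceId is applied as a regex search rather than a full match, which is why an unanchored pattern is dangerous; the registry entries are constructed for the example.

```python
"""Service registry lookup and serviceId pattern audit.

Added example for this thread, not CAS's own code. The regex-search semantics are
an assumption about CAS's regex registered service; the registry is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegisteredService:
    """The fields of a CAS JSON service definition that matter for authorization."""
    name: str
    service_id: str          # regex, the "serviceId" of the JSON definition
    evaluation_order: int    # lower values are consulted first


def find_service(registry: List[RegisteredService],
                 service_url: str) -> Optional[RegisteredService]:
    """Return the first registered service whose serviceId regex is found in the
    requested service URL, consulting services in evaluationOrder (assumed search
    semantics, not full-match)."""
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if re.search(svc.service_id, service_url):
            return svc
    return None


def pattern_is_too_broad(service_id: str) -> bool:
    """Flag serviceId patterns that authorize hosts the operator did not intend:
    unanchored patterns (a search can match the host inside a query parameter of an
    attacker's URL), patterns that do not pin the scheme, and wildcard hosts."""
    if not service_id.startswith("^"):
        return True
    m = re.match(r"\^https?\??://([^/]*)", service_id)
    if m is None:
        return True
    host = m.group(1)
    return host == "" or any(w in host for w in (".*", ".+", "[^", "\\S"))


def audit(registry: List[RegisteredService]) -> List[str]:
    """Names of registry entries whose serviceId is too permissive."""
    return [s.name for s in registry if pattern_is_too_broad(s.service_id)]


# Constructed registry: the delegated-client callback from the thread, registered
# with an anchored pattern, plus the two classic mistakes.
CALLBACK = RegisteredService("buji-pac4j demo callback",
                             r"^https://localhost:8449/callback.*", 10)
UNANCHORED = RegisteredService("unanchored callback",
                               r"https://localhost:8449/callback", 20)
CATCH_ALL = RegisteredService("everything", r"^https?://.*", 1000)

STEVE_SERVICE_URL = "https://localhost:8449/callback?client_name=CasClient"
ATTACKER_URL = "https://evil.example/?next=https://localhost:8449/callback"


if __name__ == "__main__":
    print(find_service([], STEVE_SERVICE_URL))               # None: the WARN in the log
    print(find_service([CALLBACK], STEVE_SERVICE_URL).name)  # callback now authorized
    print(find_service([UNANCHORED], ATTACKER_URL).name)     # why anchoring matters
    print(audit([CALLBACK, UNANCHORED, CATCH_ALL]))
```

With the anchored entry present, the lookup that produced Steve's WARN succeeds; with only the unanchored variant, a URL on an attacker's host that merely mentions the callback is also authorized, and CAS would redirect a freshly minted ticket there.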

Re: [cas-user] buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

2018-04-18 Thread Jérôme LELEU
Hi,

It looks more like a CAS issue than a pac4j issue, so I will answer on
this thread.

I guess the NullPointerException blocks the regular web flow and is the
root cause.

Can you copy/paste the full stack trace?

Thanks.
Best regards,
Jérôme


On Tue, Apr 17, 2018 at 10:40 PM, Steve Hespelt  wrote:

> also posted in the "Pac4j users mailing list" group as well.
>
> Hi, I'm hoping my usage is pretty common & someone has already made this
> scenario work properly.
>
> My objective is to use the buji-pac4j-demo-master (3.2.0-SNAPSHOT)
> project as a starting point as a CAS client, having CAS delegate via the
> pac4j webflow support, eventually I want to make use of the SSO, ticket
> management in CAS 5.2.x (5.2.2 currently).
>
> The intended webflow:  demo app (buji-pac4j-demo-master) security filter
> redirects to CAS via the buji-pac4j CasClient.loginUrl=https://localhost:8443/cas/login
> which will redirect to Google
> OIDC auth url, with flow eventually returning credentials, profile info to
> the SecurityFilter to redirect to original requested URL (eg.
> https://localhost:8449/cas/index.jsp)
>
> I've got the buji-pac4j-demo-master configured so I can test using jetty
> (using https on port 8449).
>
> initial CAS 5.2.3 setup is with 1 delegated IDP. per
> https://apereo.github.io/cas/5.2.x/integration/Delegate-Authentication.html,
> I added the cas-server-support-pac4j-webflow
> (5.2.3) artifact to the CAS overlay's pom.
> my CAS 5.2.2 server is listening for incoming https connections on port
> 8443.
>
> So, my understanding is that CAS will not bother with the CAS generated
> login page, but (autoRedirect==true) will just redirect the login request
> to the 1 configured delegated IDP.
> This works as I expect, I get the usual Google login page, I authenticate
> & I get redirected but only back to the CAS login page.
>
> BUT, while it looks as though CAS is processing the redirect from Google
> [see below log msgs involving 
> org.pac4j.oidc.credentials.extractor.OidcExtractor],
> no sign that it is responding to the application's request - lots of gory
> details below gives me reason to suspect that. First is the response code
> of 200 on the redirect for CAS to process Google's response.
>
> So my embarrassingly large post boils down to: What am I missing to get
> CAS to finish the webflow by returning the response with the authenticated
> credentials back the initial requesting app, the pac4j demo's
> SecurityFilter?  Any chance it's related to the below response header
> showing for a Set-Cookie field with the following: Secure; HttpOnly ?
>
> Thank you for any insights.
> -steve
>
>
> my cas.properties contains the following cas.authn.pac4j.* settings.
>
> cas.authn.pac4j.autoRedirect=true
> cas.authn.pac4j.oidc[0].id=**.apps.googleusercontent.com
> cas.authn.pac4j.oidc[0].secret=my-secret
> cas.authn.pac4j.oidc[0].type=GOOGLE
> cas.authn.pac4j.oidc[0].scope=openid profile
> cas.authn.pac4j.oidc[0].clientName=GoogleOIDC
> cas.pac4j.oidc.discoveryUri=https://accounts.google.com/.well-known/openid-configuration
>
>
>
> My Google console authorized redirect URIs has 1:  https://localhost:8443/cas/login?client_name=GoogleOIDC
>
> So the following is working:
> SecurityFilter is generating a 302 redirect response to the initial
> (unauthenticated) request for https://localhost:8449/cas/index.jsp
>   response header has location=https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient
>  Server: Jetty(9.3.8.v20160314)
>
> redirect sent to CAS is:  https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient
>response header has location=https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=myclientID*.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw
>response header also has Set-Cookie: JSESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; Path=/cas; Secure; HttpOnly
>
> This results in the CAS instance redirecting via 302 response the
> following request URL (same as response location above):
> https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=myclientID*.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw
>
> I get the Google login page, enter my credentials and the generated
> response is a 302 redirect
>response header has location=https://localhost:8443/cas/login?client_name=GoogleOIDC&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw&code=4/AAA9qlRlbkuWmFzJO1nvr23LnRf4HVoMu9eqJeQ-nzq922D375okGqD52Dv_haMQIYAkV5ikouz3NAtLbJg2csA&authuser=0&session_state=da7bae9eb4fa3459e15f94e81f06a8258c41c9c1..b186&prompt=none#
> state value matches the 

Re: [cas-user] pac4j SAML2Client and principal

2018-03-23 Thread Jérôme LELEU
Hi,

The behavior is to create the CAS principal and attributes from the pac4j
principal and attributes. So you should get the pac4j attributes at the end.
Ignore the log about the ClientCredential, the toString method just outputs
the id (not the attributes).

Is the service configured properly (with ReturnAllAttributeReleasePolicy
for example)?

Thanks.
Best regards,
Jérôme


On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda  wrote:

> Hi,
>
> I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> depending on the issue of which binding is being used for the
> , as detailed in an earlier note to this list).
>
> I am delegating authentication to a SAML2 IdP using pac4j.
>
> After a successful authentication I see in cas.log
>
> 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
>  OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUh
> ElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E
> 8uqJp0pzRmivQ== |
> attributes:
> {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[
> skora...@gmail.com],
> urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott
> Koranda], givenName=[Scott],
> urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z,
> uid=[scott.koranda],
> urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.kora...@sphericalcowgroup.com],
> notOnOrAfter=2018-03-22T14:49:45.460Z,
> eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com],
> urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
> permissions: [] | isRemembered: false | clientName: null | linkedId:
> null |>
>
> Those are the values for NameID (transient) and attributes that I
> expect.
>
> The next line in cas.log is
>
> 2018-03-22 14:44:46,402 INFO
> [org.apereo.cas.authentication.AbstractAuthenticationManager] -
>  [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]
> with attributes [{}] via credentials
> [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=
> AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].>
>
> So it appears that the NameID value (transient) is being used as the
> principal, but none of the attributes are making it from the pac4j layer
> into the CAS layer.
>
> Is that a correct assessment?
>
> If so, how can I
>
> a) change what value is used for the principal? I would like to use the
> value from one of the asserted attributes.
>
> b) push the attributes into the CAS layer to make them available for
> assertion downstream to the CAS client?
>
> I have reviewed the documentation for the Delegated/pac4j authentication at
>
> https://apereo.github.io/cas/5.1.x/integration/Delegate-
> Authentication.html
>
> and that for Attribute Resolution at
>
> https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html
>
> but I am not able to find a configuration option that appears to tell
> pac4j to push the attributes into the Authentication object.
>
> Thank you for your consideration.
>
> Scott K
>
>
>

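Jérôme's answer covers both halves of Scott's question, and both are worth seeing as code. The Python below is an added example for this thread, not CAS or pac4j code. It builds the CAS-side principal from a pac4j-style SAML2 profile, lets an asserted attribute replace the transient NameID as the principal id, rejects a scoped value such as eduPersonPrincipalName whose scope the asserting IdP is not trusted for, and applies a per-service attribute release that is either return-all or an allow list. In CAS 5 the principal attribute choice is a property of the pac4j delegation settings (cas.authn.pac4j.principalAttributeId, as I recall the 5.x configuration reference names it; verify against your version) and the release policy is set per service; the profile values and the trusted scope below are constructed, not Scott's.

```python
"""Principal construction and attribute release for a delegated SAML2 login.

Added example for this thread, not CAS or pac4j code. Profile values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

Attributes = Dict[str, List[str]]

# Attributes whose value carries an "@scope" suffix that an IdP may only assert for
# its own scope(s); accepting a foreign scope lets one IdP impersonate another's users.
SCOPED_ATTRIBUTES = frozenset({"eduPersonPrincipalName", "eduPersonScopedAffiliation"})


@dataclass(frozen=True)
class Principal:
    id: str
    attributes: Attributes


def build_principal(name_id: str, attributes: Attributes,
                    principal_attribute: Optional[str],
                    trusted_scopes: FrozenSet[str]) -> Principal:
    """Build the CAS-side principal from a pac4j profile.

    With principal_attribute=None the NameID becomes the principal id; a transient
    NameID changes on every login, so downstream services cannot key accounts on it.
    Naming an asserted attribute instead gives a stable id, provided the value is
    single-valued and, for scoped attributes, carries a scope this IdP is trusted for.
    """
    if principal_attribute is None:
        return Principal(name_id, dict(attributes))
    values = attributes.get(principal_attribute, [])
    if len(values) != 1 or not values[0].strip():
        raise ValueError(f"{principal_attribute} must be single-valued and non-empty")
    value = values[0].strip()
    if principal_attribute in SCOPED_ATTRIBUTES:
        user, sep, scope = value.rpartition("@")
        if not sep or not user or scope.lower() not in trusted_scopes:
            raise ValueError(f"{principal_attribute} scope {scope!r} is not trusted for this IdP")
    return Principal(value, dict(attributes))


def release(principal: Principal, allowed: Optional[List[str]]) -> Attributes:
    """Attributes handed to the CAS client: everything (return-all policy, allowed=None)
    or only the listed ones (return-allowed policy). Least privilege says list them."""
    if allowed is None:
        return dict(principal.attributes)
    return {k: v for k, v in principal.attributes.items() if k in allowed}


# Constructed profile shaped like the SAML2Client log line in the thread.
SAMPLE_NAME_ID = "AAdzZWNyZXQx-transient-nameid-changes-every-login"
SAMPLE_ATTRIBUTES: Attributes = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.edu"],
    "eduPersonPrincipalName": ["jdoe@idp.example.edu"],
    "displayName": ["J. Doe"],
    "sessionindex": ["_570a4d9a94551c4e52cf75415fac58f0"],
}
TRUSTED_SCOPES = frozenset({"idp.example.edu"})


def demo() -> Principal:
    """Stable principal id from eduPersonPrincipalName instead of the transient NameID."""
    return build_principal(SAMPLE_NAME_ID, SAMPLE_ATTRIBUTES,
                           "eduPersonPrincipalName", TRUSTED_SCOPES)


if __name__ == "__main__":
    p = demo()
    print(p.id, release(p, ["mail", "displayName"]))
```

The scope check is the part that is easy to forget when several IdPs feed one CAS: a profile asserting eduPersonPrincipalName=admin@other.example from the wrong IdP must not become that principal.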


Re: [cas-user] Pac4j Retrieve attribute and passing to CAS client

2018-03-16 Thread Jérôme LELEU
Hi,

This documentation should help you:
https://apereo.github.io/cas/4.2.x/integration/Delegate-Authentication.html#how-to-use-this-support-on-cas-applications-side
Thanks.
Best regards,
Jérôme


On Thu, Mar 15, 2018 at 3:31 AM, uvaraj s  wrote:

> Hi,
>
> We are using CAS 4.1.2 and pac4j 1.7 version. We are making a SAML2Client
> call to shibboleth. These questions might look like very basic ones, but the
> answers to these will help us a lot.
>
> 1. On the logs, I am able to see the attribute details getting printed. But
> I wanted to know how we can retrieve the user profile details in the
> code.
> 2. How does a client application that uses this CAS server get these
> attribute details?
>
> Thanks a lot in Advance.
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LyvfihQoR8JGaQbjZzbKqqVUKe%2BJFgNimTzvZCDmpVquQ%40mail.gmail.com.


Re: [cas-user] Customizing webflows

2018-02-28 Thread Jérôme LELEU
Hi,

You don't need to explicitly add the configuration class in your
spring.factories file. Adding the dependency is enough (there is already a
spring.factories file inside it).
Thanks.
Best regards,
Jérôme


On Wed, Feb 28, 2018 at 11:18 AM, yashwanth chowdary <
ryashwanthkumarchowd...@gmail.com> wrote:

> I want to use pswdreset-webflow in my cas5 overlay. I have added the
> dependencies and I have customized the login-webflow so that on click of
> the changepassword button it shows us the view that is configured in the
> pswdreset webflow. I have added the class
> "org.apereo.cas.pm.config.PasswordManagementWebflowConfiguration" in the
> spring.factories file. I am facing the issue below: "NoSuchFlowFoundException"
>
>
> Please refer to the attached files for the dependencies, customized login
> flow and HTML files.
> Error log:
>
> org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'forceChangePassword' of flow 'login'
>   at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>   at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
>   at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:483)
>   at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
>   at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
>   at com.sun.proxy.$Proxy125.resumeExecution(Unknown Source)
>   at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:253)
>   at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>   at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>   at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>   at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
>   at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apereo.cas.web.support.AuthenticationCredentialsLocalBinderClearingFilter.doFilter(AuthenticationCredentialsLocalBinderClearingFilter.java:30)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:237)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apereo.cas.security.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:94)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110)
>   at 
> 

Re: [cas-user] only delegated (pac4j SAML) authentication and no button click

2018-02-28 Thread Jérôme LELEU
Hi,

You need to use the following property:

# cas.authn.pac4j.autoRedirect=false

Thanks.
Best regards,
Jérôme


On Tue, Feb 27, 2018 at 8:35 PM, Scott Koranda  wrote:

> Hello,
>
> I am running CAS 5.2.2.
>
> I have successfully configured CAS to use pac4j for delegated
> authentication. Specifically CAS/pac4j is configured as a SAML SP.
>
> When I browse to a CAS client I am redirected to the CAS server login
> page. I can then click a button to kick off the SAML flow and am redirected
> to the SAML IdP for authentication. After returning to the CAS/pac4j SAML
> SP I am then redirected to the CAS client with a ticket, which is later
> validated and I successfully access the resource.
>
> I would like the delegated SAML authentication flow to be the only CAS
> authentication mechanism and I would like it so that I do not have to click
> a button to kick off the SAML flow. Ideally the user would never "see" the
> CAS server at all.
>
> I thought this configuration would make that happen:
>
> cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
> cas.authn.policy.req.handlerName=Pac4j
> cas.authn.policy.req.tryAll=false
> cas.authn.policy.req.enabled=true
> cas.authn.accept.users=
>
> With this configuration I still see the login page and have to click a
> button to cause the SAML flow.
>
> Is it possible to have the SAML flow start immediately without having to
> click the button?
>
> If so what configuration do I need?
>
> Thanks,
>
> Scott K
>


Re: [cas-user] Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.

2018-02-14 Thread Jérôme LELEU
Hi,

The problem happens at the pac4j level, but it is not because of pac4j. The
identity provider returns a specific error which makes authentication
impossible.

There must be some bad configuration: maybe you have public key and secret
while you need member ones. It definitely feels like a functional error.

Thanks.
Best regards,
Jérôme


On Tue, Feb 13, 2018 at 10:53 AM, Neha Gupta <neha.1.gu...@gmail.com> wrote:

> Hello Jérôme,
>
> Could you please elaborate in more detail on how I can run these
> test cases.
>
> I tried to solve the problem in pac4j (i.e. correcting the URL), but after
> that I am getting the error below (traces and snapshot attached):
>
> org.pac4j.core.exception.TechnicalException:
> com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: {
>   "error" : "invalid_request",
>   "error_description" : "Public members are not allowed to use the Members
> API"
> }
>
> Could you please give me more detail about the issue, i.e. where it occurs
> (whether the problem is on the CAS side or the pac4j side) and how I can
> proceed further.
>
> Regards
> Neha Gupta
>
> On Fri, Feb 2, 2018 at 4:46 PM, Jérôme LELEU <lel...@gmail.com> wrote:
>
>> Hi,
>>
>> Before fixing things in CAS, you should start by making it work in pac4j
>> and successfully running a manual test like these:
>> https://github.com/pac4j/pac4j/tree/master/pac4j-oauth/src/test/java/org/pac4j/oauth/run
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Thu, Feb 1, 2018 at 4:03 PM, Neha Gupta <neha.1.gu...@gmail.com>
>> wrote:
>>
>>> Hello Jérôme,
>>>
>>> Thanks a lot for the support.
>>>
>>> So finally I was able to compile pac4j with the required changes, but I am
>>> still not able to access the ORCID login page. The same problem is still
>>> occurring: "There has been a problem with the server. If this problem persists please
>>> contact administrator"
>>>
>>> After looking into the CAS traces I found out that the URL which CAS is
>>> building has a "/" at the end of authorize, and because of this the ORCID login
>>> page is not getting displayed.
>>>
>>> The URL which CAS is building is below and is not accessible:
>>>
>>> http://www.orcid.org/oauth/authorize*/*?client_id=APP-UPW3FFH08YVI6YUJ=%2Fauthenticate%2Fread-limited_type=code_uri=http%3A%2F%2Fidiv-dev1.inf-bb.uni-jena.de%3A8080%2Fcas%2Flogin%3Fclient_name%3Dorcid#show_login
>>>
>>>
>>> The URL below, after removing the /, is accessible:
>>>
>>> http://www.orcid.org/oauth/authorize?client_id=APP-UPW3FFH08YVI6YUJ=%2Fauthenticate%2Fread-limited_type=code_uri=http%3A%2F%2Fidiv-dev1.inf-bb.uni-jena.de%3A8080%2Fcas%2Flogin%3Fclient_name%3Dorcid#show_login
>>>
>>> Looking forward to your support on this.
>>>
>>>
>>> Thanks and Regards
>>> Neha Gupta
>>>
>>>
>>>
>>>
>>> On Wed, Jan 31, 2018 at 11:13 AM, Jérôme LELEU <lel...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> OK. So let's take problems in order:
>>>>
>>>> - regarding the AbstractMethodError error, it certainly comes from the
>>>> fact that you don't have the same version of pac4j-core and the other
>>>> pac4j-* modules (check that with a "mvn dependency:tree" or
>>>> "gradlew dependencies"). It should be 2.2.1 for all modules to use the
>>>> latest version.
>>>>
>>>> - regarding the Illegal key size error, either it comes from the key
>>>> size you use or from the fact you haven't installed the unlimited strength
>>>> policy for your JDK.
>>>>
>>>> We don't use the v2 API as I don't see any v2.0 text in the URL we use.
>>>> I remember taking a look at this integration, but it wasn't really easy to
>>>> test it. It might be easier with the version 2.
>>>>
>>>> Your contribution will be welcome.
>>>>
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> On Tue, Jan 30, 2018 at 1:36 PM, Neha Gupta <neha.1.gu...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello  Jérôme,
>>>>>
>>>>> Thanks a lot for update. I tried making changes in the file you
>>>>> suggested but always not ab

Re: [cas-user] Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.

2018-02-02 Thread Jérôme LELEU
Hi,

Before fixing things in CAS, you should start by making it work in pac4j and
successfully running a manual test like these:
https://github.com/pac4j/pac4j/tree/master/pac4j-oauth/src/test/java/org/pac4j/oauth/run
Thanks.
Best regards,
Jérôme


On Thu, Feb 1, 2018 at 4:03 PM, Neha Gupta <neha.1.gu...@gmail.com> wrote:

> Hello Jérôme,
>
> Thanks a lot for the support.
>
> So finally I was able to compile pac4j with the required changes, but I am still
> not able to access the ORCID login page. The same problem is still occurring: "There
> has been a problem with the server. If this problem persists please contact
> administrator"
>
> After looking into the CAS traces I found out that the URL which CAS is
> building has a "/" at the end of authorize, and because of this the ORCID login
> page is not getting displayed.
>
> The URL which CAS is building is below and is not accessible:
>
> http://www.orcid.org/oauth/authorize*/*?client_id=APP-UPW3FFH08YVI6YUJ=%2Fauthenticate%2Fread-limited_type=code_uri=http%3A%2F%2Fidiv-dev1.inf-bb.uni-jena.de%3A8080%2Fcas%2Flogin%3Fclient_name%3Dorcid#show_login
>
>
> The URL below, after removing the /, is accessible:
>
> http://www.orcid.org/oauth/authorize?client_id=APP-UPW3FFH08YVI6YUJ=%2Fauthenticate%2Fread-limited_type=code_uri=http%3A%2F%2Fidiv-dev1.inf-bb.uni-jena.de%3A8080%2Fcas%2Flogin%3Fclient_name%3Dorcid#show_login
>
>
> Looking forward to your support on this.
>
>
> Thanks and Regards
> Neha Gupta
>
>
>
>
> On Wed, Jan 31, 2018 at 11:13 AM, Jérôme LELEU <lel...@gmail.com> wrote:
>
>> Hi,
>>
>> OK. So let's take problems in order:
>>
>> - regarding the AbstractMethodError error, it certainly comes from the
>> fact that you don't have the same version of pac4j-core and the other
>> pac4j-* modules (check that with a "mvn dependency:tree" or
>> "gradlew dependencies"). It should be 2.2.1 for all modules to use the
>> latest version.
>>
>> - regarding the Illegal key size error, either it comes from the key
>> size you use or from the fact you haven't installed the unlimited strength
>> policy for your JDK.
>>
>> We don't use the v2 API as I don't see any v2.0 text in the URL we use. I
>> remember taking a look at this integration, but it wasn't really easy to
>> test it. It might be easier with the version 2.
>>
>> Your contribution will be welcome.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Tue, Jan 30, 2018 at 1:36 PM, Neha Gupta <neha.1.gu...@gmail.com>
>> wrote:
>>
>>> Hello Jérôme,
>>>
>>> Thanks a lot for the update. I tried making changes in the file you
>>> suggested, but I am still not able to access the CAS login page after that, as CAS is
>>> throwing some error. Traces (CASTraces.txt) attached.
>>> Please help me on this.
>>>
>>> Also when I tried to package the complete pac4j package I am getting an
>>> error in JWT. Traces attached (Pac4jTraces.txt) for the same.
>>>
>>>
>>> Also I had a talk with the ORCID support team and here is the extract from
>>> the mail regarding the version:
>>>
>>>
>>>
>>> *By March 1st, all calls made to the Public API (using the pub.orcid.org
>>> <http://pub.orcid.org> domain) must use version 2.0 or 2.1; calls made
>>> using version 1.2 will return an error. If you are still using version 1.2
>>> you need to be planning your upgrade to version 2.0. On this page you can
>>> find the necessary changes to
>>> implement: https://members.orcid.org/api/news/xsd-20-update
>>> <https://members.orcid.org/api/news/xsd-20-update> *
>>>
>>>
>>> I don't know which version of the ORCID API CAS is using, so I just thought of
>>> sharing this information with you.
>>>
>>>
>>> Thanks and Regards
>>> Neha Gupta
>>>
>>> On Tue, Jan 23, 2018 at 11:28 AM, Jérôme LELEU <lel...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> In pac4j, you can set the scope of the Orcid client. It doesn't seem
>>>> possible within the CAS server:
>>>> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#orcid
>>>>
>>>> That said, this is easy to change: don't hesitate to submit a PR for
>>>> that in the CAS project.
>>>>
>>>> What would be the right default scope to change that in pac4j:
>>>> https://github.com/pac4j/pac4j/blob/master/pac4j-oaut
>>>> h

Re: [cas-user] Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.

2018-01-31 Thread Jérôme LELEU
Hi,

OK. So let's take problems in order:

- regarding the AbstractMethodError error, it certainly comes from the fact
that you don't have the same version of pac4j-core and the other pac4j-*
modules (check that with a "mvn dependency:tree" or
"gradlew dependencies"). It should be 2.2.1 for all modules to use the
latest version.

- regarding the Illegal key size error, either it comes from the key size
you use or from the fact you haven't installed the unlimited strength
policy for your JDK.

We don't use the v2 API as I don't see any v2.0 text in the URL we use. I
remember taking a look at this integration, but it wasn't really easy to
test it. It might be easier with the version 2.

Your contribution will be welcome.

Thanks.
Best regards,
Jérôme


On Tue, Jan 30, 2018 at 1:36 PM, Neha Gupta <neha.1.gu...@gmail.com> wrote:

> Hello Jérôme,
>
> Thanks a lot for the update. I tried making changes in the file you suggested,
> but I am still not able to access the CAS login page after that, as CAS is throwing
> some error. Traces (CASTraces.txt) attached.
> Please help me on this.
>
> Also when I tried to package the complete pac4j package I am getting an error
> in JWT. Traces attached (Pac4jTraces.txt) for the same.
>
>
> Also I had a talk with the ORCID support team and here is the extract from
> the mail regarding the version:
>
>
>
> *By March 1st, all calls made to the Public API (using the pub.orcid.org
> <http://pub.orcid.org> domain) must use version 2.0 or 2.1; calls made
> using version 1.2 will return an error. If you are still using version 1.2
> you need to be planning your upgrade to version 2.0. On this page you can
> find the necessary changes to
> implement: https://members.orcid.org/api/news/xsd-20-update
> <https://members.orcid.org/api/news/xsd-20-update> *
>
>
> I don't know which version of the ORCID API CAS is using, so I just thought of
> sharing this information with you.
>
>
> Thanks and Regards
> Neha Gupta
>
> On Tue, Jan 23, 2018 at 11:28 AM, Jérôme LELEU <lel...@gmail.com> wrote:
>
>> Hi,
>>
>> In pac4j, you can set the scope of the Orcid client. It doesn't seem
>> possible within the CAS server:
>> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#orcid
>>
>> That said, this is easy to change: don't hesitate to submit a PR for that
>> in the CAS project.
>>
>> What would be the right default scope to change that in pac4j:
>> https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/oauth/client/OrcidClient.java#L18 ?
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Mon, Jan 22, 2018 at 3:19 PM, Neha Gupta <neha.1.gu...@gmail.com>
>> wrote:
>>
>>> Hello Jérôme,
>>>
>>> I posted the reply last week but it seems it got lost somewhere. So I am posting it
>>> again:
>>>
>>> *ORCID: -*
>>> The problem seems to be with the scope. Please see the URL where the new scopes are
>>> described; I also had a talk with ORCID support and according to them the
>>> scope /orcid-profile belongs to an older version of the API. The current 2.1 API
>>> only supports the scopes mentioned in the link.
>>>
>>> https://members.orcid.org/api/oauth/orcid-scopes
>>>
>>> FACEBOOK: -
>>> After correctly defining the "App Domain" and "Site URL", delegation to
>>> Facebook started working.
>>>
>>>
>>> Thanks a lot for your support.
>>>
>>> Regards
>>> Neha Gupta
>>>
>>> On Tuesday, January 16, 2018 at 10:55:11 AM UTC+1, leleuj wrote:
>>>>
>>>> Hi,
>>>>
>>>> 1) Orcid
>>>>
>>>> The URL looks good: I would try another value for the scope. Have you
>>>> taken a look at the documentation?
>>>>
>>>> 2) Facebook
>>>>
>>>> I opened the Facebook console, and I see a "Facebook login" item in the
>>>> left menu with a "Parameters" submenu, in which you have several flags to
>>>> enable, especially "web OAuth connection": is this checked? There is also a
>>>> "redirection URL" input field you may need to fill, depending on the
>>>> version of your FB app.
>>>>
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> On Mon, Jan 15, 2018 at 2:43 PM, Neha Gupta <neha.1...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello Jérôme,
>>>>>
>>>>> Below i
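The two checks Jérôme describes above (one version for every pac4j-* module, and an unlimited-strength JCE policy when "Illegal key size" appears) can be run as a start-up self-test. This is an added example in plain Java, not CAS or pac4j code: the three pac4j class names are real, while the class name, the method names and the assumption that pac4j jars follow the Maven naming convention pac4j-<module>-<version>.jar are mine.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;

/**
 * Start-up self-check for the two failure modes discussed in the thread:
 *   1. AbstractMethodError: pac4j-core and the other pac4j-* jars differ in version;
 *   2. "Illegal key size": the JDK has no unlimited-strength JCE policy installed.
 *
 * Added example, not CAS or pac4j code. The jar naming convention
 * (pac4j-<module>-<version>.jar, the Maven default) is an assumption.
 */
public final class Pac4jEnvironmentCheck {

    /** One representative class per pac4j module mentioned in this thread. */
    private static final Map<String, String> MODULE_CLASSES = new LinkedHashMap<>();
    static {
        MODULE_CLASSES.put("pac4j-core", "org.pac4j.core.client.Clients");
        MODULE_CLASSES.put("pac4j-oauth", "org.pac4j.oauth.client.OrcidClient");
        MODULE_CLASSES.put("pac4j-saml", "org.pac4j.saml.client.SAML2Client");
    }

    /** Matches ".../pac4j-oauth-2.2.1.jar" and captures "2.2.1" (or "2.2.1-SNAPSHOT"). */
    private static final Pattern JAR_VERSION =
        Pattern.compile("pac4j-[a-z0-9]+-([0-9][^/]*?)\\.jar$");

    private Pac4jEnvironmentCheck() {
    }

    /** Version of the jar a class was loaded from, or null if unknown or not on the classpath. */
    static String jarVersionOf(final String className) {
        try {
            final Class<?> c = Class.forName(className);
            final CodeSource src = c.getProtectionDomain().getCodeSource();
            if (src == null) {
                return null;
            }
            final URL location = src.getLocation();
            final Matcher m = JAR_VERSION.matcher(location.getPath());
            return m.find() ? m.group(1) : null;
        } catch (ClassNotFoundException | SecurityException e) {
            return null;
        }
    }

    /** Module name to detected version; modules that are not on the classpath are omitted. */
    static Map<String, String> detectVersions() {
        final Map<String, String> found = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : MODULE_CLASSES.entrySet()) {
            final String v = jarVersionOf(e.getValue());
            if (v != null) {
                found.put(e.getKey(), v);
            }
        }
        return found;
    }

    /** True when every detected pac4j module reports the same version. */
    static boolean versionsConsistent(final Map<String, String> versions) {
        return versions.values().stream().distinct().count() <= 1;
    }

    /** True when AES is not capped at 128 bits, i.e. the unlimited-strength policy is active. */
    static boolean unlimitedCryptoAvailable() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES") > 128;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(final String[] args) {
        final Map<String, String> versions = detectVersions();
        System.out.println("pac4j modules on classpath: " + versions);
        if (versions.isEmpty()) {
            System.out.println("no pac4j jar found; run this on the CAS webapp classpath");
        } else if (!versionsConsistent(versions)) {
            System.out.println("MISMATCH: align all pac4j-* modules to one version (mvn dependency:tree)");
        } else {
            System.out.println("pac4j versions consistent");
        }
        System.out.println(unlimitedCryptoAvailable()
            ? "JCE unlimited strength available"
            : "JCE key size capped at 128 bits: install the unlimited strength policy for this JDK");
    }
}
```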

Re: [cas-user] Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.

2018-01-23 Thread Jérôme LELEU
Hi,

In pac4j, you can set the scope of the Orcid client. It doesn't seem
possible within the CAS server:
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#orcid

That said, this is easy to change: don't hesitate to submit a PR for that
in the CAS project.

What would be the right default scope to change that in pac4j:
https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/oauth/client/OrcidClient.java#L18 ?

Thanks.
Best regards,
Jérôme


On Mon, Jan 22, 2018 at 3:19 PM, Neha Gupta  wrote:

> Hello Jérôme,
>
> I posted the reply last week but it seems it got lost somewhere. So I am posting it
> again:
>
> *ORCID: -*
> The problem seems to be with the scope. Please see the URL where the new scopes are
> described; I also had a talk with ORCID support and according to them the
> scope /orcid-profile belongs to an older version of the API. The current 2.1 API
> only supports the scopes mentioned in the link.
>
> https://members.orcid.org/api/oauth/orcid-scopes
>
> FACEBOOK: -
> After correctly defining the "App Domain" and "Site URL", delegation to
> Facebook started working.
>
>
> Thanks a lot for your support.
>
> Regards
> Neha Gupta
>
> On Tuesday, January 16, 2018 at 10:55:11 AM UTC+1, leleuj wrote:
>>
>> Hi,
>>
>> 1) Orcid
>>
>> The URL looks good: I would try another value for the scope. Have you
>> taken a look at the documentation?
>>
>> 2) Facebook
>>
>> I opened the Facebook console, and I see a "Facebook login" item in the
>> left menu with a "Parameters" submenu, in which you have several flags to
>> enable, especially "web OAuth connection": is this checked? There is also a
>> "redirection URL" input field you may need to fill, depending on the
>> version of your FB app.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Mon, Jan 15, 2018 at 2:43 PM, Neha Gupta  wrote:
>>
>>> Hello Jérôme,
>>>
>>> Below is the update
>>>
>>> *ORCID: -*
>>>
>>> The URL which is getting called before is "http://www.orcid.org/oauth/authorize/?client_id=xxx=%2Forcid-profile%2Fread-limited_type=code_uri=https%3A%2F%2Fdesktop-d8r3ca4%3A8443%2Fcas%2Flogin%3Fclient_name%3Dorcid"
>>>
>>> After seeing the network calls it seems that 301 and 302 status codes are
>>> being thrown in response to the above URL.
>>>
>>> *FACEBOOK:- *
>>> In the Facebook app console I don't see any place for a callback URL. Only the fields
>>> shown in the attached snapshot are available.
>>>
>>>
>>> Thanks a lot for your support.
>>>
>>>
>>> Regards
>>> Neha Gupta
>>>
>>>
>>>
>>>
>>> On Friday, January 12, 2018 at 3:03:22 PM UTC+1, leleuj wrote:

>>>> Hi,
>>>>
>>>> Please don't output your id and secret in your emails!
>>>>
>>>> - Orcid:
>>>>
>>>> I think there is a URL called before the one given in the error
>>>> message, it should be something like http://www.orcid.org/oauth/authorize/xxx
>>>> (https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/scribe/builder/api/OrcidApi20.java#L20)
>>>>
>>>> Can you post it here?
>>>>
>>>> - Facebook:
>>>>
>>>> Are you sure you defined the callback URL: https://desktop-d8r3ca4:8443/cas/login?client_name=Facebook
>>>> in your Facebook app console?
>>>>
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> On Fri, Jan 12, 2018 at 10:57 AM, Neha Gupta wrote:

>>>>> Dear CAS people,
>>>>>
>>>>> Good morning!
>>>>>
>>>>> I am trying to delegate CAS authentication to Orcid and Facebook and
>>>>> as such created the war file after updating "pom.xml" and "cas.properties" as
>>>>> follows:
>>>>>
>>>>> *pom.xml*
>>>>>
>>>>> <dependency>
>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>     <artifactId>cas-server-support-pac4j-webflow</artifactId>
>>>>>     <version>5.2.0</version>
>>>>> </dependency>
>>>>>
>>>>> *cas.properties*
>>>>>
>>>>>  cas.authn.pac4j.orcid.id=xxx
>>>>>  cas.authn.pac4j.orcid.secret=yyy
>>>>>  cas.authn.pac4j.orcid.clientName=orcid
>>>>>
>>>>> and similarly given for Facebook as well, but when I try to do so
>>>>> I am getting an error with both Orcid and Facebook
>>>>>
>>>>> *Problem with ORCID: -*
>>>>>
>>>>> "There has been a problem with the server". If the problem persists please
>>>>> contact ORCID support. The URL which CAS is hitting is "
>>>>> https://orcid.org/signin?oauth#show_login; which seems
>>>>> a little weird to me. I already contacted the Orcid support group, but according
>>>>> to them there is no problem at their end and they asked me to look into the
>>>>> URL.
>>>>>
>>>>> *Problem with Facebook: -*
>>>>>
>>>>> "Sorry something went wrong"*. *The URL which CAS is hitting is
>>>>> "https://www.facebook.com/v2.8/dialog/oauth?response_type=code_id=476366362744200_uri=https%3A%2F%2Fdesktop-d8r3ca4%3A8443%2Fcas%2Flogin%3Fclient_name%3DFacebook=email%2Cuser_likes%2Cuser_about_me%2Cuser_birthday%2Cuser_education_history%2Cuser_hometown%2Cuser_relationship_details%2Cuser_location%2Cuser_religion_politics%2Cuser_relationships%2Cuser_work_
>>>>> 

Re: [cas-user] Steam OpenId2 auth

2018-01-22 Thread Jérôme LELEU
And feel free to contribute your Steam client to the pac4j project if you
have time...

On Fri, Jan 19, 2018 at 8:47 PM, FritzTheWonderMutt <
fritzthewonderm...@gmail.com> wrote:

> The one with your name on it? ;D
>
> You're right, that's a much better place for it.
> Thanks.
>


Re: [cas-user] Steam OpenId2 auth

2018-01-19 Thread Jérôme LELEU
OK. I guess you could have achieved the same result with a specific pac4j
ProfileDefinition configuration...

On Thu, Jan 18, 2018 at 6:12 PM, FritzTheWonderMutt <
fritzthewonderm...@gmail.com> wrote:

> That's just the way Steam returns the steamId per their doc:
> https://partner.steamgames.com/doc/features/auth#website
>
> So at some point you'd need to strip it off the end. I ended up extending
> ClientAuthenticationHandler to do some extra work so I pull out the steamId
> there.
>


Re: [cas-user] Steam OpenId2 auth

2018-01-18 Thread Jérôme LELEU
Hi,

I guess it depends on the way you built your SteamOpenIdClient, but in
pac4j you can control which attribute is used for the identifier.
Thanks.
Best regards,
Jérôme


On Wed, Jan 17, 2018 at 11:30 PM, FritzTheWonderMutt <
fritzthewonderm...@gmail.com> wrote:

> This works:
>
> // Fragment of a Spring @Configuration class in the CAS overlay; the
> // servicesManager field and the SteamOpenIdClient class live elsewhere.
> @Autowired
> Clients builtClients;
>
> // Register the custom client once the pac4j Clients bean has been built.
> @PostConstruct
> public void addSteamOpenIdClient() {
>     builtClients.getClients().add(new SteamOpenIdClient());
>     builtClients.reinit();
> }
>
> @Bean
> public AuthenticationHandler openIDAuthenticationHandler(final AuthenticationEventExecutionPlan plan) {
>     final ClientAuthenticationHandler handler = new ClientAuthenticationHandler(
>         "OpenIdClientAuthHandler", servicesManager, new DefaultPrincipalFactory(), builtClients);
>     plan.registerAuthenticationHandler(handler);
>     return handler;
> }
>
>
> But it does return the whole URL as the ID, so you'll have to pull out the
> SteamId from the end:
>
> 01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - clientCredentials  [org.apereo.cas.authentication.principal.ClientCredential@3a86ccf3[id=]]
> 01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - clientName: [SteamOpenIdClient]
> 01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - client: [#SteamOpenIdClient# | name: SteamOpenIdClient | callbackUrl: https://auth-test.daybreakgames.com/login?client_name=SteamOpenIdClient | urlResolver: org.pac4j.core.http.DefaultUrlResolver@281e917c | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@5079ce36 | includeClientNameInCallbackUrl: true | redirectActionBuilder: com.dgc.plat.cas.steam.SteamRedirectActionBuilder@42012006 | credentialsExtractor: com.dgc.plat.cas.steam.SteamCredentialsExtractor@588ce794 | authenticator: com.dgc.plat.cas.steam.SteamAuthenticator@4451888 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1ad37e48 | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@51196c04 | authorizationGenerators: [] |]
> 01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - userProfile: [#SteamOpenIdProfile# | id: http://steamcommunity.com/openid/id/1234567890 | attributes: {} | roles: [] | permissions: [] | isRemembered: false | clientName: SteamOpenIdClient | linkedId: null |]
> 01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Authentication handler [OpenIdClientAuthHandler] successfully authenticated [org.apereo.cas.authentication.principal.ClientCredential@3a86ccf3[id=http://steamcommunity.com/openid/id/1234567890]]
> 01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - No principal resolution is configured for [OpenIdClientAuthHandler]. Falling back to handler principal [http://steamcommunity.com/openid/id/1234567890]
> 01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Final principal resolved for this authentication event is [http://steamcommunity.com/openid/id/1234567890]
> 01-17 14:22:39 DEBUG policy.AnyAuthenticationPolicy - Authentication policy is satisfied having found at least one authentication transactions
> 01-17 14:22:39 INFO  authentication.AbstractAuthenticationManager - Authenticated principal [http://steamcommunity.com/openid/id/1234567890] with attributes [{}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@3a86ccf3[id=http://steamcommunity.com/openid/id/1234567890]]].
> 01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Invoking authentication metadata populators for authentication transaction
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/edc77f19-4b1f-4e06-86c2-
> cd009dcff0a2%40apereo.org
> 
> .
>



Re: [cas-user] Steam OpenId2 auth

2018-01-17 Thread Jérôme LELEU
Hi,

Can you do some debugging in the ClientAuthenticationHandler to see how the
login process finishes?

Thanks.
Best regards,
Jérôme


On Fri, Jan 12, 2018 at 11:17 PM, FritzTheWonderMutt <
fritzthewonderm...@gmail.com> wrote:

>
> You are my new hero!
> A few things to note...
> You have to call reinit() on the builtClients after you add the new
> client. It looks like this:
>
> import javax.annotation.PostConstruct;
> import org.pac4j.core.client.Clients;
> import org.springframework.beans.factory.annotation.Autowired;
>
> @Autowired
> private Clients builtClients;
>
> // Add the client to the already-built pac4j Clients bean, then reinit()
> // so the new client is initialised together with the existing ones.
> @PostConstruct
> public void addSteamOpenIdClient() {
>     builtClients.getClients().add(new SteamOpenIdClient());
>     builtClients.reinit();
> }
>
> The SteamOpenIdClient and supporting code are a straight one-to-one rip-off
> of the old YahooOpenIdClient in the pac4j-openid project with the following
> exception.
> The RedirectActionBuilder gets the Steam endpoint and you turn off
> association attempts and attribute data fetch per this discussion:
> https://github.com/jbufu/openid4java/issues/192
>
> Looks like this:
>
> import java.util.List;
>
> import org.openid4java.OpenIDException;
> import org.openid4java.discovery.DiscoveryInformation;
> import org.openid4java.message.AuthRequest;
> import org.pac4j.core.context.WebContext;
> import org.pac4j.core.exception.HttpAction;
> import org.pac4j.core.exception.TechnicalException;
> import org.pac4j.core.redirect.RedirectAction;
> import org.pac4j.core.redirect.RedirectActionBuilder;
> import org.pac4j.core.util.CommonHelper;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> public class SteamRedirectActionBuilder implements RedirectActionBuilder {
>
>     private static final Logger logger = LoggerFactory.getLogger(SteamRedirectActionBuilder.class);
>
>     // Steam's OpenID 2.0 provider URL; discovery on it yields the login endpoint
>     private static final String STEAM_OPENID_ENDPOINT = "https://steamcommunity.com/openid/";
>
>     private final SteamOpenIdClient client;
>
>     public SteamRedirectActionBuilder(final SteamOpenIdClient client) {
>         CommonHelper.assertNotNull("client", client);
>         this.client = client;
>     }
>
>     @Override
>     @SuppressWarnings("unchecked")
>     public RedirectAction redirect(final WebContext context) throws HttpAction {
>         try {
>             // perform discovery on the fixed Steam provider URL (the user never types an identifier)
>             final List<DiscoveryInformation> discoveries =
>                 this.client.getConsumerManager().discover(STEAM_OPENID_ENDPOINT);
>
>             // turn off association attempts (see the openid4java discussion linked above);
>             // the consumer then verifies assertions statelessly via check_authentication
>             this.client.getConsumerManager().setMaxAssocAttempts(0);
>             final DiscoveryInformation discoveryInformation =
>                 this.client.getConsumerManager().associate(discoveries);
>
>             // save discovery information in the session; it is needed to verify the response
>             context.setSessionAttribute(
>                 this.client.getDiscoveryInformationSessionAttributeName(), discoveryInformation);
>
>             // create the authentication request to be sent to the OpenID provider;
>             // no attribute fetch extension is added for Steam
>             final AuthRequest authRequest = this.client.getConsumerManager().authenticate(
>                 discoveryInformation, this.client.computeFinalCallbackUrl(context));
>
>             final String redirectionUrl = authRequest.getDestinationUrl(true);
>             logger.debug("redirectionUrl: {}", redirectionUrl);
>             return RedirectAction.redirect(redirectionUrl);
>         } catch (final OpenIDException e) {
>             throw new TechnicalException("OpenID exception", e);
>         }
>     }
> }
>
>
> Add steam to the loginProviders.html template fragment...
> 
>
> And that will get you a button on the login page that will send you
> through the Steam auth flow.
>
> *Next Problem:*
> When you return to CAS from Steam all the OpenId auth works correctly, but
> authentication fails. I think CAS doesn't know what to do with an
> OpenIdCredentials maybe? The actual SteamId is at the end of the
> openid.claimed_id field.
>
> 01-12 13:07:39 DEBUG flow.DelegatedClientAuthenticationAction - Retrieved
> credentials: [#OpenIdCredentials# | discoveryInformation: OpenID2
> OP-endpoint:https://steamcommunity.com/openid/login
> ClaimedID:null
> Delegate:null | parameterList: client_name:SteamOpenIdClient
> openid.ns:http://specs.openid.net/auth/2.0
> openid.mode:id_res
> openid.op_endpoint:https://steamcommunity.com/openid/login
> openid.claimed_id:http://steamcommunity.com/openid/id/1234123412341234
> openid.identity:http://steamcommunity.com/openid/id/1234123412341234
> openid.return_to:https://auth-test.daybreakgames.com/login?
> client_name=SteamOpenIdClient
> openid.response_nonce:2018-01-12T21:07:18ZcPA3u0qpRI9mztuzYk/0SRwwTUU=
> openid.assoc_handle:1234567890
> openid.signed:signed,op_endpoint,claimed_id,identity,
> return_to,response_nonce,assoc_handle
> openid.sig:g5gKyXlD+B+Vd4k58VulQPlLYzk=
>  | clientName: SteamOpenIdClient |]
> 01-12 13:07:39 DEBUG flow.DelegatedClientAuthenticationAction - Retrieve
> service: [null]
> 01-12 13:07:39 WARN  authentication.PolicyBasedAuthenticationManager -
> Authentication has failed. Credentials may be incorrect or CAS cannot find
> authentication handler that supports [org.apereo.cas.
> authentication.principal.ClientCredential@752bf076[id=]] of type
> [ClientCredential], which suggests a configuration problem.
>
>
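For anyone following this thread, here is an added example (mine, not code from the thread, from pac4j or from openid4java) of the checks a relying party should run on the `openid.*` parameters of an `id_res` response like the one logged above before the `claimed_id` is turned into a principal: the OpenID 2.0 return_to, discovered-information, nonce and signed-field checks from section 11 of the spec, plus extraction of the trailing SteamID. It uses only the JDK; the class and method names are my own, and the sample parameters in `main` are copied from the redacted response posted earlier in this thread (the SteamID, nonce and signature there are placeholders). Signature verification itself is deliberately not done here: Steam runs without associations, so in the real flow openid4java's `ConsumerManager.verify()` still has to do the `check_authentication` round-trip to the provider.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Structural checks (OpenID 2.0 spec, section 11) on a Steam id_res assertion.
 * Hypothetical helper written for this thread; signature verification is left
 * to openid4java's ConsumerManager.verify() (check_authentication for Steam).
 */
public final class SteamAssertionChecker {

    // OP endpoint as it appears in openid.op_endpoint of the logged response
    static final String STEAM_OP_ENDPOINT = "https://steamcommunity.com/openid/login";

    // claimed_id / identity shape: the SteamID is the trailing path segment
    static final Pattern STEAM_ID_PATTERN =
        Pattern.compile("^https?://steamcommunity\\.com/openid/id/(\\d+)$");

    // Fields that must be covered by openid.signed (spec 11.4)
    static final List<String> REQUIRED_SIGNED = Arrays.asList(
        "op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity");

    private final String expectedReturnTo;
    private final Duration maxNonceAge;
    private final Set<String> seenNonces = new HashSet<>(); // replay cache, in-memory for the example

    public SteamAssertionChecker(String expectedReturnTo, Duration maxNonceAge) {
        this.expectedReturnTo = expectedReturnTo;
        this.maxNonceAge = maxNonceAge;
    }

    /** Returns the SteamID carried by the assertion, or throws if any check fails. */
    public String check(Map<String, String> p, Instant now) {
        require("id_res".equals(p.get("openid.mode")), "mode is not id_res");
        require("http://specs.openid.net/auth/2.0".equals(p.get("openid.ns")), "not an OpenID 2.0 response");
        require(STEAM_OP_ENDPOINT.equals(p.get("openid.op_endpoint")), "unexpected op_endpoint");
        // 11.1: the assertion must be bound to our own callback URL
        require(expectedReturnTo.equals(p.get("openid.return_to")), "return_to does not match our callback");
        // 11.4: every field we rely on must be inside the signed list
        Set<String> signed = new HashSet<>(Arrays.asList(p.getOrDefault("openid.signed", "").split(",")));
        for (String f : REQUIRED_SIGNED) {
            require(signed.contains(f), "field not covered by signature: " + f);
        }
        require(p.get("openid.sig") != null && !p.get("openid.sig").isEmpty(), "missing signature");
        // 11.2: claimed_id and identity must agree and be an identifier Steam is authoritative for
        String claimedId = p.get("openid.claimed_id");
        require(claimedId != null && claimedId.equals(p.get("openid.identity")), "claimed_id/identity mismatch");
        Matcher m = STEAM_ID_PATTERN.matcher(claimedId);
        require(m.matches(), "claimed_id is not a Steam identifier: " + claimedId);
        // 11.3: nonce must be fresh and never seen before
        checkNonce(p.get("openid.response_nonce"), now);
        return m.group(1);
    }

    private void checkNonce(String nonce, Instant now) {
        require(nonce != null && nonce.length() >= 20, "missing or malformed response_nonce");
        Instant issued;
        try {
            issued = Instant.parse(nonce.substring(0, 20)); // e.g. "2018-01-12T21:07:18Z"
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("OpenID assertion rejected: response_nonce has no timestamp prefix");
        }
        require(!issued.isAfter(now.plus(Duration.ofMinutes(5))), "response_nonce is from the future");
        require(Duration.between(issued, now).compareTo(maxNonceAge) <= 0, "response_nonce is too old");
        // nonces are unique per OP endpoint: a second assertion with the same nonce is a replay
        require(seenNonces.add(STEAM_OP_ENDPOINT + "|" + nonce), "response_nonce already used (replay)");
    }

    private static void require(boolean ok, String msg) {
        if (!ok) throw new IllegalArgumentException("OpenID assertion rejected: " + msg);
    }

    public static void main(String[] args) {
        // Constructed sample copied from the redacted id_res response posted in this thread
        Map<String, String> p = new LinkedHashMap<>();
        p.put("openid.ns", "http://specs.openid.net/auth/2.0");
        p.put("openid.mode", "id_res");
        p.put("openid.op_endpoint", "https://steamcommunity.com/openid/login");
        p.put("openid.claimed_id", "http://steamcommunity.com/openid/id/1234123412341234");
        p.put("openid.identity", "http://steamcommunity.com/openid/id/1234123412341234");
        p.put("openid.return_to", "https://auth-test.daybreakgames.com/login?client_name=SteamOpenIdClient");
        p.put("openid.response_nonce", "2018-01-12T21:07:18ZcPA3u0qpRI9mztuzYk/0SRwwTUU=");
        p.put("openid.assoc_handle", "1234567890");
        p.put("openid.signed", "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle");
        p.put("openid.sig", "g5gKyXlD+B+Vd4k58VulQPlLYzk=");

        SteamAssertionChecker checker = new SteamAssertionChecker(
            "https://auth-test.daybreakgames.com/login?client_name=SteamOpenIdClient", Duration.ofMinutes(10));
        Instant now = Instant.parse("2018-01-12T21:07:40Z");
        System.out.println("SteamID = " + checker.check(p, now));
        try {
            checker.check(p, now); // same nonce presented again
        } catch (IllegalArgumentException replay) {
            System.out.println(replay.getMessage());
        }
    }
}
```

In a CAS deployment these checks would sit in the client's Authenticator, after openid4java has verified the signature and before the SteamID is handed to CAS as the principal id; the in-memory nonce set would need to be shared across nodes (the ticket registry, for instance) for a clustered install.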

Re: [cas-user] Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.

2018-01-16 Thread Jérôme LELEU
Hi,

1) Orcid

The URL looks good: I would try another value for the scope. Have you taken
a look at the documentation?

2) Facebook

I opened the Facebook console, and I see a "Facebook login" item in the
left menu with a "Parameters" submenu, in which you have several flags to
enable, especially "web OAuth connection": is this checked? There is also a
"redirection URL" input field you may need to fill, depending on the
version of your FB app.

Thanks.
Best regards,
Jérôme


On Mon, Jan 15, 2018 at 2:43 PM, Neha Gupta  wrote:

> Hello Jérôme,
>
> Below is the update
>
> *ORCID: -*
>
> The URL which is getting called before is "http://www.orcid.org/oauth/
> authorize/?client_id=xxx=%2Forcid-profile%2Fread-
> limited_type=code_uri=https%3A%2F%
> 2Fdesktop-d8r3ca4%3A8443%2Fcas%2Flogin%3Fclient_name%3Dorcid"
>
> After looking at the network calls it seems that 301 and 302 status codes are
> being returned in response to the above URL.
>
> *FACEBOOK:- *
> In the Facebook app console I don't see any place for a callback URL. Only
> the fields shown in the attached snapshot are available.
>
>
> Thanks a lot for your support.
>
>
> Regards
> Neha Gupta
>
>
>
>
> On Friday, January 12, 2018 at 3:03:22 PM UTC+1, leleuj wrote:
>>
>> Hi,
>>
>> Please don't output your id and secret in your emails!
>>
>> - Orcid:
>>
>> I think there is a URL called before the one given in the error message,
>> it should be something like http://www.orcid.org/oauth/authorize/xxx (
>> https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/
>> pac4j/scribe/builder/api/OrcidApi20.java#L20)
>>
>> Can you post it here?
>>
>> - Facebook:
>>
>> Are you sure you defined the callback URL: https://desktop-d8r3ca4:8
>> 443/cas/login?client_name=Facebook in your Facebook app console?
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Fri, Jan 12, 2018 at 10:57 AM, Neha Gupta  wrote:
>>
>>> Dear CAS people,
>>>
>>> Good morning!
>>>
>>> I am trying to delegate CAS authentication to Orcid and Facebook and as
>>> such created a war file after updating "pom.xml" and "cas.properties" as
>>> follows:
>>>
>>> *pom.xml*
>>>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-pac4j-webflow</artifactId>
>>>     <version>5.2.0</version>
>>> </dependency>
>>>
>>>
>>> *cas.properties*
>>>
>>>  cas.authn.pac4j.orcid.id=xxx
>>>  cas.authn.pac4j.orcid.secret=yyy
>>>  cas.authn.pac4j.orcid.clientName=orcid
>>>
>>> and similarly for Facebook as well, but when I try to do so I get errors
>>> with both Orcid and Facebook.
>>>
>>> *Problem with ORCID: -*
>>>
>>> "There has been a problem with the server". If problem persists please
>>> contact ORCID support. The URL which CAS is hitting is
>>> "https://orcid.org/signin?oauth#show_login", which seems a little
>>> weird to me. I already contacted the Orcid support group but according to them
>>> there is no problem at their end and they asked me to look into the URL.
>>>
>>> *Problem with Facebook: -*
>>>
>>> "Sorry something went wrong". The URL which CAS is hitting is
>>> "https://www.facebook.com/v2.8/dialog/oauth?response_type=co
>>> de_id=476366362744200_uri=https%3A%2F%
>>> 2Fdesktop-d8r3ca4%3A8443%2Fcas%2Flogin%3Fclient_name%
>>> 3DFacebook=email%2Cuser_likes%2Cuser_about_me%2Cuser_
>>> birthday%2Cuser_education_history%2Cuser_hometown%
>>> 2Cuser_relationship_details%2Cuser_location%2Cuser_
>>> religion_politics%2Cuser_relationships%2Cuser_work_
>>> history%2Cuser_website%2Cuser_photos%2Cuser_events%2Cuser_
>>> actions.music%2Cbadscope=2fb5c80427"
>>> 
>>>
>>>
>>> I request you to please look into the matter and let me know in case
>>> some configuration is missing.
>>>
>>> Wish you a nice weekend.
>>>
>>>
>>> Thanks and Regards
>>>
>>> Neha Gupta
>>>

Re: [cas-user] Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.

2018-01-12 Thread Jérôme LELEU
Hi,

Please don't output your id and secret in your emails!

- Orcid:

I think there is a URL called before the one given in the error message,
it should be something like http://www.orcid.org/oauth/authorize/xxx (
https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/scribe/builder/api/OrcidApi20.java#L20
)

Can you post it here?

- Facebook:

Are you sure you defined the callback URL:
https://desktop-d8r3ca4:8443/cas/login?client_name=Facebook in your
Facebook app console?

Thanks.
Best regards,
Jérôme


On Fri, Jan 12, 2018 at 10:57 AM, Neha Gupta  wrote:

> Dear CAS people,
>
> Good morning!
>
> I am trying to delegate CAS authentication to Orcid and Facebook and as
> such created a war file after updating "pom.xml" and "cas.properties" as
> follows:
>
> *pom.xml*
>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-pac4j-webflow</artifactId>
>     <version>5.2.0</version>
> </dependency>
>
>
> *cas.properties*
>
>  cas.authn.pac4j.orcid.id=xxx
>  cas.authn.pac4j.orcid.secret=yyy
>  cas.authn.pac4j.orcid.clientName=orcid
>
> and similarly for Facebook as well, but when I try to do so I get errors
> with both Orcid and Facebook.
>
> *Problem with ORCID: -*
>
> "There has been a problem with the server". If problem persists please
> contact ORCID support. The URL which CAS is hitting is
> "https://orcid.org/signin?oauth#show_login", which seems a little
> weird to me. I already contacted the Orcid support group but according to them
> there is no problem at their end and they asked me to look into the URL.
>
> *Problem with Facebook: -*
>
> "Sorry something went wrong". The URL which CAS is hitting is
> "https://www.facebook.com/v2.8/dialog/oauth?response_type=code_id=
> 476366362744200_uri=https%3A%2F%2Fdesktop-d8r3ca4%
> 3A8443%2Fcas%2Flogin%3Fclient_name%3DFacebook=email%
> 2Cuser_likes%2Cuser_about_me%2Cuser_birthday%2Cuser_
> education_history%2Cuser_hometown%2Cuser_relationship_
> details%2Cuser_location%2Cuser_religion_politics%
> 2Cuser_relationships%2Cuser_work_history%2Cuser_website%
> 2Cuser_photos%2Cuser_events%2Cuser_actions.music%
> 2Cbadscope=2fb5c80427"
> 
>
>
> I request you to please look into the matter and let me know in case some
> configuration is missing.
>
> Wish you a nice weekend.
>
>
> Thanks and Regards
>
> Neha Gupta
>


