Re: [cas-user] CAS accessibility to people with disabilities

2023-08-04 Thread 'Richard Frovarp' via CAS Community
On Fri, 2023-08-04 at 02:52 -0700, Jean-Paul JORDA wrote:
Hi,
We use Apereo CAS for our applications, but unfortunately the login page is not 
accessible to people with disabilities. That's a problem for these people of 
course, and what's more we are bound by law to provide accessible web sites 
(WCAG A and AA criteria).
Is there any plan to improve CAS in this area?
If needed, we may provide audit results, help to test, HTML templates and bits 
of (S)CSS, but we are poor Java developers.

Thanks !
Jean-Paul

Audit results are probably important to help highlight what the problem is and 
where it is. The actual layout is driven by a bunch of HTML templates, that one 
can typically update without being a Java dev or really knowing the internals 
of CAS. Most installations are going to customize a lot of it to make the login 
page look more like a page for their campus. Additionally, a lot of the page 
can vary depending on what CAS options you have enabled. So testing on my login 
page can have very different results than the default one or another campus' 
customized one.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/829b2cf7281deee4c21ec6ede3cd7e081c3cf0a6.camel%40ndsu.edu.


Re: [cas-user] ERROR CAS 6.1 SAML IDP GOOGLE

2023-07-27 Thread 'Richard Frovarp' via CAS Community

Typically the helpful bit in a long stack like this is at the end.


Error:
    Caused by: java.net.MalformedURLException: no protocol: login.unila.ac.id/cas
        at java.base/java.net.URL.<init>(URL.java:627)
        at java.base/java.net.URL.<init>(URL.java:523)
        at java.base/java.net.URL.<init>(URL.java:470)
        at org.apereo.cas.config.SamlIdPMetadataConfiguration.samlSelfSignedCertificateWriter(SamlIdPMetadataConfiguration.java:154)
        at org.apereo.cas.config.SamlIdPMetadataConfiguration$$EnhancerBySpringCGLIB$$150398bf.CGLIB$samlSelfSignedCertificateWriter$3()
        at org.apereo.cas.config.SamlIdPMetadataConfiguration$$EnhancerBySpringCGLIB$$150398bf$$FastClassBySpringCGLIB$$4511572f.invoke()
        at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244)
        at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:363)
        at org.apereo.cas.config.SamlIdPMetadataConfiguration$$EnhancerBySpringCGLIB$$150398bf.samlSelfSignedCertificateWriter()
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
        ... 111 more



So you are missing the protocol (https://) bit from that value. Digging 
through the code, that comes from:


val url = new URL(casProperties.getServer().getPrefix());

In my CAS config I have:

cas.server.prefix=${cas.server.name}/cas

which is what it is trying to read.

I then have:

cas.server.name=https://.ndsu.edu


So look in that area of your config to add the protocol. Obligatory note 
that 6.1 is old and you should upgrade.




[cas-user] REST attribute resolution and filtering

2023-07-21 Thread 'Richard Frovarp' via CAS Community
I am trying to retrieve one specific attribute from a REST end point. I 
have it connecting to it. However, I only have one service that should 
get this attribute, and thus I only need to connect to the REST 
attribute store for that one service. How do I configure this in my 
service definition? I don't see anything in the REST attribute store 
documentation indicating how we tell CAS what attributes to get from it. 
I'm on 6.6.


Thanks,

Richard



[cas-user] Public workstation functionality doesn't work with Duo Universal Prompt

2023-06-13 Thread 'Richard Frovarp' via CAS Community
I have two otherwise identically configured CAS configurations, both on 
6.6.6. Both are configured to use Duo, and both of them have the public 
workstation checkbox in the login form. The only difference between the 
two is that one uses the iframe Duo integration and one uses the 
Universal Prompt. The one using iframe will enforce the public 
workstation checkbox when checked by asking for creds again on the 
second service. The one using Universal Prompt won't.


Richard



Re: [cas-user] Re: CAS Client help

2023-03-28 Thread 'Richard Frovarp' via CAS Community
APIs are handled differently from SPAs. You probably need to look at the CAS 
REST protocol? https://apereo.github.io/cas/6.6.x/protocol/REST-Protocol.html

I would put APIs behind an API gateway. Conceptually they are the same thing as 
CAS + AD, but specifically designed for API calls, especially from background 
processes.

On Fri, 2023-03-24 at 16:13 -0700, Pablo Vidaurri wrote:
So how did you handle this? I too have APIs behind CAS ... which is causing 
problems of its own.

On Tuesday, November 22, 2022 at 10:56:47 PM UTC-6 Michael Remijan wrote:
Hello user community,

I am looking for some information on a CAS client and I haven’t been able to 
find it anywhere online.

All CAS Client references I’ve found have been for configuring a Web App so that 
user login integrates with CAS for authentication. Unfortunately, this is not 
what I need.

I have a REST API endpoint I need to integrate with in a headless/background 
process kind of way.  Basic data integration stuff…periodically call the API 
throughout the day, get the data, process data.  So I need an example of this 
kind of integration…having a background process pass the CAS authentication 
server what it needs to authenticate the request in a non-interactive, headless 
manner so my process can integrate with a REST API.

Any examples like this exist?  Any help would be appreciated.

Mike



Re: [cas-user] Install CAS on Ubuntu (implement SSO system using OpenLDAP)

2023-03-23 Thread 'Richard Frovarp' via CAS Community
Not sure why that isn't starting up. I launch it differently with a java 
-jar command. Good resource for getting going:


https://fawnoos.com/2022/03/04/cas65-gettingstarted-overlay/

That is for 6.5, but I think everything holds for 6.6. It also has 
different instructions for launching.



On 3/23/23 04:56, Jasmine Bui wrote:

Hi there,
I'm a newbie. I'm installing CAS - WAR Overlay using CAS Initializr 
following the instructions at: 
https://github.com/vieiro/cas-initializr. When I get to the step 
./gradlew :app:bootRun, I encountered the error shown in the image 
below. Can you help me troubleshoot this?


By the way, could you suggest to me how to implement an SSO system 
using OpenLDAP on Ubuntu with CAS? I still don't have a clear 
direction. I would really appreciate it if you could provide me with 
some instructional materials on configuring the system. For example, 
"Installing CAS on Ubuntu", "Integrating CAS with OpenLDAP", or 
"Building an SSO system using CAS".

Thank you for your time and I look forward to hearing back from you soon.

Best regards,




Re: [cas-user] Duo Universal Prompt behind proxy

2023-03-08 Thread 'Richard Frovarp' via CAS Community

On 3/8/23 12:59, 'Richard Frovarp' via CAS Community wrote:
On CAS 6.6.6 and using the Duo Universal Prompt, it is exposing my 
internal hostname, rather than the load balancer. It's not clear to me 
why this is happening. It is also not clear to me what the correct 
configuration options are for a load balanced CAS with respect to 
hostname / proxy configuration. Any suggestions?


Thanks,

Richard

And I can answer my own question. You need to set: cas.server.name to 
https://


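Both the 6.1 MalformedURLException thread and the Duo proxy thread above come down to what cas.server.name resolves to. The pre-flight check below is an added example, not CAS code or anything posted in either thread: it reads a Java properties file, expands ${...} placeholders the way cas.server.prefix=${cas.server.name}/cas is expanded, and fails if the result has no scheme, is not https, or does not name the public host that users (and Duo) should see. The sample files, hostnames and the expected-host argument are all constructed.

```shell
#!/bin/sh
# Added example (not CAS code): pre-flight check of cas.server.name / cas.server.prefix.
# A missing scheme should fail here, not as a MalformedURLException deep inside
# SamlIdPMetadataConfiguration at startup.

# prop FILE KEY: value of KEY in a Java .properties file (last definition wins).
prop() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep "^[[:space:]]*${key_re}[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' | tr -d '\r'
}

# resolve FILE VALUE: expand ${other.key} placeholders from the same file, the way
# cas.server.prefix=${cas.server.name}/cas is expanded. Fails on unknown keys.
resolve() {
    file="$1"; value="$2"; n=0
    while ph=$(printf '%s' "$value" | sed -n 's/.*\${\([^}]*\)}.*/\1/p'); [ -n "$ph" ]; do
        n=$((n + 1))
        [ "$n" -le 10 ] || { echo "placeholder loop while resolving: $value" >&2; return 1; }
        sub=$(prop "$file" "$ph")
        [ -n "$sub" ] || { echo "unresolved placeholder \${$ph} in: $value" >&2; return 1; }
        value=$(printf '%s' "$value" | sed "s|\\\${$ph}|$sub|")
    done
    printf '%s\n' "$value"
}

# check_cas_server_name FILE PUBLIC_HOST
# Exit status: 0 ok, 1 no scheme (the "no protocol" case), 2 http instead of https,
# 3 unresolvable placeholder, 4 hostname is not the public load-balancer name.
check_cas_server_name() {
    file="$1"; public_host="$2"
    prefix=$(resolve "$file" "$(prop "$file" cas.server.prefix)") || return 3
    case "$prefix" in
        https://*) ;;
        http://*)  echo "FAIL: cas.server.prefix is http, not https: $prefix"; return 2 ;;
        *)         echo "FAIL: no protocol in cas.server.prefix: $prefix"; return 1 ;;
    esac
    host=${prefix#https://}; host=${host%%/*}; host=${host%%:*}
    if [ "$host" != "$public_host" ]; then
        echo "FAIL: CAS would advertise $host, not $public_host (this is what Duo and SAML metadata see)"
        return 4
    fi
    echo "OK: $prefix"
}

# Constructed sample configs (not from the thread): correct, missing the scheme
# as in the 6.1 report, and pointing at an internal node instead of the balancer.
GOOD=$(mktemp); BAD=$(mktemp); INTERNAL=$(mktemp)
trap 'rm -f "$GOOD" "$BAD" "$INTERNAL"' EXIT
cat > "$GOOD" <<'EOF'
cas.server.name=https://cas.example.edu
cas.server.prefix=${cas.server.name}/cas
EOF
cat > "$BAD" <<'EOF'
cas.server.name=login.example.edu
cas.server.prefix=${cas.server.name}/cas
EOF
cat > "$INTERNAL" <<'EOF'
cas.server.name=https://cas-node1.internal.example.edu:8443
cas.server.prefix=${cas.server.name}/cas
EOF

for f in "$GOOD" "$BAD" "$INTERNAL"; do
    check_cas_server_name "$f" cas.example.edu || echo "   (exit status $?)"
done
```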


[cas-user] Duo Universal Prompt behind proxy

2023-03-08 Thread 'Richard Frovarp' via CAS Community
On CAS 6.6.6 and using the Duo Universal Prompt, it is exposing my 
internal hostname, rather than the load balancer. It's not clear to me 
why this is happening. It is also not clear to me what the correct 
configuration options are for a load balanced CAS with respect to 
hostname / proxy configuration. Any suggestions?


Thanks,

Richard



Re: [cas-user] SAML IdP keys and metadata problems

2023-01-09 Thread 'Richard Frovarp' via CAS Community
Ideally it would generate the metadata when it can't find that, and leave the 
keys alone. Not a whole lot changes between versions as far as the idp metadata 
is concerned, but it would be nice if it could generate it when needed.

Even with it generated with the git metadata bit commented out in the 
build.gradle file, I still get the exception when I add it back. The repo is 
initialized and checked out. It's also set in CAS to not get updates and not 
get IdP metadata. My setup is less than ideal, as the config area is owned by 
the user I'm running CAS as at the moment, so it has all of the write 
permissions it needs. So I think it is a bug. I don't see where one can submit 
bugs.

Richard

On Mon, 2023-01-09 at 17:42, Ray Bon wrote:
Richard,

Cas only generates the metadata and keys if it can not find them. You can 
always swap in your metadata and keys to whatever location cas thinks is 
correct.
Not sure about the exception. Perhaps it is missing something related to git; 
path, write permissions, initialized repo, etc.

Ray


On Fri, 2023-01-06 at 15:42 -0600, 'Richard Frovarp' via CAS Community wrote:


I'm having two different problems related to SAML 2 keys and metadata on
6.6.3.

If I have org.apereo.cas:cas-server-support-saml-idp-metadata-git
enabled, I get an NPE when trying to access the metadata URL. I have
enforced the default false flag to indicate that the IdP metadata
shouldn't expect to be found in there. The NPE isn't very helpful:

2023-01-06 15:34:25,629 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] -
java.lang.NullPointerException: null
 at org.apereo.cas.support.saml.web.idp.metadata.SamlIdPMetadataController.generateMetadataForIdp(SamlIdPMetadataController.java:61) ~[cas-server-support-saml-idp-web-6.6.3.jar!/:6.6.3]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]

If I don't have idp metadata git enabled, then if I don't have the
metadata file in the directory, it replaces my keys and generates a new
metadata file. I ideally would like to keep my existing keys and have it
generate a new metadata file for the new version. Guessing I just need
to create it with bogus keys elsewhere and swap in my certs and put it
somewhere that CAS can't write to it? It seems wrong for it to
regenerate the keys, and I haven't found the correct section of the
documentation at this point in time.

Thanks,

Richard





[cas-user] SAML IdP keys and metadata problems

2023-01-06 Thread 'Richard Frovarp' via CAS Community
I'm having two different problems related to SAML 2 keys and metadata on 
6.6.3.


If I have org.apereo.cas:cas-server-support-saml-idp-metadata-git 
enabled, I get an NPE when trying to access the metadata URL. I have 
enforced the default false flag to indicate that the IdP metadata 
shouldn't expect to be found in there. The NPE isn't very helpful:


2023-01-06 15:34:25,629 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - path [/cas] threw exception [Request processing failed; nested exception is java.lang.NullPointerException] with root cause
java.lang.NullPointerException: null
    at org.apereo.cas.support.saml.web.idp.metadata.SamlIdPMetadataController.generateMetadataForIdp(SamlIdPMetadataController.java:61) ~[cas-server-support-saml-idp-web-6.6.3.jar!/:6.6.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]


If I don't have idp metadata git enabled, then if I don't have the 
metadata file in the directory, it replaces my keys and generates a new 
metadata file. I ideally would like to keep my existing keys and have it 
generate a new metadata file for the new version. Guessing I just need 
to create it with bogus keys elsewhere and swap in my certs and put it 
somewhere that CAS can't write to it? It seems wrong for it to 
regenerate the keys, and I haven't found the correct section of the 
documentation at this point in time.


Thanks,

Richard



Re: [cas-user] Using git on multiple repos

2022-12-27 Thread 'Richard Frovarp' via CAS Community
Thanks for the advice. I'll work on getting it changed over to the 
method you list.


On 12/22/22 21:38, Misagh wrote:

Not quite. What you have at the moment is just a "lucky"
implementation detail and could change. It would be in your favor to
separate things that ought to be separated.

On Fri, Dec 23, 2022 at 5:28 AM 'Richard Frovarp' via CAS Community wrote:

That could also work. Thanks.

On 12/22/22 07:50, Misagh wrote:

Did you mean this?
https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-DynamicMetadata-Git.html

On Thu, Dec 22, 2022 at 4:52 AM 'Richard Frovarp' via CAS Community wrote:

Is it possible to have CAS use two different repos, with one of them
NOT being services in 6.6? I have a repo of all of my hand maintained
metadata that isn't in the same repo as the JSON files for service
configuration.

Thanks,
Richard








Re: [cas-user] Using git on multiple repos

2022-12-22 Thread 'Richard Frovarp' via CAS Community

That could also work. Thanks.

On 12/22/22 07:50, Misagh wrote:

Did you mean this?
https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-DynamicMetadata-Git.html

On Thu, Dec 22, 2022 at 4:52 AM 'Richard Frovarp' via CAS Community wrote:

Is it possible to have CAS use two different repos, with one of them
NOT being services in 6.6? I have a repo of all of my hand maintained
metadata that isn't in the same repo as the JSON files for service
configuration.

Thanks,
Richard






[cas-user] Re: Using git on multiple repos

2022-12-22 Thread 'Richard Frovarp' via CAS Community
I discovered that the git service repository is not recursive. So, I can put 
the hand maintained metadata in a subdirectory in the repo, and we are good.

From: 'Richard Frovarp' via CAS Community 
Sent: Tuesday, December 20, 2022 2:52:21 PM
To: cas-user@apereo.org 
Subject: [cas-user] Using git on multiple repos

Is it possible to have CAS use two different repos, with one of them
NOT being services in 6.6? I have a repo of all of my hand maintained
metadata that isn't in the same repo as the JSON files for service
configuration.

Thanks,
Richard




[cas-user] Using git on multiple repos

2022-12-21 Thread 'Richard Frovarp' via CAS Community
Is it possible to have CAS use two different repos, with one of them
NOT being services in 6.6? I have a repo of all of my hand maintained
metadata that isn't in the same repo as the JSON files for service
configuration.

Thanks,
Richard



Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread 'Richard Frovarp' via CAS Community
Guessing that it has to do with how you brought it into the keystore? 
This answer has details on how to import it as a chain into the 
keystore: 
https://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake/9300727#9300727


On 11/3/22 14:22, 'Richard Frovarp' via CAS Community wrote:
Browsers will insert the intermediate certificates if they know them. 
So you can't trust the browser. Scanners look for the chain with no 
prior knowledge, and thus are more reliable in determining if you have 
everything setup correctly.


On 11/3/22 12:47, Ray Bon wrote:

Michael,

I have not run the embedded tomcat so I do not know where the logs 
are or if they are the same in the console on startup.
When you are on the cas site, you can click the lock icon beside the 
url. You can then get access to the certificate(s) and view them. 
(Steps vary a bit between browsers.) You should see your host cert, 
the intermediates, and the root CA.
If those certs are as you expect, perhaps the scanning tool can 
provide more details on what it thinks is amiss.


Ray

On Thu, 2022-11-03 at 10:18 -0700, Michael Santangelo wrote:


Ray,

So bear with me here, because I've only been doing this for about 6 
months, and it's felt very piecemeal (as in I am pretty sure there's 
a better way to do it but I'm not familiar enough with it to figure 
it out yet).


Yes, I think we're running the embedded Tomcat as I start our cas 
with a "sudo ./gradlew clean copyCasConfiguration build run" --- I 
then watch the screen for output and I don't see any errors 
regarding any of the stores.


The tomcat.jks certificate is consistently sent by the webserver as 
evidenced by loading the site and getting proper SSL.  It's just 
when I run a qualys ssl scan on our instance it says that we're 
missing the certificate chain, which I thought I specified to 
include by adding the lines 
"server.ssl.truststore=file:/path/to/ssl/chain.jks
server.ssl.truststorepassword=thepassword2" to the cas.properties.

I've tried changing it to server.ssl.trust-store and 
server.ssl.trust-store-password but I don't get errors with that 
either... Which leads me to believe I'm missing the errors as they 
happen or something else entirely is wrong.


I don't see any errors during page access either.

On Thursday, November 3, 2022 at 12:59:58 PM UTC-4 Ray Bon wrote:

Michael,

I assume you are running embedded tomcat and the process running 
tomcat has read access to the .jks.

What certificate is being sent when you browse to cas/login?
Are there any log errors on tomcat startup or page access?

Ray

On Wed, 2022-11-02 at 12:44 -0700, Michael Santangelo wrote:


Hello all,

I'm struggling with getting CAS to send the certificate chain 
properly and wondering if maybe I'm using the wrong lines in the 
config.


Before this project I had:
server.ssl.key-store=file:/path/to/ssl/tomcat.jks
server.ssl.key-store-password=thepassword

After some googling, I added
server.ssl.truststore=file:/path/to/ssl/chain.jks
server.ssl.truststorepassword=thepassword2

However, when I run SSL scans against the site, it still reports 
that the chain isn't being sent.


Is it different keys? Or should I just bake the chain into the 
tomcat file?  Are there any aliases I should use specifically?


Thanks.
-M







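An added example for the thread above, not the thread's own commands, and using a PKCS12 store built with openssl instead of the JKS/keytool import in the linked Stack Overflow answer: it shows why a scanner reports a missing chain when the browser does not (the scanner trusts only the root and fetches nothing), and what a key store that carries the intermediate looks like next to one that does not. The throw-away CA, hostname, alias and password are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a key store that carries the full
# chain, and check it the way a scanner does, with only the root CA known.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Throw-away three-tier PKI standing in for the real CA: root -> intermediate -> host.
# Extensions are given explicitly so the result does not depend on openssl.cnf defaults.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cas.example.edu" \
    -keyout host.key -out host.csr >/dev/null 2>&1
openssl x509 -req -in host.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 1 -out host.crt >/dev/null 2>&1

# chain_verifies LEAF [INTERMEDIATES]: what a scanner does. It trusts only the root
# and has no prior knowledge of intermediates, so the server must send them itself.
chain_verifies() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
    fi
}

# Two key stores: the mistake (host cert only) and the fix (host cert plus
# intermediate in the same entry). PKCS12 is used here instead of JKS so plain
# openssl can build and inspect it; embedded Tomcat accepts either type.
openssl pkcs12 -export -inkey host.key -in host.crt -name tomcat \
    -passout pass:changeit -out leaf-only.p12
openssl pkcs12 -export -inkey host.key -in host.crt -certfile inter.crt -name tomcat \
    -passout pass:changeit -out tomcat.p12

# certs_in_store STORE: how many certificates the server will present from it.
certs_in_store() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

echo "host cert alone verifies against the root:          $(chain_verifies host.crt && echo yes || echo no)"
echo "host cert + intermediate verifies against the root: $(chain_verifies host.crt inter.crt && echo yes || echo no)"
echo "certificates in leaf-only.p12: $(certs_in_store leaf-only.p12)"
echo "certificates in tomcat.p12:    $(certs_in_store tomcat.p12)"

# Point CAS at the store that carries the chain (Spring Boot property names;
# the path is a placeholder). A trust store setting does not change what is served.
#   server.ssl.key-store=file:/path/to/tomcat.p12
#   server.ssl.key-store-type=PKCS12
#   server.ssl.key-store-password=changeit
#   server.ssl.key-alias=tomcat
```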

Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread 'Richard Frovarp' via CAS Community
Browsers will insert the intermediate certificates if they know them. So 
you can't trust the browser. Scanners look for the chain with no prior 
knowledge, and thus are more reliable in determining if you have 
everything setup correctly.


On 11/3/22 12:47, Ray Bon wrote:

Michael,

I have not run the embedded tomcat so I do not know where the logs are 
or if they are the same in the console on startup.
When you are on the cas site, you can click the lock icon beside the 
url. You can then get access to the certificate(s) and view them. 
(Steps vary a bit between browsers.) You should see your host cert, 
the intermediates, and the root CA.
If those certs are as you  expect, perhaps the scanning tool can 
provide more details on what it thinks is amiss.


Ray

On Thu, 2022-11-03 at 10:18 -0700, Michael Santangelo wrote:
Notice: This message was sent from outside the University of Victoria 
email system. Please be cautious with links and sensitive information.


Ray,

So bear with me here, because I've only been doing this for about 6 
months, and it's felt very piecemeal (as in I am pretty sure there's 
a better way to do it but I'm not familiar enough with it to figure 
it out yet).


Yes, I think we're running the embedded Tomcat as I start our cas 
with a "sudo ./gradlew clean copyCasConfiguration build run" --- I 
then watch the screen for output and I don't see any errors regarding 
any of the stores.


The tomcat.jks certificate is consistently sent by the webserver as 
evidenced by loading the site and getting proper SSL.  It's just when 
I run a qualys ssl scan on our instance it says that we're missing 
the certificate chain, which I thought I specified to include by 
adding the lines "server.ssl.truststore=file:/path/to/ssl/chain.jks
server.ssl.truststorepassword=thepassword2" to the cas.properties.

I've tried changing it to server.ssl.trust-store and 
server.ssl.trust-store-password but I don't get errors with that 
either... Which leads me to believe I'm missing the errors as they 
happen or something else entirely is wrong.


I don't see any errors during page access either.

On Thursday, November 3, 2022 at 12:59:58 PM UTC-4 Ray Bon wrote:

Michael,

I assume you are running embedded tomcat and the process running 
tomcat has read access to the .jks.

What certificate is being sent when you browse to cas/login?
Are there any log errors on tomcat startup or page access?

Ray

On Wed, 2022-11-02 at 12:44 -0700, Michael Santangelo wrote:


Hello all,

I'm struggling with getting CAS to send the certificate chain 
properly and wondering if maybe I'm using the wrong lines in the 
config.


Before this project I had:
server.ssl.key-store=file:/path/to/ssl/tomcat.jks
server.ssl.key-store-password=thepassword

After some googling, I added
server.ssl.truststore=file:/path/to/ssl/chain.jks
server.ssl.truststorepassword=thepassword2

However, when I run SSL scans against the site, it still reports 
that the chain isn't being sent.


Is it different keys? Or should I just bake the chain into the 
tomcat file?  Are there any aliases I should use specifically?


Thanks.
-M






--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f1390460-efb7-ef29-6353-61aa34677cf7%40ndsu.edu.


[cas-user] Metrics prefix for 6.6?

2022-11-02 Thread 'Richard Frovarp' via CAS Community
Is there a metrics prefix for StatsD (or any of the other ones) that we 
can provide? Generally we run one StatsD for multiple systems, and 
not using a prefix to group it together is going to make things 
complicated / impossible. There used to be one, but I can't seem to find 
anything in the existing version / documentation.


Thanks,

Richard

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/65ca7a0f-12f9-98ca-43c3-1075df18f5dd%40ndsu.edu.


Re: [cas-user] Re: Older documentation is no longer available

2022-11-01 Thread 'Richard Frovarp' via CAS Community
On Tue, 2022-11-01 at 09:06 -0400, Mark H. Wood wrote:
> On Mon, Oct 31, 2022 at 03:25:12PM -0700, Benjamin Bini wrote:
> > Which project removes documentation as a way to encourage people to
> > upgrade?
> > What is the next step? Removing the code from GitHub and removing
> > artifacts 
> > from online repositories?
> > 
> > Node.js documentation goes back to 0.0.1 : https://nodejs.org/docs/
> > Should you use Node 0.0.1? Of course not. But the doc is still
> > online if 
> > for some reason you need it.
> > And I took the first example that came to my mind.
> > 
> > CAS documentation has always been really hard to navigate and
> > understand, 
> > especially for less experienced developers.
> > How are you supposed to upgrade without the documentation from the
> > version 
> > you're coming from?
> 
> This is the piece that, I think, has been missing from the discussion
> until now:  *why* one needs documentation for a prior version.
> 
> So, you want to upgrade to the latest CAS release.  This means that
> you need to understand the release that you are running now, so that
> you can set the new one up to meet the same needs.
> 
> You have, after many months, gotten everyone to agree to downtime for
> a vital, cross-cutting service.  Current production is several
> releases old.  It may have been installed by someone else who has
> left
> the organization; it may have been installed by you, but that was a
> long time and many projects ago.  The new release has *different*
> configuration properties, and may have been re-organized, so you
> can't
> just copy the setup and hope it works.  Even a same-named property
> may have a subtly different meaning in the new version.
> 
> So you start reading the old configuration.  What does it all mean?
> The documentation for that version would help.  The documentation for
> the new version may in some areas be useless or even misleading
> w.r.t. the old version.


+1

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f313de36b2ac134c380cd1c838814301d842d1b.camel%40ndsu.edu.


Re: [cas-user] renew=true, risk of bypassing?

2022-08-16 Thread 'Richard Frovarp' via CAS Community
Part of the response metadata coming back is if the authentication is 
from a new login. I think it will also tell you what time the auth 
happened. Don't trust the user provided data, validate that what CAS is 
telling you matches your security requirement. If it doesn't, don't let 
them pass.


On 8/16/22 12:13, Pablo Vidaurri wrote:
So I have an application with certain parts allowing a long SSO 
session and other areas that require login every time.


I know I can leverage the renew query parameter but how do I prevent the 
user from simply removing it and then accessing the secured part of the 
app without logging in again?


For example, I want the user to provide their credentials every time 
they access their profile. So if there is already an active 
session for https://www.myapp.com and they access their profile, I 
will redirect them to 
https://www.mycas.com/auth/login?renew=true&service=https://www.myapp.com/myprofile


This works, but I can also remove the renew query parameter and 
directly hit myprofile page since I already have a session to the app.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ea11170-164e-4408-bc66-422bf188c108n%40apereo.org 
.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/97bfa18a-9e8c-eb4c-b2fe-39bcac657d7a%40ndsu.edu.
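Richard's point, validating what CAS asserts instead of trusting that renew=true survived the round trip, written out as an added example that is not from this thread or from the CAS project. The application parses the CAS 3.0 serviceValidate response (a constructed sample here; the element names authenticationDate, isFromNewLogin and longTermAuthenticationRequestTokenUsed are the ones the CAS protocol specification defines for that response) and only admits the user to the profile page when the authentication was a new login, not a remember-me token, and younger than the configured window. Go is used for the parser; the function names, the user and the timestamps are made up.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// serviceResponse maps the parts of a CAS 3.0 /serviceValidate reply this check
// needs. Tags carry no namespace, so they match the cas: prefixed elements by
// local name; the root is pinned to the CAS namespace.
type serviceResponse struct {
	XMLName xml.Name `xml:"http://www.yale.edu/tp/cas serviceResponse"`
	Success *struct {
		User     string `xml:"user"`
		AuthDate string `xml:"attributes>authenticationDate"`
		NewLogin string `xml:"attributes>isFromNewLogin"`
		LongTerm string `xml:"attributes>longTermAuthenticationRequestTokenUsed"`
	} `xml:"authenticationSuccess"`
	Failure *struct {
		Code string `xml:"code,attr"`
		Text string `xml:",chardata"`
	} `xml:"authenticationFailure"`
}

// RequireFreshLogin is the server-side counterpart of sending renew=true: whatever
// the browser did to the query string, the app admits the user only if CAS says the
// credentials were entered just now. Returns the validated username on success.
func RequireFreshLogin(body []byte, now time.Time, maxAge time.Duration) (string, error) {
	var r serviceResponse
	if err := xml.Unmarshal(body, &r); err != nil {
		return "", fmt.Errorf("malformed CAS response: %w", err)
	}
	if r.Success == nil {
		if r.Failure != nil {
			return "", fmt.Errorf("CAS validation failed: %s", r.Failure.Code)
		}
		return "", fmt.Errorf("CAS response carries neither success nor failure")
	}
	if r.Success.NewLogin != "true" {
		return "", fmt.Errorf("user %q reused an existing SSO session; fresh credentials required", r.Success.User)
	}
	if r.Success.LongTerm == "true" {
		return "", fmt.Errorf("user %q authenticated via remember-me token; fresh credentials required", r.Success.User)
	}
	authAt, err := time.Parse(time.RFC3339Nano, r.Success.AuthDate)
	if err != nil {
		return "", fmt.Errorf("unparseable authenticationDate %q: %w", r.Success.AuthDate, err)
	}
	// Reject both stale logins and ones dated in the future (clock trouble on either side).
	if age := now.Sub(authAt); age > maxAge || age < -maxAge {
		return "", fmt.Errorf("authentication for %q is %s old, limit is %s", r.Success.User, age, maxAge)
	}
	return r.Success.User, nil
}

// SampleResponse builds a constructed validation response for the demonstration;
// it is shaped like CAS output but is not captured from a real server.
func SampleResponse(user, authDate string, newLogin bool) []byte {
	return []byte(fmt.Sprintf(`<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>%s</cas:user>
    <cas:attributes>
      <cas:authenticationDate>%s</cas:authenticationDate>
      <cas:isFromNewLogin>%t</cas:isFromNewLogin>
      <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>`, user, authDate, newLogin))
}

func main() {
	now := time.Now().UTC()
	fresh := SampleResponse("jdoe", now.Add(-30*time.Second).Format(time.RFC3339Nano), true)
	reused := SampleResponse("jdoe", now.Add(-30*time.Second).Format(time.RFC3339Nano), false)
	for _, body := range [][]byte{fresh, reused} {
		user, err := RequireFreshLogin(body, now, time.Minute)
		fmt.Printf("user=%q err=%v\n", user, err)
	}
}
```

The window (one minute here) is the application's own policy; it covers the redirect round trip and nothing more, so a stale SSO session cannot satisfy it even if the user strips renew=true from the URL.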


Re: [cas-user] CAS 6.5 w/ Duo MFA, was MFA actually used?

2022-07-29 Thread 'Richard Frovarp' via CAS Community
How are you triggering MFA / Duo? You likely only want to trigger Duo on 
a local attribute and setup the integration to force Duo always. If you 
are leaving it up to Duo to decide if the user is enrolled and bypass if 
not, the old Duo Web integration couldn't tell you what happened, just 
that they got past Duo. 6.5 should be using the new OIDC method, and it 
was supposed to return back more detail so you could make security 
decisions. So something there isn't working?? Here's my writeup about 
the Duo Web integration problems: 
https://www.frovarp.dev/2019/03/24/ambiguous-response-in-duo-web/


But in any event, I'd stick them in a group if they have to MFA and 
trigger Duo off of membership in that group, always enforcing MFA to 
happen on that integration.


On 7/29/22 14:44, Baron Fujimoto wrote:
We're currently using CAS 6.5 with Duo for MFA. While the MFA itself 
works, we're trying to find some way of determining whether MFA was 
actually used during a user's authentication.


MFA is not mandatory for our users, and they must opt-in and enroll 
themselves with Duo. We can see that when a user authenticates, there 
is a set of promising CAS authentication attributes available. e.g.:

- successfulAuthenticationHandlers: [DuoSecurityAuthenticationHandler]
- credentialType: [DuoSecurityCredential]
- authenticationMethod: [DuoSecurityAuthenticationHandler]
- authnContextClass: [mfa-duo]

However, these attributes appear to be assigned the same values 
whether the user is enrolled in Duo or not – and thus are presented 
with the MFA requirement during their login. Therefore, there doesn't 
appear to be anything in these attributes that allows us to 
distinguish whether MFA was actually invoked/required/used for the 
user's authentication.


FWIW, this is how we're currently enabling MFA for CAS in cas.properties:
cas.authn.mfa.triggers.global.global-provider-id=mfa-duo

We've looked at the available multifactor authentication triggers, but 
none of the attribute-based triggers seem appropriate since I think 
they rely on local information about the principal, and not something 
authoritative from Duo or about the actual CAS authentication flow 
that was used. Perhaps there's a way using the REST method with the 
Duo Auth API /enroll_status or /preauth endpoints, but that sounds 
kind of fraught (even if possible).


Is there something else we may be overlooking that would help us 
achieve our goal?

--
Baron Fujimoto  ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0-uwSJhTVCLXBRSUPhfDWSHFUn1xT%3DjSJJw8vwWXdp9g%40mail.gmail.com 
.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/de4b2e35-06a5-20a2-e3dd-58960bfb7159%40ndsu.edu.


Re: [cas-user] ideas for persistence login session

2022-07-28 Thread 'Richard Frovarp' via CAS Community
Amazon stores a decent amount of info at the account layer. Different 
application sessions across different devices share cart. But the 
solution for this is to do it at the application layer. Extend the 
session out there. Then at the security layer, it should have the 
functionality to know when the last authentication was. If they are 
doing something that requires higher security, that last login time is 
queried and a forced authentication is done if it isn't high enough. You 
could do a normal SSO auth if your IdP session is less than your 
critical time period. You can force an auth through CAS, even with an 
active session, by using the renew option.


On 7/28/22 09:07, Pablo Vidaurri wrote:
Sorry, waldbiec is correct ... ST is using the default value of 10 sec 
... I meant the application session is 2hrs.


Basically we are looking at how to mimic sites like Amazon ... once 
you login you can browse for days, add stuff to your cart, maybe even 
check out. But once you go to modify your account details 
(shipping/billing, etc) you get prompted to login again.


-psv

On Wednesday, July 27, 2022 at 6:34:15 PM UTC-5 richard.frovarp wrote:

I would change the application and not do it via CAS. Changing the
application session timeout to what they want. Because otherwise
it will do a SSO session again, which will interrupt anything the
end user is trying to do with the browser open for the past two
days. So anything done via CAS won't give a good user experience.

*From:* cas-...@apereo.org  on behalf of Ray
Bon 
*Sent:* Wednesday, July 27, 2022 4:34:56 PM
*To:* cas-...@apereo.org 
*Subject:* Re: [cas-user] ideas for persistence login session
Pablo,

The long running pages could be added as a service with longer TGT
life,

https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service

Ray

On Wed, 2022-07-27 at 12:16 -0700, Pablo Vidaurri wrote:


Currently CAS TGT is an 8hr session, ST is a 2hr session. Client
is requesting to enable certain parts of their site (protected)
to include a longer ST (for weeks) while maintaining a 2hr
session for other secured parts like "Account/Profile".

I understand the application needs to change, but is there
anything on the CAS side that I can do to help in this effort?

Would JWT help? When a user successfully logs in, issue a JWT
good for 4 weeks with user's credentials. Now let's assume the
TGT/ST are no longer valid and the user is trying to access part
of the site where logging in is not required for days (protected
area). The JWT would then be used to auto login the user.
Achievable or pure abuse?

Also considered increasing the TGT TTL for weeks and creating
separate services to define an
AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy
of 2hrs/8hrs, etc but this means certain parts of the site
need to be under specific URL patterns.

Any suggestions?

-psv


-- 


Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831  | CLE 019 | rb...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose
traditional territory the university stands, and the Songhees,
Esquimalt and WSÁNEĆ peoples whose historical relationships with
the land continue to this day.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b8b0a792-35a3-4188-ae66-ef699650732an%40apereo.org 

Re: [cas-user] ideas for persistence login session

2022-07-27 Thread 'Richard Frovarp' via CAS Community
I would change the application and not do it via CAS. Changing the application 
session timeout to what they want. Because otherwise it will do a SSO session 
again, which will interrupt anything the end user is trying to do with the 
browser open for the past two days. So anything done via CAS won't give a good 
user experience.

From: cas-user@apereo.org  on behalf of Ray Bon 

Sent: Wednesday, July 27, 2022 4:34:56 PM
To: cas-user@apereo.org 
Subject: Re: [cas-user] ideas for persistence login session

Pablo,

The long running pages could be added as a service with longer TGT life, 
https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service

Ray

On Wed, 2022-07-27 at 12:16 -0700, Pablo Vidaurri wrote:

Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is requesting 
to enable certain parts of their site (protected) to include a longer ST (for 
weeks) while maintaining a 2hr session for other secured parts like 
"Account/Profile".

I understand the application needs to change, but is there anything on the CAS 
side that I can do to help in this effort?

Would JWT help? When a user successfully logs in, issue a JWT good for 4 weeks 
with user's credentials. Now let's assume the TGT/ST are no longer valid and the 
user is trying to access part of the site where logging in is not required for 
days (protected area). The JWT would then be used to auto login the user. 
Achievable or pure abuse?

Also considered increasing the TGT TTL for weeks and creating separate 
services to define an 
AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 
2hrs/8hrs, etc but this means certain parts of the site need to be under 
specific URL patterns.

Any suggestions?

-psv

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a5c8a9514a354884dd7a78daba1dba5272b9620f.camel%40uvic.ca.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/DM5PR08MB2778300FAF7FA4D5C5950D068B979%40DM5PR08MB2778.namprd08.prod.outlook.com.


Re: [cas-user] Re: Migrating services from version 5 to 6

2022-03-31 Thread 'Richard Frovarp' via CAS Community
The tables in the post are for the service registry. If you don't 
migrate those, you will have to reconfigure from scratch.


I do not know what the plans are for the project with respect to the 
service registry. It's changed a bit between versions, and usually seems 
like a pain. We made the change in a previous upgrade to just drop JSON 
files on the filesystem and have CAS pick those up. It keeps us free of 
changes in the JPA method (which we had been using), and free from 
management app changes. In addition, we can keep service configuration 
in git, which is extremely nice.


What I gather from that post is you are going to need to change the 
source code of RegisteredServicesReportController either changing that 
method, or adding that method. Looks like it is adding the method. 
Compile, put into your deployment (or download your DB and run locally), 
and then hit that point to get the exported JSON services. If you are 
running the management application in 5.3, I think you can export 
services as JSON as well, just by clicking a bunch of times and possibly 
doing copy and paste. Depending on your number of services, it might be 
simpler to just export via the management application, which I'm 
assuming that you are using. That would save you from editing code and 
having to deploy a new class file.


Richard

On 3/31/22 09:32, Pablo Vidaurri wrote:
There is no need to migrate the data. These tables are for various 
type of tickets. Worst case when you cut over to v6.4 your users will 
have to login again.


-psv


On Wednesday, March 30, 2022 at 9:43:58 AM UTC-5 fjan...@gmail.com wrote:

Hi,

I need to migrate the JPA service registry from Apereo CAS 5.2.2 to 6.4,
but in this last version the data structures seem to have been replaced by
just one table with a flat JSON field in a column: no more relational
structure, or I missed something.
Has anyone here observed the same?
If the JPA migration is not possible, does it mean I have to use JSON
anyway?

The best hit my searches have turned up so far is this page:
https://fawnoos.com/2021/01/19/cas53-service-registry-migration-to-cas63/

But its content is pretty elliptical and I don't see where to apply the
snippet shown in it: I have an installation based on cas-overlay, and
there is no java file named RegisteredServicesReportController to
override...

In short, my purpose is as follows: migrating services from JPA to
JSON.

Has anyone faced the same issue?

Thanks a lot for any clue.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/133c5bb4-c6cd-4ec6-bf46-e1deaad1ffc4n%40apereo.org 
.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/75ef5b42-d3b7-366b-8b5b-c784e578b5a2%40ndsu.edu.


Re: [cas-user] MFA with Duo - A Lot Of Failures

2022-02-17 Thread 'Richard Frovarp' via CAS Community

Looks like the clock on your server isn't correct?

2022-02-17 20:14:10,479 ERROR 
[org.apereo.cas.adaptors.duo.authn.DuoSecurityAuthenticationHandler] - 

Caused by: com.auth0.jwt.exceptions.InvalidClaimException: The Token 
can't be used before Thu Feb 17 20:15:11 UTC 2022.


I don't know about your timezone, but the minute in your log statement 
is before the minute when the token can be used. Looks like you are 
running about 61 seconds ahead?


On 2/17/22 14:34, Michael Santangelo wrote:

Hello all,

We have implemented Duo as an MFA provider in CAS, and it was working 
great in small-scale testing.


We are pushing to a larger user base to test, and are frequently 
getting an error upon completion of the MFA process (after the user 
has approved the push notification):

---
MFA Provider Unavailable

CAS was unable to reach your configured MFA provider at this time. Due 
to failure policies configured for the service you are attempting to 
access, authentication can not be granted at this time.

---

When I look at the cas-date.log:

2022-02-17 20:05:36,120 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

=
WHO: audit:unknown
WHAT: 
{source=RankedMultifactorAuthenticationProviderWebflowEventResolver, 
event=success, timestamp=Thu Feb 17 20:05:36 UTC 2022}

ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Feb 17 20:05:36 UTC 2022
CLIENT IP ADDRESS: 10.200.2.209
SERVER IP ADDRESS: 10.200.1.63
=

>
2022-02-17 20:05:39,993 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

=
WHO: username
WHAT: [UsernamePasswordCredential(username=username, source=null, 
customFields={})]

ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Feb 17 20:05:39 UTC 2022
CLIENT IP ADDRESS: 10.200.2.209
SERVER IP ADDRESS: 10.200.1.63
=

>
2022-02-17 20:05:39,995 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

=
WHO: username
WHAT: {source=String, event=mfa-duo, timestamp=Thu Feb 17 20:05:39 UTC 
2022}

ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Feb 17 20:05:39 UTC 2022
CLIENT IP ADDRESS: 10.200.2.209
SERVER IP ADDRESS: 10.200.1.63
=

>
2022-02-17 20:05:39,998 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

=
WHO: username
WHAT: {principal=username, execution=true, provider=mfa-duo}
ACTION: MULTIFACTOR_AUTHENTICATION_BYPASS
APPLICATION: CAS
WHEN: Thu Feb 17 20:05:39 UTC 2022
CLIENT IP ADDRESS: 10.200.2.209
SERVER IP ADDRESS: 10.200.1.63
=

>
2022-02-17 20:05:40,673 WARN 
[org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationService] 
- and detail [Wrong integration type for this API.] when determining 
user account. This maybe a configuration error in the admin request 
and Duo will still be considered available.>
2022-02-17 20:05:49,874 ERROR 
[org.apereo.cas.adaptors.duo.authn.DuoSecurityAuthenticationHandler] - 

2022-02-17 20:05:49,875 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

=
WHO: *
WHAT: [DuoSecurityUniversalPromptCredential(token=*, 
authentication=org.apereo.cas.authentication.DefaultAuthentication@2b2b031b, 
providerId=mfa-duo)]

ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Feb 17 20:05:49 UTC 2022
CLIENT IP ADDRESS: 10.200.2.209
SERVER IP ADDRESS: 10.200.1.63
=

>
2022-02-17 20:05:49,875 ERROR 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] 
- <1 errors, 0 successes>
2022-02-17 20:05:49,876 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

=
WHO: ELHb25Fr2JP5NWc8S0jljab45p6wIqx1
WHAT: {source=DuoSecurityAuthenticationWebflowEventResolver, 
event=error, timestamp=Thu Feb 17 20:05:49 UTC 2022}

ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Feb 17 20:05:49 UTC 2022
CLIENT IP ADDRESS: 10.200.2.209
SERVER IP ADDRESS: 10.200.1.63
=

>
2022-02-17 20:05:49,877 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

=
WHO: ELHb25Fr2JP5NWc8S0jljab45p6wIqx1
WHAT: TST-b31b7c0a5048e9995aa54daa5b3d1f8d141c
ACTION: TICKET_DESTROYED
APPLICATION: CAS
WHEN: Thu Feb 17 20:05:49 UTC 2022
CLIENT IP ADDRESS: 10.200.2.209
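Richard's diagnosis from the two timestamps, turned into an added log check that is not part of this thread: it pulls the log4j timestamp and the not-before time out of the exception message and reports how far the two clocks disagree, and a small leeway check shows why a minute of drift breaks a zero-leeway not-before validation. Written in Go; the log prefix is assumed to be UTC because the audit entries in the same log say UTC, and the sample excerpt is assembled from the two lines quoted above. The remedy is time synchronisation on the CAS host, not a larger leeway.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleLog is constructed from the two lines quoted in the thread; the cause
// message carries the Duo token's not-before time as a java.util.Date string.
const sampleLog = `2022-02-17 20:14:10,479 ERROR [org.apereo.cas.adaptors.duo.authn.DuoSecurityAuthenticationHandler] -
Caused by: com.auth0.jwt.exceptions.InvalidClaimException: The Token can't be used before Thu Feb 17 20:15:11 UTC 2022.`

var (
	// log4j prefix, e.g. "2022-02-17 20:14:10,479 ERROR"
	logPrefixRe = regexp.MustCompile(`(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ERROR`)
	// java.util.Date.toString(), e.g. "Thu Feb 17 20:15:11 UTC 2022"
	notBeforeRe = regexp.MustCompile(`can't be used before ([A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} [A-Z]{3,4} \d{4})`)
)

// ParseLogTimestamp parses the log4j "yyyy-MM-dd HH:mm:ss,SSS" prefix. The prefix
// has no zone marker, so UTC is assumed (the audit lines in the same log are UTC).
func ParseLogTimestamp(s string) (time.Time, error) {
	return time.ParseInLocation("2006-01-02 15:04:05.000", strings.Replace(s, ",", ".", 1), time.UTC)
}

// ClockSkewFromLog returns the token's not-before minus the moment the server logged
// the rejection. A positive result means the not-before lies in the server's future,
// i.e. the server's clock and the token issuer's clock disagree by at least that much.
func ClockSkewFromLog(logExcerpt string) (time.Duration, error) {
	lm := logPrefixRe.FindStringSubmatch(logExcerpt)
	nm := notBeforeRe.FindStringSubmatch(logExcerpt)
	if lm == nil || nm == nil {
		return 0, fmt.Errorf("excerpt lacks the ERROR timestamp or the not-before cause")
	}
	logged, err := ParseLogTimestamp(lm[1])
	if err != nil {
		return 0, err
	}
	nbf, err := time.Parse(time.UnixDate, nm[1])
	if err != nil {
		return 0, err
	}
	// Compare at whole-second resolution, which is all the not-before claim carries.
	return nbf.Sub(logged.Truncate(time.Second)), nil
}

// NotBeforeSatisfied is the nbf check a token validator performs; leeway is the
// tolerance many libraries allow for clock drift, often zero by default.
func NotBeforeSatisfied(nbf, now time.Time, leeway time.Duration) bool {
	return !now.Add(leeway).Before(nbf)
}

func main() {
	skew, err := ClockSkewFromLog(sampleLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("not-before is %s later than the server's log time\n", skew)
	nbf, _ := time.Parse(time.UnixDate, "Thu Feb 17 20:15:11 UTC 2022")
	serverNow := nbf.Add(-skew) // the server's clock at the moment of the rejection
	fmt.Println("accepted with zero leeway  :", NotBeforeSatisfied(nbf, serverNow, 0))
	fmt.Println("accepted with 2 min leeway :", NotBeforeSatisfied(nbf, serverNow, 2*time.Minute))
}
```

On the quoted lines the gap is 61 seconds, the figure Richard estimated; a second excerpt with the same two line shapes can be passed to ClockSkewFromLog to confirm the drift is constant rather than a one-off.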

Re: [cas-user] log4j2 vulnerability

2021-12-12 Thread 'Richard Frovarp' via CAS Community
Newer versions of the JDK are still affected. The newer JDK versions stop JNDI 
from running remote code; they don't stop the JNDI lookup. An attacker can still 
exfil data through the DNS lookup. Also, there are other paths to exploit with 
this attack. It was first found via JNDI LDAP to execute remote code. There is 
now a known path using classes present in Apache Tomcat. There will be more 
that are found. Update Log4j or put the environment variable in.

From: cas-user@apereo.org  on behalf of Robert Oschwald 

Sent: Saturday, December 11, 2021 09:24
To: cas-user@apereo.org 
Subject: Re: [cas-user] log4j2 vulnerability

Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as 
JNDI lookups are disabled there by default.

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228



Sent while mobile.

Am 11.12.2021 um 13:44 schrieb Anders Collstrup :


My fix was the following:

CAS 6.1 running on debian 10. All except CAS installed from standard repos

created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones wrote:
Hello, due to the recently discovered log4j2 vulnerability, what's the way to 
mitigate it?


should I add log4j2.formatMsgNoLookups=true to the cas.properties file?

Thanks in Advance,
Manuel.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae1c7b48-1c3e-4c3c-b762-f5a8e5794df9n%40apereo.org.



Re: [cas-user] log4j vulnerability

2021-12-10 Thread 'Richard Frovarp' via CAS Community

Maybe? The one that I've seen
https://logging.apache.org/log4j/2.x/security.html

says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to 
your JVM and not in the config file.


On 12/10/21 12:55 PM, Mike Osterman wrote:
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in 
the log4j2.xml config file might do the trick.

I'm guessing we'd do that somewhere here at the top?

        /etc/cas/logs

On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community 
<mailto:cas-user@apereo.org> wrote:


Using a new enough version of the JDK might also alleviate it? The
other option is to throw the config option at the JDK to stop it
from happening. That would seem to be easiest.

On 12/10/21 12:36 PM, King, Robert wrote:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>

Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1. The sledgehammer approach of removing the JndiLookup.class from
the jar files:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set "log4jVersion=2.15.0"

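Both log4j threads above name the same mitigations: strip JndiLookup.class out of log4j-core, rebuild with log4jVersion=2.15.0, or pass -Dlog4j2.formatMsgNoLookups to the JVM through setenv.sh. As an added example (not code from the CAS project or from anyone on the list), this Python audit checks a deployment for those mitigations; the WEB-INF/lib layout, the jar contents and the version numbers in demo() are constructed for the demonstration, and the flag check accepts the "True" spelling from the setenv.sh in the thread because Log4j reads that value case-insensitively.

```python
"""Audit of the Log4j mitigations from these threads: a log4j-core jar stripped
of JndiLookup.class or at/after the fixed release named (log4jVersion=2.15.0),
and the -Dlog4j2.formatMsgNoLookups flag in JAVA_OPTS.  Added example; not code
from the CAS project or from the list."""
import os
import re
import shlex
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # release named in the thread


@dataclass
class JarFinding:
    path: str
    version: Optional[Tuple[int, ...]]
    has_jndi_lookup: bool

    @property
    def mitigated(self) -> bool:
        # Either mitigation from the thread counts: class stripped, or version fixed.
        if not self.has_jndi_lookup:
            return True
        return self.version is not None and self.version >= FIXED_VERSION


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def inspect_jar(path: str) -> JarFinding:
    """Version from the manifest (fallback: the filename); JndiLookup.class is
    looked up in the entry list only, nothing is extracted or loaded."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line)
        if version is None:
            version = parse_version(os.path.basename(path))
        return JarFinding(path, version, JNDI_LOOKUP_CLASS in names)


def audit_log4j_jars(root: str) -> List[JarFinding]:
    """Walk a deployment root (e.g. Tomcat's webapps) for log4j-core jars."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return findings


def java_opts_disable_lookups(java_opts: str) -> bool:
    """True if the JAVA_OPTS value sets log4j2.formatMsgNoLookups to true.  Log4j
    reads the value case-insensitively, so the setenv.sh spelling 'True' counts."""
    for tok in shlex.split(java_opts):
        key, sep, value = tok.partition("=")
        if key == "-Dlog4j2.formatMsgNoLookups" and sep and value.lower() == "true":
            return True
    return False


def build_sample_jar(path: str, version: str, include_jndi: bool) -> None:
    """Constructed stand-in for a log4j-core jar: a manifest plus an empty class entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")


def demo() -> Dict[str, bool]:
    """Three constructed jars in a temp dir: vulnerable, upgraded, class removed."""
    lib = os.path.join(tempfile.mkdtemp(prefix="log4j-audit-"), "WEB-INF", "lib")
    os.makedirs(lib)
    build_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
    build_sample_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0", True)
    build_sample_jar(os.path.join(lib, "log4j-core-2.13.3.jar"), "2.13.3", False)
    return {os.path.basename(f.path): f.mitigated for f in audit_log4j_jars(lib)}


if __name__ == "__main__":
    for jar_name, ok in sorted(demo().items()):
        print(f"{jar_name}: {'mitigated' if ok else 'VULNERABLE'}")
```

Run audit_log4j_jars() against the real webapps directory and java_opts_disable_lookups() against the expanded JAVA_OPTS; a jar that still carries JndiLookup.class below the fixed version with no JVM flag is the case to act on.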


Re: [cas-user] log4j vulnerability

2021-12-10 Thread 'Richard Frovarp' via CAS Community
Using a new enough version of the JDK might also alleviate it? The other 
option is to throw the config option at the JDK to stop it from 
happening. That would seem to be easiest.


On 12/10/21 12:36 PM, King, Robert wrote:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1. The sledgehammer approach of removing the JndiLookup.class from the 
jar files:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set "log4jVersion=2.15.0"



Re: [cas-user] Clarification on ADFS/CAS integration possibilities

2021-10-21 Thread 'Richard Frovarp' via CAS Community
"I understand you can make CAS use ADFS for backend authentication, or 
vice versa, but I'm not sure that's exactly what I'm asking here... or 
is it?"


Yes, that is what you are asking. Otherwise they are two independent 
applications that know nothing about the state of one another, even 
though both are your systems. If you are starting from the beginning, 
you may want to examine the support status for ADFS. MS is putting most 
of their effort into Azure, so you may be better off starting there.


You should also consider what protocols are needed, and what external 
systems you need to federate with. You said "developers that aren't 
agreeing", that should be a protocol level concern. CAS can handle most 
of the protocols, including the odd WS-Fed protocol that ADFS provides. 
So, with an IdP that can support multiple different protocols, it 
shouldn't matter what IdP product you are running to support developers. 
That said, I'm a developer that operates and configures our IdPs. So 
that may be of concern.


On 10/21/21 11:26 AM, Nathan Lewan wrote:

hello all!

I have been reading through the CAS/ADFS configurations, and feel I 
somewhat get it, but I wanted to confirm something:


Important note to the scenario: Both ADFS and CAS are aware of who *USER-A* is.

Is it possible if *USER-A* logs into an *ADFS* application, and then 
tries to log into a *CAS* application, *CAS* can check to see if they 
are already authenticated with *ADFS* and if so, let them in, SSO-style?


and on the flip side:

Is it possible if *USER-A* logs into a *CAS* application, and then 
tries to log into an *ADFS* application, *ADFS* can check to see if 
they are already authenticated with *CAS* and if so, let them in, 
SSO-style?


I have developers that aren't agreeing on one system or the other for 
SSO, and am looking into any possibility of having the two share info.


I understand you can make CAS use ADFS for backend authentication, or 
vice versa, but I'm not sure that's exactly what I'm asking here... 
or is it?


thanks for any clarifications!


[cas-user] Re: Trimming username for attribute resolution

2021-09-01 Thread 'Richard Frovarp' via CAS Community
The issue is that this happens before the service release policy can trigger. 
For some reason it is going against AD with 'richard.frovarp ', which results 
in a failed AD lookup. So it can't even get the extra attributes to return.

So it appears that the result of the principal transformation isn't used in 
attribute resolution. I'm doing a lowercase transformation, which does trim. 
That is then used to do the auth, but when attribute resolution fires, it isn't 
using the transformed principal to do the lookup, and I don't see any way of 
transforming the value that is used to do the lookup. But maybe I'm missing 
something in the documentation for Person Directory.

On Tue, 2021-08-31 at 21:08 -0700, Andy Ng wrote:
Hi Richard,

I am also not aware of any native attribute trimming feature; maybe others can 
chime in on that.

However, if you think groovy can solve your issue but you don't want external 
files, you can always use inline Groovy.

Ref: 
https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-Policies.html#inline-groovy-attributes

So, you can do it with something like this:


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "sample",
  "name" : "sample",
  "id" : 300,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uid" : "groovy { return attributes['uid'][0].trim() }"
    }
  }
}

This would not be the prettiest solution, but should be able to get the job 
done.

Cheers!
- Andy
On Wednesday, 1 September 2021 at 05:28:09 UTC+8 richard.frovarp wrote:
What's the way to do that? I thought I figured that out, but it turns
out I haven't. I think one of my systems is accomplishing it via JS in
the page. Another CAS instance for a different org doesn't have that JS.
Random trailing spaces are causing attribute resolution to fail. Somehow
authentication is working, despite both of them using the same LDAP/AD
filter:

sAMAccountName={user}

I can always add the JS and redeploy, but this feels like something that
should be able to be done via config file. I know you can specify an
external Groovy file for principalTransformation, but I'm not entirely
sure if that goes through attribute retrieval, and I would prefer to not
reference an external file.

Thanks,

Richard



[cas-user] Trimming username for attribute resolution

2021-08-31 Thread 'Richard Frovarp' via CAS Community
What's the way to do that? I thought I figured that out, but it turns 
out I haven't. I think one of my systems is accomplishing it via JS in 
the page. Another CAS instance for a different org doesn't have that JS. 
Random trailing spaces are causing attribute resolution to fail. Somehow 
authentication is working, despite both of them using the same LDAP/AD 
filter:


sAMAccountName={user}

I can always add the JS and redeploy, but this feels like something that 
should be able to be done via config file. I know you can specify an 
external Groovy file for principalTransformation, but I'm not entirely 
sure if that goes through attribute retrieval, and I would prefer to not 
reference an external file.


Thanks,

Richard



Re: [cas-user] Re: CAS vs Spring Security PLUS CAS

2021-07-09 Thread 'Richard Frovarp' via CAS Community
Fernando's message below is great advice. The version of the CAS server 
isn't going to matter too terribly much. It will depend on what protocol 
you are planning to use against CAS. I'm going to guess CAS Protocol v3, 
which gives you everything you need. You are going to want a security 
library in your application. Since it is taking logins, something in it 
must be not for public consumption, and the easiest way to tie all of 
that together is through a security library. I use Apache Shiro (we 
don't use Spring), but have used Spring Security in the past and it is a 
very capable library. You will want to take advantage of Spring 
Security, and you will want to have CAS auth travel through your 
security library.


On 7/9/21 9:26 AM, Fernando Bárcenas Martínez wrote:
This is just a thought. I'm in kind of the same position as you are. I 
was given the task to implement SSO and SLO for our apps even though 
I'm rather inexperienced and been working with Spring for less than a 
year.


I don't know exactly which versions of either Spring, Java or CAS you 
are using, and I've found it matters (little, but it does, especially 
for configuration). The Spring Security tutorials I think you've 
followed do work, but they don't really go into much detail, and 
after a couple of months struggling with it, I found out that the 
configuration can be VERY flexible. You can autowire several 
components or declare them as beans or as plain objects, for instance. 
My first recommendation is to read carefully the basic documentation 
for the version of CAS you're deploying and read carefully the 
tutorials and the code. The goal is to really understand how CAS 
works, as knowing this will make debugging rather straightforward. 
Next, set goals per point in the Spring Security-to-CAS communications 
as described by the Spring Security team in their documentation.


You could also mention what style of configuration you're using. I 
believe XML config is the easiest right now because that's exactly how 
Spring Security has it documented (Even if Spring itself encourages 
the use of Java config or properties file config). For Java config I 
could be more helpful, but translating from XML to Java beans is 
rather easy (Again, understanding the SpringSecurity-to-CAS flow is 
pretty much a must here) and most recent tutorials use 
yaml/application.properties type of config, so just read carefully.


If, by any chance, you are using Java 8 stack in Spring (Not boot) 
applications (Or use Java config) with Cas 5.3.x, then I might be able 
to help you a bit. I'm guessing most troubles you had revolved around 
the URLs or Too many petitions or even SSL handshakes if you went that 
far (Not to mention the SAN little issue when working with self-signed 
certificates).


For short, it works with Spring Security. If you are working with 
Spring, my recommendation would be to take advantage of Security.


On Thursday, July 8, 2021 at 17:35:58 UTC-5, 
worlds...@gmail.com wrote:


I'm making a web app for my company for a new product and we've
setup a CAS server for authentication.  I'm fairly new to Spring
in the first place so this has been pretty steep curve all around,
but I've finally used the java-cas-client to integrate cas into my
app.

I wound up doing this because all the tutorials and guides on how
to set up spring security + CAS never worked.
But now that I've CAS going at all, I'm wondering if I shouldn't
go back to trying to get it working with Spring Security as
well.  Does anyone have any comments/thoughts/experiences that
might enlighten me as to what the "best" path forward is?


Re: [cas-user] Re: Spring Security integration doubts (With JDBC)

2021-06-21 Thread 'Richard Frovarp' via CAS Community
CAS can do multifactor. It can also release a bunch of attributes about 
how the authentication went if you use the CAS 3 protocol. The service 
directing the individual to CAS can also request that a fresh login is 
used. Combined together, the service can be assured (so long as they 
trust the CAS IdP) that the authentication just happened. Submitting 
credentials again would likely not offer any increased security. And it 
also requires that each app handles the plain text credentials and needs 
to have the infrastructure to use it. Something like a Duo push on the 
SP side for MFA would be additional work for the user, but removes some 
of the infrastructure requirements on the SP.


On 6/21/21 3:02 PM, Fernando Bárcenas Martínez wrote:
I see. So it was indeed something I wasn't really understanding about 
how to handle the data, even when I was right about the authentication 
and authorization roles of CAS and Spring Security. That tells me that 
for my scenario, I will need to get a ticket for a meeting to rebuild 
some things, then.


And about the need to submit credentials again: I don't like it 
either, but I understand it's some sort of two-factor authorization. I 
got no vote on those design choices though.


Thank you very much for your insight and for the resources. I'll take 
a closer look at the Attribute Resolution too.


On Monday, June 21, 2021 at 12:13:33 UTC-5, Ray Bon wrote:

Cas can find username/password from a variety of sources and this
can be configured per service [1].
You can use the CAS 3 protocol [2] to release attributes to the
client application. And like username/password, attributes can be
obtained from more than one location [3].
There is also the facility to release the user's password [4].
This should be a last resort.

Spring and cas can point to the same table for user data. Cas is
for authentication, your application will have to perform
authorization. If you are returning attributes, you may need to
override or provide custom UserDetails and/or UserDetailsService
classes to handle the different source of attributes.

As for submitting username/password for 'important transactions',
this seems to be an architectural smell. If you know the user
(with attributes), what does the password give you? If requiring
the password is a decision out of your control, submitting it
automatically would circumvent this requirement.

Ray

[1]
https://apereo.github.io/cas/6.3.x/services/Service-Management.html

[2]

https://apereo.github.io/cas/6.3.x/protocol/CAS-Protocol-Specification.html#28-p3servicevalidate-cas-30


[3]
https://apereo.github.io/cas/6.3.x/integration/Attribute-Resolution.html

[4] https://apereo.github.io/cas/6.3.x/integration/ClearPass.html


On Saturday, June 19, 2021 at 9:24:34 AM UTC-7
barcmtz...@gmail.com wrote:

Good day! I've looked around for ways to enable SSO for our
web applications and CAS came out as an answer a lot, so I did
some research and gave it a try. So far, I managed to get the
server running and it generates the tickets using data from an
'access' database table. I have an issue with the redirects,
but that's not the topic of this.

The doubts I have are about the UserDetailsService and
UserDetails. Many of the tutorials and documentations I've
read touch on this briefly. I also didn't think it was much
necessary since using Spring Security formLogin is pretty much
the same concept, but as I tried to 'map' my needs to this,
things got confusing.

As I understand, CAS will use this 'access' table to
authenticate, but that means that Spring will use its own
'users' table to authorize. This kind of breaks my
requirements, as the idea of enabling SSO was to have a single
'users/access' table, not one for every webapp as we have
right now. The idea was to have the principal with important
data (principal name, password as it's required to enter it
for certain important transactions, authorities for access and
a few other pieces of information that will let us know if a
user can access one web application or not), so having the
'users' data to check for authorizations kind of makes it seem
like there will be duplicated data as the info in 'access'
will need to match the UserDetails from 'users'... right?

Is this the way it should be or am I just not getting
something? To be fair, it would make my 

Re: [cas-user] CAS Authentication issue

2021-05-26 Thread 'Richard Frovarp' via CAS Community
Looks like it can't find the table?? Are there any tables in your DB? Is your 
DB named vantage? You'll need to refer to the docs on how to get it to create 
the tables if they aren't there. If they are there in that DB, I'm not sure. 
You are on an ancient version of CAS. If this is setting it up from scratch, 
you really should get on something newer.

On Wed, 2021-05-26 at 15:05 -0700, shirisha wrote:
Now I can see different error in cas.log file.

2021-05-26 16:52:12,019 DEBUG 
[org.springframework.orm.jpa.JpaTransactionManager] - Rolling back JPA 
transaction on EntityManager [org.hibernate.ejb.EntityManagerImpl@ff3cf39a]
2021-05-26 16:52:12,025 DEBUG 
[org.springframework.orm.jpa.JpaTransactionManager] - Closing JPA EntityManager 
[org.hibernate.ejb.EntityManagerImpl@ff3cf39a] after transaction
2021-05-26 16:52:12,025 DEBUG 
[org.springframework.orm.jpa.EntityManagerFactoryUtils] - Closing JPA 
EntityManager
2021-05-26 16:52:12,025 ERROR [org.quartz.core.JobRunShell] - Job 
DEFAULT.ticketRegistryCleanerJobDetail threw an unhandled Exception:
org.springframework.scheduling.quartz.JobMethodInvocationFailedException: 
Invocation of method 'clean' on target class [class 
org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] failed; 
nested exception is org.springframework.jdbc.BadSqlGrammarException: 
PreparedStatementCallback; bad SQL grammar [SELECT UNIQUE_ID, EXPIRATION_DATE 
FROM LOCKS WHERE APPLICATION_ID=? FOR UPDATE]; nested exception is 
com.ibm.db2.jcc.am.SqlSyntaxErrorException: "VANTAGE.LOCKS" is an undefined 
name.. SQLCODE=-204, SQLSTATE=42704, DRIVER=4.25.1301

Re: [cas-user] Re: Guide to Deploying CAS 6 - with Ansible, MFA, and Delegated authentication

2021-05-19 Thread 'Richard Frovarp' via CAS Community
Yes, very nicely done. I too will find the Azure bit helpful when I spin up a 
social CAS instance in the future.

Richard

On Thu, 2021-05-13 at 21:59 -0700, Andy Ng wrote:
Hi Paul,

Thanks for the contribution! We soon also need to set up delegated auth to Azure, 
so that section is going to be useful to me.
Now whenever people ask for a CAS 6 guide I know where to point them to :)

Cheers!
- Andy

On Thursday, 13 May 2021 at 05:12:14 UTC+8 chauvetp wrote:
Hi all,

Over the past couple of months - in my (vanishingly small) free time, I created 
a guide to deploying Apereo CAS 6 (6.3.x specifically).  I did this because 
I've benefited from the documentation others have done in the past (especially 
David Curry's CAS 5 version) - and wanted to see if my stumbling, experimentation, 
trial and error could benefit others.

The documentation is available on Github.io: 
http://paulchauvet.github.io/deploying-cas

It covers the following topics:

  *   Using Ansible to deploy Tomcat and CAS (including configs, services, etc.)
  *   Vanilla CAS deployment - with functionality progressively added to it
  *   Service Configuration
  *   Active Directory authentication and attribute release
  *   Duo MFA support
  *   Ticket registry via Hazelcast
  *   Delegating authentication from CAS to Azure
  *   Theming (this one is very incomplete - I'll add more to that soon).

I can't guarantee it will be usable for anyone - and even for those who it is 
usable for whether all of it will be usable.  I am not the CAS expert that many 
here on the list are - and I don't know the underlying Java code well enough to 
cover that here.  But hopefully some will find some benefit in it.

This is my first public documentation like this (my other documentation is 
meant for internal IT staff, or end-users).  I started this as a way to 
document for other IT staff members in case the proverbial bus hits me - but 
realized it may have benefit to others.

If you have suggestions/corrections/objections/etc., let me know.

P.S.  I've got a ton of help from others on various topics - both on the CAS 
list and colleagues within SUNY.  I apologize if I missed anyone here!
Acknowledgements




Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chau...@newpaltz.edu


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f02de8e59cb5c3f251b81fcb2fcbd16d1d83c44.camel%40ndsu.edu.


Re: [cas-user] Failed Login Attempts

2021-05-18 Thread 'Richard Frovarp' via CAS Community
Don't get me wrong, throttling is definitely good. The thing you want to watch 
out for is when unexpected attempts succeed. So one bit of strange behavior to 
be on the lookout for is an authentication that triggers MFA, but the MFA 
success never happens. It will depend on your MFA solution. However, for 
instance, Duo won't send a failure, only a success. So you would want to watch 
for the trigger on Duo, but never seeing any success. That either means your 
users are having trouble with MFA, or an attacker has found the creds, but 
hasn't triggered MFA by blocking the MFA scripts from even running. If they 
have blocked the scripts, you won't even see anything in Duo or your MFA 
solution of choice.

On Tue, 2021-05-18 at 12:42 -0700, Jeremiah Garmatter wrote:
Thanks for the clarification guys,

Failure and rate throttling are better than nothing. I'll use them and maybe 
set up another script to alert me if strange behavior rolls in.

On Tuesday, May 18, 2021 at 2:24:20 PM UTC-4 richard.frovarp wrote:
Adding user won't catch a spray over different usernames. I just use rate 
throttling as well.

And yeah, if they go down to 1 per second, you'll never catch them with the 
throttle. You also won't catch them if they come at you with hundreds of IPs.

On Mon, 2021-05-17 at 16:40 +, Ray Bon wrote:
Jeremiah,

There is also throttling based on username and IP address, 
https://apereo.github.io/cas/6.3.x/installation/Configuring-Authentication-Throttling.html.
 I have not used this, just rate throttling.

Ray


On Mon, 2021-05-17 at 08:32 -0700, Jeremiah Garmatter wrote:

Hello,

I'm looking for a feature of CAS 6.3 that will allow me to lock or limit users 
after a few failed login attempts. I have tried the failure throttling module 
but find it confusing and not quite what I'm looking for.

The failure throttling module seems like it can only detect 2 auth failures if 
the second one comes in very quickly (fast enough to be caught by the defined 
threshold per secondRange rate). If someone slows down their authentication 
attempts so they occur once every second, they'll never be caught right? Also, 
3 failed attempts over 15 seconds has the same effect as 2 failed attempts over 
10 seconds, so if you only fail 2, you won't be allowed to try a third time.

Is there another feature that would let me define an actual amount of failed 
logins over a period of time instead of a rate?

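Both points in this thread can be scripted outside CAS against the audit trail: Richard's suggestion to watch for an MFA trigger that is never followed by an MFA success, and Jeremiah's wish for a count of failures over a period rather than a rate. The following is an added example, not code from CAS or from anyone on the thread. It parses the default CAS slf4j audit-log record layout (blocks of WHO / ACTION / WHEN / CLIENT IP ADDRESS lines separated by rows of `=`) and runs three checks over a constructed sample. The `MFA_TRIGGERED` and `MFA_SUCCESS` action names are placeholders; substitute the ACTION strings your CAS and MFA provider actually write.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed action names for the MFA step (not taken from the thread): replace with
# the ACTION strings your own CAS/Duo integration writes to the audit log.
MFA_TRIGGERED = "MFA_TRIGGERED"
MFA_SUCCESS = "MFA_SUCCESS"

RECORD_SEP = re.compile(r"^=+$", re.MULTILINE)
FIELD = re.compile(r"^([A-Z ]+): (.*)$")
WHEN_FORMAT = "%a %b %d %H:%M:%S %Z %Y"   # java.util.Date.toString(), as CAS logs WHEN


def parse_audit(text):
    """Split CAS audit-trail output into records: one dict per '====' delimited block,
    keyed by the upper-case field names (WHO, ACTION, WHEN, CLIENT IP ADDRESS, ...)."""
    records = []
    for block in RECORD_SEP.split(text):
        fields = {}
        for line in block.strip().splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "ACTION" in fields and "WHEN" in fields:
            fields["WHEN"] = datetime.strptime(fields["WHEN"], WHEN_FORMAT)
            records.append(fields)
    return sorted(records, key=lambda r: r["WHEN"])


def windowed_threshold(records, action, key, threshold, window_seconds):
    """Flag any value of `key` (WHO for one hammered account, CLIENT IP ADDRESS for a
    spray across many accounts from one address) that accumulates `threshold` records
    of `action` inside a sliding window of `window_seconds`. This counts attempts over
    a period rather than measuring a rate, so pacing attempts one per second does not
    evade it. It still cannot see a spray spread over hundreds of source addresses."""
    recent = defaultdict(deque)
    alerts = []
    for r in records:
        if r["ACTION"] != action:
            continue
        q = recent[r[key]]
        q.append(r["WHEN"])
        while (r["WHEN"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((r[key], r["WHEN"]))
            q.clear()   # one alert per burst
    return alerts


def mfa_triggered_without_success(records, grace_seconds):
    """Report users whose MFA step was triggered but never completed within
    `grace_seconds`: the provider may only ever report success, so the absence
    of a success after a trigger is the signal."""
    pending = {}
    for r in records:
        if r["ACTION"] == MFA_TRIGGERED:
            pending.setdefault(r["WHO"], r["WHEN"])
        elif r["ACTION"] == MFA_SUCCESS:
            pending.pop(r["WHO"], None)
    if not records:
        return []
    end = records[-1]["WHEN"]
    return [(who, t) for who, t in pending.items()
            if (end - t).total_seconds() >= grace_seconds]


def _record(who, action, when, ip):
    return ("=============================================================\n"
            f"WHO: {who}\n"
            f"WHAT: Supplied credentials: [UsernamePasswordCredential(username={who}, source=null)]\n"
            f"ACTION: {action}\nAPPLICATION: CAS\nWHEN: {when}\n"
            f"CLIENT IP ADDRESS: {ip}\nSERVER IP ADDRESS: 10.0.0.1\n")


# Constructed sample audit trail (not from the thread): alice is brute-forced slowly
# from one address, three accounts are sprayed from 198.51.100.7, eve's MFA prompt
# never completes, frank's does.
SAMPLE_AUDIT = "".join(_record(*e) for e in [
    ("alice", "AUTHENTICATION_FAILED", "Tue May 18 12:00:00 UTC 2021", "192.0.2.10"),
    ("alice", "AUTHENTICATION_FAILED", "Tue May 18 12:00:05 UTC 2021", "192.0.2.10"),
    ("alice", "AUTHENTICATION_FAILED", "Tue May 18 12:00:10 UTC 2021", "192.0.2.10"),
    ("bob",   "AUTHENTICATION_FAILED", "Tue May 18 12:01:00 UTC 2021", "198.51.100.7"),
    ("carol", "AUTHENTICATION_FAILED", "Tue May 18 12:01:30 UTC 2021", "198.51.100.7"),
    ("dave",  "AUTHENTICATION_FAILED", "Tue May 18 12:02:00 UTC 2021", "198.51.100.7"),
    ("eve",   "AUTHENTICATION_SUCCESS", "Tue May 18 12:05:00 UTC 2021", "203.0.113.9"),
    ("eve",   MFA_TRIGGERED, "Tue May 18 12:05:01 UTC 2021", "203.0.113.9"),
    ("frank", "AUTHENTICATION_SUCCESS", "Tue May 18 12:06:00 UTC 2021", "192.0.2.44"),
    ("frank", MFA_TRIGGERED, "Tue May 18 12:06:01 UTC 2021", "192.0.2.44"),
    ("frank", MFA_SUCCESS, "Tue May 18 12:06:20 UTC 2021", "192.0.2.44"),
]) + "=============================================================\n"

if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print("per-account:", windowed_threshold(recs, "AUTHENTICATION_FAILED", "WHO", 3, 60))
    print("per-address:", windowed_threshold(recs, "AUTHENTICATION_FAILED", "CLIENT IP ADDRESS", 3, 120))
    print("MFA never completed:", mfa_triggered_without_success(recs, 60))
```

Run against a real audit log by replacing `SAMPLE_AUDIT` with the file contents; the per-account check catches the slow single-user attack the built-in rate throttle misses, the per-address check catches a spray of many usernames from one source, and the MFA check catches the case Richard describes where credentials are known but the second factor is never attempted.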


Re: [cas-user] Failed Login Attempts

2021-05-18 Thread 'Richard Frovarp' via CAS Community
Adding user won't catch a spray over different usernames. I just use rate 
throttling as well.

And yeah, if they go down to 1 per second, you'll never catch them with the 
throttle. You also won't catch them if they come at you with hundreds of IPs.

On Mon, 2021-05-17 at 16:40 +, Ray Bon wrote:
Jeremiah,

There is also throttling based on username and IP address, 
https://apereo.github.io/cas/6.3.x/installation/Configuring-Authentication-Throttling.html.
 I have not used this, just rate throttling.

Ray


On Mon, 2021-05-17 at 08:32 -0700, Jeremiah Garmatter wrote:

Hello,

I'm looking for a feature of CAS 6.3 that will allow me to lock or limit users 
after a few failed login attempts. I have tried the failure throttling module 
but find it confusing and not quite what I'm looking for.

The failure throttling module seems like it can only detect 2 auth failures if 
the second one comes in very quickly (fast enough to be caught by the defined 
threshold per secondRange rate). If someone slows down their authentication 
attempts so they occur once every second, they'll never be caught right? Also, 
3 failed attempts over 15 seconds has the same effect as 2 failed attempts over 
10 seconds, so if you only fail 2, you won't be allowed to try a third time.

Is there another feature that would let me define an actual amount of failed 
logins over a period of time instead of a rate?



Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
If they have a public metadata file you can put the URL in the metadata 
configuration element instead of the static file. CAS will download and cache 
the metadata file on some sort of updating schedule ( I don't remember the 
specifics), but it will help ensure you have updated metadata.

On Mon, 2021-04-19 at 19:56 +, Keith Alston (Staff) wrote:
Scratch that. I needed an updated metadata file. Now I can authenticate and get 
forwarded to the sp. Then
I get an error there. I may not be registered in their system. Waiting on a 
response from them.

Thanks!!! This has been very helpful!

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421

From: cas-user@apereo.org  on behalf of Keith Alston 
(Staff) 
Sent: Monday, April 19, 2021 3:36 PM
To: cas-user@apereo.org 
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

Hmmm, metadata expired. So I changed the expire date in the metadata. Now I'm 
getting this:

RootCasException(code=UNSATISFIED_SAML_REQUEST)
at 
org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:226)

Progress!!! But still not quite there. Maybe I need to request a new metadata 
file.

from the log:
2021-04-19 15:23:52,554 DEBUG 
[org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
 - https://licensing.minitab.com].
 Metadata is valid until [forever]>2021-04-19 15:23:52,554 DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
 - 
2021-04-19 15:23:52,558 DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator]
 - 2021-04-19 15:23:52,561 
DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator]
 - 2021-04-19 15:23:52,570 DEBUG 
[org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - 
2021-04-19 15:23:52,570 DEBUG 
[org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - 2021-04-19 15:23:52,570 DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator]
 - 

...

2021-04-19 15:23:52,614 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - org.apereo.cas.support.saml.SamlException: 
Signing credentials for validation could not be resolved based on the provided 
signature

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421
____
From: 'Richard Frovarp' via CAS Community 
Sent: Monday, April 19, 2021 2:19 PM
To: cas-user@apereo.org 
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

You are probably going to need to take a look in the CAS logs. It seems that it 
should match, but the logs should tell you exactly what it is searching for. It 
will also tell you if there was an error loading the service file when it first 
tried to update it.

On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff) wrote:
I take that back. Zoom works and it does a post request.
saml-tracer shows this. Zoom works, minitab doesn't.

minitab 
request---
https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO%22
>
https://licensing.minitab.com

zoom 
request--
https://regent.zoom.us/saml/SSO%22
 
Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO%22
 ForceAuthn="false"
 ID="a3e6a45e921c2290-5af0f9c82h9cheh"
 IsPassive="false"
 IssueInstant="2021-04-19T17:15:37.720Z"
 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Version="2.0"
 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 >
regent.zoom.us

here are the service files for each:

zoom service file:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "regent.zoom.us",
  "name" : "regent.zoom.us",
  "id" : 1008,
  "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml",
  "evaluationOrder" : 6,
  "requiredNameIdFormat": 
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
"@class" : 
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "mail",
  }
}


minitab servic

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
You are probably going to need to take a look in the CAS logs. It seems that it 
should match, but the logs should tell you exactly what it is searching for. It 
will also tell you if there was an error loading the service file when it first 
tried to update it.

On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff) wrote:
I take that back. Zoom works and it does a post request.
saml-tracer shows this. Zoom works, minitab doesn't.

minitab 
request---
https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO;
>
https://licensing.minitab.com

zoom 
request--
https://regent.zoom.us/saml/SSO;
 
Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO;
 ForceAuthn="false"
 ID="a3e6a45e921c2290-5af0f9c82h9cheh"
 IsPassive="false"
 IssueInstant="2021-04-19T17:15:37.720Z"
 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Version="2.0"
 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 >
regent.zoom.us

here are the service files for each:

zoom service file:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "regent.zoom.us",
  "name" : "regent.zoom.us",
  "id" : 1008,
  "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml",
  "evaluationOrder" : 6,
  "requiredNameIdFormat": 
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
"@class" : 
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "mail",
  }
}


minitab service file:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://licensing.minitab.com",
  "name" : "minitab",
  "id" : 1617641399,
  "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml",
  "evaluationOrder" : 2,
  "requiredNameIdFormat": 
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
"@class" : 
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "emailAddress",
  },
  "attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
  "@class" : "java.util.TreeMap",
  "ExtensionAttribute1" : "Email",
  "givenname" : "FirstName",
  "sn" : "LastName"
}
  }
}




Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421

From: cas-user@apereo.org  on behalf of Keith Alston 
(Staff) 
Sent: Monday, April 19, 2021 1:00 PM
To: cas-user@apereo.org 
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

Looks like my post URL is:

https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO

I guess the get url has redirect in it??

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421

From: 'Richard Frovarp' via CAS Community 
Sent: Monday, April 19, 2021 12:49 PM
To: cas-user@apereo.org 
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

Since I saw someone create the URL by hand the other day, I'm going to ask the 
simple question: is the request hitting the HTTP-POST binding location? POST 
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).

I've never had to do anything different to handle the two different types of 
SPs on that version.

On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote:
It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET 
requests just fine.
But when I have an SP that does a SAML2 POST request my idp is not reading the 
parameters
and I get the "Application Not Authorized to Use CAS" message instead of the 
auth page. Difference being
parameters in the URI vs parameters in the POST body. Anyone have
any idea where I might look to resolve this issue? Are there certain parameters 
in the service definition
that I should be including? Something I'm missing in cas.properties? The audit 
log does not show POST
requests as SAML2_POST though SAML trace does show it as

Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
Since I saw someone create the URL by hand the other day, I'm going to ask the 
simple question: is the request hitting the HTTP-POST binding location? POST 
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).

I've never had to do anything different to handle the two different types of 
SPs on that version.

On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote:
It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET 
requests just fine.
But when I have an SP that does a SAML2 POST request my idp is not reading the 
parameters
and I get the "Application Not Authorized to Use CAS" message instead of the 
auth page. Difference being
parameters in the URI vs parameters in the POST body. Anyone have
any idea where I might look to resolve this issue? Are there certain parameters 
in the service definition
that I should be including? Something I'm missing in cas.properties? The audit 
log does not show POST
requests as SAML2_POST though SAML trace does show it as a SAML request. Any 
clue here would be
helpful. TIA!

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421



Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3

2021-04-12 Thread 'Richard Frovarp' via CAS Community
Or rather

serviceId : 

instead of the regex you have there.

On Mon, 2021-04-12 at 18:50 +, 'Richard Frovarp' via CAS Community wrote:
Don't do a regex for the serviceId for SAML2. Do the entityId instead.

On Mon, 2021-04-12 at 18:46 +, Keith Alston (Staff) wrote:

Any ideas on what might be going on here?
I get the "Application Not Authorized to Use CAS" page when redirected to CAS.

2021-04-12 14:21:32,474 WARN 
[org.apereo.cas.services.web.RegisteredServiceThemeResolver] - https://regent-team.myfreshworks.com/sp/SAML/269126576089314274/callback,
 
originalUrl=https://regent-team.myfreshworks.com/sp/SAML/26912657608931/callback,
 artifactId=null, principal=null, source=AssertionConsumerServiceURL, 
loggedOutAlready=true, format=XML, attributes={})] or access is denied. Using 
default theme [cas-theme-default]>


here's my service file:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^(https|http)://regent-team.myfresh*",
  "name" : "freshregistrar",
  "id" : 1608070210,
  "metadataLocation" : 
"https://regent-team.myfreshworks.com/sp/SAML/26912657608931/metadata",
  "evaluationOrder" : 17,
  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "attributeReleasePolicy" : {
@class : org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
allowedAttributes :  [ "java.util.ArrayList", [ 
"firstname","lastname","email","nameid","phone","mobile","title" ]]
  },
}




Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421



Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3

2021-04-12 Thread 'Richard Frovarp' via CAS Community
Don't do a regex for the serviceId for SAML2. Do the entityId instead.

On Mon, 2021-04-12 at 18:46 +, Keith Alston (Staff) wrote:

Any ideas on what might be going on here?
I get the "Application Not Authorized to Use CAS" page when redirected to CAS.

2021-04-12 14:21:32,474 WARN 
[org.apereo.cas.services.web.RegisteredServiceThemeResolver] - https://regent-team.myfreshworks.com/sp/SAML/269126576089314274/callback,
 
originalUrl=https://regent-team.myfreshworks.com/sp/SAML/26912657608931/callback,
 artifactId=null, principal=null, source=AssertionConsumerServiceURL, 
loggedOutAlready=true, format=XML, attributes={})] or access is denied. Using 
default theme [cas-theme-default]>


here's my service file:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^(https|http)://regent-team.myfresh*",
  "name" : "freshregistrar",
  "id" : 1608070210,
  "metadataLocation" : 
"https://regent-team.myfreshworks.com/sp/SAML/26912657608931/metadata",
  "evaluationOrder" : 17,
  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "attributeReleasePolicy" : {
@class : org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
allowedAttributes :  [ "java.util.ArrayList", [ 
"firstname","lastname","email","nameid","phone","mobile","title" ]]
  },
}




Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421



Re: [cas-user] CAS 5.2.9 Authenticating LDAP users outside baseDn

2021-03-31 Thread 'Richard Frovarp' via CAS Community
My guess is that the bind user is going to ignore the base DN as it happens 
before the search is done. As for the rest, it likely should follow the base 
DN. You may have something effectively double defined there that is causing it 
to work outside. I'm not sure what the dnFormat parameter does. You'll want to 
refer to the ldaptive documentation as to what those various values do:

http://www.ldaptive.org/v1/

Note that you'll want to list your DCs separately instead of just the one name 
to get failover. Also, you have subtree search on, so it will search in Users.

On Wed, 2021-03-31 at 12:51 -0700, Alcides Moraes wrote:

Hello group,

We have a working installation of CAS 5.2.9 authenticating against Active 
Directory.

However, we have noticed we are able to authenticate using credentials of a 
user outside the BaseDN, including the bind user. How can we fix this?
Below are my authn.ldap configuration entries:

ldap[0]:
baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
bindCredential: bindpassword
bindDn: bind
blockWaitTime: 5000
connectTimeout: 5000
dnFormat: '%s@domain3.domain2.domain1'
failFast: true
idleTime: 5000
ldapUrl: ldap://adserver
maxPoolSize: 10
minPoolSize: 3
principalAttributeId: sAMAccountName
principalAttributeList: 
sAMAccountName,displayName,givenName,mail,distinguishedName
prunePeriod: 5000
subtreeSearch: true
type: AD
useSsl: false
useStartTls: false
userFilter: (sAMAccountName={user})
validateOnCheckout: true
validatePeriod: 600
validatePeriodically: true



Re: [cas-user] CAS 6.3 + SAML

2021-03-22 Thread 'Richard Frovarp' via CAS Community
If I'm understanding you correctly, I've never done it that way.

You are saying that you have an attribute already setup called sAMAccountName 
right? And you want to release it to this system as domain\sAMAcountName as 
userID?

I've always done such a thing via Groovy attribute return with simple 
concatenation.
https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-Policies.html#inline-groovy-attributes

On Mon, 2021-03-22 at 09:04 -0700, Bartosz Nitkiewicz wrote:
This is of course not "patternFormat": "domail\\{0}", but "patternFormat": 
"domain\\{0}",

poniedziałek, 22 marca 2021 o 17:03:03 UTC+1 Bartosz Nitkiewicz napisał(a):
I'm still trying to use CAS as SAML authenticator for my service desk plus app. 
Username has to be in format: domain\user
I want use my LDAP sAMAccountName as user but I don't know how to prepare 
regexp to domain\sAMAccountName. I have read 
https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html and 
prepare attribute-defns.json

{
"@class" : "java.util.TreeMap",
"userID" : {
  "@class" : 
"org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
  "key" : "userID",
  "friendlyName" : "userID",
  "patternFormat": "domail\\{0}",
  "attribute" : "sAMAccountName"
}
}

I load it in my cas.properties
...
cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attribute-defns.json
...

Here is my SAML app JSON file.

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: fashdfk3289_duhfdsf
  name: serwis
  id: 1616411747419

  proxyTicketExpirationPolicy:
  {
@class: 
org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy:
  {
@class: 
org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 2
  attributeReleasePolicy:
  {
@class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
principalIdAttribute: userID
allowedAttributes:
[
  java.util.ArrayList
  [
userID
  ]
]
  }
  metadataLocation: 
file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml
  requiredNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  signAssertions: true
  signingCredentialType: X509
}

Can anyone tell me if I'm right.
piątek, 19 marca 2021 o 18:45:20 UTC+1 Bartosz Nitkiewicz napisał(a):
Ok, so 
https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html#pattern-formats
 would be ok.
How to setup CAS to pass desire attribute?

I have this in my app.json. Is it ok?
{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: MExxx_05efd170-38cd-4893-9631-6891575asa197
  name: serwis
  id: 1616175519923

  proxyTicketExpirationPolicy:
  {
@class: 
org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy:
  {
@class: 
org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 2
  usernameAttributeProvider:
  {
@class: 
org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
usernameAttribute: sAMAccountName

  }
  attributeReleasePolicy:
  {
@class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
excludeDefaultAttributes: true
authorizedToReleaseAuthenticationAttributes: false
  }
  metadataLocation: 
file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml
  requiredNameIdFormat: 
org.opensaml.saml.saml2.metadata.impl.NameIDFormatImpl@2afbaa5
  signAssertions: true
  signingCredentialType: X509
}
piątek, 19 marca 2021 o 16:30:44 UTC+1 Ray Bon napisał(a):
Bartosz,

See, https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html, 
for modifying attributes.

Ray

On Fri, 2021-03-19 at 01:47 -0700, Bartosz Nitkiewicz wrote:

One more thing. How to change LDAP user name from sAMAccountName to 
univ\sAMAccountName. Is it possible?

czwartek, 18 marca 2021 o 14:05:48 UTC+1 Bartosz Nitkiewicz napisał(a):
Thank You once again.
As you said, SAML profiles did the trick. It seems to work fine. Now I have to 
pass user name from my LDAP to SAML SP. First I need to figure out proper value 
for authorization.
Regards
BN


środa, 17 marca 2021 o 19:07:26 UTC+1 richard.frovarp napisał(a):
The IdP automatically generates metadata. And the correct endpoints are
listed on this page, including the metadata endpoint:

https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html

Usually with SAML you provide the SP with a copy of your metadata,
ideally loaded from the URL automatically. If you need to provide
separate URLs to the SP, you'll find the correct ones in the metadata
and/or using the paths from documentation.

On 

Re: [cas-user] CAS 6.3 + SAML

2021-03-17 Thread 'Richard Frovarp' via CAS Community
The IdP automatically generates metadata. And the correct endpoints are
listed on this page, including the metadata endpoint:

https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html

Usually with SAML you provide the SP with a copy of your metadata,
ideally loaded from the URL automatically. If you need to provide
separate URLs to the SP, you'll find the correct ones in the metadata
and/or using the paths from documentation.

On Wed, 2021-03-17 at 10:26 -0700, Bartosz Nitkiewicz wrote:
> Hi,
> Thanks for reply.
> What do you mean your IdP generated metadata? 
> 
> I did something like this as they recommended: 
> https://help.servicedeskplus.com/saml-authentication$configuration
> 
> As loginURL I've provided my https://myserver.org/cas/idp, I don't
> know if it is correct url?
> I'm wondering what is Assertion Consumer URL and where should I place
> it?
> 
> Also I've uploaded my certificate.
> 
> my cas.properties for SAML looks like this:
> 
> ## SAML2 ##
> 
> cas.authn.saml-idp.entity-id: ${cas.server.prefix}/idp
> cas.authn.saml-idp.metadata.location=file:/etc/cas/saml
> 
> and service registry for app:
> 
> {
>   @class: org.apereo.cas.support.saml.services.SamlRegisteredService
>   serviceId: MExx_6d2ea86d-b4e1-4473-8d4b-7a1378964e8b
>   name: serwisapp
>   id: 1615981648113
>   proxyTicketExpirationPolicy:
>   {
> @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
>   }
>   serviceTicketExpirationPolicy:
>   {
> @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
>   }
>   evaluationOrder: 2
>   attributeReleasePolicy:
>   {
> @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
> excludeDefaultAttributes: true
> authorizedToReleaseAuthenticationAttributes: false
>   }
>   metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml <- (this is correct as the cas-management app creates this directory)
>   requiredAuthenticationContextClass: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>   requiredNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>   nameIdQualifier: ""
>   signAssertions: true
>   signingCredentialType: X509
>   assertionAudiences: https://servicedeskplus.com/SamlResponseServlet
> }
> 
> Regards,
> BN
> 
> środa, 17 marca 2021 o 16:49:11 UTC+1 richard.frovarp napisał(a):
> > Did you provide the app your IdP generated metadata or provide the
> > SP with the information in a different method? As that's the wrong
> > end point for the SP to be sending you to:
> > 
> > https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
> > 
> > On Wed, 2021-03-17 at 06:21 -0700, Bartosz Nitkiewicz wrote:
> > > Hi,
> > > Another day another CAS problem :)
> > > I'm trying to authenticate servicedeskplus.com application
> > > through SAML protocol. 
> > > I've compiled in cas-server-support-saml-idp in my CAS app.
> > > Added service registry in CAS-Management app. I used xml file
> > > from servicedesk.
> > > 
> > > Everything seems to work but if I want to authenticate
> > > servicedesk it redirects me to this:
> > > 
> > > https://myserver.org/cas/idp?SAMLRequest=fZJfb5swFMWf10%2BBeDdgCCFYSaS02bRI7YaSbA97qRz70loCm%2FmadNunn01XtdWkvB6f3%2F1zrpfI%2B25gm9E96j38HAFddBX96juNbHpaxaPVzHBUyDTvAZkT7LC5u2V5krHBGmeE6eJ30GWGI4J1yugA7bar%2BO7j%2FYwLSSWn5NSWOZnRuiQLkUsyP0EhOM9o3s6D%2FTtY9OQq9oUmHHGEnUbHtfNillOSFYRWR1owmrGy%2BhFcjTVnJcF%2B8bOEds9k4wdRZy%2B0vEMIWrT16yvN3dTi0bkBWZo6LwqOySj%2BQKcVT8anPgE5JkOXej1VcvjXZIriWmmp9MPlDE7PJmSfj8eGNF8Px1Bi85LMjdE49mAPYM9KwLf97es43vKk8O0QBx%2F5HnDwEASiAxevr6IPy3ALNkVk1z7krIRW0iojxUJIMlvUBannBSXzRU3LquSc1tUyfQu9FBlYiG63bUynxO%2Fok7E9d5c3DIqSpJ2sbAh3QwfaxVE6lU3%2F%2F3jrvw%3D%3D
> > > 
> > > service.xml as attachment (without real cert)
> > > 
> > > Please help me.
> > > 
> > > 
> > > 

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4413c968149d8f873e74f136dad7da1c1b00fe75.camel%40ndsu.edu.


Re: [cas-user] CAS 6.3 + SAML

2021-03-17 Thread 'Richard Frovarp' via CAS Community
Did you provide the app your IdP generated metadata or provide the SP with the 
information in a different method? As that's the wrong end point for the SP to 
be sending you to:

https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html

On Wed, 2021-03-17 at 06:21 -0700, Bartosz Nitkiewicz wrote:
Hi,
Another day another CAS problem :)
I'm trying to authenticate servicedeskplus.com application through SAML 
protocol.

- I've compiled in cas-server-support-saml-idp in my CAS app.
- Added service registry in CAS-Management app. I used xml file from 
servicedesk.

Everything seems to work but if I want to authenticate servicedesk it redirects 
me to this:

https://myserver.org/cas/idp?SAMLRequest=fZJfb5swFMWf10%2BBeDdgCCFYSaS02bRI7YaSbA97qRz70loCm%2FmadNunn01XtdWkvB6f3%2F1zrpfI%2B25gm9E96j38HAFddBX96juNbHpaxaPVzHBUyDTvAZkT7LC5u2V5krHBGmeE6eJ30GWGI4J1yugA7bar%2BO7j%2FYwLSSWn5NSWOZnRuiQLkUsyP0EhOM9o3s6D%2FTtY9OQq9oUmHHGEnUbHtfNillOSFYRWR1owmrGy%2BhFcjTVnJcF%2B8bOEds9k4wdRZy%2B0vEMIWrT16yvN3dTi0bkBWZo6LwqOySj%2BQKcVT8anPgE5JkOXej1VcvjXZIriWmmp9MPlDE7PJmSfj8eGNF8Px1Bi85LMjdE49mAPYM9KwLf97es43vKk8O0QBx%2F5HnDwEASiAxevr6IPy3ALNkVk1z7krIRW0iojxUJIMlvUBannBSXzRU3LquSc1tUyfQu9FBlYiG63bUynxO%2Fok7E9d5c3DIqSpJ2sbAh3QwfaxVE6lU3%2F%2F3jrvw%3D%3D

service.xml as attachment (without real cert)

Please help me.



To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a8f38d28d9d2bcc62637f857eaad23100edc904.camel%40ndsu.edu.


Re: [cas-user] InCommon and NIH changes

2021-03-11 Thread 'Richard Frovarp' via CAS Community
I'm running my InCommon membership through Shibboleth, so I'm not looking for a 
CAS solution. However, here is what I know:

1) R&S is documented as you point out. If you are going to provide REFEDS R&S 
to REFEDS R&S SPs, you probably want to go into the InCommon Federation Manager 
and assert that you are an R&S IdP. I would also suggest you review your error 
URL, and see if you can be SIRTFI compliant, as those are baseline v2 
requirements. Separate from NIH, but while you are in there.

2) Parts of the NIH are also going to want assurance attributes based on the 
REFEDS Assurance profiles. Once you know which assurance values you can assert, 
they are just attributes that you return to the SP, like any other attribute.

3) MFA will come in the form of REFEDS MFA. I found this from a couple of 
months ago that looks promising given that Misagh wrote it: 
https://fawnoos.com/2020/12/07/cas63x-saml2-mfa-refeds-duo/

On Wed, 2021-03-10 at 15:19 -0800, Mike Osterman wrote:
For those that are using CAS SAML IdP as their InCommon IdP (we are almost 
there but haven't made the switch), there are some upcoming requirements 
(September 21, 2021) for users of electronic Research Administration (eRA): 
https://incommon.org/news/nih-application-to-require-multi-factor-authentication/

The REFEDS Research & Scholarship attributes support seems well-documented:
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Attribute-Release.html#refeds-research-and-scholarship

The thing that I can't find in the docs is how to express the referenced MFA 
Authentication Context:
https://refeds.org/profile/mfa

We've implemented Duo, so I'm guessing that flow would be where we would 
trigger this, but again, don't find in the docs how to trigger this or if it's 
even supported by CAS's SAML IdP.

I think I saw a couple names of frequent cas-user participants on the office 
hours webinar today, so I expect others are looking at this as well.

Thanks,
Mike



To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d1b141b9362d3bb665a031ed87bab1f94c1e57db.camel%40ndsu.edu.


Re: [cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread 'Richard Frovarp' via CAS Community
Here's what I figured out to get it done:

https://www.frovarp.dev/2021/03/10/cas-configuration-for-g-suite/

Everything I have in there assumes that CAS is already setup as a SAML 2 IdP, 
and that you have a slight idea as to how to configure a service for a SAML 2 
SP. It really is no different than any other SAML 2 SP. It's just that they 
don't make the values you need to know to setup the metadata known anywhere 
obvious.

Depending on what version you are on, the legacy method might be supported, but 
it will get in the way of normal SAML 2 IdP operations.

On Wed, 2021-03-10 at 14:54 -0800, Mike Osterman wrote:
Thanks, Richard!

On Wed, Mar 10, 2021 at 2:40 PM 'Richard Frovarp' via CAS Community 
<cas-user@apereo.org> wrote:
Get a test instance. It's pretty easy to do. Takes a little bit, but easy to 
do. You really only need one or two users in it to test anyway.

There is a previous post on this list on how to do it the new way. I have 
internal documentation that I can turn into external documentation tonight and 
post the link back here.

On Wed, 2021-03-10 at 13:58 -0800, Mike Osterman wrote:
We're looking to migrate from the now legacy (from a supported versions 
perspective) Google Apps Integration 
(https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html) 
to a generic SAML2 service configuration.

Our current service config is very sparse:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://www.google.com/a/.yyy/acs",
  "name" : "Google Apps",
  "id" : 123,
  "evaluationOrder" : 123
}

I'm wondering if someone's already made the switch to SAML2 
(org.apereo.cas.support.saml.services.SamlRegisteredService) and is willing to 
share a sample service configuration? We don't have a test instance of Google 
Apps, and I'm a little nervous about fiddling with our production service, 
especially given the sparseness of the 3rd party IdP config interface in Apps 
Admin and Google's habit of stating that changes in the admin may take up to XX 
hours.

Thank you,
Mike

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/72239eb0f457422aa3628bc16dfbb05b74620fa7.camel%40ndsu.edu.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8139aace723572273094f72afe700254b71ae5c2.camel%40ndsu.edu.


Re: [cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread 'Richard Frovarp' via CAS Community
Get a test instance. It's pretty easy to do. Takes a little bit, but easy to 
do. You really only need one or two users in it to test anyway.

There is a previous post on this list on how to do it the new way. I have 
internal documentation that I can turn into external documentation tonight and 
post the link back here.

On Wed, 2021-03-10 at 13:58 -0800, Mike Osterman wrote:
We're looking to migrate from the now legacy (from a supported versions 
perspective) Google Apps Integration 
(https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html) 
to a generic SAML2 service configuration.

Our current service config is very sparse:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://www.google.com/a/.yyy/acs",
  "name" : "Google Apps",
  "id" : 123,
  "evaluationOrder" : 123
}

I'm wondering if someone's already made the switch to SAML2 
(org.apereo.cas.support.saml.services.SamlRegisteredService) and is willing to 
share a sample service configuration? We don't have a test instance of Google 
Apps, and I'm a little nervous about fiddling with our production service, 
especially given the sparseness of the 3rd party IdP config interface in Apps 
Admin and Google's habit of stating that changes in the admin may take up to XX 
hours.

Thank you,
Mike

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/72239eb0f457422aa3628bc16dfbb05b74620fa7.camel%40ndsu.edu.


Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread 'Richard Frovarp' via CAS Community
https://apereo.github.io/cas/5.2.x/installation/Logout-Single-Signout.html


Usage Warning!
Single Logout is turned on by default.

Documentation states that it will trigger when the TGT is explicitly
expired, which I think means calling the logout end point.

On Fri, 2021-03-05 at 21:17 +, 'Richard Frovarp' via CAS Community
wrote:
> It's doing something with Single Logout. Turn it off / block it, or
> something:
> 
> https://community.canvaslms.com/t5/Integration-Documents/Configuring-CAS-and-Canvas-Authentication/ta-p/387390
> 
> Look at the end for "User is randomly logged out of Canvas"
> 
> On Fri, 2021-03-05 at 12:41 -0800, Mike Osterman wrote:
> > Hi Bill,
> > 
> > I was dealing with people getting logged out Canvas frequently, and
> > ended up changing a couple config properties. I had our CSM team
> > set the Canvas-side timeout really high, but it didn't work.
> > There's something unusual about the way the Canvas application
> > interacts with CAS protocol. I had checked for callbacks from the
> > Instructure servers, but it really does seem to be managing the
> > session after the initial SSO flow. By the way, do you use a
> > Discovery URL? That's when our session behavior seemed to change,
> > but it may just be correlation rather than causation.
> > 
> > I eventually set two properties and got it to behave as expected,
> > but never figured out which one did the trick:
> > 
> > cas.ticket.tgt.timeout.maxTimeToLiveInSeconds: 
> > https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#timeout
> > AND
> > server.session.timeout: 
> > https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#web-application-session
> > 
> > It sounds like you've found that it was the first one, so I wanted
> > to corroborate that for you. 
> > 
> > I just ended up setting these properties server-wide in
> > cas.properties, which isn't ideal, because you have a single
> > service dictating timeout behavior for all services using CAS.
> > 
> > I've also considered switching over to using CAS's SAML2 IdP
> > functionality for Canvas, but need to wait for an appropriate time
> > to make that change.
> > 
> > Finally, so as not to hijack the thread and keep the proxy ticket
> > service configuration comment from Ray alive, I think this is how
> > the service would be configured for it:
> > https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Proxy-Policy.html
> > 
> > I did look for server-side traffic from Canvas as Ray suggested,
> > but didn't find any as mentioned above. I just checked for an
> > iFrame, which would be client-side traffic, but didn't see anything
> > in the Network tab of developer tools.
> > 
> > -Mike
> > 
> > 
> > 
> > On Fri, Mar 5, 2021 at 12:01 PM Bill Scully 
> > wrote:
> > > Hi Ray,
> > > 
> > > > Another possibility, Canvas is using is a proxy ticket. 
> > > > Does your service definition allow proxying?
> > > > 
> > > 
> > > I would say, no.  It's pretty straightforward: 
> > > {
> > >   "@class" : "org.apereo.cas.services.RegexRegisteredService",
> > >   "serviceId" : "^https://[omitted]/.*",
> > >   "name" : "Canvas",
> > >   "id" : [omitted],
> > >   "evaluationOrder" : [omitted]
> > > }
> > > 
> > > I looked at what I think covers proxy ticketing (
> > > https://apereo.github.io/cas/5.2.x/installation/Configuring-Ticket-Expiration-Policy.html#proxy-ticket-policies
> > > ), but didn't see how to configure.
> > > 
> > > Any example I could try?
> > > 
> > > Thanks.
> > > 
> > > Bill
> > > To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/de81107e-2895-4ac6-8241-c0337a0ccfb6n%40apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/50e4df06c1aa010f75da95b65d0da9e5e8d73796.camel%40ndsu.edu.
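One way to act on the "turn Single Logout off for that service" suggestion in this thread, as an added example that is not from the thread or from the CAS project: a CAS 5.2.x JSON service definition for Canvas with the per-service logout type set to NONE, so CAS sends no logout callback to Canvas when the SSO session ends. The hostname is a placeholder, and the id and evaluationOrder values are arbitrary choices for the example.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://canvas\\.example\\.edu/.*",
  "name" : "Canvas",
  "id" : 1000,
  "evaluationOrder" : 10,
  "logoutType" : "NONE"
}
```

logoutType accepts NONE, BACK_CHANNEL and FRONT_CHANNEL; the global alternative is cas.slo.disabled=true in cas.properties, which stops SLO for every registered service rather than just this one. This only stops CAS from notifying Canvas; as Misagh notes elsewhere in the thread, if Canvas's own session limit is what ends the session, that has to be changed on the Canvas side, and the CAS logs will show no logout request being sent for this service.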


Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread 'Richard Frovarp' via CAS Community
It's doing something with Single Logout. Turn it off / block it, or something:

https://community.canvaslms.com/t5/Integration-Documents/Configuring-CAS-and-Canvas-Authentication/ta-p/387390

Look at the end for "User is randomly logged out of Canvas"

On Fri, 2021-03-05 at 12:41 -0800, Mike Osterman wrote:
Hi Bill,

I was dealing with people getting logged out Canvas frequently, and ended up 
changing a couple config properties. I had our CSM team set the Canvas-side 
timeout really high, but it didn't work. There's something unusual about the 
way the Canvas application interacts with CAS protocol. I had checked for 
callbacks from the Instructure servers, but it really does seem to be managing 
the session after the initial SSO flow. By the way, do you use a Discovery URL? 
That's when our session behavior seemed to change, but it may just be 
correlation rather than causation.

I eventually set two properties and got it to behave as expected, but never 
figured out which one did the trick:

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds: 
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#timeout
AND
server.session.timeout: 
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#web-application-session

It sounds like you've found that it was the first one, so I wanted to 
corroborate that for you.

I just ended up setting these properties server-wide in cas.properties, which 
isn't ideal, because you have a single service dictating timeout behavior for 
all services using CAS.

I've also considered switching over to using CAS's SAML2 IdP functionality for 
Canvas, but need to wait for an appropriate time to make that change.

Finally, so as not to hijack the thread and keep the proxy ticket service 
configuration comment from Ray alive, I think this is how the service would be 
configured for it:
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Proxy-Policy.html

I did look for server-side traffic from Canvas as Ray suggested, but didn't 
find any as mentioned above. I just checked for an iFrame, which would be 
client-side traffic, but didn't see anything in the Network tab of developer 
tools.

-Mike



On Fri, Mar 5, 2021 at 12:01 PM Bill Scully 
<fwscu...@gmail.com> wrote:
Hi Ray,

Another possibility, Canvas is using is a proxy ticket.
Does your service definition allow proxying?


I would say, no.  It's pretty straightforward:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://[omitted]/.*",
  "name" : "Canvas",
  "id" : [omitted],
  "evaluationOrder" : [omitted]
}

I looked at what I think covers proxy ticketing 
(https://apereo.github.io/cas/5.2.x/installation/Configuring-Ticket-Expiration-Policy.html#proxy-ticket-policies),
 but didn't see how to configure.

Any example I could try?

Thanks.

Bill

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/de81107e-2895-4ac6-8241-c0337a0ccfb6n%40apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1d907f2351205b366137f746965de4aece69943c.camel%40ndsu.edu.


Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread 'Richard Frovarp' via CAS Community

On Fri, 2021-03-05 at 11:20 -0800, Bill Scully wrote:
Does single logout trigger upon CAS session expiration? I would expect
not, but maybe there's a setting to flip that? Or maybe something else
is triggering single logout at two hours, and that is triggering
Canvas?

According to Instructure Support and my experience, yes.  Whatever I set to 
cas.ticket.tgt.timeToKillInSeconds is how long the Canvas session lasts.  If I 
set it to 8 hours, the Canvas session lasts 8 hours.

Then disable single logout on Canvas? I don't use single logout, but there 
should be a variety of ways of doing so, even if it involves providing bogus 
URLs that don't work to systems that insist on them.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9fdeb754000525662fc5ccb6b155dd6d8914f850.camel%40ndsu.edu.


Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread 'Richard Frovarp' via CAS Community
Does single logout trigger upon CAS session expiration? I would expect
not, but maybe there's a setting to flip that? Or maybe something else
is triggering single logout at two hours, and that is triggering
Canvas? 

On Fri, 2021-03-05 at 22:49 +0400, Misagh wrote:
> > Instructure's Canvas (LMS) oddly links session timeouts to CAS'
> > Ticket Expiration Policy.  So, as I understand it, with the default
> > Ticket Expiration Policy of 2 hours, Canvas sessions are
> > automatically logging out users because Instructure chose to tie
> > their Canvas-user session limits to CAS tickets.  I had to increase
> > the value in cas.properties to the following in order for the
> > Canvas session to remain open for 4 hours:
> > cas.ticket.tgt.timeToKillInSeconds=14400
> 
> Sure, but this has nothing to do with the Canvas session; they are
> still logging people out after 2 hours, etc. There is no way they can
> tell what the CAS SSO session is, and this information is not
> available anywhere to an app. So by "tied it", I think you mean that
> they hardcoded "2 hours" in their config because that's what they
> believe CAS would do by default for the idle timeout.
> 
> What is really happening is, they log the user out after 2 hours;
> then
> at session loss, Canvas redirects the user back to CAS, and CAS has a
> longer SSO session, so the user is not prompted for credentials and
> goes right back into canvas.
> 
> > Interestingly, none of our other SSO-enabled applications work this
> > way, i.e., tickets may expire, but users remains logged in.
> 
> That makes sense; applications manage their own session, and while
> you
> may have lost SSO, the application has no need to re-auth the user
> because it has a longer session expiration policy. When it does, and
> there is no SSO, they get asked for credentials again.
> 
> > After working with Support, they suggested I considered modifying
> > this Per Service (
> > https://apereo.github.io/cas/6.3.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service
> > , "The expiration policy of ticket granting tickets can be
> > conditionally decided on a per-application basis."
> 
> I assume you mean Canvas support; That is not correct. It will have
> no
> effect on this issue. CAS will not and cannot manage the application
> session. If you want the application to not log users out after X
> number of hours, ask and modify the application to not log users out
> after X number of hours :)
> 
> > Is there a workaround for 5.2.x where I can just increase this
> > value for Canvas, I assume in services:
> 
> Not without custom code, lots of it, leading to hair loss and
> possibly
> covid. To control the application session timeout, you should modify
> the application. CAS has no control over what happens inside the
> application.
> 
> The only "workaround" is what you have done; to increase the sso
> session expiration time to accommodate canvas, at the expense of
> affecting the relationship between the global SSO session and all
> other applications. As I said, canvas will continue to log users out;
> users might lose data, etc. The difference is, they won't be asked to
> reauth by CAS because you increased the global sso session timeout.
> 
> You might have read this already:
> https://apereo.github.io/cas/6.3.x/installation/Logout-Single-Signout.html#sso-session-vs-application-session
> 

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/56c0266b93b9daf2d0e6a5e141af161dfa983302.camel%40ndsu.edu.


Re: [cas-user] Unable to get UID attribute in client side

2021-02-16 Thread 'Richard Frovarp' via CAS Community
I don't remember the fine specifics of the logs well enough to know. It's 
possible that both are at fault? Make sure you are listing attributes to lookup 
in your ldap attribute repository configuration. If they aren't there, that'll 
be problem one. The other thing is that by default the CAS 2 protocol doesn't 
do attribute return. You need to use CAS 3 protocol to get attribute return. It 
was an extension for CAS 2 protocol, but I don't think the IdP is going to 
follow that extension at CAS 6.2, but I may be wrong. The CAS 3 protocol 
validation URL should be able to be used to get the attributes back, which is 
typically at the /p3/serviceValidate path.

On Tue, 2021-02-16 at 13:25 -0800, Morning Star wrote:
Hi Team,

CAS server - 6.2.3
CAS client - 3.6.2

We are not getting the UID attribute on the client side. We use the CAS 2 protocol, i.e. 
Cas20ProxyReceivingTicketValidationFilter.

Upon redirection, we are getting the ticket value (ticket=) in the URL and after 
successful ticket validation we get a 302 HTTP status code. Up to this point, it is 
working as expected.

But we are not getting UID attribute in client side.

My JSON file :
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https://cx.example.com.*)",
  "name" : "web",
  "description" : "Allows HTTP(S) and IMAP(S) protocols",
  "id" : 1001,
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "uid"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "email", "CN" ] ]
  }
}

DEBUG LOG:
2021-02-16 12:57:51 [DEBUG] 
org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – 
Initiating attributes release phase for principal [a...@test.com] accessing 
service 
[AbstractWebApplicationService(id=https://bexfept021.int.mgc.com:1/exx/cp?id=12345,
 originalUrl=https:// bexfept021  .int.mgc.com:1/exx/cp?id=12345, 
artifactId=null, principal=a...@test.com, source=service, 
loggedOutAlready=false, format=XML, attributes={})] defined by registered 
service [^(https:// cx.example.*)]...
2021-02-16 12:57:51 [DEBUG] 
org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – 
Using principal attribute repository [DefaultPrincipalAttributesRepository()] 
to retrieve attributes
2021-02-16 12:57:51 [WARN] 
org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher  
– No person records were fetched from attribute repositories for 
[{principal=a...@test.com, userStatus=[ACTIVE], tryCount=[0:1613505872733], 
username=a...@test.com}]
2021-02-16 12:57:51 [DEBUG] 
org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – 
Found principal attributes [{userStatus=[ACTIVE], tryCount=[0:1613505872733]}] 
for [a...@test.com]
2021-02-16 12:57:51 [DEBUG] 
org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – 
Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] 
for [a...@test.com]
2021-02-16 12:57:51 [DEBUG] 
org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – 
Default attributes for release are: [[]]

Tried adding these entries also:
cas.authn.ldap[0].principal-attribute-list=uid,mail,cn
cas.authn.attribute-repository.default-attributes-to-release=uid,mail,cn
It doesn't help.

Am I doing something wrong here? The CAS2 protocol releases UID, right?
Kindly help me with some syntax :-(
At least I want to know whether the issue is from the server side or the client side.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9d59de0656a8d8b43ece90c9768a27723140e40.camel%40ndsu.edu.
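To make the CAS 2 versus CAS 3 protocol point in this thread concrete, here is an added example in Python (not from the thread or from the CAS project) that parses the XML a client receives from /serviceValidate and from /p3/serviceValidate. The three responses are constructed samples in the serviceResponse shape the CAS protocol specifies: a CAS 2.0 success carries only cas:user, a CAS 3.0 success adds a cas:attributes block, and a failure carries cas:authenticationFailure. The user name, attribute names and ticket id in the samples are invented for the example.

```python
"""Added example: what a CAS client sees from /serviceValidate (CAS 2.0)
versus /p3/serviceValidate (CAS 3.0). The responses below are constructed
samples following the CAS protocol's serviceResponse shape."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: a CAS 2.0 validation success. There is no attribute
# block, even when the service definition allows attributes to be released.
CAS2_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the same validation via /p3/serviceValidate (CAS 3.0),
# which carries released attributes; multi-valued attributes repeat the tag.
CAS3_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:uid>jdoe</cas:uid>
      <cas:email>jdoe@example.edu</cas:email>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>faculty</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a validation failure (ticket already consumed, wrong
# service, or expired). The client must treat this as not authenticated.
CAS_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """Raised when the CAS server reports a failure or an unexpected body."""


def parse_service_response(xml_text):
    """Return (user, attributes) from a serviceResponse document.

    attributes maps each released attribute name to a list of values, so a
    CAS 2.0 success yields an empty dict and a CAS 3.0 success yields the
    contents of <cas:attributes>. Failures raise CasValidationError.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("no authenticationSuccess or authenticationFailure element")
    user = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
    if not user:
        raise CasValidationError("authenticationSuccess without cas:user")
    attributes = {}
    block = success.find("cas:attributes", CAS_NS)
    if block is not None:
        for child in block:
            name = child.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes


def released_values(xml_text, attribute):
    """Values of one attribute the server actually released, or None when the
    response carried no such attribute (the symptom reported in the thread)."""
    _, attributes = parse_service_response(xml_text)
    return attributes.get(attribute)


if __name__ == "__main__":
    for label, body in (("CAS 2.0", CAS2_SUCCESS), ("CAS 3.0", CAS3_SUCCESS)):
        user, attrs = parse_service_response(body)
        print(f"{label}: user={user} uid={attrs.get('uid')} attributes={sorted(attrs)}")
```

Running the script shows the uid only arriving through the CAS 3.0 response; a client wired to /serviceValidate will never see it no matter how the attribute release policy is written. With the Java client, that is the difference between Cas20ProxyReceivingTicketValidationFilter and Cas30ProxyReceivingTicketValidationFilter. The server-side half of the problem is separate: the WARN line in the debug log above says no person records were fetched from the attribute repository, so even /p3/serviceValidate would return an empty cas:attributes block until the LDAP attribute repository is configured to look up uid.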


Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread 'Richard Frovarp' via CAS Community
In particular, I would either be looking at

https://apereo.github.io/cas/6.3.x/services/Configuring-Service-Access-Strategy.html

Or
https://github.com/apereo/mod_auth_cas
Require cas-attribute :

The first page you referenced is nearly a decade old, and brings an LDAP 
dependency into your HTTPD configuration. I'm guessing you can't anonymous bind 
to LDAP from HTTPD.


On Fri, 2021-02-12 at 15:10 +, 'Richard Frovarp' via CAS Community wrote:
I wouldn't mix the two methods. There's probably a way to make that work, but 
that's an HTTPD question, not a CAS question. You can have CAS authenticate 
against LDAP from the CAS IdP. That can either then return the list of 
attributes to have mod_auth_cas filter on. Or you can have the IdP do filtering 
on its side, depending on your needs.

On Thu, 2021-02-11 at 18:38 -0800, KC Pullen wrote:
Hello,

I'm currently using CAS to protect web directories on Linux Centos7 and Apache 
2.4.6.

I'd like to use LDAP to grant authorization to select groups.

The following is a list the sites/blogs that I'm using for reference:
- https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
- https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
- 
https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas

Now, for "valid-user", there is no problem at all, but if I try to use LDAP and 
a filter, I'm getting the "Unauthorized" message.

Below is a snippet from my conf file:




AuthName "Test password protection for  directory"
AuthType CAS
AuthLDAPURL 
"ldaps://mysite.edu:636/cn=Users,dc=mysite,dc=edu?email?sub?(objectClass=*)<http://mysite.edu:636/cn=Users,dc=nl,dc=edu?email?sub?(objectClass=*)>"
 Require ldap-filter &(email=test...@mysite.edu<https://groups.google.com/>)
# Require valid-user



Would anyone be able to take a look and provide a suggestion or two ?  Maybe 
share a link to a blog or web-page..?

Thank you kindly,

KP

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/79820f4a6a14b974fa03730a95270732e45e6f1c.camel%40ndsu.edu.


Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread 'Richard Frovarp' via CAS Community
I wouldn't mix the two methods. There's probably a way to make that work, but 
that's an HTTPD question, not a CAS question. You can have CAS authenticate 
against LDAP from the CAS IdP. That can either then return the list of 
attributes to have mod_auth_cas filter on. Or you can have the IdP do filtering 
on its side, depending on your needs.

On Thu, 2021-02-11 at 18:38 -0800, KC Pullen wrote:
Hello,

I'm currently using CAS to protect web directories on Linux Centos7 and Apache 
2.4.6.

I'd like to use LDAP to grant authorization to select groups.

The following is a list the sites/blogs that I'm using for reference:
- https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
- https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
- 
https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas

Now, for "valid-user", there is no problem at all, but if I try to use LDAP and 
a filter, I'm getting the "Unauthorized" message.

Below is a snippet from my conf file:




AuthName "Test password protection for  directory"
AuthType CAS
AuthLDAPURL 
"ldaps://mysite.edu:636/cn=Users,dc=mysite,dc=edu?email?sub?(objectClass=*)"
 Require ldap-filter &(email=test...@mysite.edu)
# Require valid-user



Would anyone be able to take a look and provide a suggestion or two ?  Maybe 
share a link to a blog or web-page..?

Thank you kindly,

KP

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b73b5c47db40d3b46dc859b8c176761f45625b7f.camel%40ndsu.edu.
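
Richard's suggestion above, applied: the Apache side keeps a single AuthType (CAS), and the authorization decision is made on attributes that the CAS server releases in the service-ticket validation response, not by a second lookup through mod_authnz_ldap. In mod_auth_cas that is the "Require cas-attribute name:value" directive. The script below is an added example, not code from this thread, from CAS or from mod_auth_cas: it writes a constructed CAS protocol 3.0 /p3/serviceValidate response (the user, mail address and group DNs are sample data) and applies such a rule to it, so you can see exactly what the module has to work with. It assumes the CAS server has been configured to release those attributes (mail, memberOf) to the service; an attribute that is not released cannot authorize anyone, and a validation failure must never authorize.

```sh
#!/bin/sh
# Added example: evaluate a mod_auth_cas-style "attribute:value" rule against
# a CAS 3.0 serviceValidate response. Not part of the thread or of mod_auth_cas.

# Write a constructed /p3/serviceValidate success response to file $1.
# User, mail and group DNs are sample data for this demo.
sample_response() {
  cat > "$1" <<'EOF'
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@mysite.edu</cas:mail>
      <cas:memberOf>cn=staff,ou=groups,dc=mysite,dc=edu</cas:memberOf>
      <cas:memberOf>cn=web-admins,ou=groups,dc=mysite,dc=edu</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
EOF
}

# Print every value of attribute $1 found in response file $2, one per line.
# Assumes one <cas:NAME>value</cas:NAME> element per line, which is how CAS
# renders the attributes block; a real XML parser is the robust alternative.
cas_attr_values() {
  sed -n "s|^[[:space:]]*<cas:$1>\(.*\)</cas:$1>[[:space:]]*\$|\1|p" "$2"
}

# Apply a rule of the form "attribute:value" (the value may itself contain
# colons, as a DN can) to response file $2. Exit status 0 means authorized.
cas_require_attribute() {
  attr=${1%%:*}
  want=${1#*:}
  # A failed validation carries no attributes and must never authorize.
  grep -q '<cas:authenticationSuccess>' "$2" || return 1
  cas_attr_values "$attr" "$2" | grep -qxF -- "$want"
}

# Stand-alone demo: one rule that matches a group, one that does not, one on mail.
resp=$(mktemp)
sample_response "$resp"
for rule in \
    'memberOf:cn=staff,ou=groups,dc=mysite,dc=edu' \
    'memberOf:cn=students,ou=groups,dc=mysite,dc=edu' \
    'mail:jdoe@mysite.edu'; do
  if cas_require_attribute "$rule" "$resp"; then
    echo "allow  $rule"
  else
    echo "deny   $rule"
  fi
done
rm -f "$resp"
```

The first and third rules are allowed, the second is denied. The point for the httpd config is that the group check costs no LDAP bind from the web server at all: CAS already did the directory work, and the web server only needs to trust what CAS asserted for that service.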


Re: [EXTERNAL SENDER] Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-02-05 Thread 'Richard Frovarp' via CAS Community
It's hard for me to remember where I first came across the "Always use 
UnboundID" rule to ldaptive. Don't remember if it was CAS, Shibboleth, or my 
own direct use of ldaptive.

Under v1 docs, there is a very prominent note about Java 9
http://www.ldaptive.org/v1/

Provider info:
http://www.ldaptive.org/v1/docs/guide/providers.html

which is pretty sparse on the always use UnboundID bit.

On Thu, 2021-02-04 at 15:45 -1000, Baron Fujimoto wrote:
Thank you very much! The UnboundID workaround appears to solve the problem so I 
don't need to further pursue trying to substitute a newer version of the 
Ldaptive library. I wasn't able to find any documentation on the 
UnboundIDProvider though (what does it do specifically, and where would I have 
found that requisite dependency). Did I miss that somewhere? Now I can focus on 
upgrading to a current version of CAS.

On Fri, Jan 29, 2021 at 5:20 AM 'Richard Frovarp' via CAS Community 
<cas-user@apereo.org> wrote:
Sorry, you don't need it in 5.3 as that one is default. So I didn't see that in 
my dependencies. You'll need the ldaptive dependency for that. You'll want to 
match version to the other ldaptive version you have. 1.2 appears to bring in 
the unboundid dependency:

https://search.maven.org/artifact/org.ldaptive/ldaptive-unboundid/1.2.0/jar


<dependency>
  <groupId>org.ldaptive</groupId>
  <artifactId>ldaptive-unboundid</artifactId>
  <version>1.2.0</version>
</dependency>




On Fri, 2021-01-29 at 13:21 +, King, Robert wrote:
I’m not certain as to the 5.0 version, but to use the UnboundIDProvider in 6.x 
you need to add :

compile "com.unboundid:unboundid-ldapsdk:4.0.9"

to the Gradle build dependencies.  I would assume it would be the same for 
Maven.

From: cas-user@apereo.org On Behalf Of Baron Fujimoto
Sent: Thursday, January 28, 2021 11:41 PM
To: CAS Community <cas-user@apereo.org>
Subject: [EXTERNAL SENDER] Re: [cas-user] CAS 5.0.x newer ldaptive?

Since the approach of trying to use an updated ldaptive library was rapidly 
getting complicated, I tried the suggested UnboundIDProvider[*] with the 
following in my cas.properties:

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

But CAS throws this exception on startup:

ERROR [org.apereo.cas.configuration.support.Beans] - 

java.lang.ClassNotFoundException: 
org.ldaptive.provider.unboundid.UnboundIDProvider

So perhaps I'm missing some other prerequisite? I don't see other mention or 
discussion of it in the docs though.

[*] I can't seem to find a 5.0.x version of 
/Configuration-Properties-Common.html#ldap-connection-settings but this 
property is also listed in the 5.0.x properties 
<https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html>

On Thu, Jan 28, 2021 at 11:18 AM 'Richard Frovarp' via CAS Community 
<cas-user@apereo.org> wrote:
You have to do overlay exclusions. Which for me looks like. Obviously close the 
XML out as appropriate. I have further build plugins.




<plugin>
  <artifactId>maven-war-plugin</artifactId>
  <version>2.6</version>
  <configuration>
    <failOnMissingWebXml>false</failOnMissingWebXml>
    <recompressZippedFiles>false</recompressZippedFiles>
    <archive>
      <compress>false</compress>
      <manifestFile>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF</manifestFile>
    </archive>
    <overlays>
      <overlay>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <excludes>
          <exclude>WEB-INF/classes/application*.properties</exclude>
          <exclude>WEB-INF/lib/spring*.jar</exclude>
          <exclude>WEB-INF/lib/log4j*.jar</exclude>
        </excludes>
      </overlay>
    </overlays>
    <warName>cas</warName>
  </configuration>
</plugin>




But that isn't going to help you to put ldaptive in there. If you look at the 
pom for ldaptive 2.0, they are calling for Java 11. Guessing they are using 
something that is JDK 11 specific. Maybe you can rebuild with 8 and it will 
work, I don't know.

I would go with the easier solution of giving the UnboundID provider a try. 
https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#ldap-connection-settings
 Bypass the JDK code altogether.

On Thu, 2021-01-28 at 10:56 -1000, Baron Fujimoto wrote:
Hmm, the older ldaptive-1.2.0.jar and ldaptive-beans-1.2.0.jar don't appear in 
the packages dependency tree, I'm not sure how I would exclude them from the 
build. If I manually delete them from the resulting cas.war file, then when I 
start CAS, I encounter the following error/exception:

ERROR [org.springframework.boot.SpringApplication] - 
java.lang.UnsupportedClassVersionError: org/ldaptive/ConnectionFactory has been 
compiled by a more recent version of the Java Runtime (class file version 
55.0), this version of the Java Runtime only recognizes class file versions up 
to 52.0 (unable to load class [org.ldaptive.ConnectionFactory])

If my google-fu is right, this suggests that the newer ldaptive jar files 
included via the overlay pom.xml were compiled with Java 11 rather than the 
Java 8 we are using. If I wanted to continue down this path, I suppose that 
means I would need to compile the newer ldaptive jars myself from source using 
our installed Java 8? And if successful, then manually place them in the 
resulting cas.war file? Or is there an easier way?

On Thu, Jan 28, 2021 at 7:46 AM Ray Bon <r...@uvic.ca> 
wrote:
B

Re: [EXTERNAL SENDER] Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-29 Thread 'Richard Frovarp' via CAS Community
Sorry, you don't need it in 5.3 as that one is default. So I didn't see that in 
my dependencies. You'll need the ldaptive dependency for that. You'll want to 
match version to the other ldaptive version you have. 1.2 appears to bring in 
the unboundid dependency:

https://search.maven.org/artifact/org.ldaptive/ldaptive-unboundid/1.2.0/jar


<dependency>
  <groupId>org.ldaptive</groupId>
  <artifactId>ldaptive-unboundid</artifactId>
  <version>1.2.0</version>
</dependency>




On Fri, 2021-01-29 at 13:21 +, King, Robert wrote:
I’m not certain as to the 5.0 version, but to use the UnboundIDProvider in 6.x 
you need to add :

compile "com.unboundid:unboundid-ldapsdk:4.0.9"

to the Gradle build dependencies.  I would assume it would be the same for 
Maven.

From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Thursday, January 28, 2021 11:41 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] Re: [cas-user] CAS 5.0.x newer ldaptive?

Since the approach of trying to use an updated ldaptive library was rapidly 
getting complicated, I tried the suggested UnboundIDProvider[*] with the 
following in my cas.properties:

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

But CAS throws this exception on startup:

ERROR [org.apereo.cas.configuration.support.Beans] - 

java.lang.ClassNotFoundException: 
org.ldaptive.provider.unboundid.UnboundIDProvider

So perhaps I'm missing some other prerequisite? I don't see other mention or 
discussion of it in the docs though.

[*] I can't seem to find a 5.0.x version of 
/Configuration-Properties-Common.html#ldap-connection-settings but this 
property is also listed in the 5.0.x properties 
<https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html>

On Thu, Jan 28, 2021 at 11:18 AM 'Richard Frovarp' via CAS Community 
<cas-user@apereo.org> wrote:
You have to do overlay exclusions. Which for me looks like. Obviously close the 
XML out as appropriate. I have further build plugins.




<plugin>
  <artifactId>maven-war-plugin</artifactId>
  <version>2.6</version>
  <configuration>
    <failOnMissingWebXml>false</failOnMissingWebXml>
    <recompressZippedFiles>false</recompressZippedFiles>
    <archive>
      <compress>false</compress>
      <manifestFile>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF</manifestFile>
    </archive>
    <overlays>
      <overlay>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <excludes>
          <exclude>WEB-INF/classes/application*.properties</exclude>
          <exclude>WEB-INF/lib/spring*.jar</exclude>
          <exclude>WEB-INF/lib/log4j*.jar</exclude>
        </excludes>
      </overlay>
    </overlays>
    <warName>cas</warName>
  </configuration>
</plugin>




But that isn't going to help you to put ldaptive in there. If you look at the 
pom for ldaptive 2.0, they are calling for Java 11. Guessing they are using 
something that is JDK 11 specific. Maybe you can rebuild with 8 and it will 
work, I don't know.

I would go with the easier solution of giving the UnboundID provider a try. 
https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#ldap-connection-settings
 Bypass the JDK code altogether.

On Thu, 2021-01-28 at 10:56 -1000, Baron Fujimoto wrote:
Hmm, the older ldaptive-1.2.0.jar and ldaptive-beans-1.2.0.jar don't appear in 
the packages dependency tree, I'm not sure how I would exclude them from the 
build. If I manually delete them from the resulting cas.war file, then when I 
start CAS, I encounter the following error/exception:

ERROR [org.springframework.boot.SpringApplication] - 
java.lang.UnsupportedClassVersionError: org/ldaptive/ConnectionFactory has been 
compiled by a more recent version of the Java Runtime (class file version 
55.0), this version of the Java Runtime only recognizes class file versions up 
to 52.0 (unable to load class [org.ldaptive.ConnectionFactory])

If my google-fu is right, this suggests that the newer ldaptive jar files 
included via the overlay pom.xml were compiled with Java 11 rather than the 
Java 8 we are using. If I wanted to continue down this path, I suppose that 
means I would need to compile the newer ldaptive jars myself from source using 
our installed Java 8? And if successful, then manually place them in the 
resulting cas.war file? Or is there an easier way?

On Thu, Jan 28, 2021 at 7:46 AM Ray Bon <r...@uvic.ca> 
wrote:
Baron,

Check what packages are included in the build with:
mvn dependency:tree

You can exclude transitive dependencies for the old library.
But, the overlay, itself, may include an old version of the library, which 
means that you would have to manually remove the old one from the war. Maybe 
the exclude can be applied to the overlay too???

Ray

On Wed, 2021-01-27 at 15:06 -1000, Baron Fujimoto wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

I'm working with Oracle to troubleshoot a bug we've encountered with their JDK 
(1.8u231+) and LDAP errors. According to their analysis, they're claiming that 
the problem lies with the ldaptive library being used by this old (I know) 
version of CAS. More specifically that the subsequent JDKs adhere to spec, and 
the ldaptive library appears to be testing for unspecified behaviour. They are 
recommending I try a newer version of the ldaptive library which does not 
appear to have the same code.

I added the following to our pom.xml:

 

Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-28 Thread 'Richard Frovarp' via CAS Community
I'm guessing that it just doesn't exist anymore. Browsing from

https://repo.spring.io/snapshot/

They don't have anything for Duo that is obvious. It was a SNAPSHOT dependency, 
and thus shouldn't have been used in anything released. I see in my pom:


<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-duo</artifactId>
  <version>${cas.version}</version>
  <exclusions>
    <exclusion>
      <artifactId>duo_client_java</artifactId>
      <groupId>com.github.duosecurity</groupId>
    </exclusion>
  </exclusions>
</dependency>
  


Which removes the snapshot one.

I have


<dependency>
  <groupId>com.duosecurity</groupId>
  <artifactId>duo-client</artifactId>
  <version>0.2.1</version>
</dependency>


However, 0.2.1 isn't in central. I think I grabbed it from their GitHub, 
compiled, and put it in my own Maven repo. They do have 0.3.0 in Maven Central. 
No idea if it is compatible or not.

Their source is here:

https://github.com/duosecurity/duo_client_java

But obviously they can't be trusted to tag their releases. The only tag they 
have is 0.2.2, despite the fact they have 0.3.0 in Central. So you probably 
need to get git version from them, build, and reference locally. mvn install on 
a local project will stick it in your local .m2 cache dir, making it available 
as a dependency.

On Thu, 2021-01-28 at 11:19 -1000, Baron Fujimoto wrote:
[Forking this thread to separate the ldaptive and maven repo issues]

Per that spring-io advisory, it says, "The /snapshot, /milestone, and /release 
repositories will remain available, but please fetch our releases from a 
central repository". The only reference I see in our pom.xml to spring-io is:


<repositories>
  …
  <repository>
    <id>spring-milestones</id>
    <url>https://repo.spring.io/milestone</url>
  </repository>
</repositories>



Would updating or supplementing with something else resolve these errors? 
Unfortunately, my experience with maven and these build strategies is pretty 
limited to what I've used to successfully build CAS in the past. I'll happily 
RTFM if someone could kindly point me to the appropriate FM that would explain 
this or how to pursue the other suggested strategies.


On Thu, Jan 28, 2021 at 2:39 AM Jeffrey Miller 
<jeffrey.mil...@usuhs.edu> wrote:

For the Duo dependency, spring updated their use for artifacts in their repo 
and now libs-release (and probably libs-snapshot) is no longer available 
publicly

https://spring.io/blog/2020/10/29/notice-of-permissions-changes-to-repo-spring-io-fall-and-winter-2020

On Wednesday, January 27, 2021 at 8:52:32 PM UTC-5 richard.frovarp wrote:
For the Duo jar, you should put them in your own local repo? Or maybe the cache 
dir? I know that by default it feels like you have to hunt through a variety 
of external repos to find that dependency. I run a local Nexus install for us 
so I only have to hunt down once.

For the LDAP problems, I think on the Shib list they say don't use the JNDI 
LDAP connector, in particular with JDK 11. But even then, I don't think the 1.8 
JNDI provider is that great. So, you may be able to move over to the UnboundID 
provider and have better success? To determine what version is being used, I 
would recommend looking at what is in your resulting build artifact. I'm 
building to a war, and therefore the place for me to look to see what is being 
placed in the war file. So if the file is present in the lib dir where you are 
running it, it might be using. I don't remember if there is an authoritative 
way the JRE loads libs or not. I generally assume that if there are two in the 
classpath, it is going to randomly load out of one of them. It's probably 
deterministic in some way, but if you have to ask about load order, you're 
probably in a space you don't want to be in.

I know that with overlays I've had trouble getting the version I want to be the 
only one. I don't think the normal Maven rules for dependency versions fully 
apply for overlays. You're best off putting excludes in to ensure the version 
you don't want is excluded.

You can also exclude out of the overlay, and I see that I'm doing that. I just 
don't remember why I'm doing that. I have spring and log4j in those excludes. 
I'm excluding Duo out of a normal dependency section. I have a different GAV 
bringing that dependency in.

We're using the UnboundID provider.

From: cas-...@apereo.org  on behalf of Baron Fujimoto 

Sent: Wednesday, January 27, 2021 19:06
To: CAS Users 
Subject: [cas-user] CAS 5.0.x newer ldaptive?

I'm working with Oracle to troubleshoot a bug we've encountered with their JDK 
(1.8u231+) and LDAP errors. According to their analysis, they're claiming that 
the problem lies with the ldaptive library being used by this old (I know) 
version of CAS. More specifically that the subsequent JDKs adhere to spec, and 
the ldaptive library appears to be testing for unspecified behaviour. They are 
recommending I try a newer version of the ldaptive library which does not 
appear to have the same code.

I added the following to our pom.xml:


<dependency>
  <groupId>org.ldaptive</groupId>
  <artifactId>ldaptive</artifactId>
  <version>2.0.1</version>
</dependency>


When I ran "mvn clean package" I 

Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-28 Thread 'Richard Frovarp' via CAS Community
You have to do overlay exclusions. Which for me looks like. Obviously close the 
XML out as appropriate. I have further build plugins.




<plugin>
  <artifactId>maven-war-plugin</artifactId>
  <version>2.6</version>
  <configuration>
    <failOnMissingWebXml>false</failOnMissingWebXml>
    <recompressZippedFiles>false</recompressZippedFiles>
    <archive>
      <compress>false</compress>
      <manifestFile>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF</manifestFile>
    </archive>
    <overlays>
      <overlay>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <excludes>
          <exclude>WEB-INF/classes/application*.properties</exclude>
          <exclude>WEB-INF/lib/spring*.jar</exclude>
          <exclude>WEB-INF/lib/log4j*.jar</exclude>
        </excludes>
      </overlay>
    </overlays>
    <warName>cas</warName>
  </configuration>
</plugin>




But that isn't going to help you to put ldaptive in there. If you look at the 
pom for ldaptive 2.0, they are calling for Java 11. Guessing they are using 
something that is JDK 11 specific. Maybe you can rebuild with 8 and it will 
work, I don't know.

I would go with the easier solution of giving the UnboundID provider a try. 
https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#ldap-connection-settings
 Bypass the JDK code altogether.

On Thu, 2021-01-28 at 10:56 -1000, Baron Fujimoto wrote:
Hmm, the older ldaptive-1.2.0.jar and ldaptive-beans-1.2.0.jar don't appear in 
the packages dependency tree, I'm not sure how I would exclude them from the 
build. If I manually delete them from the resulting cas.war file, then when I 
start CAS, I encounter the following error/exception:

ERROR [org.springframework.boot.SpringApplication] - 
java.lang.UnsupportedClassVersionError: org/ldaptive/ConnectionFactory has been 
compiled by a more recent version of the Java Runtime (class file version 
55.0), this version of the Java Runtime only recognizes class file versions up 
to 52.0 (unable to load class [org.ldaptive.ConnectionFactory])

If my google-fu is right, this suggests that the newer ldaptive jar files 
included via the overlay pom.xml were compiled with Java 11 rather than the 
Java 8 we are using. If I wanted to continue down this path, I suppose that 
means I would need to compile the newer ldaptive jars myself from source using 
our installed Java 8? And if successful, then manually place them in the 
resulting cas.war file? Or is there an easier way?

On Thu, Jan 28, 2021 at 7:46 AM Ray Bon <r...@uvic.ca> 
wrote:
Baron,

Check what packages are included in the build with:
mvn dependency:tree

You can exclude transitive dependencies for the old library.
But, the overlay, itself, may include an old version of the library, which 
means that you would have to manually remove the old one from the war. Maybe 
the exclude can be applied to the overlay too???

Ray

On Wed, 2021-01-27 at 15:06 -1000, Baron Fujimoto wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

I'm working with Oracle to troubleshoot a bug we've encountered with their JDK 
(1.8u231+) and LDAP errors. According to their analysis, they're claiming that 
the problem lies with the ldaptive library being used by this old (I know) 
version of CAS. More specifically that the subsequent JDKs adhere to spec, and 
the ldaptive library appears to be testing for unspecified behaviour. They are 
recommending I try a newer version of the ldaptive library which does not 
appear to have the same code.

I added the following to our pom.xml:


<dependency>
  <groupId>org.ldaptive</groupId>
  <artifactId>ldaptive</artifactId>
  <version>2.0.1</version>
</dependency>


When I ran "mvn clean package" I think it looked like it was including the 
2.0.1 version of ldaptive in the build. However, it seems like I'm still seeing 
LDAP problems. When I try to login, it will often result in the errors such as 
the following being logged:

2021-01-27 12:10:56,974 DEBUG 
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 
2021-01-27 12:10:56,986 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2021-01-27 12:10:56,989 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


Eventually the validation succeeds, then so does the authentication.

How can I verify which version of ldaptive is being used by CAS? I don't think 
I saw anything indicating this in the logs. If I search for ldaptive in my 
overlay work directory I find the following:

=
$ grep -ilr ldaptive .
./target/cas.war
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/classes/log4j2.xml
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/person-directory-impl-1.8.4.jar
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/ldaptive-1.2.0.jar
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/ldaptive-beans-1.2.0.jar
./target/cas/WEB-INF/classes/log4j2.xml
./target/cas/WEB-INF/lib/person-directory-impl-1.8.4.jar
./target/cas/WEB-INF/lib/ldaptive-1.2.0.jar
./target/cas/WEB-INF/lib/ldaptive-beans-1.2.0.jar
./target/cas/WEB-INF/lib/ldaptive-beans-2.0.1.jar
./target/cas/WEB-INF/lib/ldaptive-2.0.1.jar
./pom.xml
./etc/cas/config/log4j2.xml
=

I see an ldaptive-2.0.1.jar and ldaptive-beans-2.0.1.jar, but also 
ldaptive-1.2.0.jar and ldaptive-beans-1.2.0.jar. The 1.2.0 versions are always 
present after the build even if I delete them first, so something 

Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-27 Thread 'Richard Frovarp' via CAS Community
For the Duo jar, you should put them in your own local repo? Or maybe the cache 
dir? I know that by default it feels like you have to hunt through a  variety 
of external repos to find that dependency. I run a local Nexus install for us 
so I only have to hunt down once.

For the LDAP problems, I think on the Shib list they say don't use the JNDI 
LDAP connector, in particular with JDK 11. But even then, I don't think the 1.8 
JNDI provider is that great. So, you may be able to move over to the UnboundID 
provider and have better success? To determine what version is being used, I 
would recommend looking at what is in your resulting build artifact. I'm 
building to a war, and therefore the place for me to look to see what is being 
placed in the war file. So if the file is present in the lib dir where you are 
running it, it might be using. I don't remember if there is an authoritative 
way the JRE loads libs or not. I generally assume that if there are two in the 
classpath, it is going to randomly load out of one of them. It's probably 
deterministic in some way, but if you have to ask about load order, you're 
probably in a space you don't want to be in.

I know that with overlays I've had trouble getting the version I want to be the 
only one. I don't think the normal Maven rules for dependency versions fully 
apply for overlays. You're best off putting excludes in to ensure the version 
you don't want is excluded.

You can also exclude out of the overlay, and I see that I'm doing that. I just 
don't remember why I'm doing that. I have spring and log4j in those excludes. 
I'm excluding Duo out of a normal dependency section. I have a different GAV 
bringing that dependency in.

We're using the UnboundID provider.

From: cas-user@apereo.org  on behalf of Baron Fujimoto 

Sent: Wednesday, January 27, 2021 19:06
To: CAS Users 
Subject: [cas-user] CAS 5.0.x newer ldaptive?

I'm working with Oracle to troubleshoot a bug we've encountered with their JDK 
(1.8u231+) and LDAP errors. According to their analysis, they're claiming that 
the problem lies with the ldaptive library being used by this old (I know) 
version of CAS. More specifically that the subsequent JDKs adhere to spec, and 
the ldaptive library appears to be testing for unspecified behaviour. They are 
recommending I try a newer version of the ldaptive library which does not 
appear to have the same code.

I added the following to our pom.xml:


<dependency>
  <groupId>org.ldaptive</groupId>
  <artifactId>ldaptive</artifactId>
  <version>2.0.1</version>
</dependency>


When I ran "mvn clean package" I think it looked like it was including the 
2.0.1 version of ldaptive in the build. However, it seems like I'm still seeing 
LDAP problems. When I try to login, it will often result in the errors such as 
the following being logged:

2021-01-27 12:10:56,974 DEBUG 
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 
2021-01-27 12:10:56,986 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2021-01-27 12:10:56,989 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


Eventually the validation succeeds, then so does the authentication.

How can I verify which version of ldaptive is being used by CAS? I don't think 
I saw anything indicating this in the logs. If I search for ldaptive in my 
overlay work directory I find the following:

=
$ grep -ilr ldaptive .
./target/cas.war
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/classes/log4j2.xml
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/person-directory-impl-1.8.4.jar
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/ldaptive-1.2.0.jar
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/ldaptive-beans-1.2.0.jar
./target/cas/WEB-INF/classes/log4j2.xml
./target/cas/WEB-INF/lib/person-directory-impl-1.8.4.jar
./target/cas/WEB-INF/lib/ldaptive-1.2.0.jar
./target/cas/WEB-INF/lib/ldaptive-beans-1.2.0.jar
./target/cas/WEB-INF/lib/ldaptive-beans-2.0.1.jar
./target/cas/WEB-INF/lib/ldaptive-2.0.1.jar
./pom.xml
./etc/cas/config/log4j2.xml
=

I see an ldaptive-2.0.1.jar and ldaptive-beans-2.0.1.jar, but also 
ldaptive-1.2.0.jar and ldaptive-beans-1.2.0.jar. The 1.2.0 versions are always 
present after the build even if I delete them first, so something must be 
re-including them. How can I ensure that the new ldaptive is used in place of 
the old one?

Unrelated, but I'm also seeing the following errors in the build now that 
weren't present when I originally built this long ago:

Downloading: 
https://repo.spring.io/libs-snapshot/com/github/duosecurity/duo_client_java/-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata 
com.github.duosecurity:duo_client_java:-SNAPSHOT/maven-metadata.xml from/to 
spring-libs-snapshots (https://repo.spring.io/libs-snapshot): Not authorized , 
ReasonPhrase:Unauthorized.
[WARNING] Failure to transfer 
com.github.duosecurity:duo_client_java:-SNAPSHOT/maven-metadata.xml from 

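Two of the questions in this thread are answered by inspecting the build output rather than the logs: which of two ldaptive versions ended up in WEB-INF/lib (Richard's "look at what is in your resulting build artifact"), and whether a jar was compiled for a newer JVM than the one CAS runs on (the "class file version 55.0 ... only recognizes ... up to 52.0" error above is exactly Java 11 bytecode on a Java 8 runtime). The script below is an added example, not from the thread, from CAS or from Maven. It assumes Maven's artifactId-version.jar naming, which the grep listing above follows, and the demo at the bottom builds a constructed lib directory (placeholder jars named after that listing, plus a hand-made class header) so it runs without a CAS build; point the functions at target/cas/WEB-INF/lib for the real thing.

```sh
#!/bin/sh
# Added example: audit a CAS overlay's WEB-INF/lib for duplicate artifact
# versions and for bytecode newer than the target JVM. Not from the thread.

# Artifact names that occur more than once (in different versions) in dir $1.
# Assumes Maven's artifactId-version.jar naming; prints one name per line.
duplicate_artifacts() {
  for jar in "$1"/*.jar; do
    [ -e "$jar" ] || continue
    basename "$jar"
  done | sed -n 's|^\(.*\)-\([0-9].*\)\.jar$|\1|p' | sort | uniq -d
}

# Major class-file version of one .class file: big-endian bytes 6-7, right
# after the 0xCAFEBABE magic and the minor version. 52 = Java 8, 55 = Java 11.
class_major_version() {
  od -An -tu1 -j6 -N2 "$1" | awk '{ print $1 * 256 + $2 }'
}

# Highest class-file major version found in jar $1 (needs unzip). Classes under
# META-INF/versions/ are skipped: a multi-release jar keeps those for newer
# JVMs and they do not stop the jar loading on an older one.
jar_major_version() {
  tmp=$(mktemp -d)
  max=0
  unzip -qq -o "$1" '*.class' -x 'META-INF/versions/*' -d "$tmp" 2>/dev/null || true
  for c in $(find "$tmp" -name '*.class'); do
    v=$(class_major_version "$c")
    [ "$v" -gt "$max" ] && max=$v
  done
  rm -rf "$tmp"
  echo "$max"
}

# Report jars in lib dir $1 whose bytecode exceeds target major version $2.
too_new_jars() {
  for jar in "$1"/*.jar; do
    [ -e "$jar" ] || continue
    v=$(jar_major_version "$jar")
    [ "$v" -gt "$2" ] && echo "$(basename "$jar") needs class version $v (target $2)"
  done
  return 0
}

# Stand-alone demo on a constructed lib directory: jar names copied from the
# grep listing in the thread (empty placeholders), plus a fake Java 11 class.
lib=$(mktemp -d)
for j in ldaptive-1.2.0 ldaptive-2.0.1 ldaptive-beans-1.2.0 ldaptive-beans-2.0.1 \
         person-directory-impl-1.8.4; do : > "$lib/$j.jar"; done
echo "artifacts present in two versions:"
duplicate_artifacts "$lib"
printf '\312\376\272\276\000\000\000\067' > "$lib/Java11.class"
echo "Java11.class major version: $(class_major_version "$lib/Java11.class")"
rm -rf "$lib"
```

On the sample directory the duplicate check prints ldaptive and ldaptive-beans, which is the conflict the thread hit, and the class header reads back as 55. Against a real build run duplicate_artifacts target/cas/WEB-INF/lib and too_new_jars target/cas/WEB-INF/lib 52 before deploying on Java 8; an empty result from both is the state the overlay excludes are meant to produce.
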
Re: [cas-user] 3.5.2 Oracle DB compatibility

2021-01-22 Thread 'Richard Frovarp' via CAS Community
Maybe? That version was released nearly 7 years ago and isn't supported. I 
would suggest moving to CAS 6.3.

On Thu, 2021-01-21 at 17:05 -0800, Kylie L wrote:
Will CAS 3.5.2 work with an Oracle 19c  or 18c database?

Thanks

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/998c64c4b2f978e086232b8ffc008797b4f870ab.camel%40ndsu.edu.


Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-22 Thread 'Richard Frovarp' via CAS Community
So you want to turn CAS into a SAML 2 SP? You'll need to follow this
documentation:

https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html

On Thu, 2021-01-21 at 17:09 -0800, Yan Zhou wrote:
> Hi, 
> 
> Try to implement this:  people logged into their app (that does not
> use CAS),  they click a link in their webapp, that triggers a POST to
> CAS /login endpoint, with SAML Assertion in POST body. My CAS
> implementation will detect the payload and then follow a different
> route of validating SAML, etc. (the CAS login page does not show up,
> instead, we are validating SAML Assertion).   I thought the non-
> interactive type of login also comes in through the /login endpoint.
> Because we still want it to go through service validation, TGT/ST
> generation, etc., so it has to go through CAS login flow.  
> 
> But we noticed that such POST made by another Webapp on /cas endpoint
> fails in FF and Chrome, it works in IE. 
> 
> CAS 5.3.x runs on Tomcat, the access logs shows 403, but I donot see
> anything in CAS or Tomcat logs (after turn on DEBUG).  My guess is
> there is some kind of CSRF type of protection in CAS preventing such
> post? I placed "executionKey" in the form post, made no difference,
> still 403. 
> 
> How would such non-interactive flow work?   If CAS indeed has
> something prevent such POST, why does IE work and what that is?
> 
> Thanks,
> Yan
> 
> On Thursday, January 21, 2021 at 7:09:35 PM UTC-5 richard.frovarp
> wrote:
> > Why are you trying to POST to the login URL? It looks like this
> > isn't 
> > the POST from the login page? What do the CAS logs say? 
> > 
> > On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote: 
> > > Hello, 
> > > 
> > > i am using CAS 5.3.X, but I think the same would apply to CAS4
> > or 
> > > CA5. 
> > > 
> > >  > > action="https://.MyCASEndPoint,,>/cas/login"> 
> > >  
> > > 
> > > In browser, when I submit this form, I get 403, 
> > > 
> > > But, when I use PostMan, it returns CAS login page. 
> > > 
> > > I do not understand why in browser (FF and Chrome), I am getting
> > 403, 
> > > is that because of CSRF? I tried to put in "execution" as hidden 
> > > value, but that did not help). 
> > > 
> > > Why does Postman return a different result as Chrome/FF? 
> > > 
> > > Thanks, 
> > > Yan 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b96028c548f64cb999893535a69aff01b7b5aa0d.camel%40ndsu.edu.


Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-21 Thread 'Richard Frovarp' via CAS Community
Why are you trying to POST to the login URL? It looks like this isn't
the POST from the login page? What do the CAS logs say?

On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> Hello, 
> 
> i am using CAS 5.3.X, but I think the same would apply to CAS4 or
> CA5.
> 
>  action="https://.MyCASEndPoint,,>/cas/login">
> 
> 
> In browser, when I submit this form, I get 403,  
> 
> But, when I use PostMan, it returns CAS login page. 
> 
> I do not understand why in browser (FF and Chrome), I am getting 403,
> is that because of CSRF?  I tried to put in "execution" as hidden
> value, but that did not help). 
> 
> Why does Postman return a different result as Chrome/FF?
> 
> Thanks,
> Yan

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a9b6ed50da22a5cb6f82aa376e8354039519e6b.camel%40ndsu.edu.


Re: [cas-user] Managing Services with JPA (SQL)

2020-12-04 Thread 'Richard Frovarp' via CAS Community
I believe that it is serialized Java classes. So it's binary data. You
don't change it without an external service. I guess you could find the
code that does it and write your own service. But you won't be doing it
via direct DB manipulation.

On Fri, 2020-12-04 at 09:48 +, Francisco Castel-Branco wrote:
> Hi everyone,
> 
> I can't figure out how I can determine accessStrategies and stuff
> through the JPA service manager in version 6.2(.4). I have all the
> automatically generated tables, but I can't seem to understand what
> goes into the LONGBLOB columns.
> 
> How can I modify these parameters with or without an external
> service?
> 
> Thanks
> -- 
> Francisco Castel-Branco

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/442bb51d526b78a62dfe179245cf5956c1e46ad5.camel%40ndsu.edu.


Re: [cas-user] cas Java installation

2020-12-03 Thread 'Richard Frovarp' via CAS Community
You would normally use it with your favorite security library in Java.
Common ones include Apache Shiro, Pac4J, and Spring Security. From
there use the library specific instructions for bringing in the CAS
client library.

On Thu, 2020-12-03 at 13:23 +0530, rohini bansode wrote:
> If you have some links and information about the Java CAS client or any
> discussion that happened before, you can send me the discussion blog.
> 
> thanks and regards
> 
> On Thu, Dec 3, 2020 at 9:57 AM rohini bansode wrote:
> > Hello, 
> > 
> > What is the flow of the CAS Java installation and its steps? 
> > Exactly what is the working environment of the Java CAS client?
> > 
> > Thanks & Regards
> > To view this discussion on the web visit 
> > https://groups.google.com/a/apereo.org/d/msgid/cas-user/8ca6a9a7-66f5-477a-9416-8f835ed92f11n%40apereo.org
> > .

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3842e9fa07a378562728aed2c83c9bf6155f291e.camel%40ndsu.edu.


Re: [cas-user] Wrong user authenticated

2020-10-08 Thread 'Richard Frovarp' via CAS Community
Probably not? That sounds like code that is being hit somewhere that isn't 
thread safe. The built in LDAP code to CAS should be just fine with that 
respect. Assuming you're using a well supported LDAP server that wouldn't have 
thread issues? I don't know how an HTTP proxy would impact this. I guess the 
question is, do you have any custom code anywhere in the network or login flow?

On Thu, 2020-10-08 at 14:59 -0300, Danilo Mendes wrote:
My server is hosted on a vmware4 server and I've followed a lead about entropy 
and noted that /dev/random doesn't play well with VMs.

Do any of you think it could be related?

--
Danilo Mendes


On Tue, Oct 6, 2020 at 11:06 AM Danilo Mendes <djmen...@gmail.com> wrote:
Hello,

I have a 6.1.7.1 installation authenticating gsuite apps against an LDAP 
directory. It's configured using the standalone profile.

Most of the time it works OK, but sometimes when two users try to 
authenticate at the same time it sends wrong responses and User A opens User B's 
account.

Can you help me debug? Or point me in a direction I can follow?

Thank you.



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c03472f2-56d5-4357-9af6-94f4f045728fn%40apereo.org.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/92192eff7187568875d6f6e91a2d5072a6de937b.camel%40ndsu.edu.


Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2020-09-23 Thread 'Richard Frovarp' via CAS Community
The cert you were using under the old integration likely doesn't match your 
SAML cert. You would need to upload your new SAML cert to Google. And yeah, you 
want to remove the old bits of the old method, in particular the jars 
associated with it as it fires before the generic SAML can.

On Tue, 2020-09-22 at 23:15 -0400, Doug Campbell wrote:
Responding a little to my own question.  I don’t have it fully figured out yet 
but I did find a significant issue.  I had left my service file for the old 
Google Apps SAML integration method in my services directory and I think this 
was intercepting things.  I’m not getting the same error as before but when I 
authenticated I got back a page from Google indicating that no such account 
existed.  I’m going to try again and see what I can find perhaps see if I can 
turn of the debugging.

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Doug C
Sent: Tuesday, September 22, 2020 12:12 AM
To: CAS Community 
Subject: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Most 
everything has gone smoothly but I am having trouble with setting up CAS to be 
my G Suite third-party Idp.  Previously I had been using the Google Apps 
Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the page 
for that 
(https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
now indicates that it is deprecated and that I should consider using the SAML2 
identity provider functionality to handle this.  I have tried to piece together 
information in the documentation and in other folks' questions in the cas-user 
forum but I seem to be missing something.  This is likely due to my lack of 
familiarity with SAML.

I would appreciate any help or direction on getting this working.

This is what I have done so far.

Note: I have replaced the references to my G Suite primary domain with 
example.com for this posting.

I created a services file (etc/cas/services/GSuite-1003.json) with the 
following content:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 1003,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}


I also created an sp-metadata.xml file using 
https://www.samltool.com/sp_metadata.php with the following contents:





urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
https://www.google.com/a/example.com/acs"
 index="1" />





I also included the following dependency in the CAS overlay:

implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"


In G Suite Admin Console "Set up single sign-on (SSO) with a third party IdP" I:
1. Checked the box for "Set up SSO with third-party identity provider"
2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"
3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out page URL"
4. Checked "Use a domain specific identifier"
5. Uploaded the previous x.509 certificate that I had used when using the 
previous method.


At the moment, when I attempt to load a Google service I am redirected back to 
my CAS server but I receive the following error message:

Error: No metadata resolvers could be configured for service SAMLService with 
metadata location /etc/cas/saml/sp-metadata.xml


I am guessing that this is something to do with my sp-metadata.xml file missing 
something but I am at a loss as to what I need to do.

Any help appreciated.  Thanks!

Doug

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org.


Re: [cas-user] Google SSO

2020-09-08 Thread 'Richard Frovarp' via CAS Community
Yes. The one caveat is that you would need to enable the "Use a domain 
specific" issuer on prod otherwise it will spit it out with generic values, 
which doesn't have onu.edu in it. I don't remember what the generic values are. 
When we upgraded CAS, I logged in to click that button to swap prod over.

On Mon, 2020-09-07 at 13:05 -0700, Jeremiah Garmatter wrote:
Richard,

I'd like to verify something with you about production deployment.

When I am ready to deploy my CAS instance to my organization, I will need to 
change the google metadata and service entry. So I should change the service 
entry from:
"serviceId" : "google.com/a/gsuitetest.onu.edu" to "serviceId" : 
"google.com/a/onu.edu" ?

and the metadata from:
entityID="google.com/a/gsuitetest.onu.edu" and 
Location="https://www.google.com/a/gsuitetest.onu.edu/acs"
to
entityID="google.com/a/onu.edu" and
Location="https://www.google.com/a/onu.edu/acs"

Does that all seem correct? I'd really like to verify as this is one of the 
most used services on campus.

On Monday, August 17, 2020 at 2:17:54 PM UTC-4 Jeremiah Garmatter wrote:
You were right on the first guess,

Google was logging the user out, however, since CAS never properly saw the 
logout, it could not destroy / invalidate the ticket. It turns out something 
was entered incorrectly on Google's side. Once I changed the logout URL to the 
/cas/logout endpoint, without typos, I was able to successfully logout from 
both CAS and Google mail.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
-j-gar...@onu.edu

On Mon, Aug 17, 2020 at 11:52 AM Richard Frovarp  wrote:
I haven't chased down logout operation. You're going to need to look, but I'm 
guessing that they are getting logged out on the Google side, but an SSO 
session is still active in the IdP? Or is it after logout it isn't doing a 
logout on Google side?

On Mon, 2020-08-17 at 08:29 -0700, Jeremiah Garmatter wrote:
Richard,

I've got one more question for you.
First, I'd like to say that all of the sign-in procedure worked perfectly, so 
thank you for that.

The only problem I have now is with the logout URL on Google. Before we could 
set up the SSO, we had to enter a logout URL for Google to use. At first, I 
tried the /idp/profile/SAML2/Redirect/SLO endpoint, but after the redirect, I 
get a 500 internal error stating " Error: No SAMLRequest or SAMLResponse query 
path parameter, invalid SAML 2 HTTP Redirect message " as I am redirected to 
https://X/cas/idp/profile/SAML2/Redirect/SLO. I then realized that, despite 
being a SAML2 provider, when attempting to access my gsuitetest gmail account, 
I was redirected to https://X/cas/login?service=. This 
led me to believe that I could use the /cas/logout endpoint as the logout URL 
(https://XX/cas/logout). I was greeted with the "logout successful" page, 
but when I open a new tab to access my gsuitetest email, I was not prompted to 
enter my credentials, I could access my emails as if the cookie was still in 
use.

I was wondering if you knew how to properly sign a google user out of their 
email with the logout URL field on Google?

On Friday, August 14, 2020 at 12:10:39 PM UTC-4 Jeremiah Garmatter wrote:
Sweet, thanks for all this Richard, you've saved me a lot of headache.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
-j-gar...@onu.edu

On Fri, Aug 14, 2020 at 12:06 PM Richard Frovarp  wrote:
I think that's controlled by the metadata, and my notes below say 1.1 
unspecified.

On Fri, 2020-08-14 at 12:03 -0400, Jeremiah Garmatter wrote:
Ah, I see now. I should have mentioned that, in our case, the username is being 
sent to google as well, just through that attribute. When you set up google's 
single sign on, did google's side inform you of the namespace they are 
expecting usernames to come in as?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
-j-gar...@onu.edu


On Fri, Aug 14, 2020 at 10:24 AM Richard Frovarp  wrote:
Yeah, you'll need to treat it like any other SAML2 service, including using the 
SamlRegisteredService configuration. Not entirely sure about attribute release. 
In our case, releasing the default username is all we need to make it work. But 
it should be like any other SAML2 service.

The difference is they used to have a helper that simplified the SAML2 bits for 
this service. That has been deprecated, and it actively interferes with other 
SAML2 services. Hence the change.

On Fri, 2020-08-14 at 05:54 -0700, Jeremiah Garmatter wrote:
Richard,

Thank you for the advice on this. We have started the creation process of our 
gsuitetest subdomain. While waiting for Google to verify ownership, I'd like to 

Re: [cas-user] Google SSO

2020-08-17 Thread Richard Frovarp
I haven't chased down logout operation. You're going to need to look, but I'm 
guessing that they are getting logged out on the Google side, but an SSO 
session is still active in the IdP? Or is it after logout it isn't doing a 
logout on Google side?

On Mon, 2020-08-17 at 08:29 -0700, Jeremiah Garmatter wrote:
Richard,

I've got one more question for you.
First, I'd like to say that all of the sign-in procedure worked perfectly, so 
thank you for that.

The only problem I have now is with the logout URL on Google. Before we could 
set up the SSO, we had to enter a logout URL for Google to use. At first, I 
tried the /idp/profile/SAML2/Redirect/SLO endpoint, but after the redirect, I 
get a 500 internal error stating " Error: No SAMLRequest or SAMLResponse query 
path parameter, invalid SAML 2 HTTP Redirect message " as I am redirected to 
https://X/cas/idp/profile/SAML2/Redirect/SLO. I then realized that, despite 
being a SAML2 provider, when attempting to access my gsuitetest gmail account, 
I was redirected to https://X/cas/login?service=. This 
led me to believe that I could use the /cas/logout endpoint as the logout URL 
(https://XX/cas/logout). I was greeted with the "logout successful" page, 
but when I open a new tab to access my gsuitetest email, I was not prompted to 
enter my credentials, I could access my emails as if the cookie was still in 
use.

I was wondering if you knew how to properly sign a google user out of their 
email with the logout URL field on Google?

On Friday, August 14, 2020 at 12:10:39 PM UTC-4 Jeremiah Garmatter wrote:
Sweet, thanks for all this Richard, you've saved me a lot of headache.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
-j-gar...@onu.edu

On Fri, Aug 14, 2020 at 12:06 PM Richard Frovarp  wrote:
I think that's controlled by the metadata, and my notes below say 1.1 
unspecified.

On Fri, 2020-08-14 at 12:03 -0400, Jeremiah Garmatter wrote:
Ah, I see now. I should have mentioned that, in our case, the username is being 
sent to google as well, just through that attribute. When you set up google's 
single sign on, did google's side inform you of the namespace they are 
expecting usernames to come in as?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
-j-gar...@onu.edu


On Fri, Aug 14, 2020 at 10:24 AM Richard Frovarp  wrote:
Yeah, you'll need to treat it like any other SAML2 service, including using the 
SamlRegisteredService configuration. Not entirely sure about attribute release. 
In our case, releasing the default username is all we need to make it work. But 
it should be like any other SAML2 service.

The difference is they used to have a helper that simplified the SAML2 bits for 
this service. That has been deprecated, and it actively interferes with other 
SAML2 services. Hence the change.

On Fri, 2020-08-14 at 05:54 -0700, Jeremiah Garmatter wrote:
Richard,

Thank you for the advice on this. We have started the creation process of our 
gsuitetest subdomain. While waiting for Google to verify ownership, I'd like to 
probe your brain some more.
In the past (CAS 5.2), using that Googleapps SAML dependency allowed you to 
configure the Google service with the 
org.apereo.cas.services.RegexRegisteredService class, if memory serves. Are you 
saying that I'll have to change the service entry to use the 
org.apereo.cas.support.saml.services.SamlRegisteredService class and configure 
it as a SAML2 service now? That's not an issue if I do, but I'm confused by 
that difference.

Also, in the past version of CAS, I believe we sent uid attributes to Google, 
if I release that through SAML2, will I need to specify the namespace used 
(something like urn:oid:0.9.2342.19200300.100.1.1 )?

On Monday, August 3, 2020 at 2:00:59 PM UTC-4 richard.frovarp wrote:
No, there isn't. You configure it as a SAML 2 provider. This means you have to 
craft the metadata by hand. Also, it is beyond deprecated as it will kill your 
other SAML integrations. So it's best to just do a pure SAML setup with it. 
Here's the draft set of instructions I put together. I need to get these 
published on the public Internet somewhere, as I suspect they would be useful to 
others:


G Suite now offers test domains for testing things. This can be used to 
validate SSO settings and changes.

So first you may want to change to "Use a domain specific issuer" to 
differentiate between your normal instance and the test one. That will result 
in an issuer looking like this:

google.com/a/gsuitetest.ndsu.edu

instead of

google.com

The Sign-in page URL is this off of your IdP

cas/idp/profile/SAML2/Redirect/SSO

The certificate provided needs to be your SAML 2 signing certificate.

From here you will need to generate metadata to giv

Re: [cas-user] CAS Management not starting

2020-08-17 Thread Richard Frovarp
You probably aren't waiting long enough?

2020-08-17 09:06:54,686 DEBUG [org.apache.http.impl.execchain.MainClientExec] - 
Executing request GET /actuator/discoveryProfile HTTP/1.1

It's trying to make a connection to your CAS system. Looks like from your logs 
it hasn't timed out, and thus hasn't fully started. Either make sure CAS is 
available upon startup of Management, or turn that feature off.
mgmt.enableDiscoveryEndpointCall=false

This is an obvious problem if you are running the IdP and Management in the 
same container.

On Mon, 2020-08-17 at 00:34 -0700, Julien Sabatier wrote:
I am trying to set up a CAS Management to manage services on my CAS instance.

But when I launch the webapp, it's like it freezes on startup, and I can't 
access it in my browser.

CAS Version : 6.2.1
CAS Management Version : 6.2.1

Here is my /etc/cas/config/management.properties : https://pastebin.com/v04Q6GwE

And here is the logs I get at CAS Management startup : 
https://pastebin.com/Wc6Kfvnt

Can someone help me to understand why Cas Management isn't reachable ?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f276bbd09b21f262e5f6154167c09b4469a0ff48.camel%40ndsu.edu.


Re: [cas-user] Google SSO

2020-08-14 Thread Richard Frovarp
I think that's controlled by the metadata, and my notes below say 1.1 
unspecified.

On Fri, 2020-08-14 at 12:03 -0400, Jeremiah Garmatter wrote:
Ah, I see now. I should have mentioned that, in our case, the username is being 
sent to google as well, just through that attribute. When you set up google's 
single sign on, did google's side inform you of the namespace they are 
expecting usernames to come in as?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
-j-garmat...@onu.edu


On Fri, Aug 14, 2020 at 10:24 AM Richard Frovarp <richard.frov...@ndsu.edu> wrote:
Yeah, you'll need to treat it like any other SAML2 service, including using the 
SamlRegisteredService configuration. Not entirely sure about attribute release. 
In our case, releasing the default username is all we need to make it work. But 
it should be like any other SAML2 service.

The difference is they used to have a helper that simplified the SAML2 bits for 
this service. That has been deprecated, and it actively interferes with other 
SAML2 services. Hence the change.

On Fri, 2020-08-14 at 05:54 -0700, Jeremiah Garmatter wrote:
Richard,

Thank you for the advice on this. We have started the creation process of our 
gsuitetest subdomain. While waiting for Google to verify ownership, I'd like to 
probe your brain some more.
In the past (CAS 5.2), using that Googleapps SAML dependency allowed you to 
configure the Google service with the 
org.apereo.cas.services.RegexRegisteredService class, if memory serves. Are you 
saying that I'll have to change the service entry to use the 
org.apereo.cas.support.saml.services.SamlRegisteredService class and configure 
it as a SAML2 service now? That's not an issue if I do, but I'm confused by 
that difference.

Also, in the past version of CAS, I believe we sent uid attributes to Google, 
if I release that through SAML2, will I need to specify the namespace used 
(something like urn:oid:0.9.2342.19200300.100.1.1 )?

On Monday, August 3, 2020 at 2:00:59 PM UTC-4 richard.frovarp wrote:
No, there isn't. You configure it as a SAML 2 provider. This means you have to 
craft the metadata by hand. Also, it is beyond deprecated as it will kill your 
other SAML integrations. So it's best to just do a pure SAML setup with it. 
Here's the draft set of instructions I put together. I need to get these 
published on the public Internet somewhere, as I suspect they would be useful to 
others:


G Suite now offers test domains for testing things. This can be used to 
validate SSO settings and changes.

So first you may want to change to "Use a domain specific issuer" to 
differentiate between your normal instance and the test one. That will result 
in an issuer looking like this:

google.com/a/gsuitetest.ndsu.edu

instead of

google.com

The Sign-in page URL is this off of your IdP

cas/idp/profile/SAML2/Redirect/SSO

The certificate provided needs to be your SAML 2 signing certificate.

From here you will need to generate metadata to give CAS. You can use this 
service to generate the metadata:

https://www.samltool.com/sp_metadata.php

Values:

Entity ID: The issuer, which in my case is 
google.com/a/gsuitetest.ndsu.edu

ACS Endpoint: This can be got by doing a test auth from G Suite and using SAML 
Tracer, but looks like this for my test domain: 
https://www.google.com/a/gsuitetest.ndsu.edu/acs

Nameid Format: Leave at 1.1 unspecified

You don't need a cert. You need to upload your SAML certificate to Google so 
that it can verify the response.

You will need to edit the generated metadata to remove the "validUntil" 
attribute, as it is set to expire very quickly.


On Mon, 2020-08-03 at 10:50 -0700, Jeremiah Garmatter wrote:
Hello,

I've recently upgraded my CAS server from 5.3.14 to 6.2.1 and had a question 
about Google Apps integration.

On the older system, there was a gradle dependency for google apps SAML:
implementation "org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"

I get a deprecation warning when using this:
CAS integration with Google Apps is now deprecated and scheduled to be removed 
in the future. The functionality is now redundant and unnecessary with CAS able 
to provide SAML2 identity provider features.To handle the integration, you 
should configure CAS to act as a SAML2 identity provider and remove this 
integration from your deployment to protected against future removals and 
surprises.>

I've changed to use the SAML 2 dependency:
implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
but I'm not sure what to do about Google's properties. There were properties 
defined for public and private keys within cas.properties:
cas.google-apps.private-key-l

Re: [cas-user] Google SSO

2020-08-14 Thread Richard Frovarp
Yeah, you'll need to treat it like any other SAML2 service, including using the 
SamlRegisteredService configuration. Not entirely sure about attribute release. 
In our case, releasing the default username is all we need to make it work. But 
it should be like any other SAML2 service.

The difference is they used to have a helper that simplified the SAML2 bits for 
this service. That has been deprecated, and it actively interferes with other 
SAML2 services. Hence the change.

On Fri, 2020-08-14 at 05:54 -0700, Jeremiah Garmatter wrote:
Richard,

Thank you for the advice on this. We have started the creation process of our 
gsuitetest subdomain. While waiting for Google to verify ownership, I'd like to 
probe your brain some more.
In the past (CAS 5.2), using that Googleapps SAML dependency allowed you to 
configure the Google service with the 
org.apereo.cas.services.RegexRegisteredService class, if memory serves. Are you 
saying that I'll have to change the service entry to use the 
org.apereo.cas.support.saml.services.SamlRegisteredService class and configure 
it as a SAML2 service now? That's not an issue if I do, but I'm confused by 
that difference.

Also, in the past version of CAS, I believe we sent uid attributes to Google, 
if I release that through SAML2, will I need to specify the namespace used 
(something like urn:oid:0.9.2342.19200300.100.1.1 )?

On Monday, August 3, 2020 at 2:00:59 PM UTC-4 richard.frovarp wrote:
No, there isn't. You configure it as a SAML 2 provider. This means you have to 
craft the metadata by hand. Also, it is beyond deprecated as it will kill your 
other SAML integrations. So it's best to just do a pure SAML setup with it. 
Here's the draft set of instructions I put together. I need to get these 
published on the public Internet somewhere, as I suspect they would be useful to 
others:


G Suite now offers test domains for testing things. This can be used to 
validate SSO settings and changes.

So first you may want to change to "Use a domain specific issuer" to 
differentiate between your normal instance and the test one. That will result 
in an issuer looking like this:

google.com/a/gsuitetest.ndsu.edu

instead of

google.com

The Sign-in page URL is this off of your IdP

cas/idp/profile/SAML2/Redirect/SSO

The certificate provided needs to be your SAML 2 signing certificate.

From here you will need to generate metadata to give CAS. You can use this 
service to generate the metadata:

https://www.samltool.com/sp_metadata.php

Values:

Entity ID: The issuer, which in my case is 
google.com/a/gsuitetest.ndsu.edu

ACS Endpoint: This can be got by doing a test auth from G Suite and using SAML 
Tracer, but looks like this for my test domain: 
https://www.google.com/a/gsuitetest.ndsu.edu/acs

Nameid Format: Leave at 1.1 unspecified

You don't need a cert. You need to upload your SAML certificate to Google so 
that it can verify the response.

You will need to edit the generated metadata to remove the "validUntil" 
attribute, as it is set to expire very quickly.


On Mon, 2020-08-03 at 10:50 -0700, Jeremiah Garmatter wrote:
Hello,

I've recently upgraded my CAS server from 5.3.14 to 6.2.1 and had a question 
about Google Apps integration.

On the older system, there was a gradle dependency for google apps SAML:
implementation "org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"

I get a deprecation warning when using this:
CAS integration with Google Apps is now deprecated and scheduled to be removed 
in the future. The functionality is now redundant and unnecessary with CAS able 
to provide SAML2 identity provider features.To handle the integration, you 
should configure CAS to act as a SAML2 identity provider and remove this 
integration from your deployment to protected against future removals and 
surprises.>

I've changed to use the SAML 2 dependency:
implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
but I'm not sure what to do about Google's properties. There were properties 
defined for public and private keys within cas.properties:
cas.google-apps.private-key-location=
cas.google-apps.public-key-location=
cas.google-apps.key-algorithm=RSA

Are there equivalent properties for SAML2?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/03c5e613172ba07fdcb4c8acf1adc1393103e2f4.camel%40ndsu.edu.
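
Doug's service entry and sp-metadata.xml earlier on this page, Jeremiah's question about swapping the gsuitetest subdomain for the production domain, and Richard's draft instructions above all come down to a handful of values that have to agree with each other: the metadata entityID, the serviceId in the SamlRegisteredService JSON, the Google ACS location for that domain, the 1.1 unspecified NameID format, and no validUntil attribute. The script below is an added example, not code from the CAS project or from anyone on this list. It builds SP metadata for a constructed domain (example.com, as in Doug's post) and checks it against a constructed service entry; the function names google_sp_metadata and check_service_pair are mine, and the id 1003 and path /etc/cas/saml/sp-metadata.xml are reused from Doug's post.

```python
"""Sanity-check G Suite SP metadata against a CAS SamlRegisteredService entry.
Added example, not CAS project code and not code from anyone on this list;
the domain, service id, path and JSON below are constructed for illustration."""
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

ET.register_namespace("md", MD_NS)


def md(tag):
    """Clark-notation name for an element in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{tag}"


def google_sp_metadata(domain):
    """Build SP metadata for google.com/a/<domain> as the thread describes:
    entityID is the domain-specific issuer, the ACS is Google's endpoint for
    that domain, NameID format stays 1.1 unspecified, and no validUntil."""
    root = ET.Element(md("EntityDescriptor"), {"entityID": f"google.com/a/{domain}"})
    sp = ET.SubElement(root, md("SPSSODescriptor"),
                       {"protocolSupportEnumeration": SAML_PROTOCOL})
    ET.SubElement(sp, md("NameIDFormat")).text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, md("AssertionConsumerService"), {
        "Binding": POST_BINDING,
        "Location": f"https://www.google.com/a/{domain}/acs",
        "index": "1",
    })
    return ET.tostring(root, encoding="unicode")


def check_service_pair(metadata_xml, service_json):
    """Return a list of problems; an empty list means the pair agrees.
    Covers the points raised in the thread: metadata parses and has no
    validUntil, NameID format is 1.1 unspecified, the ACS matches the issuer
    domain, and the JSON parses, uses SamlRegisteredService and has a
    serviceId equal to the metadata entityID."""
    problems = []
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        return [f"metadata does not parse: {exc}"]
    if root.tag != md("EntityDescriptor"):
        return ["root element is not md:EntityDescriptor"]
    if "validUntil" in root.attrib:
        problems.append("validUntil is set; remove it, the generated value expires very quickly")
    entity_id = root.get("entityID", "")
    domain = entity_id.split("/a/", 1)[1] if "/a/" in entity_id else ""
    if not domain:
        problems.append(f"entityID {entity_id!r} is not a domain-specific google.com/a/<domain> "
                        "issuer; enable 'Use a domain specific issuer' in the admin console")
    sp = root.find(md("SPSSODescriptor"))
    if sp is None:
        problems.append("SPSSODescriptor missing")
    else:
        formats = [e.text for e in sp.findall(md("NameIDFormat"))]
        if NAMEID_UNSPECIFIED not in formats:
            problems.append("NameIDFormat is not 1.1 unspecified")
        acs = [a.get("Location", "") for a in sp.findall(md("AssertionConsumerService"))]
        if domain and f"https://www.google.com/a/{domain}/acs" not in acs:
            problems.append(f"no ACS at https://www.google.com/a/{domain}/acs, found {acs}")
    try:
        svc = json.loads(service_json)
    except json.JSONDecodeError as exc:
        problems.append(f"service JSON does not parse: {exc.msg} (line {exc.lineno})")
        return problems
    if svc.get("@class") != SAML_SERVICE_CLASS:
        problems.append("@class must be SamlRegisteredService for a SAML2 SP")
    if svc.get("serviceId") != entity_id:
        problems.append(f"serviceId {svc.get('serviceId')!r} != entityID {entity_id!r}")
    if not svc.get("metadataLocation"):
        problems.append("metadataLocation missing")
    return problems


# Constructed service entry that matches the metadata built for example.com.
GOOD_SERVICE_JSON = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 1003,
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}"""

# Same entry with the comma after usernameAttributeProvider dropped, the slip
# in the JSON posted earlier on this page.
BROKEN_SERVICE_JSON = GOOD_SERVICE_JSON.replace('  },\n  "metadataLocation"',
                                                '  }\n  "metadataLocation"')

if __name__ == "__main__":
    xml = google_sp_metadata("example.com")
    print(xml)
    print("good pair:", check_service_pair(xml, GOOD_SERVICE_JSON))
    print("missing comma:", check_service_pair(xml, BROKEN_SERVICE_JSON))
    expiring = xml.replace("entityID=", 'validUntil="2020-09-22T00:00:00Z" entityID=', 1)
    print("validUntil left in:", check_service_pair(expiring, GOOD_SERVICE_JSON))
```

Run it before copying the pair into /etc/cas/services and /etc/cas/saml; an empty list means the values agree, and the same check with the production domain's metadata against the old gsuitetest entry reports the serviceId mismatch Jeremiah asked about. It only checks the files against each other: Richard's reply attributes Doug's "No metadata resolvers could be configured" error to the leftover googleapps integration rather than to the XML, and that is not something a file check can see.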


Re: [cas-user] Google SSO

2020-08-03 Thread Richard Frovarp
No, there isn't. You configure it as a SAML 2 provider. This means you have to 
craft the metadata by hand. Also, it is beyond deprecated as it will kill your 
other SAML integrations. So it's best to just do a pure SAML setup with it. 
Here's the draft set of instructions I put together. I need to get these 
published on the public Internet somewhere, as I suspect they would be useful to 
others:


G Suite now offers test domains for testing things. This can be used to 
validate SSO settings and changes.

So first you may want to change to "Use a domain specific issuer" to 
differentiate between your normal instance and the test one. That will result 
in an issuer looking like this:

google.com/a/gsuitetest.ndsu.edu

instead of

google.com

The Sign-in page URL is this off of your IdP

cas/idp/profile/SAML2/Redirect/SSO

The certificate provided needs to be your SAML 2 signing certificate.

From here you will need to generate metadata to give CAS. You can use this 
service to generate the metadata:

https://www.samltool.com/sp_metadata.php

Values:

Entity ID: The issuer, which in my case is 
google.com/a/gsuitetest.ndsu.edu

ACS Endpoint: This can be obtained by doing a test auth from G Suite and using SAML 
Tracer, but looks like this for my test domain: 
https://www.google.com/a/gsuitetest.ndsu.edu/acs

Nameid Format: Leave at 1.1 unspecified

You don't need a cert. You need to upload your SAML certificate to Google so 
that it can verify the response.

You will need to edit the generated metadata to remove the "validUntil" 
attribute, as it is set to expire very quickly.


On Mon, 2020-08-03 at 10:50 -0700, Jeremiah Garmatter wrote:
Hello,

I've recently upgraded my CAS server from 5.3.14 to 6.2.1 and had a question 
about Google Apps integration.

On the older system, there was a gradle dependency for google apps SAML:
implementation "org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"

I get a deprecation warning when using this:
CAS integration with Google Apps is now deprecated and scheduled to be removed 
in the future. The functionality is now redundant and unnecessary with CAS able 
to provide SAML2 identity provider features.To handle the integration, you 
should configure CAS to act as a SAML2 identity provider and remove this 
integration from your deployment to protected against future removals and 
surprises.>

I've changed to use the SAML 2 dependency:
implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
but I'm not sure what to do about Google's properties. There were properties 
defined for public and private keys within cas.properties:
cas.google-apps.private-key-location=
cas.google-apps.public-key-location=
cas.google-apps.key-algorithm=RSA

Are there equivalent properties for SAML2?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/34702d6409490cc7f8fef38c145852f39cf4b64a.camel%40ndsu.edu.
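Added example, not from the thread or the CAS project: a small Python script that builds the SP metadata the instructions above say you have to hand-craft for Google (domain-specific issuer as entity ID, the /acs endpoint, NameID left at 1.1 unspecified, no certificate, no validUntil) and checks the result for the validUntil trap before you load it into CAS. The domain gsuitetest.example.edu is a constructed placeholder, and the HTTP-POST ACS binding is an assumption.

```python
"""Added example, not from the thread or the CAS project: build the SP
metadata that the instructions above say you must hand-craft for Google,
and check it before registering it with CAS.

Assumptions (constructed placeholders): the domain gsuitetest.example.edu
stands in for your own test domain, and the ACS binding is HTTP-POST.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def md_tag(local):
    """Clark-notation tag name in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{local}"


def google_sp_metadata(domain, domain_specific_issuer=True):
    """Return SP metadata (bytes) for Google as described in the thread.

    Entity ID is google.com/a/<domain> with "Use a domain specific issuer"
    on, plain google.com otherwise. NameID format stays at 1.1 unspecified.
    No certificate is embedded: Google verifies CAS's responses with the
    IdP signing certificate uploaded on the Google side. No validUntil is
    written, so CAS will not treat the metadata as expired.
    """
    entity_id = f"google.com/a/{domain}" if domain_specific_issuer else "google.com"
    ET.register_namespace("md", MD_NS)
    ed = ET.Element(md_tag("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(ed, md_tag("SPSSODescriptor"),
                       {"AuthnRequestsSigned": "false",
                        "protocolSupportEnumeration": SAML2_PROTOCOL})
    ET.SubElement(sp, md_tag("NameIDFormat")).text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, md_tag("AssertionConsumerService"),
                  {"Binding": BINDING_POST,
                   "Location": f"https://www.google.com/a/{domain}/acs",
                   "index": "1", "isDefault": "true"})
    return ET.tostring(ed, encoding="utf-8", xml_declaration=True)


def metadata_problems(xml_bytes):
    """List what to fix before loading the file into CAS; empty means OK.

    Flags the validUntil attribute a generator adds (it expires almost
    immediately, as the thread warns) plus a few structural slips.
    """
    problems = []
    root = ET.fromstring(xml_bytes)
    if root.tag != md_tag("EntityDescriptor"):
        return ["root element is not md:EntityDescriptor"]
    for el in root.iter():
        if "validUntil" in el.attrib:
            local = el.tag.rsplit("}", 1)[-1]
            problems.append(f"remove validUntil={el.attrib['validUntil']} on {local}")
    if not root.get("entityID"):
        problems.append("entityID is missing")
    sp = root.find(md_tag("SPSSODescriptor"))
    if sp is None:
        problems.append("no SPSSODescriptor")
        return problems
    acs = sp.findall(md_tag("AssertionConsumerService"))
    if not acs:
        problems.append("no AssertionConsumerService")
    for a in acs:
        loc = a.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"ACS location is not https: {loc!r}")
    return problems


if __name__ == "__main__":
    xml = google_sp_metadata("gsuitetest.example.edu")
    print(xml.decode())
    print("problems:", metadata_problems(xml) or "none")
```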


Re: [cas-user] CAS Management UI Question

2020-07-27 Thread Richard Frovarp
https://apereo.github.io/cas-management/5.3.x/installation/Installing-ServicesMgmt-Webapp.html#available-attributes

On Mon, 2020-07-20 at 09:14 -0600, Bryan Wooten wrote:
How do I add / remove allowed attributes to a service?

The json file (below) shows the attributes. Note this file was imported from an 
earlier cas system.

I can't find a way to make changes from the new UI.

I have the same issue trying to create a new service.

What am I missing?

-Bryan

University of Utah

{
  @class: org.apereo.cas.services.RegexRegisteredService
  serviceId: ^https://appserv01-test.idm.utah.edu/.*
  name: appserv01TestIdmUtahEdu
  id: 1014
  description: "Bryan Wooten "
  expirationPolicy:
  {
@class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
deleteWhenExpired: false
notifyWhenDeleted: false
  }
  proxyPolicy:
  {
@class: org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy
pattern: ^https?://.*
  }
  evaluationOrder: 0
  usernameAttributeProvider:
  {
@class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
canonicalizationMode: NONE
encryptUsername: false
  }
  logoutType: BACK_CHANNEL
  requiredHandlers:
  [
java.util.HashSet
[]
  ]
  environments:
  [
java.util.HashSet
[]
  ]
  attributeReleasePolicy:
  {
@class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
principalAttributesRepository:
{
  @class: 
org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
  mergingStrategy: MULTIVALUED
  ignoreResolvedAttributes: false
}
consentPolicy:
{
  @class: 
org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
  enabled: true
  order: 0
}
authorizedToReleaseCredentialPassword: false
authorizedToReleaseProxyGrantingTicket: false
excludeDefaultAttributes: false
authorizedToReleaseAuthenticationAttributes: true
order: 0
allowedAttributes:
[
  java.util.ArrayList
  [
firstName
lastName
displayName
email
homephone
department
ou
cn
telephoneNumber
acadplan
almail
eduPersonAffiliation
uid
eduPersonPrincipalName
ummail
unid
uudept
uustudent
  ]
]
  }
  multifactorPolicy:
  {
@class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
multifactorAuthenticationProviders:
[
  java.util.LinkedHashSet
  []
]
failureMode: UNDEFINED
bypassEnabled: false
  }
  accessStrategy:
  {
@class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
order: 0
enabled: true
ssoEnabled: true
delegatedAuthenticationPolicy:
{
  @class: 
org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
  allowedProviders:
  [
java.util.LinkedHashSet
[]
  ]
  permitUndefined: true
  exclusive: false
}
requireAllAttributes: true
requiredAttributes:
{
  @class: java.util.HashMap
}
rejectedAttributes:
{
  @class: java.util.HashMap
}
caseInsensitive: false
  }
  properties:
  {
@class: java.util.HashMap
  }
  contacts:
  [
java.util.ArrayList
[]
  ]
}

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/37500de3678892cb89f783c2f8bb7b615012a74f.camel%40ndsu.edu.


Re: [cas-user] same user with 2 logins and MFA

2020-07-17 Thread Richard Frovarp
You've listed the 3 or 4 different recommendations below.

My best guess is that it will set the username equal to the capturing
group. So:

cas.authn.ldap[0].principalTransformation.pattern=(.+)@domain.name


should give you everything in the (.+) bit as the username. You don't need
a Groovy script, but that would be a different way you could do it if
necessary. Groovy is basically Java without semicolons, so it isn't a
hard place to start.

There is a decent bit of this that is experimentation. There are a LOT
of configuration options and abilities. And that certainly is made more
difficult by the sometimes sparse documentation. Give what you have
above a try. Depending on your DB, that also may not be the entire fix.
That is likely to keep things in whatever case the user provided, and
if you have a sane DB with case sensitive equals, you will have
problems there too. So you likely will want to look at the
caseConversion operation as well to get things consistent.

There is that chance that this only impacts the LDAP lookup and won't
forward on to MFA, but this is where I would start.

On Fri, 2020-07-17 at 11:50 +, Patrick Proniewski wrote:
> Richard,
> 
> I can't find the 3 or 4 different recommendations you are writing
> about. More importantly I'm sorry to be CAS-illiterate but nothing I
> read here is really actionable by me and when I try to find info by
> myself the CAS documentation fails hard on me. For example, the
> string principalAttributeId returns zero useful hit on the official
> documentation. How is that even possible?
> 
> You point me toward "Authentication Principal Transformation", ok:
> 
> (quote of documentation)
> The following options related to principal transformation support in
> CAS apply equally to a number of CAS components (authentication
> handlers, etc) given the component’s configuration key:
> 
> # ${configurationKey}.principalTransformation.pattern=(.+)@example.org
> # ${configurationKey}.principalTransformation.groovy.location=file:///etc/cas/config/principal.groovy
> # ${configurationKey}.principalTransformation.suffix=
> # ${configurationKey}.principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
> # ${configurationKey}.principalTransformation.prefix=
> 
> I think ${configurationKey} should be replaced by cas.authn.ldap[0]
> in those lines, but I'm not sure.
> If I understand correctly I could set:
> 
> cas.authn.ldap[0].principalTransformation.pattern=(.+)@domain.name
> 
> to detect when a user submits the long form of his login (
> u...@domain.name) and apply a transformation to that login. Is that
> correct?
> From here, how am I supposed to proceed in order to strip the suffix?
> I think I'll have to use a groovy script
> (principalTransformation.groovy.location). But I can't write groovy
> script, I know nothing about that language.
> 
> Now let's see Person Directory Principal Resolution (<https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution>)
> 
> (quote of documentation)
> The following options related to Person Directory support in CAS when
> it attempts to resolve and build the authenticated principal, given
> the component’s configuration key:
> 
> # ${configurationKey}.principalAttribute=uid,sAMAccountName,etc
> # ${configurationKey}.returnNull=false
> # ${configurationKey}.principalResolutionFailureFatal=false
> # ${configurationKey}.useExistingPrincipalId=false
> 
> What do these configuration directives mean? How do I use them? The
> string useExistingPrincipalId is nowhere to be found apart from this
> sample code.
> 
> While looking for the string "principalAttribute" on Google I've
> stumbled upon this unrelated topic <https://apereo.github.io/2018/05/07/cas-impersonation-authn/>
> depicting "cas.personDirectory.principalAttribute=uid" as
> "instructing CAS to build the final authenticated Principal
> identified by the uid attribute (instead of whatever the user types
> into the login form as the credential id)". 
> That might be it. But what is the difference with
> "cas.authn.ldap[0].principalAttributeId=uid", already in my
> cas.properties, that exists in sample code (here for example
> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html)
> but is documented absolutely nowhere?
> 
> As you can see, I'm quite lost. I try to do my home work but the lack
> of documentation is really a problem.
> 
> regards
> 
> Patrick Proniewski
> --
> Head of the Operations Department ~ DSI ~ Université Lyon 2
> Information Systems Security Officer
> 
> 
> From: cas-user@ape
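Added example, not CAS code: a Python model of the principalTransformation options quoted in this thread (pattern, caseConversion, prefix, suffix) that shows why the short and long login forms end up as two different MFA principals and how the pattern plus LOWERCASE collapses them into one. The matching semantics (the first capturing group becomes the username) follow the reading of the docs above rather than the CAS source, and the sample logins are constructed.

```python
"""Added example, not CAS code: a model of the principalTransformation
properties discussed in this thread, used to show why "user" and
"user@domain.name" are keyed as two different MFA principals and how the
transformation makes them one.

Assumed: the semantics modelled here (first capturing group replaces the
typed-in id, then caseConversion, then prefix/suffix) follow the docs as
quoted above, not the CAS implementation. Sample logins are constructed.
"""
import re


def transform_principal(provided, pattern=None, case_conversion="NONE",
                        prefix="", suffix=""):
    """Apply a principalTransformation-style rewrite to a typed-in user id.

    pattern: regex whose first capturing group replaces the id when the
    whole id matches; a non-matching id is passed through unchanged.
    case_conversion: NONE | UPPERCASE | LOWERCASE, as in the quoted docs.
    """
    user = provided.strip()
    if pattern:
        m = re.fullmatch(pattern, user)
        if m and m.groups():
            user = m.group(1)
    if case_conversion == "LOWERCASE":
        user = user.lower()
    elif case_conversion == "UPPERCASE":
        user = user.upper()
    elif case_conversion != "NONE":
        raise ValueError(f"unknown caseConversion {case_conversion!r}")
    return f"{prefix}{user}{suffix}"


def mfa_principals(logins, **transform_opts):
    """Map each login form to the id an MFA provider would be keyed on.

    Returns {principal_id: [logins that map to it]}. One key per person
    means MFA cannot be sidestepped by choosing the other login form.
    """
    buckets = {}
    for login in logins:
        key = transform_principal(login, **transform_opts)
        buckets.setdefault(key, []).append(login)
    return buckets


# Constructed sample: one LDAP person who can authenticate with either form,
# matching the search filter (|(uid={user})(eduPersonPrincipalName={user})).
SAMPLE_LOGINS = ["jdoe", "jdoe@domain.name", "JDoe", "JDOE@domain.name"]

# No transformation: CAS keeps what the user typed, so four distinct ids and
# an MFA registration keyed on "jdoe" is never consulted for the others.
UNTRANSFORMED = mfa_principals(SAMPLE_LOGINS)

# The thread's pattern plus LOWERCASE: all four collapse to "jdoe".
CONSISTENT = mfa_principals(SAMPLE_LOGINS,
                            pattern="(.+)@domain.name",
                            case_conversion="LOWERCASE")

if __name__ == "__main__":
    print("no transformation:  ", UNTRANSFORMED)
    print("pattern + LOWERCASE:", CONSISTENT)
```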

Re: [cas-user] same user with 2 logins and MFA

2020-07-16 Thread Richard Frovarp
> es "{user}" as key instead of
> retrieving and using the value of uid from LDAP. That might be my
> problem here.
> 
> I don't know if you need more details, let me know.
> 
> Regards,
> 
> Patrick Proniewski
> --
> Head of the Operations Department ~ DSI ~ Université Lyon 2
> Information Systems Security Officer
> 
> From: cas-user@apereo.org on behalf of Richard Frovarp <richard.frov...@ndsu.edu>
> Sent: Wednesday 15 July 2020 16:48
> To: cas-user@apereo.org
> Subject: Re: [cas-user] same user with 2 logins and MFA
> 
> You are going to need to provide more details. How are you triggering
> MFA? What MFA solution are you using? Etc. Something isn't matching,
> but not knowing what you are matching on when it works just leaves a
> bunch of guesses.
> 
> On Wed, 2020-07-15 at 16:20 +0200, Patrick Proniewski wrote:
> Hello,
> 
> On our CAS servers we allow users to log in with their short login
> (UID) and with their long login (u...@domain.name).
> I've discovered that activating MFA for login UID will work ok, but
> that if the same user logs in with u...@domain.name, then MFA is
> bypassed.
> 
> Any idea how I could fix this properly?
> 
> Thanks,
> 
> Patrick PRONIEWSKI
> --
> Head of the Operations Department - DSI - Université Lumière Lyon 2
> Information Systems Security Officer
> 
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/60e5a724a74e843ec1ecf9547247ac2a47520899.camel%40ndsu.edu
> 
> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
> 
> I respectfully acknowledge that my place of work is located within
> the ancestral, traditional and unceded territory of the Songhees,
> Esquimalt and WSÁNEĆ Nations.
> 
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/d858872d9515e8dc630d2635a174b72c8aab71e0.camel%40uvic.ca

Re: [cas-user] same user with 2 logins and MFA

2020-07-15 Thread Richard Frovarp
So I don't know how Google MFA works. But I think you are on to
something. Best I know (which certainly could be wrong), CAS maintains
the username that the user provided. So your search filter works fine.
But when trying to do Google Auth, it turns out to be effectively two
different usernames. 

There are likely two ways of addressing it if I understand how your
system is setup. 

1) Make the MFA side of it know both usernames. In something like Duo
you can set account aliases on an integration.

2) Fix the username attribute in CAS to be consistent.

You likely want #2 for its wider implications. The username attribute sent
out by default would match what the user provided. So the remote
systems would need to handle both formats. It's easier to have CAS go
to one consistent representation.

I'm not sure if the principal transformation is what you need or not to
be honest. But it's the idea.


https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#authentication-principal-transformation

If you do that on authentication for LDAP, that should yield a
consistent username for MFA to use I think.

On Wed, 2020-07-15 at 15:58 +, Patrick Proniewski wrote:
> Hello,
> 
> We use CAS 6.* official MFA support (cas.authn.mfa.*) and accounts
> from LDAP:
> 
> # Account search parameters
> cas.authn.ldap[0].baseDn=ou=people,dc=domain,dc=name
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].searchFilter=(|(uid={user})(eduPersonPrincipalName={user}))
> 
> In this LDAP, eduPersonPrincipalName is in the form of 
> u...@domain.name
> 
> My tests are for cas.authn.mfa.gauth, MFA is set with:
> 
> cas.authn.mfa.globalPrincipalAttributePredicate=file:/etc/cas/mfaGroovyPredicate.groovy
> 
> but this file is basically default/useless AFAIK.
> 
> As far as I understand, MFA in CAS uses "{user}" as key instead of
> retrieving and using the value of uid from LDAP. That might be my
> problem here.
> 
> I don't know if you need more details, let me know.
> 
> Regards,
> 
> Patrick Proniewski
> --
> Head of the Operations Department ~ DSI ~ Université Lyon 2
> Information Systems Security Officer
> 
> 
> From: cas-user@apereo.org on behalf of Richard Frovarp
> Sent: Wednesday 15 July 2020 16:48
> To: cas-user@apereo.org
> Subject: Re: [cas-user] same user with 2 logins and MFA
> 
> You are going to need to provide more details. How are you triggering
> MFA? What MFA solution are you using? Etc. Something isn't matching,
> but not knowing what you are matching on when it works just leaves a
> bunch of guesses.
> 
> On Wed, 2020-07-15 at 16:20 +0200, Patrick Proniewski wrote:
> > Hello,
> > 
> > On our CAS servers we allow users to log in with their short login
> > (UID) and with their long login (u...@domain.name).
> > I've discovered that activating MFA for login UID will work ok, but
> > that if the same user logs in with u...@domain.name, then MFA is
> > bypassed.
> > 
> > Any idea how I could fix this properly?
> > 
> > Thanks,
> > 
> > Patrick PRONIEWSKI
> > --
> > Head of the Operations Department - DSI - Université Lumière Lyon 2
> > Information Systems Security Officer
> > 
> 
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/60e5a724a74e843ec1ecf9547247ac2a47520899.camel%40ndsu.edu
> .
> 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f7921ece616da38507cd06244cc2add86fe6b1b5.camel%40ndsu.edu.


Re: [cas-user] same user with 2 logins and MFA

2020-07-15 Thread Richard Frovarp
You are going to need to provide more details. How are you triggering
MFA? What MFA solution are you using? Etc. Something isn't matching,
but not knowing what you are matching on when it works just leaves a
bunch of guesses.

On Wed, 2020-07-15 at 16:20 +0200, Patrick Proniewski wrote:
> Hello,
> 
> On our CAS servers we allow users to log in with their short login
> (UID) and with their long login (u...@domain.name).
> I've discovered that activating MFA for login UID will work ok, but
> that if the same user logs in with u...@domain.name, then MFA is
> bypassed. 
> 
> Any idea how I could fix this properly?
> 
> Thanks,
> 
> Patrick PRONIEWSKI
> -- 
> Head of the Operations Department - DSI - Université Lumière Lyon 2
> Information Systems Security Officer
> 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/60e5a724a74e843ec1ecf9547247ac2a47520899.camel%40ndsu.edu.


Re: [cas-user] JDBC attribute SQL query

2020-07-10 Thread Richard Frovarp
cas.authn.attribute-repository.jdbc[0].case-canonicalization=NONE|LOWER|UPPER

It's been a while since we last ran without canonicalization, so I can't remember 
the details (around CAS 3.4). However, it used to be that CAS would return back 
the username attribute case matching whatever the user typed in. So if the end 
application wasn't doing anything, it could get different casings of the same 
user. I will admit to writing code that then failed because it wasn't expecting 
a different case. I always typed my username in all lower case, so it wasn't 
expected by me. You can also use canonicalization on the authentication bit as 
well.

On Thu, 2020-07-09 at 16:24 -0700, Parker Grimes wrote:
I recently set up a JDBC attributeRepository and my SQL query expects the 
username passed from CAS to be lowercase. Does anyone know how to either 
override the "WHERE {0}" or make sure the username being passed is lowercase?

The problem we have is people entering their username in mixed case like 
"UserName" instead of "username" and "UserName" is being passed to the "SELECT 
* FROM user_table WHERE {0}"

From the logs:
DEBUG 
[org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - 


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/462fed9f6c0410aec06642f1c38aa02d61ec9a13.camel%40ndsu.edu.


Re: [cas-user] How do you set the ticket generator?

2020-06-08 Thread Richard Frovarp
With a little luck, I found the right source code, which led me here:

https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#cas-server

with the cas.host.name property.

Version 4 of CAS had info on how to do this with the ticket
documentation. It would be nice to have a line about this in the
Configuring Ticketing Components area.

On Mon, 2020-06-08 at 21:09 +, Richard Frovarp wrote:
> I need to add a suffix to the service ticket that is being generated.
> I
> see in the code that it is in the code, but I have no idea where to
> begin to make changes to configuration. I can do it either globally
> or
> per service, that doesn't matter.
> 
> I have some code that is looking at the suffix to determine where to
> send the ticket validation to in Apache Shiro. I'm authenticating /
> validating against two different CASes against two different domains,
> hence my usecase. Using 5.3.
> 
> Thanks,
> Richard
> 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4866c1826710973beb760e2164d159af35cddfbc.camel%40ndsu.edu.


[cas-user] How do you set the ticket generator?

2020-06-08 Thread Richard Frovarp
I need to add a suffix to the service ticket that is being generated. I
see in the code that it is in the code, but I have no idea where to
begin to make changes to configuration. I can do it either globally or
per service, that doesn't matter.

I have some code that is looking at the suffix to determine where to
send the ticket validation to in Apache Shiro. I'm authenticating /
validating against two different CASes against two different domains,
hence my usecase. Using 5.3.

Thanks,
Richard

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d4523ca0223819b3dfdc8fe08b42d0398c9f5525.camel%40ndsu.edu.


Re: [cas-user] Logging "Application Not Authorized to Use CAS"

2020-05-22 Thread Richard Frovarp
Example entry:

2020-05-22 09:43:51,450 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - https://frovarp.com] is not found in service registry.>

On Fri, 2020-05-22 at 14:16 +0000, Richard Frovarp wrote:
> That's logged at the default logging level in cas.log. I don't
> remember
> what it shows up as, but it is in there. I've used it to find when
> services make unexpected changes on me.
> 
> Richard
> 
> On Fri, 2020-05-22 at 15:39 +0200, spfma.t...@e.mail.fr wrote:
> > Hi,
> > Is there a way to log these errors ? I have set all levels to
> > “debug”
> > in the configuration, but I can only see the normal activity.
> > I am trying to investigate a complex bunch of webservices and their
> > interactions, and I am sure some elements are missing.
> > So it would help me a lot if I could know from a central point what
> > is missing instead of dumping here and there 
> > Regards
> 
> 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c1b5541884da33258f03c1b387bac841cdb73640.camel%40ndsu.edu.
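Added example, not from the thread or from CAS: a Python scanner that pulls the ServiceAuthorizationCheck warnings out of cas.log and counts hits per unregistered service id, which is the central view the original question asked for. The line layout (timestamp, level, bracketed logger, message) is assumed from the entry quoted above; the sample lines are constructed.

```python
"""Added example, not from the thread or CAS: find which services are hitting
CAS without being in the service registry, from cas.log.

Assumed: each line looks like the entry quoted in the thread, i.e.
<timestamp> WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <msg>,
with the service id in square brackets before "is not found in service
registry". The sample lines below are constructed.
"""
import re
from collections import Counter

UNREGISTERED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+"
    r"\[org\.apereo\.cas\.web\.flow\.ServiceAuthorizationCheck\]\s+-\s+"
    r".*?(?P<service>https?://[^\]\s]+)\] is not found in service registry"
)

# Console layouts that colour the level leave ANSI escapes in captured logs.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


def unregistered_services(lines):
    """Return (Counter of service id -> hits, list of (timestamp, service id)).

    Lines that are not the ServiceAuthorizationCheck warning are ignored,
    so a whole cas.log can be streamed through this function.
    """
    hits = Counter()
    events = []
    for raw in lines:
        line = ANSI_RE.sub("", raw).rstrip("\r\n")
        m = UNREGISTERED_RE.match(line)
        if m is None:
            continue
        hits[m.group("service")] += 1
        events.append((m.group("ts"), m.group("service")))
    return hits, events


def report(lines):
    """One row per unregistered service, most frequent first."""
    hits, _ = unregistered_services(lines)
    return [f"{count:5d}  {service}" for service, count in hits.most_common()]


# Constructed sample log, modelled on the warning quoted in the thread
# (the first line carries an ANSI colour code, as a console appender emits).
SAMPLE_LOG = [
    "\x1b[33m2020-05-22 09:43:51,450 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck]"
    " - <Service [https://frovarp.com] is not found in service registry.>\x1b[m",
    "2020-05-22 09:44:10,002 DEBUG [example.constructed.Noise] - <unrelated constructed line>",
    "2020-05-22 09:45:03,117 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck]"
    " - <Service [https://app.example.edu/cas-login] is not found in service registry.>",
    "2020-05-22 09:47:30,900 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck]"
    " - <Service [https://frovarp.com] is not found in service registry.>",
]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Run it against a real file with `unregistered_services(open("/path/to/cas.log"))`; a service that shows up here repeatedly is either a missing registry entry or something unexpected presenting itself to CAS.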


Re: [cas-user] Logging "Application Not Authorized to Use CAS"

2020-05-22 Thread Richard Frovarp
That's logged at the default logging level in cas.log. I don't remember
what it shows up as, but it is in there. I've used it to find when
services make unexpected changes on me.

Richard

On Fri, 2020-05-22 at 15:39 +0200, spfma.t...@e.mail.fr wrote:
> Hi,
> Is there a way to log these errors ? I have set all levels to “debug”
> in the configuration, but I can only see the normal activity.
> I am trying to investigate a complex bunch of webservices and their
> interactions, and I am sure some elements are missing.
> So it would help me a lot if I could know from a central point what
> is missing instead of dumping here and there 
> Regards

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/610006efe0c512a49ccd3c475eedb6c0aec79819.camel%40ndsu.edu.


Re: [cas-user] Handling multiple accounts for one person

2020-05-18 Thread Richard Frovarp
We just have separate accounts in AD, which is where we are
authenticating and doing attribute release from. The IAM system is
responsible for correctly populating the directory and end application
if needed in the correct way for each account. This requires multiple
accounts and passwords, and currently multiple Duo setups. Although,
thinking of it now, we could use alternate usernames on Duo to use the
same configuration between different accounts.

On Mon, 2020-05-18 at 10:19 -0700, mbar...@scad.edu wrote:
> At our university, we have some applications where one person will
> only have one account and the application is aware of the different
> "roles" a person might have, i.e., student, staff, faculty and/or
> alumni.   We also have some other applications where a person may
> have a student account and also a faculty/staff account.  Due to
> historical reasons, our CAS is built around the former, one-person-
> to-one-account model.  Up until now, we've a been able to handle
> multiple accounts via separate login URLs to the same service, and
> CAS will respond with the appropriate staff or student attributes.
> 
> We're now integrating with some Cloud services and the separate login
> URL does not appear to be a possibility. We'll just have one URL for
> the Cloud service.   
> 
> How are other organizations handling this?  I'd love to hear some
> ideas.
> 
> I can think of a couple ways, but I'm not sure I like them.   
> 
> Thank you very much,
> Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/792d3a4e0fe3167f3ec9f165b8e6ead0744d9a71.camel%40ndsu.edu.


Re: [cas-user] cas5 rebuild and restart for every change??

2020-04-09 Thread Richard Frovarp
If you deploy to an external container like Tomcat, you can, instead of
using the war, explode it into the webapp directory. Wars and jars are
just zip files. Or let Tomcat explode it for you the first time, stop
Tomcat, then delete the war. You can edit content without having to
rebuild. 

I think that the HTML / CSS can be updated live enough if you use the
method above. If nothing else it saves you the build step even if you
have to bounce Tomcat.

On Thu, 2020-04-09 at 12:16 -0700, Yan Zhou wrote:
> Hi there,
> 
> CAS5.3.x overlay.  It looks like we have to build it into a WAR file
> first, then either run it as an executable WAR or deploy to external
> container. 
> 
> There is also a way to run CAS as an executable WAR via Spring Boot's
> maven plugin, but that requires NO change to CAS dependencies, which
> is not my use case (I have made a lot of changes in CAS dependencies).
> 
> Is there some way that I can do a hot swap, e.g., see the static
> HTML/CSS change with the refresh of a browser?
> 
> Even in standalone mode, it takes several minutes for CAS 5.3 to
> startup. 
> Thanks,
> Yan
> 



Re: [cas-user] Registry service from CAS MANAGEMENT WEB APP to MONGODB

2020-03-17 Thread Richard Frovarp
Yeah, there's something odd with the 5.3 version of the manager. Even
with the version control bits turned off, it still wants to go to the
services-repo directory. Also, with JPA, it doesn't work with the
latest server versions of 5.3 for SAML2 services. Not sure if you will
see that problem with MongoDB or not.

On Mon, 2020-03-16 at 23:19 +0700, Nguyen Tran Thanh Lam wrote:
> Dear Mr Ray Bon
> But Web Management can only create json files and store them in
> /etc/cas/services-repo.
> And I want to store services in MongoDB.
> It conflicted.
> 
> 
> On Mon, 16 Mar 2020 at 23:14, Ray Bon wrote:
> > Why do you want to have multiple service registry locations?
> > 
> > If you want to use MongoDB, remove json entry.
> > 
> > Ray
> > 
> > On Fri, 2020-03-13 at 20:52 -0700, Napoleon Ponaparte wrote:
> > > Hi all,
> > > I am confused about the service registry.
> > > I have two methods to store services.
> > > 
> > > Method 1: Using cas-server-support-json-service
> > > 
> > > By compiling "org.apereo.cas:cas-server-support-json-service-registry:6.1.3"
> > > the CAS server will read services from the directory
> > > /etc/cas/services-repo
> > > 
> > > Method 2: Using cas-server-support-mongo-service-registry
> > > 
> > > By compiling "org.apereo.cas:cas-server-support-mongo-service-registry:6.1.3"
> > > the CAS server will read services from the directory
> > > /etc/cas/services-repo then load these services into MongoDB
> > > 
> > > But, I have a trouble now.
> > > I cannot use both methods. Exactly, if I build CAS with the 2 methods
> > > like
> > > 
> > > compile "org.apereo.cas:cas-server-support-json-service-registry:6.1.3"
> > > compile "org.apereo.cas:cas-server-support-mongo-service-registry:6.1.3"
> > > --> the CAS build will fail.
> > > 
> > > And the CAS Management web app seems to only save new services to the
> > > directory.
> > > This leads to me not being able to create a new service if I want to
> > > store services in MongoDB.
> > > Note: I want to store services in MongoDB to deploy CAS in a
> > > cluster.
> > > So, do you have any suggestion to solve this problem?
> > > Thank you.
> > > 
> > > 
> > 
> >  -- 
> > Ray Bon
> > Programmer Analyst
> > Development Services, University Systems
> > 2507218831 | CLE 019 | r...@uvic.ca
> > 
> > I respectfully acknowledge that my place of work is located within
> > the ancestral, traditional and unceded territory of the Songhees,
> > Esquimalt and WSÁNEĆ Nations.


Re: [cas-user] How do to G Suite as a normal SAML SP?

2020-03-05 Thread Richard Frovarp
I've seen some of those. I guess the part that I'm struggling with is the 
values to enter. G Suite doesn't publish their end points. I can probably grab 
them using SAML Tracer and my existing working integration. I was more 
wondering if someone had a known working configuration so I don't have to guess 
and try multiple times.

On 3/5/20 1:51 PM, Ray Bon wrote:
Richard,

There are some online tools that can get you started, 
https://www.google.com/search?client=ubuntu=fs=saml2+create+metadata=utf-8=utf-8

Ray

On Thu, 2020-03-05 at 19:42 +, Richard Frovarp wrote:

I'm missing something basic in what it is that I need. We have G Suite 
setup through the custom bit in CAS. That is conflicting with our other 
normal SAML SPs and throwing stack traces. I see that in 5.3, the 
version that we are on, the custom bit has been deprecated. What I'm not 
able to wrap my head around is how to construct the SP metadata for G 
Suite. Do I just monitor the URLs that are currently working to set the 
end points? Or is there a better way to do this? I'm used to dealing 
with systems that will give me their metadata, rather than having to 
construct it.

Any help would be appreciated. Thanks,

Richard

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.


[cas-user] How do to G Suite as a normal SAML SP?

2020-03-05 Thread Richard Frovarp
I'm missing something basic in what it is that I need. We have G Suite 
setup through the custom bit in CAS. That is conflicting with our other 
normal SAML SPs and throwing stack traces. I see that in 5.3, the 
version that we are on, the custom bit has been deprecated. What I'm not 
able to wrap my head around is how to construct the SP metadata for G 
Suite. Do I just monitor the URLs that are currently working to set the 
end points? Or is there a better way to do this? I'm used to dealing 
with systems that will give me their metadata, rather than having to 
construct it.

Any help would be appreciated. Thanks,

Richard



[cas-user] CAS Management: How to do authorization?

2020-02-06 Thread Richard Frovarp
How does one do authorization checks in CAS Management 5.3.6 using CAS 
attribute return? In 5.1, I have this:

cas.mgmt.adminRoles[0]=CN=,OU=,DC=dc,DC=ndsu,DC=edu
cas.mgmt.authzAttributes[0]=memberOf

Not entirely sure why that is failing on 5.3.6. Part of me says that it 
is due to pac4j splitting on the commas.

So I get the bright idea of using eduPersonEntitlement, so

mgmt.adminRoles[0]=https://www.ndsu.edu/eci/entitlement
mgmt.authzAttributes[0]=eduPersonEntitlement

But that isn't working either. In the log for the application I can see 
that my list of entitlements is being returned, but I see no roles.

What am I missing?

Thanks,

Richard



Re: [cas-user] Upgrading from 5.1 to 5.3 with JPA service registry and SAML 2 services

2020-02-05 Thread Richard Frovarp
While trying to figure out how to delete just the SAML 2 services to 
prepare for that, I saw the new fields were added to the DB instead of 
being in one of the serialized fields. So this worked, getting me to 
defaults:

update regexregisteredservice set
  skipGeneratingAssertionNameId=0,
  skipGeneratingSubjectConfirmationInResponseTo=0,
  skipGeneratingSubjectConfirmationNotBefore=1,
  skipGeneratingSubjectConfirmationNotOnOrAfter=0,
  skipGeneratingSubjectConfirmationRecipient=0,
  skipGeneratingTransientNameId=0
where metadataLocation is not null;


On 2/5/20 5:36 PM, Richard Frovarp wrote:
> Looks like there was a change to how SAML 2 services were defined in CAS
> 5.2. So when Hibernate brings those back in, it's failing to create the
> object. My guess is that since there isn't anything there in the
> serialized form, it is trying to set a boolean to null, which doesn't
> work well for primitives. I haven't been able to find any upgrade
> instructions to handle this. Are there any? Or are we going to need to
> delete our SAML 2 services first, and then recreate?
>
> org.hibernate.PropertyAccessException: Null value was assigned to a
> property [class
> org.apereo.cas.support.saml.services.SamlRegisteredService.skipGeneratingAssertionNameId]
> of primitive type
> setter of
> org.apereo.cas.support.saml.services.SamlRegisteredService.skipGeneratingAssertionNameId
>
>
> Thanks,
>
> Richard
>

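The UPDATE above fills the six flag columns for every SAML service at once. As an added example (not code from the thread or from CAS), the following runs against a constructed SQLite copy of the table: it first lists the SAML services whose flags are NULL, which are the rows Hibernate fails on, then fills only the NULLs with COALESCE so a flag an admin has already set survives. The table and column names come from the thread; the service names and metadata locations are made up.

```python
"""Pre-flight check and default fill for the SAML 2 flag columns that CAS 5.2+
keeps on the JPA service registry table.

Added example, not part of the thread or of CAS. It runs against an in-memory
SQLite table shaped like the columns named in the thread; a real registry
lives in the deployment's JDBC database, so the boolean column types differ.
"""
import sqlite3

# Defaults from the UPDATE posted in the thread: NotBefore is skipped by
# default, every other flag is off.
SAML_FLAG_DEFAULTS = {
    "skipGeneratingAssertionNameId": 0,
    "skipGeneratingSubjectConfirmationInResponseTo": 0,
    "skipGeneratingSubjectConfirmationNotBefore": 1,
    "skipGeneratingSubjectConfirmationNotOnOrAfter": 0,
    "skipGeneratingSubjectConfirmationRecipient": 0,
    "skipGeneratingTransientNameId": 0,
}
FLAG_COLUMNS = list(SAML_FLAG_DEFAULTS)
ANY_FLAG_NULL = " OR ".join(f"{c} IS NULL" for c in FLAG_COLUMNS)


def build_sample_registry():
    """Constructed registry: two SAML services migrated from 5.1 (all flags
    NULL), one SAML service with a single flag already set, and one plain
    CAS service, which has no metadataLocation and must not be touched."""
    conn = sqlite3.connect(":memory:")
    flag_defs = ", ".join(f"{c} INTEGER" for c in FLAG_COLUMNS)
    conn.execute(
        "CREATE TABLE regexregisteredservice (id INTEGER PRIMARY KEY, name TEXT, "
        f"metadataLocation TEXT, {flag_defs})"
    )
    conn.executemany(
        "INSERT INTO regexregisteredservice (id, name, metadataLocation) VALUES (?, ?, ?)",
        [
            (1, "legacy-sp-a", "https://sp-a.example.edu/metadata.xml"),
            (2, "legacy-sp-b", "/etc/cas/saml/sp-b-metadata.xml"),
            (3, "plain-cas-app", None),
            (4, "partial-sp", "https://sp-c.example.edu/metadata.xml"),
        ],
    )
    # partial-sp already has one flag deliberately set; the fill must keep it.
    conn.execute("UPDATE regexregisteredservice SET skipGeneratingTransientNameId = 1 WHERE id = 4")
    conn.commit()
    return conn


def saml_services_with_null_flags(conn):
    """Names of SAML services Hibernate would refuse to load: a NULL in any
    flag column gets assigned to a primitive boolean and throws."""
    rows = conn.execute(
        "SELECT name FROM regexregisteredservice "
        f"WHERE metadataLocation IS NOT NULL AND ({ANY_FLAG_NULL}) ORDER BY id"
    ).fetchall()
    return [name for (name,) in rows]


def apply_saml_flag_defaults(conn):
    """The thread's UPDATE, narrowed so it only fills NULLs: COALESCE keeps any
    flag an admin already set, and the WHERE restricts it to SAML services
    that still have a gap. Returns the number of rows repaired."""
    assignments = ", ".join(f"{c} = COALESCE({c}, {v})" for c, v in SAML_FLAG_DEFAULTS.items())
    cur = conn.execute(
        f"UPDATE regexregisteredservice SET {assignments} "
        f"WHERE metadataLocation IS NOT NULL AND ({ANY_FLAG_NULL})"
    )
    conn.commit()
    return cur.rowcount


def read_flags(conn, name):
    """Current flag values for one service, keyed by column name."""
    columns = ", ".join(FLAG_COLUMNS)
    row = conn.execute(
        f"SELECT {columns} FROM regexregisteredservice WHERE name = ?", (name,)
    ).fetchone()
    return dict(zip(FLAG_COLUMNS, row))


if __name__ == "__main__":
    db = build_sample_registry()
    print("would fail to load:", saml_services_with_null_flags(db))
    print("rows repaired:", apply_saml_flag_defaults(db))
    print("still failing:", saml_services_with_null_flags(db))
    print("partial-sp:", read_flags(db, "partial-sp"))
```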


[cas-user] Upgrading from 5.1 to 5.3 with JPA service registry and SAML 2 services

2020-02-05 Thread Richard Frovarp
Looks like there was a change to how SAML 2 services were defined in CAS 
5.2. So when Hibernate brings those back in, it's failing to create the 
object. My guess is that since there isn't anything there in the 
serialized form, it is trying to set a boolean to null, which doesn't 
work well for primitives. I haven't been able to find any upgrade 
instructions to handle this. Are there any? Or are we going to need to 
delete our SAML 2 services first, and then recreate?

org.hibernate.PropertyAccessException: Null value was assigned to a property 
[class org.apereo.cas.support.saml.services.SamlRegisteredService.skipGeneratingAssertionNameId] 
of primitive type setter of 
org.apereo.cas.support.saml.services.SamlRegisteredService.skipGeneratingAssertionNameId


Thanks,

Richard



Re: [cas-user] CAS, Chrome 80 and SameSite cookies policy

2020-01-30 Thread Richard Frovarp
From what I gather, it's mostly an SP issue. The SSO part might be an issue 
with the IdP, and the fix for it might kill some versions of Safari. It's best 
to test with Firefox as it doesn't have a two minute grace period. This is 
what I've gleaned from the Shibboleth list. Their documentation is here:

https://wiki.shibboleth.net/confluence/display/IDP30/SameSite
https://wiki.shibboleth.net/confluence/display/SP3/SameSite

On 1/30/20 4:58 AM, Tobias Johansson wrote:
Hi!

I'm wondering what impact the new same site cookie policy in Chrome 80, to be 
released soon, will have?
I get warnings in the chrome console regarding CAS cookies without SameSite 
attribute. But I'm having trouble finding any information regarding this.
Should I be worried and how can I solve this? Any help would be greatly 
appreciated!

Thanks!
/Tobias


Re: [cas-user] Re: Cas java client

2019-12-07 Thread Richard Frovarp
The web.xml file is part of your web application. You need to modify that and 
include the required jar files.

From: cas-user@apereo.org  on behalf of KIRTI KHEDKAR 

Sent: Friday, December 6, 2019 10:09:56 PM
To: CAS Community 
Subject: [cas-user] Re: Cas java client

I got the source code of the Java client from GitHub but didn't get web.xml in 
that. Will it be created after the build or do we have to create it? And what is 
the correct location/path of the web.xml file?

On Friday, 6 December 2019 14:27:20 UTC+5:30, KIRTI KHEDKAR wrote:
Please tell me how to deploy Java CAS client



Re: [cas-user] Re: Cas java client

2019-12-06 Thread Richard Frovarp
Documentation can be found at 
https://github.com/apereo/java-cas-client/blob/master/README.md

Looks to be some good examples at https://cuit.columbia.edu/cas-authentication/java

From: cas-user@apereo.org  on behalf of KIRTI KHEDKAR 

Sent: Friday, December 6, 2019 6:52:45 AM
To: CAS Community 
Subject: [cas-user] Re: Cas java client

I'm trying to deploy using servlet filtering, please guide me.



On Friday, 6 December 2019 14:27:20 UTC+5:30, KIRTI KHEDKAR wrote:
Please tell me how to deploy Java CAS client



Re: [cas-user] Cas java client

2019-12-06 Thread Richard Frovarp
That will depend on how you plan to use it. You will need to provide more 
details. Some of the common ways to use it in Java are the servlet filter, 
Spring Security, and Apache Shiro.

From: cas-user@apereo.org  on behalf of KIRTI KHEDKAR 

Sent: Friday, December 6, 2019 02:57
To: CAS Community 
Subject: [cas-user] Cas java client

Please tell me how to deploy Java CAS client



Re: [cas-user] CAS - Form Based Login

2019-11-21 Thread Richard Frovarp
Yeah, I think that should work. I've done it once or twice for a web 
application. You'll have to bring in the CAS Servlet filter to do it. Pretty 
much everything of mine is using Apache Shiro for security, so I'm not very 
familiar with the servlet based security constraints.  
https://github.com/apereo/java-cas-client/blob/master/README.md

On 11/21/19 1:00 AM, Steve Cheung wrote:
Hi Richard,

Thanks for your clarification. I think it is ok to use the CAS login page for 
the login. However, is it still possible to preserve the security-constraint 
setting in the web.xml? Or do you have any recommendation on how to integrate 
this web app with CAS?



Thanks, Steve


On Wednesday, 20 November 2019 23:54:39 UTC+8, richard.frovarp wrote:
The point of doing federated authentication is that you don't login through the 
application anymore. So you no longer need the login form. It becomes a button 
like all of the login with Facebook, Google, Twitter, etc options you see on a 
variety of sites.

On 11/20/19 3:10 AM, Steve Cheung wrote:
Hi all,

I searched around the Java-Cas-Client readme and it said CAS supports JAAS. 
However, I really can't find much detail on how to configure it on my web 
application.

https://github.com/apereo/java-cas-client/blob/master/README.md


I wanna keep the form-based login in my web app and use the CAS backend as the 
authentication service. Does anyone have experience or a useful link for me?

For example, in web.xml, only the user with the admin role is able to access the 
/admin page:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>admin</role-name>
</security-role>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>

Many thanks, Steve



Re: [cas-user] IAM & SSO

2019-11-20 Thread Richard Frovarp
It depends on what you are after. You can do authentication checks for the 
whole service using the service access strategy:
https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Access-Strategy.html

You can also do attribute release in a lot of the authentication protocols that 
CAS uses. You release whatever attributes you feel like you need to, and then 
the application has them available for authorization. CAS could pull the list 
of groups an account is a member of through LDAP/AD and return that to the 
application. The application could then do authorization checks based on that 
information. You can also return something like a list of entitlements. Where 
and how you store those is up to you. Pulling it from the same system they 
authenticated against makes it easy to setup and get running. You could resolve 
all of the groups out of Grouper if you wanted.

In higher education there are a lot that are using Grouper for some of the 
problems. Internet2 is helping to move along the Grouper, Shibboleth, COManage, 
and midPoint combination. You can pretty easily swap CAS for Shibboleth, or run 
both. https://www.incommon.org/trusted-access/

On 11/20/19 6:00 AM, Ramakrishna G wrote:
Hi everyone,

A few questions for those of you who are using IAM plus SSO.

  1.  Does CAS support both authentication as well as authorization?
      *   If yes, can you please elaborate with documentation.
      *   If no, can any workaround be done on CAS to support authorization?
  2.  Which database to use? I figured out LDAP supports authorization, but are 
there some other db suggestions?
  3.  I am also curious to know the industry standard product for IAM & SSO. If 
possible, please share the technical stack used for the same.

We'd like to know what other folks are using for IAM & SSO, so that maybe we 
can make a better choice.

Thanks,
-Ram


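Richard's reply above leaves authorization to the application: CAS releases group memberships or entitlements as attributes and the application decides. The earlier CAS Management thread (adminRoles / authzAttributes) is the same question asked of one specific application. The following is an added example, not code from the CAS project or from java-cas-client: it parses a constructed CAS 3.0 serviceValidate response (the user, group DNs and entitlement URI are made-up placeholders) and authorizes by comparing whole attribute values, which also shows why a role list must not be split on commas when the roles are DNs, the failure mode Richard suspects in the management app but which the thread does not confirm.

```python
"""Authorization from attributes released in a CAS 3.0 validation response.

Added example, not code from the CAS project or the java-cas-client. The
response below is constructed; the user, group DNs and entitlement URI are
made-up placeholders standing in for the real values in the thread.
"""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed /p3/serviceValidate success response with multi-valued attributes.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>CN=cas-admins,OU=Groups,DC=example,DC=edu</cas:memberOf>
      <cas:memberOf>CN=staff,OU=Groups,DC=example,DC=edu</cas:memberOf>
      <cas:eduPersonEntitlement>https://example.edu/entitlement/cas-mgmt</cas:eduPersonEntitlement>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response, the other shape a validator must handle.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-placeholder not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_cas_response(xml_text):
    """Return {"user": ..., "attributes": {name: [values]}} on success,
    or {"error": code} when the server reports a validation failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "UNKNOWN"
        return {"error": code}
    attributes = {}
    container = success.find("cas:attributes", CAS_NS)
    if container is not None:
        for child in container:
            # Strip the namespace; attributes are multi-valued, so keep a list.
            name = child.tag.rsplit("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": success.findtext("cas:user", namespaces=CAS_NS),
            "attributes": attributes}


def is_authorized(attributes, authz_attribute, admin_roles):
    """Grant access when any released value of authz_attribute is one of the
    configured admin roles. Values are compared whole: a group DN contains
    commas, so splitting a role list on ',' leaves fragments such as
    'CN=cas-admins' that never equal a full memberOf value."""
    return any(value in admin_roles for value in attributes.get(authz_attribute, []))


def authorize_from_response(xml_text, authz_attribute, admin_roles):
    """Validate, then authorize; a failed validation is never authorized."""
    parsed = parse_cas_response(xml_text)
    if "error" in parsed:
        return False
    return is_authorized(parsed["attributes"], authz_attribute, admin_roles)


if __name__ == "__main__":
    dn_roles = {"CN=cas-admins,OU=Groups,DC=example,DC=edu"}
    fragments = {"CN=cas-admins", "OU=Groups", "DC=example", "DC=edu"}
    print("whole DN match:", authorize_from_response(SAMPLE_RESPONSE, "memberOf", dn_roles))
    print("comma-split fragments:", authorize_from_response(SAMPLE_RESPONSE, "memberOf", fragments))
    print("entitlement match:", authorize_from_response(
        SAMPLE_RESPONSE, "eduPersonEntitlement", {"https://example.edu/entitlement/cas-mgmt"}))
```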


Re: [cas-user] CAS - Form Based Login

2019-11-20 Thread Richard Frovarp
The point of doing federated authentication is that you don't login through the 
application anymore. So you no longer need the login form. It becomes a button 
like all of the login with Facebook, Google, Twitter, etc options you see on a 
variety of sites.

On 11/20/19 3:10 AM, Steve Cheung wrote:
Hi all,

I searched around the Java-Cas-Client readme and it said CAS supports JAAS. 
However, I really can't find much detail on how to configure it on my web 
application.

https://github.com/apereo/java-cas-client/blob/master/README.md


I wanna keep the form-based login in my web app and use the CAS backend as the 
authentication service. Does anyone have experience or a useful link for me?

For example, in web.xml, only the user with the admin role is able to access the 
/admin page:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>admin</role-name>
</security-role>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>

Many thanks, Steve



Re: [cas-user] How to install CAS 3.3 with Tomcat 8.0

2019-10-28 Thread Richard Frovarp
Apache Tomcat 8.0 is end of life, so it is no longer supported by the project. 
Hasn't been for a long time. v8.5 is still supported.

On 10/25/19 11:54 PM, Carlota Viña wrote:
Hi Richard,

Thank you for the message.

What does it mean that Tomcat 8 is EOL?

Best wishes,

Carlota

On Fri, 25 Oct 2019 at 21:22, Richard Frovarp 
(mailto:richard.frov...@ndsu.edu) wrote:
Tomcat 8 is also EOL.


On 10/25/19 1:29 PM, Ray Bon wrote:
Carlota,

Out of curiosity, why are you bound to an ancient, unsupported, and insecure 
version of CAS?

Maven can be downloaded, https://maven.apache.org/

Have you found any documentation on CAS 3.3?

I suspect that you will spend more time trying to figure out how to install and 
run CAS 3.3 than changing the requirements. There have been a lot of 
improvements to CAS in the more than 5 years since I have been using it (which 
was after 3.3).

Lastly, when you have troubles (and you will), no one has the knowledge to help 
you.

Ray

On Fri, 2019-10-25 at 10:04 -0700, CarlotaVina wrote:
Hello,

Recently I started to work on a project with Java 1.8 and Tomcat 8.0. We don't 
have Maven. One of the requirements is to install CAS 3.3 with Tomcat 8.0. The 
project is old and we can't change these requirements.

I don't know how to install CAS 3.3 with Tomcat 8.0.


Could somebody help me?


Best wishes,

Carlota

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/01e0ceeccdfc1139211302198b6066aa48d2cfaf.camel%40uvic.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/01e0ceeccdfc1139211302198b6066aa48d2cfaf.camel%40uvic.ca?utm_medium=email_source=footer>.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to a topic in the Google 
Groups "CAS Community" group.
To unsubscribe from this topic, visit 
https://groups.google.com/a/apereo.org/d/topic/cas-user/q39gJhUk2w8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to 
cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6d9aa635-363f-0a36-f5fd-fda29745d9f3%40ndsu.edu<https://groups.google.com/a/apereo.org/d/msgid/cas-user/6d9aa635-363f-0a36-f5fd-fda29745d9f3%40ndsu.edu?utm_medium=email_source=footer>.



Re: [cas-user] How to install CAS 3.3 with Tomcat 8.0

2019-10-25 Thread Richard Frovarp
The 3.4 method was to create a Maven overlay and build a war from there. I 
think there was a special config file. Don't remember how that was referenced. 
You'll need to dig into old documentation.

You can probably do it without Maven, but it would be a giant pain. Maven is a 
build tool and in this case is gathering all of the dependencies and putting 
them into a war. You could likely work your way through each dependency, find 
their dependencies, find their dependencies, etc., and grab each one off of 
maven.org, and build the war by hand. But I don't know why you would want to 
subject yourself to that.


On 10/25/19 12:04 PM, CarlotaVina wrote:
Hello,

Recently I started to work on a project with Java 1.8 and Tomcat 8.0. We don't 
have Maven. One of the requirements is to install CAS 3.3 with Tomcat 8.0. The 
project is old and we can't change these requirements.

I don't know how to install CAS 3.3 with Tomcat 8.0


Could somebody help me?


Best wishes,

Carlota

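An added example, not code from this thread or from the CAS project: if you do go the no-Maven route Richard describes and pull artifacts off Maven Central by hand, the one step worth scripting is checking what you downloaded before it lands in Tomcat's webapps directory. Central publishes a .sha1 sidecar next to every artifact, so a hand-fetched WAR can at least be checked against the digest the repository published. The script assumes the Maven Central directory layout (group path / artifact / version / artifact-version.extension), the coordinates org.jasig.cas:cas-server-webapp for the CAS 3.x web application WAR (the same artifact the Maven overlay builds on), a version string such as 3.3.5 that you would have to confirm exists on Central, a CATALINA_HOME pointing at the Tomcat 8.0 install, and the context name "cas"; all of those are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the cas-user thread or the CAS project.
# Fetch a CAS WAR from Maven Central by hand and verify its published SHA-1
# before copying it into Tomcat. Assumptions (not stated in the thread):
#   - coordinates org.jasig.cas:cas-server-webapp:<version>:war
#   - Central layout https://repo1.maven.org/maven2/<group path>/<artifact>/<version>/<artifact>-<version>.<ext>
#   - a "3.3.5"-style version that actually exists on Central
#   - CATALINA_HOME is the Tomcat 8.0 install, context name "cas"
set -eu

# Build the canonical Maven Central URL for groupId artifactId version extension.
maven_central_url() {
    group_path=$(printf '%s' "$1" | tr '.' '/')
    printf 'https://repo1.maven.org/maven2/%s/%s/%s/%s-%s.%s\n' \
        "$group_path" "$2" "$3" "$2" "$3" "$4"
}

# SHA-1 of a file as lowercase hex, using whichever tool the host has.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Compare a file ($1) against the digest in a .sha1 sidecar ($2).
# Central's .sha1 files hold the hex digest, sometimes followed by a file
# name, so only the first field of the first line is used. Case is
# normalised. Returns 0 on match, 1 on mismatch.
verify_sha1() {
    expected=$(awk '{print tolower($1); exit}' "$2")
    actual=$(sha1_of "$1")
    [ "$expected" = "$actual" ]
}

# Download the WAR and its .sha1 sidecar, verify, and only then copy the WAR
# into Tomcat's webapps directory. A mismatch removes the download and fails.
# Note that a matching digest only proves you got the artifact Central
# published; it says nothing about how current or safe that release is.
fetch_and_deploy_cas() {
    version=$1
    catalina_home=${2:-${CATALINA_HOME:?set CATALINA_HOME or pass it as \$2}}
    url=$(maven_central_url org.jasig.cas cas-server-webapp "$version" war)
    curl -fsSLo cas.war "$url"
    curl -fsSLo cas.war.sha1 "$url.sha1"
    if ! verify_sha1 cas.war cas.war.sha1; then
        echo "SHA-1 mismatch for $url; refusing to deploy" >&2
        rm -f cas.war cas.war.sha1
        return 1
    fi
    cp cas.war "$catalina_home/webapps/cas.war"
    echo "deployed $url to $catalina_home/webapps/cas.war"
}

# Usage (assumed version and Tomcat path):
#   fetch_and_deploy_cas 3.3.5 /opt/tomcat8
```

The functions are defined without being invoked so the file can be sourced and the pieces reused; call fetch_and_deploy_cas with the version you have confirmed on Central. If you do want the dependency-by-dependency route Richard outlines, the same URL builder and verify_sha1 pair applies to each JAR you fetch, with the extension set to jar.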
