Re: [cas-user] CAS 7.0.3: missing LDAP principal attributes when using DUO MFA

2024-04-17 Thread Mike S
You're right! Removing support-surrogate-webflow allows merging to proceed 
properly. Think this will be addressed in 7.1, or is this working as 
intended and we have to do something else to enable proper attribute 
merging? 

On Tuesday, April 16, 2024 at 8:55:32 p.m. UTC-2:30 Ray Bon wrote:

> I have been able to confirm that the presence of the surrogate log in 
> feature can create the observed problem. 
>
> implementation "org.apereo.cas:cas-server-support-surrogate-webflow"
>
> The non merging of attributes happens even though no surrogate login takes 
> place.
>
> Ray
>
> On Mon, 2024-04-15 at 12:30 -0700, Mike S wrote:
>
> FYI, downgrading to 6.6.13 works. DUO universal prompt functions properly 
> and the principal attributes are from LDAP only. I'm suspicious that 
> something about DUO and/or MFA is broken in CAS 7.0.3.
>
> On Monday, April 15, 2024 at 2:10:54 p.m. UTC-2:30 Mike S wrote:
>
> Hi Ray,
>
> it was in /etc/cas/config/log4j2.xml, setting the log level to debug:
>
> 
> 
> /var/log/cas
> *debug*
>
> On Saturday, April 13, 2024 at 1:48:06 a.m. UTC-2:30 Ray Bon wrote:
>
> Mike,
>
> What logger did you enable to see this?
>
> Ray
>
> On Fri, 2024-04-12 at 11:36 -0700, Mike S wrote:
>
> Thanks for your response Ray. I've been banging my head against this for a 
> while and I thought it was something I was missing. I've verified the 
> conflict resolver option doesn't work.
>
> The debug log output shows the LDAP and DUO attributes at one point
> are merged, but the result is discarded.
>
> Is there a suggested workaround?
>
> On Friday, April 12, 2024 at 12:24:47 p.m. UTC-2:30 Ray Bon wrote:
>
> Mike,
>
> I can confirm this behaviour.
> DefaultPrincipalElectionStrategy was changed between 6.5 and 7.0. The 
> change was in 5bcef20 about 5 months ago.
>
> The old behaviour was to select the first principal in a list; new
> behaviour defaults to last.
> Even setting this property,
>
> cas.person-directory.principal-resolution-conflict-strategy=first
>
> does not work.
>
> Printing the list of principals immediately before 
> PrincipalElectionStrategyConflictResolver is invoked:
>
> 2024-04-11 23:40:23,144 ERROR [ 
> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] -  SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], 
> description=[ROLE_ADMIN], domain=[uvic.ca], ...
> 2024-04-11 23:40:23,144 ERROR [ 
> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] -  SimplePrincipal(id=rbon, attributes={duoAud=[...], 
> duoAuthCtxAccessDeviceIp=[...], ...
>
> The principal id's are the same (so merging attributes should work). 
>
> Our setup fetches attributes after authentication (instead of at the time 
> of authentication) but before duo flow.
>
> I will investigate if there is an effect of when ldap attributes are 
> retrieved; as well as look into other possible config settings that might 
> affect attribute merging.
>
> Ray
>
>
> On Wed, 2024-04-10 at 12:47 -0700, Mike S wrote:
>
>
> (Apologies for the repost. The CAS version has been added in the subject 
> line as well as the cas.properties file)
>
> We are testing a CAS 7.0.3 POC system using universal prompt DUO MFA. The 
> system is configured to use OpenLDAP for authentication. However, once DUO 
> MFA is enabled via the Fawnoos blog entry, the attributes returned for the 
> principal are from DUO.
>
> How do we tell CAS to only use the LDAP attribute repository?
>
> Thanks,
> Mike
>
> *cas.properties*
>
> cas.server.name=https://cas-poc.xxx.yyy
> cas.server.prefix=${cas.server.name}/cas
> cas.server.scope=xxx.yyy
> cas.host.name=xxx.yyy
>
> logging.config: file:/etc/cas/config/log4j2.xml
> logging.level.org.apereoi.cas=debug
>
> server.port=8443
> server.ssl.enabled=true
> server.ssl.protocol=TLS
> server.ssl.key-store=file:/etc/cas/config/keystore.jks
> server.ssl.key-store-password=XXX
> server.ssl.key-password=Y
> server.ssl.key-store-type=JKS
> server.ssl.key-alias=default
>
> server.servlet.context-path=/cas
> server.servlet.application-display-name=cas
>
> cas.server.tomcat.http[0].enabled=false
> cas.server.tomcat.http-proxy

Re: [cas-user] CAS 7.0.3: missing LDAP principal attributes when using DUO MFA

2024-04-15 Thread Mike S
FYI, downgrading to 6.6.13 works. DUO universal prompt functions properly 
and the principal attributes are from LDAP only. I'm suspicious that 
something about DUO and/or MFA is broken in CAS 7.0.3.

On Monday, April 15, 2024 at 2:10:54 p.m. UTC-2:30 Mike S wrote:

> Hi Ray,
>
> it was in /etc/cas/config/log4j2.xml, setting the log level to debug:
>
> 
> 
> /var/log/cas
> *debug*
>
> On Saturday, April 13, 2024 at 1:48:06 a.m. UTC-2:30 Ray Bon wrote:
>
>> Mike,
>>
>> What logger did you enable to see this?
>>
>> Ray
>>
>> On Fri, 2024-04-12 at 11:36 -0700, Mike S wrote:
>>
>> Thanks for your response Ray. I've been banging my head against this for 
>> a while and I thought it was something I was missing. I've verified the 
>> conflict resolver option doesn't work.
>>
>> The debug log output shows the LDAP and DUO attributes at one point
>> are merged, but the result is discarded.
>>
>> Is there a suggested workaround?
>>
>> On Friday, April 12, 2024 at 12:24:47 p.m. UTC-2:30 Ray Bon wrote:
>>
>> Mike,
>>
>> I can confirm this behaviour.
>> DefaultPrincipalElectionStrategy was changed between 6.5 and 7.0. The 
>> change was in 5bcef20 about 5 months ago.
>>
>> The old behaviour was to select the first principal in a list; new
>> behaviour defaults to last.
>> Even setting this property,
>>
>> cas.person-directory.principal-resolution-conflict-strategy=first
>>
>> does not work.
>>
>> Printing the list of principals immediately before 
>> PrincipalElectionStrategyConflictResolver is invoked:
>>
>> 2024-04-11 23:40:23,144 ERROR [ 
>> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] - > SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], 
>> description=[ROLE_ADMIN], domain=[uvic.ca], ...
>> 2024-04-11 23:40:23,144 ERROR [ 
>> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] - > SimplePrincipal(id=rbon, attributes={duoAud=[...], 
>> duoAuthCtxAccessDeviceIp=[...], ...
>>
>> The principal id's are the same (so merging attributes should work). 
>>
>> Our setup fetches attributes after authentication (instead of at the time 
>> of authentication) but before duo flow.
>>
>> I will investigate if there is an effect of when ldap attributes are 
>> retrieved; as well as look into other possible config settings that might 
>> affect attribute merging.
>>
>> Ray
>>
>>
>> On Wed, 2024-04-10 at 12:47 -0700, Mike S wrote:
>>
>>
>> (Apologies for the repost. The CAS version has been added in the subject 
>> line as well as the cas.properties file)
>>
>> We are testing a CAS 7.0.3 POC system using universal prompt DUO MFA. The 
>> system is configured to use OpenLDAP for authentication. However, once DUO 
>> MFA is enabled via the Fawnoos blog entry, the attributes returned for the 
>> principal are from DUO.
>>
>> How do we tell CAS to only use the LDAP attribute repository?
>>
>> Thanks,
>> Mike
>>
>> *cas.properties*
>>
>> cas.server.name=https://cas-poc.xxx.yyy
>> cas.server.prefix=${cas.server.name}/cas
>> cas.server.scope=xxx.yyy
>> cas.host.name=xxx.yyy
>>
>> logging.config: file:/etc/cas/config/log4j2.xml
>> logging.level.org.apereoi.cas=debug
>>
>> server.port=8443
>> server.ssl.enabled=true
>> server.ssl.protocol=TLS
>> server.ssl.key-store=file:/etc/cas/config/keystore.jks
>> server.ssl.key-store-password=XXX
>> server.ssl.key-password=Y
>> server.ssl.key-store-type=JKS
>> server.ssl.key-alias=default
>>
>> server.servlet.context-path=/cas
>> server.servlet.application-display-name=cas
>>
>> cas.server.tomcat.http[0].enabled=false
>> cas.server.tomcat.http-proxy.enabled=true
>> cas.server.tomcat.http-proxy.secure=false
>> cas.server.tomcat.http-proxy.scheme=https
>> cas.server.tomcat.http-proxy.protocol=HTTP/2
>> server.tomcat.remoteip.internal-proxies=AAA.BBB.CCC.DDD
>> server.tomcat.accesslog.request-attributes-enabled=true
>> server.tomcat.max-http-form-post-size=2097152
>> server.tomcat.max-threads=200
>>
>> [service registry config omitted]
>

Re: [cas-user] CAS 7.0.3: missing LDAP principal attributes when using DUO MFA

2024-04-15 Thread Mike S
Hi Ray,

it was in /etc/cas/config/log4j2.xml, setting the log level to debug:



/var/log/cas
*debug*

On Saturday, April 13, 2024 at 1:48:06 a.m. UTC-2:30 Ray Bon wrote:

> Mike,
>
> What logger did you enable to see this?
>
> Ray
>
> On Fri, 2024-04-12 at 11:36 -0700, Mike S wrote:
>
> Thanks for your response Ray. I've been banging my head against this for a 
> while and I thought it was something I was missing. I've verified the 
> conflict resolver option doesn't work.
>
> The debug log output shows the LDAP and DUO attributes at one point
> are merged, but the result is discarded.
>
> Is there a suggested workaround?
>
> On Friday, April 12, 2024 at 12:24:47 p.m. UTC-2:30 Ray Bon wrote:
>
> Mike,
>
> I can confirm this behaviour.
> DefaultPrincipalElectionStrategy was changed between 6.5 and 7.0. The 
> change was in 5bcef20 about 5 months ago.
>
> The old behaviour was to select the first principal in a list; new
> behaviour defaults to last.
> Even setting this property,
>
> cas.person-directory.principal-resolution-conflict-strategy=first
>
> does not work.
>
> Printing the list of principals immediately before 
> PrincipalElectionStrategyConflictResolver is invoked:
>
> 2024-04-11 23:40:23,144 ERROR [ 
> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] -  SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], 
> description=[ROLE_ADMIN], domain=[uvic.ca], ...
> 2024-04-11 23:40:23,144 ERROR [ 
> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] -  SimplePrincipal(id=rbon, attributes={duoAud=[...], 
> duoAuthCtxAccessDeviceIp=[...], ...
>
> The principal id's are the same (so merging attributes should work). 
>
> Our setup fetches attributes after authentication (instead of at the time 
> of authentication) but before duo flow.
>
> I will investigate if there is an effect of when ldap attributes are 
> retrieved; as well as look into other possible config settings that might 
> affect attribute merging.
>
> Ray
>
>
> On Wed, 2024-04-10 at 12:47 -0700, Mike S wrote:
>
>
> (Apologies for the repost. The CAS version has been added in the subject 
> line as well as the cas.properties file)
>
> We are testing a CAS 7.0.3 POC system using universal prompt DUO MFA. The 
> system is configured to use OpenLDAP for authentication. However, once DUO 
> MFA is enabled via the Fawnoos blog entry, the attributes returned for the 
> principal are from DUO.
>
> How do we tell CAS to only use the LDAP attribute repository?
>
> Thanks,
> Mike
>
> *cas.properties*
>
> cas.server.name=https://cas-poc.xxx.yyy
> cas.server.prefix=${cas.server.name}/cas
> cas.server.scope=xxx.yyy
> cas.host.name=xxx.yyy
>
> logging.config: file:/etc/cas/config/log4j2.xml
> logging.level.org.apereoi.cas=debug
>
> server.port=8443
> server.ssl.enabled=true
> server.ssl.protocol=TLS
> server.ssl.key-store=file:/etc/cas/config/keystore.jks
> server.ssl.key-store-password=XXX
> server.ssl.key-password=Y
> server.ssl.key-store-type=JKS
> server.ssl.key-alias=default
>
> server.servlet.context-path=/cas
> server.servlet.application-display-name=cas
>
> cas.server.tomcat.http[0].enabled=false
> cas.server.tomcat.http-proxy.enabled=true
> cas.server.tomcat.http-proxy.secure=false
> cas.server.tomcat.http-proxy.scheme=https
> cas.server.tomcat.http-proxy.protocol=HTTP/2
> server.tomcat.remoteip.internal-proxies=AAA.BBB.CCC.DDD
> server.tomcat.accesslog.request-attributes-enabled=true
> server.tomcat.max-http-form-post-size=2097152
> server.tomcat.max-threads=200
>
> [service registry config omitted]
>
> cas.authn.accept.users=
> cas.authn.accept.enabled=false
>
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldap-url=ldaps://ldap1.xxx.yyy,ldaps://ldap2.xxx.yyy
> cas.authn.ldap[0].base-dn=dc=xxx,dc=yyy
> cas.authn.ldap[0].search-filter=(|(uid={user})(mailAddress={user}))
> cas.authn.ldap[0].bind-dn=uid=ro-ldap-user,ou=users,dc=xxx,dc=yyy
> cas.authn.ldap[0].bind-credential=XX
>
> cas.authn.ldap[0].principal-attribute-list=altEmailaltEmailDate,authViaAltEmailVerificationKey,[...]
>
> cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
> cas.authn.mfa.duo[0].account-status-enabled=true
> cas.authn.mfa.duo[0].duo-secret-key=XX
> cas.authn.mfa.duo[0].duo-integratio

Re: [cas-user] CAS 7.0.3: missing LDAP principal attributes when using DUO MFA

2024-04-12 Thread Mike S
Thanks for your response Ray. I've been banging my head against this for a 
while and I thought it was something I was missing. I've verified the 
conflict resolver option doesn't work.

The debug log output shows the LDAP and DUO attributes at one point
are merged, but the result is discarded. 

Is there a suggested workaround?

On Friday, April 12, 2024 at 12:24:47 p.m. UTC-2:30 Ray Bon wrote:

> Mike,
>
> I can confirm this behaviour.
> DefaultPrincipalElectionStrategy was changed between 6.5 and 7.0. The 
> change was in 5bcef20 about 5 months ago.
>
> The old behaviour was to select the first principal in a list; new
> behaviour defaults to last.
> Even setting this property,
>
> cas.person-directory.principal-resolution-conflict-strategy=first
>
> does not work.
>
> Printing the list of principals immediately before 
> PrincipalElectionStrategyConflictResolver is invoked:
>
> 2024-04-11 23:40:23,144 ERROR [ 
> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] -  SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], 
> description=[ROLE_ADMIN], domain=[uvic.ca], ...
> 2024-04-11 23:40:23,144 ERROR [ 
> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] -  SimplePrincipal(id=rbon, attributes={duoAud=[...], 
> duoAuthCtxAccessDeviceIp=[...], ...
>
> The principal id's are the same (so merging attributes should work). 
>
> Our setup fetches attributes after authentication (instead of at the time 
> of authentication) but before duo flow.
>
> I will investigate if there is an effect of when ldap attributes are 
> retrieved; as well as look into other possible config settings that might 
> affect attribute merging.
>
> Ray
>
>
> On Wed, 2024-04-10 at 12:47 -0700, Mike S wrote:
>
>
> (Apologies for the repost. The CAS version has been added in the subject 
> line as well as the cas.properties file)
>
> We are testing a CAS 7.0.3 POC system using universal prompt DUO MFA. The 
> system is configured to use OpenLDAP for authentication. However, once DUO 
> MFA is enabled via the Fawnoos blog entry, the attributes returned for the 
> principal are from DUO.
>
> How do we tell CAS to only use the LDAP attribute repository?
>
> Thanks,
> Mike
>
> *cas.properties*
>
> cas.server.name=https://cas-poc.xxx.yyy
> cas.server.prefix=${cas.server.name}/cas
> cas.server.scope=xxx.yyy
> cas.host.name=xxx.yyy
>
> logging.config: file:/etc/cas/config/log4j2.xml
> logging.level.org.apereoi.cas=debug
>
> server.port=8443
> server.ssl.enabled=true
> server.ssl.protocol=TLS
> server.ssl.key-store=file:/etc/cas/config/keystore.jks
> server.ssl.key-store-password=XXX
> server.ssl.key-password=Y
> server.ssl.key-store-type=JKS
> server.ssl.key-alias=default
>
> server.servlet.context-path=/cas
> server.servlet.application-display-name=cas
>
> cas.server.tomcat.http[0].enabled=false
> cas.server.tomcat.http-proxy.enabled=true
> cas.server.tomcat.http-proxy.secure=false
> cas.server.tomcat.http-proxy.scheme=https
> cas.server.tomcat.http-proxy.protocol=HTTP/2
> server.tomcat.remoteip.internal-proxies=AAA.BBB.CCC.DDD
> server.tomcat.accesslog.request-attributes-enabled=true
> server.tomcat.max-http-form-post-size=2097152
> server.tomcat.max-threads=200
>
> [service registry config omitted]
>
> cas.authn.accept.users=
> cas.authn.accept.enabled=false
>
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldap-url=ldaps://ldap1.xxx.yyy,ldaps://ldap2.xxx.yyy
> cas.authn.ldap[0].base-dn=dc=xxx,dc=yyy
> cas.authn.ldap[0].search-filter=(|(uid={user})(mailAddress={user}))
> cas.authn.ldap[0].bind-dn=uid=ro-ldap-user,ou=users,dc=xxx,dc=yyy
> cas.authn.ldap[0].bind-credential=XX
>
> cas.authn.ldap[0].principal-attribute-list=altEmailaltEmailDate,authViaAltEmailVerificationKey,[...]
>
> cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
> cas.authn.mfa.duo[0].account-status-enabled=true
> cas.authn.mfa.duo[0].duo-secret-key=XX
> cas.authn.mfa.duo[0].duo-integration-key=Y
> cas.authn.mfa.duo[0].duo-api-host=ZZ
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b07dcb6c-4c61-4823-9822-1efb0ad53c78n%40apereo.org.
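
The behaviour described in the quoted reply above (two principals with the same id, one of them elected, attributes either merged or dropped) can be modelled in a few lines. This is an added example, not CAS source code and not part of the thread; every class and function name is hypothetical and the duo* values are constructed.

```python
"""Simplified model of electing one principal from several with the same id.

Added illustration, not Apereo CAS source code: every class and function name
here is hypothetical. Attribute names come from the log excerpt quoted in the
thread; the duo* values are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    id: str
    attributes: dict = field(default_factory=dict)


def elect(principals, strategy="last"):
    """Return the winning principal: the 'first' or the 'last' in the chain."""
    if not principals:
        raise ValueError("no principals to elect from")
    if strategy not in ("first", "last"):
        raise ValueError(f"unknown strategy: {strategy!r}")
    return principals[0] if strategy == "first" else principals[-1]


def merge_attributes(principals, winner_id):
    """Union the attributes of every principal that shares the winning id."""
    merged = {}
    for principal in principals:
        if principal.id != winner_id:
            continue  # never fold another identity's attributes into the winner
        for name, values in principal.attributes.items():
            bucket = merged.setdefault(name, [])
            for value in values:
                if value not in bucket:
                    bucket.append(value)
    return merged


def resolve(principals, strategy="last", merge=True):
    """Elect a principal, then merge same-id attributes or keep only its own."""
    winner = elect(principals, strategy)
    if merge:
        attributes = merge_attributes(principals, winner.id)
    else:
        attributes = {k: list(v) for k, v in winner.attributes.items()}
    return Principal(winner.id, attributes)


def lost_attributes(principals, resolved):
    """Names carried by a same-id principal in the chain but absent from the result."""
    expected = set(merge_attributes(principals, resolved.id))
    return sorted(expected - set(resolved.attributes))


# Constructed sample mirroring the two principals printed in the quoted log.
LDAP_PRINCIPAL = Principal("rbon", {
    "cn": ["Ray Bon"],
    "description": ["ROLE_ADMIN"],
    "domain": ["uvic.ca"],
})
DUO_PRINCIPAL = Principal("rbon", {
    "duoAud": ["placeholder-aud"],
    "duoAuthCtxAccessDeviceIp": ["192.0.2.10"],
})
SAMPLE_CHAIN = [LDAP_PRINCIPAL, DUO_PRINCIPAL]

if __name__ == "__main__":
    for strategy, merge in (("last", False), ("first", False), ("last", True)):
        result = resolve(SAMPLE_CHAIN, strategy, merge)
        print(f"strategy={strategy:5} merge={merge!s:5} "
              f"attributes={sorted(result.attributes)} "
              f"lost={lost_attributes(SAMPLE_CHAIN, result)}")
```

With `description=[ROLE_ADMIN]` among the dropped names, a service that authorizes on that attribute would see the user without the role, so a post-upgrade check on the released attribute set is worth keeping.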


[cas-user] CAS 7.0.3: missing LDAP principal attributes when using DUO MFA

2024-04-10 Thread Mike S
(Apologies for the repost. The CAS version has been added in the subject 
line as well as the cas.properties file)

We are testing a CAS 7.0.3 POC system using universal prompt DUO MFA. The 
system is configured to use OpenLDAP for authentication. However, once DUO 
MFA is enabled via the Fawnoos blog entry, the attributes returned for the 
principal are from DUO. 

How do we tell CAS to only use the LDAP attribute repository?

Thanks,
Mike

*cas.properties*

cas.server.name=https://cas-poc.xxx.yyy
cas.server.prefix=${cas.server.name}/cas
cas.server.scope=xxx.yyy
cas.host.name=xxx.yyy

logging.config: file:/etc/cas/config/log4j2.xml
logging.level.org.apereoi.cas=debug

server.port=8443
server.ssl.enabled=true
server.ssl.protocol=TLS
server.ssl.key-store=file:/etc/cas/config/keystore.jks
server.ssl.key-store-password=XXX
server.ssl.key-password=Y
server.ssl.key-store-type=JKS
server.ssl.key-alias=default

server.servlet.context-path=/cas
server.servlet.application-display-name=cas

cas.server.tomcat.http[0].enabled=false
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.secure=false
cas.server.tomcat.http-proxy.scheme=https
cas.server.tomcat.http-proxy.protocol=HTTP/2
server.tomcat.remoteip.internal-proxies=AAA.BBB.CCC.DDD
server.tomcat.accesslog.request-attributes-enabled=true
server.tomcat.max-http-form-post-size=2097152
server.tomcat.max-threads=200

[service registry config omitted]

cas.authn.accept.users=
cas.authn.accept.enabled=false

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldap-url=ldaps://ldap1.xxx.yyy,ldaps://ldap2.xxx.yyy
cas.authn.ldap[0].base-dn=dc=xxx,dc=yyy
cas.authn.ldap[0].search-filter=(|(uid={user})(mailAddress={user}))
cas.authn.ldap[0].bind-dn=uid=ro-ldap-user,ou=users,dc=xxx,dc=yyy
cas.authn.ldap[0].bind-credential=XX
cas.authn.ldap[0].principal-attribute-list=altEmailaltEmailDate,authViaAltEmailVerificationKey,[...]

cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
cas.authn.mfa.duo[0].account-status-enabled=true
cas.authn.mfa.duo[0].duo-secret-key=XX
cas.authn.mfa.duo[0].duo-integration-key=Y
cas.authn.mfa.duo[0].duo-api-host=ZZ



[cas-user] Re: LDAP authentication with DUO MFA only returning DUO attributes

2024-04-01 Thread Mike S

Hi Ocean, thanks for your reply. Yes, all LDAP attributes are missing. 
Merging attributes is supposed to be the default behaviour, but clearly 
something is up!

On Saturday, March 30, 2024 at 1:05:07 a.m. UTC-2:30 Ocean Liu wrote:

> Hi Mike,
>
> Our set up is very similar with yours: CAS 7, LDAP for authentication and 
> attribute repository, DUO MFA enabled.
>
> We migrated from CAS 5.3, we noticed CAS 7 with DUO does add duo related 
> attribute to the principal.
> However we can still see the attributes from the LDAP authentication and 
> attribute repository.
>
> > the attributes returned for the principal are from DUO
> Are you noticing the attributes from your LDAP ***missing***? If so, that 
> is not normal.
>
> > How do we tell CAS to only use the LDAP attribute repository?
> I don't think there is a way to do this via configuration, your only hope 
> probably will be via customization.
>
> Best,
>
> Ocean
>
> On Thursday, March 28, 2024 at 10:31:10 AM UTC-7 Mike S wrote:
>
> Hi all,
>
> Our CAS 7.0 system is configured to use OpenLDAP for authentication and 
> the attribute repository. However, once DUO MFA is enabled via the Fawnoos 
> blog entry, the attributes returned for the principal are from DUO. How do 
> we tell CAS to only use the LDAP attribute repository?
>
> Thanks,
> Mike
>
>
>
>
>



[cas-user] LDAP authentication with DUO MFA only returning DUO attributes

2024-03-28 Thread Mike S
Hi all,

Our CAS 7.0 system is configured to use OpenLDAP for authentication and the 
attribute repository. However, once DUO MFA is enabled via the Fawnoos blog 
entry, the attributes returned for the principal are from DUO. How do we 
tell CAS to only use the LDAP attribute repository?

Thanks,
Mike






[cas-user] Upgrade from 6.2 to 6.5 delegated to AzureAD issue

2022-08-04 Thread Isan S

We are having an issue with the upgrade from 6.2 to 6.5.6: when accessing the
CAS login URL, it shows an ERROR in the log. I can log in to Azure AD and it
redirects back to the client application, so login functionality seems to be
working. We enabled JSON service registration, Hazelcast, LDAP, delegated
authentication and surrogate. Does anyone know if I missed something in the
configuration?
Then I tested with lower version 6.4.6.4; there is no error in the log. So
I suspect the issue is related to the 6.5.x version.
DEBUG [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] -  | callbackUrlResolver: 
org.pac4j.core.http.callback.PathParameterCallbackUrlResolver@4c55e89c | 
ajaxRequestResolver: null | redirectionActionBuilder: null | 
credentialsExtractor: null | authenticator: null | profileCreator: 
org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4399e4b0 | 
logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@7f4e4a70 | 
authorizationGenerators: [] | configuration: #AzureAdOidcConfiguration# | 
clientId:  | secret: [protected] | discoveryURI:  | 
scope: null | customParams: {} | clientAuthenticationMethod: null | 
useNonce: false | preferredJwsAlgorithm: null | maxAge: null | 
maxClockSkew: 5 | connectTimeout: 5000 | readTimeout: 5000 | 
resourceRetriever: null | responseType: code | responseMode: null | 
logoutUrl:  | withState: true | stateGenerator: 
org.pac4j.core.util.generator.RandomValueGenerator@57cd438c | 
logoutHandler: null | tokenValidator: null | mappedClaims: {} | 
allowUnsignedIdTokens: false | |]]>

log from 6.5.6
ERROR 
[org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer]
 
-  | callbackUrlResolver: 
org.pac4j.core.http.callback.PathParameterCallbackUrlResolver@bd9bac8 | 
ajaxRequestResolver: 
org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@6f98b639 | 
redirectionActionBuilder: 
org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@10266771 | 
credentialsExtractor: 
org.pac4j.oidc.credentials.extractor.OidcExtractor@7d10cf80 | 
authenticator: 
org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@16913ae | 
profileCreator: 
org.pac4j.oidc.profile.azuread.AzureAdProfileCreator@2bea44c4 | 
logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@854a327 
| authorizationGenerators: [] | configuration: #AzureAdOidcConfiguration# | 
clientId:  | secret: [protected] | discoveryURI:  | 
scope: null | customParams: {} | clientAuthenticationMethod: null | 
useNonce: false | preferredJwsAlgorithm: null | maxAge: null | 
maxClockSkew: 5 | connectTimeout: 5000 | readTimeout: 5000 | 
resourceRetriever: 
org.pac4j.oidc.client.azuread.AzureAdResourceRetriever@73c30162 | 
responseType: code | responseMode: null | logoutUrl:  | 
withState: true | stateGenerator: 
org.pac4j.core.util.generator.RandomValueGenerator@24c6b371 | 
logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 1 | 
timeout: 30 | timeUnit: MINUTES | | destroySession: false | | 
tokenValidator: null | mappedClaims: {} | allowUnsignedIdTokens: false | |]>
2022-08-05 10:42:56,976 ERROR [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] -
java.lang.NullPointerException: null
    at org.apereo.cas.pac4j.client.DefaultDelegatedClientIdentityProviderRedirectionStrategy.getPrimaryDelegatedAuthenticationProvider(DefaultDelegatedClientIdentityProviderRedirectionStrategy.java:51) ~[cas-server-support-pac4j-core-6.5.6.jar:6.5.6]
    at org.apereo.cas.pac4j.client.ChainingDelegatedClientIdentityProviderRedirectionStrategy.lambda$getPrimaryDelegatedAuthenticationProvider$0(ChainingDelegatedClientIdentityProviderRedirectionStrategy.java:39) ~[cas-server-support-pac4j-core-6.5.6.jar:6.5.6]
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195) ~[?:?]
    at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1631) ~[?:?]
    at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127) ~[?:?]
    at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502) ~[?:?]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488) ~[?:?]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
    at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
    at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543) ~[?:?]
    at org.apereo.cas.pac4j.client.ChainingDelegatedClientIdentityProviderRedirectionStrategy.getPrimaryDelegatedAuthenticationProvider(ChainingDelegatedClientIdentityProviderRedirectionStrategy.java:42) ~[cas-server-support-pac4j-core-6.5.6.jar:6.5.6]
    at org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.lambda$produce$2(DefaultDelegatedClientIdentityProviderConfigurationProducer.java:74)

[cas-user] Re: Logout Redirect Issue

2022-06-15 Thread Dan S
I have some more information after testing yesterday.

I thought it was specific to the logout sent from my app but it's not. If I 
go to cas/login I can see all my information. If I use the logout link 
there with no redirect, it logs out of cas. I

If I enter cas/logout with a service redirect url in the browser, it goes 
to a blank screen. If I press enter on the url again while on the blank 
screen - it works. The only difference I can see in debug is that it 
recognizes that there is no cas session to terminate and it continues on to 
the service redirect. The debug for the first entry appears to work 
correctly -- the only part that seems to be missing is the last line that 
indicates it redirected to the external url.

If I use the cas.logout.redirect-url= parameter, the logout link on the 
page doesn't work. It just goes to the blank page. I can tell that cas has 
been logged out. It definitely doesn't continue to the redirect url or 
correctly show the cas logout page.

I am using a delegated login. In testing today, I am planning to enable the
regular login and see if logout works with that.

Dan

On Tuesday, June 14, 2022 at 10:30:42 AM UTC-5 Dan S wrote:

> I am working on upgrading our CAS instance from 6.1 to 6.5. I have been 
> able to get everything working as expected except the logout redirect.
>
> I am using the parameter:
> cas.logout.follow-service-redirects=true
>
> I have tried using the parameter for a redirect and setting the global 
> redirect.
>
> If you enter the logout url directly in the browser, it correctly sends 
> back a 302 and the browser is redirected.
>
> If we have an app that sends the browser to the cas logout url, cas sends 
> back a 200 response with a blank screen.
>
> Anyone have any ideas?
>
> Thanks,
>
> Dan
>
>



[cas-user] SAML payload larger than expected (mod_auth_cas and proxy_fcgi)

2022-02-08 Thread Alan S
I don't believe this is an issue with mod_auth_cas, but I could use some 
direction. 

A user with a large SAML memberships payload is not passing authentication 
due to the length:

[proxy_fcgi:warn] [pid 750194] [client xxx.xxx.xxx.xxx:57500] AH02536: 
couldn't encode envvar 'HTTP_SAML_MEMBEROF' in 16384 bytes

The total memberof attributes size is ~30 bytes, but I'm not sure where to 
increase this limit in the FCGI proxy module, or if, indeed, this is a good 
idea. For reference:

https://sources.debian.org/src/apache2/2.4.10-10+deb8u12/modules/proxy/mod_proxy_fcgi.c/#L237

Has anyone else experienced this that could provide some pointers?

Thank you!
-Alan



[cas-user] Re: REST authn with X.509

2021-04-14 Thread Petr Gašparík - AMI Praha a . s .
Solved.
Attributes need to be defined in the attribute resolution configuration - if 
nothing is used, then all attributes are fetched EXCEPT for some (e.g. 
operational).

https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap

On Wednesday, April 14, 2021 at 2:48:41 PM UTC+2 Petr Gašparík - AMI Praha 
a.s. wrote:

> Hi,
> we use *X.509 authentication on REST interface* of Apereo with LDAP 
> repository for attribute fetching (X509CredentialsAuthenticationHandler).
> In general, it works, but *we have troubles getting special attributes: 
> nsRole, nsRoleDN and dn*.
>
> When REST interface of Apereo is called with username/password 
> (LdapAuthenticationHandler), we get everything we need. 
>
> It is the same service, and cas.authn.ldap[0].* for username/password 
> (uid={user}) and cas.authn.attributeRepository.ldap[0].* for 
> certificate (certsn={user}) have the same configuration.
>
> Does that ring the bell for anyone?
>
> Thank you in advance, Petr
>



[cas-user] REST authn with X.509

2021-04-14 Thread Petr Gašparík - AMI Praha a . s .
Hi,
we use *X.509 authentication on REST interface* of Apereo with LDAP 
repository for attribute fetching (X509CredentialsAuthenticationHandler).
In general, it works, but *we have troubles getting special attributes: 
nsRole, nsRoleDN and dn*.

When REST interface of Apereo is called with username/password 
(LdapAuthenticationHandler), we get everything we need. 

It is the same service, and cas.authn.ldap[0].* for username/password 
(uid={user}) and cas.authn.attributeRepository.ldap[0].* for certificate 
(certsn={user}) have the same configuration.

Does that ring the bell for anyone?

Thank you in advance, Petr



[cas-user] Re: CSS Issues with CAS 6.3 and IE11

2021-02-25 Thread Alan S
I'm looking at this blindly, but you may be able to solve it with a media 
query in your CSS for targeting that browser:

```css
@media screen and (-ms-high-contrast: active), screen and (-ms-high-contrast: none) {
  main {
    display: block;
    min-width: 640px;
    width: 100%;
    /** or do whatever else is needed to force it into submission... **/
  }
}
```

You might have to specify an element other than `main` (whichever one's 
being unruly).

-Alan


On Thursday, February 25, 2021 at 12:33:48 PM UTC-6 Dustin J Luck wrote:

> I have found compatibility issues with CAS 6.3 in IE11 (screenshot below). 
> I have identified two distinct issues.
>
> 1. Icons are not displayed
> 2. Flex elements are not properly sized
>
>
> I have tried to figure out what I can change on my own, but haven't made 
> any progress. Personally, I'd be fine telling people not to use IE, 
> however, we have at least one SP (Adobe Acrobat on Windows) that uses IE 
> for its SSO process and can't be changed.
>
> Is there anyone out there with the CSS skills to take a look at this and 
> offer a solution?
>
>
> [image: CAS6.3-IE11.png]
>



[cas-user] Re: CAS Single logout case

2021-02-15 Thread nandini s
The solution was to add the below property in the cas.properties file:

cas.ticket.tgt.onlyTrackMostRecentSession=false

On Monday, 15 February 2021 at 11:45:14 UTC+5:30 nandini s wrote:

> Hi Team,
>
> We are on version 5.2.4 of CAS for our applications. We have a case where 
> single logout is not working. Below is the description:
>
> I open a browser window and login to my application through CAS(Tab 1). I 
> open the same application in the same browser window but different 
> tab(Tab2).  
>
> - When I logout from the application in Tab1, the Tab2 sessionId (ST 
>   ticket) is invalidated, which is correct behavior.
> - When I logout from the application in Tab2, the Tab1 sessionId is 
>   still valid and I am able to proceed with the session operations. This 
>   is the issue we are facing with SLO. 
>   - However, a refresh of Tab1 will take me to the login session
>
> These are the CAS properties w.r.t the logout and SLO:
> ## Logout ###
> cas.logout.followServiceRedirects=false
> cas.logout.redirectParameter=service
> cas.logout.confirmLogout=false
> # Single Logout  
> cas.slo.disabled=false
> cas.slo.asynchronous=true
>
> I use /serviceValidate endpoint of the CAS to validate the serviceTicket.
>

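A simplified model of the behaviour behind the fix in the message above, as an added example that is not part of the original post and not CAS source code. The class and function names and the service URL are hypothetical; it assumes CAS sends single-logout notices only for the service tickets the ticket-granting ticket still tracks, and that onlyTrackMostRecentSession=true keeps just the newest ticket per service URL.

```python
from urllib.parse import urlsplit


class TicketGrantingTicket:
    """Toy TGT that records which service tickets it has issued."""

    def __init__(self, only_track_most_recent_session):
        self.only_track_most_recent_session = only_track_most_recent_session
        self.services = {}  # service ticket id -> service URL
        self._counter = 0

    @staticmethod
    def _normalize(service_url):
        # Compare services without query string or fragment.
        parts = urlsplit(service_url)
        return f"{parts.scheme}://{parts.netloc}{parts.path}"

    def grant_service_ticket(self, service_url):
        self._counter += 1
        st = f"ST-{self._counter}"
        if self.only_track_most_recent_session:
            # Forget any earlier ticket issued for the same service.
            path = self._normalize(service_url)
            stale = [k for k, v in self.services.items()
                     if self._normalize(v) == path]
            for ticket in stale:
                del self.services[ticket]
        self.services[st] = service_url
        return st

    def logout(self):
        """Destroy the TGT; return the tickets that get an SLO notice."""
        notified = list(self.services)
        self.services.clear()
        return notified


class Application:
    """Toy CAS client that keys its local sessions by service ticket."""

    def __init__(self, url):
        self.url = url
        self.sessions = {}  # service ticket id -> tab name

    def login(self, tgt, tab):
        st = tgt.grant_service_ticket(self.url)
        self.sessions[st] = tab
        return st

    def end_session(self, st):
        # Used for both a local logout and an incoming SLO notice.
        self.sessions.pop(st, None)


def surviving_sessions(only_track_most_recent_session, logout_from):
    """Log in from Tab1 then Tab2, log out from one tab, and return
    the tabs whose application session is still alive afterwards."""
    tgt = TicketGrantingTicket(only_track_most_recent_session)
    app = Application("https://app.example.org/")  # constructed URL
    tickets = {"Tab1": app.login(tgt, "Tab1"),
               "Tab2": app.login(tgt, "Tab2")}
    app.end_session(tickets[logout_from])   # the tab's own logout
    for st in tgt.logout():                 # CAS single logout
        app.end_session(st)
    return sorted(app.sessions.values())


if __name__ == "__main__":
    for flag in (True, False):
        for tab in ("Tab1", "Tab2"):
            print(flag, tab, surviving_sessions(flag, tab))
```

With the setting at true, logging out from Tab2 leaves the Tab1 session alive because its ticket was dropped from tracking when Tab2 logged in, which is the symptom reported in the thread.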


[cas-user] Re: CAS Single logout case

2021-02-15 Thread nandini s
The solution was to add the below property in cas properties:
cas.ticket.tgt.onlyTrackMostRecentSession=false


On Monday, 15 February 2021 at 11:45:14 UTC+5:30 nandini s wrote:

> Hi Team,
>
> We are on version 5.2.4 of CAS for our applications. We have a case where 
> single logout is not working. Below is the description:
>
> I open a browser window and login to my application through CAS(Tab 1). I 
> open the same application in the same browser window but different 
> tab(Tab2).  
>
> - When I logout from the application in Tab1, the Tab2 sessionId (ST 
>   ticket) is invalidated, which is correct behavior.
> - When I logout from the application in Tab2, the Tab1 sessionId is 
>   still valid and I am able to proceed with the session operations. This 
>   is the issue we are facing with SLO. 
>   - However, a refresh of Tab1 will take me to the login session
>
> These are the CAS properties w.r.t the logout and SLO:
> ## Logout ###
> cas.logout.followServiceRedirects=false
> cas.logout.redirectParameter=service
> cas.logout.confirmLogout=false
> # Single Logout  
> cas.slo.disabled=false
> cas.slo.asynchronous=true
>
> I use /serviceValidate endpoint of the CAS to validate the serviceTicket.
>



[cas-user] CAS Single logout case

2021-02-14 Thread nandini s


Hi Team,

We are on version 5.2.4 of CAS for our applications. We have a case where 
single logout is not working. Below is the description:

I open a browser window and login to my application through CAS(Tab 1). I 
open the same application in the same browser window but different 
tab(Tab2).  

- When I logout from the application in Tab1, the Tab2 sessionId (ST 
  ticket) is invalidated, which is correct behavior.
- When I logout from the application in Tab2, the Tab1 sessionId is 
  still valid and I am able to proceed with the session operations. This is 
  the issue we are facing with SLO. 
  - However, a refresh of Tab1 will take me to the login session

These are the CAS properties w.r.t the logout and SLO:
## Logout ###
cas.logout.followServiceRedirects=false
cas.logout.redirectParameter=service
cas.logout.confirmLogout=false
# Single Logout  
cas.slo.disabled=false
cas.slo.asynchronous=true

I use /serviceValidate endpoint of the CAS to validate the serviceTicket.



Re: [cas-user] Looking for IAM solution

2020-05-07 Thread Petr Gašparík - AMI Praha a . s .
Second option (IMHO better, but that's point of view) is to use
Evolveum's midPoint.
It possesses a flexible authentication mechanism (
https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration),
so you can use Apereo CAS as SAML IdP and Evolveum midPoint as SAML SP, for
example.

Both Syncope and midPoint have been recognized even by Gartner as SSO
alternative to IAM (see latest magic quadrant).

Let me know if you need to continue on this deeper.

--

with best regards

*Petr Gašparík*
IT security consultant



On Thu, 7 May 2020 at 16:25, Fabio Martelli wrote:

> On 07/05/20 13:25, Kazim Koybasi wrote:
>
> Hello Fabio,
>
> Sure. Can you provide more information about it ?
>
> Hi Kazim, thank you for your question.
>
> First of all, a very brief introduction about Apache Syncope [1].
>
> Apache Syncope is an Open Source Identity Management software.
>
> Syncope allows to manage the entire identity lifecycle - be they users,
> groups or any objects.
> With deployment options either in cloud or on-premise, it offers advanced
> features for approval flows, event notifications, utility task execution
> and schedule, provisioning and reconciliation.
>
> It can be downloaded and deployed in production with no license fees
> (Apache License 2.0).
>
> Generally, Apache Syncope takes care of identity life-cycle management,
> while CAS provides access management  and Single Sign-On (SSO).
> Furthermore, Syncope itself can be configured in order to grant (CAS
> managed) SSO access to its own end-user and/or administration web console
> (SAML2, OAuth2 or JWT).
>
> Although the two main products provide already a very good joint work in
> order to implement a fully completed IAM solution (as proven by several
> installations around the world), there is a work in progress to make this
> cooperation stronger than now. Take a look at [2] to have an idea about.
>
> If you need enterprise support or consultancy, please take a look at
> commercial affiliates pages [3] and [4].
>
> I hope this will help you.
>
> Best regards,
>
> F.
>
> [1] http://syncope.apache.org
>
> [2]
> https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Syncope+3.0
>
> [3] https://www.apereo.org/content/commercial-affiliates
>
> [4] http://syncope.apache.org/professional-services
>
>
> Regards.
>
> On Thu, 7 May 2020 at 14:08, Fabio Martelli 
> wrote:
>
>> Hi Kazim, can I suggest a fully completed solution based on Apache
>> Syncope and Apereo CAS?
>>
>> Please let me know if you need more info/details
>>
>> Regards,
>> F.
>>
>> On Thu, 7 May 2020, 12:32 Kazim Koybasi wrote:
>>
>>> Hello,
>>>
>>> We are looking for an open source or proprietary IAM solution to use in
>>> our university infrastructure but we are using CAS for our SSO solution. We
>>> do not want to replace it so we want to use IAM together with CAS. Do you
>>> have any suggestions for opensource and proprietary solution that works
>>> with CAS together?
>>>
>>> Regards.

[cas-user] routing CAS logs from a docker container

2020-03-10 Thread K S
Has anyone set up CAS inside a Docker container? I am trying to route 
the CAS logs from the Docker container image to a fluentd listener. Let me 
know if it can be accomplished.

https://docs.fluentd.org/configuration/routing-examples



Re: [cas-user] Problem with logout in case several nodes of CAS and several nodes of Keycloak are used

2020-01-15 Thread Petr Gašparík - AMI Praha a . s .
Hi Maksim,
I have no experience with >2 nodes. Quick searching on Google (because
Apereo docs have broken links) leads me to:
https://www.ehcache.org/documentation/2.8/replication/rmi-replicated-caching.html


best regards

--

with best regards

*Petr Gašparík*
IT security consultant



On Wed, 15 Jan 2020 at 9:27, Petr Gašparík - AMI Praha a.s. <
petr.gaspa...@ami.cz> wrote:

> Maksim,
> you definitely need to set up High Availability with ticket registry
> replication:
>
> https://apereo.github.io/cas/6.1.x/high_availability/High-Availability-Guide.html#high-availability-guide-haclustering
>
>
> We use Ehcache for this (just two nodes), so we have:
>
>- cas.properties: cas.ticket.registry.ehcache.configLocation=ehcache-replicated.xml>
>- ehcache-replicated.xml - see attached: you need to deploy this on
>both nodes, and to specify port of one node as remotePort of another node.
>
> I hope this helps
>
> --
>
> with best regards
>
> *Petr Gašparík*
> IT security consultant
>
>
>
>
> On Tue, 14 Jan 2020 at 21:35, Ray Bon wrote:
>
>> Maksim,
>>
>> Default registry is in memory,
>> https://apereo.github.io/cas/6.1.x/ticketing/Default-Ticket-Registry.html
>> .
>> You will find it easier to start with a single CAS node.
>> See,
>> https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html,
>> for an approach to getting things set up.
>>
>> Ray
>>
>> On Tue, 2020-01-14 at 12:14 -0800, 'Maksim Kopeyka' via CAS Community
>> wrote:
>>
>> Ray,
>>
>> We didn't setup any registry configuration yet. We have several nodes of
>> CAS with load balancer.
>> I don't see any *cas.ticket.registry* properties in our config.
>>
>> Maksim
>>
>> On Tuesday, January 14, 2020 at 7:29:52 PM UTC+2, rbon wrote:
>>
>> Maksim,
>>
>> Most (all) of the ticket registries should be able to handle multi-node
>> CAS. Perhaps your registry configuration is incomplete.
>> What is your current config?
>>
>> Ray
>>
>> --
>>
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>
>> I respectfully acknowledge that my place of work is located within the
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>> WSÁNEĆ Nations.
>>
>



Re: [cas-user] Problem with logout in case several nodes of CAS and several nodes of Keycloak are used

2020-01-15 Thread Petr Gašparík - AMI Praha a . s .
Maksim,
you definitely need to set up High Availability with ticket registry
replication:
https://apereo.github.io/cas/6.1.x/high_availability/High-Availability-Guide.html#high-availability-guide-haclustering


We use Ehcache for this (just two nodes), so we have:

   - cas.properties: cas.ticket.registry.ehcache.configLocation=
   - ehcache-replicated.xml - see attached: you need to deploy this on both
   nodes, and to specify port of one node as remotePort of another node.

I hope this helps

--

with best regards

*Petr Gašparík*
IT security consultant




On Tue, 14 Jan 2020 at 21:35, Ray Bon wrote:

> Maksim,
>
> Default registry is in memory,
> https://apereo.github.io/cas/6.1.x/ticketing/Default-Ticket-Registry.html.
> You will find it easier to start with a single CAS node.
> See,
> https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html,
> for an approach to getting things set up.
>
> Ray
>
> On Tue, 2020-01-14 at 12:14 -0800, 'Maksim Kopeyka' via CAS Community
> wrote:
>
> Ray,
>
> We didn't setup any registry configuration yet. We have several nodes of
> CAS with load balancer.
> I don't see any *cas.ticket.registry* properties in our config.
>
> Maksim
>
> On Tuesday, January 14, 2020 at 7:29:52 PM UTC+2, rbon wrote:
>
> Maksim,
>
> Most (all) of the ticket registries should be able to handle multi-node
> CAS. Perhaps your registry configuration is incomplete.
> What is your current config?
>
> Ray
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>









Re: [cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-17 Thread Alan S
David, for a "shot in the dark," that was perfect aim, and all is working 
great now. I can't thank you and the community enough for the guidance.

For a saner, future me, I documented my procedures below. Any improvements 
or suggestions are welcome.

-Alan

openssl version
OpenSSL 1.1.1  11 Sep 2018 (Library: OpenSSL 1.1.1d  10 Sep 2019)

curl-config --version
libcurl 7.47.0


*INSTALL CURL+SSL*

Build curl from source with SSL support. I used curl v7.67.0 and installed 
it in `/opt/curl`.

sudo mkdir /opt/curl
sudo chown root:root /opt/curl

git clone https://github.com/curl/curl.git
cd curl
git checkout curl-7_67_0

autoreconf
./configure --prefix=/opt/curl --with-ssl
make
sudo make install

Verify the curl installation:

/opt/curl/bin/curl --version

curl 7.68.0-DEV (x86_64-pc-linux-gnu) libcurl/7.68.0-DEV OpenSSL/1.1.1d
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 
pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS HTTPS-proxy IPv6 Largefile NTLM NTLM_WB SSL TLS-SRP 
UnixSockets


*INSTALL MOD_AUTH_CAS*

Clone the apereo/mod_auth_cas from master (latest commit to include a 
requestId: 89ac1b6, 2018-07-30; not necessary, but I branched and tagged 
this locally for now). Specify the newly-built curl+ssl package in the 
configuration and build/install the CAS module.

git clone https://github.com/apereo/mod_auth_cas.git
cd mod_auth_cas

[branched, tagged, and checked out]

autoreconf -ivf
./configure --with-libcurl=/opt/curl
make
sudo make install

Refer to the Apache guidelines for configuring a service or SAML validation 
endpoint.



Re: [cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-13 Thread Alan S
Here's the Apache log with the additional log reporting lines. It makes it 
to lines 1904 and 1906, but then seems to fail on `curl_easy_perform`.

[Fri Dec 13 16:43:48.345565 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c
(1832): [client CLIENT_IP:35632] entering getResponseFromServer(), referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:43:48.345651 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c
(1895): [client CLIENT_IP:35632] samlPayload = http://schemas.xmlsoap.org/soap/envelope/;>ST-9-OQvPfKXueVO
-Tz5dQWATBIktFG4SFACAS3, referer: https:
//CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:43:48.345666 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c
(610): [client CLIENT_IP:35632] CAS Service 
'https%3a%2f%2fAPP_SERVER%2fauth%2f', referer: https:
//CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:43:48.345673 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c
(1904): [client CLIENT_IP:35632] ** point 1, referer: https:
//CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:43:48.345688 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c
(1906): [client CLIENT_IP:35632] ** point 2, referer: https:
//CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:44:20.816146 2019] [ssl:info] [pid 9978] [client 
APP_SERVER_IP:38236] AH01964: Connection to child 2 established (server 
APP_SERVER:443)
[Fri Dec 13 16:44:20.816483 2019] [ssl:debug] [pid 9978] ssl_engine_kernel.c
(2388): [client APP_SERVER_IP:38236] AH02645: Server name not provided via 
TLS extension (using default/first virtual host)
[Fri Dec 13 16:44:20.816503 2019] [ssl:debug] [pid 9978] ssl_engine_kernel.c
(2388): [client APP_SERVER_IP:38236] AH02645: Server name not provided via 
TLS extension (using default/first virtual host)
[Fri Dec 13 16:44:20.816514 2019] [core:debug] [pid 9978] protocol.c(2316): 
[client APP_SERVER_IP:38236] AH03155: select protocol from , choices=http/
1.1 for server APP_SERVER
[Fri Dec 13 16:44:20.821920 2019] [ssl:debug] [pid 9978] ssl_engine_kernel.c
(2236): [client APP_SERVER_IP:38236] AH02041: Protocol: TLSv1.3, Cipher: 
TLS_AES_256_GCM_SHA384 (256/256 bits)
[Fri Dec 13 16:44:20.821994 2019] [socache_shmcb:debug] [pid 9978] 
mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0xd2 -> subcache 18)
[Fri Dec 13 16:44:20.822009 2019] [socache_shmcb:debug] [pid 9978] 
mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Fri Dec 13 16:44:20.822018 2019] [socache_shmcb:debug] [pid 9978] 
mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/
idx_used=0/1, data_pos/data_used=0/201
[Fri Dec 13 16:44:20.822026 2019] [socache_shmcb:debug] [pid 9978] 
mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Fri Dec 13 16:44:20.822167 2019] [socache_shmcb:debug] [pid 9978] 
mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x8a -> subcache 10)
[Fri Dec 13 16:44:20.822185 2019] [socache_shmcb:debug] [pid 9978] 
mod_socache_shmcb.c(849): AH00847: insert happened at idx=1, data=(222:254)
[Fri Dec 13 16:44:20.822194 2019] [socache_shmcb:debug] [pid 9978] 
mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/
idx_used=0/2, data_pos/data_used=0/423
[Fri Dec 13 16:44:20.822202 2019] [socache_shmcb:debug] [pid 9978] 
mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Fri Dec 13 16:44:20.822360 2019] [ssl:debug] [pid 9978] ssl_engine_kernel.c
(383): [client APP_SERVER_IP:38236] AH02034: Initial (No.1) HTTPS request 
received for child 2 (server APP_SERVER:443)
[Fri Dec 13 16:44:20.822461 2019] [authz_core:debug] [pid 9978] 
mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization 
result of Require all granted: granted
[Fri Dec 13 16:44:20.822475 2019] [authz_core:debug] [pid 9978] 
mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization 
result of : granted
[Fri Dec 13 16:44:20.822587 2019] [authz_core:debug] [pid 9978] 
mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization 
result of Require all granted: granted
[Fri Dec 13 16:44:20.822602 2019] [authz_core:debug] [pid 9978] 
mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization 
result of : granted
[Fri Dec 13 16:44:20.822688 2019] [authz_core:debug] [pid 9978] 
mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization 
result of Require all granted: granted
[Fri Dec 13 16:44:20.822701 2019] [authz_core:debug] [pid 9978] 
mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization 
result of : granted
[Fri Dec 13 16:44:20.822927 2019] [authz_core:debug] [pid 9978] 
mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization 
result of Require all granted: granted
[Fri Dec 13 16:44:20.822943 2019] [authz_core:debug] [pid 9978] 
mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: 

Re: [cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-13 Thread Alan S
I'll rebuild with the log output lines as you suggested and post how it 
goes.

It looks like the curl version matches:

$ /usr/bin/curl-config --version
libcurl 7.47.0

$ /usr/bin/curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 
libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 
pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB 
SSL libz TLS-SRP UnixSockets 


...and my mod_auth_cas configuration log:

*config.log (line 1296)*
libcurl_cv_lib_curl_version=7.47.0

Thank you!
-Alan


On Friday, December 13, 2019 at 3:18:28 PM UTC-6, dhawes wrote:
>
> On Fri, 13 Dec 2019 at 14:58, Alan S wrote: 
> > 
> > Okay, via curl, this looks good (see the response below), and I'm 
> getting the authenticated username returned. So, this is a good step 
> forward in troubleshooting. Do you have advice for debugging the Apache 
> module? I'm not sure what would cause it to be so "quiet." 
>
> I agree, that looks good. It's with the same curl that mod_auth_cas 
> was compiled against, right? 
>
> As far as debugging, could you add some log messages like the following: 
>
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "made it here!"); 
>
> to getResponseFromServer()? I'd start at around lines 1904, 1906, and 
> 1912 of git master. 
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/eba59047-f765-4186-ab82-6499e249870d%40apereo.org.


Re: [cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-13 Thread Alan S
Okay, via curl, this looks good (see the response below), and I'm getting 
the authenticated username returned. So, this is a good step forward in 
troubleshooting. Do you have advice for debugging the Apache module? I'm 
not sure what would cause it to be so "quiet."

-Alan

Enter service ticket ID: ST-3-AVml3Z3uyCXQCJ8-xpO9C4OV5sQSFACAS3
*   Trying CAS_SERVER_IP...
* Connected to CAS_SERVER (CAS_SERVER_IP) port 443 (#0)
* found 3 certificates in /etc/ssl/InCommon/chain.crt
* found 582 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*  server certificate verification OK
*  server certificate status verification SKIPPED
*  common name: CAS_SERVER (matched)
*  server certificate expiration date OK
*  server certificate activation date OK
*  certificate public key: RSA
*  certificate version: #3
*  subject: CERT_INFO
*  start date: Wed, 09 Oct 2019 00:00:00 GMT
*  expire date: Thu, 08 Oct 2020 23:59:59 GMT
*  issuer: C=US,ST=MI,L=Ann Arbor,O=Internet2,OU=InCommon,CN=InCommon 
RSA Server CA
*  compression: NULL
* ALPN, server did not agree to a protocol
> GET /cas/serviceValidate?service=https%3a%2f%2fAPP_SERVER%2fauth%2f&ticket=ST-3-AVml3Z3uyCXQCJ8-xpO9C4OV5sQSFACAS3 HTTP/1.1
> Host: CAS_SERVER
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 
< Cache-Control: no-store
< Pragma: 
< Expires: 
< Strict-Transport-Security: max-age=15768000 ; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Content-Type: application/xml;charset=UTF-8
< Content-Language: en-US
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Fri, 13 Dec 2019 19:42:02 GMT
< 


MY_USER_NAME


* Connection #0 to host CAS_SERVER left intact


On Friday, December 13, 2019 at 12:05:48 PM UTC-6, Alan S wrote:
>
> Ray--I requested an update to the ticket TTL and will report back with the 
> results. Thanks!
>
> -Alan
>
> On Friday, December 13, 2019 at 11:17:01 AM UTC-6, rbon wrote:
>>
>> Alan,
>>
>> When running manual tests, you can increase the ST time timeout, 
>> https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticket-Expiration-Policy.html#service-ticket-policies
>> By default it only lasts 10 seconds, which may not be enough time for you 
>> to copy and paste.
>>
>> Ray
>>
>> On Fri, 2019-12-13 at 07:57 -0800, Alan S wrote:
>>
>> Thank you, David. If I include the service and ticket, with the cert 
>> chain specified, this is the response. Note that I used the ticket from the 
>> browser login attempt to test this--do I need to initiate the login request 
>> via curl? I also would think a validation error would show up in my logs, 
>> but, after the 'CAS Service' line, it simply stops generating auth_cas 
>> logs. I'll contact our CAS server team to request server logs from these 
>> connections.
>>
>> -Alan
>>
>> curl -v --cacert /etc/ssl/InCommon/chain.crt https://CAS_SERVER/cas/serviceValidate?service=https%3a%2f%2fAPP_HOST%2fauth%2f'&'ticket=ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3
>>
>>
>> *   Trying CAS_SERVER_IP...
>> * Connected to CAS_SERVER (CAS_SERVER_IP) port 443 (#0)
>> * found 3 certificates in /etc/ssl/InCommon/chain.crt
>> * found 582 certificates in /etc/ssl/certs
>> * ALPN, offering http/1.1
>> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
>> ''' SNIP! '''
>> * ALPN, server did not agree to a protocol
>> > GET /cas/serviceValidate?service=https%3a%2f%2fAPP_HOST%2fauth%2f&ticket=ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3 HTTP/1.1
>> > Host: CAS_SERVER
>> > User-Agent: curl/7.47.0
>> > Accept: */*
>> > 
>> < HTTP/1.1 200 
>> < Cache-Control: no-store
>> < Pragma: 
>> < Expires: 
>> < Strict-Transport-Security: max-age=15768000 ; includeSubDomains
>> < X-Content-Type-Options: nosniff
>> < X-Frame-Options: DENY
>> < X-XSS-Protection: 1; mode=block
>> < Content-Type: text/html;charset=UTF-8
>> < Content-Language: en-US
>> < Transfer-Encoding: chunked
>> < Vary: Accept-Encoding
>> < Date: Fri, 13 Dec 2019 15:40:32 GMT
>> < 
>> 
>> Ticket 
>> ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3 not 
>> recognized
>> 
>> * Connection #0 to host CAS_SERVER left intact
>>
>>
>>
>> On Thursday, December 12, 2019 at 10:06:26 PM UTC-6, dhawes wrote: 
>>
>> On Thu, 12 Dec 2019 at 18:09, Alan S  wrote: 
>> > 
>> > Still wrestling with this, I'm now

Re: [cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-13 Thread Alan S
Ray--I requested an update to the ticket TTL and will report back with the 
results. Thanks!

-Alan

On Friday, December 13, 2019 at 11:17:01 AM UTC-6, rbon wrote:
>
> Alan,
>
> When running manual tests, you can increase the ST time timeout, 
> https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticket-Expiration-Policy.html#service-ticket-policies
> By default it only lasts 10 seconds, which may not be enough time for you 
> to copy and paste.
>
> Ray
>
> On Fri, 2019-12-13 at 07:57 -0800, Alan S wrote:
>
> Thank you, David. If I include the service and ticket, with the cert chain 
> specified, this is the response. Note that I used the ticket from the 
> browser login attempt to test this--do I need to initiate the login request 
> via curl? I also would think a validation error would show up in my logs, 
> but, after the 'CAS Service' line, it simply stops generating auth_cas 
> logs. I'll contact our CAS server team to request server logs from these 
> connections.
>
> -Alan
>
> curl -v --cacert /etc/ssl/InCommon/chain.crt https://CAS_SERVER/cas/serviceValidate?service=https%3a%2f%2fAPP_HOST%2fauth%2f'&'ticket=ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3
>
>
> *   Trying CAS_SERVER_IP...
> * Connected to CAS_SERVER (CAS_SERVER_IP) port 443 (#0)
> * found 3 certificates in /etc/ssl/InCommon/chain.crt
> * found 582 certificates in /etc/ssl/certs
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
> ''' SNIP! '''
> * ALPN, server did not agree to a protocol
> > GET /cas/serviceValidate?service=https%3a%2f%2fAPP_HOST%2fauth%2f&ticket=ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3 HTTP/1.1
> > Host: CAS_SERVER
> > User-Agent: curl/7.47.0
> > Accept: */*
> > 
> < HTTP/1.1 200 
> < Cache-Control: no-store
> < Pragma: 
> < Expires: 
> < Strict-Transport-Security: max-age=15768000 ; includeSubDomains
> < X-Content-Type-Options: nosniff
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Content-Type: text/html;charset=UTF-8
> < Content-Language: en-US
> < Transfer-Encoding: chunked
> < Vary: Accept-Encoding
> < Date: Fri, 13 Dec 2019 15:40:32 GMT
> < 
> 
> Ticket 
> ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3 not 
> recognized
> 
> * Connection #0 to host CAS_SERVER left intact
>
>
>
> On Thursday, December 12, 2019 at 10:06:26 PM UTC-6, dhawes wrote: 
>
> On Thu, 12 Dec 2019 at 18:09, Alan S  wrote: 
> > 
> > Still wrestling with this, I'm now specifying just the serviceValidate 
> endpoint to remove any possible problems with SAML attribute delivery. My 
> Apache configuration now looks like this: 
> > 
> > LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so 
> > 
> > CASCookiePath /var/cache/apache2/mod_auth_cas/ 
> > CASLoginURL https://CAS_SERVER/cas/login 
> > CASValidateURL https://CAS_SERVER/cas/serviceValidate 
> > CASDebug On 
> > 
> >  
> > AuthType CAS 
> > AuthName "Autentication required" 
> > CASAuthNHeader CAS-User 
> > Require valid-user 
> >  
> > 
> > My logs never show a response validation: 
> > 
> > [Thu Dec 12 16:54:20.821632 2019] [auth_cas:debug] [pid 20232] 
> mod_auth_cas.c(2675): entering check_vhost_config() 
> > [Thu Dec 12 16:54:20.904208 2019] [auth_cas:debug] [pid 20233] 
> mod_auth_cas.c(2675): entering check_vhost_config() 
> > [Thu Dec 12 16:54:29.432630 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(2159): [client CLIENT_IP:44734] Entering cas_authenticate() 
> > [Thu Dec 12 16:54:29.432643 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(610): [client CLIENT_IP:44734] CAS Service 
> 'https%3a%2f%2fAPP_HOST%2fauth%2f' 
> > [Thu Dec 12 16:54:29.432652 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(558): [client CLIENT_IP:44734] entering getCASLoginURL() 
> > [Thu Dec 12 16:54:29.432663 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(535): [client CLIENT_IP:44734] entering getCASGateway() 
> > [Thu Dec 12 16:54:29.432671 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(625): [client CLIENT_IP:44734] entering redirectRequest() 
> > [Thu Dec 12 16:54:29.432681 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(637): [client CLIENT_IP:44734] Adding outgoing header: 
> Location: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f 
> > [Thu Dec 12 16:54:34.729642 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(2159): [client CLIENT_IP:44736] Entering cas_authenticate(), 
> referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f 
> > [Thu De

Re: [cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-13 Thread Alan S
Thank you, David. If I include the service and ticket, with the cert chain 
specified, this is the response. Note that I used the ticket from the 
browser login attempt to test this--do I need to initiate the login request 
via curl? I also would think a validation error would show up in my logs, 
but, after the 'CAS Service' line, it simply stops generating auth_cas 
logs. I'll contact our CAS server team to request server logs from these 
connections.

-Alan

curl -v --cacert /etc/ssl/InCommon/chain.crt https://CAS_SERVER/cas/serviceValidate?service=https%3a%2f%2fAPP_HOST%2fauth%2f'&'ticket=ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3


*   Trying CAS_SERVER_IP...
* Connected to CAS_SERVER (CAS_SERVER_IP) port 443 (#0)
* found 3 certificates in /etc/ssl/InCommon/chain.crt
* found 582 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
''' SNIP! '''
* ALPN, server did not agree to a protocol
> GET /cas/serviceValidate?service=https%3a%2f%2fAPP_HOST%2fauth%2f&ticket=ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3 HTTP/1.1
> Host: CAS_SERVER
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 
< Cache-Control: no-store
< Pragma: 
< Expires: 
< Strict-Transport-Security: max-age=15768000 ; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html;charset=UTF-8
< Content-Language: en-US
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Fri, 13 Dec 2019 15:40:32 GMT
< 

Ticket 
ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3 not 
recognized

* Connection #0 to host CAS_SERVER left intact



On Thursday, December 12, 2019 at 10:06:26 PM UTC-6, dhawes wrote:
>
> On Thu, 12 Dec 2019 at 18:09, Alan S wrote: 
> > 
> > Still wrestling with this, I'm now specifying just the serviceValidate 
> endpoint to remove any possible problems with SAML attribute delivery. My 
> Apache configuration now looks like this: 
> > 
> > LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so 
> > 
> > CASCookiePath /var/cache/apache2/mod_auth_cas/ 
> > CASLoginURL https://CAS_SERVER/cas/login 
> > CASValidateURL https://CAS_SERVER/cas/serviceValidate 
> > CASDebug On 
> > 
> >  
> > AuthType CAS 
> > AuthName "Autentication required" 
> > CASAuthNHeader CAS-User 
> > Require valid-user 
> >  
> > 
> > My logs never show a response validation: 
> > 
> > [Thu Dec 12 16:54:20.821632 2019] [auth_cas:debug] [pid 20232] 
> mod_auth_cas.c(2675): entering check_vhost_config() 
> > [Thu Dec 12 16:54:20.904208 2019] [auth_cas:debug] [pid 20233] 
> mod_auth_cas.c(2675): entering check_vhost_config() 
> > [Thu Dec 12 16:54:29.432630 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(2159): [client CLIENT_IP:44734] Entering cas_authenticate() 
> > [Thu Dec 12 16:54:29.432643 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(610): [client CLIENT_IP:44734] CAS Service 
> 'https%3a%2f%2fAPP_HOST%2fauth%2f' 
> > [Thu Dec 12 16:54:29.432652 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(558): [client CLIENT_IP:44734] entering getCASLoginURL() 
> > [Thu Dec 12 16:54:29.432663 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(535): [client CLIENT_IP:44734] entering getCASGateway() 
> > [Thu Dec 12 16:54:29.432671 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(625): [client CLIENT_IP:44734] entering redirectRequest() 
> > [Thu Dec 12 16:54:29.432681 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(637): [client CLIENT_IP:44734] Adding outgoing header: 
> Location: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f 
> > [Thu Dec 12 16:54:34.729642 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(2159): [client CLIENT_IP:44736] Entering cas_authenticate(), 
> referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f 
> > [Thu Dec 12 16:54:34.729659 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(682): [client CLIENT_IP:44736] Modified r->args (now ''), 
> referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f 
> > [Thu Dec 12 16:54:34.729749 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(1832): [client CLIENT_IP:44736] entering 
> getResponseFromServer(), referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f 
> > [Thu Dec 12 16:54:34.729853 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(610): [client CLIENT_IP:44736] CAS Service 
> 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f 
> > [Thu Dec 12 16:54:35.031085 2019] [aut

[cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-12 Thread Alan S
Still wrestling with this, I'm now specifying just the serviceValidate 
endpoint to remove any possible problems with SAML attribute delivery. My 
Apache configuration now looks like this:

LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://CAS_SERVER/cas/login
CASValidateURL https://CAS_SERVER/cas/serviceValidate
CASDebug On


AuthType CAS
AuthName "Autentication required"
CASAuthNHeader CAS-User
Require valid-user


My logs never show a response validation:

[Thu Dec 12 16:54:20.821632 2019] [auth_cas:debug] [pid 20232] mod_auth_cas.c(2675): entering check_vhost_config()
[Thu Dec 12 16:54:20.904208 2019] [auth_cas:debug] [pid 20233] mod_auth_cas.c(2675): entering check_vhost_config()
[Thu Dec 12 16:54:29.432630 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(2159): [client CLIENT_IP:44734] Entering cas_authenticate()
[Thu Dec 12 16:54:29.432643 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(610): [client CLIENT_IP:44734] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f'
[Thu Dec 12 16:54:29.432652 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(558): [client CLIENT_IP:44734] entering getCASLoginURL()
[Thu Dec 12 16:54:29.432663 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(535): [client CLIENT_IP:44734] entering getCASGateway()
[Thu Dec 12 16:54:29.432671 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(625): [client CLIENT_IP:44734] entering redirectRequest()
[Thu Dec 12 16:54:29.432681 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(637): [client CLIENT_IP:44734] Adding outgoing header: Location: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:34.729642 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(2159): [client CLIENT_IP:44736] Entering cas_authenticate(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:34.729659 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(682): [client CLIENT_IP:44736] Modified r->args (now ''), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:34.729749 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(1832): [client CLIENT_IP:44736] entering getResponseFromServer(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:34.729853 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(610): [client CLIENT_IP:44736] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:35.031085 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(2159): [client CLIENT_IP:44754] Entering cas_authenticate(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:35.031100 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(682): [client CLIENT_IP:44754] Modified r->args (now ''), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:35.031149 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(1832): [client CLIENT_IP:44754] entering getResponseFromServer(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:35.031241 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(610): [client CLIENT_IP:44754] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

Any idea what could be causing this "Secure Connection Failed" issue on a 
5.3 server connection? (I've tried connecting on the latest mod_auth_cas 
master and v1.2 tag.)

Thanks!
-Alan
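
The symptom in this message (a worker's auth_cas trace ending at the 'CAS Service' line that follows getResponseFromServer()) can be checked for mechanically. The script below is an added example, not part of the original post or of mod_auth_cas: the function names and the pid 30001 records are constructed, and it assumes that a worker which gets past validation logs at least one more auth_cas line.

```python
import re

# Start of an Apache error-log record, e.g. "[Thu Dec 12 16:54:34.729749 2019] ..."
RECORD_START = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d ")
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\] "
    r"(?P<src>[\w.]+)\((?P<line>\d+)\): (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
ENTER_VALIDATE = "entering getResponseFromServer()"

REFERER = "https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f"
# Constructed sample in the format of the CASDebug lines quoted in the thread.
# pids 20235/20236 mirror the posted trace; pid 30001 and its last line are
# invented to show a worker that keeps logging. One record is left wrapped the
# way the mail client wrapped it, to exercise unwrap().
SAMPLE_LOG = f"""\
[Thu Dec 12 16:54:29.432630 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(2159): [client CLIENT_IP:44734] Entering cas_authenticate()
[Thu Dec 12 16:54:29.432643 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(610): [client CLIENT_IP:44734] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f'
[Thu Dec 12 16:54:29.432671 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(625): [client CLIENT_IP:44734] entering redirectRequest()
[Thu Dec 12 16:54:34.729642 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(2159): [client CLIENT_IP:44736] Entering cas_authenticate(), referer: {REFERER}
[Thu Dec 12 16:54:34.729749 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.
c(1832): [client CLIENT_IP:44736] entering getResponseFromServer(), referer: {REFERER}
[Thu Dec 12 16:54:34.729853 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(610): [client CLIENT_IP:44736] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: {REFERER}
[Thu Dec 12 16:54:35.031149 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(1832): [client CLIENT_IP:44754] entering getResponseFromServer(), referer: {REFERER}
[Thu Dec 12 16:54:35.031241 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(610): [client CLIENT_IP:44754] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: {REFERER}
[Thu Dec 12 16:55:00.000100 2019] [auth_cas:debug] [pid 30001] mod_auth_cas.c(1832): [client CLIENT_IP:50000] entering getResponseFromServer()
[Thu Dec 12 16:55:00.000200 2019] [auth_cas:debug] [pid 30001] mod_auth_cas.c(610): [client CLIENT_IP:50000] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f'
[Thu Dec 12 16:55:00.000300 2019] [auth_cas:debug] [pid 30001] mod_auth_cas.c(0): [client CLIENT_IP:50000] CONSTRUCTED later line from the same worker
"""


def unwrap(text):
    """Re-join records that were hard-wrapped; continuation lines lack a timestamp."""
    records = []
    for raw in text.splitlines():
        if RECORD_START.match(raw):
            records.append(raw)
        elif records and raw.strip():
            records[-1] += raw  # the wrap removed nothing, so join without a separator
    return records


def find_stalled_validations(text):
    """Return workers whose auth_cas trace ends right after entering validation.

    A pid is reported when, after its last 'entering getResponseFromServer()'
    line, the only auth_cas output is the 'CAS Service' line (or nothing).
    """
    by_pid = {}
    for line in unwrap(text):
        m = RECORD.match(line)
        if m and m["module"] == "auth_cas":
            by_pid.setdefault(m["pid"], []).append(m)

    stalled = []
    for pid, recs in by_pid.items():
        entries = [i for i, r in enumerate(recs) if r["msg"].startswith(ENTER_VALIDATE)]
        if not entries:
            continue  # this worker never started ticket validation
        tail = recs[entries[-1] + 1:]
        if all(r["msg"].startswith("CAS Service") for r in tail):
            last = recs[-1]
            stalled.append({
                "pid": pid,
                "client": last["client"],
                "last_ts": last["ts"],
                "last_msg": last["msg"].split(", referer:")[0],
            })
    return stalled


if __name__ == "__main__":
    for hit in find_stalled_validations(SAMPLE_LOG):
        print(f"pid {hit['pid']} ({hit['client']}) went silent at {hit['last_ts']}: {hit['last_msg']}")
```

A reported pid is worth correlating with the main Apache error log for that timestamp, since the module's own debug output gives no reason for the silence.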



[cas-user] mod_auth_cas - certificate path configuration and failed connection

2019-12-05 Thread Alan S
I'm trying to connect to a CAS 5.3.3 server using the `apereo/mod_auth_cas` 
master branch. Following sign-in, the browser reports 'Secure Connection 
Failed' (ERR_EMPTY_RESPONSE) and the Apache ticket cache is empty. Does the 
configuration below suggest a problem with the CAS certificate path?

Thanks for taking a look.
-Alan


LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so
CASCertificatePath /etc/ssl/cert/CAS_SERVER_x509chain.pem

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://CAS_SERVER/cas/login
CASValidateURL https://CAS_SERVER/cas/samlValidate
CASValidateSAML On
CASAttributePrefix SAML-
CASDebug On


AuthType CAS
AuthName "Authentication Required"
CASAuthNHeader CAS-User
Require valid-user



[auth_cas:debug] [pid 20375] mod_auth_cas.c(2675): 
entering check_vhost_config()

[auth_cas:debug] [pid 20376] mod_auth_cas.c(2675): 
entering check_vhost_config()

[core:debug] [pid 20378] protocol.c(2316): 
[client CLIENT_IP:49262] 
AH03155: select protocol from , choices=h2,http/1.1 for server APP_HOST

[core:debug] [pid 20379] protocol.c(2316): 
[client CLIENT_IP:49264] 
AH03155: select protocol from , choices=h2,http/1.1 for server APP_HOST

[authz_core:debug] [pid 20379] mod_authz_core.c(820): 
[client CLIENT_IP:49264]
   AH01626: authorization result of Require valid-user : denied (no 
authenticated user yet)

[authz_core:debug] [pid 20379] mod_authz_core.c(820): 
[client CLIENT_IP:49264]
   AH01626: authorization result of : denied (no authenticated 
user yet)

[auth_cas:debug] [pid 20379] mod_auth_cas.c(2159): 
[client CLIENT_IP:49264] 
Entering cas_authenticate()

[auth_cas:debug] [pid 20379] mod_auth_cas.c(610): 
[client CLIENT_IP:49264] 
CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f'

[auth_cas:debug] [pid 20379] mod_auth_cas.c(558): 
[client CLIENT_IP:49264] 
entering getCASLoginURL()

[auth_cas:debug] [pid 20379] mod_auth_cas.c(535): 
[client CLIENT_IP:49264] 
entering getCASGateway()

[auth_cas:debug] [pid 20379] mod_auth_cas.c(625): 
[client CLIENT_IP:49264] 
entering redirectRequest()

[auth_cas:debug] [pid 20379] mod_auth_cas.c(637): 
[client CLIENT_IP:49264] 
Adding outgoing header: Location: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[authz_core:debug] [pid 20378] mod_authz_core.c(820): 
[client CLIENT_IP:49262] 
AH01626: authorization result of Require valid-user : denied (no 
authenticated user yet),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[authz_core:debug] [pid 20378] mod_authz_core.c(820): 
[client CLIENT_IP:49262]
   AH01626: authorization result of : denied (no authenticated 
user yet),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[auth_cas:debug] [pid 20378] mod_auth_cas.c(2159): 
[client CLIENT_IP:49262] 
Entering cas_authenticate(),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[auth_cas:debug] [pid 20378] mod_auth_cas.c(682): 
[client CLIENT_IP:49262] 
Modified r->args (now ''),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[auth_cas:debug] [pid 20378] mod_auth_cas.c(1832): 
[client CLIENT_IP:49262] 
entering getResponseFromServer(),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[auth_cas:debug] [pid 20378] mod_auth_cas.c(1895): 
[client CLIENT_IP:49262] 
samlPayload = http://schemas.xmlsoap.org/soap/envelope/;>ST-53
-zxrvP6m7ACd--xeOLhHqVxQ-7MISFACAS3,
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[auth_cas:debug] [pid 20378] mod_auth_cas.c(610): 
[client CLIENT_IP:49262] 
CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f',
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[core:debug] [pid 20380] protocol.c(2316): 
[client CLIENT_IP:49280]
   AH03155: select protocol from , choices=h2,http/1.1 for server APP_HOST

[authz_core:debug] [pid 20380] mod_authz_core.c(820): 
[client CLIENT_IP:49280]
   AH01626: authorization result of Require valid-user : denied (no 
authenticated user yet),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[authz_core:debug] [pid 20380] mod_authz_core.c(820): 
[client CLIENT_IP:49280]
   AH01626: authorization result of : denied (no authenticated 
user yet),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[auth_cas:debug] [pid 20380] mod_auth_cas.c(2159): 
[client CLIENT_IP:49280] 
Entering cas_authenticate(),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

[auth_cas:debug] [pid 20380] mod_auth_cas.c(682): 
[client CLIENT_IP:49280] 
Modified r->args (now ''),
   referer: 
https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f


Re: [cas-user] Seamless login

2019-11-27 Thread Petr Gašparík - AMI Praha a . s .
Hi,
the solution was not selected for PoC.

--

Best regards

*Petr Gašparík*
IT security consultant

gsm: [+420] 603 523 860
e‑mail: petr.gaspa...@ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz



On Tue, 26 Nov 2019 at 14:14, Artur Łaga wrote:

> Hi,
>
> Did you manage to achieve the scenario you wanted with the surrogate
> mechanism?
> I'm interested in the 2nd point from your scenario in particular.
>
> I'm trying to get almost the same working path, but have a problem with
> generating a TGT through the REST API - it looks like the REST API doesn't
> accept the surrogate special syntax
> ([surrogate-userid][separator][primary-userid]). Calling the TGT method as
> described in
> https://apereo.github.io/2019/06/12/cas61x-rest-api/#exchange-tokens with
> the surrogate in the username param always gives an AccountNotFoundException exception.
>
> My CAS instance is configured with surrogate auth enabled - the normal
> authentication with impersonate is working well.
>
> Regards,
> Artur
>
>
> On Wednesday, 28 August 2019 at 23:50:36 UTC+2, Petr Gašparík -
> AMI Praha a.s. wrote:
>>
>> Oh! I know!
>>
>> https://apereo.github.io/cas/6.0.x/installation/Surrogate-Authentication.html#preselected
>>
>> It is done simply by +user in REST authentication request, right? Genial!
>>
>> Petr
>>
>> On Wednesday, August 28, 2019 at 9:42:17 AM UTC+2, Petr Gašparík - AMI
>> Praha a.s. wrote:
>>>
>>> Hi Misagh,
>>> that's what I don't know for sure.
>>>
>>> Can REST be used for issuing a TGT for a different user than the authenticated
>>> one? Like "sudo make TGT for userX" ?
>>> I studied the wiki; I think the sudoer needs to know the user's password.
>>>
>>> --
>>>
>>> Best regards
>>>
>>> *Petr Gašparík*
>>> solution architect
>>>
>>> gsm: [+420] 603 523 860
>>> e‑mail: petr.g...@ami.cz
>>>
>>> *AMI Praha a.s.*
>>> Pláničkova 11, 162 00 Praha 6
>>>
>>> tel.: [+420] 274 783 239 | web: www.ami.cz
>>>
>>>
>>>
>>> On Tue, 27 Aug 2019 at 21:45, Misagh wrote:
>>>
>>>> Wouldn't step 1 and 2 also be handled using the rest protocol?
>>>>
>>>> On Tue, Aug 27, 2019, 6:48 PM Petr Gašparík - AMI Praha a.s. <
>>>> petr.g...@ami.cz> wrote:
>>>>
>>>>> Hi,
>>>>> in my proof of concept, I want a piece of code (program library) to *log
>>>>> in a user to a CASified application without the user's password.*
>>>>>
>>>>> That could be done in this way:
>>>>>
>>>>>1. library authenticates to CAS with its login/password
>>>>>   - CAS responds with OK/fail
>>>>>2. library requests to generate TGT for specified user
>>>>>   - CAS responds with TGT
>>>>>3. library requests ST via TGT
>>>>>   - CAS responds with ST
>>>>>4. library forms URL for CASified application with ST
>>>>>5. 

Re: [cas-user] Seamless login

2019-08-28 Thread Petr Gašparík - AMI Praha a . s .
Oh! I know!
https://apereo.github.io/cas/6.0.x/installation/Surrogate-Authentication.html#preselected

It is done simply by +user in REST authentication request, right? Genial!

Petr

On Wednesday, August 28, 2019 at 9:42:17 AM UTC+2, Petr Gašparík - AMI 
Praha a.s. wrote:
>
> Hi Misagh,
> that's what I don't know for sure.
>
> Can REST be used for issuing a TGT for a different user than the authenticated 
> one? Like "sudo make TGT for userX" ?
> I studied the wiki; I think the sudoer needs to know the user's password.
>
> --
>
> Best regards
>
> *Petr Gašparík*
> solution architect
>
> gsm: [+420] 603 523 860
> e‑mail: petr.gaspa...@ami.cz
>
> *AMI Praha a.s.*
> Pláničkova 11, 162 00 Praha 6
>
> tel.: [+420] 274 783 239 | web: www.ami.cz
>
>
>
> On Tue, 27 Aug 2019 at 21:45, Misagh wrote:
>
>> Wouldn't step 1 and 2 also be handled using the rest protocol? 
>>
>> On Tue, Aug 27, 2019, 6:48 PM Petr Gašparík - AMI Praha a.s. <
>> petr.gaspa...@ami.cz> wrote:
>>
>>> Hi,
>>> in my proof of concept, I want a piece of code (program library) to *log 
>>> in a user to a CASified application without the user's password.*
>>>
>>> That could be done in this way:
>>>
>>>1. library authenticates to CAS with its login/password 
>>>   - CAS responds with OK/fail
>>>2. library requests to generate TGT for specified user
>>>   - CAS responds with TGT
>>>3. library requests ST via TGT 
>>>   - CAS responds with ST
>>>4. library forms URL for CASified application with ST 
>>>5. user is logged in to CASified application
>>>
>>> I know steps 3-5 are doable through REST + CAS protocol.
>>>
>>> *What about step 2, how to do that*? Can I for example use surrogation 
>>> for that?
>>>
>>> (CASified application means an application that uses a CAS client to get 
>>> authenticated users from CAS)
>>>
>>> best regards
>>>
>>> *Petr Gašparík*
>>>
>>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGSBKkcBb3d0m%3D_oUe-M1PZdUeoEp0%3DUYfZP6o%3DD4%2BbTHL4gHg%40mail.gmail.com
>>  
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGSBKkcBb3d0m%3D_oUe-M1PZdUeoEp0%3DUYfZP6o%3DD4%2BbTHL4gHg%40mail.gmail.com?utm_medium=email_source=footer>
>> .
>>
>



Re: [cas-user] Seamless login

2019-08-28 Thread Petr Gašparík - AMI Praha a.s.
Hi Misagh,
that's what I don't know for sure.

Can REST be used for issuing a TGT for a different user than the authenticated one?
Like "sudo make TGT for userX"?
I studied the wiki; I think the sudoer needs to know the user's password.

--

best regards

*Petr Gašparík*
solution architect

gsm: [+420] 603 523 860
e‑mail: petr.gaspa...@ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz


On Tue, Aug 27, 2019 at 21:45, Misagh wrote:

> Wouldn't step 1 and 2 also be handled using the rest protocol?
>
> On Tue, Aug 27, 2019, 6:48 PM Petr Gašparík - AMI Praha a.s. <
> petr.gaspa...@ami.cz> wrote:
>
>> Hi,
>> in my proof of concept, I want piece of code (program library) to *log
>> in user to CASified application without user's password.*
>>
>> That could be done in this way:
>>
>>    1. library authenticates to CAS with its login/password
>>       - CAS responds with OK/fail
>>    2. library requests to generate TGT for specified user
>>       - CAS responds with TGT
>>    3. library requests ST via TGT
>>       - CAS responds with ST
>>    4. library forms URL for CASified application with ST
>>    5. user is logged in to CASified application
>>
>> I know steps 3-5 are doable through REST + CAS protocol.
>>
>> *What about step 2, how to do that*? Can I for example use surrogation
>> for that?
>>
>> (CASified application means application that use CAS client to get
>> authenticated users from CAS)
>>
>> best regards
>>
>> *Petr Gašparík*
>>
>



[cas-user] Seamless login

2019-08-27 Thread Petr Gašparík - AMI Praha a.s.
Hi,
in my proof of concept, I want piece of code (program library) to *log in
user to CASified application without user's password.*

That could be done in this way:

   1. library authenticates to CAS with its login/password
      - CAS responds with OK/fail
   2. library requests to generate TGT for specified user
      - CAS responds with TGT
   3. library requests ST via TGT
      - CAS responds with ST
   4. library forms URL for CASified application with ST
   5. user is logged in to CASified application

I know steps 3-5 are doable through REST + CAS protocol.

*What about step 2, how to do that*? Can I for example use surrogation for
that?

(CASified application means application that use CAS client to get
authenticated users from CAS)

best regards

*Petr Gašparík*



Re: [cas-user] logout requests behind load balancer / 'REMOTE_ADDR'

2019-06-25 Thread Petr Gašparík - AMI Praha a.s.
Hi,
it is pretty much possible.

In our implementation, the loadbalancer is configured something like this:
[image: image.png]

--

best regards

*Petr Gašparík*
solution architect

gsm: [+420] 603 523 860
e‑mail: petr.gaspa...@ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz


On Tue, Jun 25, 2019 at 20:11, Austin wrote:

> Hello Ray, Sorry, I'm not all that familiar with Load Balancers either.
> But I think it's more common to have your app check for x-forwarded-for
> headers to get the original client ip.  I created an issue in github and
> included an example there:  https://github.com/apereo/phpCAS/issues/311
>
> On Tue, Jun 25, 2019 at 5:17 AM Ray Bon  wrote:
>
>> Austin,
>>
>> What you say makes sense.
>> Load balancers are out of my realm. Is it possible for the load balancer
>> to preserve REMOTE_ADDR?
>>
>> Ray
>>
>> On Mon, 2019-06-24 at 15:37 -1000, Austin wrote:
>>
>> Hello Ray,
>>
>> Thank you for your help.  Yes, after turning on debugging, I found that
>> you were correct, _isLogoutRequest handles "single logout" requests coming
>> from CAS.
>>
>> However, as far as:  $client_ip = $_SERVER['REMOTE_ADDR'];
>>
>> I think there is a bug/oversight in the Client.php code if the app is
>> behind a load balancer.
>>
>> *config.php*
>> --
>> $cas_real_hosts = array('cas-real-1.example.com', 'cas-real-2.example.com');
>> .
>> .
>> .
>> phpCAS::handleLogoutRequests(true, $cas_real_hosts);
>>
>>
>> *Client.php*
>> --
>> .
>> .
>> .
>> public function handleLogoutRequests($check_client=true, $allowed_clients=array())
>> .
>> .
>> .
>>     if ($check_client) {
>>         if ($allowed_clients === array()) {
>>             $allowed_clients = array( $this->_getServerHostname() );
>>         }
>>         $client_ip = $_SERVER['REMOTE_ADDR'];
>>         $client = gethostbyaddr($client_ip);
>>         phpCAS::trace("Client: ".$client."/".$client_ip);
>>         foreach ($allowed_clients as $allowed_client) {
>>             if (($client == $allowed_client)
>>                 || ($client_ip == $allowed_client)
>>             ) {
>>                 phpCAS::trace(
>>                     "Allowed client '".$allowed_client
>>                     ."' matches, logout request is allowed"
>>                 );
>>                 $allowed = true;
>>                 break;
>>             } else {
>>                 phpCAS::trace(
>>                     "Allowed client '".$allowed_client."' does not match"
>>                 );
>>             }
>>         }
>>     }
>>
>> The $client_ip will be set to the load balancer's IP address, then
>> $client (the host name) will be set via $client_ip, which will also return
>> the load balancer's hostname.  So then when it checks if the $client (the
>> hostname) is in the list of $allowed_clients (which can be configured via
>> config.php's $cas_real_hosts = array('cas-real-1.example.com',
>> 'cas-real-2.example.com'); ) it won't match.  Even if I were to set the
>> $allowed_clients (again via $cas_real_hosts) to IP addresses, that still
>> won't work because again, $_SERVER['REMOTE_ADDR'] returns the load
>> balancer's IP.  I think instead of setting $client_ip =
>> $_SERVER['REMOTE_ADDR'];, it should check the various x-forwarded-for,
>> etc. address I mentioned in my first email... or am I misunderstanding the
>> code?
>>
>>
>> Thanks,
>>
>> Austin
>>
>>
>>
>>
>>
>> On Fri, Jun 14, 2019 at 10:16 AM Ray Bon  wrote:
>>
>> Austin,
>>
>> You can turn on debugging in the phpCAS client to get a _very_ detailed
>> account of what is happening.
>>
>> The code in t
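
The REMOTE_ADDR versus X-Forwarded-For question raised in this thread, as an added example that is not phpCAS code or code from any poster: a Python comparison of a lookup that trusts the header unconditionally with one that honours it only when the TCP peer is a known load balancer. The addresses, function names and trusted-proxy list are assumptions constructed for illustration, and unlike phpCAS the check matches IP addresses only, not reverse-DNS hostnames.

```python
import ipaddress


def _nets(entries):
    # Accept single addresses ("10.0.0.5") or CIDR ranges ("10.0.0.0/24").
    return [ipaddress.ip_network(e) for e in entries]


def _contains(nets, ip):
    return any(ip in net for net in nets)


def naive_client_ip(remote_addr, x_forwarded_for):
    """Anti-pattern: trust the left-most X-Forwarded-For entry unconditionally."""
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the nearest hop that is not one of our own proxies, or None."""
    proxies = _nets(trusted_proxies)
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not _contains(proxies, peer):
        # Direct connection: the header is fully client-controlled, ignore it.
        return peer
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Each proxy appends the address it saw, so walk from the right and
    # stop at the first hop that we do not operate ourselves.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed
        if not _contains(proxies, ip):
            return ip
    return None  # proxied request without a usable client hop: fail closed


def logout_request_allowed(remote_addr, x_forwarded_for,
                           trusted_proxies, allowed_clients):
    """Allow a logout request only if the resolved sender is a CAS server."""
    client = resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return client is not None and _contains(_nets(allowed_clients), client)


# Constructed sample values (documentation address ranges), not from the thread.
LOAD_BALANCER = ["10.0.0.5"]
CAS_SERVERS = ["192.0.2.10", "192.0.2.11"]

# name -> (REMOTE_ADDR seen by the application, X-Forwarded-For header value)
CASES = {
    "cas_via_lb": ("10.0.0.5", "192.0.2.10"),
    "forged_via_lb": ("10.0.0.5", "192.0.2.10, 203.0.113.7"),
    "forged_direct": ("203.0.113.7", "192.0.2.10"),
    "lb_without_header": ("10.0.0.5", None),
}


def evaluate():
    return {
        name: logout_request_allowed(peer, xff, LOAD_BALANCER, CAS_SERVERS)
        for name, (peer, xff) in CASES.items()
    }


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:18} allowed={allowed}")
```

Only the genuine CAS request relayed by the load balancer is accepted; the same forged header that the header-trusting lookup resolves to a CAS server address is rejected.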

[cas-user] Re: Acceptable Usage Policy Boolean

2019-06-19 Thread JL-S
Hello Laurent,

I went through the same steps (with cas-6.0.1) and everything worked, but 
only with an LDAP attribute of type string.

In 6.0.4, clicking to accept the policy still correctly sets (or creates) 
the LDAP attribute value to "true", but the process loops on the acceptance 
question and forces you to log in again to obtain the ticket.

Did you manage to get the AUP working, and if so, with which version?

Regards, JL Soltner, UHA


On Tuesday, April 30, 2019 at 16:06:23 UTC+2, Net Work wrote:
>
> Hello everyone, 
> I work with CAS version 6.0 and 6.1.0-RC3. I am trying to store the 
> boolean result of the AUP validation in my OPENLDAP directory. I get this 
> error message:
>   diagnosticMessage = 'supListRed: value # 0 invalid per syntax' When I 
> modify my configuration to use an attribute accepting a string. I have no 
> more errors and I have the value lowercase. Also I wonder if my error 
> message comes from the format of the response of the AUP? If you have any 
> ideas or explanations I am interested. 
> Thank you in advance.
>
> Laurent
>
> === Configuration ==
> ### LDAP
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].useSsl=true
> cas.authn.ldap[0].ldapUrl=ldaps://ldap..fr
> cas.authn.ldap[0].baseDn=dc=xxx,dc=fr
> cas.authn.ldap[0].subtreeSearch=true
>
>
> cas.authn.ldap[0].searchFilter=uid={user}
> cas.authn.ldap[0].bindDn=uid=sso,ou=x,dc=enssib,dc=fr
> cas.authn.ldap[0].bindCredential=x
>
> cas.authn.ldap[0].principalattributelist=cn,givenname,mail,ou,responsable,supannListeRouge
>
>
>  LDAP AUP  
> cas.acceptableusagepolicy.ldap.binddn=cn=manager,dc=,dc=fr 
> cas.acceptableusagepolicy.ldap.bindcredential=xx 
> cas.acceptableusagepolicy.ldap.ldapurl=ldap://ldap.xxx.fr 
> cas.acceptableusagepolicy.ldap.basedn=dc=,dc=fr 
> cas.acceptableusagepolicy.ldap.searchFilter=uid={user} 
> cas.acceptableUsagePolicy.ldap.connectTimeout=5000 
> cas.acceptableUsagePolicy.ldap.minPoolSize=3 
> cas.acceptableUsagePolicy.ldap.maxPoolSize=10 
> cas.acceptableUsagePolicy.ldap.validateOnCheckout=true 
> cas.acceptableUsagePolicy.ldap.validatePeriodically=true 
> cas.acceptableUsagePolicy.ldap.validatePeriod=600 
> cas.acceptableUsagePolicy.ldap.idleTime=500 
> cas.acceptableUsagePolicy.ldap.prunePeriod=600 
> cas.acceptableUsagePolicy.ldap.blockWaitTime=5000 
> cas.acceptableUsagePolicy.ldap.useSsl=false
>
>
>
>



Re: [cas-user] empty SAML response with mod_auth_cas from v1.2/master

2019-06-05 Thread Alan S
Great! If you need additional testing, feel free to reach out.
-Alan

On Wednesday, June 5, 2019 at 8:52:00 AM UTC-5, dhawes wrote:
>
> On Tue, 4 Jun 2019 at 16:58, Alan S wrote: 
> > 
> > 
> > Hi, David. I'll need to check the previous server version, but I've made 
> significant progress using the unmerged patch on your fork (apereo#148). 
> I'm still testing, but planned to reach out to you regarding a PR. 
> > 
> > The ticketing server reports "samlValidate failing due to 
> NullPointerException." I followed your lead in this thread to troubleshoot 
> the empty requestID issue: 
> > 
> > 
> https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/tm8aQrzKDbc 
> > 
> > Continuing here: 
> > 
> > https://github.com/apereo/mod_auth_cas/issues/148 
> > 
> > I cloned your repo (https://github.com/dhawes/mod_auth_cas.git) and 
> merged the fix: 
> > 
> > "issue-148-missing-requestid" 
> > 
> https://github.com/dhawes/mod_auth_cas/commit/1ca702b08c47f15451014201718b9e78a114b3e9
>  
> > 
> > For my tests, I needed to replace "SSL_library_init" with 
> "OPENSSL_init_ssl." From there, the build process was smooth. 
>
> I went ahead and rebased master on my branch. It should compile 
> without modification now. 
>
> > I am now getting the proper XML with the validation response and 
> mod_auth_cas response, and I can view attributes in the cached ticket. This 
> just works. 
>
> Excellent! Thanks for testing. 
>
> > What additional testing would be required to merge this fix? 
>
> I still need to look at the Java CAS client code to see how they 
> generate the RequestID. I'd also like to look at the CAS server code 
> to see how it is used. This solution generates a random value, but it 
> could just be "1" since it's not really used. 
>
> Basically, I just want to verify that the solution not only works, but 
> is correct. 
>



Re: [cas-user] empty SAML response with mod_auth_cas from v1.2/master

2019-06-04 Thread Alan S

Hi, David. I'll need to check the previous server version, but I've made 
significant progress using the unmerged patch on your fork (apereo#148). 
I'm still testing, but planned to reach out to you regarding a PR. 

The ticketing server reports "samlValidate failing due to 
NullPointerException." I followed your lead in this thread to troubleshoot 
the empty requestID issue:


https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/tm8aQrzKDbc

Continuing here:

https://github.com/apereo/mod_auth_cas/issues/148

I cloned your repo (https://github.com/dhawes/mod_auth_cas.git) and merged 
the fix:

"issue-148-missing-requestid"

https://github.com/dhawes/mod_auth_cas/commit/1ca702b08c47f15451014201718b9e78a114b3e9

For my tests, I needed to replace "SSL_library_init" with 
"OPENSSL_init_ssl." From there, the build process was smooth.

I am now getting the proper XML with the validation response and 
mod_auth_cas response, and I can view attributes in the cached ticket. This 
just works. 

What additional testing would be required to merge this fix?

Thanks for your work!
-Alan

On Tuesday, June 4, 2019 at 3:17:30 PM UTC-5, dhawes wrote:
>
> On Mon, 3 Jun 2019 at 17:13, Alan S wrote: 
> > 
> > Hi, all, 
> > 
> > Our previous Apache client (mod_auth_cas v1.0.9.1) worked seamlessly 
> with our organization's CAS server, and retrieving SAML attributes was no 
> problem at all. Currently, we're working toward a rollout of CAS 5.3.3, and 
> I'm trying to integrate an Apache client built from the master branch (v1.2 
> tag). 
> > 
> > If I return only the CAS user from serviceValidate, that response is 
> good; however, I'm getting a null response from the samlValidate endpoint, 
> where Apache reports "Validation response: (null)" with no additional 
> logging. Could I please get some troubleshooting advice for returning 
> proper SAML using the latest Apache module? 
>
> Do versions prior to v1.2 work with CAS 5.3.3? 
>
> Do your CAS server logs show anything about the CAS validation response 
> sent? 
>



[cas-user] empty SAML response with mod_auth_cas from v1.2/master

2019-06-03 Thread Alan S
Hi, all,

Our previous Apache client (mod_auth_cas v1.0.9.1) worked seamlessly with 
our organization's CAS server, and retrieving SAML attributes was no 
problem at all. Currently, we're working toward a rollout of CAS 5.3.3, and 
I'm trying to integrate an Apache client built from the master branch (v1.2 
tag).

If I return only the CAS user from serviceValidate, that response is good; 
however, I'm getting a null response from the samlValidate endpoint, where 
Apache reports "Validation response: (null)" with no additional logging. 
Could I please get some troubleshooting advice for returning proper SAML 
using the latest Apache module?

Here's what I believe to be relevant. I'm happy to provide further details 
and logs:


*Preflight and build steps*
==
openssl: Installed: 1.1.0g-2ubuntu4.3
libapr1: Installed: 1.6.3-2
libaprutil1: Installed: 1.6.1-2
apache2: Installed: 2.4.29-1ubuntu4.6
libcurl4: Installed: 7.58.0-2ubuntu3.7
libpcre3: Installed: 2:8.39-9

Installation:
$ git clone https://github.com/apereo/mod_auth_cas.git
$ cd mod_auth_cas
$ autoreconf -ivf
$ ./configure
$ make
$ sudo make install

(Libraries have been installed in:  /usr/lib/apache2/modules)


*Apache vhost configuration*
==
LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://[CAS_SERVER]/cas/login
CASValidateURL https://[CAS_SERVER]/cas/samlValidate
CASValidateSAML On
CASAttributePrefix SAML-
# I've also specified the following while troubleshooting:
#CASVersion 2
CASDebug On


AuthType CAS
AuthName "Test Group"
CASAuthNHeader CAS-User
# Both requirement targets fail with the SAML endpoint:
#Require valid-user
Require cas-attribute memberof~CN=[SOME_GROUP]



*Apache debug log*
==
[ssl:debug] [pid 8565:tid 140140085245696] ssl_engine_kernel.c(377):
[client [APPLICATION_SERVER_IP]:35184]
AH02034: Initial (No.1) HTTPS request received for child 69 (server 
[APPLICATION_SERVER]:443),
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(2429):
[client [APPLICATION_SERVER_IP]:35184]
Entering cas_check_authorization.,
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[authz_core:debug] [pid 8565:tid 140140085245696] mod_authz_core.c(809):
[client [APPLICATION_SERVER_IP]:35184]
AH01626: authorization result of Require cas-attribute 
memberof~CN=[SOME_GROUP]: denied (no authenticated user yet),
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[authz_core:debug] [pid 8565:tid 140140085245696] mod_authz_core.c(809):
[client [APPLICATION_SERVER_IP]:35184]
AH01626: authorization result of : denied (no authenticated 
user yet),
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(2152):
[client [APPLICATION_SERVER_IP]:35184]
Entering cas_authenticate(),
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(682):
[client [APPLICATION_SERVER_IP]:35184]
Modified r->args (now ''),
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(1830):
[client [APPLICATION_SERVER_IP]:35184]
entering getResponseFromServer(),
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(610):
[client [APPLICATION_SERVER_IP]:35184]
CAS Service 'https%3a%2f%2f[APPLICATION_SERVER]%2f',
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(1910):
[client [APPLICATION_SERVER_IP]:35184]
Validation response: (null),
referer: 
https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f
==

Thank you very much for your time.
-Alan



[cas-user] CAS 6.0.3 and DUO per service/ per attribute not forcing MFA

2019-05-16 Thread K S
I am having an issue running CAS 6.0.3 with MFA DUO per service / per 
attribute configured in JSON files. The configuration goes like this; 
during deploy time I also see the error below.


2019-05-16 13:44:54,091 WARN 
[org.apereo.cas.services.util.RegisteredServiceMultifactorPolicyDeserializationProblemHandler]
 
- 


application.properties 

cas.authn.mfa.duo[0].trustedDeviceEnabled=false
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=mfa-duo
cas.authn.mfa.duo[0].registrationUrl=https://xxx.yyy.zz/duo/
cas.authn.mfa.duo[0].rank=1
cas.authn.mfa.duo[0].duoSecretKey=3sdixxxpmXH7Z8OG
cas.authn.mfa.duo[0].duoApplicationKey=b382465d1f
cas.authn.mfa.duo[0].duoIntegrationKey=DIOTPXXQ6Y
cas.authn.mfa.duo[0].duoApiHost=apixxx.duosecurity.com


service_id.json


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https*://xxx.y.com.*",
  "name" : "Handshake",
  "description" : "",
  "id" : 1422000,
  "theme" : "MY",
  "evaluationOrder" : 45500,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "principalAttributeNameTrigger" : "memberOf",
    "principalAttributeValueToMatch" : "CN=IDM-duousers,OU=xx,DC=xx,DC=yy,DC=zz"
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "LOWER",
    "encryptUsername" : false
  }
}




Re: [cas-user] CAS 6.1.0-RC2 JWT error

2019-01-17 Thread K S
It seems to be working with 5.2.5. Something changed in 5.3.x and 
subsequent releases that broke it.

On Tuesday, January 15, 2019 at 2:36:19 PM UTC-6, Dmitriy Kopylenko wrote:
>
> I don’t see anything extraordinary here. I’m afraid the next step would be 
> to dive deep into the running code, i.e. set a debug breakpoint at this call 
> site: 
> https://github.com/apereo/cas/blob/72fe70b4868343cafd0df1f506e98eeea1e9544a/support/cas-server-support-token-core/src/main/java/org/apereo/cas/token/JWTTokenTicketBuilder.java#L74
> and figure out what type of expiration policy is in use and what the value 
> of expirationPolicy.getTimeToLive() is, which leads to the exception you 
> are seeing, etc.
>
> D.
>
> From: K S  
> Reply: cas-...@apereo.org   
> Date: January 15, 2019 at 3:03:51 PM
> To: CAS Community  
> Cc: dkopy...@unicon.net   
> Subject:  Re: [cas-user] CAS 6.1.0-RC2 JWT error 
>
> here is what  i have for TGT 
>
> #added to JWT testing
> cas.ticket.tgt.maxTimeToLiveInSeconds=-1
> cas.ticket.tgt.timeToKillInSeconds=7200
> cas.ticket.tgt.rememberMe.enabled=true
> cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800
> cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
> cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
> cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5
>
>
>
> On Tuesday, January 15, 2019 at 1:36:26 PM UTC-6, Dmitriy Kopylenko wrote: 
>
> What’s the value of your tgt expiration policy in your properties 
> e.g. cas.ticket.tgt.maxTimeToLiveInSeconds ?
>
> From stack trace it indicates that it fails on this call -> 
> https://github.com/apereo/cas/blob/72fe70b4868343cafd0df1f506e98eeea1e9544a/support/cas-server-support-token-core/src/main/java/org/apereo/cas/token/JWTTokenTicketBuilder.java#L74
>
> That exception will happen if the value passed to the ‘plusSeconds’ method 
> is “too large”
>
> Simple test in my local JShell (Java 11):
>
> jshell> ZonedDateTime.now().plusSeconds(Long.MAX_VALUE)
> |  Exception java.time.DateTimeException: Invalid value for EpochDay 
> (valid values -365243219162 - 365241780471): 106751991185212
> |at ValueRange.checkValidValue (ValueRange.java:311)
> |at ChronoField.checkValidValue (ChronoField.java:717)
> |at LocalDate.ofEpochDay (LocalDate.java:341)
> |at LocalDate.plusDays (LocalDate.java:1393)
> |at LocalDateTime.plusWithOverflow (LocalDateTime.java:1571)
> |at LocalDateTime.plusSeconds (LocalDateTime.java:1327)
> |at ZonedDateTime.plusSeconds (ZonedDateTime.java:1767)
> |at (#9:1)
>
> Best,
> D.
>
>
>
>
> From: Chris Peck 
> Reply: cas-...@apereo.org 
> Date: January 15, 2019 at 1:50:41 PM
> To: cas-...@apereo.org 
> Subject:  Re: [cas-user] CAS 6.1.0-RC2 JWT error
>
> HELP
>
> On Tue, Jan 15, 2019 at 11:34 AM K S  wrote:
>
> here is my service JSON file : 
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://abcd.ad.test.edu/.*",
>   "name" : "JWTService",
>   "id" : 10078999,
>   "theme" : "default",
>   "evaluationOrder" : 1330099,
>   "properties" : {
>     "@class" : "java.util.HashMap",
>     "jwtAsServiceTicket" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values" : [ "java.util.HashSet", [ "true" ] ]
>     }
>   }
> }
>
>
> here is the error stack i get after logging into CAS:
>
> 2019-01-15 10:23:38,198 WARN [org.apereo.cas.util.function.FunctionUtils] 
> -  106751991185212>
> java.time.DateTimeException: Invalid value for EpochDay (valid values 
> -365243219162 - 365241780471): 106751991185212
> at 
> java.time.temporal.ValueRange.checkValidValue(ValueRange.java:311) ~[?:?]
> at 
> java.time.temporal.ChronoField.checkValidValue(ChronoField.java:717) ~[?:?]
> at java.time.LocalDate.ofEpochDay(LocalDate.java:341) ~[?:?]
> at java.time.LocalDate.plusDays(LocalDate.java:1393) ~[?:?]
> at 
> java.time.LocalDateTime.plusWithOverflow(LocalDateTime.java:1571) ~[?:?]
> at java.time.LocalDateTime.plusSeconds(LocalDateTime.java:1327) 
> ~[?:?]
> at java.time.ZonedDateTime.plusSeconds(ZonedDateTime.java:1767) 
> ~[?:?]
> at 
> org.apereo.cas.token.JWTTokenTicketBuilder.lambda$build$0(JWTTokenTicketBuilder.java:59)
>  
> ~[cas-server-support-token-core-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
> at 
> org.apereo.cas.util.function.FunctionUtils.lambda$doIf$1(FunctionUti

Re: [cas-user] CAS 6.1.0-RC2 JWT error

2019-01-15 Thread K S
Hmm, this is painful.

On Tuesday, January 15, 2019 at 2:36:19 PM UTC-6, Dmitriy Kopylenko wrote:
>
> I don’t see anything extraordinary here. I’m afraid the next step would be 
> to dive deep into the running code, i.e. set a debug breakpoint at this call 
> site: 
> https://github.com/apereo/cas/blob/72fe70b4868343cafd0df1f506e98eeea1e9544a/support/cas-server-support-token-core/src/main/java/org/apereo/cas/token/JWTTokenTicketBuilder.java#L74
> and figure out what type of expiration policy is in use and what the value 
> of expirationPolicy.getTimeToLive() is, which leads to the exception you 
> are seeing, etc.
>
> D.

Re: [cas-user] CAS 6.1.0-RC2 JWT error

2019-01-15 Thread K S
Here is what I have for TGT:

#added to JWT testing
cas.ticket.tgt.maxTimeToLiveInSeconds=-1
cas.ticket.tgt.timeToKillInSeconds=7200
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800
cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5



On Tuesday, January 15, 2019 at 1:36:26 PM UTC-6, Dmitriy Kopylenko wrote:
>
> What’s the value of your tgt expiration policy in your properties 
> e.g. cas.ticket.tgt.maxTimeToLiveInSeconds ?
>
> From stack trace it indicates that it fails on this call -> 
> https://github.com/apereo/cas/blob/72fe70b4868343cafd0df1f506e98eeea1e9544a/support/cas-server-support-token-core/src/main/java/org/apereo/cas/token/JWTTokenTicketBuilder.java#L74
>
> That exception will happen if the value passed to the ‘plusSeconds’ method 
> is “too large”
>
> Simple test in my local JShell (Java 11):
>
> jshell> ZonedDateTime.now().plusSeconds(Long.MAX_VALUE)
> |  Exception java.time.DateTimeException: Invalid value for EpochDay (valid values -365243219162 - 365241780471): 106751991185212
> |        at ValueRange.checkValidValue (ValueRange.java:311)
> |        at ChronoField.checkValidValue (ChronoField.java:717)
> |        at LocalDate.ofEpochDay (LocalDate.java:341)
> |        at LocalDate.plusDays (LocalDate.java:1393)
> |        at LocalDateTime.plusWithOverflow (LocalDateTime.java:1571)
> |        at LocalDateTime.plusSeconds (LocalDateTime.java:1327)
> |        at ZonedDateTime.plusSeconds (ZonedDateTime.java:1767)
> |        at (#9:1)
>
> Best,
> D.
>
>
>
>
> From: Chris Peck  
> Reply: cas-...@apereo.org   
> Date: January 15, 2019 at 1:50:41 PM
> To: cas-...@apereo.org   
> Subject:  Re: [cas-user] CAS 6.1.0-RC2 JWT error 
>
> HELP
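
The overflow described in the quoted reply above, as an added Java example that is not part of the thread or of the CAS code base. It reproduces the out-of-range epoch day 106751991185212 from the logged exception by adding Long.MAX_VALUE seconds to the log timestamp, then shows a guard that bounds a token lifetime before the date arithmetic. The class name, expiryFor, overflowEpochDay and the 8-hour cap are assumptions made for illustration; the timestamp is constructed from the log line and assumed to be UTC.

```java
import java.time.DateTimeException;
import java.time.Duration;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;

public class JwtExpiryGuard {

    private static final long SECONDS_PER_DAY = 86_400L;

    // Hypothetical ceiling for a token lifetime; pick one that fits the deployment.
    static final Duration MAX_TOKEN_LIFETIME = Duration.ofHours(8);

    /**
     * Epoch day that java.time tries to construct when `seconds` is added to
     * `issuedAt`: whole days contained in the offset, plus one carry day when
     * the leftover seconds push the time of day past midnight.
     * Valid for non-negative offsets only.
     */
    static long overflowEpochDay(ZonedDateTime issuedAt, long seconds) {
        long wholeDays = seconds / SECONDS_PER_DAY;
        long leftover = seconds % SECONDS_PER_DAY;
        long carry = (issuedAt.toLocalTime().toSecondOfDay() + leftover) / SECONDS_PER_DAY;
        return issuedAt.toLocalDate().toEpochDay() + wholeDays + carry;
    }

    /**
     * Computes a token expiry from a time-to-live in seconds. A non-positive
     * value (such as a -1 "no limit" setting) or a value above the cap is
     * treated as "no usable lifetime configured" and replaced by the cap, so
     * the result is always a valid date and the token always expires.
     */
    static ZonedDateTime expiryFor(ZonedDateTime issuedAt, long timeToLiveSeconds) {
        long cap = MAX_TOKEN_LIFETIME.getSeconds();
        boolean unbounded = timeToLiveSeconds <= 0 || timeToLiveSeconds > cap;
        return issuedAt.plusSeconds(unbounded ? cap : timeToLiveSeconds);
    }

    public static void main(String[] args) {
        // Constructed input: the timestamp of the WARN line in the thread, assumed UTC.
        ZonedDateTime issuedAt = ZonedDateTime.of(2019, 1, 15, 10, 23, 38, 0, ZoneOffset.UTC);

        // The epoch day that the unguarded call will reject as out of range.
        System.out.println("epoch day requested: " + overflowEpochDay(issuedAt, Long.MAX_VALUE));

        // Unguarded arithmetic, as in the JShell test quoted in the thread.
        try {
            issuedAt.plusSeconds(Long.MAX_VALUE);
        } catch (DateTimeException e) {
            System.out.println("unguarded: " + e.getMessage());
        }

        // Guarded arithmetic: sentinel and oversized values fall back to the cap,
        // an ordinary value passes through unchanged.
        System.out.println("Long.MAX_VALUE -> " + expiryFor(issuedAt, Long.MAX_VALUE));
        System.out.println("-1             -> " + expiryFor(issuedAt, -1));
        System.out.println("7200           -> " + expiryFor(issuedAt, 7200));
    }
}
```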

[cas-user] CAS 6.1.0-RC2 JWT error

2019-01-15 Thread K S
Here is my service JSON file:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://abcd.ad.test.edu/.*",
  "name" : "JWTService",
  "id" : 10078999,
  "theme" : "default",
  "evaluationOrder" : 1330099,
  "properties" : {
    "@class" : "java.util.HashMap",
    "jwtAsServiceTicket" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }
}


Here is the error stack I get after logging into CAS:

2019-01-15 10:23:38,198 WARN [org.apereo.cas.util.function.FunctionUtils] - 

java.time.DateTimeException: Invalid value for EpochDay (valid values 
-365243219162 - 365241780471): 106751991185212
at 
java.time.temporal.ValueRange.checkValidValue(ValueRange.java:311) ~[?:?]
at 
java.time.temporal.ChronoField.checkValidValue(ChronoField.java:717) ~[?:?]
at java.time.LocalDate.ofEpochDay(LocalDate.java:341) ~[?:?]
at java.time.LocalDate.plusDays(LocalDate.java:1393) ~[?:?]
at 
java.time.LocalDateTime.plusWithOverflow(LocalDateTime.java:1571) ~[?:?]
at java.time.LocalDateTime.plusSeconds(LocalDateTime.java:1327) 
~[?:?]
at java.time.ZonedDateTime.plusSeconds(ZonedDateTime.java:1767) 
~[?:?]
at 
org.apereo.cas.token.JWTTokenTicketBuilder.lambda$build$0(JWTTokenTicketBuilder.java:59)
 
~[cas-server-support-token-core-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
at 
org.apereo.cas.util.function.FunctionUtils.lambda$doIf$1(FunctionUtils.java:65) 
~[cas-server-core-util-api-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
at 
org.apereo.cas.token.JWTTokenTicketBuilder.build(JWTTokenTicketBuilder.java:62) 
~[cas-server-support-token-core-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method) ~[?:?]
at 
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 
~[?:?]
at 
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at 
org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:246) 
~[spring-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at 
org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:494)
 
~[spring-cloud-context-2.1.0.RC2.jar:2.1.0.RC2]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
 
~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
 
~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at com.sun.proxy.$Proxy335.build(Unknown Source) ~[?:?]
at 
org.apereo.cas.token.authentication.principal.TokenWebApplicationServiceResponseBuilder.generateToken(TokenWebApplicationServiceResponseBuilder.java:72)
 
~[cas-server-support-token-tickets-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
at 
org.apereo.cas.token.authentication.principal.TokenWebApplicationServiceResponseBuilder.buildInternal(TokenWebApplicationServiceResponseBuilder.java:51)
 
~[cas-server-support-token-tickets-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
at 
org.apereo.cas.authentication.principal.WebApplicationServiceResponseBuilder.build(WebApplicationServiceResponseBuilder.java:45)
 
~[cas-server-core-services-authentication-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
at 
org.apereo.cas.web.flow.actions.RedirectToServiceAction.doExecute(RedirectToServiceAction.java:41)
 
~[cas-server-core-webflow-api-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
 
~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method) ~[?:?]
at 
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 
~[?:?]
at 
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at 
org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:246) 
~[spring-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at 
org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:494)
 
~[spring-cloud-context-2.1.0.RC2.jar:2.1.0.RC2]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
 
~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
 
~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at com.sun.proxy.$Proxy412.execute(Unknown Source) ~[?:?]
at 

[cas-user] cas 6.1.0-RC2 JWT token creation error

2019-01-15 Thread K S
Here is my service JSON file:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://abcd.ad.test.edu/.*",
  "name" : "JWTService",
  "id" : 10078999,
  "theme" : "uab",
  "evaluationOrder" : 1330099,
  "properties" : {
    "@class" : "java.util.HashMap",
    "jwtAsServiceTicket" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }
}


Here is the error stack I get after logging into CAS:


[cas-user] Re: Error in JWT token creation

2018-11-14 Thread K S
Followed the steps mentioned here:

https://apereo.github.io/cas/5.3.x/installation/Configure-ServiceTicket-JWT.html#configuration


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/08abee1d-cfaa-447d-acbe-ab12c902bec1%40apereo.org.


[cas-user] Error in JWT token creation

2018-11-14 Thread K S

I am using CAS 5.3.x. Here are my JWT properties and service registry. 
See the error stack below, post login.


# JWT Service
cas.authn.token.crypto.encryption.key=XX
cas.authn.token.crypto.signing.key=XX
cas.authn.token.crypto.enabled=false
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signingEnabled=true
cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=HS512



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://xxx/.*",
  "name" : "OAuthService",
  "id" : 1007892,
  "properties" : {
    "@class" : "java.util.HashMap",
    "jwtAsServiceTicket" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    },
    "jwtAsServiceTicketSigningKey" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "supersecretforjwt" ] ]
    },
    "jwtAsServiceTicketEncryptionKey" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "supersecretforjwt" ] ]
    }
  }
}






org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing 
org.apereo.cas.web.flow.actions.RedirectToServiceAction@3c7d9a75 in state 
'redirect' of flow 'login' -- action execution attributes were 'map[[empty]]'
at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
at 
org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
at org.springframework.webflow.engine.State.enter(State.java:194)
at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
at org.springframework.webflow.engine.State.enter(State.java:194)
at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
at 
org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
at org.springframework.webflow.engine.State.enter(State.java:194)
at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
at org.springframework.webflow.engine.State.enter(State.java:194)
at 
org.springframework.webflow.engine.Transition.execute(Transition.java:228)
at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
at 
org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
at 
org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
at 
org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
at org.springframework.webflow.engine.State.enter(State.java:194)

[cas-user] renew parameter issue, true and false both forces login

2018-11-14 Thread K S
I am using the Node.js CAS module cas-authentication, 
https://www.npmjs.com/package/cas-authentication.

When I set renew to false, I get prompted for login. Is this an 
issue with CAS?



Re: [cas-user] Pac4j Retrieve attribute and passing to CAS client

2018-10-29 Thread uvaraj s
Hi Jerome,

Thanks a lot. I was able to retrieve the attributes in Java as given below. 
We have a CAS client which is developed in Python. How do I get that 
CasProfile in Python? Does pac4j support Python? When we try django-cas-ng, 
it is giving AnonymousUser.

public CasProfile validateServiceTicket(final String serviceURL, final TokenCredentials ticket) {
    try {
        // Validate the service ticket against the CAS server.
        final Assertion assertion = getCasRestAuthenticator().getTicketValidator()
                .validate(ticket.getToken(), serviceURL);
        final AttributePrincipal principal = assertion.getPrincipal();
        // Copy the principal id and its attributes into the profile.
        final CasProfile casProfile = new CasProfile();
        casProfile.setId(principal.getName());
        casProfile.addAttributes(principal.getAttributes());
        return casProfile;
    } catch (final TicketValidationException e) {
        throw new TechnicalException(e);
    }
}

public CasRestAuthenticator getCasRestAuthenticator() {
    Authenticator authenticator = getAuthenticator();
    // Unwrap the caching decorator, if present, to reach the delegate.
    if (authenticator instanceof LocalCachingAuthenticator) {
        authenticator = ((LocalCachingAuthenticator) authenticator).getDelegate();
    }
    if (authenticator instanceof CasRestAuthenticator) {
        return (CasRestAuthenticator) authenticator;
    }
    throw new TechnicalException(
            "authenticator must be a CasRestAuthenticator (or via a LocalCachingAuthenticator)");
}



On Friday, 16 March 2018 11:34:51 UTC-4, leleuj wrote:
>
> Hi,
>
> This documentation should help you: 
> https://apereo.github.io/cas/4.2.x/integration/Delegate-Authentication.html#how-to-use-this-support-on-cas-applications-side
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu, Mar 15, 2018 at 3:31 AM, uvaraj s > 
> wrote:
>
>> Hi,
>>
>> We are using CAS 4.1.2 and pac4j version 1.7. We are making a SAML2Client 
>> call to Shibboleth. These questions might look like very basic ones, but the 
>> answers to these will help us a lot.
>>
>> 1. In the logs, I am able to see the attribute details getting printed. 
>> But I wanted to know how we can retrieve user profile details in the 
>> code?
>> 2. How will a client application that uses this CAS server be able to 
>> get these attribute details?
>>
>> Thanks a lot in Advance.
>>



[cas-user] CAS SSO login issue with cluster environment

2018-09-25 Thread uvaraj s
Hi CAS Users,

We are using CAS 4.1.2, which is running in a cluster environment (one MySQL 
DB -> connecting two CAS Tomcat applications under 1 application LB), and 
we do not have any cache implemented.

Intermittently, when a user tries to log in, the user is redirected to 
the login page itself. Below are the logs from Tomcat server 1 and server 2.

In the server 1 log, we can see that the ticket is getting removed before 
the validation happens from server 2.

Is there any way to increase the time and not remove the ticket, so that 
the validation from server 2 goes through without any issue?

*Logs From Server 1:*

2018-09-25 16:06:58,320 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2018-09-25 16:06:58,320 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - https://client.mysite.org/sso] for user 
[suvaraj+g...@gmail.com]>
2018-09-25 16:06:58,320 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - https://client.mysite.org/sso] for user 
[suvaraj+g...@gmail.com]>
2018-09-25 16:06:58,321 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,321 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG 
[org.jasig.cas.web.support.DefaultCasCookieValueManager] - 
2018-09-25 16:07:02,813 DEBUG 
[org.jasig.cas.web.support.DefaultCasCookieValueManager] - 
2018-09-25 16:07:02,814 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:07:02,814 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout] for service 
[https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout] for service 
[https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org]>
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout,message=@NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout,message=@NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso,status=SUCCESS]]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso,status=SUCCESS]]>



*Logs From Server 2*

2018-09-25 16:07:12,665 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 

[cas-user] Re: Thread count keeps growing at tomcat 8.5 with CAS 5.1

2018-04-12 Thread Dan S
I haven't found a solution to this issue. It seems to be related to SAML2 
services. Any time one of them creates a service ticket, the thread count 
increases and never decreases.

I checked the 5.3 RC2 and it doesn't seem to have the same issue. Once that 
release is a stable version, I'll be testing that out for our deployment.



On Monday, August 28, 2017 at 9:02:48 AM UTC-5, Song, Doe-Hyun wrote:
>
> Good Morning All,
>
> Since we went to production with CAS 5.1, we keep having growing thread
> counts.
>
> We use ehcache for HA implementation and ldap for authentication.
>
> Two types of threads – Timer and pool-3-thread – keep growing as time
> goes on.
>
> Any suggestions for debugging this issue?
>
> Thread dump:
>
> Full thread dump OpenJDK 64-Bit Server VM (25.101-b13 mixed mode):
>
> "Timer-73" #512 daemon prio=5 os_prio=0 tid=0x7f0520033000 nid=0x8041 in Object.wait() [0x7f0509b5c000]
>    java.lang.Thread.State: TIMED_WAITING (on object monitor)
>         at java.lang.Object.wait(Native Method)
>         at java.util.TimerThread.mainLoop(Timer.java:552)
>         - locked <0xafb48f10> (a java.util.TaskQueue)
>         at java.util.TimerThread.run(Timer.java:505)
>
> "Timer-72" #509 daemon prio=5 os_prio=0 tid=0x7f0520019800 nid=0x7fbc in Object.wait() [0x7f050a469000]
>    java.lang.Thread.State: TIMED_WAITING (on object monitor)
>         at java.lang.Object.wait(Native Method)
>         at java.util.TimerThread.mainLoop(Timer.java:552)
>         - locked <0xafa333a0> (a java.util.TaskQueue)
>         at java.util.TimerThread.run(Timer.java:505)
>
> "pool-3-thread-23" #508 prio=5 os_prio=0 tid=0x7f05180b3000 nid=0x7f36 waiting on condition [0x7f0509d6]
>    java.lang.Thread.State: WAITING (parking)
>         at sun.misc.Unsafe.park(Native Method)
>         - parking to wait for  <0xa7f17930> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
>         at java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
>         at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
>         at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:442)
>         at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
>
> "Timer-71" #507 daemon prio=5 os_prio=0 tid=0x7f05180b8800 nid=0x7f35 in Object.wait() [0x7f0509f62000]
>    java.lang.Thread.State: TIMED_WAITING (on object monitor)
>         at java.lang.Object.wait(Native Method)
>         at java.util.TimerThread.mainLoop(Timer.java:552)
>         - locked <0xaf974c00> (a java.util.TaskQueue)
>         at java.util.TimerThread.run(Timer.java:505)
>
> "Timer-70" #506 daemon prio=5 os_prio=0 tid=0x7f05506ba000 nid=0x7eb4 in Object.wait() [0x7f0509e61000]
>    java.lang.Thread.State: TIMED_WAITING (on object monitor)
>         at java.lang.Object.wait(Native Method)
>         at java.util.TimerThread.mainLoop(Timer.java:552)
>         - locked <0xaf8cf808> (a java.util.TaskQueue)
>         at java.util.TimerThread.run(Timer.java:505)
>
> "pool-3-thread-22" #496 prio=5 os_prio=0 tid=0x7f05180b7800 nid=0x79dd waiting on condition [0x7f050a063000]
>    java.lang.Thread.State: WAITING (parking)
>         at sun.misc.Unsafe.park(Native Method)
>         - parking to wait for  <0xa7f17930> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
>         at java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
>         at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
>         at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:442)
>         at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
>
> Thanks,
>
> Doe

[cas-user] Re: Thread count keeps growing at tomcat 8.5 with CAS 5.1

2018-03-27 Thread Dan S
We are seeing this same issue. Did you ever find a solution for it?

Dan


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- 

Re: [cas-user] [CAS-5.2.2] Custom Attribute release

2018-03-19 Thread s 1
I'm using LDAP authentication and this link:
https://apereo.github.io/cas/5.2.x/integration/Attribute-Resolution.html#
It works fine :)

2018-03-19 16:01 GMT+07:00 Soumya Tripathy :

> Hi,
> We are using CAS-5.2.2. We have the following scenario.
> There will be a custom input in the login form where the user will provide
> some additional info (say, team name). After successful login we want the
> same input (team name) to be released as an attribute to the caller service.
>
> I'm trying to look around the custom attribute release policy and the webflow,
> but till now I haven't found any clue.
>
> Thanks,
> Soumya

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABDdxaEQYpOd%2BDxJaV%2BWcxU6M_1g%3D75FcRHc6aqUEbkFjwU5mg%40mail.gmail.com.


[cas-user] Pac4j Retrieve attribute and passing to CAS client

2018-03-14 Thread uvaraj s
Hi,

We are using CAS 4.1.2 and pac4j version 1.7. We are making a SAML2Client 
call to Shibboleth. These questions might look very basic, but the 
answers to them will help us a lot.

1. In the logs, I can see the attribute details being printed, but I 
would like to know how we can retrieve the user profile details in the 
code.
2. How will a client application that uses this CAS server be able to get 
these attribute details?

Thanks a lot in advance.



[cas-user] Pac4j Retrieve attribute values

2018-03-14 Thread uvaraj s
Hi,

We are using CAS 4.1.2 and pac4j version 1.7. We are making a SAML2Client 
call to Shibboleth. In the logs, I can see the attribute details 
being printed, but I would like to know how we can retrieve the user 
profile details in the code.



[cas-user] Re: CAS 5.1.x and 5.2.x failing when authenticating agains MySQL DB

2018-02-28 Thread S
Hi

I am also getting the same error. Any solutions?

Thanks

On Saturday, September 16, 2017 at 1:55:45 AM UTC+5:30, Nona M wrote:
>
> Hi,
>
> Were you able to solve this? I am getting the same error.
>
> Thx
>
>
> On Thursday, August 17, 2017 at 9:31:04 AM UTC-4, Szymon Stuglik wrote:
>>
>> Hello everybody,
>>
>> For 4 days I've been trying to configure CAS to work with MySQL DB for 
>> authentication.
>> I've added the required dependencies (JDBC driver support) to the POM, but 
>> I'm getting the errors below (version 5.0.7 works, btw).
>> Any hints?
>>
>> 2017-08-17 13:28:16,335 ERROR 
>> [org.springframework.boot.SpringApplication] - 
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
>> creating bean with name 'authenticationTransactionManager' defined in class 
>> path resource 
>> [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: 
>> Unsatisfied dependency expressed through method 
>> 'authenticationTransactionManager' parameter 0; nested exception is 
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
>> creating bean with name 'casAuthenticationManager' defined in class path 
>> resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: 
>> Unsatisfied dependency expressed through method 'casAuthenticationManager' 
>> parameter 2; nested exception is 
>> org.springframework.beans.factory.BeanCreationException: Error creating 
>> bean with name 'authenticationEventExecutionPlan' defined in class path 
>> resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: 
>> Bean instantiation via factory method failed; nested exception is 
>> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
>> [org.apereo.cas.authentication.AuthenticationEventExecutionPlan]: Factory 
>> method 'authenticationEventExecutionPlan' threw exception; nested exception 
>> is org.springframework.beans.factory.BeanCreationException: Error creating 
>> bean with name 'scopedTarget.jdbcAuthenticationHandlers' defined in class 
>> path resource 
>> [org/apereo/cas/adaptors/jdbc/config/CasJdbcAuthenticationConfiguration.class]:
>>  
>> Bean instantiation via factory method failed; nested exception is 
>> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
>> [java.util.Collection]: Factory method 'jdbcAuthenticationHandlers' threw 
>> exception; nested exception is java.lang.IllegalArgumentException: 
>> java.lang.RuntimeException: Failed to load class of driverClassName 
>> [com.mysql.jdbc.Driver] in either of HikariConfig class loader or Thread 
>> context classloader
>> at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:749) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:467) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1173) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1067) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761) ~[spring-beans-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867) ~[spring-context-4.3.10.RELEASE.jar:4.3.10.RELEASE]
>> at 
>> 

[cas-user] Cas 5.2 OpenLDap notworking: authentication failure and sucess

2018-02-28 Thread s 1
I configured CAS 5.2 to authenticate user logins via OpenLDAP, but it is not working.
My cas.properties:
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=xx-cas,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Manager,dc=xx-cas,dc=com
cas.authn.ldap[0].bindCredential=

Log:
2018-02-28 13:43:09,886 DEBUG 
[org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] 
- 
2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] - 

2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] - 

2018-02-28 13:43:09,889 DEBUG 
[org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] 
- 
2018-02-28 13:43:09,890 DEBUG 
[org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] 
- 
2018-02-28 13:43:09,891 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-28 13:43:09,893 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2018-02-28 13:43:09,945 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2018-02-28 13:43:09,947 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2018-02-28 13:43:09,949 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2018-02-28 13:43:09,950 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 

Any pointers on this will be highly appreciated. Thanks.



[cas-user] CAS 5.2 - SAML2 SLO

2018-02-26 Thread Dan S
I am trying to use SAML2 with CAS 5.2. I have it set up as the IdP and I 
have two services connected to it. Everything works as expected with one 
service - but the second service does not receive a POST to its logout URL 
when signing out of CAS.

Steps:

Sign in to both applications. Only the first requires sign-in to CAS. Hit the CAS 
logout URL. One app receives a POST to its sign-out URL - 
/saml/SingleLogout. The other app doesn't receive any logout signal. 

I have debug turned on for opensaml but I am not seeing anything with the 
logout activity. Not sure where to look next.

Any help would be appreciated.

Dan



Re: [cas-user] Documentation Recommends https

2017-12-05 Thread Petr Gašparík - AMI Praha a . s .
Hi Aaron,
you can do it in the service JSON file.

Just find the default one (HTTPSandIMAPS-1001.json)

Just change
  "serviceId" : "^(https|imaps)://.*",
to
  "serviceId" : "^(http|https)://.*",


--

Best regards

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gaspa...@ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz




2017-12-04 21:53 GMT+01:00 Aaron Burton <scoobysna...@gmail.com>:

> "Very very strong should" noted.  If I still wanted to disable https on
> the service url callback what property do I set?  I don't see anything that
> looks like it in this
> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#http-client
>
> Thank you
>
>
> On Tuesday, January 26, 2016 at 2:56:37 PM UTC-6, Misagh Moayyed wrote:
>>
>> -  Nothing in CAS “requires” https. As such, there is no MUST.
>> There is a very very strong SHOULD. Everything if not all is by default
>> configured to assume https. You can turn all that off to use http only, or
>> a combination. You should not do that.
>>
>> -  We recommend you use https for everything. That includes the
>> CAS deployment, and all applications registered with CAS, and every
>> callback URL and serviceId and logout URL and everything else.
>>
>> -  Clients that initiate authentication with HTTP remain in HTTP
>> as long as CAS allows HTTP access for that client. Same goes for
>> HTTPS. You cannot change URL protocol in between.
>>
>>
>>
>> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of* Jonathan Labin
>> *Sent:* Tuesday, January 26, 2016 12:59 PM
>> *To:* CAS Community <cas-...@apereo.org>
>> *Subject:* [cas-user] Documentation Recommends https
>>
>>
>>
>> Could someone please help me understand the recommendation in the
>> documentation to use Secure Transport
>> <http://jasig.github.io/cas/4.1.x/planning/Security-Guide.html#secure-transport-https>?
>>
>> During development, I've just used https for everything but I'd like to
>> have a better understanding of which configuration items really require it.
>>
>>
>>
>> The page specifically states that "all CAS urls must use HTTPS" and to me
>> this means all of the applications should configure their clients with
>> https urls to endpoints such as loginURL, serverUrlPrefix, ...
>>
>> What about the URL provided as a service redirect argument to the /logout
>> endpoint?
>>
>> I might guess this is O.K. to be http.
>>
>>
>>
>> The documentation also states https should be used "when the generated
>> service ticket is sent back to the application on the 'service' url"
>>
>> What is the practical implication of this?  Does it mean that all serviceId
>> values for registered services must begin with https?
>>
>> Does this also mean that the client callbackUrl must also be https?
>>
>>
>>
>> If these must all be https, does this mean that the application will
>> always return from authentication in https?
>>
>> If the client was in http before authentication started, is there any way
>> that they can end up in http after authentication?
>>
>>
>>
>> Thanks
>>

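To make the effect of the serviceId change discussed in this thread concrete, here is an added example (not part of the thread and not CAS code) that audits service definitions for patterns accepting cleartext http:// URLs or arbitrary hosts. The definitions and probe URLs are constructed, and it assumes a serviceId has to match the whole service URL and that these simple patterns behave the same in JavaScript as in Java regex.

```javascript
// Added example: audit CAS service-registry definitions for serviceId
// patterns that authorize more than intended. Not CAS code.

// Constructed sample definitions. Only the two wildcard serviceId values
// come from the thread; names, ids and the portal host are hypothetical.
const SAMPLE_DEFINITIONS = [
  { id: 1001, name: "default (HTTPS and IMAPS)", serviceId: "^(https|imaps)://.*" },
  { id: 1002, name: "default edited to allow http", serviceId: "^(http|https)://.*" },
  { id: 1003, name: "single application", serviceId: "^https://portal\\.example\\.org/.*" },
];

// Constructed probe URLs: one cleartext, one for a host nobody registered.
const PROBES = {
  cleartext: "http://app.example.org/login",
  unknownHost: "https://unregistered.example.net/",
};

// Assumption: a service URL is authorized only if the whole URL matches
// the pattern, so the pattern is anchored at both ends here.
function authorizes(serviceId, url) {
  return new RegExp("^(?:" + serviceId + ")$").test(url);
}

// Returns the definition together with a list of findings (empty = clean).
function auditDefinition(def) {
  const findings = [];
  try {
    if (authorizes(def.serviceId, PROBES.cleartext)) {
      findings.push("accepts http:// service URLs (service ticket returned over cleartext)");
    }
    if (authorizes(def.serviceId, PROBES.unknownHost)) {
      findings.push("accepts any host (every https application is authorized)");
    }
  } catch (e) {
    // An invalid pattern is itself worth reporting.
    findings.push("pattern does not compile: " + e.message);
  }
  return { id: def.id, name: def.name, serviceId: def.serviceId, findings: findings };
}

function auditAll(defs) {
  return defs.map(auditDefinition);
}

for (const r of auditAll(SAMPLE_DEFINITIONS)) {
  console.log(r.id, r.serviceId, r.findings.length ? r.findings.join("; ") : "no findings");
}
```

A pattern scoped to one https host, like the third sample, produces no findings; the default wildcard already authorizes any host, and the edited one additionally admits cleartext callbacks.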


[cas-user] cas.js javascript error in certain browser

2017-09-18 Thread K S
I am getting an "Object does not support property or method trim()" JavaScript 
error. Is there a workaround for this error in cas.js? The code is below.

function disableEmptyInputFormSubmission() {
    // Re-evaluate the submit button whenever either field changes.
    $('#fm1 input[name="username"],[name="password"]').on("input", function (event) {
        // .trim() is the call named in the reported error.
        var enableSubmission = $('#fm1 input[name="username"]').val().trim() &&
            $('#fm1 input[name="password"]').val().trim();

        if (enableSubmission) {
            $("#fm1 input[name=submit]").removeAttr('disabled');
            event.stopPropagation();
        } else {
            $("#fm1 input[name=submit]").attr('disabled', 'true');
        }
    });
}

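One way to avoid the error asked about above, as an added example that is not from cas.js or the CAS project: trim with a regular expression instead of calling trim() on the field value, so the check works where strings have no trim() method. `safeTrim`, `canSubmit` and `checkWithoutNativeTrim` are hypothetical helper names, and the jQuery wiring is shown only as a comment because it needs the login page's DOM.

```javascript
// Added example (not CAS code): decide whether the login form may be
// submitted without relying on String.prototype.trim().
// `var` is used throughout so the snippet also parses in old browsers.

// Whitespace set used by the common trim polyfill: \s plus BOM and NBSP,
// which some older regex engines leave out of \s.
var EDGE_WHITESPACE = /^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g;

// Trim any value; null/undefined (a field missing from the page) become "".
function safeTrim(value) {
  if (value === null || value === undefined) {
    return "";
  }
  return String(value).replace(EDGE_WHITESPACE, "");
}

// True only when both fields contain something other than whitespace.
// The values themselves are not modified, only inspected.
function canSubmit(username, password) {
  return safeTrim(username).length > 0 && safeTrim(password).length > 0;
}

// Self-check: reproduce the failing environment by hiding the native
// method, confirm the original call fails there and the helpers do not.
function checkWithoutNativeTrim() {
  var descriptor = Object.getOwnPropertyDescriptor(String.prototype, "trim");
  delete String.prototype.trim;
  try {
    var originalFails = false;
    try {
      "  user ".trim();
    } catch (e) {
      originalFails = true;
    }
    return originalFails &&
      canSubmit(" user ", "secret") &&
      !canSubmit("   ", "secret");
  } finally {
    // Always restore the native method, exactly as it was defined.
    Object.defineProperty(String.prototype, "trim", descriptor);
  }
}

// Wiring inside the page's "input" handler (needs jQuery and the #fm1 form):
//   var enableSubmission = canSubmit(
//       $('#fm1 input[name="username"]').val(),
//       $('#fm1 input[name="password"]').val());
```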


[cas-user] cas 5.1.x: webflow multiple endpoints (howto set multiple domain webflow?)

2017-09-05 Thread Josef S
Hi,

Is there a way to extend the webflow for more than one domain endpoint?
Is this (https://apereo.github.io/2016/10/07/webflow-extcfg/) the right 
document for a solution to handle it?


Thanks
Josef



[cas-user] CAS 4.x to 5.x: Migration xml to properties

2017-09-05 Thread Josef S
Hi,
in our company we use CAS 4.0 and want to update to CAS 5.x.
 
In WEB-INF in the development tree we have a lot of XML files like

web.xml
login-webflow.xml
cas-servlet.xml

My question is: 

Can I keep these XML config files, or do I have to translate/migrate them to 
properties files so that Spring Boot can autoconfigure it?
Then we can later migrate them step by step.
If not, is there a tutorial for migrating existing CAS projects 
with customizations to the new overlay technique?


Thanks a lot
Josef

 

  



[cas-user] Theme 'theme': No message found under code 'standard.custom.css.file' for locale 'en_US'

2017-08-24 Thread Nadeem S
Hi All,

I am new to CAS. We are implementing a new CAS SSO server for the BANNER upgrade.

We implemented CAS server cas-server-3.4.12 as instructed in the ELLUCIAN 
documents.

I am able to log in with the ADMIN user CASADMIN.

But when I try to access the further URL https://://services/manage.html

we face the two errors below: the first is an SSL handshake failure and the other is Theme 
'theme': No message found under code 'standard.custom.css.file' for locale 
'en_US'.

Any help to resolve the issue will save us a lot of time in completing our 
upgrade project.

Thanks & Regards,
Nadeem

2017-08-24 09:58:42,063 ERROR [org.jasig.cas.client.util.CommonUtils] - 

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:281)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:33)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:131)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:117)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
at org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:104)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
at 

[cas-user] Cas 5.x Active SSO Sessions Report

2017-08-22 Thread K S
Is CAS addons supported on version 5.x?
https://github.com/Unicon/cas-addons
I am trying to build the Active SSO Sessions Report for CAS version 5.x:
https://github.com/Unicon/cas-addons/wiki/Active-SSO-Sessions-Report

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/85780523-d85c-4d56-b7fb-d95650e3571c%40apereo.org.


[cas-user] Property for password change URL

2017-08-02 Thread Petr Gašparík - AMI Praha a . s .
Hi,
in CAS 4.2 there was this property:  
password.policy.url=https://password.example.edu/change

I believe that it points to the URL where the user is redirected when his/her 
password is about to expire or has expired.

*What is the name of this property in Apereo 5.1?*

Thank you!
Petr



Re: [cas-user] how to upgradation from CAS 3.5.2 to CAS 5.0.

2017-06-28 Thread Petr Gašparík - AMI Praha a . s .
It will hurt. Better reimplement it. A lot of changes...

--

Best regards,

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gaspa...@ami.cz

AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz

By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if
concluded, must be exclusively in written form.


2017-06-28 13:08 GMT+02:00 Ravi Sharma <abes.r...@gmail.com>:

> Hi Team
>
> working on JASIG CAS upgradation from *CAS 3.5.2* to *CAS 5.0*.
> Did not find any link for this, please provide help for this.
>
> regards
> ravi Prakash
>



Re: [cas-user] cas.sso.missingService and cas.sso.renewedAuthn

2017-06-22 Thread Petr Gašparík - AMI Praha a . s .
No, sorry. I was just hoping to look into log file for something that hit
me.



2017-06-21 14:48 GMT+02:00 atilling <atill...@conncoll.edu>:

> I'm not seeing any logged activity other than the normal service registry
> refreshes. Do you have a suggestion on a class that I should set to debug?
>
> I'm not the only one that has mentioned SSO not functioning:
> https://groups.google.com/a/apereo.org/forum/?utm_medium=email_source=footer#!searchin/cas-user/SSO/cas-user/_fLKyk3pIzc/Bu66dz_SAAAJ
>
> On Wednesday, June 21, 2017 at 2:55:20 AM UTC-4, Petr Gašparík - AMI Praha
> a.s. wrote:
>>
>> Hi,
>> what does the log file say?
>>
>> 2017-06-21 1:54 GMT+02:00 atilling <atil...@conncoll.edu>:
>>
>>> I did build from scratch using the maven overlay. Authentication is
>>> working fine but every application is requiring the user to sign in again.
>>>
>>> On Tuesday, June 20, 2017 at 2:03:18 PM UTC-4, Petr Gašparík - AMI Praha
>>> a.s. wrote:
>>>>
>>>> Hi, if you are upgrading from 3.5, be aware that a lot of things
>>>> have changed (for example, service JSON files are not the default option).
>>>>
>>>> GlobalSSO works out of the box, so try to configure the CAS server from
>>>> scratch in 5.1.
>>>>
>>>> 2017-06-20 14:55 GMT+02:00 atilling <atil...@conncoll.edu>:
>>>>
>>>>> Is there any documentation of the function of these two properties?
>>>>>
>>>>> I see that they exist from
>>>>> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#global-sso-behavior
>>>>> but there is no mention of function.
>>>>>
>>>>> I am attempting to deploy 5.1.0 and while I can get logins to work I
>>>>> can not get SSO to work.
>>>>>
>>>>> I have verified that the TGC cookie is working and being sent with
>>>>> correct domain, path and 2 hr lifespan same as we had in 3.5.3 and I have
>>>>> verified via service manager that all of our services have a check in
>>>>> enable SSO. However, for each cas enabled application the user is required
>>>>> to login again.
>>>>>
>>>>> Thank you for any help,
>>>>>
>>>>> -Andrew
>>>>>

Re: [cas-user] cas.sso.missingService and cas.sso.renewedAuthn

2017-06-21 Thread Petr Gašparík - AMI Praha a . s .
Hi,
what does the log file say?



2017-06-21 1:54 GMT+02:00 atilling <atill...@conncoll.edu>:

> I did build from scratch using the maven overlay. Authentication is
> working fine but every application is requiring the user to sign in again.
>
> On Tuesday, June 20, 2017 at 2:03:18 PM UTC-4, Petr Gašparík - AMI Praha
> a.s. wrote:
>>
>> Hi, if you are upgrading from 3.5, be aware that a lot of things
>> have changed (for example, service JSON files are not the default option).
>>
>> GlobalSSO works out of the box, so try to configure the CAS server from
>> scratch in 5.1.
>>
>>
>> 2017-06-20 14:55 GMT+02:00 atilling <atil...@conncoll.edu>:
>>
>>> Is there any documentation of the function of these two properties?
>>>
>>> I see that they exist from
>>> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#global-sso-behavior
>>> but there is no mention of function.
>>>
>>> I am attempting to deploy 5.1.0 and while I can get logins to work I can
>>> not get SSO to work.
>>>
>>> I have verified that the TGC cookie is working and being sent with
>>> correct domain, path and 2 hr lifespan same as we had in 3.5.3 and I have
>>> verified via service manager that all of our services have a check in
>>> enable SSO. However, for each cas enabled application the user is required
>>> to login again.
>>>
>>> Thank you for any help,
>>>
>>> -Andrew
>>>



Re: [cas-user] cas.sso.missingService and cas.sso.renewedAuthn

2017-06-20 Thread Petr Gašparík - AMI Praha a . s .
Hi, if you are upgrading from 3.5, be aware that a lot of things have
changed (for example, service JSON files are not the default option).

GlobalSSO works out of the box, so try to configure the CAS server from
scratch in 5.1.



2017-06-20 14:55 GMT+02:00 atilling <atill...@conncoll.edu>:

> Is there any documentation of the function of these two properties?
>
> I see that they exist from
> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#global-sso-behavior
> but there is no mention of function.
>
> I am attempting to deploy 5.1.0 and while I can get logins to work I can
> not get SSO to work.
>
> I have verified that the TGC cookie is working and being sent with correct
> domain, path and 2 hr lifespan same as we had in 3.5.3 and I have verified
> via service manager that all of our services have a check in enable SSO.
> However, for each cas enabled application the user is required to login
> again.
>
> Thank you for any help,
>
> -Andrew
>



Re: [cas-user] CAS 5 - SPNEGO with LDAP fallback

2017-06-20 Thread Petr Gašparík - AMI Praha a . s .
*Solved*. It was on the client side.

So, if you want to skip the login dialog, do this in every related zone (or
all: internet, intranet, trusted):

Custom level: User Authentication -> Logon -> Automatic logon with current
user name and password



2017-06-04 3:32 GMT+02:00 Colin Wilkinson <wilca...@gmail.com>:

> What we found is that Chrome does not have its own settings; it relies on
> the Internet Explorer settings.
>
> Internet Explorer, unlike Firefox, has three settings.
>
> Internet Explorer settings:
> 1. On and CAS server allowed.
> 2. On and CAS server not allowed. Note this is the default setting.
> 3. Turned off.
>
> The issue is with 2: rather than going to the login page, it brings up that box.
> If configured properly to be on or off, Internet Explorer works fine and so
> does Chrome.
>
> The only way we were able to overcome this problem was to have the main
> button go to the login page and have a link below the button that enables
> SPNEGO.
>



[cas-user] TGC Signing + Encryption in HA

2017-06-14 Thread Petr Gašparík - AMI Praha a . s .
Hi,
What is the best practice for the signing and encryption key in an HA environment (2 
CAS nodes behind a VIP router)?

No signing and encryption works OK, but what if we want more security?

Do we have to use the same encryption and signing? Does TGC work this way 
(there's a hostname in the TGC value)?

thanks!
Petr G.



[cas-user] cas 5 authentication throttling

2017-06-12 Thread K S


I am using the following settings to limit auth attempts. It does not seem to 
work as intended. After the first failed attempt I get the "YOU ARE NOT 
AUTHORIZED TO BE AUTHORIZED!" error on the second attempt.

Also, I am able to log in if I enter the right credential immediately on the third 
attempt.


cas.authn.throttle.usernameParameter=username
cas.authn.throttle.startDelay=1
cas.authn.throttle.repeatInterval=2
cas.authn.throttle.appcode=CAS

cas.authn.throttle.failure.threshold=5
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=30



[cas-user] Migrating CAS 4.1.2 to CAS 5.0

2017-06-08 Thread uvaraj s
Hi All,

Is there any documentation available which will help me to migrate from CAS 
4.1.2 to CAS 5.0?

Regards,
Uvaraj



Re: [cas-user] SPNEGO Configuration

2017-06-06 Thread Petr Gašparík - AMI Praha a . s .
Hi,
better *append* the whole log file.

P.



2017-06-05 18:19 GMT+02:00 Francesco Cirigliano <francesco...@gmail.com>:

> Hi all,
>
> I have a problem with SPNEGO Handler, using CAS 5.0.6,
>
> Below, I have reported the error and the main configurations for SPNEGO.
>
> *Any idea about issue and the way to debug it?*
>
> Thanks in advance
>
>
> 2017-06-05 17:58:35,299 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - 
> java.lang.NullPointerException
> at org.apereo.cas.support.spnego.authentication.handler.support.JcifsSpnegoAuthenticationHandler.doAuthentication(JcifsSpnegoAuthenticationHandler.java:50) ~[cas-server-support-spnego-5.0.6.jar:5.0.6]
> at org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:59) ~[cas-server-core-authentication-5.0.6.jar:5.0.6]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_60]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_60]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_60]
> at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_60]
> at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) ~[spring-aop-4.3.4.RELEASE.jar:4.3.4.RELEASE]
> at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) ~[spring-aop-4.3.4.RELEASE.jar:4.3.4.RELEASE]
> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.4.RELEASE.jar:4.3.4.RELEASE]
> at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133) ~[spring-aop-4.3.4.RELEASE.jar:4.3.4.RELEASE]
> at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121) ~[spring-aop-4.3.4.RELEASE.jar:4.3.4.RELEASE]
> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.4.RELEASE.jar:4.3.4.RELEASE]
> at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.4.RELEASE.jar:4.3.4.RELEASE]
> at com.sun.proxy.$Proxy79.authenticate(Unknown Source) ~[?:?]
> at org.apereo.cas.authentication.AbstractAuthenticationManager.authenticateAndResolvePrincipal(AbstractAuthenticationManager.java:209) ~[cas-server-core-authentication-5.0.6.jar:5.0.6]
> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.lambda$null$2(PolicyBasedAuthenticationManager.java:102) ~[cas-server-core-authentication-5.0.6.jar:5.0.6]
> at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90) ~[?:1.8.0_60]
> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_60]
> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1561) ~[?:1.8.0_60]
> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) ~[?:1.8.0_60]
> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) ~[?:1.8.0_60]
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) ~[?:1.8.0_60]
> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_60]
> at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230) ~[?:1.8.0_60]
> at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196) ~[?:1.8.0_60]
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_60]
> at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:449) ~[?:1.8.0_60]
> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.lambda$authenticateInternal$3(PolicyBasedAuthenticationManager.java:100) ~[cas-server-core-authentication-5.0.6.jar:5.0.6]
> at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90) ~[?:1.8.0_60]
> at java.util.

[cas-user] Salesforce as client to CAS

2017-05-18 Thread uvaraj s
Hi Team,
I am using CAS 4.1.2 for login, and currently we have Java and Python 
clients connecting to CAS for login. We have a system built on 
Salesforce which has to use CAS for login. Is there any documentation 
available to proceed further?

Regards,
Uvaraj S



Re: [cas-user] CAS 5.1.0-RC4 In-memory ticket registry still starting when using Hazelcast ticket registry

2017-05-01 Thread Matt S.
Sorry, I copied the wrong one.  Please see below.

*WARN [org.apereo.cas.config.CasCoreTicketsConfiguration] - *


On Monday, May 1, 2017 at 8:03:17 PM UTC-4, Misagh Moayyed wrote:
>
> This is quite simple. You are looking at the wrong log.
>
> The warning is warning you about service definitions and the service
> registry. Not tickets.
>
> --Misagh
>
> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of* Matt S.
> *Sent:* Monday, May 1, 2017 5:00 PM
> *To:* CAS Community <cas-...@apereo.org>
> *Subject:* [cas-user] CAS 5.1.0-RC4 In-memory ticket registry still starting when using Hazelcast ticket registry
>
> Hello,
>
> We're testing CAS 5.1.0-RC4 and noticed that the in-memory ticket registry
> still seems to be starting when we configure CAS to use the Hazelcast
> ticket registry.
>
> Configuration was done according to the documentation, linked here
> <https://apereo.github.io/cas/development/installation/Hazelcast-Ticket-Registry.html>
> by adding the dependency and configuring the properties in cas.properties.
>
> The following warning shows up in the logs even though the logs clearly
> show that an HZ ticket registry was setup prior to this point in the logs.
>
> *WARN [org.apereo.cas.config.CasCoreServicesConfiguration] -  memory is used as the persistence storage for retrieving and persisting 
> service definitions. Changes that are made to service definitions during 
> runtime WILL be LOST upon container restarts.>*
>
> ...which shows up after the following line:
>
> *INFO [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] -  up Hazelcast Ticket Registry instance 
> [HazelcastInstance{name='devcas5Tickets', node=[xx.xx.xx.xx]:5701}]>*
>
> It seems as if the bean called "ticketRegistry" that should be registered
> by HZ is either not being registered or recognized by the time CAS checks
> if it should load the default in-memory ticket registry.
>
> Please advise.
>
> Thanks,
>
> Matt
>



[cas-user] Re: CAS 5 Logout Shows Error in Logs but Browser Shows Logout Success

2017-04-21 Thread Matt S.
After reverting back to using the embedded Tomcat in CAS 5.0.4, this error 
still shows in the logs, so this seems to be an issue in CAS (pac4j) itself.

It seems to occur during ticket cleanup, such as after the TGT is destroyed 
for a user.

Has anyone else noticed this and is it something that we need to worry 
about, considering that the logout functionality seems to be working fine 
otherwise?



On Thursday, April 13, 2017 at 9:46:54 AM UTC-4, Matt S. wrote:
>
> Hi,
>
> When I access the CAS logout URL, the browser seems to show a successful 
> logout but the CAS log shows the following error:
>
> ERROR [org.pac4j.cas.client.direct.DirectCasClient] -  or validate CAS credentials>
> org.pac4j.core.exception.CredentialsException: POST requests not supported
>
> We're using an external Tomcat, not the embedded Tomcat, so I'm not sure 
> if this is related to the issue.
>
> Any suggestions?
>
> Thanks,
> Matt
>



[cas-user] Re: CAS 5 Logout Shows Error in Logs but Browser Shows Logout Success

2017-04-13 Thread Matt S.
Quick update.

This only seems to happen if I login, access the Admin web app 
(/cas/status/dashboard) and call /cas/logout.

If I just login and logout, there is no error.

Thanks,
Matt

On Thursday, April 13, 2017 at 9:46:54 AM UTC-4, Matt S. wrote:
>
> Hi,
>
> When I access the CAS logout URL, the browser seems to show a successful 
> logout but the CAS log shows the following error:
>
> ERROR [org.pac4j.cas.client.direct.DirectCasClient] -  or validate CAS credentials>
> org.pac4j.core.exception.CredentialsException: POST requests not supported
>
> We're using an external Tomcat, not the embedded Tomcat, so I'm not sure 
> if this is related to the issue.
>
> Any suggestions?
>
> Thanks,
> Matt
>



[cas-user] CAS 5 Logout Shows Error in Logs but Browser Shows Logout Success

2017-04-13 Thread Matt S.
Hi,

When I access the CAS logout URL, the browser seems to show a successful 
logout but the CAS log shows the following error:

ERROR [org.pac4j.cas.client.direct.DirectCasClient] - 
org.pac4j.core.exception.CredentialsException: POST requests not supported

We're using an external Tomcat, not the embedded Tomcat, so I'm not sure if 
this is related to the issue.

Any suggestions?

Thanks,
Matt



[cas-user] CAS 5 External Tomcat Asynchronous Requests Parameter in web.xml

2017-03-15 Thread Matt S.
Hello,

In the CAS 5 docs located at 
https://apereo.github.io/cas/5.0.x/installation/Configuring-Servlet-Container.html, 
it suggests to add "true" into the container web.xml file.

Does anyone know where in the web.xml file this should be added?

I'm currently using Tomcat 8.5.8.

Thanks,
Matt



[cas-user] How to Add OAuth Clients to CAS Server?

2017-02-09 Thread Alvaro S.
Hi, I'm trying to add some clients to my config, the documentation states 
this:

> Every OAuth client must be defined as a CAS service (notice the new 
> *clientId* and *clientSecret* properties, specific to OAuth)


And shows this json

{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "clientid",
  "clientSecret": "clientSecret",
  "bypassApprovalPrompt": false,
  "serviceId" : "^(https|imaps)://hello.*",
  "name" : "HTTPS and IMAPS",
  "id" : 1001 

}

But where do I have to put this?

I'm using a maven overlay 



[cas-user] Adding OAuth 2.0 support to 5.0.2

2017-02-08 Thread Alvaro S.
Hi, I have a working cas server but I want to add OAuth support, so I just 
added the dependencies as the manual states, but I'm getting the following 
error:


<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-oauth-webflow</artifactId>
  <version>${cas.version}</version>
</dependency>





Exception in thread "main" java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:50)
at org.springframework.boot.loader.WarLauncher.main(WarLauncher.java:59)
Caused by: org.springframework.beans.factory.BeanCreationException: *Error creating bean with name 'oauthConfiguration': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: 'clientIpAddress' cannot be null.*
Check the correctness of @Audit annotation at the following audit point: execution(public synchronized org.apereo.cas.services.RegisteredService org.apereo.cas.services.DefaultServicesManagerImpl.save(org.apereo.cas.services.RegisteredService))
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:137)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:408)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1575)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:754)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:866)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:315)
at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:134)
at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:61)
... 8 more
Caused by: java.lang.IllegalArgumentException: 'clientIpAddress' cannot be null.
Check the correctness of @Audit annotation at the following audit point: execution(public synchronized org.apereo.cas.services.RegisteredService org.apereo.cas.services.DefaultServicesManagerImpl.save(org.apereo.cas.services.RegisteredService))
at org.apereo.inspektr.audit.AuditActionContext.assertNotNull(AuditActionContext.java:80)
at org.apereo.inspektr.audit.AuditActionContext.(AuditActionContext.java:67)
at org.apereo.inspektr.audit.AuditTrailManagementAspect.executeAuditCode(AuditTrailManagementAspect.java:159)
at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:147)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:629)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:618)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168)
at 

[cas-user] Re: CAS DB Authentication “encode” password encryption can't match with database password encrypted using Spring Security's MD5

2017-02-06 Thread Alvaro S.
Ok, I'm pretty sure what the error is but I don't know how to solve it.

We are using md5 with salt this way

md5(password+salt)

How can I tell CAS that the salt is before the password?

Thanks

On Monday, 6 February 2017 12:54:13 UTC+1, Alvaro S. wrote:
>
> I am currently configuring my CAS Server v5.0.2 to use Database 
> Authentication, particularly using the Encode method, using the CAS 
> properties file. Below are the relevant property configurations from the 
> properties file:
>
> cas.server.name: https://cas.example.org:8443
> cas.server.prefix: https://cas.example.org:8443/cas
>
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
>
>
> logging.config: file:/etc/cas/config/log4j2.xml
> # cas.serviceRegistry.config.location: classpath:/services
>
>
> cas.authn.accept.users=
>
>
> cas.authn.jdbc.query[0].sql=SELECT password FROM UserSocial WHERE email=?
> cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM UserSocial
> # cas.authn.jdbc.query[0].isolateInternalQueries=false
> cas.authn.jdbc.query[0].url=jdbc:mysql://*.amazonaws.com:3306/feisbuk
> # cas.authn.jdbc.query[0].failFast=true
> # cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
> cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
> # cas.authn.jdbc.query[0].leakThreshold=10
> # cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
> # cas.authn.jdbc.query[0].batchSize=1
> cas.authn.jdbc.query[0].user=*
> # cas.authn.jdbc.query[0].ddlAuto=create-drop
> # cas.authn.jdbc.query[0].maxAgeDays=180
> cas.authn.jdbc.query[0].password=
> # cas.authn.jdbc.query[0].autocommit=false
> cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
> # cas.authn.jdbc.query[0].idleTimeout=5000
> # cas.authn.jdbc.query[0].credentialCriteria=
>
>
> cas.authn.jdbc.query[0].passwordEncoder.type=NONE
> cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
> cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
> cas.authn.jdbc.query[0].passwordEncoder.secret=lothlorien
> #cas.authn.jdbc.query[0].passwordEncoder.strength=16
>
>
> # cas.authn.jdbc.query[0].principalTransformation.suffix=
> cas.authn.jdbc.query[0].principalTransformation.caseConversion=NONE
> # cas.authn.jdbc.query[0].principalTransformation.prefix=
>
> The database I am connecting with is a MySQL. The passwords were 
> previously encoded using Spring Security's MD5 and a salt-source. I have 
> tested the CAS DB Authentication configuration by entering valid 
> credentials in the CAS Server's default login page, but authentication 
> always fails and returns "Invalid credentials." Additionally, it throws me 
> this error
> *Authentication has failed. Credentials may be incorrect or CAS cannot 
> find authentication handler that supports [alvaro.seg...@evoluciona.com] 
> of type [UsernamePasswordCredential], which suggests a configuration problem*
>
> This is part of spring security config:
>
> 
> 
> 
> 
> 
> 
> 
> 
>
> Right now I am looking for any approach on resolving this issue. I am 
> still relatively new to CAS, and I really appreciate the much needed help. 
> Thanks!
>



[cas-user] CAS DB Authentication “encode” password encryption can't match with database password encrypted using Spring Security's MD5

2017-02-06 Thread Alvaro S.
I am currently configuring my CAS Server v5.0.2 to use Database 
Authentication, particularly using the Encode method, using the CAS 
properties file. Below are the relevant property configurations from the 
properties file:

cas.server.name: https://cas.example.org:8443
cas.server.prefix: https://cas.example.org:8443/cas


cas.adminPagesSecurity.ip=127\.0\.0\.1


logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services


cas.authn.accept.users=


cas.authn.jdbc.query[0].sql=SELECT password FROM UserSocial WHERE email=?
cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM UserSocial
# cas.authn.jdbc.query[0].isolateInternalQueries=false
cas.authn.jdbc.query[0].url=jdbc:mysql://*.amazonaws.com:3306/feisbuk
# cas.authn.jdbc.query[0].failFast=true
# cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
# cas.authn.jdbc.query[0].leakThreshold=10
# cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
# cas.authn.jdbc.query[0].batchSize=1
cas.authn.jdbc.query[0].user=*
# cas.authn.jdbc.query[0].ddlAuto=create-drop
# cas.authn.jdbc.query[0].maxAgeDays=180
cas.authn.jdbc.query[0].password=
# cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
# cas.authn.jdbc.query[0].idleTimeout=5000
# cas.authn.jdbc.query[0].credentialCriteria=


cas.authn.jdbc.query[0].passwordEncoder.type=NONE
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
cas.authn.jdbc.query[0].passwordEncoder.secret=lothlorien
#cas.authn.jdbc.query[0].passwordEncoder.strength=16


# cas.authn.jdbc.query[0].principalTransformation.suffix=
cas.authn.jdbc.query[0].principalTransformation.caseConversion=NONE
# cas.authn.jdbc.query[0].principalTransformation.prefix=

The database I am connecting with is a MySQL. The passwords were previously 
encoded using Spring Security's MD5 and a salt-source. I have tested the 
CAS DB Authentication configuration by entering valid credentials in the 
CAS Server's default login page, but authentication always fails and returns 
"Invalid credentials." Additionally, it throws me this error
*Authentication has failed. Credentials may be incorrect or CAS cannot find 
authentication handler that supports [alvaro.seg...@evoluciona.com] of type 
[UsernamePasswordCredential], which suggests a configuration problem*

This is part of spring security config:










Right now I am looking for any approach on resolving this issue. I am still 
relatively new to CAS, and I really appreciate the much needed help. Thanks!
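
Added example, not part of the original post or of the CAS project: a check, run against a few test accounts whose passwords are known, that reports which password/salt layout the stored MD5 hashes actually use. It covers the md5(password+salt) layout mentioned in the follow-up and the password{salt} merge used by Spring Security's legacy Md5PasswordEncoder with a salt source. The accounts, passwords and salt are constructed sample data.

```python
import hashlib
import hmac
from collections import Counter

# Candidate ways a legacy application may combine password and salt before MD5.
# "password{salt}" is the merge format of Spring Security's legacy
# Md5PasswordEncoder when a salt source is configured.
LAYOUTS = {
    "md5(password)": lambda pw, salt: pw,
    "md5(password+salt)": lambda pw, salt: pw + salt,
    "md5(salt+password)": lambda pw, salt: salt + pw,
    "md5(password{salt})": lambda pw, salt: f"{pw}{{{salt}}}",
}


def md5_hex(text, encoding="utf-8"):
    """Hex MD5 of text after encoding it with the given character encoding."""
    return hashlib.md5(text.encode(encoding)).hexdigest()


def identify_layout(stored_hex, password, salt, encoding="utf-8"):
    """Return the names of all layouts whose digest equals the stored hash."""
    stored = stored_hex.strip().lower().encode("utf-8", "replace")
    if salt:
        candidates = LAYOUTS
    else:
        # With an empty salt every layout collapses into md5(password).
        candidates = {"md5(password)": LAYOUTS["md5(password)"]}
    matches = []
    for name, build in candidates.items():
        digest = md5_hex(build(password, salt), encoding).encode("ascii")
        if hmac.compare_digest(digest, stored):
            matches.append(name)
    return matches


def audit(rows, encoding="utf-8"):
    """Tally layouts over rows of (account, stored_hash, known_password, salt)."""
    tally = Counter()
    for _account, stored, password, salt in rows:
        matches = identify_layout(stored, password, salt, encoding)
        if len(matches) == 1:
            tally[matches[0]] += 1
        elif matches:
            tally["ambiguous"] += 1
        else:
            # Wrong password, different layout, or different character encoding.
            tally["no match"] += 1
    return dict(tally)


def constructed_rows():
    """Constructed sample data standing in for rows read from the user table."""
    salt = "constructed-salt"
    return [
        ("test1@example.org", md5_hex("Passw0rd-one{" + salt + "}"), "Passw0rd-one", salt),
        # Upper-case hex, as some databases store it.
        ("test2@example.org", md5_hex("Passw0rd-two{" + salt + "}").upper(), "Passw0rd-two", salt),
        # The known password is wrong for this row, so nothing should match.
        ("test3@example.org", md5_hex("Passw0rd-three"), "wrong-guess", salt),
    ]


if __name__ == "__main__":
    for layout, count in audit(constructed_rows()).items():
        print(f"{layout}: {count}")
```

A "no match" for an account whose password is certain points at a layout outside the list or at a character encoding other than the one passed in, which is the same thing the passwordEncoder.characterEncoding property has to agree with.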



[cas-user] Re: CAS 5.0.2 compilation and deployment

2017-02-02 Thread Alvaro S.
You are not the only one.

I'm very new to CAS and I can't even get the server to work a single 
time. The documentation needs more work. Can't mark any concrete article 
because it's everything. Starting for the new users

On Thursday, 26 January 2017 11:57:13 UTC+1, Jean-Michel Zigna wrote:
>
> Hello,
>
> I was quite familiar with a very old version of CAS and I'm trying to 
> update it to the last version.
>
> I downloaded cas-5.0.2.tar.gz, and compiled successfully CAS with the 
> dev-build-no-tests.sh 
> script (error during execution of a test for the dev-build.sh).
>
> The fact is that there are a lot of builds and libs folders including war and 
> jar files, and I'm a bit lost to identify clearly what I have to deploy in 
> the tomcat webapps.
>
> I started with the cas-server-webapp/build/libs/cas-server-webapp-5.0.2.war, 
> but it seems to be not sufficient because I can't find the cas.properties 
> configuration file for instance.
>
> Could you please tell me how to complete the installation/configuration to 
> connect to an LDAP?
>
> Thanks.
>
> Best regards.
>
> Jean-Michel
>  
>



[cas-user] Can't connect to mongo database using CAS 5.0.2

2017-02-02 Thread Alvaro S.
Hi, I've tried to connect to a mongodb, but I always get an *INVALID 
CREDENTIALS* message. But instead of getting me a stack error with what's 
happening, only shows this:

2017-02-01 17:25:27,809 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
trail record BEGIN
=
WHO: alvaro
WHAT: Supplied credentials: [alvaro]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Wed Feb 01 17:25:27 CET 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=


2017-02-01 17:25:27,830 ERROR 
[org.apereo.cas.web.flow.AuthenticationExceptionHandler] - <*Unable to 
translate handler errors of the authentication exception 
org.apereo.cas.authentication.AuthenticationException*: 0 errors, 0 
successes. Returning UNKNOWN by default...>




How can I change that message exception to a more useful error instead? I 
don't know if the problem is with the connection to mongo or something else.

Steps to reproduce:

- Downloaded MAVEN Overlay.
- Added properties to cas.properties
- run ./build.sh

Properties set:

cas.authn.mongo.mongoHostUri=mongodb://localhost:61954/cas
cas.authn.mongo.collectionName=users
cas.authn.mongo.attributes=attribute1,attribute2
cas.authn.mongo.username.attribute=username
cas.authn.mongo.password.attribute=password

I have enabled the debug mode on the log but nothing changes. Same error as 
before.

So I have two questions, how to change the error to be more "helpful" and 
why is it not working?

Any help will be appreciated. Thanks





[cas-user] searchLocation in overlay?

2017-01-31 Thread Petr Gašparík - AMI Praha a . s .
Hi,
is it possible to define searchLocation in overlay project?

...so I can change file:///etc/cas/config right in the build.

thanks!



[cas-user] Gateway = proxy?

2017-01-11 Thread Petr Gašparík - AMI Praha a . s .
Hi,
is the term gateway in Jasig wiki the same as proxy term in Apereo wiki?

I am looking for the man-in-the-middle scenario, where app does not 
communicate directly with the CAS server.

regards
Petr Gašparík



[cas-user] CAS 4.2.x multiple authentication handler

2017-01-04 Thread K S
Is it possible to define 2 auth handlers in CAS 4.2 (in my case LDAP and 
AD) with one being primary and the second one secondary? Right now I have 
both defined as primary and I am not sure how CAS orders them.



   








[cas-user] Authentication with certificate

2017-01-02 Thread Petr Gašparík - AMI Praha a . s .
Hi, 
has anyone successfully *authenticated a user with a certificate* in a 
non-interactive way?

Scenario: Service Provider handles CAS user certificate and CAS compares 
this certificate against LDAP/AD to find the matching user.

If so, what approach did you use? SAML 2 or something else? Could you spare 
configuration details?

thank you in advance,
Petr



[cas-user] CAS5 Shibboleth and MFA using duo

2016-12-29 Thread K S
Can CAS trigger MFA based on a certain Shibboleth relying party? Right now 
it's all or nothing for CAS Shib integration for MFA. The request is 
similar to this thread

https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/Eo7KQUn1EHk

Like CAS can display messages based on entityid SAML MDUI, I would like 
finer MFA support for the SHIB plugin

https://apereo.github.io/cas/5.0.x/integration/Shibboleth.html#displaying-saml-mdui



[cas-user] cas 5 hide main login and enable social login for a given service

2016-12-19 Thread K S
Can it be achieved using theme and service management JSON?



Re: [cas-user] CAS 4.1 - Routing logs to SysLog - is it possible

2016-12-08 Thread Petr Gašparík - AMI Praha a . s .
Martin,
is that applicable also to CAS 4.1? Do you have an experience with that?

thanks, Petr

--

Best regards

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gaspa...@ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz




2016-12-07 17:15 GMT+01:00 Lukas Paulus <lukaspau...@gmail.com>:

> Thank you.
>
> 2016-12-07 2:49 GMT+01:00 Martin Bohun <martin.bo...@gmail.com>:
>
>> https://apereo.github.io/cas/4.2.x/installation/Monitoring-Statistics.html#routing-logs-to-syslog
>>
>>
>>  *Martin Bohun* <https://plus.google.com/u/0/105600676538699036821>
>>
>> On Tue, Dec 6, 2016 at 11:43 PM, Lukas Paulus <lukaspau...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I searched in wiki and I have a question, is CAS 5.0 feature "Routing
>>> log to SysLog" also available in CAS 4.1.
>>> If yes, how can I configure it?
>>>
>>> Thanks
>>>
>>>
>>
>>
>
>



Re: [cas-user] Java versions client vs server

2016-12-07 Thread Petr Gašparík - AMI Praha a . s .
Thank you for your answer.

To rephrase my question, can I use the latest CAS 5.0 client on Java 6
machines?

--

Best regards,

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gaspa...@ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


By the text of this e-mail, the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s.
Any contract, if concluded, must be exclusively in written form.


2016-12-06 16:43 GMT+01:00 'Philippe MARASSE' via CAS Community <
cas-user@apereo.org>:

> Hello,
>
> TLS can cause troubles between Java 6 & Java 8 :
>   - DH parameters can not exceed 1024 bits,
>   - SNI is unavailable before Java 7
>   - Java 6 does not support TLS 1.1&1.2 but only SSLv3 and TLS 1.0
>
> Some of these issues can be worked around with bouncy castle security
> provider.
>
> Regards.
>
>
> On 06/12/2016 at 13:59, Petr Gašparík - AMI Praha a.s. wrote:
>
> Hi all,
> what is the dependence between Java version on CAS server and CAS client?
>
> For example, if I have installed CAS server 5.0 in Java EE 8 environment,
> and I want to connect Java client running in Java EE 6 environment, will it
> work?
> Or do I have to upgrade client env to Java 8 in first place?
>
> thank you in advance
> Petr G.
>
>
> --
> Philippe MARASSE
>
> Head of Infrastructure Unit - DSIO
> Centre Hospitalier Henri Laborit
> CS 10587 - 370 avenue Jacques Cœur
> 86021 Poitiers Cedex
> Tel : 05.49.44.57.19
>
>



[cas-user] Java versions client vs server

2016-12-06 Thread Petr Gašparík - AMI Praha a . s .
Hi all,
what is the dependence between Java version on CAS server and CAS client?

For example, if I have installed CAS server 5.0 in Java EE 8 environment, 
and I want to connect Java client running in Java EE 6 environment, will it 
work?
Or do I have to upgrade client env to Java 8 in first place?

thank you in advance
Petr G.



[cas-user] Logging events

2016-12-06 Thread Petr Gašparík - AMI Praha a . s .
Hi,
is there a list of events in log files? 

I searched wiki but I have found only some sample like 

WHO: org.jasig.cas.support.oauth.authentication.principal.OAuthCredentials@6cd7c975
WHAT: TGT-9-qj2jZKQUmu1gQvXNf7tXQOJPOtROvOuvYAxybhZiVrdZ6pCUwW-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Aug 26 12:35:59 IST 2013
CLIENT IP ADDRESS: 172.16.5.181
SERVER IP ADDRESS: 192.168.200.22



So, I am looking for possible values for ACTION 

thank you in advance
Petr Gašparík
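
Added example (not part of the original post and not CAS project code): one way to see which ACTION values a deployment actually emits is to parse the audit records and tally them, which also gives a simple per-client check for repeated failures. The first sample record is the one quoted in the post; the other two, including their AUTHENTICATION_FAILED action, WHO value and 203.0.113.7 address, are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Field labels exactly as they appear in the audit record quoted above.
FIELDS = ("WHO", "WHAT", "ACTION", "APPLICATION", "WHEN",
          "CLIENT IP ADDRESS", "SERVER IP ADDRESS")
FIELD_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(re.escape(f) for f in FIELDS))

def parse_audit_records(text):
    """Return one dict per audit record; every WHO: line opens a new record."""
    records, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            last = None  # a blank line or ==== rule ends any wrapped value
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.groups()
            if name == "WHO":
                current = {}
                records.append(current)
            if current is not None:
                current[name] = value
                last = name
        elif current is not None and last is not None:
            # Not a field label: treat as the wrapped remainder of the last value.
            current[last] = (current[last] + " " + line).strip()
    return records

def action_counts(records):
    """Distinct ACTION values seen in the log and how often each occurred."""
    return Counter(r["ACTION"] for r in records if "ACTION" in r)

def noisy_clients(records, action, threshold):
    """Client IPs that produced `action` at least `threshold` times."""
    hits = Counter(r.get("CLIENT IP ADDRESS") for r in records
                   if r.get("ACTION") == action)
    return sorted(ip for ip, n in hits.items() if ip and n >= threshold)

# Record 1 is the one from the post, with WHO wrapped onto the next line the way
# mail clients tend to wrap it. Records 2 and 3 are constructed sample data.
SAMPLE = """\
WHO:
org.jasig.cas.support.oauth.authentication.principal.OAuthCredentials@6cd7c975
WHAT: TGT-9-qj2jZKQUmu1gQvXNf7tXQOJPOtROvOuvYAxybhZiVrdZ6pCUwW-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Aug 26 12:35:59 IST 2013
CLIENT IP ADDRESS: 172.16.5.181
SERVER IP ADDRESS: 192.168.200.22
=============================================================
WHO: audit:unknown
ACTION: AUTHENTICATION_FAILED
CLIENT IP ADDRESS: 203.0.113.7
=============================================================
WHO: audit:unknown
ACTION: AUTHENTICATION_FAILED
CLIENT IP ADDRESS: 203.0.113.7
"""

if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE)
    print(dict(action_counts(recs)))
    print(noisy_clients(recs, "AUTHENTICATION_FAILED", threshold=2))
```

Run over a real audit file, `action_counts` lists every ACTION value that deployment has logged so far, so the set grows as more flows are exercised.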



[cas-user] Re: cas5 MFA for SAML2 SP

2016-11-17 Thread K S
I was able to trigger it using the Opt-In Request Parameter but is there a 
way to do it using entityID in SAML2 SP service registry JSON ?

On Thursday, November 17, 2016 at 11:17:59 AM UTC-6, K S wrote:
>
> Can MFA be triggered for a specific SAML2 SP inside the CAS service 
> registry? I am using the following JSON but it's not triggering the DUO login. 
> I am able to log in to the SP though.
>
> {
>   @class: org.apereo.cas.support.saml.services.SamlRegisteredService
>   serviceId: https://localhost:8443/spring-security-saml2-sample/saml/metadata
>   name: SAMLService
>   id: 1023
>   description: SAML Client Metadata
>   evaluationOrder: 10
>   logoutType: BACK_CHANNEL
>   attributeReleasePolicy:
>   {
>     @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>     principalAttributesRepository:
>     {
>       @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>       expiration: 2
>       timeUnit: HOURS
>     }
>     authorizedToReleaseCredentialPassword: false
>     authorizedToReleaseProxyGrantingTicket: false
>   }
>   multifactorPolicy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>     multifactorAuthenticationProviders:
>     [
>       java.util.HashSet
>       [
>         mfa-duo
>       ]
>     ]
>     failureMode: CLOSED
>     principalAttributeNameTrigger: eduPersonAffiliation
>     principalAttributeValueToMatch: alum
>   }
>   accessStrategy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
>     enabled: true
>     ssoEnabled: true
>     requireAllAttributes: true
>     caseInsensitive: false
>   }
>   metadataLocation: /home/cas/spring-security-saml.xml
>   metadataMaxValidity: 0
>   signAssertions: false
>   signResponses: true
>   encryptAssertions: false
>   metadataCriteriaRoles: SPSSODescriptor
>   metadataCriteriaRemoveEmptyEntitiesDescriptors: true
>   metadataCriteriaRemoveRolelessEntityDescriptors: true
> }
>
>
>



[cas-user] cas5 MFA for SAML2 SP

2016-11-17 Thread K S
Can MFA be triggered for a specific SAML2 SP inside the CAS service 
registry? I am using the following JSON but it's not triggering the DUO login. 
I am able to log in to the SP though.

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://localhost:8443/spring-security-saml2-sample/saml/metadata
  name: SAMLService
  id: 1023
  description: SAML Client Metadata
  evaluationOrder: 10
  logoutType: BACK_CHANNEL
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      expiration: 2
      timeUnit: HOURS
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
  }
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        mfa-duo
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: eduPersonAffiliation
    principalAttributeValueToMatch: alum
  }
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    enabled: true
    ssoEnabled: true
    requireAllAttributes: true
    caseInsensitive: false
  }
  metadataLocation: /home/cas/spring-security-saml.xml
  metadataMaxValidity: 0
  signAssertions: false
  signResponses: true
  encryptAssertions: false
  metadataCriteriaRoles: SPSSODescriptor
  metadataCriteriaRemoveEmptyEntitiesDescriptors: true
  metadataCriteriaRemoveRolelessEntityDescriptors: true
}




[cas-user] Disable Multiple logins

2016-11-16 Thread uvaraj s
Hi, 

  Is there a way in CAS to prevent multiple logins from the same account 
(same userid)? When the same account logs in, the first login should get 
invalidated automatically. We have CAS acting as the authentication 
provider and user MySQL database.

Regards,
Uvaraj S



[cas-user] CAS5 Delegate Authentication for linkedin using pac4j

2016-11-01 Thread K S
I don't see LinkedIn delegated auth properties in the CAS5 documentation. I am 
using these, but it does not create the login link when CAS comes up.

cas.authn.pac4j.linkedin.id=
cas.authn.pac4j.linkedin.secret=
cas.authn.pac4j.linkedin.scope=


 



[cas-user] turn off delegated social login for few services

2016-10-11 Thread K S
Is it possible to turn off delegated social login for a given service? The 
other use case I have is to only allow social login and not LDAP / main login.



Re: [cas-user] CAS 4x and gssapi

2016-05-19 Thread Petr Gašparík - AMI Praha a . s .
I don't think so. If it is not here: https://apereo.github.io/cas/4.2.x/
it is not anywhere.

--

Best regards,

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gaspa...@ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


By the text of this e-mail, the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s.
Any contract, if concluded, must be exclusively in written form.


2016-05-19 15:13 GMT+02:00 Christophe Ségui <
christophe.se...@math.univ-toulouse.fr>:

> Hi list,
>
> Is there something like
> https://wiki.jasig.org/pages/viewpage.action?pageId=10650669 for CAS 4x ?
>
> Thanks,
> --
> --
>
>
> *Christophe Ségui*
> *IT Manager*
>
> Institut de Mathématiques de Toulouse
> Université de Toulouse - CNRS
> 118 Route de Narbonne
> 31062 Toulouse Cedex 09
>
> Tel : (+33) 5 61 55 63 78
> christophe.se...@math.univ-toulouse.fr
> http://www.math.univ-toulouse.fr
>
>


