[cas-user] Use of # in service URL

2021-02-18 Thread Shawn Cutting

Good Day,
I am running into an issue with a service URL that includes a "#"... 
example like this:
https://service-site.com/#/login-page
The issue is that after CAS authenticates, it is returning the URL of:
https://service-site.com/?ticket=ST-370468-randomticketstuff#/login-page
(note the #/login-page at the end of the ST info).  How can I get CAS to 
return back to the original URL?

Thanks for your insight.
Shawn

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/31900d1e-34e4-4219-93b5-087e97d5653fn%40apereo.org.
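An added worked example, mine rather than anything from Shawn's post or from CAS itself: it rebuilds both halves of the round trip described above with Python's urllib, to show why the ticket lands ahead of the fragment (the service URL reached CAS with its '#' percent-encoded inside the `service` parameter, and on redirect CAS puts the ticket in the query component, where RFC 3986 places it, leaving the fragment last) and what a hash-routed front end should extract from the returned URL. The CAS base URL https://cas.example.edu/cas is a placeholder, and the ticket hand-off to a back end is an assumption about how the app is built.

```python
# Added example; not code from the post or from the CAS project.
# Placeholder CAS base: https://cas.example.edu/cas. The service URL is the
# one from the post: https://service-site.com/#/login-page
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Shape of CAS service and proxy tickets (ST-/PT- prefix, then the generated id).
TICKET_PATTERN = re.compile(r"^(ST|PT)-[A-Za-z0-9._-]+$")


def build_login_url(cas_base, service):
    """Redirect the browser to CAS /login with the service URL as a parameter.

    quote(..., safe='') encodes '#' as '%23', which is the only reason CAS
    ever learns about '/login-page': a bare '#' would end the query string
    in the browser and the fragment would never leave the client.
    """
    return f"{cas_base}/login?service={quote(service, safe='')}"


def append_ticket(service, ticket):
    """Reproduce what CAS does after authentication: insert the ticket into
    the query component and leave the fragment last (RFC 3986 ordering)."""
    parts = urlsplit(service)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("ticket", ticket))
    return urlunsplit(parts._replace(query=urlencode(query)))


def split_callback(callback_url):
    """Front-end side of the round trip.

    Returns (ticket, clean_url, malformed). clean_url is the callback URL with
    the ticket removed and the fragment intact: it belongs back in the address
    bar once the ticket is validated and, assuming the app sent that same URL
    as `service`, it is what the back end presents to CAS during validation.
    A value that does not look like a CAS ticket (or a repeated ticket
    parameter) is reported as malformed instead of being forwarded.
    """
    parts = urlsplit(callback_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tickets = [v for k, v in query if k == "ticket"]
    rest = [(k, v) for k, v in query if k != "ticket"]
    clean_url = urlunsplit(parts._replace(query=urlencode(rest)))
    if not tickets:
        return None, clean_url, False
    ticket = tickets[0]
    if len(tickets) > 1 or not TICKET_PATTERN.match(ticket):
        return None, clean_url, True
    return ticket, clean_url, False


if __name__ == "__main__":
    service = "https://service-site.com/#/login-page"
    print(build_login_url("https://cas.example.edu/cas", service))
    returned = append_ticket(service, "ST-370468-randomticketstuff")
    print(returned)  # ticket in the query, fragment still last
    print(split_callback(returned))
```

In a browser the front end passes the extracted ticket to its back end for validation and then swaps `clean_url` into the address bar (history.replaceState) so a reload or a shared link does not replay a used ticket; the #/login-page route survives untouched.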


[cas-user] Re: CAS V5.3 with Zoom SSO???

2020-05-15 Thread Shawn Cutting
We are using pure SAML with Zoom, and it was not the easiest thing to setup, 
but it is working. What have you tried thus far?

On Tuesday, May 12, 2020 at 5:37:03 PM UTC-4, Keith Alston (Staff) wrote:
>
> Anyone set up Zoom SSO with CAS?? Any pointers/tips??
>
>  
>
> -Keith Alston
>
> kei...@regent.edu 
>
> Regent University
>
> 757-619-3421
>
>  
>



[cas-user] Re: MFA Trusted Devices and Public Machines

2020-05-05 Thread Shawn Cutting
Thanks gentlemen for your input. I wanted to point out that I made a 
mistake with the CAS property... it should have been 
cas.authn.mfa.trusted.deviceRegistrationEnabled=true (CAS 5.3.14)

Ray, I was looking into the ver 5.3 notes regarding the webflow 
customization, but I am not familiar at all with how to write Java or 
incorporate extensions to the system, so unfortunately I can't use this... 
but thanks!

Hayden, I was beginning to go down the javascript path to try and "trick" 
the system into not recording the device in a similar way as you are 
describing, but with version 5.3, even if I leave the name blank, the 
system defaults to giving the device a name (it basically looks like a line 
that would normally go into an http access log, with the timestamp, the 
device information, etc).  I was trying to figure out the timing of the 
webflow to see if I could intercept the information before it went to the 
database (I am using a MySQL database to store this info) but have not been 
able to do so.  Would you be willing to give me your javascript to see if I 
can engineer something for our setup?  I really think that there is just 
one little thing that is keeping me from progressing.

Thanks again, gents!

Shawn

On Monday, May 4, 2020 at 1:06:36 PM UTC-4, Shawn Cutting wrote:
>
> Good Day,
>
> I am trying to get one last piece of our CAS 5.3 MFA setup and I am 
> hitting a roadblock.  I have cas.authn.mfa.gauth.trustedDeviceEnabled=true, 
> and everything works as it should (I am writing MFA info to a MySQL 
> database) when it asks for a device name.  The issue is that I want to make 
> it so that a user can choose to NOT remember the device, as if using a 
> public computer (which we do discourage when logging in).  Is there a way 
> to programmatically bypass the device naming screen if a user checks a box 
> asking to do so?  I can manipulate the MFA Google Authenticator code page 
> to add the checkbox.
> Any suggestions would be fabulous!
>
> Thanks in advance,
>
> Shawn
>



[cas-user] MFA Trusted Devices and Public Machines

2020-05-04 Thread Shawn Cutting
Good Day,

I am trying to get one last piece of our CAS 5.3 MFA setup and I am hitting 
a roadblock.  I have cas.authn.mfa.gauth.trustedDeviceEnabled=true, and 
everything works as it should (I am writing MFA info to a MySQL database) 
when it asks for a device name.  The issue is that I want to make it so 
that a user can choose to NOT remember the device, as if using a public 
computer (which we do discourage when logging in).  Is there a way to 
programmatically bypass the device naming screen if a user checks a box 
asking to do so?  I can manipulate the MFA Google Authenticator code page 
to add the checkbox.
Any suggestions would be fabulous!

Thanks in advance,

Shawn



[cas-user] Re: Service Registry in MongoDB (with replication)

2019-11-14 Thread Shawn Cutting
I figured out the problem (several factors):
1. I changed the pom.xml file so that the cas version matched what I was 
using (it was 5.3.5, but I made it 5.3.14) -> Can't do that apparently.
2. I was not properly deleting the cas-management folder from the 
tomcat/webapps, and the updated jars created by the pom build were getting 
added to the webapps folder.

Once I set everything back to the original, and deleted the appropriate 
folder, it came up.  Ugh!
Thanks for your help!

Shawn

On Thursday, November 14, 2019 at 10:53:56 AM UTC-5, Shawn Cutting wrote:
>
> Good morning,
>
> I am at a total loss here about how to get CAS services to load from (and 
> to) MongoDB.  Following the instructions on David Curry's site 
> <https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_overview.html> 
> (very well written, by the way), I have the mongodb server running and 
> replicating across 3 servers.  I am also able to successfully 
> auto-initialize the database with the JSON files.  I verify this by opening 
> mongodb and searching the collection "casServiceRegistry."
>
> *CAS version 5.3.14*, by the way.
>
> When I start the tomcat server and watch the debug logs, I see that CAS is 
> loading the entry from the database:
>
> - snippet -
> 2019-11-13 16:24:22,706 DEBUG 
> [org.apereo.cas.services.AbstractServicesManager] -  [org.apereo.cas.services.ChainingServiceRegistry@3971e14f]>
> 2019-11-13 16:24:22,728 DEBUG 
> [org.apereo.cas.services.AbstractServicesManager] -  service [http(|s)://cas(|.*).messiah.edu(|.*)/cas-management(|/.*)]>
> 2019-11-13 16:24:22,729 INFO 
> [org.apereo.cas.services.AbstractServicesManager] -  from [MongoDbServiceRegistry].>
>
>
> Here is where it gets weird: when I load the management app, I see one 
> service entry that does NOT match the one loaded on startup.  I should also 
> note that I have the ticket registry replicated on the same MongoDB server 
> and it works perfectly.
>
> That's the short story, here are the details (these settings match on all 
> 3 servers "*cas-ha01, cas-ha02, cas-ha03*":
>
> -- cas.properties: --
> cas.server.name=https://cas-ha.messiah.edu
> cas.server.prefix=${cas.server.name}/cas
> cas.view.templatePrefixes[0]=file:///etc/cas/templates
> cas.logout.followServiceRedirects=true
> logging.config=file:/etc/cas/config/log4j2.xml
>
> mongo.db=casdb
> mongo.rs=rs0
> mongo.opts==true
> mongo.creds=mongocas:**
> mongo.hosts=cas-ha01.messiah.edu,cas-ha02.messiah.edu,cas-ha03.messiah.edu
> # The connection string, assembled
> mongo.uri=mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${
> mongo.rs}${mongo.opts}
>
> ### Remove default/local users (must be left blank) ###
> cas.authn.accept.users=
>
> ### Service Registry Setup ###
> #cas.serviceRegistry.json.location=file:/etc/cas/services
> #cas.serviceRegistry.initFromJson=true
> cas.serviceRegistry.mongo.databaseName=${mongo.db}
> cas.serviceRegistry.mongo.clientUri=${mongo.uri}
> cas.serviceRegistry.mongo.collection=casServiceRegistry
> cas.serviceRegistry.mongo.replicaSet=${mongo.rs}
> cas.serviceRegistry.mongo.sslEnabled=true
> cas.ticket.registry.mongo.clientUri=${mongo.uri}
>
>
> -- management.properties: --
> cas.server.name=https://cas-ha.messiah.edu
> cas.server.prefix=${cas.server.name}/cas
> mgmt.serverName=${cas.server.name}
> mgmt.userPropertiesFile=file:/etc/cas/config/adminusers.properties
>
> mongo.db=casdb
> mongo.rs=rs0
> mongo.opts==true
> mongo.creds=mongocas:**
> mongo.hosts=cas-ha01.messiah.edu,cas-ha02.messiah.edu,cas-ha03.messiah.edu
> # The connection string, assembled
> mongo.uri=mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${
> mongo.rs}${mongo.opts}
>
> ### Service Registry Setup ###
> #cas.serviceRegistry.json.location=file:/etc/cas/services
> cas.serviceRegistry.mongo.clientUri=${mongo.uri}
> cas.serviceRegistry.mongo.collection=casServiceRegistry
>
> -- pom.xml (cas server, dependencies): --
> ...
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-webapp${app.server}</artifactId>
> <version>${cas.version}</version>
> <type>war</type>
> <scope>runtime</scope>
> </dependency>
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-support-ldap</artifactId>
> <version>${cas.version}</version>
> </dependency>
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-support-ldap-core</artifactId>
> <version>${cas.version}</version>
> </dependency>
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-webapp-config-security</artifactId>
> <version>${cas.version}</version>
> </dependency>
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-support-interrupt-core</artifactId>
> <version>${cas.version}</version>
> </dependency>
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-support-interrupt-api</artifactId>
> <version>${cas.version}</version>
> </dependency>
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-support-interrupt-webflow</artifactId>
> <version>${cas.version}</version>
> </dependency>

Re: [cas-user] Service Registry in MongoDB (with replication)

2019-11-14 Thread Shawn Cutting
Sorry.. it's this error:

Caused by: java.lang.IllegalArgumentException: More than one fragment with 
the name [log4j] was found. This is not legal with relative ordering. See 
section 8.2.2 2c of the Servlet specification for details. Consider using 
absolute ordering.



On Thursday, November 14, 2019 at 4:10:46 PM UTC-5, Shawn Cutting wrote:
>
> I watched the catalina log and found this error when the management app 
> was loading:
>
> java.lang.IllegalStateException: ContainerBase.addChild: start: 
> org.apache.catalina.LifecycleException: Failed to start component 
> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]
>
> Thoughts?
>
> On Thursday, November 14, 2019 at 3:06:26 PM UTC-5, Shawn Cutting wrote:
>>
>> No, I don't.  Every time I try to add it to the management pom, it will 
>> not start with Tomcat.  Is there another dependency that I need or a config 
>> setting that keeps it from loading?  I can't seem to locate the log that 
>> the cas-management app should be creating to see why it is not loading.  
>> All I have is what shows on the Tomcat manager page:
>>
>> FAIL - Application at context path [/cas-management] could not be started
>> FAIL - Encountered exception [org.apache.catalina.LifecycleException: Failed 
>> to start component 
>> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]]
>>
>>
>>
>> On Thursday, November 14, 2019 at 12:24:21 PM UTC-5, David Curry wrote:
>>>
>>> Do you have the   cas-server-support-mongo-service-registry  
>>>  dependency in the cas-management pom.xml as well as the cas server 
>>> pom.xml? I didn't see it in the excerpt you provided.
>>>
>>> --Dave
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 646 909-4728 • david...@newschool.edu
>>>
>>>
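An added diagnostic, my code rather than anything from the thread or the CAS project, for the "More than one fragment with the name [log4j]" failure quoted above: Tomcat raises it when two jars under WEB-INF/lib each ship a META-INF/web-fragment.xml declaring the same fragment name, which is exactly what a stale jar left in the exploded tomcat/webapps/cas-management directory from an earlier build produces (the situation described in the resolution further up the thread). The scanner lists the jars behind each duplicated name for a .war file or an exploded webapp directory; the sample WAR it builds is constructed for the demo, with placeholder jar names.

```python
# Added example; not code from the thread or from the CAS project.
# Scans a .war or an exploded webapp for jars whose META-INF/web-fragment.xml
# declare the same <name>, the condition behind Tomcat's "More than one
# fragment with the name [log4j]" failure. Sample WAR contents are constructed.
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict

FRAGMENT_PATH = "META-INF/web-fragment.xml"


def fragment_name(xml_bytes):
    """Return the <name> declared in a web-fragment.xml, or None."""
    root = ET.fromstring(xml_bytes)
    for child in root:
        # Drop the namespace: {http://xmlns.jcp.org/xml/ns/javaee}name -> name
        if child.tag.split("}")[-1] == "name":
            return (child.text or "").strip() or None
    return None


def jar_fragment_name(jar_bytes):
    """Return the fragment name a jar declares, or None if it has no fragment."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if FRAGMENT_PATH in jar.namelist():
            return fragment_name(jar.read(FRAGMENT_PATH))
    return None


def duplicate_fragments(webapp):
    """Map fragment name -> jar paths for every name declared by two or more jars."""
    seen = defaultdict(list)
    if os.path.isdir(webapp):  # exploded webapp, e.g. tomcat/webapps/cas-management
        lib = os.path.join(webapp, "WEB-INF", "lib")
        entries = sorted(os.listdir(lib)) if os.path.isdir(lib) else []
        for entry in entries:
            if entry.endswith(".jar"):
                path = os.path.join(lib, entry)
                with open(path, "rb") as fh:
                    name = jar_fragment_name(fh.read())
                if name:
                    seen[name].append(path)
    else:  # packaged .war
        with zipfile.ZipFile(webapp) as war:
            for entry in sorted(war.namelist()):
                if entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                    name = jar_fragment_name(war.read(entry))
                    if name:
                        seen[name].append(entry)
    return {name: paths for name, paths in seen.items() if len(paths) > 1}


def make_jar(fragment_xml=None):
    """Build a minimal jar in memory (constructed sample, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if fragment_xml is not None:
            jar.writestr(FRAGMENT_PATH, fragment_xml)
    return buf.getvalue()


def fragment_xml(name):
    """Minimal Servlet 3.1 web-fragment.xml declaring one fragment name."""
    return (
        '<web-fragment xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
        f"<name>{name}</name></web-fragment>"
    )


def build_sample_war(path):
    """Write a constructed WAR reproducing the error: two jars both named 'log4j'.

    Jar file names are placeholders: NEW = current build, OLD = stale leftover.
    """
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-web-NEW.jar", make_jar(fragment_xml("log4j")))
        war.writestr("WEB-INF/lib/log4j-web-OLD.jar", make_jar(fragment_xml("log4j")))
        war.writestr("WEB-INF/lib/other-lib.jar", make_jar(fragment_xml("other")))
        war.writestr("WEB-INF/lib/plain.jar", make_jar())  # no fragment at all
    return path


def demo():
    """Build the sample WAR in a temp file, scan it, clean up, return findings."""
    fd, path = tempfile.mkstemp(suffix=".war")
    os.close(fd)
    try:
        build_sample_war(path)
        return duplicate_fragments(path)
    finally:
        os.unlink(path)
```

Call demo() to see the constructed case reported as {'log4j': [...two jars...]}, or duplicate_fragments("/path/to/tomcat/webapps/cas-management") against a real deployment; an empty result means the exploded directory is clean.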

Re: [cas-user] Service Registry in MongoDB (with replication)

2019-11-14 Thread Shawn Cutting
I watched the catalina log and found this error when the management app was 
loading:

java.lang.IllegalStateException: ContainerBase.addChild: start: 
org.apache.catalina.LifecycleException: Failed to start component 
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]

Thoughts?

On Thursday, November 14, 2019 at 3:06:26 PM UTC-5, Shawn Cutting wrote:
>
> No, I don't.  Every time I try to add it to the management pom, it will 
> not start with Tomcat.  Is there another dependency that I need or a config 
> setting that keeps it from loading?  I can't seem to locate the log that 
> the cas-management app should be creating to see why it is not loading.  
> All I have is what shows on the Tomcat manager page:
>
> FAIL - Application at context path [/cas-management] could not be started
> FAIL - Encountered exception [org.apache.catalina.LifecycleException: Failed 
> to start component 
> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]]
>
>
>
> On Thursday, November 14, 2019 at 12:24:21 PM UTC-5, David Curry wrote:
>>
>> Do you have the   cas-server-support-mongo-service-registry   dependency 
>> in the cas-management pom.xml as well as the cas server pom.xml? I didn't 
>> see it in the excerpt you provided.
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>

Re: [cas-user] Service Registry in MongoDB (with replication)

2019-11-14 Thread Shawn Cutting
No, I don't.  Every time I try to add it to the management pom, it will not 
start with Tomcat.  Is there another dependency that I need or a config 
setting that keeps it from loading?  I can't seem to locate the log that 
the cas-management app should be creating to see why it is not loading.  
All I have is what shows on the Tomcat manager page:

FAIL - Application at context path [/cas-management] could not be started
FAIL - Encountered exception [org.apache.catalina.LifecycleException: Failed to 
start component 
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]]



On Thursday, November 14, 2019 at 12:24:21 PM UTC-5, David Curry wrote:
>
> Do you have the   cas-server-support-mongo-service-registry   dependency 
> in the cas-management pom.xml as well as the cas server pom.xml? I didn't 
> see it in the excerpt you provided.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david...@newschool.edu 
>
>

[cas-user] Re: Service Registry in MongoDB (with replication)

2019-11-14 Thread Shawn Cutting
Update:

I found something else out in trying to get this working.  If I *manually* 
add a service to MongoDB, I am able to access that service via CAS (this 
was verified by deleting the record and subsequently getting the 
"Application not allowed" message, re-adding it and being allowed again).

So it seems that the issue is with the management application, not the CAS 
server.  I need to be able to manage the MongoDB records with the service 
application, and that is not possible for some reason.

Thanks in advance for any help.

Shawn



[cas-user] Re: Service Registry in MongoDB (with replication)

2019-11-14 Thread Shawn Cutting
Update:

I found something else out in trying to get this working.  If I *manually* 
add a service to MongoDB, I am able to access that service via CAS (this 
was verified by deleting the record and subsequently getting the 
"Application not allowed" message, re-adding it and being allowed again).

So it seems that the issue is with the management application, not the CAS 
server.  I need to be able to manage the MongoDB records with the service 
application, and that is not possible for some reason.

Thanks in advance for any help.

Shawn


On Thursday, November 14, 2019 at 10:53:56 AM UTC-5, Shawn Cutting wrote:
>
> Good morning,
>
> I am at a total loss here about how to get CAS services to load from (and 
> to) MongoDB.  Following the instructions on David Curry's site 
> <https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_overview.html> 
> (very well written, by the way), I have the mongodb server running and 
> replicating across 3 servers.  I am also able to successfully 
> auto-initialize the database with the JSON files.  I verify this by opening 
> mongodb and searching the collection "casServiceRegistry."
>
> *CAS version 5.3.14*, by the way.
>
> When I start the tomcat server and watch the debug logs, I see that CAS is 
> loading the entry from the database:
>
> - snippet -
> 2019-11-13 16:24:22,706 DEBUG 
> [org.apereo.cas.services.AbstractServicesManager] -  [org.apereo.cas.services.ChainingServiceRegistry@3971e14f]>
> 2019-11-13 16:24:22,728 DEBUG 
> [org.apereo.cas.services.AbstractServicesManager] -  service [http(|s)://cas(|.*).messiah.edu(|.*)/cas-management(|/.*)]>
> 2019-11-13 16:24:22,729 INFO 
> [org.apereo.cas.services.AbstractServicesManager] -  from [MongoDbServiceRegistry].>
>
>
> Here is where it gets weird: when I load the management app, I see one 
> service entry that does NOT match the one loaded on startup.  I should also 
> note that I have the ticket registry replicated on the same MongoDB server 
> and it works perfectly.
>
> That's the short story, here are the details (these settings match on all 
> 3 servers "*cas-ha01, cas-ha02, cas-ha03*":
>
> -- cas.properties: --
> cas.server.name=https://cas-ha.messiah.edu
> cas.server.prefix=${cas.server.name}/cas
> cas.view.templatePrefixes[0]=file:///etc/cas/templates
> cas.logout.followServiceRedirects=true
> logging.config=file:/etc/cas/config/log4j2.xml
>
> mongo.db=casdb
> mongo.rs=rs0
> mongo.opts==true
> mongo.creds=mongocas:**
> mongo.hosts=cas-ha01.messiah.edu,cas-ha02.messiah.edu,cas-ha03.messiah.edu
> # The connection string, assembled
> mongo.uri=mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${
> mongo.rs}${mongo.opts}
>
> ### Remove default/local users (must be left blank) ###
> cas.authn.accept.users=
>
> ### Service Registry Setup ###
> #cas.serviceRegistry.json.location=file:/etc/cas/services
> #cas.serviceRegistry.initFromJson=true
> cas.serviceRegistry.mongo.databaseName=${mongo.db}
> cas.serviceRegistry.mongo.clientUri=${mongo.uri}
> cas.serviceRegistry.mongo.collection=casServiceRegistry
> cas.serviceRegistry.mongo.replicaSet=${mongo.rs}
> cas.serviceRegistry.mongo.sslEnabled=true
> cas.ticket.registry.mongo.clientUri=${mongo.uri}
>
>
> -- management.properties: --
> cas.server.name=https://cas-ha.messiah.edu
> cas.server.prefix=${cas.server.name}/cas
> mgmt.serverName=${cas.server.name}
> mgmt.userPropertiesFile=file:/etc/cas/config/adminusers.properties
>
> mongo.db=casdb
> mongo.rs=rs0
> mongo.opts==true
> mongo.creds=mongocas:**
> mongo.hosts=cas-ha01.messiah.edu,cas-ha02.messiah.edu,cas-ha03.messiah.edu
> # The connection string, assembled
> mongo.uri=mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${
> mongo.rs}${mongo.opts}
>
> ### Service Registry Setup ###
> #cas.serviceRegistry.json.location=file:/etc/cas/services
> cas.serviceRegistry.mongo.clientUri=${mongo.uri}
> cas.serviceRegistry.mongo.collection=casServiceRegistry
>
> -- pom.xml (cas server, dependencies): --
> ...
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-webapp${app.server}</artifactId>
>     <version>${cas.version}</version>
>     <type>war</type>
>     <scope>runtime</scope>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-ldap</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-ldap-core</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-webapp-config-security</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-interrupt-core</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-interrupt-api</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
> cas-server-supp

[cas-user] Service Registry in MongoDB (with replication)

2019-11-14 Thread Shawn Cutting
Good morning,

I am at a total loss here about how to get CAS services to load from (and 
to) MongoDB.  Following the instructions on David Curry's site 
 
(very well written, by the way), I have the mongodb server running and 
replicating across 3 servers.  I am also able to successfully 
auto-initialize the database with the JSON files.  I verify this by opening 
mongodb and searching the collection "casServiceRegistry."

*CAS version 5.3.14*, by the way.

When I start the tomcat server and watch the debug logs, I see that CAS is 
loading the entry from the database:

- snippet -
2019-11-13 16:24:22,706 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 
2019-11-13 16:24:22,728 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 
2019-11-13 16:24:22,729 INFO 
[org.apereo.cas.services.AbstractServicesManager] - 


Here is where it gets weird: when I load the management app, I see one 
service entry that does NOT match the one loaded on startup.  I should also 
note that I have the ticket registry replicated on the same MongoDB server 
and it works perfectly.

That's the short story; here are the details (these settings match on all 3 
servers: cas-ha01, cas-ha02, cas-ha03):

-- cas.properties: --
cas.server.name=https://cas-ha.messiah.edu
cas.server.prefix=${cas.server.name}/cas
cas.view.templatePrefixes[0]=file:///etc/cas/templates
cas.logout.followServiceRedirects=true
logging.config=file:/etc/cas/config/log4j2.xml

mongo.db=casdb
mongo.rs=rs0
mongo.opts==true
mongo.creds=mongocas:**
mongo.hosts=cas-ha01.messiah.edu,cas-ha02.messiah.edu,cas-ha03.messiah.edu
# The connection string, assembled
mongo.uri=mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${mongo.rs}${mongo.opts}

### Remove default/local users (must be left blank) ###
cas.authn.accept.users=

### Service Registry Setup ###
#cas.serviceRegistry.json.location=file:/etc/cas/services
#cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.mongo.databaseName=${mongo.db}
cas.serviceRegistry.mongo.clientUri=${mongo.uri}
cas.serviceRegistry.mongo.collection=casServiceRegistry
cas.serviceRegistry.mongo.replicaSet=${mongo.rs}
cas.serviceRegistry.mongo.sslEnabled=true
cas.ticket.registry.mongo.clientUri=${mongo.uri}


-- management.properties: --
cas.server.name=https://cas-ha.messiah.edu
cas.server.prefix=${cas.server.name}/cas
mgmt.serverName=${cas.server.name}
mgmt.userPropertiesFile=file:/etc/cas/config/adminusers.properties

mongo.db=casdb
mongo.rs=rs0
mongo.opts==true
mongo.creds=mongocas:**
mongo.hosts=cas-ha01.messiah.edu,cas-ha02.messiah.edu,cas-ha03.messiah.edu
# The connection string, assembled
mongo.uri=mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${mongo.rs}${mongo.opts}

### Service Registry Setup ###
#cas.serviceRegistry.json.location=file:/etc/cas/services
cas.serviceRegistry.mongo.clientUri=${mongo.uri}
cas.serviceRegistry.mongo.collection=casServiceRegistry

-- pom.xml (cas server, dependencies): --
...

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp${app.server}</artifactId>
    <version>${cas.version}</version>
    <type>war</type>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap-core</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp-config-security</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-interrupt-core</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-interrupt-api</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-interrupt-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-rest</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-gauth</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-jdbc-drivers</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-gauth-jpa</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-trusted-mfa</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-trusted-mfa-jdbc</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-mongo-ticket-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-mongo-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
...

-- pom.xml (management app, dependencies): --
...

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-management-webapp</artifactId>
    <version>${cas-mgmt.version}</version>
    <type>war</type>
</dependency>
...

When I load the Service Management app, here is the service that appears:
^https://cas-ha.messiah.edu/cas-management/manage.html

But the one that is in the MongoDB table (which I imported from the 
initFromJson) is:
http(|s)://cas(|.*).messiah.edu(|.*)/cas-management(|/.*)

If I try to create a new service entry, it does not appear in the MongoDB, 
and I cannot delete the existing one.  In fact, I do not know how that one 
is even getting into the management app (that's what is really driving me 
nuts, since I have deleted all service json files)!!

If anyone can help me out, I would certainly appreciate it.

-- 
- 
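
The two service definitions in this post differ in more than origin. The entry the management app shows is anchored with ^ and names one host; the entry imported into the casServiceRegistry collection, http(|s)://cas(|.*).messiah.edu(|.*)/cas-management(|/.*), is unanchored, accepts plain http, and uses unescaped dots. As an added example (not from the thread and not CAS code), the following Python runs both patterns over constructed URLs to show which hosts could be handed a service ticket under each. It assumes CAS evaluates a serviceId regex the way Java's Matcher.find() does, that is anywhere in the URL unless ^ and $ pin it, which Python's re.search mirrors; confirm that against your CAS version. The cas-ha01..03 node names in the strict pattern come from the post; every other URL and host below is made up.

```python
import re
from urllib.parse import urlsplit

# Pattern from the post's casServiceRegistry entry, and an anchored replacement
# (assumption: the only legitimate hosts are cas-ha.messiah.edu and the cas-haNN nodes).
LOOSE_SERVICE_ID = r"http(|s)://cas(|.*).messiah.edu(|.*)/cas-management(|/.*)"
STRICT_SERVICE_ID = r"^https://cas(-ha(0[1-3])?)?\.messiah\.edu/cas-management(/.*)?$"

# Constructed test URLs (not from the thread). Only the first is a real management URL.
CANDIDATE_URLS = [
    "https://cas-ha.messiah.edu/cas-management/manage.html",
    "http://cas-ha.messiah.edu/cas-management/manage.html",           # cleartext: ticket exposed on the wire
    "https://cas.messiah.edu.attacker.example/cas-management/",       # unescaped dots: attacker-owned subdomain
    "https://cas.attacker.example/?next=messiah.edu/cas-management",  # unanchored: the match sits in the query string
]


def accepted_services(service_id_regex: str, urls):
    """Return the URLs CAS would treat as belonging to this registered service.

    re.search mirrors Java's Matcher.find(): a match anywhere in the URL counts,
    so a pattern without ^ ... $ pins neither the scheme nor the host."""
    pattern = re.compile(service_id_regex)
    return [url for url in urls if pattern.search(url)]


def ticket_receivers(service_id_regex: str, urls):
    """Hosts that could receive a service ticket under this service definition.

    Each extra host here is a place CAS would redirect a logged-in user with a
    fresh ST in the query string, and whose /serviceValidate call CAS would answer."""
    return sorted({urlsplit(url).hostname for url in accepted_services(service_id_regex, urls)})


if __name__ == "__main__":
    for label, regex in (("loose", LOOSE_SERVICE_ID), ("strict", STRICT_SERVICE_ID)):
        print(label, ticket_receivers(regex, CANDIDATE_URLS))
```

Run it and the loose pattern lists three hosts, two of them outside messiah.edu; the strict one lists only cas-ha.messiah.edu. The same check is worth running over every entry in the registry collection, since an unanchored pattern that is also stored only in Mongo never gets the review a JSON file in /etc/cas/services would.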

Re: [cas-user] OpenID Connect issues

2019-09-24 Thread Shawn Cutting
I am now able to see the JSON returned, but I also placed the file in both 
places (/etc/cas/keystore.jwks  & /etc/cas/jwks/keystore.jwks).  I would 
prefer not to have it in both places, but it is what seems to return the 
information.

I am using ver. 5.3.11.

On Tuesday, September 24, 2019 at 11:59:05 AM UTC-4, Dmitriy Kopylenko 
wrote:
>
> So with this setting: cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks 
> you are still seeing the error?
>
> You might want to check the version of CAS you’re using and try newer 
> version(s) if this error persists despite the properties setting, etc.
>
> D.
>
>
>
>
> From: Shawn Cutting  
> Reply: Shawn Cutting  
> Date: September 24, 2019 at 11:03:42 AM
> To: CAS Community  
> Cc: dkopy...@unicon.net   
> Subject:  Re: [cas-user] OpenID Connect issues 
>
> Ok, this is strange.  I am not sure why the error is giving 
> /etc/cas/jwks/keystore.jwks when that is not in the config.  I did have it 
> there at one point, but why did it persist after I restarted the service?
>
> On Tuesday, September 24, 2019 at 10:59:05 AM UTC-4, Shawn Cutting wrote: 
>>
>> cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
>>
>> On Tuesday, September 24, 2019 at 10:57:02 AM UTC-4, Dmitriy Kopylenko 
>> wrote: 
>>>
>>> What is the value of *cas.authn.oidc.jwksFile* property?
>>>
>>> D.
>>>
>>>
>>> From: Shawn Cutting 
>>> Reply: cas-...@apereo.org 
>>> Date: September 24, 2019 at 10:49:24 AM
>>> To: CAS Community 
>>> Subject:  [cas-user] OpenID Connect issues
>>>
>>> I am trying to setup CAS to function as an OpenID provider, and am 
>>> running into a roadblock.  When I attempt to retrieve the jwks info, I am 
>>> hit with the following error in the log:
>>>
>>> java.io.FileNotFoundException: Could not open ServletContext resource 
>>> [/etc/cas/jwks/keystore.jwks]
>>> at 
>>> org.springframework.web.context.support.ServletContextResource.getInputStream(ServletContextResource.java:141)
>>>  
>>> ~[spring-web-4.3.20.RELEASE.jar:4.3.20.RELEASE]
>>> at 
>>> org.apereo.cas.oidc.web.controllers.OidcJwksEndpointController.lambda$handleRequestInternal$1(OidcJwksEndpointController.java:89)
>>>  
>>> ~[cas-server-support-oidc-5.3.11.jar:5.3.11]
>>>
>>> I know that CAS sees and can read the file, because if I make any format 
>>> changes to the JSON, it returns an error stating that there is an incorrect 
>>> character in the file.
>>> Any help would be fabulous.  Thanks.
>>>
>>>
>  

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/33993f2d-b13b-45a4-b1ba-80a529715a01%40apereo.org.


Re: [cas-user] OpenID Connect issues

2019-09-24 Thread Shawn Cutting
Ok, this is strange.  I am not sure why the error is giving 
/etc/cas/jwks/keystore.jwks when that is not in the config.  I did have it 
there at one point, but why did it persist after I restarted the service?

On Tuesday, September 24, 2019 at 10:59:05 AM UTC-4, Shawn Cutting wrote:
>
> cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
>
> On Tuesday, September 24, 2019 at 10:57:02 AM UTC-4, Dmitriy Kopylenko 
> wrote:
>>
>> What is the value of *cas.authn.oidc.jwksFile *property?
>>
>> D.
>>
>>
>> From: Shawn Cutting 
>> Reply: cas-...@apereo.org 
>> Date: September 24, 2019 at 10:49:24 AM
>> To: CAS Community 
>> Subject:  [cas-user] OpenID Connect issues 
>>
>> I am trying to setup CAS to function as an OpenID provider, and am 
>> running into a roadblock.  When I attempt to retrieve the jwks info, I am 
>> hit with the following error in the log:
>>
>> java.io.FileNotFoundException: Could not open ServletContext resource 
>> [/etc/cas/jwks/keystore.jwks]
>> at 
>> org.springframework.web.context.support.ServletContextResource.getInputStream(ServletContextResource.java:141)
>>  
>> ~[spring-web-4.3.20.RELEASE.jar:4.3.20.RELEASE]
>> at 
>> org.apereo.cas.oidc.web.controllers.OidcJwksEndpointController.lambda$handleRequestInternal$1(OidcJwksEndpointController.java:89)
>>  
>> ~[cas-server-support-oidc-5.3.11.jar:5.3.11]
>>
>> I know that CAS sees and can read the file, because if I make any format 
>> changes to the JSON, it returns an error stating that there is an incorrect 
>> character in the file.
>> Any help would be fabulous.  Thanks.
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/afda9ed0-ebab-4edc-9ad7-e4123d30372b%40apereo.org.


[cas-user] OpenID Connect issues

2019-09-24 Thread Shawn Cutting
I am trying to setup CAS to function as an OpenID provider, and am running 
into a roadblock.  When I attempt to retrieve the jwks info, I am hit with 
the following error in the log:

java.io.FileNotFoundException: Could not open ServletContext resource 
[/etc/cas/jwks/keystore.jwks]
at 
org.springframework.web.context.support.ServletContextResource.getInputStream(ServletContextResource.java:141)
 
~[spring-web-4.3.20.RELEASE.jar:4.3.20.RELEASE]
at 
org.apereo.cas.oidc.web.controllers.OidcJwksEndpointController.lambda$handleRequestInternal$1(OidcJwksEndpointController.java:89)
 
~[cas-server-support-oidc-5.3.11.jar:5.3.11]

I know that CAS sees and can read the file, because if I make any format 
changes to the JSON, it returns an error stating that there is an incorrect 
character in the file.
Any help would be fabulous.  Thanks.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b87b276-bfdc-4112-9526-b5bad3872c67%40apereo.org.
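
The trace names a ServletContextResource, which is how Spring resolves a location that carries no scheme prefix such as file: inside a web application; a stale property without the prefix (or an old copy of the properties file still on the classpath) produces exactly this path. Once the endpoint does answer, the thing to verify is what it publishes: keystore.jwks is the file CAS signs ID tokens with, so it holds the private key, while the /jwks document must carry only public members. The following Python is an added check, not CAS code and not from the thread; the sample keystore is a constructed placeholder with fake values, not key material.

```python
import json

# Members that carry private key material, per RFC 7518 (RSA, EC, OKP) and RFC 7517 (oct).
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},
}
# Members a verifier needs. A symmetric "oct" key has no public form and must never be published.
REQUIRED_PUBLIC = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "OKP": {"crv", "x"}}

# Constructed stand-in for /etc/cas/keystore.jwks: placeholder strings, not real keys.
SAMPLE_KEYSTORE = json.dumps({"keys": [
    {"kty": "RSA", "kid": "cas", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB",
     "d": "placeholder-private-exponent", "p": "placeholder-p", "q": "placeholder-q"},
    {"kty": "EC", "kid": "ec-sig", "use": "sig", "crv": "P-256",
     "x": "placeholder-x", "y": "placeholder-y"},
]})


def audit_jwks(document: str) -> dict:
    """Inspect a JWKS document, e.g. the body fetched from the /oidc/jwks endpoint.

    Returns {"keys": count, "leaked": [(kid, [members])], "incomplete": [kid], "missing_kid": count}.
    Anything in "leaked" means private key material is being served to the world."""
    jwks = json.loads(document)
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list):
        raise ValueError("a JWKS document is an object with a 'keys' array")
    report = {"keys": len(keys), "leaked": [], "incomplete": [], "missing_kid": 0}
    for index, key in enumerate(keys):
        kid = key.get("kid")
        if kid is None:                      # relying parties select keys by kid on rotation
            report["missing_kid"] += 1
            kid = f"#{index}"
        kty = key.get("kty", "")
        present = set(key)
        leaked = sorted(PRIVATE_MEMBERS.get(kty, set()) & present)
        if leaked:
            report["leaked"].append((kid, leaked))
        if kty not in REQUIRED_PUBLIC or REQUIRED_PUBLIC[kty] - present:
            report["incomplete"].append(kid)
    return report


def public_only(document: str) -> str:
    """Strip private members: the form a JWKS endpoint should publish.

    Symmetric ("oct") keys are dropped entirely because they have no public part."""
    jwks = json.loads(document)
    published = []
    for key in jwks["keys"]:
        kty = key.get("kty", "")
        if kty == "oct":
            continue
        drop = PRIVATE_MEMBERS.get(kty, set())
        published.append({name: value for name, value in key.items() if name not in drop})
    return json.dumps({"keys": published}, indent=2)


if __name__ == "__main__":
    print("keystore on disk:", audit_jwks(SAMPLE_KEYSTORE))
    print("what should be served:", audit_jwks(public_only(SAMPLE_KEYSTORE)))
```

Point audit_jwks at the body returned by the live endpoint after the fix; a non-empty "leaked" list means the file was served verbatim and the signing key must be rotated, not just the endpoint corrected. Keeping the keystore in one location only, readable by the CAS service account alone, removes the second copy the post mentions.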


[cas-user] Re: Google Autenticator Error

2019-08-13 Thread Shawn Cutting
It seems that I am back where I started, but I think I know what the 
culprit is.  I am trying to use a REST call to store the trusted devices of 
Google Authenticator, but simply building the 
"cas-server-support-trusted-mfa-rest" into the overlay causes the gauth to 
not function at all.

If anyone has had any success with REST and google authenticator/trusted 
devices, I could sure use the help.

Shawn

On Sunday, August 11, 2019 at 8:51:49 PM UTC-4, Shawn Cutting wrote:
>
> I was able to figure out how to get the Google Authenticator working with 
> a REST call (to dynamically return the correctly formatted JSON 
> information), but I am still unable to use REST to store/register a new 
> code for a user (I am not sure how to send the POST data to store the 
> information).  Any help would be appreciated.
>
> Thanks!
> Shawn
>
> On Friday, August 9, 2019 at 9:13:18 AM UTC-4, Shawn Cutting wrote:
>>
>> I am trying to get CAS 5.3.9 working with Google Authenticator MFA, but I am 
>> getting the following error:
>>
>> Error: Exception thrown executing 
>> org.apereo.cas.trusted.web.flow.MultifactorAuthenticationVerifyTrustAction@7b20419f
>>  in state 'verifyTrustedDevice' of flow 'mfa-gauth' -- action execution 
>> attributes were 'map['resolvedAuthenticationEvents' -> set[mfa-gauth]]'
>>
>> The config is below:
>>
>> cas.server.name: https://
>> cas.server.prefix: ${cas.server.name}/cas
>>
>> cas.logout.followServiceRedirects=true
>>
>> cas.view.templatePrefixes[0]=file:///etc/cas/templates
>>
>> logging.config=file:/etc/cas/config/log4j2.xml
>>
>> cas.serviceRegistry.json.location=file:/etc/cas/services
>>
>> cas.authn.accept.users=
>>
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldapUrl=ldaps://*
>> cas.authn.ldap[0].bindDn=*
>> cas.authn.ldap[0].bindCredential=*
>> cas.authn.ldap[0].useSsl=true
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].poolPassivator=BIND
>> cas.authn.ldap[0].baseDn=*
>> cas.authn.ldap[0].subtreeSearch=true
>> cas.authn.ldap[0].searchFilter=(*)
>> cas.authn.ldap[0].principalAttributeId=cn
>> cas.authn.ldap[0].principalAttributeList=*
>>
>> cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=UDC_IDENTIFIER
>> cas.authn.attributeRepository.ldap[0].attributes.mail=email
>> cas.authn.attributeRepository.ldap[0].attributes.givenName=firstName
>> cas.authn.attributeRepository.ldap[0].attributes.sn=lastName
>> cas.authn.attributeRepository.ldap[0].attributes.cn=user
>> cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf
>>
>> ### Authy setup
>> cas.authn.mfa.authy.apiKey=*
>> cas.authn.mfa.authy.apiUrl=*
>> cas.authn.mfa.authy.phoneAttribute=mobile
>> cas.authn.mfa.authy.mailAttribute=extenstionattribute1
>> cas.authn.mfa.authy.countryCode=1
>> cas.authn.mfa.authy.forceVerification=true
>> cas.authn.mfa.authy.trustedDeviceEnabled=false
>> cas.authn.mfa.authy.name=castest
>>
>> ### Google Authenticator setup
>>
>> #cas.authn.mfa.globalProviderId=mfa-gauth
>>
>> cas.authn.mfa.gauth.issuer=Messiah_College_CAS
>> cas.authn.mfa.gauth.label=Username
>> cas.authn.mfa.gauth.windowSize=3
>> cas.authn.mfa.gauth.codeDigits=6
>> cas.authn.mfa.gauth.timeStepSize=30
>> cas.authn.mfa.gauth.rank=0
>> cas.authn.mfa.gauth.trustedDeviceEnabled=true
>> cas.authn.mfa.gauth.name=castest
>> cas.authn.mfa.gauth.json.location=file:/etc/cas/config/gauth.json
>> #cas.authn.mfa.gauth.rest.endpointUrl=https://*/processGauth.php
>>
>> cas.authn.mfa.gauth.crypto.encryption.key=*
>> cas.authn.mfa.gauth.crypto.encryption.keySize=256
>> cas.authn.mfa.gauth.crypto.signing.key=*
>> cas.authn.mfa.gauth.crypto.signing.keySize=512
>> cas.authn.mfa.gauth.crypto.enabled=true
>>
>> #cas.authn.mfa.gauth.cleaner.enabled=true
>> #cas.authn.mfa.gauth.cleaner.schedule.startDelay=2
>> #cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=6
>>
>> cas.authn.mfa.trusted.authenticationContextAttribute=isFromTrustedMultifactorAuthentication
>> cas.authn.mfa.trusted.deviceRegistrationEnabled=true
>> cas.authn.mfa.trusted.expiration=30
>> cas.authn.mfa.trusted.timeUnit=DAYS
>> cas.authn.mfa.trusted.json.location=file:/etc/cas/config/trusted-dev.json
>> #cas.authn.mfa.trusted.rest.endpoint=https://*/trustedBrowser/index.php
>> cas.authn.mfa.trusted.crypto.encryption.key=*
>> cas.authn.mfa.trusted.

[cas-user] Re: Google Autenticator Error

2019-08-11 Thread Shawn Cutting
I was able to figure out how to get the Google Authenticator working with a 
REST call (to dynamically return the correctly formatted JSON information), 
but I am still unable to use REST to store/register a new code for a user 
(I am not sure how to send the POST data to store the information).  Any 
help would be appreciated.

Thanks!
Shawn

On Friday, August 9, 2019 at 9:13:18 AM UTC-4, Shawn Cutting wrote:
>
> I am trying to get CAS 5.3.9 working with Google Authenticator MFA, but I am 
> getting the following error:
>
> Error: Exception thrown executing 
> org.apereo.cas.trusted.web.flow.MultifactorAuthenticationVerifyTrustAction@7b20419f
>  in state 'verifyTrustedDevice' of flow 'mfa-gauth' -- action execution 
> attributes were 'map['resolvedAuthenticationEvents' -> set[mfa-gauth]]'
>
> The config is below:
>
> cas.server.name: https://
> cas.server.prefix: ${cas.server.name}/cas
>
> cas.logout.followServiceRedirects=true
>
> cas.view.templatePrefixes[0]=file:///etc/cas/templates
>
> logging.config=file:/etc/cas/config/log4j2.xml
>
> cas.serviceRegistry.json.location=file:/etc/cas/services
>
> cas.authn.accept.users=
>
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldaps://*
> cas.authn.ldap[0].bindDn=*
> cas.authn.ldap[0].bindCredential=*
> cas.authn.ldap[0].useSsl=true
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].poolPassivator=BIND
> cas.authn.ldap[0].baseDn=*
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].searchFilter=(*)
> cas.authn.ldap[0].principalAttributeId=cn
> cas.authn.ldap[0].principalAttributeList=*
>
> cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=UDC_IDENTIFIER
> cas.authn.attributeRepository.ldap[0].attributes.mail=email
> cas.authn.attributeRepository.ldap[0].attributes.givenName=firstName
> cas.authn.attributeRepository.ldap[0].attributes.sn=lastName
> cas.authn.attributeRepository.ldap[0].attributes.cn=user
> cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf
>
> ### Authy setup
> cas.authn.mfa.authy.apiKey=*
> cas.authn.mfa.authy.apiUrl=*
> cas.authn.mfa.authy.phoneAttribute=mobile
> cas.authn.mfa.authy.mailAttribute=extenstionattribute1
> cas.authn.mfa.authy.countryCode=1
> cas.authn.mfa.authy.forceVerification=true
> cas.authn.mfa.authy.trustedDeviceEnabled=false
> cas.authn.mfa.authy.name=castest
>
> ### Google Authenticator setup
>
> #cas.authn.mfa.globalProviderId=mfa-gauth
>
> cas.authn.mfa.gauth.issuer=Messiah_College_CAS
> cas.authn.mfa.gauth.label=Username
> cas.authn.mfa.gauth.windowSize=3
> cas.authn.mfa.gauth.codeDigits=6
> cas.authn.mfa.gauth.timeStepSize=30
> cas.authn.mfa.gauth.rank=0
> cas.authn.mfa.gauth.trustedDeviceEnabled=true
> cas.authn.mfa.gauth.name=castest
> cas.authn.mfa.gauth.json.location=file:/etc/cas/config/gauth.json
> #cas.authn.mfa.gauth.rest.endpointUrl=https://*/processGauth.php
>
> cas.authn.mfa.gauth.crypto.encryption.key=*
> cas.authn.mfa.gauth.crypto.encryption.keySize=256
> cas.authn.mfa.gauth.crypto.signing.key=*
> cas.authn.mfa.gauth.crypto.signing.keySize=512
> cas.authn.mfa.gauth.crypto.enabled=true
>
> #cas.authn.mfa.gauth.cleaner.enabled=true
> #cas.authn.mfa.gauth.cleaner.schedule.startDelay=2
> #cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=6
>
> cas.authn.mfa.trusted.authenticationContextAttribute=isFromTrustedMultifactorAuthentication
> cas.authn.mfa.trusted.deviceRegistrationEnabled=true
> cas.authn.mfa.trusted.expiration=30
> cas.authn.mfa.trusted.timeUnit=DAYS
> cas.authn.mfa.trusted.json.location=file:/etc/cas/config/trusted-dev.json
> #cas.authn.mfa.trusted.rest.endpoint=https://*/trustedBrowser/index.php
> cas.authn.mfa.trusted.crypto.encryption.key=*
> cas.authn.mfa.trusted.crypto.encryption.keySize=256
> cas.authn.mfa.trusted.crypto.signing.key=*
> cas.authn.mfa.trusted.crypto.signing.keySize=512
> cas.authn.mfa.trusted.crypto.enabled=true
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=*
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.keySize=256
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=*
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.keySize=512
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.enabled=true
>
> cas.tgc.crypto.encryption.key=*
> cas.tgc.crypto.encryption.keySize=256
> cas.tgc.crypto.signing.key=*
> cas.tgc.crypto.signing.keySize=512
> cas.tgc.crypto.enabled=true
>
> cas.webflow.crypto.signing.key=*
> cas.webflow.crypto.signing.keySize

[cas-user] Google Autenticator Error

2019-08-09 Thread Shawn Cutting


I am trying to get CAS 5.3.9 working with Google Authenticator MFA, but I am 
getting the following error:

Error: Exception thrown executing 
org.apereo.cas.trusted.web.flow.MultifactorAuthenticationVerifyTrustAction@7b20419f
 in state 'verifyTrustedDevice' of flow 'mfa-gauth' -- action execution 
attributes were 'map['resolvedAuthenticationEvents' -> set[mfa-gauth]]'

The config is below:

cas.server.name: https://
cas.server.prefix: ${cas.server.name}/cas

cas.logout.followServiceRedirects=true

cas.view.templatePrefixes[0]=file:///etc/cas/templates

logging.config=file:/etc/cas/config/log4j2.xml

cas.serviceRegistry.json.location=file:/etc/cas/services

cas.authn.accept.users=

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://*
cas.authn.ldap[0].bindDn=*
cas.authn.ldap[0].bindCredential=*
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].poolPassivator=BIND
cas.authn.ldap[0].baseDn=*
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(*)
cas.authn.ldap[0].principalAttributeId=cn
cas.authn.ldap[0].principalAttributeList=*

cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.mail=email
cas.authn.attributeRepository.ldap[0].attributes.givenName=firstName
cas.authn.attributeRepository.ldap[0].attributes.sn=lastName
cas.authn.attributeRepository.ldap[0].attributes.cn=user
cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf

### Authy setup
cas.authn.mfa.authy.apiKey=*
cas.authn.mfa.authy.apiUrl=*
cas.authn.mfa.authy.phoneAttribute=mobile
cas.authn.mfa.authy.mailAttribute=extenstionattribute1
cas.authn.mfa.authy.countryCode=1
cas.authn.mfa.authy.forceVerification=true
cas.authn.mfa.authy.trustedDeviceEnabled=false
cas.authn.mfa.authy.name=castest

### Google Authenticator setup

#cas.authn.mfa.globalProviderId=mfa-gauth

cas.authn.mfa.gauth.issuer=Messiah_College_CAS
cas.authn.mfa.gauth.label=Username
cas.authn.mfa.gauth.windowSize=3
cas.authn.mfa.gauth.codeDigits=6
cas.authn.mfa.gauth.timeStepSize=30
cas.authn.mfa.gauth.rank=0
cas.authn.mfa.gauth.trustedDeviceEnabled=true
cas.authn.mfa.gauth.name=castest
cas.authn.mfa.gauth.json.location=file:/etc/cas/config/gauth.json
#cas.authn.mfa.gauth.rest.endpointUrl=https://*/processGauth.php

cas.authn.mfa.gauth.crypto.encryption.key=*
cas.authn.mfa.gauth.crypto.encryption.keySize=256
cas.authn.mfa.gauth.crypto.signing.key=*
cas.authn.mfa.gauth.crypto.signing.keySize=512
cas.authn.mfa.gauth.crypto.enabled=true

#cas.authn.mfa.gauth.cleaner.enabled=true
#cas.authn.mfa.gauth.cleaner.schedule.startDelay=2
#cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=6

cas.authn.mfa.trusted.authenticationContextAttribute=isFromTrustedMultifactorAuthentication
cas.authn.mfa.trusted.deviceRegistrationEnabled=true
cas.authn.mfa.trusted.expiration=30
cas.authn.mfa.trusted.timeUnit=DAYS
cas.authn.mfa.trusted.json.location=file:/etc/cas/config/trusted-dev.json
#cas.authn.mfa.trusted.rest.endpoint=https://*/trustedBrowser/index.php
cas.authn.mfa.trusted.crypto.encryption.key=*
cas.authn.mfa.trusted.crypto.encryption.keySize=256
cas.authn.mfa.trusted.crypto.signing.key=*
cas.authn.mfa.trusted.crypto.signing.keySize=512
cas.authn.mfa.trusted.crypto.enabled=true
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=*
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.keySize=256
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=*
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.keySize=512
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.enabled=true

cas.tgc.crypto.encryption.key=*
cas.tgc.crypto.encryption.keySize=256
cas.tgc.crypto.signing.key=*
cas.tgc.crypto.signing.keySize=512
cas.tgc.crypto.enabled=true

cas.webflow.crypto.signing.key=*
cas.webflow.crypto.signing.keySize=512
cas.webflow.crypto.encryption.key=*
cas.webflow.crypto.encryption.keySize=16
cas.webflow.crypto.enabled=true

cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false

cas.monitor.freeMemThreshold=10

cas.ticket.st.numberOfUses=1
cas.ticket.st.timeToKillInSeconds=300
cas.ticket.tgt.maxTimeToLiveInSeconds=36000
cas.ticket.tgt.timeToKillInSeconds=28000
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=36000
# cas.ticket.tgt.rememberMe.enabled=false
# cas.ticket.tgt.rememberMe.timeToKillInSeconds=1

cas.interrupt.rest.url=https://*/interrupts/process.php
cas.interrupt.rest.method=GET

My ultimate goal is to get this to work using a REST call so that I can store 
the user and device information (I have asked that in a different thread), 
but at this point, I am not sure why the JSON file-based is throwing the 
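
The gauth settings in the post (codeDigits=6, timeStepSize=30, windowSize=3) are the RFC 6238 parameters, and the crypto.* keys exist because the stored secrets are long-lived credentials. As an added example, not CAS code and not from the thread, here is a TOTP verifier in Python that shows what windowSize buys and what it costs: every extra time step the server accepts is another full code space a guesser gets per attempt, and a code that has been accepted once must be refused afterwards even though it is still inside the window. The centred window (windowSize 3 = previous, current and next step) is how I understand the GoogleAuth library behind CAS's gauth module to read the setting; treat that mapping as an assumption and check it against your version. The secret is the RFC 4226/6238 test-vector key, not real key material.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); not a real user secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, time_step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / timeStepSize)."""
    return hotp(secret, int(unix_time) // time_step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, used_counters: set,
                time_step: int = 30, digits: int = 6, window_size: int = 3) -> bool:
    """Accept `submitted` if it matches one of `window_size` consecutive steps centred
    on the current one (assumption: windowSize=3 means steps -1, 0, +1, as in the
    GoogleAuth library).  `used_counters` is the server-side replay record: a step
    whose code was already accepted is refused, so one code logs in exactly once."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = int(unix_time) // time_step
    for delta in range(-((window_size - 1) // 2), window_size // 2 + 1):
        counter = current + delta
        # constant-time comparison: the response time must not leak which digits matched
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            if counter in used_counters:
                return False            # valid but already consumed: a replay
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    print(totp(TEST_SECRET, 59))        # RFC 6238 vector at T=59 → 287082 for 6 digits
    seen = set()
    print(verify_totp(TEST_SECRET, "287082", 59, seen))   # first use
    print(verify_totp(TEST_SECRET, "287082", 59, seen))   # replay, refused
    print(verify_totp(TEST_SECRET, "287082", 119, seen))  # two steps late, outside window 3
```

With window_size=3 a guesser gets three chances per attempt out of a million codes; raising it to 5 to absorb clock drift is harmless only if the rate limit on the mfa-gauth flow is tightened accordingly. A REST-backed account store in CAS's model would need to hold the replay record (the last accepted counter) alongside the secret, otherwise the window check alone lets a captured code be resubmitted for up to a minute.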

[cas-user] Re: Google Auth and REST

2019-08-08 Thread Shawn Cutting
Bumping to see if anyone has any advice.
Thanks!

On Tuesday, December 18, 2018 at 12:26:22 PM UTC-5, Shawn Cutting wrote:
>
> I am trying to implement Google Authenticator as our MFA, and I am able to 
> get everything working if I use the JSON method.  However, I want to be 
> able to store the validation information for the users in a MySQL database, 
> and I figure the best way to do that is by using a custom REST page.  But I 
> am not sure how the information is being sent (or even what type of 
> information) is being sent to the REST endpoint.  Anything that I have 
> tried results in a "Whitelabel Error Page."  Has anyone had success (or can 
> tell me) getting REST endpoints to work with Google Auth MFA?
>
> Thanks!
>
> BTW, this is the body of the error:
>
> There was an unexpected error (type=Internal Server Error, status=500).
> Exception thrown executing 
> org.apereo.cas.otp.web.flow.OneTimeTokenAccountCheckRegistrationAction@264472e1
>  
> in state 'accountRegistrationCheck' of flow 'mfa-gauth' -- action execution 
> attributes were 'map['resolvedAuthenticationEvents' -> set[mfa-gauth]]'
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8a767118-d0dc-4638-bd47-cf277b5d63f5%40apereo.org.


[cas-user] Unable to build 5.3 SAML as IdP

2019-06-25 Thread Shawn Cutting
Greetings,
I have been banging my head against a wall for the past few weeks trying to 
figure out why I cannot build a functional CAS instance with SAML IdP.  
When I run "build.sh package", I get the following error:

[ERROR] Failed to execute goal on project cas-overlay: Could not resolve 
dependencies for project org.apereo.cas:cas-overlay:war:1.0: Failed to 
collect dependencies at org.apereo.cas:cas-server-support-ldap:jar:5.3.9 -> 
org.apereo.cas:cas-server-core-util-api:jar:5.3.9 -> 
org.pac4j:pac4j-saml:jar:3.6.1 -> net.shibboleth.tool:xmlsectool:jar:2.0.0: 
Failed to read artifact descriptor for 
net.shibboleth.tool:xmlsectool:jar:2.0.0: Could not transfer artifact 
net.shibboleth.tool:xmlsectool:pom:2.0.0 from/to shib-release 
(https://build.shibboleth.net/nexus/content/repositories/releases): 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target -> [Help 1]

In doing some more research, it seems that the last part of the error 
indicates that perhaps the shibboleth.net site is not trusted, yet its 
information is inside the keystore (and is valid).  Something to note, we 
are running CAS behind an Apache proxy/reverse proxy (for ease of updating 
the SSL certificate of the server).  Does anyone have any insight into why 
the SAML elements of my build keep it from succeeding?

Info about the build:
CAS 5.3.9 overlay (Maven)

pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd ">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-overlay</artifactId>
    <packaging>war</packaging>
    <version>1.0</version>

    <build>
        <plugins>
            <plugin>
                <groupId>com.rimerosolutions.maven.plugins</groupId>
                <artifactId>wrapper-maven-plugin</artifactId>
                <version>0.0.5</version>
                <configuration>
                    <verifyDownload>true</verifyDownload>
                    <checksumAlgorithm>MD5</checksumAlgorithm>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>${springboot.version}</version>
                <configuration>
                    <mainClass>${mainClassName}</mainClass>
                    <addResources>true</addResources>
                    <executable>${isExecutable}</executable>
                    <layout>WAR</layout>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>repackage</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>2.6</version>
                <configuration>
                    <warName>cas</warName>
                    <failOnMissingWebXml>false</failOnMissingWebXml>
                    <recompressZippedFiles>false</recompressZippedFiles>
                    <archive>
                        <addMavenDescriptor>false</addMavenDescriptor>
                        <manifestFile>${manifestFileToUse}</manifestFile>
                    </archive>
                    <overlays>
                        <overlay>
                            <groupId>org.apereo.cas</groupId>
                            <artifactId>cas-server-webapp${app.server}</artifactId>
                        </overlay>
                    </overlays>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.3</version>
            </plugin>
        </plugins>
        <finalName>cas</finalName>
    </build>

    <properties>
        <cas.version>5.3.9</cas.version>
        <springboot.version>1.5.18.RELEASE</springboot.version>
        <app.server>-tomcat</app.server>

        <mainClassName>org.springframework.boot.loader.WarLauncher</mainClassName>
        <isExecutable>false</isExecutable>
        <manifestFileToUse>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp${app.server}/META-INF/MANIFEST.MF</manifestFileToUse>

        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <repositories>
        <repository>
            <id>sonatype-releases</id>
            <url>http://oss.sonatype.org/content/repositories/releases/</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
            <releases>
                <enabled>true</enabled>
            </releases>
        </repository>
        <repository>
            <id>sonatype-snapshots</id>
            <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
            <releases>
                <enabled>false</enabled>
            </releases>
        </repository>
        <repository>
            <id>shibboleth-releases</id>
            <url>https://build.shibboleth.net/nexus/content/repositories/releases</url>
        </repository>
    </repositories>

    <profiles>
        <profile>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <id>default</id>
            <dependencies>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-webapp${app.server}</artifactId>
                    <version>${cas.version}</version>
                    <type>war</type>
                    <scope>runtime</scope>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-ldap</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-ldap-core</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-saml</artifactId>
                    <version>${cas.version}</version>
                </dependency>
                <dependency>
                    <groupId>org.apereo.cas</groupId>
                    <artifactId>cas-server-support-saml-idp</artifactId>
                    <version>${cas.version}</version>
                </dependency>

org.apereo.cas


[cas-user] Google Auth and REST

2018-12-18 Thread Shawn Cutting
I am trying to implement Google Authenticator as our MFA, and I am able to 
get everything working if I use the JSON method.  However, I want to be 
able to store the validation information for the users in a MySQL database, 
and I figure the best way to do that is by using a custom REST page.  But I 
am not sure how the information is being sent (or even what type of 
information is being sent) to the REST endpoint.  Anything that I have 
tried results in a "Whitelabel Error Page."  Has anyone had success (or can 
tell me) getting REST endpoints to work with Google Auth MFA?

Thanks!

BTW, this is the body of the error:

There was an unexpected error (type=Internal Server Error, status=500).
Exception thrown executing 
org.apereo.cas.otp.web.flow.OneTimeTokenAccountCheckRegistrationAction@264472e1 
in state 'accountRegistrationCheck' of flow 'mfa-gauth' -- action execution 
attributes were 'map['resolvedAuthenticationEvents' -> set[mfa-gauth]]'

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8e9c5d1f-0c8b-4262-b42b-e8860af04aab%40apereo.org.


[cas-user] Re: CAS Interrupt Misunderstanding

2018-12-04 Thread Shawn Cutting
Well, that is disappointing and reassuring at the same time.  Thankfully, I 
am just beginning the process of utilizing interrupts in this way, so I can 
easily shift my mindset for designing interrupts in the future.  Thank you 
for your quick feedback!!

Shawn

On Tuesday, December 4, 2018 at 10:39:17 AM UTC-5, Shawn Cutting wrote:
>
> Good morning,
> I am trying to create a dynamic interrupt page and I think I am 
> misunderstanding what the "ssoEnabled" setting does.  From the 
> documentation, it seems that if this is set to true, then it would give a 
> service ticket despite the action that would be taken on the interrupt 
> page.  Here is what I am trying to do:
>
> I want to warn people that their passwords are about to expire (we use 
> Active Directory as LDAP) and I am giving them the option to "Remind me in 
> 3 days." This option updates a database with the reminder date and then 
> should redirect to the service page they originally called.  But instead, 
> it takes them back to the CAS login where they have to reauthenticate and 
> it bypasses the interrupt per my code.  What I want it to do is, after 
> pressing "Remind me" to take them to the service page without having to 
> authenticate again, which is what I thought should happen with 
> "ssoEnabled=true."
>
> Can anyone give me some better insight?
> Thanks!
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2ea85375-af1d-4cd3-8158-b84a56de909d%40apereo.org.


[cas-user] CAS Interrupt Misunderstanding

2018-12-04 Thread Shawn Cutting
Good morning,
I am trying to create a dynamic interrupt page and I think I am 
misunderstanding what the "ssoEnabled" setting does.  From the 
documentation, it seems that if this is set to true, then it would give a 
service ticket despite the action that would be taken on the interrupt 
page.  Here is what I am trying to do:

I want to warn people that their passwords are about to expire (we use 
Active Directory as LDAP) and I am giving them the option to "Remind me in 
3 days." This option updates a database with the reminder date and then 
should redirect to the service page they originally called.  But instead, 
it takes them back to the CAS login where they have to reauthenticate and 
it bypasses the interrupt per my code.  What I want it to do is, after 
pressing "Remind me" to take them to the service page without having to 
authenticate again, which is what I thought should happen with 
"ssoEnabled=true."

Can anyone give me some better insight?
Thanks!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0c6e7901-7ef7-48b0-91d8-d2d5f10170d6%40apereo.org.


[cas-user] status/refresh

2018-11-09 Thread Shawn Cutting
Good day.
I am trying to implement the "/cas/status/refresh" feature of CAS 5.3.5, 
and I have it configured to use security.basic as follows:

   endpoints.enabled=true
   endpoints.refresh.enabled=true
   security.basic.authorizeMode=authenticated
   security.basic.enabled=true
   security.basic.path=/cas/status/**
   security.user.name=admin
   security.user.password=adminPassword
   security.user.role=ACTUATOR,ADMIN

I know that these settings work for the other pages (like /cas/status/info 
and /cas/status/config) but when I try to send "curl -X POST -u admin 
https://cas-test.messiah.edu/cas/status/refresh" and enter the password 
when prompted, I get the following error in the logs:
   ERROR [org.pac4j.cas.client.direct.DirectCasClient] -  
org.pac4j.core.exception.CredentialsException: POST requests not supported

and the JSON returned from the curl is:

   {"timestamp":1541782467520,"status":403,"error":"Forbidden","message":"No message available","path":"/cas/status/refresh"}

I would really like to get this working so that I can more efficiently make 
changes to the config and reload CAS.  I would also like to get it working 
with LDAP authentication instead of the basic.

Thanks!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/810daf53-40f4-4243-be58-b2f75a603ad7%40apereo.org.


[cas-user] Re: CAS Management v5.3.6 Release

2018-11-07 Thread Shawn Cutting
Is the search functionality limited to "whole word" searches?  It would be 
nice if the search can find partial words as well.

On Friday, November 2, 2018 at 1:57:01 PM UTC-4, Travis Schmidt wrote:
>
> CAS Management v5.3.6 has been released:
> https://github.com/apereo/cas-management/releases/tag/v5.3.6
>
> This release corrects an error that was found in the new Search 
> functionality released in 5.3.5.
>
> Deployers that use the war overlay, take note that the pom.xml has been 
> updated to include a separate  property.   
> is still present and can be used for any CAS modules that you add to the 
> overlay.
>
> Thanks
> Travis 
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8d3c6ad8-4a84-4aac-983e-e7a9c7a1f92e%40apereo.org.


Re: [cas-user] CAS 5.3.5 Authorization Interrupt & REST

2018-10-30 Thread Shawn Cutting
Dirk,

You are FABULOUS!!!  That was exactly what it needed.  Thank you for such a 
quick response, too.

Shawn

On Monday, October 29, 2018 at 9:29:36 PM UTC-4, Dirk Tepe wrote:
>
> The interrupt JSON file contains a mapping of username to interrupt 
> configuration. The REST response is the only the configuration block for 
> the matched user. Drop the 'testuser' key and just return that block:
>
>   {
>     "autoRedirect": false,
>     "autoRedirectAfterSeconds": -1,
>     "block": false,
>     "interrupt": true,
>     "links": {
>       "Google Link": "https://www.google.com",
>       "Yahoo Link": "https://www.yahoo.com"
>     },
>     "message": "This is the announcement message that will tell people what to do",
>     "ssoEnabled": false
>   }
>
> The 200 Ok response tells CAS to interrupt, but then it can't find the 
> data elements it expects.
>
> -dirk
> On Mon, Oct 29, 2018 at 4:43 PM Shawn Cutting  > wrote:
>
>> Greetings.
>>
>> I am looking for some sort of documentation or other source of help for 
>> how to properly use the Authorization Interrupt with a REST page response.  
>> I am able to see the CAS server calling my REST application, and I am able 
>> to appropriately process the call on the application, and the result is a 
>> straight JSON file in the exact same syntax as the interrupt.json file.
>>
>> If I use the same information that I am returning from my REST app in the 
>> json file, everything works like I would expect.  But the returned JSON 
>> does NOT follow the rules that are set in the json code.  It does recognize 
>> the specific user and only processes that user, but the rest of the rules 
>> are not followed.
>>
>> Here is what I am returning (with example 'testuser'):
>>
>> <?php
>>
>> if ($_GET["username"] == "testuser"){
>>     header("HTTP/1.1 200 OK");
>>     header('Content-Type:application/json');
>>
>>     $array = array("testuser" => array(
>>         "message" => "This is the announcement message that will tell people what to do",
>>         "links" => array(
>>             "Yahoo Link" => urlencode("https://www.yahoo.com"),
>>             "Google Link"  => urlencode("https://www.google.com")
>>         ),
>>         "block" => false,
>>         "ssoEnabled" => false,
>>         "interrupt" => true,
>>         "autoRedirect" => false,
>>         "autoRedirectAfterSeconds" => -1
>>     ));
>>
>>     echo urldecode(json_encode($array));
>> }
>> ?>
>>
>> If I put this json layout into the interrupt.json file, it works as it 
>> should (the message appears, the links appear, etc).  But when I call this 
>> php file, it sees that testuser is the user in play and it does interrupt 
>> the login, but the content is the default interrupt information with no 
>> custom message, no links.
>>
>>
>> Has anyone had any success with the interrupt settings and REST?  Any 
>> help would be fabulous!
>>
>> Shawn
>>
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/149ab0d4-6572-4bf4-95ee-fc6d0a5531f5%40apereo.org.
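The response shape Dirk describes above (the matched user's configuration block on its own, not the username-keyed map that interrupt.json uses), as an added Python example that is not code from this thread; the listening port, the sample user data and the interrupt=false answer for users without an entry are this example's own assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample in the layout of CAS's file-based interrupt.json:
# a map from username to that user's interrupt configuration block.
INTERRUPT_JSON = {
    "testuser": {
        "message": "This is the announcement message that will tell people what to do",
        "links": {"Google Link": "https://www.google.com",
                  "Yahoo Link": "https://www.yahoo.com"},
        "block": False,
        "ssoEnabled": False,
        "interrupt": True,
        "autoRedirect": False,
        "autoRedirectAfterSeconds": -1,
    }
}

def is_block(obj):
    """True when obj has the shape CAS reads from the REST response:
    one configuration block carrying the boolean 'interrupt' flag."""
    return isinstance(obj, dict) and isinstance(obj.get("interrupt"), bool)

def is_file_layout(obj):
    """True for the username-keyed wrapper used by interrupt.json; answering
    the REST query with this wrapper is the mistake discussed in the thread."""
    return bool(isinstance(obj, dict) and obj and not is_block(obj)
                and all(is_block(v) for v in obj.values()))

def interrupt_response(username):
    """Body for CAS's query: the matched user's block alone.  Users with no
    entry get a block with interrupt=false (assumption: CAS then continues)."""
    body = INTERRUPT_JSON.get(username, {"interrupt": False})
    assert is_block(body) and not is_file_layout(body)
    return body

class InterruptHandler(BaseHTTPRequestHandler):
    # Answers GET ...?username=<user>, the query the thread's PHP script reads.
    def do_GET(self):
        user = parse_qs(urlparse(self.path).query).get("username", [""])[0]
        payload = json.dumps(interrupt_response(user)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), InterruptHandler).serve_forever()
```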


[cas-user] CAS 5.3.5 Authorization Interrupt & REST

2018-10-29 Thread Shawn Cutting
Greetings.

I am looking for some sort of documentation or other source of help for how 
to properly use the Authorization Interrupt with a REST page response.  I 
am able to see the CAS server calling my REST application, and I am able to 
appropriately process the call on the application, and the result is a 
straight JSON file in the exact same syntax as the interrupt.json file.

If I use the same information that I am returning from my REST app in the 
json file, everything works like I would expect.  But the returned JSON 
does NOT follow the rules that are set in the json code.  It does recognize 
the specific user and only processes that user, but the rest of the rules 
are not followed.

Here is what I am returning (with example 'testuser'):

<?php

if ($_GET["username"] == "testuser"){
    header("HTTP/1.1 200 OK");
    header('Content-Type:application/json');

    $array = array("testuser" => array(
        "message" => "This is the announcement message that will tell people what to do",
        "links" => array(
            "Yahoo Link" => urlencode("https://www.yahoo.com"),
            "Google Link"  => urlencode("https://www.google.com")
        ),
        "block" => false,
        "ssoEnabled" => false,
        "interrupt" => true,
        "autoRedirect" => false,
        "autoRedirectAfterSeconds" => -1
    ));

    echo urldecode(json_encode($array));
}
?>

If I put this json layout into the interrupt.json file, it works as it 
should (the message appears, the links appear, etc).  But when I call this 
php file, it sees that testuser is the user in play and it does interrupt 
the login, but the content is the default interrupt information with no 
custom message, no links.


Has anyone had any success with the interrupt settings and REST?  Any help 
would be fabulous!

Shawn

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7329613a-c5f1-4a15-b9fd-340dfad68331%40apereo.org.