[cas-user] Re: CAS V5.3 with Zoom SSO???

2020-05-13 Thread William E.
We did with saml too, but with the Shibboleth "half" of our CAS+Shibboleth 
combined service.  If you are looking for guidance using CAS as saml IDP 
with it, sorry, can't help.

As for the integration, once you get it going, on the zoom side you can map 
attribute values to zoom roles.  And it auto-creates user account on first 
sso login to zoom.

-William

On Tuesday, May 12, 2020 at 4:37:03 PM UTC-5, Keith Alston (Staff) wrote:
>
> Anyone set up Zoom SSO with CAS?? Any pointers/tips??
>
> -Keith Alston
> kei...@regent.edu
> Regent University
> 757-619-3421
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/773af5d2-9d83-4f2c-b931-a3afbd02486a%40apereo.org.


[cas-user] Re: Chrome and samesite cookies

2020-02-27 Thread William E.
Not us.  Canvas is hosted with the vendor, our CAS is local, we're on 5.3.

-W


On Wednesday, February 26, 2020 at 12:13:47 PM UTC-6, ste...@rutgers.edu 
wrote:
>
> We received an email stating there are issues authenticating to our Canvas 
> instance due to the Chrome SameSite changes.  Has anyone else had issues?  
> Is there a fix for this?  We're running v3.6 at the moment, upgrading to 
> v5.3 within the next 6 months.
>
> thanks,
> ds
>
>



[cas-user] Re: Inquiring CAS commercial support

2019-09-10 Thread William E.
We have been using Unicon for a few years now. 
Misagh, who I consider the main CAS developer, works for them.  We're happy 
with their support.

-William


On Monday, September 9, 2019 at 1:38:05 PM UTC-5, Yan Zhou wrote:
>
> Hi,
>
> We use CAS 4.1.9 and CAS 5.3. It has been running well in PROD. We are in 
> the health-care industry and would like to look into commercial CAS support. 
>
> One of my biggest unknowns and fears is gaining visibility into the CAS ticket 
> registry, Hazelcast.  If some PROD users cannot log in, it seems that 
> usually this is because the ticket validation failed. It seems difficult 
> to gain visibility into troubleshooting that in PROD traffic.
>
> I am not sure whether I would be better off getting Hazelcast commercial 
> support or CAS commercial support. 
>
> I looked up the CAS documentation; the membership fee is for academic 
> organizations, so we do not qualify. With the list of commercial 
> organizations providing CAS support, does anyone have experience with any of them?
>
> Thx!
> Yan
>



[cas-user] Re: Signing is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceJwtTicketCipherExecutor] will attempt to produce plain objects

2019-08-09 Thread William E.
We're on 5.3.11.  Struggled with this as well, could never find a third 
party tool or library that could validate the jwt generated by cas.  I even 
contacted the maintainer of one of the python libs and he claims the cas 
generated JWT was invalid.  I was able to write my own java to validate 
based on code provided by cas:  
https://apereo.github.io/cas/5.3.x/installation/Configure-ServiceTicket-JWT.html

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=
cas.authn.token.crypto.encryption.key=


Snippet from service configured to return jwt.  Note pre-5.3, somewhere, 
the property name was jwtAsServiceTicket vs. jwtAsResponse.


  "properties" : {
    "@class" : "java.util.LinkedHashMap",
    "jwtAsResponse" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }




On Thursday, August 8, 2019 at 4:15:35 PM UTC-5, Drew Liscomb wrote:
>
> Also, this was working in 5.1.3, but, of course, with the 'old style' 
> properties, before the New Order with *.crypto.* was implemented.
>
> Drew
>



Re: [cas-user] Re: JWT without encryption key

2018-12-15 Thread William E.
I think you are seeing the discrepancy due to base64 vs. base64url 
decoding.  I think the jwt spec. wants base64 url vs. plain base64.

https://en.wikipedia.org/wiki/Base64#URL_applications


On Friday, December 14, 2018 at 9:37:45 AM UTC-6, Devendra Sisodia wrote:
>
> While decoding JWT there is error "Bad Base64 input character decimal 37 
> in array position 806" Which means 37(%) is not allowed in encoded base 64 
> string in JWT.
>
> My JWT looks like below and yellow highlighted is the 806th element that 
> cannot be base 64 decode. 
>
> eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlINTg3In0%3D.
> UmNz8ikEOFYqPgHRmZb1SK6A1pRFu48fSfYTasMGYHKtg7V8JepAfwunXwFeHsx5JTi4yKBug1Tq9PqfdY93lA
>
> On Fri, Dec 14, 2018 at 2:11 PM Giuseppe Infurna wrote:
>
>>
>> i'm using io.jsonwebtoken.jjwt library
>>
>> Jwts.parser().setSigningKey().parseClaimsJws();
>>
>>
>>
>> On Friday, 14 December 2018 at 14:02:14 UTC+1, Devendra Sisodia wrote:
>>>
>>> Hello,
>>>
>>> Big Thanks for sharing configuration and as a result JWT is not 
>>> encrypted and only signed. 
>>>
>>> But now I face strange issue. when I try to verify signature it fails. I 
>>> am using AES and single key to sign and JWT is generated. But the generate 
>>> JWT fails signature verification.
>>>
>>> JWT generated as below:
>>> 2018-12-14 12:33:00,684 DEBUG 
>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - >> http://localhost:/api] in service registry>
>>> 2018-12-14 12:33:00,685 DEBUG 
>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - >> signing and encryption keys for [http://localhost:/api] in service 
>>> registry>
>>> 2018-12-14 12:33:00,690 WARN 
>>> [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - >> enabled for [Token/JWT Tickets]. The cipher 
>>> [RegisteredServiceTokenTicketCipherExecutor] will only attempt to produce 
>>> signed objects>
>>> 2018-12-14 12:33:00,690 WARN 
>>> [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - >> enabled for [Token/JWT Tickets]. The cipher 
>>> [RegisteredServiceTokenTicketCipherExecutor] will attempt to produce plain 
>>> objects>
>>> 2018-12-14 12:33:00,690 DEBUG 
>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - >> default global keys for [http://localhost:/api]>
>>> 2018-12-14 12:33:00,734 DEBUG 
>>> [org.apereo.cas.authentication.principal.DefaultResponse] - >> for redirect response is [http://localhost:/api]>
>>> 2018-12-14 12:33:00,736 DEBUG 
>>> [org.apereo.cas.authentication.principal.DefaultResponse] - >> response is [
>>> http://localhost:/api?redirect=true=eyJhbGciOiJSUzUxMiJ9
>>>
>>> Verification code used is:
>>> final Key key = new AesKey(jwtSigning.getBytes(StandardCharsets.UTF_8));
>>>
>>> final JsonWebSignature jws = new JsonWebSignature();
>>> jws.setCompactSerialization(secureJwt);
>>> jws.setKey(key);
>>> if (!jws.verifySignature()) {
>>> throw new Exception("JWT verification failed");
>>> }
>>>
>>> On Thu, Dec 13, 2018 at 3:40 PM Giuseppe Infurna  
>>> wrote:
>>>

 yes


 ###Token/JWT Tickets ENCRYPTION
 cas.authn.token.crypto.enabled=true

 cas.authn.token.crypto.signing-enabled=true
 cas.authn.token.crypto.signing.key=
 Dkkpi7iUKqidOXXmeAbr4RyHirYmgQgqqUrIo6q_JPNks2iqX2l95jVVoZQDWLNiFnhQF43agCtdMxRnIXOO9g

 cas.authn.token.crypto.encryption-enabled=false
 cas.authn.token.crypto.encryption.key=

 and 

 {
   "@class" : "org.apereo.cas.services.RegexRegisteredService",
   "serviceId" : "^(http|https)://?localhost(:8081|:9060|:9000)?/.*",
   "name" : "myApplication",
   "theme" : "myApplication",
   "id" : 1003,
   "description" : "My Application",
   "evaluationOrder" : 1,
   "usernameAttributeProvider" : {
 "@class" : 
 "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
   },
   "attributeReleasePolicy" : {
 "@class" : 
 "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
   },
   "accessStrategy" : {
 "@class" : 
 "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
 "enabled" : true,
 "ssoEnabled" : true
   },
   "proxyPolicy" : {
 "@class" : 
 "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
 "pattern" : "^(http|https)?://.*"
   },
   "properties" : {
 "@class" : "java.util.HashMap",
 "jwtAsServiceTicket" : {
   "@class" : 
 "org.apereo.cas.services.DefaultRegisteredServiceProperty",
   "values" : [ "java.util.HashSet", [ "true" ] ]
 }
   }
 }



 On Thursday, 13 December 2018 at 14:55:49 UTC+1, Devendra Sisodia wrote:
>
> Sorry, but this does not work.
> What does your service (the one with the 'jwtAsServiceTicket' definition, etc.) 
> look like?
>
>
> On Thu, Dec 13, 2018 at 2:09 PM Giuseppe Infurna  
> wrote:
>
>> Hi all,
>>  I'm work fine with
>>
>> 

[cas-user] Decode nested JWT with Python

2018-12-05 Thread William E.
Has anyone tried to parse the nested JWT, JWS + JWE, produced by CAS 5.x?  
If so, would you mind posting a snippet please?  I've read that the 
python-jose library can check signatures but not decrypt the payload.  Been 
trying to use jwcrypto but can't seem to get the step put together in the 
correct order.  Admittedly, I am very new to python and may be just making 
newbie mistakes.

My understanding is the JWT from cas is header + encrypted payload with 
signature of these two combined, then all base64 encoded.  Using this 
doc showing java decode/decrypt as a guide: 
https://apereo.github.io/cas/development/installation/Configure-ServiceTicket-JWT.html#jwt-validation---aes


Our cas settings are as follows, keys omitted below.

cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=AES
cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true



My feeble attempts so far look something like this:

import base64
from jwcrypto import jwk, jwe, jws, jwt
from jwcrypto.common import json_encode, json_decode

token = 'eyJhbGciOiJIUzUxMiJ9.ZX' # the base64 jwt 

# signkeyStr / enckeyStr hold the cas.authn.token.crypto.signing.key and
# cas.authn.token.crypto.encryption.key values from cas.properties
signKey = jwk.JWK(kty='oct', k=signkeyStr)
encKey = jwk.JWK(kty='oct', k=enckeyStr)

E = jwe.JWE()
# deserialize and decrypt
E.deserialize(token)
E.decrypt(encKey)
raw_payload = E.payload



Which results in:

  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

jwcrypto.jwe.InvalidJWEData: Unknown Data Verification Failure

jwcrypto.jwe.InvalidJWEData: Invalid format {InvalidJWEData('Unknown Data 
Verification Failure')}



Thanks,

William
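
The three JWT threads above (third-party libraries rejecting the CAS-signed token, the base64 vs. base64url "%3D" discrepancy, and the nested signed-over-encrypted layout) come down to one mechanism. What follows is an added example, not code from the threads or from CAS: a standard-library Python verifier for the outer signed layer, written to match the Java verification snippet quoted above. It assumes that the HS512 key is the UTF-8 bytes of the cas.authn.token.crypto.signing.key string (not its base64url decoding, which is what a JWK library would derive) and that the payload segment is standard base64 with padding; the secret and claims are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed sample secret (NOT a real deployment key), in the shape the
# cas.authn.token.crypto.signing.key property holds: a base64url-looking string.
SAMPLE_SIGNING_SECRET = "constructed-sample-signing-key_NOT-a-real-deployment-secret_0123456789AB"


def b64_lenient_decode(segment: str) -> bytes:
    """Decode a segment that may be base64url without padding or standard
    base64 with '+', '/' and '=' (the thread's token carries '=' as '%3D')."""
    s = segment.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cas_signing_key(secret: str) -> bytes:
    # Mirrors the Java verifier quoted above: new AesKey(secret.getBytes(UTF_8)).
    # The property string itself is the HMAC key, not its base64url decoding.
    return secret.encode("utf-8")


def build_cas_style_jwt(claims: dict, secret: str) -> str:
    """Constructed token in the shape the thread shows: base64url header,
    standard base64 payload (hence '%3D' once it sits in a query string),
    HS512 over the two segments exactly as written."""
    header = b64url_encode(json.dumps({"alg": "HS512"}, separators=(",", ":")).encode())
    payload = base64.b64encode(json.dumps(claims, separators=(",", ":")).encode()).decode("ascii")
    mac = hmac.new(cas_signing_key(secret), f"{header}.{payload}".encode("ascii"), hashlib.sha512)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"


def signature_matches(token: str, key: bytes) -> bool:
    """Constant-time HS512 check over the compact form (already URL-decoded)."""
    header_seg, payload_seg, sig_seg = token.split(".")
    mac = hmac.new(key, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha512)
    return hmac.compare_digest(mac.digest(), b64_lenient_decode(sig_seg))


def verify_cas_jwt(raw_token: str, secret: str) -> bytes:
    """Verify a token as received in the redirect URL and return the signed
    payload bytes. Raises ValueError on malformed input or a bad signature."""
    token = unquote(raw_token)             # '%3D' -> '=' before any base64 work
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    try:
        header = json.loads(b64_lenient_decode(parts[0]))
        if header.get("alg") != "HS512":   # never let the token choose the algorithm
            raise ValueError(f"unexpected alg {header.get('alg')!r}")
        if not signature_matches(token, cas_signing_key(secret)):
            raise ValueError("HS512 signature verification failed")
        return b64_lenient_decode(parts[1])
    except (binascii.Error, UnicodeError) as exc:
        raise ValueError(f"undecodable segment: {exc}") from exc


def classify_payload(payload: bytes):
    """Signed-only tokens carry JSON claims. With encryptionEnabled=true the
    signed payload is itself a 5-segment JWE compact string, to be decrypted
    with the encryption key afterwards (needs an AES library; not shown)."""
    text = payload.decode("utf-8")
    if text.count(".") == 4 and not text.startswith("{"):
        return "jwe", text
    return "claims", json.loads(text)


def demo() -> dict:
    claims = {"sub": "casuser", "iss": "https://cas.example.org/cas"}  # constructed
    token = build_cas_style_jwt(claims, SAMPLE_SIGNING_SECRET)
    as_query_param = quote(token, safe=".")  # what the client app sees: '=' is '%3D'
    kind, value = classify_payload(verify_cas_jwt(as_query_param, SAMPLE_SIGNING_SECRET))
    return value if kind == "claims" else {}


def jwk_style_key_fails() -> bool:
    """A JWK-aware library base64url-decodes 'k' before use; that key does not
    verify a CAS token, which is the mismatch reported in the threads above."""
    token = build_cas_style_jwt({"sub": "casuser"}, SAMPLE_SIGNING_SECRET)
    return (signature_matches(token, cas_signing_key(SAMPLE_SIGNING_SECRET))
            and not signature_matches(token, b64_lenient_decode(SAMPLE_SIGNING_SECRET)))


def rejects_wrong_secret() -> bool:
    token = build_cas_style_jwt({"sub": "casuser"}, SAMPLE_SIGNING_SECRET)
    try:
        verify_cas_jwt(token, "some-other-constructed-secret")
    except ValueError:
        return True
    return False
```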




[cas-user] Re: encryption and signing key generation

2018-09-13 Thread William E.
If you enable jwt in cas.properties by defining these two properties:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true


But leave these commented out:

cas.authn.token.crypto.signing.key
cas.authn.token.crypto.encryption.key


Your catalina.out should log the generation of both keys, different each 
time you start the app of course.  I would just grab the values, then 
define in your cas.properties, then restart tomcat.

Log lines to look for:

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 


WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 


-W

On Thursday, September 13, 2018 at 3:01:26 PM UTC-5, Curtis Ruck wrote:
>
> The problem is due to the chicken and egg issue.  I need to prepopulate 
> the cas.properties, so the service can start up and work (without human 
> intervention).  I'm trying my best to avoid having to start a service, 
> parse the logs, and modify config, then restart the service.  The 
> documentation seems very light on these keys.
>
> On Thursday, September 13, 2018 at 10:03:02 AM UTC-4, William E. wrote:
>>
>> +1
>>
>> I ended up grabbing values from the cas startup logs and setting in my 
>> cas.properties.  Seems to work.
>>
>>
>> On Wednesday, September 12, 2018 at 3:34:32 PM UTC-5, Curtis Ruck wrote:
>>>
>>> So i'm trying to automate the generation and persistence of the 
>>> cas.tgc.crypto and cas.webflow.crypto encryption and signing keys.
>>>
>>> I'm using the jwk-gen.jar, and when i store the key in cas.properties, 
>>> i end up with "Invalid AES key length: 43 bytes" when trying to access the 
>>> login page.
>>>
>>>
>>> If I let CAS generate a key, its the same exact string length (43 
>>> bytes). What is different between my key versus cas's generated keys? Then 
>>> i'm extracting the k value from the json, and inserting it into my 
>>> cas.properties.
>>>
>>> java -jar jwk-gen.jar -t oct 256 -o tgc-enc.jwks
>>> java -jar jwk-gen.jar -t oct 512 -o tgc-sig.jwks
>>> java -jar jwk-gen.jar -t oct 256 -o webflow-enc.jwks
>>> java -jar jwk-gen.jar -t oct 512 -o webflow-sig.jwks
>>>
>>



[cas-user] Re: encryption and signing key generation

2018-09-13 Thread William E.
+1

I ended up grabbing values from the cas startup logs and setting in my 
cas.properties.  Seems to work.


On Wednesday, September 12, 2018 at 3:34:32 PM UTC-5, Curtis Ruck wrote:
>
> So i'm trying to automate the generation and persistence of the 
> cas.tgc.crypto and cas.webflow.crypto encryption and signing keys.
>
> I'm using the jwk-gen.jar, and when i store the key in cas.properties, i 
> end up with "Invalid AES key length: 43 bytes" when trying to access the 
> login page.
>
>
> If I let CAS generate a key, its the same exact string length (43 bytes). 
> What is different between my key versus cas's generated keys? Then i'm 
> extracting the k value from the json, and inserting it into my 
> cas.properties.
>
> java -jar jwk-gen.jar -t oct 256 -o tgc-enc.jwks
> java -jar jwk-gen.jar -t oct 512 -o tgc-sig.jwks
> java -jar jwk-gen.jar -t oct 256 -o webflow-enc.jwks
> java -jar jwk-gen.jar -t oct 512 -o webflow-sig.jwks
>



[cas-user] banner 8 via ssomanager and cas intermittent error

2018-08-03 Thread William E.
We upgraded cas from 5.2 to 5.3 last night.  Today almost everything is 
working fine except banner 8 sso logins via ellucian's ssomanager(circa 
2013 version).  We're sporadically seeing the below trace in the browser.  
I'm suspecting the 2013 ssomanager app from ellucian is running an outdated 
cas client jar and upgrading it will fix us.  Anyone else seen this issue?

Error 500--Internal Server Error

org.jasig.cas.client.validation.TicketValidationException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 243; cvc-datatype-valid.1.2.1: '27b0904a-b383-4325-8b62-997b606893cd' is not a valid value for 'NCName'.
	at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:94)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
	at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
	at com.ellucian.sso.client.web.filter.SSOValidationFilter.doFilter(Unknown Source)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
	at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
	at com.ellucian.sso.client.web.filter.QueryParamStorageFilter.doFilter(Unknown Source)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
	at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
	at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
	at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
	at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
	at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
	at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
	at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
	at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
	at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
	at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 243; cvc-datatype-valid.1.2.1: '27b0904a-b383-4325-8b62-997b606893cd' is not a valid value for 'NCName'.
	at org.opensaml.SAMLObject.fromStream(Unknown Source)
	at org.opensaml.SAMLResponse.<init>(Unknown Source)
	at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:50)
	... 21 more
Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 243; cvc-datatype-valid.1.2.1: '27b0904a-b383-4325-8b62-997b606893cd' is not a valid value for 'NCName'.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:198)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:437)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:368)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:325)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:458)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3237)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processOneAttribute(XMLSchemaValidator.java:2832)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processAttributes(XMLSchemaValidator.java:2769)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:2056)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:746)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:379)
	at 
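
An added illustration, not part of the post: the identifier the trace rejects begins with a digit, which the XML schema type NCName does not allow as the first character of an ID. The check below is constructed (a Python regex and a constructed SAML 1.1 response, not the Xerces validator in the trace), and the intermittency reading is my inference, not the poster's: a randomly generated hex identifier starts with a digit ten times out of sixteen.

```python
import re
import xml.etree.ElementTree as ET

# NCName (XML Namespaces): an XML Name with no colon. Its first character may
# be a letter or '_' but not a digit, '-' or '.'. This ASCII form is enough for
# hex UUIDs; the real check in the trace is done by the Xerces schema validator.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

# The identifier the stack trace rejects.
ID_FROM_TRACE = "27b0904a-b383-4325-8b62-997b606893cd"

# Constructed minimal SAML 1.1 response carrying that ID (not a capture).
SAMPLE_RESPONSE = (
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
    f'ResponseID="{ID_FROM_TRACE}" IssueInstant="2018-08-03T12:00:00Z" '
    'MajorVersion="1" MinorVersion="1">'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_f0e1d2c3-constructed" MajorVersion="1" MinorVersion="1" '
    'Issuer="cas.example.org" IssueInstant="2018-08-03T12:00:00Z"/>'
    '</Response>'
)

# Attributes typed as xsd:ID (hence NCName) in the SAML 1.1 schemas.
ID_ATTRIBUTES = ("ResponseID", "AssertionID", "InResponseTo")


def is_ncname(value: str) -> bool:
    return bool(_NCNAME.match(value))


def hex_uuid_first_chars_rejected() -> int:
    """How many of the 16 hex digits a random UUID can start with make it an
    invalid NCName: the ten decimal digits do, a-f do not. A uniformly random
    UUID therefore fails 10 times in 16, which would look intermittent."""
    return sum(1 for c in "0123456789abcdef" if not is_ncname(c + ID_FROM_TRACE[1:]))


def ncname_problems(saml_xml: str) -> list:
    """List (element, attribute, value) for every ID-typed attribute that a
    schema-validating client such as Saml11TicketValidator would reject."""
    problems = []
    for elem in ET.fromstring(saml_xml).iter():
        local_name = elem.tag.rsplit("}", 1)[-1]   # strip the namespace URI
        for attr in ID_ATTRIBUTES:
            value = elem.get(attr)
            if value is not None and not is_ncname(value):
                problems.append((local_name, attr, value))
    return problems
```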

Re: [cas-user] Re: JSON Service Registry cas.serviceRegistry.config.location property setting ineffective after upgrading to CAS version 5.2

2018-04-22 Thread William E.
Your service provided in this thread:

"serviceId" : "^(https|imaps|http)://.*"

Will not match with a port specified.  Try instead:

"serviceId" : "^(https|imaps|http)://.*:8443/.*"

-W


On Saturday, April 21, 2018 at 8:44:17 PM UTC-5, IOTech Co., Ltd wrote:
>
> i have got error...please help me on this bug. Thanks
>
> Unauthorized Service Access. Service [https://cas01.example.org:8443/cas] 
> is not found in service registry.
>
> 2018-04-22 1:07 GMT+07:00 David Curry:
>
>> cas.serviceRegistry.json.location
>>
>>
>>
>> David A. Curry,  CISSP
>> Director of Information Security
>> The New School - Information Technology
>> 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 
>> 
>> +1 212 229-5300 x4728 ~ david...@newschool.edu 
>> Sent from my phone; please excuse typos and inane auto-corrections.
>> 
>>
>> On Sat, Apr 21, 2018, 13:14 IOTech Co., Ltd wrote:
>>
>>> i has config as below...but it not work, please help me
>>>
>>>
>>> cas.serviceRegistry.location=file:/etc/cas/services
>>>
>>>
>>>
>>> 2018-04-21 20:59 GMT+07:00 David Curry:
>>>
 This was answered earlier in this thread. You have the wrong property 
 name. It changed between 5.1 and 5.2 to:

 cas.serviceRegistry.json.location: file:/etc/cas/services 

 If you're moving from one version to another, I strongly recommend 
 carefully reading the "ChangeLog" blog posts that Misagh writes for every 
 release candidate before you start. He's pretty good at documenting all the 
 changes, especially the ones that might cause an older configuration to 
 break.

 Go here: https://github.com/apereo/cas/releases/tag/v5.2.0 and click 
 on "RC1," "RC2," "RC3," and "RC4" (the change above is documented in 
 "RC2").

 --Dave


 --

 DAVID A. CURRY, CISSP
 *DIRECTOR OF INFORMATION SECURITY*
 INFORMATION TECHNOLOGY

 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
 
 +1 212 229-5300 x4728 • david.cu...@newschool.edu 


 On Sat, Apr 21, 2018 at 9:26 AM, IOTech Co., Ltd  wrote:

> I updated my test sever from CAS v5.1.4 to v5.2.0, and my 
> configruation is no longer reading my *.json files from my external file 
> location.
>
> On Saturday, 21 April 2018 at 20:24:46 UTC+7, IOTech Co., Ltd wrote:
>
>> please help me :
>>
>> #
>> # Service Registry
>> #
>> cas.serviceRegistry.watcherEnabled=true
>> cas.serviceRegistry.repeatInterval=12
>> cas.serviceRegistry.startDelay=15000
>> cas.serviceRegistry.initFromJson=false
>> cas.serviceRegistry.config.location=file:/etc/cas/services
>>
>>
>> *serviceTicket ST-1-5b-doeKww5fM0PDeSvpMPGxk2ak-longtran
>> 200
>> 
>> 
>> admin
>> 
>> *
>>
>>
>>
>>
>> On Tuesday, 19 December 2017 at 03:37:16 UTC+7, crdaudt wrote:
>>>
>>> I updated my test sever from CAS v5.1.4 to v5.2.0, and my 
>>> configruation is no longer reading my *.json files from my external 
>>> file 
>>> location.  Here are my relevant property settings:
>>>
>>> #
>>> # Service Registry
>>> #
>>> cas.serviceRegistry.watcherEnabled=true
>>> cas.serviceRegistry.initFromJson=true
>>> cas.serviceRegistry.config.location=file:///etc/cas/services
>>>
>>> I have the following dependency set in pom.xml:
>>>
>>> <dependency>
>>>   <groupId>org.apereo.cas</groupId>
>>>   <artifactId>cas-server-support-json-service-registry</artifactId>
>>>   <version>${cas.version}</version>
>>> </dependency>
>>>
>>> The /etc/cas/services/ directory and json files within it are owned 
>>> by tomcat.
>>>
>>> Nevertheless, the only services loaded are the *.json files located 
>>> in classpath:/services.  On the other hand, if I redeploy the cas.war 
>>> file 
>>> for v5.1.4 and restart tomcat, my JSON files in /etc/cas/services are 
>>> loaded as I would expect.
>>>
>>> Any ideas?
>>>
>>> I have attached copies of my cas.log (with debug enabled), pom.xml, 
>>> and cas.properties.  Thanks in advance for any help with this.
>>>

[cas-user] Re: CAS JWT/JWK oddities

2018-04-19 Thread William E.
I feel ya...  :-)

My biggest concern at the moment, as others have posted about here as well, 
is the jwt is a url parameter when passed back to the client app.  I would 
much rather it be a header or cookie or post param or anything really 
because my concern is until the jwt expiration time anyone who has access 
to the apache logs, syslogs, etc. of the cas server or the server hosting 
the client app, or has access to the network logs, or sniff the traffic in 
some way, could grab that url parameter and masquerade as that user to the 
client app.

I'm looking at the cas source code in hopes that I can make this an 
option(and make a pull request) but being a non-spring java developer my 
head is currently exploding with all the spring/lombok/etc. "magic" I am 
having to learn.  Not to mention the large amount of highly modularized 
code.  It's looks well written and well commented, it's just a lot to take 
in.  Importing it into eclipse created about a hundred or so source folders 
I am currently perusing.  Argh.



On Wednesday, April 18, 2018 at 7:21:43 AM UTC-5, Karl Banke wrote:
>
> Hello there,
>
> I am using CAS 5.2 and have spent a long time (which translates to a lot 
> of money) on getting JWT Service Tickets to work. 
>
> The CAS documentation states here 
>
>
> https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
>  
> that this should be configured using the 
>
> jwtAsServiceTicket Property
>
> It also states here 
>
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#jwt-tickets
>
> that the signing key is a JWK 
>
> My findings so far: 
>
> JWT service tickets do not work at all in CAS 5.2.0. They work in 5.2.4.
>
> But there are some weired "limitations" that I only figured out running CAS 
> inside my debugger. 
>
> (a) The property name is wrong. The property that actually leads to anything 
> happening is jwtAsResponse, as others have pointed out in this community.
>
> But even thenI would like to sign my JWTs with a public RSA key in order 
> to allow Single Page Web Applications to validate the keys. 
>
> (b) When trying to read the private key, the code does never look for a JWK, 
> but - in PrivateKeyFactoryBean - tries to parse a PEM file.
> (c) Even if one is lucky enough to eventually have a RSA key inside the 
> privateKey by supplying a PEM file, you run in trouble because.
> -- taataaa --
> the AbstractCipherExecutor calls a hardcoded method called 
> EncodingUtils.signJwsHMACSha512
> (d) If you chose not to encrypt the JWT payload, you may rest assured that 
> you get another problem, because someone chose to Base64 encode the payload 
> twice rather than once. 
>
>
> I have also considered using the OpenID Connect flow instead of the JWT 
> Service tokens, but since this is a much more complicated interface my 
> expectation 
> is that it's implementation is even more broken and its documentation more 
> inaccurate. 
>
> Sorry for the rant, but I am really about to lose patience with CAS that 
> used to be a very usable, well documented and extensible tool. 
>
>
>



[cas-user] Re: CAS 5.2 return JWT for service

2018-04-13 Thread William E.
Posting resolution in hopes it may help someone else out.

In cas 5.2 you are supposed to use the jwt property jwtAsServiceTicket but 
it looks like there may be a bug in cas where you need to use the 
(deprecated) jwtAsResponse instead.

  "properties" : {
    "@class" : "java.util.HashMap",
    "jwtAsResponse" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }



Additionally, my bad on this one from misunderstanding the cas documents: 
cas.authn.token.crypto.encryption.key and cas.authn.token.crypto.signing.key 
accept key values directly, not file paths to files containing the keys.  

Anyway, much thanks to Paul at Unicon for all his help.  Support money well 
spent.


-William


On Wednesday, April 11, 2018 at 5:40:16 PM UTC-5, William E. wrote:
>
> Hi all,
>
>
> I am trying to follow the CAS docs to configure a service to return jwt's 
> but not having much success. 
>
> Docs I am reading on this:
>
>  
> https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
>  
>  https://apereo.github.io/2017/10/17/cas-jwt-authn-with-duo/ (JWT Service 
> Tickets portion)
>
>
> My cas.properties has:
>
> cas.authn.token.crypto.enabled=true
> cas.authn.token.crypto.encryptionEnabled=true
> cas.authn.token.crypto.signing.key=/etc/cas/config/token-signing.jwk
> cas.authn.token.crypto.signing.keySize=512
> cas.authn.token.crypto.encryption.key=/etc/cas/config/token-encryption.jwk
> cas.authn.token.crypto.encryption.keySize=256
> cas.authn.token.crypto.alg=AES
>
>
> jwk's generated per docs:
>
> wget https://raw.githubusercontent.com/apereo/cas/master/etc/jwk-gen.jar
> java -jar jwk-gen.jar -t oct -s 512 >/etc/cas/config/token-signing.jwk
> java -jar jwk-gen.jar -t oct -s 256 >/etc/cas/config/token-encryption.jwk
>
> $ file /etc/cas/config/token*
> /etc/cas/config/token-encryption.jwk: ASCII text
> /etc/cas/config/token-signing.jwk: ASCII text
>
>
> Using maven overlay, my pom.xml has the rest snippet:
>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-token-tickets</artifactId>
>   <version>${cas.version}</version>
> </dependency>
>
>
> My service has the jwt as ticket property:
>
> properties:
> {
> @class: java.util.LinkedHashMap
> jwtAsServiceTicket:
> {
> @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
> values:
> [
> java.util.HashSet
> [
> "true"
> ]
> ]
> }
> }
>
> In the CAS CLI I can generate a jwt that appears valid. But when I use my 
> service via web browser I see no header or cookie referencing a ticket with 
> JWT- prefix, nor a jwt formatted base64 string, I just see the normal ST- 
> ticket. I'm using a simple tomcat webapp with cas client filters and 
> java-cas-client 3.5.0. 
>
> Anyone made JWT's work yet for cas 5.2.3?  Any idea what step I missed?
>
> Thanks,
> William
>
>
>

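A quick way to catch the two mistakes this thread resolved (a file path where the key value belongs, and a key whose length does not match keySize) is to lint cas.properties before starting CAS. The following is an added example, not code from the thread or from the CAS project. It assumes that cas.authn.token.crypto.*.key holds the base64url `k` member of an oct JWK, and that the .jwk file written by the jwk-gen invocation quoted above is a JSON JWK with `kty` and `k` members; the properties fragment inside it is constructed for the example.

```python
"""Check CAS token-crypto key settings (added example, not CAS project code)."""
import base64
import json
import re
import secrets

# Assumption: cas.authn.token.crypto.*.key holds the base64url 'k' value of an
# oct JWK, which is what jwk-gen -t oct writes into its JSON output.
B64URL = re.compile(r"^[A-Za-z0-9_-]+$")
PREFIX = "cas.authn.token.crypto."


def parse_properties(text):
    """Minimal .properties reader: 'key=value' or 'key: value', '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=:]+)[=:](.*)", line)
        if m:
            props[m.group(1).strip()] = m.group(2).strip()
    return props


def generate_oct_key(bits):
    """Fresh random symmetric key as unpadded base64url (the 'k' of an oct JWK)."""
    raw = secrets.token_bytes(bits // 8)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def oct_jwk(bits):
    """JWK document in the (assumed) shape jwk-gen writes to the .jwk file."""
    return json.dumps({"kty": "oct", "k": generate_oct_key(bits)})


def key_from_jwk(jwk_text):
    """The value to put in the CAS property: the JWK's 'k', not the file's path."""
    jwk = json.loads(jwk_text)
    if jwk.get("kty") != "oct" or "k" not in jwk:
        raise ValueError("not a symmetric (oct) JWK")
    return jwk["k"]


def key_bits(value):
    """Bit length of a base64url key value, or None if it is not base64url."""
    if not value or not B64URL.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


def check_token_crypto(props):
    """Return human-readable findings for the signing and encryption keys."""
    findings = []
    # This checker treats an absent 'enabled' as disabled; CAS's own default may differ.
    if props.get(PREFIX + "enabled", "false").lower() != "true":
        return ["token crypto is disabled; service tickets will not be issued as JWTs"]
    purposes = ["signing"]
    if props.get(PREFIX + "encryptionEnabled", "true").lower() == "true":
        purposes.append("encryption")
    for purpose in purposes:
        key_name = f"{PREFIX}{purpose}.key"
        size_name = f"{PREFIX}{purpose}.keySize"
        value = props.get(key_name, "")
        if not value:
            findings.append(f"{key_name} is not set")
        elif value.startswith(("/", "file:", "classpath:")) or value.endswith(".jwk"):
            findings.append(f"{key_name} looks like a file path; the setting takes the key value itself")
        else:
            bits = key_bits(value)
            expected = int(props.get(size_name, "0"))
            if bits is None:
                findings.append(f"{key_name} is not a base64url value")
            elif expected and bits != expected:
                findings.append(f"{key_name} is {bits} bits but {size_name}={expected}")
    return findings


# Constructed cas.properties fragment: the signing key is given as a file path
# (the mistake discussed in the thread), the encryption key is a proper value.
SAMPLE_PROPERTIES = (
    "cas.authn.token.crypto.enabled=true\n"
    "cas.authn.token.crypto.encryptionEnabled=true\n"
    "cas.authn.token.crypto.signing.key=/etc/cas/config/token-signing.jwk\n"
    "cas.authn.token.crypto.signing.keySize=512\n"
    f"cas.authn.token.crypto.encryption.key={generate_oct_key(256)}\n"
    "cas.authn.token.crypto.encryption.keySize=256\n"
    "cas.authn.token.crypto.alg=AES\n"
)


def sample_findings():
    return check_token_crypto(parse_properties(SAMPLE_PROPERTIES))


if __name__ == "__main__":
    for finding in sample_findings():
        print("finding:", finding)
    # What the signing key line should have contained instead of the path:
    print("signing.key=" + key_from_jwk(oct_jwk(512)))
```

Running it reports the signing key as a path and accepts the encryption key; swapping a 256-bit value into the signing slot while keySize stays 512 produces a size-mismatch finding instead, which is the other way these two settings silently disagree.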


Re: [cas-user] Re: CAS 5.2 login with UPN removing domain

2018-04-12 Thread William E.
Try this:

cas.authn.ldap[0].principalAttributeList=uid,userprincipalname

Instead of this:

cas.authn.ldap[0].principalAttributeId=userprincipalname

-William



On Thursday, April 12, 2018 at 2:40:00 AM UTC-5, dag wrote:
>
> Thanks for your comment William.
>
>
> I've in cas.properties:
>
> cas.authn.ldap[0].userFilter=(|(uid={user})(userprincipalname={user}))
> cas.authn.ldap[0].principalAttributeId=userprincipalname
>
> It seems upn is not allowed in this version. Anyway, the filter isn't 
> working. I still have to type user@domain to log in :(
>
> Any other trick please?
>
>
> Regards.
>
>
> 2018-04-12 0:42 GMT+02:00 William E. <wre...@uah.edu >:
>
>> We use ldap and used an ldap filter on uid or'ed with upn.  Ldap search 
>> syntax.
>>
>> Like so:
>>
>> cas.authn.ldap[0].userFilter=(|(uid={user})(upn={user}))
>>
>>
>> -William
>>
>>
>>
>> On Wednesday, April 11, 2018 at 10:26:10 AM UTC-5, dag wrote:
>>>
>>> Hi all,
>>>
>>> I've configured Apereo CAS 5.2, and it's running fine using UPN.
>>> However, is there any parameter to include in the cas.properties config file 
>>> to allow authentication through UPN without typing the domain name?
>>>
>>> Thanks in advance.
>>>
>>>
>>> Regards.
>>>
>>
>
>



Re: [cas-user] CAS-Management - Bottle at the sea - Need advice or help

2018-04-12 Thread William E.
I see your pom.xml has the ldap module, but I do not see your ldap properties.  
Did I miss it?  Sorry if so.

The log makes me think cas is trying to do an ldap lookup and all of the 
properties it needs are not defined.  Do you have all of these in your 
cas.properties?

# Authentication
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.edu:636
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=ou=People,dc=uah,dc=edu
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=uid=cas,ou=people,dc=example,dc=edu
cas.authn.ldap[0].bindCredential=

# Attribute resolution
cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ldap.example.edu:636
cas.authn.attributeRepository.ldap[0].useSsl=true
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].baseDn=ou=People,dc=example,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn=uid=cas,ou=People,dc=example,dc=edu
cas.authn.attributeRepository.ldap[0].bindCredential=
cas.authn.attributeRepository.ldap[0].userFilter=uid={user}
#
cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.ou=ou
cas.authn.attributeRepository.ldap[0].attributes.o=o
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
.


-W


On Thursday, April 12, 2018 at 3:32:55 AM UTC-5, Olivier Calzi wrote:
>
> Hi William,
>
> As I showed in my configuration on my first post, I have the same ldap 
> configuration in the management.properties and the cas.properties.
> What do you mean exactly?
>
> Thanks
>
> On Thursday, April 12, 2018 at 4:23:36 AM UTC+2, William E. wrote:
>>
>> This makes me think you have a bad ldap search filter in your .properties 
>> file, or maybe ldap support partially configured.
>>
>> Caused by: java.lang.NullPointerException
>> at 
>> org.apereo.cas.util.LdapUtils.lambda$newLdaptiveSearchFilter$2(LdapUtils.java:531)
>>  
>> ~[cas-server-support-ldap-core-5.2.2.jar:5.2.2]
>>
>>
>>
>> On Monday, April 9, 2018 at 2:05:47 AM UTC-5, Olivier Calzi wrote:
>>>
>>> Hi,
>>>
>>> No, as it's behind an haproxy I'm using 443.
>>>
>>> Here you will find more logs which may have the lost key to this problem.
>>>
>>>> 2018-04-09 08:54:00,851 ERROR 
>>>> [org.apereo.cas.mgmt.services.web.AbstractManagementController] - 
>>>> 
>>>> org.pac4j.core.exception.TechnicalException: 
>>>> java.lang.NullPointerException
>>>> at 
>>>> org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:168)
>>>>  
>>>> ~[pac4j-core-2.2.0.jar:?]
>>>> at 
>>>> org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:65)
>>>>  
>>>> ~[spring-webmvc-pac4j-2.0.0.jar:?]
>>>> at 
>>>> org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:133)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at 
>>>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:962)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at 
>>>> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at 
>>>> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at 
>>>> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) 
>>>> ~[servlet-api-3.1.jar:?]
>>>> at 
>>>> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) 
>>>> ~[servlet-api-3.1.jar:?]
>>>> at 
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>  
>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]

Re: [cas-user] CAS-Management - Bottle at the sea - Need advice or help

2018-04-11 Thread William E.
This makes me think you have a bad ldap search filter in your .properties 
file, or maybe ldap support partially configured.

Caused by: java.lang.NullPointerException
at 
org.apereo.cas.util.LdapUtils.lambda$newLdaptiveSearchFilter$2(LdapUtils.java:531)
 
~[cas-server-support-ldap-core-5.2.2.jar:5.2.2]



On Monday, April 9, 2018 at 2:05:47 AM UTC-5, Olivier Calzi wrote:
>
> Hi,
>
> No, as it's behind an haproxy I'm using 443.
>
> Here you will find more logs which may have the lost key to this problem.
>
>> 2018-04-09 08:54:00,851 ERROR 
>> [org.apereo.cas.mgmt.services.web.AbstractManagementController] - 
>> 
>> org.pac4j.core.exception.TechnicalException: 
>> java.lang.NullPointerException
>> at 
>> org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:168)
>>  
>> ~[pac4j-core-2.2.0.jar:?]
>> at 
>> org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:65)
>>  
>> ~[spring-webmvc-pac4j-2.0.0.jar:?]
>> at 
>> org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:133)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:962)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) 
>> ~[servlet-api-3.1.jar:?]
>> at 
>> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) 
>> ~[servlet-api-3.1.jar:?]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) 
>> ~[tomcat8-websocket-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.springframework.boot.web.filter.ApplicationContextHeaderFilter.doFilterInternal(ApplicationContextHeaderFilter.java:55)
>>  
>> ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
>> at 
>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>  
>> ~[spring-web-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66)
>>  
>> ~[inspektr-common-1.8.0.GA.jar:1.8.0.GA]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110)
>>  
>> ~[spring-boot-actuator-1.5.8.RELEASE.jar:1.5.8.RELEASE]
>> at 
>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>  
>> ~[spring-web-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
>>  
>> ~[spring-web-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>  
>> 

[cas-user] Re: CAS 5.2 login with UPN removing domain

2018-04-11 Thread William E.
We use ldap and used an ldap filter on uid or'ed with upn.  Ldap search 
syntax.

Like so:

cas.authn.ldap[0].userFilter=(|(uid={user})(upn={user}))


-William



On Wednesday, April 11, 2018 at 10:26:10 AM UTC-5, dag wrote:
>
> Hi all,
>
> I've configured Apereo CAS 5.2, and it's running fine using UPN.
> However, is there any parameter to include in the cas.properties config file to 
> allow authentication through UPN without typing the domain name?
>
> Thanks in advance.
>
>
> Regards.
>

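To see what the OR'ed filter does to a login name, and why the `{user}` substitution has to be escaped the way an LDAP client library such as ldaptive should do it, here is a toy evaluator. It is an added example, not CAS or ldaptive code, and it also covers the earlier follow-up on this page that suggests principalAttributeList over principalAttributeId: resolve_principal shows which attribute becomes the principal id once an entry matches. The directory entries and the attribute name userprincipalname are constructed for the example; the filter parser handles only equality, wildcard, and the &, |, ! operators.

```python
"""Evaluate a CAS userFilter template against an in-memory directory
(added example; not CAS or ldaptive code)."""
import re

# Constructed directory standing in for the LDAP server; attribute names
# are lower-cased, values are lists because LDAP attributes are multivalued.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=edu",
     "uid": ["jdoe"], "userprincipalname": ["jdoe@example.edu"],
     "memberof": ["cn=staff,ou=Groups,dc=example,dc=edu"]},
    {"dn": "uid=asmith,ou=People,dc=example,dc=edu",
     "uid": ["asmith"], "userprincipalname": ["asmith@example.edu"],
     "memberof": []},
]

UPN_OR_UID = "(|(uid={user})(userprincipalname={user}))"


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render_user_filter(template, user, escape=True):
    """Substitute {user}; escape=False shows why a client must escape."""
    return template.replace("{user}", escape_filter_value(user) if escape else user)


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _parse(s):
    """Parse one filter item; returns (node, remaining text)."""
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("missing ')' in compound filter")
        return (op, children), s[1:]
    end = s.index(")")  # ')' inside values is escaped, so this one closes the item
    attr, _, value = s[:end].partition("=")
    parts = [_unescape(p) for p in value.split("*")]  # an unescaped '*' is a wildcard
    return ("=", attr.strip().lower(), parts), s[end + 1:]


def parse_filter(text):
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: " + rest)
    return node


def _value_matches(parts, candidate):
    if len(parts) == 1:  # no wildcard: exact, case-insensitive like caseIgnoreMatch
        return candidate.lower() == parts[0].lower()
    pattern = "^" + ".*".join(re.escape(p) for p in parts) + "$"
    return re.match(pattern, candidate, re.IGNORECASE) is not None


def matches(node, entry):
    op = node[0]
    if op == "=":
        return any(_value_matches(node[2], v) for v in entry.get(node[1], []))
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)  # '!'


def search(template, user, escape=True, directory=DIRECTORY):
    """DNs matched by the rendered userFilter; CAS needs exactly one hit."""
    node = parse_filter(render_user_filter(template, user, escape))
    return [e["dn"] for e in directory if matches(node, e)]


def resolve_principal(template, user, principal_attribute="uid"):
    """Principal id CAS would use (principalAttributeId) for a login name."""
    hits = [e for e in DIRECTORY if e["dn"] in search(template, user)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries matched for {user!r}")
    return hits[0][principal_attribute][0]


if __name__ == "__main__":
    for login in ("jdoe", "jdoe@example.edu", "asmith@example.edu", "*"):
        print(f"{login:>20} -> {search(UPN_OR_UID, login)}")
    print("principal for jdoe@example.edu:", resolve_principal(UPN_OR_UID, "jdoe@example.edu"))
    print("unescaped '*' matches:", search(UPN_OR_UID, "*", escape=False))
```

Run it and the same entry is found for jdoe and jdoe@example.edu, while a plain uid filter finds nothing for the UPN form, which is the OP's symptom. With escaping off, a login of * matches every entry; that wildcard is what the escaping neutralises, and it is also why a filter that matches more than one entry is a failure CAS should refuse rather than pick from.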


[cas-user] CAS 5.2 return JWT for service

2018-04-11 Thread William E.
Hi all,


I am trying to follow the CAS docs to configure a service to return jwt's 
but not having much success. 

Docs I am reading on this:

 
https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
 
 https://apereo.github.io/2017/10/17/cas-jwt-authn-with-duo/ (JWT Service 
Tickets portion)


My cas.properties has:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=/etc/cas/config/token-signing.jwk
cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.key=/etc/cas/config/token-encryption.jwk
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=AES


jwk's generated per docs:

wget https://raw.githubusercontent.com/apereo/cas/master/etc/jwk-gen.jar
java -jar jwk-gen.jar -t oct -s 512 >/etc/cas/config/token-signing.jwk
java -jar jwk-gen.jar -t oct -s 256 >/etc/cas/config/token-encryption.jwk

$ file /etc/cas/config/token*
/etc/cas/config/token-encryption.jwk: ASCII text
/etc/cas/config/token-signing.jwk: ASCII text


Using maven overlay, my pom.xml has the rest snippet:

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-token-tickets</artifactId>
  <version>${cas.version}</version>
</dependency>


My service has the jwt as ticket property:

properties:
{
@class: java.util.LinkedHashMap
jwtAsServiceTicket:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceProperty
values:
[
java.util.HashSet
[
"true"
]
]
}
}

In the CAS CLI I can generate a jwt that appears valid. But when I use my 
service via web browser I see no header or cookie referencing a ticket with 
JWT- prefix, nor a jwt formatted base64 string, I just see the normal ST- 
ticket. I'm using a simple tomcat webapp with cas client filters and 
java-cas-client 3.5.0. 

Anyone made JWT's work yet for cas 5.2.3?  Any idea what step I missed?

Thanks,
William




Re: [cas-user] java 1.62 - JCE Unlimited Strength Jurisdiction Policy

2018-04-10 Thread William E.
I think I've resolved it and it appears to be unrelated to the JCE libs.  
Using jdk 1.8.162 as-is, with #crypto.policy=unlimited commented out as 
delivered.

I was using cas-management to add the jwt properties and added one too 
many.  When my service has the below, it works without jce error:

.
  properties:
  {
@class: java.util.LinkedHashMap
jwtAsServiceTicket:
{
  @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
  values:
  [
java.util.HashSet
[
  "true"
]
  ]
}
  }


But when it has these two entries, it fails with the jce error, which was 
apparently a red herring.

  properties:
  {
@class: java.util.LinkedHashMap
jwtAsServiceTicket:
{
  @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
  values:
  [
java.util.HashSet
[
  "true"
]
  ]
}
jwtAsResponse:
{
  @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
  values:
  [
java.util.HashSet
[
  "true"
]
  ]
}
  }



On Tuesday, April 10, 2018 at 10:05:14 AM UTC-5, William E. wrote:
>
> Hi Mike,
>
> Thanks for replying.  
>
> 1. Cas startup says "JCE Installed: Yes " but fails to find AES??
>
> 2. Isn't unlimited the default and verified by the jsunscript test?
>
> From the 1.8.162 java.security file you reference:
>
> # Cryptographic Jurisdiction Policy defaults
> #
> # Import and export control rules on cryptographic software vary from
> # country to country.  By default, the JDK provides two different sets of
> # cryptographic policy files:
> #
> # unlimited:  These policy files contain no restrictions on cryptographic
> # strengths or algorithms.
> #
> # limited:    These policy files contain more restricted cryptographic
> # strengths, and are still available if your country or
> # usage requires the traditional restrictive policy.
> #
> # The JDK JCE framework uses the unlimited policy files by default.
> # However the user may explicitly choose a set either by defining the
> # "crypto.policy" Security property or by installing valid JCE policy
> # jar files into the traditional JDK installation location.  To better
> # support older JDK Update releases, the "crypto.policy" property is not
> # defined by default.  See below for more information.
> #
> # The following logic determines which policy files are used:
> #
> # <java-home> refers to the directory where the JRE was
> # installed and may be determined using the "java.home"
> # System property.
> #
> # 1.  If the Security property "crypto.policy" has been defined,
> # then the following mechanism is used:
> #
> # The policy files are stored as jar files in subdirectories of
> # <java-home>/lib/security/policy.  Each directory contains a complete
> # set of policy files.
> #
> # The "crypto.policy" Security property controls the directory
> # selection, and thus the effective cryptographic policy.
> #
> # The default set of directories is:
> #
> # limited | unlimited
> #
> # 2.  If the "crypto.policy" property is not set and the traditional
> # US_export_policy.jar and local_policy.jar files
> # (e.g. limited/unlimited) are found in the legacy
> # <java-home>/lib/security directory, then the rules embedded within
> # those jar files will be used. This helps preserve compatibility
> # for users upgrading from an older installation.
> #
> # 3.  If the jar files are not present in the legacy location
> # and the "crypto.policy" Security property is not defined,
> # then the JDK will use the unlimited settings (equivalent to
> # crypto.policy=unlimited)
> #
> # Please see the JCA documentation for additional information on these
> # files and formats.
> #
> # YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
> # TO DETERMINE THE EXACT REQUIREMENTS.
> #
> # Please note that the JCE for Java SE, including the JCE framework,
> # cryptographic policy files, and standard JCE providers provided with
> # the Java SE, have been reviewed and approved for export as mass market
> # encryption item by the US Bureau of Industry and Security.
> #
> # Note: This property is currently used by the JDK Reference implementation.
> # It is not guaranteed to be examined and used by other implementations.
> #
> #crypto.policy=unlimited
>
>
>
> # pwd; find .
> /usr/java/jdk1.8.0_162/jre/lib/security
> .
> ./cacerts
> ./javaws.policy
> ./trusted.libraries
> ./java.security
&

Re: [cas-user] java 1.62 - JCE Unlimited Strength Jurisdiction Policy

2018-04-10 Thread William E.
Hi Mike,

Thanks for replying.  

1. Cas startup says "JCE Installed: Yes " but fails to find AES??

2. Isn't unlimited the default and verified by the jsunscript test?

From the 1.8.162 java.security file you reference:

# Cryptographic Jurisdiction Policy defaults
#
# Import and export control rules on cryptographic software vary from
# country to country.  By default, the JDK provides two different sets of
# cryptographic policy files:
#
# unlimited:  These policy files contain no restrictions on cryptographic
# strengths or algorithms.
#
# limited:    These policy files contain more restricted cryptographic
# strengths, and are still available if your country or
# usage requires the traditional restrictive policy.
#
# The JDK JCE framework uses the unlimited policy files by default.
# However the user may explicitly choose a set either by defining the
# "crypto.policy" Security property or by installing valid JCE policy
# jar files into the traditional JDK installation location.  To better
# support older JDK Update releases, the "crypto.policy" property is not
# defined by default.  See below for more information.
#
# The following logic determines which policy files are used:
#
# <java-home> refers to the directory where the JRE was
# installed and may be determined using the "java.home"
# System property.
#
# 1.  If the Security property "crypto.policy" has been defined,
# then the following mechanism is used:
#
# The policy files are stored as jar files in subdirectories of
# <java-home>/lib/security/policy.  Each directory contains a complete
# set of policy files.
#
# The "crypto.policy" Security property controls the directory
# selection, and thus the effective cryptographic policy.
#
# The default set of directories is:
#
# limited | unlimited
#
# 2.  If the "crypto.policy" property is not set and the traditional
# US_export_policy.jar and local_policy.jar files
# (e.g. limited/unlimited) are found in the legacy
# <java-home>/lib/security directory, then the rules embedded within
# those jar files will be used. This helps preserve compatibility
# for users upgrading from an older installation.
#
# 3.  If the jar files are not present in the legacy location
# and the "crypto.policy" Security property is not defined,
# then the JDK will use the unlimited settings (equivalent to
# crypto.policy=unlimited)
#
# Please see the JCA documentation for additional information on these
# files and formats.
#
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
# TO DETERMINE THE EXACT REQUIREMENTS.
#
# Please note that the JCE for Java SE, including the JCE framework,
# cryptographic policy files, and standard JCE providers provided with
# the Java SE, have been reviewed and approved for export as mass market
# encryption item by the US Bureau of Industry and Security.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
#crypto.policy=unlimited



# pwd; find .
/usr/java/jdk1.8.0_162/jre/lib/security
.
./cacerts
./javaws.policy
./trusted.libraries
./java.security
./blacklisted.certs
./java.policy
./blacklist
./policy
./policy/limited
./policy/limited/US_export_policy.jar
./policy/limited/local_policy.jar
./policy/unlimited
./policy/unlimited/US_export_policy.jar
./policy/unlimited/local_policy.jar



-William


On Tuesday, April 10, 2018 at 9:45:41 AM UTC-5, Michael A Grady wrote:
>
> The easiest way to get the latest versions of Java to use unlimited 
> strength algorithms is to:
>
>  Modify the file (within the Java directory):
>
>   jre/lib/security/java.security 
>
>  change the commented out property, near the end of the file:
>
>   #crypto.policy=unlimited
>
> by simply removing the comment marker:
>
>   crypto.policy=unlimited
>
> On Apr 10, 2018, at 8:58 AM, William E. <wre...@uah.edu > 
> wrote:
>
> Has anyone run into a problem with the JCE files on newer JDK's?  It is my 
> understanding that jdk 1.8.161 and later includes the jce unlimited 
> cryptography libs by default, and command line testing seems to confirm 
> this, but CAS 5.2.3 fails with the following:
>
> Caused by: java.lang.RuntimeException: Is JCE Unlimited Strength 
> Jurisdiction Policy installed? AES is an unknown, unsupported or 
> unavailable enc algorithm (not one of [A128CBC-HS256, A192CBC-HS384, 
> A256CBC-HS512, A128GCM, A192GCM, A256GCM]).
>
> CAS startup shows the correct JDK is being used and JCE is present:
>
> CAS Version: 5.2.3 
> CAS Commit Id: 14850a4ef16ef32ce6390f62fda566fdb8fa3948 
> CAS Build Date/Time: 2018-03-07T20:08:12Z 
> Spring Boot Version: 1.5.8.RELEASE 
> -

[cas-user] Re: The CAS management webapp is unavailable. NPE ERROR [org.apereo.cas.mgmt.services.web.AbstractManagementController] - java.lang.NullPointerException

2018-04-10 Thread William E.
Just guessing here, but I think I would first try trimming down the 
principal list values from:

cas.authn.ldap[0].principalAttributeList=sn:familyName,cn:casId,givenName,mail,memberOf,xxxUID

To maybe:

cas.authn.ldap[0].principalAttributeList=cn,xxxUID

Things that always exist in every ldap record.  My theory is one or more is 
null and throwing the NPE.

If that's not it, I would simplify my properties line by line restarting 
cas-management app each time until the NPE goes away.  Painful, I know, but 
other than reading the source code or paying a vendor like Unicon for 
support, not sure what else to try.

Good luck.

-William




On Tuesday, October 31, 2017 at 5:18:12 AM UTC-5, Krzysztof Kluczynski 
wrote:
>
> Hi,
>
> I am getting an NPE  
> [org.apereo.cas.mgmt.services.web.AbstractManagementController] - 
> java.lang.NullPointerException after a successful login to the CAS 
> management webapp.
>
> Both CAS and the CAS management webapp are configured to use LDAP.
>
> I am using the following versions :
>
> cas-services-management-overlay 5.2.0-SNAPSHOT
> cas-server 5.2.0-RC4
>
> *Configuration files*
>
> *management.properties*
>
>
> #cas.server.prefix: https://jasigcas.herokuapp.com/cas
> cas.server.name:https://xxx.xxx.org
> cas.server.prefix:https://xxx.xxx.org/sso
>
> cas.mgmt.adminRoles=ROLE_ADMIN
> cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
>
> # Update this URL to point at server running this management app
> cas.mgmt.serverName:https://xxx.xxx.org
>
> server.context-path=/cas-management
> server.port=8443
>
> spring.thymeleaf.mode=HTML
> logging.config=file:/etc/cas/config/log4j2-management.xml
>
>
> cas.authn.attributeRepository.defaultAttributesToRelease=sn,cn,givenName,mail,memberOf,xxxUID
> cas.personDirectory.principalAttribute=mail
> cas.personDirectory.returnNull=false
> cas.personDirectory.principalResolutionFailureFatal=false
>
>
> cas.mgmt.ldap.baseDn=ou=cas,ou=system,dc=xxx,dc=net
> cas.mgmt.ldap.ldapUrl=ldaps://xxx.xxx.org/
> cas.mgmt.ldap.connectionStrategy=ACTIVE_PASSIVE
> cas.mgmt.ldap.userFilter=mail={user}
> cas.mgmt.ldap.bindDn=cn=admin,dc=xxx,dc=net
> cas.mgmt.ldap.bindCredential=password
>
> cas.serviceRegistry.ldap.serviceDefinitionAttribute=casServiceDescription
> cas.serviceRegistry.ldap.idAttribute=cn
> cas.serviceRegistry.ldap.objectClass=casRegisteredService
> cas.serviceRegistry.ldap.ldapUrl=ldaps://xxx.xxx.org/
> cas.serviceRegistry.ldap.connectionStrategy=ACTIVE_PASSIVE
> cas.serviceRegistry.ldap.baseDn=ou=cas,ou=system,dc=xxx,dc=net
> cas.serviceRegistry.ldap.bindDn=cn=admin,dc=xxx,dc=net
> cas.serviceRegistry.ldap.bindCredential=password
>
> cas.properties
>
> #cas.server.name: https://cas.example.org:8443
> #cas.server.prefix: https://cas.example.org:8443/cas
>
> cas.server.name:https://xxx.xxx.org
> cas.server.prefix:https://xxx.xxx.org/sso
>
> cas.tgc.crypto.encryption.key=key
> cas.tgc.crypto.signing.key=signingkey
>
> cas.webflow.crypto.encryption.key=encrkey
> cas.webflow.crypto.signing.key=signingkey
>
> cas.logout.followServiceRedirects=true
> cas.logout.redirectParameter=service
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
> cas.monitor.endpoints.enabled=true
> cas.monitor.endpoints.sensitive=false
> cas.adminPagesSecurity.loginUrl=https://xxx.xxx.org/sso/login
> cas.adminPagesSecurity.service=https://xxx.xxx.org/sso/status/dashboard
> cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
> cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
> cas.adminPagesSecurity.actuatorEndpointsEnabled=true
>
> logging.config: file:/etc/cas/config/log4j2.xml
>
> cas.authn.accept.users=
> cas.authn.ldap[0].type=AUTHENTICATED
>
> cas.authn.ldap[0].ldapUrl=ldaps://xxx.xxx.org/
> cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
> cas.authn.ldap[0].baseDn=dc=xxx,dc=net
> cas.authn.ldap[0].userFilter=mail={user}
> cas.authn.ldap[0].bindDn=cn=admin,dc=xxx,dc=net
> cas.authn.ldap[0].bindCredential=credential
>
> cas.authn.ldap[0].dnFormat=cn=%s,ou=users,ou=people,dc=xxx,dc=net
> cas.authn.ldap[0].principalAttributeId=xxxUID
> cas.authn.attributeRepository.ldap[0].attributes.sn=sn
> cas.authn.attributeRepository.ldap[0].attributes.cn=cn
> cas.authn.attributeRepository.ldap[0].attributes.givenName=givenName
> cas.authn.attributeRepository.ldap[0].attributes.mail=mail
> cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf
> cas.authn.attributeRepository.ldap[0].attributes.xxxUID=xxxUID
>
>
> cas.authn.ldap[0].principalAttributeList=sn:familyName,cn:casId,givenName,mail,memberOf,xxxUID
>
>
> cas.authn.attributeRepository.attributes.sn=sn
> cas.authn.attributeRepository.attributes.cn=cn
> cas.authn.attributeRepository.attributes.givenName=givenName
> cas.authn.attributeRepository.attributes.mail=mail
> cas.authn.attributeRepository.attributes.memberOf=memberOf
> cas.authn.attributeRepository.attributes.xxxUID=xxxUID
>
> cas.authn.releaseProtocolAttributes=true
>
>
> 

Re: [cas-user] Help with LDAP auth

2018-03-14 Thread William E.
We grab the memberof attribute in the user record. Note it's multivalued.


On Tuesday, March 13, 2018 at 1:28:43 PM UTC-5, Марат Бралиев wrote:
>
> how best practice to check member of specific group? check in LDAP search 
> query, or use some CAS (or ldaptive) handler, and check member of group 
> after simple search? Does CAS support such handler?



[cas-user] Re: CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread William E.
We are on cas 5.2.2, banner 8 via ssomanager and banner 9 admin apps.  
Seems to work fine since we upgraded to cas 5.2.2 in late December.

We populate the udcid in ldap from banner, then map it in cas as:

cas.authn.attributeRepository.ldap[0].attributes.uahUDCID=UDC_IDENTIFIER

Please note, without full BEIS the udcid in banner is not automatically 
populated when new users are created.  Our IDM calls a delivered BEIS 
component to populate any blank udcid values in banner before ldap 
provisioning since we don't use BEIS.

IP_IDENTITY_DATA_EXPORT_UTIL.P_ASSIGN_UDCID();


-William

BEIS = Banner Enterprise Identity Services


On Wednesday, February 21, 2018 at 5:46:21 PM UTC-6, Matthew Uribe wrote:
>
> Hello Community,
>
> I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x.
>
> We have been using the Luminis delivered CAS 3.5.2, but are interested in 
> the features available in 5, such as SAML2 IdP, and MFA using Duo. I have 
> deployed CAS 5.2.0, included cas-server-support-ldap and 
> cas-server-support-saml 
> dependencies, and setup a service for one of our Banner 9 apps, but haven't 
> been able to successfully access the application. I can access the CAS 
> Dashboard, as well as the CAS-Management webapp, but the Banner apps are 
> beyond me at this point. Right now, when I navigate to the Banner 9 app, I 
> am redirected to the CAS login page. After logging in successfully, the 
> browser gives me an error: "HTTP Status 403 - No assertions found".
>
> I figure the problem is either in my service registry, or that I maybe 
> need to import the CAS certificate into a keystore somewhere on the Banner 
> 9 server. Since I don't see anything related to a cert import in the Banner 
> 9 install guides, I'm focused on the first of these two possibilities, but 
> after 2 days of going in circles I've run out of ideas and would eagerly 
> accept the advice of this community.
>
> Thank you,
> Matt
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/524db851-6ae3-4c5a-8670-389faeda2356%40apereo.org.


[cas-user] Re: cas 5 management

2018-02-09 Thread William E.
Exactly.  cas-management-overlay/target/cas-management.war


Since we use json registry, and ldap, we add the below.


<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>



On Friday, February 9, 2018 at 9:13:54 AM UTC-6, Chris Cheltenham wrote:
>
> Hello ,
>
>  
>
> I have embarked on building cas-management via the overlay.
>
> I am assuming you build a totally separate war file with the ldap 
> dependency if you use ldap.
>
>  
>
> Is that correct?
>
>  
>
>  
>
>  
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571 
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/df4774ec-7151-4769-a96d-ee447296bced%40apereo.org.


[cas-user] Re: CAS 5.2.x

2018-02-08 Thread William E.
For Dave's docs:

We too have been working on using cas 5.2's saml2 capabilities to replace a 
full shibboleth.  Not quite there yet, but still working on it.

FWIW - We use apache's mod_ajp to front tomcat and these lines are what we 
use in proxy_ajp.conf:

ProxyPass /cas ajp://localhost:8009/cas


# CAS for IDP
ProxyPass /idp/shibboleth ajp://localhost:8009/cas/idp/metadata
ProxyPass /idp ajp://localhost:8009/cas/idp


The first is just for regular cas redirects to the cas app on the local 
tomcat.  The latter is specific for the IDP.  We publish our IDP metadata 
to InCommon, which in turn is published to all its subscribers in their 
metadata aggregate.  We could republish of course, changing host/idp to 
host/cas/idp, but to make the switch seamless, and to not break 
non-incommon SP's that we have to manually exchange metadata with, we use 
proxy_ajp to send host/idp requests to localhost/cas/idp with this line:

ProxyPass /idp ajp://localhost:8009/cas/idp

We have also found that some SP's specifically check idp/shibboleth, which 
is not an endpoint cas provides; cas publishes its IDP metadata as 
/cas/idp/metadata, so we use this line to send /idp/shibboleth requests to 
/cas/idp/metadata.

ProxyPass /idp/shibboleth ajp://localhost:8009/cas/idp/metadata

Fortunately, the way ajp works is top to bottom order so the more specific 
/idp/shibboleth is used before the more generic /idp line.

You may need to do similar, perhaps with your load balancer.  We use a load 
balancer as well, in front of apache, but found the redirect easiest with 
apache's ajp.

-W


On Monday, February 5, 2018 at 12:14:53 PM UTC-6, Chris Cheltenham wrote:
>
> Hello,
>
> I am not understanding how to bundle the LDAP authentication handler into 
> the cas.war file.
>
> Any suggestions?
>  
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f4df5045-a965-4a24-9243-b611b2d304af%40apereo.org.


[cas-user] Re: Application Not Authorized to Use CAS The application you attempted to authenticate to is not authorized to use CAS.

2018-01-22 Thread William E.
What is in the service url parameter?  Add it as an allowed service regex.

For example, since I access cas-management via localhost, I have a service 
that allows ^http://localhost:8080/cas-management/.*


On Friday, January 19, 2018 at 1:41:38 PM UTC-6, Ramakrishna G wrote:
>
> Application Not Authorized to Use CAS. The application you attempted to 
> authenticate to is not authorized to use CAS.
>
> I keep getting this error. I am not able to run CAS-MANAGEMENT. Is there any 
> other solution to get rid of this error?
>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/723a2a42-cbe5-4644-a43a-692dc8b8fe9c%40apereo.org.


Re: [cas-user] CAS attribute resolution with LDAP

2018-01-10 Thread William E.
In our cas.properties, we also have:

cas.personDirectory.principalAttribute=uid,mail
cas.personDirectory.returnNull=false
cas.personDirectory.principalResolutionFailureFatal=false

Hope this helps.


On Wednesday, January 10, 2018 at 10:30:38 AM UTC-6, rbon wrote:
>
> Sebastien,
>
> To see what is happening on CAS side, put this in your CAS log config:
>
>
> name="org.apereo.cas.DefaultCentralAuthenticationService" level="debug" />
> name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug" />
>
>
> Have you configured LDAP to release those attributes?
>
> Ray
>
> On Wed, 2018-01-10 at 06:11 -0800, Sébastien Ragons wrote:
>
> Hello, 
>
> I have been trying to get attributes from LDAP for days with no success.
> So I tried a basic configuration, but it doesn't work.
>
> My basic configuration:
> # LDAP authentication
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://frparantgaga:389/
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].baseDn=o=antalis
> cas.authn.ldap[0].userFilter=(|(uid={user})(mail={user}))
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].usePasswordPolicy=true
>
> # Credential to connect to LDAP
> cas.authn.ldap[0].bindDn=cn=root,o=antalis
> cas.authn.ldap[0].bindCredential=passwd
>
> # authentication-attributes
> cas.authn.ldap[0].principalAttributeList=sn,cn,mail,description
> cas.authn.attributeRepository.attributes.sn=sn
> cas.authn.attributeRepository.attributes.cn=cn
> cas.authn.attributeRepository.attributes.mail=mail
> cas.authn.attributeRepository.attributes.description=description 
>
>
> I configured my service to get all attributes
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : ".*",
>   "name" : "Service 3 avec theme 2",
>   "theme" : "theme2",
>   "id" : 3,
>   "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
>
>
> On the client side the principal doesn't contain any of the configured attributes.
> The CAS server's logs seem to indicate that there is no attribute to release:
>
> .AbstractRegisteredServiceAttributeReleasePolicy] -  attributes [{}] for [seba...@gmail.com ]> 
>
>
>
> I'm aware of the article on the blog about attributes: 
> https://apereo.github.io/2017/02/22/cas51-dbauthn-tutorial/
> I've consulted several questions about this topic on this group.
> I don't understand why it doesn't work.
>
> Could you help me?
> Thank you 
>
> Sebastien
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f817a19-2b89-4944-a3c7-794b773e7cad%40apereo.org.


[cas-user] SAML FriendlyName and Name using same value

2018-01-10 Thread William E.
Hi all,

I'm pretty sure this is not a current feature of CAS 5.2.x, but I just 
wanted to ask this community if they found any way to do so by some config 
trickery.  If not, would the awesome CAS developers be interested in 
putting this on the list of future feature enhancements please?

So we're trying to use the saml idp of cas 5.2 to replace our shibboleth 
service.  Seems most SP's work but a few don't and unfortunately getting 
logs from vendors or technical insight is sometimes challenging.  But one 
distinct difference between the attributes shibboleth returns and cas IDP 
returns is that with cas, while you can specify the "return attribute x as 
name y" part, it's used for both the name and friendlyname values.

For example, in our config shibboleth returns the givenName like so:


xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Jane



With Name="urn:oid:2.5.4.42" and FriendlyName="givenName".


In the cas service definition I can specify givenName should be returned as 
urn:oid:2.5.4.42, which is awesome, but the urn:oid... is used for both 
Name and FriendlyName values.


  attributeReleasePolicy:
  {
@class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
allowedAttributes:
{
  @class: java.util.TreeMap
  givenName: "urn:oid:2.5.4.42"
...



xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Jane



Anyone know of a way to specify a different value for FriendlyName than 
Name?


Thanks,
William
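Added example for the Name/FriendlyName difference described above; it is my code, not from this thread, from CAS or from Shibboleth. It parses saml2:Attribute elements from two constructed AttributeStatements, one shaped like the Shibboleth output (Name is the OID, FriendlyName is "givenName") and one like the CAS 5.2 output (the mapped OID in both places), and shows that a relying party keying on Name gets the value from both while one keying on FriendlyName gets nothing from the CAS-style statement. The eduPersonAffiliation attribute and all sample values are constructed additions.

```python
"""Parse saml2:Attribute elements from an AttributeStatement and show what a
relying party sees when it keys attributes on FriendlyName versus Name.

Added example for the cas-user thread; not code from the thread, CAS or
Shibboleth. Both statements are constructed: the Shibboleth-style one carries
Name=OID plus a short FriendlyName, the CAS 5.2-style one repeats the mapped
OID in both places, as the post reports.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GIVEN_NAME_OID = "urn:oid:2.5.4.42"                   # givenName, as in the post
AFFILIATION_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation


def build_statement(cas_style: bool) -> str:
    """Return a constructed saml2:AttributeStatement.

    With cas_style=True every FriendlyName repeats its Name, which is what the
    post reports for CAS 5.2's ReturnMappedAttributeReleasePolicy.
    """
    def attribute(friendly_name, name, *values):
        shown_friendly = name if cas_style else friendly_name
        value_xml = "".join(
            f'<saml2:AttributeValue xsi:type="xsd:string">{v}</saml2:AttributeValue>'
            for v in values
        )
        return (f'<saml2:Attribute FriendlyName="{shown_friendly}" Name="{name}">'
                f"{value_xml}</saml2:Attribute>")

    return (
        f'<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        + attribute("givenName", GIVEN_NAME_OID, "Jane")
        # a multi-valued attribute, to show values stay grouped under one Name
        + attribute("eduPersonAffiliation", AFFILIATION_OID, "staff", "member")
        + "</saml2:AttributeStatement>"
    )


def parse_attributes(statement_xml: str) -> list:
    """Return one dict per saml2:Attribute: name, friendly_name, values."""
    root = ET.fromstring(statement_xml)
    attributes = []
    for element in root.iter(f"{{{SAML2_NS}}}Attribute"):
        attributes.append({
            "name": element.get("Name"),
            "friendly_name": element.get("FriendlyName"),
            "values": [
                value.text or ""
                for value in element.findall(f"{{{SAML2_NS}}}AttributeValue")
            ],
        })
    return attributes


def values_by_name(attributes: list, name: str) -> list:
    """Lookup by Name, the identifier SAML Core defines for an attribute;
    this works for both IdP styles."""
    return [v for a in attributes if a["name"] == name for v in a["values"]]


def values_by_friendly_name(attributes: list, friendly_name: str) -> list:
    """Lookup by FriendlyName. SAML Core says FriendlyName must not be used
    to identify an attribute, but some SPs do, and they get nothing from the
    CAS-style output where FriendlyName is the OID."""
    return [v for a in attributes if a["friendly_name"] == friendly_name
            for v in a["values"]]


def compare_lookups(friendly_name: str, name: str) -> dict:
    """Run both lookups against both constructed IdP outputs."""
    result = {}
    for idp, cas_style in (("shibboleth", False), ("cas52", True)):
        attributes = parse_attributes(build_statement(cas_style))
        result[idp] = {
            "by_name": values_by_name(attributes, name),
            "by_friendly_name": values_by_friendly_name(attributes, friendly_name),
        }
    return result


if __name__ == "__main__":
    for idp, lookups in compare_lookups("givenName", GIVEN_NAME_OID).items():
        print(idp, lookups)
```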

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a58be248-9a81-4d24-a3b4-701eaf90c9e9%40apereo.org.


Re: [cas-user] Re: Management Webapp 5.2 issue with attributes release

2017-12-21 Thread William E.
Hi Travis,

I have had similar issues.  Love the new look BTW, but the return mapped UI 
seems to have a bug or two.

Also, the Access strategy tab, maybe it's intentional, but it seems to 
autopopulate with all my defined attributes when I just click on that tab.  
So what I've accidentally run into is editing a service, clicking on access 
strategy to view settings, make no changes, click save service, and now my 
service(json) is set to require all my attributes.

One other, duplicate service has no "Save" button I can find.

Thanks for all your hard work on this!

-William




On Thursday, December 21, 2017 at 10:48:09 AM UTC-6, Travis Schmidt wrote:
>
> Ludovic, 
>   
>Thanks for reporting the issue with the cas-management application.  It 
> seems that I incompletely refactored some code in the attribute-release 
> screens.  A fix for the issue has been submitted as a PR and can be viewed 
> here:
>
> https://github.com/apereo/cas/pull/3108
>
> Once this is merged into the 5.2.x branch you should be able to pull it in 
> using the latest 5.2.x snapshot release.
>
> Thanks again,
> Travis
>
>
>
> On Thu, Dec 21, 2017 at 2:09 AM Ludovic Senecaux wrote:
>
>> And I have a problem to release mapped attributes too.
>>
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/25f3e76e-da12-4e7b-8460-9f4fa728e9d8%40apereo.org.
>>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c329311-bb2c-47d0-b6ac-928e1f113446%40apereo.org.


[cas-user] Re: Recommendations for CATALINA_OPTS for cas 5.x with tomcat 8.5.x

2017-12-21 Thread William E.
Martin,

Thank you.  You might be on to something.  I was quoting from memory and I 
was wrong on swap.  Of the two nodes, both in my mind identical VM's, the 
secondary node has 8GB of swap and a tiny bit used, but the primary, the 
one that is crashing, has no swap configured.  I have requested our systems 
team add 8GB of swap to the primary.

Primary server:

              total        used        free      shared  buff/cache   available
Mem:        8010840     4872660      420488      107484     2717692     2679336
Swap:             0           0           0



Secondary server:

              total        used        free      shared  buff/cache   available
Mem:        8010972     1192296     1530500       23196     5288176     6449948
Swap:       8388604        4604     8384000


Not sure I understand why it would matter since in theory swap should not 
be needed on a server with 8GB of ram with jvm limit set to 6GB though.  
Any more insight on why, because I would really like to understand the 
reason.


Additionally, I've put the shibboleth IDP back into play, effectively 
rendering the saml services in cas "unused".  I am using proxy_ajp to front 
tomcat with apache so it was easy to copy the idp.war into tomcat and 
re-enable the shib-cas-authenticator. I guess my hope of moving from 
cas+shibb. to just cas will have to wait.


Thanks, 
William

P.S. Jeff, thank you for posting your catalina opts!


On Wednesday, December 20, 2017 at 11:30:40 PM UTC-6, Martin Bohun wrote:
>
> I have seen the behavior you are describing when people ran cas (tomcat, 
> mysql, etc.) on a (what I would consider a misconfigured) Linux box with 0 
> swap.
> However you are saying you have 4gb of swap.
> I still do prefer to set my swap to 2 * $MY_RAM; can you try that? adjust 
> or add a swapfile to your swap (so you have 8gb RAM / 16gb swap), I am 
> curious if that would help / solve your problem?
> What error messages are you getting in the jvm and syslog/systemd journal 
> from the OS?
>
> regards,
>
> martin
>
> On Thursday, December 21, 2017 at 1:35:45 PM UTC+11, William E. wrote:
>>
>> RHEL 7, 8GB ram, swap is 4GB.  It's a VM in our vSphere cluster+SAN.  I 
>> actually have three, two PROD nodes behind a load balancer and one test 
>> node.  All have same specs and all show the issue.  Steadily chews up 
>> memory until eventual crash, 1-6 hours depending on load.
>>
>> The same servers were running cas 3.6 + shibboleth 3.3.x for quite a 
>> while without memory issues.  Upgraded and tried to consolidate to just cas 
>> 5, using its saml2 capabilities to replace the shibboleth component.  But, 
>> it's not going as well as I had hoped.
>>
>> Been working with Unicon Support on it, but it appears to be a memory 
>> leak in cas 5.2, based on heap analysis.  So I am kind of stuck.
>>
>> Thanks for your help!
>>
>>
>>
>> On Wednesday, December 20, 2017 at 6:49:39 PM UTC-6, Martin Bohun wrote:
>>>
>>> What is your:
>>> 1. operating system
>>> 2. how much RAM do you have
>>> 3. how much swap do you have
>>>
>>> if you are on  Linux you can do:
>>> 1. uname -a
>>> 2-3. free -m
>>>
>>> and post the output here
>>>
>>> regards,
>>>
>>> martin
>>>
>>> On Thursday, December 21, 2017 at 11:00:30 AM UTC+11, William E. wrote:
>>>>
>>>> Does anyone have any recommendations for CATALINA_OPTS for cas 5.x on 
>>>> tomcat 8?
>>>>
>>>> I am finding that our setup steadily eats up memory to the point that 
>>>> it eventually crashes from out of memory and has to be restarted.
>>>>
>>>> Current settings:
>>>>
>>>> CATALINA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server 
>>>> -Xms1g -Xmx6g -XX:-UseGCOverheadLimit -XX:+UseConcMarkSweepGC 
>>>> -XX:-UseCompressedOops"
>>>>
>>>> JAVA_OPTS=$CATALINA_OPTS
>>>>
>>>>
>>>> Thanks,
>>>> William
>>>>
>>>>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7e36f7d2-3bf7-49d2-bcd8-bbc0e22b901b%40apereo.org.


[cas-user] Re: Recommendations for CATALINA_OPTS for cas 5.x with tomcat 8.5.x

2017-12-20 Thread William E.
RHEL 7, 8GB ram, swap is 4GB.  It's a VM in our vSphere cluster+SAN.  I 
actually have three, two PROD nodes behind a load balancer and one test 
node.  All have same specs and all show the issue.  Steadily chews up 
memory until eventual crash, 1-6 hours depending on load.

The same servers were running cas 3.6 + shibboleth 3.3.x for quite a 
while without memory issues.  Upgraded and tried to consolidate to just cas 
5, using its saml2 capabilities to replace the shibboleth component.  But, 
it's not going as well as I had hoped.

Been working with Unicon Support on it, but it appears to be a memory leak 
in cas 5.2, based on heap analysis.  So I am kind of stuck.

Thanks for your help!



On Wednesday, December 20, 2017 at 6:49:39 PM UTC-6, Martin Bohun wrote:
>
> What is your:
> 1. operating system
> 2. how much RAM do you have
> 3. how much swap do you have
>
> if you are on  Linux you can do:
> 1. uname -a
> 2-3. free -m
>
> and post the output here
>
> regards,
>
> martin
>
> On Thursday, December 21, 2017 at 11:00:30 AM UTC+11, William E. wrote:
>>
>> Does anyone have any recommendations for CATALINA_OPTS for cas 5.x on 
>> tomcat 8?
>>
>> I am finding that our setup steadily eats up memory to the point that it 
>> eventually crashes from out of memory and has to be restarted.
>>
>> Current settings:
>>
>> CATALINA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server 
>> -Xms1g -Xmx6g -XX:-UseGCOverheadLimit -XX:+UseConcMarkSweepGC 
>> -XX:-UseCompressedOops"
>>
>> JAVA_OPTS=$CATALINA_OPTS
>>
>>
>> Thanks,
>> William
>>
>>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bfe6c835-bf1e-4f24-b507-025d7c0e3172%40apereo.org.


[cas-user] Recommendations for CATALINA_OPTS for cas 5.x with tomcat 8.5.x

2017-12-20 Thread William E.
Does anyone have any recommendations for CATALINA_OPTS for cas 5.x on 
tomcat 8?

I am finding that our setup steadily eats up memory to the point that it 
eventually crashes from out of memory and has to be restarted.

Current settings:

CATALINA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server 
-Xms1g -Xmx6g -XX:-UseGCOverheadLimit -XX:+UseConcMarkSweepGC 
-XX:-UseCompressedOops"

JAVA_OPTS=$CATALINA_OPTS


Thanks,
William

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fe0ba2b3-4918-4e07-870a-3d4196207e87%40apereo.org.


[cas-user] Re: CAS 5.1.0 LDAP - How to get all groups that a user is a member of?

2017-12-01 Thread William E.
Perhaps try adding these to cas.properties?

cas.authn.attributeRepository.ldap[0].attributes.member=member
cas.authn.attributeRepository.ldap[0].attributes.memberof=memberof



On Thursday, November 23, 2017 at 4:41:33 AM UTC-6, Sanjaya Addula wrote:
>
> Hi,
>
> How can I configure cas to get the LDAP user group details as a principal 
> attribute?
>
> cas.authn.ldap[0].type=DIRECT
> cas.authn.ldap[0].ldapUrl=ldapurl
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> #cas.authn.ldap[0].baseDn=ou=groups,dc=ec2,dc=internal
> cas.authn.ldap[0].baseDn=ou=Users,dc=ec2,dc=internal
> #cas.authn.ldap[0].userFilter=uid=%s,ou=Users,dc=ec2,dc=internal
> cas.authn.ldap[0].userFilter=(&(uid={user})(objectclass=inetOrgPerson))
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].usePasswordPolicy=false
> cas.authn.ldap[0].bindDn=uid=user2,ou=Users,dc=ec2,dc=internal
> cas.authn.ldap[0].bindCredential=xyz
>
> cas.authn.ldap[0].dnFormat=uid=%s,ou=Users,dc=ec2,dc=internal
> cas.authn.ldap[0].principalAttributeId=uid
>
> cas.authn.ldap[0].principalAttributeList=sn,title,mail,telephoneNumber,mobile,manager
>
>
>
> 
>
>
>
>
>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f8204b37-ad0f-456c-86ae-05042d0ee1f3%40apereo.org.


[cas-user] Re: CAS management - new service username attribute provider options

2017-11-22 Thread William E.
Nope.  In my cas 5.1 pom I only have:

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml-idp</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-token-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml-sp-integrations</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>

In my cas-management 5.1 pom.xml:

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-management-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>


On Wednesday, November 22, 2017 at 7:26:40 AM UTC-6, Justin Andrews wrote:
>
> Gotcha. Do you also have these defined in your pom.xml ?
>
> <dependency>
>     <groupId>org.apereo.service.persondir</groupId>
>     <artifactId>person-directory-api</artifactId>
>     <version>${person.directory.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.service.persondir</groupId>
>     <artifactId>person-directory-impl</artifactId>
>     <version>${person.directory.version}</version>
> </dependency>
>
>
> On Tuesday, November 21, 2017 at 10:24:47 PM UTC-5, William E. wrote:
>>
>> I had to add them to mine for the username drop down in cas management to 
>> get populated.
>>
>>
>> On Tuesday, November 21, 2017 at 2:01:09 PM UTC-6, Justin Andrews wrote:
>>>
>>> No, I do not have those in my cas.properties...
>>>
>>> On Tuesday, November 21, 2017 at 10:49:13 AM UTC-5, William E. wrote:
>>>>
>>>> Do you have entries like below in your cas.properties file?
>>>>
>>>> cas.authn.attributeRepository.ldap[0].attributes.uid=uid
>>>> cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>>>> cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>>>>
>>>> cas.authn.attributeRepository.ldap[0].attributes.affiliation=eduPersonAffiliation
>>>> .
>>>>
>>>>
>>>>
>>>> On Monday, November 20, 2017 at 8:56:41 AM UTC-6, Justin Andrews wrote:
>>>>>
>>>>> Hi folks - What are the requirements to be able to adjust the username 
>>>>> attribute via the CAS management GUI? This is all I see.
>>>>>
>>>>>
>>>>> <https://lh3.googleusercontent.com/-CTPBkMm3cX0/WhLtHf_H7XI/Ahs/eKc-wpYGg80qUzBr54KA00FMkYHYqUPPwCLcBGAs/s1600/Screen%2BShot%2B2017-11-20%2Bat%2B9.54.31%2BAM.png>
>>>>>
>>>>>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/edfcce91-7e7b-42c5-8653-1d59d6b5e144%40apereo.org.


[cas-user] Re: CAS management - new service username attribute provider options

2017-11-21 Thread William E.
I had to add them to mine for the username drop down in cas management to 
get populated.


On Tuesday, November 21, 2017 at 2:01:09 PM UTC-6, Justin Andrews wrote:
>
> No, I do not have those in my cas.properties...
>
> On Tuesday, November 21, 2017 at 10:49:13 AM UTC-5, William E. wrote:
>>
>> Do you have entries like below in your cas.properties file?
>>
>> cas.authn.attributeRepository.ldap[0].attributes.uid=uid
>> cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>> cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>>
>> cas.authn.attributeRepository.ldap[0].attributes.affiliation=eduPersonAffiliation
>> .
>>
>>
>>
>> On Monday, November 20, 2017 at 8:56:41 AM UTC-6, Justin Andrews wrote:
>>>
>>> Hi folks - What are the requirements to be able to adjust the username 
>>> attribute via the CAS management GUI? This is all I see.
>>>
>>>
>>> <https://lh3.googleusercontent.com/-CTPBkMm3cX0/WhLtHf_H7XI/Ahs/eKc-wpYGg80qUzBr54KA00FMkYHYqUPPwCLcBGAs/s1600/Screen%2BShot%2B2017-11-20%2Bat%2B9.54.31%2BAM.png>
>>>
>>>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ff7d81b5-5caf-46a4-a27a-5be615d04fb5%40apereo.org.


[cas-user] Re: CAS management - new service username attribute provider options

2017-11-21 Thread William E.
Do you have entries like below in your cas.properties file?

cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
cas.authn.attributeRepository.ldap[0].attributes.affiliation=eduPersonAffiliation
.



On Monday, November 20, 2017 at 8:56:41 AM UTC-6, Justin Andrews wrote:
>
> Hi folks - What are the requirements to be able to adjust the username 
> attribute via the CAS management GUI? This is all I see.
>
>
> 
>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8bea6203-c587-42cd-8ddc-baf76d9c768f%40apereo.org.