Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2022-01-18 Thread Gowtham Krishna
Did you get a solution to this? I am having the same scenario and am
looking for the solution to the same question.

On Wednesday, 11 August 2021 at 16:38:36 UTC+5:30 fryc...@gmail.com wrote:

> Hello!
>
> And what to do if:
>
> I have CAS 5.2.3 and an LDAP connection.
>
> LDAP has 1 domain and 2 ou (ou = groups, ou = people). Each group has a cn 
> with the group name. Each such group contains several members, where the 
> username from ou = people is specified.
>  
> My task is to get the groups of the user when it is authenticated in order 
> to update them.
>  
> I just can't figure out how I can use CAS to get the groups of each user 
> out of LDAP.
>
> Friday, 31 August 2018 at 22:17:12 UTC+3, waldbiec: 
>
>> Bill, 
>>
>> In `cas.properties`, in your LDAP section, you want a property like this: 
>>
>> cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
>>  
>>
>>
>> That says that the principal that is authenticated should get the above 
>> list of LDAP attributes. For the ones that have 2 items separated by a 
>> colon, that is just a rename from the LDAP attribute to the name that will 
>> be exposed via CAS. 
>>
>> In your service file for an individual service, you specify what 
>> attributes from the above list you want to release. The following sections 
>> from a service file are an example: 
>>
>> "attributeReleasePolicy" : { 
>>   "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", 
>>   "attributeFilter" : { 
>>     "@class" : "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter", 
>>     "patterns" : { 
>>       "@class" : "java.util.HashMap", 
>>       "memberOf" : "cn=administrators,ou=groups,dc=example,dc=org" 
>>     }, 
>>     "excludeUnmappedAttributes" : false, 
>>     "completeMatch" : false, 
>>     "order" : 0 
>>   }, 
>>   "allowedAttributes" : [ "java.util.ArrayList", 
>>     [ "uid", "memberOf", "email", "givenName", "surname" ] 
>>   ] 
>> }, 
>>
>> The "attributeReleasePolicy" is used to filter the "memberOf" attribute 
>> down to a specific value (because the attribute is multi-valued, and you 
>> usually only want to release one or a few of the values to a service). 
>> The "allowedAttributes" section specifies what attributes from the 
>> principal will be released at all. 
>>
>> Thanks, 
>> Carl Waldbieser 
>> ITS Identity Management 
>> Lafayette College 
>>
>> - Original Message - 
>> From: "Bill Scully"  
>> To: "cas-user"  
>> Sent: Friday, 31 August, 2018 15:00:09 
>> Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application 
>>
>> Hi, 
>>
>> I'm having a hard time getting my head around where to start configuring 
>> CAS to provide LDAP attributes to the "RegisteredService" / application 
>> after authentication. I'm assuming there are 2 areas that I need to 
>> configure, cas.properties and service JSON files, but navigating the 
>> documentation to find what I need has been beyond me up to this point. 
>>
>> Can someone kindly point me to the right areas of 
>> https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can 
>> figure out how to retrieve certain attributes from LDAP and share those 
>> selected values with the application? I hope I'm using "application" 
>> properly. 
>>
>> Thanks, 
>>
>> Bill 
>>
>> -- 
>> - Website: https://apereo.github.io/cas 
>> - Gitter Chatroom: https://gitter.im/apereo/cas 
>> - List Guidelines: https://goo.gl/1VRrw7 
>> - Contributions: https://goo.gl/mh7qDG 
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group. 
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org. 
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/ac28e9bc-9bdf-4d1d-9d59-d99ad23d2dc9%40apereo.org.

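As an added illustration of the three stages Carl's reply describes (the principalAttributeList rename, the mapped regex filter on memberOf, and allowedAttributes), here is a small Python model; it is not CAS code and not from the original post. The filter semantics (completeMatch as whole-value versus substring matching, excludeUnmappedAttributes as pass-through of attributes the pattern map does not name) are my reading of the reply, and the LDAP entry is constructed.

```python
import re

# Constructed sample LDAP entry for one user (not real directory data).
# Attribute names are the raw LDAP names, before CAS renames any of them.
LDAP_ENTRY = {
    "uid": ["bscully"],
    "givenName": ["Bill"],
    "sn": ["Scully"],
    "mail": ["bscully@example.org"],
    "telephoneNumber": ["+1 555 0100"],   # never listed, so never reaches CAS
    "memberOf": [
        "cn=administrators,ou=groups,dc=example,dc=org",
        "cn=staff,ou=groups,dc=example,dc=org",
        "cn=vpn-users,ou=groups,dc=example,dc=org",
    ],
}

# The property value from the reply, verbatim.
PRINCIPAL_ATTRIBUTE_LIST = "uid,givenName,sn:surname,mail:email,memberOf"


def apply_principal_attribute_list(ldap_entry, spec):
    """Model of cas.authn.ldap[0].principalAttributeList: only the listed
    attributes are copied onto the principal, and an 'ldapName:casName'
    item is renamed on the way."""
    principal = {}
    for item in spec.split(","):
        ldap_name, _, cas_name = item.strip().partition(":")
        if ldap_name in ldap_entry:
            principal[cas_name or ldap_name] = list(ldap_entry[ldap_name])
    return principal


def mapped_regex_filter(attributes, patterns, complete_match=False,
                        exclude_unmapped=False):
    """Model (assumed semantics) of RegisteredServiceMappedRegexAttributeFilter:
    for an attribute named in `patterns`, keep only the values its regex
    matches; complete_match decides whole-value vs. substring matching;
    attributes not named in `patterns` pass through unless exclude_unmapped
    is set."""
    match = re.fullmatch if complete_match else re.search
    out = {}
    for name, values in attributes.items():
        if name in patterns:
            kept = [v for v in values if match(patterns[name], v)]
            if kept:
                out[name] = kept
        elif not exclude_unmapped:
            out[name] = list(values)
    return out


def return_allowed(attributes, allowed_attributes):
    """Model of ReturnAllowedAttributeReleasePolicy.allowedAttributes:
    whatever survived the filter is released only if it is listed here."""
    return {n: v for n, v in attributes.items() if n in allowed_attributes}


def release_for_service(ldap_entry, patterns, complete_match=False):
    """Run the three stages the reply describes and return what the
    service would actually receive."""
    principal = apply_principal_attribute_list(ldap_entry, PRINCIPAL_ATTRIBUTE_LIST)
    filtered = mapped_regex_filter(principal, patterns, complete_match)
    return return_allowed(filtered,
                          ["uid", "memberOf", "email", "givenName", "surname"])


if __name__ == "__main__":
    # The exact filter from the reply: only the administrators DN is released.
    print(release_for_service(
        LDAP_ENTRY, {"memberOf": "cn=administrators,ou=groups,dc=example,dc=org"}))
    # Same principal with no pattern map: every group DN goes to the service.
    print(release_for_service(LDAP_ENTRY, {}))
```

The second call shows why the filter matters: without it, a service that only needs to know about one group learns every group the user belongs to.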

Re: [cas-user] CAS 5.2/5.3 cas.util.LdapUtils try connect to localhost for LDAP

2020-07-30 Thread mohsen saeedi
The problem is solved! By removing cas-server-support-ldap-service-registry 
from pom.xml.

On Thursday, July 30, 2020 at 11:53:00 PM UTC+4:30 mohsen saeedi wrote:

> I think I added cas-server-support-ldap-service-registry as a dependency, 
> and I don't have any configuration parameter for that in cas.properties. 
> Maybe the problem is caused by that!!! I will test again and send the result here
>

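The resolution in this thread (an LDAP-backed module present in the overlay with nothing configured for it, so it started on built-in defaults, which is what the localhost:389 connection with no bind DN in the logs shows) is the kind of drift a simple startup check can catch. The following Python is an added example, not part of the thread or of CAS: it cross-checks the artifacts in an overlay pom.xml against the live keys in cas.properties; the pom.xml and properties are constructed, and the module-to-property-prefix map is an assumption to verify against your CAS version's documentation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed overlay pom.xml: the authentication module plus the LDAP
# service registry module that this thread ended up removing.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>${cas.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-ldap-service-registry</artifactId>
      <version>${cas.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed cas.properties: the authn handler is configured, but the only
# service-registry line is commented out, so that module runs on defaults.
CAS_PROPERTIES = """
cas.authn.ldap[0].ldapUrl=ldap://192.168.250.71:389
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].bindDn=cn=manager,dc=example,dc=org
cas.authn.ldap[0].bindCredential=REPLACE_ME
# cas.serviceRegistry.ldap.ldapUrl=ldap://192.168.250.71:389
"""

# Assumed module -> property-prefix map.  cas.authn.ldap[N] is the prefix
# used in the thread; cas.serviceRegistry.ldap is the prefix documented for
# the LDAP service registry in CAS 5.x (check your version's docs).
MODULE_PREFIXES = {
    "cas-server-support-ldap": r"cas\.authn\.ldap\[\d+\]\.",
    "cas-server-support-ldap-service-registry": r"cas\.serviceRegistry\.ldap\.",
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def maven_artifact_ids(pom_text):
    """All <artifactId> values under <dependency> elements in the POM."""
    root = ET.fromstring(pom_text)
    return [el.text.strip()
            for el in root.findall(".//m:dependency/m:artifactId", MAVEN_NS)]


def configured_keys(properties_text):
    """Keys of live property lines; comments and blanks configure nothing."""
    keys = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        keys.append(re.split(r"[=:\s]", line, maxsplit=1)[0])
    return keys


def unconfigured_modules(pom_text, properties_text):
    """Modules in the POM whose property prefix never appears on a live
    line, i.e. modules that will start on their built-in defaults."""
    keys = configured_keys(properties_text)
    missing = []
    for artifact in maven_artifact_ids(pom_text):
        prefix = MODULE_PREFIXES.get(artifact)
        if prefix and not any(re.match(prefix, k) for k in keys):
            missing.append(artifact)
    return missing


if __name__ == "__main__":
    for module in unconfigured_modules(POM_XML, CAS_PROPERTIES):
        print(f"{module}: present in pom.xml but nothing configured for it")
```
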
Re: [cas-user] CAS 5.2/5.3 cas.util.LdapUtils try connect to localhost for LDAP

2020-07-30 Thread mohsen saeedi
I think I added cas-server-support-ldap-service-registry as a dependency, and 
I don't have any configuration parameter for that in cas.properties. Maybe 
the problem is caused by that!!! I will test again and send the result here


Re: [cas-user] CAS 5.2/5.3 cas.util.LdapUtils try connect to localhost for LDAP

2020-07-30 Thread mohsen saeedi
The problem occurs when it tries to connect to LDAP and finally fails to 
start. For example, I defined 192.168.250.71 as ldapUrl but it tries to 
connect to localhost! 

Jul 30 20:58:38 SSO1 server[10311]: 2020-07-30 20:58:38,797 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://localhost:389]>
Jul 30 20:58:38 SSO1 server[10311]: 2020-07-30 20:58:38,797 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://localhost:389]>
Jul 30 20:58:38 SSO1 server[10311]: 2020-07-30 20:58:38,798 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://localhost:389] to [ldap://localhost:389]>
Jul 30 20:58:38 SSO1 server[10311]: 2020-07-30 20:58:38,798 DEBUG 
[org.apereo.cas.util.LdapUtils] - 
Jul 30 20:58:38 SSO1 server[10311]: 2020-07-30 20:58:38,798 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://localhost:389]>
Jul 30 20:58:38 SSO1 server[10311]: 2020-07-30 20:58:38,799 WARN 
[org.apereo.cas.util.LdapUtils] - ldap://localhost:389] given bind credentials are not specified>
Jul 30 20:58:38 SSO1 server[10311]: 2020-07-30 20:58:38,799 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://localhost:389] and bindDn [null]>
Jul 30 20:58:38 SSO1 server[10311]: 2020-07-30 20:58:38,872 ERROR 
[org.ldaptive.pool.BlockingConnectionPool] - 
<[org.ldaptive.pool.BlockingConnectionPool@1048947778::name=null, 
poolConfig=[org.ldaptive.pool.PoolConfig@562606106::minPoolSize=3, 
maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=true, 
validatePeriodically=true, validatePeriod=PT5M, validateTimeout=PT5S], 
activator=null, passivator=null, 
validator=[org.ldaptive.pool.SearchValidator@432073790::searchRequest=[org.ldaptive.SearchRequest@-1800458700::baseDn=,
 
searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), 
parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, 
sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, 
sortBehavior=UNORDERED, searchEntryHandlers=null, 
searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@4a664d6],
 
controls=null, 
referralHandler=org.ldaptive.referral.SearchReferralHandler@6d01e679, 
intermediateResponseHandlers=null]] 
pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@1513537499::prunePeriod=PT2H,
 
idleTime=PT10M], connectOnCreate=true, 
connectionFactory=[org.ldaptive.DefaultConnectionFactory@1545585902::provider=org.ldaptive.provider.jndi.JndiProvider@5d097df4,
 
config=[org.ldaptive.ConnectionConfig@1062824450::ldapUrl=ldap://localhost:389, 
connectTimeout=PT5S, responseTimeout=PT5S, 
sslConfig=[org.ldaptive.ssl.SslConfig@1358873173::credentialConfig=null, 
trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, 
enabledCipherSuites=null, enabledProtocols=null, 
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, 
connectionInitializer=null, 
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@72644410]], 
initialized=false, availableCount=0, activeCount=0] unable to connect to 
the ldap>
Jul 30 20:58:38 SSO1 server[10311]: 
org.ldaptive.provider.ConnectionException: 
javax.naming.CommunicationException: localhost:389 [Root exception is 
java.net.ConnectException: Connection refused (Connection refused)]

But before this error CAS tries to create an LDAP connection factory to 
192.168.250.71. Here are the logs:
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,703 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,704 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,704 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,708 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389] to [ldap://192.168.250.71:389]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,708 DEBUG 
[org.apereo.cas.util.LdapUtils] - 
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,710 DEBUG 
[org.apereo.cas.util.LdapUtils] - 
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,723 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,743 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389] and bindDn [cn=manager,dc=uast,dc=ac,dc=ir]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,751 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,751 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,751 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.250.71:389] to [ldap://192.168.250.71:389]>
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,752 DEBUG 
[org.apereo.cas.util.LdapUtils] - 
Jul 30 20:58:24 SSO1 server[10311]: 2020-07-30 20:58:24,752 DEBUG 
[org.apereo.cas.util.LdapUtils] - 
Jul 30 20:58:24 SSO1 

Re: [cas-user] CAS 5.2/5.3 cas.util.LdapUtils try connect to localhost for LDAP

2020-07-30 Thread Daniel Fisher
On Thu, Jul 30, 2020 at 3:23 AM mohsen saeedi wrote:

> Jul 30 11:24:40 SSO1 server[4213]: 2020-07-30 11:24:40,315 ERROR
> [org.ldaptive.pool.BlockingConnectionPool]
>

What error is reported here?

--Daniel Fisher



[cas-user] CAS 5.2/5.3 cas.util.LdapUtils try connect to localhost for LDAP

2020-07-30 Thread mohsen saeedi
Hi,
I have more than 7 years of experience with Apereo CAS. After we updated our CAS 
overlay version to 5.2.3 (tested with 5.3.6 too), one problem occurs during 
Tomcat startup. 
We define ldapUrl, bindDn and bindCredential in the CAS configuration file. This 
config was working for the older build (version 5.2.2). I think the 
problem is caused by poolPassivator having been added to the overlay (maybe after 
5.1RC2). In this environment, with the oldest build, everything works like a charm. 
However, we enabled debugging for cas.util.LdapUtils and restarted Tomcat. On 
LDAP initialization cas.util.LdapUtils tries to connect to our ldapUrl. Sample 
log:


Jul 30 11:24:25 SSO1 server[4213]: 2020-07-30 11:24:25,594 DEBUG 
[org.apereo.cas.util.LdapUtils] - 
Jul 30 11:24:25 SSO1 server[4213]: 2020-07-30 11:24:25,595 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.xxx.71:389 ldap://ldap.xxx.local:389]>
Jul 30 11:24:25 SSO1 server[4213]: 2020-07-30 11:24:25,582 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://192.168.xxx.71:389 ldap://ldap.xxx.local:389] and bindDn 
[cn=manager,dc=domain]>

But after these logs, cas.util.LdapUtils tries to connect to localhost:389:
Jul 30 11:24:40 SSO1 server[4213]: 2020-07-30 11:24:40,240 DEBUG 
[org.apereo.cas.util.LdapUtils] - ldap://localhost:389]>
Jul 30 11:24:40 SSO1 server[4213]: 2020-07-30 11:24:40,242 WARN 
[org.apereo.cas.util.LdapUtils] - ldap://localhost:389] given bind credentials are not specified>
Jul 30 11:24:40 SSO1 server[4213]: 2020-07-30 11:24:40,315 ERROR 
[org.ldaptive.pool.BlockingConnectionPool]


cas.authn.ldap[0].LdapUrl=ldap://192.168.xxx.71:389 
ldap://ldap.xxx.local:389
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].bindDn=cn=manager,dc=domain
cas.authn.ldap[0].bindCredential=ldap_manager_password
# Bind credentials used to connect to the LDAP instance
#
cas.authn.ldap[0].poolPassivator=NONE
cas.authn.ldap[0].connectionStrategy=DEFAULT
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
# cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].minPoolSize=0
cas.authn.ldap[0].maxPoolSize=10


I used CLOSE and BIND for the passivator to test. What is the problem? When we 
switch back to our oldest CAS (5.2.2, built with the older ldaptive library) it 
starts without any problem. All config and LDAP services were fixed during 
the test. 





Re: [cas-user] CAS 5.2 - OIDC and attribute release

2020-06-09 Thread qla3fa

I use the apache module mod_auth_openidc for my test. My apache conf is:

OIDCProviderMetadataURL https://my-url.com/cas/oidc/.well-known/openid-configuration

OIDCClientID applicationQLA-testPHP
OIDCClientSecret x
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata
OIDCScope "openid email profile"
OIDCResponseType "code"
OIDCRemoteUserClaim email
OIDCRedirectURI http://localhost:8080/callback
OIDCCryptoPassphrase xxx


If I configure OIDCRemoteUserClaim with 'sub', the remote_user variable 
content is ok. But with the email value, apache logs an error:


[Tue Jun 09 15:10:13.444122 2020] [auth_openidc:warn] [pid 11491] 
[client 10.0.2.2:63823] oidc_get_remote_user: JSON object did not 
contain a "email" string
[Tue Jun 09 15:10:13.22 2020] [auth_openidc:error] [pid 11491] 
[client 10.0.2.2:63823] oidc_set_request_user: OIDCRemoteUserClaimis set 
to "email", but could not set the remote user based on the requested 
claim "email" and the available claims for the user
[Tue Jun 09 15:10:13.444767 2020] [auth_openidc:error] [pid 11491] 
[client 10.0.2.2:63823] oidc_handle_authorization_response: remote user 
could not be set


Best regards,

QLA.

On 09/06/2020 at 09:18, Jérôme Steve wrote:
So, what is your client OIDC application configuration? Have you 
configured the scope?


On Mon 8 June 2020 at 18:23, qla3fa wrote:


Thanks for your response.

sn and mail are attributes I extract from my LDAP. I use them with
CAS services and it works... I configured the OAuth2.0 module too and
I use and map these attributes with success... So I think it's ok
with these attributes. It's only with OIDC services that it doesn't work...

Best regards.

QLA.

On 08/06/2020 at 18:01, Jérôme Steve wrote:

Hi,

Your OIDC configuration looks good.

You map your claims like this:
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail
Maybe you don't have sn and email in your attribute repository?



On Mon 8 June 2020 at 16:37, qla3fa wrote:

Hi,

I am trying to configure OIDC with CAS 5.2. I added the module
"cas-server-support-oidc" and the config with these lines:

# Configuration OIDC
cas.authn.oidc.issuer=https://my-url.com/cas/oidc
cas.authn.oidc.skew=5
cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED
cas.authn.oidc.subjectTypes=public,pairwise
cas.authn.oidc.scopes=openid, profile, email

cas.authn.oidc.claims=sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified,address
cas.authn.oidc.claimsMap.given_name=givenName
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail

For my App, I configure service :

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "applicationQLA-testPHP",
  "clientSecret": "x",
  "serviceId" : "^http://localhost:8080/.*",
  "bypassApprovalPrompt": true,
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "token" ] ],
  "name" : "applicationQLAtestPHP",
  "scopes" : [ "java.util.HashSet",
    [ "openid", "email", "profile" ]
  ],
  "id" : 7,
  "evaluationOrder" : 7
}

OIDC authentication works well but in my application the only
attributes I can get are:

sub, auth_time, jti, iss, aud, exp, iat, nbf, amr, state,
nonce, at_hash, preferred_username

But I can't get the attributes of email or profile scope...

In the log file I don't have error messages.

What is wrong with my config?

Thanks for help.
Best regards,

QLA


Re: [cas-user] CAS 5.2 - OIDC and attribute release

2020-06-09 Thread Jérôme Steve
So, what is your client OIDC application configuration? Have you
configured the scope?



Re: [cas-user] CAS 5.2 - OIDC and attribute release

2020-06-08 Thread qla3fa

Thanks for your response.

sn and mail are attributes I extract from my LDAP. I use them with CAS 
services and it works... I configured the OAuth 2.0 module too and I use and 
map these attributes with success... So I think it's ok with these 
attributes. It's only with OIDC services that it doesn't work...


Best regards.

QLA.

On 08/06/2020 at 18:01, Jérôme Steve wrote:

Hi,

Your OIDC configuration looks good.

You map your claims like this:
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail
Maybe you don't have sn and email in your attribute repository?



On Mon, 8 Jun 2020 at 16:37, qla3fa wrote:


Hi,

I'm trying to configure OIDC with CAS 5.2. I added the module
"cas-server-support-oidc" and the config with these lines:

# Configuration OIDC
cas.authn.oidc.issuer=https://my-url.com/cas/oidc
cas.authn.oidc.skew=5
cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED
cas.authn.oidc.subjectTypes=public,pairwise
cas.authn.oidc.scopes=openid, profile, email

cas.authn.oidc.claims=sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified,address
cas.authn.oidc.claimsMap.given_name=givenName
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail

For my app, I configured the service:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "applicationQLA-testPHP",
  "clientSecret": "x",
  "serviceId" : "^http://localhost:8080/.*",
  "bypassApprovalPrompt": true,
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "token" ] ],
  "name" : "applicationQLAtestPHP",
  "scopes" : [ "java.util.HashSet", [ "openid", "email", "profile" ] ],
  "id" : 7,
  "evaluationOrder" : 7
}

OIDC authentication works well, but in my application the only
attributes I can get are:

sub, auth_time, jti, iss, aud, exp, iat, nbf, amr, state, nonce,
at_hash, preferred_username

But I can't get the attributes of the email or profile scope...

In the log file I don't have error messages.

What is wrong with my config?

Thanks for help.
Best regards,

QLA






Re: [cas-user] CAS 5.2 - OIDC and attribute release

2020-06-08 Thread Jérôme Steve
Hi,

Your OIDC configuration looks good.

You map your claims like this:
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail
Maybe you don't have sn and email in your attribute repository?



On Mon, 8 Jun 2020 at 16:37, qla3fa wrote:

> Hi,
>
> I'm trying to configure OIDC with CAS 5.2. I added the module
> "cas-server-support-oidc" and the config with these lines:
>
> # Configuration OIDC
> cas.authn.oidc.issuer=https://my-url.com/cas/oidc
> cas.authn.oidc.skew=5
> cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
> cas.authn.oidc.jwksCacheInMinutes=60
> cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED
> cas.authn.oidc.subjectTypes=public,pairwise
> cas.authn.oidc.scopes=openid, profile, email
>
> cas.authn.oidc.claims=sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified,address
> cas.authn.oidc.claimsMap.given_name=givenName
> cas.authn.oidc.claimsMap.name=sn
> cas.authn.oidc.claimsMap.email=mail
>
> For my app, I configured the service:
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "clientId": "applicationQLA-testPHP",
>   "clientSecret": "x",
>   "serviceId" : "^http://localhost:8080/.*",
>   "bypassApprovalPrompt": true,
>   "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "token" ] ],
>   "name" : "applicationQLAtestPHP",
>   "scopes" : [ "java.util.HashSet", [ "openid", "email", "profile" ] ],
>   "id" : 7,
>   "evaluationOrder" : 7
> }
>
> OIDC authentication works well, but in my application the only attributes I
> can get are:
>
> sub, auth_time, jti, iss, aud, exp, iat, nbf, amr, state, nonce, at_hash,
> preferred_username
>
> But I can't get the attributes of the email or profile scope...
>
> In the log file I don't have error messages.
>
> What is wrong with my config?
>
> Thanks for help.
> Best regards,
>
> QLA
>



[cas-user] CAS 5.2 - OIDC and attribute release

2020-06-08 Thread qla3fa

Hi,

I'm trying to configure OIDC with CAS 5.2. I added the module 
"cas-server-support-oidc" and the config with these lines:


# Configuration OIDC
cas.authn.oidc.issuer=https://my-url.com/cas/oidc
cas.authn.oidc.skew=5
cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED
cas.authn.oidc.subjectTypes=public,pairwise
cas.authn.oidc.scopes=openid, profile, email
cas.authn.oidc.claims=sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified,address
cas.authn.oidc.claimsMap.given_name=givenName
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail

For my app, I configured the service:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "applicationQLA-testPHP",
  "clientSecret": "x",
  "serviceId" : "^http://localhost:8080/.*",
  "bypassApprovalPrompt": true,
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "token" ] ],
  "name" : "applicationQLAtestPHP",
  "scopes" : [ "java.util.HashSet", [ "openid", "email", "profile" ] ],
  "id" : 7,
  "evaluationOrder" : 7
}

OIDC authentication works well, but in my application the only attributes 
I can get are:

sub, auth_time, jti, iss, aud, exp, iat, nbf, amr, state, nonce, 
at_hash, preferred_username

But I can't get the attributes of the email or profile scope...

In the log file I don't have error messages.

What is wrong with my config?

Thanks for help.
Best regards,

QLA
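The question above and Jérôme's reply come down to one chain: a requested scope names a set of standard claims, each claim is filled from the principal attribute named in cas.authn.oidc.claimsMap.<claim> (or, without a mapping, from an attribute with the claim's own name), and a claim whose attribute is not on the principal is silently left out, with nothing in the CAS log. The script below is an added example written for this thread, not CAS code; it models that chain so an operator can see which mapped claims have no backing attribute. The property lines are a constructed copy of the ones in the post, the principal attributes are constructed, and the scope-to-claims table is the standard one from OpenID Connect Core 1.0 section 5.4.

```python
"""Model of the CAS OIDC scope -> claim -> principal-attribute chain.

Added example; this is not CAS code.  It assumes what the thread describes:
a claim is filled from the principal attribute named in
cas.authn.oidc.claimsMap.<claim>, or, without a mapping, from an attribute
with the claim's own name.  Property lines and principal attributes below
are constructed for the example.
"""
import re

# Scope -> claims table from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# Constructed copy of the relevant cas.properties lines from the post.
CAS_PROPERTIES = """
cas.authn.oidc.scopes=openid, profile, email
cas.authn.oidc.claimsMap.given_name=givenName
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail
"""

_CLAIMS_MAP_RE = re.compile(r"^cas\.authn\.oidc\.claimsMap\.([\w-]+)\s*=\s*(\S+)$")


def parse_claims_map(properties):
    """Return {claim: attribute} for every cas.authn.oidc.claimsMap.* line."""
    mapping = {}
    for raw in properties.splitlines():
        m = _CLAIMS_MAP_RE.match(raw.strip())
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def resolve_claims(principal_id, requested_scopes, principal_attrs, claims_map):
    """Return (released, unresolved) for one authentication.

    released   -- {claim: value}; 'sub' is always the principal id, every
                  other claim is copied from its backing attribute.
    unresolved -- claims of the requested scopes with no backing attribute
                  on the principal.  The relying party simply never sees
                  them, which is the symptom described in this thread.
    """
    released = {"sub": principal_id}
    unresolved = []
    for scope in requested_scopes:
        for claim in SCOPE_CLAIMS.get(scope, []):
            if claim == "sub":
                continue
            attribute = claims_map.get(claim, claim)
            if attribute in principal_attrs:
                released[claim] = principal_attrs[attribute]
            else:
                unresolved.append(claim)
    return released, unresolved


def diagnose(principal_id, principal_attrs, properties=CAS_PROPERTIES):
    """One-call check: released claims plus the claimsMap entries that cannot be filled."""
    scopes_line = re.search(r"cas\.authn\.oidc\.scopes\s*=\s*(.+)", properties).group(1)
    scopes = [s.strip() for s in scopes_line.split(",")]
    claims_map = parse_claims_map(properties)
    released, unresolved = resolve_claims(principal_id, scopes, principal_attrs, claims_map)
    # Mapped claims are the ones the operator explicitly expects to work,
    # so report those separately from the long tail of optional claims.
    broken_mappings = {c: a for c, a in claims_map.items() if c in unresolved}
    return released, broken_mappings


if __name__ == "__main__":
    # Constructed principal as LDAP would return it when the attribute
    # repository fetched uid, sn, givenName and mail.
    full = {"uid": "jdoe", "sn": "Doe", "givenName": "Jane", "mail": "jdoe@example.org"}
    print(diagnose("jdoe", full))
    # Same configuration, but sn and mail were never fetched: only 'sub' survives.
    print(diagnose("jdoe", {"uid": "jdoe"}))
```

The second call in the `__main__` block reproduces the symptom in the post: every mapped claim is reported as broken while nothing fails, because from CAS's point of view there is simply no attribute to release. In a real deployment the attributes to check are the ones the LDAP principalAttributeList actually fetched, not the ones present in the directory.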



Re: [cas-user] cas 5.2.x leaking connections

2020-01-13 Thread Daniel Fisher
On Mon, Jan 13, 2020 at 11:26 AM Trenton D. Adams wrote:

> We are using Java 8 though, and we are using the UnboundIDProvider.
>

Can you post some logs that demonstrate the problem? Both application logs
and OS netstat logs would be useful.

--Daniel Fisher



Re: [cas-user] cas 5.2.x leaking connections

2020-01-13 Thread Trenton D. Adams

We are using Java 8 though, and we are using the UnboundIDProvider.

On 2020-01-11 8:25 a.m., Daniel Fisher wrote:
On Fri, Jan 10, 2020 at 5:40 PM Trenton D. Adams <tre...@athabascau.ca> wrote:

Below is the configuration we're using for both LDAP and the password manager.  
We were hoping someone would understand why this could be happening, as the CAS 
documentation is not very good for these settings, and neither are the javadoc 
or Ldaptive docs.  I hope someone with more CAS experience, such as a dev, 
might be able to help?

There is a JNDI bug in java versions >= 9 that leaks connections. Switching to 
the UnboundID provider is the simplest solution.

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

I thought that CAS used the UnboundID provider by default, so I'm curious why 
you were impacted by this bug.

(Another solution is to use Java 8)

--Daniel Fisher


--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195

It is only when you are surrounded by a supportive team, that you can achieve
your best.  Instead of tearing people down, try building them up!

--
This communication is intended for the use of the recipient to whom it is 
addressed, and may contain confidential, personal, and or privileged 
information. Please contact us immediately if you are not the intended 
recipient of this communication, and do not copy, distribute, or take action 
relying on it. Any communications received in error, or subsequent reply, 
should be deleted or destroyed.
---



Re: [cas-user] cas 5.2.x leaking connections

2020-01-11 Thread Daniel Fisher
On Fri, Jan 10, 2020 at 5:40 PM Trenton D. Adams wrote:

> Below is the configuration we're using for both LDAP and the password
> manager.  We were hoping someone would understand why this could be happening,
> as the CAS documentation is not very good for these settings, and neither are
> the javadoc or Ldaptive docs.  I hope someone with more CAS experience,
> such as a dev, might be able to help?
>

There is a JNDI bug in java versions >= 9 that leaks connections. Switching
to the UnboundID provider is the simplest solution.

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

I thought that CAS used the UnboundID provider by default, so I'm curious
why you were impacted by this bug.

(Another solution is to use Java 8)

--Daniel Fisher



Re: [cas-user] cas 5.2.x leaking connections

2020-01-10 Thread Trenton Adams
Those docs appear to imply that passivators are essentially required, or 
authenticated state information gets shared, no?


From: cas-user@apereo.org  on behalf of David Curry 

Sent: January 10, 2020 5:15 PM
To: CAS Community 
Subject: Re: [cas-user] cas 5.2.x leaking connections

You might want to experiment with turning the passivator off, or changing its 
setting. Not sure that's it, but it might help?

https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#why-passivators



--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Jan 10, 2020 at 5:40 PM Trenton D. Adams <tre...@athabascau.ca> wrote:

Good day,

We are having some problems with CAS 5.2.x leaking connections in our 
production environment.  We're not sure how or why this is happening.  What we 
do know is that they are no longer part of the pool, because if they were we'd 
run out of connections in the pool.  However, there is a limit to the number of 
connections an LDAP server can handle, so it requires a CAS restart regularly.

Below is the configuration we're using for both LDAP and the password manager.  
We were hoping someone would understand why this could be happening, as the CAS 
documentation is not very good for these settings, and neither are the javadoc 
or Ldaptive docs.  I hope someone with more CAS experience, such as a dev, 
might be able to help?


cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Student,ou=People,dc=example,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=uid,udcid:UDC_IDENTIFIER

cas.authn.ldap[1].type=ANONYMOUS
cas.authn.ldap[1].ldapUrl=ldap://ldap.example.ca:389
cas.authn.ldap[1].useSsl=false
cas.authn.ldap[1].baseDn=ou=Staff,ou=People,dc=example,dc=com
cas.authn.ldap[1].userFilter=uid={user}
cas.authn.ldap[1].principalAttributeId=uid
cas.authn.ldap[1].principalAttributeList=uid,udcid:UDC_IDENTIFIER

cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.ldapUrl=ldap://ldap.example.com:389
cas.authn.pm.ldap.connectionStrategy=ACTIVE_PASSIVE
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.useStartTls=false
cas.authn.pm.ldap.connectTimeout=5000
cas.authn.pm.ldap.baseDn=ou=People,dc=example,dc=com
cas.authn.pm.ldap.userFilter=uid={user}
cas.authn.pm.ldap.subtreeSearch=true
cas.authn.pm.ldap.bindDn=cn=Manager,dc=example,dc=com
cas.authn.pm.ldap.bindCredential=
cas.authn.pm.ldap.trustCertificates=
cas.authn.pm.ldap.poolPassivator=BIND
cas.authn.pm.ldap.minPoolSize=3
cas.authn.pm.ldap.maxPoolSize=10
cas.authn.pm.ldap.validateOnCheckout=true
cas.authn.pm.ldap.validatePeriodically=true
cas.authn.pm.ldap.validatePeriod=600
cas.authn.pm.ldap.validateTimeout=5000
cas.authn.pm.ldap.failFast=false
cas.authn.pm.ldap.idleTime=500
cas.authn.pm.ldap.prunePeriod=600
cas.authn.pm.ldap.blockWaitTime=5000
cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.pm.ldap.securityQuestionsAttributes.challengeQuestion=challengeResponse
cas.authn.pm.ldap.validator.type=SEARCH
cas.authn.pm.ldap.validator.baseDn=ou=Staff,ou=People,dc=example,dc=com
cas.authn.pm.ldap.validator.searchFilter=(uid=some-user)
cas.authn.pm.ldap.validator.scope=ONELEVEL
cas.authn.pm.ldap.validator.attributeName=cn
cas.authn.pm.ldap.validator.attributeValues=Some Name
cas.authn.pm.ldap.validator.dn=

--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195

It is only when you are surrounded by a supportive team, that you can achieve
your best.  Instead of tearing people down, try building them up!

--
This communication is intended for the use of the recipient to whom it is 
addressed, and may contain confidential, personal, and or privileged 
information. Please contact us immediately if you are not the intended 
recipient of this communication, and do not copy, distribute, or take action 
relying on it. Any communications received in error, or subsequent reply, 
should be deleted or destroyed.
---


Re: [cas-user] cas 5.2.x leaking connections

2020-01-10 Thread David Curry
You might want to experiment with turning the passivator off, or changing
its setting. Not sure that's it, but it might help?

https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#why-passivators


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Jan 10, 2020 at 5:40 PM Trenton D. Adams wrote:

> Good day,
>
> We are having some problems with CAS 5.2.x leaking connections in our
> production environment.  We're not sure how or why this is happening.  What
> we do know is that they are no longer part of the pool, because if they
> were we'd run out of connections in the pool.  However, there is a limit to
> the number of connections an LDAP server can handle, so it requires a CAS
> restart regularly.
>
> Below is the configuration we're using for both LDAP and the password
> manager.  We were hoping someone would understand why this could be happening,
> as the CAS documentation is not very good for these settings, and neither are
> the javadoc or Ldaptive docs.  I hope someone with more CAS experience,
> such as a dev, might be able to help?
>
>
> cas.authn.ldap[0].type=ANONYMOUS
> cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com:389
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].baseDn=ou=Student,ou=People,dc=example,dc=com
> cas.authn.ldap[0].userFilter=uid={user}
> cas.authn.ldap[0].principalAttributeId=uid
> cas.authn.ldap[0].principalAttributeList=uid,udcid:UDC_IDENTIFIER
>
> cas.authn.ldap[1].type=ANONYMOUS
> cas.authn.ldap[1].ldapUrl=ldap://ldap.example.ca:389
> cas.authn.ldap[1].useSsl=false
> cas.authn.ldap[1].baseDn=ou=Staff,ou=People,dc=example,dc=com
> cas.authn.ldap[1].userFilter=uid={user}
> cas.authn.ldap[1].principalAttributeId=uid
> cas.authn.ldap[1].principalAttributeList=uid,udcid:UDC_IDENTIFIER
>
> cas.authn.pm.ldap.type=GENERIC
> cas.authn.pm.ldap.ldapUrl=ldap://ldap.example.com:389
> cas.authn.pm.ldap.connectionStrategy=ACTIVE_PASSIVE
> cas.authn.pm.ldap.useSsl=false
> cas.authn.pm.ldap.useStartTls=false
> cas.authn.pm.ldap.connectTimeout=5000
> cas.authn.pm.ldap.baseDn=ou=People,dc=example,dc=com
> cas.authn.pm.ldap.userFilter=uid={user}
> cas.authn.pm.ldap.subtreeSearch=true
> cas.authn.pm.ldap.bindDn=cn=Manager,dc=example,dc=com
> cas.authn.pm.ldap.bindCredential=
> cas.authn.pm.ldap.trustCertificates=
> cas.authn.pm.ldap.poolPassivator=BIND
> cas.authn.pm.ldap.minPoolSize=3
> cas.authn.pm.ldap.maxPoolSize=10
> cas.authn.pm.ldap.validateOnCheckout=true
> cas.authn.pm.ldap.validatePeriodically=true
> cas.authn.pm.ldap.validatePeriod=600
> cas.authn.pm.ldap.validateTimeout=5000
> cas.authn.pm.ldap.failFast=false
> cas.authn.pm.ldap.idleTime=500
> cas.authn.pm.ldap.prunePeriod=600
> cas.authn.pm.ldap.blockWaitTime=5000
> cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.pm.ldap.securityQuestionsAttributes.challengeQuestion=challengeResponse
> cas.authn.pm.ldap.validator.type=SEARCH
> cas.authn.pm.ldap.validator.baseDn=ou=Staff,ou=People,dc=example,dc=com
> cas.authn.pm.ldap.validator.searchFilter=(uid=some-user)
> cas.authn.pm.ldap.validator.scope=ONELEVEL
> cas.authn.pm.ldap.validator.attributeName=cn
> cas.authn.pm.ldap.validator.attributeValues=Some Name
> cas.authn.pm.ldap.validator.dn=
>
> --
> Trenton D. Adams
> Senior Systems Analyst/Web Software Developer
> Applications Unit - ITS
> Athabasca University
> (780) 675-6195
>
> It is only when you are surrounded by a supportive team, that you can achieve
> your best.  Instead of tearing people down, try building them up!
>
> --
>
> This communication is intended for the use of the recipient to whom it is
> addressed, and may contain confidential, personal, and or privileged
> information. Please contact us immediately if you are not the intended
> recipient of this communication, and do not copy, distribute, or take
> action relying on it. Any communications received in error, or subsequent
> reply, should be deleted or destroyed.
>
> ---
>


[cas-user] cas 5.2.x leaking connections

2020-01-10 Thread Trenton D. Adams

Good day,

We are having some problems with CAS 5.2.x leaking connections in our 
production environment.  We're not sure how or why this is happening.  What we 
do know is that they are no longer part of the pool, because if they were we'd 
run out of connections in the pool.  However, there is a limit to the number of 
connections an LDAP server can handle, so it requires a CAS restart regularly.

Below is the configuration we're using for both LDAP and the password manager.  
We were hoping someone would understand why this could be happening, as the CAS 
documentation is not very good for these settings, and neither are the javadoc 
or Ldaptive docs.  I hope someone with more CAS experience, such as a dev, 
might be able to help?


cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Student,ou=People,dc=example,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=uid,udcid:UDC_IDENTIFIER

cas.authn.ldap[1].type=ANONYMOUS
cas.authn.ldap[1].ldapUrl=ldap://ldap.example.ca:389
cas.authn.ldap[1].useSsl=false
cas.authn.ldap[1].baseDn=ou=Staff,ou=People,dc=example,dc=com
cas.authn.ldap[1].userFilter=uid={user}
cas.authn.ldap[1].principalAttributeId=uid
cas.authn.ldap[1].principalAttributeList=uid,udcid:UDC_IDENTIFIER

cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.ldapUrl=ldap://ldap.example.com:389
cas.authn.pm.ldap.connectionStrategy=ACTIVE_PASSIVE
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.useStartTls=false
cas.authn.pm.ldap.connectTimeout=5000
cas.authn.pm.ldap.baseDn=ou=People,dc=example,dc=com
cas.authn.pm.ldap.userFilter=uid={user}
cas.authn.pm.ldap.subtreeSearch=true
cas.authn.pm.ldap.bindDn=cn=Manager,dc=example,dc=com
cas.authn.pm.ldap.bindCredential=
cas.authn.pm.ldap.trustCertificates=
cas.authn.pm.ldap.poolPassivator=BIND
cas.authn.pm.ldap.minPoolSize=3
cas.authn.pm.ldap.maxPoolSize=10
cas.authn.pm.ldap.validateOnCheckout=true
cas.authn.pm.ldap.validatePeriodically=true
cas.authn.pm.ldap.validatePeriod=600
cas.authn.pm.ldap.validateTimeout=5000
cas.authn.pm.ldap.failFast=false
cas.authn.pm.ldap.idleTime=500
cas.authn.pm.ldap.prunePeriod=600
cas.authn.pm.ldap.blockWaitTime=5000
cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.pm.ldap.securityQuestionsAttributes.challengeQuestion=challengeResponse
cas.authn.pm.ldap.validator.type=SEARCH
cas.authn.pm.ldap.validator.baseDn=ou=Staff,ou=People,dc=example,dc=com
cas.authn.pm.ldap.validator.searchFilter=(uid=some-user)
cas.authn.pm.ldap.validator.scope=ONELEVEL
cas.authn.pm.ldap.validator.attributeName=cn
cas.authn.pm.ldap.validator.attributeValues=Some Name
cas.authn.pm.ldap.validator.dn=

--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195

It is only when you are surrounded by a supportive team, that you can achieve
your best.  Instead of tearing people down, try building them up!

--
This communication is intended for the use of the recipient to whom it is 
addressed, and may contain confidential, personal, and or privileged 
information. Please contact us immediately if you are not the intended 
recipient of this communication, and do not copy, distribute, or take action 
relying on it. Any communications received in error, or subsequent reply, 
should be deleted or destroyed.
---
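Daniel's request in this thread is for application logs plus netstat output. The socket side can be checked mechanically: a connection pool can never hold more than maxPoolSize open connections, so a count of ESTABLISHED sockets to the LDAP port that keeps climbing past that limit means connections are being opened outside the pool and never closed, which is exactly the symptom Trenton describes. The script below is an added example written for this thread, not CAS or Ldaptive code. It parses `ss -tn` or netstat style output, compares the per-peer count with the maxPoolSize from the cas.properties block above, and flags peers over the limit. The socket listing and the property lines are constructed copies for the example.

```python
"""Count LDAP sockets held by the CAS host and compare with the pool limit.

Added example, not CAS or Ldaptive code.  Socket lines and property lines
below are constructed; on a real host feed in the output of `ss -tn` (or
`netstat -tn`) collected from the CAS machine at intervals.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed copy of the pool-related properties from the post.
CAS_PROPERTIES = """
cas.authn.pm.ldap.ldapUrl=ldap://ldap.example.com:389
cas.authn.pm.ldap.minPoolSize=3
cas.authn.pm.ldap.maxPoolSize=10
"""

# Constructed socket listing in `ss -tn` format (state first) with one
# netstat-style line (state last) mixed in; both layouts are accepted.
SOCKET_LISTING = "\n".join(
    ["State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port"]
    + [f"ESTAB  0      0       10.0.0.5:{44000 + i}      10.0.0.20:389" for i in range(12)]
    + ["ESTAB  0      0       10.0.0.5:44100      10.0.0.21:389",
       "TIME-WAIT  0  0       10.0.0.5:44101      10.0.0.20:389",
       "ESTAB  0      0       10.0.0.5:44102      10.0.0.20:636",
       "tcp    0      0       10.0.0.5:44103      10.0.0.21:389   ESTABLISHED"]
)

_ENDPOINT_RE = re.compile(r"^(\S+):(\d+)$")
_ESTABLISHED = {"ESTAB", "ESTABLISHED"}


def pool_limit(properties, prefix="cas.authn.pm.ldap"):
    """Return (ldap_port, maxPoolSize) for one CAS LDAP property block."""
    url = re.search(rf"^{re.escape(prefix)}\.ldapUrl\s*=\s*(\S+)", properties, re.M).group(1)
    size = re.search(rf"^{re.escape(prefix)}\.maxPoolSize\s*=\s*(\d+)", properties, re.M).group(1)
    parsed = urlsplit(url)
    port = parsed.port or (636 if parsed.scheme == "ldaps" else 389)
    return port, int(size)


def established_by_peer(listing, port):
    """Count ESTABLISHED sockets per peer host whose peer port is `port`."""
    counts = Counter()
    for line in listing.splitlines():
        fields = line.split()
        if not fields or not (_ESTABLISHED & set(fields)):
            continue  # header, LISTEN, TIME-WAIT and similar are not held connections
        endpoints = [m for m in (_ENDPOINT_RE.match(f) for f in fields) if m]
        if len(endpoints) < 2:
            continue
        peer_host, peer_port = endpoints[1].group(1), int(endpoints[1].group(2))
        if peer_port == port:
            counts[peer_host] += 1
    return counts


def leaking_peers(counts, max_pool):
    """Return {peer: count} for peers holding more sockets than the pool allows."""
    return {peer: n for peer, n in counts.items() if n > max_pool}


if __name__ == "__main__":
    port, max_pool = pool_limit(CAS_PROPERTIES)
    counts = established_by_peer(SOCKET_LISTING, port)
    print(dict(counts), leaking_peers(counts, max_pool))
```

Two caveats when reading the numbers. Every pool that points at the same directory host adds its own maxPoolSize to the legitimate total (the ldap[0] and ldap[1] handlers above use their defaults), so compare against the sum, and on a host where CAS is not the only LDAP client use `ss -tnp` and keep only the JVM's sockets. A count that sits above the limit and grows between samples, rather than a one-off spike, is the leak signature worth attaching to a bug report along with the application log.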



Re: [cas-user] CAS 5.2.x OAuth2 Server support

2019-10-17 Thread Gandhi Pullalarevu
Hi Rao,

Can you share the sample request? It would be helpful for me.

Thanks,
Gandhi Reddy P.

On Thu, Oct 17, 2019 at 9:57 PM Mr Rao  wrote:

> Hi Gandhi,
>
> Thank you for your quick response. Actually it's working when you pass in
> the body instead of params. I tried using Postman to test it.
>
> Rao
>
> On Wednesday, October 16, 2019 at 9:50:42 PM UTC-7, Gandhi wrote:
>>
>> Hi Rao,
>>
>> Yes, I faced the same issue as the sensitive information is passed over
>> request params. You can configure Tomcat to not log the request params as
>> below:
>>
>>
>> In tomcat server.xml, at the end of the file, find the below entry
>>
>> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>>        prefix="localhost_access_log." suffix=".txt"
>>        pattern="%h %l %u %t %r %s %b" />
>>
>> and update it to
>>
>> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>>        prefix="localhost_access_log." suffix=".txt"
>>        pattern="%h %l %u %t %m %U %H %s %b" />
>>
>>
>> Hope this helps.
>>
>> Thanks,
>> Gandhi Reddy P.
>>
>> On Thu, Oct 17, 2019 at 5:34 AM Mr Rao  wrote:
>>
>>> Hi,
>>>
>>> Currently we use CAS for SSO between web applications, now I'm trying to
>>> use it for RESTful web services token-based authentication using OAuth2/JWT
>>> tokens.
>>>
>>> When I was playing with it I noticed that for accessing a token we need
>>> to pass client_id, client_secret for grant type client credentials and
>>> username/password for grant type password as parameters. I think it's very
>>> unsecured because these show up in Tomcat access logs.
>>>
>>> Is there any way to pass these as part of the body or HTTP headers instead of
>>> params without me overriding a lot of CAS code?
>>>
>>> Thanks
>>>
>>> Rao
>>>
>>
>> *This mail contains confidential information intended only for the
>> individual(s) named. If you’re not the named addressee, don’t disseminate,
>> distribute or copy this e-mail. Please notify the sender immediately and
>> delete it from your system.If you wish not to receive such e-mails you may
>> reply with text “Unsubscribe”.*
>

-- 
_This mail contains confidential information intended only for the 
individual(s) named. If you’re not the named addressee, don’t disseminate, 
distribute or copy this e-mail. Please notify the sender immediately and 
delete it from your system.If you wish not to receive such e-mails you may 
reply with text “Unsubscribe”._

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAXuvfOd4TgnR_ci%2BJqzXt1qFntTDtdVsNCt5SUxwCso9N4P%2BA%40mail.gmail.com.


Re: [cas-user] CAS 5.2.x OAuth2 Server support

2019-10-17 Thread Mr Rao
Hi Gandhi,

Thank you for your quick response. Actually it's working when you pass in 
the body instead of params. I tried using Postman to test it.

Rao

On Wednesday, October 16, 2019 at 9:50:42 PM UTC-7, Gandhi wrote:
>
> Hi Rao,
>
> Yes, I faced the same issue as the sensitive information is passed over 
> request params. You can configure Tomcat to not log the request params as 
> below:
>
>
> In tomcat server.xml, at the end of the file, find the below entry
>
>     <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>            prefix="localhost_access_log." suffix=".txt"
>            pattern="%h %l %u %t %r %s %b" />
>
> and update it to
>
>     <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>            prefix="localhost_access_log." suffix=".txt"
>            pattern="%h %l %u %t %m %U %H %s %b" />
>
>
> Hope this helps.
>
> Thanks,
> Gandhi Reddy P.
>
> On Thu, Oct 17, 2019 at 5:34 AM Mr Rao wrote:
>
>> Hi,
>>
>> Currently we use CAS for SSO between web applications, now I'm trying to 
>> use it for RESTful web services token-based authentication using OAuth2/JWT 
>> tokens.
>>
>> When I was playing with it I noticed that for accessing a token we need to 
>> pass client_id, client_secret for grant type client credentials and 
>> username/password for grant type password as parameters. I think it's very 
>> unsecured because these show up in the Tomcat access logs.
>>
>> Is there any way to pass them as part of the body or HTTP headers instead of 
>> params without me overriding a lot of CAS code?
>>
>> Thanks
>>
>> Rao
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/479f0191-b3cf-4869-8275-41b2965e89cb%40apereo.org.


Re: [cas-user] CAS 5.2.x OAuth2 Server support

2019-10-16 Thread Gandhi Pullalarevu
Hi Rao,

Yes, I faced the same issue as the sensitive information is passed over
request params. You can configure Tomcat to not log the request params as
below:


In tomcat server.xml, at the end of the file, find the below entry

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t %r %s %b" />

and update it to

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t %m %U %H %s %b" />


Hope this helps.

Thanks,
Gandhi Reddy P.

On Thu, Oct 17, 2019 at 5:34 AM Mr Rao wrote:

> Hi,
>
> Currently we use CAS for SSO between web applications, now I'm trying to
> use it for RESTful web services token-based authentication using OAuth2/JWT
> tokens.
>
> When I was playing with it I noticed that for accessing a token we need to
> pass client_id, client_secret for grant type client credentials and
> username/password for grant type password as parameters. I think it's very
> unsecured because these show up in the Tomcat access logs.
>
> Is there any way to pass them as part of the body or HTTP headers instead of
> params without me overriding a lot of CAS code?
>
> Thanks
>
> Rao
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAXuvfMpHHiwArXVDz4XcEtSd-aLoWFTiB%3DsUVTq23jvaZ0PAA%40mail.gmail.com.
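As an added illustration (not from the thread, and not CAS or Tomcat code), the following Python models what AccessLogValve writes under the two patterns Gandhi shows, and why Rao's move of the credentials into the POST body keeps them out of the access log: `%r` expands to the whole request line including the query string, `%m %U %H` writes method, path and protocol only, and the request body is never part of an access log entry under any pattern. The `/cas/oauth2.0/accessToken` path and the request values are constructed sample data, and `leaked_params` is a hypothetical helper that scans a log line for credential-bearing query parameters, the kind of check a log pipeline can run to catch this misconfiguration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The two AccessLogValve patterns from the thread.
WEAK_PATTERN = "%h %l %u %t %r %s %b"        # %r = full request line, query string included
SAFE_PATTERN = "%h %l %u %t %m %U %H %s %b"  # method, path and protocol only

# Query parameter names that should never reach an access log.
SENSITIVE_PARAMS = ("client_secret", "password", "access_token", "refresh_token")


@dataclass
class Request:
    """Just enough of an HTTP request for the access-log model (constructed)."""
    remote_host: str
    method: str
    uri: str                      # path plus optional ?query, as on the request line
    protocol: str = "HTTP/1.1"
    headers: dict = field(default_factory=dict)
    body: str = ""                # form body; AccessLogValve never writes it
    status: int = 200
    bytes_sent: int = 512
    timestamp: str = "[16/Oct/2019:21:50:42 -0700]"


def format_access_log(pattern: str, req: Request) -> str:
    """Expand the Tomcat pattern codes used in the thread for one request."""
    parts = urlsplit(req.uri)
    codes = {
        "%h": req.remote_host,
        "%l": "-",                                       # identd user, always '-'
        "%u": "-",                                       # no container-authenticated user
        "%t": req.timestamp,
        "%r": f"{req.method} {req.uri} {req.protocol}",  # the leaky one
        "%m": req.method,
        "%U": parts.path,                                # path without query string
        "%H": req.protocol,
        "%q": f"?{parts.query}" if parts.query else "",
        "%s": str(req.status),
        "%b": str(req.bytes_sent) if req.bytes_sent else "-",
    }
    return re.sub(r"%[A-Za-z]", lambda m: codes.get(m.group(0), m.group(0)), pattern)


def leaked_params(log_line: str) -> list:
    """Hypothetical detection: sensitive parameter names present as ?name= or &name=."""
    return [name for name in SENSITIVE_PARAMS if re.search(rf"[?&]{name}=", log_line)]


def token_requests() -> dict:
    """Constructed client-credentials requests: secret in the query string vs. in the body."""
    secret = "constructed-secret"
    form = f"grant_type=client_credentials&client_id=demo&client_secret={secret}"
    path = "/cas/oauth2.0/accessToken"   # endpoint path assumed from the CAS 5.x OAuth docs
    return {
        "query": Request("10.0.0.5", "POST", f"{path}?{form}"),
        "body": Request("10.0.0.5", "POST", path,
                        headers={"Content-Type": "application/x-www-form-urlencoded"},
                        body=form),
    }


def compare() -> dict:
    """Log lines for each request under each pattern, keyed 'pattern/request'."""
    reqs = token_requests()
    return {
        f"{label}/{name}": format_access_log(pattern, req)
        for label, pattern in (("weak", WEAK_PATTERN), ("safe", SAFE_PATTERN))
        for name, req in reqs.items()
    }


if __name__ == "__main__":
    for key, line in compare().items():
        flag = "LEAK " if leaked_params(line) else "ok   "
        print(f"{flag}{key:11} {line}")
```

`%q` would put the query string back, so do not add it for endpoints that accept credentials. Changing the pattern fixes the access log only: CAS debug logging, reverse proxies and TLS-terminating load balancers each keep their own request logs, and RFC 6749 already requires client credentials to travel in the Authorization header or the request body, never in the request URI, so moving them out of the query string is the correct fix on the client side as well.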


[cas-user] CAS 5.2.x OAuth2 Server support

2019-10-16 Thread Mr Rao


Hi,

Currently we use CAS for SSO between web applications, now I'm trying to 
use it for RESTful web services token-based authentication using OAuth2/JWT 
tokens.

When I was playing with it I noticed that for accessing a token we need to 
pass client_id, client_secret for grant type client credentials and 
username/password for grant type password as parameters. I think it's very 
unsecured because these show up in the Tomcat access logs.

Is there any way to pass them as part of the body or HTTP headers instead of 
params without me overriding a lot of CAS code?

Thanks

Rao

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/48a85b67-1292-40c0-ac6c-c514af786687%40apereo.org.


Re: [cas-user] CAS 5.2 and AD - Auth fail for just one OU

2019-03-26 Thread Matthew Uribe
Thanks David.

After getting someone from the AD side to sit down and look at it with me, 
we were able to find in the logs on the DC the following error for the 
affected users: "The user has not been granted the requested logon type 
(aka logon right) at this machine"

It looks like the issue really is on the AD side, so I'll let them work it 
out.

Thanks again.
Matt


On Monday, March 25, 2019 at 3:21:27 PM UTC-6, David Curry wrote:
>
> Just a quick off the cuff thought, but could there be a syntax error in 
> the properties file somewhere before the dn setting that's causing that 
> line to be misread?
>
>
>
> David A. Curry,  CISSP
> Director of Information Security
> The New School - Information Technology
> 71 Fifth Ave., 9th Fl. ~ New York, NY 10003
> +1 212 229-5300 x4728 ~ david...@newschool.edu 
> Sent from my phone; please excuse typos and inane auto-corrections.
> 
>
> On Mon, Mar 25, 2019, 17:08 Matthew Uribe wrote:
>
>> Hi everyone,
>>
>> I'm only just beginning to use AD with my CAS 5.2 deployment, and with 
>> the information in many previous posts here, I've been successful in 
>> authenticating users in CAS with their AD accounts. There is one exception, 
>> however, and that is the Active Students OU. Accounts in that OU fail to 
>> authenticate. If I move one of the accounts out of Active Students and into 
>> an OU where accounts are able to authenticate, they still can't 
>> authenticate. Likewise, accounts from any other OU, if moved into Active 
>> Students, do successfully authenticate. This leads me to believe that it 
>> must be something specific to those accounts, but I don't know what it 
>> would be.
>>
>> I initially used the following settings for AD in the cas.properties:
>>
>> cas.authn.ldap[1].order:1
>> cas.authn.ldap[1].name: Test Empl Active Directory
>> cas.authn.ldap[1].type: AD
>> cas.authn.ldap[1].ldapUrl:  ldaps://testaimsdc1.test.aims.edu
>> cas.authn.ldap[1].validatePeriod:   270
>> cas.authn.ldap[1].poolPassivator:   NONE
>> cas.authn.ldap[1].userFilter:   sAMAccountName={user}
>> cas.authn.ldap[1].baseDn:   dc=test,dc=aims,dc=edu
>> cas.authn.ldap[1].dnFormat: %s...@test.aims.edu 
>>
>>
>> This worked, as I said, for all accounts but those contained in Active 
>> Students.
>>
>> I've also tried configuring a connection for each OU, but the results are 
>> the same. I've tried different LDAP types, such as AUTHENTICATED, which 
>> also works, except for the Active Students accounts.
>>
>> The accounts in the Active Students OU are able to sign in to domain 
>> joined workstations with no problem, which has the AD team pointing to CAS 
>> as the issue, so I finally set the ldaptive log level to debug and found 
>> the following: When an affected user tries to sign in to CAS, these are 
>> some of the first lines to appear in the log:
>>
>> 2019-03-25 15:00:34,499 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] 
>> - > context=null]>
>> 2019-03-25 15:00:34,499 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] 
>> - 
>> 2019-03-25 15:00:34,502 DEBUG [org.ldaptive.SearchOperation] - > request=[org.ldaptive.SearchRequest@-1061412749::baseDn=, 
>> searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), 
>> parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, 
>> sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, 
>> sortBehavior=UNORDERED, searchEntryHandlers=null, 
>> searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@42336fb8],
>>  
>> controls=null, 
>> referralHandler=org.ldaptive.referral.SearchReferralHandler@1b0ccd3c, 
>> intermediateResponseHandlers=null] with 
>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1455399867::config=[org.ldaptive.ConnectionConfig@904794016::ldapUrl=ldaps://
>> testaimsdc1.test.aims.edu, connectTimeout=PT5S, responseTimeout=PT5S, 
>> sslConfig=[org.ldaptive.ssl.SslConfig@866800436::credentialConfig=null, 
>> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, 
>> enabledCipherSuites=null, enabledProtocols=null, 
>> handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, 
>> connectionInitializer=[org.ldaptive.BindConnectionInitializer@792450504::bindDn=cn=svc-ri-ad,ou=Service,ou=Users,ou=Enterprise
>>  
>> Support,dc=test,dc=aims,dc=edu, bindSaslConfig=null, bindControls=null], 
>> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@5542e5a6], 
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1596835154::metadata=[ldapUrl=ldaps://
>> testaimsdc1.test.aims.edu, count=1], 
>> environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
>>  
>> com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, 
>> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
>> 

Re: [cas-user] CAS 5.2 and AD - Auth fail for just one OU

2019-03-25 Thread David Curry
Just a quick off the cuff thought, but could there be a syntax error in the
properties file somewhere before the dn setting that's causing that line to
be misread?



David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.


On Mon, Mar 25, 2019, 17:08 Matthew Uribe  wrote:

> Hi everyone,
>
> I'm only just beginning to use AD with my CAS 5.2 deployment, and with the
> information in many previous posts here, I've been successful in
> authenticating users in CAS with their AD accounts. There is one exception,
> however, and that is the Active Students OU. Accounts in that OU fail to
> authenticate. If I move one of the accounts out of Active Students and into
> an OU where accounts are able to authenticate, they still can't
> authenticate. Likewise, accounts from any other OU, if moved into Active
> Students, do successfully authenticate. This leads me to believe that it
> must be something specific to those accounts, but I don't know what it
> would be.
>
> I initially used the following settings for AD in the cas.properties:
>
> cas.authn.ldap[1].order:1
> cas.authn.ldap[1].name: Test Empl Active Directory
> cas.authn.ldap[1].type: AD
> cas.authn.ldap[1].ldapUrl:  ldaps://testaimsdc1.test.aims.edu
> cas.authn.ldap[1].validatePeriod:   270
> cas.authn.ldap[1].poolPassivator:   NONE
> cas.authn.ldap[1].userFilter:   sAMAccountName={user}
> cas.authn.ldap[1].baseDn:   dc=test,dc=aims,dc=edu
> cas.authn.ldap[1].dnFormat: %s...@test.aims.edu
>
>
> This worked, as I said, for all accounts but those contained in Active
> Students.
>
> I've also tried configuring a connection for each OU, but the results are
> the same. I've tried different LDAP types, such as AUTHENTICATED, which
> also works, except for the Active Students accounts.
>
> The accounts in the Active Students OU are able to sign in to domain
> joined workstations with no problem, which has the AD team pointing to CAS
> as the issue, so I finally set the ldaptive log level to debug and found
> the following: When an affected user tries to sign in to CAS, these are
> some of the first lines to appear in the log:
>
> 2019-03-25 15:00:34,499 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
>  context=null]>
> 2019-03-25 15:00:34,499 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
> 
> 2019-03-25 15:00:34,502 DEBUG [org.ldaptive.SearchOperation] -  request=[org.ldaptive.SearchRequest@-1061412749::baseDn=,
> searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*),
> parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S,
> sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null,
> sortBehavior=UNORDERED, searchEntryHandlers=null,
> searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@42336fb8],
> controls=null,
> referralHandler=org.ldaptive.referral.SearchReferralHandler@1b0ccd3c,
> intermediateResponseHandlers=null] with
> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1455399867
> ::config=[org.ldaptive.ConnectionConfig@904794016::ldapUrl=ldaps://
> testaimsdc1.test.aims.edu, connectTimeout=PT5S, responseTimeout=PT5S,
> sslConfig=[org.ldaptive.ssl.SslConfig@866800436::credentialConfig=null,
> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
> enabledCipherSuites=null, enabledProtocols=null,
> handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
> connectionInitializer=[org.ldaptive.BindConnectionInitializer@792450504::bindDn=cn=svc-ri-ad,ou=Service,ou=Users,ou=Enterprise
> Support,dc=test,dc=aims,dc=edu, bindSaslConfig=null, bindControls=null],
> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@5542e5a6],
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1596835154
> ::metadata=[ldapUrl=ldaps://testaimsdc1.test.aims.edu, count=1],
> environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
> com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000},
> classLoader=null,
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@792845762::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={},
> controlProcessor=org.ldaptive.provider.ControlProcessor@21226762,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null,
> hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@1b1dc06c]>
> .
> .
> .
> 

[cas-user] CAS 5.2 and AD - Auth fail for just one OU

2019-03-25 Thread Matthew Uribe
Hi everyone,

I'm only just beginning to use AD with my CAS 5.2 deployment, and with the 
information in many previous posts here, I've been successful in 
authenticating users in CAS with their AD accounts. There is one exception, 
however, and that is the Active Students OU. Accounts in that OU fail to 
authenticate. If I move one of the accounts out of Active Students and into 
an OU where accounts are able to authenticate, they still can't 
authenticate. Likewise, accounts from any other OU, if moved into Active 
Students, do successfully authenticate. This leads me to believe that it 
must be something specific to those accounts, but I don't know what it 
would be.

I initially used the following settings for AD in the cas.properties:

cas.authn.ldap[1].order:1
cas.authn.ldap[1].name: Test Empl Active Directory
cas.authn.ldap[1].type: AD
cas.authn.ldap[1].ldapUrl:  ldaps://testaimsdc1.test.aims.edu
cas.authn.ldap[1].validatePeriod:   270
cas.authn.ldap[1].poolPassivator:   NONE
cas.authn.ldap[1].userFilter:   sAMAccountName={user}
cas.authn.ldap[1].baseDn:   dc=test,dc=aims,dc=edu
cas.authn.ldap[1].dnFormat: %s...@test.aims.edu


This worked, as I said, for all accounts but those contained in Active 
Students.

I've also tried configuring a connection for each OU, but the results are 
the same. I've tried different LDAP types, such as AUTHENTICATED, which 
also works, except for the Active Students accounts.

The accounts in the Active Students OU are able to sign in to domain joined 
workstations with no problem, which has the AD team pointing to CAS as the 
issue, so I finally set the ldaptive log level to debug and found the 
following: When an affected user tries to sign in to CAS, these are some of 
the first lines to appear in the log:

2019-03-25 15:00:34,499 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - 

2019-03-25 15:00:34,499 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - 

2019-03-25 15:00:34,502 DEBUG [org.ldaptive.SearchOperation] - 
.
.
.
2019-03-25 15:00:34,545 INFO [org.ldaptive.auth.PooledSearchDnResolver] - 

2019-03-25 15:00:34,545 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - 

2019-03-25 15:00:34,545 DEBUG [org.ldaptive.auth.Authenticator] - 

2019-03-25 15:00:34,545 WARN 
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 

Why would the DN be null, only for a specific set of users?

Thanks for any insight anyone may have.

Matt Uribe

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a9bcbfaa-762b-4243-b033-9d9b7d7546ab%40apereo.org.


[cas-user] CAS 5.2 PAC4J SAML 2.0 Delegation Behavior

2019-01-24 Thread Tom O'Neill
Hi All,

I am troubleshooting application integration and looking for some insight.

We have a CAS 5.2 instance with the PAC4J module, which is being used to 
delegate authentication to an IdP using SAML 2.0.
Based on some testing, it seems like the CAS server is delegating 
authentication to the IdP any time the CAS login method is hit.

We're have the PAC4J autoRedirect property set to true - so I don't expect or 
want CAS to present a login page but I also didn't expect it to redirect to the 
IDP if the user has a valid TGT.
cas.authn.pac4j.autoRedirect=true

Can anyone confirm that this is the designed and expected behavior?
Is anyone aware of a different setting or combination of settings that might 
adjust the behavior to what I'm looking for?

Hopefully I'm missing something.

Thanks!!!
Tom


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN7PR02MB50098001DBCF6CAF1552DCE2CB9A0%40BN7PR02MB5009.namprd02.prod.outlook.com.


[cas-user] CAS 5.2 OAuth 2 Redirect to root - not regularly

2018-11-28 Thread Amin M.Tehrani
Hi,

we have a problem with cas 5.2.x using *OAuth 2*.
The problem is like following and it happens not all the time:

cas : www.example.com/cas/
app: www.example.com/app/

with that said, the usual approach is after correct login, cas will 
redirect to www.example.com/app/somelink#accessToken=

the bug that we have is, that sometimes cas redirects to the root 
(www.example.com) instead of redirecting to www.example.com/app/somelink...


Thank you in advance


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/140d5e93-b0d0-4285-a582-af52876130a2%40apereo.org.


Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Bill Scully
Yup, it was just the CAS client configuration.  All is well.  Thanks!

On Friday, August 31, 2018 at 4:02:11 PM UTC-5, Bill Scully wrote:
>
> Thank you both for your helpful links and examples!
>
> I haven't been able to successfully retrieve any specified attributes in 
> our testing, but it may be our client configuration.
>
> On to troubleshooting!
>
> Many, many thanks to both of you, again!
>
> On Friday, August 31, 2018 at 2:17:12 PM UTC-5, waldbiec wrote:
>>
>> Bill, 
>>
>> In `cas.properties`, in your LDAP section, you want a property like this: 
>>
>> cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
>>
>> That says that the principal that is authenticated should get the above 
>> list of LDAP attributes.  For the ones that have 2 items separated by a 
>> colon, that is just a rename from the LDAP attribute to the name that will 
>> be exposed via CAS. 
>>
>> In your service file for an individual service, you specify what 
>> attributes from the above list you want to release.  The following sections 
>> from a service file are an example: 
>>
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "attributeFilter" : {
>>       "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
>>       "patterns": {
>>         "@class" : "java.util.HashMap",
>>         "memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
>>       },
>>       "excludeUnmappedAttributes": false,
>>       "completeMatch": false,
>>       "order": 0
>>     },
>>     "allowedAttributes" : [ "java.util.ArrayList",
>>       [
>>         "uid",
>>         "memberOf",
>>         "email",
>>         "givenName",
>>         "surname"
>>       ]
>>     ]
>>   },
>>
>> The "attributeReleasePolicy" is used to filter the "memberOf" attribute 
>> down to a specific value (because the attribute is multi-valued, and you 
>> usually only want to release one or a few of the values to a service). 
>> The "allowedAttributes" section specifies what attributes from the 
>> principal will be released at all. 
>>
>> Thanks, 
>> Carl Waldbieser 
>> ITS Identity Management 
>> Lafayette College 
>>
>> - Original Message - 
>> From: "Bill Scully"  
>> To: "cas-user"  
>> Sent: Friday, 31 August, 2018 15:00:09 
>> Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application 
>>
>> Hi, 
>>
>> I'm having a hard time getting my head around where to start configuring 
>> CAS to provide LDAP attributes to the "RegisteredService" / application 
>> after authentication.  I'm assuming there are 2 areas that I need to 
>> configure, cas.properties and service JSON files, but navigating the 
>> documentation to find what I need has been beyond me up to this point. 
>>
>> Can someone kindly point me to the right areas 
>> of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I 
>> can 
>> figure out how to retrieve certain attributes from LDAP and share those 
>> selected values with the application?  I hope I'm using "application" 
>> properly. 
>>
>> Thanks, 
>>
>> Bill 
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/714d92bf-5b86-44eb-8af7-3769a862738d%40apereo.org.


Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Bill Scully
Thank you both for your helpful links and examples!

I haven't been able to successfully retrieve any specified attributes in 
our testing, but it may be our client configuration.

On to troubleshooting!

Many, many thanks to both of you, again!

On Friday, August 31, 2018 at 2:17:12 PM UTC-5, waldbiec wrote:
>
> Bill, 
>
> In `cas.properties`, in your LDAP section, you want a property like this: 
>
> cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
>
> That says that the principal that is authenticated should get the above 
> list of LDAP attributes.  For the ones that have 2 items separated by a 
> colon, that is just a rename from the LDAP attribute to the name that will 
> be exposed via CAS. 
>
> In your service file for an individual service, you specify what 
> attributes from the above list you want to release.  The following sections 
> from a service file are an example: 
>
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "attributeFilter" : {
>       "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
>       "patterns": {
>         "@class" : "java.util.HashMap",
>         "memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
>       },
>       "excludeUnmappedAttributes": false,
>       "completeMatch": false,
>       "order": 0
>     },
>     "allowedAttributes" : [ "java.util.ArrayList",
>       [
>         "uid",
>         "memberOf",
>         "email",
>         "givenName",
>         "surname"
>       ]
>     ]
>   },
>
> The "attributeReleasePolicy" is used to filter the "memberOf" attribute 
> down to a specific value (because the attribute is multi-valued, and you 
> usually only want to release one or a few of the values to a service). 
> The "allowedAttributes" section specifies what attributes from the 
> principal will be released at all. 
>
> Thanks, 
> Carl Waldbieser 
> ITS Identity Management 
> Lafayette College 
>
> - Original Message - 
> From: "Bill Scully" 
> To: "cas-user" 
> Sent: Friday, 31 August, 2018 15:00:09 
> Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application 
>
> Hi, 
>
> I'm having a hard time getting my head around where to start configuring 
> CAS to provide LDAP attributes to the "RegisteredService" / application 
> after authentication.  I'm assuming there are 2 areas that I need to 
> configure, cas.properties and service JSON files, but navigating the 
> documentation to find what I need has been beyond me up to this point. 
>
> Can someone kindly point me to the right areas 
> of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I 
> can 
> figure out how to retrieve certain attributes from LDAP and share those 
> selected values with the application?  I hope I'm using "application" 
> properly. 
>
> Thanks, 
>
> Bill 
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/75e63571-f1e0-40c6-99c4-35784432e1dc%40apereo.org.
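Added example (Python, not CAS code and not from the thread) that models the two stages Carl describes so the effect of each setting can be checked offline: `principalAttributeList` selects and renames LDAP attributes onto the principal, the mapped-regex filter trims `memberOf` to the matching values, and `allowedAttributes` decides what is released at all. The LDAP entry is constructed; the filter semantics (`excludeUnmappedAttributes`, `completeMatch`, dropping an attribute whose values all fail the regex) are my reading of the CAS documentation and are an assumption, not a copy of CAS behaviour.

```python
import re

# Property from Carl's message: LDAP attribute names, optionally renamed as ldap:cas.
PRINCIPAL_ATTRIBUTE_LIST = "uid,givenName,sn:surname,mail:email,memberOf"

# The service file's filter pattern and allow-list from the same message.
SERVICE_PATTERNS = {"memberOf": "cn=administrators,ou=groups,dc=example,dc=org"}
SERVICE_ALLOWED = ["uid", "memberOf", "email", "givenName", "surname"]

# Constructed LDAP entry; telephoneNumber and the second group are there to be dropped.
LDAP_ENTRY = {
    "uid": ["bscully"],
    "givenName": ["Bill"],
    "sn": ["Scully"],
    "mail": ["bscully@example.org"],
    "telephoneNumber": ["+1 555 0100"],
    "memberOf": [
        "cn=administrators,ou=groups,dc=example,dc=org",
        "cn=staff,ou=groups,dc=example,dc=org",
    ],
}


def parse_attribute_list(spec: str) -> dict:
    """'uid,sn:surname' -> {'uid': 'uid', 'sn': 'surname'}."""
    mapping = {}
    for item in spec.split(","):
        ldap_name, _, cas_name = item.strip().partition(":")
        mapping[ldap_name] = cas_name or ldap_name
    return mapping


def build_principal(ldap_entry: dict, spec: str) -> dict:
    """Stage 1: copy only the listed LDAP attributes onto the principal, renamed."""
    mapping = parse_attribute_list(spec)
    return {cas_name: list(ldap_entry[ldap_name])
            for ldap_name, cas_name in mapping.items() if ldap_name in ldap_entry}


def mapped_regex_filter(attrs: dict, patterns: dict,
                        exclude_unmapped: bool = False, complete_match: bool = False) -> dict:
    """Stage 2a: assumed model of RegisteredServiceMappedRegexAttributeFilter.

    Attributes named in `patterns` keep only the values the regex matches
    (substring match unless complete_match); attributes not named pass through
    unless exclude_unmapped. An attribute with no surviving values is dropped.
    """
    out = {}
    for name, values in attrs.items():
        if name not in patterns:
            if not exclude_unmapped:
                out[name] = list(values)
            continue
        rx = re.compile(patterns[name])
        matcher = rx.fullmatch if complete_match else rx.search
        kept = [v for v in values if matcher(v)]
        if kept:
            out[name] = kept
    return out


def return_allowed(attrs: dict, allowed: list) -> dict:
    """Stage 2b: model of ReturnAllowedAttributeReleasePolicy's allow-list."""
    return {name: values for name, values in attrs.items() if name in allowed}


def release(ldap_entry: dict, spec: str = PRINCIPAL_ATTRIBUTE_LIST,
            patterns: dict = None, allowed: list = None,
            exclude_unmapped: bool = False, complete_match: bool = False) -> dict:
    """What the service receives for one LDAP entry."""
    patterns = SERVICE_PATTERNS if patterns is None else patterns
    allowed = SERVICE_ALLOWED if allowed is None else allowed
    principal = build_principal(ldap_entry, spec)
    filtered = mapped_regex_filter(principal, patterns, exclude_unmapped, complete_match)
    return return_allowed(filtered, allowed)


if __name__ == "__main__":
    for name, values in release(LDAP_ENTRY).items():
        print(f"{name}: {values}")
```

The pattern value is a regular expression, so with `completeMatch` false a loose value such as `cn=admin` also selects `cn=administrators,...` (and `.` in a DN matches any character); anchor the pattern with `^...$` or set `completeMatch` to true when the service must see exactly one group. The renamed attribute names (`surname`, `email`) are what must appear in `allowedAttributes`; listing the LDAP names `sn` or `mail` there releases nothing, which is one thing to check when a client sees no attributes.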


Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Bill Scully
Thank you both for your helpful links and examples!

I haven't been able to successfully retrieve any specified attributes in 
our testing, but it may be our client configuration.

On to troubleshooting!

Many, many thanks to both of you, again!

On Friday, August 31, 2018 at 2:17:12 PM UTC-5, waldbiec wrote:
>
> Bill, 
>
> In `cas.properties`, in your LDAP section, you want a property like this: 
>
> 
> cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
>  
>
>
> That says that the principal that is authenticated should get the above 
> list of LDAP attributes.  For the ones that have 2 items separated by a 
> colon, that is just a rename from the LDAP attribute to the name that will 
> be exposed via CAS. 
>
> In your service file for an individual service, you specify what 
> attributes from the above list you want to release.  The following sections 
> from a service file are an example: 
>
>   "attributeReleasePolicy" : { 
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", 
>     "attributeFilter" : { 
>       "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter", 
>       "patterns": { 
>         "@class" : "java.util.HashMap", 
>         "memberOf": "cn=administrators,ou=groups,dc=example,dc=org" 
>       }, 
>       "excludeUnmappedAttributes": false, 
>       "completeMatch": false, 
>       "order": 0 
>     }, 
>     "allowedAttributes" : [ "java.util.ArrayList", 
>       [ 
>         "uid", 
>         "memberOf", 
>         "email", 
>         "givenName", 
>         "surname" 
>       ] 
>     ] 
>   }, 
>
> The "attributeReleasePolicy" is used to filter the "memberOf" attribute 
> down to a specific value (because the attribute is multi-valued, and you 
> usually want to release only one or a few of the values to a service). 
> The "allowedAttributes" section specifies what attributes from the 
> principal will be released at all. 
>
> Thanks, 
> Carl Waldbieser 
> ITS Identity Management 
> Lafayette College 
>
> - Original Message - 
> From: "Bill Scully" 
> To: "cas-user" 
> Sent: Friday, 31 August, 2018 15:00:09 
> Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application 
>
> Hi, 
>
> I'm having a hard time getting my head around where to start configuring 
> CAS to provide LDAP attributes to the "RegisteredService" / application 
> after authentication.  I'm assuming there are 2 areas that I need to 
> configure, cas.properties and service JSON files, but navigating the 
> documentation to find what I need has been beyond me up to this point. 
>
> Can someone kindly point me to the right areas 
> of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I 
> can 
> figure out how to retrieve certain attributes from LDAP and share those 
> selected values with the application?  I hope I'm using "application" 
> properly. 
>
> Thanks, 
>
> Bill 
>



Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Carl Waldbieser
Bill,

In `cas.properties`, in your LDAP section, you want a property like this:


cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf

That says that the principal that is authenticated should get the above list of 
LDAP attributes.  For the ones that have 2 items separated by a colon, that is 
just a rename from the LDAP attribute to the name that will be exposed via CAS.

In your service file for an individual service, you specify what attributes 
from the above list you want to release.  The following sections from a service 
file are an example:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "attributeFilter" : {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "patterns": {
        "@class" : "java.util.HashMap",
        "memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
      },
      "excludeUnmappedAttributes": false,
      "completeMatch": false,
      "order": 0
    },
    "allowedAttributes" : [ "java.util.ArrayList",
      [
        "uid",
        "memberOf",
        "email",
        "givenName",
        "surname"
      ]
    ]
  },

The "attributeReleasePolicy" is used to filter the "memberOf" attribute down to 
a specific value (because the attribute is multi-valued, and you usually want to 
release only one or a few of the values to a service).  The "allowedAttributes" 
section specifies what attributes from the principal will be released at all.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

- Original Message -
From: "Bill Scully" 
To: "cas-user" 
Sent: Friday, 31 August, 2018 15:00:09
Subject: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

Hi,

I'm having a hard time getting my head around where to start configuring 
CAS to provide LDAP attributes to the "RegisteredService" / application 
after authentication.  I'm assuming there are 2 areas that I need to 
configure, cas.properties and service JSON files, but navigating the 
documentation to find what I need has been beyond me up to this point.

Can someone kindly point me to the right areas 
of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can 
figure out how to retrieve certain attributes from LDAP and share those 
selected values with the application?  I hope I'm using "application" 
properly.

Thanks,

Bill


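As an added example that is not Carl's code or CAS's own, the following Python models the three stages his answer walks through: the `principalAttributeList` rename syntax, the mapped-regex filter on the multi-valued `memberOf`, and the `allowedAttributes` release. The LDAP entry and its group DNs are constructed for this example, and `completeMatch` is modelled as an unanchored search when false and as a full match when true.

```python
import re

# Constructed LDAP entry standing in for what cas.authn.ldap[0] returns for one
# authenticated user; every value here is invented for this example.
LDAP_ENTRY = {
    "uid": ["bscully"],
    "givenName": ["Bill"],
    "sn": ["Scully"],
    "mail": ["bscully@example.org"],
    "memberOf": [
        "cn=administrators,ou=groups,dc=example,dc=org",
        "cn=everyone,ou=groups,dc=example,dc=org",
        "cn=vpn-users,ou=groups,dc=example,dc=org",
    ],
    # Present in LDAP but never listed for the principal, so it cannot be released.
    "userPassword": ["{SSHA}not-for-release"],
}

# The property from the post: comma-separated "ldapName" or "ldapName:casName".
PRINCIPAL_ATTRIBUTE_LIST = "uid,givenName,sn:surname,mail:email,memberOf"

# The service-file sections from the post, reduced to the values that matter.
MEMBER_OF_PATTERN = "cn=administrators,ou=groups,dc=example,dc=org"
ALLOWED_ATTRIBUTES = ["uid", "memberOf", "email", "givenName", "surname"]


def resolve_principal_attributes(entry, attribute_list):
    """Stage 1: copy the listed LDAP attributes onto the principal, renaming
    'ldap:cas' items; attributes that are not listed never reach the principal."""
    principal = {}
    for item in attribute_list.split(","):
        item = item.strip()
        if not item:
            continue
        ldap_name, _, cas_name = item.partition(":")
        if ldap_name in entry:
            principal[cas_name or ldap_name] = list(entry[ldap_name])
    return principal


def mapped_regex_filter(attributes, patterns, exclude_unmapped=False,
                        complete_match=False):
    """Stage 2: model of RegisteredServiceMappedRegexAttributeFilter. For the
    attributes named in `patterns`, keep only the values the regex accepts; an
    attribute with no pattern passes through unless exclude_unmapped is set.
    completeMatch=False is modelled as a search, True as a full match."""
    filtered = {}
    for name, values in attributes.items():
        if name not in patterns:
            if not exclude_unmapped:
                filtered[name] = list(values)
            continue
        regex = re.compile(patterns[name])
        matcher = regex.fullmatch if complete_match else regex.search
        kept = [v for v in values if matcher(v)]
        if kept:
            filtered[name] = kept
    return filtered


def release_allowed(attributes, allowed):
    """Stage 3: ReturnAllowedAttributeReleasePolicy releases only the listed names."""
    return {name: attributes[name] for name in allowed if name in attributes}


def attributes_for_service(entry=LDAP_ENTRY, complete_match=False):
    """Run the whole pipeline for the service definition in the post."""
    principal = resolve_principal_attributes(entry, PRINCIPAL_ATTRIBUTE_LIST)
    filtered = mapped_regex_filter(principal, {"memberOf": MEMBER_OF_PATTERN},
                                   exclude_unmapped=False,
                                   complete_match=complete_match)
    return release_allowed(filtered, ALLOWED_ATTRIBUTES)


def filtered_groups(groups, pattern, complete_match):
    """Show how completeMatch changes which DN-shaped values survive the filter."""
    return mapped_regex_filter({"memberOf": list(groups)}, {"memberOf": pattern},
                               complete_match=complete_match).get("memberOf", [])


if __name__ == "__main__":
    for name, values in attributes_for_service().items():
        print(f"{name}: {values}")
```

The last helper is there because `completeMatch: false` turns the pattern into an unanchored search, so a DN that merely begins with the configured group string is also released.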


Re: [cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Ray Bon
Bill,

Service config:
https://apereo.github.io/cas/5.2.x/integration/Attribute-Release-Policies.html

CAS config:
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#passivators

in particular, cas.authn.ldap[0].principalAttributeList

Ray

On Fri, 2018-08-31 at 12:00 -0700, Bill Scully wrote:
Hi,

I'm having a hard time getting my head around where to start configuring CAS to 
provide LDAP attributes to the "RegisteredService" / application after 
authentication.  I'm assuming there are 2 areas that I need to configure, 
cas.properties and service JSON files, but navigating the documentation to find 
what I need has been beyond me up to this point.

Can someone kindly point me to the right areas of 
https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can figure 
out how to retrieve certain attributes from LDAP and share those selected 
values with the application?  I hope I'm using "application" properly.

Thanks,

Bill

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



[cas-user] CAS 5.2 Passing LDAP Attributes to Application

2018-08-31 Thread Bill Scully
Hi,

I'm having a hard time getting my head around where to start configuring 
CAS to provide LDAP attributes to the "RegisteredService" / application 
after authentication.  I'm assuming there are 2 areas that I need to 
configure, cas.properties and service JSON files, but navigating the 
documentation to find what I need has been beyond me up to this point.

Can someone kindly point me to the right areas 
of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can 
figure out how to retrieve certain attributes from LDAP and share those 
selected values with the application?  I hope I'm using "application" 
properly.

Thanks,

Bill



[cas-user] CAS 5.2.x does not support Oracle DB for service registry, specially in case of SAML?

2018-05-20 Thread nilesh choudhary
We are trying to set up CAS 5.2.x using Oracle DB as service registry 
storage. 
We are not using SAML as of now for the CAS server, so it seems to be working 
fine. 
But cas-management server on start-up tries to load some properties from 
RegexRegisteredService which are way longer than the permitted 30-char 
limit. 
I am afraid this issue might be hit in the CAS server as well when we try to 
use it for SAML. 

Does this mean CAS won't support SAML and cas-management-webapp, even 
without SAML, if the service registry storage is Oracle DB? Any plan to take 
care of this in coming releases? Are there no work-arounds present?

Many thanks in advance in case of any replies.

Hibernate SQL which is failing when starting cas-management-webapp:

select
abstractre0_.id as id2_0_,
abstractre0_.access_strategy as access_strategy3_0_,
abstractre0_.attribute_release as attribute_release4_0_,
abstractre0_.description as description5_0_,
abstractre0_.evaluation_order as evaluation_order6_0_,
abstractre0_.expiration_policy as expiration_policy7_0_,
abstractre0_.informationUrl as informationUrl8_0_,
abstractre0_.logo as logo9_0_,
abstractre0_.logout_type as logout_type10_0_,
abstractre0_.logout_url as logout_url11_0_,
abstractre0_.mfa_policy as mfa_policy12_0_,
abstractre0_.name as name13_0_,
abstractre0_.privacyUrl as privacyUrl14_0_,
abstractre0_.proxy_policy as proxy_policy15_0_,
abstractre0_.public_key as public_key16_0_,
abstractre0_.required_handlers as required_handlers17_0_,
abstractre0_.serviceId as serviceId18_0_,
abstractre0_.theme as theme19_0_,
abstractre0_.username_attr as username_attr20_0_,
abstractre0_.bypassApprovalPrompt as bypassApprovalPro21_0_,
abstractre0_.clientId as clientId22_0_,
abstractre0_.clientSecret as clientSecret23_0_,
abstractre0_.generateRefreshToken as generateRefreshTo24_0_,
abstractre0_.jsonFormat as jsonFormat25_0_,
abstractre0_.supported_grants as supported_grants26_0_,
abstractre0_.supported_responses as supported_respons27_0_,
abstractre0_.DYNAMIC_REG_TIME as DYNAMIC_REG_TIME28_0_,
abstractre0_.dynamicallyRegistered as dynamicallyRegist29_0_,
abstractre0_.encryptIdToken as encryptIdToken30_0_,
abstractre0_.idTokenEncryptionAlg as idTokenEncryption31_0_,
abstractre0_.idTokenEncryptionEncoding as idTokenEncryption32_0_,
abstractre0_.implicit as implicit33_0_,
abstractre0_.jwks as jwks34_0_,
abstractre0_.scopes as scopes35_0_,
abstractre0_.sectorIdentifierUri as sectorIdentifierU36_0_,
abstractre0_.signIdToken as signIdToken37_0_,
abstractre0_.subjectType as subjectType38_0_,
abstractre0_.addressingNamespace as addressingNamespa39_0_,
abstractre0_.appliesTo as appliesTo40_0_,
abstractre0_.namespace as namespace41_0_,
abstractre0_.policyNamespace as policyNamespace42_0_,
abstractre0_.protocol as protocol43_0_,
abstractre0_.realm as realm44_0_,
abstractre0_.tokenType as tokenType45_0_,
abstractre0_.wsdlEndpoint as wsdlEndpoint46_0_,
abstractre0_.wsdlLocation as wsdlLocation47_0_,
abstractre0_.wsdlService as wsdlService48_0_,
abstractre0_.encryptAssertions as encryptAssertions49_0_,
abstractre0_.metadataCriteriaDirection as metadataCriteriaD50_0_,
abstractre0_.metadataCriteriaPattern as metadataCriteriaP51_0_,
abstractre0_.metadataCriteriaRemoveEmptyEntitiesDescriptors as 
metadataCriteriaR52_0_,
abstractre0_.metadataCriteriaRemoveRolelessEntityDescriptors as 
metadataCriteriaR53_0_,
abstractre0_.metadataCriteriaRoles as metadataCriteriaR54_0_,
abstractre0_.metadataExpirationDuration as metadataExpiratio55_0_,
abstractre0_.metadataLocation as metadataLocation56_0_,
abstractre0_.metadataMaxValidity as metadataMaxValidi57_0_,
abstractre0_.metadataSignatureLocation as metadataSignature58_0_,
abstractre0_.nameIdQualifier as nameIdQualifier59_0_,
abstractre0_.requiredAuthenticationContextClass as 
requiredAuthentic60_0_,
abstractre0_.requiredNameIdFormat as requiredNameIdFor61_0_,
abstractre0_.serviceProviderNameIdQualifier as 
serviceProviderNa62_0_,
abstractre0_.signAssertions as signAssertions63_0_,
abstractre0_.signResponses as signResponses64_0_,
abstractre0_.signingCredentialType as signingCredential65_0_,
abstractre0_.skipGeneratingAssertionNameId as 
skipGeneratingAss66_0_,
abstractre0_.skipGeneratingSubjectConfirmationInResponseTo as 
skipGeneratingSub67_0_,
abstractre0_.skipGeneratingSubjectConfirmationNotBefore as 
skipGeneratingSub68_0_,
abstractre0_.skipGeneratingSubjectConfirmationNotOnOrAfter as 
skipGeneratingSub69_0_,
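As an added example (not from the post or from CAS), this Python scans a Hibernate select list for identifiers longer than Oracle's 30-byte limit; the SQL excerpt is a constructed subset of the query quoted above, kept in the wrapped form the archive shows so the scanner has to cope with line breaks.

```python
import re

# Oracle's identifier limit before 12.2 is 30 bytes; 12.2 raised it to 128 bytes
# when the COMPATIBLE parameter is 12.2 or higher.
ORACLE_MAX_IDENTIFIER_BYTES = 30

# Constructed excerpt of the failing select from the post (a handful of the
# columns, some wrapped across lines exactly as the mail archive wraps them).
HIBERNATE_SQL = """select
abstractre0_.id as id2_0_,
abstractre0_.access_strategy as access_strategy3_0_,
abstractre0_.metadataCriteriaRemoveEmptyEntitiesDescriptors as 
metadataCriteriaR52_0_,
abstractre0_.requiredAuthenticationContextClass as 
requiredAuthentic60_0_,
abstractre0_.skipGeneratingSubjectConfirmationInResponseTo as 
skipGeneratingSub67_0_,
abstractre0_.serviceId as serviceId18_0_,"""

# "tablealias_.column as alias" as Hibernate emits it; the whitespace around
# "as" may contain a newline when the line was wrapped.
COLUMN_REF = re.compile(r"(\w+)\.(\w+)\s+as\s+(\w+)", re.IGNORECASE)


def select_identifiers(sql):
    """Return (column, alias) pairs from a Hibernate select list."""
    return [(m.group(2), m.group(3)) for m in COLUMN_REF.finditer(sql)]


def oversized_identifiers(sql, limit=ORACLE_MAX_IDENTIFIER_BYTES):
    """Return (identifier, byte_length) for every identifier above the limit.

    Hibernate shortens the aliases it generates (metadataCriteriaR52_0_), but it
    uses the entity's column names verbatim, so the column names are the ones
    that exceed the limit."""
    too_long = []
    for column, alias in select_identifiers(sql):
        for ident in (column, alias):
            size = len(ident.encode("utf-8"))
            if size > limit:
                too_long.append((ident, size))
    return too_long


def report(sql=HIBERNATE_SQL, limit=ORACLE_MAX_IDENTIFIER_BYTES):
    """Human-readable summary suitable for a pre-deployment or migration check."""
    bad = oversized_identifiers(sql, limit)
    lines = [f"{ident} ({size} bytes > {limit})" for ident, size in bad]
    return "\n".join(lines) if lines else f"all identifiers within {limit} bytes"


if __name__ == "__main__":
    print(report())
```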

[cas-user] CAS 5.2 Can't restrict access to service by two LDAP attributes

2018-04-26 Thread Viacheslav Babanin
Hello,

I am using CAS 5.2 and I am trying to restrict access to a service in such a 
fashion that it is only accessible to *full-time students*.
I am using LDAP, and the person record has 2 attributes:
 "role", which can have the value "*student*", "teacher", "worker" etc.
 "type", which can be "*full-time*", "part-time" etc.

My service definition looks like this:


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://test.cas.edu.com/",
  "name" : "test-application",
  "id" : 5,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "role" : [ "java.util.HashSet", [ "student" ] ],
      "type" : [ "java.util.HashSet", [ "full-time" ] ]
    }
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "role", "type" ] ]
  }
}

The problem I encounter is that CAS allows access to the application if *ONE OF* 
the required attributes is equal to the corresponding value. So it allows access 
to any student, without taking into account the value of the type field.

I have read documentation on service access and I am really confused: 
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Access-Strategy.html

1.  requireAllAttributes - ... Default value is "true". Note that this flag 
only controls which and how many of the attribute NAMES must be present. If 
attribute names satisfy the CAS configuration, at the next step *at least 
one matching attribute value* is required for the access strategy to 
proceed successfully.

So it basically says that it requires both attributes to be present, but to have 
at least one matching value.


2. Example 
here: 
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Access-Strategy.html#enforce-attributes
 
"To access the service, the principal must have a cn attribute with the 
value of admin AND a givenName attribute with the value of Administrator"

"accessStrategy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "enabled" : true,
  "ssoEnabled" : true,
  "requiredAttributes" : {
    "@class" : "java.util.HashMap",
    "cn" : [ "java.util.HashSet", [ "admin", "Admin", "TheAdmin" ] ]
  }
}

And next example is for the cases when you want *OR* access 
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Access-Strategy.html#enforce-combined-attribute-conditions

Titled:

To access the service, the principal must have a cn attribute whose value is 
either of admin, Admin or TheAdmin, *OR* the principal must have a 
member attribute whose value is either of admins, adminGroup or staff.

"accessStrategy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "enabled" : true,
  "requireAllAttributes" : false,
  "ssoEnabled" : true,
  "requiredAttributes" : {
    "@class" : "java.util.HashMap",
    "cn" : [ "java.util.HashSet", [ "admin, Admin, TheAdmin" ] ],
    "member" : [ "java.util.HashSet", [ "admins", "adminGroup", "staff" ] ]
  }
}

So from the title of this example I assume that the first example configuration is 
used if I want both attributes to have matching values.

Isn't it contradictory with "requireAllAttributes" definition?

My configuration behaves exactly like the "requireAllAttributes" parameter 
definition states. It grants access if at least one value matches.


So my question:

Is it possible to grant access if both attribute values match?

Please help.


Thank you in advance,

Viacheslav Babanin

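As an added example, not part of the post or of CAS itself, this Python models the two readings of the quoted documentation for `requireAllAttributes`: reading A checks which attribute names are present and then accepts any one matching value (the behaviour the poster reports), while reading B requires every required attribute to carry a matching value. The principals are constructed, and values are compared as exact strings.

```python
# Constructed principals standing in for the LDAP person records described in
# the post; the role/type values are invented for this example.
PRINCIPALS = {
    "full-time student": {"role": ["student"], "type": ["full-time"]},
    "part-time student": {"role": ["student"], "type": ["part-time"]},
    "full-time teacher": {"role": ["teacher"], "type": ["full-time"]},
    "student, no type": {"role": ["student"]},
}

# requiredAttributes from the service definition in the post.
REQUIRED_ATTRIBUTES = {"role": {"student"}, "type": {"full-time"}}


def _attribute_matches(required_values, principal_values):
    """One attribute matches when any of its values equals a required value
    (exact string comparison; a simplification for this model)."""
    return any(str(value) in required_values for value in principal_values)


def access_allowed(principal, required, require_all_attributes=True,
                   require_all_values=False):
    """Evaluate requiredAttributes under two readings of the quoted documentation.

    Step 1 (both readings): requireAllAttributes decides how many of the
    required attribute NAMES must be present on the principal.
    Step 2, reading A (require_all_values=False): "at least one matching
    attribute value is required", so ONE present attribute with a matching
    value is enough.
    Step 2, reading B (require_all_values=True): every required attribute must
    also carry a matching value, which is the AND the poster is asking for.
    """
    present = [name for name in required if name in principal]
    if require_all_attributes and len(present) != len(required):
        return False
    if not present:
        return False
    matches = [_attribute_matches(required[name], principal[name])
               for name in present]
    return all(matches) if require_all_values else any(matches)


def evaluate_all(require_all_values, principals=PRINCIPALS,
                 required=REQUIRED_ATTRIBUTES):
    """Decision for every constructed principal under one reading."""
    return {label: access_allowed(p, required, True, require_all_values)
            for label, p in principals.items()}


if __name__ == "__main__":
    for reading, flag in (("A: any value matches", False),
                          ("B: all values match", True)):
        print(reading)
        for label, allowed in evaluate_all(flag).items():
            print(f"  {label:18s} -> {'allowed' if allowed else 'denied'}")
```

Under reading A a full-time teacher is admitted as well as a part-time student, because the "type" match alone satisfies the any-value step; reading B is the only one that yields the "full-time student" intersection.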


Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-25 Thread Viacheslav Babanin
I have checked the apache access.log on the web server where the client is placed, and 
there are no POST requests on logout. 0 messages or requests completely. 
That's while logging out with my CAS 5.2.3.
I have checked the same log when I issue logout from CAS 4.1.9, where SLO works 
on the same client, and I can see the POST request in access.log correctly.

On Tuesday, 24 April 2018 at 18:42:19 UTC+2, user rbon wrote:
>
> Check your Apache access.log to see if the request is getting through.
> I see this when CAS sends logout request:
>
> 2018-04-24T09:32:57.816-07:00 lo...@z.comp.uvic.ca  
> local2.notice httpd[2310]: access: coursespaces2d.uvic.ca: 
> 111.104.118.193 - - [24/Apr/2018:09:32:57 -0700] "POST /login/logout.php 
> HTTP/1.1" 200 26 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_121)" "__utma=-; 
> __utmb=-; __utmc=-; __utmk=-; __utmx=-; __utmz=-;"
>
> Ray
>
>
> On Tue, 2018-04-24 at 03:27 -0700, Viacheslav Babanin wrote:
>
> It seems like I have a problem with CAS 5.2.3 and SAML logout requests. 
> Single logout doesn't work, and from the logs it seems like CAS constructs 
> the SAML logout request but does not actually send it. I am using the example 
> phpCAS client from the docs, and when I go to the ${cas-server}/cas/logout 
> endpoint there is nothing in the phpCAS logs. If I use THE SAME client, only 
> changing the CAS endpoint and protocol, with CAS 4.1.9 (not configured by me, 
> but I have administrator access to it), everything works great and phpCAS 
> actually gets the logout request and correctly processes it. What should I 
> look into? Please help. 
>
> On Monday, 23 April 2018 at 18:35:17 UTC+2, user rbon wrote: 
>
> Viacheslav,
>
> You will want to have handleLogoutRequests(true) so that logout is 
> handled. While testing, skip the CAS server array, just in case the network 
> config changes the apparent source of the request.
>
> Put this in your CAS log4j2.xml to see what happens on CAS side of things:
>
> 
> 
> 
>  level="debug">
> 
>  onMismatch="NEUTRAL" />
>  onMismatch="DENY" />
> 
> 
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" 
> level="debug" />
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" 
> level="debug" />
> 
>  name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" 
> level="debug" />
>
> Ray
>
> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>
> That's how phpCAS.log looks if I provide it with 
> phpCAS::handleLogoutRequests(false); 
>
> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
> [index.php:13]
> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
> 443, '/cas', true) [CAS.php:360]
> DA64 .||Starting a new session 
> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
> DA64 .||Session is authenticated as: babanin [Client.php:936]
> DA64 .|<= ''
> DA64 .<= ''
> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
> DA64 .|You have configured no validation of the legitimacy of the cas 
> server. This is not recommended for production use. [CAS.php:1644]
> DA64 .<= ''
> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
> DA64 .|Not a logout request [Client.php:1739]
> DA64 .<= ''
> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
> [Client.php:1393]
> DA64 .||||user = `babanin' [Client.php:1622]
> DA64 .|||<= true
> DA64 .|||user was already authenticated, no need to look for 
> tickets [Client.php:1417]
> DA64 .||<= true
> DA64 .||no need to authenticate [Client.php:1282]
> DA64 .|<= true
> DA64 .<= ''
>
>
> On Monday, 23 April 2018 at 16:33:09 UTC+2, user Viacheslav 
> Babanin wrote: 
>
> Could you elaborate, please? 
>
> Quoting official documentation at 
> https://wiki.jasig.org/display/casc/phpcas+examples
>
> "By default, phpCAS only handles requests that emanate from the 
> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
> Failure to restrict SAML logout requests to authorized hosts could allow 
> denial of service attacks where at the least the server is tied up parsing 
> bogus XML messages. 
>
> To disable access control on logout requests, use: 
>
> phpCAS::handleLogoutRequests(false);
>
> The hosts allowed to send logout requests can also be passed in an array, 
> which might be useful with clustered CAS servers: 
>
> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
> "server2.domain.edu"));
>
>
> "
>
> As I understand, it should be enough either to use 
> phpCAS::handleLogoutRequests(false); 
> (which I tried and it seems like 

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-25 Thread Viacheslav Babanin
This shouldn't matter, since CAS 4.1.9 sends the same request and the SAME client, 
placed in the same directory on the same server, handles it correctly.
From phpCAS.log:

SAML REQUEST: @NOT_USED@ST-149-YAFlxnMQjDojiStFG4eN-cas.uek.krakow.pl
 
[Client.php:1752]


On Tuesday, 24 April 2018 at 19:09:17 UTC+2, user Manfredo Hopp 
wrote:
>
> from your log 
>
> 2018-04-24 08:59:48,360 DEBUG 
> [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] -  message: [ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="LR-3-ERN1ZJGXY-JGjGfB---2avgK" Version="2.0" 
> IssueInstant="2018-04-24T08:59:48Z"> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@ST-3-PppjmWz1yAHPFrZwFNMCRW5wsvI-v-cas-1]>
>
>
> it's SAML2 whereas your client is SAML1
>
> 2018-04-24 7:27 GMT-03:00 Viacheslav Babanin:
>
>> It seems like I have a problem with CAS 5.2.3 and SAML logout requests. 
>> Single logout doesn't work, and from the logs it seems like CAS constructs 
>> the SAML logout request but does not actually send it. I am using the example 
>> phpCAS client from the docs, and when I go to the ${cas-server}/cas/logout 
>> endpoint there is nothing in the phpCAS logs. If I use THE SAME client, only 
>> changing the CAS endpoint and protocol, with CAS 4.1.9 (not configured by me, 
>> but I have administrator access to it), everything works great and phpCAS 
>> actually gets the logout request and correctly processes it. What should I 
>> look into? Please help.
>>
>> On Monday, 23 April 2018 at 18:35:17 UTC+2, user rbon wrote:
>>>
>>> Viacheslav,
>>>
>>> You will want to have handleLogoutRequests(true) so that logout is 
>>> handled. While testing, skip the CAS server array, just in case the network 
>>> config changes the apparent source of the request.
>>>
>>> Put this in your CAS log4j2.xml to see what happens on CAS side of 
>>> things:
>>>
>>> 
>>> 
>>> 
>>> >> level="debug">
>>> 
>>> >> onMismatch="NEUTRAL" />
>>> >> onMismatch="DENY" />
>>> 
>>> 
>>> 
>>> >> name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" 
>>> level="debug" />
>>> 
>>> >> name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" 
>>> level="debug" />
>>> 
>>> >> name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" 
>>> level="debug" />
>>>
>>> Ray
>>>
>>> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>>>
>>> That's how phpCAS.log looks if I provide it with 
>>> phpCAS::handleLogoutRequests(false); 
>>>
>>> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
>>> [index.php:13]
>>> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
>>> 443, '/cas', true) [CAS.php:360]
>>> DA64 .||Starting a new session 
>>> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
>>> DA64 .||Session is authenticated as: babanin [Client.php:936]
>>> DA64 .|<= ''
>>> DA64 .<= ''
>>> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
>>> DA64 .|You have configured no validation of the legitimacy of the 
>>> cas server. This is not recommended for production use. [CAS.php:1644]
>>> DA64 .<= ''
>>> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
>>> DA64 .|Not a logout request [Client.php:1739]
>>> DA64 .<= ''
>>> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
>>> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
>>> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
>>> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
>>> [Client.php:1393]
>>> DA64 .||||user = `babanin' [Client.php:1622]
>>> DA64 .|||<= true
>>> DA64 .|||user was already authenticated, no need to look for 
>>> tickets [Client.php:1417]
>>> DA64 .||<= true
>>> DA64 .||no need to authenticate [Client.php:1282]
>>> DA64 .|<= true
>>> DA64 .<= ''
>>>
>>>
>>> On Monday, 23 April 2018 at 16:33:09 UTC+2, user Viacheslav 
>>> Babanin wrote: 
>>>
>>> Could you elaborate, please? 
>>>
>>> Quoting official documentation at 
>>> https://wiki.jasig.org/display/casc/phpcas+examples
>>>
>>> "By default, phpCAS only handles requests that emanate from 
>>> the CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
>>> Failure to restrict SAML logout requests to authorized hosts could allow 
>>> denial of service attacks where at the least the server is tied up parsing 
>>> bogus XML messages.
>>>
>>> To disable access control on logout requests, use: 
>>>
>>> phpCAS::handleLogoutRequests(false);
>>>
>>> The hosts allowed to send logout requests can also be passed in an array, 
>>> which might be useful with clustered CAS servers:
>>>
>>> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
>>> "server2.domain.edu"));
>>>
>>>
>>> "
>>>
>>> As I 

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-25 Thread Viacheslav Babanin

Yes, and it releases attributes via SAML with no issues. Only SLO doesn't 
work.


On Tuesday, 24 April 2018 at 15:16:32 UTC+2, user Manfredo Hopp 
wrote:
>
> Do you have the SAML support dependency?
>
> On Tuesday, 24 April 2018, Viacheslav Babanin wrote:
>
>> It seems like I have a problem with CAS 5.2.3 and SAML logout requests. 
>> Single logout doesn't work, and from the logs it seems like CAS constructs 
>> the SAML logout request but does not actually send it. I am using the example 
>> phpCAS client from the docs, and when I go to the ${cas-server}/cas/logout 
>> endpoint there is nothing in the phpCAS logs. If I use THE SAME client, only 
>> changing the CAS endpoint and protocol, with CAS 4.1.9 (not configured by me, 
>> but I have administrator access to it), everything works great and phpCAS 
>> actually gets the logout request and correctly processes it. What should I 
>> look into? Please help.
>>
>> On Monday, 23 April 2018 at 18:35:17 UTC+2, user rbon wrote:
>>>
>>> Viacheslav,
>>>
>>> You will want to have handleLogoutRequests(true) so that logout is 
>>> handled. While testing, skip the CAS server array, just in case the network 
>>> config changes the apparent source of the request.
>>>
>>> Put this in your CAS log4j2.xml to see what happens on CAS side of 
>>> things:
>>>
>>> 
>>> 
>>> 
>>> >> level="debug">
>>> 
>>> >> onMismatch="NEUTRAL" />
>>> >> onMismatch="DENY" />
>>> 
>>> 
>>> 
>>> >> name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" 
>>> level="debug" />
>>> 
>>> >> name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" 
>>> level="debug" />
>>> 
>>> >> name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" 
>>> level="debug" />
>>>
>>> Ray
>>>
>>> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>>>
>>> That's how phpCAS.log looks if I provide it with 
>>> phpCAS::handleLogoutRequests(false); 
>>>
>>> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
>>> [index.php:13]
>>> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
>>> 443, '/cas', true) [CAS.php:360]
>>> DA64 .||Starting a new session 
>>> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
>>> DA64 .||Session is authenticated as: babanin [Client.php:936]
>>> DA64 .|<= ''
>>> DA64 .<= ''
>>> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
>>> DA64 .|You have configured no validation of the legitimacy of the 
>>> cas server. This is not recommended for production use. [CAS.php:1644]
>>> DA64 .<= ''
>>> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
>>> DA64 .|Not a logout request [Client.php:1739]
>>> DA64 .<= ''
>>> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
>>> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
>>> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
>>> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
>>> [Client.php:1393]
>>> DA64 .||||user = `babanin' [Client.php:1622]
>>> DA64 .|||<= true
>>> DA64 .|||user was already authenticated, no need to look for 
>>> tickets [Client.php:1417]
>>> DA64 .||<= true
>>> DA64 .||no need to authenticate [Client.php:1282]
>>> DA64 .|<= true
>>> DA64 .<= ''
>>>
>>>
>>> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav 
>>> Babanin написал: 
>>>
>>> Could you elaborate, please? 
>>>
>>> Quoting official documentation at 
>>> https://wiki.jasig.org/display/casc/phpcas+examples
>>>
>>> "By default phpCAS by default only handles requests that emanate from 
>>> the CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
>>> Failure to restrict SAML logout requests to authorized hosts could allow 
>>> denial of service attacks where at the least the server is tied up parsing 
>>> bogus XML messages.
>>>
>>> To disable access control on logout requests, use: 
>>>
>>> phpCAS::handleLogoutRequests(false);
>>>
>>> The hosts allowed to send logout requests can also be passed in an array 
>>> which might be usefull in with clustered cas servers:
>>>
>>> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
>>> "server2.domain.edu"));
>>>
>>>
>>> "
>>>
>>> As i understand, it should be enough either to use 
>>> phpCAS::handleLogoutRequests(false); 
>>> (which I tried and it seems like it has no impact) or to specify cas 
>>> server which is allowed to send logout requests in an array (which I did in 
>>> example above).
>>>
>>>
>>>
>>>
>>> понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo 
>>> Hopp написал: 
>>>
>>> Logout requests are handled by clients. 
>>>
>>> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
>>> cas-1.server.test.pl',)) [CAS.php:1276]

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Man H
From your log:

2018-04-24 08:59:48,360 DEBUG
[org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - @NOT_USED@ST-3-PppjmWz1yAHPFrZwFNMCRW5wsvI-v-cas-1]>


It's SAML2, whereas your client is SAML1.

2018-04-24 7:27 GMT-03:00 Viacheslav Babanin :

> [...]

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Ray Bon
Check your Apache access.log to see if the request is getting through.
I see this when CAS sends logout request:

2018-04-24T09:32:57.816-07:00 
lo...@z.comp.uvic.ca local2.notice 
httpd[2310]: access: coursespaces2d.uvic.ca: 111.104.118.193 - - 
[24/Apr/2018:09:32:57 -0700] "POST /login/logout.php HTTP/1.1" 200 26 "-" 
"Apache-HttpClient/4.5.3 (Java/1.8.0_121)" "__utma=-; __utmb=-; __utmc=-; 
__utmk=-; __utmx=-; __utmz=-;"

Ray


On Tue, 2018-04-24 at 03:27 -0700, Viacheslav Babanin wrote:
[...]

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Man H
See

https://github.com/apereo/cas/tree/5.2.x/core/cas-server-core-logout/src/main/java/org/apereo/cas/logout

On Tuesday, 24 April 2018, Viacheslav Babanin wrote:

> [...]

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Man H
Do you have the SAML support dependency?

On Tuesday, 24 April 2018, Viacheslav Babanin wrote:

> [...]

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Viacheslav Babanin
It seems like I have a problem with CAS 5.2.3 and SAML logout requests. 
Single logout doesn't work, and from the logs it seems like CAS constructs the 
SAML logout request but does not actually send it. I am using the exemplary phpCAS 
client from the docs, and when I go to the ${cas-server}/cas/logout endpoint 
there is nothing in the phpCAS logs. If I use THE SAME client, only changing the 
CAS endpoint and protocol, with CAS 4.1.9 (not configured by me, but I have 
administrator access to it) everything works great and phpCAS actually gets the 
logout request and correctly processes it. What should I look into? Please 
help.

Monday, 23 April 2018, 18:35:17 UTC+2, user rbon wrote:
>
> Viacheslav,
>
> You will want to have handleLogoutRequests(true) so that logout is 
> handled. While testing, skip the CAS server array, just in case the network 
> config changes the apparent source of the request.
>
> Put this in your CAS log4j2.xml to see what happens on CAS side of things:
>
> (log4j2.xml snippet; the XML element tags were lost in the archive, only the logger attributes survive:)
> name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="debug" />
> name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
> name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
>
> Ray
>
> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>
> That's how phpCAS.log looks if I provide it with 
> phpCAS::handleLogoutRequests(false); 
>
> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') [index.php:13]
> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 443, '/cas', true) [CAS.php:360]
> DA64 .||Starting a new session ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
> DA64 .||Session is authenticated as: babanin [Client.php:936]
> DA64 .|<= ''
> DA64 .<= ''
> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
> DA64 .|You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1644]
> DA64 .<= ''
> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
> DA64 .|Not a logout request [Client.php:1739]
> DA64 .<= ''
> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1393]
> DA64 .||||user = `babanin' [Client.php:1622]
> DA64 .|||<= true
> DA64 .|||user was already authenticated, no need to look for tickets [Client.php:1417]
> DA64 .||<= true
> DA64 .||no need to authenticate [Client.php:1282]
> DA64 .|<= true
> DA64 .<= ''
>
>
> Monday, 23 April 2018, 16:33:09 UTC+2, user Viacheslav Babanin wrote: 
>
> Could you elaborate, please? 
>
> Quoting official documentation at 
> https://wiki.jasig.org/display/casc/phpcas+examples
>
> "By default phpCAS by default only handles requests that emanate from the 
> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
> Failure to restrict SAML logout requests to authorized hosts could allow 
> denial of service attacks where at the least the server is tied up parsing 
> bogus XML messages.
>
> To disable access control on logout requests, use: 
>
> phpCAS::handleLogoutRequests(false);
>
> The hosts allowed to send logout requests can also be passed in an array, 
> which might be useful with clustered CAS servers:
>
> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
> "server2.domain.edu"));
>
>
> "
>
> As I understand it, it should be enough either to use 
> phpCAS::handleLogoutRequests(false); 
> (which I tried, and it seems to have no impact) or to specify the CAS 
> server which is allowed to send logout requests in an array (which I did in 
> the example above).
>
>
>
>
> Monday, 23 April 2018, 16:25:18 UTC+2, user Manfredo Hopp wrote: 
>
> Logout requests are handled by clients. 
>
> .=> CAS_Client::handleLogoutRequests(true, array (  0 => 'cas-1.server.test.pl',)) [CAS.php:1276]
> D0EE .|Not a logout request [Client.php:1739]
>
> See phpcas
>
> On Monday, 23 April 2018, Viacheslav Babanin wrote:
>
> Hello, I have encountered an issue with SSO for SAML 1.1 clients with CAS 5.2 
>
> I am a rather new CAS user and probably I am missing something obvious.
>
> I am using the following phpCAS client:
>
> <?php
> require_once 'phpcas/source/CAS.php';
> // Enable debugging
> phpCAS::setDebug('phpCAS.log');
> // Enable verbose error messages. Disable in production!
> phpCAS::setVerbose(true);
> // Initialize phpCAS
> 
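As an added example (not code from the thread, and not phpCAS's own), here is a Python sketch of what a client-side handler such as phpCAS::handleLogoutRequests(true, array(...)) does with the back-channel logout request CAS POSTs to the service, including the allowed-host check the quoted documentation recommends and the size cap that limits the "bogus XML" risk it describes. The session store, the hostnames and the LogoutRequest body are constructed for the example; the message format follows the CAS protocol's SAML LogoutRequest, whose @NOT_USED@ NameID and SessionIndex also appear in the thread's CAS log.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Upper bound on a logout message; anything larger is dropped before parsing,
# since a host that may post arbitrary XML can otherwise tie the server up.
MAX_LOGOUT_REQUEST_BYTES = 8 * 1024


class SessionStore:
    """Constructed in-memory stand-in for the application's session store:
    maps the CAS service ticket that opened a session to that session."""

    def __init__(self):
        self.ticket_to_session = {}
        self.sessions = {}

    def open(self, ticket, session_id, user):
        self.ticket_to_session[ticket] = session_id
        self.sessions[session_id] = {"user": user}

    def destroy_by_ticket(self, ticket):
        """Drop the session opened with `ticket`; False if none is known."""
        session_id = self.ticket_to_session.pop(ticket, None)
        if session_id is None:
            return False
        self.sessions.pop(session_id, None)
        return True


def parse_logout_request(xml_text):
    """Return the SessionIndex (the service ticket) from a CAS SAML
    LogoutRequest, or None if the message is not a well-formed one.
    For production, defusedxml is the safer parser; the size cap is the
    minimum guard."""
    if len(xml_text.encode("utf-8")) > MAX_LOGOUT_REQUEST_BYTES:
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return None
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    if index is None or not index.text:
        return None
    ticket = index.text.strip()
    # CAS service tickets look like ST-<seq>-<random>[-<node>], e.g. the
    # ST-27-... ticket in the thread's phpCAS log.
    if not re.fullmatch(r"ST-\d+-[A-Za-z0-9_-]+", ticket):
        return None
    return ticket


def handle_logout_request(store, remote_host, form, allowed_hosts):
    """Process one back-channel POST and return a status string for the
    application log. `form` is the decoded POST body; `allowed_hosts` None
    means accept from any host, as phpCAS does when handleLogoutRequests(true)
    is called without a host array (Ray's suggestion while testing)."""
    body = form.get("logoutRequest")
    if body is None:
        return "not a logout request"
    if allowed_hosts is not None and remote_host not in allowed_hosts:
        return "rejected: host not allowed"
    ticket = parse_logout_request(body)
    if ticket is None:
        return "rejected: malformed logout request"
    if store.destroy_by_ticket(ticket):
        return f"logged out session for {ticket}"
    return f"ignored: no session for {ticket}"


# Constructed sample: the ticket from the thread's phpCAS log and the
# LogoutRequest CAS posts for it (CAS protocol format, NameID is @NOT_USED@).
SAMPLE_TICKET = "ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1"
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-constructed-1" Version="2.0" IssueInstant="2018-04-24T09:32:57Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "@NOT_USED@</saml:NameID>"
    f"<samlp:SessionIndex>{SAMPLE_TICKET}</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)
CAS_HOST = "cas-1.server.test.pl"  # CAS host from the thread's client config


def demo():
    """Run the handler through the cases the thread discusses; returns the
    status strings and the number of application sessions left."""
    store = SessionStore()
    store.open(SAMPLE_TICKET, "sess-1", "babanin")
    logout = {"logoutRequest": SAMPLE_LOGOUT_REQUEST}
    results = [
        handle_logout_request(store, CAS_HOST, {}, [CAS_HOST]),        # plain page hit
        handle_logout_request(store, "10.0.0.9", logout, [CAS_HOST]),  # wrong source host
        handle_logout_request(store, CAS_HOST, {"logoutRequest": "<bogus"}, [CAS_HOST]),
        handle_logout_request(store, CAS_HOST, logout, [CAS_HOST]),    # real single logout
        handle_logout_request(store, CAS_HOST, logout, [CAS_HOST]),    # replay, session gone
    ]
    return results, len(store.sessions)
```

The second case is the one Ray's caveat is about: if NAT or a proxy changes the apparent source host, a genuine logout from CAS is rejected with exactly this status, so test with `allowed_hosts=None` first and add the host list once the request visibly arrives.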

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Viacheslav Babanin
Ray,

I have set handleLogoutRequests(true) and added those Loggers to CAS 
log4j2.xml, restarted the CAS server in Tomcat, and nothing changes; in the log it 
seems like it's publishing the logout request, but there are no details.
That's exactly what I did:

1. Added Loggers to CAS log4j2.xml
2. Restarted CAS in Tomcat
3. Set handleLogoutRequests(true) in my SAML client.
4. Opened incognito mode in the Chrome browser.
5. Opened a tab with https://cas-client.ssl.stub/
6. CAS login page shows up. I logged in.
7. Opened a new tab with {cas-server}/cas/logout . Got the message that I am 
successfully logged out.
8. Refreshed the tab with the client. I am still logged in. The phpCAS log says that 
the user is already authenticated, no reason to authenticate. The application 
session still lives.

I have tried it both with BACK_CHANNEL and FRONT_CHANNEL set as a 
logoutType attributes in service definition.

I am attaching logs from CAS.

Thanks, 
Viacheslav



Monday, 23 April 2018, 18:35:17 UTC+2, user rbon wrote:
> [...]

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Ray Bon
Viacheslav,

You will want to have handleLogoutRequests(true) so that logout is handled. 
While testing, skip the CAS server array, just in case the network config 
changes the apparent source of the request.

Put this in your CAS log4j2.xml to see what happens on CAS side of things:
[...]
Ray

On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
That's how phpCAS.log looks if i provide it with 
phpCAS::handleLogoutRequests(false);

DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
[index.php:13]
DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 443, 
'/cas', true) [CAS.php:360]
DA64 .||Starting a new session 
ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
DA64 .||Session is authenticated as: babanin [Client.php:936]
DA64 .|<= ''
DA64 .<= ''
DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
DA64 .|You have configured no validation of the legitimacy of the cas 
server. This is not recommended for production use. [CAS.php:1644]
DA64 .<= ''
DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
DA64 .|Not a logout request [Client.php:1739]
DA64 .<= ''
DA64 .=> phpCAS::forceAuthentication() [index.php:27]
DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
[Client.php:1393]
DA64 .||||user = `babanin' [Client.php:1622]
DA64 .|||<= true
DA64 .|||user was already authenticated, no need to look for 
tickets [Client.php:1417]
DA64 .||<= true
DA64 .||no need to authenticate [Client.php:1282]
DA64 .|<= true
DA64 .<= ''


On Monday, 23 April 2018 at 16:33:09 UTC+2, Viacheslav Babanin wrote:
Could you elaborate, please?

Quoting official documentation at 
https://wiki.jasig.org/display/casc/phpcas+examples


"By default phpCAS by default only handles requests that emanate from the CAS 
host exclusively (declared in phpCAS::client() or phpCAS::proxy()). Failure to 
restrict SAML logout requests to authorized hosts could allow denial of service 
attacks where at the least the server is tied up parsing bogus XML messages.

To disable access control on logout requests, use:

phpCAS::handleLogoutRequests(false);


The hosts allowed to send logout requests can also be passed in an array which 
might be usefull in with clustered cas servers:

phpCAS::handleLogoutRequests(true, 
array("server1.domain.edu", 
"server2.domain.edu"));

"

As I understand it, it should be enough either to use 
phpCAS::handleLogoutRequests(false); (which I tried, and it seems to have no 
impact) or to specify the CAS server which is allowed to send logout requests in an 
array (which I did in the example above).




On Monday, 23 April 2018 at 16:25:18 UTC+2, Manfredo Hopp wrote:
Logout requests are handled by clients.

.=> CAS_Client::handleLogoutRequests(true, array (  0 => 
'cas-1.server.test.pl',)) [CAS.php:1276]
D0EE .|Not a logout request [Client.php:1739]

See phpcas

On Monday, 23 April 2018, Viacheslav Babanin wrote:
Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2

I am rather new cas user and probably i am missing something obvious.

I am using folowing phpCAS client:

$cas_host = 'cas-1.uek.krakow.pl';
// Context of the CAS Server
$cas_context = '/cas';
// Port of your CAS server. Normally for a https server it's 443
$cas_port = 443;
phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
// phpCAS::setCasServerCACert($cas_server_ca_cert_path);
// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
phpCAS::setNoCasServerValidation();
// force CAS authentication

$cas_real_hosts = array('cas-1.uek.krakow.pl');


phpCAS::handleLogoutRequests(true, $cas_real_hosts);

phpCAS::forceAuthentication();
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
// logout if desired
// logout if desired
if (isset($_REQUEST['logout'])) {
phpCAS::logout();
}
?>


Advanced SAML 1.1 example



Advanced SAML 1.1 example


Authentication succeeded for user
.
User has attributes
.
User Attributes

 $value) {
if (is_array($value)) {
echo '', $key, ':';
foreach ($value as $item) {
 

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Viacheslav Babanin
That's how phpCAS.log looks if I provide it with 
phpCAS::handleLogoutRequests(false);

DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') [index.php:13]
DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 443, '/cas', true) [CAS.php:360]
DA64 .||Starting a new session ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
DA64 .||Session is authenticated as: babanin [Client.php:936]
DA64 .|<= ''
DA64 .<= ''
DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
DA64 .|You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1644]
DA64 .<= ''
DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
DA64 .|Not a logout request [Client.php:1739]
DA64 .<= ''
DA64 .=> phpCAS::forceAuthentication() [index.php:27]
DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1393]
DA64 .||||user = `babanin' [Client.php:1622]
DA64 .|||<= true
DA64 .|||user was already authenticated, no need to look for tickets [Client.php:1417]
DA64 .||<= true
DA64 .||no need to authenticate [Client.php:1282]
DA64 .|<= true
DA64 .<= ''


On Monday, 23 April 2018 at 16:33:09 UTC+2, Viacheslav Babanin wrote:
>
> Could you elaborate, please?
>
> Quoting official documentation at 
> https://wiki.jasig.org/display/casc/phpcas+examples
>
> "By default phpCAS by default only handles requests that emanate from the 
> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
> Failure to restrict SAML logout requests to authorized hosts could allow 
> denial of service attacks where at the least the server is tied up parsing 
> bogus XML messages.
>
> To disable access control on logout requests, use: 
>
> phpCAS::handleLogoutRequests(false);
>
> The hosts allowed to send logout requests can also be passed in an array 
> which might be usefull in with clustered cas servers:
>
> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
> "server2.domain.edu"));
>
>
> "
>
> As I understand it, it should be enough either to use 
> phpCAS::handleLogoutRequests(false); 
> (which I tried, and it seems to have no impact) or to specify the CAS 
> server which is allowed to send logout requests in an array (which I did in 
> the example above).
>
>
>
>
> On Monday, 23 April 2018 at 16:25:18 UTC+2, Manfredo Hopp wrote:
>>
>> Logout requests are handled by clients.
>>
>> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
>> cas-1.server.test.pl',)) [CAS.php:1276]
>> D0EE .|Not a logout request [Client.php:1739]
>>
>> See phpcas
>>
>> On Monday, 23 April 2018, Viacheslav Babanin wrote:
>>
>>> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 
>>> 5.2
>>>
>>> I am rather new cas user and probably i am missing something obvious.
>>>
>>> I am using folowing phpCAS client:
>>>
>>> >> require_once 'phpcas/source/CAS.php';
>>> // Enable debugging
>>> phpCAS::setDebug('phpCAS.log');
>>> // Enable verbose error messages. Disable in production!
>>> phpCAS::setVerbose(true);
>>> // Initialize phpCAS
>>> $cas_host = 'cas-1.uek.krakow.pl';
>>> // Context of the CAS Server
>>> $cas_context = '/cas';
>>> // Port of your CAS server. Normally for a https server it's 443
>>> $cas_port = 443;
>>> phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
>>> // For production use set the CA certificate that is the issuer of the 
>>> cert
>>> // on the CAS server and uncomment the line below
>>> // phpCAS::setCasServerCACert($cas_server_ca_cert_path);
>>> // For quick testing you can disable SSL validation of the CAS server.
>>> // THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
>>> // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS 
>>> PROTOCOL!
>>> phpCAS::setNoCasServerValidation();
>>> // force CAS authentication
>>>
>>> $cas_real_hosts = array('cas-1.uek.krakow.pl');
>>>
>>>
>>> phpCAS::handleLogoutRequests(true, $cas_real_hosts);
>>>
>>> phpCAS::forceAuthentication();
>>> // at this step, the user has been authenticated by the CAS server
>>> // and the user's login name can be read with phpCAS::getUser().
>>> // logout if desired
>>> // logout if desired
>>> if (isset($_REQUEST['logout'])) {
>>> phpCAS::logout();
>>> }
>>> ?>
>>> 
>>> 
>>> Advanced SAML 1.1 example
>>> 
>>> 
>>> 
>>> Advanced SAML 1.1 example
>>> 
>>>
>>> Authentication succeeded for user
>>> .
>>> User has attributes
>>> >> echo 'true';
>>> }
>>> else {
>>> echo 'false';
>>> }
>>>
>>> ?>.
>>> User Attributes
>>> 
>>> >> foreach (phpCAS::getAttributes() as $key => $value) {
>>> if (is_array($value)) {
>>> echo '', 

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Viacheslav Babanin
Could you elaborate, please?

Quoting official documentation 
at https://wiki.jasig.org/display/casc/phpcas+examples

"By default phpCAS by default only handles requests that emanate from the 
CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
Failure to restrict SAML logout requests to authorized hosts could allow 
denial of service attacks where at the least the server is tied up parsing 
bogus XML messages.

To disable access control on logout requests, use: 

phpCAS::handleLogoutRequests(false);

The hosts allowed to send logout requests can also be passed in an array 
which might be usefull in with clustered cas servers:

phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
"server2.domain.edu"));


"

As I understand it, it should be enough either to use 
phpCAS::handleLogoutRequests(false); 
(which I tried, and it seems to have no impact) or to specify the CAS server 
which is allowed to send logout requests in an array (which I did in the 
example above).




On Monday, 23 April 2018 at 16:25:18 UTC+2, Manfredo Hopp wrote:
>
> Logout requests are handled by clients.
>
> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
> cas-1.server.test.pl',)) [CAS.php:1276]
> D0EE .|Not a logout request [Client.php:1739]
>
> See phpcas
>
> On Monday, 23 April 2018, Viacheslav Babanin wrote:
>
>> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2
>>
>> I am rather new cas user and probably i am missing something obvious.
>>
>> I am using folowing phpCAS client:
>>
>> > require_once 'phpcas/source/CAS.php';
>> // Enable debugging
>> phpCAS::setDebug('phpCAS.log');
>> // Enable verbose error messages. Disable in production!
>> phpCAS::setVerbose(true);
>> // Initialize phpCAS
>> $cas_host = 'cas-1.uek.krakow.pl';
>> // Context of the CAS Server
>> $cas_context = '/cas';
>> // Port of your CAS server. Normally for a https server it's 443
>> $cas_port = 443;
>> phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
>> // For production use set the CA certificate that is the issuer of the 
>> cert
>> // on the CAS server and uncomment the line below
>> // phpCAS::setCasServerCACert($cas_server_ca_cert_path);
>> // For quick testing you can disable SSL validation of the CAS server.
>> // THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
>> // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS 
>> PROTOCOL!
>> phpCAS::setNoCasServerValidation();
>> // force CAS authentication
>>
>> $cas_real_hosts = array('cas-1.uek.krakow.pl');
>>
>>
>> phpCAS::handleLogoutRequests(true, $cas_real_hosts);
>>
>> phpCAS::forceAuthentication();
>> // at this step, the user has been authenticated by the CAS server
>> // and the user's login name can be read with phpCAS::getUser().
>> // logout if desired
>> // logout if desired
>> if (isset($_REQUEST['logout'])) {
>> phpCAS::logout();
>> }
>> ?>
>> 
>> 
>> Advanced SAML 1.1 example
>> 
>> 
>> 
>> Advanced SAML 1.1 example
>> 
>>
>> Authentication succeeded for user
>> .
>> User has attributes
>> > echo 'true';
>> }
>> else {
>> echo 'false';
>> }
>>
>> ?>.
>> User Attributes
>> 
>> > foreach (phpCAS::getAttributes() as $key => $value) {
>> if (is_array($value)) {
>> echo '', $key, ':';
>> foreach ($value as $item) {
>> echo '', $item, '';
>> }
>> echo '';
>> } else {
>> echo '', $key, ': ', $value, '' . 
>> PHP_EOL;
>> }
>> }
>> ?>
>> 
>> Logout
>> 
>> 
>>
>>
>> Single sign in works like expected. If I have several CAS clients, when I 
>> log in to one of them, I am authenticated in all, like expected.
>>
>> But Single Logout completely doesn't work for me. When I log out using 
>> CAS logout endpoint "{cas-server}/cas/logout" i receive message that I am 
>> logged out from CAS and I can see in SSO manager that CAS Session is 
>> terminated.
>> But all application sessions are still alive, I am allowed not only to 
>> navigate client pages but also close\open tabs and I am still logged in.
>>
>> I have tried to configure service with client application with both 
>> "BACK_CHANNEL" and "FRONT_CHANNEL" logoutType with no luck.
>>
>> 1. If I use BACK_CHANNEL.
>>
>> Thats how service definition looks like:
>>
>> {
>>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>   "serviceId" : "https://cas-client.ssl.stub/",
>>   "name" : "example_simple_citest",
>>   "id" : 7,
>>   "logoutType" : "BACK_CHANNEL",
>>
>>   "attributeReleasePolicy" : {
>> "@class" : 
>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>> "allowedAttributes" : {
>>   "@class" : "java.util.TreeMap",
>>   "uid" : "user_id",
>> "sn" : "surname"
>>  }
>> }
>>   }
>>
>>
>> When I log out using "{cas-server}/cas/logout" endpoint CAS server log 
>> looks like this: 

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Man H
Logout requests are handled by clients.

.=> CAS_Client::handleLogoutRequests(true, array (  0 => '
cas-1.server.test.pl',)) [CAS.php:1276]
D0EE .|Not a logout request [Client.php:1739]

See phpCAS.

On Monday, 23 April 2018, Viacheslav Babanin wrote:

> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2
>
> I am rather new cas user and probably i am missing something obvious.
>
> I am using folowing phpCAS client:
>
>  require_once 'phpcas/source/CAS.php';
> // Enable debugging
> phpCAS::setDebug('phpCAS.log');
> // Enable verbose error messages. Disable in production!
> phpCAS::setVerbose(true);
> // Initialize phpCAS
> $cas_host = 'cas-1.uek.krakow.pl';
> // Context of the CAS Server
> $cas_context = '/cas';
> // Port of your CAS server. Normally for a https server it's 443
> $cas_port = 443;
> phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
> // For production use set the CA certificate that is the issuer of the cert
> // on the CAS server and uncomment the line below
> // phpCAS::setCasServerCACert($cas_server_ca_cert_path);
> // For quick testing you can disable SSL validation of the CAS server.
> // THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
> // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS
> PROTOCOL!
> phpCAS::setNoCasServerValidation();
> // force CAS authentication
>
> $cas_real_hosts = array('cas-1.uek.krakow.pl');
>
>
> phpCAS::handleLogoutRequests(true, $cas_real_hosts);
>
> phpCAS::forceAuthentication();
> // at this step, the user has been authenticated by the CAS server
> // and the user's login name can be read with phpCAS::getUser().
> // logout if desired
> // logout if desired
> if (isset($_REQUEST['logout'])) {
> phpCAS::logout();
> }
> ?>
> 
> 
> Advanced SAML 1.1 example
> 
> 
> 
> Advanced SAML 1.1 example
> 
>
> Authentication succeeded for user
> .
> User has attributes
>  echo 'true';
> }
> else {
> echo 'false';
> }
>
> ?>.
> User Attributes
> 
>  foreach (phpCAS::getAttributes() as $key => $value) {
> if (is_array($value)) {
> echo '', $key, ':';
> foreach ($value as $item) {
> echo '', $item, '';
> }
> echo '';
> } else {
> echo '', $key, ': ', $value, '' .
> PHP_EOL;
> }
> }
> ?>
> 
> Logout
> 
> 
>
>
> Single sign in works like expected. If I have several CAS clients, when I
> log in to one of them, I am authenticated in all, like expected.
>
> But Single Logout completely doesn't work for me. When I log out using CAS
> logout endpoint "{cas-server}/cas/logout" i receive message that I am
> logged out from CAS and I can see in SSO manager that CAS Session is
> terminated.
> But all application sessions are still alive, I am allowed not only to
> navigate client pages but also close\open tabs and I am still logged in.
>
> I have tried to configure service with client application with both
> "BACK_CHANNEL" and "FRONT_CHANNEL" logoutType with no luck.
>
> 1. If I use BACK_CHANNEL.
>
> Thats how service definition looks like:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "https://cas-client.ssl.stub/",
>   "name" : "example_simple_citest",
>   "id" : 7,
>   "logoutType" : "BACK_CHANNEL",
>
>   "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePo
> licy",
> "allowedAttributes" : {
>   "@class" : "java.util.TreeMap",
>   "uid" : "user_id",
> "sn" : "surname"
>  }
> }
>   }
>
>
> When I log out using "{cas-server}/cas/logout" endpoint CAS server log
> looks like this: back.txt (see attachment)
>
> phpCAS.log doesn't log anything in this case. And application session
> still lives untill I close browser.
>
> 2. If I use FRONT_CHANNEL.
>
> Thats how service definition looks like:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "https://cas-client.ssl.stub/",
>   "name" : "example_simple_citest",
>   "id" : 7,
>   "logoutType" : "FRONT_CHANNEL",
>
>   "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePo
> licy",
> "allowedAttributes" : {
>   "@class" : "java.util.TreeMap",
>   "uid" : "user_id",
> "sn" : "surname"
>  }
> }
>   }
>
> When I log out using "{cas-server}/cas/logout" endpoint CAS server log
> looks like this: front.txt (see attachment)
>
> And I see following message upon logout on endpoint page:
>
>
> Which tells me that logout notification has been sent.
>
> At the same time, when endpoint logout happens, phpCAS.log logs following
> message.
>
> D0EE .START (2018-04-23 15:37:16) phpCAS-1.3.5 

[cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Viacheslav Babanin
Hello, I have encountered an issue with SSO for SAML 1.1 clients with CAS 5.2.

I am a rather new CAS user and probably I am missing something obvious.

I am using the following phpCAS client:

<?php
require_once 'phpcas/source/CAS.php';
// Enable debugging
phpCAS::setDebug('phpCAS.log');
// Enable verbose error messages. Disable in production!
phpCAS::setVerbose(true);
// Initialize phpCAS
$cas_host = 'cas-1.uek.krakow.pl';
// Context of the CAS Server
$cas_context = '/cas';
// Port of your CAS server. Normally for a https server it's 443
$cas_port = 443;
phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
// phpCAS::setCasServerCACert($cas_server_ca_cert_path);
// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
phpCAS::setNoCasServerValidation();
// CAS hosts allowed to send single logout requests
$cas_real_hosts = array('cas-1.uek.krakow.pl');
phpCAS::handleLogoutRequests(true, $cas_real_hosts);
// force CAS authentication
phpCAS::forceAuthentication();
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
?>
<html>
  <head>
    <title>Advanced SAML 1.1 example</title>
  </head>
  <body>
    <h1>Advanced SAML 1.1 example</h1>
    <p>Authentication succeeded for user <b><?php echo phpCAS::getUser(); ?></b>.</p>
    <p>User has attributes <b><?php echo phpCAS::hasAttributes() ? 'true' : 'false'; ?></b>.</p>
    <h2>User Attributes</h2>
    <ul>
<?php
// attribute values are echoed unescaped; wrap them in htmlspecialchars() if they can contain markup
foreach (phpCAS::getAttributes() as $key => $value) {
    if (is_array($value)) {
        echo '<li>', $key, ':<ol>';
        foreach ($value as $item) {
            echo '<li><strong>', $item, '</strong></li>';
        }
        echo '</ol></li>';
    } else {
        echo '<li>', $key, ': <strong>', $value, '</strong></li>' . PHP_EOL;
    }
}
?>
    </ul>
    <p><a href="?logout=">Logout</a></p>
  </body>
</html>

Single sign-in works as expected. If I have several CAS clients, when I 
log in to one of them, I am authenticated in all of them, as expected.

But single logout does not work for me at all. When I log out using the CAS 
logout endpoint "{cas-server}/cas/logout", I receive a message that I am 
logged out from CAS, and I can see in the SSO manager that the CAS session is 
terminated.
But all application sessions are still alive: I am allowed not only to 
navigate client pages but also to close/open tabs, and I am still logged in.

I have tried to configure the service for the client application with both 
"BACK_CHANNEL" and "FRONT_CHANNEL" logoutType, with no luck.

1. If I use BACK_CHANNEL.

That's how the service definition looks:

{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas-client.ssl.stub/",
  "name" : "example_simple_citest",
  "id" : 7,
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uid" : "user_id",
      "sn" : "surname"
    }
  }
}


When I log out using the "{cas-server}/cas/logout" endpoint, the CAS server log 
looks like this: back.txt (see attachment)

phpCAS.log doesn't log anything in this case, and the application session still 
lives until I close the browser.

2. If I use FRONT_CHANNEL.

That's how the service definition looks:

{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas-client.ssl.stub/",
  "name" : "example_simple_citest",
  "id" : 7,
  "logoutType" : "FRONT_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uid" : "user_id",
      "sn" : "surname"
    }
  }
}

When I log out using the "{cas-server}/cas/logout" endpoint, the CAS server log 
looks like this: front.txt (see attachment)

And I see the following message upon logout on the endpoint page:

Which tells me that the logout notification has been sent.

At the same time, when the endpoint logout happens, phpCAS.log logs the following 
message.

D0EE .START (2018-04-23 15:37:16) phpCAS-1.3.5 ** [CAS.php:468]
D0EE .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') [index.php:13]
D0EE .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 443, '/cas', true) [CAS.php:360]
D0EE .||Starting a new session ST-26-6Ad0C8OCIF5n-1zWgmiE8HZdw-E-v-cas-1 [Client.php:932]
D0EE .||Session is authenticated as: babanin [Client.php:936]
D0EE .|<= ''
D0EE .<= ''
D0EE .=> phpCAS::setNoCasServerValidation() [index.php:20]
D0EE .|You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1644]
D0EE .<= ''
D0EE .=> CAS_Client::handleLogoutRequests(true, array (  0 => 'cas-1.server.test.pl',)) [CAS.php:1276]
D0EE .|Not a logout request [Client.php:1739]
D0EE .<= ''
D0EE .=> phpCAS::forceAuthentication() [index.php:27]
D0EE .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
D0EE .||=> CAS_Client::isAuthenticated() [Client.php:1280]
D0EE .|||=> CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1393]
D0EE .||||user = `babanin' [Client.php:1622]
D0EE .|||<= true
D0EE .|||user was already authenticated, no need to look for tickets [Client.php:1417]
D0EE .||<= true
D0EE .||no need to authenticate [Client.php:1282]
D0EE .|<= true
D0EE .<= ''

This message looks exactly like a regular login message, but it appears when the 
tab with the application is closed, and at the exact time when CAS sends the logout 
notification.
It seems like the client receives the FRONT_CHANNEL connection from the server but 
fails to recognise it as a logout request.


So, summarising:

Logging out from CAS using both the endpoint and CASified applications causes 
CAS to terminate the SSO session but fails to terminate the application sessions.
As a client I am using the example code from the phpCAS documentation.
Please help me to solve this issue, or, at least, get an understanding of 
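
What the CAS server actually sends on single logout, and the three decisions a client has to make about it, as an added Python example; it is not part of the original post and not phpCAS code, only a stand-alone illustration of the same logic that Ray Bon's reply and the phpCAS documentation quoted above describe. On back-channel logout CAS POSTs a `logoutRequest` form field to the registered service URL carrying a SAML LogoutRequest whose SessionIndex is the service ticket that created the application session; the sample request below is constructed, reusing the ticket id from the phpCAS.log above. The client must (1) recognise the request, which phpCAS 1.3.5 does only for a POST carrying `logoutRequest`, so anything else lands in the "Not a logout request" branch seen in the log; (2) check the source against the allowed CAS hosts, which phpCAS does by reverse DNS of the peer address, which is why the advice above is to test without the host list first; and (3) destroy the session the ticket maps to, which only works if the ticket-to-session mapping was recorded at login. The SessionStore class, the `resolve` parameter, the size cap and the result strings are this example's own; the form dictionary is assumed to be already URL-decoded by the web framework.

```python
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, Optional

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
MAX_LOGOUT_BODY = 64 * 1024  # refuse oversized XML before parsing (the DoS the phpCAS docs warn about)

# Constructed sample of what CAS POSTs to the service URL on back-channel logout.
# The SessionIndex reuses the service ticket id visible in the phpCAS.log above.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-constructed" Version="2.0" IssueInstant="2018-04-23T13:37:16Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-26-6Ad0C8OCIF5n-1zWgmiE8HZdw-E-v-cas-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class SessionStore:
    """Application sessions plus the ST -> session-id index that single logout needs."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}  # session_id -> session data
        self.by_ticket: Dict[str, str] = {}  # service ticket -> session_id

    def login(self, ticket: str, session_id: str, user: str) -> None:
        # Record the mapping when the ST is validated: the logout request
        # names only the ST, never the application's own session id.
        self.sessions[session_id] = {"user": user, "ticket": ticket}
        self.by_ticket[ticket] = session_id

    def destroy_by_ticket(self, ticket: str) -> bool:
        session_id = self.by_ticket.pop(ticket, None)
        return session_id is not None and self.sessions.pop(session_id, None) is not None


def is_logout_request(method: str, form: Dict[str, str]) -> bool:
    """phpCAS 1.3.5 semantics: only a POST carrying `logoutRequest` counts.
    A GET to the same URL is handled like any other page load, which is
    what the 'Not a logout request' trace line in the log means."""
    return method.upper() == "POST" and "logoutRequest" in form


def reverse_dns(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def source_allowed(remote_addr: str, allowed_hosts: Iterable[str],
                   resolve: Callable[[str], str] = reverse_dns) -> bool:
    """Accept only peers whose literal address or reverse-DNS name is in the
    allow-list.  The client compares the *reverse* name of the peer, not the
    forward name you configured, so a list that is right on paper can still
    reject every real logout request; hence the advice to test without it first."""
    allowed = set(allowed_hosts)
    if remote_addr in allowed:
        return True
    try:
        return resolve(remote_addr) in allowed
    except OSError:
        return False


def session_index(logout_request_xml: str) -> Optional[str]:
    """Return the service ticket from <samlp:SessionIndex>, or None when the
    body is not a well-formed LogoutRequest."""
    if len(logout_request_xml) > MAX_LOGOUT_BODY:
        return None
    try:
        root = ET.fromstring(logout_request_xml)  # prefer defusedxml in production
    except ET.ParseError:
        return None
    if root.tag != SAMLP + "LogoutRequest":
        return None
    node = root.find(SAMLP + "SessionIndex")
    return node.text.strip() if node is not None and node.text else None


def handle_logout(method: str, form: Dict[str, str], remote_addr: str,
                  allowed_hosts: Optional[Iterable[str]], store: SessionStore,
                  resolve: Callable[[str], str] = reverse_dns) -> str:
    """Outcome of one request: 'not-logout', 'rejected-host', 'bad-request',
    'no-session' or 'logged-out'.  `form` is the URL-decoded POST body as the
    web framework hands it over; allowed_hosts=None disables the source check,
    like phpCAS::handleLogoutRequests(false)."""
    if not is_logout_request(method, form):
        return "not-logout"
    if allowed_hosts is not None and not source_allowed(remote_addr, allowed_hosts, resolve):
        return "rejected-host"
    ticket = session_index(form["logoutRequest"])
    if ticket is None:
        return "bad-request"
    return "logged-out" if store.destroy_by_ticket(ticket) else "no-session"


if __name__ == "__main__":
    store = SessionStore()
    store.login("ST-26-6Ad0C8OCIF5n-1zWgmiE8HZdw-E-v-cas-1", "PHPSESSID-demo", "babanin")
    # Offline stand-in for reverse DNS; 10.0.0.5 plays the CAS server.
    fake_dns = lambda ip: {"10.0.0.5": "cas-1.server.test.pl"}.get(ip, "unknown.example")
    form = {"logoutRequest": SAMPLE_LOGOUT_REQUEST}
    for method, addr in (("GET", "10.0.0.5"), ("POST", "10.0.0.9"), ("POST", "10.0.0.5")):
        print(method, addr, handle_logout(method, form, addr, ["cas-1.server.test.pl"], store, fake_dns))
```

Two consequences follow from this flow. Back-channel logout only reaches the client if the CAS server itself can open a connection to the registered serviceId; when that hostname is not resolvable or reachable from the CAS host, nothing arrives and the client log stays empty. Front-channel logout travels through the user's browser instead, and a client that recognises logout requests only as a POST with `logoutRequest` will treat that visit as an ordinary page load.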

[cas-user] CAS 5.2.x as IDP using SAML 2.0

2018-04-12 Thread Jay
Hello everyone,

We are currently in the process of upgrading from CAS 3.5 to CAS 5.2. As part of 
this effort we need to provide support for SAML authentication to an 
external application (say, the 'abc' application).

Here 'abc' will be the SP and the new CAS 5.x will be the identity provider.

Could someone guide us or tell us how to achieve this, since we are new to the CAS 5.x 
framework? It would be very helpful to achieve this implementation.

Thanks,
Jay

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2dfb8750-be37-4603-8621-5cc51142d6e4%40apereo.org.


Re: [cas-user] CAS 5.2 return JWT for service

2018-04-11 Thread Cristina Vlaicu
Rhfbc

On Thu, Apr 12, 2018, 01:40 William E.  wrote:

> Hi all,
>
>
> I am trying to follow the CAS docs to configure a service to return jwt's
> but not having much success.
>
> Docs I am reading on this:
>
>
> https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
>
>  https://apereo.github.io/2017/10/17/cas-jwt-authn-with-duo/ (JWT Service
> Tickets portion)
>
>
> My cas.properties has:
>
> cas.authn.token.crypto.enabled=true
> cas.authn.token.crypto.encryptionEnabled=true
> cas.authn.token.crypto.signing.key=/etc/cas/config/token-signing.jwk
> cas.authn.token.crypto.signing.keySize=512
> cas.authn.token.crypto.encryption.key=/etc/cas/config/token-encryption.jwk
> cas.authn.token.crypto.encryption.keySize=256
> cas.authn.token.crypto.alg=AES
>
>
> jwk's generated per docs:
>
> wget https://raw.githubusercontent.com/apereo/cas/master/etc/jwk-gen.jar
> java -jar jwk-gen.jar -t oct -s 512 >/etc/cas/config/token-signing.jwk
> java -jar jwk-gen.jar -t oct -s 256 >/etc/cas/config/token-encryption.jwk
>
> $ file /etc/cas/config/token*
> /etc/cas/config/token-encryption.jwk: ASCII text
> /etc/cas/config/token-signing.jwk: ASCII text
>
>
> Using maven overlay, my pom.xml has the rest snippet:
>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-token-tickets</artifactId>
>   <version>${cas.version}</version>
> </dependency>
>
>
> My service has the jwt as ticket property:
>
> properties:
> {
> @class: java.util.LinkedHashMap
> jwtAsServiceTicket:
> {
> @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
> values:
> [
> java.util.HashSet
> [
> "true"
> ]
> ]
> }
> }
>
> In the CAS CLI I can generate a jwt that appears valid. But when I use my
> service via web browser I see no header or cookie referencing a ticket with
> JWT- prefix, nor a jwt formatted base64 string, I just see the normal ST-
> ticket. I'm using a simple tomcat webapp wit cas client filters and
> java-cas-client 3.5.0.
>
> Anyone made JWT's work yet for cas 5.2.3?  Any idea what step I missed?
>
> Thanks,
> William
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALm%2ByJ0J5P6me6cOtoEgA_YKUTD0AF2B9eF-QMqBf_PrciCzQA%40mail.gmail.com.


[cas-user] CAS 5.2 return JWT for service

2018-04-11 Thread William E.
Hi all,


I am trying to follow the CAS docs to configure a service to return JWTs, 
but I am not having much success. 

Docs I am reading on this:

 
https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
 
 https://apereo.github.io/2017/10/17/cas-jwt-authn-with-duo/ (JWT Service 
Tickets portion)


My cas.properties has:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=/etc/cas/config/token-signing.jwk
cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.key=/etc/cas/config/token-encryption.jwk
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=AES


jwk's generated per docs:

wget https://raw.githubusercontent.com/apereo/cas/master/etc/jwk-gen.jar
java -jar jwk-gen.jar -t oct -s 512 >/etc/cas/config/token-signing.jwk
java -jar jwk-gen.jar -t oct -s 256 >/etc/cas/config/token-encryption.jwk

$ file /etc/cas/config/token*
/etc/cas/config/token-encryption.jwk: ASCII text
/etc/cas/config/token-signing.jwk: ASCII text


Using a Maven overlay, my pom.xml has this snippet:

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-token-tickets</artifactId>
  <version>${cas.version}</version>
</dependency>


My service has the JWT-as-service-ticket property:

"properties" : {
  "@class" : "java.util.LinkedHashMap",
  "jwtAsServiceTicket" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "true" ] ]
  }
}

In the CAS CLI I can generate a JWT that appears valid. But when I use my 
service via a web browser I see no header or cookie referencing a ticket with 
the JWT- prefix, nor a JWT-formatted base64 string; I just see the normal ST- 
ticket. I'm using a simple Tomcat webapp with CAS client filters and 
java-cas-client 3.5.0. 

Has anyone made JWTs work yet for CAS 5.2.3?  Any idea what step I missed?

Thanks,
William


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2ce63d92-fef6-41c4-9167-9c388f73d3e7%40apereo.org.
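
A relying-party view of the JWT-as-service-ticket feature William is enabling, as an added Python example; it is not CAS's own code and not part of the thread. It shows how a client can tell an opaque `ST-...` ticket (which must still go to /serviceValidate) from a compact JWT arriving in the `ticket` parameter, how to read the `oct` JWK that `jwk-gen.jar -t oct -s 512` produces (kty "oct", key bytes base64url-encoded in "k"), and how to verify an HS512-signed token with the algorithm pinned, the audience checked and a constant-time MAC comparison. Assumptions: the JWK and signing key are constructed for the example; the claim layout (iss, sub, aud, exp) is assumed rather than taken from CAS's JWT builder; and only a plain signed JWS is verified. With `cas.authn.token.crypto.encryptionEnabled=true`, as in the configuration above, CAS additionally encrypts the signed token into a JWE (five dot-separated segments), which this example only classifies and does not decrypt; use a JOSE library for that.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the file `jwk-gen.jar -t oct -s 512` writes: a
# symmetric 64-byte key, base64url-encoded in "k".  Not a key from any deployment.
DEMO_KEY = hashlib.sha512(b"constructed demo key for this example").digest()
DEMO_JWK = json.dumps({"kty": "oct", "k": base64.urlsafe_b64encode(DEMO_KEY).rstrip(b"=").decode()})


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_oct_jwk(jwk_json: str) -> bytes:
    """Read the symmetric key out of an `oct` JWK such as token-signing.jwk."""
    jwk = json.loads(jwk_json)
    if jwk.get("kty") != "oct" or not jwk.get("k"):
        raise ValueError("expected a symmetric (kty=oct) JWK with a k member")
    key = b64url_decode(jwk["k"])
    if len(key) < 64:  # HS512 needs a key of at least 512 bits
        raise ValueError("signing key shorter than 512 bits")
    return key


def classify_ticket(ticket: str) -> str:
    """What arrived in the `ticket` parameter: an opaque service ticket that
    still has to be sent to /serviceValidate, a compact JWS (3 segments), a
    compact JWE (5 segments, what a signed-then-encrypted token looks like),
    or something else."""
    if ticket.startswith("ST-"):
        return "ST"
    return {3: "JWS", 5: "JWE"}.get(ticket.count(".") + 1, "unknown")


def sign_hs512(claims: dict, key: bytes) -> str:
    """Mint a compact HS512 JWS; used here only to produce tokens to verify."""
    header = b64url_encode(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_hs512(token: str, key: bytes, audience: str, now: Optional[float] = None) -> dict:
    """Check the signature first, then the claims a relying party must check.
    The algorithm is pinned: a header saying alg=none or any other alg is
    rejected instead of being trusted to choose the verification method."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS512":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued for a different service")
    now = time.time() if now is None else now
    if "exp" in claims and float(claims["exp"]) <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    key = load_oct_jwk(DEMO_JWK)
    # Assumed claim layout (iss/sub/aud/exp); not taken from CAS's own JWT builder.
    token = sign_hs512({"iss": "https://cas-1.server.test.pl/cas", "sub": "babanin",
                        "aud": "https://app.example/", "exp": int(time.time()) + 300}, key)
    print(classify_ticket("ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1"), classify_ticket(token))
    print(verify_hs512(token, key, "https://app.example/"))
```

The practical check for a setup like the one above is the first function: if `classify_ticket` keeps reporting "ST" for what comes back from /login, the server is still issuing opaque tickets and no client-side JWT handling will ever run; if it reports "JWE", the encryption layer is on and the client needs the encryption key as well as the signing key.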


[cas-user] CAS 5.2 login with UPN removing domain

2018-04-11 Thread dag
Hi all,

I've configured Apereo CAS 5.2, and it's running fine using UPN.
However, is there any parameter to include in the cas.properties config file to 
allow authentication through UPN without typing the domain name?

Thanks in advance.


Regards.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f510ee68-9d98-4189-ac15-2900085a1516%40apereo.org.


Re: [cas-user] CAS 5.2 delegate authentication to custom CAS 3

2018-03-26 Thread Diego Henrique Pagani
I've already read that, but it doesn't explain how it works.
I saw four parameters in the CAS properties that I've set to several values, and
nothing changes.

In other versions, we have to (I found it at
https://wiki.jasig.org/download/attachments/48596744/How+to+Trust+Another+CAS+Server.pdf?version=1=1321479461428
but it's from 2011):

1. Set the trusted authentication handler
2. Modify the Spring Webflow login
3. Use CAS "gateway" mode

My SSO session is working: I can log in on CAS3 and it gets back to my
applications (using CAS5 as a bridge). My problem is to set CAS5 to ignore
the login page and go directly to CAS3.

On Thu, 22 Mar 2018 at 18:18, Man H wrote:

> see
> https://apereo.github.io/cas/5.2.x/installation/Trusted-Authentication.html
>
> 2018-03-22 17:52 GMT-03:00 Diego Henrique Pagani :
>
>> Hello,
>>
>> I have a problem, guys:
>> We have a legacy CAS3, which has some customizations inside the source
>> code, and some applications that *only authenticate* with this specific
>> CAS (let's call it app1).
>> Recently, I configured a new CAS5, and some applications (let's call them app2)
>> using the OAuth2 protocol to communicate with CAS5, and everything is working
>> fine, until now.
>>
>> We need an SSO session between app1 and app2, but app1 only uses CAS3 and
>> app2 only uses CAS5. So, I have configured CAS5 to delegate authentication
>> to CAS3, which is working, but I have to click on the login screen to redirect to
>> CAS3. Is it possible to redirect to CAS3 directly?
>>
>>
>>
>>
>>
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6865a0ec-5190-4eca-beb3-929d3ab4f9fd%40apereo.org
>>
>
-- 
Diego Henrique Pagani



Re: [cas-user] CAS 5.2 delegate authentication to custom CAS 3

2018-03-26 Thread Diego Henrique Pagani
Hi, after I read the documentation on 'Delegate Authentication':

User Interface

All available clients are automatically displayed on the login page as
clickable buttons. CAS does allow options for auto-redirection of the
authentication flow to a provider, if only there is a single provider
available and configured.

I've removed all the authentication methods and
set cas.authn.pac4j.autoRedirect=true, and everything works fine.


Thanks

On Fri, 23 Mar 2018 at 10:31, Diego Henrique Pagani <dhpag...@gmail.com> wrote:

> I've already read that but it doesn't explain how it works.
> I saw in cas.properties four parameters that I've set to several values,
> and nothing changes.
>
> In other versions, we have to (I found it at
> https://wiki.jasig.org/download/attachments/48596744/How+to+Trust+Another+CAS+Server.pdf?version=1=1321479461428
> but it's from 2011):
>
> 1. Set the trusted authentication handler
> 2. Modify the Spring Web Flow login
> 3. The use of CAS "gateway" mode
>
> My SSO session is working: I can log in on CAS3 and it gets back to my
> applications (using CAS5 as a bridge). My problem is to set CAS5 to ignore
> the login page and go directly to CAS3.
>
>
>
>
>
> On Thu, 22 Mar 2018 at 18:18, Man H wrote:
>
>> see
>> https://apereo.github.io/cas/5.2.x/installation/Trusted-Authentication.html
>>
>> 2018-03-22 17:52 GMT-03:00 Diego Henrique Pagani:
>>
>>> Hello,
>>>
>>> I have a problem, guys:
>>> We have a legacy CAS3, which has some customizations inside the source
>>> code, and some applications that *only authenticate* with this specific
>>> CAS (let's call it app1).
>>> Recently, I configured a new CAS5; some applications (let's call them app2)
>>> use the OAuth2 protocol to communicate with CAS5, and everything is working
>>> fine until now.
>>>
>>> We need an SSO session between app1 and app2, but app1 only uses CAS3 and
>>> app2 only uses CAS5. So, I have configured CAS5 to delegate authentication
>>> to CAS3, which is working, but I have to click on the login screen to
>>> redirect to CAS3. Is it possible to redirect to CAS3 directly?
>>>
>>>
>>>
>>>
>>>
>>
> --
> Diego Henrique Pagani
>
-- 
Diego Henrique Pagani



Re: [cas-user] CAS 5.2 delegate authentication to custom CAS 3

2018-03-22 Thread Man H
see
https://apereo.github.io/cas/5.2.x/installation/Trusted-Authentication.html

2018-03-22 17:52 GMT-03:00 Diego Henrique Pagani:

> Hello,
>
> I have a problem, guys:
> We have a legacy CAS3, which has some customizations inside the source
> code, and some applications that *only authenticate* with this specific CAS
> (let's call it app1).
> Recently, I configured a new CAS5; some applications (let's call them app2)
> use the OAuth2 protocol to communicate with CAS5, and everything is working
> fine until now.
>
> We need an SSO session between app1 and app2, but app1 only uses CAS3 and
> app2 only uses CAS5. So, I have configured CAS5 to delegate authentication
> to CAS3, which is working, but I have to click on the login screen to
> redirect to CAS3. Is it possible to redirect to CAS3 directly?
>
>
>
>
>



[cas-user] CAS 5.2.x oauth property set doesn't work

2018-03-08 Thread Leo Pintos
Hi, I'm trying to set the grant types and response types but something is
wrong.

I put the below configuration in my OAuthRegisteredService JSON:

  "supported_grants" : ["authorization_code", "password",
"client_credentials", "refresh_token"],
  "supported_responses" : ["code", "token", "id_token token"],

I can see these fields empty in the log.


Any help?
Thanks in advance.
Leo

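A lint for the service definition, added here as an example and not CAS or Apereo code: it flags property names CAS will not read, using the camelCase names that appear in the working OAuthRegisteredService definition posted in the custom-theme thread of this archive (`supportedGrantTypes`, `supportedResponseTypes`, wrapped as `["java.util.HashSet", [...]]`). The `ALIASES` mapping from the two snake_case keys used in the question, and the `BROKEN_SERVICE` file, are constructed for this example.

```python
"""Lint an OAuthRegisteredService JSON definition for property names CAS
will not read. Added example for this thread, not CAS code: the known
property names come from the working OAuthRegisteredService definition
posted in the custom-theme thread of this archive; the two snake_case
aliases are the keys used in the question above.
"""
import json

# camelCase property names from a working OAuthRegisteredService definition.
KNOWN_KEYS = {
    "@class", "clientId", "clientSecret", "serviceId", "name", "id",
    "evaluationOrder", "supportedResponseTypes", "supportedGrantTypes", "theme",
}

# Properties written as a typed collection: ["java.util.HashSet", [...]]
TYPED_SET_KEYS = {"supportedResponseTypes", "supportedGrantTypes"}

# Keys from the question mapped to the names CAS actually reads (constructed).
ALIASES = {
    "supported_grants": "supportedGrantTypes",
    "supported_responses": "supportedResponseTypes",
}


def load_service(text: str) -> dict:
    """Parse the service JSON file; a syntax error surfaces here, not at deploy time."""
    return json.loads(text)


def lint_service(svc: dict) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for key in svc:
        if key not in KNOWN_KEYS:
            msg = f"unknown property {key!r}"
            hint = ALIASES.get(key)
            if hint:
                msg += f" (did you mean {hint!r}?)"
            findings.append(msg)
    for key in TYPED_SET_KEYS.intersection(svc):
        value = svc[key]
        well_formed = (isinstance(value, list) and len(value) == 2
                       and value[0] == "java.util.HashSet"
                       and isinstance(value[1], list))
        if not well_formed:
            findings.append(f'{key} must be written as ["java.util.HashSet", [...]]')
    return findings


def fix_service(svc: dict) -> dict:
    """Copy of svc with aliased keys renamed and wrapped in the HashSet form."""
    fixed = dict(svc)
    for alias, real in ALIASES.items():
        if alias in fixed:
            fixed[real] = ["java.util.HashSet", list(fixed.pop(alias))]
    return fixed


# Constructed service file that embeds the two keys from the question.
BROKEN_SERVICE = r"""
{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId" : "exampleClient",
  "clientSecret" : "CHANGE-ME",
  "serviceId" : "^https://app\\.example\\.org/oauth/callback$",
  "name" : "exampleClient",
  "id" : 2000,
  "evaluationOrder" : 2000,
  "supported_grants" : ["authorization_code", "password", "client_credentials", "refresh_token"],
  "supported_responses" : ["code", "token", "id_token token"]
}
"""

if __name__ == "__main__":
    svc = load_service(BROKEN_SERVICE)
    for finding in lint_service(svc):
        print("finding:", finding)
    print(json.dumps(fix_service(svc), indent=2))
```

If unknown properties are ignored when the service file is loaded, which the empty fields in the log suggest, the service silently ends up with no grant or response types at all; running a check like this before deploying a service definition catches the renamed keys and the missing `java.util.HashSet` wrapper.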


[cas-user] CAS 5.2 WS-Federation IDP

2018-03-01 Thread sre...@cdg33.fr
Hello,

I'm trying to use CAS as an IdP with the WS-Federation protocol.

Does someone know why this service is created by default?

Name : RegexRegisteredService
Service URL : /ws/idp/federationcallback.+
Description : WS-Federation Authentication Request

I can't make it disappear.

Any idea?

Thank you



Re: [cas-user] [CAS 5.2.x] [OAuth] [Theme] How to make custom theme for OAuth sp

2018-02-28 Thread Man H
Try with

https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize?client_name=XXX&client_id=OAuthApp&redirect_uri=http://www.example.com/sp&response_type=code

as serviceId


On Wednesday, 28 February 2018, Andy Ng wrote:

> Hi Manfredo,
>
> I have the custom theme loaded with no problem without OAuth; it's just that when
> I do it with OAuth, setting the theme seems like a difficult task.
>
> -Andy
>
> On Wednesday, 28 February 2018 11:55:23 UTC+8, Manfredo Hopp wrote:
>>
>> Open the browser developer tools to see if the theme gets loaded
>>
>> On Wednesday, 28 February 2018, Man H wrote:
>>
>>> Can't you just build a simple webapp with index.html?
>>>
>>> On Wednesday, 28 February 2018, Andy Ng wrote:
>>>
 Thanks Manfredo,

 Do you mean that I should:
 - Redirect the user to log in using a non-OAuth service first (with theme)
 - Then redirect the user to log in using the OAuth service for the actual OAuth login

 Am I correct?

 I would prefer not to do the above, since that means the service
 provider needs to change their code, but if needed I think the above is
 still feasible, thanks Manfredo.

 I would like to see if there is a solution that does not use a non-OAuth
 login first. Thanks.

 -Andy

 On Wednesday, 28 February 2018 11:26:24 UTC+8, Manfredo Hopp wrote:
>
> Try to load that theme on a regular service, that is, non-OAuth
>
> On Wednesday, 28 February 2018, Andy Ng wrote:
>
>> Hi all,
>>
>> I am using CAS 5.2.x, and using OAuth for one service provider. The
>> provider now would like to have a custom theme.
>>
>> I thought I could just do this:
>>
>> {
>>   "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>>   "clientId": "OAuthApp",
>>   "clientSecret": "xx",
>>   "serviceId" : "^http://www.example.com/sp.*",
>>   "name" : "OAuthApp",
>>   "id" : 1000,
>>   "evaluationOrder" : 1000,
>>   "supportedResponseTypes" : [ "java.util.HashSet", [ "code" ] ],
>>   "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code", "refresh_token" ] ],
>>   "theme" : "awesome_theme"
>> }
>>
>> However, it seems that the returned service is the one below:
>>
>> https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize?client_name=XXX&client_id=OAuthApp&redirect_uri=http://www.example.com/sp&response_type=code
>>
>> So the *theme* will not load. So my question is, is it possible for
>> me to make a custom theme for my OAuth SP provider?
>>
>> Thanks in advance!
>>
>> - Andy
>>

Re: [cas-user] Cas 5.2 OpenLDap notworking: authentication failure and sucess

2018-02-28 Thread Man H
Log says

 - 
wrote:

> I configured CAS 5.2 to authenticate user login via OpenLDAP, but it's not working.
> My cas.properties:
> cas.authn.accept.users=
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://localhost:389
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].baseDn=ou=Users,dc=xx-cas,dc=com
> cas.authn.ldap[0].userFilter=uid={user}
> cas.authn.ldap[0].bindDn=cn=Manager,dc=xx-cas,dc=com
> cas.authn.ldap[0].bindCredential=
>
> Log:
> 2018-02-28 13:43:09,886 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] -  has authorized client [xxx.xxx.xxx.xxx] to proceed.>
> 2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] -
> 
> 2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] -
> 
> 2018-02-28 13:43:09,889 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] -  authentication handlers are required for this transaction>
> 2018-02-28 13:43:09,890 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] -  handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler]>
> 2018-02-28 13:43:09,891 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -  Credentials may be incorrect or CAS cannot find authentication handler that supports [test] of type [UsernamePasswordCredential].>
>
> 2018-02-28 13:43:09,893 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager]
> -  WHO: test
> WHAT: Supplied credentials: [test]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Wed Feb 28 13:43:09 GMT+07:00 2018
> CLIENT IP ADDRESS: xxx.xxx.xxx
>
> SERVER IP ADDRESS: xxx.xxx.xxx
> >
> 2018-02-28 13:43:09,945 DEBUG 
> [org.apereo.cas.web.view.CasReloadableMessageBundle]
> -  plain properties nor XML>
> 2018-02-28 13:43:09,947 DEBUG 
> [org.apereo.cas.web.view.CasReloadableMessageBundle]
> -  properties nor XML>
> 2018-02-28 13:43:09,949 DEBUG 
> [org.apereo.cas.web.view.CasReloadableMessageBundle]
> -  properties nor XML>
> 2018-02-28 13:43:09,950 DEBUG 
> [org.apereo.cas.web.view.CasReloadableMessageBundle]
> -  been modified>
>
> Any pointers to this will be highly appreciated. Thanks.
>



[cas-user] Cas 5.2 OpenLDap notworking: authentication failure and sucess

2018-02-28 Thread s 1
I configured CAS 5.2 to authenticate user login via OpenLDAP, but it's not working.
My cas.properties:
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=xx-cas,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Manager,dc=xx-cas,dc=com
cas.authn.ldap[0].bindCredential=

Log:
2018-02-28 13:43:09,886 DEBUG 
[org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] 
- 
2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] - 

2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] - 

2018-02-28 13:43:09,889 DEBUG 
[org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] 
- 
2018-02-28 13:43:09,890 DEBUG 
[org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] 
- 
2018-02-28 13:43:09,891 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-28 13:43:09,893 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2018-02-28 13:43:09,945 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2018-02-28 13:43:09,947 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2018-02-28 13:43:09,949 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2018-02-28 13:43:09,950 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 

Any pointers to this will be highly appreciated. Thanks.

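The first thing to check in a log like the one above is which authentication handlers CAS actually resolved for the transaction (the quoted log lists only HttpBasedServiceCredentialsAuthenticationHandler) and what the audit trail recorded. The following is an added example, not CAS or Apereo code: it pulls the handler list out of the "handlers used for this transaction are [...]" line and parses the WHO/WHAT/ACTION/... audit fields into records. The `Audit trail record BEGIN` / `=====` delimiters follow inspektr's Slf4j layout as I know it, the sample log is constructed, and the expected handler name `LdapAuthenticationHandler` is an assumption for the example.

```python
"""Cross-check a CAS debug log: which authentication handlers were resolved
for the transaction, and what the audit trail recorded per client.
Added example for this thread, not CAS code. The "handlers used for this
transaction are [...]" message and the WHO/WHAT/ACTION/APPLICATION/WHEN/
CLIENT IP ADDRESS/SERVER IP ADDRESS fields are as they appear in the quoted
log; the "Audit trail record BEGIN" / "=====" delimiters follow the inspektr
Slf4j layout as I know it, the sample log below is constructed, and the
expected handler name LdapAuthenticationHandler is an assumption.
"""
import re

HANDLERS_RE = re.compile(r"handlers used for this transaction are \[([^\]]*)\]")
AUDIT_FIELD_RE = re.compile(
    r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): (.*)$"
)


def handlers_used(log: str) -> list:
    """Handler names CAS reported for each transaction, in log order."""
    return [[h.strip() for h in m.group(1).split(",") if h.strip()]
            for m in HANDLERS_RE.finditer(log)]


def audit_records(log: str) -> list:
    """Parse inspektr audit blocks into dicts keyed by field name."""
    records, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith("Audit trail record BEGIN"):
            current = {}
        elif current is None:
            continue
        elif line.startswith("====="):
            if current:  # the second separator closes the record
                records.append(current)
                current = None
        else:
            m = AUDIT_FIELD_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return records


def check(log: str, expected_handler: str):
    """Flag transactions missing the expected handler; count audit actions per client."""
    issues = [f"{expected_handler} not among resolved handlers {hs}"
              for hs in handlers_used(log) if expected_handler not in hs]
    per_client = {}
    for rec in audit_records(log):
        key = (rec.get("CLIENT IP ADDRESS"), rec.get("ACTION"))
        per_client[key] = per_client.get(key, 0) + 1
    return issues, per_client


# Constructed log: the handler line mirrors the one quoted in the thread,
# followed by two audit records (addresses from the documentation range).
SAMPLE_LOG = """\
2018-02-28 13:43:09,890 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler]>
2018-02-28 13:43:09,891 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Credentials may be incorrect or CAS cannot find authentication handler that supports [test] of type [UsernamePasswordCredential].>
2018-02-28 13:43:09,893 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: test
WHAT: Supplied credentials: [test]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Wed Feb 28 13:43:09 GMT+07:00 2018
CLIENT IP ADDRESS: 192.0.2.10
SERVER IP ADDRESS: 192.0.2.1
=============================================================
>
2018-02-28 13:43:12,101 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: test
WHAT: Supplied credentials: [test]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Feb 28 13:43:12 GMT+07:00 2018
CLIENT IP ADDRESS: 192.0.2.10
SERVER IP ADDRESS: 192.0.2.1
=============================================================
>
"""

if __name__ == "__main__":
    issues, per_client = check(SAMPLE_LOG, "LdapAuthenticationHandler")
    print(issues)
    print(per_client)
```

Run against a real `cas.log`, the first return value tells you whether the LDAP handler was registered at all, which is a different problem from wrong credentials; the per-client counts of AUTHENTICATION_FAILED are the usual starting point for a failed-login detection.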


Re: [cas-user] [CAS 5.2.x] [OAuth] [Theme] How to make custom theme for OAuth sp

2018-02-27 Thread Man H
Open the browser developer tools to see if the theme gets loaded

On Wednesday, 28 February 2018, Man H wrote:

> Can't you just build a simple webapp with index.html?
>
> On Wednesday, 28 February 2018, Andy Ng wrote:
>
>> Thanks Manfredo,
>>
>> Do you mean that I should:
>> - Redirect the user to log in using a non-OAuth service first (with theme)
>> - Then redirect the user to log in using the OAuth service for the actual OAuth login
>>
>> Am I correct?
>>
>> I would prefer not to do the above, since that means the service provider
>> needs to change their code, but if needed I think the above is still
>> feasible, thanks Manfredo.
>>
>> I would like to see if there is a solution that does not use a non-OAuth
>> login first. Thanks.
>>
>> -Andy
>>
>> On Wednesday, 28 February 2018 11:26:24 UTC+8, Manfredo Hopp wrote:
>>>
>>> Try to load that theme on a regular service, that is, non-OAuth
>>>
>>> On Wednesday, 28 February 2018, Andy Ng wrote:
>>>
 Hi all,

 I am using CAS 5.2.x, and using OAuth for one service provider. The
 provider now would like to have a custom theme.

 I thought I could just do this:

 {
   "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
   "clientId": "OAuthApp",
   "clientSecret": "xx",
   "serviceId" : "^http://www.example.com/sp.*",
   "name" : "OAuthApp",
   "id" : 1000,
   "evaluationOrder" : 1000,
   "supportedResponseTypes" : [ "java.util.HashSet", [ "code" ] ],
   "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code", "refresh_token" ] ],
   "theme" : "awesome_theme"
 }

 However, it seems that the returned service is the one below:

 https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize?client_name=XXX&client_id=OAuthApp&redirect_uri=http://www.example.com/sp&response_type=code

 So the *theme* will not load. So my question is, is it possible for me
 to make a custom theme for my OAuth SP provider?

 Thanks in advance!

 - Andy




Re: [cas-user] [CAS 5.2.x] [OAuth] [Theme] How to make custom theme for OAuth sp

2018-02-27 Thread Man H
Can't you just build a simple webapp with index.html?

On Wednesday, 28 February 2018, Andy Ng wrote:

> Thanks Manfredo,
>
> Do you mean that I should:
> - Redirect the user to log in using a non-OAuth service first (with theme)
> - Then redirect the user to log in using the OAuth service for the actual OAuth login
>
> Am I correct?
>
> I would prefer not to do the above, since that means the service provider
> needs to change their code, but if needed I think the above is still
> feasible, thanks Manfredo.
>
> I would like to see if there is a solution that does not use a non-OAuth
> login first. Thanks.
>
> -Andy
>
> On Wednesday, 28 February 2018 11:26:24 UTC+8, Manfredo Hopp wrote:
>>
>> Try to load that theme on a regular service, that is, non-OAuth
>>
>> On Wednesday, 28 February 2018, Andy Ng wrote:
>>
>>> Hi all,
>>>
>>> I am using CAS 5.2.x, and using OAuth for one service provider. The
>>> provider now would like to have a custom theme.
>>>
>>> I thought I could just do this:
>>>
>>> {
>>>   "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>>>   "clientId": "OAuthApp",
>>>   "clientSecret": "xx",
>>>   "serviceId" : "^http://www.example.com/sp.*",
>>>   "name" : "OAuthApp",
>>>   "id" : 1000,
>>>   "evaluationOrder" : 1000,
>>>   "supportedResponseTypes" : [ "java.util.HashSet", [ "code" ] ],
>>>   "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code", "refresh_token" ] ],
>>>   "theme" : "awesome_theme"
>>> }
>>>
>>> However, it seems that the returned service is the one below:
>>>
>>> https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize?client_name=XXX&client_id=OAuthApp&redirect_uri=http://www.example.com/sp&response_type=code
>>>
>>> So the *theme* will not load. So my question is, is it possible for me
>>> to make a custom theme for my OAuth SP provider?
>>>
>>> Thanks in advance!
>>>
>>> - Andy
>>>



Re: [cas-user] [CAS 5.2.x] [OAuth] [Theme] How to make custom theme for OAuth sp

2018-02-27 Thread Andy Ng
Thanks Manfredo,

Do you mean that I should:
- Redirect the user to log in using a non-OAuth service first (with theme)
- Then redirect the user to log in using the OAuth service for the actual OAuth login

Am I correct?

I would prefer not to do the above, since that means the service provider
needs to change their code, but if needed I think the above is still
feasible, thanks Manfredo.

I would like to see if there is a solution that does not use a non-OAuth
login first. Thanks.

-Andy

On Wednesday, 28 February 2018 11:26:24 UTC+8, Manfredo Hopp wrote:
>
> Try to load that theme on a regular service, that is, non-OAuth
>
> On Wednesday, 28 February 2018, Andy Ng wrote:
>
>> Hi all,
>>
>> I am using CAS 5.2.x, and using OAuth for one service provider. The
>> provider now would like to have a custom theme.
>>
>> I thought I could just do this:
>>
>> {
>>   "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>>   "clientId": "OAuthApp",
>>   "clientSecret": "xx",
>>   "serviceId" : "^http://www.example.com/sp.*",
>>   "name" : "OAuthApp",
>>   "id" : 1000,
>>   "evaluationOrder" : 1000,
>>   "supportedResponseTypes" : [ "java.util.HashSet", [ "code" ] ],
>>   "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code", "refresh_token" ] ],
>>   "theme" : "awesome_theme"
>> }
>>
>> However, it seems that the returned service is the one below:
>>
>> https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize?client_name=XXX&client_id=OAuthApp&redirect_uri=http://www.example.com/sp&response_type=code
>>
>> So the *theme* will not load. So my question is, is it possible for me
>> to make a custom theme for my OAuth SP provider?
>>
>> Thanks in advance!
>>
>> - Andy
>>



[cas-user] [CAS 5.2.x] [OAuth] [Theme] How to make custom theme for OAuth sp

2018-02-27 Thread Andy Ng
Hi all,

I am using CAS 5.2.x, and using OAuth for one service provider. The
provider now would like to have a custom theme.

I thought I could just do this:

{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "OAuthApp",
  "clientSecret": "xx",
  "serviceId" : "^http://www.example.com/sp.*",
  "name" : "OAuthApp",
  "id" : 1000,
  "evaluationOrder" : 1000,
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code" ] ],
  "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code", "refresh_token" ] ],
  "theme" : "awesome_theme"
}

However, it seems that the returned service is the one below:

https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize?client_name=XXX&client_id=OAuthApp&redirect_uri=http://www.example.com/sp&response_type=code

So the *theme* will not load. So my question is, is it possible for me to
make a custom theme for my OAuth SP provider?

Thanks in advance!

- Andy

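Why the theme is not applied, shown as an added example that is not CAS or Apereo code: a small model of CAS's regex service matching, run against the callbackAuthorize URL quoted in this thread. It assumes CAS matches a service's `serviceId` with Java `find()` semantics (a substring match, which Python's `re.search` mirrors) and that the lowest `evaluationOrder` wins among matching services. `OAUTH_SERVICE` is the definition from the post; `CALLBACK_SERVICE` is a constructed companion service that follows the replies' suggestion of using the callbackAuthorize URL as `serviceId`.

```python
"""Which registered service does CAS pick for an OAuth authorization request?

Added example for this thread, not CAS code. Assumes CAS matches a regex
serviceId with java.util.regex find() semantics (substring match), which
Python's re.search() mirrors, and that the lowest evaluationOrder wins.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Service URL CAS resolves for the OAuth request, as quoted in the thread
# (line breaks joined, '&' restored between parameters).
CALLBACK_URL = (
    "https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize"
    "?client_name=XXX&client_id=OAuthApp"
    "&redirect_uri=http://www.example.com/sp&response_type=code"
)

# Definition from the original post: it matches the client's redirect_uri,
# which is what the OAuth flow validates, but not the callbackAuthorize URL.
OAUTH_SERVICE = {
    "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
    "clientId": "OAuthApp",
    "serviceId": "^http://www.example.com/sp.*",
    "name": "OAuthApp",
    "id": 1000,
    "evaluationOrder": 1000,
    "theme": "awesome_theme",
}

# Constructed companion service following the replies: its serviceId is the
# callbackAuthorize URL, pinned to this client_id so the theme is not applied
# to every OAuth client. Dots are escaped and both ends are anchored.
CALLBACK_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": (r"^https://mysite\.example\.com(:443)?/cas/oauth2\.0/"
                  r"callbackAuthorize\?(.*&)?client_id=OAuthApp(&.*)?$"),
    "name": "OAuthApp-login",
    "id": 1001,
    "evaluationOrder": 999,
    "theme": "awesome_theme",
}


def matches(service_id_pattern: str, url: str) -> bool:
    """CAS-style regex match of a serviceId against a service URL (assumed find())."""
    return re.search(service_id_pattern, url) is not None


def select_service(services, url):
    """Return the matching service with the lowest evaluationOrder, or None."""
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if matches(svc["serviceId"], url):
            return svc
    return None


def theme_for(services, url):
    """Theme the login page would be rendered with for this request, if any."""
    svc = select_service(services, url)
    return svc.get("theme") if svc else None


def client_id_of(url: str):
    """client_id query parameter of a callbackAuthorize URL, if present."""
    return parse_qs(urlsplit(url).query).get("client_id", [None])[0]


if __name__ == "__main__":
    print("OAuth service alone:", theme_for([OAUTH_SERVICE], CALLBACK_URL))
    print("with callback service:",
          theme_for([OAUTH_SERVICE, CALLBACK_SERVICE], CALLBACK_URL))
```

The OAuth service's pattern never sees the callbackAuthorize URL, so its `theme` is never consulted at login time; a second service whose `serviceId` matches that URL is what carries the theme. Pinning the pattern to `client_id` matters because, with substring matching, a loose pattern such as `.*example.com.*` would also match whatever a request carries in `redirect_uri`, and the theme (or any other per-service policy) would then apply to every client.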


[cas-user] CAS 5.2 Password Variable

2018-02-27 Thread Kevin Liu
Does anyone know how to reference the login page password in 
cas.properties? I know for username, you use %s but what about the password?



[cas-user] CAS 5.2 LDAP Query and Output

2018-02-27 Thread Kevin Liu
Hello All,

Is there a way to see the response that CAS gets back from LDAP? Also, is 
there a tutorial anywhere for specific LDAP queries from CAS? For example, 
if I need to check whether a member is part of a specific OU?

Thanks,
Kevin



[cas-user] CAS 5.2 - SAML2 SLO

2018-02-26 Thread Dan S
I am trying to use SAML2 with CAS 5.2. I have it set up as the IdP and I 
have two services connected to it. Everything works as expected with one 
service, but the second service does not receive a POST to its logout URL 
when signing out of CAS.

Steps:

Sign in to both applications. Only the first requires signing in to CAS. Hit 
the CAS logout URL. One app receives a POST to its sign-out URL, 
/saml/SingleLogout. The other app doesn't receive any logout signal. 

I have debug turned on for OpenSAML but I am not seeing anything with the 
logout activity. Not sure where to look next.

Any help would be appreciated.

Dan



Re: [cas-user] CAS 5.2 -- Custom Authenticator and UserDetailsService

2018-02-23 Thread Misagh Moayyed
See: 
https://apereo.github.io/cas/5.2.x/installation/Configuration-Management-Extensions.html
 
https://apereo.github.io/2017/02/21/cas-autocfg-strategy/ 
https://apereo.github.io/2016/06/26/survey-results/ 

And refer to Spring Boot docs. 

--Misagh 

> From: "Michael MacEachran" <mmaceach...@gmail.com>
> To: "CAS Community" <cas-user@apereo.org>
> Sent: Friday, February 23, 2018 12:55:45 PM
> Subject: [cas-user] CAS 5.2 -- Custom Authenticator and UserDetailsService

> It's been a few years since my last CAS deployment, and oh dear have things
> changed! I need to use my own AuthenticationManager and UserDetailsService. I
> see there is no more .xml configuration. So how do I add my own custom beans
> now?




[cas-user] CAS 5.2 -- Custom Authenticator and UserDetailsService

2018-02-23 Thread Michael MacEachran
It's been a few years since my last CAS deployment, and oh dear have 
things changed! I need to use my own AuthenticationManager and 
UserDetailsService. I see there is no more .xml configuration. So how do 
I add my own custom beans now?



Re: [cas-user] CAS 5.2

2018-02-23 Thread Uxío
Hi,
I've known a CAS customisation where, after logging in from no particular 
CASified service, an attribute would be passed for a default redirect URL to 
then re-redirect the user to a particular default service for that particular 
user (the thing is really just a little bit more complicated than that, but let's 
hold there).

Is there any CAS facility, contrib module or artifact to help sink that 
responsibility into CAS, or nearer to it, in a simple single-responsibility 
well-known _service_? And more importantly, what is roughly the best practice 
for this requirement?

Thanks, have a nice weekend, regards,

Sent from my iPhone

> On 23 Feb 2018, at 18:59, Ray Bon <r...@uvic.ca> wrote:
> 
> It is a property in cas.properties (or whatever file you are using for 
> properties). If a login request does not have a service parameter, the 
> redirect goes to this value.
> See, 
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#views
> 
> Ray
> 
>> On Fri, 2018-02-23 at 12:43 -0500, Cheltenham, Chris wrote:
>> Ray,
>>  
>> I appreciate that but I don’t know what you mean.
>>  
>>  
>>  
>> ===
>> 
>> Thank You;
>> 
>> Chris Cheltenham
>> Technology Services
>> The School District of Philadelphia
>> 
>> Work # 215-400-5025
>> Cell # 215-301-6571
>> From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Ray Bon
>> Sent: Friday, February 23, 2018 12:36 PM
>> To: cas-user@apereo.org
>> Subject: Re: [cas-user] CAS 5.2
>>  
>> Chris,
>>  
>> cas.view.defaultRedirectUrl=
>>  
>> Ray
>>  
>> On Fri, 2018-02-23 at 08:36 -0500, Cheltenham, Chris wrote:
>> Hello Everyone,
>>  
>> I am sure most folks change the default landing page AFTER you get login to 
>> work.
>>  
>> It looks like it lands on a page called casGenericSuccessView.html.
>>  
>> My question is how do you change that page?
>>  
>>  
>>  
>> ===
>> 
>> Thank You;
>> 
>> Chris Cheltenham
>> Technology Services
>> The School District of Philadelphia
>> 
>> Work # 215-400-5025
>> Cell # 215-301-6571
>> -- 
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | r...@uvic.ca
>  -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] CAS 5.2

2018-02-23 Thread Ray Bon
It is a property in cas.properties (or whatever file you are using for 
properties). If a login request does not have a service parameter, the redirect 
goes to this value.
See, 
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#views

Ray

On Fri, 2018-02-23 at 12:43 -0500, Cheltenham, Chris wrote:
Ray,

I appreciate that but I don’t know what you mean.



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571
From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Ray Bon
Sent: Friday, February 23, 2018 12:36 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS 5.2

Chris,

cas.view.defaultRedirectUrl=

Ray

On Fri, 2018-02-23 at 08:36 -0500, Cheltenham, Chris wrote:
Hello Everyone,

I am sure most folks change the default landing page AFTER you get login to 
work.

It looks like it lands on a page called casGenericSuccessView.html.

My question is how do you change that page?



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



RE: [cas-user] CAS 5.2

2018-02-23 Thread Cheltenham, Chris
Ray,

I appreciate that but I don’t know what you mean.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Ray Bon
Sent: Friday, February 23, 2018 12:36 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS 5.2

Chris,

cas.view.defaultRedirectUrl=

Ray

On Fri, 2018-02-23 at 08:36 -0500, Cheltenham, Chris wrote:

Hello Everyone,

I am sure most folks change the default landing page AFTER you get login to 
work.

It looks like it lands on a page called casGenericSuccessView.html.

My question is how do you change that page?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] CAS 5.2

2018-02-23 Thread Ray Bon
Chris,

cas.view.defaultRedirectUrl=

Ray

On Fri, 2018-02-23 at 08:36 -0500, Cheltenham, Chris wrote:

Hello Everyone,

I am sure most folks change the default landing page AFTER you get login to 
work.

It looks like it lands on a page called casGenericSuccessView.html.

My question is how do you change that page?



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] CAS 5.2

2018-02-23 Thread David Curry
In theory, people shouldn't ever see that page, because they should be
hitting the CAS server from an application, which they then get sent back
to after authenticating.

The only time you'll see this page is if you go to "/cas/login" with no
"?service=" parameter. And if you set the CAS server to send people to a
default service when they do that (I forget what the setting is), you won't
even see it then.

But... there are a couple of helpful posts from the forum on how to change all
the pages. I followed these for doing ours (which I'll write up in my
document when I get a chance):

https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/themes/cas-user/k-yfoou7Zy0/BXry1PxgFAAJ

https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/template/cas-user/3eaKVAMhFYE/uuj7eEpCAwAJ

In my case, the only thing I did to casGenericSuccessView.html was change
the layout line to include my theme's layout (see the links above), which
resulted in adding the theme's header, background, footer, etc.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Feb 23, 2018 at 8:36 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

> Hello Everyone,
>
> I am sure most folks change the default landing page AFTER you get login
> to work.
>
> It looks like it lands on a page called casGenericSuccessView.html.
>
> My question is how do you change that page?
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



[cas-user] CAS 5.2

2018-02-23 Thread Cheltenham, Chris


Hello Everyone,

I am sure most folks change the default landing page AFTER you get login
to work.

It looks like it lands on a page called casGenericSuccessView.html.

My question is how do you change that page?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Matthew Uribe
My thanks to all who have responded. I finally spotted the issue. In the 
logs, I found this:

https://testssbxe.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check] does not match supplied service [org.apereo.cas.support.saml.authentication.principal.SamlService@640edaac[id=https://testssbxe1.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check,originalUrl=https://testssbxe1.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check,artifactId=ST-AAHn21AEQFRQnJ3kjH1H/VWjCTCumXuhWQiE3Cx/WAPhxR97XJp/xtY9,principal=,loggedOutAlready=false,format=XML]]>


That "1" really does not stand out very well, and is a product of our 
load-balanced setup. At first I thought I needed to make the regex in the 
service definition match either URL, but in the end found that the issue 
was in the BannerGeneralSsb_configuration.groovy file. I changed 
the serviceUrl to reflect the 1, and have had a successful login!

Thanks again.

On Thursday, February 22, 2018 at 9:10:24 AM UTC-7, Greg Booth wrote:
>
> Matthew,
>
> Here is our service definition:
>
> {
>   @class: org.apereo.cas.services.RegexRegisteredService
>   id: 
>   name: Banner
>   description: Self-Service
>   logo: https://www.mtu.edu/images/mtu-logo.png
>   serviceId: https://(www\.)?bannerweb.mtu.edu(:443)?/.*
>   attributeReleasePolicy: {
> @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
> allowedAttributes: ["java.util.ArrayList", ["UDC_IDENTIFIER", 
> "michigantechRIDM"]]
>   }
> }
>
> On Thu, Feb 22, 2018 at 9:26 AM, Matthew Uribe wrote:
>
>> Thanks Travis. That's the track I've been on. Can you tell me whether 
>> this service definition looks anything like what you ended up with?
>>
>>
>> {
>>   @class:   org.apereo.cas.services.RegexRegisteredService
>>   serviceId:^
>> https://ban9server.school.edu:8444/BannerGeneralSsb(\z|/.*)
>>   name: TEST General SSB XE
>>   id:   12345
>>   attributeReleasePolicy: 
>>   {
>> @class:
>>  org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>> allowedAttributes:
>> {
>>   @class:   java.util.TreeMap
>>   UDC_IDENTIFIER:   UDC_IDENTIFIER
>> }
>>   }
>>   "evaluationOrder" :   5
>> }
>>
>>
>> On Wednesday, February 21, 2018 at 5:18:20 PM UTC-7, Travis Schmidt wrote:
>>>
>>> I am helping a team with this exact issue right now.  Don't know 
>>> anything about the banner side of things, but I had to map the attribute 
>>> they were looking for to UDC_IDENTIFIER in the Service Registry for it to 
>>> work.
>>>
>>> On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe wrote:
>>>
 Hello Community,

 I am wondering whether anyone has had success with Banner 9 and CAS 
 5.2.x 

 We have been using the Luminis delivered CAS 3.5.2, but are interested 
 in the features available in 5, such as SAML2 IdP, and MFA using Duo. I 
 have deployed CAS 5.2.0, included cas-server-support-ldap and 
 cas-server-support-saml 
 dependencies, and setup a service for one of our Banner 9 apps, but 
 haven't 
 been able to successfully access the application. I can access the CAS 
 Dashboard, as well as the CAS-Management webapp, but the Banner apps are 
 beyond me at this point. Right now, when I navigate to the Banner 9 app, I 
 am redirected to the CAS login page. After logging in successfully, the 
 browser gives me an error: "HTTP Status 403 - No assertions found".

 I figure the problem is either in my service registry, or that I maybe 
 need to import the CAS certificate into a keystore somewhere on the Banner 
 9 server. Since I don't see anything related to a cert import in the 
 Banner 
 9 install guides, I'm focused on the first of these two possibilities, but 
 after 2 days of going in circles I've run out of ideas and would eagerly 
 accept the advice of this community.

 Thank you,
 Matt

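Matthew's fix above (a ticket obtained under testssbxe but validated as testssbxe1) and the regex serviceId in his definition both come down to how CAS matches a service URL against the registry and binds a service ticket to exactly that URL. The following is an added example, not CAS's own code, that models both checks; the catch-all service and the ticket id are constructed, and Java's `\z` is written `\Z` for Python's `re` module.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not CAS's own code: a small model of regex service matching
# in the CAS service registry and of the validation-time check behind the
# "does not match supplied service" error quoted above. Host names are the
# thread's own (ban9server.school.edu, testssbxe/testssbxe1.aims.edu); the
# catch-all service and the ticket id are constructed for illustration.


@dataclass
class RegexRegisteredService:
    service_id: str          # the serviceId regex from the JSON definition
    name: str
    evaluation_order: int

    def matches(self, url: str) -> bool:
        # Find semantics, as in CAS: the pattern must be anchored with ^ so
        # it is tied to the start of the URL rather than to any substring.
        return re.search(self.service_id, url) is not None


class ServiceRegistry:
    def __init__(self, services: List[RegexRegisteredService]):
        # Lower evaluationOrder is consulted first when patterns overlap.
        self.services = sorted(services, key=lambda s: s.evaluation_order)

    def find(self, url: str) -> Optional[RegexRegisteredService]:
        return next((s for s in self.services if s.matches(url)), None)


@dataclass
class ServiceTicket:
    ticket_id: str
    service_url: str         # the service URL the ticket was granted for


def validate_ticket(ticket: ServiceTicket, supplied_service: str) -> str:
    """A service ticket is bound to the service it was issued for; presenting
    it for any other URL fails. The comparison is plain string equality here,
    which is why a host name differing by one character is enough to fail."""
    if ticket.service_url != supplied_service:
        raise ValueError(f"Service [{ticket.service_url}] does not match "
                         f"supplied service [{supplied_service}]")
    return ticket.ticket_id


# Matthew's definition as posted, with Java's \z written \Z for Python's re.
BANNER_SERVICE = RegexRegisteredService(
    service_id=r"^https://ban9server.school.edu:8444/BannerGeneralSsb(\Z|/.*)",
    name="TEST General SSB XE",
    evaluation_order=5,
)

REGISTRY = ServiceRegistry([
    BANNER_SERVICE,
    RegexRegisteredService(r"^https://.*", "catch-all (constructed)", 1000),
])


def lookup(url: str) -> Optional[str]:
    """Name of the registered service a login request for url resolves to."""
    svc = REGISTRY.find(url)
    return svc.name if svc else None


def binding_error(issued_for: str, validated_as: str) -> Optional[str]:
    """Replay the thread's failure: the app obtained a ticket under one host
    name and validated it under another. Returns the error text, or None."""
    ticket = ServiceTicket("ST-constructed-1", issued_for)  # constructed id
    try:
        validate_ticket(ticket, validated_as)
        return None
    except ValueError as exc:
        return str(exc)
```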

Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Greg Booth
Matthew,

Here is our service definition:

{
  @class: org.apereo.cas.services.RegexRegisteredService
  id: 
  name: Banner
  description: Self-Service
  logo: https://www.mtu.edu/images/mtu-logo.png
  serviceId: https://(www\.)?bannerweb.mtu.edu(:443)?/.*
  attributeReleasePolicy: {
@class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
allowedAttributes: ["java.util.ArrayList", ["UDC_IDENTIFIER",
"michigantechRIDM"]]
  }
}

On Thu, Feb 22, 2018 at 9:26 AM, Matthew Uribe wrote:

> Thanks Travis. That's the track I've been on. Can you tell me whether this
> service definition looks anything like what you ended up with?
>
>
> {
>   @class:   org.apereo.cas.services.RegexRegisteredService
>   serviceId:^https://ban9server.school.
> edu:8444/BannerGeneralSsb(\z|/.*)
>   name: TEST General SSB XE
>   id:   12345
>   attributeReleasePolicy:
>   {
> @class: org.apereo.cas.services.
> ReturnMappedAttributeReleasePolicy
> allowedAttributes:
> {
>   @class:   java.util.TreeMap
>   UDC_IDENTIFIER:   UDC_IDENTIFIER
> }
>   }
>   "evaluationOrder" :   5
> }
>
>
> On Wednesday, February 21, 2018 at 5:18:20 PM UTC-7, Travis Schmidt wrote:
>>
>> I am helping a team with this exact issue right now.  Don't know anything
>> about the banner side of things, but I had to map the attribute they were
>> looking for to UDC_IDENTIFIER in the Service Registry for it to work.
>>
>> On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe wrote:
>>
>>> Hello Community,
>>>
>>> I am wondering whether anyone has had success with Banner 9 and CAS
>>> 5.2.x
>>>
>>> We have been using the Luminis delivered CAS 3.5.2, but are interested
>>> in the features available in 5, such as SAML2 IdP, and MFA using Duo. I
>>> have deployed CAS 5.2.0, included cas-server-support-ldap and 
>>> cas-server-support-saml
>>> dependencies, and setup a service for one of our Banner 9 apps, but haven't
>>> been able to successfully access the application. I can access the CAS
>>> Dashboard, as well as the CAS-Management webapp, but the Banner apps are
>>> beyond me at this point. Right now, when I navigate to the Banner 9 app, I
>>> am redirected to the CAS login page. After logging in successfully, the
>>> browser gives me an error: "HTTP Status 403 - No assertions found".
>>>
>>> I figure the problem is either in my service registry, or that I maybe
>>> need to import the CAS certificate into a keystore somewhere on the Banner
>>> 9 server. Since I don't see anything related to a cert import in the Banner
>>> 9 install guides, I'm focused on the first of these two possibilities, but
>>> after 2 days of going in circles I've run out of ideas and would eagerly
>>> accept the advice of this community.
>>>
>>> Thank you,
>>> Matt
>>>



-- 
Gregory Booth
Senior Systems Administrator & Technical Team Lead
IT Operations
Information Technology
Michigan Technological University
(906) 487-1797
www.mtu.edu
www.it.mtu.edu


Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Matthew Uribe
Thanks Greg. I've got all the following attributes listed in my 
cas.properties. When I look in /cas/status/ssosessions I see all of these 
attributes in the TGT. That's why I was thinking it must be something to do 
with the way the attributes are released in the service definition.

cas.authn.attributeRepository.ldap[0].attributes.cn:cn
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName: givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:  mail
cas.authn.attributeRepository.ldap[0].attributes.sn:sn
cas.authn.attributeRepository.ldap[0].attributes.udcid: UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.uid:   uid


On Wednesday, February 21, 2018 at 5:50:36 PM UTC-7, Greg Booth wrote:
>
> Specifically, in cas.properties:
>
> cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER
>
>
> On Wed, Feb 21, 2018 at 7:48 PM, Greg Booth wrote:
>
>> We also had to map UDC_IDENTIFIER to get it to work, although we are on 
>> CAS 5.1.5.
>>
>> On Wed, Feb 21, 2018 at 7:18 PM, Travis Schmidt wrote:
>>
>>> I am helping a team with this exact issue right now.  Don't know 
>>> anything about the banner side of things, but I had to map the attribute 
>>> they were looking for to UDC_IDENTIFIER in the Service Registry for it to 
>>> work.
>>>
>>> On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe wrote:
>>>
 Hello Community,

 I am wondering whether anyone has had success with Banner 9 and CAS 
 5.2.x 

 We have been using the Luminis delivered CAS 3.5.2, but are interested 
 in the features available in 5, such as SAML2 IdP, and MFA using Duo. I 
 have deployed CAS 5.2.0, included cas-server-support-ldap and 
 cas-server-support-saml 
 dependencies, and setup a service for one of our Banner 9 apps, but 
 haven't 
 been able to successfully access the application. I can access the CAS 
 Dashboard, as well as the CAS-Management webapp, but the Banner apps are 
 beyond me at this point. Right now, when I navigate to the Banner 9 app, I 
 am redirected to the CAS login page. After logging in successfully, the 
 browser gives me an error: "HTTP Status 403 - No assertions found".

 I figure the problem is either in my service registry, or that I maybe 
 need to import the CAS certificate into a keystore somewhere on the Banner 
 9 server. Since I don't see anything related to a cert import in the 
 Banner 
 9 install guides, I'm focused on the first of these two possibilities, but 
 after 2 days of going in circles I've run out of ideas and would eagerly 
 accept the advice of this community.

 Thank you,
 Matt

>>>
>>
>>
>>
>> -- 
>> Gregory Booth
>> Senior Systems Administrator & Technical Team Lead
>> IT Operations
>> Information Technology
>> Michigan Technological University
>> (906) 487-1797
>> www.mtu.edu
>> www.it.mtu.edu
>>
>
>
>
> -- 
> Gregory Booth
> Senior Systems Administrator & Technical Team Lead
> IT Operations
> Information Technology
> Michigan Technological University
> (906) 487-1797
> www.mtu.edu
> www.it.mtu.edu
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 

Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Matthew Uribe
Thanks Travis. That's the track I've been on. Can you tell me whether this 
service definition looks anything like what you ended up with?


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://ban9server.school.edu:8444/BannerGeneralSsb(\\z|/.*)",
  "name" : "TEST General SSB XE",
  "id" : 12345,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "UDC_IDENTIFIER" : "UDC_IDENTIFIER"
    }
  },
  "evaluationOrder" : 5
}




Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-21 Thread Greg Booth
Specifically, in cas.properties:

cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER


-- 
Gregory Booth
Senior Systems Administrator & Technical Team Lead
IT Operations
Information Technology
Michigan Technological University
(906) 487-1797 <9064871797>
www.mtu.edu
www.it.mtu.edu
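
Matt's service definition and Greg's cas.properties line describe the two halves of one pipeline: the LDAP attribute repository renames the directory attribute (udcid) to UDC_IDENTIFIER on the CAS principal, and the service's ReturnMappedAttributeReleasePolicy releases that principal attribute to Banner. The following Python script is an added example, not code from this thread or from the CAS project: it models both steps plus the serviceId regex match in simplified form (Java's \z anchor is spelled \Z in Python's re), using a constructed LDAP entry and a constructed udcid value.

```python
import json
import re

# Matt's Banner service definition from the thread, embedded as sample input
# (the serviceId is a Java regex, so \z is escaped as \\z inside JSON).
BANNER_SERVICE = json.loads(r'''
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://ban9server.school.edu:8444/BannerGeneralSsb(\\z|/.*)",
  "name" : "TEST General SSB XE",
  "id" : 12345,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "UDC_IDENTIFIER" : "UDC_IDENTIFIER"
    }
  },
  "evaluationOrder" : 5
}
''')

# Greg's property cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER
# expressed as {ldap attribute: principal attribute}.
ATTRIBUTE_REPOSITORY_MAP = {"udcid": "UDC_IDENTIFIER"}

# Constructed LDAP entry for a test user; the udcid value is made up.
LDAP_ENTRY = {
    "uid": "muribe",
    "mail": "muribe@school.edu",
    "udcid": "0123456789ABCDEF0123456789ABCDEF",
}


def java_regex_to_python(pattern: str) -> str:
    """Java's \\z (absolute end of input) is spelled \\Z in Python's re module."""
    return pattern.replace(r"\z", r"\Z")


def service_matches(service: dict, url: str) -> bool:
    """Simplified model of RegexRegisteredService matching: the serviceId regex
    is searched for in the URL the client presents, which is why the pattern
    starts with ^ and ends in an anchor. Note the unescaped dots in the host
    part match any character; escape them (ban9server\\.school\\.edu) in a
    production definition so the pattern cannot match look-alike hosts."""
    return re.search(java_regex_to_python(service["serviceId"]), url) is not None


def resolve_principal_attributes(ldap_entry: dict, repository_map: dict) -> dict:
    """Simplified model of the LDAP attribute repository: only attributes
    listed under cas.authn.attributeRepository.ldap[0].attributes.* are
    fetched, each renamed to the principal attribute name on the right."""
    return {
        principal_name: ldap_entry[ldap_name]
        for ldap_name, principal_name in repository_map.items()
        if ldap_name in ldap_entry
    }


def release_attributes(service: dict, principal_attrs: dict) -> dict:
    """Simplified model of ReturnMappedAttributeReleasePolicy: keys of
    allowedAttributes are principal attribute names, values are the names the
    application receives. A principal attribute that does not exist is
    silently dropped, which is what Banner then reports as no assertions."""
    policy = service["attributeReleasePolicy"]
    mapping = {k: v for k, v in policy["allowedAttributes"].items() if k != "@class"}
    return {
        released_name: principal_attrs[principal_name]
        for principal_name, released_name in mapping.items()
        if principal_name in principal_attrs
    }


def attributes_seen_by_banner(repository_map: dict) -> dict:
    """End to end: LDAP entry -> principal -> attributes released to Banner."""
    principal = resolve_principal_attributes(LDAP_ENTRY, repository_map)
    return release_attributes(BANNER_SERVICE, principal)


if __name__ == "__main__":
    for url in (
        "https://ban9server.school.edu:8444/BannerGeneralSsb",
        "https://ban9server.school.edu:8444/BannerGeneralSsb/ssb/login",
        "https://ban9server.school.edu:8444/BannerGeneralSsbEvil/",
    ):
        verdict = "matches" if service_matches(BANNER_SERVICE, url) else "no match"
        print(f"{url} -> {verdict}")
    print("with udcid mapping:   ", attributes_seen_by_banner(ATTRIBUTE_REPOSITORY_MAP))
    print("without udcid mapping:", attributes_seen_by_banner({"uid": "uid"}))
```

Running it with and without the udcid mapping shows the released attribute set going from one UDC_IDENTIFIER entry to empty, which is the state a Banner 9 app is in when it answers "No assertions found".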



Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-21 Thread Greg Booth
We also had to map UDC_IDENTIFIER to get it to work, although we are on CAS
5.1.5.



Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-21 Thread Travis Schmidt
I am helping a team with this exact issue right now.  Don't know anything
about the banner side of things, but I had to map the attribute they were
looking for to UDC_IDENTIFIER in the Service Registry for it to work.



[cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-21 Thread Matthew Uribe
Hello Community,

I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x 

We have been using the Luminis delivered CAS 3.5.2, but are interested in 
the features available in 5, such as SAML2 IdP, and MFA using Duo. I have 
deployed CAS 5.2.0, included cas-server-support-ldap and 
cas-server-support-saml 
dependencies, and set up a service for one of our Banner 9 apps, but haven't 
been able to successfully access the application. I can access the CAS 
Dashboard, as well as the CAS-Management webapp, but the Banner apps are 
beyond me at this point. Right now, when I navigate to the Banner 9 app, I 
am redirected to the CAS login page. After logging in successfully, the 
browser gives me an error: "HTTP Status 403 - No assertions found".

I figure the problem is either in my service registry, or that I maybe need 
to import the CAS certificate into a keystore somewhere on the Banner 9 
server. Since I don't see anything related to a cert import in the Banner 9 
install guides, I'm focused on the first of these two possibilities, but 
after 2 days of going in circles I've run out of ideas and would eagerly 
accept the advice of this community.

Thank you,
Matt



Re: [SOLVED] Re: [cas-user] CAS 5.2.x SAML IdP Issues

2018-02-15 Thread Misagh Moayyed
Nice. If and when you get to it, turn it into one of these: 
https://apereo.github.io/cas/development/integration/Configuring-SAML-SP-Integrations.html
 

--Misagh 

Re: [SOLVED] Re: [cas-user] CAS 5.2.x SAML IdP Issues

2018-02-15 Thread vnick
I'm writing a SAML authentication extension for the Guacamole Project 
(http://guacamole.apache.org).

-Nick


Re: [SOLVED] Re: [cas-user] CAS 5.2.x SAML IdP Issues

2018-02-15 Thread Misagh Moayyed
Cool. Who exactly is the SP in this scenario? 

--Misagh 


[SOLVED] Re: [cas-user] CAS 5.2.x SAML IdP Issues

2018-02-15 Thread vnick
Well, this put me on the right path - turns out the number of services the 
log file told me was loading just happened to match what was in the 
services directory, but the CAS configuration was not pointing at anything 
but the default location, so it wasn't actually loading my services.  
Problem is resolved - all works well, now!

-Nick

On Thursday, February 15, 2018 at 12:29:00 PM UTC-5, Misagh Moayyed wrote:
>
> Do you have other JSON service definitions in the registry? Anything with 
> a lower evaluation order or a more relaxed regex pattern? 
>
> --Misagh
>
> --
>
> *From: *"vnick" <nick.e@gmail.com >
> *To: *"CAS Community" <cas-...@apereo.org >
> *Sent: *Thursday, February 15, 2018 10:15:40 AM
> *Subject: *[cas-user] CAS 5.2.x SAML IdP Issues
>
> Hey, everyone,
> I'm trying to get SAML2 authentication working against my CAS server.  
> I've got CAS protocol authentications working just fine, but am struggling 
> getting the SAML IdP configured correctly.  I have the following items 
> configured in my main CAS configuration:
>
> ## SAML Provider
> cas.authn.samlIdp.entityId=https://server.domain.com/cas/idp
> cas.authn.samlIdp.hostName=server.domain.com
> cas.authn.samlIdp.scope=domain.com
> cas.authn.samlIdp.metadata.cacheExpirationMinutes=30
> cas.authn.samlIdp.metadata.failFast=true
> cas.authn.samlIdp.metadata.location=file:///etc/cas/saml
> cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
> cas.authn.samlIdp.metadata.requireValidMetadata=true
> cas.authn.samlIdp.logout.forceSignedLogoutRequests=true
> cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false
> cas.authn.samlIdp.response.skewAllowance=0
> cas.authn.samlIdp.response.signError=false
> cas.authn.samlIdp.response.useAttributeFriendlyName=true
>
> I also have a JSON-based service registry configured, and have the 
> following entry for the SP that I'm trying to authenticate with:
>
> {
>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId": "https://1.2.3.4/guacamole/api/tokens",
>   "name": "GuacamoleSAML",
>   "id": 1002,
>   "evaluationOrder": 1002,
>   "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"
> }
>
> and, finally, I used the web site mentioned in the CAS SAML IdP 
> documentation to generate the metadata:
>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>                      validUntil="2018-02-17T03:16:28Z"
>                      cacheDuration="PT604800S"
>                      entityID="https://1.2.3.4/guacamole/api/tokens">
>   <md:SPSSODescriptor WantAssertionsSigned="false"
>                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                                  Location="https://1.2.3.4/guacamole/api/ext/saml/callback"
>                                  index="1" />
>   </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
> However, every time I try to authenticate with this app, I receive the 
> following error:
>
> 2018-02-15 12:12:52,559 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - 
> 2018-02-15 12:12:52,581 ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - https://1.2.3.4/guacamole/api/tokens] in registry but the match is not defined as a SAML service>
>
> I can't seem to get much more detail - I think something must be wrong 
> with my logging configuration, because I can't get any debugging.  Also, 
> most of the parameters in the cas configuration file for SAML 
> (cas.authn.samlIdp.*) seem to lack documentation - for example, I feel like 
> this could be related to the "cas.authn.samlIdp.scope=domain.com", but 
> there's no documentation on what's expected or acceptable for the scope, 
> and whether this would generate the error message I'm seeing above?  Other 
> than that, as far as I can tell, my JSON service entry matches the 
> documentation, is valid JSON, and defines the mentioned service as a SAML 
> service, so it's unclear to me what's leading to this error.
>
> Any pointers would be appreciated!
>
> -Nick
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> 

Re: [cas-user] CAS 5.2.x SAML IdP Issues

2018-02-15 Thread vnick
There are other service definitions in the registry, yes, but none that 
should overlap with this definition.  There are only two other service 
definitions - one is the OAuth Callback, which is automatically generated 
by CAS, and the other is one for the server on which CAS is running, which 
is different from the URL of the SAML application.  I will try disabling 
the one for the server where CAS is running just to be sure, but I the 
RegEx for that is pretty specific to that host and I don't see how it could 
overlap.

-Nick

On Thursday, February 15, 2018 at 12:29:00 PM UTC-5, Misagh Moayyed wrote:
>
> Do you have other JSON service definitions in the registry? Anything with 
> a lower evaluation order or a more relaxed regex pattern? 
>
> --Misagh
>
> --
>
> *From: *"vnick" <nick.e@gmail.com >
> *To: *"CAS Community" <cas-...@apereo.org >
> *Sent: *Thursday, February 15, 2018 10:15:40 AM
> *Subject: *[cas-user] CAS 5.2.x SAML IdP Issues
>

Re: [cas-user] CAS 5.2.x SAML IdP Issues

2018-02-15 Thread Misagh Moayyed
Do you have other JSON service definitions in the registry? Anything with a 
lower evaluation order or a more relaxed regex pattern? 

--Misagh 

> From: "vnick" <nick.e.couch...@gmail.com>
> To: "CAS Community" <cas-user@apereo.org>
> Sent: Thursday, February 15, 2018 10:15:40 AM
> Subject: [cas-user] CAS 5.2.x SAML IdP Issues


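Misagh's question above points at the usual cause of the "found in registry but the match is not defined as a SAML service" error: a different definition with a lower evaluation order, or a looser serviceId pattern, matches the SP's URL first, so the SAML request is resolved against a non-SAML service. The following added example (Python, not CAS code) lints a small constructed registry for exactly that situation: it reports which definition wins for a given URL, whether the winner is a SamlRegisteredService, which SAML definitions the winner shadows, patterns that are unanchored or contain unescaped dots (a loose serviceId lets more than the intended application obtain assertions), and keys that are not the documented ones (the JSON in the original post spells the order key `evaluationsOrder`; the documented CAS key is `evaluationOrder`). The matching rule used here (pattern searched anywhere in the URL, ties broken by id, missing evaluationOrder treated as 0) is an assumption of this example, not a statement about CAS's implementation.

```python
"""Lint a CAS-style JSON service registry for definitions that shadow a SAML SP.

Added example, not CAS code. The registry below is constructed: the SP entry
from the post (with the key spelled evaluationOrder) plus two regex services of
the kind the replies mention.
"""
import json
import re

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
# Keys this linter understands; anything else is reported as unknown.
KNOWN_KEYS = {"@class", "serviceId", "name", "id", "evaluationOrder",
              "metadataLocation", "description"}
# An unescaped '.' that is not part of '.*' or '.+' matches any character.
UNESCAPED_DOT = re.compile(r"(?<!\\)\.(?![*+])")

# Constructed sample registry (CAS keeps one JSON file per service; they are
# concatenated into one array here so the example is self-contained).
SAMPLE_REGISTRY_JSON = r"""[
  {"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
   "serviceId": "https://1.2.3.4/guacamole/api/tokens",
   "name": "GuacamoleSAML", "id": 1002, "evaluationOrder": 1002,
   "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"},
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https://server\\.domain\\.com/.*",
   "name": "CAS host", "id": 1, "evaluationOrder": 1},
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https://1\\.2\\.3\\.4/.*",
   "name": "Intranet catch-all", "id": 10, "evaluationOrder": 10}
]"""


def load_registry(text):
    """Parse the JSON array of service definitions."""
    return json.loads(text)


def unknown_keys(svc):
    """Keys outside KNOWN_KEYS, e.g. a misspelled 'evaluationsOrder', which
    never sets the evaluation order the author intended."""
    return sorted(k for k in svc if k not in KNOWN_KEYS)


def evaluation_order(svc):
    """Assumption for this example: a missing evaluationOrder counts as 0."""
    return int(svc.get("evaluationOrder", 0))


def pattern_warnings(svc):
    """Flag serviceId patterns that are looser than they look."""
    pattern = svc["serviceId"]
    warnings = []
    if not pattern.startswith("^"):
        warnings.append("pattern is not anchored with ^")
    if UNESCAPED_DOT.search(pattern):
        warnings.append("unescaped '.' matches any character (e.g. in the host)")
    return warnings


def matching_services(registry, url):
    """Definitions whose serviceId pattern is found in url, in evaluation order
    (assumption: search anywhere in the URL, ties broken by id)."""
    hits = [s for s in registry if re.search(s["serviceId"], url)]
    return sorted(hits, key=lambda s: (evaluation_order(s), int(s.get("id", 0))))


def diagnose(registry, url):
    """Explain which definition wins for url and whether a SAML entry is shadowed."""
    hits = matching_services(registry, url)
    if not hits:
        return {"status": "no-match", "winner": None, "shadowed": []}
    winner = hits[0]
    status = "ok" if winner["@class"] == SAML_CLASS else "not-saml"
    shadowed = [s["name"] for s in hits[1:] if s["@class"] == SAML_CLASS]
    return {"status": status, "winner": winner["name"], "shadowed": shadowed}


def lint(registry, url):
    """Human-readable report for one SP URL."""
    lines = []
    for svc in registry:
        for key in unknown_keys(svc):
            lines.append(f"{svc['name']}: unknown key {key!r}")
        for warn in pattern_warnings(svc):
            lines.append(f"{svc['name']}: {warn}")
    report = diagnose(registry, url)
    lines.append(f"{url}: winner={report['winner']} status={report['status']} "
                 f"shadowed={report['shadowed']}")
    return lines


if __name__ == "__main__":
    for line in lint(load_registry(SAMPLE_REGISTRY_JSON),
                     "https://1.2.3.4/guacamole/api/tokens"):
        print(line)
```

Run against the constructed registry, the report shows the "Intranet catch-all" entry winning for the Guacamole URL and the SamlRegisteredService being shadowed, which is the state the log line above describes; dropping the catch-all (or giving it a higher evaluation order than the SAML entry) makes the SAML definition win.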


[cas-user] CAS 5.2.x SAML IdP Issues

2018-02-15 Thread vnick
Hey, everyone,
I'm trying to get SAML2 authentication working against my CAS server.  I've 
got CAS protocol authentications working just fine, but am struggling 
getting the SAML IdP configured correctly.  I have the following items 
configured in my main CAS configuration:

## SAML Provider
cas.authn.samlIdp.entityId=https://server.domain.com/cas/idp
cas.authn.samlIdp.hostName=server.domain.com
cas.authn.samlIdp.scope=domain.com
cas.authn.samlIdp.metadata.cacheExpirationMinutes=30
cas.authn.samlIdp.metadata.failFast=true
cas.authn.samlIdp.metadata.location=file:///etc/cas/saml
cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
cas.authn.samlIdp.metadata.requireValidMetadata=true
cas.authn.samlIdp.logout.forceSignedLogoutRequests=true
cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false
cas.authn.samlIdp.response.skewAllowance=0
cas.authn.samlIdp.response.signError=false
cas.authn.samlIdp.response.useAttributeFriendlyName=true

I also have a JSON-based service registry configured, and have the 
following entry for the SP that I'm trying to authenticate with:

{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "https://1.2.3.4/guacamole/api/tokens",
"name": "GuacamoleSAML",
"id": 1002,
"evaluationsOrder": 1002,
"metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"
}

and, finally, I used the web site mentioned in the CAS SAML IdP 
documentation to generate the metadata:


<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  validUntil="2018-02-17T03:16:28Z"
  cacheDuration="PT604800S"
  entityID="https://1.2.3.4/guacamole/api/tokens">
  <md:SPSSODescriptor WantAssertionsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://1.2.3.4/guacamole/api/ext/saml/callback"
      index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>

However, every time I try to authenticate with this app, I receive the 
following error:

2018-02-15 12:12:52,559 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - 
2018-02-15 12:12:52,581 ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - https://1.2.3.4/guacamole/api/tokens] in registry but the match is not defined as a SAML service>

I can't seem to get much more detail - I think something must be wrong with 
my logging configuration, because I can't get any debugging.  Also, most of 
the parameters in the cas configuration file for SAML (cas.authn.samlIdp.*) 
seem to lack documentation - for example, I feel like this could be related 
to the "cas.authn.samlIdp.scope=domain.com", but there's no documentation 
on what's expected or acceptable for the scope, and whether this would 
generate the error message I'm seeing above?  Other than that, as far as I 
can tell, my JSON service entry matches the documentation, is valid JSON, 
and defines the mentioned service as a SAML service, so it's unclear to me 
what's leading to this error.

Any pointers would be appreciated!

-Nick



[cas-user] CAS 5.2.x Could not update the account password

2018-02-08 Thread casuser
I am using CAS 5.2.x. For reset password, I get the reset password email 
and from the link I can get to the reset password page where I enter my new 
password and retype it but I get this error on the browser "Could not 
update the account password" and nothing in the server log. I am using LDAP 
active directory. 



Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Good for you David, 

We are still using LDAP with almost 200k users and maybe 30 attributes. 
It's complicated. 

Maybe M$ will loosen the cost of AD for a k-12 school district. 
Would be nice. 




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" <david.cu...@newschool.edu> 
To: "cas-user" <cas-user@apereo.org> 
Sent: Thursday, February 8, 2018 12:31:22 PM 
Subject: Re: [cas-user] CAS 5.2.x 

It's a pain in the butt, mostly. :-) 

One of these days we're going to consolidate everything into the One True 
Active Directory and get rid of the second directory, which will make our lives 
easier in all sorts of ways, but that's still somewhere out on the horizon. 

The use of two AD configs just to handle two different OUs is mostly because 
there's another OU besides those two that we don't want to authenticate 
against, and so this was the simplest (although perhaps not the most efficient) 
way to do it. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 12:18 PM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 



Thanks David, 

That's a bit eye-opening, the orders and different authorizing entities. 




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 12:13:48 PM 

Subject: Re: [cas-user] CAS 5.2.x 

These could probably be shortened up in a couple of ways by: 


* combining the [0] and [2] Active Directory configs, which go against 
different OUs of the same directory (but are otherwise identical), and 
* performing attribute resolution as part of the authentication process, 
which you can do now, but couldn't do in olden days. 

On the other hand, there's something to be said for configuring it in a way 
that makes sense to you, and this makes sense to me. And, of course, there's 
the fact that it works. :-) 

--Dave 

## 
## LDAP AUTHENTICATION CONFIGURATION 
## 
# 
# Active Directory LDAP authentication configuration (regular user accounts) 
# 
cas.authn.ldap[0].order: 0 
cas.authn.ldap[0].name: Active Directory 
cas.authn.ldap[0].type: AD 
cas.authn.ldap[0].ldapUrl: ldaps://zuul.newschool.edu 
cas.authn.ldap[0].validatePeriod: 270 
cas.authn.ldap[0].poolPassivator: NONE 
cas.authn.ldap[0].userFilter: sAMAccountName={user} 
cas.authn.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu 
cas.authn.ldap[0].dnFormat: cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu 

# 
# Luminis 5 LDAP authentication configuration (all user accounts) 
# 
cas.authn.ldap[1].order: 1 
cas.authn.ldap[1].name: Luminis LDAP 
cas.authn.ldap[1].type: AUTHENTICATED 
cas.authn.ldap[1].ldapUrl: ldaps://janus.newschool.edu 
cas.authn.ldap[1].validatePeriod: 270 
cas.authn.ldap[1].userFilter: uid={user} 
cas.authn.ldap[1].baseDn: ou=People,o=cp 
cas.authn.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp 
cas.authn.ldap[1].bindCredential:  

# 
# Active Directory LDAP authentication configuration (admin user accounts) 
# 
cas.authn.ldap[2].order: 2 
cas.authn.ldap[2].name: Active Directory 
cas.authn.ldap[2].type: AD 
cas.authn.ldap[2].ldapUrl: ldaps://zuul.newschool.edu 
cas.authn.ldap[2].validatePeriod: 270 
cas.authn.ldap[2].poolPassivator: NONE 
cas.authn.ldap[2].userFilter: sAMAccountName={user} 
cas.authn.ldap[2].baseDn: ou=Network,dc=tns,dc=newschool,dc=edu 
cas.authn.ldap[2].dnFormat: cn=%s,ou=Network,dc=tns,dc=newschool,dc=edu 

## 
## LDAP ATTRIBUTE REPOSITORY CONFIGURATION 
## 
# 
# Collect attributes in the repository on a keep-first-value-found basis; 
# duplicate attributes (even if they have different values) in subsequent 
# sources will be ignored. 
# 
cas.authn.attributeRepository.merger: ADD 

# 
# Active Directory LDAP attribute lookup configuration (regular user accounts) 
# 
cas.authn.attributeRepository.ldap[0].order: 0 
cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://zuul.newschool.edu 
cas.authn.attributeRepository.ldap[0].validatePeriod: 270 
cas.authn.attributeRepository.ldap[0].userFilter: sAMAccountName={user} 
cas.authn.attributeRepository.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu 
cas.authn.attributeRepository.ldap[0].bindDn: cn=ldap_ssotest
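David's configuration above runs three LDAP authentication handlers in a fixed order, plus a separate attribute repository whose `merger: ADD` comment spells out keep-first-value-found semantics. The following added example (Python, not CAS code or CAS's own validation) parses properties of that shape and checks the things that typically go wrong in such a layout: two handlers sharing an `order`, a handler on plain `ldap://` rather than `ldaps://`, an `AUTHENTICATED` handler with an empty `bindCredential`, and a `dnFormat` that falls outside the handler's `baseDn`. It then merges attribute maps from two repositories by the ADD rule as the quoted comment describes it. `SAMPLE_PROPERTIES` is constructed with example.org hosts and deliberately planted defects; it is not the configuration from the thread.

```python
"""Sanity-check a multi-handler CAS LDAP configuration of the shape quoted above.

Added example, not CAS code. SAMPLE_PROPERTIES is constructed (example.org
hosts, defects planted on purpose); the attribute-merge rule implements the
keep-first-value-found behaviour the quoted comment gives for merger: ADD.
"""
import re
from collections import defaultdict

PROP_RE = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(\w+):\s*(.*)$")

SAMPLE_PROPERTIES = """
# Active Directory (regular user accounts): no defects
cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: Active Directory
cas.authn.ldap[0].type: AD
cas.authn.ldap[0].ldapUrl: ldaps://ad.example.org
cas.authn.ldap[0].userFilter: sAMAccountName={user}
cas.authn.ldap[0].baseDn: ou=Users,dc=example,dc=org
cas.authn.ldap[0].dnFormat: cn=%s,ou=Users,dc=example,dc=org
# Second directory, constructed defects: plain ldap:// and an empty bind secret
cas.authn.ldap[1].order: 1
cas.authn.ldap[1].name: Portal LDAP
cas.authn.ldap[1].type: AUTHENTICATED
cas.authn.ldap[1].ldapUrl: ldap://portal.example.org
cas.authn.ldap[1].userFilter: uid={user}
cas.authn.ldap[1].baseDn: ou=People,o=portal
cas.authn.ldap[1].bindDn: uid=svc_sso,ou=People,o=portal
cas.authn.ldap[1].bindCredential:
# Admin accounts, constructed defects: order collides with [0], dnFormat is
# outside baseDn
cas.authn.ldap[2].order: 0
cas.authn.ldap[2].name: Active Directory admins
cas.authn.ldap[2].type: AD
cas.authn.ldap[2].ldapUrl: ldaps://ad.example.org
cas.authn.ldap[2].userFilter: sAMAccountName={user}
cas.authn.ldap[2].baseDn: ou=Network,dc=example,dc=org
cas.authn.ldap[2].dnFormat: cn=%s,ou=Admins,dc=example,dc=org
"""


def parse_handlers(text):
    """Group cas.authn.ldap[N].key: value lines by handler index N."""
    handlers = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP_RE.match(line)
        if m:
            handlers[int(m.group(1))][m.group(2)] = m.group(3).strip()
    return dict(handlers)


def check_handlers(handlers):
    """Return one finding per defect; an empty list means the layout is clean."""
    findings = []
    orders = {}
    for idx, h in sorted(handlers.items()):
        order = h.get("order")
        if order in orders:
            findings.append(f"ldap[{idx}]: order {order} collides with ldap[{orders[order]}]")
        else:
            orders[order] = idx
        url = h.get("ldapUrl", "")
        if not url.startswith("ldaps://"):
            findings.append(f"ldap[{idx}]: ldapUrl {url!r} is not ldaps://")
        if h.get("type") == "AUTHENTICATED" and not h.get("bindCredential"):
            findings.append(f"ldap[{idx}]: AUTHENTICATED handler has an empty bindCredential")
        base, fmt = h.get("baseDn", ""), h.get("dnFormat", "")
        if fmt and not fmt.endswith("," + base):
            findings.append(f"ldap[{idx}]: dnFormat {fmt!r} is outside baseDn {base!r}")
    return findings


def merge_attributes(sources):
    """Merge per-repository attribute maps with the merger: ADD rule quoted
    above: keep the first value found; later sources never override or extend
    an attribute already present. sources is a list of (order, {attr: [values]})."""
    merged = {}
    for _, attrs in sorted(sources, key=lambda s: s[0]):
        for name, values in attrs.items():
            if name not in merged:
                merged[name] = list(values)
    return merged


if __name__ == "__main__":
    for finding in check_handlers(parse_handlers(SAMPLE_PROPERTIES)):
        print(finding)
    print(merge_attributes([(0, {"mail": ["a@example.org"], "givenName": ["Ann"]}),
                            (1, {"mail": ["ann@portal.example.org"], "sn": ["Lee"]})]))
```

The `dnFormat`/`baseDn` check matters because the handler binds as the formatted DN: a format that points outside the searched OU is the kind of mismatch that produces authentication failures with little in the log. The merge function only implements the ADD rule the comment describes; it makes no claim about CAS's other merger modes.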

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Yes I hear you. 

I got talked into using Gradle by a senior co-worker, but I am scrapping that. 
I am not a developer and I am trying to understand the developers environment. 

I think NOW after Mr Curry helped me with the pom.xml I am now in 
cas.properties hell. 

There are just so many options and ways to do it. 

But thank you, gentlemen; hopefully I can figure out the rest. 





=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "Chris Peck" <crp...@wm.edu> 
To: "cas-user" <cas-user@apereo.org> 
Sent: Thursday, February 8, 2018 11:38:10 AM 
Subject: Re: [cas-user] CAS 5.2.x 

All we do to build just the cas.war file is run this command in the directory 
with the pom.xml file & our src overlay directory: 
mvn clean package 
then it will poop out the warfile in target/cas.war 

We don't use their scripts. 
We keep the pom.xml file & our src overlay directory in git, when we push a 
change to our gitlab server it will build the warfile in a docker container, 
which then scp's the warfile to our cas servers automagically. This ensures a 
clean build environment every time. We don't do auto-deploy, we then ssh into 
the cas-servers and do the deploy manually. Eventually we plan on running CAS 
in docker, but, since we were under pressure to get it up version 5 we decided 
to do that later. 
Helpful - or - just more confusing? 
Chris 


On Thu, Feb 8, 2018 at 11:27 AM David Curry < david.cu...@newschool.edu > 
wrote: 




I'm afraid Gradle is a complete mystery to me. Hopefully someone else can jump 
in. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 11:13 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


David, 

Unfortunately that did not make a difference when I built the cas.war with 
gradle. 
When I used maven I got the same list you have. 

[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar 
-rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
-rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar 

The bad news is I have to rebuild cas.properties because the maven build wiped 
it out. 
Bummer ... 

Hope this is the issue. 

Thanks David. 





=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:49:08 AM 

Subject: Re: [cas-user] CAS 5.2.x 

Try changing what you have: 

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
</dependency>

to this: 

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

I'm pretty sure you have to have a version in there, so Maven knows which one 
to give you. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:22 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


David, 

These are my pom.xml dependencies. 
It's funny we are all kind of guessing; that's why we are here, I suppose. 
I certainly am guessing. 

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
    </dependency>

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>

=== 



Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:18:41 AM 

Subject: Re: [cas-user] CAS 5.2.x 

I do not see this one: 



cas-server-support-ldap-5.2.2.jar 




which, I believe, is the one you need. I don't pretend to be an expert on these 
things. But when I build from the Maven overlay with this dependency included 
in pom.xml : 

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

Here's what I get: 



WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
We're also using Shibboleth today, and we're also planning to drop it in
favor of CAS' SAML2 support. I have played a bit with using CAS as the IdP
and it seems to work in my limited testing against the Shibboleth SP
(mod_auth_shib) on Apache HTTPD.

My project this month is to actually move what I've been doing in dev into
test/prod with our Workday instance as the initial application, and Workday
wants SAML, so I'm about to learn more. :-)

The SAML stuff I've done is documented here:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_overview.html
https://dacurry-tns.github.io/deploying-apereo-cas/building_samlclient_overview.html

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Feb 8, 2018 at 12:30 PM, Cheltenham, Chris <
ccheltenham-...@philasd.org> wrote:

> David,
>
> That's really interesting, actually.
> Do you incorporate SAML2 proxy delegation in that properties file?
>
> We are using Shibboleth but plan to drop Shib and use SAML2 in CAS 5.
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> --
> *From: *"David Curry" <david.cu...@newschool.edu>
> *To: *"cas-user" <cas-user@apereo.org>
> *Sent: *Thursday, February 8, 2018 12:13:48 PM
>
> *Subject: *Re: [cas-user] CAS 5.2.x
>

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
It's a pain in the butt, mostly. :-)

One of these days we're going to consolidate everything into the One True
Active Directory and get rid of the second directory, which will make our
lives easier in all sorts of ways, but that's still somewhere out on the
horizon.

The use of two AD configs just to handle two different OUs is mostly
because there's another OU besides those two that we don't want to
authenticate against, and so this was the simplest (although perhaps not
the most efficient) way to do it.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Feb 8, 2018 at 12:18 PM, Cheltenham, Chris <
ccheltenham-...@philasd.org> wrote:

> Thanks David,
>
> That's a bit eye-opening, the orders and different authorizing entities.
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> --
> *From: *"David Curry" <david.cu...@newschool.edu>
> *To: *"cas-user" <cas-user@apereo.org>
> *Sent: *Thursday, February 8, 2018 12:13:48 PM
>
> *Subject: *Re: [cas-user] CAS 5.2.x
>

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, 

That's really interesting, actually. 
Do you incorporate SAML2 proxy delegation in that properties file? 

We are using Shibboleth but plan to drop Shib and use SAML2 in CAS 5. 




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" <david.cu...@newschool.edu> 
To: "cas-user" <cas-user@apereo.org> 
Sent: Thursday, February 8, 2018 12:13:48 PM 
Subject: Re: [cas-user] CAS 5.2.x 

These could probably be shortened up in a couple of ways by: 


* combining the [0] and [2] Active Directory configs, which go against 
different OUs of the same directory (but are otherwise identical), and 
* performing attribute resolution as part of the authentication process, 
which you can do now, but couldn't do in olden days. 

On the other hand, there's something to be said for configuring it in a way 
that makes sense to you, and this makes sense to me. And, of course, there's 
the fact that it works. :-) 

--Dave 

##
## LDAP AUTHENTICATION CONFIGURATION
##
#
# Active Directory LDAP authentication configuration (regular user accounts)
#
cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: Active Directory
cas.authn.ldap[0].type: AD
cas.authn.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[0].validatePeriod: 270
cas.authn.ldap[0].poolPassivator: NONE
cas.authn.ldap[0].userFilter: sAMAccountName={user}
cas.authn.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu
cas.authn.ldap[0].dnFormat: cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu

#
# Luminis 5 LDAP authentication configuration (all user accounts)
#
cas.authn.ldap[1].order: 1
cas.authn.ldap[1].name: Luminis LDAP
cas.authn.ldap[1].type: AUTHENTICATED
cas.authn.ldap[1].ldapUrl: ldaps://janus.newschool.edu
cas.authn.ldap[1].validatePeriod: 270
cas.authn.ldap[1].userFilter: uid={user}
cas.authn.ldap[1].baseDn: ou=People,o=cp
cas.authn.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp
cas.authn.ldap[1].bindCredential:

#
# Active Directory LDAP authentication configuration (admin user accounts)
#
cas.authn.ldap[2].order: 2
cas.authn.ldap[2].name: Active Directory
cas.authn.ldap[2].type: AD
cas.authn.ldap[2].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[2].validatePeriod: 270
cas.authn.ldap[2].poolPassivator: NONE
cas.authn.ldap[2].userFilter: sAMAccountName={user}
cas.authn.ldap[2].baseDn: ou=Network,dc=tns,dc=newschool,dc=edu
cas.authn.ldap[2].dnFormat: cn=%s,ou=Network,dc=tns,dc=newschool,dc=edu

##
## LDAP ATTRIBUTE REPOSITORY CONFIGURATION
##
#
# Collect attributes in the repository on a keep-first-value-found basis;
# duplicate attributes (even if they have different values) in subsequent
# sources will be ignored.
#
cas.authn.attributeRepository.merger: ADD

#
# Active Directory LDAP attribute lookup configuration (regular user accounts)
#
cas.authn.attributeRepository.ldap[0].order: 0
cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.attributeRepository.ldap[0].validatePeriod: 270
cas.authn.attributeRepository.ldap[0].userFilter: sAMAccountName={user}
cas.authn.attributeRepository.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn: cn=ldap_ssotest,ou=Service,ou=Users,ou=Enterprise Support,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindCredential:
cas.authn.attributeRepository.ldap[0].attributes.cn: uid
cas.authn.attributeRepository.ldap[0].attributes.displayName: displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName: givenName
cas.authn.attributeRepository.ldap[0].attributes.mail: mail
cas.authn.attributeRepository.ldap[0].attributes.sn: sn
cas.authn.attributeRepository.ldap[0].attributes.tnsGoogleAppsRole: role
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber: cn

#
# Luminis 5 LDAP attribute lookup configuration (all user accounts)
#
cas.authn.attributeRepository.ldap[1].order: 1
cas.authn.attributeRepository.ldap[1].ldapUrl: ldaps://janus.newschool.edu
cas.authn.attributeRepository.ldap[1].validatePeriod: 270
cas.authn.attributeRepository.ldap[1].userFilter: uid={user}
cas.authn.attributeRepository.ldap[1].baseDn: ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindCredential:
cas.authn.attributeRepository.ldap[1].attributes.cn: cn
cas.authn.attributeRepository.ldap[1].attributes.displayName: displayName
cas.authn.attributeReposit

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Thanks David, 

That's a bit eye-opening, the orders and different authorizing entities.




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" <david.cu...@newschool.edu> 
To: "cas-user" <cas-user@apereo.org> 
Sent: Thursday, February 8, 2018 12:13:48 PM 
Subject: Re: [cas-user] CAS 5.2.x 

These could probably be shortened up in a couple of ways by: 


* combining the [0] and [2] Active Directory configs, which go against 
different OUs of the same directory (but are otherwise identical), and 
* performing attribute resolution as part of the authentication process, 
which you can do now, but couldn't do in olden days. 

On the other hand, there's something to be said for configuring it in a way 
that makes sense to you, and this makes sense to me. And, of course, there's 
the fact that it works. :-) 

--Dave 

##
## LDAP AUTHENTICATION CONFIGURATION
##
#
# Active Directory LDAP authentication configuration (regular user accounts)
#
cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: Active Directory
cas.authn.ldap[0].type: AD
cas.authn.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[0].validatePeriod: 270
cas.authn.ldap[0].poolPassivator: NONE
cas.authn.ldap[0].userFilter: sAMAccountName={user}
cas.authn.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu
cas.authn.ldap[0].dnFormat: cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu

#
# Luminis 5 LDAP authentication configuration (all user accounts)
#
cas.authn.ldap[1].order: 1
cas.authn.ldap[1].name: Luminis LDAP
cas.authn.ldap[1].type: AUTHENTICATED
cas.authn.ldap[1].ldapUrl: ldaps://janus.newschool.edu
cas.authn.ldap[1].validatePeriod: 270
cas.authn.ldap[1].userFilter: uid={user}
cas.authn.ldap[1].baseDn: ou=People,o=cp
cas.authn.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp
cas.authn.ldap[1].bindCredential:

#
# Active Directory LDAP authentication configuration (admin user accounts)
#
cas.authn.ldap[2].order: 2
cas.authn.ldap[2].name: Active Directory
cas.authn.ldap[2].type: AD
cas.authn.ldap[2].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[2].validatePeriod: 270
cas.authn.ldap[2].poolPassivator: NONE
cas.authn.ldap[2].userFilter: sAMAccountName={user}
cas.authn.ldap[2].baseDn: ou=Network,dc=tns,dc=newschool,dc=edu
cas.authn.ldap[2].dnFormat: cn=%s,ou=Network,dc=tns,dc=newschool,dc=edu

##
## LDAP ATTRIBUTE REPOSITORY CONFIGURATION
##
#
# Collect attributes in the repository on a keep-first-value-found basis;
# duplicate attributes (even if they have different values) in subsequent
# sources will be ignored.
#
cas.authn.attributeRepository.merger: ADD

#
# Active Directory LDAP attribute lookup configuration (regular user accounts)
#
cas.authn.attributeRepository.ldap[0].order: 0
cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.attributeRepository.ldap[0].validatePeriod: 270
cas.authn.attributeRepository.ldap[0].userFilter: sAMAccountName={user}
cas.authn.attributeRepository.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn: cn=ldap_ssotest,ou=Service,ou=Users,ou=Enterprise Support,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindCredential:
cas.authn.attributeRepository.ldap[0].attributes.cn: uid
cas.authn.attributeRepository.ldap[0].attributes.displayName: displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName: givenName
cas.authn.attributeRepository.ldap[0].attributes.mail: mail
cas.authn.attributeRepository.ldap[0].attributes.sn: sn
cas.authn.attributeRepository.ldap[0].attributes.tnsGoogleAppsRole: role
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber: cn

#
# Luminis 5 LDAP attribute lookup configuration (all user accounts)
#
cas.authn.attributeRepository.ldap[1].order: 1
cas.authn.attributeRepository.ldap[1].ldapUrl: ldaps://janus.newschool.edu
cas.authn.attributeRepository.ldap[1].validatePeriod: 270
cas.authn.attributeRepository.ldap[1].userFilter: uid={user}
cas.authn.attributeRepository.ldap[1].baseDn: ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindCredential:
cas.authn.attributeRepository.ldap[1].attributes.cn: cn
cas.authn.attributeRepository.ldap[1].attributes.displayName: displayName
cas.authn.attributeRepository.ldap[1].attributes.givenName: givenName
cas.authn.attributeReposito

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
cas.authn.attributeRepository.ldap[1].attributes.uid: uid

#
# Active Directory LDAP attribute lookup configuration (admin user accounts)
#
cas.authn.attributeRepository.ldap[2].order: 2
cas.authn.attributeRepository.ldap[2].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.attributeRepository.ldap[2].validatePeriod: 270
cas.authn.attributeRepository.ldap[2].userFilter: sAMAccountName={user}
cas.authn.attributeRepository.ldap[2].baseDn: ou=Network,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[2].bindDn: cn=ldap_ssotest,ou=Service,ou=Users,ou=Enterprise Support,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[2].bindCredential:
cas.authn.attributeRepository.ldap[2].attributes.cn: uid
cas.authn.attributeRepository.ldap[2].attributes.displayName: displayName
cas.authn.attributeRepository.ldap[2].attributes.givenName: givenName
cas.authn.attributeRepository.ldap[2].attributes.mail: mail
cas.authn.attributeRepository.ldap[2].attributes.sn: sn




--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Feb 8, 2018 at 11:54 AM, Cheltenham, Chris <
ccheltenham-...@philasd.org> wrote:

> David,
>
> Would you be able to share your Cas 5 cas.properties section?
> Please make sure to blank out things like passwords.
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> --
> *From: *"David Curry" <david.cu...@newschool.edu>
> *To: *"cas-user" <cas-user@apereo.org>
> *Sent: *Thursday, February 8, 2018 11:27:48 AM
>
> *Subject: *Re: [cas-user] CAS 5.2.x
>
>
> I'm afraid Gradle is a complete mystery to me. Hopefully someone else can
> jump in.
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
> On Thu, Feb 8, 2018 at 11:13 AM, Cheltenham, Chris <
> ccheltenham-...@philasd.org> wrote:
>
>> David,
>>
>> Unfortunately that did not make a difference when I built the cas.war
>> with gradle.
>> When I used maven I got the same list you have.
>>
>> [root@devcas5 lib]# ll | grep ldap
>> -rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar
>> -rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar
>> -rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar
>> -rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar
>> -rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar
>> -rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar
>> -rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar
>> -rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar
>>
>> The bad news is I have to rebuild cas.properties because the maven build
>> wiped it out.
>> Bummer ...
>>
>> Hope this is the issue.
>>
>> Thanks David.
>>
>>
>>
>> =======
>>
>> Thank You;
>>
>> Chris Cheltenham
>> Technology Services
>> The School District of Philadelphia
>>
>> Work # 215-400-5025
>> Cell # 215-301-6571
>>
>> --
>> *From: *"David Curry" <david.cu...@newschool.edu>
>> *To: *"cas-user" <cas-user@apereo.org>
>> *Sent: *Thursday, February 8, 2018 10:49:08 AM
>>
>> *Subject: *Re: [cas-user] CAS 5.2.x
>>
>> Try changing what you have:
>>
>> <dependency>
>> <groupId>org.apereo.cas</groupId>
>> <artifactId>cas-server-support-ldap</artifactId>
>> </dependency>
>>
>> to this:
>>
>> <dependency>
>> <groupId>org.apereo.cas</groupId>
>> <artifactId>cas-server-support-ldap</artifactId>
>> <version>${cas.version}</version>
>> </dependency>
>>
>> I'm pretty sure you have to have a version in there, so Maven knows which
>> one to give you.
>>
>> --Dave
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
&
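The `merger: ADD` comment in David's config ("keep-first-value-found; duplicate attributes in subsequent sources will be ignored") decides which directory is authoritative for every attribute a service ends up receiving, and the two repositories above map the LDAP `cn` to different CAS attribute names (`uid` for Active Directory, `cn` for Luminis). The example below is added here and is neither David's config nor CAS code: it parses the `attributeRepository.ldap[N].attributes.*` mappings out of a constructed cas.properties fragment and replays the merge on constructed search results, so you can see exactly which values the `ADD` strategy silently drops. The `ADD` behaviour follows the comment in the thread; the `REPLACE` (last source wins) and `MULTIVALUED` (values accumulated) behaviour is modelled on the CAS documentation and is an assumption of this example, as are the hostless sample data and the attribute values.

```python
import re

# Constructed cas.properties fragment, modelled on the layout in this thread
# (hostnames, bind DNs and credentials deliberately left out).
SAMPLE_PROPS = """
cas.authn.attributeRepository.merger: ADD
cas.authn.attributeRepository.ldap[0].order: 0
cas.authn.attributeRepository.ldap[0].attributes.cn: uid
cas.authn.attributeRepository.ldap[0].attributes.mail: mail
cas.authn.attributeRepository.ldap[0].attributes.tnsGoogleAppsRole: role
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber: cn
cas.authn.attributeRepository.ldap[1].order: 1
cas.authn.attributeRepository.ldap[1].attributes.cn: cn
cas.authn.attributeRepository.ldap[1].attributes.mail: mail
cas.authn.attributeRepository.ldap[1].attributes.uid: uid
"""

# Constructed search results, one dict per repository index, as the two
# directories might return them for the same login name.
SAMPLE_RESULTS = {
    0: {"cn": ["jdoe"], "mail": ["jdoe@example.edu"],
        "tnsGoogleAppsRole": ["staff"], "tnsIDNumber": ["N12345"]},
    1: {"cn": ["John Doe"], "mail": ["j.doe@example.edu"], "uid": ["jdoe"]},
}

PREFIX = r"^cas\.authn\.attributeRepository\."
MERGER_RE = re.compile(PREFIX + r"merger\s*[:=]\s*(\w+)\s*$")
ORDER_RE = re.compile(PREFIX + r"ldap\[(\d+)\]\.order\s*[:=]\s*(\d+)\s*$")
# Tolerates the stray spaces seen in pasted configs ("ldap[0]. attributes.cn : uid").
ATTR_RE = re.compile(PREFIX + r"ldap\[(\d+)\]\.\s*attributes\.([\w-]+)\s*[:=]\s*(\S+)\s*$")


def parse_repositories(text):
    """Return (mappings, orders, merger).

    mappings: {index: {ldap_attribute: cas_attribute}} in file order
    orders:   {index: order}
    merger:   the configured merger name (upper-cased), or None if absent
    """
    mappings, orders, merger = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := MERGER_RE.match(line):
            merger = m.group(1).upper()
        elif m := ORDER_RE.match(line):
            orders[int(m.group(1))] = int(m.group(2))
        elif m := ATTR_RE.match(line):
            idx, ldap_attr, cas_attr = int(m.group(1)), m.group(2), m.group(3)
            mappings.setdefault(idx, {})[ldap_attr] = cas_attr
    return mappings, orders, merger


def resolve(mappings, orders, merger, results):
    """Combine per-repository results the way the merger setting dictates.

    Returns (merged, dropped): merged is {cas_attribute: [values]}; dropped
    lists (cas_attribute, repository_index) pairs whose values the merger
    discarded, which is the audit trail you want when a service is not
    receiving the attribute it expects.
    """
    merged, winner, dropped = {}, {}, []
    # Repositories are consulted in their configured order; index breaks ties.
    for idx in sorted(mappings, key=lambda i: (orders.get(i, i), i)):
        found = results.get(idx, {})
        for ldap_attr, cas_attr in mappings[idx].items():
            if ldap_attr not in found:
                continue
            values = list(found[ldap_attr])
            if cas_attr not in merged:
                merged[cas_attr], winner[cas_attr] = values, idx
            elif merger == "ADD":            # keep-first-value-found
                dropped.append((cas_attr, idx))
            elif merger == "REPLACE":        # later source overrides earlier
                dropped.append((cas_attr, winner[cas_attr]))
                merged[cas_attr], winner[cas_attr] = values, idx
            elif merger == "MULTIVALUED":    # accumulate distinct values
                merged[cas_attr] += [v for v in values if v not in merged[cas_attr]]
            else:
                raise ValueError(f"unknown merger {merger!r}")
    return merged, dropped


if __name__ == "__main__":
    maps, orders, merger = parse_repositories(SAMPLE_PROPS)
    for strategy in (merger, "REPLACE", "MULTIVALUED"):
        merged, dropped = resolve(maps, orders, strategy, SAMPLE_RESULTS)
        print(strategy, merged, "dropped:", dropped)
```

Under `ADD`, the Luminis repository contributes nothing for this user even though it returned three attributes, because Active Directory had already filled `uid`, `mail` and `cn`; `role` can only ever come from the first repository that defines it. That is the behaviour you want when the first source is the more trusted one, and the `dropped` list is the quickest way to explain to an application owner why the value they see in one directory is not the one CAS released.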

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, 

Would you be able to share your Cas 5 cas.properties section? 
Please make sure to blank out things like passwords.




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" <david.cu...@newschool.edu> 
To: "cas-user" <cas-user@apereo.org> 
Sent: Thursday, February 8, 2018 11:27:48 AM 
Subject: Re: [cas-user] CAS 5.2.x 


I'm afraid Gradle is a complete mystery to me. Hopefully someone else can jump 
in. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 11:13 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 



David, 

Unfortunately that did not make a difference when I built the cas.war with 
gradle. 
When I used maven I got the same list you have. 

[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar 
-rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
-rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar 

The bad news is I have to rebuild cas.properties because the maven build wiped 
it out. 
Bummer ... 

Hope this is the issue. 

Thanks David. 





=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:49:08 AM 

Subject: Re: [cas-user] CAS 5.2.x 

Try changing what you have:

<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
</dependency>

to this:

<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>

I'm pretty sure you have to have a version in there, so Maven knows which one 
to give you. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:22 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


David, 

These are my pom.xml dependencies.
It's funny we are all kind of guessing, that's why we are here I suppose.
I certainly am guessing.


<dependencies>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
</dependency>

<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp${app.server}</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
</dependencies>

=== 



Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:18:41 AM 

Subject: Re: [cas-user] CAS 5.2.x 

I do not see this one: 



cas-server-support-ldap-5.2.2.jar 




which, I believe, is the one you need. I don't pretend to be an expert on these
things. But when I build from the Maven overlay with this dependency included
in pom.xml:

<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>

Here's what I get: 



WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 



and when I build from the same pom.xml but with that dependency removed, here's 
what I get: 



WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 



So that tells me (or suggests, anyway) that you should be seeing 

WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 

(and maybe WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar).

Are you building with the Maven overlay? Have you tried deleting your Maven 
cache directory and re-doing the "mvnw clean package"?

--Dave 





-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:00 AM, Cheltenham, Chris < 
ccheltenham-...@phila

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
I'm afraid Gradle is a complete mystery to me. Hopefully someone else can
jump in.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Feb 8, 2018 at 11:13 AM, Cheltenham, Chris <
ccheltenham-...@philasd.org> wrote:

> David,
>
> Unfortunately that did not make a difference when I built the cas.war with
> gradle.
> When I used maven I got the same list you have.
>
> [root@devcas5 lib]# ll | grep ldap
> -rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar
> -rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar
> -rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar
> -rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar
> -rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar
> -rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar
> -rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar
> -rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar
>
> The bad news is I have to rebuild cas.properties because the maven build
> wiped it out.
> Bummer ...
>
> Hope this is the issue.
>
> Thanks David.
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> --
> *From: *"David Curry" <david.cu...@newschool.edu>
> *To: *"cas-user" <cas-user@apereo.org>
> *Sent: *Thursday, February 8, 2018 10:49:08 AM
>
> *Subject: *Re: [cas-user] CAS 5.2.x
>
> Try changing what you have:
>
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-support-ldap</artifactId>
> </dependency>
>
> to this:
>
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-support-ldap</artifactId>
> <version>${cas.version}</version>
> </dependency>
>
> I'm pretty sure you have to have a version in there, so Maven knows which
> one to give you.
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
> On Thu, Feb 8, 2018 at 10:22 AM, Cheltenham, Chris <
> ccheltenham-...@philasd.org> wrote:
>
>> David,
>>
>> These are my pom.xml dependencies.
>> It's funny we are all kind of guessing, that's why we are here I suppose.
>> I certainly am guessing.
>>
>>
>> <dependencies>
>> <dependency>
>> <groupId>org.apereo.cas</groupId>
>> <artifactId>cas-server-support-ldap</artifactId>
>> </dependency>
>>
>> <dependency>
>> <groupId>org.apereo.cas</groupId>
>> <artifactId>cas-server-webapp${app.server}</artifactId>
>> <version>${cas.version}</version>
>> <type>war</type>
>> <scope>runtime</scope>
>> </dependency>
>> </dependencies>
>>
>> ===
>>
>>
>> Thank You;
>>
>> Chris Cheltenham
>> Technology Services
>> The School District of Philadelphia
>>
>> Work # 215-400-5025
>> Cell # 215-301-6571
>>
>> --
>> *From: *"David Curry" <david.cu...@newschool.edu>
>> *To: *"cas-user" <cas-user@apereo.org>
>> *Sent: *Thursday, February 8, 2018 10:18:41 AM
>>
>> *Subject: *Re: [cas-user] CAS 5.2.x
>>
>> I do not see this one:
>>
>> cas-server-support-ldap-5.2.2.jar
>>
>>
>> which, I believe, is the one you need. I don't pretend to be an expert on
>> these things. But when I build from the Maven overlay with this dependency
>> included in pom.xml:
>>
>> <dependency>
>> <groupId>org.apereo.cas</groupId>
>> <artifactId>cas-server-support-ldap</artifactId>
>> <version>${cas.version}</version>
>> </dependency>
>>
>> Here's what I get:
>>
>> WEB-INF/lib/cas-server-support-ldap-5.2.2.jar
>> WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar
>> WEB-INF/lib/ldaptive-1.2.3.jar
>> WEB-INF/lib/ldaptive-beans-1.2.3.jar
>> WEB-INF/lib/ldaptive-unboundid-1.2.3.jar
>> WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar
>> WEB-INF/lib/ldaptive-apache-1.2.3.jar
>> WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar
>>
>>
>> and when I build from the same pom.xml but with that dependency removed,
>> here's what I get:
>>
>> WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar
>> WEB-INF/lib/ldaptive-apache-1.2.3.jar
>> WEB-INF/lib/ldaptive-beans-1.2.3.jar
>> WEB-INF/lib/lda
