Yes. The one caveat is that you would need to enable the "Use a domain
specific" issuer on prod, otherwise it will spit it out with generic values,
which don't have onu.edu in them. I don't remember what the generic values are.
When we upgraded CAS, I logged in to click that button to swap prod
Probably not? That sounds like code that is being hit somewhere that isn't
thread safe. The built-in LDAP code in CAS should be just fine in that
respect. Assuming you're using a well supported LDAP server that wouldn't have
thread issues? I don't know how an HTTP proxy would impact this. I
The cert you were using under the old integration likely doesn't match your
SAML cert. You would need to upload your new SAML cert to Google. And yeah, you
want to remove the old bits of the old method, in particular the jars
associated with it as it fires before the generic SAML can.
You would normally use it with your favorite security library in Java.
Common ones include Apache Shiro, Pac4J, and Spring Security. From
there use the library specific instructions for bringing in the CAS
client library.
On Thu, 2020-12-03 at 13:23 +0530, rohini bansode wrote:
> IF you have some
I believe that it is serialized Java classes. So it's binary data. You
don't change it without an external service. I guess you could find the
code that does it and write your own service. But you won't be doing it
via direct DB manipulation.
On Fri, 2020-12-04 at 09:48 +, Francisco
Why are you trying to POST to the login URL? It looks like this isn't
the POST from the login page? What do the CAS logs say?
On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> Hello,
>
> I am using CAS 5.3.X, but I think the same would apply to CAS4 or
> CAS5.
>
>
So you want to turn CAS into a SAML 2 SP? You'll need to follow this
documentation:
https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html
On Thu, 2021-01-21 at 17:09 -0800, Yan Zhou wrote:
> Hi,
>
> Try to implement this: people logged into their app (that does not
> use
Maybe? That version was released nearly 7 years ago and isn't supported. I
would suggest moving to CAS 6.3.
On Thu, 2021-01-21 at 17:05 -0800, Kylie L wrote:
Will CAS 3.5.2 work with an Oracle 19c or 18c database?
Thanks
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom:
I'm guessing that it just doesn't exist anymore. Browsing from
https://repo.spring.io/snapshot/
They don't have anything for Duo that is obvious. It was a SNAPSHOT dependency,
and thus shouldn't have been used in anything released. I see in my pom:
org.apereo.cas
You have to do overlay exclusions. Which for me looks like. Obviously close the
XML out as appropriate. I have further build plugins.
maven-war-plugin
2.6
false
false
false
${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF
org.apereo.cas
For the Duo jar, you should put them in your own local repo? Or maybe the cache
dir? I know that by default it feels like you have to hunt through a variety
of external repos to find that dependency. I run a local Nexus install for us
so I only have to hunt down once.
For the LDAP problems, I
CAS can do multifactor. It can also release a bunch of attributes about
how the authentication went if you use the CAS 3 protocol. The service
directing the individual to CAS can also request that a fresh login is
used. Combined together, the service can be assured (so long as they
trust the
Adding user won't catch a spray over different usernames. I just use rate
throttling as well.
And yeah, if they go down to 1 per second, you'll never catch them with the
throttle. You also won't catch them if they come at you with hundreds of IPs.
On Mon, 2021-05-17 at 16:40 +, Ray Bon
Don't get me wrong, throttling is definitely good. The thing you want to watch
out for is when unexpected attempts succeed. So one bit of strange behavior to
be on the lookout for is an authentication that triggers MFA, but the MFA
success never happens. It will depend on your MFA solution.
Yes, very nicely done. I too will find the Azure bit helpful when I spin up a
social CAS instance in the future.
Richard
On Thu, 2021-05-13 at 21:59 -0700, Andy Ng wrote:
Hi Paul,
Thanks for the contribution! We soon also need to setup delegate auth to Azure,
so that section is going to be
Looks like it can't find the table?? Are there any tables in your DB? Is your
DB named vantage? You'll need to refer to the docs on how to get it to create
the tables if they aren't there. If they are there in that DB, I'm not sure.
You are on an ancient version of CAS. If this is setting it up
Fernando's message below is great advice. The version of the CAS server
isn't going to matter too terribly much. It will depend on what protocol
you are planning to use against CAS. I'm going to guess CAS Protocol v3,
which gives you everything you need. You are going to want a security
at 5:20 AM 'Richard Frovarp' via CAS Community wrote:
Sorry, you don't need it in 5.3 as that one is default. So I didn't see that in
my dependencies. You'll need the ldaptive dependency for that. You'll want to
match version to the other ldaptive version you h
figuration-Properties-Common.html#ldap-connection-settings but this
property is also listed in the 5.0.x properties
<https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html>
On Thu, Jan 28, 2021 at 11:18 AM 'Richard Frovarp' via CAS Community wrote:
If I'm understanding you correctly, I've never done it that way.
You are saying that you have an attribute already set up called sAMAccountName,
right? And you want to release it to this system as domain\sAMAccountName as
userID?
I've always done such a thing via Groovy attribute return with
My guess is that the bind user is going to ignore the base DN as it happens
before the search is done. As for the rest, it likely should follow the base
DN. You may have something effectively double defined there that is causing it
to work outside. I'm not sure what the dnFormat parameter does.
I'm running my InCommon membership through Shibboleth, so I'm not looking for a
CAS solution. However, here is what I know:
1) R is documented as you point out. If you are going to provide REFEDS R
to REFEDS R SPs, you probably want to go into the InCommon Federation Manager
and assert that
The IdP automatically generates metadata. And the correct endpoints are
listed on this page, including the metadata endpoint:
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
Usually with SAML you provide the SP with a copy of your metadata,
ideally loaded
Did you provide the app your IdP generated metadata or provide the SP with the
information in a different method? As that's the wrong endpoint for the SP to
be sending you to:
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
On Wed, 2021-03-17 at 06:21
Get a test instance. It's pretty easy to do. Takes a little bit, but easy to
do. You really only need one or two users in it to test anyway.
There is a previous post on this list on how to do it the new way. I have
internal documentation that I can turn into external documentation tonight and
-0800, Mike Osterman wrote:
Thanks, Richard!
On Wed, Mar 10, 2021 at 2:40 PM 'Richard Frovarp' via CAS Community wrote:
Does single logout trigger upon CAS session expiration? I would expect
not, but maybe there's a setting to flip that? Or maybe something else
is triggering single logout at two hours, and that is triggering
Canvas?
On Fri, 2021-03-05 at 22:49 +0400, Misagh wrote:
> > Instructure's Canvas (LMS)
On Fri, 2021-03-05 at 11:20 -0800, Bill Scully wrote:
According to Instructure
It's doing something with Single Logout. Turn it off / block it, or something:
https://community.canvaslms.com/t5/Integration-Documents/Configuring-CAS-and-Canvas-Authentication/ta-p/387390
Look at the end for "User is randomly logged out of Canvas"
On Fri, 2021-03-05 at 12:41 -0800, Mike
Don't do a regex for the serviceId for SAML2. Do the entityId instead.
On Mon, 2021-04-12 at 18:46 +, Keith Alston (Staff) wrote:
Any ideas on what might be going on here?
I get the "Application Not Authorized to Use CAS" page when redirected to CAS.
2021-04-12 14:21:32,474 WARN
Or rather
serviceId :
instead of the regex you have there.
On Mon, 2021-04-12 at 18:50 +, 'Richard Frovarp' via CAS Community wrote:
Since I saw someone create the URL by hand the other day, I'm going to ask the
simple question: is the request hitting the HTTP-POST binding location? POST
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).
I've never had to do anything different to handle the two
lowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "ExtensionAttribute1" : "Email",
      "givenname" : "FirstName",
      "sn" : "LastName"
    }
  }
}
Keith Alston
Regent University
IT Department
I wouldn't mix the two methods. There's probably a way to make that work, but
that's an HTTPD question, not a CAS question. You can have CAS authenticate
against LDAP from the CAS IdP. That can either then return the list of
attributes to have mod_auth_cas filter on. Or you can have the IdP do
configuration. I'm guessing you can't anonymous bind
to LDAP from HTTPD.
On Fri, 2021-02-12 at 15:10 +, 'Richard Frovarp' via CAS Community wrote:
I don't remember the fine specifics of the logs well enough to know. It's
possible that both are at fault? Make sure you are listing attributes to lookup
in your ldap attribute repository configuration. If they aren't there, that'll
be problem one. The other thing is that by default the CAS 2
What's the way to do that? I thought I figured that out, but it turns
out I haven't. I think one of my systems is accomplishing it via JS in
the page. Another CAS instance for a different org doesn't have that JS.
Random trailing spaces are causing attribute resolution to fail. Somehow
The issue is that this happens before the service release policy can trigger.
For some reason it is going against AD with 'richard.frovarp ', which results
in a failed AD lookup. So it can't even get the extra attributes to return.
So it appears that the result of the principal transformation
"I understand you can make CAS use ADFS for backend authentication, or
vice versa, but I'm not sure that's exactly what I'm asking here... or
is it?"
Yes, that is what you are asking. Otherwise they are two independent
applications that know nothing about the state of one another, even
Newer versions of the JDK are still affected. The newer JDK versions stop JNDI
from running remote code; they don't stop the JNDI lookup. An attacker can still
exfil data through the DNS lookup. Also, there are other paths to exploit with
this attack. It was first found via JNDI LDAP to execute
Using a new enough version of the JDK might also alleviate it? The other
option is to throw the config option at the JDK to stop it from
happening. That would seem to be easiest.
On 12/10/21 12:36 PM, King, Robert wrote:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Has
to "true" in
the log4j2.xml config file might do the trick.
I'm guessing we'd do that somewhere here at the top?
/etc/cas/logs
On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community wrote:
Looks like the clock on your server isn't correct?
2022-02-17 20:14:10,479 ERROR
[org.apereo.cas.adaptors.duo.authn.DuoSecurityAuthenticationHandler] -
Caused by: com.auth0.jwt.exceptions.InvalidClaimException: The Token
can't be used before Thu Feb 17 20:15:11 UTC 2022.
I don't know about
The tables in the post are for the service registry. If you don't
migrate those, you will have to reconfigure from scratch.
I do not know what the plans are for the project with respect to the
service registry. It's changed a bit between versions, and usually seems
like a pain. We made the
Amazon stores a decent amount of info at the account layer. Different
application sessions across different devices share cart. But the
solution for this is to do it at the application layer. Extend the
session out there. Then at the security layer, it should have the
functionality to know
How are you triggering MFA / Duo? You likely only want to trigger Duo on
a local attribute and set up the integration to force Duo always. If you
are leaving it up to Duo to decide if the user is enrolled and bypass if
not, the old Duo Web integration couldn't tell you what happened, just
that
I would change the application and not do it via CAS. Change the application
session timeout to what they want. Because otherwise it will do an SSO session
again, which will interrupt anything the end user is trying to do with the
browser open for the past two days. So anything done via CAS
Part of the response metadata coming back is if the authentication is
from a new login. I think it will also tell you what time the auth
happened. Don't trust the user provided data, validate that what CAS is
telling you matches your security requirement. If it doesn't, don't let
them pass.
I discovered that the git service repository is not recursive. So, I can put
the hand maintained metadata in a subdirectory in the repo, and we are good.
From: 'Richard Frovarp' via CAS Community
Sent: Tuesday, December 20, 2022 2:52:21 PM
To: cas-user@apereo.org
That could also work. Thanks.
On 12/22/22 07:50, Misagh wrote:
Did you mean this?
https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-DynamicMetadata-Git.html
On Thu, Dec 22, 2022 at 4:52 AM 'Richard Frovarp' via CAS Community wrote:
Is it possible to have CAS use two different
I'm having two different problems related to SAML 2 keys and metadata on
6.6.3.
If I have org.apereo.cas:cas-server-support-saml-idp-metadata-git
enabled, I get an NPE when trying to access the metadata URL. I have
enforced the default false flag to indicate that the IdP metadata
shouldn't
location cas thinks is
correct.
Not sure about the exception. Perhaps it is missing something related to git;
path, write permissions, initialized repo, etc.
Ray
On Fri, 2023-01-06 at 15:42 -0600, 'Richard Frovarp' via CAS Community wrote:
On Fri, Dec 23, 2022 at 5:28 AM 'Richard Frovarp' via CAS Community wrote:
Is it possible to have CAS use two different repos, with one of them
NOT being services in 6.6? I have a repo of all of my hand maintained
metadata that isn't in the same repo as the JSON files for service
configuration.
Thanks,
Richard
Browsers will insert the intermediate certificates if they know them. So
you can't trust the browser. Scanners look for the chain with no prior
knowledge, and thus are more reliable in determining if you have
everything setup correctly.
On 11/3/22 12:47, Ray Bon wrote:
Michael,
I have not
Is there a metrics prefix for StatsD (or any of the other ones) that we
can provide? Generally we run one StatsD for multiple systems, and
not using a prefix to group it together is going to make things
complicated / impossible. There used to be one, but I can't seem to find
anything in the
On Tue, 2022-11-01 at 09:06 -0400, Mark H. Wood wrote:
> On Mon, Oct 31, 2022 at 03:25:12PM -0700, Benjamin Bini wrote:
> > Which project removes documentation as a way to encourage people to
> > upgrade?
> > What is the next step? Removing the code from GitHub and removing
> > artifacts
> > from
On CAS 6.6.6 and using the Duo Universal Prompt, it is exposing my
internal hostname, rather than the load balancer. It's not clear to me
why this is happening. It is also not clear to me what the correct
configuration options are for a load balanced CAS with respect to
hostname / proxy
Not sure why that isn't starting up. I launch it differently with a java
-jar command. Good resource for getting going:
https://fawnoos.com/2022/03/04/cas65-gettingstarted-overlay/
That is for 6.5, but I think everything holds for 6.6. It also has
different instructions for launching.
APIs are handled differently from SPAs. You probably need to look at the CAS
REST protocol? https://apereo.github.io/cas/6.6.x/protocol/REST-Protocol.html
I would put APIs behind an API gateway. Conceptually they are the same thing as
CAS + AD, but specifically designed for API calls,
Typically the helpful bit in a long stack like this is at the end
Error:
Caused by: java.net.MalformedURLException: no protocol:
login.unila.ac.id/cas
at java.base/java.net.URL.<init>(URL.java:627)
at java.base/java.net.URL.<init>(URL.java:523)
at
I am trying to retrieve one specific attribute from a REST end point. I
have it connecting to it. However, I only have one service that should
get this attribute, and thus I only need to connect to the REST
attribute store for that one service. How do I configure this in my
service definition?
On Fri, 2023-08-04 at 02:52 -0700, Jean-Paul JORDA wrote:
Hi,
We use Apereo CAS for our applications, but unfortunately the login page is not
accessible to people with disabilities. That's a problem for these people of
course, and what's more we are bound by law to provide accessible web sites
I have two otherwise identically configured CAS configurations, both on
6.6.6. Both are configured to use Duo, and both of them have the public
workstation checkbox in the login form. The only difference between the
two is that one uses the iframe Duo integration and one uses the
Universal