Hi Jen,
From a security perspective doing this is perhaps not the best idea. By
giving this information you aid attackers looking to verify whether an account
exists.
It is best not to give any indication that an account is valid or has been
locked.
Here is what we added for the Oracle setup (pom.xml dependencies):
  groupId org.apereo.cas, artifactId cas-server-support-jdbc-drivers, version ${cas.version}
  groupId com.oracle.jdbc, artifactId ojdbc8, version 12.2.0.1
Next add the ojdbc8.jar into the folder jdbc/oracle/ojdbc8.jar
We are using Oracle for just attribute resolution and AD LDAP
I am running into an error when setting up jdbc surrogate authentication on
CAS 5.2.3.
The error "Unable to read meta-data for class
org.apereo.cas.config.SurrogateJdbcAuthenticationConfiguration>" leads me
to think that I am missing some dependency in pom.xml or bad config in
What is everyone using for CAS auditing?
Mongo, Redis, Postgres, Mysql or other?
I am working on a new deployment for CAS and trying to see what auditing
repository everyone is using.
Previously I used Mongo but I am leaning toward a relational db for ease of
reporting.
Look forward to
I have encountered issues with banner 9 using the cas protocol on cas
version 6.0.0 and greater.
see:
https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/banner$209|sort:date/cas-user/5B_wPaG7oXA/b2IzHaw3BAAJ
I am going to try setting up some of the banner 9 app using the SAML
Hi Matt,
Thanks for your reply.
I think it might just be a bug currently. Looks like there have been some
changes to how cas selects mfa. It currently does not work for finding the
service when it comes in using the TARGET= service method.
2019-02-25 09:47:54,016 DEBUG [
Hi Erik,
Can you provide an example of your AD config?
Here is an example of mine which is working on 6.1.0RC2:
## LDAP Settings ##
#
https://apereo.github.io/cas/development/configuration/Configuration-Properties-Common.html#ldap-connection-settings
### CONFIG for 6.1.0
Has the serviceParameter = 'SAMLart' and artifactParameterName = 'TARGET'
been deprecated in cas?
I am trying to connect CAS 6.1.0-RC2-SNAPSHOT to Banner 9 Application
Navigator ver 3.1.
We had it working on 6.0.0-RC4-SNAPSHOT and CAS 5.1.2.
Despite being the most recent version of Banner
We tried using Ellucian's WSO2. We did not enjoy it. We tried using it in
2016. At that time Ellucian was super behind the real WSO2 project. At the
same time they had modified it in ways where trying to use WSO2's
documentation was problematic.
I have been super happy with cas, the
Dear Mike,
You are the best. It worked! Not sure why I did not have to do this on
previous versions of CAS.
Thanks so much, this has been the last piece preventing me from going
forward with a new deployment of cas using 6.1.0 RC2
You are seriously the best.
How has your deployment of "Banner 9"
I have been troubleshooting login with a CAS application that uses the
'TARGET' service parameter in the querystring instead of the normal
'service'.
It looks like 6.0.0 introduced a new process for multifactor selection
based on the service parameter. I think there is a bug in this process.
If you do not want to use Azure AD Connect you can create a process to sync
via powershell. I have an example on my github:
https://github.com/bondr007/office365UserSync. It consumes a csv and does
some queries to AD. It could be modified for openldap.
The steps to actually enable SSO on office are
Let me know if the below makes sense.
For the integration you need to pass the attributes as follows:
cas.samlSP.office365.metadata=https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
Neat tip for anyone using cas with Office 365. You can have Microsoft
automatically redirect to your cas login by using a link like the below:
https://login.microsoftonline.com/?whr=example.com
A few other options mentioned here:
Were you able to complete the o365 setup with cas?
On Wednesday, July 3, 2019 at 9:26:36 AM UTC-5, Robert Bond wrote:
>
> If you do not want to use Azure AD Connect you can create a process to
> sync via powershell. I have an example on my github:
> https://github.com/bondr007/office365UserSync
Here is a blog post by Misagh Moayyed about it:
https://apereo.github.io/2018/11/06/cas6-admin-endpoints-security/
On Wednesday, April 24, 2019 at 8:29:05 AM UTC-5, Juna Grosse Lengerich
wrote:
>
> Hi,
>
> we're having a problem with the actuator configuration for our cas config
> server.
>
You need to have an immutableId that is shared with Office365 through your
import process. This can be almost anything just cannot be changed on the
o365 side. Typically people use the account guid from their directory
server.
You can use the integration like how you are currently or below
Yep, you also need to add the uid as the ImmutableId on creation of the
accounts in office365. How are you syncing users to office365?
To set the ImmutableId on a user via powershell:
Set-MsolUser -UserPrincipalName a...@example.com -ImmutableId 71cfd66c-2c72-43ee-a88e-8e29458eb3b0
On
Mr. Bond,
I have not configured cas for triggering multi-factor based off a singular
attribute. I have for a multi-valued memberOf attribute. It should be
basically the same.
Here is my config for looking at the memberOf attributes:
# Activate MFA globally based on principal attributes
Have you switched office 365 over to use federated login via
the Set-MsolDomainAuthentication powershell command?
On Monday, July 8, 2019 at 11:28:18 AM UTC-5, Alfonso Veraluz wrote:
>
> Hello.
>
> No. I made an advance adding values like to the immutableId in the 365
> users but after that:
>
I have been running into this same issue for quite a while now. Have not
been able to identify the source.
On Thu, Nov 21, 2019 at 11:25 AM Chris G wrote:
> I'm just wondering if anyone figured this out. I have the same issue--SAML
> Responses from CAS are NOT base64 encoded, but all the
6.1.0RC6, I switched to using ssh keys and it worked.
Thanks,
Robert Bond.
On Tue, Oct 29, 2019 at 5:28 AM Misagh Moayyed
wrote:
> Are you still seeing this with 6.1.0?
>
> On Saturday, October 12, 2019 at 12:07:47 AM UTC+4, Robert Bond wrote:
>>
>> Getting an error when using a private git
Running into an odd doubling of attribute values when surrogate access is
enabled.
On CAS 6.1.0 RC6
Here is my Surrogate config, Active Directory Auth config, and Attribute
repository:
# Surrogate config
cas.authn.surrogate.separator=+
> Could it be that the second entry is the surrogate; and if no surrogate is
> supplied in the log in form, then the same subject exists for both [that
> is, for the surrogate plugin, an array is required]?
>
> Ray
>
> On Mon, 2019-10-07 at 13:10 -0700, 'Robert Bond' via CAS Community wrote:
>
> Running into an odd doubling of attribute values when surrogate access is
> enabled.
> On CAS 6.1.0 RC6
>
>
> Here is my Surrogate co
Getting an error when using a private git repo for cas service registry. It
works correctly if I remove the username and password config options or
use a public repo.
Here is my config for the registry:
cas.serviceRegistry.git.repositoryUrl=https://gitlab.example.edu/cas-service-registry.git
settings because machine certs are only valid
> for 12 months
> ------
> *From:* 'Robert Bond' via CAS Community
> *Sent:* Friday, February 21, 2020 8:36:59 AM
> *To:* cas-user@apereo.org
> *Subject:* Re: [cas-user] Secure Ldap (LDAPS) --(
You can also just pass it the (CA or client) cert file. Like so:
cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt
On Wed, Feb 19, 2020 at 7:34 PM Jason Everling
wrote:
> Grab your LDAPS certificates, create a new JKS keystore type and add your
> certificates to it. The
Does that work if you specify the root or only the end entity certificate?
>>
>> On Thu, Feb 20, 2020 at 8:33 AM 'Robert Bond' via CAS Community <
>> cas-user@apereo.org> wrote:
>>
>>> You can also just pass it just the (CA or client) cert file. Like so:
We are on 6.1.5.
6.1.X has been very stable for us, once we got the config up to date from
our 6.0.4 build.
At times the release schedule can be a little uncertain, in that we can be
uncertain of what version we want to move to.
I do not think "keeping up" with the release schedule is too
Are you running into any issues?
You need to have SAML setup first.
Here is a modified copy of our service registry entry: (modify attributes
as needed)
{
"id" : 12,
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"metadataLocation" :
No problem.
Glad to hear it is working.
A lot of those parameters are default
Thanks!
On Fri, May 22, 2020 at 8:17 AM Keith Alston (Staff)
wrote:
> WOW! Thanks for sharing your registry entry.
>
>
>
> I did get this working and it actually was pretty straightforward. My
> registry entry was
I get those also. Duo still works fine. Tried looking on the duo side to
grant additional privileges, did not find any.
On Tue, Aug 25, 2020 at 8:54 AM 'Mallory, Erik' via CAS Community <
cas-user@apereo.org> wrote:
> Hello,
>
>
> CAS Version: 6.1.5
>
> We're getting the following warning in the
I have done this with one of our services.
Here is the groovy code to handle something similar. Probably not the
cleanest.
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"mail" : "groovy
> Wichita State University
>
> On Tue, 2020-08-25 at 13:04 -0500, 'Robert Bond' via CAS Community
> wrote:
It might be better to just have your ingress controller do a 301
redirect to the /cas
I have seen third parties hard code the /cas in their cas integration; even
if they don't, it might throw them off initially.
On Wednesday, July 15, 2020 at 4:06:21 PM UTC-5 Ray Bon wrote:
> Landon,
>
> I
I am having issues finding the audits for surrogate logins in Cas 6.1.5.
Inside the audit log and in the console output I never see the audit event
for a surrogate login like it is described in the docs here:
Hi Bryan,
Are you using SpringBoot Admin Server?
Here is how we have monitoring configured without SpringBoot Admin Server:
## Management/Monitoring Settings ##
# Blog post:
https://apereo.github.io/2018/11/06/cas6-admin-endpoints-security/
# And
You can use the following config to specify the cert of the CA, if that is
what is needed:
cas.authn.ldap[0].trustCertificates=file:/etc/cas/ca_ldaps_cert.crt
On Tue, Jun 16, 2020 at 3:10 PM David Curry
wrote:
> The CAS server (Tomcat) cannot validate the TLS certificate being returned
> by
Hi Tobey,
Thanks for the further insight. To potentially simplify your setup, is
there a reason you cannot use just cas?
After taking a look I am guessing you do not have an option. Looks like
ADFS is controlled by your regents? https://adfs.sdbor.edu/
Unfortunately I have not set up a relying
Hi Tobey,
Can you explain the scenario a little more?
What Role is the ADFS server playing? SP?
What role is the cas server fulfilling? IDP?
Do you have this working on CAS 5?
Thanks!
On Thursday, June 4, 2020 at 11:40:47 AM UTC-5, Toby Archer wrote:
>
> We are looking to upgrade from