Re: [cas-user] Re: 4.x SAML documentation

2016-04-22 Thread David Curry
> > I've been holding off on trying the snapshots so far, due mostly to other > things on my plate, but also because I'm waiting for 4.3.x and MFA to get a > little closer, as we want that, too. I sorta kinda get the overlays and > stuff, and even some coding, in that I managed to figure out

[cas-user] 4.x SAML documentation

2016-04-21 Thread David Curry
Hopefully this isn't too dumb a question; I haven't been able to find a definitive answer anywhere. Right now we're using CAS 3.5.x (we're waiting for summer and 4.3.x with MFA) as our primary authentication/single sign-on. We also have Shibboleth 2.4.x for those few services that don't

[cas-user] Services management webapp in HA configuration?

2016-07-27 Thread David Curry
I'm planning to build an active-active high availability configuration of multiple CAS servers behind a load balancer. I'm not sure which technology I'm going to use yet, but the configuration will include some sort of replicating service registry (I'm leaning toward MongoDB running on each

Re: [cas-user] Questions about configuration management (CAS 5.0)

2016-07-20 Thread David Curry
Thanks for the detailed answers; that all makes sense. The GitHub approach to storing the application.properties file(s) sounds pretty neat; especially if we were to ever do some kind of split on-prem/cloud deployment (which we have been kicking around but won't be in our first iteration).

[cas-user] Re: Step by Step guide

2016-09-09 Thread David Curry
For what it's worth, as I've been working on building a CAS 5.0 development/test environment here, I have been documenting every step along the way (starting from bare Red Hat 7 servers that you have to install Java and Tomcat on). I've been doing this for our own internal use, but have

Re: [cas-user] login page state

2016-10-27 Thread David Curry
So just to confirm... does that mean that this paragraph: There is a further consideration for active/active deployments: session affinity. Session affinity is a feature of most load balancer equipment where the device performs state management for incoming requests and routes a client to the

[cas-user] Dependency issues trying to enable SAML IdP support in 5.0 RC5-SNAPSHOT?

2016-11-02 Thread David Curry
RedHat 7, OpenJDK 1.8.0_111, Tomcat 8.5.6 (non-embedded) If I build RC5-SNAPSHOT using the cas-overlay-template with only the addition of the "cas-server-support-ldap" dependency, everything builds and works fine (it did with RC4-SNAPSHOT, too). However, now I'm working on adding SAML IdP

Re: [cas-user] Dependency issues trying to enable SAML IdP support in 5.0 RC5-SNAPSHOT?

2016-11-02 Thread David Curry
com/apereo/cas/issues/2103 > > > > --Misagh > > > > *From:* cas-...@apereo.org [mailto:cas-...@apereo.org > ] *On Behalf Of *David Curry > *Sent:* Wednesday, November 2, 2016 1:12 PM > *To:* CAS Community cas-...@apereo.org > *Subject:* [cas-user] Dependency i

[cas-user] Configuration management for properties - clue(s) needed

2016-10-30 Thread David Curry
So I'm building a development/planning a production high availability clustered setup of CAS 5.0 servers, and I'm trying to work out the best way to manage the property settings (/etc/cas/config/cas.properties). I've read the "Configuration Management" page, as well as the "Clustered

[cas-user] cas.authn.samlIdp.metadata.location not parsed as uri

2016-11-04 Thread David Curry
The documentation (https://apereo.github.io/cas/development/installation/Configuration-Properties.html#saml-idp) says that the cas.authn.samlIdp.metadata.location property should be set to a URI/URL like "file:/etc/cas/saml". However, if you do this, the server will die on startup with

Re: [cas-user] Configuration management for properties - clue(s) needed

2016-11-02 Thread David Curry
Thanks for the clarifications, Misagh. I think for the moment then, I may just kick this particular can down the road and just copy the properties file around. It's not like I don't have plenty of other features and settings and options to play around with. :-) --Dave On Wednesday, November

Re: [cas-user] Commercial companies using CAS?

2016-12-13 Thread David Curry
Well, for what it's worth, Misagh ran a survey in this group back in March, and shared the results at Open Apereo. From one of those slides, of 156 respondents: Healthcare: 4 (2.8%) Insurance: 5 (3.5%) Government: 11 (7.5%) Higher Ed: 109 (75.7%) Finance: 1 (0.7%) Travel: 1 (0.7%) Other: 25

Re: [cas-user] Service registry initialisation using JSON files. Help needed

2017-08-09 Thread David Curry
You also have to add org.apereo.cas cas-server-support-json-service-registry ${cas.version} to your pom.xml. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212

Re: [cas-user] CAS 5.1.0 not deploying in tomcat

2017-07-26 Thread David Curry
Tomcat 7 does not support Servlet Spec 3.1, which is required by CAS 5. You need to upgrade to Tomcat 8.5.x (supersedes the 8.0.x line). Note the special considerations documented for external Tomcat configurations here:

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2017-07-19 Thread David Curry
l setup, which authenticates against Active Directory first and LDAP second, and merges attributes from both, I get: REMOTE_USER = curryd AuthenticationMethod = Active Directory displayName = David Curry successfulAuthenticationHandlers = Active Directory cn = x EmailAddress = david.cu...

Re: [cas-user] Re: 5.1.x - How to configure CAS to transfer some values from different attributes of LDAP

2017-09-15 Thread David Curry
Personally I would use the second option, as it gives you more flexibility. If you'd like a step-by-step example of setting up attribute release, see here: https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_resolution-release_overview.html (The above is not official

Re: [cas-user] Re: 5.1.x - How to configure CAS to transfer some values from different attributes of LDAP

2017-09-19 Thread David Curry
Did you configure the server to support releasing attributes with SAML 1.1? The CAS protocol didn't support attribute release until v3.0 of the protocol, which came out in v4.0 of the server. To support SAML 1.1 attribute release, you need this in pom.xml: org.apereo.cas

Re: [cas-user] Re: Service registry initialisation using JSON files. Help needed

2017-09-21 Thread David Curry
Didier, Is /etc/cas/json a file, or a directory? CAS is expecting it to be a directory, with individual JSON files for each service underneath, like this: / <-- file system root etc/ json/ Apereo-1002.json HTTPSandIMAPS-1001.json Assuming you have added the

Re: [cas-user] CAS config server credentials

2017-10-09 Thread David Curry
Normally you disable the static authentication handler altogether once you have a "real" authentication handler (e.g., LDAP or Active Directory) configured. To do that, put this in cas.properties: cas.authn.accept.users: Just leave the value empty. If you really and truly want to keep the

Re: [cas-user] Re: CAS 5.1, Application Not Authorized to Use CAS, no service registry issue???

2017-09-05 Thread David Curry
/04/520rc2-release/#minors. > > "Service registry initialization from JSON is now able to honor service > definitions found at the path specified via settings, rather than only > loading those found on the classpath’s services directory." > > > > On Tuesday, September 5,

Re: [cas-user] Re: FYI: Detailed CAS 5.1.x how-to documentation available

2017-09-06 Thread David Curry
login form/experience? > > Thank you! > > On Friday, September 1, 2017 at 4:24:25 PM UTC-4, David Curry wrote: >> >> Hi everyone, >> >> A couple of weeks ago there was a thread here asking for CAS 5.1.x >> step-by-step documentation. >> >> As I've

Re: [cas-user] A new CAS Adopter

2017-09-25 Thread David Curry
You might find this helpful; it's the step-by-step documentation I've been building to record our development environment for posterity. It's not the only way to do it, but if you're completely new to everything, it will at least get you off the ground with something you can then start to

Re: [cas-user] making an extra LDAP attribute visible via CAS

2017-09-26 Thread David Curry
Short answer: cas.authn.attributeRepository.ldap[0].attributes.employeeNumber: UDC_IDENTIFIER The last element of the property name is the name of the attribute in the directory, the value of the property is the name you want to give it when it's released to applications. The above assumes

Re: [cas-user] CAS authentication denial based on an attribute

2017-09-29 Thread David Curry
Most of the functionality for what you want is here, I think: https://apereo.github.io/cas/development/installation/Webflow-Customization-AUP.html It seems to be available in 5.1.x as well, although with fewer options for storing state than what 5.2.x is going to offer. I should mention that

Re: [cas-user] CAS authentication denial based on an attribute

2017-09-29 Thread David Curry
om O'Neill <one...@sigcorp.com> wrote: > Looks like I need to catch up on my 5.x – another good reference, thanks > Dave! > > > > Thanks, > > > > *Tom O’Neill* > > > > > > *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behal

Re: [cas-user] Re: CAS 5.1, Application Not Authorized to Use CAS, no service registry issue???

2017-09-05 Thread David Curry
To use a separate JSON registry (e.g., /etc/cas/services/), you have to add the cas-server-support-json-service-registry dependency to pom.xml and rebuild the server. Then you can set cas.serviceRegistry.config.location:file:/etc/cas/services and put your service declarations in there.

Re: [cas-user] Service Registry

2017-12-04 Thread David Curry
I don't have a specific MySQL-ish answer, but if you've configured the dashboard ("admin pages"), the "Registered Services" button will give you a JSON document that contains the entire registry. It's just a REST endpoint (https://your.server.name/cas/status/services), so depending on how you've

Re: [cas-user] CAS 5.2.0

2017-12-04 Thread David Curry
Two dumb questions (but I've gotten caught by both): 1. Did you pull down a new copy (or do a git pull) from the Github repo for cas-maven-overlay? It is not (or at least not always) sufficient to just update the ${cas.version}, because other information in pom.xml changes sometimes.

Re: [cas-user] Re: having difficulty with dependencies when upgrading to CAS 5.2.0

2017-12-12 Thread David Curry
Just a thought... When you went from 5.1.4 to 5.2.0, did you update the Maven overlay template from GitHub and then re-apply your local changes, or did you just update ${cas.version}? In my (limited) experience, just updating the version doesn't always work, and it's better to update from the

Re: [cas-user] having difficulty with dependencies when upgrading to CAS 5.2.0

2017-12-14 Thread David Curry
ou might try removing or updating > the version of the ldaptive-unboundid artifact to the latest version or > even try removing it as a test to see if the error message goes away or > changes. > ​​ > > ​-Adam​ > > > On Thu, Dec 14, 2017 at 12:13 PM, David Curry <david.cu.

Re: [cas-user] having difficulty with dependencies when upgrading to CAS 5.2.0

2017-12-14 Thread David Curry
This is PURE speculation, but I see this dependency in your 5.2 pom.xml: org.ldaptive ldaptive-unboundid 1.0 What is that? I cannot find any mention of it in the CAS documentation searching for "ldaptive-unboundid", which makes me think it

Re: [cas-user] JSON Service Registry cas.serviceRegistry.config.location property setting ineffective after upgrading to CAS version 5.2

2017-12-18 Thread David Curry
You have the wrong property name (I forget when it changed). cas.serviceRegistry.json.location: file:/etc/cas/services Also, since you have your own non-empty service registry, you should have cas.serviceRegistry.initFromJson: false That property tells the CAS server to load an otherwise

Re: [cas-user] how to access admin or management page?

2017-12-19 Thread David Curry
Here is one way to do it. It's not the only way, since CAS gives you so many options, but it should be enough to get you started. 1. Set these to enable the dashboard (these settings enable all of the endpoints; you can also pick and choose): cas.adminPagesSecurity.actuatorEndpointsEnabled:

Re: [cas-user] Exception in async processing

2017-12-15 Thread David Curry
This is a servlet container configuration issue, not a code issue -- no pr needed. The embedded servlet container comes pre-configured with async support enabled, but if you're using an external servlet container, you have to enable it yourself. This is documented here:

Re: [cas-user] Re: having difficulty with dependencies when upgrading to CAS 5.2.0

2017-12-13 Thread David Curry
> I updated from the repo. My guess is that I missed something in doing so, > but I have not been able to figure out what I missed. Thanks Dave. > > On Tuesday, December 12, 2017 at 11:29:24 AM UTC-5, David Curry wrote: >> >> Just a thought... >> >> When you went f

Re: [cas-user] JSON Service Registry cas.serviceRegistry.config.location property setting ineffective after upgrading to CAS version 5.2

2017-12-19 Thread David Curry
. How can this be avoided? > > Just to reiterate: My primary issue has been resolved. > > > > On Monday, December 18, 2017 at 3:50:22 PM UTC-5, David Curry wrote: >> >> You have the wrong property name (I forget when it changed). >> >> cas.serviceRegistry.js

Re: [cas-user] CAS ldap against AD?

2017-12-13 Thread David Curry
You might find this link helpful. It's a work in progress and not "official" documentation, but it does include, among other things, an example and step-by-step instructions for how to configure for AD, both authentication and attributes. https://dacurry-tns.github.io/deploying-apereo-cas/

Re: [cas-user] CAS 5.1.5: Change SAML Attribute Names

2017-11-10 Thread David Curry
This is the way I did it with the Shib SP (Apache mod_shib) as well. Not sure it's the "right" way, but it works. In our experience, just about every SAML SP we work with (mostly third-party SaaS platforms) requires their own custom attribute list anyway, so doing this seems like it will be a

Re: [cas-user] Running CAS 5.1 as a service in linux

2017-11-13 Thread David Curry
Embedded Tomcat or external Tomcat? If the latter, this might help: https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-systemd-to-start-tomcat.html But I'm not sure how helpful that is for the embedded option. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION

Re: [cas-user] Re: Dumb question

2017-11-14 Thread David Curry
I agree that in the particular case of IP addresses, it probably doesn't matter, because the '.' is going to match either a '.' or a single character of any value but that will almost always be a '.' anyway, since IP addresses have a more or less fixed format. I guess my question is a bit more

[cas-user] Re: Help! Weird JSON service registry crash

2017-11-01 Thread David Curry
e happy to help test if someone else is able to do them... --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu On Tue, Oct 31, 2017 at

Re: [cas-user] CAS5 how large for tomcat maxHttpHeaderSize

2017-11-01 Thread David Curry
Tomcat's default value for maxPostSize is 2097152, so that's "normal." ( https://tomcat.apache.org/tomcat-8.5-doc/config/http.html) Tomcat's default value for maxHttpHeaderSize is 8192 (see same link, above), but the CAS documentation for configuring the server as a SAML2 IdP recommends setting

Re: [cas-user] phpCAS and returning SAML attributes

2017-11-08 Thread David Curry
> eventual goal of authentication with SSO Banner. The project installation > guide > <https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_authentication_overview.html> > kindly provided by David Curry has been a great help as I am new to CAS. > Many thank

Re: [cas-user] Custom License Validator Implementation

2017-12-04 Thread David Curry
I'm not completely sure I understand what you want to do, but could you use the Acceptable Use Policy piece of the workflow, and just replace the text of the AUP (which you have to put into it anyway) with whatever license you need?

Re: [cas-user] Unknown encryption/secret key WARN message at startup

2017-12-04 Thread David Curry
Those are probably referring to missing signing/encryption keys for Spring Webflow encryption, since you say you have the tgc properties configured. (Although you should also check the properties you have set for tgc encryption; all the signing/encryption key properties were "rationalized" in one

Re: [cas-user] Service Registry

2017-12-06 Thread David Curry
a full database > recovery. > > Thanks, > -Jeff > > On Wed, Dec 6, 2017 at 7:49 AM, David Curry <david.cu...@newschool.edu> > wrote: > >> Looks like you're right; it was added in 5.2RC1: >> >> https://apereo.github.io/2017/06/30/520rc1-release/#016-regi &

Re: [cas-user] Service Registry

2017-12-06 Thread David Curry
n Mon, Dec 4, 2017 at 4:01 PM, Jeffrey Ramsay <jeffrey.ram...@gmail.com> > wrote: > >> Well, I had that turned on but didn't notice that option so, I'll >> redeploy. >> >> Thank you, >> -Jeff >> >> On Mon, Dec 4, 2017 at 2:51 PM, David Curry <d

[cas-user] Help! Weird JSON service registry crash

2017-10-31 Thread David Curry
CAS 5.2.0-SNAPSHOT built this morning with the Maven WAR overlay. Okay, so I have my JSON service registry set up to load JSON files from /etc/cas/services/. This has been working just fine for weeks. One of the files I have in there is called "HTTPSandIMAPSwildcard-20170828090137.json", which

Re: [cas-user] how to access admin or management page?

2017-12-20 Thread David Curry
ices.RegexRegisteredService", > > "serviceId" : "^https://cas.beloit.edu:8443/ > cas/status/dashboard(\\z|/.*)", > > "name" : "CAS Admin Dashboard", > > "id" : 123456789, > > "description" : "CAS dashboar

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
Just to make sure your terminology is right: - The Service Provider is the service that you, as a user, want to use. For example, here at The New School we have Adobe Creative Cloud, Tableau, Workday, Zoom, etc. as SPs. - The Identity Provider (IdP) is the system that the user

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
Does the vendor require you to configure your IdP (CAS server) to obtain the metadata from them dynamically? Or could you: 1. Use curl to grab a copy of their metadata from https://vendor.com/metadata 2. Edit the metadata yourself and get rid of the "validUntil" attribute 3. Put the

Re: [cas-user] cas.properties file

2018-05-14 Thread David Curry
Either one; they are interchangeable. Personally I like colons better, but I'm pretty sure I'm in the minority on that. The official spec is documented in the java.util.Properties documentation , but I find this description

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Do you have the dashboard endpoints enabled? Can you go to the "services" endpoint, which dumps the service registry, and see if there's something else in there? Alternatively, I think if you turn on debug mode logging, it will tell you what services are loaded. I'm thinking you might be getting

Re: [cas-user] Favicon.ico file location (when building CAS 5.2.x with Maven)

2018-05-09 Thread David Curry
Unless told otherwise by a tag, browsers expect favicon.ico to be at the document root ("/"). That's WEB-INF/classes/static, so I believe you should put it in src/main/resources/static/favicon.ico. I think. I ended up doing a custom template as well as a custom theme, so I just used a tag in

Re: [cas-user] Deployment Question from the Excellent Docs at: 'dacurry-tns.github.io'

2018-05-09 Thread David Curry
s > than coherent. > > > On Wednesday, May 9, 2018 at 5:59:59 PM UTC-7, David Curry wrote: >> >> In my configuration (which is essentially what this guide is describing), >> I use an external Tomcat, not the embedded one. So, my setup follows the >> Tomcat hardening

Re: [cas-user] Deployment Question from the Excellent Docs at: 'dacurry-tns.github.io'

2018-05-09 Thread David Curry
In my configuration (which is essentially what this guide is describing), I use an external Tomcat, not the embedded one. So, my setup follows the Tomcat hardening guidelines, which recommend deploying exploded directories rather than WAR files. See the section on installing Tomcat (under Setting

Re: [cas-user] error in catalina.out Address already in use

2018-05-10 Thread David Curry
I _think_ that's caused by a missing or too-low-version library -- either the Tomcat Native Library, or the Apache Portable Runtime, or OpenSSL would be my guess. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY

Re: [cas-user] SAML Public Key for Metadata

2018-05-10 Thread David Curry
Assuming you mean for CAS to be your IdP... When you start CAS for the first time with the SAML IdP enabled, it will generate keys and store them in /etc/cas/saml for you. You need to copy them from there back to a safe location so that they get re-deployed whenever you update the server. See,

Re: [cas-user] SAML Public Key for Metadata

2018-05-10 Thread David Curry
Sorry, I don't. We don't use ADFS, so have no need for it. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu Sent from my phone; please excuse typos and

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
Did you add the LDAP dependency to pom.xml and rebuild the WAR? David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu Sent from my phone; please excuse typos

Re: [cas-user] cas.authn.ldap[0].poolPassivator=NONE|CLOSE|BIND

2018-05-12 Thread David Curry
See this link. https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#passivators David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~ david.cu...@newschool.edu

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
gt; somehow be skipping LDAP altogether. > > > < org.apereo.cas > < cas-server-support-ldap > < ${cas.version} > < > > On Saturday, May 12, 2018 at 4:30:06 PM UTC-7, David Curry wrote: >>

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
12, 2018, 22:19 Lionel Samuel <lionel.samue...@gmail.com> wrote: > Thanks David! > > Your guidance helped tremendously --- I had inadvertently commented out > the ' cas.authn.ldap[0].type' line. > > have a great weekend. > > On Saturday, May 12, 2018 at 5:03:

Re: [cas-user] CAS5 LDAP

2018-05-12 Thread David Curry
MultiplePrincipalAttributeValues=true > > > > # Bind credentials used to connect to the LDAP instance > # > cas.authn.ldap[0].bindDn=uid=foo,ou=edu > cas.authn.ldap[0].bindCredential=snip > > cas.authn.accept.users: > > > On Saturday, May 12, 2018 at 4:43:24

Re: [cas-user] 5.2.X Service Registry

2018-05-13 Thread David Curry
There are a whole bunch of options, from JSON/YAML to JPA (multiple databases) to REST-ful web interfaces. Go to the CAS documentation ( https://apereo.github.io/cas/5.2.x/index.html) and then on the right-hand side menu, click on "Services" and then "Storage" to see the whole list. We have been

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
For the service definition, you should only have one, which is a SamlRegisteredService. You do not need (or want) a RegexRegisteredService for a SAML service. And as Matthew said, you should also set cas.authn.samlIdp.entityId: ${cas.server.prefix}/idp cas.authn.samlIdp.scope:

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
No, it's the "adminpages" stuff: https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html It's enabled solely in the CAS server; you don't need the management webapp. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Just a thought, do you still have the "HTTP|IMAP" wildcard service in there? And does it have a lower evaluation order than your service-specific entry? --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Well, I used the one file per service model with them all in the /etc/cas/services directory. But I believe you can keep them all in one big JSON file if you want. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York,

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
This may be your problem, then? validUntil="2018-05-03T20:29:06Z --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu On Tue, May 8, 2018

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
I do not see it in the metadata from any of the SPs we have in production here, so my guess would be probably not. But that's just a guess; I don't pretend to be an authority on SAML. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE.,

Re: [cas-user] can't run mvnw clean package - TrustAnchors parameter must be non-empty

2018-05-04 Thread David Curry
Are you running Oracle Java, or OpenJDK? I assume Oracle, because "/usr/java" is not a path used by OpenJDK. If you're running Oracle, did you run the "alternatives" command to set up all the links to point at the right things? (I've never installed the Oracle Java, so I'm not sure this is a

Re: [cas-user] can't run mvnw clean package - TrustAnchors parameter must be non-empty

2018-05-04 Thread David Curry
...@newschool.edu On Fri, May 4, 2018 at 10:43 AM, David Curry <david.cu...@newschool.edu> wrote: > Are you running Oracle Java, or OpenJDK? I assume Oracle, because > "/usr/java" is not a path used by OpenJDK. > > If you're running Oracle, d

Re: [cas-user] Authentication issues - CAS cannot find authentication handler that supports [UsernamePasswordCredential].

2018-05-15 Thread David Curry
If you're using ldap.type=AD, you should not be using a bind credential. If you want to use a bind credential, you should use ldap.type=AUTHENTICATED. See https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1 for more info on ldap.type. --Dave

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread David Curry
I'm not sure I understand the question. If you mean could you copy the example I provided directly into a jdbc/jpa service registry, then I have to say I don't know, because I don't know how the information is stored in the database. The first example I gave (the Apache one) is a json file from a

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread David Curry
Here's a JSON definition for an Apache HTTPD with the Shibboleth mod_shib/shibd plug-in: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth", "name" : "Apache Secured By SAML", "id" : 1509030300,

Re: [cas-user] Service Registry -- Getting the 1st Application Entered

2018-05-15 Thread David Curry
Lionel and Jann, Did you ever have the JSON service registry working? If not, I recommend that you take all the JPA stuff out of pom.xml and cas.properties and get that working correctly first, so that you're only trying to debug one thing at a time. Once you have the JSON service registry

Re: [cas-user] Re: Error - Service Registry json

2018-05-16 Thread David Curry
Yes, but the rest of the name has to match the service name, as well. Again, JSON fileName = serviceName + "-" + serviceNumericId + ".json" so based on your first post in this thread, you should have two files: The first file, called HTTPSIMAPSwildcard-20170905111650.json, contains {

Re: [cas-user] New Error -- I broke it LOL

2018-05-15 Thread David Curry
vax.naming.AuthenticationException: [LDAP: error code 49 - > 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, > data 52e, v2580], controls=null]]> > 2018-05-15 13:27:45,877 ERROR [org.apereo.cas.authentication. > PolicyBasedAuthenticationManager] - Credentials ma

Re: [cas-user] Error - Service Registry json

2018-05-15 Thread David Curry
If you're using the JSON service registry, services are supposed to be defined one service per file, with all the files stored in a directory. And there is a naming convention for the files: JSON fileName = serviceName + "-" + serviceNumericId + ".json" See

Re: [cas-user] New Error -- I broke it LOL

2018-05-15 Thread David Curry
Looks like the CAS webapp isn't starting. catalina.out should tell you what happened? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu On Tue,

Re: [cas-user] cas admin pages from every IP?

2018-05-15 Thread David Curry
You need to set cas.adminPagesSecurity.ip to a regular expression that matches the IPs you want to let in. To allow all of 10.28.51 in, you'd have something like this: cas.adminPagesSecurity.ip: ^10\\.28\\.51\\.[0-9]{1,3}$ I have something like this: cas.adminPagesSecurity.ip:

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Someone smarter than me may need to weigh in on this... but I'll try. As I understand it, SAML SPs will accept two forms of attribute names. One form is that "urn" notation that Shibboleth seems to like: The other form is the "friendly name," which is basically just a string, like "cn"

Re: [cas-user] Failed to get nested archive for entry /WEB-INF/lib/getopt-1.0.13.jar

2018-05-21 Thread David Curry
CAS 5 requires Tomcat 8 or better. That may not be the cause (or only cause) of your problem, but I would start there. David A. Curry, CISSP Director of Information Security The New School - Information Technology 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 +1 212 229-5300 x4728 ~

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Can you attach the relevant section of cas.properties (the part where you define which attributes you're going to resolve) and the service definition for the SAML SP? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Could be, but as I don't use the jdbc stuff, I can't help you with that. The {0} gets replaced with some dynamic value generated by the Java code. My guess would be it's some condition like column=value, but that's pretty much a guess. I would suggest if you haven't yet to see the CAS log level to

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Based on the SELECT, I think these definitions are flipped:
cas.authn.attributeRepository.jdbc[0].attributes.uid=id
cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name
cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email

Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
I'm pretty sure that if you enable debug-level logging on org.apereo.services.persondir in */etc/cas/config/log4j2.xml*, you'll see the SQL query in *cas.log*. You can do that most easily by changing this line near the top of the file: warn to: debug You shouldn't even need to restart the

Re: [cas-user] CAS Login Page Cutomization

2018-05-23 Thread David Curry
These two threads are somewhat helpful: https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/themes/cas-user/k-yfoou7Zy0/BXry1PxgFAAJ https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/template/cas-user/3eaKVAMhFYE/uuj7eEpCAwAJ Assuming you're making new templates, most

Re: [cas-user] Re: (Ask) CAS 5.2 Basic Installation Step by Step

2018-05-22 Thread David Curry
Check the Tomcat log file (catalina.out) for errors. You should see it starting up the CAS service, etc. Also check the CAS log file.

Re: [cas-user] SLO and SSO using Mod_auth_cas

2018-05-24 Thread David Curry
On Thu, May 24, 2018 at 9:45 AM Ramakrishna G <r...@tts.in> wrote: > Hey David, > > Firstly thanks for your response and clarifying a few things. My query to > you now is > > Does logoutUrl property support SLO? If so, which all cookie should I be > deleting?

Re: [cas-user] SLO and SSO using Mod_auth_cas

2018-05-24 Thread David Curry
What do you mean when you say you are "using mod_auth_cas for reverse proxy to my cas server"? Mod_auth_cas is not a (reverse) proxy. It's simply a way to control access to content on an Apache web server using CAS authentication. Think of it as an alternative to HTTP Basic Authentication. It

Re: [cas-user] Re: CAS5.3.x - Health & Version monitor Page

2018-05-24 Thread David Curry
https://apereo.github.io/cas/development/installation/Monitoring-Statistics.html You do not need the CAS Management Overlay to enable the above; it's accomplished with just some settings in cas.properties and creating the user file and a service registry entry. If you'd like step-by-step

Re: [cas-user] How to route new page

2018-05-24 Thread David Curry
How strongly do you feel about having "https://server/cas/timeout" as opposed to "https://server/cas/timeout.html"? If you're fine with the latter, you should just be able to drop "timeout.html" into the same place where all the other casWhateverView.html pages are and redirect to

Re: [cas-user] How to route new page

2018-05-24 Thread David Curry
y to redirect, I'm upgrading an old version of > cas so I may be using an outdated method. I do window.location = > myRedirect; in a script in the loginform.html fragment. Where myRedirect is > "/cas/timedOut.html". It just goes to https://server/cas/timedOut.html. > > Thank you fo

Re: [cas-user] Re: cas-management question

2018-05-17 Thread David Curry
Haven't seen that one, that I can recall. Is that a CAS error (shows in a CAS-branded web page) or a Tomcat error? Do the logs (cas.log and/or catalina.out) say anything helpful?

Re: [cas-user] log in error question

2018-05-18 Thread David Curry
There is. You can enable LDAP Password Policy Enforcement (LPPE): https://apereo.github.io/cas/development/installation/Password-Policy-Enforcement.html This is separate from Password Management (further down the page). All I had to do was add cas.authn.ldap[0].passwordPolicy.enabled: true

Re: [cas-user] Re: cas-management question

2018-05-17 Thread David Curry
You have "server.name" instead of "cas.server.name" (oops)

Re: [cas-user] cas-management question

2018-05-17 Thread David Curry
etc/cas/config/management.properties --Dave

Re: [cas-user] cas-management question

2018-05-17 Thread David Curry
Not sure if you copy-n-pasted this: https://cashost/cas/login?service=https%3A%2F%2Fcashost%3A8443%2Fcas-management%2Fmanage.html or typed it by hand, but I see both "cashost" and "cashost:8443". Normally they'd both be the same (since Tomcat is usually only listening on the one port). --Dave
