Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-12-13 Thread Mac Reid
Hi,

The option `CASAuthNHeader On` must be configured in an .htaccess or a
directory/location directive. That will add headers that look like:

CAS_uid => mac
CAS_mail => mar...@mtu.edu

- Mac

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALX_e4kidvMdgtBYgejHvJkx%2BFOzS5KT3BWQt3o%2BCX1bqmfLzw%40mail.gmail.com.


Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-12-13 Thread Francois Campbell
Posting to an old thread, but I too struggled to get attributes visible in 
php

After making the following changes mine came through
If you have specified the CAS version in /etc/httpd/conf.d/cas.conf, 
comment it out.
# CASVersion 2

CASValidateUrl https:///cas/samlValidate
CASValidateSAML   On

In CAS itself ensure that the following are also present for each LDAP 
config, in etc/cas/config/cas.properties
cas.authn.attributeRepository.merger:   ADD
cas.authn.ldap[0].principalAttributeList=cn,sn,mail

For me the attributeRepository.ldap attributes did not display on the 
client side.
e.g cas.authn.attributeRepository.ldap[0].attributes.

On Friday, 16 February 2018 02:13:37 UTC+2, dhawes wrote:
>
> On Thu, Feb 15, 2018 at 2:51 PM, Mukunthini Jeyakumar 
> > wrote: 
> > Thanks dhawes. 
> > 
> > I'm using the php code to print the values returned in the header 
> > <?php
> > foreach (getallheaders() as $name => $value) { 
> >     echo "$name: $value\n"; 
> > } 
> > ?> 
> > 
> > I've no issues if I use serviceValidate, but I'm only getting the 
> username, 
> > I do not see the rest of the attributes released 
> > 
> > CASValidateURL https://:8443/cas/serviceValidate 
> > CASValidateSAML   Off 
>
> Do you see the attributes in the validation response? You can see this 
> in the debug logs. 
>
> Note that only the code in master supports CASv2 attributes. If you 
> see the attributes in the validation response, try mod_auth_cas 
> master. 
>
> > if I use SAML then I get error 
> > 
> > CASValidateURL https://:8443/cas/samlValidate 
> > CASValidateSAML   On 
> > 
> > 
> > I already built CAS with SAML 1.1 by adding  cas-server-support-saml, 
>
> This sounds like a CAS server issue. Have you verified /samlValidate 
> is working? What does the validation response look like? 
>



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-15 Thread David Hawes
On Thu, Feb 15, 2018 at 2:51 PM, Mukunthini Jeyakumar
 wrote:
> Thanks dhawes.
>
> I'm using the php code to print the values returned in the header
> <?php
> foreach (getallheaders() as $name => $value) {
>     echo "$name: $value\n";
> }
> ?>
>
> I've no issues if I use serviceValidate, but I'm only getting the username,
> I do not see the rest of the attributes released
>
> CASValidateURL https://:8443/cas/serviceValidate
> CASValidateSAML   Off

Do you see the attributes in the validation response? You can see this
in the debug logs.

Note that only the code in master supports CASv2 attributes. If you
see the attributes in the validation response, try mod_auth_cas
master.

> if I use SAML then I get error
>
> CASValidateURL https://:8443/cas/samlValidate
> CASValidateSAML   On
>
>
> I already built CAS with SAML 1.1 by adding  cas-server-support-saml,

This sounds like a CAS server issue. Have you verified /samlValidate
is working? What does the validation response look like?



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-15 Thread Mukunthini Jeyakumar
Thanks dhawes.

I'm using the php code to print the values returned in the header
<?php
foreach (getallheaders() as $name => $value) {
    echo "$name: $value\n";
}
?>

I've no issues if I use serviceValidate, but I'm only getting the username, 
I do not see the rest of the attributes released 

CASValidateURL https://:8443/cas/serviceValidate 
CASValidateSAML   Off


if I use SAML then I get error

CASValidateURL https://:8443/cas/samlValidate 
CASValidateSAML   On 


I already built CAS with SAML 1.1 by adding  cas-server-support-saml, 

Thanks
Thini



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
On Fri, Feb 9, 2018 at 4:00 PM, Mukunthini Jeyakumar
 wrote:
> Hi
>
> I'm seeing the same error even If I use /serviceValidate endpoint. As soon
> as I turn on CASValidateSAML, I'm getting the error
>
> Here is my mod_auth_cas. (I've used David Curry's Guide )
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
>
> 
>
> AuthType CAS
> CASAuthNHeader  On
> 
> Require valid-user
> 
>
> 
> 
> AuthType CAS
> CASAuthNHeader  On
> 
> Require valid-user
> 
>
> 
>CASCertificatePath /etc/pki/tls/certs/
> CASCookiePath /var/lib/cas/
> CASValidateURL https://:8443/cas/serviceValidate
> #CASValidateURL https://:8443/cas/samlValidate
> CASLoginURL https://:8443/cas/login
> CASSSOEnabled On
> CASDebug  On
> CASValidateSAML   On
> LogLevel debug
> 

Use:

CASValidateURL https://:8443/cas/serviceValidate
CASValidateSAML   Off

or:

CASValidateURL https://:8443/cas/samlValidate
CASValidateSAML   On

What you have posted here will not work.

> 2018-02-09 15:55:50,016 WARN [org.springframework.web.servlet.PageNotFound]
> - 

SAML validation requires POST. Make sure you aren't mixing up your
directives (see above) and ensure that you can POST to
https://:8443/cas/samlValidate.
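
The pairing rule in the reply above, as an offline check over a mod_auth_cas directive set. This is an added example, not code from mod_auth_cas or from anyone in this thread; the function names, finding codes and the cas.example.org host are assumptions, and the CASVersion finding reflects one poster's report elsewhere in the thread rather than documented behaviour.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the directives posted in this thread; the host
# is elided there, so cas.example.org is a placeholder.
MISMATCHED = """\
AuthType CAS
CASAuthNHeader On
Require valid-user
CASCookiePath /var/lib/cas/
CASValidateURL https://cas.example.org:8443/cas/serviceValidate
#CASValidateURL https://cas.example.org:8443/cas/samlValidate
CASLoginURL https://cas.example.org:8443/cas/login
CASDebug On
CASValidateSAML On
"""

# Constructed sample: SAML validation paired correctly, but with a CASVersion
# line left in and no CASAuthNHeader.
SAML_NO_HEADER = """\
CASVersion 2
CASValidateUrl https://cas.example.org/cas/samlValidate
CASValidateSAML On
"""

MESSAGES = {
    "validate-url-missing": "no CASValidateURL directive found",
    "saml-on-wrong-endpoint":
        "CASValidateSAML is On but CASValidateURL does not end in /samlValidate",
    "saml-off-saml-endpoint":
        "CASValidateURL points at /samlValidate but CASValidateSAML is not On",
    "authn-header-missing":
        "CASAuthNHeader is not set, so no CAS_ attribute headers reach the app",
    "casversion-with-saml":
        "CASVersion is set together with SAML validation "
        "(one poster had to comment it out)",
}


def parse_directives(text):
    """Map lower-cased directive name -> last value seen.

    Comment lines, blank lines and <Section> tags are skipped. Directive names
    are case-insensitive in Apache (the thread uses both CASValidateUrl and
    CASValidateURL). Per-directory scoping is ignored: a simplification.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def lint(text):
    """Return the list of finding codes for one directive set."""
    d = parse_directives(text)
    findings = []

    url = d.get("casvalidateurl", "")
    # CASValidateSAML defaults to Off when absent.
    saml_on = d.get("casvalidatesaml", "off").lower() == "on"
    endpoint = urlsplit(url).path.rstrip("/").lower()
    url_is_saml = endpoint.endswith("/samlvalidate")

    if not url:
        findings.append("validate-url-missing")
    elif saml_on and not url_is_saml:
        findings.append("saml-on-wrong-endpoint")
    elif url_is_saml and not saml_on:
        findings.append("saml-off-saml-endpoint")

    if "casauthnheader" not in d:
        findings.append("authn-header-missing")
    if saml_on and "casversion" in d:
        findings.append("casversion-with-saml")
    return findings


def report(text):
    """Human-readable lines, one per finding."""
    return [f"{code}: {MESSAGES[code]}" for code in lint(text)]


if __name__ == "__main__":
    for name, sample in (("MISMATCHED", MISMATCHED),
                         ("SAML_NO_HEADER", SAML_NO_HEADER)):
        print(name)
        for line in report(sample) or ["ok"]:
            print("  " + line)
```
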



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread Mukunthini Jeyakumar
Hi

I'm seeing the same error even If I use /serviceValidate endpoint. As soon 
as I turn on CASValidateSAML, I'm getting the error

Here is my mod_auth_cas. (I've used David Curry's Guide )

LoadModule auth_cas_module modules/mod_auth_cas.so


   
AuthType CAS
CASAuthNHeader  On

Require valid-user




AuthType CAS
CASAuthNHeader  On

Require valid-user



   CASCertificatePath /etc/pki/tls/certs/
CASCookiePath /var/lib/cas/
CASValidateURL https://:8443/cas/serviceValidate
#CASValidateURL https://:8443/cas/samlValidate
CASLoginURL https://:8443/cas/login
CASSSOEnabled On
CASDebug  On
CASValidateSAML   On
LogLevel debug


From the CAS Server, I do see the SERVICE_TICKET_CREATED but I don't see 
the Service Validation
But I'm seeing the following warning.

2018-02-09 15:55:50,016 WARN [org.springframework.web.servlet.PageNotFound] 
- 

I'm using CAS 5.2.2 and mod_auth_cas from github 
(https://github.com/apereo/mod_auth_cas)

And I've added support for SAML when I build the CAS

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-saml</artifactId>
    <version>${cas.version}</version>
</dependency>


Thanks
Thini



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
Are you sure your server supports /samlValidate? Are you able to use
/serviceValidate?

Post your full mod_auth_cas config here.

The 406 you see is from the CAS server. Do you have any logs on the
CAS server that indicate why the request failed?

On Fri, Feb 9, 2018 at 2:09 PM, Mukunthini Jeyakumar
 wrote:
> Hi dhawes,
>
> With the debug on,
>
>
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(2076): [client
> 129.100.6.30] Entering cas_authenticate(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(654): [client
> 129.100.6.30] Modified r->args (now ''), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1779): [client
> 129.100.6.30] entering getResponseFromServer(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(584): [client
> 129.100.6.30] CAS Service
> 'https%3a%2f%2f%2freturn-mapped%2findex.php', referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1856): [client
> 129.100.6.30] Validation response:  lang="en">HTTP Status 406 \xe2\x80\x93 Not
> Acceptableh1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
> Status 406 \xe2\x80\x93 Not AcceptableType
> Status ReportDescription The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation. />Apache Tomcat/8.5.23, referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1440): [client
> 129.100.6.30] entering isValidCASTicket(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1446): [client
> 129.100.6.30] MOD_AUTH_CAS: response =  lang="en">HTTP Status 406 \xe2\x80\x93 Not
> Acceptableh1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
> Status 406 \xe2\x80\x93 Not AcceptableType
> Status ReportDescription The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation. />Apache Tomcat/8.5.23, referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [error] [client 129.100.6.30] MOD_AUTH_CAS: error
> parsing CASv2 response: XML parser error code: syntax error (2), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
>
>
> MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code:
> syntax error (2), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
>
> Thanks
> Thini
>

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread Mukunthini Jeyakumar
Hi dhawes,

With the debug on,


[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(2076): [client 
129.100.6.30] Entering cas_authenticate(), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(654): [client 
129.100.6.30] Modified r->args (now ''), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1779): [client 
129.100.6.30] entering getResponseFromServer(), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(584): [client 
129.100.6.30] CAS Service 
'https%3a%2f%2f%2freturn-mapped%2findex.php', referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1856): [client 
129.100.6.30] Validation response: HTTP Status 406 \xe2\x80\x93 Not 
Acceptableh1 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
 
h2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
 
h3 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
 
body 
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} 
p 
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
 
a {color:black;} a.name {color:black;} .line 
{height:1px;background-color:#525D76;border:none;}HTTP 
Status 406 \xe2\x80\x93 Not AcceptableType Status ReportDescription The target resource 
does not have a current representation that would be acceptable to the user 
agent, according to the proactive negotiation header fields received in the 
request, and the server is unwilling to supply a default 
representation.Apache 
Tomcat/8.5.23, referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1440): [client 
129.100.6.30] entering isValidCASTicket(), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1446): [client 
129.100.6.30] MOD_AUTH_CAS: response = HTTP Status 406 \xe2\x80\x93 Not 
Acceptableh1 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
 
h2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
 
h3 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
 
body 
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} 
p 
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
 
a {color:black;} a.name {color:black;} .line 
{height:1px;background-color:#525D76;border:none;}HTTP 
Status 406 \xe2\x80\x93 Not AcceptableType Status ReportDescription The target resource 
does not have a current representation that would be acceptable to the user 
agent, according to the proactive negotiation header fields received in the 
request, and the server is unwilling to supply a default 
representation.Apache 
Tomcat/8.5.23, referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [error] [client 129.100.6.30] MOD_AUTH_CAS: 
error parsing CASv2 response: XML parser error code: syntax error (2), 
referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php


 MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code: 
syntax error (2), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
 


Thanks
Thini



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
Set:

LogLevel debug
CASDebug On

and check your error logs. You should have information as to why you
get this error.

On Thu, Feb 8, 2018 at 1:13 PM, Mukunthini Jeyakumar
 wrote:
> Hi David,
>
> I'm using mod_auth_cas configured to use the "samlValidate" endpoint. When I
> turn on CASValidateSAML and configure saml endpoint I'm getting the
> following error
>
> Authorization Required
>
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required.
>
>
> But I was able to get the principal user id without SAML endpoint
>
> I'm using CAS 5.2.2
>
>
> Thanks
>
> Thini
>
>


Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-08 Thread Mukunthini Jeyakumar
Hi David,

I'm using mod_auth_cas configured to use the "samlValidate" endpoint. When 
I turn on CASValidateSAML and configure saml endpoint I'm getting the 
following error

Authorization Required

This server could not verify that you are authorized to access the document 
requested. Either you supplied the wrong credentials (e.g., bad password), 
or your browser doesn't understand how to supply the credentials required.


But I was able to get the principal user id without SAML endpoint

I'm using CAS 5.2.2


Thanks

Thini




Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2017-07-19 Thread David Hawes
On 19 July 2017 at 15:11, David Curry  wrote:
>
> You need to have mod_auth_cas configured to use the "samlValidate" endpoint 
> on the CAS server, and also have the "CASAuthNHeader" setting turned on in 
> /etc/httpd/conf.d/cas.conf (or wherever your config file is). Like this:
>
> 
> 
> AuthType        CAS
> CASAuthNHeader  On
> 
>
> Require valid-user
> 
>
> 
> CASLoginUrl https://cas.example.com/cas/login
> CASValidateUrl  https://cas.example.com/cas/samlValidate
> CASCookiePath   /var/cache/httpd/mod_auth_cas/
> CASValidateSAML On
> CASSSOEnabled   On
> CASDebug        Off
> 
>
>
> This will give you a bunch of headers whose names begin with "CAS_". If you 
> want a different prefix instead of "CAS_", you can set it with the 
> "CASAttributePrefix" option.
>
> Anyway, then in your PHP script, you can have something like this:
>
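> <?php
> echo "<pre>";
>
> // REMOTE_USER is set by Apache once mod_auth_cas has authenticated the request
> if (array_key_exists('REMOTE_USER', $_SERVER)) {
>     echo "REMOTE_USER = " . $_SERVER['REMOTE_USER'] . "\n";
> }
>
> // Released attributes arrive as request headers prefixed with "CAS_"
> $headers = getallheaders();
> foreach ($headers as $key => $value) {
>     if (strpos($key, 'CAS_') === 0) {
>         echo substr($key, 4) . " = " . $value . "\n";
>     }
> }
>
> echo "</pre>";
> ?>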
>
> to print them all out. Note that you will get more than just the attributes 
> you released; you'll also get some other information from the CAS server. For 
> example, on my current devel setup, which authenticates against Active 
> Directory first and LDAP second, and merges attributes from both, I get:
>
> REMOTE_USER = curryd
> AuthenticationMethod = Active Directory
> displayName = David Curry
> successfulAuthenticationHandlers = Active Directory
> cn = x
> EmailAddress = david.cu...@newschool.edu
> Role = staff
> samlAuthenticationStatementAuthMethod = 
> urn:oasis:names:tc:SAML:1.0:am:password
> uid = curryd
> UDC_IDENTIFIER = xxx
> Active-Directory.curryd = cn=curryd,ou=TNSUsers,dc=tns,dc=newschool,dc=edu
> sn = Curry
> Formatted-Name = David

Just wanted to +1 Dave's reply. Good stuff.

I also wanted to note that CASv2 attributes from /serviceValidate are
now supported in git master, if you need to go that route.

https://github.com/apereo/mod_auth_cas/pull/110



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2017-07-19 Thread David Curry
You need to have mod_auth_cas configured to use the "samlValidate" endpoint
on the CAS server, and also have the "CASAuthNHeader" setting turned on in
/etc/httpd/conf.d/cas.conf (or wherever your config file is). Like this:



AuthType        CAS
CASAuthNHeader  On


Require valid-user



CASLoginUrl https://cas.example.com/cas/login
CASValidateUrl  https://cas.example.com/cas/samlValidate
CASCookiePath   /var/cache/httpd/mod_auth_cas/
CASValidateSAML On
CASSSOEnabled   On
CASDebug        Off



This will give you a bunch of headers whose names begin with "CAS_". If you
want a different prefix instead of "CAS_", you can set it with the
"CASAttributePrefix" option.

Anyway, then in your PHP script, you can have something like this:

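<?php
echo "<pre>";

// REMOTE_USER is set by Apache once mod_auth_cas has authenticated the request
if (array_key_exists('REMOTE_USER', $_SERVER)) {
    echo "REMOTE_USER = " . $_SERVER['REMOTE_USER'] . "\n";
}

// Released attributes arrive as request headers prefixed with "CAS_"
$headers = getallheaders();
foreach ($headers as $key => $value) {
    if (strpos($key, 'CAS_') === 0) {
        echo substr($key, 4) . " = " . $value . "\n";
    }
}

echo "</pre>";
?>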

to print them all out. Note that you will get more than just the attributes
you released; you'll also get some other information from the CAS server.
For example, on my current devel setup, which authenticates against Active
Directory first and LDAP second, and merges attributes from both, I get:

REMOTE_USER = curryd
AuthenticationMethod = Active Directory
displayName = David Curry
successfulAuthenticationHandlers = Active Directory
cn = x
EmailAddress = david.cu...@newschool.edu
Role = staff
samlAuthenticationStatementAuthMethod =
urn:oasis:names:tc:SAML:1.0:am:password
uid = curryd
UDC_IDENTIFIER = xxx
Active-Directory.curryd = cn=curryd,ou=TNSUsers,dc=tns,dc=newschool,dc=edu
sn = Curry
Formatted-Name = David


Hope this helps,
--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, Jul 19, 2017 at 1:19 PM, Kapetanakis Giannis <
bil...@edu.physics.uoc.gr> wrote:

> On 19/07/17 18:27, Fabio Martelli wrote:
>
>> Hi All, I would like to retrieve user principal attributes from a php
>> application.
>>
>> I successfully configured mod_auth_cas but at the moment I'm just able to
>> retrieve the principal name in HTTP Header.
>>
>> Can you share a piece of code that can help me with my php application?
>>
>> Thank you in advance.
>>
>> BR,
>>
>> F.
>>
>>
> Maybe you can get it from $_SERVER['REMOTE_USER']
>
> alternative options:
>
> a) do the authentication in PHP with phpCAS and not in apache
> b) check if user is authenticated in php (again with phpCAS) and get what
> ever attribute you need (including attributed returned by CAS)
>
> G
> ps.
> https://github.com/apereo/phpCAS/blob/master/docs/examples/
> example_hardening.php
> https://wiki.jasig.org/display/casc/phpcas+examples
>



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2017-07-19 Thread Kapetanakis Giannis

On 19/07/17 18:27, Fabio Martelli wrote:
Hi All, I would like to retrieve user principal attributes from a php 
application.


I successfully configured mod_auth_cas but at the moment I'm just able 
to retrieve the principal name in HTTP Header.


Can you share a piece of code that can help me with my php application?

Thank you in advance.

BR,

F.



Maybe you can get it from $_SERVER['REMOTE_USER']

alternative options:

a) do the authentication in PHP with phpCAS and not in apache
b) check if user is authenticated in php (again with phpCAS) and get 
what ever attribute you need (including attributed returned by CAS)


G
ps.
https://github.com/apereo/phpCAS/blob/master/docs/examples/example_hardening.php
https://wiki.jasig.org/display/casc/phpcas+examples
