[cas-user] OIDC? Vendor

2021-02-08 Thread Bryan Wooten
Ok we have a vendor Modolabs doing a mobile app connected to CAS with OIDC
config (JSON service registry)

Anyone have experience? Things ain't going well. (Modo claims CAS is
sending multiple 302 redirects for Service Ticket validation).

-Bryan

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAG9x2GVJzeexQ_GsER0FFGBaHZRCSQ8%2BqJbGaD9A2v%3DPQLn%2BPA%40mail.gmail.com.


Re: [cas-user] JSON log file format

2020-08-26 Thread Bryan Wooten
Thanks for the tip. I should have been more clear. We are on 6.1.7 so I
think this is what we want:

https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#slf4j-audits

On Wed, Aug 26, 2020 at 10:16 AM Jason Everling 
wrote:

> We are using JSON format so that it's more Filebeat friendly, did you also
> configure in your cas.properties? We didn’t have to change anything in the
> log4j xml besides enabling the audit file, the properties are below which
> comes from
> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#slf4j-audits
>
>
>
> cas.audit.slf4j.auditFormat=JSON
>
> cas.audit.slf4j.singlelineSeparator=|
>
> cas.audit.slf4j.useSingleLine=true
>
> cas.audit.slf4j.enabled=true
>
>
>
> *From: *Bryan Wooten 
> *Sent: *Wednesday, August 26, 2020 10:50 AM
> *To: *cas-user@apereo.org
> *Subject: *[cas-user] JSON log file format
>
>
>
> I know this is more of a log4j question, but my google foo is not working.
>
>
>
> My log4j2.xml has this:
>
>
>
>  append="true"
>
>  filePattern="/etc/cas/logs/cas_audit-%d{-MM-dd-HH}-%i.log">
> 
> 
> 
> 
> 
> 
> 
>
>
>
> Does anyone have an example showing a JSON PatternLayout?
>
>
>
> -Bryan
>
>
>
> University of Utah
>


[cas-user] JSON log file format

2020-08-26 Thread Bryan Wooten
I know this is more of a log4j question, but my google foo is not working.

My log4j2.xml has this:










Does anyone have an example showing a JSON PatternLayout?

-Bryan

University of Utah



Re: [cas-user] cas-management 6.1.x incommon certificate

2020-08-21 Thread Bryan Wooten
First Ray, thanks to you and others that helped me with cas-management. I
hope I can return the favor.

I deployed my first JSON file created by cas-management today. Success
after some frustration. hehe.

I can't help with your issue, but why is an Incommon cert needed? Is your
CAS also a SAML IDP?

Cheers,

-Bryan

University of Utah

On Fri, Aug 21, 2020 at 2:11 PM Ray Bon  wrote:

> I am trying to run cas-management-overlay 6.1.7.
>
> It is complaining because I do not have an incommon certificate:
>
> 2020-08-20 16:06:24,685 ERROR [org.springframework.boot.SpringApplication]
> - 
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'samlController' defined in class path resource
> [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean
> instantiation via factory method failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to instantiate
> [org.apereo.cas.mgmt.SamlController]: Factory method 'samlController' threw
> exception; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'metadataAggregateResolver' defined in class path resource
> [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean
> instantiation via factory method failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to instantiate
> [org.apereo.cas.mgmt.MetadataAggregateResolver]: Factory method
> 'metadataAggregateResolver' threw exception; nested exception is
> java.lang.NullPointerException
>
> .
> .
> .
>
> Caused by: java.lang.NullPointerException
> at org.apereo.cas.mgmt.InCommonMetadataAggregateResolver.(InCommonMetadataAggregateResolver.java:54) ~[cas-mgmt-support-saml-6.1.7.jar:6.1.7]
> at org.apereo.cas.mgmt.config.CasManagementSamlConfiguration.metadataAggregateResolver(CasManagementSamlConfiguration.java:82) ~[cas-mgmt-config-saml-6.1.7.jar:6.1.7]
>
>
> Why does cas-management insist on an incommon certificate?
>
> How do I skip over this requirement?
>
> Thanks
>
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>


[cas-user] CAS 6.1.6 status endpoints.

2020-07-21 Thread Bryan Wooten
We can't get the status/discovery endpoint to work following this:

https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#cas-endpoints

We keep getting this error message:

Property: cas.monitor.endpoints.discovery.enabled
Value: true
Origin: "cas.monitor.endpoints.discovery.enabled" from property source "bootstrapProperties"
Reason: The elements [cas.monitor.endpoints.discovery.enabled,cas.monitor.endpoints.discovery.sensitive,cas.monitor.endpoints.status.enabled,cas.monitor.endpoints.status.sensitive] were left unbound.
Property: cas.monitor.endpoints.discovery.sensitive
Value: false
Origin: "cas.monitor.endpoints.discovery.sensitive" from property source "bootstrapProperties"
Reason: The elements [cas.monitor.endpoints.discovery.enabled,cas.monitor.endpoints.discovery.sensitive,cas.monitor.endpoints.status.enabled,cas.monitor.endpoints.status.sensitive] were left unbound.
Property: cas.monitor.endpoints.status.enabled
Value: true
Origin: "cas.monitor.endpoints.status.enabled" from property source "bootstrapProperties"
Reason: The elements [cas.monitor.endpoints.discovery.enabled,cas.monitor.endpoints.discovery.sensitive,cas.monitor.endpoints.status.enabled,cas.monitor.endpoints.status.sensitive] were left unbound.

Any suggestions?

-Bryan

University of Utah



[cas-user] CAS Management UI Question

2020-07-20 Thread Bryan Wooten
How do I add / remove allowed attributes to a service?

The json file (below) shows the attributes. Note this file was
imported from an earlier
cas system.

I can't find a way to make changes from the new UI.

I have the same issue trying to create a new service.

What am I missing?

-Bryan

University of Utah

{
  @class: org.apereo.cas.services.RegexRegisteredService
  serviceId: ^https://appserv01-test.idm.utah.edu/.*
  name: appserv01TestIdmUtahEdu
  id: 1014
  description: "Bryan Wooten "
  expirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
    deleteWhenExpired: false
    notifyWhenDeleted: false
  }
  proxyPolicy:
  {
    @class: org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy
    pattern: ^https?://.*
  }
  evaluationOrder: 0
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
    canonicalizationMode: NONE
    encryptUsername: false
  }
  logoutType: BACK_CHANNEL
  requiredHandlers:
  [
    java.util.HashSet
    []
  ]
  environments:
  [
    java.util.HashSet
    []
  ]
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      mergingStrategy: MULTIVALUED
      ignoreResolvedAttributes: false
    }
    consentPolicy:
    {
      @class: org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
      enabled: true
      order: 0
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
    excludeDefaultAttributes: false
    authorizedToReleaseAuthenticationAttributes: true
    order: 0
    allowedAttributes:
    [
      java.util.ArrayList
      [
        firstName
        lastName
        displayName
        email
        homephone
        department
        ou
        cn
        telephoneNumber
        acadplan
        almail
        eduPersonAffiliation
        uid
        eduPersonPrincipalName
        ummail
        unid
        uudept
        uustudent
      ]
    ]
  }
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.LinkedHashSet
      []
    ]
    failureMode: UNDEFINED
    bypassEnabled: false
  }
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    order: 0
    enabled: true
    ssoEnabled: true
    delegatedAuthenticationPolicy:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
      allowedProviders:
      [
        java.util.LinkedHashSet
        []
      ]
      permitUndefined: true
      exclusive: false
    }
    requireAllAttributes: true
    requiredAttributes:
    {
      @class: java.util.HashMap
    }
    rejectedAttributes:
    {
      @class: java.util.HashMap
    }
    caseInsensitive: false
  }
  properties:
  {
    @class: java.util.HashMap
  }
  contacts:
  [
    java.util.ArrayList
    []
  ]
}



Re: [cas-user] Cas Management Properties.

2020-07-16 Thread Bryan Wooten
Thanks Ron! That did the trick.

And the insight into how properties are defined was a great insight.

-Bryan
University of Utah.

On Wed, Jul 15, 2020 at 2:43 PM Ray Bon  wrote:

> It is a combined attribute. This approach of spring config allows 'mixing
> and matching' properties files (for developers).
>
> mgmt is the 'name' for CasManagementConfigurationProperties.
> In this class is a reference, versionControl, to another properties class,
> VersionControl, defined in the same file (cf LdapAuthorizationProperties
> defined in the cas project).
> VersionControl has a few properties, one of which is syncScript.
>
> Ray
>
> On Wed, 2020-07-15 at 14:16 -0600, Bryan Wooten wrote:
>
> Thanks, we'll give it a try. For some reason, searching for
> "versionControl" in that link I can't find mgmt.versionControl.syncScript.
>
> Cheers,
>
> Bryan
>
> On Wed, Jul 15, 2020 at 2:09 PM Ray Bon  wrote:
>
> Bryan,
>
> Looked at the source code,
> https://github.com/apereo/cas-management/blob/v6.1.0-RC4/api/cas-mgmt-api-configuration/src/main/java/org/apereo/cas/configuration/CasManagementConfigurationProperties.java
>
> This should be correct:
>
> mgmt.versionControl.syncScript
>
> Ray
>
> On Wed, 2020-07-15 at 13:32 -0600, Bryan Wooten wrote:
>
> Unfortunately, same error with all lowercase letters.
>
> I was really hoping to get sync to work as the final piece...
>
> -Bryan
> University of Utah
>
> On Wed, Jul 15, 2020 at 11:54 AM Ray Bon  wrote:
>
> Bryan,
>
> Perhaps the documentation and code have diverged. Does it work with lower
> case 's'?
>
> Ray
>
> On Wed, 2020-07-15 at 11:43 -0600, Bryan Wooten wrote:
>
> Hello again,
>
> When we set:
> mgmt.syncScript=/etc/cas/sync.sh in management properties we get this
> error.
>
> Not sure why the case is being changed.
>
> Thanks,
>
> -Bryan
>
> ***
> APPLICATION FAILED TO START
> ***
>
> Description:
>
> Binding to target [Bindable@49af530d type = org.apereo.cas.configuration.CasManagementConfigurationProperties, value = 'provided', annotations = array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false, ignoreUnknownFields=false, prefix=mgmt, value=mgmt)]] failed:
>
> Property: mgmt.syncscript
> Value: /etc/cas/sync.sh
> Origin: "mgmt.syncScript" from property source "bootstrapProperties"
> Reason: The elements [mgmt.syncscript] were left unbound.
>
> Action:
>
> Update your application's configuration
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
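
Added example, not part of the thread and not code from the cas-management project: a minimal run of Spring Boot's binder showing why mgmt.syncScript is rejected while mgmt.versionControl.syncScript binds, following Ray's description of the nested properties class. MgmtProperties and VersionControl below are hypothetical stand-ins for the real classes, and spring-boot is assumed to be on the classpath.

```java
import java.util.Map;

import org.springframework.boot.context.properties.bind.BindException;
import org.springframework.boot.context.properties.bind.BindHandler;
import org.springframework.boot.context.properties.bind.Bindable;
import org.springframework.boot.context.properties.bind.Binder;
import org.springframework.boot.context.properties.bind.handler.NoUnboundElementsBindHandler;
import org.springframework.boot.context.properties.source.MapConfigurationPropertySource;

public class UnboundPropertyDemo {

    // Hypothetical stand-in for CasManagementConfigurationProperties (prefix "mgmt").
    // It has no syncScript field of its own, only a reference to a nested class.
    public static class MgmtProperties {
        private VersionControl versionControl = new VersionControl();

        public VersionControl getVersionControl() {
            return versionControl;
        }

        public void setVersionControl(VersionControl versionControl) {
            this.versionControl = versionControl;
        }
    }

    // Hypothetical stand-in for the nested VersionControl properties class.
    public static class VersionControl {
        private String syncScript;

        public String getSyncScript() {
            return syncScript;
        }

        public void setSyncScript(String syncScript) {
            this.syncScript = syncScript;
        }
    }

    // Binds the given properties under the "mgmt" prefix and reports the outcome.
    static String bind(Map<String, String> properties) {
        Binder binder = new Binder(new MapConfigurationPropertySource(properties));

        // This handler is what ignoreUnknownFields=false amounts to: any key
        // under the prefix that maps to no bean property fails the whole bind.
        BindHandler strict = new NoUnboundElementsBindHandler(BindHandler.DEFAULT);

        try {
            MgmtProperties bound =
                    binder.bind("mgmt", Bindable.of(MgmtProperties.class), strict).get();
            return "bound, syncScript=" + bound.getVersionControl().getSyncScript();
        } catch (BindException e) {
            // The cause names the offending keys in canonical (lower-case) form,
            // which is why the report shows mgmt.syncscript whatever case was
            // typed in the properties file. Changing the case cannot fix it:
            // the key is at the wrong level of the tree.
            return "failed: " + e.getCause().getMessage();
        }
    }

    public static void main(String[] args) {
        // Key as first tried in the thread: one level too shallow.
        System.out.println(bind(Map.of("mgmt.syncScript", "/etc/cas/sync.sh")));

        // Key suggested in the thread: follows the nested class.
        System.out.println(bind(Map.of("mgmt.versionControl.syncScript", "/etc/cas/sync.sh")));
    }
}
```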

Re: [cas-user] Cas Management Properties.

2020-07-15 Thread Bryan Wooten
Thanks, we'll give it a try. For some reason, searching for
"versionControl" in that link I can't find mgmt.versionControl.syncScript.

Cheers,

Bryan

On Wed, Jul 15, 2020 at 2:09 PM Ray Bon  wrote:

> Bryan,
>
> Looked at the source code,
> https://github.com/apereo/cas-management/blob/v6.1.0-RC4/api/cas-mgmt-api-configuration/src/main/java/org/apereo/cas/configuration/CasManagementConfigurationProperties.java
>
> This should be correct:
>
> mgmt.versionControl.syncScript
>
> Ray
>
> On Wed, 2020-07-15 at 13:32 -0600, Bryan Wooten wrote:
>
> Unfortunately, same error with all lowercase letters.
>
> I was really hoping to get sync to work as the final piece...
>
> -Bryan
> University of Utah
>
> On Wed, Jul 15, 2020 at 11:54 AM Ray Bon  wrote:
>
> Bryan,
>
> Perhaps the documentation and code have diverged. Does it work with lower
> case 's'?
>
> Ray
>
> On Wed, 2020-07-15 at 11:43 -0600, Bryan Wooten wrote:
>
> Hello again,
>
> When we set:
> mgmt.syncScript=/etc/cas/sync.sh in management properties we get this
> error.
>
> Not sure why the case is being changed.
>
> Thanks,
>
> -Bryan
>
> ***
> APPLICATION FAILED TO START
> ***
>
> Description:
>
> Binding to target [Bindable@49af530d type = org.apereo.cas.configuration.CasManagementConfigurationProperties, value = 'provided', annotations = array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false, ignoreUnknownFields=false, prefix=mgmt, value=mgmt)]] failed:
>
> Property: mgmt.syncscript
> Value: /etc/cas/sync.sh
> Origin: "mgmt.syncScript" from property source "bootstrapProperties"
> Reason: The elements [mgmt.syncscript] were left unbound.
>
> Action:
>
> Update your application's configuration
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>


Re: [cas-user] Cas Management Properties.

2020-07-15 Thread Bryan Wooten
Unfortunately, same error with all lowercase letters.

I was really hoping to get sync to work as the final piece...

-Bryan
University of Utah

On Wed, Jul 15, 2020 at 11:54 AM Ray Bon  wrote:

> Bryan,
>
> Perhaps the documentation and code have diverged. Does it work with lower
> case 's'?
>
> Ray
>
> On Wed, 2020-07-15 at 11:43 -0600, Bryan Wooten wrote:
>
> Hello again,
>
> When we set:
> mgmt.syncScript=/etc/cas/sync.sh in management properties we get this
> error.
>
> Not sure why the case is being changed.
>
> Thanks,
>
> -Bryan
>
> ***
> APPLICATION FAILED TO START
> ***
>
> Description:
>
> Binding to target [Bindable@49af530d type = org.apereo.cas.configuration.CasManagementConfigurationProperties, value = 'provided', annotations = array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false, ignoreUnknownFields=false, prefix=mgmt, value=mgmt)]] failed:
>
> Property: mgmt.syncscript
> Value: /etc/cas/sync.sh
> Origin: "mgmt.syncScript" from property source "bootstrapProperties"
> Reason: The elements [mgmt.syncscript] were left unbound.
>
> Action:
>
> Update your application's configuration
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>


[cas-user] Cas Management Properties.

2020-07-15 Thread Bryan Wooten
Hello again,

When we set:
mgmt.syncScript=/etc/cas/sync.sh in management properties we get this error.

Not sure why the case is being changed.

Thanks,

-Bryan

***
APPLICATION FAILED TO START
***

Description:

Binding to target [Bindable@49af530d type = org.apereo.cas.configuration.CasManagementConfigurationProperties, value = 'provided', annotations = array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false, ignoreUnknownFields=false, prefix=mgmt, value=mgmt)]] failed:

Property: mgmt.syncscript
Value: /etc/cas/sync.sh
Origin: "mgmt.syncScript" from property source "bootstrapProperties"
Reason: The elements [mgmt.syncscript] were left unbound.

Action:

Update your application's configuration



Re: [cas-user] cas-managent app again.

2020-07-09 Thread Bryan Wooten
Thanks Molly and Ray for the tips. The app now loads, but of course the
next issue comes up.

After entering user name / password on the CAS login page, it just hangs on
that page.

I believe I saw a post mentioning this issue. I have tried Chrome
(incognito) and Safari.

Anyway much thanks for your help.

-Bryan

University of Utah

On Wed, Jul 8, 2020 at 3:02 PM 'Molly Kewl' via CAS Community <
cas-user@apereo.org> wrote:

> Check
> https://github.com/apereo/cas-management/blob/master/api/cas-mgmt-api-configuration/src/main/java/org/apereo/cas/configuration/CasManagementConfigurationProperties.java
>
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, July 9, 2020 12:46 AM, Bryan Wooten 
> wrote:
>
> So when we load the app on the same Tomcat as the CAS server itself we get
> this error:
>
> ***
> APPLICATION FAILED TO START
> ***
>
> Description:
>
> Binding to target [Bindable@1471d5e6 type = org.apereo.cas.configuration.CasManagementConfigurationProperties, value = 'provided', annotations = array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false, ignoreUnknownFields=false, prefix=mgmt, value=mgmt)]] failed:
>
> Property: mgmt.enabledelegatedmgmt
> Value: false
> Origin: "mgmt.enableDelegatedMgmt" from property source "bootstrapProperties"
> Reason: The elements [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.userreposdir] were left unbound.
> Property: mgmt.enableversioncontrol
> Value: false
> Origin: "mgmt.enableVersionControl" from property source "bootstrapProperties"
> Reason: The elements [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.userreposdir] were left unbound.
> Property: mgmt.servicesrepo
> Value: /etc/cas/config/services/servicesRepo
> Origin: "mgmt.servicesRepo" from property source "bootstrapProperties"
> Reason: The elements [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.userreposdir] were left unbound.
> Property: mgmt.userreposdir
> Value: /etc/cas/config/userRepo
> Origin: "mgmt.userreposdir" from property source "bootstrapProperties"
> Reason: The elements [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.userreposdir] were left unbound.
>
> Action:
>
> Update your application's configuration
>
> We have tried adding unbound to management.properties, adding directly to
> bootstrap.properties in the exploded war file and putting a copy of
> bootstrap.properties in /etc/cas/config.
>
> But I always get the error.
>
> We are building the Master branch from:
> https://github.com/apereo/cas-management-overlay/
>
> Any help appreciated.
>
> -Bryan
>
> University of Utah
>
>

[cas-user] cas-managent app again.

2020-07-08 Thread Bryan Wooten
So when we load the app on the same Tomcat as the CAS server itself we get
this error:

***
APPLICATION FAILED TO START
***

Description:

Binding to target [Bindable@1471d5e6 type = org.apereo.cas.configuration.CasManagementConfigurationProperties, value = 'provided', annotations = array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false, ignoreUnknownFields=false, prefix=mgmt, value=mgmt)]] failed:

Property: mgmt.enabledelegatedmgmt
Value: false
Origin: "mgmt.enableDelegatedMgmt" from property source "bootstrapProperties"
Reason: The elements [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.userreposdir] were left unbound.
Property: mgmt.enableversioncontrol
Value: false
Origin: "mgmt.enableVersionControl" from property source "bootstrapProperties"
Reason: The elements [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.userreposdir] were left unbound.
Property: mgmt.servicesrepo
Value: /etc/cas/config/services/servicesRepo
Origin: "mgmt.servicesRepo" from property source "bootstrapProperties"
Reason: The elements [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.userreposdir] were left unbound.
Property: mgmt.userreposdir
Value: /etc/cas/config/userRepo
Origin: "mgmt.userreposdir" from property source "bootstrapProperties"
Reason: The elements [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.userreposdir] were left unbound.

Action:

Update your application's configuration

We have tried adding unbound to management.properties, adding directly to
bootstrap.properties in the exploded war file and putting a copy of
bootstrap.properties in /etc/cas/config.

But I always get the error.

We are building the Master branch from:
https://github.com/apereo/cas-management-overlay/

Any help appreciated.

-Bryan

University of Utah



Re: [cas-user] cas-management application

2020-07-06 Thread Bryan Wooten
Thank you Ray. This helps.

I see you are very active/helpful on this list...

Perhaps one day I will return the favor.

-Bryan

University of Utah.

On Mon, Jul 6, 2020 at 1:04 PM Ray Bon  wrote:

> Bryan,
>
> I am just looking into cas management after a bit of a break from my first
> frustrating attempt. My impression is that cas management is trying to
> leverage the cas packages. The version of cas management must be the same
> as a source of cas packages (I am working with 6.1.4-SNAPSHOT), but does
> not have to be the same as the deployed cas (it can be older for sure).
> This also means that the properties will be the same as those for cas.
> I have not tried turning off version control for the services. First time
> I tried, it was problematic. For the extra step of confirming changes to a
> service, it is probably not worth the effort. Just create a writable
> directory (or make the default writable) for the git repo and be done with
> it.
> We store our services in ldap (so no file sync), but I am not that far
> along in my config, maybe later this week or next.
>
> Ray
>
> On Mon, 2020-07-06 at 11:52 -0600, Bryan Wooten wrote:
>
> I was wondering if any of you fine folks could help me.
>
> I am trying to get cas-management application (6.2) with a Cas 6.1.6
> server. (I can change the cas-management version if needed.)
>
> Anyway I am having trouble understanding the docs and
> management.properties settings.
>
> I am simply trying to manage a 1000 json file /etc/cas.config/services
> directory.
>
> We don't need/want version control at this time or any file sync.
>
> At startup we get errors like this:
>
> Origin: "mgmt.enableVersionControl" from property source
> "bootstrapProperties"
> Reason: The elements
> [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.syncscript,mgmt.userrep
> osdir] were left unbound.
>
> For example, what is mgmt.userrep?
>
> If someone could share the management properties file that would be great.
>
> -Bryan
>
> University of Utah
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
>



[cas-user] cas-management application

2020-07-06 Thread Bryan Wooten
I was wondering if any of you fine folks could help me.

I am trying to get cas-management application (6.2) with a Cas 6.1.6
server. (I can change the cas-management version if needed.)

Anyway I am having trouble understanding the docs and
management.properties settings.

I am simply trying to manage a 1000 json file /etc/cas.config/services
directory.

We don't need/want version control at this time or any file sync.

At startup we get errors like this:

Origin: "mgmt.enableVersionControl" from property source
"bootstrapProperties"
Reason: The elements
[mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.syncscript,mgmt.userrep
osdir] were left unbound.

For example, what is mgmt.userrep?

If someone could share the management properties file that would be great.

-Bryan

University of Utah



Re: [cas-user] Service Access Strategy help needed

2020-07-02 Thread Bryan Wooten
I agree with Ron. As a point of reference, we have 1000 json entries in our
service registry. I added 6 this morning.

Very few use any wild cards.

We are also working on getting the management app up and running.

-Bryan

University of Utah

On Wed, Jul 1, 2020 at 5:26 AM Emilian Mitocariu <
mitocariu.emil...@gmail.com> wrote:

> Hi, I have a CAS server with a service json that catches all incoming
> requests looking like this:
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "^(https|http)://.*",
>   "name": "HTTPS and HTTP",
>   "id": 2001,
>   "description": "This service definition authorizes all application urls that support HTTPS and HTTP protocols.",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "evaluationOrder": 201,
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true,
>     "requiredAttributes" : {
>       "@class" : "java.util.HashMap",
>       "access_app_list" : [ "java.util.HashSet", [ "some-app" ] ]
>     }
>   }
> }
>
> Where *access_app_list* is retrieved from a DB. My question, is there a
> built-in variable that I can put instead of *some-app* that contains the
> domain of the service accessing CAS? Or do I need to use a groovy script
> for this? And if groovy is needed, any pointers on how I could do that?
>
> I would like to do this so I don't have to define a different service json
> for every app that needs to authenticate against CAS.
>
>
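
Added example (not part of the thread and not CAS project code): a small audit over JSON service definitions that flags the pattern discussed above, a serviceId regex that matches any host combined with ReturnAllAttributeReleasePolicy. The probe URLs, the finding names and the SCOPED definition are constructed for illustration; Python's re stands in for Java regex matching, which agrees for these patterns.

```python
import json
import re

RELEASE_ALL = "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"

# Constructed probe URLs on hosts nobody registered. A tightly scoped
# serviceId must match none of them.
PROBES = (
    "https://unregistered.example.net/app",
    "http://unregistered.example.org/login",
)

# The catch-all definition quoted in the thread (mail formatting removed).
CATCH_ALL = r"""
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|http)://.*",
  "name": "HTTPS and HTTP",
  "id": 2001,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "evaluationOrder": 201,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "access_app_list": ["java.util.HashSet", ["some-app"]]
    }
  }
}
"""

# Constructed per-application definition for comparison (hypothetical host).
SCOPED = r"""
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app1\\.example\\.edu/.*",
  "name": "app1",
  "id": 3001,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": ["java.util.ArrayList", ["cn", "mail"]]
  }
}
"""


def required_attributes(service):
    """Return {attribute: set(values)} from accessStrategy.requiredAttributes."""
    strategy = service.get("accessStrategy") or {}
    required = {}
    for name, value in (strategy.get("requiredAttributes") or {}).items():
        if name == "@class":
            continue
        # CAS JSON wraps collections as ["java.util.HashSet", [values...]].
        if isinstance(value, list) and len(value) == 2 and isinstance(value[1], list):
            value = value[1]
        required[name] = set(value) if isinstance(value, list) else {value}
    return required


def audit(definition_json):
    """Return a list of finding names for one service definition."""
    service = json.loads(definition_json)
    try:
        pattern = re.compile(service.get("serviceId", ""))
    except re.error:
        return ["invalid-service-id-regex"]
    hits = [url for url in PROBES if pattern.fullmatch(url)]
    findings = []
    if len(hits) == len(PROBES):
        findings.append("catch-all-service-id")
    if any(url.startswith("http://") for url in hits):
        findings.append("plain-http-accepted")
    policy = (service.get("attributeReleasePolicy") or {}).get("@class")
    if policy == RELEASE_ALL:
        findings.append("releases-all-attributes")
    # A wide pattern with no attribute gate lets any authenticated user
    # obtain tickets for any matching URL.
    if hits and not required_attributes(service):
        findings.append("no-required-attributes")
    return findings


if __name__ == "__main__":
    for label, text in (("catch-all", CATCH_ALL), ("scoped", SCOPED)):
        print(label, audit(text))
```

With the catch-all definition, the single requiredAttributes entry is the only gate for every host that matches, which is why per-application definitions keep both the URL scope and the released attributes narrow.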



Re: [cas-user] Re: Duo MFA error in 6.2 RC5

2020-06-26 Thread Bryan Wooten
We have the same issue. But not on the 6.2 master branch.

On Fri, Jun 26, 2020 at 3:07 PM Amit Poddar  wrote:

> Hi,
>
> I am dealing with the same issue, did you get a resolution to this?  If
> yes then would you be willing to share the resolution?
>
> Thanks,
> Amit
>
> On Thursday, June 4, 2020 at 4:44:50 PM UTC-4, mba...@scad.edu wrote:
>>
>> Doh, I didn't post  the actual error.  Here it is:
>>
>> ERROR
>> [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas-web].[dispatcherServlet]]
>> - > [/cas-web] threw exception [Request processing failed; nested exception is
>> org.springframework.webflow.execution.ActionExecutionException: Exception
>> thrown executing
>> org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityPrepareWebLoginFormAction@5c3e7128
>> in state 'viewLoginFormDuo' of flow 'mfa-duo' -- action execution
>> attributes were 'map['resolvedAuthenticationEvents' -> list[mfa-duo]]']
>> with root cause>
>> java.lang.NullPointerException: null
>> at java.util.Objects.requireNonNull(Objects.java:221) ~[?:?]
>> at
>> org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityPrepareWebLoginFormAction.doExecute(DuoSecurityPrepareWebLoginFormAction.java:31)
>> ~[cas-server-support-duo-core-6.2.0-RC5.jar!/:6.2.0-RC5]
>> at
>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>> ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
>>
>> Thanks in advance.
>>
>>
>> On Thursday, June 4, 2020 at 4:18:07 PM UTC-4, mba...@scad.edu wrote:
>>>
>>> I'm testing out 6.2 RC5 and am getting an error with Duo:
>>>
>>> DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - >> the received exception
>>> [org.springframework.webflow.execution.ActionExecutionException: Exception
>>> thrown executing
>>> org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityPrepareWebLoginFormAction@5afaae7e
>>> in state 'viewLoginFormDuo' of flow 'mfa-duo' -- action execution
>>> attributes were 'map['resolvedAuthenticationEvents' -> list[mfa-duo]]'] due
>>> to a type mismatch with handler
>>> [[FlowHandlerMapping.DefaultFlowHandler@5f5b9239]]>
>>>
>>> I'm using pretty much the same Duo configuration from 6.0.x (which is
>>> working), but switched from camelCase to dashes as listed in the latest
>>> development documentation.  I got the same error with camel case too.
>>>
>>> #  DUO 
>>> cas.authn.mfa.duo[0].duo-secret-key=${CAS_DUO_SKEY}
>>> cas.authn.mfa.duo[0].rank=0
>>> cas.authn.mfa.duo[0].duo-application-key=${CAS_DUO_AKEY}
>>> cas.authn.mfa.duo[0].duo-integration-key=${CAS_DUO_IKEY}
>>> cas.authn.mfa.duo[0].duo-api-host=${CAS_DUO_HOST}
>>> cas.authn.mfa.duo[0].trusted-device-enabled=false
>>> cas.authn.mfa.duo[0].id=mfa-duo
>>> cas.authn.mfa.duo[0].name=SCAD DUO
>>> cas.authn.mfa.duo[0].order=1
>>> # but this one stays camelCase
>>> cas.authn.mfa.groovyScript=file:/etc/cas/ScadMfa.groovy
>>>
>>> And I can actually see a response from Duo early in the log that
>>> indicates it retrieved my account info.
>>>
>>> Also, I am using the default theme with no changes.
>>>
>>> Any help would be appreciated.
>>>
>>> Thank you,
>>> Mike
>>>
>>>



[cas-user] OpenID

2020-06-25 Thread Bryan Wooten
We are trying to test:

https://github.com/cas-projects/openid-sample-java-webapp

But in the CAS logs I see:

2020-06-24 13:43:52,517 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] -
org.thymeleaf.exceptions.TemplateInputException: Error resolving template
[openIdProviderView], template might not exist or might not be accessible
by any of the configured Template Resolvers

We can't find openIdProviderView HTML file in any repo.

What are we missing?

Thanks,

Bryan

University of Utah



[cas-user] CAS 6.2 Monitoring and Statistics

2020-06-22 Thread Bryan Wooten
We are trying to get the /status /health endpoints to work on the CAS 6.2
main branch following this guide:

https://apereo.github.io/cas/development/monitoring/Monitoring-Statistics.html

We have this in our pom.xml:

implementation
"org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"

Our cas.properties has:
#settings for monitoring and statistics
spring.boot.admin.url=https://cas6test.go.utah.edu:8444
spring.boot.admin.client.managementUrl=${cas.server.prefix}/status

management.endpoints.web.exposure.include=*
management.endpoints.enabled-by-default=true
cas.monitor.endpoints.endpoint.defaults.access=AUTHENTICATED

spring.security.user.name=casuser
spring.security.user.password=Mellon

I don't see port 8444 open using:
netstat -tulpn | grep LISTEN

In catalina.out I see:

22-Jun-2020 10:53:21.601 WARNING [AsyncReporter{org.springframework.cloud.sleuth.zipkin2.sender.RestTemplateSender@1063035f}] zipkin2.reporter.AsyncReporter$BoundedAsyncReporter.flush Dropped 2 spans due to ResourceAccessException(I/O error on POST request for "http://localhost:9411/api/v2/spans": Connection refused (Connection refused); nested exception is java.net.ConnectException: Connection refused (Connection refused))

org.springframework.web.client.ResourceAccessException: I/O error on POST request for "http://localhost:9411/api/v2/spans": Connection refused (Connection refused); nested exception is java.net.ConnectException: Connection refused (Connection refused)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:751)
    at org.springframework.cloud.sleuth.zipkin2.sender.ZipkinRestTemplateWrapper.doExecute(ZipkinRestTemplateSenderConfiguration.java:228)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:644)

Any hints or clues? We need this as it seems to be a prerequisite for:

https://apereo.github.io/cas/6.0.x/monitoring/Configuring-Monitoring-Administration.html#configuration


Thanks,

Bryan

University of Utah



Re: [cas-user] CAS 6 Attribute release not working

2020-06-15 Thread Bryan Wooten
Thanks for the hint.

So to clarify, cas.authn.ldap[0].principalAttributeList is the superset of
attributes that may be released. The service registry json defines the
attributes (subset) allowed to be released to the service?

-Bryan

On Mon, Jun 15, 2020 at 3:08 PM Jason Everling 
wrote:

> I didn't think CAS pulls attributes from ldap based on the service
> definition? You have to add all attributes you expect to fetch from ldap,
> so in your config
>
>
> cas.authn.ldap[0].principalAttributeList=unid,cn,psrole,mail,uuemployee,uustudent,uuaffiliate,uudept,almail,sn,givenName
>
> Change it to
>
> cas.authn.ldap[0].principalAttributeList=firstName,lastName,displayName,email,homephone,department,ou,cn,telephoneNumber,acadplan,almail,eduPersonAffiliation,uid,eduPersonPrincipalName,ummail,unid,uudept,uuemployee,uustudent,psrole
>
> On Mon, Jun 15, 2020 at 3:00 PM Bryan Wooten  wrote:
>
>> Hi all,
>> We are unable to get attributes to release (CAS 6 Master).
>> Java client 3.6.1
>>
>> We have a json service registry entry:
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "^https://cas6test.go.utah.edu/.*",
>>   "name" : "cas6testGoUtahEdu",
>>   "id" : 2020052801,
>>   "description" : "bryan.woo...@utah.edu",
>>   "logoutType" : "FRONT_CHANNEL",
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "firstName",
>>       "lastName", "displayName", "email", "homephone", "department", "ou", "cn",
>>       "telephoneNumber", "acadplan", "almail", "eduPersonAffiliation", "uid",
>>       "eduPersonPrincipalName", "ummail", "unid", "uudept", "uuemployee",
>>       "uustudent", "psrole" ] ]
>>   }
>> }
>>
>> LDAP config in cas.properties:
>>
>> # attr repo creds
>> cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://ldaptest.sys.utah.edu:9292
>> cas.authn.attributeRepository.ldap[0].baseDn=ou=people,o=utah.edu
>> cas.authn.attributeRepository.ldap[0].bindDn=uid=xxx,ou=System Accounts,o=utah.edu
>> cas.authn.attributeRepository.ldap[0].bindCredential=
>> cas.authn.attributeRepository.ldap[0].userFilter=unid={user}
>> # end attr repo creds
>>
>> cas.authn.attributeRepository.ldap[0].attributes.uuMFA=uuMFA
>> cas.authn.attributeRepository.ldap[0].attributes.cn=cn
>> cas.authn.attributeRepository.ldap[0].attributes.givenName=firstName
>> cas.authn.attributeRepository.ldap[0].attributes.sn=lastName
>> etc
>>
>>
>> cas.authn.attributeRe
>> 2020-06-15 13:11:30,732 DEBUG [org.apereo.cas.util.LdapUtils] - > [ldap://ldaptest.sys.utah.edu:9292] and bindDn [uid=pscas,ou=System Accounts,o=utah.edu]>
>> 2020-06-15 13:11:30,876 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - > are fetched from [ldap://ldaptest.sys.utah.edu:9292] via filter [null]>
>> 2020-06-15 13:11:30,877 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - > result attribute mapping for [ldap://ldaptest.sys.utah.edu:9292] to be [{classnumber=classnumber, isonbr=isonbr, uuInst=uuInst, teachingAssistant=teachingAssistant, almail=almail,
>>
>> I am unclear about LDAP attributes are fetched from [ldap://ldaptest.sys.utah.edu:9292] via filter [null]> being null when I have:
>>
>> cas.authn.attributeRepository.ldap[0].userFilter=unid={user}
>>
>> But if I add this line:
>>
>> cas.authn.ldap[0].principalAttributeList=unid,cn,psrole,mail,uuemployee,uustudent,uuaffiliate,uudept,almail,sn,givenName
>>
>> I will get some but not all the attributes (they are all valid attrs for
>> the test user, me)... But I want to release attributes on a per json file.
>>
>> This is also set: cas.authn.authenticationAttributeRelease.enabled=true
>>
>> Also strange is that if I add:
>>
>> #cas.authn.attributeRepository.defaultAttributesToRelease=givenName,eduPersonAffiliation,cn,uuemployee,uustudent,mail,psrole,firstName,lastName
>>
>> Then I stop getting any attributes.
>>
>> Any help appreciated. This is driving me crazy.
>>
>> -Bryan
>> University of Utah
>>

[cas-user] CAS 6 Attribute release not working

2020-06-15 Thread Bryan Wooten
Hi all,
We are unable to get attributes to release (CAS 6 Master).
Java client 3.6.1

We have a json service registry entry:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://cas6test.go.utah.edu/.*",
  "name" : "cas6testGoUtahEdu",
  "id" : 2020052801,
  "description" : "bryan.woo...@utah.edu",
  "logoutType" : "FRONT_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName",
      "lastName", "displayName", "email", "homephone", "department", "ou", "cn",
      "telephoneNumber", "acadplan", "almail", "eduPersonAffiliation", "uid",
      "eduPersonPrincipalName", "ummail", "unid", "uudept", "uuemployee",
      "uustudent", "psrole" ] ]
  }
}

LDAP config in cas.properties:

# attr repo creds
cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://ldaptest.sys.utah.edu:9292
cas.authn.attributeRepository.ldap[0].baseDn=ou=people,o=utah.edu
cas.authn.attributeRepository.ldap[0].bindDn=uid=xxx,ou=System Accounts,o=utah.edu
cas.authn.attributeRepository.ldap[0].bindCredential=
cas.authn.attributeRepository.ldap[0].userFilter=unid={user}
# end attr repo creds

cas.authn.attributeRepository.ldap[0].attributes.uuMFA=uuMFA
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.givenName=firstName
cas.authn.attributeRepository.ldap[0].attributes.sn=lastName
etc


cas.authn.attributeRe
2020-06-15 13:11:30,732 DEBUG [org.apereo.cas.util.LdapUtils] - ldap://ldaptest.sys.utah.edu:9292] and bindDn [uid=pscas,ou=System Accounts,o=utah.edu]>
2020-06-15 13:11:30,876 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - ldap://ldaptest.sys.utah.edu:9292] via filter [null]>
2020-06-15 13:11:30,877 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - ldap://ldaptest.sys.utah.edu:9292] to be [{classnumber=classnumber, isonbr=isonbr, uuInst=uuInst, teachingAssistant=teachingAssistant, almail=almail,

I am unclear about LDAP attributes are fetched from [ldap://ldaptest.sys.utah.edu:9292] via filter [null]> being null when I have:

cas.authn.attributeRepository.ldap[0].userFilter=unid={user}

But if I add this line:
cas.authn.ldap[0].principalAttributeList=unid,cn,psrole,mail,uuemployee,uustudent,uuaffiliate,uudept,almail,sn,givenName

I will get some but not all the attributes (they are all valid attrs for
the test user, me)... But I want to release attributes on a per json file.

This is also set: cas.authn.authenticationAttributeRelease.enabled=true

Also strange is that if I add:
#cas.authn.attributeRepository.defaultAttributesToRelease=givenName,eduPersonAffiliation,cn,uuemployee,uustudent,mail,psrole,firstName,lastName

Then I stop getting any attributes.

Any help appreciated. This is driving me crazy.

-Bryan
University of Utah
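
Added example (not part of the thread and not CAS project code): a diagnostic that applies the superset/subset model stated in the reply to this post, where the LDAP attribute settings decide which attributes are resolved and the service's allowedAttributes selects a subset for release. It uses only the property lines and attribute names shown in the post (the post elides further mappings with "etc"); treating the two LDAP settings as a simple union and the report key names are assumptions of this sketch.

```python
import json

# Property lines as shown in the post; constructed into one sample string.
CAS_PROPERTIES = """
cas.authn.attributeRepository.ldap[0].attributes.uuMFA=uuMFA
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.givenName=firstName
cas.authn.attributeRepository.ldap[0].attributes.sn=lastName
cas.authn.ldap[0].principalAttributeList=unid,cn,psrole,mail,uuemployee,uustudent,uuaffiliate,uudept,almail,sn,givenName
"""

# The service definition from the post, trimmed to its allowedAttributes list.
SERVICE = """
{
  "attributeReleasePolicy": {
    "allowedAttributes": ["java.util.ArrayList", ["firstName", "lastName",
      "displayName", "email", "homephone", "department", "ou", "cn",
      "telephoneNumber", "acadplan", "almail", "eduPersonAffiliation", "uid",
      "eduPersonPrincipalName", "ummail", "unid", "uudept", "uuemployee",
      "uustudent", "psrole"]]
  }
}
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolvable_attributes(props):
    """Attribute names the configuration can produce for a principal."""
    names = set()
    for key, value in props.items():
        # Accept camelCase and dashed spellings of the same property.
        norm = key.replace("-", "").lower()
        if ".attributerepository.ldap[" in norm and ".attributes." in norm:
            # attributes.<ldapName>=<nameUsedByCAS>: the value is what a
            # release policy sees, not the LDAP attribute name.
            names.add(value)
        elif norm.endswith(".principalattributelist"):
            # Comma list; each entry is "name" or "name:renamed".
            for item in value.split(","):
                item = item.strip()
                if item:
                    names.add(item.split(":")[-1])
    return names


def allowed_attributes(service_json):
    """Names listed in the service's attributeReleasePolicy.allowedAttributes."""
    policy = json.loads(service_json).get("attributeReleasePolicy") or {}
    allowed = policy.get("allowedAttributes") or []
    # CAS JSON wraps the list as ["java.util.ArrayList", [names...]].
    if len(allowed) == 2 and isinstance(allowed[1], list):
        allowed = allowed[1]
    return set(allowed)


def release_report(props_text, service_json):
    """Compare what is resolved with what the service is allowed to receive."""
    resolved = resolvable_attributes(parse_properties(props_text))
    allowed = allowed_attributes(service_json)
    return {
        "releasable": sorted(allowed & resolved),
        "allowed_but_never_resolved": sorted(allowed - resolved),
        "resolved_but_not_allowed": sorted(resolved - allowed),
    }


if __name__ == "__main__":
    for section, names in release_report(CAS_PROPERTIES, SERVICE).items():
        print(f"{section}: {', '.join(names)}")
```

Names under allowed_but_never_resolved (for instance "email" when only "mail" is fetched) can never reach the service under this model, however the release policy is written.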



Re: [cas-user] CAS 6 Attribute Release

2020-06-01 Thread Bryan Wooten
I added those log settings...

We also tried changing our gradle.properties from SNAPSHOT to RC5 and that
just broke the Duo login flow...

I added this to cas.properties: #Attribute Release

cas.authn.authenticationAttributeRelease.enabled=true

And I also changed the JSON service registry to:

"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
}

Still no luck

On Mon, Jun 1, 2020 at 10:06 AM Ray Bon  wrote:

> Bryan,
>
> Maybe these loggers can help.
>  
> 
>  name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
> level="warn"/>
>
> 
>  name="org.apereo.cas.services.DenyAllAttributeReleasePolicy" level="warn"/>
>
> Ray
>
> On Mon, 2020-06-01 at 08:34 -0600, Bryan Wooten wrote:
>
> We are doing a POC with CAS 6. We are building using the war overlay. Our
> build is from the CAS 6 Master branch.
>
> I have a simple Java client app configured for SAML1.1. This app is
> running on the same Tomcat as CAS 6 itself. This is its JSON service
> registry entry:
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://cas6test.go.utah.edu/.*",
>   "name" : "cas6dev-1IdmUtahEdu",
>   "id" : 2020052801,
>   "description" : "bryan.woo...@utah.edu",
>   "logoutType" : "FRONT_CHANNEL",
>   "attributeReleasePolicy" : {
>     "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", [ "firstName",
>       "lastName", "displayName", "email", "homephone", "department", "ou", "cn",
>       "telephoneNumber", "acadplan", "almail", "eduPersonAffiliation", "uid",
>       "eduPersonPrincipalName", "ummail", "unid", "uudept", "uuemployee",
>       "uustudent", "psrole" ] ]
>   }
> }
>
> In the cas.log I see:
> allowedAttributes=[firstName, lastName, displayName, email, homephone,
> department, ou, cn, telephoneNumber, acadplan, almail,
> eduPersonAffiliation, uid, eduPersonPrincipalName, ummail, unid, uudept,
> uuemployee, uustudent, psrole]),
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
> failureMode=UNDEFINED, principalAttributeNameTrigger=null,
> principalAttributeValueToMatch=null, bypassEnabled=false,
> forceExecution=false, bypassTrustedDeviceEnabled=false, bypassPrincipa
>
> That looks good.
>
> But when the SAML assertion is built it doesn't include those attributes:
>
> Any ideas on what I am missing?
>
> 
> http://schemas.xmlsoap.org/soap/envelope/;>
> 
>  InResponseTo="_0f257af65322193bce619eb2d16895e7"
> IssueInstant="2020-06-01T13:54:43.797Z" MajorVersion="1"
> MinorVersion="1"
> ResponseID="_07a0fc4799c4445d58e12d00aa84603b"
> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
> 
> 
> 
>  AssertionID="_c4f37a7ef71853b1fb8e472d6db12faf"
> IssueInstant="2020-06-01T13:54:43.797Z"
> Issuer="localhost" MajorVersion="1" MinorVersion="1"
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
>  NotOnOrAfter="2020-06-01T13:55:13.797Z">
> 
> 
> https://cas6test.go.utah.edu/attrrelease-1.0-SNAPSHOT/attrrelease
> 
> 
> 
>  AuthenticationInstant="2020-06-01T13:54:48.138Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:passwor
> d">
> 
>
> u0519980
> 
>
> 
> 
> 
> 
> 
>
> u0519980
> 
>
> urn:oasis:names:tc:SAML:1.0:cm:artifact
> 
> 
>  AttributeNamespace="http://www.ja-sig.org/products/cas/;>
>
> UsernamePasswordCredential
>
> DuoSecurityCredential
> 
> 
> AttributeName=&qu

[cas-user] CAS 6 Attribute Release

2020-06-01 Thread Bryan Wooten
We are doing a POC with CAS 6. We are building using the war overlay. Our
build is from the CAS 6 Master branch.

I have a simple Java client app configured for SAML1.1. This app is running
on the same Tomcat as CAS 6 itself. This is its JSON service registry entry:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://cas6test.go.utah.edu/.*",
  "name" : "cas6dev-1IdmUtahEdu",
  "id" : 2020052801,
  "description" : "bryan.woo...@utah.edu",
  "logoutType" : "FRONT_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName",
      "lastName", "displayName", "email", "homephone", "department", "ou", "cn",
      "telephoneNumber", "acadplan", "almail", "eduPersonAffiliation", "uid",
      "eduPersonPrincipalName", "ummail", "unid", "uudept", "uuemployee",
      "uustudent", "psrole" ] ]
  }
}

In the cas.log I see:
allowedAttributes=[firstName, lastName, displayName, email, homephone,
department, ou, cn, telephoneNumber, acadplan, almail,
eduPersonAffiliation, uid, eduPersonPrincipalName, ummail, unid, uudept,
uuemployee, uustudent, psrole]),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
failureMode=UNDEFINED, principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null, bypassEnabled=false,
forceExecution=false, bypassTrustedDeviceEnabled=false, bypassPrincipa

That looks good.

But when the SAML assertion is built it doesn't include those attributes:

Any ideas on what I am missing?


http://schemas.xmlsoap.org/soap/envelope/
">









https://cas6test.go.utah.edu/attrrelease-1.0-SNAPSHOT/attrrelease






u0519980








u0519980


urn:oasis:names:tc:SAML:1.0:cm:artifact


http://www.ja-sig.org/products/cas/;>

UsernamePasswordCredential

DuoSecurityCredential

http://www.ja-sig.org/products/cas/;>

urn:oasis:names:tc:SAML:1.0:am:password

urn:oasis:names:tc:SAML:1.0:am:unspecified

http://www.ja-sig.org/products/cas/;>

u0519980

http://www.ja-sig.org/products/cas/;>
true

http://www.ja-sig.org/products/cas/;>
false

http://www.ja-sig.org/products/cas/;>

2020-06-01T13:54:48.138360Z

 http://www.ja-sig.org/products/cas/;>
true

http://www.ja-sig.org/products/cas/;>
false

http://www.ja-sig.org/products/cas/;>

2020-06-01T13:54:48.138360Z

http://www.ja-sig.org/products/cas/;>

LdapAuthenticationHandler
mfa-duo

http://www.ja-sig.org/products/cas/;>
mfa-duo

http://www.ja-sig.org/products/cas/;>

LdapAuthenticationHandler
mfa-duo

http://www.ja-sig.org/products/cas/;>
false

http://www.ja-sig.org/products/cas/;>
BRYAN
WOOTEN



saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact

Thanks,

Bryan (University of Utah)



Re: [cas-user] SAML attribute release error

2020-05-13 Thread Bryan Wooten
thanks, I am looking for a place to download the newest jar files...

so far I find: https://github.com/apereo/java-cas-client

I don't really want to build from scratch. Check maven central repo now...

-Bryan

On Wed, May 13, 2020 at 11:35 AM Daniel Ellentuck  wrote:

> Hi Bryan,
>
> Before debugging, I would bump up to the latest client (3.6.x).  Easy to
> do and might just fix it.
>
> Dan
>
>
> On Wed, May 13, 2020 at 1:17 PM Bryan Wooten  wrote:
>
>> cas-client-core-3.4.1.jar and cas-client-support-saml-3.40.jar
>>
>> I should have included that in the first place, apologies.
>>
>> -Bryan
>>
>> On Wed, May 13, 2020 at 11:00 AM Daniel Ellentuck 
>> wrote:
>>
>>> Hi Bryan,
>>>
>>> CAS client version, plus supporting libraries on your demo app?
>>>
>>> Dan
>>>
>>> Dan Ellentuck
>>> Columbia University I.T.
>>>
>>>
>>> On Wed, May 13, 2020 at 12:51 PM Bryan Wooten 
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I wrote a brain dead simple CAS servlet that demos attribute release
>>>> about 5 years ago. Worked as expected.
>>>>
>>>> But suddenly it does this:
>>>>
>>>> HTTP Status 500 – Internal Server Error
>>>> --
>>>>
>>>> *Type* Exception Report
>>>>
>>>> *Message* org.jasig.cas.client.validation.TicketValidationException:
>>>> Error processing SAML response
>>>>
>>>> *Description* The server encountered an unexpected condition that
>>>> prevented it from fulfilling the request.
>>>>
>>>> *Exception*
>>>>
>>>> javax.servlet.ServletException: 
>>>> org.jasig.cas.client.validation.TicketValidationException: Error 
>>>> processing SAML response
>>>>
>>>> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:227)
>>>>
>>>> org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
>>>>
>>>> *Root Cause*
>>>>
>>>> org.jasig.cas.client.validation.TicketValidationException: Error 
>>>> processing SAML response
>>>>
>>>> org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:162)
>>>>
>>>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)
>>>>
>>>> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
>>>>
>>>> org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
>>>>
>>>> *Root Cause*
>>>>
>>>> org.jasig.cas.client.validation.TicketValidationException: Invalid SAML 
>>>> assertion
>>>>
>>>> org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:128)
>>>>
>>>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)
>>>>
>>>> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
>>>>
>>>> org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
>>>>
>>>> *Note* The full stack trace of the root cause is available in the
>>>> server logs.
>>>>
>>>>
>>>> I can't find any errors on the cas (5.x) server itself. Other apps
>>>> hitting this cas server are not reporting any issues...
>>>>
>>>> Any hints?
>>>>
>>>> Cheers,
>>>>
>>>>
>>>> -Bryan
>>>>
>>>> University of Utah
>>>>

Re: [cas-user] SAML attribute release error

2020-05-13 Thread Bryan Wooten
cas-client-core-3.4.1.jar and cas-client-support-saml-3.40.jar

I should have included that in the first place, apologies.

-Bryan

On Wed, May 13, 2020 at 11:00 AM Daniel Ellentuck  wrote:

> Hi Bryan,
>
> CAS client version, plus supporting libraries on your demo app?
>
> Dan
>
> Dan Ellentuck
> Columbia University I.T.
>
>
> On Wed, May 13, 2020 at 12:51 PM Bryan Wooten  wrote:
>
>> Hi all,
>>
>> I wrote a brain dead simple CAS servlet that demos attribute release
>> about 5 years ago. Worked as expected.
>>
>> But suddenly it does this:
>>
>> HTTP Status 500 – Internal Server Error
>> --
>>
>> *Type* Exception Report
>>
>> *Message* org.jasig.cas.client.validation.TicketValidationException:
>> Error processing SAML response
>>
>> *Description* The server encountered an unexpected condition that
>> prevented it from fulfilling the request.
>>
>> *Exception*
>>
>> javax.servlet.ServletException: 
>> org.jasig.cas.client.validation.TicketValidationException: Error processing 
>> SAML response
>>  
>> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:227)
>>  
>> org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
>>
>> *Root Cause*
>>
>> org.jasig.cas.client.validation.TicketValidationException: Error processing 
>> SAML response
>>  
>> org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:162)
>>  
>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)
>>  
>> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
>>  
>> org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
>>
>> *Root Cause*
>>
>> org.jasig.cas.client.validation.TicketValidationException: Invalid SAML 
>> assertion
>>  
>> org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:128)
>>  
>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)
>>  
>> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
>>  
>> org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)
>>
>> *Note* The full stack trace of the root cause is available in the server
>> logs.
>>
>>
>> I can't find any errors on the cas (5.x) server itself. Other apps
>> hitting this cas server are not reporting any issues...
>>
>> Any hints?
>>
>> Cheers,
>>
>>
>> -Bryan
>>
>> University of Utah
>>


[cas-user] SAML attribute release error

2020-05-13 Thread Bryan Wooten
Hi all,

I wrote a brain dead simple CAS servlet that demos attribute release about
5 years ago. Worked as expected.

But suddenly it does this:

HTTP Status 500 – Internal Server Error
--

*Type* Exception Report

*Message* org.jasig.cas.client.validation.TicketValidationException: Error
processing SAML response

*Description* The server encountered an unexpected condition that prevented
it from fulfilling the request.

*Exception*

javax.servlet.ServletException:
org.jasig.cas.client.validation.TicketValidationException: Error
processing SAML response

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:227)

org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

*Root Cause*

org.jasig.cas.client.validation.TicketValidationException: Error
processing SAML response

org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:162)

org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)

org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

*Root Cause*

org.jasig.cas.client.validation.TicketValidationException: Invalid
SAML assertion

org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:128)

org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)

org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

*Note* The full stack trace of the root cause is available in the server
logs.


I can't find any errors on the cas (5.x) server itself. Other apps hitting
this cas server are not reporting any issues...

Any hints?

Cheers,


-Bryan

University of Utah



Re: [cas-user] CAS 6.1.4 - Unable to resolve Duo and Hazelcast dependencies

2020-02-28 Thread Bryan Wooten
Much appreciated

I found our error. Looking at:
https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#dependencies

We cut and pasted: compile
"org.apereo.cas:cas-server-support-hazlcast-ticket-registry:${casServerVersion}"

There is a slight typo, "hazlcast" vs. "hazelcast".

We are good to go now.. :)

Cheers,

-Bryan


On Tue, Feb 25, 2020 at 3:41 AM Jérôme LELEU  wrote:

> Hi,
>
> The Hazelcast dependency is available in the Maven central repository as
> most dependencies.
> Thanks.
> Best regards,
> Jérôme
>
>
> Le lun. 24 févr. 2020 à 17:43, Bryan Wooten  a
> écrit :
>
>> Thanks for the fast reply!
>>
>> The URL you sent was added to the build.gradle and resolved the Duo
>> issue.
>>
>> Unfortunately, the build is still failing on the Hazelcast dependency.
>>
>> -Bryan
>>
>> On Mon, Feb 24, 2020 at 9:34 AM Jérôme LELEU  wrote:
>>
>>> Hi,
>>>
>>> You need to add the Unicon repository:
>>> https://github.com/apereo/cas/blob/master/gradle/maven.gradle#L197
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> Le lun. 24 févr. 2020 à 17:14, Bryan Wooten  a
>>> écrit :
>>>
>>>> Following the instructions here:
>>>>
>>>>
>>>> https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#dependencies
>>>>
>>>>
>>>> We are trying to add dependencies for Hazelcast and Duo by adding to
>>>> the build.gradle file:
>>>>
>>>> compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"
>>>>
>>>> compile
>>>> "org.apereo.cas:cas-server-support-hazlcast-ticket-registry:${casServerVersion}"
>>>>
>>>> Any help appreciated,
>>>>
>>>> -Bryan
>>>>
>>>> But we get these errors:
>>>>
>>>> Could not resolve all files for configuration ':runtimeClasspath'.
>>>>> Could not resolve
>>>> org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
>>>>  Required by:
>>>>  project :
>>>>   > Could not resolve
>>>> org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
>>>>  > Could not get resource '
>>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'
>>>> .
>>>> > Could not GET '
>>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'.
>>>>  Received
>>>> status code 409 from server:
>>>>> Could not resolve net.unicon.iam:duo-client:0.2.2.
>>>>  Required by:
>>>>  project : > org.apereo.cas:cas-server-support-duo:6.1.4 >
>>>> org.apereo.cas:cas-server-support-duo-core:6.1.4
>>>>   > Could not resolve net.unicon.iam:duo-client:0.2.2.
>>>>  > Could not get resource '
>>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'
>>>> .
>>>> > Could not HEAD '
>>>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
>>>>  Received
>>>> status code 409 from server:
>>>>
>>>>
>>
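
The build failure in this thread came down to a one-letter typo in a dependency coordinate ("hazlcast" for "hazelcast"), which Gradle reported only as a failed resolution. As an added example (not code from the thread or from the CAS project), the following Python script checks the coordinates declared in a build.gradle against a reviewed allow-list and flags near-miss names before the build tries to resolve them from every configured repository; the allow-list contents, the function names and the sample file are assumptions built from the artifact names mentioned in this thread.

```python
import re

# Assumption: a reviewed allow-list of artifacts per group. The names below are
# the ones that appear in this thread; a real list would come from your own
# reviewed dependency manifest.
ALLOWED = {
    "org.apereo.cas": {
        "cas-server-support-duo",
        "cas-server-support-duo-core",
        "cas-server-support-hazelcast-ticket-registry",
        "cas-server-support-jpa-ticket-registry",
        "cas-server-core-tickets",
    },
}

# Matches string-notation declarations such as
#   compile "group:artifact:${version}"
DEP_RE = re.compile(
    r"\b(?:compile|implementation|api|runtimeOnly|compileOnly)\s+"
    r"[\"'](?P<group>[^:\"'\s]+):(?P<artifact>[^:\"'\s]+):(?P<version>[^\"'\s]+)[\"']"
)


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def audit_build_gradle(text, allowed=ALLOWED, max_typo_distance=2):
    """Return one finding per declared coordinate that is not on the allow-list.

    status is one of:
      near-miss         artifact is within max_typo_distance of a reviewed name
                        (likely typo, and the pattern typosquatting relies on)
      unknown-artifact  group is reviewed, artifact is not close to anything
      unreviewed-group  group has no allow-list entry at all
    """
    # Drop whole-line comments so commented-out dependencies are not reported.
    code = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("//"))
    findings = []
    for m in DEP_RE.finditer(code):
        group, artifact = m["group"], m["artifact"]
        finding = {"coordinate": f"{group}:{artifact}", "artifact": artifact,
                   "status": None, "suggestion": None, "distance": None}
        known = allowed.get(group)
        if known is None:
            finding["status"] = "unreviewed-group"
            findings.append(finding)
            continue
        if artifact in known:
            continue
        # Closest reviewed name; ties broken alphabetically for stable output.
        best = min(known, key=lambda name: (edit_distance(artifact, name), name))
        dist = edit_distance(artifact, best)
        if dist <= max_typo_distance:
            finding.update(status="near-miss", suggestion=best, distance=dist)
        else:
            finding["status"] = "unknown-artifact"
        findings.append(finding)
    return findings


# Constructed sample: the two declarations quoted in the thread.
SAMPLE_BUILD_GRADLE = '''
dependencies {
    compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-hazlcast-ticket-registry:${casServerVersion}"
}
'''

if __name__ == "__main__":
    for f in audit_build_gradle(SAMPLE_BUILD_GRADLE):
        hint = f" (did you mean {f['suggestion']}?)" if f["suggestion"] else ""
        print(f"{f['status']}: {f['coordinate']}{hint}")
```

Run as a pre-build step, a non-empty result can fail the pipeline so a mistyped name is caught by review rather than by whichever repository happens to answer for it.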

Re: [cas-user] CAS 6.1.4 - Unable to resolve Duo and Hazelcast dependencies

2020-02-24 Thread Bryan Wooten
Thanks for the fast reply!

The URL you sent was added to the build.gradle and resolved the Duo issue.

Unfortunately, the build is still failing on the Hazelcast dependency.

-Bryan

On Mon, Feb 24, 2020 at 9:34 AM Jérôme LELEU  wrote:

> Hi,
>
> You need to add the Unicon repository:
> https://github.com/apereo/cas/blob/master/gradle/maven.gradle#L197
> Thanks.
> Best regards,
> Jérôme
>
>
> Le lun. 24 févr. 2020 à 17:14, Bryan Wooten  a
> écrit :
>
>> Following the instructions here:
>>
>>
>> https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#dependencies
>>
>>
>> We are trying to add dependencies for Hazelcast and Duo by adding to the
>> build.gradle file:
>>
>> compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"
>>
>> compile
>> "org.apereo.cas:cas-server-support-hazlcast-ticket-registry:${casServerVersion}"
>>
>> Any help appreciated,
>>
>> -Bryan
>>
>> But we get these errors:
>>
>> Could not resolve all files for configuration ':runtimeClasspath'.
>>> Could not resolve
>> org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
>>  Required by:
>>  project :
>>   > Could not resolve
>> org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
>>  > Could not get resource '
>> https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'
>> .
>> > Could not GET '
>> https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'.
>>  Received
>> status code 409 from server:
>>> Could not resolve net.unicon.iam:duo-client:0.2.2.
>>  Required by:
>>  project : > org.apereo.cas:cas-server-support-duo:6.1.4 >
>> org.apereo.cas:cas-server-support-duo-core:6.1.4
>>   > Could not resolve net.unicon.iam:duo-client:0.2.2.
>>  > Could not get resource '
>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'
>> .
>> > Could not HEAD '
>> https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
>>  Received
>> status code 409 from server:
>>
>>


[cas-user] CAS 6.1.4 - Unable to resolve Duo and Hazelcast dependencies

2020-02-24 Thread Bryan Wooten
Following the instructions here:

https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#dependencies


We are trying to add dependencies for Hazelcast and Duo by adding to the
build.gradle file:

compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"

compile
"org.apereo.cas:cas-server-support-hazlcast-ticket-registry:${casServerVersion}"

Any help appreciated,

-Bryan

But we get these errors:

Could not resolve all files for configuration ':runtimeClasspath'.
   > Could not resolve
org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
 Required by:
 project :
  > Could not resolve
org.apereo.cas:cas-server-support-hazlcast-ticket-registry:6.1.4.
 > Could not get resource '
https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'
.
> Could not GET '
https://oss.jfrog.org/artifactory/oss-snapshot-local/org/apereo/cas/cas-server-support-hazlcast-ticket-registry/6.1.4/cas-server-support-hazlcast-ticket-registry-6.1.4.pom'.
Received
status code 409 from server:
   > Could not resolve net.unicon.iam:duo-client:0.2.2.
 Required by:
 project : > org.apereo.cas:cas-server-support-duo:6.1.4 >
org.apereo.cas:cas-server-support-duo-core:6.1.4
  > Could not resolve net.unicon.iam:duo-client:0.2.2.
 > Could not get resource '
https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'
.
> Could not HEAD '
https://oss.jfrog.org/artifactory/oss-snapshot-local/net/unicon/iam/duo-client/0.2.2/duo-client-0.2.2.pom'.
Received
status code 409 from server:



[cas-user] CAS - Docker - SLO

2019-09-16 Thread Bryan Wooten
Ok I have 800+ servers using CAS, SLO is an ongoing issue.

So now I have a major department moving to Docker, my SLO "solution" to SLO
does work at ( forwarding SLO requests in a load balanced sticky session
env). It depends on static DNS server names.

Anyone doing Docker SLO? It is all new territory for me.

Thanks,

Bryan

University of Utah



Re: [cas-user] Deadlocks and Uncommited Transaction

2019-08-14 Thread Bryan Wooten
We started with JPA ticket registry back in the 3.x days. Ran into the same
issue.

We moved to ehcache then to hazelcast.

We do about 300k (with Duo) logins per day. I would never recommend JPA
because of this exact issue.

-Bryan

University of Utah

On Fri, Oct 5, 2018 at 5:50 PM Trevor Fong  wrote:

> Hi There,
>
> We've been trying out CAS 5.2.4 in a clustered environment with the ticket
> registry in an Oracle 12c database.  We've been seeing tons of persistent
> deadlock errors after a load test - you kill one locker and another
> deadlock springs up.
> Our DBA tells us that deadlocks were seen against the tables LOCKS,
> SERVICETICKET, TICKETGRANTINGTICKET
> Checking the catalina.out log, tons of messages like this:
>
> 2018-10-04 22:45:06,347 WARN
> [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] -  SQLState: 61000>
> 2018-10-04 22:45:06,347 ERROR
> [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] -  detected while waiting for resource
> >
> 2018-10-04 22:45:06,347 ERROR
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -
>  statement>
> javax.persistence.PersistenceException:
> org.hibernate.exception.LockAcquisitionException: could not execute
> statement
> at
> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:149)
> ~[hibernate-core-5.2.13.Final.jar:5.2.13.Final]
> at
> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:157)
> ~[hibernate-core-5.2.13.Final.jar:5.2.13.Final]
> at
> org.hibernate.query.internal.AbstractProducedQuery.executeUpdate(AbstractProducedQuery.java:1514)
> ~[hibernate-core-5.2.13.Final.jar:5.2.13.Final]
> at
> org.apereo.cas.ticket.registry.JpaTicketRegistry.deleteTicketGrantingTickets(JpaTicketRegistry.java:177)
> ~[cas-server-support-jpa-ticket-registry-5.2.4.jar:5.2.4]
> at
> org.apereo.cas.ticket.registry.JpaTicketRegistry.deleteSingleTicket(JpaTicketRegistry.java:145)
> ~[cas-server-support-jpa-ticket-registry-5.2.4.jar:5.2.4]
> at
> org.apereo.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:126)
> ~[cas-server-core-tickets-5.2.4.jar:5.2.4]
> at
> org.apereo.cas.ticket.registry.AbstractTicketRegistry$$FastClassBySpringCGLIB$$d3c67a11.invoke()
> ~[cas-server-core-tickets-5.2.4.jar:5.2.4]
> at
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
> ~[spring-core-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at
> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:669)
> ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at
> org.apereo.cas.ticket.registry.JpaTicketRegistry$$EnhancerBySpringCGLIB$$45967896.deleteTicket()
> ~[cas-server-support-jpa-ticket-registry-5.2.4.jar:5.2.4]
> at sun.reflect.GeneratedMethodAccessor351.invoke(Unknown Source)
> ~[?:?]
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:1.8.0_172]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_172]
> at
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
> ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
> ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
> ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at
> org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
> ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at
> org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
> ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
> ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
> ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
> at com.sun.proxy.$Proxy104.deleteTicket(Unknown Source) ~[?:?]
> at
> org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner.cleanTicket(DefaultTicketRegistryCleaner.java:78)
> ~[cas-server-core-tickets-5.2.4.jar:5.2.4]
> at
> java.util.stream.ReferencePipeline$4$1.accept(ReferencePipeline.java:210)
> ~[?:1.8.0_172]
> at
> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175)
> ~[?:1.8.0_172]
> at java.util.Iterator.forEachRemaining(Iterator.java:116)
> ~[?:1.8.0_172]
> at
> java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
> ~[?:1.8.0_172]
> at
> 

Re: [cas-user] Re: CAS not redirecting to service after successful authentication.

2019-03-26 Thread Bryan Wooten
Is there a load balancer involved?

I see you have a mix of https and http in the configuration.

We had a similar issue with .Net. Our load balancer was not configured to
redirect http to https.

-Bryan

On Tue, Mar 26, 2019 at 4:30 PM Pablo Vidaurri  wrote:

> Have you found a solution for this? I'm using a java client also using
> saml11 filter and I can't get my cas server to redirect back to my
> application after login
>
>
>
> On Monday, May 7, 2018 at 9:12:34 AM UTC-5, Neha Gupta wrote:
>>
>> Dear All,
>>
>> I am trying to integrate CAS with ASP.NET application.
>> Everything is working fine but CAS is not able to redirect to the
>> destination service and showing its own logged in page.
>>
>> Final URL is: - https://idiv-dev1:8443/cas/login?TARGET=
>> *http%3a%2f%2flocalhost%3a60397%2f*
>>
>> where in TARGET my service URL is defined where I want CAS to redirect.
>>
>> Following configuration I have done in "*web.config*" file: -
>>
>> *> casServerLoginUrl="https://idiv-dev1:8443/cas/login;
>> casServerUrlPrefix="https://idiv-dev1:8443/cas/;
>> serverName="http://localhost:60397/;
>> notAuthorizedUrl="~/NotAuthorized.aspx"
>> redirectAfterValidation="true"
>>  renew="false"
>> singleSignOut="true"
>> ticketValidatorName="Saml11"
>> serviceTicketManager="CacheServiceTicketManager"
>> * />*
>>
>> * *
>>   https://idiv-dev1:8443/cas/login; cookieless="UseCookies" />
>> **
>>
>> Along with this configuration I have also mentioned in "*FilterConfig.cs*"
>> below two lines: -
>>
>> filters.Add(new System.Web.Mvc.AuthorizeAttribute());
>> filters.Add(new RequireHttpsAttribute());
>>
>>
>> Please let me know where is the problem as I have no clue.
>>
>> PS: - I have registered the service with CAS and also below service is
>> present which authorizes all services to pass through CAS: -
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "*^(https|imaps|http)://.**",
>>   "name" : "Apereo",
>>   "theme" : "apereo",
>>   "id" : 1002,
>>   "description" : "Apereo foundation sample service",
>>   "evaluationOrder" : 1
>>"accessStrategy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "enabled" : true,
>> "ssoEnabled" : true
>>   }
>> }
>>
>>
>>
>>
>> Regards
>> Neha Gupta
>>


Re: [cas-user] Which ticket repository are you using?

2019-02-22 Thread Bryan Wooten
1. Hazelcast
2. 4
3. 4
4. Same server
5. 200k per day using Duo (employees). Students add more. I have seen 400k
total per day.
6. No issues

Bryan
University of Utah

On Fri, Feb 22, 2019 at 10:12 AM  wrote:

> Hi everyone,
>
> A few questions for those of you who are using a distributed or high
> availability CAS implementation (i.e., more than one server in a pool of
> some sort):
>
>1. Which technology are you using for your ticket repository?
>2. How many CAS servers are you running?
>3. How many ticket repository servers?
>4. Are CAS and the ticket repository running on the same server or
>different?
>5. What's your average / peak load in terms of number of logins per
>second/minute/something?
>6. What problems have you had, if any?
>
> To answer these for us:
>
> 1. Mongo DB
> 2. 5
> 3. 5
> 4. Same servers
> 5. 30,000 STs validated in an average day.
> 6. Under peak load (like during course registration, when all the students
> try to log in right at 8:00am), we have had problems with CAS working fine
> for TGT and ST creation, but then ST validation fails because the ticket
> isn't in the database yet. We're pretty sure that the problem has to do
> with how Mongo DB writes things to disk, and think it might be possible to
> fix it with some tweaking, but advanced Mongo DB configuration seems to be
> somewhat of a black art, and the documentation frankly sucks.
>
> The decision to use Mongo DB for the ticket registry was made for no
> better reason than "...well, we're already using it for the service
> registry, and we don't know much about any of the other options anyway,
> so..." :-). So maybe it wasn't the best choice--certainly there's no reason
> that tickets actually need to reside on disk.
>
> And now we're thinking it might be easier to just replace it with a better
> technology for the ticket registry rather than trying to figure out the
> magical incantations that might make it work better. Hence the questions
> above -- we'd like to know what other folks' experiences have been, so that
> maybe we can make a better choice the second time around.
>
> Thanks,
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>


Re: [cas-user] Cas heap filling up quickly

2018-11-16 Thread Bryan Wooten
We also use Hazelcast across 4 CAS nodes, all active (behind a Citrix
Netscaler with sticky sessions). We do about 400k logins per day. (30k
students and 20k staff).

Duo enabled for all employees. We don't use any Proxy Tickets at this time.

I have 600+ servers in the JSON Service Registry, all wildcarded after the
DNS name, so probably well over 1000 applications.

We are on CAS 5.2.x running on Tomcat. This ps -ef shows our startup
settings. We never reboot. We use the default 8 hour TGT timeout.

/opt/java/java/bin/java
-Djava.util.logging.config.file=/opt/tomcat/tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms4096m
-Xmx4096m -Xloggc:/opt/tomcat/tomcat/logs/gc.log -XX:+PrintHeapAtGC
-XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:-HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/var/tmp/tomcat-7 -XX:+DisableExplicitGC
-XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:MaxGCPauseMillis=500
-Djava.endorsed.dirs=/opt/tomcat/tomcat/endorsed -classpath
/opt/tomcat/tomcat/bin/bootstrap.jar:/opt/tomcat/tomcat/bin/tomcat-juli.jar
-Dcatalina.base=/opt/tomcat/tomcat -Dcatalina.home=/opt/tomcat/tomcat
-Djava.io.tmpdir=/opt/tomcat/tomcat/temp
org.apache.catalina.startup.Bootstrap start

GC with Java is a black art. This just works for us.

Hope this helps.

-Bryan

University of Utah

On Fri, Nov 16, 2018 at 2:49 PM Nono  wrote:

> Hello everyone,
>
> We successfully deployed on production a cas v5.2.3 a couple of days ago.
>
> Our configuration is : two active/passive CAS nodes with an in-memory (same
> JVM as CAS) Hazelcast cluster that replicates the tickets.
>
> Everything worked fine for the first two hours, but when the connections
> ramped up, the active node froze. We realized that the heap (2g max) was
> full, so we stopped both nodes to bump up the xmx to 6g on each node.
>
> After that CAS worked perfectly.
> When monitoring the heap through the day, we noticed a very steep curve
> going from 1g around 9am to a max around 11am at 5.5g. Then the curve
> flattened and stayed around 5.5 until 8pm. After that the heap went down to
> around 4g.
>
> During the 11am - 8pm period, several things happened :
>
> - master GC time increased up to 3s, degrading the response time of the
> applications that use CAS. We suspect this is related to cache eviction,
> the frequency was around one major GC every 30 min.
>
> - some users were disconnected without notice during the afternoon (or
> had issues granting PTs), obviously a consequence of the cache hitting its
> max allowed size and aggressively evicting tickets.
>
> We suspected an eviction problem with Hazelcast, so we did a heap dump and
> we installed Hazelcast management center.
>
> Our first observations were :
>
> - we had a backup count set at 1 which doubled the size of the cluster.
> - we had a huge amount of PGT : around 20 for 3000 TGT
> - PGT are quite big >10k (dixit hazelcast mancenter)
>
> So for the next day we disabled the hazelcast backup.
>
> Now our heap usage is a little better.
> The heap starts around 1g at 9am to plateau at 5.5g around 12. From 12 to
> 4pm the curve stays flat around 5.5g with only minor GC. Around 4pm major GC
> occurs every 30 min until 6pm, then the heap goes down.
>
> Our tickets are supposed to expire after 6h. So, the way I read this is :
> people start working around 9am, they produce a lot of tickets between 9 and
> 12, hence the steep curve. Between 12 and 14 the activity slows down and
> ticket production stops while the tickets created around 8am start to be
> evicted slowly. After 14 activity starts again and tickets are created.
> Around 4pm the cache is full and massively evicts the tickets created in
> the morning, hence the major GCs.
>
> No users complained about being disconnected, but the heap stays close to
> its max a good part of the day, and we still have around 20 pgts for
> 3000 TGT. And we have around 350 threads running all day.
>
> Our configuration is :
> Xmx 6g
> Eviction policy : default with TTL 6h ttk 6h for tgt (and PGT)
> LFU
> Hazelcast max heap size 70
> GC g1c java 8
> Cas War overlay with undertow
> A dozen webapps using 60+ webservices all protected by cas
>
>
> For now it works but we have to restart the nodes every night to clean
> the heap.
> I don't like the idea of the heap being 90% full all day; if the
> number of connections increases we might have unwanted disconnections
> again. And the thread number is a concern as well. And I would like to do
> something about these issues.
>
> My questions :
>
> - are these numbers normal ?
>   - 20 pgts for 3000 tgt
>   - 3g of pgts ?
>   - 350 thread all day ?
>   - 90% of the heap full all day ?
>   - is our eviction policy correct ?
>
> I can't decide if we have a memory leak or if it's a normal situation
> considering our 3000 users and our 70+ applications linked by CAS.
> We would feel more comfortable if the heap wasn't at 90% all day.
>
> We have several options now :
>
> - try 

[cas-user] WSO2 Gateway integration

2018-11-14 Thread Bryan Wooten
Hi all,

I am working with a team using WSO2 for "micro services"/ restful api using
OAuth / JWT.

So to start with we are using CAS 5.2.x customized for Duo to our specs
(Thanks Unicon).

I am new at this OAuth stuff so forgive me if I have this all wrong...

So using this as a start:

https://apereo.github.io/cas/5.2.x/installation/OAuth-OpenId-Authentication.html

I need to add this to our overlay to begin?:


<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-oauth-webflow</artifactId>
  <version>${cas.version}</version>
</dependency>


This creates OAuth endpoints on the CAS server that I can specify/require
in my JSON service registry for the OAuth client app?

So the flow is this? (Trying to keep OAuth terminology)

1. Resource owner (i.e. user) contacts client (Web app or other)
2. Client asks CAS for login creds.
3. CAS defers auth to WSO2 OAuth Gateway for auth
4. WSO2 uses the SAME CAS to Auth
5. Many 302 redirects later...
6. Resource owner sends JWT to client?
7. Client verifies JWT with WSO2
8. WSO2 verifies JWT
9. Client returns data/access to user/resource owner

Is this even close?

As always, any tips/help/resources appreciated.

Bryan

University of Utah



[cas-user] Home brewed PHP CAS client

2018-10-13 Thread Bryan Wooten
Hi all,

So I have this one application (PHP on Apache) that wants to write their
own CAS PHP client. Yeah a bad idea I know.

Anyway they don't like mod_auth_cas because it takes auth out of the
application and delegates it to Apache? (My opinion is that this is the
least effort solution)

They don't like the PHP CAS client because it has a dependency on libcurl?
(Apparently ten years ago IT didn't allow libcurl to be installed? Not the
case today.)

This idea is going to ISO for approval, but in the meantime I could use all
the pros(?)/cons of this approach.

In the event this does get approved what are some behaviors I can monitor
on the CAS server side to minimize / test for issues? I know SLO will be a
big one as well as session timeout.

Thanks,

Bryan

University of Utah



[cas-user] Quick Java client filter mapping question.

2018-10-04 Thread Bryan Wooten
I believe filter mappings are regex expressions.

So with the proper regex I can protect:

/secure/* but exclude a url like:

/secure/notsensitve/*

Thanks,
Bryan

University of Utah
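
Added example (not part of the original post, and not code from the Java CAS client): servlet `<url-pattern>` values are matched by the container's exact / path-prefix / extension rules, while the Java CAS client filters accept an `ignorePattern` init-param whose `ignoreUrlPatternType` can be `REGEX`. The Python model below reproduces both rules so an exclusion can be checked against URLs that must stay protected. The host name, sample URLs and function names are constructed, and the model assumes the client runs an unanchored regex search over the request URL with its query string appended.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: a hypothetical application at the context root.
BASE = "https://app.example.edu"
MUST_PROTECT = [
    BASE + "/secure/reports",
    # protected page whose query string happens to contain the excluded path
    BASE + "/secure/reports?return=/secure/notsensitve/",
]
MAY_SKIP = [
    BASE + "/secure/notsensitve/",
    BASE + "/secure/notsensitve/help.html",
]

LOOSE_IGNORE = r"/secure/notsensitve/"
ANCHORED_IGNORE = r"^https://app\.example\.edu/secure/notsensitve/[^?#]*(\?.*)?$"


def servlet_pattern_matches(url_pattern: str, path: str) -> bool:
    """Servlet <url-pattern> rules: '/prefix/*', '*.ext' or exact match.

    The pattern text is never compiled as a regular expression.
    """
    if url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]                 # "/secure/*" -> "/secure"
        return path == prefix or path.startswith(prefix + "/")
    if url_pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(url_pattern[1:])
    return path == url_pattern


def ignore_regex_excludes(ignore_pattern: str, full_url: str) -> bool:
    """Model of ignoreUrlPatternType=REGEX (assumption: unanchored search over
    the request URL with the query string appended)."""
    return re.search(ignore_pattern, full_url) is not None


def filter_challenges(url_pattern: str, ignore_pattern: str, full_url: str) -> bool:
    """True when the CAS filter would demand authentication for full_url."""
    path = urlsplit(full_url).path
    if not servlet_pattern_matches(url_pattern, path):
        return False                              # filter is not mapped here
    return not ignore_regex_excludes(ignore_pattern, full_url)


def audit_exclusion(url_pattern, ignore_pattern, must_protect, may_skip):
    """List every URL where the mapping plus exclusion behaves unexpectedly."""
    findings = []
    for url in must_protect:
        if not filter_challenges(url_pattern, ignore_pattern, url):
            findings.append(("unprotected", url))
    for url in may_skip:
        if filter_challenges(url_pattern, ignore_pattern, url):
            findings.append(("still-challenged", url))
    return findings


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE_IGNORE), ("anchored", ANCHORED_IGNORE)):
        print(label, audit_exclusion("/secure/*", pattern, MUST_PROTECT, MAY_SKIP))
```

Anchoring the exclusion to scheme, host and path keeps it from matching text that only appears in a query string.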



[cas-user] CAS Proxy

2018-10-02 Thread Bryan Wooten
All,

I am trying to implement our first CAS proxy.

I have read
https://apereo.github.io/cas/5.0.x/installation/Configuring-Proxy-Authentication.html

This is our exact use case. But I am having trouble truly understanding.

Currently our JSON service registry has this entry for the desired server:


{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://gatetest.acs.utah.edu/.*",
  "name": "testCis",
  "id": 4,
  "description": "Test Portal",
  "evaluationOrder": 4,
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern": "^https?://.*"
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true
  }
}

Our CAS server is behind a Citrix Load Balancer that does SSL termination.
So I am not sure if I need SSL on the CAS server itself for this.

Also my JSON service registry file does not seem to match this (from above
link):

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "test",
  "id" : 1,
  "evaluationOrder" : 0,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : true
  },
  "publicKey" : {
    "@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
    "location" : "classpath:RSA1024Public.key",
    "algorithm" : "RSA"
  }
}

All endpoints are Java.

I would love examples of client side Java filter configuration and CAS
server side JSON service registry configuration.

Do I really need SSL and associated keys if the Load Balancer is doing SSL
offloading?

Thanks for any and all help,

Bryan

University of Utah
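
Added example (not part of the original post, and not CAS code): a small Python check that probes the `serviceId` and `proxyPolicy` regexes of a registry entry with URLs a single-application registration should never accept. `PAGE_ENTRY` repeats the patterns from the first entry in this message; `TIGHTENED_ENTRY`, its `/proxyCallback` path, the probe URLs and the function names are constructed for illustration, and the check assumes the patterns behave the same in Python's `re` as in Java.

```python
import json
import re

# Constructed probe URLs: neither belongs to the registered application.
FOREIGN_HTTPS = "https://unrelated.example.net/app"
FOREIGN_HTTP = "http://unrelated.example.net/app"

# Patterns copied from the first registry entry in the message above.
PAGE_ENTRY = json.loads(r'''
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://gatetest.acs.utah.edu/.*",
  "name": "testCis",
  "id": 4,
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern": "^https?://.*"
  }
}
''')

# Constructed variant: dots escaped, proxy callback pinned to one HTTPS URL.
# The /proxyCallback path is hypothetical.
TIGHTENED_ENTRY = json.loads(r'''
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://gatetest\\.acs\\.utah\\.edu/.*",
  "name": "testCis",
  "id": 4,
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern": "^https://gatetest\\.acs\\.utah\\.edu/proxyCallback$"
  }
}
''')


def accepts(pattern: str, url: str) -> bool:
    # search() is the more permissive of search/fullmatch, so whichever of the
    # two the server applies, the lint errs towards reporting.
    return re.search(pattern, url) is not None


def lookalike_url(pattern: str):
    """If the literal host in the pattern has unescaped dots, return a URL on a
    different host (dots swapped for '-') that the pattern would still accept."""
    m = re.match(r"\^?https\??://([A-Za-z0-9.\\-]+)/", pattern)
    if not m:
        return None
    host = m.group(1)
    if not re.search(r"(?<!\\)\.", host):
        return None                      # every dot is escaped
    swapped = re.sub(r"(?<!\\)\.", "-", host).replace("\\", "")
    return "https://" + swapped + "/"


def check_pattern(label: str, pattern: str) -> list:
    findings = []
    if accepts(pattern, FOREIGN_HTTPS):
        findings.append(label + "-any-host")
    if accepts(pattern, FOREIGN_HTTP):
        findings.append(label + "-cleartext-http")
    probe = lookalike_url(pattern)
    if probe and accepts(pattern, probe):
        findings.append(label + "-unescaped-dot")
    return findings


def lint_service(entry: dict) -> list:
    """Return finding codes for one registry entry (empty list means clean)."""
    findings = check_pattern("serviceId", entry.get("serviceId", ""))
    proxy = entry.get("proxyPolicy", {})
    if proxy.get("@class", "").endswith("RegexMatchingRegisteredServiceProxyPolicy"):
        findings += check_pattern("proxy", proxy.get("pattern", ""))
    return findings


if __name__ == "__main__":
    print("page entry:     ", lint_service(PAGE_ENTRY))
    print("tightened entry:", lint_service(TIGHTENED_ENTRY))
```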



[cas-user] mod_auth_cas and mod_auth_basic compatibility

2018-09-21 Thread Bryan Wooten
Hi all,

I have a department that uses mod_auth_basic for local login (non UofU
persons) and defers to an ancient home grown CAS proxy (don't ask) for SSO
for UofU persons.

Anyway if I understand Apache at all, each of these can be configured to
protect specific endpoints and afterward subsequent URLs should not be
asking to login.

Does that make sense?

Any tips, comments appreciated.

-Bryan (from my home email)

University of Utah



[cas-user] Java CAS client /Tomcat Realm

2018-09-07 Thread Bryan Wooten
I am trying to implement the Java Client on my Tomcat server but I am now
running into this exception:

java.lang.ClassCastException: org.jasig.cas.client.validation.AssertionImpl
cannot be cast to org.jasig.cas.client.validation.Assertion
at
org.jasig.cas.client.tomcat.AuthenticatorDelegate.authenticate(AuthenticatorDelegate.java:83)

My server.xml looks like this:


   If you do not need to map users to roles via a
grouper-users.properties file use this.
   
 https://test.go.utah.edu/cas/login;
 casServerUrlPrefix="https://test.go.utah.edu/cas/"
 serverName="iam-grouper3.idm.utah.edu:8080"
   />
  
  


And my Tomcat-users.xml has this:



We built the CAS client from here: https://github.com/apereo/java-cas-client

I had to add the following jars to tomcat/lib:
-rw-r--r-- 1 root root   18544 Sep  4 10:35
cas-client-integration-tomcat-v85-3.5.1-SNAPSHOT.jar
-rw-r--r-- 1 root root  148773 Sep  4 10:59
cas-client-core-3.5.1-SNAPSHOT.jar
-rw-r--r-- 1 root root   12355 Sep  4 10:59
cas-client-integration-tomcat-common-3.5.1-SNAPSHOT.jar
-rw-r--r-- 1 root root  228154 Sep  4 15:34 log4j-api-2.8.2.jar
-rw-r--r-- 1 root root   32684 Sep  4 15:34 log4j-web-2.8.2.jar
-rw-r--r-- 1 root root   23124 Sep  4 15:34 log4j-slf4j-impl-2.8.2.jar
-rw-r--r-- 1 root root   12670 Sep  4 15:34 log4j-jcl-2.8.2.jar
-rw-r--r-- 1 root root 1407853 Sep  4 15:34 log4j-core-2.8.2.jar
-rw-r--r-- 1 root root   41203 Sep  4 15:35 slf4j-api-1.7.25.jar
-rw-r--r-- 1 root root   61829 Sep  4 15:47 commons-logging-1.2.jar
-rw-r--r-- 1 root root   10460 Sep  5 14:28
cas-client-support-saml-3.5.1-SNAPSHOT.jar
-rw-r--r-- 1 root root  640835 Sep  7 08:01 joda-time-2.10.jar

Any thoughts appreciated.

Thanks,

Bryan

University of Utah



[cas-user] CAS Java Client - Realms

2018-09-06 Thread Bryan Wooten
Hi all,

We are trying to CASify Grouper 2.4 (just released) per this:

https://spaces.at.internet2.edu/display/Grouper/Implementing+CAS+Authentication+for+Grouper

And reading this: https://github.com/apereo/java-cas-client

*Tomcat 6/7/8 Integration*

The client supports container-based CAS authentication and authorization
support for the Tomcat servlet container.

Suppose a single Tomcat container hosts multiple Web applications with
similar authentication and authorization needs. Prior to Tomcat container
support, each application would require a similar configuration of CAS
servlet filters and authorization configuration in the web.xml servlet
descriptor. Using the new container-based authentication/authorization
feature, a single CAS configuration can be applied to the container and
leveraged by all Web applications hosted by the container.

CAS authentication support for Tomcat is based on the Tomcat-specific Realm
component. The Realm component has a fairly broad surface area and
RealmBase is provided as a convenient superclass for custom
implementations; the CAS realm implementations derive from RealmBase.
Unfortunately RealmBase and related components have proven to change over
both major and minor number releases, which requires version-specific CAS
components for integration. We have provided 3 packages with similar
components with the hope of supporting all 6.x, 7.x and 8.x versions. *No
support for 5.x is provided.*

Using org.jasig.cas.client.tomcat.v85.PropertiesCasRealm works fine but
when we try using

org.jasig.cas.client.tomcat.v85.AssertionCasRealm and
org.jasig.cas.client.tomcat.v85.Saml11Authenticator

we get a Joda noClassDefFound error. So we are apparently missing some jar
file in tomcat/lib.

Any recommendations on where we should obtain this jar file?

Thanks,

-Bryan



Re: [cas-user] Re: CAS documentation for a new user is terrible

2018-08-05 Thread Bryan Wooten
I agree.

But in all honesty commercial software is not really better…

As a community there are limited resources that can be dedicated to docs,
it certainly will not gain me or you any points ($) at our org.

Just as a member of this community I sincerely appreciate any
docs/experiences/config you share.

And feel free to reach out to me personally, I will share anything I can.

-Bryan



On Fri, Jul 20, 2018 at 6:44 PM, Elendrys Yagami  wrote:

> I was totally thinking about posting a complaint about the doc. I spent
> hours a year ago to understand how to set up the soft. I am deploying the
> latest version now and while I forgot a lot about what I did and what I
> got, I also see that it grew.
>
> We can easily get "you want to do that, compile the module and add the
> settings". And I'd like to congratulate CAS developers to move from XML
> Land to a readable property file. But it's also true that the thousands
> lines long config page mixes everything in a messy way. You may not see the
> sentence with a link to extended explanations and get lost.
>
> You may use resources to make the project more attractive by giving a good
> doc. The paid solution should be an engineering assistance, not a "hey we
> develop it for free but the doc is so odd that you may not successfully
> deploy it on your own". Look at Docker, opensource, easy, clear, and then
> they add paid improvements for enterprise class services. They a
>


Re: [cas-user] Blackboard Ultra

2018-01-30 Thread Bryan Wooten
"I certainly hope that Bb is not sending a logout request to CAS when 'its'
session expires (not user initiated). That would single logout the user out
of all services (that participate in SLO) regardless of CAS settings ==>
unhappy users & confused administrators."

This topic begs the question: What does logout mean in an SSO world? Logout
of a single app or logout of SSO (all apps in the SSO session).

In an SSO environment if you logout of a single app but not the SSO
session, then if you go back to the app you get straight in because the SSO
session is still valid.

Now individual apps can mitigate this by setting "renew = true", but that
somewhat defeats the purpose of SSO does it not?

We have 500 servers in our CAS service registry and 90 using Shib (using
CAS for authentication). CAS includes on prem apps and cloud apps (off prem).

As the CAS / Shib admin I cannot control how all the servers will react.
They may or may not listen/respond to logout messages, heck they even maintain
their own session cookies for SLO/timeout.

It is a mess and has been since as long as my first IAM conference.

What does SLO/Logout even mean? Is it even possible to enforce any policy?
Let's not even address aggressive caching by browsers across tabs / windows
/ instances.

I gave up trying years ago, it is what it is.

Logout to me means the following steps:

1. Click logout.
2. Clear cache/cookies
3. Power off computer
4. Shoot computer with 12 gauge shotgun
5. Throw computer into nearest lake/ocean/river.

Without all those steps I don't believe you are "logged out".

On Tue, Jan 30, 2018 at 4:27 PM, Richard Frovarp 
wrote:

> I think that they are. From my recollection that was what came up on the
> Bb admin list a couple of years ago. You have to specify a logout URL, and
> it sends the user to it after it kills its own session. People are
> providing the IdP logout URL, so that kicks it off. My suggestion would be
> to provide a different logout URL other than the IdP.
>
>
> On 01/30/2018 11:38 AM, Ray Bon wrote:
>
> I certainly hope that Bb is not sending a logout request to CAS when 'its'
> session expires (not user initiated). That would single logout the user out
> of all services (that participate in SLO) regardless of CAS settings ==>
> unhappy users & confused administrators.
>
> Ray
>
> On Tue, 2018-01-30 at 09:42 -0600, Richard Frovarp wrote:
>
> Do you have a logout URL configured? Best I know is that when a session
> expires in Bb, it kills the Bb session, then sends the browser to the IdP
> logout URL, which would kill your TGT.
>
> On 01/30/2018 07:08 AM, Michael O Holstein wrote:
>
> We recently moved onto Blackboard's SaaS offering (aka "Ultra") and random
> users are telling us it times out of them. While I suspect this is an issue
> of opening the app, letting it sit for 2 hours, and then noticing their
> session went away (which should re-auth as the TGT is still valid on our
> end).
>
>
> Anyone else seen this? How'd you fix it? Our TGT/ST lifetimes are
> as-delivered default.
>
>
> Thanks,
>
>
> Michael Holstein CISSP
>
> Mgr. Network  & Data Security
>
> Cleveland State University
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>

Re: [cas-user] Disaster Recovery Site

2018-01-10 Thread Bryan Wooten
Thanks Eric,

Your configuration is almost identical to ours. Except we use OpenDJ for
credential store, have Duo enabled and use a JSON service registry.

What you describe is exactly what I had in mind.

I think the bigger challenge for me will be getting our LDAPs set up in the
DR site.

-Bryan

On Wed, Jan 10, 2018 at 10:07 AM, 'Mallory, Erik' via CAS Community <
cas-user@apereo.org> wrote:

> I did this last year.  We have a DR site with a VMware cluster. All told
> we have three vmware clusters two are in our main data center and the
> previously mentioned DR cluster. I created three RHEL 7 vms, set up maven,
> java 8 and tomcat 8 (not part of the base install RHEL 7)
>
> I use 389 on each host and leverage replication for service definitions.
> The idea is that each host can be nearly dependency free, save for our
> credential store, AD.
>
> All three hosts are configured behind a netscaler using a least connection
> strategy. SSL is terminated on the netscaler and communication is encrypted
> on the back end to each cas node. We are using Hazelcast for ticket
> registry, ldap for connections to our credential store and as previously
> mentioned, for our service definition store.
>
> I hope this helps, if you have questions I can probably help.
>
> Best,
>
> Erik Mallory
>
> Server Analyst
>
> Wichita State University
>
> *From: *<cas-user@apereo.org> on behalf of Bryan Wooten <
> ttbaja...@gmail.com>
> *Reply-To: *"cas-user@apereo.org" <cas-user@apereo.org>
> *Date: *Tuesday, January 9, 2018 at 7:04 PM
> *To: *"cas-user@apereo.org" <cas-user@apereo.org>
> *Subject: *[cas-user] Disaster Recovery Site
>
> Looking for any guidance / best practices for setting up CAS 5.x in a DR
> site.
>
> I have been tasked to architect CAS for our much broader DR project.
>
> We already have a remote Data Center as a location.
>
> Now I know once you start talking CAS many other systems get involved
> (Like LDAP which I am also responsible for).
>
> So I'll take any White Papers, personal experience, project plans,
> diagrams, etc.
>
> Cheers,
>
> Bryan
>
> University of Utah
>


Re: [cas-user] CAS itself doing AuthZ (deny users)

2017-06-23 Thread Bryan Wooten
Thanks Dima.

That may be just the ticket!

-Bryan

On Fri, Jun 23, 2017 at 2:06 PM, <dkopyle...@unicon.net> wrote:

> https://apereo.github.io/cas/5.1.x/installation/Configuring-Service-Access-Strategy.html
>
> D.
>
> On Jun 23, 2017, 15:59 -0400, Bryan Wooten <ttbaja...@gmail.com>, wrote:
>
> I just got this request from one of our developers:
>
> "The QA-team has an app called “QA Dashboard”.  They have asked us to
> CASify it, we’re assigning that work to BobtheDev.  But the app does have
> to be constrained to a very narrow set of authorized users.  Of course we
> could create a table to manage this, or develop an LDAP-attribute and then
> have CAS do CAS-AR, but I’m curious about the ability (or not?) to just
> have CAS auto-deny anyone who doesn’t have a specific LDAP-attribute?  Is
> that something CAS is capable of doing?  If not, is there a better approach
> than the LDAP/CAS-AR one?"
>
> Has anyone done anything like this? BTW, this would be with CAS 5.1.
>
> TIA,
>
> Bryan
>

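The access strategy page linked in the reply above lets the service definition itself carry the "deny anyone without a specific LDAP attribute" rule. The following is an added example, not code from the thread or from the CAS project: a constructed CAS 5.x-style JSON definition for the QA Dashboard, plus a simplified Python model of its requiredAttributes gate that dry-runs the rule against sample users before deployment. The host name, numeric id, attribute name, group DN and users are placeholders, and the model matches values exactly and case-sensitively, which is an assumption of this sketch.

```python
"""Dry run of a CAS service access strategy against sample users (added example)."""
import json

# Constructed definition in the CAS 5.x JSON registry layout; host, id,
# attribute name and group DN are placeholders.
QA_DASHBOARD = r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://qa-dashboard\\.example\\.edu/.*",
  "name": "QA Dashboard",
  "id": 2001,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "memberOf": ["java.util.HashSet",
                   ["cn=qa-dashboard,ou=groups,dc=example,dc=edu"]]
    }
  }
}'''

# Constructed directory extract: user -> attributes resolved for that user.
DIRECTORY = {
    "alice": {"memberOf": ["cn=staff,ou=groups,dc=example,dc=edu",
                           "cn=qa-dashboard,ou=groups,dc=example,dc=edu"]},
    "bob": {"memberOf": ["cn=staff,ou=groups,dc=example,dc=edu"]},
    "carol": {"mail": "carol@example.edu"},
    "dave": {"memberOf": "cn=qa-dashboard,ou=groups,dc=example,dc=edu"},
}


def required_attributes(strategy):
    """Unwrap the typed map {"attr": ["java.util.HashSet", [values]]}."""
    raw = strategy.get("requiredAttributes", {})
    return {name: set(typed[1]) for name, typed in raw.items() if name != "@class"}


def is_admitted(strategy, attributes):
    """Simplified model of the gate: exact, case-sensitive value match."""
    if not strategy.get("enabled", True):
        return False
    required = required_attributes(strategy)
    if not required:
        return True  # no gate configured: every authenticated user passes
    hits = []
    for name, wanted in required.items():
        held = attributes.get(name, [])
        held = [held] if isinstance(held, str) else held  # single-valued attribute
        hits.append(bool(wanted & set(held)))
    # requireAllAttributes=true: every listed attribute must match.
    return all(hits) if strategy.get("requireAllAttributes", True) else any(hits)


def admitted_users(definition_text, directory):
    """Return the sorted user names the definition would let through."""
    strategy = json.loads(definition_text).get("accessStrategy", {})
    return sorted(user for user, attrs in directory.items()
                  if is_admitted(strategy, attrs))


if __name__ == "__main__":
    print("admitted:", admitted_users(QA_DASHBOARD, DIRECTORY))
```

Comparing the admitted list with the intended "very narrow set" before the definition goes live catches a wrong group DN or attribute name while the service is still closed.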

[cas-user] CAS itself doing AuthZ (deny users)

2017-06-23 Thread Bryan Wooten
I just got this request from one of our developers:

"The QA-team has an app called “QA Dashboard”.  They have asked us to
CASify it, we’re assigning that work to BobtheDev.  But the app does have
to be constrained to a very narrow set of authorized users.  Of course we
could create a table to manage this, or develop an LDAP-attribute and then
have CAS do CAS-AR, but I’m curious about the ability (or not?) to just
have CAS auto-deny anyone who doesn’t have a specific LDAP-attribute?  Is
that something CAS is capable of doing?  If not, is there a better approach
than the LDAP/CAS-AR one?"

Has anyone done anything like this? BTW, this would be with CAS 5.1.

TIA,

Bryan



Re: [cas-user] bad json service definition breaks cas 5.0.x?

2017-05-02 Thread Bryan Wooten
You are not wrong.

We restart CAS once a week. We are currently running 3.6.x, it has a memory
leak with load over time. We do 400k logins per day. (CPU goes to 100%
doing nothing but garbage collection)

The weekly restart mitigates / solves (?) this issue,

But if in the interval we messed up the JSON Service Registry then the CAS
server is not working.

So yes perhaps an enhancement request for better notification of a bad
Service Registry re-load may be warranted.

I think a proper log4.xml setting in conjunction with monitoring like
Solarwinds/Orion or even ELK would solve this issue with a timely
notification to the correct people.

So many moving pieces. We do the best we can to support our organization.



On Tue, May 2, 2017 at 5:48 PM, Baron Fujimoto <ba...@hawaii.edu> wrote:

> Yes, but one of the nice things about CAS was that we could drop new
> service definitions into a running instance and have them picked up
> automatically. Anything that requires us to actually restart our service
> get us involved in a formal change management process and restricts us to
> weekend early mornings. :(
>
> The thing that seems inconsistent to me in this case, is that the bad
> service definition doesn't tank an already running instance. The faulty
> definition just doesn't get incorporated into the running config. This
> seems much preferable to breaking everything should the system be
> restarted for some reason, IMO.
>
> So, I guess I understand the way it is, but must it be that way? Should
> it be that way?
>
> On Mon, May 01, 2017 at 07:20:00PM -0600, Bryan Wooten wrote:
> >Ok, If you are manually editing the JSON service registry or using any tool
> >(home grown or provided by Apereo) you MUST carefully validate the final
> >JSON file syntax.
> >
> >I never make a change during normal hours.
> >
> >We are HA with 4 CAS servers. I make the change on one server. (They are
> >all standalone no rsync or cross mounts for any config file) I then restart
> >that one server and verify it comes back up and starts servicing tickets.
> >(All CAS servers are behind a Citrix Netscaler Load Balancer). So there is
> >no outage.
> >
> >After I confirm the change has the correct JSON syntax I then push the
> >change to the other servers.
> >
> >Owning SSO is terrifying.  We can never have an outage for 60k users and
> >500 servers. Never. Or my life gets bad.
> >
> >So yeah, it is manual and I take great care and someday I hope to put in
> >place an automated system.
> >
> >Until then I live with a little stress.
> >
> >On Mon, May 1, 2017 at 6:29 PM, Baron Fujimoto <ba...@hawaii.edu> wrote:
> >
> >> So this happened. We are using CAS 5.0.3.1 with JSON service registry
> >> files. We inadvertently created a service registration with an error in
> >> the regex for the serviceID (improperly escaped "\\." as "\."). Although
> >> we didn't notice it at the time, this was logged with the error/warnings
> >>
> >> ERROR [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -
> >>
> >> java.lang.IllegalArgumentException: org.hjson.ParseException: Expected
> >> valid escape sequence at 3:30
> >> ...
> >> WARN [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -
> >>  serviceID-20170328162739.json>
> >> WARN [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -
> >> <1 errors encountered when loading service definitions. New definitions are
> >> not loaded until errors are corrected>
> >>
> >> But CAS continued on working in general. However, some time later, the CAS
> >> service was restarted after an OS reboot. Upon restart, the same errors
> >> are noted, but there was a crucial difference
> >>
> >> INFO [org.apereo.cas.services.DefaultServicesManagerImpl] -  services from JsonServiceRegistryDao.>
> >>
> >> None of the other valid service definitions were loaded, and thus our CAS
> >> was effectively broken for everyone by this one bad definition.
> >>
> >> Is there a way to configure CAS to just ignore the bad definitions rather
> >> than just fail completely in situations like this? While we probably should
> >> have caught this sooner, it definitely turned out to be a time bomb for
> >> us. Is there a good reason for this behavior that we're missing?
> >>
> >> Aloha,
> >> -baron
> >> --
> >> Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technolog

Re: [cas-user] bad json service definition breaks cas 5.0.x?

2017-05-01 Thread Bryan Wooten
Ok, If you are manually editing the JSON service registry or using any tool
(home grown or provided by Apereo) you MUST carefully validate the final
JSON file syntax.

I never make a change during normal hours.

We are HA with 4 CAS servers. I make the change on one server. (They are
all standalone no rsync or cross mounts for any config file) I then restart
that one server and verify it comes back up and starts servicing tickets.
(All CAS servers are behind a Citrix Netscaler Load Balancer). So there is
no outage.

After I confirm the change has the correct JSON syntax I then push the
change to the other servers.

Owning SSO is terrifying.  We can never have an outage for 60k users and
500 servers. Never. Or my life gets bad.

So yeah, it is manual and I take great care and someday I hope to put in
place an automated system.

Until then I live with a little stress.

On Mon, May 1, 2017 at 6:29 PM, Baron Fujimoto  wrote:

> So this happened. We are using CAS 5.0.3.1 with JSON service registry
> files. We inadvertently created a service registration with an error in
> the regex for the serviceID (improperly escaped "\\." as "\."). Although
> we didn't notice it at the time, this was logged with the error/warnings
>
> ERROR [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -
> 
> java.lang.IllegalArgumentException: org.hjson.ParseException: Expected
> valid escape sequence at 3:30
> ...
> WARN [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -
>  serviceID-20170328162739.json>
> WARN [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -
> <1 errors encountered when loading service definitions. New definitions are
> not loaded until errors are corrected>
>
> But CAS continued on working in general. However, some time later, the CAS
> service was restarted after an OS reboot. Upon restart, the same errors
> are noted, but there was a crucial difference
>
> INFO [org.apereo.cas.services.DefaultServicesManagerImpl] -  services from JsonServiceRegistryDao.>
>
> None of the other valid service definitions were loaded, and thus our CAS
> was effectively broken for everyone by this one bad definition.
>
> Is there a way to configure CAS to just ignore the bad definitions rather
> than just fail completely in situations like this? While we probably should
> have caught this sooner, it definitely turned out to be a time bomb for
> us. Is there a good reason for this behavior that we're missing?
>
> Aloha,
> -baron
> --
> Baron Fujimoto  :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>

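The manual step described in this thread (validate every service file before a restart can pick it up) can be scripted. This is an added example, not code from the thread or the CAS project: it parses each file as strict JSON, compiles the serviceId with Python's re as a stand-in for Java's regex engine, and flags numeric ids reused across files. The sample definitions and the required-field list are constructed for illustration; CAS reads these files with an HJSON parser, so a file relying on HJSON-only syntax such as comments would be flagged here.

```python
"""Pre-deployment check for CAS JSON service registry files (added example)."""
import json
import re
import sys
from pathlib import Path

# Fields this check insists on; the list is this example's assumption.
REQUIRED_FIELDS = ("@class", "serviceId", "name", "id")

# Constructed sample files, keyed by file name.
SAMPLE_FILES = {
    "app-1001.json": r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app\\.example\\.edu/.*",
  "name": "app",
  "id": 1001
}''',
    # Same mistake as in the thread: "\." instead of "\\." inside a JSON string.
    "qa-1002.json": r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://qa\.example\.edu/.*",
  "name": "qa",
  "id": 1002
}''',
    # Valid JSON, but the pattern has an unbalanced parenthesis.
    "portal-1003.json": r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://(portal\\.example\\.edu/.*",
  "name": "portal",
  "id": 1003
}''',
    # Valid on its own, but reuses the numeric id of app-1001.json.
    "copy-1004.json": r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://copy\\.example\\.edu/.*",
  "name": "copy",
  "id": 1001
}''',
}


def check_definition(text):
    """Parse one file's text; return (definition or None, list of problems)."""
    try:
        definition = json.loads(text)
    except json.JSONDecodeError as exc:
        # An invalid escape such as "\." in a string is rejected here.
        return None, [f"JSON syntax error at line {exc.lineno}, "
                      f"column {exc.colno}: {exc.msg}"]
    if not isinstance(definition, dict):
        return None, ["top-level value is not a JSON object"]
    problems = [f"missing field {f!r}" for f in REQUIRED_FIELDS if f not in definition]
    service_id = definition.get("serviceId")
    if isinstance(service_id, str):
        try:
            re.compile(service_id)  # Python's re stands in for java.util.regex
        except re.error as exc:
            problems.append(f"serviceId is not a valid regex: {exc}")
    return definition, problems


def validate_registry(files):
    """Map each file name to its problems, including ids reused across files."""
    report, first_use = {}, {}
    for name in sorted(files):
        definition, problems = check_definition(files[name])
        service_num = definition.get("id") if definition else None
        if isinstance(service_num, int):
            owner = first_use.setdefault(service_num, name)
            if owner != name:
                problems.append(f"id {service_num} already used by {owner}")
        report[name] = problems
    return report


def main(argv):
    """Check the directory named in argv[1], or the samples if none is given."""
    if len(argv) > 1:
        files = {p.name: p.read_text(encoding="utf-8")
                 for p in Path(argv[1]).glob("*.json")}
    else:
        files = SAMPLE_FILES
    report = validate_registry(files)
    for name, problems in report.items():
        for problem in problems:
            print(f"{name}: {problem}")
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status lets a deployment script refuse to copy the directory to the CAS servers when any file fails.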

Re: [cas-user] CAS Deployment Stalls When Deploying to Tomcat

2017-03-09 Thread Bryan Wooten
Just my 2 cents and hope it helps.

We use a time based RollingFileAppender. The size based created issues.

And check your Tomcat localhost (not access log) log file. I found that
some errors go to cas.log others to catalina.out and some of the more
esoteric ones go to localhost.

Also note that setting levels to debug or trace can/will create very large
logs depending on your load.

On Thu, Mar 9, 2017 at 1:44 PM, Wickham, Jeremy 
wrote:

> Yes I am using an external tomcat instance. I am also using the CAS
> overlay project because I had some customization that is required for our
> deployment. Is there a way to use the embedded tomcat with the CAS maven
> overlay?
>
>
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Misagh
> Moayyed
> *Sent:* Thursday, March 09, 2017 2:32 PM
> *To:* cas-user@apereo.org
>
> *Subject:* RE: [cas-user] CAS Deployment Stalls When Deploying to Tomcat
>
>
>
> Sounds like this is an external tomcat instance. I’d look into various other
> log files for Tomcat under /logs. If there isn’t anything there, I’d adjust
> log levels for both CAS and Tomcat and see what might be happening. I’d
> also try the embedded tomcat and see if that shows the same thing.
>
>
>
> --
> Misagh
>
>
> From: Wickham, Jeremy 
> 
> Reply: cas-user@apereo.org  
> Date: March 9, 2017 at 11:49:06 PM
> To: cas-user@apereo.org  
> Subject:  RE: [cas-user] CAS Deployment Stalls When Deploying to Tomcat
>
>
>
> Yes, it is writing the same thing to the cas.log in the tomcat logs
> directory. But it does write rolling log files on start up to the webapps
> directory. Which I don’t understand why.
>
>
>
> My logging config:
>
> logging.config: file:/etc/cas/config/log4j2.xml
>
>
>
>
>
>  append="true"
>
>  filePattern="cas-%d{-MM-dd-HH}-%i.log">
>
> 
>
> 
>
> 
>
> 
>
> 
>
> 
>
> 
>
>
>
> To note: If the cas.war is deployed to tomcat, and I restart tomcat,
> tomcat never fully comes up because it is in some sort of hung state. When
> I shut down tomcat, it errors off saying there is no connection on 8080. If
> I deploy the war file onto a clean tomcat, it just sits there and writes
> nothing to the log files. I’ve left it running for 20-30 minutes before I
> will shut it down and start over.
>
>
>
> I say about every 4 times I restart/deploy the cas.war it will fully come
> up and I am able to test it. This is just a best guess average.
>
>
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org
> ] *On Behalf Of *Misagh Moayyed
> *Sent:* Thursday, March 09, 2017 1:25 PM
> *To:* cas-user@apereo.org
> *Subject:* Re: [cas-user] CAS Deployment Stalls When Deploying to Tomcat
>
>
>
>  The following is what is written to my log file—After the profile log,
> there is nothing else written to catalina.out. What are some
> recommendations I need to look at?
>
> I doubt this has anything to do with Tomcat. You provided a log4j config
> file to CAS, correct? Is it writing to the right place? Does it have
> permission to do so?
>

Re: [cas-user] For fun can you beat this? CAS Logins per day.

2017-02-28 Thread Bryan Wooten
We run an 8 hour CAS session. We have about 60k users.



To be honest our numbers are high because we have a really aggressive
Solarwinds monitoring system. It does end to end “synthetic
transactions” from up to 50 locations on campus and on AWS. The monitoring
hits 100s of apps that are all protected by CAS.


-Bryan

On Tue, Feb 28, 2017 at 8:45 AM, Tom Poage <tfpo...@ucdavis.edu> wrote:

> Bryan,
>
> Curious, what is your session lifetime?
>
> Ours is (a legacy) 12 hours. We have roughly 73k core affiliate (faculty,
> staff, student, ...) accounts, so people generally login only once a day or
> so.
>
> 24 Feb:
>
> AUTHENTICATION_SUCCESS: 91116
> SERVICE_TICKET_VALIDATED: 161060
>
> Cf.
>
> for h in casweb{6,7,8,10}
>   do ssh $h 'gzip -dc /path.../logs/cas_audit-2017-02-24-1.gz | fgrep SERVICE_TICKET_VALIDATED'
> done | wc -l
>
> On Feb 25, 2017, at 2:24 PM, Bryan Wooten <ttbaja...@gmail.com> wrote:
>
> We have two CAS 3.6.x servers behind a Netscaler running on Tomcat 8.
> Hazelcast Ticket Registry. JSON Service Registry with 500+ entries (all
> wild carded for urls). Duo for all employees. (30k)
>
> CAS1
>
> grep AUTHENTICATION_SUCCESS cas.log.2017-02-24* | wc -l
>
> 215743
>
> CAS2
>
> grep AUTHENTICATION_SUCCESS cas.log.2017-02-24* | wc -l
>
> 207414
>


[cas-user] For fun can you beat this? CAS Logins per day.

2017-02-25 Thread Bryan Wooten
We have two CAS 3.6.x servers behind a Netscaler running on Tomcat 8.
Hazelcast Ticket Registry. JSON Service Registry with 500+ entries (all
wild carded for urls). Duo for all employees. (30k)

CAS1

grep AUTHENTICATION_SUCCESS cas.log.2017-02-24* | wc -l

215743

CAS2

grep AUTHENTICATION_SUCCESS cas.log.2017-02-24* | wc -l

207414



Re: [cas-user] CASifying Peoplesoft

2017-01-27 Thread Bryan Wooten
If anyone wants the slides I would be happy to email them.

On Fri, Jan 27, 2017 at 4:26 PM, David Hawes <dha...@vt.edu> wrote:

> On 26 January 2017 at 13:23, Bryan Wooten <ttbaja...@gmail.com> wrote:
> > We have our Peoplesoft environment CASified by adding CAS filters to the
> > Weblogic web.xml and writing some custom signon Peoplecode. It works well.
> >
> > And we are doing a proof of concept where the Weblogic is behind Apache. We
> > have installed mod_auth_cas on the Apache. REMOTE_USER is getting set.
> >
> > But for some reason either Weblogic is ignoring this header or is dropping
> > it.
>
> Can you see any of the headers in Weblogic?
>
> Maybe try using some other header that you set with CASAuthNHeader?
>


Re: [cas-user] CASifying Peoplesoft

2017-01-27 Thread Bryan Wooten
I did it myself a few years ago and actually gave a presentation at an
Apereo conference with Unicon. You should be able to find the presentation
on YouTube.


We are trying a new configuration using mod_auth_cas on Apache. If we can
make this work I think it will be a better solution than hacking the Weblogic
web.xml and adding the Java client to the class path.


If this does not work we will try putting it all behind a Shib SP.


At some point I will give a write up of our experience.


Cheers,


Bryan

On Thu, Jan 26, 2017 at 1:56 PM, Joel Levin <joel.aaron.le...@gmail.com>
wrote:

> This won't answer your questions -- only as an FYI.
>
> The consultants working on this gave a large price tag (with the
> associated backend authorizations etc)-- as it is not part of the usual
> PeopleSoft supported flow.
>
> So we went with LDAP.
>
>
> On Thu, Jan 26, 2017 at 10:23 AM, Bryan Wooten <ttbaja...@gmail.com>
> wrote:
>
>> We have our Peoplesoft environment CASified by adding CAS filters to the
>> Weblogic web.xml and writing some custom signon Peoplecode. It works well.
>>
>> And we are doing a proof of concept where the Weblogic is behind Apache. We
>> have installed mod_auth_cas on the Apache. REMOTE_USER is getting set.
>>
>> But for some reason either Weblogic is ignoring this header or is
>> dropping it.
>>
>> Our custom signon Peoplecode depends on REMOTE_USER being set.
>>
>> Does anyone have any ideas or suggestions?
>>
>> Thanks,
>>
>> Bryan
>>
>> University of Utah
>>


[cas-user] mod_utah_cas service url

2016-02-25 Thread Bryan Wooten
We have an Apache server running mod_auth_cas that sits behind a Citrix 
load balancer that does SSL termination.

So the user goes to https://server.utah.edu/secure and the load balancer 
hits the real server at http://server.utah.edu/secure due to the SSL 
termination.

This results in mod_auth_cas trying to validate a ticket with a service URL 
of http://server.utah.edu/secure. Naturally CAS refuses to validate the 
ticket (http://server.utah.edu is not in our service registry).

With the Java client we can explicitly set the service url to https even 
when the load balancer is doing SSL termination.

I can't find a way to explicitly set the service url with the mod_auth_cas 
client. Am I missing something?

Any ideas? Or is this a Citrix LB question?

Thanks.
