Re: [cas-user] CAS 4x and gssapi

2016-06-28 Thread Christophe Ségui
Done!

Thanks.


On 20/05/2016 17:22, Misagh Moayyed wrote:
>
> Sure. There is always a chance. Start by filing a feature request to
> ldaptive, if one isn’t already there.
>
>
> From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Christophe Ségui
> Sent: Friday, May 20, 2016 12:50 AM
> To: Misagh Moayyed; CAS Community
> Subject: Re: [cas-user] CAS 4x and gssapi
>
>
> On 19/05/2016 16:41, Misagh Moayyed wrote:
>
> Ldaptive supports GSSAPI, but I don’t think the new namespace DSL
> provides that, yet.
>
> Thanks for your answer.
>
> In your opinion, is there any chance of having this setup working with
> CAS 4x someday?
>
> Thanks,
>
>
> From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Christophe Ségui
> Sent: Thursday, May 19, 2016 6:14 AM
> To: CAS Community
> Subject: [cas-user] CAS 4x and gssapi
>
>
> Hi list,
>
> Is there something like
> https://wiki.jasig.org/pages/viewpage.action?pageId=10650669 for
> CAS 4x?
>
> Thanks,
>
> --
>
> Christophe Ségui
> Responsable informatique
>
> Institut de Mathématiques de Toulouse
> Université de Toulouse - CNRS
> 118 Route de Narbonne
> 31062 Toulouse Cedex 09
>
> Tel : (+33) 5 61 55 63 78
> christophe.se...@math.univ-toulouse.fr
> http://www.math.univ-toulouse.fr
>
> -- 
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to cas-user+unsubscr...@apereo.org
> .
> To post to this group, send email to cas-user@apereo.org
> .
> Visit this group at
> https://groups.google.com/a/apereo.org/group/cas-user/.
> To view this discussion on the web visit
> 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/573DBC0A.2040508%40math.univ-toulouse.fr.
> For more options, visit
> https://groups.google.com/a/apereo.org/d/optout.
>


[cas-user] cas other attribute

2016-06-28 Thread asep-002
I'm using CAS version 4.0, and I want to take another attribute from my LDAP
server.

I see in the documentation that to take another attribute there are 2 steps,
first resolution and then release. I succeeded at the resolution step, but my
user is unable to get the mapped attribute.
Here's my log.


> 2016-06-28 16:13:48,441 DEBUG 
> [org.jasig.cas.authentication.LdapAuthenticationHandler] -  authentication for asep+password>
> 2016-06-28 16:13:48,444 DEBUG 
> [org.jasig.cas.authentication.LdapAuthenticationHandler] -  [org.ldaptive.auth.AuthenticationResponse@1937247148::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
>  
> ldapEntry=[dn=uid=asep,ou=people,dc=eu,dc=id[[uid[asep]], 
> [mail[a...@staff.eu.id]], [sn[kampak]], [ou[research lab]], [cn[asep 
> kampak]]], responseControls=null, messageId=-1], accountState=null, 
> result=true, resultCode=SUCCESS, message=null, controls=null]>
> 2016-06-28 16:13:48,444 DEBUG 
> [org.jasig.cas.authentication.LdapAuthenticationHandler] -  attribute: [cn[asep kampak]]>
> 2016-06-28 16:13:48,444 DEBUG 
> [org.jasig.cas.authentication.LdapAuthenticationHandler] -  attribute: [mail[a...@staff.eu.id]]>
> 2016-06-28 16:13:48,445 DEBUG 
> [org.jasig.cas.authentication.LdapAuthenticationHandler] -  attribute: [sn[kampak]]>
> 2016-06-28 16:13:48,445 DEBUG 
> [org.jasig.cas.authentication.LdapAuthenticationHandler] -  attribute: [ou[research lab]]>
> 2016-06-28 16:13:48,445 INFO 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
> 
> 2016-06-28 16:13:48,445 DEBUG 
> [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - 
> 
> 2016-06-28 16:13:48,445 DEBUG 
> [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - 
> 
> 2016-06-28 16:13:48,445 DEBUG 
> [org.jasig.cas.persondir.LdapPersonAttributeDao] -  map='{username=[asep]}' for uid='asep'>
> 2016-06-28 16:13:48,445 DEBUG 
> [org.jasig.cas.persondir.LdapPersonAttributeDao] -  'username' with value '[asep]' to query builder 'null'>
> 2016-06-28 16:13:48,445 DEBUG 
> [org.jasig.cas.persondir.LdapPersonAttributeDao] -  query [(uid={user})]>
> 2016-06-28 16:13:48,445 DEBUG 
> [org.jasig.cas.persondir.LdapPersonAttributeDao] -  '[org.ldaptive.SearchFilter@1028417470::filter=(uid={user}), 
> parameters={0=asep}]' from query Map {username=[asep]}.>
> 2016-06-28 16:13:48,543 DEBUG 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
>   
> resolved asep from asep+password>
> 2016-06-28 16:13:48,543 INFO 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
> 
> 2016-06-28 16:13:48,543 DEBUG 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -* 
> 
>


I can see my attribute in the log ("Found principal attribute"), but after
resolution my user is unable to get it.
Here is my config for resolution in deployerConfigContext.xml:

> <bean class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>       p:principalIdAttribute="uid"
>       c:authenticator-ref="authenticator">
>   <!-- principalAttributeMap entries not preserved in the archived copy -->
> </bean>
>

Release config:

> (service definition; only these fragments survive in the archived copy)
> https://**
> simpleName
> email
> fullname
> unit
>

Please give me some advice, I got stuck.
Thank you.


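Added example for the attribute question above (editor's code, not from the post or from the CAS project). In CAS 4.0 the LdapAuthenticationHandler logs each attribute it copies as "Found principal attribute: [name[value]]" and renames it through principalAttributeMap (LDAP attribute name to principal attribute name); a ReturnAllowedAttributeReleasePolicy then releases principal attributes by those post-mapping names. The script parses such log lines, applies a mapping, and reports which allowed names the principal never carries and which resolved names the policy silently drops. One caveat worth checking against the post's own log: when a PersonDirectoryPrincipalResolver with an attribute repository is in play (the LdapPersonAttributeDao lines), CAS 4.0 builds the principal from that repository, so the names to compare with the release policy are the repository's result mapping rather than the handler's principalAttributeMap. The log lines, the mapping and the mail value below are constructed for the example.

```python
"""Cross-check resolved CAS principal attributes against a release policy.

Added example; not code from the post or from the CAS project. The log lines,
the attribute map and the mail value are constructed.
"""
import re
from typing import Dict, List

# Constructed log lines in the shape the post shows (the mail value is made up).
SAMPLE_LOG = """\
2016-06-28 16:13:48,444 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [cn[asep kampak]]>
2016-06-28 16:13:48,444 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [mail[asep@example.org]]>
2016-06-28 16:13:48,445 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [sn[kampak]]>
2016-06-28 16:13:48,445 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [ou[research lab]]>
"""

# Constructed principalAttributeMap: LDAP attribute -> principal attribute name.
# "ou" is deliberately mapped to a name the release policy below does not list,
# to show how a naming mismatch surfaces.
SAMPLE_ATTRIBUTE_MAP = {"cn": "fullname", "mail": "email", "sn": "simpleName", "ou": "department"}

# The allowed attribute names from the post's release policy.
SAMPLE_ALLOWED = ["simpleName", "email", "fullname", "unit"]

# ldaptive prints an attribute as [name[value]] (multi-valued: [name[v1, v2]]).
FOUND_RE = re.compile(r"Found principal attribute: \[(\w+)\[([^\]]*)\]\]")


def parse_found_attributes(log_text: str) -> Dict[str, List[str]]:
    """Return {ldap_attribute: [values]} for every 'Found principal attribute' line."""
    found: Dict[str, List[str]] = {}
    for name, raw in FOUND_RE.findall(log_text):
        found[name] = [v.strip() for v in raw.split(",")]
    return found


def map_principal_attributes(found: Dict[str, List[str]],
                             attr_map: Dict[str, str]) -> Dict[str, List[str]]:
    """Rename LDAP attributes to principal attribute names, as principalAttributeMap
    does. The handler only copies attributes present in the map, so the rest are dropped."""
    return {attr_map[name]: values for name, values in found.items() if name in attr_map}


def release_report(principal_attrs: Dict[str, List[str]],
                   allowed: List[str]) -> Dict[str, List[str]]:
    """What the policy releases, which allowed names the principal never carries,
    and which resolved names the policy drops because they are not listed."""
    have, want = set(principal_attrs), set(allowed)
    return {
        "released": sorted(have & want),
        "allowed_but_missing": sorted(want - have),
        "resolved_but_not_released": sorted(have - want),
    }


def check_sample() -> Dict[str, List[str]]:
    """Run the three steps over the constructed log, map and policy."""
    found = parse_found_attributes(SAMPLE_LOG)
    principal = map_principal_attributes(found, SAMPLE_ATTRIBUTE_MAP)
    return release_report(principal, SAMPLE_ALLOWED)


if __name__ == "__main__":
    for key, names in check_sample().items():
        print(f"{key}: {', '.join(names) or '-'}")
```

On the constructed input the report releases email, fullname and simpleName, lists unit as allowed but never resolved, and lists department as resolved but not released; the fix in that situation is to make the two name sets agree rather than to add more LDAP attributes.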


[cas-user] Reflection around SPNEGO authentication and external IDP

2016-06-28 Thread Julien Gribonvald

Hi,

In the ESUP consortium we are looking at possible use cases for integrating
the new French government central "identity provider", which French
administration services will be able to integrate to authenticate all French
people on their apps (FranceConnect, which uses the OpenID Connect protocol).


So we know it's possible to integrate it without too much difficulty; we only
need to use this service as an authentication handler, but we have some
workflow to develop. Our problems aren't with web authentication but with
computer authentication (when using SPNEGO/Kerberos...).


What can we do when the account's principals (login/password) are not known
"locally"? In this case, what can we do? Or how can we delegate the computer
authentication to a web-only external service?
Is there a way, or is it possible, to log the user in from a web access when
the user logs in from a computer?


Reflections are also welcome for such a use case!

Thanks,
--
Julien Gribonvald



RE: [cas-user] CAS 4.2.2 jpaTicketRegistry Issues

2016-06-28 Thread Tom O'Neill
Misagh,

Thank you for the quick response!

I gave that a shot but unfortunately I am still seeing the same behavior.
I simplified the configuration by reverting to the baseline 4.2.4-SNAPSHOT 
deployerConfigContext.xml with a single modification:




After a successful authentication the application appears to hang and the 
following INSERT into the TGT table never completes.
I increased the logging level on the MySQL database and reviewed the 
transactions. Interestingly, I don’t see the INSERT in the MySQL logs.

2016-06-28 07:28:32,519 DEBUG 
[org.hibernate.engine.transaction.internal.TransactionImpl] - 
2016-06-28 07:28:32,576 DEBUG 
[org.hibernate.event.internal.AbstractSaveEventListener] - 
2016-06-28 07:28:32,674 INFO 
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2016-06-28 07:28:32,675 DEBUG 
[org.hibernate.engine.transaction.internal.TransactionImpl] - 
2016-06-28 07:28:32,676 DEBUG 
[org.hibernate.event.internal.AbstractFlushingEventListener] - 
2016-06-28 07:28:32,677 DEBUG 
[org.hibernate.event.internal.AbstractFlushingEventListener] - 
2016-06-28 07:28:32,685 DEBUG 
[org.hibernate.event.internal.AbstractFlushingEventListener] - 
2016-06-28 07:28:32,685 DEBUG 
[org.hibernate.event.internal.AbstractFlushingEventListener] - 
2016-06-28 07:28:32,688 DEBUG [org.hibernate.internal.util.EntityPrinter] - 

2016-06-28 07:28:32,689 DEBUG [org.hibernate.internal.util.EntityPrinter] - 

Hibernate: insert into TICKETGRANTINGTICKET (NUMBER_OF_TIMES_USED, 
CREATION_TIME, EXPIRATION_POLICY, LAST_TIME_USED, PREVIOUS_LAST_TIME_USED, 
ticketGrantingTicket_ID, AUTHENTICATION, EXPIRED, PROXIED_BY, 
SERVICES_GRANTED_ACCESS_TO, SUPPLEMENTAL_AUTHENTICATIONS, TYPE, ID) values (?, 
?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'TGT', ?)
2016-06-28 07:28:32,726 DEBUG [org.hibernate.SQL] - 
2016-06-28 07:28:45,129 DEBUG [org.quartz.core.QuartzSchedulerThread] - 
2016-06-28 07:28:50,464 DEBUG [com.mchange.v2.resourcepool.BasicResourcePool] - 

2016-06-28 07:28:50,465 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,465 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,465 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,467 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,467 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,468 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,468 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,469 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,469 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:28:50,471 DEBUG 
[com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool] - 
2016-06-28 07:29:09,730 DEBUG [org.quartz.core.QuartzSchedulerThread] - 
2016-06-28 07:29:09,730 DEBUG [org.quartz.core.JobRunShell] - 
2016-06-28 07:29:09,730 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - 
2016-06-28 07:29:09,735 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - 

I’m starting to wonder if the issue could be the MySQL release. We are running 
5.7 but using the MySQL 5.7 InnoDB dialect for hibernate resulted in an 
exception during table creation.
The database initializes correctly using the MySQL 5 InnoDB dialect and the 
health check seems to work but obviously the INSERT isn’t working.

Thanks,

Tom O’Neill

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Misagh 
Moayyed
Sent: Monday, June 27, 2016 5:30 PM
To: cas-user@apereo.org
Subject: RE: [cas-user] CAS 4.2.2 jpaTicketRegistry Issues

Point your overlay to 4.2.4-SNAPSHOT and try again please. (Make sure you force
an update with -U.)

From: cas-user@apereo.org 
[mailto:cas-user@apereo.org] On Behalf Of Tom O'Neill
Sent: Monday, June 27, 2016 12:05 PM
To: cas-user@apereo.org
Subject: [cas-user] CAS 4.2.2 jpaTicketRegistry Issues

Hi All,

Hopefully I’m just missing something simple…I appreciate any and all insight.
I’ve worked on 3.5.x extensively and 4.0.x briefly but 4.2.2 is giving me some 
trouble.

I am working on a 4.2.2 CAS build using the Maven overlay method and I’d like 
to use LDAP and JPA support.
I added LDAP support, JPA Ticket Registry support and MySQL 5.1.39 to my
pom.xml:

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-webapp</artifactId>
    <version>${cas.version}</version>
    <type>war</type>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-jpa-ticket-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>5.1.39</version>
</dependency>

After getting LDAP working with the default ticke

RE: [cas-user] CAS 4.2.2 jpaTicketRegistry Issues

2016-06-28 Thread Misagh Moayyed
Well, unless you can produce logs to explain what’s going on I am inclined 
to blame MYSQL too. Turn up DEBUG logs for org.springframework.orm.jpa and 
org.springframework.transaction. See if you can spot anomalies.

If you want to post your overlay to the issues project so we can duplicate 
it, that’s fine too.




Re: [cas-user] .Net client and redirect issue

2016-06-28 Thread Roger Spears
Hello,

Thank you for the suggestion. You are absolutely correct about the timing
issues. We did experience this in one of our other CASified apps. After
reading your suggestion, we double-checked just to be sure: both
servers (CAS and the CASified .Net app) are pulling from the same time
source.

The redirect problem has been resolved!

I was originally using this web app:
https://github.com/UniconLabs/cas-sample-dotnet-webapp

Misagh suggested I use this tutorial (and the app it links to):
https://wiki.jasig.org/display/CASUM/HOWTO+CASifying+ASP.NET+WebApp+-+ExampleWebsite

I downloaded the web app linked in that tutorial, configured it per the
directions, and uploaded it to our .Net server. It worked without any
issues. The AD attributes appear to be working as well. I'm not sure of the
difference between the original web app I was using and the one in that
tutorial, but this issue is resolved.

Thanks to all that responded with suggestions,
Roger


On Mon, Jun 27, 2016 at 11:28 AM, Richard Frovarp 
wrote:

> What's the time sensitivity of the .Net client and/or your implementation?
> I know that somewhere in my Java stack (might be in Apache Shiro) the
> sensitivity for time skew is only a couple of seconds. If you aren't
> running NTP (like on a default install of Ubuntu on a desktop), eventually
> you hit a skew large enough to cause issues. You log into CAS, it sends you
> back to the web app, it tries to back-channel validate, but rejects because
> of time skew, redirects you back to CAS, SSO on CAS kicks you in, sends you
> over with a new ticket, which is still rejected because of skew, SSO,
> repeat until the browser finally gives up.
>
>
> From: cas-user@apereo.org on behalf of Roger Spears
> Sent: Friday, June 24, 2016 2:59:09 PM
> To: cas-user@apereo.org
> Subject: [cas-user] .Net client and redirect issue
>
> Hello,
>
> Using the example and instructions located at:
> https://github.com/UniconLabs/cas-sample-dotnet-webapp
>
> We deployed the .Net client to a Windows Server 2012 running IIS 8.
>
> The .Net app is pointing at our CAS installation (version 3.5.2.1).  Our
> CAS works with other applications, but none of them are .Net applications.
> When we load the .Net app in a browser, we are sent to the CAS login page.
> After providing our login credentials, we eventually see a message that
> states "The page isn't redirecting properly" in the browser.  When the
> message appears, the URL in the URL bar of the browser is:
> https:///Public/Default.aspx
>
> At this point, the browser has 2 cookies for CAS.  There is a JSESSIONID
> cookie and a CASTGC cookie.  Both are set to the /cas/ path.  The CASTGC
> cookie has a value that begins with TGT.
>
> We set the logs to DEBUG.  In the log(s) I can see the authentication is
> working against our AD, complete with attributes.
>
> If we adjust the web.config file so the redirectAfterValidation="false",
> we do see the default CAS login page and after entering valid credentials
> we see the "You have successfully logged in" message on the CAS login
> page...but we are never sent back to the .Net application.
>
> Things we tried that didn't make a difference:
> 1. Setting the defaultURL in the  section of the web.config to be:
> https:///Public/Default.aspx
> 2. Setting the path in the  section to "/"
>
> What's in the log that is questionable:
> 1. CAS and catalina log:  Error getting service from flow state / no
> active flowsession to access; this FlowExecution has ended.  I don't know
> enough to tell if this is the cause or a result of the cause.
> 2. localhost log for Tomcat lists the following entries:
> CASSERVER -- POST -- 
> /cas/login;jsessionid=97fbds?service=https:///Public/Default.aspx
> -- 302
> NETAPPLICATION -- GET -- 
> /validate?service=https:///Public/Default.aspx&ticket=ST-1-ingfsdJKdklam
> -- 404
> CASSERVER -- GET -- /cas/login?service=https:///Public/Default.aspx
> -- 302
> NETAPPLICATION -- GET -- 
> /validate?service=https:///Public/Default.aspx&ticket=ST-2-Bsdjklwe39fdsm
> -- 404
> These repeat and the ST increases all the way to ST-7
>
> Any hints on what might be mis-configured?
>
> Thanks,
> Roger
> --
> Roger Spears
> Northwest State Community College
> 22600 State Route 34
> Archbold, Ohio  43502
> P: 419-267-1304
> F: 419-267-3891
>
> ***
> This message and any attachment are confidential, intended solely for the
> use of the individual or entity to whom it is addressed and may be
> protected under FERPA ( http://www2.ed.gov/policy/gen/reg/ferpa/index.html
> ). If you have received it by mistake, or are not the named recipient(s),
> please immediately notify the sender and delete the message. You are hereby
> notified that any unauthorized use, copying or dissemination of any or all
> information contained in this message is prohibited.  Northwest State
> Community College and/or any part thereof shall not be liable for the
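Added example for the redirect loop described in this thread (editor's code, not from the thread or from any CAS client). It reads access-log lines in the shape Roger listed (HOST -- METHOD -- PATH -- STATUS) and flags a validation loop: repeated validation requests for the same service whose service-ticket counter keeps increasing while no validation ever returns 200. That shape is the same whether the client rejects a good ticket because of clock skew, as Richard describes, or never reaches a working validation endpoint, as the 404s in Roger's log suggest; the status column is what tells the two apart. The host name in the URLs is a constructed placeholder (app.example.edu), since the original is elided, and the third and fourth ticket strings are made up.

```python
"""Spot a CAS service-ticket validation loop in access-log lines.

Added example; not code from the thread. Sample lines are constructed in the
shape the thread shows; app.example.edu and the ST-3/ST-4 tickets are made up.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

LINE_RE = re.compile(r"^(?P<host>\w+) -- (?P<method>[A-Z]+) -- (?P<path>\S+) -- (?P<status>\d{3})$")
ST_RE = re.compile(r"^ST-(\d+)-")  # the counter CAS puts after the ST- prefix

SAMPLE_LINES = [
    "CASSERVER -- POST -- /cas/login;jsessionid=97fbds?service=https://app.example.edu/Public/Default.aspx -- 302",
    "NETAPPLICATION -- GET -- /validate?service=https://app.example.edu/Public/Default.aspx&ticket=ST-1-ingfsdJKdklam -- 404",
    "CASSERVER -- GET -- /cas/login?service=https://app.example.edu/Public/Default.aspx -- 302",
    "NETAPPLICATION -- GET -- /validate?service=https://app.example.edu/Public/Default.aspx&ticket=ST-2-Bsdjklwe39fdsm -- 404",
    "CASSERVER -- GET -- /cas/login?service=https://app.example.edu/Public/Default.aspx -- 302",
    "NETAPPLICATION -- GET -- /validate?service=https://app.example.edu/Public/Default.aspx&ticket=ST-3-constructed -- 404",
    # A healthy validation for another service, for contrast (constructed).
    "OTHERAPP -- GET -- /validate?service=https://other.example.edu/&ticket=ST-4-constructed -- 200",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into host, method, path, status, service and ticket."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    query = parse_qs(urlparse(rec["path"]).query)
    rec["service"] = query.get("service", [None])[0]
    rec["ticket"] = query.get("ticket", [None])[0]
    return rec


def find_validation_loops(lines: List[str], min_attempts: int = 3) -> List[dict]:
    """Group service-ticket validations by service and report the looping ones.

    A loop needs at least min_attempts validations, a strictly increasing ST
    counter (each round burns a fresh ticket) and no 200 anywhere in the run.
    """
    by_service: Dict[str, List[dict]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ticket"] and ST_RE.match(rec["ticket"]):
            by_service.setdefault(rec["service"], []).append(rec)

    findings = []
    for service, recs in by_service.items():
        counters = [int(ST_RE.match(r["ticket"]).group(1)) for r in recs]
        increasing = all(b > a for a, b in zip(counters, counters[1:]))
        never_ok = all(r["status"] != 200 for r in recs)
        if len(recs) >= min_attempts and increasing and never_ok:
            findings.append({
                "service": service,
                "attempts": len(recs),
                "first_ticket": recs[0]["ticket"],
                "last_ticket": recs[-1]["ticket"],
                "statuses": sorted({r["status"] for r in recs}),
            })
    return findings


if __name__ == "__main__":
    for f in find_validation_loops(SAMPLE_LINES):
        print(f"loop for {f['service']}: {f['attempts']} validations "
              f"({f['first_ticket']} .. {f['last_ticket']}), statuses {f['statuses']}")
```

Every iteration of such a loop is a new service ticket issued by CAS, so the same run also shows up on the CAS side as a burst of ticket grants for one service with no successful validation; that makes it worth alerting on even when the browser is what finally stops it.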

RE: [cas-user] CAS 4.2.2 jpaTicketRegistry Issues

2016-06-28 Thread Tom O'Neill
Misagh,

I think that sounds like a reasonable approach and I will try increasing 
logging for those packages specifically.
I had hibernate set to DEBUG but the current output isn’t providing any clues 
at this point.

If I don’t find anything solid I will swap out the MySQL versions to see if 
that makes a difference.
I appreciate the insight and feedback.

Thanks!

Tom O’Neill
Senior Consultant
Strata Information Group
one...@sigcorp.com
Mobile : (401) 644-4847
Corporate : (619) 296-0170


[cas-user] Lost Password

2016-06-28 Thread Eric PAPET
Hi,

Is it possible, when a user has lost his password, to generate a mail with
URL+TGC-ID?


Best regards,
Eric Papet



[cas-user] custom authentication components and flow.

2016-06-28 Thread Rob Shepherd
Hello, I would like a few pointers, or possibly a suggestion of where to
get further help.

I have some users that are authenticated via OpenID delegates (works) and 
some users that are authenticated via a web service to a central database.
I also need to let the user pick a "role" before the authentication 
concludes.

I must decide via which auth route to take based on a webservice call using 
their email address.

1. USER enter email
1b. CAS call webservice to lookup account type 
1c. if(password) then (goto 3) if(google openid) then (goto 2) end if

2. CAS trigger openid client delegate
2b. CAS collect user profile
2c. goto 4

3. USER enter password
3b. CAS authenticate using username and password to webservice
3c. goto 4.

4. CAS lookup roles using webservice
4a. USER choose role
4b. define a Principal that includes the email address and attributes based 
on the role chosen

5. login complete, grant tickets and service access etc.


In order to provide these components I just need to gain a better 
understanding of the CAS Terminology that describes the workings.

I will use a simple webflow and actions to perform all of (1)
I already have the openid client working for (2), I just need to wire it up 
in the scheme.
I can use a custom Handler to make the authentication call for (3) 

I will use a policy that appreciates the state of either (2) or (3) and 
only authenticates properly when (4) has been concluded also.

I will use a sub-flow and actions to perform the role choosing components 
in the form of a RoleChoiceCredential and a custom handler for that to 
implement (4)

I think I can use a custom PrincipalResolver to solve (4b) but haven't 
quite worked out how to glue together the results of a few stages of the 
authentication 

My current understanding fails at the following points:

Looking at the source: within AuthenticationViaFormAction.submit(...) I can 
see a whole heap of internal logic to do with tickets and cookies etc. that I 
don't want to break the functionality of.  

E.g. isRequestAskingForServiceTicket(...) & grantServiceTicket(...)  Do 
these need to be retained somewhere?  I don't see these being used in other 
login actions (such as x509)

Any pointers would be appreciated.

Thanks

Rob

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6d70c068-4af9-4088-8fa6-7c7ff4126ca7%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.


[cas-user] Getting A Proxy Granting Ticket from A Proxy Granting Ticket IOU

2016-06-28 Thread William
I am writing a test case according to 
https://wiki.jasig.org/display/CAS/CAS+Functional+Tests

The particular test case I am writing is: "CAS 2.0 validation, acquire 
proxy-granting ticket, proxy authentication"

The step I am stuck on is: "6. Using your callback, correlate PGTIOU with PGT"

I am able to obtain a PGTIOU, but I am not able to get a PGT which I need 
for step 7 and onward.

CAS uses a callback that is set in the CAS client application (web.xml) to 
get the Proxy Granting Ticket which I cannot access.

I have tried providing a TGT (and Service Ticket) as the pgtId along with 
the PGTIOU like this URL:

/protected-web-app/proxyUrl?pgtId=TGT-1-UGTYmYoRP1NGBoMfNIM1asjWXd0RxYOywXTZEkB3VVTutHyAk6-cas01.example.org&pgtIou=PGTIOU-1-yrW7pUikYVZMOvaKolHCmGT4OW3rTZcxg01eVvplbvjrKWwyaw-cas01.example.org

However, I only get the "proxySuccess" back with no proxy ticket back:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/casClient">
  <cas:proxySuccess />
</cas:serviceResponse>

I should be getting the following back:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/casClient">
  <cas:proxySuccess>
    <cas:proxyTicket>PGT-xx</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>


Anyone know how I can get the PGT from the PGTIOU?

I am really hoping I do not get any responses of "Why do you need the PGT?" 
 To write this test I do need a PGT.

Regards



RE: [cas-user] Reflexion around SPNEGO authentication and external IDP

2016-06-28 Thread Misagh Moayyed
I am not sure I am entirely clear on your use case. You want to implement 
"computer auth" or domain-based AuthN via FrenchConnect's OIDC support?

To answer your other questions: Authentication can always be delegated to an 
external provider, such as another CAS server, a SAML2 IDP, an OIDC/OpenID 
provider, FB, Twitter, G+, etc. These are web-based. Not domain-based. There 
is no straightforward way to do this. In a nutshell and as a first, you 
need to know which OIDC profiles FrenchConnect supports. If they support 
implicit or hybrid, we can talk more. Otherwise, this is probably not 
possible without a whole lot of pain assuming I have understood your case 
correctly.

> -Original Message-
> From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Julien
> Gribonvald
> Sent: Tuesday, June 28, 2016 3:56 AM
> To: cas-user@apereo.org
> Subject: [cas-user] Reflexion around SPNEGO authentication and external 
> IDP
>
> Hi,
>
> In the ESUP consortium we are looking for a way to handle some possible use
> cases on how to integrate the new French government central "identity
> provider", which French administration services will be able to integrate to
> authenticate all French people on their apps (FranceConnect, and it uses the
> OpenID Connect protocol).
>
> So we know it's possible to integrate it without too much difficulty; we
> need only to use this service as an authentication handler, but we have some
> workflow to develop. Our problems aren't for web authentication but for
> computer auth (when using SPNEGO/Kerberos...).
>
> What can we do when the account's principals (login/password) are not known
> "locally"? In this case how to do it? Or how to delegate the computer
> authentication to a web-only external service?
> Is there a way, or is it possible, to connect the user from a web access
> when the user logs in from a computer?
>
> Reflexions are also welcome for such a use case!
>
> Thanks,
> --
> Julien Gribonvald
>



RE: [cas-user] Getting A Proxy Granting Ticket from A Proxy Granting Ticket IOU

2016-06-28 Thread Misagh Moayyed
There is a backchannel call made to your pgtUrl with the PGT in it, which 
your app should receive and then correlate with the PGTIOU it received from 
the original validation response. You’ll need to trace that call. Proxying 
could be disabled, the app could be disallowed or some weirdness with SSL 
outbound calls perhaps.



From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of William
Sent: Tuesday, June 28, 2016 2:49 PM
To: CAS Community 
Subject: [cas-user] Getting A Proxy Granting Ticket from A Proxy Granting 
Ticket IOU



I am writing a test case according to 
https://wiki.jasig.org/display/CAS/CAS+Functional+Tests

The particular test case I am writing is: "CAS 2.0 validation, acquire 
proxy-granting ticket, proxy authentication"

The step I am stuck on is: "6. Using your callback, correlate PGTIOU with PGT"

I am able to obtain a PGTIOU, but I am not able to get a PGT which I need 
for step 7 and onward.

CAS uses a callback that is set in the CAS client application (web.xml) to 
get the Proxy Granting Ticket which I cannot access.

I have tried providing a TGT (and Service Ticket) as the pgtId along with 
the PGTIOU like this URL:

/protected-web-app/proxyUrl?pgtId=TGT-1-UGTYmYoRP1NGBoMfNIM1asjWXd0RxYOywXTZEkB3VVTutHyAk6-cas01.example.org&pgtIou=PGTIOU-1-yrW7pUikYVZMOvaKolHCmGT4OW3rTZcxg01eVvplbvjrKWwyaw-cas01.example.org

However, I only get the "proxySuccess" back with no proxy ticket back:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/casClient">
  <cas:proxySuccess />
</cas:serviceResponse>

I should be getting the following back:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/casClient">
  <cas:proxySuccess>
    <cas:proxyTicket>PGT-xx</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>

Anyone know how I can get the PGT from the PGTIOU?

I am really hoping I do not get any responses of "Why do you need the PGT?" 
To write this test I do need a PGT.

Regards


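The back-channel correlation Misagh describes, written out as an added example (not code from this thread or from the CAS project). It models the client side of steps 5 to 7 of the functional test: the pgtUrl endpoint that CAS calls over the back channel, the PGTIOU to PGT map it fills, extraction of the PGTIOU from a serviceValidate response, and a strict parser for the /proxy response that refuses a proxySuccess with no proxyTicket (the symptom William reports). All XML samples, ticket values and the callback URL are constructed for the example; the endpoint name pgtCallback and the store class are hypothetical, and the namespace matching is done on local tag names so the non-standard xmlns shown in the thread would parse too.

```python
"""CAS 2.0 proxy flow, client side: receive the back-channel PGT callback,
correlate PGTIOU -> PGT, and parse the /proxy response.

Added example, not code from the thread or from the CAS project. The XML
samples and ticket values are constructed to match CAS 2.0 protocol shapes,
not captured from a real server.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample: serviceValidate response carrying the PGTIOU.
VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-example</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the two back-channel GETs CAS makes to the (hypothetical)
# pgtUrl, a bare reachability probe and then the real callback.
CALLBACK_PROBE = "https://app.example.org/pgtCallback"
CALLBACK = ("https://app.example.org/pgtCallback"
            "?pgtIou=PGTIOU-1-example&pgtId=PGT-1-example")

# Constructed samples: /proxy responses (success, empty success, failure).
PROXY_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess><cas:proxyTicket>PT-1-example</cas:proxyTicket></cas:proxySuccess>
</cas:serviceResponse>"""
PROXY_EMPTY = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess />
</cas:serviceResponse>"""
PROXY_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxyFailure code='INVALID_TICKET'>ticket not recognized</cas:proxyFailure>
</cas:serviceResponse>"""


def _find(root, name):
    """First element whose local name is `name`, ignoring the namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    return None


class PgtStore:
    """PGTIOU -> PGT map filled by the pgtUrl callback (hypothetical class).

    Entries are consumed on lookup so each PGT is handed out once; a real
    deployment would also expire entries that are never correlated.
    """

    def __init__(self):
        self._by_iou = {}

    def handle_callback(self, request_url):
        """Serve a back-channel GET from CAS; return the HTTP status to send.

        CAS first probes pgtUrl with no parameters, then calls it with pgtIou
        and pgtId. Both must get a 2xx, otherwise CAS drops the PGT and the
        validation response carries no proxyGrantingTicket at all.
        """
        qs = parse_qs(urlsplit(request_url).query)
        iou = qs.get("pgtIou", [None])[0]
        pgt = qs.get("pgtId", [None])[0]
        if iou is None and pgt is None:
            return 200  # reachability probe
        if not (iou and pgt) or not iou.startswith("PGTIOU-") or not pgt.startswith("PGT-"):
            return 400  # malformed: both parameters are required
        self._by_iou[iou] = pgt
        return 200

    def correlate(self, iou):
        """PGT for the PGTIOU taken from the validation response, or None."""
        return self._by_iou.pop(iou, None)


def pgtiou_from_validation(xml_text):
    """Extract the PGTIOU (cas:proxyGrantingTicket) from serviceValidate XML."""
    root = ET.fromstring(xml_text)
    if _find(root, "authenticationSuccess") is None:
        return None
    el = _find(root, "proxyGrantingTicket")
    return el.text.strip() if el is not None and el.text else None


def parse_proxy_response(xml_text):
    """Return ("success", PT) or ("failure", code) for a /proxy response."""
    root = ET.fromstring(xml_text)
    ok = _find(root, "proxySuccess")
    if ok is not None:
        pt = _find(ok, "proxyTicket")
        if pt is None or not pt.text:
            # proxySuccess with no proxyTicket is unusable; never treat it as a grant
            return ("failure", "MISSING_PROXY_TICKET")
        return ("success", pt.text.strip())
    fail = _find(root, "proxyFailure")
    if fail is not None:
        return ("failure", fail.get("code", "UNKNOWN"))
    return ("failure", "INVALID_RESPONSE")


def demo():
    """Steps 5-6 of the functional test: callback, then correlation."""
    store = PgtStore()
    store.handle_callback(CALLBACK_PROBE)
    store.handle_callback(CALLBACK)
    iou = pgtiou_from_validation(VALIDATE_OK)
    return store.correlate(iou)  # this PGT is what /proxy expects as pgtId


if __name__ == "__main__":
    print(demo())
```

Two points the example is built around: the value passed as pgtId to /proxy is the PGT that arrived at the callback, never a TGT or service ticket, so a test that skips the callback has nothing valid to send; and the store is keyed only by tickets received on that back channel, which is why the callback must sit on an HTTPS URL with a certificate the CAS server trusts (a failed probe or a rejected certificate is exactly the "no proxyGrantingTicket in the validation response" outcome Misagh points at).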