[cas-user] Re: TerminateWebSessionListener issue

2016-11-03 Thread Linda Toth
Hello

I focused on the test environment, which has fewer users, making it easier
to trace a particular user session.  I was finally able to track down the
meaning of this exception in my logs, although the result was not what I
expected.

In the cas.log for 11/2/2015 on our TEST environment, I found references to
a Ticket Granting Ticket,
TGT-7-q699ZXxfKNPnHU1X9d3zBXfOKwXfLTZLaWQXplYhxX6pv9gauL-cas-test.alaska.edu


Today, 11/3, that ticket was still in memory so when the same user logged
in, it first attempted to get that ticket, found the FlowSession had
expired, then issued another ticket.  This is creating a phenomenon whereby
a user gets the successful login page, rather than the target URL.  If the
user backspaces or tries to enter the URL, a new TGT is granted, followed
by the service ticket.

I confirmed with the EAS staff member that in fact he did receive that
message today when he logged into BEIS TEST.

The parameters on this system are not set for over 24 hours.  Why is that
ticket still active in memory?

Here are the parameters as they are currently set:

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


On Thu, Nov 3, 2016 at 1:48 PM, Linda Toth  wrote:

> I think this issue contributed to CAS failing 10/31.  I noticed that it
> was opened as early as 2012 for 3.5.1, and there were several other reports
> of the same issue.
>
> I have been searching through the forums to find suggested parameter
> settings to resolve the issue.  Does anyone have any insight into this?
>
> Linda
>
>
> Linda Toth
> University of Alaska - Office of Information Technology (OIT) - Identity
> and Access Management
> 910 Yukon Drive, Suite 103
> Fairbanks, Alaska 99775
> Tel: 907-450-8320
> Fax: 907-450-8381
> linda.t...@alaska.edu | www.alaska.edu/oit/
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOi1v6OktwQ1pVU1jWcStbTJLXFnTFL%2Bu4d7Fyvc%3DkGgEa-Etw%40mail.gmail.com.


[cas-user] TerminateWebSessionListener issue

2016-11-03 Thread Linda Toth
I think this issue contributed to CAS failing 10/31.  I noticed that it was
opened as early as 2012 for 3.5.1, and there were several other reports of
the same issue.

I have been searching through the forums to find suggested parameter
settings to resolve the issue.  Does anyone have any insight into this?

Linda


Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/



[cas-user] CAS 5 RC4 and MFA Google authenticator

2016-11-03 Thread Huancar Vargas
Could you give me an example to setup a google authenticator please?

I tried to do it with cas documentation  but i can't do it.

Thanks in Advance,
Huancar Vargas 



[cas-user] Re: CAS - SAML 2.0, PHP and Facebook

2016-11-03 Thread Linda Toth
Martin Bohun provided his source and experience for such an implementation.

Thanks, everyone.

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/


On Wed, Nov 2, 2016 at 3:28 PM, Linda Toth  wrote:

> Has anyone integrated CAS SSO to Facebook?
>
> Linda
>
> --
> Linda Toth
> University of Alaska - Office of Information Technology (OIT) - Identity
> and Access Management
> 910 Yukon Drive, Suite 103
> Fairbanks, Alaska 99775
> Tel: 907-450-8320
> Fax: 907-450-8381
> linda.t...@alaska.edu | www.alaska.edu/oit/
>
>



Re: [cas-user] Can application get TGT ticket?

2016-11-03 Thread Yan Zhou
Thanks for the suggestions.

Going with my scenario, first, the user logs in to A via CAS, then AngularJS
calls B.  There is no session for B, so the REST call returns 401; however,
we should not be asking the user to log in again, since he has already logged
into A.  A and B are SSO via CAS.

What we need to do is to get CAS login flow to work in Ajax just as it is
in browser.

The issue with the redirect you provided is when B's session expires. A won't
know, thus there is no way to repeat the redirect trick. Further, we will
likely have B, C, E all as REST service backends, which gets a little
hard to manage.

Thanks,
Yan

On Thu, Nov 3, 2016 at 12:02 PM, Pascal Rigaux  wrote:

> On 02/11/2016 21:12, Yan Zhou wrote:
>
> Can you elaborate on JSONP?
>>
> > Would app. B now have to know user's password?
>
> No need.
> JSONP is pre-CORS. It has some limitations compared to Ajax, but some
> useful possibilities, like auto CAS login.
> Here is an example of adding auto login in angularJS:
> https://github.com/prigaux/angular-seed/commit/4d51d23280eb959a3d1773b2fcc69c4cf50ccd88
>
> By the way, another simpler solution is to allow restricted redirect after
> login in app B.
> Make the user go to:
> - https://b/login?redirect=https://a/
>   which redirects to (normal CAS login)
> - https://cas/login?service=https://b/login?redirect=https://a/
>   which redirects to
> - https://b/login?redirect=https://a/=
>   => set-cookie of application b
>   which redirects to
> - https://a
>   this app can do AJAX request https://b/rest
>   => works since cookie of app B
>
> cu
>
>



[cas-user] 5.x configuring management webapp

2016-11-03 Thread Richard Frovarp
I'm having a very difficult time configuring the management web 
application. Using RC5-SNAPSHOT. I keep getting URLs like this:


https://wings.cc.ndsu.nodak.edu/cas/login?service=http%3A%2F%2Flocalhost%3A8081%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient

Problem is that the management application isn't running on 8081, so I 
have no idea where that port number is coming from. I also thought I 
configured it to use the actual host name instead of localhost. I can't 
figure out how and where the service URL is being configured. Grepping 
through absolutely everything, I can't find 8081. CAS itself is running 
on 8081, but is being proxied via HTTPD. I have another PHP based 
application from a different host going to this CAS just fine, and it 
isn't insisting on sticking 8081 in for the port.



server.name=https://wings.cc.ndsu.nodak.edu
server.port=8080
cas.server.name=https://wings.cc.ndsu.nodak.edu
cas.server.prefix=${cas.server.name}/cas
cas.mgmt.serverName=https://wings.cc.ndsu.nodak.edu

Where is the localhost and 8081 coming from?

Thanks,

Richard



Re: [cas-user] Can application get TGT ticket?

2016-11-03 Thread Pascal Rigaux

On 02/11/2016 21:12, Yan Zhou wrote:


Can you elaborate on JSONP?

> Would app. B now have to know user's password?

No need.
JSONP is pre-CORS. It has some limitations compared to Ajax, but some useful 
possibilities, like auto CAS login.
Here is an example of adding auto login in angularJS:
https://github.com/prigaux/angular-seed/commit/4d51d23280eb959a3d1773b2fcc69c4cf50ccd88

By the way, another simpler solution is to allow restricted redirect after 
login in app B.
Make the user go to:
- https://b/login?redirect=https://a/
  which redirects to (normal CAS login)
- https://cas/login?service=https://b/login?redirect=https://a/
  which redirects to
- https://b/login?redirect=https://a/=
  => set-cookie of application b
  which redirects to
- https://a
  this app can do AJAX request https://b/rest
  => works since cookie of app B

cu



Re: [cas-user] Can application get TGT ticket?

2016-11-03 Thread Dmitriy Kopylenko
Just to be clear - the CAS protocol was never designed to work with Ajax and REST 
resources (non-interactive service-to-service).

Best,
D.
--

> On Thursday, Nov 03, 2016 at 11:10 AM, Yan Zhou wrote:
> Hello,
>
> The basic problem is that CAS login flow works in browser. However, because 
> of the series of redirect involved, CAS login flow does not seem to work in 
> Ajax.
>
> This is my set-up: App A has UI with AngularJS and backend, App B has NO UI 
> and it offers REST services including Credit card services. Both are casified 
> and we have total control. We are trying to use CAS to protect REST services 
> in B.
>
> App B must be deployed in a PCI environment, but App A need not be. If App A were 
> going to talk to or proxy App B, that would not be allowed by PCI standards, 
> because A would see credit card info passing along to B, but A is not 
> deployed in a PCI environment.
>
> The idea is for UI (AngularJS) to talk to App B directly, so that there is 
> not anything else between user and PCI environment. I am making the point 
> that Proxy Authentication is not a solution here.
>
> Here is what I am trying to do: a user from the Internet first logs in to CAS and 
> goes to App A's UI. From there, JavaScript makes an Ajax call to App B's REST 
> service. This results in a series of redirects before an application session 
> in B is established and the REST call can proceed. In Ajax, it is failing.
>
> Thanks,
> Yan
>
>
> On Wed, Nov 2, 2016 at 5:42 PM, Ray Bon wrote:
> > Yan,
> >
> > If I understand correctly, you have deployed App A and App B. You are neither 
> > able nor willing to change the CAS config on App B because it breaches PCI 
> > compliance.
> > It seems odd that PCI compliance would allow any user access but not allow 
> > a proxy.
> > Did you create app A or are both apps from third party vendors?
> >
> > If app B needs to know the user that is sending the request, then you will 
> > have to use clearpass, 
> > https://apereo.github.io/cas/4.0.x/integration/ClearPass.html.
> > If app B only needs to have an authenticated user, then perhaps App A can 
> > perform the log in on behalf of all users. The Ajax calls would go from App 
> > A UI to App A service that makes the REST calls.
> >
> > What do the creators of App B suggest for authentication?
> >
> > Ray
> >
> >
> > On 2016-11-02 13:12, Yan Zhou wrote:
> > > thanks for the feedback.
> > >
> > > Unfortunately, we cannot use Proxy Authentication, due to PCI 
> > > implications. A non-PCI-compliant app proxying a PCI (credit card) service 
> > > would not be allowed by PCI standards.
> > >
> > > The reason we run into problems with CAS-protected REST services (App B, 
> > > no UI) is that Ajax somehow does not handle redirects (even after I 
> > > enable CORS). The browser does it fine, but it fails when Ajax tries to access 
> > > the REST endpoint without an application session in place, thus triggering 
> > > the CAS login flow with all the redirects.
> > >
> > > I do not see how OAuth solves that problem. Does that require a login 
> > > page UI to redirect to and back? Would that not run into the same problem 
> > > with Ajax?
> > >
> > > Can you elaborate on JSONP? Would app. B now have to know user's 
> > > password? CAS is nice because the application does not see user's 
> > > password, only CAS server does.
> > >
> > > Thx,
> > > Yan
> > >
> > > On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux wrote:
> > > > Hi,
> > > >
> > > > Solutions:
> > > > - proxy CAS: As the proxy ticket can only be validated once, you will 
> > > > need to cache the ticket, or create your own session
> > > > - JWT: create a JWT and check it on app B.
> > > > - oauth
> > > > - JSONP login on app B. We are using this quite a lot. Simple and works 
> > > > great.
> > > > Commits implementing this on angular-seed : 
> > > > https://github.com/prigaux/angular-seed/commits/master
> > > > and especially the first one: 
> > > > https://github.com/prigaux/angular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
> > > > I wrote some doc on this, alas in french: 
> > > > http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7
> > > >
> > > > Happy CAS,
> > > > cu
> > > >
> > > > On 01/11/2016 20:22, Yan Zhou wrote:
> > > > > Hello,
> > > > >
> > > > > CAS protocol does not let the apps (CAS client) get TGT ticket. We 
> > > > > have a need for that.
> > > > >
> > > > > We have two web apps, both are casified in CAS 4.1.X. One web app has 
> > > > > AngularJS (Javascript) front end, and, the other webapp is UI-Less, 
> > > > > it just offers REST services.
> > > > >
> > > > > JavaScript code in App A wants to call the REST API in App B. We ran into 
> > > > > problems with CORS, etc. But even after CORS is enabled, we still run 
> > > > > into trouble.
> > > > >
> > > > > So, the thought is, if Javascript code can 

Re: [cas-user] CAS - SAML 2.0, PHP and Facebook

2016-11-03 Thread Doug Wismer
Not sure if you could do that.  But if you are an Ellucian customer, you
could try Ethos Identity Service.  There is no extra license fee for it.

http://www.ellucian.com/Solution-Sheets/Ellucian-Identity-Service/

It provides Single Sign-On protocol translation across CAS, SAML,
WSTrust/WS-Federation, OpenID Connect as well as others.  I would assume
Facebook supports SAML.

On Wed, Nov 2, 2016 at 5:28 PM Linda Toth  wrote:

> Has anyone integrated CAS SSO to Facebook?
>
> Linda
>
> --
> Linda Toth
> University of Alaska - Office of Information Technology (OIT) - Identity
> and Access Management
> 910 Yukon Drive, Suite 103
> Fairbanks, Alaska 99775
> Tel: 907-450-8320
> Fax: 907-450-8381
> linda.t...@alaska.edu | www.alaska.edu/oit/
>
>
