Re: [cas-user] pac4j SAML2Client and principal

2018-03-23 Thread Jérôme LELEU
Hi,

The behavior is to create the CAS principal and attributes from the pac4j
principal and attributes. So you should get the pac4j attributes at the end.
Ignore the log about the ClientCredential, the toString method just outputs
the id (not the attributes).

Is the service configured properly (with ReturnAllAttributeReleasePolicy
for example)?

Thanks.
Best regards,
Jérôme


On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda  wrote:

> Hi,
>
> I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> depending on the issue of which binding is being used for the
> , as detailed in an earlier note to this list).
>
> I am delegating authentication to a SAML2 IdP using pac4j.
>
> After a successful authentication I see in cas.log
>
> 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
>  OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUh
> ElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E
> 8uqJp0pzRmivQ== |
> attributes:
> {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[
> skora...@gmail.com],
> urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott
> Koranda], givenName=[Scott],
> urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z,
> uid=[scott.koranda],
> urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.kora...@sphericalcowgroup.com],
> notOnOrAfter=2018-03-22T14:49:45.460Z,
> eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com],
> urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
> permissions: [] | isRemembered: false | clientName: null | linkedId:
> null |>
>
> Those are the values for NameID (transient) and attributes that I
> expect.
>
> The next line in cas.log is
>
> 2018-03-22 14:44:46,402 INFO
> [org.apereo.cas.authentication.AbstractAuthenticationManager] -
>  [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]
> with attributes [{}] via credentials
> [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=
> AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].>
>
> So it appears that the NameID value (transient) is being used as the
> principal, but none of the attributes are making it from the pac4j layer
> into the CAS layer.
>
> Is that a correct assessment?
>
> If so, how can I
>
> a) change what value is used for the principal? I would like to use the
> value from one of the asserted attributes.
>
> b) push the attributes into the CAS layer to make them available for
> assertion downstream to the CAS client?
>
> I have reviewed the documentation for the Delegated/pac4j authentication at
>
> https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html
>
> and that for Attribute Resolution at
>
> https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html
>
> but I am not able to find a configuration option that appears to tell
> pac4j to push the attributes into the Authentication object.
>
> Thank you for your consideration.
>
> Scott K
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279Lxnu8HSxPMQzxLvCW0Ee0-RmBVEGq%2BC67PRqajwz0Q5Tg%40mail.gmail.com.


[cas-user] Does anyone use ssoEnabled in service definitions

2018-03-23 Thread Ted Fisher
I’d like to try to rephrase my question since I only got one response:

Is anyone using ssoEnabled set false in service definitions to effect the same 
as renew=true from the client side?

I haven’t been able to get it to work and even insane levels of logging don’t 
reveal much, which puts me at a dead end.

Can anyone suggest what the problem might be or where I could look for how to 
get it working?

Thanks.

Ted Fisher

From: cas-user@apereo.org  On Behalf Of Ted Fisher
Sent: Tuesday, March 20, 2018 10:09 AM
To: cas-user@apereo.org
Subject: [cas-user] ssoEnabled in service definition not working correctly


We are running CAS 4.1.5 and we need to make a couple services do 
authentication only through CAS without creating an SSO session – that is force 
renew=true from the CAS server and do not create a session after authenticating 
(no TGT).  My understanding of how to do this (per 
https://apereo.github.io/cas/4.2.x/installation/Configuring-SSO-Session-Cookie.html)
is to set create.sso.renewed.authn=false in cas.properties and include these 
in the service definition:

   "accessStrategy" : {
     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
     "enabled" : true,
     "ssoEnabled" : false
   },

However, when I do this it does not allow authentication at all with the 
following complaint in the log:
[org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceManagement: Service 
[https://ssotest.bgsu.edu … is not allowed to use SSO.
Am I missing something?  Can anyone suggest why it is not processing the 
service parameters as it seems it should?

Thanks.

Ted Fisher
ITS, BGSU


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR05MB29339FFE13545423F8F44CA8C0AB0%40CY4PR05MB2933.namprd05.prod.outlook.com.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR05MB293322A0CE40570D36D9C929C0A90%40CY4PR05MB2933.namprd05.prod.outlook.com.


Re: [cas-user] Does anyone use ssoEnabled in service definitions

2018-03-23 Thread Man H
Put service with ssoenabled=false in first order of evaluation

El jueves, 22 de marzo de 2018, Ted Fisher  escribió:

> I’d like to try to rephrase my question since I only got one response:
>
> Is anyone using ssoEnabled set false in service definitions to effect the
> same as renew=true from the client side?
>
> I haven’t been able to get it to work and even insane levels of logging
> don’t reveal much, which puts me at a dead end.
>
> Can anyone suggest what the problem might be or where I could look for how
> to get it working?
>
> Thanks.
>
> Ted Fisher
>
> From: cas-user@apereo.org  On Behalf Of Ted Fisher
> Sent: Tuesday, March 20, 2018 10:09 AM
> To: cas-user@apereo.org
> Subject: [cas-user] ssoEnabled in service definition not working correctly
>
> We are running CAS 4.1.5 and we need to make a couple services do
> authentication only through CAS without creating an SSO session – that is
> force renew=true from the CAS server and do not create a session after
> authenticating (no TGT).  My understanding of how to do this (per
> https://apereo.github.io/cas/4.2.x/installation/Configuring-SSO-Session-Cookie.html)
> is to set create.sso.renewed.authn=false in cas.properties and include
> these in the service definition:
>
>    "accessStrategy" : {
>      "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>      "enabled" : true,
>      "ssoEnabled" : false
>    },
>
> However, when I do this it does not allow authentication at all with the
> following complaint in the log:
>
> [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceManagement:
> Service [https://ssotest.bgsu.edu … is not allowed to use SSO.
>
> Am I missing something?  Can anyone suggest why it is not processing the
> service parameters as it seems it should?
>
> Thanks.
>
> Ted Fisher
>
> ITS, BGSU
>

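Both the attribute-release question in Jérôme's reply further up (is the service configured with a release policy such as ReturnAllAttributeReleasePolicy?) and the evaluation-order point in this reply come down to the same thing: which registered service definition CAS matches for the request. The Python below is an added example, not CAS code and not anything posted in this thread. It models my reading of two documented CAS rules, that services are tried in ascending evaluationOrder with the first matching serviceId regex winning (Java Matcher.find(), mirrored here with re.search), and that the matched service's attributeReleasePolicy decides which principal attributes are released. The service names, the ssotest.example.edu URL and the attribute values are constructed for the example; the attribute names are the ones visible in Scott's pac4j log.

```python
"""Model of CAS registered-service matching and attribute release.

Added example, not CAS code.  Services are tried in ascending
evaluationOrder, the first serviceId regex that matches the request URL
wins, and its attributeReleasePolicy decides what is released.
"""
import json
import re

# Constructed definitions in the CAS 5 JSON format (assumed names/URLs).
# A catch-all at evaluationOrder 10 shadows the restricted service at 20.
SERVICE_JSON = r"""[
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https://.*", "name": "catch-all", "id": 1001, "evaluationOrder": 10,
   "accessStrategy": {"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
                      "enabled": true, "ssoEnabled": true},
   "attributeReleasePolicy": {"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"}},
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https://ssotest\\.example\\.edu(/.*)?$", "name": "ssotest-no-sso",
   "id": 1002, "evaluationOrder": 20,
   "accessStrategy": {"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
                      "enabled": true, "ssoEnabled": false},
   "attributeReleasePolicy": {"@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
                              "allowedAttributes": ["java.util.ArrayList", ["eduPersonPrincipalName", "mail"]]}}
]"""

# Constructed principal attributes: names from the pac4j log, made-up values.
PRINCIPAL_ATTRIBUTES = {
    "eduPersonPrincipalName": ["alice@example.edu"],
    "mail": ["alice@example.edu"],
    "uid": ["alice"],
    "displayName": ["Alice Example"],
}


def load_services(text):
    """Parse a JSON array of CAS service definitions."""
    return json.loads(text)


def resolve_service(services, service_url):
    """First definition, in evaluationOrder (then name), whose serviceId
    regex matches the URL.  re.search mirrors Java's Matcher.find().
    Returns None when no definition matches (an unregistered service)."""
    ordered = sorted(services, key=lambda s: (s.get("evaluationOrder", 0), s.get("name", "")))
    for svc in ordered:
        if re.search(svc["serviceId"], service_url):
            return svc
    return None


def released_attributes(service, principal_attributes):
    """Apply the service's attributeReleasePolicy.  ReturnAll releases
    everything; ReturnAllowed keeps only the allow-list; any other or
    missing policy releases nothing, which is what an empty attributes map
    in the CAS authentication log looks like even when pac4j resolved them."""
    policy = service.get("attributeReleasePolicy") or {}
    cls = policy.get("@class", "")
    if cls.endswith("ReturnAllAttributeReleasePolicy"):
        return dict(principal_attributes)
    if cls.endswith("ReturnAllowedAttributeReleasePolicy"):
        allowed = policy.get("allowedAttributes", [])
        if len(allowed) == 2 and allowed[0] == "java.util.ArrayList":
            allowed = allowed[1]  # CAS serialises lists as [type, items]
        return {k: v for k, v in principal_attributes.items() if k in allowed}
    return {}


def describe_request(services, service_url, principal_attributes):
    """Which service CAS would pick, whether SSO is allowed for it (CAS
    defaults ssoEnabled to true), and what it would release."""
    svc = resolve_service(services, service_url)
    if svc is None:
        return {"service": None, "ssoEnabled": None, "attributes": {}}
    return {"service": svc["name"],
            "ssoEnabled": svc.get("accessStrategy", {}).get("ssoEnabled", True),
            "attributes": released_attributes(svc, principal_attributes)}


def with_evaluation_order(services, name, order):
    """Copy of the list with one service's evaluationOrder changed."""
    return [dict(s, evaluationOrder=order) if s["name"] == name else s for s in services]


if __name__ == "__main__":
    url = "https://ssotest.example.edu/secure/app"
    services = load_services(SERVICE_JSON)
    print("as configured:", describe_request(services, url, PRINCIPAL_ATTRIBUTES))
    fixed = with_evaluation_order(services, "ssotest-no-sso", 5)
    print("restricted first:", describe_request(fixed, url, PRINCIPAL_ATTRIBUTES))
```

As configured, the request from ssotest resolves to the catch-all: SSO stays enabled and every attribute is released, so the ssoEnabled=false definition never takes effect. Moving the restricted service to a lower evaluationOrder makes it win, and only the two allow-listed attributes come out. The same shadowing explains why a broad `^https://.*` definition with ReturnAllAttributeReleasePolicy is worth a second look in production: it hands the full attribute set to any HTTPS service that is not matched by an earlier, narrower definition.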

[cas-user] Multiple PAC4J Clients - Unauthorized Access

2018-03-23 Thread RJ
One PAC4J client works great; however, when multiple clients are defined,
the login flow throws an error:

/cas/login?client_name=abc throws error: Unauthorized Access
/cas/login?client_name=def throws error: Unauthorized Access
/cas/login shows the default login page


properties:
cas.authn.pac4j.saml[0].clientName=abc
cas.authn.pac4j.saml[0].keystorePassword=
cas.authn.pac4j.saml[0].privateKeyPassword=
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://tempsp01.example.com
..

cas.authn.pac4j.saml[1].clientName=def
cas.authn.pac4j.saml[1].keystorePassword=
cas.authn.pac4j.saml[1].privateKeyPassword=
cas.authn.pac4j.saml[1].serviceProviderEntityId=https://tempsp01.example.com
..

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CACNfiMJt1ccrL9pngiB1GaHispJVCEN59v3U54AVU36MvSUrnA%40mail.gmail.com.


Re: [cas-user] CAS 5.2.2 how can I setting custom login page?

2018-03-23 Thread Ben Howell-Thomas
You can override it in your Maven overlay.  Find loginform.html in the CAS source.

Copy it (and as much of the associated parts as needed) into your Maven
overlay project.

loginform.html will end up
under src/main/resources/templates/fragments/loginform.html

On 22 March 2018 at 07:43, ChangWon Son  wrote:

> Hi.
>
> I built the CAS server using the cas-overlay-template project and can't
> find any documentation about setting a custom login page.
>
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#views
> or
> https://apereo.github.io/cas/5.2.x/installation/User-Interface-Customization.html
>
> Only the default CAS login theme is displayed.
>
> https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/k-yfoou7Zy0
> I used the same settings as in the article above.
>
> I created a custom casLoginView.html and put it in the
> cas-gradle-overlay-template/src/main/resources/templates
> directory.
>
> cas.properties
>
> cas.theme.paramName=theme
> cas.theme.defaultThemeName=
>
> and..
>
> cas-gradle-overlay-template/src/main/resources/service/-1001.json
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://.*",
>   "name" : "",
>   "theme": "",
>   "id" : 1001,
>   "evaluationOrder" : 10,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
>
> But only the default theme login page is displayed.
>
> How can I set a custom login page?
>


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD0p8pvAgF7NQdAzC9oEW2TgxUaEb-Z18qfVdu_WGkXK8DD0YQ%40mail.gmail.com.


[cas-user] certificates

2018-03-23 Thread Cheltenham, Chris
Hello Everyone, 

Are we to create a certificate XX.der configured in cas.properties separate 
from the Tomcat or Jetty keystore? 




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1290511545.2780565.1521854222781.JavaMail.zimbra%40philasd.org.