Re: [cas-user] SSO + Local Authentication

2018-03-26 Thread Man H
Try connectButton href /cas/login?service=

On Monday, 26 March 2018, Maxime Marty-Dessus <
maxime.marty-des...@aidimpact.com> wrote:

> Hello everybody :)
>
> So here's my problem
> I am currently working on a login interface project for our application. The
> client wants to have two ways of logging in to our app:
>
>- Login via their CAS (we don't own this CAS)
>- Login via a "local" login/password, if, for instance, the client
>wants an external consultant to access the application without registering
>him in the CAS
>
> We already managed to develop the interface. This is a simple webpage,
> where the client can either click on a "Connect" button, redirecting him to
> the CAS, or a "Local LogOn" button, which redirects him to a form to fill
> in with local credentials. In both cases, the user is redirected to our app
> and logged in with the correct credentials.
>
>
> BUT, the client doesn't want to click on the "Connect" button; he wants
> to be automatically redirected to our app if he is already connected on the
> CAS.
>
> The problem is, if I automatically redirect him to the CAS, the user can't
> use the Local LogOn way because he will be blocked on the CAS.
>
>
> Is there a way to query the CAS whether the user is already logged in, without
> redirecting him to it? Or another way to do the trick?
>
>
> If you have any hint to solve this problem, it will be very much
> appreciated.
>
>
> Thank you in advance for your future answers!
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/92235380-351b-460e-b3de-
> b78f9d4f99a7%40apereo.org
> 
> .
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5mid_VPfEX7cQ2B4j_AeEMgVneiXXH4%3DtUvjuLTfRcM%2Bqqw%40mail.gmail.com.


[cas-user] CAS 5.3.0-RC2 LDAP Authentication and cas.authn.ldap[0].userFilter property

2018-03-26 Thread 'Darin T. Russell' via CAS Community
Hello All

I've been running CAS 5.2.4-SNAPSHOT using LDAP authentication with no 
problems.  When I try to use CAS 5.3.0-RC2 I get errors with my 

cas.authn.ldap[0].userFilter=cn={user}

property.  When I have it in my cas.properties file, CAS exits with the 
following error on startup -

2018-03-27 00:59:53,803 WARN [org.apereo.cas.web.CasWebApplicationContext] - 


If I comment the property out, CAS gets to the point of trying to initialize my 
direct bind to the LDAP server, but then stops with this error - 

2018-03-27 01:22:16,484 WARN [org.apereo.cas.web.CasWebApplicationContext] - 


I know CAS 5.3.0 has made changes to configuration binding behaviour, and I 
have found and made some changes to my cas.properties, but I can't work this 
one out.  I've searched through the current Development docs, but can't find 
any reference to cas.authn.ldap[0].userFilter anywhere!  Has it been changed, 
and I am missing the new name, or is this a bug?  I am at a loss.

Thanks in advance
Darin

Darin Russell 
Assistant Manager Information Technology - Moore Theological College


Phone: +61 2 9577 9893 |  
Address: 1 King Street, Newtown NSW 2042 Australia | Web: www.moore.edu.au | 
CRICOS Provider Code: 00682B


To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/HK2PR0601MB1827C7EE71F98711A0CECF10DCAC0%40HK2PR0601MB1827.apcprd06.prod.outlook.com.


[cas-user] Re: SSO + Local Authentication

2018-03-26 Thread Andy Ng
Hello :)

If by "your app" you mean a web application, then I might be able to help you.
(Even if you are implementing an Android / iOS app, this might also help you.)

A few months back, my colleague wanted to understand how to check whether the CAS
login succeeded without actually showing the login page to the user (like your
case).

So I wrote this simple one-page HTML + JavaScript demo to help my colleague
implement the check-CAS logic. (The page is at the bottom of this email.)

You might be able to reference this and understand how to implement such a
check yourself.

Cheers,
- Andy

What you need:
- Your service ID (you should be able to ask your client to provide you
this): https://example.client.com/check_cas
- Your destination CAS server: https://their.cas.server

A few things to note for this program:

- This page just acts as a demo; use it carefully and understand that I am not
  responsible for any risk involved.

- Since I have no rights to https://example.client.com/check_cas, this HTML
  was written without concern for it; before running this script you need to
  *disable the same origin policy* (you may find this link useful:
  https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome)

  - Disabling the same origin policy might cause security concerns for your
    browser; *make sure to only access this HTML page when disabling the same
    origin policy*.

- Detailed usage of this page is contained inside the code (i.e. click on the
  Step 1 button, then click on the Step 2 button).

  - The *time interval* between clicking the first button and the second
    button *should be less than 5 seconds*.

  - Ultimately, both step 1 and step 2 should be done via programs, hence
    the ticket timeout duration should not matter.

*index.html* (the same as the attached file)

<!DOCTYPE html>
<html>
<head>
  <title>Simple CAS Ticket Usage</title>
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
  <script>
    // Allow easy access to a GET parameter of a URL
    $.urlParam = function(url, name) {
      var results = new RegExp('[?&]' + name + '=([^&#]*)').exec(url);
      if (results == null) {
        return null;
      } else {
        return decodeURI(results[1]) || 0;
      }
    };
    // Allow easy access to a GET parameter end

    $(function() {
      var casUrl = "https://their.cas.server";
      // The service must be exactly the service ID registered with the client's CAS
      // (scheme included); otherwise serviceValidate rejects the ticket.
      var service = "https%3A%2F%2Fexample.client.com%2Fcheck_cas";
      var step1Url = casUrl + "/cas/login?service=" + service;
      var step2Url = casUrl + "/cas/p3/serviceValidate?service=" + service + "&ticket={{TICKET_INSERT_HERE}}";

      $("#step1Url").text(step1Url);
      $("#step2Url").text(step2Url);

      // STEP 1 LOGIC: load the CAS login URL in an iframe. If this browser already has a
      // CAS SSO session, CAS redirects back to the service URL with ?ticket=ST-...
      $("#step1_checkCas").click(function() {
        document.getElementById('step1_iframe').src = step1Url;
      });

      $('#step1_iframe').on('load', function() {
        // Reading a cross-origin frame's location only works with the same origin policy disabled
        var step1FinalUrl = document.getElementById("step1_iframe").contentWindow.location.href;
        var ticket = $.urlParam(step1FinalUrl, 'ticket');
        $("#step1_finalUrl").val(step1FinalUrl);
        if (ticket == null) {
          alert("User Not Login, please login user in the same browser");
          step2Url = casUrl + "/cas/p3/serviceValidate?service=" + service + "&ticket=" + "{{TICKET_INSERT_HERE}}";
        } else {
          $("#step1_Ticket").val(ticket);
          step2Url = casUrl + "/cas/p3/serviceValidate?service=" + service + "&ticket=" + ticket;
          $("#step2Url").text(step2Url);
        }
      });
      // STEP 1 LOGIC ENDS

      // STEP 2 LOGIC: validate the ticket with CAS and show the XML response (user + attributes)
      $("#step2_getUserInfo").click(function() {
        $.ajax({
          url: step2Url,
          type: "GET",
          dataType: "text",
          success: function(data) {
            console.log("Step 2 Loaded: ", data);
            $("#step2_result").text(data);
          }
        });
      });
      // STEP 2 LOGIC ENDS
    });
  </script>
</head>
<body>
  <p><b>Make sure to disable the same origin policy while using this html program</b></p>
  <p>For Chrome, you can open chrome.exe like this [chrome.exe --disable-web-security --user-data-dir="D:/Chrome"]</p>
  <p>Note: disabling the same origin policy has security concerns for your browser, please review this code first, and only use the "same origin policy disabled" browser for this page</p>
  <p>For more info, read this <a href="https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome">https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome</a> page</p>

  <h3>Step 1:</h3>
  <button id="step1_checkCas">Step 1: Get Ticket</button>
  [Accessing: <span id="step1Url"></span>]
  <p>Step 1 Final URL: <input id="step1_finalUrl" size="100" readonly></p>
  <p>Step 1 Ticket: <input id="step1_Ticket" size="60" readonly></p>
  <iframe id="step1_iframe" width="600" height="200"></iframe>

  <h3>Step 2:</h3>
  <button id="step2_getUserInfo">Step 2: Get User Info</button>
  [Accessing: <span id="step2Url"></span>]
  <pre id="step2_result"></pre>
</body>
</html>
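The same two steps (login redirect, then /p3/serviceValidate) done server-side, as an added example that is not code from Andy's post or from CAS. It assumes the CAS base URL and service ID used above (https://their.cas.server/cas and https://example.client.com/check_cas) and embeds two constructed serviceValidate responses in the CAS protocol's XML format. Instead of disabling the browser's same-origin policy, it uses the protocol's gateway=true parameter, which makes CAS redirect back without showing its login form: with a ticket if an SSO session exists, without one otherwise, so the application can fall back to its local login form. The ticket character set in the regex is an assumption.

```python
"""Server-side CAS service-ticket check (added example; not code from the post or from CAS)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the post above; the /cas context path is part of the base URL.
CAS_BASE = "https://their.cas.server/cas"
SERVICE = "https://example.client.com/check_cas"

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Service tickets start with "ST-" (CAS protocol); the allowed character set is an assumption.
TICKET_RE = re.compile(r"^ST-[A-Za-z0-9._-]+$")


def gateway_login_url(cas_base=CAS_BASE, service=SERVICE):
    """With gateway=true CAS never shows its login form: it redirects back to
    `service` with ?ticket=ST-... if an SSO session exists, and without a ticket
    otherwise. The application can then fall back to its own local login form."""
    return cas_base + "/login?" + urlencode({"service": service, "gateway": "true"})


def extract_ticket(redirected_url):
    """Ticket from the URL CAS redirected back to, or None if there is none.
    The value is only used to build the validation request; it proves nothing by itself."""
    values = parse_qs(urlsplit(redirected_url).query).get("ticket", [])
    if not values or not TICKET_RE.match(values[0]):
        return None
    return values[0]


def service_validate_url(ticket, cas_base=CAS_BASE, service=SERVICE):
    """The /p3/serviceValidate request. `service` must be byte-for-byte the value
    used in the login redirect, or CAS answers with an authenticationFailure."""
    return cas_base + "/p3/serviceValidate?" + urlencode({"service": service, "ticket": ticket})


def parse_service_validate(xml_text):
    """Parse the XML that CAS returns from /p3/serviceValidate.
    Success: {"ok": True, "user": ..., "attributes": {name: [values]}}
    Failure: {"ok": False, "code": ..., "message": ...}"""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        attributes = {}
        attr_block = success.find("cas:attributes", CAS_NS)
        if attr_block is not None:
            for child in attr_block:
                name = child.tag.split("}", 1)[-1]  # strip the namespace prefix
                attributes.setdefault(name, []).append((child.text or "").strip())
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        return {"ok": True, "user": user, "attributes": attributes}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", ""), "message": (failure.text or "").strip()}
    raise ValueError("not a CAS serviceResponse")


# Constructed sample responses in the CAS protocol's XML format (not captured from a real server).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:mail>casuser@example.org</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket 'ST-1-abc' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(gateway_login_url())
    ticket = extract_ticket(SERVICE + "?ticket=ST-1-ekjABqJkYU9gJdlkLxHd-DL-GB46TC2")
    print(service_validate_url(ticket))
    print(parse_service_validate(SUCCESS_RESPONSE))
    print(parse_service_validate(FAILURE_RESPONSE))
```

The application should only ever treat the user as authenticated after its own server has called the serviceValidate URL over TLS and received authenticationSuccess; a ticket seen in a browser redirect is single-use and short-lived, which is why Andy's demo needs the two clicks within a few seconds.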
[cas-user] Re: SPNEGO \ LDAP \ KERBEROS and CAS 5.2 - 'map[[empty]]' error

2018-03-26 Thread Ss Zz
This is the FULL output while I'm trying to access the application (CAS client)
https://some_app.domen.com

2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - [SpnegoCredential]>
2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - [JcifsSpnegoAuthenticationHandler]>
2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - [[JcifsSpnegoAuthenticationHandler]]>
2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.DefaultPrincipalElectionStrategy] -
2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - https://some-app.apps.domen.com,originalUrl=https://some-app.apps.domen.com,artifactId=,principal=,loggedOutAlready=false,format=XML]]>
2018-03-26 22:52:16,681 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
2018-03-26 22:52:16,697 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] -
2018-03-26 22:52:16,697 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2018-03-26 22:52:16,697 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] -
2018-03-26 22:52:16,697 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
2018-03-26 22:52:16,697 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - [SpnegoCredential]>
2018-03-26 22:52:16,713 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - [JcifsSpnegoAuthenticationHandler]>
2018-03-26 22:52:16,713 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - [[JcifsSpnegoAuthenticationHandler]]>
2018-03-26 22:52:16,713 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
2018-03-26 22:52:16,713 DEBUG [org.apereo.cas.authentication.DefaultPrincipalElectionStrategy] -
2018-03-26 22:52:16,713 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
2018-03-26 22:52:16,713 

[cas-user] Jira 7.8 CAS issues

2018-03-26 Thread Justin Andrews
Has anyone successfully used CAS with Jira 7.8? We've had CAS protecting our 
Jira instance from upgrade to upgrade, up to our current version running 
7.7.x, but something in 7.8 broke our proven configuration. I've tried the 
latest clients and modifying the config in various ways with not much luck. Just 
wondering if anyone has it working with 7.8; then I'll know whether to keep putting 
more time into it or not. Thanks!

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/53e73d23-a55a-418e-9148-41c41fe1573e%40apereo.org.


[cas-user] Re: Spnego ERROR on CAS 5.2.0

2018-03-26 Thread Ss Zz

> This error happens, because SPNEGO is not configured properly.

These minimum parameters are set in my cas.properties:

cas.authn.spnego.jcifsDomain=domen.com
cas.authn.spnego.jcifsDomainController=domen.com
cas.authn.spnego.jcifsServicePassword=X
cas.authn.spnego.jcifsServicePrincipal=HTTP/xxx...@domen.com
cas.authn.spnego.jcifsUsername=XXX
cas.authn.spnego.jcifsPassword=XXX
cas.authn.spnego.kerberosConf=D:\\applications\\buap-services\\cas\\webapps\\cas\\WEB-INF\\classes\\krb.conf
cas.authn.spnego.kerberosDebug=true
cas.authn.spnego.kerberosKdc=kdcserver.domen.com
cas.authn.spnego.kerberosRealm=domen.com
cas.authn.spnego.loginConf=file:/D:/applications/buap-services/cas/webapps/cas/WEB-INF/classes/login.conf
cas.authn.spnego.mixedModeAuthentication=false
cas.authn.spnego.ntlm=false
cas.authn.spnego.ntlmAllowed=true
cas.authn.spnego.principalWithDomainName=false
cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
cas.authn.spnego.timeout=30 


Also you should set LDAP properties for SPNEGO :
... 
cas.authn.spnego.ldap.ldapUrl=ldap://some_server.domen.com
cas.authn.spnego.ldap.baseDn=DC=XX,DC=net
cas.authn.spnego.ldap.userFilter=(uid={user})
cas.authn.spnego.ldap.bindDn=CN=X,OU=Local,OU=Service 
Accounts,OU=Users,OU=Enterprise,DC=XXX,DC=net
cas.authn.spnego.ldap.bindCredential=X
cas.authn.spnego.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.spnego.ldap.connectTimeout=5000
cas.authn.spnego.ldap.useStartTls=false
...


Also, if you are using AES 256 then you need to replace the policy files in your 
Java 8:
C:\Program Files\Java\jre1.8.0_111\lib\security
local_policy.jar
US_export_policy.jar

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3be15c5f-e250-4df4-8be3-a74d0fd95888%40apereo.org.


[cas-user] SPNEGO \ LDAP \ KERBEROS and CAS 5.2 - 'map[[empty]]' error

2018-03-26 Thread Ss Zz
When I access the /cas/login page CAS works successfully; it identifies the 
user automatically.

But when I access the application (CAS client https://some-apps.domen.com) a 
500 error happens:
https://cas01-test.apps.domen.com/cas/login?service=https%3A%2F%2Fsome-apps.domen.com

2018-03-26 17:46:57,211 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - 
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing [AnnotatedAction@38fcaa83 targetAction = 
[EvaluateAction@3f587030 expression = 
flowScope.service.getResponse(requestScope.serviceTicketId), 
resultExpression = requestScope.response], attributes = map[[empty]]] in 
state 'redirect' of flow 'login' -- action execution attributes were 
'map[[empty]]'
..
Caused by: org.springframework.binding.expression.EvaluationException: An 
ELException occurred getting the value for expression 
'flowScope.service.getResponse(requestScope.serviceTicketId)' on context 
[class org.springframework.webflow.engine.impl.RequestControlContextImpl]

... 133 more
Caused by: org.springframework.expression.spel.SpelEvaluationException: 
EL1004E: Method call: Method getResponse(java.lang.String) cannot be found 
on org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl 
type

... 133 more
2018-03-26 17:46:57,211 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - 
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing [AnnotatedAction@38fcaa83 targetAction = 
[EvaluateAction@3f587030 expression = 
flowScope.service.getResponse(requestScope.serviceTicketId), 
resultExpression = requestScope.response], attributes = map[[empty]]] in 
state 'redirect' of flow 'login' -- action execution attributes were 
'map[[empty]]'



Could you please advise how to fix it?



MY CONFIGURATION:
1. I added this into pom.xml to use the Maven overlay to build cas.war:

<!-- TO ENABLE SPNEGO IN CAS -->
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-spnego-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>
<!-- TO ENABLE JSON REGISTRY TO BE ABLE TO GRANT ACCESS FOR CAS CLIENTS (some applications) -->
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>

2. my cas.properties
cas.server.name=https://cas01-test.apps.domen.com
cas.server.prefix=https://cas01-test.apps.domen.com/cas
server.context-path=/cas
server.port=8443

server.max-http-header-size=2097152
server.max-http-post-size=2097152
server.use-forward-headers=true
   
server.tomcat.basedir=build/tomcat
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
server.tomcat.accesslog.suffix=.log
server.tomcat.max-threads=5
server.tomcat.port-header=X-Forwarded-Port
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.protocol-header-https-value=https
server.tomcat.remote-ip-header=X-FORWARDED-FOR
server.tomcat.uri-encoding=UTF-8
server.error.include-stacktrace=ALWAYS

spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
spring.http.encoding.force=true

endpoints.enabled=true
endpoints.sensitive=true
management.context-path=/status
endpoints.restart.enabled=false
endpoints.shutdown.enabled=false


##
# CAS Web Application Session Configuration
#
server.session.timeout=300
server.session.cookie.http-only=false
server.session.tracking-modes=COOKIE
server.session.trackingModes=COOKIE

##
# CAS Thymeleaf View Configuration
#
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.cache=false
spring.thymeleaf.mode=HTML
##
# CAS Log4j Configuration
#
# logging.config=file:/etc/cas/log4j2.xml
server.context-parameters.isLog4jAutoInitializationDisabled=true

##
# CAS AspectJ Configuration
#
spring.aop.auto=true
spring.aop.proxy-target-class=true

##
# CAS Authentication Credentials
#
# cas.authn.accept.users=
logging.level.org.apereo=DEBUG

#CAS JSON REGISTRY
cas.serviceRegistry.json.location=file:/D:/applications/buap-services/cas/webapps/cas/WEB-INF/classes/services

#CAS WEBFLOW
cas.webflow.autoconfigure=true
#cas.webflow.alwaysPauseRedirect=false
#cas.webflow.refresh=true
#cas.webflow.redirectSameState=false

#CAS SPNEGO ATTRIBUTES

#cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
#cas.authn.spnego.dnsTimeout=2000
#cas.authn.spnego.hostNamePatternString=.+
#cas.authn.spnego.ipsToCheckPattern=10.+
#cas.authn.spnego.jcifsNetbiosWins=
cas.authn.spnego.principal.principalAttribute=uid
#cas.authn.spnego.principal.returnNull=false
cas.authn.spnego.spnegoAttributeName=uid
#cas.authn.spnego.useSubjectCredsOnly=false
cas.authn.spnego.cachePolicy=600
#cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.hostNameClientActionStrategy=ldapSpnegoClientAction
cas.authn.spnego.jcifsDomain=domen.com
cas.authn.spnego.jcifsDomainController=domen.com
cas.authn.spnego.jcifsServicePassword=X
cas.authn.spnego.jcifsServicePrincipal=HTTP/xxx...@domen.com
cas.authn.spnego.jcifsUsername=XXX
cas.authn.spnego.jcifsPassword=XXX
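Several settings in the cas.properties above are the kind a reviewer flags before a server goes to production: server.session.cookie.http-only=false lets page scripts read the CAS session cookie, server.error.include-stacktrace=ALWAYS sends stack traces to clients, cas.authn.spnego.kerberosDebug=true is troubleshooting output, and the bind/service passwords sit in the file in plaintext. As an added example (not part of this post or of CAS), the Python script below parses a constructed cas.properties excerpt built from those lines and reports such findings. The check list and the {cipher} prefix test (CAS's Spring-Cloud-style encrypted property values) are assumptions about what a given deployment considers acceptable.

```python
"""Audit a CAS cas.properties file for settings a reviewer would flag (added example; not CAS code)."""
import re

# Constructed excerpt modelled on the properties shown in the post above.
SAMPLE_PROPERTIES = """
# CAS Web Application Session Configuration
server.session.cookie.http-only=false
server.error.include-stacktrace=ALWAYS
endpoints.enabled=true
endpoints.sensitive=true
cas.authn.spnego.kerberosDebug=true
cas.authn.spnego.jcifsPassword=XXX
cas.webflow.autoconfigure=true
"""

# (key regex, predicate that returns True when the value is acceptable, finding text)
CHECKS = [
    (r"^server\.session\.cookie\.http-only$", lambda v: v.lower() == "true",
     "session cookie readable by JavaScript; an XSS bug can steal the CAS session"),
    (r"^server\.error\.include-stacktrace$", lambda v: v.upper() == "NEVER",
     "stack traces are returned to clients on errors"),
    (r"^cas\.authn\.spnego\.kerberosDebug$", lambda v: v.lower() == "false",
     "Kerberos debug output is verbose and belongs only in troubleshooting"),
    (r"^endpoints\.sensitive$", lambda v: v.lower() == "true",
     "actuator endpoints exposed without authentication"),
]
# Keys whose value is a secret; the suffix list is an assumption.
SECRET_KEY_RE = re.compile(r"(password|credential|secret)$", re.IGNORECASE)


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return (key, shown_value, finding) tuples for every property that fails a check."""
    findings = []
    for key, value in parse_properties(text).items():
        for pattern, acceptable, finding in CHECKS:
            if re.match(pattern, key) and not acceptable(value):
                findings.append((key, value, finding))
        # Plaintext secrets: anything not wrapped as a {cipher} value (assumption: that
        # is the encrypted form this deployment uses) is reported, value redacted.
        if SECRET_KEY_RE.search(key) and value and not value.startswith("{cipher}"):
            findings.append((key, "<redacted>", "secret stored in plaintext in cas.properties"))
    return findings


if __name__ == "__main__":
    for key, value, finding in audit(SAMPLE_PROPERTIES):
        print(f"{key}={value}: {finding}")
```

Run it against the real file with `audit(open("/etc/cas/config/cas.properties").read())`; the constructed excerpt produces four findings and leaves endpoints.sensitive=true alone.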

[cas-user] Send reset password email in html instead of plain text

2018-03-26 Thread Marc Maurice
Hello all,

We need to send the reset password email in html instead of plain text 
(marketing demands).

Looking at the source code it seems simple. It's just a matter of adding a 
"true" parameter to tell spring that the email is in html :

https://github.com/apereo/cas/blob/5.2.x/core/cas-server-core-util/src/main/java/org/apereo/cas/util/io/CommunicationsManager.java#L102

https://docs.spring.io/spring/docs/3.0.0.M3/reference/html/ch26s03.html

Do you know any simple way to patch the CAS server core using the overlay 
approach? Or do we have to compile the entire stack?

We really would like to keep the overlay system, in order to ease future 
updates.

Thanks in advance,
Marc

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/02164d28-5769-4cde-9ac2-6e0f2bb18a00%40apereo.org.


Re: [cas-user] CAS 5.2 delegate authentication to custom CAS 3

2018-03-26 Thread Diego Henrique Pagani
I've already read that but it doesn't explain how it works.
I saw in the CAS properties four parameters that I've set to several values, and
nothing changes.

In other versions, we had to (I found it at
https://wiki.jasig.org/download/attachments/48596744/How+to+Trust+Another+CAS+Server.pdf?version=1=1321479461428
but
it's from 2011):

1. Set the trusted authentication handler
2. Modify the Spring Webflow login
3. Use CAS "gateway" mode

My SSO session is working: I can log in on CAS3 and it gets back to my
applications (using CAS5 as a bridge). My problem is to set CAS5 to ignore
the login page and go directly to CAS3.





On Thu, 22 Mar 2018 at 18:18, Man H  wrote:

> see
> https://apereo.github.io/cas/5.2.x/installation/Trusted-Authentication.html
>
> 2018-03-22 17:52 GMT-03:00 Diego Henrique Pagani :
>
>> Hello,
>>
>> I have a problem, guys:
>> We have a legacy CAS3, which has some customizations inside the source
>> code, and some applications that *only authenticate* with this specific
>> CAS (let's call it app1).
>> Recently, I configured a new CAS5, and some applications (let's call them app2)
>> using the OAuth2 protocol to communicate with CAS5, and everything is working
>> fine, until now.
>>
>> We need an SSO session between app1 and app2, but app1 only uses CAS3 and
>> app2 only uses CAS5. So, I have configured CAS5 to delegate authentication
>> to CAS3,
>> which is working, but I have to click on the login screen to redirect to
>> CAS3. Is it possible to redirect to CAS3 directly?
>>
>>
>>
>>
>>
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6865a0ec-5190-4eca-beb3-929d3ab4f9fd%40apereo.org
>>
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5mifnk8%2B2m%2Bt_subG_XXGj_rddzRzdwNkQAzcx7C-9SPjHg%40mail.gmail.com
>
-- 
Diego Henrique Pagani

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALwCSESy4xx7CAeY59j8voEKThxLTGfM3F9CznFuzeVtA1cdZg%40mail.gmail.com.


[cas-user] Re: Service Ticket - intermittent memcached deserialization error in cas overlay template in 5.1.3

2018-03-26 Thread santosh sah
Did you get the solution? Please post it; I am also getting the same issue with 
memcached.

On Friday, September 8, 2017 at 4:06:00 AM UTC+5:45, bobsan...@gmail.com 
wrote:
>
> Hi, all.
>
> I've been prototyping and learning Apereo CAS 5.1.3, using the Cas Overlay 
> Template.
>
> I am able to get it set up so I can run an instance on my workstation, and 
> hit https://localhost:8443/cas/login and authenticate.  Then, I'm able to 
> hit https://localhost:8443/cas/status/dashboard to see the CAS Dashboard 
> app.  That was using the default in-memory token store.
>
> Then I tried to change the token store to memcached, and started getting 
> intermittent errors.  I've been trying to debug it, and am at the point 
> where I need help.
>
> Basically, the ST token gets written OK to the memcached client I'm using 
> (I can see it in the memcached console, and in the debugger it successfully 
> gets through the MemCacheTicketRegistry method addTicket, including the 'sanity 
> check' that reads back that cache entity).
>
> However - the next call to getTicket for the ST token fails.  The raw 
> memcached retrieve works - it's the Kryo based deserialization that fails.  
> It gets to the lastTimeUsed field when deserializing to ServiceTicketImpl, 
> and gets this exception (this is just the deepest section):
>
> Caused by: java.time.DateTimeException: Invalid ID for region-based 
> ZoneId, invalid format: ST-1-ekjABqJkYU9gJdlkLxHd-DL-GB46TC2
> at java.time.ZoneRegion.checkName(ZoneRegion.java:151) 
> ~[?:1.8.0_131]
> at java.time.ZoneRegion.ofId(ZoneRegion.java:116) ~[?:1.8.0_131]
> at java.time.ZoneId.of(ZoneId.java:411) ~[?:1.8.0_131]
> at java.time.ZoneId.of(ZoneId.java:359) ~[?:1.8.0_131]
> at 
> org.apereo.cas.ticket.registry.support.kryo.serial.ZonedDateTimeTranscoder.read(ZonedDateTimeTranscoder.java:26)
>  
> ~[cas-server-support-memcached-ticket-registry-5.1.3.jar!/:5.1.3]
> at 
> org.apereo.cas.ticket.registry.support.kryo.serial.ZonedDateTimeTranscoder.read(ZonedDateTimeTranscoder.java:16)
>  
> ~[cas-server-support-memcached-ticket-registry-5.1.3.jar!/:5.1.3]
> at com.esotericsoftware.kryo.Kryo.readObjectOrNull(Kryo.java:789) 
> ~[kryo-4.0.0.jar!/:?]
> at 
> com.esotericsoftware.kryo.serializers.ObjectField.read(ObjectField.java:132) 
> ~[kryo-4.0.0.jar!/:?]
> at 
> com.esotericsoftware.kryo.serializers.FieldSerializer.read(FieldSerializer.java:540)
>  
> ~[kryo-4.0.0.jar!/:?]
> at 
> com.esotericsoftware.kryo.Kryo.readClassAndObject(Kryo.java:816) 
> ~[kryo-4.0.0.jar!/:?]
> at 
> org.apereo.cas.ticket.registry.support.kryo.KryoTranscoder.decode(KryoTranscoder.java:187)
>  
> ~[cas-server-support-memcached-ticket-registry-5.1.3.jar!/:5.1.3]
> at 
> net.spy.memcached.transcoders.TranscodeService$1.call(TranscodeService.java:63)
>  
> ~[spymemcached-2.12.1.jar!/:2.12.1]
> at java.util.concurrent.FutureTask.run(FutureTask.java:266) 
> ~[?:1.8.0_131]
> at 
> net.spy.memcached.transcoders.TranscodeService$Task.run(TranscodeService.java:110)
>  
> ~[spymemcached-2.12.1.jar!/:2.12.1]
> at 
> net.spy.memcached.transcoders.TranscodeService$Task.get(TranscodeService.java:96)
>  
> ~[spymemcached-2.12.1.jar!/:2.12.1]
> at net.spy.memcached.internal.GetFuture.get(GetFuture.java:70) 
> ~[spymemcached-2.12.1.jar!/:2.12.1]
> at 
> net.spy.memcached.MemcachedClient.get(MemcachedClient.java:1229) 
> ~[spymemcached-2.12.1.jar!/:2.12.1]
> ... 121 more
>
> You can see that for some reason, when trying to get the time zone (in 
> ZonedDateTimeTranscoder, line 26) it doesn't find a 'Z' (which it did on 
> the initial, successful sanity check read), but seems to find the token ID 
> instead.
>
> If I log out from the CAS console, and then log in again, I don't see any 
> further exceptions.
>
> So - after starting up CAS, the SECOND cache read fails consistently - but 
> that's the only one.
>
> Any ideas?
>
> Should I report this as a bug, or wait and see if anyone here has any 
> ideas?
>
>
> How to replicate:
> 1. Start with a fresh clone 
> of ssh://git@bitbucket/sand/cas-server-overlay.git
>
> 2. Set it up to be able to run the console and the dashboard.  (These are 
> an attempt at a minimal change to the repo to reproduce the problem)
>
> 2a. create etc\cas\config\services\HTTPSandIMAPS-1001.json with 
> contents:
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https|imaps)://.*",
>   "name" : "HTTPS and IMAPS",
>   "id" : 1001,
>   "description" : "This service definition authorizes all application urls 
> that support HTTPS and IMAPS protocols.",
>   "evaluationOrder" : 1
> }
>
>
> 2b. create etc\cas\config\adminusers.properties with contents:
>
>
> casuser=notused,ROLE_ADMIN
>
>
> 2c. update etc\cas\config\cas.properties to look like this:
>
> cas.server.name=https://localhost:8443
> 

Re: [cas-user] pac4j SAML2Client and principal

2018-03-26 Thread Scott Koranda
Hi Jérôme,

The issue goes away with CAS version 5.2.3 and pac4j version 2.3.1.

Thanks,

Scott K

> Hi Jérôme,
> 
> I am using the JSON service registry. The service is registered as
> 
> {
> "@class" : "org.apereo.cas.services.RegexRegisteredService",
> "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
> "name" : "testClient01",
> "id" : 1,
> "evaluationOrder" : 10,
> "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
> },
> "usernameAttributeProvider" : {
> "@class" : 
> "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
> "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
> "canonicalizationMode" : "NONE"
> }
> }
> 
> So I believe the correct attribute release policy is in place to release all
> attributes to the service.
> 
> The CAS log file contains this WARN message:
> 
> 2018-03-24 10:02:59,411 WARN 
> [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] 
> -  [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==]
>  does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] among 
> attributes [{}] so CAS cannot provide the user attribute the service expects. 
> CAS will instead return the default principal id 
> [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==].
>  Ensure the attribute selected as the username is allowed to be released by 
> the service attribute release policy.>
> 
> So CAS thinks there is no attribute  "urn:oid:0.9.2342.19200300.100.1.1" but 
> earlier in the log file pac4j logs
> 
> 2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] -  #SAML2Profile# | id: 
> AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA== | attributes: 
> {urn:oid:0.9.2342.19200300.100.1.3=[skoranda@gmail.com], mail=[skora...@gmail.com], 
> urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott], 
> urn:oid:2.5.4.42=[Scott], notBefore=2018-03-24T10:02:57.588Z, uid=[scott.koranda], 
> urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda], 
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.koranda@sphericalcowgroup.com], notOnOrAfter=2018-03-24T10:07:57.588Z, 
> eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com], urn:oid:2.5.4.4=[Koranda], sn=[Koranda], 
> sessionindex=_0572dab54bff96c199e29f058aae9302} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |>
> 
> where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
> be populated.
> 
> Am I missing something in my JSON service configuration?
> 
> Again this is for version 5.1.3.
> 
> Thanks,
> 
> Scott K
> 
> > Hi,
> > 
> > The behavior is to create the CAS principal and attributes from the pac4j
> > principal and attributes. So you should get the pac4j attributes at the end.
> > Ignore the log about the ClientCredential, the toString method just outputs
> > the id (not the attributes).
> > 
> > Is the service configured properly (with ReturnAllAttributeReleasePolicy
> > for example)?
> > 
> > Thanks.
> > Best regards,
> > Jérôme
> > 
> > 
> > On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda  wrote:
> > 
> > > Hi,
> > >
> > > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > > depending on the issue of which binding is being used for the
> > > , as detailed in an earlier note to this list).
> > >
> > > I am delegating authentication to a SAML2 IdP using pac4j.
> > >
> > > After a successful authentication I see in cas.log
> > >
> > > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
> > >  > > OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUh
> > > ElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E
> > > 8uqJp0pzRmivQ== |
> > > attributes:
> > > {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[
> > > skora...@gmail.com],
> > > urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott
> > > Koranda], givenName=[Scott],
> > > urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z,
> > > uid=[scott.koranda],
> > > urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> > > urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.kora...@sphericalcowgroup.com],
> > > notOnOrAfter=2018-03-22T14:49:45.460Z,
> > > eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com],
> > > urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> > > sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
> > > permissions: [] | isRemembered: false | clientName: null | linkedId:
> > > null |>
> > >
> > > Those are the values 

Re: [cas-user] build from source with additional modules

2018-03-26 Thread Scott Koranda
Hi,

> This is not the information you gave on first place.
> So try not to mislead answers.

Again, thank you for your time. I appreciate that this is a community
effort.

I do not believe I have provided misleading information. My first note
explained that I am building CAS from source following the instructions
at

https://apereo.github.io/cas/developer/Build-Process-5X.html

The instructions show how to build CAS from source using Gradle.

> Why do you want to use gradle if you were using maven?

I am using Maven with the overlay approach for production deployments.

For building from source in order to help debug an issue with pac4j SAML
in version 5.2 so that I may contribute back to the community I need to
build a war file that includes the pac4j and JSON service registry
functionality.

I would like additional details not provided at the link

https://apereo.github.io/cas/developer/Build-Process-5X.html

on how to do that.

I appreciate any insights that can be provided.

Thank you again,

Scott K

> 
> 
> On Sunday, 25 March 2018, Scott Koranda wrote:
> 
> > Hi,
> >
> > > Copy etc/cas/properties to /etc/cas/properties
> > > Add modules relevant properties to that.
> > > See
> > > https://apereo.github.io/cas/5.2.x/installation/
> > Configuration-Properties.html
> >
> > Thank you for your prompt reply, but this is not the information I need.
> >
> > I have a working and configured CAS deployment deployed using a standard
> > Maven overlay approach. It is already configured to use the JSON service
> > registry and pac4j modules. I did that by appropriately adding
> > dependencies in my pom.xml file and then adding appropriate
> > configurations to /etc/cas/config/cas.properties.
> >
> > Now I want to build CAS from source using gradle and use the same
> > configuration.
> >
> > I am able to build from source as I detailed in my last note, but the
> > war file I build does not have the JSON service registry or pac4j
> > modules included.
> >
> > I need a detailed explanation or example of how I modify a gradle
> > build.gradle file to include the JSON service registry or pac4j module
> > in the war file built from source.
> >
> > I would be grateful if someone could provide that information.
> >
> > Thank you for your time.
> >
> > Scott K
> >
> > --
> > - Website: https://apereo.github.io/cas
> > - Gitter Chatroom: https://gitter.im/apereo/cas
> > - List Guidelines: https://goo.gl/1VRrw7
> > - Contributions: https://goo.gl/mh7qDG
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to cas-user+unsubscr...@apereo.org.
> > To view this discussion on the web visit https://groups.google.com/a/
> > apereo.org/d/msgid/cas-user/20180325135942.t7n63gsdppotycnd%40paprika.
> > local.
> >
> 



Re: [cas-user] pac4j SAML2Client and principal

2018-03-26 Thread Scott Koranda
Hi Jérôme,

I am using the JSON service registry. The service is registered as

{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
"name" : "testClient01",
"id" : 1,
"evaluationOrder" : 10,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"usernameAttributeProvider" : {
"@class" : 
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
"canonicalizationMode" : "NONE"
}
}

So I believe the correct attribute release policy is in place to release all
attributes to the service.

The CAS log file contains this WARN message:

2018-03-24 10:02:59,411 WARN 
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - 


So CAS thinks there is no attribute  "urn:oid:0.9.2342.19200300.100.1.1" but 
earlier in the log file pac4j logs

2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - 

where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
be populated.

Am I missing something in my JSON service configuration?

Again this is for version 5.1.3.

Thanks,

Scott K

> Hi,
> 
> The behavior is to create the CAS principal and attributes from the pac4j
> principal and attributes. So you should get the pac4j attributes at the end.
> Ignore the log about the ClientCredential, the toString method just outputs
> the id (not the attributes).
> 
> Is the service configured properly (with ReturnAllAttributeReleasePolicy
> for example)?
> 
> Thanks.
> Best regards,
> Jérôme
> 
> 
> On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda  wrote:
> 
> > Hi,
> >
> > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > depending on the issue of which binding is being used for the
> > , as detailed in an earlier note to this list).
> >
> > I am delegating authentication to a SAML2 IdP using pac4j.
> >
> > After a successful authentication I see in cas.log
> >
> > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
> >  > OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUh
> > ElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E
> > 8uqJp0pzRmivQ== |
> > attributes:
> > {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[
> > skora...@gmail.com],
> > urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott
> > Koranda], givenName=[Scott],
> > urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z,
> > uid=[scott.koranda],
> > urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> > urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.kora...@sphericalcowgroup.com],
> > notOnOrAfter=2018-03-22T14:49:45.460Z,
> > eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com],
> > urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> > sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
> > permissions: [] | isRemembered: false | clientName: null | linkedId:
> > null |>
> >
> > Those are the values for NameID (transient) and attributes that I
> > expect.
> >
> > The next line in cas.log is
> >
> > 2018-03-22 14:44:46,402 INFO
> > [org.apereo.cas.authentication.AbstractAuthenticationManager] -
> >  > [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> > SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> > 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]
> > with attributes [{}] via credentials
> > [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=
> > AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> > SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> > 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].>
> >
> > So it appears that the NameID value (transient) is being used as the
> > principal, but none of the attributes are making it from the pac4j layer
> > into the CAS layer.
> >
> > Is that a correct assessment?
> >
> > If so, how can I
> >
> > a) change what value is used for the principal? I would like to use the
> > value from one of the asserted attributes.
> >
> > b) push the attributes into the CAS layer to make them available for
> > assertion downstream to the CAS client?
> >
> > I have reviewed the documentation for the Delegated/pac4j authentication at
> >
> > https://apereo.github.io/cas/5.1.x/integration/Delegate-
> > Authentication.html
> >
> > and that for Attribute Resolution at
> >
> > https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html
> >
> > but I am not able to find a configuration option that appears to tell
> > pac4j to push the attributes into the Authentication object.
> >
> > Thank you for your consideration.
> >
> > Scott K
> >
> >

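The WARN line Scott quotes describes a fixed decision: CAS looks up the configured usernameAttribute among the attributes the service's release policy lets through and, if it is not there, returns the default principal id (here the transient NameID). His log shows the principal arriving at the CAS layer with attributes [{}], so the lookup cannot succeed whatever the release policy says, which is why a policy change does not help; the later reply in this digest notes the problem is gone with CAS 5.2.3 and pac4j 2.3.1. The Python below is an added model of that decision written for this page, not code from CAS or pac4j (the real logic is in PrincipalAttributeRegisteredServiceUsernameProvider): it loads the service definition posted above (serviceId closing quote repaired), applies ReturnAll or ReturnAllowed release policies, and tells "no attributes reached CAS" apart from "attribute filtered by policy". The transient id and the attribute values are constructed stand-ins for the ones in the pac4j DEBUG line; the class names, the `["java.util.ArrayList", [...]]` list shape and the canonicalizationMode values are CAS's own.

```python
"""Model of the username decision behind the WARN line in this thread.
Added example, not CAS source: the real logic lives in
PrincipalAttributeRegisteredServiceUsernameProvider."""
import json
import logging

logger = logging.getLogger("cas-username-model")

# Service definition as posted in the thread (closing quote of serviceId repaired).
SERVICE_JSON = """
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
  "name" : "testClient01",
  "id" : 1,
  "evaluationOrder" : 10,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
    "canonicalizationMode" : "NONE"
  }
}
"""
SERVICE = json.loads(SERVICE_JSON)

# Constructed stand-ins for the pac4j DEBUG line: a transient NameID and a
# trimmed attribute map (mail values replaced with example.org).
TRANSIENT_ID = "AAdzZWNyZXQx-constructed-transient-nameid"
PAC4J_ATTRIBUTES = {
    "urn:oid:0.9.2342.19200300.100.1.1": ["scott.koranda"],
    "uid": ["scott.koranda"],
    "displayName": ["Scott Koranda"],
    "mail": ["user@example.org"],
}


def released_attributes(service, principal_attrs):
    """Apply the service's attributeReleasePolicy; ReturnAll and ReturnAllowed are modelled."""
    policy = service["attributeReleasePolicy"]
    cls = policy["@class"].rsplit(".", 1)[-1]
    if cls == "ReturnAllAttributeReleasePolicy":
        return dict(principal_attrs)
    if cls == "ReturnAllowedAttributeReleasePolicy":
        allowed = policy.get("allowedAttributes", [])
        # CAS writes lists as ["java.util.ArrayList", [...]]; accept that and a plain list.
        if len(allowed) == 2 and isinstance(allowed[1], list):
            allowed = allowed[1]
        return {k: v for k, v in principal_attrs.items() if k in allowed}
    raise ValueError("release policy not modelled here: " + cls)


def resolve_username(service, principal_id, principal_attrs):
    """Username handed to the service; falls back to principal_id exactly where CAS logs its WARN."""
    provider = service.get("usernameAttributeProvider") or {}
    if not provider.get("@class", "").endswith("PrincipalAttributeRegisteredServiceUsernameProvider"):
        return principal_id  # default provider: the principal id is used as-is
    wanted = provider["usernameAttribute"]
    released = released_attributes(service, principal_attrs)
    values = released.get(wanted) or []
    if isinstance(values, str):
        values = [values]
    if not values:
        logger.warning("[%s] does not have an attribute [%s] among attributes %s; "
                       "returning the default principal id", principal_id, wanted, sorted(released))
        return principal_id
    username = str(values[0])
    mode = provider.get("canonicalizationMode", "NONE")
    return {"UPPER": username.upper(), "LOWER": username.lower()}.get(mode, username)


def diagnose(service, principal_attrs):
    """Tell apart the causes of the fallback so the fix lands in the right layer."""
    wanted = service["usernameAttributeProvider"]["usernameAttribute"]
    if not principal_attrs:
        return "no attributes at the CAS layer: the pac4j profile attributes were not mapped"
    if wanted not in principal_attrs:
        return "attribute %s was never asserted by the IdP" % wanted
    if wanted not in released_attributes(service, principal_attrs):
        return "attribute %s is filtered out by the release policy" % wanted
    return "ok"


def with_allowed_attributes(service, names):
    """Copy of service whose release policy only lets through names (CAS's typed-list JSON shape)."""
    clone = json.loads(json.dumps(service))
    clone["attributeReleasePolicy"] = {
        "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes": ["java.util.ArrayList", list(names)],
    }
    return clone


if __name__ == "__main__":
    # What the thread saw: attributes [{}] reach CAS, so the transient id comes back.
    print(resolve_username(SERVICE, TRANSIENT_ID, {}), "|", diagnose(SERVICE, {}))
    # What the posted definition yields once the pac4j attributes are mapped.
    print(resolve_username(SERVICE, TRANSIENT_ID, PAC4J_ATTRIBUTES), "|", diagnose(SERVICE, PAC4J_ATTRIBUTES))
```

Running it with an empty attribute map reproduces the thread's symptom (the transient id is returned and the warning fires); with the mapped attributes the same service definition yields scott.koranda, which confirms the JSON itself was not the problem.
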
Re: [cas-user] CAS 5.2 delegate authentication to custom CAS 3

2018-03-26 Thread Diego Henrique Pagani
Hi, after I read the documentation on 'Delegate Authentication':
User Interface

All available clients are automatically displayed on the login page as
clickable buttons. CAS does allow options for auto-redirection of the
authentication flow to a provider, if only there is a single provider
available and configured.

I've removed all the authentication methods and
set cas.authn.pac4j.autoRedirect=true and everything works fine.


Thanks

On Fri, 23 Mar 2018 at 10:31, Diego Henrique Pagani <
dhpag...@gmail.com> wrote:

> I've already read that but it doesn't explain how it works.
> I saw on cas properties four parameters that I've set to several values
> and nothing changes.
>
> In other versions, we have to (I found it on
> https://wiki.jasig.org/download/attachments/48596744/How+to+Trust+Another+CAS+Server.pdf?version=1=1321479461428
>  but
> it's from 2011) :
>
> 1 . Set the trusted authentication handler
> 2. Modify the spring webflow login
> 3. The use of CAS "gateway" mode
>
> My SSO session is working, I can login on CAS3 and it gets back to my
> applications (using CAS5 as a bridge). My problem is to set CAS5 to ignore
> the login page and go directly to CAS3.
>
>
>
>
>
> On Thu, 22 Mar 2018 at 18:18, Man H wrote:
>
>> see
>> https://apereo.github.io/cas/5.2.x/installation/Trusted-Authentication.html
>>
>> 2018-03-22 17:52 GMT-03:00 Diego Henrique Pagani :
>>
>>> Hello,
>>>
>>> I have a problem guys:
>>> We have a legacy CAS3, which has some customizations inside the source
>>> code and some applications that *only authenticate* with this specific
>>> CAS (Let's call it app1).
>>> Recently, I configured a new CAS5, some applications (Let's call them app2)
>>> using the OAuth2 protocol to communicate with CAS5 and everything is working
>>> fine, until now.
>>>
>>> We need an SSO session between app1 and app2, but app1 only uses CAS3 and
>>> app2 only uses CAS5. So, I have configured CAS5 to delegate authentication
>>> to CAS3,
>>> which is working but I have to click on the login screen to redirect to
>>> CAS3. Is it possible to redirect to CAS3 directly?
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
> --
> Diego Henrique Pagani
>
-- 
Diego Henrique Pagani



[cas-user] Re: certificates

2018-03-26 Thread Matthew Uribe
It's my understanding that these settings have to do with the embedded 
Tomcat container:

# By default and if you remove this setting, CAS runs on port 8080
server.port=8443

# To disable SSL configuration, comment out the following settings or set to blank values.
server.ssl.keyStore=file:/etc/cas/thekeystore
server.ssl.keyStorePassword=changeit
server.ssl.keyPassword=changeit
# server.ssl.ciphers=
# server.ssl.clientAuth=
# server.ssl.enabled=
# server.ssl.keyAlias=
# server.ssl.keyStoreProvider=
# server.ssl.keyStoreType=
# server.ssl.protocol=
# server.ssl.trustStore=
# server.ssl.trustStorePassword=
# server.ssl.trustStoreProvider=
# server.ssl.trustStoreType=

server.maxHttpHeaderSize=2097152
server.useForwardHeaders=true
server.connectionTimeout=2


If you're running CAS in a standalone container, such as Tomcat, you can 
omit these properties from your cas.properties file. That's been my 
experience anyway.

On Friday, March 23, 2018 at 7:17:06 PM UTC-6, Chris Cheltenham wrote:
>
> Hello Everyone,
>
> Are we to create a certificate XX.der configured in cas.properties 
> separate from the tomcat or jetty keystore?
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571 
>
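
The server.ssl.* keys above bind the embedded Tomcat connector's TLS; the values a reviewer stops at are the placeholder `changeit` passwords from the template and `server.useForwardHeaders=true`, which makes Tomcat trust X-Forwarded-* headers from whoever connects to it. As an added example (not from this thread or the CAS project), the Python below parses a cas.properties file and flags those settings. The sample file is constructed from the snippet above, the property names are the ones shown there, and the severity labels are my own assumptions.

```python
"""Review the embedded-container TLS settings in a CAS cas.properties file.
Added example for this thread, not CAS project code."""
import re

# Constructed sample mirroring the snippet quoted in the thread (wrapped comment repaired).
SAMPLE_PROPERTIES = """\
# By default and if you remove this setting, CAS runs on port 8080
server.port=8443

# To disable SSL configuration, comment out the following settings or set to blank values.
server.ssl.keyStore=file:/etc/cas/thekeystore
server.ssl.keyStorePassword=changeit
server.ssl.keyPassword=changeit
# server.ssl.ciphers=
# server.ssl.protocol=

server.maxHttpHeaderSize=2097152
server.useForwardHeaders=true
server.connectionTimeout=2
"""

# Placeholder passwords seen in JDK and CAS templates (assumption: never acceptable in production).
PLACEHOLDER_PASSWORDS = {"", "changeit", "password"}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_tls(props):
    """Return (severity, property, message) findings; an empty list means nothing to flag."""
    findings = []
    enabled = props.get("server.ssl.enabled", "true").lower() != "false"
    keystore = props.get("server.ssl.keyStore", "")
    if not enabled or not keystore:
        findings.append(("HIGH", "server.ssl.keyStore",
                         "embedded container serves plain HTTP; acceptable only behind a TLS-terminating proxy"))
    for key in ("server.ssl.keyStorePassword", "server.ssl.keyPassword"):
        if key in props and props[key] in PLACEHOLDER_PASSWORDS:
            findings.append(("HIGH", key, "placeholder value %r" % props[key]))
    if props.get("server.useForwardHeaders", "").lower() == "true":
        findings.append(("MEDIUM", "server.useForwardHeaders",
                         "X-Forwarded-* headers are trusted; safe only if a proxy in front overwrites them"))
    if enabled and keystore and "server.ssl.protocol" not in props:
        findings.append(("LOW", "server.ssl.protocol", "not pinned; the container default applies"))
    return findings


if __name__ == "__main__":
    for severity, prop, message in audit_tls(parse_properties(SAMPLE_PROPERTIES)):
        print("%-6s %-32s %s" % (severity, prop, message))
```

Point it at /etc/cas/config/cas.properties for a real deployment. When CAS runs in an external Tomcat, as Matthew notes these keys can be omitted, and the same review then belongs to the container's own connector configuration.
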



[cas-user] Connecting to Google Directory

2018-03-26 Thread yashwanth chowdary
Hi Team,

I need to find a user who is registered in Google Directory. I have the public 
key, private key and Google certificate. How do I connect to Google?
