[cas-user] Help using {cipher} encrypted parameters in a standalone CAS 5.2.3 configuration

2018-05-08 Thread Mark Klinchin
Hi there,

I run CAS 5.2.3 as a standalone web application war in the Tomcat container. I am trying to configure the {cipher} option to encrypt passwords in the configuration files.

First, I added the following properties to the CAS configuration, with no {cipher} on any of the fields:

cas.standalone.config.security.psw=SomePassword
cas.standalone.config.security.alg=PBEWithMD5AndTripleDES

The CAS log produces the following output, which looks like everything is fine: CAS works in standalone mode and reads the password and the algorithm correctly.

2018-05-08 17:38:39,791 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] -
2018-05-08 17:38:41,171 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] -
2018-05-08 17:38:41,173 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] -
2018-05-08 17:38:41,174 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] -
2018-05-08 17:38:41,406 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] -
2018-05-08 17:38:41,407 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] -
2018-05-08 17:38:41,415 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] -
2018-05-08 17:38:41,430 INFO [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] -
2018-05-08 17:38:41,438 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] -
2018-05-08 17:38:41,439 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] -
2018-05-08 17:38:41,442 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] -
2018-05-08 17:38:41,483 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] -

However, as soon as I add an encrypted value to one of the fields, like this one:

cas.authn.ldap[1].bindCredential={cipher}EncryptedPassword

CAS produces the following exception immediately at startup, without the CasConfigurationJasyptDecryptor initialization that appeared when no {cipher} fields were present.

It seems that CAS is trying to decrypt the ciphered field before initializing the decryptor.

2018-05-08 17:47:02,231 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] -
2018-05-08 17:47:03,565 ERROR [org.springframework.boot.SpringApplication] -
java.lang.IllegalStateException: Cannot decrypt: key=cas.authn.ldap[1].bindCredential
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListener.java:370) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:567) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:338) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:301) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:154) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:134) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:87) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:169) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5196) ~[catalina.jar:8.5.15]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[catalina.jar:8.5.15]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752) ~[catalina.jar:8.5.15]
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728) ~[catalina.jar:8.5.15]
    at org.apache.catalina.core.StandardHost.addChild(Stan

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
Does the vendor require you to configure your IdP (CAS server) to obtain
the metadata from them dynamically? Or could you:

   1. Use curl to grab a copy of their metadata from
   https://vendor.com/metadata
   2. Edit the metadata yourself and get rid of the "validUntil" attribute
   3. Put the edited metadata on the CAS server somewhere (e.g.,
   /etc/cas/saml/sp-metadata/vendor.xml) and make sure it has the right
   owner/permissions so CAS can read it
   4. Change the "metadataLocation" field in your service registry entry to
   point at the file instead of the vendor's URL

Should work...

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, May 8, 2018 at 3:01 PM, John D Giotta  wrote:

> We're the identity provider and the vendor is the service provider.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XANQ8HduJbiC%3DJXz1PhMQ-_OL3bc601popa0q%2BM%2BSVerpA%40mail.gmail.com.
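The four steps above, worked as an added Python example (this is not code from the thread or from CAS): it parses a constructed copy of the vendor's SP metadata, reports whether its validUntil has already passed (the "has not expired" warning seen in the logs), strips validUntil from the EntityDescriptor and, going one step further than the steps, from any role descriptor too, and writes the result with owner/group-only permissions. The sample metadata, the output path and the metadataLocation value are assumptions; fetching with curl stays as in step 1.

```python
"""Make a static local copy of an SP's SAML metadata without its validUntil.

Added example, not part of the thread. The metadata below is constructed
around the entityID seen in the thread; the file path is an assumption.
"""
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the md: prefix on output

# Constructed sample of what `curl https://vendor.com/metadata` might return,
# carrying the expired validUntil value quoted later in the thread.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vendor-site.com/Pages/Auth/Login.aspx"
    validUntil="2018-05-03T20:29:06Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2018-05-03T20:29:06Z (UTC assumed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def metadata_expired(xml_bytes: bytes, now_iso: Optional[str] = None) -> bool:
    """True if any element carries a validUntil that is already in the past.

    `now_iso` pins the clock (useful for tests); default is the real UTC time.
    Metadata without validUntil never expires by this rule, which is exactly
    what the static local copy relies on.
    """
    now = parse_saml_time(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    for elem in root.iter():
        stamp = elem.get("validUntil")
        if stamp is not None and parse_saml_time(stamp) <= now:
            return True
    return False


def strip_valid_until(xml_bytes: bytes) -> bytes:
    """Return the metadata with validUntil removed from every element.

    The thread only mentions the EntityDescriptor; role descriptors may carry
    validUntil as well, so this removes it from all elements (an addition here).
    """
    root = ET.fromstring(xml_bytes)
    for elem in root.iter():
        elem.attrib.pop("validUntil", None)
    return ET.tostring(root, encoding="utf-8")


def install_metadata(xml_bytes: bytes, path: str, mode: int = 0o640) -> int:
    """Write the edited metadata so only the owner and group can read it.

    Returns the number of bytes written. Ownership (chown to the CAS user)
    is left to the deployer, as step 3 says.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as fh:
        return fh.write(xml_bytes)


if __name__ == "__main__":
    # Step 2 (inspect and edit) and step 3 (drop the file in place).
    print("expired:", metadata_expired(SAMPLE_METADATA))
    cleaned = strip_valid_until(SAMPLE_METADATA)
    # Assumed path; the service's metadataLocation should then point here.
    target = "/tmp/vendor.xml"
    print("wrote", install_metadata(cleaned, target), "bytes to", target)
```

Point the registry entry's metadataLocation at the file (e.g. file:/etc/cas/saml/sp-metadata/vendor.xml). Because the copy no longer expires on its own, re-run this against a fresh curl of the vendor URL on a schedule so a certificate rotation at the SP is not missed.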


Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
We're the identity provider and the vendor is the service provider.



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
Just to make sure your terminology is right:

   - The Service Provider is the service that you, as a user, want to use.
   For example, here at The New School we have Adobe Creative Cloud, Tableau,
   Workday, Zoom, etc. as SPs.
   - The Identity Provider (IdP) is the system that the user authenticates
   against.  The IdP is connected to our Active Directory, and prompts users
   for their usernames and passwords (and, perhaps, Duo MFA). It returns
   success/failure to the SP that called it, along with (perhaps) user
   attributes like name, email address, etc.

So if I go to https://newschool.workday.com (for example), that's the SP.
Workday redirects me to our CAS server (sso.newschool.edu -- the IdP),
where I enter my username and password, and then perform a Duo
authentication. CAS then sends "success" and some attributes back to
Workday, and I'm logged in.

So if the vendor you're trying to connect with is really the Identity
Provider, then I assume what you're wanting to happen is, when a user gets
redirected to your CAS server to authenticate, you want the CAS server to
consult with the vendor IdP instead of with your local LDAP (or whatever)
to authenticate the user. In that case, you don't want CAS to be an IdP,
you want to configure it for delegated authentication:

That's described here:
https://apereo.github.io/cas/development/integration/Delegate-Authentication.html

If, on the other hand, what you're expecting to happen is that when the
user is talking to the vendor's IdP you want the user to be sent to your
CAS server to authenticate instead of authenticating against whatever local
user database the IdP has, you need to configure the IdP to redirect to CAS
(usually as a CAS service). This is what we used to do with Shibboleth in
the CAS 3.x days, for example, to let CAS "support" SAML2 SPs. But how you
do that is IdP-dependent, and you'll probably need to talk to your vendor
for help.

Does that clarify anything for you?




--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, May 8, 2018 at 2:29 PM, John D Giotta  wrote:

> Ok, this is just a guess here, but the vendor I'm trying to implement CAS
> SAML with is an Identity Provider. Is it possible we've got this confused,
> because our metadata.xml is set up for SPSSODescriptor?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
Ok, this is just a guess here, but the vendor I'm trying to implement CAS SAML with is an Identity Provider. Is it possible we've got this confused, because our metadata.xml is set up for SPSSODescriptor?



[cas-user] .Net Cas client adding returns to ticket.

2018-05-08 Thread Stephen Meier
Good Morning,

We are trying to connect our custom application to PortalGuard, which is CAS 3 compliant.

It seems that the .NET CAS client that we are using (version 1.1) is injecting some white space into the ticket. Because of this, PortalGuard is not able to search its database for the CAS ticket.

Would anyone know how to remove the white space from the ticket?

Any help is greatly appreciated.



[cas-user] LDAP gradle-overlay setup not working

2018-05-08 Thread Spider Main
Hello, 

I generated a war file from cas-gradle-overlay and deployed it on Tomcat 9.
Default Username/Password authentication worked and now I'm trying to 
change it to LDAP but for some reason, am not able to see authentication 
with LDAP. Can anyone of you guys suggest what's going on? 

Below is the config for LDAP: 
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://xx:3268
cas.authn.ldap[0].connectionStrategy=
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=dc=ad,dc=,dc=com
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].bindCredential=ldap
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].validator.type=SEARCH
cas.authn.ldap[0].validator.baseDn=dc=ad,dc=xxx,dc=com
cas.authn.ldap[0].validator.attributeValues=top
cas.authn.ldap[0].validator.scope=SUBTREE
cas.authn.ldap[0].bindDn=cn=ldap user,ou=System Accounts,dc=ad,dc=xxx,dc=com

ldap.url=ldap://ldap.xxx.com:3268
ldap.useStartTLS=false
ldap.baseDn=dc=ad,dc=,dc=com
ldap.connectTimeout=3000
ldap.managerDn=cn=ldap user,ou=System Accounts,dc=ad,dc=xx,dc=com
ldap.managerPassword=ldap
ldap.authn.searchFilter=sAMAccountName={user}
ldap.domain=cxtec.com
ldap.allowMultipleDns=false

2018-05-08 13:53:38,070 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -

2018-05-08 13:53:38,074 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -


Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
I do not see it in the metadata from any of the SPs we have in production
here, so my guess would be probably not. But that's just a guess; I don't
pretend to be an authority on SAML.

--Dave




--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, May 8, 2018 at 1:36 PM, John D Giotta  wrote:

> Is that attribute required? Right now it is static.



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
Is that attribute required? Right now it is static.



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
This may be your problem, then?

validUntil="2018-05-03T20:29:06Z"

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, May 8, 2018 at 1:14 PM, Matthew Uribe wrote:

> What do you get back when you do a curl on https://link-to-metadata.com  ?
>
> On Tuesday, May 8, 2018 at 11:10:44 AM UTC-6, John D Giotta wrote:
>>
>> Looking at the logs more I did find these WARNs:
>>
>> 2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://vendor-site.com/Pages/Auth/Login.aspx] in metadata provider Ensure the metadata is valid and has not expired.>
>>
>> 2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - could be found for [https://vendor-site.com/Pages/Auth/Login.aspx]>
>>
>> The service is loaded, but metadata is wrong?
>>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
I get the XML output as expected.


https://vendor-site.com/Pages/Auth/Login.aspx";>

https://vendor-site.com/Pages/Auth/Login.aspx"; index="1" />






Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread Matthew Uribe
What do you get back when you do a curl on https://link-to-metadata.com  ?

On Tuesday, May 8, 2018 at 11:10:44 AM UTC-6, John D Giotta wrote:
>
> Looking at the logs more I did find these WARNs:
>
> 2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://vendor-site.com/Pages/Auth/Login.aspx] in metadata provider Ensure the metadata is valid and has not expired.>
>
> 2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - https://vendor-site.com/Pages/Auth/Login.aspx]>
>
> The service is loaded, but metadata is wrong?
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
Looking at the logs more I did find these WARNs:

2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://vendor-site.com/Pages/Auth/Login.aspx] in metadata provider Ensure the metadata is valid and has not expired.>

2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - https://vendor-site.com/Pages/Auth/Login.aspx]>


The service is loaded, but metadata is wrong? 



Re: [cas-user] Re: CAS not redirecting to service after successful authentication.

2018-05-08 Thread Ray Bon
Neha,

There may be other settings that need to be modified when switching from SAML11 
to CAS20. ST are being created but not validated. Your ASP.NET client is not 
configured correctly.

Ray

On Tue, 2018-05-08 at 03:56 -0700, Neha Gupta wrote:
Hello Andy,

Thanks for the reply.
I was also wondering about the TARGET in the URL, and I think it's because of the ticketValidatorName="Saml11" mentioned in the web.config file of the ASP.NET application; when I change the value of "ticketValidatorName" to Cas10 or Cas20 it does not work at all. Also please find attached traces of the same.

Hope this will help.


Regards
Neha Gupta




On Tuesday, May 8, 2018 at 3:40:21 AM UTC+2, Andy Ng wrote:
Hi Neha,

I would like to know from which documentation you learned about the parameter TARGET in "https://idiv-dev1:8443/cas/login?TARGET=http%3a%2f%2flocalhost%3a60397%2f"; I didn't see this parameter in the official documentation. Maybe it is something related to ASP.NET?

Anyway, the usual parameter for defining the service in CAS is "service", which means your URL should be "https://idiv-dev1:8443/cas/login?service=http%3a%2f%2flocalhost%3a60397%2f"

It is nice that you attached the debug log:
- I can see that the service is register successfully based on "", so your service registration 
is correct.

Regarding the part related to ASP.NET, I have no idea, so I would not comment on that. But I think since you can log in successfully, the ASP.NET part should be fine as is.

Cheers!
- Andy


On Monday, 7 May 2018 22:12:34 UTC+8, Neha Gupta wrote:
Dear All,

I am trying to integrate CAS with ASP.NET application.
Everything is working fine but CAS is not able to redirect to the destination 
service and showing its own logged in page.

Final URL is: - 
https://idiv-dev1:8443/cas/login?TARGET=http%3a%2f%2flocalhost%3a60397%2f

where in TARGET my service URL is defined, to which I want CAS to redirect.

The following configuration I have done in the "web.config" file:

<casClientConfig
    casServerLoginUrl="https://idiv-dev1:8443/cas/login"
    casServerUrlPrefix="https://idiv-dev1:8443/cas/"
    serverName="http://localhost:60397/"
    notAuthorizedUrl="~/NotAuthorized.aspx"
    redirectAfterValidation="true"
    renew="false"
    singleSignOut="true"
    ticketValidatorName="Saml11"
    serviceTicketManager="CacheServiceTicketManager"
    />

<authentication mode="Forms">
  <forms loginUrl="https://idiv-dev1:8443/cas/login" cookieless="UseCookies" />
</authentication>


Along with this configuration I have also added the below two lines in "FilterConfig.cs":

filters.Add(new System.Web.Mvc.AuthorizeAttribute());
filters.Add(new RequireHttpsAttribute());


Please let me know where the problem is, as I have no clue.

PS: I have registered the service with CAS, and the below service is also present, which authorizes all services to pass through CAS:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps|http)://.*",
  "name" : "Apereo",
  "theme" : "apereo",
  "id" : 1002,
  "description" : "Apereo foundation sample service",
  "evaluationOrder" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}




Regards
Neha Gupta



--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



[cas-user] CAS Training?

2018-05-08 Thread Keith Alston (Staff)
Anyone know of any organized CAS training? Just a good solid day or two with 
some fundamentals? Anyone know of anything??


Keith Alston
Regent University
IT Department
keit...@regent.edu
757.352.4081



[cas-user] Re: [WS Federation] Source/StaxSource error on Security Token Service Provider

2018-05-08 Thread Alin Tomoiaga
Dmitri, Misagh Moayyed (apereo developer) advised to stand up cas in debug 
mode and step through the code.
This sounds like a lot of moving pieces will need to be configured, but 
that is the only reply I managed to get. Just fyi.



[cas-user] Re: Problem integrating CAS 5.2.2 with WS Federation Identity Provider

2018-05-08 Thread Alin Tomoiaga
I got  a reply from one of the apereo developers and he did not rule out 
the possibility of a bug; advised I should stand up cas in debug mode which 
I will work on.



Re: [cas-user] CAS Scaling

2018-05-08 Thread Richard Frovarp
Yeah, but you still don't need to couple mod_auth_cas and CAS server on 
the same system one to one. They can be running in separate instances. 
It's likely easier to do so. Have your IdP (CAS Server) running on a 
different subdomain, so sso.example.com. Then scale your IdP and your 
application with mod_auth_cas independently.


For your "what I need", just load balance from NGINX directly to Tomcat. 
That will work just fine. Otherwise, you're turning HTTPD into a load 
balancer. In that case you need mod_proxy_balancer.


On 05/08/2018 02:35 AM, Ramakrishna G wrote:

In short my current setup is

1. We have 2 active CAS nodes installed on Apache Tomcat 8.0.
2. Each Tomcat is behind an Apache Webserver which does the proxy. *i.e. 
2 Tomcat & 2 Apache Webserver*

3. Both webserver are behind a load balancer(NGINX).

and what I need is

1. 2 active CAS nodes installed on Apache Tomcat 8.0.
2. Both tomcat behind a Single Apache webserver which does the proxy. 
*i.e 2 Tomcat & 1 Apache Webserver*

3. Single webserver behind a load balancer(NGINX)

*Note*: 2 active CAS nodes will increase. I have used 2 as reference 
number. Entire setup can scale either horizontally or vertically.




On Tue, May 8, 2018 at 12:02 PM, Ramakrishna G wrote:


 I have a requirement where I hit a url say www.abc.com/123
 which redirects to cas if not logged in,
generates tickets and then redirects to specified url. User is
unaware of CAS. Internally we are handling the request to forward
to CAS or specified url based on ticket. This is the reason I am
using Mod_Auth_CAS

Can you pls elaborate mod_proxy_balancer and how will it help my
requirement to meet?

Thanks in Advance
Ramakrishna G

On Mon, May 7, 2018 at 8:29 PM, Richard Frovarp wrote:

A bit confused as to why you need the IdP (CAS Server) and the
SP (mod_auth_cas) on every system. You don't need mod_auth_cas
to run the CAS Server. There is mod_proxy_balancer in HTTPD
which can do load balancing to multiple backends.


On 05/07/2018 09:13 AM, Ramakrishna G wrote:

Hello

I am running a load balancer (NGINX) which redirects the
request to mod_auth_cas (Apache) and its corresponding CAS
Server (Tomcat).

The drawback of the current approach I am using is

-> one Tomcat per Apache, which I want to remove. Also I
need to remove the multiple node connections.

Is there a way I can configure a single Apache to talk to
multiple Tomcats? In other words, a single mod_auth_cas will talk
to multiple CAS servers. How can I achieve it?

Note: I know it can be achieved by adding NGINX in between
Apache and Tomcat to make it work. But I am looking for a
cost-efficient approach that uses fewer nodes.

Thanks
Ramakrishna G






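Richard's second option, a single httpd in front of both Tomcat-hosted CAS nodes, spelled out as an added example. This is my illustration for the thread, not configuration taken from the thread or from the CAS project. sso.example.com is the name Richard suggests; the backend names cas1.internal and cas2.internal, port 8080, the certificate paths and the 10.0.0.0/8 admin range are assumptions.

```apache
# Added example (not from the thread): one httpd front end balancing two
# CAS server nodes with mod_proxy_balancer. mod_auth_cas is NOT loaded
# here; it belongs on the application's own web server, which just points
# CASLoginURL / CASValidateURL at https://sso.example.com/cas.
# Module paths follow the stock httpd 2.4 layout; adjust for your distro.
LoadModule ssl_module                modules/mod_ssl.so
LoadModule headers_module            modules/mod_headers.so
LoadModule proxy_module              modules/mod_proxy.so
LoadModule proxy_http_module         modules/mod_proxy_http.so
LoadModule proxy_balancer_module     modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module        modules/mod_slotmem_shm.so

<VirtualHost *:443>
    ServerName sso.example.com

    # TLS terminates here; the hops to Tomcat below are plain HTTP, so they
    # must stay on a trusted network segment (assumed hostnames/paths).
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/sso.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sso.example.com.key

    # Pin each browser to the node that first served it. The ROUTEID cookie
    # is set only when the balancer picks (or changes) a route; it carries
    # no secret, so Secure/HttpOnly are hygiene, not protection.
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED

    <Proxy "balancer://cas-cluster">
        BalancerMember "http://cas1.internal:8080" route=cas1
        BalancerMember "http://cas2.internal:8080" route=cas2
        ProxySet lbmethod=byrequests stickysession=ROUTEID
    </Proxy>

    # Keep the public Host header and tell Tomcat the client used HTTPS, so
    # CAS builds https://sso.example.com/... redirect and service URLs.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        "/cas" "balancer://cas-cluster/cas"
    ProxyPassReverse "/cas" "balancer://cas-cluster/cas"

    # balancer-manager can drain or re-point backends at runtime. Either
    # leave it out or restrict it to an admin range (assumed 10.0.0.0/8).
    <Location "/balancer-manager">
        SetHandler balancer-manager
        Require ip 10.0.0.0/8
    </Location>
</VirtualHost>
```

Two caveats the thread does not spell out. First, the ROUTEID cookie only keeps the browser on one node; the ticket validation that mod_auth_cas performs is a server-to-server call to /cas/serviceValidate and carries no browser cookie, so it can land on the other node. The two CAS nodes therefore still need a shared ticket registry rather than the default in-memory one, whichever balancer sits in front of them. Second, because TLS ends at httpd, Tomcat must honour the forwarded scheme (Tomcat's RemoteIpValve with protocolHeader="X-Forwarded-Proto", or scheme="https" on the connector); otherwise CAS will generate http:// URLs. For the NGINX-to-Tomcat option Richard prefers, the same two nodes simply become an nginx upstream and the httpd tier disappears; the registry and forwarded-scheme points apply there unchanged.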

Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
No, it's the "adminpages" stuff:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html

It's enabled solely in the CAS server; you don't need the management webapp.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, May 8, 2018 at 9:25 AM, John D Giotta wrote:

> Thanks, David. Is the dashboard the management overlay?
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
Thanks, David. Is the dashboard the management overlay?



Re: [cas-user] CAS Scaling

2018-05-08 Thread Ramakrishna G
 In short my current setup is

1. We have 2 active CAS nodes installed on Apache Tomcat 8.0.
2. Each Tomcat is behind an Apache web server which does the proxy. *i.e. 2
Tomcat & 2 Apache web servers*
3. Both web servers are behind a load balancer (NGINX).

and what I need is

1.  2 active CAS nodes installed on Apache Tomcat 8.0.
2.  Both Tomcats behind a single Apache web server which does the proxy. *
i.e. 2 Tomcat & 1 Apache web server*
3. Single web server behind a load balancer (NGINX)

*Note*: The 2 active CAS nodes will increase. I have used 2 as a reference
number. The entire setup can scale either horizontally or vertically.



On Tue, May 8, 2018 at 12:02 PM, Ramakrishna G wrote:

>  I have a requirement where I hit a URL, say www.abc.com/123, which
> redirects to CAS if not logged in, generates tickets and then redirects to
> the specified URL. The user is unaware of CAS. Internally we are handling the
> request to forward to CAS or the specified URL based on the ticket. This is the
> reason I am using mod_auth_cas.
>
> Can you please elaborate on mod_proxy_balancer and how it will help meet my
> requirement?
>
> Thanks in Advance
> Ramakrishna G
>
> On Mon, May 7, 2018 at 8:29 PM, Richard Frovarp wrote:
>
>> A bit confused as to why you need the IdP (CAS Server) and the SP
>> (mod_auth_cas) on every system. You don't need mod_auth_cas to run the CAS
>> Server. There is mod_proxy_balancer in HTTPD which can do load balancing to
>> multiple backends.
>>
>>
>> On 05/07/2018 09:13 AM, Ramakrishna G wrote:
>>
>> Hello
>>
>> I am running a load balancer (NGINX) which redirects the request to
>> mod_auth_cas (Apache) and its corresponding CAS Server (Tomcat).
>>
>> The drawback of the current approach I am using is
>>
>> -> one Tomcat per Apache, which I want to remove. Also I need to
>> remove the multiple node connections.
>>
>>
>> Is there a way I can configure a single Apache to talk to multiple Tomcats?
>> In other words, a single mod_auth_cas will talk to multiple CAS servers. How
>> can I achieve it?
>>
>> Note: I know it can be achieved by adding NGINX in between Apache and
>> Tomcat to make it work. But I am looking for a cost-efficient approach
>> that uses fewer nodes.
>>
>> Thanks
>> Ramakrishna G
>>
>>
>
>
