Re: [cas-user] CAS 5.3.3 - NameID in SAML response xml problem

2018-09-25 Thread Bergner, Arnold
Have you tried to disable it? There are a few options regarding NameIDs in the 
service management app / service definition.



From: cas-user@apereo.org [mailto:cas-user@apereo.org] on behalf of 
magicserverpixiedust
Sent: Tuesday, 25 September 2018 23:31
To: CAS Community 
Subject: [cas-user] CAS 5.3.3 - NameID in SAML response xml problem



5.1.4:

<NameID>covf...@maga.us</NameID>

5.3.3-SNAPSHOT:

<NameID NameQualifier="https://www.rarepepes.com" SPNameQualifier="https://www.rarepepes.com">covf...@maga.us</NameID>



Seeing an odd issue between CAS versions regarding SAML responses. 
Specifically, I have found in 5.3.3 the NameID portion of the response 
includes NameQualifier and SPNameQualifier by default.  I'm not seeing a way 
to disable this behavior.  This is breaking some of our apps in our test 
environment.  Waiting to put 5.3.3 in production till I figure this one out. 
Anyone else see this behavior in 5.3.x?  Thanks,





-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f702028-a6e4-48e9-b14b-8cb644dacbec%40apereo.org.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fed13677615d48dfb957b81c8919a07e%40hrz.tu-darmstadt.de.




Re: [cas-user] Re: CAS 5.3.x PAC4J

2018-09-25 Thread Colin Wilkinson
Regarding authentication, I have asked a separate question to see if what I 
want to do is possible.

On Wednesday, 26 September 2018 08:14:00 UTC+10, Colin Wilkinson wrote:
>
> Hi Jérôme,
>
> I am not 100% sure if it may be an edge bug with the CAS server itself. 
> Basically it's an issue when serialising the session: there is no problem 
> when executing code, only when trying to serialise the session, and that made 
> the problem hard to track. Basically I had two beans that were session 
> scoped and proxy class targeted, and the serialisation did not like one of 
> those session scopes.
>
> The first session bean is about user information that is required to enable 
> talking between our Enterprise Service Bus (ESB) and our systems. We 
> configure this once and store it in the session. This bean is still stored in 
> the session.
>
> The second session bean used to do a lot more than it does now and has been 
> reconfigured. Now it only configures the User Information and no longer 
> needs to be stored in the session. The second session bean also stores a 
> reference to the first session bean and I think that is where the problem 
> lies.
>
> These beans are located in a services module that is used across multiple 
> projects without a problem.
>
> I think there may be a problem with CAS regarding authentication handlers. 
> I initially tried to add an additional authentication handler that ran after 
> the main ClientAuthenticationHandler; it did not fire. I will do some 
> testing today now that CAS is functioning and get back to you if there is a 
> problem.
>
> I have set cas.authn.policy.all.enabled=true as well.
>
> Regards,
> Colin
>
> On Tuesday, 25 September 2018 18:05:09 UTC+10, leleuj wrote:
>>
>> Hi,
>>
>> Was it a bug on your customization or something from the CAS server 
>> itself?
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Tue, Sep 25, 2018 at 4:37 AM Colin Wilkinson wrote:
>>
>>> Hi,
>>>
>>> I have worked out what the issue was. It was one of the session-scoped beans 
>>> being loaded after the initial request that was causing the issue.
>>>
>>> Regards,
>>>
>>> On Monday, 24 September 2018 15:59:52 UTC+10, Colin Wilkinson wrote:

>>>> Hi,
>>>>
>>>> We at work are looking at implementing delegated authentication for 
>>>> facebook, google, twitter, etc. but there seems to be a weird issue with 
>>>> it. A little bit of background: we have extended the delegated authentication 
>>>> as we need to map the email associated with facebook, for instance, back to a 
>>>> staff or student account. If the email has no association then we navigate 
>>>> to a registration screen where the user inputs a user name and password; 
>>>> otherwise it logs the staff or student in. If staff or students follow the 
>>>> flow as designed then all works fine and there is no issue. If the staff 
>>>> or student registers using the username and password provided I trigger the 
>>>> form authentication.
>>>>
>>>> The issue arises if the user does not navigate as expected: if when 
>>>> they get the registration screen they realise they have clicked the wrong 
>>>> client and decide to go back to the main login screen and choose the 
>>>> right client, I am receiving
>>>>
>>>> org.springframework.web.util.NestedServletException: Handler dispatch 
>>>> failed; nested exception is java.lang.OutOfMemoryError: Java heap space
>>>>
>>>> I am certain it's not the modifications I have made, as it's failing 
>>>> before the call to redirect to the client has happened. The problem is in the 
>>>> "DelegatedClientNavigationController" class with the following line; I placed 
>>>> a debug statement preceding the call and a debug statement after the call.
>>>>
>>>> this.delegatedSessionCookieManager.store(webContext);
>>>>
>>>> The main dev CAS server is running 16gb of ram, as initially it was only 
>>>> running 8gb of ram.
>>>>
>>>> The possible steps to replicate the issue are as follows:
>>>>
>>>> 1. Navigate to CAS
>>>> 2. Click Facebook (Authentication must fail)
>>>> 3. Redirected back to login screen (Upon redirecting back PAC4J 
>>>>    clients list goes missing)
>>>> 4. Navigate back to CAS so that clients are there
>>>> 5. Click Facebook; should get a heap space error.
>>>>
>>>> I have tried this with both 5.3.3 and 5.3.4-SNAPSHOT with no success.
>>>>
>>>> The debug statements were as follows:
>>>>
>>>> LOGGER.debug("PRIOR TO CALLING DELEGATED SESSION COOKIE MANAGER STORE");
>>>> this.delegatedSessionCookieManager.store(webContext);
>>>> LOGGER.debug("AFTER CALLING DELEGATED SESSION COOKIE MANAGER STORE");
>>>>
>>>> Attached are the success results and the heap space error results.
>>>>
>>>> I apologise if this does not make sense.
>>>>
>>>> Regards,
>>>> Colin
>>>>
>>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received 

[cas-user] CAS Authentication Handlers

2018-09-25 Thread Colin Wilkinson
Hi,

I am wondering if it's possible to have multiple authentication handlers run 
for the same credential type. Take "ClientCredential" for instance: I am 
trying to have multiple authentication handlers run. I am trying to leave 
your default ClientAuthenticationHandler as is and have a second authentication 
handler that maps the client email to our staff and student IDs; if no mapping 
is found then proceed to a registration screen.

My custom authentication handler is named 
"VicUniClientToLoginIdAuthenticationHandler", for instance, added for 
discussion purposes.

The problem I have is that if I have 
VicUniClientToLoginIdAuthenticationHandler set to run prior to 
ClientAuthenticationHandler and it fails, the failure is registered, but the 
moment ClientAuthenticationHandler succeeds the failure is simply 
ignored and the success flow is triggered.

But if I have the ClientAuthenticationHandler set to go first and it succeeds, 
then VicUniClientToLoginIdAuthenticationHandler is never called.

Is this possible, and how?

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/74cb78f4-6b2d-4b89-987c-b19f337b77fb%40apereo.org.
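The behaviour described in the question above (a failure from the mapping handler being ignored once the stock handler succeeds, and the second handler never running when the stock one goes first) is what an "any one success is enough" authentication policy produces. The following is an added illustration written for this thread, not CAS code: the two handler names are taken from the post, while the `ClientCredential` class, the e-mail-to-id directory and the policy semantics (`any` with or without trying all handlers, and `all`) are a simplified model of what the `cas.authn.policy.any` / `cas.authn.policy.all` settings select.

```python
"""Toy model of an authentication policy combining several handlers that all
support one credential type (added example, not CAS code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class ClientCredential:
    """Constructed stand-in for a delegated-authentication (pac4j) credential."""
    client_name: str
    email: str


@dataclass
class HandlerResult:
    handler: str
    success: bool
    principal: Optional[str] = None
    error: Optional[str] = None


@dataclass
class Outcome:
    authenticated: bool = False
    principal: Optional[str] = None
    executed: List[str] = field(default_factory=list)
    successes: List[HandlerResult] = field(default_factory=list)
    failures: List[HandlerResult] = field(default_factory=list)


Handler = Callable[[ClientCredential], HandlerResult]

# Constructed directory: delegated e-mail -> institutional login id.
EMAIL_TO_LOGIN_ID: Dict[str, str] = {"alice@example.edu": "s1234567"}


def client_authentication_handler(cred: ClientCredential) -> HandlerResult:
    """Models the stock handler: the external client already vouched for the
    user, so the credential is accepted and the e-mail becomes the principal."""
    return HandlerResult("ClientAuthenticationHandler", True, principal=cred.email)


def client_to_login_id_handler(cred: ClientCredential) -> HandlerResult:
    """Models the custom handler from the post: succeed only when the e-mail
    maps to a staff/student id, otherwise record a failure."""
    name = "VicUniClientToLoginIdAuthenticationHandler"
    login_id = EMAIL_TO_LOGIN_ID.get(cred.email)
    if login_id is None:
        return HandlerResult(name, False, error=f"no staff/student mapping for {cred.email}")
    return HandlerResult(name, True, principal=login_id)


def authenticate(cred: ClientCredential, handlers: List[Handler],
                 policy: str = "any", try_all: bool = False) -> Outcome:
    """Run handlers in order and combine their results under the policy.

    any, try_all=False : stop at the first success; an earlier failure is
                         recorded but does not block login (fails open).
    any, try_all=True  : run every handler, still succeed on any one success.
    all                : run until the first failure; every handler must succeed.
    """
    out = Outcome()
    for handler in handlers:
        result = handler(cred)
        out.executed.append(result.handler)
        if result.success:
            out.successes.append(result)
            if policy == "any" and not try_all:
                break  # later handlers are never consulted
        else:
            out.failures.append(result)
            if policy == "all":
                break  # fail closed: one failure rejects the login
    if policy == "all":
        out.authenticated = bool(out.successes) and not out.failures
    else:
        out.authenticated = bool(out.successes)
    if out.authenticated:
        out.principal = out.successes[0].principal
    return out
```

Under `any`, the mapping handler's failure is still present in the outcome but does not change the decision, and with the stock handler first the mapping handler is never executed; only the `all` policy turns a missing staff/student mapping into a rejected login, which is the fail-closed behaviour a registration gate needs.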


Re: [cas-user] Re: CAS 5.3.x PAC4J

2018-09-25 Thread Colin Wilkinson
Hi Jérôme,

I am not 100% sure if it may be an edge bug with the CAS server itself. 
Basically it's an issue when serialising the session: there is no problem 
when executing code, only when trying to serialise the session, and that made 
the problem hard to track. Basically I had two beans that were session 
scoped and proxy class targeted, and the serialisation did not like one of 
those session scopes.

The first session bean is about user information that is required to enable 
talking between our Enterprise Service Bus (ESB) and our systems. We 
configure this once and store it in the session. This bean is still stored in 
the session.

The second session bean used to do a lot more than it does now and has been 
reconfigured. Now it only configures the User Information and no longer 
needs to be stored in the session. The second session bean also stores a 
reference to the first session bean and I think that is where the problem 
lies.

These beans are located in a services module that is used across multiple 
projects without a problem.

I think there may be a problem with CAS regarding authentication handlers. I 
initially tried to add an additional authentication handler that ran after the 
main ClientAuthenticationHandler; it did not fire. I will do some testing 
today now that CAS is functioning and get back to you if there is a problem.

I have set cas.authn.policy.all.enabled=true as well.

Regards,
Colin

On Tuesday, 25 September 2018 18:05:09 UTC+10, leleuj wrote:
>
> Hi,
>
> Was it a bug on your customization or something from the CAS server itself?
> Thanks.
> Best regards,
> Jérôme
>
>
> On Tue, Sep 25, 2018 at 4:37 AM Colin Wilkinson wrote:
>
>> Hi,
>>
>> I have worked out what the issue was. It was one of the session-scoped beans 
>> being loaded after the initial request that was causing the issue.
>>
>> Regards,
>>
>> On Monday, 24 September 2018 15:59:52 UTC+10, Colin Wilkinson wrote:
>>>
>>> Hi,
>>>
>>> We at work are looking at implementing delegated authentication for 
>>> facebook, google, twitter, etc. but there seems to be a weird issue with it. 
>>> A little bit of background: we have extended the delegated authentication as 
>>> we need to map the email associated with facebook, for instance, back to a 
>>> staff or student account. If the email has no association then we navigate 
>>> to a registration screen where the user inputs a user name and password; 
>>> otherwise it logs the staff or student in. If staff or students follow the 
>>> flow as designed then all works fine and there is no issue. If the staff or 
>>> student registers using the username and password provided I trigger the 
>>> form authentication.
>>>
>>> The issue arises if the user does not navigate as expected: if when they 
>>> get the registration screen they realise they have clicked the wrong 
>>> client and decide to go back to the main login screen and choose the right 
>>> client, I am receiving
>>>
>>> org.springframework.web.util.NestedServletException: Handler dispatch 
>>> failed; nested exception is java.lang.OutOfMemoryError: Java heap space
>>>
>>> I am certain it's not the modifications I have made, as it's failing before 
>>> the call to redirect to the client has happened. The problem is in the 
>>> "DelegatedClientNavigationController" class with the following line; I placed 
>>> a debug statement preceding the call and a debug statement after the call.
>>>
>>> this.delegatedSessionCookieManager.store(webContext);
>>>
>>> The main dev CAS server is running 16gb of ram, as initially it was only 
>>> running 8gb of ram.
>>>
>>> The possible steps to replicate the issue are as follows:
>>>
>>> 1. Navigate to CAS
>>> 2. Click Facebook (Authentication must fail)
>>> 3. Redirected back to login screen (Upon redirecting back PAC4J 
>>>    clients list goes missing)
>>> 4. Navigate back to CAS so that clients are there
>>> 5. Click Facebook; should get a heap space error.
>>>
>>> I have tried this with both 5.3.3 and 5.3.4-SNAPSHOT with no success.
>>>
>>> The debug statements were as follows:
>>>
>>> LOGGER.debug("PRIOR TO CALLING DELEGATED SESSION COOKIE MANAGER STORE");
>>> this.delegatedSessionCookieManager.store(webContext);
>>> LOGGER.debug("AFTER CALLING DELEGATED SESSION COOKIE MANAGER STORE");
>>>
>>> Attached are the success results and the heap space error results.
>>>
>>> I apologise if this does not make sense.
>>>
>>> Regards,
>>> Colin
>>>
>>>

[cas-user] CAS 5.3.3 - NameID in SAML response xml problem

2018-09-25 Thread magicserverpixiedust
5.1.4:
<NameID>covf...@maga.us</NameID>

5.3.3-SNAPSHOT:
<NameID NameQualifier="https://www.rarepepes.com" SPNameQualifier="https://www.rarepepes.com">covf...@maga.us</NameID>

Seeing an odd issue between CAS versions regarding SAML responses.  
Specifically, I have found in 5.3.3 the NameID portion of the response 
includes NameQualifier and SPNameQualifier by default.  I'm not seeing a 
way to disable this behavior.  This is breaking some of our apps in our 
test environment.  Waiting to put 5.3.3 in production till I figure this 
one out.  Anyone else see this behavior in 5.3.x?  Thanks,


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f702028-a6e4-48e9-b14b-8cb644dacbec%40apereo.org.
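To see why the extra attributes can break a relying application, it helps to pull the NameID apart and compare the two shapes the post quotes. The following is an added example written for this thread, not CAS or Shibboleth code: the two fragments are constructed from the value and URLs quoted above, and the `saml2` prefix, its namespace URI and the optional `Format` attribute are assumptions about how the element appears inside a full assertion.

```python
"""Parse a SAML 2.0 <NameID> element and compare subjects with and without
their qualifiers (added example for the thread, not CAS code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Assumption: the assertion uses the conventional saml2 prefix for this namespace.
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def name_id_xml(value: str, name_qualifier: Optional[str] = None,
                sp_name_qualifier: Optional[str] = None) -> str:
    """Build a constructed saml2:NameID fragment in the shape seen in the post."""
    attrs = [f'xmlns:saml2="{SAML2_NS}"']
    if name_qualifier:
        attrs.append(f'NameQualifier="{name_qualifier}"')
    if sp_name_qualifier:
        attrs.append(f'SPNameQualifier="{sp_name_qualifier}"')
    return f"<saml2:NameID {' '.join(attrs)}>{value}</saml2:NameID>"


# Constructed fragments mirroring the two CAS versions quoted in the post.
NAMEID_5_1_4 = name_id_xml("covf...@maga.us")
NAMEID_5_3_3 = name_id_xml("covf...@maga.us",
                           name_qualifier="https://www.rarepepes.com",
                           sp_name_qualifier="https://www.rarepepes.com")


@dataclass(frozen=True)
class NameId:
    value: str
    fmt: Optional[str]
    name_qualifier: Optional[str]
    sp_name_qualifier: Optional[str]


def parse_name_id(fragment: str) -> NameId:
    """Extract the subject value and its qualifiers; reject other elements."""
    root = ET.fromstring(fragment)
    if root.tag != f"{{{SAML2_NS}}}NameID":
        raise ValueError(f"not a saml2:NameID element: {root.tag}")
    return NameId(
        value=(root.text or "").strip(),
        fmt=root.get("Format"),
        name_qualifier=root.get("NameQualifier"),
        sp_name_qualifier=root.get("SPNameQualifier"),
    )


def same_subject(a: NameId, b: NameId, strict: bool) -> bool:
    """strict=True keys on the whole identifier (value plus Format and both
    qualifiers); strict=False keys on the text value alone."""
    if a.value != b.value:
        return False
    if not strict:
        return True
    return (a.fmt, a.name_qualifier, a.sp_name_qualifier) == \
           (b.fmt, b.name_qualifier, b.sp_name_qualifier)
```

An application that keys its account lookup on the whole identifier sees a different subject after the upgrade even though the e-mail value is unchanged; one that reads only the text value is unaffected, which is one way the added qualifiers can break some relying parties and leave others working.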


[cas-user] How to Remove Port: https://login.domain.com:8443/cas to https://login.domain.com

2018-09-25 Thread Fahmi L. Ramdhani
Hello, how do I remove the port (to 443) while I also use NGINX? I want it to be 
like *https://login.domain.com/*. This is my current CAS configuration:

*etc/cas/config/cas.properties:*
cas.server.name: https://login.domain.com:8443
cas.server.prefix: ${cas.server.name}/cas


*nginx/sites-available/login.domain.com*
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;

    server_name login.domain.com;
    root /var/www/login.domain.com;

    charset utf-8;

    location / {
        proxy_pass  ???
    }

    ssl_certificate .;
    ssl_certificate_key ;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}


Please help me complete the configuration in cas.properties or nginx. 
Thank you.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ed074a70-3d26-4146-9954-9fb414405f7f%40apereo.org.


[cas-user] Re: CAS 5.3, how to get TGT?

2018-09-25 Thread Yan Zhou
Figured out, the cookie is secure, so it is only sent via TLS.  I was 
running CAS on Plain HTTP.

Yan

On Tuesday, September 25, 2018 at 2:54:17 PM UTC-4, Yan Zhou wrote:
>
> Hello,
>
> I need to extend my overlay of CAS 5.3.3, to support an additional 
> endpoint.
>
> MyController looks like this. The user has logged in to CAS already. I want to get 
> the authenticated user ID when the user comes to this endpoint.
>
> But, I am unable to get TGT below.  What would be the right approach?
>
> Thx!
> Yan
>
> @Autowired
> CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;
> @Autowired
> private TicketRegistry ticketRegistry;
>
> @RequestMapping(value = "/xyz", method = RequestMethod.GET)
> public ModelAndView doSomething(HttpServletRequest httpRequest) {
>     TicketGrantingTicket ticket = CookieUtils.getTicketGrantingTicketFromRequest(
>             ticketGrantingTicketCookieGenerator, ticketRegistry, httpRequest);
>     Principal principal = ticket.getAuthentication().getPrincipal();
> }
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f02911f6-483b-4300-b2aa-9e6abc365cdc%40apereo.org.


Re: [cas-user] CAS SSO login issue with cluster environment

2018-09-25 Thread Ray Bon
Uvaraj,

See, 
https://apereo.github.io/cas/4.1.x/installation/Configuring-Ticket-Expiration-Policy.html#service-ticket-policies

The time between ticket issue (16:06:58,320) and time of check on server 2 
(16:07:12,665), more than 14 seconds, is an eternity in the digital realm.
Either there is a problem with the client application, a network issue, or your 
servers' clocks are not synchronized.
The default ST life is 10s. Before changing this, check the other issues above.

Ray

On Tue, 2018-09-25 at 11:52 -0700, uvaraj s wrote:
Hi CAS Users,

We are using CAS 4.1.2, which is running in a cluster environment (one MySQL 
DB connected to two CAS Tomcat applications under one application LB), and we do 
not have any cache implemented.

Intermittently, when the user tries to log in, the user is redirected to the login 
page itself. Below are the logs from Tomcat server 1 and server 2.

In the server 1 log, we can see that the ticket is getting removed before the 
validation happens from server 2.

Is there any way to increase the time and not remove the ticket, so that the 
validation from server 2 goes through without any issue?

Logs From Server 1:

2018-09-25 16:06:58,320 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy] - 
2018-09-25 16:06:58,320 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
2018-09-25 16:06:58,320 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
2018-09-25 16:06:58,320 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2018-09-25 16:06:58,320 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2018-09-25 16:06:58,320 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2018-09-25 16:06:58,320 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2018-09-25 16:06:58,320 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
https://client.mysite.org/sso] for user [suvaraj+g...@gmail.com]>
2018-09-25 16:06:58,320 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
https://client.mysite.org/sso] for user [suvaraj+g...@gmail.com]>
2018-09-25 16:06:58,321 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,321 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG 
[org.jasig.cas.web.support.DefaultCasCookieValueManager] - 
2018-09-25 16:07:02,813 DEBUG 
[org.jasig.cas.web.support.DefaultCasCookieValueManager] - 
2018-09-25 16:07:02,814 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
2018-09-25 16:07:02,814 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- 
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout] for service 
[https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout] for service 
[https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org]>
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout,message=@NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
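Ray's check above (issue time on one node, validation time on the other, compared against the service-ticket lifetime) is easy to automate over the two servers' logs. The following is an added example for this thread, not CAS code: the timestamps, ticket id, logger names and service URL come from the logs quoted in the thread, but the message text after the dash is constructed, because the archive stripped it, and the "Granted"/"Validating" keywords used to pick out the events are likewise an assumption.

```python
"""Correlate service-ticket issue and validation across two CAS nodes' logs
(added example for the thread, not CAS code)."""
import re
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

DEFAULT_ST_TTL_SECONDS = 10.0  # default service-ticket lifetime quoted in the reply

# log4j-style line: "<date> <time>,<millis> <LEVEL> [<logger>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
TICKET_RE = re.compile(r"\bST-\d+-[A-Za-z0-9_.-]+")

ST_ID = "ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org"
SERVICE = "https://client.mysite.org/sso"

# Constructed sample lines; the message wording is assumed.
SERVER1_LINES = [
    f"2018-09-25 16:06:58,320 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - "
    f"<Granted service ticket [{ST_ID}] for service [{SERVICE}] for user [suvaraj+g...@gmail.com]>",
    f"2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - "
    f"<Performing logout operations for [{SERVICE}]>",
]
SERVER2_LINES = [
    f"2018-09-25 16:07:12,665 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - "
    f"<Validating service ticket [{ST_ID}] for service [{SERVICE}]>",
]


def parse_ts(ts: str) -> datetime:
    # %f accepts the three-digit millisecond field and zero-pads it to microseconds.
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")


def ticket_events(lines: Iterable[str], keyword: str) -> Dict[str, datetime]:
    """Map ticket id -> first timestamp of a line whose message contains keyword."""
    events: Dict[str, datetime] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or keyword not in m.group("msg"):
            continue
        t = TICKET_RE.search(m.group("msg"))
        if t and t.group(0) not in events:
            events[t.group(0)] = parse_ts(m.group("ts"))
    return events


def check_latency(issuer_lines: Iterable[str], validator_lines: Iterable[str],
                  ttl: float = DEFAULT_ST_TTL_SECONDS
                  ) -> Dict[str, Tuple[Optional[float], str]]:
    """Return {ticket: (delta_seconds, verdict)} for every ticket the issuer granted."""
    issued = ticket_events(issuer_lines, "Granted")
    validated = ticket_events(validator_lines, "Validating")
    report: Dict[str, Tuple[Optional[float], str]] = {}
    for st, t_issue in issued.items():
        t_val = validated.get(st)
        if t_val is None:
            report[st] = (None, "never validated")
            continue
        delta = (t_val - t_issue).total_seconds()
        if delta < 0:
            verdict = "clock skew suspected"  # validated before it was issued
        elif delta > ttl:
            verdict = "expired before validation"
        else:
            verdict = "ok"
        report[st] = (round(delta, 3), verdict)
    return report
```

A negative delta is the tell-tale for unsynchronised clocks between the two Tomcat nodes; a positive delta beyond the lifetime points at the client application or the network path between ticket issue and validation, which is the order Ray suggests checking before lengthening the ticket lifetime.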

Re: [cas-user] Re: AUP and X509 authentication

2018-09-25 Thread Curtis Ruck
While that looks like it would address the issue, I believe I will wait as 
my copy+paste'd solution works now.  I really dislike the arbitrary nature 
of CAS now; while the xml wasn't easy/fun, I definitely think we've gone 
backwards now.

On Monday, September 24, 2018 at 11:51:48 PM UTC-4, Colin Wilkinson wrote:
>
> Hi,
>
> I had to do something similar for the Password Management and did not want 
> to recreate everything. So the solution I came up with was to remove the 
> passwordManagementWebflowConfigurer from the execution plan, set the 
> order to one before my configurer, and re-add the 
> passwordManagementWebflowConfigurer.
>
> It's a serious issue and pain that you can set a definite order to items 
> like these CasWebflowConfigurers that actually rely on the order to execute. 
> This needs to be able to be configured.
>
> I hope this helps.
>
> @Autowired
> @Qualifier("passwordManagementWebflowConfigurer")
> private CasWebflowConfigurer passwordManagementWebflowConfigurer;
>
> @Override
> public void configureWebflowExecutionPlan(final CasWebflowExecutionPlan plan) {
>     // Remove the stock configurer, change its order, then register it again
>     // ahead of the custom reconfigurer.
>     plan.getWebflowConfigurers().removeIf(casWebflowConfigurer ->
>             casWebflowConfigurer.getName().equals(passwordManagementWebflowConfigurer.getName()));
>     final int order = Ordered.LOWEST_PRECEDENCE - 100;
>
>     try {
>         if (AopUtils.isJdkDynamicProxy(passwordManagementWebflowConfigurer)) {
>             // Unwrap the JDK proxy to reach the real bean's setter.
>             ((PasswordManagementWebflowConfigurer) ((Advised)
>                     passwordManagementWebflowConfigurer).getTargetSource().getTarget()).setOrder(order);
>         } else {
>             ((PasswordManagementWebflowConfigurer) passwordManagementWebflowConfigurer).setOrder(order);
>         }
>     } catch (final Exception exception) {
>         LOGGER.error("The following error occurred during reconfigure of startup sequence.", exception);
>     }
>
>     plan.registerWebflowConfigurer(passwordManagementWebflowConfigurer);
>     plan.registerWebflowConfigurer(vicUniPasswordManagementWebflowReconfigurer());
> }
>
>
>
> On Tuesday, 25 September 2018 12:49:25 UTC+10, Andy Ng wrote:
>>
>> Hi Curtis,
>>
>> Ah, I forgot to mention something: 
>>
>> when you try to override a bean inside a Configuration file, whether or 
>> not the override actually succeeds depends on the load sequence. Whichever one 
>> loads last will be the actual bean to be used.
>> See: 
>> https://stackoverflow.com/questions/11833804/overriding-bean-configuration-in-spring
>>
>> To make sure your defined bean takes effect, you might need to use the 
>> @Import annotation.
>>
>> So you could try out the following:
>>
>> ===
>> @Configuration("myDomainX509AuthenticationWebflowConfiguration")
>> @EnableConfigurationProperties(CasConfigurationProperties.class)
>> @Slf4j
>> @Import(X509AuthenticationWebflowConfiguration.class)
>> public class MyDomainX509AuthenticationWebflowConfiguration implements 
>> CasWebflowExecutionPlanConfigurer {
>>
>> ..
>>
>>
>>
>>
>> ===
>>
>> If this still doesn't work, then maybe you need to stick to your 
>> solution...
>>
>> Cheers!
>> - Andy
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c83782a-506f-41d7-9c64-4fecac01b347%40apereo.org.


Re: [cas-user] cas 5.3.3 management webapp overlay issue

2018-09-25 Thread magicserverpixiedust
If I start cas.war and wait for it to complete, then start 
cas-management.war - then CAS Management app starts fine without the hang 
up during Tomcat start.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d6bc3505-9104-4ccd-aefc-34e7977a4eaa%40apereo.org.


[cas-user] CAS 5.3, how to get TGT?

2018-09-25 Thread Yan Zhou
Hello,

I need to extend my overlay of CAS 5.3.3, to support an additional endpoint.

MyController looks like this. The user has logged in to CAS already. I want to get the 
authenticated user ID when the user comes to this endpoint.

But, I am unable to get TGT below.  What would be the right approach?

Thx!
Yan

@Autowired
CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;
@Autowired
private TicketRegistry ticketRegistry;

@RequestMapping(value = "/xyz", method = RequestMethod.GET)
public ModelAndView doSomething(HttpServletRequest httpRequest) {
    TicketGrantingTicket ticket = CookieUtils.getTicketGrantingTicketFromRequest(
            ticketGrantingTicketCookieGenerator, ticketRegistry, httpRequest);
    Principal principal = ticket.getAuthentication().getPrincipal();
}

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d82476a-7831-4b42-abe8-49837bd22456%40apereo.org.


[cas-user] CAS SSO login issue with cluster environment

2018-09-25 Thread uvaraj s
Hi CAS Users,

We are using CAS 4.1.2, which is running in a cluster environment (one MySQL 
DB connected to two CAS Tomcat applications under one application LB), and 
we do not have any cache implemented.

Intermittently, when the user tries to log in, the user is redirected to the 
login page itself. Below are the logs from Tomcat server 1 and server 2.

In the server 1 log, we can see that the ticket is getting removed before 
the validation happens from server 2.

Is there any way to increase the time and not remove the ticket, so that 
the validation from server 2 goes through without any issue?

*Logs From Server 1:*

2018-09-25 16:06:58,320 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2018-09-25 16:06:58,320 DEBUG 
[org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2018-09-25 16:06:58,320 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - https://client.mysite.org/sso] for user 
[suvaraj+g...@gmail.com]>
2018-09-25 16:06:58,320 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - https://client.mysite.org/sso] for user 
[suvaraj+g...@gmail.com]>
2018-09-25 16:06:58,321 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:06:58,321 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - 

2018-09-25 16:07:02,813 DEBUG 
[org.jasig.cas.web.support.DefaultCasCookieValueManager] - 
2018-09-25 16:07:02,813 DEBUG 
[org.jasig.cas.web.support.DefaultCasCookieValueManager] - 
2018-09-25 16:07:02,814 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:07:02,814 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout] for service 
[https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout] for service 
[https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org]>
2018-09-25 16:07:02,818 DEBUG 
[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout,message=@NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/j_spring_security_logout,message=@NOT_USED@ST-13449-gCFWnpSdkGe2Ll1HBvFo-cas-tomcat-prod-app-i-00e883b0f45ab9503.mysite.org,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso,status=SUCCESS]]>
2018-09-25 16:07:02,818 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - 
https://client.mysite.org/sso,status=SUCCESS]]>



*Logs From Server 2*

2018-09-25 16:07:12,665 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - 
2018-09-25 

Re: [cas-user] CAS SSO fails for External ticket repository post restart of CAS server

2018-09-25 Thread Ray Bon
You can check the contents of redis with the redis command line tool, 
https://redis.io/documentation.
Do you have the signing and encryption keys for redis and the tickets in the 
config file? If not, they will be generated on each start.

Ray

On Tue, 2018-09-25 at 07:01 -0700, Casseora wrote:
Currently I am using Apereo CAS 5.2.1.

I am using Redis as the ticket repository.

SSO works fine if the server instance is not restarted.

Post restart, even providing the same TGC value, the server fails to perform SSO 
and asks for credentials.

Redis conf:

cas.ticket.registry.redis.host=localhost
cas.ticket.registry.redis.database=0
cas.ticket.registry.redis.port=6379
cas.ticket.registry.redis.password=
# cas.ticket.registry.redis.timeout=2000
# cas.ticket.registry.redis.usePool=true

cas.ticket.registry.redis.pool.max-active=20
cas.ticket.registry.redis.pool.maxIdle=8
cas.ticket.registry.redis.pool.minIdle=0
cas.ticket.registry.redis.pool.maxActive=8
cas.ticket.registry.redis.pool.maxWait=-1
cas.ticket.registry.redis.pool.numTestsPerEvictionRun=0
cas.ticket.registry.redis.pool.softMinEvictableIdleTimeMillis=0
cas.ticket.registry.redis.pool.minEvictableIdleTimeMillis=0
cas.ticket.registry.redis.pool.lifo=true
cas.ticket.registry.redis.pool.fairness=false

cas.ticket.registry.redis.pool.testOnCreate=false
cas.ticket.registry.redis.pool.testOnBorrow=false
cas.ticket.registry.redis.pool.testOnReturn=false
cas.ticket.registry.redis.pool.testWhileIdle=false

cas.ticket.registry.redis.crypto.signing.key=
cas.ticket.registry.redis.crypto.signing.keySize=512

cas.ticket.registry.redis.crypto.encryption.key=
cas.ticket.registry.redis.crypto.encryption.keySize=16

cas.ticket.registry.redis.crypto.alg=AES

Ticket conf:

cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5

cas.ticket.tgt.maxTimeToLiveInSeconds=28800
cas.ticket.tgt.timeToKillInSeconds=7200
cas.ticket.tgt.onlyTrackMostRecentSession=true
cas.ticket.tgt.maxLength=50
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800

cas.ticket.st.timeToKillInSeconds=7200
cas.ticket.st.numberOfUses=1

Any help is highly appreciated.

Thank you in advance

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1537892880.2750.20.camel%40uvic.ca.
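The failure Ray describes, modelled as an added example (this is not CAS code and not part of the thread): CAS signs and encrypts both the TGC browser cookie (`cas.tgc.crypto.*`) and the tickets it writes to Redis (`cas.ticket.registry.redis.crypto.*`). When those settings are blank, as in the configuration above, the server generates fresh keys at every start, so a cookie or a stored ticket minted before a restart can no longer be decrypted or verified and the user is sent back to the login form. The cipher below (HMAC-SHA512 over the value, then AES-256-GCM) is an illustrative stand-in for CAS's JWT-based cipher executor, not its wire format; key sizes are the example's own, and the TGT identifier is constructed.

```go
package main
// Added example, not CAS code: blank crypto.signing.key / crypto.encryption.key
// settings make CAS generate fresh keys at startup, so the TGC cookie and the
// Redis tickets issued before a restart no longer verify. HMAC-SHA512 + AES-GCM
// is an illustrative stand-in for CAS's JWT-based cipher, not its exact format.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"errors"
)

type Keys struct {
	Signing    []byte // 64 bytes for HMAC-SHA512 (CAS default signing keySize is 512 bits)
	Encryption []byte // 32 bytes for AES-256-GCM (sizes here are the example's own)
}
// GenerateKeys is what a blank key setting amounts to: new random keys on every start.
func GenerateKeys() Keys {
	k := Keys{Signing: make([]byte, 64), Encryption: make([]byte, 32)}
	if _, err := rand.Read(k.Signing); err != nil {
		panic(err) // no randomness, no safe keys
	}
	if _, err := rand.Read(k.Encryption); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encode: HMAC-SHA512 over value, AES-GCM over value||mac, URL-safe base64 of nonce||ciphertext.
func Encode(k Keys, value string) (string, error) {
	mac := hmac.New(sha512.New, k.Signing)
	mac.Write([]byte(value))
	signed := append([]byte(value), mac.Sum(nil)...)
	gcm, err := newGCM(k.Encryption)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, signed, nil)), nil
}

// Decode fails closed: other keys fail GCM authentication, or the MAC if only the signing key changed.
func Decode(k Keys, cookie string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(k.Encryption)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("cookie too short")
	}
	signed, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("decrypt failed: wrong encryption key or tampered cookie")
	}
	if len(signed) < sha512.Size {
		return "", errors.New("missing signature")
	}
	value, sig := signed[:len(signed)-sha512.Size], signed[len(signed)-sha512.Size:]
	mac := hmac.New(sha512.New, k.Signing)
	mac.Write(value)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature: wrong signing key")
	}
	return string(value), nil
}

// SSOSurvivesRestart: a browser keeps its TGC while CAS restarts with or without persisted keys.
func SSOSurvivesRestart(persisted bool) bool {
	before := GenerateKeys()
	after := before // keys read from cas.properties on both starts
	if !persisted {
		after = GenerateKeys() // blank settings: the restarted node makes new keys
	}
	tgc, err := Encode(before, "TGT-1-constructed-example") // constructed TGT id
	if err != nil {
		panic(err)
	}
	_, err = Decode(after, tgc)
	return err == nil
}
```

`SSOSurvivesRestart(true)` returns true and `SSOSurvivesRestart(false)` returns false, which is exactly the difference between the poster's two runs. The fix is to generate the signing and encryption keys once, put the values in cas.properties for both the TGC and the Redis registry settings, and use the same values on every CAS node so a ticket written by one node is readable by another; CAS 5.x ships a command-line shell with a `generate-key` command for this. Ray's first suggestion can be checked with `redis-cli --scan --pattern 'CAS_TICKET:*'` (5.x stores tickets under that key prefix): if the TGT keys are still there after the restart but login is prompted anyway, the keys, not the registry, are what changed.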


[cas-user] CAS SSO fails for External ticket repository post restart of CAS server

2018-09-25 Thread Casseora
Currently I am using Apereo CAS 5.2.1.

I am using Redis as the ticket repository.

SSO works fine if the server instance is not restarted.

Post restart, even providing the same TGC value, the server fails to perform 
SSO and asks for credentials.

Redis conf:

cas.ticket.registry.redis.host=localhost
cas.ticket.registry.redis.database=0
cas.ticket.registry.redis.port=6379
cas.ticket.registry.redis.password=
# cas.ticket.registry.redis.timeout=2000
# cas.ticket.registry.redis.usePool=true

cas.ticket.registry.redis.pool.max-active=20
cas.ticket.registry.redis.pool.maxIdle=8
cas.ticket.registry.redis.pool.minIdle=0
cas.ticket.registry.redis.pool.maxActive=8
cas.ticket.registry.redis.pool.maxWait=-1
cas.ticket.registry.redis.pool.numTestsPerEvictionRun=0
cas.ticket.registry.redis.pool.softMinEvictableIdleTimeMillis=0
cas.ticket.registry.redis.pool.minEvictableIdleTimeMillis=0
cas.ticket.registry.redis.pool.lifo=true
cas.ticket.registry.redis.pool.fairness=false

cas.ticket.registry.redis.pool.testOnCreate=false
cas.ticket.registry.redis.pool.testOnBorrow=false
cas.ticket.registry.redis.pool.testOnReturn=false
cas.ticket.registry.redis.pool.testWhileIdle=false

cas.ticket.registry.redis.crypto.signing.key=
cas.ticket.registry.redis.crypto.signing.keySize=512

cas.ticket.registry.redis.crypto.encryption.key=
cas.ticket.registry.redis.crypto.encryption.keySize=16

cas.ticket.registry.redis.crypto.alg=AES

Ticket conf:

cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5

cas.ticket.tgt.maxTimeToLiveInSeconds=28800
cas.ticket.tgt.timeToKillInSeconds=7200
cas.ticket.tgt.onlyTrackMostRecentSession=true
cas.ticket.tgt.maxLength=50
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800

cas.ticket.st.timeToKillInSeconds=7200
cas.ticket.st.numberOfUses=1

Any help is highly appreciated.

Thank you in advance 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f30f576d-05cc-4347-89ac-98f89b65f26a%40apereo.org.


[cas-user] Re: Unauthorized After Login

2018-09-25 Thread Fahmi L. Ramdhani
Hi all, it is resolved.

casuser# mkdir /opt/tomcat/keystore
# Bundle the Let's Encrypt chain and private key into a PKCS12 file
casuser# openssl pkcs12 -export \
    -in /etc/letsencrypt/live/cas.domain.com/fullchain.pem \
    -inkey /etc/letsencrypt/live/cas.domain.com/privkey.pem \
    -out /opt/tomcat/keystore/cas.domain.com.p12 -password pass:changeit
# Convert the PKCS12 file just written into a JKS keystore for Tomcat
# (the source file name must match the -out of the previous step)
casuser# keytool -importkeystore \
    -srckeystore /opt/tomcat/keystore/cas.domain.com.p12 -srcstoretype pkcs12 \
    -srcstorepass changeit \
    -destkeystore /opt/tomcat/keystore/cas.domain.com.keystore -deststoretype jks \
    -deststorepass changeit


*In /opt/tomcat/conf/server.xml* use this:


Thank you all.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fe339f3d-a455-459e-9d38-0e04129b15ab%40apereo.org.
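A pre-flight check for the certificate material in the procedure above, as an added example (it is not part of Fahmi's steps and not CAS or Tomcat code): before packaging the certbot files into Tomcat's keystore it confirms that privkey.pem really is the leaf certificate's key, that fullchain.pem is in leaf-first order, and that the leaf is not about to expire, because a keystore built from the wrong pair either stops Tomcat from starting or serves a mismatched certificate, and the keystore copy does not renew itself when certbot renews the PEM files. The 14-day margin, the fixture host name and the self-signed fixture are assumptions; the fixture stands in for real Let's Encrypt material so the check can run offline.

```go
package main

// Added example, not from the original post: pre-flight checks for the Let's
// Encrypt fullchain.pem / privkey.pem pair before it is packaged into Tomcat's
// keystore. Paths, the renewal margin and the fixture host are assumptions.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parseChain returns the CERTIFICATE blocks of a PEM file in file order.
func parseChain(pemBytes []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for block, rest := pem.Decode(pemBytes); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, err
			}
			chain = append(chain, c)
		}
	}
	if len(chain) == 0 {
		return nil, errors.New("no certificates in chain")
	}
	return chain, nil
}

// parseKey accepts PKCS#8 (what certbot writes) or PKCS#1 RSA private keys.
func parseKey(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block in private key")
	}
	if k, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
		return nil, errors.New("unsupported key type")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// Preflight runs the checks; now and margin are parameters so the logic is testable.
func Preflight(chainPEM, keyPEM []byte, now time.Time, margin time.Duration) error {
	chain, err := parseChain(chainPEM)
	if err != nil {
		return err
	}
	key, err := parseKey(keyPEM)
	if err != nil {
		return err
	}
	leaf := chain[0]
	// A keystore built from the wrong key fails at Tomcat startup or serves a mismatched cert.
	pub, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) {
		return errors.New("private key does not match the leaf certificate")
	}
	// certbot writes the leaf first, then intermediates: each cert must be issued by the next.
	for i := 1; i < len(chain); i++ {
		if err := chain[i-1].CheckSignatureFrom(chain[i]); err != nil {
			return fmt.Errorf("chain order: cert %d is not issued by cert %d: %w", i-1, i, err)
		}
	}
	// The keystore copy does not renew itself when certbot renews the PEM files.
	if leaf.NotAfter.Before(now.Add(margin)) {
		return fmt.Errorf("leaf expires %s, inside the %s margin", leaf.NotAfter.Format(time.RFC3339), margin)
	}
	return nil
}

// SelfSignedFixture builds a constructed cert/key pair for demonstration; it is not Let's Encrypt material.
func SelfSignedFixture(notAfter time.Time) (chainPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cas.example.test"}, // assumed host name
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}
```

Run `Preflight` on the real files (read with `os.ReadFile`) with `time.Now()` and a margin shorter than your renewal cadence before the `openssl pkcs12 -export` step, and re-run the whole procedure from a certbot deploy hook so the keystore is rebuilt on every renewal. Tomcat 8.5 and later can also load the `.p12` file directly with `keystoreType="PKCS12"`, which removes the keytool conversion step; whichever file Tomcat reads should be owned by the Tomcat user with mode 600, since it holds the private key protected only by `changeit`.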


Re: [cas-user] Re: CAS 5.3.x PAC4J

2018-09-25 Thread Jérôme LELEU
Hi,

Was it a bug on your customization or something from the CAS server itself?
Thanks.
Best regards,
Jérôme


On Tue, Sep 25, 2018 at 4:37 AM Colin Wilkinson  wrote:

> Hi,
>
> I have worked out what the issue was. It was one of the scoped session beans
> being loaded after the initial request that was causing the issue.
>
> Regards,
>
> On Monday, 24 September 2018 15:59:52 UTC+10, Colin Wilkinson wrote:
>>
>> Hi,
>>
>> We at work are looking at implementing delegated authentication for
>> Facebook, Google, Twitter, etc., but there seems to be a weird issue with it.
>> A little bit of background: we have extended the delegated authentication as
>> we need to map the email associated with Facebook, for instance, back to a
>> staff or student account. If the email has no association then we navigate
>> to a registration screen where the user inputs a user name and password;
>> otherwise it logs the staff or student in. If staff or students follow the
>> flow as designed then all works fine and there is no issue. If the staff or
>> student registers using the username and password provided, I trigger the
>> form authentication.
>>
>> The issue arises if the user does not navigate as expected: if, when they
>> get the registration screen, they realise they have clicked the wrong
>> client and decide to go back to the main login screen and choose the right
>> client, I am receiving
>>
>> org.springframework.web.util.NestedServletException: Handler dispatch
>> failed; nested exception is java.lang.OutOfMemoryError: Java heap space
>>
>>
>> I am certain it's not the modifications I have made, as it's failing before
>> the call to redirect to the client has happened. The problem is in the
>> "DelegatedClientNavigationController" class with the following line; I placed
>> a debug statement preceding the call and a debug statement after the call.
>>
>>
>>  this.delegatedSessionCookieManager.store(webContext);
>>
>> The main dev cas server is running 16gb of ram as initially it was only
>> running 8gb of ram.
>>
>> The possible steps to replicate the issue are as follows:
>>
>>1. Navigate to CAS
>>2. Click Facebook (Authentication must fail)
>>3. Redirected back to login screen (Upon redirecting back PAC4J
>>clients list goes missing)
>>4. Navigate back to CAS so that clients are there
>>5. Click Facebook should get a heap space error.
>>
>> I have tried this with both 5.3.3 and 5.3.4-SNAPSHOT with no success.
>>
>> The debug statements were as follows:
>>
>> LOGGER.debug("PRIOR TO CALLING DELEGTED SESSION COOKIE MANAGER STORE");
>> this.delegatedSessionCookieManager.store(webContext);
>> LOGGER.debug("AFTER TO CALLING DELEGTED SESSION COOKIE MANAGER STORE");
>>
>>
>> Attached are the success results and the heap space error results.
>>
>> I apologise if this does not make sense.
>>
>> Regards,
>> Colin
>>
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/cbf7bd25-bc0d-44b8-92dd-40b8e7d653c3%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LxTEm6XnYz_HBo%2B3Org-BJZHxU41GSQFE%3D7J8GNqL9dTQ%40mail.gmail.com.


[cas-user] Re: SAML2 SLO SP initiated

2018-09-25 Thread Misagh Moayyed
Your analysis is correct. I believe more recent versions of 6 handle this 
scenario.

On Thursday, September 13, 2018 at 12:41:08 PM UTC+4:30, Fabio Martelli 
wrote:
>
> Il 12/09/2018 17:20, Fabio Martelli ha scritto:
>
> Hi All, I have some trouble with SAML2 SLO. 
>
> It seems that my IdP CAS 5.2.X does not provide any SAML logout response 
> to the SP sending SLO request to it. 
>
> What am I missing? Is there any particular configuration to be provided? 
> Does the CAS IdP not support SP-initiated SLO? 
>
> Thank you in advance for your help. 
>
> Kind regards, 
>
> F. 
>
> Hi, looking into the code I found the abstract class 
> AbstractSamlSLOProfileHandlerController 
> [1].
>
> If I correctly interpreted its implementation, the SLO request handling 
> will result into a redirect to the path /cas/logout.
>
> In this way, a logout response will never be provided to the calling SP. 
> As far as I know, this is in contrast with SAML2 SLO specifications.
>
> Assuming that my analysis is correct, is there the possibility that this 
> behavior will be fixed in the future? I'm a bit worried about the fact that 
> the master provides the same implementation ...
>
> Please let me have your feedback on this.
>
> Regards,
>
> F.
>
> [1] 
> https://github.com/apereo/cas/blob/v5.2.7/support/cas-server-support-saml-idp/src/main/java/org/apereo/cas/support/saml/web/idp/profile/slo/AbstractSamlSLOProfileHandlerController.java#L101
>
> -- 
> Fabio Martelli
> https://it.linkedin.com/pub/fabio-martelli/1/974/a44
> http://blog.tirasa.net/author/fabio/index.html
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm
>
> Apache Syncope PMC
> http://people.apache.org/~fmartelli/
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8f573ae4-6e7c-4c2d-9138-9b6949aed7e2%40apereo.org.
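The message Fabio's analysis finds missing, as an added example (not CAS code and not part of the thread): after an SP sends a LogoutRequest, the SAML 2.0 profile expects the IdP to answer with a LogoutResponse whose InResponseTo carries the request ID, and the SP should accept it only when it answers its own request, comes from the expected IdP, is addressed to its own SLO endpoint, is fresh and reports Success. The code builds that response on the IdP side and checks it on the SP side. Entity IDs, endpoint URLs and the sample request are constructed; the XML signature the bindings require is left out, and a real SP verifies that signature before running any of these checks.

```go
package main

// Added example, not CAS code: the SAML 2.0 LogoutResponse an SP waits for
// after its LogoutRequest, built on the IdP side and checked on the SP side.
// Entity IDs, endpoint URLs and the sample request are constructed; the XML
// signature the bindings require is omitted.

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

const statusSuccess = "urn:oasis:names:tc:SAML:2.0:status:Success"

type LogoutRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutRequest"`
	ID      string   `xml:"ID,attr"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	NameID  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
}

type StatusCode struct {
	Value string `xml:"Value,attr"`
}

type Status struct {
	StatusCode StatusCode `xml:"StatusCode"`
}

type LogoutResponse struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutResponse"`
	ID           string   `xml:"ID,attr"`
	Version      string   `xml:"Version,attr"`
	IssueInstant string   `xml:"IssueInstant,attr"`
	Destination  string   `xml:"Destination,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Issuer       string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Status       Status   `xml:"Status"` // no namespace in the tag: inherits samlp from the parent
}

// BuildLogoutResponse is the IdP side: answer the request by ID, addressed to the SP's SLO endpoint.
func BuildLogoutResponse(requestXML []byte, idpEntityID, spSLOURL string, now time.Time) ([]byte, error) {
	var req LogoutRequest
	if err := xml.Unmarshal(requestXML, &req); err != nil {
		return nil, err
	}
	if req.ID == "" {
		return nil, errors.New("LogoutRequest has no ID to answer")
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return nil, err
	}
	return xml.Marshal(LogoutResponse{
		ID:           "_" + hex.EncodeToString(idBytes), // xs:ID must not start with a digit
		Version:      "2.0",
		IssueInstant: now.UTC().Format(time.RFC3339),
		Destination:  spSLOURL,
		InResponseTo: req.ID,
		Issuer:       idpEntityID,
		Status:       Status{StatusCode: StatusCode{Value: statusSuccess}},
	})
}

// ValidateLogoutResponse is the SP side: the response must answer our request, come from
// our IdP, be addressed to us, be fresh, and report success; anything else is rejected.
func ValidateLogoutResponse(respXML []byte, expectRequestID, expectIssuer, ourSLOURL string, now time.Time, skew time.Duration) error {
	var resp LogoutResponse
	if err := xml.Unmarshal(respXML, &resp); err != nil {
		return err
	}
	if resp.Version != "2.0" {
		return fmt.Errorf("unexpected Version %q", resp.Version)
	}
	if resp.InResponseTo != expectRequestID {
		return fmt.Errorf("InResponseTo %q does not match our request %q", resp.InResponseTo, expectRequestID)
	}
	if resp.Issuer != expectIssuer {
		return fmt.Errorf("unexpected Issuer %q", resp.Issuer)
	}
	if resp.Destination != ourSLOURL {
		return fmt.Errorf("Destination %q is not our SLO endpoint", resp.Destination)
	}
	issued, err := time.Parse(time.RFC3339, resp.IssueInstant)
	if err != nil {
		return fmt.Errorf("IssueInstant: %w", err)
	}
	if d := now.Sub(issued); d > skew || d < -skew {
		return fmt.Errorf("IssueInstant %s is outside the %s clock-skew window", resp.IssueInstant, skew)
	}
	if resp.Status.StatusCode.Value != statusSuccess {
		return fmt.Errorf("logout did not succeed: %s", resp.Status.StatusCode.Value)
	}
	return nil
}

// SampleLogoutRequest is a constructed, unsigned SP-initiated LogoutRequest.
const SampleLogoutRequest = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
 IssueInstant="2018-09-12T15:20:00Z" Destination="https://cas.example.test/cas/idp/profile/SAML2/Redirect/SLO">
 <saml:Issuer>https://sp.example.test/shibboleth</saml:Issuer>
 <saml:NameID>user@example.test</saml:NameID>
</samlp:LogoutRequest>`
```

With the 5.2 behaviour Fabio describes, the SP's SLO handler never receives anything to run `ValidateLogoutResponse` on, so from the SP's point of view the logout is still pending even though the CAS session was destroyed; an SP that keys its local session teardown on a valid response is left logged in. The InResponseTo and Destination checks are what stop a captured response from being replayed against a different request or a different SP.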


[cas-user] Re: A rumor about CAS loosing ADFS integration

2018-09-25 Thread Misagh Moayyed
The CAS integration with ADFS is fine. Though "Perfectly" is perhaps too 
strong a word :) But seriously, there is no basis to the rumor AFAIK. 
You're probably thinking of the Azure MFA SDK, whose integration is one 
that was removed from CAS about 8-9 months ago.

On Friday, September 7, 2018 at 6:59:21 PM UTC+4:30, Toby Archer wrote:
>
> There is a rumor roaming around my office right now that Microsoft is 
> terminating some SDK that CAS uses to integrate with ADFS. I can't seem to 
> get to the root of it, as with all rumors everyone heard it from someone 
> else, and someone heard it from an official blog post, though no one knows 
> which one. I've searched around the internet and haven't found anything. So 
> I figured I would ask here for clarification: Is there any validity to said 
> rumor? Or is CAS's integration with ADFS perfectly fine?
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fddcd24a-a684-481a-b175-76a000b3cef6%40apereo.org.