[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation

2019-02-13 Thread kyra1510
Any help?
I don't know where the problem is.

On Wednesday, 6 February 2019 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML 
> delegation.
> My CAS 5.3.7 is configured to use the OpenIdConnect authentication but it 
> is possible to delegate the authentication to an IDP SAML2.
> I have no problem with the delegation in CAS 5.2.x 
>
> When I use the OIDC authentication without delegation, the workflow is 
> correct.
> Workflow:
> 1 The user enters their password and logs in on the authentication page
> 2 The user is redirected to a consent page
> 3 When they click on the "allow" button, an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1 The user clicks on the button which redirects to the correct IDP
> 2 The user logs in on the SAML IDP
> 3 Afterwards the user is returned to my CAS 5.3.7 and arrives on the page 
> service?ticket=ST-xxxx
> and I have a 302 code
>
>
> I found this issue on GitHub which seems to correspond to my problem: 
> https://github.com/apereo/cas/pull/3664.
> It describes the same issue in CAS 5.3.x in the SAML2 protocol before the 
> bug was fixed. It didn't concern the delegation.
> Could it be that this problem is related to my issue?
>
> Thanks for any help.
>
> Kyra
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a0151f25-c356-43eb-a886-feb7373cdce5%40apereo.org.


[cas-user] Using protocol SAML2.0

2019-02-13 Thread Pameliya Mukherjee
As I am new to CAS, please give me a brief idea how can I change CAS 
protocol to SAML2.0 protocol into my application.



[cas-user] OAuth authentication issue

2019-02-13 Thread Lorenzo Di Cola
Hi all,
I'm using CAS 5.3.7 and I'm working on the OAuth authentication following 
the guide [1]. I need to use the Resource Owner Credentials [2].
I'm calling the endpoint */oauth2.0/accessToken* passing the parameters 
*grant_type=password&client_id=ID&client_secret=&username=USERNAME&password=PASSWORD* 
(obviously). 
With the same user's credentials passed to the previous call I'm able to 
log in successfully inside CAS.
The issue for me is: if during the call at the endpoint */oauth2.0/accessToken* 
I set, in the parameters, a wrong username and/or a wrong password I'm 
always able to get the Access Token. 
I tried to search inside the code where the authentication, in this 
endpoint, should be done but I was not able to find it.
Is it possible that the authentication, for this endpoint, is never done?

Thanks all for your support.
Best regards,
Lorenzo Di Cola

[1] 
https://apereo.github.io/cas/5.3.x/installation/OAuth-OpenId-Authentication.html#oauthopenid-authentication
[2] 
https://apereo.github.io/cas/5.3.x/installation/OAuth-OpenId-Authentication.html#resource-owner-credentials



Re: [cas-user] Re: CAS integration with multiple OpenID Providers

2019-02-13 Thread P Shreyas Holla
Jérôme, is it possible to mention the application url as part of 
/clientredirect like 
"http://localhost:8080/cas/clientredirect?client_name=Google2Client&redirect_uri=http://test.com",
after successful authentication from openid, I want to redirect to the 
applications from which the request was received.


Thanks
Shreyas


On Wednesday, January 23, 2019 at 1:29:10 PM UTC+5:30, leleuj wrote:
>
> Hi,
>
> Starting with the version 5.3, you have the /clientredirect URL with the 
> service and client_name parameters. You may use that.
> Thanks.
> Best regards,
> Jérôme
>
>
> On Wed, 23 Jan 2019 at 05:54, P Shreyas Holla wrote:
>
>>
>> leleuj, we want to achieve something like 
>> *http://localhost:8080/cas?client_name=AzureAdClient* for Azure and 
>> *http://localhost:8080/cas?client_name=GoogleClient* for the Google 
>> provider. Would this be possible?
>>
>> Thanks
>> Shreyas
>>
>> On Tuesday, January 22, 2019 at 8:00:29 PM UTC+5:30, leleuj wrote:
>>>
>>> Hi,
>>>
>>> You can log in at Azure or Google via the authentication delegation 
>>> feature: 
>>> https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#openid-connect-1
>>>
>>> Choosing the OpenID Connect provider per service is a customization.
>>>
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> On Tuesday, 22 January 2019 09:58:39 UTC+1, P Shreyas Holla wrote:
>>>>
>>>> Suppose we have User1 and User2.
>>>>
>>>> 1) Whenever user1 accesses the application URL, he has to be redirected 
>>>> to the Google login page,
>>>>
>>>> 2) Whenever user2 accesses the application URL, he has to be redirected 
>>>> to the Microsoft Azure login page.
>>>>
>>>> On Tuesday, January 22, 2019 at 2:20:25 PM UTC+5:30, P Shreyas Holla 
>>>> wrote:
>>>>>
>>>>> We need to integrate CAS with multiple OpenID Providers like with 
>>>>> Google and Azure. How can we achieve it?
>>>>>


[cas-user] Re: Using protocol SAML2.0

2019-02-13 Thread 'Arnauld Peyrou' via CAS Community


On Wednesday, 13 February 2019 09:02:53 UTC+1, Pameliya Mukherjee wrote:
>
> As I am new to CAS, please give me a brief idea how can I change CAS 
> protocol to SAML2.0 protocol into my application.
>

the answer is here:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_overview.html
  




[cas-user] CAS is Federated SSO?

2019-02-13 Thread Yan Zhou
Hello!

We have been using CAS in our enterprise quite well. Various apps inside 
our corporation use the CAS protocol to achieve SSO.

A vendor wants to integrate with us and they agree that CAS is the single 
identity provider. But, they want Open ID Connect or SAML2, not CAS 
protocol. It is true that using standards is better, CAS protocol is very 
light-weight, but it is not an industry standard. 

As far as I can tell, CAS4 and CAS5 do provide federated SSO (provided 
that CAS is the only identity provider). Does that sound right?   If there 
is one single identity provider, user does not authenticate against any 
app., and app talks to CAS server.  It all sounds like Federated SSO to me. 

In this particular context, I do not know what Open ID Connect or SAML2 
will offer that CAS protocol does not, other than we would be using a 
standard protocol but a lot more complicated.

Thx!
Yan



RE: [cas-user] CAS is Federated SSO?

2019-02-13 Thread 'Tom O'Neill' via CAS Community
Yan,

Sounds like you’re on the right track and CAS can probably continue to meet 
your SSO needs.

What version of CAS are you on now? With the right modules and configuration, a 
CAS server could support Open ID and SAML 2.0, in addition to CAS.

Tom

From: cas-user@apereo.org  On Behalf Of Yan Zhou
Sent: Wednesday, February 13, 2019 10:28 AM
To: CAS Community 
Subject: [cas-user] CAS is Federated SSO?

Hello!

We have been using CAS in our enterprise quite well. Various apps inside our 
corporation use the CAS protocol to achieve SSO.

A vendor wants to integrate with us and they agree that CAS is the single 
identity provider. But, they want Open ID Connect or SAML2, not CAS protocol. 
It is true that using standards is better, CAS protocol is very light-weight, 
but it is not an industry standard.

As far as I can tell, CAS4 and CAS5 do provide federated SSO (provided that 
CAS is the only identity provider). Does that sound right?   If there is one 
single identity provider, user does not authenticate against any app., and app 
talks to CAS server.  It all sounds like Federated SSO to me.

In this particular context, I do not know what Open ID Connect or SAML2 will 
offer that CAS protocol does not, other than we would be using a standard 
protocol but a lot more complicated.

Thx!
Yan


[cas-user] CAS 5.3.8 Release Announcement

2019-02-13 Thread Misagh Moayyed
CAS 5.3.8 is released: 
https://github.com/apereo/cas/releases/tag/v5.3.8 

--Misagh 



Re: [cas-user] CAS is Federated SSO?

2019-02-13 Thread Yan Zhou
We have both CAS 4.1.9 and CAS 5.3.5. 

True, we could support, but I do not see any benefit with all the extra 
work.

I am reading about Open ID Connect, other than the flow/payload, CAS 
protocol has very similar concepts. Technically, we can replace OpenID 
Connect with CAS protocol, and it should be just as secure, isn't it?

Yan

On Wednesday, February 13, 2019 at 10:41:30 AM UTC-5, oneill wrote:
>
> Yan,
>
>  
>
> Sounds like you’re on the right track and CAS can probably continue to 
> meet your SSO needs.
>
>  
>
> What version of CAS are you on now? With the right modules and 
> configuration, a CAS server could support Open ID and SAML 2.0, in addition 
> to CAS.
>
>  
>
> Tom
>
>  
>
> *From:* cas-...@apereo.org 
> *On Behalf Of* Yan Zhou
> *Sent:* Wednesday, February 13, 2019 10:28 AM
> *To:* CAS Community
> *Subject:* [cas-user] CAS is Federated SSO?
>
>  
>
> Hello!
>
>  
>
> We have been using CAS in our enterprise quite well. Various apps inside 
> our corporation use the CAS protocol to achieve SSO.
>
>  
>
> A vendor wants to integrate with us and they agree that CAS is the single 
> identity provider. But, they want Open ID Connect or SAML2, not CAS 
> protocol. It is true that using standards is better, CAS protocol is very 
> light-weight, but it is not an industry standard. 
>
>  
>
> As far as I can tell, CAS4 and CAS5 do provide federated SSO (provided 
> that CAS is the only identity provider). Does that sound right?   If there 
> is one single identity provider, user does not authenticate against any 
> app., and app talks to CAS server.  It all sounds like Federated SSO to me. 
>
>  
>
> In this particular context, I do not know what Open ID Connect or SAML2 
> will offer that CAS protocol does not, other than we would be using a 
> standard protocol but a lot more complicated.
>
>  
>
> Thx!
>
> Yan
>


Re: [cas-user] CAS is Federated SSO?

2019-02-13 Thread Ray Bon
Yan,

If you have control of the client app, then set up CAS protocol.
Many third party apps and cloud service providers use SAML 2 or one of its 
'descendants' as a protocol. It has a rich set of features (more than SAML 1.1) 
and existed prior to CAS protocol 3 (I think).

Ray

On Wed, 2019-02-13 at 08:58 -0800, Yan Zhou wrote:
We have both CAS 4.1.9 and CAS 5.3.5.

True, we could support, but I do not see any benefit with all the extra work.

I am reading about Open ID Connect, other than the flow/payload, CAS protocol 
has very similar concepts. Technically, we can replace OpenID Connect with CAS 
protocol, and it should be just as secure, isn't it?

Yan

On Wednesday, February 13, 2019 at 10:41:30 AM UTC-5, oneill wrote:
Yan,

Sounds like you’re on the right track and CAS can probably continue to meet 
your SSO needs.

What version of CAS are you on now? With the right modules and configuration, a 
CAS server could support Open ID and SAML 2.0, in addition to CAS.

Tom

From: cas-...@apereo.org On Behalf Of Yan Zhou
Sent: Wednesday, February 13, 2019 10:28 AM
To: CAS Community
Subject: [cas-user] CAS is Federated SSO?

Hello!

We have been using CAS in our enterprise quite well. Various apps inside our 
corporation use the CAS protocol to achieve SSO.

A vendor wants to integrate with us and they agree that CAS is the single 
identity provider. But, they want Open ID Connect or SAML2, not CAS protocol. 
It is true that using standards is better, CAS protocol is very light-weight, 
but it is not an industry standard.

As far as I can tell, CAS4 and CAS5 do provide federated SSO (provided that 
CAS is the only identity provider). Does that sound right?   If there is one 
single identity provider, user does not authenticate against any app., and app 
talks to CAS server.  It all sounds like Federated SSO to me.

In this particular context, I do not know what Open ID Connect or SAML2 will 
offer that CAS protocol does not, other than we would be using a standard 
protocol but a lot more complicated.

Thx!
Yan

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



[cas-user] CAS 5.1.3 -> 5.3.7: Missing TGT creation?

2019-02-13 Thread Drew Liscomb
We are trying to upgrade from CAS 5.1.3 to 5.3.7 to get per-service JWT 
encryption & signing keys.
I believe I ported all of our customized code to the new versions of the 
files & classes in question:

   - CasCoreWebflowConfiguration - add 3 handled exceptions
   - DefaultLoginWebflowConfigurer - additional action states for 
   non-standard login flow
   - DefaultLogoutWebflowConfigurer - redirect to our version of 
   casFrontChannelLogoutAction
   - InitializeLoginAction - add in CSRF token; pass in some configuration 
   values into the flow scope
   - LogoutAction - URLDecode the service param; handle our session synch 
   cookie.
   - AbstractServiceValidateController - expose attributes for use in 
   service validation web page
   - login-webflow.xml - insert CSRF token validation; add 'change your 
   password' flow; 
   
Currently, I'm seeing that 
org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver.grantTicketGrantingTicketToAuthenticationResult()
 
is no longer creating the TGT that sendTicketGrantingTicketAction will 
later pack up into the TGC during login-webflow.
Blindly, I tried inserting createTicketGrantingTicketAction in the flow, 
but of course that didn't work.

Can someone point me to where CAS now expects to be creating the TGT?



Re: [cas-user] CAS 5.1.3 -> 5.3.7: Missing TGT creation?

2019-02-13 Thread Ray Bon
Drew,

How are you inserting your webflow?

From 5.2 to 6.x webflow has become more 'fine grained'. I created a gist, 
https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74, to help 
figure out where to make my flow inserts.

Ray


On Wed, 2019-02-13 at 10:22 -0800, Drew Liscomb wrote:
We are trying to upgrade from CAS 5.1.3 to 5.3.7 to get per-service JWT 
encryption & signing keys.
I believe I ported all of our customized code to the new versions of the files 
& classes in question:

  *   CasCoreWebflowConfiguration - add 3 handled exceptions
  *   DefaultLoginWebflowConfigurer - additional action states for non-standard 
login flow
  *   DefaultLogoutWebflowConfigurer - redirect to our version of 
casFrontChannelLogoutAction
  *   InitializeLoginAction - add in CSRF token; pass in some configuration 
values into the flow scope
  *   LogoutAction - URLDecode the service param; handle our session synch 
cookie.
  *   AbstractServiceValidateController - expose attributes for use in service 
validation web page
  *   login-webflow.xml - insert CSRF token validation; add 'change your 
password' flow;

Currently, I'm seeing that 
org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver.grantTicketGrantingTicketToAuthenticationResult()
 is no longer creating the TGT that sendTicketGrantingTicketAction will later 
pack up into the TGC during login-webflow.
Blindly, I tried inserting createTicketGrantingTicketAction in the flow, but of 
course that didn't work.

Can someone point me to where CAS now expects to be creating the TGT?

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



[cas-user] Re: CAS JWT Service ticket validation getting failed

2019-02-13 Thread dkopyle...@unicon.net
In the just released 2.2.0-GA version of the cas-client-autoconfig-support library, 
there is a new configuration option to turn off ticket validation 
interaction by the Java CAS client (useful for this exact use case of JWTs 
as tickets). It looks like this: cas.skipTicketValidation=true

Once that's set, after the authentication transaction, client apps will receive 
JWTs in the 'ticket' request parameter (if the CAS server is set up to do that, 
of course) and the CAS client will not attempt to validate it. Then you could 
do whatever you please with it.

Best,
D.

On Wednesday, 6 February 2019 10:38:18 UTC-5, srmudigan wrote:
>
> Hi Michele,
>
> Yes you are right, cas is not internally validating the JWT. The cas 
> client which in my case is spring boot based web app which is 
> using cas-client-autoconfig-support and with @EnableCasClient annotation. I 
> am using the validation-type: CAS3 in the client. And when I authenticate 
> against cas server, the cas is generating the JWT but the client is trying 
> to validate the JWT like ST by sending it back to cas.  Looks like the 
> client is using Cas20ServiceTicketValidator to validate the JWT ticket 
> which I think it should not. What changes did you do in client to not send 
> it back to cas for validating ? 
>
> Thanks,
> srmudiganti 
>
> On Wednesday, February 6, 2019 at 3:50:04 AM UTC-5, Michele Melluso wrote:
>>
>> Hi,
>>
>> cas is not supposed at all to internally validate the JWT, since it 
>> should be generated by cas only after the ST is internally validated (as 
>> it's shown on the documentation flow diagram).
>>
>> When it happened to me, it was because I was using a cas client which was 
>> applying the cas protocol providing back the ticket argument to the 
>> validation endpoint of cas.
>> Could you check that you are not using any cas client and provide your 
>> app code that you are using to validate the jwt?
>>
>> regards
>> Michele
>>
>> On Monday, February 4, 2019 at 7:24:23 PM UTC+1, srmudigan wrote:
>>>
>>> Hi Michele,
>>>
>>> I have gone through the link. But before I implement reading the token 
>>> on client side, I need to disable the validation happening on cas side. 
>>> Could you help me how to disable the validation that's happening on cas as 
>>> it's doing JWT validation like ST ticket? It looks like after JWT is 
>>> generated, it's getting validated on cas. The generated URL has 
>>> redirected=true&ticket=JWT-ticket. Maybe that's causing the automatic 
>>> validation? It looks like the jwt ticket is not even reaching client. So 
>>> can you please suggest how to stop the validation? 
>>>
>>> Thank you for your help.
>>>
>>> Regards,
>>> srmudiganti
>>>
>>>

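An added example, not part of the original post and not CAS project code: with `cas.skipTicketValidation=true` the client library no longer checks the `ticket` value, so the application has to verify the JWT itself before trusting any claim in it. The code assumes the CAS server issues an unencrypted HS256-signed JWT; the key, issuer and service URL are constructed sample values and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time


class TicketRejected(Exception):
    """Raised when the value of the 'ticket' parameter must not be trusted."""


def b64url_decode(segment):
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_ticket_jwt(ticket, key, issuer, audience, now=None, leeway=30):
    """Return the claims of an HS256-signed JWT, or raise TicketRejected."""
    parts = ticket.split(".")
    if len(parts) != 3:
        raise TicketRejected("not a three-part signed JWT")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
        signed_bytes = (header_b64 + "." + payload_b64).encode("ascii")
    except ValueError as exc:
        raise TicketRejected("malformed token") from exc

    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TicketRejected("unexpected signing algorithm")

    expected = hmac.new(key, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TicketRejected("signature mismatch")

    # Only parse and trust claims after the signature has been verified.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TicketRejected("malformed claims") from exc
    if not isinstance(claims, dict):
        raise TicketRejected("malformed claims")

    if claims.get("iss") != issuer:
        raise TicketRejected("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise TicketRejected("token was issued for a different service")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or current > exp + leeway:
        raise TicketRejected("token expired or has no expiry")
    return claims


def make_sample_ticket(claims, key, alg="HS256"):
    """Build a constructed token for the demo; stands in for what CAS would issue."""
    header_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return header_b64 + "." + payload_b64 + "." + b64url_encode(sig)


# Constructed sample values, not taken from any real deployment.
SAMPLE_KEY = b"constructed-demo-key-32-bytes-long!!"
SAMPLE_ISSUER = "https://cas.example.org/cas"
SAMPLE_SERVICE = "https://app.example.org/"
SAMPLE_NOW = 1550000000
SAMPLE_CLAIMS = {"sub": "casuser", "iss": SAMPLE_ISSUER,
                 "aud": SAMPLE_SERVICE, "exp": SAMPLE_NOW + 300}


def check(ticket, now=SAMPLE_NOW):
    """Return 'ok:<subject>' for an accepted ticket, or the rejection reason."""
    try:
        claims = verify_ticket_jwt(ticket, SAMPLE_KEY, SAMPLE_ISSUER,
                                   SAMPLE_SERVICE, now=now)
        return "ok:" + claims["sub"]
    except TicketRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    good = make_sample_ticket(SAMPLE_CLAIMS, SAMPLE_KEY)
    unsigned = make_sample_ticket(SAMPLE_CLAIMS, SAMPLE_KEY, alg="none")
    other = make_sample_ticket(dict(SAMPLE_CLAIMS, aud="https://other.example.org/"), SAMPLE_KEY)
    for label, ticket in [("valid", good), ("alg=none", unsigned), ("other service", other)]:
        print(label, "->", check(ticket))
    print("expired ->", check(good, now=SAMPLE_NOW + 3600))
```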


Re: [cas-user] CAS is Federated SSO?

2019-02-13 Thread Andy Ng
Hi Yan,

Our CAS server is concurrently supporting service providers connecting 
through OAuth, SAML and CAS Protocol, and the server is running healthy, so CAS 
does support you connecting through multiple protocols.

> I do not see any benefit with all the extra work.
From my own experience, some service providers use only SAML or only 
OpenID. So not allowing SAML/OpenID to connect to your server might be a 
missed opportunity in the long run.

Cheers!
- Andy




[cas-user] Cas Concurrent Load

2019-02-13 Thread Ramakrishna G
Hi All,

I am using Mod_auth_cas (CAS Client) & CAS Server on two different VMs. I
would like to measure the load that these systems can take at any
given time. I am using JMeter to pump in 1000's of login requests, but is
there a way to exactly measure the concurrent load these two systems can
handle & fine tune to get the maximum out of these two servers?

Thanks
Ramakrishna G



Re: [cas-user] Re: CAS integration with multiple OpenID Providers

2019-02-13 Thread P Shreyas Holla
Jérôme, I tried the url 
"http://localhost8080/cas/clientredirect?client_name=AzureAdClient&targetService=http://localhost:8080/app" 
which returns to the application url but with a serviceticket. Is it possible to 
get the OAuthCode/accesstoken, or can I get the accessToken using the 
serviceticket?

Thanks
Shreyas

On Wednesday, February 13, 2019 at 3:43:25 PM UTC+5:30, P Shreyas Holla 
wrote:
>
> Jérôme, is it possible to mention the application url as part of 
> /clientredirect like 
> "http://localhost:8080/cas/clientredirect?client_name=Google2Client&redirect_uri=http://test.com",
> after successful authentication from openid, I want to redirect to the 
> applications from which the request was received.
>
>
> Thanks
> Shreyas
>
>
> On Wednesday, January 23, 2019 at 1:29:10 PM UTC+5:30, leleuj wrote:
>>
>> Hi,
>>
>> Starting with the version 5.3, you have the /clientredirect URL with the 
>> service and client_name parameters. You may use that.
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Wed, 23 Jan 2019 at 05:54, P Shreyas Holla wrote:
>>
>>>
>>> leleuj, we want to achieve something like 
>>> *http://localhost:8080/cas?client_name=AzureAdClient* for Azure and 
>>> *http://localhost:8080/cas?client_name=GoogleClient* for the Google 
>>> provider. Would this be possible?
>>>
>>> Thanks
>>> Shreyas
>>>
>>> On Tuesday, January 22, 2019 at 8:00:29 PM UTC+5:30, leleuj wrote:
>>>>
>>>> Hi,
>>>>
>>>> You can log in at Azure or Google via the authentication delegation 
>>>> feature: 
>>>> https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#openid-connect-1
>>>>
>>>> Choosing the OpenID Connect provider per service is a customization.
>>>>
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> On Tuesday, 22 January 2019 09:58:39 UTC+1, P Shreyas Holla wrote:
>>>>>
>>>>> Suppose we have User1 and User2.
>>>>>
>>>>> 1) Whenever user1 accesses the application URL, he has to be redirected 
>>>>> to the Google login page,
>>>>>
>>>>> 2) Whenever user2 accesses the application URL, he has to be redirected 
>>>>> to the Microsoft Azure login page.
>>>>>
>>>>> On Tuesday, January 22, 2019 at 2:20:25 PM UTC+5:30, P Shreyas Holla 
>>>>> wrote:
>>>>>>
>>>>>> We need to integrate CAS with multiple OpenID Providers like with 
>>>>>> Google and Azure. How can we achieve it?
>>>>>>