[cas-user] How to SSO with normal web app and a restful client using RESTFUL api?

2019-04-29 Thread Chan Wai Lun
Hi all,

I have one app (APP A) using a RESTful client to SSO to CAS over the CAS protocol; it 
is a pac4j 3.6 client, with no redirection in the browser. I have another app (APP B) 
using Spring Security and following the normal redirection flow.
So when APP A logs in, the browser won't have a CASTGC on the CAS domain. 
The browser can only get this when accessing APP B.
Is it possible to SSO in this case?

Many thanks in advance.


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c331eea4-5666-40f5-b290-b2f1690fdbe8%40apereo.org.


Re: [cas-user] Issue with LPPE and memcached ticket registry

2019-04-29 Thread Windham, Gary D - (windhamg)
Doug, thank you very much for your feedback and the workaround. That does, 
indeed, fix the immediate issue at hand. Hopefully the Kryo serialization issue 
will be resolved soon.

Thanks again!
--Gary

--

Gary Windham

Principal Enterprise Systems Architect

University Information Technology Services

The University of Arizona



Email: windh...@email.arizona.edu

Office: +1 520 626 5981


On Sun, Apr 28, 2019 at 8:26 PM Doug Campbell 
<mailto:wdouglascampb...@gmail.com> wrote:
I don’t know if this is an ideal workaround, but I found in my case that if I changed 
the transcoder setting from KRYO to SERIAL, everything started working 
great.

cas.ticket.registry.memcached.transcoder: SERIAL

The documentation recommends using KRYO, stating “This component is 
recommended over the default Java serialization mechanism since it produces 
much more compact data, which benefits both storage requirements and 
throughput.”  There are two other options as well:  WHALIN and WHALINV1.

I am not sure if it really matters which one, but since the use of KRYO seems 
buggy, maybe the recommendation to use it is no longer the best.


From: cas-user@apereo.org 
[mailto:cas-user@apereo.org] On Behalf Of Doug 
Campbell
Sent: Monday, April 29, 2019 10:36 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] Issue with LPPE and memcached ticket registry

Gary,

I don’t have an answer, but I saw this same error yesterday when I was testing 
proxy authentication on my CAS 6.0.3 test setup.  In my case I haven’t 
configured LPPE.  I did try disabling it just now, but that seemed to have no 
effect, as the error still occurs.  In my case I am using spymemcached and not 
AWS ElastiCache.  For now I have switched back to the default InMemory ticket 
registry, and proxy authentication works fine with that.

If I figure out anything I will let you know, and if you discover a solution 
please do report back.

Thanks!

From: cas-user@apereo.org 
[mailto:cas-user@apereo.org] On Behalf Of Windham, Gary D - (windhamg)
Sent: Monday, April 29, 2019 9:28 AM
To: cas-user@apereo.org
Subject: [cas-user] Issue with LPPE and memcached ticket registry

Hi all,

I've been building/testing CAS v6.1.0 (HEAD), and was getting along fairly well 
until I ran into an error with LPPE and the memcached ticket registry I'm using.

I am using 389 Directory Server for LDAP authentication and have the password 
policy configured as follows:

# LDAP Password Policy Enforcement (LPPE) parameters
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].passwordPolicy.loginFailures=6
cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
cas.authn.ldap[0].passwordPolicy.warningAttributeName=
cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
cas.authn.ldap[0].passwordPolicy.warnAll=true
cas.authn.ldap[0].passwordPolicy.warningDays=30
cas.authn.ldap[0].passwordPolicy.accountStateHandlingEnabled=true
cas.authn.ldap[0].passwordPolicy.strategy=DEFAULT

I am using memcached (with AWS Elasticache support) and am using all of the 
defaults (just setting cas.ticket.registry.memcached.servers to the 
configuration endpoint node).

When I disable LPPE, everything works as expected (I can log in, get a TGC, ST 
validation works, etc.). When I enable LPPE and set my password expiration date 
to a threshold within 30 days, I get the expected "your password is about to 
expire" page, with the green "Continue" button. When I click that, I'm 
redirected to the CAS login page and the following errors appear in the log:

2019-04-29 01:10:22,684 ERROR 
[org.apereo.cas.ticket.registry.MemcachedTicketRegistry] - 
com.esotericsoftware.kryo.KryoException: 
com.esotericsoftware.kryo.KryoException: java.lang.IllegalArgumentException: 
Class is not registered: 
org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor
Note: To register this class use: 
kryo.register(org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor.class);

<...followed by big stack trace...>

Is there something I'm overlooking, or failed to add, in my config? Any 
pointers appreciated!

Thanks,
--Gary

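An added illustration, not code from this thread or from the CAS project: a stand-alone Java program against the Kryo 4.x API (com.esotericsoftware:kryo) showing how Kryo's registration requirement produces the "Class is not registered" failure in Gary's log, and that registering the class, as the note in the log suggests, lets the same object round-trip. The nested PasswordExpiringWarningMessageDescriptor is a stand-in that only shares its simple name with the CAS class; its fields are invented for the demo. Registration-required mode acts as a deserialization allowlist: the transcoder will only write and reconstruct types that were explicitly registered, which is the check the workaround above sidesteps by switching transcoders.

```java
// Added example (not from the thread or from CAS). Kryo 4.x API assumed.
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.KryoException;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;
import java.io.ByteArrayOutputStream;

public class KryoRegistrationDemo {

    // Stand-in for the CAS descriptor named in the log; fields are constructed for the demo.
    static class PasswordExpiringWarningMessageDescriptor {
        String code = "password.expiration.warning";
        long daysToExpiration = 12;
        PasswordExpiringWarningMessageDescriptor() {}
    }

    // registrationRequired=true is allowlist mode: only registered classes may be
    // written or read. Unregistered classes fail with IllegalArgumentException
    // "Class is not registered: ..." (the message seen in the CAS log).
    static Kryo newKryo(boolean registerDescriptor) {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        if (registerDescriptor) {
            // This is the call the Kryo error message recommends.
            kryo.register(PasswordExpiringWarningMessageDescriptor.class);
        }
        return kryo;
    }

    static byte[] serialize(Kryo kryo, Object value) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (Output out = new Output(bos)) {
            kryo.writeClassAndObject(out, value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) {
        Object descriptor = new PasswordExpiringWarningMessageDescriptor();

        // 1. Unregistered: fails before anything is written to the registry.
        try {
            serialize(newKryo(false), descriptor);
            System.out.println("unexpected: unregistered class was serialized");
        } catch (IllegalArgumentException | KryoException e) {
            System.out.println("unregistered -> " + e.getMessage());
        }

        // 2. Registered: the same object round-trips through the allowlisted Kryo.
        Kryo kryo = newKryo(true);
        byte[] bytes = serialize(kryo, descriptor);
        Object back = kryo.readClassAndObject(new Input(bytes));
        PasswordExpiringWarningMessageDescriptor restored =
                (PasswordExpiringWarningMessageDescriptor) back;
        System.out.println("registered -> round-trip ok, code=" + restored.code
                + " days=" + restored.daysToExpiration);
    }
}
```

Run it with the Kryo jar on the classpath; the first step prints the same "Class is not registered" text as the CAS log, the second prints the restored fields. In a CAS deployment the registration would have to happen inside the memcached transcoder's Kryo configuration rather than in user code, which is why the report reads as a CAS-side omission rather than a deployer misconfiguration.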

[cas-user] CAS 6.1 RC3 Release Announcement

2019-04-29 Thread Misagh Moayyed
CAS 6.1 RC3 is released: 
https://github.com/apereo/cas/releases/tag/v6.1.0-RC3 

--Misagh 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/205766402.885568.1556563758154.JavaMail.zimbra%40unicon.net.


[cas-user] How to disable the delegatedclientid HTTP parameter in a OpenIDConnect?

2019-04-29 Thread Boris P1
Good morning all,

We are migrating CAS to version 5.3.9.
The step we are attempting to realize is authentication delegation with 
OIDC.
Following the apereo.github documentation, we implemented the CAS 
overlay template to reach it.
Nevertheless, we have recently discovered that the Maven dependency related 
to pac4j, cas-server-support-pac4j-webflow, does not rigorously respect the 
OIDC protocol, because one class forces the delegatedclientid HTTP 
parameter to be in the URL handled by FranceConnect (implementing OIDC), 
which is explicitly not necessary with OIDC.
The class concerned is the following:
org.apereo.cas.web.DelegatedClientWebflowManager
Which is here:
https://github.com/apereo/cas/blob/master/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/DelegatedClientWebflowManager.java
 

During the delegation process, FranceConnect stops it and gives some 
information about this parameter:
"The following fields are not supposed to be present : delegatedclientid"
For information, the HTTP parameters present in the URL are the 
following:
scope
response_type
redirect_uri
state
nonce
delegatedclientid
client_id

Please, is this parameter really necessary in this class, or is there a way to 
disable it?

Boris.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/eccb20ec-6fb0-497e-8e4e-3e0b893e62e7%40apereo.org.


Re: [cas-user] CAS 6.x delegated auth chained with different attributeRepository

2019-04-29 Thread Julien Gribonvald

Thanks Misagh,

Ok, so don't hesitate to notify me when the feature is available.

Julien

Le 26/04/2019 à 20:36, Misagh Moayyed a écrit :
This isn't quite possible to do as you describe it today. I'd suggest 
you wait until 6.1 RC4, as this is being worked on somewhat. Otherwise, 
you might need to write your own authentication handler and in there 
decide how to fetch attributes based on the client, etc.


On Tuesday, April 16, 2019 at 2:33:04 AM UTC-7, Julien Gribonvald wrote:

Hi,

Sorry to re-run the question, but how can I do that? I've found how to 
define a policy with authenticationHandlers, but it doesn't help to chain 
with an attributeRepository.

Is it possible to do what I want, or should I chain all delegated 
authenticationHandlers with all attributeResolvers?

Thanks,

Julien


Le 12/04/2019 à 11:24, Julien Gribonvald a écrit :
> Hi,
>
> Is there something already existing to map a specific 
> authn.attributeRepository to a specific authn configuration?
>
> I have several kinds of external auth system, and so the attribute 
> resolution locally (local LDAP) should be done by different LDAP 
> search requests (and so attributeRepository); each authn system should 
> have its own attributeRepository, and I need to avoid chaining all 
> attributeRepository. Is it possible, or should I implement something?
>
> If I should implement something, could you tell me what is the best way 
> (and where to look)?
>
> I'm following the CAS master branch.
>
> Thanks,
>
-- 
Julien Gribonvald



--
Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6e7e710e-7bbc-f3e3-9db5-932605cadf1d%40recia.fr.