[cas-user] phpCAS logging logins

2019-05-16 Thread Austin
Hello CAS-Users,

I am using phpCAS 1.3.7 and have the basic functionality working using your
simple example, which I include on all of the pages I want to be authenticated.
However, I would also like to log the user logins in my database after the
initial authentication. Is there any way to tell if the authentication is due
to a CAS login or if it's just authenticating against the phpCAS session
cookie?

Thanks,

Austin

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAKL84%3D%3D1OVbncDUfGj1zFY9vERU6iUxtf1tKHaXhKbGwTDcy4w%40mail.gmail.com.
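An added example, not from the post above and not phpCAS code, showing the distinction Austin asks about in Python: a login event exists only on the request that carries a service ticket and validates it; later requests are served from the session cookie and should not be logged again. The /serviceValidate responses, the session dict and the audit list are constructed stand-ins, and `fake_validator` replaces the HTTP call to the CAS server.

```python
"""Added example (not phpCAS and not from the post): tell a fresh CAS login
apart from a resumed session, and write an audit row only for the former."""
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # CAS 2.0/3.0 response namespace


def parse_service_validate(xml_text: str) -> Optional[str]:
    """Return the user named in a /serviceValidate success response, or None
    for an authenticationFailure (or a response with no user element)."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.find("cas:user", CAS_NS)
    return user.text.strip() if user is not None and user.text else None


# Constructed responses in the shape the CAS server returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>austin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_validator(service: str, ticket: str) -> str:
    """Stand-in for GET /serviceValidate?service=...&ticket=...; exactly one
    constructed ticket value validates."""
    return SUCCESS_XML if ticket == "ST-1-constructed" else FAILURE_XML


def authenticate(url: str, session: dict, audit_log: list,
                 validate: Callable[[str, str], str] = fake_validator) -> Tuple[Optional[str], str]:
    """Return (user, source).

    source is 'session' when the session cookie already names a user (no
    login happened now), 'login' when a ticket on this request was validated
    (the one moment worth an audit row), or 'redirect' when the caller must
    send the browser to the CAS login page.
    """
    if "user" in session:
        return session["user"], "session"
    parts = urlsplit(url)
    params = parse_qsl(parts.query)
    ticket = next((v for k, v in params if k == "ticket"), None)
    if ticket is None:
        return None, "redirect"
    # The service URL sent to CAS is the request URL with the ticket removed;
    # any other query parameters stay, or the ticket will not validate.
    query = urlencode([(k, v) for k, v in params if k != "ticket"])
    service = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
    user = parse_service_validate(validate(service, ticket))
    if user is None:
        return None, "redirect"       # bad or replayed ticket: never logged as a login
    session["user"] = user
    audit_log.append({"user": user, "service": service, "ticket": ticket})
    return user, "login"


def demo() -> list:
    """Three requests: ticket login (logged), session resume (not logged),
    forged ticket (rejected). Returns the three results and the audit size."""
    session, audit = {}, []
    out = [
        authenticate("https://app.example.test/page?ticket=ST-1-constructed", session, audit),
        authenticate("https://app.example.test/page", session, audit),
        authenticate("https://app.example.test/page?ticket=ST-forged", {}, audit),
    ]
    return out + [len(audit)]
```

With phpCAS the same split is visible before forceAuthentication() runs: phpCAS::isSessionAuthenticated() reports whether the session already holds a user, so a request that arrives with a ticket parameter and no authenticated session is the login to record.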


[cas-user] AWS Lambda CAS client

2019-05-16 Thread Jim Mulvey
Hi, we have an interest in a CAS client implemented in AWS, for use with Lambda 
or Lambda-at-edge. Has anyone implemented such a thing?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/DM5PR15MB128958193A78E98CA1E6C428F70B0%40DM5PR15MB1289.namprd15.prod.outlook.com.


Re: [cas-user] mod_auth_cas / phpCas - HTTP Apache Behind HTTPS Terminated Load Balancer

2019-05-16 Thread David Hawes
On Tue, 14 May 2019 at 13:22, 'Will Gleich' via CAS Community wrote:
> Has anyone else solved this problem – am I over-looking something? Perhaps I 
> can spoof HTTPS with some apache header change.

Have you tried using CASRootProxiedAs with the virtual host on your LB
and setting session affinity or sticky sessions or whatever your LB
calls it?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wAcE54a8RKB1wZ%3DTy%2B%2BbAU-ekNuwdktj%3DUOFYdpPTv%3DYQ%40mail.gmail.com.




Re: [cas-user] CAS with a stateless API

2019-05-16 Thread Ray Bon
The proxy mechanism of CAS works when both the proxied application (your API) 
and the client (SDK implementer) are registered in CAS.
Credentials are entered in CAS once (SSO); CAS sends the user a TGC (the TGT 
remains on the CAS server). The Ticket Granting Cookie is used to verify the SSO 
session for new services.
The proxy system does indeed work like your description in b). The client 
application gets a PGT (Proxy Granting Ticket) and for each request to your API 
will get a PT which your API will verify with CAS. There is a lot of back and 
forth but security is not free.

I suspect, but do not know, that the TGC is somehow tied to the browser. Unless 
the SDK is on the same domain as CAS, there is no way for the SDK to get the 
TGC. And even if it could, your API may not be able to use it. Think about it 
like this, if the cookie could be shared, what would be the point of log in.

If you want to use a single PT for all API calls, that can be done as well. But 
then you have no way to know if the SSO session has expired (but maybe that 
does not matter). And when your API session ends, how do you let the SDK know?

You could also create your own token and send that to the client as the first 
call to the API. But you still have all the session baggage to deal with.

All this is already handled by CAS. You save yourself (and SDK developers) a 
shitload of work for the cost of a few milliseconds and some network traffic.

If you are still interested in a token based system, look into OAUTH 2.0. It 
was designed for API access. If you need to add identity to the mix, OIDC is 
the place to be. These systems may provide more flexibility for end users of 
the SDK but perhaps a little more work on your part.

Ray

On Thu, 2019-05-16 at 13:33 -0700, Tõnis Ostrat wrote:
Let's walk through this step-by-step, maybe I can explain myself better or see 
the error of my ways. Either I'm just stupid (which is a real possibility :/ ) 
or we're talking about two different things.

Let's say that I have a working service accessible on 
"https://api.mydomain.com" and now I want to ship an SDK to my users. Are you 
telling me the SDK is supposed to both know how to interact with my service and 
the CAS server? If so then what exactly happens when the user wants to make 4 
requests to get information from my service?

Should the SDK
a) send the user's credentials to CAS every time, receive a new TGT, request a 
ST for my service with that TGT and then pass that to my service?
or
b) send the user's credentials once on instantiation, store the TGT and before 
the requests use that TGT to request a ST and then pass that to my service?

If it's the former then it's just a shitload of useless back-and-forth between 
CAS and the SDK

If it's the latter then what's the difference between
a) requesting a ST from CAS, sending it to me and having me validate it in CAS
vs
b) sending me the TGT itself and having me validate that in CAS

On Thursday, May 16, 2019 at 10:27:05 PM UTC+3, rbon wrote:
That is the purpose of tools like CAS. Let it manage user authentication. Some 
application (client in OAUTH) will interact with your API. There is CAS proxy 
protocol for this. Client app interacts with CAS for log in; when it wants to 
call your API, it gets a proxy ticket and sends it to your API; your API 
validates the ticket and does what it does.

You can also checkout OIDC and OAUTH for an alternative approach using tokens.

Your idea is sound. But you do not need to reinvent access methods.

Ray

On Thu, 2019-05-16 at 10:31 -0700, Tõnis Ostrat wrote:
I strongly discourage you from asking a user for credentials

How do you propose then that I have my users authenticate themselves to be able 
to use my API if it's a completely standalone back-end service with no GUI?

On Thursday, May 16, 2019 at 6:20:09 PM UTC+3, rbon wrote:
Tõnis,

I strongly discourage you from asking a user for credentials; security, break 
SSO, etc., etc.

There is a proxy option in CAS, 
https://apereo.github.io/cas/6.0.x/installation/Configuring-Proxy-Authentication.html

If the proxy option does not meet your needs then surely something else under 
https://apereo.github.io/cas/6.0.x/index.html Authentication | Methods (JWT or 
PAC4J might be good). You could also try OIDC, 
https://apereo.github.io/cas/6.0.x/protocol/OIDC-Protocol.html#openid-connect-protocol

Ray

On Thu, 2019-05-16 at 03:32 -0700, Tõnis Ostrat wrote:
Hey, everybody.

To preface this, I've tried both googling and looking through the discussions 
here but still haven't found an answer for the following situation.

I'm currently building a back-end service with no web-based nor native GUI and 
I'm having trouble coming up with a proper way to secure it with CAS (5.3, if 
that matters).

My plan right now is to have an endpoint in my API where the user can POST 
their credentials which I will forward to CAS's REST API (with the ID of my 
service) .I will then return the TGT that CAS gives me to the u
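The exchange Ray describes (option b, with a PGT and one PT per API call), as an added example that is not part of the thread or of the CAS project's code. `MockCasServer`, the SDK function and the API function are constructed stand-ins so the flow runs offline; the pgtIou callback that a real CAS server makes to the client's pgtUrl is left out. `https://api.mydomain.com` is the URL from the thread, the client callback URL and the credentials are made up.

```python
"""Added example (not CAS project code): in-memory model of the CAS proxy
flow. Ticket kinds and validation rules follow the CAS protocol; the server,
SDK and API below are constructed stand-ins so the exchange runs offline."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

API_URL = "https://api.mydomain.com"                        # from the thread
CLIENT_URL = "https://client.example.test/pgtCallback"      # constructed


@dataclass
class Ticket:
    user: str
    service: str                                # service the ticket was issued for
    proxies: List[str] = field(default_factory=list)   # proxy chain, nearest first
    used: bool = False                          # ST and PT are single-use


class MockCasServer:
    def __init__(self) -> None:
        self.tgts: Dict[str, str] = {}          # TGT id -> user (the SSO session)
        self.sts: Dict[str, Ticket] = {}
        self.pgts: Dict[str, Tuple[str, str]] = {}   # PGT id -> (user, holder URL)
        self.pts: Dict[str, Ticket] = {}

    def login(self, user: str, password: str) -> str:
        """Credentials are presented once. The TGT stays on the server; the
        browser only carries its id in the TGC cookie."""
        if password != "correct-horse":         # constructed credential check
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = user
        return tgt

    def service_ticket(self, tgt: str, service: str) -> str:
        """/login?service=...: an ST bound to one service, from a live TGT."""
        if tgt not in self.tgts:
            raise PermissionError("no SSO session")
        st = "ST-" + secrets.token_hex(8)
        self.sts[st] = Ticket(self.tgts[tgt], service)
        return st

    def service_validate(self, service: str, st: str,
                         pgt_url: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """/serviceValidate: consume the ST; when the client supplied a
        pgtUrl it also receives a PGT bound to that callback URL."""
        t = self._consume(self.sts, st, service)
        pgt = None
        if pgt_url:
            pgt = "PGT-" + secrets.token_hex(8)
            self.pgts[pgt] = (t.user, pgt_url)
        return t.user, pgt

    def proxy(self, pgt: str, target_service: str) -> str:
        """/proxy: mint a PT for target_service on behalf of the PGT holder."""
        if pgt not in self.pgts:
            raise PermissionError("INVALID_TICKET")
        user, holder = self.pgts[pgt]
        pt = "PT-" + secrets.token_hex(8)
        self.pts[pt] = Ticket(user, target_service, [holder])
        return pt

    def proxy_validate(self, service: str, pt: str) -> Tuple[str, List[str]]:
        """/proxyValidate: the API learns the user and who proxied for them."""
        t = self._consume(self.pts, pt, service)
        return t.user, list(t.proxies)

    @staticmethod
    def _consume(store: Dict[str, Ticket], ticket_id: str, service: str) -> Ticket:
        t = store.get(ticket_id)
        if t is None or t.used:
            raise PermissionError("INVALID_TICKET")     # unknown or replayed
        if t.service != service:
            raise PermissionError("INVALID_SERVICE")    # issued for someone else
        t.used = True
        return t


def api_handle(cas: MockCasServer, pt: str, trusted=(CLIENT_URL,)) -> str:
    """API side: validate the PT against its own URL, then accept only
    tickets proxied by a client it trusts."""
    user, chain = cas.proxy_validate(API_URL, pt)
    if not chain or chain[0] not in trusted:
        raise PermissionError("untrusted proxy chain")
    return user


def run_exchange(cas: MockCasServer, n_calls: int = 4):
    """SDK side of option b): log in once, obtain a PGT, then one PT per call."""
    tgt = cas.login("tonis", "correct-horse")
    st = cas.service_ticket(tgt, CLIENT_URL)
    user, pgt = cas.service_validate(CLIENT_URL, st, pgt_url=CLIENT_URL)
    results = [api_handle(cas, cas.proxy(pgt, API_URL)) for _ in range(n_calls)]
    return user, pgt, results


def rejected(fn) -> bool:
    """True when a CAS call refuses the ticket (raises PermissionError)."""
    try:
        fn()
    except PermissionError:
        return True
    return False
```

The API never sees credentials or the TGT: each PT is single-use, bound to the API's own URL, and carries the proxy chain, which is what lets the API refuse tickets minted through a client it does not trust.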

[cas-user] CAS 6.0.3 and DUO per service/ per attribute not forcing MFA

2019-05-16 Thread K S
I am having an issue running CAS 6.0.3 with MFA DUO per service / per attribute 
configured in JSON files. The configuration goes like this; at deploy time I 
also see the error below.


2019-05-16 13:44:54,091 WARN 
[org.apereo.cas.services.util.RegisteredServiceMultifactorPolicyDeserializationProblemHandler]
 
- 


application.properties 

cas.authn.mfa.duo[0].trustedDeviceEnabled=false
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=mfa-duo
cas.authn.mfa.duo[0].registrationUrl=https://xxx.yyy.zz/duo/
cas.authn.mfa.duo[0].rank=1
cas.authn.mfa.duo[0].duoSecretKey=3sdixxxpmXH7Z8OG
cas.authn.mfa.duo[0].duoApplicationKey=b382465d1f
cas.authn.mfa.duo[0].duoIntegrationKey=DIOTPXXQ6Y
cas.authn.mfa.duo[0].duoApiHost=apixxx.duosecurity.com


service_id.json


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https*://xxx.y.com.*",
  "name" : "Handshake",
  "description" : "",
  "id" : 1422000,
  "theme" : "MY",
  "evaluationOrder" : 45500,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "principalAttributeNameTrigger" : "memberOf",
    "principalAttributeValueToMatch" : "CN=IDM-duousers,OU=xx,DC=xx,DC=yy,DC=zz"
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "LOWER",
    "encryptUsername" : false
  }
}


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c37c2cf-49e9-4deb-8d12-37f22ebc3eec%40apereo.org.
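An added example (not CAS code and not part of the post) that evaluates the multifactorPolicy from the service JSON above against the attributes released for a principal, so the Duo trigger can be checked offline before another deploy. It assumes CAS applies principalAttributeValueToMatch as a full regular-expression match against each value of the trigger attribute, and that a policy with providers but no attribute trigger applies to every user of the service; both should be confirmed against the deployed version. The attribute sets it is called with are constructed.

```python
"""Added example (not CAS code): evaluate a service's multifactorPolicy
against a principal's released attributes."""
import json
import re

# Policy-relevant part of the service JSON from the post.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https*://xxx.y.com.*",
  "name" : "Handshake",
  "id" : 1422000,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "principalAttributeNameTrigger" : "memberOf",
    "principalAttributeValueToMatch" : "CN=IDM-duousers,OU=xx,DC=xx,DC=yy,DC=zz"
  }
}"""


def load_service(text: str = SERVICE_JSON) -> dict:
    return json.loads(text)


def unwrap_typed(value):
    """Jackson writes typed collections as ["java.util.LinkedHashSet", [...]];
    return the inner list, or the value unchanged when it is not wrapped."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        return value[1]
    return value


def mfa_providers_for(service: dict, principal_attrs: dict) -> list:
    """Provider ids that the policy selects for this principal ([] = no MFA).

    principal_attrs is the attribute map CAS resolved and released for the
    principal; values may be a single string or a list (multi-valued LDAP).
    """
    policy = service.get("multifactorPolicy") or {}
    providers = list(unwrap_typed(policy.get("multifactorAuthenticationProviders", [])))
    if not providers:
        return []
    name = policy.get("principalAttributeNameTrigger")
    pattern = policy.get("principalAttributeValueToMatch")
    if not name or not pattern:
        return providers        # assumed: no attribute trigger, MFA for every user
    values = principal_attrs.get(name, [])
    values = [values] if isinstance(values, str) else list(values)
    if not values:
        return []               # attribute not resolved/released: trigger cannot fire
    rx = re.compile(pattern)    # assumed: full match against each value
    return providers if any(rx.fullmatch(str(v)) for v in values) else []
```

The first thing to check when such a policy never fires is whether memberOf is resolved and released for the principal at all; the function returns an empty list for that case. Under the assumed semantics the pattern must also cover the whole value, so a DN with extra components does not trigger it either.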


Re: [cas-user] CAS with a stateless API

2019-05-16 Thread Tõnis Ostrat
Let's walk through this step-by-step, maybe I can explain myself better or 
see the error of my ways. Either I'm just stupid (which is a real 
possibility :/ ) or we're talking about two different things.

Let's say that I have a working service accessible on 
"https://api.mydomain.com" and now I want to ship an SDK to my users. Are 
you telling me the SDK is supposed to both know how to interact with my 
service *and* the CAS server? If so then what exactly happens when the user 
wants to make 4 requests to get information from my service?

Should the SDK
a) send the user's credentials to CAS every time, receive a new TGT, 
request a ST for my service with that TGT and then pass that to my service?
or
b) send the user's credentials once on instantiation, store the TGT and 
before the requests use that TGT to request a ST and then pass that to my 
service?

If it's the former then it's just a shitload of useless back-and-forth 
between CAS and the SDK

If it's the latter then what's the difference between
a) requesting a ST from CAS, sending it to me and having me validate it in 
CAS
vs
b) sending me the TGT itself and having me validate that in CAS

On Thursday, May 16, 2019 at 10:27:05 PM UTC+3, rbon wrote:
>
> That is the purpose of tools like CAS. Let it manage user authentication. 
> Some application (client in OAUTH) will interact with your API. There is 
> CAS proxy protocol for this. Client app interacts with CAS for log in; when 
> it wants to call your API, it gets a proxy ticket and sends it to your API; 
> your API validates the ticket and does what it does.
>
> You can also checkout OIDC and OAUTH for an alternative approach using 
> tokens.
>
> Your idea is sound. But you do not need to reinvent access methods.
>
> Ray
>
> On Thu, 2019-05-16 at 10:31 -0700, Tõnis Ostrat wrote:
>
> I strongly discourage you from asking a user for credentials
>
>
> How do you propose then that I have my users authenticate themselves to be 
> able to use my API if it's a completely standalone back-end service with no 
> GUI? 
>
> On Thursday, May 16, 2019 at 6:20:09 PM UTC+3, rbon wrote: 
>
> Tõnis,
>
> I strongly discourage you from asking a user for credentials; security, 
> break SSO, etc., etc.
>
> There is a proxy option in CAS, 
> https://apereo.github.io/cas/6.0.x/installation/Configuring-Proxy-Authentication.html
>
> If the proxy option does not meet your needs then surely something else 
> under https://apereo.github.io/cas/6.0.x/index.html Authentication | 
> Methods (JWT or PAC4J might be good). You could also try OIDC, 
> https://apereo.github.io/cas/6.0.x/protocol/OIDC-Protocol.html#openid-connect-protocol
>
> Ray
>
> On Thu, 2019-05-16 at 03:32 -0700, Tõnis Ostrat wrote:
>
> Hey, everybody. 
>
> To preface this, I've tried both googling and looking through the 
> discussions here but still haven't found an answer for the following 
> situation.
>
> I'm currently building a back-end service with no web-based nor native GUI 
> and I'm having trouble coming up with a proper way to secure it with CAS 
> (5.3, if that matters).
>
> My plan right now is to have an endpoint in my API where the user can POST 
> their credentials which I will forward to CAS's REST API (with the ID of my 
> service) .I will then return the TGT that CAS gives me to the user and on 
> any subsequent data request I will try to extract the same TGT (header, 
> cookie, whatever) and validate it by requesting a ST for my own service 
> from CAS. It *works *but it sounds a bit stupid because I don't actually 
> do anything with ST, it's just a confirmation call to make sure the TGT is 
> valid.
>
> This flow is the one I've managed to piece together basically on my own as 
> the REST API portion of the official documentation is really lacking in my 
> opinion.
>
> Is there a better solution to this problem?
>
> -- 
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b263d1f8-85db-4217-86f6-42635a4844b3%40apereo.org.


Re: [cas-user] CAS with a stateless API

2019-05-16 Thread Ray Bon
That is the purpose of tools like CAS. Let it manage user authentication. Some 
application (client in OAUTH) will interact with your API. There is CAS proxy 
protocol for this. Client app interacts with CAS for log in; when it wants to 
call your API, it gets a proxy ticket and sends it to your API; your API 
validates the ticket and does what it does.

You can also checkout OIDC and OAUTH for an alternative approach using tokens.

Your idea is sound. But you do not need to reinvent access methods.

Ray

On Thu, 2019-05-16 at 10:31 -0700, Tõnis Ostrat wrote:
I strongly discourage you from asking a user for credentials

How do you propose then that I have my users authenticate themselves to be able 
to use my API if it's a completely standalone back-end service with no GUI?

On Thursday, May 16, 2019 at 6:20:09 PM UTC+3, rbon wrote:
Tõnis,

I strongly discourage you from asking a user for credentials; security, break 
SSO, etc., etc.

There is a proxy option in CAS, 
https://apereo.github.io/cas/6.0.x/installation/Configuring-Proxy-Authentication.html

If the proxy option does not meet your needs then surely something else under 
https://apereo.github.io/cas/6.0.x/index.html Authentication | Methods (JWT or 
PAC4J might be good). You could also try OIDC, 
https://apereo.github.io/cas/6.0.x/protocol/OIDC-Protocol.html#openid-connect-protocol

Ray

On Thu, 2019-05-16 at 03:32 -0700, Tõnis Ostrat wrote:
Hey, everybody.

To preface this, I've tried both googling and looking through the discussions 
here but still haven't found an answer for the following situation.

I'm currently building a back-end service with no web-based nor native GUI and 
I'm having trouble coming up with a proper way to secure it with CAS (5.3, if 
that matters).

My plan right now is to have an endpoint in my API where the user can POST 
their credentials which I will forward to CAS's REST API (with the ID of my 
service) .I will then return the TGT that CAS gives me to the user and on any 
subsequent data request I will try to extract the same TGT (header, cookie, 
whatever) and validate it by requesting a ST for my own service from CAS. It 
works but it sounds a bit stupid because I don't actually do anything with ST, 
it's just a confirmation call to make sure the TGT is valid.

This flow is the one I've managed to piece together basically on my own as the 
REST API portion of the official documentation is really lacking in my opinion.

Is there a better solution to this problem?

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e749ed5f243b80aabb4d7f0f924397b19fce9e52.camel%40uvic.ca.


Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread jm
If you want to set up a usable CAS server and you are sure you will not 
need some extra features provided by apereo CAS, just take a look at CASino. 
It is written in Ruby and supports database credentials or LDAP credentials. 
It ran well before we migrated to apereo CAS; they set it up within 1 hour and 
migrated all web sites to CAS --- that's why we use apereo CAS now.

On Thursday, May 16, 2019 at 8:54:10 PM UTC+8, Va Sja wrote:
>
> Hello David,
> many thanks for your explanation. I am sure CAS works on many 
> production environments, and supports a lot of possible protocols and 
> standards. But...
> ...did you play with Lego? There you can be successful already in 20 
> minutes. Then you just increase your success step-by-step. Did you install 
> some server in the recent past? MySQL, Tomcat, Cassandra? How many steps do you 
> need to "read-download-install-configure-start-check"? Does it often take more 
> than 20 min to understand what you really do?
>
> As I and many other people have already explained: for CAS there is no 
> way to do it from read-2-check in 10 mins, 10 hours, or even in 10 days!
> ...the latest readable documentation is at minimum 2-3 years old. Then we 
> have a lot of linked and not readable pages. 
>   You can check yourself the link that you sent to me and try to answer 
> for
> a)  who needs to know as the first page about, for example:
>- Support for many SPs built in: Adobe Creative Cloud, Google Apps, 
> Office 365, 
> b) what version is possible to start with when on the same page there are: 
>- .. CAS 6._ , CAS 5., CAS 3.5 , CAS 5.2.7,  CAS 5.3.*x* .,CAS 4 ...
> c) where is the start ?
> d) what should I DO ? 
> e) do I really need so complex a solution, when it is not possible to set up 
> even Plain-User-Password-Auth for 1 web-site in weeks?
> f) there are a lot of left-menu-Items, but is that all I need to read and 
> understand for a very first installation? Create? Build? Configure? Install? 
> Commit? Add?
>
>  ( BTW even on the Intro-page there is no explanation of WHAT IS CAS!!!  You 
> have to search it somewhere else over Google? )
>
> I will appreciate your answers and constructive feedback without links 
> this time  !  We can then "attach it" to already existing Documentation 
> portals as only one new page like "CAS for Dummy" , "CAS for lazy admin" or 
> "CAS in 20 minutes" :) 
>
> Kindest regards
>
>
>
>
>
> On Thursday, May 16, 2019 at 14:02:00 UTC+2, David Curry wrote:
>>
>> Va,
>>
>> If you want 1-2-3 FINISH then perhaps, as Matthew already suggested, this 
>> is what you're looking for:
>>
>> https://dacurry-tns.github.io/deploying-apereo-cas/ 
>>
>>
>> It starts from zero knowledge of CAS and goes step-by-step to an 
>> installation that is running in production today. And it does it in 
>> increments, so you can check that things are working along the way. The 
>> initial "Building the CAS server" section will in fact get you a running 
>> server in 1-2-3-4-FINISH (create an overlay project, build the default 
>> server, edit a couple of config files, install and test).
>>
>> But just as "Hello World" is a pretty useless program, the CAS server 
>> you're going to get in 4 steps is a pretty useless server. If you want to 
>> use it to do any real work, you're going to have to configure it to talk to 
>> your user directories, define the services you want it to manage, figure 
>> out the attributes you need to release, perhaps enable multifactor 
>> authentication, customize the user interface to meet your corporate 
>> branding standards, perhaps enable other protocols like SAML2 or OAuth, 
>> perhaps add in support for high availability, etc. Every one of those 
>> things is supported by CAS, most of them in multiple flavors. But to use 
>> them, you're going to have to learn how to add them to the server and 
>> configure them. The above guide shows how to do that for one set (sometimes 
>> two) of choices; they may not be the choices you want, but it should be 
>> easy to extrapolate from one to another once you see how the basic setup 
>> works.
>>
>> If you don't want to exert the effort to learn how the software works, or 
>> don't have the patience to start a project that's going to take more than 
>> 20 minutes to complete, then perhaps doing it yourself isn't the right 
>> answer. There are  several third party service providers that will provide 
>> consulting expertise to help you configure and support it; some of them 
>> will even host and operate it for you.
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david...@newschool.edu
>>
>>
>> On Thu, May 16, 2019 at 6:47 AM Va Sja  wrote:
>>
>>> Matthew, you are fully right - there are a lot of much worse software as 
>>> well as documentation. And in case, when is the goal "getting as much as 
>>> more money for support" - it is exactly the right tactic -  to m

Re: [cas-user] Re: Anyone having issues with Duo today? (5/15/2019)

2019-05-16 Thread J Truts
Issue turned out to be internal - AD administrator removed all staff from
the IT department from the Duo access group.  :)

On Wed, May 15, 2019 at 10:23 AM J Truts  wrote:

> Thanks - per Duo Status everything seems up: https://status.duo.com/
>
> but it seems to be an error on their end since we haven't changed anything
> on our side.  Even with Debug logging on though I'm not seeing much of
> anything that would indicate an error with Duo other than the original log
> I posted (which I still haven't seen again).
>
> Josh
>
>
> On Wednesday, May 15, 2019 at 10:18:26 AM UTC-5, David Curry wrote:
>>
>> It's working fine for us (CAS 5.2.x).
>>
>> That error looks familiar though... I won't swear it's the same one, but
>> there was an outage a couple of months ago too, and that was a problem on
>> the Duo side.
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david...@newschool.edu
>>
>>
>> On Wed, May 15, 2019 at 10:51 AM J Truts  wrote:
>>
>>> Forgot to mention CAS version is 5.3.6.
>>>
>>> On Wednesday, May 15, 2019 at 9:50:03 AM UTC-5, J Truts wrote:

 Without having made any changes to our CAS application servers or
 services today Duo MFA challenge is no longer being presented after logging
 into CAS.

 We opened a call with Duo as well but haven't heard anything.

 I did notice this error in the logs:

 2019-05-15 07:45:04,820 WARN
 [org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationService] -
 >>> and detail [Wrong integration type for this API.] when determining user
 account.  This maybe a configuration error in the admin request and Duo
 will still be considered available>

 We have one Duo API setup with the "CAS" Integration Type and another
 with "WebSDK" - neither seems to be working though.  Since restarting the
 cas service though I haven't seen this error thrown again, but still no Duo
 challenge.

 Curious if anyone else is noticing issues with Duo?

 Thanks,

 Josh


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABOP7TQ84_nJ60cM77b%3D705F%2B-3A1hLKG5LYSO8NNAPOt9ZKXQ%40mail.gmail.com.


Re: [cas-user] CAS with a stateless API

2019-05-16 Thread Tõnis Ostrat

>
> I strongly discourage you from asking a user for credentials
>

How do you propose then that I have my users authenticate themselves to be 
able to use my API if it's a completely standalone back-end service with no 
GUI? 

On Thursday, May 16, 2019 at 6:20:09 PM UTC+3, rbon wrote:
>
> Tõnis,
>
> I strongly discourage you from asking a user for credentials; security, 
> break SSO, etc., etc.
>
> There is a proxy option in CAS, 
> https://apereo.github.io/cas/6.0.x/installation/Configuring-Proxy-Authentication.html
>
> If the proxy option does not meet your needs then surely something else 
> under https://apereo.github.io/cas/6.0.x/index.html Authentication | 
> Methods (JWT or PAC4J might be good). You could also try OIDC, 
> https://apereo.github.io/cas/6.0.x/protocol/OIDC-Protocol.html#openid-connect-protocol
>
> Ray
>
> On Thu, 2019-05-16 at 03:32 -0700, Tõnis Ostrat wrote:
>
> Hey, everybody. 
>
> To preface this, I've tried both googling and looking through the 
> discussions here but still haven't found an answer for the following 
> situation.
>
> I'm currently building a back-end service with no web-based nor native GUI 
> and I'm having trouble coming up with a proper way to secure it with CAS 
> (5.3, if that matters).
>
> My plan right now is to have an endpoint in my API where the user can POST 
> their credentials which I will forward to CAS's REST API (with the ID of my 
> service) .I will then return the TGT that CAS gives me to the user and on 
> any subsequent data request I will try to extract the same TGT (header, 
> cookie, whatever) and validate it by requesting a ST for my own service 
> from CAS. It *works *but it sounds a bit stupid because I don't actually 
> do anything with ST, it's just a confirmation call to make sure the TGT is 
> valid.
>
> This flow is the one I've managed to piece together basically on my own as 
> the REST API portion of the official documentation is really lacking in my 
> opinion.
>
> Is there a better solution to this problem?
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ceefdeff-c6fd-4544-a180-140a266230ad%40apereo.org.


[cas-user] CAS Error principal cannot be null

2019-05-16 Thread Juan Quintanilla
Hi,


We are running into an interesting issue when load testing our CAS 
implementation. It seems that after about 3 hours of load testing we begin to 
encounter the following error:


2019-05-16 12:57:30,074 WARN 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 - <'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point: 
execution(public org.apereo.cas.authentication.Authentication 
org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(org.apereo.cas.authentication.AuthenticationTransaction))>
java.lang.IllegalArgumentException: 'principal' cannot be null.


Once we encounter this error we cannot log into CAS anymore; we are just left on 
the login page. After a restart of Tomcat it starts working again. When checking 
the logs we can see that the authentication piece is working, as the attributes 
are being returned and the user is authenticated.


2019-05-16 12:57:29,855 DEBUG 
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 
2019-05-16 12:57:29,855 DEBUG 
[org.apereo.cas.authentication.AbstractAuthenticationManager] - 


We are running CAS 5.1.9 with Tomcat 8.5.41, Java 8 update 211, and Hazelcast 
for the ticket registry; we have also tested with MongoDB running on the web 
server and we encounter the same issue. I have also encountered the same issue 
when testing CAS 5.3.


We have checked memory and it doesn't seem to be the case where it runs out of 
memory.


If we have MongoDB running on a different server then we don't encounter the 
issue; the same goes for an Oracle database. It only happens when running on the 
same server as the CAS application.


Has anyone encountered anything similar to this?


Thanks!

___
Juan Quintanilla

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN6PR05MB51828093EAE4F7A4E1D098E5860A0%40SN6PR05MB5182.namprd05.prod.outlook.com.


Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread Ray Bon
Va,

I understand your frustration. It took me quite some time to learn and 
understand what goes on with CAS.

But, it solves a complex problem in a flexible way. Out of all the 
authentication mechanisms, you probably only need one. Which one is up to you.

You should be able to get the code from 
https://github.com/apereo/cas-overlay-template and run the Docker or embedded 
Tomcat within a few minutes. 
https://apereo.github.io/cas/6.0.x/installation/WAR-Overlay-Installation.html

You can also pay for support. We used Unicon, https://www.unicon.net/. (I am 
not affiliated with them.)

Ray

On Thu, 2019-05-16 at 05:54 -0700, Va Sja wrote:
Hello David,
many thanks for your explanation. I am sure CAS works in many production 
environments, and supports a lot of possible protocols and standards. But...
...did you play with Lego? There you can be successful already in 20 
minutes. Then you just increase your success step-by-step. Did you install some 
server recently? MySQL, Tomcat, Cassandra? How many steps did you need to 
"read-download-install-configure-start-check"? Does it often take more than 20 min 
to understand what you really do?

As I and many other people have already explained: for CAS there is no way to 
do it from read-2-check in 10 mins, 10 hours, or even in 10 days!
...the latest readable documentation is at minimum 2-3 years old. Then we have a 
lot of linked and unreadable pages.
  You can check yourself the link that you sent to me and try to answer:
a)  who needs to know on the first page about, for example:
   - Support for many SPs built in: Adobe Creative Cloud, Google Apps, Office 
365,
b) what version is possible to start with when on the same page there are:
   - .. CAS 6._ , CAS 5., CAS 3.5 , CAS 5.2.7,  CAS 5.3.x .,CAS 4 ...
c) where is the start?
d) what should I DO?
e) do I really need so complex a solution, when it is not possible to set up even 
Plain-User-Password-Auth for 1 web-site in weeks?
f) there are a lot of left-menu items, but is all of that what I need to read and 
understand for the very first installation? Create? Build? Configure? Install? Commit? Add?

 ( BTW even on the Intro page there is no explanation of WHAT IS CAS!!!  You have to 
search for it somewhere else over Google? )

I will appreciate your answers and constructive feedback without links this 
time!  We can then "attach it" to already existing documentation portals as 
only one new page like "CAS for Dummy", "CAS for lazy admin" or "CAS in 20 
minutes" :)

Kindest regards





On Thursday, 16 May 2019 at 14:02:00 UTC+2, David Curry wrote:
Va,

If you want 1-2-3 FINISH then perhaps, as Matthew already suggested, this is 
what you're looking for:

https://dacurry-tns.github.io/deploying-apereo-cas/

It starts from zero knowledge of CAS and goes step-by-step to an installation 
that is running in production today. And it does it in increments, so you can 
check that things are working along the way. The initial "Building the CAS 
server" section will in fact get you a running server in 1-2-3-4-FINISH (create 
an overlay project, build the default server, edit a couple of config files, 
install and test).

But just as "Hello World" is a pretty useless program, the CAS server you're 
going to get in 4 steps is a pretty useless server. If you want to use it to do 
any real work, you're going to have to configure it to talk to your user 
directories, define the services you want it to manage, figure out the 
attributes you need to release, perhaps enable multifactor authentication, 
customize the user interface to meet your corporate branding standards, perhaps 
enable other protocols like SAML2 or OAuth, perhaps add in support for high 
availability, etc. Every one of those things is supported by CAS, most of them 
in multiple flavors. But to use them, you're going to have to learn how to add 
them to the server and configure them. The above guide shows how to do that for 
one set (sometimes two) of choices; they may not be the choices you want, but 
it should be easy to extrapolate from one to another once you see how the basic 
setup works.

If you don't want to exert the effort to learn how the software works, or don't 
have the patience to start a project that's going to take more than 20 minutes 
to complete, then perhaps doing it yourself isn't the right answer. There are  
several third party service providers that will provide consulting expertise to 
help you configure and support it; some of them will even host and operate it 
for you.


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu


On Thu, May 16, 2019 at 6:47 AM Va Sja > wrote:
Matthew, you are fully right - there are a lot of much worse software as well 
as documentation. And in case, when is the goal "getting as much as more money 
for support" - it is exactly the right tactic -  to make documentation 
unusable, and relea

Re: [cas-user] CAS with a stateless API

2019-05-16 Thread Ray Bon
Tõnis,

I strongly discourage you from asking a user for credentials; security, breaking 
SSO, etc., etc.

There is a proxy option in CAS, 
https://apereo.github.io/cas/6.0.x/installation/Configuring-Proxy-Authentication.html

If the proxy option does not meet your needs then surely something else under 
https://apereo.github.io/cas/6.0.x/index.html Authentication | Methods (JWT or 
PAC4J might be good). You could also try OIDC, 
https://apereo.github.io/cas/6.0.x/protocol/OIDC-Protocol.html#openid-connect-protocol

Ray

On Thu, 2019-05-16 at 03:32 -0700, Tõnis Ostrat wrote:
Hey, everybody.

To preface this, I've tried both googling and looking through the discussions 
here but still haven't found an answer for the following situation.

I'm currently building a back-end service with no web-based nor native GUI and 
I'm having trouble coming up with a proper way to secure it with CAS (5.3, if 
that matters).

My plan right now is to have an endpoint in my API where the user can POST 
their credentials which I will forward to CAS's REST API (with the ID of my 
service). I will then return the TGT that CAS gives me to the user and on any 
subsequent data request I will try to extract the same TGT (header, cookie, 
whatever) and validate it by requesting an ST for my own service from CAS. It 
works but it sounds a bit stupid because I don't actually do anything with the ST; 
it's just a confirmation call to make sure the TGT is valid.

This flow is the one I've managed to piece together basically on my own as the 
REST API portion of the official documentation is really lacking in my opinion.

Is there a better solution to this problem?

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4a291bd5f14ef0711ed0f9d9d3d22a520c0490de.camel%40uvic.ca.


[cas-user] Re: CAS 5.3.9 Access Strategy Groovy script

2019-05-16 Thread Raphaël CHANE
Hello,

I'd like to do the same thing but I don't really understand the syntax, 
because I'm new to Groovy...

Hello guys, 
>
>
> I'm looking for a configuration of Access Strategy with a Groovy script. 
>
> I'd like to set some required attributes and a redirection URL. 
>
> For example, if the account attribute = Active, I'll be able to join the 
> service
>
> but 
>
> if the account attribute = blocked, I'll be redirected to 
> https://blocked.acc.html 
>
> or 
>
> if the account attribute = waiting, I'll be redirected to 
> https://waiting.acc/html
>
> Can someone help me? 
>
>
> best regards,
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5f2ddb3c-05ad-4117-82f9-3182752b81d7%40apereo.org.


Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread David Curry
Va,

The link I gave you was to documentation that I developed for use in my
organization. It was produced to meet our needs (not yours) and it does
that quite well. We contributed it to the community in the hopes that
others might find it useful, too. Apparently at least a few people have,
because they have let me know it was helpful to them. But we never
advertised it as being the perfect answer for everybody.

So if you don't like it or don't find it helpful, that's fine, nobody's
forcing you to use it.

Good luck with your project.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, May 16, 2019 at 8:54 AM Va Sja  wrote:

> Hello David,
> many thanks for your explanation. I am sure - CAS  works on many
> productions environments, and support a lot of possible protocols and
> standarts. But...
> ...did  You played with Lego? There you can be successful already in 20
> minutes. Then you just increase your success step-by-step. Did you install
> some server from latest past? MySQL, Tomcat, Cassandra? How many steps you
> need to "read-download-install-configure-start-check"? Is it oft takes more
> then 20 min to understand what you really do ?
>
> As I and many other peoples has already explained : for CAS there are no
> way to do it from read-2-check in 10 mins, 10 hours, and even in 10 days!
> ...the latests readable documentation is minimum 2-3 years old. Then we
> have a lot of linked and not readable pages.
>   You can check yourself the link, what you sendet to me and try to answer
> for
> a)  who need to know as first page about for ex ?:
>- Support for many SPs built in: Adobe Creative Cloud, Google Apps,
> Office 365,
> b) what version is possible to start when on the same page are:
>- .. CAS 6._ , CAS 5., CAS 3.5 , CAS 5.2.7,  CAS 5.3.*x* .,CAS 4 ...
> c) where is the start ?
> d) what should I DO ?
> e) am I really need so complex solution, when it is not possible to setup
> even Plain-User-Password-Auth for 1 web-site in weeks?
> f) there are a lot of left-menu-Items, but is all I need to read and
> understand for very first installation? Create? Build? Configure? Install?
> Commit? Add?
>
>  ( BTW even on Intro-page there are no explanation WHAT IS CAS!!!  You
> have to search it somewhere else over Google? )
>
> i will appreciate your answers and constructive feedback without links
> this time  !  We can then "attach it" to already existing Documentation
> portals as only one new page like "CAS for Dummy" , "CAS for lazy admin" or
> "CAS in 20 minutes" :)
>
> Kindest regards
>
>
>
>
>
> On Thursday, 16 May 2019 at 14:02:00 UTC+2, David Curry wrote:
>>
>> Va,
>>
>> If you want 1-2-3 FINISH then perhaps, as Matthew already suggested, this
>> is what you're looking for:
>>
>> https://dacurry-tns.github.io/deploying-apereo-cas/
>>
>>
>> It starts from zero knowledge of CAS and goes step-by-step to an
>> installation that is running in production today. And it does it in
>> increments, so you can check that things are working along the way. The
>> initial "Building the CAS server" section will in fact get you a running
>> server in 1-2-3-4-FINISH (create an overlay project, build the default
>> server, edit a couple of config files, install and test).
>>
>> But just as "Hello World" is a pretty useless program, the CAS server
>> you're going to get in 4 steps is a pretty useless server. If you want to
>> use it to do any real work, you're going to have to configure it to talk to
>> your user directories, define the services you want it to manage, figure
>> out the attributes you need to release, perhaps enable multifactor
>> authentication, customize the user interface to meet your corporate
>> branding standards, perhaps enable other protocols like SAML2 or OAuth,
>> perhaps add in support for high availability, etc. Every one of those
>> things is supported by CAS, most of them in multiple flavors. But to use
>> them, you're going to have to learn how to add them to the server and
>> configure them. The above guide shows how to do that for one set (sometimes
>> two) of choices; they may not be the choices you want, but it should be
>> easy to extrapolate from one to another once you see how the basic setup
>> works.
>>
>> If you don't want to exert the effort to learn how the software works, or
>> don't have the patience to start a project that's going to take more than
>> 20 minutes to complete, then perhaps doing it yourself isn't the right
>> answer. There are  several third party service providers that will provide
>> consulting expertise to help you configure and support it; some of them
>> will even host and operate it for you.
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david...@n

[cas-user] CAS 5.3.9 Access Strategy Groovy script

2019-05-16 Thread Debian HNT
Hello guys, 


I'm looking for a configuration of Access Strategy with a Groovy script. 

I'd like to set some required attributes and a redirection URL. 

For example, if the account attribute = Active, I'll be able to join the 
service

but 

if the account attribute = blocked, I'll be redirected to 
https://blocked.acc.html 

or 

if the account attribute = waiting, I'll be redirected to 
https://waiting.acc/html

Can someone help me? 


best regards,


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/17af6b60-5bb6-4b0b-a6d8-d79770f43cc9%40apereo.org.


Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread Va Sja
Hello David,
many thanks for your explanation. I am sure CAS works in many 
production environments, and supports a lot of possible protocols and 
standards. But...
...did you play with Lego? There you can be successful already in 20 
minutes. Then you just increase your success step-by-step. Did you install 
some server recently? MySQL, Tomcat, Cassandra? How many steps did you 
need to "read-download-install-configure-start-check"? Does it often take more 
than 20 min to understand what you really do?

As I and many other people have already explained: for CAS there is no 
way to do it from read-2-check in 10 mins, 10 hours, or even in 10 days!
...the latest readable documentation is at minimum 2-3 years old. Then we 
have a lot of linked and unreadable pages. 
  You can check yourself the link that you sent to me and try to answer:
a)  who needs to know on the first page about, for example:
   - Support for many SPs built in: Adobe Creative Cloud, Google Apps, 
Office 365, 
b) what version is possible to start with when on the same page there are: 
   - .. CAS 6._ , CAS 5., CAS 3.5 , CAS 5.2.7,  CAS 5.3.*x* .,CAS 4 ...
c) where is the start?
d) what should I DO? 
e) do I really need so complex a solution, when it is not possible to set up 
even Plain-User-Password-Auth for 1 web-site in weeks?
f) there are a lot of left-menu items, but is all of that what I need to read and 
understand for the very first installation? Create? Build? Configure? Install? 
Commit? Add?

 ( BTW even on the Intro page there is no explanation of WHAT IS CAS!!!  You have 
to search for it somewhere else over Google? )

I will appreciate your answers and constructive feedback without links this 
time!  We can then "attach it" to already existing documentation portals 
as only one new page like "CAS for Dummy", "CAS for lazy admin" or "CAS in 
20 minutes" :) 

Kindest regards





On Thursday, 16 May 2019 at 14:02:00 UTC+2, David Curry wrote:
>
> Va,
>
> If you want 1-2-3 FINISH then perhaps, as Matthew already suggested, this 
> is what you're looking for:
>
> https://dacurry-tns.github.io/deploying-apereo-cas/ 
>
>
> It starts from zero knowledge of CAS and goes step-by-step to an 
> installation that is running in production today. And it does it in 
> increments, so you can check that things are working along the way. The 
> initial "Building the CAS server" section will in fact get you a running 
> server in 1-2-3-4-FINISH (create an overlay project, build the default 
> server, edit a couple of config files, install and test).
>
> But just as "Hello World" is a pretty useless program, the CAS server 
> you're going to get in 4 steps is a pretty useless server. If you want to 
> use it to do any real work, you're going to have to configure it to talk to 
> your user directories, define the services you want it to manage, figure 
> out the attributes you need to release, perhaps enable multifactor 
> authentication, customize the user interface to meet your corporate 
> branding standards, perhaps enable other protocols like SAML2 or OAuth, 
> perhaps add in support for high availability, etc. Every one of those 
> things is supported by CAS, most of them in multiple flavors. But to use 
> them, you're going to have to learn how to add them to the server and 
> configure them. The above guide shows how to do that for one set (sometimes 
> two) of choices; they may not be the choices you want, but it should be 
> easy to extrapolate from one to another once you see how the basic setup 
> works.
>
> If you don't want to exert the effort to learn how the software works, or 
> don't have the patience to start a project that's going to take more than 
> 20 minutes to complete, then perhaps doing it yourself isn't the right 
> answer. There are  several third party service providers that will provide 
> consulting expertise to help you configure and support it; some of them 
> will even host and operate it for you.
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu 
>
>
> On Thu, May 16, 2019 at 6:47 AM Va Sja > 
> wrote:
>
>> Matthew, you are fully right - there are a lot of much worse software as 
>> well as documentation. And in case, when is the goal "getting as much as 
>> more money for support" - it is exactly the right tactic -  to make 
>> documentation unusable, and release as often as possible new releases with 
>> more and more features, that will be selled as a next. But it is not really 
>> the main vector for open-source, when you need weeks and some hundred gurus 
>> for install at least "HelloWorld".  And you point me again to some " very 
>> easy to follow guide " may be very informative but for my case unusable 
>> documentation, when I need really to jumping over hundreds links just to 
>> getting again the understanding - IT IS TOO COMPLEX TO UNDERSTAND. It is 
>> exactly " very ea

Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread David Curry
Va,

If you want 1-2-3 FINISH then perhaps, as Matthew already suggested, this
is what you're looking for:

https://dacurry-tns.github.io/deploying-apereo-cas/


It starts from zero knowledge of CAS and goes step-by-step to an
installation that is running in production today. And it does it in
increments, so you can check that things are working along the way. The
initial "Building the CAS server" section will in fact get you a running
server in 1-2-3-4-FINISH (create an overlay project, build the default
server, edit a couple of config files, install and test).

But just as "Hello World" is a pretty useless program, the CAS server
you're going to get in 4 steps is a pretty useless server. If you want to
use it to do any real work, you're going to have to configure it to talk to
your user directories, define the services you want it to manage, figure
out the attributes you need to release, perhaps enable multifactor
authentication, customize the user interface to meet your corporate
branding standards, perhaps enable other protocols like SAML2 or OAuth,
perhaps add in support for high availability, etc. Every one of those
things is supported by CAS, most of them in multiple flavors. But to use
them, you're going to have to learn how to add them to the server and
configure them. The above guide shows how to do that for one set (sometimes
two) of choices; they may not be the choices you want, but it should be
easy to extrapolate from one to another once you see how the basic setup
works.

If you don't want to exert the effort to learn how the software works, or
don't have the patience to start a project that's going to take more than
20 minutes to complete, then perhaps doing it yourself isn't the right
answer. There are  several third party service providers that will provide
consulting expertise to help you configure and support it; some of them
will even host and operate it for you.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, May 16, 2019 at 6:47 AM Va Sja  wrote:

> Matthew, you are fully right - there are a lot of much worse software as
> well as documentation. And in case, when is the goal "getting as much as
> more money for support" - it is exactly the right tactic -  to make
> documentation unusable, and release as often as possible new releases with
> more and more features, that will be selled as a next. But it is not really
> the main vector for open-source, when you need weeks and some hundred gurus
> for install at least "HelloWorld".  And you point me again to some " very
> easy to follow guide " may be very informative but for my case unusable
> documentation, when I need really to jumping over hundreds links just to
> getting again the understanding - IT IS TOO COMPLEX TO UNDERSTAND. It is
> exactly " very easy to follow " with a lot of links , but "absolutely not
> possible to understand what this manual about. Sorry that I am scream -
> otherwise I have to cry :)
>
> May be we understand the words "follow", "understand", "jump", "start",
> "finish", "result", "productivity" different?
>
> The documentation should help to focus to the problem, and your link make
> exactly opposite: it point me in next 2-3 sentences to jump to some another
> Web Page. Nothing more. But I need to know steps to success: 1-2-3-FINISH.
> And there are no complete story about "how to do install HelloWorld?". U
> cannot push all of it into your brain in  1 hour, 1 day, 1 week, but you
> need much more!
>
> May be U are absolutely right: "  the documentation does in fact tell me
> what I need to know ". And you a able to "getting started"! But it not help
> to finish some minimal positive result.
>
> Alternatively you have to pay for somebody else who know this software -
> that is the only one Idea, what you have to get from such documentation.
> Unfortunately...
> ...and it is not only my view. Fortunately! 8-)
>
> On Wednesday, 15 May 2019 at 15:10:46 UTC+2, Matthew Uribe wrote:
>>
>> Va,
>>
>> I would like to mention that your complaint is about a product that you
>> get to use *for free*. I support some paid software with worse
>> documentation. I do understand the frustration, as the learning curve is
>> steep, but that's where this community comes in. Everyone here tries to be
>> very helpful, giving one another their time *for free*. I've been
>> supporting CAS 5 in my organization now for just over a year, and I find
>> that the documentation does in fact tell me what I need to know. It's just
>> that getting started can be tough.
>>
>> Yet another free resource you may find helpful: David Curry, one of our
>> community members, created a very easy to follow guide to implementing CAS
>> 5. Check it out here:
>> https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html
>> 

[cas-user] Questions on pac4j saml module

2019-05-16 Thread Julien Gribonvald

Hi folks,
I have a few questions about the pac4j saml configuration:

 * is there a way to customize the button generated with the clientName
   text on the CAS login page? I mean using a displayName and a
   description; is there something already existing, or could I propose
   a Pull Request to be able to customize it?
 * How are you generating metadata after the cas server launch? The
   default configuration generates metadata, if it doesn't exist, only
   when a request is made. I would like this metadata to be available
   as soon as the cas is available, so that IDPs can request it before a
   user accesses it!
 * what is the best way to share generated files (metadata, keystore,
   certificates) between each CAS instance used in load-balancing (not
   in cluster)? I'm using a git repo to share my configurations only
   (in the /xxx/cas-properties/), but I'm not sure that is a good
   practice, even more so if we delete certificates and metadata to renew
   them. What is your advice / what are your practices?

Thanks
--
Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ee78d0d-152e-f384-9e1a-dc70efa4ead8%40recia.fr.


[cas-user] Re: CAS with a stateless API

2019-05-16 Thread Tõnis Ostrat
After looking at the docs again (and opening my eyes a bit more) I would 
make a small change to the token authentication method - instead of 
requesting a dummy ST for each request I just try to validate the TGT with 
this endpoint:

GET /cas/v1/tickets/[TGT]


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9be19816-87b1-4408-a5b5-07418e8fd166%40apereo.org.


[cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread Va Sja
Matthew, you are fully right - there is a lot of much worse software as 
well as documentation. And in the case when the goal is "getting as much 
money as possible for support" - it is exactly the right tactic - to make 
documentation unusable, and release new releases as often as possible with 
more and more features that will be sold as the next one. But it is not really 
the main vector for open-source, when you need weeks and some hundred gurus 
to install at least "HelloWorld".  And you point me again to some "very 
easy to follow guide" which may be very informative but for my case is unusable 
documentation, when I really need to jump over hundreds of links just to 
get again the understanding - IT IS TOO COMPLEX TO UNDERSTAND. It is 
exactly "very easy to follow" with a lot of links, but "absolutely not 
possible to understand what this manual is about". Sorry that I scream - 
otherwise I have to cry :)  

Maybe we understand the words "follow", "understand", "jump", "start", 
"finish", "result", "productivity" differently? 

The documentation should help to focus on the problem, and your link does 
exactly the opposite: it points me in the next 2-3 sentences to jump to some other 
web page. Nothing more. But I need to know the steps to success: 1-2-3-FINISH. 
And there is no complete story about "how to install HelloWorld?". You 
cannot push all of it into your brain in 1 hour, 1 day, 1 week; you 
need much more! 

Maybe you are absolutely right: "the documentation does in fact tell me 
what I need to know". And you are able to "get started"! But it does not help 
to finish some minimal positive result.

Alternatively you have to pay for somebody else who knows this software - 
that is the only idea that you have to get from such documentation. 
Unfortunately...
...and it is not only my view. Fortunately! 8-)

On Wednesday, 15 May 2019 at 15:10:46 UTC+2, Matthew Uribe wrote:
>
> Va,
>
> I would like to mention that your complaint is about a product that you 
> get to use *for free*. I support some paid software with worse 
> documentation. I do understand the frustration, as the learning curve is 
> steep, but that's where this community comes in. Everyone here tries to be 
> very helpful, giving one another their time *for free*. I've been 
> supporting CAS 5 in my organization now for just over a year, and I find 
> that the documentation does in fact tell me what I need to know. It's just 
> that getting started can be tough.
>
> Yet another free resource you may find helpful: David Curry, one of our 
> community members, created a very easy to follow guide to implementing CAS 
> 5. Check it out here:  
> https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html 
> 
>
> Matt
>
> On Wednesday, May 15, 2019 at 7:01:39 AM UTC-6, Va Sja wrote:
>>
>> As I see after almost 2 years documentation still don't getted better ...
>> ... there are no some 1-2-3-Specs to finish even HelloWorld with CAS. But 
>> the release number grows extremely. 3.6, 4.0-1-2-3, 5.0-1-2-3, 6.0. 
>>
>> So - looks like the developers stacked in the similar way as users :)   
>> I would wait till first release with suffix "STABLE", before start to use 
>> IT. After a week of rolling over LinkDoc-to-LinkDoc-to-LinkDoc-to-LinkDoc I 
>> give Up. Jan has created *___THE_BEST_MANUAL_EVER__ *, but currently on 
>> my side I reach the pont, that I can logIn, but* LogOut not works *as 
>> expected...
>>
>> Hope somebody from DigitalOcean  can 
>> repeat success from already thousand of HOW_TO like that : 
>> how-to-install-mysql-on-ubuntu-18-04 
>> 
>>  . 
>> It should be not harder as 10 mins, isn't- it?
>>
>>
>>
>> On Monday, 30 October 2017 at 14:50:43 UTC+1, Jan wrote:
>>>
>>> Hello,
>>>
>>> As a new user of CAS, I'd like to voice my opinion that the official 
>>> documentation of how one can get started with CAS is just awful. By this I 
>>> mean not the lack of it, but rather how indirect, not step-by-step it is. 
>>> Clarity could often be improved too.
>>>
>>> In the end I managed to do what I hoped for, i.e. investigate CAS locally 
>>> as an SSO solution, for which I needed to (1) run CAS server locally, (2) 
>>> connect and authenticate using a simple CAS client locally, (3) run the 
>>> service management app. However, the difficulty I had at most steps of 
>>> getting it all to work makes me really want to use something else even if I 
>>> have to implement parts of it from scratch.
>>>
>>> Only now, when wanting to post this message, did I find this helpful 
>>> guide: https://dacurry-tns.github.io/deploying-apereo-cas/ Could the 
>>> CAS team incorporate some step-by-step tutorial like this into the official 
>>> documentation?
>>>
>

[cas-user] CAS with a stateless API

2019-05-16 Thread Tõnis Ostrat
Hey, everybody.

To preface this, I've tried both googling and looking through the 
discussions here but still haven't found an answer for the following 
situation.

I'm currently building a back-end service with no web-based nor native GUI 
and I'm having trouble coming up with a proper way to secure it with CAS 
(5.3, if that matters).

My plan right now is to have an endpoint in my API where the user can POST 
their credentials which I will forward to CAS's REST API (with the ID of my 
service). I will then return the TGT that CAS gives me to the user and on 
any subsequent data request I will try to extract the same TGT (header, 
cookie, whatever) and validate it by requesting a ST for my own service 
from CAS. It *works* but it sounds a bit stupid because I don't actually do 
anything with the ST, it's just a confirmation call to make sure the TGT is 
valid.

This flow is the one I've managed to piece together basically on my own as 
the REST API portion of the official documentation is really lacking in my 
opinion.

Is there a better solution to this problem?

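The flow described in the post above (POST credentials to the CAS REST API, hand the TGT back to the caller, mint a service ticket per request), as an added example that is not the poster's code: it also redeems the ST at p3/serviceValidate, so each request ends in a validated user assertion from CAS rather than only a ticket-issuance success. The HTTP transport is an injected callable and `fake_cas` is a constructed stand-in for the server; the hostnames, credentials and ticket ids are made up.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS protocol XML
# Constructed serviceValidate responses (CAS 3.0 protocol shape) for the offline fake below.
SUCCESS_XML = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
               '<cas:authenticationSuccess><cas:user>alice</cas:user>'
               '</cas:authenticationSuccess></cas:serviceResponse>')
FAILURE_XML = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
               '<cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized'
               '</cas:authenticationFailure></cas:serviceResponse>')

def login(http, cas_base, username, password):
    """POST credentials to the REST API; the TGT id is the last path segment of Location."""
    status, headers, _ = http("POST", f"{cas_base}/v1/tickets",
                              urlencode({"username": username, "password": password}))
    if status != 201:
        raise PermissionError(f"CAS rejected credentials (HTTP {status})")
    return headers["Location"].rsplit("/", 1)[-1]

def service_ticket(http, cas_base, tgt, service):
    """Exchange the TGT for a service ticket; None means the TGT is expired or unknown."""
    status, _, body = http("POST", f"{cas_base}/v1/tickets/{tgt}", urlencode({"service": service}))
    return body.strip() if status == 200 else None

def validate(http, cas_base, st, service):
    """Redeem the ST at p3/serviceValidate and return the asserted user, or None on failure."""
    query = urlencode({"service": service, "ticket": st})
    status, _, body = http("GET", f"{cas_base}/p3/serviceValidate?{query}", None)
    if status != 200:
        return None
    success = ET.fromstring(body).find("cas:authenticationSuccess", CAS_NS)
    return success.findtext("cas:user", namespaces=CAS_NS) if success is not None else None

def authenticate_request(http, cas_base, tgt, service):
    """Per-request check: TGT -> ST -> validated user. Returns None if any step fails."""
    st = service_ticket(http, cas_base, tgt, service)
    return validate(http, cas_base, st, service) if st else None

def fake_cas(method, url, body):
    """Constructed stand-in for a CAS server so the example runs offline; not a real client."""
    if method == "POST" and url.endswith("/v1/tickets"):
        if body == urlencode({"username": "alice", "password": "s3cret"}):
            return 201, {"Location": url + "/TGT-1-example"}, ""
        return 401, {}, ""
    if method == "POST" and "/v1/tickets/" in url:
        return (200, {}, "ST-1-example") if url.endswith("/TGT-1-example") else (404, {}, "")
    if method == "GET" and "ticket=ST-1-example" in url and "service=" in url:
        return 200, {}, SUCCESS_XML
    return 200, {}, FAILURE_XML
```

Swapping `fake_cas` for a real transport (one that returns status, headers and body) turns this into the actual three-call flow against a CAS 5.x server.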