Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-13 Thread Baron Fujimoto

On Wed, May 06, 2020 at 08:40:51AM -1000, Baron Fujimoto wrote:

On Wed, May 06, 2020 at 02:15:39PM -0400, Daniel Fisher wrote:

On Wed, May 6, 2020 at 1:40 PM Baron Fujimoto  wrote:


On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote:

On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto  wrote:


We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
authentication and attributes. We were previously using Java 1.0.8_212
successfully. However, I recently upgraded the instance to use the current
version of Java (251), and after doing so noticed that the LDAP connections
quickly begin to time out with the following error:

javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms


Do you have a responseTimeout duration configured?


Not in our cas.properties, nor do I see a *responseTimeout in any of the
properties in the CAS 5.0.x cas.properties reference here:

<https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html>

For the JNDI, I only find

com.sun.jndi.ldap.connect.timeout
com.sun.jndi.ldap.read.timeout
sun.jndi.ldap.connect.pool.timeout

<https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html>

Can you elaborate on this responseTimeout?



Looks like this property isn't available in CAS until v5.1.0.

Can you tell how long these operations are waiting? With that value set to
-1 it should default to the system TCP timeout.


I'm not sure what the best way to determine that time period is. From our CAS
debug logs, I see:

2020-05-06 07:57:31,653 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] -
2020-05-06 07:57:31,653 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
2020-05-06 07:57:31,653 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
2020-05-06 07:57:31,654 DEBUG [org.ldaptive.SearchOperation] -
2020-05-06 07:57:31,657 DEBUG [org.ldaptive.provider.jndi.NamingExceptionUtils] -
2020-05-06 07:57:31,657 DEBUG [org.ldaptive.pool.SearchValidator] -
org.ldaptive.LdapException: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.; remaining name ''
   at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.0.jar:?]
   ...

So judging by the DEBUG timestamps, only 4 ms elapses between the start of the
AuthN attempt and the SearchValidator timeout failure. Should I try to
corroborate this via LDAP logs?



There are or were open bugs related to this:
https://bugs.openjdk.java.net/browse/JDK-8057017
I wonder if there is a regression in later versions of Java 8.


I did find, as noted in another branch of this thread, this bugfix in v231, 
which coincidentally(?) is the version where we begin to see this problem. It's 
the only reference I found in the JDK v221+ release notes to javax.naming or 
LDAP related bugs.



We're still wrestling with this, but have uncovered a few more details in case 
it provides any new insight into the problem.

1) Our LDAP is actually a cluster behind an F5 load balancer. If we point CAS
at a non-load-balanced LDAP host, we do not see the timeout problem. It appears
that both JDK 8u231+ *and* LDAP behind the load balancer are necessary
conditions to trigger the timeout error.

2) We've empirically determined that if we shorten the default value for the 
LDAP pool validation from 600s to, say, 60s 
(cas.authn.ldap[0].validatePeriod=60) then this also mitigates the timeout 
problem. The shortened pool validation period seems to be sufficient to 
function as some sort of keepalive.

3) In an attempt to simplify our troubleshooting, we also set minPoolSize = 
maxPoolSize = 1. However, there are several things from the logs I don't 
understand. Despite the poolSize being set to 1, CAS appears to attempt to 
periodically validate 3 connections, all of which routinely fail. Ex.:

2020-05-13 06:00:59,008 WARN [org.ldaptive.pool.BlockingConnectionPool] -
2020-05-13 06:00:59,087 WARN [org.ldaptive.pool.BlockingConnectionPool] -
2020-05-13 06:00:59,191 WARN [org.ldaptive.pool.BlockingConnectionPool] -
2020-05-13 06:01:59,008 WARN [org.ldaptive.pool.BlockingConnectionPool] -
2020-05-13 06:01:59,087 WARN [org.ldaptive.pool.BlockingConnectionPool] -
2020-05-13 06:01:59,192 WARN [org.ldaptive.pool.BlockingConnectionPool] -
2020-05-13 06:02:59,008 WARN [org.ldaptive.pool.BlockingConnectionPool] -
2020-05-13 06:02:59,087 WARN [org.ldaptive.pool.BlockingConnectionPool] -
2020-05-13 06:02:59,191 WARN [org.ldaptive.pool.BlockingConnectionPool] -


For each of these, there is a corresponding

2020-05-13 06:00:59,008 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - 
= 1 for 
[org.ldaptive.pool.BlockingConnectionPool@[...]
...
2020-05-13 06:00:59,059 DEBUG [org.ldaptive.BindOperation] - 
2020-05-13 06:00:59,062 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - 

As can be seen from the previous set of logs, 
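
The timestamp arithmetic from the message above, done mechanically over CAS/ldaptive log lines. This is an added example, not part of the original post or of CAS: the timestamps and logger names come from the post, the message texts are constructed placeholders (the archive shows them empty), and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] - ?(?P<msg>.*)$"
)
TIMEOUT = re.compile(r"timeout used:\s*(-?\d+)ms")

# Constructed sample: timestamps/loggers from the post, "<... (constructed)>" texts are placeholders.
SAMPLE_AUTHN = """\
2020-05-06 07:57:31,653 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <authn attempt (constructed)>
2020-05-06 07:57:31,653 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolve dn (constructed)>
2020-05-06 07:57:31,654 DEBUG [org.ldaptive.SearchOperation] - <execute request (constructed)>
2020-05-06 07:57:31,657 DEBUG [org.ldaptive.provider.jndi.NamingExceptionUtils] - <naming exception (constructed)>
2020-05-06 07:57:31,657 DEBUG [org.ldaptive.pool.SearchValidator] - <validation failed (constructed)>
org.ldaptive.LdapException: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.; remaining name ''
"""

POOL_TIMES = ["06:00:59,008", "06:00:59,087", "06:00:59,191",
              "06:01:59,008", "06:01:59,087", "06:01:59,192",
              "06:02:59,008", "06:02:59,087", "06:02:59,191"]
SAMPLE_POOL = "\n".join(
    f"2020-05-13 {t} WARN [org.ldaptive.pool.BlockingConnectionPool] - <validation failure (constructed)>"
    for t in POOL_TIMES
)


def parse_events(text):
    """Parse log4j-style lines; lines without a timestamp attach to the previous event."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
                "level": m["level"],
                "logger": m["logger"],
                "msg": m["msg"],
                "detail": [],
            })
        elif events and line.strip():
            events[-1]["detail"].append(line.strip())
    return events


def elapsed_ms(events, first_logger, last_logger):
    """Whole milliseconds from the first `first_logger` event to the next `last_logger` event."""
    start = next(e for e in events if e["logger"].endswith(first_logger))
    end = next(e for e in events
               if e["logger"].endswith(last_logger) and e["time"] >= start["time"])
    return (end["time"] - start["time"]) // timedelta(milliseconds=1)


def timeouts_used(events):
    """Every 'timeout used:<n>ms' value reported by JNDI, in log order."""
    found = []
    for e in events:
        found += [int(v) for v in TIMEOUT.findall("\n".join([e["msg"], *e["detail"]]))]
    return found


def bursts(events, logger, level="WARN", gap=timedelta(seconds=5)):
    """Group matching events into bursts separated by more than `gap`."""
    groups = []
    for e in events:
        if e["level"] != level or not e["logger"].endswith(logger):
            continue
        if groups and e["time"] - groups[-1][-1]["time"] <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def summarize_pool(events):
    """Return (failures per validation cycle, seconds between cycle starts)."""
    groups = bursts(events, "BlockingConnectionPool")
    sizes = [len(g) for g in groups]
    periods = [round((b[0]["time"] - a[0]["time"]).total_seconds())
               for a, b in zip(groups, groups[1:])]
    return sizes, periods


if __name__ == "__main__":
    authn = parse_events(SAMPLE_AUTHN)
    print("authn -> validator failure:",
          elapsed_ms(authn, "LdapAuthenticationHandler", "SearchValidator"), "ms")
    print("JNDI read timeout values:", timeouts_used(authn))
    print("pool validation cycles:", summarize_pool(parse_events(SAMPLE_POOL)))
```

Run against a real log, the same functions make the two observations in the post explicit: how quickly the "timed out" error is raised, and how many pool validation failures occur per cycle and at what period.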

Re: [cas-user] SAML attribute release error

2020-05-13 Thread Ray Bon
Bryan,

Check your app certificate for a valid date.

Ray

On Wed, 2020-05-13 at 10:50 -0600, Bryan Wooten wrote:
Hi all,

I wrote a brain dead simple CAS servlet that demos attribute release about 5 
years ago. Worked as expected.

But suddenly it does this:

HTTP Status 500 – Internal Server Error


Type Exception Report

Message org.jasig.cas.client.validation.TicketValidationException: Error 
processing SAML response

Description The server encountered an unexpected condition that prevented it 
from fulfilling the request.

Exception

javax.servlet.ServletException: 
org.jasig.cas.client.validation.TicketValidationException: Error processing 
SAML response


org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:227)


org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

Root Cause

org.jasig.cas.client.validation.TicketValidationException: Error processing 
SAML response


org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:162)


org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)


org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)


org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

Root Cause

org.jasig.cas.client.validation.TicketValidationException: Invalid SAML 
assertion


org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:128)


org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)


org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)


org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

Note The full stack trace of the root cause is available in the server logs.


I can't find any errors on the cas (5.x) server itself. Other apps hitting 
this cas server are not reporting any issues...

Any hints?

Cheers,


-Bryan

University of Utah

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2cfe1714f2659260dc9301cc5533e7d17a381483.camel%40uvic.ca.


Re: [cas-user] Account get locked in first failed login attempt

2020-05-13 Thread Ray Bon
Vikash,

See 
https://apereo.github.io/cas/6.1.x/installation/Configuring-Authentication-Throttling.html
Also check your ldap settings/logs to see if the issue is there.

Ray

On Wed, 2020-05-13 at 16:15 +0530, Vikash Chandra Ansh wrote:
Hi all,

I am getting an unusual behaviour. Currently I am using four ldaps for 
authentication. If suppose a user has entered wrong credentials at once, account 
is locked.
Kindly help me to resolve this.

I have added authentication type as authenticated.



--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] SAML attribute release error

2020-05-13 Thread Bryan Wooten
thanks, I am looking for a place to download the newest jar files...

so far I find: https://github.com/apereo/java-cas-client

I don't really want to build from scratch. Check maven central repo now...

-Bryan

On Wed, May 13, 2020 at 11:35 AM Daniel Ellentuck  wrote:

> Hi Bryan,
>
> Before debugging, I would bump up to the latest client (3.6.x).  Easy to
> do and might just fix it.
>
> Dan
>
>
> On Wed, May 13, 2020 at 1:17 PM Bryan Wooten  wrote:
>
>> cas-client-core-3.4.1.jar and cas-client-support-saml-3.40.jar
>>
>> I should have included that in the first place, apologies.
>>
>> -Bryan
>>
>> On Wed, May 13, 2020 at 11:00 AM Daniel Ellentuck 
>> wrote:
>>
>>> Hi Bryan,
>>>
>>> CAS client version, plus supporting libraries on your demo app?
>>>
>>> Dan
>>>
>>> Dan Ellentuck
>>> Columbia University I.T.
>>>
>>>

Re: [cas-user] SAML attribute release error

2020-05-13 Thread Daniel Ellentuck
Hi Bryan,

Before debugging, I would bump up to the latest client (3.6.x).  Easy to do
and might just fix it.

Dan


On Wed, May 13, 2020 at 1:17 PM Bryan Wooten  wrote:

> cas-client-core-3.4.1.jar and cas-client-support-saml-3.40.jar
>
> I should have included that in the first place, apologies.
>
> -Bryan
>
> On Wed, May 13, 2020 at 11:00 AM Daniel Ellentuck 
> wrote:
>
>> Hi Bryan,
>>
>> CAS client version, plus supporting libraries on your demo app?
>>
>> Dan
>>
>> Dan Ellentuck
>> Columbia University I.T.
>>
>>

Re: [cas-user] SAML attribute release error

2020-05-13 Thread Bryan Wooten
cas-client-core-3.4.1.jar and cas-client-support-saml-3.40.jar

I should have included that in the first place, apologies.

-Bryan

On Wed, May 13, 2020 at 11:00 AM Daniel Ellentuck  wrote:

> Hi Bryan,
>
> CAS client version, plus supporting libraries on your demo app?
>
> Dan
>
> Dan Ellentuck
> Columbia University I.T.
>
>


Re: [cas-user] SAML attribute release error

2020-05-13 Thread Daniel Ellentuck
Hi Bryan,

CAS client version, plus supporting libraries on your demo app?

Dan

Dan Ellentuck
Columbia University I.T.




[cas-user] SAML attribute release error

2020-05-13 Thread Bryan Wooten
Hi all,

I wrote a brain dead simple CAS servlet that demos attribute release about
5 years ago. Worked as expected.

But suddenly it does this:

HTTP Status 500 – Internal Server Error
--

*Type* Exception Report

*Message* org.jasig.cas.client.validation.TicketValidationException: Error
processing SAML response

*Description* The server encountered an unexpected condition that prevented
it from fulfilling the request.

*Exception*

javax.servlet.ServletException:
org.jasig.cas.client.validation.TicketValidationException: Error
processing SAML response

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:227)

org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

*Root Cause*

org.jasig.cas.client.validation.TicketValidationException: Error
processing SAML response

org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:162)

org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)

org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

*Root Cause*

org.jasig.cas.client.validation.TicketValidationException: Invalid
SAML assertion

org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:128)

org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)

org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:164)

*Note* The full stack trace of the root cause is available in the server
logs.


I can't find any errors on the cas (5.x) server itself. Other apps hitting
this cas server are not reporting any issues...

Any hints?

Cheers,


-Bryan

University of Utah



Re: [cas-user] CAS with LDAP: ObjectGUID retrieved with attribute repository different than with authentication handler

2020-05-13 Thread Jonathon Taylor
I think it's fine to share these and the pull requests are submitted.
You'll have to add both of these to your overlay in the appropriate
/src/main/java directories:

https://github.com/apereo/person-directory/commit/15d34378e9303d6be7d099d910bc4e7a7837bd06#diff-544920f35ec4115f8fefcec687ea43c3

https://github.com/apereo/cas/pull/4850/commits/242eaac3d2e570fe4f4557310cc5af5fbe66e57a

For that second one our consultant also had me place a *lombok.config* file
in the same path to address a build issue:

lombok.log.fieldName=LOGGER
lombok.log.fieldIsStatic=true
lombok.toString.doNotUseGetters=true
lombok.equalsAndHashCode.doNotUseGetters=true
lombok.addLombokGeneratedAnnotation = true
config.stopBubbling=true

Finally, in addition to adding
org.apereo.cas.cas-server-support-person-directory to our dependencies, I
had to add a bunch more in order to get our build to work.  We are still
using maven / pom.xml

org.apereo.cas.cas-server-support-person-directory ${cas.version}
org.apereo.cas.cas-server-core-authentication-api ${cas.version}
org.apereo.cas.cas-server-core-util-api ${cas.version}
org.apereo.cas.cas-server-support-ldap-core ${cas.version}
com.github.ben-manes.caffeine.caffeine 2.8.2
org.ldaptive.ldaptive 1.2.4
org.slf4j.slf4j-api 1.7.25
org.apache.logging.log4j.log4j-core 2.7
org.apache.logging.log4j.log4j-slf4j-impl 2.7
org.projectlombok.lombok 1.18.0



On Wed, May 13, 2020 at 12:54 AM Benjamin Bini  wrote:

> Thank you a lot for your answer, I feel less lonely with my issue!
> If you are allowed to share any code or patch I would gladly try to apply
> it to my instance to see if it fixes this.
>
> Have a nice day,
>
> Benjamin
>
> On Tuesday, May 12, 2020 at 18:53:40 UTC+2, Jonathon Taylor wrote:
>>
>> Benjamin,
>>
>> We are running into a similar issue with CAS 5.3.15.1.  In our case AD is
>> a secondary attribute repository and we specifically need the objectGUID.
>> We are seeing the same behavior where the GUID is not being converted
>> correctly.   We use a third-party vendor for CAS customizations/support (in
>> our case Unicon) and they helped identify a bug whereby it appears
>> the binaryAttributes property is not respected.
>>
>> We are testing a patch to both the CAS person-directory configuration and
>> the person-directory LDAP implementation that appears to fix the problem
>> by implementing support for binary attributes.  I'm hoping there will be
>> some pull requests for this soon.  I believe I can share what we have
>> tested so far if it sounds like what you are seeing.
>>
>> Jonathon
>>
>>
>>
>>
>>
>> On Tue, May 12, 2020 at 3:23 AM Benjamin Bini  wrote:
>>
>>> The property for AttributeRepository does not exist.
>>>
>>> For the authentication handler though it returns the GUID correctly.
>>>
>>> On Wednesday, May 6, 2020 at 04:14:31 UTC+2, dfisher wrote:

>>>> On Mon, May 4, 2020 at 4:42 AM Benjamin Bini wrote:
>>>>
>>>>> Is this a known issue? Is there a problem with my configuration? Can I
>>>>> do anything to solve this or provide any other information for someone to
>>>>> help me with this issue?
>>>>>
>>>>
>>>> If you add
>>>>
>>>> cas.authn.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID
>>>> and
>>>>
>>>> cas.authn.attributeRepository.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID
>>>>
>>>> Do you get the string representation of the objectGUID and are they the
>>>> same?
>>>>
>>>> --Daniel Fisher



[cas-user] Surrogate module extension

2020-05-13 Thread Raph C
Hi all,

In our previous version based on CAS 5.2 we decided to fork the webflow
and authentication modules to handle our own implementation. I'm currently
upgrading to 5.3.15.1 and I would like to extend the base module instead of
forking it, but I'm facing an issue: the bean SurrogateInitialAuthenticationAction
authenticationViaFormAction
(SurrogateAuthenticationWebflowConfiguration in surrogate-webflow) is not
easily overridable.

Do you know if there is any way to force our app to override the
authenticationViaFormAction bean definition?

NB: I already tried @Primary but it doesn't work. I thought of
AutoConfigureBefore but I'm not sure of the result.

Regards, 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d5a436ee-2158-47c4-9605-ffa317770bcc%40apereo.org.


[cas-user] Re: CAS V5.3 with Zoom SSO???

2020-05-13 Thread William E.
We did with SAML too, but with the Shibboleth "half" of our CAS+Shibboleth
combined service.  If you are looking for guidance using CAS as a SAML IdP
with it, sorry, can't help.

As for the integration, once you get it going, on the Zoom side you can map
attribute values to Zoom roles.  And it auto-creates a user account on first
SSO login to Zoom.

-William

On Tuesday, May 12, 2020 at 4:37:03 PM UTC-5, Keith Alston (Staff) wrote:
>
> Anyone set up Zoom SSO with CAS?? Any pointers/tips??
>
> -Keith Alston
> kei...@regent.edu
> Regent University
> 757-619-3421



Re: [cas-user] CAS with LDAP: ObjectGUID retrieved with attribute repository different than with authentication handler

2020-05-13 Thread Benjamin Bini
Thank you a lot for your answer, I feel less lonely with my issue!
If you are allowed to share any code or patch I would gladly try to apply 
it to my instance to see if it fixes this.

Have a nice day,

Benjamin

On Tuesday, May 12, 2020 at 18:53:40 UTC+2, Jonathon Taylor wrote:
>
> Benjamin,
>
> We are running into a similar issue with CAS 5.3.15.1.  In our case AD is 
> a secondary attribute repository and we specifically need the objectGUID.  
> We are seeing the same behavior where the GUID is not being converted 
> correctly.   We use a third-party vendor for CAS customizations/support (in 
> our case Unicon) and they helped identify a bug whereby it appears 
> the binaryAttributes property is not respected.
>
> We are testing a patch to both the CAS person-directory configuration and 
> the person-directory LDAP implementation that appears to fix the problem 
> by implementing support for binary attributes.  I'm hoping there will be 
> some pull requests for this soon.  I believe I can share what we have 
> tested so far if it sounds like what you are seeing.
>
> Jonathon
>
>
>
>
>
> On Tue, May 12, 2020 at 3:23 AM Benjamin Bini wrote:
>
>> The property for AttributeRepository does not exist.
>>
>> For the authentication handler though it returns the GUID correctly.
>>
>> On Wednesday, May 6, 2020 at 04:14:31 UTC+2, dfisher wrote:
>>>
>>> On Mon, May 4, 2020 at 4:42 AM Benjamin Bini  wrote:
>>>
>>>> Is this a known issue? Is there a problem with my configuration? Can I
>>>> do anything to solve this or provide any other information for someone to
>>>> help me with this issue?
>>>>
>>>
>>> If you add
>>>
>>> cas.authn.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID
>>> and
>>>
>>> cas.authn.attributeRepository.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID
>>>
>>> Do you get the string representation of the objectGUID and are they the 
>>> same?
>>>
>>> --Daniel Fisher
>>>

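
The binary-attribute problem discussed in this thread, as an added example (not code from CAS, ldaptive, or the patch mentioned above): Active Directory's objectGUID is 16 raw bytes, and the sketch below shows the byte order behind its string form and why handling the value as text corrupts it. The class name and the sample bytes are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.UUID;

public class ObjectGuidDemo {

    /** Convert the 16 raw bytes of an AD objectGUID to its canonical string form. */
    static String toGuidString(byte[] raw) {
        if (raw == null || raw.length != 16) {
            throw new IllegalArgumentException("objectGUID must be exactly 16 bytes");
        }
        // The first three fields are stored little-endian, the last 8 bytes as-is.
        ByteBuffer buf = ByteBuffer.wrap(raw).order(ByteOrder.LITTLE_ENDIAN);
        long data1 = buf.getInt() & 0xFFFFFFFFL;   // 4 bytes
        long data2 = buf.getShort() & 0xFFFFL;     // 2 bytes
        long data3 = buf.getShort() & 0xFFFFL;     // 2 bytes
        buf.order(ByteOrder.BIG_ENDIAN);
        long data4 = buf.getLong();                // 8 bytes
        return new UUID((data1 << 32) | (data2 << 16) | data3, data4).toString();
    }

    public static void main(String[] args) {
        // Constructed sample value, not taken from any real directory.
        byte[] raw = {
            (byte) 0x33, (byte) 0x22, (byte) 0x11, (byte) 0x00, (byte) 0x55, (byte) 0x44,
            (byte) 0x77, (byte) 0x66, (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB,
            (byte) 0xCC, (byte) 0xDD, (byte) 0xEE, (byte) 0xFF };

        System.out.println("binary-aware: " + toGuidString(raw));

        // Handling the value as text: bytes that are not valid UTF-8 are
        // replaced with U+FFFD, so the original 16 bytes cannot be recovered.
        String asText = new String(raw, StandardCharsets.UTF_8);
        byte[] roundTrip = asText.getBytes(StandardCharsets.UTF_8);
        System.out.println("survives string round trip: " + Arrays.equals(raw, roundTrip));
        System.out.println("length after round trip: " + roundTrip.length + " bytes");
    }
}
```

Running the same conversion on the raw bytes returned by the authentication handler and by the attribute repository is a quick way to tell whether one path has already turned the value into a string.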