Re: [cas-user] Testing multiple sites (Drupal & Moodle) with cas server 5.2

2020-05-29 Thread Raph C
Hi Uma,

Is your CASTGS cookie sent with the second login (beginning at Drupal)?

On Tue, 24 Jul 2018 at 18:29, Ray Bon wrote:

> Uma,
>
> What happens when you go to drupal first then moodle?
>
> Ray
>
> P.S. your encoding for the drupal url is odd but I do not think that is
> what is causing the problem.
>
> On Tue, 2018-07-24 at 18:23 +0530, Uma Pathy wrote:
>
> Hi David,
>
> These are the URLs I tried here.
>
>
> https://cas5.2.eluminaelearning.com.au:8443/cas/login?service=https%3A%2F%2Fstaging.aipmupdate.eluminaelearning.com.au%2Flogin%2Findex.php%3FauthCAS%3DCAS=true
>
>
> https://cas5.2.eluminaelearning.com.au:8443/cas/login?gateway=true=https%3A//drupal.eluminaelearning.com.au/casservice%3Freturnto%3Dhttps%253A//drupal.eluminaelearning.com.au/user/login
>
> But I could not find the solution yet, even though I turned on debug mode in CAS.
>
> Thanks & Regards,
> J Umapathy
>
> On Mon, Jul 23, 2018 at 9:27 PM, Chia-Ying (David) Yang <
> yangchiay...@gmail.com> wrote:
>
> Hi Uma,
>
> The service definition looks ok.  If you haven't customized the login page
> yet, do both login pages display "HTTPS and IMAPS" (upper right)?  What are
> the URLs for the login pages?  Also, after logging in the first time, do
> you have a TGC cookie in your browser for localhost /cas?
>
> You need to turn on debug-level logging for CAS so you can see why the
> second login page is triggered.
>
> David
>
>
>
>
> On 07/23/2018 07:42 AM, Uma Pathy wrote:
>
> Hi David,
>
> Have you found anything for me regarding this issue?
>
> Thanks & Regards,
> J Umapathy
>
> On Sat, Jul 21, 2018 at 3:10 PM, Uma Pathy  wrote:
>
> Hi,
>
> Please find my service definition here.
>
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https|imaps)://.*",
>   "name" : "HTTPS and IMAPS",
>   "id" : 1001,
>   "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
>   "evaluationOrder" : 1
> }
>
> Thanks & Regards,
> J Umapathy
>
> On Fri, Jul 20, 2018 at 5:09 PM, David Yang 
> wrote:
>
> Sounds like SSO issue, please share your service definitions?
>
> David
>
>
>
> On Fri, Jul 20, 2018, 3:50 AM Uma Pathy  wrote:
>
> Hi,
>
> I am facing some issues in testing CAS server 5.2 with multiple sites
> (Drupal & Moodle). Please find my test steps below.
>
> *Expected Result & Test steps:*
> a. I go to the Moodle site and click the link 'CAS User' to be redirected
> to the CAS server.
> b. I log in to the CAS server; if the login is successful, I am redirected
> back to the Moodle site.
> c. The Moodle site creates a session for the user and allows him into
> the Moodle site.
> d. *I go to the Drupal site and click the link 'CAS Login' to be redirected
> to the CAS server.*
> *e. Since the CAS user is already logged in, it should skip the CAS login
> and redirect back to the Drupal site.*
> *f. Drupal will create a session for the user and allow him into
> Drupal.*
>
> *Actual Result:*
> a. Up to the Moodle site, it is working fine.
> b. But in Drupal:
> Once we click the CAS login, it redirects to the CAS server and displays
> the CAS login page. Only once we enter the username & password and the
> login is successful does it redirect back to Drupal, and then Drupal
> creates a session for the user and allows him in.
>
> Please help me to sort out the issue (when going to the CAS server from the
> Drupal site, since the CAS user is already logged in, the CAS login will
> have to be skipped and it will redirect to Drupal with Ticketid [TGT-XXX],
> then Drupal will proceed further).
>
> Thanks & Regards,
> J Umapathy
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/01f49e04-d0cd-4737-9213-edf183ed06c6%40apereo.org
> 
> .
>
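
The two login URLs posted in this thread can be checked mechanically for the `service` parameter CAS needs before it can issue a service ticket. The script below is an added example, not part of any message in the thread: `check_login_url` and `authorized` are hypothetical helper names, and `TIGHTER_PATTERN` is a constructed alternative to the wildcard `serviceId`, built from the two hostnames mentioned above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# serviceId from the service definition quoted in this thread: any HTTPS/IMAPS URL.
REGISTRY_PATTERN = r"^(https|imaps)://.*"
# Hypothetical tighter pattern (assumption): only the two hosts named in the thread.
TIGHTER_PATTERN = r"^https://(staging\.aipmupdate|drupal)\.eluminaelearning\.com\.au/.*"

# The two login URLs as posted in the thread.
MOODLE_URL = ("https://cas5.2.eluminaelearning.com.au:8443/cas/login?service="
              "https%3A%2F%2Fstaging.aipmupdate.eluminaelearning.com.au"
              "%2Flogin%2Findex.php%3FauthCAS%3DCAS=true")
DRUPAL_URL = ("https://cas5.2.eluminaelearning.com.au:8443/cas/login?gateway=true="
              "https%3A//drupal.eluminaelearning.com.au/casservice%3Freturnto%3D"
              "https%253A//drupal.eluminaelearning.com.au/user/login")


def authorized(service, pattern):
    """True when the decoded service URL matches the registry pattern."""
    return re.match(pattern, service) is not None


def check_login_url(url, pattern=REGISTRY_PATTERN):
    """Return (service, findings) for a CAS /login URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    service = params.get("service", [None])[0]
    findings = []
    if service is None:
        findings.append("no 'service' parameter: no service ticket can be issued")
    elif not authorized(service, pattern):
        findings.append("service is not authorized by the serviceId pattern")
    # gateway/renew are flags; anything other than "true" suggests a merged parameter.
    for flag in ("gateway", "renew"):
        for value in params.get(flag, []):
            if value != "true":
                findings.append(f"{flag} has unexpected value {value[:24]!r}...")
    return service, findings


if __name__ == "__main__":
    for name, url in (("moodle", MOODLE_URL), ("drupal", DRUPAL_URL)):
        service, findings = check_login_url(url)
        print(name, "service =", service)
        for finding in findings:
            print("   !", finding)
    # The wildcard pattern also authorizes hosts outside the deployment.
    for candidate in ("https://unrelated.example/app",
                      "https://drupal.eluminaelearning.com.au/casservice"):
        print(candidate, authorized(candidate, REGISTRY_PATTERN),
              authorized(candidate, TIGHTER_PATTERN))
```
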

Re: [cas-user] Update Authentication attribute during a renew

2020-05-29 Thread Raph C
Hi Ray,

No. In renew mode, if the user already has a valid session, CAS asks for
login/passwd, validates it and then generates a new Service Ticket linked to
the current tgt (the user's current CAS session). So authentication metadata
are not updated.

In this case, the client, when validating the Service Ticket, sees the
authentication metadata from the initial authentication, not the renew ones.

Regards

On Fri, 29 May 2020 at 17:55, Ray Bon wrote:

> Raph,
>
> Are you talking about ticket expiration?
> https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticket-Expiration-Policy.html
>
> Ray
>
> On Fri, 2020-05-29 at 07:43 -0700, Raph C wrote:
>
> Hi all,
>
> I'm using CAS version 5.3 and have multiple authentication handlers which
> support different kinds of credentials. So let's imagine the following flow:
>
> A/ The user authenticates with a custom credential (e.g. a header and not a
> login/password). All is OK, an authentication attribute (let's call it
> *amr*) is set on the tgt to state which authn method was used ... then a CAS
> session is started.
> B/ A few moments later (before the CAS session expires), the user agent is
> redirected to the login page with the renew param.
> C/ The user has to enter their login/password. After validating it with
> another authentication handler, CAS generates a new Service Ticket but
> leaves the tgt as is, without updating the *amr* attribute with the new
> value. Finally the CAS client will see outdated information.
>
> How can I force CAS to update my TGT authentication attribute before
> generating the service ticket?
>
> Thanks for your help
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>



Re: [cas-user] Update Authentication attribute during a renew

2020-05-29 Thread Ray Bon
Raph,

Are you talking about ticket expiration? 
https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticket-Expiration-Policy.html

Ray

On Fri, 2020-05-29 at 07:43 -0700, Raph C wrote:
Hi all,

I'm using CAS version 5.3 and have multiple authentication handlers which
support different kinds of credentials. So let's imagine the following flow:

A/ The user authenticates with a custom credential (e.g. a header and not a
login/password). All is OK, an authentication attribute (let's call it amr) is
set on the tgt to state which authn method was used ... then a CAS session is
started.
B/ A few moments later (before the CAS session expires), the user agent is
redirected to the login page with the renew param.
C/ The user has to enter their login/password. After validating it with another
authentication handler, CAS generates a new Service Ticket but leaves the tgt
as is, without updating the amr attribute with the new value. Finally the CAS
client will see outdated information.

How can I force CAS to update my TGT authentication attribute before generating
the service ticket?

Thanks for your help

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



[cas-user] Update Authentication attribute during a renew

2020-05-29 Thread Raph C
Hi all,

I'm using CAS version 5.3 and have multiple authentication handlers which
support different kinds of credentials. So let's imagine the following flow:

A/ The user authenticates with a custom credential (e.g. a header and not a
login/password). All is OK, an authentication attribute (let's call it *amr*)
is set on the tgt to state which authn method was used ... then a CAS session
is started.
B/ A few moments later (before the CAS session expires), the user agent is
redirected to the login page with the renew param.
C/ The user has to enter their login/password. After validating it with another
authentication handler, CAS generates a new Service Ticket but leaves the tgt
as is, without updating the *amr* attribute with the new value. Finally the CAS
client will see outdated information.

How can I force CAS to update my TGT authentication attribute before
generating the service ticket?

Thanks for your help 



[cas-user] Re: JWT without encryption key

2020-05-29 Thread dg
Hello, is there anybody who verifies JWTs with a Spring resource server? I have
a configuration like this. When I use a custom OAuth2 server, it works well,
but when I change to the CAS OAuth2 server, it cannot verify the JWT.

cas oauth2
cas.authn.token.crypto.enabled=true

cas.authn.token.crypto.signing-enabled=true
cas.authn.oauth.crypto.signing.key=RwBkYP2TGd1qobBQnW0mraR1jJ5_uBT65LlnpP8xe_sy3IiNQ_6SnNUxagwcPxHUudONBN_hEPRRUHxaAsTzgQ
cas.authn.token.crypto.encryption-enabled=false
cas.authn.token.crypto.encryption.key=


spring resource server config


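import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Shared signing secret, same string as configured on the CAS side.
    private String signKey =
            "RwBkYP2TGd1qobBQnW0mraR1jJ5_uBT65LlnpP8xe_sy3IiNQ_6SnNUxagwcPxHUudONBN_hEPRRUHxaAsTzgQ";

    // Verifies the JWT signature with the shared secret.
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signKey);
        return converter;
    }

    // Token store that reads everything from the JWT itself.
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    // Token services used by the resource server to load authentications.
    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }

}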

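
A shared-secret JWT verifies only when issuer and resource server agree on the HMAC algorithm and on how the configured key string is turned into bytes. The check below is an added example (not code from the post, from CAS or from Spring) that takes a token and the configured key and reports which reading of the key verifies it; the sample key and tokens are constructed, and `diagnose`, `candidate_keys` and `make_token` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import json

HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def candidate_keys(key_text):
    """The two usual readings of a configured secret: literal text or base64url."""
    keys = {"utf8-text": key_text.encode()}
    try:
        keys["base64url-decoded"] = b64url_decode(key_text)
    except ValueError:
        pass  # not valid base64url, so only the literal reading applies
    return keys


def diagnose(token, key_text):
    """Return (alg, key_reading) that verifies the token, or (alg, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ("JWE", None)  # encrypted token: no signature to check before decryption
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    alg = json.loads(b64url_decode(parts[0])).get("alg")
    if alg not in HASHES:
        return (alg, None)  # e.g. RS256: the shared secret is not the verification key
    signed = f"{parts[0]}.{parts[1]}".encode()
    signature = b64url_decode(parts[2])
    for reading, key in candidate_keys(key_text).items():
        expected = hmac.new(key, signed, HASHES[alg]).digest()
        if hmac.compare_digest(expected, signature):
            return (alg, reading)
    return (alg, None)


def make_token(alg, key, claims):
    """Build a constructed sample token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), HASHES[alg]).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


if __name__ == "__main__":
    secret = b64url_encode(b"constructed-sample-key-0123456789abcdef")  # constructed
    issued = make_token("HS512", b64url_decode(secret), {"sub": "casuser"})
    print(diagnose(issued, secret))
```

If the reported algorithm or key reading differs from what the resource server is configured to use, verification fails even though both sides hold the same key string.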


[cas-user] Re: What is sign key for JWT in CAS OAuth2?

2020-05-29 Thread dg
Hey, thanks for the response. I have tried both the cas.authn.token.crypto and
cas.authn.oauth.accessToken.crypto prefixes, but still get a validation error.
Does anybody know where the sign key is or how I can set the sign key?

By the way, I don't need to encrypt the JWT; just signing it is enough.



[cas-user] Re: v6.2-RC3 Attribute release problem

2020-05-29 Thread Francisco Castel-Branco
Never mind, I've figured it out.

Please add to the RC4 blog post that some properties had their keys changed.

In this case it was *cas.authn.attributeRepository* to
*cas.authn.attribute-repository*

On Fri, May 29, 2020 at 11:32 AM Francisco Castel-Branco <
franciscoc...@gmail.com> wrote:

> Hi,
>
> I've been testing v6.2-RC3 and it was working similarly to 6.1 for my
> configuration. Switching to v6.2-RC4 makes it no longer release
> attributes from repositories (I only have LDAPs to test out).
>
> Checking the blog post, link below, it doesn't mention anything about
> incompatibility. I'm using the same config for 6.1, 6.2-RC3 and 6.2-RC4,
> and RC4 is the only one to not work properly.
>
> In RC3, stuff like *Attribute Definition Store* (link below) is mentioned,
> but as it was working fine, I don't think that's the way to figure
> this out.
>
> Any suggestions?
>
> Sources:
>
>    - RC4 Blog post: https://apereo.github.io/2020/04/17/620rc4-release/
>    - RC3 Blog post (Attribute definition store):
>      https://apereo.github.io/2020/03/03/620rc3-release/#attribute-definitions-store
>
>
> Thanks
> --
> Francisco Castel-Branco
>


-- 
Francisco Castel-Branco



Re: [cas-user] Sign in with apple

2020-05-29 Thread Francisco Castel-Branco
Apple uses their REST API Authentication, which I think is not considered
an authentication standard. However, you should be able to configure
something like an "OAuth proxy" to interact with Apple's API. With a simple
search, I got a PHP version of this:

 https://github.com/patrickbussmann/oauth2-apple

Now, it's just a matter of pointing CAS OAuth2 delegation to the server you
configured for this hop.

CAS Delegation properties:
https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#pac4j-delegated-authn
OAuth2 Delegation properties:
https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#oauth20


*Source:*
API docs:
https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple

On Monday, 18/05/2020, 08:06, Koen De Jaeger wrote:

> I joined a project last week at work where they are using cas 5.x to login
> the user with Twitter, Facebook and Google. Now they want us to add 'Sign
> on with Apple'. Is there a reason why this is not implemented yet in 6.x?
>



[cas-user] v6.2-RC3 Attribute release problem

2020-05-29 Thread Francisco Castel-Branco
Hi,

I've been testing v6.2-RC3 and it was working similarly to 6.1 for my
configuration. Switching to v6.2-RC4 makes it no longer release
attributes from repositories (I only have LDAPs to test out).

Checking the blog post, link below, it doesn't mention anything about
incompatibility. I'm using the same config for 6.1, 6.2-RC3 and 6.2-RC4,
and RC4 is the only one to not work properly.

In RC3, stuff like *Attribute Definition Store* (link below) is mentioned,
but as it was working fine, I don't think that's the way to figure
this out.

Any suggestions?

Sources:

   - RC4 Blog post: https://apereo.github.io/2020/04/17/620rc4-release/
   - RC3 Blog post (Attribute definition store):
     https://apereo.github.io/2020/03/03/620rc3-release/#attribute-definitions-store


Thanks
-- 
Francisco Castel-Branco
