[cas-user] Re: gradlew getResource bug?

2020-08-24 Thread Pablo Vidaurri
It looks like an issue from tasks.gradle and the path separators:
projects\cas-overlay-template\build/cas-resources
which causes string mismatch with
def toResourceFile = resourceFile.replace(fromFile, resourcesDir)

I added/modified to the task.gradle file getResource function:
 def resourcesDir = "${projectDir}/src/main/resources"
 def fileName = results[0].name
 def toResourceFile = "${resourcesDir}/${fileName}"

Now it executes and places resource in project/src/main/resource

Not sure if this is the correct solution or not. I also expected if I
overlaid static/image/cas-logo that it would place in the
appropriate src/resources folder but that is not the case

-psv

On Thu, Aug 20, 2020 at 11:13 PM Pablo Vidaurri 
wrote:

> Using CAS 6.2 template and using the following command to overlay the
> message.properties file:
> gradlew getResource -PresourceName=messages.properties
>
> The file does not get copied into my src/main/resources folder. This is
> the output of the command:
> > Task :getResource
> Copied file
> D:\workspaces\Spring_Workspace\cas-overlay-template\build\cas-resources\messages.properties
> to
> D:\workspaces\Spring_Workspace\cas-overlay-template\build\cas-resources\messages.properties
>
> the From and To paths are the same. Is this a bug?
> -psv
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOe-DO9Bh%3DvqxRJswFW07RU69mgiFkedtDVqphL2SU4o4X%3DdQQ%40mail.gmail.com.
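
Why the copy reports identical From and To paths, and a mapping that also keeps sub-directories such as static/images, shown as an added example (not the overlay's tasks.gradle and not part of the post). Python's PureWindowsPath stands in for the Groovy string handling; the paths and function names are constructed.

```python
from pathlib import PureWindowsPath

# Constructed paths modelled on the output quoted in the thread.
PROJECT = r"D:\workspaces\cas-overlay-template"
FROM_DIR = PROJECT + "/build/cas-resources"        # mixed separators, as in the post
RESOURCES_DIR = PROJECT + "/src/main/resources"
FOUND_FILE = PROJECT + r"\build\cas-resources\messages.properties"
NESTED_FILE = PROJECT + r"\build\cas-resources\static\images\cas-logo.png"


def target_by_replace(resource_file, from_dir, resources_dir):
    """Literal substring replace, like resourceFile.replace(fromFile, resourcesDir)."""
    return resource_file.replace(from_dir, resources_dir)


def target_by_name(resource_file, resources_dir):
    """The workaround from the post: keep only the file name."""
    return str(PureWindowsPath(resources_dir) / PureWindowsPath(resource_file).name)


def target_by_relative_path(resource_file, from_dir, resources_dir):
    """Map the file by its path relative to from_dir, comparing parsed paths."""
    source = PureWindowsPath(resource_file)
    # Parsed paths treat '/' and '\' alike; raises ValueError if source is outside from_dir.
    relative = source.relative_to(PureWindowsPath(from_dir))
    if ".." in relative.parts:
        raise ValueError(f"refusing path with '..': {resource_file}")
    target = PureWindowsPath(resources_dir) / relative
    if target == source:
        raise ValueError("source and target are the same file")
    return str(target)


if __name__ == "__main__":
    # The substring is never found, so the "target" is the source path itself.
    print("replace      :", target_by_replace(FOUND_FILE, FROM_DIR, RESOURCES_DIR))
    # File-name-only mapping flattens nested resources.
    print("name only    :", target_by_name(NESTED_FILE, RESOURCES_DIR))
    # Relative-path mapping keeps static\images\ under src\main\resources.
    print("relative path:", target_by_relative_path(NESTED_FILE, FROM_DIR, RESOURCES_DIR))
```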


Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-24 Thread Jérôme Steve
Hi Nikolas,

So after looking at your configuration, no, it's not "normal". Claims should
appear on the top level and not in an attributes claim.

First, try to remove your attributeReleasePolicy in your service.json.

Also I haven't tested 6.2, I'm still on 6.1. So maybe it's an improvement,
but "attributes" is not a standard claim in OIDC ...



On Sun, Aug 23, 2020 at 07:39, Nikolas Stylianides wrote:

> Hi Jerome. Please find below the configuration file and the service file.
>
> Service File
> ============
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "...",
>   "name" : "MYSERVICE",
>   "id" : 105,
>   "clientId": "...",
>   "clientSecret": "...",
>   "supportedGrantTypes": [ "java.util.HashSet", [ "AUTHORIZATION_CODE", "CLIENT_CREDENTIALS", "PASSWORD", "REFRESH_TOKEN" ] ],
>   "scopes": [ "java.util.HashSet", [ "openid", "profile", "email", "myownscope" ] ],
>   "supportedResponseTypes": [ "java.util.HashSet", [ "code", "token", "id_token", "id_token token", "code token" ] ],
>   "theme": "apereo",
>   "description" : "This service definition allows authorized applications that support HTTPS protocol.",
>   "evaluationOrder" : 10,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "givenName" : "givenName",
>       "mail" : "mail",
>       "cn" : "profile",
>     }
>   },
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   }
> }
>
> LDAP Configuration
> 
>
> cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber
>
> OID Connect configuration (the ones that are related to claims)
> 
> cas.authn.oidc.subject-types=public
>
> cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
>
> cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>
> # Add more claims. They will appear in the "attributes" claim.
> #
> cas.authn.oidc.claimsMap.email=mail
> #cas.authn.oidc.claimsMap.preferred_username=given_name
> cas.authn.oidc.claimsMap.given_name=givenName
>
>
>
>
>
>
> On Sat, Aug 22, 2020 at 6:33 PM Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> I will send you the configuration files.
>> I am not declaring any attribute claim.
>>
>> email is both a scope and a claim.
>>
>>
>> On Sat, Aug 22, 2020, 16:35, Jérôme Steve <
>> jerome.st...@gmail.com> wrote:
>>
>>> If you define a custom claim "attributes" it's normal I think.
>>>
>>> Show me your custom configuration to be sure.
>>>
>>> On Sat, Aug 22, 2020 at 15:16, Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 I have gone this further.
 I declare a SCOPE of my own. With specific CLAIMS.
 And these claims are mapped to attributes.

 All claims appear in field "attributes" and not in the top hierarchy.
 Is this normal?





 On Sat, Aug 22, 2020 at 3:43 PM Nikolas Stylianides <
 nstyliani...@gmail.com> wrote:

> Hi Jerome. Keep in mind that my CAS release is 6.2.1.
>
> I have no attributes.username since I collect my attributes during the
> LDAP authentication.
> I have also tried mapping claims to attributes with no luck.
>
>
> In the documentation it says that if no mapping is provided then the
> attribute names must match the claim names. I do that also in my service
> definition file.
> Still no luck.
>
> All claims are included under the field "attributes"
>
> Which is not the response I expect.
>
> Has anyone solved this in 6.2.1?
> Maybe it is a bug?
>
> On Sat, Aug 22, 2020, 12:49, Jérôme Steve <
> jerome.st...@gmail.com> wrote:
>
>> First, I think you have to define attributes.username corresponding to
>> your login:
>>
>>
>> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html
>>
>> After that you have to map attributes to claims:
>>
>>
>> https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims
>>
>>
>>
>> On Sat, Aug 22, 2020 at 10:34, Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> Anyone with an answer for this behavior?
>>> I can now release attributes but only under the field "attributes".
>>> Anything I am missing to be able to release claims in the format:
>>> {
>>> "email": "inf...@gmail.com ",
>>> "given_name": "test",
>>> 

Re: [cas-user] CAS-Management not starting due to Self Signed Certificate Error - Anyone?

2020-08-24 Thread Colin Ryan

Ray,


I'll try it but the public key for it already is as it's the same cert 
I was using for the /cas deployment itself in an external tomcat 
deployment. It was complaining about un-trusted certs until I did that.



Colin

On 8/24/20 3:47 PM, Ray Bon wrote:

Colin,

Maybe add your certificate to the java keystore. 
https://docs.oracle.com/cd/E54932_01/doc.705/e54936/cssg_create_ssl_cert.htm#CSVSG180


Ray

Re: [cas-user] CAS-Management not starting due to Self Signed Certificate Error - Anyone?

2020-08-24 Thread Ray Bon
Colin,

Maybe add your certificate to the java keystore. 
https://docs.oracle.com/cd/E54932_01/doc.705/e54936/cssg_create_ssl_cert.htm#CSVSG180

Ray

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt 

Re: [cas-user] CAS-Management not starting due to Self Signed Certificate Error - Anyone?

2020-08-24 Thread Colin Ryan

Folks,

So I've still not managed to move past this. Even started from scratch.

git clone https://github.com/apereo/cas-management-overlay.git

git checkout 6.0.x

./build.sh clean

./build.sh run - breaks because it can't seem to find some of the 
required components for the 6.0.x gradle.properties of 6.0.2-SNAPSHOT


So I go fine, old branch, I'll try master.

git checkout master

./build.sh clean

./build.sh run


gives again the whole dialog below. It cannot open my keystore file. But 
the keystore file is fine. In fact as mentioned below if I change 
reference to the file it errors out appropriately, indicating it's 
consuming the correct configuration.


At this point I can't seem to get the Management Interface to function. 
As you can see also below I even created a new self signed keystore with 
a basic password thinking that maybe special characters were the issue. 
No go, again was working before my development environment blew up. I 
have a backup of it, but build and run for that can't find components 
(old branch?).


Any idea what stupidity I'm missing?

Thanks


On 8/12/20 12:43 PM, Colin Ryan wrote:


Folks,

I'm nearly embarrassed having to ask this but I'm having issues 
starting up the Management Interface in the embedded Tomcat scenario.


The error is technically obvious:

Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe 
contents entry: javax.crypto.BadPaddingException: Given final block not 
properly padded. Such issues can arise if a bad key is used during decryption.


Environment is:

CAS Version: 6.1.0-RC4
CAS Commit Id: caabdd579ab6190a896de03ceeeb1b26d0bab81a
CAS Build Date/Time: 2020-08-12T16:06:56.197Z
Spring Boot Version: 2.2.0.M3
Spring Version: 5.2.0.M2
Java Home: /Library/Java/JavaVirtualMachines/jdk-11.0.7.jdk/Contents/Home
Java Vendor: Oracle Corporation
Java Version: 11.0.7
JVM Free Memory: 240 MB
JVM Maximum Memory: 2 GB
JVM Total Memory: 378 MB
JCE Installed: Yes
OS Architecture: x86_64
OS Name: Mac OS X
OS Version: 10.15.5


Now this isn't my first rodeo ride with certificates so here is what 
I've done so far trying to solve this.



* Confirmed the management.properties file being picked up by the 
run-time is correct (put in incorrect directive and it complained).


* Confirmed Syntax for the Certificate Directives via examples and the 
CAS interactive Shell.


management.server.ssl.key-store: file:/Users/colinr/DevTree/devkeystore.jks
management.server.ssl.key-store-password: 

It should be noted that the keystore is of type PKCS12 and it's the 
exact same keystore as being used by my standalone Tomcat 9.0.26 
environment that CAS itself runs on successfully. Said tomcat 
environment is started by the same users that runs the embedded one.


* I've opened up permissions to the file totally.

* I'm able to "keytool -list" the certificate in this keystore 
directly via "keytool" and it responds properly to the correct and 
incorrect keystore password.


* I'm able to view details of certificate via keytool

* Certificate alias is tomcat

* Certificate is NOT expired.

* Certificate is loaded in Java's truststore via the 
InstallCert tool.


* I tried generating a new keystore via "keytool -genkeypair -alias 
tomcat -keyalg RSA -keysize 2048 -keystore managementkeystore.jks 
-validity 3650  -storepass testadmin" same result.


* keytool and activated Java environment for the run time is from the 
same distribution.


* I've run the overlay before like this without issues, however that 
was 6.0.2-SNAPSHOT on 10.15.4.



Frankly I'm totally stumped but expect the issue to be an 
embarrassingly obvious one.


Cheers


Colin





Re: [cas-user] Any CAS + Canvas schools having problems with frequent Canvas session timeouts?

2020-08-24 Thread Mike Osterman
Thanks, Ray! I appreciate the pointer. It's nice to have another lead to
chase down.

On Mon, Aug 24, 2020 at 9:41 AM Ray Bon wrote:

> Mike,
>
> This sounds like a proxy failure. The user successfully logs in, but when
> a proxy ticket is required, there is a failure and the user is returned to
> the log in page (am I understanding correctly?).
>
> Check your access logs for Canvas and cas to see if communication is
> successful when a PT is needed.
> You can use the below to get some logging from cas:
>
> 
> 
>
> 
>  level="error" />
>
> Ray
>
> On Fri, 2020-08-21 at 19:43 -0700, Mike Osterman wrote:
>
> Disclaimer: I know this is a CAS list, not a Canvas list, but the
> combination of the two is having issues, and I've run out of road working
> with Instructure support.
>
> Late last semester, we started experiencing issues where Canvas users were
> getting logged out frequently. I believe it started around the time that we
> switched Canvas from CAS 3.x to our CAS 5.3.x IdP. We also made the switch
> from defaulting login to CAS for all users, where external "guest" accounts
> had to know the native Canvas account login URL, to the Discovery page
> setup, where users are presented with Door #1 (Institutional SSO) and Door
> #2 (native Canvas accounts).
>
> I worked with Instructure support, and they insisted that the cause was
> our CAS server, which doesn't track with the pattern I see with most
> CASified applications: app redirect to CAS to authenticate and get returned
> some attributes, but upon successful login flow, the app manages its own
> internal session state and timeout.
>
> That said, in testing out a different CAS IdP implementation with Canvas
> provided by Technolutions in the Slate platform, I learned that the CAS
> client that Canvas uses only uses proxyValidate. (The Slate IdP only
> supports /serviceValidate). I'm not sure this is in any way related, but
> it's another data point.
>
> Finally, we had Instructure hard-code our Canvas application session
> timeout to 8 hours, which has had zero impact on the short session timeouts
> in CAS.
>
> Has anyone else dealt with this issue with CAS + Canvas, and better still,
> solved it?
>
> Thanks for any and all pointers, suggestions, etc.
>
> -Mike
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>

[cas-user] Limiting login forms on CAS login page in multiple auth handler environment

2020-08-24 Thread Doug Secord

In our CAS environment, some services need to authenticate users using LDAP 
(Active Directory) and others need to authenticate through delegation with 
Azure.

Ideally, we'd like to have the user be presented with only a single 
login form on the CAS login page. With the delegated authentication, this 
can be achieved with the use of allowedProviders list in the 
delegatedAuthenticationPolicy block of the service definition.

For example:
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      // Allowed providers is a list of external identity provider names (i.e. client
      // names from cas.properties)
      "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Employee Login" ] ],
      "permitUndefined": true,
      "exclusive": true
    }
  }

This works well for delegated services. However, I have not been able to 
find a similar method for services that are authenticated via LDAP, and the 
login page still shows the delegated login buttons (“Student Login” and 
“Employee Login”) beside the usual CAS login form. I have tried using 
requiredHandlers, but this doesn't have a noticeable effect (from 
https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Required-AuthN.html
 
and this blog 
https://apereo.github.io/2019/12/23/cas62x-authn-handler-resolution/): 

{
  /*
   * Custom applications requiring CAS authentication against LDAP (Active Directory)
   */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/studentApp/.*",
  "name" : "Student App",
  "id" : 2020082414,
  "evaluationOrder" : 5,
  "enabled" : true,
  "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectory" ] ],
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn"
    }
  }
}

And of course, here are the appropriate snippets from our cas.properties:

cas.authn.ldap[0].order:0
cas.authn.ldap[0].name:EmployeeActiveDirectory
...
cas.authn.ldap[1].order:1
cas.authn.ldap[1].name:StudentActiveDirectory
...
cas.authn.pac4j.saml[0].clientName:   Employee Login
...
cas.authn.pac4j.saml[1].clientName:   Student Login

This warning shows up in the cas.log:

2020-08-24 10:03:06,162 WARN 
[org.apereo.cas.services.AbstractRegisteredService] - 

And this, as well, though I'm not sure if it's related, I wouldn't expect 
to see it considering the use of requiredHandlers in the service definition:

2020-08-24 10:03:17,441 WARN 
[org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] 
- 

We're using CAS 6.2.1 on Tomcat 9.0.33 and Java 11.

Any ideas and/or suggestions are greatly appreciated.

Doug


[cas-user] Display single login form in multiple authenticator environment

2020-08-24 Thread Doug Secord

In our CAS environment, some services need to authenticate users using LDAP 
(Active Directory) and others need to authenticate through delegation with 
Azure.

Ideally, we'd like to have the user be presented with only a single 
login form on the CAS login page. With the delegated authentication, this 
can be achieved with the use of allowedProviders list in the 
delegatedAuthenticationPolicy block of the service definition.

For example:
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      // Allowed providers is a list of external identity provider names (i.e. client
      // names from cas.properties)
      "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Employee Login" ] ],
      "permitUndefined": true,
      "exclusive": true
    }
  }

This works well for delegated services. However, I have not been able to 
find a similar method for services that are authenticated via LDAP, and the 
login page still shows the delegated login buttons beside the usual CAS 
login form. I have tried using requiredAuthenticationHandlers, but this 
doesn't have a noticeable effect (from 
https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Required-AuthN.html
 
and this blog 
https://apereo.github.io/2019/12/23/cas62x-authn-handler-resolution/): 

{
  /*
   * Custom applications requiring CAS authentication against LDAP (Active Directory)
   */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/studentApp/.*",
  "name" : "Student App",
  "id" : 2020082414,
  "evaluationOrder" : 5,
  "enabled" : true,
  "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectory" ] ],
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn"
    }
  }
}

And of course, here are the appropriate snippets from our cas.properties:

cas.authn.ldap[0].order:0
cas.authn.ldap[0].name: EmployeeActiveDirectory
...
cas.authn.ldap[1].order:1
cas.authn.ldap[1].name: StudentActiveDirectory
...
cas.authn.pac4j.saml[0].clientName:   Employee Login
...
cas.authn.pac4j.saml[1].clientName:   Student Login


This warning shows up in the cas.log:

2020-08-24 10:03:06,162 WARN 
[org.apereo.cas.services.AbstractRegisteredService] - 

And this, as well, though I'm not sure if it's related, I wouldn't expect 
to see it considering the use of requiredHandlers in the service definition:

2020-08-24 10:03:17,441 WARN 
[org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] 
- 

We're using CAS 6.2.1 on Tomcat 9.0.33 and Java 11.

Any ideas and/or suggestions are greatly appreciated.


[cas-user] CAS 6.2.x signing.key-size not working

2020-08-24 Thread denizg
Hello,

I am using the CAS overlay template and I have configured CAS as an OAuth2 server. 
It works perfectly. But when I change the JWT signing key size (default 512, 
https://github.com/apereo/cas/blob/master/api/cas-server-core-api-util/src/main/java/org/apereo/cas/util/crypto/CipherExecutor.java) 
to 256, these changes are not reflected. 

Here is the config:
cas.authn.oauth.access-token.crypto.signing.key=bBUhVvw9c2h2qwJd8hPRYatugQGGI4Xd
cas.authn.oauth.accessToken.crypto.signing.key-size=256

here is the error log
*Caused by: org.jose4j.lang.InvalidKeyException: A key of the same size as 
the hash output (i.e. 512 bits for HS512) or larger MUST be used with the 
HMAC SHA algorithms but this key is only 256 bits*

What am I missing? Is it a bug? Thanks for your response.



Re: [cas-user] Any CAS + Canvas schools having problems with frequent Canvas session timeouts?

2020-08-24 Thread Ray Bon
Mike,

This sounds like a proxy failure. The user successfully logs in, but when a 
proxy ticket is required, there is a failure and the user is returned to the 
log in page (am I understanding correctly?).

Check your access logs for Canvas and cas to see if communication is successful 
when a PT is needed.
You can use the below to get some logging from cas:







Ray

On Fri, 2020-08-21 at 19:43 -0700, Mike Osterman wrote:
Disclaimer: I know this is a CAS list, not a Canvas list, but the combination 
of the two is having issues, and I've run out of road working with Instructure 
support.

Late last semester, we started experiencing issues where Canvas users were 
getting logged out frequently. I believe it started around the time that we 
switched Canvas from CAS 3.x to our CAS 5.3.x IdP. We also made the switch from 
defaulting login to CAS for all users, where external "guest" accounts had to 
know the native Canvas account login URL, to the Discovery page setup, where 
users are presented with Door #1 (Institutional SSO) and Door #2 (native Canvas 
accounts).

I worked with Instructure support, and they insisted that the cause was our CAS 
server, which doesn't track with the pattern I see with most CASified 
applications: app redirect to CAS to authenticate and get returned some 
attributes, but upon successful login flow, the app manages its own internal 
session state and timeout.

That said, in testing out a different CAS IdP implementation with Canvas 
provided by Technolutions in the Slate platform, I learned that the CAS client 
that Canvas uses only uses proxyValidate. (The Slate IdP only supports 
/serviceValidate). I'm not sure this is in any way related, but it's another 
data point.

Finally, we had Instructure hard-code our Canvas application session timeout to 
8 hours, which has had zero impact on the short session timeouts in CAS.

Has anyone else dealt with this issue with CAS + Canvas, and better still, 
solved it?

Thanks for any and all pointers, suggestions, etc.

-Mike

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] Logging out from CAS logs me out from Google, too

2020-08-24 Thread Paul Roemer
Hey denizg,

First, thanks for your suggestion. But I actually want SLO. I want to destroy 
the SSO session and not only the application session. I also configured 
front channel to make it work.

No, the problem is something different: if I use a delegated SSO provider 
like Google or GitHub to authenticate against CAS (during sign-in) and 
log out again, I am not only logged out from the SSO session that CAS 
manages but also from my Google or GitHub account. And that is what should 
not happen and is new behavior.

I wonder when this changed.

On Monday, August 24, 2020 at 10:47:14 AM UTC+2 denizg wrote:

> edit: single sign on  out
>
> On Mon, Aug 24, 2020 at 11:46, dyte gyte wrote:
>
>> Hello,
>>
>> afaik, there are 2 logout types: single logout and single sign-on. The 
>> default behavior is single logout, which means that if you log out of the 
>> current app, you are also logged out of all applications that CAS is 
>> connected to. This is the situation you are facing, but you need single 
>> sign-on as I understand. Basically, turn this off:
>> https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#turning-off-single-logout
>>
>> reference: 
>> https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#logout-and-single-logout-slo
>>
>> On Mon, Aug 24, 2020 at 11:26, Paul Roemer wrote:
>>
>>> Hey guys,
>>>
>>> we noticed some new behavior with delegated SSO authentication. When I 
>>> login with my Google SSO account at our CAS and logout again, I am not only 
>>> logged out from CAS but also from my Google account. This also happens with 
>>> delegated GitHub SSO.
>>>
>>> We are using CAS 6.2.1 but I am unsure when we noticed this behavior the 
>>> first time.
>>>
>>> Anyone else noticed it? Is there some configuration option to disable it?
>>>
>>> Cheers,
>>>   Paul
>>>
>>



[cas-user] Re: JWT without encryption key

2020-08-24 Thread denizg
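I realized that it was because of different algorithm types. The Spring 
resource server uses HMACSHA256 by default when using a symmetric key, but CAS 
sends HMACSHA512, so I updated the accessTokenConverter() method as below:

import java.nio.charset.StandardCharsets;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.jwt.crypto.sign.MacSigner;
import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    String key = "RwBkYP2TGd1qobBQnW0mraR1jJ5_uBT65LlnpP8xe_sy3IiNQ_6SnNUxagwcPxHUudONBN_hEPRRUHxaAsTzgQ";
    // Verify with HMAC-SHA512 (what CAS signs with) instead of the converter's HMAC-SHA256 default
    SignatureVerifier sha512Verifier = new MacSigner("HMACSHA512",
            new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HMACSHA512"));
    converter.setVerifier(sha512Verifier);
    return converter;
}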

On Friday, May 29, 2020 at 16:41:33 UTC+3, denizg wrote:

> Hello, is there anybody who verifies JWTs with a Spring resource server? I 
> have a configuration like this. When I use a custom OAuth2 server, it works 
> well, but when I change to the CAS OAuth2 server, it cannot verify the JWT.
>
> cas oauth2
> cas.authn.token.crypto.enabled=true
>
> cas.authn.token.crypto.signing-enabled=true
> cas.authn.oauth.crypto.signing.key=RwBkYP2TGd1qobBQnW0mraR1jJ5_uBT65LlnpP8xe_sy3IiNQ_6SnNUxagwcPxHUudONBN_hEPRRUHxaAsTzgQ
> cas.authn.token.crypto.encryption-enabled=false
> cas.authn.token.crypto.encryption.key=
>
>
> spring resource server config
>
>
> @Configuration
> @EnableResourceServer
> public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
>
>     private String signKey = "RwBkYP2TGd1qobBQnW0mraR1jJ5_uBT65LlnpP8xe_sy3IiNQ_6SnNUxagwcPxHUudONBN_hEPRRUHxaAsTzgQ";
>
>     @Bean
>     public JwtAccessTokenConverter accessTokenConverter() {
>         JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
>         converter.setSigningKey(signKey);
>         return converter;
>     }
>
>     @Bean
>     public TokenStore tokenStore() {
>         return new JwtTokenStore(accessTokenConverter());
>     }
>
>     @Bean
>     @Primary
>     public DefaultTokenServices tokenServices() {
>         DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
>         defaultTokenServices.setTokenStore(tokenStore());
>         return defaultTokenServices;
>     }
>
> }
>
>

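
The HS512 key-size error and the HMACSHA256/HMACSHA512 verifier mismatch reported by denizg above both come down to two checks, shown here as an added JDK-only example that is not code from the posts or from CAS: RFC 7518 (section 3.2) requires an HMAC key at least as long as the hash output, and the verifier must use the same HMAC algorithm as the signer. The class and method names, the sample keys and the flat-JSON header assumption are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacJwtCheck {
    /** JWS HMAC algorithms with their JCA names and minimum key sizes (RFC 7518, section 3.2). */
    enum Alg {
        HS256("HmacSHA256", 256), HS384("HmacSHA384", 384), HS512("HmacSHA512", 512);
        final String jcaName;
        final int minKeyBits;
        Alg(String jcaName, int minKeyBits) { this.jcaName = jcaName; this.minKeyBits = minKeyBits; }
    }

    // Assumption: the protected header is a flat JSON object, so "alg" can be read with a regex.
    private static final Pattern ALG_FIELD = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]+)\"");

    static byte[] hmac(Alg alg, byte[] key, String signingInput) throws Exception {
        if (key.length * 8 < alg.minKeyBits) {
            throw new IllegalArgumentException(alg + " requires a key of at least "
                    + alg.minKeyBits + " bits, got " + key.length * 8);
        }
        Mac mac = Mac.getInstance(alg.jcaName);
        mac.init(new SecretKeySpec(key, alg.jcaName));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    static String sign(Alg alg, byte[] key, String payloadJson) throws Exception {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"" + alg + "\",\"typ\":\"JWT\"}";
        String signingInput = b64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + b64.encodeToString(hmac(alg, key, signingInput));
    }

    /** Verifies with the algorithm the resource server pins; the token's "alg" is only compared. */
    static boolean verify(Alg pinned, byte[] key, String token) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        try {
            String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
            byte[] signature = Base64.getUrlDecoder().decode(parts[2]);
            Matcher m = ALG_FIELD.matcher(header);
            if (!m.find() || !m.group(1).equals(pinned.name())) return false; // algorithm mismatch
            return MessageDigest.isEqual(hmac(pinned, key, parts[0] + "." + parts[1]), signature);
        } catch (IllegalArgumentException e) {
            return false; // malformed base64url, or key too short for the pinned algorithm
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys (64 and 32 ASCII characters), not the keys posted in the thread.
        byte[] key512 = "k".repeat(64).getBytes(StandardCharsets.US_ASCII);
        byte[] key256 = "k".repeat(32).getBytes(StandardCharsets.US_ASCII);
        String token = sign(Alg.HS512, key512, "{\"sub\":\"casuser\"}");
        System.out.println("HS512 token, HS512 verifier: " + verify(Alg.HS512, key512, token));
        System.out.println("HS512 token, HS256 verifier: " + verify(Alg.HS256, key512, token));
        System.out.println("HS256 token, 256-bit key:    "
                + verify(Alg.HS256, key256, sign(Alg.HS256, key256, "{}")));
        try {
            sign(Alg.HS512, key256, "{}");
        } catch (IllegalArgumentException e) {
            System.out.println("HS512 with 256-bit key rejected: " + e.getMessage());
        }
    }
}
```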


Re: [cas-user] Re: Spring-web

2020-08-24 Thread Mickaël
Jeremiah,

Sorry for the slow response.

For example, if you want to integrate a dependency from CAS to connect to a 
database, you should use the same version of Spring, otherwise you get an 
error.
For CAS 6.1.x: 
https://github.com/apereo/cas/blob/6.1.x/gradle.properties#L94 with 
CAS-Manager 
https://github.com/apereo/cas-management/blob/a959befb50ee2a9bf55c4b14842128e3cecbdb35/gradle.properties#L97

Sincerely,

Mickaël

On Thursday, July 30, 2020 at 20:15:03 UTC+2, j-gar...@onu.edu wrote:

> Mickaël
>
> Could you explain this in more detail? I use the Maven overlay, not 
> Gradle, but perhaps there is configuration overlap.
>
> Also, I was interested if I could install another version of 
> cas-management app. I use CAS 5.3.14 for my login server, would it be 
> possible to use management-server 5.2.x or another version, or are they too 
> different?
>
> On Thursday, July 30, 2020 at 12:00:35 PM UTC-4 Mickaël wrote:
>
>> Hi,
>>
>> To solve this problem, I choose CAS dependency to integrate in my 
>> cas-manager by checking the spring version in apereo/cas gradle.build file 
>> for matching the cas-manager version.
>>
>> Mickaël
>>
>> On Thu, Jul 30, 2020 at 15:27, Jeremiah Garmatter wrote:
>>
>>> Follow-up:
>>>
>>> I've placed the absolute ordering tag within the ROOT application's 
>>> web.xml file and I was able to get past the spring_web web-fragment error. 
>>> However, once I did that, I received the same error for log4j, 
>>> note-for-note. After looking within cas-management/WEB-INF/lib, I found 
>>> dozens of repeated jar files. The same jar, but different versions. For 
>>> example, spring-web-4.3.17.RELEASE.jar and spring-web-4.3.20.RELEASE.jar. I 
>>> tried playing around with the versions maven uses to resolve dependencies 
>>> with cas-management-overlay-5.3/pom.xml without luck. Currently, I receive 
>>> the same error as posted yesterday with or without the  
>>> tag inside ROOT/WEB-INF/web.xml. I even tried making a web.xml for the 
>>> cas-management server in a misunderstood attempt at a solution.
>>>
>>> Has anyone seen this before?
>>>
>>> On Wednesday, July 29, 2020 at 4:15:01 PM UTC-4 Jeremiah Garmatter wrote:
>>>

 Hello,

 Recently, I've built a new(er) version of CAS for my university's SSO.
 I am utilizing CAS maven overlay to build CAS 5.3 deployed through 
 tomcat. I recently decided to add the management webapp (v5.3) and after 
 adding it to tomcat's webapps directory, I received this error:

 29-Jul-2020 16:08:00.669 SEVERE [localhost-startStop-1] org.apache.catalina.core.ContainerBase.addChildInternal ContainerBase.addChild: start: 
 org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]
     at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
     at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1125)
     at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1858)
     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
     at java.lang.Thread.run(Thread.java:748)
 *Caused by: java.lang.IllegalArgumentException: More than one fragment with the name [spring_web] was found. This is not legal with relative ordering. See section 8.2.2 2c of the Servlet specification for details. Consider using absolute ordering.*
     at org.apache.tomcat.util.descriptor.web.WebXml.orderWebFragments(WebXml.java:2203)
     at org.apache.tomcat.util.descriptor.web.WebXml.orderWebFragments(WebXml.java:2162)
     at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1131)
     at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:776)
     at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:299)
     at 
 

Re: [cas-user] Logging out from CAS logs me out from Google, too

2020-08-24 Thread dyte gyte
edit: single sign on  out

On Mon, Aug 24, 2020 at 11:46, dyte gyte wrote:

> Hello,
>
> afaik, there are 2 logout types: single logout and single sign-on. The
> default behavior is single logout, which means that if you log out of the
> current app, you are also logged out of all applications that CAS is
> connected to. This is the situation you are facing, but you need single
> sign-on as I understand. Basically, turn this off:
> https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#turning-off-single-logout
>
> reference:
> https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#logout-and-single-logout-slo
>
> On Mon, Aug 24, 2020 at 11:26, Paul Roemer wrote:
>
>> Hey guys,
>>
>> we noticed some new behavior with delegated SSO authentication. When I
>> login with my Google SSO account at our CAS and logout again, I am not only
>> logged out from CAS but also from my Google account. This also happens with
>> delegated GitHub SSO.
>>
>> We are using CAS 6.2.1 but I am unsure when we noticed this behavior the
>> first time.
>>
>> Anyone else noticed it? Is there some configuration option to disable it?
>>
>> Cheers,
>>   Paul
>>
>



Re: [cas-user] Logging out from CAS logs me out from Google, too

2020-08-24 Thread dyte gyte
Hello,

afaik, there are 2 logout types: single logout and single sign-on. The
default behavior is single logout, which means that if you log out of the
current app, you are also logged out of all applications that CAS is
connected to. This is the situation you are facing, but you need single
sign-on as I understand. Basically, turn this off:
https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#turning-off-single-logout

reference:
https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#logout-and-single-logout-slo

On Mon, Aug 24, 2020 at 11:26, Paul Roemer wrote:

> Hey guys,
>
> we noticed some new behavior with delegated SSO authentication. When I
> login with my Google SSO account at our CAS and logout again, I am not only
> logged out from CAS but also from my Google account. This also happens with
> delegated GitHub SSO.
>
> We are using CAS 6.2.1 but I am unsure when we noticed this behavior the
> first time.
>
> Anyone else noticed it? Is there some configuration option to disable it?
>
> Cheers,
>   Paul
>



[cas-user] Logging out from CAS logs me out from Google, too

2020-08-24 Thread Paul Roemer
Hey guys,

we noticed some new behavior with delegated SSO authentication. When I 
login with my Google SSO account at our CAS and logout again, I am not only 
logged out from CAS but also from my Google account. This also happens with 
delegated GitHub SSO.

We are using CAS 6.2.1 but I am unsure when we noticed this behavior the 
first time.

Anyone else noticed it? Is there some configuration option to disable it?

Cheers,
  Paul
