Re: [cas-user] CAS 6.4 OIDC JWKS missing key fields?

2023-03-17 Thread Carl Waldbieser
Yan,

No, our jwks doesn't have that property.  But since that is just the
algorithm (see
https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-set-properties),
you could probably manually specify the algorithm being used in the key by
adding it directly to the JSON.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Fri, Mar 17, 2023 at 12:04 PM Yan Zhou  wrote:

> Does your JWKS have "alg" field?  it does not seem to have that option.
>
> This is what JWKS looks like in general, they do have "alg" field. I do
> not know how to get CAS JWKS to include it.
>
> Yan
>
> On Tuesday, March 7, 2023 at 10:29:12 AM UTC-5 waldbiec wrote:
>
>> I noticed my JWKS was missing a kid and causing weird results in one of
>> the OIDC libraries I use for testing.
>> I just added the kid to my key in the "keystore.jwks" manually.  I just
>> generated a uuid4, but you can use any ID unique to your keystore from what
>> I understand.
>> The kid then appears on the endpoint.
>>
>> Thanks,
>> Carl Waldbieser
>> ITS
>> Lafayette College
>>
>> On Tue, Mar 7, 2023 at 12:13 AM Yan Zhou  wrote:
>>
>>> Hi,,
>>>
>>> CAS 6.4  OIDC JWKS endpoint looks like this.  Our vendor has problem
>>> with its missing fields such as  alg, kid, and use.
>>>
>>> Anyone knows how to show these fields in JWKS?  They showed us what Okta
>>> and Google OIDC provider presents, yes, they do have these fields.
>>>
>>> This probably affects OIDC JWT access token header attributes as well.
>>>
>>> Thanks,
>>> Yan
>>>
>>> {
>>>
>>> "keys":
>>>
>>> [
>>>
>>> {
>>>
>>> "kty":"RSA",
>>>
>>> "n":"pwNNGZn0..RW18eq6Asiw",
>>>
>>> "e":"AQAB"
>>>
>>> }
>>>
>>> ]
>>>
>>> }
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/a816b9c5-662f-4a75-b87e-414f350df5d3n%40apereo.org
>>> 
>>> .
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALt4NbM-mAJJCmWEXRZ2YyoUeeh9nPKeXSiRpLPOsO7M57CGGg%40mail.gmail.com.


Re: [cas-user] Re: per-service cas.saml-core.skew-allowance?

2023-03-17 Thread Baron Fujimoto
Mahalo!

On Wed, Mar 15, 2023 at 5:25 PM 'Olivier Begon' via CAS Community <
cas-user@apereo.org> wrote:

> Hi Baron,
>
> We are running CAS version 6.5.9 and I was able to set a skew allowance
> value per service as follows:
> {
>"@class" : "org.apereo.cas.services.RegexRegisteredService",
>"serviceId" : "^https://.*";,
>"name" : "Sample",
>"id" : 10,
>"skewAllowance": 40
> }
>
> Note: Setting a negative  *skewAllowance* value will not work in 6.5.9 du
> to a bug (fixed in 6.6.x)
>
> Hope this helps.
>
> Thanks
> Olivier Begon
> ITS -  Florida State University
>
> On Tuesday, March 14, 2023 at 4:17:27 PM UTC-4 baron wrote:
>
>> On a CAS 6.5 system, we're trying to troubleshoot a problem with one of
>> our CAS clients applications. One experiment we'd like to try is to
>> increase cas.saml-core.skew-allowance from its default 30s to perhaps 40s.
>>
>> Ideally we'd like to try this on a per-service basis to limit the scope
>> of the change, but I don't see an example of this in the documentation at <
>> https://apereo.github.io/cas/6.5.x/protocol/SAML-Protocol.html#configuration
>> >
>>
>> Perhaps something like:
>>
>> {
>> "@class" : "org.apereo.cas.services.RegexRegisteredService",
>> "serviceId" : "^https://.*";,
>> "name" : "Sample",
>> "id" : 10,
>> "notSureWhatIdentifierToUseHere": {
>>   "@class": "
>> org.apereo.cas.configuration.model.support.saml.SamlCoreProperties",
>>   "skew-allowance": PT40S
>> }
>> }
>>
>> This was modeled from the example for
>> cas.ticket.st.time-to-kill-in-seconds at <
>> https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service>.
>> However, assuming this is possible, I don't know what would be appropriate
>> where I have the placeholder "notSureWhatIdentifierToUseHere".
>>
>> --
>> Baron Fujimoto  ::: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0c5da7ec-19f2-4d1f-9583-59c6a7d95c9an%40apereo.org
> 
> .
>


-- 
Baron Fujimoto  ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1HBMMAAr-qMVfLYqss8mfvxmqujfgj-i0u24-7OsS28Q%40mail.gmail.com.


Re: [cas-user] CAS 6.4 OIDC JWKS missing key fields?

2023-03-17 Thread Yan Zhou
Does your JWKS have "alg" field?  it does not seem to have that option.

This is what JWKS looks like in general, they do have "alg" field. I do not 
know how to get CAS JWKS to include it.

Yan

On Tuesday, March 7, 2023 at 10:29:12 AM UTC-5 waldbiec wrote:

> I noticed my JWKS was missing a kid and causing weird results in one of 
> the OIDC libraries I use for testing.
> I just added the kid to my key in the "keystore.jwks" manually.  I just 
> generated a uuid4, but you can use any ID unique to your keystore from what 
> I understand.
> The kid then appears on the endpoint.
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
> On Tue, Mar 7, 2023 at 12:13 AM Yan Zhou  wrote:
>
>> Hi,,
>>
>> CAS 6.4  OIDC JWKS endpoint looks like this.  Our vendor has problem with 
>> its missing fields such as  alg, kid, and use. 
>>
>> Anyone knows how to show these fields in JWKS?  They showed us what Okta 
>> and Google OIDC provider presents, yes, they do have these fields.
>>
>> This probably affects OIDC JWT access token header attributes as well.
>>
>> Thanks,
>> Yan
>>
>> {
>>
>> "keys": 
>>
>> [
>>
>> {
>>
>> "kty":"RSA",
>>
>> "n":"pwNNGZn0..RW18eq6Asiw",
>>
>> "e":"AQAB"
>>
>> }
>>
>> ]
>>
>> }
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/a816b9c5-662f-4a75-b87e-414f350df5d3n%40apereo.org
>>  
>> 
>> .
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/449d95f3-714d-479a-84b8-caeb1db30c15n%40apereo.org.


[cas-user] Re: Request for assistance with CAS and OpenLDAP integration

2023-03-17 Thread Vincent Delhommmeau
Hi,

1) you must add the dependancy in build.gradle for ldap support

implementation 
"org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"

2) then you configure it in cas.properties. here is a sample :

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://ldap1.domain.com:389 
ldap://ldap2.domain.com:389
cas.authn.ldap[0].baseDn=ou=people,dc=domain,dc=com
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.ldap[0].dnFormat=uid=%s,ou=people,dc=domain,dc=com
cas.authn.ldap[0].pool-passivator=NONE
cas.authn.attribute-repository.ldap[0].pool-passivator=NONE
cas.authn.ldap[0].principalAttributeList=uid,mail,displayName ...

you will have to adapt it to your environment

Regards,


Le jeudi 16 mars 2023 à 06:50:30 UTC+1, pth...@gmail.com a écrit :

> Hi guys,
> I hope this email finds you well. I am writing to request your assistance 
> with integrating CAS and OpenLDAP for my SSO system.
> I have already installed CAS 6.6.5 on Tomcat 9 in Ubuntu and now I would 
> like to integrate it with OpenLDAP. Unfortunately, I have been unable to 
> find any documentation on how to configure this integration.
> I am hoping that you can provide me with guidance on how to proceed. 
> Specifically, I would greatly appreciate it if you could provide me with 
> any relevant documentation, tutorials, or tips for integrating CAS and 
> OpenLDAP.
> Thank you for your time and I look forward to hearing back from you soon.
>
> Best regards,
> Phuong Thao
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6f746312-cbbe-4842-b9b1-b0c636ad8d77n%40apereo.org.