Re: [cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?

2023-09-08 Thread Ray Bon
Yan,

It is a wise idea to sign logout requests. This prevents a bad actor from 
creating false logouts.
'Validate SAML requests with signature ... ' is for the log in request.

When your client app sends a logout request to cas, does cas (as IdP) end its 
session with the client?

Ray


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/96ad7e3b201c00516e3a0f217d79facdfa4e0109.camel%40uvic.ca.


[cas-user] Customizing AUP Webflow Logic

2023-09-08 Thread Trevor Fong
Hi All,
I'm trying to customize the AUP template view and some of the logic behind 
its SUBMIT button. The problem is that I'm running into some compiler 
errors when I try to do a "./gradlew clean build": 

$ ./gradlew clean build
Configuration on demand is an incubating feature.

> Task :compileTestJava FAILED
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:3:
 
error: package org.apereo.cas.adaptors.ldap does not exist
import org.apereo.cas.adaptors.ldap.LdapIntegrationTestsOperations;
   ^
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:7:
 
error: package org.apereo.cas.util.junit does not exist
import org.apereo.cas.util.junit.EnabledIfListeningOnPort;
^
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:9:
 
error: package com.unboundid.ldap.sdk does not exist
import com.unboundid.ldap.sdk.LDAPConnection;
 ^
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:52:
 
error: cannot find symbol
public class LdapAcceptableUsagePolicyRepositoryTests extends 
BaseAcceptableUsagePolicyRepositoryTests {
  ^
  symbol: class BaseAcceptableUsagePolicyRepositoryTests
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:41:
 
error: cannot find symbol
@EnabledIfListeningOnPort(port = 10389)
 ^
  symbol: class EnabledIfListeningOnPort
5 errors

FAILURE: Build failed with an exception.


Would someone be able to tell me if I'm following the right path (see 
below) or tell me what I'm doing wrong?  Presumably I need to add extra 
'implementation "org.apereo.cas:blah"' references to build.gradle - how do 
I find out what to add?

Here's what I did to get this far:

cd /opt/cas/workspace/
git clone https://github.com/apereo/cas.git
## There doesn't seem to be a v6.6.11 tag?
git checkout v6.6.10
 
cd /opt/cas/workspace/cas-6.6.11-dev
getcas --directory cas-overlay-template-6.6.11 --type cas-overlay 
--casVersion 6.6.11 --modules 
support-jpa-ticket-registry,support-jpa-service-registry,support-ldap,support-saml,support-duo,support-audit-jdbc,support-aup-ldap,support-aup-webflow
 
## Copy files that we want to customize from cas to the overlay
cp -prnv /opt/cas/workspace/cas/support/cas-server-support-aup-ldap/src/* 
/opt/cas/workspace/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/

## Customize:
# 
cas-overlay-template-6.6.11/src/main/resources/templates/aup/casAcceptableUsagePolicyView.html
# 
cas-overlay-template-6.6.11/src/main/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepository.java
 
## Add additional implementations to build.gradle to get rid of "class not 
found" type build errors
#implementation "org.apereo.cas:cas-server-support-aup-core"
#implementation "org.apereo.cas:cas-server-support-ldap-core"
#implementation "org.apereo.cas:cas-server-core-util"
#implementation "org.apereo.cas:cas-server-core-web-api"
  
cd /opt/cas/workspace
cd cas-6.6.11-dev/cas-overlay-template*
./gradlew clean build
 
See build errors above.

Thanks a lot,
Trev

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e9a56978-7838-40dc-88e0-d60c4a8e5556n%40apereo.org.


Re: [cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?

2023-09-08 Thread Yan Zhou
Thanks Ray!

Good direction. I finally made some progress after doing what you 
suggested, except for the SLO scenario; I posted a new message about that, 
as it seems to be separate from this.

Yan

On Monday, August 28, 2023 at 1:09:58 PM UTC-4 Ray Bon wrote:

> Yan,
>
> It still sounds like you are mixing the client with the delegated authn 
> (okta).
>
> If your client app is communicating with SAML, then cas should be 
> configured as the IdP for client app. The client app will have cas IdP 
> metadata (with cas url in it) and cas will have client app  SP metadata and 
> the service will be registered as SamlRegisteredService. Hopefully you can 
> test this setup with the default cas user (casuser:Mellon). (You will have 
> to modify the client app json file to turn off redirect.)
>
> Once the cas <-> client app is working correctly, then you can configure 
> cas and okta.
>
> Cas will get okta IdP metadata and okta will get cas SP metadata (_not_ 
> client app). (Remember to turn on redirect in client app json file.)
>
> Sorry about the oidc endpoint stuff. Cas SAML endpoints are here, 
> https://apereo.github.io/cas/6.6.x/authentication/Configuring-SAML2-Authentication.html#saml-endpoints
> You will most likely use the /idp/profile/SAML2/Redirect/SSO or 
> /idp/profile/SAML2/POST/SSO endpoints set in your client app.
>
> This post might be useful 
> https://fawnoos.com/2022/03/25/cas66-saml-authn-refeds/
>
> Ray
>
> On Fri, 2023-08-25 at 17:05 -0400, Yan wrote:
>
> Hi there,  
>
> I made a mistake: I changed dependencies without rebuilding the project. 
> Now I have made progress; auto-redirect is working now.
>
> The client app goes to the IDP directly (because the IDP metadata generated 
> by CAS has the Okta URL in it). But after I log in through Okta, it 
> redirects to CAS, and this is where I still have a problem.
>
> URL is:  https://localhost:8443/cas/login?client_name=bootsp2
>
> Error:
>
> 2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] 
> [org.pac4j.core.client.Clients] -  bootsp2 | callbackUrl:https://localhost:8443/cas/login | urlResolver: 
> null | callbackUrlResolver: 
> org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@2a2798a2 | 
> ajaxRequestResolver: null | redirectionActionBuilder: null | 
> credentialsExtractor: null | authenticator: null | profileCreator: 
> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@2b9ecd05 | 
> logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@31f1b268 | 
> authorizationGenerators: [] | checkAuthenticationAttempt: true | for name: 
> bootsp2>
> 2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] 
> [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] 
> -  relay-state for the SAML2 client>
> 2023-08-25 17:02:54,605 DEBUG [https-jsse-nio-8443-exec-5] 
> [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] 
> - 
> 2023-08-25 17:02:54,605 ERROR [https-jsse-nio-8443-exec-5] 
> [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] 
> -  request [https://localhost:8443/cas/login?client_name=bootsp2]>
> 2023-08-25 17:02:54,607 ERROR [https-jsse-nio-8443-exec-5] 
> [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
> org.apereo.cas.services.UnauthorizedServiceException: 
> at 
> org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236)
>  
> ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
> at 
> org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84)
>  
> ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
> at 
> org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:285)
>  
> ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
> at 
> org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205)
>  
> ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
> at 
> org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$doExecute$0(DelegatedClientAuthenticationAction.java:123)
>  
> ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
> at java.util.Optional.orElseGet(Optional.java:369) ~[?:?]
> at 
> org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:123)
>  
> ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
> at 
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>  
> ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
> at 
> 

[cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?

2023-09-08 Thread Yan Zhou
Hi,

I have almost completed SAML delegated authN with CAS and Okta (CAS 
delegates to Okta), except for SLO. 

When the client app initiates SLO, it goes to CAS, and CAS redirects to 
Okta, but Okta says "invalid signature"; the SAML LogoutRequest from CAS has 
no signature element. See below.  

I verified the Okta settings; nowhere does it say it requires a signature in 
the Logout Request. Regardless, I cannot figure out how to get CAS to sign 
the SLO request in delegated authN. This setting made no difference even 
when set. 

cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true



This is the SLO request from CAS to Okta, with no signature element. I 
suppose that is why Okta says "Invalid Signature", but I do not know how to 
get Okta to turn off the check; in Okta, "Validate SAML requests with 
signature certificates" is OFF.

Ideas? Thanks in advance.

Yan

https://dev-...okta.com/app/dev-11p_1/ex..7/slo/saml; ID=
"_2701..ca870e07705" IssueInstant="2023-09-08T20:09:28.830Z" Version
="2.0" > 
https://localhost:8443/cas/samlsp yan...com _4ba2..3a4b0 
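A structural check for the situation described in this thread, added here as an example and not code from CAS, pac4j or Okta. It parses a SAML LogoutRequest and reports whether an enveloped ds:Signature is present and whether its Reference points at the message's own ID (the property that makes a signed logout hard to forge, which is the point Ray makes in his reply). It separately recognises the HTTP-Redirect binding, where the signature travels in the SigAlg and Signature query parameters rather than inside the XML, so a decoded request body with no Signature element is expected there. It does not verify the signature cryptographically. The two LogoutRequest documents and the URLs are constructed for the example; the hostnames are placeholders.

```python
"""Structural check for a SAML 2.0 LogoutRequest's signature.

Added example, not CAS, pac4j or Okta code. It reports where the signature
sits, not whether it verifies; digest and signature checking against the
signing certificate is the SAML library's job.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the shape of the request the thread describes, no ds:Signature.
UNSIGNED_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-unsigned" Version="2.0" IssueInstant="2023-09-08T20:09:28.830Z"
    Destination="https://idp.example.test/slo/saml">
  <saml:Issuer>https://localhost:8443/cas/samlsp</saml:Issuer>
  <saml:NameID>user@example.test</saml:NameID>
  <samlp:SessionIndex>_example-session</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed sample: the same request with an enveloped signature skeleton
# (digest and signature values are placeholders, so it is not verifiable).
SIGNED_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_example-signed" Version="2.0" IssueInstant="2023-09-08T20:09:28.830Z"
    Destination="https://idp.example.test/slo/saml">
  <saml:Issuer>https://localhost:8443/cas/samlsp</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_example-signed">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:NameID>user@example.test</saml:NameID>
  <samlp:SessionIndex>_example-session</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def signature_status(xml_text):
    """Report whether the message carries an enveloped signature bound to its own ID."""
    root = ET.fromstring(xml_text)
    message = root.tag.split("}")[-1]
    msg_id = root.get("ID")
    sig = root.find("ds:Signature", NS)  # must be a direct child of the message element
    if sig is None:
        return {"message": message, "id": msg_id, "signed": False, "reference_ok": False}
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI") if ref is not None else None
    # The Reference must point at this very message; a signature over anything
    # else gives no protection against a forged logout for someone else's session.
    return {"message": message, "id": msg_id, "signed": True, "reference_ok": uri == f"#{msg_id}"}


def redirect_binding_signed(url):
    """HTTP-Redirect binding: the signature is carried in SigAlg/Signature query
    parameters over the deflated SAMLRequest, not inside the XML."""
    query = parse_qs(urlsplit(url).query)
    return all(name in query for name in ("SAMLRequest", "SigAlg", "Signature"))


if __name__ == "__main__":
    for label, doc in (("unsigned", UNSIGNED_LOGOUT_REQUEST), ("signed", SIGNED_LOGOUT_REQUEST)):
        print(label, signature_status(doc))
    print("redirect binding signed:", redirect_binding_signed(
        "https://idp.example.test/slo/saml?SAMLRequest=PLACEHOLDER&SigAlg=PLACEHOLDER&Signature=PLACEHOLDER"))
```

When debugging an "invalid signature" at the receiving IdP, the first thing to establish is which of the two cases applies: a POST-bound request with no ds:Signature child, or a Redirect-bound request whose query string lacks SigAlg/Signature. Only then does it make sense to look at certificates and algorithms.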

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/24badbd3-7615-4ff8-9395-b3f4a3f70437n%40apereo.org.


[cas-user] Re: InResponseTo being added to on IdP initiated SSOs

2023-09-08 Thread 'Matthew Gordon' via CAS Community
Actually, according to the SAML2 specification it should not be returning 
the InResponseTo for any unsolicited / IdP-initiated 
SSOs: https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

4.1.5 Unsolicited Responses
An identity provider MAY initiate this profile by delivering an unsolicited 
<Response> message to a service provider.
An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor 
should any bearer <SubjectConfirmationData> elements contain one. If metadata 
as specified in [SAMLMeta] is used, the <Response> or artifact SHOULD be 
delivered to the <AssertionConsumerService> endpoint of the service provider 
designated as the default.
Of special mention is that the identity provider MAY include a 
binding-specific "RelayState" parameter that indicates, based on mutual 
agreement with the service provider, how to handle subsequent interactions 
with the user agent. This MAY be the URL of a resource at the service 
provider. The service provider SHOULD be prepared to handle unsolicited 
responses by designating a default location to send the user agent subsequent 
to processing a response successfully.

Thank you,
Matt


[cas-user] Re: CAS 6.6.x Service Registry with MongoDB

2023-09-08 Thread Petr Bodnár
Hi Diego,

glad to help. :)

But it looks like I need to correct myself a bit: the field was renamed, 
yet an annotation *@JsonProperty("multifactorPolicy")* was added to the 
class field at the same time. That's why the documentation is still 
generally correct when writing about *multifactorPolicy*. But *MongoDB* 
doesn't seem to support this annotation out of the box (see "@JsonProperty 
annotation is getting ignored in mongodb collection").

So I just wonder now, how do you actually manage the records within the 
MongoDB? I couldn't find any hint in the CAS documentation on this. Do you 
write the records to the MongoDB directly? Provided you would use the CAS 
Management webapp, would it automatically take care of the corresponding 
transformations?

Regards
Petr
On Friday, 8 September 2023 at 16:56:17 UTC+2 Diego Gimenez wrote:

> Hi Petr,
>
> thank you very much for your response! Changing the name from 
> *multifactorPolicy* to *multifactorAuthenticationPolicy* worked, I just 
> followed the documentation and the attribute has the name I was trying to 
> use. That's why I thought it was a bug, I did not expect it was a simple 
> rename!
>
> Diego
> On Friday, 8 September 2023 at 01:44:36 UTC-3 Petr Bodnár wrote:
>
>> Hi Diego,
>>
>> the reason why *multifactorPolicy* is not picked up by CAS 6.6.x seems 
>> to be trivial: the attribute was renamed to *multifactorAuthenticationPolicy* 
>> in this commit.
>> So your problem doesn't seem to be related just to MongoDB.
>>
>> Regarding the MongoDB's usage of "_class" instead of "@class", I've 
>> googled it for a while and it looks like this is the way how MongoDB stores 
>> Java objects in its "own" JSON format. I wonder if there are also some 
>> other differences from the "regular" JSON file format which CAS 
>> documentation commonly uses in the examples.
>>
>> I hope this helps
>> Petr
>>
>> On Wednesday, 6 September 2023 at 15:55:38 UTC+2 Diego Gimenez wrote:
>>
>>> Hello,
>>>
>>> I would like to clarify some things that I didn't say in the message 
>>> above.
>>> First of all, we have been using MongoDB the way shown for four years, 
>>> and nothing like this ever happened. That is why I decided to initiate 
>>> the conversation here. It is extremely rare that the only attribute it 
>>> is not reading is this particular one.
>>>
>>> Second, I tried using locally defined JSON files to test, and those read 
>>> the attribute perfectly (using "@class" instead of "_class" in those 
>>> definitions).
>>>
>>> Diego
>>>
>>> On Monday, 4 September 2023 at 16:41:13 UTC-3 Diego Gimenez wrote:
>>>
>>>> Hello,
>>>>
>>>> I am having trouble reading the specific attribute multifactorPolicy 
>>>> when using CAS with MongoDB as my Service Registry database. There are 
>>>> two problems, but the main one is that all the attributes of the 
>>>> registered services are perfectly understood by CAS, except the 
>>>> multifactorPolicy attribute. The question is: is it possible that CAS 
>>>> has a problem with the multifactorPolicy attribute being read from 
>>>> MongoDB?
>>>> I tried using other attributes such as attributeReleasePolicy and it 
>>>> didn't have any problem reading them; the tests were made using a 
>>>> Groovy script that prints all the attributes the registered service has.
>>>>
>>>> The other problem is that when I use the definition of a service 
>>>> provided by the CAS documentation, it defines an attribute named 
>>>> "@class". The problem with this is that if I define a service this way, 
>>>> CAS does not understand the class this registry entry belongs to, but 
>>>> when I define it with "_class" and the same value 
>>>> (org.apereo.cas.services.CasRegisteredService) it works and CAS can 
>>>> understand it. I did some research and I didn't find anything that can 
>>>> tell me why this happens. If you know anything or have an insight into 
>>>> what might be happening, it would be much appreciated.
>>>>
>>>> Diego

>>>
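A small migration helper for the two naming differences discussed in this thread, added here as an example and not code from CAS or the CAS Management webapp. It converts a service definition written in the JSON form the documentation uses into the form this thread reports MongoDB storing (`_class` instead of `@class`, `multifactorAuthenticationPolicy` instead of `multifactorPolicy`), converts back, and lists the keys CAS 6.6.x would not pick up from a MongoDB record. Applying the `@class` rename at nested levels as well as at the top level is an assumption; the thread only confirms the top-level record. The sample service definition is constructed.

```python
"""Convert CAS service definitions between the documentation's JSON form and
the MongoDB record shape reported in this thread (added example, not CAS code)."""
import json

# Keys as the CAS documentation writes them -> keys as the thread reports
# MongoDB storing them for CAS 6.6.x.
KEY_RENAMES = {
    "@class": "_class",
    "multifactorPolicy": "multifactorAuthenticationPolicy",
}
KEY_RESTORES = {v: k for k, v in KEY_RENAMES.items()}

# Constructed sample in the documentation's JSON form.
SERVICE_JSON = {
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": "^https://app.example.test/.*",
    "name": "example-app",
    "id": 100,
    "multifactorPolicy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-duo"]],
    },
}


def _rename_keys(node, mapping):
    """Apply a key mapping at every nesting level (assumption: nested @class
    keys follow the same rule; the thread only confirms the top-level one)."""
    if isinstance(node, dict):
        return {mapping.get(k, k): _rename_keys(v, mapping) for k, v in node.items()}
    if isinstance(node, list):
        return [_rename_keys(v, mapping) for v in node]
    return node


def to_mongo_document(service):
    """Documentation JSON -> MongoDB record."""
    return _rename_keys(service, KEY_RENAMES)


def from_mongo_document(document):
    """MongoDB record -> documentation JSON (e.g. to diff against the docs)."""
    return _rename_keys(document, KEY_RESTORES)


def find_legacy_keys(node, path=""):
    """List dotted paths of keys that CAS 6.6.x would not pick up from MongoDB."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in KEY_RENAMES:
                found.append(here)
            found.extend(find_legacy_keys(value, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_legacy_keys(value, f"{path}[{index}]"))
    return found


if __name__ == "__main__":
    print("legacy keys before:", find_legacy_keys(SERVICE_JSON))
    record = to_mongo_document(SERVICE_JSON)
    print(json.dumps(record, indent=2))
    print("legacy keys after:", find_legacy_keys(record))
```

Running `find_legacy_keys` over an exported collection is a quick way to spot records that silently lose their MFA policy after an upgrade, which is exactly the symptom Diego reports: everything loads except the one attribute whose key no longer matches.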

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e1cde131-5c7c-42b0-abcb-22c03e05d9e5n%40apereo.org.


[cas-user] Re: Request: CAS Letter of Support

2023-09-08 Thread Patrick Masson

Hi Jeremiah,

Thank you so much for your reply. You can simply email me your letter 
and I will attach it to our application paperwork.


Thanks so much for your help,
Patrick

On 9/8/23 1:56 PM, Jeremiah Garmatter wrote:

Hi Patrick,

Where should we send our completed letters?

On Thursday, September 7, 2023 at 2:20:02 PM UTC-4 Patrick Masson wrote:

/(Cross-posting on CAS Announcements and CAS Community)/

Dear CAS Community,

*TL;DR:* Apereo is seeking grant funding to support the continued
development and maintenance of CAS and needs letters of support
from the user and development community as part of our
application. Will you please help?

The Apereo Foundation, the non-profit home of CAS, is currently
seeking grant funding to support our ongoing development and
maintenance of CAS. We believe those working directly with CAS are
best positioned to affirm CAS's pivotal role in ensuring secure
access to their organization's digital resources. Your
organization's endorsement through a letter of support will
significantly bolster our grant application by demonstrating the
global community's reliance on and commitment to the CAS project.
We kindly ask that you consider drafting a letter of support
affirming the value of CAS and its impact on your organization's
operations.

Ideally, your letter will highlight the importance of continued
development and the benefits CAS brings to your organization. Your
support will not only aid in securing funding but also reinforce
the collaborative spirit of the Apereo Foundation and the broader
open source community. In the long run, this letter actually
supports your own work and your organization. We greatly
appreciate your consideration and are happy to provide any
information or assistance you may require to complete the letter.
*We have attached a draft letter that you may use as is, requiring
only a signature, or as a template for your own personal letter.*

Thank you for your ongoing support and dedication to open source
software. Your contribution will be instrumental in ensuring CAS
remains a robust and reliable authentication service for
organizations worldwide.

Best regards,

Patrick Masson, Executive Director, Apereo Foundation
Misagh Moayyed, Chairman, Project Management Committee, Central Authentication Service (CAS)


--


Patrick Masson
Executive Director
Apereo Foundation
9450 SW Gemini Dr PMB 98572
Beaverton, OR 97008-7105
Mobile: +1 (970) 4-MASSON
Website: www.apereo.org

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b233802f-9024-18dc-422a-f0eb20637c52%40apereo.org.


[cas-user] Re: Request: CAS Letter of Support

2023-09-08 Thread 'Matthew Gordon' via CAS Community
Hello Patrick,

Thank you for the prompt. Where should we send this letter? Or would an 
email be sufficient?

Thank you,
Matt 



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0f850e72-02ff-456f-befc-728f8859c687n%40apereo.org.


[cas-user] Re: Request: CAS Letter of Support

2023-09-08 Thread Jeremiah Garmatter
Hi Patrick,

Where should we send our completed letters?


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9d42-a707-459d-92da-26d05648d997n%40apereo.org.


[cas-user] InResponseTo being added to on IdP initiated SSOs

2023-09-08 Thread 'Matthew Gordon' via CAS Community
Hello,

When using the built-in IdP functionality as of CAS 6.6.11 with an 
IdP-initiated (a.k.a. unsolicited) SSO, the SAML response now includes an 
"InResponseTo" attribute within the "saml2p:Response" tag. There is no 
option to disable it here, only within the subject. We have a vendor that 
does not handle this possibility, and it makes it appear as if it's an 
SP-initiated SSO rather than an IdP-initiated one to their SP.

e.g. you go to:  
https://idp/cas/idp/profile/SAML2/Unsolicited/SSO?providerId=https://sp

*6.6.11:*
<saml2p:Response Destination="https://sp/saml/assertionconsumerservice"
 ID="_2025749187894792192"
 InResponseTo="_2327057598197701632"
 IssueInstant="2023-09-07T11:49:38.388Z"
 Version="2.0"
 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 >
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp/cas/idp</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>lbux+715IPQofujJcxFrugbIJCGSu71RzspyDtqWrUY=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>[removed]</ds:SignatureValue>
    <ds:KeyInfo>[removed]</ds:KeyInfo>
  </ds:Signature>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://idp/cas/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID NameQualifier="https://idp/cas/idp"
        SPNameQualifier="https://sp"
        >[removed]</saml2:NameID>
      <saml2:SubjectConfirmation>
        <saml2:SubjectConfirmationData Recipient="https://sp/saml/assertionconsumerservice"
          />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://sp</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute>
        <saml2:AttributeValue>[removed]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute>
        <saml2:AttributeValue>[removed]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute>
        <saml2:AttributeValue>[removed]</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
 
*6.6.10:*
<saml2p:Response Destination="https://sp/saml/assertionconsumerservice"
 ID="_8596234070664411136"
 IssueInstant="2023-09-07T11:54:55.123Z"
 Version="2.0"
 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 >
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp/cas/idp</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference>
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>[removed]</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>[removed]</ds:SignatureValue>
    <ds:KeyInfo>[removed]</ds:KeyInfo>
  </ds:Signature>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://idp/cas/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID NameQualifier="https://idp/cas/idp"
        SPNameQualifier="https://sp"
        >[removed]</saml2:NameID>
      <saml2:SubjectConfirmation>
        <saml2:SubjectConfirmationData Recipient="https://sp/saml/assertionconsumerservice"
          />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://sp</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute>
        <saml2:AttributeValue>[removed]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute>
        <saml2:AttributeValue>[removed]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute>
        <saml2:AttributeValue>[removed]</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

Any ideas how I can get it to stop sending the InResponseTo in the Response?

Thank you,
Matt

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/589bfc3e-22cf-4d47-a0b0-550e84285195n%40apereo.org.
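The SP-side check this thread is really about, as an added example written for this page (Python; it is not CAS code and not the vendor's SP). SAML 2.0 Profiles section 4.1.4.2 says a Response to an AuthnRequest MUST carry InResponseTo matching the request ID, and an unsolicited (IdP-initiated) Response MUST NOT carry it. An SP that follows that rule reads a Response-level InResponseTo as a claim to be the answer to a request it sent, looks the ID up in its outstanding-request table, and rejects the message when nothing matches; that is the behaviour the vendor SP shows against the 6.6.11 output. The sample documents are constructed from the IDs and URLs in the post with the Signature, Status and AttributeStatement left out; the assertion ID, the bearer confirmation method and the allow_unsolicited switch are assumptions. Signature, Destination/Recipient, audience and timestamp validation are assumed to happen before this step and are not shown.

```python
"""SP-side handling of InResponseTo on a SAML 2.0 <saml2p:Response>.

Added example for this thread; not CAS code and not the vendor SP's code.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Entity IDs, endpoints and message IDs as they appear in the post.
IDP_ENTITY_ID = "https://idp/cas/idp"
SP_ENTITY_ID = "https://sp"
ACS_URL = "https://sp/saml/assertionconsumerservice"
RESPONSE_ID = "_2025749187894792192"
REQUEST_ID = "_2327057598197701632"


def build_response(in_response_to=None):
    """Constructed sample shaped like the post's responses: the 6.6.10 form
    when in_response_to is None, the 6.6.11 form when it is set (InResponseTo
    on the Response element only, none on SubjectConfirmationData).
    Signature, Status and AttributeStatement are left out; the Assertion ID
    and the bearer Method are placeholders (assumptions)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    Destination="{ACS_URL}" ID="{RESPONSE_ID}"{irt}
    IssueInstant="2023-09-07T11:49:38.388Z" Version="2.0">
  <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2:Assertion ID="_assertion-placeholder" IssueInstant="2023-09-07T11:49:38.388Z" Version="2.0">
    <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID NameQualifier="{IDP_ENTITY_ID}" SPNameQualifier="{SP_ENTITY_ID}">[removed]</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction><saml2:Audience>{SP_ENTITY_ID}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def check_in_response_to(response_xml, pending_request_ids, allow_unsolicited=True):
    """Decide how the SP treats InResponseTo after signature validation.

    pending_request_ids: set of AuthnRequest IDs this SP issued and has not
    yet seen answered; a matching ID is consumed so the Response cannot be
    replayed. Returns "solicited", "unsolicited" or "rejected: <reason>".
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['saml2p']}}}Response":
        return "rejected: not a saml2p:Response"

    response_irt = root.get("InResponseTo")
    bearer_irts = {
        scd.get("InResponseTo")
        for scd in root.iterfind(".//saml2:SubjectConfirmationData", NS)
        if scd.get("InResponseTo")
    }

    if response_irt is None and not bearer_irts:
        # No request referenced anywhere: IdP-initiated SSO (SAML 2.0
        # Profiles 4.1.4.2 requires InResponseTo to be absent in this case).
        if not allow_unsolicited:
            return "rejected: unsolicited responses are disabled for this SP"
        return "unsolicited"

    if response_irt is None:
        return "rejected: bearer assertion references a request but the Response does not"
    if bearer_irts and bearer_irts != {response_irt}:
        return "rejected: assertion InResponseTo does not match the Response InResponseTo"
    if response_irt not in pending_request_ids:
        # The 6.6.11 failure mode: the SP never sent a request with this ID,
        # so the message is either a replay or an unsolicited response that
        # wrongly claims to be solicited.
        return f"rejected: no outstanding AuthnRequest with ID {response_irt}"

    pending_request_ids.discard(response_irt)  # single use
    return "solicited"


if __name__ == "__main__":
    print("6.6.10 shape, no pending request:",
          check_in_response_to(build_response(), set()))
    print("6.6.11 shape, no pending request:",
          check_in_response_to(build_response(REQUEST_ID), set()))
    print("6.6.11 shape, matching pending request:",
          check_in_response_to(build_response(REQUEST_ID), {REQUEST_ID}))
```

Run stand-alone, the first call is accepted as unsolicited, the second is rejected because the SP has no outstanding request with that ID, and the third is accepted as solicited. The point for the CAS side is the mirror image: an IdP that stamps InResponseTo on an unsolicited Response is asking every conforming SP to treat that Response as solicited, so the attribute has to be left off, not merely tolerated by the SP.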


Re: [cas-user] Add a new controller to the CAS7 server

2023-09-08 Thread Ray Bon
See https://apereo.github.io/cas/6.6.x/webflow/Webflow-Customization-Extensions.html
and https://fawnoos.com/2022/07/22/cas66-ui-themes/

Ray

On Fri, 2023-09-08 at 16:15 +0800, ztf863 wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.


Hello, I am a beginner in CAS. I want to add a new controller to the CAS7 
server, but it does not take effect. How should I implement it? Is there any 
documentation for this? Thanks

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d2bd11d62bd88b45cb9cc5ff9477b55e2850ba6.camel%40uvic.ca.


[cas-user] Re: Submit a CAS evolution for 6.6.12

2023-09-08 Thread John
You have basically one large commit for all changes; it's much easier for 
Apereo to see what is being changed, and where, if you make a commit for each 
section of changes. Also, why is there Authy stuff in the MFA module? It 
should probably be renamed (the classes, etc.) to Okta. For example, 
"package org.apereo.cas.adaptors.authy" is already used in CAS and should 
probably be changed to something like "org.apereo.cas.okta", since the former 
already exists, and that would stay in line with how modules are packaged. The 
config should probably be under "org.apereo.cas.config" and not be 
'authyconfiguration'.

On Friday, September 8, 2023 at 3:18:35 AM UTC-5 Jérémie wrote:

> Hi,
>  
> I have developed a custom module for Apereo CAS to allow Okta MFA support 
> for CAS authentication.
>
> We have developed a custom working module based on a similar Authy project 
> we've found online. 
>
> We are having trouble now to fork, adapt & submit our module to the CAS 6.6.12 
> release due for the end of September. Our pull request has been 
> automatically rejected: https://github.com/apereo/cas/pull/5751/files
>
> I've never done that so I might not see obvious steps here.
>
> Thank you  
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/71d7d4a4-2f7d-4a33-a88a-f6d0f27ce15bn%40apereo.org.


[cas-user] Re: CAS 6.6.x Service Registry with MongoDB

2023-09-08 Thread 'Diego Gimenez' via CAS Community
Hi Petr,

thank you very much for your response! Changing the name from 
*multifactorPolicy* to *multifactorAuthenticationPolicy* worked, I just 
followed the documentation and the attribute has the name I was trying to 
use. That's why I thought it was a bug, I did not expect it was a simple 
rename!

Diego
On Friday, 8 September 2023 at 01:44:36 UTC-3 Petr Bodnár wrote:

> Hi Diego,
>
> the reason why *multifactorPolicy* is not picked up by CAS 6.6.x seems to 
> be trivial: the attribute was renamed to *multifactorAuthenticationPolicy* 
> in this commit.
>  
> So your problem doesn't seem to be related just to MongoDB.
>
> Regarding the MongoDB's usage of "_class" instead of "@class", I've 
> googled it for a while and it looks like this is the way how MongoDB stores 
> Java objects in its "own" JSON format. I wonder if there are also some 
> other differences from the "regular" JSON file format which CAS 
> documentation commonly uses in the examples.
>
> I hope this helps
> Petr
>
> On Wednesday, 6 September 2023 at 15:55:38 UTC+2 Diego Gimenez wrote:
>
>> Hello,
>>
>> I would like to clarify some things that I didn't say in the message 
>> above.
>> First of all, we were using MongoDB the way it is shown for four years, and 
>> nothing like this ever happened. That is why I decided to initiate 
>> the conversation here. It is extremely rare that the only attribute it's 
>> not reading is this particular one.
>>
>> Second, I tried using locally defined JSON files to test, and those read 
>> the attribute perfectly (using "@class" instead of "_class" in those 
>> definitions).
>>
>> Diego
>>
>> On Monday, 4 September 2023 at 16:41:13 UTC-3 Diego Gimenez wrote:
>>
>>> Hello,
>>>
>>> I am having trouble with reading the specific attribute of 
>>> multifactorPolicy when using CAS with MongoDB as my Service Registry 
>>> database. There are two problems, but the main one is that all the 
>>> attributes at the registered services are perfectly understood by CAS, 
>>> except the multifactorPolicy attribute. The question is: Is it possible 
>>> that CAS has a problem with multifactorPolicy attribute being read from 
>>> MongoDB?
>>> I tried using other attributes such as attributeReleasePolicy and it 
>>> didn't have any problem reading them; the tests were made using a Groovy 
>>> script that prints all the attributes the registered service has.
>>>
>>> The other problem is that when I use the definition provided by CAS 
>>> documentation of a service, it defines an attribute named "@class", the 
>>> problem with this is that if I define a service this way, CAS does not 
>>> understand the class this registry belongs to, but when I define it with 
>>> "_class" and the same value (org.apereo.cas.services.CasRegisteredService) 
>>> it works and CAS can understand it. I did some research and I didn't find 
>>> anything that can tell me why this happens. If you know anything and can 
>>> tell or have an insight of what might be happening would be much 
>>> appreciated.
>>>
>>> Diego
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/99ae28bc-9c24-4dee-a33a-589e64a32726n%40apereo.org.
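A registry lint and migration pass for the two points raised in this thread, as an added example written for this page (Python; it is not CAS code). It takes as given what the thread states: the service attribute multifactorPolicy was renamed multifactorAuthenticationPolicy in 6.6.x (Petr), so a document still using the old key has its MFA policy silently ignored, and documents in the MongoDB service registry carry the Java type under "_class" while JSON-file definitions use "@class" (Diego). The sample service, the policy class name, the provider id and the assumption that nested policy objects follow the same discriminator convention as the top-level document are all assumptions made here, not taken from the page.

```python
"""Lint and migrate a CAS registered-service document for a 6.6.x upgrade.

Added example for this thread; not CAS code. Checks two things the thread
reports: the old `multifactorPolicy` key (renamed to
`multifactorAuthenticationPolicy`) and the type-discriminator key, which is
`@class` in JSON-file definitions and `_class` in MongoDB documents.
"""
import json

OLD_MFA_KEY = "multifactorPolicy"
NEW_MFA_KEY = "multifactorAuthenticationPolicy"
TYPE_KEY = {"json": "@class", "mongo": "_class"}

# Constructed sample: a JSON-file style definition written for the old
# attribute name. The policy class name and provider id are assumptions.
SAMPLE_JSON_SERVICE = {
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": "^https://app.example.org/.*",
    "name": "Example application",
    "id": 1,
    OLD_MFA_KEY: {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-duo"]],
    },
}


def _other_type_key(registry):
    return TYPE_KEY["mongo" if registry == "json" else "json"]


def lint_service(doc, registry):
    """Return (path, message) findings for a document meant for `registry`
    ("json" or "mongo"). An empty list means nothing to fix."""
    want, other = TYPE_KEY[registry], _other_type_key(registry)
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            if OLD_MFA_KEY in node:
                findings.append((f"{path}/{OLD_MFA_KEY}",
                                 f"renamed to {NEW_MFA_KEY} in CAS 6.6.x; "
                                 "this MFA policy will be ignored"))
            if other in node and want not in node:
                findings.append((f"{path}/{other}",
                                 f"{registry} registry expects the type under {want}"))
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(doc, "")
    return findings


def migrate_service(doc, registry):
    """Return a new document with the MFA key renamed and the type
    discriminator switched to the one `registry` expects. The input is not
    modified. Nested objects are converted too (assumption: nested policy
    objects use the same discriminator convention as the top level)."""
    want, other = TYPE_KEY[registry], _other_type_key(registry)

    def convert(node):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                if key == OLD_MFA_KEY:
                    key = NEW_MFA_KEY
                elif key == other:
                    key = want
                out[key] = convert(value)
            return out
        if isinstance(node, list):
            return [convert(value) for value in node]
        return node

    return convert(doc)


if __name__ == "__main__":
    for path, message in lint_service(SAMPLE_JSON_SERVICE, "mongo"):
        print(f"{path}: {message}")
    print(json.dumps(migrate_service(SAMPLE_JSON_SERVICE, "mongo"), indent=2))
```

Run stand-alone against the sample, the lint reports the stale multifactorPolicy key and both "@class" keys, and the migrated document has multifactorAuthenticationPolicy and "_class" throughout; running the lint again on the migrated document returns nothing. The useful habit is to run the lint over every exported service after an upgrade rather than waiting for an MFA bypass to show up as a missing prompt.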


[cas-user] Add a new controller to the CAS7 server

2023-09-08 Thread ztf863
Hello, I am a beginner in CAS. I want to add a new controller to the 
CAS7 server, but it does not take effect. How should I implement it? Is 
there any documentation for this? Thanks


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/35660eca-59a3-4be3-a14e-cd346ebe4db7%40gmail.com.


[cas-user] Submit a CAS evolution for 6.6.12

2023-09-08 Thread Jérémie
Hi,
 
I have developed a custom module for Apereo CAS to allow Okta MFA support 
for CAS authentication.

We have developed a custom working module based on a similar Authy project 
we've found online. 

We are having trouble now to fork, adapt & submit our module to the CAS 6.6.12 
release due for the end of September. Our pull request has been 
automatically rejected: https://github.com/apereo/cas/pull/5751/files

I've never done that so I might not see obvious steps here.

Thank you  

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b9a1d361-7e04-4d2e-9512-ef29918569e3n%40apereo.org.