[cas-user] Re: CAS: 7.0 Office365 login with tenant common - broken

2024-05-31 Thread Łukasz Woźniak 
Problem is 
known: 
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/460/cant-parse-azure-oidc-metadata-unencoded

piątek, 31 maja 2024 o 09:32:33 UTC+2 Łukasz Woźniak napisał(a):

> Hi, 
>
> We integrate with Office365 by OIDC. On version 6.5 it's work very good. 
> After upgrade configuration with "azure.tenant=common" doesn't work. 
>
> I found that library nimbussds:oauth2-oidc-sdk cannot handle issuer url 
> from 
> https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
>
> *"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0 
> <https://login.microsoftonline.com/%7Btenantid%7D/v2.0>",*
>
>  Any one have solution for that ?
>
> Thanks,
> Łukasz
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a154e998-75be-43c4-9b76-6704351b000dn%40apereo.org.

[cas-user] CAS: 7.0 Office365 login with tenant common - broken

2024-05-31 Thread Łukasz Woźniak 
Hi, 

We integrate with Office365 by OIDC. On version 6.5 it's work very good. 
After upgrade configuration with "azure.tenant=common" doesn't work. 

I found that library nimbussds:oauth2-oidc-sdk cannot handle issuer url 
from 
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

*"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",*

 Any one have solution for that ?

Thanks,
Łukasz

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/07604837-5473-408f-9d83-6184344d9d01n%40apereo.org.

Re: [cas-user] Re: CAS 7 master mfa-gauth issue commit 15580dc action="@{/login}"

2024-05-28 Thread Łukasz Woźniak 
We override view and Madej change from mfa-gauth to login.

pon., 27 maj 2024, 11:47 użytkownik Frédéric Dussurget 
napisał:

> Hi there,
> just asking if somebody managed to resolve this pending issue ?
> regards,
>
> Le mardi 16 avril 2024 à 18:03:32 UTC+2, Frédéric Dussurget a écrit :
>
>> Hi,
>> context : mfa-gauth issue, since october, we have a 401 error trying to
>> acces /cas/mfa-gauth when trying to register new devices.
>>
>> according to this commit :
>>
>> https://github.com/apereo/cas/commit/15580dc#diff-217a31a51bb1b4b527e8866140a331dedf1278c2a806421a985a54ad1568986f
>>
>> When I roll back the "action" value in this form, from :
>> action="@{${'/' + activeFlowId} }"
>> to :
>> action="@{/login}"
>>
>> It is ... back to life and working again (in my case, but that is not the
>> case for everybody afaik ...)
>> The webflow might have changed from CAS 6 to 7 and there might be a
>> blocking spring permission on the /cas/mfa-gauth endpoint ...
>>
>> A lot of thanks to Al Faller, have a look at the previous discussion :
>> https://groups.google.com/a/apereo.org/g/cas-user/c/H4fvKej9NSs
>>
>> Regards,
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/79545cac-b5bb-46fa-9420-a216aa334b64n%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_ioUovUrPH%2B_PrUvdkwRCeeT3RuJMKxdERwReJTpcP5QQ%40mail.gmail.com.

[cas-user] CAS 7.0.3 Office365 Integration and attributes problem

2024-05-08 Thread Łukasz Woźniak 
Hello,

We actually migrating from CAS 6.5 to 7.0. We are integrated with Office365 
but in version 7.0.3 is problem that We dont get family_name and given_name 
attributes. Our configuration in scope we have set: "openid profile email"

Anyone have similar problem ?

Thanks,
Lukas

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f1ec055a-30d4-4f67-a857-2c5f05ce90d8n%40apereo.org.

Re: [cas-user] CAS 7.0.3: missing LDAP principal attributes when using DUO MFA

2024-04-12 Thread Łukasz Woźniak 
Hi,

We are using CAS in version 6.5 on production with protocols OAuth, SAML,
OIDC. We use attributeRepository from LDAP because we need *memberOf *with
recursive data. There are many memberOf so we need to filter it out. We use
attributeReleasePolicy
with RegisteredServiceMutantRegexAttributeFilter. And on version 6.5 it
works*. *

We upgraded to version 7.0.3 and now resolving attributes is working very
bad. In OAuth 2.0 protocol we get all values from memberOf without
filtering. In SAML protocol it works good.

I've checked and ChainingAttributeReleasePolicy is returning good result.
But like Mike S sad this values are merged (all attributes + that filtered
out).



pt., 12 kwi 2024 o 20:40 Mike S  napisał(a):

> Thanks for your response Ray. I've been banging my head against this for a
> while and I thought it was something I was missing. I've verified the
> conflict resolver option doesn't work.
>
> The log debug log output  shows the LDAP and DUO attributes at one point
> are merged, but the result is discarded.
>
> Is there a suggested workaround?
>
> On Friday, April 12, 2024 at 12:24:47 p.m. UTC-2:30 Ray Bon wrote:
>
>> Mike,
>>
>> I can confirm this behaviour.
>> DefaultPrincipalElectionStrategy was changed between 6.5 and 7.0. The
>> change was in 5bcef20 about 5 months ago.
>>
>> The old behaviour was to select the first principle in a list; new
>> behaviour defaults to last.
>> Even setting this property,
>>
>> cas.person-directory.principal-resolution-conflict-strategy=first
>>
>> does not work.
>>
>> Printing the list of principals immediately before
>> PrincipalElectionStrategyConflictResolver is invoked:
>>
>> 2024-04-11 23:40:23,144 ERROR [
>> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] - > SimplePrincipal(id=rbon, attributes={cn=[Ray Bon],
>> description=[ROLE_ADMIN], domain=[uvic.ca], ...
>> 2024-04-11 23:40:23,144 ERROR [
>> org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] - > SimplePrincipal(id=rbon, attributes={duoAud=[...],
>> duoAuthCtxAccessDeviceIp=[...], ...
>>
>> The principal id's are the same (so merging attributes should work).
>>
>> Our setup fetches attributes after authentication (instead of at the time
>> of authentication) but before duo flow.
>>
>> I will investigate if there is an effect of when ldap attributes are
>> retrieved; as well as look into other possible config settings that might
>> affect attribute merging.
>>
>> Ray
>>
>>
>> On Wed, 2024-04-10 at 12:47 -0700, Mike S wrote:
>>
>> Notice: This message was sent from outside the University of Victoria
>> email system. Please be cautious with links and sensitive information.
>>
>>
>> (Apologies for the repost. The CAS version has been added in the subject
>> line as well as the cas.properties file)
>>
>> We are testing a CAS 7.0.3 POC system using universal prompt DUO MFA. The
>> system is configured to use OpenLDAP for authentication. However, once DUO
>> MFA is enabled via the Fawnoos blog entry, the attributes returned for the
>> principal are from DUO.
>>
>> How do we tell CAS to only use the LDAP attribute repository?
>>
>> Thanks,
>> Mike
>>
>> *cas.properties*
>>
>> cas.server.name=https://cas-poc.xxx.yyy
>> cas.server.prefix=${cas.server.name}/cas
>> cas.server.scope=xxx.yyy
>> cas.host.name=xxx.yyy
>>
>> logging.config: file:/etc/cas/config/log4j2.xml
>> logging.level.org.apereoi.cas=debug
>>
>> server.port=8443
>> server.ssl.enabled=true
>> server.ssl.protocol=TLS
>> server.ssl.key-store=file:/etc/cas/config/keystore.jks
>> server.ssl.key-store-password=XXX
>> server.ssl.key-password=Y
>> server.ssl.key-store-type=JKS
>> server.ssl.key-alias=default
>>
>> server.servlet.context-path=/cas
>> server.servlet.application-display-name=cas
>>
>> cas.server.tomcat.http[0].enabled=false
>> cas.server.tomcat.http-proxy.enabled=true
>> cas.server.tomcat.http-proxy.secure=false
>> cas.server.tomcat.http-proxy.scheme=https
>> cas.server.tomcat.http-proxy.protocol=HTTP/2
>> server.tomcat.remoteip.internal-proxies=AAA.BBB.CCC.DDD
>> server.tomcat.accesslog.request-attributes-enabled=true
>> server.tomcat.max-http-form-post-size=2097152
>> server.tomcat.max-threads=200
>>
>> [service registry config omitted]
>>
>> cas.authn.accept.users=
>> cas.authn.accept.enabled=false
>>
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldap-url=ldaps://ldap1.xxx.yyy,ldaps://ldap2.xxx.yyy
>> cas.authn.ldap[0].base-dn=dc=xxx,dc=yyy
>> cas.authn.ldap[0].search-filter=(|(uid={user})(mailAddress={user}))
>> cas.authn.ldap[0].bind-dn=uid=ro-ldap-user,ou=users,dc=xxx,dc=yyy
>> cas.authn.ldap[0].bind-credential=XX
>>
>> cas.authn.ldap[0].principal-attribute-list=altEmailaltEmailDate,authViaAltEmailVerificationKey,[...]
>>
>> cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
>> cas.authn.mfa.duo[0].account-status-enabled=true
>> cas.authn.mfa.duo[0].duo-secret-key=XX
>> cas.authn.mfa.duo[0].duo-integration-key=Y

[cas-user] CAS 7.0.3: SAML problem with returning attribute

2024-04-11 Thread Łukasz Woźniak 
Hello,

We upgrade CAS from version 6.5.9 to 7.0.3 and CAS in SAML stop returning 
*givenName 
*in attributes. Example configuration below. Any idea why is it stop 
working ?

"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"excludeDefaultAttributes": true,
"allowedAttributes": {
  "@class": "java.util.TreeMap",
  "email": "mail",
  "upn": "upn",
  "userPrincipalName": "upn",
  "given_name": "givenName",
  "givenName": "givenName",
  "family_name": "sn"
}
  }

Thanks for any idea and help.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/dd133950-28ab-408c-98cd-3615b18d9000n%40apereo.org.

Re: [cas-user] CAS v7.0.0 Performance issue.

2024-03-01 Thread Łukasz Woźniak 
When You hit for accessToken CAS filterout claims that are diffrent than
declared for OIDC. This happened here
*org/apereo/cas/support/oauth/web/DefaultOAuth20RequestParameterResolver.java:169
*It shouldn't be like that for OAuth
For now, We override this class, and when someone ask for accessToken with
own claims we do not remove them.

wt., 27 lut 2024 o 22:02 Fatih Deniz  napisał(a):

> This we just experienced that uses OAuth protocol during a relatively high
> load scenario, would you be able to give more insights to this issue? What
> are some quick fix options available if you know any?
>
> On Tue, Feb 27, 2024, 9:10 PM Łukasz Woźniak 
> wrote:
>
>> What protocol do you use ? Do You use OAuth? In my situation, I found
>> that on the OAuth there is a bug in 7.0.0. CAS filter out scopes not
>> mentioned in properties for OIDC( it shouldn't be like that). So
>> application connecting with OAuth was doing Ddos, because It get empty
>> scopes.
>>
>> I know It is not related, but maybe It help.
>> Prometheus metrics help a lot.
>>
>> wt., 27 lut 2024, 19:57 użytkownik Ray Bon  napisał:
>>
>>> Shavi,
>>>
>>> Hazelcast is not listed as a storage option for services;
>>> ConcurrentIndexedCollection is related to service storage.
>>> What do you use for storing services?
>>> Have you tried increasing memory used by the application container?
>>>
>>> Ray
>>>
>>> On Tue, 2024-02-27 at 01:28 -0800, Shavi Teotia wrote:
>>>
>>> Notice: This message was sent from outside the University of Victoria
>>> email system. Please be cautious with links and sensitive information.
>>>
>>> Hi Ray and team,
>>>  Could you please help we are stuck at this point. Its been long we are
>>> trying to resolve this.
>>>
>>> On Friday 23 February 2024 at 20:29:54 UTC+5:30 Shavi Teotia wrote:
>>>
>>> Hi Ray and Team,
>>>
>>> We have an enterprise application, cannot change the backend. But Could
>>> you please suggest what would be the impact if the indexing is stopped from
>>> this piece of code.
>>>
>>> Another point we are using hazelcast registry, is there any specific
>>> setting  or property that needs to be done in that case.
>>>
>>>
>>> On Friday 23 February 2024 at 19:44:24 UTC+5:30 Ray Bon wrote:
>>>
>>> Shavi,
>>>
>>> Could this be related to the storage mechanism you use for services?
>>> Are you able to try a different back end?
>>>
>>> Ray
>>>
>>> On Fri, 2024-02-23 at 00:09 -0800, Shavi Teotia wrote:
>>>
>>> Notice: This message was sent from outside the University of Victoria
>>> email system. Please be cautious with links and sensitive information.
>>>
>>>
>>> I have recently updated the cas version on my application from 6.6.2 to
>>> 7.0.0.
>>> There is some performance issue, that usually occurs when there is no
>>> load on the server.
>>>
>>> My CPU utilization graph goes up till 98% and application goes down,
>>> start giving 503, we have to restart it or redeploy it.
>>> We checked through the heap dump we found, the issue is related to the
>>> ConcurrentIndexedCollection, which is used for registered service indexing.
>>>
>>> So my question is can we anyhow disable this or is there any other way
>>> to optimize, any specific property that needs to be declared.
>>>
>>> Please let me know if any other information is also required.
>>>
>>>
>>>
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/bcc288ede48052bb1a71aee72047a99789062c80.camel%40uvic.ca
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/bcc288ede48052bb1a71aee72047a99789062c80.camel%40uvic.ca?utm_medium=email_source=footer>
>>> .
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List

Re: [cas-user] CAS v7.0.0 Performance issue.

2024-02-27 Thread Łukasz Woźniak 
What protocol do you use ? Do You use OAuth? In my situation, I found that
on the OAuth there is a bug in 7.0.0. CAS filter out scopes not mentioned
in properties for OIDC( it shouldn't be like that). So application
connecting with OAuth was doing Ddos, because It get empty scopes.

I know It is not related, but maybe It help.
Prometheus metrics help a lot.

wt., 27 lut 2024, 19:57 użytkownik Ray Bon  napisał:

> Shavi,
>
> Hazelcast is not listed as a storage option for services;
> ConcurrentIndexedCollection is related to service storage.
> What do you use for storing services?
> Have you tried increasing memory used by the application container?
>
> Ray
>
> On Tue, 2024-02-27 at 01:28 -0800, Shavi Teotia wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hi Ray and team,
>  Could you please help we are stuck at this point. Its been long we are
> trying to resolve this.
>
> On Friday 23 February 2024 at 20:29:54 UTC+5:30 Shavi Teotia wrote:
>
> Hi Ray and Team,
>
> We have an enterprise application, cannot change the backend. But Could
> you please suggest what would be the impact if the indexing is stopped from
> this piece of code.
>
> Another point we are using hazelcast registry, is there any specific
> setting  or property that needs to be done in that case.
>
>
> On Friday 23 February 2024 at 19:44:24 UTC+5:30 Ray Bon wrote:
>
> Shavi,
>
> Could this be related to the storage mechanism you use for services?
> Are you able to try a different back end?
>
> Ray
>
> On Fri, 2024-02-23 at 00:09 -0800, Shavi Teotia wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
>
> I have recently updated the cas version on my application from 6.6.2 to
> 7.0.0.
> There is some performance issue, that usually occurs when there is no load
> on the server.
>
> My CPU utilization graph goes up till 98% and application goes down, start
> giving 503, we have to restart it or redeploy it.
> We checked through the heap dump we found, the issue is related to the
> ConcurrentIndexedCollection, which is used for registered service indexing.
>
> So my question is can we anyhow disable this or is there any other way to
> optimize, any specific property that needs to be declared.
>
> Please let me know if any other information is also required.
>
>
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/bcc288ede48052bb1a71aee72047a99789062c80.camel%40uvic.ca
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_jyyJqzdfrFUFnsneQJLY55C1c5bvW47ywa6afC8QbnRA%40mail.gmail.com.

Re: [cas-user] CAS v7.0.0 Performance issue.

2024-02-23 Thread Łukasz Woźniak 
Same happend to Us. We have CAS on AWS in kubernetes. We have git for
services and redis for tickets and mfa. We have 2 pod running with
Horizontal Pod Autoscaling enabled. Autoscale never grow higher than 3 pods.

When we deploy CAS from version 6.5 to 7.0, CPU is always almost 100%. HPA
scaled the app to 15 pods (max).

When I debug the App, I think CAS on 7.0 uses Virtual Thread from Java 21
and not all library is ready for that.

 Is IT possibile to turn this off ?

Lukas


pt., 23 lut 2024, 15:59 użytkownik Shavi Teotia 
napisał:

> Hi Ray and Team,
>
> We have an enterprise application, cannot change the backend. But Could
> you please suggest what would be the impact if the indexing is stopped from
> this piece of code.
>
> Another point we are using hazelcast registry, is there any specific
> setting  or property that needs to be done in that case.
>
>
> On Friday 23 February 2024 at 19:44:24 UTC+5:30 Ray Bon wrote:
>
>> Shavi,
>>
>> Could this be related to the storage mechanism you use for services?
>> Are you able to try a different back end?
>>
>> Ray
>>
>> On Fri, 2024-02-23 at 00:09 -0800, Shavi Teotia wrote:
>>
>> Notice: This message was sent from outside the University of Victoria
>> email system. Please be cautious with links and sensitive information.
>>
>>
>> I have recently updated the cas version on my application from 6.6.2 to
>> 7.0.0.
>> There is some performance issue, that usually occurs when there is no
>> load on the server.
>>
>> My CPU utilization graph goes up till 98% and application goes down,
>> start giving 503, we have to restart it or redeploy it.
>> We checked through the heap dump we found, the issue is related to the
>> ConcurrentIndexedCollection, which is used for registered service indexing.
>>
>> So my question is can we anyhow disable this or is there any other way to
>> optimize, any specific property that needs to be declared.
>>
>> Please let me know if any other information is also required.
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a7653e9-ca89-4e20-84e2-8fa5476e6765n%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_ghK9F-GXVXPqG2PEpQmSb4EZUHU%2BNstA9%2B_TN4rYMCsA%40mail.gmail.com.

Re: [cas-user] Re: CAS 5.3 OAuth2 Delegated Authentication error Client not found

2023-07-24 Thread Łukasz Woźniak 
Many years ago I have been using CAS with version 5.3, but there was many
errors with delegated authentication. I suggest You to upgrade to version
6.6.x

sob., 22 lip 2023 o 06:34 mohsen saeedi 
napisał(a):

> Extra information is needed to answer this question?
>
> nobody is here to help me?
>
> Best Regards
>
> On Thursday, July 20, 2023 at 12:28:13 AM UTC+3:30 mohsen saeedi wrote:
>
>> Hello,
>>
>> I'm using CAS 5.3 latest version. I want to delegate authentication to
>> an external oauth2 identity server. I added new configuration key
>> starts with cas.authn.pac4j.oauth2[0] for authUrl, tokenUrl,
>> ProfileUrl and ... . also defined clientName (for example OAuth20).
>> Everything works fine but when user return back to cas, it prints
>> error: 2023-07-17 03:57:35,221 ERROR
>> [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - > client found for name: OAuth20?code=74486072882b4f6b896b4476a11f56f9>
>> org.pac4j.core.exception.TechnicalException: No client found for name:
>> OAuth20?code=74486072882b4f6b896b4476a11f56f9
>> I read docs and blog posts and everything was on the internet about
>> this subject without any success. anyone can help me? I can't change
>> this version and switch to 6.x . it is not possible on short time.
>>
>> Mohsen Saeedi
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/08d73395-824d-42d1-9354-9c90e811aabcn%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_h7b4eW8xSEadrUscsCuKry1AYPXmSqeWhjjCOod19OiA%40mail.gmail.com.

[cas-user] Delegated Authetication and session cookie

2023-04-14 Thread Łukasz Woźniak 
Hello,

We are using CAS 6.5.X with dynamic delegated authentication with Azure AD 
as a default configuration. We have a problem, when user close the mobile 
application, and open it again, he must authenticate again. 

Is there a reason, why a cookie in dynamic delegated authentication is 
session cookie?

Łukasz Woźniak

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b39453a1-ff19-4d99-8c72-1c1a0dc89e18n%40apereo.org.

Re: [cas-user] locale parameters after upgrading from 6.1.7 to 6.5.7

2022-10-27 Thread Łukasz Woźniak 
Sorry i miss lead you. I have problem with locale on version 6.5.7 and CAS
could not parse locale correctly with delegation authentication.

czw., 27 paź 2022, 18:27 użytkownik Łukasz Woźniak 
napisał:

> I've got the same problem upgrade to at least 6.5.8.
>
> śr., 26 paź 2022, 16:18 użytkownik Andrea Colajacomo <
> andrea.colajac...@alecsandria.it> napisał:
>
>> Hello everyone,
>> we are testing an upgrade as indicated in subject and we have an issue
>> regarding locale recognition in cases where we use different language for
>> the same country
>> With cas 6.1.7 we use ?locale=
>> and this is the example for Switzerland
>> en-CH
>> it-CH
>> fr-CH
>>
>> Our messages file is with this filename pattern are correctly loaded
>> message_it_CH
>> message_en_CH
>> message_fr_CH
>> It seems like CAS convert automatically - in _
>>
>>
>>
>> Now with 6.7.1
>> taking the same example
>> en-CH
>> it-CH
>> fr-CH
>> CAS try to load
>> message_it-CH
>> message_en-CH
>> message_fr-CH
>>
>> and this way does not work.
>>
>> Any suggestions or ideas on how to manage this?
>>
>> We don't want to change how URLs is written because there was a lot of
>> URL distribuited
>>
>> Bye
>> Andrea
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea981f5f-5c61-40e2-8212-c5871b345b01n%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea981f5f-5c61-40e2-8212-c5871b345b01n%40apereo.org?utm_medium=email_source=footer>
>> .
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_itvY4%3DwzGApsAM-ticdd7OefxBe3d2PagpoOjHUCqdSw%40mail.gmail.com.

Re: [cas-user] locale parameters after upgrading from 6.1.7 to 6.5.7

2022-10-27 Thread Łukasz Woźniak 
I've got the same problem upgrade to at least 6.5.8.

śr., 26 paź 2022, 16:18 użytkownik Andrea Colajacomo <
andrea.colajac...@alecsandria.it> napisał:

> Hello everyone,
> we are testing an upgrade as indicated in subject and we have an issue
> regarding locale recognition in cases where we use different language for
> the same country
> With cas 6.1.7 we use ?locale=
> and this is the example for Switzerland
> en-CH
> it-CH
> fr-CH
>
> Our messages file is with this filename pattern are correctly loaded
> message_it_CH
> message_en_CH
> message_fr_CH
> It seems like CAS convert automatically - in _
>
>
>
> Now with 6.7.1
> taking the same example
> en-CH
> it-CH
> fr-CH
> CAS try to load
> message_it-CH
> message_en-CH
> message_fr-CH
>
> and this way does not work.
>
> Any suggestions or ideas on how to manage this?
>
> We don't want to change how URLs is written because there was a lot of URL
> distribuited
>
> Bye
> Andrea
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea981f5f-5c61-40e2-8212-c5871b345b01n%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_iB4Yq1-6Qkn0PuDfBc8wKs6Ax9hXZdtZ%3DkJEiW2ZXurA%40mail.gmail.com.

Re: [cas-user] Help needed in upgrading CAS Server

2022-09-26 Thread Łukasz Woźniak 
I Was upgrading cas from same version to 6.5.x . It wasn't hard. It depends
on module You are using. Upgrade to 6.5.8, in lower version of 6.5.x there
is a bug with languages and delegation authentication.

pon., 26 wrz 2022 o 17:23 Morning Star (vidivelli) 
napisał(a):

> Hi all,
> Thanks for your help in advance.
>
> We are working on upgrading CAS server version from 6.3.7.4 to 6.5.3.
> Can someone please help with the checklist?
>
> At least if someone share the pom.xml file of 6.5.3 version, it will be
> very helpful.
>
> Regards,
> Anusuya.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/fd03b3be-275a-4380-ba1a-072d60cd62cdn%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_hsOujPN4up1zBR-wSvXu1RH-PSwrdP2CKpsJdmnWsz%2Bw%40mail.gmail.com.

[cas-user] Re: v. 6.5.5 - problem with cookie Locale

2022-09-01 Thread Łukasz Woźniak 
If someone have similar problems bug was fixed in this 
commit 
https://github.com/apereo/cas/commit/c6006aa1d0a2d6e26cf315f79e7293464fd77527 



środa, 8 czerwca 2022 o 10:33:07 UTC+2 Łukasz Woźniak napisał(a):

> Hi,
>
> We are using verison 6.5.5 with Delegated Authentication Discovery 
> Selection 
> <https://apereo.github.io/cas/6.5.x/integration/Delegate-Authentication-DiscoverySelection.html>
>  . 
> And I've got a problem, when user come back form Office365 on address 
> /login?client_name=Office365 he get 2 set-cookie from the response:
>
>
> * Set-Cookie: 
> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=pl-PL; 
> Max-Age=2147483647 <(214)%20748-3647>; Expires=Mon, 26-Jun-2090 11:36:24 
> GMT; Path=/; Secure; HttpOnlySet-Cookie: 
> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=und; 
> Max-Age=2147483647 <(214)%20748-3647>; Expires=Mon, 26-Jun-2090 11:36:24 
> GMT; Path=/; Secure; HttpOnl*y
>
> Any one have a clue what is the problem? I've tested on default settings 
> for the locale and with not pin-to-session settings to false. Same result. 
> User've got random with locale.
>
> Thanks for help,
> Lukas
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/eab39e63-4364-4c29-98a2-8cc50ba8a4b0n%40apereo.org.

Re: [cas-user] Re: Logout Redirect Issue

2022-07-13 Thread Łukasz Woźniak 
Hello,

We are using 6.3 version and we've got the same problem. We have
configuration single delegate authentication with flag exclusive on true,
and after go to *logout?service=https://* CAS didn't logout from
Office365. And it redirect to the Office365 there is a session, so it's
back to the service.


>
>
>
>
>
>
> * "accessStrategy": {"@class":
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "delegatedAuthenticationPolicy": {  "@class":
> "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
> "allowedProviders": [ "java.util.ArrayList", [  "Office365"
> ]   ],  "exclusive": true}  },*


śr., 29 cze 2022 o 14:50 Smith, Daniel  napisał(a):

> Filipe,
>
> In my scenario it had to do with a warning that started appearing in 6.3.
> The idp metadata I had did not provide an entry for SingleLogoutService
> using POST. After enabling debug, I could see this warning appearing when I
> logged out.
>
> I am using Google which doesn't support this -- so I ended up putting a
> junk url in it that we control. After doing that, it didn't show the error
> anymore and the logout redirection worked.
>
> Daniel Smith
> Database Administrator
>
> dsm...@jeffco.edu
> (636) 481-3193
> TDD (636) 789-5772
>
> Mailing Address:
> 1000 Viking Drive, Hillsboro MO 63050
> [image: Jeffco Logo]
> Thanks for supporting Jefferson College’s mission to deliver quality
> learning opportunities that empower individuals to achieve their goals.
>
>
>
> On Wed, Jun 29, 2022 at 5:48 AM Filipe Ribeiro  wrote:
>
>> Hi Dan,
>>
>> I'm having the same problem. Did you discovered anything more regarding
>> this?
>>
>> Best Regards,
>> Filipe
>>
>> A quarta-feira, 15 de junho de 2022 à(s) 15:20:52 UTC+1, Dan S escreveu:
>>
>>> I have some more information after testing yesterday.
>>>
>>> I thought it was specific to the logout sent from my app but it's not.
>>> If I go to cas/login I can see all my information. If I use the logout link
>>> there with no redirect, it logs out of cas. I
>>>
>>> If I enter cas/logout with a service redirect url in the browser, it
>>> goes to a blank screen. If I press enter on the url again while on the
>>> blank screen - it works. The only difference I can see in debug is that it
>>> recognizes that there is no cas session to terminate and it continues on to
>>> the service redirect. The debug for the first entry appears to work
>>> correctly -- the only part that seems to be missing is the last line that
>>> indicates it redirected to the external url.
>>>
>>> If I use the cas.logout.redirect-url= parameter, the logout link on the
>>> page doesn't work. It just goes to the blank page. I can tell that cas has
>>> been logged out. It definitely doesn't continue to the redirect url or
>>> correctly show the cas logout page.
>>>
>>> I am using a delegated login. In testing today, I am planning to enable
>>> to regular login and see if logout works with that.
>>>
>>> Dan
>>>
>>> On Tuesday, June 14, 2022 at 10:30:42 AM UTC-5 Dan S wrote:
>>>
 I am working on upgrading our CAS instance from 6.1 to 6.5. I have been
 able to get everything working as expected except the logout redirect.

 I am using the parameter:
 cas.logout.follow-service-redirects=true

 I have tried using the parameter for a redirect and setting the global
 redirect.

 If you enter the logout url directly in the browser, it correctly sends
 back a 302 and the browser is redirected.

 If we have an app that sends the browser to the cas logout url, cas
 sends back a 200 response with a blank screen.

 Anyone have any ideas?

 Thanks,

 Dan

 --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD_9FojqOopswAKqhfkU8Z3ix9_Xum3idJNgB%3D6R%2B00pZqVwLQ%40mail.gmail.com
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit

[cas-user] v. 6.5.5 - problem with cookie Locale

2022-06-08 Thread Łukasz Woźniak 
Hi,

We are using verison 6.5.5 with Delegated Authentication Discovery Selection 

 . 
And I've got a problem, when user come back form Office365 on address 
/login?client_name=Office365 he get 2 set-cookie from the response:


* Set-Cookie: 
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=pl-PL; 
Max-Age=2147483647; Expires=Mon, 26-Jun-2090 11:36:24 GMT; Path=/; Secure; 
HttpOnlySet-Cookie: 
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=und; 
Max-Age=2147483647; Expires=Mon, 26-Jun-2090 11:36:24 GMT; Path=/; Secure; 
HttpOnl*y

Any one have a clue what is the problem? I've tested on default settings 
for the locale and with not pin-to-session settings to false. Same result. 
User've got random with locale.

Thanks for help,
Lukas

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a397c332-538a-44c9-a880-8937cd833e9cn%40apereo.org.

[cas-user] OAuth 2.0 - client credentials - with clientID and ClientSecret as LDAP user

2022-05-24 Thread Łukasz Woźniak 
Hi,

We use CAS in version 6.3. Is is possible to use OAuth 2.0 "client 
credentials" mode 
https://apereo.github.io/cas/6.3.x/installation/OAuth-OpenId-Authentication.html#client-credentials
 with 
authorization based on the ActiveDirectory or based on the configured 
authorization mechanizm in CAS.

Regards

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3cf42b4d-e0e9-4439-936c-e7c664ed7673n%40apereo.org.

Re: [cas-user] How to configure TST ticket used in reset password management workflow for high availability ?

2022-03-15 Thread Łukasz Woźniak 
We have CAS on 5 pods in K8s and We using Spring session in Redis. It work
good.

Lukas

sob., 12 mar 2022 o 09:50 Jérôme Steve  napisał(a):

> Ray,
>
> Thank you for your reply. Unfortunately not.
> Maybe I should have cached the webflow session ? But I'm not sure if this
> ticket is stored inside it or not.
>
> Jérôme.
>
> Le ven. 11 mars 2022 à 20:01, Ray Bon  a écrit :
>
>> Jérôme,
>>
>> Is it possible for you to set your load balancer to sticky sessions for
>> cas?
>>
>> Ray
>>
>> On Fri, 2022-03-11 at 08:52 -0800, ste wrote:
>>
>> Notice: This message was sent from outside the University of Victoria
>> email system. Please be cautious with links and sensitive information.
>>
>> Hi,
>>
>> TST ticket used in reset password management workflow is store in session
>> (webflow ?).
>>
>> So, isn't working in a multi node architecture for hight availability. Is
>> there a way to store it in cached storage like other tickect ? Or change it
>> to use other ticket ?
>>
>> Thanks,
>> Jérôme.
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a232087d7dde67c7bc81c6eed6e219554123802.camel%40uvic.ca
>> 
>> .
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD6KnbzCu_ZqgDDS3GW-Vtq4eU75Eoj--yH8E4OSfag6raxW%2BA%40mail.gmail.com
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_jfnTn76bo1ODUipPHZu2g8LWyQKA5TxXrMfZg9XzZxZg%40mail.gmail.com.

Re: [cas-user] Password does not match the password policy requirement.

2022-03-15 Thread Łukasz Woźniak 
You've upgrade or have new fresh version? I've got similar problem but I'm
upgrading instance from 6.3.7. And there was change in the template and
policyPattern was null, because it was changed to passwordPolicyPattern.
Check the template if You override it.

wt., 15 mar 2022 o 00:25 stonej  napisał(a):

> Hello All,
>
> I am using CAS 6.5.1 and using the password management add on.  It all
> works fine with picking up the AD password expired setting, but I cannot
> seem to get a good password.
>
> It asks for 1 lowercase, 1 uppercase, 1 number and 1 special character but
> no matter what I try i comes up that the password does not match
> requirements.
>
> Any help ?
> Thanks
>
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/7842071e-ad46-420d-b3f1-6fef11247c44n%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_jKgw3nnrXpEP%2BTc1q2gGV8wL6SKudaCOWghFHh4EXqFA%40mail.gmail.com.

Re: [cas-user] Re: Google Auth Redis record format change...anyone know how to migrate?

2021-07-11 Thread Łukasz Woźniak 
Hi,

I've got the same problem. I write new actuator endpoint and migrate the
records.You need to resave them in new format (i put new machine name as
username).



pon., 12 lip 2021 o 03:16 He vincent  napisał(a):

> I got same issue with gauth + mongodDB. from cas5.3 to cas 6.4.
>
>
> Stewart在 2021年7月12日星期一上午6:13:34 [UTC+8]寫道:
>
>> Looks like formats for storing Google Authenticator records in Redis have
>> changed somewhere between 6.1.x and 6.3.x.  Has anyone come up with a
>> migration tool or method?
>>
>> I've tried exporting via REST interface, but POSTing into the
>> gauthCredentialRespository doesn't seem to work (or at least it seems to be
>> blocked...says POST is not permitted).
>>
>> I'm sure one could dive into the code and compare versions and come up
>> with a tool...but I'm hoping this is an issue someone else has already
>> solved...anyone?
>>
>> The only other message on here regarding this issue was someone else
>> looking for the same (He Vincent).
>>
>> Thanks!
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/e1fb4f56-fc53-4a9d-8766-4b687399f197n%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_j%3D9v9r2MhTv%3D8-qwc_GZmz%3Dq1kTJiHY8pM-5SEtJBfWw%40mail.gmail.com.

Re: [cas-user] CAS 6.3.x + Google Auth as 2FA

2021-04-13 Thread Łukasz Woźniak 
It should stay mfa-gauth. Sorry phone dictionary problem 

wt., 13 kwi 2021, 16:30 użytkownik Łukasz Woźniak 
napisał:

> Hi, I have czas 6.3.2 with Google mfa and it works. Dont change config
> cas.authn.mfa.gauth.name it stole stary mfa-gauth
>
> wt., 13 kwi 2021, 16:04 użytkownik Bartosz Nitkiewicz <
> bart...@nitkiewicz.eu> napisał:
>
>> I have cloned CAS sources and
>> copy 
>> cas/support/cas-server-support-gauth-core/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>> to 
>> cas-overlay-template/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>
>> and I have build issues down below:
>>
>> https://dpaste.com/8X6QFAGR2
>>
>>
>> Maybe there is another way?
>> wtorek, 13 kwietnia 2021 o 15:22:29 UTC+2 Philippe MARASSE napisał(a):
>>
>>> A good question indeed :-)
>>>
>>> I've took a look over my overlay, it seem that I only overloaded the
>>> flawed class from the commit :
>>>
>>>
>>> cas-overlay/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>>
>>> CAS 6.3.2 is older than the patch I think.
>>>
>>> So :
>>>   - fetch CAS sources from github
>>>   - Copy the GoogleAuthenticatorOneTimeTokenCredentialValidator.java in
>>> your overlay
>>>   - build your overlay
>>>
>>> and test it :-).
>>>
>>> Regards.
>>>
>>>
>>> Le 13/04/2021 à 14:24, Bartosz Nitkiewicz a écrit :
>>>
>>> I have CAS v 6.3.2 which is quite new. But I'm not sure if its newer
>>> than this patch.
>>> Hmm, I've cloned this overlay
>>> https://github.com/apereo/cas-overlay-template/tree/6.3 with latest
>>> commit 995813b on 14 Feb
>>>
>>>
>>> So how to make it work? I don't want to build CAS form sources:
>>> https://github.com/apereo/cas/tree/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>>
>>> I'm wondering, where is this
>>> GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>> <https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f#diff-1df13ecfa59195b04a0fb8db8cfe2d11ef4a09ef52fab4832edff1caaeeb8a81>
>>>  file
>>> after build. Maybe it's possible to replace/edit it?
>>> Regards
>>> Bartek
>>>
>>>
>>> wtorek, 13 kwietnia 2021 o 14:06:08 UTC+2 Philippe MARASSE napisał(a):
>>>
>>>> Hello,
>>>>
>>>> It has been fixed there
>>>> https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>>>
>>>> Verify that you version of CAS is newer than that commit, it should be
>>>> fine.
>>>>
>>>> Regards
>>>>
>>>>
>>>> Le 13/04/2021 à 13:04, Bartosz Nitkiewicz a écrit :
>>>>
>>>> Hi,
>>>> The setup looks like this:
>>>>
>>>> CAS + Vault (config file) + LDAP + 2FA (mfa-gauth) + redis for gauth
>>>> and ticket registration.
>>>>
>>>> After testing before production deployment I've noticed that user can
>>>> authorize providing user and pass, when asking for Gauth token* it can
>>>> be anything (even one character)* and CAS will pass it through. I
>>>> don't know where I have mistake:
>>>>
>>>> Here is my config form VAULT
>>>>
>>>>
>>>> "cas.authn.mfa.gauth.crypto.encryption.key": "[redacted]",
>>>>   "cas.authn.mfa.gauth.crypto.signing.key": "[redacted]",
>>>>   "cas.authn.mfa.gauth.issuer": "CAS",
>>>>   "cas.authn.mfa.gauth.label": "CAS",
>>>>   "cas.authn.mfa.gauth.multiple-device-registration-enabled": "false",
>>>>   "cas.authn.mfa.gauth.name": "CAS",
>>>>   "cas.authn.mfa.gauth.redis.database": "0",
>>>>   "cas.authn.mfa.gauth.redis.host": "localhost",
>>>>   "cas.authn.mfa.gauth.redis.password": "[redacted]",
>>>>   "cas.authn.mfa.gauth.redis.port": "6379",
>>>>   "cas.authn.mfa.gauth.redis.read-from": "MASTER",
>>>>   "cas.authn.mfa.gauth.redis.timeout": "2000",
>>>>   "cas.authn.mfa.gauth.redis.use-ssl": "false"

Re: [cas-user] CAS 6.3.x + Google Auth as 2FA

2021-04-13 Thread Łukasz Woźniak 
Hi, I have czas 6.3.2 with Google mfa and it works. Dont change config
cas.authn.mfa.gauth.name it stole stary mfa-gauth

wt., 13 kwi 2021, 16:04 użytkownik Bartosz Nitkiewicz 
napisał:

> I have cloned CAS sources and
> copy 
> cas/support/cas-server-support-gauth-core/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
> to 
> cas-overlay-template/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>
> and I have build issues down below:
>
> https://dpaste.com/8X6QFAGR2
>
>
> Maybe there is another way?
> wtorek, 13 kwietnia 2021 o 15:22:29 UTC+2 Philippe MARASSE napisał(a):
>
>> A good question indeed :-)
>>
>> I've took a look over my overlay, it seem that I only overloaded the
>> flawed class from the commit :
>>
>>
>> cas-overlay/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>
>> CAS 6.3.2 is older than the patch I think.
>>
>> So :
>>   - fetch CAS sources from github
>>   - Copy the GoogleAuthenticatorOneTimeTokenCredentialValidator.java in
>> your overlay
>>   - build your overlay
>>
>> and test it :-).
>>
>> Regards.
>>
>>
>> Le 13/04/2021 à 14:24, Bartosz Nitkiewicz a écrit :
>>
>> I have CAS v 6.3.2 which is quite new. But I'm not sure if its newer than
>> this patch.
>> Hmm, I've cloned this overlay
>> https://github.com/apereo/cas-overlay-template/tree/6.3 with latest
>> commit 995813b on 14 Feb
>>
>>
>> So how to make it work? I don't want to build CAS form sources:
>> https://github.com/apereo/cas/tree/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>
>> I'm wondering, where is this
>> GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>> 
>>  file
>> after build. Maybe it's possible to replace/edit it?
>> Regards
>> Bartek
>>
>>
>> wtorek, 13 kwietnia 2021 o 14:06:08 UTC+2 Philippe MARASSE napisał(a):
>>
>>> Hello,
>>>
>>> It has been fixed there
>>> https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>>
>>> Verify that you version of CAS is newer than that commit, it should be
>>> fine.
>>>
>>> Regards
>>>
>>>
>>> Le 13/04/2021 à 13:04, Bartosz Nitkiewicz a écrit :
>>>
>>> Hi,
>>> The setup looks like this:
>>>
>>> CAS + Vault (config file) + LDAP + 2FA (mfa-gauth) + redis for gauth and
>>> ticket registration.
>>>
>>> After testing before production deployment I've noticed that user can
>>> authorize providing user and pass, when asking for Gauth token* it can
>>> be anything (even one character)* and CAS will pass it through. I don't
>>> know where I have mistake:
>>>
>>> Here is my config form VAULT
>>>
>>>
>>> "cas.authn.mfa.gauth.crypto.encryption.key": "[redacted]",
>>>   "cas.authn.mfa.gauth.crypto.signing.key": "[redacted]",
>>>   "cas.authn.mfa.gauth.issuer": "CAS",
>>>   "cas.authn.mfa.gauth.label": "CAS",
>>>   "cas.authn.mfa.gauth.multiple-device-registration-enabled": "false",
>>>   "cas.authn.mfa.gauth.name": "CAS",
>>>   "cas.authn.mfa.gauth.redis.database": "0",
>>>   "cas.authn.mfa.gauth.redis.host": "localhost",
>>>   "cas.authn.mfa.gauth.redis.password": "[redacted]",
>>>   "cas.authn.mfa.gauth.redis.port": "6379",
>>>   "cas.authn.mfa.gauth.redis.read-from": "MASTER",
>>>   "cas.authn.mfa.gauth.redis.timeout": "2000",
>>>   "cas.authn.mfa.gauth.redis.use-ssl": "false",
>>>   "cas.authn.mfa.global-provider-id": "mfa-gauth",
>>>
>>> "cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers":
>>> "memberOf",
>>>
>>> "cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex":
>>> "[redacted]"
>>>
>>> Maybe its ticket registering with redis:
>>>
>>> "cas.ticket.registry.redis.crypto.alg": "AES",
>>>   "cas.ticket.registry.redis.crypto.enabled": "false",
>>>   "cas.ticket.registry.redis.crypto.encryption.key": "",
>>>   "cas.ticket.registry.redis.crypto.encryption.key-size": "16",
>>>   "cas.ticket.registry.redis.crypto.signing.key": "",
>>>   "cas.ticket.registry.redis.crypto.signing.key-size": "512",
>>>   "cas.ticket.registry.redis.database": "1",
>>>   "cas.ticket.registry.redis.host": "localhost",
>>>   "cas.ticket.registry.redis.password": "[redacted]",
>>>   "cas.ticket.registry.redis.pool.enabled": "false",
>>>   "cas.ticket.registry.redis.pool.fairness": "false",
>>>   "cas.ticket.registry.redis.pool.lifo": "true",
>>>   "cas.ticket.registry.redis.pool.max-active": "8",
>>>   "cas.ticket.registry.redis.pool.max-idle": "8",
>>>   "cas.ticket.registry.redis.pool.max-wait": "-1",
>>>   "cas.ticket.registry.redis.pool.min-evictable-idle-time-millis": "0",
>>>   "cas.ticket.registry.redis.pool.min-idle": "0",
>>>   "cas.ticket.registry.redis.pool.num-tests-per-eviction-run": "0",
>>>   "cas.ticket.registry.redis.pool.soft-min-evictable-idle-time-millis":
>>> "0",
>>>

Re: [cas-user] Cas can’t see exteralized customised views. Cas overlay ver 6.3.2.

2021-03-12 Thread Łukasz Woźniak 
I've got same problem with this. Problem is that You have to override main
templates to able to use fragments. For example to in file layout.html. You
have to override to use fragment from nextor


Footer fragment will go here



śr., 10 mar 2021 o 16:36 artur miś  napisał(a):

> *Gradle.properties*
>
> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master$ cat
> gradle.properties
>
> cas.version=6.3.2
>
> springBootVersion=2.3.4.RELEASE
>
> appServer=-tomcat
>
> executable=false
>
> tomcatVersion=9.0.38
>
> group=org.apereo.cas
>
> sourceCompatibility=11
>
> targetCompatibility=11
>
> jibVersion=2.8.0
>
> shellDir=build/libs
>
> ivyVersion=2.4.0
>
> gradleDownloadTaskVersion=4.1.1
>
> gradleMavenPluginVersion=5.2.1
>
> gradleLombokPluginVersion=5.2.1
>
> baseDockerImage=adoptopenjdk/openjdk11:alpine-jre
>
> allowInsecureRegistries=false
>
>
>
> *cas.propierties*
>
> spring.thymeleaf.prefix=classpath:/templates/
>
> cas.view.template-prefixes[0]=file:///etc/cas/templates ← store for  views
> outside the cas.war
>
>
>
>
> *services*:
>
> ss@zal:/cas/cas7/services$ cat  prg-3.json
>
> {
>
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>
>   "serviceId" : "^(http|https|imaps)://newton.xx/.*",
>
>   "name" : "PRG_PABLO",
>
>   "id" : 3,
>
>   "evaluationOrder" : 0,
>
>   "theme" : "nextor",
>
>"authenticationPolicy" : {
>
> "@class" :
> "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
>
> "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["xxx",
> "" ]]
>
>   },
>
> }
>
>
> *Copy templates outside the webapp:*
>
> cp -rp
> :~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources
> /cas/cas7/templates
>
> /cas/cas7$ ls
>
> config  services  templates  thekeystore
>
>
>
> *Removing templates from cas overlay:*
>
> cd
> ~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources$
> ls
>
> messages_pl.properties  nextor.properties  static  templates
>
> rm -rf templates
>
>
>
> *Theme files/tree:*
>
> ss@zal~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources$
> cd static/
>
> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static$
> ls
>
> css  images  js  themes
>
> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static$
> cd themes/
>
> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static/themes$
> ls
>
> nextor
>
> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static/themes$
> cd nextor/
>
> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static/themes/nextor$
> ls
>
> css  images  js
>
>
>
> *Theme def:for service nextor*
>
> ss@zal~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources$
> cat nextor.properties
>
> cas.theme.defaultThemeName=nextor
>
> cas.standard.css.file=/themes/nextor/css/cas.css
>
> cas.standard.js.file=/themes/nextor/js/cas.js
>
>
> *Image creation:*
>
> ./gradlew --info build jibDockerBuild
>
>
> *Creation container:*
>
> sudo docker run  --name cas2localTT-v /cas/cas7:/etc/cas -p
> 127.0.0.1::8443 -d org.apereo.cas/cas:latest
>
>
>
> *Result:*
>
> reguest: https://sample.xx/casphp/login?service=https://newton.xx/
>
> It is using files from  /etc/cas/templates  but only for  default files
> (/etc/cas/templates/fragments/footer.html)  . It doesn’t uses nextor views
> at all. I thought that if i have theme  nextor.properties it will be use
> views defined in  folder templates/nextor .  Problably i have missed
> something  but i don’t know what. Could you help me please ?
>
> How i menssioned before:
>
> ss@zal/cas/cas7/templates$ ls
>
> casLoginView.html  fragments  nextor
>
> If i change footer.html i can see changes on website but if i change
> footer.htm in nextor  i can not  see result.
>
> Obviously if I  have all in  cas.war   I have customised  view nextor
> working.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9fde0bf8-e0b1-41c0-a03e-f9548bd5fbd8n%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from

Re: [cas-user] Re: cas with o365

2019-07-10 Thread Łukasz Woźniak 
Hi,

I was integrated with o365 but on OPENID on version 5.2.x but this version
has poor support for integration with o365. Try too use version 5.3.x or if
You can 6.0.x. In version 5.2.x is problem that O365 don't support redirect
url with parameter, and CAS generate url with parameter version 5.3.x fixed
that.

wt., 9 lip 2019 o 21:30 'Robert Bond' via CAS Community 
napisał(a):

> Have you switched office 365 over to use federated login via
> the Set-MsolDomainAuthentication powershell command?
>
> On Monday, July 8, 2019 at 11:28:18 AM UTC-5, Alfonso Veraluz wrote:
>>
>> Hello.
>>
>> No. I made an advance adding values like to the inmutableId in the 365
>> users but after that:
>>  1) I can login to Cas but it doesn't login on the
>> login.microsoftonline.com
>>  2) I can login in login.microsoftonline.com but doesn't sso with my
>> Cas.
>>
>> It's just both systems are not connected after all.
>>
>> El lunes, 8 de julio de 2019, 15:28:10 (UTC+2), Robert Bond escribió:
>>>
>>> Were you able to complete the o365 setup with cas?
>>>
>>> On Wednesday, July 3, 2019 at 9:26:36 AM UTC-5, Robert Bond wrote:

 If you do not want to use Azure AD Connect you can create a process to
 sync via powershell. I have an example on my github:
 https://github.com/bondr007/office365UserSync it consumes a csv and
 does some querys to AD. It could be modified for openldap.

 The steps to actually enable SSO on office are hard to find, It has to
 be done via powershell. Here is what I used:

 http://malithiedirisinghe.blogspot.com/2015/12/office-365-saml-20-federation-with-wso2.html
 

 Here are the specific settings I used when configuring office 365
 federation with cas.
 ActiveLogOnUri :
 DefaultInteractiveAuthenticationMethod :
 FederationBrandName:
 IssuerUri  :
 https://logon.example.com/cas/idp
 LogOffUri  :
 https://logon.example/cas/logout?service=http%3A%2F%2Fportal.office.com%2F
 MetadataExchangeUri:
 NextSigningCertificate :
 OpenIdConnectDiscoveryEndpoint :
 PassiveLogOnUri:
 https://logon.example.com/cas/idp/profile/SAML2/POST/SSO

 Let me know if that helps.


 On Wed, Jul 3, 2019 at 5:19 AM Alfonso Veraluz 
 wrote:

> Hello Robert
>
> Users from the openLdap and from the O365 are not synced at all at the
> moment. It's supossed to achive this with the Azure AD Connect but this
> means a new server on Windows and seems the only option it may fit is with
> the Passthrough option (
> https://docs.microsoft.com/es-es/azure/active-directory/hybrid/how-to-connect-pta)
> . Not sure about it and i can test it but will require some time to build
> and configure it. This can be achieved via powershell?
>
> As @casuser, the steps to be done in the O365 are not very clear in
> the documentation
>
> Thanks
>
> El martes, 2 de julio de 2019, 23:41:11 (UTC+2), Robert Bond escribió:
>>
>>
>> Were you able to complete the setup?
>>
>> Thanks!
>> On Tuesday, July 2, 2019 at 9:38:53 AM UTC-5, Alfonso Veraluz wrote:
>>>
>>> Hello.
>>>
>>> I have a CAS 5.2.3 running fine with a Tomcat 8.0.32, Openjdk 1.8
>>> and connected to a OpenLdap so my users can login with the uid and the
>>> mail.
>>> This CAS is actually providing SSO between Alfresco and Liferay.
>>>
>>> I want to add the SSO with Office365 but only for a particular
>>> public domain and there are some questions:
>>>
>>> 1.- What FederationMetadata.xml is needed to provide in CAS, the one
>>> in
>>> https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
>>> or the one with my EntityID provided from the Portal Azure Admin 
>>> section?
>>> 2.- How to map the mail in the OpenLdap to be the same at O365
>>> account? It's suposed the idp will map in the
>>> cas.samlSp.office365.attributes?
>>>
>>> adding this to my cas.properties should be enough?
>>>
>>> #/etc/cas/saml/frommsoft/federationmetadata.xml from
>>> https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
>>>
>>>  
>>> cas.samlSP.office365.metadata=/etc/cas/saml/frommsoft/federationmetadata.xml
>>>  cas.samlSp.office365.name=O365
>>>  cas.samlSp.office365.description=Office365 Integration
>>>  cas.samlSp.office365.nameIdAttribute=scopedImmutableID
>>>  cas.samlSp.office365.attributes=IDPEmail,ImmutableID
>>>
>>> Thanks your comments.
>>>
>> --
> - Website:

Re: [cas-user] CAS 6.1.x Ldaps configuration problem

2019-06-25 Thread Łukasz Woźniak 
Hello,

Help me too. Thanks!

Regards,

Łukasz

W dniu sobota, 26 stycznia 2019 16:40:59 UTC+1 użytkownik David Gelhar 
napisał:
>
> Using Java8 probably isn't an option - CAS 6.x requires Java11
>
> We have been able to work around the issue by using the UnboundID provider 
> as suggested, with settings like this:
>
> cas.properties :
> cas.authn.ldap[0].providerClass=
> org.ldaptive.provider.unboundid.UnboundIDProvider
>
> build.gradle:
> // to use UnboundID ldap provider instead of JNDI
> compile "com.unboundid:unboundid-ldapsdk:4.0.9"
>
>
> On Friday, January 25, 2019 at 5:47:00 PM UTC-5, dfisher wrote:
>>
>> This appears to be a bug in JNDI code that manifests with an NPE in the 
>> ldaptive thread local code.
>> I've filed an issue, but there isn't a resolution yet.
>>
>> Work arounds include:
>> * Use startTLS
>> * Use the UnboundID provider
>> * Use Java 8 (versions 9-12 are all affected)
>>
>> --Daniel Fisher
>>
>> On Fri, Jan 25, 2019 at 1:28 PM Julien Gribonvald  
>> wrote:
>>
>>> Hi,
>>>
>>> I'm beginning a new CAS configuration with latest dev version with the 
>>> overlay packaging and when configuring ldaps I'm having a such error :
>>>
>>> java.lang.NullPointerException: Thread local SslConfig has not been set
>>>  at 
>>> org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:53)
>>>  
>>>
>>> ~[ldaptive-1.2.4.jar!/:?]
>>>
>>> With no ssl conf I don't have any problems, here are my change to move 
>>> on ssl use:
>>>
>>> cas.authn.ldap[0].ldapUrl=ldaps://my.domain.fr:636
>>> #cas.authn.ldap[0].ldapUrl=ldap://my.domain.fr:389
>>> #cas.authn.ldap[0].useSsl=false
>>>
>>> Did I make something wrong or ?
>>>
>>> Is there someone having the same problem or not ?
>>>
>>> After googling a bit it seems that could be a problem with ldaptive lib 
>>> and jdk11... Any information about a such problem ?
>>>
>>> Thanks
>>>
>>> -- 
>>>
>>> Julien Gribonvald
>>>
>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b098c57c-feb6-ecaa-88a0-579ca6bb963c%40recia.fr
>>> .
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/030ddbd4-0b6a-4f65-9eab-c0c6b88938cb%40apereo.org.

[cas-user] Re: cas5.3X Multiple system login

2019-06-13 Thread Łukasz Woźniak 
Solved. The problem in my case was in FirePHP:

Invalid cookie.

 Required user-agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 FirePHP/4Chrome
  does not match Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 FirePHP/4Chrome 
FirePHP/4Chrome




W dniu środa, 12 czerwca 2019 23:53:48 UTC+2 użytkownik Łukasz Woźniak 
napisał:
>
> i got the same problem with version 5.3.10. But I saw that when i'm again 
> on login page. when i hit F5 it will log me in.
>
> W dniu wtorek, 23 kwietnia 2019 04:34:31 UTC+2 użytkownik 李雁敏 napisał:
>>
>> Yes, I got the tgc information when I entered the second application, but 
>> I still need to log in to get in. At this time, tgc is regenerated.
>> Google also made some configuration information, but it didn't work.
>>
>> 在 2019年4月12日星期五 UTC+8上午9:21:30,李雁敏写道:
>>>
>>> With cas5.3x, in the LAN, multiple different systems are connected to 
>>> the same cas, and you need to log in again when you enter different systems.
>>> How do I log in once to enter different systems without logging in? This 
>>> place is very confused, I found that tiket is saved under / service
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/78715f8e-f7a4-4698-b826-acb7f316dd62%40apereo.org.

[cas-user] Re: cas5.3X Multiple system login

2019-06-12 Thread Łukasz Woźniak 
i got the same problem with version 5.3.10. But I saw that when i'm again 
on login page. when i hit F5 it will log me in.

W dniu wtorek, 23 kwietnia 2019 04:34:31 UTC+2 użytkownik 李雁敏 napisał:
>
> Yes, I got the tgc information when I entered the second application, but 
> I still need to log in to get in. At this time, tgc is regenerated.
> Google also made some configuration information, but it didn't work.
>
> 在 2019年4月12日星期五 UTC+8上午9:21:30,李雁敏写道:
>>
>> With cas5.3x, in the LAN, multiple different systems are connected to the 
>> same cas, and you need to log in again when you enter different systems.
>> How do I log in once to enter different systems without logging in? This 
>> place is very confused, I found that tiket is saved under / service
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/078b9f2e-852a-4581-9775-7beffbb6da8b%40apereo.org.

Re: [cas-user] Example config for authing against Azure / O365?

2019-06-03 Thread Łukasz Woźniak 
When user open CAS state parameter is set on the session, but when user 
comeback from Azure/OpenID state Parameter is exist on request but on the 
session is null.


W dniu poniedziałek, 3 czerwca 2019 22:39:23 UTC+2 użytkownik Łukasz 
Woźniak napisał:
>
> Problem is on connection Cas <> Azure/OpenId. State Parameter for CSRF is 
> null sometime when request come from Azure to Cas. I check and state is set 
> on the Session.
>
> W dniu poniedziałek, 3 czerwca 2019 18:06:00 UTC+2 użytkownik rbon napisał:
>>
>> Łukasz, This sounds like the client application is sending the user to 
>> CAS with one URL in the service parameter and a different URL when 
>> validating the service ticket. There should be log messages describing why 
>> the 'State paramerter ...' is output. You may have to turn up the log 
>> level. Ray 
>> On Mon, 2019-06-03 at 01:42 -0700, Łukasz Woźniak wrote:
>>
>> We use 5.2.9 version of CAS. And We have problem every day when user try 
>> to authenticate. They get "Unautorized access" and in log we get CSRF 
>> error: 
>>
>> State
>>
>>  parameter 
>>
>> is
>>
>>  different 
>>
>> from
>>
>>  the one sent 
>>
>> in
>>
>>  authentication request
>>
>> .
>>
>>  Session
>>
>>  expired 
>>
>> or
>>
>>  possible threat of cross
>>
>> -
>>
>> site request forgery
>>
>>
>> Problem appear only first time every day. Any idea why ?
>>
>>
>> W dniu piątek, 29 marca 2019 21:59:24 UTC+1 użytkownik richard.frovarp 
>> napisał: 
>>
>> Need to add CAS 5.3.9. I have Google and Twitter working through 
>> delegated auth. So I have that much working. 
>>
>> On 3/29/19 3:57 PM, Richard Frovarp wrote: 
>> > Does anyone have an example config or documentation on how to delegate 
>> > to Azure AD? This is operating at the very edge of my understanding, 
>> and 
>> > I'm having some difficulty. Not entirely sure what configs are 
>> required, 
>> > or exactly what to set in Azure. 
>> > 
>> > Right now I have: 
>> > 
>> > cas.authn.pac4j.oidc[0].type=AZURE 
>> > cas.authn.pac4j.oidc[0].id= 
>> > cas.authn.pac4j.oidc[0].secret= 
>> > cas.authn.pac4j.oidc[0].clientName=AZURE 
>> > cas.authn.pac4j.oidc[0].discoveryUri=
>> https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
>>  
>> > cas.authn.pac4j.oidc[0].scope=openid email profile phone 
>> > cas.authn.pac4j.oidc[0].azureTenantId= 
>> > 
>> > 
>> > No idea if those scopes are right. 
>> > 
>> > Getting: 
>> > 
>> > 2019-03-29 15:53:33,486 ERROR 
>> > [org.springframework.boot.web.support.ErrorPageFilter] - > > error page from request [/clientredirect] due to exception 
>> > [java.lang.ClassCastException: java.util.Collections$SingletonList 
>> > cannot be cast to java.lang.String]> 
>> > org.pac4j.core.exception.TechnicalException: 
>> > java.lang.ClassCastException: java.util.Collections$SingletonList 
>> cannot 
>> > be cast to java.lang.String 
>> >   at 
>> > 
>> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:113)
>>  
>>
>> > ~[pac4j-oidc-3.6.1.jar:?] 
>> >   at 
>> > 
>> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.redirect(OidcRedirectActionBuilder.java:78)
>>  
>>
>> > ~[pac4j-oidc-3.6.1.jar:?] 
>> >   at 
>> > 
>> org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:109)
>>  
>>
>> > ~[pac4j-core-3.6.1.jar:?] 
>> > 
>> > Caused by: java.lang.ClassCastException: 
>> > java.util.Collections$SingletonList cannot be cast to java.lang.String 
>> >   at 
>> > 
>> com.nimbusds.oauth2.sdk.AuthorizationRequest.parse(AuthorizationRequest.java:972)
>>  
>>
>> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
>> >   at 
>> > 
>> com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1374)
>>  
>>
>> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
>> >   at 
>> > 
>> com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1340)
>>  
>>
>> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
>> >   at 
>> > 
>> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.bui

Re: [cas-user] Example config for authing against Azure / O365?

2019-06-03 Thread Łukasz Woźniak 
Problem is on connection Cas <> Azure/OpenId. State Parameter for CSRF is 
null sometime when request come from Azure to Cas. I check and state is set 
on the Session.

W dniu poniedziałek, 3 czerwca 2019 18:06:00 UTC+2 użytkownik rbon napisał:
>
> Łukasz, This sounds like the client application is sending the user to CAS 
> with one URL in the service parameter and a different URL when validating 
> the service ticket. There should be log messages describing why the 'State 
> paramerter ...' is output. You may have to turn up the log level. Ray 
> On Mon, 2019-06-03 at 01:42 -0700, Łukasz Woźniak wrote:
>
> We use 5.2.9 version of CAS. And We have problem every day when user try 
> to authenticate. They get "Unautorized access" and in log we get CSRF 
> error: 
>
> State
>
>  parameter 
>
> is
>
>  different 
>
> from
>
>  the one sent 
>
> in
>
>  authentication request
>
> .
>
>  Session
>
>  expired 
>
> or
>
>  possible threat of cross
>
> -
>
> site request forgery
>
>
> Problem appear only first time every day. Any idea why ?
>
>
> W dniu piątek, 29 marca 2019 21:59:24 UTC+1 użytkownik richard.frovarp 
> napisał: 
>
> Need to add CAS 5.3.9. I have Google and Twitter working through 
> delegated auth. So I have that much working. 
>
> On 3/29/19 3:57 PM, Richard Frovarp wrote: 
> > Does anyone have an example config or documentation on how to delegate 
> > to Azure AD? This is operating at the very edge of my understanding, and 
> > I'm having some difficulty. Not entirely sure what configs are required, 
> > or exactly what to set in Azure. 
> > 
> > Right now I have: 
> > 
> > cas.authn.pac4j.oidc[0].type=AZURE 
> > cas.authn.pac4j.oidc[0].id= 
> > cas.authn.pac4j.oidc[0].secret= 
> > cas.authn.pac4j.oidc[0].clientName=AZURE 
> > cas.authn.pac4j.oidc[0].discoveryUri=
> https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
>  
> > cas.authn.pac4j.oidc[0].scope=openid email profile phone 
> > cas.authn.pac4j.oidc[0].azureTenantId= 
> > 
> > 
> > No idea if those scopes are right. 
> > 
> > Getting: 
> > 
> > 2019-03-29 15:53:33,486 ERROR 
> > [org.springframework.boot.web.support.ErrorPageFilter] -  > error page from request [/clientredirect] due to exception 
> > [java.lang.ClassCastException: java.util.Collections$SingletonList 
> > cannot be cast to java.lang.String]> 
> > org.pac4j.core.exception.TechnicalException: 
> > java.lang.ClassCastException: java.util.Collections$SingletonList cannot 
> > be cast to java.lang.String 
> >   at 
> > 
> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:113)
>  
>
> > ~[pac4j-oidc-3.6.1.jar:?] 
> >   at 
> > 
> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.redirect(OidcRedirectActionBuilder.java:78)
>  
>
> > ~[pac4j-oidc-3.6.1.jar:?] 
> >   at 
> > 
> org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:109)
>  
>
> > ~[pac4j-core-3.6.1.jar:?] 
> > 
> > Caused by: java.lang.ClassCastException: 
> > java.util.Collections$SingletonList cannot be cast to java.lang.String 
> >   at 
> > 
> com.nimbusds.oauth2.sdk.AuthorizationRequest.parse(AuthorizationRequest.java:972)
>  
>
> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
> >   at 
> > 
> com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1374)
>  
>
> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
> >   at 
> > 
> com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1340)
>  
>
> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
> >   at 
> > 
> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:110)
>  
>
> > ~[pac4j-oidc-3.6.1.jar:?] 
> >   ... 98 more 
> > 
> > Any suggestions would be helpful, because I'm having difficulty pulling 
> > off the right search to find the right set of documentation at MS. 
> > 
> > Thanks, 
> > 
> > Richard 
> > 
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fc48c3cb-123f-4ae9-8faa-abbfaf0d08de%40apereo.org.

Re: [cas-user] Example config for authing against Azure / O365?

2019-06-03 Thread Łukasz Woźniak 
We use 5.2.9 version of CAS. And We have problem every day when user try to 
authenticate. They get "Unautorized access" and in log we get CSRF error:

State parameter is different from the one sent in authentication request. 
Session expired or possible threat of cross-site request forgery


Problem appear only first time every day. Any idea why ?


W dniu piątek, 29 marca 2019 21:59:24 UTC+1 użytkownik richard.frovarp 
napisał:
>
> Need to add CAS 5.3.9. I have Google and Twitter working through 
> delegated auth. So I have that much working. 
>
> On 3/29/19 3:57 PM, Richard Frovarp wrote: 
> > Does anyone have an example config or documentation on how to delegate 
> > to Azure AD? This is operating at the very edge of my understanding, and 
> > I'm having some difficulty. Not entirely sure what configs are required, 
> > or exactly what to set in Azure. 
> > 
> > Right now I have: 
> > 
> > cas.authn.pac4j.oidc[0].type=AZURE 
> > cas.authn.pac4j.oidc[0].id= 
> > cas.authn.pac4j.oidc[0].secret= 
> > cas.authn.pac4j.oidc[0].clientName=AZURE 
> > cas.authn.pac4j.oidc[0].discoveryUri=
> https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
>  
> > cas.authn.pac4j.oidc[0].scope=openid email profile phone 
> > cas.authn.pac4j.oidc[0].azureTenantId= 
> > 
> > 
> > No idea if those scopes are right. 
> > 
> > Getting: 
> > 
> > 2019-03-29 15:53:33,486 ERROR 
> > [org.springframework.boot.web.support.ErrorPageFilter] -  > error page from request [/clientredirect] due to exception 
> > [java.lang.ClassCastException: java.util.Collections$SingletonList 
> > cannot be cast to java.lang.String]> 
> > org.pac4j.core.exception.TechnicalException: 
> > java.lang.ClassCastException: java.util.Collections$SingletonList cannot 
> > be cast to java.lang.String 
> >   at 
> > 
> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:113)
>  
>
> > ~[pac4j-oidc-3.6.1.jar:?] 
> >   at 
> > 
> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.redirect(OidcRedirectActionBuilder.java:78)
>  
>
> > ~[pac4j-oidc-3.6.1.jar:?] 
> >   at 
> > 
> org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:109)
>  
>
> > ~[pac4j-core-3.6.1.jar:?] 
> > 
> > Caused by: java.lang.ClassCastException: 
> > java.util.Collections$SingletonList cannot be cast to java.lang.String 
> >   at 
> > 
> com.nimbusds.oauth2.sdk.AuthorizationRequest.parse(AuthorizationRequest.java:972)
>  
>
> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
> >   at 
> > 
> com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1374)
>  
>
> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
> >   at 
> > 
> com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1340)
>  
>
> > ~[oauth2-oidc-sdk-5.62.jar:5.62] 
> >   at 
> > 
> org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:110)
>  
>
> > ~[pac4j-oidc-3.6.1.jar:?] 
> >   ... 98 more 
> > 
> > Any suggestions would be helpful, because I'm having difficulty pulling 
> > off the right search to find the right set of documentation at MS. 
> > 
> > Thanks, 
> > 
> > Richard 
> > 
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a4a9f6d6-f12e-453f-8263-3ab93c6f50cd%40apereo.org.

Re: [cas-user] CAS 5.2.6 + Delegated Authentication + Microsoft Azure AD + How to map attributes

2018-10-08 Thread Łukasz Woźniak 
Hi,

I'm working on integration with Azure AD too. I was able to connect wia
OpenID. To map attribute You need to define default attribute. Example
below:

cas.authn.attributeRepository.merger=REPLACE
cas.authn.releaseProtocolAttributes=true
cas.authn.attributeRepository.defaultAttributesToRelease=email,given_name,family_name,name

After that Attribute mapping start working for me.

Can You share configuration how integration with Saml Ip working for You ?
With oAuth 2.0 and OpenID I had problem with Azure AD. Redirect_url
parameter does not redirect with get parameters, and I had to override
default Pac4j configuration.

Thanks,
Lukas



pt., 5 paź 2018 o 23:15 Raghavan TV  napisał(a):

> Hi All
>
> We were able to successfully integrate CAS 5.2.6 using delegated
> authentication agianst Azure AD (SAML Idp)
>
> We are now looking to map the SAML (claims) attributes to more meaningful
> names
>
> Azure SAML Response
>
>  Destination="
> https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML;
> ID="_6a00b756-53f4-4702-b329-7a6af0145fa0"
> InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
> IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
> 
> https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/
>  Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>  IssueInstant="2018-10-04T13:22:05.275Z"
> Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> 
> https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/
> http://www.w3.org/2000/09/xmldsig#;>
> http://www.w3.org/2001/10/xml-exc-c14n#"/>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> 
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=
> 
> 
>
> HAKazQ1ApJ5w0NtxJs5E/qECDRz8C5xYjHtGDJtuuuULrM07HUjkoenQ4L34UhSO4qm6Jgo0roIP1bQAGDlq0DWmPu7P9nyPSaQbKiBMtDAO759rM/g0neTWWfYYuNfDFauA+CBuu1N2W15h/oYU85z2D//W8RJQDMB7JvkycPgKF9BY0RON+Rlo2qOFsZ8Z6TxNJgyDxPCQG5natKgVoAZ57lC4+giarBQJQgCFGjy5uckKx4tq2qDuSGnyxqpxqSSm0WNhRR4AqY+kMtNLvEv0aimLX5ezzeOTy7yGmnWNf+l8+FAai2US19Fu/G9xeMH9c3MjZ69MujIkFGqc3A==
> 
> 
>
> MIIDBTCCAe2gAwIBAgIQWOnQG5bZiIFAbuSzrxjvbDANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE4MDgwMTAwMDAwMFoXDTIwMDgwMTAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALM5fWyNaHwYqnCfxVBEqhfDHKWnNhqmVHH9McYM+bsRs9xl7DkuwsbvD6vOb4rANtVOuly+Eiv/fYhhwn8UFE4kzTRXWREIH+uoFCUDyItwtT8vNn253XzXuFiIeHEkSoHM4vckdP+G7lPEQRZtQjV2TTB/76eBrtnLdP/AAgp4KE4/kjSuKEvn4lwiKtQWYPmCBPh18erwmIFwBramK5CzNKT31ycTYpi3LZpjbIljzW7gzvX9P6/U+dmTmpOufKzJbAnnXKveMcRUZl7wXWxQpyKGAZ0q+8FKIcVbrO0mlbyPuQGynAOofsnhqPQVeO4lbsEgcmL9QXWdxdn6kYsCAwEAAaMhMB8wHQYDVR0OBBYEFMXZ+lF0trQrd4uWs+lQ7h0mls63MA0GCSqGSIb3DQEBCwUAA4IBAQAA/TRp5Cx6WWA04dCvoJNTd80KSO8uGrM2V4VhTlIU1zf8cjMocmBXSA0v+P3onkBHHwnMJs6fWuwcBL4vhqZ4jonPcgl3tUIGgDwywM3V4mC1JLZJXlBZASsAuKmHm6qwge6RVs+Ub1fcpOIViMgW/1Wj1tZm/v/NGHQ+EEJV1UXtE5OnFnzD+9TrfOTI/l855ryKNS6I+XNbtcIJUL87OWkMRgNgjOhBnmldA27sWWkFWfvxB0J7FvOkyWaLlyNe/jqCL3jYXzz0XBNGMbatmeKS3fgIihVUJ32Vt7GXI4ed0HuvhhZ6d+fvMnBPWdfteu018YHKeXyk/c2aegcj
> 
> 
> 
> 
>  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88
>  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
> NotOnOrAfter="2018-10-04T13:27:05.275Z"
> Recipient="
> https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML
> "/>
> 
>  NotOnOrAfter="2018-10-04T14:17:05.275Z">
> 
>
> spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695
> 
> 
> 
> http://schemas.microsoft.com/identity/claims/tenantid;>
>
> 522b3803-a001-4675-b3b5-1d727d43585a
> 
> http://schemas.microsoft.com/identity/claims/objectidentifier;>
>
> 8fa1e8a3-41b8-440e-91cf-fafa246ab571
> 
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name;>
> xx...@.onmicrosoft.com
> 
> 
> http://schemas.microsoft.com/identity/claims/displayname;>
> Firstname Lastname
> 
> http://schemas.microsoft.com/identity/claims/identityprovider;>
> 
> https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/
> 
> 
> http://schemas.microsoft.com/claims/authnmethodsreferences;>
> 
> http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
> 
> 
>

[cas-user] Re: cas 5.3 and office 365 sp

2018-09-19 Thread Łukasz Woźniak 


Antoine Gambino, 

Did you manage to configure integration with office365, as you described?

Thanks,
Lukas
W dniu piątek, 13 lipca 2018 09:41:29 UTC+2 użytkownik Antoine Gambino 
napisał:
>
>
> thank you for the answer
>
> if i understand.
>
> i need to dowload the lastest file of asure metadata and put it on the 
> folder /etc/cas/saml/
>
>
> https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
> .
>
> then i uncomment thee configuration like this
>
> cas.samlSP.office365.metadata=/etc/cas/saml/federationmetadata.xml 
> 
> cas.samlSP.office365.name=O365
> cas.samlSP.office365.description=O365 Integration
> cas.samlSP.office365.nameIdAttribute=scopedImmutableID 
> cas.samlSP.office365.attributes=IDPEmail,ImmutableID
>
> and i configure the trust like this procedure.
>
> https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx
>
> and that all ?
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a6a19ffa-70be-4ce1-9597-546184f94282%40apereo.org.