[cas-user] cas with o365

2019-07-02 Thread Alfonso Veraluz
Hello.

I have a CAS 5.2.3 running fine with Tomcat 8.0.32 and OpenJDK 1.8, 
connected to an OpenLDAP so my users can log in with the uid and the mail. 
This CAS is currently providing SSO between Alfresco and Liferay.

I want to add SSO with Office 365, but only for a particular public 
domain, and I have some questions:

1.- Which FederationMetadata.xml do I need to provide to CAS, the one at 
https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
or the one with my EntityID provided in the Azure Portal admin section?
2.- How do I map the mail in the OpenLDAP so it is the same as the O365 account? 
Is the IdP supposed to map it in cas.samlSp.office365.attributes?

Would adding this to my cas.properties be enough?

# /etc/cas/saml/frommsoft/federationmetadata.xml downloaded from
# https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
cas.samlSp.office365.metadata=/etc/cas/saml/frommsoft/federationmetadata.xml
cas.samlSp.office365.name=O365
cas.samlSp.office365.description=Office365 Integration
cas.samlSp.office365.nameIdAttribute=scopedImmutableID
cas.samlSp.office365.attributes=IDPEmail,ImmutableID

Thanks for your comments.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/11c54835-f5d2-4e24-9c54-a920deedd4f4%40apereo.org.


[cas-user] Re: cas with o365

2019-07-02 Thread Alfonso Veraluz
Thanks for the reply Robert Bond!

So if I understand correctly: 
 1) I have to add an objectClass like uidObject to have a uid attribute 
in the OpenLDAP for each user. This attribute must never change for the user.
 2) Configure cas.properties like yours, with the attribute from the 
LDAP:

 cas.samlSp.office365.metadata=https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
 cas.samlSp.office365.name=office365
 cas.samlSp.office365.description=Office365 Integration
 cas.samlSp.office365.nameIdAttribute=uid
 cas.samlSp.office365.attributes=mail,uid

 3) Configure the service like yours:

{
  "id" : 23,
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "evaluationOrder" : 23,
  "metadataLocation" : "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
  "metadataExpirationDuration" : "PT60M",
  "signAssertions" : false,
  "skipGeneratingAssertionNameId" : false,
  "skipGeneratingSubjectConfirmationInResponseTo" : false,
  "skipGeneratingSubjectConfirmationNotOnOrAfter" : false,
  "skipGeneratingSubjectConfirmationRecipient" : false,
  "skipGeneratingSubjectConfirmationNotBefore" : true,
  "signResponses" : true,
  "encryptAssertions" : false,
  "metadataCriteriaRoles" : "SPSSODescriptor",
  "metadataCriteriaRemoveEmptyEntitiesDescriptors" : true,
  "metadataCriteriaRemoveRolelessEntityDescriptors" : true,
  "signingCredentialType" : "BASIC",
  "serviceId" : "urn:federation:MicrosoftOnline",
  "name" : "office365",
  "description" : "Office 365",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "uid",
    "canonicalizationMode" : "NONE",
    "encryptUsername" : false
  },
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://login.microsoftonline.com/login.srf",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}


And now, how can this be tested properly? Because on the O365 side they don't 
know that I have made changes in my local CAS to allow login with my 
TGC. 

Let me know if I'm on the right path!




On Tuesday, July 2, 2019 at 17:06:44 (UTC+2), Robert Bond wrote:
>
>
> Let me know if the below makes sense. 
>
> For the integration you need to pass the attributes as follows:
>
> cas.samlSp.office365.metadata=https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
> cas.samlSp.office365.name=O365
> cas.samlSp.office365.description=O365 Integration
> cas.samlSp.office365.nameIdAttribute=<something from your OpenLDAP that 
> does not change, like objectGUID in Active Directory; you need to sync this to 
> O365 as the ImmutableId>
> cas.samlSp.office365.attributes=<mail from your OpenLDAP>,<objectGUID, 
> your ImmutableId again>
>
>
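Robert's point above is that the NameID must be a value that never changes for the user, and that the very same value must be stored in Office 365 as the user's ImmutableId. As an added example for this thread (not code from either poster or from the CAS project), the script below shows one way to get such a value out of OpenLDAP without adding a new objectClass: every OpenLDAP entry already carries the operational attribute entryUUID (RFC 4530), assigned once and never changed. It reads an LDIF export, validates and canonicalises each entryUUID, refuses entries without one rather than falling back to uid or mail, and emits CSV rows of the shape a PowerShell sync loop could consume. The LDIF, the choice of entryUUID and the CSV columns are assumptions of this example; note also that CAS must request entryUUID by name in its LDAP attribute repository, since OpenLDAP does not return operational attributes unless asked.

```python
"""Build Office 365 sync rows from OpenLDAP entries using a stable anchor.

Added example for this thread; not code from the original posts or from the
CAS project. Assumptions: entries are exported as LDIF that includes the
operational attribute entryUUID (RFC 4530), and the ImmutableId pushed to
Office 365 is that UUID string, unchanged. The LDIF is constructed sample data.
"""
import csv
import io
import uuid

# Constructed sample export, e.g. from: ldapsearch -o ldif-wrap=no ... uid mail entryUUID
SAMPLE_LDIF = """\
dn: uid=averaluz,ou=people,dc=example,dc=org
uid: averaluz
mail: averaluz@example.org
entryUUID: 3F2504E0-4F89-11D3-9A0C-0305E82C3301

dn: uid=rbond,ou=people,dc=example,dc=org
uid: rbond
mail: robert.bond@example.org
entryUUID: 16fd2706-8baf-433b-82eb-8c7fada847da

dn: uid=noanchor,ou=people,dc=example,dc=org
uid: noanchor
mail: noanchor@example.org
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value'
    per line. Base64 values ('::') and folded lines are not handled; export with
    ldapsearch -o ldif-wrap=no to avoid folding."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def immutable_id(entry_uuid):
    """Validate and canonicalise the entryUUID (lowercase, hyphenated).

    The string is used as-is on both sides: CAS releases the nameIdAttribute value
    verbatim as the SAML NameID, and Office 365 compares that NameID with the stored
    ImmutableId byte for byte, so no re-encoding may happen anywhere."""
    return str(uuid.UUID(entry_uuid))


def missing_anchor(entries):
    """DNs that cannot be federated safely because they carry no entryUUID.
    Do not fall back to uid or mail: both can be renamed, a NameID must not."""
    return [e["dn"][0] for e in entries if "entryUUID" not in e]


def build_sync_rows(entries):
    """One row per anchored entry: UPN (the mail, which must be in the federated
    domain), IDPEmail (released as a SAML attribute) and ImmutableId (the NameID)."""
    rows = []
    for e in entries:
        if "entryUUID" not in e:
            continue  # reported separately by missing_anchor()
        rows.append({
            "UserPrincipalName": e["mail"][0],
            "IDPEmail": e["mail"][0],
            "ImmutableId": immutable_id(e["entryUUID"][0]),
            "uid": e["uid"][0],
        })
    return rows


def to_csv(rows):
    """CSV a PowerShell loop (e.g. Import-Csv | ForEach Set-MsolUser -ImmutableId) could read."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["UserPrincipalName", "IDPEmail", "ImmutableId", "uid"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(to_csv(build_sync_rows(parsed)))
    print("entries without a stable anchor:", missing_anchor(parsed))
```

The same canonical entryUUID string is what cas.samlSp.office365.nameIdAttribute would have to point at, so the comparison Office 365 makes between the NameID and ImmutableId succeeds without any transformation in between.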

[cas-user] Re: cas with o365

2019-07-03 Thread Alfonso Veraluz
Hello Robert

Users from the OpenLDAP and from O365 are not synced at all at the 
moment. This is supposed to be achieved with Azure AD Connect, but that 
means a new Windows server, and it seems the only option that may fit is 
the Pass-through option 
(https://docs.microsoft.com/es-es/azure/active-directory/hybrid/how-to-connect-pta). 
I'm not sure about it; I can test it, but it will require some time to build 
and configure. Can this be achieved via PowerShell?

As @casuser, the steps to be done on the O365 side are not very clear in the 
documentation.

Thanks 

On Tuesday, July 2, 2019 at 23:41:11 (UTC+2), Robert Bond wrote:
>
>
> Were you able to complete the setup?
>
> Thanks!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/49ba8f0f-fee3-4bcb-a154-d2345360178d%40apereo.org.


Re: [cas-user] Re: cas with o365

2019-07-08 Thread Alfonso Veraluz
Hello.

No. I made some progress by adding values to the ImmutableId of the 365 
users, but after that:
 1) I can log in to CAS, but it doesn't log in on login.microsoftonline.com.
 2) I can log in on login.microsoftonline.com, but it doesn't SSO with my CAS. 

It's just that both systems are not connected after all.

On Monday, July 8, 2019 at 15:28:10 (UTC+2), Robert Bond wrote:
>
> Were you able to complete the o365 setup with cas?
>
> On Wednesday, July 3, 2019 at 9:26:36 AM UTC-5, Robert Bond wrote:
>>
>> If you do not want to use Azure AD Connect you can create a process to 
>> sync via PowerShell. I have an example on my GitHub: 
>> https://github.com/bondr007/office365UserSync it consumes a CSV and does 
>> some queries to AD. It could be modified for OpenLDAP. 
>>
>> The steps to actually enable SSO on Office are hard to find; it has to be 
>> done via PowerShell. Here is what I used:
>>
>> http://malithiedirisinghe.blogspot.com/2015/12/office-365-saml-20-federation-with-wso2.html
>>
>> Here are the specific settings I used when configuring office 365 
>> federation with cas.
>> ActiveLogOnUri                         :
>> DefaultInteractiveAuthenticationMethod :
>> FederationBrandName                    :
>> IssuerUri                              : https://logon.example.com/cas/idp
>> LogOffUri                              : https://logon.example/cas/logout?service=http%3A%2F%2Fportal.office.com%2F
>> MetadataExchangeUri                    :
>> NextSigningCertificate                 :
>> OpenIdConnectDiscoveryEndpoint         :
>> PassiveLogOnUri                        : https://logon.example.com/cas/idp/profile/SAML2/POST/SSO
>>
>> Let me know if that helps.
>>
>>
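The Set-MsolDomainAuthentication values Robert lists above (IssuerUri, PassiveLogOnUri, LogOffUri, plus the signing certificate) are all things the CAS IdP already publishes in its own SAML metadata, and a tenant where each side logs in alone but never hands over to the other is exactly the situation in which a value-by-value comparison between that metadata and what the tenant has is worth running. As an added example for this thread (not code from either poster, from CAS or from Microsoft), the script below parses CAS IdP metadata, derives the federation settings from it, diffs them against a pasted Get-MsolDomainFederationSettings result and renders the corresponding Set-MsolDomainAuthentication command. The metadata shape, the MSOnline parameter names and the constructed sample metadata (with a placeholder in place of a real certificate) are assumptions of this example.

```python
"""Derive Office 365 federation settings from CAS IdP SAML metadata and diff
them against the tenant's current values.

Added example for this thread; not code from the original posts, from CAS or
from Microsoft. Assumptions: CAS IdP metadata with the usual EntityDescriptor /
IDPSSODescriptor layout, and the MSOnline module parameter names (-IssuerUri,
-PassiveLogOnUri, -LogOffUri, -SigningCertificate, -PreferredAuthenticationProtocol).
The metadata below is constructed, with a placeholder instead of a certificate.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://logon.example.com/cas/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...PLACEHOLDER...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://logon.example.com/cas/idp/profile/SAML2/POST/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://logon.example.com/cas/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://logon.example.com/cas/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_settings(metadata_xml):
    """Pull the federation-relevant values out of the IdP's metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not the CAS IdP's")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both uses
            cert = "".join(kd.find(".//ds:X509Certificate", NS).text.split())
            break
    if POST not in sso or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    return {
        "IssuerUri": root.get("entityID"),  # must equal the Issuer CAS puts in its Response
        "PassiveLogOnUri": sso[POST],       # browser SSO: the tenant POSTs the AuthnRequest here
        "LogOffUri": slo.get(POST),         # the thread used /cas/logout?service=...; this takes the SLO endpoint
        "SigningCertificate": cert,         # base64 DER, no PEM headers or line breaks
    }


def mismatches(expected, tenant):
    """Keys whose tenant value (pasted from Get-MsolDomainFederationSettings) differs."""
    return sorted(k for k, v in expected.items() if v is not None and tenant.get(k) != v)


def set_msol_command(domain, settings):
    """Render the MSOnline command for the derived settings (parameter names assumed)."""
    parts = [f"Set-MsolDomainAuthentication -DomainName {domain} -Authentication Federated",
             "-PreferredAuthenticationProtocol SAMLP"]
    for key in ("IssuerUri", "PassiveLogOnUri", "LogOffUri", "SigningCertificate"):
        if settings.get(key):
            parts.append(f'-{key} "{settings[key]}"')
    return " `\n    ".join(parts)


# Constructed: what the tenant currently reports. IssuerUri lacks the /idp suffix,
# so the Issuer in CAS's SAML Response would not be the one the tenant expects.
TENANT_NOW = {
    "IssuerUri": "https://logon.example.com/cas",
    "PassiveLogOnUri": "https://logon.example.com/cas/idp/profile/SAML2/POST/SSO",
    "LogOffUri": "https://logon.example.com/cas/idp/profile/SAML2/POST/SLO",
    "SigningCertificate": "MIIC...PLACEHOLDER...",
}

if __name__ == "__main__":
    derived = idp_settings(SAMPLE_METADATA)
    print("mismatches:", mismatches(derived, TENANT_NOW))
    print(set_msol_command("example.org", derived))
```

Feed it the real metadata CAS serves at its IdP metadata endpoint rather than the sample, and paste the current Get-MsolDomainFederationSettings output into TENANT_NOW; every key the diff returns is one the tenant and CAS disagree on.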

Re: [cas-user] CAS 3.5.x CPU utilization problem

2019-08-02 Thread Alfonso Veraluz
You can try to raise the server.tomcat.max-threads from 200 to 800 and 
check if Tomcat performs better. 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fafb0c21-d4c9-425d-a876-b9f66548a53f%40apereo.org.


[cas-user] Problem with a ChainingRegisteredServiceAccessStrategy service

2024-05-06 Thread Alfonso Veraluz
Hello,

I have a CAS 6.6.15 working in this configuration:
 In general, users authenticate via SPNEGO when they are in a certain IP range; 
if not, they go to the login form, which is configured with LDAP.
 
 For a specific URL, we have a service JSON that redirects to a 
DualShield and returns when they are logged in.
 
 The problem is when I try to configure a service JSON that intends the following: 
The user goes to extranet.company.com.
If the user is on a test IP, it should go to DualShield for authentication.
If the user is not on the test IP, it should go to the login form.

I'm pretty sure that should be configured with a 
ChainingRegisteredServiceAccessStrategy, but the criteria of the strategies 
are not very clear in the docs.

Like this testsite-1.json:
{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "https://extranet.company.com/.*",
  "name": "testsite",
  "id": 1,
  "evaluationOrder": 1,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.ChainingRegisteredServiceAccessStrategy",
    "strategies": [ "java.util.ArrayList", [
      {
        "@class": "org.apereo.cas.services.HttpRequestRegisteredServiceAccessStrategy",
        "ipAddress": "192.168.1.55",
        "delegatedAuthenticationPolicy": {
          "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
          "allowedProviders": [ "java.util.ArrayList", [ "DualShield" ] ],
          "permitUndefined": false,
          "exclusive": true
        }
      },
      {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled": true
      }
    ] ],
    "operator": "OR"
  }
}

This kind of JSON, and some variants I tested, fails in two ways:
1) I receive an error 500 on the cas/login screen, and the log says:

ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - 
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.actions.DelegatedAuthenticationGenerateClientsAction@28a6a1b0 in state 'viewLoginForm' of flow 'login' -- action execution attributes were 'map[[empty]]'
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
    at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
    at org.springframework.webflow.engine.ViewState.render(ViewState.java:291) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
    at org.springframework.webflow.engine.ViewState.doEnter(ViewState.java:185) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
    ...
Caused by: java.lang.NullPointerException
    at org.apereo.cas.pac4j.client.DefaultDelegatedClientIdentityProviderRedirectionStrategy.select(DefaultDelegatedClientIdentityProviderRedirectionStrategy.java:63) ~[cas-server-support-pac4j-core-6.6.15.jar:6.6.15]
    at org.apereo.cas.pac4j.client.ChainingDelegatedClientIdentityProviderRedirectionStrategy.lambda$select$0(ChainingDelegatedClientIdentityProviderRedirectionStrategy.java:40) ~[cas-server-support-pac4j-core-6.6.15.jar:6.6.15]
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195) ~[?:?]
    at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1632) ~[?:?]
    at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127) ~[?:?]
    at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502) ~[?:?]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488) ~[?:?]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
    at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
    at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543) ~[?:?]
    at org.apereo.cas.pac4j.client.ChainingDelegatedClientIdentityProviderRedirectionStrategy.select(ChainingDelegatedClientIdentityProviderRedirectionStrategy.java:43) ~[cas-server-support-pac4j-core-6.6.15.jar:6.6.15]
    at org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.produce(DefaultDelegatedClientIdentityProviderConfigurationProducer.java:64) ~[cas-server-support-pac4j-core-6.6.15.jar:6.6.15]
    at
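One thing worth checking in the service JSON above, independently of the stack trace, is the ipAddress value: on HttpRequestRegisteredServiceAccessStrategy it is a regular expression, not a literal address. As an added example for this thread (not code from the post or from CAS), the script below shows what a pattern written the way it is in the post matches when it is applied as an unanchored regex search, which is the assumption made here and should be confirmed against the CAS version in use, and what address is actually being matched when CAS sits behind a reverse proxy, where the remote address is the proxy's own and X-Forwarded-For is attacker-controlled unless the proxy is trusted. The test host, the neighbouring addresses and the header values are constructed; the pattern used is a hypothetical 192.168.1.5 rather than the one in the post, because it shows the effect on realistic addresses.

```python
"""What an ipAddress pattern on HttpRequestRegisteredServiceAccessStrategy matches,
and which address it is matched against behind a proxy.

Added example for this thread; not code from the original post or from CAS. It
assumes the pattern is applied as an unanchored regular-expression search over the
remote address, as a Java Matcher.find() would (verify against the CAS version in
use). All addresses and header values below are constructed.
"""
import re

# Hypothetical test host, written the way such patterns are usually written in service JSON.
LOOSE_PATTERN = "192.168.1.5"
# Same host with literal dots and anchors: only that exact address matches.
STRICT_PATTERN = r"^192\.168\.1\.5$"

SAMPLE_REMOTE_ADDRS = [
    "192.168.1.5",     # the intended host
    "192.168.1.55",    # a neighbour: the missing end anchor lets it through
    "192.168.105.20",  # another subnet: the unescaped dot matches the '0'
    "10.0.0.7",        # unrelated
]


def ip_strategy_matches(pattern, remote_addr):
    """Unanchored search, the behaviour assumed here for the ipAddress regex."""
    return re.search(pattern, remote_addr) is not None


def select_flow(remote_addr, ip_pattern):
    """Model of the OR chain as the post intends it: the IP strategy's delegated
    policy (DualShield) applies when the pattern matches, otherwise the plain
    DefaultRegisteredServiceAccessStrategy, i.e. the login form."""
    return "DualShield" if ip_strategy_matches(ip_pattern, remote_addr) else "login-form"


def evaluate(ip_pattern):
    """Which flow each sample address would get under the given pattern."""
    return {addr: select_flow(addr, ip_pattern) for addr in SAMPLE_REMOTE_ADDRS}


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Behind a reverse proxy the servlet remote address is the proxy's, so an IP
    strategy would never match a browser. Walk X-Forwarded-For from the right and
    stop at the first hop that is not a trusted proxy; everything to the left of it
    was supplied by the client and must not be believed."""
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        if candidate not in trusted_proxies:
            break
        candidate = hop
    return candidate


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, evaluate(pattern))
    # Two trusted proxies in front of CAS: the real client is the leftmost untrusted hop.
    print(client_ip("10.0.0.2", "192.168.1.5, 10.0.0.3", {"10.0.0.2", "10.0.0.3"}))
    # A direct client sending a forged header: the header is ignored.
    print(client_ip("203.0.113.9", "192.168.1.5", {"10.0.0.2"}))
```

With the loose pattern three of the four sample addresses are routed to DualShield; with the anchored, dot-escaped pattern only the intended host is. Whether the address CAS compares against is the proxy's or the client's depends on the container's remote-IP handling (Tomcat's RemoteIpValve, for instance), which has to be configured with the trusted proxy list for the same reason client_ip() stops at the first untrusted hop.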