Re: [cas-user] Shibboleth and CAS

2020-11-13 Thread David Curry

Re: [cas-user] Shibboleth and CAS

2020-11-13 Thread David Curry
Back when I was debugging this the last time, I ran a bunch of tests
against all the SAML SPs we have authenticating against our CAS servers and
captured the SAML being exchanged, and in every case the SubjectLocality
element contained the IP address of the SP, not the CAS server.

For example, when I log in to Workday:

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
The 209.177.165.18 address belongs to Workday, not to us.

You might want to grab the "SAML Chrome Panel" extension, which will let
you examine the entire SAML exchange between the SP and the IdP.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Nov 13, 2020 at 3:01 PM Nathan Lewan  wrote:

> thanks everyone for the help so far.
> I did just do a restart of the service, and it would not populate that
> field. I checked another service with a similar setup, and that also does
> not have the subjectLocality populated, but that one works just fine.
>
>
>
>
> so here's the actual error I'm seeing:
> xmltooling::ValidationException at (https://[hostname]/SAML2/POST)
> SubjectLocality must have Address or DNSName.
>
>
>
>
>
>
> Looking at the code for CAS, this appears to be the function to populate
> the subjectLocality, but if I'm reading that right, it's trying to populate
> it with the CAS host address?
>
>
> protected SubjectLocality buildSubjectLocality(final Assertion assertion,
>                                                final RequestAbstractType authnRequest,
>                                                final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
>                                                final String binding) throws SamlException {
>     val subjectLocality = SamlUtils.newSamlObject(SubjectLocality.class);
>     val hostAddress = InetAddressUtils.getCasServerHostAddress(casProperties.getServer().getName());
>     val issuer = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
>     LOGGER.debug("Built subject locality address [{}] for the saml authentication statement prepped for [{}]", hostAddress, issuer);
>     subjectLocality.setAddress(hostAddress);
>     return subjectLocality;
> }
>
> is the subjectLocality supposed to be my address, or their address?
>
>
> On Friday, November 13, 2020 at 2:39:04 PM UTC-5 Mike Osterman wrote:
>
>> Hi Nathan,
>>
>> I highly expect that #2 is why it's not yet working. Java, by default,
>> never lets go of a DNS resolution record until the application restarts.
>> You have to pass an argument at startup of your CAS application to indicate
>> an expiry TTL.
>>
>> I did this recently on our CAS server when we did some work with our
>> Active Directory that provides group membership and needed it to get a
>> new IP address for the AD LDAP server(s).
>>
>> -Mike
>>
>> On Fri, Nov 13, 2020 at 11:18 AM Nathan Lewan  wrote:
>>
>>> very interesting, thanks!
>>>
>>> so I tried to do a reverse dns lookup on the entity host based on the
>>> shibboleth entityid's hostname, and came up with no record.
>>>
>>> they are not being super helpful with me, so I tried to cheat. I just
>>> added a reverse lookup zone on the dns server that CAS talks to, and added
>>> the entry in there as a test. It did not seem to help, but:
>>>
>>> 1. I don't know if a cheat like that would actually work (this is just
>>> temporary, proof of concept, no way would I leave it like that in
>>> production)
>>> 2. I have not restarted CAS. I did do a dig -x on the CAS host, and it
>>> successfully reverse-resolved the IP of the entity server
>>>
>>> thanks very much for the quick response, I have a lead which feels very
>>> good!
>>>
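Added example (editor's code, not from the thread, CAS or Shibboleth): the two checks a practitioner would want for the SubjectLocality problem discussed above, in Python. subject_locality_errors() applies the rule behind the xmltooling error Nathan quotes, and resolve_cas_server_host() mirrors what the buildSubjectLocality() method he pasted depends on: the host in cas.server.name must resolve, otherwise the Address attribute is left empty. The AuthnStatement samples are constructed (only the Workday address comes from Dave's message), the URL https://sso.example.edu:8443 is an assumed value, and the resolver is injectable so the checks run offline.

```python
import socket
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional
from urllib.parse import urlparse

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample of the statement Nathan describes: SubjectLocality is
# present but carries neither Address nor DNSName.
EMPTY_LOCALITY = f"""<saml2:AuthnStatement xmlns:saml2="{SAML2}"
    AuthnInstant="2020-11-13T18:01:00Z" SessionIndex="_constructed-session">
  <saml2:SubjectLocality/>
  <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>{PPT}</saml2:AuthnContextClassRef>
  </saml2:AuthnContext>
</saml2:AuthnStatement>"""

# Constructed sample carrying the SP address Dave quotes for Workday.
WORKDAY_LOCALITY = EMPTY_LOCALITY.replace(
    "<saml2:SubjectLocality/>",
    '<saml2:SubjectLocality Address="209.177.165.18"/>',
)


def subject_locality_errors(authn_statement_xml: str) -> List[str]:
    """Apply the rule behind the xmltooling error quoted in the thread.

    SubjectLocality is optional in SAML 2.0, so an absent element passes,
    but a present one must carry Address or DNSName. Returns one error
    string per offending element (an empty list means the SP would accept it).
    """
    root = ET.fromstring(authn_statement_xml)
    errors = []
    for loc in root.iter(f"{{{SAML2}}}SubjectLocality"):
        if not (loc.get("Address") or loc.get("DNSName")):
            errors.append("SubjectLocality must have Address or DNSName.")
    return errors


def unresolvable(host: str) -> str:
    """Constructed resolver standing in for a name with no DNS record."""
    raise socket.gaierror(f"constructed: no record for {host}")


def resolve_cas_server_host(
    cas_server_name: str,
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> Optional[str]:
    """Pre-flight for the value CAS puts into SubjectLocality's Address.

    cas_server_name is the cas.server.name property, a URL such as
    https://sso.example.edu:8443 (assumed value). Returns the resolved
    address, or None when the host part is missing or does not resolve,
    which is the case that leaves the element empty.
    """
    host = urlparse(cas_server_name).hostname
    if not host:
        return None
    try:
        return resolver(host)
    except OSError:  # socket.gaierror and socket.herror are subclasses
        return None


if __name__ == "__main__":
    for label, xml in (("empty", EMPTY_LOCALITY), ("workday", WORKDAY_LOCALITY)):
        print(label, subject_locality_errors(xml) or "ok")
    # real lookup from this host, the way CAS would do it
    print("cas.server.name resolves to",
          resolve_cas_server_host("https://sso.example.edu:8443"))
```

Run the resolution check on the CAS host itself with the default socket.gethostbyname, since that is the resolver the JVM uses there. A changed DNS record is only seen by a running JVM once its address cache expires, which is the startup setting Mike refers to: the networkaddress.cache.ttl security property, or -Dsun.net.inetaddr.ttl on the command line.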

Re: [cas-user] Shibboleth and CAS

2020-11-13 Thread David Curry
We just ran into this recently with an older version of CAS (5.2.9).

CAS populates the SubjectLocality by doing a reverse DNS lookup on the IP
address of the entity that's calling it (the application the user is trying
to log into). If the DNS lookup fails, then it doesn't put anything in
there, which makes Shibboleth very unhappy.

In our case, the fix was to get the company running the application that
was calling CAS to register DNS entries for their IP addresses. All of a
sudden everything started working.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Nov 13, 2020 at 1:12 PM Nathan Lewan  wrote:

> hello!
>
> I am trying to get CAS 6.1.0 to integrate with an SP that uses Shibboleth.
>
> I appear to have everything in place, however they are requiring my
> responses to have in the *AuthnStatement* a *SubjectLocality* entry.
>
> It is currently empty in all my responses. Here's what it looks like:
>
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>
>
> As you can see, it's blank, and I have no idea how to get it populated!
> Any hints would be appreciated. Looking for info on this, you can find
> much related to shibboleth, but I have not found anything on how one could
> get CAS to populate this.
>
> thanks!
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjkrJ8hk5geJbz_tbN1NgVSxESjAGUAfqcmOd8vpTHuUYQ%40mail.gmail.com
> 
> .
>



Re: [cas-user] Re: Deployment SAML Certificate Changes

2020-09-10 Thread David Curry
In our case, we run five servers (cas-srv01, cas-srv02, etc.) behind an F5
load balancer. The VIP on the F5 identifies as "sso.newschool.edu". We use
one "regular" SSL/TLS certificate for "sso.newschool.edu" and install it
both on the F5 AND on each of the CAS servers (in the Tomcat keystore) so
that every individual CAS server identifies itself as "sso.newschool.edu"
as well. Our SAML2 metadata also identifies itself as "sso.newschool.edu,"
and is installed on all five servers.  So the only server name the
outside world ever sees is "sso.newschool.edu" -- the individual server
names are only used internally.*

To handle getting the metadata files to be the same on all the servers, the
process is basically:

   1. Configure the CAS server to be a SAML2 IdP (cas.properties)
   2. Start ONE of the servers (it doesn't matter which one). This will
   create a bunch of files in /etc/cas/saml whose names all start with "idp-"
   (idp-encryption.crt, idp-encryption.key, idp-metadata.xml, idp-signing.crt,
   idp-signing.key).
   3. Shut the server back down and COPY those files to your overlay so
   that every time you rebuild your server, those files will be included in
   the installable package.
   4. Install the package (with the idp-* files) on all your servers.

Note that, unless you're using a distributed database of some sort to store
your SP metadata files, you will also need to make sure that each time you
set up a new client (SP), you copy its metadata file to
/etc/cas/saml/metadata/ on all of your servers, or you'll get weird
behavior depending on which server they're talking to.

You can find some more detail here:
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_overview.html
but realize that this was written for CAS 5.x (with Maven overlay instead
of Gradle) so you'll have to adapt it to CAS 6.x.

--Dave

* I lied above about the certificate. We also use MongoDB as our service
registry, and MongoDB talks using SSL/TLS as well. We used to use a
self-signed certificate for this, but at one time we had that certificate
expire on us and nobody noticed -- people were still able to log in, but
adding new services didn't behave correctly because the MongoDBs were not
replicating. So the last time we renewed the "sso.newschool.edu"
certificate we added all the individual server names to it as Subject
Alternative Names and now we use that one certificate for everything. This
is NOT required, but it's easier to manage.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Sep 10, 2020 at 12:21 PM Jeremiah Garmatter 
wrote:

> Hello all,
>
> Please does anyone have familiarity with the SAML certificate and metadata
> generation process? Specifically how to create them for a HA deployment
> where users will sign in to server.onu.edu and authentication will be
> performed on either server-1.onu.edu or server-2.onu.edu?
>
> On Wednesday, September 9, 2020 at 11:02:20 AM UTC-4 Jeremiah Garmatter
> wrote:
>
>>
>> Hello,
>>
>> I am getting close to deployment of my CAS 6.2.1 instance. I would like
>> some advice on updating the idp-encryption{.crt,.key}, idp-metadata, and
>> the idp-signing{.crt,.key} for my production servers.
>>
>> I have two servers (we'll call them server-1.onu.edu and server-2.onu.edu)
>> that I would like to host as a HA cluster. I will be using DNS to send
>> requests made to server.onu.edu to both server-1.onu.edu and
>> server-2.onu.edu.
>>
>> My questions are, how should I generate the certificates and metadata for
>> deployment to server.onu.edu? Previously, I let CAS auto generate the
>> certificates and metadata so I do not know the process. Would I need
>> subject alt names of server.onu.edu, server-1.onu.edu and
>> server-2.onu.edu  or would only server.onu.edu suffice? Are there any
>> specific fields I should set in my new certificate? I noticed the
>> auto-generated .crt files have a SAN of DNS name and URI to
>> server1.onu.edu/idp/metadata, how can I add a URI to my custom
>> certificate and should I include both servers' metadata endpoints in it or
>> just server.onu.edu's?
>>
>> I know there is a lot there, I appreciate you taking the time to read
>> through it.
>>
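Added example (editor's code, not from the thread or from CAS): a drift check for the files Dave says must be identical on every server, in Python. Given one local copy of /etc/cas/saml per server (pulled with scp, say), it fingerprints the idp-* files named above and every SP metadata file under metadata/ and reports anything missing or different, which is what produces the "weird behavior depending on which server they're talking to". The cluster it runs against by default is constructed in a temporary directory; the file names are the ones from the message, and the directory layout under each tree is assumed to match /etc/cas/saml.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# The files CAS writes on first start as a SAML2 IdP (names from the thread).
IDP_FILES = [
    "idp-encryption.crt", "idp-encryption.key", "idp-metadata.xml",
    "idp-signing.crt", "idp-signing.key",
]


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def fingerprint_tree(saml_dir: Path) -> Dict[str, str]:
    """Map each file that must match across servers to its SHA-256.

    saml_dir is one server's copy of /etc/cas/saml (layout assumed). Missing
    idp-* files are recorded as "MISSING"; SP metadata files are picked up
    from the metadata/ subdirectory.
    """
    fp = {}
    for name in IDP_FILES:
        p = saml_dir / name
        fp[name] = _sha256(p) if p.is_file() else "MISSING"
    meta = saml_dir / "metadata"
    if meta.is_dir():
        for p in sorted(meta.glob("*.xml")):
            fp[f"metadata/{p.name}"] = _sha256(p)
    return fp


def find_drift(trees: Dict[str, Path]) -> List[str]:
    """Compare fingerprints across servers; an empty list means they agree.

    trees maps a server name to the local copy of its /etc/cas/saml.
    """
    prints = {srv: fingerprint_tree(d) for srv, d in trees.items()}
    names = sorted({n for fp in prints.values() for n in fp})
    findings = []
    for name in names:
        per_server = {srv: fp.get(name, "MISSING") for srv, fp in prints.items()}
        if len(set(per_server.values())) > 1:
            detail = ", ".join(f"{s}={h[:12]}" for s, h in sorted(per_server.items()))
            findings.append(f"{name}: {detail}")
    return findings


def build_demo_cluster(base: Path) -> Dict[str, Path]:
    """Constructed three-server cluster with two classic mistakes on cas-srv03:
    rebuilt without the overlay copy of idp-signing.key, and never given the
    newest SP's metadata file."""
    trees = {}
    for srv in ("cas-srv01", "cas-srv02", "cas-srv03"):
        d = base / srv / "saml"
        (d / "metadata").mkdir(parents=True)
        for name in IDP_FILES:
            (d / name).write_text(f"constructed content of {name}\n")
        (d / "metadata" / "sp-workday.xml").write_text("<EntityDescriptor/>\n")
        trees[srv] = d
    (trees["cas-srv03"] / "idp-signing.key").write_text("regenerated on rebuild\n")
    (trees["cas-srv03"] / "metadata" / "sp-workday.xml").unlink()
    return trees


def demo_findings() -> List[str]:
    """Run the check over the constructed cluster in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_drift(build_demo_cluster(Path(tmp)))


if __name__ == "__main__":
    for line in demo_findings() or ["no drift"]:
        print(line)
```

A mismatching idp-signing.key is the worst of the two findings: assertions signed by that server will not verify against the metadata the SPs hold, so logins fail only for the fraction of requests the load balancer sends there.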

Re: [cas-user] [Auto Reload CAS Server After Register New Service]

2020-08-25 Thread David Curry
That's great. Glad you figured it out.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Aug 25, 2020 at 10:49 AM Nguyen Tran Thanh Lam <
naphaluan211...@gmail.com> wrote:

> Dear Mr David.
> I have success.
> Thank you very much.
>
> On Tue, Aug 25, 2020 at 21:21 Nguyen Tran Thanh Lam <
> naphaluan211...@gmail.com> wrote:
>
>> Dear Mr David Curry,
>> I have read the guide from your link.
>> Then I set up following these steps below:
>> *Step 1:*
>> I keep two properties in my CAS configuration to initialize the CAS server
>> to load some services in directory /etc/cas/services-repo into MongoDB
>>
>> "name":"cas.service-registry.json.location","value":"file:/etc/cas/services-repo"
>> "name":"cas.service-registry.mongo.drop-collection","value":"true"
>> Then I build CAS server (First time).
>> Result:
>> - CAS creates collection "cas-service-registry"
>> - services are loaded into this collection
>> Done.
>> *Step 2:*
>> I stop CAS and remove two properties above.
>> Then I build CAS again.
>> Now CAS works with service registry in MongoDB
>> Here are my logs:
>> 2020-08-25 07:00:03,217 INFO
>> [org.apereo.cas.services.AbstractServicesManager] - > from [MongoDbServiceRegistry].>
>> *Step 3:*
>> I build my CAS Management Web App
>> Then I create a new service
>> But it still didn't store my new service registry in collection
>> "cas-service-registry".
>> It creates a new json file for this service and stores this file in directory
>> "/etc/cas/service-repo"
>> Here is CAS Management log
>> 2020-08-25 06:55:29,029 INFO
>> [org.apereo.cas.mgmt.web.CasManagementWebApplication] - > profiles are active: mongodb>
>> 2020-08-25 06:55:58,528 INFO
>> [org.apereo.cas.authentication.config.CasMongoAuthenticationConfiguration]
>> - > [Mongo{options=MongoClientOptions{description='null',
>> applicationName='null', compressors='[]', readPreference=primary,
>> writeConcern=WriteConcern{w=null, wTimeout=null ms, fsync=null,
>> journal=null, retryWrites=false, readConcern=com.mongodb.ReadConcern@0,
>> codecRegistry=org.bson.codecs.configuration.ProvidersCodecRegistry@ac36d621,
>> serverSelector=null, clusterListeners=[], commandListeners=[],
>> minConnectionsPerHost=0, maxConnectionsPerHost=10,
>> threadsAllowedToBlockForConnectionMultiplier=5,
>> serverSelectionTimeout=3, maxWaitTime=12,
>> maxConnectionIdleTime=3, maxConnectionLifeTime=6,
>> connectTimeout=5000, socketTimeout=5000, socketKeepAlive=false,
>> sslEnabled=false, sslInvalidHostNamesAllowed=false,
>> sslContext=javax.net.ssl.SSLContext@52f9e8bb, alwaysUseMBeans=false,
>> heartbeatFrequency=1, minHeartbeatFrequency=500,
>> heartbeatConnectTimeout=5000, heartbeatSocketTimeout=5000,
>> localThreshold=15, requiredReplicaSetName='null',
>> dbDecoderFactory=com.mongodb.DefaultDBDecoder$1@2035d65b,
>> dbEncoderFactory=com.mongodb.DefaultDBEncoder$1@240a2619,
>> socketFactory=null, cursorFinalizerEnabled=true,
>> connectionPoolSettings=ConnectionPoolSettings{maxSize=10, minSize=0,
>> maxWaitQueueSize=50, maxWaitTimeMS=12, maxConnectionLifeTimeMS=6,
>> maxConnectionIdleTimeMS=3, maintenanceInitialDelayMS=0,
>> maintenanceFrequencyMS=6, connectionPoolListeners=[]},
>> socketSettings=SocketSettings{connectTimeoutMS=5000, readTimeoutMS=5000,
>> keepAlive=false, receiveBufferSize=0, sendBufferSize=0},
>> serverSettings=ServerSettings{heartbeatFrequencyMS=1,
>> minHeartbeatFrequencyMS=500, serverListeners='[]',
>> serverMonitorListeners='[]'},
>> heartbeatSocketSettings=SocketSettings{connectTimeoutMS=5000,
>> readTimeoutMS=5000, keepAlive=false, receiveBufferSize=0,
>> sendBufferSize=0}}}]>
>> 2020-08-25 06:56:02,609 INFO
>> [org.apereo.cas.mgmt.factory.FormDataFactory] - > status code from endpoint
>> https://casoverlay.vdc2.com.vn:8443/cas/actuator/discoveryProfile. Using
>> default FormData values.>
>> 2020-08-25 06:56:07,754 INFO
>> [org.apereo.cas.mgmt.web.CasManagementWebApplication] - > CasManagementWebApplication in 53.965 seconds (JVM running for 62.606)>
>> 2020-08-25 06:56:09,008 INFO
>> [org.apereo.cas.services.AbstractServicesManager] - > from [MongoDbServiceRegistry].>
>> 2020-08-25 06:56:09,009 INFO
>> [org.apereo.cas.mgmt.web.DefaultCas

Re: [cas-user] [Auto Reload CAS Server After Register New Service]

2020-08-25 Thread David Curry
You need to *turn off* the JSON registry in cas.properties so the server
will stop using it, and put the mongodb settings into cas.properties (and
management.properties) so the server will use it instead.

These instructions are for CAS 5.2.x so might not be exactly right for CAS
6.x (property names might be slightly different, etc.) but it should give
you the basic idea:

https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_service-registry_overview.html


 --Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Aug 25, 2020 at 8:21 AM Nguyen Tran Thanh Lam <
naphaluan211...@gmail.com> wrote:

> Hi Mr David Curry,
> I understand your point.
> But when I use the CAS server, I want to register my new service; what should
> I do?
> I can use the CAS Management Web app to register my new service, but it still
> only creates a json file in directory /etc/cas/services-repo.
> I have tried to configure my CAS Management Web to insert the newly registered
> service directly into MongoDB, but it still didn't work.
> Please help me.
> Note: my CAS version is 6.2.1 and my CAS Management Overlay Web App is
> 6.1.2 (the newest version)
> Here is my CAS Management Web App Configuration:
> 1. build.gradle
> compile "org.apereo.cas:cas-server-webapp-tomcat:${casMgmtServerVersion}"
> compile "org.apereo.cas:cas-server-support-configuration-cloud-mongo:${casMgmtServerVersion}"
> compile "org.apereo.cas:cas-server-support-mongo:${casMgmtServerVersion}"
> compile "org.apereo.cas:cas-server-support-mongo-service-registry:${casMgmtServerVersion}"
> 2. Cas Management Global config in MongoDB
> "name":"cas.server.name","value":"https://casoverlay.vdc2.com.vn:8443"
> "name":"cas.server.prefix","value":"${cas.server.name}/cas"
> "name":"mgmt.serverName","value":"https://casoverlay.vdc2.com.vn:8088"
> "name":"mgmt.adminRoles[0]","value":"ROLE_ADMIN"
> "name":"mgmt.userPropertiesFile","value":"file:/etc/cas/config/users.json"
> "name":"mgmt.userRoles[0]","value":"ROLE_USER"
> "name":"spring.thymeleaf.mode","value":"HTML"
> "name":"server.port","value":"8088"
> "name":"server.ssl.enabled","value":"true"}
> "name":"server.ssl.keyStore","value":"file:/etc/cas/thekeystore"
> "name":"server.ssl.keyStorePassword","value":"changeit"
> "name":"server.ssl.keyPassword","value":"changeit"
> "name":"cas.service-registry.mongo.host","value":"203.162.141.22"
> "name":"cas.service-registry.mongo.client-uri","value":"mongodb://
> casuser:Mellon@203.162.141.22:27017/cas?authSource=admin=primary=MongoDB%20Compass%20Community=false
> "
> "name":"cas.service-registry.mongo.port","value":"27017"
> "name":"cas.service-registry.mongo.password","value":"Mellon"
>
> "name":"cas.service-registry.mongo.collection","value":"cas-service-registry"
> "name":"cas.service-registry.mongo.database-name","value":"cas"
> "name":"cas.service-registry.mongo.user-id","value":"casuser"
> "name":"cas.service-registry.mongo.ssl-enabled","value":"false"
> "name":"cas.service-registry.mongo.drop-collection","value":"false"
> Please help me.
> Thank you in advance.
>
> On Tue, Aug 25, 2020 at 19:00 David Curry <
> david.cu...@newschool.edu> wrote:
>
>> It doesn't do that because it's not supposed to.
>>
>> Populating an alternate service registry (MongoDB or whatever) from the
>> JSON files is a one-time thing the server does to help you "bootstrap" the
>> alternate service registry. After that, you don't need the JSON files any
>> more (and should turn that registry off). You use the cas-management
>> application to manage the service registry from that point forward.
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
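Added example (editor's code, not from the thread or from CAS): a small lint for the registry misconfiguration this message is about, in Python. It reads a cas.properties and flags the JSON registry still being enabled next to MongoDB after the one-time bootstrap, and drop-collection left at true, which drops the MongoDB collection on every restart and so loses anything added through cas-management. The property names are the ones quoted in Lam's messages; both sample files are constructed, with the host and password replaced by placeholders.

```python
from typing import Dict, List

JSON_LOCATION = "cas.service-registry.json.location"
MONGO_PREFIX = "cas.service-registry.mongo."
DROP_COLLECTION = MONGO_PREFIX + "drop-collection"

# Constructed: the "step 1" bootstrap configuration (JSON files loaded into
# MongoDB once). Host and credentials are placeholders.
BOOTSTRAP_PROPERTIES = """
cas.service-registry.json.location=file:/etc/cas/services-repo
cas.service-registry.mongo.client-uri=mongodb://casuser:PASSWORD_PLACEHOLDER@mongo.example.edu:27017/cas?authSource=admin
cas.service-registry.mongo.collection=cas-service-registry
cas.service-registry.mongo.drop-collection=true
"""

# Constructed: the steady state Dave describes, with the JSON registry off.
STEADY_STATE_PROPERTIES = """
# JSON registry removed after the one-time bootstrap
cas.service-registry.mongo.client-uri=mongodb://casuser:PASSWORD_PLACEHOLDER@mongo.example.edu:27017/cas?authSource=admin
cas.service-registry.mongo.collection=cas-service-registry
cas.service-registry.mongo.drop-collection=false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal reader for the key=value lines CAS uses in cas.properties.

    Splits on the first "=" only, so values containing "=" (the Mongo URI
    query string) stay intact; lines starting with "#" or "!" are comments.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_registry(props: Dict[str, str]) -> List[str]:
    """Flag settings that are only right during the bootstrap run."""
    findings = []
    mongo_on = any(k.startswith(MONGO_PREFIX) for k in props)
    if not mongo_on:
        return findings  # nothing to check: MongoDB registry not configured
    if JSON_LOCATION in props:
        findings.append(
            f"{JSON_LOCATION} is still set: the JSON registry stays active next "
            "to MongoDB; remove it once the collection has been populated")
    if props.get(DROP_COLLECTION, "false").strip().lower() == "true":
        findings.append(
            f"{DROP_COLLECTION}=true: the MongoDB collection is dropped on every "
            "restart, so services added through cas-management are lost")
    return findings


if __name__ == "__main__":
    for label, text in (("bootstrap", BOOTSTRAP_PROPERTIES),
                        ("steady-state", STEADY_STATE_PROPERTIES)):
        print(label, lint_registry(parse_properties(text)) or "clean")
```

Both findings are expected against the bootstrap file; run the lint against the file you deploy for normal operation, where either finding means the next restart will undo changes made in cas-management.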

Re: [cas-user] [Auto Reload CAS Server After Register New Service]

2020-08-25 Thread David Curry
It doesn't do that because it's not supposed to.

Populating an alternate service registry (MongoDB or whatever) from the
JSON files is a one-time thing the server does to help you "bootstrap" the
alternate service registry. After that, you don't need the JSON files any
more (and should turn that registry off). You use the cas-management
application to manage the service registry from that point forward.


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Aug 25, 2020 at 5:46 AM Napoleon Ponaparte <
naphaluan211...@gmail.com> wrote:

>
> I have successfully stored the service registry in MongoDB, but I have a
> problem with it.
>
> If I register a new service stored in directory /etc/cas/services-repo, the CAS
> server doesn't automatically store this service in MongoDB. I must restart CAS
> to do this.
>
> So, how could I configure CAS to auto-restart to load the new service registry
> into MongoDB?
>
> Note: My CAS server at version 6.2.x.
>
> Thank you in advance.
>



Re: [cas-user] How to implement CAS(Idp) with SAML

2020-07-14 Thread David Curry
Can you attach the relevant piece of the cas log? (Not the whole thing,
just the lines around the error.)

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Jul 14, 2020 at 2:56 PM Vikash Chandra Ansh <
vikasharnav0...@gmail.com> wrote:

> Hi David.
>
> I am seeing this in cas log. Can we connect David?
>
> On Wed 15 Jul, 2020, 00:21 David Curry,  wrote:
>
>> When you say you're "getting an error," where are you getting it? In the
>> browser window? In the CAS log file? In the Tomcat log file?
>>
>> I'm not sure off the top of my head what it could be, as none of what
>> we're doing here (installing Shib, Apache, etc.) has anything to do with
>> columns or databases.
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david.cu...@newschool.edu
>>
>>

Re: [cas-user] How to implement CAS(Idp) with SAML

2020-07-14 Thread David Curry
When you say you're "getting an error," where are you getting it? In the
browser window? In the CAS log file? In the Tomcat log file?

I'm not sure off the top of my head what it could be, as none of what we're
doing here (installing Shib, Apache, etc.) has anything to do with columns
or databases.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Jul 14, 2020 at 2:30 PM Vikash Chandra Ansh <
vikasharnav0...@gmail.com> wrote:

> Hi Ray,
>
> I have added all the configuration accordingly and deployed the war file.
> I am getting an error invalid column name "expired". I don't have any clue
> on this. Nothing as such is printed in logs. I am using MSSQL as DB.
>
> Thanks & Regards
>
> On Mon 13 Jul, 2020, 17:43 Vikash Chandra Ansh, 
> wrote:
>
>> Thanks Ray,
>> I will check and let you know in case of any issues.
>>
>> On Mon, Jul 13, 2020 at 3:58 AM David Curry 
>> wrote:
>>
>>> The Shibboleth SP lets web services use SAML2 to authenticate and do
>>> single sign-on. So if you have configured an Apache server with mod_shib,
>>> then you would use the Apache config files to define a protected area on
>>> your web server, and put your web-based application into that protected
>>> area. When the user tries to access the application, mod_shib will
>>> intercept the request for a protected file, and redirect to the Shib SP,
>>> which will in turn talk to the CAS IdP.
>>>
>>> For a simple example with just a dumb PHP script as the "application,"
>>> see  this link:
>>>
>>>
>>> https://dacurry-tns.github.io/deploying-apereo-cas/building_samlclient_overview.html
>>>
>>>
>>> It's for CAS 5.2.x rather than 6.x, but except for a
>>> configuration property name here or there, it should give you the idea.
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 646 909-4728 • david.cu...@newschool.edu
>>>
>>>
>>> On Sun, Jul 12, 2020 at 6:06 PM Vikash Chandra Ansh <
>>> vikasharnav0...@gmail.com> wrote:
>>>
>>>> Hi all.
>>>>
>>>> Kindly reply for my query.
>>>>
>>>> Thanks & Regards
>>>> Vikash Chandra
>>>>
>>>> On Sun 12 Jul, 2020, 03:53 Vikash Chandra Ansh, <
>>>> vikasharnav0...@gmail.com> wrote:
>>>>
>>>>> And moreover, how will CAS know that the request will go to the SP?
>>>>>
>>>>> I have added a JSON for the SP using the SAML registry class, providing
>>>>> the SP URL and the metadata location of the SP.
>>>>>
>>>>> PLEASE SUGGEST
>>>>>
>>>>> THANKS AND REGARDS
>>>>> VIKASH CHANDRA
>>>>>
>>>>> On Sun 12 Jul, 2020, 03:50 Vikash Chandra Ansh, <
>>>>> vikasharnav0...@gmail.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I have successfully configured Shibboleth as the SP on an Apache server. My
>>>>>> CAS will work as the IdP.
>>>>>>
>>>>>> Now, I have an application ABC which is integrated with CAS, so now
>>>>>> how will the request go via the SP through my IdP? And what will be the format
>>>>>> of the URL when I hit the ABC application?
>>>>>>
>>>>>> Previously it used to be like CAS URL + service + ABC URL, and after
>>>>>> submit a service ticket is generated and validated.
>>>>>>
>>>>>> Now, after this SAML change, what will my request look like on
>>>>>> submit?
>>>>>>
>>>>>> The JSON for the ABC application has been added in the CAS services folder.
>>>>>>
>>>>>> My cas version is 6.1.2.
>>>>>>
>>>>>> Thanks and regards
>>>>>> Vikash Chandra
>>>>>>
>>>>>>
>>>>>> On Thu 9 Jul, 2020, 21:39 Ray Bon,  wrote:
>>>>>>
>>>>>>> Vikash,
>>>>>>>
>>>>>>> Shib SP is described at
>>>>>>> https://wiki.shibboleth.net/confluence/display/SP3/Home

Re: [cas-user] How to implement CAS(Idp) with SAML

2020-07-12 Thread David Curry
The Shibboleth SP lets web services use SAML2 to authenticate and do single
sign-on. So if you have configured an Apache server with mod_shib, then you
would use the Apache config files to define a protected area on your web
server, and put your web-based application into that protected area. When
the user tries to access the application, mod_shib will intercept the
request for a protected file, and redirect to the Shib SP, which will in
turn talk to the CAS IdP.

For a simple example with just a dumb PHP script as the "application," see
this link:

https://dacurry-tns.github.io/deploying-apereo-cas/building_samlclient_overview.html


It's for CAS 5.2.x rather than 6.x, but except for a configuration property
name here or there, it should give you the idea.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Sun, Jul 12, 2020 at 6:06 PM Vikash Chandra Ansh <
vikasharnav0...@gmail.com> wrote:

> Hi all.
>
> Kindly reply for my query.
>
> Thanks & Regards
> Vikash Chandra
>
> On Sun 12 Jul, 2020, 03:53 Vikash Chandra Ansh, 
> wrote:
>
>> And moreover, how will CAS know that the request will go to the SP?
>>
>> I have added a JSON for the SP using the SAML registry class, providing the SP
>> URL and the metadata location of the SP.
>>
>> PLEASE SUGGEST
>>
>> THANKS AND REGARDS
>> VIKASH CHANDRA
>>
>> On Sun 12 Jul, 2020, 03:50 Vikash Chandra Ansh, <
>> vikasharnav0...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> I have successfully configured Shibboleth as the SP on an Apache server. My
>>> CAS will work as the IdP.
>>>
>>> Now, I have an application ABC which is integrated with CAS, so now how
>>> will the request go via the SP through my IdP? And what will be the format of
>>> the URL when I hit the ABC application?
>>>
>>> Previously it used to be like CAS URL + service + ABC URL, and after
>>> submit a service ticket is generated and validated.
>>>
>>> Now, after this SAML change, what will my request look like on submit?
>>>
>>> The JSON for the ABC application has been added in the CAS services folder.
>>>
>>> My cas version is 6.1.2.
>>>
>>> Thanks and regards
>>> Vikash Chandra
>>>
>>>
>>> On Thu 9 Jul, 2020, 21:39 Ray Bon,  wrote:
>>>
 Vikash,

 Shib SP is described at
 https://wiki.shibboleth.net/confluence/display/SP3/Home

 Ray

 On Thu, 2020-07-09 at 16:37 +0530, Vikash Chandra Ansh wrote:

 Hi all,

 I have made CAS the IdP and added properties for SAML. I am able to
 extract metadata.xml.

 Now I want to make Shibboleth the SP, which needs to be configured on
 the Apache httpd client 2.4.

 Could you suggest how to implement this?

 Note: my httpd Apache client is running on https as well.

 Thanks and regards
 Vikash Chandra

 --

 Ray Bon
 Programmer Analyst
 Development Services, University Systems
 2507218831 | CLE 019 | r...@uvic.ca

 I respectfully acknowledge that my place of work is located within the
 ancestral, traditional and unceded territory of the Songhees, Esquimalt and
 WSÁNEĆ Nations.

 --
 - Website: https://apereo.github.io/cas
 - Gitter Chatroom: https://gitter.im/apereo/cas
 - List Guidelines: https://goo.gl/1VRrw7
 - Contributions: https://goo.gl/mh7qDG
 ---
 You received this message because you are subscribed to the Google
 Groups "CAS Community" group.
 To unsubscribe from this group and stop receiving emails from it, send
 an email to cas-user+unsubscr...@apereo.org.
 To view this discussion on the web visit
 https://groups.google.com/a/apereo.org/d/msgid/cas-user/e454597816d473b162b17f55b96e5619fd13b44e.camel%40uvic.ca
 
 .



Re: [cas-user] CAS newbie 1st time install on RHEL problems with connection to LDAP server

2020-06-16 Thread David Curry
The CAS server (Tomcat) cannot validate the TLS certificate being returned
by your LDAP server. This could be for a few different reasons:

   1. The LDAP server's TLS certificate is not for the host name you're
   using to access the LDAP server (walnut.wccnet.edu)
   2. The LDAP server's TLS certificate requires an intermediate
   certificate that it's not providing itself (by concatenating certificates)
   and the Tomcat server doesn't have the intermediate certificate either
   3. Same as #2, but for the root certificate

Check #1 first; if that's not it, #2 is probably the issue, and it can be
fixed by having the LDAP server return a concatenated certificate
(basically, instead of just providing the server certificate, provide the
server cert, the intermediate cert, and [optionally] the root cert all
together).

--Dave

P.S. - The tip-off is this line:

org.ldaptive.ConnectException: javax.net.ssl.SSLException:
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

and then you just read backwards to see what it's trying to connect to when
the error occurs.


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Jun 16, 2020 at 4:01 PM David Lacerte  wrote:

> At Washtenaw Community College Ann Arbor Michigan I am working to replace
> an old CAS 3.x server with a new CAS 6.2 server running on RHEL 8.1
>
> We have encountered an error when we perform a 'gradlew run' command in
> which we see this error:
>
>
> AS Version: 6.2.0-SNAPSHOT
> CAS Branch: master
> CAS Commit Id: 4ac819eb72848f0ca995bb369526727479fa8cbf
> CAS Build Date/Time: 2020-06-16T19:16:54Z
> Spring Boot Version: 2.2.8.RELEASE
> Spring Version: 5.2.6.RELEASE
> Java Home: /usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64
> Java Vendor: Oracle Corporation
> Java Version: 11.0.7
> JVM Free Memory: 409 MB
> JVM Maximum Memory: 2 GB
> JVM Total Memory: 478 MB
> JCE Installed: Yes
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 4.18.0-147.5.1.el8_1.x86_64
> OS Date/Time: 2020-06-16T15:56:59.381046
> OS Temp Directory: /tmp
> Apache Tomcat Version: Apache Tomcat/9.0.36
> 
>
>
> 2020-06-16 15:02:49,204 INFO
> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
> -  [/etc/cas/config/cas.properties]]] unde  r
> profile(s) [[standalone]]>
> 2020-06-16 15:02:49,381 INFO [org.apereo.cas.web.CasWebApplication] -  following profiles are active: standalone>
> 2020-06-16 15:02:52,616 INFO
> [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] -
>  successfully.>
> 2020-06-16 15:03:00,848 INFO
> [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration]
> - <
>
> Using generated security password: xx
> >
> 2020-06-16 15:03:01,045 INFO
> [org.springframework.security.web.access.channel.ChannelProcessingFilter] -
> 
> 2020-06-16 15:03:01,063 INFO
> [org.springframework.security.web.DefaultSecurityFilterChain] -  filter chain: any request,
> [org.springframework.security.web.access.channel.ChannelProcessingFilter@1a6d
> c5ea,
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3d88ce0e,
> org.springframework.security.web.context.SecurityContextPersistenceFilter@31b741e2,
> org.springframework
> .security.web.savedrequest.RequestCacheAwareFilter@28f05b0c,
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5fdb7394,
> org.springframework.security.web.authentication.Anon
> ymousAuthenticationFilter@31f7eb8,
> org.springframework.security.web.session.SessionManagementFilter@1846ad0f,
> org.springframework.security.web.access.ExceptionTranslationFilter@432c0f1,
> org.springframework.s
> ecurity.web.access.intercept.FilterSecurityInterceptor@70884875]>
> 2020-06-16 15:03:02,145 ERROR
> [org.ldaptive.transport.netty.NettyConnection] -  for org.ldaptive.transport.netty.NettyConnection@193667460
> ::ldapUrl=[org.ldaptive.LdapURL@-120939274::sc
> heme=ldaps, hostname=walnut.wccnet.edu, port=636, baseDn=null,
> attributes=null, scope=null, filter=null, inetAddress=null], isOpen=false,
> connectTime=null, connectionConfig=[org.ldaptive.ConnectionConfig@697
> 975769::ldapUrl=ldaps://walnut.wccnet.edu:636, connectTimeout=PT5S,
> responseTimeout=PT5S, reconnectTimeout=PT2M, autoReconnect=true,
> autoReconnectCondition=org.ldaptive.ConnectionConfig$$Lambda$953/0x000
> 8408e9840@ccd000e, autoReplay=true,
> sslConfig=[org.ldaptive.ssl.SslConfig@1604700367::credentialConfig=null,
> trustManagers=null,
> hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@d7055be,
> enabledCiph  erSuites=null, 
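The three causes listed above can be reproduced offline with a throw-away CA hierarchy. This is an added example, not code from the thread or from CAS or ldaptive: every host name, subject and certificate in it is constructed on the fly, and `ldap.example.test` stands in for the real LDAPS host. It builds a root CA, an intermediate CA and a server certificate, then runs the same kind of path validation the JVM performs against a trust store that holds only the root: with the server certificate alone, path building fails (cause #2); with the concatenated server + intermediate file it succeeds; and `-verify_hostname` shows the name-mismatch case (cause #1). Only `openssl` is required.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "PKIX path building failed"
# offline. All names and certificates below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LDAP_HOST="ldap.example.test"   # stand-in for the real LDAPS host name

# Minimal, self-contained openssl req config so the demo does not depend on
# the system openssl.cnf. $1 is the CN to put in the subject.
req_cnf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = v3_ca\n'
  printf '[dn]\nCN = %s\n' "$1"
  printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\n'
  printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
}

# Generate root -> intermediate -> server. Idempotent, so it can be called twice.
make_chain() {
  if [ -f "$WORK/server-chain.crt" ]; then return 0; fi

  # Self-signed root CA: the only thing the "client" will trust.
  req_cnf "Demo Root CA" > "$WORK/root.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/root.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA, signed by the root.
  req_cnf "Demo Intermediate CA" > "$WORK/int.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/int.cnf" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.crt" >/dev/null 2>&1

  # Server (LDAPS) certificate, signed by the intermediate, with a SAN.
  req_cnf "$LDAP_HOST" > "$WORK/server.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$LDAP_HOST" \
    > "$WORK/server.ext"
  openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1

  # The "concatenated" form described above: server cert first, then intermediate.
  cat "$WORK/server.crt" "$WORK/int.crt" > "$WORK/server-chain.crt"
}

# Emulate a client whose trust store holds only the root. $1 is the file the
# server presents. Returns 0 when a path to the root can be built.
verify_presented() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Same path check, plus the host name match against the SAN (cause #1).
verify_hostname() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/server-chain.crt" \
    -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

report() {
  if "$@"; then echo "OK"; else echo "FAIL (no valid certification path / name mismatch)"; fi
}

make_chain
printf 'server cert only:              '; report verify_presented "$WORK/server.crt"
printf 'server + intermediate:         '; report verify_presented "$WORK/server-chain.crt"
printf 'host name %s:   ' "$LDAP_HOST"; report verify_hostname "$LDAP_HOST"
printf 'host name wrong.example.test:  '; report verify_hostname "wrong.example.test"
```

Against a live server, the chain it actually presents can be inspected with `openssl s_client -connect host:636 -showcerts </dev/null`; the number of certificates in that output is what matters, because by default the JVM does not go and fetch a missing intermediate on its own.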

Re: [cas-user] Handling multiple accounts for one person

2020-05-18 Thread David Curry
If the double-account people are still the exception rather than the rule
(even with a couple hundred), I recommend a consistent naming scheme for
them with a prefix or something (like our "adm_netid"). Then you can just
refer to "your xyz account" where "xyz" is the prefix, and it's always
clear which one you're talking about.


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Mon, May 18, 2020 at 5:12 PM mbar...@scad.edu  wrote:

> Thank you again for responding.   I wish we didn't split email, but we did
> a long time ago - during the initial email implementation -  and we never
> tried to consolidate.
>
> Fortunately, I don't have the "which account" problems.  Students get a
> pretty clear setup, and anything extra would go to a staff account.  I just
> have a couple of services (email, file sharing) where certain people are
> going to have a separate student and staff account.  I need a clear way for
> the user (and CAS) to know which account.  I think your idea of separate
> logins will handle that, but we'll just need to communicate with those
> double-account people.
>
> Thanks again,
> Mike
>
>
> On Monday, May 18, 2020 at 4:25:03 PM UTC-4, richard.frovarp wrote:
>>
>> Now I get to say "Same as Dave". Secondary accounts are for administrator
>> or test access for the most part in our environment. Splitting something
>> like email is a pain, and that has spawned a great many threads over on the
>> Educause IAM (née Idm) list. Bigger issue is making sure others know which
>> account to reference to grant permissions.
>>
>> On Mon, 2020-05-18 at 15:26 -0400, David Curry wrote:
>>
>> In our case no, because the "staff" account is really just an
>> "administrator" account -- so it's the one used to be an application (or
>> system) admin rather than the user's regular account. Most of the people
>> who have those are IT people, although a few non-IT people are starting to
>> get them as we roll out new applications and systems.
>>
>> So when I log into an application (like the CAS management console, or
>> the Duo admin pages, or a Linux box where I want to use "sudo" to do root-y
>> things, or a Windows server where I need admin rights), I log in as
>> "adm_curryd" instead of "curryd". When I want to do things as a normal
>> person, I log in as "curryd".
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Mon, May 18, 2020 at 3:21 PM mba...@scad.edu  wrote:
>>
>> David, Richard,
>>
>> Thank you very much.  Did you or do you have issues with students/staff
>> getting confused on which account to use? Any tips for handling that other
>> than FAQs?  We've got several hundred people with dual accounts.
>>
>> Thank you,
>> Mike
>>
>> On Monday, May 18, 2020 at 2:05:05 PM UTC-4, David Curry wrote:
>>
>> We do pretty much the same thing Richard is doing. The different accounts
>> are in different OUs in AD, and IAM handles the provisioning. Way back
>> when, we configured CAS with multiple "directories" that are the same AD
>> server with different DNs (one for each OU). We could probably stop doing
>> that now and just use one "directory" with a less-specific OU, but it's
>> working fine the way it is.
>>
>> We don't have separate Duo setups; we are using the alternate username
>> feature of Duo that Richard mentioned to allow multiple accounts to use the
>> same profile. We also use that feature to handle this one stupid app we
>> have that insists on the username being shaped like an email address.
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Mon, May 18, 2020 at 1:49 PM Richard Frovarp 
>> wrote:
>>
>> We just have separate accounts in AD, which is where we are
>> authenticating and doing attribute release from. The IAM system is
>> responsible for correctly populating the directory and end application
>> if needed in the correct way for each ac

Re: [cas-user] Handling multiple accounts for one person

2020-05-18 Thread David Curry
In our case no, because the "staff" account is really just an
"administrator" account -- so it's the one used to be an application (or
system) admin rather than the user's regular account. Most of the people
who have those are IT people, although a few non-IT people are starting to
get them as we roll out new applications and systems.

So when I log into an application (like the CAS management console, or the
Duo admin pages, or a Linux box where I want to use "sudo" to do root-y
things, or a Windows server where I need admin rights), I log in as
"adm_curryd" instead of "curryd". When I want to do things as a normal
person, I log in as "curryd".

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Mon, May 18, 2020 at 3:21 PM mbar...@scad.edu  wrote:

> David, Richard,
>
> Thank you very much.  Did you or do you have issues with students/staff
> getting confused on which account to use? Any tips for handling that other
> than FAQs?  We've got several hundred people with dual accounts.
>
> Thank you,
> Mike
>
> On Monday, May 18, 2020 at 2:05:05 PM UTC-4, David Curry wrote:
>>
>> We do pretty much the same thing Richard is doing. The different accounts
>> are in different OUs in AD, and IAM handles the provisioning. Way back
>> when, we configured CAS with multiple "directories" that are the same AD
>> server with different DNs (one for each OU). We could probably stop doing
>> that now and just use one "directory" with a less-specific OU, but it's
>> working fine the way it is.
>>
>> We don't have separate Duo setups; we are using the alternate username
>> feature of Duo that Richard mentioned to allow multiple accounts to use the
>> same profile. We also use that feature to handle this one stupid app we
>> have that insists on the username being shaped like an email address.
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Mon, May 18, 2020 at 1:49 PM Richard Frovarp 
>> wrote:
>>
>>> We just have separate accounts in AD, which is where we are
>>> authenticating and doing attribute release from. The IAM system is
>>> responsible for correctly populating the directory and end application
>>> if needed in the correct way for each account. This requires multiple
>>> accounts and passwords, and currently multiple Duo setups. Although,
>>> thinking of it now, we could use alternate usernames on Duo to use the
>>> same configuration between different accounts.
>>>
>>> On Mon, 2020-05-18 at 10:19 -0700, mba...@scad.edu wrote:
>>> > At our university, we have some applications where one person will
>>> > only have one account and the application is aware of the different
>>> > "roles" a person might have, i.e., student, staff, faculty and/or
>>> > alumni.   We also have some other applications where a person may
>>> > have a student account and also a faculty/staff account.  Due to
>>> > historical reasons, our CAS is built around the former, one-person-
>>> > to-one-account model.  Up until now, we've been able to handle
>>> > multiple accounts via separate login URLs to the same service, and
>>> > CAS will respond with the appropriate staff or student attributes.
>>> >
>>> > We're now integrating with some Cloud services and the separate login
>>> > URL does not appear to be a possibility. We'll just have one URL for
>>> > the Cloud service.
>>> >
>>> > How are other organizations handling this?  I'd love to hear some
>>> > ideas.
>>> >
>>> > I can think of a couple ways, but I'm not sure I like them.
>>> >
>>> > Thank you very much,
>>> > Mike
>>>

Re: [cas-user] Handling multiple accounts for one person

2020-05-18 Thread David Curry
We do pretty much the same thing Richard is doing. The different accounts
are in different OUs in AD, and IAM handles the provisioning. Way back
when, we configured CAS with multiple "directories" that are the same AD
server with different DNs (one for each OU). We could probably stop doing
that now and just use one "directory" with a less-specific OU, but it's
working fine the way it is.

We don't have separate Duo setups; we are using the alternate username
feature of Duo that Richard mentioned to allow multiple accounts to use the
same profile. We also use that feature to handle this one stupid app we
have that insists on the username being shaped like an email address.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Mon, May 18, 2020 at 1:49 PM Richard Frovarp 
wrote:

> We just have separate accounts in AD, which is where we are
> authenticating and doing attribute release from. The IAM system is
> responsible for correctly populating the directory and end application
> if needed in the correct way for each account. This requires multiple
> accounts and passwords, and currently multiple Duo setups. Although,
> thinking of it now, we could use alternate usernames on Duo to use the
> same configuration between different accounts.
>
> On Mon, 2020-05-18 at 10:19 -0700, mbar...@scad.edu wrote:
> > At our university, we have some applications where one person will
> > only have one account and the application is aware of the different
> > "roles" a person might have, i.e., student, staff, faculty and/or
> > alumni.   We also have some other applications where a person may
> > have a student account and also a faculty/staff account.  Due to
> > historical reasons, our CAS is built around the former, one-person-
> > to-one-account model.  Up until now, we've been able to handle
> > multiple accounts via separate login URLs to the same service, and
> > CAS will respond with the appropriate staff or student attributes.
> >
> > We're now integrating with some Cloud services and the separate login
> > URL does not appear to be a possibility. We'll just have one URL for
> > the Cloud service.
> >
> > How are other organizations handling this?  I'd love to hear some
> > ideas.
> >
> > I can think of a couple ways, but I'm not sure I like them.
> >
> > Thank you very much,
> > Mike
>



Re: [cas-user] CAS V5.3 with Zoom SSO???

2020-05-12 Thread David Curry
We're running it with CAS 5.2.x as a SAML2 service. I didn't personally set
it up, but the guy who did says it was just a "regular" SAML2 setup
(they're pretty routine for us these days). Release the attributes Zoom
wants and tell it which attribute is what, and you're good to go.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, May 12, 2020 at 5:37 PM Keith Alston (Staff) 
wrote:

> Anyone set up Zoom SSO with CAS?? Any pointers/tips??
>
>
>
> -Keith Alston
>
> keit...@regent.edu
>
> Regent University
>
> 757-619-3421
>
>
>



Re: [cas-user] cas5 rebuild and restart for every change??

2020-04-09 Thread David Curry
Just to add to what Richard said, you'll also want to put

spring.thymeleaf.cache: false

in your cas.properties so that you can edit the files and see the changes
"immediately" without having to bounce Tomcat. Note that it seems to only
refresh every 60 seconds though; so my usual approach was to save the files
you've changed, run "date" and see what time it is, and then wait until the
seconds reach ":00" before refreshing the browser. Annoying, but still a
lot faster than rebuilding/redeploying.

Once you've changed everything, copy the files back into your maven repo,
take the cache line from above out of cas.properties, rebuild and redeploy.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Apr 9, 2020 at 3:28 PM Richard Frovarp 
wrote:

> If you deploy to an external container like Tomcat, you can instead of
> using the war, explode it into the webapp directory. Wars and jars are
> just zip files. Or let Tomcat explode it for you the first time, stop
> Tomcat, then delete war. You can edit content without having to
> rebuild.
>
> I think that the HTML / CSS can be updated live enough if you use the
> method above. If nothing else it saves you the build step even if you
> have to bounce Tomcat.
>
> On Thu, 2020-04-09 at 12:16 -0700, Yan Zhou wrote:
> > Hi there,
> >
> > CAS5.3.x overlay.  It looks like we have to build it into a WAR file
> > first, then either run it as an executable WAR or deploy to external
> > container.
> >
> > There is also a way to run CAS as an executable WAR via Spring Boot's
> > maven plugin, but that requires NO change to CAS dependencies, which
> > is not my use case (I have made a lot of changes in CAS dependencies).
> >
> > Is there some way that I can do a hot swap, e.g., see the static
> > HTML/CSS change with the refresh of a browser?
> >
> > Even in standalone mode, it takes several minutes for CAS 5.3 to
> > startup.
> > Thanks,
> > Yan
> >
>



Re: [cas-user] What's your production version?

2020-03-12 Thread David Curry
We're running 5.2.9.

The release schedule moves way too quickly for us to keep up with, and so
far, the features that have been added, while a couple of them are
interesting, are not significant enough to justify the effort to move.

The one thing that concerns us is that 5.2.x is no longer supported, even
for security patches. IMHO the CAS maintenance plan is not terribly
realistic in giving only 12 months' support to a release. I understand why,
but that doesn't make it better.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Mar 12, 2020 at 8:50 AM Jack  wrote:

> Hello,
>
> Over time, we have burnt our fingers with different versions. We're
> still running 5.1.
>
> What's the stable version or your production version now?
>
> Thanks!
>



Re: [cas-user] Re: Chrome and samesite cookies

2020-02-27 Thread David Curry
We're running CAS 5.2 and have not had any reported issues with Canvas or
any of the other applications that log in through it.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Feb 27, 2020 at 9:59 AM William E.  wrote:

> Not us.  Canvas is hosted with the vendor, our CAS is local, we're on 5.3.
>
> -W
>
>
> On Wednesday, February 26, 2020 at 12:13:47 PM UTC-6, ste...@rutgers.edu
> wrote:
>>
>> We received an email stating there are issues authenticating to our
>> Canvas instance due to the Chrome SameSite changes.  Has anyone else had
>> issues?  Is there a fix for this?  We're running v3.6 at the moment,
>> upgrading to v5.3 within the next 6 months.
>>
>> thanks,
>> ds
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAP%2B9Mw30mkoS7oZdpY79v4HuRoK1RxDXT5tfzLJ6y7O0g%40mail.gmail.com.


Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-06 Thread David Curry
I believe, if you have 4 members, that asyncBackupCount should be 3, because
a node doesn't back itself up. (Hazelcast might be smart enough to fix that
itself, but I don't know.)

Also, I'm curious as to why you have tcpIpEnabled set to true? You'd be
much better off, from a performance standpoint, setting it to false and
using UDP. TCP blocks, UDP doesn't.

I've never run this in docker, so I don't know what, if anything, you need
to do differently. But I would be at least a little suspicious of the
interactions there -- it should work of course, but could you be missing
something in the docker config, or the config on the host?


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Feb 6, 2020 at 4:36 PM 'Maksim Kopeyka' via CAS Community <
cas-user@apereo.org> wrote:

> Hi David,
>
> I tried a similar config with 4 nodes:
>
>> cas.ticket.registry.hazelcast.cluster.members=${HAZELCAST_CLUSTER_MEMBERS}
>> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=4
>> cas.ticket.registry.hazelcast.cluster.backupCount=0
>> cas.ticket.registry.hazelcast.cluster.port=5701
>> cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
>> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
>>
>> cas.ticket.registry.hazelcast.cluster.publicAddress=${HAZELCAST_PUBLIC_ADDRESS}
>> cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
>> cas.ticket.registry.hazelcast.crypto.enabled=false
>
>
> I see this output on each node, i.e. Hazelcast creates a cluster and sees
> all nodes:
>
> 2020-02-06 21:20:49,235 INFO
>> [com.hazelcast.internal.cluster.ClusterService] -
>> <[ecdc-rant-affiliateidp-dev-1]:5701 [dev] [3.12.4]
>> Members {size:4, ver:4} [
>> Member [wcdc-rant-affiliateidp-dev-1]:5701 -
>> a245c93b-beb0-4929-b831-e40a323cad8b
>> Member [ecdc-rant-affiliateidp-dev-2]:5701 -
>> bcbcd799-8cb8-4e5d-8802-5d95d4015ffd
>> Member [wcdc-rant-affiliateidp-dev-2]:5701 -
>> 9d3f52c9-1475-462e-844a-1b534efdca73
>> Member [ecdc-rant-affiliateidp-dev-1]:5701 -
>> e9f81f52-7a99-4428-a402-5a2f48cba838 this
>> ]
>> >
>
>
> However, ticket distribution doesn't work. Nodes 1, 2, 3 don't know about
> the session on Node 4.
>
> I don't see any errors in the logs related to Hazelcast, but this one
> appears from time to time:
>
>> 2020-02-06 17:31:56,248 ERROR
>> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
>> java.lang.IllegalArgumentException: Null input buffer
>> at javax.crypto.Cipher.doFinal(Unknown Source) ~[?:?]
>> at
>> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92)
>> ~[cas-server-core-util-api-6.1.3.jar!/:6.1.3]
>
>
>
> On Wednesday, February 5, 2020 at 9:28:43 PM UTC+2, David Curry wrote:
>>
>> Maksim,
>>
>> If you don't want to ever lose tickets, then you would want all nodes to
>> back up all other nodes. So if you have 3 member nodes, you would want 2
>> async backup nodes (asyncBackupCount) and also you'd probably want to
>> disable the default sync backup (backupCount) node since it will block.
>> Here are the settings we're running with in production (although this is
>> CAS 5):
>>
>> cas.ticket.registry.hazelcast.cluster.members:
>> cas01.newschool.edu,cas02.newschool.edu,cas03.newschool.edu,
>> cas04.newschool.edu,cas05.newschool.edu
>> cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 4
>> cas.ticket.registry.hazelcast.cluster.backupCount:  0
>> cas.ticket.registry.hazelcast.cluster.port: 5701
>> cas.ticket.registry.hazelcast.cluster.portAutoIncrement:false
>> cas.ticket.registry.hazelcast.crypto.encryption.key:
>> xxxIoXN6SBU5bF+iAVTKgw==
>> cas.ticket.registry.hazelcast.crypto.signing.key:
>>  
>> xxxmEbPGT_MXg0JWYLTe4oFaOaklocCqlY2VuHBdAHuh0V6-PdQxmgi4tTA3CZZos8TUbzg-L9nYHJpA5RqcvA
>> cas.ticket.registry.hazelcast.crypto.enabled:   true
>>
>> This works well for us behind an F5 load balancer; we do not use sticky
>> sessions. We can (and do) reboot servers in the pool without anyone getting
>> re-prompted to log in (just don't reboot them all at once).
>>
>> The crypto stuff (last three lines) is not needed for this to work, but
>> you (arguably) might want it in production. You can leave it off while
>> getting things to work and enable it later.
>>
>> One other thing -- did you remember to open 5701 in the firewall on all
>> the servers?
>>
>> -

Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-05 Thread David Curry
Maksim,

If you don't want to ever lose tickets, then you would want all nodes to
back up all other nodes. So if you have 3 member nodes, you would want 2
async backup nodes (asyncBackupCount) and also you'd probably want to
disable the default sync backup (backupCount) node since it will block.
Here are the settings we're running with in production (although this is
CAS 5):

cas.ticket.registry.hazelcast.cluster.members:  cas01.newschool.edu,
cas02.newschool.edu,cas03.newschool.edu,cas04.newschool.edu,
cas05.newschool.edu
cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 4
cas.ticket.registry.hazelcast.cluster.backupCount:  0
cas.ticket.registry.hazelcast.cluster.port: 5701
cas.ticket.registry.hazelcast.cluster.portAutoIncrement:false
cas.ticket.registry.hazelcast.crypto.encryption.key:
xxxIoXN6SBU5bF+iAVTKgw==
cas.ticket.registry.hazelcast.crypto.signing.key:
 
xxxmEbPGT_MXg0JWYLTe4oFaOaklocCqlY2VuHBdAHuh0V6-PdQxmgi4tTA3CZZos8TUbzg-L9nYHJpA5RqcvA
cas.ticket.registry.hazelcast.crypto.enabled:   true

This works well for us behind an F5 load balancer; we do not use sticky
sessions. We can (and do) reboot servers in the pool without anyone getting
re-prompted to log in (just don't reboot them all at once).

The crypto stuff (last three lines) is not needed for this to work, but you
(arguably) might want it in production. You can leave it off while getting
things to work and enable it later.

One other thing -- did you remember to open 5701 in the firewall on all the
servers?

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Wed, Feb 5, 2020 at 1:40 PM Ray Bon  wrote:

> Maksim,
>
> There is this config setting
> cas.ticket.registry.hazelcast.cluster.members=
> Add IPs of all members to the list.
> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#hazelcast-ticket-registry
> and the link to common settings.
>
> There are some hazelcast loggers in log4j2.xml
>
>  level="${sys:hazelcast.log.level}" includeLocation="true" />
>
> Ray
>
> On Wed, 2020-02-05 at 09:16 -0800, 'Maksim Kopeyka' via CAS Community
> wrote:
>
> Ray,
>
> I asked about CAS functionality to distribute tickets across nodes. I need
> specific CAS functionality based on Hazelcast, and it seems to me this
> functionality doesn't work as expected, so I need to check it somehow. Maybe
> with some debug logging.
> I have a cluster with several nodes of CAS with the Hazelcast ticket registry,
> and I have a load balancer. If I turn off sticky sessions, CAS asks me for
> username/password every time. This cluster works in the same way without the
> Hazelcast ticket registry. So it seems to me this functionality doesn't work,
> and I don't see any errors in the logs.
>
> On Wednesday, February 5, 2020 at 7:03:55 PM UTC+2, rbon wrote:
>
> Maksim,
>
> I do not know if there is a stand alone client for accessing hazelcast
> data. In the docs,
> https://docs.hazelcast.org/docs/4.0/manual/html-single/index.html, there
> is a section on clients and one on management. It looks like you would have
> to create an application yourself but someone has probably done that
> already.
>
> Ray
>
> On Wed, 2020-02-05 at 08:11 -0800, 'Maksim Kopeyka' via CAS Community
> wrote:
>
> Hi Ray,
>
> It seems to me Hazelcast doesn't distribute data across all nodes because
> each node doesn't have information about sessions on other nodes.
> How to check data distribution?
>
> On Friday, January 31, 2020 at 11:02:05 PM UTC+2, rbon wrote:
>
> Maksim,
>
> Hazelcast is distributed but not replicated. Thus, when a server goes
> down, the tickets on that server are lost. You have to relogin only if your
> ticket was on that server.
> Hazelcast has some mechanism of determining which node has which ticket.
> It may also be possible to make hazelcast replicated but I have not tried.
>
> Ray
>
> P.S. you have two node3s in your config.
>
> On Fri, 2020-01-31 at 11:51 -0800, 'Maksim Kopeyka' via CAS Community
> wrote:
>
> Hi Andy,
>
> Your example is very helpful. Thank you.
> I see how hazelcast tickets registry works on my local env. I turned off
> active container and another container continues to work with my active
> session without relogin.
>
> However, on my remote env. with CAS 6.1.3 it doesn't work this way. The load
> balancer asks me to re-login if I turn off the active container.
> Each node with hazelcast sees other nodes. I see such messages on all
> nodes in case node1 is turned off:
>
> WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [
> dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.
> net.SocketException {Connection refused to address node1/xx.xx.xx.xx:5701
> }, Error-Count: 5>
> WARN [com.hazelcast.internal.cluster.impl.MembershipManager] - <[node2]:
> 5701 [dev] [3.12.4] Member [node1]:5701 - 
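As an added example (not code from CAS, Hazelcast, or anyone in this thread), here is a small Python checker that reads the Hazelcast ticket-registry lines out of a cas.properties excerpt and applies the backup-count rule above: asyncBackupCount = members - 1, backupCount = 0, and crypto enabled for production. The two sample configurations, their host names, and the helper names are constructed; the 6-backup cap is Hazelcast's own limit.

```python
"""Sanity-check Hazelcast ticket-registry settings as discussed in this thread.

Added example, not CAS or Hazelcast code. It encodes the thread's rule of
thumb: with N cluster members every node should back up every other node, so
asyncBackupCount = N - 1 (a node never backs itself up) and the synchronous
backupCount, which blocks on every write, is 0. Hazelcast allows at most 6
backups in total (sync + async), so larger clusters are capped there.
"""
import re

PREFIX = "cas.ticket.registry.hazelcast."
MAX_BACKUPS = 6  # Hazelcast's hard limit on backupCount + asyncBackupCount

# Constructed samples modelled on the two configurations quoted in the thread:
# a 4-node cluster with asyncBackupCount=4 (one too many) and crypto disabled,
# and a 5-node cluster in "key: value" style with the member list wrapped
# over several lines the way a mail client wraps it.
FOUR_NODE_CONFIG = """
cas.ticket.registry.hazelcast.cluster.members=node1,node2,node3,node4
cas.ticket.registry.hazelcast.cluster.asyncBackupCount=4
cas.ticket.registry.hazelcast.cluster.backupCount=0
cas.ticket.registry.hazelcast.cluster.port=5701
cas.ticket.registry.hazelcast.crypto.enabled=false
"""

FIVE_NODE_CONFIG = """
cas.ticket.registry.hazelcast.cluster.members:
cas01.example.edu,cas02.example.edu,cas03.example.edu,
cas04.example.edu,cas05.example.edu
cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 4
cas.ticket.registry.hazelcast.cluster.backupCount:  0
cas.ticket.registry.hazelcast.cluster.port: 5701
cas.ticket.registry.hazelcast.crypto.enabled:   true
"""

KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Parse Java-style properties ("key=value" or "key: value").

    A line without a separator is appended to the previous value, which
    is what a member list wrapped by a mail client looks like.
    """
    props = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2).strip()
            props[last_key] = value
        elif last_key is not None:
            props[last_key] += line
    return props


def _count(props, name, default):
    """Return an integer setting, or None when it is an unresolved ${...}."""
    value = props.get(PREFIX + name, default).strip()
    return int(value) if value.isdigit() else None


def check_hazelcast(props):
    """Return a list of findings; an empty list means the settings look right."""
    findings = []
    members = [m.strip() for m in props.get(PREFIX + "cluster.members", "").split(",")
               if m.strip()]
    n = len(members)
    if n < 2:
        return ["fewer than two cluster members: there is nothing to replicate tickets to"]
    # Hazelcast defaults: one synchronous backup, no asynchronous backups.
    async_bc = _count(props, "cluster.asyncBackupCount", "0")
    sync_bc = _count(props, "cluster.backupCount", "1")
    if async_bc is None or sync_bc is None:
        return ["backup counts contain an unresolved placeholder; resolve them first"]
    want = min(n - 1, MAX_BACKUPS)
    if async_bc != want:
        findings.append(f"asyncBackupCount={async_bc}: with {n} members it should be {want} "
                        "(each node backs up every other node, never itself)")
    if sync_bc != 0:
        findings.append(f"backupCount={sync_bc}: synchronous backups block every write; "
                        "the thread's production settings use 0 and rely on async backups")
    if props.get(PREFIX + "crypto.enabled", "false").lower() != "true":
        findings.append("crypto.enabled is not true: tickets are placed in the shared "
                        "registry without encryption or signing (acceptable while "
                        "testing, enable it for production)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("4-node", FOUR_NODE_CONFIG), ("5-node", FIVE_NODE_CONFIG)):
        print(label, check_hazelcast(parse_properties(cfg)) or ["ok"])
```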

Re: [cas-user] Re: CAS 5.3.x with Mongo Ticket Store (anyone had any issues)

2020-02-02 Thread David Curry
Since the first and last messages in the thread Andy points to were mine,
I'll add a follow-up with current information. We did indeed switch from a
MongoDB ticket registry (which seemed to have issues under heavy-ish load)
to a Hazelcast ticket registry, based on what we learned from that thread.

Since we did that about 11 months ago, we have not had any issues with the
ticket registry.

Based on our experience, I would not recommend MongoDB for the ticket
registry (it continues to work very well for us as the service registry,
however).

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Sat, Feb 1, 2020 at 10:55 PM Andy Ng  wrote:

> Hi Justin,
>
> This thread might be a good read for you :)
>
> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/mongodb$20service$20david|sort:date/cas-user/tCk7jJz5pnE/Tilp-dbqBwAJ
>
> Basically, it seems that if the stress is too high, MongoDB will have some minor
> problems; you can check out more detail in the thread above.
>
> Cheers!
> - Andy
>


Re: [cas-user] cas 5.2.x leaking connections

2020-01-10 Thread David Curry
You might want to experiment with turning the passivator off, or changing
its setting. Not sure that's it, but it might help?

https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#why-passivators


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Jan 10, 2020 at 5:40 PM Trenton D. Adams 
wrote:

> Good day,
>
> We are having some problems with CAS 5.2.x leaking connections in our
> production environment.  We're not sure how or why this is happening.  What
> we do know is that they are no longer part of the pool, because if they
> were we'd run out of connections in the pool.  However, there is a limit to
> the number of connections an LDAP server can handle, so it requires a CAS
> restart regularly.
>
> Below is the configuration we're using for both LDAP and the password
> manager.  We were hoping someone understands why this could be happening, as
> the CAS documentation is not very good for these settings, and neither are
> the javadoc or Ldaptive docs.  I hope someone with more CAS experience,
> such as a dev, might be able to help?
>
>
> cas.authn.ldap[0].type=ANONYMOUS
>
> cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com:389
>
> cas.authn.ldap[0].useSsl=false
>
> cas.authn.ldap[0].baseDn=ou=Student,ou=People,dc=example,dc=com
>
> cas.authn.ldap[0].userFilter=uid={user}
>
> cas.authn.ldap[0].principalAttributeId=uid
>
> cas.authn.ldap[0].principalAttributeList=uid,udcid:UDC_IDENTIFIER
>
> cas.authn.ldap[1].type=ANONYMOUS
>
> cas.authn.ldap[1].ldapUrl=ldap://ldap.example.ca:389
>
> cas.authn.ldap[1].useSsl=false
>
> cas.authn.ldap[1].baseDn=ou=Staff,ou=People,dc=example,dc=com
>
> cas.authn.ldap[1].userFilter=uid={user}
>
> cas.authn.ldap[1].principalAttributeId=uid
>
> cas.authn.ldap[1].principalAttributeList=uid,udcid:UDC_IDENTIFIER
>
>
> cas.authn.pm.ldap.type=GENERIC
>
> cas.authn.pm.ldap.ldapUrl=ldap://ldap.example.com:389
>
> cas.authn.pm.ldap.connectionStrategy=ACTIVE_PASSIVE
>
> cas.authn.pm.ldap.useSsl=false
>
> cas.authn.pm.ldap.useStartTls=false
>
> cas.authn.pm.ldap.connectTimeout=5000
>
> cas.authn.pm.ldap.baseDn=ou=People,dc=example,dc=com
>
> cas.authn.pm.ldap.userFilter=uid={user}
>
> cas.authn.pm.ldap.subtreeSearch=true
>
> cas.authn.pm.ldap.bindDn=cn=Manager,dc=example,dc=com
>
> cas.authn.pm.ldap.bindCredential=
>
> cas.authn.pm.ldap.trustCertificates=
>
> cas.authn.pm.ldap.poolPassivator=BIND
>
> cas.authn.pm.ldap.minPoolSize=3
>
> cas.authn.pm.ldap.maxPoolSize=10
>
> cas.authn.pm.ldap.validateOnCheckout=true
>
> cas.authn.pm.ldap.validatePeriodically=true
>
> cas.authn.pm.ldap.validatePeriod=600
>
> cas.authn.pm.ldap.validateTimeout=5000
>
> cas.authn.pm.ldap.failFast=false
>
> cas.authn.pm.ldap.idleTime=500
>
> cas.authn.pm.ldap.prunePeriod=600
>
> cas.authn.pm.ldap.blockWaitTime=5000
>
> cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>
> cas.authn.pm.ldap.securityQuestionsAttributes.challengeQuestion=challengeResponse
>
> cas.authn.pm.ldap.validator.type=SEARCH
>
> cas.authn.pm.ldap.validator.baseDn=ou=Staff,ou=People,dc=example,dc=com
>
> cas.authn.pm.ldap.validator.searchFilter=(uid=some-user)
>
> cas.authn.pm.ldap.validator.scope=ONELEVEL
>
> cas.authn.pm.ldap.validator.attributeName=cn
>
> cas.authn.pm.ldap.validator.attributeValues=Some Name
>
> cas.authn.pm.ldap.validator.dn=
>
> --
> Trenton D. Adams
> Senior Systems Analyst/Web Software Developer
> Applications Unit - ITS
> Athabasca University
> (780) 675-6195
>
> It is only when you are surrounded by a supportive team, that you can achieve
> your best.  Instead of tearing people down, try building them up!
>
> --
>
> This communication is intended for the use of the recipient to whom it is
> addressed, and may contain confidential, personal, and or privileged
> information. Please contact us immediately if you are not the intended
> recipient of this communication, and do not copy, distribute, or take
> action relying on it. Any communications received in error, or subsequent
> reply, should be deleted or destroyed.
>
> ---
>

Re: [cas-user] Tips for changing Google Apps 3rd-party SSO - CAS 5.3.x

2020-01-09 Thread David Curry
We did this when we rolled out CAS 5 as well. New servers, new DNS names,
the whole deal.

To answer your specific questions:

   1. We generated new ones. I don't think you have to, but it just seemed
   to make more sense to "start fresh" so we knew what components we had
   installed.
   2. It was pretty straightforward; I don't recall any gotchas. You might
   find this helpful just to make sure you haven't left anything out:
   https://dacurry-tns.github.io/deploying-apereo-cas/googleapps_overview.html
   3. We didn't experience any issues in this area, although we don't use
   much of this to begin with.
   4. Not really; it's pretty simple.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Wed, Jan 8, 2020 at 9:02 PM Mike Osterman  wrote:

> We're finally getting up to CAS 5.3.x, and for a variety of reasons, we
> built a new server with a different host name. As part of the transition,
> we'll be updating the "Third-party identity provider" settings in Google
> Apps with the new URL and keys.
>
> As I'm sure others have gone through this, so I thought I'd ask a few
> questions here:
>
>1. Did you reuse the X509 certificates from your previous CAS instance?
>2. The CAS side seems pretty well-documented and straightforward:
>https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html
>
>Is there anything you'd add to this? For example, does your service
>registry entry match that on the documentation, or did you need to add more
>attributes?
>3. Were there any gotchas you didn't foresee, such as all users' OAuth
>tokens being expired due to the changes? (I'm not certain this will happen,
>just trying to think of things that might happen as an unintended
>byproduct.)
>4. Are there additional preparations you wish you'd done given
>hindsight?
>
> Thanks!
> Mike
>


Re: [cas-user] Service Registry in MongoDB (with replication)

2019-11-14 Thread David Curry
Do you have the cas-server-support-mongo-service-registry dependency in the
cas-management pom.xml as well as the cas server pom.xml? I didn't see it in
the excerpt you provided.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Nov 14, 2019 at 10:53 AM Shawn Cutting  wrote:

> Good morning,
>
> I am at a total loss here about how to get CAS services to load from (and
> to) MongoDB.  Following the instructions on David Curry's site
> 
> (very well written, by the way), I have the mongodb server running and
> replicating across 3 servers.  I am also able to successfully
> auto-initialize the database with the JSON files.  I verify this by opening
> mongodb and searching the collection "casServiceRegistry."
>
> *CAS version 5.3.14*, by the way.
>
> When I start the tomcat server and watch the debug logs, I see that CAS is
> loading the entry from the database:
>
> - snippet -
> 2019-11-13 16:24:22,706 DEBUG
> [org.apereo.cas.services.AbstractServicesManager] -  [org.apereo.cas.services.ChainingServiceRegistry@3971e14f]>
> 2019-11-13 16:24:22,728 DEBUG
> [org.apereo.cas.services.AbstractServicesManager] -  service [http(|s)://cas(|.*).messiah.edu(|.*)/cas-management(|/.*)]>
> 2019-11-13 16:24:22,729 INFO
> [org.apereo.cas.services.AbstractServicesManager] -  from [MongoDbServiceRegistry].>
>
>
> Here is where it gets weird: when I load the management app, I see one
> service entry that does NOT match the one loaded on startup.  I should also
> note that I have the ticket registry replicated on the same MongoDB server
> and it works perfectly.
>
> That's the short story, here are the details (these settings match on all
> 3 servers "*cas-ha01, cas-ha02, cas-ha03*":
>
> -- cas.properties: --
> cas.server.name=https://cas-ha.messiah.edu
> cas.server.prefix=${cas.server.name}/cas
> cas.view.templatePrefixes[0]=file:///etc/cas/templates
> cas.logout.followServiceRedirects=true
> logging.config=file:/etc/cas/config/log4j2.xml
>
> mongo.db=casdb
> mongo.rs=rs0
> mongo.opts==true
> mongo.creds=mongocas:**
> mongo.hosts=cas-ha01.messiah.edu,cas-ha02.messiah.edu,cas-ha03.messiah.edu
> # The connection string, assembled
> mongo.uri=mongodb://${mongo.creds}@
> ${mongo.hosts}/${mongo.db}?replicaSet=${mongo.rs}${mongo.opts}
>
> ### Remove default/local users (must be left blank) ###
> cas.authn.accept.users=
>
> ### Service Registry Setup ###
> #cas.serviceRegistry.json.location=file:/etc/cas/services
> #cas.serviceRegistry.initFromJson=true
> cas.serviceRegistry.mongo.databaseName=${mongo.db}
> cas.serviceRegistry.mongo.clientUri=${mongo.uri}
> cas.serviceRegistry.mongo.collection=casServiceRegistry
> cas.serviceRegistry.mongo.replicaSet=${mongo.rs}
> cas.serviceRegistry.mongo.sslEnabled=true
> cas.ticket.registry.mongo.clientUri=${mongo.uri}
>
>
> -- management.properties: --
> cas.server.name=https://cas-ha.messiah.edu
> cas.server.prefix=${cas.server.name}/cas
> mgmt.serverName=${cas.server.name}
> mgmt.userPropertiesFile=file:/etc/cas/config/adminusers.properties
>
> mongo.db=casdb
> mongo.rs=rs0
> mongo.opts==true
> mongo.creds=mongocas:**
> mongo.hosts=cas-ha01.messiah.edu,cas-ha02.messiah.edu,cas-ha03.messiah.edu
> # The connection string, assembled
> mongo.uri=mongodb://${mongo.creds}@
> ${mongo.hosts}/${mongo.db}?replicaSet=${mongo.rs}${mongo.opts}
>
> ### Service Registry Setup ###
> #cas.serviceRegistry.json.location=file:/etc/cas/services
> cas.serviceRegistry.mongo.clientUri=${mongo.uri}
> cas.serviceRegistry.mongo.collection=casServiceRegistry
>
> -- pom.xml (cas server, dependencies): --
> ...
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-webapp${app.server}</artifactId>
>     <version>${cas.version}</version>
>     <type>war</type>
>     <scope>runtime</scope>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-ldap</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-ldap-core</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-webapp-config-security</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-interrupt-core</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-interrupt-api</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-interrupt-webflow</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-rest</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-gauth</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-jdbc-drivers</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-gauth-jpa</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-trusted-mfa</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-trusted-mfa-jdbc</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
> 

Re: [cas-user] Hazelcast-Ticket Registry config

2019-11-07 Thread David Curry
I have not done this with Tomcat 9 / Java 11 or CAS 6.x, but it seems to
me you need to fix this:

07-Nov-2019 05:57:51.789 WARNING [main]
com.hazelcast.instance.HazelcastInstanceFactory.null Hazelcast is starting
in a Java modular environment (Java 9 and newer) but without proper access
to required Java packages. Use additional Java arguments to provide
Hazelcast access to Java internal API. The internal API access is used to
get the best performance results. Arguments to be used:

 --add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED
--add-opens java.base/java.lang=ALL-UNNAMED --add-opens
java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED
--add-opens java.management/sun.management=ALL-UNNAMED --add-opens
jdk.management/com.sun.management.internal=ALL-UNNAMED


Also, are you sure the port 5701 is open in the firewall on both hosts? If
it's not, the Hazelcasts can't talk to each other.

Are the host names you're using to configure the Hazelcast members the
actual names of the hosts that resolve to their direct IP addresses? Or do
they resolve to the load balancer? You want them talking directly to each
other, not through the load balancer (it's an entirely "back end"
conversation that doesn't involve the client).

And see Andy's suggestions, as well.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Nov 7, 2019 at 6:40 AM M.Pedis  wrote:

> Hi Dave ,
>
> Thanks for your reply. I have tested whether it works as you mentioned
> before, but it didn't work. Also I have new errors about other sites. Let me
> briefly explain my env.:
>
> - I have two CAS -- casuno.example.edu.tr and casdos.example.edu.tr -- and
> one virtual ip behind netscaler LB, casnlb.x.edu.tr (they have
> proper DNS A records, they are all in the same subnet/vlan, their ufw is
> disabled -- their OS is Ubuntu 1804);
>
>    - Both have openjdk 11.0.4 2019-07-16 and tomcat 9.0.26, with https:
>    ssl 8443 and http: 8080
>    - Both have nginx; I use them as reverse proxy;
>    casuno.example.edu.tr:8443 redirects to https://casnlb.example.edu.tr
>    (casnlb has a virtual ip behind netscaler LB, and roundrobin tcp 443)
>    - Both have cas-overlay, build.gradle:
>       - compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
>       - compile
>       "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
>       - compile
>       "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${casServerVersion}"
>    - Both have cas-management-overlay, build.gradle (default)
>
>
> *Below my cas.properties ; ( differences between are just crypto keys ! ) *
>
> #
> cas.server.name:https://casnlb..edu.tr
> server.prefix=${server.name}/cas
> logging.config: file:/etc/cas/config/log4j2.xml
> cas.authn.accept.users=
>
> ##TGC-Secure###
> cas.tgc.secure:true
> cas.tgc.crypto.encryption.key:MXXs
>
> cas.tgc.crypto.signing.key:BXXXQ
> cas.webflow.crypto.encryption.key:j==
>
> cas.webflow.crypto.signing.key:MXXXA
>
> ##LDAP#
> cas.authn.ldap[0].type=AUTHENTICATED
>
> cas.authn.ldap[0].principalAttributeList=cn,givenName,userPrincipalName,description
> #cas.authn.ldap[0].bindDn=cn=Users,DC=example,DC=edu,DC=tr
> cas.authn.ldap[0].ldapUrl=ldap://adc.example.edu.tr:389
> #cas.authn.ldap[0].searchFilter=cn={user}
> cas.authn.ldap[0].searchFilter=(userPrincipalName={user})
> cas.authn.ldap[0].bindDn=cn=CAS ldap,cn=users,dc=,dc=edu,dc=tr
> cas.authn.ldap[0].bindCredential=HHHH
> cas.authn.ldap[0].baseDn=OU=Users,DC=x,DC=edu,DC=tr
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].useSsl=false
>
> ##Services##
> cas.serviceRegistry.json.location=file:/etc/cas/services
>
> ##Hazelcast#
> cas.ticket.registry.hazelcast.cluster.members:
> casuno.x.edu.tr,casdos.x.edu.tr
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 1
> cas.ticket.registry.hazelcast.cluster.backupCount:  0
> cas.ticket.registry.hazelcast.cluster.port: 5701
> 

Re: [cas-user] CAS 5.2.4 Endpoint access

2019-10-29 Thread David Curry
At least in CAS 5.[1-3].x, the /status endpoint itself is secured by the IP
address pattern (and nothing else). It's a Java regular expression, so you
can get pretty fancy with it, though. We use something like this:

cas.adminPagesSecurity.ip:
 ^192\\.168\\.(1\\.[0-9]{1,3}|2\\.1[45]|3\\.1[56])$

which permits access from any host on the 192.168.1 subnet, two hosts on
the 192.168.2 subnet (.14 and .15), and two hosts on the 192.168.3 subnet
(.15 and .16).

That's the "IT staff" subnet (.1), and the "inside side" of the load
balancers (the production ones on .2, and the test ones on .3). The load
balancers are there so they can hit /status to check that the server is up
(we use a pool).

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Oct 29, 2019 at 12:29 AM Sam Erie  wrote:

> Thank you very much, that did the trick. Your site is a huge help, very
> nice to have clear examples and explanations. The only thing I am still not
> sure about is how to secure the /status endpoint.
>
> On Fri, Oct 25, 2019 at 3:45 AM David Curry 
> wrote:
>
>> At first blush it looks like your cas.properties property names are
>> wrong; there might be other things too that you didn't happen to quote.
>> Here's a step-by-step for enabling them all, if you find it helpful:
>>
>>
>> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html
>>
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david.cu...@newschool.edu
>>
>>
>> On Fri, Oct 25, 2019 at 1:09 AM Sam Erie  wrote:
>>
>>> I have been struggling to get access to development CAS v5.2.4 status
>>> endpoints. I was unable to get them unsecured and went on to add Spring
>>> Security with master user, who it is correctly validating, but somehow my
>>> IP is still not authorized. Following are relevant properties and logs. I'm
>>> confused by the fact that it should be matching any IP with .+ yet it still
>>> says Unauthorized IP address. Any help would be much appreciated.
>>>
>>>
>>> endpoints.status.enabled=true
>>> endpoints.status.sensitive=false
>>> endpoints.dashboard.enabled=true
>>> endpoints.dashboard.sensitive=false
>>> cas.adminPagesSecurity.ip=.+
>>> security.user.name=admin
>>> security.user.password=admin
>>>
>>>
>>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
>>> - <===
>>> SECURITY ===>
>>>
>>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
>>> - >> https://sanitized/cas/status>
>>>
>>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
>>> - 
>>>
>>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
>>> - 
>>>
>>> 2019-10-23 21:58:11,094 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic]
>>>  - >> #IpClient# | name: IpClient | credentialsExtractor: null | authenticator: 
>>> IpRegexpAuthenticator[.+ ]
>>>
>>>  | profileCreator: 
>>> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599
>>>  | authorizationGenerators: [] |]>
>>>
>>> 2019-10-23 21:58:11,095 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
>>> - 
>>>
>>> 2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
>>> - 
>>>
>>> 2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic]
>>>  - >> #IpClient# | name: IpClient | credentialsExtractor: null | authenticator: 
>>> IpRegexpAuthenticator[.+ ]
>>>
>>>  | profileCreator: 
>>> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599
>>>  | authorizationGenerators: [] |>
>>>
>>> 2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - 
>>> 
>>>
>>> 2019-10-23 21:58:11,126 INFO [org.pac4j.http.client.direct.IpClient] - 
>>> >> 172.21.96.74>
>>>
>>> 2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - 
>>> 
>>>
>>> org.pac4j.core.exception.CredentialsException: Unauthorized IP address: 
>&g

Re: [cas-user] CAS 5.2.4 Endpoint access

2019-10-25 Thread David Curry
At first blush it looks like your cas.properties property names are wrong;
there might be other things too that you didn't happen to quote. Here's a
step-by-step for enabling them all, if you find it helpful:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html


--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Oct 25, 2019 at 1:09 AM Sam Erie  wrote:

> I have been struggling to get access to development CAS v5.2.4 status
> endpoints. I was unable to get them unsecured and went on to add Spring
> Security with master user, who it is correctly validating, but somehow my
> IP is still not authorized. Following are relevant properties and logs. I'm
> confused by the fact that it should be matching any IP with .+ yet it still
> says Unauthorized IP address. Any help would be much appreciated.
>
>
> endpoints.status.enabled=true
> endpoints.status.sensitive=false
> endpoints.dashboard.enabled=true
> endpoints.dashboard.sensitive=false
> cas.adminPagesSecurity.ip=.+
> security.user.name=admin
> security.user.password=admin
>
>
> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
> <===
> SECURITY ===>
>
> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
>  https://sanitized/cas/status>
>
> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
> 
>
> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
> 
> 2019-10-23 21:58:11,094 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic]
>  -  #IpClient# | name: IpClient | credentialsExtractor: null | authenticator: 
> IpRegexpAuthenticator[.+ ]
>
>  | profileCreator: 
> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599
>  | authorizationGenerators: [] |]>
>
> 2019-10-23 21:58:11,095 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
> 
>
> 2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
> 
> 2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic]
>  -  #IpClient# | name: IpClient | credentialsExtractor: null | authenticator: 
> IpRegexpAuthenticator[.+ ]
>
>  | profileCreator: 
> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599
>  | authorizationGenerators: [] |>
>
> 2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - 
> 
>
> 2019-10-23 21:58:11,126 INFO [org.pac4j.http.client.direct.IpClient] - 
>  172.21.96.74>
>
> 2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - 
> 
>
> org.pac4j.core.exception.CredentialsException: Unauthorized IP address: 
> 172.21.96.74
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMM6z%2BLYuO2dihVM96XAKC-EXEJBjMqyYhqau1jHMBwHJ9Bncw%40mail.gmail.com
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAP6HfJqfdVtX2J639vo7XnMHY_vwGaFqyp0Z7OLYqs%3DSA%40mail.gmail.com.


Re: [cas-user] mod_auth_cas and attributes

2019-10-24 Thread David Curry
I stand corrected. Although the AuthNHeader documentation (README) is not
at all clear (to me, anyway) on that.


David A. Curry,  CISSP
Director • Information Security & Privacy
The New School • Information Technology
71 Fifth Ave., 9th Fl., New York, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.


On Thu, Oct 24, 2019, 16:20 David Hawes  wrote:

> On Thu, 24 Oct 2019 at 08:44, David Curry 
> wrote:
> >
> > You should be safe from SAML messes; CASv2 attribute release via SAML
> 1.1 has been around for years and years; much longer than the CAS server's
> support for the SAML2 protocol and acting as an IdP/SP. You don't actually
> have to configure anything at all; just use the other endpoint
> (samlValidate instead of serviceValidate).
>
> Note that you can use /serviceValidate with mod_auth_cas v1.2 if your
> server releases attributes.
>
> > CASAuthnHeader is an on/off attribute. (See the documentation:
> https://github.com/apereo/mod_auth_cas). If you want to change the
> attribute headers to start with something other than "CAS_", that's the
> CASAttributePrefix directive.
>
> CASAuthNHeader specifies the name of a header. It is used like:
>
> CASAuthNHeader username
>



Re: [cas-user] mod_auth_cas and attributes

2019-10-24 Thread David Curry
You should be safe from SAML messes; CASv2 attribute release via SAML 1.1
has been around for years and years; much longer than the CAS
server's support for the SAML2 protocol and acting as an IdP/SP. You don't
actually have to configure anything at all; just use the other endpoint
(samlValidate instead of serviceValidate).

CASSSOEnabled is for supporting CAS Single Sign Out. If you're not using
that, you should not need it. Although leaving it on won't hurt anything,
either. Personally, I have always just left it on, and have never had an
issue.

CASAuthnHeader is an on/off attribute. (See the documentation:
https://github.com/apereo/mod_auth_cas). If you want to change the
attribute headers to start with something other than "CAS_", that's the
CASAttributePrefix directive.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Oct 24, 2019 at 8:27 AM Alberto Cabello Sánchez 
wrote:

> Thank you very much. I'll try later, hoping not to end in a SAML mess, as
> I usually do.
>
> Regarding Apache directives,
>
> * Do I need "CASSSOEnabled On", even if I'm not using SSOut capabilities?
>
> * Is "CASAuthNHeader On" correct? I just did that and ended with a "On"
> header containing only the authenticated username, not what I wanted...
> I thought CASAuthNHeader is not an On/Off directive but it takes a string
> value to set the header name.
>
> Regards.
>
> On Thu, 24 Oct 2019 08:13:18 -0400
> David Curry  wrote:
>
> > In your service registry:
> >
> > {
> >   ...
> >   "attributeReleasePolicy" : {
> >     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
> >   },
> >   ...
> > }
> >
> > In /etc/httpd/conf.d/cas.conf:
> >
> > LoadModule auth_cas_module modules/mod_auth_cas.so
> > <IfModule mod_auth_cas.c>
> > AuthType          CAS
> > CASAuthNHeader    On
> >
> > Require valid-user
> > CASLoginUrl       https://casserver.example.org/cas/login
> > CASValidateUrl    https://casserver.example.org/cas/samlValidate
> > CASCookiePath     /var/cache/httpd/mod_auth_cas/
> > CASValidateSAML   On
> > CASSSOEnabled     On
> > CASDebug          Off
> > </IfModule>
> >
> > Note that CASv2 uses SAML 1.1 to return attributes; hence the use of
> > samlValidate. This is *not* the same thing as configuring the CAS server
> > as a SAML2 IdP and using SAML instead of CAS to authenticate.
> >
> > This will put all your attributes into Apache headers. You can access
> them
> > in various ways; here's a simple PHP example that you can put into
> > /var/www/html/secured-by-cas/index.php or whatever:
> >
> > <html>
> >   <head>
> >     <title>Hello, World!</title>
> >     <link rel="stylesheet"
> >       href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
> >   </head>
> >   <body>
> >     <h1>Secured Content</h1>
> >     <p>This is some secure content. You should not be able to
> >     see it until you have entered your username and password.</p>
> >     <h2>Attributes Returned by CAS</h2>
> >     <?php
> >       // Values are escaped before being echoed into the page.
> >       echo "<pre>";
> >
> >       if (array_key_exists('REMOTE_USER', $_SERVER)) {
> >           echo "REMOTE_USER = " . htmlspecialchars($_SERVER['REMOTE_USER']) . "<br>";
> >       }
> >
> >       // mod_auth_cas passes released attributes as request headers prefixed CAS_.
> >       $headers = getallheaders();
> >       foreach ($headers as $key => $value) {
> >           if (strpos($key, 'CAS_') === 0) {
> >               echo htmlspecialchars(substr($key, 4) . " = " . $value) . "<br>";
> >           }
> >       }
> >
> >       echo "</pre>";
> >     ?>
> >   </body>
> > </html>
> >
> > --Dave
> >
> > --
> >
> > DAVID A. CURRY, CISSP
> > *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> > THE NEW SCHOOL • INFORMATION TECHNOLOGY
> >
> > 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> > +1 646 909-4728 • david.cu...@newschool.edu
> >
> >
> >
> > On Thu, Oct 24, 2019 at 6:26 AM Alberto Cabello Sánchez  >
> > wrote:
> >
> > > Hi,
> > >
> > > I'm trying to get attributes released by CAS through mod_auth_cas and
> CASv2
> > > protocol (not SAML), but I'm not sure how to achieve it.
> > >
> > > I set
> > >
> > > CASAuthNHeader ATTR
> > >
> > > but it just gives the authenticated user, even if succes

Re: [cas-user] mod_auth_cas and attributes

2019-10-24 Thread David Curry
In your service registry:

{
  ...
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  ...
}

In /etc/httpd/conf.d/cas.conf:

LoadModule auth_cas_module modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
AuthType          CAS
CASAuthNHeader    On

Require valid-user
CASLoginUrl       https://casserver.example.org/cas/login
CASValidateUrl    https://casserver.example.org/cas/samlValidate
CASCookiePath     /var/cache/httpd/mod_auth_cas/
CASValidateSAML   On
CASSSOEnabled     On
CASDebug          Off
</IfModule>

Note that CASv2 uses SAML 1.1 to return attributes; hence the use of
samlValidate. This is *not* the same thing as configuring the CAS server as
a SAML2 IdP and using SAML instead of CAS to authenticate.

This will put all your attributes into Apache headers. You can access them
in various ways; here's a simple PHP example that you can put into
/var/www/html/secured-by-cas/index.php or whatever:

<html>
  <head>
    <title>Hello, World!</title>
    <link rel="stylesheet"
      href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
  </head>
  <body>
    <h1>Secured Content</h1>
    <p>This is some secure content. You should not be able to
    see it until you have entered your username and password.</p>
    <h2>Attributes Returned by CAS</h2>
    <?php
      // Values are escaped before being echoed into the page.
      echo "<pre>";

      if (array_key_exists('REMOTE_USER', $_SERVER)) {
          echo "REMOTE_USER = " . htmlspecialchars($_SERVER['REMOTE_USER']) . "<br>";
      }

      // mod_auth_cas passes released attributes as request headers prefixed CAS_.
      $headers = getallheaders();
      foreach ($headers as $key => $value) {
          if (strpos($key, 'CAS_') === 0) {
              echo htmlspecialchars(substr($key, 4) . " = " . $value) . "<br>";
          }
      }

      echo "</pre>";
    ?>
  </body>
</html>


--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu



On Thu, Oct 24, 2019 at 6:26 AM Alberto Cabello Sánchez 
wrote:

> Hi,
>
> I'm trying to get attributes released by CAS through mod_auth_cas and CASv2
> protocol (not SAML), but I'm not sure how to achieve it.
>
> I set
>
> CASAuthNHeader ATTR
>
> but it just gives the authenticated user, even if successful login page
> shows
> correctly the attributes defined in application.properties.
>
> Attribute release policy for that service is
> "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
> },
>
> My validation URL is
>
> CASValidateURL /serviceValidate
>
> I don't know if this is correct. I found another value when using SAML
> validation, but I don't know if I have to change this one for CASv2 (only
> found this information regarding the SAML version).
>
> Thanks in advance,
>
> --
> Alberto Cabello Sánchez
> Servicio de Informática
> Universidad de Extremadura
>



Re: [cas-user] Hazelcast-Ticket Registry config

2019-10-18 Thread David Curry
The way I usually test things, since we have a cluster of CAS servers, is:

   1. Start an incognito/private mode browser so there are no cookies
   2. Log in to Application 1 through CAS
   3. Check the CAS logs to figure out which server handled my login
   4. Shut that CAS server down
   5. Go back to the browser and access another CAS-protected service -- if
   it lets me in without username/password then Hazelcast is at least
   nominally working; if I get prompted again, then something is wrong

The warnings you're seeing are not familiar to me but seem to suggest
something's wrong with your Java configuration. But since they're warnings
and not errors, things should(?) still work.

Did you remember to open the firewall on the CAS servers to let them
communicate with each other over port 5701/udp and 5701/tcp?

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Oct 18, 2019 at 9:49 AM M.Pedis  wrote:

> Hi Dave ,
>
> Thanks for your reply. I have configured my env. as you say and it works.
> But I have some warning messages; I don't know how to get rid of them. One
> more thing: how can I test whether it works properly or not? It seems everything
> is ok, but how can I test hazelcast? I don't know how hazelcast replicates
> tickets and how I can verify each node has the same ticket. Simply, I want
> to test it by stopping one of the cas nodes' tomcat service, then refreshing
> the browser, but the other node couldn't send any reply; my session had ended and
> it forced me to log in to the active node again. Could you or someone please help
> me with that? Thank you.
>
>
>
> --
>
> 2019-10-16 09:19:50,525 INFO
> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
> -  [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
> 2019-10-16 09:19:50,595 INFO
> [org.apereo.cas.web.CasWebApplicationServletInitializer] -  profiles are active: standalone>
> 2019-10-16 09:19:56,393 INFO
> [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] -
> 
> 2019-10-16 09:19:56,401 INFO [org.apereo.cas.util.io.PathWatcherService] -
> 
> 2019-10-16 09:19:58,088 INFO
> [org.apereo.cas.config.LdapAuthenticationConfiguration] -  authentication for [LdapAuthenticationHandler]>
>
>
> 16-Oct-2019 09:19:58.727 WARNING [main]
> com.hazelcast.instance.HazelcastInstanceFactory.null Hazelcast is starting
> in a Java modular environment (Java 9 and newer) but without proper access
> to required Java packages. Use additional Java arguments to provide
> Hazelcast access to Java internal API. The internal API access is used to
> get the best performance results. Arguments to be used:
>  --add-modules java.se --add-exports
> java.base/jdk.internal.ref=ALL-UNNAMED --add-opens
> java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED
> --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens
> java.management/sun.management=ALL-UNNAMED --add-opens
> jdk.management/com.sun.management.internal=ALL-UNNAMED
> 2019-10-16 09:19:58,818 WARN [com.hazelcast.instance.AddressPicker] -
> <[LOCAL] [dev] [3.12.3] You configured your member address as host name.
> Please be aware of that your dns can be spoofed. Make sure that your dns
> configurations are correct.>
> 2019-10-16 09:19:58,819 WARN [com.hazelcast.instance.AddressPicker] -
> <[LOCAL] [dev] [3.12.3] You configured your member address as host name.
> Please be aware of that your dns can be spoofed. Make sure that your dns
> configurations are correct.>
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> com.hazelcast.internal.networking.nio.SelectorOptimizer
> (file:/opt/tomcat/webapps/cas/WEB-INF/lib/hazelcast-3.12.3.jar) to field
> sun.nio.ch.SelectorImpl.selectedKeys
> WARNING: Please consider reporting this to the maintainers of
> com.hazelcast.internal.networking.nio.SelectorOptimizer
> WARNING: Use --illegal-access=warn to enable warnings of further illegal
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> 2019-10-16 09:20:09,517 INFO
> [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration]
> - <
>
> Using generated security password: 2ab6b74e-418b-4915-8094-82415aa231ca
> >
> 2019-10-16 09:20:09,672 INFO
> [org.springframework.security.web.access.channel.ChannelProcessingFilter] -
> 
> 2019-10-16 09:20:09,691 INFO
> [org.springframework.security.web.DefaultSecurityFilterChain] -  filter chain: any request,
> [org.springframework.security.web.access.channel.ChannelProcessingFilter@db39fa0,
> 

Re: [cas-user] Hazelcast-Ticket Registry config

2019-10-15 Thread David Curry
Your properties should be named cas.ticket.registry.hazelcast.cluster.*, not
cas.cluster.*. See here:

https://apereo.github.io/cas/development/configuration/Configuration-Properties.html#hazelcast-ticket-registry


For example, this is what we're using in our  three-server development
environment:

cas.ticket.registry.hazelcast.cluster.members: casdev-srv01.newschool.edu,casdev-srv02.newschool.edu,casdev-srv03.newschool.edu
cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 2
cas.ticket.registry.hazelcast.cluster.backupCount: 0
cas.ticket.registry.hazelcast.cluster.port: 5701
cas.ticket.registry.hazelcast.cluster.portAutoIncrement: false
cas.ticket.registry.hazelcast.crypto.encryption.key: feAISBU5AVTKxx==
cas.ticket.registry.hazelcast.crypto.signing.key: EHdmT_MXYLTeOakllY2VAHuhPdQxtTA3s8TUL9nY5RqcvA
cas.ticket.registry.hazelcast.crypto.enabled: true

Our five-server production environment is exactly the same, except the list
of servers has 5 hosts in it and asyncBackupCount=4 (it should always be
N-1). And of course, different crypto keys.

For initial testing, you can skip the crypto stuff
(cas.ticket.registry.crypto.*); it's optional (but recommended for production).

The above is for CAS 5.2.x, but the settings should be the same for CAS
5.3.x and CAS 6.x.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Oct 15, 2019 at 7:44 AM M.Pedis  wrote:

>   Hi Everyone ,
>
> I have two nodes of CAS server. They have LDAP auth method. Separately
> they work well. (For both, I am able to log in with our active directory
> accounts and cas-management sites also work properly.) I just want to
> put these two nodes behind an HA cluster. I added the hazelcast-ticket-registry
> dependency but could not configure it well. Could anyone share with me or help
> me with the configuration of hazelcast? What should be in cas.properties?
>
> I just added that config as shown below but it did not work. Could anyone
> help? Thanks.
>
> -
> #For node1
> #cas.cluster.members=cas01,cas02
> #cas.cluster.instanceName=cas01..edu
> #cas.cluster.port=5701
>
> #For node2
> #cas.cluster.members=cas01,cas02
> #cas.cluster.instanceName=cas02..edu
> #cas.cluster.port=5701
>
>
>
>



Re: [cas-user] Debugging - saving (temporarily) full CAS XML response

2019-10-01 Thread David Curry
I got this solution from Misagh way back when:

   1. Install the SAML Chrome Panel extension in your Chrome browser.
   2. Go to your application (or the CAS login screen if it redirects you
   there).
   3. Right-click and select "Inspect" to open the Chrome developer console
   and click on the "SAML" tab (SAML Chrome Panel)
   4. Log in as normal

All the SAML back-and-forth will be there. Note that SAML Chrome Panel
doesn't resize itself with the developer console, so look for the scroll
bar to see all of the SAML response (I forget this every time).

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Oct 1, 2019 at 12:28 PM Paul Chauvet  wrote:

> Hi all,
>
> I’m trying to troubleshoot an issue with an external vendor using our CAS
> server to authenticate our users.  I’m doing attribute release the same way
> as I’ve done for a ton of other services, but this vendor is claiming they
> are not receiving the attribute we’re sending over (the Banner SPRIDEN
> ID).  The vendor is saying the attribute is not in the response.  They
> *appear* to be doing a CAS version 3 serviceValidate (based on the get
> request to /cas/p3/serviceValidate?service=https%3A%2F%2Fiss.newpaltz.edu
> =REDACTED).
>
>
>
> What I’m wondering is if there’s a way to (temporarily) capture/log the
> XML response that is being sent back to the CAS client (the vendor)?  I
> have debug mode enabled, which is giving me information like the following,
> but not the actual response.
>
>
>
> We’re using CAS 5.2.9 (we have our test environment upgraded to 5.3.12.1 –
> with plans on doing the same in production in the coming weeks in case
> there’s a 5.3 way of doing this).
>
>
>
> Thanks in advance for any guidance or advice on this!
>
>
>
>
>
>
>
> Paul Chauvet, CISSP
>
> Information Security Officer
>
> State University of New York at New Paltz
>
> 845-257-3828
>
> chauv...@newpaltz.edu
>
>
>
>

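
Once a copy of the XML response has been captured, checking whether a given attribute is really in it does not need the vendor's cooperation. As an added example (not code from this thread or from the CAS project), here is a Python parser for the CAS 3.0 serviceResponse document that /p3/serviceValidate returns; it lists the released attributes, handles the failure form of the response, and reports which expected attribute names are absent. The two sample responses are constructed, including the attribute names and the `ST-EXAMPLE` ticket placeholder.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a CAS 3.0 /p3/serviceValidate success response with attributes.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>it</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a failure response (ticket already consumed or expired).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-EXAMPLE not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_service_response(xml_text: str) -> dict:
    """Parse a CAS serviceResponse into a plain dict.

    Success: {"ok": True, "user": ..., "attributes": {name: [values...]}}.
    Failure: {"ok": False, "code": ..., "message": ...}.
    Multi-valued attributes (memberOf above) are kept as lists.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS serviceResponse document: %s" % root.tag)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        if failure is None:
            raise ValueError("neither authenticationSuccess nor authenticationFailure present")
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    attrs = {}
    attributes = success.find("cas:attributes", CAS_NS)
    if attributes is not None:
        for child in attributes:
            name = child.tag.split("}", 1)[-1]   # drop the namespace prefix
            attrs.setdefault(name, []).append((child.text or "").strip())
    return {"ok": True,
            "user": (success.findtext("cas:user", namespaces=CAS_NS) or "").strip(),
            "attributes": attrs}


def missing_attributes(parsed: dict, required) -> list:
    """Names the client expects that the server did not release."""
    present = parsed.get("attributes", {})
    return [name for name in required if name not in present]


if __name__ == "__main__":
    result = parse_service_response(SAMPLE_SUCCESS)
    print(result["user"], result["attributes"])
    # "bannerId" is a constructed placeholder for whatever attribute the client expects.
    print("missing:", missing_attributes(result, ["mail", "bannerId"]))
    print(parse_service_response(SAMPLE_FAILURE))
```

Point it at a captured response and compare the listed names against what the service's attribute release policy should produce; a failure block with INVALID_TICKET usually means the ticket had already been consumed, since service tickets are single-use.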


[cas-user] Re: [cas-dev] Re: Release Announcement: CAS Security Patches

2019-10-01 Thread David Curry
But Jim's original question remains: why was 5.2.x suddenly removed from
the support list 6 days ago when it was originally not scheduled to hit EOL
until November 27th?

If there's no way to fix it and an upgrade is required, then say that. But
just removing it from the list of supported releases 60 days before its
support is scheduled to end, with no notice and no explanation, is not
helpful.


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Oct 1, 2019 at 9:55 AM Riley Wills  wrote:

> This thread doesn't appear to relate to the current vulnerability. A CVE
> does exist at https://www.cvedetails.com/cve/CVE-2019-10754/ which might
> help answer some questions. Seems like the path forward for 5.2.x
> deployments is to upgrade to 5.3.12.1 or a newer version.
>
> On Tuesday, October 1, 2019 at 8:49:37 AM UTC-5, Jim Mulvey wrote:
>>
>> Hi David, based on this thread:
>> https://groups.google.com/a/apereo.org/forum/#!topic/cas-appsec-public/zXqxDN9rB8A
>> I believe the solution for those on the 5.2 branch is to upgrade to 5.2.7
>> Also, that thread suggests that if you're using an alternative MFA
>> solution (we're using Duo) then we're unaffected.
>>
>> I'm not the authority on this, but that's what I'm piecing together.
>> - Jim
>>
>> On Tuesday, October 1, 2019 at 9:24:11 AM UTC-4, David Curry wrote:
>>>
>>> Bump. We have the same questions that Jim asked...
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 646 909-4728 • david...@newschool.edu
>>>
>>>
>>> On Mon, Sep 30, 2019 at 11:16 AM Jim Mulvey  wrote:
>>>
>>>> Hello, I see that CAS 5.2.x was removed from the Maintenance Policy (and
>>>> thus considered EOL) 5 days ago, although it was previously set to go EOL
>>>> on November 27th, 2019.
>>>> What does this vulnerability mean to those of us running 5.2.x ? Are we
>>>> advised to upgrade to 5.3.x immediately? Why did support for 5.2.x end so
>>>> abruptly?
>>>>
>>>> On Monday, September 30, 2019 at 5:29:43 AM UTC-4, Misagh Moayyed wrote:
>>>>>
>>>>> Please see https://apereo.github.io/2019/09/27/numvulndisc/
>>>>> --
>>>>> *- Misagh*
>>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Developer" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to cas...@apereo.org.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-dev/132ff915-c774-4eb6-a04c-a0cc1767b72d%40apereo.org
>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-dev/132ff915-c774-4eb6-a04c-a0cc1767b72d%40apereo.org?utm_medium=email_source=footer>
>>>> .
>>>>



[cas-user] Re: [cas-dev] Re: Release Announcement: CAS Security Patches

2019-10-01 Thread David Curry
Bump. We have the same questions that Jim asked...

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Mon, Sep 30, 2019 at 11:16 AM Jim Mulvey  wrote:

> Hello, I see that CAS 5.2.x was removed from the Maintenance Policy (and
> thus considered EOL) 5 days ago, although it was previously set to go EOL
> on November 27th, 2019.
> What does this vulnerability mean to those of us running 5.2.x ? Are we
> advised to upgrade to 5.3.x immediately? Why did support for 5.2.x end so
> abruptly?
>
> On Monday, September 30, 2019 at 5:29:43 AM UTC-4, Misagh Moayyed wrote:
>>
>> Please see https://apereo.github.io/2019/09/27/numvulndisc/
>> --
>> *- Misagh*
>>



Re: [cas-user] Cas Cookie

2019-09-20 Thread David Curry
No, you can't put a timeout on it. That's not how session cookies work.
Again, if you want an application to stay logged in across browser
invocations, that is the application's responsibility.

I do not understand what you mean by "the application will register how the
user reads from the cas's database." Users and applications do not read
from CAS' database(s).

But if you log in directly to the CAS UI by going to
https://casserver/cas/login that's fine; once you're logged in just open
the application you want in the same invocation of the browser -- the same
window, a new window, a new tab, whatever.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Sep 20, 2019 at 8:42 AM merve ceylan  wrote:

> Hi,
>
> The application will register how the user reads from the cas's database.
> After logging into the cas application with casuser without connecting the
> application, I close the browser and it is automatically logout. Is this
> Cas's working mechanism? Can't we put a timeout for that?
>
> Thanks,
>
> 20 Eylül 2019 Cuma 14:46:15 UTC+3 tarihinde David Curry yazdı:
>>
>> That's how it's supposed to work. The CAS cookies are session cookies.
>> When you end the session (close your browser), the cookies are deleted.
>>
>> Managing application sessions is outside of CAS' scope. If an application
>> wants to stay logged in across browser sessions, then that application
>> should have its own cookie to do that. Lots of applications do that if you
>> check some sort of "stay logged in" box -- Google, Facebook, Twitter, etc.
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Fri, Sep 20, 2019 at 2:25 AM merve ceylan  wrote:
>>
>>> Hello,
>>>
>>> After logging in with cas, when I close the browser and open it again,
>>> it becomes a logout and the login screen appears again. Session closes and
>>> the cookie is deleted. What should I do to avoid logout when I close the
>>> browser?
>>>
>>> Thanks,
>>>



Re: [cas-user] Cas Cookie

2019-09-20 Thread David Curry
That's how it's supposed to work. The CAS cookies are session cookies. When
you end the session (close your browser), the cookies are deleted.

Managing application sessions is outside of CAS' scope. If an application
wants to stay logged in across browser sessions, then that application
should have its own cookie to do that. Lots of applications do that if you
check some sort of "stay logged in" box -- Google, Facebook, Twitter, etc.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Sep 20, 2019 at 2:25 AM merve ceylan  wrote:

> Hello,
>
> After logging in with cas, when I close the browser and open it again, it
> becomes a logout and the login screen appears again. Session closes and the
> cookie is deleted. What should I do to avoid logout when I close the
> browser?
>
> Thanks,
>



Re: [cas-user] CAS 5.1.1. EhCacheTicketRegistry problem.

2019-09-03 Thread David Curry
We had a similar problem when using MongoDB as our ticket cache.

We were able to alleviate it temporarily using the solution Ray suggests,
of making one of the CAS servers primary on the load balancer. But we
didn't like that as a long-term answer.

Once we were able to, we replaced MongoDB with Hazelcast for the ticket
registry and haven't had a single problem since. We still use MongoDB for
the service registry, though.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Sep 3, 2019 at 2:21 PM Ray Bon  wrote:

> Filip,
>
> Ehcache is rather slow at storing/distributing tickets. If validation is
> done on a different server than where ticket was created, CAS will think ST
> is invalid.
>
> You could set your CAS servers to be primary/secondary rather than round
> robin on your load balancer or switch to a different cache system.
>
> Ray
>
> On Fri, 2019-08-30 at 07:22 -0700, Filip Majernik wrote:
>
> Hello,
> I am using the EhCacheTicketRegistry, within an instance of CAS 5.1.1. Our
> performance tests of the application showed, that about a 50% of our log-in
> request fail. The reason for that is that sometimes the service ticket is
> not found in the ticket registry, although it has been successfully
> generated and put there (I can see it in the logs). I have managed to
> reproduce this behavior even manually with two browsers. If I login quickly
> from two separate sessions, sometimes the second login attempt fails on the
> validation of a service ticket. If I do not use the EhCacheTicketRegistry,
> this issue disappears. Is there maybe some configuration which I am
> missing?
>
> Thx, Filip.
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>

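The failure Filip describes and the primary/secondary workaround Ray suggests, as an added example that is not CAS code and not from any poster: a Python model of two CAS nodes behind a load balancer whose ticket registries replicate with a delay, so a service ticket issued on one node is "not found" when the balancer routes the validation call to the other node before replication catches up. The node names, the service URL and the ticket id format are constructed placeholders.

```python
"""Model of the service-ticket (ST) validation race discussed in this thread.

Added example, not CAS code and not from any poster. Two CAS nodes sit behind a
load balancer; each has its own ticket registry, and writes reach the peer only
after a replication delay (an EhCache-style replicated cache). An ST is issued
by the node that handled the login but validated by whichever node the balancer
picks next; if that is the peer and replication has not caught up, the ST is
"not found" and validation fails although it was issued correctly.
"""
from dataclasses import dataclass, field
import secrets

SERVICE = "https://app.example.edu/login"   # constructed service URL


@dataclass
class Node:
    name: str
    registry: dict = field(default_factory=dict)   # ticket id -> service URL


class Cluster:
    """Two CAS nodes whose ticket registries replicate asynchronously."""

    def __init__(self, replication_delay: int):
        self.nodes = [Node("cas-a"), Node("cas-b")]   # constructed node names
        self.delay = replication_delay   # ticks until a write is visible on the peer
        self.clock = 0
        self.pending = []   # (deliver_at, op, ticket_id, service, origin)
        self.log = []       # what each node would write to its own log

    def advance(self, ticks: int) -> None:
        """Move time forward and apply the replication events now due."""
        self.clock += ticks
        due = [p for p in self.pending if p[0] <= self.clock]
        self.pending = [p for p in self.pending if p[0] > self.clock]
        for _, op, ticket_id, service, origin in due:
            for node in self.nodes:
                if node is origin:
                    continue
                if op == "put":
                    node.registry[ticket_id] = service
                else:   # "delete": the ST was consumed on the other node
                    node.registry.pop(ticket_id, None)

    def _replicate(self, op: str, ticket_id: str, service: str, origin: Node) -> None:
        self.pending.append((self.clock + self.delay, op, ticket_id, service, origin))

    def issue_st(self, node: Node, service: str) -> str:
        """Login handled by `node`: store the ST locally, replicate it later."""
        ticket_id = "ST-" + secrets.token_hex(4)   # placeholder id, not CAS's format
        node.registry[ticket_id] = service
        self._replicate("put", ticket_id, service, node)
        return ticket_id

    def validate_st(self, node: Node, ticket_id: str, service: str) -> bool:
        """/serviceValidate handled by `node`: the ST must be in *its* registry."""
        stored = node.registry.pop(ticket_id, None)   # STs are single use
        if stored is None or stored != service:
            self.log.append(f"{node.name}: INVALID_TICKET {ticket_id} (missing here or service mismatch)")
            return False
        self._replicate("delete", ticket_id, service, node)
        self.log.append(f"{node.name}: validated {ticket_id}")
        return True


def round_robin(nodes):
    """Balancer policy: alternate between the nodes on every request."""
    i = 0
    while True:
        yield nodes[i % len(nodes)]
        i += 1


def primary_secondary(nodes):
    """Balancer policy: always the primary (Ray's workaround), secondary idle."""
    while True:
        yield nodes[0]


def run_logins(policy, logins: int, replication_delay: int, client_latency: int) -> dict:
    """Simulate `logins` sign-ins. Each one is a login request (which issues the
    ST) and, `client_latency` ticks later, the application's /serviceValidate
    call; the balancer routes the two requests independently per `policy`."""
    cluster = Cluster(replication_delay)
    pick = policy(cluster.nodes)
    ok = failed = 0
    for _ in range(logins):
        ticket = cluster.issue_st(next(pick), SERVICE)
        cluster.advance(client_latency)
        if cluster.validate_st(next(pick), ticket, SERVICE):
            ok += 1
        else:
            failed += 1
    return {"ok": ok, "failed": failed, "log": cluster.log}
```

`run_logins(round_robin, 10, 3, 1)` (replication slower than the client's redirect) fails every login with INVALID_TICKET on the peer node, while `run_logins(round_robin, 10, 3, 5)` and `run_logins(primary_secondary, 10, 3, 1)` succeed for all ten; the log entries show which node rejected which ticket, which is the pattern to look for in real CAS logs.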


Re: [cas-user] Re: Connection refused / Your account is forbidden to login at this thime

2019-08-30 Thread David Curry
ON: CAS
> WHEN: Fri Aug 30 13:50:37 CEST 2019
> CLIENT IP ADDRESS: 172.16.9.25
> SERVER IP ADDRESS: 192.168.200.11
> =
>
>
> 2019-08-30 13:52:12,289 ERROR [org.jasig.cas.client.util.CommonUtils] -
> Error getting response from host: [ssp.emd-management.fr] with path:
> [/cas/p3/serviceValidate] and protocol: [https] Error Message: Connection
> refused (Connection refused)
>
>
> Le vendredi 30 août 2019 13:49:04 UTC+2, Samuel GARÇON a écrit :
>>
>> Hello David,
>>
>> The CAS Dashboard and the CAS Management are running on the same host.
>> The DNS is pointing at the CAS server:
>>
>> C:\Users\Samuel.GARCON>nslookup ssp.emd-management.fr
>> Server:  w-app-1.emd-management.fr
>> Address:  172.16.17.3
>>
>> Name:ssp.emd-management.fr
>> Address:  192.168.200.11
>>
>> root@L-APP-2:/etc/cas/config# ifconfig
>> ens192: flags=4163  mtu 1500
>> inet 192.168.200.11  netmask 255.255.255.0  broadcast
>> 192.168.200.255
>> inet6 fe80::250:56ff:fe95:689b  prefixlen 64  scopeid 0x20
>> ether 00:50:56:95:68:9b  txqueuelen 1000  (Ethernet)
>> RX packets 151921  bytes 27672266 (26.3 MiB)
>> RX errors 0  dropped 19  overruns 0  frame 0
>> TX packets 134584  bytes 171085379 (163.1 MiB)
>> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>> Thanks,
>>
>> Sam
>>
>> Le vendredi 30 août 2019 13:38:31 UTC+2, David Curry a écrit :
>>>
>>> Are the CAS dashboard and CAS management server running on the same
>>> host? Is your DNS doing the wrong thing and you're connecting to localhost
>>> (127.0.0.1) instead of the interface where Tomcat is listening?
>>>
>>> I would turn on some logging or tracing and verify that the IP/port your
>>> client is connecting to is the same one where the server is listening.
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 646 909-4728 • david...@newschool.edu
>>>
>>>
>>> On Fri, Aug 30, 2019 at 7:30 AM Samuel GARÇON 
>>> wrote:
>>>
>>>> Hi Matthew,
>>>>
>>>> SSL cert used is valid until 21-Oct-20.
>>>> There is a firewall between the server and the client, but nothing is
>>>> blocked, and some services (CAS/SAML) are working.
>>>>
>>>> When I'm testing from the CAS dashboard or from the cas-management web
>>>> apps the connection is refused.
>>>> But if I'm testing from WordPress using CAS, it's working.
>>>>
>>>> - G Suite (SAML via SAML SP Integration) OK
>>>> - WordPress Auth (CAS) OK
>>>> - SalesForce (SAML via SAML SP Integration) NOK
>>>> - CAS Admin Dashboard (CAS) NOK
>>>> - CAS Management Web (CAS) NOK
>>>>
>>>> I'm using CAS 5.3.11.
>>>>
>>>> Thanks for your help,
>>>>
>>>> Sam
>>>>
>>>> Le vendredi 30 août 2019 12:46:31 UTC+2, Matthew Uribe a écrit :
>>>>>
>>>>> Just my initial thoughts: is there an expired SSL cert or a closed
>>>>> port in a firewall? The connection refused seems to indicate something
>>>>> possibly along those lines.
>>>>>
>>>>> On Fri, Aug 30, 2019, 3:23 AM Samuel GARÇON 
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm sorry to post again, but I really need some help.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Sam
>>>>>>
>>>>>> Le jeudi 29 août 2019 18:11:25 UTC+2, Samuel GARÇON a écrit :
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> After some extensive debugging, some services are working:
>>>>>>>
>>>>>>> - G Suite (SAML via SAML SP Integration) OK
>>>>>>> - WordPress Auth (CAS) OK
>>>>>>> - SalesForce (SAML via SAML SP Integration) NOK
>>>>>>> - CAS Admin Dashboard (CAS) NOK
>>>>>>>
>>>>>>> The problem seems to be located on the service validate side:
>>>>>>>
>>>>>>> 2019-08-29 18:08:5

Re: [cas-user] Re: Connection refused / Your account is forbidden to login at this thime

2019-08-30 Thread David Curry
Are the CAS dashboard and CAS management server running on the same host?
Is your DNS doing the wrong thing and you're connecting to localhost
(127.0.0.1) instead of the interface where Tomcat is listening?

I would turn on some logging or tracing and verify that the IP/port your
client is connecting to is the same one where the server is listening.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Aug 30, 2019 at 7:30 AM Samuel GARÇON 
wrote:

> Hi Matthew,
>
> SSL cert used is valid until 21-Oct-20.
> There is a firewall between the server and the client, but nothing is
> blocked, and some services (CAS/SAML) are working.
>
> When I'm testing from the CAS dashboard or from the cas-management web apps
> the connection is refused.
> But if I'm testing from WordPress using CAS, it's working.
>
> - G Suite (SAML via SAML SP Integration) OK
> - WordPress Auth (CAS) OK
> - SalesForce (SAML via SAML SP Integration) NOK
> - CAS Admin Dashboard (CAS) NOK
> - CAS Management Web (CAS) NOK
>
> I'm using CAS 5.3.11.
>
> Thanks for your help,
>
> Sam
>
> Le vendredi 30 août 2019 12:46:31 UTC+2, Matthew Uribe a écrit :
>>
>> Just my initial thoughts: is there an expired SSL cert or a closed port
>> in a firewall? The connection refused seems to indicate something possibly
>> along those lines.
>>
>> On Fri, Aug 30, 2019, 3:23 AM Samuel GARÇON  wrote:
>>
>>> Hi,
>>>
>>> I'm sorry to post again, but I really need some help.
>>>
>>> Thanks,
>>>
>>> Sam
>>>
>>> Le jeudi 29 août 2019 18:11:25 UTC+2, Samuel GARÇON a écrit :

 Hi,

 After some extensive debugging, some services are working:

 - G Suite (SAML via SAML SP Integration) OK
 - WordPress Auth (CAS) OK
 - SalesForce (SAML via SAML SP Integration) NOK
 - CAS Admin Dashboard (CAS) NOK

 The problem seems to be located on the service validate side:

 2019-08-29 18:08:50,183 ERROR [org.jasig.cas.client.util.CommonUtils] -
 >>> ]
 with path: [/cas/p3/serviceValidate] and protocol: [https] Error Message:
 Connection refused (Connection refused)>


 Thanks for your help.

 Sam


 Le jeudi 29 août 2019 14:11:02 UTC+2, Samuel GARÇON a écrit :
>
> This issue is very problematic for me.
>
> So please find below more information about my configuration
>
> - Directory used : AD
> - No logon_hour are configured
>
> Thanks for your help :)
>
> Sam
>
> Le jeudi 29 août 2019 09:51:21 UTC+2, Samuel GARÇON a écrit :
>>
>> Hi,
>>
>> After rebooting my CAS server, I can't access services.
>>
>> Authentication seems to be OK, but ticket granting seems to fail:
>>
>> Error: java.net.ConnectException: Connection refused (Connection refused)
>>
>>
>> Your account is forbidden to login at this thime (web browser header)
>>
>> Any ideas?
>>
>> Thanks,
>>

Re: [cas-user] Custom casLoginView - problem calculating URLs

2019-08-20 Thread David Curry
The cas.server.name and cas.server.prefix shouldn't matter for this.
Basically cas.server.name is the URL of your server, and cas.server.prefix
includes that plus the application prefix in the J2EE container. Like this:

cas.server.name: https://casserver.yourdomain.com
cas.server.prefix:   ${cas.server.name}/cas

cas.server.name can include ports or whatever, like:

cas.server.name: https://casserver.yourdomain.com:8443

As for customizing the UI, you might find this helpful:

https://dacurry-tns.github.io/deploying-apereo-cas/ui_overview.html

That's the "top" page... see the menu on the left of the page for the
following sections. It's written for 5.2.x, but should be pretty much the
same for 5.3.x.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Aug 20, 2019 at 12:37 PM Pedro Rosas 
wrote:

> Hi David,
>
> Changing it to ~{cas-overlay/layout} makes it return a 500 internal error:
>
> Error resolving template "cas-overlay/layout", template might not exist or
> might not be accessible by any of the configured Template Resolvers.
>
>
> Could this be related to the cas.server.name and cas.server.prefix
> properties?
> I tried several combinations on this, but none were successful.
>
> I still did not understand the role of these 2 properties...
>
> Thanks.
>   Pedro Rosas
>
>
>
> On Tuesday, August 20, 2019 at 5:11:14 PM UTC+1, David Curry wrote:
>>
>> It's been a while since I messed with this stuff, but did you remember to
>> update your custom casLoginView.html to use your custom layout.html by
>> changing the layout:decorate attribute of the html tag from ~{layout} to
>> ~{cas-overlay/layout}?
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Tue, Aug 20, 2019 at 11:58 AM Pedro Rosas  wrote:
>>
>>> Hi all,
>>>
>>> I'm facing a weird issue on the URL calculation.
>>> I get different outputs for the same inputs...
>>>
>>> On my custom "casLoginView.html" I have the following image:
>>>
>>> **
>>>
>>>
>>> *On runtime this is replaced by:*
>>>
>>> *   -- This path
>>> doesn't exist... The correct one should be
>>> "/prefix/cas-overlay/themes/"*
>>>
>>> -
>>>
>>> But... On my custom "layout.html" I also have an image:
>>>
>>> 
>>>
>>> *But this one gets replaced by:*
>>>
>>> *   --
>>> The double '//' is a bad thing... but this version works correctly and gets
>>> the correct prefix **"/prefix/cas-overlay/themes/"*
>>>
>>> *-*
>>>
>>> Do you guys have any idea why the URL replacement logic is different?
>>> Why is the first one missing the "/cas-overlay" prefix?
>>>
>>>
>>> Thanks in advance.
>>> Best Regards,
>>>   Pedro Rosas
>>>



Re: [cas-user] Custom casLoginView - problem calculating URLs

2019-08-20 Thread David Curry
It's been a while since I messed with this stuff, but did you remember to
update your custom casLoginView.html to use your custom layout.html by
changing the layout:decorate attribute of the html tag from ~{layout} to
~{cas-overlay/layout}?

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Aug 20, 2019 at 11:58 AM Pedro Rosas 
wrote:

> Hi all,
>
> I'm facing a weird issue on the URL calculation.
> I get different outputs for the same inputs...
>
> On my custom "casLoginView.html" I have the following image:
>
> **
>
>
> *On runtime this is replaced by:*
>
> *   -- This path doesn't
> exist... The correct one should be "/prefix/cas-overlay/themes/"*
>
> -
>
> But... On my custom "layout.html" I also have an image:
>
> 
>
> *But this one gets replaced by:*
>
> *   -- The
> double '//' is a bad thing... but this version works correctly and gets the
> correct prefix **"/prefix/cas-overlay/themes/"*
>
> *-*
>
> Do you guys have any idea why the URL replacement logic is different?
> Why is the first one missing the "/cas-overlay" prefix?
>
>
> Thanks in advance.
> Best Regards,
>   Pedro Rosas
>



Re: [cas-user] CAS 3.5.x CPU utilization problem

2019-07-29 Thread David Curry
At the moment we're using Tomcat 8.5.x and Java 1.8.x (OpenJDK).

I don't have Tomcat settings like the ones you show (property file style),
because I use an external Tomcat and it's configured with XML files. The
settings are the same as what's documented here:

https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_overview.html


The only performance-related changes there would be enabling resource
caching, enabling asynchronous requests (I don't believe CAS will work
without this), and making sure that asynchronous logging is enabled.

The SSL configuration does enable a better-performing SSL library, but I
can't imagine that your problem lies there. (My reasons for enabling it
were less for performance reasons and more for better support of newer
ciphers, etc.)


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Mon, Jul 29, 2019 at 7:33 AM abdelrahman halawa <
abdelrahmanhal...@gmail.com> wrote:

> Hi david.curry,
> How are you? Could you tell me the Tomcat version you use?
> Also, if you don't mind, reply to the previous email
>
>
> On Sun, Jul 28, 2019 at 6:36 PM abdelrahman halawa <
> abdelrahmanhal...@gmail.com> wrote:
>
>> Nice, I will try your JVM settings.
>> By the way, the CPU reaches about 100% only with Java (CAS).
>> Here my Tomcat configuration:
>>
>> server.max-http-header-size=2097152
>> server.use-forward-headers=true
>> server.connection-timeout=2
>> server.error.include-stacktrace=NEVER
>> server.compression.enabled=true
>>
>> server.compression.mime-types=application/javascript,application/json,application/xml,text/html,text/xml,text/plain
>> server.tomcat.max-http-post-size=2097152
>> server.tomcat.min-spare-threads=20
>> server.tomcat.max-threads=200
>> server.tomcat.accept-count=1024
>> server.tomcat.max-connections=1
>> server.tomcat.port-header=X-Forwarded-Port
>> server.tomcat.protocol-header=X-Forwarded-Proto
>> server.tomcat.protocol-header-https-value=https
>> server.tomcat.remote-ip-header=X-FORWARDED-FOR
>> server.tomcat.uri-encoding=UTF-8
>>
>> Could you share your Tomcat configuration with me?
>> I want to check if the CPU issue is related to Tomcat misconfiguration or not
>>
>>
>> On Sun, Jul 28, 2019 at 5:47 PM David Curry 
>> wrote:
>>
>>> Well, I'm not too knowledgeable about Windows Server, but that seems
>>> reasonable. Is the server in general at 90% CPU, or is it the actual Java
>>> process that's at 90%?
>>>
>>> I don't run the embedded server so don't know its defaults -- What's the
>>> Java heap size limited to? Should be less than the physical memory. What
>>> garbage collector is it using? On our 4-core 16GB Linux servers we run this:
>>>
>>> jsvc.exec -Dcatalina.home=/opt/tomcat/latest
>>> -Dcatalina.base=/opt/tomcat/latest -Djava.awt.headless=true
>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>>> -Djava.util.logging.config.file=/opt/tomcat/latest/conf/logging.properties
>>> -cp
>>> /opt/tomcat/latest/bin/commons-daemon.jar:/opt/tomcat/latest/bin/bootstrap.jar:/opt/tomcat/latest/bin/tomcat-juli.jar
>>> -pidfile /var/run/tomcat.pid -java-home /usr/lib/jvm/java-openjdk -user
>>> tomcat -Xms512M -Xmx8192M -XX:+DisableExplicitGC
>>> -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:MaxGCPauseMillis=500
>>> -server org.apache.catalina.startup.Bootstrap
>>>
>>> which is enough for CAS with Hazelcast ticket registry and the
>>> management webapp (all in the same Tomcat process). We're also running a
>>> small mongod (2gb cache size) on each server which handles the services
>>> registry. Most of the time, the servers are idle or very close to it.
>>>
>>> Could you have something that takes a (relatively) long time that is
>>> causing the server to block? A slow LDAP, or slow database query, or
>>> something? We had problems like that when we were using MongoDB as our
>>> ticket registry; under heavy activity Mongo was too slow and the CAS
>>> threads would block waiting on it to complete. It wasn't pretty.
>>>
>>> --Dave
>>>
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 646 909-4728 • david.cu...@newschool.edu
>>>
>>>
>>> On Sun, Jul 2

Re: [cas-user] CAS 3.5.x CPU utilization problem

2019-07-28 Thread David Curry
Well, I'm not too knowledgeable about Windows Server, but that seems
reasonable. Is the server in general at 90% CPU, or is it the actual Java
process that's at 90%?

I don't run the embedded server so don't know its defaults -- What's the
Java heap size limited to? Should be less than the physical memory. What
garbage collector is it using? On our 4-core 16GB Linux servers we run this:

jsvc.exec -Dcatalina.home=/opt/tomcat/latest
-Dcatalina.base=/opt/tomcat/latest -Djava.awt.headless=true
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/opt/tomcat/latest/conf/logging.properties
-cp
/opt/tomcat/latest/bin/commons-daemon.jar:/opt/tomcat/latest/bin/bootstrap.jar:/opt/tomcat/latest/bin/tomcat-juli.jar
-pidfile /var/run/tomcat.pid -java-home /usr/lib/jvm/java-openjdk -user
tomcat -Xms512M -Xmx8192M -XX:+DisableExplicitGC -XX:+UseConcMarkSweepGC
-XX:+UseParNewGC -XX:MaxGCPauseMillis=500 -server
org.apache.catalina.startup.Bootstrap

which is enough for CAS with Hazelcast ticket registry and the management
webapp (all in the same Tomcat process). We're also running a small mongod
(2 GB cache size) on each server which handles the services registry. Most
of the time, the servers are idle or very close to it.

Could you have something that takes a (relatively) long time that is causing
the server to block? A slow LDAP, or slow database query, or something? We
had problems like that when we were using MongoDB as our ticket registry;
under heavy activity Mongo was too slow and the CAS threads would block
waiting on it to complete. It wasn't pretty.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Sun, Jul 28, 2019 at 11:00 AM abdelrahman halawa <
abdelrahmanhal...@gmail.com> wrote:

> How many CPUs?
>  *4X* Intel(R) Xeon(R) @ 2.40GHz, 2400 Mhz, 2 Core(s)
> How much memory?
>  16G
> What operating system?
> Windows Server 2012
> What else is running on the server (nothing, hopefully)?
> Nothing
> Is the server paging or swapping (you don't want it to be)?
> The default of Windows Server
>
>
>
> On Sun, Jul 28, 2019 at 4:44 PM David Curry 
> wrote:
>
>> How many CPUs?
>> How much memory?
>> What operating system?
>> What else is running on the server (nothing, hopefully)?
>> Is the server paging or swapping (you don't want it to be)?
>> If you're running on Linux VMs, do you have an entropy source for the
>> crypto (you should)?
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david.cu...@newschool.edu
>>
>>
>> On Sun, Jul 28, 2019 at 7:51 AM abdelrahman halawa <
>> abdelrahmanhal...@gmail.com> wrote:
>>
>>> Hello all,
>>>
>>> I noticed that the CPU utilization of my CAS server reaches above 90%
>>> with only 75 concurrent users or maybe less.
>>>
>>> Has this happened with you as well? Any suggestions to overcome this?
>>>
>>> I use embedded Tomcat with default settings.
>>>
>>> Thanks in advance.
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/fe73e941-cf70-4d77-a747-1f1c4d76a527%40apereo.org
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/fe73e941-cf70-4d77-a747-1f1c4d76a527%40apereo.org?utm_medium=email_source=footer>
>>> .
>>>

Re: [cas-user] CAS 3.5.x CPU utilization problem

2019-07-28 Thread David Curry
How many CPUs?
How much memory?
What operating system?
What else is running on the server (nothing, hopefully)?
Is the server paging or swapping (you don't want it to be)?
If you're running on Linux VMs, do you have an entropy source for the
crypto (you should)?


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Sun, Jul 28, 2019 at 7:51 AM abdelrahman halawa <
abdelrahmanhal...@gmail.com> wrote:

> Hello all,
>
> I noticed that the CPU utilization of my CAS server reaches above 90% with
> only 75 concurrent users or maybe less.
>
> Has this happened with you as well? Any suggestions to overcome this?
>
> I use embedded Tomcat with default settings.
>
> Thanks in advance.
>



Re: [cas-user] Re: CAS management

2019-07-24 Thread David Curry
Check that the process is actually running as tomcat. Turn on debug logging
and see what's happening. Compare the owners and modes of the working logs
(cas) to the non-working ones (cas-management).

There's a permission that's wrong, or it's running as the wrong user, or
there's a typo in a path name, or something. It's really just a matter of
meticulously checking everything. Don't assume anything, check everything.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Wed, Jul 24, 2019 at 9:13 AM alain ubfc  wrote:

> David,
>
> I have the log of tomcat /var/log/tomcat/catalina.ou. And it works.
>
> Here is my file /etc/fstab
>
> # /etc/fstab: static file system information.
> #
> # Use 'blkid' to print the universally unique identifier for a
> # device; this may be used with UUID= as a more robust way to name devices
> # that works even if disks are added and removed. See fstab(5).
> #
> #
> /dev/mapper/casermgnt--vg-root    /              ext4         errors=remount-ro  0  1
> # /boot was on /dev/sda1 during installation
> UUID=af1e7cbd-4161-4099-9000-a7ebbb14c336  /boot  ext2  defaults  0  2
> /dev/mapper/casermgnt--vg-home    /home          ext4         defaults           0  2
> /dev/mapper/casermgnt--vg-tmp     /tmp           ext4         defaults           0  2
> /dev/mapper/casermgnt--vg-var     /var           ext4         defaults           0  2
> /dev/mapper/casermgnt--vg-swap_1  none           swap         sw                 0  0
> /dev/sr0                          /media/cdrom0  udf,iso9660  user,noauto        0  0
>
> I don't see it.
>
>
> On Wednesday, 24 July 2019 at 13:30:30 UTC+2, David Curry wrote:
>>
>> [2019-07-22 08:57:45] [info] 2019-07-22 08:57:45,023 main ERROR RollingFileManager (/var/log/cas-management/cas-management.log) java.io.FileNotFoundException: /var/log/cas-management/cas-management.log (Read-only file system)
>>
>> Is your file system mounted read-only? Is the directory writable by the
>> tomcat user (or whatever user is running the tomcat process)?
>> RollingFileAppenders need write permission to the directory the log files
>> are in, not just the log files themselves.
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Wed, Jul 24, 2019 at 2:14 AM alain ubfc  wrote:
>>
>>> Hello,
>>>
>>> In fact I noticed that the /var/log/cas-management file has nothing in
>>> it.
>>>
>>> Yet I set the rights for the file cas-management.log with the chown -R
>>> tomcat:tomcat /var/log/cas-management command.
>>>
>>> [2019-07-22 08:57:43] [info] 2019-07-22 08:57:43,429 main ERROR Could
>>> not create plugin of type class org.apache.logging.log4j.core.appender.
>>> RollingFileAppender for element RollingFile: java.lang.
>>> IllegalStateException: ManagerFactory [org.apache.logging.log4j.core.
>>> appender.rolling.RollingFileManager$RollingFileManagerFactory@6ea59bb2]
>>> unable to create manager for [/var/log/cas-management/cas-management.log
>>> ] with data [org.apache.logging.log4j.core.appender.rolling.
>>> RollingFileManager$FactoryData@506344b1[pattern=/var/log/cas-management/
>>> cas-%d{-MM-dd-HH}-%i.log, append=true, bufferedIO=true, bufferSize=
>>> 8192, policy=CompositeTriggeringPolicy(policies=[
>>> OnStartupTriggeringPolicy, SizeBasedTriggeringPolicy(size=10485760),
>>> TimeBasedTriggeringPolicy(nextRolloverMillis=0, interval=1, modulate=
>>> false)]), strategy=DefaultRolloverStrategy(min=1, max=5, useMax=true),
>>> advertiseURI=null, layout=%highlight{%d %p [%c] - <%m>%n},
>>> filePermissions=null, fileOwner=null]] java.lang.IllegalStateException:
>>> ManagerFactory [org.apache.logging.log4j.core.appender.rolling.
>>> RollingFileManager$RollingFileManagerFactory@6ea59bb2] unable to create
>>> manager for [/var/log/cas-management/cas-management.log] with data [org.
>>> apache.logging.log4j.core.appender.rolling.
>>> RollingFileManager$FactoryData@506344b1[pattern=/var/log/cas-management/
>>> cas-%d{-MM-dd-HH}-%i.log, append=true, bufferedIO=true, bufferSize=
>>> 8192, policy=CompositeTriggeringPolicy(policies=[
>>> OnStartupTriggeringPolicy, SizeBasedTriggeringPolicy(size=10485760),
>>> TimeBa

Re: [cas-user] Re: CAS management

2019-07-24 Thread David Curry
Are you positive that the tomcat process is actually running as the tomcat
user?

The error message says read-only file system. Are you sure the file system
is mounted read-write? Can you create files in it?

Have you turned on debug-level logging to get a more granular idea of
what's going on?

Are all the file and directory names spelled correctly everywhere?

Is the regular cas log file (not the management server) in /var/log/cas? Is
it being successfully written to?

Beyond "check everything" I'm not sure what advice to give you; it could be
a dozen different things.


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Wed, Jul 24, 2019 at 8:49 AM alain ubfc  wrote:

> Hello David,
>
> Thank you for your answer.
>
> The directory /var/log/cas-management has the following rights:
>
> drwxr-x---  2 tomcat adm  4096 juil. 22 09:23 cas-management
>
> And for the file cas-management.log
>
> -rw-r-  1 tomcat tomcat 0 juil. 19 14:39 cas-management.log
>
> That's what I did. And it doesn't work.
>
> How to do this?
>
> Best regard
>
> On Wednesday, 24 July 2019 at 13:30:30 UTC+2, David Curry wrote:
>>
>> [2019-07-22 08:57:45] [info] 2019-07-22 08:57:45,023 main ERROR RollingFileManager (/var/log/cas-management/cas-management.log) java.io.FileNotFoundException: /var/log/cas-management/cas-management.log (Read-only file system)
>>
>> Is your file system mounted read-only? Is the directory writable by the
>> tomcat user (or whatever user is running the tomcat process)?
>> RollingFileAppenders need write permission to the directory the log files
>> are in, not just the log files themselves.
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Wed, Jul 24, 2019 at 2:14 AM alain ubfc  wrote:
>>
>>> Hello,
>>>
>>> In fact I noticed that the /var/log/cas-management file has nothing in
>>> it.
>>>
>>> Yet I set the rights for the file cas-management.log with the chown -R
>>> tomcat:tomcat /var/log/cas-management command.
>>>
>>> [2019-07-22 08:57:43] [info] 2019-07-22 08:57:43,429 main ERROR Could
>>> not create plugin of type class org.apache.logging.log4j.core.appender.
>>> RollingFileAppender for element RollingFile: java.lang.
>>> IllegalStateException: ManagerFactory [org.apache.logging.log4j.core.
>>> appender.rolling.RollingFileManager$RollingFileManagerFactory@6ea59bb2]
>>> unable to create manager for [/var/log/cas-management/cas-management.log
>>> ] with data [org.apache.logging.log4j.core.appender.rolling.
>>> RollingFileManager$FactoryData@506344b1[pattern=/var/log/cas-management/
>>> cas-%d{-MM-dd-HH}-%i.log, append=true, bufferedIO=true, bufferSize=
>>> 8192, policy=CompositeTriggeringPolicy(policies=[
>>> OnStartupTriggeringPolicy, SizeBasedTriggeringPolicy(size=10485760),
>>> TimeBasedTriggeringPolicy(nextRolloverMillis=0, interval=1, modulate=
>>> false)]), strategy=DefaultRolloverStrategy(min=1, max=5, useMax=true),
>>> advertiseURI=null, layout=%highlight{%d %p [%c] - <%m>%n},
>>> filePermissions=null, fileOwner=null]] java.lang.IllegalStateException:
>>> ManagerFactory [org.apache.logging.log4j.core.appender.rolling.
>>> RollingFileManager$RollingFileManagerFactory@6ea59bb2] unable to create
>>> manager for [/var/log/cas-management/cas-management.log] with data [org.
>>> apache.logging.log4j.core.appender.rolling.
>>> RollingFileManager$FactoryData@506344b1[pattern=/var/log/cas-management/
>>> cas-%d{-MM-dd-HH}-%i.log, append=true, bufferedIO=true, bufferSize=
>>> 8192, policy=CompositeTriggeringPolicy(policies=[
>>> OnStartupTriggeringPolicy, SizeBasedTriggeringPolicy(size=10485760),
>>> TimeBasedTriggeringPolicy(nextRolloverMillis=0, interval=1, modulate=
>>> false)]), strategy=DefaultRolloverStrategy(min=1, max=5, useMax=true
>>>

Re: [cas-user] Re: CAS management

2019-07-24 Thread David Curry
[2019-07-22 08:57:45] [info] 2019-07-22 08:57:45,023 main ERROR RollingFileManager (/var/log/cas-management/cas-management.log) java.io.FileNotFoundException: /var/log/cas-management/cas-management.log (Read-only file system)

Is your file system mounted read-only? Is the directory writable by the
tomcat user (or whatever user is running the tomcat process)?
RollingFileAppenders need write permission to the directory the log files
are in, not just the log files themselves.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Wed, Jul 24, 2019 at 2:14 AM alain ubfc  wrote:

> Hello,
>
> In fact I noticed that the /var/log/cas-management file has nothing in it.
>
> Yet I set the rights for the file cas-management.log with the chown -R
> tomcat:tomcat /var/log/cas-management command.
>
> [2019-07-22 08:57:43] [info] 2019-07-22 08:57:43,429 main ERROR Could not
> create plugin of type class org.apache.logging.log4j.core.appender.
> RollingFileAppender for element RollingFile: java.lang.
> IllegalStateException: ManagerFactory [org.apache.logging.log4j.core.
> appender.rolling.RollingFileManager$RollingFileManagerFactory@6ea59bb2]
> unable to create manager for [/var/log/cas-management/cas-management.log]
> with data [org.apache.logging.log4j.core.appender.rolling.
> RollingFileManager$FactoryData@506344b1[pattern=/var/log/cas-management/
> cas-%d{-MM-dd-HH}-%i.log, append=true, bufferedIO=true, bufferSize=
> 8192, policy=CompositeTriggeringPolicy(policies=[OnStartupTriggeringPolicy
> , SizeBasedTriggeringPolicy(size=10485760), TimeBasedTriggeringPolicy(
> nextRolloverMillis=0, interval=1, modulate=false)]), strategy=
> DefaultRolloverStrategy(min=1, max=5, useMax=true), advertiseURI=null,
> layout=%highlight{%d %p [%c] - <%m>%n}, filePermissions=null, fileOwner=
> null]] java.lang.IllegalStateException: ManagerFactory [org.apache.logging
> .log4j.core.appender.rolling.
> RollingFileManager$RollingFileManagerFactory@6ea59bb2] unable to create
> manager for [/var/log/cas-management/cas-management.log] with data [org.
> apache.logging.log4j.core.appender.rolling.
> RollingFileManager$FactoryData@506344b1[pattern=/var/log/cas-management/
> cas-%d{-MM-dd-HH}-%i.log, append=true, bufferedIO=true, bufferSize=
> 8192, policy=CompositeTriggeringPolicy(policies=[OnStartupTriggeringPolicy
> , SizeBasedTriggeringPolicy(size=10485760), TimeBasedTriggeringPolicy(
> nextRolloverMillis=0, interval=1, modulate=false)]), strategy=
> DefaultRolloverStrategy(min=1, max=5, useMax=true), advertiseURI=null,
> layout=%highlight{%d %p [%c] - <%m>%n}, filePermissions=null, fileOwner=
> null]]
>
>
> [2019-07-22 08:57:43] [info] 2019-07-22 08:57:43,442 main ERROR Null
> object returned for RollingFile in Appenders.
> [2019-07-22 08:57:45] [info] 2019-07-22 08:57:45,023 main ERROR
> RollingFileManager (/var/log/cas-management/cas-management.log) java.io.
> FileNotFoundException: /var/log/cas-management/cas-management.log (Read-only
> file system) java.io.FileNotFoundException: /var/log/cas-management/cas-
> management.log (Read-only file system)
>
>
> Do you have any idea?
>
> Thank you
>
> Best regard
>
> On Monday, 22 July 2019 at 12:04:48 UTC+2, alain ubfc wrote:
>>
>> Hello,
>>
>> I’ve been stuck on cas-management for several weeks now.
>>
>> I followed the Dacurry documentation
>> https://dacurry-tns.github.io/deploying-apereo-cas/building_svcmgmt_overview.html
>> but nothing works.
>>
>> Here is my configuration of my cas-management.properties file
>>
>> # CAS server address
>> cas.server.name=https://cas.osnetworking.com:8443
>> cas.server.prefix=https://cas.osnetworking.com:8443/cas
>> #cas.server.prefix=${cas.server.name}/cas
>>
>> logging.config=file:/etc/cas/config/log4j2-management.xml
>>
>> ##
>> # Update this URL to point at server running this management app #
>> ##
>>
>> #cas.mgmt.serverName: ${cas.server.name}
>> mgmt.serverName=https://casmanagement.osnetworking.com:8443
>> server.context-path=/cas-management
>> #server.port=8443
>>
>> spring.thymeleaf.mode = HTML
>>
>> mgmt.adminRoles[0]=ROLE_ADMIN
>> mgmt.userRoles[0]=ROLE_USER
>>
>> mgmt.userPropertiesFile=file:/etc/cas/config/users.json
>>
>> ##
>> # cas-management log management #
>> ##
>>
>> logging.config=file:/etc/cas/config/log4j2-management.xml
>>
>> 
>> # Service management in JSON #
>> 
>>
>> cas.serviceRegistry.json.location=file:/etc/cas/services
>> cas.serviceRegistry.initFromJson = true
>>
>> 
>> # List of attributes selectable from the CAS-Manager #
>> 

Re: [cas-user] CAS5 management

2019-07-23 Thread David Curry
Have you tried setting logging to DEBUG and tracing what's happening? My
initial suspects would be that either (a) CAS is not reading your
adminusers.properties file ("./" makes me nervous, since you don't
necessarily know where "." is) or (b) it's not matching your username
correctly.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Jul 19, 2019 at 3:05 PM Anil Kumar Reddy gajulapalli <
g.anilreddy...@gmail.com> wrote:

> Hello David,
>
> I have been trying to resolve this issue for the last 3 days; nevertheless, I am
> lost with no hope.
>
> 2019-07-19 18:46:47,815 WARN
> [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] -  access, since the authenticated profile [#CasProfile# | id:
> anil.ku...@socalled.com | attributes:
> {credentialType=UsernamePasswordCredential,
> samlAuthenticationStatementAuthMethod=urn:oasis:names:tc:SAML:1.0:am:password,
> isFromNewLogin=true, mail=anil.ku...@socalled.com,
> authenticationDate=2019-07-19T18:46:45.197052Z[UTC],
> authenticationMethod=Open DJ, givenName=Anil,
> successfulAuthenticationHandlers=Open DJ,
> longTermAuthenticationRequestTokenUsed=false, cn=anil.ku...@socalled.com,
> title=devOps Engineer} | roles: [] | permissions: [] | isRemembered: false
> | clientName: CasClient | linkedId: null |] does not contain any required
> roles>
>
> CAS-Management is taking me to CAS server for Authentication. Once the
> Authentication is validated while coming back to Management App, I see the
> above error in the Management logs.
>
> I have adminusers.properties as below:
>
> anil.ku...@socalled.com=notused,ROLE_ADMIN,enabled
> Anil=notused,ROLE_ADMIN,enabled
>
> and management.properties have below details:
>
> cas.mgmt.adminRoles[0]=ROLE_ADMIN
> cas.mgmt.userPropertiesFile=file:./adminusers.properties
>
>
> Can you guide me on where I am making a mistake? I have referred to the docs at:
> https://dacurry-tns.github.io/deploying-apereo-cas/building_svcmgmt_configure-webapp-properties.html
>  too.
>
> On Friday, 23 February 2018 14:48:32 UTC-5, David Curry wrote:
>>
>> >  Someone should pay you for them.
>>
>> Well, I have to write it up as part of my job anyway; I just decided to
>> go a little further and make it available to world+dog. So I do get paid
>> for the work. Glad you (and others) are finding them helpful.
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>
>> On Fri, Feb 23, 2018 at 2:30 PM, Cheltenham, Chris <
>> cchelte...@philasd.org> wrote:
>>
>>> Oh right , you do have good docs.
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>> Someone should pay you for them.
>>>
>>>
>>>
>>>
>>>
>>> ===
>>>
>>> Thank You;
>>>
>>> Chris Cheltenham
>>> Technology Services
>>> The School District of Philadelphia
>>>
>>> Work # 215-400-5025
>>> Cell # 215-301-6571
>>>
>>> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of *David
>>> Curry
>>> *Sent:* Friday, February 23, 2018 1:48 PM
>>>
>>> *To:* cas-...@apereo.org
>>> *Subject:* Re: [cas-user] CAS5 management
>>>
>>>
>>>
>>>
>>>
>>> The /status endpoint (but not the endpoints underneath it) is only
>>> protected by an IP address pattern. You need to set the
>>> cas.adminPagesSecurity.ip property to a regular expression that matches
>>> the IP address(es) you want to allow access from.
>>>
>>>
>>>
>>> See
>>> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_configure-admin-pages-properties.html#configure-endpoint-security
>>> for an example.
>>>
>>>
>>>
>>> --Dave
>>>
>>>
>>>
>>>
>>> --
>>>
>>> *DAVID A. CURRY, CISSP*
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>&

Re: [cas-user] Re: references to CAS production setups

2019-07-09 Thread David Curry
Lafayette College provided their load testing results for CAS 5.1.x back in
2017:

https://apereo.github.io/2017/09/25/cas51-perfresults-LafayetteCollege/

The Locust configuration they used for this is available on Github:
https://github.com/cwaldbieser/locustfiles

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Jul 9, 2019 at 9:02 AM Andy Ng  wrote:

> Hi Kaiser,
>
> Well, I might not be the best person to speak for high load, since our CAS
> 5 expected stress level is much lower than yours. However, would still like
> to make some comment:
>
> > CAS architecture is inherently non-reactive and thread-blocking all the
> way
> I am pretty sure most core components of CAS are multi-thread enabled; where
> do you get the info that CAS is thread-blocking all the way?
>
> I have just looked back and found one of my PRs which fixes a thread related
> issue: https://github.com/apereo/cas/pull/3679, so I'm pretty sure CAS is
> multi-threaded.
>
> > CAS is primarily used for extranets in academic world, not for wider
> public audience (aka internets)
> Our CAS is internet facing :)
>
> >
> https://apereo.atlassian.net/wiki/spaces/CAS/pages/102927127/CAS+Production+Set+Ups
> Here's the thing... The servers listed are CAS 2 and 3, which don't have
> OpenID enabled. So if you want to check the stress level for OpenID, you've
> got to either find some new data (hopefully in this thread!) or test it
> yourself.
>
> > or maybe someone here can share a success story about production CAS
> installation running at the scale of several million identities and
> thousands logins per second?
> This I cannot comment on, but you can always do a stress test. It should be
> quite easy to set up JMeter to test CAS using OpenID:
> https://github.com/apereo/cas/blob/master/etc/loadtests/jmeter/CAS_Oauth.jmx
>
> See if the above info helps you!
>
> Cheers!
> - Andy
>
>
>
>
>
>
>
>



Re: [cas-user] Re: How do I enable cas/status page with CAS 5.3.2?

2019-06-28 Thread David Curry
Don't change the default configuration. Add the service to your service
registry, wherever that is. If you don't have a service registry, you
should set one of those up first.

And unless the CAS server actually has an SSL certificate with
localhost. as a valid CN, you should be using the actual hostname of
the CAS server.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Fri, Jun 28, 2019 at 7:45 AM 123 456  wrote:

> {
> "services":[
> {
> "@class":"org.apereo.cas.services.RegexRegisteredService",
> "id":123456789,
> "serviceId":"https://localhost:/cas/status/dashboard",
> "name":"cas_status",
> "description":"CAS dashboard and administrative endpoints"
> }
> ]
> }
>
> I get the following error as well:
>
> ERROR
> [org.apereo.cas.util.serialization.AbstractJacksonBackedStringSerializer] -
>  [{"services":[{"@class":"org.apereo.cas.services.RegexRegisteredService","id":123456789,"serviceId":"https://localhost:...]
> to deserialize into type [interface
> org.apereo.cas.services.RegisteredService]. This may be caused in the
> absence of a configuration/support module that knows how to interpret the
> JSON fragment, specially if the fragment describes a CAS registered service
> definition. Internal parsing error is [Missing type id when trying to
> resolve subtype of [simple type, class
> org.apereo.cas.services.RegisteredService]: missing type id property
> '@class'
>  at [Source:
> (String)"{"services":[{"@class":"org.apereo.cas.services.RegexRegisteredService","id":123456789,"serviceId":"
> https://localhost:8443/cas/status/dashboard","name":"cas_status","description":"CAS
> dashboard and administrative endpoints"}]}"; line: 1, column: 226]]>
>
>
> In which folder should I be making the changes to the default
> configurations?
>
>
> On Wednesday, 26 June 2019 at 17:09:20 UTC+1, 123 456 wrote:
>>
>> Template:  https://github.com/apereo/cas-gradle-overlay-template
>>
>> #=
>> # cas.properties
>> #=
>>
>>
>> server.port = 
>> cas.server.name: https://{server}:
>> cas.server.prefix: https://{server}:/cas
>>
>> cas.adminPagesSecurity.ip=127\.0\.0\.1
>>
>> logging.config: file:/etc/cas/config/log4j2.xml
>> #cas.serviceRegistry.json.location: classpath:/etc/cas/services-repo
>>
>> # SSL
>> server.ssl.enabled=true
>> server.ssl.keyStore=file:/etc/cas/thekeystore
>> server.ssl.keyStorePassword=changeit
>> server.ssl.keyPassword=changeit
>>
>> cas.authn.accept.users=
>>
>> #
>> # Service Registry
>> #
>> cas.serviceRegistry.watcherEnabled=true
>> cas.serviceRegistry.initFromJson=true
>> cas.serviceRegistry.json.location=classpath:/etc/cas/services
>>
>> #==
>> # Status
>> #==
>>
>> cas.adminPagesSecurity.actuatorEndpointsEnabled=true
>> cas.monitor.endpoints.enabled=true
>> endpoints.enabled=true
>>
>> cas.monitor.endpoints.sensitive=false
>> endpoints.sensitive=false
>> cas.monitor.endpoints.status.enabled=false
>> cas.monitor.endpoints.status.sensitive=true
>>
>> cas.adminPagesSecurity.loginUrl=https://{server}/cas/login
>> cas.adminPagesSecurity.service=https://{server}/cas/status
>> cas.adminPagesSecurity.users=file:/etc/cas/config/admusers.properties
>> cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
>>
>>
>> ***
>>
>>
>> #
>> #  admnusers.properties
>> #
>>
>> # This file lists the users who are allowed access to the CAS /status/*
>> # endpoints ("adminpages").
>> #
>> # The syntax for each line is:
>> #
>> # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
>> #
>> casuser=notused,ROLE_ADMIN
>>
>>
>>
>> 
>>
>>
>>


Re: [cas-user] How do I enable cas/status page with CAS 5.3.2?

2019-06-27 Thread David Curry
The overlay template you're using shouldn't make any difference. It's all
about configuration.

You need to set the cas.adminPagesSecurity.ip to a regex that matches where
you want to access it from. For example:

cas.adminPagesSecurity.ip: ^192\\.168\\.(50\\.[0-9]{1,3}|1\\.[12]0)$

This says allow anything on the 192.168.50.0/24 network, plus 192.168.1.10
and 192.168.1.20.

All the other items you had looked okay to me. I'm not aware that anything
in this area changed between 5.2.x (what we're running) and 5.3.x, so that
should do it. If not, up the logging level on CAS and see what it says...

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Jun 27, 2019 at 11:21 AM 123 456  wrote:

> Sorry, my mistake.. I'm running CAS 5.3 with the following release:
> https://github.com/apereo/cas-gradle-overlay-template.
>
> quinta-feira, 27 de Junho de 2019 às 16:02:27 UTC+1, David Curry escreveu:
>>
>> I'm not running CAS 6, so I can't tell you specifically for that release;
>> maybe someone else can.
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Thu, Jun 27, 2019 at 10:51 AM 123 456  wrote:
>>
>>> Still not working ..
>>>
>>> The used template is the right one? I used the following:
>>> https://github.com/apereo/cas-overlay-template
>>>
>>>
>>> quinta-feira, 27 de Junho de 2019 às 12:46:12 UTC+1, David Curry
>>> escreveu:
>>>>
>>>> My apologies... I told you to comment it out, but that's the default
>>>> value, so it's still picking it up from the default properties. You need to
>>>> set it to a pattern that matches the host(s) you want to be able to access
>>>> it from. See this page:
>>>>
>>>>
>>>> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_configure-admin-pages-properties.html
>>>>
>>>>
>>>> for some more detail.
>>>>
>>>> --Dave
>>>>
>>>>
>>>> --
>>>>
>>>> DAVID A. CURRY, CISSP
>>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>>
>>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>>> +1 646 909-4728 • david...@newschool.edu
>>>>
>>>>
>>>> On Thu, Jun 27, 2019 at 4:46 AM 123 456  wrote:
>>>>
>>>>> I have commented out this line, but still doesn't work. I get the
>>>>> following error message when trying to access cas/status :
>>>>>
>>>>> [image: Capture.PNG]
>>>>>
>>>>>
>>>>> quarta-feira, 26 de Junho de 2019 às 18:07:19 UTC+1, David Curry
>>>>> escreveu:
>>>>>>
>>>>>> Unless you really want it to only be accessible from the local host
>>>>>> that the server is running on, you need to comment out this line:
>>>>>>
>>>>>> cas.adminPagesSecurity.ip=127\.0\.0\.1
>>>>>>
>>>>>> Or more appropriately, set it to a value that matches the IPs you
>>>>>> want to be able to reach the status page. It's a Java regex, so you can 
>>>>>> do
>>>>>> just about anything.
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> DAVID A. CURRY, CISSP
>>>>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>>>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>>>>
>>>>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>>>>> +1 646 909-4728 • david...@newschool.edu
>>>>>>
>>>>>>
>>>>>> On Wed, Jun 26, 2019 at 12:09 PM 123 456  wrote:
>>>>>>
>>>>>>> Template:  https://github.com/apereo/cas-gradle-overlay-template
>>>>>>>
>>>>>>> #=
>>>>>>> # cas.properties
>>>>>>> #=
>>>>>>>
>>>>>>>
>>>>>>> server.port = 
>>>>>>> cas.server.name: https://{server}:
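
The regex reply above leaves out two things a practitioner will trip over, so here is an added example (not CAS's code, nor Dave's) that models the /status access decision from the posted configuration in Python. It assumes that CAS compares the cas.adminPagesSecurity.ip regex against the request's remote address as a Java full match, that the value first passes through java.util.Properties escape handling (so `\\.` in the file becomes `\.`, while the `\.` in the original file silently becomes a bare `.`), and that the users file uses the Spring Security `username=password,role[,role][,enabled|disabled]` format the posted comment describes. All sample values are constructed.

```python
import re

# Constructed sample values standing in for cas.properties and for the file
# named by cas.adminPagesSecurity.users. None of this is CAS code.
IP_PATTERN_DEFAULT = r"127\.0\.0\.1"                          # the CAS default, single backslashes
IP_PATTERN_LAN = r"^192\\.168\\.(50\\.[0-9]{1,3}|1\\.[12]0)$"  # the pattern from the reply
ADMIN_USERS_FILE = """\
# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
casuser=notused,ROLE_ADMIN
auditor=notused,ROLE_AUDIT
olduser=notused,ROLE_ADMIN,disabled
"""
ADMIN_ROLES = {"ROLE_ADMIN"}   # cas.adminPagesSecurity.adminRoles[0]


def properties_unescape(value):
    # java.util.Properties semantics (assumed to hold for Spring Boot's loader):
    # two backslashes become one, \t \n \f \r become control characters, and an
    # unrecognised escape such as \. drops the backslash. \uXXXX is omitted here.
    control = {"t": "\t", "n": "\n", "f": "\f", "r": "\r"}
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(control.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def to_properties_value(regex):
    # Inverse of the above for a regex: every backslash must be doubled in the file.
    return regex.replace("\\", "\\\\")


def ip_allowed(raw_pattern, remote_addr):
    # Java's Matcher.matches() is a full match, hence fullmatch rather than search.
    return re.fullmatch(properties_unescape(raw_pattern), remote_addr) is not None


def load_admin_users(text):
    # Parse username=password,authority[,authority][,enabled|disabled] lines.
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        username, _, rest = line.partition("=")
        tokens = [t.strip() for t in rest.split(",")]
        password, attrs = tokens[0], tokens[1:]
        users[username.strip()] = {
            "password": password,
            "roles": {a for a in attrs if a not in ("enabled", "disabled")},
            "enabled": "disabled" not in attrs,
        }
    return users


def admin_access(raw_ip_pattern, users, remote_addr, principal):
    # The two gates the posted configuration sets up: the caller's address must
    # match the ip regex, and the CAS-authenticated principal must be an enabled
    # entry in the users file carrying one of the adminRoles. Returns (allowed, reason).
    if not ip_allowed(raw_ip_pattern, remote_addr):
        return False, f"{remote_addr} does not match cas.adminPagesSecurity.ip"
    user = users.get(principal)
    if user is None or not user["enabled"]:
        return False, f"{principal} is not an enabled entry in the users file"
    if not user["roles"] & ADMIN_ROLES:
        return False, f"{principal} lacks an adminRoles role"
    return True, "ok"


# Tightened form of the LAN pattern: real octets only, so 192.168.50.999 no
# longer slips through, and only the two intended hosts on 192.168.1.0/24.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IP_PATTERN_LAN_STRICT = to_properties_value(
    r"^192\.168\.(?:50\." + OCTET + r"|1\.(?:10|20))$")
```

Two things this makes visible: with the pattern as posted, 192.168.50.999 is accepted, and the default `127\.0\.0\.1` written with single backslashes is really the regex `127.0.0.1`, which also matches `127x0x0x1` (harmless for loopback, but a sign the escaping is wrong). Separately, the address being matched is the TCP peer; if CAS sits behind a reverse proxy, that is the proxy's address, not the administrator's workstation, and the regex has to be written accordingly.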

Re: [cas-user] How do I enable cas/status page with CAS 5.3.2?

2019-06-27 Thread David Curry
I'm not running CAS 6, so I can't tell you specifically for that release;
maybe someone else can.

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Jun 27, 2019 at 10:51 AM 123 456  wrote:

> Still not working ..
>
> The used template is the right one? I used the following:
> https://github.com/apereo/cas-overlay-template
>
>
> quinta-feira, 27 de Junho de 2019 às 12:46:12 UTC+1, David Curry escreveu:
>>
>> My apologies... I told you to comment it out, but that's the default
>> value, so it's still picking it up from the default properties. You need to
>> set it to a pattern that matches the host(s) you want to be able to access
>> it from. See this page:
>>
>>
>> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_configure-admin-pages-properties.html
>>
>>
>> for some more detail.
>>
>> --Dave
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Thu, Jun 27, 2019 at 4:46 AM 123 456  wrote:
>>
>>> I have commented out this line, but still doesn't work. I get the
>>> following error message when trying to access cas/status :
>>>
>>> [image: Capture.PNG]
>>>
>>>
>>> quarta-feira, 26 de Junho de 2019 às 18:07:19 UTC+1, David Curry
>>> escreveu:
>>>>
>>>> Unless you really want it to only be accessible from the local host
>>>> that the server is running on, you need to comment out this line:
>>>>
>>>> cas.adminPagesSecurity.ip=127\.0\.0\.1
>>>>
>>>> Or more appropriately, set it to a value that matches the IPs you want
>>>> to be able to reach the status page. It's a Java regex, so you can do just
>>>> about anything.
>>>>
>>>>
>>>> --
>>>>
>>>> DAVID A. CURRY, CISSP
>>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>>
>>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>>> +1 646 909-4728 • david...@newschool.edu
>>>>
>>>>
>>>> On Wed, Jun 26, 2019 at 12:09 PM 123 456  wrote:
>>>>
>>>>> Template:  https://github.com/apereo/cas-gradle-overlay-template
>>>>>
>>>>> #=
>>>>> # cas.properties
>>>>> #=
>>>>>
>>>>>
>>>>> server.port = 
>>>>> cas.server.name: https://{server}:
>>>>> cas.server.prefix: https://{server}:/cas
>>>>>
>>>>> cas.adminPagesSecurity.ip=127\.0\.0\.1
>>>>>
>>>>> logging.config: file:/etc/cas/config/log4j2.xml
>>>>> #cas.serviceRegistry.json.location: classpath:/etc/cas/services-repo
>>>>>
>>>>> # SSL
>>>>> server.ssl.enabled=true
>>>>> server.ssl.keyStore=file:/etc/cas/thekeystore
>>>>> server.ssl.keyStorePassword=changeit
>>>>> server.ssl.keyPassword=changeit
>>>>>
>>>>> cas.authn.accept.users=
>>>>>
>>>>> #
>>>>> # Service Registry
>>>>> #
>>>>> cas.serviceRegistry.watcherEnabled=true
>>>>> cas.serviceRegistry.initFromJson=true
>>>>> cas.serviceRegistry.json.location=classpath:/etc/cas/services
>>>>>
>>>>> #==
>>>>> # Status
>>>>> #==
>>>>>
>>>>> cas.adminPagesSecurity.actuatorEndpointsEnabled=true
>>>>> cas.monitor.endpoints.enabled=true
>>>>> endpoints.enabled=true
>>>>>
>>>>> cas.monitor.endpoints.sensitive=false
>>>>> endpoints.sensitive=false
>>>>> cas.monitor.endpoints.status.enabled=false
>>>>> cas.monitor.endpoints.status.sensitive=true
>>>>>
>>>>> cas.adminPagesSecurity.loginUrl=https://{server}/cas/login
>>>>> cas.adminPagesSecurity.service=https://{server}/cas/status

Re: [cas-user] How do I enable cas/status page with CAS 5.3.2?

2019-06-27 Thread David Curry
My apologies... I told you to comment it out, but that's the default value,
so it's still picking it up from the default properties. You need to set it
to a pattern that matches the host(s) you want to be able to access it
from. See this page:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_configure-admin-pages-properties.html


for some more detail.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Jun 27, 2019 at 4:46 AM 123 456  wrote:

> I have commented out this line, but still doesn't work. I get the
> following error message when trying to access cas/status :
>
> [image: Capture.PNG]
>
>
> quarta-feira, 26 de Junho de 2019 às 18:07:19 UTC+1, David Curry escreveu:
>>
>> Unless you really want it to only be accessible from the local host that
>> the server is running on, you need to comment out this line:
>>
>> cas.adminPagesSecurity.ip=127\.0\.0\.1
>>
>> Or more appropriately, set it to a value that matches the IPs you want to
>> be able to reach the status page. It's a Java regex, so you can do just
>> about anything.
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Wed, Jun 26, 2019 at 12:09 PM 123 456  wrote:
>>
>>> Template:  https://github.com/apereo/cas-gradle-overlay-template
>>>
>>> #=
>>> # cas.properties
>>> #=
>>>
>>>
>>> server.port = 
>>> cas.server.name: https://{server}:
>>> cas.server.prefix: https://{server}:/cas
>>>
>>> cas.adminPagesSecurity.ip=127\.0\.0\.1
>>>
>>> logging.config: file:/etc/cas/config/log4j2.xml
>>> #cas.serviceRegistry.json.location: classpath:/etc/cas/services-repo
>>>
>>> # SSL
>>> server.ssl.enabled=true
>>> server.ssl.keyStore=file:/etc/cas/thekeystore
>>> server.ssl.keyStorePassword=changeit
>>> server.ssl.keyPassword=changeit
>>>
>>> cas.authn.accept.users=
>>>
>>> #
>>> # Service Registry
>>> #
>>> cas.serviceRegistry.watcherEnabled=true
>>> cas.serviceRegistry.initFromJson=true
>>> cas.serviceRegistry.json.location=classpath:/etc/cas/services
>>>
>>> #==
>>> # Status
>>> #==
>>>
>>> cas.adminPagesSecurity.actuatorEndpointsEnabled=true
>>> cas.monitor.endpoints.enabled=true
>>> endpoints.enabled=true
>>>
>>> cas.monitor.endpoints.sensitive=false
>>> endpoints.sensitive=false
>>> cas.monitor.endpoints.status.enabled=false
>>> cas.monitor.endpoints.status.sensitive=true
>>>
>>> cas.adminPagesSecurity.loginUrl=https://{server}/cas/login
>>> cas.adminPagesSecurity.service=https://{server}/cas/status
>>> cas.adminPagesSecurity.users=file:/etc/cas/config/admusers.properties
>>> cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
>>>
>>>
>>> ***
>>>
>>>
>>> #
>>> #  admnusers.properties
>>> #
>>>
>>> # This file lists the users who are allowed access to the CAS /status/*
>>> # endpoints ("adminpages").
>>> #
>>> # The syntax for each line is:
>>> #
>>> #
>>> username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
>>> #
>>> casuser=notused,ROLE_ADMIN
>>>
>>>
>>>
>>> 
>>>
>>>
>>>

Re: [cas-user] How do I enable cas/status page with CAS 5.3.2?

2019-06-26 Thread David Curry
Unless you really want it to only be accessible from the local host that
the server is running on, you need to comment out this line:

cas.adminPagesSecurity.ip=127\.0\.0\.1

Or more appropriately, set it to a value that matches the IPs you want to
be able to reach the status page. It's a Java regex, so you can do just
about anything.


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Wed, Jun 26, 2019 at 12:09 PM 123 456  wrote:

> Template:  https://github.com/apereo/cas-gradle-overlay-template
>
> #=
> # cas.properties
> #=
>
>
> server.port = 
> cas.server.name: https://{server}:
> cas.server.prefix: https://{server}:/cas
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
>
> logging.config: file:/etc/cas/config/log4j2.xml
> #cas.serviceRegistry.json.location: classpath:/etc/cas/services-repo
>
> # SSL
> server.ssl.enabled=true
> server.ssl.keyStore=file:/etc/cas/thekeystore
> server.ssl.keyStorePassword=changeit
> server.ssl.keyPassword=changeit
>
> cas.authn.accept.users=
>
> #
> # Service Registry
> #
> cas.serviceRegistry.watcherEnabled=true
> cas.serviceRegistry.initFromJson=true
> cas.serviceRegistry.json.location=classpath:/etc/cas/services
>
> #==
> # Status
> #==
>
> cas.adminPagesSecurity.actuatorEndpointsEnabled=true
> cas.monitor.endpoints.enabled=true
> endpoints.enabled=true
>
> cas.monitor.endpoints.sensitive=false
> endpoints.sensitive=false
> cas.monitor.endpoints.status.enabled=false
> cas.monitor.endpoints.status.sensitive=true
>
> cas.adminPagesSecurity.loginUrl=https://{server}/cas/login
> cas.adminPagesSecurity.service=https://{server}/cas/status
> cas.adminPagesSecurity.users=file:/etc/cas/config/admusers.properties
> cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
>
>
> ***
>
>
> #
> #  admnusers.properties
> #
>
> # This file lists the users who are allowed access to the CAS /status/*
> # endpoints ("adminpages").
> #
> # The syntax for each line is:
> #
> # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
> #
> casuser=notused,ROLE_ADMIN
>
>
>
> 
>
>
>


Re: [cas-user] New CAS Installation

2019-06-26 Thread David Curry
You might find this helpful; it takes you step by step from an
out-of-the-box RHEL 7 install to a full-blown CAS implementation:

https://dacurry-tns.github.io/deploying-apereo-cas/

Note however that it's based on CAS 5.2.x, not CAS 6.x.

For the most part that shouldn't matter, except that you'll need to do
things like install Java 11 instead of Java 8, Tomcat 9 instead of Tomcat
8, etc. and some of the configuration properties will probably have
different names. The biggest difference you're likely to encounter is that
I used Maven to manage the WAR overlays, because CAS 5 supported both Maven
and Gradle overlays. CAS 6 dropped the Maven overlays, so you'll need to
adapt all the Maven-based examples to Gradle. That's not as hard as it
sounds though; the tools do more or less the same thing at this level, it's
just the config files have different formats. Combined with the official
CAS documentation, you shouldn't have too much trouble translating the
Maven examples to their Gradle equivalents.

But even with all that, if you're completely lost as to where to start,
this should at least get you headed in the right direction.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Wed, Jun 26, 2019 at 9:54 AM heather essink 
wrote:

> I am semi new to the world of Linux based OS and completely new to CAS.
> Is there a good step by step installation guide on how to install and
> configure CAS.  Our main goal with CAS is to set up multi factor
> authentication to work with the many sites/applications we have on campus.
> I did look at the installation documentation on the site, but since I am
> not familiar with WAR overlays or the basics of installing CAS I was hoping
> to get a more detailed installation guide.
>
> Thank you
> Heather
>


Re: [cas-user] Re: Connecting SAML SP to CAS 6

2019-06-06 Thread David Curry
If you don't feel like (or can't) setting up a web server as an SP, you can
also use this:

https://sptest.iamshowcase.com/

Click on Instructions > SP Initiated SSO to begin.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Jun 6, 2019 at 2:14 PM Matthew Uribe  wrote:

> Is there any other simplistic service I could try to see if CAS loads
>> anything correct?
>
>
> That same tutorial you mentioned contains steps for setting up a basic CAS
> or SAML client in order to test your CAS server.
>
> Since you don't have any other services currently working with this CAS
> server, I would just ask you to confirm that your json files are in the
> location specified in your cas.properties cas.serviceRegistry.json.location
> line.
>


Re: [cas-user] Re: Connecting SAML SP to CAS 6

2019-06-06 Thread David Curry
> But I am not sure if this is needed - but CAS loads it successfully on
boot.

At least in CAS 5, SAML2 will not work if you do not have that service. I
don't know if CAS 6 still requires it, but I would assume that it does
unless you can find something that says it doesn't.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Jun 6, 2019 at 10:41 AM Fabian Schipp  wrote:

> There is one more service called SAML2CallbackProfile which was suggested
> in a tutorial:
>
> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html#create-a-service-definition-for-the-idp-endpoint
>
> {
>   /*
>* The CAS SAML IdP creates this endpoint as part of its initialization
>* process at server startup time. If the service registry doesn't
> already
>* contain an entry whose serviceId matches the endpoint, CAS will create
>* a new service definition and save it to the registry. If the CAS
> server
>* doesn't have write access to the registry, then the save will fail and
>* the server will not start.
>*
>* To avoid that situation, and to make it clear that this endpoint is a
>* "desired" service, it is defined explicitly here.
>*/
>   "@class" :"org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://
> /cas/idp/profile/SAML2/Callback.+",
>   "name" :  "SAML Authentication Request",
>   "id" :1558621367337136,
>   "evaluationOrder" :   100
> }
>
>
>
> But I am not sure if this is needed - but CAS loads it successfully on
> boot.
>
> Is there any other simplistic service I could try to see if CAS loads
> anything correct?
>
> On Thursday, June 6, 2019 at 4:21:04 PM UTC+2, Matthew Uribe wrote:
>>
>> OK. So if root is running CAS, and root owns the json file, then that
>> part should be fine. Do you have any other services registered that CAS is
>> reading correctly?
>>
>> On Thursday, June 6, 2019 at 7:54:52 AM UTC-6, Fabian Schipp wrote:
>>>
>>> I am running the .war overlay, therefore I have no tomcat user.
>>> But I checked the file, it's owned by the root user.
>>> I then checked the process running the war file environment in the jdk
>>> folder - it is also the root user.
>>>
>>> Am Donnerstag, 6. Juni 2019 15:37:05 UTC+2 schrieb Matthew Uribe:

 Is the devConfluence-1558621301329267.json file readable for whatever
 user/service is running CAS? When I forget to change ownership of my json
 files to the tomcat user, I run into the same issue.


 On Thursday, June 6, 2019 at 7:06:50 AM UTC-6, Fabian Schipp wrote:
>
> Hi everyone,
>
> I am currently trying to connect Confluence as SAML SP with a CAS 6
> instance.
> CAS Server on its own is running fine. I added a SAML service I
> created using the docs chapter on SAML services:
>
> https://apereo.github.io/cas/6.0.x/installation/Configuring-SAML2-Authentication.html#saml-services
>
> My SAML service:
> {
> "@class" :
> "org.apereo.cas.support.saml.services.SamlRegisteredService",
> "serviceId" : "https:///
> plugins/servlet/samlsso",
> "name" : "dev Confluence Application",
> "id" : 1558621301329267,
> "metadataLocation" : "https://
> /plugins/servlet/samlsso/metadata",
> "evaluationOrder" : 10
> }
>
> CAS does load the service, but it looks like it is malformed in
> some way.
>
> I checked some things that might have gone wrong:
> - the metadata-URL does link to the correct metadata of the SP
> - the serviceId matches the corresponding URL from the confluence
> system
> - the id field matches the name of the service-filename (it is called
> devConfluence-1558621301329267.json)
>
> The output I get is this:
> 2019-06-06 14:56:58,002 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
> - /plugins/servlet/samlsso]
> from authentication request>
>
> 2019-06-06 14:56:58,004 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
> -  [AbstractWebApplicationService(id=https:///plugins/servlet/samlsso,
> originalUrl=https:///plugins/servlet/samlsso,
> artifactId=null, principal=null, source=null, loggedOutAlready=false,
> format=XML, attributes={})]>
>
> 2019-06-06 14:56:58,024 WARN
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
> - <[https:///plugins/servlet/samlsso] is not found
> in the registry or service access is denied. Ensure service is registered
> in service registry>
>
> So there is another service registry I have to register my service in?
> Are there any more 
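
The "not found in the registry or service access is denied" warning quoted above is a registry match problem: CAS walks the registered services in evaluationOrder and matches the requested service identifier (for SAML, the SP's entityID) against each serviceId, which is a regex. What follows is an added Python example, not CAS's code or anything from the thread, that lints a set of JSON service files before a restart the way a practitioner would: it strips the `/* */` comments the CAS JSON parser tolerates, checks the numeric id against the `name-id.json` filename convention, verifies each serviceId compiles, and reports which definition would match a given identifier. The hostnames sp.example.edu and cas.example.edu are placeholders for the hosts elided in the post, the ids are the ones from the post, the registry is constructed in memory, and Java full-match semantics for serviceId are assumed (check your CAS version; a find()-style match would be broader).

```python
import json
import re

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)          # block comments only; '//' would hit URLs
FILENAME_RE = re.compile(r"^(?P<name>.+)-(?P<id>\d+)\.json$")

# Constructed sample registry: filename -> file text, standing in for the
# directory named by cas.serviceRegistry.json.location.
SAMPLE_REGISTRY = {
    "devConfluence-1558621301329267.json": """{
      "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
      "serviceId" : "https://sp.example.edu/plugins/servlet/samlsso",
      "name" : "dev Confluence Application",
      "id" : 1558621301329267,
      "metadataLocation" : "https://sp.example.edu/plugins/servlet/samlsso/metadata",
      "evaluationOrder" : 10
    }""",
    "SAMLCallback-1558621367337136.json": """{
      /* CAS creates this endpoint service itself at startup if it is missing. */
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "https://cas.example.edu/cas/idp/profile/SAML2/Callback.+",
      "name" : "SAML Authentication Request",
      "id" : 1558621367337136,
      "evaluationOrder" : 100
    }""",
    # Deliberately broken: id disagrees with the filename and serviceId is not a regex.
    "Broken-42.json": """{ "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "https://app.example.edu/(", "name" : "Broken", "id" : 43 }""",
}


def strip_block_comments(text):
    return COMMENT_RE.sub("", text)


def load_registry(files):
    # Returns (services sorted by evaluationOrder, list of problem strings).
    # A file that fails to parse or whose serviceId does not compile is dropped,
    # which is the situation that produces the "not found in the registry" warning.
    services, problems, seen_ids = [], [], {}
    for fname, text in sorted(files.items()):
        try:
            svc = json.loads(strip_block_comments(text))
        except json.JSONDecodeError as exc:
            problems.append(f"{fname}: not valid JSON ({exc.msg})")
            continue
        m = FILENAME_RE.match(fname)
        if m and int(m.group("id")) != svc.get("id"):
            problems.append(f"{fname}: filename id {m.group('id')} != id {svc.get('id')}")
        if svc.get("id") in seen_ids:
            problems.append(f"{fname}: duplicate id {svc['id']} (also in {seen_ids[svc['id']]})")
        seen_ids[svc.get("id")] = fname
        try:
            svc["_pattern"] = re.compile(svc["serviceId"])
        except (re.error, KeyError) as exc:
            problems.append(f"{fname}: serviceId is not a usable regex ({exc})")
            continue
        services.append(svc)
    services.sort(key=lambda s: s.get("evaluationOrder", 0))
    return services, problems


def find_service(services, requested):
    # First definition, in evaluationOrder, whose serviceId regex fully matches
    # the requested identifier; None reproduces the warning seen in the log.
    for svc in services:
        if svc["_pattern"].fullmatch(requested):
            return svc["name"]
    return None
```

Note that an unescaped dot in a serviceId such as `https://sp.example.edu/plugins/servlet/samlsso` is a regex wildcard, so the definition also matches `https://spXexample.edu/...`; for a SAML SP the entityID is exact, so escaping the dots or anchoring with `^...$` costs nothing and removes the ambiguity.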

Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread David Curry
Va,

The link I gave you was to documentation that I developed for use in my
organization. It was produced to meet our needs (not yours) and it does
that quite well. We contributed it to the community in the hopes that
others might find it useful, too. Apparently at least a few people have,
because they have let me know it was helpful to them. But we never
advertised it as being the perfect answer for everybody.

So if you don't like it or don't find it helpful, that's fine, nobody's
forcing you to use it.

Good luck with your project.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, May 16, 2019 at 8:54 AM Va Sja  wrote:

> Hello David,
> Many thanks for your explanation. I am sure CAS works in many
> production environments and supports a lot of possible protocols and
> standards. But...
> ...did you ever play with Lego? There you can be successful already in 20
> minutes. Then you just increase your success step by step. Did you install
> some server in the recent past? MySQL, Tomcat, Cassandra? How many steps do you
> need to "read-download-install-configure-start-check"? Does it often take more
> than 20 min to understand what you really do?
>
> As I and many other people have already explained: for CAS there is no
> way to do it from read-to-check in 10 mins, 10 hours, or even 10 days!
> ...the latest readable documentation is at minimum 2-3 years old. Then we
> have a lot of linked and unreadable pages.
> You can check the link you sent me yourself and try to answer:
> a) who needs to know, as the first page, about, for example:
>    - Support for many SPs built in: Adobe Creative Cloud, Google Apps,
>      Office 365,
> b) which version is possible to start with when the same page lists:
>    - CAS 6._, CAS 5., CAS 3.5, CAS 5.2.7, CAS 5.3.*x*, CAS 4 ...
> c) where is the start?
> d) what should I DO?
> e) do I really need such a complex solution, when it is not possible to set up
> even plain user/password auth for 1 web site in weeks?
> f) there are a lot of left-menu items, but is all of it what I need to read and
> understand for a very first installation? Create? Build? Configure? Install?
> Commit? Add?
>
> (BTW, even on the intro page there is no explanation of WHAT CAS IS!!! You
> have to search for it somewhere else via Google?)
>
> I will appreciate your answers and constructive feedback without links
> this time! We can then "attach it" to the already existing documentation
> portals as only one new page, like "CAS for Dummies", "CAS for the lazy admin" or
> "CAS in 20 minutes" :)
>
> Kindest regards
>
>
>
>
>
> Am Donnerstag, 16. Mai 2019 14:02:00 UTC+2 schrieb David Curry:
>>
>> Va,
>>
>> If you want 1-2-3 FINISH then perhaps, as Matthew already suggested, this
>> is what you're looking for:
>>
>> https://dacurry-tns.github.io/deploying-apereo-cas/
>>
>>
>> It starts from zero knowledge of CAS and goes step-by-step to an
>> installation that is running in production today. And it does it in
>> increments, so you can check that things are working along the way. The
>> initial "Building the CAS server" section will in fact get you a running
>> server in 1-2-3-4-FINISH (create an overlay project, build the default
>> server, edit a couple of config files, install and test).
>>
>> But just as "Hello World" is a pretty useless program, the CAS server
>> you're going to get in 4 steps is a pretty useless server. If you want to
>> use it to do any real work, you're going to have to configure it to talk to
>> your user directories, define the services you want it to manage, figure
>> out the attributes you need to release, perhaps enable multifactor
>> authentication, customize the user interface to meet your corporate
>> branding standards, perhaps enable other protocols like SAML2 or OAuth,
>> perhaps add in support for high availability, etc. Every one of those
>> things is supported by CAS, most of them in multiple flavors. But to use
>> them, you're going to have to learn how to add them to the server and
>> configure them. The above guide shows how to do that for one set (sometimes
>> two) of choices; they may not be the choices you want, but it should be
>> easy to extrapolate from one to another once you see how the basic setup
>> works.
>>
>> If you don't want to exert the effort to learn how the software works, or
>> don't have the patience to start a project that's going to take more than
>> 20 minutes to complete, then perhaps doing it yourself isn'

Re: [cas-user] Re: CAS documentation for a new user is terrible

2019-05-16 Thread David Curry
Va,

If you want 1-2-3 FINISH then perhaps, as Matthew already suggested, this
is what you're looking for:

https://dacurry-tns.github.io/deploying-apereo-cas/


It starts from zero knowledge of CAS and goes step-by-step to an
installation that is running in production today. And it does it in
increments, so you can check that things are working along the way. The
initial "Building the CAS server" section will in fact get you a running
server in 1-2-3-4-FINISH (create an overlay project, build the default
server, edit a couple of config files, install and test).

But just as "Hello World" is a pretty useless program, the CAS server
you're going to get in 4 steps is a pretty useless server. If you want to
use it to do any real work, you're going to have to configure it to talk to
your user directories, define the services you want it to manage, figure
out the attributes you need to release, perhaps enable multifactor
authentication, customize the user interface to meet your corporate
branding standards, perhaps enable other protocols like SAML2 or OAuth,
perhaps add in support for high availability, etc. Every one of those
things is supported by CAS, most of them in multiple flavors. But to use
them, you're going to have to learn how to add them to the server and
configure them. The above guide shows how to do that for one set (sometimes
two) of choices; they may not be the choices you want, but it should be
easy to extrapolate from one to another once you see how the basic setup
works.

If you don't want to exert the effort to learn how the software works, or
don't have the patience to start a project that's going to take more than
20 minutes to complete, then perhaps doing it yourself isn't the right
answer. There are several third party service providers that will provide
consulting expertise to help you configure and support it; some of them
will even host and operate it for you.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, May 16, 2019 at 6:47 AM Va Sja  wrote:

> Matthew, you are fully right: there is a lot of much worse software, as
> well as documentation. And when the goal is "getting as much money
> for support as possible", it is exactly the right tactic to make the
> documentation unusable and to put out new releases as often as possible with
> more and more features that will be sold next. But that is not really
> the main vector for open source, when you need weeks and some hundred gurus
> to install at least "HelloWorld". And you point me again to some "very
> easy to follow guide" that may be very informative but for my case is unusable
> documentation, when I really need to jump over hundreds of links just to
> arrive again at the understanding: IT IS TOO COMPLEX TO UNDERSTAND. It is
> exactly "very easy to follow" with a lot of links, but "absolutely not
> possible to understand what this manual is about". Sorry that I am screaming;
> otherwise I would have to cry :)
>
> Maybe we understand the words "follow", "understand", "jump", "start",
> "finish", "result", "productivity" differently?
>
> The documentation should help to focus on the problem, and your link does
> exactly the opposite: every 2-3 sentences it points me to jump to some other
> web page. Nothing more. But I need to know the steps to success: 1-2-3-FINISH.
> And there is no complete story about "how do I install HelloWorld?". You
> cannot push all of it into your brain in 1 hour, 1 day, 1 week; you
> need much more!
>
> Maybe you are absolutely right: "the documentation does in fact tell me
> what I need to know". And you are able to "get started"! But it does not help
> to reach some minimal positive result.
>
> Alternatively, you have to pay somebody else who knows this software;
> that is the only idea you get from such documentation.
> Unfortunately...
> ...and it is not only my view. Fortunately! 8-)
>
> On Wednesday, 15 May 2019 15:10:46 UTC+2, Matthew Uribe wrote:
>>
>> Va,
>>
>> I would like to mention that your complaint is about a product that you
>> get to use *for free*. I support some paid software with worse
>> documentation. I do understand the frustration, as the learning curve is
>> steep, but that's where this community comes in. Everyone here tries to be
>> very helpful, giving one another their time *for free*. I've been
>> supporting CAS 5 in my organization now for just over a year, and I find
>> that the documentation does in fact tell me what I need to know. It's just
>> that getting start

Re: [cas-user] Re: Anyone having issues with Duo today? (5/15/2019)

2019-05-15 Thread David Curry
It's working fine for us (CAS 5.2.x).

That error looks familiar though... I won't swear it's the same one, but
there was an outage a couple of months ago too, and that was a problem on
the Duo side.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, May 15, 2019 at 10:51 AM J Truts  wrote:

> Forgot to mention CAS version is 5.3.6.
>
> On Wednesday, May 15, 2019 at 9:50:03 AM UTC-5, J Truts wrote:
>>
>> Without having made any changes to our CAS application servers or
>> services today, the Duo MFA challenge is no longer being presented after
>> logging into CAS.
>>
>> We opened a call with Duo as well but haven't heard anything.
>>
>> I did notice this error in the logs:
>>
>> 2019-05-15 07:45:04,820 WARN
>> [org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationService] -
>> > and detail [Wrong integration type for this API.] when determining user
>> account.  This maybe a configuration error in the admin request and Duo
>> will still be considered available>
>>
>> We have one Duo API setup with the "CAS" Integration Type and another
>> with "WebSDK" - neither seems to be working though.  Since restarting the
>> cas service though I haven't seen this error thrown again, but still no Duo
>> challenge.
>>
>> Curious if anyone else is noticing issues with Duo?
>>
>> Thanks,
>>
>> Josh
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/deaad936-ade5-44f8-9d67-e3ee3932423f%40apereo.org
> 
> .
>



Re: [cas-user] Migrating from file based service registry to DynamoDB service registry.

2019-04-17 Thread David Curry
At least on CAS 5.2.x with a Mongo DB service registry, the way you did it
was:

   1. Edit the dependencies in pom.xml and:
      1. REMOVE the cas-server-support-json-service-registry dependency
      2. ADD the cas-server-support-mongo-service-registry dependency
   2. Rebuild the server.
   3. Add the Mongo DB service registry configuration properties to
      cas.properties.
   4. Add the settings to cas.properties to tell it to *initialize* the
      service registry from JSON:

      cas.serviceRegistry.json.location: file:/etc/cas/services
      cas.serviceRegistry.initFromJson:  true

   5. Start the new server built in Step 2. This should initialize the
      service registry from the JSON files and create all the entries in the
      Mongo DB service registry. (You only need to start one server; you don't
      need to start all of them if you're in a pool.)
   6. Use the MongoDB command line shell to check the database and verify
      that the service registry entries have been created.
   7. Shut down the server.
   8. Remove the JSON service registry properties (added in Step 4) from
      cas.properties.
   9. Restart the server and now you're using a Mongo DB service registry.
   10. Don't forget to make the dependency and property changes (Steps 1
      and 3) to the management webapp as well.

See https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_service-registry_overview.html
for a more in-depth example.

No guarantees, but my guess is that something similar would/should work for
DynamoDB.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

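
A pre-flight check for the JSON service files before the one-time import in Step 5, as an added example (not the thread's code and not CAS's own). It assumes one service per *.json file in the directory named by cas.serviceRegistry.json.location, as in the definition quoted below, uses Python's regex engine in place of Java's, and ships with a constructed three-file sample registry, two files of which are deliberately broken.

```python
"""Pre-flight check for CAS JSON service definitions before an initFromJson
import: reports the ids the database registry should hold afterwards (compare
with the collection in the Mongo shell, step 6 above) and the files CAS would
not import as intended."""
import json
import re
from pathlib import Path

REQUIRED_FIELDS = ("@class", "serviceId", "name", "id")
# CAS serialises Java collections as a two-element JSON list: [type, [items]].
JAVA_COLLECTION_TYPES = {"java.util.ArrayList", "java.util.HashSet",
                         "java.util.LinkedHashSet", "java.util.TreeSet"}

# Constructed sample registry (file name -> file contents). The first entry
# follows the definition quoted in the thread; the other two are deliberately
# broken so the checks below have something to find.
SAMPLE_FILES = {
    "Jenkins-1.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "http://localhost:8080/.*",
        "name": "Jenkins",
        "id": 1,
        "attributeReleasePolicy": {
            "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
            "allowedAttributes": ["java.util.ArrayList", ["name", "email", "groups"]],
        },
    }, indent=2),
    # Reuses id 1: the registry is keyed by id, so only one of the two survives.
    "Wiki-1.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "https://wiki.example.edu/.*",
        "name": "Wiki",
        "id": 1,
    }, indent=2),
    # Closing quote of serviceId replaced by ';', so this is not valid JSON.
    "Broken-2.json": '{ "@class": "org.apereo.cas.services.RegexRegisteredService",\n'
                     '  "serviceId": "http://localhost:8080/.*;, "name": "Broken", "id": 2 }',
}


def check_service(svc):
    """Return problem strings for one parsed definition ([] means clean).
    'error:' would not import as intended; 'warning:' is legal but easy to get
    wrong. Python's re stands in for Java's regex engine (fine for typical ids)."""
    if not isinstance(svc, dict):
        return ["error: top-level JSON value is not an object"]
    problems = [f"error: missing required field {f!r}" for f in REQUIRED_FIELDS if f not in svc]
    if problems:
        return problems
    if isinstance(svc["id"], bool) or not isinstance(svc["id"], int):
        problems.append(f"error: id {svc['id']!r} must be an integer")
    pattern = svc["serviceId"]
    try:
        re.compile(pattern)
    except re.error as exc:
        problems.append(f"error: serviceId is not a valid regex ({exc})")
    # serviceId is a regex matched against the whole service URL; in the host
    # part an unescaped '.' matches any character, not only a literal dot.
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if re.search(r"(?<!\\)\.", host):
        problems.append(f"warning: unescaped '.' in serviceId host part {host!r}")
    allowed = svc.get("attributeReleasePolicy", {}).get("allowedAttributes")
    if allowed is not None and not (
        isinstance(allowed, list) and len(allowed) == 2
        and allowed[0] in JAVA_COLLECTION_TYPES and isinstance(allowed[1], list)
    ):
        problems.append("error: allowedAttributes must be [javaCollectionType, [names]]")
    return problems


def check_registry(files):
    """Validate {file name: JSON text}; return (ids, problems): the sorted ids
    a clean import would create (files with errors left out) and
    'file: problem' strings in file-name order."""
    seen, problems = {}, []           # seen: id -> first file that used it
    for name in sorted(files):
        try:
            svc = json.loads(files[name])
        except json.JSONDecodeError as exc:
            problems.append(f"{name}: error: invalid JSON ({exc})")
            continue
        found = check_service(svc)
        sid = svc.get("id") if isinstance(svc, dict) else None
        if sid in seen:
            found.append(f"error: duplicate id {sid} (first used in {seen[sid]})")
        problems.extend(f"{name}: {p}" for p in found)
        if not any(p.startswith("error:") for p in found):
            seen[sid] = name
    return sorted(seen), problems


def check_directory(directory):
    """Run check_registry over every *.json file in a service registry directory."""
    paths = Path(directory).glob("*.json")
    return check_registry({p.name: p.read_text(encoding="utf-8") for p in paths})
```

Run check_directory("/etc/cas/services") before Step 5 and compare the returned ids with what the Mongo collection holds after the first start-up.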


On Wed, Apr 17, 2019 at 7:04 AM Richard Nicholas <
richardnichola...@gmail.com> wrote:

> I've got a demo cas instance which worked well using JSON service
> registries, but I want to migrate the registry to DynamoDB (among other
> things to deliver a HA solution.)
>
> What's not entirely clear is how I convert the JSON files into objects
> that can be put into the database.
>
> I see there is an id field, which is a string.
>
> I just need to know how a JSON file like below:
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "http://localhost:8080/.*",
>   "name" : "Jenkins",
>   "id" : 1,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", [ "name", "email", "groups" ] ]
>   }
> }
>
> translates into an item in the dynamoDB table, so I can load in the
> services.   I tried to see if loading the default service would cause it to
> be persisted into dynamoDB, but the database stays empty although the
> registry on cas shows one entry.
>
> Using the management console wasn't much help, as it wasn't clear to me
> how I create an object like the above (which also would not import).
>



Re: [cas-user] CAS Management - Collection of Attributes in Attribute Release Policy

2019-04-05 Thread David Curry
I'm afraid I don't know the answer to that one.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Apr 5, 2019 at 9:23 AM Fahmi L. Ramdhani <
fahmilestianramdh...@gmail.com> wrote:

>
> Can the configuration be dynamic? The example in the settings has several
> attributes (*Multi Row* attribute resolution). I hope CAS Management can
> take attributes based on the existing attributes (*attribute key*).
>
> Can it be like that?
> Thank you David
>
> Sent from my iPhone
>
> On 5 Apr 2019, at 18.45, David Curry  wrote:
>
> For CAS 5.2.x, you configure the "stub" attribute repository with all the
> attribute names you want the management app to be able to work with (add
> these to the management.properties file, not cas.properties):
>
> cas.authn.attributeRepository.stub.attributes.UDC_IDENTIFIER: UDC_IDENTIFIER
> cas.authn.attributeRepository.stub.attributes.cn:             cn
> cas.authn.attributeRepository.stub.attributes.displayName:    displayName
> cas.authn.attributeRepository.stub.attributes.givenName:      givenName
> cas.authn.attributeRepository.stub.attributes.mail:           mail
> cas.authn.attributeRepository.stub.attributes.sn:             sn
> cas.authn.attributeRepository.stub.attributes.uid:            uid
>
> I assume that's still the case with CAS 5.3.x and CAS 6.x, but it doesn't
> seem to be documented any longer.
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
> On Fri, Apr 5, 2019 at 4:01 AM Fahmi L. Ramdhani <
> fahmilestianramdh...@gmail.com> wrote:
>
>> Hello,
>>
>> How do I configure the attribute list in the Attribute Release Policy
>> (Return Allowed) in CAS Management? It only displays *uid, eppn* and
>> *givenName*, while the attributes available in the database are *uid,
>> email, username, nip, phone* and others. I want to display the array
>> list based on the available attributes.
>>
>> Thank you.
>> Fahmi
>>



Re: [cas-user] CAS 5.1.9 Mongodb ticket cleanup

2019-04-05 Thread David Curry
When we were using mongodb as our ticket repository (CAS 5.2.x), we just
took the default ticket registry cleaner that came out of the box, and it
worked pretty well.

However, mongodb itself as a ticket registry gave us some problems under
heavier load (like when a few thousand students were all logging in at the
same time to register for classes). We ended up moving to Hazelcast for our
ticket registry based on what other people on this list are doing, and it
performed much better (this week was registration).

As long as you have more than one server so you can replicate ticket
storage, there's really no need for tickets to be stored on disk. So unless
you have some other good reason for using mongodb to do it, I would
recommend using one of the memory-based caches instead.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Apr 4, 2019 at 11:32 AM Juan Quintanilla  wrote:

> Hi,
>
>
> We are testing CAS 5.1.9 with mongodb for the ticket registry and wanted
> to know if someone can provide some guidance on how you are performing
> ticket cleanup.
>
>
> Appreciate any suggestions on this setup.
>
>
> Thanks!
>
>
> ___
> Juan Quintanilla
> jquin...@fiu.edu
>



Re: [cas-user] CAS Management - Collection of Attributes in Attribute Release Policy

2019-04-05 Thread David Curry
For CAS 5.2.x, you configure the "stub" attribute repository with all the
attribute names you want the management app to be able to work with (add
these to the management.properties file, not cas.properties):

cas.authn.attributeRepository.stub.attributes.UDC_IDENTIFIER: UDC_IDENTIFIER
cas.authn.attributeRepository.stub.attributes.cn:             cn
cas.authn.attributeRepository.stub.attributes.displayName:    displayName
cas.authn.attributeRepository.stub.attributes.givenName:      givenName
cas.authn.attributeRepository.stub.attributes.mail:           mail
cas.authn.attributeRepository.stub.attributes.sn:             sn
cas.authn.attributeRepository.stub.attributes.uid:            uid

I assume that's still the case with CAS 5.3.x and CAS 6.x, but it doesn't
seem to be documented any longer.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Apr 5, 2019 at 4:01 AM Fahmi L. Ramdhani <
fahmilestianramdh...@gmail.com> wrote:

> Hello,
>
> How do I configure the attribute list in the Attribute Release Policy
> (Return Allowed) in CAS Management? It only displays *uid, eppn* and
> *givenName*, while the attributes available in the database are *uid,
> email, username, nip, phone* and others. I want to display the array list
> based on the available attributes.
>
> Thank you.
> Fahmi
>



Re: [cas-user] CAS 5.2 and AD - Auth fail for just one OU

2019-03-25 Thread David Curry
Just a quick off the cuff thought, but could there be a syntax error in the
properties file somewhere before the dn setting that's causing that line to
be misread?



David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.

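One way to look for the kind of slip David suggests, as an added example that is not from the thread or from CAS: a small linter that reads a properties file with java.util.Properties line rules and reports settings the loader accepts silently but reads differently from what was intended. The sample file is constructed, modelled on the AD settings quoted below, with three deliberate defects; its host and domain names are placeholders.

```python
"""Lint a cas.properties file for slips that make a later setting misread.

Applies java.util.Properties line rules (comments, key separators, backslash
continuation; \\uXXXX and other escapes are not decoded) and reports mistakes
that raise no error at start-up but change which settings are read.
"""
import re

# First unescaped '=', ':' or whitespace ends the key (java.util.Properties).
KEY_END = re.compile(r"(?<!\\)[=:\s]")

# Constructed sample, modelled on the AD settings quoted in the thread, with
# three deliberate defects: a trailing space after the dnFormat value, a stray
# backslash that glues the baseDn line onto userFilter, and a repeated key.
SAMPLE_PROPERTIES = "\n".join([
    "cas.authn.ldap[0].order:        1",
    "cas.authn.ldap[0].name:         Test Active Directory",
    "cas.authn.ldap[0].type:         AD",
    "cas.authn.ldap[0].ldapUrl:      ldaps://dc.example.edu",
    "cas.authn.ldap[0].dnFormat:     %s@example.edu ",
    "cas.authn.ldap[0].userFilter:   sAMAccountName={user}\\",
    "cas.authn.ldap[0].baseDn:       dc=example,dc=edu",
    "cas.authn.ldap[0].type:         AUTHENTICATED",
    "",
])


def _split(logical_line):
    """Split one logical line into (key, value) the way Properties does."""
    m = KEY_END.search(logical_line)
    if m is None:
        return logical_line, ""
    key, rest = logical_line[:m.start()], logical_line[m.end():]
    if m.group().isspace():
        # a whitespace separator may be followed by one optional '=' or ':'
        rest = rest.lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:]
    return key, rest.lstrip()      # trailing whitespace is part of the value


def parse_properties(text):
    """Return (entries, problems).

    entries: [(line_no, key, value)] in file order, after continuation joins.
    problems: 'line N: ...' strings for defects the loader accepts silently.
    """
    entries, problems, seen = [], [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line_no, raw = i + 1, lines[i].lstrip()
        i += 1
        if not raw or raw[0] in "#!":
            continue
        # An odd number of trailing backslashes continues onto the next line
        # (whose leading whitespace is dropped): the next setting disappears
        # into this value instead of being read as its own key.
        while (len(raw) - len(raw.rstrip("\\"))) % 2 == 1 and i < len(lines):
            raw = raw[:-1] + lines[i].lstrip()
            problems.append(f"line {line_no}: trailing backslash joins line {i + 1} "
                            "into this value")
            i += 1
        key, value = _split(raw)
        if value != value.rstrip():
            # Properties keeps trailing whitespace, so a bind DN or UPN suffix
            # with a space on the end never matches what the directory expects.
            problems.append(f"line {line_no}: trailing whitespace in value of {key}")
        if key.count("[") != key.count("]"):
            problems.append(f"line {line_no}: unbalanced brackets in key {key}")
        if key in seen:
            problems.append(f"line {line_no}: duplicate key {key} "
                            f"(first set at line {seen[key]}); the last one wins")
        seen.setdefault(key, line_no)
        entries.append((line_no, key, value))
    return entries, problems


if __name__ == "__main__":
    found, issues = parse_properties(SAMPLE_PROPERTIES)
    print("keys read:", [k for _, k, _ in found])
    print("\n".join(issues))
```

On the sample, baseDn never appears as a key at all: it has been swallowed into the userFilter value by the backslash on the line before it.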

On Mon, Mar 25, 2019, 17:08 Matthew Uribe  wrote:

> Hi everyone,
>
> I'm only just beginning to use AD with my CAS 5.2 deployment, and with the
> information in many previous posts here, I've been successful in
> authenticating users in CAS with their AD accounts. There is one exception,
> however, and that is the Active Students OU. Accounts in that OU fail to
> authenticate. If I move one of the accounts out of Active Students and into
> an OU where accounts are able to authenticate, they still can't
> authenticate. Likewise, accounts from any other OU, if moved into Active
> Students, do successfully authenticate. This leads me to believe that it
> must be something specific to those accounts, but I don't know what it
> would be.
>
> I initially used the following settings for AD in the cas.properties:
>
> cas.authn.ldap[1].order:1
> cas.authn.ldap[1].name: Test Empl Active Directory
> cas.authn.ldap[1].type: AD
> cas.authn.ldap[1].ldapUrl:  ldaps://testaimsdc1.test.aims.edu
> cas.authn.ldap[1].validatePeriod:   270
> cas.authn.ldap[1].poolPassivator:   NONE
> cas.authn.ldap[1].userFilter:   sAMAccountName={user}
> cas.authn.ldap[1].baseDn:   dc=test,dc=aims,dc=edu
> cas.authn.ldap[1].dnFormat: %s...@test.aims.edu
>
>
> This worked, as I said, for all accounts but those contained in Active
> Students.
>
> I've also tried configuring a connection for each OU, but the results are
> the same. I've tried different LDAP types, such as AUTHENTICATED, which
> also works, except for the Active Students accounts.
>
> The accounts in the Active Students OU are able to sign in to domain
> joined workstations with no problem, which has the AD team pointing to CAS
> as the issue, so I finally set the ldaptive log level to debug and found
> the following: When an affected user tries to sign in to CAS, these are
> some of the first lines to appear in the log:
>
> 2019-03-25 15:00:34,499 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
>  context=null]>
> 2019-03-25 15:00:34,499 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
> 
> 2019-03-25 15:00:34,502 DEBUG [org.ldaptive.SearchOperation] -  request=[org.ldaptive.SearchRequest@-1061412749::baseDn=,
> searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*),
> parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S,
> sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null,
> sortBehavior=UNORDERED, searchEntryHandlers=null,
> searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@42336fb8],
> controls=null,
> referralHandler=org.ldaptive.referral.SearchReferralHandler@1b0ccd3c,
> intermediateResponseHandlers=null] with
> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1455399867
> ::config=[org.ldaptive.ConnectionConfig@904794016::ldapUrl=ldaps://
> testaimsdc1.test.aims.edu, connectTimeout=PT5S, responseTimeout=PT5S,
> sslConfig=[org.ldaptive.ssl.SslConfig@866800436::credentialConfig=null,
> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
> enabledCipherSuites=null, enabledProtocols=null,
> handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
> connectionInitializer=[org.ldaptive.BindConnectionInitializer@792450504::bindDn=cn=svc-ri-ad,ou=Service,ou=Users,ou=Enterprise
> Support,dc=test,dc=aims,dc=edu, bindSaslConfig=null, bindControls=null],
> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@5542e5a6],
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1596835154
> ::metadata=[ldapUrl=ldaps://testaimsdc1.test.aims.edu, count=1],
> environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
> com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000},
> classLoader=null,
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@792845762::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={},
> controlProcessor=org.ldaptive.provider.ControlProcessor@21226762,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null,
> hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@1b1dc06c]>
> .
> .
> .
> 

Re: [cas-user] Migrating from CAS 3.5.2 to CAS 6.1.0

2019-03-18 Thread David Curry
1. If you're only using a single server, then you don't need a ticket
registry at all beyond the in-memory one that CAS uses by default. If
you're using multiple servers, then the ticket registry lets the servers
cross-validate each others' issued tickets. But there is no need for this
registry to reside on disk, so disk-based databases are kind of overkill
for the problem.

Up until this morning, we were using MongoDB for our ticket registry
(because it had replication and we were already using it for the service
registry). Yeah, it worked just fine most of the time. But we had problems
last fall when class registration was going on (lots and lots of people
logging in at the second the window opens). People would log in and get
their TGT, but then when the target application came back to validate the
TGT it would fail, because the data hadn't made it to disk yet. This could
"probably" be fixed with some advanced performance tuning of our MongoDB
setup, but we don't have a MongoDB wizard, and Mongo's documentation of the
topic frankly sucks.

So instead, based on the experiences of some other members of this group
with volumes much, much higher than ours, we are as of this morning using
Hazelcast on our production CAS servers (we've been running it for a few
weeks in test). It was dead simple to configure across our five CAS
servers, and so far anyway, it seems to be working fine. Registration opens
in a few weeks, so we'll know more then, but we're anticipating that it
will be better.

2. For MongoDB, most of these settings are on the MongoDB side (in its config
file), not the CAS side. But it may be different for other databases.

3. I don't think there's a right answer here; both methods work fine, and
people are doing both today. IMHO external Tomcat is better because you get
more control over the configuration and you can deploy multiple apps (CAS
and CAS-management, for example) to the same server. But there are good
arguments for the embedded option, too. Use whichever way you're more
comfortable with, or fits into your system/application management processes
better.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Mar 18, 2019 at 10:59 AM The Jej  wrote:

> Hello everyone,
>
> I'm planning to upgrade our (very) old CAS 3.5.2 to the latest version
> 6.1.x.
> Since 3.5.x a lot has changed. I managed to get a development version
> working, but I'm a little bit confused on some aspects.
>
> Before thinking of pushing a version to production, I would like to make
> sure I have covered all my needs.
>
> Here is a quick summary of how we're using CAS:
>
> We're using CAS for students to access our different applications. Most of
> the time we only use 1 server.
>
> There is 1 month where we are publishing some competitive examination
> results, and during that period our host adds a second CAS server. Load
> balancing is managed by an F5 load balancer.
>
> Our current configuration uses Oracle to retrieve user/password and to
> share tickets (TGT / ST ...).
>
>
> What I've done so far with CAS 6.1.x:
>
> - Getting the default overlay to work :)
> - Configuring my database, which is Oracle (using cas.authn.jdbc.query[0].x
> config), to retrieve login/password
> - Enabled JSON services and created a service for my apps
> - Using a custom theme for my services
>
> I keep reading as much as I can on CAS and common uses, so I have come up
> with several questions:
>
> 1. Ticket registry management:
>
> If I understand correctly, if I want to make things work like we have
> today, I have to configure a JPA ticket registry.
> I've read that a lot of CAS users are using Hazelcast for the ticket
> registry.
>
> Is it a better way to go? If so, do I have to install Hazelcast IMDG on the
> server itself?
>
> 2. Performance optimization: Are there common optimization params that can
> be set to optimize database access?
>
> 3. For production, is it preferred to use an embedded Tomcat or a generated
> cas.war deployed on a Tomcat instance?
>
> 4. Have I missed something important? :)
>
> Thanks for your help !
>
> Jeremy
>


Re: [cas-user] Re: Which ticket repository are you using?

2019-02-27 Thread David Curry
Thanks to everyone who responded to this thread. I switched our dev servers
over to a Hazelcast  ticket registry (keeping MongoDb for the service
registry) this afternoon, and assuming no problems, we'll gradually move it
from dev to test to production.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Feb 26, 2019 at 12:12 PM Drew Liscomb 
wrote:

> Hi Dave,
>
> We are shifting our SSO to AWS, so our current config is first, and our
> intended configuration is after the arrow.
>
>1. Hazelcast -> Redis
>2. 2 -> 2?
>3. 2 -> 1
>4. Same VM -> Different
>5. ServiceTicket validations: >150k /day on the busiest day in the
>past 7 days
>6. Currently, the ticket registry is ephemeral intentionally through
>Hazelcast.  Getting it configured isn't hard, but it can be complicated.
>We're moving to Redis because the auto-discovery requirements don't play
>well in AWS.
>
> So, to answer your real query, I would recommend Hazelcast.  The in-memory
> aspect gives us the performance needed.  Furthermore, we have a load
> balancer that pins each IP to a single CAS node with a 'sticky session'
> cookie.  That way, the TGT & ST are 'right there' for any return trips.
>
> Kind regards,
> Drew
>



Re: [cas-user] Re: DUO MFA Issues

2019-02-22 Thread David Curry
Just passing along that we heard back from Duo support late this afternoon
that the issue had been escalated to engineering and that a fix has now
been rolled out.

But given that it's late on Friday afternoon we're waiting until Monday to
try it, so I can't say for sure whether it's really been fixed or not.

--Dave


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.


On Fri, Feb 22, 2019, 11:55 atilling  wrote:

> For our institution it was first reported on the 19th around 5pm EST
> shortly after a server restart.
>
> On Friday, February 22, 2019 at 9:39:00 AM UTC-5, Mallory, Erik wrote:
>>
>> Hello,
>>
>> Yesterday about 3:30 CST Duo quit working for CAS, we contacted Duo
>> support and it was determined to be a problem with Duo, given the number of
>> educational institutions that were contacting Duo at the same time we were.
>> I’m starting a thread here if anyone cares to share any information and I
>> will share what information I have as we get it.
>>
>>
>>
>> Thanks,
>>
>> Erik Mallory
>>
>> Server Analyst
>>
>> Wichita State University
>>
>>
>>


Re: [cas-user] DUO MFA Issues

2019-02-22 Thread David Curry
It quit working for us (or at least we first received complaints) as well
around 3:30pm EST yesterday (2/21). We have a ticket open with Duo,
although I'm not aware that we've heard anything back from them yet. I'll
share anything we learn as well.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Feb 22, 2019 at 9:39 AM 'Mallory, Erik' via CAS Community <
cas-user@apereo.org> wrote:

> Hello,
>
> Yesterday about 3:30 CST Duo quit working for CAS, we contacted Duo
> support and it was determined to be a problem with Duo, given the number of
> educational institutions that were contacting Duo at the same time we were.
> I’m starting a thread here if anyone cares to share any information and I
> will share what information I have as we get it.
>
>
>
> Thanks,
>
> Erik Mallory
>
> Server Analyst
>
> Wichita State University
>
>
>


Re: [cas-user] Re: How to register a service in CAS while using SAM2.0 protocol

2019-02-22 Thread David Curry
For SAML2 to work, you need a single entry like this in your service
registry:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas.example.org/cas/idp/profile/SAML2/Callback.+",
  "name" : "SAML Authentication Request",
  "id" : 12345678,
  "evaluationOrder" : 123
}


You do not need to have a registry entry for any other "/SAML2" path.

And then of course you need the service registry entry for the service
itself:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "http://www.workday.com/tenant",
  "name" : "Workday",
  "id" : 23456789,
  "description" : "Workday",
  "metadataLocation" : "/etc/cas/saml/sp-metadata/workday.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "uid" ]
  },
  "evaluationOrder" : 234
}

Or something like that.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Feb 22, 2019 at 7:07 AM Matthew Uribe 
wrote:

> I don't think you can use regex in the service id for SAML services. You
> have to specify the service name exactly.
>
> On Fri, Feb 22, 2019, 2:31 AM Pameliya Mukherjee <
> pameliya.mukherj...@gmail.com> wrote:
>
>> I am using CAS 5.3.8.
>>
>> I have created the service like below and kept the file in
>> etc\cas\services:
>>
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "^https://.+",
>>   "name" : "SAML Authentication Request",
>>   "id" : 20190219131300,
>>   "accessStrategy" : {
>>     "@class" : "org.apereo.cas.services.RemoteEndpointServiceAccessStrategy",
>>     "endpointUrl" : "https://cas.example.org/idp/profile/SAML2/Redirect/SSO",
>>     "acceptableResponseCodes" : "200,202"
>>   }
>> }
>>
>> CAS properties like:
>> cas.authn.samlIdp.entityId=https://cas.example.org/cas/idp
>> cas.authn.samlIdp.scope=example.org
>>
>>
>> On Friday, February 22, 2019 at 12:40:16 PM UTC+5:30, Pameliya Mukherjee
>> wrote:
>>>
>>> While I am hitting an endpoint like:
>>> "https://localhost:8443/cas/login?service=https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO=https://cas.org.example/cas/idp"
>>>
>>> I am getting error like:
>>>
>>> 2019-02-22 12:31:13,015 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - <Service Management: missing service. Service [https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO] is not found in service registry.>
>>> 2019-02-22 12:31:13,017 WARN [org.apereo.cas.services.web.RegisteredServiceThemeResolver] - <No registered service is found to match [AbstractWebApplicationService(id=https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO, originalUrl=https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] or access is denied. Using default theme [cas-theme-default]>
>>>
>>> *Please Help. I am new to this.*
>>>

Re: [cas-user] I am facing issue with CAS 3.4.11 to communicate with LDAP with TLS 1.2 enabled.

2019-01-30 Thread David Curry
Ray is right, the best answer is upgrade. But, assuming that's not an
immediate option...

I don't believe CAS 3.x had any of its own support for SSL/TLS; I think it
just relied on what the underlying Java JVM gave it. So... what version of
Java are you using?

TLSv1.2 was not supported in Java 6 until Update 111; it was supported in
Java 7, but not enabled by default until Update 131. Assuming you have a
version that supports TLSv1.2, you may need to start your Java process with
either

-Dhttps.protocols=TLSv1.2


or

-Djdk.tls.client.protocols=TLSv1.2


Sorry, I don't know which one of those you'll need (they affect different
things, so you should only need one or the other). I honestly don't know if
just setting one of those will solve your problem, but that's where I'd
start.

See this link for more info, but be aware that some of the settings here
can make things much LESS secure if you don't know what you're doing.
https://www.java.com/en/configure_crypto.html

Good luck,
--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, Jan 30, 2019 at 12:08 PM Ray Bon  wrote:

> Prashant,
>
> The simplest answer, upgrade.
>
> I started with CAS about 5 years ago and we were on 3.5. You may get lucky
> and someone here has a good memory.
> Is there any indication in the docs that this version of CAS supports TLS
> 1.2?
>
> Ray
>
> On Wed, 2019-01-30 at 00:31 -0800, prashant pokharna wrote:
>
> Hi Experts,
> Our project uses CAS 3.4.11 and I am trying to access an LDAP machine with
> only TLS 1.2 enabled, but it fails with the error
> " com.emc.csp.error.IOException: Could not connect to the LDAP server "
> If I disable TLS 1.2 and enable only 1.0, it works fine.
> Any suggestion how to make CAS 3.4.11 compatible with TLS 1.2?
>
> Thanks,
> Prashant.
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>


Re: [cas-user] Authentication Policies are documented, but do they work?

2019-01-17 Thread David Curry
Hi Daniel, thanks for your response. I spent a lot of time looking at
those. And although it's likely that we will ultimately need to write our
own policy or authentication handler, I was wanting to play with the
existing ones to see if we could do anything interesting with them.

But I was having difficulty getting them actually enabled with the
configuration file lines as described in the documentation. Running at
TRACE level in the authentication code, I was always seeing the "any"
policy getting run, and the "notPrevented" if it was enabled, but I never
saw any of the others getting executed, even if enabled. And the "any"
policy seems to run even if you explicitly set
"cas.authn.policy.any.enabled=false", which just seems wrong to me.

At the end of the day it may not matter as I don't think the existing
things will do what we want, but I haven't seen anything in the forum at
all about this stuff except one other unanswered question, so I was
wondering if there was anyone out there using it successfully.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, Jan 16, 2019 at 5:53 PM Daniel Ellentuck  wrote:

> Hi David,
>
> Take a look at: the authentication policy configuration in
> cas-server-core-authentication:
> org.apereo.cas.config.CasCoreAuthenticationPolicyConfiguration
>
> and the actual authentication policies in
> cas-server-core-authentication-api:
> org.apereo.cas.authentication.policy
> 
> and ensure you're clear on what the policies do. If you have a truly custom
> case, you may have to implement your own authentication policy and add it
> via the AuthenticationEventExecutionPlanConfigurer.  If not, could you
> describe what behavior you'd like to see and what you've done to effect it?
>
> (I'm referring to CAS v.5.3.7.)
> 
>
> Dan
>
>
> On Wed, Jan 16, 2019 at 3:23 PM  wrote:
>
>>
>> Has anyone figured out how to make Authentication Policies, as documented
>> here:
>>
>>
>> https://apereo.github.io/cas/5.2.x/installation/Configuring-Authentication-Components.html#authentication-policy
>>
>>
>> and here:
>>
>>
>> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#authentication-policy
>>
>>
>> actually work? I've been messing around with it for an entire day now,
>> and it seems to me that:
>>
>>1. You cannot DISABLE the "any" policy; you can only enable/disable
>>the "tryAll" option
>>2. You CAN enable the "notPrevented" policy, but you have no way to
>>control what it considers "Prevented"
>>3. You CANNOT enable the "all" or "allHandlers" policies
>>
>> We're running CAS 5.2.7, but I'll take answers for any version, at this
>> point.
>>
>> Thanks,
>> --Dave
>>

Re: [cas-user] username cas in CAS

2018-12-19 Thread David Curry
"Ellucian" - from the Latin for "software crap-fest" :-)

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, Dec 19, 2018 at 12:13 PM Jennifer LaVoie 
wrote:

> Actually, it did fix it for us in our previous version.  The gobumap table
> in Banner AND the AD SamAccountName had to be either both lower or both
> upper.
>
> In our new CAS version, all other Ellucian products work even though we
> made no changes in their .json service files.  This one app was the only
> problem, and it's now fixed.
>
> I swear, I am not lying  :)
>
> On Wed, Dec 19, 2018 at 12:09 PM Richard Frovarp 
> wrote:
>
>> No, changing it in AD will not fix it. The username attribute matches the
>> case provided by the user, unless you change it with CAS config. The cn,
>> sAMAccount name and similar will follow what is returned by AD. The problem
>> you were seeing with it changing case as you did, affects the username
>> attribute to all services by default. So either those services are using
>> something that is being returned as an attribute from AD, are doing the
>> fixup on their own, don't really need a particular case, or the service
>> definition is remapping what the username attribute is.
>>
>> On 12/19/18 11:04 AM, Jennifer LaVoie wrote:
>>
>> Hi Richard
>>
>> We actually addressed this in our old version of CAS by changing our
>> usernames in AD to be UPPER CASE.  All the other Ellucian apps work...it
>> was just this particular one.  But now that is also working...
>>
>> it's a bit maddening to be sure.
>>
>> Jen
>>
>> On Wed, Dec 19, 2018 at 11:51 AM Richard Frovarp <
>> richard.frov...@ndsu.edu> wrote:
>>
>>> That will take care of it for the service, which will solve your problem
>>> here. However, the case of the username matches the case that the user
>>> entered it in at that time. So if you have applications storing information
>>> based off of the username attribute, and they are using a case sensitive
>>> way of looking them up in say Oracle (which is case sensitive), they are
>>> brittle. Those applications are dependent on the user entering their
>>> username in with matching case each time. You can address that by globally
>>> setting some sort of consistency across CAS. Of course any application in
>>> the current brittle mode will have problems, but it's best to address them
>>> early. I've been bit by this in the past. You can use the piece below to
>>> address differences in services. Either way, they shouldn't be subject to
>>> the user's casing at that instance.
>>>
>>>
>>> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-password-encoding--principal-transformation
>>>
>>> On 12/19/18 10:48 AM, Tom O'Neill wrote:
>>>
>>> Jen,
>>>
>>>
>>>
>>> You need something like this in the service provider JSON:
>>>
>>>
>>>
>>> "usernameAttributeProvider" : {
>>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>>>   "canonicalizationMode" : "UPPER"
>>> }
>>>
>>>
>>>
>>> The canonicalizationMode: “UPPER” should do the trick.
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>>
>>> *Tom*
>>>
>>>
>>>
>>> *From:* cas-user@apereo.org   *On
>>> Behalf Of *Jennifer LaVoie
>>> *Sent:* Wednesday, December 19, 2018 11:20 AM
>>> *To:* CAS Community  
>>> *Subject:* [cas-user] username cas in CAS
>>>
>>>
>>>
>>> Hello Everyone
>>>
>>>
>>>
>>> We have 1 app that wants the username returned in UPPERCASE.  We have
>>> the attribute set to pull SamAccountName and in AD, that is UPPER
>>> CASE...but when I log into CAS with lower case, it is passing my username
>>> to the app in lower case...when I log in as upper case, it passes to the
>>> app in upper case...how can I fix this?
>>>
>>>
>>>
>>> Thank you
>>>
>>> Jen
>>>

Re: [cas-user] Pulse Secure VPN SAML2 SP to CAS SAML2 IdP?

2018-12-13 Thread David Curry
Thanks, Andres! That was exactly the problem.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Dec 13, 2018 at 10:43 AM Andres Rattur 
wrote:

> Hi Dave,
>
> Yes, we are using this combination: Pulse Secure VPN + CAS as SAML2 IdP
> and it works well.
>
> If this highlighted string from the log is exactly the same as in your
> service registry id, then perhaps the problem is the question mark; it has
> to be escaped:
> As-Is: "serviceId" : "^https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi?p=sp1"
> To-Be: "serviceId" : "^https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi\\?p=sp1"
>
> From documentation:
> https://apereo.github.io/cas/5.2.x/installation/JSON-Service-Management.html
>
> "If the service is defined as a regular expression, certain regex
> constructs such as "." and "\d" need to be doubly escaped."
>
> With best regards,
> Andres
>
> Kontakt  wrote on Thu, 13 December 2018 at 17:13:
>
>> Has anyone managed to configure their Pulse Secure VPN as a SAML2 SP to
>> use CAS as a SAML2 IdP?
>>
>> I've got (according to the documentation) all the configuration bits on
>> the Pulse Secure box set up, and I've put an entry into the CAS service
>> registry for a SAML2 service with the correct entityId.
>>
>> And when I access the VPN endpoint that's supposed to go to CAS, it does
>> indeed redirect to the CAS server. But CAS fails with:
>>
>> 2018-12-13 09:56:25,661 WARN
>> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
>> - <[https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi?p=sp1] is
>> not found in the registry or service access is denied. Ensure service is
>> registered in service registry>
>>
>> despite the fact that the string highlighted above is exactly what's
>> listed in the service registry and as the entityId in the metadata
>> downloaded from the Pulse Secure appliance. I have also tried with the
>> entityId set to that string minus the "?p=sp1" bit (because depending on
>> where you download the metadata from in the Pulse UI, it's either a part of
>> the entityId or it's not), but the string in the warning message is always
>> the same.
>>
>> Clearly I'm missing something fundamental here, but turning on DEBUG
>> logging on the CAS server doesn't offer any clues, nor do the logs on the
>> Pulse.
>>
>> Any ideas / answers / guesses appreciated...
>>
>> CAS 5.2.7 / Pulse 8.2R3.1
>>
>> Thanks,
>> --Dave
>>

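Andres's fix above, and the two registry entries in the "How to register a service in CAS while using SAM2.0 protocol" message earlier on this page, come down to the same thing: a serviceId is a regular expression, so a "?" or "." copied verbatim from a URL or entityID does not mean what the author intended, and the log line "is not found in the registry or service access is denied" is the only symptom. The following is an added example (my code, not CAS project code) that lints JSON service definitions the way a file-based registry would read them. The VPN entityID and file names are constructed, and re.search only approximates how CAS evaluates the pattern; the field names are the ones used in the messages on this page.

```python
"""Lint CAS JSON service definitions before they reach the service registry.

Added example, not CAS project code. It checks the fields the registry
entries on this page use, compiles serviceId as the regex CAS treats it as,
and flags an unescaped '?' or '.' copied verbatim from a URL or entityID.
The VPN entityID below is constructed, and re.search only approximates how
CAS matches a serviceId pattern.
"""
import json
import re
from pathlib import Path
from typing import Dict, List

REQUIRED_FIELDS = ("@class", "serviceId", "name", "id")
SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"


def _unescaped(pattern: str, ch: str) -> List[int]:
    """Indexes of `ch` in `pattern` that are not preceded by a backslash."""
    return [i for i, c in enumerate(pattern)
            if c == ch and (i == 0 or pattern[i - 1] != "\\")]


def lint_definition(text: str, source: str = "<inline>") -> List[str]:
    """Problems found in one definition; an empty list means it is clean."""
    problems: List[str] = []
    try:
        svc = json.loads(text)
    except json.JSONDecodeError as exc:  # trailing comma, ';' where a '"' belongs, ...
        return [f"{source}: error: not valid JSON ({exc.msg} at line {exc.lineno})"]
    for field in REQUIRED_FIELDS:
        if field not in svc:
            problems.append(f"{source}: error: missing required field '{field}'")
    if "id" in svc and not isinstance(svc["id"], int):
        problems.append(f"{source}: error: 'id' must be a number, got {svc['id']!r}")
    if svc.get("@class") == SAML_CLASS and "metadataLocation" not in svc:
        problems.append(f"{source}: error: SAML service without 'metadataLocation'")
    sid = svc.get("serviceId")
    if isinstance(sid, str):
        try:
            re.compile(sid)
        except re.error as exc:
            return problems + [f"{source}: error: serviceId is not a valid regex ({exc})"]
        # '?' makes the preceding character optional, so a literal query string
        # such as 'cgi?p=sp1' can never match: the exact failure in the thread.
        if _unescaped(sid, "?"):
            problems.append(f"{source}: error: serviceId has an unescaped '?'; "
                            "write \\\\? in the JSON for a literal question mark")
        # A bare '.' still matches, but it matches any character, so the pattern
        # is looser than the URL it came from. Heuristic: a dot followed by a
        # letter or digit is treated as a hostname dot that was meant literally.
        loose = [i for i in _unescaped(sid, ".") if i + 1 < len(sid) and sid[i + 1].isalnum()]
        if loose:
            problems.append(f"{source}: warning: {len(loose)} unescaped '.' in serviceId "
                            "match any character; write \\\\. for a literal dot")
    return problems


def matches(entity_id: str, service_id: str) -> bool:
    """Approximation of CAS matching a SAML entityID against a serviceId regex."""
    return re.search(service_id, entity_id) is not None


def service_id_of(text: str) -> str:
    """The serviceId string as the regex engine sees it after JSON decoding."""
    return json.loads(text)["serviceId"]


def lint_definitions(defs: Dict[str, str]) -> List[str]:
    """Lint several definitions (file name -> JSON text) and flag duplicate ids."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for name, text in defs.items():
        problems.extend(lint_definition(text, name))
        try:
            sid = json.loads(text).get("id")
        except json.JSONDecodeError:
            continue
        if isinstance(sid, int) and sid in seen:
            problems.append(f"{name}: error: duplicate id {sid} (also used by {seen[sid]})")
        elif isinstance(sid, int):
            seen[sid] = name
    return problems


def lint_directory(path: Path) -> List[str]:
    """Lint every *.json file in a registry directory such as /etc/cas/services."""
    return lint_definitions({p.name: p.read_text() for p in sorted(path.glob("*.json"))})


# Constructed sample: the 'As-Is' and 'To-Be' forms of a VPN SP, as in the thread.
ENTITY_ID = "https://vpn.example.edu/dana-na/auth/saml-endpoint.cgi?p=sp1"
AS_IS = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^https://vpn.example.edu/dana-na/auth/saml-endpoint.cgi?p=sp1",
  "name" : "VPN",
  "id" : 1001,
  "metadataLocation" : "/etc/cas/saml/sp-metadata/vpn.xml"
}"""
TO_BE = AS_IS.replace("cgi?p=sp1", "cgi\\\\?p=sp1")  # JSON text cgi\\?p=sp1 -> regex cgi\?p=sp1
CLEAN = TO_BE.replace("vpn.example.edu", "vpn\\\\.example\\\\.edu").replace("endpoint.cgi", "endpoint\\\\.cgi")

if __name__ == "__main__":
    for label, text in (("as-is", AS_IS), ("to-be", TO_BE), ("clean", CLEAN)):
        print(f"{label}: matches entityID = {matches(ENTITY_ID, service_id_of(text))}")
        for problem in lint_definition(text, label):
            print("  " + problem)
```

Running it shows the As-Is pattern failing to match its own entityID while the To-Be and fully escaped forms match; the unescaped-dot check is only a warning because such a pattern still works, it just also accepts hosts it was never meant to. Pointing lint_directory at the directory the JSON registry loads from catches the trailing comma and the duplicate id before CAS silently skips the file.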

Re: [cas-user] Runtime memory is used as the persistence storage

2018-12-06 Thread David Curry
By default, the CAS server keeps the service registry in memory. So if you
make changes to it, and then shut down or restart the server, all your
changes will be lost.

You should look into setting up a JSON (file-based) service registry at a
minimum, or a more flexible one based on some sort of database, such as
MongoDB or MySQL or whatever.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Dec 6, 2018 at 6:04 AM Emmanuel Chukwu 
wrote:

> Dear All,
> Please what is the implication of this warning in the catalina.out log of
> new CAS installation and what do I do to clear it?
>
> WARN [org.apereo.cas.config.CasCoreServicesConfiguration] - 
>


Re: [cas-user] Httpt 404 Error while trying to access CAS login page

2018-12-05 Thread David Curry
Check your Tomcat logs (especially catalina.out) -- did the CAS server
successfully start?

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, Dec 5, 2018 at 12:31 PM Emmanuel Chukwu 
wrote:

> Dear all,
> Please I need help.
> I just installed CAS using David's notes: :
> https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html
>
> I tried to access the login page through https://:8443/cas/login
> but it is giving 404 error
>
> HTTP Status 404 – Not Found
> --
>
> *Type* Status Report
>
> *Message* /cas/login
>
> *Description* The origin server did not find a current representation for
> the target resource or is not willing to disclose that one exists.
> --
> Apache Tomcat/8.5.35
>
>
> Tomcat is installed and loading very well at
> https://:8443
>
> What could be the problem?
>


Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
So while I'm eating lunch I did a bit of fiddling around...

It looks like you can do:

openssl genrsa -des3 -out tmp.key 2048


When it prompts for a password, enter "" (or whatever, just remember
it). This gives you an encrypted key file. Then run:

openssl rsa -in tmp.key -out server-signing.key


and enter the password again. This gives you an unencrypted key. Then you
can run:

openssl req -key server-signing.key -new -x509 -days 3650 -subj /CN=server.domain.com -out server-signing.crt


And you'll get a certificate that seems to resemble what CAS creates.

I haven't tried actually feeding these to CAS to see if it likes them, but
looking at them with openssl, they seem to have the same properties, except
that the one I generated as above has this X509v3 Extension:

X509v3 Basic Constraints:
CA:TRUE

that the CAS-generated one doesn't have. You can make that go away with an
OpenSSL config file, but the syntax of those things is (apparently) beyond
me. Left as an exercise to the reader. :-)

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Dec 4, 2018 at 12:55 PM Curtis Ruck  wrote:

> This works though: openssl rsa -in test2.pem -out test3.pem
>
> It properly converts from PKCS#8 into PKCS#1, which then triggers BC to
> return a PEMKeyPair object.
>
>
> On Tuesday, December 4, 2018 at 12:16:43 PM UTC-5, rbon wrote:
>>
>> Curtis,
>>
>> Will this work:
>> https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files
>>
>> Ray
>>
>> On Tue, 2018-12-04 at 08:59 -0800, Curtis Ruck wrote:
>>
>> Does anyone know how to generate the idp-signing.key/crt with openssl?
>> It seems CAS is hardcoded to expect a PEMKeyPair object coming out of
>> PEMParser, but I can't figure out how to use OpenSSL to generate an
>> appropriate key file.
>>
>> Yes, CAS generates it fine, using bouncycastle, but I have to generate
>> these keys/certificates outside of CAS so I can distribute the trust to the
>> various SAML 2.0 applications.
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b4ac43b2-ba8f-43a6-bd49-921ebb32f176%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAMAQMDK5vjTrbv5-vgiAVGWofTyjQGa2YQujq3uiiT6wg%40mail.gmail.com.
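Curtis's observation above (that `openssl rsa -in test2.pem -out test3.pem` turns a PKCS#8 file into PKCS#1, after which BouncyCastle's PEMParser returns a PEMKeyPair) is worth seeing in bytes. The block below is an added example, not code from the thread, from CAS or from BouncyCastle. It builds a toy RSAPrivateKey from textbook numbers (p=61, q=53; NOT a usable key, constructed only so the structure is visible), wraps it in the PKCS#8 PrivateKeyInfo envelope that `openssl genpkey` and OpenSSL 3's `genrsa` write ("BEGIN PRIVATE KEY"), and then strips that envelope the way `openssl rsa` does for an unencrypted key ("BEGIN RSA PRIVATE KEY"). The label-to-return-type table reflects how bcpkix's PEMParser dispatches on the BEGIN label; that mapping is stated from knowledge of the library, not from the page.

```python
# Added example, not code from the thread, CAS or BouncyCastle. Toy key material only.
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    """Minimal INTEGER encoding for a non-negative value (leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)

def read_tlv(buf, pos=0):
    """Return (tag, contents, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def toy_pkcs1_der():
    # RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }; textbook values.
    fields = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]
    return tlv(0x30, b"".join(der_int(f) for f in fields))

def wrap_pkcs8(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier rsaEncryption, OCTET STRING key }."""
    algorithm = tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    return tlv(0x30, der_int(0) + algorithm + tlv(0x04, pkcs1_der))

def unwrap_pkcs8(pkcs8_der):
    """The conversion `openssl rsa` performs on an unencrypted PKCS#8 RSA key."""
    tag, body, _ = read_tlv(pkcs8_der)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, version, pos = read_tlv(body)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, algorithm, pos = read_tlv(body, pos)
    if tag != 0x30 or not algorithm.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, inner, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return inner

def to_pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def pem_body(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def pem_kind(pem):
    """What PEMParser hands back for each BEGIN label; only PKCS#1 yields a PEMKeyPair."""
    match = re.match(r"-----BEGIN ([A-Z ]+)-----", pem)
    return {
        "RSA PRIVATE KEY": "PKCS#1 -> PEMKeyPair",
        "PRIVATE KEY": "PKCS#8 -> PrivateKeyInfo",
        "ENCRYPTED PRIVATE KEY": "PKCS#8 -> PKCS8EncryptedPrivateKeyInfo",
    }.get(match.group(1) if match else None, "unknown")

def convert_to_pkcs1_pem(pkcs8_pem):
    """Equivalent of `openssl rsa -in test2.pem -out test3.pem` for an unencrypted key."""
    return to_pem("RSA PRIVATE KEY", unwrap_pkcs8(pem_body(pkcs8_pem)))
```

Running `pem_kind()` over the key file CAS is about to load is a cheap pre-flight check before a deployment: a "BEGIN PRIVATE KEY" header tells you in advance that the PEMParser result will not be the PEMKeyPair the factory bean expects.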


Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
1,000 CAS servers. Ow. :-)


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Dec 4, 2018 at 12:31 PM Curtis Ruck  wrote:

> Dave,
>
> Keys generated/signed by CA, plus we need a 100% automated solution. We
> don't just have 1 CAS server, we have 1,000 or so, and they each need
> unique keys. Our CAS use case is unique, in that we essentially run CAS
> w/applications at the edge of the network, with extremely poor
> communications back up to a centralized enterprise; so we have to automate
> as much as possible.
>
> Ideally, I'd just submit a couple PRs to make the PrivateKeyFactoryBean
> handle multiple outputs from the PEMParser, but I'm working against a tight
> schedule, and can't wait for a CAS release at the moment.
>
> On Tuesday, December 4, 2018 at 12:12:29 PM UTC-5, David Curry wrote:
>>
>> This doesn't really answer your question (I don't know the answer), but
>> can't you just start CAS and let it generate the keys (they end up in
>> /etc/cas/saml), then stop CAS and copy the keys somewhere for
>> safekeeping/redistribution?
>>
>> For our installation with multiple CAS servers behind a load balancer
>> that's what I did, and copied the keys into the Maven overlay's
>> etc/cas/saml directory. Then when I install everything, I end up with the
>> same keys (and metadata) on all the servers. And we've uploaded them to a
>> SAML SP here and there, as well. Seems to work fine, so far.
>>
>> Or do you need to use keys generated/signed by your CA or something?
>>
>> --Dave
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david...@newschool.edu
>>
>>
>> On Tue, Dec 4, 2018 at 11:59 AM Curtis Ruck  wrote:
>>
>>> Does anyone know how to generate the idp-signing.key/crt with openssl?
>>> It seems CAS is hardcoded to expect a PEMKeyPair
>>> <https://github.com/apereo/cas/blob/5.3.x/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/crypto/PrivateKeyFactoryBean.java#L57>
>>>  object
>>> coming out of PEMParser, but I can't figure out how to use OpenSSL to
>>> generate an appropriate key file.
>>>
>>> Yes, CAS generates it fine, using bouncycastle, but I have to generate
>>> these keys/certificates outside of CAS so I can distribute the trust to the
>>> various SAML 2.0 applications.
>>>

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPGDviiQh%3DiSq8SqOnYsyVjAmXouBQ2EV5yapcgOSBvvA%40mail.gmail.com.


Re: [cas-user] saml2.0 - idp-signing.key creation

2018-12-04 Thread David Curry
This doesn't really answer your question (I don't know the answer), but
can't you just start CAS and let it generate the keys (they end up in
/etc/cas/saml), then stop CAS and copy the keys somewhere for
safekeeping/redistribution?

For our installation with multiple CAS servers behind a load balancer
that's what I did, and copied the keys into the Maven overlay's
etc/cas/saml directory. Then when I install everything, I end up with the
same keys (and metadata) on all the servers. And we've uploaded them to a
SAML SP here and there, as well. Seems to work fine, so far.

Or do you need to use keys generated/signed by your CA or something?

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Dec 4, 2018 at 11:59 AM Curtis Ruck  wrote:

> Does anyone know how to generate the idp-signing.key/crt with openssl?  It
> seems CAS is hardcoded to expect a PEMKeyPair object
> coming out of PEMParser, but I can't figure out how to use OpenSSL to
> generate an appropriate key file.
>
> Yes, CAS generates it fine, using bouncycastle, but I have to generate
> these keys/certificates outside of CAS so I can distribute the trust to the
> various SAML 2.0 applications.
>

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAO%2BJtqRL2x6yLSy0Y3RDdYY%2BhLURhs%2BanP_yRry%3DEpVZg%40mail.gmail.com.


Re: [cas-user] Protect Single Page application using mod_auth_cas

2018-12-04 Thread David Curry
Directory works fine with mod_auth_cas. For example, I usually use some
variation on this for /etc/httpd/conf.d/cas.conf:

LoadModule auth_cas_module modules/mod_auth_cas.so

# The directory path below is a placeholder; the original post's path did not
# survive the list archive.
<Directory "/var/www/html/YOUR_PROTECTED_DIR">
    AuthType        CAS
    CASAuthNHeader  On
    Require valid-user
</Directory>

CASLoginUrl       https://casdev.newschool.edu/cas/login
CASValidateUrl    https://casdev.newschool.edu/cas/samlValidate
CASCookiePath     /var/cache/httpd/mod_auth_cas/
CASValidateSAML   On
CASSSOEnabled     On
CASDebug          Off

And there's no need to limit yourself to one Directory section... I
actually have three of them on this server (the different directory names
produce different URLs for different service registry entries with
different settings).

Note: if you don't need attribute values returned from the CAS server, you
can use "serviceValidate" instead of "samlValidate" on the CASValidateUrl,
and get rid of the CASAuthNHeader setting.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Dec 4, 2018 at 10:44 AM Shankaranand Bahushrutham <
sbahushrut...@mercuryinsurance.com> wrote:

> Thanks. This is very informative. I was under the assumption that
> mod_auth_cas will understand only Location. Does this mean mod_auth_cas can
> act on Directory as well?
>
> On Monday, December 3, 2018 at 3:53:28 PM UTC-8, dhawes wrote:
>>
>> The order of these directives matters. You may want to review:
>>
>> http://httpd.apache.org/docs/current/sections.html#merging
>>
>> We'd need more config to tell what's going on in your case.
>> On Fri, 30 Nov 2018 at 19:46, Shankaranand Bahushrutham
>>  wrote:
>> >
>> >
>> > I have 2 single page applications developed in Angular 6. I want to
>> protect one of them with CAS and the other one should not be protected. In
>> the Apache web server, I have them under the htdocs folder with the names 'unsecured'
>> and 'secured'. Below is my mod_auth_cas configuration and it isn't working.
>> It protects fine if I give  but the problem is
>> that it protects the unsecured app as well.
>> >
>> > <Location /secured>
>> >   AuthType CAS
>> >   Require valid-user
>> >   CASAuthNHeader sm_user
>> >   CASScope /secured
>> > </Location>
>> >
>> > I have a rewrite rule to rewrite /* to /secured and another rule
>> /unsecured to /unsecured (this is placed above the /* so that unsecured
>> rule executes first)
>> >
>> > Please advise the right configuration
>> >

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAOTVss9RL8MJEdtGKeib%3Dw0sN-gEgs7oyJVW5r1cjhwug%40mail.gmail.com.
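Dave's note about CASValidateUrl (samlValidate when you need attributes, serviceValidate when you only need the username) comes down to what the two validation responses carry. The block below is an added example, not code from the thread or from mod_auth_cas: it parses a constructed CAS 2.0 serviceValidate success response, a constructed serviceValidate failure, and a constructed samlValidate (SAML 1.1 over SOAP) response, returning the authenticated user and, for samlValidate only, the released attributes. The sample documents, the username and the attribute values are all made up for the example; the namespaces are the standard CAS and SAML 1.1 ones.

```python
# Added example, not from the thread or from mod_auth_cas. Sample responses are constructed.
import xml.etree.ElementTree as ET

CAS = "http://www.yale.edu/tp/cas"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

SERVICE_VALIDATE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>curryd</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

SERVICE_VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-EXAMPLE' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

SAML_VALIDATE_OK = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
            xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1">
   <Status><StatusCode Value="samlp:Success"/></Status>
   <saml:Assertion MajorVersion="1" MinorVersion="1" Issuer="casdev.example.edu">
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
     <saml:Subject><saml:NameIdentifier>curryd</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
    <saml:AttributeStatement>
     <saml:Subject><saml:NameIdentifier>curryd</saml:NameIdentifier></saml:Subject>
     <saml:Attribute AttributeName="givenName" AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <saml:AttributeValue>David</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute AttributeName="memberOf" AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>it</saml:AttributeValue>
     </saml:Attribute>
    </saml:AttributeStatement>
   </saml:Assertion>
  </Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

class ValidationFailure(Exception):
    """Raised when the CAS server did not vouch for the ticket."""

def parse_service_validate(xml_text):
    """CAS 2.0 /serviceValidate: (user, {}) on success; the 2.0 shape carries no attributes."""
    root = ET.fromstring(xml_text)
    failure = root.find("{%s}authenticationFailure" % CAS)
    if failure is not None:
        raise ValidationFailure("%s: %s" % (failure.get("code"), (failure.text or "").strip()))
    user = root.findtext("{%s}authenticationSuccess/{%s}user" % (CAS, CAS))
    if not user:
        raise ValidationFailure("response has neither authenticationSuccess/user nor authenticationFailure")
    return user, {}

def parse_saml_validate(xml_text):
    """CAS /samlValidate: SAML 1.1 Response in a SOAP envelope; (user, {name: [values]})."""
    root = ET.fromstring(xml_text)
    status = root.find(".//{%s}StatusCode" % SAMLP)
    if status is None or not status.get("Value", "").endswith("Success"):
        raise ValidationFailure("SAML status %s" % (status.get("Value") if status is not None else "missing"))
    user = root.findtext(".//{%s}AuthenticationStatement/{%s}Subject/{%s}NameIdentifier" % (SAML, SAML, SAML))
    if not user:
        raise ValidationFailure("no NameIdentifier in AuthenticationStatement")
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.findall("{%s}AttributeValue" % SAML)]
    return user, attrs

def outcome(parser, xml_text):
    """Uniform result for callers: ("ok", user, attrs) or ("fail", reason)."""
    try:
        user, attrs = parser(xml_text)
        return ("ok", user, attrs)
    except ValidationFailure as exc:
        return ("fail", str(exc))
```

The two parsers make the trade-off concrete: the serviceValidate path yields only the username, which is all a plain `Require valid-user` needs, while the samlValidate path yields the attribute statement that CASAuthNHeader and attribute-based authorization depend on.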


Re: [cas-user] Re: CAS 5.2.2 SAML IdP vs. Workday

2018-11-29 Thread David Curry
You do need to create a metadata file; Workday won't do it for you. We use
this site:

https://www.samltool.com/sp_metadata.php


Once you've created it for one Workday tenant, you can just copy it and
edit the XML directly for the other tenants; you don't have to use this
site for each tenant.

Then do something like this (copied from our internal wiki, and I'm not the
Workday guy, so I hope it makes sense to you!)

Configure Workday: Edit Tenant Setup - Security

1. Single Sign-on
   1. Redirection URLs
      - Login Redirect URL: https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
      - Logout Redirect URL:
      - Timeout Redirect URL:
      - Mobile App Login Redirect URL: https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
      - Mobile Browser Login Redirect URL: https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
      - Environment: Production
   2. SAML Setup
      - Enable SAML Authentication: (checked)
      - x509 Private Key Pair: YOURPRIVATEKEYPAIR
      - Enable Mobile Browser SSO for Native Apps: (unchecked)
      - Enable Certificate Based SSO: (unchecked)
      - Enable Dynamic Certificate Pinning: (unchecked)
      - Service Provider ID: http://www.workday.com/YOURTENANTNAME
      - Enable SP Initiated SAML Authentication (Will be Deprecated): (checked)
      - IdP SSO Service URL: https://YOURCASSERVER/cas/idp/profile/SAML2/POST/SSO
      - Sign SP-initiated Authentication Request: (checked)
      - Do Not Deflate SP-initiated Authentication Request: (checked)
      - Always Require IdP Authentication: (unchecked)
      - Authentication Request Signature Method: SHA256
      - Enable Signature KeyInfo Validation: (unchecked)
2. SAML Identity Providers
   1. Identity Provider Name: SSO (CAS 5)
      - Disabled: (unchecked)
      - Issuer: https://YOURCASSERVER/cas/idp
      - x509 Certificate: YOUR CAS SIGNING CERT (/etc/cas/saml/idp-signing.crt).
        As of Workday 27, the cert must begin with "-----BEGIN CERTIFICATE-----"
        and end with "-----END CERTIFICATE-----".
      - Enable IdP Initiated Logout: (unchecked)
      - Logout Response URL:
      - Enable Workday Initiated Logout: (checked)
      - Logout Request URL: https://YOURCASSERVER/logout/myday/YOURTENANTNAME.html
      - Use Unspecified Name ID Format for Logout Request: (unchecked)
      - SP Initiated: (unchecked)
      - IdP SSO Service URL:
      - Managed Device Attribute:
      - Used for Environments: Production


Note: for "Logout Request URL" we send the users to a little "logout" page
rather than the standard SAML logout. This is OPTIONAL. We put ours in
.../tomcat/webapps/ROOT/logout/myday/YOURTENANTNAME.html on the CAS
server. It's basically just this:

<html>
<body>
  <p>You have either logged out or timed out of your Workday session. To
  protect your sensitive information, we recommend that you close
  your browser.</p>
  <p>You may also <a href="https://www.myworkday.com/YOURTENANTNAME">
  log in to Workday again</a>.</p>
</body>
</html>

The metadata we upload (generated by the site above) looks like the
attached.

Hope this helps.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Nov 29, 2018 at 3:08 PM Danny  wrote:

> I'm working on getting CAS 5.3 SAML2 IdP working with Workday, but not
> making much progress. Workday says the metadata file isn't required, but I
> can't see any way to set it up without one. Can you give more details on
> how you got this to work?
>
> Thanks
>
> On Tuesday, March 13, 2018 at 2:34:16 PM UTC-5, cur...@newschool.edu
> wrote:
>>
>> We are trying to configure our Workday Preview tenant to authenticate via
>> SAML2 to a CAS 5.2.2 IdP.
>>
>> In the management webapp, we have defined a "SAML2 Service Provider"
>> service. The EntityID is set to:
>>
>> https://impl.workday.com/x
>>
>>
>> which matches the EntityID in the SP's metadata.  When we try to log in
>> to Workday, we receive this error from the Workday 
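The Workday write-up above says to generate SP metadata once, then copy the XML and edit it for each additional tenant, and that the IdP signing certificate must carry full BEGIN/END CERTIFICATE lines. The block below is an added example, not from the thread, from Workday or from samltool.com (the attachment Dave refers to did not survive the archive). It builds SP metadata for one tenant from the two URL shapes the post gives (Service Provider ID `http://www.workday.com/TENANT` and Login Redirect URL `https://www.myworkday.com/TENANT/login-saml2.htmld`), retargets it for a second tenant on the parsed tree instead of by hand, and checks that entityID and AssertionConsumerService still name the same tenant, the slip that hand-editing invites. The NameIDFormat, binding and the `WantAssertionsSigned` flag are assumptions, not taken from the post.

```python
# Added example, not from the thread, Workday or samltool.com. Tenant names are constructed.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def entity_id(tenant):
    """Service Provider ID shape from the post."""
    return "http://www.workday.com/%s" % tenant

def acs_url(tenant):
    """Login Redirect URL shape from the post; used as the AssertionConsumerService."""
    return "https://www.myworkday.com/%s/login-saml2.htmld" % tenant

def build_sp_metadata(tenant, signed_requests=True):
    """Minimal SPSSODescriptor; the flags mirror 'Sign SP-initiated Authentication Request'."""
    root = ET.Element("{%s}EntityDescriptor" % MD, entityID=entity_id(tenant))
    sp = ET.SubElement(root, "{%s}SPSSODescriptor" % MD,
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned=str(signed_requests).lower(),
                       WantAssertionsSigned="true")
    ET.SubElement(sp, "{%s}NameIDFormat" % MD).text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, "{%s}AssertionConsumerService" % MD, Binding=HTTP_POST,
                  Location=acs_url(tenant), index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")

def parse_sp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    acs = root.find(".//{%s}AssertionConsumerService" % MD)
    return {"entityID": root.get("entityID"),
            "acs": acs.get("Location"), "binding": acs.get("Binding")}

def retarget(xml_text, old_tenant, new_tenant):
    """The 'copy it and edit the XML' step for the next tenant, applied to the parsed tree."""
    root = ET.fromstring(xml_text)
    root.set("entityID", root.get("entityID").replace(old_tenant, new_tenant))
    for acs in root.iter("{%s}AssertionConsumerService" % MD):
        acs.set("Location", acs.get("Location").replace(old_tenant, new_tenant))
    return ET.tostring(root, encoding="unicode")

def tenant_consistent(xml_text):
    """Catch a half-edited copy: entityID changed but the ACS still points at the old tenant."""
    info = parse_sp_metadata(xml_text)
    tenant = info["entityID"].rsplit("/", 1)[-1]
    return info["acs"] == acs_url(tenant)

def cert_pem_ok(pem):
    """The Workday 27 requirement from the post: full BEGIN/END CERTIFICATE lines."""
    lines = pem.strip().splitlines()
    if len(lines) < 3:
        return False
    return (lines[0] == "-----BEGIN CERTIFICATE-----"
            and lines[-1] == "-----END CERTIFICATE-----")
```

Uploading metadata whose entityID names one tenant while the ACS names another is rejected late, at first login, with an unhelpful error; `tenant_consistent()` moves that check to the point where the file is produced.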

Re: [cas-user] Re: CAS 5.3.0-RC2 LDAP Authentication and cas.authn.ldap[0].userFilter property

2018-11-27 Thread David Curry
This is a completely different problem than the one you were talking about
a few messages ago. You really should start a new thread for a new problem,
to help other people searching the forum for answers.

As for this problem, have you enabled the password management features of
the CAS server? Those would need to be enabled for it to detect the "change
password at next login" state and do something intelligent with it. (We
don't use those features, so I don't know for sure that they handle that
particular condition, but I assume they do.)


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Nov 27, 2018 at 1:53 AM Sudhan Samyraj <
sud...@eluminaelearning.com.au> wrote:

> Hi David,
>
> I will describe my problem clearly, please help me
> to sort it out. Once the user logs in with the userPrincipalName, it logs
> me in fine.
>
> But once I click the "user must change password at next login" checkbox in AD,
> the user is not able to log in to CAS.
>
> Regards,
>
> S.Sudhanraj
> Network Engineer
>
> A: 309 Kent Street, Sydney, NSW 2000
>
>
>
> Email: helpd...@eluminaelearning.com.au
>
>
> On Tue, Nov 27, 2018 at 12:29 AM David Curry 
> wrote:
>
>> What version of CAS are you using?
>> What "login error" are you getting (include the actual text of the error)?
>> Do you see any errors in your log file(s) about it? If so, what are they
>> (copy and paste relevant lines)?
>> Have you tried turning on debug-level logging? Did it tell you anything?
>> If so, what (copy and paste relevant lines)?
>> Please do share your cas.properties, at least the LDAP-related bits, so
>> we can see what you're doing.
>>
>> I'm guessing, since you say you're getting a login error rather than a
>> startup error, that you're not experiencing the same issue as the original
>> poster was, so I'm a little unclear as to why you're posting in this thread
>> instead of starting a new one? (If you are having the same issue as the
>> original poster, the answer to that problem is in the second post in this
>> thread.)
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>
>> On Mon, Nov 26, 2018 at 1:30 PM Sudhan Samyraj <
>> sud...@eluminaelearning.com.au> wrote:
>>
>>> Hi Ray,
>>>
>>> The forum is very helpful for me but my issue was
>>> not fixed.
>>>
>>> Using this: cas.authn.ldap[0].userFilter: sAMAccountName={user}
>>> I am getting a login error.
>>>
>>> Can I share my cas.properties file? Please help me to sort it out.
>>>
>>>
>>> S.Sudhanraj
>>> Network Engineer
>>>
>>> A: 309 Kent Street, Sydney, NSW 2000
>>>
>>>
>>>
>>> Email: helpd...@eluminaelearning.com.au
>>>
>>>
>>> On Mon, Nov 26, 2018 at 11:26 PM Ray Bon  wrote:
>>>
>>>> Could this conversation be of help:
>>>>
>>>> https://groups.google.com/a/apereo.org/forum/?utm_medium=email_source=footer#!searchin/cas-user/sAMAccountname/cas-user/C0KcFq97yVg/qR7VuogOAgAJ
>>>>
>>>> A general search for sAMAccountname:
>>>>
>>>> https://groups.google.com/a/apereo.org/forum/?utm_medium=email_source=footer#!searchin/cas-user/sAMAccountname;context-place=msg/cas-user/e_zIvfJPil8/yhehxDT-CQAJ
>>>>
>>>> Ray
>>>>
>>>> On Mon, 2018-11-26 at 09:48 -0800, Sudhan Samyraj wrote:
>>>>
>>>> Hi, please can anyone advise on the below:
>>>>
>>>> I have synced Moodle and AD and it is working fine for me, but when syncing AD &
>>>> CAS it is not considering the sAMAccountName.
>>>>
>>>> It only lets me log in with the display name; please share any
>>>> configuration for common attributes between sAMAccountName /
>>>> userPrincipalName and CAS.
>>>>
>>>> Regards,
>>>> S.Sudhanraj
>>>>
>>>> On Tuesday, March 27, 2018 at 7:59:1

Re: [cas-user] Re: CAS 5.3.0-RC2 LDAP Authentication and cas.authn.ldap[0].userFilter property

2018-11-26 Thread David Curry
What version of CAS are you using?
What "login error" are you getting (include the actual text of the error)?
Do you see any errors in your log file(s) about it? If so, what are they
(copy and paste relevant lines)?
Have you tried turning on debug-level logging? Did it tell you anything? If
so, what (copy and paste relevant lines)?
Please do share your cas.properties, at least the LDAP-related bits, so we
can see what you're doing.

I'm guessing, since you say you're getting a login error rather than a
startup error, that you're not experiencing the same issue as the original
poster was, so I'm a little unclear as to why you're posting in this thread
instead of starting a new one? (If you are having the same issue as the
original poster, the answer to that problem is in the second post in this
thread.)

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Nov 26, 2018 at 1:30 PM Sudhan Samyraj <
sud...@eluminaelearning.com.au> wrote:

> Hi Ray,
>
> The forum is very helpful for me but my issue was not
> fixed.
>
> Using this: cas.authn.ldap[0].userFilter: sAMAccountName={user}
> I am getting a login error.
>
> Can I share my cas.properties file? Please help me to sort it out.
>
>
> S.Sudhanraj
> Network Engineer
>
> A: 309 Kent Street, Sydney, NSW 2000
>
>
>
> Email: helpd...@eluminaelearning.com.au
>
>
> On Mon, Nov 26, 2018 at 11:26 PM Ray Bon  wrote:
>
>> Could this conversation be of help:
>>
>> https://groups.google.com/a/apereo.org/forum/?utm_medium=email_source=footer#!searchin/cas-user/sAMAccountname/cas-user/C0KcFq97yVg/qR7VuogOAgAJ
>>
>> A general search for sAMAccountname:
>>
>> https://groups.google.com/a/apereo.org/forum/?utm_medium=email_source=footer#!searchin/cas-user/sAMAccountname;context-place=msg/cas-user/e_zIvfJPil8/yhehxDT-CQAJ
>>
>> Ray
>>
>> On Mon, 2018-11-26 at 09:48 -0800, Sudhan Samyraj wrote:
>>
>> Hi, please can anyone advise on the below:
>>
>> I have synced Moodle and AD and it is working fine for me, but when syncing AD &
>> CAS it is not considering the sAMAccountName.
>>
>> It only lets me log in with the display name; please share any
>> configuration for common attributes between sAMAccountName /
>> userPrincipalName and CAS.
>>
>> Regards,
>> S.Sudhanraj
>>
>> On Tuesday, March 27, 2018 at 7:59:17 AM UTC+5:30, darin.russell wrote:
>>
>> Hello All
>>
>> I've been running CAS 5.2.4-SNAPSHOT using LDAP authentication with no
>> problems.  When I try to use CAS 5.3.0-RC2 I get errors with my
>>
>> cas.authn.ldap[0].userFilter=cn={user}
>>
>> property.  When I have it in my cas.properties file, CAS exits with the
>> following error on startup -
>>
>> 2018-03-27 00:59:53,803 WARN
>> [org.apereo.cas.web.CasWebApplicationContext] - <Exception encountered
>> during context initialization - cancelling refresh attempt:
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'casBeanValidationPostProcessor' defined in class path
>> resource [org/apereo/cas/config/CasCoreUtilConfiguration.class]:
>> BeanPostProcessor before instantiation of bean failed; nested exception is
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>> creating bean with name
>> 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration':
>> Unsatisfied dependency expressed through method 'setConfigurers' parameter
>> 0; nested exception is
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>> creating bean with name 'casCoreTicketsConfiguration': Unsatisfied
>> dependency expressed through field 'casProperties'; nested exception is
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name
>> 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not
>> bind properties to CasConfigurationProperties (prefix=cas,
>> ignoreInvalidFields=false, ignoreUnknownFields=false,
>> ignoreNestedProperties=false); nested exception is
>> org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException:
>> Failed to bind 'cas.authn.ldap[0].userFilter' from
>> 'applicationProfilesProperties' to 'authn.ldap[0].userFilter' property on
>> 'org.apereo.cas.configuration.model.core.authentication.AuthenticationProperties'>
>>
>>
>> If I comment the property out, CAS gets to the point of trying to
>> initialize my direct bind to the LDAP server, but then stops with this
>> error -
>>
>> 2018-03-27 01:22:16,484 WARN
>> [org.apereo.cas.web.CasWebApplicationContext] - <Exception encountered
>> during context initialization - cancelling refresh attempt:
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>> creating bean with name 'authenticationTransactionManager' defined in class
>> path resource
>> 
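The `cas.authn.ldap[0].userFilter` property discussed in this thread (`cn={user}` in the original report, `sAMAccountName={user}` in Sudhan's configuration) is a template into which the login name is substituted before the LDAP search runs. The block below is an added example, not code from the thread, from CAS or from ldaptive: it renders such a template both naively and with RFC 4515 escaping of the user-supplied value, and checks that the rendered filter kept the template's clause structure, so a login name containing `*`, `(` or `)` can only ever match literally. The OR-style template combining sAMAccountName and userPrincipalName is an illustration of the "common attributes" Sudhan asked about, not a setting taken from the thread.

```python
# Added example, not from the thread, CAS or ldaptive. Templates and names are constructed.

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it can only match literally."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def render_unsafe(template, user):
    """Naive substitution, shown only to make the difference visible."""
    return template.replace("{user}", user)

def render_filter(template, user):
    """Escaped substitution: what a correct LDAP client does with {user}."""
    return template.replace("{user}", escape_filter_value(user))

def unescaped(filter_text, chars):
    """Count characters from `chars` that are not part of a \\xx escape."""
    count, i = 0, 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3  # backslash plus two hex digits
            continue
        if filter_text[i] in chars:
            count += 1
        i += 1
    return count

def same_shape(template, rendered):
    """The rendered filter must keep the template's parentheses and add no wildcards."""
    return (unescaped(template, "()") == unescaped(rendered, "()")
            and unescaped(template, "*") == unescaped(rendered, "*"))

# The template from the thread and an illustrative combined one (assumption, not from the thread).
SAM_TEMPLATE = "sAMAccountName={user}"
COMBINED_TEMPLATE = "(|(sAMAccountName={user})(userPrincipalName={user}))"
```

The defensive point for anyone writing their own LDAP lookup around CAS: the filter that reaches the directory should differ from the template only inside escaped assertion values, which is exactly what `same_shape()` verifies.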

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
Well, I also said we don't do that here, so I don't actually know how to do
it, just that I think you can. :-)

But seriously, I believe it depends on what you're using for an attribute
repository. And I'm not sure whether it's going to give you what you want:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
  <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
  <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>


or if it's going to give you something more like

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM,ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>


You might have to write a custom resolver or something (I'm not the one to
help you with that).

Maybe someone else could weigh in here and give William some better
information?

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Nov 16, 2018 at 12:10 PM Willian Gonzales 
wrote:

> David,
>
> What I want is to log in to multiple AWS accounts using SAML2. I've
> managed to log in to only one account. But to log in to multiple accounts
> you have to send the response like this:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> Right now I'm sending only one value in the AttributeValue, like this:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> I need to send multiple values so I can choose which account I want to log
> in to. You said that there's a way to return a multi-value attribute; can you
> show me how to return a multi-value attribute?
>
> Thank you!
>
>
>
>
> On Friday, 16 November 2018 at 14:39:26 UTC-2, David Curry
> wrote:
>>
>> The "ReturnMappedAttributeReleasePolicy" is not a method for returning
>> attribute values, it's a method for changing the name of an attribute when
>> you release it.
>>
>> For example, suppose you have an application that wants you to give it an
>> attribute called "LastName". But your Active Directory, of course, keeps
>> the last name in an attribute called "sn". So, in the service registry for
>> that service, you would specify something like this:
>>
>> ...
>>  "attributeReleasePolicy" : {
>>     "@class" :
>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>     "allowedAttributes" : {
>>       "@class" : "java.util.TreeMap",
>>       "sn" : "LastName",
>>       "givenName" : "givenName",
>>       "cn" : "cn"
>>     }
>>   },
>> ...
>>
>>
>> This says you're going to get the values of the cn, givenName, and sn
>> values from your attribute repository (Active Directory or whatever), and
>> send them over to the client. BUT, when you do that, you're going to call
>> them cn, givenName, and LastName instead. So for me, the client might get
>> something like:
>>
>> cn=curryd, givenName=David, LastName=Curry
>>
>>
>> (in whatever format the protocol it's speaking with the CAS server
>> provides that information).
>>
>> So what you're specifying there is that you're going to send four
>> attributes back to AWS: description, extensionAttribute1,
>> extensionAttribute2, and extensionAttribute3. But when you send them back,
>> you're going to call them by those 3 URLs and "SessionDuration". So AWS is
>> going to get something like:
>>
>> https://aws.amazon.com/SAML/Attributes/Role=,
>> https://aws.amazon.com/SAML/Attributes/Role= value>,https://aws.amazon.com/SAML/Attributes/R
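Two things in this thread are easy to conflate: Dave's explanation that ReturnMappedAttributeReleasePolicy only renames attributes (sn becomes LastName) and Willian's need for the Role attribute to reach AWS as several AttributeValue elements rather than one comma-joined value. The block below is an added example, not code from the thread or from CAS: it applies an allowedAttributes map to a constructed set of resolved attributes (the description attribute is multi-valued, the way Willian wants it), renders the result as a SAML 2.0 AttributeStatement in both of the shapes Dave contrasts, and reads the values back so the difference is checkable. The resolved values, the mail attribute and the principal name are all constructed for the example.

```python
# Added example, not from the thread or from CAS. Resolved attribute values are constructed.
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML2)
ROLE = "https://aws.amazon.com/SAML/Attributes/Role"

# What an attribute repository might resolve for one principal (constructed sample).
RESOLVED = {
    "cn": "curryd",
    "givenName": "David",
    "sn": "Curry",
    "description": ["ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM",
                    "ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM",
                    "ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM"],
    "mail": "curryd@example.edu",   # resolved but absent from allowedAttributes: never released
}

# allowedAttributes as in the thread's service definition: source name -> name the SP sees.
ALLOWED = {
    "sn": "LastName",
    "givenName": "givenName",
    "cn": "cn",
    "description": ROLE,
}

def release_mapped(resolved, allowed):
    """Keep only mapped attributes and rename them; values are normalized to lists."""
    released = {}
    for source, target in allowed.items():
        if source not in resolved:
            continue
        value = resolved[source]
        released[target] = list(value) if isinstance(value, (list, tuple)) else [value]
    return released

def attribute_statement(released, join_multi=False):
    """Render a SAML 2.0 AttributeStatement. join_multi=True produces the single
    comma-joined value Dave lists as the other possible outcome."""
    stmt = ET.Element("{%s}AttributeStatement" % SAML2)
    for name, values in released.items():
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML2, Name=name)
        for value in ([",".join(values)] if join_multi else values):
            ET.SubElement(attr, "{%s}AttributeValue" % SAML2).text = value
    return ET.tostring(stmt, encoding="unicode")

def attribute_values(statement_xml, name):
    """Values of the named attribute in a rendered statement, or None if it is absent."""
    root = ET.fromstring(statement_xml)
    for attr in root.iter("{%s}Attribute" % SAML2):
        if attr.get("Name") == name:
            return [v.text for v in attr.findall("{%s}AttributeValue" % SAML2)]
    return None
```

Reading the rendered statement back with `attribute_values()` is the check to run against a real response too: if the Role attribute comes back as one element whose text contains several commas, the repository delivered one string and the fix belongs on the attribute-resolution side, not in the release policy.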

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
ipalAttributePassword=unicodePwd
>
> cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
> cas.authn.ldap[0].failFast=false
> cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
> cas.authn.attributeRepository.ldap[0].bindDn=will...@shoracius.com.br
> cas.authn.attributeRepository.ldap[0].bindCredential=
> cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
>
> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.attributeRepository.ldap[0].useSsl=false
> cas.authn.attributeRepository.ldap[0].useStartTls=false
> cas.authn.attributeRepository.ldap[0].name=AD
> cas.authn.attributeRepository.expirationTime=30
> cas.authn.attributeRepository.expirationTimeUnit=MINUTES
> cas.authn.attributeRepository.maximumCacheSize=1
> cas.authn.attributeRepository.merger=MERGE
>
> cas.authn.attributeRepository.ldap[0].attributes.description=extensionAttribute1
> # cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
> # cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>
> Can you help me on this quest?
>
> I'm from Brazil, so I'm sorry for my English.
>
> Thanks in advance, and I appreciate your help.
>
>
> On Friday, 16 November 2018 at 13:26:22 UTC-2, David Curry
> wrote:
>>
>> Since I'm the only "David" I see in this thread I assume you're asking
>> me... but I'm not sure I understand the question. Where are you putting the
>> JSON that you're expecting CAS to consume it and then spit it out in a SAML
>> response?
>>
>> Normally, CAS will get the attributes from whatever repositories you
>> configure it to use, and take care of putting them into the response
>> itself; you don't have to specify any JSON. As far as I know, multi-valued
>> attributes should work just fine with that.
>>
>> The JSON I provided back earlier in this thread was in a service registry
>> definition to show how to rename attributes, not provide their values.
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david...@newschool.edu
>>
>>
>> On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales 
>> wrote:
>>
>>> Hi David!
>>>
>>> I'm praying that you see my question now because I really need your help.
>>> I want to thank you because you really helped me by showing the .json
>>> configuration.
>>> But I need some help on this.
>>>
>>> How do I manage to do a multi-value attribute in JSON?
>>> I need the SAML response to be like this
>>>
>>>  1 <
>>> AttributeValue>2 3 >> Attribute>
>>>
>>> Can you help me on this man?
>>>
>>> Regards
>>>
>>> On Wednesday, 16 May 2018 at 11:49:10 UTC-3, David Curry wrote:
>>>>
>>>>
>>>>
>>>> Here's a JSON definition for an Apache HTTPD with the Shibboleth
>>>> mod_shib/shibd plug-in:
>>>>
>>>> {
>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>>>>   "name" : "Apache Secured By SAML",
>>>>   "id" : 1509030300,
>>>>   "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
>>>>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>>>>   "attributeReleasePolicy" : {
>>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>>     "allowedAttributes" : {
>>>>       "@class" : "java.util.TreeMap",
>>>>       "cn" : "urn:oid:2.5.4.3",
>>>>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>>>>       "givenName" : "urn:oid:2.5.4.42",
>>>>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>>>>       "role" : "urn:newschool:attribute-def:role",
>>>>   "sn" : "urn:oid:2.

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
Since I'm the only "David" I see in this thread I assume you're asking
me... but I'm not sure I understand the question. Where are you putting the
JSON that you're expecting CAS to consume it and then spit it out in a SAML
response?

Normally, CAS will get the attributes from whatever repositories you
configure it to use, and take care of putting them into the response
itself; you don't have to specify any JSON. As far as I know, multi-valued
attributes should work just fine with that.

The JSON I provided back earlier in this thread was in a service registry
definition to show how to rename attributes, not provide their values.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales 
wrote:

> Hi David!
>
> I'm praying that you see my question now because I really need your help.
> I want to thank you because you really helped me by showing the .json
> configuration.
> But I need some help on this.
>
> How do I manage to do a multi-value attribute in JSON?
> I need the SAML response to be like this
>
>  1 <
> AttributeValue>2 3  Attribute>
>
> Can you help me on this man?
>
> Regards
>
> On Wednesday, 16 May 2018 at 11:49:10 UTC-3, David Curry wrote:
>>
>>
>>
>> Here's a JSON definition for an Apache HTTPD with the Shibboleth
>> mod_shib/shibd plug-in:
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>>   "name" : "Apache Secured By SAML",
>>   "id" : 1509030300,
>>   "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
>>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>     "allowedAttributes" : {
>>       "@class" : "java.util.TreeMap",
>>       "cn" : "urn:oid:2.5.4.3",
>>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>>       "givenName" : "urn:oid:2.5.4.42",
>>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>>       "role" : "urn:newschool:attribute-def:role",
>>       "sn" : "urn:oid:2.5.4.4",
>>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>>       "UDC_IDENTIFIER" : "urn:newschool:attribute-def:UDC_IDENTIFIER"
>>     }
>>   },
>>   "evaluationOrder" : 1125
>> }
>>
>> But if your SP doesn't care about the funky notation, you can just do it
>> the "regular" way... here's a definition for a test SP created via RSA's
>> free IAMShowcase site (this is a cut-down copy of the entire registry entry
>> to show the part you're interested in):
>>
>> {
>>   "serviceId": "IAMShowcase",
>>   "name": "RSA SAML Test Service Provider",
>>   "theme": null,
>>   "informationUrl": null,
>>   "privacyUrl": null,
>>   "id": 1202469081,
>>   "description": "The URL for the SP that talks to this service is https://sptest.iamshowcase.com/ixs?idp=",
>>   "evaluationOrder": -1,
>>   "attributeReleasePolicy": {
>>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes": [
>>       "displayName",
>>       "givenName",
>>       "sn",
>>       "uid"
>>     ]
>>   }
>> }
>>
>>
>> --Dave
>>
>>
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>
>> On Wed, May 16, 2018 at 9:07 AM, John D Giotta  wrote:
>>
>>> Do you have an example of this?
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>
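As an added example (not code from this thread or from CAS itself), the following Python model reproduces the behaviour Dave describes: the registry JSON only renames attributes, CAS releases whatever values the attribute repository resolved, a multi-valued attribute becomes repeated AttributeValue elements, and anything not listed in the policy is never released. The two policy maps are taken from the service definitions in the thread; the principal attributes are constructed sample input.

```python
"""Model of CAS attribute release into a SAML AttributeStatement.

Added example, not CAS project code. MAPPED_ATTRIBUTES and ALLOWED_ATTRIBUTES
are copied from the two service registry definitions in the thread;
SAMPLE_PRINCIPAL is constructed test data.
"""
from typing import Dict, List, Mapping, Sequence, Union
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ET.register_namespace("saml2", SAML_NS)

# allowedAttributes of the ReturnMappedAttributeReleasePolicy in the thread:
# local (repository) attribute name -> name used in the SAML response.
MAPPED_ATTRIBUTES: Dict[str, str] = {
    "cn": "urn:oid:2.5.4.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "role": "urn:newschool:attribute-def:role",
    "sn": "urn:oid:2.5.4.4",
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "UDC_IDENTIFIER": "urn:newschool:attribute-def:UDC_IDENTIFIER",
}

# allowedAttributes of the ReturnAllowedAttributeReleasePolicy in the thread:
# released under their local names, no renaming.
ALLOWED_ATTRIBUTES: List[str] = ["displayName", "givenName", "sn", "uid"]

# Constructed sample principal, as an attribute repository might resolve it.
# "role" is multi-valued; "telephoneNumber" is in neither policy; displayName
# is present but empty.
SAMPLE_PRINCIPAL: Dict[str, object] = {
    "uid": "jdoe",
    "cn": "Jane Doe",
    "mail": "jdoe@example.edu",
    "role": ["student", "employee"],
    "telephoneNumber": "+1 555 0100",
    "displayName": "",
}

AttrValue = Union[str, Sequence[str], None]


def _as_values(value: object) -> List[str]:
    """Normalize a repository value (scalar or collection) to a list of non-empty strings."""
    if value is None:
        return []
    raw = list(value) if isinstance(value, (list, tuple, set)) else [value]
    return [str(v) for v in raw if v is not None and str(v) != ""]


def release_mapped(principal: Mapping[str, object],
                   mapping: Mapping[str, str]) -> Dict[str, List[str]]:
    """ReturnMappedAttributeReleasePolicy: keep only mapped attributes,
    rename them, and preserve every value the repository returned."""
    released: Dict[str, List[str]] = {}
    for local_name, saml_name in mapping.items():
        values = _as_values(principal.get(local_name))
        if values:  # attributes the principal lacks, or that are empty, are simply absent
            released[saml_name] = values
    return released


def release_allowed(principal: Mapping[str, object],
                    allowed: Sequence[str]) -> Dict[str, List[str]]:
    """ReturnAllowedAttributeReleasePolicy: same filtering, identity mapping."""
    return release_mapped(principal, {name: name for name in allowed})


def build_attribute_statement(released: Mapping[str, List[str]]) -> str:
    """Serialize released attributes as a SAML 2.0 AttributeStatement;
    each value of a multi-valued attribute becomes its own AttributeValue."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in released.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             Name=name, NameFormat=URI_NAME_FORMAT)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def count_attribute_values(xml_text: str, saml_name: str) -> int:
    """Number of AttributeValue elements carried by the named Attribute (0 if absent)."""
    root = ET.fromstring(xml_text)
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == saml_name:
            return len(attr.findall(f"{{{SAML_NS}}}AttributeValue"))
    return 0


if __name__ == "__main__":
    print(build_attribute_statement(release_mapped(SAMPLE_PRINCIPAL, MAPPED_ATTRIBUTES)))
    print(build_attribute_statement(release_allowed(SAMPLE_PRINCIPAL, ALLOWED_ATTRIBUTES)))
```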

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
Luminis 5 sends you to the /cas/logout page. That might be a configuration
option, but it's what ours does. Luminis is currently in "don't touch it
and hope it doesn't break before we replace it" status here, so we're
stuck with that behavior.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




On Fri, Nov 2, 2018 at 6:29 PM Ray Bon  wrote:

> Luminis' session ending should _not_ send a log out to CAS. Is this still
> the case?
>
> Ray
>
> On Fri, 2018-11-02 at 15:05 -0400, David Curry wrote:
>
> We already had to turn off SLO because of that issue between tabs (people
> would log into Luminis in one tab and Canvas in another, and get kicked out
> of Canvas when Luminis timed out). My position is that this was The Wrong
> Thing To Do, but the problem is that our CAS 3.x deployment always had it
> turned off (thanks, Ellucian) and so now that's what everything considers
> "normal."
>
> It seems to me the easiest way to just avoid the whole issue would be to
> simply use Browser X for Banner 9 and Browser Y for everything else, but
> what do I know? :-)
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
>
>
> On Fri, Nov 2, 2018 at 2:57 PM Matthew Uribe 
> wrote:
>
> Hi David,
>
> FWIW we've been on Banner 9 for a little over a year, and we advise users
> not to have multiple tabs open. The issue we see is that one tab will "time
> out" even though the users are actively entering data in another tab. It
> can be rather frustrating. I'm not sure if your unchecking the "participate
> in sso" will make a difference either, since the timeout just calls the
> cas/logout endpoint resulting in the destruction of the TGTs. You may at
> least want to revisit the timeout values for AppNav, etc...
>
> Matt
>
> On Friday, November 2, 2018 at 12:13:39 PM UTC-6, David Curry wrote:
>
> Actually, I think my problem in this case was using mod_auth_cas to test
> it. Maybe that little cookie cache it has was affecting the results.
>
> When we unchecked the "participate in sso" access strategy for the actual
> application in question (Banner 9), it started behaving the way they
> wanted. Subject to more exhaustive testing, anyway.
>
> I know all about how the cookies work and so on. But those technical
> details are completely irrelevant to business people who just want the new
> version (using CAS) to work like the old version (not using CAS).
>
> Thanks for everyone's suggestions, though.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
>
>
> On Fri, Nov 2, 2018 at 1:52 PM Ray Bon  wrote:
>
> I agree with Christian on this. Cookies exist in a browser instance, not a
> tab instance; in some cases a new window is still not enough.
> It sounds like your client does not understand how web browser technology
> works.
>
> You could always offer to build a custom browser ;)
>
> Ray
>
> On Fri, 2018-11-02 at 13:01 -0400, David Curry wrote:
>
> Well, if I had my way, we wouldn't be doing it at all. :-)
>
> But one of the business units here wants their application to (a) use the
> "standard" login page provided by the CAS server but (b) prompt for
> credentials every time you open a tab/window and go to it. "But that's not
> single sign-on," I say. "But it's what we want," they say. Sigh.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
>
>
> On Fri, Nov 2, 2018 at 12:31 PM Christian Poirier 
> wrote:
>
> Hi Dave
>
> I think the better way to do this is to open a new instance of your
> browser application instead of opening a new tab. The new tab is in the same
> context as your first tab and is therefore using the same authentication
> cookie. If you want CAS as you mention, you lose the essential use of an SSO.
> If you renew for the following tab, you will lose the authentication of the
> first tab.
>
> Christian Poirier
> Université TÉLUQ
> Québec, QC CANADA
>
>
> On Fri, 2 Nov 2018 at 10:41, David Curry wrote:
>
>
> Can I force a service to authentic

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
We already had to turn off SLO because of that issue between tabs (people
would log into Luminis in one tab and Canvas in another, and get kicked out
of Canvas when Luminis timed out). My position is that this was The Wrong
Thing To Do, but the problem is that our CAS 3.x deployment always had it
turned off (thanks, Ellucian) and so now that's what everything considers
"normal."

It seems to me the easiest way to just avoid the whole issue would be to
simply use Browser X for Banner 9 and Browser Y for everything else, but
what do I know? :-)

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




On Fri, Nov 2, 2018 at 2:57 PM Matthew Uribe  wrote:

> Hi David,
>
> FWIW we've been on Banner 9 for a little over a year, and we advise users
> not to have multiple tabs open. The issue we see is that one tab will "time
> out" even though the users are actively entering data in another tab. It
> can be rather frustrating. I'm not sure if your unchecking the "participate
> in sso" will make a difference either, since the timeout just calls the
> cas/logout endpoint resulting in the destruction of the TGTs. You may at
> least want to revisit the timeout values for AppNav, etc...
>
> Matt
>
> On Friday, November 2, 2018 at 12:13:39 PM UTC-6, David Curry wrote:
>>
>> Actually, I think my problem in this case was using mod_auth_cas to test
>> it. Maybe that little cookie cache it has was affecting the results.
>>
>> When we unchecked the "participate in sso" access strategy for the
>> actual application in question (Banner 9), it started behaving the way they
>> wanted. Subject to more exhaustive testing, anyway.
>>
>> I know all about how the cookies work and so on. But those technical
>> details are completely irrelevant to business people who just want the new
>> version (using CAS) to work like the old version (not using CAS).
>>
>> Thanks for everyone's suggestions, though.
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>
>>
>>
>> On Fri, Nov 2, 2018 at 1:52 PM Ray Bon  wrote:
>>
>>> I agree with Christian on this. Cookies exist in a browser instance, not
>>> a tab instance; in some cases a new window is still not enough.
>>> It sounds like your client does not understand how web browser
>>> technology works.
>>>
>>> You could always offer to build a custom browser ;)
>>>
>>> Ray
>>>
>>> On Fri, 2018-11-02 at 13:01 -0400, David Curry wrote:
>>>
>>> Well, if I had my way, we wouldn't be doing it at all. :-)
>>>
>>> But one of the business units here wants their application to (a) use
>>> the "standard" login page provided by the CAS server but (b) prompt for
>>> credentials every time you open a tab/window and go to it. "But that's not
>>> single sign-on," I say. "But it's what we want," they say. Sigh.
>>>
>>> --Dave
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>>
>>>
>>>
>>>
>>> On Fri, Nov 2, 2018 at 12:31 PM Christian Poirier 
>>> wrote:
>>>
>>> Hi Dave
>>>
>>> I think the better way to do this is to open a new instance of your
>>> browser application instead of opening a new tab. The new tab is in the same
>>> context as your first tab and is therefore using the same authentication
>>> cookie. If you want CAS as you mention, you lose the essential use of an SSO.
>>> If you renew for the following tab, you will lose the authentication of the
>>> first tab.
>>>
>>> Christian Poirier
>>> Université TÉLUQ
>>> Québec, QC CANADA
>>>
>>>
>>> On Fri, 2 Nov 2018 at 10:41, David Curry wrote:
>>>
>>>
>>> Can I force a service to authenticate every time from the CAS server
>>> side, e.g., by setting something in the service registry? Basically, I want
>>> to mimic the behavior of "=true" but not have to change anything on
>>> the client side.

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
Actually, I think my problem in this case was using mod_auth_cas to test
it. Maybe that little cookie cache it has was affecting the results.

When we unchecked the "participate in sso" access strategy for the actual
application in question (Banner 9), it started behaving the way they
wanted. Subject to more exhaustive testing, anyway.

I know all about how the cookies work and so on. But those technical
details are completely irrelevant to business people who just want the new
version (using CAS) to work like the old version (not using CAS).

Thanks for everyone's suggestions, though.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




On Fri, Nov 2, 2018 at 1:52 PM Ray Bon  wrote:

> I agree with Christian on this. Cookies exist in a browser instance, not a
> tab instance; in some cases a new window is still not enough.
> It sounds like your client does not understand how web browser technology
> works.
>
> You could always offer to build a custom browser ;)
>
> Ray
>
> On Fri, 2018-11-02 at 13:01 -0400, David Curry wrote:
>
> Well, if I had my way, we wouldn't be doing it at all. :-)
>
> But one of the business units here wants their application to (a) use the
> "standard" login page provided by the CAS server but (b) prompt for
> credentials every time you open a tab/window and go to it. "But that's not
> single sign-on," I say. "But it's what we want," they say. Sigh.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
>
>
> On Fri, Nov 2, 2018 at 12:31 PM Christian Poirier 
> wrote:
>
> Hi Dave
>
> I think the better way to do this is to open a new instance of your
> browser application instead of opening a new tab. The new tab is in the same
> context as your first tab and is therefore using the same authentication
> cookie. If you want CAS as you mention, you lose the essential use of an SSO.
> If you renew for the following tab, you will lose the authentication of the
> first tab.
>
> Christian Poirier
> Université TÉLUQ
> Québec, QC CANADA
>
>
> On Fri, 2 Nov 2018 at 10:41, David Curry wrote:
>
>
> Can I force a service to authenticate every time from the CAS server side,
> e.g., by setting something in the service registry? Basically, I want to
> mimic the behavior of "=true" but not have to change anything on the
> client side.
>
> I thought setting "accessStrategy.ssoEnabled: false" in the service
> registry entry would do this, but in testing this morning, it appears
> that's not the case. That setting forces the service to prompt for login
> even if you've signed into something else through CAS, but it doesn't
> require you to re-enter your credentials every time you access the same
> service. What I want is "Open tab, go to X, enter credentials. Open another
> tab, go to X again, have to enter credentials again."
>
> CAS 5.2.x, BTW.
>
> Thanks,
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAO0A_FHTayuNX25UxC0rpY2DPzy5_d1xuyk%3DVSfCqR18g%40mail.gmail.com
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAO0A_FHTayuNX25UxC0rpY2DPzy5_d1xuyk%3DVSfCqR18g%40mail.gmail.com?utm_medium=email_source=footer>
> .
>

Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
Well, if I had my way, we wouldn't be doing it at all. :-)

But one of the business units here wants their application to (a) use the
"standard" login page provided by the CAS server but (b) prompt for
credentials every time you open a tab/window and go to it. "But that's not
single sign-on," I say. "But it's what we want," they say. Sigh.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




On Fri, Nov 2, 2018 at 12:31 PM Christian Poirier 
wrote:

> Hi Dave
>
> I think the better way to do this is to open a new instance of your
> browser application instead of opening a new tab. The new tab is in the same
> context as your first tab and is therefore using the same authentication
> cookie. If you want CAS as you mention, you lose the essential use of an SSO.
> If you renew for the following tab, you will lose the authentication of the
> first tab.
>
> Christian Poirier
> Université TÉLUQ
> Québec, QC CANADA
>
>
> On Fri, 2 Nov 2018 at 10:41, David Curry wrote:
>
>>
>> Can I force a service to authenticate every time from the CAS server
>> side, e.g., by setting something in the service registry? Basically, I want
>> to mimic the behavior of "=true" but not have to change anything on
>> the client side.
>>
>> I thought setting "accessStrategy.ssoEnabled: false" in the service
>> registry entry would do this, but in testing this morning, it appears
>> that's not the case. That setting forces the service to prompt for login
>> even if you've signed into something else through CAS, but it doesn't
>> require you to re-enter your credentials every time you access the same
>> service. What I want is "Open tab, go to X, enter credentials. Open another
>> tab, go to X again, have to enter credentials again."
>>
>> CAS 5.2.x, BTW.
>>
>> Thanks,
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>



Re: [cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
Actually, now that you mention it, I'm not. I was using mod_auth_cas to
test it, but maybe that's not the best test case. I'll see if I can find
another one and "verify" what I'm seeing.

Thanks,
--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




On Fri, Nov 2, 2018 at 11:10 AM Daniel Ellentuck  wrote:

> Hi David,
>
> Are you sure the client application is redirecting the browser back to the
> CAS login following the initial login to the app?  Sounds like it's an
> issue of controlling the user's application session rather than the user's
> CAS SSO session.
>
> Dan
>
> Dan Ellentuck
> Columbia University I.T.
>
> On Fri, Nov 2, 2018 at 10:41 AM David Curry 
> wrote:
>
>>
>> Can I force a service to authenticate every time from the CAS server
>> side, e.g., by setting something in the service registry? Basically, I want
>> to mimic the behavior of "=true" but not have to change anything on
>> the client side.
>>
>> I thought setting "accessStrategy.ssoEnabled: false" in the service
>> registry entry would do this, but in testing this morning, it appears
>> that's not the case. That setting forces the service to prompt for login
>> even if you've signed into something else through CAS, but it doesn't
>> require you to re-enter your credentials every time you access the same
>> service. What I want is "Open tab, go to X, enter credentials. Open another
>> tab, go to X again, have to enter credentials again."
>>
>> CAS 5.2.x, BTW.
>>
>> Thanks,
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>



[cas-user] Force service to authenticate every time from server side?

2018-11-02 Thread David Curry
Can I force a service to authenticate every time from the CAS server side,
e.g., by setting something in the service registry? Basically, I want to
mimic the behavior of "=true" but not have to change anything on the
client side.

I thought setting "accessStrategy.ssoEnabled: false" in the service
registry entry would do this, but in testing this morning, it appears
that's not the case. That setting forces the service to prompt for login
even if you've signed into something else through CAS, but it doesn't
require you to re-enter your credentials every time you access the same
service. What I want is "Open tab, go to X, enter credentials. Open another
tab, go to X again, have to enter credentials again."

CAS 5.2.x, BTW.

Thanks,
--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



[cas-user] Deploying Apereo CAS document updated (finally)!

2018-10-18 Thread David Curry
For those of you who have been waiting (and waiting, and waiting, ...) for
me to update my *Deploying Apereo CAS* documentation, I have finally gotten
enough time to do that. Aside from dozens of minor updates and corrections
accumulated over the last 8 or 9 months, the following major sections have
been completed/added:

   - Customizing the CAS user interface
  - How CAS themes work
  - How Thymeleaf layouts work
  - Add a new theme to the overlay
  - Build and deploy the overlay
  - Develop the custom theme
   - Google Apps (G Suite) integration
  - Generate keys and certificates
  - Configure Google single sign-on
   - Moving to production
   - Configuration changes
  - Problems encountered

As always, the documentation can be found here:
https://dacurry-tns.github.io/deploying-apereo-cas/

This pretty much does it for now -- the document more or less reflects what
we're running in production (CAS 5.2.*x*), and we don't plan to go to CAS
5.3 unless something forces us to. The next major release for us will be
CAS 6.*something.* I will almost certainly be updating the document once we
start working on that, since we use it internally as a reference as well.
But that probably won't happen until the end of this year or the beginning
of next year at the earliest (sorry).

Enjoy,
--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




Re: [cas-user] Re: Which dependencies can I remove if I am not using embedded Tomcat?

2018-10-18 Thread David Curry
Ganesh,

Our CAS 5.2.7 WAR file is 121MB with the following dependencies:

cas-server-support-mongo-service-registry
cas-server-support-ldap
cas-server-support-saml
cas-server-support-saml-idp
cas-server-support-saml-googleapps
cas-server-support-duo
cas-server-support-mongo-ticket-registry


We deploy it to a standalone Tomcat, but we deploy as an exploded WAR file
(directory).

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Thu, Oct 18, 2018 at 12:48 PM Ganesh Prasad  wrote:

> Thanks for your help, Andy, and sorry for troubling you again.
>
> I could remove all the other libraries below:
>
> tomcat-embed-core
> tomcat-embed-el
> jstl
> javax.inject
> servlet-api
>
> But when I removed tomcat-catalina, I got an error when Maven was about to
> build the war file:
>
> Failed to execute goal org.apache.maven.plugins:maven-war-plugin:3.2.1:war
> (default-war) on project iam: Error assembling WAR: webxml attribute is
> required (or pre-existing WEB-INF/web.xml if executing in update mode)
>
> What could be going wrong?
>
> Also, since you deploy the war file to a standalone Tomcat server, how
> large is your war file? Mine is 102 MB. Is this reasonable?
>
> Regards,
> Ganesh
>
> On Thursday, 18 October 2018 18:56:03 UTC+11, Andy Ng wrote:
>>
>> Hi Ganesh,
>>
>> I forgot to clarify, our CAS server is also using Tomcat war deployment
>> (CAS 5.x, it has been running for at least 5 months now), and I don't have the
>> following in my pom.xml
>>
>>- tomcat-embed-core
>>- tomcat-embed-el
>>- tomcat-catalina
>>- jstl
>>
>> So I think it is safe to assume those are not needed.
>>
>> As for:
>>
>>- javax.inject
>>- servlet-api
>>
>> Those are used by us to enable some custom features. If I remove those
>> customizations, those 2 are not needed as well.
>>
>> Hope this info gives you more peace of mind when cleaning up your pom.xml
>> :)
>>
>> Cheers!
>> - Andy
>>
>>
>>
>>



Re: [cas-user] Unable to Retrieve CAS User Attributes (CAS 5.3.x)

2018-10-01 Thread David Curry
You should be using the samlValidate endpoint, not the serviceValidate
endpoint in the CASValidateUrl. See the mod_auth_cas documentation.



On Mon, Oct 1, 2018 at 3:18 PM Fahmi L. Ramdhani <
fahmilestianramdh...@gmail.com> wrote:

> Hi,
>
> I'm unable to retrieve CAS User Attributes using mod_auth_cas. Below is
> my configuration:
> *100-domain.com.conf*
> 
> 
> ServerName domain.com
> ServerAlias www.domain.com
> ServerAdmin ad...@domain.com
>
>
> DocumentRoot /home/user/www/sites/domain.com
> 
> 
> CASAuthNHeader On
> AuthType CAS
> 
>
>
> # Options Indexes FollowSymLinks
> # AllowOverride All
> # Require all granted
> Require valid-user
> 
>
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
>
> SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
>
>
> Include /etc/letsencrypt/options-ssl-apache.conf
>
>
> 
> CASLoginUrl   https://login.domain.com/cas/login
> CASValidateUrl https://login.domain.com/cas/serviceValidate
> CASValidateServer off
> CASCookiePath /var/cache/apache2/mod_auth_cas/
> CASSSOEnabled On
> CASDebug  Off
> 
>
>
> 
>
>
> And this is my *cas.properties*:
> ## ATTRIBUTES
> cas.authn.attributeRepository.jdbc[0].sql = SELECT * FROM user_attributes
> WHERE {0}
> cas.authn.attributeRepository.jdbc[0].healthQuery = SELECT 1
> cas.authn.attributeRepository.jdbc[0].driverClass = com.mysql.jdbc.Driver
> cas.authn.attributeRepository.jdbc[0].url = jdbc:mysql://localhost:3306/cas
> cas.authn.attributeRepository.jdbc[0].user = root
> cas.authn.attributeRepository.jdbc[0].password = xxx
> cas.authn.attributeRepository.jdbc[0].dialect = org.hibernate.dialect.MySQLDialect
> cas.authn.attributeRepository.jdbc[0].singleRow = false
> cas.authn.attributeRepository.jdbc[0].username = email
> cas.authn.attributeRepository.jdbc[0].columnMappings.key = value
>
> cas.authn.attributeRepository.defaultAttributesToRelease=first_name,
> last_name,company_name
>
>
> Login was successful, but the HTML output is:
> Secured Content
>
> This is some secure content. You should not be able to see it until you
> have entered your username and password.
>
>
> Attributes Returned by CAS
>
> REMOTE_USER = u...@domain.com
> HostConnectionCache-ControlUpgrade-Insecure-RequestsUser-AgentAcceptRefererAccept-EncodingAccept-LanguageCookieOn
>
>
> The attributes are not showing. Does anyone have a solution to this problem?
> Thanks.
>



Re: [cas-user] Re: Applying Custom Theme CAS 5.3.x

2018-09-28 Thread David Curry
The static/themes/skeleton and templates/skeleton subdirectories do not
belong in etc/cas/config; they belong in src/main/resources in your overlay
so that they get bundled into cas.war.

Like this:

/opt/workspace/cas-overlay-template/
├── LICENSE.txt
├── README.md
├── build.cmd
├── build.sh*
├── etc/
│   └── cas/
│   ├── config/
│   │   ├── admusers.properties
│   │   ├── application.yml
│   │   ├── cas.properties
│   │   └── log4j2.xml
│   ├── google/
│   │   ├── privatekey.der
│   │   ├── privatekey.pem
│   │   ├── publickey.der
│   │   └── x509.pem
│   ├── saml/
│   │   ├── idp-encryption.crt
│   │   ├── idp-encryption.key
│   │   ├── idp-metadata.xml
│   │   ├── idp-signing.crt
│   │   └── idp-signing.key
│   └── services/
├── maven/
├── mvnw*
├── mvnw.bat*
├── pom.xml*
├── src/
│   └── main/
│   └── resources/
│   ├── custom_messages.properties
│   ├── newschool.properties
│   ├── static/
│   │   └── themes/
│   │   └── newschool/
│   │   ├── css/
│   │   │   ├── admin.css
│   │   │   ├── bootstrap-material-design.min.css
│   │   │   ├── newschool.css
│   │   │   └── ripples.min.css
│   │   ├── fonts/
│   │   │   └── Neue/
│   │   │   ├── Neue-Black.eot
│   │   │   ├── Neue-Black.svg
│   │   │   ├── Neue-Black.ttf
│   │   │   ├── Neue-Black.woff
│   │   │   ├── Neue-Bold.eot
│   │   │   ├── Neue-Bold.svg
│   │   │   ├── Neue-Bold.ttf
│   │   │   ├── Neue-Bold.woff
│   │   │   ├── Neue-BoldItalic.svg
│   │   │   ├── Neue-BoldItalic.ttf
│   │   │   ├── Neue-BoldItalic.woff
│   │   │   ├── Neue-Regular.eot
│   │   │   ├── Neue-Regular.svg
│   │   │   ├── Neue-Regular.ttf
│   │   │   ├── Neue-Regular.woff
│   │   │   ├── Neue-RegularItalic.eot
│   │   │   ├── Neue-RegularItalic.svg
│   │   │   ├── Neue-RegularItalic.ttf
│   │   │   ├── Neue-RegularItalic.woff
│   │   │   ├── NeueDisplay-Black.eot
│   │   │   ├── NeueDisplay-Black.svg
│   │   │   ├── NeueDisplay-Black.ttf
│   │   │   ├── NeueDisplay-Black.woff
│   │   │   ├── NeueDisplay-Random.eot
│   │   │   ├── NeueDisplay-Random.svg
│   │   │   ├── NeueDisplay-Random.ttf
│   │   │   ├── NeueDisplay-Random.woff
│   │   │   ├── NeueDisplay-Ultra.eot
│   │   │   ├── NeueDisplay-Ultra.svg
│   │   │   ├── NeueDisplay-Ultra.ttf
│   │   │   ├── NeueDisplay-Ultra.woff
│   │   │   ├── NeueDisplay-Wide.eot
│   │   │   ├── NeueDisplay-Wide.svg
│   │   │   ├── NeueDisplay-Wide.ttf
│   │   │   └── NeueDisplay-Wide.woff
│   │   ├── images/
│   │   │   ├── appleicon.png
│   │   │   ├── background.jpg
│   │   │   └── favicon.ico
│   │   └── js/
│   │   ├── duo/
│   │   │   ├── Duo-Web-v2-fix.js
│   │   │   └── Duo-Web-v2-fix.min.js
│   │   ├── material.min.js
│   │   ├── newschool.js
│   │   └── ripples.min.js
│   └── templates/
│   └── newschool/
│   ├── casAcceptableUsagePolicyView.html
│   ├── casAccountDisabledView.html
│   ├── casAccountLockedView.html
│   ├── casAuthenticationBlockedView.html
│   ├── casAuthyLoginView.html
│   ├── casAzureAuthenticatorLoginView.html
│   ├── casBadHoursView.html
│   ├── casBadWorkstationView.html
│   ├── casConfirmLogoutView.html
│   ├── casConfirmView.html
│   ├── casConsentLogoutView.html
│   ├── casConsentReviewView.html
│   ├── casConsentView.html
│   ├── casDuoLoginView.html
│   ├── casExpiredPassView.html
│   ├── casGenericSuccessView.html
│   ├── casGoogleAuthenticatorLoginView.html
│   ├── casGoogleAuthenticatorRegistrationView.html
│   ├── casGuaDisplayUserGraphicsView.html
│   ├── casGuaGetUserIdView.html
│   ├── casInterruptView.html
│   ├── 

Re: [cas-user] TARGET URL parameter associated with samlValidate can be misused to redirect to malicious sites (?)

2018-09-27 Thread David Curry
I think Andy's right here... when I try this on my CAS server, which does
*not* have the wildcard service registry entry, I get (correctly)
redirected to the "Application not authorized to use SSO" page.

--Dave



On Thu, Sep 27, 2018 at 5:15 AM Andy Ng  wrote:

> Hi Ganesh,
>
> There is a default service that will silently enable all https-based
> services, called "HTTPSandIMAPS-1001.json":
>
> https://github.com/apereo/cas/blob/master/webapp/resources/services/HTTPSandIMAPS-1001.json
>
> Refer to this on how to disable that service:
>
> https://groups.google.com/a/apereo.org/forum/#!msg/cas-user/yD9WXk3n1K8/Hy0ssGBiAAAJ;context-place=forum/cas-user
>
> See if this is your problem?
>
> Cheers!
> - Andy
>
>
> On Thursday, 27 September 2018 15:49:28 UTC+8, Bergner, Arnold wrote:
>>
>> Hi Ganesh,
>>
>>
>>
>> when I submit “/login?TARGET=https://yahoo.com” to our cas v5.2, I get
>> an “application not authorized” error, so no redirection is happening.
>>
>>
>>
>> Maybe it’s a hole resulting from your service definitions?
>>
>>
>>
>> Regards,
>>
>> Arnold
>>
>>
>>
>> *Von:* cas-...@apereo.org [mailto:cas-...@apereo.org] *Im Auftrag von *Ganesh
>> Prasad
>> *Gesendet:* Donnerstag, 27. September 2018 08:31
>> *An:* CAS Community 
>> *Betreff:* [cas-user] TARGET URL parameter associated with samlValidate
>> can be misused to redirect to malicious sites (?)
>>
>>
>>
>> Hi,
>>
>>
>>
>> We recently commissioned a third-party security audit of our application,
>> and one of the findings was this:
>>
>>
>>
>> Cross-Site Redirection (Medium Impact, Moderate Difficulty in exploiting)
>>
>>
>>
>> If one pastes this string into the browser https://*cas.mydomain.com*
>> /cas/login?TARGET=https://yahoo.com
>> 
>>
>>
>>
>> then, after authentication, the browser is redirected without complaint
>> to yahoo.com.
>>
>>
>>
>> The report said in detail:
>>
>>
>>
>> "The application was found to take a URL as a parameter to determine
>> where to direct the user.  found that this URL can be any value
>> allowing an attacker to insert a malicious URL that can be used to redirect
>> to an external site before or after authentication.
>>
>> A link to the login page, containing this URL could therefore be created,
>> which can then be sent to a victim (e.g. as an email phishing attack). When
>> the victim accesses this link, they are initially sent to the valid site.
>> After authentication they can be redirected to a third party site without
>> their knowledge.
>>
>> This second site could be under the control of an attacker, and perform
>> such actions as re-requesting their authentication details and performing a
>> man-in-the-middle attack between the victim and the client's site,
>> ultimately giving the attacker authenticated access to the application."
>>
>>
>>
>> My questions are:
>>
>> 1. Is this a security hole in CAS as suggested by the security auditor?
>>
>> 2. Is there a workaround that we can implement?
>>
>>
>>
>> Regards,
>>
>> Ganesh
>>
>>
>>

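The thread above turns on which service definitions a CAS server has registered: the TARGET (or service) URL is only redirected to if some RegexRegisteredService's serviceId regex matches it, otherwise the user lands on the "Application not authorized to use SSO" page. The following is an added illustration, not code from the CAS project, that reproduces that decision for three constructed registries: the default wildcard pattern Andy pointed at, a tightened registry, and a loosely written pattern that still lets a look-alike hostname through. It assumes CAS evaluates serviceId as a full-string Java regex match in ascending evaluationOrder; the service names, hostnames and evaluationOrder values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RegisteredService:
    """Subset of a CAS JSON service definition (RegexRegisteredService)."""
    name: str
    service_id: str          # the "serviceId" regex from the JSON file
    evaluation_order: int    # the "evaluationOrder" field; lowest wins


def find_matching_service(registry: Iterable[RegisteredService],
                          url: str) -> Optional[RegisteredService]:
    """Return the service definition CAS would authorize for this URL.

    Assumption: CAS compiles serviceId as a java.util.regex.Pattern and
    calls matches(), a full-string match, so re.fullmatch is the Python
    equivalent. Definitions are tried in ascending evaluationOrder.
    """
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if re.fullmatch(svc.service_id, url):
            return svc
    return None


def login_outcome(registry: Iterable[RegisteredService], target: str) -> str:
    """What /cas/login?TARGET=<target> does after authentication:
    'redirect' to the target, or 'unauthorized' (the "Application not
    authorized to use SSO" page) when no service definition matches."""
    return "redirect" if find_matching_service(registry, target) else "unauthorized"


# Constructed registries for this example.
# 1. The default HTTPSandIMAPS-1001.json pattern quoted in the thread:
#    every https:// or imaps:// URL is an authorized service.
WILDCARD_REGISTRY = [
    RegisteredService("HTTPS and IMAPS", r"^(https|imaps)://.*", 10000),
]

# 2. The default removed; only the real applications are listed. Escaped
#    dots and an explicit path boundary after the host keep it tight.
STRICT_REGISTRY = [
    RegisteredService("Student portal", r"^https://portal\.example\.edu(/.*)?", 10),
    RegisteredService("Library proxy", r"^https://library\.example\.edu/login(\?.*)?", 20),
]

# 3. A tempting shortcut that is still too loose: nothing separates the
#    host from whatever follows it, so a hostname that merely starts with
#    the expected name also matches.
LOOSE_REGISTRY = [
    RegisteredService("Student portal (loose)", r"^https://portal\.example\.edu.*", 10),
]

AUDIT_URL = "https://yahoo.com"                                        # auditor's test
LOOKALIKE_URL = "https://portal.example.edu.attacker-example.test/"    # constructed

if __name__ == "__main__":
    for label, reg in (("wildcard", WILDCARD_REGISTRY),
                       ("strict", STRICT_REGISTRY),
                       ("loose", LOOSE_REGISTRY)):
        for url in (AUDIT_URL, LOOKALIKE_URL, "https://portal.example.edu/home"):
            print(f"{label:8s} TARGET={url}: {login_outcome(reg, url)}")
```

With the wildcard definition present both test URLs are redirected to, which is exactly what the audit observed; with it removed the decision comes down to how carefully each serviceId is written.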

Re: [cas-user] Re: Unauthorized After Login

2018-09-23 Thread David Curry
Using casuser/Mellon shouldn't make any difference.

Try turning mod_auth_cas debug logging on (CASDebug on) and see what it
tells you. Note that you also need to set the Apache logging level on the
virtual host to Debug to see the logs.



On Sun, Sep 23, 2018 at 12:33 PM Fahmi L. Ramdhani <
fahmilestianramdh...@gmail.com> wrote:

> I forgot to mention: I am logged in using the static CAS user, that is user
> *casuser* and password *Mellon*. Is there a problem with that?
>



Re: [cas-user] Unauthorized After Login

2018-09-23 Thread David Curry
That's usually a certificate problem. Are you using a self-signed
certificate on the CAS server? If so, you need to have

CASCertificatePath /etc/pki/tls/certs/casserver.crt

in the mod_auth_cas configuration.



On Sun, Sep 23, 2018 at 3:00 AM Fahmi L. Ramdhani <
fahmilestianramdh...@gmail.com> wrote:

> Hello, all. I tried to build a CAS server based on the guidelines from
> https://dacurry-tns.github.io/deploying-apereo-cas. In the trial phase my
> client application runs into a problem:
>
>
>> *Unauthorized*This server could not verify that you are authorized to
>> access the document requested. Either you supplied the wrong credentials
>> (e.g., bad password), or your browser doesn't understand how to supply the
>> credentials required.
>
>
> This problem appears after logging in. The CAS configuration is the
> following:
>
> *etc/cas/config/cas.properties*
> cas.server.name: https://cas.domain.com:8443
> cas.server.prefix: https://cas.domain.com:8443/cas
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
>
> cas.tgc.secure: true
> cas.tgc.crypto.signing.key: 
> cas.tgc.crypto.encryption.key: 
>
> cas.webflow.crypto.signing.key: x
> cas.webflow.crypto.encryption.key: xx
>
> cas.serviceRegistry.initFromJson: true
> cas.serviceRegistry.json.location: file:/etc/cas/services
>
> logging.config: file:/etc/cas/config/log4j2.xml
>
> *etc/cas/services/**HTTPSandIMAPSwildcard-1503925297.json*
>
> {
>   /*
>* Wildcard service definition that applies to any https or imaps url.
>* Do not use this definition in a production environment.
>*/
>   "@class" :"org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" :  "^(https|imaps)://.*",
>   "name" :  "HTTPS and IMAPS wildcard",
>   "id" :1503925297,
>   "evaluationOrder" :   9
> }
>
>
> *apache site virtualhost configuration*
> 
> ServerName cas.domain.com
> ServerAdmin ad...@domain.com
>
> 
> 
> AuthType CAS
> 
> Require valid-user
> 
>
> 
> CASLoginUrl   https://cas.domain.com:8443/cas/login
> CASValidateUrl https://cas.domain.com:8443/cas/serviceValidate
> CASCookiePath /var/cache/apache2/mod_auth_cas/
> CASSSOEnabled On
> CASDebug  Off
> 
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
> SSLCertificateFile /etc/pki/tls/certs/cas.crt
> SSLCertificateKeyFile /etc/pki/tls/private/cas.key
> 
>
>
> How can I solve this problem? I hope someone can provide a detailed solution
> for this. Thank you.
>


