[cas-user] delegation to Azure AD via pac4j with ssoEnabled=false in service

2024-09-26 Thread Pablo Vidaurri
I have CAS set up to either delegate users to Azure for login using pac4j or 
authenticate against LDAP. Works well.

Now I have a service that requires the user to always be prompted for 
credentials using ssoEnabled=false in the service file. This works as expected 
for LDAP, but when delegating to Azure AD, AD returns the token without 
prompting for credentials. I understand I can pass prompt=login to 
Azure to force prompting, but how can I trigger this behavior via the 
ssoEnabled service flag?

-psv

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c790427-7313-4c16-88e5-efc28cf97b3bn%40apereo.org.


[cas-user] Delegated Auth to Azure, DISSESSIONAuthnDelegation cookie

2024-08-18 Thread Pablo Vidaurri
Can anyone describe how the DISSESSIONAuthnDelegation cookie is used? I 
sometimes see an issue where the TST ticket is being persisted via JPA, 
then I see another TGT ticket with the value from the DISSESSIONAuthnDelegation 
cookie being persisted. Sometimes I get a constraint violation from JPA 
saying the DISSESSIONAuthnDelegation TGT already exists.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a0b335e7-8b89-411d-bf53-f60741a9f34dn%40apereo.org.


[cas-user] Re: Security concern allowing 127.0.0.1 (localhost) as allowed serviceID

2024-07-30 Thread Pablo Vidaurri
There is nothing stopping a user from adding an existing allowed serviceId 
to their hosts file pointing to 127.0.0.1. They'll be able to hit your 
login page, maybe even able to generate a TGT/ST, but the ST will fail on 
samlValidate when CAS tries to POST back to the serviceId.

I agree with the others though: if you enable localhost, you would not want 
this in your prod environment ... only something available within your 
internal network.

On Friday, July 12, 2024 at 3:53:04 AM UTC-5 jehan procaccia wrote:

> Hello
>
> developers ask us to allow serviceIDs of type https://localhost/* or 
> https://127.0.0.1/* in order to allow them to develop on their local 
> machine and test locally. 
> As system and network administrators we are afraid that this opening of 
> localhost serviceIDs might allow the entire world (all Internet-connected 
> devices and hence hackers!) to access our CAS server, allowing them for 
> example to brute force the web login interface or whatever other mischief 
> is possible. 
> Is this a real security breach to allow serviceIDs like https://localhost/*, 
> or are we anyway already exposed by our production services which allow 
> https://*.our-domain.fr/* serviceIDs, which could also be used by hackers 
> if they spoof our URLs? 
>
> thanks for your security advice regarding this question. 
>  
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e2f40aa5-2f86-4f50-9663-3f06eb57d435n%40apereo.org.
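A check that makes the question above concrete, added here as an example and not code from the thread or from CAS: CAS matches a serviceId as a regular expression, so the useful test is not to eyeball the pattern but to probe it with URLs it must accept and URLs it must never accept. The script assumes an unanchored search (Java find() semantics) as the pessimistic case; the canary URLs, the patterns under test and the our-domain.fr host taken from the question are all constructed for the demonstration.

```python
"""Probe CAS serviceId regex patterns with canary URLs.

Added example; not CAS project code. CAS treats a serviceId as a Java regular
expression. This script models the match with Python's re.search, i.e. an
unanchored search, as the pessimistic assumption. All URLs and patterns below
are constructed for the demonstration; our-domain.fr is the host from the
question.
"""
import re

# URLs the pattern is supposed to accept.
LEGIT = ["https://app.our-domain.fr/login"]

# Loopback targets a production pattern must never accept.
LOOPBACK = [
    "https://localhost/app/cas-callback",
    "https://localhost:8443/",
    "https://127.0.0.1/app",
    "http://127.0.0.1:8080/login",
]

# Foreign hosts dressed up to look like the legitimate one.
FOREIGN = [
    "https://evil.example/phish",
    "https://app.our-domain.fr.evil.example/",                # suffix spoof
    "https://app.our-domain.fr@evil.example/",                # userinfo trick
    "https://evil.example/?next=https://app.our-domain.fr/",  # embedded legit URL
]


def audit(service_id: str) -> dict:
    """Report which canaries a serviceId pattern accepts or wrongly rejects."""
    try:
        pattern = re.compile(service_id)
    except re.error as exc:
        return {"pattern": service_id, "error": str(exc)}
    return {
        "pattern": service_id,
        "loopback": [u for u in LOOPBACK if pattern.search(u)],
        "foreign": [u for u in FOREIGN if pattern.search(u)],
        "misses": [u for u in LEGIT if not pattern.search(u)],
    }


def verdict(report: dict) -> str:
    """Collapse a report into one word, worst finding first."""
    if "error" in report:
        return "invalid"
    if report["foreign"]:
        return "overbroad"
    if report["loopback"]:
        return "loopback"
    if report["misses"]:
        return "too-narrow"
    return "ok"


PATTERNS = [
    "https://*.our-domain.fr/*",               # glob syntax where a regex is expected
    "^https://localhost/.*",                   # what the developers asked for
    r"https://.*\.our-domain\.fr.*",           # escaped dots, but no anchors
    r"^https://[^/]*\.our-domain\.fr(/.*)?$",  # anchored, host ends at '/' or end
]

if __name__ == "__main__":
    for p in PATTERNS:
        report = audit(p)
        print(f"{verdict(report):10s} {p}")
        for key in ("loopback", "foreign", "misses"):
            for url in report.get(key, []):
                print(f"    {key:8s} {url}")
```

Run as is, it reports the glob-style https://*.our-domain.fr/* as too narrow (read as a regex it does not even match https://app.our-domain.fr/login), the developers' pattern as loopback, the unanchored https://.*\.our-domain\.fr.* as over-broad because it also accepts the legitimate hostname used as a suffix, as userinfo, or embedded in a foreign URL, and the anchored pattern as clean. Whichever way your CAS version anchors the match internally, writing ^ and $ yourself removes the dependency on that detail.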


[cas-user] Suggestions for registry cleaner when CAS is deployed to AWS

2024-06-07 Thread Pablo Vidaurri
Have CAS deployed to AWS with the ability to auto-scale new instances based on 
load/demand. At the moment the CAS configuration directory (where the 
cas.properties file lives) is raising some doubts. 

There are a couple of settings like host name and the registry cleaner enable 
flag. Host should usually be unique among instances and the cleaner flag should 
only be set on one instance.

How best to have a common properties file and define these flags per 
instance? I know I can pass in a -D flag at startup, but somewhere I still 
need to determine how to make the host unique and reserve a single host to 
enable the cleaner.

Is there a way to invoke the cleaner with an API call that I can trigger 
with a scheduled lambda?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d5c4e13e-f3f3-4833-973c-186784b4863bn%40apereo.org.


[cas-user] login flow: delegatedAuthentication step transition on resume event

2024-05-27 Thread Pablo Vidaurri
Any idea what triggers the resume event while performing delegated 
authentication? It seems this is trying to insert a TST into the db which 
already exists and is causing a PK constraint violation, then redirects to the 
error page. It is happening multiple times a day for some delegated users.

Login flow:
- delegatedAuthentication>
-- [TRANS] success -> createTicketGrantingTicket>
-- [TRANS] select -> delegatedAuthenticationSelectCredential>
-- [TRANS] generate -> initialAuthenticationRequestValidationCheck>
-- [TRANS] successWithWarnings -> showAuthenticationWarningMessages>
-- [TRANS] resume -> createTicketGrantingTicket>
-- [TRANS] authenticationFailure -> checkDelegatedAuthnFailureDecision>
-- [TRANS] stop -> stopWebflow>
-- [TRANS] warn -> warn>
-- [TRANS] generateServiceTicket -> generateServiceTicket>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/230cdd33-5e3d-40ed-933d-ec4e97e7fe2fn%40apereo.org.


[cas-user] Re: CAS 6.4 DelegatedAuthentication Loigout error

2024-04-26 Thread Pablo Vidaurri
Thank you for the link. I have reviewed it and made a slight modification to use 
AzureAdProfile.class instead of OidcProfile.class. 

So far looking much better.
I appreciate the assist!

-psv


On Thursday, April 25, 2024 at 6:08:58 AM UTC-5 flo13270 wrote:

> Hello,
> Yes, I solved the problem by modifying the file 
> support/cas-server-support-pac4j-core-clients/src/main/java/org/apereo/cas/support/pac4j/serialization/DelegatedClientJacksonModule.java
>
> https://github.com/apereo/cas/pull/5626/files
>
> Hope it works for you too
> Le jeudi 18 avril 2024 à 06:43:45 UTC+2, Pablo Vidaurri a écrit :
>
>> Did you get around this issue. Facing the same problem with Azure AD 
>> delegation but I'm using Postgres not Mongo.
>>
>> Looks like perhaps when the user profile is being saved to the session it may 
>> end up getting encrypted. On the saveAll, I see the user profile in the logs as 
>> plain text. But when reading the user profile from the session, in the debugger it looks like 
>> it is trying to cast an encrypted string to a UserProfile object.
>>
>> -psv
>>
>> On Wednesday, March 29, 2023 at 9:15:00 AM UTC-5 flo13270 wrote:
>>
>>> Hi,
>>> We encounter a similar problem.
>>>
>>> Migration from CAS 5.3 (with Redis) to CAS 6.6 (with Mongo) broke the 
>>> logout of users authenticated through OIDC.
>>> ("class java.lang.String cannot be cast to class 
>>> org.pac4j.core.profile.UserProfile")
>>>
>>> Did you finally succeed in fixing it while still using Mongo?
>>>
>>> Thanks,
>>>
>>>
>>> Florian Nari,
>>> Software developer at Paris 1 Panthéon-Sorbonne University
>>> Le jeudi 26 août 2021 à 12:31:38 UTC+2, jdne...@gmail.com a écrit :
>>>
>>>> Hi, in my test I realized that there is some interaction with the mongo 
>>>> ticket registry. When I set the default ticket registry or now the redis ticket 
>>>> registry there is no problem in logout, but the mongo log is set to debug and 
>>>> no messages are displayed.
>>>>
>>>> Maybe I need to put some other module than mongo on debug; I thought 
>>>> that something is broken when something searches for the user profile.
>>>>
>>>> El miércoles, 25 de agosto de 2021 a las 10:24:45 UTC+2, Juan Manuel 
>>>> Díaz Nevado escribió:
>>>>
>>>>> hi, 
>>>>>
>>>>> I updated from CAS 6.3 to 6.4 yesterday, not many changes in config 
>>>>> and all works nicely, but logout when the user is authenticated through 
>>>>> Azure OIDC delegated 
>>>>> auth shows a Java exception:
>>>>>
>>>>> org.springframework.webflow.execution.ActionExecutionException: 
>>>>> Exception thrown executing 
>>>>> org.apereo.cas.web.flow.DelegatedAuthenticationClientLogoutAction@d827673 
>>>>> in state 'terminateSession' of flow 'logout' -- action execution 
>>>>> attributes 
>>>>> were 'map[[empty]]' at 
>>>>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
>>>>>  
>>>>> at 
>>>>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>>>>  
>>>>> at 
>>>>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>  
>>>>> at 
>>>>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>  
>>>>> at 
>>>>> org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>  
>>>>> at org.springframework.webflow.engine.State.enter(State.java:193) at 
>>>>> org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>> 
>>>>> 
>>>>> at 
>>>>> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>>>>>  
>>>>> at 
>>>>> org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
>>>>>  
>>>>> at 
>>>>> org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
>>>>>  
>>>>> at 
>>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>  
>>>>> at java.base/java.lang.Thread.run(Thread.java:834) Caused by: 
>>>>

[cas-user] Re: CAS 6.4 DelegatedAuthentication Loigout error

2024-04-17 Thread Pablo Vidaurri
Did you get around this issue. Facing the same problem with Azure AD 
delegation but I'm using Postgres not Mongo.

Looks like perhaps when the user profile is being saved to the session it may 
end up getting encrypted. On the saveAll, I see the user profile in the logs as 
plain text. But when reading the user profile from the session, in the debugger it looks like 
it is trying to cast an encrypted string to a UserProfile object.

-psv

On Wednesday, March 29, 2023 at 9:15:00 AM UTC-5 flo13270 wrote:

> Hi,
> We encounter a similar problem.
>
> Migration from CAS 5.3 (with Redis) to CAS 6.6 (with Mongo) broke the 
> logout of users authenticated through OIDC.
> ("class java.lang.String cannot be cast to class 
> org.pac4j.core.profile.UserProfile")
>
> Did you finally succeed in fixing it while still using Mongo?
>
> Thanks,
>
>
> Florian Nari,
> Software developer at Paris 1 Panthéon-Sorbonne University
> Le jeudi 26 août 2021 à 12:31:38 UTC+2, jdne...@gmail.com a écrit :
>
>> Hi, in my test I realized that there is some interaction with the mongo 
>> ticket registry. When I set the default ticket registry or now the redis ticket 
>> registry there is no problem in logout, but the mongo log is set to debug and 
>> no messages are displayed.
>>
>> Maybe I need to put some other module than mongo on debug; I thought that 
>> something is broken when something searches for the user profile.
>>
>> El miércoles, 25 de agosto de 2021 a las 10:24:45 UTC+2, Juan Manuel Díaz 
>> Nevado escribió:
>>
>>> hi, 
>>>
>>> I updated from CAS 6.3 to 6.4 yesterday, not many changes in config and 
>>> all works nicely, but logout when the user is authenticated through Azure OIDC delegated 
>>> auth shows a Java exception:
>>>
>>> org.springframework.webflow.execution.ActionExecutionException: 
>>> Exception thrown executing 
>>> org.apereo.cas.web.flow.DelegatedAuthenticationClientLogoutAction@d827673 
>>> in state 'terminateSession' of flow 'logout' -- action execution attributes 
>>> were 'map[[empty]]' at 
>>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
>>>  
>>> at 
>>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>>  
>>> at 
>>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>  
>>> at 
>>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>  
>>> at 
>>> org.springframework.webflow.engine.ActionList.execute(ActionList.java:154) 
>>> at org.springframework.webflow.engine.State.enter(State.java:193) at 
>>> org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>> 
>>> 
>>> at 
>>> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>>>  
>>> at 
>>> org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
>>>  
>>> at 
>>> org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
>>>  
>>> at 
>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>  
>>> at java.base/java.lang.Thread.run(Thread.java:834) Caused by: 
>>> java.lang.ClassCastException: class java.lang.String cannot be cast to 
>>> class org.pac4j.core.profile.UserProfile (java.lang.String is in module 
>>> java.base of loader 'bootstrap'; org.pac4j.core.profile.UserProfile is in 
>>> unnamed module of loader 
>>> org.springframework.boot.loader.LaunchedURLClassLoader @25f38edc) at 
>>> org.pac4j.core.profile.ProfileManager.removeOrRenewExpiredProfiles(ProfileManager.java:90)
>>>  
>>> at 
>>> org.pac4j.core.profile.ProfileManager.retrieveAll(ProfileManager.java:81) 
>>> at org.pac4j.core.profile.ProfileManager.getProfile(ProfileManager.java:48) 
>>> at 
>>> org.apereo.cas.web.flow.DelegatedAuthenticationClientLogoutAction.findCurrentProfile(DelegatedAuthenticationClientLogoutAction.java:100)
>>>  
>>> at 
>>> org.apereo.cas.web.flow.DelegatedAuthenticationClientLogoutAction.doPreExecute(DelegatedAuthenticationClientLogoutAction.java:49)
>>>  
>>> at 
>>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:186)
>>>  
>>> at jdk.internal.reflect.GeneratedMethodAccessor149.invoke(Unknown Source) 
>>> at 
>>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>  
>>> at java.base/java.lang.reflect.Method.invoke(Method.java:566) at 
>>> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282)
>>>  
>>> at 
>>> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:485)
>>>  
>>> at 
>>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
>>>  
>>> at 
>>> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
>>>  
>>> at com.sun.proxy.$Proxy292.execute(Unknown Source) at 
>>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>  
>>> ... 92 more
>>>
>>> A

[cas-user] Re: Azure AD Delegated login, issue with DISSESSION cookie during logout

2024-04-17 Thread Pablo Vidaurri
4LTYxODExM3QAA29pZHQAJDJmMmRlYTk0LTA1YzYtNGVjMS1iZmQ4LTdlOTllNTA3Y2JkNnQAA3V0aXQAFk1PQXN2QWRfRmt1R2NpOUV3QkV3QUF0AApnaXZlbl9uYW1ldAAESnVhbnQABW5vbmNldAArVDZZUXV1UGR4VXRIN3lTRWdNWmZVbGcwalNNOTBnYWxJTVZSN2F1V3A4c3QAA3RpZHQAJDY4NmVhMWQzLWJjMmItNGM2Zi1hOTJjLWQ5OWM1YzMwMTYzNXQAGHRva2VuX2V4cGlyYXRpb25fYWR2YW5jZXNyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAdAADYXVkc3EAfgAQAXcEAXQAJGI3ZTFiYWMyLTljNDctNDA3YS04MGM1LTgxZjRhN2Q2MGM4Znh0AAt1bmlxdWVfbmFtZXQAFGp1YW4ucGFkaWxsYUBueHAuY29tdAADdXBudAAUanVhbi5wYWRpbGxhQG54cC5jb210AANuYmZzcgAOamF2YS51dGlsLkRhdGVoaoEBS1l0GQMAAHhwdwgAAAGO7hOuOHh0AAJyaHQANjAuQVFJQTA2RnVhQ3U4YjB5cExObWNYREFXTmNLNjRiZEhuSHBBZ01XQjlLZldESThDQUJzLnQABG5hbWV0AAxKdWFuIFBhZGlsbGF0AANleHBzcQB+ADF3CY7uTzCYeHQABmlwYWRkcnQACjQuNTYuMS4yNDZ0AANpYXRzcQB+ADF3CY7uE644eHQAC2ZhbWlseV9uYW1ldAAHUGFkaWxsYXhzcQB+AAc/QHcIEAB4dwEAc3IAEWphdmEudXRpbC5IYXNoU2V0ukSFlZa4tzQDAAB4cHcMED9AeHNxAH4AQHcMED9AeHQAEEF6dXJlQWRFbXBDbGllbnRweA==

Looking at the debug statement for
2024-04-17 15:05:53,429 DEBUG [org.pac4j.core.profile.ProfileManager] 
(default task-1901) Saving profiles (session) ... I see values which look 
to be related to the profile (Azure AD user info).

Anyone dealt with this? Looks either to be a pac4j code issue or I'm 
missing a setting in my oidc config.

-psv


On Wednesday, January 10, 2024 at 10:28:32 PM UTC-6 Pablo Vidaurri wrote:

> CAS 6.6.8 
>
> A couple of problems with Azure AD delegated login via the pac4j OIDC out of 
> the box button click feature.
> 1) Two TGC cookies are being created, the 2nd with an empty value. This is 
> causing the TGC not being available and my session is not being created. 
> actuator/sso even returns a 400. To get around this I commented out a line 
> of code from InitialFlowSetupAction.java. That seems to get around this 
> issue but I'm not certain if I'm causing other issues.
>
> 2) I see a DISSESSION cookie being created at login. I don't recall seeing 
> this cookie before enabling delegated login to Azure AD. The problem that 
> I'm seeing with this is that I get a 500 error when logging out. 
>
> 2024-01-08 15:29:13,937 ERROR 
> [org.springframework.boot.web.servlet.support.ErrorPageFilter] (default 
> task-454) Forwarding to error page from request [/logout] 
> due to exception [Exception thrown executing 
> org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction@4120bab
>  
> in state 'terminateSession' of flow 'logout' 
> -- action execution attributes were 'map[[empty]]']: 
> org.springframework.webflow.execution.ActionExecutionException: 
> Exception thrown executing 
> org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction@4120bab
>  
> in state 'terminateSession' of 
> flow 'logout' -- action execution attributes were 'map[[empty]]'
> .
> .
> .
> Caused by: java.lang.ClassCastException: class java.lang.String cannot be 
> cast to class org.pac4j.core.profile.UserProfile (java.lang.String is in 
> module java.base of loader 'bootstrap'; 
> org.pac4j.core.profile.UserProfile is in unnamed module of loader 
> 'deployment.cas.war' @512a9b9)
> at 
> deployment.cas.war//org.pac4j.core.profile.ProfileManager.removeOrRenewExpiredProfiles(ProfileManager.java:98)
> at 
> deployment.cas.war//org.pac4j.core.profile.ProfileManager.retrieveAll(ProfileManager.java:89)
> at 
> deployment.cas.war//org.pac4j.core.profile.ProfileManager.getProfile(ProfileManager.java:50)
>
> If I manually delete the cookie after login, I see my session is still 
> active, actuator/sso returns 200 with session info, and logout is not an 
> issue.
>
> -psv
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8fd951ad-d92e-4c31-b766-1cff21c641e7n%40apereo.org.
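The value quoted at the top of the post is a base64 Java serialization stream, which is why class names such as java.lang.Integer, java.util.Date and java.util.HashSet can be read straight out of it once decoded. What follows is an added example, not pac4j or CAS code, for inspecting such a value: it checks for the 0xACED0005 magic, which tells you whether the profile is stored in the clear rather than encrypted, and lists the TC_STRING and class-name records so you can see which claims travel in the cookie or session attribute. The sample stream is constructed from a handful of made-up claims rather than taken from the post; the AzureAdProfile class name is the one pac4j uses for Azure AD profiles.

```python
"""Inspect a base64 value suspected to hold a Java-serialized pac4j profile.

Added example, not CAS or pac4j code. A value that decodes to a stream
starting with the Java serialization magic 0xACED0005 is stored in the clear,
and its TC_STRING (0x74) and class-name (0x72) records reveal which claims and
classes it carries. The sample blob is constructed here from a few strings; a
real profile is a full object graph, but the same record markers appear in it.
"""
import base64
import binascii
from typing import Optional

MAGIC = b"\xac\xed\x00\x05"
TC_STRING = 0x74
TC_CLASSDESC = 0x72


def build_sample_stream(class_name: str, claims: dict) -> bytes:
    """Emit a minimal stream: magic, a class-name record, then claim strings."""
    def record(tag: int, s: str) -> bytes:
        data = s.encode("utf-8")  # ASCII here, so modified UTF-8 == UTF-8
        return bytes([tag]) + len(data).to_bytes(2, "big") + data
    out = MAGIC + record(TC_CLASSDESC, class_name)
    for key, value in claims.items():
        out += record(TC_STRING, key) + record(TC_STRING, str(value))
    return out


def decode_value(value: str) -> Optional[bytes]:
    """Base64-decode a cookie/session value, tolerating stripped padding."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def is_java_serialized(data: bytes) -> bool:
    return data[:4] == MAGIC


def extract_strings(data: bytes, min_len: int = 3, max_len: int = 512):
    """Walk the stream and pull out length-prefixed string/class-name records."""
    found = []
    i = 0
    while i + 3 <= len(data):
        tag = data[i]
        if tag in (TC_STRING, TC_CLASSDESC):
            n = int.from_bytes(data[i + 1:i + 3], "big")
            chunk = data[i + 3:i + 3 + n]
            if min_len <= n <= max_len and len(chunk) == n:
                try:
                    text = chunk.decode("utf-8")
                except UnicodeDecodeError:
                    text = None
                if text and text.isprintable():
                    found.append(("class" if tag == TC_CLASSDESC else "string", text))
                    i += 3 + n  # skip the whole record, not just its tag
                    continue
        i += 1
    return found


def inspect_value(value: str) -> dict:
    """Classify a value: valid base64? plain Java serialization? which records?"""
    data = decode_value(value)
    if data is None:
        return {"base64": False, "serialized": False, "records": []}
    serialized = is_java_serialized(data)
    return {
        "base64": True,
        "serialized": serialized,
        "records": extract_strings(data) if serialized else [],
    }


# Constructed sample: pac4j's Azure AD profile class plus a few claim names of
# the kind seen in the thread, with made-up values.
SAMPLE = base64.b64encode(build_sample_stream(
    "org.pac4j.oidc.profile.azuread.AzureAdProfile",
    {"upn": "jane.doe@example.com", "unique_name": "jane.doe@example.com",
     "name": "Jane Doe", "ipaddr": "192.0.2.10"},
)).decode("ascii")

if __name__ == "__main__":
    for kind, text in inspect_value(SAMPLE)["records"]:
        print(f"{kind:6s} {text}")
```

If a production value does not start with the magic after base64 decoding, it has been encrypted or signed by the time it reached the cookie or session store, which is the state in which a profile lookup would hand back a String rather than a UserProfile; if it does, the listed records are exactly what anyone holding that cookie can read.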


[cas-user] service file to support delegated and ldap authentication

2024-04-16 Thread Pablo Vidaurri
I have a service with a login form. The login form also has a link to Azure 
AD for delegated login for certain users.

When the link is used, I see a message in my logs:
Registered service [FOOBAR] does not define any authorized/supported 
delegated authentication providers. It is STRONGLY recommended that you 
authorize and assign providers to the service definition. While just a 
warning for now, this behavior will be enforced by CAS in future versions.

I assume it wants an entry in the service file like:
"accessStrategy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
  "delegatedAuthenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
    "allowedProviders" : [ "java.util.ArrayList", [ "FOOBAR" ] ],
    "permitUndefined" : true,
    "exclusive" : false
  }
}

This should still allow LDAP authentication, correct?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c30b3a83-5d28-4667-a6e9-d8e5d820e49en%40apereo.org.


Re: [cas-user] CAS 6.2.X: TGC Cookie set twice

2024-04-03 Thread Pablo Vidaurri
Hi Petr, 

It looks like I must have changed it after that post. I did not comment out 
the entire clearTicketGrantingCookieFromContext call, just commented out 
the line contained within it:
// ticketGrantingTicketCookieGenerator.removeCookie(response);

I've dedicated today to debugging this:

ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-76) 
Batch entry 0 insert into Postgres_Jpa_Ticket_Entity (body, creation_Time, 
parent_Id, principal_Id, type, id) values 
('{"@class":"org.apereo.cas.ticket.TransientSessionTicketImpl","@id":1,"expirationPolicy":{"@class":"org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy$TransientSessionTicketExpirationPolicy","numberOfUses":3,"timeToLive":180,"name":"TransientSessionTicketExpirationPolicy-2547f234-9127-460d-9310-b1f901df3e40"},"id":"TST-xxx","lastTimeUsed":"2024-04-03T15:15:44.23861Z","creationTime":"2024-04-03T15:15:44.23861Z","properties":{"@class":"java.util.HashMap","AzureAdClient$stateSessionParameter":{"@class":"com.nimbusds.oauth2.sdk.id.State","value":"561f9c172a"}},"prefix":"TST"}',
 
'2024-04-03 15:15:44.23861+00', NULL, '', 
'org.apereo.cas.ticket.TransientSessionTicketImpl', 'TST-xxx') was 
aborted: ERROR: duplicate key value violates unique constraint 
"postgres_jpa_ticket_entity_pkey"
  Detail: Key (id)=(TST-xxx) already exists.  Call getNextException to 
see other errors in the batch.

ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-76) 
ERROR: duplicate key value violates unique constraint 
"postgres_jpa_ticket_entity_pkey"
  Detail: Key (id)=(TST-xxx) already exists.

-psv
On Saturday, March 30, 2024 at 12:46:24 PM UTC-5 Petr Bodnár wrote:

> Hi Pablo,
>
> I should have probably added that I haven't tested the proposed solutions 
> yet. From what I've studied so far, I expected that commenting out just the 
> call to *removeCookie()* should work.
>
> Or is it so, that as you mention in the other thread 
> <https://groups.google.com/a/apereo.org/g/cas-user/c/QWRAFfqFwqY/m/_wfCtFD9AQAJ>,
>  
> you had to comment out even the call to the whole 
> *clearTicketGrantingCookieFromContext()*? I would guess *that* could 
> possibly cause the "tgt primary key constraint violation" you write about 
> (in the case of obtaining an expired TGC). But yes, this is just guessing 
> from me now...
>
> Petr
>
> On Wednesday 27 March 2024 at 19:13:25 UTC+1 Pablo Vidaurri wrote:
>
>> Petr, you haven't seen any other issues with this workaround? For my 
>> users authenticating via delegated Azure AD I'm getting a cas client not 
>> authorized error, which is misleading because the issue in the logs shows a TGT 
>> primary key constraint violation. 
>>
>> -psv
>>
>> On Tuesday, March 26, 2024 at 11:40:57 AM UTC-7 Petr Bodnár wrote:
>>
>>> Hi all,
>>>
>>> thanks for the fruitful discussion. Some more fresh remarks to the topic:
>>>
>>> 1) The order of "Set-Cookie" response headers indeed depends on the 
>>> server
>>>
>>> While *Tomcat *clearly uses deterministic, insertion-time order (see 
>>> its Response.java 
>>> <https://github.com/apache/tomcat/blob/510c71b009085f94122bc18501d1981322846540/java/org/apache/catalina/connector/Response.java#L880>),
>>>  
>>> *JBoss*/*WildFly *for some weird reason stores cookies in a *TreeSet*, 
>>> so their output order should be random (see its 
>>> HttpServletResponseImpl.java 
>>> <https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/servlet/src/main/java/io/undertow/servlet/spec/HttpServletResponseImpl.java#L112>
>>>  
>>> and from there, HttpServerExchange.java 
>>> <https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/server/HttpServerExchange.java#L1255>
>>> ).
>>>
>>> 2) Since version 6.4.0, CAS deletes TGC cookie more aggressively
>>>
>>> In https://github.com/apereo/cas/commit/02e9c27a6b60505, a new method 
>>> *removeAll(request, 
>>> response)* was added (and is called) that additionally removes the 
>>> cookie only if it is present in the request.
>>>
>>> 3) Since version v7.0.0-RC2, CAS deletes TGC only when it is present in 
>>> the request
>>>
>>> In https://github.com/a

[cas-user] Cas 6.6.8, login flow executes twice

2024-03-27 Thread Pablo Vidaurri
Doesn't always happen, but occasionally I see my custom login webflow get 
executed twice. It usually has no impact, but it's causing SQL errors with a 
dup primary key violation, and the log shows a step in the flow executing within 
the same second, which is impossible for a user to do.

Anyone facing this problem?

-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/534df07c-acce-4598-86d7-065cee356407n%40apereo.org.


Re: [cas-user] CAS 6.2.X: TGC Cookie set twice

2024-03-27 Thread Pablo Vidaurri
Petr, you haven't seen any other issues with this workaround? For my 
users authenticating via delegated Azure AD I'm getting a cas client not 
authorized error, which is misleading because the issue in the logs shows a TGT 
primary key constraint violation. 

-psv

On Tuesday, March 26, 2024 at 11:40:57 AM UTC-7 Petr Bodnár wrote:

> Hi all,
>
> thanks for the fruitful discussion. Some more fresh remarks to the topic:
>
> 1) The order of "Set-Cookie" response headers indeed depends on the server
>
> While *Tomcat *clearly uses deterministic, insertion-time order (see its 
> Response.java 
> <https://github.com/apache/tomcat/blob/510c71b009085f94122bc18501d1981322846540/java/org/apache/catalina/connector/Response.java#L880>),
>  
> *JBoss*/*WildFly *for some weird reason stores cookies in a *TreeSet*, so 
> their output order should be random (see its HttpServletResponseImpl.java 
> <https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/servlet/src/main/java/io/undertow/servlet/spec/HttpServletResponseImpl.java#L112>
>  
> and from there, HttpServerExchange.java 
> <https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/server/HttpServerExchange.java#L1255>
> ).
>
> 2) Since version 6.4.0, CAS deletes TGC cookie more aggressively
>
> In https://github.com/apereo/cas/commit/02e9c27a6b60505, a new method 
> *removeAll(request, 
> response)* was added (and is called) that additionally removes the cookie 
> only if it is present in the request.
>
> 3) Since version v7.0.0-RC2, CAS deletes TGC only when it is present in 
> the request
>
> In https://github.com/apereo/cas/commit/9454b38b8d95d7, just the 
> aforementioned new method *removeAll(request, response)* is used.
>
> 4) This issue doesn't affect just the delegated authentication, but also 
> authentication via Kerberos (SPNEGO)
>
> The Kerberos authentication seems to be affected in the very same way, but 
> possibly no one really noticed or cares, because the automatic login is 
> practically invisible to the user.
>
> 5) Conclusion
>
> All that being said, it looks like removing the unconditional call to 
> *ticketGrantingTicketCookieGenerator.removeCookie(response) 
> *actually IS the correct solution. And leaving just the new call to 
> *removeAll(request, 
> response)* should be just fine - because this call should be effective 
> only when being initially redirected to CAS login page with an invalid 
> (e.g. expired) TGC cookie.
>
> Feel free to correct me.
>
> Regards
> Petr
>
> On Thursday 4 January 2024 at 04:39:17 UTC+1 Pablo Vidaurri wrote:
>
>> Ran into the same issue with v6.6.8 and v6.6.14. Also removed the line 
>> in InitialFlowSetupAction.java that sets the empty cookie and I get a proper 
>> session now. But this does not look like a correct fix.
>>
>> On Monday, January 11, 2021 at 4:00:17 PM UTC-6 Ulrich Mayring wrote:
>>
>>> Ray,
>>> thanks a lot for your comments. I believe this more or less settles the 
>>> issue that we have a bug here, but it doesn't bite everyone. So I suppose 
>>> those, who are unaffected, can just carry on.
>>>
>>> We have fixed the issue in our overlay by simply removing the code that 
>>> sets the "empty" cookie. If you ever find that the order of cookies changes 
>>> on you, you can do the same thing. Our test suite is green, so I guess that 
>>> for our purposes this rather brute-force fix will work. I have no idea what 
>>> it would take to fix this in CAS main, but I did notice that the code to 
>>> remove a cookie was changed from using the Servlet API to a custom 
>>> implementation, where the header is set manually. So perhaps going back to 
>>> using the Servlet API (response.addCookie) would be enough.
>>>
>>> On Monday, 11 January 2021 at 17:25:28 UTC+1 Ray Bon wrote:
>>>
>>>> Ulrich,
>>>>
>>>> You are correct.
>>>> And I do receive the cookies with the expired cookie first.
>>>>
>>>> Ray
>>>>
>>>> On Sat, 2021-01-09 at 11:39 -0800, Ulrich Mayring wrote:
>>>>
>>>> Notice: This message was sent from outside the University of Victoria 
>>>> email system. Please be cautious with links and sensitive information. 
>>>>
>>>> Ray,
>>>> the section you refer to applies to the "Cookie" header the browser 
>>>> sends back. However, I was talking about the "Set-Cookie" header sent by 
>>>> the server. Its semantics are d
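To make the order dependence discussed in this thread concrete, here is an added example (not code from the thread, from CAS, Tomcat or Undertow) that applies a response's Set-Cookie headers the way a browser does. The two headers, the cookie name and path, and the ticket value are constructed; CAS's clearing cookie is modelled as Max-Age=0 with an Expires in the past, and the fixed "now" is an assumption made so the Expires comparison is deterministic.

```python
"""Model how a browser applies a sequence of Set-Cookie headers.

Added example, not CAS or container code. It reproduces the situation in the
thread: one response carries two Set-Cookie headers for the TGC, a clearing
one and the real one, and the order in which the container writes them decides
what the browser keeps. Header strings, the cookie name/path and the ticket
value are constructed for the example.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed "now" so the Expires comparison is deterministic (assumption).
NOW = datetime(2024, 3, 27, 12, 0, tzinfo=timezone.utc)


def parse_set_cookie(header: str):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_deletion(attrs: dict, now: datetime = NOW) -> bool:
    """RFC 6265: Max-Age <= 0 or an Expires in the past removes the cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            pass
    return False


def apply_set_cookie(headers, now: datetime = NOW) -> dict:
    """Return {(name, path): value} held after applying headers in order.

    A later header for the same (name, path) replaces the earlier one, so the
    final state depends entirely on the order the server wrote them.
    """
    jar = {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        key = (name, attrs.get("path", "/"))
        if is_deletion(attrs, now):
            jar.pop(key, None)
        else:
            jar[key] = value
    return jar


def tgc_value(jar: dict, name: str = "TGC", path: str = "/cas"):
    """What CAS will see for the TGC on the next request (None = no cookie)."""
    return jar.get((name, path))


# Constructed headers in the shape CAS emits: a clearing cookie and the real
# ticket-granting cookie in the same response.
CLEAR = "TGC=; Path=/cas; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Secure; HttpOnly"
REAL = "TGC=TGT-1-constructed-example-value; Path=/cas; Secure; HttpOnly; SameSite=Lax"
# A "clearing" cookie with no expiry is not a deletion at all; it is an empty value.
EMPTY = "TGC=; Path=/cas; Secure; HttpOnly"

if __name__ == "__main__":
    print("clear then real (insertion order):", tgc_value(apply_set_cookie([CLEAR, REAL])))
    print("real then clear (reordered)      :", tgc_value(apply_set_cookie([REAL, CLEAR])))
    print("real then empty, no expiry       :", tgc_value(apply_set_cookie([REAL, EMPTY])))
```

With the clearing header written first, which is what Tomcat's insertion order gives, the real TGC is what remains; with the order reversed, the browser ends up holding no TGC at all, which is the "session is not being created" symptom. The third case shows the other failure mode raised in the thread: a clearing cookie that carries no Max-Age or Expires is not a deletion but an empty-valued cookie that overwrites the real one.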

[cas-user] Custom authentication handler and jdbc attributes not executing

2024-03-22 Thread Pablo Vidaurri
I have a custom authentication handler. I notice that when using my custom auth 
handler, my cas.authn.attributeRepository.jdbc[0] query does not execute. 
But when I enable the out-of-the-box LDAP authentication, my JDBC query runs and 
I get attributes back. Do I need to explicitly trigger something after my 
custom auth handler runs?

-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5e1de1aa-5051-4649-8c81-25b334a5c80en%40apereo.org.


[cas-user] Re: How is TST suppose to work, keep getting db errors

2024-03-21 Thread Pablo Vidaurri
I'm still dealing with upset users over this issue ... any input on fine 
tuning time to kill or reg cleaner?

On Sunday, March 3, 2024 at 2:35:40 PM UTC-6 Pablo Vidaurri wrote:

> CAS 6.6.8
>
> I'm using delegated auth to Azure AD using OIDC. Things seem to be mostly 
> working but I noticed a couple of different db errors:
>
>1. Delegated client identifier cannot be located in the authentication 
>    request
>2. org.postgresql.util.PSQLException: ERROR: duplicate key value 
>violates unique constraint "postgres_jpa_ticket_entity_pkey"  Detail: Key 
>(id)=(TST-6f93a6cc-3732-4dbb-9361-706f92a54787) already exists.
>
> Issue #1, gives a false message as the error is actually thrown from 
> DefaultDelegatedClientAuthenticationWebflowManager 
> <https://github.com/apereo/cas/blob/v6.6.8/support/cas-server-support-pac4j-core/src/main/java/org/apereo/cas/web/flow/DefaultDelegatedClientAuthenticationWebflowManager.java#L235C27-L235C61>
>  as 
> a result of not finding the ticket in the ticket registry.  I think ticket 
> is not found due to a couple of things:
>
>1. Once user is redirected to Azure AD, I see TST ticket created in 
>the registry. But the user is taking too long to enter credentials. By the 
>time they are redirected back to CAS the TST has already expired and 
> purged 
>from ticket registry.
>2. An issue with default 
>cas.ticket.tst.time-to-kill-in-seconds=5 being too short. I have increased 
>this to 120sec hoping that is enough time to provide credentials on Azure 
>AD side. Along with this, I also have my registry cleaner set to every 60 
>seconds. It seems to be helping but still getting this error occasionally.
>
> Issue #2, I'm not sure what is causing this one. Logging in and out, and 
> logging in again somehow the same TST gets generated for the user and the 
> TST from first login is still in the db. Perhaps the 120sec time to kill is 
> too long but then I'm back at issue #1. I would think a new TST would be 
> created at this point.
>
> What is the logic of TST? I think this would be solved if TST creation is 
> more unique with perhaps including timestamp.
>
> Any suggestions?
>
> -psv
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/637fa79b-26b4-444c-b31a-eed7b37c72a7n%40apereo.org.


Re: [cas-user] CAS v7.0.0 Performance issue.

2024-03-04 Thread Pablo Vidaurri
Interesting that you bring up VT with JDK21. There are many articles out 
there about issues with VT JDK21with pinning issues:
https://www.infoworld.com/article/3713220/java-virtual-threads-hit-with-pinning-issue.html

On Friday, February 23, 2024 at 1:12:43 PM UTC-6 Łukasz Woźniak wrote:

> Same happened to us. We have CAS on AWS in kubernetes. We have git for 
> services and redis for tickets and mfa. We have 2 pod running with 
> Horizontal Pod Autoscaling enabled. Autoscale never grow higher than 3 pods.
>
> When we deploy CAS from version 6.5 to 7.0, CPU is always almost 100%. HPA 
> scaled the app to 15 pods (max).
>
> When I debug the App, I think CAS on 7.0 uses Virtual Thread from Java 21 
> and not all library is ready for that. 
>
>  Is it possible to turn this off?
>
> Lukas
>
>
> pt., 23 lut 2024, 15:59 użytkownik Shavi Teotia  
> napisał:
>
>> Hi Ray and Team,
>>
>> We have an enterprise application, cannot change the backend. But Could 
>> you please suggest what would be the impact if the indexing is stopped from 
>> this piece of code.
>>
>> Another point we are using hazelcast registry, is there any specific 
>> setting  or property that needs to be done in that case.
>>
>>
>> On Friday 23 February 2024 at 19:44:24 UTC+5:30 Ray Bon wrote:
>>
>>> Shavi,
>>>
>>> Could this be related to the storage mechanism you use for services?
>>> Are you able to try a different back end?
>>>
>>> Ray
>>>
>>> On Fri, 2024-02-23 at 00:09 -0800, Shavi Teotia wrote:
>>>
>>> I have recently updated the cas version on my application from 6.6.2 to 
>>> 7.0.0. 
>>> There is some performance issue, that usually occurs when there is no 
>>> load on the server.
>>>
>>> My CPU utilization graph goes up till 98% and application goes down, 
>>> start giving 503, we have to restart it or redeploy it.
>>> We checked through the heap dump we found, the issue is related to the 
>>> ConcurrentIndexedCollection, which is used for registered service indexing.
>>>
>>> So my question is can we anyhow disable this or is there any other way 
>>> to optimize, any specific property that needs to be declared.
>>>
>>> Please let me know if any other information is also required.
>>>
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a7653e9-ca89-4e20-84e2-8fa5476e6765n%40apereo.org.
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7b6f529c-1234-40f2-905b-e0156c394a81n%40apereo.org.


[cas-user] How is TST suppose to work, keep getting db errors

2024-03-03 Thread Pablo Vidaurri
CAS 6.6.8

I'm using delegated auth to Azure AD using OIDC. Things seem to be mostly 
working but I noticed a couple of different db errors:

   1. Delegated client identifier cannot be located in the authentication 
   request
   2. org.postgresql.util.PSQLException: ERROR: duplicate key value 
   violates unique constraint "postgres_jpa_ticket_entity_pkey"  Detail: Key 
   (id)=(TST-6f93a6cc-3732-4dbb-9361-706f92a54787) already exists.

Issue #1, gives a false message as the error is actually thrown from 
DefaultDelegatedClientAuthenticationWebflowManager 

 as 
a result of not finding the ticket in the ticket registry.  I think ticket 
is not found due to a couple of things:

   1. Once user is redirected to Azure AD, I see TST ticket created in the 
   registry. But the user is taking too long to enter credentials. By the time 
   they are redirected back to CAS the TST has already expired and purged from 
   ticket registry.
   2. An issue with default cas.ticket.tst.time-to-kill-in-seconds=5 being 
   too short. I have increased this to 120sec hoping that is enough time to 
   provide credentials on Azure AD side. Along with this, I also have my 
   registry cleaner set to every 60 seconds. It seems to be helping but still 
   getting this error occasionally.

Issue #2, I'm not sure what is causing this one. Logging in and out, and 
logging in again somehow the same TST gets generated for the user and the 
TST from first login is still in the db. Perhaps the 120sec time to kill is 
too long but then I'm back at issue #1. I would think a new TST would be 
created at this point.

What is the logic of TST? I think this would be solved if TST creation is 
more unique with perhaps including timestamp.

Any suggestions?

-psv


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e52b6fd-5331-45ce-8f83-1b1aff6553cfn%40apereo.org.
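To make the timing behind both errors concrete, here is an added toy model (Python; mine, not CAS code and not the poster's) of a ticket registry with a time-to-kill and a scheduled cleaner. Registry, Ticket and DuplicateKeyError are hypothetical names and the ticket id is constructed; the 5 and 120 second time-to-kill values and the 60 second cleaner interval are the ones given in the post. The same model covers the earlier reply in this thread asking about tuning time-to-kill against the cleaner.

```python
"""Toy ticket registry: rows keyed by ticket id (the primary key), a
time-to-kill that makes a row invisible to lookups, and a cleaner that
actually deletes expired rows on a fixed schedule. Added illustration,
not CAS code; all names are hypothetical."""
from dataclasses import dataclass


@dataclass
class Ticket:
    id: str
    created_at: float      # seconds on a simulated clock
    time_to_kill: float    # models cas.ticket.tst.time-to-kill-in-seconds

    def expired(self, now: float) -> bool:
        return now - self.created_at > self.time_to_kill


class DuplicateKeyError(Exception):
    """Stands in for the database's unique-constraint violation on the id column."""


class Registry:
    def __init__(self, cleaner_interval: float):
        self.rows = {}                      # id -> Ticket, like the JPA table
        self.cleaner_interval = cleaner_interval
        self.last_cleaned = 0.0

    def add(self, ticket: Ticket) -> None:
        """INSERT; a row with the same id, expired or not, makes it fail."""
        if ticket.id in self.rows:
            raise DuplicateKeyError(ticket.id)
        self.rows[ticket.id] = ticket

    def get(self, ticket_id: str, now: float):
        """Lookups treat an expired row as absent even though it is still stored."""
        t = self.rows.get(ticket_id)
        return None if t is None or t.expired(now) else t

    def advance(self, now: float) -> None:
        """Move the clock to `now`, running every cleaner pass that was due."""
        next_run = self.last_cleaned + self.cleaner_interval
        while next_run <= now:
            self.rows = {k: v for k, v in self.rows.items() if not v.expired(next_run)}
            self.last_cleaned = next_run
            next_run += self.cleaner_interval


def delegated_login_roundtrip(ttk, cleaner_interval, user_delay):
    """TST created at t=0 on redirect to the IdP; the user comes back at
    t=user_delay. Returns True if CAS can still find the ticket."""
    reg = Registry(cleaner_interval)
    reg.add(Ticket("TST-constructed-example", 0.0, ttk))
    reg.advance(user_delay)
    return reg.get("TST-constructed-example", user_delay) is not None


def relogin_with_same_id(ttk, cleaner_interval, second_login_at):
    """The same ticket id issued again at t=second_login_at, as the thread
    reports happening. Returns "ok" or "duplicate-key"."""
    reg = Registry(cleaner_interval)
    reg.add(Ticket("TST-constructed-example", 0.0, ttk))
    reg.advance(second_login_at)
    try:
        reg.add(Ticket("TST-constructed-example", second_login_at, ttk))
    except DuplicateKeyError:
        return "duplicate-key"
    return "ok"


if __name__ == "__main__":
    print("ttk=5s,   user takes 30s:", delegated_login_roundtrip(5, 60, 30))
    print("ttk=120s, user takes 30s:", delegated_login_roundtrip(120, 60, 30))
    print("ttk=120s, re-login at 130s:", relogin_with_same_id(120, 60, 130))
    print("ttk=120s, re-login at 185s:", relogin_with_same_id(120, 60, 185))
    print("ttk=5s,   re-login at 30s:", relogin_with_same_id(5, 60, 30))
```

Two things fall out of running it. A row that is past its time-to-kill is invisible to lookups but still occupies its primary key until the next cleaner pass, so with a 120 second time-to-kill and a 60 second cleaner any re-login that reuses the id and lands in that window hits the constraint. Shortening the time-to-kill does not close that window (the 5 second case collides just the same) but does bring back the first error, where the user is slower than the ticket. Only an id that is fresh for every redirect, or a registry write that replaces rather than inserts, removes the collision.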


[cas-user] Re: Sending queries to multiple databases

2024-03-03 Thread Pablo Vidaurri
I have different authentication systems and I do indeed rely on each being 
processed in order until a user is authenticated. 

Maybe set 
 cas.authn.jdbc.query[0].order=0
 cas.authn.jdbc.query[1].order=1

On Wednesday, February 28, 2024 at 11:15:32 PM UTC-6 폴폴 wrote:

> I am using Apereo CAS version 6.6.15. Currently, I'm trying to use a 
> database-driven authentication method by sending queries to multiple 
> databases. 
>
> In the official documentation, it looks like cas.authn.jdbc.query[0], so I 
> intuitively wrote query[1]. This is my application.yml file.
>
>  cas:
>    authn:
>      jdbc:
>        query[0]:
>          driver-class: "com.mysql.cj.jdbc.Driver"
>          url: "jdbc:mysql://{my public IP}:3306/test?autoReconnect=true&allowMultiQueries=true&serverTimezone=UTC"
>          sql: "select id, login_id, login_pw from test.sso where login_id = ?;"
>          user: "mysql"
>          password: "root"
>          field-password: "login_pw"
>          password-encoder:
>            type: "NONE"
>        query[1]:
>          driver-class: "com.mysql.cj.jdbc.Driver"
>          url: "jdbc:mysql://{my public IP}:3306/test2?autoReconnect=true&allowMultiQueries=true&serverTimezone=UTC"
>          sql: "select id, username, password from test2.kva_user where username = ?;"
>          user: "mysql"
>          password: "root"
>          field-password: "password"
>          password-encoder:
>            type: "NONE"
>
> User in test DB: ks3254
> User in test2 DB: ks32541007
>
> The test DB user corresponding to query[0] is logged in normally, but the 
> test2 DB user corresponding to query[1] gets a message that there is no 
> user. 
>
> I looked up the official documentation and found that
>
> "CAS's authentication policy consists of multiple handlers, and if 
> authentication fails in one handler, it will be passed to the next handler."
>
> Based on this sentence, I thought that if there is no value corresponding 
> to query[0], it does not execute query[1], but just terminates the handler 
> and moves on to the next handler. 
>
> But what I'm puzzled about here is that the developer was led to believe 
> that it was an array, making them feel like they could create query[1], and 
> then query[1] wasn't sent, and I don't understand why the database-driven 
> authentication failed based on the results of query[0] and query[1], the 
> first of which was query[0]. 
>
> To my intuition, this seems very odd and it would make more sense to at 
> least run all the queries you set in application.yml before moving on to 
> the next handler. 
>
> Is my hypothesis correct? Isn't CAS supposed to be able to connect to 
> multiple databases and fire off multiple queries?
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cd66b2e5-ab0e-4990-81c8-549b02b9c984n%40apereo.org.


[cas-user] Re: client_name parameter issue

2024-03-01 Thread Pablo Vidaurri
Closer inspection of my issue shows the client was redirecting to 
cas/login/login?service=https://example.com ... the client accidentally had 
a double login as the CAS login URL. So with OIDC enabled, anything after 
/cas/login was interpreted as a client_name.

-psv

On Friday, March 1, 2024 at 2:07:05 AM UTC-6 Pablo Vidaurri wrote:

> Did you find a working solution for this?
>
> On Sunday, March 5, 2023 at 6:11:24 AM UTC-6 Mm Mm wrote:
>
>> hello everybody I have an issue with the client_name parameter in URL. 
>> one of my organization application when trying to authenticate using cas 
>> sends extra parameter in addition to service parameter eg:service=
>> https://example.com&client_name=login  
>>
>> I've already register the service but always cas return application not 
>> registered   and when I remove the extra parameter it works fine
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ad9879b4-bc38-439b-9f92-dfecd8e44b1dn%40apereo.org.


[cas-user] Re: client_name parameter issue

2024-03-01 Thread Pablo Vidaurri
Did you find a working solution for this?

On Sunday, March 5, 2023 at 6:11:24 AM UTC-6 Mm Mm wrote:

> hello everybody I have an issue with the client_name parameter in URL. one 
> of my organization application when trying to authenticate using cas sends 
> extra parameter in addition to service parameter eg:service=
> https://example.com&client_name=login  
>
> I've already register the service but always cas return application not 
> registered   and when I remove the extra parameter it works fine
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fb23680c-cfb9-4cb1-bedf-aab8ea77d7aan%40apereo.org.


Re: [cas-user] Deleteged Azure AD, duplicate pk in postgres_jpa_ticket_entity

2024-02-28 Thread Pablo Vidaurri
Yep, it is  delegated  Azure Ad (not deleted).

The issue is not consistent. Sometimes it works others it does not. At the 
moment I am on a single node so it's not a difference in nodes.

I do not have metadata as this is OIDC. Should OIDC still have metadata for 
the AD? How about a service config? So far it is usually working without it.
I was assuming a false error message was displayed and actual error is due 
to sql error not missing idp config.

-psv 

On Tuesday, February 27, 2024 at 12:57:39 PM UTC-6 Ray Bon wrote:

> Pablo,
>
> Is that deleted or delegated?
> Is it possible that azure ad metadata is missing or not in the location 
> that cas thinks it is?
>
> Ray
>
> On Mon, 2024-02-26 at 13:44 -0800, Pablo Vidaurri wrote:
>
> This is happening often, users login via Deleted Azure AD and get an 
> "Unauthorized Access" exception with "Unable to locate or parse the idp 
> config ...".  
>
> Logs show:  
>
> ERROR: duplicate key value violates unique constraint 
> "postgres_jpa_ticket_entity_pkey"
>   Detail: Key (id)=(TST-81a34fa7-a23d-4799-8167-1c86f7e79498) already 
> exists.  Call getNextException to see other errors in the batch.
>
> Any idea why this would be happening?
>
> -psv
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3957ab77-ccd0-405a-9523-545d875c0114n%40apereo.org.


[cas-user] Deleteged Azure AD, duplicate pk in postgres_jpa_ticket_entity

2024-02-26 Thread Pablo Vidaurri
This is happening often, users login via Deleted Azure AD and get an 
"Unauthorized Access" exception with "Unable to locate or parse the idp 
config ...". 

Logs show: 

ERROR: duplicate key value violates unique constraint 
"postgres_jpa_ticket_entity_pkey"
  Detail: Key (id)=(TST-81a34fa7-a23d-4799-8167-1c86f7e79498) already 
exists.  Call getNextException to see other errors in the batch.

Any idea why this would be happening?

-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0fecb669-f951-4787-8099-3f2ec30aab5en%40apereo.org.


[cas-user] Re: Alway Error 404 after compilation deployment

2024-02-04 Thread Pablo Vidaurri
What endpoint are you getting the 404 at? If deploying on localhost, are you 
hitting https://localhost:8443/cas/login ?

On Sunday, February 4, 2024 at 11:38:26 AM UTC-6 Jérémie Pilette wrote:

> Hi everybody,
> I try to compile and deploy cas-overlay-template from initializr but I 
> have always Error 404 Not found.
>
> Requirement
>
> *Java Version:* 11
> *Spring Boot Version:* 2.7.3
> *Gradle Version:* 7.6
> *Tomcat Version:* 9.0.84
>
>
> I have 
>
> *Java Version:* 18
> *Spring Boot Version:* 2.7.3
> *Gradle Version:* 7.6
> *Tomcat Version:* 10.1.6
>
> Did I forget something?
>
> Thank you ?
>
>
> Jérémie
>
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/72669c5c-1019-4758-8ee8-b9a2e6976515n%40apereo.org.


Re: [cas-user] Delegated Azure callbackUrl by service

2024-02-04 Thread Pablo Vidaurri
Sorry, correction, should be:   *defining required callback-url for each 
that differs from the original*

custom.azure.redirect-url.uk=https://www.myapp.uk
custom.azure.redirect-url.cn=https://www.myapp.cn

cas.authn.pac4j.oidc[0].azure.id=
cas.authn.pac4j.oidc[0].azure.secret=
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE

cas.authn.pac4j.oidc[1].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[1].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[1].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[1].azure.callback-url=${custom.azure.redirect-url.uk}/cas/login
cas.authn.pac4j.oidc[1].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}

cas.authn.pac4j.oidc[2].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[2].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[2].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[2].azure.callback-url=${custom.azure.redirect-url.cn}/cas/login
cas.authn.pac4j.oidc[2].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}


On Saturday, February 3, 2024 at 6:59:03 PM UTC-6 Pablo Vidaurri wrote:

> Thanks for the pointer.
>
> I went the KISS route ...
>
> I added duplicate configs in my cas.properties file, one for each 
> region/language defining required auto-redirect-type for each that 
> differs from the original:
>
> custom.azure.redirect-url.uk=https://www.myapp.uk
> custom.azure.redirect-url.cn=https://www.myapp.cn
>
> cas.authn.pac4j.oidc[0].azure.id=
> cas.authn.pac4j.oidc[0].azure.secret=
> cas.authn.pac4j.oidc[0].azure.tenant=
> cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE
>
> cas.authn.pac4j.oidc[1].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
> cas.authn.pac4j.oidc[1].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
> cas.authn.pac4j.oidc[1].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
> cas.authn.pac4j.oidc[1].azure.callback-url=${custom.azure.redirect-url.uk}/cas/login
> cas.authn.pac4j.oidc[1].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}
>
> cas.authn.pac4j.oidc[2].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
> cas.authn.pac4j.oidc[2].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
> cas.authn.pac4j.oidc[2].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
> cas.authn.pac4j.oidc[2].azure.callback-url=${custom.azure.redirect-url.cn}/cas/login
> cas.authn.pac4j.oidc[2].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}
>
> Then updated my login form to only display appropriate delegated 
> button/link for the given region/language.
>
> On Saturday, February 3, 2024 at 8:13:18 AM UTC-6 Ray Bon wrote:
>
>> Pablo,
>>
>> This may give some ideas https://fawnoos.com/2017/10/23/cas-multitenancy/
>>
>> Ray
>>
>> On Fri, 2024-02-02 at 21:10 -0800, Pablo Vidaurri wrote:
>>
>> I have a situation where the same app is deployed on different domains, 
>> each for a different region... so something like mysite.uk, mysite.jp, 
>> etc. They all log into a central CAS and CAS delegates to AD.  
>>
>> What I need is to define the callback url depending on the service.
>>
>>- I see i can 
>>define cas.authn.pac4j.oidc[0].azure.callback-url=foobar but that will be 
>>used by all the domains.
>>- In loginProviders.html, it looks like I can update redirectUrl, but 
>>it is being ignored and continues to use ${cas.server.prefix}/login 
>>
>> th:attr="autoRedirectType=${#strings.toLowerCase(entry.autoRedirectType)},redirectUrl=@{${entry.redirectUrl}}"
>>- Looks like not support out of the box with a service config (filter 
>>for OIDC) 
>>
>> https://apereo.github.io/cas/6.6.x/services/Configuring-Service-Custom-Properties.html#supported-properties
>>
>> Short of overriding a class and introducing new properties, any other 
>> ideas?
>>
>> -psv
>>
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/66f1d4fc-4d25-49ce-8d55-9f38cee6c9c7n%40apereo.org.


Re: [cas-user] Delegated Azure callbackUrl by service

2024-02-03 Thread Pablo Vidaurri
Thanks for the pointer.

I went the KISS route ...

I added duplicate configs in my cas.properties file, one for each 
region/language defining required auto-redirect-type for each that differs 
from the original:

custom.azure.redirect-url.uk=https://www.myapp.uk
custom.azure.redirect-url.cn=https://www.myapp.cn

cas.authn.pac4j.oidc[0].azure.id=
cas.authn.pac4j.oidc[0].azure.secret=
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE

cas.authn.pac4j.oidc[1].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[1].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[1].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[1].azure.callback-url=${custom.azure.redirect-url.uk}/cas/login
cas.authn.pac4j.oidc[1].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}

cas.authn.pac4j.oidc[2].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[2].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[2].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[2].azure.callback-url=${custom.azure.redirect-url.cn}/cas/login
cas.authn.pac4j.oidc[2].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}

Then updated my login form to only display appropriate delegated 
button/link for the given region/language.

On Saturday, February 3, 2024 at 8:13:18 AM UTC-6 Ray Bon wrote:

> Pablo,
>
> This may give some ideas https://fawnoos.com/2017/10/23/cas-multitenancy/
>
> Ray
>
> On Fri, 2024-02-02 at 21:10 -0800, Pablo Vidaurri wrote:
>
> I have a situation where the same app is deployed on different domains, 
> each for a different region... so something like mysite.uk, mysite.jp, 
> etc. They all log into a central CAS and CAS delegates to AD.  
>
> What I need is to define the callback url depending on the service.
>
>- I see i can define cas.authn.pac4j.oidc[0].azure.callback-url=foobar 
>but that will be used by all the domains.
>- In loginProviders.html, it looks like I can update redirectUrl, but 
>it is being ignored and continues to use ${cas.server.prefix}/login 
>
> th:attr="autoRedirectType=${#strings.toLowerCase(entry.autoRedirectType)},redirectUrl=@{${entry.redirectUrl}}"
>- Looks like not support out of the box with a service config (filter 
>for OIDC) 
>
> https://apereo.github.io/cas/6.6.x/services/Configuring-Service-Custom-Properties.html#supported-properties
>
> Short of overriding a class and introducing new properties, any other 
> ideas?
>
> -psv
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/40e175b3-23e7-4ed2-9a8e-2f37c63324den%40apereo.org.
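Because each region's client block is derived from oidc[0] through ${...} references, a copy-and-edit slip in a block like this only surfaces at startup, when a reference points at a key the file never defines. What follows is an added check (Python; mine, not CAS or Spring code) that parses a properties block, expands the placeholders the way the thread relies on, and reports dangling references; it also collects the expanded callback-url per client index, which is the value that has to match what is registered on the Azure side. The sample is a constructed copy of the block as it appears in this post, with id and secret left blank as posted; this copy has no tenant line for oidc[0], so the two references to it are reported, and adding that line clears the report. parse_properties, resolve_all and check are hypothetical names, and the resolver is a deliberately minimal stand-in for Spring's placeholder handling rather than a reimplementation of it.

```python
"""Dangling-placeholder check for a cas.properties-style block.
Added example, not CAS or Spring code; names are hypothetical."""
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed copy of the block as posted (id/secret blank, as in the post).
POSTED = """\
custom.azure.redirect-url.uk=https://www.myapp.uk
custom.azure.redirect-url.cn=https://www.myapp.cn

cas.authn.pac4j.oidc[0].azure.id=
cas.authn.pac4j.oidc[0].azure.secret=
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE

cas.authn.pac4j.oidc[1].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[1].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[1].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[1].azure.callback-url=${custom.azure.redirect-url.uk}/cas/login
cas.authn.pac4j.oidc[1].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}

cas.authn.pac4j.oidc[2].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[2].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[2].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[2].azure.callback-url=${custom.azure.redirect-url.cn}/cas/login
cas.authn.pac4j.oidc[2].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}
"""


def parse_properties(text):
    """Minimal key=value parser in the style of java.util.Properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_all(props):
    """Expand ${key} references recursively. Returns (resolved, missing), where
    missing maps a key to the referenced keys that are defined nowhere in the file."""
    resolved, missing = {}, {}

    def resolve(key, stack):
        if key in resolved:
            return resolved[key]
        if key in stack:
            raise ValueError("circular placeholder via " + key)

        def substitute(match):
            ref = match.group(1)
            if ref not in props:
                missing.setdefault(key, []).append(ref)
                return match.group(0)      # keep the unresolved text visible
            return resolve(ref, stack + (key,))

        resolved[key] = PLACEHOLDER.sub(substitute, props[key])
        return resolved[key]

    for key in props:
        resolve(key, ())
    return resolved, missing


CALLBACK_KEY = re.compile(r"^cas\.authn\.pac4j\.oidc\[(\d+)\]\.azure\.callback-url$")


def callback_urls(resolved):
    """Client index -> fully expanded callback-url."""
    urls = {}
    for key, value in resolved.items():
        m = CALLBACK_KEY.match(key)
        if m:
            urls[int(m.group(1))] = value
    return urls


def check(text):
    resolved, missing = resolve_all(parse_properties(text))
    return {
        "callbacks": callback_urls(resolved),
        "missing": missing,
        "redirect_type": {k: v for k, v in resolved.items() if k.endswith("auto-redirect-type")},
    }


if __name__ == "__main__":
    report = check(POSTED)
    for idx, url in sorted(report["callbacks"].items()):
        print(f"oidc[{idx}] callback-url = {url}")
    for key, refs in report["missing"].items():
        print(f"{key} references undefined key(s): {', '.join(refs)}")
```

Run it against the real file before a deployment rather than against the constructed copy; the useful output is the list of undefined references and the per-index callback URLs, which should each sit on the host the corresponding region actually serves.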


[cas-user] Delegated Azure callbackUrl by service

2024-02-02 Thread Pablo Vidaurri
I have a situation where the same app is deployed on different domains, 
each for a different region... so something like mysite.uk, mysite.jp, etc. 
They all log into a central CAS and CAS delegates to AD. 

What I need is to define the callback url depending on the service.

   - I see i can define cas.authn.pac4j.oidc[0].azure.callback-url=foobar 
   but that will be used by all the domains.
   - In loginProviders.html, it looks like I can update redirectUrl, but it 
   is being ignored and continues to use ${cas.server.prefix}/login 
   
th:attr="autoRedirectType=${#strings.toLowerCase(entry.autoRedirectType)},redirectUrl=@{${entry.redirectUrl}}"
   - Looks like not support out of the box with a service config (filter 
   for 
   OIDC) 
https://apereo.github.io/cas/6.6.x/services/Configuring-Service-Custom-Properties.html#supported-properties

Short of overriding a class and introducing new properties, any other ideas?

-psv


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9c4c6f96-bb1b-4264-97d2-ec2ca7734b67n%40apereo.org.


[cas-user] Delegated Authentication to Azure AD, logout issue

2024-02-02 Thread Pablo Vidaurri
I have property for azure logout-url

cas.authn.pac4j.oidc[0].azure.logout-url=https://login.microsoftonline.com//oauth2/v2.0/logout

Delegated login is working, but I never see a front end call to logout-url. 
So when I log back into my CAS application I auto get logged in because my 
azure session is still valid.

If I logout of my app, then manually hit the logout url, when going back to 
my app I get azure prompting for credentials as expected.

Is there something I'm missing to get delegated logout working?

-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/828c4502-50db-42bf-9167-cb6aef3c9deen%40apereo.org.


[cas-user] Re: Azure deletegated authentication and mapping attributes

2024-01-31 Thread Pablo Vidaurri
Sorry, title should have been "delegated", not "deleted".

I already had a custom web flow setup, so I just remapped the attributes 
and added them back into the principal attributes:

// Fragments from the custom webflow action (doExecute(RequestContext context)); imports needed:
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import lombok.val;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.web.support.WebUtils;

val authentication = WebUtils.getAuthentication(context);
Principal principal = authentication.getPrincipal();
// CAS 6.x principal attributes are multi-valued: Map<String, List<Object>>
Map<String, List<Object>> attributesMap = principal.getAttributes();

// expose the Azure "upn" claim under the "Email" attribute the application expects
remapAttribute(attributesMap, "Email", "upn");

// copies the first value of keyToCopy under keyToAdd, unless keyToAdd is already present
private void remapAttribute(Map<String, List<Object>> attributesMap, String keyToAdd, String keyToCopy) {
    List<Object> source = attributesMap.get(keyToCopy);
    if (!attributesMap.containsKey(keyToAdd) && source != null && !source.isEmpty()) {
        attributesMap.put(keyToAdd, Arrays.asList(source.get(0)));
    }
}
On Wednesday, January 31, 2024 at 10:49:51 PM UTC-6 Pablo Vidaurri wrote:

> I'm about to authenticate against azure, and process the token for user 
> attributes. I am also able to remap attributes via service config:
> {
>   "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>   "allowedAttributes": {
>     "@class": "java.util.TreeMap",
>     "upn": "Email",
>     "givenName": "firstName",
>     "surName": "lastName"
>   }
> }
>
> *But I need the mapped attributes during my login webflow action.* The 
> mapped attribute does not exist at this point until after the service 
> ticket is created I assume.
>
> Remapping via
> cas.authn.pac4j.oidc[0].azure.mapped-claims=upn->Email
> per documentation located at 
> https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-Azure-AD.html
> does not appear to be fully implemented in v6.6.8. 
>
> Is there anyway to map this or should I resort to modifying principal 
> attributes during my login webflow?
>
> -psv
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5fd4455f-634d-4459-b5b7-b236a3b0ce10n%40apereo.org.


[cas-user] Azure deleted authentication and mapping attributes

2024-01-31 Thread Pablo Vidaurri
I'm about to authenticate against azure, and process the token for user 
attributes. I am also able to remap attributes via service config:
{
"@class": 
"org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes": {
"@class": "java.util.TreeMap",
"upn": "Email",
"givenName": "firstName",
"surName": "lastName"
}
}

But I need the mapped attributes during my login webflow action. The 
mapped attribute does not exist at this point until after the service 
ticket is created I assume.

Remapping via
cas.authn.pac4j.oidc[0].azure.mapped-claims=upn->Email
per documentation located at 
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-Azure-AD.html
does not appear to be fully implemented in v6.6.8. 

Is there any way to map this or should I resort to modifying principal 
attributes during my login webflow?

-psv

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fbf30714-d85c-4e0d-980b-be5cb50e12e9n%40apereo.org.


[cas-user] Azure AD Delegated login, issue with DISSESSION cookie during logout

2024-01-10 Thread Pablo Vidaurri
CAS 6.6.8 

A couple of problems with Azure AD delegated login via the pac4j OIDC out of 
the box button click feature.
1) Two TGC cookies are being created, the 2nd with an empty value. This is 
causing the TGC not to be available and my session not to be created. 
actuator/sso even returns a 400. To get around this I commented out a line 
of code in InitialFlowSetupAction.java. That seems to get around this 
issue but I'm not certain if I'm causing other issues.

2) I see a DISSESSION cookie being created at login. I don't recall seeing 
this cookie before enabling delegated login to Azure AD. The problem that 
I'm seeing with this is that I get a 500 error when logging out. 

2024-01-08 15:29:13,937 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] (default task-454) Forwarding to error page from request [/logout] due to exception [Exception thrown executing org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction@4120bab in state 'terminateSession' of flow 'logout' -- action execution attributes were 'map[[empty]]']: org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction@4120bab in state 'terminateSession' of flow 'logout' -- action execution attributes were 'map[[empty]]'
...
Caused by: java.lang.ClassCastException: class java.lang.String cannot be cast to class org.pac4j.core.profile.UserProfile (java.lang.String is in module java.base of loader 'bootstrap'; org.pac4j.core.profile.UserProfile is in unnamed module of loader 'deployment.cas.war' @512a9b9)
    at deployment.cas.war//org.pac4j.core.profile.ProfileManager.removeOrRenewExpiredProfiles(ProfileManager.java:98)
    at deployment.cas.war//org.pac4j.core.profile.ProfileManager.retrieveAll(ProfileManager.java:89)
    at deployment.cas.war//org.pac4j.core.profile.ProfileManager.getProfile(ProfileManager.java:50)

If I manually delete the cookie after login, I see my session is still 
active, actuator/sso returns 200 with session info, and logout is not an 
issue.

-psv

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cf2f353b-94f6-43eb-a650-8e7dee58a0c6n%40apereo.org.


[cas-user] mapped-claims supported in CAS v6.6.8?

2024-01-04 Thread Pablo Vidaurri
I've been trying to use the following property:
cas.authn.pac4j.oidc[0].azure.mapped-claims=upn->email
per documentation located at 
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-Azure-AD.html

It didn't seem to work so I started digging thru the code. 
I see mappedClaims property in BasePac4jOidcClientProperties:
/**
 * List arbitrary mappings of claims when fetching user profiles.
 * Uses a "directed list" where the allowed
 * syntax would be {@code claim->attribute}.
 */
private List<String> mappedClaims = new ArrayList<>();

but I don't see mappedClaims being referenced anywhere except 
for BaseDelegatedIdentityProviderFactory.java class which is new in 
v7.0.0-RC9.

How else to map a claim to a custom attribute which I plan on releasing 
downstream?
-psv

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/86b944f5-45a2-4253-a7b6-c6cfcbd3d943n%40apereo.org.
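As an added example (not CAS code, and not the parser CAS itself applies to that property), the standalone Java class below applies a directed list of claim->attribute mappings, the syntax the mappedClaims Javadoc above describes, to a principal attribute map of the shape CAS exposes (Map<String, List<Object>>). It generalises the one-attribute remapAttribute helper posted earlier in this thread: it parses a whole list such as upn->Email,givenName->firstName, copies every value rather than only the first, skips claims that are missing or empty, and never overwrites an attribute that already exists under the target name, so a claim coming from the identity provider cannot replace something the webflow set locally. The class name, method names and the sample claims are constructed for this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not CAS code: applies "claim->attribute" mappings to a
// principal attribute map of the shape CAS uses (Map<String, List<Object>>).
public final class ClaimMapper {

    // One directed mapping: copy the values of `source` under the name `target`.
    public static final class Mapping {
        final String source;
        final String target;

        Mapping(String source, String target) {
            this.source = source;
            this.target = target;
        }
    }

    // Parses "upn->Email,givenName->firstName" into mappings; blank entries are skipped,
    // an entry without a claim on the left or an attribute on the right is rejected.
    public static List<Mapping> parse(String directedList) {
        List<Mapping> result = new ArrayList<>();
        for (String entry : directedList.split(",")) {
            String trimmed = entry.trim();
            if (trimmed.isEmpty()) {
                continue;
            }
            int arrow = trimmed.indexOf("->");
            if (arrow <= 0 || arrow + 2 >= trimmed.length()) {
                throw new IllegalArgumentException("Expected claim->attribute, got: " + trimmed);
            }
            result.add(new Mapping(trimmed.substring(0, arrow).trim(), trimmed.substring(arrow + 2).trim()));
        }
        return result;
    }

    // Returns a new map: for every mapping whose source claim is present and
    // non-empty, all of its values are copied under the target name. A target
    // that already exists is left alone, so a claim from the identity provider
    // can never overwrite an attribute set elsewhere in the webflow.
    public static Map<String, List<Object>> apply(Map<String, List<Object>> attributes,
                                                  List<Mapping> mappings) {
        Map<String, List<Object>> out = new LinkedHashMap<>();
        attributes.forEach((name, values) -> out.put(name, new ArrayList<>(values)));
        for (Mapping m : mappings) {
            List<Object> values = attributes.get(m.source);
            if (values == null || values.isEmpty() || out.containsKey(m.target)) {
                continue;
            }
            out.put(m.target, new ArrayList<>(values));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample claims, shaped like those taken from an Azure AD id_token.
        Map<String, List<Object>> claims = new LinkedHashMap<>();
        claims.put("upn", List.of("jdoe@example.org"));
        claims.put("givenName", List.of("Jane"));
        claims.put("surName", List.of());              // present but empty: nothing is copied for it
        claims.put("firstName", List.of("Preset"));    // already present: not overwritten
        List<Mapping> mappings = parse("upn->Email, givenName->firstName, surName->lastName");
        System.out.println(apply(claims, mappings));
    }
}
```

In a webflow action the map returned by apply would be used to build the new principal; the example deliberately returns a copy rather than mutating the input, so the original claims from the identity provider remain available for auditing.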


[cas-user] Re: Still struggling with Azure AD delegated login

2024-01-04 Thread Pablo Vidaurri
To close on this issue. I found it was related to having two TGC cookies. 
Stumbling across this post 
<https://groups.google.com/u/1/a/apereo.org/g/cas-user/c/xsc-_CTMjvA>, I 
see the same use case being an issue since 2021. I have users either log in 
on the CAS login page directly, which authenticates against LDAP, or the user 
clicks on a delegated login button (out of the box function via config) 
which redirects them to Azure AD for authentication. It is when the user 
clicks on the Azure AD button that I get two TGCs and no session gets created 
on the browser.

I've worked around this for now by commenting out this line from the 
InitialFlowSetupAction.java configureWebflowForTicketGrantingTicket 
method:
   clearTicketGrantingCookieFromContext(context, null);

-psv

On Tuesday, January 2, 2024 at 8:33:58 PM UTC-6 Pablo Vidaurri wrote:

> It looks like TGC is getting clobbered. 
>
> On redirect back to CAS with id_token: 
> https://mydomain.com/cas/login?id_token=
> &state=bfed6b9641&session_state=&client_name=AzureAdClient
>
> I'm getting two TGC cookie values:
> TGC=; Path=/cas; SameSite=None; Secure; HttpOnly
> LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 
> GMT
> TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; Expires=Thu, 
> 01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"
>
> This is out of the box CAS v 6.6.14.
>
> -psv
>
> On Tuesday, January 2, 2024 at 10:31:58 AM UTC-6 Pablo Vidaurri wrote:
>
>> Hello, still struggling with getting Azure AD setup. Tried with both CAS 
>> 6.6.8 and 6.6.12.
>>
>>- I am able to display the button for delegated login
>>- I get redirected to Azure when clicked
>>- I am able to login with my AD credentials
>>- I get redirected to my app with id_token query param which contains 
>>jwt of my user attributes
>>- I can verify the id_token value using jwt.ms to view the decoded 
>>token.
>>- I am able to see default casGenericSuccessView.html page with 
>>principal and user attributes from AD
>>- But it does not look like a session is actually created. 
>>https://mydomain.com/security/actuator/sso returns a 400
>>
>> This is not a problem when I use ldap to authenticate.
>>
>> In my db, I see TransientSessionTicket and TicketGrantingTicket records 
>> being created.
>>
>> I have the following config:
>>
>> cas.authn.pac4j.oidc[0].azure.discovery-uri=
>> https://login.microsoftonline.com/
>> /v2.0/.well-known/openid-configuration
>> cas.authn.pac4j.oidc[0].azure.id=
>> cas.authn.pac4j.oidc[0].azure.secret=
>> cas.authn.pac4j.oidc[0].azure.tenant=
>> cas.authn.pac4j.oidc[0].azure.mapped-claims.Email=upn
>>
>> cas.authn.pac4j.oidc[0].azure.enabled=true
>> cas.authn.pac4j.oidc[0].azure.client-name=AzureAdClient
>> cas.authn.pac4j.oidc[0].azure.display-name=Azure AD
>> cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE
>> cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
>> cas.authn.pac4j.oidc[0].azure.logout-url=
>> https://login.microsoftonline.com/common/oauth2/logout
>> cas.authn.pac4j.oidc[0].azure.use-nonce=true
>>
>> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=userId
>> cas.authn.pac4j.oidc[0].azure.response-mode=form_post
>> cas.authn.pac4j.oidc[0].azure.response-type=id_token
>> cas.authn.pac4j.oidc[0].azure.scope=openid,profile,email
>>
>> Any insight would be appreciated.
>> -psv
>>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f773008b-8570-46c2-88d3-ec7371bda023n%40apereo.org.


Re: [cas-user] CAS 6.2.X: TGC Cookie set twice

2024-01-03 Thread Pablo Vidaurri
Ran into the same issue with v6.6.8 and v6.6.14. Also removed the line 
in InitialFlowSetupAction.java that sets empty cookie and I get proper 
session now. But this does not look like a correct fix.

On Monday, January 11, 2021 at 4:00:17 PM UTC-6 Ulrich Mayring wrote:

> Ray,
> thanks a lot for your comments. I believe this more or less settles the 
> issue that we have a bug here, but it doesn't bite everyone. So I suppose 
> those, who are unaffected, can just carry on.
>
> We have fixed the issue in our overlay by simply removing the code that 
> sets the "empty" cookie. If you ever find that the order of cookies changes 
> on you, you can do the same thing. Our test suite is green, so I guess that 
> for our purposes this rather brute-force fix will work. I have no idea what 
> it would take to fix this in CAS main, but I did notice that the code to 
> remove a cookie was changed from using the Servlet API to a custom 
> implementation, where the header is set manually. So perhaps going back to 
> using the Servlet API (response.addCookie) would be enough.
>
> On Monday, 11 January 2021 at 17:25:28 UTC+1 Ray Bon wrote:
>
>> Ulrich,
>>
>> You are correct.
>> And I do receive the cookies with the expired cookie first.
>>
>> Ray
>>
>> On Sat, 2021-01-09 at 11:39 -0800, Ulrich Mayring wrote:
>>
>> Notice: This message was sent from outside the University of Victoria 
>> email system. Please be cautious with links and sensitive information. 
>>
>> Ray,
>> the section you refer to applies to the "Cookie" header the browser sends 
>> back. However, I was talking about the "Set-Cookie" header sent by the 
>> server. Its semantics are defined in section 4.1.2 of the RFC and it 
>> clearly states that the server can delete a cookie by sending a Set-Cookie 
>> header with an expired date.
>>
>> What's more, RFC 6265 clearly states that the server SHOULD NOT include 
>> more than one Set-Cookie header field in the same response with the same 
>> cookie-name. So CAS clearly is in violation of that. Most user-agents will 
>> probably react to that by accepting the last Set-Cookie header and so the 
>> order of those headers really matters.
>>
>> Therefore my question to you was whether you are receiving the 
>> "Set-Cookie" headers in a different order than I am, because that would 
>> explain why your browser processes them differently.
>>
>> Kind regards,
>> Ulrich
>> On Friday, 8 January 2021 at 21:01:44 UTC+1 Ray Bon wrote:
>>
>> Ulrich,
>>
>> According to, https://tools.ietf.org/html/rfc6265, in particular 4.2.2, 
>> the order of cookies in the header should not matter.
>> Is it possible that the app server is setting/modifying the order? 
>> I am using tomcat 9.
>>
>> Ray
>>
>> On Fri, 2021-01-08 at 10:01 -0800, Ulrich Mayring wrote:
>>
>> Different workflow here. I access my application and it redirects to the 
>> CAS Login Page. On the CAS Login Page I can choose whether to log in 
>> directly (via CAS protocol) or externally (via Azure). To that end there is 
>> a button that will take me to the Azure login page.
>>
>> However, my browser will also have seen the "empty" cookie, since I'm 
>> passing through the CAS login page. But I don't think that can have any 
>> effect - what difference should it make to the browser, whether a cookie 
>> has been seen before? Have you checked in which order you receive the two 
>> cookies? Perhaps the "empty" cookie comes first in your case, so it is then 
>> overwritten by the "full" cookie?
>>
>> My cookie is also named TGC-1.2.3, I'm using the CAS default as well.
>>
>> cheers,
>> Ulrich
>>
>> On Friday, 8 January 2021 at 18:29:19 UTC+1 Ray Bon wrote:
>>
>> Ulrich,
>>
>> Same versions of chrome and firefox on linux.
>> When I use delegated auth to azure, I first pass through the cas log in 
>> page and it redirects to azure. Thus my browser has already 'seen' the 
>> empty TGC.
>> Is this your flow, or do you go to azure first?
>>
>> Also, does your TGC have a suffix, '-1.2.3'?
>> I am using the default cas setting that has no suffix, the cookie label 
>> is 'TGC'. This should not matter, but stranger things have happened.
>>
>> Ray
>>
>> On Fri, 2021-01-08 at 01:21 -0800, Ulrich Mayring wrote:
>>
>> I have tested this with Firefox 84 and Chrome 87.0.4280.88 and in both 
>> cases no cookie is sent with the next request, thus failing to login the 
>> user.
>>
>> As far as I understand, the server is allowed to send multiple 
>> "Set-Cookie" headers with different values. The client (browser), however, 
>> is only allowed to send one "Cookie" header back. He can concatenate the 
>> multiple values into that one field, though. But it appears that in my case 
>> the brow

[cas-user] Re: Still struggling with Azure AD delegated login

2024-01-02 Thread Pablo Vidaurri
It looks like TGC is getting clobbered. 

On redirect back to CAS with id_token: 
https://mydomain.com/cas/login?id_token=&state=bfed6b9641&session_state=&client_name=AzureAdClient

I'm getting two TGC cookie values:
TGC=; Path=/cas; SameSite=None; Secure; HttpOnly
LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
TGC=""; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; Expires=Thu, 
01-Jan-1970 00:00:00 GMT; Comment="CAS Cookie"

This is out of the box CAS v 6.6.14.

-psv

On Tuesday, January 2, 2024 at 10:31:58 AM UTC-6 Pablo Vidaurri wrote:

> Hello, still struggling with getting Azure AD setup. Tried with both CAS 
> 6.6.8 and 6.6.12.
>
>- I am able to display the button for delegated login
>- I get redirected to Azure when clicked
>- I am able to login with my AD credentials
>- I get redirected to my app with id_token query param which contains 
>jwt of my user attributes
>- I can verify the id_token value using jwt.ms to view the decoded 
>token.
>- I am able to see default casGenericSuccessView.html page with 
>principal and user attributes from AD
>- But it does not look like a session is actually created. 
>https://mydomain.com/security/actuator/sso returns a 400
>
> This is not a problem when I use ldap to authenticate.
>
> In my db, I see TransientSessionTicket and TicketGrantingTicket records 
> being created.
>
> I have the following config:
>
> cas.authn.pac4j.oidc[0].azure.discovery-uri=
> https://login.microsoftonline.com/
> /v2.0/.well-known/openid-configuration
> cas.authn.pac4j.oidc[0].azure.id=
> cas.authn.pac4j.oidc[0].azure.secret=
> cas.authn.pac4j.oidc[0].azure.tenant=
> cas.authn.pac4j.oidc[0].azure.mapped-claims.Email=upn
>
> cas.authn.pac4j.oidc[0].azure.enabled=true
> cas.authn.pac4j.oidc[0].azure.client-name=AzureAdClient
> cas.authn.pac4j.oidc[0].azure.display-name=Azure AD
> cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE
> cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
> cas.authn.pac4j.oidc[0].azure.logout-url=
> https://login.microsoftonline.com/common/oauth2/logout
> cas.authn.pac4j.oidc[0].azure.use-nonce=true
>
> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=userId
> cas.authn.pac4j.oidc[0].azure.response-mode=form_post
> cas.authn.pac4j.oidc[0].azure.response-type=id_token
> cas.authn.pac4j.oidc[0].azure.scope=openid,profile,email
>
> Any insight would be appreciated.
> -psv
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f3a0d67-6f2d-4662-bd4d-fdc6be600baen%40apereo.org.
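To see what the two TGC headers quoted above do on the browser side, here is an added example (not CAS, pac4j or browser code) that models the user-agent half of RFC 6265 section 5.3: Set-Cookie headers are stored in wire order, and a header carrying Max-Age=0 or a past Expires removes the cookie, so the order of the two TGC headers decides whether the session cookie survives the response. It also reports names that one response sets more than once, which is what RFC 6265 section 4.1 says a server SHOULD NOT do and is the thing to check for in an HTTP trace when a delegated login "succeeds" but no SSO session follows. The class and method names are constructed, and the TGC value is a placeholder for the ticket id elided in the post.

```java
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

// Added example, not CAS, pac4j or browser code: a minimal model of how a user
// agent stores the Set-Cookie headers of one response (RFC 6265 section 5.3).
public final class SetCookieJar {
    // Cookie name -> value for one host; an expired cookie is removed from the jar.
    private final Map<String, String> jar = new LinkedHashMap<>();
    // Cookie dates after normalisation: "Thu, 01 Jan 1970 00:00:00" (GMT stripped).
    private static final DateTimeFormatter COOKIE_DATE =
        DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss", Locale.US);

    public Map<String, String> cookies() {
        return new LinkedHashMap<>(jar);
    }

    // Processes Set-Cookie values in wire order: a later header for the same name
    // replaces the earlier one, or deletes it when Max-Age<=0 or Expires is in the past.
    public void apply(List<String> setCookieHeaders, OffsetDateTime now) {
        for (String header : setCookieHeaders) {
            String[] parts = header.split(";");
            String[] nameValue = parts[0].split("=", 2);
            String name = nameValue[0].trim();
            String value = nameValue.length > 1 ? stripQuotes(nameValue[1].trim()) : "";
            boolean expired = false;
            for (int i = 1; i < parts.length; i++) {
                String[] attr = parts[i].trim().split("=", 2);
                String attrName = attr[0].trim().toLowerCase(Locale.US);
                String attrValue = attr.length > 1 ? attr[1].trim() : "";
                if (attrName.equals("max-age")) {
                    expired = nonPositive(attrValue);   // Max-Age takes precedence over Expires
                    break;
                }
                if (attrName.equals("expires")) {
                    expired = parseCookieDate(attrValue).map(d -> !d.isAfter(now)).orElse(false);
                }
            }
            if (expired) {
                jar.remove(name);
            } else {
                jar.put(name, value);
            }
        }
    }

    // Names that one response sets more than once (RFC 6265 section 4.1: SHOULD NOT).
    public static List<String> duplicateNames(List<String> setCookieHeaders) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (String header : setCookieHeaders) {
            counts.merge(header.split(";", 2)[0].split("=", 2)[0].trim(), 1, Integer::sum);
        }
        List<String> duplicates = new ArrayList<>();
        counts.forEach((name, n) -> { if (n > 1) { duplicates.add(name); } });
        return duplicates;
    }

    private static String stripQuotes(String s) {
        return s.length() >= 2 && s.startsWith("\"") && s.endsWith("\"") ? s.substring(1, s.length() - 1) : s;
    }

    private static boolean nonPositive(String s) {
        try {
            return Long.parseLong(s) <= 0;
        } catch (NumberFormatException e) {
            return false;   // a malformed Max-Age is ignored, as browsers do
        }
    }

    // Accepts "Thu, 01-Jan-1970 00:00:00 GMT" (as CAS sends) and "Thu, 01 Jan 1970 00:00:00 GMT".
    private static Optional<OffsetDateTime> parseCookieDate(String text) {
        String normalized = text.trim().replace('-', ' ').replaceAll("\\s+GMT$", "");
        try {
            return Optional.of(LocalDateTime.parse(normalized, COOKIE_DATE).atOffset(ZoneOffset.UTC));
        } catch (DateTimeParseException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // The three headers quoted from the CAS 6.6.14 response above, in wire order;
        // the ticket id elided in the post is replaced by a placeholder.
        List<String> headers = List.of(
            "TGC=TGT-placeholder; Path=/cas; SameSite=None; Secure; HttpOnly",
            "LANGUAGE_OPTION=en; path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT",
            "TGC=\"\"; Version=1; Path=/cas; Secure; HttpOnly; Max-Age=0; "
                + "Expires=Thu, 01-Jan-1970 00:00:00 GMT; Comment=\"CAS Cookie\"");
        SetCookieJar jar = new SetCookieJar();
        jar.apply(headers, OffsetDateTime.now(ZoneOffset.UTC));
        System.out.println("set more than once: " + duplicateNames(headers));
        System.out.println("cookies the browser keeps: " + jar.cookies());
    }
}
```

With the expiring TGC header last, as in the captured response, the jar ends up with no TGC at all, which is exactly the "login looks successful but actuator/sso returns 400" symptom; swapping the two TGC headers leaves the ticket in place, which is why the order of Set-Cookie headers was the deciding factor in the 2021 thread.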


[cas-user] Re: problem to update cas 6.3.7.4 to 6.6.14

2024-01-02 Thread Pablo Vidaurri
Under where it has
// Other CAS dependencies/modules may be listed here...

include:
implementation "org.apereo.cas:cas-server-support-pac4j-api:${project.'cas.version'}"

On Tuesday, January 2, 2024 at 9:09:16 AM UTC-6 Danielo De León wrote:

> Hi, thank you for responding, I am not able to add the dependency that you 
> suggest. I attached my build.gradle, could you help me?
>
> buildscript {
> repositories {
> mavenLocal()
> gradlePluginPortal()
> mavenCentral()
> jcenter()
> maven { 
> url "https://repo.spring.io/libs-milestone"; 
> mavenContent { releasesOnly() }
> }
> maven { 
> url "https://repo.spring.io/libs-snapshot"; 
> mavenContent { snapshotsOnly() }
> }
> maven { 
> url "https://plugins.gradle.org/m2/"; 
> mavenContent { releasesOnly() }
> }
> }
> dependencies {
> classpath 
> "de.undercouch:gradle-download-task:${project.gradleDownloadTaskVersion}"
> classpath 
> "org.springframework.boot:spring-boot-gradle-plugin:${project.springBootVersion}"
> classpath 
> "gradle.plugin.com.google.cloud.tools:jib-gradle-plugin:${project.jibVersion}"
> classpath 
> "io.freefair.gradle:maven-plugin:${project.gradleMavenPluginVersion}"
> classpath 
> "io.freefair.gradle:lombok-plugin:${project.gradleLombokPluginVersion}"
> classpath "org.apereo.cas.authentication.principal.ClientCredential"
> }
> }
>
> repositories {
> mavenLocal()
> mavenCentral()
> jcenter()
> maven { 
> url "https://oss.sonatype.org/content/repositories/snapshots"; 
> mavenContent { snapshotsOnly() }
> }
> maven { 
> mavenContent { releasesOnly() }
> url "
> https://build.shibboleth.net/nexus/content/repositories/releases/"; 
> }
> maven { 
> mavenContent { releasesOnly() }
> url "https://repo.spring.io/milestone/"; 
> }
> maven { 
> url "https://repo.spring.io/snapshot/"; 
> mavenContent { snapshotsOnly() }
> }
> maven { 
> mavenContent { snapshotsOnly() }
> url "https://oss.jfrog.org/artifactory/oss-snapshot-local"; 
> }
> }
>
> def casServerVersion = project.'cas.version'
> def casWebApplicationBinaryName = "cas.war"
>
> project.ext."casServerVersion" = casServerVersion
> project.ext."casWebApplicationBinaryName" = casWebApplicationBinaryName
>
> apply plugin: "io.freefair.war-overlay"
> apply plugin: "io.freefair.lombok"
> apply from: rootProject.file("gradle/tasks.gradle")
>
> apply plugin: "war"
> apply plugin: "eclipse"
> apply plugin: "idea"
>
> apply from: rootProject.file("gradle/springboot.gradle")
> apply from: rootProject.file("gradle/dockerjib.gradle")
>
> dependencies {
> // Other CAS dependencies/modules may be listed here...
> implementation 
> "org.apereo.cas:cas-server-support-rest-authentication:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-pac4j-authentication:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-core-api-authentication:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-pac4j-core:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-core-web-api:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-core-authentication-api:${project.'cas.version'}"
>
> 
>
> compile 
> "org.apereo.cas:cas-server-support-google-analytics:${project.'cas.version'}"
> compile group: 'org.apache.logging.log4j', name: 'log4j-core', 
> version: '2.17.0'
> compile group: 'org.bitbucket.b_c', name: 'jose4j', version: '0.7.0'
> 
>
> }
>
> tasks.findByName("jibDockerBuild")
> .dependsOn(copyWebAppIntoJib, copyConfigIntoJib)
> .finalizedBy(deleteWebAppFromJib)
>
> tasks.findByName("jib")
> .dependsOn(copyWebAppIntoJib, copyConfigIntoJib)
> .finalizedBy(deleteWebAppFromJib)
>
> configurations.all {
> resolutionStrategy {
> cacheChangingModulesFor 0, "seconds"
> cacheDynamicVersionsFor 0, "seconds"
>
> preferProjectModules()
>
> def failIfConflict = project.hasProperty("failOnVersionConflict") 
> && Boolean.valueOf(project.getProperty("failOnVersionConflict"))
> if (failIfConflict) {
> failOnVersionConflict()
> }
> }
> }
>
> eclipse {
> classpath {
> downloadSources = true
> downloadJavadoc = true
> }
> }
>
> idea {
> module {
> downloadJavadoc = true
> downloadSources = true
> }
> }
>
> El domingo, 31 de diciembre de 2023 a las 5:41:03 UTC-3, Meysam Shirazi 
> escribió:
>
>> Hi,
>> Check your dependencies (cas-server-support-pac4j-api) in your 
>> build.gradle file.
>>
>> On Friday, December 29, 2023 at 5:39:11 PM UTC+3

[cas-user] Still struggling with Azure AD delegated login

2024-01-02 Thread Pablo Vidaurri
Hello, still struggling with getting Azure AD setup. Tried with both CAS 
6.6.8 and 6.6.12.

   - I am able to display the button for delegated login
   - I get redirected to Azure when clicked
   - I am able to login with my AD credentials
   - I get redirected to my app with id_token query param which contains 
   jwt of my user attributes
   - I can verify the id_token value using jwt.ms to view the decoded token.
   - I am able to see default casGenericSuccessView.html page with 
   principal and user attributes from AD
   - But it does not look like a session is actually 
   created. https://mydomain.com/security/actuator/sso returns a 400

This is not a problem when I use ldap to authenticate.

In my db, I see TransientSessionTicket and TicketGrantingTicket records 
being created.

I have the following config:

cas.authn.pac4j.oidc[0].azure.discovery-uri=https://login.microsoftonline.com//v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].azure.id=
cas.authn.pac4j.oidc[0].azure.secret=
cas.authn.pac4j.oidc[0].azure.tenant=
cas.authn.pac4j.oidc[0].azure.mapped-claims.Email=upn

cas.authn.pac4j.oidc[0].azure.enabled=true
cas.authn.pac4j.oidc[0].azure.client-name=AzureAdClient
cas.authn.pac4j.oidc[0].azure.display-name=Azure AD
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE
cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
cas.authn.pac4j.oidc[0].azure.logout-url=https://login.microsoftonline.com/common/oauth2/logout
cas.authn.pac4j.oidc[0].azure.use-nonce=true

cas.authn.pac4j.oidc[0].azure.principal-attribute-id=userId
cas.authn.pac4j.oidc[0].azure.response-mode=form_post
cas.authn.pac4j.oidc[0].azure.response-type=id_token
cas.authn.pac4j.oidc[0].azure.scope=openid,profile,email

Any insight would be appreciated.
-psv

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9407fbd-2cbe-40bc-9dcb-0a2fbe50bddcn%40apereo.org.


[cas-user] Re: multiple IPs causing TGC to be dropped

2023-12-07 Thread Pablo Vidaurri
We are now using 
cas.audit.engine.alternate-client-addr-header-name
property with a custom header that has the clients real ip.

X-FORWARDED-FOR is the header sending two IPs.

On Thursday, December 7, 2023 at 1:31:56 PM UTC-6 Pablo Vidaurri wrote:

> Seeing sessions get dropped prematurely, I see messages from CAS that the TGC 
> cookie is based partly on client ip address. In the log, I am seeing the client id 
> along with the edge server IP. This seems to be having an impact when a 
> user is routed through a different edge server and causing the session to be 
> lost. But looking at the inspektr code I see it is setting this based off 
> clientInfo.getClientIpAddress() which is only returning the actual client id.
>
>
> Has anyone else experienced this issue? I see someone suggested 
> pin-to-session property but I really do not want to disable that.
>
>
> =
> WHO: audit:unknown WHAT: 
> {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, 
> event=success, timestamp=Thu Dec 07 00:00:01 MST 2023} ACTION: 
> AUTHENTICATION_EVENT_TRIGGERED APPLICATION: CAS WHEN: Thu Dec 07 00:00:01 
> MST 2023 CLIENT IP ADDRESS: 123.xx.xx.xxx, 23.xx.xx.xx SERVER IP ADDRESS: 
> www.z.com
>
> = 
>
>
> -psv
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/473b9c92-d0d2-46d0-a0d2-474033793646n%40apereo.org.


[cas-user] multiple IPs causing TGC to be dropped

2023-12-07 Thread Pablo Vidaurri


Seeing sessions get dropped prematurely, I see messages from CAS that the TGC 
cookie is based partly on client ip address. In the log, I am seeing the client id 
along with the edge server IP. This seems to be having an impact when a 
user is routed through a different edge server and causing the session to be 
lost. But looking at the inspektr code I see it is setting this based off 
clientInfo.getClientIpAddress() which is only returning the actual client id.


Has anyone else experienced this issue? I see someone suggested 
pin-to-session property but I really do not want to disable that.


=
WHO: audit:unknown WHAT: 
{source=RankedMultifactorAuthenticationProviderWebflowEventResolver, 
event=success, timestamp=Thu Dec 07 00:00:01 MST 2023} ACTION: 
AUTHENTICATION_EVENT_TRIGGERED APPLICATION: CAS WHEN: Thu Dec 07 00:00:01 
MST 2023 CLIENT IP ADDRESS: 123.xx.xx.xxx, 23.xx.xx.xx SERVER IP ADDRESS: 
www.z.com 

= 


-psv

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/344d5f0b-e151-47d3-aba2-e6610b985f0en%40apereo.org.
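As an added example (not CAS or inspektr code), the class below shows one way to derive a stable client address from a multi-valued X-Forwarded-For header like the "123.xx.xx.xxx, 23.xx.xx.xx" value in the audit record above: walk the list from the right, skip the proxies the deployment trusts, and take the first address that is not one of them. The left-most entry is whatever the client chose to send and must not be trusted on its own, and pinning a session to the whole header value ties it to whichever edge appended itself, which is the session loss described in the post. The class and method names, and the RFC 5737 documentation addresses used as sample values, are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not CAS or inspektr code: resolves the client address from
// X-Forwarded-For by trusting only the proxies this deployment knows about.
public final class ClientAddressResolver {

    private final Set<String> trustedProxies;

    public ClientAddressResolver(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    // Splits "a, b, c" into [a, b, c], dropping blank entries.
    static List<String> hops(String xff) {
        List<String> out = new ArrayList<>();
        if (xff == null) {
            return out;
        }
        for (String hop : xff.split(",")) {
            String h = hop.trim();
            if (!h.isEmpty()) {
                out.add(h);
            }
        }
        return out;
    }

    // Returns the right-most address that is not a trusted proxy. The right-most
    // entry was appended by the last hop and is the only one we can vouch for;
    // the left-most entry is client-supplied. Falls back to the socket address
    // when the connection did not come through a trusted proxy at all, or when
    // the header lists nothing but trusted proxies.
    public String resolve(String remoteAddr, String xff) {
        if (!trustedProxies.contains(remoteAddr)) {
            return remoteAddr;   // direct connection: any X-Forwarded-For it sent is ignored
        }
        List<String> chain = hops(xff);
        for (int i = chain.size() - 1; i >= 0; i--) {
            if (!trustedProxies.contains(chain.get(i))) {
                return chain.get(i);
            }
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed addresses standing in for the masked ones in the audit log:
        // one load balancer in front of CAS plus two edge servers.
        Set<String> trusted = Set.of("10.0.0.5", "203.0.113.10", "203.0.113.11");
        ClientAddressResolver resolver = new ClientAddressResolver(trusted);
        // The same client arriving through edge 1 and then through edge 2 resolves
        // to the same address, so a session pinned to it is not lost on the switch.
        System.out.println(resolver.resolve("10.0.0.5", "198.51.100.7, 203.0.113.10"));
        System.out.println(resolver.resolve("10.0.0.5", "198.51.100.7, 203.0.113.11"));
        // A direct connection that forges the header: the header is ignored.
        System.out.println(resolver.resolve("192.0.2.99", "198.51.100.7, 203.0.113.10"));
    }
}
```

Whatever header the edge is configured to populate for cas.audit.engine.alternate-client-addr-header-name, the same rule applies: the value CAS pins the TGC to should be one the edge sets after stripping anything the client sent, not the raw forwarded list.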


[cas-user] openrewrite

2023-11-21 Thread Pablo Vidaurri
Looking at latest 6.6.10 cas overlay template. Looks like there is an 
upgrade method to use openrewrite. I assume I first need to manually 
upgrade to a version that supports openrewrite to where I can then use it 
for future upgrades?

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e5e10a40-cf9c-4fa9-a110-52ea5b9ab5c4n%40apereo.org.


Re: [cas-user] CAS + Azure AD Auth Delegation

2023-11-18 Thread Pablo Vidaurri
It looks like this is only happening when I have a target/service query 
parameter at the login page.

On Friday, November 17, 2023 at 1:37:09 AM UTC-6 Pablo Vidaurri wrote:

> Did you solve your problem? I access my app, it redirects me to the cas 
> login page, I click on the button to redirect me to Azure. I log in to azure, 
> it looks like magic is happening, but then I land back on my login page 
> without being logged in.
>
> My logs show login successful, I see the correct principal value but then 
> the last message:
>
> WHO: audit:unknown
> WHAT: {result=Client Access Granted, service=
> https://uat..com/profile/home, client=AzureAdClient, 
> registeredService=UAT:^https?://uat.x.com(/?|/.*)}
> ACTION: DELEGATED_CLIENT_SUCCESS
> APPLICATION: CAS
> WHEN: Fri Nov 17 00:08:09 MST 2023
> CLIENT IP ADDRESS: xxx.xxx.xx.xx, xxx.xxx.xx.xx
> SERVER IP ADDRESS: uat.xx.com
>
> Only difference I see from others is that my Azure App registration is 
> named Newco-Test but my 
> cas.authn.pac4j.oidc[0].azure.client-name=AzureADClient (also using this 
> AzureADClient value in the Azure redirect URL). Unfortunately I cannot just 
> update Azure properties.
>
> -psv
> On Friday, May 26, 2023 at 12:17:08 AM UTC-5 Rod B wrote:
>
>> Hello Ray and Bartosz!
>> Thanks for posting your configs, I think I'm close to getting CAS working 
>> with Azure (going into detail to maybe help the next person)
>>
>> For CAS 6.6.7
>>
>> I added this module to build.gradle and built the cas.war:
>>
>> // Azure support
>> implementation 
>> "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
>>
>> This is what my cas.properties is, on azure I made an app called "cas"
>>
>> cas.authn.pac4j.oidc[0].azure.display-name= cas
>> cas.authn.pac4j.oidc[0].azure.auto-redirect-type= SERVER
>> cas.authn.pac4j.oidc[0].azure.client-name= cas
>> cas.authn.pac4j.oidc[0].azure.enabled= true
>> cas.authn.pac4j.oidc[0].azure.id= [client ap id of cas app]
>> cas.authn.pac4j.oidc[0].azure.response-mode= form_post
>> cas.authn.pac4j.oidc[0].azure.response-type= id_token
>> cas.authn.pac4j.oidc[0].azure.scope= openid
>> cas.authn.pac4j.oidc[0].azure.secret= [cas client app secret]
>> cas.authn.pac4j.oidc[0].azure.tenant= [tenant id]
>> cas.authn.pac4j.oidc[0].azure.use-nonce= true
>> cas.authn.pac4j.oidc[0].azure.discovery-uri= https://login.microsoftonline.com/[tenant id]/oauth2/v2.0/
>> cas.authn.pac4j.oidc[0].azure.logout-url= https://login.microsoftonline.com/common/oauth2/logout
>>
>> On Azure, I enabled id_token and set the redirect url to: 
>>
>> https://cas.dev.schoolname.ca/cas/login?client_name=cas
>>
>> service file for CasTest-1.json
>>
>> {
>>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>>   "serviceId" : "http://cas-test.dev.ecuad.ca/wp-login.php*",
>>   "name" : "CasTest",
>>   "id" : 1,
>>   "evaluationOrder" : 1
>> }
>>
>> Catalina.out when I go to the Cas Test page (word press site):
>>
>> 2023-05-25 15:25:02,294 INFO 
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - > trail record BEGIN
>>
>> =
>>
>> WHO: audit:unknown
>>
>> WHAT: {result=Client Access Granted, service=
>> http://cas-test.dev.schoolname.ca/wp-login.php, client=cas, 
>> registeredService=CasTest:http://cas-test.dev.ecuad.ca/wp-login.php*}
>>
>> ACTION: DELEGATED_CLIENT_SUCCESS
>>
>> APPLICATION: CAS
>>
>> WHEN: Thu May 25 15:25:02 PDT 2023
>>
>> CLIENT IP ADDRESS: xxx
>>
>> SERVER IP ADDRESS: unknown
>>
>> =
>>
>>
>> The problem I'm having is the web page will go to:
>>
>> https://cas.dev.schoolname.ca/cas/login?client_name=cas
>>
>> and time out. I'm not sure what I need to set so CAS (or Azure) will 
>> redirect to the WordPress site.
>>
>> Any help is appreciated.
>>
>> Thank you,
>>
>> Rod
>> On Friday, 23 April 2021 at 00:30:51 UTC-7 Bartosz Nitkiewicz wrote:
>>
>>> Ray, 
>>>
>>> Thank You. Now its working as expected.
>>>
>>> Regards 
>>

Re: [cas-user] CAS + Azure AD Auth Delegation

2023-11-16 Thread Pablo Vidaurri
Did you solve your problem? I access my app, it redirects me to the CAS 
login page, I click on the button to redirect me to Azure. I log into Azure, 
it looks like magic is happening, but then I land back on my login page 
without being logged in.

My logs show login successful, I see the correct principal value but then 
the last message:

WHO: audit:unknown
WHAT: {result=Client Access Granted, 
service=https://uat..com/profile/home, client=AzureAdClient, 
registeredService=UAT:^https?://uat.x.com(/?|/.*)}
ACTION: DELEGATED_CLIENT_SUCCESS
APPLICATION: CAS
WHEN: Fri Nov 17 00:08:09 MST 2023
CLIENT IP ADDRESS: xxx.xxx.xx.xx, xxx.xxx.xx.xx
SERVER IP ADDRESS: uat.xx.com

Only difference I see from others is that my Azure App registration is 
named Newco-Test but my 
cas.authn.pac4j.oidc[0].azure.client-name=AzureADClient (also using this 
AzureADClient value in Azure redirect URL). Unfortunately I cannot just 
update Azure properties.

-psv
On Friday, May 26, 2023 at 12:17:08 AM UTC-5 Rod B wrote:

> Hello Ray and Bartosz!
> Thanks for posting your configs, I think I'm close to getting CAS working 
> with Azure (going into detail to maybe help the next person)
>
> For CAS 6.6.7
>
> I added this module to build.gradle and built the cas.war:
>
> // Azure support
> implementation 
> "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
>
> This is what my cas.properties is, on azure I made an app called "cas"
>
> cas.authn.pac4j.oidc[0].azure.display-name= cas
> cas.authn.pac4j.oidc[0].azure.auto-redirect-type= SERVER
> cas.authn.pac4j.oidc[0].azure.client-name= cas
> cas.authn.pac4j.oidc[0].azure.enabled= true
> cas.authn.pac4j.oidc[0].azure.id= [client ap id of cas app]
> cas.authn.pac4j.oidc[0].azure.response-mode= form_post
> cas.authn.pac4j.oidc[0].azure.response-type= id_token
> cas.authn.pac4j.oidc[0].azure.scope= openid
> cas.authn.pac4j.oidc[0].azure.secret= [cas client app secret]
> cas.authn.pac4j.oidc[0].azure.tenant= [tenant id]
> cas.authn.pac4j.oidc[0].azure.use-nonce= true
> cas.authn.pac4j.oidc[0].azure.discovery-uri= 
> https://login.microsoftonline.com/[tenant id]/oauth2/v2.0/
> cas.authn.pac4j.oidc[0].azure.logout-url= 
> https://login.microsoftonline.com/common/oauth2/logout
>
> On Azure, I enabled id_token and set the redirect url to: 
>
> https://cas.dev.schoolname.ca/cas/login?client_name=cas
>
> service file for CasTest-1.json
>
> {
>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>   "serviceId" : "http://cas-test.dev.ecuad.ca/wp-login.php*",
>   "name" : "CasTest",
>   "id" : 1,
>   "evaluationOrder" : 1
> }
>
> Catalina.out when I go to the Cas Test page (word press site):
>
> 2023-05-25 15:25:02,294 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
>
> =
>
> WHO: audit:unknown
>
> WHAT: {result=Client Access Granted, service=
> http://cas-test.dev.schoolname.ca/wp-login.php, client=cas, 
> registeredService=CasTest:http://cas-test.dev.ecuad.ca/wp-login.php*}
>
> ACTION: DELEGATED_CLIENT_SUCCESS
>
> APPLICATION: CAS
>
> WHEN: Thu May 25 15:25:02 PDT 2023
>
> CLIENT IP ADDRESS: xxx
>
> SERVER IP ADDRESS: unknown
>
> =
>
>
> The problem I'm having is the web page will go to:
>
> https://cas.dev.schoolname.ca/cas/login?client_name=cas
>
> and time out. I'm not sure what I need to set so CAS (or Azure) will 
> redirect to the WordPress site.
>
> Any help is appreciated.
>
> Thank you,
>
> Rod
> On Friday, 23 April 2021 at 00:30:51 UTC-7 Bartosz Nitkiewicz wrote:
>
>> Ray, 
>>
>> Thank You. Now its working as expected.
>>
>> Regards 
>> Bartek
>>
>> czwartek, 22 kwietnia 2021 o 22:58:02 UTC+2 Ray Bon napisał(a):
>>
>>> Bartosz,
>>>
>>> The only cas properties I have that you do not are:
>>> cas.authn.pac4j.oidc[0].azure.discoveryUri= 
>>> 
>>> https://login.microsoftonline.com/[tenant id goes here]/oauth2/v2.0/
>>> cas.authn.pac4j.oidc[0].azure.logoutUrl=
>>> https://login.microsoftonline.com/common/oauth2/logout
>>>
>>> When I go from cas to azure, this is the link (from developer tools):
>>>
>>> https://login.microsoftonline.com/[tenant id goes here]/oauth2/authorize?response_type=code&redirect_uri=https://local.uvic.ca/cas/login?client_name=CasAsAClient&state=TST-1-...&client_id=[client id goes here]&scope=openid profile email
>>>
>>> In azure I

[cas-user] cas.authn.ldap[0].principal-transformation.case-conversion

2023-10-31 Thread Pablo Vidaurri
This was working. Now on v6.6.8 it does not seem to be working any more:

Config:
cas.authn.ldap[0].searchFilter:(|(uid={user})(mail={user}))
cas.authn.ldap[0].principal-attribute-id: uid
cas.authn.ldap[0].principal-transformation.case-conversion: LOWERCASE

Ldap has uid attribute = mixed.c...@example.com

In my login webflow, I have a step that does this:
var authentication = WebUtils.getAuthentication(context);
String userId = authentication.getPrincipal().getId();

value of userId is set to mixed.c...@example.com without lowercasing it.

What gives?
-psv



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/58d38dd3-cf7a-42ea-9a7b-42ee7882b383n%40apereo.org.


[cas-user] Re: CAS delegated auth - AzureAD

2023-10-24 Thread Pablo Vidaurri
Wow, perfect timing. I was about to ask if the discovery URL is the only 
URL that needs to be allowed through our firewall, because fudging out the one 
in my cas.properties did not seem to make a difference. Thanks for pointing 
out it is hardcoded and based on tenant id. It explains why it's working on 
my localhost but not in our DMZ.

I'm not sure why your query param is "appid". Mine is "client_name". I also 
use the following:
cas.authn.pac4j.oidc[0].azure.callback-url-type=PATH_PARAMETER
as I read in Azure AD config that it does not like query params in the 
redirect URL.

I have also had to comment out these 3 lines, as Azure was returning the 
wrong token, and it turns out the default settings are enough for me. Maybe you are 
trying to parse the wrong token (user token instead of authorization 
token). Also note the scope I use.
#cas.authn.pac4j.oidc[0].azure.response-mode=form_post
#cas.authn.pac4j.oidc[0].azure.response-type=id_token
#cas.authn.pac4j.oidc[0].azure.response-type=code
cas.authn.pac4j.oidc[0].azure.scope=openid profile email

On Monday, October 23, 2023 at 7:45:31 AM UTC-5 Catalin wrote:

> Hi,
>
> I'm trying to delegate auth to Azure AD in CAS 6.6.13. 
> It seems to delegate the auth to azure, the login is done but afterwards 
> it fails when trying to decode the returned JWT
>
> here's the error: 
>
> : [DelegatedClientAuthenticationHandler]: 
> [org.pac4j.core.exception.TechnicalException: 
> com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another 
> algorithm expected, or no matching key(s) found / 
> com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another 
> algorithm expected, or no matching key(s) found]
>
> and this happens because the sign keys are not matching, so in azure there 
> are some commons keys and there seems to be some client specific keys. 
> In the case of client specific sign keys, the discovery url should look 
> like this:
>
> https://login.microsoftonline.com/
> /.well-known/openid-configuration?appid= 
>
> as you can see the appid parameter at the end, here's some azure 
> explanation why the keys are specific for app: 
> https://learn.microsoft.com/en-us/answers/questions/1163810/where-can-i-find-the-jwks-uri-for-azure-ad
>
> I tried to add the discovery-url obviously from cas.properties, but from 
> what I have debugged the value is hardcoded in:
>
> org.pac4j.oidc.config.AzureAdOidcConfiguration
>
> code snippet below:
> @Override
> public String getDiscoveryURI() {
>     return "https://login.microsoftonline.com/" + tenant + "/.well-known/openid-configuration";
> }
>
> I also checked the latest pac4j sources, and the code is similar
>
> here the cas properties that I added in order to enable this delegation
> cas.authn.pac4j.oidc[0].azure.tenant=tenantID
> cas.authn.pac4j.oidc[0].azure.id=clientID
> cas.authn.pac4j.oidc[0].azure.secret=secret
> cas.authn.pac4j.oidc[0].azure.client-name=Azure
> cas.authn.pac4j.oidc[0].azure.display-name=Azure Login
> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=name
> cas.authn.pac4j.oidc[0].azure.callback-url=
> http://localhost:81/cas/login?client_name=Azure
> cas.authn.pac4j.oidc[0].azure.discovery-uri=
> https://login.microsoftonline.com/tenantID/.well-known/openid-configuration?appid=clientID
>
> So is this a limitation in pac4j? Is there any easy way to override 
> that discovery URL? I was thinking to try something with Byte Buddy
>
> Any suggestions appreciated
>
> thanks
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b9c090a-3cda-4b3c-ba4d-b864894e2e8en%40apereo.org.
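Added example for the thread above (my own code, not from CAS, pac4j or the posters): an offline reproduction of the key-selection step behind the "Signed JWT rejected ... no matching key(s) found" error. It decodes the id_token header and looks its `kid` up in a tenant-wide JWKS versus an app-specific JWKS, and builds the discovery URI the way the quoted pac4j snippet does (tenant only) beside the `?appid=` variant the post says is needed. All tokens and key sets are constructed samples with dummy RSA parameters; no signature is verified.

```python
"""Why an Azure AD id_token can fail CAS/pac4j validation with
'no matching key(s) found': the JWKS behind the tenant-only discovery
document may not contain the app-specific signing key."""
import base64
import json
from typing import Optional

AZURE_LOGIN = "https://login.microsoftonline.com/"


def discovery_uri(tenant: str, appid: Optional[str] = None) -> str:
    """Discovery URI as the quoted pac4j snippet builds it (tenant only),
    optionally with the ?appid= parameter the thread says is required when
    the app registration signs tokens with app-specific keys."""
    uri = f"{AZURE_LOGIN}{tenant}/.well-known/openid-configuration"
    return f"{uri}?appid={appid}" if appid else uri


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact-serialised JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict) -> Optional[dict]:
    """Mimic JWKS key selection: the key must carry the header's kid, be a
    signing key, and belong to the algorithm family named by alg. A None
    result is the situation behind 'no matching key(s) found'."""
    header = jwt_header(token)
    alg = header.get("alg", "")
    wanted_kty = {"RS": "RSA", "PS": "RSA", "ES": "EC"}.get(alg[:2])
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") != header.get("kid"):
            continue
        if jwk.get("use", "sig") != "sig":
            continue
        if wanted_kty and jwk.get("kty") != wanted_kty:
            continue
        if "alg" in jwk and jwk["alg"] != alg:
            continue
        return jwk
    return None


def diagnose(token: str, tenant_jwks: dict, app_jwks: dict) -> str:
    """Say which discovery document would have supplied the token's key."""
    if find_signing_key(token, tenant_jwks):
        return "key found in tenant JWKS"
    if find_signing_key(token, app_jwks):
        return "key only in app-specific JWKS: fetch discovery with ?appid="
    return "key not found in either JWKS"


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWT with an empty signature, for offline tests only."""
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


# Constructed sample data: the app-specific key is absent from the tenant
# set, which is the mismatch the thread describes. The RSA parameters are
# dummies; nothing here verifies a signature.
TENANT_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "tenant-key-1", "n": "AQAB", "e": "AQAB"},
]}
APP_JWKS = {"keys": TENANT_JWKS["keys"] + [
    {"kty": "RSA", "use": "sig", "kid": "app-key-1", "n": "AQAB", "e": "AQAB"},
]}
SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "app-key-1"},
    {"iss": f"{AZURE_LOGIN}tenant-id/v2.0", "aud": "client-id"},
)

if __name__ == "__main__":
    print(discovery_uri("tenant-id"))
    print(discovery_uri("tenant-id", appid="client-id"))
    print(diagnose(SAMPLE_TOKEN, TENANT_JWKS, APP_JWKS))
```

To apply this to a real failure, paste the rejected id_token in place of SAMPLE_TOKEN and the two JWKS documents fetched from the jwks_uri of each discovery URI.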


[cas-user] Delegated authentication to Azure B2C and Azure AD

2023-10-20 Thread Pablo Vidaurri
Cas 6.6.8, I have delegated authentication working for Azure B2C. We also 
have Azure AD federated to B2C and have created a user flow to authenticate 
AD users:
User -> CAS -> Azure B2C -> Azure AD

But in order to trigger the authentication against Azure AD, I am required 
to invoke a user flow via query parameter. I do not see an option for this 
or did I miss it? Otherwise looks like I would need another custom 
authenticator.

Thanks.
-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8eb2ccd2-e717-42c1-819d-082ec62bb802n%40apereo.org.


[cas-user] Re: Using a delegated authority with CAS auth providers

2023-10-12 Thread Pablo Vidaurri
Considering something similar. For users with xyz email domain delegate to 
Azure AD, all others use out of the box LDAP integration.

Find anything?

On Wednesday, September 27, 2023 at 9:55:51 PM UTC-5 Aaron Chantrill wrote:

> I would like to be able to have my users type in their username and then 
> use a regular expression match to direct the user to either a delegated 
> authority or to a form where they put in their password for an ldap or JDBC 
> authentication.
>
> I see where I can use a regular expression to match to different delegated 
> authorities, but it doesn't seem like I can say to use the non-delegated 
> form if none are matched.
>
> Has anyone figured out how to do something similar?
>
> Thank you,
> Aaron
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ca0c96b-ca7d-473c-9ab0-44e26fc5fc7dn%40apereo.org.


[cas-user] Re: Spring Security fixes

2023-09-29 Thread Pablo Vidaurri
Look at gradle.properties. It has springBootVersion, maybe set to 2.7.3 
for CAS template v6.6.12.

Per https://github.com/spring-projects/spring-boot/releases/tag/v2.7.16, 
Spring Boot v2.7.16 is using Spring 5.3.30. Update the property above.

On Thursday, September 28, 2023 at 4:13:36 AM UTC-5 stonej wrote:

> Hello,
>
> I am using the cas-overlay-template, version 6.6.12.  Is it possible on 
> the build.gradle script to push a certain version of the spring framework ?
>
> There is a security issue with 5.3 and I wanted to update it to 5.3.30 the 
> latest.  At the moment I am editing the war file to put the updates in, is 
> there a simpler way of doing this ?
>
> Thanks
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9afecf1b-995f-4a85-a58f-47ea9421a4b0n%40apereo.org.


Re: [cas-user] Cas Azure AD

2023-09-21 Thread Pablo Vidaurri
What version of CAS are you on?

I'm trying v6.6.8 with a cas.authn.pac4j.oidc[0].azure config similar to the one 
you posted:
cas.authn.pac4j.oidc[0].azure.client-name=AZURE-AD-NEWCO  // set the AD side to 
have a redirect URL of 
https://localhost:8443/cas/login?client_name=AZURE-AD-NEWCO

but getting an "Invalid CORS request" on redirect back to my cas instance. 

Looking at SAML tracer I am getting a 403 (I have a wildcarded service 
defined):

POST https://localhost:8443/cas/login?client_name=AZURE-AD-NEWCO HTTP/1.1  
Referer: https://login.microsoftonline.com/  
HTTP/1.1 403
Vary: Origin, Access-Control-Request-Method, 
Access-Control-Request-Headers  

-psv

On Tuesday, July 4, 2023 at 12:00:44 PM UTC-5 Ray Bon wrote:

> Jerome,
>
> Sorry, I should have also mentioned that you need to enable the JSON 
> service registry (first link in my previous email). With your current 
> config it is using the in memory service registry.
> And remember to put your service file in the destination directory.
>
> Ray
>
> On Tue, 2023-07-04 at 09:21 +0200, Jerome Denechaud wrote:
>
> Hello Ray 
>
> thanks for your answer so , I added :
> cas.service-registry.json.location=file:/etc/cas/services
>
> move cas.properties in /etc/cas/config 
> 00:06:00 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] - 
>  [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
> 2023-07-04 07:06:00,785 INFO 
> [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - 
> 
> 2023-07-04 07:06:00,789 INFO [org.apereo.cas.web.CasWebApplication] -  following 1 profile is active: "standalone">
>
> but still have
> 2023-07-04 07:06:30,841 INFO 
> [org.apereo.cas.services.AbstractServicesManager] -  from [InMemoryServiceRegistry].>
>
> Bests
>
>
>
> On Mon, Jul 3, 2023 at 10:59 PM Ray Bon  wrote:
>
> Jerome,
>
> Your test service is not being loaded.
>
> 05:22:45 INFO [o.a.c.s.AbstractServicesManager] -  from [InMemoryServiceRegistry].>
>
> See 
> https://apereo.github.io/cas/6.6.x/services/JSON-Service-Management.html
>  and https://apereo.github.io/cas/6.6.x/services/Service-Management.html
>
> Ray
>
> On Mon, 2023-07-03 at 06:17 -0700, Jerome Denechaud (wanexa) wrote:
>
> Hello 
>
> trying to deploy a CAS server to delegate Azure AD auth.
> I'm working with docker image apereo/cas:latest.
> I added a cas.properties file as below:
> cas.authn.pac4j.oidc[0].azure.display-name= cas
> cas.authn.pac4j.oidc[0].azure.auto-redirect-type= SERVER
> cas.authn.pac4j.oidc[0].azure.client-name= cas
> cas.authn.pac4j.oidc[0].azure.enabled= true
> cas.authn.pac4j.oidc[0].azure.id= 
> cas.authn.pac4j.oidc[0].azure.response-mode= form_post
> cas.authn.pac4j.oidc[0].azure.response-type= id_token
> cas.authn.pac4j.oidc[0].azure.scope= openid
> cas.authn.pac4j.oidc[0].azure.secret= 
> cas.authn.pac4j.oidc[0].azure.tenant= xx
> cas.authn.pac4j.oidc[0].azure.use-nonce= true
> cas.authn.pac4j.oidc[0].azure.discovery-uri= 
> https://login.microsoftonline.com/x/v2.0/.well-known/openid-configuration
> cas.authn.pac4j.oidc[0].azure.logout-url= 
> https://login.microsoftonline.com/common/oauth2/logout
> cas.serviceRegistry.json.location:file:/etc/cas/services
>
> test-1.json
> {
>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>   "serviceId" :  "^(https?)://.*",
>"name" : "test",
>"id" : 1,
>"evaluationOrder" : 1
> }
>
> on azure side 
> https://x.x.x.x/cas/login?client_name=AzureClient
> public address no dns 
>
> when I'm trying to authenticate  on my app portal 
> 06:10:07 ERROR 
> [o.a.c.s.w.s.RegisteredServiceResponseHeadersEnforcementFilter] -  unauthorized
> 
> RegisteredServiceAccessStrategyAuditableEnforcer.java:lambda$execute$6:200
> Optional.java:orElseGet:364
> RegisteredServiceAccessStrategyAuditableEnforcer.java:execute:194
> >
>
> switch to debug in log4j but can't find anything more
> startup log:
> 05:22:12 INFO [o.a.c.c.CasConfigurationPropertiesValidator] -  CAS property sources and configuration successfully.>
> 05:22:16 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] - 
>  [[standalone]]>
> 05:22:16 INFO [o.a.c.c.CasConfigurationPropertiesValidator] -  CAS property sources and configuration successfully.>
> 05:22:16 INFO [o.a.c.w.CasWebApplication] -  active: "standalone">
> 05:22:29 INFO [o.a.c.c.CasCoreServicesConfiguration] -  used as the persistence storage for retrieving and persisting service 
> definitions. Changes that ar
> e made to service definitions during runtime WILL be LOST when the CAS 
> server is restarted. Ideally for production, you should choose a storage 
> option (JSON, JDBC, MongoDb, etc
> ) to track servi

[cas-user] debugging login issues

2023-09-15 Thread Pablo Vidaurri
How best to debug login issues?

What cookie should the browser be holding (JSESSIONID?)
What should exist in my Postgres DB (TGT, ST, ?)

I already verified that I am using default 2 hour idle session and 8 hour 
max session. I'm logged in site, a few minutes later I refresh page and 
being asked to log in again.

I do have 
cas.ticket.tgt.core.only-track-most-recent-session=false
due to login having several APIs behind CAS running on the same host (but 
different web contexts) that generate STs.

I'm trying to figure out why I'm being asked to log in every few minutes. 
I suspect a ticket or cookie is being invalidated.

-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/af17924c-a354-430e-9bf3-450b8bfd9b62n%40apereo.org.


[cas-user] Delegate Azure users and continue to support LDAP for other users

2023-09-14 Thread Pablo Vidaurri
Is there an out of the box configuration to allow a user to enter their 
email then based on email domain either delegate the user to Azure AD or 
authenticate to LDAP?

I'm also trying to set an order so that LDAP is checked first, then redirect 
to Azure, but it does not look like the following is a valid config:
cas.authn.pac4j.oidc[0].azure.order=2

So when I try to configure both Azure and LDAP with LDAP having order =1 it 
always redirects to Azure.

I think I have to implement my own custom authentication class to 
accomplish what I need?

Thanks.
-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e584d84e-04c7-40c4-b08b-bac426357712n%40apereo.org.


[cas-user] Re: CAS 7 bug? /cas/login recalls previous specific service registration

2023-09-13 Thread Pablo Vidaurri
Hi Baron, I happen to have RC7 installed for evaluation.

I do not see the behavior you are describing while testing your scenarios.

Did you add any customization or is this out of the box? 

Maybe share your cas.properties to review.

-psv

On Monday, September 11, 2023 at 9:04:18 PM UTC-5 Baron Fujimoto wrote:

> While testing CAS 7 (RC7), we encountered either a puzzling bug, or some 
> configuration effect we don't understand.
>
> Normally, if we don't specify an application with for /cas/login, after 
> authentication we expect to be directed to a "Log In Successful" page for 
> an unknown target destination that displays the attributes and their values 
> for the user. We've found however, that once we've successfully logged in 
> for a target destination we actually have a service registration for (e.g. 
> "/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom" [*], any 
> subsequent attempts to use /cas/login without a target destination always 
> redirects us to the first successful target destination we successfully log 
> in to (e.g., example.com in this case). This even happens after 
> /cas/logout, a new private/incognito browser window, or even a different 
> browser, so it seems to be tied to the CAS server itself.
>
> [*] For example, with the following JSON service registration for 
> example.com:
>
> {
>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>   "name" : "Example_Default_MFA",
>   "serviceId" : "^https://example\\.com(/.*)*",
>   "description" : "Default MFA Test example.com",
>   "id" : 20230720150127,
>   "evaluationOrder" : 1009,
>   "multifactorPolicy" : {
> "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
> "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ 
> "mfa-duo" ] ],
> "failureMode" : "OPEN"
>   }
> }
>
> If we restart CAS, and try just "/cas/login", we get the expected 
> attributes results page. If we then try 
> "/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom", we get the 
> expected example.com page. But if we then try just "/cas/login" again, we 
> are only directed back to example.com as previously described. 
>
> Only restarting CAS seems to clear the condition. After restart, if we 
> first try it with the example.com target, then without logging out try it 
> without a target using just "/cas/login" we get the expected attributes 
> page. However, if we then logout with "/cas/logout" and then once again use 
> just the target-less  "/cas/login", we get directed back to example.com 
> rather than the attributes page.
>
> -- 
> Baron Fujimoto  ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b8b2276e-33fa-46cd-8ed2-5e1316fad768n%40apereo.org.


[cas-user] Re: JDBC attribute repository sql search by principal

2023-08-31 Thread Pablo Vidaurri
> primary attribute for both
> authentication approaches so that after the above attribute repository 
> (resolution) it would always use
> the username as the "usernameAttribute" (for the benefit of the client app)
>
> Note that in this case releasing attributes from azuretostandardusername
>
>
>  "usernameAttributeProvider" : {
> "@class" : 
> "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
> "usernameAttribute" : "username",
> "canonicalizationMode" : "NONE"
>   },
> "attributeReleasePolicy" : {
> "principalAttributesRepository" : {
>   "@class" : 
> "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
>   "ignoreResolvedAttributes": false,
>   "attributeRepositoryIds": ["java.util.HashSet", [ 
> "azuretostandardusername" ]],
>   "mergingStrategy" : "SOURCE"
> },
> "@class" : 
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
> "allowedAttributes" : [ "java.util.ArrayList", [ "email", "username", 
> ...] ]
>   }
>
> On Wednesday, July 26, 2023 at 11:54:54 AM UTC-5 Pablo Vidaurri wrote:
>
>> Digging through code:
>> SimpleUsernameAttributeProvider.java, method getUsernameAttributeValues, 
>> there is this line:
>> if (query.containsKey(this.usernameAttribute)) { ...}
>>
>> I see I can perhaps override the username with a userNameAttribute. I 
>> have not found any config where I can define this value. 
>>
>> Anyone know what property controls this?
>>
>> -psv
>>
>> On Wednesday, July 19, 2023 at 3:58:01 PM UTC-5 Pablo Vidaurri wrote:
>>
>>> Config info:
>>>
>>> cas.authn.attribute-repository.jdbc[0].sql=select a, b, c from 
>>> user_table where {0}
>>> cas.authn.attributeRepository.jdbc[0].username=USER_ID
>>> cas.authn.ldap[0].principalAttributeId: uid   <-- uid is jsmith but 
>>> login user name at UI is john@foobar.com
>>>
>>> Looks like the principal (uid) is not being used and instead the username 
>>> from the credentials. Is this a bug?
>>>
>>> Log info:
>>>
>>> 2023-07-19 13:22:08,418 DEBUG 
>>> [org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao]
>>>  
>>> - >> query builder 'null'>
>>>
>>> 2023-07-19 13:22:08,429 DEBUG 
>>> [org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao]
>>>  
>>> - >> from query Map {principal=[jsmith], Email=[john@foobar.com], 
>>> firstName=[John], GivenName=[John], lastName=[Smith], 
>>> credentialClass=[UsernamePasswordCredential], credentialId=[
>>> john@foobar.com], username=[john@foobar.com]}.>
>>>
>>> 2023-07-19 13:22:08,430 DEBUG 
>>> [org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao]
>>>  
>>> - >> john@foobar.com]>
>>>
>>> 2023-07-19 13:22:09,818 DEBUG 
>>> [org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao]
>>>  
>>> - >> john@foobar.com] and got results []>
>>>
>>> On Friday, July 14, 2023 at 5:10:14 AM UTC-5 Pablo Vidaurri wrote:
>>>
>>>> I have a single row lookup, so I have in my config:
>>>> cas.authn.attribute-repository.jdbc[0].sql=select * from user_table 
>>>> where {0}
>>>> cas.authn.attributeRepository.jdbc[0].username=USER_ID
>>>>
>>>> This seems to search by the user id entered at the login page. But I'd 
>>>> like to use the value from the resolved principal provided by LDAP:
>>>>
>>>> cas.authn.ldap[0].principalAttributeId: uid
>>>>
>>>> So the user logs in with jsmith88 and LDAP resolves the principal to be 
>>>> j.s...@example.com.
>>>> I'd like to use the principal value to look up the JDBC user attributes.
>>>>
>>>> Any way to configure CAS to do that?
>>>>
>>>>
>>>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ab58b42-4e96-44fc-8439-b1c09e01e3ben%40apereo.org.


[cas-user] cas.ticket.registry.jpa.autocommit=true ... why not?

2023-08-29 Thread Pablo Vidaurri
Seems default for JPA ticket registry has 
cas.ticket.registry.jpa.autocommit=false

From its description:  The default auto-commit behavior of connections in 
the pool. Determined whether queries such as update/insert should be 
immediately executed without waiting for an underlying transaction 

Why would you not want this enabled? I'm seeing many of these errors after 
JpaTicketRegistry updates:

DEBUG [com.zaxxer.hikari.pool.ProxyConnection] (default task-3) 
HikariPool-2 - Executed rollback on connection 
org.postgresql.jdbc.PgConnection@7ffadda2 due to dirty commit state on 
close(). 

-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4de2ed09-3429-41a6-97cc-7683a4f9ce53n%40apereo.org.


[cas-user] Re: CAS 6.6.8 invalid ST

2023-08-25 Thread Pablo Vidaurri
Okay, the last issue was due to ticket taking more than 10sec to validate. 
That is resolved.

One thing I did not notice before is that I'm seeing errors in my logs that 
the TGT already exists, so I get a unique constraint violation when inserting 
into the Postgres DB. Would this be due to 
cas.ticket.tgt.core.only-track-most-recent-session=false?

On Sunday, August 20, 2023 at 2:03:35 AM UTC-5 Pablo Vidaurri wrote:

> Thanks Petr,
>
> setting cas.ticket.tgt.core.only-track-most-recent-session=false did 
> help, all calls are working now with the exception of 1. I will dig into that 
> one to see if it is doing something different.
>
> -psv
>
> On Saturday, August 19, 2023 at 12:52:27 PM UTC-5 p.bo...@centrum.cz 
> wrote:
>
>> Hi Pablo,
>>
>> > ... Could many request for ST's be clobbering other tickets before the 
>> others get validated first
>>
>> The answer seems YES, provided you use CAS v6.6.0-RC4+ and create ST's 
>> for the same base URL - see https://github.com/apereo/cas/pull/5688 
>> which I have created recently. So one way to "fix" this is to set 
>> cas.ticket.tgt.core.only-track-most-recent-session=false, the other 
>> is to change the corresponding CAS Java class. 
>>
>> Unfortunately, authors of CAS haven't responded at all since this problem 
>> was first discovered here 
>> <https://github.com/apereo/cas/commit/901d8895f99dd72d72973a951cd2d8876c6ac6ff#r87291886>...
>>  
>>
>>
>> Petr
>>
>> On Saturday, 19 August 2023 at 07:09:22 UTC+2 Pablo Vidaurri wrote:
>>
>>> Testing CAS 6.6.8.
>>>
>>> I have ST persisted to postgres db.
>>>
>>> User logs in, I see ticket created in CAS logs. Then I see in browser a 
>>> redirect with SAMLart query parameter with the same ticket and a 500.
>>>
>>> CAS logs then show ticket is invalid even though ST was created with the 
>>> same second and this is the first time being used:
>>>   WHO: audit:unknown
>>>WHAT: 
>>> {ticket=ST-AAHJiT+kQbIMdHbOBFu0HYQw8IWXSOsHmkv0HGmNGYU6zeAGd04MwG8u,  
>>> service=https://www.xxx.com/myapp/api/user/profile}
>>>   ACTION: SERVICE_TICKET_VALIDATE_FAILED
>>>APPLICATION: CAS
>>>   WHEN: Fri Aug 18 13:54:51 MST 2023
>>>   CLIENT IP ADDRESS: xxx.xx.xxx.xxx
>>>   SERVER IP ADDRESS: www.xxx.com
>>>
>>> And throws back a denied Saml response:
>>>
>>> [>> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
>>> InResponseTo="_ec2e5252a76f05a00f75d5b7a97f5a65" 
>>> IssueInstant="2023-08-18T20:54:29.255Z" MajorVersion="1" MinorVersion="1" 
>>> ResponseID="_8c3c28ff013ed82e1dc573a02b7a949b">
>>> 
>>> 
>>> Ticket 
>>> 'ST-AAHJiT+kQbIMdHbOBFu0HYQw8IWXSOsHmkv0HGmNGYU6zeAGd04MwG8u' not 
>>> recognized
>>> 
>>> 
>>> ]
>>>
>>> I have about 6 async API calls behind CAS and the first call to them triggers 
>>> a service ticket. What could be causing this? I thought maybe there was a 
>>> delay so I tried using an in-memory db for tickets but the issue is still there. 
>>> Could many requests for ST's be clobbering other tickets before the others 
>>> get validated first?
>>>
>>> -psv
>>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a80dbc10-fadd-4639-88ac-318d57c066f4n%40apereo.org.


[cas-user] CAS 6.6.8 ST ticket generation with cas.host.name appended

2023-08-25 Thread Pablo Vidaurri
I have property:
cas.host.name=foobar1

Looking at my postgres_jpa_ticket_entity table, I do see some service 
tickets appended with this value, and the format looks like an alphanumeric 
formatted ticket (ST-ABC123-foobar1).

But I am also seeing some service tickets without the foobar1 appended and 
these also have special characters such as plus (+) and slashes (/). Why is 
this format different and why is there no foobar1 appended to these?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ab3f702f-79bb-4fa4-8d46-7a432493057dn%40apereo.org.


[cas-user] Re: CAS 6.6.8 invalid ST

2023-08-20 Thread Pablo Vidaurri
Thanks Petr,

setting cas.ticket.tgt.core.only-track-most-recent-session=false did 
help, all calls are working now with the exception of 1. I will dig into that 
one to see if it is doing something different.

-psv

On Saturday, August 19, 2023 at 12:52:27 PM UTC-5 p.bo...@centrum.cz wrote:

> Hi Pablo,
>
> > ... Could many request for ST's be clobbering other tickets before the 
> others get validated first
>
> The answer seems YES, provided you use CAS v6.6.0-RC4+ and create ST's for 
> the same base URL - see https://github.com/apereo/cas/pull/5688 which I 
> have created recently. So one way to "fix" this is to set 
> cas.ticket.tgt.core.only-track-most-recent-session=false, the other is 
> to change the corresponding CAS Java class. 
>
> Unfortunately, authors of CAS haven't responded at all since this problem 
> was first discovered here 
> <https://github.com/apereo/cas/commit/901d8895f99dd72d72973a951cd2d8876c6ac6ff#r87291886>...
>  
>
>
> Petr
>
> On Saturday, 19 August 2023 at 07:09:22 UTC+2 Pablo Vidaurri wrote:
>
>> Testing CAS 6.6.8.
>>
>> I have ST persisted to postgres db.
>>
>> User logs in, I see ticket created in CAS logs. Then I see in browser a 
>> redirect with SAMLart query parameter with the same ticket and a 500.
>>
>> CAS logs then show ticket is invalid even though ST was created with the 
>> same second and this is the first time being used:
>>   WHO: audit:unknown
>>WHAT: 
>> {ticket=ST-AAHJiT+kQbIMdHbOBFu0HYQw8IWXSOsHmkv0HGmNGYU6zeAGd04MwG8u,  
>> service=https://www.xxx.com/myapp/api/user/profile}
>>   ACTION: SERVICE_TICKET_VALIDATE_FAILED
>>APPLICATION: CAS
>>   WHEN: Fri Aug 18 13:54:51 MST 2023
>>   CLIENT IP ADDRESS: xxx.xx.xxx.xxx
>>   SERVER IP ADDRESS: www.xxx.com
>>
>> And throws back a denied Saml response:
>>
>> [> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
>> InResponseTo="_ec2e5252a76f05a00f75d5b7a97f5a65" 
>> IssueInstant="2023-08-18T20:54:29.255Z" MajorVersion="1" MinorVersion="1" 
>> ResponseID="_8c3c28ff013ed82e1dc573a02b7a949b">
>> 
>> 
>> Ticket 
>> 'ST-AAHJiT+kQbIMdHbOBFu0HYQw8IWXSOsHmkv0HGmNGYU6zeAGd04MwG8u' not 
>> recognized
>> 
>> 
>> ]
>>
>> I have about 6 async API calls behind CAS and the first call to them triggers 
>> a service ticket. What could be causing this? I thought maybe there was a 
>> delay so I tried using an in-memory db for tickets but the issue is still there. 
>> Could many requests for ST's be clobbering other tickets before the others 
>> get validated first?
>>
>> -psv
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f1a8665-1ad2-4518-ae64-6e63ae1eb79an%40apereo.org.
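Added example for this thread, not CAS source code: a small in-memory model of the eviction Petr describes, showing why STs granted earlier for the same base URL come back as "not recognized" when only-track-most-recent-session is true and all validate when it is false. Ticket ids, URLs and the eviction rule are constructed simplifications; the real logic lives in CAS's ticket-granting-ticket and registry classes and differs between versions.

```python
"""Model of service-ticket clobbering under only-track-most-recent-session.

Constructed model for the cas-user thread, not CAS code: several service
tickets are granted for the same base URL before any is validated, and the
"track only the most recent session" rule drops the earlier ones.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def service_base(url: str) -> str:
    """Reduce a service URL to scheme + host, the unit the thread says
    concurrent STs collide on (constructed simplification)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


@dataclass
class TicketRegistry:
    """Stand-in for the JPA or in-memory registry: ST id -> service URL."""
    tickets: dict[str, str] = field(default_factory=dict)

    def add(self, st_id: str, service: str) -> None:
        self.tickets[st_id] = service

    def delete(self, st_id: str) -> None:
        self.tickets.pop(st_id, None)

    def validate(self, st_id: str, service: str) -> bool:
        """STs are single use: a successful validation consumes the ticket.
        An id that is no longer present is 'not recognized', as in the log."""
        if self.tickets.get(st_id) != service:
            return False
        del self.tickets[st_id]
        return True


@dataclass
class TicketGrantingTicket:
    only_track_most_recent_session: bool
    services: dict[str, str] = field(default_factory=dict)  # ST id -> service URL
    _ids: itertools.count = field(default_factory=lambda: itertools.count(1), repr=False)

    def grant_service_ticket(self, registry: TicketRegistry, service: str) -> str:
        st_id = f"ST-{next(self._ids)}-constructed"
        if self.only_track_most_recent_session:
            # Keep only the newest session per base URL: any ST already issued
            # for the same base URL is dropped, whether or not it was validated.
            stale = [t for t, s in self.services.items()
                     if service_base(s) == service_base(service)]
            for t in stale:
                del self.services[t]
                registry.delete(t)
        self.services[st_id] = service
        registry.add(st_id, service)
        return st_id


def simulate(api_calls: list[str], only_track_most_recent_session: bool) -> dict[str, bool]:
    """Grant one ST per call first (as parallel async calls would), then
    validate them in issue order. Returns {ST id: validated?}."""
    registry = TicketRegistry()
    tgt = TicketGrantingTicket(only_track_most_recent_session)
    issued = [(tgt.grant_service_ticket(registry, url), url) for url in api_calls]
    return {st: registry.validate(st, url) for st, url in issued}


def failed_calls(api_calls: list[str], only_track_most_recent_session: bool) -> int:
    """Number of calls whose ST validation would fail."""
    return sum(not ok for ok in simulate(api_calls, only_track_most_recent_session).values())


if __name__ == "__main__":
    # Constructed sample: six async API calls behind one CAS-protected app.
    calls = [f"https://www.example.com/myapp/api/{p}"
             for p in ("user/profile", "orders", "cart", "prefs", "notices", "search")]
    for flag in (True, False):
        print(f"only-track-most-recent-session={flag}: "
              f"{failed_calls(calls, flag)} of {len(calls)} validations fail")
```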


[cas-user] CAS 6.6.8 invalid ST

2023-08-18 Thread Pablo Vidaurri
Testing CAS 6.6.8.

I have ST persisted to postgres db.

User logs in, I see ticket created in CAS logs. Then I see in browser a 
redirect with SAMLart query parameter with the same ticket and a 500.

CAS logs then show ticket is invalid even though ST was created with the 
same second and this is the first time being used:
  WHO: audit:unknown
   WHAT: 
{ticket=ST-AAHJiT+kQbIMdHbOBFu0HYQw8IWXSOsHmkv0HGmNGYU6zeAGd04MwG8u,  
service=https://www.xxx.com/myapp/api/user/profile}
  ACTION: SERVICE_TICKET_VALIDATE_FAILED
   APPLICATION: CAS
  WHEN: Fri Aug 18 13:54:51 MST 2023
  CLIENT IP ADDRESS: xxx.xx.xxx.xxx
  SERVER IP ADDRESS: www.xxx.com

And throws back a denied Saml response:

[


Ticket 
'ST-AAHJiT+kQbIMdHbOBFu0HYQw8IWXSOsHmkv0HGmNGYU6zeAGd04MwG8u' not recognized



]

I have about 6 async API calls behind CAS and the first call to them triggers a 
service ticket. What could be causing this? I thought maybe there was a 
delay so I tried using an in-memory db for tickets but the issue is still there. 
Could many requests for ST's be clobbering other tickets before the others 
get validated first?

-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c4b22c4-36fc-45e6-92ee-00415f8ba844n%40apereo.org.


Re: [cas-user] login with valid service but not getting ticket query parameter on redirect

2023-08-10 Thread Pablo Vidaurri
Thanks Ray, I owe you a case of whatever your vice is by now.

In retrospect it makes sense now. The service ticket was being searched for 
in the requestScope as the log reflects:
2023-08-08 15:25:26,057 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - https://localhost:8443] and added it to the 
request scope>

Since I was redirecting the user to a view, this triggered a new request 
which would lose the request scope including the service ticket.

So, right before I redirect the user to the view, I saved the requestScope 
object into flowScope, then after action was taken in the view I triggered 
another action that would put the temp requestScope object from the 
flowScope back into requestScope and finally removed the temp requestScope 
object from flowScope.

-psv

On Wednesday, August 9, 2023 at 9:09:00 PM UTC-5 Ray Bon wrote:

> Pablo,
>
>
> There are a number of maps associated with the web flow. 
> You can put to one of the maps, if needed. From your action class you can 
> see their contents:
>
> // authn attributes contains encrypted credential
> // LOGGER.debug("auth attribs Map: " + 
> //     WebUtils.getAuthentication(requestContext).getAttributes());
> // printMap("attributes Map", requestContext.getAttributes().asMap());
> // printMap("conversation Map", requestContext.getConversationScope().asMap());
> // printMap("flash Map", requestContext.getFlashScope().asMap());
> // printMap("flow scope Map", requestContext.getFlowScope().asMap());
> // printMap("request Map", requestContext.getRequestScope().asMap());
> // printMap("parameter Map", requestContext.getRequestParameters().asMap());
>
>
> // typed map so the String key iteration compiles
> private void printMap(String identifier, Map<String, Object> mam) {
>     LOGGER.trace(identifier + ": [" + mam.keySet().size() + "]:");
>     for (String key : mam.keySet()) {
>         LOGGER.trace("\t" + key + " : " + mam.get(key));
>     }
> }
>
> Ray
>
> On Wed, 2023-08-09 at 17:23 -0700, Pablo Vidaurri wrote:
>
>
> It looks like I'm losing the request scope, or at least the service 
> ticket: 
>
>
> 2023-08-08 15:25:26,057 DEBUG 
> [org.apereo.cas.web.flow.GenerateServiceTicketAction] -  ticket [ST-2-9u96HVcbf8-https://localhost:8443] and added it to 
> the request scope>
> 2023-08-08 15:25:26,057 DEBUG [org.apereo.cas.web.flow.MyCustomAction] - 
> 
> ...
> 2023-08-08 15:25:27,186 DEBUG 
> [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -  service ticket [null] from the context>
>
> Inside MyCustomAction.java, I can confirm I have a requestScope with ST. 
> My customAction will trigger a redirect to a view. After my view it seems I 
> lose the ST.
>
> Do I need to pass my requestscope or ST along with my form inside my view 
> via an input form parameter?
>
> -psv
>
>
> On Wednesday, August 9, 2023 at 2:50:18 PM UTC-5 Pablo Vidaurri wrote:
>
> Hi Ray, looks to be a self inflicted issue.
>
> We have a custom login webflow and have injected a view between the 
> generateServiceTicket and Redirect action/view states. When I disable this 
> custom step all works fine. I haven't been able to trace my issue but it is 
> my issue.
>
> -psv
>
> On Thursday, August 3, 2023 at 9:24:17 AM UTC-5 Ray Bon wrote:
>
> Pablo,
>
> What version of Cas is this?
>
> Check your logs. The audit log records the authentication events, 
> including ticket creation.
>
> Ray
>
> On Wed, 2023-08-02 at 14:39 -0700, Pablo Vidaurri wrote:
>
>
>
> I am seeing a problem where after a successful login a redirect is happening 
> back to the service URL but does not have a ticket=ST- query parameter. 
> This of course means that the service has no ticket to go validate. But if 
> I hit the login page again, I get the ticket on the 2nd try. 
>
> 1) https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login
> 2) after login redirects to https://myapp.newco.com/cas/login, with no 
> ticket
> 3) since no ticket, login to the app fails.
> 4) I go to 
> https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login 
> again
> 5) immediately redirects back to 
> https://myapp.xxx.com/cas/login?ticket=ST-
> 6) now logged into the app
>
> Why would ticket not be sent the first time?
>
> -psv
>
>
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b9a850fb-dd71-48e2-a0d3-7ada7f703911n%40apereo.org.
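Added example for this thread (not code from CAS or from the poster's overlay): two Spring Webflow actions that park the request-scope attributes, including the service ticket id that GenerateServiceTicketAction stores there, in flow scope before a custom view state and restore them on the way out, so the ticket stays in the server-side flow and never has to travel through the form. The class names, package and flow-scope key are assumptions; registering the actions in the login flow via a CasWebflowConfigurer is not shown.

```java
// Added example, not CAS code. Carries request-scope attributes across a custom
// view state by parking them in flow scope (server-side, per flow execution).
package org.apereo.cas.web.flow; // assumed package, matching the thread's log lines

import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

public final class RequestScopeParkingActions {

    /** Flow-scope key holding the parked attributes (assumed name). */
    static final String PARKED_KEY = "parkedRequestScope";

    private RequestScopeParkingActions() {
    }

    /** Run on the transition into the custom view state, after generateServiceTicket. */
    public static class ParkRequestScopeAction extends AbstractAction {
        @Override
        protected Event doExecute(final RequestContext context) {
            // Flow scope is persisted between HTTP requests, so only Serializable
            // values can be parked; the service ticket id is a String, so it qualifies.
            final Map<String, Serializable> parked = new HashMap<>();
            for (final Map.Entry<String, Object> entry : context.getRequestScope().asMap().entrySet()) {
                if (entry.getValue() instanceof Serializable) {
                    parked.put(entry.getKey(), (Serializable) entry.getValue());
                }
            }
            context.getFlowScope().put(PARKED_KEY, parked);
            return success();
        }
    }

    /** Run on the transition out of the view, before redirectToService. */
    public static class RestoreRequestScopeAction extends AbstractAction {
        @Override
        @SuppressWarnings("unchecked")
        protected Event doExecute(final RequestContext context) {
            // Remove, not get: the parked copy must not outlive this single hop,
            // otherwise a stale ticket id could be replayed into a later request.
            final Object parked = context.getFlowScope().remove(PARKED_KEY);
            if (parked instanceof Map) {
                ((Map<String, Serializable>) parked).forEach(context.getRequestScope()::put);
            }
            return success();
        }
    }
}
```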


Re: [cas-user] login with valid service but not getting ticket query parameter on redirect

2023-08-09 Thread Pablo Vidaurri
It looks like I'm losing the request scope, or at least the service ticket:


2023-08-08 15:25:26,057 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - https://localhost:8443] and added it to the 
request scope>
2023-08-08 15:25:26,057 DEBUG [org.apereo.cas.web.flow.MyCustomAction] - 

...
2023-08-08 15:25:27,186 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - 

Inside MyCustomAction.java, I can confirm I have a requestScope with ST. My 
customAction will trigger a redirect to a view. After my view it seems I 
lose the ST.

Do I need to pass my requestscope or ST along with my form inside my view 
via an input form parameter?

-psv


On Wednesday, August 9, 2023 at 2:50:18 PM UTC-5 Pablo Vidaurri wrote:

> Hi Ray, looks to be a self inflicted issue.
>
> We have a custom login webflow and have injected a view between the 
> generateServiceTicket and Redirect action/view states. When I disable this 
> custom step all works fine. I haven't been able to trace my issue but it is 
> my issue.
>
> -psv
>
> On Thursday, August 3, 2023 at 9:24:17 AM UTC-5 Ray Bon wrote:
>
>> Pablo,
>>
>> What version of Cas is this?
>>
>> Check your logs. The audit log records the authentication events, 
>> including ticket creation.
>>
>> Ray
>>
>> On Wed, 2023-08-02 at 14:39 -0700, Pablo Vidaurri wrote:
>>
>>
>>
>> I am seeing a problem where after a successful login a redirect is 
>> happening back to the service URL but does not have a ticket=ST- query 
>> parameter. This of course means that the service has no ticket to go 
>> validate. But if I hit the login page again, I get the ticket on the 2nd 
>> try. 
>>
>> 1) https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login
>> 2) after login redirects to https://myapp.newco.com/cas/login, with no 
>> ticket
>> 3) since no ticket, login to the app fails.
>> 4) I go to 
>> https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login 
>> again
>> 5) immediately redirects back to 
>> https://myapp.xxx.com/cas/login?ticket=ST-
>> 6) now logged into the app
>>
>> Why would ticket not be sent the first time?
>>
>> -psv
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ab0bf42-62f1-43e6-8ae2-9fa02251cc3cn%40apereo.org.


Re: [cas-user] login with valid service but not getting ticket query parameter on redirect

2023-08-09 Thread Pablo Vidaurri
Hi Ray, looks to be a self inflicted issue.

We have a custom login webflow and have injected a view between the 
generateServiceTicket and Redirect action/view states. When I disable this 
custom step all works fine. I haven't been able to trace my issue but it is 
my issue.

-psv

On Thursday, August 3, 2023 at 9:24:17 AM UTC-5 Ray Bon wrote:

> Pablo,
>
> What version of Cas is this?
>
> Check your logs. The audit log records the authentication events, 
> including ticket creation.
>
> Ray
>
> On Wed, 2023-08-02 at 14:39 -0700, Pablo Vidaurri wrote:
>
>
>
> I am seeing a problem where after a successful login a redirect is happening 
> back to the service URL but does not have a ticket=ST- query parameter. 
> This of course means that the service has no ticket to go validate. But if 
> I hit the login page again, I get the ticket on the 2nd try. 
>
> 1) https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login
> 2) after login redirects to https://myapp.newco.com/cas/login, with no 
> ticket
> 3) since no ticket, login to the app fails.
> 4) I go to 
> https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login 
> again
> 5) immediately redirects back to 
> https://myapp.xxx.com/cas/login?ticket=ST-
> 6) now logged into the app
>
> Why would ticket not be sent the first time?
>
> -psv
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/08df51ec-259c-4619-ba3b-b0e5f4718f86n%40apereo.org.


[cas-user] Re: Is Azure AD B2C Supported in CAS 6.6.8?

2023-08-09 Thread Pablo Vidaurri
Still having an issue. Trying to figure out if it's a config issue on CAS 
side or a setup issue on Azure AD side.

We are spinning up a new instance of Azure AD B2C. I was given an endpoint 
with an example payload to use to verify user credentials. Using postman, 
that api works. But it does not appear CAS is doing the same.
 
API used via postman where b2c_xxx_ropc is the user policy flow:

POST /b2cxyz..xxx/b2c_xxx_ropc/oauth2/v2.0/token HTTP/1.1
Host: xxx.b2clogin.com
Content-Type: application/x-www-form-urlencoded

body:
grant_type:password
scope:openid 
username:someu...@mydomain.com
password:myPwd123
client_id:
response_type:token id_token

I get back a token. Now trying with CAS:

For CAS, I'm using the below config for Azure AD:
cas.authn.azure-active-directory.client-id
cas.authn.azure-active-directory.login-url=https:// 
xxx.b2clogin.com/b2cxyz..xxx/b2c_xxx_ropc/oauth2/v2.0/token

Message in log:
[Invalid credentials: com.microsoft.aad.adal4j.AuthenticationException: 
Server returned HTTP response code: 404 for URL : https:// 
xxx.b2clogin.com/common/userrealm/someuser@ .com?api-version=1.0, Error 
details : The resource you are looking for has been removed, had its name 
changed, or is temporarily unavailable.].>

Any assistance would be appreciated.

-psv
On Thursday, August 3, 2023 at 9:33:47 PM UTC-5 Pablo Vidaurri wrote:

> Not sure if there is a difference between Azure AD and Azure AD B2C. Is 
> B2C supported in CAS 6.6.8?
>
> Looking at integrating with Azure AD B2C via my custom login page. I see a 
> connection being made but always with same error message. It feels like I 
> need to define some attributes that are not supported until CAS 7.0.
>
> cas.authn.azure-active-directory.client-secret=
> cas.authn.azure-active-directory.tenant=xxx
> cas.authn.azure-active-directory.scope=xxx
>
> Error message:
> 2023-08-03 17:21:59,481 TRACE 
> [org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler]
>  
> - 
> 2023-08-03 17:21:59,493 DEBUG 
> [org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler]
>  
> - https://graph.microsoft.com/] and client 
> id [x] for user [x...@x.com]>
> 2023-08-03 17:22:00,192 ERROR 
> [com.microsoft.aad.adal4j.AuthenticationContext] - <[Correlation ID: x] 
> Execution of class com.microsoft.aad.adal4j.AcquireTokenCallable failed.>
> com.microsoft.aad.adal4j.AuthenticationException: 
> {"trace_id":"xxx","error_description":"AADSTS50034: The user account 
> {EmailHidden} does not exist in the x.com directory. To sign into 
> this application, the account must be added to the directory.Trace ID:  
> Correlation ID: x Timestamp: 2023-08-03 
> 22:22:00Z","correlation_id":"x","error":"invalid_grant","error_uri":"https:\/\/
> login.microsoftonline.com\/error?code=50034","timestamp":"2023-08-03 
> 22:22:00Z"}
> at 
> com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:128)
>  
> ~[adal4j-1.6.7.jar!/:1.6.7]
> at 
> com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:930)
>  
> ~[adal4j-1.6.7.jar!/:1.6.7]
> at 
> com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:70)
>  
> ~[adal4j-1.6.7.jar!/:1.6.7]
> at 
> com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:38)
>  
> ~[adal4j-1.6.7.jar!/:1.6.7]
> at com.microsoft.aad.adal4j.AdalCallable.call(AdalCallable.java:47) 
> ~[adal4j-1.6.7.jar!/:1.6.7]
> at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>  
> ~[?:?]
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>  
> ~[?:?]
> at java.lang.Thread.run(Thread.java:834) ~[?:?]
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f8217de6-bafe-48ac-ad98-a4dbee7c4ffcn%40apereo.org.


[cas-user] Is Azure AD B2C Supported in CAS 6.6.8?

2023-08-03 Thread Pablo Vidaurri
Not sure if there is a difference between Azure AD and Azure AD B2C. Is B2C 
supported in CAS 6.6.8?

Looking at integrating with Azure AD B2C via my custom login page. I see a 
connection being made but always with same error message. It feels like I 
need to define some attributes that are not supported until CAS 7.0.

cas.authn.azure-active-directory.client-secret=
cas.authn.azure-active-directory.tenant=xxx
cas.authn.azure-active-directory.scope=xxx

Error message:
2023-08-03 17:21:59,481 TRACE 
[org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler]
 
- 
2023-08-03 17:21:59,493 DEBUG 
[org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler]
 
- https://graph.microsoft.com/] and client 
id [x] for user [x...@x.com]>
2023-08-03 17:22:00,192 ERROR 
[com.microsoft.aad.adal4j.AuthenticationContext] - <[Correlation ID: x] 
Execution of class com.microsoft.aad.adal4j.AcquireTokenCallable failed.>
com.microsoft.aad.adal4j.AuthenticationException: 
{"trace_id":"xxx","error_description":"AADSTS50034: The user account 
{EmailHidden} does not exist in the x.com directory. To sign into this 
application, the account must be added to the directory.Trace ID:  
Correlation ID: x Timestamp: 2023-08-03 
22:22:00Z","correlation_id":"x","error":"invalid_grant","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50034","timestamp":"2023-08-03
 
22:22:00Z"}
at 
com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:128)
 
~[adal4j-1.6.7.jar!/:1.6.7]
at 
com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:930)
 
~[adal4j-1.6.7.jar!/:1.6.7]
at 
com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:70)
 
~[adal4j-1.6.7.jar!/:1.6.7]
at 
com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:38)
 
~[adal4j-1.6.7.jar!/:1.6.7]
at com.microsoft.aad.adal4j.AdalCallable.call(AdalCallable.java:47) 
~[adal4j-1.6.7.jar!/:1.6.7]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) 
~[?:?]
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) 
~[?:?]
at java.lang.Thread.run(Thread.java:834) ~[?:?]

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/42c988a3-e54d-4a11-a874-57866ac00570n%40apereo.org.


[cas-user] login with valid service but not getting ticket query parameter on redirect

2023-08-02 Thread Pablo Vidaurri
I am seeing a problem where after a successful login a redirect is happening 
back to the service URL but does not have a ticket=ST- query parameter. 
This of course means that the service has no ticket to go validate. But if 
I hit the login page again, I get the ticket on the 2nd try.

1) https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login
2) after login redirects to https://myapp.newco.com/cas/login, with no 
ticket
3) since no ticket, login to the app fails.
4) I go to 
https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login again
5) immediately redirects back to 
https://myapp.xxx.com/cas/login?ticket=ST-
6) now logged into the app

Why would ticket not be sent the first time?

-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7c3e8ce3-e45d-4ece-90d2-b08ca06ed742n%40apereo.org.


[cas-user] Re: JDBC attribute repository sql search by principal

2023-07-26 Thread Pablo Vidaurri
Digging through the code:
SimpleUsernameAttributeProvider.java, method getUsernameAttributeValues, 
there is this line:
if (query.containsKey(this.usernameAttribute)) { ...}

I see I can perhaps override the username with a userNameAttribute. I have 
not found any config where I can define this value. 

Anyone know what property controls this?

-psv

On Wednesday, July 19, 2023 at 3:58:01 PM UTC-5 Pablo Vidaurri wrote:

> Config info:
>
> cas.authn.attribute-repository.jdbc[0].sql=select a, b, c from user_table 
> where {0}
> cas.authn.attributeRepository.jdbc[0].username=USER_ID
> cas.authn.ldap[0].principalAttributeId: uid   <-- uid is jsmith but login 
> user name at UI is john@foobar.com
>
> Looks like the principal (uid) is not being used and instead the username from 
> the credentials. *Is this a bug?*
>
> Log info:
>
> 2023-07-19 13:22:08,418 DEBUG 
> [org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] 
> -  builder 'null'>
>
> 2023-07-19 13:22:08,429 DEBUG 
> [org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] 
> -  from query Map {principal=[jsmith], Email=[john@foobar.com], 
> firstName=[John], GivenName=[John], lastName=[Smith], 
> credentialClass=[UsernamePasswordCredential], credentialId=[
> john@foobar.com], username=[john@foobar.com]}.>
>
> 2023-07-19 13:22:08,430 DEBUG 
> [org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] 
> -  john@foobar.com]>
>
> 2023-07-19 13:22:09,818 DEBUG 
> [org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] 
> -  john@foobar.com] and got results []>
>
> On Friday, July 14, 2023 at 5:10:14 AM UTC-5 Pablo Vidaurri wrote:
>
>> I have a single row lookup, so I have in my config:
>> cas.authn.attribute-repository.jdbc[0].sql=select * from user_table where 
>> {0}
>> cas.authn.attributeRepository.jdbc[0].username=USER_ID
>>
>> This seems to search by the user id entered at the login page. But I'd 
>> like to use the value from the resolved principal provided by LDAP:
>>
>> cas.authn.ldap[0].principalAttributeId: uid
>>
>> So user logs in with jsmith88 and ldap resolves the principal to be 
>> j.s...@example.com.
>> I'd like to use the principal value to look up jdbc userAttributes.
>>
>> Any way to configure CAS to do that?
>>
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20f7ec99-6575-4148-809b-f93695c96e4fn%40apereo.org.


[cas-user] Re: Errors when Upgrading from 6.4 to 6.5

2023-07-25 Thread Pablo Vidaurri
Try adding to your build.gradle ... 

implementation "org.springframework:spring-context-indexer:5.3.28"
annotationProcessor "org.springframework:spring-context-indexer:5.3.28"

On Tuesday, July 25, 2023 at 3:20:45 PM UTC-5 neilbh...@gmail.com wrote:

> When I upgrade CAS from 6.4 to 6.5 I am getting the error:
>
> cas_6x_overlay-casuseradmin-1  | ***
> cas_6x_overlay-casuseradmin-1  | APPLICATION FAILED TO START
> cas_6x_overlay-casuseradmin-1  | ***
> cas_6x_overlay-casuseradmin-1  |
> cas_6x_overlay-casuseradmin-1  | Description:
> cas_6x_overlay-casuseradmin-1  |
> cas_6x_overlay-casuseradmin-1  | Parameter 0 of method 
> defaultCasWebflowAuthenticationExceptionHandler in 
> org.apereo.cas.web.flow.config.CasCoreWebflowConfiguration$CasCoreWebflowExceptionHandlingConfiguration
>  
> required a bean of type 
> 'org.apereo.cas.web.flow.authentication.CasWebflowExceptionCatalog' that 
> could not be found.
> cas_6x_overlay-casuseradmin-1  |
> cas_6x_overlay-casuseradmin-1  |
> cas_6x_overlay-casuseradmin-1  | Action:
> cas_6x_overlay-casuseradmin-1  |
> cas_6x_overlay-casuseradmin-1  | Consider defining a bean of type 
> 'org.apereo.cas.web.flow.authentication.CasWebflowExceptionCatalog' in your 
> configuration.
> cas_6x_overlay-casuseradmin-1  | >
> cas_6x_overlay-casuseradmin-1  | 25-Jul-2023 18:30:42.347 SEVERE [main] 
> org.apache.catalina.startup.HostConfig.deployDirectory Error deploying web 
> application directory [/usr/local/tomcat/webapps/cas]
> cas_6x_overlay-casuseradmin-1  |java.lang.IllegalStateException: 
> Error starting child

[cas-user] Re: JDBC attribute repository sql search by principal

2023-07-19 Thread Pablo Vidaurri
Config info:

cas.authn.attribute-repository.jdbc[0].sql=select a, b, c from user_table 
where {0}
cas.authn.attributeRepository.jdbc[0].username=USER_ID
cas.authn.ldap[0].principalAttributeId: uid   <-- uid is jsmith but login 
user name at UI is john.sm...@foobar.com

Looks like the principal (uid) is not being used, and instead the username from 
the credentials is. *Is this a bug?*

Log info:

2023-07-19 13:22:08,418 DEBUG 
[org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] 
- 

2023-07-19 13:22:08,429 DEBUG 
[org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] 
- 

2023-07-19 13:22:08,430 DEBUG 
[org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] 
- 

2023-07-19 13:22:09,818 DEBUG 
[org.apereo.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] 
- 

On Friday, July 14, 2023 at 5:10:14 AM UTC-5 Pablo Vidaurri wrote:

> I have a single row lookup, so I have in my config:
> cas.authn.attribute-repository.jdbc[0].sql=select * from user_table where 
> {0}
> cas.authn.attributeRepository.jdbc[0].username=USER_ID
>
> This seems to search by the user id entered at the login page. But I'd 
> like to use the value from the resolved principal provided by LDAP:
>
> cas.authn.ldap[0].principalAttributeId: uid
>
> So user logs in with jsmith88 and ldap resolves the principal to be 
> j.s...@example.com.
> I'd like to use the principal value to look up jdbc userAttributes.
>
> Any way to configure CAS to do that?
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/02b033ff-1cc8-47e8-89f6-02b76c0e8467n%40apereo.org.


[cas-user] Re: start up error CAS 6.6.x embedded tomcat

2023-07-17 Thread Pablo Vidaurri
Something does not look right ...

CAS Version: Not Available
CAS Branch: master
CAS Commit Id: Not Available

-Dcas.standalone.configuration-directory=C:\apereocas66x\config

Do you have cas.properties in here? Or did you copy all the default 
settings to application-standalone.properties?

I believe the source code has an /etc folder that can be copied over as an 
initial start.

-psv



On Monday, July 17, 2023 at 12:36:42 PM UTC-5 Yan Zhou wrote:

> hi there,
>
> i am following CAS doc to setup Intellij to start up CAS via embedded 
> tomcat container, but keeps getting this error.
>
> I do not understand why it keeps saying the bean is already registered..
>
> thanks in advance!
> Yan
>
>  attempt: 
> org.springframework.beans.factory.support.BeanDefinitionOverrideException: 
> Invalid bean definition with name 'messageSource' defined in class path 
> resource 
> [org/apereo/cas/config/CasCoreWebConfiguration$CasCoreWebMessageSourceConfiguration.class]:
>  
> Cannot register bean definition [Root bean: class [null]; scope=refresh; 
> abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; 
> autowireCandidate=true; primary=false; 
> factoryBeanName=CasCoreWebMessageSourceConfiguration; 
> factoryMethodName=messageSource; initMethodName=null; 
> destroyMethodName=(inferred); defined in class path resource 
> [org/apereo/cas/config/CasCoreWebConfiguration$CasCoreWebMessageSourceConfiguration.class]]
>  
> for bean 'messageSource': There is already [Root bean: class [null]; 
> scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; 
> autowireCandidate=true; primary=false; 
> factoryBeanName=org.springframework.boot.autoconfigure.context.MessageSourceAutoConfiguration;
>  
> factoryMethodName=messageSource; initMethodName=null; 
> destroyMethodName=(inferred); defined in class path resource 
> [org/springframework/boot/autoconfigure/context/MessageSourceAutoConfiguration.class]]
>  
> bound.>
>
> here is the output console. 
>
> "C:\Program Files\Java\jdk-11.0.12\bin\java.exe" 
> -agentlib:jdwp=transport=dt_socket,address=127.0.0.1:54125,suspend=y,server=n 
> -Duser.timezone=UTC -Dspring.profiles.active=standalone 
> -Dcas.standalone.configuration-directory=C:\apereocas66x\config 
> -javaagent:C:\Users\y..\AppData\Local\JetBrains\IdeaIC2023.1\groovyHotSwap\gragent.jar
>  
> -javaagent:C:\Users\y..\AppData\Local\JetBrains\IdeaIC2023.1\captureAgent\debugger-agent.jar=file:/C:/Users/y../AppData/Local/Temp/capture1.props
>  
> -Dfile.encoding=UTF-8 
> @C:\Users\y..\AppData\Local\Temp\idea_arg_file593654062 
> org.apereo.cas.web.CasWebApplication
> Connected to the target VM, address: '127.0.0.1:54125', transport: 
> 'socket'
> 2023-07-17 15:10:36.066  INFO 18084 --- [  restartedMain] 
> .c.c.CasConfigurationPropertiesValidator : Validated CAS property sources 
> and configuration successfully.
> 2023-07-17 15:10:39.022  INFO 18084 --- [  restartedMain] 
> .e.DevToolsPropertyDefaultsPostProcessor : Devtools property defaults 
> active! Set 'spring.devtools.add-properties' to 'false' to disable
>
>
>
> CAS Version: Not Available
> CAS Branch: master
> CAS Commit Id: Not Available
> CAS Build Date/Time: 2023-07-14T19:43:48.113Z
> Spring Boot Version: 2.7.3
> Spring Version: 5.3.22
> Java Home: C:\Program Files\Java\jdk-11.0.12
> Java Vendor: Oracle Corporation
> Java Version: 11.0.12
> JVM Free Memory: 195 MB
> JVM Maximum Memory: 7 GB
> JVM Total Memory: 610 MB
> OS Architecture: amd64
> OS Name: Windows 10
> OS Version: 10.0
> OS Date/Time: 2023-07-17T15:10:47.610637600
> OS Temp Directory: C:\Users\Y...\AppData\Local\Temp\
> 
> Apache Tomcat Version: Apache Tomcat/9.0.76
> 
>
>
> 2023-07-17 15:10:47.861  INFO 18084 --- [  restartedMain] 
> c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at : 
> http://localhost:
> 2023-07-17 15:10:50.339  INFO 18084 --- [  restartedMain] 
> c.c.c.ConfigServicePropertySourceLocator : Connect Timeout Exception on Url 
> - http://localhost:. Will be trying the next url if available
> 2023-07-17 15:10:50.339  WARN 18084 --- [  restartedMain] 
> c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: 
> I/O error on GET request for "http://localhost:/application/standalone": 
> Connection refused: connect; nested exception is java.net.ConnectException: 
> Connection refused: connect
> 2023-07-17 15:10:50.456  INFO 18084 --- [  restartedMain] 
> tCasConfigurationPropertiesSourceLocator : Configuration fi

[cas-user] JDBC attribute repository sql search by principal

2023-07-14 Thread Pablo Vidaurri
I have a single row lookup, so I have in my config:
cas.authn.attribute-repository.jdbc[0].sql=select * from user_table where 
{0}
cas.authn.attributeRepository.jdbc[0].username=USER_ID

This seems to search by the user id entered at the login page. But I'd like 
to use the value from the resolved principal provided by LDAP:

cas.authn.ldap[0].principalAttributeId: uid

So user logs in with jsmith88 and ldap resolves the principal to be 
j.sm...@example.com.
I'd like to use the principal value to look up jdbc userAttributes.

Any way to configure CAS to do that?


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/80c2fed7-1346-4ba4-ac74-eb2d185b47a6n%40apereo.org.


[cas-user] DefaultTicketRegistryCleaner cannot find INT_LOCK table

2023-07-07 Thread Pablo Vidaurri
Upgraded to CAS 6.6.8 from 6.3.7. 

cas.ticket.registry.jpa.ddlAuto=create
also tried update. 

I only see one table created: postgres_jpa_ticket_entity

but I'm getting this error:


2023-07-07 16:25:05,647 ERROR 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/38fac90e-8d3b-41cf-9364-7ae75f62c884n%40apereo.org.


[cas-user] Re: CAS 6.5.2 - JPA ticket service registry does not create int_lock table

2023-07-07 Thread Pablo Vidaurri
Same issue with CAS 6.6.8



On Wednesday, April 6, 2022 at 8:14:36 AM UTC-5 fred...@lohier.org wrote:

> Hello,
>
> I am upgrading our CAS 6.4.6.1 to CAS 6.5.2.
> We are using the JPA ticket registry (PostgreSQL 11).
>
> During startup, CAS creates the "postgres_jpa_ticket_entity" table (name 
> changed from "cas_tickets" in 6.4.x) but *does not create the "int_locks" 
> table* (name changed from "locks" in 6.4.x).
>
> As a result, during a SAML or OIDC authentication, I get the following 
> error:
>
> 2022-04-06 14:28:25,148 DEBUG 
> [org.hibernate.engine.transaction.internal.TransactionImpl] -  TransactionImpl creation, JpaCompliance#isJpaTransactionComplianceEnabled 
> == false>
>
> 2022-04-06 14:28:25,148 DEBUG 
> [org.hibernate.engine.transaction.internal.TransactionImpl] - 
>
> 2022-04-06 14:28:25,160 DEBUG 
> [org.hibernate.engine.transaction.internal.TransactionImpl] -  TransactionImpl creation, JpaCompliance#isJpaTransactionComplianceEnabled 
> == false>
>
> 2022-04-06 14:28:25,160 DEBUG 
> [org.hibernate.engine.transaction.internal.TransactionImpl] - 
>
> 2022-04-06 14:28:25,410 DEBUG 
> [org.hibernate.engine.transaction.internal.TransactionImpl] - 
>
> 2022-04-06 14:28:25,414 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
>
> =
>
> WHO: 
>
> WHAT: 
> https:idp/profile/SAML2/Callback?entityId=
>
> ACTION: SERVICE_TICKET_NOT_CREATED
>
> APPLICATION: CAS
>
> WHEN: Wed Apr 06 14:28:25 CEST 2022
>
> CLIENT IP ADDRESS: 
>
> SERVER IP ADDRESS: 
>
> =
>
> > 
>
> 2022-04-06 14:28:25,414 DEBUG 
> [org.hibernate.engine.transaction.internal.TransactionImpl] - 
>
> 2022-04-06 14:28:25,415 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] -  to handle [org.springframework.webflow.execution.ActionExecutionException: 
> Exception thrown executing 
> org.apereo.cas.web.flow.GenerateServiceTicketAction@3d3709d0 in state 
> 'generateServiceTicket' of flow 'login' -- action execution attributes were 
> 'map[[empty]]'] with root cause *[org.postgresql.util.PSQLException: 
> ERROR: relation "int_lock" does not exist*
>
>   Position: 8]>
>
> I was able to workaround this by manually creating the int_lock table 
> using the spring_integration SQL script here : 
>
>
> https://github.com/spring-projects/spring-integration/blob/5.5.x/spring-integration-jdbc/src/main/resources/org/springframework/integration/jdbc/schema-postgresql.sql
>
>
> -Frederic
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3c3c0244-aa71-4b73-8241-e096b02dbe58n%40apereo.org.


[cas-user] Re: Unsupported class file major version 65

2023-06-29 Thread Pablo Vidaurri
Are you sure JAVA_HOME is set correctly? What does the CAS banner state 
during startup?

On Monday, June 26, 2023 at 11:40:03 PM UTC-5 chaof...@foxitsoftware.com 
wrote:

> I installed JDK 21-ea, but this exception still appears...
>
> A problem occurred configuring root project 'cas'.
> > java.util.concurrent.ExecutionException: org.gradle.api.GradleException: 
> Failed to create Jar file 
> C:\Users\f\.gradle\caches\jars-9\e68c7e667170499f021871f6fff47fa2\spring-core-6.1.0-M1.jar.
>
> * Try:
> > Run with --info or --debug option to get more log output.
> > Run with --scan to get full insights.
> > Get more help at https://help.gradle.org.
>
> * Exception is:
> org.gradle.api.ProjectConfigurationException: A problem occurred 
> configuring root project 'cas'.

Re: [EXT] Re: [cas-user] CAS 6.6.8 - Authenticate using AD

2023-06-22 Thread Pablo Vidaurri
Both formats are fine for Spring... 

cas.authn.ldap[0].base-dn
cas.authn.ldap[0].baseDn

On Thursday, June 22, 2023 at 9:30:27 AM UTC-5 oneill wrote:

> It looks like you have a mix of different formats for property names.
>
> Can you share your current properties?
>
>  
>
> You have some older names mixed with some current names.
>
>  
>
> For example, after reviewing your original message, the ‘base DN’ property 
> should be ‘cas.authn.ldap[0].base-dn’ and not ‘cas.authn.ldap[0].baseDn’.
>
> Also, the ‘sub-tree search’ should be ‘cas.authn.ldap[0].subtree-search’ 
> and not ‘cas.authn.ldap[0].subtreeSearch’.
>
>  
>
> # Active Directory
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=ldap://localhost:389
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].baseDn=DC=AAA,DC=BBB
> cas.authn.ldap[0].search-filter=(sAMAccountName={user})
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].dn-format=cn=%s,DC=AAA,DC=BBB
>
>  
>
> For reference:
>
> https://apereo.github.io/cas/6.6.x/authentication/LDAP-Authentication.html
>
>  
>
> Thanks,
>
> Tom
>
>  
>
> *From:* cas-...@apereo.org  *On Behalf Of *Jason 
> Everling
> *Sent:* Wednesday, June 21, 2023 10:59 AM
> *To:* CAS Community 
> *Cc:* Ray Bon ; dfisher 
> *Subject:* [EXT] Re: [cas-user] CAS 6.6.8 - Authenticate using AD
>
>  
>
>
> Try authenticated type instead, 
>
>  
>
> cas.authn.ldap[0].type=AUTHENTICATED
>
> cas.authn.ldap[0].bindDn=YOUR_BIND_DN, Can be upn format as well instead 
> of full dn
> cas.authn.ldap[0].bindCredential=YOUR_BIND_PASSWORD
>
>  
>
> On Wednesday, June 21, 2023 at 9:42:15 AM UTC-5 Ray Bon wrote:
>
> Jérémie,
>
>  
>
> 'Unknown user name or bad password.'
>
>  
>
> Suggests that this is an issue on AD side.
>
> See https://fawnoos.com/2022/11/24/cas70x-azure-active-directory/ or this 
> older one https://fawnoos.com/2017/11/22/cas-saml-integration-adfs/
>
>  
>
> Ray
>
>  
>
> On Mon, 2023-06-19 at 00:41 -0700, Jérémie wrote:
>
>
>  
>
> All logs were already set to DEBUG.  
>
>  
>
> I don't think firewall rules are causing the issue here as I'm reaching 
> the AD.
>
>  
>
> Tomcat stdout logs : 
>
> *2023-06-19 07:32:52,281 INFO 
> [org.apereo.cas.authentication.DefaultAuthenticationManager] - 
> <[LdapAuthenticationHandler] exception details: [].> 2023-06-19 
> 07:32:52,281 INFO 
> [org.apereo.cas.authentication.DefaultAuthenticationManager] - <[Static 
> Credentials] exception details: [cas not found in backing map.].> 
> 2023-06-19 07:32:52,281 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN 
> = WHO: cas 
> WHAT: [UsernamePasswordCredential(username=cas, source=null, 
> customFields={})] ACTION: AUTHENTICATION_FAILED APPLICATION: CAS WHEN: Mon 
> Jun 19 07:32:52 UTC 2023*
>
>  
>
> *cas* is my user to recall. 
>
>  
>
> AD Logs (not sure if I can get more detailed, not an AD expert) : 
>
>
> Account For Which Logon Failed:
> Security ID:  NULL SID
> Account Name:  cas
> Account Domain:
>
> AAA
>
> Failure Information:
> Failure Reason:
>
> Unknown user name or bad password.
> Status:  0xC06D
> Sub Status:  0xC06A
>
> Process Information:
> Caller Process ID:
>
> 0x34c
> Caller Process Name:
>
> C:\Windows\System32\lsass.exe
>
> Network Information:
> Workstation Name:
>
> XXX
> Source Network Address:
>
> 127.0.0.1
> Source Port:  51309
>
> Detailed Authentication Information:
> Logon Process:
>
> Advapi  
> Authentication Package:
>
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Transited Services:
>
> -
> Package Name (NTLM only):
>
> -
> Key Length:  0
>
> Le samedi 17 juin 2023 à 06:38:24 UTC+2, dfisher a écrit :
>
> On Fri, Jun 16, 2023 at 5:56 AM Jérémie  wrote:
>
> Thank for the logger, I've added it at the end of log4j2 file and set 
> level to*debug*
>
>  
>
>  
>
> You'll probably get a more complete picture if you set all of 
> `org.ldaptive` to DEBUG.
>
>  
>
>  
>
> Here is my error log now (debug logs doesn't seem to give much more 
> information) : 
>
>  
>
>
> *2023-06-16 09:12:06,090 INFO 
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] 
> expired tickets removed.> 2023-06-16 09:12:22,891 WARN 
> [org.ldaptive.transport.netty.NettyConnection] -  exception for 
> org.ldaptive.transport.netty.NettyConnection@472298790::ldapUrl=[org.ldaptive.LdapURL@1454060764::scheme=ldap,
>  
> hostname=localhost, port=389, baseDn=null, attributes=null, scope=null, 
> filter=null, inetAddress=null], isOpen=true, 
> connectTime=2023-06-16T09:09:32.569972500Z, 
> connectionConfig=[org.ldaptive.ConnectionConfig@1751226570::ldapUrl=ldap://

[cas-user] chaining multiple authentication methods

2023-06-14 Thread Pablo Vidaurri
We are currently using LDAP but also want to integrate with Azure AD.

I was looking at chaining these so that Azure AD is check first, then falls 
back to LDAP if user not found in AD. I see these two properties for both 
methods:

cas.authn.azure-active-directory.order=0
cas.authn.attributeRepository.ldap[0].order=1

I do not have access yet to Azure AD but would this setting work to look in 
AD first then in LDAP? For some reason this does not look like ordering 
would be honored unless the same method is in an array like 
ldap[0].order=1, ldap[1].order=0

-psv


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9c3b169e-5dd2-4e73-8e1f-9659f332d707n%40apereo.org.


[cas-user] Displaying random views

2023-05-08 Thread Pablo Vidaurri
When I do gradlew listTemplateViews, I see one of the templates such as:
templates\casBadHoursView.html

How can I view this page to see what it looks like out of the box? I've 
tried myserver/cas/badHours, myserver/cas/BadHours, myserver/cas/badhours, 
etc and cannot find the page. Only thing I can view is cas/login and 
cas/logout.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d38451b3-95f6-49fe-b769-64203a04bc7cn%40apereo.org.


[cas-user] CAS working with multidomain

2023-04-19 Thread Pablo Vidaurri
I'm planning to have a dedicated login domain such as 
https://login-newco.com/cas/login

I also plan on having multiple regional domains such as 

   - https://www.newco.com
   - https://www.newco.cn
   - https://www.newco.eu


I also have multiple web contexts including APIs behind a cas client 
endpoint for each regional domain such as:

   - https://www.newco.com/users/v1
   - https://www.newco.eu/users/v1
   - https://www.newco.eu/products/v1

They are all configured to use Saml11AuthenticationFilter 
and Saml11TicketValidationFilter.

When I have everything under one domain, including login (no 
https://login-newco.com/cas/login, just https://newco.com/cas/login), 
all works fine. But I get a CORS issue on the client side when trying to 
use a separate login domain with regional application domains:

Reason: CORS header ‘Access-Control-Allow-Origin’ missing

Not sure how to proceed. Hopefully I'm not hitting a limitation on CAS. 



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a639d265-6eca-46bc-b35a-c11e06e6cc3an%40apereo.org.


[cas-user] Re: Two instances of CAS

2023-04-19 Thread Pablo Vidaurri
Are you running two instances of CAS under the same JVM (same Tomcat)?

On Monday, March 27, 2023 at 12:39:54 AM UTC-5 wilc...@gmail.com wrote:

> Hi,
>
> We have picked up a weird issue during the development of our CAS 
> upgrade. We are running two instances of CAS: one instance handles only the 
> delegation authentication for employee/students to Azure AD, and applicants 
> go to the second instance of CAS for on-premise AD.
>
> This issue occurs when you try to run the CAS configuration from another 
> directory, e.g. "/etc/applicantCas/config", and the main directory 
> "/etc/cas/config" is not accessible (not writable).
>
> It looks like either the configuration is not being read or something, as 
> I am getting the following error
>
> Caused by: java.io.FileNotFoundException: /etc/cas/config/keystore.jwks 
> (Permission denied)
>
> Even though I have the following set
>
>
> cas.authn.oidc.jwks.fileSystem.jwks-file=file:/etc/applicantCas/config/defaultKeystore.jwks
>
> I have overlay configured with
> implementation "org.apereo.cas:cas-server-core-api-configuration-model"
> implementation "org.apereo.cas:cas-server-webapp-init"
> implementation 
> "org.apereo.cas:cas-server-support-json-service-registry"
> implementation "org.apereo.cas:cas-server-support-oauth-webflow"
> implementation "org.apereo.cas:cas-server-support-oidc"
> implementation "org.apereo.cas:cas-server-support-ldap"
>
> Tomcat is set to 
> with -Dcas.standalone.configuration-directory=/etc/applicantCas/config
> Tomcat is set to run from user/group tomcat1012 (tomcat 10 instance 2)
>
> The main CAS configuration "/etc/cas/config/" is set to user/group 
> tomcat101 (tomcat 10 instance 1) and hence the main configuration is 
> writable from tomcat1012.
>
> I think part of the issue that 
> in FileSystemOidcJsonWebKeystoreProperties.java the variable  jwksFile is 
> hardcoded to  "file:/etc/cas/config/keystore.jwks"
>
> Should not the above variable honor the 
> cas.standalone.configuration-directory setting?
>
> I apologize if this is not clear.
>
> Regards,
> Colin
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6844a29d-ed4d-449b-90d3-4a58d9be8277n%40apereo.org.


Re: [cas-user] Re: JWT as Service Ticket, not found in JPA DB

2023-04-07 Thread Pablo Vidaurri
Hi Ray, I was referring to the client receiving the JWT, verifying the 
signature, and extracting the JWT contents for further validation. It looks 
like this requires a custom filter and I am surprised the cas client does not 
already support this.

Btw, when I get the JWT as the ticket, it comes in as a query parameter. Is 
there a way to get this via header? What is the redirect query parameter 
for?

myapp/cas/login?redirect=true&ticket=abc.123.xyz

-psv

On Monday, April 3, 2023 at 11:19:03 AM UTC-5 Ray Bon wrote:

> Pablo,
>
> Are you looking for this flow diagram, 
> https://apereo.github.io/cas/6.6.x/installation/Configure-ServiceTicket-JWT.html#flow-diagram
>  ?
>
> JWTs are validated on the service side, not in CAS.
>
> Ray
>
> On Fri, 2023-03-31 at 19:07 -0700, Pablo Vidaurri wrote:
>
>
> For JWT as a service, what is the appropriate CAS Validation Filter to use 
> on the client side? Or does this have to be a custom Filter where I need to 
> verify the signature, decode, and create the Assertion with principal?
>
> On Thursday, March 30, 2023 at 11:05:28 AM UTC-5 Pablo Vidaurri wrote:
>
> I'm following this to setup JWT as a service ticket: 
> https://apereo.github.io/cas/6.5.x/installation/Configure-ServiceTicket-JWT.html
>
> I am using global keys and not defining them in service json file.
>
> I am able to login but get a failure when validating the ST. Looks like 
> the ST being check is the encrypted/signed JWT:
>
> ERROR [org.apereo.cas.ticket.DefaultTicketCatalog] -  for [eyJhbGciOiJu...qOWxGRS1sb2NhbGhvc3QifQ.] cannot be found in the ticket 
> catalog which only contains the following ticket types: [[TGT, ST, RT, AT, 
> PT, TST, OC, SART, ODUC, PGT, SATQ, ODT]]>
> WARN [org.apereo.cas.DefaultCentralAuthenticationService] -  ticket [eyJhbGciOiJu...qOWxGRS1sb2NhbGhvc3QifQ.] does not exist.>
> 2023-03-30 10:15:43,875 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: eyJhbGciOiJu...qOWxGRS1sb2NhbGhvc3QifQ. for 
> http://localhost:9003/login/cas
> ACTION: SERVICE_TICKET_VALIDATE_FAILED
> APPLICATION: CAS
> WHEN: Thu Mar 30 10:15:43 CDT 2023
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =
>
> Is there a config missing that is not in the document?
>
> -psv
>
>



[cas-user] Re: JWT as Service Ticket, not found in JPA DB

2023-03-31 Thread Pablo Vidaurri
For JWT as a service, what is the appropriate CAS Validation Filter to use 
on the client side? Or does this have to be a custom Filter where I need to 
verify the signature, decode, and create the Assertion with principal?

On Thursday, March 30, 2023 at 11:05:28 AM UTC-5 Pablo Vidaurri wrote:

> I'm following this to setup JWT as a service ticket: 
> https://apereo.github.io/cas/6.5.x/installation/Configure-ServiceTicket-JWT.html
>
> I am using global keys and not defining them in service json file.
>
> I am able to login but get a failure when validating the ST. Looks like 
> the ST being check is the encrypted/signed JWT:
>
> ERROR [org.apereo.cas.ticket.DefaultTicketCatalog] -  for [eyJhbGciOiJu...qOWxGRS1sb2NhbGhvc3QifQ.] cannot be found in the ticket 
> catalog which only contains the following ticket types: [[TGT, ST, RT, AT, 
> PT, TST, OC, SART, ODUC, PGT, SATQ, ODT]]>
> WARN [org.apereo.cas.DefaultCentralAuthenticationService] -  ticket [eyJhbGciOiJu...qOWxGRS1sb2NhbGhvc3QifQ.] does not exist.>
> 2023-03-30 10:15:43,875 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: eyJhbGciOiJu...qOWxGRS1sb2NhbGhvc3QifQ. for 
> http://localhost:9003/login/cas
> ACTION: SERVICE_TICKET_VALIDATE_FAILED
> APPLICATION: CAS
> WHEN: Thu Mar 30 10:15:43 CDT 2023
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =
>
> Is there a config missing that is not in the document?
>
> -psv
>



[cas-user] JWT as Service Ticket, not found in JPA DB

2023-03-30 Thread Pablo Vidaurri
I'm following this to setup JWT as a service ticket: 
https://apereo.github.io/cas/6.5.x/installation/Configure-ServiceTicket-JWT.html

I am using global keys and not defining them in service json file.

I am able to login but get a failure when validating the ST. Looks like the 
ST being check is the encrypted/signed JWT:

ERROR [org.apereo.cas.ticket.DefaultTicketCatalog] - 
WARN [org.apereo.cas.DefaultCentralAuthenticationService] - 
2023-03-30 10:15:43,875 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://localhost:9003/login/cas
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Thu Mar 30 10:15:43 CDT 2023
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=

Is there a config missing that is not in the document?

-psv



[cas-user] Re: CAS Client help

2023-03-24 Thread Pablo Vidaurri
So how did you handle this? I too have APIs behind CAS ... which is 
causing problems of its own.

On Tuesday, November 22, 2022 at 10:56:47 PM UTC-6 Michael Remijan wrote:

> Hello user community,
>
>  
>
> I am looking for some information on a CAS client and I haven’t been able 
> to find it anywhere online.
>
>  
>
> All CAS Client references I've found have been for configuring a Web App so 
> that user login integrates with CAS for authentication. Unfortunately, this 
> is not what I need.
>
>  
>
> I have a REST API endpoint I need to integrate with in a 
> headless/background process kind of way.  Basic data integration 
> stuff…periodically call the API throughout the day, get the data, process 
> data.  So I need an example of this kind of integration…having a background 
> process pass the CAS authentication server what it needs to authenticate 
> the request in a non-interactive, headless manner so my process can 
> integrate with a REST API.
>
>  
>
> Any examples like this exist?  Any help would be appreciated.
>
>  
>
> Mike
>



[cas-user] Re: Fail to config JPA service registry

2023-03-15 Thread Pablo Vidaurri
How about letting us know the mistake you made in case we (like @Gregory C) 
also make the same mistake? :)

On Wednesday, March 15, 2023 at 11:13:08 PM UTC-5 Ps Chu wrote:

> Finally I figured out it is my configuration mistake. It is working after 
> upgrading to cas version 6.6.6 with a correct configuration.
> Thanks all.
>
> On Thursday, 16 March 2023 at 10:17:17 UTC+8 Ps Chu wrote:
>
>> Hi Gregory,
>>
>> Would you be able to solve this issue? I have tried to upgrade to cas 
>> version 6.6.6 but still no luck.
>>
>> On Friday, 16 December 2022 at 04:24:10 UTC+8 Gregory G wrote:
>>
>>> I have the same error since CAS 6.6 with JPA, is something broken?
>>>
>>> Le mardi 22 novembre 2022 à 09:44:09 UTC+1, Ps Chu a écrit :
>>>
 Hi all,

 I have successfully configured the service registry using JSON. However, I 
 failed to configure the JPA service registry when connecting to MSSQL. As I 
 am 
 new to CAS as well as Spring, any advice anyone could give is much 
 appreciated. 

 *Background:*
 CAS version: 6.6.2
 OS: Windows 10
 JDK: 11
 Executed with embedded Tomcat by [gradle run]

 *Configuration *[cas.properties]
 cas.service-registry.jpa.user=XXX
 cas.service-registry.jpa.password=

 cas.service-registry.jpa.driver-class=com.microsoft.sqlserver.jdbc.SQLServerDriver

 cas.service-registry.jpa.url=jdbc:sqlserver://XXX.XXX.XXX.XXX:;encrypt=false;databaseName=xxx_db;

 cas.service-registry.jpa.dialect=org.hibernate.dialect.SQLServer2016Dialect
 cas.service-registry.jpa.ddlAuto=create-drop
 cas.service-registry.jpa.autocommit=true
 cas.service-registry.jpa.idle-timeout=5000

 *Dependencies*
 implementation 
 "org.apereo.cas:cas-server-support-jpa-service-registry:${project.'cas.version'}"

 *Below is the error I got when [gradle run] the project.*
 2022-11-22 16:35:43,579 ERROR 
 [org.springframework.boot.web.embedded.tomcat.TomcatStarter] - >>> starting Tomcat context. Exception: 
 org.springframework.beans.factory.UnsatisfiedDependencyException. Message: 
 Error
 creating bean with name 'casCorsFilter' defined in class path resource 
 [org/apereo/cas/config/CasFiltersConfiguration$CasFiltersCorsConfiguration.class]:
  
 Unsatisfied dependency expressed through method 'casCorsFilter'
  parameter 1; nested exception is 
 org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
 creating bean with name 'corsHttpWebRequestConfigurationSource' defined in 
 class path resource [org/apereo/cas/
 config/CasFiltersConfiguration$CasFiltersCorsConfiguration.class]: 
 Unsatisfied dependency expressed through method 
 'corsHttpWebRequestConfigurationSource' parameter 3; nested exception is 
 org.springframework.beans.fac
 tory.UnsatisfiedDependencyException: Error creating bean with name 
 'servicesManager' defined in class path resource 
 [org/apereo/cas/config/CasCoreServicesConfiguration$CasCoreServicesManagerConfiguration.class]:
  
 Unsat
 isfied dependency expressed through method 'servicesManager' parameter 
 0; nested exception is 
 org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
 creating bean with name 'defaultServicesManagerExec
 utionPlanConfigurer' defined in class path resource 
 [org/apereo/cas/config/CasCoreServicesConfiguration$CasCoreServicesManagerExecutionPlanConfiguration.class]:
  
 Unsatisfied dependency expressed through method 'default
 ServicesManagerExecutionPlanConfigurer' parameter 1; nested exception 
 is org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
 creating bean with name 'servicesManagerConfigurationContext' defined in
  class path resource 
 [org/apereo/cas/config/CasCoreServicesConfiguration$CasCoreServicesManagerExecutionPlanConfiguration.class]:
  
 Unsatisfied dependency expressed through method 
 'servicesManagerConfigurationContext' p
 arameter 0; nested exception is 
 org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
 creating bean with name 'serviceRegistry' defined in class path resource 
 [org/apereo/cas/config/CasCoreServicesCo
 nfiguration$CasCoreServiceRegistryConfiguration.class]: Unsatisfied 
 dependency expressed through method 'serviceRegistry' parameter 2; nested 
 exception is org.springframework.beans.factory.BeanCreationException: Error
  creating bean with name 'serviceRegistryExecutionPlan' defined in 
 class path resource 
 [org/apereo/cas/config/CasCoreServicesConfiguration$CasCoreServiceRegistryPlanConfiguration.class]:
  
 Bean instantiation via factory
  method failed; nested exception is 
 org.springframework.beans.BeanInstantiationException: Failed to 
 instantiate 
 [org.apereo.cas.services.ServiceRegistryExecutionPlan]: Fac

[cas-user] Re: principle conversion

2023-03-15 Thread Pablo Vidaurri
Not sure where I got 
cas.authn.ldap[0].principalAttribute*Id*

but I've updated to 
cas.authn.ldap[0].principalAttribute

and transformation is working.
On Wednesday, March 15, 2023 at 10:25:47 PM UTC-5 Pablo Vidaurri wrote:

> Running CAS 6.3.4 and LDAP for authentication.
>
> I see some users have a mix of upper/lower case chars for the uid in LDAP.
>
> I have the following cas props:
> cas.authn.ldap[0].principalAttributeId=uid
> cas.authn.ldap[0].principalTransformation.caseConversion=LOWERCASE
>
> But the principal on my cas login webflow is still showing mixed case: 
> principle = authentication.getPrincipal()  //jane@purplepaint.com
>
> I do have correct JAR:
> org.apereo.cas:cas-server-core-api-configuration-model:6.3.7.4
>
> What am I missing?
> -psv
>



[cas-user] principle conversion

2023-03-15 Thread Pablo Vidaurri
Running CAS 6.3.4 and LDAP for authentication.

I see some users have a mix of upper/lower case chars for the uid in LDAP.

I have the following cas props:
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalTransformation.caseConversion=LOWERCASE

But the principal on my cas login webflow is still showing mixed case: 
principle = authentication.getPrincipal()  //jane.fo...@purplepaint.com

I do have correct JAR:
org.apereo.cas:cas-server-core-api-configuration-model:6.3.7.4

What am I missing?
-psv



[cas-user] Re: Testing with a CAS server locally

2023-02-27 Thread Pablo Vidaurri
I test the same way. I have a simple CAS client using Spring Security 
running on localhost but on a different port than CAS. When logging in to 
this simple client, I get redirected to the CAS login page, then after 
successful login I get redirected back to my app.

Make sure your cas client is configured appropriately; in my simple app I 
have:
server.port=9000
app.service.home=http://localhost:9000/
cas.server.root=https://localhost:8443
cas.url.prefix=${cas.server.root}/cas/
cas.service.login=${cas.server.root}/cas/login
cas.service.logout=${cas.server.root}/cas/logout


-psv

On Sunday, February 19, 2023 at 4:07:07 AM UTC-6 same...@gmail.com wrote:

> I set up a CAS server locally so that I can test an application. Both the 
> client application and CAS server run on the same machine. 
>
> The application redirects to the CAS server but the CAS server sees that 
> the client IP address and the CAS server IP address are the same as shown 
> below:
>
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
>
> I believe this is the reason why when the CAS server redirects back after 
> authentication, the base URL of the redirect URL is the URL of the CAS 
> server(localhost and CAS server port).
>
> As both the client application and CAS server run on the same machine on 
> different ports, how can I ensure that the CAS server after authentication 
> redirects to the client app url (localhost and client application port) 
> rather than the CAS server?
>
> Thank you
>
>
>
>
>
>



[cas-user] locale per service

2023-01-26 Thread Pablo Vidaurri
I see this in docs for CAS 6.5.x and newer but not in 6.3 or 6.4. I assume 
since it does not work in 6.3 it was introduced in 6.5. I know not 
everything is documented so not sure if this was available before 6.5.

locale definition per service
{ 
  "@class" : "org.apereo.cas.services.RegexRegisteredService", 
  "serviceId" : "^https://www.example.org";,
"name" : "MyTheme", 
  "locale" : "de", 
  "id" : 1 
}



[cas-user] AWS Cognito to authenticate users

2023-01-03 Thread Pablo Vidaurri
Currently using Oracle LDAP with CAS to authenticate users. We only store 
email address and hashed password. Looking at replacing with AWS Cognito.

Has anyone been able to get authentication working with Cognito? For now, I 
only need to validate credentials without redirecting the user to AWS ... 
just like today it's a backend call to LDAP, I would like for it to still 
be using backend calls.

I'm looking at the config ... looks simple enough ...
https://apereo.github.io/cas/6.6.x/authentication/AWS-Cognito-Authentication.html

Stepping thru what I need to setup for AWS from scratch.



[cas-user] Re: Support for renew=1 when using delegated auth to Azure AD?

2022-10-25 Thread Pablo Vidaurri
try renew=true

It should work as cas will force reauthentication again.

On Tuesday, October 25, 2022 at 9:14:55 AM UTC-5 Dennis Sjögren wrote:

> Hi,
>
> I've been experimenting with Delegated Authentication to Azure AD (via 
> pac4j) and it works like a charm. The last day or so I've been searching 
> for an answer to whether renew=1 can be propagated to the authorize call to 
> Azure AD somehow. If I'm not mistaken, a parameter of prompt=login could be 
> the way to go.
>
> When I test from a CAS enabled app, renew=1 seems to be forcing a new 
> request to Microsofts authorize endpoint, but since I already have an 
> active session in Azure, I'm not prompted for my credentials again.
>
> I've been looking into the CAS codebase for a configuration hint or 
> something. I've been a full time developer for 25+ years, unfortunately not 
> in Java - so needless to say, I'm not being particularly successful. :)
>
> So my question is: Is it possible to force re-validation of credentials 
> using renew=1 when delegating to Azure AD?
>
> Regards,
> Dennis
>



[cas-user] debug cas wildfly deployment

2022-10-24 Thread Pablo Vidaurri
I know I can debug CAS in my local development environment by passing the debug 
flag into gradle then use Eclipse/IntelliJ to connect a "remote java 
application" on localhost port 5005. I can then proceed to step thru line 
breaks, etc.

But how can I debug this CAS war file deployment on wildfly? I have other 
apps running on the same wildfly instance that I can connect to and debug 
those, but CAS breakpoints are just ignored.

-psv



[cas-user] Re: Usage/Configuration of Infinispan

2022-10-14 Thread Pablo Vidaurri
So I see in cas v6.6 
<https://apereo.github.io/cas/6.6.x/ticketing/Infinispan-Ticket-Registry.html> 
Infinispan is being deprecated.

What have others used for a distributed memory data store with success? JPA 
does seem fast enough in our environment.

On Friday, September 23, 2022 at 9:30:59 AM UTC-5 Pablo Vidaurri wrote:

> Also, how would CAS know which infinispan instance to connect to? Nowhere 
> in the properties or xml file is there a definition for host or port.
>
> On Friday, September 23, 2022 at 12:57:48 AM UTC-5 Pablo Vidaurri wrote:
>
>> Following CAS Infinispan doc 
>> <https://apereo.github.io/cas/6.5.x/ticketing/Infinispan-Ticket-Registry.html>
>>
>> Have dependency and config in place ... included infinispan.xml too.
>>
>> Maybe a conflict in library or has not been tested/supported any longer?
>>
>> Generating the following error on startup:
>>
>> 2022-09-23 00:28:55,277 WARN 
>> [org.apereo.cas.web.CasWebApplicationContext] - > during context initialization - cancelling refresh attempt: 
>> org.springframework.beans.factory.BeanCreationException: Error creating 
>> bean with name 'scopedTarget.ticketRegistry' defined in class path resource 
>> [org/apereo/cas/ticket/registry/config/InfinispanTicketRegistryConfiguration.class]:
>>  
>> Bean instantiation via factory method failed; nested exception is 
>> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
>> [org.apereo.cas.ticket.registry.TicketRegistry]: Factory method 
>> 'ticketRegistry' threw exception; nested exception is 
>> java.lang.IllegalStateException: @Bean method 
>> InfinispanTicketRegistryConfiguration.cacheManager called as bean reference 
>> for type [org.infinispan.manager.EmbeddedCacheManager] but overridden by 
>> non-compatible bean instance of type 
>> [org.springframework.cache.caffeine.CaffeineCacheManager]. Overriding 
>> bean of same name declared in: class path resource 
>> [org/springframework/boot/autoconfigure/cache/CaffeineCacheConfiguration.class]>
>>
>> -psv
>>
>



[cas-user] Re: Usage/Configuration of Infinispan

2022-09-23 Thread Pablo Vidaurri
Also, how would CAS know which infinispan instance to connect to? Nowhere 
in the properties or xml file is there a definition for host or port.

On Friday, September 23, 2022 at 12:57:48 AM UTC-5 Pablo Vidaurri wrote:

> Following CAS Infinispan doc 
> <https://apereo.github.io/cas/6.5.x/ticketing/Infinispan-Ticket-Registry.html>
>
> Have dependency and config in place ... included infinispan.xml too.
>
> Maybe a conflict in library or has not been tested/supported any longer?
>
> Generating the following error on startup:
>
> 2022-09-23 00:28:55,277 WARN [org.apereo.cas.web.CasWebApplicationContext] 
> -  attempt: org.springframework.beans.factory.BeanCreationException: Error 
> creating bean with name 'scopedTarget.ticketRegistry' defined in class path 
> resource 
> [org/apereo/cas/ticket/registry/config/InfinispanTicketRegistryConfiguration.class]:
>  
> Bean instantiation via factory method failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [org.apereo.cas.ticket.registry.TicketRegistry]: Factory method 
> 'ticketRegistry' threw exception; nested exception is 
> java.lang.IllegalStateException: @Bean method 
> InfinispanTicketRegistryConfiguration.cacheManager called as bean reference 
> for type [org.infinispan.manager.EmbeddedCacheManager] but overridden by 
> non-compatible bean instance of type 
> [org.springframework.cache.caffeine.CaffeineCacheManager]. Overriding 
> bean of same name declared in: class path resource 
> [org/springframework/boot/autoconfigure/cache/CaffeineCacheConfiguration.class]>
>
> -psv
>



[cas-user] Usage/Configuration of Infinispan

2022-09-22 Thread Pablo Vidaurri
Following CAS Infinispan doc 


Have dependency and config in place ... included infinispan.xml too.

Maybe a conflict in library or has not been tested/supported any longer?

Generating the following error on startup:

2022-09-23 00:28:55,277 WARN [org.apereo.cas.web.CasWebApplicationContext] 
- 

-psv



Re: [cas-user] Confirmation of issue with invalid TGT

2022-09-14 Thread Pablo Vidaurri
I enabled JPA logging.

I do see a message that it is creating the ticket.
   [org.apereo.cas.ticket.registry.JpaTicketRegistry] Added ticket [xxx] to 
registry.

30ms later I see a message that the ticket is being destroyed:
   [org.apereo.cas.web.flow.login.SendTicketGrantingTicketAction] (default 
task-6) Setting ticket-granting cookie for current session linked to [xxx].
   [org.apereo.cas.web.flow.GenerateServiceTicketAction] (default task-6) 
Ticket-granting ticket found in the context is [xxx]
   [org.apereo.cas.ticket.registry.JpaTicketRegistry] (default task-6) No 
record could be found for ticket
   [org.apereo.cas.web.flow.GenerateServiceTicketAction] (default task-6) 
CAS has determined ticket-granting ticket [xxx] is invalid and must be 
destroyed
   [org.apereo.cas.ticket.registry.JpaTicketRegistry] (default task-6) No 
record could be found for ticket [xxx]
   [org.apereo.cas.ticket.registry.AbstractTicketRegistry] (default task-6) 
Ticket [xxx] could not be fetched from the registry; it may have been 
expired and deleted.

Even though it logs "must be destroyed", it does not appear that this is 
actually removing from db because I still see the TGT in the table.

Looks like 30ms is too fast to query for a ticket after it has been added. 
Is there a retry or delay config that can be added? Doesn't happen often 
but often enough to cause a bad user experience.

-psv

On Wednesday, September 14, 2022 at 11:24:40 AM UTC-5 Ray Bon wrote:

> Pablo,
>
> If it works with the default in memory store, try turning up the logging 
> for JPA/hibernate related classes.
> Can you view the ticket in postgres or see postgres logs?
>
> Ray
>
> On Wed, 2022-09-14 at 08:29 -0700, Pablo Vidaurri wrote:
>
>
> We are running into a strange issue where login sometimes does not work. 
> The TGT is created, and 40ms later the ticket is determined to be invalid 
> so the TGT gets destroyed.  
>
> We are using JPA against a postgres db. Is this just not fast enough to 
> persist the ticket?
>
> Bumping up log level for org.apereo.cas.web.flow package reveals the 
> following: 
>
> 08:13:25,645 INFO  [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (default task-3363) Audit trail record BEGIN
> =
> WHO: xx...@x.com
> WHAT: TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Sep 14 08:13:25 MST 2022
> CLIENT IP ADDRESS: xx.xx.xx.xx
> SERVER IP ADDRESS: www.xx.com
> =
>
>
> 08:13:25,683 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] (default task-3363) Ticket-granting ticket found in the context is [TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck]
> 08:13:25,685 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] (default task-3363) CAS has determined ticket-granting ticket [TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck] is invalid and must be destroyed
> 08:13:25,686 INFO  [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (default task-3363) Audit trail record BEGIN
> =
> WHO: xx...@x.com
> WHAT: TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck
> ACTION: TICKET_DESTROYED
> APPLICATION: CAS
> WHEN: Wed Sep 14 08:13:25 MST 2022
> CLIENT IP ADDRESS: xx.xx.xx.xx
> SERVER IP ADDRESS: www.xx.com
> =
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7d68b079-f336-4b6a-9e77-405194850fafn%40apereo.org.


[cas-user] Confirmation of issue with invalid TGT

2022-09-14 Thread Pablo Vidaurri
We are running into a strange issue where login sometimes does not work. 
The TGT is created, and 40ms later the ticket is determined to be invalid 
so the TGT gets destroyed. 

We are using JPA against a postgres db. Is this just not fast enough to 
persist the ticket?

Bumping up log level for org.apereo.cas.web.flow package reveals the 
following:

08:13:25,645 INFO  [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (default task-3363) Audit trail record BEGIN
=
WHO: x...@x.com
WHAT: TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Sep 14 08:13:25 MST 2022
CLIENT IP ADDRESS: xx.xx.xx.xx
SERVER IP ADDRESS: www.xx.com
=


08:13:25,683 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] (default task-3363) Ticket-granting ticket found in the context is [TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck]
08:13:25,685 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] (default task-3363) CAS has determined ticket-granting ticket [TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck] is invalid and must be destroyed
08:13:25,686 INFO  [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (default task-3363) Audit trail record BEGIN
=
WHO: x...@x.com
WHAT: TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck
ACTION: TICKET_DESTROYED
APPLICATION: CAS
WHEN: Wed Sep 14 08:13:25 MST 2022
CLIENT IP ADDRESS: xx.xx.xx.xx
SERVER IP ADDRESS: www.xx.com
=

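As an added example (not from the thread and not CAS code), a small detector for the symptom described above, run over the quoted inspektr audit records: it pairs TICKET_GRANTING_TICKET_CREATED with TICKET_DESTROYED for the same TGT id and flags lifetimes at or under a threshold, so an operator can count how often the "created, then destroyed 40ms later" pattern hits and whom it affects. The sample log is constructed from the two records quoted here (unwrapped) plus one placeholder healthy ticket; the parser assumes unwrapped lines from a single day.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two inspektr audit records quoted in the thread
# (unwrapped onto single lines, APPLICATION/IP fields left out) plus a
# healthy TGT with a placeholder id that lives for an hour.
SAMPLE_LOG = """\
08:13:25,645 INFO  [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (default task-3363) Audit trail record BEGIN
=
WHO: x...@x.com
WHAT: TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck
ACTION: TICKET_GRANTING_TICKET_CREATED
WHEN: Wed Sep 14 08:13:25 MST 2022
=
08:13:25,686 INFO  [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (default task-3363) Audit trail record BEGIN
=
WHO: x...@x.com
WHAT: TGT-8132-5BH4unLipbzoIApkH8R27D6atlA6-6uoT-TKG3wFbuvXrx9Poc6jyh5RkxKBqt2lHck
ACTION: TICKET_DESTROYED
WHEN: Wed Sep 14 08:13:25 MST 2022
=
08:20:00,010 INFO  [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (default task-3364) Audit trail record BEGIN
=
WHO: other...@x.com
WHAT: TGT-1-PLACEHOLDER
ACTION: TICKET_GRANTING_TICKET_CREATED
=
09:20:00,010 INFO  [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] (default task-3370) Audit trail record BEGIN
=
WHO: other...@x.com
WHAT: TGT-1-PLACEHOLDER
ACTION: TICKET_DESTROYED
=
"""

BEGIN = re.compile(r"^(\d\d:\d\d:\d\d),(\d{3}) .*Audit trail record BEGIN")

def parse_audit_records(text):
    """One dict per audit record: its KEY: VALUE fields plus 'ts' taken from the log
    line prefix (WHEN is only second-granular; the prefix has no date, so one day)."""
    records, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = BEGIN.match(lines[i])
        i += 1
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S") + timedelta(milliseconds=int(m.group(2)))
        rec = {"ts": ts}
        if i < len(lines) and lines[i].strip() == "=":          # opening delimiter
            i += 1
            while i < len(lines) and lines[i].strip() != "=":   # body until closing '='
                key, sep, val = lines[i].partition(":")
                if sep:
                    rec[key.strip()] = val.strip()
                i += 1
            i += 1                                               # skip closing delimiter
        records.append(rec)
    return records

def short_lived_tgts(records, max_age_ms=1000):
    """Pair each TICKET_DESTROYED with the creation of the same TGT id and return
    the pairs whose lifetime is at most max_age_ms (the 40 ms symptom)."""
    created, findings = {}, []
    for rec in records:
        tgt, action = rec.get("WHAT"), rec.get("ACTION")
        if action == "TICKET_GRANTING_TICKET_CREATED":
            created[tgt] = rec
        elif action == "TICKET_DESTROYED" and tgt in created:
            age_ms = (rec["ts"] - created.pop(tgt)["ts"]) / timedelta(milliseconds=1)
            if age_ms <= max_age_ms:
                findings.append({"who": rec.get("WHO"), "tgt": tgt, "age_ms": age_ms})
    return findings
```

Run it as `short_lived_tgts(parse_audit_records(SAMPLE_LOG))`; on the quoted records it reports the TGT-8132 ticket destroyed 41 ms after creation and nothing for the hour-long one.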


[cas-user] Re: Wants to know your location

2022-09-08 Thread Pablo Vidaurri
To follow up, adding cas.events.track-geolocation=false did not work. Even 
tried cas.events.*core*.track-geolocation=false. I'm still being prompted 
to allow access to my location.
On Wednesday, August 10, 2022 at 10:59:02 AM UTC-5 CAS Community wrote:

> You probably need: cas.events.track-geolocation=false
>
> On Thursday, June 30, 2022 at 11:35:15 PM UTC+4 Pablo Vidaurri wrote:
>
>> Since upgrading to CAS 6.3.x from 3.5.2 there is this pop up that prompts 
>> for allowing to know your location. Is this something coming from CAS? We 
>> have our custom JS/CSS running on other parts of our site and it never 
>> prompts for this info until we hit the login page. 
>>
>> Where is this coming from and can I turn it off? I don't need geolocation 
>> services for my site.
>>
>> -psv
>>
>>



[cas-user] Re: custom aws jar file, not finding credentials

2022-09-08 Thread Pablo Vidaurri
To follow up on this ... I was able to get this to work after adding the 
proper dependencies in the build.gradle file ... specifically, I was 
missing the "mavenBom 'software.amazon.awssdk:bom:2.17.xxx" in 
my dependencyManagement block.

On Wednesday, August 17, 2022 at 10:23:07 PM UTC-5 Pablo Vidaurri wrote:

> I have a custom jar file that makes use of awssdk jar and publishes to 
> SNS. This jar works fine with a demo gradle project but I cannot get it to 
> work with CAS 6.3.x.
>
> java.lang.NullPointerException: Credentials must not be null. at 
> software.amazon.awssdk.utils.Validate.paramNotNull(Validate.java:156) 
> ~[utils-2.17.216.jar!/:?]
>
> I have tried to include the credentials in the standard ~/aws/credentials 
> file (which the demo finds), tried setting ENV vars, tried passing into 
> gradlew command line with -Daws.accessKeyId=xxx -Daws.secretKey=yyy options 
> but I still get the credentials must not be null.
>
> Is CAS expecting credentials in a different location or is it doing 
> something to clobber the standard location?
>
> -psv
>
>



[cas-user] custom aws jar file, not finding credentials

2022-08-17 Thread Pablo Vidaurri
I have a custom jar file that makes use of awssdk jar and publishes to SNS. 
This jar works fine with a demo gradle project but I cannot get it to work 
with CAS 6.3.x.

java.lang.NullPointerException: Credentials must not be null. at 
software.amazon.awssdk.utils.Validate.paramNotNull(Validate.java:156) 
~[utils-2.17.216.jar!/:?]

I have tried to include the credentials in the standard ~/aws/credentials 
file (which the demo finds), tried setting ENV vars, tried passing into 
gradlew command line with -Daws.accessKeyId=xxx -Daws.secretKey=yyy options 
but I still get the credentials must not be null.

Is CAS expecting credentials in a different location or is it doing 
something to clobber the standard location?

-psv



[cas-user] Re: User management : ask user for missing email

2022-08-16 Thread Pablo Vidaurri
You can do this by injecting a step in the default CAS login webflow.

Change the webflow to do an emailCheck action before the generation of the 
TGT. This will simply check if the email exists. If it does then return 
success and proceed to the TGT step. Otherwise return some other string 
like "addEmailAction" which will prompt for the email and insert it into 
your target system. Then have that "addEmailAction" return success to 
continue to the TGT step.

-psv

On Friday, August 5, 2022 at 11:51:42 AM UTC-5 vjo...@gmail.com wrote:

> Hello,
>
> Context : I use CAS 6.5 with LDAP.
>
> I have a question for which I will need your advice on the best practice 
> to follow.
>
> When creating our users in LDAP, they don't have an email address.
> Their connection is made with an employee number and a password provided, 
> which they must change on the first connection.
> This all works, however we would like to require users to fill in their 
> email if it is not.
>
> Is it possible to do this natively with CAS, or should interrupts be used 
> to redirect to another application?
>
> Thank you in advance for your help !
>



Re: [cas-user] renew=true, risk of bypassing?

2022-08-16 Thread Pablo Vidaurri
Can't, as the same app requires a normal session and a renew session ... 
exploring Misagh's suggestion of renew on ticket validation.

On Tuesday, August 16, 2022 at 12:39:07 PM UTC-5 Ray Bon wrote:

> Pablo,
>
> You can turn off SSO for an application in the service definition, 
> https://apereo.github.io/cas/6.5.x/services/Configuring-Service-Access-Strategy.html
>
> Ray
>
> On Tue, 2022-08-16 at 10:13 -0700, Pablo Vidaurri wrote:
>
>
>
> So I have an application with certain parts allowing a long SSO session 
> and other areas that require login every time. 
>
> I know I can leverage the renew query parameter but how to avoid the user 
> from simply removing it and then access the secured part of the app without 
> logging in again?
>
> For example, I want the user to provide their credentials every time they 
> access their profile. So if there is already an active session for 
> https://www.myapp.com and they access their profile, I will redirect them 
> to 
> https://www.mycas.com/auth/login?renew=true&TARGET=https://www.myapp.com/myprofile
>
> This works, but I can also remove the renew query parameter and directly 
> hit myprofile page since I already have a session to the app.
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 250-721-8831 | CLE 019 | rb...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional 
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ 
> peoples whose historical relationships with the land continue to this day.
>



[cas-user] renew=true, risk of bypassing?

2022-08-16 Thread Pablo Vidaurri
So I have an application with certain parts allowing a long SSO session 
and other areas that require login every time.

I know I can leverage the renew query parameter but how to avoid the user 
from simply removing it and then access the secured part of the app without 
logging in again?

For example, I want the user to provide their credentials every time they 
access their profile. So if there is already an active session for 
https://www.myapp.com and they access their profile, I will redirect them 
to 
https://www.mycas.com/auth/login?renew=true&TARGET=https://www.myapp.com/myprofile

This works, but I can also remove the renew query parameter and directly 
hit myprofile page since I already have a session to the app.



Re: [cas-user] ideas for persistence login session

2022-08-16 Thread Pablo Vidaurri
How can I enforce the renew option? It looks like a query parameter which 
the user can remove and bypass forced authentication.

On Thursday, July 28, 2022 at 9:36:12 AM UTC-5 richard.frovarp wrote:

> Amazon stores a decent amount of info at the account layer. Different 
> application sessions across different devices share cart. But the solution 
> for this is to do it at the application layer. Extend the session out 
> there. Then at the security layer, it should have the functionality to know 
> when the last authentication was. If they are doing something that requires 
> higher security, that last login time is queried and a forced 
> authentication is done if it isn't high enough. You could do a normal SSO 
> auth if your IdP session is less than your critical time period. You can 
> force an auth through CAS, even with an active session, but using the renew 
> option.
>
> On 7/28/22 09:07, Pablo Vidaurri wrote:
>
> Sorry, waldbiec is correct ... ST is using the default value of 10 sec 
> ... I meant the application session is 2hrs.  
>
> Basically we are looking at how to mimic sites like amazon ... once you 
> login you can browse for days, add stuff to your cart, maybe even check 
> out. But once you go to modify your account details (shipping/billing, etc) 
> you get prompted to login again.
>
> -psv
>
> On Wednesday, July 27, 2022 at 6:34:15 PM UTC-5 richard.frovarp wrote:
>
>> I would change the application and not do it via CAS. Changing the 
>> application session timeout to what they want. Because otherwise it will do 
>> a SSO session again, which will interrupt anything the end user is trying 
>> to do with the browser open for the past two days. So anything done via CAS 
>> won't give a good user experience. 
>> --
>> *From:* cas-...@apereo.org  on behalf of Ray Bon <
>> rb...@uvic.ca>
>> *Sent:* Wednesday, July 27, 2022 4:34:56 PM
>> *To:* cas-...@apereo.org 
>> *Subject:* Re: [cas-user] ideas for persistence login session 
>>  
>> Pablo,
>>
>> The long running pages could be added as a service with longer TGT life, 
>> https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service
>>
>> Ray
>>
>> On Wed, 2022-07-27 at 12:16 -0700, Pablo Vidaurri wrote:
>>
>>
>> Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is 
>> requesting to enable certain parts of their site (protected) to include a 
>> longer ST (for weeks) while maintaining a 2hr session for other secured 
>> parts like "Account/Profile". 
>>
>> I understand the application needs to change, but is there anything on 
>> the CAS side that I can do to help in this effort?
>>
>> Would JWT help? When a user successfully logs in, issue a JWT good for 4 
>> weeks with user's credentials. Now let's assume the TGT/ST are no longer 
>> valid and the user is trying to access part of the site where logging in 
>> is not required for days (protected area). The JWT would then be used to 
>> auto login the user. Achievable or pure abuse?
>>
>> Also considered increasing the TGT TTL for weeks and creating separate 
>> services to define an 
>> AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 
>> 2hrs/8hrs, etc but this means certain parts of the site need to be 
>> under specific URL patterns.
>>
>> Any suggestions?
>>
>> -psv
>>
>> -- 
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 250-721-8831 | CLE 019 | rb...@uvic.ca
>>
>> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional 
>> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ 
>> peoples whose historical relationships with the land continue to this day.

Re: [cas-user] ideas for persistence login session

2022-07-28 Thread Pablo Vidaurri
Sorry, waldbiec is correct ... ST is using the default value of 10 sec ... 
I meant the application session is 2hrs. 

Basically we are looking at how to mimic sites like amazon ... once you 
login you can browse for days, add stuff to your cart, maybe even check 
out. But once you go to modify your account details (shipping/billing, etc) 
you get prompted to login again.

-psv

On Wednesday, July 27, 2022 at 6:34:15 PM UTC-5 richard.frovarp wrote:

> I would change the application and not do it via CAS. Changing the 
> application session timeout to what they want. Because otherwise it will do 
> a SSO session again, which will interrupt anything the end user is trying 
> to do with the browser open for the past two days. So anything done via CAS 
> won't give a good user experience. 
> --
> *From:* cas-...@apereo.org  on behalf of Ray Bon <
> rb...@uvic.ca>
> *Sent:* Wednesday, July 27, 2022 4:34:56 PM
> *To:* cas-...@apereo.org 
> *Subject:* Re: [cas-user] ideas for persistence login session 
>  
> Pablo,
>
> The long running pages could be added as a service with longer TGT life, 
> https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service
>
> Ray
>
> On Wed, 2022-07-27 at 12:16 -0700, Pablo Vidaurri wrote:
>
>
> Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is 
> requesting to enable certain parts of their site (protected) to include a 
> longer ST (for weeks) while maintaining a 2hr session for other secured 
> parts like "Account/Profile". 
>
> I understand the application needs to change, but is there anything on the 
> CAS side that I can do to help in this effort?
>
> Would JWT help? When a user successfully logs in, issue a JWT good for 4 
> weeks with user's credentials. Now let's assume the TGT/ST are no longer 
> valid and the user is trying to access part of the site where logging in 
> is not required for days (protected area). The JWT would then be used to 
> auto login the user. Achievable or pure abuse?
>
> Also considered increasing the TGT TTL for weeks and creating separate 
> services to define an 
> AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 
> 2hrs/8hrs, etc but this means certain parts of the site need to be 
> under specific URL patterns.
>
> Any suggestions?
>
> -psv
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 250-721-8831 | CLE 019 | rb...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional 
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ 
> peoples whose historical relationships with the land continue to this day.
>
>



[cas-user] ideas for persistence login session

2022-07-27 Thread Pablo Vidaurri
Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is 
requesting to enable certain parts of their site (protected) to include a 
longer ST (for weeks) while maintaining a 2hr session for other secured 
parts like "Account/Profile".

I understand the application needs to change, but is there anything on the 
CAS side that I can do to help in this effort?

Would JWT help? When a user successfully logs in, issue a JWT good for 4 
weeks with user's credentials. Now let's assume the TGT/ST are no longer 
valid and the user is trying to access part of the site where logging in 
is not required for days (protected area). The JWT would then be used to 
auto login the user. Achievable or pure abuse?

Also considered increasing the TGT TTL for weeks and creating separate 
services to define an 
AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 
2hrs/8hrs, etc but this means certain parts of the site need to be 
under specific URL patterns.

Any suggestions?

-psv
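The application-side enforcement Richard Frovarp describes in this thread, combined with renew=true on ticket validation (Misagh's suggestion mentioned in the "renew=true, risk of bypassing?" thread), as an added example that is neither from the thread nor CAS code: the app validates the step-up page's ticket with renew=true, so CAS rejects a service ticket minted from the existing SSO session, and it checks authenticationDate / isFromNewLogin from the CAS 3.0 response against the 2hr window itself, so a user dropping renew from the login URL gains nothing. The CAS and app URLs are the ones from the thread; the XML responses, user name, failure message text and clock are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_BASE = "https://www.mycas.com/auth"       # CAS server from the thread
SERVICE = "https://www.myapp.com/myprofile"   # the page that needs step-up
MAX_AUTH_AGE = timedelta(hours=2)             # "2hr session" for Account/Profile
EXAMPLE_NOW = datetime(2022, 8, 16, 17, 13, tzinfo=timezone.utc)  # constructed clock

# Constructed CAS 3.0 validation responses (not captured from a real server).
RESPONSE_FROM_SSO = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>psv</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2022-08-16T09:00:00Z</cas:authenticationDate>
      <cas:isFromNewLogin>false</cas:isFromNewLogin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
# Same shape, but the ST was minted right after a fresh primary login.
RESPONSE_FRESH = RESPONSE_FROM_SSO.replace("09:00:00Z", "17:10:00Z").replace("false", "true")
# What a renew=true validation yields when the ST came from an SSO session
# (the failure code is from the CAS protocol; the message text is a placeholder).
RESPONSE_RENEW_REJECTED = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>placeholder message</cas:authenticationFailure>
</cas:serviceResponse>"""

def login_url_for_stepup():
    """Redirect target for the protected page. renew=true forces a fresh login,
    but a user can strip it, so it is a convenience, not the control."""
    return f"{CAS_BASE}/login?" + urlencode({"service": SERVICE, "renew": "true"})

def validate_url_for_stepup(ticket):
    """Server-to-server validation with renew=true: CAS then accepts only an ST
    issued from primary credentials and rejects one minted from the SSO session."""
    params = {"service": SERVICE, "ticket": ticket, "renew": "true"}
    return f"{CAS_BASE}/p3/serviceValidate?" + urlencode(params)

def parse_validation(xml_text):
    """Reduce a CAS 3.0 validation response to the fields the step-up rule needs."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        return {"ok": False, "code": failure.get("code") if failure is not None else None}
    attrs = success.find("cas:attributes", CAS_NS)

    def attr(name):
        el = attrs.find(f"cas:{name}", CAS_NS) if attrs is not None else None
        return el.text.strip() if el is not None and el.text else None

    auth_date = attr("authenticationDate")
    return {
        "ok": True,
        "user": success.findtext("cas:user", namespaces=CAS_NS),
        "authenticated_at": datetime.fromisoformat(auth_date.replace("Z", "+00:00")) if auth_date else None,
        "from_new_login": attr("isFromNewLogin") == "true",
    }

def stepup_decision(result, now):
    """Application-side rule: serve the protected page only if the last primary
    authentication is recent enough, else bounce the user to CAS with renew=true.
    The decision lives here, so removing renew from the URL gains nothing."""
    if not result["ok"] or result["authenticated_at"] is None:
        return "reauth"
    if result["from_new_login"] or now - result["authenticated_at"] <= MAX_AUTH_AGE:
        return "allow"
    return "reauth"
```

With the constructed clock, the SSO-derived response (authenticated 8 hours earlier) and the renew-rejected response both yield "reauth", while the fresh login yields "allow".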


