Re: [cas-user] Re: Migrating services from version 5 to 6

2024-01-19 Thread Ray Bon
To get a list of all properties (and some defunct ones) run:

./gradlew exportConfigMetadata

During startup, cas logs properties that are deprecated and prints out the 
current property key.

You are upgrading to 7 and not 6, right?

Ray

On Fri, 2024-01-19 at 11:23 -0800, atilling wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Dave Steiner,

Could you share your cas.properties file or a snippet of it so I can see how 
you enabled /status/services/export ? The CAS 5 documentation has been removed 
from GIT so I'm not finding information on how to enable.

On Tuesday, June 28, 2022 at 5:14:27 PM UTC-4 Dave Steiner wrote:
We are currently upgrading from v5 to v6 and use JPA like you are.  What we are 
doing is to use the CAS5 endpoint  /status/services/export to get a zip file of 
all our Service entries (~1000-1500).  We then need to make a minor change to 
those and will be using the CAS6 endpoint  /actuator/registeredServices/import 
to import each json file individually (we tried giving it a new zip file but it 
was duplicating entries for some reason).  I'm currently playing with this on 
Dev and will hopefully do this on Test in a few weeks.

-ds

On Wednesday, June 15, 2022 at 12:43:23 PM UTC-4 Trevor Fong wrote:
Thanks a lot for your reply Francois.

Dammit - that sucks that we both had such a poor experience!
I fear you might be right and I'll have to abandon the 300+ rules we've built 
up over the years due to inadequate support and documentation; it's not like 
they discontinued support for JPA - they just didn't provide any support at all 
for migration, which feels worse!  It's like saying "Sure you can do it, see 
all the cool things you can do" and not say how to do it.
I'll give myself to the end of the week and "cut bait" if I can't find a way 
out.  I'll reply if I should find anything of use.

Thanks again,
Trev

On Wed, 15 Jun 2022 at 08:11, fjannin4  wrote:

Hi Trev

Alas, I didn't find anything to simply convert structured data from JPA to 
JSON... It was too tedious and time consuming and I gave up... None of the cues 
and hints were working.

The whole online documentation of CAS 5.x has been removed (I have never seen 
so many Google results issuing 404 errors... dunno why they don't remove the 
links?), making it harder to find relevant information, and I mess about with 
partial remains in web archives.

Instead I am going to replace my finely tuned granularity of service 
descriptions with one wildcard per domain name of internal applications, in 
JSON format, the only one that really has support from the CAS team and is 
documented.

Doing this, I will therefore lose all the detail for each service: 
descriptions, logo and contacts, that were previously used in CAS and the CAS 
management application...

A high price to pay, just for the CAS developer team's taste to follow the 
fashion for JSON and the unilateral deprecation of JPA...

So, keeping your CAS installation working is a question of chance: if you bet 
on the right technology that will survive the annual elegation, you won... We 
bet on JPA and lost...

Good luck !
Regards

On 10/06/2022 at 19:45, Trevor Fong wrote:
Hi Francois,

Just wondering if you were able to resolve your situation and if so, how?  I'm 
also facing a similar thing.

Thanks a lot,
Trev

On Thursday, March 31, 2022 at 10:54:41 AM UTC-7 fjan...@gmail.com wrote:

Thank you for the response.

We actually use CAS Management application, and I will follow your suggestion.

We have a bunch of services to migrate: 140+, with their own contacts, 
policies and attribute release settings.

I have tried the actuator endpoint /services from CAS Server, which exports all 
services in one file, but the JSON format seems different from the import 
format used in CAS 6.4.

I will try the management application way, with hopefully more success...

Best regards

Francois

On 31/03/2022 at 17:35, 'Richard Frovarp' via CAS Community wrote:
The tables in the post are for the service registry. If you don't migrate 
those, you will have to reconfigure from scratch.

I do not know what the plans are for the project with respect to the service 
registry. It's changed a bit between versions, and usually seems like a pain. 
We made the change in a previous upgrade to just drop JSON files on the 
filesystem and have CAS pick those up. It keeps us free of changes in the JPA 
method (which we had been using), and free from management app changes. In 
addition, we can keep service configuration in git, which is extremely nice.

What I gather from that post is you are going to need to change the source code 
of RegisteredServicesReportController either changing that method, or adding 
that method. Looks like it is adding the method. Compile, put into your 
deployment (or download your DB and run locally), and then hit that point to 
get the exported JSON services. If you are running the 
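The export-then-import-one-file-at-a-time procedure Dave describes, as an added example written for this page (it is not CAS project code and does not come from any poster). It assumes that the CAS 5 /status/services/export archive holds one JSON document per service, that the CAS 6 /actuator/registeredServices/import endpoint accepts a single service definition per POST with a JSON body, that the endpoint is exposed and protected with HTTP basic authentication, and that the base URL and credentials are placeholders; verify each of these against your own deployment and documentation. The sample archive is constructed inline so the script runs offline.

```python
"""Import exported CAS service definitions into CAS 6 one file at a time.

Added example, not CAS project code. Assumptions (verify against your
deployment): one JSON document per service in the export archive, one
service definition per POST to /actuator/registeredServices/import, HTTP
basic auth on the actuator, placeholder base URL and credentials.
"""
import base64
import io
import json
import urllib.request
import zipfile

# Minimum fields every CAS service definition carries; everything else is
# passed through untouched so the migration does not silently drop attributes.
REQUIRED_KEYS = ("@class", "serviceId", "name", "id")


def load_services_from_zip(zip_bytes):
    """Return one dict per *.json member, in archive order.

    A member that is not JSON or lacks the required keys raises ValueError,
    so a broken export is caught before anything reaches the server.
    """
    services = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.namelist():
            if not member.lower().endswith(".json"):
                continue
            try:
                definition = json.loads(archive.read(member))
            except json.JSONDecodeError as exc:
                raise ValueError(f"{member}: not valid JSON ({exc})") from exc
            missing = [key for key in REQUIRED_KEYS if key not in definition]
            if missing:
                raise ValueError(f"{member}: missing {missing}")
            services.append(definition)
    return services


def dedupe_by_id(services):
    """Keep the first definition per numeric id; duplicate entries are what
    the thread reports after a bulk zip import, so never post an id twice."""
    seen, unique = set(), []
    for service in services:
        if service["id"] not in seen:
            seen.add(service["id"])
            unique.append(service)
    return unique


def make_basic_auth_sender(credentials):
    """Return sender(url, body) that POSTs JSON with HTTP basic auth and
    returns the status code. credentials is 'user:password' (placeholder)."""
    token = base64.b64encode(credentials.encode()).decode()

    def send(url, body):
        request = urllib.request.Request(url, data=body, method="POST")
        request.add_header("Content-Type", "application/json")
        request.add_header("Authorization", f"Basic {token}")
        with urllib.request.urlopen(request, timeout=30) as response:
            return response.status
    return send


def import_one_at_a_time(zip_bytes, import_url, sender):
    """POST every definition separately; return (imported_ids, failed_ids).
    sender is injectable so the flow can be exercised without a live CAS."""
    imported, failed = [], []
    for service in dedupe_by_id(load_services_from_zip(zip_bytes)):
        body = json.dumps(service).encode()
        try:
            status = sender(import_url, body)
        except Exception:          # network error, auth failure, etc.
            failed.append(service["id"])
            continue
        (imported if 200 <= status < 300 else failed).append(service["id"])
    return imported, failed


def build_sample_export():
    """Constructed stand-in for a real export: three files, one duplicate id."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for service_id, name in ((10, "wiki"), (11, "lms"), (10, "wiki-copy")):
            archive.writestr(f"{name}-{service_id}.json", json.dumps({
                "@class": "org.apereo.cas.services.RegexRegisteredService",
                "serviceId": f"^https://{name}.example.edu/.*",
                "name": name,
                "id": service_id,
            }))
    return buffer.getvalue()


if __name__ == "__main__":
    # Dry run against the constructed archive; for the real migration pass
    # make_basic_auth_sender("user:password") and the real actuator URL.
    url = "https://cas.example.edu/cas/actuator/registeredServices/import"
    print(import_one_at_a_time(build_sample_export(), url, lambda u, b: 200))
```

Posting each definition separately also gives you a per-service status, so a failed import is traceable to one file instead of to a whole archive. Keep the actuator endpoint restricted (IP allow-list or admin credentials) and remove the exposure once the migration is done; the import endpoint writes directly into the service registry.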

Re: [cas-user] CAS 7 and OIDC problems

2024-01-18 Thread Ray Bon
Let us try this again.

Cas does not need to know about appserver.my.domain; only HAProxy needs this.
cas.server.scope=public.my.domain
cas.server.name=https://${cas.server.scope}
cas.server.prefix=${cas.server.name}/cas
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc

Are you missing this config item (if missing, it should not be related to this 
problem):
cas.authn.oauth.access-token.crypto.signing.key

Your title says cas 7 but your log says 6.6. Could there be a library conflict?

Ray

On Wed, 2024-01-17 at 11:10 +0100, spfma.tech via CAS Community wrote:

Hi,

I am trying to setup OIDC module, and I experience some problems.

My CAS server (let's name it "appserver.my.domain") is running on port 8080, 
with HAProxy exposing public URLs (let's name it "public.my.domain").

So after rebuilding the webapp including 
"org.apereo.cas:cas-server-support-oidc", I have added the following lines to 
my working "cas.properties" :

cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oidc.core.issuer=https://public.my.domain/cas/oidc
cas.authn.oidc.core.accepted-issuers-pattern=http:\/\/.*

The last line is the only syntax I have found accepting both 
"https://public.my.domain/cas/oidc" and 
"http://appserver.my.domain:8080/cas/oidc" as valid issuers, otherwise requests 
are denied.
Is it Ok ?

Then I have added a basic service:

{
"@class" : "org.apereo.cas.services.OidcRegisteredService",
"scopes" : [ "java.util.HashSet", [ "profile", "openid", "email" ] ],
"clientId": "client",
"clientSecret": "secret",
"serviceId" : "http://localhost:8080/(.*)",
"name" : "test",
"id" : 2,
"idTokenIssuer": "https://public.my.domain/cas/oidc"
}


It seems to be working :

2024-01-17 11:04:01,722 DEBUG 
[org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - 

2024-01-17 11:04:01,722 DEBUG 
[org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - 

2024-01-17 11:04:01,722 DEBUG 
[org.apereo.cas.oidc.services.OidcServiceRegistryListener] - 
2024-01-17 11:04:01,722 DEBUG 
[org.apereo.cas.oidc.services.OidcServiceRegistryListener] - 
2024-01-17 11:04:01,722 DEBUG 
[org.apereo.cas.oidc.services.OidcServiceRegistryListener] - 

The RP is a Docker image I have found here : 
https://hub.docker.com/r/leplusorg/openid-connect-provider-debugger

When I try to reach the app's main URL (http://localhost:8080/), I am 
redirected to CAS but I get the following exception: 
"java.lang.IllegalArgumentException: Unable to locate authentication profile"

And on server side :

2024-01-17 11:03:48,217 DEBUG 
[org.springframework.security.web.FilterChainProxy] - 
2024-01-17 11:03:48,217 DEBUG 
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
 - 
2024-01-17 11:03:48,218 DEBUG 
[org.springframework.security.web.FilterChainProxy] - 
2024-01-17 11:03:48,218 DEBUG 
[org.springframework.web.servlet.DispatcherServlet] - 
2024-01-17 11:03:48,218 DEBUG 
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
 - 
2024-01-17 11:03:48,220 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - 
2024-01-17 11:03:48,220 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - 
at 
org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController.handleRequest(OidcAuthorizeEndpointController.java:58)
 ~[cas-server-support-oidc-core-api-6.6.10.jar!/:6.6.10]

Can someone tell me what this error clearly means ? I had a look at the source 
code, but found nothing obvious.

Is there something wrong or missing with the configuration above ?

Thanks for any kind of help

Regards





-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/244783efe92186373375108899f1983d6a3c9235.camel%40uvic.ca.
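A check that fits the proxy layout Ray describes (CAS only knows the public name; HAProxy knows appserver.my.domain), as an added example written for this page rather than code from the thread or from CAS. Relying parties read <issuer>/.well-known/openid-configuration and follow the endpoints it lists, so an internal hostname or a plain-http URL leaking into that document sends clients to the wrong place. The hostnames, the /cas context path, the endpoint paths in the sample documents and the documents themselves are placeholders or constructed data, not a statement of CAS's URL layout.

```python
"""Check that a CAS OIDC discovery document only advertises the public issuer.

Added example, not CAS project code. Hostnames, context path and the two
sample documents are placeholders / constructed data.
"""
import json
import urllib.request
from urllib.parse import urlsplit

# Endpoint keys a relying party follows from the discovery document.
ENDPOINT_KEYS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "jwks_uri", "end_session_endpoint", "introspection_endpoint",
    "revocation_endpoint", "registration_endpoint",
)


def derive_issuer(scope, context_path="/cas"):
    """Mirror the property chain in the reply: cas.server.name=https://<scope>,
    cas.server.prefix=<name>/cas, cas.authn.oidc.core.issuer=<prefix>/oidc."""
    return f"https://{scope}{context_path}/oidc"


def check_discovery(document, expected_issuer):
    """Return a list of problems; an empty list means the document is clean."""
    problems = []
    issuer = document.get("issuer")
    if issuer != expected_issuer:
        problems.append(f"issuer is {issuer!r}, expected {expected_issuer!r}")
    want = urlsplit(expected_issuer)
    prefix = want.path.rstrip("/") + "/"
    for key in ENDPOINT_KEYS:
        url = document.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parts.netloc != want.netloc:
            problems.append(f"{key} points at {parts.netloc}, not {want.netloc}")
        elif not parts.path.startswith(prefix):
            problems.append(f"{key} is outside the issuer path: {url}")
    return problems


def fetch_discovery(issuer):
    """Live fetch of the discovery document; not exercised offline."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as response:
        return json.load(response)


PUBLIC_ISSUER = derive_issuer("public.my.domain")

# Constructed document: the token endpoint leaks the internal app server.
LEAKY_DOCUMENT = {
    "issuer": PUBLIC_ISSUER,
    "authorization_endpoint": PUBLIC_ISSUER + "/authorize",
    "token_endpoint": "http://appserver.my.domain:8080/cas/oidc/accessToken",
    "jwks_uri": PUBLIC_ISSUER + "/jwks",
}

# Constructed document with every URL under the public issuer.
CLEAN_DOCUMENT = {
    "issuer": PUBLIC_ISSUER,
    "authorization_endpoint": PUBLIC_ISSUER + "/authorize",
    "token_endpoint": PUBLIC_ISSUER + "/accessToken",
    "jwks_uri": PUBLIC_ISSUER + "/jwks",
}

if __name__ == "__main__":
    for problem in check_discovery(LEAKY_DOCUMENT, PUBLIC_ISSUER):
        print("PROBLEM:", problem)
    # Against a live server:
    # check_discovery(fetch_discovery(PUBLIC_ISSUER), PUBLIC_ISSUER)
```

Run the live variant from outside the proxy, the way a relying party would reach it. If it reports the internal host, the fix belongs in the server name/prefix properties and in the proxy's forwarded-proto/host headers, not in a looser accepted-issuers pattern; widening that pattern to accept http:// issuers makes CAS accept tokens minted for an unencrypted internal name.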


Re: [cas-user] CAS 7 and OIDC problems

2024-01-17 Thread Ray Bon




Re: [cas-user] casSimpleMultifactorAuthenticationTicketsCache table name as a property

2024-01-16 Thread Ray Bon




Re: [cas-user] cas redirect url has special characters like '#'

2024-01-11 Thread Ray Bon
Benny,

Something is amiss with your service URL
service=http://localhost:9280/cas/login...

The service parameter is the URL of the protected application.

Assuming 8881 is your cas server, your url should look like (perhaps with more 
characters escaped)
http://localhost:8881/cas/login?service=http://localhost:9280/login?ddtab=true%26target%3Dhttp%3A%2F%2Flocalhost%3A%2F%23%2Findex

If this is not correct, please explain your arrangement (which is cas server, 
which is the application you are trying to log in to and what the third service 
is)?

Ray

On Thu, 2024-01-11 at 15:43 +0800, Benny Lu wrote:

Hello:


As shown in the pic
The original url is
http://localhost:8881/login?service=http://localhost:9280/cas/login?ddtab=true%26target%3Dhttp%3A%2F%2Flocalhost%3A%2F%23%2Findex

but when the url got redirected the special characters disappears

I wonder when the special characters disappears and how can i keep the 
characters remain in my target url


Thanks!
regards

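The encoding Ray's reply points at, as an added example written for this page (not code from the thread or from CAS). It follows the reply's assumption that CAS runs on localhost:8881 and the protected application on localhost:9280; the application URL is constructed in the shape the question shows. The point: the application URL must be percent-encoded once as the value of the service parameter so that its own '?', '&', '=' and '#' travel as data; left raw, everything from the first '#' on is treated by the browser as the fragment of the CAS URL and is never sent to the server at all, which is why the characters "disappear".

```python
"""Encode a CAS service URL that itself carries a query string and a fragment.

Added example, not CAS project code. Ports and paths are the thread's
placeholders; APP_URL is constructed.
"""
from urllib.parse import parse_qs, quote, urlsplit

CAS_LOGIN = "http://localhost:8881/cas/login"   # placeholder from the reply


def build_login_url(cas_login, service_url):
    """safe='' encodes every reserved character, including '/', ':' and '#'."""
    return f"{cas_login}?service={quote(service_url, safe='')}"


def service_seen_by_cas(login_url):
    """Parse the outer URL the way a server does and return the decoded
    service parameter (None when absent). parse_qs percent-decodes once."""
    query = urlsplit(login_url).query
    return parse_qs(query).get("service", [None])[0]


def as_sent_by_browser(login_url):
    """A user agent keeps everything after the first raw '#' client-side."""
    return login_url.split("#", 1)[0]


# Constructed application URL: a query parameter whose value is itself a URL
# with a hash-router fragment, as in the question.
APP_URL = "http://localhost:9280/login?ddtab=true&target=http://localhost:8080/#/index"

if __name__ == "__main__":
    good = build_login_url(CAS_LOGIN, APP_URL)
    naive = f"{CAS_LOGIN}?service={APP_URL}"
    print("encoded :", good)
    print("CAS sees:", service_seen_by_cas(as_sent_by_browser(good)))
    print("naive   :", naive)
    print("CAS sees:", service_seen_by_cas(as_sent_by_browser(naive)))
```

With the naive form CAS receives only http://localhost:9280/login?ddtab=true: the '&' split the outer query and the browser kept the fragment. Whatever the application finally receives still has to match the serviceId pattern registered for it, so the registered regex must allow the query string you send.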


Re: [cas-user] Re: Duo MFA behavior on CAS 7

2024-01-05 Thread Ray Bon
Jeremiah,

Could a URL rewrite (that strips :8443) work?
After updating metadata ...

Ray

On Fri, 2024-01-05 at 12:40 -0800, Jeremiah Garmatter wrote:

Thanks for the reply Baron,

Unfortunately, it seems that changing the cas.server.name only shifts the 
problem instead of getting around it.
I can choose whether to require the port in the URL or not, but I can not allow 
both situations by changing that configuration.
Ideally, I would be able to login in both situations, port specified or not, as 
I could with the older versions of CAS.

This behavior is important to me because I use CAS to authenticate CAS apps and 
SAML2 apps.
Unfortunately, we were not consistent in registering apps so many of the CAS 
apps were configured without the port specified and the opposite goes for our 
SAML2 apps.
It looks like I may have to make them all consistent now.


On Fri, Jan 5, 2024 at 2:25 PM Baron Fujimoto  wrote:
Hi Jeremiah,

We don't use the embedded Tomcat and have a load balancer forwarding port 443 
to 8443 on Tomcat, but I ran into the "MFA provider unavailable" issue when 
testing with an individual backend cluster node's hostname rather than the 
cluster's public CNAME. I was able to work around it for our testing purposes 
by setting cas.server.name in cas.properties to match 
what CAS is apparently expecting. Perhaps a similar approach may work for you?


#cas.server.name=publicname.example.edu
cas.server.name=nodename.example.edu:8443

Aloha,
-baron

On Fri, Jan 5, 2024 at 6:59 AM Jeremiah Garmatter wrote:
Hello,

I am trying out CAS 7 with the embedded Tomcat instance. I noticed a change in 
behavior that will impact my authentication flow and wanted to see if anyone 
else has come across it and found a work around.

I run my CAS server over port 8443 but, for user convenience, I forward traffic 
from port 443 to 8443. This way my users can access SSO without specifying a 
port number. In the past I have had no issues visiting 
https://my.cas.server/cas/login, authenticating via LDAP, then MFA via Duo.

On CAS 7, it seems like CAS is more aware of the URL used during authentication 
though. When I visit the URL without port 8443 specified, I can LDAP auth and 
MFA through Duo, but upon return from Duo to CAS I receive the "MFA provider 
unavailable" message. If I specify the port, 
https://my.cas.server:8443/cas/login, I have no trouble returning to CAS after 
Duo MFA.

If I can't get this to work, I'll have to reach out to all my CAS services and 
notify my organization to update any links.



--
Baron Fujimoto ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum


Re: [cas-user] Duo MFA behavior on CAS 7

2024-01-05 Thread Ray Bon
Jeremiah,

It is simpler to change cas to run on 443 instead, i.e. no port specified. (One 
bit of work for you instead of many bits of work for all service providers).
Cas does not need to know the port if you are forwarding.
We front our tomcat (running 8443) with apache (default ports) which forwards 
to tomcat.

Ray

On Fri, 2024-01-05 at 08:28 -0800, Jeremiah Garmatter wrote:

Hello,

I am trying out CAS 7 with the embedded Tomcat instance. I noticed a change in 
behavior that will impact my authentication flow and wanted to see if anyone 
else has come across it and found a work around.

I run my CAS server over port 8443 but, for user convenience, I forward traffic 
from port 443 to 8443. This way my users can access SSO without specifying a 
port number. In the past I have had no issues visiting 
https://my.cas.server/cas/login, authenticating via LDAP, then MFA via Duo.

On CAS 7, it seems like CAS is more aware of the URL used during authentication 
though. When I visit the URL without port 8443 specified, I can LDAP auth and 
MFA through Duo, but upon return from Duo to CAS I receive the "MFA provider 
unavailable" message. If I specify the port, 
https://my.cas.server:8443/cas/login, I have no trouble returning to CAS after 
Duo MFA.

If I can't get this to work, I'll have to reach out to all my CAS services and 
notify my organization to update any links.



Re: [cas-user] Force a user session to expire

2023-12-14 Thread Ray Bon
Mark,

If you are talking about a service that insists that the user log in, the 
service should send the renew parameter 
https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#211-parameters

If you are talking about administratively ending an SSO session, there are 
endpoints that can help 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html#actuator-endpoints

Ray

On Thu, 2023-12-14 at 12:52 -0800, Mark Thompson wrote:

Hello

How can I force a user(s) session to expire so they have to re-login ?

thanks
mark






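The "administratively ending an SSO session" option from Ray's reply, as an added example written for this page; it is not CAS project code. It assumes, and you should verify against the documentation for your version, that the ssoSessions actuator endpoint is exposed and access-controlled (for example management.endpoints.web.exposure.include=ssoSessions together with a cas.monitor.endpoints.endpoint.ssoSessions.access setting), that GET /actuator/ssoSessions returns {"activeSsoSessions": [...]} whose entries carry "authenticated_principal" and "ticket_granting_ticket", and that DELETE /actuator/ssoSessions/<tgt> removes that one session. The base URL, the credentials and the sample payload are placeholders or constructed data.

```python
"""End every SSO session of one user through the CAS ssoSessions actuator endpoint.

Added example, not CAS project code. Endpoint paths, response field names,
base URL and credentials are assumptions to verify; SAMPLE_SESSIONS is
constructed data.
"""
import base64
import json
import urllib.request


def sessions_for_user(payload, username):
    """Return the TGT ids in a ssoSessions response that belong to username.
    Case-insensitive because principal ids usually come from LDAP, where
    case is not significant."""
    wanted = username.casefold()
    return [
        session["ticket_granting_ticket"]
        for session in payload.get("activeSsoSessions", [])
        if session.get("authenticated_principal", "").casefold() == wanted
    ]


def redact(tgt):
    """A TGT id is the SSO session itself; never log it whole."""
    return tgt[:12] + "..." if len(tgt) > 12 else tgt


def revoke_user_sessions(username, fetch, delete):
    """fetch() returns the parsed GET response; delete(tgt) returns the HTTP
    status. Returns (revoked, failed) as lists of redacted ids."""
    revoked, failed = [], []
    for tgt in sessions_for_user(fetch(), username):
        try:
            status = delete(tgt)
        except Exception:
            status = 0
        (revoked if status in (200, 204) else failed).append(redact(tgt))
    return revoked, failed


def make_actuator_client(base_url, credentials):
    """Return (fetch, delete) closures for a live CAS; not exercised offline."""
    token = base64.b64encode(credentials.encode()).decode()

    def call(method, path):
        request = urllib.request.Request(base_url + path, method=method)
        request.add_header("Authorization", f"Basic {token}")
        with urllib.request.urlopen(request, timeout=30) as response:
            return response.status, response.read()

    def fetch():
        return json.loads(call("GET", "/actuator/ssoSessions")[1])

    def delete(tgt):
        return call("DELETE", f"/actuator/ssoSessions/{tgt}")[0]

    return fetch, delete


# Constructed sample of the GET response shape assumed above.
SAMPLE_SESSIONS = {
    "activeSsoSessions": [
        {"authenticated_principal": "mark",
         "ticket_granting_ticket": "TGT-1-aaaaaaaaaaaaaaaa-node1"},
        {"authenticated_principal": "alice",
         "ticket_granting_ticket": "TGT-2-bbbbbbbbbbbbbbbb-node1"},
        {"authenticated_principal": "Mark",
         "ticket_granting_ticket": "TGT-3-cccccccccccccccc-node2"},
    ]
}

if __name__ == "__main__":
    # Dry run: every delete "succeeds". For real use:
    # fetch, delete = make_actuator_client("https://cas.example.edu/cas", "admin:secret")
    print(revoke_user_sessions("mark", lambda: SAMPLE_SESSIONS, lambda tgt: 200))
```

Deleting the ticket-granting ticket ends the SSO session at CAS; applications that already hold their own session from a validated service ticket keep it until their own timeout or until they receive a logout request, so pair this with the renew parameter on the service side when a fresh login is what you actually need.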


Re: [cas-user] Re: cas 7.0.0-RC9 - slow groovy ?

2023-12-13 Thread Ray Bon
artur,

Does it take a long time on each request or only the first?
If only the first, then you could trigger all the scripts after deployment 
(though this is not ideal).
I am no groovy expert, but even a few seconds to compile the script is too long.

Ray

On Wed, 2023-12-13 at 02:55 -0800, artur miś wrote:


> Where does the additional metadata come from :

We have added it in groovy statically for checking purposes.


> You could put a timer around each statement in the script to see which one(s) 
> takes a long time

Ray: 11ms but :


I have found out that the problem comes from groovy just before executing the 
script:  2023-12-13 08:10:50,698 TRACE 
[org.apereo.cas.util.scripting.ScriptingUtils] - 
And this creation takes 5 sec for a very basic script. Of course if you add 
something that collects metadata this time rises to 10 sec. That 5 sec is too 
much. We observed too that for dockerized cas, creating the groovy object 
instance for a basic script takes 10 sec, but a more advanced scenario 15 sec.

Startup without containerization:
./gradlew clean build
./gradlew CopyCasConfiguration
./gradlew run

Startup with containerization:
docker start etc/itd




how to reproduce this:

1) cas.properties

cas.authn.accept.enabled=true
cas.authn.accept.order=1
cas.authn.accept.users=test::test123
cas.authn.accept.name=Static Credentials
cas.authn.attribute-repository.groovy[0].location=file:/etc/cas/config/custom-attr.groovy
logging.level.org.apereo.cas=TRACE


2) /etc/cas/config/custom-attr.groovy

(default documentation script)

import java.util.*

def run(final Object... args) {
    def (username, attributes, logger, properties, appContext) = args

    def startTime = System.currentTimeMillis()

    logger.debug("[{}]: The received uid is [{}]", this.class.simpleName, username)

    // The additional metadata comes from this script/line, not from other
    // sophisticated resources. In production we have other LDAPs etc. but not
    // here, because we discovered possible problems here so we simplified the case.
    def result = [username:[username], likes:["cheese", "food"],
                  id:[1234,2,3,4,5], another:["attribute"]]

    def stopTime = System.currentTimeMillis()
    def executionTime = stopTime - startTime

    logger.debug("Script execution time: ${executionTime} ms")

    return result
}




3) start cas and login as test/test123 a few times

logs:

2023-12-13 08:10:50,698 TRACE [org.apereo.cas.util.scripting.ScriptingUtils] - 


comment: lag 9 seconds (creating groovy object)


2023-12-13 08:10:59,307 TRACE [org.apereo.cas.util.scripting.ScriptingUtils] - 


comment: script run in 11ms

2023-12-13 08:10:59,318 DEBUG 
[org.apereo.cas.authentication.principal.resolvers.InternalGroovyScriptDao] - 











On Tuesday, 12 December 2023 at 19:12:55 UTC+1 Ray Bon wrote:
artur,

Where does the additional metadata come from?
That script looks very basic. You could put a timer around each statement in 
the script to see which one(s) takes a long time.

Ray

On Tue, 2023-12-12 at 02:19 -0800, artur miś wrote:

Buddies, I attached some more information:

I have got a problem with the long execution time of a basic groovy script:


cas.authn.attribute-repository.groovy[0].location=file:/etc/cas/config/custom-attr.groovy


import java.util.*
import java.text.SimpleDateFormat
import groovy.transform.Field
import javax.naming.directory.*
import java.util.Hashtable
import javax.naming.*

@Field File file = new File("/etc/cas/config/groovy_logs.txt")

def run(final Object... args) {
    def (username, attributes, logger, properties, appContext) = args

    logger.debug("[{}]: The received uid is [{}]", this.class.simpleName, username)

    file.append "\n login: " + args[0] + " cas-id:" + args[1]['principal'] + "\n"
    file.append "\n version groove: " + GroovySystem.version + "\n"

    // Moved before the return; in the original it followed the return and never ran
    println GroovySystem.version

    // All attribute values must be defined as a collection wrapped in []
    return [username:[username], likes:["6cheese", "7food"], id:[1234,2,3,4,5],
            another:["attribute"]]
}




System CAS:

CAS Version: 7.0.0-RC9
CAS Branch: master
CAS Commit Id: xxx
CAS Build Date/Time: 2023-11-25T07:12:15.881468Z
Spring Boot Version: 3.2.0
Spring Version: 6.1.0
Java Home: /usr/lib/jvm/zulu21-ca-amd64
Java Vendor: Azul Systems, Inc.
Java Version: 21.0.1
Servlet Version: 6.0.0
JVM Free Memory: 345 MB
JVM Maximum Memory: 4 GB
JVM Total Memory: 512 MB
OS Architecture: amd64
OS Name: Linux
OS Version: 5.4.0-167-generic
OS Date/Time: 2023-12-12T10:35:50.786113719
OS Temp Directory

Re: [cas-user] CAS as SP using SAML?

2023-12-12 Thread Ray Bon
Yan,

Cas is not an application that you 'log in to', but an application that 'logs 
you in'.

If you want to build this capability, pac4j, which is part of cas, can act as a 
service provider. Though I do not know if it can be configured to handle more 
than one service. (If you do this once, you will be tempted to do it again.)

But this would mean that cas is an IdP (with proxy to okta) and a SP to the 
application at the same time.

The simplest approach would be to send the user from okta to the target 
application login flow, which would redirect to cas just like the simple case 
of accessing the application first. Or okta could redirect to 
cas/login?service=...
My experience with okta is using it as a service provider for our IdP, so I do 
not know what kind of capability it has.

Ray

On Mon, 2023-12-11 at 10:50 -0800, Yan Zhou wrote:

HI there,

I have CAS delegated authN via SAML working. But I have trouble getting a much 
simpler flow to work.

I would like CAS to act as a SAML2 ServiceProvider, it accepts a HTTP POST with 
SAML Response (user is already authenticated by another Idp such as Okta, which 
Posts SAML response to CAS), after validation, it gets the URL defined  in 
RelayState or ACS, and redirect browser to that URL.

Much like Idp initiated SSO flow, in this case, the initiating IdP is some 
other app such as Okta, user is already in Okta portal, he sets up a SAML 2.0 
integration in Okta,  with SSO Url points to CAS endpoint, and relayState or 
ACS has the URL to be launched (e.g., points to another app protected by CAS).

I have trouble getting this work,  With CAS SSO profiles, they all assume CAS 
is the IdP, and therefore, accepts only AuthnRequest. This sounds a lot simpler 
than delegated AuthN, but I cannot get it to work.

Here is what I am thinking,

CAS is a Spring Boot app, which can act as SAML2 SP, that requires the Spring 
dependency,  spring-security-saml2-service-provider, which is Not included in 
CAS by default. Is this something I need to do to get what I want to work? In 
other words, CAS is always intended to be IdP, to be an SP like an app., we 
need to do something different.

An alternative is to have Okta points SSO Url to the App, but that is not what 
I am looking for in this flow. The App does Not understand SAML, it uses CAS 
for authN. I want CAS to be the SP, and then some mechanism to redirect to the 
App after CAS session is created.

Thanks,
Yan




Re: [cas-user] Re: cas 7.0.0-RC9 - slow groovy ?

2023-12-12 Thread Ray Bon
artur,

Where does the additional metadata come from?
That script looks very basic. You could put a timer around each statement in 
the script to see which one(s) takes a long time.

Ray

On Tue, 2023-12-12 at 02:19 -0800, artur miś wrote:

Buddies, I attached some more information:

I have got a problem with the long execution time of a basic groovy script:


cas.authn.attribute-repository.groovy[0].location=file:/etc/cas/config/custom-attr.groovy


import java.util.*
import java.text.SimpleDateFormat
import groovy.transform.Field
import javax.naming.directory.*
import java.util.Hashtable
import javax.naming.*

@Field File file = new File("/etc/cas/config/groovy_logs.txt")

def run(final Object... args) {
    def (username, attributes, logger, properties, appContext) = args

    logger.debug("[{}]: The received uid is [{}]", this.class.simpleName, username)

    file.append "\n login: " + args[0] + " cas-id:" + args[1]['principal'] + "\n"
    file.append "\n version groove: " + GroovySystem.version + "\n"

    // Moved before the return; in the original it followed the return and never ran
    println GroovySystem.version

    // All attribute values must be defined as a collection wrapped in []
    return [username:[username], likes:["6cheese", "7food"], id:[1234,2,3,4,5],
            another:["attribute"]]
}




System CAS:

CAS Version: 7.0.0-RC9
CAS Branch: master
CAS Commit Id: xxx
CAS Build Date/Time: 2023-11-25T07:12:15.881468Z
Spring Boot Version: 3.2.0
Spring Version: 6.1.0
Java Home: /usr/lib/jvm/zulu21-ca-amd64
Java Vendor: Azul Systems, Inc.
Java Version: 21.0.1
Servlet Version: 6.0.0
JVM Free Memory: 345 MB
JVM Maximum Memory: 4 GB
JVM Total Memory: 512 MB
OS Architecture: amd64
OS Name: Linux
OS Version: 5.4.0-167-generic
OS Date/Time: 2023-12-12T10:35:50.786113719
OS Temp Directory: /tmp




Logs:


2023-12-12 10:41:41,731 DEBUG 
[org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] - 



no activity in the log (just waiting )



2023-12-12 10:41:55,497 DEBUG 
[org.apereo.cas.authentication.principal.resolvers.InternalGroovyScriptDao] - 
<[custom-attr]: The received uid is [christmas_banny]>


2023-12-12 10:41:55,497 DEBUG 
[org.apereo.cas.authentication.principal.resolvers.InternalGroovyScriptDao] - 






This problem has occurred only since we attached groovy; without groovy, 
authentication works smoothly. Groovy is slow or waits, but after, let's say, 
15 sec it returned the additional metadata. What is the problem, or where can I 
find a solution?

On Wednesday, 6 December 2023 at 17:02:45 UTC+1 artur miś wrote:
Hello,
Have you noticed that groovy 4.0.15 is slow? I have changed to 4.0.16 and it is 
the same.
Regards




Re: [cas-user] CAS 6.6.12 compiler error, though jars are in classpath

2023-12-12 Thread Ray Bon
Yan,

Try using compileOnly instead of implementation (though it should not matter).

Wait, are you using gradlew or ./gradlew?

Make sure you are using the one in the project folder.

Ray

On Mon, 2023-12-11 at 10:37 -0800, Yan Zhou wrote:

gradlew --debug clean build; I am using Gradle 7.6, JDK 11, on Windows.

Basically, everything comes with the Overlay project, other than that I am adding my own 
classes.


Re: [cas-user] CAS 6.6.12 compiler error, though jars are in classpath

2023-12-11 Thread Ray Bon
Yan,

What is your build command / process?

Ray

On Mon, 2023-12-11 at 07:01 -0800, Yan Zhou wrote:

Hi,

I am using the CAS 6.6.12 overlay and am new to Gradle, so I may be missing something 
obvious.

I need to create my own authentication handler class, so in my build.gradle I 
added:

implementation "org.apereo.cas:cas-server-core-authentication-api"
implementation "org.apereo.cas:cas-server-core-api-authentication"

I keep getting a compiler error, although the classes are there in my classpath.

This is the portion of my build.gradle file; the dependencies are listed there.

dependencies {
    /**
     * Do NOT modify the lines below or else you will risk breaking dependency management.
     */
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)

    /**
     * Do NOT modify the lines below or else you will risk breaking the build.
     */
    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-webapp-init"

    developmentOnly "org.springframework.boot:spring-boot-devtools:${project.springBootVersion}"

    /**
     * CAS dependencies and modules may be listed here.
     *
     * There is no need to specify the version number for each dependency
     * since versions are all resolved and controlled by the dependency management
     * plugin via the CAS bom.
     **/
    implementation "org.apereo.cas:cas-server-support-rest"
    implementation "org.apereo.cas:cas-server-support-saml-idp"
    implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
    implementation "org.apereo.cas:cas-server-support-json-service-registry"
    implementation "org.apereo.cas:cas-server-core-authentication-api"
    implementation "org.apereo.cas:cas-server-core-api-authentication"
    implementation "org.apereo.cas:cas-server-core-webflow-api"
    implementation "org.apereo.cas:cas-server-core-api-webflow"
    implementation "org.apereo.cas:cas-server-core-web-api"

    if (project.hasProperty("casModules")) {
        ...
    }

    testImplementation "org.springframework.boot:spring-boot-starter-test"
}

This is the output of the Gradle build. I verified that the classes are right there 
in the two jars; not sure why the build cannot find the two symbols: 
AuthenticationHandler and AbstractAuthenticationHandler.

2023-12-11T09:40:59.478-0500 [INFO] 
[org.gradle.jvm.toolchain.internal.DefaultToolchainJavaCompiler] Compiling with 
toolchain 'C:\Program Files\Java\jdk-11.0.12'.
2023-12-11T09:40:59.484-0500 [DEBUG] 
[org.gradle.api.internal.tasks.compile.NormalizingJavaCompiler] Compiler 
arguments: --release 11 -d 
C:\apereocas66x\cas-overlay-template\build\classes\java\main -encoding UTF-8 -h 
C:\apereocas66x\cas-overlay-template\build\generated\sources\headers\java\main 
-g -sourcepath "" -processorpath 
C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.projectlombok\lombok\1.18.28\a2ff5da8bcd8b1b26f36b806ced63213362c6dcc\lombok-1.18.28.jar
 -s 
C:\apereocas66x\cas-overlay-template\build\generated\sources\annotationProcessor\java\main
 -XDuseUnsharedTable=true -classpath 
C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.apereo.cas\cas-server-core-authentication-api\6.6.12\93b4e0a396cb935b7f967a813a70181976934f0e\cas-server-core-authentication-api-6.6.12.jar;
 . 
C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.apereo.cas\cas-server-core-api-authentication\6.6.12\38150afad77cd42a83879eb4027e272c85b6047c\cas-server-core-api-authentication-6.6.12.jar;..C:\Users\yaou\.m3\repository\com\github\scribejava\scribejava-java8\8.3.1\scribejava-java8-8.3.1.jar
 -parameters -Xlint:-processing 
C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationEventExecutionPlanConfiguration.java
 
C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationHandler.java
 
C:\apereocas66x\cas-overlay-template\src\main\java\org\apereo\cas\config\CasOverlayOverrideConfiguration.java
2023-12-11T09:40:59.485-0500 [INFO] 
[org.gradle.api.internal.tasks.compile.JdkJavaCompiler] Compiling with JDK Java 
compiler API.
2023-12-11T09:41:01.136-0500 [ERROR] [system.err] 
C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationEventExecutionPlanConfiguration.java:20:
 error: cannot find symbol
2023-12-11T09:41:01.137-0500 [ERROR] [system.err] public 
AuthenticationHandler qdxTrustedSamlAuthenticationHandler() {
2023-12-11T09:41:01.137-0500 [ERROR] [system.err]^
2023-12-11T09:41:01.137-0500 [ERROR] [system.err]   symbol:   class 
AuthenticationHandler
2023-12-11T09:41:01.137-0500 [ERROR] [system.err]   location: class 
QdxTrustedSamlAuthenticationEventExecutionPlanConfiguration
2023-12-11T09:41:01.137-0500 [ERROR] [system.err] 

Re: [cas-user] app not authorized error with IdP initiated SAML SSO

2023-12-06 Thread Ray Bon
Yan,

Assuming you have POST assertion consumer service in cas SP metadata.
I do not see a way of changing the ACS in CAS with respect to 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SAML2-Authentication.html#unsolicited-sso

It is ok to send the response by GET (if it can be configured in okta). 
Encryption and signing the assertion can be set in the CAS SP metadata.

Are you including providerId currently (this may have an effect)?

Ray

On Wed, 2023-12-06 at 13:31 -0800, Yan Zhou wrote:

Here is what I am trying to do: AppB is authenticated by CAS. AppB does Not speak 
SAML; it uses the CAS protocol to authenticate against CAS.

With the SP-initiated flow, I go to AppB, it redirects to CAS (CAS protocol, NO 
SAML), CAS then delegates authN to Okta using SAML and validates the SAML 
response, a CAS SSO session is created, and the user is in AppB. This is working. There is 
No SAML between AppB and CAS; there is SAML between CAS and Okta.

In the IdP-initiated flow, I want Okta to post the SAMLResponse to the CAS SSO endpoint 
/idp/profile/SAML2/Unsolicited/SSO, then something on the URL (such as a ProviderId 
parameter) will redirect to the AppB URL after the SAML response is validated and the CAS 
session is created. Next, the user is directed to B, B uses the CAS protocol for authN, 
the CAS session is created, so the user is in B.

When I tried, it does not work that way. I got an error on 
/idp/profile/SAML2/Unsolicited/SSO: it does Not accept HTTP POST, it expects 
GET. But the IdP-initiated flow always does POST since the SAML response is included.

I hope that makes sense.
Yan



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0ea7ee0a75c22f021b1271d47ec62faa046f5c9b.camel%40uvic.ca.


Re: [cas-user] Using the username field pre-authentication to do home realm discovery?

2023-12-04 Thread Ray Bon
Sean,

If you have multiple authentication sources (cas.authn. properties), cas will 
check each one for the username and stop when authn completes. This will 
work if each username is unique across realms, or if you can put the authn sources in 
an order that would catch users who are in multiple realms with their main realm.

I seem to remember a discussion on the list about two step authn (enter 
username on one page, then password on the next).

Ray

On Mon, 2023-11-27 at 18:45 -0800, Sean F wrote:

Hi. I'm curious if CAS can be used to do home realm discovery after the user 
enters their username?

My proposed workflow would be:

1. User enters a username
2. The authentication strategy would depend on what the user entered by looking 
up the username with a REST service (or some other strategy)
3. One type of username would use LDAP authentication, a different type of 
username would be sent to Azure AD to complete the authentication.

Thanks!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6e7d2276f6d7cc4edd10ed56e4c7c480ceed43f1.camel%40uvic.ca.


Re: [cas-user] app not authorized error with IdP initiated SAML SSO

2023-12-04 Thread Ray Bon
Yan,

Could you configure IdP initiated login to redirect to appB rather than cas?

fails due to the following,
Is something missing after this?

Ray

On Mon, 2023-11-27 at 11:36 -0800, Yan Zhou wrote:

Hi,

I am on CAS 6.4.x. Two apps: appA, authenticated by Okta, and appB, 
authenticated by CAS; CAS delegates authN to Okta for appB.

This is working correctly: I log in to appA via Okta, and when I go to the appB URL, 
SSO happens. If I go straight to appB without logging in to Okta first, delegated 
authN takes me to the Okta login page, etc. That works, partly because I have 
set up an Application inside the Okta Admin portal for Okta to post the SAML response 
to the CAS SSO endpoint: https:///cas/login?client_name=Okta

But this is Not working. I log in to my Okta portal and click on the SAML2 
application icon in the Okta portal, i.e., the IdP-initiated flow.

I expect that I will be in appB via SSO, but I am getting an "application not 
authorized" error on CAS. Using SAML tracer, I found the SAML payload is almost 
identical in both cases, but the IdP-initiated flow fails due to the following. 
Is that because CAS is Not delegating to Okta, since it is an Okta-initiated 
request, so the call fails?

What do I need to do to make the IdP-initiated flow (i.e., initiated by Okta, which 
CAS delegates authN to) work?

Thanks!

protected TransientSessionTicket retrieveSessionTicketViaClientId(final WebContext webContext, final String clientId) {
    try {
        val ticket = configContext.getCentralAuthenticationService().getTicket(clientId, TransientSessionTicket.class);
        LOGGER.debug("Located delegated authentication client identifier as [{}]", ticket.getId());
        return ticket;
    } catch (final Exception e) {
        LOGGER.error("Delegated client identifier cannot be located in the authentication request [{}]", webContext.getFullRequestURL());
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY);
    }
}

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4897c340ae89a57cdc18c7538ff6d2fa19234f4f.camel%40uvic.ca.


Re: [cas-user] Re: CAS 5.3.16 loses service reference for SAML SP with ForcedAuth when CAS uses Delegated Auth

2023-11-22 Thread Ray Bon
Sorry Justin, I should not have been so lazy with my typing.
I was referring to resolveServiceFromRequestContext which you mentioned in an 
earlier email.

Ray

On Wed, 2023-11-22 at 19:18 +, Justin Isenhour wrote:

The ForceAuthn appears to be working as expected. In both use cases CAS is 
redirecting to the delegated IDP for authentication. In both cases the IDP is 
sending back to CAS and triggering the DelegatedClientAuthenticationAction. The 
very first time there is no existing TGT, so the Transient Session Ticket gets 
restored, which includes the requested service. After force auth/renew, when 
the action is triggered there is a TGT in scope, so it is used. I see no calls 
to WebUtils.putService to put the service back into the scope and no 
interactions to retrieve the service from the TST. When I trace the calls for 
LDAP auth I see the same TGT is reused, it's not issuing a new ticket, so I 
think the TGT being in scope is fine. Seems like there should be a call 
somewhere to restore from TST.

I am not familiar with the method you mentioned but will review it once I am 
back in front of my computer.

Thanks,
Justin




Re: [cas-user] Re: CAS 5.3.16 loses service reference for SAML SP with ForcedAuth when CAS uses Delegated Auth

2023-11-22 Thread Ray Bon
Justin,

Logging out of the SP does not necessarily log out of cas (SLO is messy 
business).
If ForceAuthn is not forcing authentication, that should be your focus.
Perhaps cas is not sending ForceAuthn to the delegated authn server, or perhaps 
the delegated server is ignoring it.

Why does resolveServiceFromRequestContext return null?
Is the service removed from the context somewhere along the flow? Or perhaps 
resolve18Context is broken?

Ray

On Wed, 2023-11-22 at 09:34 -0800, Justin Isenhour wrote:

I've been tracing the code and have made the following observations:

The AuthNRequest from the SP comes into CAS and a TST is created with the 
service reference, then you are redirected to the IDP. After authenticating with the 
IDP, you are redirected back to CAS, which triggers 
DelegatedClientAuthenticationAction.doExecute(final RequestContext 
context).

For the first login, singleSignOnSessionExists(context) [L188] returns false.  
As a result of this, restoreAuthenticationRequestInContext(context, webContext, 
clientName) [L212] is called which restores the details from the TST, including 
the requested service reference.

After logout of SP and new AuthNRequest, singleSignOnSessionExists(context) 
[L188] returns true because the previously issued TGT is still in the webflow 
scope and the TGT is not expired.  Because of this, the code takes a different 
path, restoreAuthenticationRequestInContext is not called, instead the service 
is set by calling resolveServiceFromRequestContext(context) [L204], which 
returns null.

With debugging, I have seen that on the subsequent logins, if I have 
singleSignOnSessionExists return false like it does the first time through, it 
appears to work as desired and you land back in the client app every time.  
That points me to the TGT being in the webflow is causing this behavior.  
Thoughts?


DelegatedClientAuthenticationAction.doExecute code for reference:

@Override
public Event doExecute(final RequestContext context) {
    final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context);
    final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context);

    if (!isLogoutRequest(request) && singleSignOnSessionExists(context)) {
        final String tgt = WebUtils.getTicketGrantingTicketId(context);
        final Optional<Authentication> authnResult = getSingleSignOnAuthenticationFrom(context);

        if (authnResult.isPresent()) {
            final Authentication authentication = authnResult.get();
            final Object clientNames = authentication.getAttributes()
                .getOrDefault(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME, new ArrayList<>());
            final String clientName = CollectionUtils.firstElement(clientNames).map(Object::toString).orElse(StringUtils.EMPTY);
            final Service service = resolveServiceFromRequestContext(context);
            if (isDelegatedClientAuthorizedFor(clientName, service)) {
                LOGGER.debug("An existing single sign-on session already exists. Skipping delegation and routing back to CAS authentication flow");
                prepareForLoginPage(context);
                return resumeWebflow();
            }
        }
        final Service resolvedService = resolveServiceFromRequestContext(context);
        LOGGER.debug("Single sign-on session in unauthorized for service [{}]", resolvedService);
        centralAuthenticationService.deleteTicket(tgt);
    }

    final String clientName = request.getParameter(Pac4jConstants.DEFAULT_CLIENT_NAME_PARAMETER);
    LOGGER.debug("Delegated authentication is handled by client name [{}]", clientName);
    if (hasDelegationRequestFailed(request, response.getStatus()).isPresent()) {
        throw new IllegalArgumentException("Delegated authentication has failed with client " + clientName);
    }

    final String logoutEndpoint = request.getParameter(SAML2ServiceProviderMetadataResolver.LOGOUT_ENDPOINT_PARAMETER);
    final J2EContext webContext = Pac4jUtils.getPac4jJ2EContext(request, response);
    if (StringUtils.isNotBlank(clientName)) {
        final Service service;
        if (StringUtils.isBlank(logoutEndpoint)) {
            service = restoreAuthenticationRequestInContext(context, webContext, clientName);
        } else {
            service = null;
        }
        final BaseClient client = findDelegatedClientByName(request, clientName, service);

        final Credentials credentials;
        try {
 

Re: [cas-user] CAS 5.3.16 loses service reference for SAML SP with ForcedAuth when CAS uses Delegated Auth

2023-11-22 Thread Ray Bon
Justin,

Upgrading very likely will solve this problem (as well as provide a great deal 
more benefit). Customizing old code adds technical debt.

Ray

On Tue, 2023-11-21 at 11:41 -0800, Justin Isenhour wrote:

Hello,

I'm hoping someone may have a suggestion of where I can look for the root of 
this problem.

We are running CAS 5.3.16 and have a mix of authentication handlers set up, 
including several LDAP auth handlers, delegated auth to AzureAD via OIDC, and 
SAML delegated auth to various other IDPs. We have a SAML client that is 
sending an AuthNRequest with ForceAuthn="true" that is not working as expected 
when CAS uses delegated auth.

On the first login request, everything seems to be working fine. If you log 
out of that client application, then log in again, you get prompted for 
authentication as expected, but instead of being redirected back to the 
requested client, CAS directs to the generic success page.

This is only an issue when authentication is done via a delegated authentication 
client; SAML and OIDC both have the same issue. If authentication is done 
directly in CAS via an LDAP auth handler, then the flow works as expected and you 
land back in the app every time.

I have the CAS source code and am pretty familiar with the code (we have been using CAS 
since 3.x), but I haven't been able to pinpoint the issue yet. Anyone have any 
advice or suggestions?

Thanks in advance,
Justin Isenhour


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/55add5b61c720af489344d2ad32d3627b844fb22.camel%40uvic.ca.


Re: [cas-user] Doubt about mappedAttributes configuration in 6.6.13

2023-11-22 Thread Ray Bon
Jorge,

You can map attributes with the retrieval mechanism. 
https://fawnoos.com/2023/10/21/cas70x-dbauthn-tutorial/ shows a jdbc example.
And you can set names on a per service basis, 
https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-Attribute-Release.html
 and links within.

Ray

On Tue, 2023-11-21 at 08:24 -0800, Jorge Bastida wrote:

Good afternoon,

I am finishing the upgrade to 6.6.13 and I have the following properties in my 
cas.properties inherited from the 6.3.7 configuration.

cas.authn.pac4j.saml[0].mappedAttributes[0].name=urn:mace:terena.org:attribute-def:schacHomeOrganization
cas.authn.pac4j.saml[0].mappedAttributes[0].mappedTo=Sir.sHO
cas.authn.pac4j.saml[0].mappedAttributes[1].name=urn:mace:dir:attribute-def:eduPersonAffiliation
cas.authn.pac4j.saml[0].mappedAttributes[1].mappedTo=Sir.ePA
cas.authn.pac4j.saml[0].mappedAttributes[2].name=urn:mace:dir:attribute-def:mail
cas.authn.pac4j.saml[0].mappedAttributes[2].mappedTo=Sir.mail
cas.authn.pac4j.saml[0].mappedAttributes[3].name=urn:mace:dir:attribute-def:uid
cas.authn.pac4j.saml[0].mappedAttributes[3].mappedTo=Sir.uid
cas.authn.pac4j.saml[0].mappedAttributes[4].name=urn:mace:dir:attribute-def:givenName
cas.authn.pac4j.saml[0].mappedAttributes[4].mappedTo=Sir.gn
cas.authn.pac4j.saml[0].mappedAttributes[5].name=urn:mace:dir:attribute-def:sn
cas.authn.pac4j.saml[0].mappedAttributes[5].mappedTo=Sir.sn
cas.authn.pac4j.saml[0].mappedAttributes[6].name=urn:mace:terena.org:attribute-def:schacPersonalUniqueID
cas.authn.pac4j.saml[0].mappedAttributes[6].mappedTo=Sir.sPUID
cas.authn.pac4j.saml[0].mappedAttributes[7].name=urn:mace:terena.org:attribute-def:schacGender
cas.authn.pac4j.saml[0].mappedAttributes[7].mappedTo=Sir.sG

These are not valid in the new version 6.6.13; how could I apply them then?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5b15621b681573ff8d3df1290f468a06668d49d0.camel%40uvic.ca.
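Ray's second pointer (per-service naming) in practice, as an added example that is not configuration from this thread or from the CAS project: a JSON service definition whose ReturnMappedAttributeReleasePolicy releases three of the SAML attributes from Jorge's properties under the short names he was mapping them to. The serviceId, name, numeric id and description are placeholders, and using CasRegisteredService as the service class for 6.6 is an assumption. The attributes still have to be retrieved into the principal by the delegated SAML client first; the release policy only renames what is already there, and anything not listed under allowedAttributes is not released to that service, so the same policy also acts as an allow-list.

```json
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "ExampleApp",
  "id" : 100,
  "description" : "Added example; serviceId, name and id are placeholders",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "urn:mace:terena.org:attribute-def:schacHomeOrganization" : "Sir.sHO",
      "urn:mace:dir:attribute-def:mail" : "Sir.mail",
      "urn:mace:dir:attribute-def:uid" : "Sir.uid"
    }
  }
}
```

With the JSON service registry this goes in the services directory under the usual name-id naming (ExampleApp-100.json); the left-hand keys must match the attribute names exactly as the delegated client stores them in the principal, which is what DEBUG logging of the attribute resolution will show.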


Re: [cas-user] how to custom service registry

2023-11-20 Thread Ray Bon
Night,

This might be the replacement, JpaServiceRegistry
It looks like the docs have not changed the name since the class no longer 
exists.

Ray

On Sat, 2023-11-18 at 06:30 -0800, Night King wrote:

I'm trying to add a custom service registry


package org.apereo.cas.support;

@AutoConfiguration
@EnableConfigurationProperties(CasConfigurationProperties.class)
public class MyConfiguration implements ServiceRegistryExecutionPlanConfigurer {
    @Bean
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    public ServiceRegistryDao serviceRegistry() {
    }

    @Override
    public void configureServiceRegistry(final ServiceRegistryExecutionPlan plan) {
        plan.registerServiceRegistry(serviceRegistry());
    }
}

This is not working; ServiceRegistryDao is not found.



Re: [cas-user] CAS 6.6.9 Hazelcast and Ticket Registry errors

2023-11-14 Thread Ray Bon
Sathish,

Your async-backup-count and backup-count have non default values. Is it 
possible these values are causing hazelcast to consume memory?

Try using default values to see if memory use improves.

You can monitor the JVM with JDK Mission Control or jConsole.

Ray

P.S. To keep your config file as simple as possible, only add properties that 
are set to non default values.

P.P.S. The value for instance-name is usually something human readable and 
applies to all hazelcast members, such as 'cas-preprod' rather than an ip 
address.

On Tue, 2023-11-14 at 09:54 -0800, Sathish Sekar wrote:

Hi Team,

Hazelcast is causing a problem, since we have 3 servers clustered. Earlier we 
had Tomcat memory of 512mb min and max. I posted in the CAS community and they 
suggested increasing memory to max 2gb. It is running fine for 12 days and 
stopped showing heap memory issue. The following were captured during the heap error:
1. Catalina.out.log size is more than 500 mb
2. facing the above hazelcast errors in logs

KINDLY DO NEEDFUL

On Tuesday, November 14, 2023 at 4:11:54 PM UTC+5:30 Sathish Sekar wrote:
Hi Team,

Prod server stopped due to following issues. Kindly help. I'm facing heap 
memory issue for long time :(



Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "hz.10.34.196.43.MetricsRegistry.thread-2"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "NioReceiver[Catalina-Channel]"
cpa-cas.tomcat is down code=28 .
cpa-cas.tomcat is down code=28 .
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "hz.10.34.196.43.MetricsRegistry.thread-1"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "Catalina-utility-1"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "Catalina-utility-2"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "Tribes-MembershipReceiver[Catalina-Channel]"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "idle-timeout-task"
java.lang.OutOfMemoryError: Java heap space
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "Tribes-MembershipReceiver[Catalina-Channel]"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "hz.10.34.196.41.MetricsRegistry.thread-2"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "PooledConnectionFactory@1754546700"
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler 
in thread "Tribes-MembershipSender[Catalina-Channel]"


Caused by: org.springframework.beans.BeanInstantiationException: Failed to 
instantiate [com.hazelcast.core.HazelcastInstance]: Factory method 
'casTicketRegistryHazelcastInstance' threw exception; nested exception is 
java.lang.IllegalStateException: Node failed to start!
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
... 131 more
Caused by: java.lang.IllegalStateException: Node failed to start!
at com.hazelcast.instance.impl.HazelcastInstanceImpl.<init>(HazelcastInstanceImpl.java:126)
at com.hazelcast.instance.impl.HazelcastInstanceFactory.constructHazelcastInstance(HazelcastInstanceFactory.java:217)
at com.hazelcast.instance.impl.HazelcastInstanceFactory.getOrCreateHazelcastInstance(HazelcastInstanceFactory.java:114)
at org.apereo.cas.config.HazelcastTicketRegistryConfiguration.casTicketRegistryHazelcastInstance(HazelcastTicketRegistryConfiguration.java:73)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)

On Thursday, November 2, 2023 at 1:27:56 AM UTC+5:30 Jonathon Taylor wrote:
Not sure why it's complaining about an IP address that's not in your 
configuration.  I wonder if it's picking up a second IP that's configured?  You 
could try setting this:

cas.ticket.registry.hazelcast.cluster.core.instance-name=localhost

Re: [cas-user] Allow REST login, but prohibit web login

2023-11-10 Thread Ray Bon
Ben,

This policy would prevent a login _after_ the REST session was established, 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy-UniquePrincipal.html

There is also a custom groovy script option, 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy-Groovy.html
Not sure if the script has access to the login flow session, and consequently, 
the service.

Other authn policies, 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy.html

Ray

On Fri, 2023-11-10 at 05:08 -0800, Ben P wrote:

Dear CAS-Community,

In our setup we'd like to use the TGT REST mechanism 
(https://apereo.github.io/cas/6.5.x/protocol/REST-Protocol-Request-TicketGrantingTicket.html)
for a specific(!) user (backed by LDAP) but do not allow a web login for this user.

So basically any attempted web login should be ignored by CAS (resp. LDAP) and the 
account should not be locked.

Any ideas to accomplish this?

tnx & regards






Re: [cas-user] Re: Implementing ORCID auth: Problem with cas.authn.pac4j.oauth2[0].profile-url

2023-11-08 Thread Ray Bon
Aleix,

That documentation is _very_ old. There have been a lot of changes to cas since 
2014; not the least of which is the change from org.jasig to org.apereo.
Reading that document may provide some general understanding.

You can increase the logging level [debug|trace] to see what classes are doing. 
Then look at cas source to see what / where to make changes.




Ray


Re: [cas-user] Re: Implementing ORCID auth: Problem with cas.authn.pac4j.oauth2[0].profile-url

2023-11-08 Thread Ray Bon
And this property


warn

Ray

On Wed, 2023-11-08 at 07:44 -0800, Aleix Mariné wrote:


So, I have found this documentation that explains the inner classes used by 
CAS to manage the OAUTH stack.

Should I reimplement this class?

h) OAuth20ProfileController (org.jasig.cas.support.oauth.web)
This controller returns a profile for the authenticated user (identifier + 
attributes), found with the access token (CAS granting ticket).

Do you know which methods do I need to rewrite?
On Wednesday, 8 November 2023 at 15:50:22 UTC+1, Aleix Mariné wrote:

Dear Meysam,

Thank you for your response.

I imagined the possibility of adding a bean that acts as a wrapper for that 
particular endpoint, but I do not know what bean I need to implement... Do you 
have any hint or tip of how this should be implemented? Or where I can find a 
documentation that talks about this process? Do you know any similar examples 
that I can take a look from?

Thank you so much!


Aleix

On Wednesday, 8 November 2023 at 4:25:45 UTC+1, Meysam Shirazi wrote:
I think you need to develop a wrapper API for profile-url like this (a normal 
API): https://www.googleapis.com/oauth2/v3/userinfo, so you can get the uid and 
send it in a custom format to 
https://api.sandbox.orcid.org/v3.0/{uid}/record.

On Tuesday, November 7, 2023 at 5:20:48 PM UTC+3:30 Aleix Mariné wrote:
So I am trying to implement ORCID authentication using three-legged OAUTH which 
uses the OAUTH2 stack.

In the ORCID documentation they explain three calls that can be made, and 
there is also a tutorial on how to get an ORCID ID authenticated.

Authorize request

Provides an authorization code that can be exchanged for an access token and an 
authenticated ORCID iD.

Endpoint: https://sandbox.orcid.org/oauth/authorize
Scope: /authenticate
Response type: code

https://sandbox.orcid.org/oauth/authorize?client_id=APP-UL39T4BGTQ3TNB4L&response_type=code&scope=/authenticate&redirect_uri=REPLACE WITH REDIRECT URI

Token request

Provides an authenticated ORCID iD and an access token that can be used to read 
public information on the record.

Endpoint: https://sandbox.orcid.org/oauth/token
Response type: access token and ORCID iD

curl -i -L -k -H 'Accept: application/json' --data 
'client_id=APP-UL39T4BGTQ3TNB4L&client_secret=187854af-f113-43da-8de5-eeed661aacce&grant_type=authorization_code&redirect_uri=REPLACE WITH REDIRECT URI&code=REPLACE WITH OAUTH CODE' 
https://sandbox.orcid.org/oauth/token

OpenID/Implicit request

Provides an access token that can be used to read public information on the 
record and an id_token using OpenID Connect and client-side only implicit 
OAuth. More information on OpenID Connect.

Endpoint: https://sandbox.orcid.org/oauth/token
Scope: openid
Response type: token

https://sandbox.orcid.org/oauth/authorize?client_id=APP-UL39T4BGTQ3TNB4L&response_type=token&scope=openid&redirect_uri=REPLACE WITH REDIRECT URI

In my CAS I put these properties:
cas.authn.pac4j.oauth2[0].clientName=ORCID
cas.authn.pac4j.oauth2[0].profileVerb=GET
cas.authn.pac4j.oauth2[0].secret=secretID
cas.authn.pac4j.oauth2[0].id=APP-UL39T4BGTQ3TNB4L
cas.authn.pac4j.oauth2[0].auth-url=https://sandbox.orcid.org/oauth/authorize
cas.authn.pac4j.oauth2[0].scope=/authenticate
cas.authn.pac4j.oauth2[0].token-url=https://sandbox.orcid.org/oauth/token
cas.authn.pac4j.oauth2[0].profile-url=https://api.sandbox.orcid.org/v3.0/{user}/record

cas.authn.pac4j.oauth2[0].customParams.response_type=code
cas.authn.pac4j.oauth2[0].customParams.client_id=code
cas.authn.pac4j.oauth2[0].profileAttrs.phone=phone
cas.authn.pac4j.oauth2[0].profileAttrs.id=APP-UL39T4BGTQ3TNB4L
cas.authn.pac4j.oauth2[0].profileAttrs.homeAddress=address

The problem comes from the property token-url. In order to retrieve the data of 
the user, I need to do an API request to the 
direction https://api.sandbox.orcid.org/v3.0/{user}/record; 
the problem is that I do not know how to configure CAS to substitute {user} 
with the User ID that is trying to log in.
For example, let's say that the user 0009-0005-6065-7965 tries to log in. Then 
to retrieve their data I would do a request 
to https://api.sandbox.orcid.org/v3.0/0009-0005-6065-7965/record .
I am also not really sure if I really need to use the user record endpoint, 
since the token request also returns information of the user, but I also do not 

Re: [cas-user] impact of Google Chrome "HTTPS upgrades" on slow http login urls

2023-11-07 Thread Ray Bon
Pascal,

Are you saying that cas redirects to http://foo... and chrome changes the 
protocol to https://foo... ?
And then it only waits 3s for a response???
That sounds like stupid chrome behaviour (but not unexpected).

When serviceValidate is called, it has to be called from https://foo...
Are you sure there was no redirect to cas between the two tries (the ST would 
be different)?

Simplest solution would be to configure your foo web server to change any http 
into https.

Ray

On Tue, 2023-11-07 at 12:44 +0100, 'Pascal Rigaux' via CAS Community wrote:


Hi,

Google Chrome has started trying https when asked for http URLs: 
https://blog.chromium.org/2023/08/towards-https-by-default.html
What is not clearly mentioned is the fallback on http: it will also happen if 
the https response is too slow (3 seconds).

This impacted an application here that works on both https:

https://cas/login?service=http://foo/
   -> 302 http://foo/?ticket=XXX

# Chrome tries https
https://foo/?ticket=XXX
   -> the app calls serviceValidate with ticket=XXX
   -> the app also computes many slow things
   -> after 3s, Chrome aborts (you will see HTTP 499 in server logs)

# Chrome retries in http
http://foo/?ticket=XXX
   -> the app calls serviceValidate with ticket=XXX
   -> which fails

In our case, we did not really want the application to use http.
The problem was due to an http/https reverse proxy in front of an http 
application.
Correctly forcing the application to generate https service URLs (*) fixes the 
issue.

cu


(*) with "SetEnv HTTPS on" for the Drupal

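Pascal's sequence replayed in code, as an added example that is not code from CAS or from the thread: a minimal model of CAS service-ticket handling with the two rules that produce the failure he saw (a service ticket is bound to the service URL it was issued for, and it is single-use, so the first serviceValidate consumes it). The hostnames, the ticket format and the MiniCas/replay_chrome_upgrade names are constructed for the example.

```python
"""Added example, not code from CAS or from the thread: a minimal model of CAS
service-ticket (ST) handling that replays the exchange described above and
shows why the http retry fails.

Two CAS rules do the work:
  * an ST is bound to the exact service URL it was issued for, and
  * an ST is single-use: the first /serviceValidate consumes it.
The hostnames (cas, foo) and the ticket format are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class ServiceTicket:
    service: str          # service URL the ST was granted for
    consumed: bool = False


@dataclass
class MiniCas:
    """Just enough of a CAS server: /login issues an ST, /serviceValidate checks it."""
    tickets: dict = field(default_factory=dict)

    def login(self, service: str) -> str:
        """Return the Location header of the 302 CAS sends after login."""
        st = "ST-" + secrets.token_urlsafe(12)
        self.tickets[st] = ServiceTicket(service)
        return f"{service}?ticket={st}"

    def service_validate(self, service: str, ticket: str) -> str:
        """Return 'OK' or the CAS error code a real server would answer with."""
        t = self.tickets.get(ticket)
        if t is None or t.consumed:
            return "INVALID_TICKET"   # unknown, or already validated once
        if t.service != service:
            return "INVALID_SERVICE"  # granted to a different service URL
        t.consumed = True
        return "OK"


def ticket_from(location: str) -> str:
    """Pull the ticket parameter out of a redirect Location."""
    return parse_qs(urlparse(location).query)["ticket"][0]


def replay_chrome_upgrade(cas: MiniCas, app_service_url: str, app_is_slow: bool) -> list:
    """Replay the browser/app exchange from the thread; return the validation
    results the application saw, in order.

    app_service_url is the URL the application advertises to CAS.  With an http
    URL, Chrome first tries the https variant; if the app is slow, Chrome
    aborts after 3 s and retries over plain http with the same ticket.
    """
    results = []
    location = cas.login(app_service_url)       # 302 to <service>?ticket=ST-...
    st = ticket_from(location)
    # Whether http or https, the app validates the ticket once on arrival.
    results.append(cas.service_validate(app_service_url, st))
    if location.startswith("http://") and app_is_slow:
        # Chrome's upgrade attempt timed out (HTTP 499 in the app's logs); the
        # retry over http presents the same, now consumed, ticket.
        results.append(cas.service_validate(app_service_url, st))
    return results


if __name__ == "__main__":
    print(replay_chrome_upgrade(MiniCas(), "http://foo/", app_is_slow=True))   # ['OK', 'INVALID_TICKET']
    print(replay_chrome_upgrade(MiniCas(), "https://foo/", app_is_slow=True))  # ['OK']
```

The model also shows why "just validate against the https URL instead" is not a fix on its own: a ticket issued for http://foo/ and validated with service=https://foo/ is rejected as INVALID_SERVICE, which is the behaviour Ray alludes to when he says serviceValidate has to be called from the same https://foo... URL. The service URL has to be https from the login request onwards.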


Re: [cas-user] CAS 6.6.x CSS with SSL Offload

2023-11-03 Thread Ray Bon
I see /css/** in my startup but not /themes/**. That could be because we have 
no custom theme.
Could it be a problem with a rewrite rule in VIP?

Ray

On Fri, 2023-11-03 at 07:24 -0700, atilling wrote:


There is nothing on the VIP that specifies any security for any URI.


The developer console shows that cas.css is redirecting to cas.css,

[Screenshot 2023-11-03 at 10.22.53 AM.png]

During startup I'm seeing:

INFO [org.springframework.security.web.DefaultSecurityFilterChain] - 



On Thursday, November 2, 2023 at 3:22:24 PM UTC-4 Ray Bon wrote:
Is it possible that vip...themes is protected/secured and needs login to access?
Check your developer console to see where the redirects are going.
Check cas logs to see which URIs are unprotected (shows on startup).

Ray

On Thu, 2023-11-02 at 09:24 -0700, atilling wrote:

Offloading SSL to F5 BigIP.
In cas.properties we have:
server.port=8080
server.ssl.enabled=false

If we go to https://node.domain.tld:8080/cas/login the page displays fine and 
the CSS is loaded.

If we go to https://vip.domain.tld/cas/login the page displays but the CSS is 
not loaded.

https://node.domain.tld:8080/cas/login/themes/cc_main/css/cas.css loads fine.

https://vip.domain.tld/cas/login/themes/cc_main/css/cas.css throws the error 
ERR_TOO_MANY_REDIRECTS.

Tried adding
server.tomcat.remoteip.port-header=x-forwarded-port
server.tomcat.remoteip.protocol-header=x-forwarded-proto
server.tomcat.remoteip.remote-ip-header=x-forwarded-for

And there was no change.



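The redirect loop in this thread, modelled as an added example that is not code from CAS, Tomcat or the thread: a backend that insists on https, sitting behind an offloading VIP that always speaks plain http to it. Without a trusted X-Forwarded-Proto the backend redirects every request to the https URL the browser is already on, and the browser gives up with ERR_TOO_MANY_REDIRECTS. The addresses, hostnames, redirect limit and function names are constructed for the example.

```python
"""Added example, not code from CAS, Tomcat or the thread: why SSL offload in
front of a plain-http connector loops into ERR_TOO_MANY_REDIRECTS, and what
honouring X-Forwarded-Proto from a trusted proxy changes.

Addresses, hostnames and the redirect limit are constructed for the example.
"""
import ipaddress

VIP_ADDRESS = "10.0.0.5"          # the VIP as the backend sees it (assumed)
BACKEND_HOST = "vip.domain.tld"   # public name from the thread


def effective_scheme(headers: dict, remote_addr: str, trusted_proxies: list) -> str:
    """Scheme the backend should believe the client used.

    Same rule Tomcat's RemoteIp handling applies: X-Forwarded-Proto counts
    only when the immediate peer is a trusted proxy; otherwise the backend
    trusts nothing but what its own connector saw (plain http on :8080 here).
    Blindly trusting the header would let any client claim https.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = any(peer in ipaddress.ip_network(net) for net in trusted_proxies)
    forwarded = headers.get("x-forwarded-proto", "").lower()
    if trusted and forwarded in ("http", "https"):
        return forwarded
    return "http"


def backend(path: str, headers: dict, remote_addr: str, trusted_proxies: list):
    """Backend that requires https: returns (status, location)."""
    if effective_scheme(headers, remote_addr, trusted_proxies) != "https":
        return 302, f"https://{BACKEND_HOST}{path}"
    return 200, None


def browse(path: str, proxy_sets_header: bool, trusted_proxies: list, max_redirects: int = 20):
    """Simulate a browser behind an offloading VIP.

    The browser always speaks https to the VIP; the VIP always speaks http to
    the backend and, if configured, adds X-Forwarded-Proto: https.
    Returns ('OK', hops) or ('ERR_TOO_MANY_REDIRECTS', hops).
    """
    headers = {"x-forwarded-proto": "https"} if proxy_sets_header else {}
    hops = 0
    while True:
        status, location = backend(path, headers, VIP_ADDRESS, trusted_proxies)
        if status == 200:
            return "OK", hops
        hops += 1
        if hops > max_redirects:
            return "ERR_TOO_MANY_REDIRECTS", hops
        # The redirect target is the https URL the browser already used; the
        # VIP presents it to the backend as plain http again.
        path = location[len(f"https://{BACKEND_HOST}"):]


if __name__ == "__main__":
    css = "/cas/login/themes/cc_main/css/cas.css"
    print(browse(css, proxy_sets_header=False, trusted_proxies=["10.0.0.0/8"]))
    print(browse(css, proxy_sets_header=True, trusted_proxies=["10.0.0.0/8"]))
    print(browse(css, proxy_sets_header=True, trusted_proxies=["192.168.0.0/16"]))
```

The third call is the case worth checking in atilling's setup: the server.tomcat.remoteip.* properties only take effect for connections from addresses matching server.tomcat.remoteip.internal-proxies, whose default covers the private ranges (10/8, 172.16/12, 192.168/16, 169.254/16, 127/8 and IPv6 loopback). If the F5 connects from an address outside that set, the forwarded headers are silently ignored and the loop persists even though the properties look right; the other half is confirming on the F5 side that it actually inserts X-Forwarded-Proto on the way to the node.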


Re: [cas-user] Re: No generated SAML metadata after migration

2023-11-02 Thread Ray Bon
Mohamed,

I have not used JPA for any cas config.
The metadata should be in some table in the datastore. See 
https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-DynamicMetadata-JPA.html

Ray

On Thu, 2023-11-02 at 20:28 +0100, Mohamed Amdouni wrote:

Thank you Ray for your response.

In previous versions the two dependencies are present. So I would like to keep 
the top options if possible.

I think there is a problem getting the service locator or the generator 
bean when the two dependencies are present.

When keeping only JPA, do you know where to find the default IdP SAML metadata?


Best regards

On Thu, 2 Nov 2023 at 20:22, Ray Bon <r...@uvic.ca> wrote:
Mohamed,

jpa is an alternative to file system storage (default). Services can use the 
file system as well.
If you do not need/use it, remove it.

Ray

On Thu, 2023-11-02 at 18:24 +0100, Mohamed Amdouni wrote:

Hello,

When removing saml-idp-metadata-jpa from the dependencies I'm able to 
generate the IdP metadata from the endpoint /idp/metadata and files are 
generated on startup (IdP metadata and certs) in the folder /cas/saml.

Is it wrong to keep both idp-metadata and idp-metadata-jpa? As I understand, 
JPA is used for per-service metadata, which is not the case for me. My CAS 
server is acting as a SAML IdP. The dependencies were already present in the old 
version 5.3.

Thank you for your help.

Best regards.

On Tue, 31 Oct 2023 at 18:19, Mohamed Amdouni <me.amdo...@gmail.com> wrote:
Hi,

Update : when requesting the /idp/metadata I get a null pointer exception 
because the registered service is null.

I checked the required properties for saml like entity id etc and they are all 
specified …

Thank you in advance

On Fri, 27 Oct 2023 at 18:02, Mohamed Amdouni <me.amdo...@gmail.com> wrote:
Hello,

I'm migrating CAS from 5.X to 6.6.12.

So I created a new template from CAS Initializr and tried to apply the 
properties in cas.properties.

Actually the server is started with the Ready message.

The authentication with an ldap user is OK.

But when testing cas as a SAML Idp, I have some issues:
1- The metadata of the IDP is not generated with the message : 


I configured the properties :
cas.authn.saml-idp.core.entity-id (this property has moved to core package)
cas.authn.saml-idp.metadata.file-system.location=/d:/mydir/etc/cas/saml

I notice that when activating the TRACE log, I see an exception on 
RandomUtils: NativePRNGNonBlocking SecureRandom not available. I think it's 
related to the Windows machine. I'm testing on a local machine before deploying.


Is it related to the problem of generating the IdP metadata?

I tried to place the old version metadata without success: the URL 
/cas/saml/metadata does not generate the metadata, with a NullPointerException at 
SamlIdPMetadataController:61.

Any idea?
Thanks.











Re: [cas-user] CAS 6.6.9

2023-10-31 Thread Ray Bon
Sathish,

I was not able to find recommended memory requirements in cas docs. This guide 
has a suggestion 
https://paulchauvet.github.io/deploying-cas/setting-up-the-environment/tomcat/systemd-service/

Memory is cheap, I would start at 2G. See tomcat docs to configure this.

Cas also has some performance testing options 
https://apereo.github.io/cas/6.6.x/high_availability/High-Availability-Performance-Testing.html

Ray

On Tue, 2023-10-31 at 03:10 -0700, Sathish Sekar wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Earlier I was using CAS 6.3.7.4; at that time we had the Tomcat server with minimum 512 
and maximum 512 memory. But when I upgraded to 6.6.9 it is showing 
java.lang.OutOfMemoryError: Java heap space when I deployed in clustered 
servers. Can you provide more suggestions?

On Tuesday, October 31, 2023 at 12:33:42 AM UTC+5:30 Sathish Sekar wrote:
Thanks Mohamed Amdouni. I'll give a try

On Monday, October 30, 2023 at 10:23:38 PM UTC+5:30 Mohamed Amdouni wrote:
Hello, try to give more memory (set the Xmx JVM property); 512 is very low in my 
opinion.
Best regards.


Le lun. 30 oct. 2023 à 17:45, Sathish Sekar  a écrit :
Hi Team,

I have upgraded CAS 6.3.7.4 to 6.6.9. After deployment I'm getting 
java.lang.OutOfMemoryError: Java heap space and the server is getting stopped. It is 
a standalone application running in 3 clustered servers. Tomcat Catalina opts 
memory min 512 and max 512. I don't find any exceptions in the logs. But my 
catalina.out.log is crossing more than 500MB in usage. Kindly do the needful. 
Please find the logs below.

[290380.058s][info][gc] GC(50184) Pause Full (G1 Evacuation Pause) 
510M->510M(512M) 469.263ms
[290380.538s][info][gc] GC(50185) Pause Full (G1 Evacuation Pause) 
510M->510M(512M) 480.044ms
[290380.540s][info][gc] GC(50180) Concurrent Cycle 1473.486ms
[290380.546s][info][gc] GC(50186) Pause Young (Normal) (G1 Evacuation Pause) 
510M->510M(512M) 4.905ms
[290381.023s][info][gc] GC(50187) Pause Full (G1 Evacuation Pause) 
510M->510M(512M) 476.467ms
[290381.498s][info][gc] GC(50188) Pause Full (G1 Evacuation Pause) 
510M->510M(512M) 474.670ms
java.lang.OutOfMemoryError: Java heap space
Dumping heap to /appdumps/cpa-cas.tomcat/java_pid9527.hprof ...
[290381.580s][info][gc] GC(50189) Pause Young (Concurrent Start) (G1 Evacuation 
Pause) 510M->510M(512M) 7.915ms
[290381.588s][info][gc] GC(50191) Concurrent Cycle
[290382.097s][info][gc] GC(50190) Pause Full (G1 Evacuation Pause) 
510M->510M(512M) 516.300ms
[290382.098s][info][gc] GC(50191) Concurrent Cycle 509.166ms
2023-10-30 07:01:45,456 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
Final collection of attributes allowed are: 
[{CN=[01786fef-9779-4370-ba5a-1502e4841cdf], 
uid=[01786fef-9779-4370-ba5a-1502e4841cdf]}]
2023-10-30 07:01:45,457 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN
=
WHO: ceja.ste...@gmail.com
WHAT: {result=Service Access Granted, 
service=https://cp.mercuryinsurance.com/customer/, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Oct 30 07:01:45 PDT 2023
CLIENT IP ADDRESS: 23.206.195.119,2603:8001:4bf0:12b0:85d2:65:b0be:654b
SERVER IP ADDRESS: 10.34.196.41
=


[290382.109s][info][gc] GC(50192) To-space exhausted


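
An added example, not code from the thread or from CAS: the GC lines Sathish posted are 
the unified-logging (-Xlog:gc) format, and the tell-tale pattern is already in them. 
Every Full GC goes 510M->510M on a 512M heap, i.e. reclaims nothing, and the pauses sit 
back to back, so the JVM is spending almost all of its wall time collecting. The script 
below parses such lines, measures the longest run of pauses that leave the heap saturated 
and the share of time spent paused, and returns a verdict. The sample input is the 
thread's own lines rejoined where the mail client wrapped them; the 95% occupancy 
threshold and the "three Full GCs in a saturated run" rule are this script's choices, not 
anything from CAS or the JVM.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One pause line of unified JVM GC logging (-Xlog:gc), the format posted above. Note that
# the uptime stamp is written when the pause *ends*, not when it starts.
PAUSE_RE = re.compile(
    r"\[(?P<uptime>\d+\.\d+)s\]\[info\]\[gc\] GC\((?P<gc_id>\d+)\) "
    r"Pause (?P<kind>Full|Young).*? "
    r"(?P<before>\d+)M->(?P<after>\d+)M\((?P<capacity>\d+)M\) (?P<pause_ms>\d+\.\d+)ms"
)

# Sample input: the GC lines from the thread above, rejoined where the mail client wrapped
# them, with two of the interleaved non-GC lines kept to show how they are treated.
SAMPLE_LOG = """\
[290380.058s][info][gc] GC(50184) Pause Full (G1 Evacuation Pause) 510M->510M(512M) 469.263ms
[290380.538s][info][gc] GC(50185) Pause Full (G1 Evacuation Pause) 510M->510M(512M) 480.044ms
[290380.540s][info][gc] GC(50180) Concurrent Cycle 1473.486ms
[290380.546s][info][gc] GC(50186) Pause Young (Normal) (G1 Evacuation Pause) 510M->510M(512M) 4.905ms
[290381.023s][info][gc] GC(50187) Pause Full (G1 Evacuation Pause) 510M->510M(512M) 476.467ms
[290381.498s][info][gc] GC(50188) Pause Full (G1 Evacuation Pause) 510M->510M(512M) 474.670ms
java.lang.OutOfMemoryError: Java heap space
Dumping heap to /appdumps/cpa-cas.tomcat/java_pid9527.hprof ...
[290381.580s][info][gc] GC(50189) Pause Young (Concurrent Start) (G1 Evacuation Pause) 510M->510M(512M) 7.915ms
[290381.588s][info][gc] GC(50191) Concurrent Cycle
[290382.097s][info][gc] GC(50190) Pause Full (G1 Evacuation Pause) 510M->510M(512M) 516.300ms
[290382.098s][info][gc] GC(50191) Concurrent Cycle 509.166ms
[290382.109s][info][gc] GC(50192) To-space exhausted
"""


@dataclass(frozen=True)
class GcPause:
    uptime_s: float      # JVM uptime when the pause finished
    gc_id: int
    kind: str            # "Full" or "Young"
    before_mb: int
    after_mb: int
    capacity_mb: int
    pause_ms: float

    @property
    def occupancy_after(self) -> float:
        return self.after_mb / self.capacity_mb


def parse_gc_log(text: str) -> Tuple[List[GcPause], Dict[str, int]]:
    """Pause records plus counts of the two markers that matter here: the G1 'To-space
    exhausted' line and the OutOfMemoryError itself. Concurrent-cycle lines are ignored."""
    pauses: List[GcPause] = []
    markers = {"to_space_exhausted": 0, "out_of_memory": 0}
    for line in text.splitlines():
        m = PAUSE_RE.search(line)
        if m:
            pauses.append(GcPause(float(m["uptime"]), int(m["gc_id"]), m["kind"],
                                  int(m["before"]), int(m["after"]), int(m["capacity"]),
                                  float(m["pause_ms"])))
        elif "To-space exhausted" in line:
            markers["to_space_exhausted"] += 1
        elif "java.lang.OutOfMemoryError" in line:
            markers["out_of_memory"] += 1
    return pauses, markers


def diagnose(text: str, occupancy_threshold: float = 0.95, min_full_in_run: int = 3) -> Dict[str, object]:
    """Heap-exhaustion verdict: a run of consecutive pauses that all leave the heap above the
    threshold, containing at least min_full_in_run Full GCs, or any explicit marker."""
    pauses, markers = parse_gc_log(text)
    best_run = best_full = run = full_in_run = 0
    for p in pauses:
        if p.occupancy_after >= occupancy_threshold:
            run += 1
            full_in_run += p.kind == "Full"
        else:
            run = full_in_run = 0
        best_run, best_full = max(best_run, run), max(best_full, full_in_run)
    # Share of wall time spent paused. Stamps mark the end of a pause, so the window
    # starts at the start of the first pause and ends at the end of the last one.
    gc_share = 0.0
    if len(pauses) >= 2:
        window_s = pauses[-1].uptime_s - (pauses[0].uptime_s - pauses[0].pause_ms / 1000)
        if window_s > 0:
            gc_share = sum(p.pause_ms for p in pauses) / 1000 / window_s
    exhausted = best_full >= min_full_in_run or any(markers.values())
    return {
        "full_pauses": sum(p.kind == "Full" for p in pauses),
        "young_pauses": sum(p.kind == "Young" for p in pauses),
        "longest_saturated_run": best_run,
        "full_in_saturated_run": best_full,
        "gc_time_share": gc_share,
        "markers": markers,
        "verdict": "heap-exhausted" if exhausted else "ok",
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the thread's lines this reports five Full and two Young pauses, all seven in one 
saturated run, and roughly 97% of the window spent paused, which is the "heap too small 
for this version" signal well before the OutOfMemoryError line appears.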


Re: [cas-user] Strange delegated SAML Error on RHEL (CAS6.4.6.6)

2023-10-24 Thread Ray Bon
Yan,

Does samlkeystore exist and is writable (same for path to sp metadata)?
But there should be no metadata file when cas starts if you want it to be 
generated.

You can also create metadata manually, see 
https://www.samltool.com/sp_metadata.php

Ray

On Tue, 2023-10-24 at 13:15 -0700, Yan Zhou wrote:
Hi there,

I am using CAS 6.4.6.6 for delegated authN using SAML; CAS delegates authN to 
Okta. I run into a strange error: on Windows this works fine (i.e., once I 
point to /cas/login, it generates SP metadata and keystore), but on Linux CAS 
does not generate the SP metadata and SP keystore. I am not sure why. I did not 
see any error in the logs.

This is the portion of relevant cas.properties.

cas.authn.saml-idp.core.entity-id= https://qa...com/idp
cas.authn.saml-idp.metadata.fileSystem.location=file:///opt/jboss/ssoconf/idpmetadata
cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://qa...com/cas/samlsp
cas.authn.pac4j.saml[0].clientName=Okta
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/jboss/ssoconf/samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1..8.okta.com/app/e...b5d7/sso/saml/metadata
cas.authn.pac4j.saml[0].useNameQualifier=false
cas.authn.pac4j.saml[0].signAuthnRequest=true
cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true



On Windows (it says: Initializing: SAML2Client), then it generates the keystore and 
SP metadata.

==

>

2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] 
[org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - https://localhost:8443/cas/login | urlResolver: null | 
callbackUrlResolver:org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@59d1889c
 | ajaxRequestResolver: null | redirectionActionBuilder: null | 
credentialsExtractor: null | authenticator: null | 
profileCreator:org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4ddff72c
 | 
logoutActionBuilder:org.pac4j.core.logout.NoLogoutActionBuilder@1d8000ee
 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>



2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] 
[org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper] - 



2023-10-24 16:05:23,318 DEBUG [https-openssl-nio-8443-exec-7] 
[org.pac4j.core.util.InitializableObject] - 



2023-10-24 16:05:23,321 INFO [https-openssl-nio-8443-exec-7] 
[org.pac4j.saml.config.SAML2Configuration] - https://localhost:8443/cas/samlsp>



2023-10-24 16:05:23,321 DEBUG [https-openssl-nio-8443-exec-7] 
[org.pac4j.core.util.InitializableObject] - 



2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] 
[org.pac4j.saml.config.SAML2Configuration] - 



2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] 
[org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - 



2023-10-24 16:05:23,435 INFO [https-openssl-nio-8443-exec-7] 
[org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - 


On Linux, notice it says: Initializing: RefreshableDelegatedClients. Not 
sure why it does not recognize it is a SAML2Client. Any idea?

Thanks,

==

2023-10-24 15:59:35,488 DEBUG [main] 
[org.apereo.cas.support.pac4j.authentication.DefaultDelegatedClientFactory] - 
https://qacom/cas/login | urlResolver: null | callbackUrlResolver: 
org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb
 | ajaxRequestResolver: null | redirectionActionBuilder: null | 
credentialsExtractor: null | authenticator: null | profileCreator: 
org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b
 | logoutActionBuilder: 
org.pac4j.core.logout.NoLogoutActionBuilder@241532d3
 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]>



2023-10-24 15:59:35,489 DEBUG [main] 
[org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - https://qacom/cas/login | urlResolver: null | callbackUrlResolver: 
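
An added example, not code from the thread, from CAS or from pac4j: a pre-flight check for 
the two questions in Ray's reply, run as the account CAS runs under. It reads the 
cas.authn.pac4j.saml[N].* keys out of a cas.properties text, accepts kebab-case or camelCase 
names the way Spring does, and for each client asks whether the keystore and SP metadata 
can be written where they are configured, whether a stale SP metadata file is already 
there (which would stop a fresh one being generated), and whether a local IdP metadata 
file is readable. The properties text is the snippet posted above, elided values kept as 
posted; the demo() scenario with its temp directory and https://idp.example.test URL is 
constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Sample input: the cas.properties lines posted above, elided values kept as posted.
SAMPLE_PROPERTIES = """\
cas.authn.saml-idp.core.entity-id= https://qa...com/idp
cas.authn.saml-idp.metadata.fileSystem.location=file:///opt/jboss/ssoconf/idpmetadata
cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://qa...com/cas/samlsp
cas.authn.pac4j.saml[0].clientName=Okta
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/jboss/ssoconf/samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1..8.okta.com/app/e...b5d7/sso/saml/metadata
"""

CLIENT_KEY_RE = re.compile(r"^cas\.authn\.pac4j\.saml\[(\d+)\]\.(.+)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments, no continuations."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def saml_clients(props: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """Group cas.authn.pac4j.saml[N].* keys by N; kebab-case names are folded to camelCase
    so that keystore-path and keystorePath land on the same entry, as Spring binds them."""
    clients: Dict[int, Dict[str, str]] = {}
    for key, value in props.items():
        m = CLIENT_KEY_RE.match(key)
        if m:
            name = re.sub(r"-([a-z])", lambda x: x.group(1).upper(), m.group(2))
            clients.setdefault(int(m.group(1)), {})[name] = value
    return clients


def local_path(value: str) -> Path:
    """Strip Spring's file: resource prefix; callers skip http(s): values before calling this."""
    return Path(re.sub(r"^file:(//)?", "", value))


def check_client(idx: int, cfg: Dict[str, str]) -> List[str]:
    """Findings for one delegated client. os.access() answers for the *current* user, so run
    this as the service account; as root every directory looks writable."""
    tag = f"saml[{idx}]"
    findings: List[str] = []
    for prop, what in (("keystorePath", "keystore"), ("serviceProviderMetadataPath", "SP metadata")):
        value = cfg.get(prop)
        if not value:
            findings.append(f"{tag}: {prop} is not set")
            continue
        path = local_path(value)
        if path.is_file():
            if not os.access(path, os.R_OK):
                findings.append(f"{tag}: {path} exists but is not readable")
            elif prop == "serviceProviderMetadataPath":
                findings.append(f"{tag}: {path} already exists, so no new SP metadata will be "
                                f"generated; remove it if you expect generation")
        elif not path.parent.is_dir():
            findings.append(f"{tag}: directory {path.parent} does not exist, so the {what} cannot be written")
        elif not os.access(path.parent, os.W_OK):
            findings.append(f"{tag}: directory {path.parent} is not writable, so the {what} cannot be generated")
    idp = cfg.get("identityProviderMetadataPath", "")
    if idp and not idp.startswith(("http://", "https://")):
        p = local_path(idp)
        if not (p.is_file() and os.access(p, os.R_OK)):
            findings.append(f"{tag}: IdP metadata {p} is missing or unreadable")
    return findings


def check_all(properties_text: str) -> Dict[int, List[str]]:
    return {idx: check_client(idx, cfg)
            for idx, cfg in saml_clients(parse_properties(properties_text)).items()}


def demo() -> Dict[int, List[str]]:
    """Constructed scenario in a temp directory: client 0 has an empty, writable directory
    (a clean first start); client 1 has a stale sp-metadata.xml and a keystore directory that
    does not exist, the two situations the reply above asks about."""
    root = Path(tempfile.mkdtemp(prefix="cas-sp-check-"))
    (root / "samlsp").mkdir()
    (root / "stale").mkdir()
    (root / "stale" / "sp-metadata.xml").write_text("<EntityDescriptor/>")
    text = f"""
cas.authn.pac4j.saml[0].keystore-path={root}/samlsp/samlkeystore
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file://{root}/samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://idp.example.test/metadata
cas.authn.pac4j.saml[1].keystorePath={root}/missing/samlkeystore
cas.authn.pac4j.saml[1].serviceProviderMetadataPath={root}/stale/sp-metadata.xml
cas.authn.pac4j.saml[1].identityProviderMetadataPath=https://idp.example.test/metadata
"""
    return check_all(text)


if __name__ == "__main__":
    for idx, findings in demo().items():
        print(f"saml[{idx}]:", findings or ["ok"])
```

Point it at the real cas.properties with check_all(open(path).read()) on the Linux host; a 
clean result there, while generation still does not happen, rules out the filesystem and 
leaves the client initialisation itself as the place to look.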

Re: [cas-user] CAS management overlay broken

2023-10-18 Thread Ray Bon
Aleix,

The second repo is the one you want. It has a 6.6 branch as most recent.
Assuming you have checked out the 6.6 branch, it will build with
./gradlew clean build

It is better to post log messages as text rather than images. One, it is 
searchable; Two, images are hard to see in a desktop email client (maybe I am 
the last one on the desktop).

Ray

On Wed, 2023-10-18 at 07:52 -0700, Aleix Mariné wrote:
So I was following the official guide to use the CAS management 
overlay
 with my CAS instance.

The guide tells you to clone this 
repository. But it is 
archived and on the previous version of the CAS management software. I tried to 
run the software and I cannot even build it. Is it broken or is it something that 
I am doing wrong on my side? I attach here the debug log of the error:

[Screenshot-2023-10-18-16:35:44.png]

I tried to fork another repo 
that apparently contained (also) the CAS management overlay, but this time the 
version used is more recent (6.3) and is not archived. When I try to build it, 
Gradle tells me that it cannot find the pom in the central Maven repository (the 
link is actually broken). Here I attach a photo of the log:

[Screenshot-2023-10-18-16:39:38.png]

So, am I doing something wrong? What is the correct way to configure an overlay 
for my CAS server?

Thank you for this project.


Aleix




Re: [cas-user] Re: standalone configuration security

2023-10-16 Thread Ray Bon
Andrew,

iterations is used in 
apereo/cas/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/support/CasConfigurationJasyptCipherExecutor.java

iteration is used in 
apereo/cas/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/config/standalone/StandaloneConfigurationSecurityProperties.java

So it looks like the property was changed in one location (the second path 
above) which generates the 'failed to bind' message, but not the first path 
above.


Ray

On Fri, 2023-10-13 at 09:05 -0700, Andrew Marker wrote:
Hi all,

In 6.6 this still doesn't work as documented: 6.6x / Configuration / Securing 
Configuration 
Properties<https://apereo.github.io/cas/6.6.x/configuration/Configuration-Properties-Security-CAS.html#casstandaloneconfigurationsecurityiterationPropertyConfig>.


  * If you use iteration (as documented) OUTCOME: failure when the first 
    encrypted property is accessed: CAS shuts down.
  * If you use iterations OUTCOMES: success
    * property is read and encrypted properties are decrypted during the 
      initialization of CAS when they are accessed.
    * An error message is written to the log

I have tested this passing it through at startup.

export CAS_STANDALONE_CONFIGURATION_SECURITY_ITERATION=35

or

--cas.standalone.configuration-security.iteration=35


When i use iterations it does, unless the iteration value is actually wrong.

I have been told that the unit test for this passes: great.  It doesn't 
actually mean at run time it functions as expected.


On Wednesday, September 7, 2022 at 5:03:10 PM UTC-5 Ray Bon wrote:
Andrew,

CamelCase or kebab-case does not matter, Spring handles both (kebab is newer).
The options should have the same name regardless of where they are set. What 
differs is when they are processed during startup. Some other step is getting 
in the way for the property file, but it sounds like the developers know there 
is a problem with that 'other step'.

Ray

On Wed, 2022-09-07 at 13:02 -0700, Andrew Marker wrote:
Hi Ray,

Thanks for the response.

I initially found the issue I have described and provided the messages for when 
I was running v6.3.7.4. It was not related to that version, but it was at that 
point I was trying for the first time to encrypt properties.

I reached out to Unicon (in March 2022), with whom my organization contracts 
for open source support. I was looking for help to encrypt properties and 
I was trying to follow the guidance I could find in the CAS documentation.

After beginning the conversation much the way you have, by identifying the 
properties as they are documented, we finally got beyond the point where we just 
refer to the documentation or the code references and through testing 
re-affirmed the failure I am describing.

I was told that it will be fixed in a future version, an answer that satisfied 
my need as I could continue to leverage the camelCase as described in the quasi-
official CAS how-to 
blog<https://fawnoos.com/2019/05/08/cas61x-jasypt-encryption/>. Today, in 
v6.5.9 it still works with camelCase.

I'm trying to surface the issue now because with the move to v6.5.9 during my 
review the error message appeared at startup.

-- You cannot use the property as 
documented<https://apereo.github.io/cas/6.5.x/configuration/Configuration-Properties-Security.html#standalone>
 or as referred to in the class you sent. It just does not work when placed in 
a commandLineArgs collection.


If I use:

--cas.standalone.configuration-security.iterations=999
--cas.standalone.configurationSecurity.iterations=999


2022-09-07 14:39:35,708 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 


2022-09-07 14:39:35,710 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 


2022-09-07 14:39:35,710 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 


2022-09-07 14:39:35,717 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 




2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - 


2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - 


2022-09-07 14:39:38,303 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - 


2022-09-07 14:39:38,319 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 



When I use what is documented:

--cas.standalone.configuration-security.iteration=999

2022-09-07 14:32:13,852 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 


2022-09-07 14:32:13,853 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 


2022-09-07 14:32:13,853 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - 


  NO ITERATOR Picked up

...

2022-09-07 
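
An added example, not code from the thread, from CAS or from Spring, to make the two 
findings above concrete. Spring Boot's relaxed binding compares property names element by 
element in a "uniform" form (lower case, letters and digits only), which is why 
configuration-security, configurationSecurity and CONFIGURATION_SECURITY are the same key 
to it; it does nothing about a different word, so iteration and iterations stay two 
different keys whatever the casing. The script canonicalises the spellings tried in the 
messages above (the properties-file key and the two --name=value arguments), groups them, 
and reports which group binds to a documented key and how far the others are from the 
nearest one. The "documented" list holds the spelling linked above plus two sibling keys 
assumed here only to give the near-miss search something to compare against; the uniform 
form is this script's re-implementation of the rule, not Spring's code.

```python
import re
from typing import Dict, Iterable, List

# Sample input: the documented spelling linked in the thread, plus two sibling keys assumed
# here only so that the nearest-match search has alternatives.
DOCUMENTED_KEYS = [
    "cas.standalone.configuration-security.iteration",
    "cas.standalone.configuration-security.alg",
    "cas.standalone.configuration-security.psw",
]

# Sample input: the spellings tried in the messages above, one in a properties file and
# two as command-line arguments.
SAMPLE_PROPERTIES = "cas.standalone.configuration-security.iteration=999\n"
SAMPLE_ARGV = [
    "--cas.standalone.configuration-security.iterations=999",
    "--cas.standalone.configurationSecurity.iterations=999",
]


def uniform_name(key: str) -> str:
    """Relaxed binding compares names element by element in 'uniform' form: lower case with
    everything but letters and digits dropped, [n] indices kept as elements of their own.
    kebab-case, camelCase and UPPER_CASE of one property therefore collide, while a
    different word (iteration vs iterations) stays a different property. The dotted string
    returned here is this script's comparison key, not how Spring prints the name."""
    elements: List[str] = []
    for element in key.strip().split("."):
        for part in re.split(r"(\[\d+\])", element):
            if not part:
                continue
            elements.append(part if part.startswith("[") else re.sub(r"[^a-z0-9]", "", part.lower()))
    return ".".join(elements)


def collect_keys(properties_text: str, argv: Iterable[str]) -> List[str]:
    """Property names from a .properties text and from --name=value arguments."""
    keys: List[str] = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            keys.append(line.split("=", 1)[0].strip())
    for arg in argv:
        if arg.startswith("--") and "=" in arg:
            keys.append(arg[2:].split("=", 1)[0])
    return keys


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used only to name the nearest documented key."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(keys: Iterable[str], documented: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Group the supplied spellings by uniform name. A group that equals a documented name
    binds; otherwise report the nearest documented name and how far off it is, a gap that
    relaxed binding will not bridge however the key is cased or hyphenated."""
    doc = {uniform_name(k): k for k in documented}
    groups: Dict[str, List[str]] = {}
    for k in keys:
        groups.setdefault(uniform_name(k), []).append(k)
    report: Dict[str, Dict[str, object]] = {}
    for uni, spellings in groups.items():
        if uni in doc:
            report[uni] = {"spellings": spellings, "binds_to": doc[uni], "distance": 0}
        else:
            nearest = min(doc, key=lambda d: levenshtein(uni, d))
            report[uni] = {"spellings": spellings, "binds_to": None,
                           "closest": doc[nearest], "distance": levenshtein(uni, nearest)}
    return report


if __name__ == "__main__":
    for uni, info in audit(collect_keys(SAMPLE_PROPERTIES, SAMPLE_ARGV), DOCUMENTED_KEYS).items():
        print(uni, info)
```

Feed it the key names CAS actually exposes (the configuration metadata of the version being 
deployed) as the documented list and it becomes a cheap upgrade-time check for keys that 
look right but will never bind; the environment-variable form of a name follows a separate 
mapping rule and is not modelled here.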

Re: [cas-user] CAS 7 MFA broken since last build

2023-10-16 Thread Ray Bon
Frédéric,

Are there any error messages in the logs?

Ray

On Fri, 2023-10-13 at 06:26 -0700, Frédéric Dussurget wrote:
Hi,
The latest build broke MFA (both gauth and web-authn). I have kept aside a 
cas.war from August 22nd which is working fine with the exact same build.gradle 
deps and /etc/cas/config/cas/yml config. One difference is that the new cas.war 
was compiled and run (external Tomcat) with OpenJDK 21, whereas the other one was 
compiled and run with OpenJDK 17.
The DB backend is Redis for everything.

Thanks if anyone could help ...
Regards,

Fred

Here are the deps I'm using :

build.gradle :

// ### MFA ###

//MFA TOTP
implementation 
"org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"

// MFA FIDO2 WEBAUTHN
implementation 
"org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"

//MFA TRUSTED DEVICE
implementation 
"org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"

Here is the MFA block in my cas.yml :

mfa:
  core:
    provider-selection-enabled: true
  gauth:
    core:
      issuer: CASIssuer
      label: Blah
      scratch-codes.encryption.key: blah-blah-blah
    name: OATH Authentification
    crypto:
      encryption:
        key: blah-blah-blah
      signing:
        key: blah-blah-blah
    redis:
      host: localhost
      port: 6379
      username: default
      password: blah-blah-blah
      sentinel:
        node[0]: blah-blah-blah:26379
        node[1]: blah-blah-blah:26379
        node[2]: blah-blah-blah:26379
        master: instancecas

  web-authn:
    core:
      relying-party-id: blah-blah-blah.fr
      relying-party-name: blah-blah-blah
      allowed-origins: blah-blah-blah
      trusted-device-enabled: false
      application-id: blah-blah-blah
    crypto:
      encryption:
        key: blah-blah-blah
      signing:
        key: blah-blah-blah
    redis:
      host: localhost
      port: 6379
      username: default
      password: blah-blah-blah
      sentinel:
        node[0]: blah-blah-blah:26379
        node[1]: blah-blah-blah:26379
        node[2]: blah-blah-blah:26379
        master: instancecas

  trusted:
    core:
      auto-assign-device-name: true
      device-registration-enabled: true
      authentication-context-attribute: isFromTrustedMultifactorAuthentication
    redis:
      host: localhost
      port: 6379
      username: default
      password: blah-blah-blah
      sentinel:
        node[0]: blah-blah-blah:26379
        node[1]: blah-blah-blah:26379
        node[2]: blah-blah-blah:26379
        master: instancecas
    crypto:
      enabled: true
      signing:
        key: blah-blah-blah
      encryption:
        key: blah-blah-blah
    device-fingerprint:
      cookie:
        crypto:
          enabled: true
          signing:
            key: blah-blah-blah
          encryption:
            key: blah-blah-blah

And the stacktrace :

2023-10-13 11:19:17,196 DEBUG 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - https://blah-blah-blah:9447/protected]>
2023-10-13 11:19:17,196 DEBUG 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - https://blah-blah-blah] with id [48] in context scope>
2023-10-13 11:19:17,197 DEBUG 
[org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy]
 - 
2023-10-13 11:19:17,197 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 

2023-10-13 11:19:27,246 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - 

2023-10-13 11:19:27,250 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - 

2023-10-13 11:19:27,260 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 - 
2023-10-13 11:19:27,276 WARN 
[org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] - 
https://blah-blah-blah:9447/protected}]>
2023-10-13 11:19:27,280 WARN 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 - 
java.lang.NullPointerException: Name is null
at java.lang.Enum.valueOf(Enum.java:291) ~[?:?]
at 
org.apereo.services.persondir.util.CaseCanonicalizationMode.valueOf(CaseCanonicalizationMode.java:26)
 ~[person-directory-impl-3.0.1.jar:?]
at 

Re: [cas-user] Custom webflow priority

2023-10-11 Thread Ray Bon
The order is part of spring webflow, so look into that.
Cas does have some helper methods. See 
https://github.com/apereo/cas/blob/6.6.x/core/cas-server-core-webflow-api/src/main/java/org/apereo/cas/web/flow/configurer/AbstractCasWebflowConfigurer.java
 which has an order field and a number of helper methods.


Ray

On Wed, 2023-10-11 at 11:45 +0200, spfma.tech via CAS Community wrote:
Hi,

I managed to inject some custom webflow modifications and I am facing a problem: 
it seems other webflows (I first added 'mfa-gauth' and then 'simple-mfa') 
always supersede mine in the end, as seen in the logs:

2023-10-11 11:35:09,560 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 

2023-10-11 11:35:11,188 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 

2023-10-11 11:35:11,420 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 

2023-10-11 11:35:11,524 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 

2023-10-11 11:35:11,713 DEBUG [fr.tst.cas.web.flow.CustomConfiguration] - 
<[TST] configureWebflowExecutionPlan@CustomConfiguration - it's like 
registering flow definition [class fr.tst.cas.web.flow.CustomWebflowDefinition]>
2023-10-11 11:35:11,713 DEBUG [fr.tst.cas.web.flow.CustomConfiguration] - 
<[TST] configureWebflowExecutionPlan@CustomConfiguration - it's like 
registering flow definition [class fr.tst.cas.web.flow.CustomWebflowDefinition]>
2023-10-11 11:35:11,951 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 

2023-10-11 11:35:11,954 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 


What is it due to?

Is there a way to manage some priorities or even force things ?

Regards






Re: [cas-user] CAS 66x, how to make association between authentication handlers and attribute repositories / PersonAttributeDaos

2023-10-11 Thread Ray Bon
Luís,

It is possible to get attributes at time of authentication for ldap and jdbc.

cas.authn.ldap[0].principal-attribute-list= \
mail, \
cn, \
sn, \
givenName

That will give you one source. See 
https://apereo.github.io/cas/6.6.x/authentication/LDAP-Authentication.html

Does your user identifier exist in the non target DAOs?
If not, then that DAO will not return any attributes, so the only cost is time 
taken to perform the lookup.

There is a custom attribute resolver option, 
https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution-Custom.html

And scriptable filter option, 
https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution-LDAP.html#ldap-scriptable-search-filter
The applicationContext will have some properties that identify the authn method.

The above two approaches will get user attributes prior to person directory 
actions.

I have not worked with person directory so can not say how to manipulate it.

Ray


On Wed, 2023-10-11 at 06:48 -0700, Luís Costa wrote:
Hello,


I'm implementing CAS 6.6.x (currently I have 6.6.8), and I need to make an 
association between authentication handlers and attribute repositories / 
PersonAttributeDaos, for example, LdapAuthHandler[0] => Dao1, Dao2 and 
JdbcAuthHandler[0] => Dao1, Dao3.

The goal is that each auth handler only tries to get attributes from the 
attribute repositories that make sense to it.


I'm trying to do this by creating a custom property in cas.properties for each 
auth handler that holds a comma-separated list of one or more attribute 
repository IDs (defined in the standard props 
"cas.authn.attribute-repository..id").
I got this idea from the standard property 
"cas.person-directory.active-attribute-repository-ids".

Then, my plan is to extend the PersonDirectoryPrincipalResolver and manipulate 
the context.attributeRepository.personAttributeDaos, so that only the Daos that 
the auth handler "supports" are "executed".


Does this make sense? Is it a possible and logical solution? Is there a better 
"standard solution"?


Best regards,

Luís Costa



Re: [cas-user] Migration process best practices

2023-10-04 Thread Ray Bon
Mohamed,

Unfortunately the overlay no longer has a git history, so upgrades are 
needlessly complex.

You are making a big upgrade so there will be property name changes.
It is possible to stick with maven, but most of the documentation assumes 
gradle. I switched to gradle when it was first an option, so unable to provide 
guidance on maven.

If you have local modifications / additions to cas files that are stored in 
your local version control repo, you may want to keep that history (and some of 
those files may need to be updated).
Assuming you have a development host, you could try the 'from scratch' approach 
first.
I do not think there is a recommended upgrade process.

Ray

On Wed, 2023-10-04 at 10:54 +0200, Mohamed Amdouni wrote:
Hello,

I would like to have your feedback about migrations.

What’s the best method? :
1- create a new overlay from scratch and modify property files : cas.properties
Or
2- modify only the cas.version

Is it required/recommended to use Gradle in the overlay?

My current project is with maven. Migration from 5.3.x to 6.6.x


Best regards.



Re: [cas-user] Debugging help

2023-10-04 Thread Ray Bon
Jeff,

Was this part of an upgrade?
It could be that a property has changed names. As Artur said, you could start 
with a vanilla version and add the items in one at a time.
There is also the possibility that there is an old/incompatible library hanging 
around.

These loggers may help:

Ray

On Mon, 2023-10-02 at 11:14 -0400, Jeffrey Ramsay wrote:
Hello -

My application stopped working after a rebuild with the following error 
message, and I can't seem to find the reason.

Is there a debugging setting I can use to find which setting is the problem?

2023-10-02 11:10:38,217 WARN 
[org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext]
 - 
2023-10-02 11:10:38,462 ERROR [org.springframework.boot.SpringApplication] - 


Thanks,
-Jeff



Re: [cas-user] Re: Submit a CAS evolution for 6.6.12

2023-09-25 Thread Ray Bon
Jérémie,

There is a cas developer list 
https://apereo.github.io/cas/Mailing-Lists.html#cas-developer-list-cas-devapereoorg

Ray

On Mon, 2023-09-25 at 00:48 -0700, Jérémie wrote:
Yeah, I see, but I don't know how to split this much more.

I've also contacted a few people who tell me that this won't pass in 6.x but 
rather in 7.x. How can I be sure that this feature will be validated for CAS 
(when fixed), or how will I know in which release (and when)?

We're working on removing all adherences to Authy right now.

Le vendredi 8 septembre 2023 à 17:09:38 UTC+2, John a écrit :
You have basically one large commit for all changes; it's much easier for Apereo 
to see what and where is being changed if you make a commit for each section of 
changes. Also, why is there Authy stuff in the MFA module? It should probably be 
renamed, the classes, etc., to Okta; for example, "package 
org.apereo.cas.adaptors.authy" is already used in CAS and should be changed to 
probably something like "org.apereo.cas.okta", since it already exists and would 
stay in line with how modules are packaged; the config probably should be under 
"org.apereo.cas.config" and not be 'authyconfiguration'.

On Friday, September 8, 2023 at 3:18:35 AM UTC-5 Jérémie wrote:
Hi,

I have developed a custom module for Apereo CAS to allow Okta MFA support for 
CAS authentication.

We have developed a custom working module based on a similar Authy project 
we've found online.

We are having trouble now forking, adapting & submitting our module to the CAS 6.6.12 
release due for the end of September. Our pull request has been automatically 
rejected: https://github.com/apereo/cas/pull/5751/files

I've never done that so I might not see obvious steps here.

Thank you





Re: [cas-user] CAS 6, AbstractNonInteractiveCredentialsAction on Trusted AuthN with incoming SAML Assertion

2023-09-25 Thread Ray Bon
Yan,

Are you thinking of this 
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication.html

Ray

On Tue, 2023-09-19 at 12:28 -0700, Yan Zhou wrote:

hello,

For historical reasons, our CAS set-up needs to support accepting an incoming 
SAML Assertion (validating it, etc.) from an HTTP request parameter and performing 
authentication as the user principal in the incoming SAML assertion. Basically, 
we trust the SAML authN done by our vendor earlier and create a CAS session so 
that the user can SSO into our apps.

We have overridden AbstractNonInteractiveCredentialsAction to 
constructCredentialsFromRequest(), i.e., we create a user-defined Credential 
object and then authenticate and create the SSO session by overriding 
AbstractAuthenticationHandler.

That has worked well, but I do not see any documentation on this in the CAS 6.6.x 
documentation. The class is still there in 6.6.x; is there now a better and easier 
way to implement Trusted Authentication based on SAML (XML) input from an HTTP 
request parameter?

Thx!



Re: [cas-user] debugging login issues

2023-09-25 Thread Ray Bon
Pablo,

Cas creates a TGC (TicketGrantingCookie) to track the user session. You will be 
able to see it in your logged-in browser at 
https://login.server/cas/actuator/health
Your ticket store will have TGTs and STs. The STs are kept for performing 
single logout.
You can track sessions at 
https://login.server/cas/actuator/ssoSessions
See https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html and 
https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/

The Cas protocol has a renew=true option that a service can send to force 
[re]authentication.
Is it possible that your service is forcing reauthentication?
Why is your service session so short?

Use your browser developer tools to see the network requests / redirects and 
cookies being sent to and from cas (and your services).

Ray

On Fri, 2023-09-15 at 14:09 -0700, Pablo Vidaurri wrote:

How best to debug login issues?

What cookie should the browser be holding (JSESSIONID?)
What should exist in my Postgres DB (TGT, ST, ?)

I already verified that I am using the default 2 hour idle session and 8 hour max 
session. I'm logged into the site; a few minutes later I refresh the page and am 
being asked to log in again.

I do have
cas.ticket.tgt.core.only-track-most-recent-session=false
due to login having several APIs behind cas running on the same host (but a 
different web context) that generate STs.

I'm trying to figure out why I'm being asked to log in every few minutes. I 
suspect a ticket or cookie is being invalidated.

-psv

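As an added example (not code from the thread or from CAS) of the triage Ray describes: it classifies each TGT a user holds against the 2 hour idle / 8 hour max lifetimes Pablo quotes, and checks a captured service redirect for the renew=true parameter. The JSON field names are assumed from the general shape of the ssoSessions endpoint output and must be checked against your CAS version; the sample document is constructed.

```python
"""Session-expiry triage for a CAS "asked to log in again" report.

Added example, not code from the thread or from CAS. It assumes a JSON
document shaped roughly like what /actuator/ssoSessions returns; the keys
"activeSsoSessions", "authenticated_principal", "ticket_granting_ticket",
"authentication_date" and "last_time_used" are an assumption, adjust them
to what your version actually emits.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# The two TGT lifetimes the poster says are in effect (the CAS defaults).
IDLE_TIMEOUT = timedelta(hours=2)
MAX_LIFETIME = timedelta(hours=8)


def parse_sso_sessions(doc: str) -> list[dict]:
    """Return the session list from an ssoSessions-style JSON document."""
    data = json.loads(doc)
    return list(data.get("activeSsoSessions", []))


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_session(session: dict, now: datetime) -> str:
    """Classify one TGT as 'active', 'idle-expired' or 'max-expired'.

    Mirrors the two expiry rules: a TGT dies when it has not been used for
    IDLE_TIMEOUT, or when it is older than MAX_LIFETIME overall, whichever
    comes first. The hard maximum is checked first because it wins even
    when the ticket was used a minute ago.
    """
    created = _ts(session["authentication_date"])
    last_used = _ts(session.get("last_time_used", session["authentication_date"]))
    if now - created > MAX_LIFETIME:
        return "max-expired"
    if now - last_used > IDLE_TIMEOUT:
        return "idle-expired"
    return "active"


def sessions_for(principal: str, doc: str, now: datetime) -> dict[str, str]:
    """Map TGT id -> status for every session belonging to principal.

    With only-track-most-recent-session=false (the poster's setting) a user
    may legitimately hold several TGTs, so a fresh login can coexist with
    older, still-valid sessions; several TGTs is not by itself the bug.
    """
    return {
        s["ticket_granting_ticket"]: classify_session(s, now)
        for s in parse_sso_sessions(doc)
        if s["authenticated_principal"] == principal
    }


def service_forces_reauth(login_url: str) -> bool:
    """True when a service's redirect to /cas/login carries renew=true.

    renew=true tells CAS to ignore the existing TGC and prompt for
    credentials again, which looks exactly like a lost session.
    """
    params = parse_qs(urlparse(login_url).query)
    return params.get("renew", ["false"])[0].lower() == "true"


# Constructed sample, not real endpoint output.
SAMPLE_SSO_SESSIONS = json.dumps({
    "activeSsoSessions": [
        {"authenticated_principal": "psv", "ticket_granting_ticket": "TGT-1-constructed",
         "authentication_date": "2023-09-15T12:00:00Z", "last_time_used": "2023-09-15T13:50:00Z"},
        {"authenticated_principal": "psv", "ticket_granting_ticket": "TGT-2-constructed",
         "authentication_date": "2023-09-15T05:00:00Z", "last_time_used": "2023-09-15T13:55:00Z"},
        {"authenticated_principal": "psv", "ticket_granting_ticket": "TGT-3-constructed",
         "authentication_date": "2023-09-15T11:00:00Z", "last_time_used": "2023-09-15T11:30:00Z"},
    ]
})
NOW = datetime(2023, 9, 15, 14, 0, tzinfo=timezone.utc)  # constructed "current time"
SAMPLE_REDIRECT = "https://login.server/cas/login?service=https%3A%2F%2Fapp%2Fapi1&renew=true"

if __name__ == "__main__":
    for tgt, status in sessions_for("psv", SAMPLE_SSO_SESSIONS, NOW).items():
        print(f"{tgt}: {status}")
    print("service forces reauth:", service_forces_reauth(SAMPLE_REDIRECT))
```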


Re: [cas-user] Customizing AUP Webflow Logic

2023-09-11 Thread Ray Bon
Trevor,

Test classes are not part of packaged jars. If you want test classes, you have 
to copy them into your src directory.
Beware, you may have to copy in dependencies of the test classes too; and 
remember to update them when you upgrade.
Is it possible to rework your logic to extend the existing flow, instead of 
changing it?

Ray


On Fri, 2023-09-08 at 17:14 -0700, Trevor Fong wrote:

Hi All,
I'm trying to customize the AUP template view and some of the logic behind its 
SUBMIT button. The problem is that I'm running into some compiler errors when I 
try to do a "./gradlew clean build":

$ ./gradlew clean build
Configuration on demand is an incubating feature.

> Task :compileTestJava FAILED
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:3:
 error: package org.apereo.cas.adaptors.ldap does not exist
import org.apereo.cas.adaptors.ldap.LdapIntegrationTestsOperations;
   ^
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:7:
 error: package org.apereo.cas.util.junit does not exist
import org.apereo.cas.util.junit.EnabledIfListeningOnPort;
^
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:9:
 error: package com.unboundid.ldap.sdk does not exist
import com.unboundid.ldap.sdk.LDAPConnection;
 ^
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:52:
 error: cannot find symbol
public class LdapAcceptableUsagePolicyRepositoryTests extends 
BaseAcceptableUsagePolicyRepositoryTests {
  ^
  symbol: class BaseAcceptableUsagePolicyRepositoryTests
/Users/tjfong/git/aws-setup/cas6/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/test/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepositoryTests.java:41:
 error: cannot find symbol
@EnabledIfListeningOnPort(port = 10389)
 ^
  symbol: class EnabledIfListeningOnPort
5 errors

FAILURE: Build failed with an exception.


Would someone be able to tell me if I'm following the right path (see below) or 
tell me what I'm doing wrong?  Presumably I need to add extra 'implementation 
"org.apereo.cas:blah"' references to build.gradle - how do I find out what to 
add?

Here's what I did to get thus far:

cd /opt/cas/workspace/
git clone https://github.com/apereo/cas.git
## There doesn't seem to be a v6.6.11 tag?
git checkout v6.6.10

cd /opt/cas/workspace/cas-6.6.11-dev
getcas --directory cas-overlay-template-6.6.11 --type cas-overlay --casVersion 
6.6.11 --modules 
support-jpa-ticket-registry,support-jpa-service-registry,support-ldap,support-saml,support-duo,support-audit-jdbc,support-aup-ldap,support-aup-webflow

## Copy files that we want to customize from cas to the overlay
cp -prnv /opt/cas/workspace/cas/support/cas-server-support-aup-ldap/src/* 
/opt/cas/workspace/cas-6.6.11-dev/cas-overlay-template-6.6.11/src/

## Customize:
# 
cas-overlay-template-6.6.11/src/main/resources/templates/aup/casAcceptableUsagePolicyView.html
# 
cas-overlay-template-6.6.11/src/main/java/org/apereo/cas/aup/LdapAcceptableUsagePolicyRepository.java

## Add additional implementations to build.gradle to get rid of "class not 
found" type build errors
#implementation "org.apereo.cas:cas-server-support-aup-core"
#implementation "org.apereo.cas:cas-server-support-ldap-core"
#implementation "org.apereo.cas:cas-server-core-util"
#implementation "org.apereo.cas:cas-server-core-web-api"

cd /opt/cas/workspace
cd cas-6.6.11-dev/cas-overlay-template*
./gradlew clean build

See build errors above.

Thanks a lot,
Trev




Re: [cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?

2023-09-08 Thread Ray Bon
Yan,

It is a wise idea to sign logout requests. This prevents a bad actor from 
creating false logouts.
'Validate SAML requests with signature ... ' is for the login request.

When your client app sends a logout request to cas, does cas (as IdP) end its 
session with the client?

Ray

On Fri, 2023-09-08 at 13:18 -0700, Yan Zhou wrote:

Hi,

I have almost completed SAML delegated authN with CAS and Okta (CAS delegates 
to Okta), except for SLO.

When the client app initiates SLO, it goes to CAS and CAS redirects to Okta, but 
Okta says "invalid signature"; the SAML Logout request from CAS has no signature 
element. See below.

I verified the Okta settings; nowhere does it say it requires a signature in the 
Logout Request. Regardless, I cannot figure out how to get CAS to sign the SLO 
request when in delegated authN. This setting made no difference even when set.

cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true



This is the SLO from CAS to Okta, with no signature element. I suppose that is why 
Okta says "Invalid Signature", but I do not know how to get Okta to turn off the 
check; in Okta, "Validate SAML requests with signature certificates" is OFF.

Ideas? Thanks in advance

Yan

https://dev-...okta.com/app/dev-11p_1/ex..7/slo/saml"ID="_2701..ca870e07705"IssueInstant="2023-09-08T20:09:28.830Z"Version="2.0;
 
>https://localhost:8443/cas/samlspyan...com_4ba2..3a4b0



Re: [cas-user] Add a new controller to the CAS7 server

2023-09-08 Thread Ray Bon
See 
https://apereo.github.io/cas/6.6.x/webflow/Webflow-Customization-Extensions.html
 and https://fawnoos.com/2022/07/22/cas66-ui-themes/

Ray

On Fri, 2023-09-08 at 16:15 +0800, ztf863 wrote:


Hello, I am a beginner in CAS. I want to add a new controller to the CAS7 
server, but it does not take effect. How should I implement it? Is there any 
documentation for this? Thanks



Re: [cas-user] CAS-6.6.x war overlay by maven

2023-09-07 Thread Ray Bon
Are you trying to build cas as a developer or as an operator?
If you want to run cas as a sign on system, use the overlay, 
https://github.com/apereo/cas-overlay-template that is described in the 
previous link.
Developer info starts here, 
https://apereo.github.io/cas/6.6.x/developer/Build-Process.html

Ray

On Wed, 2023-09-06 at 19:13 -0700, Char Lin wrote:

Sorry, I didn't find a cas6.6 build through Maven on this web page.

Is cas6.6 just supported by Gradle?

On Wednesday, 6 September 2023 at 00:51:02 UTC+8, wrote:
https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/

On Mon, 2023-09-04 at 01:53 -0700, 'Char Lin' via CAS Community wrote:

Hi, all.

How do I use Maven to build and package the cas 6.6.x war?

I am not familiar with Gradle and the cost of learning is too high.

Thanks!




Re: [cas-user] [CAS 6.6.8] Custom MFA triggers

2023-09-06 Thread Ray Bon
These should help
https://fawnoos.com/2021/08/20/cas64-webflow-extensions/
https://fawnoos.com/2022/04/21/cas66-webflow-groovy-actions/

I have a helper class that can print out the flow
https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74

Ray

On Wed, 2023-09-06 at 14:46 +0200, spfma.tech via CAS Community wrote:

Hi,

I spent some time studying your script and I think I will follow this way.
But I am having a hard time gathering information to write the script I need.

Here is what I am trying to do: now that 'mfa-gauth' is working, I would like 
to "harden" it a little bit, as I think the authenticator registration procedure 
is too open by default (someone who managed to steal a password can register 
his own if he is faster than the account owner, so insecure access should not 
be possible if no device has been registered in a safer way before).

I would like to alter the webflow in order to display a warning message if the 
user has not registered at least one authenticator already and is not coming 
from a trusted network, then move to a failed state.

I have spent a lot of time studying logfiles to understand how states and 
transitions are interacting, and I think I have to either modify the "mfa-gauth" 
state in the "login" webflow, or the "mfa-gauth" webflow itself as it is called as 
a subflow.

But I have no idea how to address another flow than "login", if and how I can 
query the 'mfa-gauth' backend to check if there are some registered 
authenticators, or how to display an extra view.

Do you know where I could find information and clues about this? In fact I 
don't even know what namespaces are available in the script.

Regards



On 25-Jul-2023 16:15:39 +0200, jbanner6...@gmail.com wrote:
Maybe Misagh could put in his thoughts on this, but I would argue the opposite 
is more true in fact: having custom java code and having to register, etc., 
relies on way MORE base code in cas than the groovy methods. If you take a look 
at the way groovy scripts are written in cas, it is mainly a simple execute 
groovy method passing the parameters and just reading the results. That code 
itself doesn't change much. We had thousands of lines of custom java code 
before the 6.x days, for all kinds of things. Now we maintain 2 individual java 
class files and are working to get those changes pushed into cas; we just need 
to write the test cases and scenarios.

One of the benefits to using groovy is the no compile time: they don't need to 
be compiled with your overlay! Most if not all groovy scripts are reloaded on 
demand when changed and take effect immediately with no restarts, which makes a 
huge difference.

Not sure why the other poster's simple-mfa wouldn't work, but it works no problem 
for us. It could be the trigger type being used: there is 
cas.authn.mfa.core.provider-selector-groovy-script and what we use, 
cas.authn.mfa.groovy-script. We have some vendors/external services that use 
database auth and mfa is fine; we also use surrogate and in our groovy we have 
parts written to either bypass/force for surrogate situations.

We have been using CAS since the 3.x days and when groovy webflow came along, 
it was a blessing!! It is so much easier to maintain than custom java code. 
See the attached; this is one of about 4 different flow modifiers. Using the 
"properties" in a service definition, we utilize this flow to inject custom 
post fields for services that require a POST response instead of REDIRECT.

I think, in my opinion, groovy is way more sustainable to maintain than the 
other.

Thanks,
John

On Tuesday, July 25, 2023 at 7:18:07 AM UTC-5 spfma...@e.mail.fr wrote:
Hi,
Thanks for your reply.
From what I have read in the recommendations in the docs, scripting is ok but 
coding is better and more sustainable (build time vs run time I guess).
So I am trying to understand how to implement something like what is described 
here: 
https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html
But so far I don't even know where to put the code, or how to even have a single 
debug log line.
Thanks for this example (I think I saw it a couple of months ago); I will 
follow this way if it's the right one too.
But I can't forget I have to replicate an old "login-webflow.xml", which seems 
to be done programmatically only in the current version.
Regards


On 21-Jul-2023 20:00:53 +0200, rb...@uvic.ca wrote:
This may provide some direction https://fawnoos.com/2018/11/22/cas5-groovy-mfa/
There may be other posts on this site that can help.

Ray

On Fri, 2023-07-21 at 08:49 +0200, spfma.tech via CAS Community wrote:

Hi,
I would like to implement some conditional MFA scenarios (using a 

Re: [cas-user] CAS-6.6.x war overlay by maven

2023-09-05 Thread Ray Bon
https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/

On Mon, 2023-09-04 at 01:53 -0700, 'Char Lin' via CAS Community wrote:

Hi, all.

How do I use Maven to build and package the cas 6.6.x war?

I am not familiar with Gradle and the cost of learning is too high.

Thanks!



Re: [cas-user] Delegated authentication attribute resolution

2023-08-31 Thread Ray Bon
Aaron,

Do you also have an attribute list for the authn definition? like:
cas.authn.ldap[0].principalAttributeList=cn,sn,...

If so, your attributes may be coming from the attribute list instead of the 
attribute-repository. Check your repository settings (and maybe comment out the 
attribute list).

Cas can get attributes at time of authentication (at least for ldap, we do not 
use another source). attribute-repository is searched after authentication 
(requires another call to the remote service).

Ray

On Thu, 2023-08-31 at 12:34 -0700, Aaron Chantrill wrote:

Yes, the attribute repository is cas.authn.attribute-repository.jdbc[0]

It works fine with my cas.authn.ldap[0] and cas.authn.jdbc.search[0] 
authentication services, but seems to get skipped when I use the 
cas.authn.pac4j.oidc[0].azure authentication service. The attributes I get back 
are the ones defined in my Azure AD application.

Thank you! (I hope I'm not spamming you, I just replied a few minutes ago but 
now I can't find it...)

On Thursday, August 31, 2023 at 11:54:26 AM UTC-4 Ray Bon wrote:
Aaron,

Do you have the attribute repository defined with:
cas.authn.attribute-repository. ... properties?

Ray

On Wed, 2023-08-30 at 13:04 -0700, Aaron Chantrill wrote:

I'm trying to use a specific attribute repository after authenticating with 
Azure AD as  a delegate identity provider.

Authenticating with Azure AD works fine and I can see the attributes, but 
really I just want to use the samaccountname attribute to retrieve attributes 
from a database.

Previously I had both LDAP and JDBC identity providers (for different types of 
users) and both of them used the only attribute repository I had defined, but 
it seems like delegate identity providers like to use their own attributes.

Is there some way to force CAS to append attributes from a different attribute 
provider after authenticating with a delegate identity provider?

Thank you!




Re: [cas-user] Delegated authentication attribute resolution

2023-08-31 Thread Ray Bon
Aaron,

Do you have the attribute repository defined with:
cas.authn.attribute-repository. ... properties?

Ray

On Wed, 2023-08-30 at 13:04 -0700, Aaron Chantrill wrote:

I'm trying to use a specific attribute repository after authenticating with 
Azure AD as  a delegate identity provider.

Authenticating with Azure AD works fine and I can see the attributes, but 
really I just want to use the samaccountname attribute to retrieve attributes 
from a database.

Previously I had both LDAP and JDBC identity providers (for different types of 
users) and both of them used the only attribute repository I had defined, but 
it seems like delegate identity providers like to use their own attributes.

Is there some way to force CAS to append attributes from a different attribute 
provider after authenticating with a delegate identity provider?

Thank you!



Re: [cas-user] View and Edit of allowedAtributes in cas-management 6.6.3

2023-08-29 Thread Ray Bon
Martin,

Do you have attributes defined in the config file?

e.g. cas.authn.attributeRepository.stub.attributes.mail=mail

In 6.5 I have those in management.properties. Not sure if they can go in 
cas.properties.

Ray

On Tue, 2023-08-29 at 12:50 +, 'Büchler, Martin' via CAS Community wrote:


Hello there,

The question is, how do we manage 'allowedAttributes' if we cannot view or edit 
them in the cas-management app?

I want to view and edit the 'allowedAttributes' of 'attributeReleasePolicy' set 
up per service in the cas-management GUI. The XHR payload from URL 
http:///api/services/35 is

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https?://.*",
  "name": "Some Environement",
  "id": 35,
  "description": "Some Environement",
  "evaluationOrder": 10,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "subscriberid"
    ]
  }
}

The 'Attribute Release' tab shows
--
Attribute Release Policy

   Policy
   RETURN ALLOWED  v

   Return Allowedv
--

but the bottom control seems to be a read-only dropdown list with the single 
entry 'Return Allowed' instead of an editable list like you have it e.g. for 
the 'Allowed Providers' from the 'Access Strategy' tab

--
Delegated Authentication
   ...
   Allowed Providers

   Allowed Providers
   Google x   Github x
--

Regards
--
Martin



Re: [cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?

2023-08-28 Thread Ray Bon
Yan,

It still sounds like you are mixing the client with the delegated authn (okta).

If your client app is communicating with SAML, then cas should be configured as 
the IdP for client app. The client app will have cas IdP metadata (with cas url 
in it) and cas will have client app  SP metadata and the service will be 
registered as SamlRegisteredService. Hopefully you can test this setup with the 
default cas user (casuser:Mellon). (You will have to modify the client app json 
file to turn off redirect.)

Once the cas <-> client app is working correctly, then you can configure cas 
and okta.

Cas will get okta IdP metadata and okta will get cas SP metadata (_not_ client 
app). (Remember to turn on redirect in client app json file.)

Sorry about the oidc endpoint stuff. Cas SAML endpoints are here, 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SAML2-Authentication.html#saml-endpoints
You will most likely use the /idp/profile/SAML2/Redirect/SSO or 
/idp/profile/SAML2/POST/SSO endpoints set in your client app.

This post might be useful 
https://fawnoos.com/2022/03/25/cas66-saml-authn-refeds/

Ray

On Fri, 2023-08-25 at 17:05 -0400, Yan wrote:

Hi there,

I made a mistake: I changed dependencies without rebuilding the project. Now I've 
made progress; auto-redirect is working now.

The client app goes to the IdP directly (because the IdP metadata generated by 
CAS has the Okta URL in it). But after I log in through Okta, it redirects to 
CAS, and this is where I still have a problem.

URL is:  https://localhost:8443/cas/login?client_name=bootsp2

Error:

2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] 
[org.pac4j.core.client.Clients] - https://localhost:8443/cas/login | urlResolver: null | 
callbackUrlResolver: 
org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@2a2798a2 | 
ajaxRequestResolver: null | redirectionActionBuilder: null | 
credentialsExtractor: null | authenticator: null | profileCreator: 
org.pac4j.core.profile.creator.AuthenticatorProfileCreator@2b9ecd05 | 
logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@31f1b268 | 
authorizationGenerators: [] | checkAuthenticationAttempt: true | for name: 
bootsp2>
2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] 
[org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - 

2023-08-25 17:02:54,605 DEBUG [https-jsse-nio-8443-exec-5] 
[org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - 

2023-08-25 17:02:54,605 ERROR [https-jsse-nio-8443-exec-5] 
[org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - 
https://localhost:8443/cas/login?client_name=bootsp2]>
2023-08-25 17:02:54,607 ERROR [https-jsse-nio-8443-exec-5] 
[org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
at 
org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236)
 ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
at 
org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84)
 ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
at 
org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:285)
 ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
at 
org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205)
 ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
at 
org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$doExecute$0(DelegatedClientAuthenticationAction.java:123)
 ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
at java.util.Optional.orElseGet(Optional.java:369) ~[?:?]
at 
org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:123)
 ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
 ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
 ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at 
org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
 ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]

On Fri, Aug 25, 2023 at 3:34 PM Ray Bon <r...@uvic.ca> wrote:
Yan,

My local OIDC goes to cas/oidc/oidcAuthorize where cas redirects to /cas/login. 
In your case, cas should redirect to the remote IdP.
The cas endpoints are described here, 
https://apereo.github.io/cas/6

Re: [cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?

2023-08-25 Thread Ray Bon
Yan,

My local OIDC goes to cas/oidc/oidcAuthorize where cas redirects to /cas/login. 
In your case, cas should redirect to the remote IdP.
The cas endpoints are described here, 
https://apereo.github.io/cas/6.6.x/authentication/OIDC-Authentication.html 
(though I note that the protocol differs from what my client is doing above and 
says cas/oidc/authorize).

Your client app should know nothing about how or where the login takes place. 
It should only know about cas. That way you can change the upstream IdP in cas 
and not have to make changes to your client.

Ray

On Fri, 2023-08-25 at 11:49 -0700, Yan Zhou wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Hi,

This is my environment:

CAS 6.6.x, SAML2 delegated authN, Spring Boot app -> CAS -> Okta (CAS delegates 
to Okta, CAS is an SP to Okta, Okta is the IdP).

One trouble I have is on the client app side: it needs to specify the IdP, which 
should be CAS, but I do not know what the CAS SSO endpoint below should be (since 
CAS is also an SP to Okta). I tried /cas/login; as I go to the client app, it 
redirects to the CAS login page and I see the external identity provider on the 
login page. However, autoRedirect is not working, which tells me something is not 
set up correctly.

Did I have the SSO endpoint correct in the following: /cas/login, /cas/logout?

Yan

IdP metadata file placed on the Spring Boot client app side

<EntityDescriptor entityID="http://www.okta.com/exkas4vj25jdUfJEx5d7">
  <IDPSSODescriptor>
    ..
    <SingleLogoutService Location="https://localhost:8443/cas/logout"/>
    <SingleLogoutService Location="https://localhost:8443/cas/logout"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Location="https://localhost:8443/cas/login"/>
    <SingleSignOnService Location="https://localhost:8443/cas/login"/>
  </IDPSSODescriptor>
</EntityDescriptor>


cas.properties, runs on localhost:8443/cas
=

cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/samlsp
cas.authn.pac4j.saml[0].clientName=bootsp2
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/casas-samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://okta.com/app/.../sso/saml/metadata
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].userNameQualifier=false
cas.authn.pac4j.saml[0].autoRedirect=true

==

client app service registry, Spring Boot app runs on localhost:8081

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^http://localhost:8081(/.*)?",
  "name" : "myclientapp",
  "id" : 1005,
  "description" : "sample",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "bootsp2" ] ]
    }
  }
}
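Added example, not from the thread: the serviceId pattern from the registry entry above, checked against constructed sample URLs beside an end-anchored version, to show which extra URLs the unanchored form accepts. Using re.search here is an assumption for illustration, not a statement of how CAS itself matches serviceId.

```python
import re

# The serviceId from the registered service posted in this thread.
LOOSE_PATTERN = r"^http://localhost:8081(/.*)?"
# Same intent, closed with an end anchor so the match cannot run past the port.
ANCHORED_PATTERN = r"^http://localhost:8081(/.*)?$"

# Constructed sample service URLs, as a client might present them in ?service=.
SAMPLE_SERVICE_URLS = [
    "http://localhost:8081",
    "http://localhost:8081/login/cas",
    "http://localhost:80811/",              # a different port sharing the prefix
    "http://localhost:8081.example.test/",  # a different host sharing the prefix
]


def service_matches(pattern: str, service_url: str) -> bool:
    """Plain regex search. Assumption: a generic check, not CAS's own matcher."""
    return re.search(pattern, service_url) is not None


def classify(pattern: str, urls=SAMPLE_SERVICE_URLS) -> dict:
    """Map each URL to whether the pattern accepts it."""
    return {url: service_matches(pattern, url) for url in urls}


def unintended_matches(loose: str, anchored: str, urls=SAMPLE_SERVICE_URLS) -> list:
    """URLs the loose pattern accepts but the anchored one rejects. Review these
    before deploying a serviceId: each is a service the registry entry would
    admit without the author meaning to."""
    return [u for u in urls if service_matches(loose, u) and not service_matches(anchored, u)]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(name)
        for url, ok in classify(pattern).items():
            print(f"  {'match   ' if ok else 'no match'}  {url}")
    print("accepted only by the loose pattern:", unintended_matches(LOOSE_PATTERN, ANCHORED_PATTERN))
```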

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c398e5f77c4da0e97d32f36a3329163aff3becbe.camel%40uvic.ca.


Re: [cas-user] CAS 6.6.8 ST ticket generation with cas.host.name appended

2023-08-25 Thread Ray Bon
Pablo,

When using the cas protocol for login, it is possible to include the host name 
(foobar1 in your case) in the ST. It escapes me how to set this, since my local 
does not do this but our prod servers do. This is handy when you have multiple 
cas servers.
The other form of the ST is probably for the SAML1.1 protocol; there should be a 
URL parameter of SAMLart.

Ray

On Fri, 2023-08-25 at 10:06 -0700, Pablo Vidaurri wrote:

I have the property:
cas.host.name=foobar1

Looking at my postgres_jpa_ticket_entity table, I do see some service tickets 
appended with this value, and the format looks like an alphanumeric ticket 
(ST-ABC123-foobar1).

But I am also seeing some service tickets without the foobar1 appended, and 
these also have special characters such as plus (+) and slashes (/). Why is 
this format different and why is there no foobar1 appended to these?



Re: [cas-user] CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-25 Thread Ray Bon
Thanks for the tip on the ultimate edition.

Cas uses a number of keys for various tasks. If the key is not present in your 
config, cas will create one on boot. It will be different each time cas starts 
and, of course, anything persisted with the earlier key will no longer be 
accessible.
There will be some log messages to let you know:

cas | 2023-08-25 18:52:34,189 WARN [ 
org.aper.cas.util.ciph.BaseStringCipherExecutor] -  [main]
cas | 2023-08-25 18:52:34,201 WARN [ 
org.aper.cas.util.ciph.BaseStringCipherExecutor] -  [main]
cas | 2023-08-25 18:52:34,204 WARN [ 
org.aper.cas.util.ciph.BaseStringCipherExecutor] -  [main]
cas | 2023-08-25 18:52:34,204 WARN [ 
org.aper.cas.util.ciph.BaseStringCipherExecutor] - https://apereo.github.io/cas/development/developer/Build-Process.html#sample-build-aliases.)

You can also copy the jar file, to which you made code changes, to your 
~/.m2/repository/...

Ray
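As an added illustration of the point above (example code, not part of the thread or of CAS itself): two simulated CAS boots against one persisted device record, with a constructed toy cipher standing in for whatever CAS actually uses. The property name for the persisted key is an assumption, and a dict stands in for the CouchDB record.

```python
import hashlib
import hmac
import secrets

# Assumed property name for a persisted GAuth encryption key; the thread does not
# show it, so confirm the exact key for your CAS version in its documentation.
ENCRYPTION_KEY_PROPERTY = "cas.authn.mfa.gauth.crypto.encryption.key"

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy keystream (HMAC-SHA256 in counter mode). It only stands in
    for the real cipher; the lesson is that the key must survive a restart."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_secret(key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag over nonce+ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_secret(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key,
    which is what a CAS booted with a fresh random key sees for an older record."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class CasBoot:
    """One start of the CAS process: the key comes from configuration when present,
    otherwise a fresh random key is generated for this process and a warning logged."""

    def __init__(self, config: dict, log: list):
        configured = config.get(ENCRYPTION_KEY_PROPERTY)
        if configured is None:
            log.append("WARN BaseStringCipherExecutor - no encryption key configured; "
                       "generated a random one that lives only as long as this process")
            self.key = secrets.token_bytes(32)
        else:
            self.key = bytes.fromhex(configured)


def register_then_restart(config: dict):
    """Boot CAS, persist an encrypted device secret, restart, try to read it back.
    Returns (recovered_secret_or_None, log_lines)."""
    log = []
    store = {}  # stands in for the CouchDB account record
    first = CasBoot(config, log)
    store["casuser"] = encrypt_secret(first.key, b"JBSWY3DPEHPK3PXP")  # constructed seed
    second = CasBoot(config, log)  # the restart
    return decrypt_secret(second.key, store["casuser"]), log


if __name__ == "__main__":
    lost, log = register_then_restart({})
    print("no key in config -> secret after restart:", lost, "| warnings:", len(log))
    stable = {ENCRYPTION_KEY_PROPERTY: secrets.token_hex(32)}  # persist this value in config
    kept, log = register_then_restart(stable)
    print("key in config    -> secret after restart:", kept, "| warnings:", len(log))
```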

On Fri, 2023-08-25 at 11:18 +0200, spfma.tech via CAS Community wrote:

Hi,

I thought the Ultimate edition has it: 
https://www.jetbrains.com/help/idea/remote-development-starting-page.html
But I will never be offered this tool anyhow!

I am using my main production logfile at "/etc/cas/config log4j2.xml", with all 
levels between "trace" and "debug". And I see plenty of debug messages so I 
think it's ok.

I am now studying the problem with a simple CAS instance built from the 
sources, with a dummy JSON service and the internal "casuser" account. I just 
added "cas-server-support-json-service-registry", "cas-server-support-gauth" 
and "cas-server-support-gauth-couchdb" and the related "cas.properties" 
configuration directives:

#########################
# MFA (global settings) #
#########################
cas.authn.mfa.triggers.global.global-provider-id:mfa-gauth
#cas.authn.mfa.triggers.global.global-provider-id: mfa-simple

#########################
# Google Authenticator  #
#########################
cas.authn.mfa.gauth.core.multiple-device-registration-enabled:true
cas.authn.mfa.gauth.core.issuer: CAS
cas.authn.mfa.gauth.core.label: OUR_CORP
cas.authn.mfa.gauth.couch-db.create-if-not-exists:true
cas.authn.mfa.gauth.couch-db.db-name: cas_gauth
cas.authn.mfa.gauth.couch-db.password: password
cas.authn.mfa.gauth.couch-db.username: admin
cas.authn.mfa.gauth.couch-db.url: http://localhost:5984


CouchDb is running as a local Docker container, with a persistent volume (I had 
to create the database manually, as in spite of having set 
"cas.authn.mfa.gauth.couch-db.create-if-not-exists" to true, there are no 
design documents inside and authenticator registration cannot work. There is 
an older post in this ML about that; I used the information they provided and 
it works after manually creating the missing items).

When I log in for the first time, I am asked to pair a new authenticator and the 
process is successful. And I can log in again and again; it's ok.
If I check the database, I have a record related to this authenticator, having 
a name, an id and a user name.

If I restart CAS, the database content is still the same of course, but the 
codes provided by the authenticator are not working anymore, as if they were 
wrong. And I have an error message in the logs:

2023-08-25 11:04:22,487 ERROR 
[org.apereo.cas.authentication.DefaultAuthenticationManager] - 
2023-08-25 11:04:22,487 ERROR 
[org.apereo.cas.authentication.DefaultAuthenticationManager] - 
<[GoogleAuthenticatorAuthenticationHandler]: [Secret cannot be null.]>

I still have this record in the database with id=1692865323865, related to the 
"casuser" and the registered authenticator. The "secretKey" property is still 
not null.

I have set "cas.authn.mfa.gauth.core.multiple-device-registration-enabled" to 
true, and I am indeed allowed to pair additional authenticators with my 
accounts. But doing so gives no result; there is still only one record in the 
database.
If I manually add a forged record corresponding to a second authenticator, it's 
better: I have a list of authenticators I can choose from.

So I decided to study the internals a bit further, by adding logging directives 
here and there.

But I have more and more the feeling something is wrong or is beyond my current 
understanding to say the least.

As you suggested, maybe I am looking in the wrong place, expecting to see log 
messages from methods which are never called in this use case?

There is some garbage collector removing the old tokens (and it's working 
flawlessly), logging something like:
2023-08-25 11:01:11,218 DEBUG 
[org.apereo.cas.gauth.token.GoogleAuthenticatorCouchDbTokenRepository] - 


After greping the whole source tree, it seems this message is unique and indeed 
located in "cleanInternal" method from 

Re: [cas-user] Help about Front-end and back-end separation architecture

2023-08-25 Thread Ray Bon
Benny,

Front end customizations are described here, 
https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/#user-interface-customizations
https://fawnoos.com/2022/07/22/cas66-ui-themes/
https://apereo.github.io/cas/6.6.x/ux/User-Interface-Customization.html

Cas has a rest interface, 
https://apereo.github.io/cas/6.6.x/protocol/REST-Protocol.html

Ray

On Thu, 2023-08-24 at 20:04 -0700, Benny Lu wrote:


Hi:

After browsing extensively online about CAS SSO, I've noticed that most login 
pages utilize native frontend frameworks. Could you please provide information 
on how to personalize and customize our own login page, as well as how to 
implement a separated frontend-backend login page (for instance, using the 
Vue.js language)?

Regards



Re: [cas-user] CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-24 Thread Ray Bon
The paid for version of intellij does not support remote editing either (sigh). 
Your dev setup sounds fine and you should not have to worry about your local 
machine since it is only used for editing. I only use intellij for code 
completion and class/method references. I always build/run on the command line.

Are you creating a log4j2.xml file or adding to the one already in the project, 
https://github.com/apereo/cas/blob/6.6.x/webapp/cas-server-webapp-resources/src/main/resources/log4j2.xml

When running, the default location for the log config file is 
/etc/cas/log4j2.xml (at least when using the overlay), so make sure you are 
editing the correct file. By setting your custom loggers to 'error' or 'fatal', 
you do not have to edit the log config.

When you say no records are in the database after a restart; are you talking 
about a cas restart, a couchdb restart, or both?
Is it possible that a cas restart re-initializes the db? (I have not used any 
cas db functionality, so am unfamiliar with its operation or config.)
Can you check that the records exist in couchdb?
How are cas tickets being stored?

I would guess that cas finds a record in couchdb by TGT id. If the ticket store 
is lost on a restart, then cas would have no way of finding anything in the db. 
(Again, I know nothing of how cas uses databases.)

Ray

On Thu, 2023-08-24 at 09:36 +0200, spfma.tech via CAS Community wrote:

Hi,

Thanks for your answer.
 
https://github.com/apereo/cas/blob/6.6.x/webapp/cas-server-webapp-resources/src/main/resources/log4j2.xml
I chose this storage system because my goal is to set up an active/passive pair 
of servers (with continuous db replication on the passive side and automatic 
seamless failover) in order to provide high availability.
It was the only supported backend I have found providing an easy way to achieve 
this goal (no three-tier cluster with quorum and/or manual failover with a 
conventional RDBMS).

But according to John's answer, I think I will have to change my mind anyway.

As my computer does not meet the requirements for serious Java development, I 
am working remotely on a beefed-up VM with plenty of RAM and CPU cores. And 
for that, VSCode has a very nice remote session extension, using ssh. Since 
Java related extensions don't seem to work correctly this way (maybe they work 
better locally, I don't have enough resources to test it), I am indeed using two 
shell sessions to run commands: one for building (clean build), and the other 
one for running (bootRun).

I have seen some posts here and there relating unexplainable problems with 
Gradle, and wiping out all the folders solved them. So I gave a try too !

My actual log4j config has a logger defined this way :







And I am adding "LOGGER.debug" directives here and there. Should it be ok?

I had a look at several IDEs, and IDEA free has no remote support unfortunately. 
Need to have a look at Eclipse and Netbeans too, but it seems they have the 
same limitations. So better make a wise choice before investing time and energy 
in such a complex product.

Regards

On 23-Aug-2023 19:53:05 +0200, r...@uvic.ca wrote:
Could you use a different storage system?

I do not see the couchdb module in the current development branch. Not sure if 
it is being removed or if a different module takes on that feature.

Instead of running gradlew in vscode, you can run it from the command line. The 
'clean' part of the command will remove all .class files; no need to get rid of 
gradle directories unless you are changing gradle version (which you should 
not).
Once you build the project, remove 'clean'; only modified packages will be 
rebuilt (will be fine for logging, but not for api changes).

It is possible that method is not being called. You could put your logging 
statement in every method in that class to be sure. Also, use error level 
logging. Default logging for that class may not show at info or debug. Or add 
to log4j2.xml:



If you want a more 'capable' development environment, here are some notes on 
intellij (I think there is a free version), 
https://apereo.github.io/cas/development/developer/Build-Process.html#intellij-idea

Ray

On Wed, 2023-08-23 at 17:43 +0200, spfma.tech via CAS Community wrote:

Hi,

I am still trying to understand what is wrong with 
"cas-server-support-gauth-couchdb" (only the first authenticator is recorded in 
the database, none is working anymore after a restart).

As I am not a Java dev (I don't have the skills and don't have the most 
convenient tools), my idea was to add some logging directives here and there to 
trace the process, using the latest branch of the application source code (not 
the overlay one).

Can 

Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-23 Thread Ray Bon
Diego,

A service (application) can be configured to trigger MFA 
https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-PerApplication.html
 and block (bypass=false) or with groovy script 
https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Bypass.html#bypass-via-groovy

Ray

On Wed, 2023-08-23 at 11:23 -0700, Diego Gimenez wrote:


I tried using @class instead of _class for my service and CAS will not launch; 
I am struggling to find a solution. Can you show me your build.gradle and your 
cas.properties so I can try it and see if the problem may be in any of my local 
build.gradle or cas.properties?

What I mean with that sentence is that I am looking for other solutions to 
trigger an MFA based on a specific service. The one that I thought about was 
using Groovy to detect a certain serviceId (i.e. https/http prefix) and decide if 
it should actually trigger an MFA authentication or not. So the part that I am 
missing is how to actually block an authentication attempt (based on testing, 
I've found that if you return null in a Groovy script to trigger a certain MFA, 
the authentication will proceed, and I want to do the opposite). I know it is not 
optimal, but given the fact that I am unable to trigger an MFA authentication 
by service I am looking for options! The image below shows an example of what I 
want to do.


On Wednesday, 23 August 2023 at 13:12:06 UTC-3 John wrote:
Forgot, what do you mean by this? "Is there a way to block authentication when 
using Groovy to trigger the mfa?" Can you post what you're doing in groovy to 
get a better idea?

On Wednesday, August 23, 2023 at 10:01:04 AM UTC-5 diego@unc.edu.ar wrote:
Hello John,

first of all, thanks for your response.

Unfortunately, it did not work. I am using the CAS overlay and set 
`cas.version=6.6.10` in `gradle.properties`. However, the trigger is still not 
working, I used a Groovy script to trigger mfa and printed the registered 
service as I did before. I have a question that is not directly related. Is 
there a way to block authentication when using Groovy to trigger the mfa? That 
would temporarily work. (The only method I found was to throw an exception on 
purpose, but that won't provide feedback to the user with what went wrong)

On Wednesday, 23 August 2023 at 10:13:38 UTC-3 John wrote:
You have an array set, there was a bug in earlier 6.6 versions and was fixed in 
a later 6.6 release. Please update to the latest 6.6.x release and it will work 
as it should.

On Wednesday, August 23, 2023 at 7:50:48 AM UTC-5 diego@unc.edu.ar wrote:
Hello Ray,

Sorry about that.

I attach the registered service and the providers I get from the service. I 
used a Groovy script to print the registered service.

I have tried using @class instead of _class and it did not make any difference; 
I also tried to search through the CAS source code and I have the hypothesis that 
it might not be detecting either the policy or the providers I am using.

On Friday, 18 August 2023 at 20:19:18 UTC-3 Ray Bon wrote:
Diego,

Image did not come through.

Ray

On Fri, 2023-08-18 at 11:46 -0700, 'Diego Gimenez' via CAS Community wrote:

Hello. As the title says I can't make an MFA trigger per service. Looks like 
the service can't detect such provider as shown in the following image.



Re: [cas-user] CAS 6.6.11 : help needed for cas-server-support-gauth-couchdb debugging

2023-08-23 Thread Ray Bon
Could you use a different storage system?

I do not see the couchdb module in the current development branch. Not sure if 
it is being removed or if a different module takes on that feature.

Instead of running gradlew in vscode, you can run it from the command line. The 
'clean' part of the command will remove all .class files; no need to get rid of 
gradle directories unless you are changing gradle version (which you should 
not).
Once you build the project, remove 'clean'; only modified packages will be 
rebuilt (will be fine for logging, but not for api changes).

It is possible that method is not being called. You could put your logging 
statement in every method in that class to be sure. Also, use error level 
logging. Default logging for that class may not show at info or debug. Or add 
to log4j2.xml:



If you want a more 'capable' development environment, here are some notes on 
intellij (I think there is a free version), 
https://apereo.github.io/cas/development/developer/Build-Process.html#intellij-idea

Ray

On Wed, 2023-08-23 at 17:43 +0200, spfma.tech via CAS Community wrote:

Hi,

I am still trying to understand what is wrong with 
"cas-server-support-gauth-couchdb" (only the first authenticator is recorded in 
the database, none is working anymore after a restart).

As I am not a Java dev (I don't have the skills and don't have the most 
convenient tools), my idea was to add some logging directives here and there to 
trace the process, using the latest branch of the application source code (not 
the overlay one).

Can someone confirm I am doing the right way :
- add "import lombok.extern.slf4j.Slf4j;" if missing on the top of the class 
file
- anotate the class definition with "@Slf4j"
- put stuff like "LOGGER.debug" or "LOGGER.info" as needed

VSCode is my tool, and it seems convenient extensions for Java/Maven/Gradle are 
not able to handle a big project like CAS (language server crashing and 
restarting all the time, Gradle extensions unable to build a tree of all 
subprojects without crashing, ...) so I don't mind using the good old manual 
way instead of wasting time.

After modifying the code here and there, I rebuild the whole app with 
"./gradlew clean build --parallel --configure-on-demand --stacktrace 
--no-daemon -x checkstyleMain" at the root of the project.

And "cas/webapp/cas-server-webapp-jetty$ ../../gradlew bootRun --parallel 
--configure-on-demand --build-cache --stacktrace --no-daemon -x checkstyleMain" 
allows me to try it (we use it with Jetty in production).

The app is running, I can reproduce the problems, but I have the feeling my 
modifications don't exist, as none of my custom logging messages is displayed.

For an example, I added a simple logging flag in this file 
"support/cas-server-support-gauth-couchdb/src/main/java/org/apereo/cas/couchdb/gauth/credential/GoogleAuthenticatorAccountCouchDbRepository.java"
 this way :

    @View(name = "by_username", map = "function(doc) { if(doc.secretKey) { emit(doc.username, doc) } }")
    public List findByUsername(final String username) {
        // custom trace to confirm the lookup is reached
        LOGGER.debug("[MY_DEBUG_STUFF] findByUsername@GoogleAuthenticatorAccountCouchDbRepository={}", username);
        try {
            return queryView("by_username", username.trim().toLowerCase());
        } catch (final DocumentNotFoundException e) {
            LOGGER.trace(e.getMessage(), e);
        }
        return new ArrayList<>(0);
    }

as I think it's the one responsible for database lookup, according to the 
request I have seen coming on database side.

But nothing in the logs ... Maybe I am not tagging the right source file ?

So why not tweak a known existing log message, it is safer. In 
"support/cas-server-support-gauth-couchdb/src/main/java/org/apereo/cas/gauth/token/GoogleAuthenticatorCouchDbTokenRepository.java"
 I changed the message in "cleanInternal" method. The string "Removing tokens 
older than" is only found in this file, so I think it's spot on.

After rebuilding and restarting the application, I still get the original 
message in my logs.

DEBUG [org.apereo.cas.gauth.token.GoogleAuthenticatorCouchDbTokenRepository] - 



Re: [cas-user] CAS 6.6.x manipulation of attribute-repository

2023-08-21 Thread Ray Bon
Florent,

In LDAP the 'role' (from the linked example) would/should be multi valued 
unlike the multi row of a database. If group1 has its own dn from group2, you 
could use a groovy script to merge them, 
https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution-Groovy.html

Ray

On Mon, 2023-08-21 at 06:31 -0700, Florent Thomas wrote:


Hi everyone,
I'm running a fresh 6.6.x CAS connected to ldap.
I'm starting to work with attribute-repository and person directory.
I'm trying to add an attribute that concatenates the ldap groups of which the 
current user is a member.
At this point I'm succeeding in returning and sharing the first group of the 
ldap search.
Yet I would like to have something like: group1,group2,group3
This is well explained here 
https://fawnoos.com/2018/02/20/cas-service-rbac-attributeresolution/#jdbc-attribute-retrieval
for the jdbc part but not for the LDAP part.
What is the process to aggregate / normalise the group list to a list of groups?
Thanks



Re: [cas-user] Version 6.5.9.2 not available for download in github

2023-08-21 Thread Ray Bon
Taieb,

You can set the two version properties in gradle.properties to 6.5.9.2 and 
build.

Ray

On Mon, 2023-08-21 at 01:48 -0700, Taieb Riahi wrote:

Hi,

Version 6.5.9.1 not available for download in github. Should address the 
vulnerability issue CAS OpenID Connect Vulnerability Disclosure – Apereo 
Community Blog

Regards,
Taieb



Re: [cas-user] CAS 6.6.0 MFA Per application trigger not working

2023-08-18 Thread Ray Bon
Diego,

Image did not come through.

Ray

On Fri, 2023-08-18 at 11:46 -0700, 'Diego Gimenez' via CAS Community wrote:

Hello. As the title says I can't make an MFA trigger per service. Looks like 
the service can't detect such provider as shown in the following image.




Re: [cas-user] Radius -MFA in cas 6.6.8

2023-08-17 Thread Ray Bon
Vikash,

I have these ldap properties for cas authentication:

cas.authn.ldap[0].type=
cas.authn.ldap[0].ldapUrl=
cas.authn.ldap[0].connectTimeout=
cas.authn.ldap[0].baseDn=
cas.authn.ldap[0].subtreeSearch=
cas.authn.ldap[0].searchFilter=
cas.authn.ldap[0].bindDn=cn=
cas.authn.ldap[0].bindCredential=

I have not used Radius, so I am unfamiliar with its config. 
https://apereo.github.io/cas/6.6.x/mfa/RADIUS-Authentication.html

Ray

On Thu, 2023-08-17 at 15:46 +0530, Vikash Chandra Ansh wrote:

Hi Ray,

Could you please suggest what properties need to be enabled to use Radius 
as 2FA? My primary authentication will be LDAP.

Thanks and Regards
Vikash Chandra

On Thu, Aug 10, 2023, 2:27 PM Vikash Chandra Ansh <vikasharnav0...@gmail.com> wrote:
Hi Ray,

We have the NW change in place. There is UDP connectivity from my cas server to the 
radius server (unidirectional) on ports 1812 and 1813.


On Wed, Aug 9, 2023, 10:29 PM Ray Bon <r...@uvic.ca> wrote:
Vikash,

Is it possible there is a network issue?

Ray

On Tue, 2023-08-08 at 17:20 +0530, Vikash Chandra Ansh wrote:

Hi Everyone,

We are trying to implement RADIUS MFA in CAS. In our case, our primary 
authentication will be LDAP, and then for MFA we need RSA.

I have also added the dependency cas-server-support-radius-mfa.

I have added the required properties like client.inet-address and shared-secret.
But I still cannot see any hit on the RADIUS server.
Can anyone please help here?

Cas version I am using is 6.6.8.

Thanks and regards
Vikash Chandra


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ebab25780f77a0697d2191e2fc4e466d00d59f56.camel%40uvic.ca.



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/42932cfeeb2c1bfac9ca42c058f6017b46ab6196.camel%40uvic.ca.
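The thread above ends with "UDP connectivity exists, but no hit on the RADIUS server", which is exactly the situation a direct RADIUS probe separates into its causes. The following is an added example, not code from the thread, from CAS or from cas-server-support-radius-mfa: a minimal RFC 2865 Access-Request client of the kind radtest implements. It builds the request with PAP password hiding under the shared secret, sends it to port 1812, and verifies the server's Response Authenticator before believing an Access-Accept or Access-Reject. No reply points at the network path or at the NAS client not being registered on the server; a reply that fails the authenticator check points at a shared-secret mismatch. The server name, NAS IP, username, password and secret in the usage are constructed placeholders.

```python
"""Build an RFC 2865 Access-Request and verify the server's Response Authenticator.

Added example; not code from the thread, from CAS, or from cas-server-support-radius-mfa.
Every host, secret and credential below is a constructed placeholder.
"""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes the header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_pap_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_pap_password (what the server does); trailing padding removed."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: str, password: str, nas_ip: str,
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator); the authenticator must be fresh random per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """What a server sends back; included so the check below can be exercised offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply that fails this check was not produced with our shared secret; never act on it."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(server: str, secret: bytes, username: str, password: str, nas_ip: str,
          port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request and classify the outcome (network call; not used by the offline checks)."""
    packet, req_auth = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply (firewall, wrong port, or this NAS IP not registered on the server)"
    if not response_is_authentic(reply, req_auth, secret):
        return "reply failed the Response Authenticator check: shared secret mismatch"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(reply[0], f"code {reply[0]}")


if __name__ == "__main__":
    # Constructed placeholders; replace with the server CAS's cas.authn.mfa.radius client points at.
    try:
        print(probe("radius.example.test", b"replace-me", "testuser", "testpass", "10.0.0.5"))
    except OSError as exc:
        print(f"could not reach the server: {exc}")
```

Run it from the CAS host itself with the same NAS IP (client.inet-address) and secret CAS is configured with, so the server sees the same client it would see from CAS.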


Re: [cas-user] SAML delegation CAS 6.6.x, which XML to use on ClientApp side, IDP or SP metadata?

2023-08-16 Thread Ray Bon
Yan,

There are two independent steps; bootsp2 -> cas (SP -> IdP), and cas -> okta 
(SP -> IdP).
See 
https://apereo.github.io/cas/6.6.x/protocol/Protocol-Overview.html#the-bridge 
for an explanation.

Delegation can be per service or global. I have not used delegation so am 
unsure why the cas login page is showing; unless it is giving the user a chance to 
select the IdP.

For the IdP XML for bootsp2, you can paste the url in your browser and see if 
the metadata is correct (for cas as IdP).

Ray

On Wed, 2023-08-16 at 08:26 -0700, Yan Zhou wrote:

Hi there,

I am a bit confused by a couple of configurations.

Say client app (bootsp2) wants to authN against CAS 6.6.x via SAML2, which 
delegates to Okta IdP using SAML2.

CAS starts up fine, and generates metadata for the SP as well.

1. My CAS login page, under External Provider, shows "bootsp2", not "Okta". 
This does not sound right.

Is that because of this line in cas.properties? I see nowhere else to indicate 
the name of the external provider.

cas.authn.pac4j.saml[0].clientName=bootsp2

2. On my client app (bootsp2), it needs the IdP XML; which one should I use?

https://cinwl912vj2j.us.qdx.com:8443/cas/sp/metadata,  OR
https://cinwl912vj2j.us.qdx.com:8443/cas/sp/idp/metadata

It feels like I need to take sp/metadata and place it as the IdP on the client side, 
since the flow is client -> CAS -> Okta?

thanks,
yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6de0f03fe27cf1c42aec91836826b6fa3a0c3a45.camel%40uvic.ca.


Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-14 Thread Ray Bon
Yan,

I was browsing the docs and
cas.authn.pac4j.saml[0].serviceProviderMetadataPath
cas.authn.pac4j.saml[0].serviceProviderEntityId
are the metadata settings for cas acting as a service provider, not for the destination application.
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-SAML.html

Ray


On Mon, 2023-08-14 at 12:25 -0700, Yan Zhou wrote:

I think I am missing something fundamental, but I do not know what it is.

I first excluded the dependency on cas-server-support-saml-idp because CAS is 
delegating authN to Okta; I realized the login page does not even come up, and 
nothing shows in SAML Tracer. Then I added this dependency, see below.

implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"

Now the login page comes up, and I can see the authN request coming to CAS, but I 
do not see how CAS delegates authN. It seems that something is missing so that 
CAS is -not- generating SP metadata, which it should. Not sure what I am 
missing.

I based my cas.properties on the following documentation, but it is not 
working, i.e., nothing is being generated by CAS, and no error either.

In delegated authN, when the client comes to CAS, which then delegates to Okta, should 
/cas/idp/profile/SAML2/POST/SSO be called at all?

# Settings required for CAS SP metadata generation process
# The keystore will be automatically generated by CAS with
# keys required for the metadata generation and/or exchange.
#
# cas.authn.pac4j.saml[0].keystorePassword=
# cas.authn.pac4j.saml[0].privateKeyPassword=
# cas.authn.pac4j.saml[0].keystorePath=
# The entityID assigned to CAS acting as the SP
# cas.authn.pac4j.saml[0].serviceProviderEntityId=
# Path to the auto-generated CAS SP metadata
# cas.authn.pac4j.saml[0].serviceProviderMetadataPath=
# cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=
# Path/URL to delegated IdP metadata
# cas.authn.pac4j.saml[0].identityProviderMetadataPath=
On Monday, August 14, 2023 at 1:53:24 PM UTC-4 Ray Bon wrote:
Yan,

Is it possible that the okta-cas config is incorrect and okta is returning an 
error response which cas does not understand?
Are you using SAML Tracer to see the exchanges between SPs and IdPs?
If the keystore is not created, you can create it yourself. Or, turn off SAML 
encryption between SPs and IdPs.

Ray

On Fri, 2023-08-11 at 13:42 -0700, Yan Zhou wrote:


Hi there,

When CAS is the SAML2 IdP, I am able to run a client app authenticating 
successfully. But I have trouble when CAS delegates authN to Okta (CAS is set up 
as an SP in Okta).

Client app runs on localhost:8081, CAS 6.6.x runs on localhost:8443 and 
delegates to Okta SAML2 IdP.

Here is my problem; I likely misunderstood how delegated authN should work, but 
do not know how.

When I go to the client, localhost:8081, it redirects to: 
http://localhost:8081/saml/login?idp=https%3A%2F%2Flocalhost%3A8443%2Fidp

which redirects to:  https://localhost:8443/cas/idp/profile/SAML2/POST/SSO

I would expect the Okta login page to come up, but I am getting a CAS error page that 
says "Page Not Found". I did not see any error in the CAS log.



In Okta, I configured my local CAS as a SAML 2.0 application

==

SSO URL:  https://localhost:8443/cas/login
Audience URI:   https://localhost:8443/cas/idp

cas.properties

==

cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
<== I do not see the keystore being created; why is this not created?
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=http://localhost:8081/saml/metadata
<== same SP entity ID as when CAS was the IdP itself, without delegated authN
cas.authn.pac4j.saml[0].clientName=bootsp2
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=1209600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/spmetadata/1005-metadata.xml
<== same SP metadata as when CAS was the IdP itself, without delegated authN
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-11792448.okta.com/app/exkas4vj25jdUfJEx5d7/sso/saml/metadata
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].userNameQualifier=false





JSON file in service registry

===

Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working

2023-08-14 Thread Ray Bon
Yan,

Is it possible that the okta-cas config is incorrect and okta is returning an 
error response which cas does not understand?
Are you using SAML Tracer to see the exchanges between SPs and IdPs?
If the keystore is not created, you can create it yourself. Or, turn off SAML 
encryption between SPs and IdPs.

Ray

On Fri, 2023-08-11 at 13:42 -0700, Yan Zhou wrote:


Hi there,

When CAS is the SAML2 IdP, I am able to run a client app authenticating 
successfully. But I have trouble when CAS delegates authN to Okta (CAS is set up 
as an SP in Okta).

Client app runs on localhost:8081, CAS 6.6.x runs on localhost:8443 and 
delegates to Okta SAML2 IdP.

Here is my problem; I likely misunderstood how delegated authN should work, but 
do not know how.

When I go to the client, localhost:8081, it redirects to: 
http://localhost:8081/saml/login?idp=https%3A%2F%2Flocalhost%3A8443%2Fidp

which redirects to:  https://localhost:8443/cas/idp/profile/SAML2/POST/SSO

I would expect the Okta login page to come up, but I am getting a CAS error page that 
says "Page Not Found". I did not see any error in the CAS log.



In Okta, I configured my local CAS as a SAML 2.0 application

==

SSO URL:  https://localhost:8443/cas/login
Audience URI:   https://localhost:8443/cas/idp

cas.properties

==

cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
<== I do not see the keystore being created; why is this not created?
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=http://localhost:8081/saml/metadata
<== same SP entity ID as when CAS was the IdP itself, without delegated authN
cas.authn.pac4j.saml[0].clientName=bootsp2
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=1209600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/spmetadata/1005-metadata.xml
<== same SP metadata as when CAS was the IdP itself, without delegated authN
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-11792448.okta.com/app/exkas4vj25jdUfJEx5d7/sso/saml/metadata
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].userNameQualifier=false





JSON file in service registry

==

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "bootsp2",
  "name" : "bootsp2",
  "id" : 1005,
  "description" : "sample",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
  }
}


thanks,

Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d3a6fe1f993368f34660bba24350724934c9787a.camel%40uvic.ca.
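Both SAML delegation threads above (which XML the client app needs, and whether the SP metadata CAS should generate is the right kind of document) come down to reading the metadata rather than guessing from its URL. The following is an added example, not code from the threads, from CAS or from pac4j: it does programmatically what Ray suggested doing in the browser. It parses a SAML 2.0 EntityDescriptor and reports its entityID, which role it declares (an IDPSSODescriptor is what a client app such as bootsp2 needs when CAS is its IdP; an SPSSODescriptor is what cas.authn.pac4j.saml[0].serviceProviderMetadataPath holds for CAS as an SP towards Okta), its endpoints with bindings, and how many signing and encryption keys it carries. The two metadata documents embedded below are constructed samples and their host names are placeholders.

```python
"""Report which SAML 2.0 role(s) a metadata document describes.

Added example; not code from the thread or from CAS/pac4j. The sample documents
and host names below are constructed placeholders.
"""
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
ROLES = ("IDPSSODescriptor", "SPSSODescriptor")
ENDPOINTS = ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService")


@dataclass
class MetadataSummary:
    entity_id: str
    roles: List[str] = field(default_factory=list)
    # (role, element, binding, location)
    endpoints: List[Tuple[str, str, str, str]] = field(default_factory=list)
    signing_certs: int = 0
    encryption_certs: int = 0


def summarize(xml_text: str) -> MetadataSummary:
    """Parse one md:EntityDescriptor; raises on an EntitiesDescriptor or a non-metadata document."""
    root = ET.fromstring(xml_text)  # stdlib expat does not resolve external entities
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("expected md:EntityDescriptor, got " + root.tag)
    summary = MetadataSummary(root.get("entityID", ""))
    for role in root:
        name = role.tag.replace(MD, "")
        if name not in ROLES:
            continue  # Organization, ContactPerson, AttributeAuthorityDescriptor, ...
        summary.roles.append(name)
        for child in role:
            child_name = child.tag.replace(MD, "")
            if child_name in ENDPOINTS:
                summary.endpoints.append(
                    (name, child_name, child.get("Binding", ""), child.get("Location", "")))
            elif child_name == "KeyDescriptor":
                use = child.get("use", "both")  # no 'use' attribute means the key serves both purposes
                if use in ("signing", "both"):
                    summary.signing_certs += 1
                if use in ("encryption", "both"):
                    summary.encryption_certs += 1
    return summary


def usable_as(summary: MetadataSummary, side: str) -> bool:
    """side='idp': can a client app point at this document as its IdP? side='sp': does it describe an SP?"""
    return {"idp": "IDPSSODescriptor", "sp": "SPSSODescriptor"}[side] in summary.roles


def fetch_summary(url: str) -> MetadataSummary:
    """Network helper: fetch and summarize metadata served by a URL (not used by the offline checks)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return summarize(resp.read().decode("utf-8"))


# Constructed sample: what a client app expects from its IdP (here CAS acting as IdP).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://cas.example.test/cas/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cas.example.test/cas/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cas.example.test/cas/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the kind of document CAS generates for itself as an SP towards Okta.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://cas.example.test/cas/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cas.example.test/cas/login" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for doc in (IDP_METADATA, SP_METADATA):
        s = summarize(doc)
        print(s.entity_id, s.roles, "idp-usable:", usable_as(s, "idp"), "sp-usable:", usable_as(s, "sp"))
        for ep in s.endpoints:
            print("   ", ep)
```

Point fetch_summary at the URL you intend to hand to the client app: if the result is not usable_as "idp", that URL is the wrong document for the client side, whatever its path suggests.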


Re: [cas-user] Cas prefix don't work with empty value (/cas instead of ROOT context)

2023-08-14 Thread Ray Bon
Julien,

This sounds like a tomcat config issue (I have not used embedded tomcat). Maybe 
a config on this page 
https://apereo.github.io/cas/6.6.x/installation/Configuring-Servlet-Container-Embedded-Tomcat.html

Ray

On Fri, 2023-08-11 at 08:53 -0700, Julien Weillaert wrote:

Hi!

I use the Apereo CAS solution 6.6.10 successfully with the embedded Tomcat.
It works great, but I have never found a way to change the prefix in the URL, for 
example:

https://server-ncas.i-wel.fr/login

instead of:

https://server-ncas.i-wel.fr/cas/login

I put these parameters in my cas.properties:
cas.server.name=https://server-ncas.i-wel.fr
cas.server.prefix=
cas.host.name: cas

But it continues to work only with:
https://server-ncas.i-wel.fr/cas/login

The other URL gives me a 404 not found.
And if I call https://server-ncas.i-wel.fr -> it redirects me to /cas/login

The problem has already been posted here a few months ago, but no solution 
has been found.

I could use an external Tomcat with some rewriting rule, but I don't want to; 
the embedded Tomcat is much simpler, and the settings should work.

I also tried:
cas.server.prefix=/
cas.server.prefix=/test
cas.server.prefix=https://server-ncas.i-wel.fr/
cas.server.prefix=https://server-ncas.i-wel.fr/test
But same thing; it does not change anything, always cas.



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/afdfcd5c357dac7fee72b91220220152a9a69d07.camel%40uvic.ca.


Re: [cas-user] Re: CAS 5.1.X - In Delegated authentication mode, 'service' is coming as null from the session

2023-08-14 Thread Ray Bon
Sanjay,

Version 5.1 is very old. It is difficult to know if this is a bug in that 
version of cas or if it is a browser problem.
Your best, and safest, option is to upgrade and see if the issue persists.

Ray

On Thu, 2023-08-10 at 15:48 -0700, Sanjay Semwal wrote:

To add more to it, I have been getting the below pop-up intermittently for quite some 
time when I get the response back from delegated authentication. Any help 
would be highly appreciated.

[Screenshot 2023-08-10 at 3.45.12 PM.png]

Thanks
Sanjay

On Friday, June 9, 2023 at 9:01:44 PM UTC-7 sanjay...@rez1.mygbiz.com wrote:
Hello there,
I am using CAS 5.1.X and facing this problem intermittently. Can you please 
suggest a solution?

In my case CAS is working as the SP in delegated auth mode and Azure is the IdP. 
So when authentication is done on Azure, I get the SAML response. After that 
the control flow goes to the CAS library class 
"DelegatedClientAuthenticationAction", where it tries to fetch "service" from 
the session, which is coming back as a null object.
Here is the code fragment from DelegatedClientAuthenticationAction:

--
// retrieve parameters from web session
final Service service = (Service) session.getAttribute(CasProtocolConstants.PARAMETER_SERVICE);
context.getFlowScope().put(CasProtocolConstants.PARAMETER_SERVICE, service);
LOGGER.debug("Retrieve service: [{}]", service);


Any help would be appreciated on this.

Thanks
Sanjay

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3bd2cb54d2127f8933d5f7f9cc43fa61a72e3f08.camel%40uvic.ca.


Re: [cas-user] login with valid service but not getting ticket query parameter on redirect

2023-08-09 Thread Ray Bon
Pablo,


There are a number of maps associated with the web flow.
You can put to one of the maps, if needed. From your action class you can see 
their contents:

// authn attributes contains encrypted credential
// LOGGER.debug("auth attribs Map: " + WebUtils.getAuthentication(requestContext).getAttributes());
// printMap("attributes Map", requestContext.getAttributes().asMap());
// printMap("conversation Map", requestContext.getConversationScope().asMap());
// printMap("flash Map", requestContext.getFlashScope().asMap());
// printMap("flow scope Map", requestContext.getFlowScope().asMap());
// printMap("request Map", requestContext.getRequestScope().asMap());
// printMap("parameter Map", requestContext.getRequestParameters().asMap());

// dump one web flow scope at TRACE level, one key per line
private void printMap(String identifier, Map<String, Object> mam) {
    LOGGER.trace(identifier + ": [" + mam.keySet().size() + "]:");
    for (String key : mam.keySet()) {
        LOGGER.trace("\t" + key + " : " + mam.get(key));
    }
}

Ray

On Wed, 2023-08-09 at 17:23 -0700, Pablo Vidaurri wrote:

It looks like I'm losing the request scope, or at least the service ticket:


2023-08-08 15:25:26,057 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - https://localhost:8443] and added it to the request 
scope>
2023-08-08 15:25:26,057 DEBUG [org.apereo.cas.web.flow.MyCustomAction] - 

...
2023-08-08 15:25:27,186 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - 

Inside MyCustomAction.java, I can confirm I have a requestScope with the ST. My 
custom action will trigger a redirect to a view. After my view it seems I lose 
the ST.

Do I need to pass my requestScope or ST along with my form inside my view via 
an input form parameter?

-psv


On Wednesday, August 9, 2023 at 2:50:18 PM UTC-5 Pablo Vidaurri wrote:
Hi Ray, this looks to be a self-inflicted issue.

We have a custom login webflow and have injected a view between the 
generateServiceTicket and redirect action/view states. When I disable this 
custom step, all works fine. I haven't been able to trace my issue, but it is my 
issue.

-psv

On Thursday, August 3, 2023 at 9:24:17 AM UTC-5 Ray Bon wrote:
Pablo,

What version of Cas is this?

Check your logs. The audit log records the authentication events, including 
ticket creation.

Ray

On Wed, 2023-08-02 at 14:39 -0700, Pablo Vidaurri wrote:

I am seeing a problem where, after a successful login, a redirect is happening back 
to the service URL but does not have a ticket=ST- query parameter. This of 
course means that the service has no ticket to go validate. But if I hit the 
login page again, I get the ticket on the 2nd try.

1) https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login
2) after login, redirects to https://myapp.newco.com/cas/login, with no ticket
3) since there is no ticket, login to the app fails.
4) I go to 
https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login again
5) immediately redirects back to https://myapp.xxx.com/cas/login?ticket=ST-
6) now logged into the app

Why would ticket not be sent the first time?

-psv



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c5051cfaa43e42b1daef17e1a963f18b127b5085.camel%40uvic.ca.


Re: [cas-user] Re: Is Azure AD B2C Supported in CAS 6.6.8?

2023-08-09 Thread Ray Bon
Pablo,

This logger may help:




Ray

On Wed, 2023-08-09 at 12:12 -0700, Pablo Vidaurri wrote:

Still having an issue. Trying to figure out if it's a config issue on the CAS side 
or a setup issue on the Azure AD side.

We are spinning up a new instance of Azure AD B2C. I was given an endpoint with 
an example payload to use to verify user credentials. Using Postman, that API 
works. But it does not appear CAS is doing the same.

API used via Postman, where b2c_xxx_ropc is the user policy flow:

POST /b2cxyz..xxx/b2c_xxx_ropc/oauth2/v2.0/token HTTP/1.1
Host: xxx.b2clogin.com
Content-Type: application/x-www-form-urlencoded

body:
grant_type:password
scope:openid 
username:someu...@mydomain.com
password:myPwd123
client_id:
response_type:token id_token

I get back a token. Now trying with CAS:

For CAS, I'm using the config below for Azure AD:
cas.authn.azure-active-directory.client-id
cas.authn.azure-active-directory.login-url=https://xxx.b2clogin.com/b2cxyz..xxx/b2c_xxx_ropc/oauth2/v2.0/token

Message in log:
[Invalid credentials: com.microsoft.aad.adal4j.AuthenticationException: Server 
returned HTTP response code: 404 for URL : https:// 
xxx.b2clogin.com/common/userrealm/someuser@ .com?api-version=1.0, Error 
details : The resource you are looking for has been removed, had its name 
changed, or is temporarily unavailable.].>

Any assistance would be appreciated.

-psv
On Thursday, August 3, 2023 at 9:33:47 PM UTC-5 Pablo Vidaurri wrote:
Not sure if there is a difference between Azure AD and Azure AD B2C. Is B2C 
supported in CAS 6.6.8?

Looking at integrating with Azure AD B2C via my custom login page. I see a 
connection being made but always with same error message. It feels like I need 
to define some attributes that are not supported until CAS 7.0.

cas.authn.azure-active-directory.client-secret=
cas.authn.azure-active-directory.tenant=xxx
cas.authn.azure-active-directory.scope=xxx

Error message:
2023-08-03 17:21:59,481 TRACE 
[org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler]
 - 
2023-08-03 17:21:59,493 DEBUG 
[org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler]
 - https://graph.microsoft.com/] and client id 
[x] for user [x...@x.com]>
2023-08-03 17:22:00,192 ERROR [com.microsoft.aad.adal4j.AuthenticationContext] 
- <[Correlation ID: x] Execution of class 
com.microsoft.aad.adal4j.AcquireTokenCallable failed.>
com.microsoft.aad.adal4j.AuthenticationException: 
{"trace_id":"xxx","error_description":"AADSTS50034: The user account 
{EmailHidden} does not exist in thex.com directory. To 
sign into this application, the account must be added to the directory.Trace 
ID:  Correlation ID: x Timestamp: 2023-08-03 
22:22:00Z","correlation_id":"x","error":"invalid_grant","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50034","timestamp":"2023-08-03
 22:22:00Z"}
at 
com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:128)
 ~[adal4j-1.6.7.jar!/:1.6.7]
at 
com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:930)
 ~[adal4j-1.6.7.jar!/:1.6.7]
at 
com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:70)
 ~[adal4j-1.6.7.jar!/:1.6.7]
at 
com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:38)
 ~[adal4j-1.6.7.jar!/:1.6.7]
at com.microsoft.aad.adal4j.AdalCallable.call(AdalCallable.java:47) 
~[adal4j-1.6.7.jar!/:1.6.7]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) 
~[?:?]
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) 
~[?:?]
at java.lang.Thread.run(Thread.java:834) ~[?:?]


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/258dd549e2d310e7776ed731c283d50fb131dcad.camel%40uvic.ca.


Re: [cas-user] Radius -MFA in cas 6.6.8

2023-08-09 Thread Ray Bon
Vikash,

Is it possible there is a network issue?

Ray

On Tue, 2023-08-08 at 17:20 +0530, Vikash Chandra Ansh wrote:

Hi Everyone,

We are trying to implement RADIUS MFA in CAS. In our case, our primary 
authentication will be LDAP, and then for MFA we need RSA.

I have also added the dependency cas-server-support-radius-mfa.

I have added the required properties like client.inet-address and shared-secret.
But I still cannot see any hit on the RADIUS server.
Can anyone please help here?

Cas version I am using is 6.6.8.

Thanks and regards
Vikash Chandra

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ebab25780f77a0697d2191e2fc4e466d00d59f56.camel%40uvic.ca.


Re: [cas-user] SCIM configuration and I get an error "Using SCIM provisioning target [null]"

2023-08-09 Thread Ray Bon
Jakub,

This link, 
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-Provisioning.html#scim-provisioner,
 leads to, 
https://apereo.github.io/cas/6.6.x/integration/SCIM-Integration.html, which 
lists a required field (among others):
cas.scim.target

Ray

On Mon, 2023-08-07 at 21:31 -0700, JakubFr wrote:

Hi.
On CAS version 6.6, I've configured SCIM, but I'm getting this error.

  *   INFO [] - 
  *   DEBUG [] - 
  *   ERROR [] - 

I have no idea why I'm getting this error.

I enabled the option cas.scim.enabled=true in cas.properties and I have this 
service (scimTarget seems to exist):

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "SCIM",
  "id" : 24,
  "properties" : {
    "@class" : "java.util.HashMap",
    "scimOAuthToken" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "--REDACTED--" ] ]
    },
    "scimTarget" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "https://eu.[--REDACTED--]/v2" ] ]
    }
  }
}

Any idea why I'm getting this error?
Thanks

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d015c36fe1eca4bd52c443300414ab7689ab39a2.camel%40uvic.ca.


Re: [cas-user] shib-cas-authenticator, proxy tickets, and third-party services

2023-08-09 Thread Ray Bon
Janemarie,

Re proxy tickets. The user would not interact with service 2, just with service 
1. Service 1 can make calls to service 2 for data, etc.; or service 1 
could screen scrape service 2, or some other mechanism, to make it look like 
the user is accessing service 2. But the user only ever logs in to service 1 
(only one service ticket is issued). Service 1 and service 2 have to be 
registered in cas as proxy services, 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-Proxy-Authentication.html,
 and they need to know about cas so that service 1 can get proxy tickets and 
service 2 can validate them.

Cas can also support SAML. So perhaps adding that feature to cas and 
registering the service with cas instead of shib might help. 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SAML2-Authentication.html

However, if the service URL is initiating a saml transaction, it sounds like 
this should be solved in the configuration of the tile in RE.

Ray

On Mon, 2023-08-07 at 13:30 -0400, Janemarie Duh wrote:

Ray,

Thank you for your response.

Yes, your understanding is correct. For the one SAML service - there will be 
more - Shib hands off authn to CAS but Shibboleth controls the SSO session.

A barrier to Shib handling authn rather than CAS is that CAS logins are 
protected by 2FA. We don't have a solution in place yet for MFA on Shib for a 
number of reasons. Actually, in this case, that might not be an issue, but 
unless Shib could be made aware of the Ready Education auth token, or there is 
a Shib-native way to recognize the existing RE session, the user would still be 
prompted to log in a second time upon accessing service2.

Re: proxy tickets and back-end communication, wouldn't the proxy exchange work 
in cases where users access service2 from service1 and thus not require the 
user to log into service2? Particularly, if service2 was using CAS for authn, 
not shib-cas-authenticator?

  Janemarie

On Fri, Aug 4, 2023 at 4:08 PM Ray Bon wrote:
Janemarie,

Proxy tickets are for backend service communication. The user does not interact 
with the other service. It is not the same thing as proxied/delegated 
authentication.

If I understand correctly, shibboleth is handling the username/password and 
therefore the SSO session.
Does the one SAML service redirect to shibboleth or cas?

If the SAML request goes to cas, perhaps it can be delegated to shib, 
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication.html

Ray

On Fri, 2023-08-04 at 13:24 -0400, Janemarie Duh wrote:

We are running CAS v6.6.3 and Spring Boot v2.7.3 with two production nodes 
behind an LB. Hazelcast is used for managing tickets. CAS ticket timeouts are 
the default.

We are using shib-cas-authenticator v4.0.0 for external auth from our 
Shibboleth IdP (v4.1.6). Most, but not all, SAML services on the IdP go to CAS 
and there are numerous services that are CAS-only.

We have an implementation of Campus Cloud by Ready Education (makers of 
CampusGroups) as a portal to access third-party services that are integrated 
with the IdP or CAS. The Ready Education (RE) service itself uses SAML and 
shib-cas for SSO. The desired behavior is a user who is logged into RE / Campus 
Cloud should not be prompted to auth to a service they access from a tile 
within RE. The RE session itself only ends when a user clicks 'log out'.

There is no CAS client in front of RE. What RE does is create and pass its own 
auth token that CAS checks for using custom Java code. I'm not certain whether 
CAS creates tickets / sessions based on the presence of that token. The two 
CAS-only services we added as tiles to RE work as expected. The links on the 
tiles are in the form of $CAS_login_url?$service_url.

The one Shib-CAS service we added to RE doesn't work as desired. The service 
login URL initiates a SAML transaction and the user is prompted to 
authenticate. Our IdP controls SSO sessions, not CAS. Shib isn't aware of the 
RE auth token, plus it wouldn't know what to do with it. The question of how to 
make Shib aware of the RE token, possibly by configuring it to receive, store, 
and pass back the token to CAS might be a question for the Shib list.

Because of the shib-cas-authenticator integration, I'm starting with this list. 
Is anyone using RE's Campus Cloud or another portal platform with 
shib-cas-authenticator?

Though we're not particularly looking to replace the existing RE token java 
code, I question whether the implementation couldn't be streamlined by using 
CAS proxy tickets, particularly if they could be used in the Shib-CAS flow to 
provide seamless SSO.

Alternatively, cou

Re: [cas-user] shib-cas-authenticator, proxy tickets, and third-party services

2023-08-04 Thread Ray Bon
Janemarie,

Proxy tickets are for backend service communication. The user does not interact 
with the other service. It is not the same thing as proxied/delegated 
authentication.

If I understand correctly, shibboleth is handling the username/password and 
therefore the SSO session.
Does the one SAML service redirect to shibboleth or cas?

If the SAML request goes to cas, perhaps it can be delegated to shib, 
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication.html

Ray

On Fri, 2023-08-04 at 13:24 -0400, Janemarie Duh wrote:

We are running CAS v6.6.3 and Spring Boot v2.7.3 with two production nodes 
behind an LB. Hazelcast is used for managing tickets. CAS ticket timeouts are 
the default.

We are using shib-cas-authenticator v4.0.0 for external auth from our 
Shibboleth IdP (v4.1.6). Most, but not all, SAML services on the IdP go to CAS 
and there are numerous services that are CAS-only.

We have an implementation of Campus Cloud by Ready Education (makers of 
CampusGroups) as a portal to access third-party services that are integrated 
with the IdP or CAS. The Ready Education (RE) service itself uses SAML and 
shib-cas for SSO. The desired behavior is a user who is logged into RE / Campus 
Cloud should not be prompted to auth to a service they access from a tile 
within RE. The RE session itself only ends when a user clicks 'log out'.

There is no CAS client in front of RE. What RE does is create and pass its own 
auth token that CAS checks for using custom Java code. I'm not certain whether 
CAS creates tickets / sessions based on the presence of that token. The two 
CAS-only services we added as tiles to RE work as expected. The links on the 
tiles are in the form of $CAS_login_url?$service_url.

The one Shib-CAS service we added to RE doesn't work as desired. The service 
login URL initiates a SAML transaction and the user is prompted to 
authenticate. Our IdP controls SSO sessions, not CAS. Shib isn't aware of the 
RE auth token, plus it wouldn't know what to do with it. The question of how to 
make Shib aware of the RE token, possibly by configuring it to receive, store, 
and pass back the token to CAS might be a question for the Shib list.

Because of the shib-cas-authenticator integration, I'm starting with this list. 
Is anyone using RE's Campus Cloud or another portal platform with 
shib-cas-authenticator?

Though we're not particularly looking to replace the existing RE token java 
code, I question whether the implementation couldn't be streamlined by using 
CAS proxy tickets, particularly if they could be used in the Shib-CAS flow to 
provide seamless SSO.

Alternatively, could CAS create an ST based on the presence of the RE token to 
pass with the entityID of the Shib-CAS service in the assertion back to the IdP?

Any insight is much appreciated.

 Janemarie


--
Janemarie Duh
UD Information Technologies
Identity and Access Management Specialist
d...@udel.edu

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc2aa3b54a2635f7ed550ad3be88af8bcbe83958.camel%40uvic.ca.


Re: [cas-user] No CAS logs

2023-08-04 Thread Ray Bon
Andrew,

Tomcat has an access log, localhost_access_log.DATE.txt. Any problems should be 
in catalina.out.

Ray

On Thu, 2023-08-03 at 14:08 -0400, Andrew Tillinghast wrote:

We're going to be moving from cas 5.1.5 to cas 7 and I'm starting with cas 7 
vanilla to get used to the new changes and using gradle for overlay instead of 
maven.

I started a project with the Initializr and I'm deploying to Apache Tomcat 9. I 
made the logging change as per 
https://apereo.github.io/cas/6.6.x/installation/Configuring-Servlet-Container-External.html
and did gradle build from the command line. I copied the cas.war from build/lib 
and the tomcat logs show that cas deployed (I can browse through and see my 
changes), but when I try localhost:8080/cas or localhost:8080/cas/login I'm just 
getting a 404 error message and there is no cas.log file on the system.

I looked at the log4j2.xml in /etc/cas/config and changed the base.dir 
value to /var/log/tomcat, restarted tomcat, and no change: still 404 and no cas.log.

I'm not sure if I'm missing something with gradle or the changes to cas, if 
someone could point me in the right direction I'd appreciate it.

--
Andrew Tillinghast
Sr. Web Developer
atill...@conncoll.edu
270 Mohegan Avenue
New London, CT 06320-4196
Ph:860 439-5265 Fax:860 439-2871




Re: [cas-user] Setting up disk backup/log for Hazelcast cluster - Seeking advice

2023-08-04 Thread Ray Bon
Miguel,

If you have not done so already, you should post to hazelcast forums or see 
their documentation.

If you can rotate through your servers when bringing them down-up, hazelcast 
can preserve the tickets on the remaining hosts (if my understanding of 
hazelcast is correct).

Ray

On Fri, 2023-08-04 at 03:18 -0700, Miguel Martínez De Espronceda Cámara wrote:

Dear CAS users,

I'm looking to set up a disk backup/log for our Hazelcast cluster to ensure 
automatic ticket recovery after a complete cluster restart.

If you have experience with Hazelcast backups, please share your insights on 
effective configuration.

Thank you!

Best regards,
Miguel





Re: [cas-user] Failure throttling not working with Mixed SPNEGO authentication by-design?

2023-08-03 Thread Ray Bon
Petr,

Unfortunately, I do not have SPNEGO set up. We only have a single authn flow.

Ray

On Thu, 2023-08-03 at 08:58 -0700, Petr Bodnár wrote:

Ray,

the problem is I know all of that and have throttling correctly set up and 
working, except in this one scenario.

Do you think you could test this yourself? Or maybe you have done so already 
and failed to reproduce? I'm setting in log4j2.xml to see every request's details in the CAS log.

Note that the protocols you write about are something else, I am discussing the 
authentication flow itself here. See 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Throttling.html#failure-throttling,
 where this is written (and is apparently true; and increasing the rate to a 
high value would effectively go against the purpose of throttling):

> The failure threshold rate is calculated as: failureThreshold / 
> failureRangeInSeconds. For instance, the failure rate for the above scenario 
> would be 0.33. An authentication attempt may be considered throttled if 
> the request submission rate (calculated as the difference between the current 
> date and the last submission date) exceeds the failure threshold rate.

Petr

On Thursday, 3 August 2023 at 16:49:37 UTC+2 Ray Bon wrote:
Petr,

Check your throttling settings, 
https://apereo.github.io/cas/6.5.x/authentication/Configuring-Authentication-Throttling.html#configuration

It, cas.authn.throttle.failure.*, is a range per second (even when set to 
multiple seconds). If set, it should be more than 2 attempts per second.

If there is a round trip to the browser, it should be visible in the developer 
tools. Cas does perform some internal authentication to handle non cas 
protocols 
(https://apereo.github.io/cas/6.5.x/protocol/Protocol-Overview.html#the-bridge),
 the audit log events should state what is happening.

Ray

On Thu, 2023-08-03 at 00:17 -0700, Petr Bodnár wrote:

When turning on SPNEGO (typically for Kerberos SSO), together with CAS mixed 
authentication turned on (i.e. showing login form when SPNEGO fails), CAS login 
failure throttling seems to be broken.

Reproduction (tested with the 6.x CAS series, but probably manifests also in 
other versions):

  1.  User enters the CAS login page and SPNEGO fails for whatever reason (e.g. 
when in a testing environment).
  2.  User enters invalid credentials and submits the login form for the very 
first time (in a given period of time).
  3.  Expected: CAS shows "Invalid name or password" or similar to the user.
  4.  Actual: CAS shows "You've entered the wrong password for the user too 
many times. You've been throttled."

I couldn't find this reported anywhere, yet the issue's reason seems to be 
quite an evident shortcoming in the CAS Login Web Flow definition:

  *   there is this seemingly unnecessary transition from "failed login form 
submission" back to the very beginning of the login flow - which immediately 
launches the SPNEGO decision step, which sends the appropriate status 401 
and WWW-Authenticate (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate) 
header to the browser again
  *   upon this, browser reacts according to the specs, i.e. re-posts the login 
form immediately with a corresponding Authorization header (caution: this 
second request is not visible in browser's network console)
  *   as this happens within a few (tens of) milliseconds, the Failure 
throttling mechanism evaluates this as misbehavior and blocks the user as 
described above

I wonder if anybody also experienced this issue. And if so, what was your 
solution? Altering the web flow, altering the SPNEGO decision action class to 
remember its last decision, or something else?



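To make the quoted throttling rule concrete, here is an added Python model (not CAS's own code, and not from either poster) that replays the SPNEGO re-POST timeline from this thread against the 0.33/s threshold taken from the docs; the FailureThrottle class, the 20 ms re-POST gap, the username "alice" and the remember_spnego_decision switch are assumptions of the model, and it covers the duplicate copy of this report further down as well.

```python
"""Toy model of the CAS failure-throttling rule quoted in the thread.

Assumption (a simplification, not CAS code): the throttle keeps the time of the
last *failed* submission per key (username or IP) and reports a new submission
as throttled when 1 / (seconds since that failure) exceeds
failureThreshold / failureRangeInSeconds."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FailureThrottle:
    failure_threshold: int        # models cas.authn.throttle.failure.threshold
    failure_range_seconds: int    # models cas.authn.throttle.failure.range-seconds
    last_failure: Dict[str, float] = field(default_factory=dict)

    @property
    def threshold_rate(self) -> float:
        # The docs' example: threshold 1 over a 3-second range gives 0.33/s.
        return self.failure_threshold / self.failure_range_seconds

    def submit(self, key: str, now: float, credentials_ok: bool) -> str:
        """Evaluate one login form submission at time `now` (seconds).

        Returns "throttled", "failed" or "success". Only failed submissions
        are recorded, so the very first bad password is never throttled."""
        last = self.last_failure.get(key)
        if last is not None:
            elapsed = now - last
            # Submission rate implied by the gap since the previous failure.
            rate = float("inf") if elapsed <= 0 else 1.0 / elapsed
            if rate > self.threshold_rate:
                return "throttled"
        if credentials_ok:
            return "success"
        self.last_failure[key] = now
        return "failed"


def simulate_login_flow(throttle: FailureThrottle, key: str, now: float,
                        remember_spnego_decision: bool) -> List[str]:
    """Replay the web-flow loop from the report (constructed timeline).

    The user POSTs a bad password at `now`. The flow then returns to its start,
    the SPNEGO decision step answers 401 + WWW-Authenticate, and the browser
    re-POSTs the same form about 20 ms later. `remember_spnego_decision=True`
    models Petr's suggested change: the decision step recalls that SPNEGO
    already failed and issues no second challenge, so no re-POST happens."""
    results = [throttle.submit(key, now, credentials_ok=False)]
    if not remember_spnego_decision:
        results.append(throttle.submit(key, now + 0.02, credentials_ok=False))
    return results


def spnego_repost_scenario() -> List[str]:
    """Threshold 1 / range 3 s (0.33/s): the automatic re-POST 20 ms after the
    failure implies a rate of 50/s, so the user is throttled on what they
    perceive as their first attempt."""
    throttle = FailureThrottle(failure_threshold=1, failure_range_seconds=3)
    return simulate_login_flow(throttle, "alice", 10.0, remember_spnego_decision=False)


def remembered_decision_scenario() -> List[str]:
    """Same settings, but the SPNEGO decision is remembered: only the human's
    submission reaches the throttle and is reported as a plain failure."""
    throttle = FailureThrottle(failure_threshold=1, failure_range_seconds=3)
    return simulate_login_flow(throttle, "alice", 10.0, remember_spnego_decision=True)


def human_retry_scenario() -> List[str]:
    """Without SPNEGO: a retry 5 s after a failure (0.2/s) passes the 0.33/s
    threshold; a retry 1 s later (1.0/s) is throttled even with a good password."""
    throttle = FailureThrottle(failure_threshold=1, failure_range_seconds=3)
    return [
        throttle.submit("alice", 10.0, credentials_ok=False),
        throttle.submit("alice", 15.0, credentials_ok=False),
        throttle.submit("alice", 16.0, credentials_ok=True),
    ]


if __name__ == "__main__":
    print("SPNEGO re-POST:", spnego_repost_scenario())            # ['failed', 'throttled']
    print("decision remembered:", remembered_decision_scenario())  # ['failed']
    print("human retries:", human_retry_scenario())              # ['failed', 'failed', 'throttled']
```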

Re: [cas-user] Failure throttling not working with Mixed SPNEGO authentication by-design?

2023-08-03 Thread Ray Bon
Petr,

Check your throttling settings, 
https://apereo.github.io/cas/6.5.x/authentication/Configuring-Authentication-Throttling.html#configuration

It, cas.authn.throttle.failure.*, is a range per second (even when set to 
multiple seconds). If set, it should be more than 2 attempts per second.

If there is a round trip to the browser, it should be visible in the developer 
tools. Cas does perform some internal authentication to handle non cas 
protocols 
(https://apereo.github.io/cas/6.5.x/protocol/Protocol-Overview.html#the-bridge),
 the audit log events should state what is happening.

Ray

On Thu, 2023-08-03 at 00:17 -0700, Petr Bodnár wrote:

When turning on SPNEGO (typically for Kerberos SSO), together with CAS mixed 
authentication turned on (i.e. showing login form when SPNEGO fails), CAS login 
failure throttling seems to be broken.

Reproduction (tested with the 6.x CAS series, but probably manifests also in 
other versions):

  1.  User enters the CAS login page and SPNEGO fails for whatever reason (e.g. 
when in a testing environment).
  2.  User enters invalid credentials and submits the login form for the very 
first time (in a given period of time).
  3.  Expected: CAS shows "Invalid name or password" or similar to the user.
  4.  Actual: CAS shows "You've entered the wrong password for the user too 
many times. You've been throttled."

I couldn't find this reported anywhere, yet the issue's reason seems to be 
quite an evident shortcoming in the CAS Login Web Flow definition:

  *   there is this seemingly unnecessary transition from "failed login form 
submission" back to the very beginning of the login flow - which immediately 
launches the SPNEGO decision step, which sends the appropriate status 401 
and WWW-Authenticate header to the browser again
  *   upon this, browser reacts according to the specs, i.e. re-posts the login 
form immediately with a corresponding Authorization header (caution: this 
second request is not visible in browser's network console)
  *   as this happens within a few (tens of) milliseconds, the Failure 
throttling mechanism evaluates this as misbehavior and blocks the user as 
described above

I wonder if anybody also experienced this issue. And if so, what was your 
solution? Altering the web flow, altering the SPNEGO decision action class to 
remember its last decision, or something else?



Re: [cas-user] login with valid service but not getting ticket query parameter on redirect

2023-08-03 Thread Ray Bon
Pablo,

What version of Cas is this?

Check your logs. The audit log records the authentication events, including 
ticket creation.

Ray

On Wed, 2023-08-02 at 14:39 -0700, Pablo Vidaurri wrote:

I am seeing a problem where after a successful login a redirect is happening back 
to the service URL but does not have a ticket=ST- query parameter. This of 
course means that the service has no ticket to go validate. But if I hit the 
login page again, I get the ticket on the 2nd try.

1) https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login
2) after login redirects to https://myapp.newco.com/cas/login, with no ticket
3) since no ticket, login to the app fails.
4) I go to 
https://www.xxx.com/cas/login?service=https://myapp.xxx.com/cas/login again
5) immediately redirects back to https://myapp.xxx.com/cas/login?ticket=ST-
6) now logged into the app

Why would ticket not be sent the first time?

-psv



Re: [cas-user] cas-management overlay 6.6.3 with support-mongo-service-registry does not bind cas properties

2023-07-27 Thread Ray Bon
Martin,

This logger may help:



I also have this line in my log output:
cas | 2023-07-27 19:10:08,677 INFO [ org.aper.cas.util.io.PathWatcherService] - 
 [main]

Check to make sure it is looking in the correct place for management.properties 
(even though /etc/cas/config is the default).

Ray

On Thu, 2023-07-27 at 09:17 -0700, 'martin@springer.com' via CAS Community 
wrote:

Hi cas-users,

We generated a minimal cas-management overlay using

curl 
"https://casinit.herokuapp.com/starter.tgz?artifactId=cas=6.6.3=false=support-mongo-service-registry=executable=WAR%20overlay%20to%20use%20as%20a%20starting%20template%20for%20Apereo%20CAS%20deployments.=false=false=org.apereo.cas=false=false=11=java=cas=false=org.apereo=war=false=cas-management-overlay=1.0.0;
 | tar -xzvf -

Setting cas.service-registry.mongo.client-uri=mongodb://localhost/somedb in 
etc/cas/config/management.properties

results in

Caused by: java.lang.IllegalArgumentException: The connection string is 
invalid. Connection strings must start with either 'mongodb://' or 
'mongodb+srv://
at com.mongodb.ConnectionString.(ConnectionString.java:303) 
~[mongodb-driver-core-4.7.1.jar!/:?]
at 
org.apereo.cas.mongo.MongoDbConnectionFactory.mongoDbFactory(MongoDbConnectionFactory.java:191)
 ~[cas-server-support-mongo-core-6.6.0.jar!/:6.6.0]
at 
org.apereo.cas.mongo.MongoDbConnectionFactory.buildMongoTemplate(MongoDbConnectionFactory.java:287)
 ~[cas-server-support-mongo-core-6.6.0.jar!/:6.6.0]
at 
org.apereo.cas.config.MongoDbServiceRegistryConfiguration.mongoDbServiceRegistryTemplate(MongoDbServiceRegistryConfiguration.java:50)
 ~[cas-server-support-mongo-service-registry-6.6.0.jar!/:6.6.10]

No matter how we try, the mandatory db config values are never getting bound to 
CasConfigurationProperties.

But, actually we are able to start cas-management using system properties:

java -Dcas.service-registry.mongo.client-uri=mongodb://localhost/somedb -jar 
build/libs/cas-management.war

Is this a known problem?

Where and how should cas.service-registry.mongo.client-uri be set using a 
properties file?

Regards

Martin





Re: [cas-user] ERROR CAS 6.1 SAML IDP GOOGLE

2023-07-27 Thread Ray Bon
What Richard said.

Ray

On Thu, 2023-07-27 at 09:45 -0500, 'Richard Frovarp' via CAS Community wrote:

Typically the helpful bit in a long stack like this is at the end

Error:
Caused by: java.net.MalformedURLException: no protocol: 
login.unila.ac.id/cas
at java.base/java.net.URL.(URL.java:627)
at java.base/java.net.URL.(URL.java:523)
at java.base/java.net.URL.(URL.java:470)
at 
org.apereo.cas.config.SamlIdPMetadataConfiguration.samlSelfSignedCertificateWriter(SamlIdPMetadataConfiguration.java:154)
at 
org.apereo.cas.config.SamlIdPMetadataConfiguration$$EnhancerBySpringCGLIB$$150398bf.CGLIB$samlSelfSignedCertificateWriter$3()
at 
org.apereo.cas.config.SamlIdPMetadataConfiguration$$EnhancerBySpringCGLIB$$150398bf$$FastClassBySpringCGLIB$$4511572f.invoke()
at 
org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244)
at 
org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:363)
at 
org.apereo.cas.config.SamlIdPMetadataConfiguration$$EnhancerBySpringCGLIB$$150398bf.samlSelfSignedCertificateWriter()
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at 
org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
... 111 more


So you are missing the protocol (https://) bit from that value. Digging through 
the code, that comes from:

val url = new URL(casProperties.getServer().getPrefix());

In my CAS config I have:

cas.server.prefix=${cas.server.name}/cas

which is what it is trying to read.

I then have:

cas.server.name=https://.ndsu.edu


So look in that area of your config to add the protocol. Obligatory note that 
6.1 is old and you should upgrade.



Re: [cas-user] ERROR CAS 6.1 SAML IDP GOOGLE

2023-07-27 Thread Ray Bon
Muhammad,

Your config has entity-id=https://cas.example.com/idp but it looks like cas is 
trying to create the certificate with login.unila.ac.id/cas
I am not sure why it insists on a protocol, should not matter for a self signed 
cert.
You could also make sure your cas.server.name has a protocol.

If your entityId does have a protocol, you can create the metadata yourself. 
See https://www.samltool.com/idp_metadata.php

Your version is quite old, so it may be hard to diagnose problems.

Ray

On Wed, 2023-07-26 at 19:43 -0700, Muhammad Ikhsan wrote:

I have an error implementing CAS 6.1 as a SAML IdP for Google. Please help me 
and tell me what I should do.

Config:
cas.authn.saml-idp.entity-id=https://cas.example.com/idp

Build.gradle:
// Other CAS dependencies/modules may be listed here...
implementation 
"org.apereo.cas:cas-server-webapp-tomcat:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-jdbc:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-jdbc-drivers:${project.'cas.version'}"
// compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-jpa-service-registry:${project.'cas.version'}"
compile 
"org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
// compile 
"org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"

// implementation 
"org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
// implementation 
"org.apereo.cas:cas-server-support-saml-idp-metadata:${project.'cas.version'}"
// implementation 
"org.apereo.cas:cas-server-support-saml-idp-web:${project.'cas.version'}"
// implementation 
"org.apereo.cas:cas-server-support-saml-idp-core:${project.'cas.version'}"
// implementation 
"org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"

Error:
27-Jul-2023 09:37:27.526 SEVERE [main] 
org.apache.catalina.startup.HostConfig.deployWAR Error deploying web 
application archive [C:\Program Files\Apache Software 
Foundation\Tomcat9.0\webapps\cas.war]
java.lang.IllegalStateException: Error starting child

Re: [cas-user] Simple MFA to Surrogate bypasses surrogate selection

2023-07-25 Thread Ray Bon
Anthony,

Does surrogate+username / password approach work, or is it only the surrogate 
selection that does not work?

If I use surrogate+ with a service that requires MFA, it goes through the mfa 
flow for username and then to service as surrogate. But I do not have any 
groovy scripts running.

Ray

On Tue, 2023-07-25 at 10:31 -0700, Anthony Oslund wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Start by stating current deployment uses 6.6.6 with DBMS authentication, not 
LDAP.

Deployment uses the groovy approach for triggering simple MFA.

Based on much testing and researching of this archive determined that if simple 
MFA is activated through groovy script that CAS will bypass surrogate 
selection.  From researching this archive others have run into the same 
limitation (at least for 6.6.6 and earlier, not sure about later versions).

For surrogate logging in using the +username / pass approach and then selecting 
surrogate from drop down.

Surrogate process functions correctly, but only if MFA not selected by the 
groovy script.  This is true even if MFA not required in that exact login 
instance, having been satisfied by recent/previous login/MFA.  For example, 
groovy script determines that MFA is required for +username... system examines 
recent MFA cache... regardless if MFA required/not required at this moment 
surrogate process bypassed and authenticated/released parameters are for 
original +username.

Current deployment's security requirements restrict surrogate to internal use 
only, while only requiring MFA externally so at this time not an issue as both 
MFA and surrogate are working within their separate external/internal scopes.  
Future requirements may likely require MFA internally as well, which with 
current deployment would conflict with internal scope surrogate process.


Looking at attached groovy scripts from other posts it appears they are 
potentially using other MFA ("mfa-gauth", "mfa-webauthn").  Perhaps issue with 
our deployment is a default web flow issue specific to simple MFA.


Simple MFA currently works in all instances, but does not flow to surrogate.  
If groovy script below returns null for MFA then flow to surrogate selection 
works as intended.


import java.util.*

class SampleGroovyProviderSelection {

    def String run(final Object... args) {
        def service = args[0]
        // args[1] is the registered service, unused here
        def authentication = args[2]
        def request = args[3]
        def logger = args[4]

        def mfa = null

        // CAS principal attributes are multi-valued, so each of these is a list
        def email = authentication.principal.attributes['email']
        def phone = authentication.principal.attributes['phone']
        def mfaMode = authentication.principal.attributes['mfa_mode']

        logger.info('Groovy script for mfa: mfa_mode={} email={} phone={}', mfaMode, email, phone)

        /*
           If user lacks both email and phone then bypass MFA

           If plan is to prevent the user from authenticating if
           they cannot use MFA, that should be handled further upstream
           through the DBMS view.  It can simply prevent them from
           ever authenticating (if that is the desired outcome), in
           which case they will never even get to this point
        */
        if (mfaMode && (email || phone)) {
            if (mfaMode.contains("Y")) {
                mfa = ["mfa-simple"]
            }
        }
        return mfa
    }
}

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20272de383073f777e3a1ee94e936bbeb5d0d816.camel%40uvic.ca.


Re: [cas-user] Re: CAS 5.3 OAuth2 Delegated Authentication error Client not found

2023-07-24 Thread Ray Bon
Mohsen,

Version 5 is very old. If the problem is in cas, there may be no one that can 
help.
If the log says that client name was not found (serviceId in service 
definition). Then check your service definition. serviceId can be a regex.

Ray

On Fri, 2023-07-21 at 21:08 -0700, mohsen saeedi wrote:

Extra information is needed to answer this question?

nobody is here to help me?

Best Regards

On Thursday, July 20, 2023 at 12:28:13 AM UTC+3:30 mohsen saeedi wrote:
Hello,

I'm using CAS 5.3 latest version. I want to delegate authentication to
an external oauth2 identity server. I added new configuration key
starts with cas.authn.pac4j.oauth2[0] for authUrl, tokenUrl,
ProfileUrl and ... . also defined clientName (for example OAuth20).
Everything works fine but when user return back to cas, it prints
error: 2023-07-17 03:57:35,221 ERROR
[org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - 
org.pac4j.core.exception.TechnicalException: No client found for name:
OAuth20?code=74486072882b4f6b896b4476a11f56f9
I read docs and blog posts and everything was on the internet about
this subject without any success. anyone can help me? I can't change
this version and switch to 6.x . it is not possible on short time.

Mohsen Saeedi


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f1412607392351f6e0bc9edd452b0a0a7cfbdf07.camel%40uvic.ca.


Re: [cas-user] Duo Universal Prompt configuration?

2023-07-24 Thread Ray Bon
Baron,

Try creating a new service in Duo to check if the problem is on their side.

Ray

On Fri, 2023-07-21 at 15:02 -1000, Baron Fujimoto wrote:

We're trying to upgrade from CAS 6.6 using the old Duo iFrame MFA to CAS 7 
using the new Duo Universal Prompt.

In our CAS 6.6/iFrame version, we configured this with the following properties:

cas.authn.mfa.duo[0].duo-application-key=
cas.authn.mfa.duo[0].duo-api-host=
cas.authn.mfa.duo[0].duo-integration-key=
cas.authn.mfa.duo[0].duo-application-key=

For our CAS 7/Universal Prompt version, we're using:

cas.authn.mfa.duo[0].duo-api-host=
cas.authn.mfa.duo[0].duo-integration-key=
cas.authn.mfa.duo[0].duo-application-key=

Our duo-api-host does not differ for these two, and our Duo admin panel is 
configured to "Show Universal Prompt" for our Duo application we reference in 
our CAS 7 properties.

However, after entering a username and password, we get the following error:
===
MFA Provider Unavailable

CAS was unable to reach your configured MFA provider at this time. Due to 
failure policies configured for the service you are attempting to access, 
authentication can not be granted at this time.
===

Our CAS log reports:
WARN 
[org.apereo.cas.adaptors.duo.authn.UniversalPromptDuoSecurityAuthenticationService]
 - 

Any ideas what we may have amiss or how we may further troubleshoot this?

I've been using the following resources for reference:
Duo documentation –
- 
- 
CAS documentation –
- 

Fawnoos documentation –
- 

I note that the Duo documentation says to create the Duo application type as 
"CAS (Central Authentication Service)" whereas Fawnoos says to use WebSDK. Does 
this matter?
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e9eb8d5db6882c1553ad81aceb51465d10c6646.camel%40uvic.ca.
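For reference, the two shapes the Duo block takes, as an added configuration example that is not taken from the thread or from the CAS project; every value is a placeholder. The keys are the documented cas.authn.mfa.duo[] properties. CAS selects the legacy Web SDK (iFrame) integration when duo-application-key is set and the Universal Prompt integration when it is absent; the WARN line in Baron's log comes from UniversalPromptDuoSecurityAuthenticationService, so his CAS 7 build did end up in Universal Prompt mode and the failure is on the call to Duo, which is what Ray's suggestion of a fresh Duo application is meant to isolate.

```properties
# Added example, not from the thread or the CAS project. Values are placeholders.
# Use ONE of the two blocks; they set the same keys.

# CAS 6.6 with the legacy Duo Web SDK (iFrame): the application key selects it.
# The application key is generated locally (40+ random characters) and is never
# given to Duo; the secret key comes from the Duo admin panel.
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].duo-api-host=api-XXXXXXXX.duosecurity.com
cas.authn.mfa.duo[0].duo-integration-key=DIXXXXXXXXXXXXXXXXXX
cas.authn.mfa.duo[0].duo-secret-key=<secret key from the Duo admin panel>
cas.authn.mfa.duo[0].duo-application-key=<40+ random characters generated locally>

# CAS 7 with the Duo Universal Prompt: same host, integration key and secret key,
# and NO duo-application-key line at all.
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].duo-api-host=api-XXXXXXXX.duosecurity.com
cas.authn.mfa.duo[0].duo-integration-key=DIXXXXXXXXXXXXXXXXXX
cas.authn.mfa.duo[0].duo-secret-key=<secret key from the Duo admin panel>
```

The "MFA Provider Unavailable" page is what CAS renders when the provider's availability check fails and the service's failure mode is closed, so the WARN line (cut off in the archive) is the thing to read; setting the org.apereo.cas.adaptors.duo logger to DEBUG shows the outbound request to the Duo host and Duo's reply, which separates a wrong key or host from a network problem.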


Re: [cas-user] How to easily fix an application after CAS upgrade

2023-07-21 Thread Ray Bon
Radek,

If you have custom code, there really are only two options; drop it or upgrade 
it.
With the large jump you are going to, it may make more sense to move to version 
7 (to be official in a few months) and re-implement your features.
You will have to search the code base to see how the new way is done.
See https://fawnoos.com/2023/01/31/cas70x-war-overlay-overrides/

If your modifications are generally useful, you can try to get them added into 
the project, thus avoiding this problem in the future.

Ray

On Fri, 2023-07-21 at 08:04 -0700, Radek Ch. wrote:

Hi

We're planning to upgrade CAS from 6.1 to 6.6.9 but apparently there are lots 
of changes which break our current code.
What would be the best / easiest / recommended way to upgrade our application 
to use the new CAS given that our current team doesn't have much experience 
with CAS and it's therefore difficult to find out what exact parameters we need 
to pass to the new CAS methods / contructors (which don't exist in our 6.1 
version of CAS).
How would you proceed?
I may check source files of the new CAS version to find out how and where any 
given parameter is used but since I have no idea, what the given piece of 
functionality is supposed to do, there's not much reason doing so...
What do you think?

Thanks.

Radek

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e1b09f4f4ac033f70f8429746dcc42377c63b68f.camel%40uvic.ca.


Re: [cas-user] Custom Audit Log to DB

2023-07-21 Thread Ray Bon
Shing,

Are you looking for an audit entry that is different from those in 
COM_AUDIT_TRAIL?

You may be able to create a web flow event to do that.
But NOTE: I was not able to insert my custom login flow after the Duo universal 
prompt flow. Unfortunately it looks like the cas modules (cas 6.5.x) have 
lowest priority, meaning that they are inserted into the webflow after others. 
It would be nice if the cas modules had a middle priority, making it easier for 
deployers to insert before or after as needed.
YMMV

Ray

On Thu, 2023-07-20 at 23:55 -0700, Ps Chu wrote:

Hi all,

Besides writing the audit log to CAS default audit database table 
[COM_AUDIT_TRAIL], may I know any methods that can custom my own audit log to 
another database table for storing the authentication result in database?

Do I need to extend the login flow and create a simple DAO class to insert 
record into the database after authentication action?

Thanks,
Shing



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a1a6ca284fe784d24fda35f760cd1c91f1c1c513.camel%40uvic.ca.


Re: [cas-user] [CAS 6.6.8] Custom MFA triggers

2023-07-21 Thread Ray Bon
This may provide some direction https://fawnoos.com/2018/11/22/cas5-groovy-mfa/
There may be other posts on this site that can help.

Ray

On Fri, 2023-07-21 at 08:49 +0200, spfma.tech via CAS Community wrote:

Hi,
I would like to implement some conditional MFA scenarios (using a different 
provider depending on the network is the first one), but 
reading https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html 
does not provide a lot of help.
Is there some code snippet available somewhere I could use as an example ?
Regards


FreeMail powered by mail.fr

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bb46adc7f28972fa27ec9c2dff448b6e487c4152.camel%40uvic.ca.
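The network-dependent trigger asked about above, written out as an added example; it is not code from this thread, from the Fawnoos post or from the CAS project. It uses the argument layout the CAS Groovy trigger documentation describes (service, registered service, authentication, HTTP request, logger), the same layout as the script posted in the Simple MFA / surrogate thread above, and returns the id of the provider to activate or null for no MFA. The internal address ranges, the trusted proxy address, the script path and the provider ids mfa-gauth and mfa-duo are assumptions for the example.

```groovy
// Added example, not from the thread or the CAS project. Register it with
//   cas.authn.mfa.triggers.groovy.location=file:/etc/cas/config/mfaTrigger.groovy
// (path assumed). The request is used by duck typing so the same script loads
// under CAS 6.x (javax.servlet) and CAS 7 (jakarta.servlet).
class NetworkBasedProviderSelection {

    // Assumed internal address space; replace with your own ranges.
    static final List<String> INTERNAL_CIDRS = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']

    // Assumed address of the reverse proxy in front of CAS. X-Forwarded-For is only
    // honoured when the TCP peer is that proxy; otherwise any client could send the
    // header itself and downgrade to the "internal" provider.
    static final Set<String> TRUSTED_PROXIES = ['192.0.2.10'] as Set

    String run(final Object... args) {
        def service = args[0]             // unused here, kept to document the layout
        def registeredService = args[1]   // unused here
        def authentication = args[2]
        def request = args[3]
        def logger = args[4]

        def user = authentication.principal.id
        def clientIp = clientAddress(request)

        if (isInternal(clientIp)) {
            logger.info('MFA trigger: [{}] from internal address [{}], selecting mfa-gauth', user, clientIp)
            return 'mfa-gauth'
        }
        logger.info('MFA trigger: [{}] from external address [{}], selecting mfa-duo', user, clientIp)
        return 'mfa-duo'
    }

    static String clientAddress(def request) {
        String peer = request.getRemoteAddr()
        String forwarded = request.getHeader('X-Forwarded-For')
        if (forwarded && TRUSTED_PROXIES.contains(peer)) {
            // left-most entry is the client as seen by the first proxy
            return forwarded.tokenize(',')[0].trim()
        }
        return peer
    }

    static boolean isInternal(String ip) {
        long addr = toIpv4(ip)
        // Unparseable or non-IPv4 addresses are treated as external (fail closed).
        if (addr < 0) return false
        return INTERNAL_CIDRS.any { String cidr ->
            def (String net, String prefix) = cidr.tokenize('/')
            int bits = prefix as int
            long mask = bits == 0 ? 0L : (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL
            (addr & mask) == (toIpv4(net) & mask)
        }
    }

    // Dotted-quad IPv4 text to an unsigned 32-bit value, or -1 if it is not one.
    static long toIpv4(String ip) {
        def parts = ip?.tokenize('.')
        if (!parts || parts.size() != 4) return -1L
        long value = 0L
        for (String part : parts) {
            if (!part.isInteger()) return -1L
            int octet = part as int
            if (octet < 0 || octet > 255) return -1L
            value = (value << 8) | octet
        }
        return value
    }
}
```

Returning a provider id that is not configured in CAS results in no MFA at all rather than an error, so after deploying the script check the log line it emits against the cas.authn.mfa.*.id values actually present, and test once from an address outside the internal ranges.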


Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-19 Thread Ray Bon
Niral,

Start with the cas docs 
https://apereo.github.io/cas/6.6.x/monitoring/Monitoring-Statistics.html
There is also some guidance at 
https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/

'Too many redirects' can happen when the client (stage.eclkc.info ?) does not 
process the login from cas correctly (the service ticket: ST...).

Ray

P.S. This a different issue from expiration policies, you should create a new 
thread

On Wed, 2023-07-19 at 16:34 +, 'Niral Kunadia' via CAS Community wrote:

Ray,

I am able to deploy cas.war file on server and it is working. Somehow I am not 
able to access management endpoints. Do I have to add anything in 
cas.properties or as dependencies. I am getting this and also cas-management 
displaying same error.




From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Thursday, July 6, 2023 3:43 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5


WARNING: THIS IS AN EXTERNAL EMAIL THAT ORIGINATED OUTSIDE OF OUR EMAIL SYSTEM. 
DO NOT CLICK links / attachments unless you know that the content is safe! For 
suspicious emails, report using the Phish Alert Report button on the upper left 
of your email. For marketing/SPAM emails, delete.


Niral,

Is it possible the hosted environment has more than one tomcat server?
If TGTs are not shared between cas instances, then, when switching tomcat 
servers (controlled by the hosting service / load balancer), the second cas 
will not know about the login session and force the login screen.

Ticket registry is described 
https://apereo.github.io/cas/6.6.x/ticketing/Configuring-Ticketing-Components.html
Alternatively, start with a single cas server, then add more cas servers and 
the ticket registry when other config is more or less complete.

Ray


On Thu, 2023-07-06 at 14:04 +, 'Niral Kunadia' via CAS Community wrote:

Thank you Ray,

Are you deploying the war to more than one tomcat? : I created .war file with 
gradle on local and deploying to test environment which is some hosted 
environment.
Is the tomcat on your local dev computer or some hosted environment? : some 
hosted environment

Thank you for reply.



From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Wednesday, July 5, 2023 4:37 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5




Niral,

To see a list of all cas properties:

$ ./gradlew exportConfigMetadata

Which will create a file called config-metadata.properties
You can search for 'tgt' or 'tgc'
The default value will be shown beside the property.
TicketGrantingTicket is the server side session and TGC is the client side 
cookie used to find the TGT.

To see other gradlew commands:

$ ./gradlew tasks

There are some management endpoints that can provide some info, 
https://apereo.github.io/cas/6.6.x/monitoring/Monitoring-Statistics.html

Here are some related blog posts:
https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/
https://fawnoos.com/2021/09/06/cas65-sso-sessions/

Some URLs that I use:
https://local.uvic.ca/cas/actuator/ssoSessions
https://local.uvic.ca/cas/actuator/ticketExpirationPolicies

I do not think this is an issue with tomcat.
Your steps 3. and 4. suggest that it is working correctly.


You say 'Restarted tomcat services'.
Are you deploying the war to more than one tomcat?
Is the tomcat on your local dev computer or some hosted environment?


On my local I have a sym link from tomcat/webapps/cas.war to 
devdir/build/lib/cas.war (this will save a step if tomcat is local).
You can also use the docker build and deploy or embedded tomcat run approach. 
These options are described at the bottom of 
https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/

Ray

On Wed, 2023-07-05 at 15:27 +, 'Niral Kunadia' via CAS Community wrote:

Ray,

I am upgraded CAS to 6.6.9 from 6.5.8, I am able to login to cas with 
authentication and on refresh somehow TGC is expiring and asking for login 
credentials again.

Is there any setting I have to add in cas.properties?

I did these steps:

  1.  Copy cas.war to test environment. Restarted 
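Ray's pointers in this thread, exposing the two actuator endpoints he uses and pinning the TGT lifetimes he suggests searching for, as an added cas.properties fragment that is not from the thread or from the CAS project. The lifetimes and the admin network are assumptions; the property names are the CAS 6.6 ones and should be checked against the config-metadata.properties file that ./gradlew exportConfigMetadata writes, since a misspelled key is silently ignored. The endpoints themselves come from the cas-server-support-reports module, which must be in the overlay.

```properties
# Added example, not from the thread or the CAS project (CAS 6.6 property names).

# Spring Boot side: which actuator endpoints are enabled and exposed over HTTP
# (they appear under /cas/actuator/...).
management.endpoints.web.exposure.include=health,ssoSessions,ticketExpirationPolicies
management.endpoint.ssoSessions.enabled=true
management.endpoint.ticketExpirationPolicies.enabled=true

# CAS side: who may call them. Do not ship PERMIT or ANONYMOUS: an open ssoSessions
# endpoint lists the live TGT of every logged-in user. The address list is a set
# of regexes (backslashes doubled because this is a .properties file);
# 10.20.30.0/24 is an assumed admin network.
cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=127\\.0\\.0\\.1,10\\.20\\.30\\.\\d+

# TGT (server-side SSO session) lifetime, in seconds: absolute maximum and idle
# timeout. The TGC cookie only carries the TGT id, so once the TGT has expired
# the cookie is useless and the login page comes back.
cas.ticket.tgt.primary.max-time-to-live-in-seconds=28800
cas.ticket.tgt.primary.time-to-kill-in-seconds=7200
```

After a restart, GET /cas/actuator/ticketExpirationPolicies from an allowed address shows the values CAS actually bound, which is the quickest way to tell a typo in cas.properties from a real expiry problem; the same request from any other address should be refused, which confirms the IP rule is in force.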

Re: [cas-user] embedded tomcat startup error cas6.6.x

2023-07-18 Thread Ray Bon
Yan,

There is this 
https://apereo.github.io/cas/developer/Contributor-Guidelines.html#how-do-i-do-this
 and this https://apereo.github.io/cas/development/developer/Build-Process.html 
for developing cas.

There is a step for getting submodules; Was that missed?

Ray

On Tue, 2023-07-18 at 12:21 -0700, Yan Zhou wrote:

HI Ray,

Overlay did work, thx a lot!   Still,  I should be able to run CAS as any CAS 
developer would,  not sure why i run into this

this is what I did on my Windows, overlay works fine with additional command 
line arguments, so I attempted the same on CAS project,

C:\apereocas66x\cas-server\webapp\cas-server-webapp-tomcat>"../../gradlew" 
build bootRun --parallel --offline --configure-on-demand --build-cache 
--stacktrace 
--args=--spring.profiles.active=standalone,--cas.standalone.configuration-directory=C:\apereocas66x\config
Configuration on demand is an incubating feature.

> Task :api:cas-server-core-api-configuration-model:compileJava
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: 
C:\apereocas66x\cas-server\api\cas-server-core-api-configuration-model\src\main\java\org\apereo\cas\configuration\metadata\ConfigurationMetadataGenerator.java
 uses unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.

> Task :support:cas-server-support-thymeleaf:compileJava FAILED
<==---> 82% EXECUTING [1m 46s]
> :api:cas-server-core-api-configuration-model:generateConfigurationMetadata


In my IntelliJ IDE, it reports this error,  I am sure the CAS project itself 
has no problem, but I cannot figure out why it is missing Thymeleaf layout 
dialect jar, and where is this supposed to be specified?

:support:cas-server-support-openid-webflow:test: Could not find 
nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:3.1.0 .
Required by:
project :support:cas-server-support-openid-webflow > project 
:support:cas-server-support-thymeleaf

Possible solution:
 - Declare repository providing the artifact, see the documentation at 
https://docs.gradle.org/current/userguide/declaring_repositories.html


Thanks,
Yan
On Tuesday, July 18, 2023 at 12:29:49 PM UTC-4 Ray Bon wrote:
Yan,

It looks like you are using cas instead of cas-overlay-template. The main 
project is for developers. This is for deployers 
https://github.com/apereo/cas-overlay-template

Ray

On Mon, 2023-07-17 at 12:15 -0700, Yan Zhou wrote:

HI

i followed doc to this step, but not sure why it failed. I am on Windows and 
using CAS 6.6.9. it built fine, but when running in embedded tomcat, run into 
error.

not sure what it tries to do in /etc/cas/templates, I am on Windows, so I am 
hoping to find where it is specified and change it to Windows path.

thanks in advance!

Yan

C:\apereocas66x\cas-server\webapp\cas-server-webapp-tomcat>"../../gradlew" 
build bootRun --parallel --offline --configure-on-demand --build-cache 
--stacktrace
Configuration on demand is an incubating feature.
<-> 0% CONFIGURING [1m 24s]
> Task :webapp:cas-server-webapp-tomcat:processBootRunResources FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task 
':webapp:cas-server-webapp-tomcat:processBootRunResources'.
> Cannot fingerprint input file property 'rootSpec$1': Could not stat file 
> \\etc\cas\templates


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3588bca6c41fb3c7793060b751fb9ad0a0875f03.camel%40uvic.ca.


Re: [cas-user] embedded tomcat startup error cas6.6.x

2023-07-18 Thread Ray Bon
Yan,

It looks like you are using cas instead of cas-overlay-template. The main 
project is for developers. This is for deployers 
https://github.com/apereo/cas-overlay-template

Ray

On Mon, 2023-07-17 at 12:15 -0700, Yan Zhou wrote:

HI

i followed doc to this step, but not sure why it failed. I am on Windows and 
using CAS 6.6.9. it built fine, but when running in embedded tomcat, run into 
error.

not sure what it tries to do in /etc/cas/templates, I am on Windows, so I am 
hoping to find where it is specified and change it to Windows path.

thanks in advance!

Yan

C:\apereocas66x\cas-server\webapp\cas-server-webapp-tomcat>"../../gradlew" 
build bootRun --parallel --offline --configure-on-demand --build-cache 
--stacktrace
Configuration on demand is an incubating feature.
<-> 0% CONFIGURING [1m 24s]
> Task :webapp:cas-server-webapp-tomcat:processBootRunResources FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task 
':webapp:cas-server-webapp-tomcat:processBootRunResources'.
> Cannot fingerprint input file property 'rootSpec$1': Could not stat file 
> \\etc\cas\templates

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0952be098ef56c143121f643e6b9bb6724b89f11.camel%40uvic.ca.


Re: [cas-user] CAS support oauth, how store the authCode -CAS 7.0.0-SNAPSHOT

2023-07-14 Thread Ray Bon
Redis ticket storage is described here 
https://apereo.github.io/cas/6.6.x/ticketing/Redis-Ticket-Registry.html

Ray

On Thu, 2023-07-13 at 20:12 -0700, 'Char Lin' via CAS Community wrote:

hi, everyone.
I open the supported oauth of CAS 7.0.0-SNAPSHOT,  and it operation perfect.

Now i want store the authCode generate by cas-oauth in redis, but i don't how?

I couldn't find the desired guidance in the official documents either.

Please, thanks

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/66cf0b715b331530126fc873d2c7f5596f857745.camel%40uvic.ca.


Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-13 Thread Ray Bon
Niral,

It is possible that you can access the user session. If so, you can check the 
state of the TGT.
See this post for some code to print out cas data 
https://groups.google.com/a/apereo.org/g/cas-user/c/XkePPqT3lK8/m/y4MfckOCAwAJ

Ray

On Thu, 2023-07-13 at 14:08 +, 'Niral Kunadia' via CAS Community wrote:

Ray,

We are using one tomcat only. I found we added code in  
“cas-overlay-template\src\main\java\org\apereo\cas\authentication\handler\support\AbstractUsernamePasswordAuthenticationHandler.java
” Which is calling CAS Rest API for two factor authentication.

Code is look like this in our 6.5.8:

protected void transformPassword(final UsernamePasswordCredential userPass)
        throws FailedLoginException, AccountNotFoundException {
    if (StringUtils.isBlank(userPass.toPassword())) {
        throw new FailedLoginException("Password is null.");
    }

    LOGGER.debug("Attempting to encode credential password via [{}] for [{}]",
        this.passwordEncoder.getClass().getName(), userPass.getUsername());
    /* REST api */
    LOGGER.debug("Get token [{}]", userPass.getCustomFields().get("tokenid").toString());

    String password = new String(userPass.getPassword());

    if (!StringUtils.isBlank(userPass.getCustomFields().get("tokenid").toString())) {
        try {
            String passToken = password + "" + userPass.getCustomFields().get("tokenid").toString();
            password = "Token_" + URLEncoder.encode(passToken, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            System.out.println("Issue for encoding" + e.getMessage());
        }
    }

As 6.9.8 was complaining some deprecated code I changed code for

String password = new String(userPass.getPassword());



to



String password = userPass.toPassword();

So new code look like this:

protected void transformPassword(final UsernamePasswordCredential userPass)
        throws FailedLoginException, AccountNotFoundException {
    if (StringUtils.isBlank(userPass.toPassword())) {
        throw new FailedLoginException("Password is null.");
    }

    LOGGER.debug("Attempting to encode credential password via [{}] for [{}]",
        this.passwordEncoder.getClass().getName(), userPass.getUsername());
    /* REST api */
    LOGGER.debug("Get token [{}]", userPass.getCustomFields().get("tokenid").toString());

    String password = userPass.toPassword();

    if (!StringUtils.isBlank(userPass.getCustomFields().get("tokenid").toString())) {
        try {
            String passToken = password + "" + userPass.getCustomFields().get("tokenid").toString();
            password = "Token_" + URLEncoder.encode(passToken, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            System.out.println("Issue for encoding" + e.getMessage());
        }
    }

Do you think that is issue for expiring TGC ?








From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Friday, July 7, 2023 2:07 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5




Niral,

I would be surprised if there were any changes in the way tickets are handled 
by cas in the upgrade (it is fundamental in the way cas operates).
Spring is good at logging when there is a mismatch between your config and 
class properties. Is there anything in the logs that would suggest values are 
not being set?

Petr suggested using your browser's dev tools. If you step through the network 
traffic, you can see cookies and values being sent and you will see if a TGC is 
being resent [with a different value].

You do not need a real service to check cas's management of TGCs. I added a 
fake service to my service registry; I literally have this bookmark:
https://local.uvic.ca/cas/login?service=https://blah

after login your browser will display a message about not finding https://blah 
(firefox displays: Hmm. We're having trouble finding that site.), and in the 
address bar will be:
https://blah/?ticket=ST-...

If you open a new tab and try to log in with the bookmark, you will not see the 
log in page but get redirected to https://blah with a new ST

Ray

On Thu, 2023-07-06 at 19:56 +, 'Niral Kunadia' via CAS Community wrote:

Re: [cas-user] OIDC /authorize - Authorization Denied

2023-07-11 Thread Ray Bon
The issue could be with what the request is asking for (such as scope, etc.) 
and the service not being configured to release them.

My test client (created with cas management application):

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "https://local.uvic.ca/democasclient/callback\\?client_name=OidcClient",
  "name": "fresh oidc on dev",
  "id": 160605843,
  "expirationPolicy": null,
  "singleSignOnParticipationPolicy": {
    "@class": "org.apereo.cas.services.ChainingRegisteredServiceSingleSignOnParticipationPolicy"
  },
  "evaluationOrder": 163,
  "environments": null,
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": null,
    "bypassEnabled": true
  },
  "clientSecret": "6b5KjVIX6tiiyxnmqKrSnPz1tEADCjlKUfyo",
  "clientId": "tZzif5NfwfBS9enpN0nqXceBSdcYgxw3fw3w",
  "supportedResponseTypes": ["java.util.HashSet", ["code"]],
  "signIdToken": false,
  "subjectType": "PUBLIC",
  "scopes": ["java.util.HashSet", ["eduPersonScope", "openid", "email", "profile"]]
}

and the request:

https://local.uvic.ca/cas/oidc/oidcAuthorize?scope=openid profile email 
eduPersonScope_type=code_uri=https://local.uvic.ca/democasclient/callback?client_name=OidcClient=280b0aca20_challenge_method=S256=K8DQJJX2V5tK7tIT96cgEsngu1MT_OwbEW3EFIvSNCM_id=tZzif5NfwfBS9enpN0nqXceBSdcYgxw3fw3w_challenge=KskfeAWacT0Ru303Bo08R2_4qQ9i83pHUGJM07OrOLM

Try this logger:



So far I have done a lot of guess work to get OIDC to work and I am not sure 
why things happen the way they do. It is a complex protocol.

What version of cas are you using (I have 6.5.8)?

Ray

On Tue, 2023-07-11 at 07:25 -0700, Jérémie wrote:

I've found the issue, it was coming from the service file not loaded by cas. 
I've added the following line to my cas.properties :
cas.service-registry.json.location=file:/C:/Program Files/Tomcat 9.0/etc/cas/config

But now I'm having a new error :
2023-07-11 14:20:47,712 ERROR 
[org.springframework.boot.web.servlet.support.ErrorPageFilter] - 

And from what I've found on Google, some had this error but I didn't see any 
solution for it.

This is my last try, after that I'll turn off everything and go for a better 
documented product unfortunately.
Le mardi 11 juillet 2023 à 15:44:08 UTC+2, Jérémie a écrit :
Indeed redirect_uri wasn't consistent between conf, but after updating it 
nothing has changed.

This is my service file now :
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "http://localhost:3000",
  "name": "OIDC",
  "id": 1,
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
  "clientSecret": "da31dc03-443c-4391-963b-86be2d9a4d45",
  "bypassApprovalPrompt": true,
  "generateRefreshToken": true,
  "evaluationOrder": 1
}


And the URL called : 
https://{URL}/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a=openid
 profile email 
read:all_type=code_mode=query=T0xJV2hyOXFQdVY5anNsX1VsUURrMEVIRlREQ3JGRF9vYzFvZVBXRUpFNw===eUFOTnU4NFVBQ0lDQjRteGcxV3E5V1I0N05OT0dzT29ubEwxQ3I4SE1uWg==_uri=http://localhost:3000_challenge=TxDYuTGk_M6AUKwC79VwUCZGE8WejkIwYAtcTkisvRk_challenge_method=S256=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9

I'm not seeing something that could cause the data causing the mismatch.

And the error doesn't give much detail on the specific issue (maybe my loggers 
aren't good ?)

Le lundi 10 juillet 2023 à 19:51:00 UTC+2, Ray Bon a écrit :
Jérémie,

The redirect_uri in the URL sent to cas must match the serviceId in your 
service file. serviceId can be a regex. The client_id matches clientId (this is 
more obvious).
There may be other parameters that are sent to cas by your application that are 
not identified in the service file. These other  parameters may or may not be a 
factor (I am still learning OIDC).

In short, 'Unauthorized Service Access ...', means that there is a mismatch 
between the service requested in the browser and the service file.

Ray


On Sun, 2023-07-09 at 23:35 -0700, Jérémie wrote:

Hi,

I'm simply getting :
2023-07-10 06:31:50,609 INFO [org.apereo.cas.web.CasWebApplicationReady] - 

2023-07-10 06:32:21,021 INFO 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired 
tickets removed.>
2023-07-10 06:33:48,750 WA

Re: [cas-user] OIDC /authorize - Authorization Denied

2023-07-10 Thread Ray Bon
Jérémie,

The redirect_uri in the URL sent to cas must match the serviceId in your 
service file. serviceId can be a regex. The client_id matches clientId (this is 
more obvious).
There may be other parameters that are sent to cas by your application that are 
not identified in the service file. These other  parameters may or may not be a 
factor (I am still learning OIDC).

In short, 'Unauthorized Service Access ...', means that there is a mismatch 
between the service requested in the browser and the service file.

Ray
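The matching rule described above, as an added check that is not part of the CAS project or this thread's code: it loads a registered-service JSON file (constructed here, shaped like the ones posted in this thread) and tests an /authorize URL against it, treating serviceId as a regex that the whole redirect_uri must match (assumed Java Pattern.matches semantics) and comparing client_id with clientId. The scope comparison is an extra hint only and assumes the service lists its scopes; the CAS host, service values and URLs are all constructed.

```python
"""Check an OIDC /authorize request against a CAS registered-service file.

Added example, not CAS project code. Assumes CAS matches the whole
redirect_uri against the serviceId regex (Java Pattern.matches semantics)
and that client_id must equal the service's clientId.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed service file, shaped like the OidcRegisteredService in this thread.
# serviceId is a regex: anchor it, and escape literal dots as \\. inside JSON.
SERVICE_JSON = r'''
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "^https://localhost:3000/callback$",
  "name": "OIDC",
  "id": 1,
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
  "clientSecret": "SECRET",
  "scopes": ["java.util.HashSet", ["openid", "profile", "email"]]
}
'''

# Constructed request, shaped like the one in the thread: the client sends
# redirect_uri=http://localhost:3000 although the service registers the https callback.
MISMATCHED_URL = (
    "https://cas.example.edu/cas/oidc/authorize"
    "?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a"
    "&scope=openid%20profile%20email%20read%3Aall"
    "&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A3000"
)

# Constructed request that satisfies the service definition above.
MATCHING_URL = (
    "https://cas.example.edu/cas/oidc/authorize"
    "?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a"
    "&scope=openid%20profile"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A3000%2Fcallback"
)


def unwrap_java_collection(value):
    """CAS serialises sets as ["java.util.HashSet", [...]]; return the inner list."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")):
        return value[1]
    return value


def check_authorize_request(service_json, authorize_url):
    """Return the list of mismatches between the request and the service file.

    An empty list means the request would be matched to this service; each
    entry otherwise names one reason CAS could answer 'Authorization Denied'.
    """
    service = json.loads(service_json)
    params = parse_qs(urlsplit(authorize_url).query)
    redirect_uri = params.get("redirect_uri", [""])[0]
    client_id = params.get("client_id", [""])[0]
    requested_scopes = set(params.get("scope", [""])[0].split())
    problems = []

    # 1. serviceId is a regex and the whole redirect_uri must match it.
    if not re.fullmatch(service["serviceId"], redirect_uri):
        problems.append(
            f"redirect_uri {redirect_uri!r} does not match serviceId "
            f"regex {service['serviceId']!r}")

    # 2. client_id must equal the service's clientId.
    if client_id != service.get("clientId"):
        problems.append(
            f"client_id {client_id!r} does not equal clientId "
            f"{service.get('clientId')!r}")

    # 3. Scopes the service does not list cannot be released to the client.
    allowed = set(unwrap_java_collection(service.get("scopes", [])))
    if allowed and not requested_scopes <= allowed:
        problems.append(
            f"scopes not configured on the service: "
            f"{sorted(requested_scopes - allowed)}")
    return problems


if __name__ == "__main__":
    for label, url in (("mismatched", MISMATCHED_URL), ("matching", MATCHING_URL)):
        print(label, check_authorize_request(SERVICE_JSON, url) or "OK")
```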


On Sun, 2023-07-09 at 23:35 -0700, Jérémie wrote:

Hi,

I'm simply getting :
2023-07-10 06:31:50,609 INFO [org.apereo.cas.web.CasWebApplicationReady] - 

2023-07-10 06:32:21,021 INFO 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired 
tickets removed.>
2023-07-10 06:33:48,750 WARN 
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - 

And no I'm not connected, I'm reaching directly this page and I'm always doing 
these tests in a private browser session.

Le mardi 4 juillet 2023 à 20:36:08 UTC+2, Ray Bon a écrit :
Jérémie,

What do the cas logs say about the authentication event (may need debug level)?

The authorize URL comes after the authentication step. Are you logged in, in 
that browser?

Ray

On Tue, 2023-06-27 at 06:30 -0700, Jérémie wrote:

Hi,

I'm pretty new to cas (6.6.8) and I'm trying to connect a test application to 
my CAS server using OIDC. I'm used to Okta, Auth0, etc., so OIDC is not new to 
me, just CAS configuration.

My Cas is also connected to an AD to sign in.

This is my Cas server configuration using OIDC module 
(org.apereo.cas:cas-server-support-oidc) :

# Server
server.port=443

# SSL
server.ssl.enabled=true
server.ssl.key-store=file:{path}
server.ssl.key-store-password=xxx
server.ssl.key-password=xxx

# CAS
cas.server.name=https://URL:443
cas.server.prefix=${cas.server.name}/cas
cas.logout.followServiceRedirects=true
cas.authn.accept.enabled=false

# Active Directory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost:389
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=DC=AAA,DC=BBB
cas.authn.ldap[0].search-filter=(sAMAccountName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=USER
cas.authn.ldap[0].bindCredential=XXX

# OIDC settings
cas.authn.oidc.core.issuer=https://URL/cas/oidc
cas.authn.oidc.core.skew=5
cas.authn.oidc.jwks.file-system.jwks-file=file:C:\Program Files\Tomcat 9.0\etc\cas\config\keystore.jwks

# Encryption/Signing keys
cas.tgc.crypto.encryption.key=SN7Vpa8oHvXfh2hDZp8ANxZGRkF1DvKbYLTy_Vip2dI
cas.tgc.crypto.signing.key=KwbtZl2y5sidXFMShjVm4PiGwjVQ0Fq-ZBp0A_HUK6IOnoS2h0E5cSfp7vy8uioqX04yKIBXcU0kUm6DRuPCZQ
cas.webflow.crypto.signing.key=MltIqyj_vGFgZKFfw8vmoqYIYYu_KEU20AyZaAIDZl_Xjhl0ZGpPNe4h4N7-8p1_pNi-s97TQKb1-INp9VEwEA
cas.webflow.crypto.encryption.key=3Mh_pdDFLPCMgacDL6z8SQ

---

This is my /etc/config/services file :
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "https://localhost:3000/callback", --> my app URL
  "name": "OIDC",
  "id": 1,
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
  "clientSecret": "SECRET",
  "bypassApprovalPrompt": true,
  "generateRefreshToken": true,
  "evaluationOrder": 1
}

---

This is my test application config (Node.js app) :
{
  "domain": "cas.lyvoc.com/cas/oidc",
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a"
}

This application was used for other IdPs so it won't come from this. When 
hitting login on it, this is the /authorize URL I'm getting redirected to :
https://URL/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor=openid%20profile%20email%20read%3Aall_type=code_mode=query=dGEwS21Ddm52WUNXc254c2ptRmNzQjBOZGNTSGlPZzZ1R1AxVldOTl9lMA%3D%3D=RUIzY1hEbWJmWDZJYjNWOWh3QVJZcjBBdVNDOGt0RVdjYVl6WEZ1R0tXYQ%3D%3D_uri=http%3A%2F%2Flocalhost%3A3000_challenge=2Mln96FLN8s0qylEMY9yuC7ucbKioF9cGMIYG5B4q8s_challenge_method=S256=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9

The issue is that I'm getting redirected to a CAS page, but saying 
"Authorization Denied". I'm not getting redirected to the authentication page 
or anything like that :
[firefox_u32LfLkefz.png]

I'm not finding anything on the net for this.

Thanks for any help !


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-07 Thread Ray Bon
Niral,

I would be surprised if there were any changes in the way tickets are handled 
by cas in the upgrade (it is fundamental in the way cas operates).
Spring is good at logging when there is a mismatch between your config and 
class properties. Is there anything in the logs that would suggest values are 
not being set?

Petr suggested using your browser's dev tools. If you step through the network 
traffic, you can see cookies and values being sent and you will see if a TGC is 
being resent [with a different value].

You do not need a real service to check cas's management of TGCs. I added a 
fake service to my service registry; I literally have this bookmark:

https://local.uvic.ca/cas/login?service=https://blah

after login your browser will display a message about not finding https://blah 
(firefox displays: Hmm. We’re having trouble finding that site.), and in the 
address bar will be:
https://blah/?ticket=ST-...

If you open a new tab and try to log in with the bookmark, you will not see the 
log in page but get redirected to https://blah with a new ST

Ray

On Thu, 2023-07-06 at 19:56 +, 'Niral Kunadia' via CAS Community wrote:

Ray,

I can double check if the hosted environment has more than one tomcat server. FYI, 
this was working perfectly fine with 6.5.9; the TGC ticket is expiring only with 
the 6.6.9 version.

Is there any public repo you are aware of with CAS 6.6.9 available for test 
with login and logout form?

Thank you for reply!

Niral




From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Thursday, July 6, 2023 3:43 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5


WARNING: THIS IS AN EXTERNAL EMAIL THAT ORIGINATED OUTSIDE OF OUR EMAIL SYSTEM. 
DO NOT CLICK links / attachments unless you know that the content is safe! For 
suspicious emails, report using the Phish Alert Report button on the upper left 
of your email. For marketing/SPAM emails, delete.


Niral,

Is it possible the hosted environment has more than one tomcat server?
If TGTs are not shared between cas instances, then, when switching tomcat 
servers (controlled by the hosting service / load balancer), the second cas 
will not know about the login session and force the login screen.

Ticket registry is described at 
https://apereo.github.io/cas/6.6.x/ticketing/Configuring-Ticketing-Components.html
Alternatively, start with a single cas server, then add more cas servers and 
the ticket registry when other config is more or less complete.

Ray


On Thu, 2023-07-06 at 14:04 +, 'Niral Kunadia' via CAS Community wrote:

Thank you Ray,

Are you deploying the war to more than one tomcat? : I created .war file with 
gradle on local and deploying to test environment which is some hosted 
environment.
Is the tomcat on your local dev computer or some hosted environment? : some 
hosted environment

Thank you for reply.



From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Wednesday, July 5, 2023 4:37 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5




Niral,

To see a list of all cas properties:

$ ./gradlew exportConfigMetadata

Which will create a file called config-metadata.properties
You can search for 'tgt' or 'tgc'
The default value will be shown beside the property.
TicketGrantingTicket is the server side session and TGC is the client side 
cookie used to find the TGT.

To see other gradlew commands:

$ ./gradlew tasks

There are some management endpoints that can provide some info, 
https://apereo.github.io/cas/6.6.x/monitoring/Monitoring-Statistics.html

Here are some related blog posts:
https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/
https://fawnoos.com/2021/09/06/cas65-sso-sessions/

Some URLs that I use:
https://local.uvic.ca/cas/actuator/ssoSessions
https://local.uvic.ca/cas/actuator/ticketExpirationPolicies

I do not think this is an issue with tomcat.
Your steps 3. and 4. suggest that it is working correctly.


You say 'Restarted tomcat services'.
Are you deploying the war to more than one tomcat?
Is the tomcat on your local dev computer or some hosted environment?


On my local I have a sym link from 

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-06 Thread Ray Bon
Niral,

Is it possible the hosted environment has more than one tomcat server?
If TGTs are not shared between cas instances, then, when switching tomcat 
servers (controlled by the hosting service / load balancer), the second cas 
will not know about the login session and force the login screen.

Ticket registry is described at 
https://apereo.github.io/cas/6.6.x/ticketing/Configuring-Ticketing-Components.html
Alternatively, start with a single cas server, then add more cas servers and 
the ticket registry when other config is more or less complete.

Ray


On Thu, 2023-07-06 at 14:04 +, 'Niral Kunadia' via CAS Community wrote:

Thank you Ray,

Are you deploying the war to more than one tomcat? : I created .war file with 
gradle on local and deploying to test environment which is some hosted 
environment.
Is the tomcat on your local dev computer or some hosted environment? : some 
hosted environment

Thank you for reply.



From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Wednesday, July 5, 2023 4:37 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5




Niral,

To see a list of all cas properties:

$ ./gradlew exportConfigMetadata

Which will create a file called config-metadata.properties
You can search for 'tgt' or 'tgc'
The default value will be shown beside the property.
TicketGrantingTicket is the server side session and TGC is the client side 
cookie used to find the TGT.

To see other gradlew commands:

$ ./gradlew tasks

There are some management endpoints that can provide some info, 
https://apereo.github.io/cas/6.6.x/monitoring/Monitoring-Statistics.html

Here are some related blog posts:
https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/
https://fawnoos.com/2021/09/06/cas65-sso-sessions/

Some URLs that I use:
https://local.uvic.ca/cas/actuator/ssoSessions
https://local.uvic.ca/cas/actuator/ticketExpirationPolicies

I do not think this is an issue with tomcat.
Your steps 3. and 4. suggest that it is working correctly.


You say 'Restarted tomcat services'.
Are you deploying the war to more than one tomcat?
Is the tomcat on your local dev computer or some hosted environment?


On my local I have a sym link from tomcat/webapps/cas.war to 
devdir/build/lib/cas.war (this will save a step if tomcat is local).
You can also use the docker build and deploy or embedded tomcat run approach. 
These options are described at the bottom of 
https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/

Ray

On Wed, 2023-07-05 at 15:27 +, 'Niral Kunadia' via CAS Community wrote:

Ray,

I upgraded CAS to 6.6.9 from 6.5.8. I am able to log in to cas with 
authentication, and on refresh somehow the TGC is expiring and asking for login 
credentials again.

Is there any setting I have to add in cas.properties?

I did these steps:

  1.  Copy cas.war to test environment. Restarted tomcat services.
  2.  Open URL in browser cas/login
  3.  Able to login and getting profile info.
  4.  On refresh still able to see profile page.
  5.  Then I logout cas/logout
  6.  Again open login screen and entered credentials. Able to login and on 
refresh it is displaying profile.

If I don’t do cas/logout, somehow the tgc ticket is expiring.

But after a few seconds somehow the TGC is expiring. How can I add an expiration time in 
6.6.9? I don’t have any setting related to tgc in my 6.5.8 version.



From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Thursday, June 22, 2023 10:20 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5




Niral,

Is the page you are refreshing the cas default login page or is it a page in 
your client application?

Can you post the URL when you land on the cas login page after a refresh?

Ray

On Wed, 2023-06-21 at 19:34 +, 'Niral Kunadia' via CAS Community wrote:

Thank you so much Ray for quick reply.

Re: [cas-user] Unauthorized URL conditional on enforced attributes?

2023-07-05 Thread Ray Bon
Baron,

I have used the cas source and spring api docs to understand what these 
objects hold.
They are all complex objects and I print their contents to the logs to find 
what is available (it is a tedious process).

Ray

This is from one of our scripts:

class MfaSelector {
    def String run(final Object... args) {
        def authentication = args[0]
        def registeredService = args[1]
        def httpRequest = args[2]
        def service = args[3]
        def applicationContext = args[4]
        def logger = args[5]

        // logger.error('principal: ' + authentication.principal)
        // logger.error('service: ' + service)
        ...

But the types and number of args may change based on context. The above differs 
from 
https://apereo.github.io/cas/6.5.x/authentication/Groovy-Authentication.html

If you have a java class you can do something like this:

// printMap("attributes Map", requestContext.getAttributes().asMap());
// printMap("conversation Map", requestContext.getConversationScope().asMap());
// printMap("flash Map", requestContext.getFlashScope().asMap());
// printMap("flow scope Map", requestContext.getFlowScope().asMap());
// printMap("request Map", requestContext.getRequestScope().asMap());
// printMap("parameter Map", requestContext.getRequestParameters().asMap());


private void printMap(String identifier, Map mam) {
    LOGGER.trace(identifier + ": [" + mam.keySet().size() + "]:");
    for (String key : mam.keySet()) {
        LOGGER.trace("\t" + key + " : " + mam.get(key));
    }
}

On Wed, 2023-07-05 at 09:45 -1000, Baron Fujimoto wrote:

Thanks for the pointer. I did find this fairly old Fawnoos article 
<https://fawnoos.com/2018/04/23/cas-access-strategy-url-redirects/>, but it 
seems to describe a strategy that is perhaps even more low level than the 
Groovy script suggested in the more current documentation.

One aspect I have found a little frustrating is just knowing what is available 
to work with in such a script. The Unauthorized URL doc mentions that the 
following parameters are provided to the script: registeredService, 
requestContext, applicationContext, and logger but I'm not sure where I can 
find more information about those objects themselves. Do we need to consult 
more generic Spring Webflow docs for the methods available to requestContext 
and applicationContext, and whether they would contain the desired info re the 
specific requiredAttributes conditions that were not met?



On Tue, Jul 4, 2023 at 6:56 AM Ray Bon <r...@uvic.ca> wrote:
Baron,

There may be something in the fawnoos blog 
https://fawnoos.com/blog/

Ray

On Mon, 2023-07-03 at 15:48 -1000, Baron Fujimoto wrote:

When using Attribute Based Access Control (ABAC) in a service access strategy, 
is there a way to conditionally specify the unauthorized URL to redirect to 
depending on the failure to satisfy a particular attribute requirement?

The Unauthorized URL documentation suggests perhaps this could be done with a 
dynamic URL via a Groovy script? But it's not really clear to me how, assuming 
this is possible, you would actually do so in the script?

E.g., given something like:

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "name" : "Conditional_Unauthorized_URL",
  "serviceId" : "^https://example\\.edu",
  "description" : "Unauthorized URL depends on which ABAC condition fails",
  "id" : 20230703153748,
  "evaluationOrder" : 10,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl" : "file:/etc/cas/config/unauthz-redirect-url.groovy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "attr_1" : [ "java.util.HashSet", [ "required_attr_1_val" ] ],
      "attr_2" : [ "java.util.HashSet", [ "required_attr_2_val" ] ]
    }
  }
}

If attr_1 is not required_attr_1_val then set unauthorizedRedirectUrl to 
https://www.example.edu/unauthz-redirect_attr_1.html

Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

2023-07-05 Thread Ray Bon
Niral,

To see a list of all cas properties:

$ ./gradlew exportConfigMetadata

Which will create a file called config-metadata.properties
You can search for 'tgt' or 'tgc'
The default value will be shown beside the property.
TicketGrantingTicket is the server side session and TGC is the client side 
cookie used to find the TGT.

To see other gradlew commands:

$ ./gradlew tasks

There are some management endpoints that can provide some info, 
https://apereo.github.io/cas/6.6.x/monitoring/Monitoring-Statistics.html

Here are some related blog posts:
https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/
https://fawnoos.com/2021/09/06/cas65-sso-sessions/

Some URLs that I use:
https://local.uvic.ca/cas/actuator/ssoSessions
https://local.uvic.ca/cas/actuator/ticketExpirationPolicies

I do not think this is an issue with tomcat.
Your steps 3. and 4. suggest that it is working correctly.


You say 'Restarted tomcat services'.
Are you deploying the war to more than one tomcat?
Is the tomcat on your local dev computer or some hosted environment?


On my local I have a sym link from tomcat/webapps/cas.war to 
devdir/build/lib/cas.war (this will save a step if tomcat is local).
You can also use the docker build and deploy or embedded tomcat run approach. 
These options are described at the bottom of 
https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/

Ray

On Wed, 2023-07-05 at 15:27 +, 'Niral Kunadia' via CAS Community wrote:

Ray,

I upgraded CAS to 6.6.9 from 6.5.8. I am able to log in to cas with 
authentication, and on refresh somehow the TGC is expiring and asking for login 
credentials again.

Is there any setting I have to add in cas.properties?

I did these steps:

  1.  Copy cas.war to test environment. Restarted tomcat services.
  2.  Open URL in browser cas/login
  3.  Able to login and getting profile info.
  4.  On refresh still able to see profile page.
  5.  Then I logout cas/logout
  6.  Again open login screen and entered credentials. Able to login and on 
refresh it is displaying profile.

If I don’t do cas/logout, somehow the tgc ticket is expiring.

But after a few seconds somehow the TGC is expiring. How can I add an expiration time in 
6.6.9? I don’t have any setting related to tgc in my 6.5.8 version.



From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Thursday, June 22, 2023 10:20 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5




Niral,

Is the page you are refreshing the cas default login page or is it a page in 
your client application?

Can you post the URL when you land on the cas login page after a refresh?

Ray

On Wed, 2023-06-21 at 19:34 +, 'Niral Kunadia' via CAS Community wrote:

Thank you so much Ray for quick reply.

I was able to fix the custom theme issue and the page loads with all css properly; 
I am able to log in to CAS and see my credentials with other profile 
info. But when I refresh the page it automatically logs me out. Any suggestions 
or ideas?


From: cas-user@apereo.org On Behalf Of Ray Bon
Sent: Wednesday, June 21, 2023 10:27 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - 
CAS 6.5




Niral,

Here is a handy blog, https://fawnoos.com/2022/07/22/cas66-ui-themes/

Ray

On Fri, 2023-06-16 at 12:08 +, 'Niral Kunadia' via CAS Community wrote:

Hello Ray,

As I am upgrading from 6.5.9 to 6.6.8 and we are using a custom login page UI, I 
have to make a few changes in the src folder. I have the below code in 
src/main/resources/templates/layouts.html.





 

I would like to add the webjars dependency in build.gradle. I did not find any 
sample for this. Please help! As webjars is not finding this, it is displaying a 
blank page instead of the custom login page.

Thank you
Niral






From: cas-user@apereo.org On Behalf Of Ray Bon

Re: [cas-user] OIDC /authorize - Authorization Denied

2023-07-04 Thread Ray Bon
Jérémie,

What do the cas logs say about the authentication event (may need debug level)?

The authorize URL comes after the authentication step. Are you logged in, in 
that browser?

Ray

On Tue, 2023-06-27 at 06:30 -0700, Jérémie wrote:

Hi,

I'm pretty new to cas (6.6.8) and I'm trying to connect a test application to 
my CAS server using OIDC. I'm used to Okta, Auth0, etc., so OIDC is not new to 
me, just CAS configuration.

My Cas is also connected to an AD to sign in.

This is my Cas server configuration using OIDC module 
(org.apereo.cas:cas-server-support-oidc) :

# Server
server.port=443

# SSL
server.ssl.enabled=true
server.ssl.key-store=file:{path}
server.ssl.key-store-password=xxx
server.ssl.key-password=xxx

# CAS
cas.server.name=https://URL:443
cas.server.prefix=${cas.server.name}/cas
cas.logout.followServiceRedirects=true
cas.authn.accept.enabled=false

# Active Directory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost:389
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=DC=AAA,DC=BBB
cas.authn.ldap[0].search-filter=(sAMAccountName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=USER
cas.authn.ldap[0].bindCredential=XXX

# OIDC settings
cas.authn.oidc.core.issuer=https://URL/cas/oidc
cas.authn.oidc.core.skew=5
cas.authn.oidc.jwks.file-system.jwks-file=file:C:\Program Files\Tomcat 9.0\etc\cas\config\keystore.jwks

# Encryption/Signing keys
cas.tgc.crypto.encryption.key=SN7Vpa8oHvXfh2hDZp8ANxZGRkF1DvKbYLTy_Vip2dI
cas.tgc.crypto.signing.key=KwbtZl2y5sidXFMShjVm4PiGwjVQ0Fq-ZBp0A_HUK6IOnoS2h0E5cSfp7vy8uioqX04yKIBXcU0kUm6DRuPCZQ
cas.webflow.crypto.signing.key=MltIqyj_vGFgZKFfw8vmoqYIYYu_KEU20AyZaAIDZl_Xjhl0ZGpPNe4h4N7-8p1_pNi-s97TQKb1-INp9VEwEA
cas.webflow.crypto.encryption.key=3Mh_pdDFLPCMgacDL6z8SQ

---

This is my /etc/config/services file :
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "https://localhost:3000/callback", --> my app URL
  "name": "OIDC",
  "id": 1,
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
  "clientSecret": "SECRET",
  "bypassApprovalPrompt": true,
  "generateRefreshToken": true,
  "evaluationOrder": 1
}

---

This is my test application config (Node.js app) :
{
  "domain": "cas.lyvoc.com/cas/oidc",
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a"
}

This application was used for other IdPs so it won't come from this. When 
hitting login on it, this is the /authorize URL I'm getting redirected to :
https://URL/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor=openid%20profile%20email%20read%3Aall_type=code_mode=query=dGEwS21Ddm52WUNXc254c2ptRmNzQjBOZGNTSGlPZzZ1R1AxVldOTl9lMA%3D%3D=RUIzY1hEbWJmWDZJYjNWOWh3QVJZcjBBdVNDOGt0RVdjYVl6WEZ1R0tXYQ%3D%3D_uri=http%3A%2F%2Flocalhost%3A3000_challenge=2Mln96FLN8s0qylEMY9yuC7ucbKioF9cGMIYG5B4q8s_challenge_method=S256=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9

The issue is that I'm getting redirected to a CAS page, but saying 
"Authorization Denied". I'm not getting redirected to the authentication page 
or anything like that :
[firefox_u32LfLkefz.png]

I'm not finding anything on the net for this.

Thanks for any help !

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a6eb80b08db8b08878f77e316172be94e5569a7d.camel%40uvic.ca.

