Re: [cas-user] pac4j SAML2Client and principal
Hi Jérôme,

The issue goes away with CAS version 5.2.3 and pac4j version 2.3.1.

Thanks,

Scott K

> Hi Jérôme,
>
> I am using the JSON service registry. The service is registered as
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
>   "name" : "testClient01",
>   "id" : 1,
>   "evaluationOrder" : 10,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "usernameAttributeProvider" : {
>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>     "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
>     "canonicalizationMode" : "NONE"
>   }
> }
>
> So I believe the correct attribute release policy is in place to release all
> attributes to the service.
>
> The CAS log file contains this WARN message:
>
> 2018-03-24 10:02:59,411 WARN [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==] does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] among attributes [{}] so CAS cannot provide the user attribute the service expects. CAS will instead return the default principal id [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==]. Ensure the attribute selected as the username is allowed to be released by the service attribute release policy.
>
> So CAS thinks there is no attribute "urn:oid:0.9.2342.19200300.100.1.1" but
> earlier in the log file pac4j logs
>
> 2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - #SAML2Profile# | id: AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA== | attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skoranda@gmail.com], mail=[skora...@gmail.com], urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott], urn:oid:2.5.4.42=[Scott], notBefore=2018-03-24T10:02:57.588Z, uid=[scott.koranda], urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda], urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.koranda@sphericalcowgroup.com], notOnOrAfter=2018-03-24T10:07:57.588Z, eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com], urn:oid:2.5.4.4=[Koranda], sn=[Koranda], sessionindex=_0572dab54bff96c199e29f058aae9302} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |
>
> where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
> be populated.
>
> Am I missing something in my JSON service configuration?
>
> Again this is for version 5.1.3.
>
> Thanks,
>
> Scott K
>
> > Hi,
> >
> > The behavior is to create the CAS principal and attributes from the pac4j
> > principal and attributes. So you should get the pac4j attributes at the end.
> > Ignore the log about the ClientCredential, the toString method just outputs
> > the id (not the attributes).
> >
> > Is the service configured properly (with ReturnAllAttributeReleasePolicy
> > for example)?
> >
> > Thanks.
> > Best regards,
> > Jérôme
> >
> > On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda wrote:
> >
> > > Hi,
> > >
> > > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > > depending on the issue of which binding is being used for the
> > > AuthnRequest, as detailed in an earlier note to this list).
> > >
> > > I am delegating authentication to a SAML2 IdP using pac4j.
> > >
> > > After a successful authentication I see in cas.log
> > >
> > > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] - #SAML2Profile# | id: AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ== | attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[skora...@gmail.com], urn:oid:0.9.2
Re: [cas-user] build from source with additional modules
Hi,

> This is not the information you gave in the first place.
> So try not to mislead answers.

Again, thank you for your time. I appreciate that this is a community effort.

I do not believe I have provided misleading information. My first note
explained that I am building CAS from source following the instructions at

https://apereo.github.io/cas/developer/Build-Process-5X.html

The instructions show how to build CAS from source using Gradle.

> Why do you want to use gradle if you were using maven.

I am using Maven with the overlay approach for production deployments.

For building from source in order to help debug an issue with pac4j SAML
in version 5.2 so that I may contribute back to the community I need to
build a war file that includes the pac4j and JSON service registry
functionality. I would like additional details not provided at the link
https://apereo.github.io/cas/developer/Build-Process-5X.html on how to do
that.

I appreciate any insights that can be provided.

Thank you again,

Scott K

> On Sunday, March 25, 2018, Scott Koranda wrote:
>
> > Hi,
> >
> > > Copy etc/cas/properties to /etc/cas/properties
> > > Add modules relevant properties to that.
> > > See
> > > https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html
> >
> > Thank you for your prompt reply, but this is not the information I need.
> >
> > I have a working and configured CAS deployment deployed using a standard
> > Maven overlay approach. It is already configured to use the JSON service
> > registry and pac4j modules. I did that by appropriately adding
> > dependencies in my pom.xml file and then adding appropriate
> > configurations to /etc/cas/config/cas.properties.
> >
> > Now I want to build CAS from source using gradle and use the same
> > configuration.
> >
> > I am able to build from source as I detailed in my last note, but the
> > war file I build does not have the JSON service registry or pac4j
> > modules included.
> >
> > I need a detailed explanation or example of how I modify a gradle
> > build.gradle file to include the JSON service registry or pac4j module
> > in the war file built from source.
> >
> > I would be grateful if someone could provide that information.
> >
> > Thank you for your time.
> >
> > Scott K
> >
> > To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325135942.t7n63gsdppotycnd%40paprika.local.
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5midiAa0_rXt1AefQ9M%2B4YmbfGNBtYyet8BnTPwuShXYuDw%40mail.gmail.com.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325141827.s3fz3ze46kjpczob%40paprika.local.
Re: [cas-user] pac4j SAML2Client and principal
Hi Jérôme,

I am using the JSON service registry. The service is registered as

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
  "name" : "testClient01",
  "id" : 1,
  "evaluationOrder" : 10,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
    "canonicalizationMode" : "NONE"
  }
}

So I believe the correct attribute release policy is in place to release all
attributes to the service.

The CAS log file contains this WARN message:

2018-03-24 10:02:59,411 WARN [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==] does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] among attributes [{}] so CAS cannot provide the user attribute the service expects. CAS will instead return the default principal id [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==]. Ensure the attribute selected as the username is allowed to be released by the service attribute release policy.

So CAS thinks there is no attribute "urn:oid:0.9.2342.19200300.100.1.1" but
earlier in the log file pac4j logs

2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - #SAML2Profile# | id: AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA== | attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skoranda@gmail.com], mail=[skora...@gmail.com], urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott], urn:oid:2.5.4.42=[Scott], notBefore=2018-03-24T10:02:57.588Z, uid=[scott.koranda], urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda], urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.koranda@sphericalcowgroup.com], notOnOrAfter=2018-03-24T10:07:57.588Z, eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com], urn:oid:2.5.4.4=[Koranda], sn=[Koranda], sessionindex=_0572dab54bff96c199e29f058aae9302} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |

where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
be populated.

Am I missing something in my JSON service configuration?

Again this is for version 5.1.3.

Thanks,

Scott K

> Hi,
>
> The behavior is to create the CAS principal and attributes from the pac4j
> principal and attributes. So you should get the pac4j attributes at the end.
> Ignore the log about the ClientCredential, the toString method just outputs
> the id (not the attributes).
>
> Is the service configured properly (with ReturnAllAttributeReleasePolicy
> for example)?
>
> Thanks.
> Best regards,
> Jérôme
>
> On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda wrote:
>
> > Hi,
> >
> > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > depending on the issue of which binding is being used for the
> > AuthnRequest, as detailed in an earlier note to this list).
> >
> > I am delegating authentication to a SAML2 IdP using pac4j.
> >
> > After a successful authentication I see in cas.log
> >
> > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] - #SAML2Profile# | id: AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ== | attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[skora...@gmail.com], urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott], urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z, uid=[scott.koranda], urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda], urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.kora...@sphericalcowgroup.com], notOnOrAfter=2018-03-22T14:49:45.460Z, eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com], urn:oid:2.5.4.4=[Koranda], sn=[Koranda], sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |
> >
> > Those are the values for NameID (transient) and attributes that I
> > expect.
> >
> > The next line in cas.log is
> >
> > 2018-03-22 14:44:46,402 INFO [org.apereo.cas.authentication.AbstractAuthenticationManager] - [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==] with attributes [{}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].
> >
> > So it appears that the NameID value (transient) is being used as the
> > principal, but none of the attributes are making it from the pac4j layer
> > into the CAS layer.
> >
> > Is that a correct assessment?
> >
> > If so, how can I
> >
> > a) change what value is used for the principal? I would like to use the
> > value from one of the asserted attributes.
> >
> > b) push the attributes into the CAS layer to make them available for
> > assertion downstream to the CAS client?
> >
> > I have reviewed the documentation for the Delegated/pac4j authentication at
[cas-user] Re: pac4j SAML2 authn request protocol binding
> I am using pac4j delegated authentication with SAML2 so that CAS uses a
> SAML2 Identity Provider (IdP) for authentication.
>
> With CAS version 5.1.3 the AuthnRequest sent to the IdP has
>
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>
> as I expect, and that matches the metadata for the CAS server SP that
> was given to the IdP. The CAS server auto-generated SP SAML metadata
> contains
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://my.server/cas/login?client_name=SAML2Client"
> index="0"/>
>
> So this is consistent and the SAML flow works as expected.
>
> With CAS version 5.2.3 the AuthnRequest sent to the IdP has instead
>
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>
> That is not what I expect and appears to be a regression.
>
> Further if I delete the auto-generated SP metadata so that CAS version
> 5.2.3 re-generates it I see in the metadata
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> Location="https://my.server/cas/login?client_name=SAML2Client"
> index="0"/>
>
> Again, this is not what I expect for the SP ACS. I would expect it to
> be using the HTTP-POST binding.
>
> Can someone confirm that this is a regression somewhere between 5.1.3
> and 5.2.3?

I used a Maven overlay to build version 5.2.3 but then after Tomcat
exploded the WAR I did

cd /var/lib/tomcat8/webapps/cas/WEB-INF/lib
rm pac4j-saml-2.2.0.jar
cp /home/skoranda/pac4j/pac4j-saml/target/pac4j-saml-2.3.1-SNAPSHOT.jar .

and restarted Tomcat.

The pac4j version 2.3.1 jar was one I built from source by doing

git clone g...@github.com:pac4j/pac4j.git
cd pac4j
git checkout 2.2.x
mvn install -DskipTests

That caused the issue to go away: the AuthnRequest from the CAS SP to the
remote IdP included

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

as I expected and it matched the AssertionConsumerService element in the
existing SP metadata.

By default when CAS 5.2.3 is deployed with a Maven overlay version 2.2.0
of pac4j is used but with version 2.3.1 of pac4j the issue is resolved.

I edited my pom.xml file and changed

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-pac4j-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>

to be instead

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-pac4j-webflow</artifactId>
        <version>${cas.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.pac4j</groupId>
                <artifactId>pac4j-saml</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>pac4j-saml</artifactId>
        <version>2.3.1</version>
    </dependency>

This allowed CAS version 5.2.3 to leverage pac4j version 2.3.1 and
resolved the issue.

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325203321.4jxx32nojpmisywx%40paprika.local.
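The regression in this thread is a mismatch between what the SP sends in its AuthnRequest and what the IdP already believes about the SP from its metadata: CAS 5.2.3 with pac4j 2.2.0 asked for ProtocolBinding HTTP-Redirect while the metadata on file advertised an HTTP-POST AssertionConsumerService. The script below is an added example (not code from CAS, pac4j or the thread) that checks an AuthnRequest against SP metadata with only the Python standard library and reports two things: a ProtocolBinding that is not a legal binding for delivering a Response to an ACS at all (the SAML 2.0 Web Browser SSO profile rules out HTTP-Redirect for the Response), and a binding/URL pair that no AssertionConsumerService in the metadata advertises. The metadata and the two requests are constructed for the example; only the Location and the binding URIs come from the thread, and the entityID and request ID are placeholders.

```python
"""Check an AuthnRequest's ProtocolBinding against the SP's own metadata.

Added example, not CAS or pac4j code. Reproduces the thread's regression
check offline: one request as 5.1.3 sent it (HTTP-POST) and one as 5.2.3
with pac4j 2.2.0 sent it (HTTP-Redirect), both against SP metadata that
advertises an HTTP-POST AssertionConsumerService.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
# Bindings an IdP may use to deliver a <Response> to an ACS endpoint
# (SAML 2.0 Profiles, Web Browser SSO: HTTP-Redirect MUST NOT be used).
RESPONSE_BINDINGS = {HTTP_POST, HTTP_ARTIFACT}

# Constructed SP metadata shaped like the thread's 5.1.3 output; entityID is a placeholder.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my.server/cas/ENTITY-ID-PLACEHOLDER">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my.server/cas/login?client_name=SAML2Client"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(binding):
    """Constructed AuthnRequest carrying the given ProtocolBinding (ID is a placeholder)."""
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2018-03-21T21:24:11Z"
    ProtocolBinding="{binding}"
    AssertionConsumerServiceURL="https://my.server/cas/login?client_name=SAML2Client"/>"""


def acs_endpoints(metadata_xml):
    """List the AssertionConsumerService endpoints an SP advertises."""
    root = ET.fromstring(metadata_xml)
    return [
        {"binding": acs.get("Binding"), "location": acs.get("Location"),
         "index": int(acs.get("index", "0")), "is_default": acs.get("isDefault") == "true"}
        for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]


def check_authn_request(request_xml, metadata_xml):
    """Return a list of findings; an empty list means request and metadata agree."""
    req = ET.fromstring(request_xml)
    binding = req.get("ProtocolBinding")
    acs_url = req.get("AssertionConsumerServiceURL")
    findings = []
    if binding is not None and binding not in RESPONSE_BINDINGS:
        findings.append(f"ProtocolBinding {binding} is not a permitted binding for a "
                        "Response to an AssertionConsumerService")
    # Only endpoints at the URL the request names can receive this Response.
    candidates = [e for e in acs_endpoints(metadata_xml)
                  if acs_url is None or e["location"] == acs_url]
    if not candidates:
        findings.append(f"metadata advertises no AssertionConsumerService at {acs_url}")
    elif binding is not None and binding not in {e["binding"] for e in candidates}:
        advertised = ", ".join(sorted(e["binding"] for e in candidates))
        findings.append(f"IdP holds metadata advertising {advertised} at {acs_url}, "
                        f"but the request asks for {binding}")
    return findings


if __name__ == "__main__":
    print("5.1.3-style request:", check_authn_request(authn_request(HTTP_POST), SP_METADATA))
    print("5.2.3-style request:", check_authn_request(authn_request(HTTP_REDIRECT), SP_METADATA))
```

The HTTP-POST request comes back clean and the HTTP-Redirect request produces both findings. Pointing `SP_METADATA` at the metadata the IdP actually holds (rather than whatever the SP last generated) is the useful variant: the thread shows that regenerating the SP metadata under 5.2.3 changed the advertised binding too, so the SP's own fresh metadata can agree with a request that the IdP will still reject.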
[cas-user] Re: build from source with additional modules
> I would like to build CAS from source so that I can add some additional
> debugging to troubleshoot an issue with the pac4j SAML2 client support
> for version 5.2.x.
>
> I did
>
> git clone g...@github.com:apereo/cas.git cas-server
> cd cas-server
> git checkout 5.2.x
> ./gradlew war --parallel -x test -x javadoc -x check
>
> The build completed successfully.
>
> I was then able to do
>
> sudo cp \
>   ./webapp/cas-server-webapp/build/libs/cas-server-webapp-5.2.4-SNAPSHOT.war \
>   /var/lib/tomcat8/webapps/cas.war
>
> restart Tomcat 8.5
>
> and see the CAS server start up and access /cas/login.
>
> I need, however, to add the module for pac4j support and for the JSON
> service registry.
>
> I see on this page
>
> https://apereo.github.io/cas/developer/Build-Process-5X.html
>
> the text
>
> "To test the functionality provided by a given CAS module, execute the
> following steps:
>
> Add the module reference to the build script (i.e. build.gradle) of web
> application you intend to run (i.e Web App, Management Web App, etc)"
>
> and the example
>
> implementation project(":support:cas-server-support-modulename")
>
> I did add the line
>
> implementation project(":support:cas-server-support-json-service-registry")
>
> to the file
>
> webapp/build.gradle
>
> but when I copied over the war file and restarted Tomcat the configured
> JSON service registry was not recognized.
>
> What step am I missing to add the JSON service registry support to the
> war file I build from source?

Apologies for answering my own post, but for the archives...

A correct recipe for building version 5.2.x from source with support for
the JSON service registry and the pac4j SAML functionality is

git clone g...@github.com:apereo/cas.git cas-server
cd cas-server
git checkout 5.2.x

Then edit the file

webapp/cas-server-webapp/build.gradle

and add the lines

dependencies {
    implementation project(path: ":support:cas-server-support-json-service-registry")
    implementation project(path: ":support:cas-server-support-pac4j-webflow")
}

Then execute

./gradlew war --parallel -x test -x javadoc -x check
sudo cp ./webapp/cas-server-webapp/build/libs/cas-server-webapp-5.2.4-SNAPSHOT.war /var/lib/tomcat8/webapps/cas.war

After restarting Tomcat8 the code built from source will be in effect.

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325200932.jtmbs3jckk7v5g2d%40paprika.local.
Re: [cas-user] build from source with additional modules
Hi,

> Copy etc/cas/properties to /etc/cas/properties
> Add modules relevant properties to that.
> See
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html

Thank you for your prompt reply, but this is not the information I need.

I have a working and configured CAS deployment deployed using a standard
Maven overlay approach. It is already configured to use the JSON service
registry and pac4j modules. I did that by appropriately adding
dependencies in my pom.xml file and then adding appropriate
configurations to /etc/cas/config/cas.properties.

Now I want to build CAS from source using gradle and use the same
configuration.

I am able to build from source as I detailed in my last note, but the
war file I build does not have the JSON service registry or pac4j
modules included.

I need a detailed explanation or example of how I modify a gradle
build.gradle file to include the JSON service registry or pac4j module
in the war file built from source.

I would be grateful if someone could provide that information.

Thank you for your time.

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325135942.t7n63gsdppotycnd%40paprika.local.
[cas-user] build from source with additional modules
Hi,

I would like to build CAS from source so that I can add some additional
debugging to troubleshoot an issue with the pac4j SAML2 client support
for version 5.2.x.

I did

git clone g...@github.com:apereo/cas.git cas-server
cd cas-server
git checkout 5.2.x
./gradlew war --parallel -x test -x javadoc -x check

The build completed successfully.

I was then able to do

sudo cp \
  ./webapp/cas-server-webapp/build/libs/cas-server-webapp-5.2.4-SNAPSHOT.war \
  /var/lib/tomcat8/webapps/cas.war

restart Tomcat 8.5

and see the CAS server start up and access /cas/login.

I need, however, to add the module for pac4j support and for the JSON
service registry.

I see on this page

https://apereo.github.io/cas/developer/Build-Process-5X.html

the text

"To test the functionality provided by a given CAS module, execute the
following steps:

Add the module reference to the build script (i.e. build.gradle) of web
application you intend to run (i.e Web App, Management Web App, etc)"

and the example

implementation project(":support:cas-server-support-modulename")

I did add the line

implementation project(":support:cas-server-support-json-service-registry")

to the file

webapp/build.gradle

but when I copied over the war file and restarted Tomcat the configured
JSON service registry was not recognized.

What step am I missing to add the JSON service registry support to the
war file I build from source?

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180324163227.ca72ilrewnfdnojn%40paprika.local.
[cas-user] pac4j SAML2Client and principal
Hi,

I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
depending on the issue of which binding is being used for the
AuthnRequest, as detailed in an earlier note to this list).

I am delegating authentication to a SAML2 IdP using pac4j.

After a successful authentication I see in cas.log

2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] - #SAML2Profile# | id: AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ== | attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[skora...@gmail.com], urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott], urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z, uid=[scott.koranda], urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda], urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.kora...@sphericalcowgroup.com], notOnOrAfter=2018-03-22T14:49:45.460Z, eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com], urn:oid:2.5.4.4=[Koranda], sn=[Koranda], sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |

Those are the values for NameID (transient) and attributes that I
expect.

The next line in cas.log is

2018-03-22 14:44:46,402 INFO [org.apereo.cas.authentication.AbstractAuthenticationManager] - [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==] with attributes [{}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].

So it appears that the NameID value (transient) is being used as the
principal, but none of the attributes are making it from the pac4j layer
into the CAS layer.

Is that a correct assessment?

If so, how can I

a) change what value is used for the principal? I would like to use the
value from one of the asserted attributes.

b) push the attributes into the CAS layer to make them available for
assertion downstream to the CAS client?

I have reviewed the documentation for the Delegated/pac4j authentication at

https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html

and that for Attribute Resolution at

https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html

but I am not able to find a configuration option that appears to tell
pac4j to push the attributes into the Authentication object.

Thank you for your consideration.

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180322152546.o52kuzuh6u227e5s%40paprika.local.
[cas-user] pac4j SAML2 authn request protocol binding
Hi,

I am using pac4j delegated authentication with SAML2 so that CAS uses a
SAML2 Identity Provider (IdP) for authentication.

With CAS version 5.1.3 the AuthnRequest sent to the IdP has

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

as I expect, and that matches the metadata for the CAS server SP that
was given to the IdP. The CAS server auto-generated SP SAML metadata
contains

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://my.server/cas/login?client_name=SAML2Client"
index="0"/>

So this is consistent and the SAML flow works as expected.

With CAS version 5.2.3 the AuthnRequest sent to the IdP has instead

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

That is not what I expect and appears to be a regression.

Further if I delete the auto-generated SP metadata so that CAS version
5.2.3 re-generates it I see in the metadata

Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://my.server/cas/login?client_name=SAML2Client"
index="0"/>

Again, this is not what I expect for the SP ACS. I would expect it to
be using the HTTP-POST binding.

Can someone confirm that this is a regression somewhere between 5.1.3
and 5.2.3?

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180321212411.yrgvkw5jcbldzbla%40paprika.local.
[cas-user] only delegated (pac4j SAML) authentication and no button click
Hello,

I am running CAS 5.2.2.

I have successfully configured CAS to use pac4j for delegated
authentication. Specifically CAS/pac4j is configured as a SAML SP.

When I browse to a CAS client I am redirected to the CAS server login
page. I can then click a button to kick off the SAML flow and am
redirected to the SAML IdP for authentication. After returning to the
CAS/pac4j SAML SP I am then redirected to the CAS client with a ticket,
which is later validated and I successfully access the resource.

I would like the delegated SAML authentication flow to be the only CAS
authentication mechanism and I would like it so that I do not have to
click a button to kick off the SAML flow. Ideally the user would never
"see" the CAS server at all.

I thought this configuration would make that happen:

cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
cas.authn.policy.req.handlerName=Pac4j
cas.authn.policy.req.tryAll=false
cas.authn.policy.req.enabled=true
cas.authn.accept.users=

With this configuration I still see the login page and have to click a
button to cause the SAML flow.

Is it possible to have the SAML flow start immediately without having to
click the button? If so what configuration do I need?

Thanks,

Scott K

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e93b3d08-8bf3-42e3-b7e0-5e856b8f8af8%40apereo.org.