[cas-user] Re: Auto-Reload of Properties File Not Working

[Andy Ng]

Hi Dustin,

> Is there a list somewhere of which properties can/can't auto-reload? The 
documentation I linked to in the original post states that "Most if not all 
CAS settings are eligible candidates for reloads."
Not that I am aware of, maybe other can provide insight if they know of 
such list.

> Most if not all CAS settings are eligible candidates for reloads
Not sure about this statement, from my understanding quite a lot of them 
can auto reload. However as you and me both found some setting not able to 
auto reload, so I guess the "all" CAS settings are eligible candidate is 
not true.


For me to check whether the properties consist of the following procedure:

1. Go to Apereo CAS github page: https://github.com/apereo/cas
2. Search for the properties keyword at top right searach bar: 
requiredIpAddresses
3. Doing multiple Searches and trace back the Bean responsible for the 
properties, in the requireIpAddress case I found this: 
https://github.com/apereo/cas/blob/v6.1.5/webapp/cas-server-webapp-config/src/main/java/org/apereo/cas/config/CasWebAppSecurityConfiguration.java#L51
4. Check if there is the keyword "RefreshScope", if you see it then it can 
reload, if not then cannot reload.
5. For your case, casWebSecurityConfigurerAdapter is a Bean without 
RefreshScope, so it cannot be reloaded.

For RefreshScope example, the properties under this Bean can refresh, due 
to having the keyword @RefreshScope:
https://github.com/apereo/cas/blob/v6.1.5/support/cas-server-support-actions/src/main/java/org/apereo/cas/web/config/CasSupportActionsConfiguration.java#L168



Although troublesome, this is the so far only way I found able to check for 
properties refresh Other then of course testing it using live server


See if the above helps.

Cheers!
Andy




-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/471e0f69-b84b-418b-9ee6-ca64d3a97712%40apereo.org.

[cas-user] Re: Login to Google delegate server on my custom button

[Andy Ng]

Hi Mindaugas,

I have encounter this issue before, from what i know there are 3 ways to 
handle this issue:

1. Update CAS to 5.3.x (Recommended), which will fix this issue
2. Update pac4j-oauth to latest version
  - In your Maven (suppose you are using maven), add an entry to pom.xml 
similar to like:


pac4j-oauth
3.8.3


>From my experience, it should be working ok, however still option 1 is the 
best fix.

3. Update Google2ProfileDefinition class directly (Can be done but not the 
best idea, would not recommend since the above would fix it nicely without 
manual fix)


See if the above helps you.

Cheers!
- Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f62b48f5-3ad4-4881-aa87-1d3f4f8ab144%40apereo.org.

Re: [cas-user] CAS, Chrome 80 and SameSite cookies policy

[Andy Ng]

Hi all,

I have encounter this samesite issue as well for our 5.3.x CAS servers, and 
I come up with an ugly custom fix, I am sharing here if anyone need quick 
fix.

Since I manage multiple SPs for our CAS, and one SP with a different domain 
use CAS inside an iframe which trigger this issue.

There are multiple issue I encounter:
- *Spring issue*: CAS are using Spring, but seems the samesite issue still 
not fix on Spring end, so it is really hard to make clean fix 
- *Compatbility issue*: If you just enabled the samesite = None, it will 
break some recent version of Mac, which is really not ideal.

What we done to fix it:

*Spring issue:*

At least on last time I research, seems like Spring are still taking some 
time to fix this issue, so we will need to code it ourselves.

For that, we just use generateHeader logic from: 
https://github.com/apache/tomcat/blob/master/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java

And implement our  own TGCCookieRetrievingCookieGenerator.


*Compatibility issue:*

We follows this: 
https://www.chromium.org/updates/same-site/incompatible-clients

And change it to Java.

We have tested enough device before making the deployment, and seems fairly 
stable no one complain about compatibility issue:

*SamesiteCookieChecker.java*
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Follows the snippet in 
https://www.chromium.org/updates/same-site/incompatible-clients 
 * and convert it to Java compatible
 * 
 *
 */
public class SamesiteCookieChecker {

// Copyright 2019 Google LLC.
// SPDX-License-Identifier: Apache-2.0

// Don’t send `SameSite=None` to known incompatible clients.

public boolean shouldSendSameSiteNone(String useragent) {
return !isSameSiteNoneIncompatible(useragent);
}

// Classes of browsers known to be incompatible.

private boolean isSameSiteNoneIncompatible(String useragent) {
return hasWebKitSameSiteBug(useragent) ||
   dropsUnrecognizedSameSiteCookies(useragent);
}

private boolean hasWebKitSameSiteBug(String useragent) {
return isIosVersion(12, useragent) ||
   (isMacosxVersion(10, 14, useragent) &&
(isSafari(useragent) || isMacEmbeddedBrowser(useragent)));
}

private boolean dropsUnrecognizedSameSiteCookies(String useragent) {
if (isUcBrowser(useragent)){ 
return !isUcBrowserVersionAtLeast(12, 13, 2, useragent);
}
return isChromiumBased(useragent) &&
   isChromiumVersionAtLeast(51, useragent) &&
   !isChromiumVersionAtLeast(67, useragent);
}

// Regex parsing of User-Agent string. (See note above!)

private boolean isIosVersion(int major, String useragent) {
String regex = "\\(iP.+; CPU .*OS (\\d+)[_\\d]*.*\\) AppleWebKit\\/";
// Extract digits from first capturing group.
Matcher  m = Pattern.compile(regex).matcher(useragent);
if(!m.find()) {
return false;
}
//return useragent.regexMatch(regex)[0] == intToString(major);
return m.group(1).equals(String.valueOf(major));
}

private boolean isMacosxVersion(int major, int minor, String useragent) {
String regex = "\\(Macintosh;.*Mac OS X (\\d+)_(\\d+)[_\\d]*.*\\) 
AppleWebKit\\/";
// Extract digits from first and second capturing groups.
Matcher  m = Pattern.compile(regex).matcher(useragent);
if(!m.find()) {
return false;
}
// return (useragent.regexMatch(regex)[0] == intToString(major)) &&
//(useragent.regexMatch(regex)[1] == intToString(minor));
return m.group(1).equals(String.valueOf(major)) &&
m.group(2).equals(String.valueOf(minor));
}

private boolean isSafari(String useragent) {
String safari_regex = "Version\\/.* Safari\\/";
// return useragent.regexContains(safari_regex) &&
//!isChromiumBased(useragent);
return Pattern.compile(safari_regex).matcher(useragent).find() &&
   !isChromiumBased(useragent);
}

private boolean isMacEmbeddedBrowser(String useragent) {
String regex = "^Mozilla\\/[\\.\\d]+ \\(Macintosh;.*Mac OS X [_\\d]+\\) "
 + "AppleWebKit\\/[\\.\\d]+ \\(KHTML, like Gecko\\)$";
return Pattern.compile(regex).matcher(useragent).find();
}

private boolean isChromiumBased(String useragent) {
String regex = "Chrom(e|ium)";
return Pattern.compile(regex).matcher(useragent).find();
}

private boolean isChromiumVersionAtLeast(int major, String useragent) {
String regex = "Chrom[^ \\/]+\\/(\\d+)[\\.\\d]* ";
// Extract digits from first capturing group.
Matcher  m = Pattern.compile(regex).matcher(useragent);
if(!m.find()) {
return false;
}
String version = m.group(1);
int intVersion;
try {  
intVersion =  Integer.parseInt(version);  
} catch(NumberFormatException nfe) {
return false;
}
return intVersion >= major;
//int version = stringToInt(useragent.regexMatch(regex)[0]);
//return version >= major;
}

private boolean isUcBrowser(String useragent) {
String regex = "UCBrowser\\/";
return Pattern.compile(regex).matcher(useragent).find();
}

private boolean isUcBrowserVersionAtLeast(int major, int 

Re: [cas-user] Sign in with apple

[Andy Ng]

Hi all,

My CAS project also have the needs to include "Sign in with Apple".

CAS is using Pac4j library: https://github.com/pac4j/pac4j, and it 
currently didn't have an Apple implementation.

Well, due to urgency, I extended the pac4j library to include a custom 
"Sign in with Apple" component for our own project.

When I am free, I can see if I can clean up the component, and PR it to 
Pac4j, so it get officially added to pac4j hence CAS.

For now, I am quite busy with other stuff, didn't really have time to do 
that.

Cheers!
- Andy

On Friday, 29 May 2020 at 19:02:32 UTC+8 Francisco Castel-Branco wrote:

> Apple uses their REST API Authentication, which I think is not considered 
> an authentication standard. However, you should be able to configure 
> something like an "OAuth proxy" to interact with Apple's API. With a simple 
> search, I got a PHP version of this:
>
>  https://github.com/patrickbussmann/oauth2-apple
>
> Now, it's just a matter of pointing CAS OAuth2 delegation to the server 
> you configured for this hop.
>
> CAS Delegation properties: 
> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#pac4j-delegated-authn
> OAuth2 Delegation properties: 
> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#oauth20
>
>
> *Source:*
> API docs: 
> https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
>
> A segunda, 18/05/2020, 08:06, Koen De Jaeger  escreveu:
>
>> I joined a project last week at work where they are using cas 5.x to 
>> login the user with Twitter, Facebook and Google. Now they want us to add 
>> 'Sign on with Apple'. Is there a reason why this is not implemented yet in 
>> 6.x?
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6e12683e-00e8-4926-a87a-fd95ac93b010%40apereo.org
>> .
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a11fd45-3f44-4031-b4ec-73ade272e184n%40apereo.org.

Re: [cas-user] About ticket caching and properties handing in CAS 6.2

[Andy Ng]

Hi Sobhen,

1. Not sure what you mean, maybe this page can help you?
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Server-Management.html

2. I never saw.that error before, sorry won't be able to give any insight.

BTW, since you are asking different questions, you might get better luck 
posting a new post in this group, instead of keep posting in this post.

Cheers.
- Andy


On Saturday, 26 December 2020 at 06:46:00 UTC+8 getra...@gmail.com wrote:

> Thanks a lot Andy. We followed the 3rd option and able to make it work. :)
>
> I do have couple of questions, as we didn't any solution for these. Please 
> provide some lights on these.
>
> 1.  Is there anyway to get the ldap url from Catelina.properite file for 
> an external tomcat server? As the environment specified configuration are 
> available in that property file.
>
> 2. We are getting okhttp jar related error whole deploying the 
> application. Feel like conflict is happening. We are using CAS 6.2.2 and it 
> is not happening in local and dev environment.
>
> Thank you in advance.
>
> On Wed, 23 Dec 2020, 7:40 am Andy Ng,  wrote:
>
>> Hi Sobhen,
>>
>> Would like to know more about your setup first, see if the below 
>> correctly describe your setup:
>>
>> - You setup your properties in: 
>>
>> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#ldap-authentication
>> - You extend the LdapAutheticationHandler and make your own 
>> CustomLdapAutneticaiontHandler, using the same *cas.authn.ldap[0]* as 
>> your source of Authentication
>> - You just intend to use the CustomLdapAuthentcaionHandler, the 
>> LdapAuthentcaiontHandler is should be disabled for all service
>>
>> If the above correctly describe your setup, then here's are some idea for 
>> fix (Not tested)
>>
>> *Fix #1, disabled LdapAutheticationHandler (Quick fix):*
>> - Based on: 
>> https://apereo.github.io/cas/6.2.x/services/Configuring-Service-AuthN-Policy.html
>> - Setup requiredAuthenticationHandlers for your service, set it to 
>> only CustomLdapAutneticaiontHandler
>> - Then, LdapAuthentcaiontHandler would never be called for your service
>> - This fix would have a problem of, if user going to 
>> https://cas.server/cas/login directly and login, they still would called 
>> to LdapAuthenticationHandler and that cannot be blocked from my 
>> understanding
>>
>> *Fix #2, override the LdapAuthenticaitonHandlers beans, and inject your 
>> own custom authentiaction handler:*
>> - The LdapAuthentiaciontHandler beans is here: 
>> https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-ldap/src/main/java/org/apereo/cas/config/LdapAuthenticationConfiguration.java#L179
>> - You can, go and override it, then set it to use your own 
>> CusomterLdapAuthenticaiionHandler at this line 
>> https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-ldap/src/main/java/org/apereo/cas/config/LdapAuthenticationConfiguration.java#L210
>> - That case, the default LadpAuthticationHandler willl not be used
>>
>> *Fix #3, use your own properties:*
>> - Instead of using cas.authn.ldap[0], which will setup and make 
>> LdapAuthentcaiontHander available, you can actually:
>> - Setup your own properties, like *your-org.authn.ldap[0]*, and setup 
>> your own properties extending this: 
>> https://github.com/apereo/cas/blob/v6.2.6/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/ldap/LdapAuthenticationProperties.java
>> - In your CustomerLdapAutneticainotHandler, make sure the properties is 
>> point to your own properties
>>
>> While all of them should works, if I would to setup something like this I 
>> would go for Fix #3.
>>
>> See if this would be helpful to you,
>>
>> Cheers.
>> - Andy
>> On Saturday, 19 December 2020 at 17:04:10 UTC+8 getra...@gmail.com wrote:
>>
>>> Hi Ray,
>>>
>>> Thank you very much. It helps.
>>> I had the following issue. Not sure, I am following the right way. Can 
>>> you please provide your guidance?
>>>
>>> I written a custom LdapAutheticationHandler in my code base and when the 
>>> authentication is success, the custom authenticator is working fine. But, 
>>> if the authentication fails, the default LdapAutheticationHandler is 
>>> getting executed after my custom handler. If I check the CAS source code, I 
>>> found that if any exception occurred, then the next handler will be 
>>> executed. Is there way to get rid of the default LdapAutheticationHandler 
>>> execution?
&

[cas-user] Unable to fetch user profile from Delegated Authentication in CAS 6.2.x

[Andy Ng]

Hi all,

I have found an issue with Delegated Authentication in CAS 6.2.x branch 
(Latest one, 6.2.6).

After login, I found that the UserProfile is not returned after loging in 
using Deleagted Authentication, below is an example using Google as 3rd 
party idp.
==
2020-12-07 10:39:03,817 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthent
icationManager] - Authentication has failed. Credentials may be incorrect 
or CA
S cannot find authentication handler that supports 
[ClientCredential(credential
s=#OAuth20Credentials# | code: 
4/0AY0e-
Qm0vSNOo732s6zvIqkTjepvcw | accessToken: 
com.github.scribejava.apis.openid.Open
IdOAuth2AccessToken@f1986644 |, clientName=GoogleProvider, 
typedIdUsed=true, us
erProfile=null)] of type [ClientCredential]. Examine the configuration to 
ensur
e a method of authentication is defined and analyze CAS logs at DEBUG level 
to
trace the authentication event.
2020-12-07 10:39:03,818 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthent
icationManager] - [DelegatedClientAuthenticationHandler]: [*Unable to fe*
*tch user profile*]
==

After some digging, I found that if I add the following in 
`DelegatedClientAuthenticationAction`, the userprofile can be fetch and 
login can proceed like normal:

https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/DelegatedClientAuthenticationAction.java#L228

DelegatedClientAuthenticationAction:


/**
 * Add in user profile to clientCredential if not existent from 
credentials
 *
 * @param client the client
 * @param webContext the web context
 * @param requestContext the request context
 */
@Override
protected void populateContextWithClientCredential(final 
BaseClient client, final JEEContext webContext,
   final RequestContext 
requestContext) {

LOGGER.debug("Fetching credentials from delegated client [{}]", 
client);
val credentials = getCredentialsFromDelegatedClient(webContext, 
client);
val clientCredential = new ClientCredential(credentials, 
client.getName());
// Customization: Add user profile from credential to 
clientCredential
Optional userProfile = 
client.getProfileCreator().create(credentials, webContext);
if(userProfile.isPresent()){
CommonProfile commonProfile = (CommonProfile) userProfile.get();
clientCredential.setUserProfile(commonProfile);
}
// Customization: Add user profile from credential to 
clientCredential END
LOGGER.info("Credentials are successfully authenticated using the 
delegated client [{}]", client.getName());
WebUtils.putCredential(requestContext, clientCredential);
}
==

Our Delegated Authentication flow is heavily customized, so it is possible 
this is an issue from our customization. 

However if others have encountered similar issue, it might be an bug and 
need fixing. See if this is an board issue.

Thanks!

Cheers!
- Andy


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7031e102-f69f-4c5e-913a-bf99750b1a01n%40apereo.org.

Re: [cas-user] Logging out from CAS logs me out from Google, too

[Andy Ng]

Hi Paul,

I am also agreeing with you that logout with CAS doesn't mean logout Google 
account / other 3rd party account.  However I don't spot such issue in my 
implementation.

I am using Google Delegated Authentication as well, I am using CAS 6.2.6.

No such issue spotted. Maybe you should try upgrading it to  6.2.6 see if 
the issue is fixed. 

Cheers!
- Andy

On Tuesday, 25 August 2020 at 00:24:19 UTC+8 Paul Roemer wrote:

> Hey denizg,
>
> first thanks for you suggestion. But I actually want SLO. I want to 
> destroy the SSO session and not only the application session. I also 
> configured front channel to make it work.
>
> No, the problem is something different: If I use delegated SSO provider 
> like Google or GitHub to authenticate against CAS (during Sign-In) and 
> logout again, I am not only logged out from the SSO session that CAS 
> manages but also from my Google or GitHub account. And that is what should 
> not happen and is new behavior.
>
> I wonder when this changed.
>
> On Monday, August 24, 2020 at 10:47:14 AM UTC+2 denizg wrote:
>
>> edit: single sign on  out
>>
>> dyte gyte , 24 Ağu 2020 Pzt, 11:46 tarihinde şunu 
>> yazdı:
>>
>>> Hello,
>>>
>>> afaik, there are 2 logout type: single logout and single sign-on. the 
>>> default behavior is single logout which means that if you logout current 
>>> app, you also logout all applications that cas is connected. this is the 
>>> situation you are facing. but you need single sign on as i understand. 
>>> basically, turn off this .(
>>> https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#turning-off-single-logout
>>> )
>>>
>>> reference: 
>>> https://apereo.github.io/cas/6.2.x/installation/Logout-Single-Signout.html#logout-and-single-logout-slo
>>>
>>> Paul Roemer , 24 Ağu 2020 Pzt, 11:26 tarihinde şunu 
>>> yazdı:
>>>
 Hey guys,

 we noticed some new behavior with delegated SSO authentication. When I 
 login with my Google SSO account at our CAS and logout again, I am not 
 only 
 logged out from CAS but also from my Google account. This also happens 
 with 
 delegated GitHub SSO.

 We are using CAS 6.2.1 but I am unsure when we noticed this behavior 
 the first time.

 Anyone else noticed it? Is there some configuration option to disable 
 it?

 Cheers,
   Paul

 -- 
 - Website: https://apereo.github.io/cas
 - Gitter Chatroom: https://gitter.im/apereo/cas
 - List Guidelines: https://goo.gl/1VRrw7
 - Contributions: https://goo.gl/mh7qDG
 --- 
 You received this message because you are subscribed to the Google 
 Groups "CAS Community" group.
 To unsubscribe from this group and stop receiving emails from it, send 
 an email to cas-user+u...@apereo.org.
 To view this discussion on the web visit 
 https://groups.google.com/a/apereo.org/d/msgid/cas-user/711682f7-6b0e-4872-9be3-f55426e1913fo%40apereo.org
  
 
 .

>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/90f3e8c8-9df8-455e-a302-b8017419ddd3n%40apereo.org.

Re: [cas-user] CAS 6.2.1 attribute release not working with PersonDirectory

[Andy Ng]

Hi all,

I encountered the same issue, and want to chime in with some additional 
info:

I found that starting from CAS 6.2.x by default attributes from JDBC / LDAP 
/ other PersonDirecotry are not by default released.
See this line 
here: 
https://github.com/apereo/cas/blob/v6.2.6/core/cas-server-core-authentication-attributes/src/main/java/org/apereo/cas/authentication/principal/DefaultPrincipalAttributesRepository.java#L33

The `areAttributeRepositoryIdsDefined` is just checking if 
attributeRepositoryIds is empty.

For those attribute to release, seems like we need to explictly set the 
`attributeRepositoryIds ` , which is a bit troubling but oh well.

A wild card works fine, so this:
=
"attributeReleasePolicy": {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
"principalAttributesRepository" : {
  "@class" : 
"org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
  "attributeRepositoryIds": ["java.util.HashSet", [ "*" ]]
},
},
=
With the above, and keeping all the CAS 5.3.x settings, is good enough to 
output those attributes in my case.

Cheers!
- Andy

On Saturday, 21 November 2020 at 03:06:32 UTC+8 pvn...@gmail.com wrote:

> I am adding the following from the cas.log file , maybe someone can help 
> me understand what is missing in the default attribute release policy and 
> why is Person Directory not triggered:
>
> 2020-11-18 16:59:43,750 DEBUG 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] -  multi-row JDBC attribute repository for [jdbc:oracle:thin:@//...]>
> 2020-11-18 16:59:43,757 DEBUG [com.zaxxer.hikari.HikariConfig] -  class oracle.jdbc.OracleDriver found in Thread context class loader 
> org.springframework.boot.loader.LaunchedURLClassLoader@1b604f19>
> 2020-11-18 16:59:43,760 DEBUG 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] -  multi-row JDBC column mappings for [jdbc:oracle:thin:@//...] are 
> [{attribute_name=attribute_value}]>
> 2020-11-18 16:59:43,765 DEBUG 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] -  result attribute mapping for [jdbc:oracle:thin:@//...] to be 
> [{inherited_group=inherited_group, role=role, userstatus=userstatus, 
> user_name=username, work_phone=work_phone, last_name=last_name, 
> active=active, middle_name=middle_name, user_id=user_id, 
> accessMetadata=accessMetadata, organization_id=organization_id, 
> phone_extension=phone_extension, first_name=first_name, 
> crm_user_id=crm_user_id, email=email, group=group}]>
> 2020-11-18 16:59:43,775 TRACE 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] -  attribute repositories is 
> [[org.apereo.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao@53e7cc08]]>
> 2020-11-18 16:59:43,781 TRACE 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] -  repository sources are defined and available for person-directory principal 
> resolution chain. >
> 
> 2020-11-18 16:59:43,971 WARN 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] -  repository caching is disabled>
> 2020-11-18 16:59:43,975 TRACE 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] -  merging strategy for attribute sources is [multivalued]>
> 2020-11-18 16:59:43,979 DEBUG 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] -  attribute repository sources to merge together: [[AMS]]>
>
>
> 2020-11-18 17:02:12,382 DEBUG 
> [org.apereo.cas.DefaultCentralAuthenticationService] -  [ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>  
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
> authorizedToReleaseCredentialPassword=false, 
> authorizedToReleaseProxyGrantingTicket=false, 
> excludeDefaultAttributes=false, 
> authorizedToReleaseAuthenticationAttributes=true, 
> principalIdAttribute=null, order=0), allowedAttributes=[])] is associated 
> with service [AbstractRegisteredService(serviceId=http*://.*, name=HTTP, 
> theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=0, 
> description=HTTP, 
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>  
> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>  
> messageCode=null, text=null), 
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, 
> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, 
> evaluationOrder=0, 
> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
>  
> logoutType=BACK_CHANNEL, 

[cas-user] Re: Hazelcast Ticket Registry break when reloading properties for CAS 6.2.5

[Andy Ng]

Confirm is a bug, here's the PR: https://github.com/apereo/cas/pull/5003

Cheers!
- Andy

On Wednesday, 2 December 2020 at 21:14:45 UTC+8 Andy Ng wrote:

> Hi all,
>
> I was trying to implement Hazelcast Ticket Registry and reloading 
> properties.
>
> I find that, when I change `cas.properties` and force a reload based on 
> this tutorial: 
> https://fawnoos.com/2020/05/02/cas62x-reloadable-configuration/, it 
> stopped the Hazelcast Ticket Registry instance which makes later login 
> failed.
>
> I find the solution to be removing the RefreshScope here:
>
> https://github.com/apereo/cas/blob/v6.2.5/support/cas-server-support-hazelcast-ticket-registry/src/main/java/org/apereo/cas/config/HazelcastTicketRegistryConfiguration.java#L52,
>  
> then the Ticket Registry would not be stopped.
>
> Anybody have similar issue? Thanks.
>
> Cheers!
> - Andy
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/aa1f6765-25e9-4204-b1d5-59d83284f0d6n%40apereo.org.

[cas-user] Hazelcast Ticket Registry break when reloading properties for CAS 6.2.5

[Andy Ng]

Hi all,

I was trying to implement Hazelcast Ticket Registry and reloading 
properties.

I find that, when I change `cas.properties` and force a reload based on 
this 
tutorial: https://fawnoos.com/2020/05/02/cas62x-reloadable-configuration/, 
it stopped the Hazelcast Ticket Registry instance which makes later login 
failed.

I find the solution to be removing the RefreshScope here:
https://github.com/apereo/cas/blob/v6.2.5/support/cas-server-support-hazelcast-ticket-registry/src/main/java/org/apereo/cas/config/HazelcastTicketRegistryConfiguration.java#L52,
 
then the Ticket Registry would not be stopped.

Anybody have similar issue? Thanks.

Cheers!
- Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/df231373-6a77-4114-9e29-bfa8eb565dden%40apereo.org.

[cas-user] Re: Error when add support-radius dependency in build.gradle

[Andy Ng]

Hi Irvan,

Have you try adding the repo: 
*maven { url "https://jitpack.io; } *

As well? 

I found some old code of mine 
(https://github.com/NgSekLong/SelectUrCAS/blob/master/source/cas-overlay/build.gradle#L34)
 
and see that jitpack.io is needed at that time, see if that would help your 
issue

Cheers,
Andy
On Saturday, 19 December 2020 at 18:07:27 UTC+8 irvans...@gmail.com wrote:

> Hello,
>
> At the moment I am developing a CAS Server using the WAR OVERLAY methods. 
> Version 6.3.X Snapshot.
>
> I am trying to make CAS authentication using freeradius. Based on the 
> documentation, we are directed to add gradle (implementation 
> "org.apereo.cas: cas-server-support-radius: $ {project.'cas.version '}")
>
> But when I build with the command "/.gradelew build" I get the following 
> error after adding the radius dependency.
>
> Based on previous problems I found in this group. I've also added this 
> repository:
> maven {
> url "https://maven.repository.redhat.com/ga/;
> }
> But the results are still the same.
>
> How to fix the problem? I really need your help.
>
> Thank you for reading.
>
> Regards,
> Irvan
> ___
>
> The following is an error message in the build process:
>
>
> * What went wrong:
> Execution failed for task ': bootWar'.
> > Could not resolve all files for configuration ': runtimeClasspath'.
>> Could not resolve net.jradius: jradius-extras: 1.1.6.
>  Required by:
>  project:> org.apereo.cas: cas-server-support-radius: 
> 6.3.0-SNAPSHOT: 20201217.210825-213> org.apereo.cas: 
> cas-server-support-radius-core: 6.3.0-SNAPSHOT: 20201217.210825 -213
>   > Could not resolve net.jradius: jradius-extras: 1.1.6.
>  > Could not get resource '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-extras/1.1.6/jradius-extras-1.1.6.
>  
> pom '.
> > Could not GET '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-extras/1.1.6/jradius-extras-1.1.6.pom
>  
> '. Received status code 403 from server: Forbidden
>   > Could not resolve net.jradius: jradius-extras: 1.1.6.
>  > Could not get resource '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius/net/jradius/jradius-extras/1.1.6/jradius-extras-1.1.6.
>  
> pom '.
> > Could not GET '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius/net/jradius/jradius-extras/1.1.6/jradius-extras-1.1.6.pom
>  
> '. Received status code 403 from server: Forbidden
>> Could not resolve net.jradius: jradius-apps: 1.1.6.
>  Required by:
>  project:> org.apereo.cas: cas-server-support-radius: 
> 6.3.0-SNAPSHOT: 20201217.210825-213> org.apereo.cas: 
> cas-server-support-radius-core: 6.3.0-SNAPSHOT: 20201217.210825 -213
>   > Could not resolve net.jradius: jradius-apps: 1.1.6.
>  > Could not get resource '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-apps/1.1.6/jradius-apps-1.1.6.
>  
> pom '.
> > Could not GET '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-apps/1.1.6/jradius-apps-1.1.6.pom
>  
> '. Received status code 403 from server: Forbidden
>   > Could not resolve net.jradius: jradius-apps: 1.1.6.
>  > Could not get resource '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius/net/jradius/jradius-apps/1.1.6/jradius-apps-1.1.6.
>  
> pom '.
> > Could not GET '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius/net/jradius/jradius-apps/1.1.6/jradius-apps-1.1.6.pom
>  
> '. Received status code 403 from server: Forbidden
>> Could not resolve net.jradius: jradius-dictionary: 1.1.6.
>  Required by:
>  project:> org.apereo.cas: cas-server-support-radius: 
> 6.3.0-SNAPSHOT: 20201217.210825-213> org.apereo.cas: 
> cas-server-support-radius-core: 6.3.0-SNAPSHOT: 20201217.210825 -213
>   > Could not resolve net.jradius: jradius-dictionary: 1.1.6.
>  > Could not get resource '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-dictionary/1.1.6/jradius-dictionary-1.1.6.
>  
> pom '.
> > Could not GET '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-dictionary/1.1.6/jradius-dictionary-1.1.6.pom
>  
> '. Received status code 403 from server: Forbidden
>   > Could not resolve net.jradius: jradius-dictionary: 1.1.6.
>  > Could not get resource '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius/net/jradius/jradius-dictionary/1.1.6/jradius-dictionary-1.1.6.
>  
> pom '.
> > Could not GET '
> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius/net/jradius/jradius-dictionary/1.1.6/jradius-dictionary-1.1.6.pom
>  
> '. 

Re: [cas-user] Managing Services with JPA (SQL)

[Andy Ng]

Hi Francisco,

If I recalled correctly, you are suppose to use CAS Management Web app 
along side with CAS to allow for modification on those service stored under 
JPA.

CAS Management Web app: https://github.com/apereo/cas-management

Also, although the best way to interact with service is through CAS 
Managemnt, 
I found that if you really want to edit those service but not use CAS 
management, repo like MongoDB can be used. It is possible to edit Mongo 
entry since they are JSON anyway, but not recommended.

Cheers!
- Andy


On Friday, 4 December 2020 at 23:46:40 UTC+8 richard.frovarp wrote:

> I believe that it is serialized Java classes. So it's binary data. You
> don't change it without an external service. I guess you could find the
> code that does it and write you own service. But you don't be doing it
> via direct DB manipulation.
>
> On Fri, 2020-12-04 at 09:48 +, Francisco Castel-Branco wrote:
> > Hi everyone,
> > 
> > I can't figure out how can I determine accessStrategies and stuff
> > through the JPA service manager in version 6.2(.4). I have all the
> > automatically generated tables, but I cant seem to understand what
> > goes into the LONGBLOB columns.
> > 
> > How can I modify these parameters with or without an external
> > service?
> > 
> > Thanks
> > -- 
> > Francisco Castel-Branco
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/902abab3-3bfc-4389-a9c9-2aac4ffe5dcan%40apereo.org.

[cas-user] CAS 5.2.6 ConcurrentModificationException for logout during stress test

[Andy Ng]

Hi all,

We have encountered ConcurrentModificationException for logout during our 
stress test.

Putting a `synchornized(this)` block for:
https://github.com/apereo/cas/blob/v6.2.6/core/cas-server-core-logout-api/src/main/java/org/apereo/cas/logout/DefaultLogoutManager.java#L61
Seems to fix the issue.

Anybody also encountered the same issue? Or is this an issue on our own? 
Thanks!

Cheers!
- Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a893bcb1-9a30-4a51-b7f1-bdadcb0e86a2n%40apereo.org.

[cas-user] Re: override cas.example.org DNS name

[Andy Ng]

Hello,

The endpoint seems to use the *cas.server.name* properties, see: 
https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-saml-idp-core/src/main/java/org/apereo/cas/support/saml/idp/metadata/generator/BaseSamlIdPMetadataGenerator.java#L121

Have you these *cas.server.name* for your CAS server? like 
so: 
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#cas-server

If no, try and see if this fix it. FYI you also need to remove the 
idp-metadata.xml and the cert files for it to regenerate those files.

Cheers!
- Andy
On Tuesday, 22 December 2020 at 13:48:13 UTC+8 yap.s...@gmail.com wrote:

> Hi,
>
> cas version: 6.2.6
>
> I have added the following line inside application.properties:
>
> cas.authn.saml-idp.entity-id=https://xx.xx.xx.xx:8443/cas/idp/metadata
>
> However, the certificate generated in /etc/cas/saml/idp-metadata.xml still 
> shows:
> X509v3 Subject Alternative Name:
> DNS:cas.example.org, URI:cas.example.org/idp/metadata
>
> How can I override the default value?
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d578e93f-70a5-4727-aa12-72ad43b64c14n%40apereo.org.

[cas-user] Re: Error when add support-radius dependency in build.gradle

[Andy Ng]

Hi Irvan,

Greet to hear that! BTW I think you should go for 6.2.x instead of 6.1.x if 
the radius error only exists for 6.3.x.

6.2.x (current 6.2.6) is a stable build as well, so I would think it should 
support your usage as well.

Cheers!
- Andy

On Tuesday, 22 December 2020 at 23:40:40 UTC+8 irvans...@gmail.com wrote:

> Hi andy,
>
> Thank you for the answers you give.
> I think all this time, my problems are in use cas 6.3.X versions are still 
> in development. I've done several ways to call the repository but there are 
> still problems.
>
> In the end I tried to use the old version. I am trying to use version 
> 6.1.X which is on your github. After configuring I was finally able to 
> integrate between my cas server and my freeradius.
>
> Thanks again Andy!
> Cheers,
>
> Irvan
> Pada Senin, 21 Desember 2020 pukul 14.16.49 UTC+7 Andy Ng menulis:
>
>> Hi Irvan,
>>
>> Have you try adding the repo: 
>> *maven { url "https://jitpack.io <https://jitpack.io>" } *
>>
>> As well? 
>>
>> I found some old code of mine (
>> https://github.com/NgSekLong/SelectUrCAS/blob/master/source/cas-overlay/build.gradle#L34)
>>  
>> and see that jitpack.io is needed at that time, see if that would help 
>> your issue
>>
>> Cheers,
>> Andy
>> On Saturday, 19 December 2020 at 18:07:27 UTC+8 irvans...@gmail.com 
>> wrote:
>>
>>> Hello,
>>>
>>> At the moment I am developing a CAS Server using the WAR OVERLAY 
>>> methods. Version 6.3.X Snapshot.
>>>
>>> I am trying to make CAS authentication using freeradius. Based on the 
>>> documentation, we are directed to add gradle (implementation 
>>> "org.apereo.cas: cas-server-support-radius: $ {project.'cas.version '}")
>>>
>>> But when I build with the command "/.gradelew build" I get the following 
>>> error after adding the radius dependency.
>>>
>>> Based on previous problems I found in this group. I've also added this 
>>> repository:
>>> maven {
>>> url "https://maven.repository.redhat.com/ga/;
>>> }
>>> But the results are still the same.
>>>
>>> How to fix the problem? I really need your help.
>>>
>>> Thank you for reading.
>>>
>>> Regards,
>>> Irvan
>>> ___
>>>
>>> The following is an error message in the build process:
>>>
>>>
>>> * What went wrong:
>>> Execution failed for task ': bootWar'.
>>> > Could not resolve all files for configuration ': runtimeClasspath'.
>>>> Could not resolve net.jradius: jradius-extras: 1.1.6.
>>>  Required by:
>>>  project:> org.apereo.cas: cas-server-support-radius: 
>>> 6.3.0-SNAPSHOT: 20201217.210825-213> org.apereo.cas: 
>>> cas-server-support-radius-core: 6.3.0-SNAPSHOT: 20201217.210825 -213
>>>   > Could not resolve net.jradius: jradius-extras: 1.1.6.
>>>  > Could not get resource '
>>> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-extras/1.1.6/jradius-extras-1.1.6.
>>>  
>>> pom '.
>>> > Could not GET '
>>> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-extras/1.1.6/jradius-extras-1.1.6.pom
>>>  
>>> '. Received status code 403 from server: Forbidden
>>>   > Could not resolve net.jradius: jradius-extras: 1.1.6.
>>>  > Could not get resource '
>>> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius/net/jradius/jradius-extras/1.1.6/jradius-extras-1.1.6.
>>>  
>>> pom '.
>>> > Could not GET '
>>> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius/net/jradius/jradius-extras/1.1.6/jradius-extras-1.1.6.pom
>>>  
>>> '. Received status code 403 from server: Forbidden
>>>> Could not resolve net.jradius: jradius-apps: 1.1.6.
>>>  Required by:
>>>  project:> org.apereo.cas: cas-server-support-radius: 
>>> 6.3.0-SNAPSHOT: 20201217.210825-213> org.apereo.cas: 
>>> cas-server-support-radius-core: 6.3.0-SNAPSHOT: 20201217.210825 -213
>>>   > Could not resolve net.jradius: jradius-apps: 1.1.6.
>>>  > Could not get resource '
>>> https://mvnrepository.com/artifact/org.apereo.cas/cas-server-webapp-tomcat/net/jradius/jradius-apps/1.1.6/jradius-apps-1.1.6.
>>>  

[cas-user] Re: override cas.example.org DNS name

[Andy Ng]

np, glad it helps - Andy

On Tuesday, 22 December 2020 at 23:36:41 UTC+8 yap.s...@gmail.com wrote:

> Yes, changing cas.server.name does the trick. Thanks a lot!
>
> Andy Ng 在 2020年12月22日 星期二下午10:29:37 [UTC+8] 的信中寫道：
>
>> Hello,
>>
>> The endpoint seems to use the *cas.server.name <http://cas.server.name>* 
>> properties, see: 
>>
>> https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-saml-idp-core/src/main/java/org/apereo/cas/support/saml/idp/metadata/generator/BaseSamlIdPMetadataGenerator.java#L121
>>
>> Have you these *cas.server.name <http://cas.server.name>* for your CAS 
>> server? like so: 
>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#cas-server
>>
>> If no, try and see if this fix it. FYI you also need to remove the 
>> idp-metadata.xml and the cert files for it to regenerate those files.
>>
>> Cheers!
>> - Andy
>> On Tuesday, 22 December 2020 at 13:48:13 UTC+8 yap.s...@gmail.com wrote:
>>
>>> Hi,
>>>
>>> cas version: 6.2.6
>>>
>>> I have added the following line inside application.properties:
>>>
>>> cas.authn.saml-idp.entity-id=https://xx.xx.xx.xx:8443/cas/idp/metadata
>>>
>>> However, the certificate generated in /etc/cas/saml/idp-metadata.xml 
>>> still shows:
>>> X509v3 Subject Alternative Name:
>>> DNS:cas.example.org, URI:cas.example.org/idp/metadata
>>>
>>> How can I override the default value?
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/98a601b3-eb17-4c1a-b093-693af3731b70n%40apereo.org.

Re: [cas-user] About ticket caching and properties handing in CAS 6.2

[Andy Ng]

Hi Sobhen,

Would like to know more about your setup first, see if the below correctly 
describe your setup:

- You setup your properties in: 
https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#ldap-authentication
- You extend the LdapAutheticationHandler and make your own 
CustomLdapAutneticaiontHandler, using the same *cas.authn.ldap[0]* as your 
source of Authentication
- You just intend to use the CustomLdapAuthentcaionHandler, the 
LdapAuthentcaiontHandler is should be disabled for all service

If the above correctly describe your setup, then here's are some idea for 
fix (Not tested)

*Fix #1, disabled LdapAutheticationHandler (Quick fix):*
- Based 
on: 
https://apereo.github.io/cas/6.2.x/services/Configuring-Service-AuthN-Policy.html
- Setup requiredAuthenticationHandlers for your service, set it to 
only CustomLdapAutneticaiontHandler
- Then, LdapAuthentcaiontHandler would never be called for your service
- This fix would have a problem of, if user going to 
https://cas.server/cas/login directly and login, they still would called to 
LdapAuthenticationHandler and that cannot be blocked from my understanding

*Fix #2, override the LdapAuthenticaitonHandlers beans, and inject your own 
custom authentiaction handler:*
- The LdapAuthentiaciontHandler beans is 
here: 
https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-ldap/src/main/java/org/apereo/cas/config/LdapAuthenticationConfiguration.java#L179
- You can, go and override it, then set it to use your own 
CusomterLdapAuthenticaiionHandler at this 
line 
https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-ldap/src/main/java/org/apereo/cas/config/LdapAuthenticationConfiguration.java#L210
- That case, the default LadpAuthticationHandler willl not be used

*Fix #3, use your own properties:*
- Instead of using cas.authn.ldap[0], which will setup and make 
LdapAuthentcaiontHander available, you can actually:
- Setup your own properties, like *your-org.authn.ldap[0]*, and setup your 
own properties extending 
this: 
https://github.com/apereo/cas/blob/v6.2.6/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/ldap/LdapAuthenticationProperties.java
- In your CustomerLdapAutneticainotHandler, make sure the properties is 
point to your own properties

While all of them should works, if I would to setup something like this I 
would go for Fix #3.

See if this would be helpful to you,

Cheers.
- Andy
On Saturday, 19 December 2020 at 17:04:10 UTC+8 getra...@gmail.com wrote:

> Hi Ray,
>
> Thank you very much. It helps.
> I had the following issue. Not sure, I am following the right way. Can you 
> please provide your guidance?
>
> I written a custom LdapAutheticationHandler in my code base and when the 
> authentication is success, the custom authenticator is working fine. But, 
> if the authentication fails, the default LdapAutheticationHandler is 
> getting executed after my custom handler. If I check the CAS source code, I 
> found that if any exception occurred, then the next handler will be 
> executed. Is there way to get rid of the default LdapAutheticationHandler 
> execution?
>
> With regards,
> Sobhen
>
> On Fri, 18 Dec 2020, 10:36 pm Ray Bon,  wrote:
>
>> Rakesh,
>>
>> 1. There are a number of options for caching, 
>> https://apereo.github.io/cas/6.2.x/ticketing/Configuring-Ticketing-Components.html.
>>  
>> Your choice will depend on what you already have (software and human), and 
>> how you configure you cas cluster. I have worked with ehcache and 
>> hazelcast. ehcache is distributed and replicated. replication takes time; 
>> you will have to determine if it is fast enough for your needs. hazelcast 
>> is not replicated (though maybe it can be configured). When a node goes 
>> down, that cache is lost; you will have to determine if that frequency is 
>> too disruptive for your users.
>>
>> 2. 
>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Security.html
>>  for 
>> security options. We use the spring cloud server, 
>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Server-Management.html
>>  which 
>> can have encrypted secrets. I recall that someone on this list posted a way 
>> to have a local secrets store that was outside of tomcat (and/or the 
>> packaged image/container; if you are going that route). I would advise 
>> against putting secrets in tomcat (setenv.sh or some such) as tomcat will 
>> print them into the log on startup.
>>
>> 3. There are options for consent, 
>> https://apereo.github.io/cas/6.2.x/webflow/Webflow-Customization-AUP.html, 
>> and password management, 
>> https://apereo.github.io/cas/6.2.x/password_management/Password-Management.html.
>>  
>> We have a separate user management system, so I have not used the above 
>> systems.
>>
>> Ray
>>
>> On Fri, 2020-12-18 at 08:11 +0530, Rakesh K M wrote:
>>
>> Notice: This message was sent from outside the University of 

[cas-user] SAML 2.0 message replay protection

[Andy Ng]

Hi all,

I am reading on the importance of preventing replay attack 
https://www.idm-360.com/idm360/the-dangers-of-saml-replay-attacks/, which 
is a requirement from our client.

I was wondering if CAS natively already prevent such attack for SAML 2.0 
protocol acting both as *sp *or as *idp*. Using the CAS 6.2.x.

Would like to see if any one have any insights, if not we would go ahead 
and do some testing on this.

Thanks!

Cheers!
- Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/96f0f3c3-aebb-4c6c-a142-ece68b6886fdn%40apereo.org.

Re: [cas-user] Unauthorized Service Access when directing login page to cas from web app in apache server.

[Andy Ng]

Hi Irvan,

Please check if the following insight helps:
*1. *In order to use JSON as service registry, you need to *enable it* 
first using 
this 
https://apereo.github.io/cas/6.2.x/services/JSON-Service-Management.html#json-service-registry
 
Put this in your build.gradle:
org.apereo.cas:cas-server-support-json-service-registry:${cas.version}

*2. *For the service path, do note that it needs to be at the *root*, so

Corret path is : /etc/cas/services
Correct path in Windows: C:/etc/cas/services
Not correct path: 
/opt/somedirectory/that/your/cas/is/installed/etc/cas/services

See if these works. thanks.

Cheers.
- Andy


On Wednesday, 30 December 2020 at 18:18:33 UTC+8 irvans...@gmail.com wrote:

> Hi Arti,
>
> I've tried ur recomendation, but its still not working.
>
> Here's my error log :
>
> 2020-12-30 17:10:32,071 WARN [org.apereo.cas.util.RegexUtils] -  cannot be null/blank>
> 2020-12-30 17:10:32,326 WARN [javax.persistence.spi] - 
> 
> 2020-12-30 17:10:32,368 WARN 
> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - 
> 
>
> The log shows there is no valid providers, what kind of providers I need 
> to use and how to use it?
> and The Service is not found in the service registry but I've been created 
> the service reqistry on my /etc/services
>
> Any recomendation?
>
>  Thanks,
> Irvan 
>
> Pada Selasa, 29 Desember 2020 pukul 13.41.27 UTC+7 arti wavale menulis:
>
>> Hello,
>>
>> Check once CASValidateUrl and use *Client_IP *in  CASRootProxiedAs 
>> properties
>>
>> try this service registry file: 
>> --
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "^https://*Client_IP*/secured-by-cas(\\z|/.*)",
>>   "name" : "Apache Secured By CAS",
>>   "id" : 20191127030720,
>>   "description" : "CAS development Apache mod_auth_cas server with 
>> username/password protection",
>>   "attributeReleasePolicy" : {
>> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
>>   },
>>   "evaluationOrder" : 1100
>> }
>> ---
>>
>> Thanks and Regards
>> Arti
>>
>> On Mon, Dec 28, 2020 at 1:05 PM irvan suryadi  
>> wrote:
>>
>>> Hi All,
>>>
>>> I'm currently trying to develop cas on my localhost network. I'm 
>>> currently trying to add a web application in the apache server as a client 
>>> for SSO CAS. I try to follow directions like:
>>>
>>> - Installing and configuring mod_auth_cas on my apache server.
>>> - added a wildcard registry service (which I will attach below this 
>>> message)
>>>
>>> But after I run the application I get an error like : unauthorized 
>>> Service Access. Service [ ] is not found in service registry.
>>>
>>> Is there anything I missed? And to add a web app to cas are we needto 
>>> install the cas management overlay?
>>>
>>> Currently I am still trying to install the service manually.
>>>
>>> 
>>> The following is a service registry file 
>>> (HTTPSandIMAPSwildcard-1608903630.json in / etc / cas / services):
>>>
>>> {
>>> "@class": "org.apereo.cas.services.RegexRegisteredService",
>>> "serviceId": "^ (https | imaps): //.*",
>>> "name": "HTTPS and IMAPS wildcard",
>>> "id": 1608903630,
>>> "evaluationOrder": 9
>>> }
>>>
>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/bf168b68-e084-4ff6-93bf-4ba65942d782n%40apereo.org
>>>  
>>> 
>>> .
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1934cb16-75d2-490d-a436-e0fd29fddd50n%40apereo.org.

[cas-user] Re: Sanitize username

[Andy Ng]

Hi Rafiek,

I can think of 3 methods of implementing your requirement:

   1. *Using Principal Transformation:*
  1. e.g. 
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#authentication-principal-transformation
 
  for Principal transformation for database
  2. However, this kind of principal transformation only do 
  transformation, it will not output error if the transformation not work
  3. Also, you are bounded by the default set of princiapl 
  transformation option allowed (to upper, to lower), which is doubt is 
your 
  goal
   2. *Using pre-processor by Groovy script :*
  1. While I didn't used this before, by the description it seems match 
  your use case:
  2. 
  
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#authentication-pre-processing
  3. See if this will be useful, if not use the other options
   3. *Using custom Authentication Handler:*
  1. Another ways is to implement custom authentication handler
  2. see this for how to do it in older version of CAS: 
  https://apereo.github.io/2018/06/12/cas53-authn-handlers/  
  3. It is a lot more custom code, but those code usually is backward 
  compatible (I use custom authen starting from 5.1 all the way to 6.2, 
seems 
  like still working without much edit)
  4. The best thing about this option, is that you will have full 
  control on how you sanitize the username, including using maybe other 
  component (e.g. JDBC) for your santization if you so choose
   
See if this is useful. Or maybe other option available as well, if so other 
can add in.

Cheers!
- Andy

On Monday, 18 January 2021 at 20:22:51 UTC+8 rafiek.moh...@gmail.com wrote:

> Hi all,
>
> Does anybody know how to sanitize the username? We are able to send any 
> sequence of characters for the username, but we would like to limit the 
> allowed set of characters.
>
> regards,
> Rafiek
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/db37407e-9b2f-478f-af75-9f42d5416f9an%40apereo.org.

Re: [cas-user] Unauthorized Service Access when directing login page to cas from web app in apache server.

[Andy Ng]

Hi Irvan,

Hmm... If so maybe you need to look into how to fix the "no valid provider 
found" issue, and maybe you actually need to fix that first.

In my implementation, I never saw that warning, so maybe that's is the 
issue you are encountering.

FYI, the "Pattern cannot be null/blank" is located 
here: 
https://github.com/apereo/cas/blob/v6.2.7/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/RegexUtils.java#L83,
 
which indicate CAS cannot see your service pattern.

I am not familar with javax so see if other can add comment on what happens.

Cheers.
- Andy



On Sunday, 3 January 2021 at 09:47:12 UTC+8 irvans...@gmail.com wrote:

> Hi Andy,
>
> I've made sure that the requirements and steps I used before.
>
> But I still can't use my application (unauthorized service) and got some 
> error messages like "no valid providers found" and "service is not found".
>
> Do I need to use a valid service provider? or is this just my fault in 
> configuring the service?
>
> Previously, thank you Andy for your response.
>
> Cheers,
> Irvan
>
> Pada Kamis, 31 Desember 2020 pukul 13.43.05 UTC+7 Andy Ng menulis:
>
>> Hi Irvan,
>>
>> Please check if the following insight helps:
>> *1. *In order to use JSON as service registry, you need to *enable it* 
>> first using this 
>> https://apereo.github.io/cas/6.2.x/services/JSON-Service-Management.html#json-service-registry
>>  
>> Put this in your build.gradle:
>> org.apereo.cas:cas-server-support-json-service-registry:${cas.version}
>>
>> *2. *For the service path, do note that it needs to be at the *root*, so
>>
>> Corret path is : /etc/cas/services
>> Correct path in Windows: C:/etc/cas/services
>> Not correct path: 
>> /opt/somedirectory/that/your/cas/is/installed/etc/cas/services
>>
>> See if these works. thanks.
>>
>> Cheers.
>> - Andy
>>
>>
>> On Wednesday, 30 December 2020 at 18:18:33 UTC+8 irvans...@gmail.com 
>> wrote:
>>
>>> Hi Arti,
>>>
>>> I've tried ur recomendation, but its still not working.
>>>
>>> Here's my error log :
>>>
>>> 2020-12-30 17:10:32,071 WARN [org.apereo.cas.util.RegexUtils] - >> cannot be null/blank>
>>> 2020-12-30 17:10:32,326 WARN [javax.persistence.spi] - 
>>> 
>>> 2020-12-30 17:10:32,368 WARN 
>>> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - 
>>> 
>>>
>>> The log shows there is no valid providers, what kind of providers I need 
>>> to use and how to use it?
>>> and The Service is not found in the service registry but I've been 
>>> created the service reqistry on my /etc/services
>>>
>>> Any recomendation?
>>>
>>>  Thanks,
>>> Irvan 
>>>
>>> Pada Selasa, 29 Desember 2020 pukul 13.41.27 UTC+7 arti wavale menulis:
>>>
>>>> Hello,
>>>>
>>>> Check once CASValidateUrl and use *Client_IP *in  CASRootProxiedAs 
>>>> properties
>>>>
>>>> try this service registry file: 
>>>> --
>>>> {
>>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>>   "serviceId" : "^https://*Client_IP*/secured-by-cas(\\z|/.*)",
>>>>   "name" : "Apache Secured By CAS",
>>>>   "id" : 20191127030720,
>>>>   "description" : "CAS development Apache mod_auth_cas server with 
>>>> username/password protection",
>>>>   "attributeReleasePolicy" : {
>>>> "@class" : 
>>>> "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
>>>>   },
>>>>   "evaluationOrder" : 1100
>>>> }
>>>> ---
>>>>
>>>> Thanks and Regards
>>>> Arti
>>>>
>>>> On Mon, Dec 28, 2020 at 1:05 PM irvan suryadi  
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I'm currently trying to develop cas on my localhost network. I'm 
>>>>> currently trying to add a web application in the apache server as a 
>>>>> client 
>>>>> for SSO CAS. I try to follow directions like:
>>>>>
>>>>> - Installing and configuring mod_auth_cas on my apache server.
>>>>> - added a wildcard registry service (which I will attach below this 
>>>>> message)
>>

[cas-user] Anybody get "Sign in with Apple" working in CAS natively?

[Andy Ng]

Hi all,

Would like to know anybody got "Sign in with Apple" working in CAS natively?

I got it working my doing some customization (I will attach below) because 
of some weird issue which I cannot understand.

While I would like to investigate on submiting a PR, but I am not sure if I 
am the only one having issue with this or not so want to ask the group 
first.

Cheers!
- Andy

Attached is my customization which makes Sign in with Apple work:
=
*MyOrgAppleOidcAuthenticator.java*
/**
 * Fix an issue which the secret cannot be refresh again during validation.
 *
 */
@Slf4j
public class MyOrgAppleOidcAuthenticator extends OidcAuthenticator {
public MyOrgAppleOidcAuthenticator(OidcConfiguration configuration, 
OidcClient client) {
super(configuration, client);
}

/**
 * If client is secret post, set the client authentication again so the 
secret can be get again
 * 
 * Also, set the user profile after validate, so it can validate the 
userprofile
 *
 * @param cred
 * @param context
 */
@Override
public void validate(final OidcCredentials cred, final WebContext 
context) {
ClientAuthentication clientAuthentication = 
getClientAuthentication();
if (clientAuthentication instanceof ClientSecretPost) {
LOGGER.debug("Get secret again from validate for Apple Login");
final ClientID clientId = new 
ClientID(configuration.getClientId());
final Secret secret = new Secret(configuration.getSecret());
ClientSecretPost clientSecretPost = new 
ClientSecretPost(clientId, secret);
setClientAuthentication(clientSecretPost);
}
super.validate(cred, context);
}
}
=

*MyOrgDefaultDelegatedClientFactory.java*
/**
 * Set Apple Client
 *
 */
@Slf4j
@Getter
public class MyOrgDefaultDelegatedClientFactory extends 
DefaultDelegatedClientFactory {
private final CasConfigurationProperties casProperties;

public MyOrgDefaultDelegatedClientFactory(
CasConfigurationProperties casProperties,
Collection customizers) {
super(casProperties, customizers);
this.casProperties = casProperties;
}

@Override
protected void configureClient(final IndirectClient client, final 
Pac4jBaseClientProperties props) {
if(client instanceof AppleClient){
client.setAuthenticator(
new MyOrgAppleOidcAuthenticator(((AppleClient) 
client).getConfiguration(), (AppleClient) client)
);
}
super.configureClient(client, props);
}
}
=
*cas.yml*
cas:
  authn:
pac4j:
  oidc:
- apple:
client-name: 
private-key: file:/abd/def/myapplecert.p8
private-key-id: 
team-id: x
id: xxx.yyy.zzz
response-mode: form_post
scope: openid name
response-type: code id_token
use-nonce: true

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/435d7384-b268-44c2-af0a-fc6cf0e258ccn%40apereo.org.

[cas-user] Re: Guide to Deploying CAS 6 - with Ansible, MFA, and Delegated authentication

[Andy Ng]

Hi Paul, 

Thanks for the contribution! We soon also need to setup delegate auth to 
Azure, so that section is going to be useful to me.
Now whenever people asking for a CAS 6 guide I know where to point them to 
:)

Cheers!
- Andy

On Thursday, 13 May 2021 at 05:12:14 UTC+8 chauvetp wrote:

> Hi all,
>
> Over the past couple of months - in my (vanishingly small) free time, I 
> created a guide to deploying Apereo CAS 6 (6.3.x specifically).  I did this 
> because I've benefited from the documentation others have done in the past 
> (especially David Curry's CAS 5 version) - and wanted see if my stumbling, 
> experimentation, trial and error could benefit others.
>
> The documentation is available on Github.io: 
> http://paulchauvet.github.io/deploying-cas
>
> It covers the following topics:
>
>- Using Ansible to deploy Tomcat and CAS (including configs, services, 
>etc.)
>- Vanilla CAS deployment - with functionality progressively added to it
>- Service Configuration
>- Active Directory authentication and attribute release
>- Duo MFA support
>- Ticket registry via Hazelcast
>- Delegating authentication from CAS to Azure
>- Theming (this one is very incomplete - I'll add more to that soon).
>
>
> I can't guarantee it will be usable for anyone - and even for those who it 
> is usable for whether all of it will be usable.  I am not the CAS expert 
> that many here on the list are - and I don't know the underlying Java code 
> well enough to cover that here.  But hopefully some will find some benefit 
> on it.
>
> This is my first public documentation like this (my other documentation is 
> meant for internal IT staff, or end-users).  I started this as a way to 
> document for other IT staff members in case the proverbial bus hits me - 
> but realized it may have benefit to others.
>
> If you have suggestions/corrections/objections/etc., let me know.
>
> P.S.  I've got a ton of help from others on various topics - both on the 
> CAS list and colleagues within SUNY.  I apologize if I missed anyone here!
> Acknowledgements 
> 
>
>
>
> Paul Chauvet, CISSP
>
> Information Security Officer
>
> State University of New York at New Paltz
>
> chau...@newpaltz.edu
>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1ff5ccd8-4351-4ba1-ab67-f9ad3637a227n%40apereo.org.

[cas-user] Re: CAS5.3, SSO between native Mobile App and Web App

[Andy Ng]

Hi Omer,

Thanks for reaching out, I do not mind sharing my experience. However if I 
am sharing anything related to CAS, I prefer to share it on this group so 
it can act as reference to all the members, not just particular teams :) So 
I instead of verbal discussion, I would like to be in text and share in 
here.

After looking back to the email conversation, I think I already said all 
the generic information about our mobile to web integration, which is the 
use of AppAuth and not use WebView. Maybe you have specific question you 
would like to ask? If so, you can put all question you would like to ask 
here, so me (and other member) can add our insight on the matter when we 
are free.

Cheers!
- Andy

*P.S. CAS 5.3 is already 
EOL 
https://apereo.github.io/cas/developer/Maintenance-Policy.html#eol-schedule, 
i.e. if you encounter issue with CAS 5.3 it would not be fix. You should 
consider an upgrade to CAS 6.x asap.*

On Friday, 14 May 2021 at 23:26:38 UTC+8 omatary wrote:

> Hi Andy,
> I wonder if you have few minutes to talk about your integration?.   At 
> Rutgers , our Portal team is working on building a mobile app and they  
> need to establish SSO with CAS so that users can access other applications 
> without the need to re-authenticate .
>
> If you are available , I will have one of my IdM and Portal engineers to 
> talk to you .  We are using CAS 5.3 .
>
> My University email address is "oalm...@oit.rutgers.edu" 
>
> Much appreciated .
>  
> Regards,
> Omer AlMatary
>
> On Thursday, April 11, 2019 at 10:02:52 PM UTC-4 Andy Ng wrote:
>
>> Hi Yan,
>>
>> We have built something like this before, 
>>
>> And the answer is: yes you can! When user login to webapp using CAS 
>> protocol, they can SSO to their native app.
>>
>> However some implementation is needed, I can give you some information on 
>> this:
>> - So achieve this, you would want the native app to *not use WebView* to 
>> open browser, instead us Chrome Custom Tab for Android / Safari View 
>> Controller for iOS
>> - it is quite complicated to setup the Chrome custom tab or Safari View 
>> Controller yourself, so I recommend using the AppAuth library (supported by 
>> Google) instead:
>>- AppAuth iOS: https://github.com/openid/AppAuth-iOS
>>- AppAuth Android: https://github.com/openid/AppAuth-Android
>> - The behavior is like the below:
>>- When user login to your app, it will pop up a in-app browser inside 
>> the app (instead of redirecting to the outside browser / instead of using 
>> webview)
>>- Since user already login, CAS will redirect to the redirect_uri, so 
>> this screen will flash for a sec
>>- The in-app browser then will be closed, and AppAuth library will 
>> handle the rest of the login.
>>
>> In the case where user it not login yet, CAS login screen will be shown, 
>> and the flow will be the same after user authenticate successfully
>>
>> See if the above helps you.
>>
>> Cheers!
>> - Andy
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5adddfab-3e4b-4529-8891-56399540e659n%40apereo.org.

[cas-user] Re: Finally Finish My College

[Andy Ng]

Hi Irvan, Congrats on your achievement! Glad we helped :)  Cheers! -Andy

On Wednesday, 19 May 2021 at 02:11:45 UTC+8 irvans...@gmail.com wrote:

> Hi Guys,
>
> On April 20, 2021. I finally finished my final project. The image below is 
> of me holding a monitor that says "Terimakasih". In Indonesian 
> "Terimakasih" means "Thank you". And I want to thank all of you who have 
> helped me in solving the problems I have found, to Mr. Misagh Moayed, Andy 
> Ng, Ray Bon, and anyone else that I can't mention.
>
> Cheers,
> Irvan :)
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/55e04a2f-783d-44fd-b544-1b7892104ac8n%40apereo.org.

[cas-user] Re: CAS Logout Redirect with Front Channel Logout

[Andy Ng]

Hi John,

It will use Ajax for frontend call, see 
this: 
https://github.com/apereo/cas/blob/master/support/cas-server-support-thymeleaf/src/main/resources/templates/logout/casPropagateLogoutView.html

Note that, due to the recent 3rd party cookie blocking enforced in some of 
the popular browser, CAS frontend login mechanism have become unreliable if 
the service do not sure the same domain.

I think either use some custom login for logout, or use backend logout is 
needed if you need cross domain logout (e.g. CAS in www.example1.com, 
service in www.example2.com).

Cheers!
- Andy

On Tuesday, 25 May 2021 at 01:29:11 UTC+8 john.b...@keap.com wrote:

>
> Hi all,
>
> I maintain a CAS server, we have multiple services registered with 
> different configurations. Some of the services are registered with Front 
> Channel Logout. I have noticed that CAS will not redirect to the specified 
> service on logout if one of the Front Channel Logout Services has been 
> authenticated against. Is this a limitation of the Front Channel Logout 
> feature or do I have something configured improperly?
>
> Thanks,
>
> John
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b6eb93b7-71e2-493c-90b2-d5b4a50aca47n%40apereo.org.

[cas-user] Re: CAS 6.3.2 CAS Cookie timeout value & redirect issue

[Andy Ng]

Hi Anusuya,

> Q1. What is the default timeout value of CAS cookie after login & its 
related property?
CAS is relatively complicated in this part, so basically:
- There are TGC cookie which is a cookie stored in user browser indicating 
they have login, that one expired when user close the browser
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#ticket-granting-cookie
- There is a TGT ticket, that one default expired 8 hours
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#ticket-granting-tickets
- There is a thing called sliding windows, if user do not login within 
sliding windows, they will be considered not active. Default sliding 
windows is 2 hours
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#default

> Q2. We are getting the below default login successful page if there is no 
service param in url.
You can override 
the 
https://github.com/apereo/cas/blob/master/support/cas-server-support-thymeleaf/src/main/resources/templates/login/casGenericSuccessView.html

For how to override a file, this might 
help. https://groups.google.com/a/apereo.org/g/cas-user/c/k-yfoou7Zy0 
I don't have time to write a full on guide, you can google a bit see how it 
works.

After you override the casGenericSuccessView.html, add whatever you like 
and your edit will completely override the one from CAS default :)

> Q3: cas.view.default-redirect-url=https://mydomain.com/home - *This will 
be executed only when there is no service provided right? Can someone 
confirm on the same?*
Yes, it only execute only when no service provider

Hope this helps,

Cheers!
- Andy

On Sunday, 23 May 2021 at 23:01:47 UTC+8 anusu...@gmail.com wrote:

> Hi Team,
>
> We are using CAS 6.3.2 server and JDK 11. I would be grateful if someone 
> clears my doubt.
> We are facing the below issue in production:
>
> 1. What is the default timeout value of CAS cookie after login & its 
> related property?
> 2. We are getting the below default login successful page if there is no 
> service param in url.
> *https://mydomain.com/cas/login *
> We make sure to provide service parameter in all use cases. But if end 
> user gives "/cas/login", he is able to see this page.
>
> Is there any way to override the default login success page and show 
> different page with back button? 
> [image: cas.png]
>
> We are authenticating 2 domains using CAS.
> *https://mydomain.com/cas/login?service= 
> **https://mydomain.com/home 
> *
> *https://mydomain.com/cas/login?service= 
> **https://mydomain2.com/home 
> *
>
> *Saw this property in CAS documentation.*
> cas.view.default-redirect-url=https://mydomain.com/home - *This will be 
> executed only when there is no service provided right? Can someone confirm 
> on the same?*
>
> Thanks in advance!
>
> Regards,
> Anusuya.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0ca0e554-cbd2-4fa5-902c-349b135976e6n%40apereo.org.

Re: [cas-user] replace the default login cas page to delegated provider

[Andy Ng]

Hello,

Can you try turn the `auto-redirect` property to true see if that match 
your needs?

Ref: 
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#delegated-authentication-settings

Cheers,
- Andy

On Wednesday, 2 June 2021 at 23:54:06 UTC+8 Ray Bon wrote:

> Mostafa,
>
> The client application should not know that authentication is delegated, 
> it all happens in Cas.
> Take a look at 
> https://apereo.github.io/cas/6.3.x/integration/Delegate-Authentication.html
>
> Ray
>
> On Wed, 2021-06-02 at 04:25 -0700, Mostafa Tabal wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
>
> I need my service use delegation provider login instead of going to cas 
> login page 
>  when i write my service in url go to login page of delegation provider 
> instead of cas login page
>
> how can i do that ?
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5248d8b7-efe2-4137-96b4-a7252df325e1n%40apereo.org.

[cas-user] Re: Registered service [name] does not define any authorized/supported delegated authentication provider

[Andy Ng]

Hi Fernando,

We use something like this:
==
  "accessStrategy": {
"@class": 
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"delegatedAuthenticationPolicy" : {
  "@class" : 
"org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
  "allowedProviders" : [ "java.util.ArrayList", [ "Facebook", "Twitter" 
] ]
}
  },
==
Also, you should also make sure `Facebook` and `Twitter` is the correct 
name for your provider, for us the name is a bit different because we set a 
differernt name in the properties for our provider.

Cheers!
- Andy

On Friday, 4 June 2021 at 04:37:05 UTC+8 Fernando Gomez wrote:

> Hello, the following warning is coming out in my logs:
>
> * 
> [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy]
>  
> - *
> * delegated authentication providers. It is STRONGLY recommended that you 
> authorize and assign providers to the service definition. While just a 
> warning for now, this behavior will be enforced by CAS in future versions.>*
>
> The problem is that the production log is filling up very quickly for this 
> issue.
> I have my service configured as follows:
>
>
> {
> "@class": "org.apereo.cas.services.RegexRegisteredService",
> "serviceId": "^(http|https)://(.*)URL(.*)",
> "name": "name",
> "id": 003,
> "description": " ",
> "theme" : "Theme",
> "accessStrategy" : {
> "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "enabled" : true,
> "ssoEnabled" : true
> },
>  "delegatedAuthenticationPolicy" : {
>   "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
>   "allowedProviders" : [[ "Facebook", "Twitter" ] ],
>   "permitUndefined": true,
>  },
>  "singleSignOnParticipationPolicy" : {
>   "@class": 
> "org.apereo.cas.services.ChainingRegisteredServiceSingleSignOnParticipationPolicy",
>   "policies": [
> "java.util.ArrayList",
> [
>   {
> "@class": 
> "org.apereo.cas.services.AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy",
> "timeUnit": "SECONDS",
> "timeValue": 2592000,
> "order": 0
>   }
> ]
>   ],
>  "createCookieOnRenewedAuthentication": "TRUE"
> },
> "properties" : {
> "@class" : "java.util.HashMap",
> "httpHeaderEnableXFrameOptions" : {
>   "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>   "values" : [ "java.util.HashSet", [ "true" ] ]
> }
>   }
> 
> }
>
>
> I have the REST, Facebook and google login enabled.
>
> I have the Delegated Authentication Policy enabled in the service, can you 
> help me see what error I am making?
>
> Thank you very much in advance!
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a6e8037-048b-432c-83fb-217c0989c799n%40apereo.org.

[cas-user] I have created an customizable full stack CAS sample project, want to get your feedback!

[Andy Ng]

Hi all,

I have created a new project called "*Select Ur CAS*", want to share it 
here to get some feedback :)

Github link: https://github.com/NgSekLong/SelectUrCAS
Video introduction: https://www.youtube.com/watch?v=0c-QbP4igzU

"Select Ur CAS" is a project aims to provide a customizable full stack CAS 
example, so you can have a solid working example to work on top of when you 
start building your own CAS server. 

For example, if you want to use *Redis *Ticket Registry, *SAML 2 *and *OAuth 
2* clients, plus maybe *LDAP *as authentication source. Using this project 
you can just spin up a complete working stack by just executing one docker 
command, no manual config needed on your end.

I am creating this to hopefully give beginners a way to start an Apereo CAS 
stack from the get go and able to get familiar with it right away.

While Select Ur CAS is work in progress, it currently supports:
6 authentication source, 3 attribute source, 3 CAS client, 3 ticket 
registry, and SAML, OAuth, OIDC client

I was going to polish it a lot more before sharing it to this group, but it 
is 2 years in production so I reckon to share it first, get some feedback, 
then further polish it later. 

Cheers!
- Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/29a62c73-843c-4cec-b499-57c458acab24n%40apereo.org.

Re: [cas-user] I have created an customizable full stack CAS sample project, want to get your feedback!

[Andy Ng]

 Hi Ray,

Thanks for sharing the Apereo CAS Initializr project! I do know about this 
project and it is a definitely a good starting point for beginners. 

One thing I wish (as a beginner point of view) is to also have the other 
side of the component ready and connected, like those Redis, MongoDB, SQL 
and so on, which is what my project trying to do.

Now that you mention it, I do think I might be able to incorporate 
Initializr into my project (or in reverse) in some way, let me take a look 
into it and see.

Many thanks!

Cheers!
- Andy

On Tuesday, 6 July 2021 at 02:06:06 UTC+8 Ray Bon wrote:

> Andy,
>
> Here is a similar project, 
> https://fawnoos.com/2021/02/28/cas64-cas-initializr/
>
> Ray
>
> On Sat, 2021-07-03 at 07:30 -0700, Andy Ng wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
>
> Hi all, 
>
> I have created a new project called "*Select Ur CAS*", want to share it 
> here to get some feedback :)
>
> Github link: https://github.com/NgSekLong/SelectUrCAS
> Video introduction: https://www.youtube.com/watch?v=0c-QbP4igzU
>
> "Select Ur CAS" is a project aims to provide a customizable full stack CAS 
> example, so you can have a solid working example to work on top of when you 
> start building your own CAS server. 
>
> For example, if you want to use *Redis *Ticket Registry, *SAML 2 * and *OAuth 
> 2* clients, plus maybe *LDAP *as authentication source. Using this 
> project you can just spin up a complete working stack by just executing one 
> docker command, no manual config needed on your end.
>
> I am creating this to hopefully give beginners a way to start an Apereo 
> CAS stack from the get go and able to get familiar with it right away.
>
> While Select Ur CAS is work in progress, it currently supports:
> 6 authentication source, 3 attribute source, 3 CAS client, 3 ticket 
> registry, and SAML, OAuth, OIDC client
>
> I was going to polish it a lot more before sharing it to this group, but 
> it is 2 years in production so I reckon to share it first, get some 
> feedback, then further polish it later. 
>
> Cheers!
> - Andy
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1bf46469-de19-4c87-8f88-8262ad642d15n%40apereo.org.

Re: [cas-user] CAS 6.3 logging sensitive information

[Andy Ng]

Hi Baron,

Ray suggestion is good.

Another way might work is to add this logging property in your host: 
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#logging

In your case would be something like this:
logging.level.org.apereo.cas.web.flow=INFO

Which should be able to disable the Spring warning per host.

Cheers!
- Andy



On Tuesday, 6 July 2021 at 02:02:10 UTC+8 Ray Bon wrote:

> Baron,
>
> The order of the loggers does not matter, just specificity. You might want 
> to include additivity so nothing bubbles up to more general loggers.
>
>  additivity="false">
> 
> 
>
> You will have to keep an eye on your log output to track sensitive 
> details. Perhaps a test user with a distinctive password that could be 
> searched with a cron script. Searching cas code base for 'password' may be 
> to general and would not catch printing of collections.
>
> Ray
>
> On Fri, 2021-07-02 at 16:41 -1000, Baron Fujimoto wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
>
> When our CAS starts up, it warns:
> WARN 
> [org.springframework.security.config.annotation.web.builders.WebSecurity] - 
> <
> 
> **Security debugging is enabled.   *
> **This may include sensitive information.  *
> **  Do not use in a production system! *
> 
> >
>
> And I find log entries such as the following where the password is logged 
> in plaintext:
> DEBUG 
> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
>  [AbstractWebApplicationService(id=https://www.example.com/app, 
> originalUrl=https://www.example.com/app, artifactId=null, principal=null, 
> source=service, loggedOutAlready=false, format=XML, 
> attributes={execution=[...], password=[PASSWORD], _eventId=[submit], 
> username=[USERNAME], geolocation=[]})]>
>
> I assume this is the result of the following in log4j2.xml?
>
> debug
> ...
>  level="${sys:cas.log.level}" includeLocation="true"/>
>
> For hosts where we do want detailed debug-level logs (but do not want to 
> reveal passwords) can this be mitigated via a cas property to redact the 
> passwords? Or should it be handled via logging conf something like this?
>
> debug
> info
> ...
>  name="org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver" 
> level="${sys:cas.log.level.sensitive}" includeLocation="true"/>
>  level="${sys:cas.log.level}" includeLocation="true"/>
>
> If this is the correct approach, is this sufficient to eliminate the log 
> entries containing plaintext passwords, or are there additional classes(?) 
> we need to worry about as well? Does the order of the AsyncLogger entries 
> matter?
>
> -- 
> Baron Fujimoto  :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/73ad3efd-c7f4-4b36-b89f-94a4824e63a7n%40apereo.org.

Re: [cas-user] Hide CAS login box (and only use external identity providers)

[Andy Ng]

Hi Paul, 

The document is awesome, can't wait for the complete version :)

Cheers!
- Andy

On Friday, 30 April 2021 at 21:55:31 UTC+8 ro...@mun.ca wrote:

> Fantastic documentation!  
>
>  
>
> *From:* cas-...@apereo.org  *On Behalf Of *Paul 
> Chauvet
> *Sent:* Thursday, April 29, 2021 12:39 PM
> *To:* cas-...@apereo.org
> *Subject:* [EXTERNAL SENDER] Re: [cas-user] Hide CAS login box (and only 
> use external identity providers)
>
>  
>
> Hi Ray,
>
>
> Thanks for getting back to me!  The redirect comment was exactly what I 
> needed.
>
>  
>
> I ended up adding the following to the cas properties which handles that 
> automatic redirect:
>
> cas.authn.pac4j.saml[0].autoRedirect=true
>
>  
>
> P.S.: It's still not done - but I'm trying to document my whole journey in 
> getting CAS 6 (with Duo, Delegated Auth, and using Ansible to 
> deploy/maintain CAS and Tomcat).  It's inspired by what David Curry did for 
> his CAS 5 guide plus the Ansible stuff I've done in CAS the past couple 
> years.
>
>
> https://paulchauvet.github.io/deploying-cas/
>
>  
>
> When it's complete (still need to do a couple more things - mostly on 
> theming) I'll announce it to the list formally.  Hopefully someone else can 
> benefit from where I've stumbled 
>
>  
>
>  
>
>  
>
>  
>
> Paul Chauvet, CISSP
>
> Information Security Officer
>
> State University of New York at New Paltz
>
> chau...@newpaltz.edu
>
>  
> --
>
> *From:* cas-...@apereo.org  on behalf of Ray Bon <
> rb...@uvic.ca>
> *Sent:* Wednesday, April 28, 2021 5:27 PM
> *To:* cas-...@apereo.org 
> *Subject:* Re: [cas-user] Hide CAS login box (and only use external 
> identity providers) 
>
>  
>
> *CAUTION: *Message from a non-New Paltz email server. Treat message, 
> links, and attachments with extra caution.
>
>  
>
> Paul,
>
>  
>
> If a service is defined as using delegated auth, the redirect will happen 
> automatically. The login page may be visible during the redirect.
>
> See, 
> https://apereo.github.io/cas/6.3.x/integration/Delegate-Authentication.html#user-interface
>
> I have not tested with only delegated auth, so I do not know if you have 
> to set delegated auth for each service.
>
>  
>
> Ray
>
>  
>
> On Wed, 2021-04-28 at 20:17 +, Paul Chauvet wrote:
>
> *Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. *
>
>  
>
> Hi all,
>
>  
>
> Is there a way (without making UI/theme changes) to completely hide the 
> login box in CAS 6.3?
>
>  
>
> We're going to be delegating authentication to Azure via SAML - but I'd 
> prefer to hide the regular login box completely and just want to leave the 
> button under "External Identity Providers" there.
>
>  
>
> Apologies if I missed something obvious - and thanks all for any advice 
> you can share.
>
>  
>
>  
>
>  
>
>  
>
> Paul Chauvet, CISSP
>
> Information Security Officer
>
> State University of New York at New Paltz
>
> chau...@newpaltz.edu
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+u...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/d30df82f42cedf2e0e7b0e23179fe84be6204252.camel%40uvic.ca
>  
> 
> .
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+u...@apereo.org.
>
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/MN2PR20MB30051BC684711ADAB83D095AA75F9%40MN2PR20MB3005.namprd20.prod.outlook.com
>  
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 

[cas-user] Re: Cas overlay ver 6.3.x integration with pure RADIUS (not MFA RADIUS)

[Andy Ng]

Hi there,

While it is CAS 6.2.x and it is quite a long time ago so I forget about 
most of what I did.

But these configuration is what I used for when I successfully login to 
Radius using CAS 6.2.x during my demo project:

https://github.com/NgSekLong/SelectUrCAS/tree/master/source/authentication/freeradius

Note:

   - I am using Free Radius
   - CAS 6.2.x might differs from CAS 6.3.x 
   - The Github structure is a bit strange because it is suppose to work as 
   a complete demo project, but I think you can get the most important info 
   just from the path I give above

The most important different I see is that I included 

   - compile 
   "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"

And I marked that this is needed for bug fixes, see if adding that will 
help you as well.

Cheers,
Andy
On Tuesday, 20 April 2021 at 00:15:02 UTC+8 artur...@gmail.com wrote:

>
>
>
> I have changed cas.propierties to :
>
>
> cas.authn.radius.server.nasPortId=-1
> cas.authn.radius.server.nasRealPort=-1
> cas.authn.radius.server.protocol=EAP_MSCHAPv2
> cas.authn.radius.server.retries=3
> cas.authn.radius.server.nasPortType=-1
> cas.authn.radius.server.nasPort=-1
> cas.authn.radius.server.nasIpAddress=
> cas.authn.radius.server.nasIpv6Address=
> cas.authn.radius.server.nasIdentifier=-1
>
> cas.authn.radius.client.authenticationPort=1812
> cas.authn.radius.client.sharedSecret=string
> cas.authn.radius.client.socketTimeout=0
> cas.authn.radius.client.inetAddress=IPadresradius
> cas.authn.radius.client.accountingPort=1813
>
> cas.authn.radius.name=Radius
> cas.authn.radius.failoverOnException=false
> cas.authn.radius.failoverOnAuthenticationFailure=false
>
> But still no restult i cant see any issues in: 
> docker logs -f container.
>
> I can do like this too but i think it is the same :
> ${configurationKey}=cas.authn.radius
> an then:
> ${configurationKey}.server.nasPortId=-1 and than the same .
>
> I have given up .
> środa, 14 kwietnia 2021 o 17:51:08 UTC+2 artur miś napisał(a):
>
>> Dears,
>> I have cas.propierties like:
>>
>> #Radius
>> cas.authn.radius.name=Radius
>> cas.authn.radius.server.protocol=EAP_MSCHAPv2
>> cas.authn.radius.server.retries=1
>> cas.authn.radius.client.authenticationPort=1812
>> cas.authn.radius.client.sharedSecret=somestring
>> cas.authn.radius.client.inetAddress=IP
>> cas.authn.radius.client.accountingPort=1813
>>
>>
>> build.gradle:
>> dependencies {
>> // Add modules in format compatible with overlay casModules property
>> if (project.hasProperty("casModules")) {
>> def dependencies = project.getProperty("casModules").split(",")
>> dependencies.each {
>> def projectsToAdd = rootProject.subprojects.findAll {project 
>> ->
>> project.name == "cas-server-core-${it}" || project.name 
>> == "cas-server-support-${it}"
>>implementation 
>> "org.apereo.cas:cas-server-support-radius:${project.'cas.version'}"
>>   // implementation 
>> "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"
>> }
>> projectsToAdd.each {implementation it}
>> }
>> }
>>
>>
>> I am able prepare image of container .Container is opperating. But i 
>> cannnot see any hits on network trafic  if i try to log to  singned 
>> services .Of course i cant log in.What more after   sudo docker -f logs 
>>  i cannot see any problems with connection to radius side. 
>> Dears  Any idea ?
>>
>>
>>
>> {
>>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>   "serviceId" : "^(http|https|imaps)://*",
>>   "name" : "PRG_PABLO",
>>   "id" : 3,
>>   "evaluationOrder" : 0,
>>   "theme" : "nextor",
>>"authenticationPolicy" : {
>> "@class" : 
>> "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
>> "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "Radius" ]]
>>   }
>>
>> }
>>
>>
>> Is it generaly possible auth via RADIUS in cas 6.3.x noweaday ?
>>
>> Any debug setting  in log4j2.xml ?
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0371996b-fc27-401d-b5bf-8395ccff3578n%40apereo.org.

Re: [cas-user] Using an alias as userlogin

[Andy Ng]

Hi Andrea,

Another way to achieve your requirement would be to allow user to input 
either phone, email and other in the same username box.

   - Then, use multiple authentication handler to handle different type of 
   user input.
   - Since we can configured CAS to allow login when any of the 
   authentication handler success, like so: 
  - 
  
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#authentication-policy
   - User should be able to input any of the above, and able to 
   successfully login to CAS

I would say this is a more naturial way to handle multiple type of input. 
Instead of needing user pick their input. See if my suggestion applies to 
your case.

Cheers!
- Andy


On Wednesday, 28 April 2021 at 23:03:42 UTC+8 Ray Bon wrote:

> Andrea,
>
> You can create a custom authentication handler, 
> https://apereo.github.io/cas/6.3.x/installation/Configuring-Custom-Authentication.html
>  to 
> process your custom log in screen (I should have included that link 
> yesterday).
>
> Ray
>
> On Tue, 2021-04-27 at 23:12 +0200, Andrea Colajacomo wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
> Thank you Ray. 
> It seems documentation speak about additional custom fields. I'm searching 
> how to use another custom fields insted of standard userlogin or let the 
> the user choose wich field want ti use.
>
> Thanks
> Bye
>
> Il mar 27 apr 2021, 17:09 Ray Bon  ha scritto:
>
> Andrea,
>
> There are ways to customize the login page. See 
> https://apereo.github.io/cas/6.3.x/ux/User-Interface-Customization-Views.html#custom-fields
>
> Ray
>
> On Tue, 2021-04-27 at 04:39 -0700, Andrea Colajacomo wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
> Hello,  
> is it possible to use userlogin alternatives on CAS?
> For example:
> let the user choose to use email or phone number (or any other custom 
> filed) in the login form
>
> Thanks
> Bye
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to a topic in the 
> Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/a/apereo.org/d/topic/cas-user/oHcEn39WFC8/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to 
> cas-user+u...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/62696cec61e8b81397e7e2353d6e5279b4ce820d.camel%40uvic.ca
>  
> 
> .
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ef946434-6df1-4f32-b5fb-24a6eef2fd68n%40apereo.org.

Re: [cas-user] CAS 6.4 - Attribute release does'nt work

[Andy Ng]

Hi Jérémie,

I saw that you are using CAS 6.4, which is still in RC. Have you try it in 
CAS 6.3.2? Or even 6.2.x?

Even though 6.4.x is in RC, sometime bug do occurs and using slightly older 
version might help identify your issue.

Anyway, It is not so certain what the issue is, below are some suggestion, 
see if implementing them would help or not:

*Q: How can I clean the CAS cache ?*
You can do this by disable CAS attribtue cache so to verify if cache is the 
issue:


*cas.authn.attribute-repository.expiration-time=0*
See: 
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#authentication-attributes

But, I don't think that is the issue, considering you never get any 
attribute in the first place. 

*Another possible solution:*
In CAS 6.2.x, if order for attribute to release, I need to add
=
*  "attributeReleasePolicy" : {*
*.*
*"principalAttributesRepository" : {*
*  "@class" : 
"org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",*
*  "attributeRepositoryIds": ["java.util.HashSet", [ "*" ]]*
*},*
*.*
*  },*
=
Detail see this post
https://groups.google.com/a/apereo.org/g/cas-user/c/713M457X1bI/m/g6q3-ddKAQAJ

Not sure if this is the same behavior as 6.4.x, you can try it and see if 
this fix it for you.

Hopefully this helps!

Cheers,
Andy

On Friday, 26 March 2021 at 04:24:49 UTC+8 Jérémie Pilette wrote:

> I htink so.
> Where can we see it ?
>
> Le jeudi 25 mars 2021 à 20:54:04 UTC+1, jrautureau a écrit :
>
>> Hi Jérémy 
>>
>> Is the passwordPolicy is enabled ?
>>
>> Le jeu. 25 mars 2021 à 20:26, Jérémie Pilette  a 
>> écrit :
>>
>>>
>>> The attribute and the value are good in the LDAP. 
>>> By watching the ldap.log.level=debug, I do not see something strange.. I 
>>> can see all the values with their attributes, no error messages...
>>> Le jeudi 25 mars 2021 à 18:57:34 UTC+1, Ray Bon a écrit :
>>>
 Jérémie,

 Check ldap to be sure an attribute and value exist for id_attribute for 
 your user. You could also check your ldap logs to see why the value is not 
 released.

 If cas is having difficulties connecting to ldap, you can set, 
 debug
 which is at the top of the log4j2.xml file.

 Ray

 On Thu, 2021-03-25 at 10:04 -0700, Jérémie Pilette wrote:

 Notice: This message was sent from outside the University of Victoria 
 email system. Please be cautious with links and sensitive information. 

 Yes I have this file. I try to do with it ok.

 And in my */var.lib/tomcat9/Cataline.out*, I have this line :
 [2021-03-25 18:02:39] [info] #033[33m2021-03-25 18:02:39,848 WARN 
 [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - >>> find value for mapped attribute [*codeNYP*] that is based off of [
 *id_attribute*] in the allowed attributes list. Ensure the original 
 attribute [*id_attribute*] is retrieved and contains at least a single 
 value. Attribute [*codeNYP*] will and can not be released without the 
 presence of a value.>#033[m


 Le jeudi 25 mars 2021 à 17:55:46 UTC+1, Ray Bon a écrit :

 Jérémie,

 The cas logger bit can be added to etc/cas/config/log4j2.xml).

 Ray

 On Thu, 2021-03-25 at 09:35 -0700, Jérémie Pilette wrote:

 Notice: This message was sent from outside the University of Victoria 
 email system. Please be cautious with links and sensitive information. 

 Thank you for your response Ray Bon, but where I have to do that ?
 Should I uncomment these lines in a file or add these lines in a 
 specific file ?
 Thank you.


 Le jeudi 25 mars 2021 à 16:46:34 UTC+1, Ray Bon a écrit :

 Jérémie,

 Try this logger to see what cas is doing with the attributes:

 
 >>> name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
  
 level="debug"/>

 The client application must be configured to call the CASv3 endpoint.

 Ray

 On Thu, 2021-03-25 at 01:56 -0700, Jérémie Pilette wrote:

 Notice: This message was sent from outside the University of Victoria 
 email system. Please be cautious with links and sensitive information. 



 Hi,
 I would like to use Attribute release for one application (Yparéo).
 I was usin CAS 5.1, and it was operationnal.

 Now with the new version 6.4, it does'nt work.

 I am using json file configuration :
 **
 {
 "@class" : "org.apereo.cas.services.RegexRegisteredService",
 "serviceId" : "^(https|http)://URL/cas.*",
 "name" : "netYpareo",
 "id" : 1005,
 "description" : "NetYparéo",
 "evaluationOrder" : 3,
 "accessStrategy" :
 

Re: [cas-user] Problem with CAS 6.2.6

[Andy Ng]

Hello,

Nice to hear that the Chrome throttling idea leader to new discovery.

It seems like this post might describe your 
issue: https://support.f5.com/csp/article/K85361055

It specifically said upgrading to at least 9.0.34 or above can solve the 
issue, so that's excluding your previous 9.0.33 which is possible why it 
have the issue. 

Cheers,
Andy

On Saturday, 27 March 2021 at 07:12:00 UTC+8 nicol...@gmail.com wrote:

> Finally after doing some research we updated the Tomcat from v9.0.33 to 
> 9.0.43 and the issue seems to be solved. At least we tested with one 
> particular user that was having this problem almost all the time, and with 
> the Chrome throttling and we couldn't reproduce it again.
>
> El viernes, 26 de marzo de 2021 a las 11:27:15 UTC-3, Nicolás López 
> escribió:
>
>> Additional information: using the Chrome throttling, with a custom 
>> profile entering ANY value for the upload speed (even 100Mb) the issue can 
>> be reproduced.
>>
>> Can anybody please test if it happens under this scenario?
>>
>> El viernes, 26 de marzo de 2021 a las 10:19:48 UTC-3, Nicolás López 
>> escribió:
>>
>>> If I use the 3G throttling in Chrome for log in I can reproduce the 
>>> issue consistently...now what should I do with this information? :D
>>> Using firefox, even with the GPRS profile it logs in without any problem.
>>>
>>> With the throttling you can just set upload/download max speed and 
>>> latency, it looks so wierd.
>>>
>>>
>>> El viernes, 26 de marzo de 2021 a las 7:01:39 UTC-3, Andy Ng escribió:
>>>
>>>> Hi all,
>>>>
>>>> I think I also am running out of idea, let see if the following would 
>>>> help identify the issue:
>>>>
>>>>
>>>>1. Would it be your firewall blocking other browser but allow only 
>>>>Firefox?
>>>>   - You said using 4G will work but Wifi will not work. Usually 
>>>>   company firewall only block Wifi and not 4G, so it is a possible 
>>>> issue
>>>>2. CAS server and client need to have communication between them, 
>>>>good to take a look see if that is ok
>>>>3. Would there be a special proxy in firefox that make it a 
>>>>different browser than Chrome / Edge
>>>>   - it is normal for me to forget to turn of proxy for Firefox 
>>>>   after use, maybe it is the same issue as well
>>>>4. If network is involved, Chrome does have a Network speed 
>>>>throttle feature, which might or might not be helpful:
>>>>   1. Open Chome, 
>>>>   2. Press F12,
>>>>   3. Click on "No throttling"
>>>>   4. Select Fast 3G or other type of throttling
>>>>   5. Well Sometime this type of throttling will produced 
>>>>   differnet result than using just using normal network speed browser. 
>>>> If 
>>>>   nothing happen then oh well
>>>>   
>>>> See if this would helps...
>>>>
>>>> Cheers,
>>>> Andy
>>>> On Friday, 26 March 2021 at 16:49:18 UTC+8 Florent Vallée wrote:
>>>>
>>>>> Hello, 
>>>>>
>>>>> We tried the 2 solutions but none worked. We don't have any issues if 
>>>>> we're connected on wifi, we only have the issue with 4G connection 
>>>>> (smartphone with 4G or on computer with 4G shared connection)
>>>>> We tried with version 6.1, 6.2 and 6.3.
>>>>> Any other ideas ?
>>>>> We are desperate.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Florent
>>>>>
>>>>>
>>>>> --
>>>>> *De: *"Andy Ng" 
>>>>> *À: *"CAS Community" 
>>>>> *Cc: *"nicol...@gmail.com" , "jrautureau" <
>>>>> jraut...@gmail.com>
>>>>> *Envoyé: *Jeudi 25 Mars 2021 02:44:03
>>>>>
>>>>> *Objet: *Re: [cas-user] Problem with CAS 6.2.6
>>>>> Hi all,
>>>>> On our side we are using 6.2.x and in production, no such problem 
>>>>> observed.
>>>>>
>>>>> We did implemented a customization multiple customization regarding 
>>>>> cookies, which are:
>>>>>
>>>>>- Samesite = None
>>>>>- 3rd party cookie 
>>>>>
>>>>> Since I

[cas-user] Re: CAS 6.3.x Password Policy

[Andy Ng]

Hi BN,

Seems like you can override this file to set a custom URL.

https://github.com/apereo/cas/blob/v6.3.3/support/cas-server-support-thymeleaf/src/main/resources/templates/fragments/pwdupdateform.html#L154

However, I suspect this link can be set somewhere else as well, maybe you 
can trace the logic see if you can find where it is set.
If not, I think this is a bug, seems weird you need to override a file to 
change such a URL

See if this helps,

Cheers!
Andy



On Tuesday, 30 March 2021 at 22:08:23 UTC+8 Bartosz Nitkiewicz wrote:

> Hi.
> After successful login to CAS I see password expiration days warning. In 
> polish messages_pl.properties there is section:
>
> password.expiration.warning=Termin ważności hasła upływa za {0} dni. 
> Proszę zmienić hasło
>
> It gives me something like this:
> Termin ważności hasła upływa za *11* <- this is proper value dni. Proszę *11 
> *zmienić hasło.
>
> I noticed that in other languages there is: Please  class="link-change-password">change your password. So I've changed it 
> to *1.*
>
> I want to set this value for custom URL with application for changing 
> password.
> Where should I look for it? Maybe there is some cas.properties setting for 
> it?
> Any hints?
> Regards
> BN
>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b976ad5e-e73a-40a5-8cdc-688e03d01300n%40apereo.org.

Re: [cas-user] Problem with CAS 6.2.6

[Andy Ng]

Hi all,

On our side we are using 6.2.x and in production, no such problem observed.

We did implemented a customization multiple customization regarding 
cookies, which are:

   - Samesite = None
   - 3rd party cookie 

Since I cannot reproduce the issue now, if anybody is free please help try 
the following verification method to identify the issue:

*Note: Just throwing some idea out here, it might not work but I think 
worth some testing*

*For Samesite=None:*
I made a post a while ago regarding this and the code needed for the fix, 
so not reposting again.

For some additional reading what is samesite=None, and code to fix the 
issue, see 
this: https://www.chromium.org/updates/same-site/incompatible-clients

For checking if this is indeed the issue, try the following (After enabled 
only visit trusted website, and rollback immediately is recommended):

   1. Open Chrome:
   2. Go to chrome://flags/
   3. Search "samesite"
   4. Set all 3 items to "Disabled"
   5. Restarts
   6. Try to login again, see if issue is solve
   7. Rememeber to go back to  chrome://flags/ and restore setting after 
   testing

*For 3rd party cookie:*
This is unlikely the issue but let's also try verify it:

   1. Open Chrome
   2. Go to Setting > Privacy and Security > Cookie and Site Data
   3. Set All cookie
   4. Restarts
   5. Try to login again, see if issue is solve
   6. Remember to rollback if want to 


If issue indeed is one of them, can work on implementing a patch to CAS to 
fix the issue. If not then, well I am currently out of idea...

Regards,
Andy



On Tuesday, 23 March 2021 at 22:19:39 UTC+8 nicol...@gmail.com wrote:

> Unfortunately it did not solve the issue. But it seems to be a very old 
> problem https://bugs.chromium.org/p/chromium/issues/detail?id=533625
> Anybody else experiencing the same behaviour?
>
>
> El jueves, 18 de marzo de 2021 a las 11:47:34 UTC-3, Nicolás López 
> escribió:
>
>> We are goint to try it and then will share the results.
>> Thanks!
>>
>> El jueves, 18 de marzo de 2021 a las 4:31:40 UTC-3, jrautureau escribió:
>>
>>> Hello
>>>
>>> Have you tried to set cas.tgc.pin-to-session to false ?
>>>
>>> We had issues on tgc cookie witch were invalidated due to network 
>>> changes. For instance, when we switch to a new http proxy or when we 
>>> connect to a VPN.
>>>
>>> Since the property set to false the tgc remains valid.
>>>
>>> We are using the remember me feature.
>>>
>>> Le jeu. 18 mars 2021 à 03:32, Nicolás López  a 
>>> écrit :
>>>
 Same issue here. Did anybody find a solution or workaround?

 El viernes, 5 de febrero de 2021 a las 7:35:18 UTC-3, 
 lanfd...@gmail.com escribió:

> Same issue : 
> https://groups.google.com/a/apereo.org/g/cas-user/c/2CVCGqJOhgE/m/OlV7o8UoAgAJ
>  
>
> Any idea ?
>
> Le mardi 2 février 2021 à 14:33:21 UTC+1, Florent Vallée a écrit :
>
>> Hello,
>>
>> I installed a CAS server in version 6.2.7. No worries for the connection 
>> and the connection to the different services.
>> We are only having a weird problem. On a computer, with Firefox no 
>> worries, on the other hand with Chrome, Edge, etc. and even on a 
>> smartphone with any browser, the CAS connection page loops permanently 
>> and does not connect to the service. It sometimes happens that by trying 
>> again 4-5 times in a row it will work but it is very random. If we 
>> simply connect to the login page we can connect well.
>> Can it be a problem with cookies management, redirects or other?
>> I can't find what options added in the cas.properties
>> Does anyone have any configuration examples?
>>
>>  
>> Thank you for your help.
>>
>>
>> *Florent *
>>
>>
>>
>> --
>> *De: *"Ray Bon" 
>> *À: *"CAS Community" 
>> *Envoyé: *Lundi 1 Février 2021 18:24:29
>> *Objet: *Re: [cas-user] Problem with CAS 6.2.6
>>
>> Florent,
>>
>> Once you have authenticated, cas will return a TGC (ticket granting 
>> cookie) to the browser. As long as this cookie is active, you should not 
>> see the log in page.
>> Those browsers my have some security settings that affect the TGC. 
>> Use you developer tools to see if the TGC is being  deleted or not sent 
>> to 
>> cas. There are some cookie setting, 
>> https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#cookie-properties
>>  and 
>> https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#ticket-granting-cookie
>> .
>>
>> Ray
>>
>> On Mon, 2021-02-01 at 14:19 +0100, Florent Vallée wrote:
>>
>> Notice: This message was sent from outside the University of Victoria 
>> email system. Please be cautious with links and sensitive information. 
>>
>> Hello,
>>
>>
>> I have a problem with CAS, I have access on any browser to the 

Re: [cas-user] Problem with CAS 6.2.6

[Andy Ng]

Hi all,

I think I also am running out of idea, let see if the following would help 
identify the issue:


   1. Would it be your firewall blocking other browser but allow only 
   Firefox?
  - You said using 4G will work but Wifi will not work. Usually company 
  firewall only block Wifi and not 4G, so it is a possible issue
   2. CAS server and client need to have communication between them, good 
   to take a look see if that is ok
   3. Would there be a special proxy in firefox that make it a different 
   browser than Chrome / Edge
  - it is normal for me to forget to turn of proxy for Firefox after 
  use, maybe it is the same issue as well
   4. If network is involved, Chrome does have a Network speed throttle 
   feature, which might or might not be helpful:
  1. Open Chome, 
  2. Press F12,
  3. Click on "No throttling"
  4. Select Fast 3G or other type of throttling
  5. Well Sometime this type of throttling will produced differnet 
  result than using just using normal network speed browser. If nothing 
  happen then oh well
  
See if this would helps...

Cheers,
Andy
On Friday, 26 March 2021 at 16:49:18 UTC+8 Florent Vallée wrote:

> Hello, 
>
> We tried the 2 solutions but none worked. We don't have any issues if 
> we're connected on wifi, we only have the issue with 4G connection 
> (smartphone with 4G or on computer with 4G shared connection)
> We tried with version 6.1, 6.2 and 6.3.
> Any other ideas ?
> We are desperate.
>
> Regards,
>
> Florent
>
>
> --
> *De: *"Andy Ng" 
> *À: *"CAS Community" 
> *Cc: *"nicol...@gmail.com" , "jrautureau" <
> jraut...@gmail.com>
> *Envoyé: *Jeudi 25 Mars 2021 02:44:03
>
> *Objet: *Re: [cas-user] Problem with CAS 6.2.6
> Hi all,
> On our side we are using 6.2.x and in production, no such problem observed.
>
> We did implemented a customization multiple customization regarding 
> cookies, which are:
>
>- Samesite = None
>- 3rd party cookie 
>
> Since I cannot reproduce the issue now, if anybody is free please help try 
> the following verification method to identify the issue:
>
> *Note: Just throwing some idea out here, it might not work but I think 
> worth some testing*
>
> *For Samesite=None:*
> I made a post a while ago regarding this and the code needed for the fix, 
> so not reposting again.
>
> For some additional reading what is samesite=None, and code to fix the 
> issue, see this: 
> https://www.chromium.org/updates/same-site/incompatible-clients
>
> For checking if this is indeed the issue, try the following (After enabled 
> only visit trusted website, and rollback immediately is recommended):
>
>1. Open Chrome:
>2. Go to chrome://flags/
>3. Search "samesite"
>4. Set all 3 items to "Disabled"
>5. Restarts
>6. Try to login again, see if issue is solve
>7. Rememeber to go back to  chrome://flags/ and restore setting after 
>testing
>
> *For 3rd party cookie:*
> This is unlikely the issue but let's also try verify it:
>
>1. Open Chrome
>2. Go to Setting > Privacy and Security > Cookie and Site Data
>3. Set All cookie
>4. Restarts
>5. Try to login again, see if issue is solve
>6. Remember to rollback if want to 
>
>
> If issue indeed is one of them, can work on implementing a patch to CAS to 
> fix the issue. If not then, well I am currently out of idea...
>
> Regards,
> Andy
>
>
>
> On Tuesday, 23 March 2021 at 22:19:39 UTC+8 nicol...@gmail.com wrote:
>
>> Unfortunately it did not solve the issue. But it seems to be a very old 
>> problem https://bugs.chromium.org/p/chromium/issues/detail?id=533625
>> Anybody else experiencing the same behaviour?
>>
>>
>> El jueves, 18 de marzo de 2021 a las 11:47:34 UTC-3, Nicolás López 
>> escribió:
>>
>>> We are goint to try it and then will share the results.
>>> Thanks!
>>>
>>> El jueves, 18 de marzo de 2021 a las 4:31:40 UTC-3, jrautureau escribió:
>>>
>>>> Hello
>>>>
>>>> Have you tried to set cas.tgc.pin-to-session to false ?
>>>>
>>>> We had issues on tgc cookie witch were invalidated due to network 
>>>> changes. For instance, when we switch to a new http proxy or when we 
>>>> connect to a VPN.
>>>>
>>>> Since the property set to false the tgc remains valid.
>>>>
>>>> We are using the remember me feature.
>>>>
>>>> Le jeu. 18 mars 2021 à 03:32, Nicolás López  a 
>>>> écrit :
>>>>

[cas-user] Re: Cas can’t see exteralized customised views. Cas overlay ver 6.3.2.

[Andy Ng]

Hi there,

I have managed to make external customized views works in CAS 6.2.x, I 
don't have the time to test this out in CAS 6.3 yet but please try this out 
see if it works:

Instead of putting *nextor *in:
- /your/external/folder/templates/*nextor*
You should do it like this:
-  /your/external/folder/templates/*themes*/*nextor*

I didn't found this in the official doc, I found this my looking at CAS 
source code some time ago.

See if this still works in CAS 6.3... If it does not work I have no idea 
what's wrong as well. Or maybe CAS 6.3 have some new change.

Cheers,
Andy
On Saturday, 13 March 2021 at 00:34:06 UTC+8 artur...@gmail.com wrote:

>
> Accorging to :
> https://dacurry-tns.github.io/deploying-apereo-cas/ui_develop_update-the-layout-template.html
> "By default, Thymeleaf interprets all relative file paths as if they were 
> rooted at the templates directory. If we do not make this change, we will 
> be including the fragments from the default layout (rooted at templates), 
> not our custom layout (rooted at templates/newschool)."
>
>
> But not work.Probably Above mentioned tutorial is for older version form 
> 6.2.x.  Other possiblity  cas cant reach  templates/nextor when is outside 
> the webapp. I don know. 
>
> środa, 10 marca 2021 o 16:36:28 UTC+1 artur miś napisał(a):
>
>> *Gradle.properties*
>>
>> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master$ cat 
>> gradle.properties
>>
>> cas.version=6.3.2
>>
>> springBootVersion=2.3.4.RELEASE
>>
>> appServer=-tomcat
>>
>> executable=false
>>
>> tomcatVersion=9.0.38
>>
>> group=org.apereo.cas
>>
>> sourceCompatibility=11
>>
>> targetCompatibility=11
>>
>> jibVersion=2.8.0
>>
>> shellDir=build/libs
>>
>> ivyVersion=2.4.0
>>
>> gradleDownloadTaskVersion=4.1.1
>>
>> gradleMavenPluginVersion=5.2.1
>>
>> gradleLombokPluginVersion=5.2.1
>>
>> baseDockerImage=adoptopenjdk/openjdk11:alpine-jre
>>
>> allowInsecureRegistries=false
>>
>>
>>
>> *cas.propierties*
>>
>> spring.thymeleaf.prefix=classpath:/templates/
>>
>> cas.view.template-prefixes[0]=file:///etc/cas/templates ← store for  
>> views outside the cas.war
>>
>>
>>
>>
>> *services*:
>>
>> ss@zal:/cas/cas7/services$ cat  prg-3.json
>>
>> {
>>
>>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>
>>   "serviceId" : "^(http|https|imaps)://newton.xx/.*",
>>
>>   "name" : "PRG_PABLO",
>>
>>   "id" : 3,
>>
>>   "evaluationOrder" : 0,
>>
>>   "theme" : "nextor",
>>
>>"authenticationPolicy" : {
>>
>> "@class" : 
>> "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
>>
>> "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["xxx",  
>> "" ]]
>>
>>   },
>>
>> }
>>
>>
>> *Copy templates outside the webapp:*
>>
>> cp -rp  
>> :~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources 
>> /cas/cas7/templates
>>
>> /cas/cas7$ ls
>>
>> config  services  templates  thekeystore
>>
>>
>>
>> *Removing templates from cas overlay:*
>>
>> cd 
>> ~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources$ 
>> ls
>>
>> messages_pl.properties  nextor.properties  static  templates
>>
>> rm -rf templates
>>
>>
>>
>> *Theme files/tree:*
>>
>> ss@zal~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources$
>>  
>> cd static/
>>
>> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static$
>>  
>> ls
>>
>> css  images  js  themes
>>
>> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static$
>>  
>> cd themes/
>>
>> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static/themes$
>>  
>> ls
>>
>> nextor
>>
>> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static/themes$
>>  
>> cd nextor/
>>
>> ss@zal:~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources/static/themes/nextor$
>>  
>> ls
>>
>> css  images  js
>>
>>
>>
>> *Theme def:for service nextor*
>>
>> ss@zal~/cas.6.3_10_10_2020_update/cas-overlay-template-master/src/main/resources$
>>  
>> cat nextor.properties
>>
>> cas.theme.defaultThemeName=nextor
>>
>> cas.standard.css.file=/themes/nextor/css/cas.css
>>
>> cas.standard.js.file=/themes/nextor/js/cas.js
>>
>>
>> *Image creation:*
>>
>> ./gradlew --info build jibDockerBuild
>>
>>
>> *Creation container:*
>>
>> sudo docker run  --name cas2localTT-v /cas/cas7:/etc/cas -p 
>> 127.0.0.1::8443 -d org.apereo.cas/cas:latest
>>
>>
>>
>> *Result:* 
>>
>> reguest: https://sample.xx/casphp/login?service=https://newton.xx/
>>
>> It is using files from  /etc/cas/templates  but only for  default files 
>> (/etc/cas/templates/fragments/footer.html)  . It doesn’t uses nextor views 
>> at all. I thought that if i have theme  nextor.properties it will be use  
>> views defined in  folder templates/nextor .  Problably i have missed 
>> something  but i don’t know what. Could you help me please ?
>>
>> How i menssioned before:
>>
>> ss@zal/cas/cas7/templates$ ls

[cas-user] CAS 5 and 6, consent JDBC database name from "ConsentDecision" to "Consent_Decision" issue and fix

[Andy Ng]

Hi all,

During migration from CAS 5 to CAS 6, I encountered an issue:

   - My consent table, originally called `ConsentDecision` , is now renamed 
   to `Consent_Decision`
   - Moreover, the fields name is also changed, same pattern

We have found a solution and want to share here:

   - it is actually changes in *Spring boot* library behavior, detail see 
   this 
  - 
  
https://stackoverflow.com/questions/29087626/entity-class-name-is-transformed-into-sql-table-name-with-underscores
   - Adding this properties should work now:
  - 
  
spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
  
Add this here in case other encounter same issue, cheers!

Regards,
Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/184d472b-15a9-48f8-826f-44500156ebb4n%40apereo.org.

[cas-user] Re: Configuring clustered servers in Production

[Andy Ng]

Dear Anusuya,

The best step by step guide I know of is the one from David Curry:
https://dacurry-tns.github.io/deploying-apereo-cas/introduction_sso-environment-architecture.html
- Clustered setup is included in the guide.

This document is written for CAS 5.x, but the majority of the document 
should still be applicable for CAS 6.x.

>From my quick re-read, the major change from 5 to 6 that is missing in the 
David's guide should be:
- tomcat version, 
- CAS properties style (snake-case instead of camelCase)
- gradle instead of maven

I don't know any CAS 6 complete step by step guide, maybe other can chime 
in with the knowledge if there is one?

Cheers!
- Andy

On Monday, 1 March 2021 at 02:56:34 UTC+8 anusu...@gmail.com wrote:

> Hi Team,
>
> Can anyone please help by providing step by step guide on configuring 
> clustered servers in production?
>
> Regards,
> Anusuya.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9da77c7b-beff-4400-ba5e-910878e598fen%40apereo.org.

Re: [cas-user] Re: Jdbc PasswordManagement

[Andy Ng]

Dear Lars,

Glad it at least work. That autocommit = true setting is a very old setting 
in my server, it does run on prod no issue.

Thanks for mentioning the potential issue with autocommit, I will also look 
into it and see if I can figure out another way to fix this issue without 
resulting to changing authcommit. 
In the meantime, I am keeping my setting as it does work for a very long 
time and I think is safe to keep it as is for a while still.

If you find any solution later on, please share them to this discussion :) 
I am also very interested on any more elegant solution!

Cheers!
- Andy

On Wednesday, 3 March 2021 at 15:36:54 UTC+8 Lars Feistner wrote:

> Dear Andy,
>
> thank you very much that did the trick. But to be honest running a 
> production server with autocommit = true is not really something you want 
> to have.
>
> So it looks like there is a bug with the transaction management in 5.3.x? 
> Or is there another jdbc parameter that I have to tweak to make it work 
> with autocommit = false?
>
> Best regards,
> Lars
>
> On 01.03.21 05:39, Andy Ng wrote:
>
> Dear Lars, 
>
> I have not encountered your issue, but I encountered a similar issue 
> before (Not able to insert row to JDBC in another component)
>
> I found that setting *autocommit *to *true *seems to fix my issue, not 
> sure about the root cause since JDBC is not my strong suit.
>
> https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#database-settings
>
> Might not fix you issue, but you can try see if it helps.
>
> Cheers.
> - Andy
>
> On Thursday, 25 February 2021 at 22:06:15 UTC+8 Lars Feistner wrote:
>
>> Dear all,
>>
>> I am experirncing something weird. I set up Password Management, 
>> pm-webflow and pm-jdbc. I turned off security questions.
>>
>> Everything works as expected. I can reset my password, get the email, 
>> setting my new password after clicking the link in the email. But after a 
>> successful message that I changed my password the value in the column in 
>> the database is still the old one.
>>
>> I debugged the code, the update count was 1. I turned on debug logging 
>> for spring. The log files says 'SQL update affected 1 rows'.
>>
>> I attached the log.
>>
>> It seems as if some kind of transaction is not commited or rolled back 
>> but nothing appears in the log file. Can anyone think of anything that I 
>> missed?
>>
>> I am using cas version 5.3.16.
>>
>> 2021-02-25 14:59:19,007 DEBUG 
>> [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
>> 
>> 2021-02-25 14:59:19,007 DEBUG 
>> [org.apereo.cas.pm.web.flow.actions.PasswordChangeAction] - > current credential from webflow [UsernamePasswordCredential(username=ucan)]>
>> 2021-02-25 14:59:19,007 DEBUG 
>> [org.apereo.cas.pm.web.flow.actions.PasswordChangeAction] - > validate the provided password>
>> 2021-02-25 14:59:19,008 DEBUG 
>> [org.apereo.cas.pm.web.flow.actions.PasswordChangeAction] - > update the password>
>> 2021-02-25 14:59:19,008 DEBUG 
>> [org.apereo.cas.authentication.support.password.PasswordEncoderUtils] - 
>> > configuration>
>> 2021-02-25 14:59:19,008 DEBUG 
>> [org.apereo.cas.authentication.support.password.PasswordEncoderUtils] - 
>> 
>> 2021-02-25 14:59:19,560 DEBUG 
>> [org.springframework.core.env.PropertySourcesPropertyResolver] - > find key 'config.client.state' in any property source>
>> 2021-02-25 14:59:19,931 DEBUG 
>> [org.springframework.jdbc.core.JdbcTemplate] - > update>
>> 2021-02-25 14:59:19,932 DEBUG 
>> [org.springframework.jdbc.core.JdbcTemplate] - > statement [UPDATE cus_auth_method SET password=? WHERE account_id=(SELECT 
>> id from cus_account where login = ?)]>
>> 2021-02-25 14:59:19,932 DEBUG 
>> [org.springframework.jdbc.datasource.DataSourceUtils] - > Connection from DataSource>
>> 2021-02-25 14:59:19,934 DEBUG 
>> [org.springframework.jdbc.core.JdbcTemplate] - 
>> 2021-02-25 14:59:19,935 INFO 
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - > trail record BEGIN
>> =
>> WHO: audit:unknown
>> WHAT: UsernamePasswordCredential(username=ucan)
>> ACTION: CHANGE_PASSWORD_SUCCESS
>> APPLICATION: CAS
>> WHEN: Thu Feb 25 14:59:19 CET 2021
>> CLIENT IP ADDRESS: 192.168.1.125
>> SERVER IP ADDRESS: 192.168.1.199
>> =
>>
>> Best regards,
>> Lars
>> -- 
>> *Lars Feistner*
>> Entwicklungsleitung
>

[cas-user] Re: Jdbc PasswordManagement

[Andy Ng]

Dear Lars,

I have not encountered your issue, but I encountered a similar issue before 
(Not able to insert row to JDBC in another component)

I found that setting *autocommit *to *true *seems to fix my issue, not sure 
about the root cause since JDBC is not my strong suit.
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#database-settings

Might not fix you issue, but you can try see if it helps.

Cheers.
- Andy

On Thursday, 25 February 2021 at 22:06:15 UTC+8 Lars Feistner wrote:

> Dear all,
>
> I am experirncing something weird. I set up Password Management, 
> pm-webflow and pm-jdbc. I turned off security questions.
>
> Everything works as expected. I can reset my password, get the email, 
> setting my new password after clicking the link in the email. But after a 
> successful message that I changed my password the value in the column in 
> the database is still the old one.
>
> I debugged the code, the update count was 1. I turned on debug logging for 
> spring. The log files says 'SQL update affected 1 rows'.
>
> I attached the log.
>
> It seems as if some kind of transaction is not commited or rolled back but 
> nothing appears in the log file. Can anyone think of anything that I missed?
>
> I am using cas version 5.3.16.
>
> 2021-02-25 14:59:19,007 DEBUG 
> [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
> 
> 2021-02-25 14:59:19,007 DEBUG 
> [org.apereo.cas.pm.web.flow.actions.PasswordChangeAction] -  current credential from webflow [UsernamePasswordCredential(username=ucan)]>
> 2021-02-25 14:59:19,007 DEBUG 
> [org.apereo.cas.pm.web.flow.actions.PasswordChangeAction] -  validate the provided password>
> 2021-02-25 14:59:19,008 DEBUG 
> [org.apereo.cas.pm.web.flow.actions.PasswordChangeAction] -  update the password>
> 2021-02-25 14:59:19,008 DEBUG 
> [org.apereo.cas.authentication.support.password.PasswordEncoderUtils] - 
>  configuration>
> 2021-02-25 14:59:19,008 DEBUG 
> [org.apereo.cas.authentication.support.password.PasswordEncoderUtils] - 
> 
> 2021-02-25 14:59:19,560 DEBUG 
> [org.springframework.core.env.PropertySourcesPropertyResolver] -  find key 'config.client.state' in any property source>
> 2021-02-25 14:59:19,931 DEBUG [org.springframework.jdbc.core.JdbcTemplate] 
> - 
> 2021-02-25 14:59:19,932 DEBUG [org.springframework.jdbc.core.JdbcTemplate] 
> -  WHERE account_id=(SELECT id from cus_account where login = ?)]>
> 2021-02-25 14:59:19,932 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceUtils] -  Connection from DataSource>
> 2021-02-25 14:59:19,934 DEBUG [org.springframework.jdbc.core.JdbcTemplate] 
> - 
> 2021-02-25 14:59:19,935 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: UsernamePasswordCredential(username=ucan)
> ACTION: CHANGE_PASSWORD_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Feb 25 14:59:19 CET 2021
> CLIENT IP ADDRESS: 192.168.1.125
> SERVER IP ADDRESS: 192.168.1.199
> =
>
> Best regards,
> Lars
> -- 
> *Lars Feistner*
> Entwicklungsleitung
> Phone: +49 6221/186749-5
> Mail: l.fei...@cares.institute 
> *Institut für Kommunikations- und Prüfungsforschung gGmbH*
> Institute for Communication and Assessment Research
> Wieblinger Weg 92a
> 69123 Heidelberg, Germany
> Web: www.ucan-assess.org 
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/dd8f1038-b331-412b-a57f-df3f3c7fff9fn%40apereo.org.

[cas-user] Re: How CAS supports multi tenancy

[Andy Ng]

Hello,

Would like to know if you are referring to multiple tenant in Active 
Directory / Azure / other technology? 

*If multi-tenant in Active Directory:*
CAS can be configured so to use *multiple authentication sources *and *either 
one of them success *allow for login.

In here:
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#ldap-authentication

You should setup your multiple tenant using the indexes:
cas.authn.ldap[0].xxx
cas.authn.ldap[0].xxx
cas.authn.ldap[0].xxx
cas.authn.ldap[1].xxx
cas.authn.ldap[1].xxx
cas.authn.ldap[1].xxx
 and more

*If **multi-tenant **in Azure, *
You can setup multiple OIDC properties using the build in pac4j to achieve 
delegated authentication:
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#azure-ad
cas.authn.pac4j.oidc[0].xxx=yyy
cas.authn.pac4j.oidc[0].xxx=yyy
cas.authn.pac4j.oidc[1].xxx=yyy
cas.authn.pac4j.oidc[1].xxx=yyy
... and more

See if this info helps.

Cheers.
- Andy



On Monday, 22 February 2021 at 21:15:35 UTC+8 versati...@gmail.com wrote:

>
> Can someone please provide any documentation link on how CAS supports 
> multi tenancy.
> I want single CAS deployment for supporting multiple tenants .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d4fb783e-7147-4527-96d2-aa5c9fbe5067n%40apereo.org.

[cas-user] Re: how to download the cas-server-support-theme-collections

[Andy Ng]

Maybe you can look into 
this: 
https://github.com/apereo/cas/tree/master/support/cas-server-support-themes-collection

Cheers!
- Andy

On Wednesday, 7 April 2021 at 11:37:02 UTC+8 程泽群 wrote:

> I look the resources  
> https://apereo.github.io/cas/6.3.x/ux/User-Interface-Customization-Themes.html#theme-collections
>  
> ,  and I want to use  the Theme Collections,but I can`t download 
> the cas-server-support-theme-collections
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3970848e-589d-4fcb-918d-3c289492bcd5n%40apereo.org.

Re: [cas-user] Configuring syslog appender in CAS 4.0.1

[Andy Ng]

Hi Thatcher,

I also agree with Ray, an upgrade is necessary to bring this feature in. 

In terms of why CAS 4.0.1 vs 4.2.x have this feature different:

the log4j library is at *1.2.17* on CAS 4.0.1
https://github.com/apereo/cas/blob/v4.0.1/pom.xml#L985

While the log4j library is at *2.5+* at the CAS 4.2.x build:
https://github.com/apereo/cas/blob/v4.2.0/gradle.properties#L23

Therefore, without upgrading your CAS, you will not be able to use this 
feature. Not only that, maintenance for CAS 4.x is EOL a very long time 
ago: 
https://apereo.github.io/cas/developer/Maintenance-Policy.html#eol-schedule. 
Upgrade to 6.x is highly recommended.

Cheers.
Andy
On Wednesday, 14 April 2021 at 00:01:47 UTC+8 Ray Bon wrote:

> Thatcher,
>
> We are Using cas 6.2. I am not sure what version we started with syslog 
> output.
> log4j2 is quite an improvement over 1.2.
>
> You may find it more beneficial to spend the time upgrading cas instead of 
> working with the old log4j.
>
> Ray
>
> On Tue, 2021-04-13 at 08:53 -0700, Thatcher Rea wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
> Thanks Ray, syslog is running and accessible.
> This is using the version 1.2 of log4j - Is the config example you pasted 
> from CAS 4.0.x ?
>
> Many thanks
>
> On Tuesday, April 13, 2021 at 10:43:33 AM UTC-5 Ray Bon wrote:
>
> Thatcher,
>
> Is syslog running and accessible?
>
> This is what we use for syslog:
>
>
>  protocol="TCP">
> 
> %level{TRACE=169, DEBUG=175, INFO=174, WARN=172, ERROR=171, 
> Fatal=168}%d{-MM-dd}T%d{HH:mm:ss.SSS} cas_app[%pid]: ${env:NAME}: 
> %-5p %t(%T) %c{10} - %m%n%ex{none}
> 
> 
>
>
> 
> 
> 
>
> You can ignore the pattern element or modify to suit your needs.
>
> If you are using the old log4j (version 1.2, I think), you may be able to 
> use documentation from that version.
>
> Ray
>
> On Tue, 2021-04-13 at 06:50 -0700, Thatcher Rea wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
>
> As the title suggests i'm trying to get this working - I found this bit of 
> info in the documentation:
>
>
> https://apereo.github.io/cas/4.2.x/installation/Monitoring-Statistics.html#routing-logs-to-syslog
>
> But we're using 4.0.1 of CAS - attempting to apply this directive as is 
> results in numerous errors.
>
> log4j:WARN Element type "Appenders" must be declared.
> log4j:WARN Continuable parsing error 27 and column 41
> log4j:WARN Element type "Syslog" must be declared.
> log4j:WARN Continuable parsing error 173 and column 23
> log4j:WARN The content of element type "log4j:configuration" must match 
> "(renderer*,throwableRenderer?,appender*,plugin*,(category|logger)*,root?,(categoryFactory|loggerFactory)?)".
> log4j:WARN Unrecognized element Appenders
> log4j:ERROR No appender named [SYSLOG] could be found.
>
> If I change "Appenders" to "appender" as declared in other sections of the 
> config I get a stack trace and various problems when starting this in the 
> tomcat container. Any advice would be appreciated.
>
> -- 
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a712ed33-c7e9-49aa-816f-994faaab8c2fn%40apereo.org.

Re: [cas-user] gradle versions of dependency documentation?

[Andy Ng]

Hi Baron,

Agreed with Mike, as for compile v.s. implementation, for the use case of 
CAS build.gradle, you should use *implementation*. 

See: 
https://stackoverflow.com/questions/44493378/whats-the-difference-between-implementation-and-compile-in-gradle

Cheers!
- Andy

On Wednesday, 14 April 2021 at 12:00:29 UTC+8 Mike Osterman wrote:

> Hi Baron,
>
> I too am working on 5.x to 6.3.x and have been getting help from Unicon.
>
> While I'm not sure if "compile" works, here's what I picked up from 
> working with them. Here are our dependencies:
>
> implementation "org.apereo.cas:cas-server-webapp-init:${casServerVersion}"
> implementation 
> "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-duo:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
>
> You can see where this starts in the base 6.3 build.gradle here on line 
> 84: 
> https://github.com/apereo/cas-overlay-template/blob/6.3/build.gradle
>
> It looks like a lot of this is covered in the README.md at the root of the 
> project:
> https://github.com/apereo/cas-overlay-template/tree/6.3
>
> Check out the "Adding Modules" section, which suggests:
> dependencies {
> implementation 
> "org.apereo.cas:cas-server-some-module:${project.casVersion}"
> ...
> }
>
> I'm not sure where the *${project.'cas.version'}* syntax (slightly 
> different from above) comes from, but it has been working for our build.
>
> Good luck!
> Mike
>
>
>
> On Tue, Apr 13, 2021 at 7:29 PM Baron Fujimoto  wrote:
>
>> I'm working on upgrading our old cas 5.x to a current 6.3 version. For 
>> our old cas, we used maven and pom.xml for the war overlay and 
>> dependencies. Apparently that's been deprecated in favor of gradle, but it 
>> looks like the documentation still uses XML. For example:
>>
>> > >
>>
>> I think it's equivalent should now go in the dependencies block of 
>> build.gradle, but it's not clear how to specify the gradle version of this 
>> dependency there based on that documentation.
>>
>> Based on this blog post, <
>> https://apereo.github.io/2019/11/03/cas62-gettingstarted-overlay/>, it 
>> looks like:
>>
>> compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
>>
>> Does this format generally hold true for translating such dependencies? 
>> I.e.:
>>
>> compile ${groupId}:${artifactId}:${casServerVersion}
>>
>> FWIW, I'm finding it challenging to use the CAS documentation as a 
>> starting point for these tasks, since many things don't seem to be included 
>> (e.g., without that blog post, I wouldn't have known about running "gradlew 
>> clean" to set gradle up, or even about gradlew itself, for that matter). 
>> Unless I missed it, I don't see any clear connection between these 
>> necessary steps.
>> -- 
>> Baron Fujimoto  :: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0Nj-DGE_5Jn7mgfXbu1w83f9eqfW95ncd3TB17XdN1pQ%40mail.gmail.com
>>  
>> 
>> .
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bb16f62c-683c-475d-a7b4-6f32b45ca41en%40apereo.org.

[cas-user] How to put metrics data into CAS 6 (just like perfStats.log in CAS 5)

[Andy Ng]

Hi all,

About CAS Metrics:

Previously in CAS 5, we have a "perfStats.log" containing all the metrics 
of CAS in a file format. Which is useful for our troubleshooting.
See: 
https://github.com/apereo/cas/blob/v5.3.16/webapp/resources/log4j2.xml#L43

However, in CAS 6, the "perfStats.log" file is now removed and also the 
documentation for CAS 6 exclude that file:
5.3: https://apereo.github.io/cas/5.3.x/installation/Configuring-Metrics.html
6.3: https://apereo.github.io/cas/6.3.x/monitoring/Configuring-Metrics.html

I do saw a list of awesome metrics plugin for CAS 6 which down the line we 
can leverage, but at the moment we just want a simple "perfStats.log" which 
allow our colleague to troubleshoot CAS statistics if any issue happen.

I did know the way to retrieve the metrics using endopint 
`/cas/actuator/metrics/system.cpu.usage`, but a file can preserved the 
history of those metrics which an endpoint cannot help.

Does anybody knows how to reproduce the same / similar "perfStats.log" 
without introducing an additional component?

Cheers!
- Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20c5eaf4-19da-4f4d-857c-59cd0192c645n%40apereo.org.

[cas-user] Re: Trimming username for attribute resolution

[Andy Ng]

Hi Richard,

I am also not aware on any native attribute trimming feature, maybe other 
can chime in on that.

However, if you think groovy can solve your issue but you don't want 
external files, you can always use *inline Groovy*.

Ref: 
https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-Policies.html#inline-groovy-attributes

So, you can do it with something like this:


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "sample",
  "name" : "sample",
  "id" : 300,
  "attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
  "@class" : "java.util.TreeMap",
  "uid" : "groovy { return attributes['uid'].trim() }"
}
  }
}

This would not be the prettiest solution, but should be able to get the job 
done.

Cheers!
- Andy
On Wednesday, 1 September 2021 at 05:28:09 UTC+8 richard.frovarp wrote:

> What's the way to do that? I thought I figured that out, but it turns 
> out I haven't. I think one of my systems is accomplishing it via JS in 
> the page. Another CAS instance for a different org doesn't have that JS. 
> Random trailing spaces is causing attribute resolution to fail. Somehow 
> authentication is working, despite both of them using the same LDAP/AD 
> filter:
>
> sAMAccountName={user}
>
> I can always add the JS and redeploy, but this feels like something that 
> should be able to be done via config file. I know you can specify an 
> external Groovy file for principalTransformation, but I'm not entirely 
> sure if that goes through attribute retrieval, and I would prefer to not 
> reference an external file.
>
> Thanks,
>
> Richard
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/33ecefc6-73a5-4401-be16-650c016d92adn%40apereo.org.

Re: [cas-user] CAS 6.3.5-Azure AD Delegation-OIDC-JDBC-LDAP

[Andy Ng]

Hi William,

A shot in the dark here, since not sure if my suggestion would work.

But in your service, have you tried setting principalIdAttribute to email 
and see if it would be effective?
https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-Policies.html

Cheers,
- Andy

On Friday, 30 July 2021 at 06:00:50 UTC+8 William Jojo wrote:

> Hmmm, well this gets more interesting as I cannot seem to get CAS to Stop 
> doing this:
>
> 2021-07-29 17:41:09,855 DEBUG 
> [org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractPac4jAuthenticationHandler]
>  
> -  the identifier [w.j...@hvcc.edu]>
> 2021-07-29 17:41:09,856 DEBUG 
> [org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractPac4jAuthenticationHandler]
>  
> - 
> [successful auth]
>
> 2021-07-29 17:41:09,863 DEBUG 
> [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver]
>  
> -  [SimplePrincipal(id=w.j...@hvcc.edu, attributes={access_token=[PAQABAAA 
> [...] unique_name=[w.j...@hvcc.edu], upn=[w.j...@hvcc.edu], 
> uti=[brPdbjEuO0KNgcIU456FAA], ver=[1.0]})] as it's not configured to use 
> the currently-resolved principal id and will fall back onto using the 
> identifier for the credential, that is 
> [oASsZI-izB_hpkO3eSE_2Mg6rkWRqxY6uh6BkvzYNkY], for principal resolution>
> 2021-07-29 17:41:09,863 DEBUG 
> [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver]
>  
> - 
>
>
> I have been going over the docs for how the principal resolver and person 
> directory works, but I am not getting any closer. 
>
> Any insight would be most helpful. I cannot be the only person using the 
> feature.
>
> Bill
>
>
>
> On Thu, Jul 29, 2021 at 1:55 PM William Jojo  wrote:
>
>> To anyone who is familiar with the username (user) value being set by the 
>> claims of OIDC in Azure AD Delegation. CAS is setting the username to the 
>> subject (sub) claim. This totally trashes the ability to use JDBC attribute 
>> resolution like:
>>
>> 2021-07-29 13:47:18,371 DEBUG 
>> [org.springframework.jdbc.core.JdbcTemplate] - > query>
>> 2021-07-29 13:47:18,372 DEBUG 
>> [org.springframework.jdbc.core.JdbcTemplate] - > statement [SELECT username BANNER_LDAP, udc_id BANNER_UDC_ID, s_id 
>> BANNER_SID, banner_id BANNER_OID, dob BANNER_DOB, last4 BANNER_LAST4  FROM 
>> idmap WHERE *username = ?*]>
>> 2021-07-29 13:47:18,377 DEBUG 
>> [org.springframework.jdbc.datasource.DataSourceUtils] - > Connection from DataSource>
>> 2021-07-29 13:47:18,727 TRACE 
>> [org.springframework.jdbc.core.StatementCreatorUtils] - > statement parameter value: column index 1, parameter value [
>> *oASsZI-izB_hpkO3eXRqxY6uh6BkvzYNkY*], value class 
>> [java.lang.String], SQL type unknown>
>>
>> This is not the username. The UPN and other values look perfect - except 
>> this. I cannot find anything in the CAS docs or with Azure AD that allows 
>> me to compensate for this. Since the JDBC argument injection is so 
>> primitive there is no way for me to adjust and substitute another value at 
>> the time this gets invoked for additional attributes.
>>
>> Can anyone shed light on this?
>>
>> Thank you!
>>
>> Bill
>>
>>
>>
>> On Wed, Jul 28, 2021 at 6:52 PM William Jojo  wrote:
>>
>>> Hello,
>>>
>>> I will try to keep this to the point.
>>>
>>> CAS is using the subject claim from AzureAD Delegation upon return from 
>>> auth and setting it as the username regardless of the setting of:
>>>
>>> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=email
>>>
>>> I can use email, upn, does not matter, it is always the subject (sub) 
>>> claim from AzureAD. Even when I tried generic:
>>>
>>> cas.authn.pac4j.oidc[0].generic.principal-attribute-id=email
>>>
>>> I am getting all the way through the delegation, completing the 
>>> authentication, completing the MFA on the account and returning to the app 
>>> only to have the username be the subject (sub) claim. 
>>>
>>> Even if I set the usernameAttributeProvider it does not change anything.
>>>
>>> Anyone have an idea of what is going on?
>>>
>>> Bill
>>>
>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/41fec87d-5c75-40e1-8df6-6154201c5112n%40apereo.org
>>>  
>>> 
>>> .
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 

[cas-user] Re: how can i keep recaptcha enabled on pm page and disabled on main cas page cas/login

[Andy Ng]

Hi,

Probably not possible by just editing loginform.html, as you can see here:
https://github.com/apereo/cas/blob/master/support/cas-server-support-captcha-core/src/main/java/org/apereo/cas/web/flow/ValidateCaptchaAction.java

Even if you removed the recaptchtoken on the page, it still would check in 
the backend.

Since the use case is very specific, I don't think it is in CAS yet.

However, you might be able to do something like this to make your use case 
work:
1. Override ValidateCaptchaAction
  - In doExecute, check for your desired case and return null to stop 
recaptcha from activiting only in selected case
  - You can check the get param / check the flow value / check serviceId 
etc in here
2. Add a custom class extending CasCaptchaConfiguration
- Setup a Bean for validateCaptchaAction like 
this: 
https://github.com/apereo/cas/blob/master/support/cas-server-support-captcha/src/main/java/org/apereo/cas/web/flow/config/CasCaptchaConfiguration.java#L72
3. Then, setup your src/main/resources/META-INF/spring.factories to include 
your configuration

See if this is helpful to you

Cheers,
- Andy



On Thursday, 5 August 2021 at 00:12:00 UTC+8 artur...@gmail.com wrote:

> maybe it was wrong question . I want have recaptch in password change  
> view  but in login page i want disable it.  how can i mage it ?
>
>
>
> I am able rem code 
>
>
> /cas/cas11t /templates/fragments/loginform.html 
>
> 
>
> 
>
>  th:value="${flowExecutionKey}"/>
>  value="submit"/>
> 
>
>  th:if="${#request.getMethod().equalsIgnoreCase('POST')}">
> 
> 
>  th:name="${entry.key}" th:value="${entryValue}"/>
> 
> 
> 
> 
>
>  however i cant see  recaptacha on login page  but i cannot log in. 
>
> poniedziałek, 26 lipca 2021 o 14:32:39 UTC+2 artur miś napisał(a):
>
>> This bellow is giving to me   posibility  to use  recaptch  in  view  
>> password change  and in main cas login page cas/login. 
>>
>> cas.authn.pm.captcha-enabled=true
>>
>>
>> cas.google-recaptcha.enabled=true
>> cas.google-recaptcha.verify-url=
>> https://www.google.com/recaptcha/api/siteverify
>> cas.google-recaptcha.site-key=6keya
>> cas.google-recaptcha.secret=6keyb
>>
>> does it exist sollution to limit view  recaptcha to  only  pm view?
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8518bc91-3e3e-4024-a0f1-763a11516e3dn%40apereo.org.

Re: SOLVED Re: [cas-user] Re: Cas 6.1 SSO not working [for our configuration, requesting help]

[Andy Ng]

Hi Rod, Glad it helps! -Andy

On Saturday, 4 December 2021 at 01:11:20 UTC+8 rodbal...@gmail.com wrote:

> Hi Andy,
>
> Thank you so much for your help. 
>
> The issue was I was testing with one domain, and also using another. 
>
> I.e externally CAS I was using example.com, internally I alaised the CAS 
> server as example.net.
>
> As I've now learned the hard way the CAS server cannot be set for multiple 
> domains. 
>
> Thanks to Ray and everyone else that looked at my configs and logs. I only 
> hope I can help someone out on here someday too!
>
> -Rod
>
>
> On Thu., Dec. 2, 2021, 5:58 p.m. Andy Ng,  wrote:
>
>> Hi Rod,
>>
>> Agree with Ray, your cas.properties does not seems to have any out of the 
>> ordinary config.
>>
>> Not able to see any issue with the log as well, but the cookie doesn't 
>> seems to works when you open Google Apps
>>
>> Since I also don't know what is the issue, let's go through some 
>> alternative solution just want to make sure it is not some browser issue:
>> - Is your website or google loaded in an iframe?
>>   - Modern browser and iframe does not work really well together
>> - In the CAS properties for 6.2 forward, there is a config called 
>> "same-site-policy"
>>   - 
>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#cookie-properties
>>   - In some cases I found that I need to set TGC cookie same site policy 
>> to *none *in order for the SSO to load
>>   - You can try modifying it directly using Chrome debugger, see if the 
>> SSO show after the change
>> - You can try different browser
>> - You can try disable all cookie blocking mechanism for the browser (e.g. 
>> 3rd party cookie block, same site policy restriction, etc)
>> - Double check both your website and Google App are pointing to the same 
>> CAS domain (CAS server itself cannot be set using multiple domain)
>>
>>
>> Well, if the above not helping, then might be an CAS bug, maybe update to 
>> using a different CAS version then 6.1 and see if it works better?
>>
>> Cheers!
>> - Andy
>>
>>
>>
>>
>> On Friday, 3 December 2021 at 06:00:29 UTC+8 Ray Bon wrote:
>>
>>> Rod,
>>>
>>> Nothing looks out of the ordinary in the log (except the lack of SSO).
>>> Is it possible that the ticket store is not working/configured correctly?
>>>
>>> Check the properties against those listed in the cas docs for 6.4. There 
>>> may be some name changes.
>>>
>>> Ray
>>>
>>> On Thu, 2021-12-02 at 12:22 -0800, Rod B wrote:
>>>
>>> Notice: This message was sent from outside the University of Victoria 
>>> email system. Please be cautious with links and sensitive information. 
>>>
>>> Ok, I've sanitized the catalina.out log with the debug info. Nothing 
>>> really sticks out to me. I see SSO is enabled. The only thing I do see is 
>>> in the INFO section the CAS server doesn't know it's IP? 
>>>
>>> SERVER IP ADDRESS: unknown
>>>
>>> However because SSO works logging into the same test site repeatedly, I 
>>> think something else is afoot.
>>>
>>> So the this debug log captures me going to the test site, being 
>>> redirected to the CAS login page and then redirected to the test site. Then 
>>> the next set of events is when I attempt to go to 
>>> https://www.google.com/calendar/hosted/testdomain.ca. I stopped it when 
>>> I was redirected to the CAS login page, because I thought this is the bit 
>>> that should have captured the cookie being requested from my browser to SSO 
>>> me in.
>>>
>>> Thanks again for the eyes on this!
>>>
>>> Rod
>>>
>>> On Thursday, 2 December 2021 at 10:36:41 UTC-8 Rod B wrote:
>>>
>>> Hi Ray, 
>>>
>>> I have confirmed there are no stale TGC's hanging around. Once we sign 
>>> into the test site, opening another tab and going to the same test web page 
>>> is SSO'd. It also works when I remove the Session cookie, open another tab 
>>> and go to the same test site.
>>>
>>> When I open an incognito browser, authenticate through the CAS page and 
>>> am redirected to the registered test site. I think as expected no session 
>>> cookie is set, however when I open a browser tab and put in the URL for the 
>>> test site, I'm properly logged into the site through SSO.
>>>
>>> The issue is happening where I authenticate through 

Re: [cas-user] log4j vulnerability remediation

[Andy Ng]

And... 2.17.1 is out as well.

On Tuesday, 21 December 2021 at 03:50:00 UTC+8 Pablo Vidaurri wrote:

>
> 2.17.0 is actually out now
> On Thursday, December 16, 2021 at 2:27:13 PM UTC-6 Raph C wrote:
>
>> Hi,
>>
>> You have to exclude log4j* from WEB-INF/lib form overlay plugin and add 
>> correct version as dependency( use 2.16.0 instead, a new CVE appeared on 
>> Tuesday)
>> Regards,
>>
>> Le mar. 14 déc. 2021 à 17:02, apereo_cas_user  a 
>> écrit :
>>
>>> We use cas 6.1.7  overlay template [still in pre-prod] for delegated 
>>> authentication.
>>> As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and 
>>> bounced tomcat.
>>> Is there a way we can exclude 2.12.1 from the build . [I can pull in 
>>> 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have issues 
>>> when upgrading to 6.3.7.2 
>>>
>>> Thanks
>>>
>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>>
>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org
>>>  
>>> 
>>> .
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5fb5c6d4-0a05-4f00-a4a1-a1afa89cce21n%40apereo.org.

Re: [cas-user] Re: Cas 6.1 SSO not working [for our configuration, requesting help]

[Andy Ng]

Hi Rod,

Agree with Ray, your cas.properties does not seems to have any out of the 
ordinary config.

Not able to see any issue with the log as well, but the cookie doesn't 
seems to works when you open Google Apps

Since I also don't know what is the issue, let's go through some 
alternative solution just want to make sure it is not some browser issue:
- Is your website or google loaded in an iframe?
  - Modern browser and iframe does not work really well together
- In the CAS properties for 6.2 forward, there is a config called 
"same-site-policy"
  
- 
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#cookie-properties
  - In some cases I found that I need to set TGC cookie same site policy to 
*none 
*in order for the SSO to load
  - You can try modifying it directly using Chrome debugger, see if the SSO 
show after the change
- You can try different browser
- You can try disable all cookie blocking mechanism for the browser (e.g. 
3rd party cookie block, same site policy restriction, etc)
- Double check both your website and Google App are pointing to the same 
CAS domain (CAS server itself cannot be set using multiple domain)


Well, if the above not helping, then might be an CAS bug, maybe update to 
using a different CAS version then 6.1 and see if it works better?

Cheers!
- Andy




On Friday, 3 December 2021 at 06:00:29 UTC+8 Ray Bon wrote:

> Rod,
>
> Nothing looks out of the ordinary in the log (except the lack of SSO).
> Is it possible that the ticket store is not working/configured correctly?
>
> Check the properties against those listed in the cas docs for 6.4. There 
> may be some name changes.
>
> Ray
>
> On Thu, 2021-12-02 at 12:22 -0800, Rod B wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
> Ok, I've sanitized the catalina.out log with the debug info. Nothing 
> really sticks out to me. I see SSO is enabled. The only thing I do see is 
> in the INFO section the CAS server doesn't know it's IP? 
>
> SERVER IP ADDRESS: unknown
>
> However because SSO works logging into the same test site repeatedly, I 
> think something else is afoot.
>
> So the this debug log captures me going to the test site, being redirected 
> to the CAS login page and then redirected to the test site. Then the next 
> set of events is when I attempt to go to 
> https://www.google.com/calendar/hosted/testdomain.ca. I stopped it when I 
> was redirected to the CAS login page, because I thought this is the bit 
> that should have captured the cookie being requested from my browser to SSO 
> me in.
>
> Thanks again for the eyes on this!
>
> Rod
>
> On Thursday, 2 December 2021 at 10:36:41 UTC-8 Rod B wrote:
>
> Hi Ray, 
>
> I have confirmed there are no stale TGC's hanging around. Once we sign 
> into the test site, opening another tab and going to the same test web page 
> is SSO'd. It also works when I remove the Session cookie, open another tab 
> and go to the same test site.
>
> When I open an incognito browser, authenticate through the CAS page and am 
> redirected to the registered test site. I think as expected no session 
> cookie is set, however when I open a browser tab and put in the URL for the 
> test site, I'm properly logged into the site through SSO.
>
> The issue is happening where I authenticate through the test site and then 
> attempt to go to https://www.google.com/calendar/hosted/testdomain.ca
> I'm redirected to the CAS login page.
>
> Whereas with our very old implementation the SSO kicks in and works.
>
> I'll look up how to increase logging in the CAS server.
>
> Thank you,
>
> Rod
>
> On Thursday, 2 December 2021 at 09:59:46 UTC-8 Ray Bon wrote:
>
> Rod,
>
> Use your browser developer tools to see the TGC sent from and to cas. 
> Verify that there are no stale TGCs (there should only be one and it should 
> not change during an sso session).
> Does this behaviour happen in a new private window?
>
> You can test repeated logins to your test app by removing its session 
> cookie (NOT the TGC). This should trigger the test app to go to cas where 
> you 'should' be SSOed.
>
> You may want to turn up logging on the cas server to see what it thinks is 
> going on.
>
> Ray
>
> On Thu, 2021-12-02 at 08:50 -0800, Rod B wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
>
> Hi Andy, 
>
> I've attached our cleansed cas.properties file. We do use https. I'm also 
> including our virtual hosts set up that shows we redirect to https if a 
> http request to the CAS server come

[cas-user] Re: Cas 6.1 SSO not working

[Andy Ng]

Hi Rod,

Usually this happen when you setup your CAS as *http *instead of https.
- When CAS is in http, SSO will not work. Making sure it is https should 
make it work again.
- The services you provided seems fine, didn't see any issue on them.
- But the ssoEnabled part should be not neccesary since that would be the 
default

If the above still not able to solve your issue, then you might need to 
provide a little bit more information, like a full cas.properties 
(sensitive data removed of course). 

Cheers!
- Andy

On Thursday, 2 December 2021 at 08:49:09 UTC+8 rodbal...@gmail.com wrote:

> Hello Everyone!
>
> I'm held up deploying 6.4.2 so I'm back on 6.1 for the Google App 
> integration provided by it.
>
> I'm able to log into a testing site in the /etc/cas/services directory. 
> I'm redirected to the CAS login page. Once I authenticate, I continue to 
> the testing site.
>
> I'm also able to log into Google calendar where I'm redirected to the CAS 
> login page. Once I authenticate I continue to the Google calendar.
>
> However, when I log into the testing site and then attempt on another tab 
> go to Google calendar, I'm redirected to the CAS login page and not SSO'd 
> into Google Calendar.
>
> This happens also if I log into Google Calendar and then attempt to access 
> the testing site.
>
> I believe this is the relevant bits of the /etc/cas/config/cas.properties 
> file (I could be missing something)
>
>
> cas.tgc.crypto.encryption.key=**redacted**
> cas.tgc.crypto.signing.key=**redacted**
> cas.webflow.crypto.signing.key=**redacted**
> cas.webflow.crypto.encryption.key=**redacted**
>
> This is how it looks for the two /etc/cas/services JSON files:
>
> google_apps-44.json 
>
> {
>
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://www.google.com/a/example.com/acs;,
>   "name" : "Google Apps",
>   "theme" : "ourschool",
>   "id" : 44,
>   "accessStrategy" : {
> "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "ssoEnabled" : true
>   }
> "evaluationOrder" : 10
> }
> For the test site:
>
> {
> "@class" : "org.apereo.cas.services.RegexRegisteredService"
> "serviceId" : "http://cas-test.dev.ourschool.ca/wp-login.php*;,
> "name" : "CasTest",
> "id" : 1,
> "accessStrategy" : {
> "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
> "ssoEnabled" : true
>   }
> "theme" : "ourschool"
> "evaluationOrder" : 1
> }
> I'm thinking I'm missing something in cas.properties as I don't think I 
> need to put in the accessStrategy part, I was just seeing if it would work.
>
> I do see that a TGC cookie is granted on the browser.
>
> Thank you for any suggestions and help.
>
> Rod
>
>
>
>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/599c1e2d-625d-4468-b341-f3cf57549128n%40apereo.org.

Re: [cas-user] Potential Feature: QR Code as a Login "Badge"

[Andy Ng]

Hello Ben,

I am also interested in the login by badge mechanism, I am exploring if 
this feature would help SEN students easier access.

It is true that the major issue with your implementation is the security 
concern, making it a CAS module definitely helps with the security concern.

Another implementation issue would be how the QR code generating mechanism 
be implemented, since the QR code that need to be distributed to the SEN 
students need to be generated somewhere.

Cheers!
Andy

On Wednesday, 9 December 2020 at 11:33:43 UTC+8 bwin...@philasd.org wrote:

> Hi Lam,
>
> Thanks for replying! The way we have it working, and how we've envisioned 
> the module working thus far, follows this basic flow:
>
> 1. Johnny Student is in Kindergarten. His teacher has given him a QR code 
> that he can use to log in, instead of typing in his username and password.
> 2. When Johnny logs in, instead of typing in his credentials, he clicks a 
> button that says something like "QR Login".
> 3. His webcam turns on, and he holds his QR code in front of the camera.
> 4. The webcam reads and interprets the QR code, and sends the information 
> to the server for decryption.
> 5. The credentials are decrypted, and are posted to the login process as 
> if they had been typed in directly.
> 6. Johnny Student is logged in!
>
> For the Proof of Concept, we were able to insert some simple Javascript 
> into the main login page to turn on the camera and read the QR code, and 
> stood up a separate service to decrypt the results and send back the 
> credentials in plain text. Obviously, there are security concerns with this 
> (along with logistical concerns), so my hope is to build it as a CAS module 
> to alleviate these (and make it available for the community!).
>
> One of our big goals was to bring this ease of use (QR logins) without any 
> underlying change to how credentials are stored (or what needs to be 
> stored). To do this, the QR code itself is just a representation of the 
> user's encrypted login credentials. Because it's not it's own dedicated way 
> of logging in, only piggy-backing off the already existing credentials, it 
> should work with any underlying credential storage mechanism.
>
> I feel like I'm not explaining it as well as I could, and I'd be happy to 
> put together a little screencast showing how it works if that would be 
> helpful!
>
> Ben
>
> --
> *From: *"Nguyen Tran Thanh Lam" 
> *To: *"CAS Community" 
> *Sent: *Tuesday, December 8, 2020 8:33:36 PM
> *Subject: *Re: [cas-user] Potential Feature: QR Code as a Login "Badge"
>
> WARNING: This message originated from outside the School District of 
> Philadelphia.
> DO NOT CLICK links or open attachments unless you recognize the sender 
> and are expecting the email.
> Hi Ben,
> QR code is good way to replace typing password by keyboard. 
> If you can, please share how to integrated CAS and QR code. 
> In future, I think Facial recognition integrated with CAS should be 
> considered.
> Thank you.
> Lam
>
> Vào Th 4, 9 thg 12, 2020 vào lúc 03:55 Benjamin Winston <
> bwin...@philasd.org> đã viết:
>
>> Hi all!
>>
>> My name is Ben Winston, and I'm a developer at the School District of 
>> Philadelphia. We've been happy CAS users for a few years now, and we're 
>> always looking for new ways to improve the login process for our students.
>>
>> We've been experimenting with a new login methodology targeted towards 
>> students who do not have the ability to type in their credentials on a 
>> typical login form. Instead of using a keyboard, these students will be 
>> able to present a QR Code (containing their encrypted credentials), which 
>> is scanned by their device's webcam and automatically logs them in. The 
>> process is similar in concept to gaining access to a locked room with an 
>> RFID badge. We have implemented a Proof of Concept for this methodology as 
>> a separate service that exists alongside our CAS deployment, and we are 
>> exploring the possibility of writing a module for CAS to bring this 
>> functionality to the community at large.
>>
>> What I'm wondering is: is this a feature that would be of interest to the 
>> community? I would love to hear any feedback you have on this idea, and 
>> whether you would make use of this feature if it were available. As I 
>> mentioned, our target user base for this feature would be primarily users 
>> who have particular difficulty logging in with a typical login form (such 
>> as young students or students with an IEP), so this may be more interesting 
>> for K12 school districts than higher ed. I'm also happy to give a demo of 
>> what we have working if anyone is interested.
>>
>> Hope you're all staying safe!
>>
>> Ben 
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you 

Re: [EXTERNAL SENDER] [cas-user] CSP script-src breaks SAML functionality in 6.3.X?

[Andy Ng]

Dear all,

An alternative method would be to modify the saml2-post-binding.vm file 
directly:

In your cas project, add:
cas\src\main\resources\templates\saml2-post-binding.vm

And add hash / add nonce / do whatever you want to the file to satisfied CSP

For the actual content of saml2-post-binding.vm, you need to find it in 
shibboleth, or an unoffical reference would be 
here: 
https://github.com/zeigeist/opensaml/blob/master/saml/src/main/resources/templates/saml2-post-binding.vm

Cheers!
Andy


On Tuesday, 14 September 2021 at 19:39:38 UTC+8 ro...@mun.ca wrote:

> In case anyone runs into this situation, the solution was to enable 
> “unsafe-hashes” and add the hash for the inline script.
>
>  
>
> An example Apache directive:
>
>  
>
> 
>
>   Header set Content-Security-Policy: “script-src ‘unsafe-hashes’ ‘self’ 
> ‘sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='”
>
> 
>
>  
>
> Where the SHA256 hash is for the inline script 
> “document.forms[0].submit()”.
>
>  
>
>  
>
> *From:* cas-...@apereo.org  *On Behalf Of *Michael 
> Daniel Seymour
> *Sent:* Friday, September 3, 2021 12:49 PM
> *To:* CAS Community 
> *Subject:* [EXTERNAL SENDER] [cas-user] CSP script-src breaks SAML 
> functionality in 6.3.X?
>
>  
>
> Hi all,
>
>  
>
> I believe enabling the *script-src* Content Security Policy in Apache 
> will break SAML.
>
>  
>
> https://content-security-policy.com/script-src/
>
>  
>
> "The execution of all JS event handlers from inline HTML markup are 
> blocked default, onclick, onload, onmouseover, onsubmit, etc. You can get 
> them to work via a 'unsafe-hashes' source list expression, however that is 
> only supported on CSP Level 3 browsers."
>
>  
>
> The callback from CAS through to the SAML SP fails because it contains 
> some of these handlers. I have yet to try it, but possibly the 
> *unsafe-hashes* policy could be used. But, it is not the safe or 
> recommended way. They recommend refactoring the offending code.
>
> Page loaded from 
> https://cas.server.com/idp/profile/SAML2/Callback?entityId=ENTITYID=TICKET
>
>  
>
>
> 
> 
> 
> 
> 
> 
> 
> 
> Note: Since your browser does not support 
> JavaScript,
> you must press the Continue button once to proceed.
> 
> 
> 
>  method="post">
> 
>
>  
> 
>  value="SAMLRESPONSE"/>
> 
> 
> 
> 
> 
> 
> 
> 
> 
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+u...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/40ab7a36-8f57-41b0-afb1-ce790d9df43an%40apereo.org
>  
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/04592907-14cb-4300-867d-9aba1273f8c7n%40apereo.org.