Re: [cas-user] Help with CAS 4.0 AD
Any further suggestions on what might be causing the system to fail to authenticate users? Bind with manager password works. Certificates validate. sAMAccountName is set as the search filter. Any suggestions would be appreciated.

On Wed, Jun 24, 2015 at 8:26 AM, Mike Seiler michaelsei...@fuller.edu wrote:

Daniel,

Thanks for your response. I redeployed so that my log files would be fresh. I've attached the localhost log, the cas.log, and the catalina.out file to this email. Catalina.out has an enormous amount of DEBUG info; I hope it doesn't get in the way. I also deleted things before the system started loading secure certificates and connecting to the AD server (if you need the entire log, let me know and I'll resend). The cas and localhost logs don't seem to contain much at all.

If it helps shed some light, I built my system using this Git repo: https://github.com/UniconLabs/simple-cas4-overlay-template

And then added in the AD layer using this documentation: http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication

Thanks,
Mike

On Wed, Jun 24, 2015 at 6:39 AM, Daniel Fisher dfis...@vt.edu wrote:

On Tue, Jun 23, 2015 at 6:33 PM, Mike Seiler michaelsei...@fuller.edu wrote:

Daniel,

Thanks. I turned on the debug for Ldaptive, and got multiple lines of DEBUG, but none seems to indicate a full error that I can see. If I manually set useSSL to true (in deployerConfigContext), the application initializes fine and cas.log still shows authentication failed, but there are no other errors to indicate that something is wrong either in catalina.out or cas.log.

Sounds like your properties aren't being applied to the deployerConfigContext.xml.

The lines containing the useSSL and useStartTLS:

---
2015-06-23 15:12:46,814 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - initialized available queue: [org.ldaptive.pool.Queue@458045035::queueType=LIFO, queue=[org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6a3096d4, org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@630eaf38, org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@2021f8cc]]
2015-06-23 15:12:46,820 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - prune pool task scheduled for [org.ldaptive.pool.BlockingConnectionPool@1188516673::name=null, poolConfig=[org.ldaptive.pool.PoolConfig@1654322364::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@725194039::searchRequest=[org.ldaptive.SearchRequest@88681342::*baseDn=, searchFilter=*[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@397920599::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@587430635::provider=org.ldaptive.provider.jndi.JndiProvider@397aec42, config=[org.ldaptive.ConnectionConfig@892141193::ldapUrl=ldap://id.fuller.edu:636, connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@486207397::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@1427787790::trustCertificates=file:/etc/cas/id_app.pem, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], *useSSL=true, useStartTLS=false*, connectionInitializer=null]], initialized=false, availableCount=3, activeCount=0]

Your connection pool initialized successfully. You're likely having DN resolution issues, which may be further indication that your properties aren't being applied. If you post an entire log from a single authentication attempt I can probably point to the problem.

--Daniel Fisher

--
You are currently subscribed to cas-user@lists.jasig.org as: michaelsei...@fuller.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
*Michael Seiler* -- Systems Integration Engineer
Fuller Theological Seminary
Phone: (970) 306-6105
michaelsei...@fuller.edu

*Please NOTE:* I respond to email at 8 AM, 1PM, and at 4:30PM. If you need more immediate help, please contact TSS (626.584.5675) and they can route the issue to the appropriate person. If this is a business process life or death emergency, you may call me at the above number.
Re: [cas-user] Embedding username info in Service ticket
Something to consider - CAS is an authentication service, not a session manager. CAS will only generate a service ticket when the client's browser visits the CAS login page and authenticates (possibly automatically using their existing CAS session). Once your application has validated the service ticket, it should establish its own session management for that client. Don't redirect back to CAS every time the client accesses your website/service.

1000 authentications per second would be a lot! But you don't want to CAS-authenticate the user for each API call. Authenticate once, establish a session (cookie, token, whatever), and validate the session from then on.

Andy

On Mon, 29 Jun 2015, Ajay Madhavan wrote:

Hi Carl,

I do have a distributed system where I have multiple services. Imagine each service to be a host by itself. I use CAS for authenticating access to all services. I am expecting API scale to increase enormously, to close to say 1000 API per second or so. I was trying to understand if I could avoid network calls if each of these services were inside a host by themselves. I do understand the CAS protocol, just wanted to see if there was a secure way of scaling horizontally.

Regards
Ajay
Re: [cas-user] Embedding username info in Service ticket
Hi Carl,

I do have a distributed system where I have multiple services. Imagine each service to be a host by itself. I use CAS for authenticating access to all services. I am expecting API scale to increase enormously, to close to say 1000 API per second or so. I was trying to understand if I could avoid network calls if each of these services were inside a host by themselves. I do understand the CAS protocol, just wanted to see if there was a secure way of scaling horizontally.

Regards
Ajay

On Mon, Jun 29, 2015 at 1:33 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Service ticket validation is more or less integral to how CAS works. Maybe if you could explain a bit more in depth what you are trying to accomplish, it might make more sense to the members of the community, and you could receive better advice. Also, why do you believe there would be some kind of bottleneck validating service tickets? What kind of volume have you measured or are you expecting in terms of validations per unit of time?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
Re: [cas-user] Embedding username info in Service ticket
On Mon, 29 Jun 2015, Ajay Madhavan wrote:

I want to skip service validation. I want to distribute the validation among all my webapps where I can obtain the username from the service ticket. I still want to use CAS for service ticket generation.

If you don't validate the ST over a back-channel connection, then how do you prevent someone from spoofing the username? An attacker could put whatever they want in the ST value to become any other user. Validating the ST is a necessary step for security.

I don't understand what you mean by "distribute the validation among all my webapps".

Andy
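Andy's reply above (a username carried in the ticket is spoofable unless the ST is validated over the back channel) and his "authenticate once, establish a session, validate the session from then on" advice elsewhere in this thread are easier to see side by side in code. The following is an added example, not code from the thread or from the CAS project: a toy CAS issues opaque, single-use service tickets bound to one service; the application validates an ST exactly once and then checks a locally HMAC-signed session token on every request, so a burst of API calls never touches CAS. The service URLs, user names, token layout and class names are constructed for the example.

```python
"""Added example, not code from the thread or from the CAS project: a toy CAS
that issues opaque, single-use service tickets (ST) bound to one service, and
an app that validates an ST over the back channel exactly once, then mints its
own HMAC-signed session token and checks that locally on every later request.
Service URLs, user names and keys are constructed for the example."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class CasServer:
    """Stand-in for CAS ticket issue (/login) and back-channel /serviceValidate."""

    def __init__(self):
        self._tickets = {}          # st -> (service, user, issued_at)
        self.validation_calls = 0   # how often the back channel was hit

    def issue_service_ticket(self, user, service):
        # Opaque: random, carries no user data, bound to one service URL.
        st = "ST-" + secrets.token_urlsafe(32)
        self._tickets[st] = (service, user, time.time())
        return st

    def service_validate(self, st, service, max_age=300):
        """Consume the ticket; return the user it was issued for, or None."""
        self.validation_calls += 1
        entry = self._tickets.pop(st, None)   # single use: a replay finds nothing
        if entry is None:
            return None                        # unknown, forged or already consumed
        bound_service, user, issued_at = entry
        if bound_service != service or time.time() - issued_at > max_age:
            return None                        # issued for another service, or stale
        return user


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


class App:
    """One protected web app: validates the ST once, then runs its own session."""

    def __init__(self, service_url, cas, session_ttl=3600):
        self.service_url, self.cas, self.session_ttl = service_url, cas, session_ttl
        self._key = secrets.token_bytes(32)   # per-app secret, never shared

    def login(self, st, now=None):
        """Exchange a freshly received ST for a local session token (or None)."""
        user = self.cas.service_validate(st, self.service_url)
        if user is None:
            return None
        now = time.time() if now is None else now
        payload = json.dumps({"sub": user, "exp": now + self.session_ttl}).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)

    def authenticate_request(self, token, now=None):
        """Per-request check: an HMAC and an expiry comparison, no network call."""
        now = time.time() if now is None else now
        try:
            payload_b64, tag_b64 = token.split(".")
            payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        except ValueError:                      # malformed (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                         # payload edited or tag forged
        claims = json.loads(payload)
        return claims["sub"] if claims["exp"] >= now else None


def demo():
    """Run the exchange once and return the observable outcomes."""
    service, cas = "https://api.example.org/", CasServer()
    app = App(service, cas)
    st = cas.issue_service_ticket("alice", service)
    token = app.login(st)
    for _ in range(1000):                       # burst of API calls: CAS never sees them
        app.authenticate_request(token)
    cas_calls_after_burst = cas.validation_calls
    forged = _b64(json.dumps({"sub": "mallory", "exp": time.time() + 3600}).encode())
    forged += "." + token.split(".")[1]         # edited payload, original tag
    other_st = cas.issue_service_ticket("alice", "https://other.example.org/")
    return {
        "ticket_is_opaque": "alice" not in st,
        "session_user": app.authenticate_request(token),
        "cas_calls_after_1000_api_requests": cas_calls_after_burst,
        "replayed_ticket_rejected": app.login(st) is None,
        "wrong_service_ticket_rejected": app.login(other_st) is None,
        "edited_session_rejected": app.authenticate_request(forged) is None,
        "expired_session_rejected": app.authenticate_request(token, now=time.time() + 7200) is None,
    }
```

`demo()` returns the outcomes as a dict: the ticket string contains nothing about the user, the back channel is called once for the login and not again during the thousand API requests, a replayed or wrong-service ticket is refused by CAS, and an edited or expired session token is refused by the app itself. The binding between ticket and user lives only on the CAS side until validation, which is why no amount of local decryption of the ticket string can replace that call; after it, trust moves into the app's own key, which never leaves the app.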
Re: [cas-user] Embedding username info in Service ticket
I second what Andy says, and just want to add that service ticket validation is the necessary step in a secure CAS protocol, and the simple answer is - "no, you cannot skip the ST validation step".

Best,
Dmitriy.

On Jun 29, 2015, at 3:55 PM, Andrew Morgan mor...@orst.edu wrote:

On Mon, 29 Jun 2015, Ajay Madhavan wrote:

I want to skip service validation. I want to distribute the validation among all my webapps where I can obtain the username from the service ticket. I still want to use CAS for service ticket generation.

If you don't validate the ST over a back-channel connection, then how do you prevent someone from spoofing the username? An attacker could put whatever they want in the ST value to become any other user. Validating the ST is a necessary step for security.

I don't understand what you mean by "distribute the validation among all my webapps".

Andy
Re: [cas-user] Embedding username info in Service ticket
I do have a secure mechanism to encrypt my service ticket with the public key and then decrypt it later using the private key. Also, there are multiple webapps which are being protected by the CAS service and I don't want the service validate to be a bottleneck for each of those webapps. I know service ticket generation does do that. But I want to see if I can skip service validation at least.

Thanks
Ajay

On Mon, Jun 29, 2015 at 1:04 PM, Dmitriy Kopylenko dkopyle...@unicon.net wrote:

I second what Andy says, and just want to add that service ticket validation is the necessary step in a secure CAS protocol, and the simple answer is - "no, you cannot skip the ST validation step".

Best,
Dmitriy.
Re: [cas-user] Embedding username info in Service ticket
Service ticket validation is more or less integral to how CAS works. Maybe if you could explain a bit more in depth what you are trying to accomplish, it might make more sense to the members of the community, and you could receive better advice. Also, why do you believe there would be some kind of bottleneck validating service tickets? What kind of volume have you measured or are you expecting in terms of validations per unit of time?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

- Original Message -
From: Ajay Madhavan ajayma...@gmail.com
To: cas-user@lists.jasig.org
Sent: Monday, June 29, 2015 4:20:49 PM
Subject: Re: [cas-user] Embedding username info in Service ticket

I do have a secure mechanism to encrypt my service ticket with the public key and then decrypt it later using the private key. Also, there are multiple webapps which are being protected by the CAS service and I don't want the service validate to be a bottleneck for each of those webapps. I know service ticket generation does do that. But I want to see if I can skip service validation at least.

Thanks
Ajay
Re: [cas-user] Embedding username info in Service ticket
Exactly. To give you some perspective, the CAS service at Lafayette College never broke 500 authentications in a given *hour* in the last 24 hours.

Thanks,
Carl

On Jun 29, 2015 6:39 PM, Andrew Morgan mor...@orst.edu wrote:

Something to consider - CAS is an authentication service, not a session manager. CAS will only generate a service ticket when the client's browser visits the CAS login page and authenticates (possibly automatically using their existing CAS session). Once your application has validated the service ticket, it should establish its own session management for that client. Don't redirect back to CAS every time the client accesses your website/service.

1000 authentications per second would be a lot! But you don't want to CAS-authenticate the user for each API call. Authenticate once, establish a session (cookie, token, whatever), and validate the session from then on.

Andy
Re: [cas-user] Help with CAS 4.0 AD
On Mon, Jun 29, 2015 at 1:28 PM, Mike Seiler michaelsei...@fuller.edu wrote:

Any further suggestions on what might be causing the system to fail to authenticate users? Bind with manager password works. Certificates validate. sAMAccountName is set as the search filter. Any suggestions would be appreciated.

I didn't see the LDAP authentication component being exercised. Your LDAP pools initialize correctly, but the authentication handler does not appear to use them. I don't know enough about the v4 config to say what's wrong, but I would look for something fundamental in the authentication wiring, not in the LDAP config.

--Daniel Fisher
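Daniel's diagnosis is about wiring rather than LDAP settings, so here is an added illustration of the shape a CAS 4.0 deployerConfigContext.xml takes when the LDAP handler is actually registered with the authentication manager. It is not Mike's configuration and not the CAS project's shipped file: the bean ids, the `${ldap.*}` property names, the `p:`/`c:` namespace prefixes and the pool sizes are assumptions, while the CAS and ldaptive class names are the ones the 4.0.x LDAP documentation linked in the thread uses. Two things to check against a log like the one Mike posted: that the `ConnectionConfig` values in the DEBUG pool dump (`ldapUrl`, `useSSL`, `useStartTLS`, `trustCertificates`) match what the property file says, and that the LDAP handler bean is a key in the `authenticationManager` map, because a pool that initializes at startup is still never used if the map lists only the default handler.

```xml
<!-- Added example, not configuration from the thread. Assumes the <beans> root declares
     the p: and c: Spring namespaces and that a property-placeholder configurer resolves
     the ${ldap.*} names from the overlay's cas.properties. -->

<!-- 1. Handler registration. This map is what sends credentials to a handler; an LDAP
        pool that initializes at startup is still never exercised if the LDAP handler
        is not a key here, which matches "authentication failed" with no LDAP errors. -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
  <constructor-arg>
    <map>
      <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
      <entry key-ref="ldapAuthenticationHandler"  value-ref="primaryPrincipalResolver" />
    </map>
  </constructor-arg>
</bean>

<!-- 2. CAS handler -> ldaptive Authenticator -> DN resolver + bind handler. -->
<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="sAMAccountName"
      c:authenticator-ref="authenticator" />

<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="dnResolver"
      c:handler-ref="authHandler" />

<!-- Find the user's DN with the manager account (search pool), then bind as the user
     (bind pool). The user filter is where sAMAccountName belongs. -->
<bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
      p:baseDn="${ldap.baseDn}"
      p:subtreeSearch="true"
      p:allowMultipleDns="false"
      p:connectionFactory-ref="searchPooledLdapConnectionFactory"
      p:userFilter="(sAMAccountName={user})" />

<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
      p:connectionFactory-ref="bindPooledLdapConnectionFactory" />

<!-- 3. Connection settings. These are the values the DEBUG pool line dumps
        (ldapUrl, useSSL, useStartTLS, trustCertificates); compare them with
        cas.properties to confirm the placeholders are resolved from that file. -->
<bean id="abstractConnectionConfig" abstract="true" class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="${ldap.url}"
      p:connectTimeout="${ldap.connectTimeout}"
      p:useSSL="${ldap.useSSL}"
      p:useStartTLS="${ldap.useStartTLS}"
      p:sslConfig-ref="sslConfig" />

<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
  <property name="credentialConfig">
    <bean class="org.ldaptive.ssl.X509CredentialConfig"
          p:trustCertificates="${ldap.trustedCert}" />
  </property>
</bean>

<!-- The search pool binds as the manager account; the bind pool binds as the user. -->
<bean id="searchConnectionConfig" parent="abstractConnectionConfig"
      p:connectionInitializer-ref="managerBind" />
<bean id="bindConnectionConfig" parent="abstractConnectionConfig" />

<bean id="managerBind" class="org.ldaptive.BindConnectionInitializer"
      p:bindDn="${ldap.managerDn}">
  <property name="bindCredential">
    <bean class="org.ldaptive.Credential" c:password="${ldap.managerPassword}" />
  </property>
</bean>

<!-- 4. Pools and pooled factories, one pair per connection config. -->
<bean id="abstractConnectionPool" abstract="true"
      class="org.ldaptive.pool.BlockingConnectionPool" init-method="initialize"
      p:poolConfig-ref="ldapPoolConfig" />
<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
      p:minPoolSize="3" p:maxPoolSize="10" p:validatePeriodically="true" />

<bean id="searchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="searchConnectionConfig" />
<bean id="searchConnectionPool" parent="abstractConnectionPool"
      p:connectionFactory-ref="searchConnectionFactory" />
<bean id="searchPooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
      p:connectionPool-ref="searchConnectionPool" />

<bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="bindConnectionConfig" />
<bean id="bindConnectionPool" parent="abstractConnectionPool"
      p:connectionFactory-ref="bindConnectionFactory" />
<bean id="bindPooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
      p:connectionPool-ref="bindConnectionPool" />
```

With the handler registered, a failed login leaves a trace in the ldaptive DEBUG output of the search pool (the DN lookup) and the bind pool (the user bind), which is the "authentication component being exercised" that Daniel was looking for in the posted logs; with only the pool-initialization lines present, the handler itself is the first suspect.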
Re: [cas-user] Embedding username info in Service ticket
On Mon, 29 Jun 2015, Ajay Madhavan wrote:

Is there any way to embed the username in the service ticket being generated? I see support to add a suffix and even work on the random generator. But I don't see any way to add context like username in the service ticket. Meaning embed it.

The Service Ticket is an opaque identifier that is valid for one time. The username can be retrieved when the ST is validated. What is your use case?

Andy
Re: [cas-user] Embedding username info in Service ticket
I want to skip service validation. I want to distribute the validation among all my webapps where I can obtain the username from the service ticket. I still want to use CAS for service ticket generation.

Ajay

On Mon, Jun 29, 2015 at 12:31 PM, Andrew Morgan mor...@orst.edu wrote:

On Mon, 29 Jun 2015, Ajay Madhavan wrote:

Is there any way to embed the username in the service ticket being generated? I see support to add a suffix and even work on the random generator. But I don't see any way to add context like username in the service ticket. Meaning embed it.

The Service Ticket is an opaque identifier that is valid for one time. The username can be retrieved when the ST is validated. What is your use case?

Andy