RE: [cas-user] single log out and login-webflow.xml

2015-08-14 Thread Misagh Moayyed 
Regardless of how your TGT expires, when it does and whether it's manual
or automatic via the expiration policy, SLO will initiate. You no longer
have an SSO session, and you will be logged out every application you have
authenticated to via CAS. 

 

Starting with 4.1 I think, you will have the ability to turn off SLO on a
per application basis. If you have applications that tend to stay in use
longer than your SSO session, you can exclude those from SLO, and when the
user logs out, simply redirect that logout to the CAS logout and kill the
session entirely. 

 

Another possibility is, your CAS client could keep your session alive by
sending a heartbeat signal. This depends on your application and the
client, whether it provides that feature. Even with that capability,
assuming you use the default expiration policy the signal is only going to
extend your inactivity timeout. Once you pass the hard timeout on the
application side, you're back to the same issue. 

 

Most tend to turn off SLO entirely, for reasons that are SLO-specific and
less CAS-specific some of which you have run into. 

 

 

From: Lapanja, Bob@POST [mailto:bob.lapa...@post.ca.gov] 
Sent: Thursday, August 13, 2015 2:10 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] single log out and login-webflow.xml

 

Using 4.0.0

 

I'm configuring single log out on some services and I have encountered a
situation I would appreciate some clarity on.  For this particular use
case, we want the logout callback to be called if the user visits
/cas/logout directly, but not when the TGT expires and is cleared out by
the registry cleaner (accomplished thanks to logUserOutOfServices).  Some
users may spend a long time working in a single application.  However,
after doing some testing, I came across a third situation I hadn't
considered.

 

The user signs into ServiceA and continues actively using it, keeping the
application session alive past the point where the TGT expires.  The user
then attempts to sign into ServiceB.  At this point, it seems that
login-webflow checks the TGT for validity, and if it is invalid calls
terminateSessionAction.terminate, which fires the logout callbacks and
logs the user out of ServiceA.  Since this seems to be the same function
called during logout-webflow, does that mean that this scenario must be
considered to be the same as if the user explicitly visited /cas/logout,
triggering the same logout callbacks?

 

Since some (many) of our users have no concept of the distinction between
the application session and the PASS session, the logout could be
unexpected and the aborting of their active work could be frustrating.  Am
I missing something relevant about how people manage SLO's and users that
may spend a lot of time in a single application at a time?

 

Thank you for any information.

 

-bob

 
-- 
You are currently subscribed to cas-user@lists.jasig.org
mailto:cas-user@lists.jasig.org  as: mmoay...@unicon.net
mailto:mmoay...@unicon.net 
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] CAS protocol flow sequence: AuthN then check service registry?

2015-08-14 Thread Baron Fujimoto 
Sorry, I should have included that. Version 3.4.11.

On Thu, Aug 13, 2015 at 10:42:17PM -0700, Misagh Moayyed wrote:
 But wouldn't it be better to check against the registry first and
disallowing unauthorized service URLs before bothering with
authentication?

What CAS version are you on? That is the exact current behavior. 

 -Original Message-
 From: Baron Fujimoto [mailto:ba...@hawaii.edu]
 Sent: Thursday, August 13, 2015 8:54 PM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] CAS protocol flow sequence: AuthN then check service
 registry?
 
 Given the following scenario:
 
 CAS URL: https://cas.example.com
 Bogus unauthorized service URL: https://bogus.example.net Real
authorized
 serviceURL : https://authorized.example.org
 
 User is tricked (by phish, perhaps) to visit
 https://cas.example.com/cas/login?service=https://bogus.example.net
 
 The user does not have an SSO session, so is presented with the CAS
Login
 Form.
 
 The user submits the form with the username, password, and login ticket
 POSTed in the body.
 
 CAS authenticates the user and creates/sets an SSO session CASTGT cookie
 in the user's browser which contains the session key for the SSO session
 (TGT).
 
 It appears that at this point, CAS verifies the ?service= parameter
 against the registry of authorized service URLs. The user is presented
 with the Application Not Authorized error.
 
 However, by now the user has a valid TGT, and if they subsequently visit
 https://authorized.example.org, they will be able to utilize it to
login
 via SSO.
 
 Is there any reason for concern here? I believe the scope of exposure is
 only limited to anyone who has access to the browser session (e.g.
 say, a publically accessible computer). But wouldn't it be better to
check
 against the registry first and disallowing unauthorized service URLs
 before bothering with authentication? Or perhaps destroying the TGT if
the
 service URL is unauthorized?
 
 Or am I missing something, or perhaps some best practices configuration
of
 CAS to mitigate against this sort of situation?
 
 -baron
 --
 Baron Fujimoto ba...@hawaii.edu :: UH Information Technology Services
 minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
 
 --
 You are currently subscribed to cas-user@lists.jasig.org as:
 mmoay...@unicon.net To unsubscribe, change settings or access archives,
 see http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to cas-user@lists.jasig.org as: ba...@hawaii.edu
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re:[cas-user] Attribute Release

2015-08-14 Thread Ray Bon 
Chris,


Clearly I did not look closely enough at the logs.

In the log you have Created seed map='{username=[cirwin]}' for uid='cirwin'

followed by Generated query builder 'null' from query Map {username=[cirwin]}


In my log between these two lines I get Adding attribute 'uid' with value 
'[rbon]' to query builder 'null'

followed by Generated query builder '(uid=rbon)' from query Map 
{username=[rbon]}​


In your configuration you have util:map id=queryAttributeMap
   entry key=user value=uid /
  /util:map


Try changing the key in the configuration from 'user' to 'username'.


Ray



From: Chris Irwin chris.ir...@sadasystems.com
Sent: August 14, 2015 05:02
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] Attribute Release

Ray,

In the log below you can see the results of the query.  You can also see the 
attributes I have listed in the ldapAuthenticationHandler’s 
principalAttributeMap get returned in the “Found principal attribute”  This is 
what I want to return back to the app but all I’m getting is the following:

cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'
cas:authenticationSuccess
cas:usercirwin/cas:user


/cas:authenticationSuccess
/cas:serviceResponse

I thought I just needed to wire up so that the attributes resolved here are 
released:

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[chris.ir...@sadasystems.com]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Chris Irwin]]

Is that different?

Chris
From: Ray Bon [mailto:r...@uvic.ca]
Sent: Thursday, August 13, 2015 6:17 PM
To: cas-user@lists.jasig.org
Subject: Re:[cas-user] Attribute Release


​Check what attributes are being released from your LDAP server.

The items in the LDAP response may be provided as part of the authenticated 
user info but not necessarily the released attributes.



Ray


From: Chris Irwin 
chris.ir...@sadasystems.commailto:chris.ir...@sadasystems.com
Sent: August 13, 2015 13:58
To: cas-user@lists.jasig.orgmailto:cas-user@lists.jasig.org
Subject: [cas-user] Attribute Release


I'm not sure what i'm missing here.  I can see the attributes resolved but they 
are never released to the client:



2015-08-13 16:31:20,456 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP 
authentication for cirwin+password
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@110158567::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
 ldapEntry=[dn=CN=Chris 
Irwin,OU=SADA,OU=Consultants,dc=root,dc=njcu[[mail[chris.ir...@sadasystems.com]],
 [uSNCreated[75502415]], [description[SADA Consultant]], 
[whenChanged[20150805152738.0Z]], [objectClass[top, person, 
organizationalPerson, user]], [primaryGroupID[513]], [givenName[Chris]], 
[objectGUID[??D?a??[??]], [objectSid[    q??K9?l??u??V  ]], 
[instanceType[4]], [whenCreated[20150410141222.0Z]], 
[dSCorePropagationData[20150520202442.0Z, 20150410142342.0Z, 
1601010100.0Z]], [sn[Irwin]], [userAccountControl[66048]], 
[lastLogonTimestamp[130832620538887202]], [cn[Chris Irwin]], 
[sAMAccountName[CIrwin]], [sAMAccountType[805306368]], 
[userPrincipalName[cir...@njcu.edu]], [displayName[Chris Irwin]], 
[pwdLastSet[130731491217059125]], [name[Chris Irwin]], 
[objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]], 
[distinguishedName[CN=Chris Irwin,OU=SADA,OU=Consultants,DC=root,DC=njcu]], 
[memberOf[CN=rdpadmins,CN=Users,DC=root,DC=njcu, 
CN=VPN,CN=Users,DC=root,DC=njcu, CN=Domain Admins,CN=Users,DC=root,DC=njcu]], 
[uSNChanged[90371268]]], responseControls=null, messageId=-1], 
accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found

RE: [cas-user] Attribute Release

2015-08-14 Thread Misagh Moayyed 
You are not getting anything from CAS because you’re not allowing any 
attributes to be released. Your logs/config show you’re only resolving 
attributes. Your service registry needs to release them next.



See:

http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html



From: Ray Bon [mailto:r...@uvic.ca]
Sent: Friday, August 14, 2015 10:25 AM
To: cas-user@lists.jasig.org
Subject: Re:[cas-user] Attribute Release



Chris,



Clearly I did not look closely enough at the logs.

In the log you have Created seed map='{username=[cirwin]}' for 
uid='cirwin'

followed by Generated query builder 'null' from query Map 
{username=[cirwin]}



In my log between these two lines I get Adding attribute 'uid' with value 
'[rbon]' to query builder 'null'

followed by Generated query builder '(uid=rbon)' from query Map 
{username=[rbon]}​



In your configuration you have util:map id=queryAttributeMap
   entry key=user value=uid /
  /util:map



Try changing the key in the configuration from 'user' to 'username'.



Ray



  _

From: Chris Irwin chris.ir...@sadasystems.com 
mailto:chris.ir...@sadasystems.com 
Sent: August 14, 2015 05:02
To: cas-user@lists.jasig.org mailto:cas-user@lists.jasig.org
Subject: RE:[cas-user] Attribute Release



Ray,



In the log below you can see the results of the query.  You can also see the 
attributes I have listed in the ldapAuthenticationHandler’s 
principalAttributeMap get returned in the “Found principal attribute”  This 
is what I want to return back to the app but all I’m getting is the 
following:



cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'

cas:authenticationSuccess

cas:usercirwin/cas:user





/cas:authenticationSuccess

/cas:serviceResponse



I thought I just needed to wire up so that the attributes resolved here are 
released:



2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[CIrwin]]

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[Chris Irwin]]

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Chris]]

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Irwin]]

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[chris.ir...@sadasystems.com]]

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Chris Irwin]]



Is that different?



Chris

From: Ray Bon [mailto:r...@uvic.ca]
Sent: Thursday, August 13, 2015 6:17 PM
To: cas-user@lists.jasig.org mailto:cas-user@lists.jasig.org
Subject: Re:[cas-user] Attribute Release



​Check what attributes are being released from your LDAP server.

The items in the LDAP response may be provided as part of the authenticated 
user info but not necessarily the released attributes.



Ray

  _

From: Chris Irwin chris.ir...@sadasystems.com 
mailto:chris.ir...@sadasystems.com 
Sent: August 13, 2015 13:58
To: cas-user@lists.jasig.org mailto:cas-user@lists.jasig.org
Subject: [cas-user] Attribute Release



I'm not sure what i'm missing here.  I can see the attributes resolved but 
they are never released to the client:



2015-08-13 16:31:20,456 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP 
authentication for cirwin+password
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@110158567::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
 
ldapEntry=[dn=CN=Chris 
Irwin,OU=SADA,OU=Consultants,dc=root,dc=njcu[[mail[chris.ir...@sadasystems.com]],
 
[uSNCreated[75502415]], [description[SADA Consultant]], 
[whenChanged[20150805152738.0Z]], [objectClass[top, person, 
organizationalPerson, user]], [primaryGroupID[513]], [givenName[Chris]], 
[objectGUID[??D?a??[??]], [objectSid[    q??K9?l??u??V  ]], 
[instanceType[4]], [whenCreated[20150410141222.0Z]], 
[dSCorePropagationData[20150520202442.0Z, 20150410142342.0Z, 
1601010100.0Z]], [sn[Irwin]], [userAccountControl[66048]], 
[lastLogonTimestamp[130832620538887202]], [cn[Chris Irwin]], 
[sAMAccountName[CIrwin]], [sAMAccountType[805306368]], 
[userPrincipalName[cir...@njcu.edu]], [displayName[Chris Irwin]], 
[pwdLastSet[130731491217059125]], [name[Chris Irwin]], 
[objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]], 
[distinguishedName[CN=Chris Irwin,OU=SADA,OU=Consultants,DC=root,DC=njcu]], 
[memberOf[CN=rdpadmins,CN=Users,DC=root,DC=njcu, 
CN=VPN,CN=Users,DC=root,DC=njcu, CN=Domain 
Admins,CN=Users,DC=root,DC=njcu]], [uSNChanged[90371268]]], 
responseControls=null, messageId=-1], accountState=null, result=true, 
resultCode=SUCCESS, message=null,

Re: [cas-user] CAS protocol flow sequence: AuthN then check service registry?

2015-08-14 Thread Dmitriy Kopylenko 
Yep, that’s old. That was the behavior which was changed to check service 
authorization before the author transaction start in 3.5.1+ (I don’t remember 
the exact 3.5.x version where it went in).

Cheers,
Dmitriy.

 On Aug 14, 2015, at 1:59 PM, Baron Fujimoto ba...@hawaii.edu wrote:
 
 Sorry, I should have included that. Version 3.4.11.
 
 On Thu, Aug 13, 2015 at 10:42:17PM -0700, Misagh Moayyed wrote:
 But wouldn't it be better to check against the registry first and
 disallowing unauthorized service URLs before bothering with
 authentication?
 
 What CAS version are you on? That is the exact current behavior. 
 
 -Original Message-
 From: Baron Fujimoto [mailto:ba...@hawaii.edu]
 Sent: Thursday, August 13, 2015 8:54 PM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] CAS protocol flow sequence: AuthN then check service
 registry?
 
 Given the following scenario:
 
 CAS URL: https://cas.example.com
 Bogus unauthorized service URL: https://bogus.example.net Real
 authorized
 serviceURL : https://authorized.example.org
 
 User is tricked (by phish, perhaps) to visit
 https://cas.example.com/cas/login?service=https://bogus.example.net
 
 The user does not have an SSO session, so is presented with the CAS
 Login
 Form.
 
 The user submits the form with the username, password, and login ticket
 POSTed in the body.
 
 CAS authenticates the user and creates/sets an SSO session CASTGT cookie
 in the user's browser which contains the session key for the SSO session
 (TGT).
 
 It appears that at this point, CAS verifies the ?service= parameter
 against the registry of authorized service URLs. The user is presented
 with the Application Not Authorized error.
 
 However, by now the user has a valid TGT, and if they subsequently visit
 https://authorized.example.org, they will be able to utilize it to
 login
 via SSO.
 
 Is there any reason for concern here? I believe the scope of exposure is
 only limited to anyone who has access to the browser session (e.g.
 say, a publically accessible computer). But wouldn't it be better to
 check
 against the registry first and disallowing unauthorized service URLs
 before bothering with authentication? Or perhaps destroying the TGT if
 the
 service URL is unauthorized?
 
 Or am I missing something, or perhaps some best practices configuration
 of
 CAS to mitigate against this sort of situation?
 
 -baron
 --
 Baron Fujimoto ba...@hawaii.edu :: UH Information Technology Services
 minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
 
 --
 You are currently subscribed to cas-user@lists.jasig.org as:
 mmoay...@unicon.net To unsubscribe, change settings or access archives,
 see http://www.ja-sig.org/wiki/display/JSG/cas-user
 
 -- 
 You are currently subscribed to cas-user@lists.jasig.org as: ba...@hawaii.edu
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user
 
 -- 
 You are currently subscribed to cas-user@lists.jasig.org as: 
 dkopyle...@unicon.net
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] CAS protocol flow sequence: AuthN then check service registry?

2015-08-14 Thread Baron Fujimoto 
Ok, thanks, that's helpful info. How backwards compatible is 3.5.x (or
3.6?) to 3.4x with regard to their configs? I'm assuming there's even more
drift to the 4x stuff. I'm trying to get sense of what upgrading will
entail. In the old docs, there are some guidelines for updating within the
3.4x or within the 3.5x lines, but not from 3.4x to other minor or major
releases that I found. I did not find it in the newer
http://jasig.github.io/ docs either, but I'm happy to RTFM if someone can
provide a pointer (a search feature for the documentation may be helpful?).

Aloha,
-baron

On Fri, Aug 14, 2015 at 02:02:01PM -0400, Dmitriy Kopylenko wrote:
Yep, that’s old. That was the behavior which was changed to check service 
authorization before the author transaction start in 3.5.1+ (I don’t remember 
the exact 3.5.x version where it went in).

Cheers,
Dmitriy.

 On Aug 14, 2015, at 1:59 PM, Baron Fujimoto ba...@hawaii.edu wrote:
 
 Sorry, I should have included that. Version 3.4.11.
 
 On Thu, Aug 13, 2015 at 10:42:17PM -0700, Misagh Moayyed wrote:
 But wouldn't it be better to check against the registry first and
 disallowing unauthorized service URLs before bothering with
 authentication?
 
 What CAS version are you on? That is the exact current behavior. 
 
 -Original Message-
 From: Baron Fujimoto [mailto:ba...@hawaii.edu]
 Sent: Thursday, August 13, 2015 8:54 PM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] CAS protocol flow sequence: AuthN then check service
 registry?
 
 Given the following scenario:
 
 CAS URL: https://cas.example.com
 Bogus unauthorized service URL: https://bogus.example.net Real
 authorized
 serviceURL : https://authorized.example.org
 
 User is tricked (by phish, perhaps) to visit
 https://cas.example.com/cas/login?service=https://bogus.example.net
 
 The user does not have an SSO session, so is presented with the CAS
 Login
 Form.
 
 The user submits the form with the username, password, and login ticket
 POSTed in the body.
 
 CAS authenticates the user and creates/sets an SSO session CASTGT cookie
 in the user's browser which contains the session key for the SSO session
 (TGT).
 
 It appears that at this point, CAS verifies the ?service= parameter
 against the registry of authorized service URLs. The user is presented
 with the Application Not Authorized error.
 
 However, by now the user has a valid TGT, and if they subsequently visit
 https://authorized.example.org, they will be able to utilize it to
 login
 via SSO.
 
 Is there any reason for concern here? I believe the scope of exposure is
 only limited to anyone who has access to the browser session (e.g.
 say, a publically accessible computer). But wouldn't it be better to
 check
 against the registry first and disallowing unauthorized service URLs
 before bothering with authentication? Or perhaps destroying the TGT if
 the
 service URL is unauthorized?
 
 Or am I missing something, or perhaps some best practices configuration
 of
 CAS to mitigate against this sort of situation?
 
 -baron
 --
 Baron Fujimoto ba...@hawaii.edu :: UH Information Technology Services
 minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
 
 --
 You are currently subscribed to cas-user@lists.jasig.org as:
 mmoay...@unicon.net To unsubscribe, change settings or access archives,
 see http://www.ja-sig.org/wiki/display/JSG/cas-user
 
 -- 
 You are currently subscribed to cas-user@lists.jasig.org as: 
 ba...@hawaii.edu
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user
 
 -- 
 You are currently subscribed to cas-user@lists.jasig.org as: 
 dkopyle...@unicon.net
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
You are currently subscribed to cas-user@lists.jasig.org as: ba...@hawaii.edu
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
Baron Fujimoto ba...@hawaii.edu :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Attribute Release

2015-08-14 Thread Chris Irwin 
Misagh,

I have the LDAP component using this example:

bean id=ldapPersonAttributeDao
  class=org.jasig.cas.persondir.LdapPersonAttributeDao
  p:connectionFactory-ref=pooledLdapConnectionFactory
  p:baseDN=${ldap.baseDn}
  p:searchControls-ref=searchControls
  p:searchFilter=mail={0}
property name=resultAttributeMapping
map
!--
   | Key is LDAP attribute name, value is principal attribute name.
   --
entry key=member value=member /
entry key=mail value=mail /
entry key=displayName value=displayName /
/map
/property
/bean

I believe I need to add this as well:

bean class=org.jasig.cas.services.RegisteredServiceImpl
  property name=id value=0 /
  property name=name value=HTTPS Services /
  property name=description value=YOUR HTTP Service /
  property name=serviceId value=https://**; /
  property name=allowedAttributes
list
  valueyourAttributeName/value
/list
  /property
/bean

My question is, can I do this to release the same set of attributes for any 
service?  This looks like it’s going to require me to set this up for every new 
service.

Sincerely,

Christopher Irwin

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Friday, August 14, 2015 1:50 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Attribute Release

You are not getting anything from CAS because you’re not allowing any 
attributes to be released. Your logs/config show you’re only resolving 
attributes. Your service registry needs to release them next.

See:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html

From: Ray Bon [mailto:r...@uvic.ca]
Sent: Friday, August 14, 2015 10:25 AM
To: cas-user@lists.jasig.orgmailto:cas-user@lists.jasig.org
Subject: Re:[cas-user] Attribute Release


Chris,



Clearly I did not look closely enough at the logs.

In the log you have Created seed map='{username=[cirwin]}' for uid='cirwin'

followed by Generated query builder 'null' from query Map {username=[cirwin]}



In my log between these two lines I get Adding attribute 'uid' with value 
'[rbon]' to query builder 'null'

followed by Generated query builder '(uid=rbon)' from query Map 
{username=[rbon]}​



In your configuration you have util:map id=queryAttributeMap
   entry key=user value=uid /
  /util:map



Try changing the key in the configuration from 'user' to 'username'.



Ray




From: Chris Irwin 
chris.ir...@sadasystems.commailto:chris.ir...@sadasystems.com
Sent: August 14, 2015 05:02
To: cas-user@lists.jasig.orgmailto:cas-user@lists.jasig.org
Subject: RE:[cas-user] Attribute Release

Ray,

In the log below you can see the results of the query.  You can also see the 
attributes I have listed in the ldapAuthenticationHandler’s 
principalAttributeMap get returned in the “Found principal attribute”  This is 
what I want to return back to the app but all I’m getting is the following:

cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'
cas:authenticationSuccess
cas:usercirwin/cas:user


/cas:authenticationSuccess
/cas:serviceResponse

I thought I just needed to wire up so that the attributes resolved here are 
released:

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[chris.ir...@sadasystems.com]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Chris Irwin]]

Is that different?

Chris
From: Ray Bon [mailto:r...@uvic.ca]
Sent: Thursday, August 13, 2015 6:17 PM
To: cas-user@lists.jasig.orgmailto:cas-user@lists.jasig.org
Subject: Re:[cas-user] Attribute Release


​Check what attributes are being released from your LDAP server.

The items in the LDAP response may be provided as part of the authenticated 
user info but not necessarily the released attributes.



Ray


From: Chris Irwin 
chris.ir...@sadasystems.commailto:chris.ir...@sadasystems.com
Sent: August 13, 2015 13:58
To: cas-user@lists.jasig.orgmailto:cas-user@lists.jasig.org
Subject: [cas-user] Attribute Release


I'm not sure what i'm missing here.  I can see the attributes resolved but they 
are never released to the client:



2015-08-13 16:31:20,456 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP 
authentication for cirwin+password

RE:[cas-user] Attribute Release

2015-08-14 Thread Chris Irwin 
Ray,

In the log below you can see the results of the query.  You can also see the 
attributes I have listed in the ldapAuthenticationHandler’s 
principalAttributeMap get returned in the “Found principal attribute”  This is 
what I want to return back to the app but all I’m getting is the following:

cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'
cas:authenticationSuccess
cas:usercirwin/cas:user


/cas:authenticationSuccess
/cas:serviceResponse

I thought I just needed to wire up so that the attributes resolved here are 
released:

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[chris.ir...@sadasystems.com]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Chris Irwin]]

Is that different?

Chris
From: Ray Bon [mailto:r...@uvic.ca]
Sent: Thursday, August 13, 2015 6:17 PM
To: cas-user@lists.jasig.org
Subject: Re:[cas-user] Attribute Release


​Check what attributes are being released from your LDAP server.

The items in the LDAP response may be provided as part of the authenticated 
user info but not necessarily the released attributes.



Ray


From: Chris Irwin 
chris.ir...@sadasystems.commailto:chris.ir...@sadasystems.com
Sent: August 13, 2015 13:58
To: cas-user@lists.jasig.orgmailto:cas-user@lists.jasig.org
Subject: [cas-user] Attribute Release


I'm not sure what i'm missing here.  I can see the attributes resolved but they 
are never released to the client:



2015-08-13 16:31:20,456 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP 
authentication for cirwin+password
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@110158567::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
 ldapEntry=[dn=CN=Chris 
Irwin,OU=SADA,OU=Consultants,dc=root,dc=njcu[[mail[chris.ir...@sadasystems.com]],
 [uSNCreated[75502415]], [description[SADA Consultant]], 
[whenChanged[20150805152738.0Z]], [objectClass[top, person, 
organizationalPerson, user]], [primaryGroupID[513]], [givenName[Chris]], 
[objectGUID[??D?a??[??]], [objectSid[    q??K9?l??u??V  ]], 
[instanceType[4]], [whenCreated[20150410141222.0Z]], 
[dSCorePropagationData[20150520202442.0Z, 20150410142342.0Z, 
1601010100.0Z]], [sn[Irwin]], [userAccountControl[66048]], 
[lastLogonTimestamp[130832620538887202]], [cn[Chris Irwin]], 
[sAMAccountName[CIrwin]], [sAMAccountType[805306368]], 
[userPrincipalName[cir...@njcu.edu]], [displayName[Chris Irwin]], 
[pwdLastSet[130731491217059125]], [name[Chris Irwin]], 
[objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]], 
[distinguishedName[CN=Chris Irwin,OU=SADA,OU=Consultants,DC=root,DC=njcu]], 
[memberOf[CN=rdpadmins,CN=Users,DC=root,DC=njcu, 
CN=VPN,CN=Users,DC=root,DC=njcu, CN=Domain Admins,CN=Users,DC=root,DC=njcu]], 
[uSNChanged[90371268]]], responseControls=null, messageId=-1], 
accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[chris.ir...@sadasystems.com]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Chris Irwin]]
2015-08-13 16:31:20,565 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
LdapAuthenticationHandler successfully authenticated cirwin+password
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - 
Attempting to resolve a principal...
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - 
Creating SimplePrincipal