[cas-user] CAS 6.3.2 out of the box OAuth: "Apparent connection leak detected"

2021-04-22 Thread Pablo Vidaurri
Downloaded CAS template overlay 6.3.2. Have included the below dependencies: implementation "org.apereo.cas:cas-server-support-jdbc-drivers:${project.'cas.version'}" implementation "org.apereo.cas:cas-server-support-jpa-ticket-registry:${project.'cas.version'}" implementation "org.apereo.c

Re: [cas-user] CAS + Azure AD Auth Delegation

2021-04-22 Thread Ray Bon
Bartosz, The only cas properties I have that you do not are: cas.authn.pac4j.oidc[0].azure.discoveryUri=https://login.microsoftonline.com/[tenant id goes here]/oauth2/v2.0/ cas.authn.pac4j.oidc[0].azure.logoutUrl

Re: [cas-user] CAS + Azure AD Auth Delegation

2021-04-22 Thread Bartosz Nitkiewicz
I want to set up Azure as default auth for all services. But it gives me this error AADSTS900971: No reply address provided. There are no logs on CAS server side. I think that I have misconfigured something during Azure app registration. I don't know how it should be configured. I want to delegate

Re: [cas-user] CAS + Azure AD Auth Delegation

2021-04-22 Thread Ray Bon
Bartosz, After successful login on azure, cas will redirect to your intended service. Are there any error messages in the logs? Ray On Thu, 2021-04-22 at 10:18 -0700, Bartosz Nitkiewicz wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautiou

[cas-user] CAS + Azure AD Auth Delegation

2021-04-22 Thread Bartosz Nitkiewicz
Hi. I got stuck. I've managed to delegate auth to Azure AD. I can log in with my user and password. But after that I have AADSTS900971: No reply address provided. I don't know how to set it up properly. My registered CAS app (Azure) is redirected to my CAS server https://example.org/cas with

Re: [cas-user] CSRF protection for login page

2021-04-22 Thread Ray Bon
Paul, All log in systems would suffer from this same problem. Since the secured phase of the session has not yet begun, there is no way to protect the user (save the limited case of ip/machine verification with intranet only log in - must be rare these days). The fake site could run a script o

Re: [cas-user] CSRF protection for login page

2021-04-22 Thread Paul Roemer
Hey Carl, you are right. The problem described is not a CSRF issue. Still, I wonder if users of CAS are aware of it. In the end it means that attackers can easily trigger any flow provided by CAS, right? That bugs me. Before, I was under the assumption that the Webflow execution ID was used a

[cas-user] Re: Cas overlay ver 6.3.x integration with pure RADIUS (not MFA RADIUS)

2021-04-22 Thread Andy Ng
Hi there, This is CAS 6.2.x and it was quite a long time ago, so I have forgotten most of what I did. But this configuration is what I used when I successfully logged in to Radius using CAS 6.2.x during my demo project: https://github.com/NgSekLong/SelectUrCAS/tree/master/source/authenticatio