As others have said, you start from scratch. The CAS IdP can do a great
many things. You need to understand what your current setup is doing. In
particular look at the dependencies from the Maven pom to tell you what
needs to be done. From there build out the new system one piece at a
time is e
Documentation indicates that you can run CAS 7 on Jetty 12. I wouldn't
run them both in the same container. I would run them in separate
containers. I just use the default embedded container in CAS 6.
On 8/13/24 06:04, 'Jeff Stone' via CAS Community wrote:
Hi Richard,
sorry about this, I've ne
On Fri, 2023-08-04 at 02:52 -0700, Jean-Paul JORDA wrote:
Hi,
We use apereo CAS for our applications, but unfortunately the login page is not
accessible to people with disabilities. That's a problem for these people of
course, and what's more we are bound by law to provide accessible web sites
(WC
Typically the helpful bit in a long stack like this is at the end
Error:
Caused by: java.net.MalformedURLException: no protocol:
login.unila.ac.id/cas
at java.base/java.net.URL.<init>(URL.java:627)
at java.base/java.net.URL.<init>(URL.java:523)
at java.base/java.net.URL.<init>(URL.ja
I am trying to retrieve one specific attribute from a REST end point. I
have it connecting to it. However, I only have one service that should
get this attribute, and thus I only need to connect to the REST
attribute store for that one service. How do I configure this in my
service definition?
I have two otherwise identically configured CAS configurations, both on
6.6.6. Both are configured to use Duo, and both of them have the public
workstation checkbox in the login form. The only difference between the
two is that one uses the iframe Duo integration and one uses the
Universal Prom
APIs are handled differently from SPAs. You probably need to look at the CAS
REST protocol? https://apereo.github.io/cas/6.6.x/protocol/REST-Protocol.html
I would put APIs behind an API gateway. Conceptually they are the same thing as
CAS + AD, but specifically designed for API calls, especially
Not sure why that isn't starting up. I launch it differently with a java
-jar command. Good resource for getting going:
https://fawnoos.com/2022/03/04/cas65-gettingstarted-overlay/
That is for 6.5, but I think everything holds for 6.6. It also has
different instructions for launching.
On 3/
On 3/8/23 12:59, 'Richard Frovarp' via CAS Community wrote:
On CAS 6.6.6 and using the Duo Universal Prompt, it is exposing my
internal hostname, rather than the load balancer. It's not clear to me
why this is happening. It is also not clear to me what the correct
configuration options are for a load balanced CAS with respect to
hostname / proxy configu
and keys to whatever location cas thinks is
correct.
Not sure about the exception. Perhaps it is missing something related to git;
path, write permissions, initialized repo, etc.
Ray
On Fri, 2023-01-06 at 15:42 -0600, 'Richard Frovarp' via CAS Community wrote:
I'm having two different problems related to SAML 2 keys and metadata on
6.6.3.
If I have org.apereo.cas:cas-server-support-saml-idp-metadata-git
enabled, I get an NPE when trying to access the metadata URL. I have
enforced the default false flag to indicate that the IdP metadata
shouldn't ex
arated.
On Fri, Dec 23, 2022 at 5:28 AM 'Richard Frovarp' via CAS Community
wrote:
That could also work. Thanks.
On 12/22/22 07:50, Misagh wrote:
Did you mean this?
https://apereo.github.io/cas/6.6.x/installation/Configuring-SAML2-DynamicMetadata-Git.html
On Thu, Dec 22, 2022 at 4:52 AM 'Richard Frovarp' via CAS Community
wrote:
Is it possible to have CAS use two
I discovered that the git service repository is not recursive. So, I can put
the hand maintained metadata in a subdirectory in the repo, and we are good.
From: 'Richard Frovarp' via CAS Community
Sent: Tuesday, December 20, 2022 2:52:21 PM
To: cas-user@
Is it possible to have CAS use two different repos, with one of them
NOT being services in 6.6? I have a repo of all of my hand maintained
metadata that isn't in the same repo as the JSON files for service
configuration.
Thanks,
Richard
--
- Website: https://apereo.github.io/cas
- Gitter Chatroo
, 'Richard Frovarp' via CAS Community wrote:
Browsers will insert the intermediate certificates if they know them.
So you can't trust the browser. Scanners look for the chain with no
prior knowledge, and thus are more reliable in determining if you have
everything setup correctly.
On 11/3/22 12:47, Ray Bon wrote:
Michael,
I have not ru
Is there a metrics prefix for StatsD (or any of the other ones) that we
can provide? Generally we run one StatsD for multiple systems, and it
not using a prefix to group it together is going to make things
complicated / impossible. There used to be one, but I can't seem to find
anything in the
On Tue, 2022-11-01 at 09:06 -0400, Mark H. Wood wrote:
> On Mon, Oct 31, 2022 at 03:25:12PM -0700, Benjamin Bini wrote:
> > Which project removes documentation as a way to encourage people to
> > upgrade?
> > What is the next step? Removing the code from GitHub and removing
> > artifacts
> > from
Part of the response metadata coming back is if the authentication is
from a new login. I think it will also tell you what time the auth
happened. Don't trust the user provided data, validate that what CAS is
telling you matches your security requirement. If it doesn't, don't let
them pass.
O
How are you triggering MFA / Duo? You likely only want to trigger Duo on
a local attribute and setup the integration to force Duo always. If you
are leaving it up to Duo to decide if the user is enrolled and bypass if
not, the old Duo Web integration couldn't tell you what happened, just
that the
Amazon stores a decent amount of info at the account layer. Different
application sessions across different devices share cart. But the
solution for this is to do it at the application layer. Extend the
session out there. Then at the security layer, it should have the
functionality to know when
I would change the application and not do it via CAS. Changing the application
session timeout to what they want. Because otherwise it will do a SSO session
again, which will interrupt anything the end user is trying to do with the
browser open for the past two days. So anything done via CAS won
The tables in the post are for the service registry. If you don't
migrate those, you will have to reconfigure from scratch.
I do not know what the plans are for the project with respect to the
service registry. It's changed a bit between versions, and usually seems
like a pain. We made the cha
Looks like the clock on your server isn't correct?
2022-02-17 20:14:10,479 ERROR
[org.apereo.cas.adaptors.duo.authn.DuoSecurityAuthenticationHandler] -
Caused by: com.auth0.jwt.exceptions.InvalidClaimException: The Token
can't be used before Thu Feb 17 20:15:11 UTC 2022.
I don't know about
Newer versions of the JDK are still affected. The newer JDK versions stop JNDI
from running remote code, it doesn't stop JNDI lookup. An attacker can still
exfil data through the DNS lookup. Also, there are other paths to exploit with
this attack. It was first found via JNDI LDAP to execute remot
okups to "true" in
the log4j2.xml config file might do the trick.
I'm guessing we'd do that somewhere here at the top?
/etc/cas/logs
On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community
<cas-user@apereo.org> w
Using a new enough version of the JDK might also alleviate it? The other
option is to throw the config option at the JDK to stop it from
happening. That would seem to be easiest.
On 12/10/21 12:36 PM, King, Robert wrote:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Has anyon
"I understand you can make CAS use ADFS for backend authentication, or
vice versa, but I'm not sure that's exactly what I'm asking here... or
is it?"
Yes, that is what you are asking. Otherwise they are two independent
applications that know nothing about the state of one another, even
thou
The issue is that this happens before the service release policy can trigger.
For some reason it is going against AD with 'richard.frovarp ', which results
in a failed AD lookup. So it can't even get the extra attributes to return.
So it appears that the result of the principal transformation is
What's the way to do that? I thought I figured that out, but it turns
out I haven't. I think one of my systems is accomplishing it via JS in
the page. Another CAS instance for a different org doesn't have that JS.
Random trailing spaces are causing attribute resolution to fail. Somehow
authentic
Fernando's message below is great advice. The version of the CAS server
isn't going to matter too terribly much. It will depend on what protocol
you are planning to use against CAS. I'm going to guess CAS Protocol v3,
which gives you everything you need. You are going to want a security
library
CAS can do multifactor. It can also release a bunch of attributes about
how the authentication went if you use the CAS 3 protocol. The service
directing the individual to CAS can also request that a fresh login is
used. Combined together, the service can be assured (so long as they
trust the CA
Looks like it can't find the table?? Are there any tables in your DB? Is your
DB named vantage? You'll need to refer to the docs on how to get it to create
the tables if they aren't there. If they are there in that DB, I'm not sure.
You are on an ancient version of CAS. If this is setting it up
At the very bottom it is saying it can't find the DB driver. Likely you don't
have the DB2 JDBC driver in the classpath?
On Wed, 2021-05-19 at 15:30 -0700, shirisha wrote:
I have CAS doing the single sign on for our application on WAS 7.0 and Java 6.
After migrating to the WAS 9.0, having CAS
Yes, very nicely done. I too will find the Azure bit helpful when I spin up a
social CAS instance in the future.
Richard
On Thu, 2021-05-13 at 21:59 -0700, Andy Ng wrote:
Hi Paul,
Thanks for the contribution! We soon also need to setup delegate auth to Azure,
so that section is going to be use
Don't get me wrong, throttling is definitely good. The thing you want to watch
out for is when unexpected attempts succeed. So one bit of strange behavior to
be on the lookout for is an authentication that triggers MFA, but the MFA
success never happens. It will depend on your MFA solution. Howe
Adding user won't catch a spray over different usernames. I just use rate
throttling as well.
And yeah, if they go down to 1 per second, you'll never catch them with the
throttle. You also won't catch them if they come at you with hundreds of IPs.
On Mon, 2021-05-17 at 16:40 +, Ray Bon wrot
olicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"ExtensionAttribute1" : "Email",
"givenname" : "FirstName",
"sn" : "LastName"
}
}
}
Keith Alston
Regent
Since I saw someone create the URL by hand the other day, I'm going to ask the
simple question: is the request hitting the HTTP-POST binding location? POST
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).
I've never had to do anything different to handle the two different
Or rather
serviceId :
instead of the regex you have there.
On Mon, 2021-04-12 at 18:50 +, 'Richard Frovarp' via CAS Community wrote:
Don't do a regex for the serviceId for SAML2. Do the entityId instead.
On Mon, 2021-04-12 at 18:46 +, Keith Alston (Staff) wrote:
Any ideas on what might be going on here?
I get the "Application Not Authorized to Use CAS" page when redirected to CAS.
2021-04-12 14:21:32,474 WARN
[org.apereo
My guess is that the bind user is going to ignore the base DN as it happens
before the search is done. As for the rest, it likely should follow the base
DN. You may have something effectively double defined there that is causing it
to work outside. I'm not sure what the dnFormat parameter does.
If I'm understanding you correctly, I've never done it that way.
You are saying that you have an attribute already setup called sAMAccountName
right? And you want to release it to this system as domain\sAMAccountName as
userID?
I've always done such a thing via Groovy attribute return with simpl
The IdP automatically generates metadata. And the correct endpoints are
listed on this page, including the metadata endpoint:
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
Usually with SAML you provide the SP with a copy of your metadata,
ideally loaded fro
Did you provide the app your IdP generated metadata or provide the SP with the
information in a different method? As that's the wrong end point for the SP to
be sending you to:
https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
On Wed, 2021-03-17 at 06:21 -070
I'm running my InCommon membership through Shibboleth, so I'm not looking for a
CAS solution. However, here is what I know:
1) R&S is documented as you point out. If you are going to provide REFEDS R&S
to REFEDS R&S SPs, you probably want to go into the InCommon Federation Manager
and assert th
-03-10 at 14:54 -0800, Mike Osterman wrote:
Thanks, Richard!
On Wed, Mar 10, 2021 at 2:40 PM 'Richard Frovarp' via CAS Community
<cas-user@apereo.org> wrote:
Get a test instance. It's pretty easy to do. Takes a little bit, but easy to
do. You really only need one or two users in it to test anyway.
There is a previous post on this list on how to do it the new way. I have
internal documentation that I can turn into external documentation tonight and
p
, 'Richard Frovarp' via CAS Community
wrote:
It's doing something with Single Logout. Turn it off / block it, or something:
https://community.canvaslms.com/t5/Integration-Documents/Configuring-CAS-and-Canvas-Authentication/ta-p/387390
Look at the end for "User is randomly logged out of Canvas"
On Fri, 2021-03-05 at 12:41 -0800, Mike Osterm
On Fri, 2021-03-05 at 11:20 -0800, Bill Scully wrote:
Does single logout trigger upon CAS session expiration? I would expect
not, but maybe there's a setting to flip that? Or maybe something else
is triggering single logout at two hours, and that is triggering
Canvas?
According to Instructure Sup
On Fri, 2021-03-05 at 22:49 +0400, Misagh wrote:
> > Instructure's Canvas (LMS) od
I don't remember the fine specifics of the logs well enough to know. It's
possible that both are at fault? Make sure you are listing attributes to lookup
in your ldap attribute repository configuration. If they aren't there, that'll
be problem one. The other thing is that by default the CAS 2 pr
configuration. I'm guessing you can't anonymous bind
to LDAP from HTTPD.
On Fri, 2021-02-12 at 15:10 +, 'Richard Frovarp' via CAS Community wrote:
I wouldn't mix the two methods. There's probably a way to make that work, but
that's an HTTPD question, not a CAS question. You can have CAS authenticate
against LDAP from the CAS IdP. That can either then return the list of
attributes to have mod_auth_cas filter on. Or you can have the IdP do f
n Fri, Jan 29, 2021 at 5:20 AM 'Richard Frovarp' via CAS Community
<cas-user@apereo.org> wrote:
Sorry, you don't need it in 5.3 as that one is default. So I didn't see that in
my dependencies. You'll need the ldaptive dependency for that. You'll want to
em to find a 5.0.x version of
/Configuration-Properties-Common.html#ldap-connection-settings but this
property is also listed in the 5.0.x properties
<https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html>
On Thu, Jan 28, 2021 at 11:18 AM 'Richard Frovarp' via CAS
I'm guessing that it just doesn't exist anymore. Browsing from
https://repo.spring.io/snapshot/
They don't have anything for Duo that is obvious. It was a SNAPSHOT dependency,
and thus shouldn't have been used in anything released. I see in my pom:
org.apereo.cas
cas-server-sup
You have to do overlay exclusions. Which for me looks like. Obviously close the
XML out as appropriate. I have further build plugins.
maven-war-plugin
2.6
false
false
false
${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF
org.apereo.cas
cas-server-
For the Duo jar, you should put them in your own local repo? Or maybe the cache
dir? I know that by default it feels like you have to hunt through a variety
of external repos to find that dependency. I run a local Nexus install for us
so I only have to hunt down once.
For the LDAP problems, I
Maybe? That version was released nearly 7 years ago and isn't supported. I
would suggest moving to CAS 6.3.
On Thu, 2021-01-21 at 17:05 -0800, Kylie L wrote:
Will CAS 3.5.2 work with an Oracle 19c or 18c database?
Thanks
So you want to turn CAS into a SAML 2 SP? You'll need to follow this
documentation:
https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html
On Thu, 2021-01-21 at 17:09 -0800, Yan Zhou wrote:
> Hi,
>
> Try to implement this: people logged into their app (that does not
> use
Why are you trying to POST to the login URL? It looks like this isn't
the POST from the login page? What do the CAS logs say?
On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> Hello,
>
> i am using CAS 5.3.X, but I think the same would apply to CAS4 or
> CA5.
>
> action="https://.MyCASE
I believe that it is serialized Java classes. So it's binary data. You
don't change it without an external service. I guess you could find the
code that does it and write your own service. But you don't be doing it
via direct DB manipulation.
On Fri, 2020-12-04 at 09:48 +, Francisco Castel-Bran
You would normally use it with your favorite security library in Java.
Common ones include Apache Shiro, Pac4J, and Spring Security. From
there use the library specific instructions for bringing in the CAS
client library.
On Thu, 2020-12-03 at 13:23 +0530, rohini bansode wrote:
> IF you have some
Probably not? That sounds like code that is being hit somewhere that isn't
thread safe. The built in LDAP code to CAS should be just fine with that
respect. Assuming you're using a well supported LDAP server that wouldn't have
thread issues? I don't know how a HTTP proxy would impact this. I gue
The cert you were using under the old integration likely doesn't match your
SAML cert. You would need to upload your new SAML cert to Google. And yeah, you
want to remove the old bits of the old method, in particular the jars
associated with it as it fires before the generic SAML can.
On Tue, 2
Yes. The one caveat is that you would need to enable the "Use a domain
specific" issuer on prod otherwise it will spit it out with generic values,
which doesn't have onu.edu in it. I don't remember what the generic values are.
When we upgraded CAS, I logged in to click that button to swap prod o