The CAS attributes are stored as request headers and won't be
available in the apache environment.
You'd have to store them as apache environment variables to be able to
get at them with RequestHeader (I think). Something like this should
work for you:
diff --git a/src/mod_auth_cas.c
On Fri, 16 Apr 2021 at 16:48, Mark H. Wood wrote:
>
> I'm tinkering with some test CGI scripts to prepare for a real
> project, and I noticed that a script protected by CAS doesn't get a
> value for AUTH_TYPE in its environment, whereas a similar location
> protected by one of the AuthType Basic
On Fri, 12 Feb 2021 at 12:25, KC Pullen wrote:
>
>
> Ray,
>
> I'll take a look at the LDAP logs and see if I can find anything...
What do your mod_authnz_ldap logs say?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines:
On Tue, 1 Dec 2020 at 15:22, Bryan K. Walton wrote:
> Is it possible to use an If Statement like this to make CAS auth
> optional? If not, is there another way to bypass CAS auth if a
> certain cookie is already present in the user's browser?
A similar config works for me in both Directory and
On Fri, 13 Dec 2019 at 14:58, Alan S wrote:
>
> Okay, via curl, this looks good (see the response below), and I'm getting the
> authenticated username returned. So, this is a good step forward in
> troubleshooting. Do you have advice for debugging the Apache module? I'm not
> sure what would
On Thu, 12 Dec 2019 at 18:09, Alan S wrote:
>
> Still wrestling with this, I'm now specifying just the serviceValidate
> endpoint to remove any possible problems with SAML attribute delivery. My
> Apache configuration now looks like this:
>
> LoadModule auth_cas_module
On Mon, 4 Nov 2019 at 12:01, Colin Ryan wrote:
>
> David,
>
> Yes I've built Apache2 itself with SSL using the safe external OpenSSL as I"m
> trying to use with the module. When I run the totally to stock ./configure
> line I posted it gives me
>
> checking for openssl/ssl.h in /opt/aa... yes
>
On Fri, 1 Nov 2019 at 15:41, Colin Ryan wrote:
>
> Folks,
>
> For various reason's I need to compile my own mod_auth_cas module for
> use in Apache. I also have my own builds of OpenSSL within this toolchain.
>
>
> I cannot for the life of me seem to get mod_auth_cas to use my external
> openssl
On Fri, Oct 25, 2019, 05:45 Alberto Cabello Sánchez wrote:
> On Thu, 24 Oct 2019 16:12:58 -0400
> David Hawes wrote:
>
> > What version of mod_auth_cas are you using?
>
> Sorry, I didn't included it in my question:
>
> mod_auth_cas is 1.2, freshly cloned from
On Thu, 24 Oct 2019 at 08:44, David Curry wrote:
>
> You should be safe from SAML messes; CASv2 attribute release via SAML 1.1 has
> been around for years and years; much longer than the CAS server's support
> for the SAML2 protocol and acting as an IdP/SP. You don't actually have to
>
What version of mod_auth_cas are you using? v1.2 supports CASv2
attributes, which should work with /serviceValidate provided your
server supports it.
Turn "CASDebug On" and you should be able to see the validation
response with the attributes returned from your server. With
CASAuthnHeader set to
On Wed, 17 Jul 2019 at 18:47, Paul Hirose wrote:
>
> RHEL7.6, mod_auth_cas-1.1-3.el7.x86_64 (from EPEL).
> I'd like to protect my overall site with CAS. I'd then additionally like to
> add IP restrictions on a subset of this site. I was hoping the first
> Location stanza would require CAS for
On Mon, 3 Jun 2019 at 17:13, Alan S wrote:
>
> Hi, all,
>
> Our previous Apache client (mod_auth_cas v1.0.9.1) worked seamlessly with our
> organization's CAS server, and retrieving SAML attributes was no problem at
> all. Currently, we're working toward a rollout of CAS 5.3.3, and I'm trying
On Tue, 14 May 2019 at 13:22, 'Will Gleich' via CAS Community
wrote:
> Has anyone else solved this problem – am I over-looking something? Perhaps I
> can spoof HTTPS with some apache header change.
Have you tried using CASRootProxiedAs with the virtual host on your LB
and setting session
The mod_auth_cas team is pleased to announce the release of mod_auth_cas 1.2.
https://github.com/apereo/mod_auth_cas/tree/v1.2
This release includes:
* OpenSSL 1.1 support.
* CASv2 attributes.
* CASPreserveTicket, which allows tickets to pass through when a valid
session exists.
*
mod_auth_cas v1.2-RC1 has been tagged:
https://github.com/apereo/mod_auth_cas/tree/v1.2-RC1
Various bugfixes and documentation updates are included as well as:
- OpenSSL 1.1 support
- CASv2 attributes
- CASPreserveTicket, which allows tickets to pass through when a valid
session exists.
If
The order of these directives matters. You may want to review:
http://httpd.apache.org/docs/current/sections.html#merging
We'd need more config to tell what's going on in your case.
On Fri, 30 Nov 2018 at 19:46, Shankaranand Bahushrutham
wrote:
>
>
> I have 2 single page applications developed
On 2 October 2018 at 01:16, Fahmi L. Ramdhani
wrote:
> Thanks dhawes,
> I have a little trouble about this, even though it should be able to. I
> configure it according to the documentation about attributes. Below are logs
> from mod_auth_cas:
The log excerpt looks like it was after validation.
On 1 October 2018 at 15:18, Fahmi L. Ramdhani
wrote:
> Hi,
>
> I'am unable to retrieves CAS User Attributes using mod_auth_cas. Below is my
> configuration:
> 100-domain.com.conf
>
>
> ServerName domain.com
> ServerAlias www.domain.com
> ServerAdmin ad...@domain.com
>
>
On 1 October 2018 at 14:02, Ramakrishna G wrote:
> David,
>
> Can you pls share code snippet or link for setting headers to response
> attribute.
The wording was confusing in my last email, but we are just talking
about attribute release here. You should review the documentation for
your CAS
Just so I understand, you are setting headers on the validation
response to mod_auth_cas in your CAS server and expect the headers to
show up?
They will not show up.
You will need add those headers to the attributes sent back in the
validation response for them to be available as headers in you
For reference:
https://github.com/apereo/mod_auth_cas/issues/151
On 20 August 2018 at 16:28, Matt T wrote:
> Hi Everyone,
>
> I'm pulling my hair out here. We run Cognos and front-end it with Apache
> 2.4. We've CASified the application by using mod_auth_cas. We've compiled
> from source and
On Fri, Aug 3, 2018 at 5:56 AM, Ramakrishna G wrote:
> Hello Team,
>
> I have multiple CAS client (mod_auth_cas) connected to a load balancer. My
> problem is mod_auth_cas ask CASCOOKIEPATH to set to store the user
> information locally.
>
> I am planning to use NFS for the same but I feel there
On Tue, Apr 10, 2018 at 2:41 PM, Bryan K. Walton wrote:
> What does "Invalid cache cookie length" mean in the cas debug logs?
>
> For example:
> [Mon Apr 09 16:17:29.340510 2018] [:debug] [pid 7828]
> mod_auth_cas.c(897): [client xxx.xxx.xxx.xxx:64395] Invalid cache cookie
>
On Thu, Feb 22, 2018 at 4:14 PM, Bryan K. Walton wrote:
> We have a mod_auth_cas installation where the CAS server on the other
> end is sending us XML attributes in their response. I don't have any
> details on their CAS server version. What I do know is that we are
>
On Thu, Feb 15, 2018 at 2:51 PM, Mukunthini Jeyakumar
wrote:
> Thanks dhawes.
>
> I'm using the php code to print the values retuned in the header
> foreach (getallheaders() as $name => $value) {
> echo "$name: $value\n";
> }
> ?>
>
> I've no
On Tue, Feb 13, 2018 at 10:23 AM, Fabio Martelli
wrote:
> Hi All, is there a way to force mod_auth_cas to put retrieved principal
> attributes as env variable instead of headers?
We're talking Apache environment variables, right?
Do you need anything other than
On Fri, Feb 9, 2018 at 4:00 PM, Mukunthini Jeyakumar
wrote:
> Hi
>
> I'm seeing the same error even If I use /serviceValidate endpoint. As soon
> as I turn on CASValidateSAML, I'm getting the error
>
> Here is my mod_auth_cas. (I've used David Curry's Guide )
>
> LoadModule
Are you sure your server supports /samlValidate? Are you able to use
/serviceValidate?
Post your full mod_auth_cas config here.
The 406 you see is from the CAS server. Do you have any logs on the
CAS server that indicate why the request failed?
On Fri, Feb 9, 2018 at 2:09 PM, Mukunthini
Set:
LogLevel debug
CASDebug On
and check your error logs. You should have information as to why you
get this error.
On Thu, Feb 8, 2018 at 1:13 PM, Mukunthini Jeyakumar
wrote:
> Hi David,
>
> I'm using mod_auth_cas configured to use the "samlValidate" endpoint. When I
>
SRootProxiedAs https://192.168.111.12
>>
>> CASValidateURL https://192.168.111.12:9443/cas/serviceValidate
>>
>> #CASProxyValidateURL https://192.168.111.12:9443/cas/proxyValidate
>>
>> CASDebug On
>>
>> LogLevel debug
>>
>> CASValidateSAM
On 23 January 2018 at 08:52, Ramakrishna G wrote:
> Unauthorized
>
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply
On 23 January 2018 at 08:56, Ramakrishna G wrote:
> Hello all,,
>
>
> I am using mod_auth_cas. While i hit cas url I give ip and cas automatically
> change it to host name. Can anyone suggest how to stop this?
>
>
> Eg: my url: https://192.168.111.XX => It redirets to my
Have you tried using the /samlValidate endpoint with "CASValidateSaml On"?
/serviceValidate may or may not return attributes, depending on your
CAS server. If it does, you can use mod_auth_cas from git master,
which supports CASv2 attributes.
On 14 September 2017 at 09:11, Micas Camela
On 19 July 2017 at 15:11, David Curry wrote:
>
> You need to have mod_auth_cas configured to use the "samlValidate" endpoint
> on the CAS server, and also have the "CASAuthNHeader" setting turned on in
> /etc/httpd/conf.d/cas.conf (or wherever your config file is).
now where the problem is... I need a ProxyPassReverse for the
> rewrite rule I have since it is redirecting with an address that has 8080
> appended.
> What do you think? If so, how would you write the ProxyPassReverse for that
> rewrite rule?
>
> On Monday, May 22, 2017 at 5:49:09
; 302 587 "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
> Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
> 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12;
On 18 May 2017 at 17:40, Pooya Eslami wrote:
> Same if that line is deleted or set to /
> I keep getting sent to cas and redirected back to site.
> I would like to try RewriteCond, but where would I stop?! If I stop at cas
> it will not redirect to cas, if stop after site, it
On 16 February 2017 at 22:05, RJ Guroo wrote:
> I have a requirement to ignore SSO for subsequent folders within a protected
> folder.
>
> For example: We have to protect the URI, /app1/
>
> /app1/ should be protected
> /app1/dir1/ .. protected by the first rule
> /app1/dir2/
On Thu, Feb 2, 2017 at 2:41 PM, Tom Barber wrote:
> Hello folks
>
> I see in the readme the cas-attribute directive is for use with SAML, it is
> only SAML and not serviceValidate endpoints?
serviceValidate is supported in git master:
On 26 January 2017 at 13:23, Bryan Wooten wrote:
> We have our Peoplesoft environment CASified by adding CAS filters to the
> Weblogin web.xml and writing some custom signon Peoplecode. It works well.
>
> Any we doing a proof of concept where the Weblogic is behind Apache.
On 25 January 2017 at 08:23, Bryan K. Walton <bwal...@leepfrog.com> wrote:
> On Tue, Jan 24, 2017 at 06:51:22PM -0500, David Hawes wrote:
>> On 24 January 2017 at 08:45, Bryan K. Walton <bwal...@leepfrog.com> wrote:
>> ...
>> > However, that same CAS s
On 24 January 2017 at 21:43, Chris Cheltenham
wrote:
...
>
>
> Authtype CAS
>
> require valid-user
>
> CASAuthNHeader CAS_USER
>
>
Try using CAS-USER here.
2.4 is more strict with headers.
See:
On 24 January 2017 at 16:19, Chris Cheltenham
wrote:
> Bryon ,
>
> According to my tcpdump mod_auth_cas is pushing REMOTE_USER no matter what we
> configure it to be.
> So when we changed the behavior of the other side to EXPECT the REMOTE_USER
> variable , it
On 24 January 2017 at 08:45, Bryan K. Walton wrote:
...
> However, that same CAS server passes some users in lowercase. Is there
> a way in mod_auth_cas to convert all usernames to either uppercase or
> lowercase, overriding what the CAS authentication server sends?
There
ne :) Thank you very much. After
>> holydays i'will try to do more tests to be sure... i'll let you know.
>>
>> Le mercredi 21 décembre 2016 22:11:49 UTC+1, Hansi PIERRE a écrit :
>>>
>>> Ho !! tks a lot :) ... i'll try it tomorrow :)
>>>
>>> Le
On 21 December 2016 at 11:22, David Hawes <dha...@vt.edu> wrote:
...
> I've attached a horrible, inflexible, mostly untested and probably
> buggy patch against git master that should rewrite the Host header to
> the service URL. Let me know if it works for your case.
The previous
On 21 December 2016 at 04:27, Hansi PIERRE wrote:
> Hello ... first thank you for the answer.
>
> Le mardi 20 décembre 2016 23:04:48 UTC+1, dhawes a écrit :
>>
>>
>> I'm not sure I follow. What prevents you from using a URL with
>> CASRootProxiedAs?
>
>
> Because my proxified
On 20 December 2016 at 08:51, Hansi PIERRE wrote:
...
> It seems like the variable is not resolved.
> Is there a way to set a variable as value of "CASRootProxiedAs" ?
No, you cannot have variables in the URL.
> More generally my apache is proxyfied and i can't get the
I see no mod_auth_cas configuration here.
On 13 December 2016 at 18:44, Chris Cheltenham
<cchelten...@swaintechs.com> wrote:
> David,
>
> Again I appreciate your help.
>
>
>
> -Original Message-
> From: cas-user@apereo.org [mailto:cas-user@apereo.org] On B
On 12 December 2016 at 17:57, Chris Cheltenham
wrote:
> David,
>
> He mod_auth_cas is attached.
Can you post your Apache config?
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
-
Please post your mod_auth_cas configuration.
Next, set your LogLevel to debug and CASDebug on. Do you see anything
useful in the error log?
On 10 December 2016 at 11:41, Chris Cheltenham
wrote:
> Hello everyone,
>
>
>
> We are using RHEL 7.3 with apache 2.4.6 and CAS
I'd expect by the end of the year at the latest.
On 23 November 2016 at 12:21, pouria Mahmoudi wrote:
> Oh by the way,
> Is it possible to tell me how soon this change would be merged?
>
> Thanks
>
>
> On Wednesday, November 23, 2016 at 9:00:14 AM UTC-8, pouria
On 22 November 2016 at 16:40, pouria Mahmoudi wrote:
> Hi Everyone,
> I have a problem with getting group working with mod_auth_cas.
>
> Here is the snippet:
>
>
> Authtype CAS
> Require valid-user
> Require
On 21 November 2016 at 16:13, pouria Mahmoudi wrote:
...
> Description: If enabled, this will store the user returned by CAS in an HTTP
> header
> accessible to your web applications.
...
> but it doesn't look like I have an http header. At least by doing Inspect
>
On 12 July 2016 at 11:32, Travis Schmidt wrote:
> I have been trying to come up with a way to configure a landing page for an
> app that uses gateway to determine if the user is logged in or not with
> Apache 2.4 and mod_auth_cas. I thought at first just doing something
On 30 June 2016 at 12:40, mostolog wrote:
> Hi
>
>
> Finally, I managed to solve it.
>
> Seems that cas-attribute headers are only sent if CASAuthNHeader directive
> is enabled.
That's correct.
Also note that you may want to set your CASAttributePrefix to
something that does
On 21 March 2016 at 11:00, Philippe MARASSE
wrote:
> Hello,
>
> I'm trying to compile mod_auth_cas on a Debian 8 jessie, sources are
> cloned from github. ./configure works but make complains about missing
> aclocal-1.15.
>
> automake package for Debian 8 ships
58 matches
Mail list logo