Re: [cas-user] Security question about CasRegisteredService wildcards

2023-02-15 Thread Mike Osterman
Hi Joshua, Note this is based solely on my experience as a CAS admin at my institution. I hope others will add to the conversation. Your risk example is correct because it’s basically making any app that wants to use your CAS service a seemingly institutionally-supported resource, which can lead

[cas-user] Anyone using everbridge.net with SAML and running into 414 status?

2022-12-01 Thread Mike Osterman
We have a SAML SP service that has been working just fine for years, but they are now updating SSO certificates, and I'm running into an issue where the Duo flow is breaking because of the length of the URI in the initial SAML

Re: [cas-user] Such a thing as illegal characters in entityID for SAML?

2022-10-06 Thread Mike Osterman
> docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd > > So, I think your theory is correct. > > Take care, > Nate > > On Thu, Oct 6, 2022 at 1:03 PM Mike Osterman wrote: > >> Hi all, >> >> We are running into

[cas-user] Such a thing as illegal characters in entityID for SAML?

2022-10-06 Thread Mike Osterman
Hi all, We are running into an issue with a new SP, and despite turning on DEBUG for both org.apereo.cas.services.AbstractServicesManager and org.apereo.cas.support.saml.web.idp we can't find any hints for why this is showing up in the logs: 2022-10-06 09:57:15,798 WARN

[cas-user] Duo Universal Prompt - ready to go?

2022-07-29 Thread Mike Osterman
So as not to co-opt Baron's "CAS 6.5 w/ Duo MFA, was MFA actually used?" thread where Ray brings up Universal Prompt, I'm starting a new one. I seem to remember a while back there were issues with CAS + Duo's Universal Prompt. Is anyone using it successfully/happily in production, or is it better

Re: [cas-user] CAS 6.5 w/ Duo MFA, was MFA actually used?

2022-07-29 Thread Mike Osterman
We are also non-mandatory MFA at present, and doing what Richard suggests. If they are a memberOf the AD group in question, they are required to Duo, regardless of service. # Active Directory LDAP connection cas.authn.attributeRepository.ldap[0].attributes.memberOf=mfaAttribute

Re: [cas-user] Cannot open Apereo CAS version 5.3.x document

2022-04-23 Thread Mike Osterman
The 5.3.x documentation from that link is unfortunately broken, and has been for several weeks. I had assumed it was intentional, but maybe it's in error? When I needed it a while back, I resorted to accessing the 5.3.16 tag here and then typing the "." character (hats off to my co-worker Ocean

[cas-user] Resource: all-cas-properties.ref

2022-02-18 Thread Mike Osterman
Since I don't want to muddle the troubleshooting going on in the "cas.properties reference" thread, I'm starting a new one. I wanted to plug a reference that is an answer (Ray's technique is also solid) that I've found very helpful from Initializr that Misagh writes about here:

Re: [cas-user] Re: 6.1 put into production, CAS_AuthenticationException thrown.

2021-12-20 Thread Mike Osterman
Hi Rod, Are you seeing that same ticket ID being issued to the service earlier on in the logs? Also, do test and production share identical cas properties settings (apart from server name, that is)? I found a small mention of the INVALID_TICKET message in the Troubleshooting guide

Re: [cas-user] log4j vulnerability

2021-12-10 Thread Mike Osterman
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in the log4j2.xml config file might do the trick. I'm guessing we'd do that somewhere here at the top? /etc/cas/logs On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <

Re: [cas-user] CAS 6.4.2 cas.google-apps.*key-* unsupported?

2021-11-24 Thread Mike Osterman
Oh! Apologies for misrepresenting that, Misagh. Thanks for chiming in! On Wed, Nov 24, 2021 at 8:45 AM Misagh wrote: > On Wed, Nov 24, 2021 at 8:42 PM Rod wrote: > >> Thanks Mike! >> >> I was hoping we would have a little more time with this feature. >> > > You do. It's not removed. > >

Re: [cas-user] CAS 6.4.2 cas.google-apps.*key-* unsupported?

2021-11-23 Thread Mike Osterman
Hi Rod, I believe that this functionality has been removed from CAS in 6.x forward, and the only way to achieve SSO with Google Apps is via the CAS SAML2 IdP feature. Richard Frovarp wrote an excellent blog post on how to accomplish this:

[cas-user] Re: Sudden failure of certain SAML Services after system updates

2021-10-28 Thread Mike Osterman
esolution for this? We've experienced the same > issue and are looking for ways around until we can update CAS. > > Thanks > Jason > > On Monday, August 2, 2021 at 10:45:32 PM UTC-5 Mike Osterman wrote: > >> Hello, >> >> We have two SAML services on CAS 5.3.x (yes, I kn

[cas-user] Sudden failure of certain SAML Services after system updates

2021-08-02 Thread Mike Osterman
Hello, We have two SAML services on CAS 5.3.x (yes, I know we need to get to 6.3.x STAT) that stopped working suddenly with behavior identical to this thread: https://groups.google.com/a/apereo.org/g/cas-user/c/fc_biQnh1l4 The kicker is that we haven't rebuilt the cas.war file recently, and the

Re: [cas-user] How to release eduPersonTargetedID in correct format

2021-05-07 Thread Mike Osterman
Hi there, I had this issue early on, and it turned out that my service registry was not specifying the nameid format as persistent, but rather unspecified, which was making it transient. Here's a snippet from our service config for the requiredNameIdFormat and usernameAttributeProvider

Re: [cas-user] gradle versions of dependency documentation?

2021-04-13 Thread Mike Osterman
Hi Baron, I too am working on 5.x to 6.3.x and have been getting help from Unicon. While I'm not sure if "compile" works, here's what I picked up from working with them. Here are our dependencies: implementation "org.apereo.cas:cas-server-webapp-init:${casServerVersion}" implementation

Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3

2021-04-13 Thread Mike Osterman
I'm also a little surprised that the metadata url above is throwing an exception. My understanding is that if your SP metadata is based on a URL, it has to return metadata XML. I suppose there could be some form of ACLs at the SP level that is causing me to get an error when trying to access

Re: [cas-user] SAML to CAS but no SAML response after authentication

2021-04-12 Thread Mike Osterman
If I'm reading your message correctly about the SP displaying an exception, you might also want to ask the SP to check their logs as well. I've had cases where I did everything I could to debug on my end, and it ended up that the SP had misconfigured our IdP registration on their end. Good luck!

Re: [cas-user] InCommon and NIH changes

2021-03-11 Thread Mike Osterman
found this from a couple of > months ago that looks promising given that Misagh wrote it: > https://fawnoos.com/2020/12/07/cas63x-saml2-mfa-refeds-duo/ > > On Wed, 2021-03-10 at 15:19 -0800, Mike Osterman wrote: > > For those that are using CAS SAML IdP as their InCommon IdP (we are

Re: [cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread Mike Osterman
don't make the values you need to know to setup the metadata > known anywhere obvious. > > Depending on what version you are on, the legacy method might be > supported, but it will get in the way of normal SAML 2 IdP operations. > > On Wed, 2021-03-10 at 14:54 -0800, Mike Osterma

[cas-user] InCommon and NIH changes

2021-03-10 Thread Mike Osterman
For those that are using CAS SAML IdP as their InCommon IdP (we are almost there but haven't made the switch), there are some upcoming requirements (September 21, 2021) for users of electronic Research Administration (eRA):

Re: [cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread Mike Osterman
is a previous post on this list on how to do it the new way. I have > internal documentation that I can turn into external documentation tonight > and post the link back here. > > On Wed, 2021-03-10 at 13:58 -0800, Mike Osterman wrote: > > We're looking to migrate from the now legacy (fro

[cas-user] Sample SAML2 service definition for Google Apps?

2021-03-10 Thread Mike Osterman
We're looking to migrate from the now legacy (from a supported versions perspective) Google Apps Integration ( https://apereo.github.io/cas/5.3.x/integration/Google-Apps-Integration.html) to a generic SAML2 service configuration. Our current service config is very sparse: { "@class" :

Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread Mike Osterman
ogs to see the request(s). > I set my local with very short TGT life time to test repeated login and > ticket expiry behaviour (this would not be practical in production): > > cas.ticket.tgt.maxTimeToLiveInSeconds=300 > cas.ticket.tgt.timeToKillInSeconds=120 > > Ray >

Re: [cas-user] Re: Per Service Ticket Expiration in 5.2.x?

2021-03-05 Thread Mike Osterman
Hi Bill, I was dealing with people getting logged out of Canvas frequently, and ended up changing a couple config properties. I had our CSM team set the Canvas-side timeout really high, but it didn't work. There's something unusual about the way the Canvas application interacts with CAS protocol. I

Re: [cas-user] Shibboleth and CAS

2020-11-13 Thread Mike Osterman
Hi Nathan, I highly expect that #2 is why it's not yet working. Java, by default, never lets go of a DNS resolution record until the application restarts. You have to pass an argument at startup of your CAS application to indicate an expiry TTL. I did this recently on our CAS server when we did

[cas-user] Re: [cas-dev] Release Announcement: CAS Security Patches

2020-10-15 Thread Mike Osterman
Thanks, Jérôme! Based on the opening statement of "affects the handling of secret keys with Google Authenticator for multifactor authentication" is it safe to assume that this only affects CAS implementations that use Google Authenticator for MFA (as opposed to Duo or another MFA implementation)?

Re: [cas-user] SAML2.0 deployment

2020-08-31 Thread Mike Osterman
Hi Umut, I looked at our Zoom configuration with our 5.3.x CAS IdP, and this sounds like it might be a question of a couple Zoom SSO properties. Here's what we have in our Zoom SSO config: Sign-in page URL: {REPLACE-WITH-CAS-BASE-URL}/idp/profile/SAML2/Redirect/SSO (this is also the

Re: [cas-user] Any CAS + Canvas schools having problems with frequent Canvas session timeouts?

2020-08-24 Thread Mike Osterman
vel="error" /> > > Ray > > On Fri, 2020-08-21 at 19:43 -0700, Mike Osterman wrote: > > Disclaimer: I know this is a CAS list, not a Canvas list, but the > combination of the two is having issues, and I've run out of road working > with Instructure support. >

[cas-user] Re: Any CAS + Canvas schools having problems with frequent Canvas session timeouts?

2020-08-21 Thread Mike Osterman
issues. > Regards, > EWG > > On Friday, August 21, 2020 at 10:43:23 PM UTC-4 Mike Osterman wrote: > >> Disclaimer: I know this is a CAS list, not a Canvas list, but the >> combination of the two is having issues, and I've run out of road working >> with Instructure suppor

[cas-user] Any CAS + Canvas schools having problems with frequent Canvas session timeouts?

2020-08-21 Thread Mike Osterman
Disclaimer: I know this is a CAS list, not a Canvas list, but the combination of the two is having issues, and I've run out of road working with Instructure support. Late last semester, we started experiencing issues where Canvas users were getting logged out frequently. I believe it started

Re: [cas-user] Re: CAS Release/Security Announcements

2020-08-14 Thread Mike Osterman
I asked pretty much the same question as Dustin about a week ago: https://groups.google.com/a/apereo.org/g/cas-user/c/xTu0yzJQHBo I hope we don't have to use an RSS reader to get alerts about security vulnerabilities. To Dustin's (and my) point, the documented security announcement paths

[cas-user] Current location for CAS public security announcements?

2020-08-08 Thread Mike Osterman
I came across this announcement on an RSS feed: https://apereo.github.io/2020/07/24/credvuln/ I searched for it on the public security list ( https://groups.google.com/a/apereo.org/forum/#!forum/cas-appsec-public) listed here: https://apereo.github.io/cas/Mailing-Lists.html And I didn’t see any

[cas-user] 5.3.x SAML2 + OverDrive, anyone?

2020-08-07 Thread Mike Osterman
I'm having difficulty configuring a SAML2 integration to work with the OverDrive SP, and I'm wondering if anyone has a (redacted as needed) working configuration they'd be willing to share? Thank you! Mike

Re: [cas-user] Re: groovyScript: expecting String concatenation, getting array?

2020-05-07 Thread Mike Osterman
That did it--thanks! On Thu, May 7, 2020 at 1:04 AM Misagh Moayyed wrote: > Try: > > "groovy { return attributes['wcWhitmanId'][0] + '@whitman.edu' }" > > "wcWhitmanId'" is resolved internally as a multi-valued attribute. > > > On Thursday, May 7

[cas-user] groovyScript: expecting String concatenation, getting array?

2020-05-06 Thread Mike Osterman
Hi all, I'm setting up a SAML2 service and running into unexpected behavior with the syntax for building the PrincipalID using the GroovyRegisteredServiceUsernameProvider. Here's what I'm attempting to do: [snip] "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",

[cas-user] Using Principal-Id variable in configuration?

2020-03-12 Thread Mike Osterman
Given that our users sometimes interpret "username" to be their email address, we added this ldap filter to our user matching: cas.authn.ldap[0].searchFilter=(|(uid={user})(mail={user})) That way, if they enter either "username" or "usern...@whitman.edu" they'll be found correctly. We've just

Re: [cas-user] Re: Trying to determine why CAS is returning an encoded attribute to SAML SP

2020-02-04 Thread Mike Osterman
hub.com/apereo/cas/blob/master/docs/cas-server-documentation/installation/Configuring-SAML2-Authentication.md . Thanks again for the troubleshooting pointers! -Mike On Wed, Jan 29, 2020 at 2:22 PM Mike Osterman wrote: > Thanks, Misagh! Responses below: > > On Wed, Jan 29, 2020 at 2:23 AM

[cas-user] Blackboard Transact SAM/E-Accounts SAML service?

2020-02-04 Thread Mike Osterman
We're looking to transition the few SAML services we have on our Shibboleth IdP over to CAS 5.3.x, and so far, it's been great. I realize we can bridge Shib to CAS, but running one SSO service instead of two would reduce our overall maintenance. We've run into a new service, however, that says

Re: [cas-user] Re: Trying to determine why CAS is returning an encoded attribute to SAML SP

2020-01-29 Thread Mike Osterman
Thanks, Misagh! Responses below: On Wed, Jan 29, 2020 at 2:23 AM Misagh Moayyed wrote: > >> None of this would be a big deal if we hadn't run into a bizarre problem >> that the encoded attribute being sent *CHANGED*. >> > > It would be helpful to describe the steps you took to create/duplicate

[cas-user] Trying to determine why CAS is returning an encoded attribute to SAML SP

2020-01-25 Thread Mike Osterman
Hello, I've been trying to determine for several hours now why a SAML-based SP is being sent different values of the Id as part of the authentication flow. Here's a sample of the "WHO" line from a single login in transaction: WHO: usern...@whitman.edu WHO: usern...@whitman.edu WHO:

Re: [cas-user] Re: [CAS 6.1] Base64 decoding failed / incorrect header check

2020-01-25 Thread Mike Osterman
Hi all, Just another piece to the puzzle... We have been on 5.3.x for a while, but it wasn't until we added and deployed support for Google Apps that we started seeing this error. Note that not too far down the error stack you find this line: "at

[cas-user] Tips for changing Google Apps 3rd-party SSO - CAS 5.3.x

2020-01-08 Thread Mike Osterman
We're finally getting up to CAS 5.3.x, and for a variety of reasons, we built a new server with a different host name. As part of the transition, we'll be updating the "Third-party identity provider" settings in Google Apps with the new URL and keys. As I'm sure others have gone through this, so

[cas-user] Return uid in attribute list?

2019-08-14 Thread Mike Osterman
Hello, We're new to "modern" CAS (moving from 3.x to 5.x), and have run into an issue. We configured an attribute release filter to return mail & uid: "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", "allowedAttributes" : [