[cas-user] Re: REST authn with X.509

2021-04-14 Thread Petr Gašparík - AMI Praha a.s.
Solved. Attributes need to be defined in the attribute resolution configuration - if nothing is used, then all attributes are fetched EXCEPT for some (e.g. operational) https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap On Wednesday, April 14, 2021 at 2:48:41 PM UTC+

[cas-user] REST authn with X.509

2021-04-14 Thread Petr Gašparík - AMI Praha a.s.
Hi, we use *X.509 authentication on the REST interface* of Apereo with an LDAP repository for attribute fetching (X509CredentialsAuthenticationHandler). In general it works, but *we have trouble getting special attributes: nsRole, nsRoleDN and dn*. When the REST interface of Apereo is called with usernam

Re: [cas-user] Looking for IAM solution

2020-05-07 Thread Petr Gašparík - AMI Praha a.s.
Second option (IMHO better, but that's a point of view) is to use Evolveum's midPoint. It possesses a flexible authentication mechanism ( https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration), so you can use Apereo CAS as a SAML IdP and Evolveum midPoint as a SAML SP, for exam

Re: [cas-user] Problem with logout in case several nodes of CAS and several nodes of Keycloak are used

2020-01-15 Thread Petr Gašparík - AMI Praha a.s.
Hi Maksim, I have no experience with >2 nodes. A quick search on Google (because the Apereo docs have broken links) leads me to: https://www.ehcache.org/documentation/2.8/replication/rmi-replicated-caching.html best regards -- regards *Petr Gašparík* IT security consultant gsm: [+420] 603

Re: [cas-user] Problem with logout in case several nodes of CAS and several nodes of Keycloak are used

2020-01-15 Thread Petr Gašparík - AMI Praha a.s.
Maksim, you definitely need to set up High Availability with ticket registry replication: https://apereo.github.io/cas/6.1.x/high_availability/High-Availability-Guide.html#high-availability-guide-haclustering We use Ehcache for this (just two nodes), so we have: - cas.properties: cas.ticket.re

Re: [cas-user] Seamless login

2019-11-27 Thread Petr Gašparík - AMI Praha a.s.
Hi, the solution was not selected for the PoC. -- regards *Petr Gašparík* IT security consultant gsm: [+420] 603 523 860 e‑mail: petr.gaspa...@ami.cz *AMI Praha a.s.* Pláničkova 11, 162 00 Praha 6 tel.: [+420] 274 783 239 | web: www.ami.cz By the text of this e‑mail

Re: [cas-user] Seamless login

2019-08-28 Thread Petr Gašparík - AMI Praha a.s.
Oh! I know! https://apereo.github.io/cas/6.0.x/installation/Surrogate-Authentication.html#preselected It is done simply by +user in the REST authentication request, right? Brilliant! Petr On Wednesday, August 28, 2019 at 9:42:17 AM UTC+2, Petr Gašparík - AMI Praha a.s. wrote: > > Hi Misagh, > that's w

Re: [cas-user] Seamless login

2019-08-28 Thread Petr Gašparík - AMI Praha a.s.
Hi Misagh, that's what I don't know for sure. Can REST be used for issuing a TGT for a different user than the authenticated one? Like "sudo make TGT for userX"? I studied the wiki; I think the sudoer needs to know the user's password. -- regards *Petr Gašparík* solution architect gsm: [+420] 603 523 860 e‑m

[cas-user] Seamless login

2019-08-27 Thread Petr Gašparík - AMI Praha a.s.
Hi, in my proof of concept, I want a piece of code (a program library) to *log in a user to a CASified application without the user's password.* That could be done in this way: 1. the library authenticates to CAS with its login/password - CAS responds with OK/fail 2. the library requests to generate a TGT

Re: [cas-user] logout requests behind load balancer / 'REMOTE_ADDR'

2019-06-25 Thread Petr Gašparík - AMI Praha a.s.
Hi, it is pretty much possible. In our implementation, the load balancer is configured something like this: [image: image.png] -- regards *Petr Gašparík* solution architect gsm: [+420] 603 523 860 e‑mail: petr.gaspa...@ami.cz *AMI Praha a.s.* Pláničkova 11, 162 00 Praha 6 tel.: [+420] 274

Re: [cas-user] Documentation Recommends https

2017-12-05 Thread Petr Gašparík - AMI Praha a.s.
Hi Aarton, you can do it in the service JSON file. Just find the default one (HTTPSandIMAPS-1001.json) and change "serviceId" : "^(https|imaps)://.*", to "serviceId" : "^(http|https)://.*", -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz
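The "serviceId" value is a regular expression, and CAS will issue a service ticket and redirect the browser to any URL that matches it, so a loose pattern is effectively an open redirect that hands the ticket to whatever host the attacker names in the service parameter. The following is an added illustration, not code from the thread or from CAS: it models the match in Python, with the two patterns quoted in the reply above plus two constructed ones (an unescaped, unanchored host pattern and a properly escaped, end-anchored one). The probe URLs and the assumption of find-style matching are this example's own.

```python
import re

# Patterns in the form CAS stores them in a registered service's "serviceId".
# "default" and "opened_to_http" are the two quoted in the reply above; the
# other two are constructed here to show what the regex engine actually does.
PATTERNS = {
    "default": r"^(https|imaps)://.*",
    "opened_to_http": r"^(http|https)://.*",
    "unescaped_dot": r"^https://app.example.org",        # '.' is a wildcard, no '$'
    "anchored": r"^https://app\.example\.org(/.*)?$",     # escaped dots, end anchor
}

# Constructed probe URLs: the first is the legitimate app, the rest are hosts
# an attacker could register or control.
PROBES = [
    "https://app.example.org/login",
    "http://app.example.org/login",
    "https://evil.example.net/collect",
    "https://appXexample.org/",
    "https://app.example.org.evil.net/",
]


def is_authorized(service_url: str, service_id_pattern: str) -> bool:
    """Model CAS's service lookup: a service URL is accepted when the
    registered serviceId regex finds a match in it. re.search is used on
    the assumption of find() semantics, which is why the leading '^'
    (and a trailing '$') in the pattern matter."""
    return re.search(service_id_pattern, service_url) is not None


def accepted_probes(service_id_pattern: str) -> list:
    """Return the probe URLs a pattern would let through. Every URL in
    this list is one CAS would issue a service ticket for and redirect
    the browser to, so anything but the legitimate app is a leak."""
    return [u for u in PROBES if is_authorized(u, service_id_pattern)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:15} {pattern}")
        for url in accepted_probes(pattern):
            print(f"    accepts {url}")
```

Running it shows that only the anchored pattern accepts the legitimate app alone; the unescaped pattern also accepts `appXexample.org` and `app.example.org.evil.net`, and both catch-all patterns accept every probe. Opening the default to plain http additionally sends the ticket over a cleartext redirect, which is the concern the documentation's https recommendation is about.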

Re: [cas-user] Re: Configuring SPNEGO with CAS 5.2.0-RC3-SNAPSHOT

2017-09-07 Thread Petr Gašparík - AMI Praha a.s.
Hi Fabio, We also changed login-webflow.xml: -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

Re: [cas-user] Re: No Signing or Encryption Key

2017-08-17 Thread Petr Gašparík - AMI Praha a.s.
Don't forget, if the docs are wrong or missing, correct them and make a Pull Request. Thanks! -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

[cas-user] Property for password change URL

2017-08-02 Thread Petr Gašparík - AMI Praha a.s.
Hi, in CAS 4.2 there was this property: password.policy.url=https://password.example.edu/change I believe that it points to the URL where the user is redirected when his/her password is about to expire or has expired. *What is the name of this property in Apereo 5.1?* Thank you! Petr -- - CAS gitter

Re: [cas-user] question about conf files with 5.1

2017-06-29 Thread Petr Gašparík - AMI Praha a.s.
Yeah, autowiring in 5.x is a great servant... but a bad master :) -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

Re: [cas-user] how to upgradation from CAS 3.5.2 to CAS 5.0.

2017-06-28 Thread Petr Gašparík - AMI Praha a.s.
It will hurt. Better to reimplement it. A lot of changes... -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

Re: [cas-user] cas.sso.missingService and cas.sso.renewedAuthn

2017-06-21 Thread Petr Gašparík - AMI Praha a.s.
No, sorry. I was just hoping to look into the log file for something that hit me. -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

Re: [cas-user] cas.sso.missingService and cas.sso.renewedAuthn

2017-06-20 Thread Petr Gašparík - AMI Praha a.s.
Hi, what does the log file say? -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

Re: [cas-user] cas.sso.missingService and cas.sso.renewedAuthn

2017-06-20 Thread Petr Gašparík - AMI Praha a.s.
Hi, if you are upgrading from 3.5, be aware that a lot of things have changed (for example, service JSON files are not the default option). GlobalSSO works out of the box, so try to configure the CAS server from scratch in 5.1 -- regards Petr Gašparík solution architect gsm: [+420] 603 52

Re: [cas-user] CAS 5 - SPNEGO with LDAP fallback

2017-06-20 Thread Petr Gašparík - AMI Praha a.s.
*Solved*. It was on the client side. So, if you want to skip the login dialog, do this in every related zone (or all: internet, intranet, trusted) Custom level: User Authentication -> Logon -> Automatic logon with current user name and password [image: embedded image 1] -- regards Petr Gašparík

[cas-user] TGC Signing + Encryption in HA

2017-06-14 Thread Petr Gašparík - AMI Praha a.s.
Hi, What is the best practice for the signing and encryption key in an HA environment (2 CAS nodes behind a VIP router)? No signing and encryption works OK, but what if we want more security? Do we have to use the same encryption and signing keys? Does the TGC work this way (there's a hostname in the TGC value)? thanks!
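The practical constraint behind this question is that a TGC minted by one node is presented to whichever node the VIP routes the next request to, so every node must hold identical signing and encryption keys; a node with its own key rejects the peer's cookie and the user is sent back to the login form. The model below is an added illustration, not code from the thread or from CAS: it keeps only the signing half (HMAC-SHA256 over a base64url-encoded payload) and ignores encryption, which is a simplification of CAS's real cookie format, and the class, node and key names are invented for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CasNode:
    """One CAS server behind the VIP, holding the key it signs TGC values with.
    (Hypothetical model for this example; not CAS's own classes.)"""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self.signing_key = signing_key

    def issue_tgc(self, tgt_id: str) -> str:
        # The cookie carries the TGT id and the minting node, plus a MAC over the
        # encoded payload so a client cannot forge or alter it.
        payload = json.dumps({"tgt": tgt_id, "node": self.name}, separators=(",", ":")).encode()
        body = _b64url(payload)
        tag = hmac.new(self.signing_key, body.encode("ascii"), hashlib.sha256).digest()
        return f"{body}.{_b64url(tag)}"

    def validate_tgc(self, cookie: str):
        """Return the payload dict, or None when the MAC does not verify under
        this node's key (tampering, or a key mismatch between nodes)."""
        try:
            body, tag_text = cookie.split(".", 1)
            presented = _b64url_decode(tag_text)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.signing_key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return None
        return json.loads(_b64url_decode(body))


def ha_demo() -> dict:
    """Two nodes share one key (the HA requirement); a third has its own."""
    shared = secrets.token_bytes(32)
    node_a = CasNode("cas01", shared)
    node_b = CasNode("cas02", shared)
    node_c = CasNode("cas03", secrets.token_bytes(32))  # misconfigured: own key

    cookie = node_a.issue_tgc("TGT-1-example")
    _body, tag = cookie.split(".", 1)
    # Reuse the genuine tag on a different payload: must fail at any node.
    forged = json.dumps({"tgt": "TGT-2-other", "node": "cas01"}, separators=(",", ":")).encode()
    tampered = _b64url(forged) + "." + tag

    return {
        "same_node": node_a.validate_tgc(cookie) is not None,
        "peer_with_shared_key": node_b.validate_tgc(cookie) is not None,
        "peer_with_own_key": node_c.validate_tgc(cookie) is not None,
        "tampered_payload": node_b.validate_tgc(tampered) is not None,
        "garbage": node_b.validate_tgc("not-a-cookie") is not None,
    }


if __name__ == "__main__":
    for check, ok in ha_demo().items():
        print(f"{check:22} accepted={ok}")
```

The hostname embedded in the TGC value identifies the node that created the ticket; it does not change the verification, so the keys, not the hostnames, are what must be shared. Configure both keys explicitly and identically on every node rather than letting each node generate its own at startup.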

Re: [cas-user] SPNEGO Configuration

2017-06-06 Thread Petr Gašparík - AMI Praha a.s.
Hi, better *attach* the whole log file. P. -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

Re: [cas-user] CAS 5 - SPNEGO with LDAP fallback

2017-06-02 Thread Petr Gašparík - AMI Praha a.s.
Hi, I still have that *annoying login dialog* that I don't want to see. [image: embedded image 1] How to get rid of it? SPNEGO is working OK in the domain; I see the dialog only OUTSIDE of the AD domain. I mean: if SPNEGO fails, show LoginView *My configuration (details obfuscated):* *cas.properties:* ##

Re: [cas-user] HTTPSandIMAPS-10000001.json keeps coming back

2017-05-23 Thread Petr Gašparík - AMI Praha a.s.
That's exactly my question, which is not covered by the docs, AFAIK. Misagh or Dima, please let us know how to turn off the creation of these files. So far we use this workaround: in the overlay, create empty files in this location: src\main\resources\services\HTTPSandIMAPS-1001.json src\main\resources\s

Re: [cas-user] CAS 5 - SPNEGO with LDAP fallback

2017-04-06 Thread Petr Gašparík - AMI Praha a.s.
Hi, it is a browser dialog: [image: embedded image 1] We are trying to turn off NTLM, so I think it is in cas.properties: cas.spnego.ntlm.allowed=false -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6

[cas-user] CAS 5 - SPNEGO with LDAP fallback

2017-04-06 Thread Petr Gašparík - AMI Praha a.s.
Hi, we integrated Apereo CAS with AD via SPNEGO, with fallback to LDAP. It works like this: 1. Try SPNEGO auth 2. If it fails, show the browser dialog for Kerberos login (L/P from AD) 3. If it fails, show the login page for LDAP auth Now, how do we get rid of step 2? Use case: 1. Try SPNEGO

[cas-user] searchLocation in overlay?

2017-01-31 Thread Petr Gašparík - AMI Praha a.s.
Hi, is it possible to define searchLocation in the overlay project? ...so I can change file:///etc/cas/config right in the build. thanks! -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html - CAS documentation website

[cas-user] Gateway = proxy?

2017-01-11 Thread Petr Gašparík - AMI Praha a.s.
Hi, is the term "gateway" in the Jasig wiki the same as the term "proxy" in the Apereo wiki? I am looking for the man-in-the-middle scenario, where the app does not communicate directly with the CAS server. regards Petr Gašparík -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines:

[cas-user] Authentication with certificate

2017-01-02 Thread Petr Gašparík - AMI Praha a.s.
Hi, has anyone successfully *authenticated a user with a certificate* in a non-interactive way? Scenario: the Service Provider handles the CAS user certificate and CAS compares this certificate against LDAP/AD to find the matching user. If so, what approach did you use? SAML 2 or something else? Could you spare c

Re: [cas-user] CAS 4.1 - Routing logs to SysLog - is it possible

2016-12-08 Thread Petr Gašparík - AMI Praha a.s.
Martin, is that also applicable to CAS 4.1? Do you have experience with that? thanks, Petr -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

Re: [cas-user] Java versions client vs server

2016-12-07 Thread Petr Gašparík - AMI Praha a.s.
Thank you for your answer. To rephrase my question, can I use the latest CAS 5.0 client on Java 6 machines? -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

[cas-user] Java versions client vs server

2016-12-06 Thread Petr Gašparík - AMI Praha a.s.
Hi all, what is the dependency between the Java version on the CAS server and the CAS client? For example, if I have installed CAS server 5.0 in a Java EE 8 environment, and I want to connect a Java client running in a Java EE 6 environment, will it work? Or do I have to upgrade the client env to Java 8 first?

[cas-user] Logging events

2016-12-06 Thread Petr Gašparík - AMI Praha a.s.
Hi, is there a list of events in the log files? I searched the wiki but I have found only some sample like WHO: org.jasig.cas.support.oauth.authentication.principal.OAuthCredentials@6cd7c975 WHAT: TGT-9-qj2jZKQUmu1gQvXNf7tXQOJPOtROvOuvYAxybhZiVrdZ6pCUwW-cas01.example.org ACTION: TICKET_GRANTING_TICKET

Re: [cas-user] CAS 4x and gssapi

2016-05-19 Thread Petr Gašparík - AMI Praha a.s.
I don't think so. If it is not here: https://apereo.github.io/cas/4.2.x/ it is not anywhere. -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz

[cas-user] Converting App Logout to SLO

2016-04-05 Thread Petr Gašparík - AMI Praha a.s.
Hi, in my understanding, SLO ensures that once the user is logged out from the CAS server, s/he is also automatically logged out from the application. Please, help me understand it better: 1. Is it the best practice to point the "Log Out" button in the application to the "/cas/logout" URL? 2. /cas/logout lands on CAS

RE: [cas-user] Re: [cas-announce] CAS Survey

2016-03-03 Thread Petr Gašparík - AMI Praha a.s.
Sorry, cruel typo... ...so far we have NO problem :) As for the customers, I don't understand the question, but feel free to write to me in private. -- regards Petr Gašparík *From:* Vipin Jain [mailto:vjsat...@gmail.com] *Sent:* Thursday, March 3, 2016 1:59 PM *To:* Petr Gašparík - AMI Praha

RE: [cas-user] Re: [cas-announce] CAS Survey

2016-03-03 Thread Petr Gašparík - AMI Praha a.s.
Hi Vipin, We use CAS in Azure on a Tomcat Web component and so far we have problem. It uses REST authentication. -- regards Petr Gašparík *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Vipin Jain *Sent:* Thursday, March 3, 2016 1:42 PM *To:* Misagh Moayyed *Cc:

[cas-user] CAS 4.1.x: passing attributes from LDAP to app

2016-02-10 Thread Petr Gašparík - AMI Praha a.s.
Hi, I am trying to pass attributes from the LDAP authorization source to the app using the CAS 2.0 protocol. So far, only the username is passed. It seems that my configuration is wrong. Please help me correct it. I used Attributes release

[cas-user] How to replace SimplePrincipal? (4.0->4.1)

2016-02-08 Thread Petr Gašparík - AMI Praha a.s.
Hi, We have extended CAS with MFA in version 4.0. This piece of code worked OK, creating a new principal attrs.put(PRINCIPAL_ATTR_ROLES, roles); attrs.put(PRINCIPAL_ATTR_EMAIL_ADDRESS, emailAddress); logger.info("Creating new principal - username: {}, emailA

[cas-user] Web SSO between CAS protocol and OAuth

2016-01-21 Thread Petr Gašparík - AMI Praha a.s.
Hi, If I have two applications, - AppC connected to the CAS server via a CAS client (CAS protocol), - AppO connected to the CAS server via the OAuth protocol, does Web SSO work? Is a user logged into AppC automatically logged into AppO? If not, is it possible to do it in some way? This s

RE: [cas-user] Re: CAS 4.2.0 RC1 release announcement

2016-01-18 Thread Petr Gašparík - AMI Praha a.s.
Hi Misagh, As long as the wiki documentation is a part of the repository, there should also be a "Changelog" page for the new version, being filled in throughout the development of this version. Best regards, Petr PS: Misagh, I sometimes wonder - how many lives do you have? Being able to do so many things :)

RE: [cas-user] Re: duo integration with CAS

2016-01-17 Thread Petr Gašparík - AMI Praha a.s.
Hi, Please also note that DuoSecurity support should be out-of-the-box when 4.2 is out. It is now in the RC1 stage. https://wiki.jasig.org/display/CAS/CAS+4.2+Roadmap -- regards Petr Gašparík *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Pierce, Eric *Sent:* F

RE: [cas-user] Hazelcast management console

2016-01-14 Thread Petr Gašparík - AMI Praha a.s.
curl always worked for me like a standard browser when it came to cookie management. See http://curl.haxx.se/docs/http-cookies.html "Netscape once created a file format for storing cookies on disk so that they would survive browser restarts. curl adopted that file format to allow sharing the cookies

RE: [cas-user] Re: How to get CAS 4.1.3 war file from tar and zip files and how to enable SSL in apache tomcat in windows

2016-01-12 Thread Petr Gašparík - AMI Praha a.s.
Hi Pradeep. This is work for a System architect/Solution architect on the concept side, and a Developer on the proof-of-concept side. There are no short answers to your questions, as it takes some experience to get and understand them. I don't know your role as "Test Engineer" in this, as usually T

RE: [cas-user] Re: How to get CAS 4.1.3 war file from tar and zip files and how to enable SSL in apache tomcat in windows

2016-01-12 Thread Petr Gašparík - AMI Praha a.s.
Hi Pradeep, You got it right. That's all you can see on the default CAS UI. Everything else has to be implemented by you, the developer. Now, I would advise you to start learning more about CAS. This can be a good page to start with: http://jasig.github.io/cas/4.1.x/index.html. For example, this is how

Re: [cas-user] Re: How to get CAS 4.1.3 war file from tar and zip files and how to enable SSL in apache tomcat in windows

2016-01-12 Thread Petr Gašparík - AMI Praha a.s.
casuser/Mellon https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method It was funny to learn where that password came from :) As for SSL, do not forget to uncomment the SSL section in server.xml. If it doesn't help, dig deeper. regards,

Re: [cas-user] How to get CAS 4.1.3 war file from tar and zip files and how to enable SSL in apache tomcat in windows

2016-01-12 Thread Petr Gašparík - AMI Praha a.s.
...and for Tomcat SSL, I went through this every time and was successful: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html -- regards Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gaspa...@ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 7

[cas-user] CAS 4.1 - How to open to all services

2016-01-11 Thread Petr Gašparík - AMI Praha a.s.
Hi, according to the documentation, the CAS 4.1 server should by default be open to all services. However, when I try ?service=http://example.org, I get "Application Not Authorized". Can I open the CAS 4.1 server to all applications/services without using the CAS webapp management? Thank you! -- You received this

[cas-user] CAS client: TARGET={redirect_url} instead of SERVICE={redirect_url}

2016-01-04 Thread Petr Gašparík - AMI Praha a.s.
Hi, We use the CAS client as in https://wiki.jasig.org/display/CASC/Saml11TicketValidationFilter+Example. Authentication is OK, but the CAS server does not redirect back. It seems that the reason is that the CAS client generated TARGET={redirect_url} instead of SERVICE={redirect_url}. CAS server is 4.1.