Re: [cas-user] Hazelcast deployment architecture - secure tunnel between nodes?

2015-10-29 Thread Waldbieser, Carl
"cas-user" <cas-user@lists.jasig.org> Sent: Thursday, October 29, 2015 3:15:51 PM Subject: Re: [cas-user] Hazelcast deployment architecture - secure tunnel between nodes? On Mon, Oct 26, 2015 at 11:16:42AM -0400, Waldbieser, Carl wrote: > For those of you who have deploye

[cas-user] Hazelcast deployment architecture - secure tunnel between nodes?

2015-10-26 Thread Waldbieser, Carl
For those of you who have deployed Hazelcast, are you using a secure tunnel between CAS nodes (e.g. ipsec)? If so, do you monitor that the tunnel stays up, and how do you do that? Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College

Re: [cas-user] Access Denied, cas-management

2015-10-26 Thread Waldbieser, Carl
Looks like you authenticated successfully, but CAS is unable to authorize you to use the service. Not sure how it works in CAS4, but in 3.x you have to specifically configure a list of admin users. Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College - Original Message -

Re: [cas-user] Authorize users from another organisation

2015-10-23 Thread Waldbieser, Carl
If you want to support some kind of federated identity management (and it sounds like you do), using some kind of SAML2 based solution is probably going to be more straightforward than trying to adapt CAS to that space. Shibboleth is a prime example of a SAML-based solution, but there are

[cas-user] CAS behind proxy - Log client IP recorded at proxy

2015-10-16 Thread Waldbieser, Carl
When placing CAS behind an HTTP proxy, it is possible to include the client IP connecting to the proxy in an HTTP header that is passed on to the back end CAS service (e.g. X-Forwarded-For). Is it possible to configure CAS to log the value of such a header rather than the actual client IP

Re: [cas-user] mod_auth_cas

2015-10-13 Thread Waldbieser, Carl
of the session file expiring. What I am getting is nothing expires and nothing times out ever unless I close IE. I hate IE but that what the customer uses. Thanks -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Tuesday, October 13, 2015 12:36 PM To

Re: [cas-user] mod_auth_cas

2015-10-13 Thread Waldbieser, Carl
as still open. I think that CAS has a 2 hour hard timeout as well. 7200 seconds. This still leaves me with just the issue of this. How to hook SLO to delete the CAS ticket and then prox back to the web server and delete the temp file in mod_auth_cas? -Original Message- From: Waldbieser,

Re: [cas-user] mod_auth_cas

2015-10-13 Thread Waldbieser, Carl
Chris, Can you provide more detail? I.e. what is your expectation as to what is going to happen, and what actually happens? Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College - Original Message - From: "Chris Cheltenham" To: "cas-user"

Re: [cas-user] cas ticket expiration

2015-10-12 Thread Waldbieser, Carl
The /logout resource on the CAS server should destroy the TGT for that user. It should also destroy the corresponding TGC for the *cas server domain*. Apache + mod_auth_cas is an extra session for a cas client. From a user-agent point of view, this session appears to be part of the cas client

Re: [cas-user] cas 3.5.2 catalina logs

2015-10-07 Thread Waldbieser, Carl
I think the way to handle this is for your application to kill all cookies for your site, which would include the mod_auth_cas session. It goes something like this: 1) User clicks on logout button/link. 2) Script/program in your app clears out all cookies for the app domain (app session,

Re: [cas-user] mod_auth_cas

2015-09-15 Thread Waldbieser, Carl
Chris, It is really an Apache setting [1]. `Directory` indicates the enclosed directives apply to the underlying file system. `Location` indicates the enclosed directives apply to resources located outside of the file system. Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College

Re: [cas-user] CAS 2 protocol ticket validation issue

2015-08-27 Thread Waldbieser, Carl
success with passing attributes using the CAS 2 protocol? Thanks! ___ Juan Quintanilla UTS - Enterprise Group 305-348-6573 jquin...@fiu.edu From: Waldbieser, Carl waldb...@lafayette.edu Sent: Wednesday, August 26, 2015 2:09 PM To: cas-user

Re: [cas-user] CAS 2 protocol ticket validation issue

2015-08-26 Thread Waldbieser, Carl
In fact, this sounded so familiar, I realized I had written a shell script to do exactly that. It is attached as service_validate_curl.txt. Thanks, Carl - Original Message - From: waldbiec waldb...@lafayette.edu To: cas-user cas-user@lists.jasig.org Sent: Wednesday, August 26, 2015

Re: [cas-user] CAS 2 protocol ticket validation issue

2015-08-26 Thread Waldbieser, Carl
I forget whether the PHP CAS client DEBUG mode has a setting where you can see the raw response. That would be the thing to see. Otherwise, you make a cURL request with a valid TGC cookie to request an ST. Once you have it, you can make a second cURL request to validate it and see the

Re: [cas-user] problem with POST requests

2015-08-21 Thread Waldbieser, Carl
If you could go into more detail, that would probably help. Do you have a link or docs for the web service you are trying to use? Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College - Original Message - From: Mahantesh Prasad Katti mahantesh.ka...@indecomm.net To: cas-user

Re: [cas-user] mod_auth_cas - trust question

2015-08-13 Thread Waldbieser, Carl
, August 12, 2015 10:21:06 PM Subject: Re: [cas-user] mod_auth_cas - trust question On Wed, Aug 12, 2015 at 8:57 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: I still wasn't able to get using a folder of PEM files to work. Did you hash the files with OpenSSL's c_rehash?

Re: [cas-user] mod_auth_cas - trust question

2015-08-12 Thread Waldbieser, Carl
, Aug 12, 2015 at 2:59 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: I have mod_auth_cas protecting a web site. If I *don't* set `CASCertificatePath`, then everything works how I would expect (CAS authenticates user, service ticket validated, user identified to site via REMOTE_USER). However

Re: [cas-user] mod_auth_cas - trust question

2015-08-12 Thread Waldbieser, Carl
Subject: Re: [cas-user] mod_auth_cas - trust question On Wed, Aug 12, 2015 at 2:59 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: I have mod_auth_cas protecting a web site. If I *don't* set `CASCertificatePath`, then everything works how I would expect (CAS authenticates user, service ticket

[cas-user] mod_auth_cas - trust question

2015-08-12 Thread Waldbieser, Carl
I have mod_auth_cas protecting a web site. If I *don't* set `CASCertificatePath`, then everything works how I would expect (CAS authenticates user, service ticket validated, user identified to site via REMOTE_USER). However, if I set `CASCertificatePath` to the full path of a PEM file

[cas-user] Java CAS client and Trust Store

2015-08-05 Thread Waldbieser, Carl
Is there some way to tell the Java CAS client what trust store it should be using? I may be using the incorrect terminology, so put another way: Is there a way to tell the Java CAS client that I want it to trust the CA certificates in a particular keystore file (.jks file) rather than the

Re: [cas-user] Java CAS client and Trust Store

2015-08-05 Thread Waldbieser, Carl
for sslConfigFile here in the project's README/docs: https://github.com/Jasig/java-cas-client I don't know if that will stop the client from looking into the Java keystore though. Probably not. -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Wednesday

Re: [cas-user] Java CAS client and Trust Store

2015-08-05 Thread Waldbieser, Carl
...@unicon.net To: cas-user@lists.jasig.org Sent: Wednesday, August 5, 2015 11:55:32 AM Subject: RE: [cas-user] Java CAS client and Trust Store Yes, that should do it. -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Wednesday, August 5, 2015 8:37 AM To: cas

Re: [cas-user] Attribute repository with multiple different sources

2015-07-27 Thread Waldbieser, Carl
Geoffrey, Can you just map both 'uid' and 'cn' to 'UDC_IDENTIFIER'? I could see a potential issue with that if one directory supports both attributes and there would be some potential ambiguity about which attribute would actually end up being mapped. I am guessing there is likely to be a

Re: [cas-user] Querying CAS audit data with Splunk

2015-07-17 Thread Waldbieser, Carl
Not sure how the mail list likes attachments. I have attached a tarball cas-splunk.tgz that has several of the more useful dashboards. Nothing that follows every service access-- I think that will require some unusual joins. However, some of the statistics dashboards give some good high level

Re: [cas-user] Querying CAS audit data with Splunk

2015-07-17 Thread Waldbieser, Carl
Yes, I have some nice splunk dashboards for CAS I can share if there is interest. Though I can sympathize with Marvin about the output format. It required at the very least some newline mangling before splunk could ingest the logs very well. Something like: key1=value, key2=value,

Re: [cas-user] Querying CAS audit data with Splunk

2015-07-17 Thread Waldbieser, Carl
Also, here are my settings for cas from $SPLUNK_HOME/etc/apps/search/local/props.conf:
[cas]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
EXTRACT-cas_log_level =
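The two Splunk posts above describe the ingestion problem (multi-line CAS audit records that need merging before key=value extraction) and the props.conf fix (SHOULD_LINEMERGE with BREAK_ONLY_BEFORE on the timestamp). The following is an added example, not the poster's dashboards or config, that does the same merge and extraction in plain Python, reusing the exact BREAK_ONLY_BEFORE pattern from the post. The two log records are a constructed sample laid out in the style of CAS's inspektr audit trail; the field names (WHO, WHAT, ACTION, CLIENT IP ADDRESS, ...) are assumptions for the sample, not copied from the page.

```python
"""Merge multi-line CAS audit records into single events and extract fields.

Added example (not the mailing-list author's code). SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List

# Same break pattern as the props.conf snippet: a new event starts only on a
# line that opens with a log4j-style timestamp "YYYY-MM-DD HH:MM:SS,mmm".
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}")
# Timestamp and level on the first line of each event (the Splunk
# EXTRACT-cas_log_level equivalent).
HEADER = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) ")
# "KEY: value" lines inside the record body, e.g. "WHO: jdoe".
FIELD = re.compile(r"^(?P<key>[A-Z][A-Z ]+?):\s*(?P<value>.*)$")

# Constructed sample: two audit records, each spanning several lines.
SAMPLE_LOG = """\
2015-07-17 09:12:01,512 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: jdoe
WHAT: ST-12-abcdef-cas.example.net
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jul 17 09:12:01 EDT 2015
CLIENT IP ADDRESS: 203.0.113.7
SERVER IP ADDRESS: 192.0.2.10
=============================================================

2015-07-17 09:12:02,009 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [jdoe]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jul 17 09:12:02 EDT 2015
CLIENT IP ADDRESS: 198.51.100.23
SERVER IP ADDRESS: 192.0.2.10
=============================================================
"""


def merge_events(text: str) -> List[str]:
    """Group lines into events; a timestamp-led line begins a new event."""
    events: List[List[str]] = []
    for line in text.splitlines():
        if EVENT_START.match(line):
            events.append([line])
        elif events:
            events[-1].append(line)
        # Lines before the first timestamp are dropped, as Splunk would.
    return ["\n".join(e) for e in events]


def parse_event(event: str) -> Dict[str, str]:
    """Turn one merged event into a flat dict of key=value fields."""
    lines = event.splitlines()
    fields: Dict[str, str] = {}
    m = HEADER.match(lines[0])
    if m:
        fields["timestamp"] = m.group("ts")
        fields["cas_log_level"] = m.group("level")
    for line in lines[1:]:
        fm = FIELD.match(line)
        if fm:
            # Normalise "CLIENT IP ADDRESS" -> "client_ip_address".
            key = fm.group("key").strip().lower().replace(" ", "_")
            fields[key] = fm.group("value").strip()
    return fields


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    return [parse_event(e) for e in merge_events(text)]


def failed_logins_by_ip(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count AUTHENTICATION_FAILED records per client IP (a simple brute-force signal)."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.get("action") == "AUTHENTICATION_FAILED":
            ip = r.get("client_ip_address", "?")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_LOG):
        # One flat "key1=value, key2=value" line per event, ready for ingestion.
        print(", ".join(f"{k}={v}" for k, v in rec.items()))
```

Once each record is one flat line, the per-IP failure count above is the kind of query that becomes a one-liner in Splunk (stats count by client_ip_address where action=AUTHENTICATION_FAILED).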

Re: [cas-user] Inconsistant Ldap Authentication Failure

2015-07-15 Thread Waldbieser, Carl
Rebecca, On the LDAP side, do the LDAP logs agree that invalid credentials was presented? Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College - Original Message - From: Rebecca Fountain rfount...@tacomacc.edu To: cas-user@lists.jasig.org Sent: Wednesday, July 15, 2015

Re: [cas-user] CAS SSO User stuck on Login Page

2015-07-10 Thread Waldbieser, Carl
If you crank up the log levels on Tomcat, you should see an HTTP POST in the access logs. That would indicate the credentials are delivered successfully to the CAS application. Do you see any evidence in your LDAP logs that an LDAP connection was dropped mid-stream? Thanks, Carl Waldbieser

Re: [cas-user] Problem with CAS Clustering and LT parameter

2015-07-06 Thread Waldbieser, Carl
Dave, We are going ahead with sticky sessions behind an nginx proxy. Authentication at the CAS server is not RESTful due to (I believe) the Spring conversational state. A shared session would be one way to accomplish that, but that seems like a rather complex solution to me. We've tested with

Re: [cas-user] Help with CAS 4.0 AD

2015-06-30 Thread Waldbieser, Carl
Mike, Are you sure it is not some kind of ACL issue on the AD side? When one account can cause the system to behave correctly but another cannot, it usually boils down to a permission issue. If LDAP logs are inaccessible or difficult to decipher, I sometimes insert an LDAP proxy between my

Re: [cas-user] Help with CAS 4.0 AD

2015-06-30 Thread Waldbieser, Carl
) ldap.authn.format=%s...@fuller.edu Thanks for taking a look at this. On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: Mike, Could you post the non-sensitive parts of your LDAP configuration? We are using CAS 3.x and using OpenLDAP so it is not necessarily

Re: [cas-user] Help with CAS 4.0 AD

2015-06-30 Thread Waldbieser, Carl
Mike, Could you post the non-sensitive parts of your LDAP configuration? We are using CAS 3.x and using OpenLDAP so it is not necessarily a good match, but our settings look like: # == LDAP Authentication settings == ldap.authentication.filter=uid=%u

Re: [cas-user] Help with CAS 4.0 AD

2015-06-30 Thread Waldbieser, Carl
to authenticate the user. Thanks, Mike On Tue, Jun 30, 2015 at 1:17 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: Mike, I did notice this while going over the instructions: The following configuration authenticates users by sAMAccountName without performing a search, which requires

Re: [cas-user] Embedding username info in Service ticket

2015-06-29 Thread Waldbieser, Carl
Service ticket validation is more or less integral to how CAS works. Maybe if you could explain a bit more in depth what you are trying to accomplish, it might make more sense to the members of the community, and you could receive better advice. Also, why do you believe there would be some

Re: [cas-user] Bugfix for phpCAS _isHttps()

2015-06-08 Thread Waldbieser, Carl
Phil, You could issue a pull request on GitHub: https://github.com/Jasig/phpCAS Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College - Original Message - From: Phil Romov pro...@harryfox.com To: cas-user@lists.jasig.org Sent: Monday, June 8, 2015 10:56:41 AM Subject:

Re: [cas-user] Help with Attributes

2015-06-05 Thread Waldbieser, Carl
Jason, What do you put for the baseDN when it *does* work? Something like `ou=physics,dc=test,dc=com`? Are you able to use a generic LDAP query tool (e.g. `ldapsearch`) to query from both base DNs using the *same* credentials that CAS is trying to use? It sounds like it could be an ACL

Re: [cas-user] Problem with JSON Services Registry

2015-06-05 Thread Waldbieser, Carl
Jason, Is this for CAS server 4.x? To clarify, are you saying that any service entries you add dynamically via the web interface end up in the JSON file, but no longer appear in the web interface? Is CAS accepting login requests for those services or not? Thanks, Carl Waldbieser ITS Systems

Re: [cas-user] Problem with JSON Services Registry

2015-06-05 Thread Waldbieser, Carl
with JSON Services Registry This is for CAS 3.5.3. Yes, any service entries added via the web interface end up in the JSON file but not in the web interface. CAS does not authorize the websites that are added. On Fri, Jun 5, 2015 at 12:11 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: Jason

Re: [cas-user] debugging AUTHENTICATION_FAILED

2015-05-29 Thread Waldbieser, Carl
how to enable it It might also be something to do with tomcat, as I copied over the entire webapps/cas directory from an older working version, and it doesn’t work on my new tomcat install. Really puzzled. Any pointers are appreciated. Thanks! Phil On 5/28/15, 9:28 AM, Waldbieser, Carl waldb

Re: [cas-user] debugging AUTHENTICATION_FAILED

2015-05-29 Thread Waldbieser, Carl
to modify the deployed war. Set org.jasig or other appropriate packages to DEBUG. Depending on your configuration, logs will be written to cas.log or tomcat's log directory, etc. -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Friday, May 29, 2015 11:13 AM

Re: [cas-user] debugging AUTHENTICATION_FAILED

2015-05-28 Thread Waldbieser, Carl
pointing to the logs! At this point I might try to sniff the network traffic instead :X Any other ideas are welcome Thanks Phil On 5/26/15, 3:18 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: Phil, Can you tell if your CAS instance is actually connecting to your MySQL database

Re: [cas-user] debugging AUTHENTICATION_FAILED

2015-05-26 Thread Waldbieser, Carl
Phil, Can you tell if your CAS instance is actually connecting to your MySQL database to authenticate? Can you look at the MySQL query log to see what queries your CAS instance is making against it? https://dev.mysql.com/doc/refman/5.1/en/query-log.html Thanks, Carl Waldbieser ITS Systems

Re: [cas-user] phpCAS get Ldap Attributes

2015-04-28 Thread Waldbieser, Carl
You need to use the CAS v3.0 protocol, or there is a hack that lets you use attributes with the CAS v2.0 protocol. Since you are using the v4.0 server, I would just use the v3.0 services. Thanks, Carl Waldbieser ITS System Programmer Lafayette College - Original Message - From: Fredy

Re: [cas-user] CAS Nginx

2015-04-22 Thread Waldbieser, Carl
PM, Waldbieser, Carl waldb...@lafayette.edu wrote: We use nginx in front of CAS-protected services at Lafayette. Can you share any details of your setup? Do you have just a single CAS node? Where does the communication break down? Can you not browse to CAS? Does the redirect to the service

Re: [cas-user] CAS Nginx

2015-04-21 Thread Waldbieser, Carl
We use nginx in front of CAS-protected services at Lafayette. Can you share any details of your setup? Do you have just a single CAS node? Where does the communication break down? Can you not browse to CAS? Does the redirect to the service fail? Is the service not able to perform the back

Re: [cas-user] webservice authentication via cas

2015-04-07 Thread Waldbieser, Carl
Nancy, If you use the RESTful API, I think your robot would need to present a credential to CAS to authenticate. If you are using proxy-CAS, the user presents a credential to the CAS server and then some service the user authenticates to via CAS is allowed to authenticate to another service

Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine , Java Cas Client other machine

2015-03-25 Thread Waldbieser, Carl
to create another own CA or do I have to import the server CA into $JAVA_HOME/jre/lib/security/cacerts (client)?? Sorry but all this is new for me!! Thanks Gianluca On Tuesday, March 24, 2015 16:29:55 UTC+1, Waldbieser, Carl wrote: Gianluca, Is this a development environment

Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine , Java Cas Client other machine

2015-03-25 Thread Waldbieser, Carl
*mydomain.crt* -keystore *keystore.jks* Thanks Gianluca On Wednesday, March 25, 2015 14:21:07 UTC+1, Waldbieser, Carl wrote: Gianluca, For development, I like to use the openssl tools to create my own CA and use it to sign my own certificates rather than using a self-signed certificate

Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine , Java Cas Client other machine

2015-03-24 Thread Waldbieser, Carl
Gianluca, Is this a development environment or is it a production environment where users' web browsers need to trust the certificate? In the latter case, you will need to generate a private key, make a certificate request, and get the certificate signed by a Certificate Authority (CA). In a

Re: [cas-user] CAS 4.1 - ServiceID

2015-03-06 Thread Waldbieser, Carl
If you are using a Regex matcher, you need to end in something like '.*' ('.' means any character, '*' means zero or more times). Thanks, Carl Waldbieser ITS System Programmer Lafayette College - Original Message - From: Yannick MOLINET yann...@adn-systemes.fr To:
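The post above says the regex service ID must end in '.*'; the reason is that the matcher consumes the whole service URL, so a pattern without a trailing '.*' only matches the bare prefix. The following is an added example, not code from the post or from the CAS project, that reproduces that behaviour with Python's re.fullmatch (the assumption being that the server's Java matcher does a full-string match, which is what makes '.*' necessary) and then shows why the fix should not be to loosen the pattern: an unescaped '.' or a missing '/' after the host lets a look-alike hostname through. The URLs and patterns are constructed placeholders.

```python
"""Service-registry regex checks with full-match semantics.

Added example (not the mailing-list author's code and not CAS code).
Assumption: the server matches the entire service URL against the pattern,
which re.fullmatch reproduces here.
"""
import re
from typing import List, Tuple


def service_matches(pattern: str, service_url: str) -> bool:
    """True only if the whole service URL is consumed by the pattern."""
    return re.fullmatch(pattern, service_url) is not None


def check_patterns(patterns: List[str], url: str) -> List[Tuple[str, bool]]:
    """Evaluate several candidate registry patterns against one URL."""
    return [(p, service_matches(p, url)) for p in patterns]


# Constructed sample URLs (example.edu / attacker.test are placeholders).
LEGIT = "https://app.example.edu/login?next=%2Fhome"
ROGUE_HOST = "https://app.example.edu.attacker.test/login"
ROGUE_PATH = "https://attacker.test/app.example.edu/login"

# 1) No trailing '.*': with full-match semantics only the literal prefix
#    matches, so real service URLs carrying a path or query are rejected.
TOO_STRICT = r"^https://app\.example\.edu"

# 2) Trailing '.*' added, but the dots are unescaped and nothing terminates
#    the host, so "app.example.edu.attacker.test" also matches.
TOO_LOOSE = r"^https://app.example.edu.*"

# 3) Leading '.*' (or no anchor on a partial-match engine) lets the real
#    hostname appear anywhere, including inside an attacker's path.
MISSING_ANCHOR = r".*app\.example\.edu/.*"

# 4) Escaped dots, the host terminated by '/', then '.*' for path and query.
GOOD = r"^https://app\.example\.edu/.*"


if __name__ == "__main__":
    for url in (LEGIT, ROGUE_HOST, ROGUE_PATH):
        print(url)
        for pat, ok in check_patterns([TOO_STRICT, TOO_LOOSE, MISSING_ANCHOR, GOOD], url):
            print(f"  {'MATCH   ' if ok else 'no match'}  {pat}")
```

The practical rule that falls out of this: escape every literal '.', end the host with '/', and put the '.*' after that slash. A registry entry that matches a rogue host is exactly the "any service can use your CAS" problem, since the user is redirected to that host with a valid service ticket.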

Re: [cas-user] Logout using phpCAS

2015-02-19 Thread Waldbieser, Carl
test it out myself, but I don't have access to the application, nor any current PHP applications to test with at the moment. On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote: Ben, Likely, you also have some kind of PHP session for the application. = Generally speaking, logging

Re: [cas-user] Logout using phpCAS

2015-02-19 Thread Waldbieser, Carl
Ben, Likely, you also have some kind of PHP session for the application. = Generally speaking, logging out of CAS SSO does *NOT* log you out of any application sessions. = So you might want to clear any normal PHP session prior to calling `phpCAS::logout()`. Thanks, Carl Waldbieser ITS

Re: [cas-user] CAS - Cookies

2015-02-17 Thread Waldbieser, Carl
I have noticed the JSESSIONID cookie, typical for a lot of Java apps. Thanks, Carl Waldbieser ITS System Programmer Lafayette College - Original Message - From: Jayakumar Jayaraman india@gmail.com To: cas-user@lists.jasig.org Sent: Monday, February 16, 2015 12:24:40 PM Subject:

Re: [cas-user] ServiceTicket [...] does not exist. after Removing ticket [...] from registry

2015-02-17 Thread Waldbieser, Carl
=$SERVICE --data ticket=$ST $SERVICE_VALIDATE On Wed, 11 Feb 2015, Waldbieser, Carl wrote: Can you use a command line HTTP client like cURL[1] or httpie[2] to request an ST and validate it? Here is a unix shell script I use with httpie to inspect CAS validation responses: #! /bin

Re: [cas-user] ServiceTicket [...] does not exist. after Removing ticket [...] from registry

2015-02-11 Thread Waldbieser, Carl
Can you use a command line HTTP client like cURL[1] or httpie[2] to request an ST and validate it? Here is a unix shell script I use with httpie to inspect CAS validation responses:
#! /bin/sh
CAS_LOGIN=https://cas.example.net/cas/login;
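This post and the earlier "CAS 2 protocol ticket validation issue" reply both suggest requesting an ST by hand and then looking at the raw validation response. The following is an added example, not the poster's shell script, that does the offline half of that job in Python: it builds the /serviceValidate (or CAS 3.0 /p3/serviceValidate) request URL and parses the XML the server returns, so the same parser can be pointed at a response captured with curl or httpie. The three response bodies are constructed samples in the CAS 2.0/3.0 protocol format (namespace http://www.yale.edu/tp/cas); the hostnames, tickets and attribute names are placeholders.

```python
"""Build CAS validation requests and parse cas:serviceResponse documents.

Added example (not the mailing-list author's script). The response bodies
below are constructed samples; real servers add their own whitespace and
error text.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlencode

CAS_NS_URI = "http://www.yale.edu/tp/cas"
CAS_NS = {"cas": CAS_NS_URI}


@dataclass
class ValidationResult:
    ok: bool
    user: Optional[str] = None
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    error_code: Optional[str] = None
    error_message: Optional[str] = None


def validate_url(cas_base: str, service: str, ticket: str, p3: bool = False) -> str:
    """URL the client GETs to validate `ticket` for `service`.

    The service value must be byte-for-byte what was sent to /login, or the
    server answers INVALID_SERVICE. p3=True selects the CAS 3.0 endpoint,
    which is the one that returns attributes.
    """
    endpoint = "/p3/serviceValidate" if p3 else "/serviceValidate"
    return cas_base.rstrip("/") + endpoint + "?" + urlencode({"service": service, "ticket": ticket})


def parse_service_response(body: str) -> ValidationResult:
    """Parse a cas:serviceResponse into a success (user + attributes) or failure."""
    root = ET.fromstring(body)
    if root.tag != "{%s}serviceResponse" % CAS_NS_URI:
        raise ValueError("not a cas:serviceResponse document")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS)
        attrs: Dict[str, List[str]] = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:  # multi-valued attributes repeat the element
                name = child.tag.split("}", 1)[1]
                attrs.setdefault(name, []).append((child.text or "").strip())
        return ValidationResult(ok=True, user=user, attributes=attrs)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ValidationResult(ok=False, error_code=failure.get("code"),
                                error_message=(failure.text or "").strip())
    raise ValueError("serviceResponse with neither success nor failure element")


# Constructed sample responses.
SUCCESS_V2 = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SUCCESS_V3 = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>it</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# What a second validation of an already-consumed ST looks like: the ticket
# is single use, so the replay is rejected.
REPLAYED_TICKET = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(validate_url("https://cas.example.net/cas/", "https://app.example.edu/", "ST-1-abc", p3=True))
    for body in (SUCCESS_V2, SUCCESS_V3, REPLAYED_TICKET):
        print(parse_service_response(body))
```

A client that validates the same ST twice will see the third response the second time; that pattern in the CAS logs ("ServiceTicket ... does not exist" right after "Removing ticket ... from registry") is the client misconfiguration the thread is about.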

Re: [cas-user] ServiceTicket [...] does not exist. after Removing ticket [...] from registry

2015-02-11 Thread Waldbieser, Carl
Yes. The service ticket can only be used once. Once a service validates the service ticket, it ought to establish some kind of local application specific session. The fact that the ticket is being validated twice suggests that maybe the client is configured incorrectly. Thanks, Carl Waldbieser

Re: [cas-user] How does CAS perform Session Management?

2015-02-11 Thread Waldbieser, Carl
On Wed, Feb 11, 2015 at 10:01 AM, Durga Prasad cdp@gmail.com wrote: Hi Carl, Superb explanation. Really articulated well. Thanks much. Regards, Prasad On Mon, Feb 9, 2015 at 10:33 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: Prasad, 1. CAS uses a Ticket Granting cookie

Re: [cas-user] How does CAS perform Session Management?

2015-02-09 Thread Waldbieser, Carl
Prasad, 1. CAS uses a Ticket Granting cookie (TGC) to track the TGT issued during authentication. 2. CAS does not specifically protect from these attacks. However, if you are using TLS as the transport layer for your services, that protects against MITM and replay attacks. Cross Site

Re: [cas-user] Cas client gateway mode

2015-02-02 Thread Waldbieser, Carl
] Cas client gateway mode No, it doesn't have the extra parameters, if I change the form to submit data by GET method, then it works OK, but when I do it by POST, extra parameters are discarded. On Monday, February 2, 2015, 16:24:40 (UTC-2), Waldbieser, Carl wrote: Carlos, When

Re: [cas-user] Cas client gateway mode

2015-02-02 Thread Waldbieser, Carl
, somehow it doesn't preserve post parameters. Maybe that's the way it is supposed to work, but if that is the case, I need to know how to submit with POST method without losing the form data. On Monday, February 2, 2015, 17:54:19 (UTC-2), Waldbieser, Carl wrote: Carlos, Are you saying

Re: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml

2015-02-02 Thread Waldbieser, Carl
Linda, Is there any indication (e.g. from proxy logs) that the accounts that are failing over are actually making requests against the proxy? In other words, do you have any indication whether the issue is that the fail over requests are never being made or that the requests are being made

Re: [cas-user] Cas client gateway mode

2015-02-02 Thread Waldbieser, Carl
Carlos, When the user's browser is redirected to CAS for authentication, does the `service` parameter already have the extra parameters embedded and properly encoded in it? I.e., can you use something like [developer tools] - [network] in Chrome and show us what the HTTP request parameters

Re: [cas-user] question about Service Management

2015-01-27 Thread Waldbieser, Carl
Chris, It is true, you don't need to use a Service Manager, but that means that *any* service can use your CAS. This might not be what you want-- a rogue service provider could leverage your CAS in order to fool your users into thinking it is a trustworthy service. Once authenticated, it may

Re: [cas-user] CAS Client Proxy distributed cache size

2015-01-23 Thread Waldbieser, Carl
Adam, Proxy Granting tickets *are* reused. Service providers get a PGT during proxy validation, and then can use them to request proxy tickets multiple times. Proxy Tickets (PTs) are one use only, just like service tickets (STs). The current protocol spec [1] states (section 3.3.1)

Re: [cas-user] Authentication problems using MySQL with CAS 4.0.0 and Tomcat 8

2015-01-21 Thread Waldbieser, Carl
Chris, What happens in this scenario? 1) Restart Tomcat. 2) Browse to login page (assuming you mean CAS login with no service) = SUCCESS 3) Use another browser, log in as *same user* as in #2 = ??? Not sure, but I think plain text encoding for the password is probably a default. For LDAP

Re: [cas-user] Authentication problems using MySQL with CAS 4.0.0 and Tomcat 8

2015-01-21 Thread Waldbieser, Carl
= FAIL #-Original Message- #From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] #Sent: Wednesday, January 21, 2015 9:20 AM #To: cas-user@lists.jasig.org #Subject: Re: [cas-user] Authentication problems using MySQL with CAS 4.0.0 #and Tomcat 8 # #Chris, # #What happens in this scenario

Re: [cas-user] certifications

2015-01-19 Thread Waldbieser, Carl
Chris, Here are some links that might help: http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work http://datacenteroverlords.com/2011/09/25/ssl-who-do-you-trust/ The basic idea is that when you surf the web, your browser connects to a web server over a TCP

Re: [cas-user] LockTimeoutException: Unable to acquire conversation lock after 30 seconds

2015-01-09 Thread Waldbieser, Carl
Zac, This SO question/answer describes what the error is trying to tell you: http://stackoverflow.com/questions/9533786/spring-web-flow-locktimeoutexception So it looks like the Spring Webflow conversation is taking too long. As the answer points out, troubleshooting is tricky because the

Re: [cas-user] Extra Attributes from Active Directory

2015-01-08 Thread Waldbieser, Carl
to use the LdapPersonAttributeDao in the attributeRepository. What else do I need to do to enable them at the server? Thanks for your help. Mike On Thu, Jan 8, 2015 at 12:10 PM, Waldbieser, Carl waldb...@lafayette.edu wrote: Mike, Try turning on debug output in the client with something like

Re: [cas-user] Extra Attributes from Active Directory

2015-01-08 Thread Waldbieser, Carl
Mike, Try turning on debug output in the client with something like `phpCAS::setDebug($debug_file);`. Then you can see if the attributes are being returned. If not, you may need to enable them at the server. Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College - Original

Re: [cas-user] Rapid Memory Consumption and Interpreting Heap Dump

2014-12-04 Thread Waldbieser, Carl
I found login rate limiting info here: https://wiki.jasig.org/display/CASUM/Throttling+Login+Attempts Is there a means to limit how many ST validations are allowed per user in a given unit of time? Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College - Original Message

Re: [cas-user] Rapid Memory Consumption and Interpreting Heap Dump

2014-12-04 Thread Waldbieser, Carl
Dave, This is more or less what happened to us. We received alerts from our monitoring systems that /var was filling up on our cas host. In our case, we had EHCache configured to dump to disk after a certain size limit was reached. We bounced the service and removed the ticket file. We

Re: [cas-user] Rapid Memory Consumption and Interpreting Heap Dump

2014-12-04 Thread Waldbieser, Carl
I looked back at the logs-- we actually ran into trouble because this account was requesting and validating *Proxy Granting Tickets*, so perhaps I spoke too soon. I would still be interested in limiting the number of *PGTs* that can be issued per user over a period of time, though. Thanks,

Re: [cas-user] Cas for Cognos

2014-12-03 Thread Waldbieser, Carl
-586-2369 -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Tuesday, December 02, 2014 12:52 PM To: cas-user@lists.jasig.org Subject: Re: [cas-user] Cas for Cognos Chris, The typical scenario is for the user to authenticate with CAS. The credentials

Re: [cas-user] Cas for Cognos

2014-12-03 Thread Waldbieser, Carl
: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Wednesday, December 03, 2014 9:24 AM To: cas-user@lists.jasig.org Subject: Re: [cas-user] Cas for Cognos Chris, So what is your service setup like? I.e. what CAS client are you using? For example, if you are using an Apache front end

Re: [cas-user] Cas for Cognos

2014-12-03 Thread Waldbieser, Carl
@lists.jasig.org Sent: Wednesday, December 3, 2014 9:59:43 AM Subject: RE: [cas-user] Cas for Cognos Carl, I'll give it a shot and let you know. Thanks Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu

Re: [cas-user] Cas for Cognos

2014-12-03 Thread Waldbieser, Carl
is very similar but none of seems to work for us. Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Wednesday, December 03, 2014 10:18 AM To: cas-user@lists.jasig.org Subject: Re: [cas-user

Re: [cas-user] Cas for Cognos

2014-12-03 Thread Waldbieser, Carl
are doing is very similar but none of seems to work for us. Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Wednesday, December 03, 2014 10:18 AM To: cas-user@lists.jasig.org Subject: Re

Re: [cas-user] Cas for Cognos

2014-12-03 Thread Waldbieser, Carl
Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Wednesday, December 03, 2014 10:52 AM To: cas-user@lists.jasig.org Subject: Re: [cas-user] Cas for Cognos Chris, Is the following relevant documentation for Cognos that you are working with? http://www.ibm.com

Re: [cas-user] Cas for Cognos

2014-12-03 Thread Waldbieser, Carl
Cheltenham cchelten...@swaintechs.com To: cas-user@lists.jasig.org Sent: Wednesday, December 3, 2014 2:10:16 PM Subject: RE: [cas-user] Cas for Cognos Carl, See below Thanks again. Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -Original Message- From: Waldbieser, Carl

Re: [cas-user] Cas for Cognos

2014-12-02 Thread Waldbieser, Carl
Isn't the whole point of CAS so that the service provider *does not get the user credentials*? Thanks, Carl Waldbieser ITS System Programmer Lafayette College - Original Message - From: Chris Cheltenham cchelten...@swaintechs.com To: cas-user@lists.jasig.org Sent: Tuesday, December 2,

Re: [cas-user] Cas for Cognos

2014-12-02 Thread Waldbieser, Carl
to log in twice which defeats the purpose of SSO. What service provider are you talking about? Thank You, Chris Cheltenham SwainTechs / HHS Cell# 267-586-2369 -Original Message- From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] Sent: Tuesday, December 02, 2014 10:49 AM To: cas

Re: [cas-user] CAS with User/Role webapp manager

2014-11-04 Thread Waldbieser, Carl
will redirect to C? Anyway I think it is possible to change the logic flow on CAS to redirect to webapp C. Another question: if I correctly modify CAS flow how can I have a SAML token on webapp C? Cheers, Federico On 03 Nov 2014 19:02 Waldbieser, Carl waldb...@lafayette.edu wrote: Federico, If all

Re: [cas-user] loginToken expiration

2014-11-04 Thread Waldbieser, Carl
3, 2014 11:01:20 AM UTC-5, Waldbieser, Carl wrote: From the protocol spec [1]: Its purpose is to prevent the replaying of credentials due to bugs in web browsers. [1] https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#35-login-ticket Thanks

Re: [cas-user] CAS with User/Role webapp manager

2014-11-04 Thread Waldbieser, Carl
? In the documentation related to Java CAS Client there isn't a Filter I can use to validate using CAS 3.0 protocol 2014-11-04 14:55 GMT+01:00 Waldbieser, Carl waldb...@lafayette.edu: Federico, CAS redirects you to the service parameter passed to the login screen. A could pass C's service URL

Re: [cas-user] loginToken expiration

2014-11-03 Thread Waldbieser, Carl
From the protocol spec [1]: Its purpose is to prevent the replaying of credentials due to bugs in web browsers. [1] https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#35-login-ticket Thanks, Carl Waldbieser ITS System Programmer Lafayette College -

Re: [cas-user] CAS with User/Role webapp manager

2014-11-03 Thread Waldbieser, Carl
Federico, It sounds like your users should authenticate with CAS to webapp A or B. Those services should request proxy granting tickets for webapp C. They should then request proxy tickets for webapp C and attempt to get the user's roles on a back channel. Your users would never browse to or

Re: [cas-user] CAS with User/Role webapp manager

2014-11-03 Thread Waldbieser, Carl
Waldbieser, Carl waldb...@lafayette.edu: Federico, It sounds like your users should authenticate with CAS to webapp A or B. Those services should request proxy granting tickets for webapp C. They should then request proxy tickets for webapp C and attempt to get the user's roles on a back

Re: [cas-user] CAS with User/Role webapp manager

2014-11-03 Thread Waldbieser, Carl
for those scenarios I want to protect some services without direct interaction of users. Can anything be done using CAS for my scenario? Thanks, Federico 2014-11-03 18:13 GMT+01:00 Waldbieser, Carl waldb...@lafayette.edu: Federico, When a user authenticates to C, can C transparently get the data

Re: [cas-user] Issue with Zope and CAS 4.0.0

2014-10-28 Thread Waldbieser, Carl
Dave, I haven't worked with Zope before, though I have heard of it. What CAS-client are your clients using? I would expect that if the SSL handshake failed, you wouldn't even see it in your server access logs. Thanks, Carl Waldbieser ITS System Programmer Lafayette College - Original

Re: [cas-user] Issue with Zope and CAS 4.0.0

2014-10-28 Thread Waldbieser, Carl
IS the CAS client. It seems to be some sort of Python-based portal with CAS client support built into it. I found some very old (ca 2005-2007) references to it in the JASig CAS documentation even, so it appears to have worked with CAS at least at some point. On 10/28/14 11:39 AM, Waldbieser, Carl

Re: [cas-user] CAS Server 4.0 Login webflow

2014-10-24 Thread Waldbieser, Carl
If your form pops up *after* the user enters credentials but *before* the user is redirected to the service, that will probably cause the service ticket (ST) to expire before it can be validated. STs typically have a short lifetime (~ 5-10 seconds). Thanks, Carl Waldbieser ITS System
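The two ticket properties discussed in this thread and in the loginToken thread above (a login ticket exists to stop a browser replaying credentials; a service ticket is short-lived and must be validated promptly) are easy to see in a small model. The following is an added example, not CAS's own ticket registry: ticket formats, lifetimes, the `FakeClock` and the function names are all assumptions made for the demonstration.

```python
"""Toy ticket registry modelling two CAS ticket properties (added example,
not CAS's own code; ticket formats, lifetimes and names are assumptions):

* A login ticket (LT) is single-use, so a browser that resubmits the login
  form (back button, refresh, a double POST) cannot replay the credentials.
* A service ticket (ST) is single-use and short-lived, so anything that
  delays the redirect to the service past the ST lifetime (an interstitial
  form, say) makes validation fail.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Ticket:
    id: str
    issued_at: float
    ttl: float                       # seconds the ticket stays valid
    service: Optional[str] = None    # bound service for an ST


class TicketRegistry:
    def __init__(self, lt_ttl: float = 120.0, st_ttl: float = 10.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._tickets: Dict[str, Ticket] = {}
        self._lt_ttl = lt_ttl
        self._st_ttl = st_ttl
        self._clock = clock

    def _issue(self, prefix: str, ttl: float, service: Optional[str] = None) -> str:
        tid = f"{prefix}-{secrets.token_urlsafe(16)}"
        self._tickets[tid] = Ticket(tid, self._clock(), ttl, service)
        return tid

    def _consume(self, tid: str, prefix: str) -> Optional[Ticket]:
        """Burn the ticket on its first use; return it only if it was live."""
        if not tid.startswith(prefix + "-"):
            return None
        ticket = self._tickets.pop(tid, None)   # single use: gone after this call
        if ticket is None or self._clock() - ticket.issued_at > ticket.ttl:
            return None
        return ticket

    def issue_login_ticket(self) -> str:
        return self._issue("LT", self._lt_ttl)

    def submit_credentials(self, lt: str, username: str, password: str,
                           check: Callable[[str, str], bool]) -> bool:
        """Credentials are only examined when accompanied by a fresh LT."""
        if self._consume(lt, "LT") is None:
            return False
        return check(username, password)

    def issue_service_ticket(self, service: str) -> str:
        return self._issue("ST", self._st_ttl, service)

    def validate_service_ticket(self, st: str, service: str) -> bool:
        ticket = self._consume(st, "ST")
        return ticket is not None and ticket.service == service


class FakeClock:
    """Deterministic clock so the expiry case can be shown without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo():
    clock = FakeClock()
    registry = TicketRegistry(clock=clock)
    service = "https://app.example.edu/login"       # assumed service URL

    def check(user: str, pw: str) -> bool:          # stand-in for the real authn handler
        return (user, pw) == ("carl", "s3cret")

    lt = registry.issue_login_ticket()
    first = registry.submit_credentials(lt, "carl", "s3cret", check)    # True
    replay = registry.submit_credentials(lt, "carl", "s3cret", check)   # False: LT spent

    st = registry.issue_service_ticket(service)
    clock.advance(3)
    validated = registry.validate_service_ticket(st, service)           # True
    revalidated = registry.validate_service_ticket(st, service)         # False: ST spent

    st2 = registry.issue_service_ticket(service)
    clock.advance(12)      # an interstitial form held the user past the ST lifetime
    late = registry.validate_service_ticket(st2, service)               # False: expired

    st3 = registry.issue_service_ticket(service)
    wrong = registry.validate_service_ticket(st3, "https://evil.example/")  # False
    return first, replay, validated, revalidated, late, wrong


if __name__ == "__main__":
    print(demo())
```

The last case (an ST presented by a different service than the one it was issued for) is the check that keeps a stolen ST from being cashed in elsewhere; it is not in the thread but follows directly from binding the ticket to the service at issue time.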

Re: [cas-user] Allowing non-https services

2014-10-22 Thread Waldbieser, Carl
Adam, Yes, CAS is only responding to an HTTP request during a /serviceValidate call, so it has no way of authenticating the requesting host. Thanks, Carl Waldbieser System Programmer Lafayette College - Original Message - From: Adam Causey apcau...@vcu.edu To: cas-user@lists.jasig.org

Re: [cas-user] Casifying Websphere 7.0

2014-10-20 Thread Waldbieser, Carl
Niva, Do you have any public facing infrastructure in place for which you could give us a URL, or are your services and CAS deployment all in a private development area? What should happen is if you give a URL like this:

Re: [cas-user] Has anybody done this?

2014-10-16 Thread Waldbieser, Carl
if a person can MITM an SSL webpage? I don't see how MFA would help either. Andy On Thu, 16 Oct 2014, Waldbieser, Carl wrote: The idea is if MITM is possible, this scheme falls down. The MITM can just present the same pictures. If it is just someone who phished a password, it does

Re: [cas-user] Has anybody done this?

2014-10-16 Thread Waldbieser, Carl
unless it had already authenticated the user. Andy On Thu, 16 Oct 2014, Waldbieser, Carl wrote: Or if I set up my phishing web site to look like your login page and pull your pictures off of your legitimate site. That is not MITM per se, but I am still positioning myself between

Re: [cas-user] Determine service URLs actively using CAS

2014-10-10 Thread Waldbieser, Carl
Adam, We feed our CAS log files to Splunk. It can show us some nice reports on service usage. I also use it to plot TGT creation on a map, which is sometimes interesting. Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College - Original Message - From: Adam Causey
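The two reports mentioned in this reply (which services are actually using CAS, and where TGTs are being created) can be pulled straight out of the audit trail before it ever reaches Splunk. The following is an added example, not CAS's or Splunk's code. The sample log is constructed, in the block-per-event "FIELD: value" layout CAS 4 writes to its audit log; treat that layout, the ACTION names and the "ST-... for <service>" convention as assumptions and adjust the regexes to match your own files.

```python
"""Parse a CAS-style audit trail and report service usage and TGT creations
per client IP (added example, not CAS's or Splunk's code). The sample log
is constructed; the block layout, ACTION names and "ST-... for <service>"
convention are assumptions about the CAS 4 audit trail format.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample (not real traffic). Four TGTs and three STs plus one
# failed login, which the reports must ignore.
SAMPLE_LOG = """\
=============================================================
WHO: carl
WHAT: TGT-1-aaaaaaaaaaaa-cas01
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 07 09:12:01 EDT 2014
CLIENT IP ADDRESS: 139.147.10.22
SERVER IP ADDRESS: 10.0.0.5
=============================================================
WHO: carl
WHAT: ST-1-bbbbbbbbbbbb-cas01 for https://moodle.example.edu/login/index.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 07 09:12:02 EDT 2014
CLIENT IP ADDRESS: 139.147.10.22
SERVER IP ADDRESS: 10.0.0.5
=============================================================
WHO: alice
WHAT: TGT-2-cccccccccccc-cas01
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 07 09:15:44 EDT 2014
CLIENT IP ADDRESS: 203.0.113.9
SERVER IP ADDRESS: 10.0.0.5
=============================================================
WHO: alice
WHAT: ST-2-dddddddddddd-cas01 for https://banner.example.edu/ssb/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 07 09:15:45 EDT 2014
CLIENT IP ADDRESS: 203.0.113.9
SERVER IP ADDRESS: 10.0.0.5
=============================================================
WHO: bob
WHAT: supplied credentials: [username: bob]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Oct 07 09:20:10 EDT 2014
CLIENT IP ADDRESS: 139.147.10.22
SERVER IP ADDRESS: 10.0.0.5
=============================================================
WHO: bob
WHAT: TGT-3-eeeeeeeeeeee-cas01
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 07 09:20:31 EDT 2014
CLIENT IP ADDRESS: 139.147.10.22
SERVER IP ADDRESS: 10.0.0.5
=============================================================
WHO: bob
WHAT: ST-3-ffffffffffff-cas01 for https://moodle.example.edu/course/view.php?id=7
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 07 09:20:32 EDT 2014
CLIENT IP ADDRESS: 139.147.10.22
SERVER IP ADDRESS: 10.0.0.5
=============================================================
"""

SEPARATOR = re.compile(r"^={5,}$", re.MULTILINE)
FIELD = re.compile(r"^([A-Z][A-Z ]+?):\s*(.*)$")
ST_FOR = re.compile(r"^ST-\S+ for (\S+)")


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Split the trail into events; each event is a dict of its FIELD: value lines."""
    events: List[Dict[str, str]] = []
    for block in SEPARATOR.split(text):
        fields: Dict[str, str] = {}
        for line in block.strip().splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "ACTION" in fields:
            events.append(fields)
    return events


def service_key(url: str) -> str:
    """Reduce a service URL to scheme://host so the report groups by application.
    The service parameter is client-supplied, so nothing past the host is trusted."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def service_usage(events: List[Dict[str, str]]) -> Counter:
    usage: Counter = Counter()
    for e in events:
        if e.get("ACTION") == "SERVICE_TICKET_CREATED":
            m = ST_FOR.match(e.get("WHAT", ""))
            if m:
                usage[service_key(m.group(1))] += 1
    return usage


def tgt_creations_by_ip(events: List[Dict[str, str]]) -> Counter:
    return Counter(e.get("CLIENT IP ADDRESS", "?") for e in events
                   if e.get("ACTION") == "TICKET_GRANTING_TICKET_CREATED")


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_LOG)
    print(service_usage(evts))
    print(tgt_creations_by_ip(evts))
```

The per-IP TGT counter is the input a geo-IP lookup would consume for the map; grouping STs by scheme and host rather than the full URL keeps the service report stable when applications carry per-request query strings in their service parameter.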

Re: [cas-user] no sql database support for storing ticket session

2014-10-07 Thread Waldbieser, Carl
Since NoSQL is a kind of catch-all term for any kind of data store that isn't a RDBMS, it may be hard to generalize. If you look at some of the more popular present-day NoSQL solutions, many of them seem to aim at prioritizing Availability and Partition Tolerance over Consistency (from the CAP

Re: [cas-user] client side password encryption

2014-09-24 Thread Waldbieser, Carl
If SSL/TLS is not available, you are going to have a lot of problems. Simply encrypting the password is not going to solve them. Here are some questions you might think about: For symmetric encryption/decryption to work, the browser and the server must both have access to a shared secret. How
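The shared-secret question raised in this reply has a concrete failure mode that is worth seeing end to end. The following is an added example, not code from the thread or from CAS: it models a cleartext channel on which the server hands the browser a key and expects the password back encrypted under it. The cipher is a deliberately toy SHA-256 keystream XOR, and the server API, user and wire capture are all assumptions.

```python
"""Why 'encrypt the password in the browser' doesn't replace TLS (added
example, not from the thread). On a cleartext channel two things go wrong at
once: the shared key has to reach the browser over that same channel, and the
ciphertext itself becomes a replayable credential. The cipher here is a
deliberately toy SHA-256 keystream XOR; the server API is an assumption.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class LoginServer:
    """Server that embeds a key in the login page and expects the password
    back encrypted under that key."""

    def __init__(self, users: Dict[str, bytes]) -> None:
        self._users = users
        self._key = secrets.token_bytes(32)

    def login_page(self) -> bytes:
        # The key must be embedded in the page/JS; with no TLS it goes out in the clear.
        return self._key

    def login(self, username: str, ciphertext: bytes) -> bool:
        password = keystream_xor(self._key, ciphertext)
        expected = self._users.get(username, b"")
        return hmac.compare_digest(password, expected)


def demo() -> Tuple[bool, bool, bytes]:
    server = LoginServer({"carl": b"s3cret"})   # constructed user
    wire: List[Tuple] = []                       # everything a passive sniffer sees

    # Browser: fetch the page (receives the key), encrypt the password, submit.
    key = server.login_page()
    wire.append(("GET /login", key))
    ct = keystream_xor(key, b"s3cret")
    wire.append(("POST /login", "carl", ct))
    legit = server.login("carl", ct)

    # Attacker 1 never learns the password; replaying the captured blob is enough.
    replayed = server.login(wire[1][1], wire[1][2])

    # Attacker 2 saw the key go by on the same wire, so the password is recoverable anyway.
    recovered = keystream_xor(wire[0][1], wire[1][2])
    return legit, replayed, recovered


if __name__ == "__main__":
    print(demo())
```

Adding a per-request nonce to the scheme would stop the plain replay shown by the first attacker but not the second, and an active attacker on a cleartext channel can simply rewrite the JavaScript that does the encrypting, which is the case TLS exists to close.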

Re: [cas-user] Fwd: Problem to upload files behind CAS Server (HttpServletRequestWrapperFilter)

2014-09-24 Thread Waldbieser, Carl
Etienne, Can you clarify? Is your CAS login form trying to upload a file during the authentication process? It is not clear to me what you mean when you say you are using a multipart form request with CAS. (I do understand what a multipart form is-- just not how you are using one with CAS).
