apereo/cas

Apereo CAS - Single Sign On for All

王秀田

@wangxiutian_gitlab

cas.authn.errors.exceptions custom exceptions do not seem to take effect

Joshua Campbell

@jobjj

I am attempting to setup AD authentication, but running into issues. I need to know how to view debug logs. I have applied the settings below to the pom.xml config file, but I see no changes in logging. I am not seeing any errors regarding ldap either. please help

https://apereo.github.io/cas/6.3.x/installation/LDAP-Authentication.html

nicolopez77

@nicolopez77

Hi, we have a CAS 6.3 setup being used to authenticate Canvas LMS. We are experiencing an issue that apparently occurs only with Chromre: right after you login, instead of redirecting you to the application, it reloads the CAS login page. If you hit F5 the redirect happens. We read many old and new posts reporting this issue but never saw the solution...so I'm not sure if there is one. I can confirm it happens even with the newest versions of Chrome. Thanks!!!

Amin El Hossieni

@collysamin:matrix.org

[m]

i'need same help please

i need to configure my cas.properties

to connect my cas 6.32 with AD with port 636

nicolopez77

@nicolopez77

Hi, we have a CAS 6.3 setup being used to authenticate Canvas LMS. We are experiencing an issue that apparently occurs only with Chromre: right after you login, instead of redirecting you to the application, it reloads the CAS login page. If you hit F5 the redirect happens. We read many old and new posts reporting this issue but never saw the solution...so I'm not sure if there is one. I can confirm it happens even with the newest versions of Chrome. Thanks!!!

Additional information: it does not happen to every user, but to many of them. We could not find a reason, it even happens with the latest version of Chrome (v89).

ghyster

@ghyster

Hello, on 6.3.2 I have an exception when trying to fetch attributes from microsoft graph : java.lang.NoClassDefFoundError: okhttp3/logging/HttpLoggingInterceptor at org.apereo.services.persondir.support.MicrosoftGraphPersonAttributeDao.getPerson(MicrosoftGraphPersonAttributeDao.java:174)

is this a known issue ?

ghyster

@ghyster

solved by forcing update of person-directory-impl to 2.0.7

Joshua Campbell

@jobjj

Can anyone provide a sample log event of a known good ldap setup?

6.4

vonfoovonbar

@vonfoovonbar

cas.authn.attributeRepository.ldap[1].ldapUrl=ldaps:/xxx

cas.authn.attributeRepository.ldap[1].connectionStrategy=

cas.authn.attributeRepository.ldap[1].order=0

cas.authn.attributeRepository.ldap[1].useSsl=true

cas.authn.attributeRepository.ldap[1].useStartTls=false

cas.authn.attributeRepository.ldap[1].connectTimeout=10000
cas.authn.attributeRepository.ldap[1].baseDn=......
cas.authn.attributeRepository.ldap[1].userFilter=uid={user}
cas.authn.attributeRepository.ldap[1].subtreeSearch=true
cas.authn.attributeRepository.ldap[1].bindDn=uid=yyy
cas.authn.attributeRepository.ldap[1].bindCredential=zzz
cas.authn.attributeRepository.ldap[1].minPoolSize=3
cas.authn.attributeRepository.ldap[1].maxPoolSize=10
cas.authn.attributeRepository.ldap[1].validateOnCheckout=true
cas.authn.attributeRepository.ldap[1].validatePeriodically=true
cas.authn.attributeRepository.ldap[1].validatePeriod=600
cas.authn.attributeRepository.ldap[1].validateTimeout=5000
cas.authn.attributeRepository.ldap[1].failFast=true
cas.authn.attributeRepository.ldap[1].idleTime=500
cas.authn.attributeRepository.ldap[1].prunePeriod=600
cas.authn.attributeRepository.ldap[1].blockWaitTime=5000

1 reply

Łukasz

@lgwozniak

Hello anyone using Fido2 WebAuthN ? and it work ?

Łukasz

@lgwozniak

When i register a device with WebAuthN i got java.lang.IllegalArgumentException: Failed to derive trust for attestation key."

Alexey Anufriev

@alexey-anufriev

Hello,

I have a problem with SPRING_SESSION table. It is not being created and afterwards the job that cleans it up complains about this fact.

Still, in the config I have:

spring:
  session:
    store-type: jdbc
    jdbc:
      initialize-schema: always

The problem looks like this one https://stackoverflow.com/questions/62280248/apereo-cas-6-x-embeded-hsqldb-not-initialized (but I have a different DB)

And I also tried properties suggested in the answer, but with no luck.

kikecortes6

@kikecortes6

hello someone has used cas-server-support-azuread-authentication dependency successful?

Wilber Saca

@wsaca

Hi, do you know why OIDC is displaying twice the button "Deny" when I have configured the AccessStrategy with unauthorizedRedirectUrl? Should the openid scope be consent?

Wilber Saca

@wsaca

Is the error response implemented? https://tools.ietf.org/html/rfc6749#section-4.1.2.1
"If a user rejects consent to the application, they will be redirected to the redirect_uri with an access_denied error"

程泽群

@chengzequn

hello someone has used cas-server-support-theme-collections dependency successful?

EL HAJJIOUI Nabil

@nabilm2i

Hello everyone

hope you are all fine,

i want to customize email html templates for my email using a external template file, and i don't know how i can do that ! any help woul be appreciated .. thanks in advance !

ghyster

@ghyster

Hello everyone,

I'm trying to use mongodb to store mfa tokens and for ticket registry. cas won't boot and throw the following error :

Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'gridFsTemplate' defined in class path resource [org/springframework/boot/autoconfigure/data/mongo/MongoDatabaseFactoryDependentConfiguration.class]: Unsatisfied dependency expressed through method 'gridFsTemplate' parameter 1; nested exception is org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type 'org.springframework.data.mongodb.core.MongoTemplate' available: expected single matching bean but found 2: mongoDbGoogleAuthenticatorTemplate,mongoDbTicketRegistryTemplate

is this a known issue ?

ghyster

@ghyster

found a solution, added following property :

spring.autoconfigure.exclude= \
org.springframework.boot.autoconfigure.mongo.MongoAutoConfiguration,\
org.springframework.boot.autoconfigure.data.mongo.MongoDataAutoConfiguration

Wilber Saca

@wsaca

@mmoayyed I would like your help to understand if the next behavior is intentional or not:
I have a service registered with scopes "A" and "B", when I request an access token using the Authorization Code flow or Client credentials grant with the scopes "A" and "C" CAS is creating an access token with scopes "A" and "C" but the scope "C" is not registered in my service.
For me this is a bug, but I want to be sure because I found more things that could be fixed, for example:

"org.apereo.cas.services.RegisteredService" in the access token header.
"grant_type", "client_id", "oauthClientId" in the access token.
"client_id" in the ID token.
"state" in the access token an ID token, this value should be returned as a query parameter if the request included it in the URI.
"nonce" in the access token, but it should be added only in the ID token.
"nonce" in the ID token with an empty value, it should be added only if the request included it.

offramp78

@offramp78:matrix.org

[m]

We're trying to get the Syslog Appender working in version 4.0.1 of CAS - It's a long, boring story why we're still on this version.

I found this info in the Manual for ver 4.2.x:
https://apereo.github.io/cas/4.2.x/installation/Monitoring-Statistics.html#routing-logs-to-syslog

But we're using 4.0.1 of CAS - attempting to apply this directive as is results in numerous errors.

log4j:WARN Element type "Appenders" must be declared.
log4j:WARN Continuable parsing error 27 and column 41
log4j:WARN Element type "Syslog" must be declared.
log4j:WARN Continuable parsing error 173 and column 23
log4j:WARN The content of element type "log4j:configuration" must match "(renderer,throwableRenderer?,appender,plugin,(category|logger),root?,(categoryFactory|loggerFactory)?)".
log4j:WARN Unrecognized element Appenders
log4j:ERROR No appender named [SYSLOG] could be found.

If I change "Appenders" to "appender" as declared in other sections of the config I get a stack trace and various problems when starting this in the tomcat container. Any advice would be appreciated.

Ali A Jalbani

@ajalbani1

Hello I have my local CAS Server Up and Running. I get this message

You, casuser, have successfully logged into the Central Authentication Service. However, you are seeing this page because CAS does not know about your target destination and how to get you there. Examine the authentication request again and make sure a target service/application that is authorized and registered with CAS is specified.

Is there a guide to how to add a service etc?

Ali A Jalbani

@ajalbani1

I am trying to add a service to my local nodejs server.

mijutu

@mijutu:ellipsis.fi

[m]

You need to go to cas with a service parameter, like .../cas/login?service=https://url/to/service

VuPhungNgocKim

@VuPhungNgocKim

i seen error when download package from pac4j-*

Could not resolve org.pac4j:pac4j-core:3.1.0-SNAPSHOT.
Required by:
project :core:cas-server-core-util-api

Could not resolve org.pac4j:pac4j-core:3.1.0-SNAPSHOT.
Unable to load Maven meta-data from https://repo.spring.io/plugins-release/org/pac4j/pac4j-core/3.1.0-SNAPSHOT/maven-metadata.xml.
Could not get resource 'https://repo.spring.io/plugins-release/org/pac4j/pac4j-core/3.1.0-SNAPSHOT/maven-metadata.xml'.
Could not GET 'https://repo.spring.io/plugins-release/org/pac4j/pac4j-core/3.1.0-SNAPSHOT/maven-metadata.xml'. Received status code 401 from server: Unauthorized

ksphinx

@ksphinx:matrix.org

[m]

Hello Everyone - I'm having some trouble with CAS after upgrading from 6.1.5 to 6.3.3 and I was hoping you would be able to help... I have traced it back to this commit : https://github.com/apereo/cas/commit/7cd1f0cae4a5814ebc285cc39014a169a180ea5b#diff-a525be753615ee1c1b5f84f8b35ac6d79203f8a7a514abf7b628eecdd747b1e9

In a nutshell, I am trying to obtain an attribute from the attribute repository. This attribute has a value of 1. When going through this code it is translating it into a 'true' value. Its not a boolean - its a number.
I was going to create a PR to reverse the change but thought I'd better check in case it should be using toBooleanObject(final String str, final String trueString, final String falseString, final String nullString) or simlar instead. e.g.
if (claimValue.size() == 1) {
val value = CollectionUtils.firstElement(claimValue);
value.ifPresent(v -> {
val bool = BooleanUtils.toBooleanObject(v.toString(), "true", "false", null);
claims.setClaim(entry.getKey(), Objects.requireNonNullElse(bool, v));
});
}

ksphinx

@ksphinx:matrix.org

[m]

ok, spot the deliberate mistake. A better example would be: if (claimValue.size() == 1) {
val value = CollectionUtils.firstElement(claimValue);
value.ifPresent(v -> {
val bool = BooleanUtils.toBooleanObject(v.toString(), "t", "f", null);
claims.setClaim(entry.getKey(), Objects.requireNonNullElse(bool, v));
});
}

mijutu

@mijutu:ellipsis.fi

[m]

I just installed password policy overlay on slapd. How can I make cas warn when password is about to expire.

What means ${configurationKey}.warning-attribute-name?

Is it name of an attribute that cas generates as a warning or is it a name of an attribute that ldap is supposed to give to cas as a warning?

And when cas does warn about soon expiring password, is that done by showing a webpage before forwarding back to service or by adding an attribute?

chris_hodgson

@chris_hodgson:matrix.org

[m]

I have a random question about CAS and was wondering if you guys could help? Is it possible for a CAS server to process requests both using the CAS and OAuth2 protocols so that it is able to process requests using either. I am working on a very old codebase and need to integrate new services using modern Auth and want to know if I need to set up a second CAS server or not?

xiutian wang

@1584286140

How to integrate jwt in the latest version?

paulchauvet

@paulchauvet

Hi @chris_hodgson:matrix.org - I've not done this - but I'm almost positive you can. If you have both OAuth2 and CAS enabled - they'll both have different targets. A CAS protocol service would connect to (for example) /cas/validate, where a OAuth one would go to /cas/OAuth2.0/ (https://apereo.github.io/cas/5.2.x/installation/OAuth-OpenId-Authentication.html)

Sorry - I'm going a slightly different method to handle newer protocols and delegating auth from CAS to an external SAML provider (Azure) - and also pointing OAuth clients there instead of at CAS so haven't done it myself :(

Wilber Saca

@wsaca

Hi, how could I override OidcLogoutEndpointController? its adding the "client_id" to the "post_logout_redirect_uri" and I would like to avoid it, but this bean has not the annotation @ConditionalOnMissingBean...

runiq

@runiq

Hi :) Has there been any movement on nested LDAP groups (like described here or here)? We'd really like that for our university.

Brian Monroe

@ParadoxGuitarist

We have MFA enabled in our CAS stack, but I wasn't sure about all the config options. Currently when a new user gets enrolled for MFA, The OTP setup and keys are generated at next login. Is there a way to set that up prior to the next login?

Where communities thrive

People

Repo info

Activity

cas.authn.attributeRepository.ldap[1].connectionStrategy=

cas.authn.attributeRepository.ldap[1].order=0

cas.authn.attributeRepository.ldap[1].useStartTls=false