kjkeane
@kjkeane:matrix.org
[m]

Looks like they updated it, just haven't made a release

apereo/cas@2d38962

Juliet N. Njeri
@juliett:matrix.org
[m]
Hello, I would like to set up CAS 5.3.* but am not able to find the cas-overlay-template for this version. Anyone who can guide me, I will appreciate it; I am a bit new to CAS.
Dhanesh Kumar
@dhanesh238
Hi, I am trying to set up SSO using SAML2 with CAS running as the IdP. But the underlying application currently validates only a JWT token. Is there any API in CAS that we can leverage to generate the JWT token from the SAML assertion?
igorbga
@igorbga
Hi everyone. I'm trying to configure Google OpenID Connect delegated authentication by using the pac4j support. Everything seems to work great, I can authenticate. But the principal that is returned to me is not "my username" but a long number. I mean, if I authenticate with my Google account iblanco@whatever.com I would like the principal to be "iblanco", not 171230230123.
I managed to make at least the principal to be the e-mail by setting this config:
cas.authn.pac4j.oidc[0].google.principal-attribute-id=email
But I can not further progress. I have tried to configure a groovy script in a couple of places in order to "massage" the value myself and remove the part behind the @, but they don't seem to get triggered as I expected them to do.
Any pointer would be much appreciated.
I have tried with a principal transformation script by using this parameter:
cas.person-directory.principal-transformation.groovy.location=
But the script was never triggered and in fact I think this script might be to transform the principal before authentication, not after. So probably that's not the right way to proceed...
igorbga
@igorbga
I've also tried to set a script in the service's usernameAttributeProvider section, but they don't seem to trigger either...
Maybe I have to define a new attribute and somehow make it programmatically build what I need from an already existing attribute?
I understand that what I'm getting as a principal id from google is probably a unique number to identify myself in Google, but I guess that what I'm trying to do is not so weird either, isn't it? I will just allow Google authentication from my domain so I can safely assume that the first part of the e-mail would be unique.
igorbga
@igorbga
I could just use the e-mail, but then I would have to modify all consumer applications so that they can understand that the user profile identified as iblanco and the one identified as iblanco@whatever.com are the same user.
igorbga
@igorbga
[SOLVED] Finally I managed to do it using the usernameAttributeProvider in the service and a groovy script like this:

def run(Object[] args) {
    def ALLOWED_EMAIL_DOMAIN = "whatever.com"

    // Arguments handed to the usernameAttributeProvider script by CAS
    def attributes = args[0]
    def id = args[1]
    def service = args[2]
    def logger = args[3]

    // Strip the "@whatever.com" suffix so the username is the local part of the e-mail;
    // any other id is returned unchanged.
    def suffix = "@" + ALLOWED_EMAIL_DOMAIN.toLowerCase()
    if (id.toLowerCase().endsWith(suffix)) {
        return id.substring(0, id.length() - suffix.length())
    }
    return id
}

newbeeeeeee
@newbeeeeeee

Hello All, I am trying to build the CAS management app, and when I enable an AWS service registry like DynamoDB or S3 I get the following error. For DynamoDB it creates the table and then fails to start:


APPLICATION FAILED TO START

Description:
Parameter 1 of method restAuthenticationService in org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestAuthenticationConfiguration required a bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' that could not be found.
The injection point has the following annotations:

- @org.springframework.beans.factory.annotation.Qualifier(value="defaultMultifactorTriggerSelectionStrategy")

Action:
Consider defining a bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' in your configuration.

Anyone have any ideas why this would be happening? If I remove the CAS management AWS dependency it works fine.

Łukasz
@lgwozniak
Hello, does anybody know about some problems with logging in with OAuth2 and Office365?
CAS version is 6.5.8.
chenbo6398
@chenbo6398

Hi Guys! I was perplexed by SLO for a long time.
I read the doc, and I understand that when CAS logs out, the CAS server will call back the CAS client's URL to remind the client to destroy the session, and the client should define an API to destroy the local session.
I followed that, but the client never received the callback.

I want to know if the CAS server will call back the client?

Łukasz
@lgwozniak

Hello, does anybody know about some problems with logging in with OAuth2 and Office365?

If anyone has a similar problem, this property fixes it:

cas.authn.oauth.replicate-sessions=true
Pascal Rigaux
@prigaux

I want to know if the CAS server will call back the client?

It should. Check the nginx/apache log, you should see something like:

172.20.0.83 - - [16/Nov/2022:02:37:02 +0100] "POST /EsupUserApps/login?target=https%3A%2F%2Fent.univ-paris1.fr%2Faccueil%2F HTTP/1.1" 200 0 "-" "Apache-HttpClient/4.5.6 (Java/11.0.16)"
tvoyat
@tvoyat

hi,

Probably a neophyte question, but I can't find the simple way to define an attribute from a header field with "trusted" authentication.
CAS authentication is simply done through an Apache reverse proxy which defines an "APP_REMOTE_USER" header that I easily retrieve via:

cas.authn.trusted.remote-principal-header=app_remote_user

The proxy also provisions a 'GRP_FROM_APP' business header which I can clearly see in the debug log :

2022-11-17 10:02:56,702 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.PrincipalFromRequestHeaderNonInteractiveCredentialsAction] - <Available request headers are [{referer=[https://XXXX], x-forwarded-port=[443],  app_remote_user=[T01722], host=[XXX], connection=[Keep-Alive], cache-control=max-age=0], 
....
grp_from_app=[017,223], cookie=[JSESSIONID=9Pt2j2GDjZTpmG09pVb525jCRRgVtTznCW8kgWDvJM8H2GJfGSMn!...
Chrome/107.0.0.0 Safari/537.36], sec-fetch-dest=[document]}]. Locating first header value for [app_remote_user]>
2022-11-17 10:02:56,705 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.PrincipalFromRequestHeaderNonInteractiveCredentialsAction] - <Remote user [T01722] found in [app_remote_user] header>
2022-11-17 10:02:56,706 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.BasePrincipalFromNonInteractiveCredentialsAction] - <User [T01722] found in request>
2022-11-17 10:02:56,708 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.BasePrincipalFromNonInteractiveCredentialsAction] - <Attributes [{}] found in request>

But there, I can't recover this header to transform it into an attribute. It looks like "Trusted" authentication doesn't provision any attributes other than the principal.
What method would allow me to add this attribute for CAS clients?

Thanks

tvoyat
@tvoyat
Hi Misagh,
I see you are working on Trusted attributes and thank you very much for that.
I didn't understand what the ShibbolethExtractor class was doing here and I understand better now that you removed it (probably an "old" reason).
However, in your new implementation, I don't understand why you rely on a "PREFIXheader" (AJP) => "Prefix_Value" model for the extraction, à la Shibboleth, which doesn't seem to me to be the most common.
Why not have simply, or at least also, a simple extraction based on the exact names (or regex) of the headers (a java.util.List "header1, header2, header3...") with the same logic as the releaseattribute parameters?
This method seems to me more suitable for authentication via trusted.
Regards
tvoyat
@tvoyat

Hello,
I upgraded to the latest version (7.0.0-snapshot) and now I easily and directly retrieve ALL the attributes present in the Trusted header.
I admit that I didn't easily understand how to use attribute-header-patterns in cas.properties.
In my case, I used:

cas.authn.trusted.attribute-header-patterns=(APP_REMOTE_USER|GRP_FROM_APP)->(.+)

Not very intuitive, but is it correct?
Regards

John Lucey
@john.lucey.2011_gitlab

Hi all,

Could someone please assist with the below issue I am facing? Thank you.

Here is my environment (note that the frontend and backend are served from different domains):

  • CAS Server (implementing CAS 2)
  • Frontend
  • Backend

Tech stack:
org.jasig.cas.client:cas-client-core v3.4.1
spring boot 1.5.4
Java 1.8

Here is what is happening:
(1) user accesses the frontend, but there is no session cookie yet, so the user is redirected to CAS login page served by the CAS Server.
(2) user enters correct login, and the CAS login page redirects to the ticket validating endpoint (login/cas?ticket=XXX....) served by the backend.
(3) the backend responds with a session cookie and redirects to the frontend URL.

The problem is that the cookie in step 2 is only valid for the backend domain, and not the frontend domain, so all the requests from the frontend fail because the cookie isn't sent to the backend in requests. Anyone know a way around this? Can the cookie somehow be made cross-domain? Perhaps via configuration on the CAS Server? Please excuse my lack of knowledge w.r.t. the CAS protocol. Thank you.

mcaccessa
@mcaccessa
Hi!
Is there a way to run CAS, in HA mode, without using sticky sessions, for OAuth/OIDC protocols (as mentioned in this comment: https://groups.google.com/a/apereo.org/g/cas-user/c/mzO_JpUqU3A/m/sMWhnIKrEgAJ)?
All CAS instances are already using a shared ticket storage, but it seems that the Authorization Code Flow is not working properly without the session affinity feature enabled in the LB.
Thank you!
chenbo6398
@chenbo6398
Hi!
How could I make the CAS server return an attribute with a List?
I am using JDBC, and single row.
And should I return authority in attributes?
mwbi
@mwbi
Hi,
I'm searching for a good SAML delegation example, with a redirection based on an LDAP attribute. I'm not sure if it is possible to solve this problem with Groovy and the cas.authn.pac4j.core.groovy-redirection-strategy.location option. I would be very grateful for starting tips.
mwbi
@mwbi
There are some good working examples on https://fawnoos.com/ but I didn't find things like a provider selection by an LDAP attribute.
Javier Rojo
@frojomar
Hello, I am getting this error when I do a "Delegated Authentication - Auto Redirection/Selection":
2022-12-09 09:26:36,831 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Badly formatted flow execution key '', the expected format is '<uuid>_<base64-encoded-flow-state>']>
org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '', the expected format is '<uuid>_<base64-encoded-flow-state>'
I am also getting this warning:
2022-12-09 09:26:42,835 WARN [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:288) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:180) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:113) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
Can someone explain the reason for that?
abdulrazakbg
@abdulrazakbg
Hi, does Apereo CAS version 6.x work with Java 1.8? Do we have backward compatibility?
mayhemizer
@mayhemizer
Total CAS noob asks where to start when, after the November Microsoft patch, Kerberos GSSAPI stopped working...
2022-12-12 08:55:13,322 WARN [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header not found under [Authorization] or it does not begin with the prefix [Negotiate ]>
2022-12-12 08:55:13,323 WARN [org.apereo.cas.web.flow.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.SpnegoCredentialsAction@7ad7acc3; result = error>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@78743393 expression = spnego, resultExpression = [null]]; result = error>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@755845e8 on = error, to = viewLoginForm]>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'spnego'>
mixman68
@mixman68
Hello, are GAuth and JPA broken in CAS 6.6.3?
cas_1 | 2022-12-12 11:05:00,606 WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'serviceValidateController' defined in class path resource [org/apereo/cas/web/config/CasValidationConfiguration$CasValidationControllerConfiguration.class]: Unsatisfied dependency expressed through method 'serviceValidateController' parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'defaultAuthenticationSystemSupport' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationSupportConfiguration$CasCoreAuthenticationSupportBaseConfiguration.class]: Unsatisfied dependency expressed through method 'defaultAuthenticationSystemSupport' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationTransactionManager' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationManagerConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationTransactionManager' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casAuthenticationManager' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationManagerConfiguration.class]: Unsatisfied dependency expressed through method 'casAuthenticationManager' parameter 2; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationEventExecutionPlan' defined in class path resource 
[org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationPlanConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationEventExecutionPlan' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorAuthenticationEventExecutionPlanConfigurer' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorMultifactorAuthenticationPlanConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorAuthenticationEventExecutionPlanConfigurer' parameter 2; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorAuthenticationHandler' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorAuthenticationEventExecutionPlaHandlerConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorAuthenticationHandler' parameter 3; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorOneTimeTokenCredentialValidator' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorMultifactorAuthenticationTokenConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorOneTimeTokenCredentialValidator' parameter 1; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'googleAuthenticatorAccountRegistry': Injection of persistence dependencies failed; nested exception is java.lang.ClassCastException: class org.springframework.beans.factory.support.NullBean 
cannot be cast to class javax.persistence.EntityManagerFactory (org.springframework.beans.factory.support.NullBean and javax.persistence.EntityManagerF
mixman68
@mixman68
Someone reported the same error with the JPA service registry @mmoayyed
Does someone have a workaround?
conwayatmundotca
@conwayatmundotca
Using phpCAS with version 6.3.x, sometimes we don't get any extra attributes (released) from LDAP (most of the time it works), but sometimes it doesn't. Is it expected behavior for CAS (SAML or protocol 3) to sometimes not pass back attributes, and it's up to the client (phpCAS application) to deal with, or could there be something else wrong? For example, we have a catch-all rule at the bottom of cas-manager to pass back none. Is it possible for cas-manager to fail the regexp in some cases?
I should probably add that when I say sometimes, it's not like one application works and the other doesn't. E.g. a user could log on to the application, get no attributes, and 5 seconds later switch to incognito mode and get their attributes.
johny210943
@johny210943
Hello everyone. I'm trying to get the current registered service name in a custom authentication handler. Is that possible? If yes, how do I implement it? I use CAS 6.5.4. Thanks (lol beans)
VikashChandra1996
@VikashChandra1996
Hi All... we are trying to CASify an Angular module. Moreover, we need to secure its API as well. Can someone suggest how to achieve this? We are using CAS version 6.6.2.
Fl0w
@fl0wx
Hey ho, does anyone have experience with Apereo + OIDC + SPA (single-page app)? I always get a 401 error while trying to get an access token.
abhishek2bommakanti
@abhishek2bommakanti
Hello. We're using CAS (6.5.3) to implement login/SSO integration with Azure Active Directory for our internal applications. Everything works fine on my local environment. However, within our cloud infrastructure (clustered Nomad runtime behind a Fabio load balancer), when my client application hits the CAS server, the redirect URL from the login endpoint adds port 80 to the URL, something like https://<domain>:80/cas/clientredirect?client_name=AzureAD&service=https://<clientapp domain>/login instead of https://<domain>/cas/clientredirect?client_name=AzureAD&service=https://<clientapp domain>/login. This causes the redirect URL to break on the browser side. If we remove the 80 port manually from the URL within the browser, then things work fine. Is there a way to stop this port being added to the URL? I tried to configure the auto-redirect-type parameter for this service to be "SERVICE", thinking that it would make CAS invisible to the client, but that didn't make any difference either.