Sebastian Dobrea
@TKSds
any thoughts?
nguyenhuy
@NguyenHuy93

Hi all,
I deployed CAS Apereo v6.2 and an OpenLDAP server on Kubernetes.
I am configuring SAML 2 with CAS. I used Dropbox as the Service Provider and CAS as the Identity Provider. Here is my configuration:

idp-metadata.xml:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-07-22T15:33:50Z" cacheDuration="PT1595864030S" entityID="https://host_name/cas/">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://host_name/cas/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://host_name/cas/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

sp-metadata.xml:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-07-21T07:05:16Z" cacheDuration="PT604800S" entityID="https://www.dropbox.com/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.dropbox.com/saml_login" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

saml-1.json:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://www.dropbox.com/",
  "name" : "DropboxSAML",
  "id" : 1,
  "evaluationOrder" : 10,
  "metadataLocation" : "/etc/cas/saml/sp-metadata/sp-metadata.xml",
  "requiredNameIdFormat" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  }
}

cas.properties:
cas.saml-core.ticketid-saml2=true
cas.authn.saml-idp.entity-id=https://host_name/cas/idp
cas.authn.saml-idp.metadata.location=file:/etc/cas/saml/idp-metadata/
cas.authn.saml-idp.response.attribute-name-formats=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
cas.saml-sp.dropbox.metadata=file:/etc/cas/saml/sp-metadata/
cas.saml-sp.dropbox.name=DropboxSAML
cas.saml-sp.dropbox.description=Dropbox SP Integration
cas.saml-sp.dropbox.name-id-attribute=mail
cas.saml-sp.dropbox.name-id-format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
cas.saml-sp.dropbox.signature-location=
cas.saml-sp.dropbox.attributes=mail
cas.saml-sp.dropbox.entity-ids=https://www.dropbox.com/
cas.saml-sp.dropbox.sign-responses=true
cas.saml-sp.dropbox.sign-assertions=false

My problem is that when authentication succeeds, I always stay at the CAS page and am not redirected to the Dropbox page.
Does anyone know what the issue is in my case?
Thanks in advance for any suggestion.

nguyenhuy
@NguyenHuy93
And I don't see any SAML-related logs after the authentication logs.
Terry Appleby
@tappleby
Anyone here loading their CAS services from an S3 bucket? Currently we run a separate s3 sync docker container to a volume, but I'm curious about a more native approach.
Sebastian Dobrea
@TKSds
Any ideas on this?
FAILED CAS Authentication Filter: java.lang.IllegalArgumentException: serverName or service must be set.
Upgraded from servlet 2.5 to 3.1,
so I imagine I need to do some config, maybe in web.xml?
Any help would be highly appreciated.
Giorgio Ascani
@gascani
Hi, I need to transform the principal before getting attributes. I'm using CAS 6.1 and the class that creates the Principal is PersonDirectoryPrincipalResolver (https://github.com/apereo/cas/blob/5.1.x/core/cas-server-core-authentication/src/main/java/org/apereo/cas/authentication/principal/resolvers/PersonDirectoryPrincipalResolver.java).
How can I transform the principal? There is a principalNameTransformer attribute, but I don't know how to configure it.
mahyar_shariati
@MahyarShariati_twitter
Hi guys
I have a specific question for you developers:
on a scale of 1 to 5 (low to high), how do you rate your "teamwork" skill?
kakson68
@kakson68
@Sabi610 I am having the same issue; were you able to resolve it? If so, can you please share it.
MARC Matthieu
@blink38
Hi, I am configuring CAS 6.1 and I am trying to get the Prometheus actuator working. I added the following configuration lines to my application.properties:
management.endpoints.web.exposure.include=info,health,status,scheduledtasks,refresh,metrics,prometheus,configprops
management.endpoint.prometheus.enabled=true
cas.monitor.endpoints.endpoint.prometheus.access=ANONYMOUS
But when I go to /actuator I do not see the prometheus one, and /actuator/prometheus returns a 404.
Can someone give me a working configuration to get Prometheus working? Thanks.
Eduardo Asafe
@asafe-eduardo

hi folks.

I'm using CAS 6.1 and I want to know if it is possible to configure 2 JDBC queries to authenticate, and if so, how do I do it?

Example: run my query to authenticate; if the user doesn't exist, try a different query.

thanks in advance

VikashChandra1996
@VikashChandra1996
Hi All,
I want to implement SAML using CAS. I have made CAS the IdP and ADFS or Shibboleth the SP. I have another Java application which will be authenticated by the IdP.
Could you let me know how to handle the login of the Java application via SAML with CAS as IdP and ADFS/Shibboleth as SP?
Eduardo Asafe
@asafe-eduardo

Hi All,

Hi, I did do authentication with CAS with SAML, but the application that uses CAS as IdP lives in a JBoss, and JBoss has the libs that communicate with my CAS.

How I got it to work: I put the SAML libs in the pom.xml of CAS, after that I created the SAML service in the serviceRegistry configuration and created an XML with the idp-metadata.

It may seem generic, but you can follow the documentation,
and if you have some specific doubt (very common) I will try to help.
mohsensaeedi
@mohsensaeedi

Hi All,
I have a problem when using the new CAS overlay version. The problem is after the build. I built cas.war without any problem with LDAP support. I define ldapUrl, bindDn, bindCredential.
When I try to start Tomcat, it fails. It tries to initialize LDAP and tries to connect to the LDAP server defined in the CAS config, but suddenly switches to localhost:389. I am confused. After 3 weeks I can't solve it.
I asked a question at the link below on the Google group:
https://groups.google.com/a/apereo.org/g/cas-user/c/bHCtF4XNUvw

Logs and config file can be seen at that link. Please help me.

And I have more than 7 years of experience with CAS, from version 3.5.

Eduardo Asafe
@asafe-eduardo
Hi,
are you overriding this configuration via the properties file or a bean overlay?
mohsensaeedi
@mohsensaeedi
Hi. I just use cas.properties for the CAS configuration parameters.
mohsensaeedi
@mohsensaeedi
I think I added cas-server-support-ldap-service-registry as a dependency, and I don't have any configuration parameters for that. Maybe the problem is caused by that!!! I will test again and send the result here.
The problem is solved, by removing cas-server-support-ldap-service-registry from pom.xml. Thanks @asafe-eduardo

Eduardo Asafe
@asafe-eduardo
Nice @mohsensaeedi
My problem is solved too. I did a bean override of CAS, created my own authenticationHandler extending AbstractJdbcUsernamePasswordAuthenticationHandler, and I was able to customize my login method.

Łukasz
@lgwozniak
Hi, has anyone had a problem on cas-overlay-template with the jakarta.mail package? I cannot override CommunicationsManager. Got the error: cannot access MimeMessage
var message = this.mailSender.createMimeMessage();
^
CAS 6.2.1 is compiling with jakarta.mail, which has the package javax.mail :/
Łukasz
@lgwozniak
I needed to add the jakarta.mail module to the project.
Cardo Kambla
@CardoKambla
I think the JDBC audit module has some problems. It is trying to cast to some class and is getting a ClassCastException. I noticed that it has been a problem starting from version 6.2.0-RC5.
2020-08-04 13:02:00,170 ERROR [org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler] - <Unexpected error occurred in scheduled task>
java.lang.ClassCastException: Cannot cast com.sun.proxy.$Proxy218 to org.apereo.inspektr.common.Cleanable
    at java.lang.Class.cast(Class.java:3606) ~[?:?]
    at org.apereo.cas.audit.config.CasSupportJdbcAuditConfiguration$1.clean(CasSupportJdbcAuditConfiguration.java:139) ~[cas-server-support-audit-jdbc-6.2.1.jar!/:6.2.1]
    at jdk.internal.reflect.GeneratedMethodAccessor219.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84) ~[spring-context-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
    at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-5.2.6.RELEASE.jar!/:5.2.6.RELEASE]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[?:?]
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) ~[?:?]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at java.lang.Thread.run(Thread.java:834) [?:?]
Łukasz
@lgwozniak
Has anyone checked OIDC Office365 login in version 6.2.1?
Łukasz
@lgwozniak
Can anyone help with what is wrong with this OIDC delegation? After the update I got:
2020-08-04 15:20:10,839 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.DelegatedClientAuthenticationAction@e23af91 in state 'delegatedAuthenticationAction' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause>
Łukasz
@lgwozniak
I got a different session when the request came back from Office365:
set sessionId 4b90c26f-4932-4220-b794-6ef946f56252 for keyOffice365$stateSessionParameter
get sessionId c0c6c25f-c2da-4427-884e-a54c8bfb9249 for keyOffice365$stateSessionParameter
Can it be a problem with embedded Tomcat?
Marco Crank
@MCrank

Hello. I am trying to get Redis running with the Google Authenticator. I have my Redis Sentinel system up and running. I am able to write the registration records to Redis when clients register their MFA devices, but on subsequent logins it does not seem to be pulling the registrations from Redis and goes back to the Device Registration QR code page. Any idea what I might be missing config-wise? Here is what I have for my Redis config:

CAS v6.2.x

Not sure I need the regular redis.host settings but I have tried to put them in just to see if I got different results.

cas.authn.mfa.gauth.redis.host=redis.cas.svc.cluster.local
cas.authn.mfa.gauth.redis.port=6379
cas.authn.mfa.gauth.redis.database=0
cas.authn.mfa.gauth.redis.read-from=MASTER
cas.authn.mfa.gauth.redis.sentinel.master=mymaster
cas.authn.mfa.gauth.redis.sentinel.node[0]=redis.cas.svc.cluster.local:26379

I just wanted to follow up on this in case someone else comes across this issue. I had configured persistence for storing MFA device registrations in Redis. I was able to write the values to the store, but once my container restarted it would no longer read the values. I could see the read requests hit the DB for the key, but CAS would just throw me back to the device registration page like it was a new device. I also tried the local JSON file as well, with the same results.

I could not get/find an answer anywhere and even found a person on here with the exact same issue. This morning I started troubleshooting again and after staring at the logs for a long time I noticed one thing in the log that soon became apparent. I was not specifying the following settings and allowed CAS to autogenerate them. After thinking about these settings for a minute it made sense to me:

cas.authn.mfa.gauth.crypto.encryption.key
cas.authn.mfa.gauth.crypto.signing.key

Since the keys would be the same upon restart, CAS was able to decrypt the Device Registration keys it was storing in the DB. It would be nice if there was an error thrown in the logs, or if the documentation indicated that the autogenerated keys could cause an issue like this. It could have saved me a substantial amount of time.

Łukasz
@lgwozniak
With OIDC and embedded Tomcat I had to add 'cas.session-replication.cookie.path=/'
Łukasz
@lgwozniak
Does anyone know how to configure the git service registry over an SSH session?
VikashChandra1996
@VikashChandra1996

Hi All,

I am using cas version 5.2.9.
I have implemented password management through LDAP. Whenever I click on "reset your password", a new screen comes up and asks for a username.

Upon giving the username, a secure link is sent to my mail for the reset option.

But I want to break this flow. My requirement is: whenever a user enters his username, the security questions page should come up, and upon answering it I can change my password. I don't want any link in my mails for resetting the password.

Is this flow possible? Please guide.

jphan169
@jphan169

Hi, I deployed CAS 6.3 on a local server and am able to log in with the default account casuser/Mellon. I tried to add a custom service to the service registry, but when I forward to the CAS login page, it still throws the "Application Not Authorized to Use CAS" error. I tried a few suggestions but nothing seems to work. This is my configuration:
build.gradle

compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"

cas.properties

cas.server.name=https://'my-dormain-name':8443
cas.server.prefix=${cas.server.name}/cas
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:/etc/cas/services-repo
logging.config=file:/etc/cas/config/log4j2.xml
server.ssl.enabled=true
server.ssl.keyStore=/etc/cas/thekeystore
server.ssl.keyStorePassword=changeit
server.ssl.keyPassword=changeit

service.json

{
  @class: org.apereo.cas.services.RegexRegisteredService
  serviceId: 'https://'my-hostname'/login/index.php?authCAS=CAS'
  name: custom
  id: 1596620416602
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    order: 0
    enabled: true
    ssoEnabled: true
    delegatedAuthenticationPolicy:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
      allowedProviders:
      [
        java.util.ArrayList
        []
      ]
      permitUndefined: true
      exclusive: false
    }
    requireAllAttributes: true
    requiredAttributes:
    {
      @class: java.util.LinkedHashMap
    }
    rejectedAttributes:
    {
      @class: java.util.LinkedHashMap
    }
    caseInsensitive: false
  }
}

Please give me some advice. Thank you all.

Here is the logs:
2020-08-08 05:07:47,866 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
2020-08-08 05:08:37,876 WARN [org.apereo.cas.services.AbstractRegisteredService] - <Assigning a collection of required authentication handlers to a registered service is deprecated. This field is scheduled to be removed in the future. If you need to, consider defining an authentication policy for the registered service instead to specify required authentication handlers [[]]>
2020-08-08 05:08:37,877 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [] is not found in service registry.>
VikashChandra1996
@VikashChandra1996
Could you check whether the endpoints for client applications are set properly or not?
Łukasz
@lgwozniak
I included the git service-support in my project in version 6.2.1 and I got a problem with the okhttp library:
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoSuchFieldError: Companion
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:651)
... 60 more
Caused by: java.lang.NoSuchFieldError: Companion
at okhttp3.internal.Util.<clinit>(Util.kt:72)
at okhttp3.internal.concurrent.TaskRunner.<clinit>(TaskRunner.kt:309)
at okhttp3.ConnectionPool.<init>(ConnectionPool.kt:41)
at okhttp3.ConnectionPool.<init>(ConnectionPool.kt:47)
at okhttp3.OkHttpClient$Builder.<init>(OkHttpClient.kt:471)
at org.springframework.cloud.commons.httpclient.HttpClientConfiguration$OkHttpClientConfiguration.okHttpClientBuilder(HttpClientConfiguration.java:77)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
... 61 more
Can anyone help me?
Łukasz
@lgwozniak
In my project there are 2 okhttp libraries at runtime, in versions 3.14.9 and 4.7.1.