napoleon211092
@napoleon211092
I have succeeded with the CAS ticket service using MongoDB, but the CAS service registry does not work.
Sabi
@Sabi610
That's great! Could you please share the properties that you have set and the packages in the pom?
I am also having issues when I enable the cloud config, service registry and ticket related packages in pom.xml.
Will post my findings.
Sabi
@Sabi610
Authentication and the ticket registry are working great, still stuck with service registry errors.

=====================================================
org.springframework.data.mapping.model.MappingInstantiationException: Failed to instantiate org.apereo.cas.services.RegisteredService using constructor NO_CONSTRUCTOR with arguments
at org.springframework.data.convert.ReflectionEntityInstantiator.createInstance(ReflectionEntityInstantiator.java:67) ~[spring-data-commons-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.convert.ClassGeneratingEntityInstantiator.createInstance(ClassGeneratingEntityInstantiator.java:84) ~[spring-data-commons-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.mongodb.core.convert.MappingMongoConverter.read(MappingMongoConverter.java:321) ~[spring-data-mongodb-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.mongodb.core.convert.MappingMongoConverter.read(MappingMongoConverter.java:294) ~[spring-data-mongodb-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.mongodb.core.convert.MappingMongoConverter.read(MappingMongoConverter.java:225) ~[spring-data-mongodb-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.mongodb.core.convert.MappingMongoConverter.read(MappingMongoConverter.java:221) ~[spring-data-mongodb-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.mongodb.core.convert.MappingMongoConverter.read(MappingMongoConverter.java:94) ~[spring-data-mongodb-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.mongodb.core.MongoTemplate$ReadDocumentCallback.doWith(MongoTemplate.java:3162) ~[spring-data-mongodb-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.mongodb.core.MongoTemplate.executeFindMultiInternal(MongoTemplate.java:2799) ~[spring-data-mongodb-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.springframework.data.mongodb.core.MongoTemplate.findAll(MongoTemplate.java:1809) ~[spring-data-mongodb-2.2.5.RELEASE.jar!/:2.2.5.RELEASE]
at org.apereo.cas.services.MongoDbServiceRegistry.load(MongoDbServiceRegistry.java:70) ~[cas-server-support-mongo-service-registry-6.1.5.jar!/:6.1.5]
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195) ~[na:na]
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1654) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[na:na]
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:na]
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[na:na]
at org.apereo.cas.services.ChainingServiceRegistry.load(ChainingServiceRegistry.java:74) ~[cas-server-core-services-registry-6.1.5.jar!/:6.1.5]
at jdk.internal.reflect.GeneratedMethodAccessor144.invoke(Unknown Source) ~[na:na]
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.0.RC1.jar!/:2.2.0.RC1]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.4.RELEASE.jar!/:5.2.4.RELEASE]
at com.sun.proxy.$Proxy187.load(Unknown Source) ~[na:na]
ilyassesalama
@ilyassesalama
@Pirateking2341 Where are the Moroccans, wherever you go 🤷
jeorth87
@jeorth87
I am having slow authentication times. (About 2 seconds to complete the authentication). Besides DEBUG logs anyone have any place to look or tips?
napoleon211092
@napoleon211092
go
James
@WhiteGryphonFIT
Hello. I am attempting to migrate from CAS 5.2.x to 6.1.5 and am running into a couple of issues with the CAS management web app. The main issue is the service storage location the app uses (/etc/cas/services-repo). I've disabled the version control using mgmt.versionControl.enabled=false and specified a location using cas.serviceRegistry.json.location=file:/etc/cas/61/services, but the management web app only saves to, and displays services from, /etc/cas/services-repo. I've found people having a similar issue in the Google groups, but no answer. Can/should I just set mgmt.servicesRepo= to the location I want, to force the web app to keep everything where I need it to go?
James
@WhiteGryphonFIT
The second issue is on a service rename. When a service name is changed, the VersionControlServicesManager class performs the checkForRename function which builds the path and appends ".json" to the end. This has the effect of making the filename contain two periods (MyService..json), which, of course, cannot be found and throws an error as shown below. This happens on services created and edited only in the management web app.
DEBUG [org.apereo.cas.mgmt.GitUtil] - Attempting to move [CAS6ServuceManagementTEST-1585162164930..json] to [CAS6ServiceManagementTEST-1585162164930..json]
DEBUG [org.apereo.cas.mgmt.GitUtil] - Moving [/etc/cas/services-repo/CAS6ServuceManagementTEST-1585162164930..json] to [/etc/cas/services-repo/CAS6ServiceManagementTEST-1585162164930..json]
ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas-management].[dispatcherServlet]] - Servlet.service() for servlet [dispatcherServlet] in context with path [/cas-management] threw exception
java.nio.file.NoSuchFileException: /etc/cas/services-repo/CAS6ServuceManagementTEST-1585162164930..json
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:92) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116) ~[?:?]
        at sun.nio.fs.UnixCopyFile.move(UnixCopyFile.java:430) ~[?:?]
        at sun.nio.fs.UnixFileSystemProvider.move(UnixFileSystemProvider.java:267) ~[?:?]
        at java.nio.file.Files.move(Files.java:1421) ~[?:?]
        at org.apereo.cas.mgmt.GitUtil.move(GitUtil.java:1202) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar!/:6.1.0-RC4]
        at org.apereo.cas.mgmt.VersionControlServicesManager.checkForRename(VersionControlServicesManager.java:77) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar!/:6.1.0-RC4]
        at org.apereo.cas.mgmt.controller.ServiceController.save(ServiceController.java:118) ~[cas-mgmt-core-6.1.0-RC4.jar!/:6.1.0-RC4]
        at org.apereo.cas.mgmt.controller.ServiceController.saveService(ServiceController.java:108) ~[cas-mgmt-core-6.1.0-RC4.jar!/:6.1.0-RC4]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
...
Kamil Chalczyński
@kchalczynski

Hey, is there any way to disable SAML in the CAS Management web app? I'm trying to use it with CAS 6.1.5 and services registered in DB (jpa service registry with Oracle database), but I get "ORA-00972: identifier is too long" or "ORA-00910: specified length too long for its datatype" while trying to execute some DDL after starting the management web app.

Second question, is it possible to change (upgrade) the version of CAS Server in the CAS Management Overlay? I have a problem with conflicts in dependency versions when importing changes made in CAS 6.1.5, which forces me to set their version to the same as the Management Overlay (6.1.0-RC4).

andreeahash
@andreeahash
Hello. I am using CAS 6.1.3 and I am trying to configure passwordManagement. It worked to send reset-password links properly with the in-memory database, but now I needed to set up a local database (MariaDB) and I've configured ticket.registry.jpa. It works properly for login, but now when I want to reset my password, it sends an email, but when I try to access the link in the email it fails with the error: Error: Exception thrown executing org.apereo.cas.pm.web.flow.actions.VerifyPasswordResetRequestAction@66589252 in state 'verifyPasswordResetRequest' of flow 'pswdreset' -- action execution attributes were 'map[[empty]]' .... caused by:
Caused by: javax.persistence.TransactionRequiredException: Executing an update/delete query
at org.hibernate.internal.AbstractSharedSessionContract.checkTransactionNeededForUpdateOperation(AbstractSharedSessionContract.java:409)
at org.hibernate.query.internal.AbstractProducedQuery.executeUpdate(AbstractProducedQuery.java:1601)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.orm.jpa.SharedEntityManagerCreator$DeferredQueryInvocationHandler.invoke(SharedEntityManagerCreator.java:409)
at com.sun.proxy.$Proxy264.executeUpdate(Unknown Source)
at org.apereo.cas.ticket.registry.JpaTicketRegistry.deleteSingleTicket(JpaTicketRegistry.java:209)
Can you help me with this?
I've already spent a few days playing with the configuration, but I couldn't get it to work.
Cardo Kambla
@CardoKambla
@andreeahash I have had the same problem with JPA ticket registry and password management module. I have not found an easy solution. You could try to extend Spring Webflow and override the VerifyPasswordResetRequestAction bean with your own bean that ignores the ticket deletion method. Afterwards, the ticket registry cleaner might delete the ticket. I tried overriding the bean and commenting out the ticket deletion. It worked for me.
fgf2001
@fgf2001
Hello, I need to give the SameSite parameter the value None when generating the "Ticket Granting Ticket Cookie" (TGC). I am editing ticketGrantingTicketCookieGenerator.xml, but I can't get the value into the parameter. Does anyone know what I can do?
ricky2015
@ricky2015
Hello, I have a question: does CAS support API-level access strategy configuration?
Andreas
@borchsenius

Single-logout error at IDP: "Missing signature element"?!
We are having a problem with saml2 and single-logout. I just wanted to check with you guys if you have experienced something similar.
Our external IDP rejects our logout-request. No response is given. The error in the IDP logs is "missing signature element". SSO works fine besides SLO, and the application is using CAS 5.3.14. A logout-request sent from our application looks something like this:

<saml2p:LogoutRequest Destination="https://login.example.org/adfs/ls/"
   ID="_lkjyzegb4qeAAAAf8wfbwq5hfetnlokw34cj11" IssueInstant="2020-03-25T08:00:04.282Z"
   Version="2.0"
   xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
   <saml2:Issuer
       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example-sp1.org
   </saml2:Issuer>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">C=DK,O=no organization,CN=Jens Jensen,Serial=PID:1234-5678-0-123456789456123
   </saml2:NameID>
   <saml2p:SessionIndex>00-00-0B-87-8A-DC-E8-D0-70-13-08-F2-87-6B-D8-0F-56-11-DA-B0</saml2p:SessionIndex>
</saml2p:LogoutRequest>

Any ideas what might be the cause?

(We have contacted the IDP and they are looking into it.)

mwolfley
@mwolfley
@borchsenius I was thinking CAS didn't support full logout to ADFS delegated AuthN and the only options were to end logout at CAS OR add a link/button to the logout page to extend logout to ADFS
EmilioBellomoReply
@EmilioBellomoReply
Hello everyone, I'm trying to integrate a Google SAML app with CAS, using this configuration https://apereo.github.io/cas/6.1.x/integration/Delegate-Authentication.html
But, I'm having this error "Delegated client identifier cannot be located in the authentication request".
Can anyone help me, please?
anastassiaI
@anastassiaI

Also tried:

logging.level.org.apereo=DEBUG
logging.level.org.hibernate.SQL=TRACE
logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE

nothing works
Andreas
@borchsenius
@borchsenius @mwolfley Thank you for responding. I'm not sure I fully understand. The application can send a logout-request to the external IDP. That would be step 2 in the process outlined here http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.2.SP-Initiated%20Single%20Logout%20with%20Multiple%20SPs|outline.
The IDP, however, is to my big surprise not able to process the logoutRequest. The XML request looks fine but gets rejected with the rather cryptic message "Missing signature element". I couldn't find a signature element in the logoutRequest specification.
I found the text "The <LogoutRequest> message is digitally signed and then transmitted using the HTTP Redirect binding. The identity provider verifies that the <LogoutRequest> originated from a known and trusted service provider."
Do I need to configure CAS to sign the logoutRequest or is it signed as default?
mwolfley
@mwolfley
@borchsenius The delegated IdP is ADFS/WSFED correct?
Andreas
@borchsenius
@mwolfley yes, the delegated IdP is ADFS
mwolfley
@mwolfley
So found here CAS won't send logout all the way back to the IdP and gives options to log out there
mwolfley
@mwolfley
@borchsenius Probably because WSFED expects the logout request to be signed the same way CAS signs authN requests but CAS isn't signing logout requests?
Andreas
@borchsenius
@mwolfley Okay, thanks. I have somewhat limited access to the external IdP's logs, and I can confirm that they (the IdP) receive the logout request. Their internal logs state "missing signature element" and they don't notify the other potentially active SPs as a result. The session in our application is terminated, but not in the potential multiple SPs or the IdP. The consequence is that if the user tries to log in again, the session is still active at the IdP and the user is logged in again without any password and 2FA authorization...
However, if one of the other SPs initiates a single-logout, our application gets notified and the session gets terminated correctly. That works flawlessly.
I'll look into making CAS sign the logout request.
Jeff Walker
@Jeff-Walker
I've been looking at CAS for the last few days. I saw the Initializr and it seems like a neat way to get started, but the version says 5.1.0. Is there one for the latest version, or is this an outdated concept? If I need to just start with cas-overlay-template, is there a list of all the "official" modules that may be included? I've read the documentation on the WAR overlay, but I'm just not sure how to get all the components that I need.
EmilioBellomoReply
@EmilioBellomoReply

Hello everyone, I have encountered this error: "org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method" when I try to authenticate using an external SAML IdP (Google).
I'm using CAS version 6.1.3 with delegated authentication (cas-server-support-pac4j-webflow) and this configuration:

cas.authn.pac4j.saml[0].clientName=test
cas.authn.pac4j.saml[0].serviceProviderEntityId=${cas.server.name}
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:/etc/cas/saml/cas_metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=file:/etc/cas/saml/GoogleIDPMetadata-test.com.xml
cas.authn.pac4j.saml[0].signAuthnRequest=true
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[0].keystorePath=file:/etc/cas/saml/samlKeystore.jks
cas.authn.pac4j.saml[0].keystorePassword=A**O
cas.authn.pac4j.saml[0].privateKeyPassword=X**i
cas.authn.pac4j.saml[0].autoRedirect=true

Did I do something wrong?

mwolfley
@mwolfley
change your destination binding to POST maybe
EmilioBellomoReply
@EmilioBellomoReply
I tried
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].autoRedirect=false
same error :\
mwolfley
@mwolfley
Most likely need to change it in the metadata too
EmilioBellomoReply
@EmilioBellomoReply

Here?

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login?client_name=test" index="0"/>

mwolfley
@mwolfley
Yep, that should do it
EmilioBellomoReply
@EmilioBellomoReply
Still doesn't work :(
mwolfley
@mwolfley
Did you change that at the delegate?
EmilioBellomoReply
@EmilioBellomoReply
yes, this is the new configuration:
cas.authn.pac4j.saml[0].clientName=test
cas.authn.pac4j.saml[0].serviceProviderEntityId=${cas.server.name}
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:/etc/cas/saml/cas_metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=file:/etc/cas/saml/GoogleIDPMetadata-test.com.xml
cas.authn.pac4j.saml[0].signAuthnRequest=true
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].keystorePath=file:/etc/cas/saml/samlKeystore.jks
cas.authn.pac4j.saml[0].keystorePassword=A**O
cas.authn.pac4j.saml[0].privateKeyPassword=X**i
cas.authn.pac4j.saml[0].autoRedirect=false
mwolfley
@mwolfley
Yeah, but did you re-exchange the SP metadata to Google?
EmilioBellomoReply
@EmilioBellomoReply
It should take the new metadata via url
EmilioBellomoReply
@EmilioBellomoReply
It seems the problem is the redirect method, but not on the Google side.
image.png
mwolfley
@mwolfley
clear cache maybe? you restarted the CAS server after making those changes?
EmilioBellomoReply
@EmilioBellomoReply
sure, it's running in a kubernetes environment, it restarts on every change
mwolfley
@mwolfley
Do you get the error before you even go to Google or after successful authentication?
EmilioBellomoReply
@EmilioBellomoReply
after
mwolfley
@mwolfley
Then Google is responding to the request over GET?
EmilioBellomoReply
@EmilioBellomoReply
Nope, the Google call is a POST; the internal redirect is a GET.
In the previous screenshot, the first call is Google, the second one is the internal one.
Maxim Kopeyka
@mkopeyka
Hello, does anyone use Keycloak + CAS with the backchannel logout function on the Keycloak side? It means that when you click "Sign Out" in Keycloak, CAS logs out in the background too.