Robin Dupret
@rdupret_gitlab
The regression seems to be between 6.0.0-RC5 and 6.6.0
kjkeane
@kjkeane:matrix.org
I do know that when I went from 6.5.2 to 6.6.0 I had to clear out our Redis keys, because it was failing to encrypt/decrypt them.
Robin Dupret
@rdupret_gitlab
@kjkeane:matrix.org : Thanks again but I already tried to empty Redis, restart it and reboot the whole machine, still the same :-/
Robin Dupret
@rdupret_gitlab
Actually, I still have INVALID_TICKET when disabling Redis and using the default registry.
dargur mikk
@dargurm_gitlab
After upgrading from 6.5.6 to 6.6.1 my application.yaml & application-foo.yaml don't get loaded anymore. Has anyone faced a similar issue?
dargur mikk
@dargurm_gitlab
Somehow classpath:config/application.yaml is being ignored but classpath:application.yaml gets loaded. According to the Spring Boot 2.7 docs, config/application.yaml should be loaded as before. So what changed in CAS 6.6 that changed this behavior?
dargur mikk
@dargurm_gitlab
Another weird bug: the commit cda8b7ff016cb3631ee7fdc47249b95e556e64bc after 6.6.0-RC5 introduced regex matching for IP addresses defined for actuator endpoints. Seriously, regex for IP matching? So the proper ranges which were working before now don't work anymore, e.g. required-ip-addresses: ["127.0.0.1", "172.18.0.0/22", "10.0.0.0/8"] don't work anymore. This undocumented breaking change caused deployment to fail because the health endpoint cannot be accessed anymore.
julioromero
@julioromero

Dear Apereo CAS community, I am in need of some help if someone has come across a similar issue.

I'm on CAS 6.6.0 and I'm trying to implement SAML 2.0 integration by having CAS act as an SP and delegate authentication to an external IdP.
I have configured all settings to generate the SP metadata file, and I was provided with the IDP metadata file as well.

The problem is that the IDP entity wants to use the Artifact resolution service and sends us back a SAMLart (artifact). At this point, the flow returns back to CAS and it stays there.
It seems that CAS does not know what to do with the SAML artifact once it receives it from IDP, when technically it should be calling the endpoint specified by the ArtifactResolutionService from the IDP metadata file.
From tracing the SAML request/responses, I can tell that CAS is not calling anything else once it receives the SAMLart from the IDP after user authenticates successfully.
I ran a separate test by using the IDP service at https://samltest.id/ and everything is working fine, but I think the difference here is that this IDP doesn't use artifact binding, it goes a simpler way of HTTP-POST I believe.

So my question is: Does CAS SAML 2.0 integration support this artifact binding (sending artifact resolve request / receiving artifact response)?
If so, what could I be missing in my configurations?
If not, where would I need to modify CAS code to perform a SOAP request with the SAML artifact to receive the assertion?

dargur mikk
@dargurm_gitlab

Somehow classpath:config/application.yaml is being ignored but classpath:application.yaml gets loaded. According to the Spring Boot 2.7 docs, config/application.yaml should be loaded as before. So what changed in CAS 6.6 that changed this behavior?

I tracked down this issue to some changes between 6.6.0-RC5 and 6.6.0. Both versions use Spring Boot 2.7, so it's not a Boot problem. The changes in the CAS code cause config files from classpath:config not to be loaded even when they are specified in src/main/resources/application.yml via spring.config.additional-location=config/

dargur mikk
@dargurm_gitlab

Can someone advise me how to force CAS auth again when the doChangePassword parameter is present? The problem is that when a user is not logged in, doChangePassword triggers the password change flow after a successful login. But if a customer is already logged in (TGC), it doesn't show the login view in order to change the password but redirects directly to the service.

@mmoayyed can you please advise how to trigger the password change when SSO is active (valid TGC present)? I tried renew=true but it just prompts for the password and after login it redirects back to service=foo instead of showing the password change flow. So the only current way is to log the customer out and redirect him to CAS to change his password. But if he cancels the password change action, then he is kind of logged out for nothing and has to log back in. Not the best UX, I guess. So the best would be, I guess, to redirect to CAS with renew=true&doChangePassword, then after a successful login perform the change password operation and log out (quite a common flow on many portals).

mrokitka
@mrokitka
Hi, is there a rough ETA on the java-cas-client 4.x release? We're evaluating upgrading to the Jakarta Servlet API, but the lack of support in the 3.x line is a blocker for this.
mwbi
@mwbi

Hi, we want to use Apereo CAS as an OIDC server, but we have the problem that attributes in the email and openid scopes are returned as arrays, not as strings. We use LDAP as the data source:
cas.authn.attribute-repository.ldap[0].attributes.mail=email
cas.authn.attribute-repository.ldap[0].attributes.cn=name
cas.authn.attribute-repository.ldap[0].attributes.sn=family_name
cas.authn.attribute-repository.ldap[0].attributes.cn=name
cas.authn.attribute-repository.ldap[0].attributes.givenName=given_name

In the logs we see:
attributes={name=[customuser2], given_name=[Elke], family_name=[Tretsuser], email=[foo2@bar.com]}, id=customuser2, scopes=[email, openid, profile], client_id=clientid}

CAS version 6.6.0

dargur mikk
@dargurm_gitlab
Does anyone have an idea how to visualize the webflow of CAS? I need to figure out on which state I can hook my custom action, but getting an overview of what's happening is very cumbersome.
dargur mikk
@dargurm_gitlab
Error messages created by org.apereo.cas.pm.web.flow.actions.PasswordChangeAction and maybe other actions are not localized, which leads to such an inconsistent UX. Any suggestions on how to link those with messageSource?
dargur mikk
@dargurm_gitlab
Even though in 6.6.1 there was an attempt to fix locale handling in the email communication, it is still not working right. DefaultCommunicationsManager uses messageSource to localize the email subject, and message property resolution using #{foo.bar} works, but the locale is wrong. The email body is correct because EmailMessageBodyBuilder uses the resolved locale, but the communications manager never receives the locale to use, thus it uses the default locale. So the email body is in German but the subject is in English.

public class DefaultCommunicationsManager { ....
    return messageSource.getMessage(matcher.group(1), args.toArray(),
        "Email Subject", ObjectUtils.defaultIfNull(emailRequest.getLocale(), Locale.getDefault()));
    ...
}

public class SendPasswordResetInstructionsAction { .....
    val emailRequest = EmailMessageRequest.builder().emailProperties(reset)
        .principal(person)
        .to(List.of(to)).body(text).build();
    return this.communicationsManager.email(emailRequest);
}
Joro Kushev
@jorokushev:matrix.org
Hello,
There is a new vulnerability with a very high CVE score (9.8) reported for Apache Commons Text. The vulnerable versions are anything between v1.5 and 1.9. In the current (latest) Apereo CAS 6.6, the version of the library in use is 1.9. Is there a plan for this to be upgraded to v1.10 or later?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889
kjkeane
@kjkeane:matrix.org
Looks like they updated it, they just haven't made a release:

apereo/cas@2d38962
Juliet N. Njeri
@juliett:matrix.org
Hello, I would like to set up CAS 5.3.* but am not able to find the cas-overlay-template for this version. If anyone can guide me, I will appreciate it; I am a bit new to CAS.
Dhanesh Kumar
@dhanesh238
Hi, I am trying to set up SSO using SAML2 with CAS running as the IdP. But the underlying application currently validates only a JWT token. Is there any API in CAS that we can leverage to generate a JWT token from the SAML assertion?
igorbga
@igorbga
Hi everyone. I'm trying to configure Google OpenID Connect delegated authentication by using the pac4j support. Everything seems to work great, I can authenticate. But the principal that is returned to me is not "my username" but a long number. I mean, if I authenticate with my Google account iblanco@whatever.com I would like the principal to be "iblanco", not 171230230123.
I managed to at least make the principal the e-mail by setting this config:
cas.authn.pac4j.oidc[0].google.principal-attribute-id=email
But I cannot progress further. I have tried to configure a Groovy script in a couple of places in order to "massage" the value myself and remove the part behind the @, but they don't seem to get triggered as I expected them to.
Any pointer would be much appreciated.
I have tried with a principal transformation script by using this parameter:
cas.person-directory.principal-transformation.groovy.location=
But the script was never triggered, and in fact I think this script might be for transforming the principal before authentication, not after. So probably that's not the right way to proceed...
igorbga
@igorbga
I've also tried to set a script in the service's usernameAttributeProvider section, but it doesn't seem to trigger either...
Maybe I have to define a new attribute and somehow make it programmatically build what I need from an already existing attribute?
I understand that what I'm getting as a principal id from Google is probably a unique number to identify myself in Google, but I guess that what I'm trying to do is not so weird either, is it? I will only allow Google authentication from my domain, so I can safely assume that the first part of the e-mail would be unique.
igorbga
@igorbga
I could just use the e-mail, but then I would have to modify all consumer applications so that they understand that the user profile identified as iblanco and the one identified as iblanco@whatever.com are the same user.
igorbga
@igorbga
[SOLVED] Finally I managed to do it using the usernameAttributeProvider in the service and a Groovy script like this:

def run(Object[] args) {
    def ALLOWED_EMAIL_DOMAIN = "whatever.com"

    def attributes = args[0]
    def id = args[1]
    def service = args[2]
    def logger = args[3]

    def suffix = "@" + ALLOWED_EMAIL_DOMAIN.toLowerCase()
    if (id.toLowerCase().endsWith(suffix)) {
        return id.substring(0, id.length() - suffix.length())
    }
    return id
}

newbeeeeeee
@newbeeeeeee

Hello all, I am trying to build the CAS management app, and when I enable an AWS service registry like DynamoDB or S3, I get the following error. For DynamoDB it creates the table and then fails to start:


APPLICATION FAILED TO START


Description:
Parameter 1 of method restAuthenticationService in org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestAuthenticationConfiguration required a bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' that could not be found.
The injection point has the following annotations:

- @org.springframework.beans.factory.annotation.Qualifier(value="defaultMultifactorTriggerSelectionStrategy")

Action:
Consider defining a bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' in your configuration.

Anyone have any ideas why this would be happening? If I remove the CAS management AWS dependency it works fine.

Łukasz
@lgwozniak
Hello, does anybody know about some problems with logging in via OAuth2 with Office365?
CAS version is 6.5.8
chenbo6398
@chenbo6398

Hi guys! I was perplexed by SLO for a long time.
I read the doc, and I understand that when CAS logs out, the CAS server will call back the CAS client's URL to remind the client to destroy the session, and the client should define an API to destroy the local session.
I followed that, but the client never received the callback.

I want to know if the CAS server will call back the client.

Łukasz
@lgwozniak

Hello, does anybody know about some problems with logging in via OAuth2 with Office365?

If anyone has a similar problem, this property fixes it:

cas.authn.oauth.replicate-sessions=true
Pascal Rigaux
@prigaux

I want to know if the CAS server will call back the client.

It should. Check the nginx/apache log, you should see something like:

172.20.0.83 - - [16/Nov/2022:02:37:02 +0100] "POST /EsupUserApps/login?target=https%3A%2F%2Fent.univ-paris1.fr%2Faccueil%2F HTTP/1.1" 200 0 "-" "Apache-HttpClient/4.5.6 (Java/11.0.16)"
tvoyat
@tvoyat

Hi,

Probably a neophyte question, but I can't find the simple way to define an attribute from a header field with "trusted" authentication.
CAS authentication is simply done through an Apache reverse proxy which defines an "APP_REMOTE_USER" header that I easily retrieve via:

cas.authn.trusted.remote-principal-header=app_remote_user

The proxy also provisions a 'GRP_FROM_APP' business header which I can clearly see in the debug log:

2022-11-17 10:02:56,702 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.PrincipalFromRequestHeaderNonInteractiveCredentialsAction] - <Available request headers are [{referer=[https://XXXX], x-forwarded-port=[443],  app_remote_user=[T01722], host=[XXX], connection=[Keep-Alive], cache-control=max-age=0], 
....
grp_from_app=[017,223], cookie=[JSESSIONID=9Pt2j2GDjZTpmG09pVb525jCRRgVtTznCW8kgWDvJM8H2GJfGSMn!...
Chrome/107.0.0.0 Safari/537.36], sec-fetch-dest=[document]}]. Locating first header value for [app_remote_user]>
2022-11-17 10:02:56,705 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.PrincipalFromRequestHeaderNonInteractiveCredentialsAction] - <Remote user [T01722] found in [app_remote_user] header>
2022-11-17 10:02:56,706 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.BasePrincipalFromNonInteractiveCredentialsAction] - <User [T01722] found in request>
2022-11-17 10:02:56,708 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.BasePrincipalFromNonInteractiveCredentialsAction] - <Attributes [{}] found in request>

But there, I can't recover this header to transform it into an attribute. It looks like "trusted" authentication doesn't provision any attributes other than the principal.
What method would allow me to add this attribute for CAS clients?

Thanks

tvoyat
@tvoyat
Hi Misagh,
I see you are working on Trusted attributes and thank you very much for that.
I didn't understand what the ShibbolethExtractor class was doing here and I understand better now that you removed it (probably an "old" reason).
However, in your new implementation, I don't understand why you rely on a "PREFIXheader" (AJP) => "Prefix_Value" model for the extraction, à la Shibboleth, which doesn't seem to me to be the most common.
Why not have simply, or at least also, a simple extraction based on the exact names (or a regex) of the headers (a java.util.List "header1, header2, header3...") with the same logic as the release-attribute parameters?
This method seems to me more suitable for authentication via trusted.
Regards
tvoyat
@tvoyat

Hello,
I upgraded to the latest version (7.0.0-SNAPSHOT) and now I easily and directly retrieve ALL the attributes present in the trusted headers.
I admit that I didn't easily understand how to use attribute-header-patterns in cas.properties.
In my case, I used:

cas.authn.trusted.attribute-header-patterns=(APP_REMOTE_USER|GRP_FROM_APP)->(.+)

Not very intuitive, but is it correct?
Regards

John Lucey
@john.lucey.2011_gitlab

Hi all,

Could someone please assist with the below issue I am facing? Thank you.

Here is my environment (note that the frontend and backend are served from different domains):

  • CAS Server (implementing CAS 2)
  • Frontend
  • Backend

Tech stack:
org.jasig.cas.client:cas-client-core v3.4.1
spring boot 1.5.4
Java 1.8

Here is what is happening:
(1) The user accesses the frontend, but there is no session cookie yet, so the user is redirected to the CAS login page served by the CAS Server.
(2) The user enters a correct login, and the CAS login page redirects to the ticket validating endpoint (login/cas?ticket=XXX....) served by the backend.
(3) The backend responds with a session cookie and redirects to the frontend URL.

The problem is that the cookie in step 2 is only valid for the backend domain, and not the frontend domain, so all the requests from the frontend fail because the cookie isn't sent to the backend in requests. Does anyone know a way around this? Can the cookie somehow be made cross-domain? Perhaps via configuration on the CAS Server? Please excuse my lack of knowledge w.r.t. the CAS protocol. Thank you.

mcaccessa
@mcaccessa
Hi!
Is there a way to run CAS, in HA mode, without using sticky sessions, for OAuth/OIDC protocols (as mentioned in this comment: https://groups.google.com/a/apereo.org/g/cas-user/c/mzO_JpUqU3A/m/sMWhnIKrEgAJ)?
All CAS instances are already using a shared ticket storage, but it seems that the Authorization Code Flow is not working properly without the session affinity feature enabled in the LB.
Thank you!
chenbo6398
@chenbo6398
Hi!
How could I make the CAS server return an attribute with a list?
I am using JDBC, and single row.
And should I return the authority in attributes?
mwbi
@mwbi
Hi,
I'm searching for a good SAML delegation example with a redirection based on an LDAP attribute. I'm not sure if it is possible to solve this problem with Groovy and the cas.authn.pac4j.core.groovy-redirection-strategy.location option. I would be very grateful for starting tips.
mwbi
@mwbi
There are some good working examples on https://fawnoos.com/ but I didn't find things like a provider selection by an LDAP attribute.