by

Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • May 31 12:59
    mmoayyed commented #4870
  • May 30 08:05

    mmoayyed on heroku-githubbot

    update bot (compare)

  • May 30 07:54
    leeyc0 commented #4870
  • May 30 05:45
    leeyc0 edited #4870
  • May 30 05:44
    leeyc0 commented #4870
  • May 30 05:41
    leeyc0 commented #4870
  • May 30 05:41
    leeyc0 commented #4870
  • May 30 05:41
    leeyc0 commented #4870
  • May 30 05:37
    leeyc0 commented #4870
  • May 30 05:37
    leeyc0 commented #4870
  • May 30 05:36
    unfurl-links[bot] commented #4870
  • May 30 05:36
    apereocas-bot closed #4870
  • May 30 05:36
    apereocas-bot commented #4870
  • May 30 05:36
    apereocas-bot labeled #4870
  • May 30 05:36
    apereocas-bot labeled #4870
  • May 30 05:35
    leeyc0 synchronize #4870
  • May 29 11:58

    mmoayyed on v6.2.0-RC5

    (compare)

  • May 29 11:15
    codecov[bot] commented #4854
  • May 29 11:15
    codecov[bot] commented #4854
  • May 29 11:13
    codecov[bot] commented #4854
MARC Matthieu
@blink38
Hi everybody. I am using CAS 5.2.9 and I am trying to migrate to 6.1.5. Using maven overlay (or with gradle), when I am starting the web application, it always stop after the message "CasWebApplication : the following profiles are active : standalone". I am using tomcat embedded. With debug, I can't find any message which can help me to identify the problem. Is someone could help me ?
MARC Matthieu
@blink38
Ok, so running my CAS configuration into tomcat (and not embedded tomcat) show me errors on configuration (Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties) which means that I used some old configuration items with deprecated name. Resolved it let me start the application.
Francisco Castel-Branco
@Khorsan

Hi, everyone.
I'm having the same issue for a month, now. I can't seem to resolve it.

I'm configuring a SAML delegation and my IdP requires that I use SHA1 with RSA. The thing is pac4j isn't letting me using it. It returns me this message:

ERROR [org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignerProviderImpl] - <An error occured computing the digital signature: The requested algorithm SHA1withRSA does not exist. Original Message was: SHA1withRSA MessageDigest not available>

My configuration option is this:
[...]signatureReferenceDigestMethods: http://www.w3.org/2000/09/xmldsig#rsa-sha1

3 replies
Kirill Gagarski
@gagarski

Hi, all!

I am thinking about upgrading CAS 5.3 to CAS 6.1.
As far as I understand, cas-overlay-template does not support Maven anymore.

I still use Maven in my project which is inspired by old Maven overlay template (not exactly, I do not like the concept of class shading, but still uses the same plugins). It also relies on cas-server-support-bom

Is there any success stories about upgrading cas from version 5.3 and also staying with Maven build? I tried to update versions in my pom.xml. Seems like dependencies are resolved successfully but I still need to migrate my custom code.

Can I concentrate on migrating my code or should I rewrite my build configurations to gradle?

Oh, just saw that @blink38 mentioned this migration. Were you able to build it with Maven? Did you have any problem with it? (sorry for the mention)
catudo
@catudo
@syedabuturabgithub I reccomend you add the following line cas.authn.accept.users=casuser:Mellon, futhermore the properties files must be in C:\etc\cas in windows enviroment
catudo
@catudo

Hi everyone I have the following issue,I implemented a CAS client and configure the CAS overlay server, everything works fine if I get authenticated by web explorer, however, when I authenticated by restful service I cannot do it, I did the following steps:

I get the ticket with this endpoint https://localhost:8443/v1/tickets and returned this:
TGT-6-D-SS3TDLIpY5RDUqSXVjV-8NF4odaD4kecdTwv7fwAUg7qfYY-9sShkYqR3xPeRnp-Y-DESKTOP-SV9Q6OU
then with this ticket, I get the token with the following endpoint:

https://localhost:8443/v1/tickets/TGT-6-D-SS3TDLIpY5RDUqSXVjV-8NF4odaD4kecdTwv7fwAUg7qfYY-9sShkYqR3xPeRnp-Y-DESKTOP-SV9Q6OU

And it returned this:
ST-23-GbT6Tq2Rh6i-qo8GVaH-yld--9A-DESKTOP-SV9Q6OU

My cas client has the following service
http://localhost:8900/test_service

But I dont know how to consume my service that is protected by CAS, I tried

http://localhost:8900/test_service?ticket=ST-23-GbT6Tq2Rh6i-qo8GVaH-yld--9A-DESKTOP-SV9Q6OU

however it returns the page to get authenticated by cas

dlemp1
@dlemp1

Having another little issue with Spring Security & CAS. Following this example here still: https://www.baeldung.com/spring-security-cas-sso

Everything looks like it works, I log in through my CAS system, but it still thinks my email address is test@test.com. I'm sure it has to do with this snippet of code, but not sure how to modify it for my usage:

@Bean
public CasAuthenticationProvider casAuthenticationProvider(
TicketValidator ticketValidator,
ServiceProperties serviceProperties) {
CasAuthenticationProvider provider = new CasAuthenticationProvider();
provider.setServiceProperties(serviceProperties);
provider.setTicketValidator(ticketValidator);
provider.setUserDetailsService(
s -> new User("test@test.com", "Mellon", true, true, true, true,
AuthorityUtils.createAuthorityList("ROLE_ADMIN")));
provider.setKey("CAS_PROVIDER_LOCALHOST_8900");
return provider;
}

Philipp Berger
@philippberger
Hi all,
I have a general question:
Let's assume Single Logout is enabled. Should there be a LogoutRequest for each authenticated Service and also for Services authentication by a ProxyTicket?
MARC Matthieu
@blink38
@gagarski I was using maven for CAS 5.3 but I used gradle for CAS 6.1 according the documentation. I rewrite my build configuration to gradle just adding dependencies. It's quick. My problems were with the config which changed (some keys were renamed)
Florent A.
@ft-at

Hello there,

I have a problem with CAS 6.1.6 in a Tomcat 9 (JDK11).
The server responds correctly, but as soon as it is called in HTTPS via a Load Balancer, Tomcat loops on 302 responses.
The problem seems the same as apereo/cas#4784, except that it happens on an external servlet container.
Do you know if I need to add something special in the configuration?

umutarus1
@umutarus1

Hello,

Is there anybody used "Multi Domain CAS Login Filter" at https://web.liferay.com/marketplace/-/mp/application/54315044 or appreciate your multi domain for CAS suggestions.

thanks.

tdelaitre
@tdelaitre
hello, I'm getting Unauthorized, This server could not verify that you are authorized to access the document requested. WHO: audit:unknown
WHAT: ST-35-cas
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
Suhas Bansude
@suhasbansude
I have issue with login flow customization please help me
Dipinrajc
@Dipinrajc
I have an issue while adding a certificate in CAS, Alias name [null] does not identify a key entry
systemcia
@systemcia
hello,all:
recently, i have occurred one problem , when i login the cas with my service and test the error scene , for example type the wrong password or use the invalidate user login , i have found the web page transition to the cas/login without my service , have someone solved the same problem? pls share the method to me , thank you all .
systemcia
@systemcia
this is my problem screen
image.png
image.png
VikashChandra1996
@VikashChandra1996
Hello all, I am getting an unuasual behaviour
I am using 4 ldaps for my authentication purpose. Suppose if m entering the wrong credentials for once, its giving me acount has been locked. KIindly help me to resolve this issue
aprillu
@aprillu
@jaolivan I got the same problem. Any idea to resolve it?
Hagen Pache
@beardedN5rd

Hey guys,
I am new to CAS and shall evaluate the project an get stuck at the beginning.
Since I know I need some aspects like Oauth2, JWT, MFA I tried to start with the Oauth2 example(https://apereo.github.io/2019/02/19/cas61-as-oauth-authz-server/), but didn't get it running since the client failed to build

so i included my changes according to the example into cas-overlay-template and started it with docker-compose.
GOOD -> it builds, runs and I can use the "normal" endpoint to authenitcate casuser
BAD -> trying to reach the accessToken endpoint via https://localhost:8443/cas/oauth2.0/accessToken?grant_type=password&username=casuser&password=Mellon&client_id=foo&client_secret=bar fails, I always get
2020-05-14 07:50:10,167 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [] is not found in service registry.>

CAS Server is running inside docker, Request comes from my host machine. I added an oauth.json with the following content

{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "foo",
  "clientSecret": "bar",
  "serviceId" : "^https://localhost.*",
  "name" : "OAuthService",
  "id" : 1000,
  "supportedGrantTypes": [ "password" ]
}

Any clues what I have done wrong?

Zoran Kokeza
@zoran995
Hi, I am trying to connect geonetwork with CAS but authentication constantly fails. When I try to sign in the geonetwork it redirects me to https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8443%2Fgeonetwork%2Fsignin-cas and after entering the credentials it redirects me to https://localhost:8443/geonetwork/signin-cas?ticket=ST-4-IMGr5Flo9FHSKhba9BVWucPyuW0GIS-kokeza with service ticket but it seems that authentication fails due to proxy callback URL. Does anyone have an idea what could go wrong, my logs can be found here along with some configuration data (original implementation of cas in geonetwork can be found here https://github.com/geonetwork/core-geonetwork/blob/70c2afba48f9a2a4c797b674a1b2d1a916b871b6/web/src/main/webapp/WEB-INF/config-security/config-security-cas.xml).
Thanks in advance.
Koen De Jaeger
@kdejaeger
Hello everyone. I joined a project last week at work where they are using cas 5.x to login the user with Twitter, Facebook and Google. Now they want us to add 'Sign on with Apple'. Is there a reason why this is not implemented yet in 6.x?
2 replies
Hmm I'll ask in Google groups instead.
Charl Thiem
@trojanc
Hi. I need some help setting up CAS with OIDC please. I'm just trying to get the most basic example working but I'm not having much luck. If anyone is willing to share some ideas or config with me... I have posted on the forum what my problem is https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/QZ97Jg_44Oc
Its just the part where the "code" should be sent and a "authorization_code" grant_type should be returned... I get a 403 there... I've been playing for a few days with all sorts of config, and even tried the suggested example app on the documentation... All give the same 403 when trading in the code... So I'm pretty sure it's some silly config I'm missing :(
johnjcool
@johnjcool
@trojanc Which version you use? Try 6.1.5
VikashChandra1996
@VikashChandra1996
Hello all, I am getting an unusual behavior
I am using 4 ldaps for my authentication purpose. Suppose if m entering the wrong credentials for once, its giving me account has been locked. Kindly help me to resolve this issue.

${configurationKey}.ldapUrl=ldaps://ldap1.example.edu ldaps://ldap2.example.edu ldaps://ldap3.example.edu ldaps://ldap4.example.edu

${configurationKey}.bindDn=cn=Directory Manager,dc=example,dc=org

${configurationKey}.bindCredential=Password

${configurationKey}.poolPassivator=BIND

${configurationKey}.connectionStrategy=

${configurationKey}.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

${configurationKey}.connectTimeout=PT5S

${configurationKey}.minPoolSize=3

${configurationKey}.maxPoolSize=10

${configurationKey}.validateOnCheckout=true

${configurationKey}.validatePeriodically=true

${configurationKey}.validatePeriod=PT5M

${configurationKey}.validateTimeout=PT5S

${configurationKey}.failFast=true

${configurationKey}.idleTime=PT10M

${configurationKey}.prunePeriod=PT2H

${configurationKey}.blockWaitTime=PT3S

${configurationKey}.useSsl=true

${configurationKey}.useStartTls=false

${configurationKey}.responseTimeout=PT5S

${configurationKey}.allowMultipleDns=false

${configurationKey}.allowMultipleEntries=false

${configurationKey}.followReferrals=false

${configurationKey}.binaryAttributes=objectGUID,someOtherAttribute

These are the properties i am using
hansonjan
@hansonjan
How to use the bind mode on cas?
hansonjan
@hansonjan
@MarKoCeg Hiļ¼Œhave you solved the matter about bind mode? I get the same matter now.
mwolfley
@mwolfley
@kdejaeger You can integrate with whatever SAML2 IdP you want, doesn't have to be one named there
XiaoKang87
@XiaoKang87
hello, i want to store access_strategy in mysql, i saw the field typ is blob, anyone knows how to set that field?
CriCL
@CriCL
I've a question. I'd like to integrate two apps. 1st app is an onpremise (which doesn't support saml 2.0). 2nd app is cloud based application which supports saml 2.0.
Both apps must use G Suite credentials. 2nd app has a native configuration, but 1st one doesn't. Any ideas for implemeting CAS SSO?
Scott Williams
@vwbusguy
Google uses SAML, so if you use CAS as the SaML provider for Google, you can use Google as the provider and it will call CAS when a user logs in with your domain
Unless you're talking about logging into CAS itself with Google, in which case, you'll want to set up Google as an delegated provider for your CAS instance - https://apereo.github.io/cas/6.1.x/integration/Delegate-Authentication.html
@CriCL ^^
CriCL
@CriCL

Hi @vwbusguy ! thanks a lot for replying. Let me check if I understood well.

If my 2nd App already is integrated with G Suite and signs In perfectly.
1 ) Do I only have to plug my 1st App with CAS with achieve SAML 2.0 and Sign in?
or
2) Do I have to plug both Apps to my CAS Server to login with G Suite?

My problem here is the hybrid solution I already have. My cloud app opens a new tab which jumps to my onpremise solution to run a report. Here is where I need to avoid 2nd login

Best regards

Scott Williams
@vwbusguy
That's the decision you have to make. I can tell you that what I do here is that Google authenticates through our provider through SAML and any 3rd party Google login integrations for our domain end up going to our identity provider over SAML. That doesn't mean that that is necessarily what's best for you use case and identity management strategy though. Generally, I prefer using SAML when integrating with external 3rd parties.
As far as app 1 goes - if it's internal, keep in mind that you will need to setup a SAML service provider in the app. That is generally more work than using CAS protocol. You might find CAS protocol to be simpler to implement for an internal application in general.
It just depends on how you will integrate with Google, if that if your end goal (oauth, delegated auth, SAML)
CriCL
@CriCL
Perfect. I see now.
Thank you again @vwbusguy , appreciate you help
Scott Williams
@vwbusguy
YW :-)
CriCL
@CriCL
Hey again,
I need some backup!
https://stackoverflow.com/questions/62096130/cas-sso-docker-image-fails-caused-by-tomcat-server
Scott Williams
@vwbusguy
That log entry itself doesn't give much to go on. There should be something above that in the logs that tells why it failed.
Oh- I didn't notice the pictures with it
The protocol handler failed - my guess is that there's maybe some problem with the SSL certs for 8443?
Normally it should read the cert/key from a java keystore