Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Sep 20 13:46

    mmoayyed on gh-pages

    Published documentation from 5.… (compare)

  • Sep 20 12:08
    mmoayyed commented #4212
  • Sep 20 12:07
    codecov[bot] commented #4264
  • Sep 20 12:07
    apereocas-bot synchronize #4264
  • Sep 20 12:07

    apereocas-bot on attributetests

    fix test cases Merged branch master into attri… (compare)

  • Sep 20 12:05

    mmoayyed on master

    fix test cases (compare)

  • Sep 20 11:15

    mmoayyed on gh-pages

    Published documentation from 6.… (compare)

  • Sep 20 09:48
    charlibot commented #4212
  • Sep 20 09:46

    mmoayyed on 5.3.x

    improve rnd number gen (compare)

  • Sep 20 09:37

    mmoayyed on 6.0.x

    improve rnd number gen (compare)

  • Sep 20 02:41
    codecov[bot] commented #4264
  • Sep 20 02:41
    hdeadman synchronize #4264
  • Sep 20 02:41

    hdeadman on attributetests

    add test for custom scope relea… (compare)

  • Sep 19 18:46
    codecov[bot] commented #4262
  • Sep 19 18:46
    vinayknl synchronize #4262
  • Sep 19 18:46
    codecov[bot] commented #4267
  • Sep 19 18:45
    vinayknl synchronize #4267
  • Sep 19 18:26
    codecov[bot] commented #4264
  • Sep 19 18:26
    apereocas-bot synchronize #4264
  • Sep 19 18:26

    apereocas-bot on attributetests

    clean up test cases Merged branch master into attri… (compare)

Cemal
@cmlonder
I have a JSON problem while returning custom attributes in my custom authentication handler. In the method, return createHandlerResult( credential, this.getPrincipalFactory( ).createPrincipal( credential.getId( ), attributes) ) it returns always List of objects whether my object is String or List inside the Object of attributes(Map<String, Object>). I debugged and see that because after calling mergeAttributes of DefaultAuthenticationResultBuilder class, everything in the Principal is returned as List. Is it expected behaviour? Does everyone returns their attributes like -> {"appName": ["TestApp"]}? instead of {"appName":"TestApp"}
Sai Dinesh
@svallamsetti
The timeout specified has expired: proxy: prefetch request body failed anyone has suggestions
what's this error is
Wilber Saca
@wsaca
@mmoayyed Password reset stop working after this commit: https://github.com/apereo/cas/commit/34d55a8b189d2b8a0ec2a4037c4d63197b6a8ab9#diff-01fb73bbe90d1e3ed02364b36eef3db3
Could you check it? You changed the param name to "token" instead of "pswdrst" and you removed this line: this.ticketRegistry.addTicket(ticket);
Misagh Moayyed
@mmoayyed
Sure. I’ll take a look.
Wilber Saca
@wsaca
@mmoayyed There are things that I don't understand for now, but I will continue reading the code to learn and report any issue found. Thanks you.
Scott Williams
@vwbusguy
Thanks to all who worked on 5.3.12. We're using a mongodb backend and the CAS deployments are now using less than 1/3 of the memory they were on 5.3.11 and the logins are noticeably faster as well.
sga1122
@sga1122
How does the TGT getLastTimeUsed get updated? My client is active but because the TGT date doesn’t get update my session expires... is there something that needs to be set on the client that forces updating of this value?
sga1122
@sga1122
Or is there a programmatic way to logout of cas so that I can set TGT to never expire?
howieqdd
@howieqdd
hello boy
i
need help
The website and the background realize login by accessing different login addresses, do not want the website to develop a system, and develop a system in the background.
CAS
Can a CAS configure multiple login paths?
For example, the website login accesses cas/a/login, and the other accesses cas/b/login
ok
Cemal
@cmlonder
Hi everyone, I described in detail my problem here, glad if I can get some clue how to continue: https://stackoverflow.com/questions/57788482/cas-custom-authentication-handler-principal-json-problem
springnirps
@springnirps
can an oauth2 client using spring security work with a cas oauth2 server? Looks like tokens are written to different tables.
Cemal
@cmlonder
I solved my problem about Principal attributes, I may create a pull request @mmoayyed just for information to others but it is not directly related with CAS so I'm not sure for PR, anyway you can have a look : https://stackoverflow.com/a/57819588/3000280
Wilber Saca
@wsaca
@mmoayyed If you don't have enough time I would like to fix the reset password issue that I reported, I only need to know if I should use the ticketRegistry to store a transient ticket or not?
Wilber Saca
@wsaca
We need to improve the password history, I needed to create my custom implementation to use a different SQL schema, the documentation is not clear explaining how to use the jdbc password history.
Ilkka Järstä
@ilu

What would be the best way to file a bug with CAS? We're implementing SSO through JWT with a client that uses CAS. We've noticed that the JWTs issued by CAS do not follow the JWT spec as they include base64 padding (https://tools.ietf.org/html/rfc7515#section-2). This means the tokens fail on JWT libraries like https://github.com/brianloveswords/node-jws and https://github.com/panva/jose

Sorry if this has been covered already, I couldn't find anything on this topic.

Wilber Saca
@wsaca
What auth method are you using? have you tested the latest RC?
Ilkka Järstä
@ilu

Hi @wsaca !

The issued token says "authenticationMethod": "MongoDbAuthenticationHandler".
We have no control over their CAS installation, but I doubt they would be using the latest RC.

We can probably circumvent the problem, I just wanted to file a bug as I could not find anything mentioned about this non-rfc-compliant behaviour.

Wilber Saca
@wsaca
Maybe this problem was fixed in CAS 6.1.0, the class that encode a JWT ticket is JwtTicketCipherExecutor.
Ilkka Järstä
@ilu

@wsaca I now noticed there was a similar PR about this by you: apereo/cas#4142

Changing the encoding to base64url should solve this, but as far as I can see we're already getting back base64url encoded data (as + and / are replaced with - and _) but it does include the padding, which is optional for base64url. Org.apache.commons.codec.binary.Base64 should omit the padding according to the docs, so I don't really know what's going on.

Anyway, thanks for the help and let's hope 6.1.0 fixes this!

springnirps
@springnirps
Can I assign a scope in CAS OAuth Server for a client_credentials grant for each client_id?
Omar Bouras
@bourasom
Hello,
I am working on CAS SAML2 integration as IDP. The SP side redirect to the CAS authent. However, after authent, cas doesn't recognize the final destination to reach.
Can somebody help please?
springnirps
@springnirps
-Dcas.standalone.configurationDirectory=/my/path does not seem to work for me, deploying to wildfly ... i would like to use config path other than default /etc/cas/config
Rushita Trivedi
@rushita-trivedi
Hello, I want to integrate CAS auth SSO service in serverless. but I am not getting any appropriate result related to that. can anyone help me with this?
Wilber Saca
@wsaca
@mmoayyed This commit "https://github.com/apereo/cas/commit/34d55a8b189d2b8a0ec2a4037c4d63197b6a8ab9#diff-01fb73bbe90d1e3ed02364b36eef3db3" appends the service param to the url that is sent to the user email, but when the user click the button on this page:
"https://github.com/apereo/cas/blob/master/webapp/cas-server-webapp-resources/src/main/resources/templates/casPasswordUpdateSuccessView.html"
then the user is redirected to the login page but the service param is lost. is that the right behavior? Maybe this file should be modified:
"https://github.com/apereo/cas/blob/master/support/cas-server-support-pm-webflow/src/main/java/org/apereo/cas/pm/web/flow/PasswordManagementWebflowConfigurer.java#L147"
rattobondo
@rattobondo
hello guys i am trying to integrate cas-simple mfa with the native Rest APi for TGT and ST. It seems that those components are completely indipendent. Creating TGT with Rest API does not trigger the MFA. Does anybody have done something similar=
?
Jyotish
@jyotishp
Hi, we are using CAS at our university. We recently upgraded to 6.0.x and we started seeing this weird behavior where CAS opens a connection to LDAP but doesn't seem to close it. The number of open connections from CAS don't seem to be going down at all but are gradually increasing (and our LDAP is running out of FDs eventually). Can someone point a few directions to debug this?
Ian Shannon
@50L1DU5
Hey all, I am willing to bet someone has run into this issue: Authentication is successful (using SAML2), and I can see the success messages logged in debug mode. The SSO page renders "Invalid Credentials" 
=============================================================
WHO: bob
WHAT: Supplied credentials: [UsernamePasswordCredential(username=bob)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Sep 17 09:58:03 MDT 2019
CLIENT IP ADDRESS: 192.168.126.202
SERVER IP ADDRESS: 192.168.112.11
=============================================================

>
2019-09-17 09:58:03,631 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationTransactionManager] - <Successful authentication; Collecting authentication result [org.apereo.cas.authentication.DefaultAuthentication@952fbcc5]>
2019-09-17 09:58:03,631 DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>
2019-09-17 09:58:03,632 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: bob
WHAT: [result=Service Access Granted,service=https://cas.i.secure64.com:8443/cas/i...,principal=SimplePrincipal(id=bob, attributes={Callback-Number=1.970.555.6666}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Sep 17 09:58:03 MDT 2019
CLIENT IP ADDRESS: 192.168.126.202
SERVER IP ADDRESS: 192.168.112.11
=============================================================

>
2019-09-17 09:58:03,635 ERROR [org.apereo.cas.adaptors.radius.web.flow.RadiusAccessChallengedAuthenticationWebflowEventResolver] - <No multifactor authentication providers are available in the application context>
the ERROR in the last line, is it a symptom of the authentication failing?
shimashi
@shimashi
Hi.. I am CAS newbie and running some issue with X509 and ldap authentication integration. I was able to pull EDIPI from the smart card but it's not followed with LDAP search base on EDIPI. Here is my config snippet. Thanks for your help.
cas.authn.x509.regExTrustedIssuerDnPattern=CN=CA-[1-4][0-9]xxxx
cas.authn.x509.maxPathLengthAllowUnspecified=true
cas.authn.x509.checkKeyUsage=false
cas.authn.x509.requireKeyUsage=false
cas.authn.x509.principalType=CN_EDIPI
cas.authn.x509.ldap.ldapUrl=ldaps://ldap.abc.edu:636
cas.authn.x509.ldap.useSsl=true
cas.authn.x509.ldap.baseDn=dc=abc,dc=edu
cas.authn.x509.ldap.bindDn=uid=ldapreader,ou=Special Users,dc=abc,dc=edu
cas.authn.x509.ldap.bindCredential=password
cas.authn.x509.ldap.poolPassivator=BIND
cas.authn.x509.ldap.connectTimeout=5000
cas.authn.x509.ldap.validateOnCheckout=true
cas.authn.x509.ldap.validatePeriodically=true
cas.authn.x509.ldap.validatePeriod=600
cas.authn.x509.ldap.failFast=true
cas.authn.x509.ldap.searchFilter=usuhsEDIPI={user}
cas.authn.x509.ldap.principalAttributeList=uid
Torben Breitkreutz
@dasnebbi
Hi, is there a documentation for the CAS Management App 6.0.x? I've only found some docs 5.3...? https://apereo.github.io/cas-management/5.3.x/index.html
Henrik Larsen
@skruestik

Hi,
I've a RADIUS MFA setup simular to what Misagh Moayyed describe here: https://apereo.github.io/2018/10/18/cas5-radius-mfa-authn/
I can not get ldap to fetch attributes. The only attributes I see is from radius:

2019-09-18 11:54:02,373 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is [SimplePrincipal(id=xxx@xxx.xx, attributes={State=[Binary Data (length=38)], Reply-Message=Enter PASSCODE})]>

2019-09-18 11:54:16,515 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Determined primary authentication principal to be [SimplePrincipal(id=user@xxx.xx, attributes={MS-CHAP2-Success=[[Binary Data (length=43)]], MS-MPPE-Send-Key=[[Binary Data (length=34)]], Class=[[Binary Data (length=44)]], Reply-Message=[Enter PASSCODE], State=[[Binary Data (length=38)]], MS-MPPE-Recv-Key=[[Binary Data (length=34)]]})]>

When change to use builtin test auth cas.authn.accept.users=user@xxx.xx::xxx the attrbutes are fetched from ldap. I've tried CAS overlays 5.3.8 - 5.3.12.
I guess I've missed somthing in config. Also see this:

No principal resolution is configured for [RadiusAuthenticationHandler]
mohamed ahmed
@habi3000
Hello everyone, we are facing a weird issue with cas 6.0.4 it seems like it does not close connections with users. we are getting too many open files error-running on centos 7- at the begging we thought that maybe the default limit is just too low for our env but after monitoring it in real-time, I can definitely say that it does not go down, it just keeps going up. We restarted the service at 3 PM, now its 7 PM and there are around 1400 open file descriptors keep in mind this is not peak time. Is there is any way we can find the source of this leak? when does cas close the connection? did we misconfigure something? is there is a recommended limit for # of file descriptors?
Jyotish
@jyotishp
@habi3000 We are facing a similar issue with CAS 6.0.4 and 6.0.5 as well. It's not only exhausting FDs on CAS host but also the FDs on our auth back-end. We tried limiting the FDs to ~2000 and then CAS basically froze after exhausting FDs. So, limiting FDs is probably not going to work.
straldev
@straldev
I have a client who's attempting to setup SAML2 via Apereo CAS against our SP. The problem is their SAMLResponse POST variable is not base64 encoded, which is breaking our OneLogin SP lib. Any idea why the SAMLResponse value is not base64 encoded?
mohamed ahmed
@habi3000
@jyotishp That is confusing, tomorrow I will inspect the source code maybe I can find out when does it close the connection if does. I will keep you updated if I find anything please, please do likewise.
Frank
@frank-cq
hey guys. Do I set custom payload of jwt when i use jwt as ST ? My version is cas 6.0
Torben Breitkreutz
@dasnebbi
Hi, is there a way to handle different dnFormats using one LDAP configuration, e.g. via regex?
Wilber Saca
@wsaca
CAS Overlay can't be built because of this error "Could not HEAD 'https://oss.jfrog.org/artifactory/oss-snapshot-local/com/github/coova/jradius/jradius-1.1.5/jradius-jradius-1.1.5.pom'. Received status code 409 from server: " I think the groupId is wrong.