CriCL
@CriCL
BTW, I'm working under the dockerized release.
CriCL
@CriCL
anyone?
opax7
@opax7

Hi CAS people! I'm new to CAS and have been trying to set up Delegated Authentication to an external SAML IDP. I've reached the point where CAS is creating the SP metadata; however, I've hit a wall trying to get my IDP and CAS to communicate. I'm also not that versed in SAML, which is not helping.

My first focus is resolving the location that shows in the SP metadata. It is showing the backend server host addresses instead of the load balancer address. But I don't know how to change it. Anyone have any guidance on that?

opax7
@opax7
@CriCL I think by simply putting the "service=https://mysite.com" in the login URL will redirect back to the site after auth is successfully completed.
For example: navigating to "https://localhost:8443/cas/login?service=https://mysite.com" should prompt for login, and once successful will redirect back to https://mysite.com.
opax7
@opax7
I've answered my own question. I thought the "cas.server.prefix" property in the "cas.properties" file was what needed to change; however, I changed it and it appeared to have no effect. However through the course of other troubleshooting this setting did take effect. Apparently the generated "sp-metadata.xml" file does not get regenerated when config changes are made. In order to get it to regenerate, I had to (re)move the file and bounce the CAS server. That causes the file to get regenerated with the current settings in the "cas.properties" file.
esii-ed
@esii-ed

Hello
I'm using CAS 6.1.x with OIDC configured, but I'm unable to validate my JWT with my application using spring-security (I get the error "signed JWT rejected"). After investigation, I see that ca/oic/jwks does not return the algorithm field:

{"keys":[{"kty":"RSA","n":"gEenxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXKRbhiTm5g8l-DIw","e":"AQAB"}]}

For example, the "alg": "A256CBC-HS512" field is missing. Is there a way to configure CAS to return this field?

Jonathan Morrison
@jonfen
I am just getting started with CAS, trying to determine if it is a good fit for my work. I work at a lock company (imlss.com), but we have lots of random applications that it would be nice to tie together. We do use Active Directory / LDAP, but we are exploring adding MFA with YubiKey to combat phishing attacks.
Can the CAS server work as a reverse proxy for the web applications themselves, so that all requests get validated through CAS?
I also noticed that the latest version was v6.1.6, but the docker image was only v6.1.3
Heero
@heeropunjabi
Hi Team
I hope everyone is fine during this covid19
Does anyone have an example for the "cas.single-logout.enabled" property in the Spring Boot app?
Sampath Kumar
@sampathp_gitlab
Team, we need to help
Sampath Kumar
@sampathp_gitlab
to run cas server on domain name based where should we do the changes
as its working for localhist
*localhist/localhost
Sampath Kumar
@sampathp_gitlab
any clue
Heero Punjabi
@heeropunjabikogx
Hi All
I hope everyone is fine during this covid19
One quick thing to check:
Has anyone done anything related to single logout functionality using spring-session-jdbc?
I need an SLO handler.
veskoz
@veskoz
Hi guys,
I successfully deployed CAS 6.1 and 2 different LDAPs.
How can I query all the LDAPs in order to retrieve attributes for a user who exists in both, when the only primary key which links both LDAPs is, let's say, roomNumber?
springnirps
@springnirps
I have an OAuth server set up on my CAS instance. I have two services of client_credential grant type set up. Requesting a token from either service works for either resource. How am I supposed to restrict tokens from one server to only be valid on one resource?
SkylerLin
@i672715631
Does anyone here?
What's going on with "ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <CAS has found a match for service [xxxx] in registry but the match is not defined as a SAML service>"?
Rum
@rumroman
Hi! I use CAS 6.1.x and could not overlay login-webflow.xml! It is always the default login-webflow. Help pls.
I keep it in /resources/webflow/login.
In CAS 5.2.x it works successfully. What might be the problem?
Dipinrajc
@Dipinrajc
Hi, How to implement social login using CAS?
kakson68
@kakson68
Hi all, I am currently researching why CAS should be the SSO of choice for organizations. Any suggestion or useful links will be appreciated. I am really counting on the experts in this forum for guidance.
mwolfley
@mwolfley

what's going on with "ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <CAS has found a match for service [xxxx] in registry but the match is not defined as a SAML service>"?

I bet that's because you have a wildcarded CAS service registry entry that is picked up first. Fix that and you will probably get your service to request correctly.

@i672715631 you can't have a wildcarded service with an evaluation order lower than other services, or it will pick up all of them.
Mathieu LARCHET
@mlarchet
Hi, I'm trying to configure Single Logout through Spring Boot Autoconfig, but I keep having the following error:
    Property: cas.single-logout.enabled
    Value: true
    Origin: class path resource [application.yml]:324:14
    Reason: The elements [cas.single-logout.enabled] were left unbound.
Sairaj Madhavan
@sairajm
Hello! I'm looking for some guidance on Trusted Devices in Multifactor Authentication. I'm working on a CAS 6.1.5 overlay. I was able to get the MFA flows working properly with appropriate triggers, and bypass for GAuth. Trusted Device flow works as intended when I have a service. When I try to login without a Service, the MultifactorAuthenticationVerifyTrustAction fails because it cannot decide if it shouldBypassTrustedDevice. My login fails with an UnauthorizedServiceException. Any help with this is greatly appreciated!
kakson68
@kakson68
I'm working on a CAS 6.1.5 overlay and I need help using LDAP for authentication. Please help. I am using ApacheDS as the LDAP server and it is working fine. I only need to integrate it with the CAS server.
Marco Crank
@MCrank

Hello, looking for some insight on how to enable the gauthCredentialRepository endpoint for Google Authenticator MFA. I am building a docker image from the 6.2 branch of cas-overlay. I can't seem to find an example anywhere. So far everything is working as expected with LDAPS (Active Directory) and the registration of the devices and tokens, but I'd like to have that endpoint to manage the devices if need be without going in and mucking with the DB. I would like to have that endpoint authenticated if possible, which I believe I can from what I have been reading. I just do not know the values to put in the cas properties files to enable it.

Thank you

joemanavalan
@joemanavalan

Hi
Is it possible to suppress the client_name from the URL of the IDP [Custom IDP] for delegated authentication? Trying CAS 5.2.
https://stackoverflow.com/questions/62782606/cas-server-delegated-authentication
On clicking the IDP Authentication link, the URL is appended with %3Fclient_name%3DGenericOAuth20Client. If I manually replace %3F with "&" or remove the whole param, the IDP link gets displayed; otherwise it errors out saying invalid redirect_url. The param separator in the rest of the URL comes as "&" though.

Thanks

napoleon211092
@napoleon211092
I have successfully configured security with Jasypt for CAS 6.1.5.
My CAS authenticates users from MongoDB with this config:
compile "org.apereo.cas:cas-server-support-mongo:6.1.7" (in build.gradle)
and this config in cas.properties:
{"_id":{"$oid":"5e1795cfe86e43023c89b9ea"},"name":"cas.authn.accept.users","value":""}
{"_id":{"$oid":"5e17bdf6e86e43023c89b9f4"},"name":"cas.authn.accept.name","value":""}
{"_id":{"$oid":"5e17be04e86e43023c89b9f5"},"name":"cas.authn.accept.credentialCriteria","value":""}
{"_id":{"$oid":"5e17be1be86e43023c89b9f6"},"name":"cas.authn.mongo.name","value":"users"}
{"_id":{"$oid":"5e17be28e86e43023c89b9f7"},"name":"cas.authn.mongo.databaseName","value":"users"}
{"_id":{"$oid":"5e17be3ae86e43023c89b9f8"},"name":"cas.authn.mongo.collection","value":"users"}
{"_id":{"$oid":"5e17be78e86e43023c89b9f9"},"name":"cas.authn.mongo.usernameAttribute","value":"username"}
{"_id":{"$oid":"5e17be8be86e43023c89b9fa"},"name":"cas.authn.mongo.passwordAttribute","value":"password"}
But the password is plain-text.
How do I authenticate a user with an encrypted password using Jasypt?
arti wavale
@artiwavale_gitlab
I am using CAS 5.2, so I would like to ask one question. I am working on password management with LDAP database users, so is there any compulsion to use LDAPS (SSL connection) to reset a password, or can I use LDAP (simple connection) to reset a password?
Can anyone help me with the password management task?
arti wavale
@artiwavale_gitlab

Pom.xml:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pm-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
cas.properties:
cas.authn.accept.users=
cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=LDAP Server
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=50000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].validatePeriod=270
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].userFilter=(|(uid={user})(cn={user})(mail={user}))
cas.authn.ldap[0].baseDn=dc=example,dc=com
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].dnFormat:cn=%s,cn=admin,dc=example,dc=com
cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
cas.authn.ldap[0].bindCredential=administrator
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].dnFormat:cn=%s,cn=admin,dc=example,dc=com
cas.authn.ldap[0].principalAttributeList=memberOf,uid,cn,mail
cas.authn.ldap[0].collectDnAttribute=false
cas.authn.ldap[0].principalAttributeId=cn
cas.authn.ldap[0].principalAttributePassword=userPassword
# attributes to be retrieved from LDAP userPassword
cas.authn.ldap[0].principalAttributeList=uid,cn,mail
cas.authn.ldap[0].collectDnAttribute=false
cas.authn.ldap[0].principalDnAttributeName=principalLdapDn
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
cas.authn.ldap[0].credentialCriteria=
# LDAP Password Encoding
cas.authn.ldap[0].passwordEncoder.type=
cas.authn.ldap[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.ldap[0].passwordEncoder.encodingAlgorithm=SHA
# LDAP Pooling
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=50
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].allowMultipleDns=false
# Password Management
spring.mail.host=mail.technology.com
spring.mail.port=587
spring.mail.username=xyz@technology.com
spring.mail.password=xxxxxx
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=true
cas.authn.pm.enabled=true
# lookaheads need .*? (the asterisks were stripped by the chat formatting); the character class is one unbroken token
cas.authn.pm.policyPattern=^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%~()_{}-]).{8,}$
cas.authn.pm.reset.text=password reset:%s
cas.authn.pm.reset.text=Reset your password with this link: %s
cas.authn.pm.reset.subject=armor password reset
cas.authn.pm.reset.subject=Password Reset Request
cas.authn.pm.reset.from=${spring.mail.username}
cas.authn.pm.reset.expirationMinutes=10
cas.authn.pm.reset.emailAttribute=mail
cas.authn.pm.reset.securityQuestionsEnabled=false
cas.authn.pm.autoLogin=false
cas.authn.pm.reset.crypto.encryption.key=xxxxxxxxxxxxxxxxxxxxxxxx
cas.authn.pm.reset.crypto.signing.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cas.authn.pm.reset.crypto.enabled=true
cas.authn.pm.enabled=true
cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.ldapUrl=${cas.authn.ldap[0].ldapUrl}
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.connectTimeout=5000
cas.authn.pm.ldap.baseDn=${cas.authn.ldap[0].baseDn}
cas.authn.pm.ldap.userFilter=${cas.authn.ldap[0].userFilter}
cas.authn.pm.ldap.subtreeSearch=true
cas.authn.pm.ldap.bindDn=cn=admin,dc=example,dc=com
cas.authn.pm.ldap.bindCredential=administrator
cas.authn.pm.ldap.poolPassivator=BIND
cas.authn.pm.ldap.minPoolSize=3
cas.authn.pm.ldap.maxPoolSize=10
cas.authn.pm.ldap.validateOnCheckout=true
cas.authn.pm.ldap.validatePeriodically=true
cas.authn.pm.ldap.validatePeriod=600
cas.authn.pm.ldap.validateTimeout=5000
cas.authn.pm.ldap.failFast=true
cas.authn.pm.ldap.idleTime=500
cas.authn.pm.ldap.prunePeriod=600
cas.authn.pm.ldap.blockWaitTime=5000
cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.
# validator
cas.authn.pm.ldap.validator.type=SEARCH
cas.authn.pm.ldap.validator.baseDn=dc=example,dc=com
cas.authn.pm.ldap.validator.searchFilter=(objectClass=*)
cas.authn.pm.ldap.validator.scope=SUBTREE