@hsartoris-bard i made the recommended changes i got this error 2020-10-14 14:43:16,728 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.webauthn.web.flow.WebAuthnAccountCheckRegistrationAction@ad2154a in state 'accountRegistrationCheck' of flow 'mfa-webauthn' -- action execution attributes were 'map['resolvedAuthenticationEvents' -> list[mfa-webauthn]]']>
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.webauthn.web.flow.WebAuthnAccountCheckRegistrationAction@ad2154a in state 'accountRegistrationCheck' of flow 'mfa-webauthn' -- action execution attributes were 'map['resolvedAuthenticationEvents' -> list[mfa-webauthn]]'
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.webauthn.web.flow.WebAuthnAccountCheckRegistrationAction@ad2154a in state 'accountRegistrationCheck' of flow 'mfa-webauthn' -- action execution attributes were 'map['resolvedAuthenticationEvents' -> list[mfa-webauthn]]'
Can spnego authentication mode support a highly available deployment ? Why it does not work when I add a nginx server between a client browser and the cas server which is configured to use spnego authentication mode? The nginx proxy upstream I configured domain name already,but it alse dosen't work.
I'm having problems with Kerberos.
The keys and principals are correct, the account is active.
But you can't log in. (version 6.3.0)
The keys and principals are correct, the account is active.
But you can't log in. (version 6.3.0)
klist -e might help you
@kripalsingh Start here: https://apereo.github.io/cas/development/installation/Passwordless-Authentication.html
You will need to set cas.authn.passwordless.multifactor-authentication-activated=true and then flag the target accounts as eligible as demonstrated in the example here. Unfortunately, I am not aware of how to integrate flagging the account with the webauthn repository; i.e., to ask it who is registered and flag as such. I'm sure there is a way but I do not know of it at this time.
Good morning to everyone.
I am currently trying to run a build in the master branch and I am receiving the following error:
Could not determine the dependencies of task ':support:cas-server-support-simple-mfa-core:compileTestJava'.
Could not resolve all dependencies for configuration ':support:cas-server-support-simple-mfa-core:testAnnotationProcessor'.
Failed to calculate the value of task ':support:cas-server-support-simple-mfa-core:compileJava' property 'javaCompiler'.
Unable to configure Java installation, probing failed with the following message: A problem occurred starting process 'command '/usr/lib/jvm/openjdk-11/bin/java''
My $JAVA_HOME does not point to this path and I cannot find why the build process searches for java in that particular path.
I face the current problem only when cloning the master branch and trying to run a build.
If I switch to 6.2 branch, the build is successful.
Has anyone else tried to clone and build the master branch and received a similar error?
@fotis120 It seems that there is a problem with gradle's toolchain feature, when locating jvm. The build process completes successfully by commenting out lines 181-185 in build.gradle or by adding in gradle.properties the following lines
org.gradle.java.installations.auto-detect=false
org.gradle.java.installations.auto-download=false
org.gradle.java.installations.paths=/THE_PATH_WHERE_YOUR_JDK_IS
org.gradle.java.installations.auto-detect=false
org.gradle.java.installations.auto-download=false
org.gradle.java.installations.paths=/THE_PATH_WHERE_YOUR_JDK_IS
Hello all,
We have observed a behavior (regression?) change between 6.2.2 and 6.2.3/6.2.4, regarding forced renew.
(I have not been able to bisect further and propose a fix: I still have not found the exact command line to build and deploy to my maven local from sources. But this this another topic. Help wanted.).
In 6.2.2:
Go http://cas/login?renew=true&TARGET=http://testapp/ (note: our testapp does not validate the service ticket – but this may be irrelevant)
Login
Go http://cas/login?renew=true&TARGET=http://testapp/
Result (as expected): the UI shows ‘welcome back ‘user’, …’
In 6.2.3/6.2.4:
Same steps
Result: the UI does not show ‘welcome back ‘user’, …’
(e.g. existingSingleSignOnSessionAvailable seems to be false in context of loginform.html)
Hey all! I'm finally moving into the world of Spring Security! Trying to build out my first app that uses Spring Security and CAS...I can't quite figure out how to properly use the setUserDetailsService to load the CAS info (all I really need is principle/username). The examples I've found override a service loadUserDetails, but that may be depreciated? The newer examples all use loadUserByName, but when I try that, I get a "cannot return ResultSet" error. Anybody know of a good, up to date guide for this? Thanks!
mijutu Hello. Is there an easy way to add mapping of usernames per service? For example user logs in to cas with her username and password. When she goes to serviceA, the serviceA gets the username usual. But when she goes to serviceB, cas would look up an alternative username and return that to serviceB.
Is the part marked in red provided by the client?
Hello, I am having following setup .net core(AspNet.Security.CAS) -> CAS(delegating) -> SAML IdP. Able to authenticate to the Idp from CAS server so connection to external IdP is setup correctly. But when I login from the .net app, it is throwing below error.
2020-11-03 02:15:45,970 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>
2020-11-03 02:15:45,970 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [Optional.empty]>
2020-11-03 02:15:45,970 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Ticket [] by type [TransientSessionTicket] cannot be found in the ticket registry.>
2020-11-03 02:15:45,970 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://mycasserver/cas/login?service=https%3A%2F%2Flocalhost%2Fsignin-cas%3Fstate%3DCfDJ8HgM412oj95DqYeKeBq8zOQjNWyHmcLcpasqvwAY0UFS0VoWduTQNZWIp2-8dN1kmseWmoFHt7qg32885lXa4aXQKScs5Rqr4MkSBQNgBfJToNa5O7fPN_PbAB0UNxMdK9P2ENAi1D7rUoqhZQA-MigfWyzCG5lNd0ACZl2L4XrARmOA8Ial7GQ79KRtGvXUYnXyJ5G4AsfiOnSiQWcIn4S-eHxh_xtR7MBHWka2j-YonCYC4ER2MVgaLhfWIUF8RHXQi_75YsU830QslcsK_LOyP0kb0qZlDGHPXEr46hRf1Y3qtCh2j1Qv3sufP5y2mHHGZsz4PGOo8m2ReEQKLt4&client_name=login]>
2020-11-03 02:15:45,970 ERROR [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <> Can someone please help me. Trying to fix this from so many days.
Hi all! I hope you can help me, you are my last chance! I have CAS 5.2.6 and we are using the login webflow and redis as the ticket registry. The webflow was modified having a second screen to be able to select a field needed in the token. Well, everything worked perfect with one instance until we wanted to have CAS in HA (2 instances). With more than one instance, after the webflow process it starts to redirect internally to login, callback and authorized 2, 3 or 15 times (random) and after that the login fails. We observed that in those redirections it is creating N ST tickets in Redis(one per redirection) and in some point those ST tickets don contains our custom attributes. If we look at the documentation it says that too many redirections means that something is wrong configured. I don't know what else try and why is failing if there are more than one instance. Could you help me?
mijutu What is the default mfa-opt-in parameter name? Or if there is none, how do I configure it? https://apereo.github.io/cas/6.2.x/mfa/Configuring-Multifactor-Authentication-Triggers.html#opt-in-request-parameterheader
mijutu I was thinking that I let users to opt in with url parameter and force mfa on for those who have opted in at some point.
mijutu Have I missed something? Is there an easier way to do it?
Hello, I am trying to setup the CAS Management webapp 6.2.2 with CAS Server 6.2.5. but I am running into the following issue : when I log in the cas management app with a user that exists in the users.json file of the Management webapp, the authentication with cas is successfull but I get the message "Management app is not available" and in the cas-management.log, I get the error: ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas-management].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/cas-management] threw exception [Handler dispatch failed; nested exception is java.lang.NoSuchMethodError: 'org.pac4j.core.profile.InternalAttributeHandler org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'] with root cause>
java.lang.NoSuchMethodError: 'org.pac4j.core.profile.InternalAttributeHandler org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'
java.lang.NoSuchMethodError: 'org.pac4j.core.profile.InternalAttributeHandler org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'
Any idea where this issue could come from?
From my understanding pac4j is the component evaluating the identity's attributes
in debug, I can see all the attributes of the identity in the cas-management log
mijutu I've been trying to set up trusted-mfa, but I don't understand why nothing seems to happen. After typing a totp, I just get redirected to the service and get no question whether to trust this device or not. Does that need to be configured separately? I already have cas.authn.mfa.trusted.device-fingerprint. and cas.authn.mfa.trusted.jpa. configs. And cas is creating table to the database. And cas.authn.mfa.trusted.device-registration-enabled=true
