apereo/cas

Apereo CAS - Single Sign On for All

xgdz

@xgdz

Is the part marked in red provided by the client?

Misagh Moayyed

@mmoayyed

yes

CHITHRA SHETTY

@CHITHRASHETTY2_twitter

Hello, I am having following setup .net core(AspNet.Security.CAS) -> CAS(delegating) -> SAML IdP. Able to authenticate to the Idp from CAS server so connection to external IdP is setup correctly. But when I login from the .net app, it is throwing below error.

2020-11-03 02:15:45,970 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>
2020-11-03 02:15:45,970 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [Optional.empty]>
2020-11-03 02:15:45,970 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Ticket [] by type [TransientSessionTicket] cannot be found in the ticket registry.>
2020-11-03 02:15:45,970 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://mycasserver/cas/login?service=https%3A%2F%2Flocalhost%2Fsignin-cas%3Fstate%3DCfDJ8HgM412oj95DqYeKeBq8zOQjNWyHmcLcpasqvwAY0UFS0VoWduTQNZWIp2-8dN1kmseWmoFHt7qg32885lXa4aXQKScs5Rqr4MkSBQNgBfJToNa5O7fPN_PbAB0UNxMdK9P2ENAi1D7rUoqhZQA-MigfWyzCG5lNd0ACZl2L4XrARmOA8Ial7GQ79KRtGvXUYnXyJ5G4AsfiOnSiQWcIn4S-eHxh_xtR7MBHWka2j-YonCYC4ER2MVgaLhfWIUF8RHXQi_75YsU830QslcsK_LOyP0kb0qZlDGHPXEr46hRf1Y3qtCh2j1Qv3sufP5y2mHHGZsz4PGOo8m2ReEQKLt4&client_name=login]>
2020-11-03 02:15:45,970 ERROR [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <>

Can someone please help me. Trying to fix this from so many days.

springnirps

@springnirps

cas 6.2.1 ... after logging in I only see the default user attribute page. How do I get CAS to redirect me back to the application?

Rafiek

@rafiek

Hi all, I am configuring the /actuator/metrics endpoint and I am interested in more metrics like ldap and hazelcast. Is there a way to enable them and push statistics on the /metrics endpoint?

Łukasz

@lgwozniak

Hello. I got CAS 6.2 .We got problem with client that has dynamic IPs they always must log in after ip is changed. Any idea why ?

Łukasz

@lgwozniak

@mmoayyed can You help me with dynamic ip problem we have got CAS 6.2.1

bpariente

@bpariente

Hi all! I hope you can help me, you are my last chance! I have CAS 5.2.6 and we are using the login webflow and redis as the ticket registry. The webflow was modified having a second screen to be able to select a field needed in the token. Well, everything worked perfect with one instance until we wanted to have CAS in HA (2 instances). With more than one instance, after the webflow process it starts to redirect internally to login, callback and authorized 2, 3 or 15 times (random) and after that the login fails. We observed that in those redirections it is creating N ST tickets in Redis(one per redirection) and in some point those ST tickets don contains our custom attributes. If we look at the documentation it says that too many redirections means that something is wrong configured. I don't know what else try and why is failing if there are more than one instance. Could you help me?

ilpizze

@ilpizze

Hi everyone! I'm using CAS 6.0. In trusted authentication scenario is it possible to pass the principal attributes (mail, complete name, ecc.) to the cas? Thank you everyone.

matrixbot

@matrixbot

mijutu What is the default mfa-opt-in parameter name? Or if there is none, how do I configure it? https://apereo.github.io/cas/6.2.x/mfa/Configuring-Multifactor-Authentication-Triggers.html#opt-in-request-parameterheader

matrixbot

@matrixbot

mijutu I'd like to force mfa for certain users (already did that with global-principal-attribute-value-regex) and let other users turn mfa on if they want it.

mijutu I was thinking that I let users to opt in with url parameter and force mfa on for those who have opted in at some point.

matrixbot

@matrixbot

mijutu I'm using cas-server-support-gauth-redis so I thought I use a rest-mfa-trigger to look up from redis whether the user has set up gauth or not.

mijutu Have I missed something? Is there an easier way to do it?

matrixbot

@matrixbot

mijutu I didn't need to use opt-in url parameter. Adding a service which has mfa forced on does the same.

Trystan987687

@Trystan987687_twitter

Hello, I am trying to setup the CAS Management webapp 6.2.2 with CAS Server 6.2.5. but I am running into the following issue : when I log in the cas management app with a user that exists in the users.json file of the Management webapp, the authentication with cas is successfull but I get the message "Management app is not available" and in the cas-management.log, I get the error: ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas-management].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/cas-management] threw exception [Handler dispatch failed; nested exception is java.lang.NoSuchMethodError: 'org.pac4j.core.profile.InternalAttributeHandler org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'] with root cause>
java.lang.NoSuchMethodError: 'org.pac4j.core.profile.InternalAttributeHandler org.pac4j.core.profile.ProfileHelper.getInternalAttributeHandler()'

Any idea where this issue could come from?

From my understanding pac4j is the component evaluating the identity's attributes

in debug, I can see all the attributes of the identity in the cas-management log

Łukasz

@lgwozniak

I see in version 6.2.5 there is a problem with webflow decorators. In docker i got too many open files after 1h of working CAS

matrixbot

@matrixbot

mijutu I've been trying to set up trusted-mfa, but I don't understand why nothing seems to happen. After typing a totp, I just get redirected to the service and get no question whether to trust this device or not. Does that need to be configured separately? I already have cas.authn.mfa.trusted.device-fingerprint. and cas.authn.mfa.trusted.jpa. configs. And cas is creating table to the database. And cas.authn.mfa.trusted.device-registration-enabled=true

singhmanmohan432

@singhmanmohan432

Hello all ..can some help me on below exception getting while deploying wildfly16 server

yarra-srinivas Sep 28 18:41
Hi All, I have an issue with delegate authenticate to open id provider as keycloak; I stuck at login-flow.xml misconfiguration i believe;17:26:41,107|DEBUG|https-jsse-nio-0.0.0.0-8443-exec-2|org.springframework.webflow.engine.impl.FlowExecutionImpl|Attempting to handle [org.springframework.webflow.engine.NoMatchingTransitionException: No transition was matched on the event(s) signaled by the [1] action(s) that executed in this action state 'ticketGrantingTicketCheck' of flow 'login'; transitions must be defined to handle action result outcomes -- possible flow configuration error? Note: the eventIds signaled were: 'array<String>['success']', while the supported set of transitional criteria for this action state is 'array<TransitionCriteria>[notExists, invalid, valid]']
2020-09-28 17:26:41,107|DEBUG|https-jsse-nio-0.0.0.0-8443-exec-2|org.springframework.webflow.engine.impl.FlowExecutionImpl|Rethrowing unhandled flow execution exception
2020-09-28 17:26:41,107|DEBUG|https-jsse-nio-0.0.0.0-8443-exec-2|org.jasig.cas.web.FlowExecutionExceptionResolver|Ignoring the received exception due to a type mismatch
org.springframework.webflow.engine.NoMatchingTransitionException: No transition was matched on the event(s) signaled by the [1] action(s) that executed in this action state 'ticketGrantingTicketCheck' of flow 'login'; transitions must be defined to handle action result outcomes -- possible flow configuration error? Note: the eventIds signaled were: 'array<String>['success']', while the supported set of transitional criteria for this action state is 'array<TransitionCriteria>[notExists, invalid, valid]'
at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:132)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Transition.execute(Transition.java:227)
at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Flow.start(Flow.java:535)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:366)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222)
at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)

Khalidaba Sep 30 17:16
Hi, new in this dev world,
i saw there is a .NET CAS client, but i started a project in Blazor server side( last .NET Framwork),
is it possible to make it work with cas client, or its not compatible ?
Thanks for the help.
1 reply

Philipp Berger Oct 02 15:51
Hi,
I wanted to update some spring versions to get rid of the latest vulnerabilities in 5.3.x.
I created a pull-request #4950 but this has been closed immediately.
EOL of 5.3.x is end of October.
How can I contribute security-patches to 5.3.x?
Thanks for your help.

ArtiWavale Oct 03 14:41
Hello,

I have successfully completed password management tasks for LDAP, MySql and Active directory databases but When I am trying to integrate these three tasks at a cas.properties file in CAS server then reset password management working for only one database(LDAP or MySql or Active directory), Not working for three databases.

Do you have any solution on it?

how can we integrate password management for ldap, MySql and active directory at cas.properties file in CAS server and it will work with these three databases. I am really thankful for quick response.

Thanks and Regards
Arti

XpLoDWilD Oct 05 20:32
Hi, I'm trying to customize CAS view and stumbled upon "build.sh getview" references. However, it looks like this build.sh thing has disappered since, what's its new equivalent?

Terry Appleby Oct 06 06:05
If I wanted to add some new endpoints to a CAS instance (custom user confirmation + password reset flows) does it make sense to use a similar approach as the OAuth modules (custom ModeAndView's + using CasProtocolViewFa

singhmanmohan432

@singhmanmohan432

Hello ..all I getting below issue while deploying the cas war file in wildfiy server could some help me one this..

Caused by: java.lang.NoSuchMethodException: org.apereo.cas.ticket.registry.DefaultTicketRegistrySupportEnhancerBySpringCGLIBEnhancerBySpringCGLIB51689c97.<init>()"}}
08:27:53,767 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "cas-server-webapp-6.2.4-SNAPSHOT.war" (runtime-name : "cas-server-webapp-6.2.4-SNAPSHOT.war")
08:27:53,768 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 2) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service jboss.deployment.unit."cas-server-webapp-6.2.4-SNAPSHOT.war".undertow-deployment: java.lang.RuntimeException: org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'threadContextMDCServletFilter' defined in class path resource [org/apereo/cas/logging/config/CasLoggingConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.web.servlet.FilterRegistrationBean]: Factory method 'threadContextMDCServletFilter' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultTicketRegistrySupport' defined in class path resource [org/apereo/cas/config/CasCoreTicketsConfiguration.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Unexpected AOP exception; nested exception is org.springframework.aop.framework.AopConfigException: Unable to instantiate proxy using Objenesis, and regular proxy instantiation via default constructor fails as well; nested exception is java.lang.NoSuchMethodException: org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport$$E

Cas version .2

2.5.6

singhmanmohan432

@singhmanmohan432

Getting Exception on Cas-overlay 6.2.5 deployment on WILDFLY 16 server

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'threadContextMDCServletFilter' defined in class path resource [org/apereo/cas/logging/config/CasLoggingConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.web.servlet.FilterRegistrationBean]: Factory method 'threadContextMDCServletFilter' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultTicketRegistrySupport' defined in class path resource [org/apereo/cas/config/CasCoreTicketsConfiguration.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Unexpected AOP exception; nested exception is org.springframework.aop.framework.AopConfigException: Unable to instantiate proxy using Objenesis, and regular proxy instantiation via default constructor fails as well; nested exception is java.lang.NoSuchMethodException: org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport $EnhancerBySpringCGLIB$ 7af39688.<init>()
at org.wildfly.extension.undertow@16.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.base/java.lang.Thread.run(Thread.java:834)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'threadContextMDCServletFilter' defined in class path resource [org/apereo/cas/logging/config/CasLoggingConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.web.servlet.FilterRegistrationBean]: Factory method 'threadContextMDCServletFilter' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultTicketRegistrySupport' defined in class path resource [org/apereo/cas/config/CasCoreTicketsConfiguration.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Unexpected AOP exception; nested exception is org.springframework.aop.framework.AopConfigException: Unable to instantiate proxy using Objenesis, and regular proxy instantiation via default constructor fails as well; nested exception is java.lang.NoSuchMethodException: org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport $EnhancerBySpringCGLIB$ 7af39688.<init>()
at io.undertow.servlet@2.0.19.Final//io.undertow.servlet.core.DeploymentMa

Pierre Yager

@zedalaye_gitlab

Hello. I'm new to Apereo CAS. I want to start an instance with docker. It looks like I'm missing lots of configuration. Is there a starting point out there to have Apereo CAS running ?

Is there something like a tutorial somewhere that shows how to run Apereo CAS and connect an application ?

matrixbot

@matrixbot

mijutu Start with https://apereo.github.io/cas/6.2.x/

Clone https://github.com/apereo/cas-overlay-template

Checkout the 6.2 branch and then create a new branch from it for your own changes. Later you need to add more implementation-lines to build.gradle depending on your needs. Run ./gradlew build to get a war package.

You need to add configuration to /etc/cas/config/cas.properties to let CAS know from where it should verify passwords.

You need to write at least one /etc/cas/services/foo-1.json to tell CAS which service-parameters are allowed.

CAS documentation is actually quite good, but at first it might seem confusing. Note how all the configuration properties are listed in one huge webpage that you should not try to read all at once. Instead each topic has links to the correct places on the properties page.

I suggest you first build a war package and get it running. After that, decide how cas should validate user's passwords and add configuration for it.

Pierre Yager

@zedalaye_gitlab

I managed to use the cas-overlay-template to run ApereoCAS locally. Now I'm a bit blocked. Is there some documentation about service Json files ?

matrixbot

@matrixbot

mijutu https://apereo.github.io/cas/6.2.x/services/JSON-Service-Management.html#json-service-registry

matrixbot

@matrixbot

mijutu And the json service registry is only one option. (The "you need to" I wrote was actually wrong). Service definitions can be set up in many other ways: https://apereo.github.io/cas/6.2.x/services/Service-Management.html#storage

Pierre Yager

@zedalaye_gitlab

It works. I can now "authenticate" as casuser/Mellon

The next step is to "add users" ?

matrixbot

@matrixbot

mijutu Yes, add and configure some backend to check the passwords. I have used ldap so far, but there are many other ways.

mohsensaeedi

@mohsensaeedi

We are using some tags on ldap attributes. for example if we want to store user's cn in different language we can use cn and cn;lang-en-US and cn;lang-fr and ... or maybe when we want to store student number for BSC and MSC, we can use tags (called ldap attribute option too) for it. for example edu-bsc and edu-msc.
but the question is: How we can read and release this type of attributes with Apereo CAS. For example i defined studentNumber attribute on properties file, but it just return studentNumber without any tags! if we store attribute with tags, cas doesn't return that. anyone has a solution for this?

xgdz

@xgdz

Hello everyone, the cas5.x server connects to ldap and returns multiple attribute values, but the client cannot get the value. The configuration is as follows

=============================================================
WHO: P0888888
WHAT: [result=Service Access Granted,service=http://localhost:8088/index.jsp,principal=SimplePrincipal(id=P0888888, attributes={mail=[sstest3@pacteraedge.com], employeeNumber=[P0888888]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Nov 24 16:09:51 CST 2020
CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

2020-11-24 16:09:51,669 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

WHO: P0888888
WHAT: TGT-1-**-JXR63rzNhsBAC1500995-PC
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Nov 24 16:09:51 CST 2020
CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

2020-11-24 16:09:51,685 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

WHO: P0888888
WHAT: [result=Service Access Granted,service=http://localhost:8088/index.jsp,requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Nov 24 16:09:51 CST 2020
CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

>
2020-11-24 16:09:51,702 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket [ST-1-xxYlJ4yG8XdlqLrnb1qx9AAdGdYBAC1500995-PC] for service [http://localhost:8088/index.jsp] and principal [P0888888]>

2020-11-24 16:09:51,706 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

WHO: P0888888
WHAT: ST-1-xxYlJ4yG8XdlqLrnb1qx9AAdGdYBAC1500995-PC for http://localhost:8088/index.jsp
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Nov 24 16:09:51 CST 2020
CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

2020-11-24 16:09:51,811 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://localhost:8088/index.jsp,principal=SimplePrincipal(id=P0888888, attributes={}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Nov 24 16:09:51 CST 2020
CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

Łukasz

@lgwozniak

Try with cas.authn.attributeRepository.defaultAttributesToRelease, i have to add this with cas.authn.attributeRepository.merger policy

matrixbot

@matrixbot

mijutu I got it to work recently (with 6.2.5) by setting cas.authn.mfa.global-principal-attribute-name-triggers=foo and cas.authn.mfa.global-principal-attribute-value-regex=bar. Where foo is pricipal attribute name (not ldap attribute name) from cas.authn.ldap[0].principalAttributeList

Pierre Yager

@zedalaye_gitlab

Is there a way to allow redirect to "http" services (not https) during development ?

mohsensaeedi

@mohsensaeedi

We are using some tags on ldap attributes. for example if we want to store user's cn in different language we can use cn and cn;lang-en-US and cn;lang-fr and ... or maybe when we want to store student number for BSC and MSC, we can use tags (called ldap attribute option too) for it. for example edu-bsc and edu-msc.
but the question is: How we can read and release this type of attributes with Apereo CAS. For example i defined studentNumber attribute on properties file, but it just return studentNumber without any tags! if we store attribute with tags, cas doesn't return that. anyone has a solution for this?

who can help me about this matter?

Pierre Yager

@zedalaye_gitlab

@mohsensaeedi sorry I don't know anything about LDAP :)

Is it possible to overwrite variables defined in the configuration file /etc/cas/config/cas.properties using environment variables ?

mohsensaeedi

@mohsensaeedi

I have a deep knowledge about LDAP. but Apereo CAS does not return attribute with tags. I think a expert guy can help me. I think he is @mmoayyed :)

Where communities thrive

People

Repo info

Activity

SERVER IP ADDRESS: 127.0.0.1

2020-11-24 16:09:51,669 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

SERVER IP ADDRESS: 127.0.0.1

2020-11-24 16:09:51,685 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

SERVER IP ADDRESS: 127.0.0.1

2020-11-24 16:09:51,706 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

SERVER IP ADDRESS: 127.0.0.1

2020-11-24 16:09:51,811 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

SERVER IP ADDRESS: 127.0.0.1