Hello, I try to use the cas-management webui but it crashes at runtime and I just don't know what to do:
cas-management_1 | 2020-11-26 14:58:24,452 WARN [org.apereo.cas.support.saml.SamlUtils] - <Resource [class path resource [incommon.pem]] cannot be located>
cas-management_1 | 2020-11-26 14:58:24,456 WARN [org.apereo.cas.mgmt.web.CasManagementWebApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlController' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.SamlController]: Factory method 'samlController' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metadataAggregateResolver' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.MetadataAggregateResolver]: Factory method 'metadataAggregateResolver' threw exception; nested exception is java.lang.NullPointerException>
cas-management_1 | 2020-11-26 14:58:24,489 ERROR [org.springframework.boot.SpringApplication] - <Application run failed>
cas-management_1 | org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlController' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.SamlController]: Factory method 'samlController' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metadataAggregateResolver' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.MetadataAggregateResolver]: Factory method 'metadataAggregateResolver' threw exception; nested exception is java.lang.NullPointerException
Pierre Yager
@zedalaye_gitlab
Hello, still trying to have an ApereoCAS instance up and running :) I set up JsonServiceRegistry and RestAuthentication. My test application successfully redirects to the CAS login page, but when I enter user credentials, the CAS cannot validate the SSL peer:
cas_1 | 2020-11-27 13:47:21,351 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [UsernamePasswordCredential(username=toto, source=null, customFields={})] of type [UsernamePasswordCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
cas_1 | 2020-11-27 13:47:21,352 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[app_users]: [I/O error on POST request for "https://users.docker:3443/cas/authenticate": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target / PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]>
The fact is that I can navigate to https://users.docker:3443 from my local browser. Do you have any tips on how to make this work?
matrixbot
@matrixbot
mijutu I guess you need to get java to trust the certificate of users.docker. I don't remember how to do that (I use letsencrypt), but those instructions should be easy to find. You need to add the ca cert that signed users.docker's certificate.
milu-milu
@milu-milu
Hi All
I'm dealing with CAS 5.3 using LDAP as backend...
I can authenticate....
but I want to retrieve the groups the user belongs to
I know both queries and it works as expected but...
I'm only able to provide the last group...
I use the cas.authn.attributeRepository.ldap[0]....
I also set the cas.authn.attributeRepository.ldap[0].allowMultipleDns=true cas.authn.attributeRepository.ldap[0].allowMultipleEntries=true
Any idea how to set a multi value?
I query all the groups with ldap://ldap_host '(&(objectClass=posixGroup)(memberUid={user}))'
and I know some users belong to several groups but it only reports the last one
milu-milu
@milu-milu
@cade-rea can you see a line like 'cas.service-registry.json.location=file:/etc/cas/services' in your cas.properties?
小虫哥
@imbugge
hello
hjthjw
@hjthjw
anyone here ?
milu-milu
@milu-milu
Yes, someone
Amir Hosseinbor
@Sprew
Hello, I have set up CAS with WSFED and the default configuration given by the documentation (https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#ws-fed-delegated-authentication) but when I head over to the log-in page it says "Authorization Denied" and I get redirected to "/cas/wsfedredirect?wsfedclientid=77f30f54-6150-46a7-a75d-7518af062c55". So... I know something is working at least. I suspect that I need more than "org.apereo.cas:cas-server-support-wsfederation-webflow:${project.'cas.version'}" as dependency to make this work. Any guidance?
heyiwu
@whuhyw
What files should I modify for SLO?
Łukasz
@lgwozniak
Hi, I have a question about Google Authenticator: is there any possibility to show the QR code again after registration?
@PTerrisse_twitter That was not the problem. pac4j (therefore, CAS) does not support Extensions for SAML AuthnRequest.
Dominick Piganell
@DPiganell
Hi All! Quick question. I'm using ClearPass in a load-balanced environment. However, when making a request to clearpass, only the tier that was originally logged in with has the password. I'm on CAS 5.1. Is there a standard solution to this?
imythu
@imythu
Can cas.server.prefix be dynamically generated?
lshc
@lshc666
Guys, how to configure awsRoles, awsRoleSessionName using CAS to integrate AWS?
I received the above warning and the integration failed
Łukasz
@lgwozniak
Hi, in MFA Google Authenticator, is there any possibility to check that the user added the TOTP QR code? Like this is done in big applications (AZURE, GOOGLE)?
2/3 of people just miss scanning this code and click next
lshc
@lshc666
@lgwozniak I think this check is done by the Google Authenticator plug-in integrated by CAS. After user registration, Google Authenticator will be stored in the place you specify, such as a file in JSON format.
You can delete the QR records of these users in the records and let the users re-register
Jognu
@Jognu
Hello. I use CAS server with SAML, and I defined the metadataLocation in the services config file. But it seems that the metadata are downloaded to the file /etc/cas/saml/metadata-backups/metadata for every service, so if I have 2 services, I can't use both
Abhishek-Kun
@Abhishek-Kun
@singhmanmohan432 I'm facing the same issue. Were you able to fix it?
Rafiek
@rafiek
Hi, is it possible to get an authenticated principal through ldap, but the credentials are unknown in ldap?
Rafiek
@rafiek
Does anyone know how to sanitize the username? We are able to submit almost anything, but we would like to limit the allowed set of characters.
ChrisSom
@chrissomm_twitter
After migration from Cas 6.2.6 to 6.3 I am getting an Exception while authenticating via OIDC: org.jose4j.lang.InvalidAlgorithmException: Signature algorithm header (alg) not set. Anyone who experienced the same?
Łukasz
@lgwozniak
@chrissomm_twitter I will be migrating from 6.2 to 6.3 and I will tell you if I get the same.
guojianning
@guojianning
CAS 5.3.2: the Map that the client obtains via SecurityUtils.getSubject().getPrincipals() is empty, but the id can still be retrieved. Why is that?
Curtis Ruck
@ruckc
My organization has a long history with CAS, and about 9 years ago we wrapped our web services in CAS w/ CAS Protocol 2.0... and I'm trying to figure out a better way to handle webapp and thick client authentication to web services with something like a JWT bearer token that can be sent on every request, and doesn't require handling an expired cookie/session and catching 302 redirects... i.e. what is a good transparent method for simple CAS secured API authentication?