Łukasz
@lgwozniak
The JSON is correct; it works on a normal JSON service.
sauravsh28
@sauravsh28
Hello - I am new to CAS server. I am trying to integrate CAS management with CAS server, but I am getting the error message below.
Application Not Authorized to Use CAS
The application you attempted to authenticate to is not authorized to use CAS. This usually indicates that the application is not registered with CAS, or its authorization policy defined in its registration record prevents it from leveraging CAS functionality, or it's malformed and unrecognized by CAS. Contact your CAS administrator to learn how you might register and integrate your application with CAS.
I used the service configuration below:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "https://localhost:8443/cas-management/",
"name" : "casManagement",
"id" : 1001,
"logoutType" : "BACK_CHANNEL",
"logoutUrl" : "https://localhost:8443/cas-management/logout"
}
1 reply
lwp007
@lwp007
Hello, I am using the /cas/v1/tickets REST API when integrating QR login, but when I curl this API like this: curl -X POST -k -d 'username=user1@test.com&password=testpass&token=true&additionalParam1=paramvalue' "https://localhost:8442/cas/v1/tickets"
I got this error:
"Service is not found in service registry."
Can anyone help? Thanks.
lwp007
@lwp007
Solved: appending a service parameter solves this.

raymondrewalker
@raymondrewalker
In CAS 6.5 when logging in (/cas/login) all internal attributes and values are showing up on the login page, even after manually disabling attribute release, by adding this:
cas.authn.authentication-attribute-release.enabled=false
Never enabled it in the past, don't use CAS for attribute release, so this is new default behavior.
1 reply
Upul
@UpulK
We are using CAS 6.1.7 and we have set up delegated authentication with Google, Microsoft etc. Once logged in with Google (or with any external SSO provider like Microsoft) and then logged out from CAS, the user is logged out not only from CAS but from the Google account as well. Could someone please tell me whether there is an option in CAS to avoid this behavior? i.e. I want to keep the Google session alive when logging out from CAS. Thank you.
mj77886699
@mj77886699

I want to define a register endpoint using the overlay; I put a controller directly into the src/main/java directory:

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class RegisterController {

    // Handles requests to /register and echoes the submitted user name
    @RequestMapping("/register")
    public String register(String userName, String password) {
        return "register success " + userName;
    }

}

1 reply
Luis Faria
@luis100
Hello, I found an issue with the latest release (6.5.0) when enabling cas.authn.pac4j.cas[0].auto-redirect-type=SERVER, the first login works fine, but if the application tries to login again and CAS still has the login session, the redirect to the service gets confused with the redirect to the delegated authentication and an exception is thrown, anyone else getting this issue?
2022-02-18 10:35:33,281 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed] with root cause>
java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed
    at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:488) ~[tomcat-embed-core-9.0.58.jar!/:9.0.58]
(...)
    at org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter.doFilter(AuthenticationCredentialsThreadLocalBinderClearingFilter.java:28) ~[cas-server-core-web-api-6.5.0.jar!/:6.5.0]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar!/:9.0.58]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar!/:9.0.58]
    at org.apereo.cas.web.support.filters.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:401) ~[cas-server-core-web-api-6.5.0.jar!/:6.5.0]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar!/:9.0.58]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar!/:9.0.58]
    at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:200) ~[cas-server-core-web-api-6.5.0.jar!/:6.5.0]
(...)
4 replies
katrix
@katrix:xirtak.com
Is anyone running into an issue where SAML services are not releasing any attributes in 6.5-SNAPSHOT? We're preparing our QA environment and noticed it pretty early in testing. CAS protocol attribute releases appear to be fine.
lshc
@lshc666

Hello there,

We are trying to enable FIDO2 WebAuthN support in CAS with both Yubikeys and using the built-in browser support for FIDO2, namely for Safari on Mac OS.

While Yubikey registration and authentication work fine out of the box, when trying to register a FIDO2 device using the native Safari support for FIDO2 (without a Yubikey), we are presented with the following error on the registration step:

"java.lang.IllegalArgumentException: Failed to obtain attestation trust anchors."

Any ideas why this is happening, and maybe how we can configure our own attestation trust anchors to include other sources than Yubikeys?

Vittore Zen
@vittore.zen_gitlab
Poll: What is your preferred ticketing storage?
lshc
@lshc666
Using the mfa-webauthn method, after completing the verification through Yubico, the following error appears.
cas.authn.mfa.web-authn.redis.host=172.24.200.126
cas.authn.mfa.web-authn.redis.port=6379
cas.authn.mfa.web-authn.redis.password=xxxxx
cas.authn.mfa.web-authn.redis.enabled=true
cas.authn.mfa.web-authn.redis.database=6
cas.authn.mfa.web-authn.core.enabled=true
cas.authn.mfa.web-authn.core.display-name-attribute=sAMAccountName
#cas.authn.mfa.web-authn.core.relying-party-name=CAS WebAuthn
cas.authn.mfa.web-authn.core.allow-primary-authentication=false
cas.authn.mfa.web-authn.core.allow-unrequested-extensions=false
cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
cas.authn.mfa.web-authn.core.validate-signature-counter=true
cas.authn.mfa.web-authn.core.trusted-device-enabled=false
#cas.authn.mfa.web-authn.core.relying-party-id=xxxx
cas.authn.mfa.web-authn.crypto.enabled=true
cas.authn.mfa.web-authn.crypto.signing.key=********
cas.authn.mfa.web-authn.crypto.encryption.key=***********
cas.authn.mfa.web-authn.redis.read-from=MASTER
sauravsh28
@sauravsh28
how to include custom attributes in id token?
I add cas.authn.oidc.user-defined-scopes.cas=street,department,job_title,city,zip_code in cas.properties but these attributes are not showing in id token
gvlarson3
@gvlarson3

Hello and I'm really glad there is a CAS chat where I can ask questions!

I was hired for my position 6 months ago at a small Community College, and the college does not have Single Sign On.

Administration purchased a product that requires SSO, and tossed it in my lap. In my investigations it turns out that SSO will cost us 50,000 (2.00 a month/user minimum) a year or more if we go with a third party.

So after much research we decided to go with CAS 6.5.x. The learning curve has been very steep as I knew nothing about SSO originally.

We decided to use GSuite as our IDP since we are using Gmail for Education as our email.

I was able to setup CAS to Delegate Authentication to Gmail and the product was set to use CAS for SSO so it worked perfectly. I'm really pleased with CAS and the documentation provided for getting this all set up.

Now for my problem :(

We have another application (Ellucian Self-Service) that students log into and we want to add SSO to this app. However, this application uses SAML2 only.

I'm having problems finding how to configure CAS to return SAML2 to this application.
I've added the

implementation "org.apereo.cas:cas-server-support-saml-sp-integrations:${project.'cas.version'}"

to build.gradle as Ellucian is one of the supported SPs. But I'm not sure what needs to be done to the registered service to get CAS to respond properly.

I would appreciate it immensely if someone can point me in the correct direction.
Maxime Robert
@maxime.robert_gitlab

Hi, I was wondering if I'm misunderstanding the expected behavior of usernameAttributeProvider or if it's a bug (and if there is an alternate solution).
I have the following service:

{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  ...
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "uidNumber",
    "canonicalizationMode": "NONE"
  },
  ...
}

The goal is to provide to this service another identifier than the one used for other services (default identifier for other services is uid).
N.B.: both (uid and uidNumber) come from LDAP.

This works well (I can connect to the service), but I detected an unexpected behavior.
When a user connects to the above-mentioned service, in CAS logs, the WHO: is the uid for every ACTION except for SERVICE_TICKET_VALIDATED for which it is the uidNumber.
After connecting to the above-mentioned service (and only after connecting to this specific service), if the user accesses an OidcRegisteredService service, the sub in the OIDC response is the uidNumber whereas it is expecting to receive the uid (which makes it fail to authenticate the user). The OidcRegisteredService service configuration doesn't provide any specific config for the usernameAttribute:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "...",
  "name": "...",
  "id": ...,
  "clientId": "...",
  "clientSecret": "...",
  "bypassApprovalPrompt": true,
  "scopes": ["java.util.HashSet", ["openid", "profile", "email", "offline_access"]]
}

That means that depending on whether the user connected to the first described OAuthRegisteredService or not, he can connect to the OidcRegisteredService service or not.
Note that it doesn't affect other RegexRegisteredService services or a SamlRegisteredService that specifies its own usernameAttributeProvider.

Am I missing something? Should I force the usernameAttributeProvider in the OidcRegisteredService? Why?

1 reply
rain Falcon
@thirteen13Floor

TicketValidationException: ST ticket verification failed.

  1. The serviceName and casServerLoginUrl configurations are OK. Which configurations affect ST ticket verification failure?

  2. Can you explain the principle of ST verification?

Teddy Brown
@cctgteddy_gitlab

Hi, I'm trying to get started with CAS 6.4 (previous user of 5.3). I have this in /etc/cas/config/cas.properties

server.port=8080
server.ssl.enabled=false
cas.server.tomcat.http.enabled=false
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https

Trying to run the standalone executable, but ultimately it crashes with this message: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

I'm not sure where to set secretRequired=false

This will be running behind HAProxy

6 replies
jbanner6736
@jbanner6736
I had posted here but before I continue trying to confirm would like to get dev feedback. It seems that the MFA triggers, at least 'Principal Attribute Per Application' does not work when there is more than a single provider supplied. Example, [ "mfa-gauth", "mfa-webauthn"] it doesn't trigger, changing to either [ "mfa-gauth"] or [ "mfa-webauthn"] triggers. Forum link https://groups.google.com/a/apereo.org/g/cas-user/c/bvK-BKoWcS0
mcaccessa
@mcaccessa

Hi! Trying to use the "cas-server-support-jpa-service-registry" module, I'm getting this error:

Error creating bean with name 'jpaMappingContext': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: JPA metamodel must not be empty!

The properties that I'm using are:

cas.service-registry.initFromJson=true
cas.service-registry.json.location=file:///etc/cas/config/services

cas.jdbc.showSql=true
cas.service-registry.jpa.url=jdbc:sqlserver://...
cas.service-registry.jpa.user=...
cas.service-registry.jpa.password=...
cas.service-registry.jpa.default-schema=...
cas.service-registry.jpa.dialect=org.hibernate.dialect.SQLServer2008Dialect
cas.service-registry.jpa.driver-class=com.microsoft.sqlserver.jdbc.SQLServerDriver
cas.service-registry.jpa.ddl-auto=create

Am I missing something in this configuration? Thank you!

1 reply
Łukasz
@lgwozniak
Has anyone had a problem running CAS 6.5 with support-oidc from cas-overlay-template?
I've got: Invalid mapping on handler class [org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController]: public org.springframework.http.ResponseEntity org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController.getWellKnownDiscoveryConfiguration(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
juanmariareina
@juanmariareina
Hello everybody
I'm struggling to get a cas-management working that is installed on a server behind a proxy. When I start it, it tries to connect to mdq.incommon.org (I don't know why; I'm a newbie and still don't understand many details) and it eventually fails because of a connect time-out.
Then I realized that this server is installed behind a proxy, so I've tried to start it with "java -Dhttp-proxyHost=... -Dhttp-proxyPort=... -jar $PATH_WHERE_MY/cas-management.jar", but with no result... It doesn't use my proxy configuration; it still tries to connect directly...
juanmariareina
@juanmariareina
I will be very grateful if some of you guys could help me as I'm totally stuck with this...
I forgot to mention that I'm using 6.3.0.
MaherMehri
@MaherMehri
Hello everybody, I have this error when I need to use CAS server in my custom application.
I will be very grateful if some of you guys could help me
lwp007
@lwp007
did you register the app as a service? @MaherMehri
Łukasz
@lgwozniak
Hello, does anyone know how I can change the implementation that verifies clientId and clientSecret in OAuth2 for the Client Credentials grant type, so that it authorizes based on an LDAP user account?
Julien G.
@jgribonvald:matrix.org
Hey folks,
I'm looking for a way to check and maintain sessions across several services and to propagate an SLO when no activity remains after 10/15 min on one list of services, 30/45 min on another list of services...
And I'm wondering if it would be possible to request a logout on CAS on a back-channel way from a service
maybe a new project feature for CAS...
averybalster
@averybalster
how do I register my computer for CAS
Charles LE GALLIC
@clegallic

Hi CAS maintainers

I recently upgraded from CAS 6.2.2 to CAS 6.5.1, and I had an issue with SAML2 registered services.
Each time I tried to validate a SAML2 service access by the CAS IDP, I got an "Application Not Authorized to Use CAS" error.
It was working well in 6.2.2, and also with CAS 6.3.x, but not with CAS 6.4.x and CAS 6.5.1.
I fixed the problem by providing a custom implementation of the SamlIdPServicesManagerRegisteredServiceLocator supports(...) method, removing the check on getSamlParameterValue(registeredService, service).isPresent().
Because when AbstractServiceManager tries to check if the locator supports this SamlRegisteredService, the service attributes are not filled in, and getSamlParameterValue() returns Optional.empty().
But I'm not sure my solution is the best, as the getSamlParameterValue(..).isPresent() check must be there for a good reason...
Has anybody else had this problem with the SAML IDP and CAS >= 6.4.x?
Did I miss something that would allow me to remove this fix?

choidkdk
@choidkdk
Hi guys, I'm using Google Delegated Authentication on CAS 6.4
I have an issue when logging out of CAS: the Google account logs out too. How do I stop that?
1 reply
lshc
@lshc666
I found a two-factor bug in version 6.4.5. I have two more applications, one requires Gauth MFA, and the other does not. First, after logging in through the application that does not require MFA, the session is successfully obtained. MFA is also not required to log into another app. I'm triggering a two-factor through a service file on each registration.
Obtaining a session via password authentication will bypass other services that require two-factor.