apereo/cas

Apereo CAS - Single Sign On for All

Lars Grefer

@larsgrefer

@Alizee-Me

Hello, I'm trying to implement the validation of user by using a rest API, everything seems to working well, and the test was working well in 6.3, but now I've upgrade the version of apereo to 6.5.4 and the authentication is't not working anymore, there is this message in the console :
2022-05-19 09:14:45,946 ERROR [org.apereo.cas.adaptors.rest.RestAuthenticationHandler] - <Could not resolve subtype of [map type; class java.util.Map, [simple type, class java.lang.String] -> [collection type; class jav a.util.List, contains [simple type, class java.lang.Object]]]: missing type id property '@class' (for POJO property 'attributes') cas-portal | at [Source: (String)"{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}"; line: 1, column: 98] (through reference chain: org.apereo.cas.authentication.principal.SimplePrincipal["attributes"])>
Did anybody have an idea to fix this issue ?
Thanks :)
If needed here is my simple code to test the rest authentication :
$test = '{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}'; return new JsonResponse($test, 200, array('Content-Type' => 'application/json'), true);

I've found the solution, I removed ","attributes":{}" from my response and It's working now.
PS: I've followed this doc https://apereo.github.io/cas/6.5.x/authentication/Rest-Authentication.html and I didn't notice that an empty attributes will make it failed ^^'
PS2: The search bar of 6.5 version is only broken for me ?
Thanks ;)

I have the same problem. Why was the expected JSON-Format changed from 6.3 to 6.5?

1 reply

Néjwàa K

@nejwa:matrix.org

[m]

Hello, does anyone know what i have to do to solve this ??? i always get this page that says that The application you attempted to authenticate to is not authorized to use CAS. This usually indicates that the application is not registered with CAS, or its authorization policy defined in its registration record prevents it from leveraging CAS functionality, or it's malformed and unrecognized by CAS.

5 replies

CAS.PNG

Baba Ndiaye

@mrbabandiaye_twitter

Hello guys
I'm using Haproxy (public IP) and moodle for my backend (private IP). Now it's work nice. But when i use CAS SSO for the authentication in my url service i have the address of my backend moodle and not my frontend like this https://mycas.example.com/cas/login?service=https%3A%2F%2Fmymoodleinterne.mydomainlocal.com%2Flogin%2Findex.php%3FauthCAS%3DCAS
my frontend url adress myhaproxy.example.com
my moodle url address mymoodleinterne.mydomainlocal.com
i want if that my CAS use myhaproxy url and not mymoodleinterne

mancheaka

@mancheaka

Hello, I'm trying to get a configuration server overlay to read properties from AWS SSM. However, I'm getting an error as soon as I add the dependency on cas-server-support-configuration-cloud-aws-ssm . I have my AWS creds/etc in application.yml and the trace messages indicate that it's connecting and reading them successfully. The error I get is this:
'<==2022-06-16 13:44:52,223 INFO [org.springframework.boot.web.embedded.tomcat.TomcatWebServer] - <Tomcat started on port(s): 8888 (https) with context path '/casconfigserver'>
<==2022-06-16 13:44:53,007 TRACE [org.apereo.cas.rest.config.CasCoreRestConfiguration] - <building REST credential factory from [[org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestCredentialFactoryPlanConfiguration$$Lambda$2003/0x0000000800aa5440@4f6fd101]]>
2022-06-16 13:44:53,007 TRACE [org.apereo.cas.rest.config.CasCoreRestConfiguration] - <Configuring credential factory: [org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestCredentialFactoryPlanConfiguration$$Lambda$2003/0x0000000800aa5440@4f6fd101]>
2022-06-16 13:44:53,013 WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'restAuthenticationService' defined in class path resource [org/apereo/cas/rest/config/CasCoreRestConfiguration$CasCoreRestAuthenticationConfiguration.class]: Unsatisfied dependency expressed through method 'restAuthenticationService' parameter 1; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Qualifier(value="defaultMultifactorTriggerSelectionStrategy")}>'

Can anyone tell me what I'm missing here?

1 reply

DjokerR

@DjokerR

cas-mangement 5.3.1 start failed 2022-06-17 09:19:57,016 ERROR [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <

APPLICATION FAILED TO START

Description:

Field personDirectoryPrincipalResolver in org.apereo.cas.adaptors.jdbc.config.CasJdbcAuthenticationConfiguration required a bean of type 'org.apereo.cas.authentication.principal.PrincipalResolver' that could not be found.

Action:

Consider defining a bean of type 'org.apereo.cas.authentication.principal.PrincipalResolver' in your configuration.
>

Can anyone tell me what I'm missing here? about PersonDirectoryPrincipalResolver

Matt Benson

@mbenson

hi everyone, when using the CAS Maven overlay, CAS builds, as is well-known, a self-contained WAR archive. Is there a well-understood mechanism for using the jib Maven plugin to create a container image that runs such a WAR using its embedded servlet engine? I can easily build such an image using the spotify dockerfile plugin (actually its successor maintained by Jason Van Zyl), but I am exploring alternatives.

Palmurugan

@palmuruganchandran

CAS 6.5.X While I am trying to logout with service parameter, I am getting the below error. Can anyone please help me?

2022-06-21 17:42:27,060 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized>
org.apereo.cas.services.UnauthorizedServiceException: Service unauthorized
at org.apereo.cas.services.RegisteredServiceAccessStrategyAuditableEnforcer.lambda$execute$6(RegisteredServiceAccessStrategyAuditableEnforcer.java:194) ~[cas-server-core-services-api-6.5.2.jar!/:6.5.2]
at java.util.Optional.orElseGet(Optional.java:364) ~[?:?]

Robin Dupret

@rdupret_gitlab

Hello,

I would like to define the expiration of trusted devices but I can't manage to find the settings to do so.

There used to be cas.authn.mfa.trusted.expiration but it looks like it has been removed in apereo/cas@a4c49ab

However, I don't understand by which settings the above has been replaced. Can anyone help me please ?

1 reply

Juliusz Marciniak

@rechandler12

Hello,
I've got problem with OAuth2 login, when i set in service:

"jwtAccessToken": true

Here's an error:

[1;31m2022-06-27 09:27:09,369 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Invalid or unauthorized grant>[m
java.lang.ClassCastException: Cannot cast org.apereo.cas.support.oauth.services.OAuthRegisteredService to org.apereo.cas.services.OidcRegisteredService
at java.lang.Class.cast(Unknown Source) ~[?:?]
at org.apereo.cas.oidc.token.OidcRegisteredServiceJwtAccessTokenCipherExecutor.getSigningKey(OidcRegisteredServiceJwtAccessTokenCipherExecutor.java:67) ~[cas-server-support-oidc-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.token.cipher.RegisteredServiceJwtTicketCipherExecutor.supports(RegisteredServiceJwtTicketCipherExecutor.java:58) ~[cas-server-support-token-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.token.JwtBuilder.build(JwtBuilder.java:154) ~[cas-server-support-token-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder.encode(OAuth20JwtAccessTokenEncoder.java:55) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.encodeAccessToken(OAuth20DefaultAccessTokenResponseGenerator.java:134) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.lambda$getAccessTokenResponseModel$2(OAuth20DefaultAccessTokenResponseGenerator.java:116) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at java.util.Optional.ifPresent(Unknown Source) ~[?:?]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.getAccessTokenResponseModel(OAuth20DefaultAccessTokenResponseGenerator.java:115) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.generateResponseForAccessToken(OAuth20DefaultAccessTokenResponseGenerator.java:102) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.generate(OAuth20DefaultAccessTokenResponseGenerator.java:59) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]

cctgteddy

@cctgteddy

Hi, I'm trying to add a third party to authenticate to my CAS instance. They have only provided me with the following entries: Entity ID, IDP Initiated Assertion Consumer Service URL, SP Initiated Assertion Consumer Service URL, eLearning Assertion Consumer Service URL, Relay State for IDP Initiated
How do I register them as a service with this info? They do not provide a metadata URL

chirag111shah

@chirag111shah

We have been using CAS for our applications' authentication with the regular "CAS Web flow".

One of our newer flows is doing a LoginWithoutTicket instead of credentials. So, in this flow

User was sent to CAS with
CAS_BASE_URL/loginWithoutTicket? _eventId=submit&username=@SSID@&password=@SSID@project@sessionToken&service=https://example.com/home
My code picks up the sessionToken and does the login work. Upon successful login it redirects the user to https://example.com/home. This flow is working.
In case the token was bad I need to redirect the url to a specific url and not show them the CAS login prompt.

Can someone please let me know if there is a way to do this? Any suggestions on how to achieve this would be much appreciated.

Maël BOEUF

@mael-boeuf

Hello everyone. I'm trying to get the current registered service name in a custom authentication handler. Is that possible ? If yes, how to implement it ? I use CAS 6.5.4. Thanks

ohinckel

@ohinckel

Hi, another problem we have with the management app 6.5.4 is, that it is still using default server cas.example.org:8443 instead of the cas.server.name provided in the management.yml file. Previous version works, but after upgrade the defaults are used. Somebody here which found this issue and knows a solution how to configure CAS authentication for management app?

1 reply

Robin Dupret

@rdupret_gitlab

Hello,

Excuse-me, I have a tiny question regarding MFA providers : why all of them have their order value defined as the rank provided in properties ? (e.g. https://github.com/apereo/cas/blob/6e29bc0001e3c304375efc5f8cbb04918d8f8691/support/cas-server-support-duo-core/src/main/java/org/apereo/cas/adaptors/duo/authn/DuoSecurityMultifactorAuthenticationProviderFactory.java#L58)

Although it looks like order and rank are two different properties : https://github.com/apereo/cas/blob/73f816c9e887cd1c51e3ae12483fac407b3465e2/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/mfa/BaseMultifactorAuthenticationProviderProperties.java#L28-L53

kindly ping @mmoayyed since you implemented MFA

alvinyue

@alvinyue

Hi all, How can I turn off CAS' Login prompt only for one of the webapps? Thank you!

1 reply

cctgteddy

@cctgteddy

What is the way to override theme files on 6.x? When I was building our 5.3 deployment several years ago I would run it under Tomcat which extracted the war file completely and I could edit the template files in there and see the changes right away. Once I was done I would take the modified files back to the overlay directory commit changes.
I'm not sure how to access the theme files now on this new one. I'm running it as an executable war file.

4 replies

ohinckel

@ohinckel

Still, (in CAS 6.5.4) it seems not possible to force MFA for a SAML application when user already have a SSO session without MFA. No MFA prompt will be shown, users can access the MFA SAML application without using MFA. Really looks like a security bug to me. Opinions?

2 replies

dlemp1

@dlemp1

Anyone using Spring Boot with CAS and able to get Single Sign Out to work? Our CAS is version 6.5, and I'm using spring-security-cas version 5.7.2.

I've been working on a Spring Boot app that uses CAS for SSO for days now. Single sign on works great! And I have a logout button within the app that works as well. The problem I'm running in to is Single Logout (SLO) does not work. Meaning when I log out of another application, SLO works everywhere except for this app. When I log out of this app, though, I am logged out of everything else. So it seems like this app here isn't listening for when an SSO session is ended.

1 reply

lshc

@lshc666

Still, (in CAS 6.5.4) it seems not possible to force MFA for a SAML application when user already have a SSO session without MFA. No MFA prompt will be shown, users can access the MFA SAML application without using MFA. Really looks like a security bug to me. Opinions?

@mmoayyed I had the same problem.

jiangying

@jiangying000

Hello all, is there an official Single Logout flow diagram in CAS doc? I can not find one now.

5 replies

like this one https://apereo.github.io/cas/6.5.x/images/cas_flow_diagram.png

changel23

@changel23

Hello, I am using apereo cas behind an apache load balancer (ubuntu) . Specifically i have two app servers with each one having cas server configuration and 2 apache servers behind a load balancer) and I face an issue with too many redirects when trying to login, the apache is forwarding the request and trying to read (cas.css cas.js) files but fails. So the response at the load balancer faces an issue with too many redirects (http 302 code) and the login theme is not displayed correctly. Does anyone know how to fix too many redirects issue?

wnowicloud

@wnowicloud

I'm updating from cas 5.2 to 6.4 and am noticing a difference in the login screen's handling of an incorrect password. In cas 5.2, when the user enters an invalid password the /cas/login screen is reloaded (with an appropriate message) and the username previously entered is populated in the username field. In cas 6.4 the username field is empty. Debugging into the code I can see that the ClearWebflowCredentialAction is executing which is clearing out the username. Is this an intentional change in CAS? Is there some way to revert to the previous behavior?

rrhale

@rrhale

Hi, folks. Can anybody lend a hand with the CAS Management webapp using a MongoDB service registry? We have been running this configuration for years, and now we are updating from 5.2 to 6.5. I've got CAS up and running, and I've been able to export old services and fix the syntax so that they can be reinitialized from JSON into MongoDB. The Management webapp picks up the services fine, but I am unable to save any changes or create any new services. It throws an error about not being able to create a json file within the cas-management file tree. With init-from-json turned off and the service-registry settings copied from cas.properties into management.properties, it should be trying to write these changes to MongoDB but it's clearly looking for a local file repo. Would anyone have any idea as to why this is? I can't find any MongoDB property definitions for the Management webapp to know what the syntax should even be. The Persistence Storage page in the documentation is a dead link. Any assistance would be greatly appreciated.

frugalcloud

@frugalcloud

hello good people.... can someone point me to the information on configuring Cas for AWS SSo as a IDP providor ?

dargur mikk

@dargur_gitlab

Hey maintainers, I have found a bug in https://github.com/apereo/cas/blame/master/core/cas-server-core-web-api/src/main/java/org/apereo/cas/web/support/CasLocaleChangeInterceptor.java

the code

val locale = new Locale(newLocale);

will work only for values such as en, de,... but not for en-US, pt-BR..
the correct way would have been

val locale = Locale.forLanguageTag(newLocale);

can you please suggest be how to "hotfix" this without overriding whole class just to fix this line? i am on version 6.5.6
THANKS

1 reply

dargur mikk

@dargurm_gitlab

Hi here,
i have a question regarding debugging of cas. In my configuration i have some classes overridden (e.g. PasswordEncoderUtils). When I run or debug with gradle run/debug + jvm remote debugging, all works as expected. the overridden file is used. But when i use ./gradlew bootRun in normal or debugging mode it uses the original file and not the overridden one. seems the ./gradlew bootRun doesnt build the overlay war properly.
any idea how to fix this? thanks a lot

Juliusz Marciniak

@rechandler12

Hello, how to disable login without service params?

I want to forbid people to login in directly to CAS.

1 reply

swatowskig

@swatowskig

Hi all, the documentation for the 6.2.x version is not available on the github anymore (https://apereo.github.io/cas/6.2.x/ - 404). Does anyone know if this is permanent (and where to find the docs to download) or if page will come back? Best regards.

1 reply

Léventé NAGY

@guitaro

Hi community :) I'm trying to integrate OpenID Connect delegation with a CAS 4.2.1 (pretty old yes but my client had made his choices...). And I'm very confused about logout workflow because when we do a logout action, the CAS doesn't seem to call the revocation_endpoint to invalidate the tokens on the client IDP side.
Is it normal ? Is it a feature integrated in release > 4.2.x ? Many thanks guys :)

dargur mikk

@dargurm_gitlab

Is there a way to store logged in user sessions in order to display/invalidate them. something like "You have logged in sessions on following devices" or send notification saying that login from a new device has been detected? this is pretty much common practice in the industry. especially we need it for single logout but not in terms of from all apps but from all logged in sessions.

Baba Ndiaye

@mrbabandiaye_twitter

Hello guys
i'm using nginx for proxy (cas.example.com:8443 to cas.example.com). So when i use this url cas.example.com:8443 i can get the real ip source and ip client but with cas.example.com i only have 127.0.0.1

how can i solve it????

Baba Ndiaye

@mrbabandiaye_twitter

I solve the issue by adding this lines in server.xml tomcat

Where communities thrive

People

Repo info

Activity