Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Nov 25 19:24

    mmoayyed on gh-pages

    Update Demos.md (compare)

  • Nov 25 09:24
    CLAassistant commented #5550
  • Nov 25 09:23

    mmoayyed on master

    complete revision of the german… (compare)

  • Nov 25 09:22
    unfurl-links[bot] commented #5550
  • Nov 25 09:22
    welcome[bot] commented #5550
  • Nov 25 09:22
    mmoayyed closed #5550
  • Nov 25 08:25
    apereocas-bot labeled #5550
  • Nov 25 08:25
    apereocas-bot milestoned #5550
  • Nov 25 08:25
    apereocas-bot milestoned #5550
  • Nov 25 08:25
    CLAassistant commented #5550
  • Nov 25 08:25
    welcome[bot] commented #5550
  • Nov 25 08:24
    ThomasSeliger opened #5550
  • Nov 25 06:17

    mmoayyed on v6.6.3

    next release (compare)

  • Nov 24 05:35

    mmoayyed on master

    add more oidc chinese translati… (compare)

  • Nov 24 05:35
    mmoayyed closed #5549
  • Nov 24 05:02
    apereocas-bot labeled #5549
  • Nov 24 05:02
    apereocas-bot labeled #5549
  • Nov 24 05:02
    apereocas-bot labeled #5549
  • Nov 24 05:02
    CLAassistant commented #5549
  • Nov 24 05:02
    apereocas-bot labeled #5549
kindly ping @mmoayyed since you implemented MFA
alvinyue
@alvinyue
Hi all, How can I turn off CAS' Login prompt only for one of the webapps? Thank you!
1 reply
cctgteddy
@cctgteddy
What is the way to override theme files on 6.x? When I was building our 5.3 deployment several years ago I would run it under Tomcat which extracted the war file completely and I could edit the template files in there and see the changes right away. Once I was done I would take the modified files back to the overlay directory commit changes.
I'm not sure how to access the theme files now on this new one. I'm running it as an executable war file.
4 replies
ohinckel
@ohinckel
Still, (in CAS 6.5.4) it seems not possible to force MFA for a SAML application when user already have a SSO session without MFA. No MFA prompt will be shown, users can access the MFA SAML application without using MFA. Really looks like a security bug to me. Opinions?
2 replies
dlemp1
@dlemp1

Anyone using Spring Boot with CAS and able to get Single Sign Out to work? Our CAS is version 6.5, and I'm using spring-security-cas version 5.7.2.

I've been working on a Spring Boot app that uses CAS for SSO for days now. Single sign on works great! And I have a logout button within the app that works as well. The problem I'm running in to is Single Logout (SLO) does not work. Meaning when I log out of another application, SLO works everywhere except for this app. When I log out of this app, though, I am logged out of everything else. So it seems like this app here isn't listening for when an SSO session is ended.

1 reply
lshc
@lshc666

Still, (in CAS 6.5.4) it seems not possible to force MFA for a SAML application when user already have a SSO session without MFA. No MFA prompt will be shown, users can access the MFA SAML application without using MFA. Really looks like a security bug to me. Opinions?

@mmoayyed I had the same problem.

jiangying
@jiangying000
Hello all, is there an official Single Logout flow diagram in CAS doc? I can not find one now.
5 replies
changel23
@changel23
Hello, I am using apereo cas behind an apache load balancer (ubuntu) . Specifically i have two app servers with each one having cas server configuration and 2 apache servers behind a load balancer) and I face an issue with too many redirects when trying to login, the apache is forwarding the request and trying to read (cas.css cas.js) files but fails. So the response at the load balancer faces an issue with too many redirects (http 302 code) and the login theme is not displayed correctly. Does anyone know how to fix too many redirects issue?
wnowicloud
@wnowicloud
I'm updating from cas 5.2 to 6.4 and am noticing a difference in the login screen's handling of an incorrect password. In cas 5.2, when the user enters an invalid password the /cas/login screen is reloaded (with an appropriate message) and the username previously entered is populated in the username field. In cas 6.4 the username field is empty. Debugging into the code I can see that the ClearWebflowCredentialAction is executing which is clearing out the username. Is this an intentional change in CAS? Is there some way to revert to the previous behavior?
rrhale
@rrhale
Hi, folks. Can anybody lend a hand with the CAS Management webapp using a MongoDB service registry? We have been running this configuration for years, and now we are updating from 5.2 to 6.5. I've got CAS up and running, and I've been able to export old services and fix the syntax so that they can be reinitialized from JSON into MongoDB. The Management webapp picks up the services fine, but I am unable to save any changes or create any new services. It throws an error about not being able to create a json file within the cas-management file tree. With init-from-json turned off and the service-registry settings copied from cas.properties into management.properties, it should be trying to write these changes to MongoDB but it's clearly looking for a local file repo. Would anyone have any idea as to why this is? I can't find any MongoDB property definitions for the Management webapp to know what the syntax should even be. The Persistence Storage page in the documentation is a dead link. Any assistance would be greatly appreciated.
frugalcloud
@frugalcloud
hello good people.... can someone point me to the information on configuring Cas for AWS SSo as a IDP providor ?
dargur mikk
@dargur_gitlab

Hey maintainers, I have found a bug in https://github.com/apereo/cas/blame/master/core/cas-server-core-web-api/src/main/java/org/apereo/cas/web/support/CasLocaleChangeInterceptor.java

the code

val locale = new Locale(newLocale);

will work only for values such as en, de,... but not for en-US, pt-BR..
the correct way would have been

val locale = Locale.forLanguageTag(newLocale);

can you please suggest be how to "hotfix" this without overriding whole class just to fix this line? i am on version 6.5.6
THANKS

1 reply
dargur mikk
@dargurm_gitlab
Hi here,
i have a question regarding debugging of cas. In my configuration i have some classes overridden (e.g. PasswordEncoderUtils). When I run or debug with gradle run/debug + jvm remote debugging, all works as expected. the overridden file is used. But when i use ./gradlew bootRun in normal or debugging mode it uses the original file and not the overridden one. seems the ./gradlew bootRun doesnt build the overlay war properly.
any idea how to fix this? thanks a lot
Juliusz Marciniak
@rechandler12

Hello, how to disable login without service params?

I want to forbid people to login in directly to CAS.

1 reply
swatowskig
@swatowskig
Hi all, the documentation for the 6.2.x version is not available on the github anymore (https://apereo.github.io/cas/6.2.x/ - 404). Does anyone know if this is permanent (and where to find the docs to download) or if page will come back? Best regards.
1 reply
Léventé NAGY
@guitaro
Hi community :) I'm trying to integrate OpenID Connect delegation with a CAS 4.2.1 (pretty old yes but my client had made his choices...). And I'm very confused about logout workflow because when we do a logout action, the CAS doesn't seem to call the revocation_endpoint to invalidate the tokens on the client IDP side.
Is it normal ? Is it a feature integrated in release > 4.2.x ? Many thanks guys :)
dargur mikk
@dargurm_gitlab
Is there a way to store logged in user sessions in order to display/invalidate them. something like "You have logged in sessions on following devices" or send notification saying that login from a new device has been detected? this is pretty much common practice in the industry. especially we need it for single logout but not in terms of from all apps but from all logged in sessions.
Baba Ndiaye
@mrbabandiaye_twitter
image.png
Hello guys
i'm using nginx for proxy (cas.example.com:8443 to cas.example.com). So when i use this url cas.example.com:8443 i can get the real ip source and ip client but with cas.example.com i only have 127.0.0.1
image.png
how can i solve it????
Baba Ndiaye
@mrbabandiaye_twitter

I solve the issue by adding this lines in server.xml tomcat

<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" requestAttributesEnabled="true" internalProxies="127\.0\.0\.1" />

Ron Olson
@tachoknight
hi all, i'm looking to add MFA to my existing cas setup. Does cas have the ability to use MFA at the email/login level? In other words, if people sign in with "@bigcompany.com" addresses, I want to use MFA, but email addresses with "@someothercompany.com" just bypass MFA altogether
i believe there's a way to intercept the login and check and redirect to the appropriate flow, but wanted to make sure that idea was generally correct
vbryandc
@vbryandc

Hello friends, someone has this error when debugging cas:

Task :api:cas-server-core-api-configuration-model:generateConfigurationMetadata FAILED
Error: Could not find or load main class org.apereo.cas.configuration.metadata.ConfigurationMetadataGenerator
Caused by: java.lang.ClassNotFoundException: org.apereo.cas.configuration.metadata.ConfigurationMetadataGenerator
Could not find or load main class org.apereo.cas.configuration.metadata.ConfigurationMetadataGenerator

dargur mikk
@dargurm_gitlab
HI all, can anyone suggest me how to make subjects of the emails sent by cas to be translated just as everything else? cannot access @messageSource in spel. so looks like i need to fork the org.apereo.cas.util.spring.SpringExpressionLanguageValueResolver. but may be there is a better way?
1 reply
dargur mikk
@dargurm_gitlab

HI all,
i want to customize email templates but cas doesn't find them in the classpath, so i am forced to place them somewhere on the file system outside of the cas.war. this would make deployment harder than it should be. i tried something like text: classpath:ResetPasswordEmailTemplate.html but then it doesn't find it Caused by: java.io.FileNotFoundException: class path resource [ResetPasswordEmailTemplate.html] cannot be resolved to absolute file path because it does not reside in the file system: jar:file:/home/user/cas/build/libs/cas.war!/WEB-INF/classes!/ResetPasswordEmailTemplate.html even though the file is there. So it looks like the EmailMessageBodyBuilder is loading files only from fs.

Any ideas how to solve this?

1 reply
Frédéric Praca
@FredPraca
Hi all
I'm facing a problem which should not be. When setting cas.pm-links.enabled=false in my theme property file, I still get a link for forgotten password. The value false is correctly sent through the template. Do I have to edit loginform.html to get rid of it ?
5 replies
dargur mikk
@dargurm_gitlab
it feels like this channel is like a church: its place for questions and not for answers ;)
its quite rare that a question from anyone gets an answer
Frédéric Praca
@FredPraca
@dargurm_gitlab unless you find it yourself and post it here :)
cctgteddy
@cctgteddy
Hi, I'm working on developing a new theme for our CAS server. Is there any way to "hot edit" the theme files in such a way I don't need to recompile the war file each time? I'm compiling it as a standalone executable
2 replies
XianzheTM
@xianzheTM
Hello ,firends.
If I only have a Provider, how do I make the delegated authentication redirect directly to it?
I want CAS to be transparent to users and not make them choose which delegated authentication to use.
image.png
dargur mikk
@dargurm_gitlab

another question, may be will get some answers ;)
cas is configured to use locale cookie for localization. i use locale resolver which sets request attributes and it works for the whole UI. But the password managment email builder doesn't respect the locale cookie because it uses request.getLocale() which reads from Accept-Language header.
here is the snippet from cas email builder

val text = EmailMessageBodyBuilder.builder()
                .properties(reset)
                .parameters(parameters)
                .locale(Optional.ofNullable(request.getLocale()))

any suggestion on how to set request locale somewhere in locale resolver so it works here as well. otherwise i would need to fork the class and make it use request attribute instead of getLocale(). but that would be very dirty hack

1 reply
Łukasz
@lgwozniak

Hello ,firends.
If I only have a Provider, how do I make the delegated authentication redirect directly to it?
I want CAS to be transparent to users and not make them choose which delegated authentication to use.

I'm configure proces on CAS 6.5 to automaticaly go to Dynamic Delegation Resolver View, and then base on email go to providers

1 reply
Marc K.
@V3ndetta
Anyone else expecting errors on TicketCleanup with 6.4 ERROR [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <Expected valid string character at 1:2887>
mijutu
@mijutu:ellipsis.fi
[m]
@xianzheTM: You could redirect users who want to login to https://domain.tld/cas/clientredirect?client_name=NAME&sercvice=https://... where NAME is a client-name from cas.properties. This way cas asks the user nothing and forwards directly to the delegated login page.
1 reply
Chip Ivormi
@Ivormi_twitter

So, we're attempting to implement surrogate authentication / impersonation in CAS 6.3.7.4, using a JDBC repository. Basic impersonation works, and I see the new user id pass through to other applications. However we have SAML integrated applications that rely on the email address as the user identifier (not username), and in these situations, all of the attributes are those of the primary, not the surrogate, which results in the SAML authentication passing the primary's email address to the SP application.

I've tried configuring some of the settings related to cas.authn.surrogate.principal.attribute-resolution-enabled and some of the associated settings, without success.

I guess my question is - is this feature just working 'as intended', and we are correctly seeing the surrogateId of the surrogateUser, with rest of the attributes from the surrogatePrincipal (email, group memberships, etc.) or am I missing a key configuration here?

1 reply
Joro Kushev
@jorokushev:matrix.org
[m]
Hi All. Can someone point me to any release notes/comparison between CAS 7 and CAS 6? We are about to upgrade to the latest release of CAS 6.6, but we also see that CAS 7 is about to be released in early 2023. Where we can get some insights of the expected features and comparison between v6 and v7? Thanks
4 replies
dargur mikk
@dargurm_gitlab
Can someone advice how to prevent form resubmission on some pages? e.g. password reset email is resent every time successfully sent page is refreshed. same applies to password change or login resubmission pages. i can change password by just refreshing a page.
choidkdk
@choidkdk

hi, I got this error after run cas about 1 day. Im runing CAS overlay 6.5. How I can resolve that? 🙇‍♂️

Screen Shot 2022-09-09 at 15.50.52.png

1 reply
zhang wn
@zhangw9_gitlab

Hi. We are upgrading our CAS4.x application to 6.x. Looking at the documentation, a lot has changed in Webflows. We plan to change our main login flow with the token login process to use the new method.
However, we have two custom authentication flows and I don't know how to connect to the CAS service. Looking at our 4.x configuration, we first define servlet mappings, map URLs, then update the supportedFlowIds set, and finally point Spring to the actual XML to specify these flows. These are called by the application to /token_login_flow on the CAS servlet.

Configure CAS to know when to see /token_login_flow to start custom webflow?
Make CAS actions (like granting tickets, etc.) available to this custom web process?

<bean id="loginHandlerAdapter" class="cas.tokensso.SelectiveFlowHandlerAdapter" p:flowExecutor-ref="loginFlowExecutor" p:flowUrlHandler-ref="loginFlowUrlHandler" >

<property name="supportedFlowIds">

<util:list list-class="java.util.ArrayList">

<value>login</value>

<value>token_login</value>
<!-- <value>ip_login</value>-->
</util:list>
</property>
</bean>

<webflow:flow-registry id="loginFlowRegistry" flow-builder-services="builder">

<webflow:flow-location path="/WEB-INF/login-webflow.xml" id="login" />

<webflow:flow-location path="/WEB-INF/token-login-webflow.xml" id="token_login"/>
</webflow:flow-registry>
Please, can anybody help me? Thank you!

1 reply
Andrea Orellana
@DaniuKb_twitter
Hola a todos, estoy usando la versión de CAS gradle 6.5.6, estoy intentando crear temas propios, al desplegarlo si me presenta la pantalla de login el problema se da cuando intento navegar hacia otra pantalla, no me reconoce el tema y me presenta las pantallas por default del CAS. Cómo puedo hacer para que siempre me presente las pantallas del tema indicado en el service? Alguién conoce una forma de solucionar esto?
dargur mikk
@dargurm_gitlab
Can someone advice me how to "configure" cas to support password reset by email instead of username? there is forgot username function but what i want is reset by "username or email" directly. we already have login by username or email. with custom password change in a external app. now we want to use cas pm for that.
1 reply
Mostafa Qanbaryan
@mostafaqanbaryan
Hi.
I want to implement a CAS passwordless service.
I did that with Initializr and everything (so far) works fine.
But now I want to use CAS REST API for logins, but based on https://apereo.github.io/cas/6.5.x/protocol/REST-Protocol-CredentialAuthentication.html, I have to provide password.
How can I use passwordless with REST?
Chip Ivormi
@Ivormi_twitter

Another issue with Surrogate/Impersonation. This time, I've run into an interesting situation with Impersonation + MFA. Using out of the box 6.6.0, I can get mfa-simple and impersonation/surrogate working separately. However, as soon as I try and turn them both on, things break.

If I have them both on, and try to log in as +username, I go through the MFA routine and it logs in as username, without giving me the option of selecting a surrogate user.

If I have them both on, and try to log in as surrogateusername+username, I start the MFA routine, but CAS throws the following error:

2022-09-21 10:43:13,779 WARN [org.apereo.cas.mfa.simple.validation.DefaultCasSimpleMultifactorAuthenticationService] - <Principal assigned to token [username] is unauthorized for token [CASMFA-#######]>
2022-09-21 10:43:13,811 ERROR [org.apereo.cas.mfa.simple.CasSimpleMultifactorAuthenticationHandler] - <Failed to authenticate code CASMFA-###### DefaultCasSimpleMultifactorAuthenticationService.java:validate:76 CasSimpleMultifactorAuthenticationHandler.java:doAuthentication:63 AbstractPreAndPostProcessingAuthenticationHandler.java:authenticate:47 >

This means that, if I want Impersonation, it seems that I need to disable MFA, and vice versa. Has anyone been able to get both of these working simultaneously with recent (6.5.x, 6.6.x) versions of CAS?

Thanks!

Ripplet
@ripplet:matrix.org
[m]

Hello there, I think casinit.herokuapp.com is broken because regardless of the specified cas version I get:

version=7.0.0-SNAPSHOT
# CAS server version
cas.version=7.0.0-SNAPSHOT

Inside gradle.properties

Ripplet
@ripplet:matrix.org
[m]

:point_up: Edit: Hello there, I think casinit.herokuapp.com is broken because regardless of the specified cas version I get:

version=7.0.0-SNAPSHOT
# CAS server version
cas.version=7.0.0-SNAPSHOT

Inside "gradle.properties"