Looks like they updated it, just haven't made a release
2 replies
Hello, I would like to set up cas 5.3.* but am not able to find the cas-overlay-template for this version. Anyone who can guide, i will appreciate am a bit new to CAS
2 replies
Hi everyone. I'm trying to configure Google OpenID Connect delegated authentication by using the pac4j support. Everything seems to work great, I can authenticate. But the principal that I'm returned is not "my username" but a long number. I mean, if I authenticate with my Google Account iblanco@whatever.com I would like the principal to be "iblanco" not 171230230123.
I managed to make at least the principal to be the e-mail by setting this config:
cas.authn.pac4j.oidc[0].google.principal-attribute-id=email
But I can not further progress. I have tried to configure a groovy script in a couple of places in order to "massage" the value myself and remove the part behind the @, but they don't seem to get triggered as I expected them to do.
Any pointer would be much appreciated.
I have tried with a principal transformation script by using this parameter:
cas.person-directory.principal-transformation.groovy.location=
But the script was never triggered and in fact I think this script might be to transform the principal before authentication, not after. So probably that's not the right way to proceed...
Maybe I have to define a new attribute and somehow make it programatically build what I need from an already existing attribute ?
I understand that what I'm getting as a principal id from google is probably a unique number to identify myself in Google, but I guess that what I'm trying to do is not so weird either, isn't it? I will just allow Google authentication from my domain so I can safely assume that the first part of the e-mail would be unique.
I could just use the e-mail but them I would have to modify all consumer applications so that they can understand that the user profile identified as iblanco and the ones identified a iblanco@whatever.com are the same user.
def run(Object[] args) {
def ALLOWED_EMAIL_DOMAIN="whatever.com"
def attributes = args[0];
def id = args[1];
def service = args[2];
def logger = args[3];
def suffix = "@" + ALLOWED_EMAIL_DOMAIN.toLowerCase()
if (id.toLowerCase().endsWith(suffix)) {
return id.substring(0, id.length() - suffix.length())
}
return id}
Hello All, I am trying to build cas management app and when I enable AWS service registry like dynamodb or S3, I get the following error, for dynamodb it creates the table and then fails to start:
APPLICATION FAILED TO START
Description:
Parameter 1 of method restAuthenticationService in org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestAuthenticationConfiguration required a bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' that could not be found.
The injection point has the following annotations:
- @org.springframework.beans.factory.annotation.Qualifier(value="defaultMultifactorTriggerSelectionStrategy")Action:
Consider defining a bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' in your configuration.
Anyone have any ideas why this would be happening? if I remove the cas management AWS dependency it works fine.
cas version is 6.5.8
Hi Guys! I was perplexed by SLO for a long time.
I read the doc,I understand when CAS logout, the CAS server will callback the CAS Client's URL to remind the Clinet to destroy the session.And the Client should definition an API to destroy the local session.
I followed that , but the Client never received the callback.
I want to know,if the CAS server will callback the Client?
cas.authn.oauth.replicate-sessions=true
I want to know,if the CAS server will callback the Client?
It should. Check the nginx/apache log, you should see something like:
172.20.0.83 - - [16/Nov/2022:02:37:02 +0100] "POST /EsupUserApps/login?target=https%3A%2F%2Fent.univ-paris1.fr%2Faccueil%2F HTTP/1.1" 200 0 "-" "Apache-HttpClient/4.5.6 (Java/11.0.16)"
hi,
Probably a neophyte question but I can't find the simple way to define an attribute from a header field with "trusted" authentication.
CAS authentication is simply done through an apache reverse proxy which defines an "APP_REMOTE_USER" header that I easily retrieve via:
cas.authn.trusted.remote-principal-header=app_remote_userThe proxy also provisions a 'GRP_FROM_APP' business header which I can clearly see in the debug log :
2022-11-17 10:02:56,702 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.PrincipalFromRequestHeaderNonInteractiveCredentialsAction] - <Available request headers are [{referer=[https://XXXX], x-forwarded-port=[443], app_remote_user=[T01722], host=[XXX], connection=[Keep-Alive], cache-control=max-age=0],
....
grp_from_app=[017,223], cookie=[JSESSIONID=9Pt2j2GDjZTpmG09pVb525jCRRgVtTznCW8kgWDvJM8H2GJfGSMn!...
Chrome/107.0.0.0 Safari/537.36], sec-fetch-dest=[document]}]. Locating first header value for [app_remote_user]>
2022-11-17 10:02:56,705 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.PrincipalFromRequestHeaderNonInteractiveCredentialsAction] - <Remote user [T01722] found in [app_remote_user] header>
2022-11-17 10:02:56,706 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.BasePrincipalFromNonInteractiveCredentialsAction] - <User [T01722] found in request>
2022-11-17 10:02:56,708 DEBUG [org.apereo.cas.adaptors.trusted.web.flow.BasePrincipalFromNonInteractiveCredentialsAction] - <Attributes [{}] found in request>But there, I can't recover this header to transform it into an attribute. It looks like "Trusted" authentication doesn't provision any attributes other than the principal.
What method would allow me to add this attribute to cas clients?
Thanks
Hi Misagh,
I see you are working on Trusted attributes and thank you very much for that.
I didn't understand what the ShibbolethExtractor class was doing here and I understand better now that you removed it (probably an "old" reason).
However, in your new implementation, I don't understand why relying on a "PREFIXheader" (AJP) => "Prefix_Value" model for the extraction, à la Shibboleth, which doesn't seem to me to be the most common.
Why not have simply, or at least also, a simple extraction based on the exact names (or regex) of the headers (a java.util.List "header1, header2, header3...") with the same logic as the releaseattribute parameters?
This method seems to me more suitable for authentication via trusted.
Regards
I see you are working on Trusted attributes and thank you very much for that.
I didn't understand what the ShibbolethExtractor class was doing here and I understand better now that you removed it (probably an "old" reason).
However, in your new implementation, I don't understand why relying on a "PREFIXheader" (AJP) => "Prefix_Value" model for the extraction, à la Shibboleth, which doesn't seem to me to be the most common.
Why not have simply, or at least also, a simple extraction based on the exact names (or regex) of the headers (a java.util.List "header1, header2, header3...") with the same logic as the releaseattribute parameters?
This method seems to me more suitable for authentication via trusted.
Regards
Hello,
I upgraded to the latest version (7.0.0-snapshot) and now I easily and directly retrieve ALL the attributes present in the Trusted header.
I admit that I didn't easily understand how to use attribute-header-patterns in cas.properties.
In my case, I used:
cas.authn.trusted.attribute-header-patterns=(APP_REMOTE_USER|GRP_FROM_APP)->(.+)Not very intuitive but is it correct ?
Regards
Hi all,
Could someone please assist with the below issue I am facing? Thank you.
Here is my environment (note that the frontend and backend are served from different domains):
- CAS Server (implementing CAS 2)
- Frontend
- Backend
Tech stack:
org.jasig.cas.client:cas-client-core v3.4.1
spring boot 1.5.4
Java 1.8
Here is what is happening:
(1) user accesses the frontend, but there is no session cookie yet, so the user is redirected to CAS login page served by the CAS Server.
(2) user enters correct login, and the CAS login page redirects to the ticket validating endpoint (login/cas?ticket=XXX....) served by the backend.
(3) the backend responds with a session cookie and redirects to the frontend URL.
The problem is that the cookie in step 2 is only valid for the backend domain, and not the frontend domain so all the requests from the frontend fail because the cookie isn't sent to the backend in requests. Anyone know a way around this? Can the cookie somehow be made cross-domain? Perhaps via configuration on the CAS Server? Please excuse my lack of knowledge w.r.t. the CAS protocol. Thank you
Hi!
Is there a way to run CAS, in HA mode, without using sticky sessions, for OAuth/OIDC protocols (as mentioned in this comment: https://groups.google.com/a/apereo.org/g/cas-user/c/mzO_JpUqU3A/m/sMWhnIKrEgAJ)?
All CAS instances are already using a shared Ticket Storage, but, it seems that the Authorization Code Flow is not working properly without session affinity feature enabled in LB.
Thank you!
Is there a way to run CAS, in HA mode, without using sticky sessions, for OAuth/OIDC protocols (as mentioned in this comment: https://groups.google.com/a/apereo.org/g/cas-user/c/mzO_JpUqU3A/m/sMWhnIKrEgAJ)?
All CAS instances are already using a shared Ticket Storage, but, it seems that the Authorization Code Flow is not working properly without session affinity feature enabled in LB.
Thank you!
im search for a good saml delegation example, with a redirection based on an LDAP attribute. I'm not sure if it is possible to solve this problem with groovy an the cas.authn.pac4j.core.groovy-redirection-strategy.location option. I would be very grateful for starting tips
There are some good working examples on https://fawnoos.com/ but i didn't find things like a Provider Selection by an LDAP attrribute
2022-12-09 09:26:36,831 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Badly formatted flow execution key '', the expected format is '<uuid>_<base64-encoded-flow-state>']>
org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '', the expected format is '<uuid>_<base64-encoded-flow-state>'
org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '', the expected format is '<uuid>_<base64-encoded-flow-state>'
I am getting also that warning;
2022-12-09 09:26:42,835 WARN [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:288) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:180) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:113) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
org.apereo.cas.services.UnauthorizedServiceException:
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:288) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:180) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:113) ~[cas-server-support-pac4j-webflow-6.6.0-SNAPSHOT.jar:6.6.0-SNAPSHOT]
Can someone explain me the reason of that?
2022-12-12 08:55:13,322 WARN [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header not found under [Authorization] or it does not begin with the prefix [Negotiate ]>
2022-12-12 08:55:13,323 WARN [org.apereo.cas.web.flow.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.SpnegoCredentialsAction@7ad7acc3; result = error>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@78743393 expression = spnego, resultExpression = [null]]; result = error>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@755845e8 on = error, to = viewLoginForm]>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'spnego'>
2022-12-12 08:55:13,323 WARN [org.apereo.cas.web.flow.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.SpnegoCredentialsAction@7ad7acc3; result = error>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@78743393 expression = spnego, resultExpression = [null]]; result = error>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@755845e8 on = error, to = viewLoginForm]>
2022-12-12 08:55:13,323 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'spnego'>
Hello, Gauth and JPA broken in CAS 6.6.3 ?
cas_1 | 2022-12-12 11:05:00,606 WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'serviceValidateController' defined in class path resource [org/apereo/cas/web/config/CasValidationConfiguration$CasValidationControllerConfiguration.class]: Unsatisfied dependency expressed through method 'serviceValidateController' parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'defaultAuthenticationSystemSupport' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationSupportConfiguration$CasCoreAuthenticationSupportBaseConfiguration.class]: Unsatisfied dependency expressed through method 'defaultAuthenticationSystemSupport' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationTransactionManager' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationManagerConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationTransactionManager' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casAuthenticationManager' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationManagerConfiguration.class]: Unsatisfied dependency expressed through method 'casAuthenticationManager' parameter 2; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationEventExecutionPlan' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationPlanConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationEventExecutionPlan' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorAuthenticationEventExecutionPlanConfigurer' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorMultifactorAuthenticationPlanConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorAuthenticationEventExecutionPlanConfigurer' parameter 2; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorAuthenticationHandler' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorAuthenticationEventExecutionPlaHandlerConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorAuthenticationHandler' parameter 3; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorOneTimeTokenCredentialValidator' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorMultifactorAuthenticationTokenConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorOneTimeTokenCredentialValidator' parameter 1; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'googleAuthenticatorAccountRegistry': Injection of persistence dependencies failed; nested exception is java.lang.ClassCastException: class org.springframework.beans.factory.support.NullBean cannot be cast to class javax.persistence.EntityManagerFactory (org.springframework.beans.factory.support.NullBean and javax.persistence.EntityManagerF
cas_1 | 2022-12-12 11:05:00,606 WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'serviceValidateController' defined in class path resource [org/apereo/cas/web/config/CasValidationConfiguration$CasValidationControllerConfiguration.class]: Unsatisfied dependency expressed through method 'serviceValidateController' parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'defaultAuthenticationSystemSupport' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationSupportConfiguration$CasCoreAuthenticationSupportBaseConfiguration.class]: Unsatisfied dependency expressed through method 'defaultAuthenticationSystemSupport' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationTransactionManager' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationManagerConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationTransactionManager' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casAuthenticationManager' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationManagerConfiguration.class]: Unsatisfied dependency expressed through method 'casAuthenticationManager' parameter 2; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationEventExecutionPlan' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationPlanConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationEventExecutionPlan' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorAuthenticationEventExecutionPlanConfigurer' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorMultifactorAuthenticationPlanConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorAuthenticationEventExecutionPlanConfigurer' parameter 2; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorAuthenticationHandler' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorAuthenticationEventExecutionPlaHandlerConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorAuthenticationHandler' parameter 3; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'googleAuthenticatorOneTimeTokenCredentialValidator' defined in class path resource [org/apereo/cas/config/support/authentication/GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration$GoogleAuthenticatorMultifactorAuthenticationTokenConfiguration.class]: Unsatisfied dependency expressed through method 'googleAuthenticatorOneTimeTokenCredentialValidator' parameter 1; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'googleAuthenticatorAccountRegistry': Injection of persistence dependencies failed; nested exception is java.lang.ClassCastException: class org.springframework.beans.factory.support.NullBean cannot be cast to class javax.persistence.EntityManagerFactory (org.springframework.beans.factory.support.NullBean and javax.persistence.EntityManagerF
Someone have a workaround ?
Using phpCAS with version 6.3.x sometimes we don't get any extra attributes (released) from ldap (most of the time it works), but sometimes it doesn't. Is it expected behavior for CAS (saml or protocol 3) to sometimes not pass back attributes and it's up to the client (phpCAS application) to deal with, or could there be something else wrong. For example, we have catchall-rule at the bottom of cas-manager to pass back none. Is it possible for cas manager to fail the regexp in some cases.
I should probably add when I say sometimes, it's no like one application works and the other doesn't. E.g. a user could logon the application, get not attributes, 5 seconds later switch to incognito mode and they get their attributes
Hello everyone. I'm trying to get the current registered service name in a custom authentication handler. Is that possible ? If yes, how to implement it ? I use CAS 6.5.4. Thanks (lol beans)
Hello. We're using CAS (6.5.3) to implement login/SSO integration with Azure Active Directory for our internal applications. Everything works fine on my local environment. However, within our cloud infrastructure (clustered nomad runtime behind a fabio load balancer), when my client application hits the CAS server, the redirect URL from the login endpoint adds a port
80 to the URL - something like https://<domain>:80/cas/clientredirect?client_name=AzureAD&service=https://<clientapp domain>/login instead of https://<domain>/cas/clientredirect?client_name=AzureAD&service=https://<clientapp domain>/login. This causes the redirect URL to break on the browser side. If we remove the 80 port manually from the URL within the browser, then things work fine. Is there a way to stop this port being added to the URL? I tried to configure the auto-redirect-type parameter for this service to be "SERVICE" thinking that it would make CAS invisible to the client but that didn't make any difference either