Thanks Charles & Christian. It sounds like getting this working is going to be a bit more involved than I imagined! I will have to try and have a better look at it when we have a bit more time.
On Friday, May 18, 2018 at 10:14:12 PM UTC+10, Christian Poirier wrote:
>
> Hi Charles
>
> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. The webflow logic is built in the code.
> I will check if the implementation based on a RegisteredServiceAccessStrategy is possible.
>
> Christian Poirier
> Mobile: 418-473-2824
>
> 2018-05-18 1:28 GMT-04:00 Charles Le Gallic <[email protected]>:
>
>> Hi Christian,
>>
>> Which version of CAS do you use?
>>
>> It seems to be a version below CAS 5.0.x (org.jasig packages and XML spring configurations). SPNEGO client selection strategy was working on 4.x version, but I cannot make it work after having upgraded to CAS 5.1.x....
>>
>> Regards,
>>
>> Charles
>>
>> <http://www.amoae.com/>
>> 12, impasse du Malrigou, 31140 Montberon
>> <https://maps.google.com/?q=12,+impasse+du+Malrigou,%C2%A031140+Montberon&entry=gmail&source=g>
>> [email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>
>>
>> On Thu, 17 May 2018 at 15:25, Christian Poirier <[email protected]> wrote:
>>
>>> Hi Nicolas,
>>>
>>> In our organization, we need to let the user choose between the default login and SPNEGO upon a list of criteria and sometimes we need to go directly to the SPNEGO authentication upon other criteria. For this feature, I extended the SPNEGO module. I show a button with the label "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular expression. When the service matches a regular expression and the IP address also matches its regular expression, I force SPNEGO authentication without giving the user the chance to authenticate otherwise. If none of the previous conditions are present, then the user must authenticate normally with his user ID and password.
>>> If you look at the following webflow, you will find this logic inside.
>>>
>>> <var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
>>>
>>> <on-start>
>>>     <evaluate expression="initialFlowSetupAction" />
>>>     <set name="flowScope.displaySPNegoButton" value="false" />
>>> </on-start>
>>>
>>> <decision-state id="ticketGrantingTicketExistsCheck">
>>>     <if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
>>> </decision-state>
>>>
>>> <decision-state id="gatewayRequestCheck">
>>>     <if test="externalContext.requestParameterMap['gateway'] neq '' &amp;&amp; externalContext.requestParameterMap['gateway'] neq null &amp;&amp; flowScope.service neq null" then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>>> </decision-state>
>>>
>>> <decision-state id="hasServiceCheck">
>>>     <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
>>> </decision-state>
>>>
>>> <decision-state id="renewRequestCheck">
>>>     <if test="externalContext.requestParameterMap['renew'] neq '' &amp;&amp; externalContext.requestParameterMap['renew'] neq null" then="startAuthenticateCheck" else="generateServiceTicket" />
>>> </decision-state>
>>>
>>> <!--
>>>     The "warn" action makes the determination of whether to redirect directly to the requested
>>>     service or display the "confirmation" page to go back to the server.
>>> -->
>>> <decision-state id="warn">
>>>     <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
>>> </decision-state>
>>>
>>> <!--
>>> <action-state id="startAuthenticate">
>>>     <action bean="x509Check" />
>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>     <transition on="warn" to="warn" />
>>>     <transition on="error" to="generateLoginTicket" />
>>> </action-state>
>>> -->
>>>
>>> <decision-state id="startAuthenticateCheck">
>>>     <if test="externalContext.requestParameterMap['spnego'] neq '' &amp;&amp; externalContext.requestParameterMap['spnego'] neq null &amp;&amp; externalContext.requestParameterMap['spnego'] eq 'off'" then="generateLoginTicket" else="spnegoForceCheckAction" />
>>> </decision-state>
>>>
>>> <decision-state id="spnegoForceCheckAction">
>>>     <if test="externalContext.requestParameterMap['forcespnego'] neq '' &amp;&amp; externalContext.requestParameterMap['forcespnego'] neq null &amp;&amp; externalContext.requestParameterMap['forcespnego'] eq 'true'" then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>>> </decision-state>
>>>
>>> <action-state id="spnegoAppCheckAction">
>>>     <evaluate expression="spNegoAppCheck" />
>>>     <transition on="yes" to="spnegoIPCheckAction2" />
>>>     <transition on="no" to="spnegoIPCheckAction" />
>>> </action-state>
>>>
>>> <action-state id="spnegoIPCheckAction">
>>>     <evaluate expression="spNegoIPCheck" />
>>>     <transition on="yes" to="generateLoginTicket">
>>>         <set name="flowScope.displaySPNegoButton" value="true" />
>>>     </transition>
>>>     <transition on="no" to="generateLoginTicket" />
>>> </action-state>
>>>
>>> <action-state id="spnegoIPCheckAction2">
>>>     <evaluate expression="spNegoIPCheck" />
>>>     <transition on="yes" to="startAuthenticate" />
>>>     <transition on="no" to="generateLoginTicket" />
>>> </action-state>
>>>
>>> <action-state id="startAuthenticate">
>>>     <evaluate expression="negociateSpnego" />
>>>     <transition on="success" to="spnego" />
>>> </action-state>
>>>
>>> <action-state id="spnego">
>>>     <evaluate expression="spnego" />
>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>     <transition on="error" to="generateLoginTicket" />
>>> </action-state>
>>>
>>> <action-state id="generateLoginTicket">
>>>     <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
>>>     <transition on="success" to="viewLoginForm" />
>>> </action-state>
>>>
>>> Here are my new spnego.properties
>>>
>>> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to the SPNEGO by changing the success transition
>>> #   of initialLoginForm action-state to startSpnegoAuthenticate
>>> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate the client based on the client action strategy
>>> #   defined in evaluateClientActionStrategy. It changes the success transition of initialLoginForm action-state
>>> #   to evaluateClientRequest
>>> cas.authn.spnego.spnegoMode=evaluateClient|direct
>>> # The following property is deprecated
>>> #cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
>>> # cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction where CAS checks to see if the request's
>>> #   remote hostname matches a predefined pattern
>>> # cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction where CAS checks an LDAP instance for the
>>> #   remote hostname, to locate a pre-defined attribute whose mere existence would allow the webflow to resume to SPNEGO
>>> # cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction where CAS checks if the service
>>> #   corresponds to a regularExpression defined in serviceNamePatternString and the ip corresponds to ipsToCheckPattern
>>> #   implemented in baseSpnegoClientAction
>>> cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>>> cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
>>> cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)
>>>
>>> It works well for me. If you want it, I could send you the code.
>>>
>>> On Thursday, May 17, 2018 01:47:54 UTC-4, Nicholas Wylie wrote:
>>>>
>>>> Hi CAS Community,
>>>>
>>>> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication against our Active Directory.
>>>>
>>>> What we have noticed though is that non-domain joined computers see a pop-up prompt for credentials when they visit the CAS login page. From my reading, I believe we can fix this by configuring the LDAP Client Selection Strategy for SPNEGO, but the documentation for which properties need to be configured seems to be a bit scarce.
>>>>
>>>> Can someone offer any guidance (or a link to some documentation) as to which properties I need to configure to use the LDAP Client Selection Strategy?
>>>>
>>>> Thanks,
>>>> Nicholas
>>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
>>> To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/_jUtK7VnhFs/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org.
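As an added example (not Christian's code and not CAS's own client-action classes), the decision logic of the webflow quoted in the thread written out in Python with the two patterns from the quoted spnego.properties; it assumes the client address and the service host must match their pattern in full, which is the check to confirm before a service-name match forces SPNEGO.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# The two patterns quoted from the spnego.properties in the thread above.
IPS_TO_CHECK = re.compile(r"((127\.0)|(122.110))(\.[0-9]{1,3}){2}")
SERVICE_NAME = re.compile(r"(app1\.domain\.ca)|(app2\.domain\.ca)")


def ip_matches(remote_ip: str) -> bool:
    """spNegoIPCheck: the whole client address must match (assumption: a full
    match, so '10.127.0.1' does not pass as a '127.0.x.x' address)."""
    return IPS_TO_CHECK.fullmatch(remote_ip) is not None


def service_matches(service: str) -> bool:
    """spNegoAppCheck: compare only the host of the service URL, in full, so
    https://app1.domain.ca.example.net/ or a URL that merely carries
    'app1.domain.ca' in its query string does not trigger forced SPNEGO."""
    host = urlsplit(service).hostname or ""
    return SERVICE_NAME.fullmatch(host) is not None


def decide(remote_ip: str, service: Optional[str], params: dict) -> str:
    """Walk the quoted webflow states. Returns:
    'spnego' - go straight to startAuthenticate (forced SPNEGO),
    'button' - show the login form with flowScope.displaySPNegoButton=true,
    'form'   - plain username/password form."""
    # startAuthenticateCheck: ?spnego=off always falls back to the form
    if params.get("spnego") == "off":
        return "form"
    # spnegoForceCheckAction: ?forcespnego=true skips the service check
    # and goes to spnegoIPCheckAction2
    if params.get("forcespnego") == "true":
        return "spnego" if ip_matches(remote_ip) else "form"
    # spnegoAppCheckAction: a known service goes to spnegoIPCheckAction2,
    # any other service to spnegoIPCheckAction (button only)
    if service and service_matches(service):
        return "spnego" if ip_matches(remote_ip) else "form"
    return "button" if ip_matches(remote_ip) else "form"
```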
