OK, thanks. Let me know if you can confirm that the current native implementation is buggy.

Regards,

Charles
<http://www.amoae.com/>
12, impasse du Malrigou, 31140 Montberon
[email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>

On Wed, 23 May 2018 at 04:46, Christian Poirier <[email protected]> wrote:

> Hi Charles
>
> Yes I did, but with my own development and my properties. I will check if
> I can implement with Client Access Strategy by implementing my own SPNEGO
> Service Access Strategy
>
> Christian Poirier
> Mobile: 418-473-2824
>
> 2018-05-22 1:58 GMT-04:00 Charles Le Gallic <[email protected]>:
>
>> Hi Christian,
>>
>> Did you succeed in making IP-based SPNEGO client selection work on CAS
>> 5.x?
>>
>> In that case, is there any other configuration to set up in addition to
>> cas.properties configuration?
>>
>> Regards,
>>
>> Charles
>>
>> On Fri, 18 May 2018 at 14:14, Christian Poirier <[email protected]>
>> wrote:
>>
>>> Hi Charles
>>>
>>> I am using the 5.3.0-RC3. I illustrated the webflow to see the logic.
>>> The webflow logic is built in the code.
>>> I will check if the implementation based on a
>>> RegisteredServiceAccessStrategy is possible.
>>>
>>> Christian Poirier
>>> Mobile: 418-473-2824
>>>
>>> 2018-05-18 1:28 GMT-04:00 Charles Le Gallic <[email protected]>:
>>>
>>>> Hi Christian,
>>>>
>>>> Which version of CAS do you use?
>>>>
>>>> It seems to be a version below CAS 5.0.x (org.jasig packages and XML
>>>> Spring configurations). SPNEGO client selection strategy was working on 4.x
>>>> version, but I cannot make it work after having upgraded to CAS 5.1.x....
>>>>
>>>> Regards,
>>>>
>>>> Charles
>>>>
>>>> On Thu, 17 May 2018 at 15:25, Christian Poirier <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Nicolas,
>>>>>
>>>>> In our organization, we need to let the user choose between the
>>>>> default login and SPNEGO upon a list of criteria and sometimes we need to
>>>>> go directly to the SPNEGO authentication upon other criteria. For this
>>>>> feature, I extended the SPNEGO module. I show a button with the label
>>>>> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
>>>>> expression. When the service matches a regular expression and the IP
>>>>> address also matches its regular expression, I force SPNEGO authentication
>>>>> without giving the user the chance to authenticate otherwise. If none of
>>>>> the previous conditions are present, then the user must authenticate
>>>>> normally with his user ID and password.
>>>>> If you look at the following webflow, you will find this logic inside.
>>>>>
>>>>> <var name="credentials"
>>>>>      class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
>>>>>
>>>>> <on-start>
>>>>>     <evaluate expression="initialFlowSetupAction" />
>>>>>     <set name="flowScope.displaySPNegoButton" value="false" />
>>>>> </on-start>
>>>>>
>>>>> <decision-state id="ticketGrantingTicketExistsCheck">
>>>>>     <if test="flowScope.ticketGrantingTicketId neq null"
>>>>>         then="hasServiceCheck" else="gatewayRequestCheck" />
>>>>> </decision-state>
>>>>>
>>>>> <decision-state id="gatewayRequestCheck">
>>>>>     <if test="externalContext.requestParameterMap['gateway'] neq ''
>>>>>               &amp;&amp; externalContext.requestParameterMap['gateway'] neq null
>>>>>               &amp;&amp; flowScope.service neq null"
>>>>>         then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>>>>> </decision-state>
>>>>>
>>>>> <decision-state id="hasServiceCheck">
>>>>>     <if test="flowScope.service != null"
>>>>>         then="renewRequestCheck" else="viewGenericLoginSuccess" />
>>>>> </decision-state>
>>>>>
>>>>> <decision-state id="renewRequestCheck">
>>>>>     <if test="externalContext.requestParameterMap['renew'] neq ''
>>>>>               &amp;&amp; externalContext.requestParameterMap['renew'] neq null"
>>>>>         then="startAuthenticateCheck" else="generateServiceTicket" />
>>>>> </decision-state>
>>>>>
>>>>> <!--
>>>>>     The "warn" action makes the determination of whether to redirect
>>>>>     directly to the requested service or display the "confirmation"
>>>>>     page to go back to the server.
>>>>> -->
>>>>> <decision-state id="warn">
>>>>>     <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
>>>>> </decision-state>
>>>>>
>>>>> <!--
>>>>> <action-state id="startAuthenticate">
>>>>>     <action bean="x509Check" />
>>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>>     <transition on="warn" to="warn" />
>>>>>     <transition on="error" to="generateLoginTicket" />
>>>>> </action-state>
>>>>> -->
>>>>>
>>>>> <decision-state id="startAuthenticateCheck">
>>>>>     <if test="externalContext.requestParameterMap['spnego'] neq ''
>>>>>               &amp;&amp; externalContext.requestParameterMap['spnego'] neq null
>>>>>               &amp;&amp; externalContext.requestParameterMap['spnego'] eq 'off'"
>>>>>         then="generateLoginTicket" else="spnegoForceCheckAction" />
>>>>> </decision-state>
>>>>>
>>>>> <decision-state id="spnegoForceCheckAction">
>>>>>     <if test="externalContext.requestParameterMap['forcespnego'] neq ''
>>>>>               &amp;&amp; externalContext.requestParameterMap['forcespnego'] neq null
>>>>>               &amp;&amp; externalContext.requestParameterMap['forcespnego'] eq 'true'"
>>>>>         then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>>>>> </decision-state>
>>>>>
>>>>> <action-state id="spnegoAppCheckAction">
>>>>>     <evaluate expression="spNegoAppCheck" />
>>>>>     <transition on="yes" to="spnegoIPCheckAction2" />
>>>>>     <transition on="no" to="spnegoIPCheckAction" />
>>>>> </action-state>
>>>>>
>>>>> <action-state id="spnegoIPCheckAction">
>>>>>     <evaluate expression="spNegoIPCheck" />
>>>>>     <transition on="yes" to="generateLoginTicket">
>>>>>         <set name="flowScope.displaySPNegoButton" value="true" />
>>>>>     </transition>
>>>>>     <transition on="no" to="generateLoginTicket" />
>>>>> </action-state>
>>>>>
>>>>> <action-state id="spnegoIPCheckAction2">
>>>>>     <evaluate expression="spNegoIPCheck" />
>>>>>     <transition on="yes" to="startAuthenticate" />
>>>>>     <transition on="no" to="generateLoginTicket" />
>>>>> </action-state>
>>>>>
>>>>> <action-state id="startAuthenticate">
>>>>>     <evaluate expression="negociateSpnego" />
>>>>>     <transition on="success" to="spnego" />
>>>>> </action-state>
>>>>>
>>>>> <action-state id="spnego">
>>>>>     <evaluate expression="spnego" />
>>>>>     <transition on="success" to="sendTicketGrantingTicket" />
>>>>>     <transition on="error" to="generateLoginTicket" />
>>>>> </action-state>
>>>>>
>>>>> <action-state id="generateLoginTicket">
>>>>>     <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
>>>>>     <transition on="success" to="viewLoginForm" />
>>>>> </action-state>
>>>>>
>>>>>
>>>>> Here are my new spnego.properties
>>>>> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to the
>>>>> # SPNEGO by changing the success transition of initialLoginForm action-state
>>>>> # to startSpnegoAuthenticate
>>>>> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate
>>>>> # the client based on the client action strategy defined in
>>>>> # evaluateClientActionStrategy.
>>>>> # It changes the success transition of initialLoginForm action-state to
>>>>> # evaluateClientRequest
>>>>> cas.authn.spnego.spnegoMode=evaluateClient|direct
>>>>> # The following property is deprecated
>>>>> #cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
>>>>> # cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
>>>>> # where CAS checks to see if the request's remote hostname matches a
>>>>> # predefined pattern
>>>>> # cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
>>>>> # where CAS checks an LDAP instance for the remote hostname,
>>>>> # to locate a pre-defined attribute whose mere existence would allow
>>>>> # the webflow to resume to SPNEGO
>>>>> # cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>>>>> # where CAS checks if the service corresponds to a regularExpression
>>>>> # defined in serviceNamePatternString and the ip corresponds to
>>>>> # ipsToCheckPattern implemented in baseSpnegoClientAction
>>>>> cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>>>>> cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
>>>>> cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)
>>>>>
>>>>>
>>>>> It works well for me. If you want it, I could send you the code.
>>>>>
>>>>> On Thursday, 17 May 2018 01:47:54 UTC-4, Nicholas Wylie wrote:
>>>>>>
>>>>>> Hi CAS Community,
>>>>>>
>>>>>> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication
>>>>>> against our Active Directory.
>>>>>>
>>>>>> What we have noticed though is that non-domain joined computers see a
>>>>>> pop-up prompt for credentials when they visit the CAS login page.
>>>>>> From my reading, I believe we can fix this by configuring the LDAP Client
>>>>>> Selection Strategy for SPNEGO, but the documentation for which properties
>>>>>> need to be configured seems to be a bit scarce.
>>>>>>
>>>>>> Can someone offer any guidance (or a link to some documentation) as
>>>>>> to which properties I need to configure to use the LDAP Client Selection
>>>>>> Strategy?
>>>>>>
>>>>>> Thanks,
>>>>>> Nicholas

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANjq9Cim2YZK15%3DDB5s0-OWcMfOV5scsHTg9wKPNUDsr61bBEQ%40mail.gmail.com.
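
The three outcomes Christian describes (login form, login form with the SPNEGO button, forced SPNEGO), modelled as an added example that is not part of the thread and is not CAS code. It follows the quoted startAuthenticateCheck branch and uses the two patterns from his spnego.properties; whole-string matching, the host-only service check and the names `decide`, `ip_allowed` and `service_forced` are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Both patterns are copied verbatim from the spnego.properties quoted above.
IP_PATTERN = re.compile(r"((127\.0)|(122.110))(\.[0-9]{1,3}){2}")
SERVICE_PATTERN = re.compile(r"(app1\.domain\.ca)|(app2\.domain\.ca)")

LOGIN_FORM = "login form"
LOGIN_FORM_WITH_BUTTON = "login form + SPNEGO button"
SPNEGO = "forced SPNEGO"


def ip_allowed(remote_ip):
    """Stand-in for spNegoIPCheck (assumption: whole-string match on an IPv4)."""
    try:
        addr = ipaddress.IPv4Address(remote_ip)
    except ValueError:
        # Unescaped "." in "122.110": the raw pattern accepts "122x110.1.2".
        return False
    return IP_PATTERN.fullmatch(str(addr)) is not None


def service_forced(service_url):
    """Stand-in for spNegoAppCheck (assumption: match the URL's host only)."""
    host = urlsplit(service_url or "").hostname or ""
    return SERVICE_PATTERN.fullmatch(host) is not None


def decide(params, service_url, remote_ip):
    """Walk startAuthenticateCheck and the states it can reach."""
    if params.get("spnego") == "off":  # startAuthenticateCheck
        return LOGIN_FORM
    if params.get("forcespnego") == "true" or service_forced(service_url):
        # spnegoIPCheckAction2: the request parameter alone never forces SPNEGO
        return SPNEGO if ip_allowed(remote_ip) else LOGIN_FORM
    # spnegoIPCheckAction: same form either way, the button only on an IP match
    return LOGIN_FORM_WITH_BUTTON if ip_allowed(remote_ip) else LOGIN_FORM


# Constructed sample requests: (parameters, service URL, client IP)
SAMPLES = [
    ({}, "https://app1.domain.ca/portal", "127.0.3.4"),
    ({}, "https://other.domain.ca/", "122.110.8.9"),
    ({"forcespnego": "true"}, "https://other.domain.ca/", "10.1.2.3"),
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decide(*sample))
```
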
