Unfortunately the only services working are on CAS 5.3.16, which we're trying to get away from. All services for 7.0.0 are going to be new. I don't have CAS management installed, but I'm working to try to get that up and running as well.
Is there any specific way to register a service other than creating the json registry?

On Wednesday, June 14, 2023 at 12:58:44 PM UTC-4 Ray Bon wrote:
> Dillon,
>
> Do any other services work?
>
> You can simplify your service definition. This one will handle any http service:
> https://github.com/apereo/cas/blob/master/webapp/cas-server-webapp-resources/src/main/resources/services/HTTPSandIMAPS-10000001.json
>
> The error message is saying that the service argument sent to cas for login does not match any service you have registered.
>
> Note: to test cas login flow (MFA, password updating, etc.), you can make up a service. I literally have a bookmark https://local.uvic.ca/cas/login?service=https://local.uvic.ca/someMFA_URI <https://dev.uvic.ca/cas/login?service=https://dev.uvic.ca/someMFA_URI> to test MFA flow. I add the service (serviceId: https://local.uvic.ca/someMFA_URI <https://dev.uvic.ca/cas/login?service=https://dev.uvic.ca/someMFA_URI> ) with only MFA configured. (local points to my laptop.)
>
> Ray
>
> On Wed, 2023-06-14 at 07:35 -0700, Dillon Power wrote:
>
> Hi Ray,
>
> I was able to see what was wrong with the regex, and you were right about that.
> However, I'm still getting this error: "The application you attempted to authenticate to is not authorized to use CAS. This usually indicates that the application is not registered with CAS, or its authorization policy defined in its registration record prevents it from leveraging CAS functionality, or it's malformed and unrecognized by CAS. Contact your CAS administrator to learn how you might register and integrate your application with CAS."
>
> Is there any part of the service registry that I've configured that would make it incompatible?
>
> Thanks!
> Dillon
> On Monday, June 12, 2023 at 12:14:04 PM UTC-4 Ray Bon wrote:
>
> Dillon,
>
> Your regex does not look right to me. Here is one of my test apps:
>
> https://democasclientdev.uvic.ca/democasclient/callback\\?client_name=OidcClient
> https://bannerdev\\.uvic\\.ca/CommunicationManagement/.*
> ^https?://local\\.uvic\\.ca/~rbon/phpCAS/docs/examples/.*
>
> We are not escaping '/', but are escaping '.' with '\\' (the '.' for security). Also, if the application is sending a URN or parameters as part of the URL, then you want to allow them, or, if it is the same for every request, perhaps capture it in the serviceId.
>
> Check your serviceId regex against an actual service argument using an online regex tester (ideally one for java). You may have to unencode some characters.
>
> Ray
>
> On Fri, 2023-06-09 at 11:15 -0700, Dillon Power wrote:
>
> Hi all,
>
> After installing and configuring CAS to work with our DegreeWorks install, I'm seeing that the application is unable to log in with CAS despite having a service registry. Are there some formatting issues with our registry entry?
>
> For reference, we're running tomcat 10, cas 7.0.0, jdk17.
>
> here is my cas.properties:
> cas.server.name=http://{casserver}.edu
> cas.server.prefix=${cas.server.name}/cas
> logging.config=file:/etc/cas/config/log4j2.xml
>
> #server.port=8080
> server.ssl.enabled=false
>
> #LDAP Configuration
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldap-url=ldap://ldapserver:389
> cas.authn.ldap[0].base-dn=OU=Accounts,DC=school,DC=edu
> cas.authn.ldap[0].search-filter=(sAMAccountName={user})
> cas.authn.ldap[0].bind-dn=CN=ldap_user,OU=Accounts,DC=school,DC=edu
> cas.authn.ldap[0].bind-credential=password
> cas.authn.ldap[0].subtree-search=true
> #cas.authn.ldap[0].principal-attribute-list=samAccountName:UDC_IDENTIFIER
> #cas.authn.ldap[0].principal-attribute-password=
> cas.authn.ldap[0].principal-attribute-id=UDC_IDENTIFIER
>
> #DUO MFA
> cas.authn.mfa.duo[0].duo-api-host={apihostlink}
> #cas.authn.mfa.duo[0].duo-application-key={key}
> cas.authn.mfa.duo[0].duo-integration-key={integration_key}
> cas.authn.mfa.duo[0].duo-secret-key={secret-key}
>
> #JSON Registry
> cas.service-registry.core.init-from-json=false
> cas.service-registry.json.location=file:/etc/cas/services
>
> here is the service registry for DegreeWorks:
> /etc/cas/services/dashboard-849100.json
> {
> /*Dashboard TEST service registry*/
> "@class":"org.apereo.cas.services.CasRegisteredService",
> "serviceId":"^(https:)\/\/degreeworks.school.edu:8491\/dashboard\/",
> "name":"Degreeworks Dashboard TEST (degreeworks-test)",
> "id":"849100",
> "evaluationOrder":1,
> "proxyPolicy":{
>
> "@class":"org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
> "pattern":"^ (https:)\/\/degreeworks.school.edu:8491
> \/dashboard\/",
> //,
> }
> logoutType: BACK_CHANNEL
> attributeReleasePolicy:
> {
> "@class" :
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
> "allowedAttributes" : [ "java.util.ArrayList", [ "UDC_IDENTIFIER" ] ]
> authorizedToReleaseCredentialPassword: false
> authorizedToReleaseProxyGrantingTicket: true
> excludeDefaultAttributes: false
> authorizedToReleaseAuthenticationAttributes: true
> }
>
> multifactorPolicy:
> {
>
> "@class":"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
> "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [
> "mfa-duo" ] ]
> /*failureMode: NOT_SET
> * bypassEnabled: false*/
>
> }
> accessStrategy:
> {
> @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
> order: 0
> enabled: true
> ssoEnabled: true
> requireAllAttributes: false
> caseInsensitive: true
> }
>
> }
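Ray's advice to check the serviceId regex against an actual service argument, as an added sketch that is not part of the thread or of CAS itself. It uses Python's `re` as a stand-in for Java's regex engine and assumes the whole service URL must match the pattern; `casserver.example`, the sample URLs and the `HARDENED` variant are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# serviceId values exactly as they would sit in a registry JSON file.
POSTED = r'"^(https:)\/\/degreeworks.school.edu:8491\/dashboard\/"'    # from the thread
HARDENED = r'"^https://degreeworks\\.school\\.edu:8491/dashboard/.*"'  # constructed variant


def service_argument(login_url):
    """Return the URL-decoded ?service= value a client sent to /cas/login."""
    values = parse_qs(urlsplit(login_url).query).get("service", [])
    return values[0] if values else None


def compile_service_id(json_literal):
    """Decode the JSON string first; the regex engine only sees the decoded text."""
    return re.compile(json.loads(json_literal))


def matches(json_literal, service):
    # Assumption: whole-string matching, as with Java's Matcher.matches().
    return compile_service_id(json_literal).fullmatch(service) is not None


# Constructed inputs: a login request with an encoded service argument,
# the bare dashboard URL, a look-alike host, and a plain-http variant.
LOGIN_URL = ("http://casserver.example/cas/login?service="
             "https%3A%2F%2Fdegreeworks.school.edu%3A8491%2Fdashboard%2Flogin%3Fnext%3Dhome")
SAMPLES = [
    "https://degreeworks.school.edu:8491/dashboard/",
    service_argument(LOGIN_URL),
    "https://degreeworksXschool.edu:8491/dashboard/",
    "http://degreeworks.school.edu:8491/dashboard/",
]


def report():
    """One (service, posted_matches, hardened_matches) row per sample."""
    return [(s, matches(POSTED, s), matches(HARDENED, s)) for s in SAMPLES]


if __name__ == "__main__":
    for service, posted, hardened in report():
        print(f"posted={posted!s:5} hardened={hardened!s:5} {service}")
```

Under these assumptions the posted pattern rejects a service URL that carries a path or query after `/dashboard/` and accepts a host where the unescaped `.` is replaced by another character; the variant with `\\.` and a trailing `.*` reverses both results.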
