[cas-user] CAS files not generating

2024-07-02 Thread Ben
Hello, I am trying to generate a deployment of CAS 7.0. From reading the documentation, I should (and am hopefully) using a clean WAR Overlay build. I am using guides I found in the CAS Community such as the following: - https://paulchauvet.github.io/deploying-cas/building-cas/init

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-05 Thread Ben
it auto log out if the TGC is expired similar to ng-idle? Ben Chang On Monday, November 4, 2024 at 9:39:44 PM UTC-5 Dmitriy Kopylenko wrote: > This could be helpful > https://apereo.github.io/cas/7.0.x/installation/Logout-Single-Signout.html > > D. > > On Mon, Nov 4, 2024 at

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-04 Thread Ben
I thought CAS superseded the client apps session? Is there a way to overwrite the local session? On Monday, November 4, 2024 at 1:38:23 PM UTC-5 Dmitriy Kopylenko wrote: > The client app could be keeping their own local session. > > D. > > On Mon, Nov 4, 2024 at 11:33 Ben wr

[cas-user] TGT Expiring not requiring log-in

2024-11-04 Thread Ben
Hello, I am trying to set up a service to require a specific application to log out after x (currently set to 5 as a test) seconds. I see the logs saying it's logging out, but when I click around the website, refresh, or make user changes, I'm still logged in and it isn't requiring me to log in.

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-11 Thread Ben
wrong or my SLO configured wrong? On Sunday, November 10, 2024 at 11:29:48 PM UTC-5 Ben Chang wrote: > So from my reading of tgts and the flow diagram you posted earlier, don’t > tgts grant service tickets (with help of the session cookie) which are only > valid during the maxtimetoli

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-08 Thread Ben
10 }, "serviceTicketExpirationPolicy": { "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy" , "numberOfUses": 1, "timeToLive": 15 }, "proxyTicketExpirationPolicy": {

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-05 Thread Ben
Additionally, I've set the logoutURL to my application's log out and it's also not working. On Tuesday, November 5, 2024 at 11:04:50 AM UTC-5 Ben wrote: > I'm sure I'm misunderstanding it, but in my properties, I added the > following to try to resolve the issue: > > cas

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-07 Thread Ben
UT_SUCCESS 2024-11-07 09:41:04 CLIENT_IP: unknown 2024-11-07 09:41:04 SERVER_IP: unknown 2024-11-07 09:41:04 ========= Ben On Wednesday, November 6, 2024 at 2:51:33 PM UTC-5 Ray Bon wrote: > Ben, > > logoutURL is where cas will

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-06 Thread Ben
to logout? Am I misunderstanding this? Thanks, On Tuesday, November 5, 2024 at 11:38:01 PM UTC-5 Ray Bon wrote: > Ben, > > Cas session (TGT / TGC) and your application session are independent. > Logout requests are only sent by cas when cas/logout is visited. > Your application (cas c

[cas-user] Allow REST login, but prohibit web login

2023-11-10 Thread Ben P
Dear CAS-Community, In our setup we'd like to use the TGT Rest mechanism (https://apereo.github.io/cas/6.5.x/protocol/REST-Protocol-Request-TicketGrantingTicket.html) for a specific(!) user (backed by LDAP) but do not allow a web-login for this user. So basically any tried weblogin should be

[cas-user] java.lang.NoClassDefFoundError: Could not initialize class org.jcp.xml.dsig.internal.dom.DOMEnvelopedTransform

2015-12-08 Thread Ben Branch
ent, but not my production environment. Environment Details: Red Hat Enterprise Linux 6.7 CAS 3.5.2 Java 1.7.0_91 (OpenJDK) Tomcat6 + User Session replication + EhCache Ticket Registry. Has anyone run into this or similar situations like this? Many thanks in advance, Ben Branch UNIX/Linux Administrato

[cas-user] RE: cas 3.5.2.1

2016-03-23 Thread Ben Branch
issue and use setroubleshootd to see what the recommended solutions are for the alerts. Good luck! Ben Branch UNIX/Linux Administrator University of Central Oklahoma ITIL Foundation v3, Network+, RHCE 100 N. University Drive, Box 122 Edmond, OK 73034 D: 405.974.2649 | M: 405.550.6804 | b

[cas-user] Sporadic issues with authentication stopping

2016-08-02 Thread Ben Branch
.authentication.lppe.dateAttribute=pwdLastSet ldap.authentication.lppe.warningDaysAttribute ldap.authentication.lppe.validDaysAttribute=maxPwdAge ldap.authentication.lppe.warningDays=14 ldap.authentication.lppe.validDays=90 ldap.authentication.lppe.noWarnAttribute= ldap.authentication.lppe.noWarnValues= Ben

[cas-user] CAS 4.2.7 and Active Directory

2017-01-18 Thread Ben Branch
s is already enabled. Any help would be greatly appreciated. Ben Branch UNIX/Linux Administrator University of Central Oklahoma ITIL Foundation v3, Network+, RHCE 100 N. University Drive, Box 122 Edmond, OK 73034 D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.<mailto:bbranch@uco.&

RE: [cas-user] CAS 4.2.7 and Active Directory

2017-01-18 Thread Ben Branch
Daniel, Worked like a champ. Many thanks! Now onto trying to configure the rest of the stuff! Ben Branch UNIX/Linux Administrator University of Central Oklahoma ITIL Foundation v3, Network+, RHCE 100 N. University Drive, Box 122 Edmond, OK 73034 D: 405.974.2649 | M: 405.550.6804 | bbranch

[cas-user] CAS Service Management Application 4.2.7

2017-01-19 Thread Ben Branch
ies.adminRoles=ROLE_ADMIN pac4j.callback.defaultUrl=/manage.html Ben Branch UNIX/Linux Administrator University of Central Oklahoma ITIL Foundation v3, Network+, RHCE 100 N. University Drive, Box 122 Edmond, OK 73034 D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.<mailto:bbranch@uco.>edu | www.uco.edu<

[cas-user] CAS 5.0.2 and logging errors on initial deployment

2017-01-27 Thread Ben Branch
I feel like I am nowhere closer than when I started. Any help would be greatly appreciated. Ben Branch UNIX/Linux Administrator University of Central Oklahoma ITIL Foundation v3, Network+, RHCE 100 N. University Drive, Box 122 Edmond, OK 73034 D: 405.974.2649 | M: 405.550.6804 | bbranch@uco

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-10 Thread Ben Chang
questions, I’m new to CAS and trying to grasp it. The documentation is appearing to not be as straightforward as expected. Thanks Ben Sent from my iPhone On Nov 8, 2024, at 1:36 PM, Ray Bon wrote: Ben, You are misunderstanding the nature of sessions. Cas session, TGT, is completely separate from your

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-07 Thread Ben Chang
in and sign out, just not force out after the time expires/logout_sucess log. Ben Sent from my iPhone On Nov 7, 2024, at 3:13 PM, Ray Bon wrote: Ben, TGT expiration policies are for life of cas session (how long does SSO last). see under per service tab https://apereo.github.io/cas/7.1.x

Re: [cas-user] TGT Expiring not requiring log-in

2024-11-07 Thread Ben Chang
: Ben, cas/logout is an endpoint in cas. It tells cas to destroy its own session and send logout requests to all services associated with the TGT (depending on global and service config). see https://apereo.github.io/cas/7.1.x/protocol/CAS-Protocol-Specification.html If the service id was not

Re: [cas-user] Cas5 Ldap Authentication

2018-03-21 Thread Ben Howell-Thomas
Did you work it out? But the documentation suggests it'll just pick it up and run it (which means I'm doing wrong by overriding LdapAuthenticationConfiguration, creating much more work for myself on upgr

Re: [cas-user] CAS 5.2.2 how can I setting custom login page?

2018-03-23 Thread Ben Howell-Thomas
You can maven override it. Find loginform.html in the CAS source. Copy it (and as much of the associated parts as needed) into your maven override project. loginform.html will end up under src/main/resources/templates/fragments/loginform.html On 22 March 2018 at 07:43, ChangWon Son wrote: > H

Re: [cas-user] CAS +LDAP +ppolicy_

2016-12-06 Thread Ben Howell-Thomas
a real username. Ben On 6 December 2016 at 13:25, liu chenghai wrote: > Hi, > I use ppolicy overlay and enabled ppolicy_use_lockout to separate between > invalid password and locked accounts on openldap. > > > I tried to lock a user account by entering a wrong password couple of >

Re: [cas-user] accessing cas.properties from Thymeleaf

2017-02-01 Thread Ben Howell-Thomas
Couldn't you just put it in the messages.properties file and access it like the title eg "#{logo.file}"? On 31 January 2017 at 16:04, Jozef Kotlar - EEA.sk wrote: > Hello, > > In CAS version 4.2.x I was able to make URL in logo configurable using > > > http://www.apereo.org')" var="custom

Re: [cas-user] Not able to return user_roles from CAS Server to the Client.

2017-02-01 Thread Ben Howell-Thomas
Just in case it's helpful - when I had that problem (via Spring security) it was because I was using version 2 of the cas protocol (based on whatever guide I was following). To get attributes it needed to be version 3. On 31 January 2017 at 17:33, Martin Bohun wrote: > I am not 100% sure if we

Re: [cas-user] Problem setting up Proxy support

2017-02-03 Thread Ben Howell-Thomas
In Tomcat's conf/server.xml you'll have a tag. You can specify the keys and ca-cert Tomcat will use there eg : SSLEnabled="true" scheme="https" secure="true" >sslProtocol="TLSv1.2" > keystoreFile="C:\some_path\certs\keystore.p12" keystoreType="PKCS12" keystorePass="your password" >

Re: [cas-user] accessing cas.properties from Thymeleaf

2017-02-03 Thread Ben Howell-Thomas
es, but still it is > too constraining. > > Jozef > > > On Wednesday, February 1, 2017 at 11:44:14 AM UTC+1, Ben Howell-Thomas > wrote: >> >> Couldn't you just put it in the messages.properties file and access it >> like the title eg "#{logo.file}"

Re: [cas-user] Re: Not able to return user_roles from CAS Server to the Client.

2017-02-03 Thread Ben Howell-Thomas
You don't *need* to use the cas-management UI to set it up. You do need to set an attributeReleasePolicy in the services .json file. (You also need to specify the attributes to be returned somewhere per previous responses). It's the Spring side that I found most confusing. Below is an excerpt from

[cas-user] LDAP BindPassivator needed for pooled DirectBind connections where LDAP denies anonymous search

2017-02-13 Thread Ben Howell-Thomas
(l.getBindCredential())); > cp.setPassivator(new BindPassivator(br)); Another workaround of course would be to change the LDAP configuration. thanks, Ben # ps some relevant LDAP settings for reference cas.authn.ldap[0].type=DIRECT cas.authn.ldap[0].useSsl=false cas.authn.ldap[0].useStartTls=false

Re: [cas-user] LDAP BindPassivator needed for pooled DirectBind connections where LDAP denies anonymous search

2017-02-28 Thread Ben Howell-Thomas
RC2. Ah yes, I think I've connected the dots, the release announcement has : - Removed the need to re-create LDAP connection pools during LDAP authentication for entry resolution, etc. That'll be it - Thanks Misagh :) Ben On 24 February 2017 at 23:59, Tom Poage wrote: > This

Re: [cas-user] LDAP BindPassivator needed for pooled DirectBind connections where LDAP denies anonymous search

2017-03-17 Thread Ben Howell-Thomas
ll of which is probably worse than upgrading ;) Ben On 15 March 2017 at 15:53, Jérôme Nenert wrote: > > Ben Howell-Thomas wrote: > > Thanks for confirming I'm not the only one who had that issue. >> >> I hadn't got around to raising an issue so I thought I was g

Re: [cas-user] Accessing user credentials in webflow (CAS 5.0)?

2017-05-15 Thread Ben Howell-Thomas
I think this from login-webflow.xml already puts them into "credential" : > > > > On 12 May 2017 at 22:07, Adam Causey wrote: > Is there a way to get a user's credentials in CAS 5.0.5 when extending the > Webflow? I am using this as an example on ex

Re: [cas-user] Accessing user credentials in webflow (CAS 5.0)?

2017-05-16 Thread Ben Howell-Thomas
ng in an @Configuration class : @Bean > public MyAction myAction() { > return new MyAction(); > } On 15 May 2017 at 18:16, Adam Causey wrote: > Thanks for the response. Any idea how to actually access that credential > model in Java code within the WebflowConfigure

Re: [cas-user] HTTPSandIMAPS-10000001.json keeps coming back

2017-05-24 Thread Ben Howell-Thomas
Don't know if it's the best solution but we've created blank (ie empty file) versions of those files in our project so the originals get overridden. On 24 May 2017 at 07:14, Petr Gašparík - AMI Praha a.s. < petr.gaspa...@ami.cz> wrote: > That's exactly my question, that is not covered by docs, AF

Re: [cas-user] Re: How to disable certificate check or trust a self-signed certificate?

2017-06-07 Thread Ben Howell-Thomas
If it's this : https://apereo.github.io/cas/development/installation/Configuration-Properties.html#http-client Then we needed to override HttpClientProperties to make it support a suitable Truststore for our self-signed certificate. On 31 May 2017 at 08:06, Emilian Mitocariu wrote: > I tried t

Re: [cas-user] CAS 5.1 Password expired issues

2017-06-08 Thread Ben Howell-Thomas
Have a look at : cas.authn.pm.enabled=true which I think you need to set. Also login-webflow.xml has a handleAuthenticationFailure step which handles all the different exceptions, including CredentialExpiredException. On 7 June 2017 at 13:54, Pavlos Drandakis wrote: > Hello all, > > I am tr

Re: [cas-user] CAS 5.1 Password expired issues

2017-06-09 Thread Ben Howell-Thomas
This bug https://github.com/apereo/cas/issues/2322 previously could stop the expired password being handled but it's fixed in 5.1 RC2. On 8 June 2017 at 15:10, Pavlos Drandakis wrote: > Hi Ben, > > Thanks for your suggestion, but I have already tried it (and tried it once >

Re: [cas-user] CAS 5.1.0 Password Policy Setup

2017-06-15 Thread Ben Howell-Thomas
RE #2 It's probably showing {1} because you need to pass a parameter when getting the bundle text. See casPostResponseView.html for an example (search for th:text). On 12 June 2017 at 02:56, pingminadmin wrote: > I am working on CAS 5.1.0 with openLDAP 2.4. I get confused by Password > Policy a

Re: [cas-user] CAS 5.1 Password expired issues

2017-06-15 Thread Ben Howell-Thomas
If you get to the bottom of it, please share the solution. I'll be working on upgrading to 5.1 in a few weeks. On 13 June 2017 at 11:59, Ludovic Senecaux wrote: > Hello, > > I have exactly the same problem for locked accounts (pwdAccountLockedTime) > or accounts whose password has been reset (p

Re: [cas-user] CAS 5.1 Password expired issues

2017-06-22 Thread Ben Howell-Thomas
Regarding : Eventually, everything seems to work ok, after adding in login-webflow.xml > the following (which is present in CAS v5.0.x but not in CAS v5.1.0): > > > to="casAccountDisabledView"/> > > to="casExpiredPassView"/> > to="casMustChangePass

Re: [cas-user] CAS 5.1 Password expired issues

2017-06-26 Thread Ben Howell-Thomas
Pavlos Drandakis wrote: > > Hi Ben, > > No, I hadn't, but I just did it: https://github.com/apereo/cas/issues/2703 > Cheers, > Pavlos > > On 22/06/2017 06:43 PM, Ben Howell-Thomas wrote: > > Regarding : > > Eventually, everything seems to work ok, after addin

Re: [cas-user] CAS 5.1 Missing cas.properties

2017-06-28 Thread Ben Howell-Thomas
It's not supposed to be copied. See https://apereo.github.io/cas/development/installation/Configuration-Management.html#overview and also bootstrap.properties. There's lots of different ways to get the config. I think we set our servers to get it via the -D vm argument (see bootstrap.properties)

[cas-user] Re: MongoDbTicketRegistry TTL Index

2017-07-04 Thread ben . howell-thomas
I've just finished setting up a Mongo backed ticket registry for 5.1.1 and agree with you. It's setting the expireAt field to the TTL rather than expireAfterSeconds which might do what's intended. On Saturday, 24 June 2017 21:18:56 UTC+1, Geoff wrote: > > Has anyone else run into problems with

Re: [cas-user] Re: MongoDbTicketRegistry TTL Index

2017-07-04 Thread Ben Howell-Thomas
Raised issue https://github.com/apereo/cas/issues/2748. It is using an expireAfterSeconds index but isn't setting a date. On 4 July 2017 at 12:44, wrote: > I've just finished setting up a Mongo backed ticket registry for 5.1.1 and > agree with you. It's setting the expireAt field to the TTL ra

Re: [cas-user] Surrogate + LDAP authentication in CAS 5.1.0

2017-07-12 Thread Ben Howell-Thomas
I don't know for sure, but looking at SurrogateAuthenticationConfiguration and the properties documentation it looks like you need to specify the ldap configuration specifically for the surrogate lookup eg cas.authn.*surrogate* .ldap.ldapUrl. On 11 July 2017 at 23:45, Jozef Kotlar - EEA.sk wrote:

Re: [cas-user] Help with CAS 5.1.3 & LDAP

2017-08-17 Thread Ben Howell-Thomas
You can put this in your log4j2.xml file to see what ldap connections are happening : > > > On 16 August 2017 at 20:53, 'Daniel M.' via CAS Community < cas-user@apereo.org> wrote: > OK, before you even try to configure CAS did you use a tool like > l

Re: [cas-user] Upgrade CAS 3.3.5 to 4 or 5?

2017-09-06 Thread Ben Howell-Thomas
I'd vote for 5 so you only go through the pain once ;) TBH I don't know 3, but 4 to 5 changes a lot (hence it's a major version number change I guess). On 6 September 2017 at 16:50, Micas Camela wrote: > Hi there! > > I have CAS 3.3.5 with some customizations (developed classes) integrated > wit

Re: [cas-user] Avoid default services recreation cas overlay

2017-10-12 Thread Ben Howell-Thomas
We add empty versions of those files to our maven override project - much easier. On 11 October 2017 at 07:31, Christian Axel Schmidt Dick < christianaxel.schm...@gmail.com> wrote: > Thanks Brian, you nailed it. It works! > > On Tue, 10 Oct 2017 at 14:36, Brian Gibson (< > gibson_br...@wheat

Re: [cas-user] Simple httpd load balancer to use 2 CAS instances on 2 different machines

2017-10-17 Thread Ben Howell-Thomas
> > After login it does not keep session, so I think I need to configure CAS > in order to share session between existing instances but I don't know how > to do that. Check the docs for "Ticket Registry". There's

Re: [cas-user] CAS 5.2.1 report failed authentications as AUTHENTICATION_SUCCESS

2018-01-19 Thread Ben Howell-Thomas
I'm seeing this too. Attached image of debugging shows it goes to the wrong resolveFrom method in org.apereo.inspektr.audit.spi.support.DefaultAuditActionResolver. ie one version of the method takes an Object (for success messages) and the other takes an Exception (for failure). It should go to t

Re: [cas-user] CAS 5.2.1 report failed authentications as AUTHENTICATION_SUCCESS

2018-01-19 Thread Ben Howell-Thomas
n helpful. I'm sorry but I haven't got time to submit a patch (partly because upgrading to 5.2 has taken so long ;). If it's not something anyone's likely to pick up I could maybe look at it next week. blessings, Ben On 19 January 2018 at 14:52, Jeffrey Ramsay wrote: > Ho

Re: [cas-user] CAS 5.2.1 report failed authentications as AUTHENTICATION_SUCCESS

2018-01-29 Thread Ben Howell-Thomas
Thank you :) On 23 January 2018 at 16:27, Oscar del Pozo wrote: > Hi, > > I've made a pull request solving this issue: https://github.com/ > apereo/inspektr/pull/10. It has been already approved. > > On Friday, 19 January 2018, 16:47:02 (UTC+1), Ben Howell-Thomas

Re: [cas-user] CAS 5.2.1 report failed authentications as AUTHENTICATION_SUCCESS

2018-02-06 Thread Ben Howell-Thomas
ted right now the new version and it seems to fail. This issue > should be re-opened at the github project > > On Monday, 29 January 2018, 15:34:54 (UTC+1), Ben Howell-Thomas > wrote: >> >> Thank you :) >> >> On 23 January 2018 at 16:27, Oscar del Pozo w