What version of CAS are you on? I'm trying v6.6.8 with a similar cas.authn.pac4j.oidc[0].azure config to the one you posted:

cas.authn.pac4j.oidc[0].azure.client-name=AZURE-AD-NEWCO
// set the AD side to have a redirect URL of https://localhost:8443/cas/login?client_name=AZURE-AD-NEWCO

but I'm getting an "Invalid CORS request" on the redirect back to my CAS instance. Looking at SAML tracer I am getting a 403 (I have a wildcarded service defined):

POST https://localhost:8443/cas/login?client_name=AZURE-AD-NEWCO HTTP/1.1
Referer: https://login.microsoftonline.com/

HTTP/1.1 403
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers

-psv

On Tuesday, July 4, 2023 at 12:00:44 PM UTC-5 Ray Bon wrote:
> Jerome,
>
> Sorry, I should have also mentioned that you need to enable the JSON
> service registry (first link in my previous email). With your current
> config it is using the in-memory service registry.
> And remember to put your service file in the destination directory.
>
> Ray
>
> On Tue, 2023-07-04 at 09:21 +0200, Jerome Denechaud wrote:
>
> Hello Ray,
>
> thanks for your answer. So I added:
> cas.service-registry.json.location=file:/etc/cas/services
>
> and moved cas.properties to /etc/cas/config:
> 00:06:00 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[file [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
> 2023-07-04 07:06:00,785 INFO [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <Validated CAS property sources and configuration successfully.>
> 2023-07-04 07:06:00,789 INFO [org.apereo.cas.web.CasWebApplication] - <The following 1 profile is active: "standalone">
>
> but I still have:
> 2023-07-04 07:06:30,841 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>
>
> Best,
>
> On Mon, Jul 3, 2023 at 10:59 PM Ray Bon <rb...@uvic.ca> wrote:
>
> Jerome,
>
> Your test service is not being loaded.
> 05:22:45 INFO [o.a.c.s.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>
>
> See https://apereo.github.io/cas/6.6.x/services/JSON-Service-Management.html
> and https://apereo.github.io/cas/6.6.x/services/Service-Management.html
>
> Ray
>
> On Mon, 2023-07-03 at 06:17 -0700, Jerome Denechaud (wanexa) wrote:
>
> Hello,
>
> I'm trying to deploy a CAS server for delegated Azure AD authentication.
> I'm working with the docker image apereo/cas:latest.
> I added a cas.properties file as below:
> cas.authn.pac4j.oidc[0].azure.display-name= cas
> cas.authn.pac4j.oidc[0].azure.auto-redirect-type= SERVER
> cas.authn.pac4j.oidc[0].azure.client-name= cas
> cas.authn.pac4j.oidc[0].azure.enabled= true
> cas.authn.pac4j.oidc[0].azure.id= xxxxxxxxxxxx
> cas.authn.pac4j.oidc[0].azure.response-mode= form_post
> cas.authn.pac4j.oidc[0].azure.response-type= id_token
> cas.authn.pac4j.oidc[0].azure.scope= openid
> cas.authn.pac4j.oidc[0].azure.secret= xxxxxxxxxxxx
> cas.authn.pac4j.oidc[0].azure.tenant= xxxxxxxxxxxxxx
> cas.authn.pac4j.oidc[0].azure.use-nonce= true
> cas.authn.pac4j.oidc[0].azure.discovery-uri= https://login.microsoftonline.com/xxxxxxxxxxxxx/v2.0/.well-known/openid-configuration
> cas.authn.pac4j.oidc[0].azure.logout-url= https://login.microsoftonline.com/common/oauth2/logout
> cas.serviceRegistry.json.location: file:/etc/cas/services
>
> test-1.json:
> {
>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>   "serviceId" : "^(https?)://.*",
>   "name" : "test",
>   "id" : 1,
>   "evaluationOrder" : 1
> }
>
> On the Azure side:
> https://x.x.x.x/cas/login?client_name=AzureClient
> (public address, no DNS)
>
> When I try to authenticate on my app portal:
> 06:10:07 ERROR [o.a.c.s.w.s.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized
> RegisteredServiceAccessStrategyAuditableEnforcer.java:lambda$execute$6:200
> Optional.java:orElseGet:364
> RegisteredServiceAccessStrategyAuditableEnforcer.java:execute:194
>
> I switched to debug in log4j but can't find anything more.
> Startup log:
> 05:22:12 INFO [o.a.c.c.CasConfigurationPropertiesValidator] - <Validated CAS property sources and configuration successfully.>
> 05:22:16 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[]] under profile(s) [[standalone]]>
> 05:22:16 INFO [o.a.c.c.CasConfigurationPropertiesValidator] - <Validated CAS property sources and configuration successfully.>
> 05:22:16 INFO [o.a.c.w.CasWebApplication] - <The following 1 profile is active: "standalone">
> 05:22:29 INFO [o.a.c.c.CasCoreServicesConfiguration] - <Runtime memory is used as the persistence storage for retrieving and persisting service definitions. Changes that are made to service definitions during runtime WILL be LOST when the CAS server is restarted. Ideally for production, you should choose a storage option (JSON, JDBC, MongoDb, etc) to track service definitions.>
> 05:22:36 WARN [o.s.b.a.s.s.UserDetailsServiceAutoConfiguration] - <
>
> Using generated security password: jkljljlk
>
> This generated password is for development use only. Your security configuration must be updated before running your application in production.
>
> >
> 05:22:37 INFO [o.s.s.w.a.c.ChannelProcessingFilter] - <Validated configuration attributes>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will secure any request with [org.springframework.security.web.access.channel.ChannelProcessingFilter@69069866, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2f9addd4, org.springframework.web.filter.CorsFilter@1c43df76, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1d7c9811, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@ff2266c, org.springframework.security.web.access.ExceptionTranslationFilter@7757a37f, org.springframework.security.web.access.intercept.AuthorizationFilter@2335aef2]>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/login/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/logout/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/validate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/serviceValidate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/p3/serviceValidate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/proxyValidate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/p3/proxyValidate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/proxy/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/webjars/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/js/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/css/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/images/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/static/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/error']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/favicon.ico']>
> 05:22:41 INFO [o.a.c.c.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST when the web server is restarted. This MAY impact SSO functionality.>
> 05:22:41 INFO [o.a.c.u.CoreTicketUtils] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
> 05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
> 05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Generated encryption key [jklhkjjk] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings:
>
> cas.tgc.crypto.encryption.key=jklhkjjk
>
> >
> 05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
> 05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Generated signing key [oQ30Tk3YNd_mYgu7um3kuIUFzPamDVkfSjdDVaEvhW6Wh1YhgqRNgwoYHh5eSJhyc8sTin7naLdaob4UARLseA] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings:
>
> cas.tgc.crypto.signing.key=oQ30Tk3YNd_mYgu7um3kuIUFzPamDVkfSjdDVaEvhW6Wh1YhgqRNgwoYHh5eSJhyc8sTin7naLdaob4UARLseA
>
> >
> 05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Secret key for signing is not defined under [cas.webflow.crypto.signing.key]. CAS will attempt to auto-generate the signing key>
> 05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Generated signing key [gBCy5m2niOKZMNmLE-_yVJFhBRK2mCw1diQZHcr16CRqAs7aMUxyLHo-zYWyFizksC_JVaq7tLjYw0SYlW9s5Q] of size [512]. The generated key MUST be added to CAS settings:
>
> cas.webflow.crypto.signing.key=gBCy5m2niOKZMNmLE-_yVJFhBRK2mCw1diQZHcr16CRqAs7aMUxyLHo-zYWyFizksC_JVaq7tLjYw0SYlW9s5Q
>
> >
> 05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
> 05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Generated encryption key [knHc-h7pqGrVVLbZYNXiuA] of size [16]. The generated key MUST be added to CAS settings:
>
> cas.webflow.crypto.encryption.key=knHc-h7pqGrVVLbZYNXiuA
>
> >
> 05:22:45 WARN [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <>
> 05:22:45 WARN [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <
>
>  ____ _____ ___  ____  _
> / ___|_   _/ _ \|  _ \| |
> \___ \ | || | | | |_) | |
>  ___) || || |_| |  __/|_|
> |____/ |_| \___/|_|   (_)
>
> CAS is configured to accept a static list of credentials for authentication. While this is generally useful for demo purposes, it is STRONGLY recommended that you DISABLE this authentication method by setting 'cas.authn.accept.enabled=false' and switch to a mode that is more suitable for production.>
> 05:22:45 WARN [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <>
> 05:22:45 INFO [o.a.c.w.CasWebApplication] - <Started CasWebApplication in 33.514 seconds (JVM running for 37.949)>
> 05:22:45 INFO [o.a.c.s.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>
> 05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <>
> 05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <
>
>  ____  _____    _    ______   __
> |  _ \| ____|  / \  |  _ \ \ / /
> | |_) |  _|   / _ \ | | | \ V /
> |  _ <| |___ / ___ \| |_| || |
> |_| \_\_____/_/   \_\____/ |_|
>
> >
> 05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <>
> 05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <Ready to process requests @ [2023-07-03T12:22:45.529Z]>
> 05:23:15 INFO [o.a.c.t.r.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
> 05:23:40 INFO [o.a.i.a.s.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: {result=Service Access Denied, service=https://xxx.com/login.php}
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon Jul 03 12:23:40 UTC 2023
> CLIENT IP ADDRESS: x.x.x.x
> SERVER IP ADDRESS: x.x.x.x
> =============================================================
>
> Any help please?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
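A small pre-flight check for the JSON service registry discussed in this thread, added here as an example (it is not code from the thread or from the CAS project). It loads each definition under the registry directory, checks the required fields, checks the `<name>-<id>.json` file-naming convention the quoted test-1.json follows (an assumption about the naming rule, stated in the code), and flags a serviceId such as `^(https?)://.*` that matches hosts you do not own, since a wildcard service lets any site consume tickets. It only validates the files; as Ray's reply notes, the JSON registry module itself still has to be enabled for CAS to read them.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample: the test-1.json registration quoted in the thread.
SAMPLE_SERVICE = {
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": "^(https?)://.*",
    "name": "test",
    "id": 1,
    "evaluationOrder": 1,
}
# Constructed probe URLs: one host you own, one you do not.
PROBE_URLS = ["https://portal.example.org/login.php", "https://unrelated.invalid/cb"]
REQUIRED = ("@class", "serviceId", "name", "id")


def check_service_file(path):
    """Return a list of findings (empty means OK) for one JSON service definition."""
    path = Path(path)
    svc = json.loads(path.read_text())
    findings = [f"missing required field {k}" for k in REQUIRED if k not in svc]
    if findings:
        return findings
    # Assumption: the registry expects each file to be named <name>-<id>.json
    # (the thread's test-1.json follows that convention for name "test", id 1).
    expected = f"{svc['name']}-{svc['id']}.json"
    if path.name != expected:
        findings.append(f"file should be named {expected}, not {path.name}")
    try:
        pattern = re.compile(svc["serviceId"])  # Python re; close to Java for typical patterns
    except re.error as exc:
        return findings + [f"serviceId is not a valid regex: {exc}"]
    # A serviceId that matches every probe URL lets any site obtain tickets:
    # fine for a first smoke test, but it must be narrowed before production.
    if all(pattern.match(u) for u in PROBE_URLS):
        findings.append("serviceId is a wildcard: it matches hosts you do not own")
    return findings


def check_registry_dir(directory):
    """Map each *.json file in a registry directory to its findings."""
    return {p.name: check_service_file(p) for p in sorted(Path(directory).glob("*.json"))}


def demo():
    """Write the sample service into a temporary registry directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "test-1.json").write_text(json.dumps(SAMPLE_SERVICE))  # correct name
        Path(tmp, "test.json").write_text(json.dumps(SAMPLE_SERVICE))    # wrong name
        return check_registry_dir(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```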