Application Not Authorized to Use CAS, After authentication.


mohamed gamal

Nov 9, 2019, 1:36:06 PM
to CAS Community
Hello everyone,
I am trying to integrate CAS with a SharePoint application using WS-Fed. I added the service file and the application connects normally to CAS: the app redirects the user to CAS for authentication, the user is authenticated by CAS, and I can see in the logs that the user is authenticated and everything looks fine. But after the authentication the user is shown the message "Application Not Authorized to Use CAS". I am using the Git service registry; could this be the problem? Any idea how to solve this?
Kindest regards.

Steve Cheung

Nov 10, 2019, 7:39:57 PM
to cas-...@apereo.org
Hi mohamed,

Please try this and see whether it helps to solve your problem.

1. Enable the service registry module in CAS via /etc/cas/config/cas.properties:
cas.serviceRegistry.initFromJson=false
cas.serviceRegistry.json.location=file:/etc/cas/services

2. Place the enabled services file under /etc/cas/services 

File name: HTTPSandIMAPS-10000001.json

JSON content sample which only allows HTTPS and IMAPS calls:
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder": 10000
}


Regards, Steve

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8b7414a7-b714-400d-a1ea-16ee001b7f56%40apereo.org.

mohamed gamal

Nov 12, 2019, 12:39:01 AM
to CAS Community
Hello Steve,
Thanks for your support. 
But now I am getting this error:
 DEBUG [org.apereo.cas.support.realm.UriRealmParser] - <URI realm parsed: [CAS]>
2019-11-11 13:22:51,868 WARN [org.apache.cxf.sts.token.provider.SAMLTokenProvider] - <>
java.lang.ClassCastException: class java.lang.String cannot be cast to class java.net.URI (java.lang.String and java.net.URI are in module java.base of loader 'bootstrap')
       at org.apereo.cas.support.claims.CustomNamespaceWSFederationClaimsClaimsHandler$CustomNamespaceWSFederationClaimsList.contains(CustomNamespaceWSFederationClaimsClaimsHandler.java:58) ~[cas-server-suppor
       at org.apache.cxf.sts.claims.ClaimsManager.filterHandlerClaims(ClaimsManager.java:286) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.claims.ClaimsManager.handleClaims(ClaimsManager.java:191) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.claims.ClaimsManager.retrieveClaimValues(ClaimsManager.java:149) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.claims.ClaimsManager.retrieveClaimValues(ClaimsManager.java:110) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.claims.ClaimsUtils.processClaims(ClaimsUtils.java:57) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider.getStatement(ClaimsAttributeStatementProvider.java:38) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createCallbackHandler(SAMLTokenProvider.java:336) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createSamlToken(SAMLTokenProvider.java:307) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createToken(SAMLTokenProvider.java:121) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle(TokenIssueOperation.java:172) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.operation.TokenIssueOperation.issue(TokenIssueOperation.java:85) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
       at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
       at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
       at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
       at org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(SecurityTokenServiceProvider.java:244) ~[cxf-rt-ws-security-3.3.2.jar!/:3.3.2]


and this:

       at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:836) ~[tomcat-coyote-9.0.20.jar!/:9.0.20]
       at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1839) ~[tomcat-coyote-9.0.20.jar!/:9.0.20]
       at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote-9.0.20.jar!/:9.0.20]
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.20.jar!/:9.0.20]
       at java.lang.Thread.run(Thread.java:834) [?:?]
2019-11-11 13:22:51,868 WARN [org.apache.cxf.sts.operation.TokenIssueOperation] - <>
org.apache.cxf.ws.security.sts.provider.STSException: The specified request failed
       at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createToken(SAMLTokenProvider.java:181) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle(TokenIssueOperation.java:172) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at org.apache.cxf.sts.operation.TokenIssueOperation.issue(TokenIssueOperation.java:85) ~[cxf-services-sts-core-3.3.2.jar!/:3.3.2]
       at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
       at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
       at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
       at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
       at org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(SecurityTokenServiceProvider.java:244) ~[cxf-rt-ws-security-3.3.2.jar!/:3.3.2]
       at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
       at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]

Abdelrahman Halawa

Nov 12, 2019, 3:40:40 AM
to cas-...@apereo.org
Hi Mohammed,

Could you share your WS-Fed configuration for CAS and the JSON file of the service as well, so I may help you?



--
Best regards,
------------------------------------
 
Abdelrahman Halawa
Teacher Assistant, Computer and Systems Department, Al-Azhar University
+2 01008131693 | abdelrah...@gmail.com | Skype: abdelrahmanhalawa | Maadi, Cairo, Egypt

mohamed gamal

Nov 12, 2019, 6:25:15 AM
to CAS Community
Dear Abdelrahman,
Below you can find the configuration and the service JSON.
Thanks for your support.


cas.authn.wsfedIdp.idp.realm=urn:org:apereo:cas:ws:idp:realm-CAS
cas.authn.wsfedIdp.idp.realmName=CAS
cas.authn.wsfedIdp.sts.subjectNameIdFormat=unspecified
cas.authn.wsfedIdp.sts.encryptTokens=false
cas.authn.wsfedIdp.sts.signingKeystoreFile=file:/etc/cas/config/signing.jks
cas.authn.wsfedIdp.sts.signingKeystorePassword=changeit
cas.authn.wsfedIdp.sts.encryptionKeystoreFile=file:/etc/cas/config/encryption.jks
cas.authn.wsfedIdp.sts.encryptionKeystorePassword=changeit
cas.authn.wsfedIdp.sts.realm.keystoreFile=file:/etc/cas/config/realmcas.jks
cas.authn.wsfedIdp.sts.realm.keystorePassword=changeit
cas.authn.wsfedIdp.sts.realm.keystoreAlias=realmcas
cas.authn.wsfedIdp.sts.realm.keyPassword=changeit
cas.authn.wsfedIdp.sts.realm.issuer=CAS
cas.authn.wsfedIdp.sts.crypto.signing.key=xxxxxx
cas.authn.wsfedIdp.sts.crypto.signing.keySize=xxx
cas.authn.wsfedIdp.sts.crypto.encryption.key=xxxxxx
cas.authn.wsfedIdp.sts.crypto.encryption.keySize=xxx
cas.authn.wsfedIdp.sts.crypto.enabled=true


{
  "@class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
  "realm" : "urn:org:apereo:cas:ws:idp:realm-CAS",
  "name" : "Simple WS fed test application",
  "id" : 101,
  "evaluationOrder" : 2,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "caseInsensitive" : true
  }
}

Abdelrahman Halawa

Nov 12, 2019, 10:47:05 AM
to cas-...@apereo.org
Hi Mohammed,

Everything looks good, except that you need to set the token type in the JSON file to SAMLV1.1.
SharePoint supports SAMLV1.1 only, and the default in CAS is SAMLv2.
Change your JSON file as below and try again:
................
..............
"evaluationOrder" : 2,
..............
.................

mohamed gamal

Nov 13, 2019, 9:09:37 AM
to CAS Community
Unfortunately, Mr Abdelrahman,
we are still facing the same error.

Abdelrahman Halawa

Nov 14, 2019, 4:50:34 AM
to cas-...@apereo.org
Hi Mohammed,

Below is my JSON file; you are free to use it and try, but you must configure SharePoint to use the UPN and mail claims as the JSON shows.
Hint: it is a must to use the realmcas certificate as the signing certificate in the SharePoint config.

{
  "@class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
  "serviceId" : "https://xxxxxxxx.xxx.xxx.*",
  "realm" : "urn:org:apereo:cas:ws:idp:realm-CAS",
  "name" : "Simple WS fed test application",
  "id" : "101",
  "description" : "SharePoint",
  "evaluationOrder" : 1,
  "tokenType" : "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.ws.idp.services.WSFederationClaimsReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "USER_PRINCIPAL_NAME_2005" : "upn",
      "EMAIL_ADDRESS_2005" : "mail"
    }
  }
}

On Wed, 13 Nov 2019 at 16:09, mohamed gamal <mahmedg...@gmail.com> wrote:
Unfortunately, Mr Abdelrahman,
we are still facing the same error.

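
To make the two root causes discussed in this thread concrete (Steve's point that a request URL must match an enabled service definition's serviceId pattern, and Abdelrahman's point that a SharePoint WS-Fed service needs the SAMLV1.1 tokenType), here is an added Python sketch of how a CAS-style service registry picks a registered service for an incoming URL; it is not CAS code and not from any poster. The three definitions are constructed from the JSON files above (the SharePoint hostname is hypothetical), and Python's re.search with IGNORECASE is assumed to behave like the Java regex check CAS performs.

```python
import json
import re

SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"

# Constructed definitions modelled on the files posted in this thread: the first
# mirrors the original file (no serviceId), the second the working SharePoint
# definition (hostname is hypothetical), the third Steve's https/imaps catch-all.
SERVICES = [json.loads(s) for s in (
    '''{"@class": "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
        "realm": "urn:org:apereo:cas:ws:idp:realm-CAS", "name": "original",
        "id": 101, "evaluationOrder": 2}''',
    '''{"@class": "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
        "serviceId": "https://sharepoint.example.test/.*",
        "realm": "urn:org:apereo:cas:ws:idp:realm-CAS", "name": "SharePoint",
        "id": 102, "evaluationOrder": 1, "tokenType":
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"}''',
    '''{"@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https|imaps)://.*", "name": "HTTPS and IMAPS",
        "id": 10000001, "evaluationOrder": 10000}''',
)]

def find_service(services, url):
    """Return the first enabled definition whose serviceId regex matches url,
    lowest evaluationOrder first; None is what yields the
    'Application Not Authorized to Use CAS' page."""
    for svc in sorted(services, key=lambda s: s.get("evaluationOrder", 0)):
        pattern = svc.get("serviceId")
        enabled = svc.get("accessStrategy", {}).get("enabled", True)
        # A definition without serviceId can never match any request URL.
        # re.search with IGNORECASE is assumed to mirror the Java regex check.
        if pattern and enabled and re.search(pattern, url, re.IGNORECASE):
            return svc
    return None

def sharepoint_problems(svc):
    """Name the two mistakes this thread ran into in a SharePoint WS-Fed service."""
    problems = []
    if "serviceId" not in svc:
        problems.append("missing serviceId")
    if svc.get("tokenType") != SAML11:
        problems.append("tokenType is not SAMLV1.1")
    return problems

if __name__ == "__main__":
    for url in ("https://sharepoint.example.test/_trust/", "https://other.example.test/"):
        hit = find_service(SERVICES[:2], url)
        print(url, "->", hit["name"] if hit else "Application Not Authorized to Use CAS")
```

Note that once the https/imaps catch-all from Steve's sample is present, every HTTPS application becomes an authorized service, so it is worth replacing it with host-specific patterns once the SharePoint definition works.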

mohamed gamal

Nov 17, 2019, 2:44:22 AM
to CAS Community
Mr Abdelrahman, thanks for your support.
Which version are you using?

Abdelrahman Halawa

Nov 17, 2019, 6:33:08 AM
to cas-...@apereo.org
CAS v5.3.x
On Sun, 17 Nov 2019 at 09:44, mohamed gamal <mahmedg...@gmail.com> wrote:
Mr Abdelrahman, thanks for your support.
Which version are you using?


mohamed gamal

Nov 17, 2019, 7:00:56 AM
to cas-...@apereo.org
Maybe this is what is causing your config not to work with us, we are using version 6.1.0-RC4.



--
Mohamed Ahmed Moursi
Computer Engineer.
Al-kharj, Saudi Arabia.
Mobile SA: +966555192325
Skype: live:b155f044caf1b8b6