SPNEGO Client Selection Strategy


Nicholas Wylie

May 17, 2018, 1:47:54 AM
to CAS Community
Hi CAS Community,

I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication against our Active Directory.

What we have noticed though is that non-domain joined computers see a pop-up prompt for credentials when they visit the CAS login page. From my reading, I believe we can fix this by configuring the LDAP Client Selection Strategy for SPNEGO, but the documentation for which properties need to be configured seems to be a bit scarce.

Can someone offer any guidance (or a link to some documentation) as to which properties I need to configure to use the LDAP Client Selection Strategy?

Thanks,
Nicholas

Charles Le Gallic

May 17, 2018, 4:29:58 AM
to CAS Community
Hi Nicholas,

It seems to me that the Kerberos / SPNEGO client selection strategy has been broken since Alfresco 5.0.x.

Indeed, there are several other messages in this discussion list referring to this problem: here, here and here, and I didn't manage to make it work (IP based) in the CAS 5.1.7 release.

SPNEGO Client Selection Strategy setup is done in the SpnegoWebflowConfigurer class, using the "cas.authn.spnego.hostNameClientActionStrategy" parameter value to set the strategy (defaulting to "hostnameSpnegoClientAction"). You can use the "ldapSpnegoClientAction" value to use an LDAP Client Selection Strategy.

The problem is that the Spring MVC Web Flow is configured to use the "START_SPNEGO_AUTHENTICATE" action state by default, instead of the "EVALUATE_SPNEGO_CLIENT" action state (evaluateClientRequest).

Therefore, the Client Selection Strategy is never applied. I didn't find any way to use CAS configuration properties to add the evaluateClientRequest action state before the startSpnegoAuthenticate state.

The only way to do this may be to override the CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM state (as done here) in a custom bean and configure it to transition to the evaluateClientRequest state.

I may have missed something, and I hope a CAS Developer can clarify it.

Regards,

Charles

Christian Poirier

May 17, 2018, 9:25:47 AM
to CAS Community
Hi Nicholas,

In our organization, we need to let the user choose between the default login and SPNEGO upon a list of criteria and sometimes we need to go directly to the SPNEGO authentication upon other criteria. For this feature, I extended the SPNEGO module. I show a button with the label "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular expression. When the service matches a regular expression and the IP address also matches its regular expression, I force SPNEGO authentication without giving the user the chance to authenticate otherwise. If none of the previous conditions are present, then the user must authenticate normally with his user ID and password.
If you look at the following webflow, you will find this logic inside.

<var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />

<on-start>
    <evaluate expression="initialFlowSetupAction" />
    <!-- hidden by default; only set to true when the client IP qualifies for the SPNEGO button -->
    <set name="flowScope.displaySPNegoButton" value="false" />
</on-start>

<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>

<decision-state id="gatewayRequestCheck">
    <if test="externalContext.requestParameterMap['gateway'] neq '' &amp;&amp; externalContext.requestParameterMap['gateway'] neq null &amp;&amp; flowScope.service neq null" then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
</decision-state>

<decision-state id="hasServiceCheck">
    <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
</decision-state>

<decision-state id="renewRequestCheck">
    <if test="externalContext.requestParameterMap['renew'] neq '' &amp;&amp; externalContext.requestParameterMap['renew'] neq null" then="startAuthenticateCheck" else="generateServiceTicket" />
</decision-state>

<!--
    The "warn" action makes the determination of whether to redirect directly to the requested
    service or display the "confirmation" page to go back to the server.
-->
<decision-state id="warn">
    <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
</decision-state>

<!--
<action-state id="startAuthenticate">
    <action bean="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="warn" to="warn" />
    <transition on="error" to="generateLoginTicket" />
</action-state>
-->

<!-- spnego=off lets the user opt out of SPNEGO and go straight to the login form -->
<decision-state id="startAuthenticateCheck">
    <if test="externalContext.requestParameterMap['spnego'] neq '' &amp;&amp; externalContext.requestParameterMap['spnego'] neq null &amp;&amp; externalContext.requestParameterMap['spnego'] eq 'off'" then="generateLoginTicket" else="spnegoForceCheckAction" />
</decision-state>

<!-- forcespnego=true skips the service check and goes directly to the forced IP check -->
<decision-state id="spnegoForceCheckAction">
    <if test="externalContext.requestParameterMap['forcespnego'] neq '' &amp;&amp; externalContext.requestParameterMap['forcespnego'] neq null &amp;&amp; externalContext.requestParameterMap['forcespnego'] eq 'true'" then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
</decision-state>

<!-- does the service match serviceNamePatternString? yes: forced path, no: optional-button path -->
<action-state id="spnegoAppCheckAction">
    <evaluate expression="spNegoAppCheck" />
    <transition on="yes" to="spnegoIPCheckAction2" />
    <transition on="no" to="spnegoIPCheckAction" />
</action-state>

<!-- optional path: a matching IP gets the login form with the "LOGIN WITH MY WINDOWS ACCOUNT" button -->
<action-state id="spnegoIPCheckAction">
    <evaluate expression="spNegoIPCheck" />
    <transition on="yes" to="generateLoginTicket">
        <set name="flowScope.displaySPNegoButton" value="true" />
    </transition>
    <transition on="no" to="generateLoginTicket" />
</action-state>

<!-- forced path: a matching IP must use SPNEGO, any other IP gets the normal login form -->
<action-state id="spnegoIPCheckAction2">
    <evaluate expression="spNegoIPCheck" />
    <transition on="yes" to="startAuthenticate" />
    <transition on="no" to="generateLoginTicket" />
</action-state>

<action-state id="startAuthenticate">
    <evaluate expression="negociateSpnego" />
    <transition on="success" to="spnego" />
</action-state>

<action-state id="spnego">
    <evaluate expression="spnego" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="generateLoginTicket" />
</action-state>

<action-state id="generateLoginTicket">
    <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
    <transition on="success" to="viewLoginForm" />
</action-state>



Here are my new spnego.properties:

# cas.authn.spnego.spnegoMode=direct: go directly to SPNEGO by changing the success transition
#     of the initialLoginForm action-state to startSpnegoAuthenticate
# cas.authn.spnego.spnegoMode=evaluateClient: evaluate the client based on the client action
#     strategy defined in evaluateClientActionStrategy. It changes the success transition of the
#     initialLoginForm action-state to evaluateClientRequest
# Allowed values: evaluateClient | direct
# cas.authn.spnego.spnegoMode=evaluateClient|direct

# The following property is deprecated
#cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction

# cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction: CAS checks whether
#     the request's remote hostname matches a predefined pattern
# cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction: CAS checks an LDAP instance
#     for the remote hostname, to locate a pre-defined attribute whose mere existence would allow
#     the webflow to resume to SPNEGO
# cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction: CAS checks whether
#     the service matches the regular expression defined in serviceNamePatternString and the IP
#     matches ipsToCheckPattern (implemented in baseSpnegoClientAction)
cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)


It works well for me. If you want it, I could send you the code.
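The client evaluation in the webflow above, as an added stand-alone Python model (not Christian's code nor CAS's own): it walks the startAuthenticateCheck / spnegoForceCheckAction / spnegoAppCheckAction / spnegoIPCheckAction states using the ipsToCheckPattern and serviceNamePatternString values from the properties, and returns the target state plus the displaySPNegoButton flag. Substring regex matching (Java `Matcher.find()` semantics) and the request parameter names `spnego` and `forcespnego` are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed copy of the spnego.properties values from the post (assumed, not read from a live CAS).
PROPS = {
    # Note: the "." in "122.110" is unescaped, so it also matches e.g. "122x110"; escape it in production.
    "cas.authn.spnego.ipsToCheckPattern": r"((127\.0)|(122.110))(\.[0-9]{1,3}){2}",
    "cas.authn.spnego.serviceNamePatternString": r"(app1\.domain\.ca)|(app2\.domain\.ca)",
}


@dataclass(frozen=True)
class Decision:
    next_state: str        # webflow state the request transitions to
    display_button: bool   # value of flowScope.displaySPNegoButton on the login form


def _matches(pattern_key: str, value, props) -> bool:
    """Substring regex match, the way Java's Matcher.find() behaves (assumption of this model)."""
    return value is not None and re.search(props[pattern_key], value) is not None


def evaluate_client(remote_ip: str, service, params: dict, props=PROPS) -> Decision:
    """Mirror of startAuthenticateCheck -> ... -> generateLoginTicket / startAuthenticate.

    remote_ip must be the peer address CAS itself sees (or one derived from a trusted proxy
    chain), never a client-supplied header, otherwise the IP gate is chosen by the client.
    """
    # startAuthenticateCheck: spnego=off means the user opted out, straight to the login form
    if params.get("spnego") == "off":
        return Decision("generateLoginTicket", False)

    ip_ok = _matches("cas.authn.spnego.ipsToCheckPattern", remote_ip, props)
    svc_ok = _matches("cas.authn.spnego.serviceNamePatternString", service, props)

    # spnegoForceCheckAction / spnegoAppCheckAction: forced path when forcespnego=true or the
    # service matches; spnegoIPCheckAction2 then allows SPNEGO only for a matching IP
    if params.get("forcespnego") == "true" or svc_ok:
        return Decision("startAuthenticate" if ip_ok else "generateLoginTicket", False)

    # spnegoIPCheckAction: optional path, login form with the Windows-account button for matching IPs
    return Decision("generateLoginTicket", ip_ok)


if __name__ == "__main__":
    # Constructed requests exercising each branch of the flow
    for ip, svc, p in [("127.0.0.5", "https://app1.domain.ca/", {}),
                       ("10.1.2.3", "https://app1.domain.ca/", {}),
                       ("122.110.4.9", "https://other.example/", {}),
                       ("127.0.0.5", "https://app1.domain.ca/", {"spnego": "off"})]:
        print(ip, svc, p, "->", evaluate_client(ip, svc, p))
```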

Charles Le Gallic

May 18, 2018, 1:28:46 AM
to cas-...@apereo.org
Hi Christian,

Which version of CAS do you use?

It seems to be a version below CAS 5.0.x (org.jasig packages and XML Spring configurations). SPNEGO client selection strategy was working on the 4.x version, but I cannot make it work after having upgraded to CAS 5.1.x.

Regards,

Charles



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/_jUtK7VnhFs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org.

Christian Poirier

May 18, 2018, 8:14:12 AM
to cas-...@apereo.org
Hi Charles

I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. The webflow logic is built in the code.
I will check if the implementation based on a RegisteredServiceAccessStrategy is possible.


Nicholas Wylie

May 21, 2018, 10:44:06 PM
to CAS Community
Thanks Charles & Christian.

It sounds like getting this working is going to be a bit more involved than I imagined! I will have to try and have a better look at it when we have a bit more time.


Charles Le Gallic

May 22, 2018, 1:59:14 AM
to cas-...@apereo.org
Hi Christian,

Did you manage to make IP-based SPNEGO client selection work on CAS 5.x?

In that case, is there any other configuration to set up in addition to the cas.properties configuration?

Regards,

Charles


Christian Poirier

May 22, 2018, 10:46:45 PM
to cas-...@apereo.org
Hi Charles

Yes I did, but with my own development and my properties. I will check if I can implement it with the Client Access Strategy by implementing my own SPNEGO Service Access Strategy.


Charles Le Gallic

May 23, 2018, 1:58:23 AM
to cas-...@apereo.org
OK, thanks. Let me know if you can confirm that the current native implementation is buggy.

Regards,

Charles


Christian Poirier

May 23, 2018, 12:59:17 PM
to cas-...@apereo.org
I think I know what you mean by "is buggy". I checked the code and it is missing something. The webflow is not configured correctly even if you configure it to use the hostname filter and/or the IP address filter. It just jumps directly to the SPNEGO negotiate transition. I corrected this with the changes I made to the code. There was no way to choose to go directly to SPNEGO or to evaluate the client before starting SPNEGO.


Charles Le Gallic

May 28, 2018, 7:13:08 AM
to CAS Community
Hi,

I'm glad to see that you confirm the bug. I'll try to make a pull request, but I need to set up a full CAS dev environment first.

Regards,

Charles

Christian Poirier

Jun 5, 2018, 11:32:30 AM
to CAS Community
Hi Charles,

I should have mentioned that using the mixedModeAuthentication property allows displaying the authentication page when the browser does not match, or the IP address does not match.

Regards

Christian

Lalot Dominique

Jul 6, 2018, 8:46:26 AM
to CAS Community
Hi Christian

I'm facing the same problem and this is not good. For example, if we do that, every browser will display a basic auth window to do NTLM authentication as a fallback. If you answer nothing, you will get the login form, but it's a little bit tricky.
And we don't want to see that kind of window. Changing the NTLM related properties didn't solve the problem.
I suppose there is very little chance for that to be considered as a bug (anyway, I don't see an easy way to file a bug without being a developer).

Is there something we can do around the webflow?

Thanks

Dom

Anthony Lofton

Jul 15, 2018, 5:47:37 PM
to CAS Community
I was about to post about this and found this topic about it being broken since 5.0.x. Looking through the code, the issue is that evaluateClientRequest is never called within the SpnegoWebConfigurer class. The issue is easily resolved by registering it first, as it calls startSpnegoAuthenticate if set; however, the false action registers the start state, which creates an infinite loop. I changed it to register viewLoginForm, as it does with Spnego, and it works fine. I was going to create a pull request with my suggestion but I wasn't sure whether this was intended behavior and I was doing something wrong. I'll go ahead and create one and link it once I have.

Thanks!

Anthony Lofton

Jul 16, 2018, 11:28:17 PM
to CAS Community
I have submitted three pull requests which should fix this issue on various releases.

Lalot Dominique

Jul 17, 2018, 2:39:40 PM
to CAS Community
Yes, and your pull requests have been accepted. We should get them in 5.2.7, 5.3 and 6.x
Thanks a lot

Dom

Charles Le Gallic

Jul 18, 2018, 4:24:03 AM
to cas-...@apereo.org
Hi Anthony,

Many thanks for the fix!

Regards,

Charles


Grégory Trucy

Jul 25, 2018, 6:53:39 AM
to CAS Community
Hi every one,

I have created 3 pull requests too... which should fix the issue with the use of cas.authn.spnego.supportedBrowsers.
I removed the hard-coded list of supported browsers to make the "cas.authn.spnego.supportedBrowsers" (cas.properties) directive usable.
Before this change, "cas.authn.spnego.supportedBrowsers" only allowed adding extra supported browsers to the original list (MSIE,Trident,Firefox,AppleWebKit).
But, for example, if you didn't want to activate SPNEGO with Chrome, using "cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox" didn't work.

Greg
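The two semantics Greg describes, as an added Python model (not CAS code nor Greg's pull requests): before the change the configured list was only appended to the hard-coded one, after it the configured list alone decides whether a browser gets a SPNEGO negotiation. Substring matching of the tokens against the User-Agent header and the constructed User-Agent strings are assumptions of this example.

```python
# Hard-coded list named in the post; the User-Agent strings below are constructed samples.
HARDCODED_BROWSERS = ("MSIE", "Trident", "Firefox", "AppleWebKit")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/67.0 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"


def supported_browsers(configured: str, before_fix: bool) -> tuple:
    """Effective list for cas.authn.spnego.supportedBrowsers.

    before_fix=True : configured entries are only *added* to the hard-coded list.
    before_fix=False: the configured list alone decides (behaviour after the pull requests).
    """
    extra = tuple(token.strip() for token in configured.split(",") if token.strip())
    return HARDCODED_BROWSERS + extra if before_fix else extra


def spnego_negotiation_allowed(user_agent: str, configured: str, before_fix: bool) -> bool:
    """True when CAS would send the Negotiate challenge to this browser.

    Each token is matched as a substring of the User-Agent header (assumption of this model).
    A browser that is allowed here but is not domain-joined is the one that ends up with the
    credential pop-up the thread complains about, so an operator needs to be able to exclude it.
    """
    return any(token in user_agent for token in supported_browsers(configured, before_fix))


if __name__ == "__main__":
    cfg = "MSIE,Trident,Firefox"   # operator intends to leave Chrome out
    for before_fix in (True, False):
        allowed = spnego_negotiation_allowed(CHROME_UA, cfg, before_fix)
        print("before_fix=%s -> Chrome gets Negotiate: %s" % (before_fix, allowed))
```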
