CAS 7.0.0 - Service unauthorized to use CAS


Dillon Power

Jun 10, 2023, 12:01:50 AM
to CAS Community
Hi all, 

After installing and configuring CAS to work with our DegreeWorks install, I'm seeing that the application is unable to log in with CAS despite having a service registry. Are there some formatting issues with our registry entry?

For reference, we're running Tomcat 10, CAS 7.0.0, JDK 17.

Here is my cas.properties:
cas.server.name=http://{casserver}.edu
cas.server.prefix=${cas.server.name}/cas
logging.config=file:/etc/cas/config/log4j2.xml

#server.port=8080
server.ssl.enabled=false

#LDAP Configuration
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldap-url=ldap://ldapserver:389
cas.authn.ldap[0].base-dn=OU=Accounts,DC=school,DC=edu
cas.authn.ldap[0].search-filter=(sAMAccountName={user})
cas.authn.ldap[0].bind-dn=CN=ldap_user,OU=Accounts,DC=school,DC=edu
cas.authn.ldap[0].bind-credential=password
cas.authn.ldap[0].subtree-search=true
#cas.authn.ldap[0].principal-attribute-list=samAccountName:UDC_IDENTIFIER
#cas.authn.ldap[0].principal-attribute-password=
cas.authn.ldap[0].principal-attribute-id=UDC_IDENTIFIER

#DUO MFA
cas.authn.mfa.duo[0].duo-api-host={apihostlink}
#cas.authn.mfa.duo[0].duo-application-key={key}
cas.authn.mfa.duo[0].duo-integration-key={integration_key}
cas.authn.mfa.duo[0].duo-secret-key={secret-key}

#JSON Registry
cas.service-registry.core.init-from-json=false
cas.service-registry.json.location=file:/etc/cas/services

Here is the service registry for DegreeWorks: /etc/cas/services/dashboard-849100.json
{
  /* Dashboard TEST service registry */
  "@class":"org.apereo.cas.services.CasRegisteredService",
  "serviceId":"^(https:)\/\/degreeworks.school.edu:8491\/dashboard\/",
  "name":"Degreeworks Dashboard TEST (degreeworks-test)",
  "id":"849100",
  "evaluationOrder":1,
  "proxyPolicy":{
    "@class":"org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern":"^ (https:)\/\/degreeworks.school.edu:8491\/dashboard\/",
  }
  logoutType: BACK_CHANNEL
  attributeReleasePolicy:
  {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "UDC_IDENTIFIER" ] ]
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: true
    excludeDefaultAttributes: false
    authorizedToReleaseAuthenticationAttributes: true
  }

  multifactorPolicy:
  {
    "@class":"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
    /* failureMode: NOT_SET
       bypassEnabled: false */
  }

  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    order: 0
    enabled: true
    ssoEnabled: true
    requireAllAttributes: false
    caseInsensitive: true
  }
}

Ray Bon

Jun 12, 2023, 12:14:04 PM
to cas-...@apereo.org
Dillon,

Your regex does not look right to me. Here is one of my test apps:
^https?://local\\.uvic\\.ca/~rbon/phpCAS/docs/examples/.*

We are not escaping '/', but are escaping '.' with '\\' (the '.' for security). Also, if the application is sending a URN or parameters as part of the URL, then you want to allow them, or, if it is the same for every request, perhaps capture it in the serviceId.

Check your serviceId regex against an actual service argument using an online regex tester (ideally one for java). You may have to unencode some characters.

Ray

On Fri, 2023-06-09 at 11:15 -0700, Dillon Power wrote:

Dillon Power

Jun 14, 2023, 10:54:58 AM
to CAS Community, Ray Bon
Hi Ray, 

I was able to see what was wrong with the regex, and you were right about that. 
However, I'm still getting this error: " The application you attempted to authenticate to is not authorized to use CAS. This usually indicates that the application is not registered with CAS, or its authorization policy defined in its registration record prevents it from leveraging CAS functionality, or it's malformed and unrecognized by CAS. Contact your CAS administrator to learn how you might register and integrate your application with CAS."

Is there any part of the service registry that I've configured that would make it incompatible?

Thanks!
Dillon

Ray Bon

Jun 14, 2023, 12:58:44 PM
to dillon...@gmail.com, cas-...@apereo.org
Dillon,

Do any other services work?


The error message is saying that the service argument sent to cas for login does not match any service you have registered.

Note: to test cas login flow (MFA, password updating, etc.), you can make up a service. I literally have a bookmark
https://local.uvic.ca/cas/login?service=https://local.uvic.ca/someMFA_URI to test MFA flow. I add the service (serviceId: https://local.uvic.ca/someMFA_URI ) with only MFA configured. (local points to my laptop.)

Ray
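The check Ray suggests above (run the serviceId regex against the actual service URL, which is what the "not authorized to use CAS" error means is failing), as an added Python example that is not part of the thread. It uses Python's re module in place of a Java regex tester, takes the two patterns from Dillon's posted registry entry, and assumes, as with CAS's default matching strategy, that the regex has to match the whole service URL; the sample URLs are constructed.

```python
import re

# Constructed sample inputs (not from the thread): the URL DegreeWorks would
# send as the `service` parameter, and a look-alike host that must NOT match.
SERVICE_URL = "https://degreeworks.school.edu:8491/dashboard/?page=home"
LOOKALIKE_URL = "https://degreeworks-school.edu:8491/dashboard/"

# Patterns copied from the posted registry entry: '/' escaped, '.' unescaped,
# no trailing wildcard, and a stray space after '^' in the proxy pattern.
ORIGINAL_SERVICE_ID = r"^(https:)\/\/degreeworks.school.edu:8491\/dashboard\/"
ORIGINAL_PROXY_PATTERN = r"^ (https:)\/\/degreeworks.school.edu:8491\/dashboard\/"

# Rewritten following Ray's advice: leave '/' alone, escape '.', and allow
# whatever path or query string follows the dashboard prefix.
CORRECTED_SERVICE_ID = r"^https://degreeworks\.school\.edu:8491/dashboard/.*"


def service_matches(service_id_regex: str, service_url: str) -> bool:
    """Return True when the registry regex accepts the service URL.

    Assumption: the whole URL has to match (fullmatch), so a pattern with no
    trailing '.*' rejects any URL that carries extra path or parameters.
    """
    return re.fullmatch(service_id_regex, service_url) is not None


def check_registry_patterns(service_url: str) -> dict:
    """Run all three patterns against one service URL."""
    return {
        "original_serviceId": service_matches(ORIGINAL_SERVICE_ID, service_url),
        "original_proxyPattern": service_matches(ORIGINAL_PROXY_PATTERN, service_url),
        "corrected_serviceId": service_matches(CORRECTED_SERVICE_ID, service_url),
    }


if __name__ == "__main__":
    for url in (SERVICE_URL, LOOKALIKE_URL):
        print(url)
        for name, ok in check_registry_patterns(url).items():
            print(f"  {name:24} {'match' if ok else 'NO MATCH'}")
```

The original serviceId pattern rejects the real URL as soon as a query string is present, yet accepts the look-alike host because its dots are unescaped; the corrected pattern does the reverse.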

Ray Bon

Jun 14, 2023, 2:30:03 PM
to dillon...@gmail.com, cas-...@apereo.org
Dillon,

You can create the services manually. Just put them in a directory and point cas at it.

Ray

On Wed, 2023-06-14 at 10:39 -0700, Dillon Power wrote:

Unfortunately the only services working are on CAS 5.3.16, which we're trying to get away from. 
All services for 7.0.0 are going to be new. I don't have CAS management installed, but I'm working to try to get that up and running as well. 

Is there any specific way to register a service other than creating the json registry?

Dillon Power

Jun 15, 2023, 2:54:55 AM
to CAS Community, Ray Bon, Dillon Power
Unfortunately the only services working are on CAS 5.3.16, which we're trying to get away from. 
All services for 7.0.0 are going to be new. I don't have CAS management installed, but I'm working to try to get that up and running as well. 

Is there any specific way to register a service other than creating the json registry?
