CAS Services Management "Access Denied"


Eric Kyle

Feb 29, 2016, 2:43:21 PM
to CAS Community
The title says it all. I have CAS (4.2 RC2) set up to authenticate against ADFS, which works fine when I go to localhost/cas, but when I try to go to the deployed cas-services page (which also authenticates successfully against cas/adfs), I get the message


Access Denied

You are not authorized to access this resource. Contact your CAS administrator for more info


This is the one thing holding me back from authenticating uPortal and our other services. I have looked in the deployerConfigContext.xml file and a hundred other places, but I can't seem to figure out how to authenticate properly. Any help would be greatly appreciated.


Eric

Misagh Moayyed

Feb 29, 2016, 3:13:31 PM
to CAS Community

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

Warren White

Apr 19, 2016, 6:01:49 PM
to CAS Community, mmoa...@unicon.net
And more specifically, the Static List of Users


With my setup, I had to add the default casuser=Mellon,ROLE_ADMIN to the user-details.properties, then it allowed me to log in.

Dan Reeder

May 23, 2016, 7:48:41 PM
to CAS Community
Hi Eric, did you ever manage to get this working?
We're using CAS 4.2 with the additional cas-services app. CAS is set up to use our ADFS, which works beautifully for other registered JSON services, but I can't figure out how to get the cas-services app to also pay attention to ADFS auth tickets. It would be nice if cas-services could check for an attribute being passed back from ADFS (such as the presence of a particular AD group membership), but I'd settle for a static list of permitted principal usernames.

cheers,
Dan

Eric Kyle

Jun 7, 2016, 8:50:54 AM
to Dan Reeder, CAS Community
Hi Dan,

No, I still haven't figured this out - though I haven't had much time to look at it. I plan on digging back into it this summer.

Eric


Dan Reeder

Jun 7, 2016, 11:24:01 PM
to CAS Community, mel...@gmail.com
I figured it out in the end... the users listed in /etc/cas/user-details.properties were required to have the "enabled" flag on the end, despite the comments indicating it was optional.
e.g.:
jsmith=notused,ROLE_ADMIN,enabled

cheers,
Dan
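
An added example, not part of any post in this thread and not CAS project code: a small Python check that parses a user-details.properties file in the username=password,ROLE[,enabled|disabled] form of the entries quoted above and reports, for one principal id, whether an entry exists, grants ROLE_ADMIN, and carries an explicit enabled flag. The function names and sample entries are constructed for illustration, and treating ROLE_ADMIN as the role that matters is an assumption taken from the entries in the thread.

```python
# Added example: audit a user-details.properties style file.
# Assumed line format (from the entries quoted in this thread):
#   username=password,AUTHORITY[,AUTHORITY...][,enabled|disabled]
ADMIN_ROLE = "ROLE_ADMIN"  # assumption: the role used in the thread's entries

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# static list of users
casuser=Mellon,ROLE_ADMIN
jsmith=notused,ROLE_ADMIN,enabled
bob=notused,ROLE_USER
carol=notused,ROLE_ADMIN,disabled
"""

def parse_user_details(text):
    """Return {username: {"roles": [...], "enabled": True/False/None}}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        name, _, value = line.partition("=")
        tokens = [t.strip() for t in value.split(",")]
        roles, enabled = [], None   # None = flag not written in the file
        for tok in tokens[1:]:      # tokens[0] is the password field
            if tok.lower() in ("enabled", "disabled"):
                enabled = tok.lower() == "enabled"
            elif tok:
                roles.append(tok)
        users[name.strip()] = {"roles": roles, "enabled": enabled}
    return users

def explain(users, principal):
    """Describe how one principal id maps onto the parsed file."""
    entry = users.get(principal)  # exact, case-sensitive key lookup
    if entry is None:
        return "no entry for this principal id"
    if ADMIN_ROLE not in entry["roles"]:
        return "entry found but it does not grant " + ADMIN_ROLE
    if entry["enabled"] is False:
        return "entry found with " + ADMIN_ROLE + " but marked disabled"
    if entry["enabled"] is None:
        return "entry grants " + ADMIN_ROLE + "; no explicit enabled flag"
    return "entry grants " + ADMIN_ROLE + " and is explicitly enabled"

if __name__ == "__main__":
    users = parse_user_details(SAMPLE)
    for who in ("casuser", "jsmith", "bob", "carol", "ekyle@example.org"):
        print(who, "->", explain(users, who))
```

Run it against the principal id your identity provider actually returns, since the lookup is on the exact username key.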

Misagh Moayyed

Jun 8, 2016, 12:00:09 AM
to CAS Community

This probably points to some other underlying issue. I have never had to set that.

You can see the configuration of the demo webapp running on Heroku. There is no reference to that flag.

https://github.com/apereo/cas/blob/heroku-mgmtwebapp/src/main/resources/user-details.properties

Eric Kyle

Jun 8, 2016, 1:57:40 PM
to Dan Reeder, CAS Community
Are you logging into your cas-services app with ADFS? I can't figure out how to get cas-services to either use ADFS or ignore it and use the user in the user.details file.
