Issues upgrading from CAS 7.0.x to CAS 7.1.x
784 views
Skip to first unread message
Phil Hale
Mar 19, 2025, 11:00:52 PMMar 19
to CAS Community
Hello,
I'm attempting to upgrade from CAS 7.0 to CAS 7.1. I can successfully build the war file and launch it without issues. When I attempt to log in I get the following error in the log file:
cas.war[331470]: 2025-03-19 15:38:17,967 WARN [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <No delegated authentication providers could be determined based on the provided configuration. Either no identity providers are configured, or the current access strategy rules prohibit CAS from using authentication providers>
and the following on the web browser:
We have each service file set up to call out to a default identity provider with the following block in the service json file:
accessStrategy:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
delegatedAuthenticationPolicy:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
allowedProviders:
[
java.util.ArrayList
[
TAMUCC_AAD
]
]
permitUndefined: false
exclusive: true
}
}
{
@class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
delegatedAuthenticationPolicy:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
allowedProviders:
[
java.util.ArrayList
[
TAMUCC_AAD
]
]
permitUndefined: false
exclusive: true
}
}
This works as expected in 7.0 but does not work in 7.1. In 7.0, we are automatically directed to the AAD login and after successfully logging in, given access to the app. I've compared the json service file formatting with what is documented and can't find any issues.
Hopefully someone has some suggestions on what changes we need to make to get this working again.
Thanks,
Phil
Pablo Vidaurri
Mar 20, 2025, 12:59:04 PMMar 20
to CAS Community, Phil Hale
Using OIDC I assume?
Have you tried these dependencies:
implementation "org.apereo.cas:cas-server-support-pac4j-oidc" <-- Looks like just introduced in 7.1.0
implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
-psv
Phil Hale
Mar 20, 2025, 2:04:15 PMMar 20
to CAS Community, Pablo Vidaurri, Phil Hale
Hello Pablo,
I had
implementation "org.apereo.cas:cas-server-support-pac4j-webflow"'
I'll add
implementation "org.apereo.cas:cas-server-support-pac4j-oidc"
and see if it helps.
Thanks,
Phil
Phil Hale
Mar 20, 2025, 10:23:44 PMMar 20
to CAS Community, Pablo Vidaurri, Phil Hale
I added the missing dependency and restarted the services and I'm still getting the same warning in the logs:
2025-03-20 13:15:27,445 WARN [com.hazelcast.instance.impl.HazelcastInstanceFactory] - <Hazelcast is starting in a Java modular environment (Java 9 and newer) but without proper access to required Java packages. Use additional Java arguments to provide Hazelcast access to Java internal API. The internal API access is used to get the best performance results. Arguments to be used:
Are their any additional cas.properties I need to add to make this work again?
Phil
On Thursday, March 20, 2025 at 11:59:04 AM UTC-5 Pablo Vidaurri wrote:
Pablo Vidaurri
Mar 20, 2025, 11:13:47 PMMar 20
to CAS Community, Phil Hale, Pablo Vidaurri
In you service file, i see missing commas and double quotes. Is that what you really have ? I would exepct something like this:
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"delegatedAuthenticationPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
"allowedProviders" : [ "java.util.ArrayList", [ "TAMUCC_AAD" ] ],
"permitUndefined": false,
"exclusive": true
}
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"delegatedAuthenticationPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
"allowedProviders" : [ "java.util.ArrayList", [ "TAMUCC_AAD" ] ],
"permitUndefined": false,
"exclusive": true
}
Phil Hale
Mar 21, 2025, 10:32:30 AMMar 21
to CAS Community, Pablo Vidaurri, Phil Hale
Hello Pablo,
That was a sample from one of my working service files (with version 7.0.10). I used the CAS Manager tool to create the service files. Is there some type of lint tool I can use to check these files? I'm attempting to get Palantir under version 7.0 or 7.1 working but running into issues so I'm not sure how to check and fix syntax issues.
Phil
Richard Frovarp
Mar 21, 2025, 12:23:23 PMMar 21
to cas-...@apereo.org
You're going to have to read through
the documentation for Hazelcast to see what matches your needs.
Most of the time in the past, upgrades are reimplementations. It
is unfortunately a lot of work. OpenRewrite is supposed to help
that from the best I know. I don't know if it will work until you
get to 7.1 though. I haven't used it yet.
https://apereo.github.io/cas/7.1.x/installation/OpenRewrite-Upgrade-Recipes.html
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb0853c1-ee51-4a69-804d-06580dffe90dn%40apereo.org.
Phil Hale
Mar 24, 2025, 1:53:14 PMMar 24
to CAS Community, Pablo Vidaurri, Phil Hale
Hello Pablo,
I went and edited one of my test service files to match up with "commas and quotes" to what is available in the documentation. I'm still seeing the following in the log file when attempting to test login:
2025-03-24 11:55:54,331 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: =============================================================
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: WHEN: 2025-03-24T16:55:54.330390765
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: WHO: audit:unknown
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: WHAT: {result=Service Access Granted, service=https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient, requiredAttributes={}}
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: CLIENT_IP: 192.168.155.189
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: SERVER_IP: 0:0:0:0:0:0:0:1
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: =============================================================
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: >
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: 2025-03-24 11:55:54,959 WARN [jakarta.persistence.spi] - <jakarta.persistence.spi::No valid providers found.>
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: 2025-03-24 11:56:04,160 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: =============================================================
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: WHEN: 2025-03-24T16:56:04.160205840
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: WHO: audit:unknown
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, url=https://login-test.tamucc.edu/cas/login?service=https%3A%2F%2Fidm-cas-mgr-test.tamucc.edu%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient, timestamp=2025-03-24T16:56:04.158}
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: ACTION: AUTHENTICATION_EVENT_TRIGGERED
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: CLIENT_IP: 192.168.155.189
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: SERVER_IP: 0:0:0:0:0:0:0:1
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: =============================================================
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: >
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: 2025-03-24 11:56:04,829 WARN [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <No delegated authentication providers could be determined based on the provided configuration. Either no identity providers are configured, or the current access strategy rules prohibit CAS from using authentication providers>
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: =============================================================
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: WHEN: 2025-03-24T16:55:54.330390765
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: WHO: audit:unknown
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: WHAT: {result=Service Access Granted, service=https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient, requiredAttributes={}}
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: CLIENT_IP: 192.168.155.189
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: SERVER_IP: 0:0:0:0:0:0:0:1
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: =============================================================
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: >
Mar 24 11:55:54 idm-cas2-test.tamucc.edu cas.war[108351]: 2025-03-24 11:55:54,959 WARN [jakarta.persistence.spi] - <jakarta.persistence.spi::No valid providers found.>
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: 2025-03-24 11:56:04,160 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: =============================================================
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: WHEN: 2025-03-24T16:56:04.160205840
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: WHO: audit:unknown
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, url=https://login-test.tamucc.edu/cas/login?service=https%3A%2F%2Fidm-cas-mgr-test.tamucc.edu%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient, timestamp=2025-03-24T16:56:04.158}
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: ACTION: AUTHENTICATION_EVENT_TRIGGERED
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: CLIENT_IP: 192.168.155.189
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: SERVER_IP: 0:0:0:0:0:0:0:1
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: =============================================================
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: >
Mar 24 11:56:04 idm-cas2-test.tamucc.edu cas.war[108351]: 2025-03-24 11:56:04,829 WARN [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <No delegated authentication providers could be determined based on the provided configuration. Either no identity providers are configured, or the current access strategy rules prohibit CAS from using authentication providers>
It's still not finding the external identity provider.
Not sure what else to do at this point. The overlay builds clean and starts and runs without issues.
Phil
On Thursday, March 20, 2025 at 10:13:47 PM UTC-5 Pablo Vidaurri wrote:
Phil Hale
Mar 24, 2025, 1:53:19 PMMar 24
to CAS Community, Richard Frovarp
Hello Richard,
Thanks for the information. I tried running thru the test of going from 7.0.10 to 7.1.5 using the OpenRewrite process and it really didn't find anything significant it would change. Just versions of items. I do clean stock builds of the overlays without modifying anything. The overlay for 7.1.5 builds clean without issues. My issue is that my service files that work under 7.0.10 to route my authentication to my external provider do not work under 7.1.5, and don't include much assistance in the logging to provide guidance on a solution.
Phil
Phil Hale
Mar 24, 2025, 1:53:20 PMMar 24
to CAS Community
All,
I switched the log to debug mode and got the following information on the failure:
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,248 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHEN: 2025-03-24T17:04:37.243024734
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHO: audit:unknown
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHAT: {result=Service Access Granted, service=https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient, requiredAttributes={}}
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: CLIENT_IP: 192.168.155.189
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: SERVER_IP: 0:0:0:0:0:0:0:1
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: >
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,256 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@577337d8]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,259 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow execution plan...>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,315 DEBUG [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - <[OidcWebflowConfigurer] could not find flow definition [account]. Available flow definition ids are [[clientredirect, login]]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,438 WARN [jakarta.persistence.spi] - <jakarta.persistence.spi::No valid providers found.>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,494 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,494 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for TGC cookie generator to: [/cas/]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,496 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,498 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [https\:\/\/idm\-cas\-mgr\-test\.tamucc\.edu\/.*] with id [1617150001173] in context scope>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,502 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [CAS_Management_Test]>
Mar 24 12:04:39 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:39,720 DEBUG [org.apereo.cas.support.saml.DefaultOpenSamlConfigBean] - <Initialized OpenSaml successfully.>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,012 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Using pre-defined signing key to use for [cas.authn.oauth.session-replication.cookie.crypto.signing.key]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,012 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Using pre-defined encryption key to use for [cas.authn.oauth.session-replication.cookie.crypto.encryption.key]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,087 DEBUG [org.apereo.cas.logout.DefaultLogoutExecutionPlan] - <Registering logout handler [DelegatedAuthenticationEventExecutionPlanConfiguration$DelegatedAuthenticationEventExecutionPlanLogoutConfiguration$$Lambda/0x00007fabc531f1c8]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,087 DEBUG [org.apereo.cas.logout.DefaultLogoutExecutionPlan] - <Registering logout handler [CasOAuth20Configuration$CasOAuth20LogoutConfiguration$$Lambda/0x00007fabc531f428]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,249 DEBUG [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <Setting path for cookies for distributed session cookie generator to: [/cas/]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,259 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,262 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHEN: 2025-03-24T17:04:40.261826275
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHO: audit:unknown
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, url=https://login-test.tamucc.edu/cas/login?service=https%3A%2F%2Fidm-cas-mgr-test.tamucc.edu%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient, timestamp=2025-03-24T17:04:40.259}
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: ACTION: AUTHENTICATION_EVENT_TRIGGERED
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: CLIENT_IP: 192.168.155.189
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: SERVER_IP: 0:0:0:0:0:0:0:1
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: >
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,309 DEBUG [org.apereo.cas.oidc.web.flow.OidcRegisteredServiceUIAction] - <Found registered service [https\:\/\/idm\-cas\-mgr\-test\.tamucc\.edu\/.*] from the context>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,548 DEBUG [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <Initialized context with request parameters [{service=[https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient]}]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,548 DEBUG [org.apereo.cas.support.pac4j.authentication.clients.BaseDelegatedIdentityProviderFactory] - <Builder [DelegatedClientOidcBuilder] provides [0] clients>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,549 DEBUG [org.apereo.cas.support.pac4j.authentication.clients.RefreshableDelegatedIdentityProviders] - <The following clients are built: [[]]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,550 WARN [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <No delegated authentication providers could be determined based on the provided configuration. Either no identity providers are configured, or the current access strategy rules prohibit CAS from using authentication providers>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHEN: 2025-03-24T17:04:37.243024734
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHO: audit:unknown
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: WHAT: {result=Service Access Granted, service=https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient, requiredAttributes={}}
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: CLIENT_IP: 192.168.155.189
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: SERVER_IP: 0:0:0:0:0:0:0:1
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: >
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,256 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@577337d8]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,259 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow execution plan...>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,315 DEBUG [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - <[OidcWebflowConfigurer] could not find flow definition [account]. Available flow definition ids are [[clientredirect, login]]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,438 WARN [jakarta.persistence.spi] - <jakarta.persistence.spi::No valid providers found.>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,494 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,494 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for TGC cookie generator to: [/cas/]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,496 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient]>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,498 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [https\:\/\/idm\-cas\-mgr\-test\.tamucc\.edu\/.*] with id [1617150001173] in context scope>
Mar 24 12:04:37 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:37,502 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [CAS_Management_Test]>
Mar 24 12:04:39 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:39,720 DEBUG [org.apereo.cas.support.saml.DefaultOpenSamlConfigBean] - <Initialized OpenSaml successfully.>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,012 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Using pre-defined signing key to use for [cas.authn.oauth.session-replication.cookie.crypto.signing.key]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,012 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Using pre-defined encryption key to use for [cas.authn.oauth.session-replication.cookie.crypto.encryption.key]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,087 DEBUG [org.apereo.cas.logout.DefaultLogoutExecutionPlan] - <Registering logout handler [DelegatedAuthenticationEventExecutionPlanConfiguration$DelegatedAuthenticationEventExecutionPlanLogoutConfiguration$$Lambda/0x00007fabc531f1c8]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,087 DEBUG [org.apereo.cas.logout.DefaultLogoutExecutionPlan] - <Registering logout handler [CasOAuth20Configuration$CasOAuth20LogoutConfiguration$$Lambda/0x00007fabc531f428]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,249 DEBUG [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <Setting path for cookies for distributed session cookie generator to: [/cas/]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,259 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,262 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHEN: 2025-03-24T17:04:40.261826275
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHO: audit:unknown
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, url=https://login-test.tamucc.edu/cas/login?service=https%3A%2F%2Fidm-cas-mgr-test.tamucc.edu%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient, timestamp=2025-03-24T17:04:40.259}
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: ACTION: AUTHENTICATION_EVENT_TRIGGERED
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: CLIENT_IP: 192.168.155.189
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: SERVER_IP: 0:0:0:0:0:0:0:1
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: =============================================================
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: >
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,309 DEBUG [org.apereo.cas.oidc.web.flow.OidcRegisteredServiceUIAction] - <Found registered service [https\:\/\/idm\-cas\-mgr\-test\.tamucc\.edu\/.*] from the context>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,548 DEBUG [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <Initialized context with request parameters [{service=[https://idm-cas-mgr-test.tamucc.edu/cas-management/callback?client_name=CasClient]}]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,548 DEBUG [org.apereo.cas.support.pac4j.authentication.clients.BaseDelegatedIdentityProviderFactory] - <Builder [DelegatedClientOidcBuilder] provides [0] clients>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,549 DEBUG [org.apereo.cas.support.pac4j.authentication.clients.RefreshableDelegatedIdentityProviders] - <The following clients are built: [[]]>
Mar 24 12:04:40 idm-cas2-test.tamucc.edu cas.war[111646]: 2025-03-24 12:04:40,550 WARN [org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer] - <No delegated authentication providers could be determined based on the provided configuration. Either no identity providers are configured, or the current access strategy rules prohibit CAS from using authentication providers>
I'm not seeing much in the logs to help me determine the issue, but it's the same error as before.
Phil
On Friday, March 21, 2025 at 11:23:23 AM UTC-5 Richard Frovarp wrote:
Richard Frovarp
Mar 24, 2025, 2:22:31 PMMar 24
to cas-...@apereo.org
There are possibly other errors or warnings on startup before that line. Seriously, you need to approach this as a re-implementation as though you are starting from scratch. Review the documents that way.
https://apereo.github.io/cas/7.1.x/integration/Delegate-Authentication.html
I've never done delegation. Maybe?
https://apereo.github.io/cas/7.1.x/integration/Delegate-Authentication-Provider-Registration.html
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/64ff6ef5-3bf3-45cb-9795-73974378817en%40apereo.org.
Pablo Vidaurri
Mar 25, 2025, 11:03:27 PMMar 25
to CAS Community, Phil Hale
It looks like maybe you are missing a config property. There are many various OIDC configs depending on the flavor you are using (Azure, generic, google, etc). For example, I'm using generic oidc and these some of these are the properties I have defined:
cas.authn.pac4j.oidc[0].generic.enabled=true
cas.authn.pac4j.oidc[0].generic.use-nonce=true
cas.authn.pac4j.oidc[0].generic.use-nonce=true
cas.authn.pac4j.oidc[0].generic.client-name=myClient
cas.authn.pac4j.oidc[0].generic.include-access-token-claims=true
cas.authn.pac4j.oidc[0].generic.response-type=id_token
cas.authn.pac4j.oidc[0].generic.discovery-uri=zzzzz
cas.authn.pac4j.oidc[0].generic.id=yyyyy
cas.authn.pac4j.oidc[0].generic.secret=xxxxx
cas.authn.pac4j.oidc[0].generic.auto-redirect-type=SERVER
cas.authn.pac4j.oidc[0].generic.callback-url-type=PATH_PARAMETER
cas.authn.pac4j.oidc[0].generic.callback-url=${cas.server.prefix}/login
cas.authn.pac4j.oidc[0].generic.include-access-token-claims=true
cas.authn.pac4j.oidc[0].generic.response-type=id_token
cas.authn.pac4j.oidc[0].generic.discovery-uri=zzzzz
cas.authn.pac4j.oidc[0].generic.id=yyyyy
cas.authn.pac4j.oidc[0].generic.secret=xxxxx
cas.authn.pac4j.oidc[0].generic.auto-redirect-type=SERVER
cas.authn.pac4j.oidc[0].generic.callback-url-type=PATH_PARAMETER
cas.authn.pac4j.oidc[0].generic.callback-url=${cas.server.prefix}/login
Do you have a client-name defined that is matching the client name you provided in your service file? I myself have auto-redirect-type set to SERVER so that I do not have to define a delegation in my service files but with my use case I need all clients to go to the same OIDC idp.
Also, you can review code to see what is causing log messages to display. For example, in your log you have this message "could not find flow definition" that AbstractCasWebflowConfigurer is displaying. You can look for the class such as (you many need a github acct to search)
Select the version of cas you are using, and search for the string. You'll see it on line 681. It appears to me that register is not null but the flow def in is not found. Again, maybe double check your config.
Phil Hale
Mar 26, 2025, 12:45:09 PMMar 26
to CAS Community, Pablo Vidaurri, Phil Hale
Hello Pablo,
Here is what I have configured for my SAML Auth against Azure EntraID. I do have the client-name set, but I do not have some of the other options:
cas.authn.pac4j.saml[0].clientName=TAMUCC_AAD
cas.authn.pac4j.saml[0].keystore-password=PASS
cas.authn.pac4j.saml[0].private-key-password=PASS
cas.authn.pac4j.saml[0].keystore-path=file:/etc/cas/saml/saml_keystore.jks
cas.authn.pac4j.saml[0].service-provider-entity-id=login-test.tamucc.edu
cas.authn.pac4j.saml[0].metadata.service-provider.file-system.location=file:/etc/cas/saml/login-test_sp_metadata.xml
cas.authn.pac4j.saml[0].metadata.identity-provider-metadata-path=https://login.microsoftonline.com/METADATA_HERE
cas.authn.pac4j.saml[0].maximum-authentication-lifetime=7776000
cas.authn.pac4j.saml[0].use-name-qualifier=false
cas.authn.pac4j.saml[0].keystore-password=PASS
cas.authn.pac4j.saml[0].private-key-password=PASS
cas.authn.pac4j.saml[0].keystore-path=file:/etc/cas/saml/saml_keystore.jks
cas.authn.pac4j.saml[0].service-provider-entity-id=login-test.tamucc.edu
cas.authn.pac4j.saml[0].metadata.service-provider.file-system.location=file:/etc/cas/saml/login-test_sp_metadata.xml
cas.authn.pac4j.saml[0].metadata.identity-provider-metadata-path=https://login.microsoftonline.com/METADATA_HERE
cas.authn.pac4j.saml[0].maximum-authentication-lifetime=7776000
cas.authn.pac4j.saml[0].use-name-qualifier=false
I'll see if I can add a few of the missing configs.
Phil
Pablo Vidaurri
Mar 26, 2025, 2:34:08 PMMar 26
to CAS Community, Phil Hale, Pablo Vidaurri
So I see in your logs you have (client_name=CasClient, perhaps define in service file??)
but in your config you have
cas.authn.pac4j.saml[0].clientName=TAMUCC_AAD
cas.authn.pac4j.saml[0].clientName=TAMUCC_AAD
If you have client name defined in service file, then your config needs to have a clientName with the same value as your service file.
-psv
Phil Hale
Mar 26, 2025, 10:58:52 PMMar 26
to CAS Community, Pablo Vidaurri, Phil Hale
Hey Pablo,
I do have the TAMUCC_AAD defined in each of the client service files. Example:
accessStrategy:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
delegatedAuthenticationPolicy:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
allowedProviders:
[
java.util.ArrayList
[
TAMUCC_AAD
]
]
permitUndefined: false
exclusive: true
}
}
{
@class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
delegatedAuthenticationPolicy:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
allowedProviders:
[
java.util.ArrayList
[
TAMUCC_AAD
]
]
permitUndefined: false
exclusive: true
}
}
Phil
Brian T. Huntley
May 7, 2025, 10:33:22 PMMay 7
to cas-...@apereo.org, Phil Hale
Phil - did you ever have any luck with this? I'm running into the same problem. 7.1.6.
Thanks,
Brian
Brian T. Huntley, CISSP
Director of Network Services and Information Security
Office of Information Technology
Clarkson University
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/621e0fb6-8b1a-4c57-8216-410306f1282an%40apereo.org.
Brian T. Huntley
May 9, 2025, 10:22:04 PMMay 9
to Phil Hale, CAS Community
Hi Phil thanks for the reply. I've still not had any luck either.
Community -
Does /anyone/ have a working config for the Palantir admin interface they'd be willing to share or at least a comprehensive list of cas.properties entries that are required to make it work?
Thanks in advance
Brian
Brian T. Huntley, CISSP
Director of Network Services and Information Security
Office of Information Technology
Clarkson University
On Fri, May 9, 2025 at 2:46 PM Phil Hale <phal...@gmail.com> wrote:
Hello Brian,No, I've not found an answer yet. I've even moved on to trying to upgrade to the 7.2.x release and I'm still encounting the same issues. I've compared the config settings for Delegated Authentication from the 7.2 (and 7.1) CAS documentation and as far as I can tell, I'm not missing any property changes. I'm not sure what to do at this point. We are attempting to get some consulting hours from Unicon, but I'm not sure yet if my bosses are going to approve the funding. Hopefully someone can point us in the right direction.Phil
Phil Hale
May 9, 2025, 10:53:46 PMMay 9
to CAS Community, Brian T. Huntley, Phil Hale
Hello Brian,
No, I've not found an answer yet. I've even moved on to trying to upgrade to the 7.2.x release and I'm still encounting the same issues. I've compared the config settings for Delegated Authentication from the 7.2 (and 7.1) CAS documentation and as far as I can tell, I'm not missing any property changes. I'm not sure what to do at this point. We are attempting to get some consulting hours from Unicon, but I'm not sure yet if my bosses are going to approve the funding. Hopefully someone can point us in the right direction.
Phil
On Wednesday, May 7, 2025 at 9:33:22 PM UTC-5 Brian T. Huntley wrote:
Aaron Chantrill
May 12, 2025, 4:38:25 PMMay 12
to cas-...@apereo.org
I had a similar issue. I found that I had to add:
cas.service-registry.core.init-from-json=true
cas.service-registry.json.location=file:c:\etc\cas\services
to my system.properties file to get my configuration to locate and read my json service files. This started in CAS 7.1.
To unsubscribe from this group and stop receiving emails from it, send an email to https://url.us.m.mimecastprotect.com/s/vPkWClYkq5cXvg8QLu1tBfzQWu-?domain=apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/621e0fb6-8b1a-4c57-8216-410306f1282an%40apereo.org.
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/70f94a61-c160-439a-84e8-e6c43cd5032an%40apereo.org.
--
Ray Bon
May 12, 2025, 4:38:39 PMMay 12
to cas-...@apereo.org
For Palantir; in build.gradle
implementation "org.apereo.cas:cas-server-support-palantir"
// and maybe
implementation "org.apereo.cas:cas-server-support-reports"
implementation "org.apereo.cas:cas-server-support-metrics"
implementation "org.apereo.cas:cas-server-support-metrics"
in application.properties
spring.security.user.name=casuser
spring.security.user.password=Mellon
# affects: health.show-details
management.endpoints.access.default=UNRESTRICTED
management.endpoints.web.exposure.include=*
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
That should get you in to palantir. I am still trying to piece it all together.
Ray
From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Phil Hale <phal...@gmail.com>
Sent: May 9, 2025 11:46
To: CAS Community <cas-...@apereo.org>
Cc: Brian T. Huntley <bhun...@clarkson.edu>; Phil Hale <phal...@gmail.com>
Subject: Re: [cas-user] Re: Issues upgrading from CAS 7.0.x to CAS 7.1.x
Sent: May 9, 2025 11:46
To: CAS Community <cas-...@apereo.org>
Cc: Brian T. Huntley <bhun...@clarkson.edu>; Phil Hale <phal...@gmail.com>
Subject: Re: [cas-user] Re: Issues upgrading from CAS 7.0.x to CAS 7.1.x
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/70f94a61-c160-439a-84e8-e6c43cd5032an%40apereo.org.
Reply all
Reply to author
Forward
0 new messages