By: Guilherme Capilé Account Admin 15 May 2019 at 1:54 p.m. CDT

10 Responses
Was expecting to see the Enabled authentication methods in Casa (3.1.6) available in the user credentials page, but the user credentials page is empty (only shows intro text, and no 2FA request is made). Independently of the authentication method configured in Gluu (several are enabled on _Manage Custom Scripts_, including OTP, U2F and FIDO2), and enabled in Casa _Enabled authentication methods_ page, they don't show up for the user.

Gluu is configured with cache refresh to an OpenLDAP server, and at some point we had to update the property mapping in cache refresh and LDAP authentication to have the authentication methods listed in Casa. Is there any required missing mapping or configuration?

In our LDAP service, *uid* is a unique number and authentication should be done using *cn* or *mail*. Gluu config is:

**Manage Authentication > Manage LDAP Authentication**:

- Primary Key: cn
- Local Primary Key: cn (I've enabled CN as an attribute in _Configuration > Attributes_)

**Cache Refresh > Cache Refresh**

Add source attribute to destination attribute mapping:

- cn -> cn
- mail -> mail
- displayName -> displayName
- memberOf -> memberOf
- givenName -> givenName
- sn -> sn
- uid -> uid

**Cache Refresh > Customer Backend Key/Attributes**

Key Attribute: uid

Source Attribute:

- uid
- memberOf
- givenName
- sn
- mail
- displayName
- cn

Thanks in advance,
Guilherme Capilé

By Jose Gonzalez staff 16 May 2019 at 7:23 a.m. CDT

Hi,

> OTP, U2F and FIDO2

There is no support for FIDO 2 in Casa: https://gluu.org/docs/casa/#two-factor-authentication

> at some point we had to update the property mapping in cache refresh and LDAP authentication to have the authentication methods listed in Casa.

Conceptually I see no correlation of cache refresh wrt the list of methods. The basic supply for computing that list is the contents of your server's OpenID provider configuration URL, i.e. `https://<your-gluu-host>/.well-known/openid-configuration` (see section `acr_values_supported` of the JSON document).

Once you enable a script corresponding to an authentication method in oxTrust admin UI, it takes a moment for it to appear in Casa, as stated [here](https://gluu.org/docs/casa/administration/admin-console/#configure-casa).

> only shows intro text, and no 2FA request is made

So there are no links to navigate to pages for enrolling credentials, right? Like this: https://gluu.org/docs/casa/img/dashboard-no-creds-enrolled.png

In that case, please do:

1. Set your casa to use TRACE logging level
2. Stop casa
3. Delete files in `/opt/gluu/jetty/casa/logs/`
4. Start casa
5. Login again with admin credentials
6. Attach or copy contents of `/opt/gluu/jetty/casa/logs/casa.log`
7. Attach or copy here `/etc/gluu/conf/casa.json`

By Guilherme Capilé Account Admin 16 May 2019 at 2 p.m. CDT

Ola, here is the contents of /opt/gluu/jetty/casa/logs/casa.log:

```
16-05 20:36:49.234 INFO [main] casa.core.filter.LocaleInterceptor LocaleInterceptor.java:29- Locale filter initialized
16-05 20:36:49.635 INFO [main] gluu.casa.core.ZKService ZKService.java:57- ZK initialized
16-05 20:36:49.840 INFO [main] gluu.casa.core.ConfigurationHandler ConfigurationHandler.java:84- ConfigurationHandler inited
16-05 20:36:50.206 INFO [main] gluu.casa.conf.MainSettingsProducer MainSettingsProducer.java:60- init. Obtaining global settings
16-05 20:36:50.220 INFO [main] gluu.casa.conf.MainSettingsProducer MainSettingsProducer.java:63- init. Gluu base inferred was /etc/gluu
16-05 20:36:50.483 INFO [main] gluu.casa.core.LogService LogService.java:97- Using TRACE for log level
16-05 20:36:51.657 INFO [main] gluu.casa.core.LdapService LdapService.java:95- LDAPService was initialized successfully
16-05 20:36:51.665 INFO [main] gluu.casa.core.ZKService ZKService.java:92- Loading application labels
16-05 20:36:51.666 TRACE [main] gluu.casa.core.ZKService ZKService.java:107- War labels base is file:/opt/jetty-9.4/temp/jetty-localhost-8091-casa.war-_casa-any-5791662628236963088.dir/webapp/WEB-INF/classes/labels/
16-05 20:36:51.666 INFO [main] gluu.casa.core.ZKService ZKService.java:117- War resource bundles are: [general, admin, user]
16-05 20:36:51.684 DEBUG [main] gluu.casa.core.ZKService ZKService.java:143- Locales supported are: []
16-05 20:36:51.685 INFO [main] gluu.casa.core.ZKService ZKService.java:151- Labels registered
16-05 20:36:51.710 INFO [main] gluu.casa.misc.CssRulesResolver CssRulesResolver.java:35- CssRules ZK VariableResolver initialized successfully
16-05 20:36:52.500 INFO [main] casa.core.filter.CorsFilter CorsFilter.java:39- CORS filter initialized
16-05 20:36:57.213 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:311- Found system extension 'org.gluu.casa.plugins.authnmethod.OTPSmsExtension' for twilio_sms
16-05 20:36:57.231 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:311- Found system extension 'org.gluu.casa.plugins.authnmethod.SuperGluuExtension' for super_gluu
16-05 20:36:57.231 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:311- Found system extension 'org.gluu.casa.plugins.authnmethod.SecurityKeyExtension' for u2f
16-05 20:36:57.231 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:311- Found system extension 'org.gluu.casa.plugins.authnmethod.OTPExtension' for otp
16-05 20:36:57.232 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:94- Loading external plugins...
16-05 20:36:57.291 DEBUG [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:223- Loaded plugin custom-branding, now in state RESOLVED
16-05 20:36:57.299 DEBUG [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:223- Loaded plugin strong-authn-settings, now in state RESOLVED
16-05 20:36:57.299 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:107- Total plugins loaded 2
16-05 20:36:57.302 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:283- Plugin custom-branding started
16-05 20:36:57.303 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:345- Extracting resources for plugin custom-branding to /opt/jetty-9.4/temp/jetty-localhost-8091-casa.war-_casa-any-5791662628236963088.dir/webapp/pl/custom-branding
16-05 20:36:57.309 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/
16-05 20:36:57.309 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/
16-05 20:36:57.310 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/index.zul
16-05 20:36:57.310 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/menu.zul
16-05 20:36:57.311 INFO [casaScheduler_Worker-1] gluu.casa.core.ZKService ZKService.java:161- Registering labels of plugin custom-branding
16-05 20:36:57.336 INFO [casaScheduler_Worker-1] gluu.casa.core.RSRegistryHandler RSRegistryHandler.java:84- RestEasy registry is accessible. Addition of REST services at runtime will be available
16-05 20:36:57.339 INFO [casaScheduler_Worker-1] gluu.casa.core.RSRegistryHandler RSRegistryHandler.java:205- 0 RestEasy resource class(es) registered
16-05 20:36:57.363 INFO [casaScheduler_Worker-1] gluu.casa.core.LogService LogService.java:68- Adding logger for org.gluu.casa.plugins
16-05 20:36:57.363 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:124- Plugin custom-branding (org.gluu.casa.plugins.branding.CustomBrandingPlugin) started
16-05 20:36:57.364 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:128- Plugin's extensions are at: [org.gluu.casa.plugins.branding.CustomBrandingMenu]
16-05 20:36:57.364 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:131-
16-05 20:36:57.365 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:283- Plugin strong-authn-settings started
16-05 20:36:57.368 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:345- Extracting resources for plugin strong-authn-settings to /opt/jetty-9.4/temp/jetty-localhost-8091-casa.war-_casa-any-5791662628236963088.dir/webapp/pl/strong-authn-settings
16-05 20:36:57.368 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/
16-05 20:36:57.368 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/
16-05 20:36:57.369 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/menu.zul
16-05 20:36:57.369 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/strongauth.zul
16-05 20:36:57.369 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/index.zul
16-05 20:36:57.370 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/policy.zul
16-05 20:36:57.370 INFO [casaScheduler_Worker-1] gluu.casa.core.ZKService ZKService.java:161- Registering labels of plugin strong-authn-settings
16-05 20:36:57.371 INFO [casaScheduler_Worker-1] gluu.casa.core.RSRegistryHandler RSRegistryHandler.java:205- 0 RestEasy resource class(es) registered
16-05 20:36:57.371 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:124- Plugin strong-authn-settings (org.gluu.casa.plugins.strongauthn.StrongAuthnSettingsPlugin) started
16-05 20:36:57.372 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:128- Plugin's extensions are at: [org.gluu.casa.plugins.strongauthn.StrongAuthnSettingsFragment, org.gluu.casa.plugins.strongauthn.StrongAuthnSettingsMenu]
16-05 20:36:57.372 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:131-
16-05 20:36:57.372 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:139- Total plugins started: 2
16-05 20:36:57.372 INFO [casaScheduler_Worker-1] gluu.casa.core.ZKService ZKService.java:182- Refreshing labels
16-05 20:36:57.457 INFO [casaScheduler_Worker-1] gluu.casa.core.ConfigurationHandler ConfigurationHandler.java:161- === WEBAPP INITIALIZED SUCCESSFULLY ===
16-05 20:36:58.528 TRACE [casaScheduler_Worker-2] gluu.casa.core.LdapService LdapService.java:272- modify. Operation result was 'success'
16-05 20:37:19.502 INFO [qtp1254526270-16] casa.core.filter.LocaleInterceptor LocaleInterceptor.java:54- Locale for this session will be 'en'
16-05 20:37:20.001 DEBUG [qtp1254526270-16] casa.core.navigation.HomeInitiator HomeInitiator.java:103- Starting authorization flow
16-05 20:37:20.195 DEBUG [qtp1254526270-16] gluu.casa.misc.WebUtils WebUtils.java:95- Redirecting to URL=https://sso.example.com/oxauth/restv1/authorize?response_type=code&client_id=@!FCBB.2A20.2C7C.87DB!0001!D925.D236!0008!2A11.20FC.6D0B.CF8D&redirect_uri=https://sso.example.com/casa&scope=openid+profile+user_name+clientinfo&state=pshgvq0o2kuk9fdsl4dndk8q2j&nonce=nm6of3gc3f8sg3k4qhnm03fj9f&acr_values=casa
16-05 20:37:27.147 DEBUG [qtp1254526270-9] casa.core.navigation.HomeInitiator HomeInitiator.java:70- Authorization code=efd4e107-62a6-4568-9670-87d1d17dad8c, Access token=c8a818be-1fb4-48f9-a314-fb0fefc869ee, Id token eyJraWQiOiI4MGE1ZTFhZS02YjhjLTRkYjgtODQwMi1mYjljMDA1NzE1NWMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3Nzby5maXJzdC5vcmciLCJhdWQiOiJAIUZDQkIuMkEyMC4yQzdDLjg3REIhMDAwMSFEOTI1LkQyMzYhMDAwOCEyQTExLjIwRkMuNkQwQi5DRjhEIiwiZXhwIjoxNTU4MDM1NDQ3LCJpYXQiOjE1NTgwMzE4NDcsImFjciI6ImNhc2EiLCJhbXIiOlsiMSJdLCJub25jZSI6Im5tNm9mM2djM2Y4c2czazRxaG5tMDNmajlmIiwiYXV0aF90aW1lIjoxNTU4MDMxODQ1LCJhdF9oYXNoIjoiWGZUMVVRb1ZPTzJmVjFJVjlkTXpodyIsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCIsInN1YiI6IkpvSk1XbzZZNWpQWldKbjdEYTJoZzNWM2ZQS0hGZkZtUmNZN3ZNaTR5TDAifQ.sGbF7zJdyzVsPGdb0HvVnTjLm9dhVJiGI-6Y3N5MFPQxOtBqMz8C45U5E8s48HVTSsqe0ZQz53x01wx8Zxi1lSjvn9ZInIxrdqyhEcO9tyV-GlSXvgs9qPkAhMnUV3IhXqICpsz2oYaOWh_9M_SIUmUmXRw3xGf0Ck7M9dkBepBusBGttwICJHTG5eujPOhTkpcN7nnQFp9DJh-V3Xa2HitfVPVNqF0RMukJ9GCUBJD3vZwDpRLfhuuizCKwraB3JnOhCgi7Al0iCJycZlatqq3cWjTK5LfGCFhdTQwJiVArj0ZrRrBlWOLYRBoNkx1u5xbsfunGu-X-_5RPf6W2vQ
16-05 20:37:27.237 TRACE [qtp1254526270-9] gluu.casa.core.UserService UserService.java:61- Creating a user instance from claims. Username is 18300256
16-05 20:37:27.256 DEBUG [qtp1254526270-9] casa.core.navigation.HomeInitiator HomeInitiator.java:74- Adding user to session
16-05 20:37:29.794 TRACE [qtp1254526270-10] casa.ui.vm.HomeViewModel HomeViewModel.java:56- Browser data is {"description":"Firefox 68.0 on Linux 64-bit","layout":"Gecko","manufacturer":null,"name":"Firefox","prerelease":null,"product":null,"ua":null,"version":"68.0","os":{"architecture":64,"family":"Linux","version":null},"offset":-10800,"screenWidth":1920}
16-05 20:37:29.795 TRACE [qtp1254526270-10] casa.ui.vm.HomeViewModel HomeViewModel.java:78- Time offset for session is -03:00
16-05 20:37:29.795 TRACE [qtp1254526270-10] casa.ui.vm.HomeViewModel HomeViewModel.java:62- Detected browser is not mobile
16-05 20:37:30.297 DEBUG [qtp1254526270-14] casa.core.navigation.HomeInitiator HomeInitiator.java:85- Taking user to homepage...
16-05 20:37:30.298 DEBUG [qtp1254526270-14] gluu.casa.misc.WebUtils WebUtils.java:95- Redirecting to URL=user.zul
```

And this is the content of **/etc/gluu/conf/casa.json**:

```
{
  "enable_pass_reset" : true,
  "use_branding" : false,
  "log_level" : "TRACE",
  "min_creds_2FA" : 2,
  "ldap_settings" : {
    "salt" : "/etc/gluu/conf/salt",
    "ox-ldap_location" : "/etc/gluu/conf/ox-ldap.properties"
  },
  "policy_2fa" : [ "EVERY_LOGIN" ],
  "acr_plugin_mapping" : {
    "otp" : null
  },
  "plugins" : [ {
    "id" : "custom-branding",
    "relativePath" : "custom-branding-3.1.6.Final_.jar",
    "state" : "STARTED"
  }, {
    "id" : "strong-authn-settings",
    "relativePath" : "strong-authn-settings-3.1.6.Final_.jar",
    "state" : "STARTED"
  } ],
  "extra_css" : ".cust-header{ background-color : #ffffff; }\n.cust-footer-rule{ content: 'FIRST.Org, Inc. SSO ?; }\n",
  "oxd_config" : {
    "host" : "localhost",
    "port" : 8099,
    "authz_redirect_uri" : "https://sso.example.com/casa",
    "post_logout_uri" : "https://sso.example.com/casa/bye.zul",
    "frontchannel_logout_uri" : "https://sso.example.com/casa/autologout",
    "use_https_extension" : false,
    "client" : {
      "oxdId" : "cdf54392-58f5-4c0c-90e1-7d0d1cca548c",
      "clientName" : "gluu-casa_1557880127"
    }
  }
}
```

I thought the issue was with the cn/uid mapping, and changing the user_name claim and the LDAP authentication keys between cn/uid still prevented the display of the 2FA options.

![screenshot](https://tecnodz.com/gluu-blank.png)

The only error/warning I get in the logs is this line in the oxauth.log:

```
2019-05-16 20:48:39,307 ERROR [qtp1094834071-23933] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:608) - Failed to get attributes from session
```

Best regards,
Guilherme Capilé

By Jose Gonzalez staff 17 May 2019 at 7:37 a.m. CDT

Everything looking fine there.

After deeper inspection in code I found the origin of the problem: the widgets in the home page are shown as long as the user has a local password (for 2FA to make sense) unless there is cache refresh in place… Casa is unable to correctly determine whether you are using CR or not. Apparently the check in place needs to be relaxed a bit. I opened an [issue](https://github.com/GluuFederation/casa/issues/64) for it.

The fix is very simple so I can regenerate the application war file for you to patch it. I'll update here soon....

By Jose Gonzalez staff 17 May 2019 at 10:51 a.m. CDT

Hi, here are the steps in case you want to include the hotfix:

1. Login to gluu chroot (eg `service gluu-server-3.1.6 login`)
2. Backup current app war: `cp /opt/gluu/jetty/casa/webapps/casa.war casa.war.bak`
3. Download war with latest fix: `wget https://ox.gluu.org/maven/org/xdi/casa/3.1.6.Final/casa-3.1.6.Final.war`
4. Stop casa: `service casa stop`
5. Overwrite file: `mv casa-3.1.6.Final.war /opt/gluu/jetty/casa/webapps/casa.war`
6. Start casa

From there you should be able to see in the log messages like "Backend ldap for cache refresh was detected" and "Pass reset set automatically to false..." which indicates that casa is aware of CR presence. The menus and widgets for enrollment should appear now.

Let me know if that worked.

By Guilherme Capilé Account Admin 20 May 2019 at 1:59 p.m. CDT

Ola, it partially worked. We can see now the 2FA credentials and sub pages after logging into Casa, but the admin page is gone. Also, the 2FA is not being requested at signin, only after entering 2 different 2FA we're allowed to change our _Preferred Authentication Mechanism_ and then make it appear at the login screen. Nonetheless, we suspect that this might be configurable, if only we could see the admin screen. I even reverted to the casa.war.bak, but to no avail, we still could not see the admin screen (is this any caching issue?).

No errors at the log, this is what appears on start and signin:

```
20-05 20:53:01.241 INFO [main] gluu.casa.core.ZKService ZKService.java:57- ZK initialized
20-05 20:53:01.594 INFO [main] gluu.casa.core.ConfigurationHandler ConfigurationHandler.java:84- ConfigurationHandler inited
20-05 20:53:02.093 INFO [main] gluu.casa.conf.MainSettingsProducer MainSettingsProducer.java:60- init. Obtaining global settings
20-05 20:53:02.096 INFO [main] gluu.casa.conf.MainSettingsProducer MainSettingsProducer.java:63- init. Gluu base inferred was /etc/gluu
20-05 20:53:02.406 INFO [main] gluu.casa.core.LogService LogService.java:97- Using TRACE for log level
20-05 20:53:03.662 INFO [main] gluu.casa.core.LdapService LdapService.java:359- Backend ldap for cache refresh was detected
20-05 20:53:03.662 INFO [main] gluu.casa.core.LdapService LdapService.java:95- LDAPService was initialized successfully
20-05 20:53:03.675 INFO [main] gluu.casa.core.ZKService ZKService.java:92- Loading application labels
20-05 20:53:03.676 TRACE [main] gluu.casa.core.ZKService ZKService.java:107- War labels base is file:/opt/jetty-9.4/temp/jetty-localhost-8091-casa.war-_casa-any-7745586300552582309.dir/webapp/WEB-INF/classes/labels/
20-05 20:53:03.677 INFO [main] gluu.casa.core.ZKService ZKService.java:117- War resource bundles are: [general, admin, user]
20-05 20:53:03.678 DEBUG [main] gluu.casa.core.ZKService ZKService.java:143- Locales supported are: []
20-05 20:53:03.703 INFO [main] gluu.casa.core.ZKService ZKService.java:151- Labels registered
20-05 20:53:03.727 INFO [main] gluu.casa.misc.CssRulesResolver CssRulesResolver.java:35- CssRules ZK VariableResolver initialized successfully
20-05 20:53:04.893 INFO [main] casa.core.filter.CorsFilter CorsFilter.java:39- CORS filter initialized
20-05 20:53:09.492 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:311- Found system extension 'org.gluu.casa.plugins.authnmethod.OTPSmsExtension' for twilio_sms
20-05 20:53:09.510 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:311- Found system extension 'org.gluu.casa.plugins.authnmethod.SuperGluuExtension' for super_gluu
20-05 20:53:09.510 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:311- Found system extension 'org.gluu.casa.plugins.authnmethod.SecurityKeyExtension' for u2f
20-05 20:53:09.511 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:311- Found system extension 'org.gluu.casa.plugins.authnmethod.OTPExtension' for otp
20-05 20:53:09.511 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:94- Loading external plugins...
20-05 20:53:09.561 DEBUG [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:223- Loaded plugin custom-branding, now in state RESOLVED
20-05 20:53:09.569 DEBUG [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:223- Loaded plugin strong-authn-settings, now in state RESOLVED
20-05 20:53:09.570 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:107- Total plugins loaded 2
20-05 20:53:09.589 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:283- Plugin custom-branding started
20-05 20:53:09.592 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:345- Extracting resources for plugin custom-branding to /opt/jetty-9.4/temp/jetty-localhost-8091-casa.war-_casa-any-7745586300552582309.dir/webapp/pl/custom-branding
20-05 20:53:09.594 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/
20-05 20:53:09.595 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/
20-05 20:53:09.595 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/index.zul
20-05 20:53:09.606 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/menu.zul
20-05 20:53:09.607 INFO [casaScheduler_Worker-1] gluu.casa.core.ZKService ZKService.java:161- Registering labels of plugin custom-branding
20-05 20:53:09.661 INFO [casaScheduler_Worker-1] gluu.casa.core.RSRegistryHandler RSRegistryHandler.java:84- RestEasy registry is accessible. Addition of REST services at runtime will be available
20-05 20:53:09.676 INFO [casaScheduler_Worker-1] gluu.casa.core.RSRegistryHandler RSRegistryHandler.java:205- 0 RestEasy resource class(es) registered
20-05 20:53:09.676 INFO [casaScheduler_Worker-1] gluu.casa.core.LogService LogService.java:68- Adding logger for org.gluu.casa.plugins
20-05 20:53:09.677 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:124- Plugin custom-branding (org.gluu.casa.plugins.branding.CustomBrandingPlugin) started
20-05 20:53:09.677 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:128- Plugin's extensions are at: [org.gluu.casa.plugins.branding.CustomBrandingMenu]
20-05 20:53:09.677 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:131-
20-05 20:53:09.685 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:283- Plugin strong-authn-settings started
20-05 20:53:09.687 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:345- Extracting resources for plugin strong-authn-settings to /opt/jetty-9.4/temp/jetty-localhost-8091-casa.war-_casa-any-7745586300552582309.dir/webapp/pl/strong-authn-settings
20-05 20:53:09.688 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/
20-05 20:53:09.688 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/
20-05 20:53:09.689 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/menu.zul
20-05 20:53:09.689 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/admin/strongauth.zul
20-05 20:53:09.690 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/index.zul
20-05 20:53:09.705 TRACE [casaScheduler_Worker-1] gluu.casa.core.ResourceExtractor ResourceExtractor.java:112- Extracting assets/policy.zul
20-05 20:53:09.707 INFO [casaScheduler_Worker-1] gluu.casa.core.ZKService ZKService.java:161- Registering labels of plugin strong-authn-settings
20-05 20:53:09.708 INFO [casaScheduler_Worker-1] gluu.casa.core.RSRegistryHandler RSRegistryHandler.java:205- 0 RestEasy resource class(es) registered
20-05 20:53:09.709 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:124- Plugin strong-authn-settings (org.gluu.casa.plugins.strongauthn.StrongAuthnSettingsPlugin) started
20-05 20:53:09.709 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:128- Plugin's extensions are at: [org.gluu.casa.plugins.strongauthn.StrongAuthnSettingsFragment, org.gluu.casa.plugins.strongauthn.StrongAuthnSettingsMenu]
20-05 20:53:09.709 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:131-
20-05 20:53:09.710 INFO [casaScheduler_Worker-1] gluu.casa.core.ExtensionsManager ExtensionsManager.java:139- Total plugins started: 2
20-05 20:53:09.710 INFO [casaScheduler_Worker-1] gluu.casa.core.ZKService ZKService.java:182- Refreshing labels
20-05 20:53:09.791 INFO [casaScheduler_Worker-1] gluu.casa.core.ConfigurationHandler ConfigurationHandler.java:161- === WEBAPP INITIALIZED SUCCESSFULLY ===
20-05 20:53:10.952 TRACE [casaScheduler_Worker-2] gluu.casa.core.LdapService LdapService.java:272- modify. Operation result was 'success'
=== siginin
20-05 20:53:42.862 INFO [qtp1254526270-16] casa.core.filter.LocaleInterceptor LocaleInterceptor.java:54- Locale for this session will be 'en'
20-05 20:53:43.544 DEBUG [qtp1254526270-16] casa.core.navigation.HomeInitiator HomeInitiator.java:103- Starting authorization flow
20-05 20:53:43.782 DEBUG [qtp1254526270-16] gluu.casa.misc.WebUtils WebUtils.java:95- Redirecting to URL=https://sso.example.com/oxauth/restv1/authorize?response_type=code&client_id=****&redirect_uri=https://sso.example.com/casa&scope=openid+profile+user_name+clientinfo&state=7217g94a1u03pl6qqiulbqckhp&nonce=ocfiolv3uhmq75cici1bolg0tr&acr_values=casa
20-05 20:53:59.899 DEBUG [qtp1254526270-9] casa.core.navigation.HomeInitiator HomeInitiator.java:70- Authorization code=****, Access token=****, Id token ****
20-05 20:54:00.110 TRACE [qtp1254526270-9] gluu.casa.core.UserService UserService.java:61- Creating a user instance from claims. Username is 18300256
20-05 20:54:00.157 DEBUG [qtp1254526270-9] casa.core.navigation.HomeInitiator HomeInitiator.java:74- Adding user to session
20-05 20:54:03.008 TRACE [qtp1254526270-16] casa.ui.vm.HomeViewModel HomeViewModel.java:56- Browser data is {"description":"Firefox 68.0 on Linux 64-bit","layout":"Gecko","manufacturer":null,"name":"Firefox","prerelease":null,"product":null,"ua":null,"version":"68.0","os":{"architecture":64,"family":"Linux","version":null},"offset":-10800,"screenWidth":1920}
20-05 20:54:03.010 TRACE [qtp1254526270-16] casa.ui.vm.HomeViewModel HomeViewModel.java:78- Time offset for session is -03:00
20-05 20:54:03.012 TRACE [qtp1254526270-16] casa.ui.vm.HomeViewModel HomeViewModel.java:62- Detected browser is not mobile
20-05 20:54:03.595 DEBUG [qtp1254526270-41] casa.core.navigation.HomeInitiator HomeInitiator.java:85- Taking user to homepage...
20-05 20:54:03.596 DEBUG [qtp1254526270-41] gluu.casa.misc.WebUtils WebUtils.java:95- Redirecting to URL=user.zul
20-05 20:54:04.601 INFO [qtp1254526270-9] plugins.authnmethod.service.U2fService U2fService.java:64- U2f settings found were: {"appId":"https://sso.example.com","endpointUrl":"https://sso.example.com/.well-known/fido-configuration"}
20-05 20:54:05.198 INFO [qtp1254526270-9] ui.vm.user.UserPreferenceViewModel UserPreferenceViewModel.java:96- Number of credentials for user 18300256: 2
20-05 20:54:05.395 TRACE [qtp1254526270-9] plugins.authnmethod.service.OTPService OTPService.java:101- getDevices. User '@!FCBB.2A20.2C7C.87DB!0001!D925.D236!0000!31D9.4ADA' has [1358604167, -1013968402]
20-05 20:54:05.418 TRACE [qtp1254526270-9] plugins.authnmethod.service.FidoService FidoService.java:143- getDevices. User '@!FCBB.2A20.2C7C.87DB!0001!D925.D236!0000!31D9.4ADA' has []
```

Thanks for all the hard work!

Best regards,
Guilherme Capilé
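
At TRACE level, casa.log records the authorization code, access token and ID token on the `HomeInitiator.java:70` line and the `client_id` in the authorize redirect; the log in the post above has those values replaced with `****`. As an added example (not part of the original thread and not Casa code), this Python filter applies the same masking to log text before it is shared. The function names are hypothetical and the sample lines and their values are constructed.

```python
"""Mask credentials in Casa TRACE log text before sharing it.

Added illustration, not part of Casa. The patterns follow the log line
shapes shown in this thread; all names here are hypothetical.
"""
import re

MASK = "****"

# Each pattern has two groups: (prefix to keep)(secret value to mask).
_PATTERNS = [
    # HomeInitiator.java:70 line: "Authorization code=..., Access token=..., Id token ..."
    re.compile(r"(Authorization code=|Access token=|Id token )([^,\s]+)"),
    # client_id query parameter in the authorize redirect URL
    re.compile(r"([?&]client_id=)([^&\s]+)"),
    # Any remaining JWT-shaped string (three base64url segments starting with eyJ)
    re.compile(r"()(\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)"),
]


def redact_line(line):
    """Return (masked_line, number_of_values_masked) for one log line."""
    hits = 0

    def repl(match):
        nonlocal hits
        if match.group(2) == MASK:      # already masked: leave untouched
            return match.group(0)
        hits += 1
        return match.group(1) + MASK

    for pattern in _PATTERNS:
        line = pattern.sub(repl, line)
    return line, hits


def redact_log(text):
    """Mask a whole log. Returns (masked_text, {line_number: values_masked})."""
    out, report = [], {}
    for number, line in enumerate(text.splitlines(keepends=True), start=1):
        masked, hits = redact_line(line)
        out.append(masked)
        if hits:
            report[number] = hits
    return "".join(out), report


# Constructed sample in the casa.log format; every identifier and token is fake.
SAMPLE_LOG = (
    "16-05 20:37:20.195 DEBUG [qtp1-16] gluu.casa.misc.WebUtils WebUtils.java:95- "
    "Redirecting to URL=https://sso.example.com/oxauth/restv1/authorize?"
    "response_type=code&client_id=@!AAAA.BBBB!0008!CCCC.DDDD"
    "&redirect_uri=https://sso.example.com/casa&acr_values=casa\n"
    "16-05 20:37:27.147 DEBUG [qtp1-9] casa.core.navigation.HomeInitiator "
    "HomeInitiator.java:70- Authorization code=00000000-aaaa-bbbb-cccc-000000000001, "
    "Access token=00000000-aaaa-bbbb-cccc-000000000002, "
    "Id token eyJhbGciOiJub25lIn0.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2ln\n"
    "16-05 20:37:27.256 DEBUG [qtp1-9] casa.core.navigation.HomeInitiator "
    "HomeInitiator.java:74- Adding user to session\n"
)

if __name__ == "__main__":
    masked_text, report = redact_log(SAMPLE_LOG)
    print(masked_text, end="")
    print("values masked per line:", report)
```

The per-line report doubles as a pre-posting check: an empty report on a second pass means nothing matching these patterns is left in the text.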

By Jose Gonzalez staff 20 May 2019 at 3:01 p.m. CDT

> I even reverted to the casa.war.bak, but to no avail, we still could not see the admin screen (is this any caching issue?).

Not seeing admin options even using original war? That's weird! Casa will show admin options if user (inum) is part of administrative group of local ldap. Can you double check this user really belongs to admin group in oxTrust? Every time a user logs in, the membership check is performed, so no browser cache here...

> Also, the 2FA is not being requested at signin, only after entering 2 different 2FA we're allowed to change our Preferred Authentication Mechanism and then make it appear at the login screen.

That's the expected behavior: enrolling first, then make 2FA effective (both once you are in Casa). We don't request the 2-3 required credentials for 2FA at sign-in time. If you want to offer an experience like forcing users to enroll from first usage, you can employ [this feature](https://gluu.org/docs/casa/administration/2fa-basics/#forcing-users-to-enroll-a-specific-credential-before-2fa-is-available) which may prove useful although it is not exactly the same.

By Guilherme Capilé Account Admin 20 May 2019 at 8:19 p.m. CDT

Ahh, that made the trick! I was also copying the **memberOf** attribute, so it was overwriting Gluu's. Browsing through the internal LDAP server I was able to preview the full record.

May I ask a couple more questions on the Cache Refresh and Gluu/Casa behavior? Does CR make a full comparison between the two LDAP servers, or does it use an internal property, like **modifyTimestamp** to check if the records should be compared? Because even though I changed the CR source to destination mapping (renaming it to groups), they are not being removed from Gluu's LDAP... Or is memberOf, being an overlay, not affected by this?

Many thanks!

Best regards,
Guilherme Capilé

By Aliaksandr Samuseu staff 21 May 2019 at 1:09 p.m. CDT

Hi, Guilherme. I'll try to answer this on Jose's behalf:

> Does CR make a full comparison between the two LDAP servers, or does it use an internal property, like modifyTimestamp to check if the records should be compared?

It's something in the middle. CR will use the attribute you designated as a key, as well as (optionally) additional filter conditions, to retrieve all entries under the specified branch in the source directory. It doesn't use any advanced logic, like comparing timestamps etc, just takes all entries which are returned with this filter, and then compares them against a set of hashes it created for them previously (stored in the snapshot dir, location of which you can find on its config page); if a hash is absent, or doesn't match the current one, this user is considered new / updated, and then it's marked for further processing, and the other data received from the source is discarded.

> Because even though I changed the CR source to destination mapping (renaming it to groups), they are not being removed from Gluu's LDAP

That's a different thing entirely. After mappings are changed, to push this change into user entries already cached by CR, it effectively needs to initiate full update of "ou=people" sub-tree. By design, this update isn't triggered automatically on mappings' change (though newly added users, and users changed in the source directory will see their locally cached entries updated according to the new mappings). To make sure new mappings are applied you need to stop CR from web UI, remove everything in the snapshot directory, and start it again. On its next run it will recreate the hash table and will treat all users as updated, thus will process them all.

> Or is memberOf, being an overlay, not affected by this?

A memberOf is a tricky attribute, indeed. I would recommend to not use it for your own needs in such scenario, but instead create a custom attribute to store group membership data for your users.

Hope this helps. If you have additional questions, please open a new ticket for each so we can keep each ticket as tightly focused as possible.

By Aliaksandr Samuseu staff 21 May 2019 at 1:16 p.m. CDT

Also, I'm pretty sure CR won't remove previously mapped attributes from entries if you remove a mapping for them at some point, neither right when you do it, nor after you trigger a full update using the method I suggested above. At least it didn't in the past (though we discussed a possible change of this logic before internally). I haven't tested this specific thing recently, though. I'll try it out when I have time.
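
The snapshot-hash behaviour described in the two replies above can be followed step by step in a small model. This is an added example, not Gluu Cache Refresh code: the class and method names are hypothetical, the sample entries are constructed, and the merge-style update (old mapped attributes are left in place) is an assumption taken from the follow-up reply.

```python
"""Toy model of snapshot-hash change detection as described in the replies above.

Added illustration only: this is not Gluu Cache Refresh code, and every name
here (CacheRefreshModel, run, clear_snapshots) is hypothetical.
"""
import hashlib
import json


def entry_hash(entry):
    """Stable hash of one source-directory entry (attribute order ignored)."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class CacheRefreshModel:
    def __init__(self, key_attr, mapping):
        self.key_attr = key_attr      # "Key Attribute" (uid in this thread)
        self.mapping = dict(mapping)  # source attribute -> destination attribute
        self.snapshot = {}            # key -> hash; stands in for the snapshot dir
        self.local = {}               # key -> cached entry; stands in for ou=people

    def run(self, source_entries):
        """One CR pass. Returns the keys treated as new or updated."""
        processed = []
        for src in source_entries:
            key = src[self.key_attr]
            digest = entry_hash(src)
            if self.snapshot.get(key) == digest:
                continue  # hash matches: entry is discarded, mappings not applied
            self.snapshot[key] = digest
            mapped = {dst: src[s] for s, dst in self.mapping.items() if s in src}
            # Assumption from the follow-up reply: attributes written by an
            # earlier mapping are left in place, so the update is a merge.
            self.local.setdefault(key, {}).update(mapped)
            processed.append(key)
        return processed

    def clear_snapshots(self):
        """Stands in for emptying the snapshot directory while CR is stopped."""
        self.snapshot.clear()


def demo():
    # Constructed sample entries; not data from the thread.
    source = [
        {"uid": "1001", "cn": "alice", "mail": "alice@example.com",
         "memberOf": "cn=staff,ou=groups,dc=example,dc=com"},
        {"uid": "1002", "cn": "bob", "mail": "bob@example.com",
         "memberOf": "cn=staff,ou=groups,dc=example,dc=com"},
    ]
    cr = CacheRefreshModel("uid", {"uid": "uid", "cn": "cn", "mail": "mail",
                                   "memberOf": "memberOf"})
    out = {}
    out["first_run"] = cr.run(source)             # no hashes yet: everyone is new
    out["second_run"] = cr.run(source)            # hashes match: nobody processed
    cr.mapping["memberOf"] = "groups"             # admin renames the destination
    out["after_mapping_change"] = cr.run(source)  # source unchanged: still nobody
    source[1]["mail"] = "bob@mail.example.com"    # one entry changes at the source
    out["after_source_change"] = cr.run(source)   # only that entry is remapped
    out["stale_user"] = dict(cr.local["1001"])    # untouched since the first run
    cr.clear_snapshots()
    out["after_snapshot_wipe"] = cr.run(source)   # full update of every entry
    out["final_user"] = dict(cr.local["1001"])
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, "->", value)
```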

By Guilherme Capilé Account Admin 21 May 2019 at 1:58 p.m. CDT

Many thanks for all the prompt responses! All problems solved.

Best regards,
Guilherme Capilé