...
Bloc de code |
---|
####################### ## Parametre serveur ## ####################### cas.server.name: https://cas.univ-rouen.fr cas.server.prefix: https://cas.univ-rouen.fr cas.audit.ignoreAuditFailures=false cas.audit.appCode=CAS cas.audit.numberOfDaysInHistory=30 cas.audit.includeValidationAssertion=false cas.audit.alternateServerAddrHeaderName= cas.audit.engine.alternate-client-addr-header-name=X-Forwarded-For cas.audit.useServerHostAddress=false # clearpass cas.clearpass.cacheCredential=true cas.clearpass.crypto.encryption.key=xxxxxxxxxxxxxxxxxxxxxxxxx cas.clearpass.crypto.signing.key=xxxxxxxxxxxxxxxxxxxxxxxxx # décommenter pour tester le modifs html sans redémarrer tomcat (doit être égal à false) spring #spring.thymeleaf.cache=truefalse ### On active le cache pour le formulaire d'authentication (par défaut:true) # When true, will inject the following headers into the response for non-static resources. # Cache-Control: no-cache, no-store, max-age=0, must-revalidate # Pragma: no-cache # Expires: 0 cas.http-web-request.header.cache=true ### Modification du timeout pour l'affichage du session report dans le dashboard (par défaut: 5s) cas.http-client.asyncTimeout=PT60S cas.http-client.connectionTimeout=PT5S cas.http-client.readTimeout=PT5S ### Valeur d'expiration des TGTs # Set to a negative value to never expire tickets cas.ticket.tgt.primary.max-time-to-live-in-seconds=1209600 cas.ticket.tgt.primary.time-to-kill-in-seconds=28800 ### Valeur expiration tickets service/proxy : 10sec par défaut, on augmente car latence sur les sogo ... cas.ticket.pt.timeToKillInSeconds=60 cas.ticket.st.timeToKillInSeconds=60 # rememberme cas.ticket.tgt.rememberMe.enabled=true cas.ticket.tgt.rememberMe.timeToKillInSeconds=1209600 # rememberme 2 semaines ok pour le cookie tgc.remember.me.maxAge=1209600 cas.tgc.rememberMeMaxAge=1209600 # pinToSession = false pour que ça fonctionne même si chgt d'IP par exemple. cas.tgc.pinToSession=false # Redirection vers l'url du service au lieu de la page de déconnexion du cas après logout cas.logout.follow-service-redirects=true ######### ## SLO ## ######### cas.slo.asynchronous=true cas.slo.disabled=false ###################### ## Access dashboard ## ###################### # https://apereo.github.io/2018/11/06/cas6-admin-endpoints-security/ management.endpoints.web.exposure.include=* management.endpoints.enabled-by-default=true cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=127.0.0.1,10.0.0.3 ######### ## Log ## ######### logging.config: file:/etc/cas/config/log4j2.xml ############################# ## parametre generique CAS ## ############################# cas.authn.accept.users= # Liste des atributs à renvoyer par défaut (si non défini dans le service) cas.authn.attributeRepository.core.defaultAttributesToRelease=uid,mail,displayName,eduPersonPrincipalName,eduPersonAffiliation,sn,givenname # throttle (pour limiter le nombre de tentative d'authentification) cas.authn.throttle.failure.range-seconds=30 cas.authn.throttle.failure.threshold=12 # pour throttle sur IP *et* username cas.authn.throttle.core.username-parameter=username ########################### ## Authentification LDAP ## ########################### cas.authn.ldap[0].name=openldap cas.authn.ldap[0].order=0 cas.authn.ldap[0].type=DIRECT cas.authn.ldap[0].ldapUrl=ldap://ldap.univ-rouen.fr ldap://ldap-clone.univ-rouen.fr cas.authn.ldap[0].baseDn=ou=people,dc=univ-rouen,dc=fr cas.authn.ldap[0].searchFilter=(&(uid={user})(objectclass=eduPerson)) cas.authn.ldap[0].dnFormat=uid=%s,ou=people,dc=univ-rouen,dc=fr cas.authn.ldap[0].connectionStrategy=ROUND_ROBIN cas.authn.ldap[0].useSsl=false cas.authn.ldap[0].useStartTls=false cas.authn.ldap[0].connectTimeout=20 cas.authn.ldap[0].subtreeSearch=false #cas.authn.ldap[0].principalAttributeId=uid # limite le nombre d'attributs demandés (c'est l'attribute filter pour le ldapsearch) cas.authn.ldap[0].principalAttributeList=uid,mail,displayName,eduPersonPrincipalName,eduPersonAffiliation,radiusFilterId,memberOf # le cache utilise en clef un hash non injectif (collisions possibles) cas.authn.attribute-repository.core.expiration-time = 0 # Attribute repository pour récupérer les attributs (utile si authentification autre que openldap) cas.authn.attributeRepository.maximum-cache-size=0 # hack pour ne PAS récupérer TOUS les attributs LDAP (permet aussi de mapper les attributs, ex: xxx.ldap[0].attributes.nom=givenName) # pour spnego, le .* DOIT être évité #cas.authn.attributeRepository.ldap[0].attributes.*= cas.authn.attributeRepository.ldap[0].attributes.uid = uid cas.authn.attributeRepository.ldap[0].attributes.mail = mail cas.authn.attributeRepository.ldap[0].attributes.displayName = displayName cas.authn.attributeRepository.ldap[0].attributes.eduPersonPrincipalName = eduPersonPrincipalName cas.authn.attributeRepository.ldap[0].attributes.eduPersonAffiliation = eduPersonAffiliation cas.authn.attributeRepository.ldap[0].attributes.radiusFilterId = radiusFilterId cas.authn.attributeRepository.ldap[0].attributes.memberOf = memberOf cas.authn.attributeRepository.ldap[0].attributes.dn = dn cas.authn.attributeRepository.ldap[0].attributes.givenname = givenname cas.authn.attributeRepository.ldap[0].attributes.sn = sn cas.authn.attributeRepository.ldap[0].attributes.mobile = mobile cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://ldap.univ-rouen.fr cas.authn.attributeRepository.ldap[0].connectionStrategy=ROUND_ROBIN cas.authn.attributeRepository.ldap[0].order=0 cas.authn.attributeRepository.ldap[0].useSsl=false cas.authn.attributeRepository.ldap[0].useStartTls=false cas.authn.attributeRepository.ldap[0].connectTimeout=20 cas.authn.attributeRepository.ldap[0].baseDn=ou=people,dc=univ-rouen,dc=fr cas.authn.attributeRepository.ldap[0].searchFilter=(&(uid={user})(objectclass=eduPerson)) cas.authn.attributeRepository.ldap[0].subtreeSearch=false cas.authn.attributeRepository.ldap[0].bindDn=cn=cas,dc=univ-rouen,dc=fr cas.authn.attributeRepository.ldap[0].bindCredential=xxxxxxxxxxxxxxxxxxxxxxxxx cas.authn.attributeRepository.ldap[0].poolPassivator=NONE cas.authn.attributeRepository.ldap[0].minPoolSize=2 cas.authn.attributeRepository.ldap[0].maxPoolSize=10 cas.authn.attributeRepository.ldap[0].validateOnCheckout=true cas.authn.attributeRepository.ldap[0].validatePeriodically=true cas.authn.attributeRepository.ldap[0].validatePeriod=60 cas.authn.attributeRepository.ldap[0].validateTimeout=30 cas.authn.attributeRepository.ldap[0].failFast=true cas.authn.attributeRepository.ldap[0].idleTime=300 cas.authn.attributeRepository.ldap[0].prunePeriod=300 cas.authn.attributeRepository.ldap[0].blockWaitTime=300 cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider ## ETAT de sante LDAPs cas.authn.ldap[0].validator.type=SEARCH cas.authn.ldap[0].validator.baseDn=ou=people,dc=univ-rouen,dc=fr cas.authn.ldap[0].validator.searchFilter=(objectClass=organizationalUnit) cas.authn.ldap[0].validator.scope=OBJECT cas.authn.ldap[0].validator.attributeName=objectClass cas.authn.ldap[0].validator.attributeValues=top cas.authn.ldap[0].validator.dn=ou=people,dc=univ-rouen,dc=fr ## Passivator (utilisé si utilisation de DIRECT ou AUTHENTICATED pour l'authn Ldap) # permet de passifier les connexions dans le pool (https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#passivators) cas.authn.ldap[0].poolPassivator=NONE cas.authn.ldap[0].minPoolSize=1 cas.authn.ldap[0].maxPoolSize=10 cas.authn.ldap[0].validateOnCheckout=false cas.authn.ldap[0].validatePeriodically=true cas.authn.ldap[0].validatePeriod=60 cas.authn.ldap[0].validateTimeout=30 cas.authn.ldap[0].failFast=true cas.authn.ldap[0].idleTime=300 cas.authn.ldap[0].prunePeriod=300 cas.authn.ldap[0].blockWaitTime=300 ###################### ## SPNEGO ## ###################### cas.authn.spnego.mixedModeAuthentication=true #cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit cas.authn.spnego.supportedBrowsers=Firefox cas.authn.spnego.send401OnAuthenticationFailure=true cas.authn.spnego.ntlmAllowed=false cas.authn.spnego.principalWithDomainName=false cas.authn.spnego.name=spnego cas.authn.spnego.ntlm=false cas.authn.spnego.order=0 cas.authn.spnego.system.kerberosConf=file:/etc/krb5.conf cas.authn.spnego.system.loginConf=file:/etc/cas/config/login.conf cas.authn.spnego.system.kerberosRealm=UR.UNIV-ROUEN.FR cas.authn.spnego.system.kerberosDebug=false cas.authn.spnego.system.useSubjectCredsOnly=false cas.authn.spnego.system.kerberosKdc=10.0.0.12 cas.authn.spnego.properties[0].jcifsUsername=cas-spnego cas.authn.spnego.properties[0].jcifsDomainController=notread.univ-rouen.fr cas.authn.spnego.properties[0].jcifsDomain=UR.UNIV-ROUEN.FR cas.authn.spnego.properties[0].jcifsServicePassword=xxxxxxxxxxxxxxxxxxxxxxxxx cas.authn.spnego.properties[0].jcifsPassword=xxxxxxxxxxxxxxxxxxxxxxxxx cas.authn.spnego.properties[0].jcifsServicePrincipal=HTTP/nommachinecas.univ-rouen.fr@UR.UNIV-ROUEN.FR cas.authn.spnego.properties[0].cachePolicy=600 cas.authn.spnego.properties[0].timeout=300000 cas.authn.spnego.properties[0].jcifsNetbiosWins= ### SPNEGO Client Selection Strategy cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction ### SPNEGO Client Selection Hostname cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader # IPs internes sans VPN ? TODO : à fixer ... :-/ #cas.authn.spnego.ipsToCheckPattern=10\.[1-9][0-9]\d{0,3}\.[0-9]\d{0,3}\.[0-9]\d{0,3} cas.authn.spnego.ipsToCheckPattern=.+ cas.authn.spnego.dnsTimeout=2000 # hostname du boitier vpn à exclure de spnego #cas.authn.spnego.hostNamePatternString=^(?!.*vpn[ct]-aa\.univ-rouen\.fr).*$ cas.authn.spnego.hostNamePatternString=^(?!.*(vpn|vqn|vrn|vsn)-aa\.univ-rouen\.fr).*$ ###################### ## Service REGISTRY ## ###################### # Pour relire les services à la volée cas.serviceRegistry.watcherEnabled=false cas.serviceRegistry.schedule.repeatInterval=10000 cas.serviceRegistry.schedule.startDelay=1000 ## Utile pour créer les premiers services en BDD lorsqu'on utilise cas-management-overlay # Auto-initialize the registry from default JSON service definitions # cas.serviceRegistry.initFromJson=false ####################################################### ## Parametrage JSON pour la persistence des services ## ####################################################### cas.serviceRegistry.json.location=file:/etc/cas/services ######################### ## Paramétrage WebFlow ## ######################### cas.webflow.crypto.enabled=true cas.webflow.crypto.signing.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx cas.webflow.crypto.signing.keySize=512 cas.webflow.crypto.encryption.keySize=16 cas.webflow.crypto.encryption.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx cas.webflow.crypto.alg=AES ##################### ## Paramétrage TGC ## ##################### # Positione les flags secure et httpOnly cas.tgc.secure=true cas.tgc.httpOnly=true # Crypte les TGC ... à noter que lorsque crypté, le TGC contient l'ip et le user-agent du demandeur. # Si pour x raisons il y a un changement d'user-agent (rare) ou d'adresse IP (plus fréquent avec l'itinérance) pendant la session, # CAS le détecte lors de la présentation du cookie et celui-ci est invalidé. Une réauthentification est alors nécessaire. # true pour activer cas.tgc.crypto.enabled=true cas.tgc.crypto.encryption.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx cas.tgc.crypto.signing.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx ####################################################### ## Parametrage REDIS pour la persistence des tickets ## ####################################################### cas.ticket.registry.redis.host=localhost cas.ticket.registry.redis.database=0 cas.ticket.registry.redis.port=6379 cas.ticket.registry.redis.password= cas.ticket.registry.redis.timeout=2000 cas.ticket.registry.redis.useSsl=false cas.ticket.registry.redis.crypto.enabled=false cas.ticket.registry.redis.crypto.signing.key= cas.ticket.registry.redis.crypto.signing.keySize=512 cas.ticket.registry.redis.crypto.encryption.key= cas.ticket.registry.redis.crypto.encryption.keySize=16 cas.ticket.registry.redis.crypto.alg=AES ############################## ## Locale ## ############################## cas.locale.defaultValue=fr ############################## ## ESUP-SMSU ## ############################## cas.smsProvider.rest.url=http://esup-smsu-api.univ-rouen.fr/apereo-cas #cas.smsProvider.rest.url=http://esup-smsu-api-test.univ-rouen.fr/apereo-cas cas.smsProvider.rest.basicAuthUsername=sms-cas-account cas.smsProvider.rest.basicAuthPassword=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx ############################## ## MFA ## ############################## cas.authn.mfa.globalFailureMode=OPEN cas.authn.mfa.groovy-script.location=file:/etc/cas/config/mfaGroovyTrigger.groovy cas.authn.mfa.simple.name=smsu cas.authn.mfa.simple.order=0 cas.authn.mfa.simple.timeToKillInSeconds=300 cas.authn.mfa.simple.sms.from=Université de Rouen Normandie cas.authn.mfa.simple.sms.text=Bonjour, voici le code SMS requis pour votre authentification CAS : %s cas.authn.mfa.simple.sms.attributeName=mobile # Add translations, you will need to check what are the default from CAS "Message Bundles" properties cas.messageBundle.baseNames=classpath:custom_messages,classpath:messages,classpath:esupnfccas_messages,classpath:esupotp_message ############################## ## MFA TRUSTED DEVICES ## ############################## cas.authn.mfa.trusted.mongo.clientUri=mongodb://localhost/cas-mongo-database cas.authn.mfa.trusted.authenticationContextAttribute=isFromTrustedMultifactorAuthentication cas.authn.mfa.trusted.deviceRegistrationEnabled=true cas.authn.mfa.trusted.expiration=7 cas.authn.mfa.trusted.timeUnit=DAYS cas.authn.mfa.trusted.crypto.enabled=true cas.authn.mfa.trusted.crypto.encryption.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx cas.authn.mfa.trusted.crypto.signing.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
...