Well, it turns out that I copied the ADFS settings into the cas.properties file
twice, so it must have been using classpath:adfs-signing.crt instead of the
setting that was above it that actually pointed to my ADFS certificate. I
removed the extra ADFS settings in the cas.properties file and I got a new
error message:

15:34:34.692 [http-bio-8443-exec-2] ERROR org.jasig.cas.support.wsfederation.web.flow.WsFederationAction - WS Requested Security Token is blank or the signature is not valid.

So, I assume I grabbed the incorrect certificate from ADFS.  I will make sure 
to grab the signing certificate and try again and see what happens.

Thanks,

––––––––––––––––––––
David Abney
ITS Web Developer/Programmer

600 West Walnut Street
Danville, Kentucky 40422
859.238.5761

www.centre.edu

From: John Gasper [mailto:[email protected]]
Sent: Thursday, April 07, 2016 10:17 AM
To: David Abney <[email protected]>; [email protected]
Subject: Re: [cas-user] ADFS and CAS Issue

Hi David,

The null validation credential appears to be the signature credential. Did you 
copy the ADFS signing key over to CAS and point the config at the exported cert?

John

--
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef


From: <[email protected]> on behalf of David Abney <[email protected]>
Date: Thursday, April 7, 2016 at 7:30 AM
To: "[email protected]" <[email protected]>
Subject: [cas-user] ADFS and CAS Issue

I have updated to CAS 4.2.0 and I am trying to set up the integration between
CAS and ADFS 2.0. I believe I have the cas.properties file set up correctly
with my information about our ADFS server. I believe I have set up the ADFS
relying party information correctly. When I go to the CAS server I get
redirected to the ADFS login page and I am authenticated by ADFS (so far so
good), but I am redirected back to a blank CAS login page. It doesn't appear
to be in a redirect loop; I am sent back to the CAS login page URL, but the
page is just blank. Any thoughts on why this problem is occurring? Could it
be how I set up my claims being sent from ADFS?

The catalina.out file has this error message in it:
09:14:33.148 [http-bio-8443-exec-5] ERROR org.jasig.cas.support.wsfederation.web.flow.WsFederationAction - Validation credential cannot be null
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Validation credential cannot be null
        at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
        at org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl.validate(ApacheSantuarioSignatureValidationProviderImpl.java:51)
        at org.opensaml.xmlsec.signature.support.SignatureValidator.validate(SignatureValidator.java:54)
        at org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:242)
        at org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine.validate(BaseSignatureTrustEngine.java:198)
        at org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine.doValidate(ExplicitKeySignatureTrustEngine.java:108)
        at org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine.validate(BaseSignatureTrustEngine.java:105)
        at org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine.validate(BaseSignatureTrustEngine.java:62)
        at org.jasig.cas.support.wsfederation.WsFederationHelper.validateSignature_aroundBody4(WsFederationHelper.java:179)
        at org.jasig.cas.support.wsfederation.WsFederationHelper$AjcClosure5.run(WsFederationHelper.java:1)
        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
        at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
        at org.jasig.cas.support.wsfederation.WsFederationHelper.validateSignature(WsFederationHelper.java:157)
        at org.jasig.cas.support.wsfederation.web.flow.WsFederationAction.doExecute(WsFederationAction.java:107)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Flow.start(Flow.java:527)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
        at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:315)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

I am sending back the UPN from ADFS and we have ADFS working with other 
systems, so the UPN is not blank.  I did skip the part of the CAS setup where 
you can manipulate the claims coming from ADFS.

––––––––––––––––––––
David Abney
ITS Web Developer/Programmer

600 West Walnut Street
Danville, Kentucky 40422
859.238.5761

www.centre.edu

--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/938486a38f3d424ca218e63fa6bb43f0%40Exchange-MB2.centre.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
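
The root cause found in this thread, a block of settings pasted into cas.properties twice so that the later copy silently won, can be checked for mechanically. The following is an added example, not part of the original messages or of CAS: it parses Java properties syntax and reports keys assigned more than once. The key names and the file: path in the sample are constructed placeholders, not real CAS property names.

```python
import re

# Constructed sample input. Key names and the file: path are hypothetical
# placeholders; only the classpath:adfs-signing.crt value comes from the thread.
SAMPLE = """\
# ADFS settings (edited copy)
example.wsfed.signingcert = file:/etc/cas/adfs-token-signing.crt
example.wsfed.idattribute = upn
! ADFS settings pasted a second time, still carrying the default
example.wsfed.signingcert: classpath:adfs-signing.crt
example.wsfed.attributes = upn,\\
    emailaddress
"""

def logical_lines(text):
    """Yield (first_line_number, text) after joining backslash continuations."""
    parts, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if start is None:
            if not line or line[0] in "#!":
                continue  # blank line or comment
            start = n
        # An odd number of trailing backslashes continues onto the next line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2:
            parts.append(line[:-1])
            continue
        yield start, "".join(parts) + line
        parts, start = [], None
    if start is not None:
        yield start, "".join(parts)

def assignments(text):
    """Map each key to [(line, value), ...]; a key ends at '=', ':' or space."""
    seen = {}
    for n, line in logical_lines(text):
        m = re.match(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)", line)
        if m:
            seen.setdefault(m.group(1), []).append((n, m.group(2)))
    return seen

def duplicates(text):
    """Keys set more than once; java.util.Properties keeps the LAST value."""
    return {k: v for k, v in assignments(text).items() if len(v) > 1}

if __name__ == "__main__":
    for key, hits in duplicates(SAMPLE).items():
        print(key, "set on lines", [n for n, _ in hits], "-> effective:", hits[-1][1])
```
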
