Hello, I've solved this by modifying wsfederation.xml:
<property name="identityProviderIdentifier" value="http://adfs.ict-toulouse.fr/adfs/services/trust" />
<property name="identityProviderUrl" value="https://adfs.ict-toulouse.fr/adfs/ls/" />
<!-- <property name="identityAttribute" value="upn" /> -->
<property name="identityAttribute" value="sAMAccountName" />
<property name="relyingPartyIdentifier" value="urn:federation:cas" />
<property name="tolerance" value="60000" />
<property name="attributeMutator">
    <bean class="org.example.cas.support.wsfederation.WsFedAttributeMutatorImpl" />
</property>

I don't know why upn didn't work. Is it case sensitive? ADFS returns UPN, not upn. Or maybe it is caused by WsFedAttributeMutatorImpl.java, which removes @ict-toulouse.fr from the UPN, but as I understand it that happens afterwards, doesn't it?

Thanks

On Wednesday, 20 April 2016 12:15:20 UTC+2, Yves wrote:
>
> Hello,
>
> I've set up Jasig Central Authentication System (CAS) 4.0.2 with adfs-support-wsfederation.
> I've used the maven overlay cas-adfs-integration-master.
>
> I've set up an ADFS server (Windows Server 2012 R2).
>
> When I try to log on to https://srv-jasig01.ict-toulouse.fr:4443/cas I am redirected to
> https://adfs.ict-toulouse.fr/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:cas
>
> That produces this log:
>
> 2016-04-20 11:58:31,103 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
> 2016-04-20 11:58:31,105 DEBUG [net.unicon.cas.support.wsfederation.web.flow.WsFederationAction] - <wresult : <t:RequestSecurityTokenResponse [truncated]
> 2016-04-20 11:58:31,115 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <parseTokenFromString: org.opensaml.saml1.core.impl.AssertionImpl@304d6837>
> 2016-04-20 11:58:31,125 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <validateSignature: Signature is valid.>
> 2016-04-20 11:58:31,126 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: retrieved on 2016-04-20T09:58:31.126Z>
> 2016-04-20 11:58:31,126 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: UPN>
> 2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: surname>
> 2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: givenname>
> 2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: Group>
> 2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: Email>
> 2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
> Issuer: http://adfs.ict-toulouse.fr/adfs/services/trust
> Audience: urn:federation:cas
> Audience Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Issued On: 2016-04-20T09:58:31.246Z
> Valid After: 2016-04-20T09:58:31.239Z
> Valid Before: 2016-04-20T10:58:31.239Z
> Attributes:
> Group: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, ict\oDES-SG-SystemesDInformations]
> UPN: [email protected]
> Email: [email protected]
> surname: MOYA
> givenname: Yves
>
> 2016-04-20 11:58:31,128 DEBUG [net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <.isValid: credential is valid.>
>
> Then I am redirected back to https://srv-jasig01.ict-toulouse.fr:8443/cas/login
>
> That shows me a blank page. The source code of this page is:
>
> <html><head><title>Operation in progress...</title></head><body>
> <form method="POST" name="hiddenform" action="https://srv-jasig01.ict-toulouse.fr:8443/cas/login">
> <input type="hidden" name="wa" value="wsignin1.0" />
> <input type="hidden" name="wresult" value="<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
> <t:Lifetime>
> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-04-20T10:02:08.672Z</wsu:Created>
> <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-04-20T11:02:08.672Z</wsu:Expires>
> </t:Lifetime>
> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:federation:cas</wsa:Address></wsa:EndpointReference>
> </wsp:AppliesTo>
> <t:RequestedSecurityToken>
> <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_97282ee8-e8af-4e1d-a809-d050b0f34c5c" Issuer="http://adfs.ict-toulouse.fr/adfs/services/trust" IssueInstant="2016-04-20T10:02:08.682Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
> <saml:Conditions NotBefore="2016-04-20T10:02:08.672Z" NotOnOrAfter="2016-04-20T11:02:08.672Z">
> <saml:AudienceRestrictionCondition><saml:Audience>urn:federation:cas</saml:Audience></saml:AudienceRestrictionCondition>
> </saml:Conditions>
> <saml:AttributeStatement>
> <saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>
> <saml:Attribute AttributeName="UPN" AttributeNamespace="urn:federation:cas"><saml:AttributeValue>[email protected]</saml:AttributeValue></saml:Attribute>
> <saml:Attribute AttributeName="surname" AttributeNamespace="urn:federation:cas"><saml:AttributeValue>MOYA</saml:AttributeValue></saml:Attribute>
> <saml:Attribute AttributeName="givenname" AttributeNamespace="urn:federation:cas"><saml:AttributeValue>Yves</saml:AttributeValue></saml:Attribute>
> <saml:Attribute AttributeName="Group" AttributeNamespace="urn:federation:cas"><saml:AttributeValue>ict\oSecretariats</saml:AttributeValue><saml:AttributeValue>ict\Utilisa. du domaine</saml:AttributeValue><saml:AttributeValue>ict\oDES-SG</saml:AttributeValue><saml:AttributeValue>ict\Groupe Projet Aurion</saml:AttributeValue><saml:AttributeValue>ict\Utilisateurs Info</saml:AttributeValue><saml:AttributeValue>ict\oAdministratif</saml:AttributeValue><saml:AttributeValue>ict\Utilisateurs ICT</saml:AttributeValue><saml:AttributeValue>ict\oDES-SG-SystemesDInformations</saml:AttributeValue></saml:Attribute>
> <saml:Attribute AttributeName="Email" AttributeNamespace="urn:federation:cas"><saml:AttributeValue>[email protected]</saml:AttributeValue></saml:Attribute>
> </saml:AttributeStatement>
> <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2016-04-20T09:58:31.205Z">
> <saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>
> </saml:AuthenticationStatement>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> <ds:Reference URI="#_97282ee8-e8af-4e1d-a809-d050b0f34c5c">
> <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <ds:DigestValue>FM+gP64NCIMiXtXR/Dc0ayjfA2c=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>VhHMXjliT/69Sbx8XvkQxx8s1oTsWd1wVUsqbBBNROGZnkt7lKsZDV/XM8Kmdgt9mIWOZnStauRCwzevxKKzDr0HRBp4YkSDjA1A5i4F5neqQR+amztCac93yZyF1G22wGeyr2YZgSVUNYikhppQlkR1kjeg12AStzTURkDK4bzChbABeDW01KDMDx+CP0Cz9+m542bUxIblnauH8K8tQs4C2yznT6v8BU1nbDh/sO0S3NiDdwHwBF2txHLZ+08j5KZcpeBV8CUUUkm37APvTzKz7rxwpBErd8x7Osju6sJT92wSGxs3uqMHfpwhJftZNpCLC9VuHS4s3VtAz/Bfxg==</ds:SignatureValue>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo>
> </ds:Signature>
> </saml:Assertion>
> </t:RequestedSecurityToken>
> <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
> <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
> <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
> </t:RequestSecurityTokenResponse>" />
> <noscript><p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" /></noscript>
> </form>
> <script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
> </body></html>
>
> Then in the log file I have:
>
> 2016-04-20 11:58:31,129 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <WsFederationAuthenticationHandler successfully authenticated ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
> Issuer: http://adfs.ict-toulouse.fr/adfs/services/trust
> Audience: urn:federation:cas
> Audience Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Issued On: 2016-04-20T09:58:31.246Z
> Valid After: 2016-04-20T09:58:31.239Z
> Valid Before: 2016-04-20T10:58:31.239Z
> Attributes:
> UPN: yves.moya
> Email: [email protected]
> FirstName: Yves
> Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, ict\oDES-SG-SystemesDInformations]
> LastName: MOYA
>
> 2016-04-20 11:58:31,129 DEBUG [net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
> 2016-04-20 11:58:31,129 ERROR [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver@509cf131 failed to resolve principal from ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
> Issuer: http://adfs.ict-toulouse.fr/adfs/services/trust
> Audience: urn:federation:cas
> Audience Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Issued On: 2016-04-20T09:58:31.246Z
> Valid After: 2016-04-20T09:58:31.239Z
> Valid Before: 2016-04-20T10:58:31.239Z
> Attributes:
> UPN: yves.moya
> Email: [email protected]
> FirstName: Yves
> Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, ict\oDES-SG-SystemesDInformations]
> LastName: MOYA
>
> java.lang.NullPointerException
> at net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver.extractPrincipalId(WsFederationCredentialsToPrincipalResolver.java:49)
> [truncated]
> 2016-04-20 11:58:31,130 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: supplied credentials: [ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
> Issuer: http://adfs.ict-toulouse.fr/adfs/services/trust
> Audience: urn:federation:cas
> Audience Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Issued On: 2016-04-20T09:58:31.246Z
> Valid After: 2016-04-20T09:58:31.239Z
> Valid Before: 2016-04-20T10:58:31.239Z
> Attributes:
> UPN: yves.moya
> Email: [email protected]
> FirstName: Yves
> Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, ict\oDES-SG-SystemesDInformations]
> LastName: MOYA
> ]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Wed Apr 20 11:58:31 CEST 2016
> CLIENT IP ADDRESS: 172.21.10.106
> SERVER IP ADDRESS: 192.168.254.113
> =============================================================
>
> 2016-04-20 11:58:31,138 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: No resolver produced a principal.
> ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
> APPLICATION: CAS
> WHEN: Wed Apr 20 11:58:31 CEST 2016
> CLIENT IP ADDRESS: 172.21.10.106
> SERVER IP ADDRESS: 192.168.254.113
> =============================================================
>
> 2016-04-20 11:58:31,138 ERROR [net.unicon.cas.support.wsfederation.web.flow.WsFederationAction] - <No resolver produced a principal.>
> org.jasig.cas.authentication.UnresolvedPrincipalException: No resolver produced a principal.
> [truncated]
> Apr 20, 2016 11:58:34 AM org.apache.catalina.startup.HostConfig checkResources
> FINE: Checking context[/cas] redeploy resource /var/lib/tomcat8/webapps/cas.war
>
> Can you help me to solve this?
>
> Best regards
>
> Yves

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f83f2ede-93bc-4a91-9d36-394b3825b5fa%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
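The question in the thread is whether the identityAttribute lookup is case sensitive. The following is an added illustration, not code from CAS or from the cas-adfs-integration overlay: it parses a SAML 1.1 assertion laid out like the one ADFS returned above, applies the checks that correspond to the identityProviderIdentifier, relyingPartyIdentifier and tolerance properties, and then does the principal lookup with "upn" versus "UPN". The sample assertion, the user values in it and every function name are constructed for the example; XML signature verification is left out because the quoted log already shows the signature validating, so that step is not where the failure lies.

```python
"""Added illustrative example (not code from CAS or cas-adfs-integration):
parse the SAML 1.1 assertion ADFS returns inside wresult, apply the checks
that correspond to identityProviderIdentifier, relyingPartyIdentifier and
tolerance, and show that the identityAttribute lookup is case-sensitive."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion. The element layout follows the token quoted
# in the thread; AssertionID and the user values are placeholders, and the
# ds:Signature element is omitted.
SAMPLE_ASSERTION = """<saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-example-id"
    Issuer="http://adfs.ict-toulouse.fr/adfs/services/trust"
    IssueInstant="2016-04-20T10:02:08.682Z"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2016-04-20T10:02:08.672Z"
                   NotOnOrAfter="2016-04-20T11:02:08.672Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:cas</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="urn:federation:cas">
      <saml:AttributeValue>jdoe@ict-toulouse.fr</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="urn:federation:cas">
      <saml:AttributeValue>DOE</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Group" AttributeNamespace="urn:federation:cas">
      <saml:AttributeValue>ict\\oSecretariats</saml:AttributeValue>
      <saml:AttributeValue>ict\\Utilisateurs ICT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(stamp):
    """Parse an ADFS timestamp such as 2016-04-20T10:02:08.672Z."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=dt.timezone.utc)


def parse_attributes(assertion_xml):
    """Return {AttributeName: [values]} with names exactly as the IdP emitted them."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML1}}}Attribute"):
        attrs[attr.get("AttributeName")] = [
            v.text.strip() for v in attr.findall(f"{{{SAML1}}}AttributeValue")]
    return attrs


def check_conditions(assertion_xml, identity_provider_identifier,
                     relying_party_identifier, now_stamp, tolerance_ms=60000):
    """Issuer, audience and validity-window checks a relying party performs
    after the signature has been verified. tolerance_ms plays the role of the
    "tolerance" property (clock skew allowed at both edges of the window).
    Returns (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    if root.get("Issuer") != identity_provider_identifier:
        return False, "issuer mismatch"
    cond = root.find(f"{{{SAML1}}}Conditions")
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML1}}}Audience")]
    if relying_party_identifier not in audiences:
        return False, "audience mismatch"
    now = _utc(now_stamp)
    skew = dt.timedelta(milliseconds=tolerance_ms)
    if now + skew < _utc(cond.get("NotBefore")):
        return False, "not yet valid"
    if now - skew >= _utc(cond.get("NotOnOrAfter")):
        return False, "expired"
    return True, "ok"


def resolve_principal(attrs, identity_attribute):
    """Pick the principal id. This is a plain case-sensitive dictionary key
    match, so "upn" does not find an attribute the IdP named "UPN"."""
    values = attrs.get(identity_attribute)
    return values[0] if values else None


def strip_domain(upn, domain="ict-toulouse.fr"):
    """Mutator-style step: drop the "@domain" suffix from a UPN value."""
    suffix = "@" + domain
    return upn[:-len(suffix)] if upn.lower().endswith(suffix) else upn


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    print(check_conditions(SAMPLE_ASSERTION,
                           "http://adfs.ict-toulouse.fr/adfs/services/trust",
                           "urn:federation:cas", "2016-04-20T10:30:00.000Z"))
    print("identityAttribute=upn ->", resolve_principal(attrs, "upn"))
    print("identityAttribute=UPN ->", resolve_principal(attrs, "UPN"))
    print("after mutator ->", strip_domain(resolve_principal(attrs, "UPN")))
```

With identityAttribute set to "upn" the lookup returns nothing, and a resolver that has no value to build a principal from is what the quoted NullPointerException in extractPrincipalId looks like from outside. The practical rule is to set identityAttribute to the AttributeName string the IdP actually emits (visible in the "processed attribute" debug lines), rather than loosening the match to be case-insensitive, since the attribute name is part of what you are trusting from the token. The suffix-stripping step runs on the value after it has been found, so it cannot make a missing attribute appear.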
