Scott,

Glad you're finding the documentation helpful. I've never used phpCAS so I can't be much help with that (but it looks like others have jumped in), but in regard to your dependencies question: the cas-server-support-saml dependency adds support for SAML1.1-based attribute release, so yes, you do need that to release attributes to CAS-based clients.*
The cas-server-support-saml-idp dependency adds support to enable the CAS server to also function as a SAML2 Identity Provider (like Shibboleth, for example). You do not need that to perform attribute release to CAS clients; you only need it if you have clients that want to speak the SAML2 protocol instead of the CAS protocol.

--Dave

* Unless your CAS client is speaking v3.x of the CAS protocol, but there aren't many (any?) of those.

--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Wed, Nov 8, 2017 at 9:55 AM, Scott Gennari <sgenn...@simons-rock.edu> wrote:

> Hi All,
>
> We're in the process of testing a CAS 5.1.5 server instance with the
> eventual goal of authentication with SSO Banner. The project installation
> guide
> <https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_authentication_overview.html>
> kindly provided by David Curry has been a great help as I am new to CAS.
> Many thanks to David for making this available.
>
> This will be a low volume server used by a handful of staff members so no
> need for multiple servers/load balancing or Duo. I have completed the setup
> through 'Adding SAML support' and to most extents for 'building the SAML
> client', although I'm not certain I need this. At this point I thought we
> could use phpCAS to test for SAML attribute release but I cannot get this
> to work and am seeking your help.
>
> The CAS server successfully authenticates against our LDAP (openldap)
> service. There is a single wildcard JSON in the service registry
> (/etc/cas/services) that catches all requests and includes basic attribute
> releases sn, cn and employeeNumber (remapped to UDC_IDENTIFIER).
>
> /etc/cas/services/wildcard.json
>
> {
>   /*
>    * Wildcard service definition that applies to any https or imaps url.
>    * Do not use this definition in a production environment.
>    */
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https|http|imaps)://.*",
>   "name" : "Service entry for Banner SSO",
>   "id" : 20170828090137,
>
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "sn" : "sn",
>       "cn" : "cn",
>       "employeeNumber" : "UDC_IDENTIFIER"
>     }
>   },
>
>   "evaluationOrder" : 6
> }
>
>
> Dependencies in pom.xml (do I need saml-idp for phpCAS examples?)
>
> <dependencies>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-webapp${app.server}</artifactId>
>     <version>${cas.version}</version>
>     <type>war</type>
>     <scope>runtime</scope>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-json-service-registry</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-ldap</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-saml</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
>   <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-saml-idp</artifactId>
>     <version>${cas.version}</version>
>   </dependency>
> </dependencies>
>
>
> The goal is to successfully release these attributes via phpCAS using
> example_advanced_saml11.php but it fails with
>
> CAS Authentication failed!
>
> You were not authenticated.
>
> You may submit your request again by clicking here
> <https://d2h157.sta-fac.simons-rock.edu/example_advanced_saml11.php>.
>
> If the problem persists, you may contact the administrator of this site
> <webmaster@localhost>.
> ------------------------------
> phpCAS 1.3.4 using server https://srcastic.simons-rock.edu:8443/cas/ (CAS S1)
>
>
> In the CAS log all I see is the ticket was generated despite phpCAS's
> authentication failure after a successful LDAP login.
>
> 2017-11-08 09:48:04,773 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [event=success,timestamp=Wed Nov 08 09:48:04 EST 2017,source=InitialAuthenticationAttemptWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Wed Nov 08 09:48:04 EST 2017
> CLIENT IP ADDRESS: 10.30.2.157
> SERVER IP ADDRESS: 192.168.2.105
> =============================================================
> >
> 2017-11-08 09:48:04,784 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: sgennari
> WHAT: ST-10-Krnl7ST1bj2wyKFNuMTn-srcastic for http://localhost/example_advanced_saml11.php
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Nov 08 09:48:04 EST 2017
> CLIENT IP ADDRESS: 10.30.2.157
> SERVER IP ADDRESS: 192.168.2.105
> =============================================================
> >
>
> The script example_simple.php is successful. It redirects to cas login,
> authenticates with LDAP and returns user ID.
>
> Successfull Authentication!
> Current script: example_simple.php
> session_name(): session_for:example_simple_php
> session_id(): ST-8-dKPGD2LytcWA2lQ1wtAu-srcastic
>
> the user's login is sgennari.
>
> phpCAS version is 1.3.4.
>
> Logout <http://localhost/example_simple.php?logout=>
>
>
> Any assistance or advice would be greatly appreciated.
>
> Thank you,
> Scott Gennari
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc223e2f-b060-f9e4-ee92-d4a764a40343%40simons-rock.edu

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPBWt4k9yajPpC3GeVtarmJwp%2BKLX%2B5Eep3eaV2bu0Opw%40mail.gmail.com.
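The SAML 1.1 exchange the reply refers to (a CAS client such as phpCAS's example_advanced_saml11.php POSTing the service ticket to /cas/samlValidate and reading the released attributes out of the response), as an added example in Python; it is not code from this thread, from phpCAS or from the CAS project. The element layout follows the samlValidate section of the CAS protocol specification; the sample response, ticket, user, hostnames and attribute values are constructed. Besides extracting the attributes, it does the checks a client should perform before trusting them: a success status, the assertion's validity window, and that the Audience is the same service URL the client itself presented.

```python
"""CAS SAML 1.1 attribute release: the client side of /cas/samlValidate, run offline.

Added example, not code from phpCAS or the CAS project. SAMPLE_RESPONSE is a
CONSTRUCTED response in the layout CAS returns with cas-server-support-saml
present; ticket, timestamps, user, hosts and attribute values are invented.
"""
import datetime as dt
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def build_samlvalidate_request(ticket, now=None):
    """SOAP envelope a client POSTs to /cas/samlValidate?TARGET=<service>.

    The service ticket rides in samlp:AssertionArtifact; RequestID is a
    client-chosen unique id (CAS protocol spec, section 4.2).
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    issue_instant = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    request_id = "_" + secrets.token_hex(16)
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Header/><SOAP-ENV:Body>'
        f'<samlp:Request xmlns:samlp="{SAMLP_NS}" MajorVersion="1" MinorVersion="1" '
        f'RequestID="{request_id}" IssueInstant="{issue_instant}">'
        f"<samlp:AssertionArtifact>{escape(ticket)}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def _parse_instant(value):
    """Parse a SAML 1.1 UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML timestamp: {value!r}")


def parse_samlvalidate_response(xml_text, expected_service, now=None):
    """Validate a /samlValidate response; return {'user': ..., 'attributes': {...}}.

    Raises ValueError on a non-success status, a missing assertion, an
    assertion outside its validity window, or an Audience that is not the
    service this client presented (a ticket issued for one URL must not be
    consumed at another).
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    resp = ET.fromstring(xml_text).find(f".//{{{SAMLP_NS}}}Response")
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    code = resp.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    value = code.get("Value", "") if code is not None else ""
    if value.split(":")[-1] != "Success":
        raise ValueError(f"samlValidate failed with status {value or '<none>'}")
    assertion = resp.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise ValueError("success status but no saml:Assertion")
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if not _parse_instant(cond.get("NotBefore")) <= now < _parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window (check clock skew)")
    audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if expected_service not in audiences:
        raise ValueError(f"audience {audiences} does not match service {expected_service!r}")
    user = assertion.findtext(f".//{{{SAML_NS}}}NameIdentifier")
    attrs = {}  # empty when the server released nothing for this service
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    return {"user": user, "attributes": attrs}


# Constructed sample: hostnames, user, ticket and values are invented.
SAMPLE_SERVICE = "https://client.example.edu/example_advanced_saml11.php"
SAMPLE_NOW = dt.datetime(2017, 11, 8, 14, 48, 10, tzinfo=dt.timezone.utc)
SAMPLE_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Header/><SOAP-ENV:Body>
<Response xmlns="{SAMLP_NS}" MajorVersion="1" MinorVersion="1" IssueInstant="2017-11-08T14:48:04.000Z"
  Recipient="{SAMPLE_SERVICE}" ResponseID="_constructed1">
<Status><StatusCode Value="samlp:Success"/></Status>
<Assertion xmlns="{SAML_NS}" AssertionID="_constructed2" Issuer="cas.example.edu"
  IssueInstant="2017-11-08T14:48:04.000Z" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2017-11-08T14:48:04.000Z" NotOnOrAfter="2017-11-08T14:48:34.000Z">
<AudienceRestrictionCondition><Audience>{SAMPLE_SERVICE}</Audience></AudienceRestrictionCondition>
</Conditions>
<AuthenticationStatement AuthenticationInstant="2017-11-08T14:48:04.000Z"
  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject><NameIdentifier>jdoe</NameIdentifier><SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>
</SubjectConfirmation></Subject></AuthenticationStatement>
<AttributeStatement><Subject><NameIdentifier>jdoe</NameIdentifier></Subject>
<Attribute AttributeName="sn" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>Doe</AttributeValue></Attribute>
<Attribute AttributeName="cn" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>Jane Doe</AttributeValue></Attribute>
<Attribute AttributeName="UDC_IDENTIFIER" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>A0012345</AttributeValue></Attribute>
</AttributeStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(build_samlvalidate_request("ST-1-constructed", SAMPLE_NOW))
    print(parse_samlvalidate_response(SAMPLE_RESPONSE, SAMPLE_SERVICE, SAMPLE_NOW))
```

In a live deployment the envelope from build_samlvalidate_request is POSTed over TLS to https://<cas-host>/cas/samlValidate?TARGET=<service>, where TARGET must be the same URL the browser was redirected from; an empty attributes dict on a success response points at the service registry's attributeReleasePolicy rather than at the client.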