That’s a good idea, but cas.authn.pac4j.saml[0].useNameQualifier=false isn’t a 
valid configuration option in CAS 5.3.2.  When I put that into the 
cas.properties file, CAS doesn’t start.

Lynn Dickison

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Dmitriy Kopylenko
Sent: Tuesday, August 7, 2018 10:53 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] RE: CAS 5 SAML2 Azure AD delegated authentication

You could try cas.authn.pac4j.saml[0].useNameQualifier=false

Best,
D.


From: Dickison, Lynn E 
<lynndicki...@missouristate.edu><mailto:lynndicki...@missouristate.edu>
Reply: cas-user@apereo.org<mailto:cas-user@apereo.org> 
<cas-user@apereo.org><mailto:cas-user@apereo.org>
Date: August 7, 2018 at 9:53:30 AM
To: cas-user@apereo.org<mailto:cas-user@apereo.org> 
<cas-user@apereo.org><mailto:cas-user@apereo.org>
Subject:  [cas-user] RE: CAS 5 SAML2 Azure AD delegated authentication


I saw on another posting that someone else was trying to do delegated 
authentication using ADFS.  They were able to get it to work using CAS 5.2, but 
it didn’t work with CAS 5.3.  Since ADFS and Azure AD are both Microsoft 
products, I decided to try out delegated authentication to Azure AD using CAS 
5.2.  Lo and behold, IT WORKED!  CAS 5.2 produces a SAML authentication request 
that Azure AD considers valid.  Here is the comparison of the two:

This one is from CAS 5.3.2, which DOES NOT work Azure AD SAML authentication:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
        
AssertionConsumerServiceURL="https://xxxxxxxx.yyyyyyyyyyyyy.edu:8443/cas/login?client_name=SAML2Client0";
        AttributeConsumingServiceIndex="0"
        
Destination="https://login.microsoftonline.com/cad830e4-554f-4361-bae5-c865233fb77f/saml2";
        ForceAuthn="false"
 ID="_2nqagio59j7csvzqzu0mynfr4tsbfqzhnlleupl"
        IsPassive="false"
        IssueInstant="2018-08-02T21:50:33.174Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        ProviderName="pac4j-saml"
        Version="2.0"
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
            NameQualifier="https://xxxxxxxx.yyyyyyyyyyyyy.edu";
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        https://xxxxxxxx.yyyyyyyyyyyyy.edu
    </saml2:Issuer>
</saml2p:AuthnRequest

This one is from CAS 5.2.6, and DOES work with Azure AD SAML authentication:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
        
AssertionConsumerServiceURL="https://xxxxxxxx.yyyyyyyyyyyyy.edu:8443/cas/login?client_name=SAML2Client";
        AttributeConsumingServiceIndex="0"
        
Destination="https://login.microsoftonline.com/cad830e4-554f-4361-bae5-c865233fb77f/saml2";
        ForceAuthn="false"
        ID="_3r88plxbege1ozzotobvkeqihy3x2jrk4sok94r"
        IsPassive="false"
        IssueInstant="2018-08-06T21:19:34.731Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        ProviderName="pac4j-saml"
        Version="2.0"
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        https:// xxxxxxxx.yyyyyyyyyyyyy.edu
    </saml2:Issuer>
</saml2p:AuthnRequest>

The highlighted lines are the only ones I noticed that were different in the 
format of the CAS 5.3.2 vs. CAS 5.2.6 SAML authentication requests.

Can anyone tell me if there is a configuration setting that I can change in CAS 
5.2.3 that will make this work successfully?

Lynn Dickison
Missouri State University



From: cas-user@apereo.org<mailto:cas-user@apereo.org> 
<cas-user@apereo.org<mailto:cas-user@apereo.org>> On Behalf Of Dickison, Lynn E
Sent: Thursday, August 2, 2018 5:07 PM
To: cas-user@apereo.org<mailto:cas-user@apereo.org>
Subject: [cas-user] CAS 5 SAML2 delegated authentication

I’m trying to set up CAS 5.3.2 so that it delegates authentication to Azure AD 
via SAML2.  I’ve seen documentation on how to delegate authentication to an 
external SAML2 IdP, and I’ve read the tutorial 
(https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/).  The tutorial 
showed how to set it up with Okta as the IdP, and I’m assuming that works.  
However, Azure AD gives me an error message that the authentication request is 
not a valid SAML2 protocol message.

Here is the configuration I have in the cas.properties file:

cas.authn.pac4j.saml[0].keystorePassword=******
cas.authn.pac4j.saml[0].privateKeyPassword=******
cas.authn.pac4j.saml[0].keystorePath=file:/etc/cas/saml/samlKeystore.jks
cas.authn.pac4j.saml[0].keystoreAlias=********

cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xxxxxxxx.yyyyyyyyyyyyy.edu
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:/etc/cas/saml/xxxxxxxx.xml

# Path/URL to delegated IdP metadata
cas.authn.pac4j.saml[0].identityProviderMetadataPath=file:/etc/cas/saml/AzureADCAS.xml


Here is an example authentication request that Microsoft says is valid in their 
documentation:

<samlp:AuthnRequest
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
        ID="id6c1c178c166d486687be4aaf5e482730"
        Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer 
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer<https://www.contoso.com%3c/Issuer>>
</samlp:AuthnRequest>


Here is an authentication request generated by CAS via pac4j:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
        
AssertionConsumerServiceURL="https://xxxxxxxx.yyyyyyyyyyyyy.edu:8443/cas/login?client_name=SAML2Client0";
        AttributeConsumingServiceIndex="0"
        
Destination="https://login.microsoftonline.com/cad830e4-554f-4361-bae5-c865233fb77f/saml2";
        ForceAuthn="false" ID="_2nqagio59j7csvzqzu0mynfr4tsbfqzhnlleupl"
        IsPassive="false"
        IssueInstant="2018-08-02T21:50:33.174Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        ProviderName="pac4j-saml"
        Version="2.0"
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
            NameQualifier="https://xxxxxxxx.yyyyyyyyyyyyy.edu";
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        https://xxxxxxxx.yyyyyyyyyyyyy.edu
    </saml2:Issuer>
</saml2p:AuthnRequest>

Here is the error message I’m getting from Azure:

Request Id: 75ca32eb-47cb-426a-992d-ee70fc6a1b00
Correlation Id: 996cb2e6-b6b3-4077-abaa-a76e2578255a
Timestamp: 2018-08-02T21:50:33Z
Message: AADSTS75005: The request is not a valid Saml2 protocol message.
Advanced diagnostics: Enable
If you plan on getting support for an issue, turn this on and try to reproduce 
the error. This will collect additional information that will help troubleshoot 
the issue.

Root cause: Azure AD doesn’t support the SAML request sent by the application 
for Single sign-on. Some common issues are:​​
•         Missing required fields in the SAML request​​
•         SAML request encoded method​


If anyone has been able to get SAML2 delegated authentication working with 
Azure AD as the IdP, or if you know why it won’t work, I would appreciate any 
information you can supply.


Lynn Dickison
Senior Enterprise Systems Administrator
Computer Services
Missouri State University
901 S. National Ave.
Springfield, MO 65897
Phone: 417-836-4515 | Fax: 417-836-3192
lynndicki...@missouristate.edu<mailto:lynndicki...@missouristate.edu> | 
www.missouristate.edu<http://www.missouristate.edu/>
[Missouri State University: Make Your Missouri 
Statement]<http://www.missouristate.edu/>

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN6PR01MB4191ED2D9B0F83BCA08E9682D92C0%40SN6PR01MB4191.prod.exchangelabs.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN6PR01MB4191ED2D9B0F83BCA08E9682D92C0%40SN6PR01MB4191.prod.exchangelabs.com?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN6PR01MB4191601A86A7BDD4F2011D75D9200%40SN6PR01MB4191.prod.exchangelabs.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN6PR01MB4191601A86A7BDD4F2011D75D9200%40SN6PR01MB4191.prod.exchangelabs.com?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.5b69c06e.293d8d21.162d%40unicon.net<https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.5b69c06e.293d8d21.162d%40unicon.net?utm_medium=email&utm_source=footer>.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN6PR01MB41915B4C444AA0A7D5149932D9270%40SN6PR01MB4191.prod.exchangelabs.com.

Reply via email to