OK, back at the desk now so have extracted the relevant sections from my 
build documentation. Screenshots are missing but the text should provide 
enough detail (if not too much ;-).

I doubt it is 100% correct as I stumbled through it myself; also, the exact 
same config failed with 5.3.0 but was OK with 5.3.2 and 5.2.3, so it seems 
there was a bug added then fixed (or my config just did not work with that 
build). Hopefully this will help you/someone, and maybe if someone who knows 
better spots some mistakes in my config I can learn some more also ;-)


*Configure ADFS*

The CAS service will be configured to redirect to ADFS; before CAS can be 
set up to do this, the Relying Party needs to be set up on the ADFS server.

Login to the ADFS server and launch “AD FS Management”.

Expand the tree to “Relying Party Trusts”.
Right click on “Relying Party Trusts” and select “Add Relying Party Trust...”.
Click the “Start” button.
Select “Enter the data about the relying party manually”, then click “Next”.
Enter a Display Name and Notes, then click “Next”.
On the “Choose Profile” section leave as AD FS Profile and click “Next”.
Click “Next” on the “Configure Certificate” screen.
Click “Next” on the “Configure URL” page.
On the “Configure Identifiers” page enter a unique identifier, e.g. 
urn:cas-svr.domain.com for the CAS service, and click “Add” then “Next”.
Leave the Multi-factor authentication as “I do not want to configure...” and 
click “Next”.
On the “Choose Issuance Authorization Rules” page leave it as “Permit all 
users to access this relying party” and click “Next”.
Click “Next” on the “Ready to Add Trust” page.
Click “Close”.
Double click on the new Relying Party entry and select the “Endpoints” tab.
Click on “Add WS-Federation...”.
Populate with the CAS login URL for your CAS server, e.g. 
https://cas-svr.domain.com/cas/login.
Click “OK” then “OK” again to close the properties window.
Right click on the CAS Relying Party and select “Edit Claim Rules”.
Click “Add Rule” on the “Issuance Transform Rules” screen.
Select “Send LDAP Attributes as Claims” and click “Next”.
Complete the “Configure Claim Rule” page as required; my settings were 
“LDAP Attribute” = “SAM-Account-Name” mapped to “Outgoing Claim Type” = “UPN”.
Click “Finish”.

*Export the Token-signing Certificate*
CAS will need to have access to the ADFS Token-signing certificate, export 
this from "AD FS Manager" and store it on the CAS server for later use.

*CAS Maven pom.xml*
Edit the Maven pom.xml, find the section below and add the two dependency 
entries that follow the “Additional dependencies” comment (these were the 
lines highlighted in green in the original):

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <!--
    ...Additional dependencies may be placed here...
    -->
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-wsfederation-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>


Save the pom.xml file.

*ADFS token-signing certificate*

Now open the etc/cas/config folder and copy the ADFS token-signing 
certificate file to this folder (File in this example is 
"my-adfs-token-signing.cer").

*CAS ADFS settings*
Edit the cas.properties file in this folder and add the contents below:

# Logout settings: if required, uncomment the lines below and change the
# cas.slo.disabled setting
#cas.logout.redirectUrl=https://adfs-svr.domain.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas-svr.domain.com
cas.slo.disabled=true
#cas.logout.followServiceRedirects=true

# ADFS. Note the http:// on "identityProviderIdentifier": this is not a mistake.
cas.authn.wsfed[0].identityProviderUrl=https://adfs-svr.domain.com/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://adfs-svr.domain.com/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-svr.domain.com
cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].signingCertificateResources=file:///etc/cas/config/my-adfs-token-signing.cer
cas.authn.wsfed[0].tolerance=10000
cas.authn.wsfed[0].identityAttribute=upn
cas.authn.wsfed[0].attributeResolverEnabled=true
cas.authn.wsfed[0].autoRedirect=true
# cas.authn.wsfed[0].name=

# cas.authn.wsfed[0].principal.principalAttribute=
# cas.authn.wsfed[0].principal.returnNull=false

# Private/Public keypair used to decrypt assertions, if any.
# cas.authn.wsfed[0].encryptionPrivateKey=classpath:private.key
# cas.authn.wsfed[0].encryptionCertificate=classpath:certificate.crt
# cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE

Build and deploy CAS.
Make sure the configuration is copied by running “build copy” or manually 
copying the files to the correct location.
Run the package command, “build package”, to generate the .war file.
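The settings above only work when the three names involved line up: the identifier typed into the ADFS Relying Party Trust wizard, the relyingPartyIdentifier CAS sends as wtrealm, and (if a logout redirect to ADFS is used) the wtrealm in that URL; CAS also needs the token-signing certificate file to actually be where signingCertificateResources says it is. The script below is an added example, not code from the original post or from the CAS project. It reads a cas.properties file with a small java.util.Properties-style parser and reports these inconsistencies; the property names are the ones used in the post, the sample properties text is a constructed copy of the post's values, and the ADFS identifier passed in (urn:cas-svr.domain.com, as typed in the wizard step) is taken from the post as well.

```python
"""Consistency checks for CAS -> ADFS WS-Federation delegated authentication.

Added example, not part of the original post or of CAS itself. Parses a
cas.properties file and checks the cas.authn.wsfed[0].* values against the
identifier registered in the ADFS Relying Party Trust.
"""
import os
import re
from urllib.parse import parse_qs, urlparse

WSFED = "cas.authn.wsfed[0]."

# Constructed sample: the values from the post (comment lines kept intact so
# that nothing is accidentally parsed as a property).
SAMPLE_PROPERTIES = """\
# Logout settings: if required, uncomment the lines below and change the
# cas.slo.disabled setting
#cas.logout.redirectUrl=https://adfs-svr.domain.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas-svr.domain.com
cas.slo.disabled=true
#cas.logout.followServiceRedirects=true

# ADFS. The http:// scheme on identityProviderIdentifier is intentional: it is
# the issuer name ADFS writes into the token, compared as a string, never fetched.
cas.authn.wsfed[0].identityProviderUrl=https://adfs-svr.domain.com/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://adfs-svr.domain.com/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-svr.domain.com
cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].signingCertificateResources=file:///etc/cas/config/my-adfs-token-signing.cer
cas.authn.wsfed[0].tolerance=10000
cas.authn.wsfed[0].identityAttribute=upn
cas.authn.wsfed[0].attributeResolverEnabled=true
cas.authn.wsfed[0].autoRedirect=true
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value,
    key:value or key<space>value, and backslash line continuations.
    Later duplicates win, as in Java."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical = pending + line
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_wsfed_config(props, adfs_identifier, file_exists=os.path.exists):
    """Return a list of findings; an empty list means the settings agree with
    each other and with the ADFS Relying Party Trust. file_exists is
    injectable so the check can run on a machine without the real file."""
    findings = []
    rp = props.get(WSFED + "relyingPartyIdentifier")

    # 1. ADFS only issues a token for a wtrealm it knows: the value CAS sends
    #    must equal the identifier entered in the Relying Party Trust wizard.
    if rp is None:
        findings.append("relyingPartyIdentifier is not set")
    elif rp != adfs_identifier:
        findings.append(f"relyingPartyIdentifier {rp!r} does not match the "
                        f"ADFS identifier {adfs_identifier!r}")

    # 2. The browser is redirected to this URL and posts the signed token back
    #    from it; anything other than https exposes the token in transit.
    idp_url = props.get(WSFED + "identityProviderUrl", "")
    if urlparse(idp_url).scheme != "https":
        findings.append(f"identityProviderUrl {idp_url!r} is not https")

    # 3. Without the ADFS token-signing certificate CAS cannot verify the token
    #    signature. For file: resources, confirm the file is really there.
    cert = props.get(WSFED + "signingCertificateResources", "")
    if not cert:
        findings.append("signingCertificateResources is not set")
    elif cert.startswith("file:") and not file_exists(urlparse(cert).path):
        findings.append(f"signing certificate {cert!r} not found on disk")

    # 4. If a logout redirect back to ADFS is configured, its wtrealm must name
    #    the same relying party as the login flow.
    redirect = props.get("cas.logout.redirectUrl")
    if redirect:
        realms = parse_qs(urlparse(redirect).query).get("wtrealm", [])
        if realms != [rp]:
            findings.append(f"cas.logout.redirectUrl wtrealm {realms} != "
                            f"relyingPartyIdentifier {rp!r}")
    return findings


def run_sample():
    """Check the post's values against the identifier as typed in the ADFS
    wizard step (urn:cas-svr.domain.com); the file check is stubbed out."""
    props = parse_properties(SAMPLE_PROPERTIES)
    return check_wsfed_config(props, "urn:cas-svr.domain.com",
                              file_exists=lambda path: True)


if __name__ == "__main__":
    for finding in run_sample() or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the identifier mismatch between the wizard value and relyingPartyIdentifier; with both set to the same string the list is empty. The script confirms the certificate file is present but does not read its validity period: ADFS rolls its token-signing certificate automatically by default, so the exported copy on the CAS server has to be refreshed whenever that happens or signature verification starts failing.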



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/66ad8d40-f5f9-4a8c-9c56-f54f650a11d8%40apereo.org.