Hi Lynn,
I am trying a similar configuration using CAS 5.2.6 against Azure AD (SAML
mode). Is there a sample file that I can use for
cas.authn.pac4j.saml[0].identityProviderMetadataPath?
How do I generate this file to make it work against Azure AD?


On Wednesday, August 8, 2018 at 1:29:00 AM UTC+5:30, lynndickison wrote:
>
> That’s a good idea, but *cas.authn.pac4j.saml[0].useNameQualifier=false* 
> isn’t a valid configuration option in CAS 5.3.2.  When I put that into the 
> cas.properties file, CAS doesn’t start.
>
>  
>
> Lynn Dickison
>
>  
>
> *From:* [email protected] <[email protected]>
> *On Behalf Of* Dmitriy Kopylenko
> *Sent:* Tuesday, August 7, 2018 10:53 AM
> *To:* [email protected]
> *Subject:* Re: [cas-user] RE: CAS 5 SAML2 Azure AD delegated
> authentication
>
>  
>
> You could try *cas.authn.pac4j.saml[0].useNameQualifier=false*
>
>  
>
> Best,
>
> D.
>
>  
>
>
> From: Dickison, Lynn E <[email protected]>
> Reply: [email protected] <[email protected]>
> Date: August 7, 2018 at 9:53:30 AM
> To: [email protected] <[email protected]>
> Subject: [cas-user] RE: CAS 5 SAML2 Azure AD delegated authentication
>
>
>
> I saw on another posting that someone else was trying to do delegated 
> authentication using ADFS.  They were able to get it to work using CAS 5.2, 
> but it didn’t work with CAS 5.3.  Since ADFS and Azure AD are both 
> Microsoft products, I decided to try out delegated authentication to Azure 
> AD using CAS 5.2.  Lo and behold, IT WORKED!  CAS 5.2 produces a SAML 
> authentication request that Azure AD considers valid.  Here is the 
> comparison of the two:
>
>  
>
> This one is from CAS 5.3.2, which DOES NOT work with Azure AD SAML
> authentication:
>
>  
>
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:AuthnRequest
>         AssertionConsumerServiceURL="https://xxxxxxxx.yyyyyyyyyyyyy.edu:8443/cas/login?client_name=SAML2Client0"
>         AttributeConsumingServiceIndex="0"
>         Destination="https://login.microsoftonline.com/cad830e4-554f-4361-bae5-c865233fb77f/saml2"
>         ForceAuthn="false"
>         ID="_2nqagio59j7csvzqzu0mynfr4tsbfqzhnlleupl"
>         IsPassive="false"
>         IssueInstant="2018-08-02T21:50:33.174Z"
>         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         ProviderName="pac4j-saml"
>         Version="2.0"
>         xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml2:Issuer
>             Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>             NameQualifier="https://xxxxxxxx.yyyyyyyyyyyyy.edu"
>             xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>         https://xxxxxxxx.yyyyyyyyyyyyy.edu
>     </saml2:Issuer>
> </saml2p:AuthnRequest>
>
>  
>
> This one is from CAS 5.2.6, and DOES work with Azure AD SAML 
> authentication:
>
>  
>
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:AuthnRequest
>         AssertionConsumerServiceURL="https://xxxxxxxx.yyyyyyyyyyyyy.edu:8443/cas/login?client_name=SAML2Client"
>         AttributeConsumingServiceIndex="0"
>         Destination="https://login.microsoftonline.com/cad830e4-554f-4361-bae5-c865233fb77f/saml2"
>         ForceAuthn="false"
>         ID="_3r88plxbege1ozzotobvkeqihy3x2jrk4sok94r"
>         IsPassive="false"
>         IssueInstant="2018-08-06T21:19:34.731Z"
>         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         ProviderName="pac4j-saml"
>         Version="2.0"
>         xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml2:Issuer
>             xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>         https://xxxxxxxx.yyyyyyyyyyyyy.edu
>     </saml2:Issuer>
> </saml2p:AuthnRequest>
>
>  
>
> The highlighted lines are the only ones I noticed that were different in 
> the format of the CAS 5.3.2 vs. CAS 5.2.6 SAML authentication requests.
>
>  
>
> Can anyone tell me if there is a configuration setting that I can change 
> in CAS 5.2.3 that will make this work successfully?
>
>  
>
> Lynn Dickison
>
> Missouri State University
>
>  
>
>  
>
>  
>
> *From:* [email protected] <[email protected]>
> *On Behalf Of* Dickison, Lynn E
> *Sent:* Thursday, August 2, 2018 5:07 PM
> *To:* [email protected]
> *Subject:* [cas-user] CAS 5 SAML2 delegated authentication
>
>  
>
> I’m trying to set up CAS 5.3.2 so that it delegates authentication to 
> Azure AD via SAML2.  I’ve seen documentation on how to delegate 
> authentication to an external SAML2 IdP, and I’ve read the tutorial (
> https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/).  The 
> tutorial showed how to set it up with Okta as the IdP, and I’m assuming 
> that works.  However, Azure AD gives me an error message that the 
> authentication request is not a valid SAML2 protocol message.
>
>  
>
> Here is the configuration I have in the cas.properties file:
>
>  
>
> cas.authn.pac4j.saml[0].keystorePassword=******
> cas.authn.pac4j.saml[0].privateKeyPassword=******
> cas.authn.pac4j.saml[0].keystorePath=file:/etc/cas/saml/samlKeystore.jks
> cas.authn.pac4j.saml[0].keystoreAlias=********
>
> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xxxxxxxx.yyyyyyyyyyyyy.edu
> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:/etc/cas/saml/xxxxxxxx.xml
>
> # Path/URL to delegated IdP metadata
> cas.authn.pac4j.saml[0].identityProviderMetadataPath=file:/etc/cas/saml/AzureADCAS.xml
>
>  
>
>  
>
> Here is an example authentication request that Microsoft says is valid in 
> their documentation:
>
>  
>
> <samlp:AuthnRequest
>         xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>         ID="id6c1c178c166d486687be4aaf5e482730"
>         Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
>         xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
> </samlp:AuthnRequest>
>
>  
>
>  
>
> Here is an authentication request generated by CAS via pac4j:
>
>  
>
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:AuthnRequest
>         AssertionConsumerServiceURL="https://xxxxxxxx.yyyyyyyyyyyyy.edu:8443/cas/login?client_name=SAML2Client0"
>         AttributeConsumingServiceIndex="0"
>         Destination="https://login.microsoftonline.com/cad830e4-554f-4361-bae5-c865233fb77f/saml2"
>         ForceAuthn="false" ID="_2nqagio59j7csvzqzu0mynfr4tsbfqzhnlleupl"
>         IsPassive="false"
>         IssueInstant="2018-08-02T21:50:33.174Z"
>         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         ProviderName="pac4j-saml"
>         Version="2.0"
>         xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml2:Issuer
>             Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>             NameQualifier="https://xxxxxxxx.yyyyyyyyyyyyy.edu"
>             xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>         https://xxxxxxxx.yyyyyyyyyyyyy.edu
>     </saml2:Issuer>
> </saml2p:AuthnRequest>
>
>  
>
> Here is the error message I’m getting from Azure:
>
>  
>
> Request Id: 75ca32eb-47cb-426a-992d-ee70fc6a1b00
> Correlation Id: 996cb2e6-b6b3-4077-abaa-a76e2578255a
> Timestamp: 2018-08-02T21:50:33Z
> Message: AADSTS75005: The request is not a valid Saml2 protocol message.
> Advanced diagnostics: Enable
> If you plan on getting support for an issue, turn this on and try to
> reproduce the error. This will collect additional information that will
> help troubleshoot the issue.
>
> *Root cause:* Azure AD doesn’t support the SAML request sent by the
> application for Single sign-on. Some common issues are:
> - Missing required fields in the SAML request
> - SAML request encoded method
>
>  
>
>  
>
> If anyone has been able to get SAML2 delegated authentication working with 
> Azure AD as the IdP, or if you know why it won’t work, I would appreciate 
> any information you can supply.
>
>  
>
>  
>
> *Lynn Dickison*
> Senior Enterprise Systems Administrator
> Computer Services
>
> Missouri State University
> 901 S. National Ave.
> Springfield, MO 65897
> Phone: 417-836-4515 | Fax: 417-836-3192
> [email protected] | www.missouristate.edu
>
>  
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN6PR01MB4191ED2D9B0F83BCA08E9682D92C0%40SN6PR01MB4191.prod.exchangelabs.com
>
>

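Added diagnostic, not code from the thread, CAS or pac4j: a Python check that parses a SAML AuthnRequest and reports the attributes SAML 2.0 Core requires plus any attributes on the Issuer, which is where Lynn's comparison found the only difference between the CAS 5.3.2 request Azure AD rejects and the CAS 5.2.6 request it accepts. The two sample requests are constructed with placeholder hostnames, tenant id and request ids.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed samples modelled on the two requests in the thread; hostnames,
# tenant id and request ids are placeholders, not values from the list post.
REQUEST_REJECTED = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://sp.example.edu:8443/cas/login?client_name=SAML2Client0"
    Destination="https://login.microsoftonline.com/TENANT-ID/saml2"
    ID="_placeholder1" IssueInstant="2018-08-02T21:50:33.174Z" Version="2.0"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      NameQualifier="https://sp.example.edu">https://sp.example.edu</saml2:Issuer>
</saml2p:AuthnRequest>"""

REQUEST_ACCEPTED = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://sp.example.edu:8443/cas/login?client_name=SAML2Client"
    Destination="https://login.microsoftonline.com/TENANT-ID/saml2"
    ID="_placeholder2" IssueInstant="2018-08-06T21:19:34.731Z" Version="2.0"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.edu</saml2:Issuer>
</saml2p:AuthnRequest>"""


def inspect_authn_request(xml_text):
    """Return findings; an empty list means the request looks like the accepted one."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        findings.append(f"root element is {root.tag}, expected samlp:AuthnRequest")
    # RequestAbstractType requires these three attributes (SAML 2.0 Core);
    # AADSTS75005 names "missing required fields" as a common cause.
    for attr in ("ID", "Version", "IssueInstant"):
        if attr not in root.attrib:
            findings.append(f"missing required attribute {attr}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None:
        findings.append("missing saml:Issuer")
    else:
        # The only difference in the thread's comparison: CAS 5.3.2 adds Format
        # and NameQualifier to the Issuer. xmlns declarations are not in .attrib.
        for attr in sorted(issuer.attrib):
            findings.append(f"Issuer has attribute {attr}")
    return findings


if __name__ == "__main__":
    print(inspect_authn_request(REQUEST_REJECTED), inspect_authn_request(REQUEST_ACCEPTED))
```

Point it at the decoded AuthnRequest from your own CAS logs to see which of the two shapes it produces.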
