Sairam,
If cas.properties is configured properly, the SAML keystore is accessible 
to CAS, the SP metadata was created successfully AND CAS has access to the 
IDP metadata, then that is it.  The PAC4J integration should include the code to 
consume the SAML response and issue a TGT.  If that is not happening you 
need to check the logs and perhaps turn them up to debug.  Trace out the CAS 
startup and the loading of the PAC4J modules and look for WARN and ERROR entries.  

Then, once CAS is READY, tail the logs, initiate a login to CAS and look 
for messages about a bad signature or lack of trust, and check whether the 
response contained a valid Principal to use to complete the authn and issue the TGT. 

I run CAS 5.2.6 on Tomcat 8.5.x, Java 8.

It would be helpful to see the errors you are getting in the logs to better 
understand what exactly is wrong with the response.  Is it encrypted with no 
matching key?  Is it not signed correctly?  Is there time skew on the CAS 
servers greater than 5 minutes?  There are all kinds of reasons SAML will 
fail.

Mike

On Tuesday, January 8, 2019 at 1:42:47 AM UTC-5, sairam wrote:
>
> Hi Mike,
>       Thanks for the reply. I have done the configuration in CAS to 
> delegate auth to the external IdP, so after the delegation the IdP will 
> send the SAML response. What changes need to be done in CAS in order to 
> consume that SAML assertion and grant a TGT? 
> I mean the CAS webflow after it gets the SAML Response from the IdP.
>
> Thanks & Regards,
> Sairam
>
> On Mon, Jan 7, 2019 at 11:06 PM Mike Kriwonos <[email protected]> wrote:
>
>>
>> I am not sure exactly where you are having problems, but this is the high 
>> level process you need to work through:
>>
>> 1) Make sure CAS is built with the PAC4J-webflow dependency.
>> Use the Maven or Gradle properties defined here for the cas.war build:  
>> https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html
>>
>> 2) Configure SAML in the cas.properties file. 
>> Review the pac4j.saml properties here:  
>> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#saml
>> See: Delegate authentication to an external SAML2 IdP
>>
>> You may be able to start with some of the SAML keystore information 
>> (keystore password and private key password) blank, and CAS can generate the 
>> keystore on an initial test.
>> THIS IS ONLY FOR DEV and test purposes.  In a working DEV/PROD environment 
>> you should set up a real private key and keystore with passwords and enter 
>> this information in cas.properties using the pac4j.saml properties defined in 
>> the document above.
>>
>> You need to fill in the pac4j.saml properties to provide a path to the SAML 
>> keystore, and CAS needs to be able to read from and write to that path to 
>> create and use the file.
>> You need to fill in the pac4j.saml properties to provide the IDP entity ID.  
>> You need to fill in the pac4j.saml properties to provide a path to the IDP 
>> metadata.  This could be a file path or a URL. Either way CAS needs read 
>> permission on the path.
>> I direct the metadata to /etc/cas/config and the keystores to another 
>> folder, /etc/cas/keystore.
>> If set up correctly and the keystore is usable, CAS will generate the 
>> sp-metadata.xml file.
>>
>> The IDP will need the ACS and entity ID from the SP Metadata.
>>
>> That should get you started.  If you have done ALL of this then please 
>> include details from the logs, etc. of where you are having problems.
>> Mike
>>
>>
>> On Monday, January 7, 2019 at 4:06:12 AM UTC-5, sairam wrote:
>>>
>>> Hi all,
>>>       I'm trying to integrate CAS with SAML using the 
>>> pac4j (cas-server-support-pac4j-webflow) support project from CAS by 
>>> following the document below:
>>>
>>> https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html
>>>  I am using the SSO (ACS) URL https://witty.wavity.net/saml/login to 
>>> consume the SAML assertion. Now, when the user gets logged in at the IdP, i.e. at 
>>> Okta, it redirects to the ACS URL with a Forbidden error. So how can I 
>>> configure CAS to consume the SAML assertion from the IdP and get CAS to grant a 
>>> TGT to the SAML-asserted user?
>>>
>>> Can you please help me out with the steps I need to follow at CAS once 
>>> it receives a SAML assertion from any IdP, and also with the steps to 
>>> be followed at java-cas-client?
>>>
>>> Thanks & Regards,
>>> Sairam
>>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bcbffcfb-fbe4-407e-8c77-0e98fdbb7252%40apereo.org.
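The checklist in Mike's quoted reply (keystore, SP entity ID and metadata, IdP metadata, dev-only blank passwords) assembled into one cas.properties fragment, as an added example that is not from the thread or from the CAS project. The key names are the cas.authn.pac4j.saml[] properties from the CAS 5.x configuration reference linked above; every host, path, password and entity ID below is a placeholder to replace with your own.

```properties
# Added example, not from the thread: delegate CAS authentication to an
# external SAML2 IdP through the pac4j webflow module. All values are
# placeholders; only the property keys come from the CAS 5.x reference.

# Name of the delegated client. CAS receives the IdP response on its own
# callback, ${cas.server.prefix}/login?client_name=<clientName>, which is
# the ACS URL to give the IdP (it is also written into the SP metadata).
cas.authn.pac4j.saml[0].clientName=OktaSAML

# --- Keystore CAS uses as the SP (signing / decryption) ---
# CAS must be able to read AND write this path: the file is generated on
# first start if missing and reused afterwards.
cas.authn.pac4j.saml[0].keystorePath=/etc/cas/keystore/samlKeystore.jks
# DEV/TEST ONLY: leaving both passwords blank lets CAS generate a throwaway
# keystore for a first smoke test.
# cas.authn.pac4j.saml[0].keystorePassword=
# cas.authn.pac4j.saml[0].privateKeyPassword=
# Any shared DEV or PROD environment: a real keystore with real passwords.
cas.authn.pac4j.saml[0].keystorePassword=CHANGE_ME_keystore_password
cas.authn.pac4j.saml[0].privateKeyPassword=CHANGE_ME_private_key_password

# --- SP (CAS) identity and the metadata CAS generates ---
# The IdP administrator needs the entity ID and ACS URL from this file.
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://cas.example.org/cas/samlsp
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata.xml

# --- IdP metadata: a file path or a URL, readable by the CAS process ---
# The IdP signing certificate comes from here, so a stale or wrong copy
# surfaces in the logs as "lack of trust" / bad-signature errors.
cas.authn.pac4j.saml[0].identityProviderMetadataPath=/etc/cas/config/idp-metadata.xml

# Maximum age, in seconds, accepted for the IdP's AuthnInstant. Responses
# older than this are rejected, so keep CAS and IdP clocks in sync.
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=600
```

After CAS starts with this fragment, confirm the keystore and sp-metadata.xml were actually written to the configured paths before handing the metadata to the IdP; a silently unwritable directory is the usual cause of an empty or missing SP metadata file.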
