Just wanted to add an update based on the progress I've made so far...
I added the properties outlined in the docs, based on my configuration, to
the top of the properties file (*before the cas.authn.jdbc entries*):
cas.authn.wsfed[0].identityProviderUrl=https://test.adfs.com/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=https://test.adfs.com/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=https://my.cas.com
cas.authn.wsfed[0].identityAttribute=E-Mail Address
cas.authn.wsfed[0].signingCertificateResources=file:/certs/adfs.cer
cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].tolerance=10000
cas.authn.wsfed[0].autoRedirect=false
cas.authn.wsfed[0].name=ADFS
# Private/Public keypair used to decrypt assertions, if any.
cas.authn.wsfed[0].encryptionPrivateKey=file:/certs/adfs-enc.key
cas.authn.wsfed[0].encryptionCertificate=file:/certs/adfs-enc.crt
cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
When I look at the CAS logs, it identifies the following handlers for the
request:
DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Candidate resolved authentication handlers for this transaction are
[[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@6a543e09,
auth.CustomAuthenticationHandler@7ba1cdbe,
org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@7c0e4e4e,
org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler@1a66be41]]>
I modified my existing CustomAuthenticationHandler to *not* support the
users of this domain so that all of the handlers fail until it gets to
the WsFederationAuthenticationHandler. I assumed at this point CAS would
use the properties I've added to authenticate the user by delegating
authentication to ADFS, but instead I get this:
DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Authentication handler [ADFS] does not support the credential type
[UsernamePasswordCredential(username=testUser@mydomain, source=null,
customFields={})]. Trying next...>
cas_1 | 2019-09-19 21:39:51,804 DEBUG
[org.apereo.cas.support.events.listener.LoggingCasEventListener] -
<Authentication transaction failed for credential:
[UsernamePasswordCredential(username=testUser@mydomain, source=null,
customFields={})]
Does anyone know what needs to change here? Do I need to create another
custom handler that extends *WsFederationAuthenticationHandler* and change
it to also support *UsernamePasswordCredential*?
I'd appreciate any assistance.
On Wednesday, September 4, 2019 at 10:32:56 AM UTC-7, Bobby Esfandiari
wrote:
>
> Hi Ray,
>
> I should've been a bit more specific.
> I want to be able to hit CAS from web and mobile clients.
> I can pass along a domain parameter with the request to determine whether
> the authentication process should use the database or ADFS.
>
> What I'd like to be able to do on the CAS side is extend the login
> functionality to:
> 1 - run some logic to verify the domain for that user
> 2 - direct the request to either the DB authentication or ADFS
> 3 - possibly do some manual manipulation of the attributes in the response
>
> I've looked through the ADFS Integration page and I only see info about
> modifying the claims.
> I already have a gradle overlay in place for running some custom logic
> around the db authentication, but I'm not sure how to override the
> functionality I'm looking for in points (1) and (2).
>
> On Wednesday, September 4, 2019 at 9:21:05 AM UTC-7, rbon wrote:
>>
>> Bobby,
>>
>> Authentication options are processed in the order they are listed in the
>> properties.
>> See https://apereo.github.io/cas/6.0.x/integration/ADFS-Integration.html
>>
>> Ray
>>
>> On Tue, 2019-09-03 at 16:34 -0700, Bobby Esfandiari wrote:
>>
>> Hello,
>>
>> I've been using CAS + DB Authentication for a number of services. Now I
>> need to integrate ADFS for a new client's users, but I'd like to retain the
>> ability to authenticate using the existing database. I've searched previous
>> topics and the CAS docs, but could not find a direct answer.
>>
>> I'd like to know if this is possible and if so, what would be the best
>> way of implementing it? I have some experience with the overlay
>> functionality (if that's needed), but I do not know the classes that would
>> have to be extended in this case.
>>
>> Thank you!
>>
>> --
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | [email protected]
>>
>> I respectfully acknowledge that my place of work is located within the
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>> WSÁNEĆ Nations.
>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/28f1ce0a-98a9-4874-aadf-ae52ee685f4f%40apereo.org.