I think the 'does not support' message just means that the username:password could not be found in ADFS with the settings you provided. It could be more than an incorrect username and/or password; it could be bad keys/certs, typos in properties, ADFS config, maybe even network woes. Check the ADFS logs.
Ray

On Thu, 2019-09-19 at 15:15 -0700, Bobby Esfandiari wrote:

Just wanted to add an update based on the progress I've made so far... I added the properties outlined in the docs, based on my configuration, to the top of the properties file (before the cas.authn.jdbc entries):

    cas.authn.wsfed[0].identityProviderUrl=https://test.adfs.com/adfs/ls/
    cas.authn.wsfed[0].identityProviderIdentifier=https://test.adfs.com/adfs/services/trust
    cas.authn.wsfed[0].relyingPartyIdentifier=https://my.cas.com
    cas.authn.wsfed[0].identityAttribute=E-Mail Address
    cas.authn.wsfed[0].signingCertificateResources=file:/certs/adfs.cer
    cas.authn.wsfed[0].attributesType=WSFED
    cas.authn.wsfed[0].tolerance=10000
    cas.authn.wsfed[0].autoRedirect=false
    cas.authn.wsfed[0].name=ADFS
    # Private/Public keypair used to decrypt assertions, if any.
    echo "cas.authn.wsfed[0].encryptionPrivateKey=file:/certs/adfs-enc.key
    echo "cas.authn.wsfed[0].encryptionCertificate=file:/certs/adfs-enc.crt
    echo "cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE

When I look at the CAS logs, it identifies the following handlers for the request:

    DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Candidate resolved authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@6a543e09, auth.CustomAuthenticationHandler@7ba1cdbe, org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@7c0e4e4e, org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler@1a66be41]]>

I modified my existing CustomAuthenticationHandler to not support the users of this domain so that all of the handlers fail until it gets to the WsFederationAuthenticationHandler.
I assumed at this point CAS would use the properties I've added to authenticate the user by delegating authentication to ADFS, but instead I get this:

    DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [ADFS] does not support the credential type [UsernamePasswordCredential(username=testUser@mydomain, source=null, customFields={})]. Trying next...>
    cas_1 | 2019-09-19 21:39:51,804 DEBUG [org.apereo.cas.support.events.listener.LoggingCasEventListener] - <Authentication transaction failed for credential: [UsernamePasswordCredential(username=testUser@mydomain, source=null, customFields={})]

Does anyone know what needs to change here? Do I need to create another custom handler that extends WsFederationAuthenticationHandler and change it to also support UsernamePasswordCredential? I'd appreciate any assistance.

On Wednesday, September 4, 2019 at 10:32:56 AM UTC-7, Bobby Esfandiari wrote:

Hi Ray,

I should've been a bit more specific. I want to be able to hit CAS from web and mobile clients. I can pass along a domain parameter with the request to determine whether the authentication process should use the database or ADFS. What I'd like to be able to do on the CAS side is extend the login functionality to:

1 - run some logic to verify the domain for that user
2 - direct the request to either the DB authentication or ADFS
3 - possibly do some manual manipulation of the attributes in the response

I've looked through the ADFS Integration page and I only see info about modifying the claims. I already have a gradle overlay in place for running some custom logic around the db authentication, but I'm not sure how to override the functionality I'm looking for in points (1) and (2).

On Wednesday, September 4, 2019 at 9:21:05 AM UTC-7, rbon wrote:

Bobby,

Authentication options are processed in the order they are listed in the properties.
See https://apereo.github.io/cas/6.0.x/integration/ADFS-Integration.html

Ray

On Tue, 2019-09-03 at 16:34 -0700, Bobby Esfandiari wrote:

Hello,

I've been using CAS + DB Authentication for a number of services. Now I need to integrate ADFS for a new client's users, but I'd like to retain the ability to authenticate using the existing database. I've searched previous topics and the CAS docs, but could not find a direct answer. I'd like to know if this is possible and if so, what would be the best way of implementing it? I have some experience with the overlay functionality (if that's needed), but I do not know the classes that would have to be extended in this case.

Thank you!

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
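A domain-gated username/password handler for the database side, added here as an example and not code from the thread or from CAS itself. It assumes the CAS 6.0 handler API named in the imports (AbstractUsernamePasswordAuthenticationHandler, UsernamePasswordCredential, createHandlerResult) and a hypothetical PasswordVerifier standing in for the real database lookup. It implements point (1) from Bobby's list: the handler only claims credentials whose domain the database owns, so a credential for any other domain is left to the later handlers in the configured order, which is the "does not support the credential type ... Trying next" behaviour visible in the log.

```java
package auth;

import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.services.ServicesManager;
import javax.security.auth.login.FailedLoginException;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Claims UsernamePasswordCredential only for the domains the database owns; for any other
// domain supports() is false, so CAS skips this handler and tries the next configured one.
public class DomainGatedDbAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    // Hypothetical stand-in for the real database password check (assumption, not a CAS type).
    public interface PasswordVerifier { boolean verify(String username, String password); }
    private final Set<String> dbDomains;   // lower-case domains served by the database
    private final PasswordVerifier verifier;

    public DomainGatedDbAuthenticationHandler(String name, ServicesManager servicesManager,
            PrincipalFactory principalFactory, Integer order,
            Set<String> dbDomains, PasswordVerifier verifier) {
        super(name, servicesManager, principalFactory, order);
        this.dbDomains = dbDomains;
        this.verifier = verifier;
    }

    // Domain part of "user@domain", lower-cased; null when the username has no '@'.
    static String domainOf(String username) {
        int at = username == null ? -1 : username.lastIndexOf('@');
        return at < 0 ? null : username.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    @Override
    public boolean supports(Credential credential) {
        if (!super.supports(credential)) return false;   // not a username/password credential
        String domain = domainOf(((UsernamePasswordCredential) credential).getUsername());
        return domain != null && dbDomains.contains(domain);
    }

    @Override
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
            UsernamePasswordCredential credential, String originalPassword) throws GeneralSecurityException {
        if (!verifier.verify(credential.getUsername(), originalPassword)) {
            throw new FailedLoginException("Invalid credentials for " + credential.getUsername());
        }
        return createHandlerResult(credential, principalFactory.createPrincipal(credential.getUsername()), List.of());
    }
}
```

Register it in the overlay in place of the existing CustomAuthenticationHandler; because the WS-Federation handler is listed after it, a username from a domain outside dbDomains falls through the chain exactly as the thread's log shows.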
