Ray, I don't have access to the ADFS server, so I will have to wait on the admin to get back to me on that.
I did look through the CAS src and it looks like that message is fired off in ../authentication/PolicyBasedAuthenticationManager.java when:

    handler.supports(credential) == true

The supports method for WsFederationAuthenticationHandler is:

    credentials != null && WsFederationCredential.class.isAssignableFrom(credentials.getClass())

Since the credentials are populated (I can see them in the logs), I can only assume that it's because it's failing to convert UsernamePasswordCredential into WsFederationCredential. This is concerning since the WsFederationCredential looks like the token that should be created from the ADFS response, with the UsernamePasswordCredential being part of the request that is sent to ADFS for the delegated authentication process.

Am I misunderstanding some part of this process?

Regards,
Bobby

On Thursday, September 19, 2019 at 3:51:59 PM UTC-7, rbon wrote:
> I think the 'does not support' message just means that the username:password could not be found in ADFS with the settings you provided. It could be more than incorrect username and or password; could be bad keys/certs, typos in properties, ADFS config, maybe even network woes.
> Check logs for ADFS.
>
> Ray
>
> On Thu, 2019-09-19 at 15:15 -0700, Bobby Esfandiari wrote:
> > Just wanted to add an update based on the progress I've made so far...
> > I added the properties outlined in the docs, based on my configuration, to the top of the properties file (*before the cas.authn.jdbc entries*):
> >
> >     cas.authn.wsfed[0].identityProviderUrl=https://test.adfs.com/adfs/ls/
> >     cas.authn.wsfed[0].identityProviderIdentifier=https://test.adfs.com/adfs/services/trust
> >     cas.authn.wsfed[0].relyingPartyIdentifier=https://my.cas.com
> >     cas.authn.wsfed[0].identityAttribute=E-Mail Address
> >     cas.authn.wsfed[0].signingCertificateResources=file:/certs/adfs.cer
> >     cas.authn.wsfed[0].attributesType=WSFED
> >     cas.authn.wsfed[0].tolerance=10000
> >     cas.authn.wsfed[0].autoRedirect=false
> >     cas.authn.wsfed[0].name=ADFS
> >
> >     # Private/Public keypair used to decrypt assertions, if any.
> >     cas.authn.wsfed[0].encryptionPrivateKey=file:/certs/adfs-enc.key
> >     cas.authn.wsfed[0].encryptionCertificate=file:/certs/adfs-enc.crt
> >     cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
> >
> > When I look at the CAS logs, it identifies the following handlers for the request:
> >
> >     DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Candidate resolved authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@6a543e09, auth.CustomAuthenticationHandler@7ba1cdbe, org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@7c0e4e4e, org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler@1a66be41]]>
> >
> > I modified my existing CustomAuthenticationHandler to *not* support the users of this domain so that all of the handlers fail until it gets to the WsFederationAuthenticationHandler.
> > I assumed at this point CAS would use the properties I've added to authenticate the user by delegating authentication to ADFS, but instead I get this:
> >
> >     DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [ADFS] does not support the credential type [UsernamePasswordCredential(username=testUser@mydomain, source=null, customFields={})]. Trying next...>
> >     cas_1 | 2019-09-19 21:39:51,804 DEBUG [org.apereo.cas.support.events.listener.LoggingCasEventListener] - <Authentication transaction failed for credential: [UsernamePasswordCredential(username=testUser@mydomain, source=null, customFields={})]>
> >
> > Does anyone know what needs to change here? Do I need to create another custom handler that extends *WsFederationAuthenticationHandler* and change it to also support *UsernamePasswordCredential*?
> >
> > I'd appreciate any assistance.
> >
> > On Wednesday, September 4, 2019 at 10:32:56 AM UTC-7, Bobby Esfandiari wrote:
> > > Hi Ray,
> > >
> > > I should've been a bit more specific.
> > > I want to be able to hit CAS from web and mobile clients.
> > > I can pass along a domain parameter with the request to determine whether the authentication process should use the database or ADFS.
> > >
> > > What I'd like to be able to do on the CAS side is extend the login functionality to:
> > > 1 - run some logic to verify the domain for that user
> > > 2 - direct the request to either the DB authentication or ADFS
> > > 3 - possibly do some manual manipulation of the attributes in the response
> > >
> > > I've looked through the ADFS Integration page and I only see info about modifying the claims.
> > > I already have a gradle overlay in place for running some custom logic around the db authentication, but I'm not sure how to override the functionality I'm looking for in points (1) and (2).
> > >
> > > On Wednesday, September 4, 2019 at 9:21:05 AM UTC-7, rbon wrote:
> > > > Bobby,
> > > >
> > > > Authentication options are processed in the order they are listed in the properties.
> > > > See https://apereo.github.io/cas/6.0.x/integration/ADFS-Integration.html
> > > >
> > > > Ray
> > > >
> > > > On Tue, 2019-09-03 at 16:34 -0700, Bobby Esfandiari wrote:
> > > > > Hello,
> > > > >
> > > > > I've been using CAS + DB Authentication for a number of services. Now I need to integrate ADFS for a new client's users, but I'd like to retain the ability to authenticate using the existing database. I've searched previous topics and the CAS docs, but could not find a direct answer.
> > > > >
> > > > > I'd like to know if this is possible and if so, what would be the best way of implementing it? I have some experience with the overlay functionality (if that's needed), but I do not know the classes that would have to be extended in this case.
> > > > >
> > > > > Thank you!
> > > >
> > > > --
> > > > Ray Bon
> > > > Programmer Analyst
> > > > Development Services, University Systems
> > > > 2507218831 | CLE 019 | [email protected]
> > > >
> > > > I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9233a825-7954-45e1-be2c-55ee3f7512f0%40apereo.org.
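Editor's note, added to this thread and not part of any message or of CAS itself: the handler selection Bobby traces in PolicyBasedAuthenticationManager is easy to reason about once it is written out. The model below mirrors the quoted supports() check (a WS-Federation handler only accepts a WsFederationCredential) next to a database handler that, like Bobby's modified CustomAuthenticationHandler, declines usernames outside the domains it is authoritative for. Running it reproduces the "does not support the credential type ... Trying next" outcome for a username/password credential in the ADFS domain, and shows that the ADFS handler does engage once it is handed a WsFederationCredential. The class names follow the thread; their bodies, the local.example domain, the user list and the issuer check are constructed stand-ins, and the ADFS issuer value is the identityProviderIdentifier from Bobby's configuration. What the model does not include is the redirect leg: in CAS the WsFederationCredential is built from the signed token ADFS posts back after the browser has been sent to the identityProviderUrl, so a username and password posted to the CAS login form never become one.

```python
"""Model of CAS-style handler selection by credential type (added illustration, not CAS code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UsernamePasswordCredential:
    """What the CAS login form submits. Password is kept out of repr/logs."""
    username: str
    password: str = field(repr=False, default="")


@dataclass
class WsFederationCredential:
    """Stand-in for the credential CAS builds from the token ADFS posts back."""
    identity: str
    issuer: str


class QueryDatabaseAuthenticationHandler:
    name = "QueryDatabase"

    def __init__(self, users: dict[str, str], local_domains: set[str]):
        self.users = users                # constructed username -> password table
        self.local_domains = local_domains

    def supports(self, credential) -> bool:
        # Routing by domain (Bobby's steps 1 and 2): only claim a
        # username/password whose domain this database is authoritative for.
        if not isinstance(credential, UsernamePasswordCredential):
            return False
        domain = credential.username.rpartition("@")[2]
        return domain in self.local_domains

    def authenticate(self, credential: UsernamePasswordCredential) -> bool:
        return self.users.get(credential.username) == credential.password


class WsFederationAuthenticationHandler:
    name = "ADFS"

    def __init__(self, trusted_issuer: str):
        self.trusted_issuer = trusted_issuer

    def supports(self, credential) -> bool:
        # Mirrors the check quoted from the source:
        # credentials != null && WsFederationCredential.class.isAssignableFrom(credentials.getClass())
        return credential is not None and isinstance(credential, WsFederationCredential)

    def authenticate(self, credential: WsFederationCredential) -> bool:
        # Stand-in for validating the token's signature and issuer against the configured IdP.
        return credential.issuer == self.trusted_issuer


def authenticate(handlers, credential) -> tuple[Optional[str], list[str]]:
    """Try handlers in configured order; return (name of handler that succeeded or None, log lines)."""
    log: list[str] = []
    for handler in handlers:
        if not handler.supports(credential):
            log.append(f"Authentication handler [{handler.name}] does not support "
                       f"the credential type [{credential!r}]. Trying next...")
            continue
        if handler.authenticate(credential):
            log.append(f"Authentication handler [{handler.name}] succeeded")
            return handler.name, log
        log.append(f"Authentication handler [{handler.name}] failed")
    log.append(f"Authentication transaction failed for credential: [{credential!r}]")
    return None, log


# Constructed sample configuration: DB for local.example, ADFS for everyone else.
ADFS_ISSUER = "https://test.adfs.com/adfs/services/trust"
HANDLERS = [
    QueryDatabaseAuthenticationHandler({"alice@local.example": "s3cret"}, {"local.example"}),
    WsFederationAuthenticationHandler(ADFS_ISSUER),
]

if __name__ == "__main__":
    for cred in (
        UsernamePasswordCredential("alice@local.example", "s3cret"),     # handled by the DB
        UsernamePasswordCredential("testUser@mydomain", "whatever"),      # nobody supports it
        WsFederationCredential("testUser@mydomain", ADFS_ISSUER),         # handled by ADFS
    ):
        winner, lines = authenticate(HANDLERS, cred)
        print(f"{cred!r} -> {winner}")
        for line in lines:
            print("   ", line)
```

The second case is the one in Bobby's log: the database handler declines the foreign domain, the ADFS handler declines the credential type, and the transaction fails without any handler having run. Teaching the ADFS handler to accept UsernamePasswordCredential would not help, because it has no token to validate; the routing decision has to happen before a credential is created, by sending that domain's users through the WS-Federation redirect instead of the local login form.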
