Thanks, Ray. I'd think this is a fairly common scenario, so not sure why it's been so difficult to find information around it. Hopefully someone with more experience can chime in.
On Friday, September 20, 2019 at 9:27:25 AM UTC-7, rbon wrote:
> Bobby,
>
> I have not used ADFS so I am unable to comment.
> Hopefully someone else on the list has a better understanding of it.
>
> Ray
>
> On Fri, 2019-09-20 at 09:07 -0700, Bobby Esfandiari wrote:
> > Ray,
> >
> > I don't have access to the ADFS server, so I will have to wait on the
> > admin to get back to me on that.
> >
> > I did look through the CAS src and it looks like that message is fired off
> > in ../authentication/PolicyBasedAuthenticationManager.java when:
> >
> >   handler.supports(credential) == true
> >
> > The supports method for WsFederationAuthenticationHandler is:
> >
> >   credentials != null && WsFederationCredential.class.isAssignableFrom(credentials.getClass())
> >
> > Since the credentials are populated (I can see them in the logs), I can
> > only assume that it's because it's failing to convert
> > UsernamePasswordCredential into WsFederationCredential.
> >
> > This is concerning since the WsFederationCredential looks like the token
> > that should be created from the ADFS response, with the
> > UsernamePasswordCredential being part of the request that is sent to ADFS
> > for the delegated authentication process.
> >
> > Am I misunderstanding some part of this process?
> >
> > Regards,
> > Bobby
> >
> > On Thursday, September 19, 2019 at 3:51:59 PM UTC-7, rbon wrote:
> > > I think the 'does not support' message just means that the
> > > username:password could not be found in ADFS with the settings you provided.
> > > It could be more than incorrect username and/or password; could be bad
> > > keys/certs, typos in properties, ADFS config, maybe even network woes.
> > > Check logs for ADFS.
> > >
> > > Ray
> > >
> > > On Thu, 2019-09-19 at 15:15 -0700, Bobby Esfandiari wrote:
> > > > Just wanted to add an update based on the progress I've made so far...
> > > >
> > > > I added the properties outlined in the docs, based on my configuration, to
> > > > the top of the properties file (*before the cas.authn.jdbc entries*):
> > > >
> > > >   cas.authn.wsfed[0].identityProviderUrl=https://test.adfs.com/adfs/ls/
> > > >   cas.authn.wsfed[0].identityProviderIdentifier=https://test.adfs.com/adfs/services/trust
> > > >   cas.authn.wsfed[0].relyingPartyIdentifier=https://my.cas.com
> > > >   cas.authn.wsfed[0].identityAttribute=E-Mail Address
> > > >   cas.authn.wsfed[0].signingCertificateResources=file:/certs/adfs.cer
> > > >   cas.authn.wsfed[0].attributesType=WSFED
> > > >   cas.authn.wsfed[0].tolerance=10000
> > > >   cas.authn.wsfed[0].autoRedirect=false
> > > >   cas.authn.wsfed[0].name=ADFS
> > > >
> > > >   # Private/Public keypair used to decrypt assertions, if any.
> > > >   cas.authn.wsfed[0].encryptionPrivateKey=file:/certs/adfs-enc.key
> > > >   cas.authn.wsfed[0].encryptionCertificate=file:/certs/adfs-enc.crt
> > > >   cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
> > > >
> > > > When I look at the CAS logs, it identifies the following handlers for the
> > > > request:
> > > >
> > > >   DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
> > > >   <Candidate resolved authentication handlers for this transaction are
> > > >   [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@6a543e09,
> > > >   auth.CustomAuthenticationHandler@7ba1cdbe,
> > > >   org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@7c0e4e4e,
> > > >   org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler@1a66be41]]>
> > > >
> > > > I modified my existing CustomAuthenticationHandler to *not* support the
> > > > users of this domain so that all of the handlers fail until it gets to
> > > > the WsFederationAuthenticationHandler. I assumed at this point CAS would
> > > > use the properties I've added to authenticate the user by delegating
> > > > authentication to ADFS, but instead I get this:
> > > >
> > > >   DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
> > > >   <Authentication handler [ADFS] does not support the credential type
> > > >   [UsernamePasswordCredential(username=testUser@mydomain, source=null,
> > > >   customFields={})]. Trying next...>
> > > >   cas_1 | 2019-09-19 21:39:51,804 DEBUG
> > > >   [org.apereo.cas.support.events.listener.LoggingCasEventListener] -
> > > >   <Authentication transaction failed for credential:
> > > >   [UsernamePasswordCredential(username=testUser@mydomain, source=null,
> > > >   customFields={})]
> > > >
> > > > Does anyone know what needs to change here? Do I need to create another
> > > > custom handler that extends *WsFederationAuthenticationHandler* and
> > > > change it to also support *UsernamePasswordCredential*?
> > > >
> > > > I'd appreciate any assistance.
> > > >
> > > > On Wednesday, September 4, 2019 at 10:32:56 AM UTC-7, Bobby Esfandiari wrote:
> > > > > Hi Ray,
> > > > >
> > > > > I should've been a bit more specific.
> > > > > I want to be able to hit CAS from web and mobile clients.
> > > > > I can pass along a domain parameter with the request to determine whether
> > > > > the authentication process should use the database or ADFS.
> > > > >
> > > > > What I'd like to be able to do on the CAS side is extend the login
> > > > > functionality to:
> > > > > 1 - run some logic to verify the domain for that user
> > > > > 2 - direct the request to either the DB authentication or ADFS
> > > > > 3 - possibly do some manual manipulation of the attributes in the response
> > > > >
> > > > > I've looked through the ADFS Integration page and I only see info about
> > > > > modifying the claims.
> > > > > I already have a gradle overlay in place for running some custom logic
> > > > > around the db authentication, but I'm not sure how to override the
> > > > > functionality I'm looking for in points (1) and (2).
> > > > >
> > > > > On Wednesday, September 4, 2019 at 9:21:05 AM UTC-7, rbon wrote:
> > > > > > Bobby,
> > > > > >
> > > > > > Authentication options are processed in the order they are listed in the
> > > > > > properties.
> > > > > > See https://apereo.github.io/cas/6.0.x/integration/ADFS-Integration.html
> > > > > >
> > > > > > Ray
> > > > > >
> > > > > > On Tue, 2019-09-03 at 16:34 -0700, Bobby Esfandiari wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I've been using CAS + DB Authentication for a number of services. Now I
> > > > > > > need to integrate ADFS for a new client's users, but I'd like to retain the
> > > > > > > ability to authenticate using the existing database. I've searched previous
> > > > > > > topics and the CAS docs, but could not find a direct answer.
> > > > > > >
> > > > > > > I'd like to know if this is possible and if so, what would be the best way
> > > > > > > of implementing it? I have some experience with the overlay functionality
> > > > > > > (if that's needed), but I do not know the classes that would have to be
> > > > > > > extended in this case.
> > > > > > >
> > > > > > > Thank you!
> > > > > >
> > > > > > --
> > > > > > Ray Bon
> > > > > > Programmer Analyst
> > > > > > Development Services, University Systems
> > > > > > 2507218831 | CLE 019 | [email protected]
> > > > > >
> > > > > > I respectfully acknowledge that my place of work is located within the
> > > > > > ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> > > > > > WSÁNEĆ Nations.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7d628cfa-4c9c-4c76-b1cd-93115cf16ed3%40apereo.org.
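Added example, not from the thread and not the CAS API: a simplified Java model of the ordered handler dispatch that the quoted PolicyBasedAuthenticationManager log lines describe. The interfaces, records and class names (Credential, AuthenticationHandler, DomainScopedDatabaseHandler, WsFederationHandler, OrderedAuthenticationManager) are stand-ins, and the user table is a constructed sample. It shows why a handler whose supports() is `WsFederationCredential.class.isAssignableFrom(credentials.getClass())` can never accept a UsernamePasswordCredential, and how a domain check inside a custom handler's supports() keeps the database handler from attempting users of the ADFS domain (points (1) and (2) in the thread). In CAS the WsFederationCredential is built from the token ADFS posts back after the browser redirect, so a username/password form for that domain has to lead to the redirect rather than into the handler chain; that redirect step is outside this model.

```java
import java.util.List;
import java.util.Map;

// Simplified stand-in for CAS's Credential hierarchy (not the real CAS API).
interface Credential { String getId(); }

record UsernamePasswordCredential(String username, String password) implements Credential {
    public String getId() { return username; }
}

// In CAS this credential is built from the token ADFS posts back after the
// browser redirect; it is never created from a username/password form.
record WsFederationCredential(String subject, Map<String, List<String>> attributes) implements Credential {
    public String getId() { return subject; }
}

interface AuthenticationHandler {
    String getName();
    boolean supports(Credential credential);
    boolean authenticate(Credential credential);
}

/** Database-backed handler that only claims users of the domains it owns. */
final class DomainScopedDatabaseHandler implements AuthenticationHandler {
    private final List<String> domains;
    private final Map<String, String> userTable; // constructed stand-in for the JDBC query

    DomainScopedDatabaseHandler(List<String> domains, Map<String, String> userTable) {
        this.domains = domains;
        this.userTable = userTable;
    }

    public String getName() { return "DB"; }

    // supports() does the domain routing: users outside our domains are not ours to verify.
    public boolean supports(Credential c) {
        if (!(c instanceof UsernamePasswordCredential upc)) return false;
        String user = upc.username();
        int at = user.lastIndexOf('@');
        return at > 0 && domains.contains(user.substring(at + 1).toLowerCase());
    }

    public boolean authenticate(Credential c) {
        UsernamePasswordCredential upc = (UsernamePasswordCredential) c;
        // Real code compares a password hash; this table is a constructed sample.
        return upc.password().equals(userTable.get(upc.username()));
    }
}

/** Mirrors the supports() check quoted in the thread for the WS-Fed handler. */
final class WsFederationHandler implements AuthenticationHandler {
    public String getName() { return "ADFS"; }

    public boolean supports(Credential c) {
        return c != null && WsFederationCredential.class.isAssignableFrom(c.getClass());
    }

    public boolean authenticate(Credential c) {
        // The real handler validates the signed token; a non-empty subject stands in here.
        return !((WsFederationCredential) c).subject().isEmpty();
    }
}

/** Walks handlers in configuration order, as the "Trying next..." log lines show. */
final class OrderedAuthenticationManager {
    private final List<AuthenticationHandler> handlers;

    OrderedAuthenticationManager(List<AuthenticationHandler> handlers) { this.handlers = handlers; }

    /** Returns the name of the handler that authenticated the credential, or null if none did. */
    String authenticate(Credential credential) {
        for (AuthenticationHandler h : handlers) {
            if (!h.supports(credential)) {
                System.out.println("Handler [" + h.getName() + "] does not support "
                        + credential.getClass().getSimpleName() + ". Trying next...");
                continue;
            }
            if (h.authenticate(credential)) return h.getName();
            System.out.println("Handler [" + h.getName() + "] rejected " + credential.getId());
        }
        return null; // same outcome as "Authentication transaction failed" in the thread
    }
}

public class HandlerOrderDemo {
    public static void main(String[] args) {
        var db = new DomainScopedDatabaseHandler(List.of("mydomain"), Map.of("testUser@mydomain", "s3cret"));
        var manager = new OrderedAuthenticationManager(List.of(db, new WsFederationHandler()));

        // Database-domain user: claimed and verified by the DB handler -> "DB".
        System.out.println(manager.authenticate(new UsernamePasswordCredential("testUser@mydomain", "s3cret")));
        // ADFS-domain user arriving as username/password: no handler claims it -> null.
        System.out.println(manager.authenticate(new UsernamePasswordCredential("alice@client.example", "pw")));
        // Only a credential built from the ADFS response satisfies the WS-Fed handler -> "ADFS".
        System.out.println(manager.authenticate(new WsFederationCredential("alice@client.example", Map.of())));
    }
}
```

Compile and run with a JDK 16 or newer (`javac HandlerOrderDemo.java && java HandlerOrderDemo`). The second call reproduces the situation in the thread: once every handler's supports() declines the UsernamePasswordCredential, the transaction fails instead of being delegated, which is why the routing decision for the ADFS domain has to happen before the credential reaches the handler chain.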
