Thanks Mike. Unfortunately, using the attributeReleasePolicy you stated in my JSON file and the ticketidSaml2=false setting in my cas.properties made no difference. I am grasping for any ideas, and appreciate your jumping in with them.

Carl

On Friday, January 24, 2020 at 10:01:28 AM UTC-5, [email protected] wrote:
>
> Carl,
>
> I have this working with 6.0.x But I'm limiting the release to just
> UDC_IDENTIFIER like this:
>
> "attributeReleasePolicy" : {
>   "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>   authorizedToReleaseCredentialPassword: false
>   authorizedToReleaseProxyGrantingTicket: false
>   excludeDefaultAttributes: true
>   authorizedToReleaseAuthenticationAttributes: false
>   "allowedAttributes": [ "java.util.ArrayList", [ "UDC_IDENTIFIER" ] ]
> }
>
> and I have ticketidSaml2=false in my cas.properties file:
>
> cas.samlCore.ticketidSaml2=false
>
> -Mike
>
> On Friday, January 24, 2020 at 9:42:06 AM UTC-5, crdaudt wrote:
>>
>> Adding org.apereo.cas:cas-server-support-saml to the build certainly made
>> a difference: CAS now recognizes the JSON entry for our Ellucian Banner
>> related service.
>>
>> Unfortunately, I am still not out of the woods. The Banner service is
>> now reporting "HTTP Status 500 - org.jasig.cas.client.validation.TicketValidationException: No assertions found."
>> From looking at the cas.log, it seems that CAS has the correct
>> information for me (UDC_IDENTIFIER, sAMAccountName (same as my
>> UDC_IDENTIFIER), displayName, mail, and memberOf (security groups I belong
>> to)). My assumption is that the last few lines of my json file should
>> release all of these to Banner, i.e., the following lines:
>> ---LAST FEW LINES---
>>   "usernameAttributeProvider":
>>   {
>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>>     "canonicalizationMode": "LOWER"
>>   }
>>   "attributeReleasePolicy":
>>   {
>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   }
>> }
>> ---END LAST FEW LINES---
>>
>> Thanks for getting me over an important hurdle with getting saml support
>> into the build.
>>
>> I would appreciate some ideas for how to satisfy the Ellucian Banner
>> service with the required assertions.
>>
>> Carl
>>
>> On Friday, January 24, 2020 at 8:39:54 AM UTC-5, crdaudt wrote:
>>>
>>> Oh, no -- What I have is the following. I have:
>>> compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
>>> ...but I do not have:
>>> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>>>
>>> I will let you know what I find after adding, re-building, and testing.
>>>
>>> Carl
>>>
>>> On Friday, January 24, 2020 at 8:22:41 AM UTC-5, crdaudt wrote:
>>>>
>>>> Yes, that line is included in my build.gradle file.
>>>>
>>>> On Thursday, January 23, 2020 at 7:10:16 PM UTC-5, rbon wrote:
>>>>>
>>>>> Carl,
>>>>>
>>>>> Do you have saml support enabled:
>>>>> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>>>>>
>>>>> Ray
>>>>>
>>>>> On Thu, 2020-01-23 at 15:32 -0800, crdaudt wrote:
>>>>>
>>>>> Here is the entire JSON file (using the real server names, but
>>>>> blanking out the "memberOf" security groups):
>>>>> ---BEGIN---
>>>>> {
>>>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>>>   "serviceId": "^http(s)?://servicespre\\.taylor(u)?\\.edu(/.*)?$",
>>>>>   "name": "TOWER -- services",
>>>>>   "id": 11000904,
>>>>>   "description": "You are authenticating to ___servicespre.taylor.edu___",
>>>>>   "evaluationOrder": 104,
>>>>>   "accessStrategy" :
>>>>>   {
>>>>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>>>     "enabled" : true,
>>>>>     "unauthorizedRedirectUrl" : "https://sso.taylor.edu/cas_access_denied/bannersso.html",
>>>>>     "requireAllAttributes" : false,
>>>>>     "ssoEnabled" : true,
>>>>>     "requiredAttributes" :
>>>>>     {
>>>>>       "@class" : "java.util.HashMap",
>>>>>       "memberOf" : [ "java.util.HashSet", [ "CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx","CN=xx2,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx",(and so forth...)" ] ]
>>>>>     }
>>>>>   }
>>>>>   "usernameAttributeProvider":
>>>>>   {
>>>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>>>>>     "canonicalizationMode": "LOWER"
>>>>>   }
>>>>>   "attributeReleasePolicy":
>>>>>   {
>>>>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>>>   }
>>>>> }
>>>>> ---END---
>>>>>
>>>>> On Thursday, January 23, 2020 at 6:09:49 PM UTC-5, crdaudt wrote:
>>>>>
>>>>> {
>>>>>   "serviceId": "^http(s)?://our_banner_server\\.taylor(u)?\\.edu(/.*)?$",
>>>>>   "name": "TOWER -- services",
>>>>>   (and so forth)
>>>>> }
>>>>>
>>>>> On Thursday, January 23, 2020 at 5:48:01 PM UTC-5, rbon wrote:
>>>>>
>>>>> Carl,
>>>>>
>>>>> TARGET is used with SAML 1.1 protocol (which Banner uses), service
>>>>> with CAS protocol(s).
>>>>> What is your service Id?
>>>>> It is odd that it works with service= and not TARGET=.
>>>>>
>>>>> Ray
>>>>>
>>>>> On Thu, 2020-01-23 at 14:24 -0800, crdaudt wrote:
>>>>>
>>>>> We have had our Ellucian Banner service authenticating users through
>>>>> our CAS 5.2.2 service for several years, and are now attempting to migrate
>>>>> to our CAS 6.1.3 service. However, CAS does not recognize the JSON entry
>>>>> that we have in place for Banner. I believe the issue is related to the
>>>>> fact that the service ticket request includes the parameter "TARGET=..."
>>>>> rather than "service=..." in the URL. I.e.,:
>>>>>
>>>>> https://our.cas.server.edu/cas/login?TARGET=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
>>>>>
>>>>> rather than:
>>>>>
>>>>> https://our.cas.server.edu/cas/login?service=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
>>>>>
>>>>> If I manually replace 'TARGET=' with 'service=', the JSON entry is
>>>>> recognized and a service ticket is created. However, the banner service
>>>>> itself fails to do anything with the service ticket.
>>>>>
>>>>> Let me reiterate that the same JSON entry worked in our CAS 5
>>>>> environment, but fails to work in our CAS 6.1 environment.
>>>>>
>>>>> Any ideas?
>>>>> Carl
>>>>>
>>>>> --
>>>>>
>>>>> Ray Bon
>>>>> Programmer Analyst
>>>>> Development Services, University Systems
>>>>> 2507218831 | CLE 019 | [email protected]
>>>>>
>>>>> I respectfully acknowledge that my place of work is located within the
>>>>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>>>>> WSÁNEĆ Nations.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/68ec520a-5bda-445c-98f8-a19527382ab8%40apereo.org.
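
Added example, not part of the thread and not CAS or Banner code: the "No assertions found." error quoted above comes from the client parsing the SAML 1.1 validation response, so a captured response can be inspected offline for its status, assertion count and released attributes. The two responses embedded below are constructed samples, and `inspect_saml11_response` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# SAML 1.1 protocol and assertion namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

def inspect_saml11_response(xml_text):
    """Report status, assertion count, subject and attributes of a captured response."""
    # A validation response never needs a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(xml_text)
    tag = "{%s}Response" % NS["samlp"]
    response = root if root.tag == tag else root.find(".//samlp:Response", NS)
    if response is None:
        return {"status": None, "assertions": 0, "subject": None, "attributes": {}}
    code = response.find("samlp:Status/samlp:StatusCode", NS)
    # StatusCode/@Value is a QName such as "samlp:Success"; keep the local part.
    status = code.get("Value", "").split(":")[-1] if code is not None else None
    assertions = response.findall("saml:Assertion", NS)
    subject, attributes = None, {}
    for assertion in assertions:
        name_id = assertion.find(".//saml:Subject/saml:NameIdentifier", NS)
        if name_id is not None and subject is None:
            subject = (name_id.text or "").strip()
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return {"status": status, "assertions": len(assertions),
            "subject": subject, "attributes": attributes}

# Constructed samples (not taken from the thread): one success, one denial.
_ENVELOPE = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
             '<SOAP-ENV:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
             'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">%s</samlp:Response>'
             '</SOAP-ENV:Body></SOAP-ENV:Envelope>')
SAMPLE_OK = _ENVELOPE % (
    '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    '<saml:Assertion><saml:AttributeStatement><saml:Subject>'
    '<saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>'
    '<saml:Attribute AttributeName="UDC_IDENTIFIER" AttributeNamespace="urn:example">'
    '<saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>')
SAMPLE_DENIED = _ENVELOPE % (
    '<samlp:Status><samlp:StatusCode Value="samlp:RequestDenied"/></samlp:Status>')

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("denied", SAMPLE_DENIED)):
        print(name, inspect_saml11_response(doc))
```

A result with `assertions` equal to 0 points at the server side of the validation exchange (ticket, service match or protocol module), while a non-zero count with missing attribute names points at the release policy.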
