Carl,

This debug line will let you know what is being returned:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray

On Fri, 2020-01-24 at 06:42 -0800, crdaudt wrote:
Adding org.apereo.cas:cas-server-support-saml to the build certainly made a 
difference:  CAS now recognizes the JSON entry for our Ellucian Banner related 
service.

Unfortunately, I am still not out of the woods.  The Banner service is now 
reporting "HTTP Status 500 - 
org.jasig.cas.client.validation.TicketValidationException: No assertions found."
From looking at the cas.log, it seems that CAS has the correct information for 
me (UDC_IDENTIFIER, sAMAccountName (same as my UDC_IDENTIFIER), displayName, 
mail, and memberOf (security groups I belong to)).  My assumption is that the 
last few lines of my json file should release all of these to Banner, i.e., 
the following lines:
---LAST FEW LINES---
  "usernameAttributeProvider":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "LOWER"
  }
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}
---END LAST FEW LINES---

Thanks for getting me over an important hurdle with getting saml support into 
the build.

I would appreciate some ideas for how to satisfy the Ellucian Banner service 
with the required assertions.

Carl

On Friday, January 24, 2020 at 8:39:54 AM UTC-5, crdaudt wrote:
Oh, no -- What I have is the following.  I have:
compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
  ...but I do not have:
compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"

I will let you know what I find after adding, re-building, and testing.

Carl

On Friday, January 24, 2020 at 8:22:41 AM UTC-5, crdaudt wrote:
Yes, that line is included in my build.gradle file.

On Thursday, January 23, 2020 at 7:10:16 PM UTC-5, rbon wrote:
Carl,

Do you have saml support enabled:
compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"

Ray


On Thu, 2020-01-23 at 15:32 -0800, crdaudt wrote:
Here is the entire JSON file (using the real server names, but blanking out the 
"memberOf" security groups):
---BEGIN---
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^http(s)?://servicespre\\.taylor(u)?\\.edu(/.*)?$",
  "name": "TOWER -- services",
  "id": 11000904,
  "description": "You are authenticating to ___servicespre.taylor.edu___",
  "evaluationOrder": 104,
  "accessStrategy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "unauthorizedRedirectUrl" : "https://sso.taylor.edu/cas_access_denied/bannersso.html",
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" :
    {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx","CN=xx2,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx",(and so forth...)" ] ]
    }
  }
  "usernameAttributeProvider":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "LOWER"
  }
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}
---END---

On Thursday, January 23, 2020 at 6:09:49 PM UTC-5, crdaudt wrote:
{
  "serviceId": "^http(s)?://our_banner_server\\.taylor(u)?\\.edu(/.*)?$",
  "name": "TOWER -- services",
  (and so forth)
}

On Thursday, January 23, 2020 at 5:48:01 PM UTC-5, rbon wrote:
Carl,

TARGET is used with SAML 1.1 protocol (which Banner uses), service with CAS 
protocol(s).
What is your service Id?
It is odd that it works with service= and not TARGET=.

Ray


On Thu, 2020-01-23 at 14:24 -0800, crdaudt wrote:
We have had our Ellucian Banner service authenticating users through our CAS 
5.2.2 service for several years, and are now attempting to migrate to our CAS 
6.1.3 service.  However, CAS does not recognize the JSON entry that we have in 
place for Banner.  I believe the issue is related to the fact that the service 
ticket request includes the parameter "TARGET=..." rather than "service=..." in 
the URL.  I.e.,:
https://our.cas.server.edu/cas/login?TARGET=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
rather than:
https://our.cas.server.edu/cas/login?service=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
If I manually replace 'TARGET=' with 'service=', the JSON entry is recognized 
and a service ticket is created.  However, the banner service itself fails to 
do anything with the service ticket.

Let me reiterate that the same JSON entry worked in our CAS 5 environment, but 
fails to work in our CAS 6.1 environment.

Any ideas?
Carl

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
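
An added example, not code from the thread or from the CAS project: a Python check that pulls the requested service out of a login URL, labels the protocol using Ray's TARGET/service distinction, and tests the decoded URL against the serviceId regex from the posted JSON. The function names and sample URLs are constructed for illustration, and Python's `re` stands in for the Java regex engine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Login parameter -> protocol, as Ray describes: TARGET is SAML 1.1, service is CAS.
PARAM_PROTOCOL = {"TARGET": "SAML 1.1", "service": "CAS"}

# serviceId from the posted JSON, with the JSON string escaping (\\.) undone.
SERVICE_ID = r"^http(s)?://servicespre\.taylor(u)?\.edu(/.*)?$"


def requested_service(login_url):
    """Return (parameter, protocol, decoded service URL) from a login URL."""
    query = parse_qs(urlsplit(login_url).query)
    present = [p for p in PARAM_PROTOCOL if p in query]
    if len(present) != 1 or len(query[present[0]]) != 1:
        raise ValueError("expected exactly one TARGET or service parameter")
    param = present[0]
    return param, PARAM_PROTOCOL[param], query[param][0]


def check(login_url, service_id=SERVICE_ID):
    """Report which protocol the request implies and whether the regex matches."""
    param, protocol, service_url = requested_service(login_url)
    return {
        "parameter": param,
        "protocol": protocol,
        "service": service_url,
        # The pattern is anchored with ^ and $, so the whole URL must match.
        "registered": re.fullmatch(service_id, service_url) is not None,
    }


# Constructed sample URLs (the CAS host is the thread's placeholder name).
LOGIN = "https://our.cas.server.edu/cas/login?"
SAMPLES = [
    LOGIN + "TARGET=https%3A%2F%2Fservicespre.taylor.edu%2FEmployeeSelfService%2Flogin%2Fcas",
    LOGIN + "service=https%3A%2F%2Fservicespre.taylor.edu%2FEmployeeSelfService%2Flogin%2Fcas",
    LOGIN + "TARGET=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas",
    LOGIN + "TARGET=https%3A%2F%2Fservicespre.taylor.edu.example.org%2Flogin%2Fcas",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check(url))
```

The first two samples match the same serviceId and differ only in protocol; in the thread, the entry was recognized for TARGET requests only after cas-server-support-saml was added to the build.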
