Hello,

My institution would like to make CAS a client of ADFS. I started working through the config and it mostly works EXCEPT passing the Banner UDC_IDENTIFIER to a Banner application. Here is the relevant config for ADFS:
    cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
    cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
    cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
    #cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
    cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
    cas.authn.wsfed[0].identityAttribute=upn
    cas.authn.wsfed[0].attributesType=BOTH
    #cas.authn.wsfed[0].attributesType=WSFED
    cas.authn.wsfed[0].tolerance=10000
    cas.authn.wsfed[0].attributeResolverEnabled=true
    cas.authn.wsfed[0].autoRedirect=true
    cas.authn.wsfed[0].name=
    cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
    cas.authn.wsfed[0].principal.principalAttribute=upn
    cas.authn.wsfed[0].principal.returnNull=false
    # Private/Public keypair used to decrypt assertions, if any.
    cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
    cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
    #cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE

Here is the groovy script:

    import org.apereo.cas.*
    import java.util.*
    import org.apereo.cas.authentication.*

    def Map run(final Object... args) {
        // args[0] is the attribute map received from ADFS, args[1] is the CAS logger
        def attributes = args[0]
        def logger = args[1]
        logger.warn("Mutating attributes {}", attributes)
        // Return the attribute set CAS should keep: UDC_IDENTIFIER copied from upn, plus upn itself
        return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
    }

The service is configured to use the principal as UDC_IDENTIFIER, and this configuration works for "regular" CAS logins. I noticed these differences in the CAS logs between "regular" CAS auth and ADFS client auth.
ADFS:

    2:41 PM DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] using [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>

reg cas:

    2020-07-01 14:16:12,807 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service response builder [org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e] for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})]>

Looks like the principal is not making it to the Banner application in the ADFS config. Any help would be greatly appreciated.

--
Erik Mallory
Server Analyst
Wichita State University

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c87084b75a940a6aa31e3c76fa1206c97133d645.camel%40wichita.edu.
