As I go through the debug output looking for differences, I've noticed that on the initial session CAS does not send a SAML response to the application. The second session does send a SAML response. Why would that be?
--
Erik Mallory
Server Analyst
Wichita State University

On Wed, 2020-07-01 at 21:43 +0000, 'Mallory, Erik' via CAS Community wrote:
>
> I discovered that if I open a second tab I can get logged into the
> Banner app just fine. Here's what I did:
> I browse to the application I am attempting to authenticate to. I get
> redirected to CAS, which redirects me to ADFS, where I enter my
> credentials and then get passed to CAS and then to the application. I
> get a "user/login denied invalid username/password" message from the
> application. I open a second browser tab and point it at the
> application and voilà, I'm in. It works.
> The only real difference I see in the logs is
>
> DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=service, loggedOutAlready=false, format=XML, attributes={})] via event [redirect]>
>
> DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})] via event [redirect]>
>
> Again, any help would be greatly appreciated.
>
> --
> Erik Mallory
> Server Analyst
> Wichita State University
>
> On Wed, 2020-07-01 at 20:25 +0000, 'Mallory, Erik' via CAS Community wrote:
> >
> > Hello,
> > My institution would like to make CAS a client of ADFS. I started
> > working through the config and it mostly works EXCEPT passing the
> > Banner UDC_IDENTIFIER to a Banner application.
> > Here is the relevant config for ADFS:
> >
> > cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
> > cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
> > cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
> > #cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
> > cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
> > cas.authn.wsfed[0].identityAttribute=upn
> > cas.authn.wsfed[0].attributesType=BOTH
> > #cas.authn.wsfed[0].attributesType=WSFED
> > cas.authn.wsfed[0].tolerance=10000
> > cas.authn.wsfed[0].attributeResolverEnabled=true
> > cas.authn.wsfed[0].autoRedirect=true
> > cas.authn.wsfed[0].name=
> > cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
> > cas.authn.wsfed[0].principal.principalAttribute=upn
> > cas.authn.wsfed[0].principal.returnNull=false
> >
> > # Private/Public keypair used to decrypt assertions, if any.
> > cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
> > cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
> > #cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
> >
> > Here is the Groovy script:
> >
> > import org.apereo.cas.*
> > import java.util.*
> > import org.apereo.cas.authentication.*
> >
> > // Invoked by CAS with the WS-Fed attribute map and a logger;
> > // returns the attribute map that CAS should use from here on.
> > def Map run(final Object... args) {
> >     def attributes = args[0]
> >     def logger = args[1]
> >     logger.warn("Mutating attributes {}", attributes)
> >     // Expose upn under the name Banner expects, and keep upn itself.
> >     return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
> > }
> >
> > The service is configured to use the principal as UDC_IDENTIFIER,
> > and this configuration works for "regular" CAS logins.
> >
> > I noticed these differences in the CAS logs between "regular" CAS
> > auth and ADFS client auth.
> >
> > ADFS:
> >
> > DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] using [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>
> >
> > reg cas:
> >
> > 2020-07-01 14:16:12,807 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service response builder [org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e] for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})]>
> >
> > Looks like the principal is not making it to the Banner application
> > in the ADFS config.
> > Any help would be greatly appreciated.
> >
> > --
> > Erik Mallory
> > Server Analyst
> > Wichita State University

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/db557b86cb54f358218c27873fd8d15ebdba282f.camel%40wichita.edu.
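To compare the AbstractWebApplicationService entries quoted in this thread mechanically rather than by eye, here is an added Python helper (not part of CAS and not from the original messages) that pulls the key=value fields out of such DEBUG lines, diffs two of them, and flags a missing principal; the sample lines are reconstructed from the ones posted above.

```python
import re

# Sample CAS DEBUG lines reconstructed from the thread (constructed here for the example).
_SVC = ("AbstractWebApplicationService(id={url}, originalUrl={url}, artifactId=null, "
        "principal={principal}, source={source}, loggedOutAlready=false, format=XML, attributes={{}})")
_URL = "https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check"

ADFS_RESOLVE = ("DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - "
                "<Resolving candidate authentication event for service ["
                + _SVC.format(url=_URL, principal="null", source="service")
                + "] using [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>")
FIRST_REDIRECT = ("DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - "
                  "<Signaling flow to redirect to service ["
                  + _SVC.format(url=_URL, principal="f282c439", source="service") + "] via event [redirect]>")
SECOND_REDIRECT = FIRST_REDIRECT.replace("source=service", "source=TARGET")

# The service dump sits between "AbstractWebApplicationService(" and the closing ")]".
SERVICE_RE = re.compile(r"AbstractWebApplicationService\((.*?)\)\]")
# Fields are "key=value" pairs separated by ", "; values (URLs, null, {}) contain no ", ".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_service(line):
    """Return the key=value fields of the service logged in a CAS DEBUG line ({} if none)."""
    m = SERVICE_RE.search(line)
    return dict(FIELD_RE.findall(m.group(1))) if m else {}


def diff_services(a, b):
    """Fields whose values differ between two parsed services, as {field: (a_value, b_value)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def missing_principal(fields):
    """True when the logged service carries no resolved principal (the symptom in the thread)."""
    return fields.get("principal") in (None, "", "null")


if __name__ == "__main__":
    first, second = parse_service(FIRST_REDIRECT), parse_service(SECOND_REDIRECT)
    print("first vs second session:", diff_services(first, second))
    print("ADFS resolve step has a principal:", not missing_principal(parse_service(ADFS_RESOLVE)))
```

Running it shows that the two redirect events differ only in source (service vs TARGET), while the ADFS "Resolving candidate" event is the one with no principal at all.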
