Sorry to bother you all with this. I'm out of ideas here. Again, any help would be greatly appreciated.

If anyone has a working config for CAS as an ADFS client I'd love to see it. I'd also like to know if there are changes elsewhere in the config that I need to make.

I attempted to configure a WordPress blog to use the Authorizer plugin. I get routed through CAS to ADFS where I log in, then I get routed back to the app, which routes me back to a CAS logout page.

Thanks,
--
Erik Mallory
Server Analyst
Wichita State University
On Thu, 2020-07-02 at 19:25 +0000, 'Mallory, Erik' via CAS Community wrote:
> CAUTION: This email originated from outside of Wichita State University. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> As I go through the debug looking for differences I've noticed that on the initial session CAS does not send a SAML response to the application. The second session does send a SAML response. Why would that be?
>
> --
> Erik Mallory
> Server Analyst
> Wichita State University
>
> On Wed, 2020-07-01 at 21:43 +0000, 'Mallory, Erik' via CAS Community wrote:
> > I discovered that if I open a second tab I can get logged into the Banner app just fine. Here's what I did:
> >
> > I browse to the application I am attempting to authenticate to. I get redirected to CAS, which redirects me to ADFS where I enter my credentials and then get passed to CAS and then to the application. I get a "user/login denied invalid username/password" message from the application. I open a second browser tab and point it at the application and voilà, I'm in. It works.
> > The only real difference I see in the logs is
> >
> > DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=service, loggedOutAlready=false, format=XML, attributes={})] via event [redirect]>
> >
> > DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})] via event [redirect]>
> >
> > Again, any help would be greatly appreciated.
> >
> > --
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> >
> > On Wed, 2020-07-01 at 20:25 +0000, 'Mallory, Erik' via CAS Community wrote:
> > > Hello,
> > > My institution would like to make CAS a client of ADFS. I started working through the config and it mostly works EXCEPT passing the Banner UDC_IDENTIFIER to a Banner application.
> > > Here is the relevant config for ADFS:
> > >
> > > cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
> > > cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
> > > cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
> > > #cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
> > > cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
> > > cas.authn.wsfed[0].identityAttribute=upn
> > > cas.authn.wsfed[0].attributesType=BOTH
> > > #cas.authn.wsfed[0].attributesType=WSFED
> > > cas.authn.wsfed[0].tolerance=10000
> > > cas.authn.wsfed[0].attributeResolverEnabled=true
> > > cas.authn.wsfed[0].autoRedirect=true
> > > cas.authn.wsfed[0].name=
> > > cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
> > > cas.authn.wsfed[0].principal.principalAttribute=upn
> > > cas.authn.wsfed[0].principal.returnNull=false
> > >
> > > # Private/Public keypair used to decrypt assertions, if any.
> > > cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
> > > cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
> > > #cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
> > >
> > > Here is the Groovy script:
> > >
> > > import org.apereo.cas.*
> > > import java.util.*
> > > import org.apereo.cas.authentication.*
> > >
> > > // CAS passes the attributes parsed from the WS-Fed assertion and a logger;
> > > // the returned map is the attribute set CAS goes on to use.
> > > def Map run(final Object... args) {
> > >     def attributes = args[0]
> > >     def logger = args[1]
> > >     logger.warn("Mutating attributes {}", attributes)
> > >     // Expose the UPN a second time under the name Banner expects.
> > >     return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
> > > }
> > >
> > > The service is configured to use the principal as UDC_IDENTIFIER, and this configuration works for "regular" CAS logins.
> > >
> > > I noticed these differences in the CAS logs between "regular" CAS auth and ADFS client auth.
> > >
> > > 2:41 PM
> > >
> > > ADFS
> > >
> > > DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] using [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>
> > >
> > > reg cas...2020-07-01 14:16:12,807 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
> > >
> > > reg cas
> > >
> > > DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service response builder [org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e] for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})]>
> > >
> > > Looks like the principal is not making it to the Banner application in the ADFS config.
> > > Any help would be greatly appreciated.
> > >
> > > --
> > > Erik Mallory
> > > Server Analyst
> > > Wichita State University
> > >
> > > --
> > > - Website: https://apereo.github.io/cas
> > > - Gitter Chatroom: https://gitter.im/apereo/cas
> > > - List Guidelines: https://goo.gl/1VRrw7
> > > - Contributions: https://goo.gl/mh7qDG
> > > ---
> > > You received this message because you are subscribed to the Google Groups "CAS Community" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c87084b75a940a6aa31e3c76fa1206c97133d645.camel%40wichita.edu.
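The comparison Erik is doing by eye (first session: resolver sees principal=null and no SAML response goes out; second session: source=TARGET and a SamlServiceResponseBuilder is located) can be automated over the CAS debug log. The script below is an added example, not code from the thread or from the CAS project: it parses the AbstractWebApplicationService(...) descriptor CAS prints on each line, summarizes each session, and reports a session that redirected to the service without ever locating a SAML response builder. The sample log lines are constructed from the ones quoted in the thread; the timestamps are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches the service descriptor CAS prints in debug output, e.g.
#   [AbstractWebApplicationService(id=..., principal=null, source=service, ..., attributes={})]
SERVICE_RE = re.compile(r"AbstractWebApplicationService\((?P<body>.*?attributes=\{[^}]*\})\)")

SERVICE_ID = "https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check"

# Constructed sample: the ADFS-delegated first session. The resolver sees principal=null,
# the redirect fires with source=service, and no SAML response builder is ever located.
# Timestamps are assumptions; the descriptor fields copy the thread's log lines.
FIRST_SESSION = f"""\
2020-07-01 14:41:02,113 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id={SERVICE_ID}, originalUrl={SERVICE_ID}, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={{}})] using [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>
2020-07-01 14:41:05,420 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id={SERVICE_ID}, originalUrl={SERVICE_ID}, artifactId=null, principal=f282c439, source=service, loggedOutAlready=false, format=XML, attributes={{}})] via event [redirect]>
"""

# Constructed sample: the second-tab session that works (source=TARGET, builder located).
SECOND_SESSION = f"""\
2020-07-01 14:16:12,807 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id={SERVICE_ID}, originalUrl={SERVICE_ID}, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={{}})] via event [redirect]>
2020-07-01 14:16:12,809 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service response builder [org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e] for [AbstractWebApplicationService(id={SERVICE_ID}, originalUrl={SERVICE_ID}, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={{}})]>
"""


@dataclass
class SessionSummary:
    """The three facts the thread compares between the failing and the working session."""
    null_principal_events: int = 0
    redirects: List[Tuple[str, str]] = field(default_factory=list)  # (source, principal)
    saml_response_built: bool = False


def parse_service(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of the service descriptor on a log line, or None if absent."""
    match = SERVICE_RE.search(line)
    if match is None:
        return None
    fields: Dict[str, str] = {}
    for part in match.group("body").split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def summarize_session(log_text: str) -> SessionSummary:
    """Walk one session's debug lines and collect principal, redirect and response-builder facts."""
    summary = SessionSummary()
    for line in log_text.splitlines():
        fields = parse_service(line)
        if fields is None:
            continue
        if fields.get("principal") == "null":
            summary.null_principal_events += 1
        if "Signaling flow to redirect to service" in line:
            summary.redirects.append((fields.get("source", ""), fields.get("principal", "")))
        if "Located service response builder" in line and "SamlServiceResponseBuilder" in line:
            summary.saml_response_built = True
    return summary


def diagnose(summary: SessionSummary) -> List[str]:
    """Human-readable findings; an empty list means the session looks like the working one."""
    findings: List[str] = []
    if summary.null_principal_events:
        findings.append(f"{summary.null_principal_events} event(s) resolved with principal=null")
    if summary.redirects and not summary.saml_response_built:
        for source, principal in summary.redirects:
            findings.append(
                f"redirect fired (source={source}, principal={principal}) "
                "but no SAML response builder was located"
            )
    return findings


if __name__ == "__main__":
    for name, log in (("first session", FIRST_SESSION), ("second session", SECOND_SESSION)):
        print(name, diagnose(summarize_session(log)) or ["no findings"])
```

To use it on a real log, split the file into sessions (by client IP or by the session id CAS logs when that logging is enabled) and feed each chunk to summarize_session; a session whose redirect fires without a located response builder is the one whose application will report a denied login.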
