Lol.. Well I appreciate the commiseration. It sounds very similar to what I'm experiencing. I'm delegating to ADFS and the CAS server is forgetting it's in the middle of a SAML conversation. I just think this *should* work. I think I'm missing some config. I keep eyeing SAML IdP config but every time I look through the CAS Docs, I'm like "Nope that won't do it."
It would be nice if someone who knows more than I do would take the time to explain why I'm wrong, so I could explain to my superiors why this doesn't work.

--
Erik Mallory
Server Analyst
Wichita State University

On Thu, 2020-07-23 at 14:26 +0000, Jon Anderson wrote:
> CAUTION: This email originated from outside of Wichita State
> University. Do not click links or open attachments unless you
> recognize the sender and know the content is safe.
>
> This isn't so helpful, but I once tried to get a CAS5 to speak SAML2
> with an SP but delegate the auth to older existing CAS server. I
> ended up giving up on delegation, because I could never get it to
> finish the SAML2 conversation. It would come back from the delegated
> authentication, forget that it was in the middle of a SAML
> conversation and try to finish with the SP speaking CAS.
> ________________________________________
> From: 'Mallory, Erik' via CAS Community [[email protected]]
> Sent: Thursday, July 23, 2020 9:12 AM
> To: [email protected]
> Subject: Re: [cas-user] CAS 6.1.7 ADFS Client Banner Applications
>
> CAUTION: THIS EMAIL ORIGINATED FROM OUTSIDE OF ORU
>
> So basically, what happens here is CAS "forgets" to speak SAML back to
> the Banner Application. When the conversation is between the CAS server
> and the banner app all is well. When the CAS server communicates to the
> Banner app, the banner app does not receive SAML data.
>
> So how would one configure CAS to send SAML data in addition to
> responding to a saml request?
>
> Really I'm at a dead end here.
> --
> Erik Mallory
> Server Analyst
> Wichita State University
>
> On Fri, 2020-07-17 at 20:22 +0000, 'Mallory, Erik' via CAS Community wrote:
> >
> > So I've increased the logging for the Banner Application I'm trying to
> > get configured. The Banner application uses SAML 1.1 to communicate.
> > CAS hands off the authentication to ADFS and then back to CAS which
> > then sends the user back to the Banner Application. CAS is not sending
> > a SAML response at that time.
> >
> > If you open a second tab, and navigate to the application, it sends you
> > to cas, you're authenticated, so cas sends you back with a SAML
> > response and you are able to log in.
> > I've attached the application logs if anyone is interested.
> >
> > --
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> >
> > On Fri, 2020-07-17 at 16:29 +0000, 'Mallory, Erik' via CAS Community wrote:
> > > Thanks!
> > > I'm working with Ellucian now. It's strange to me that it works with
> > > just CAS but then does not work when CAS is configured as an ADFS
> > > client. It's as if CAS is not speaking SAML for that initial log in but
> > > it is speaking SAML for subsequent logins.
> > >
> > > --
> > > Erik Mallory
> > > Server Analyst
> > > Wichita State University
> > >
> > > On Thu, 2020-07-16 at 22:29 +0000, Ray Bon wrote:
> > > > Erik,
> > > >
> > > > Our Banner setup uses SAML 1.1. During the log in request it is
> > > > /cas/login?TARGET=blah/banner/applicationnavigator
> > > > 'service' is used for CAS protocol. Check your banner setup.
> > > >
> > > > Ray
> > > >
> > > > On Thu, 2020-07-16 at 21:07 +0000, 'Mallory, Erik' via CAS Community wrote:
> > > > > Hello I think I've narrowed the problem and I *think* it's on the
> > > > > application side... but... is there any way to control the source
> > > > > parameter that we see below in the logs. If I could configure cas to
> > > > > always send source=TARGET I think this configuration would work for
> > > > > the banner apps.
> > > > >
> > > > > Log from initial login which produces "Invalid login/access denied"
> > > > > <Built response
> > > > > [org.apereo.cas.authentication.principal.DefaultResponse@323ac4df]
> > > > > for [AbstractWebApplicationService(id=
> > > > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,_wHiMvng_umeKmvsxV0b3328jsb34qW0q1W_weUee4fnXxJyrgejj3nMZTCgps9Vt_en1k2fBbpiw_X_To8y-7dMXLV7PhL2sBiPpC_tmZaRF5RGxQ,,&typo=1
> > > > > , originalUrl=
> > > > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,pSSItGy53_1U4UzaUTeJ2dUbepUjbyD_A1pSR_B-ybTfXXguJqBQLTdme0d6NPSlArjfSpGnSypiX7rXwNvrGnF0ycXR2HdM-56f6svEonBW4sICUDNu4QHEG04,&typo=1
> > > > > , artifactId=null, principal=f282c439, source=service,
> > > > > loggedOutAlready=false, format=XML, attributes={})]>
> > > > > ^^ Invalid login access denied.
> > > > >
> > > > > Log from an established CAS/ADFS session gaining access to the
> > > > > application
> > > > >
> > > > > <Located service [AbstractWebApplicationService(id=
> > > > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,APvz6WmNsFgbhbr4vXVyxmbsWNHMA1X7mU6bw9e1XYzKl93VLJxY1i45LGbLAHgnPsRtn5VmCzKDGajGaFenI6XNvaYZKmMhedHMdJkm3SFl&typo=1
> > > > > , originalUrl=
> > > > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,_4qKWJwqdJ7oJ72ItZL7A-4Qplk9cKai0qJIIIusfQN1EsFomVeRNZm2IGj3zehAWf0rr_BzdB9UGsho5KgCdgKC-tVc6RZZZFJOFxRhUg,,&typo=1
> > > > > , artifactId=null, principal=f282c439, source=TARGET,
> > > > > loggedOutAlready=false, format=XML, attributes={})] from the
> > > > > context>
> > > > > ^^ works
> > > > >
> > > > > In the applications there is a groovy file with a parameter
> > > > >
> > > > > serviceParameter = 'TARGET'
> > > > >
> > > > > I tried changing it to 'service' but had no luck.
> > > > > --
> > > > > Erik Mallory
> > > > > Server Analyst
> > > > > Wichita State University
> > > >
> > > > --
> > > > Ray Bon
> > > > Programmer Analyst
> > > > Development Services, University Systems
> > > > 2507218831 | CLE 019 | [email protected]
> > > >
> > > > I respectfully acknowledge that my place of work is located within
> > > > the ancestral, traditional and unceded territory of the Songhees,
> > > > Esquimalt and WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c8be3078f47b1e6e8def33cbc0ee1529ea7d5b9.camel%40wichita.edu.
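
The two log excerpts quoted in the thread differ only in the `source` field, so one way to check which login parameter CAS recorded for each request is to pull that field out of the debug log and group it by service. The Python below is an added example, not part of the original thread and not Apereo CAS code; the sample lines are constructed from the excerpts above (with a placeholder link-protection token and lines already un-wrapped), and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the two log excerpts in the thread; the
# link-protection token is a placeholder.
WRAPPED = ("https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu"
           "%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,PLACEHOLDER,,&typo=1")
SAMPLE_LOG = (
    f"<Built response [...] for [AbstractWebApplicationService(id={WRAPPED}, "
    f"originalUrl={WRAPPED}, artifactId=null, principal=f282c439, source=service, "
    "loggedOutAlready=false, format=XML, attributes={})]>\n"
    f"<Located service [AbstractWebApplicationService(id={WRAPPED}, "
    f"originalUrl={WRAPPED}, artifactId=null, principal=f282c439, source=TARGET, "
    "loggedOutAlready=false, format=XML, attributes={})] from the context>\n"
)

# Per the reply quoted in the thread: TARGET is what the SAML 1.1 login request
# carries, 'service' is the CAS protocol parameter.
PARAM_PROTOCOL = {"TARGET": "SAML 1.1", "service": "CAS protocol"}

# The id itself contains commas, so it is delimited by the following field name.
SERVICE_RE = re.compile(
    r"AbstractWebApplicationService\(id=\s*(?P<id>.+?)\s*,\s*originalUrl=.*?"
    r"principal=(?P<principal>[^,]+),\s*source=(?P<source>\w+)", re.S)

def unwrap(url):
    """Return the URL carried in a linkprotect.cudasvc.com wrapper, else the URL unchanged."""
    parts = urlsplit(url)
    if parts.hostname == "linkprotect.cudasvc.com":
        return parse_qs(parts.query).get("a", [url])[0]
    return url

def service_events(log):
    """Yield (service_url, principal, source) for each service entry in the log text."""
    for m in SERVICE_RE.finditer(log):
        yield unwrap(m["id"]), m["principal"], m["source"]

def mixed_sources(log):
    """Map each service URL seen with more than one `source` value to those values."""
    seen = defaultdict(set)
    for url, _principal, source in service_events(log):
        seen[url].add(source)
    return {url: sorted(srcs) for url, srcs in seen.items() if len(srcs) > 1}

if __name__ == "__main__":
    for url, principal, source in service_events(SAMPLE_LOG):
        print(f"{principal}  {source:8} {PARAM_PROTOCOL.get(source, 'unknown'):13} {url}")
    print("services seen with more than one source:", mixed_sources(SAMPLE_LOG))
```

A service that shows up under both `service` and `TARGET` for the same principal matches the symptom described in the thread: the first request after the ADFS round trip was recorded as a CAS-protocol request, the later one as SAML 1.1.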
