I'm still trying to use CAS as a SAML authenticator for my service desk plus 
app. The username has to be in the format: domain\user
I want to use my LDAP sAMAccountName as the user but I don't know how to prepare the 
regexp for domain\sAMAccountName. I have read 
https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html 
and prepared attribute-defns.json:

{
    "@class" : "java.util.TreeMap",
    "userID" : {
      "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
      "key" : "userID",
      "friendlyName" : "userID",
      "patternFormat": "domain\\{0}",
      "attribute" : "sAMAccountName"
    }
}

I load it in my cas.properties:
...
cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attribute-defns.json
...

Here is my SAML app JSON file.

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: fashdfk3289_duhfdsf
  name: serwis
  id: 1616411747419
  proxyTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 2
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    principalIdAttribute: userID
    allowedAttributes:
    [
      java.util.ArrayList
      [
        userID
      ]
    ]
  }
  metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml
  requiredNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  signAssertions: true
  signingCredentialType: X509
}

Can anyone tell me if I'm right?
Friday, 19 March 2021 at 18:45:20 UTC+1, Bartosz Nitkiewicz wrote:

> OK, so 
> https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html#pattern-formats
>  
> would be OK.
> How do I set up CAS to pass the desired attribute? 
>
> I have this in my app.json. Is it OK?
> {
>   @class: org.apereo.cas.support.saml.services.SamlRegisteredService
>   serviceId: MExxx_05efd170-38cd-4893-9631-6891575asa197
>   name: serwis
>   id: 1616175519923
>
>   proxyTicketExpirationPolicy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
>   }
>   serviceTicketExpirationPolicy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
>   }
>   evaluationOrder: 2
>   usernameAttributeProvider:
>   {
>     @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
>     usernameAttribute: sAMAccountName
>
>   }
>   attributeReleasePolicy:
>   {
>     @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>     excludeDefaultAttributes: true
>     authorizedToReleaseAuthenticationAttributes: false
>   }
>   metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml
>   requiredNameIdFormat: org.opensaml.saml.saml2.metadata.impl.NameIDFormatImpl@2afbaa5
>   signAssertions: true
>   signingCredentialType: X509
> }
> Friday, 19 March 2021 at 16:30:44 UTC+1, Ray Bon wrote:
>
>> Bartosz,
>>
>> See 
>> https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html 
>> for modifying attributes.
>>
>> Ray
>>
>> On Fri, 2021-03-19 at 01:47 -0700, Bartosz Nitkiewicz wrote:
>>
>>
>> One more thing. How do I change the LDAP user name from sAMAccountName to 
>> univ\sAMAccountName? Is it possible?
>>
>> Thursday, 18 March 2021 at 14:05:48 UTC+1, Bartosz Nitkiewicz wrote:
>>
>> Thank you once again.
>> As you said, SAML profiles did the trick. It seems to work fine. Now I 
>> have to pass the user name from my LDAP to the SAML SP. First I need to figure out 
>> the proper value for authorization.
>> Regards
>> BN 
>>
>>
>> Wednesday, 17 March 2021 at 19:07:26 UTC+1, richard.frovarp wrote:
>>
>> The IdP automatically generates metadata. And the correct endpoints are 
>> listed on this page, including the metadata endpoint: 
>>
>>
>> https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
>>  
>>
>> Usually with SAML you provide the SP with a copy of your metadata, 
>> ideally loaded from the URL automatically. If you need to provide 
>> separate URLs to the SP, you'll find the correct ones in the metadata 
>> and/or using the paths from documentation. 
>>
>> On Wed, 2021-03-17 at 10:26 -0700, Bartosz Nitkiewicz wrote: 
>> > Hi, 
>> > Thanks for the reply. 
>> > What do you mean by "your IdP generated metadata"? 
>> > 
>> > I did something like this, as they recommended: 
>> > https://help.servicedeskplus.com/saml-authentication$configuration 
>> > 
>> > As loginURL I've provided my https://myserver.org/cas/idp; I don't 
>> > know if it is the correct URL. 
>> > I'm wondering what the Assertion Consumer URL is and where I should place 
>> > it. 
>> > 
>> > Also, I've uploaded my certificate. 
>> > 
>> > My cas.properties for SAML looks like this: 
>> > 
>> > ## SAML2 ## 
>> > 
>> > cas.authn.saml-idp.entity-id: ${cas.server.prefix}/idp 
>> > cas.authn.saml-idp.metadata.location=file:/etc/cas/saml 
>> > 
>> > and service registry for app: 
>> > 
>> > { 
>> > @class: org.apereo.cas.support.saml.services.SamlRegisteredService 
>> > serviceId: MExx_6d2ea86d-b4e1-4473-8d4b-7a1378964e8b 
>> > name: serwisapp 
>> > id: 1615981648113 
>> > proxyTicketExpirationPolicy: 
>> > { 
>> > @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy 
>> > } 
>> > serviceTicketExpirationPolicy: 
>> > { 
>> > @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy 
>> > } 
>> > evaluationOrder: 2 
>> > attributeReleasePolicy: 
>> > { 
>> > @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy 
>> > excludeDefaultAttributes: true 
>> > authorizedToReleaseAuthenticationAttributes: false 
>> > } 
>> > metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml <- (this 
>> > is correct as the cas-management app creates this directory) 
>> > requiredAuthenticationContextClass: 
>> > urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 
>> > requiredNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:transient 
>> > nameIdQualifier: "" 
>> > signAssertions: true 
>> > signingCredentialType: X509 
>> > assertionAudiences: https://servicedeskplus.com/SamlResponseServlet 
>> > } 
>> > 
>> > Regards, 
>> > BN 
>> > 
>> > Wednesday, 17 March 2021 at 16:49:11 UTC+1, richard.frovarp wrote: 
>> > > Did you provide the app your IdP generated metadata or provide the 
>> > > SP with the information in a different method? As that's the wrong 
>> > > end point for the SP to be sending you to: 
>> > > 
>> > > 
>> https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
>>  
>> > > 
>> > > On Wed, 2021-03-17 at 06:21 -0700, Bartosz Nitkiewicz wrote: 
>> > > > Hi, 
>> > > > Another day, another CAS problem :) 
>> > > > I'm trying to authenticate the servicedeskplus.com application 
>> > > > through the SAML protocol. 
>> > > > I've compiled cas-server-support-saml-idp into my CAS app and 
>> > > > added a service registry in the CAS-Management app. I used the XML file 
>> > > > from servicedesk. 
>> > > > 
>> > > > Everything seems to work, but when I want to authenticate 
>> > > > servicedesk it redirects me to this: 
>> > > > 
>> > > > 
>> https://myserver.org/cas/idp?SAMLRequest=fZJfb5swFMWf10%2BBeDdgCCFYSaS02bRI7YaSbA97qRz70loCm%2FmadNunn01XtdWkvB6f3%2F1zrpfI%2B25gm9E96j38HAFddBX96juNbHpaxaPVzHBUyDTvAZkT7LC5u2V5krHBGmeE6eJ30GWGI4J1yugA7bar%2BO7j%2FYwLSSWn5NSWOZnRuiQLkUsyP0EhOM9o3s6D%2FTtY9OQq9oUmHHGEnUbHtfNillOSFYRWR1owmrGy%2BhFcjTVnJcF%2B8bOEds9k4wdRZy%2B0vEMIWrT16yvN3dTi0bkBWZo6LwqOySj%2BQKcVT8anPgE5JkOXej1VcvjXZIriWmmp9MPlDE7PJmSfj8eGNF8Px1Bi85LMjdE49mAPYM9KwLf97es43vKk8O0QBx%2F5HnDwEASiAxevr6IPy3ALNkVk1z7krIRW0iojxUJIMlvUBannBSXzRU3LquSc1tUyfQu9FBlYiG63bUynxO%2Fok7E9d5c3DIqSpJ2sbAh3QwfaxVE6lU3%2F%2F3jrvw%3D%3D
>>  
>> > > > 
>> > > > service.xml as attachment (without real cert) 
>> > > > 
>> > > > Please help me. 
>> > > > 
>> > > > 
>> > > > 
>>
>>
>> -- 
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 <(250)%20721-8831> | CLE 019 | [email protected]
>>
>> I respectfully acknowledge that my place of work is located within the 
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
>> WSÁNEĆ Nations.
>>
>

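richard.frovarp's advice in the thread is to take the SP-side settings (loginURL and friends) from the IdP's own metadata rather than guessing them, and he points out that the bare https://myserver.org/cas/idp URL the SP was redirecting to is not the right endpoint. The script below is an added example, not code from the thread or from the CAS project: it parses a constructed IdP metadata document with the Python standard library, reports the entityID, the SingleSignOnService URL per binding (the value an SP's loginURL field wants), the advertised NameID formats and the signing certificate, and checks that a candidate URL is actually an advertised SSO endpoint. The hostname, the endpoint paths and the certificate in the sample are assumptions for illustration only.

```python
"""Pull the endpoints an SP needs out of SAML IdP metadata (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata. The hostname, entityID, endpoint paths and
# certificate are placeholders assumed for this example, not values from any
# real deployment.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://myserver.org/cas/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myserver.org/cas/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://myserver.org/cas/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints per binding, NameID formats and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata carries an SPSSODescriptor instead; handing that to an SP
        # is a common mix-up and yields no login URL at all.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing
        # and encryption, so it counts as a signing key too.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # drop PEM line breaks
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso,
            "nameid_formats": formats, "signing_certs": certs}


def login_url(meta: dict, binding: str = POST_BINDING) -> str:
    """The URL the SP should send users to; fails loudly if the binding is absent."""
    if binding not in meta["sso"]:
        raise ValueError("IdP offers no SingleSignOnService for %s" % binding)
    return meta["sso"][binding]


def is_sso_endpoint(meta: dict, url: str) -> bool:
    """True only if url is an advertised SSO endpoint; the entityID itself is not one."""
    return url in meta["sso"].values()


if __name__ == "__main__":
    m = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", m["entity_id"])
    print("loginURL (HTTP-POST):", login_url(m))
    print("NameID formats:", ", ".join(m["nameid_formats"]))
    print("entityID usable as loginURL?", is_sso_endpoint(m, m["entity_id"]))
```

Run it against the metadata your IdP actually serves (save the document from its metadata endpoint and pass the text to parse_idp_metadata) to get the value to paste into the SP's loginURL field; comparing the signing certificate it reports with the one uploaded to the SP catches a stale certificate before the SP rejects the signed assertion.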
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.