Hi there.

I want to use my custom CAS instance (v6.4.4.1) as an IdP for Azure AD. I would like to authenticate users from a certain domain, which I configure in Azure AD, against my CAS.

It's necessary to configure the integration through the WS-Fed protocol (not SAML), because the authentication would happen during the users' login on their Windows laptops.

I configured my CAS as follows:

        1. Enabling the following dependencies in the build.gradle file:

                compile "org.apereo.cas:cas-server-support-ws-sts:${casServerVersion}"
                compile "org.apereo.cas:cas-server-support-ws-idp:${casServerVersion}"

        2. Including the following properties in the cas.properties file:

                #################
                # Ws Federation #
                #################
                cas.authn.wsfed-idp.idp.realm=urn:org:apereo:cas:ws:idp:realm-CAS
                cas.authn.wsfed-idp.idp.realm-name=CAS

                cas.authn.wsfed-idp.sts.signing-keystore-file=/etc/cas/ws/ststrust.jks
                cas.authn.wsfed-idp.sts.signing-keystore-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.encryption-keystore-file=/etc/cas/config/stsencrypt.jks
                cas.authn.wsfed-idp.sts.encryption-keystore-password=<PASSWORD>

                cas.authn.wsfed-idp.sts.subject-name-id-format=unspecified
                cas.authn.wsfed-idp.sts.subject-name-qualifier=http://cxf.apache.org/sts
                cas.authn.wsfed-idp.sts.encrypt-tokens=true
                cas.authn.wsfed-idp.sts.sign-tokens=true

                cas.authn.wsfed-idp.sts.conditions-accept-client-lifetime=true
                cas.authn.wsfed-idp.sts.conditions-fail-lifetime-exceedance=false
                cas.authn.wsfed-idp.sts.conditions-future-time-to-live=PT60S
                cas.authn.wsfed-idp.sts.conditions-lifetime=PT30M
                cas.authn.wsfed-idp.sts.conditions-max-lifetime=PT12H

                cas.authn.wsfed-idp.sts.realm.keystore-file=/etc/cas/ws/stscasrealm.jks
                cas.authn.wsfed-idp.sts.realm.keystore-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.realm.keystore-alias=<CUSTOM_CAS_ALIAS>
                cas.authn.wsfed-idp.sts.realm.key-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.realm.issuer=CAS

        3. CAS MongoDB client (registered service document; the stray ";" after the two URL values, a mail-client artifact, has been removed so the JSON is valid):

                {
                    "_id" : 290,
                    "_class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
                    "serviceId" : "https://login.microsoftonline.com/login.srf",
                    "realm" : "urn:federation:MicrosoftOnline",
                    "name" : "WSFED",
                    "attributeReleasePolicy" : {
                        "_class" : "org.apereo.cas.ws.idp.services.WSFederationClaimsReleasePolicy",
                        "allowedAttributes" : {
                            "EMAIL_ADDRESS_2005" : [ "email" ],
                            "GIVEN_NAME" : [ "givenName" ],
                            "COMMON_NAME" : [ "cn" ],
                            "SURNAME" : [ "sn" ],
                            "PUID" : [ "uid" ]
                        }
                    },
                    "tokenType" : "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                }

        4. After that, the following services became available on my CAS web instance:

                https://<CUSTOM_CAS_ALIAS>/cas/ws/idpmetadata
                https://<CUSTOM_CAS_ALIAS>/cas/ws/idp/federation
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl=ws-trust-1.4.wsdl


I don't know much about the WS-Fed protocol, and looking for a login service URL in https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl I didn't find any clue.

*Do you know which CAS WS-Fed login service URL needs to be used for this purpose?* I tried https://<CUSTOM_CAS_ALIAS>/cas/ws/idp/federation (the CAS documentation says "Endpoint to receive initial GET authentication requests from clients, typically identified as the issuer." at https://apereo.github.io/cas/6.3.x/protocol/WS-Federation-Protocol.html). But when Microsoft attempts to redirect to CAS I get the message "Application Not Authorized to Use CAS". CAS logs this message at that point:


2022-01-19 16:11:38,419 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2022-01-19 16:11:51,856 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [null] is not found in service registry.>
2022-01-19 16:12:35,203 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [25] service(s) from [JsonServiceRegistry,MongoDbServiceRegistry].>


*Probably I need to configure the CAS MongoDB client better? Do I need to use another CAS WS-Fed login service URL? Some other issue?*

Thanks so much for your support!

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8cfe9b1c-fd3d-456f-a2b4-52747ea53843n%40apereo.org.
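Added illustration (not code from the poster or from CAS itself) of what a WS-Federation passive sign-in request to the /cas/ws/idp/federation endpoint carries, and how a relying party can be matched against the registry entry quoted in the post. The parameter names wa, wtrealm and wreply come from the WS-Federation passive requestor profile; the matching logic is an assumption made for illustration, not CAS's own resolution code. It shows why a request that arrives without a relying-party identity resolves to no service at all, which is the shape of the "Service [null]" warning in the log.

```python
import re
from urllib.parse import parse_qs, urlencode

# Registry entry copied from the post's MongoDB document (only the fields used here).
REGISTERED_SERVICES = [
    {"serviceId": "https://login.microsoftonline.com/login.srf",
     "realm": "urn:federation:MicrosoftOnline",
     "name": "WSFED"},
]

# Constructed placeholder for the post's <CUSTOM_CAS_ALIAS> host.
IDP_FEDERATION_ENDPOINT = "https://cas.example.test/cas/ws/idp/federation"


def build_signin_request(wtrealm, wreply, wctx=None):
    """Build the passive sign-in URL a relying party redirects the browser to."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wreply": wreply}
    if wctx:
        params["wctx"] = wctx          # opaque state echoed back to the relying party
    return IDP_FEDERATION_ENDPOINT + "?" + urlencode(params)


def resolve_service(request_url, registry=REGISTERED_SERVICES):
    """Return the registry entry the request identifies, or None (illustrative matching)."""
    query = request_url.partition("?")[2]
    q = parse_qs(query)
    if q.get("wa", [None])[0] != "wsignin1.0":
        return None                    # not a sign-in request at all
    wtrealm = q.get("wtrealm", [None])[0]
    wreply = q.get("wreply", [None])[0]
    if not wtrealm or not wreply:
        return None                    # no relying-party identity: nothing to look up
    for svc in registry:
        # serviceId values in a CAS registry are patterns; anchor the match so a
        # reply URL that merely starts with the registered value is not accepted.
        if svc["realm"] == wtrealm and re.fullmatch(svc["serviceId"], wreply):
            return svc
    return None                        # unknown realm or reply URL: deny


if __name__ == "__main__":
    ok = build_signin_request("urn:federation:MicrosoftOnline",
                              "https://login.microsoftonline.com/login.srf")
    print(ok)
    print(resolve_service(ok)["name"])                  # WSFED
    print(resolve_service(IDP_FEDERATION_ENDPOINT))     # None: bare GET, no wtrealm/wreply
```

A bare GET to the federation endpoint, with no wa/wtrealm/wreply, is exactly the case that resolves to None here; a real WS-Fed relying party always sends those parameters on its redirect.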

Reply via email to