Hi Julien,

Thank you so so much for your explanation.

I believe my previous email was not clear enough, I am sorry about it. The thing is that I have been using CAS 3.0.5 for about two years already with a number of applications integrated and working fine :-) They all communicate with CAS using exactly the steps you described. They are all using the CAS protocol, so the used URLs are:

/cas/login
/cas/serviceValidate

Now, I have a new application that needs to be integrated using the SAML 1.1 protocol. Since it seems clear that CAS 3.0.5 does not support SAML (from my recent post to this mailing list :-) I decided to upgrade to CAS 3.3.1.

My CAS 3.3.1 is working fine. I am able to authenticate against my backend servers (Microsoft Active Directory) just fine using the CAS protocol, with the URLs:

/cas/login
/cas/serviceValidate

What I am not clear about is if the SAML support is working fine :-)

- * - * - * -

Wow Julien, thank you so so much, I followed the steps below to test SAML and my CAS 3.3.1 is working fine :-)

Example (for the record):

1) Login and ticket generation:

https://mycasdomainname/cas/login?service=http://localhost/foo
http://localhost/foo?ticket=ST-1-DvuJvba6fwTP0uydDtuN-cas

Hence, my ticket is: ST-1-DvuJvba6fwTP0uydDtuN-cas

2) SAML validation:

https://mycasdomainname/cas/samlValidate?TARGET=http://localhost/foo&ticket=ST-1-DvuJvba6fwTP0uydDtuN-cas

3) Response:

<SOAP-ENV:Envelope>
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <Response IssueInstant="2009-03-05T01:53:57.398Z" MajorVersion="1" MinorVersion="1" Recipient="http://localhost/foo" ResponseID="_3aed1e4a58dbde84dd9d7815d61e9fb7">
      <Status>
        <StatusCode Value="samlp:Responder"/>
        <StatusMessage>Success</StatusMessage>
      </Status>
    </Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

THANK YOU SO MUCH!
unai

On Wed, 04 Mar 2009 11:12:31 +0100, Julien Gribonvald <[email protected]> wrote:
> Hi,
>
> In my mind you haven't understood how it should work. First you need to
> go to the cas/login url to connect (if not already done), cas will
> transmit a ticket to the service which requested a connection, only
> after that will your application make a request to cas/samlValidate with
> the ticket given by CAS, and only after validation of the ticket by cas
> will you get information...
>
> So on your side you should have configured filters in your web.xml.
>
> You can find an example here:
> http://www.middleware.vt.edu/doku.php?do=export_html&id=middleware:cas:client
>
> Also, when I see this:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:authenticationFailure code='INVALID_REQUEST'>
>     'service' and 'ticket' parameters are both required
>   </cas:authenticationFailure>
> </cas:serviceResponse>
>
> It doesn't tell you that your cas works...
>
> So if you want to check if your login works you should try this (under
> firefox):
>
> - first go to your CAS login:
>   https://your.domain.org/cas/login?service=http://localhost/foo
> - cas should redirect you to your fake url with a ticket in the url,
>   something like this:
>   http://localhost/foo?ticket=ST-158-cuhLZGC43dWFf4VsbJ1r
> - so now go to cas again with the returned url modified like this:
>   https://your.domain.org/cas/serviceValidate?service=http://localhost/foo&ticket=ST-158-cuhLZGC43dWFf4VsbJ1r
>   don't forget to replace the '?' with a '&' and Cas should give you a
>   ticket with your user id, and a success message...
> - If it succeeds you can try to validate the ticket with the
>   samlService with a url like this:
>   https://your.domain.org/cas/samlValidate?TARGET=http://localhost/foo&ticket=ST-158-cuhLZGC43dWFf4VsbJ1r
>   and you will obtain your saml.
>
> Just one thing: the ST ticket is valid for only one validation, and
> the saml returned by CAS doesn't contain attributes with the checking
> process described here.
>
> Julien G.
>
> Unai Rodriguez wrote:
>> Dear All,
>>
>> I have the following CAS setup:
>>
>> - Debian Linux 5.0
>> - Tomcat 5.5.23
>> - Java 1.5.0_08
>> - CAS 3.3.1
>>
>> I need to integrate an application with CAS using SAML 1.1 protocol.
>>
>> Using the CAS protocol, things work fine through the URL:
>>
>> /cas/serviceValidate
>>
>> Now the issue is that when I try to connect using a browser to what I
>> think (not sure yet) is the SAML validation URL:
>>
>> /cas/samlValidate
>>
>> then CAS displays the following exception:
>>
>> http://pastebin.ca/1352524
>>
>> I have been researching online for a while but I am still a bit lost.
>>
>> I am not yet sure to which URL the application should be connecting.
>> From this response it seems that it should be /login --
>> http://tp.its.yale.edu/pipermail/cas/2007-October/006307.html -- while
>> from another entry it seems that the URL should be /samlValidate (sorry,
>> do not have the link it is a recent post from this week, not sure how to
>> link responses from the new archive). Which one should it be?
>>
>> Also, I am not sure if the error that I am getting while taking my
>> browser to /cas/samlValidate means that my CAS is not properly
>> installed. I understood on the CAS mailing list
>> (http://www.mail-archive.com/[email protected]/msg03391.html) that CAS
>> shows the error because the browser is not sending CAS proper SAML 1.1.
>> On the other hand, if I connect to the CAS protocol service validation
>> URL '/cas/serviceValidate' I get this output (i.e. CAS does not throw an
>> exception):
>>
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>   <cas:authenticationFailure code='INVALID_REQUEST'>
>>     'service' and 'ticket' parameters are both required
>>   </cas:authenticationFailure>
>> </cas:serviceResponse>
>>
>> I have been trying to test that SAML is properly set up, I found this
>> couple of links but I am not able to open them:
>>
>> http://www.ja-sig.org/wiki/display/CASC/JASIG+Client+SAML+Saml11TicketValidationFilter+Example
>> xxxx (Oops.. I cannot connect to the WIKI at all right now
>> (http://www.ja-sig.org/wiki/display/CASUM/Home)... It might be down, I
>> will try later.)
>>
>> Would anyone post a link/document with some information on how to set
>> and test SAML?
>>
>> Thank you all so much,
>> unai
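Added example, not part of the original thread or of CAS: one way a client could judge a /cas/samlValidate response by its StatusCode value, its Recipient and the presence of an Assertion carrying a NameIdentifier, instead of by the StatusMessage text. The function name, the namespace declarations in the sample XML and the user name are assumptions; the sample responses are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: namespace declarations and the user name are assumptions.
ENVELOPE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" Recipient="http://localhost/foo">
<samlp:Status><samlp:StatusCode Value="{code}"/>
<samlp:StatusMessage>Success</samlp:StatusMessage></samlp:Status>{assertion}
</samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
ASSERTION = ("<saml:Assertion><saml:AuthenticationStatement><saml:Subject>"
             "<saml:NameIdentifier>unai</saml:NameIdentifier>"
             "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>")


def check_saml11_response(xml_text, expected_recipient):
    """Return (ok, detail); detail is the user id when ok is True."""
    if "<!DOCTYPE" in xml_text:          # no DTDs in a validation response
        return False, "DOCTYPE not allowed"
    root = ET.fromstring(xml_text)
    resp = root.find(".//samlp:Response", NS)
    if resp is None:
        return False, "no samlp:Response"
    if resp.get("Recipient") != expected_recipient:
        return False, "Recipient mismatch"
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value", "") if code is not None else ""
    # Top-level SAML 1.1 codes: Success, VersionMismatch, Requester, Responder.
    # Exact match on the prefixed form (an assumption); StatusMessage is ignored.
    if value != "samlp:Success":
        return False, "status " + (value or "missing")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion"
    name = assertion.find(".//saml:NameIdentifier", NS)
    if name is None or not (name.text or "").strip():
        return False, "no NameIdentifier"
    return True, name.text.strip()


if __name__ == "__main__":
    for code, body in (("samlp:Responder", ""), ("samlp:Success", ASSERTION)):
        print(check_saml11_response(ENVELOPE.format(code=code, assertion=body),
                                    "http://localhost/foo"))
```

The check covers status, recipient and subject only; signature and validity-window checks are outside what this sketch does.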
