Do you have any logs on the Google side? From the CAS side it looks like it's
working.


On Tue, Aug 3, 2010 at 10:38 PM, Patrick O'Connor <[email protected]> wrote:

> If I spit out the SAML response before it is signed...
>
> <SAML Response: <samlp:Response
>     ID="mfccfaigkbmefihadiaapfhcbomdanehphogadnk"
>     IssueInstant="2010-08-03T15:34:57Z" Version="2.0"
>     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>   <samlp:Status>
>     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>   </samlp:Status>
>   <Assertion ID="dopkddaknljenfoedeilminkhcdpbcfgpheahlpc"
>       IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
>       xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>     <Issuer>https://www.opensaml.org/IDP</Issuer>
>     <Subject>
>       <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">coyotej</NameID>
>       <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <SubjectConfirmationData Recipient="https://www.google.com/a/domain.edu/acs"
>             NotOnOrAfter="2011-08-03T15:34:57Z"
>             InResponseTo="kmoggafpialfgjioldcingippdjmbichhgnjnacj"/>
>       </SubjectConfirmation>
>     </Subject>
>     <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2011-08-03T15:34:57Z">
>       <AudienceRestriction>
>         <Audience>https://www.google.com/a/domain.edu/acs</Audience>
>       </AudienceRestriction>
>     </Conditions>
>     <AuthnStatement AuthnInstant="2010-08-03T15:34:57Z">
>       <AuthnContext>
>         <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
>       </AuthnContext>
>     </AuthnStatement>
>   </Assertion>
> </samlp:Response>>
>
> Yet Google returns a blank page when using 3.4.2.1
>
>
> ----- Reply message -----
> From: "Scott Battaglia" <[email protected]>
> Date: Tue, Aug 3, 2010 6:48 pm
> Subject: [cas-user] Google Apps Attribute Mapping
> To: <[email protected]>
>
> Does the generated SAML response show it?  If so, then you're sending it
> properly.
>
>
> On Tue, Aug 3, 2010 at 6:08 PM, Patrick O'Connor <[email protected]> wrote:
>
>> Hello All,
>>
>> Could someone please verify the following? I am trying to map an
>> AlternateUsername to Google.
>>
>> I can verify that in GoogleAccountsService.java the SAML response is
>> being created with the correctly mapped attribute, meaning the LDAP/attribute
>> repository/resolvers all seem to be configured correctly; the
>> argumentExtractor also seems to be pulling the alternateUsername correctly.
>> Please see below:
>>
>>
>>
>>     private String constructSamlResponse() {
>>         String samlResponse = TEMPLATE_SAML_RESPONSE;
>>
>>         // NotOnOrAfter is set to one year from now
>>         final Calendar c = Calendar.getInstance();
>>         c.setTime(new Date());
>>         c.add(Calendar.YEAR, 1);
>>
>>         // Use the configured alternate attribute as the NameID, falling back to the principal id
>>         final String userId;
>>         log.debug("AlternameUserName: " + this.alternateUserName);
>>         if (this.alternateUserName == null) {
>>             userId = getPrincipal().getId();
>>         } else {
>>             final String attributeValue = (String) getPrincipal().getAttributes().get(this.alternateUserName);
>>             log.debug("AttributeValue of alternateusername: " + attributeValue);
>>             if (attributeValue == null) {
>>                 userId = getPrincipal().getId();
>>             } else {
>>                 userId = attributeValue;
>>             }
>>         }
>>         log.debug("UserId value: " + userId);
>>
>>         // Fill the template placeholders by plain string substitution
>>         samlResponse = samlResponse.replace("<USERNAME_STRING>", userId);
>>         samlResponse = samlResponse.replace("<RESPONSE_ID>", createID());
>>         samlResponse = samlResponse.replace("<ISSUE_INSTANT>", SamlUtils.getCurrentDateAndTime());
>>         samlResponse = samlResponse.replace("<AUTHN_INSTANT>", SamlUtils.getCurrentDateAndTime());
>>         samlResponse = samlResponse.replaceAll("<NOT_ON_OR_AFTER>", SamlUtils.getFormattedDateAndTime(c.getTime()));
>>         samlResponse = samlResponse.replace("<ASSERTION_ID>", createID());
>>         samlResponse = samlResponse.replaceAll("<ACS_URL>", getId());
>>         samlResponse = samlResponse.replace("<REQUEST_ID>", this.requestId);
>>
>>         return samlResponse;
>>     }
>>
>>
>>
>> The extra log.debug lines allowed me to see that the correct values are
>> indeed getting populated. The final result is my application redirecting me
>> to a URL in the form of https://www.google.com/a/domain.edu/acs, but the
>> page is blank… From the start, I haven't changed any of the configurations,
>> but still fail to get the attribute mapping/SAML responses to Google
>> correctly. Here is some of the cas.log during this process.
>>
>>
>>
>> 2010-08-03 14:49:07,886 DEBUG
>> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not
>> generate service.>
>>
>> 2010-08-03 14:49:07,887 DEBUG
>> [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not
>> generate service.>
>>
>> 2010-08-03 14:49:07,897 DEBUG
>> [org.jasig.cas.web.support.GoogleAccountsArgumentExtractor] - <Extractor
>> generated service for: https://www.google.com/a/domain.edu/acs>
>>
>> 2010-08-03 14:49:07,898 DEBUG
>> [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Placing service in
>> FlowScope: https://www.google.com/a/domain.edu/acs>
>>
>> 2010-08-03 14:49:17,894 DEBUG
>> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing
>> LDAP bind with credential: uid=000226420,ou=people,dc=domain,dc=edu>
>>
>> 2010-08-03 14:49:18,017 INFO
>> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
>> <AuthenticationHandler:
>> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
>> authenticated the user which provided the following credentials: [username:
>> 000226420]>
>>
>> 2010-08-03 14:49:18,018 DEBUG
>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>> - <Attempting to resolve a principal...>
>>
>> 2010-08-03 14:49:18,018 DEBUG
>> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>> - <Attempting to resolve a principal...>
>>
>> 2010-08-03 14:49:18,019 DEBUG
>> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>> - <Creating SimplePrincipal for [000226420]>
>>
>> 2010-08-03 14:49:18,019 DEBUG
>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>> - <Resolved 000226420. Trying LDAP resolve now...>
>>
>> 2010-08-03 14:49:18,019 DEBUG
>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>> - <LDAP search with filter "(uid=000226420)">
>>
>> 2010-08-03 14:49:18,019 DEBUG
>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>> - <returning searchcontrols: scope=2; search
>> base=ou=people,dc=domain,dc=edu; attributes=[uid]; timeout=1000>
>>
>> 2010-08-03 14:49:18,139 DEBUG
>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>> - <CredentialResolver attribute: uid: 000226420>
>>
>> 2010-08-03 14:49:18,140 DEBUG
>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>> - <Resolved 000226420 to 000226420>
>>
>> 2010-08-03 14:49:18,140 DEBUG
>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>> - <Creating SimplePrincipal for [000226420]>
>>
>> 2010-08-03 14:49:18,140 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>> <Created seed map='{username=[000226420]}' for uid='000226420'>
>>
>> 2010-08-03 14:49:18,141 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Adding
>> attribute 'uid' with value '[000226420]' to query builder 'null'>
>>
>> 2010-08-03 14:49:18,141 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>> <Generated query builder '(uid=000226420)' from query Map
>> {username=[000226420]}.>
>>
>> 2010-08-03 14:49:18,271 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Query
>> Result Size: 1>
>>
>> 2010-08-03 14:49:18,272 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>> <QueryUserName in For Loop: 000226420>
>>
>> 2010-08-03 14:49:18,272 DEBUG
>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Query
>> People Attributes:
>> [CaseInsensitiveNamedPersonImpl[name=000226420,attributes={domainEduPersonAltUid=[coyotej]}]]>
>>
>> 2010-08-03 14:49:18,273 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
>> [TGT-2-IBZxI5sOdCVMuLP5Z3YAM27i4e9rhrEn9XHymsYK0WZZ2taIB7-cas] to registry.>
>>
>> 2010-08-03 14:49:18,274 DEBUG
>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed
>> cookie with name [CASPRIVACY]>
>>
>> 2010-08-03 14:49:18,276 DEBUG
>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie
>> with name [CASTGC] and value
>> [TGT-2-IBZxI5sOdCVMuLP5Z3YAM27i4e9rhrEn9XHymsYK0WZZ2taIB7-cas]>
>>
>> 2010-08-03 14:49:18,277 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket
>> [TGT-2-IBZxI5sOdCVMuLP5Z3YAM27i4e9rhrEn9XHymsYK0WZZ2taIB7-cas]>
>>
>> 2010-08-03 14:49:18,277 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
>> [TGT-2-IBZxI5sOdCVMuLP5Z3YAM27i4e9rhrEn9XHymsYK0WZZ2taIB7-cas] found in
>> registry.>
>>
>> 2010-08-03 14:49:18,279 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
>> [ST-2-Ac2CVEeJJtfKrAf4Vo5a-cas] to registry.>
>>
>> 2010-08-03 14:49:18,279 INFO
>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
>> [ST-2-Ac2CVEeJJtfKrAf4Vo5a-cas] for service [
>> https://www.google.com/a/domain.edu/acs] for user [000226420]>
>>
>> 2010-08-03 14:49:18,282 DEBUG
>> [org.jasig.cas.authentication.principal.GoogleAccountsService] -
>> <AlternameUserName: domainEduPersonAltUid>
>>
>> 2010-08-03 14:49:18,282 DEBUG
>> [org.jasig.cas.authentication.principal.GoogleAccountsService] -
>> <AttributeValue of alternateusername: coyotej>
>>
>> 2010-08-03 14:49:18,282 DEBUG
>> [org.jasig.cas.authentication.principal.GoogleAccountsService] - <UserId
>> value: coyotej>
>>
>>
>>
>> Anyone experience anything similar?
>>
>> Patrick O'Connor
>> Operating Systems Analyst
>> Administrative Computing Services &
>> Common Management System,
>> California State University, San Bernardino
>> Office: (909) 537-5000 Ext: 73758
>> Email: [email protected]
>>
>>
>>
>> --
>> You are currently subscribed to [email protected] as: 
>> [email protected]
>>
>>
>>
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>

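As an added example (not CAS code and not from anyone in this thread), a Python check one can run over the unsigned response printed above before it is POSTed to the ACS: it parses the XML, confirms that the NameID, the SubjectConfirmationData Recipient and the Audience are consistent with the expected ACS URL, and XML-escapes the substituted values, which the posted replace() calls insert verbatim. The template is constructed to mirror the posted response, and the function names and the expected-ACS parameter are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed template shaped like the unsigned response printed in the thread (same IDs and dates).
TEMPLATE = (
    '<samlp:Response ID="mfccfaigkbmefihadiaapfhcbomdanehphogadnk" IssueInstant="2010-08-03T15:34:57Z" '
    'Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<Assertion ID="dopkddaknljenfoedeilminkhcdpbcfgpheahlpc" IssueInstant="2003-04-17T00:46:02Z" '
    'Version="2.0"><Issuer>https://www.opensaml.org/IDP</Issuer><Subject>'
    '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">{user}</NameID>'
    '<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData '
    'Recipient="{acs}" NotOnOrAfter="2011-08-03T15:34:57Z" '
    'InResponseTo="kmoggafpialfgjioldcingippdjmbichhgnjnacj"/></SubjectConfirmation></Subject>'
    '<Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2011-08-03T15:34:57Z">'
    '<AudienceRestriction><Audience>{acs}</Audience></AudienceRestriction></Conditions>'
    '</Assertion></samlp:Response>')

def render(user, acs):
    """Fill the template as CAS does with replace(), but XML-escape the values first (assumed helper)."""
    return TEMPLATE.format(user=escape(user), acs=escape(acs))

def check_saml_response(xml_text, expected_acs):
    """Return the consistency problems found; an empty list means the response looks sane."""
    root = ET.fromstring(xml_text)  # ParseError here means a substituted value broke the XML
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion element"]
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format", "").endswith(":emailAddress") and "@" not in name_id.text:
        problems.append("NameID Format is emailAddress but value %r has no '@'" % name_id.text)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        problems.append("SubjectConfirmationData Recipient is not the expected ACS URL")
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_acs not in audiences:
        problems.append("Audience does not include the expected ACS URL")
    cond = a.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore", "") >= cond.get("NotOnOrAfter", ""):
        problems.append("Conditions window is empty or inverted")  # UTC 'Z' stamps compare lexically
    return problems
```

Run against the posted response, the only finding is that the NameID value "coyotej" is not shaped like the emailAddress format it declares; an unescaped value containing "<" fails to parse at all.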