Sorry, you had made it sound like it had successfully redirected so I hadn't
even thought of that!

I'll add a note.

Cheers,
Scott


On Wed, Aug 4, 2010 at 3:07 PM, Patrick O'Connor <[email protected]> wrote:

> My issues seemed to be fixed by following
>
> https://issues.jasig.org/browse/CAS-868
>
> Perhaps a note on the wiki would save others using 3.4 some time when
> using Google Apps.
>
> Regards,
> Patrick
>
> ----- Reply message -----
> From: "Scott Battaglia" <[email protected]>
> Date: Tue, Aug 3, 2010 8:58 pm
>
> Subject: [cas-user] Google Apps Attribute Mapping
> To: <[email protected]>
> Cc: <[email protected]>
>
>
> Do you have any logs on the Google side? From the CAS side it looks like
> it's working.
>
>
> On Tue, Aug 3, 2010 at 10:38 PM, Patrick O'Connor <[email protected]> wrote:
>
>> If I spit out the SAML response before it is signed...
>>
>> <SAML Response: <samlp:Response
>> ID="mfccfaigkbmefihadiaapfhcbomdanehphogadnk"
>> IssueInstant="2010-08-03T15:34:57Z" Version="2.0"
>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><samlp:Status><samlp:StatusCode
>> Value="urn:oasis:names:tc:SAML:2.0:status:Success"
>> /></samlp:Status><Assertion ID="dopkddaknljenfoedeilminkhcdpbcfgpheahlpc"
>> IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>
>> https://www.opensaml.org/IDP</Issuer><Subject><NameID
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">coyotej</NameID><SubjectConfirmation
>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
>> Recipient="https://www.google.com/a/domain.edu/acs"
>> NotOnOrAfter="2011-08-03T15:34:57Z"
>> InResponseTo="kmoggafpialfgjioldcingippdjmbichhgnjnacj"
>> /></SubjectConfirmation></Subject><Conditions
>> NotBefore="2003-04-17T00:46:02Z"
>> NotOnOrAfter="2011-08-03T15:34:57Z"><AudienceRestriction><Audience>
>> https://www.google.com/a/domain.edu/acs</Audience></AudienceRestriction></Conditions><AuthnStatement
>> AuthnInstant="2010-08-03T15:34:57Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>>
>>
>> Yet Google returns a blank page when using 3.4.2.1
>>
>>
>> ----- Reply message -----
>> From: "Scott Battaglia" <[email protected]>
>> Date: Tue, Aug 3, 2010 6:48 pm
>> Subject: [cas-user] Google Apps Attribute Mapping
>> To: <[email protected]>
>>
>> Does the generated SAML response show it?  If so, then you're sending it
>> properly.
>>
>>
>> On Tue, Aug 3, 2010 at 6:08 PM, Patrick O'Connor <[email protected]> wrote:
>>
>>> Hello All,
>>>
>>>
>>>
>>> Could someone please verify the following? I am trying to map an
>>> AlternateUsername to Google.
>>>
>>> I can verify that in GoogleAccountsService.java, the SAML response is
>>> being created with the correctly mapped attribute, meaning LDAP/attribute
>>> repository/resolvers seem to all be configured correctly. Also, the
>>> argumentExtractor seems to be pulling the alternateUsername correctly;
>>> please see below:
>>>
>>>
>>>
>>>     private String constructSamlResponse() {
>>>         String samlResponse = TEMPLATE_SAML_RESPONSE;
>>>
>>>         final Calendar c = Calendar.getInstance();
>>>         c.setTime(new Date());
>>>         c.add(Calendar.YEAR, 1);
>>>
>>>         final String userId;
>>>         log.debug("AlternameUserName: " + this.alternateUserName);
>>>         if (this.alternateUserName == null) {
>>>             userId = getPrincipal().getId();
>>>         } else {
>>>             final String attributeValue = (String) getPrincipal().getAttributes().get(this.alternateUserName);
>>>             log.debug("AttributeValue of alternateusername: " + attributeValue);
>>>             if (attributeValue == null) {
>>>                 userId = getPrincipal().getId();
>>>             } else {
>>>                 userId = attributeValue;
>>>             }
>>>         }
>>>         log.debug("UserId value: " + userId);
>>>
>>>         samlResponse = samlResponse.replace("<USERNAME_STRING>", userId);
>>>         samlResponse = samlResponse.replace("<RESPONSE_ID>", createID());
>>>         samlResponse = samlResponse.replace("<ISSUE_INSTANT>", SamlUtils.getCurrentDateAndTime());
>>>         samlResponse = samlResponse.replace("<AUTHN_INSTANT>", SamlUtils.getCurrentDateAndTime());
>>>         samlResponse = samlResponse.replaceAll("<NOT_ON_OR_AFTER>", SamlUtils.getFormattedDateAndTime(c.getTime()));
>>>         samlResponse = samlResponse.replace("<ASSERTION_ID>", createID());
>>>         samlResponse = samlResponse.replaceAll("<ACS_URL>", getId());
>>>         samlResponse = samlResponse.replace("<REQUEST_ID>", this.requestId);
>>>
>>>         return samlResponse;
>>>     }
>>>
>>>
>>>
>>> The extra log.debug lines allowed me to see that the correct values are
>>> indeed getting populated. The final result is my application redirecting me
>>> to a URL in the form of https://www.google.com/a/domain.edu/acs but the
>>> page is blank… From the start, I haven't changed any of the configurations,
>>> but still fail to get the attribute mapping/SAML responses to Google
>>> correctly. Here is some of the cas.log during this process.
>>>
>>>
>>>
>>> 2010-08-03 14:49:07,886 DEBUG
>>> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not
>>> generate service.>
>>>
>>> 2010-08-03 14:49:07,887 DEBUG
>>> [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not
>>> generate service.>
>>>
>>> 2010-08-03 14:49:07,897 DEBUG
>>> [org.jasig.cas.web.support.GoogleAccountsArgumentExtractor] - <Extractor
>>> generated service for: https://www.google.com/a/domain.edu/acs>
>>>
>>> 2010-08-03 14:49:07,898 DEBUG
>>> [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Placing service in
>>> FlowScope: https://www.google.com/a/domain.edu/acs>
>>>
>>> 2010-08-03 14:49:17,894 DEBUG
>>> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing
>>> LDAP bind with credential: uid=000226420,ou=people,dc=domain,dc=edu>
>>>
>>> 2010-08-03 14:49:18,017 INFO
>>> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
>>> <AuthenticationHandler:
>>> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
>>> authenticated the user which provided the following credentials: [username:
>>> 000226420]>
>>>
>>> 2010-08-03 14:49:18,018 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <Attempting to resolve a principal...>
>>>
>>> 2010-08-03 14:49:18,018 DEBUG
>>> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>>> - <Attempting to resolve a principal...>
>>>
>>> 2010-08-03 14:49:18,019 DEBUG
>>> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>>> - <Creating SimplePrincipal for [000226420]>
>>>
>>> 2010-08-03 14:49:18,019 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <Resolved 000226420. Trying LDAP resolve now...>
>>>
>>> 2010-08-03 14:49:18,019 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <LDAP search with filter "(uid=000226420)">
>>>
>>> 2010-08-03 14:49:18,019 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <returning searchcontrols: scope=2; search
>>> base=ou=people,dc=domain,dc=edu; attributes=[uid]; timeout=1000>
>>>
>>> 2010-08-03 14:49:18,139 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <CredentialResolver attribute: uid: 000226420>
>>>
>>> 2010-08-03 14:49:18,140 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <Resolved 000226420 to 000226420>
>>>
>>> 2010-08-03 14:49:18,140 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <Creating SimplePrincipal for [000226420]>
>>>
>>> 2010-08-03 14:49:18,140 DEBUG
>>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>>> <Created seed map='{username=[000226420]}' for uid='000226420'>
>>>
>>> 2010-08-03 14:49:18,141 DEBUG
>>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Adding
>>> attribute 'uid' with value '[000226420]' to query builder 'null'>
>>>
>>> 2010-08-03 14:49:18,141 DEBUG
>>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>>> <Generated query builder '(uid=000226420)' from query Map
>>> {username=[000226420]}.>
>>>
>>> 2010-08-03 14:49:18,271 DEBUG
>>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Query
>>> Result Size: 1>
>>>
>>> 2010-08-03 14:49:18,272 DEBUG
>>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
>>> <QueryUserName in For Loop: 000226420>
>>>
>>> 2010-08-03 14:49:18,272 DEBUG
>>> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Query
>>> People Attributes:
>>> [CaseInsensitiveNamedPersonImpl[name=000226420,attributes={domainEduPersonAltUid=[coyotej]}]]>
>>>
>>> 2010-08-03 14:49:18,273 DEBUG
>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
>>> [TGT-2-IBZxI5sOdCVMuLP5Z3YAM27i4e9rhrEn9XHymsYK0WZZ2taIB7-cas] to registry.>
>>>
>>> 2010-08-03 14:49:18,274 DEBUG
>>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed
>>> cookie with name [CASPRIVACY]>
>>>
>>> 2010-08-03 14:49:18,276 DEBUG
>>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie
>>> with name [CASTGC] and value
>>> [TGT-2-IBZxI5sOdCVMuLP5Z3YAM27i4e9rhrEn9XHymsYK0WZZ2taIB7-cas]>
>>>
>>> 2010-08-03 14:49:18,277 DEBUG
>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>>> retrieve ticket
>>> [TGT-2-IBZxI5sOdCVMuLP5Z3YAM27i4e9rhrEn9XHymsYK0WZZ2taIB7-cas]>
>>>
>>> 2010-08-03 14:49:18,277 DEBUG
>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
>>> [TGT-2-IBZxI5sOdCVMuLP5Z3YAM27i4e9rhrEn9XHymsYK0WZZ2taIB7-cas] found in
>>> registry.>
>>>
>>> 2010-08-03 14:49:18,279 DEBUG
>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
>>> [ST-2-Ac2CVEeJJtfKrAf4Vo5a-cas] to registry.>
>>>
>>> 2010-08-03 14:49:18,279 INFO
>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
>>> [ST-2-Ac2CVEeJJtfKrAf4Vo5a-cas] for service [
>>> https://www.google.com/a/domain.edu/acs] for user [000226420]>
>>>
>>> 2010-08-03 14:49:18,282 DEBUG
>>> [org.jasig.cas.authentication.principal.GoogleAccountsService] -
>>> <AlternameUserName: domainEduPersonAltUid>
>>>
>>> 2010-08-03 14:49:18,282 DEBUG
>>> [org.jasig.cas.authentication.principal.GoogleAccountsService] -
>>> <AttributeValue of alternateusername: coyotej>
>>>
>>> 2010-08-03 14:49:18,282 DEBUG
>>> [org.jasig.cas.authentication.principal.GoogleAccountsService] - <UserId
>>> value: coyotej>
>>>
>>>
>>>
>>> Anyone experience anything similar?
>>>
>>>
>>>
>>>
>>>
>>> Patrick O’Connor
>>>
>>> *Operating Systems Analyst*
>>>
>>> Administrative Computing Services &
>>>
>>> Common Management System,
>>>
>>> California State University, San Bernardino
>>> Office: (909) 537-5000 Ext: 73758
>>> Email: *[email protected]*
>>>
>>>
>>>
>>> --
>>> You are currently subscribed to [email protected] as: 
>>> [email protected]
>>>
>>>
>>>
>>>
>>>
>>> To unsubscribe, change settings or access archives, see 
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>>
>
>
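Added example, not part of the thread or of CAS: a small Python lint for an unsigned SAML response like the one quoted above, reporting an assertion IssueInstant that differs from the response's, the one-year bearer validity window produced by `c.add(Calendar.YEAR, 1)`, and a NameID that declares the emailAddress format without an "@". The 10-minute validity limit and 5-minute skew are assumptions, the sample is constructed from the quoted response, and the findings are observations rather than a diagnosis of the blank page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"

# Constructed sample: the response quoted in the thread, trimmed to the fields checked.
SAMPLE = """<samlp:Response IssueInstant="2010-08-03T15:34:57Z" Version="2.0"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Assertion IssueInstant="2003-04-17T00:46:02Z" Version="2.0"><Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">coyotej</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData Recipient="https://www.google.com/a/domain.edu/acs"
 NotOnOrAfter="2011-08-03T15:34:57Z" InResponseTo="kmoggafpialfgjioldcingippdjmbichhgnjnacj"/>
</SubjectConfirmation></Subject>
<Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2011-08-03T15:34:57Z"/>
</Assertion></samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamp format used in the quoted response."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def lint_response(xml_text, acs_url, max_validity=timedelta(minutes=10),
                  skew=timedelta(minutes=5)):
    """Return a list of findings; both thresholds are assumptions of this example."""
    # Feed this only XML from your own IdP's debug log, never untrusted input.
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    name_id = assertion.find("a:Subject/a:NameID", NS)
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    cond = assertion.find("a:Conditions", NS)
    issued = _ts(root.get("IssueInstant"))
    findings = []
    if abs(_ts(assertion.get("IssueInstant")) - issued) > skew:
        findings.append("assertion IssueInstant differs from response IssueInstant")
    # A long-lived bearer assertion widens the replay window if it is captured.
    for label, el in (("SubjectConfirmationData", scd), ("Conditions", cond)):
        if _ts(el.get("NotOnOrAfter")) - issued > max_validity:
            findings.append(label + " validity window exceeds limit")
    if scd.get("Recipient") != acs_url:
        findings.append("Recipient does not match the ACS URL")
    if not scd.get("InResponseTo"):
        findings.append("InResponseTo is missing")
    if name_id.get("Format") == EMAIL and "@" not in (name_id.text or ""):
        findings.append("NameID format is emailAddress but value has no '@'")
    return findings
```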
