Hi John,

Thanks for the response (and creating the ws-federation module!). I haven't gotten it working yet, although I took a bit of a break to catch up on other stuff. I've attached the wresult form data as an XML file. The only other form element passed was "wa=wsignin1.0". The XML from ADFS looks reasonable to me, but I'm not at all well-versed in the ws-federation specification. It includes upn as the only attribute (as expected).

On a related note, does the backingMap for the attributeRepository bean in deployerConfigContext.xml have to match the claims/attributes sent from ADFS? Or the modified attribute map?

Thanks,
Brian
-----Original Message-----
From: Gasper, John [mailto:[email protected]]
Sent: Thursday, November 14, 2013 1:08 PM
To: [email protected]
Subject: RE: [cas-user] CAS/ADFS/WS-Federation

Hi Brian,

Sorry I'm late to the ball. Did you get this figured out? I'd start by examining the data posted to CAS from ADFS. In Chrome you can use the Network tab in the Dev tools and look at the post headers. I'd take the posted response and save it to an .xml and open it in IE or Chrome for easier reading. That will make it very clear what is being passed to ADFS.

John

-----Original Message-----
From: Brian Clayton [mailto:[email protected]]
Sent: Thursday, November 7, 2013 11:11 AM
To: [email protected]
Subject: [cas-user] CAS/ADFS/WS-Federation

I'm using John Gasper's WS-Federation module, set up for full delegation. I have the configuration working to the point that it redirects to the ADFS server for login, then redirects back to the CAS server upon success. At that point, I get the attached error message from the CAS server. I'm speculating that it might have to do with the AD attributes passed from ADFS to CAS (claims/assertions), but I'm not sure. I've tried everything I can think of, simplifying the claims to just UPN, and doing my own version of WsFedAttributeMutatorImpl accordingly. Nothing seems to be working. I figure I must have something misconfigured, but I'm at a complete loss, so I'm hoping someone might have seen this before or have some idea of what's going on.
-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-11-14T22:03:22.609Z</wsu:Created>
    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-11-14T23:03:22.609Z</wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>urn:federation:devcas</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_dd7717f9-90e7-450b-9182-6bbf3441c0d6" Issuer="http://adfs.clarku.edu/adfs/services/trust" IssueInstant="2013-11-14T22:03:22.609Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-11-14T22:03:22.609Z" NotOnOrAfter="2013-11-14T23:03:22.609Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>urn:federation:devcas</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>[email protected]</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2013-11-14T22:03:22.515Z">
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#_dd7717f9-90e7-450b-9182-6bbf3441c0d6">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>UOFP38uQt9rGUxfchbdqsxlt+XY=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>QRMPDEiUXh0BXU62tuyLMI0GMjisaX8/A424Qe5Pe3LbzEiaHmg3k61aR+L2LzjRQwJrzHUchLdJ2WO2dN9o2ll+NvlE40BAKfQf6yxntdxz9QYkensoD3kND18EF6z0dLb6JcARLX8CODeNL16Iu/msqxT3SZvsAOgiszXw2ryBotCKV3tOq7+eOOxgRC/ITFxYO0ocYLStjV1RYeAbdRKa51Aaq6ol+aXDrvbn6uRaEm7BJL4FBYtKWF5UBmFvxtDhpbSdYsGW3ARAtOIUiKdrMIaygRpLhtjHRNj7p9KgOuZ+WVX+Yr34bNr2J3BufYhe+En5JcyKeH6Lg4pcLw==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>MIIC2jCCAcKgAwIBAgIQNDMlEvXrpKtMqvghoZxAQjANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDEx5BREZTIFNpZ25pbmcgLSBhZGZzLmNsYXJrdS5lZHUwHhcNMTMwMjIyMTc0NDAyWhcNMTQwMjIyMTc0NDAyWjApMScwJQYDVQQDEx5BREZTIFNpZ25pbmcgLSBhZGZzLmNsYXJrdS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm3swkJoVOR9AuuZl0xVvj6peiivufUzv3k4INmMT2qzNGB+4I4W2dLQoExNx5yPxzoyTCLE3oN2Bow97KiGD0l+fBgWiX9+OJgWAqM6B8wPpb8tVlOaU4S47tB7HgsnmMYh2vU41LXsNB6LkzW66qnBhVil8ZXTpmrMYGwbuGVFW8/VJte7B1WOzrMsWL/B0X2tt2Frg8nYCCLUMLCgzT011ecVnIk0FMcHVMfv/CEJ3J80ncSx1JUs8dDBx2yTNRYZYgZgosv0kmxm92WiTgNnHOQRcqp3+VMmXJ+fDO6QCx+8WLKW1n0avs92nSKFtMt2AAn5g5aHAGa/xM2OVXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAB8jsBIm7qKib4u91xH4bA7BsGf9YUWE7lNTCVaFN0bVMdeqV6wO4hJSF4PGtzgIttvaN51GRu3ee8nFDxYdqdJJyJkFySajLqkvP6SE/pm9nV0BpnWPX/bKkpbIajDBcDYQVEkdRSYFe3xccP8oGf5yigL8XROj7r+tqeL2w2IYsnNafqV1iAKVeKu6Wm5He5+DfYX/6uRBl058dVZWriJbfTpP+uLnbwAZCHWgFboSRuiZaI0Ztu6SQe8SrZwt20IcVbixHKYyKe/fY7SaaHa+hL09vZSwO77H26hWVMEoZLvfhFcn+F+pHeNIaBWT8exRdOMO/zYDcXmZYAk1cMY=</X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
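As an added illustration (not part of this thread and not the ws-federation module's own code), the Python below parses a wresult of the shape attached above, pulls out the audience, validity window, subject confirmation method and SAML attributes, and checks the conditions a relying party has to enforce before it maps the upn claim to a CAS principal. The sample document, issuer and UPN value are constructed, and the XML signature is deliberately not verified here.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust", "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# Constructed sample wresult shaped like the ADFS response above (hypothetical issuer and UPN).
# Lifetime and ds:Signature are left out, so nothing in this file proves the token is authentic.
SAMPLE_WRESULT = (
    '<t:RequestSecurityTokenResponse xmlns:t="%(t)s" xmlns:saml="%(saml)s">'
    '<t:RequestedSecurityToken><saml:Assertion AssertionID="_example" Issuer="http://adfs.example.edu/adfs/services/trust">'
    '<saml:Conditions NotBefore="2013-11-14T22:03:22.609Z" NotOnOrAfter="2013-11-14T23:03:22.609Z">'
    '<saml:AudienceRestrictionCondition><saml:Audience>urn:federation:devcas</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement>'
    '<saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>'
    'urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>'
    '</saml:Subject><saml:Attribute AttributeName="upn" '
    'AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">'
    '<saml:AttributeValue>user@example.edu</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>') % NS

def parse_ts(s):  # ADFS emits UTC timestamps with a trailing Z; make them tz-aware
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_wresult(xml_text):
    """Pull out the fields a relying party must look at before trusting the token."""
    assertion = ET.fromstring(xml_text).find("t:RequestedSecurityToken/saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    attrs = {}  # AttributeName -> list of values, e.g. {"upn": [...]}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(a.get("AttributeName"), []).extend(
            v.text for v in a.findall("saml:AttributeValue", NS))
    return {"issuer": assertion.get("Issuer"),
            "audience": cond.findtext("saml:AudienceRestrictionCondition/saml:Audience", None, NS),
            "not_before": parse_ts(cond.get("NotBefore")),
            "not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
            "confirmation": assertion.findtext("saml:AttributeStatement/saml:Subject/"
                                               "saml:SubjectConfirmation/saml:ConfirmationMethod", None, NS),
            "attributes": attrs}

def check_assertion(info, expected_audience, now):
    """Return a list of problems; an empty list means the conditions are acceptable."""
    problems = []
    if info["audience"] != expected_audience:
        problems.append("audience %r is not %r" % (info["audience"], expected_audience))
    if not (info["not_before"] <= now < info["not_on_or_after"]):
        problems.append("assertion not valid at %s" % now.isoformat())
    if info["confirmation"] != BEARER:
        problems.append("unexpected confirmation method %r" % info["confirmation"])
    return problems
```

Running check_assertion with the realm CAS was registered under (urn:federation:devcas in the attachment) and the current time is the minimum gate before the attributes dict is handed to the attribute mapping; a real deployment must also verify the enveloped signature against the trusted ADFS signing certificate.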
