With the attachment it's better; I forgot to add it :-P

Thanks
Julien


On 24/06/2014 13:18, Jaroslav Kacer wrote:
> Hello Julien!
>
> Thank you very much for replying and helping me.
>
> PAC4J - I will definitely have a look; so far I haven't read anything 
> about it.
>
> Could you please send the example of SP metadata directly to me or 
> paste it inline? It seems the list does not accept attachments :-(
>
> Concerning the samples: Yes, this is the place where I took the files 
> from, this seems to be OK, I managed to copy/merge them into CAS. I 
> kept the properties files independent and added them to 
> propertyFileConfigurer.xml.
>
> Concerning deployerConfigContext.xml: So far I haven't made any 
> modifications here, thank you for pointing this out.
>
> I will post my results here when I finish, hopefully soon...
>
> And any documentation is fine, even if it's only in French (I speak 
> French) :-)
>
> Best Regards,
>   Jarda Kacer
>
>
>
>
> From: Julien Gribonvald <[email protected]>
> To: [email protected]
> Date: 24.06.2014 12:39
> Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from 
> GIP-RECIA
> ------------------------------------------------------------------------
>
>
>
> Hi,
>
> I would suggest that you look at pac4j; it should replace the SAML 
> plugin developed by Maxime in the future for our use (Maxime worked 
> for us on this plugin before something more "generic" like pac4j came along). 
> This "toolbox" (I see it like that) will help to use the latest version 
> of CAS, as Maxime's plugin should be reviewed for versions of CAS 
> after 3.4.x. Beyond that, I don't know if we can use it for that, but maybe 
> Jérome Leleu could say a few words about this use or point to some 
> documentation?
>
> Otherwise, for the use of this plugin, see in the attachment an example of our 
> SP metadata file that we use in production on our CAS (obviously 
> without certificates and custom data, so replace A_DOMAIN_NAME with 
> your domain name, ADD CERTIFICATE HERE, and check the other custom data).
>
> About the IdP: it was tested against a Shibboleth IdP and in production with 
> another IdP than Shibboleth (it seems to be a fork for private use, or 
> something related to IBM, but we don't know a lot about it), but 
> working in the same way, as everything is based on the SAML specs, so I think this 
> should work.
>
> As for configuration, all files that you have to modify and deploy 
> are at 
> https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/sample-*
>  
> but I think you don't have to modify a lot; setting all the properties 
> should do the work.
> And the properties in config.properties should be added to the 
> original file cas.properties.
>
> If I look at our deployment, the things that I don't see in the 
> source are:
> - in deployerConfigContext.xml: in the bean authenticationManager, in 
> the property credentialsToPrincipalResolvers, add the 
> credentialResolver mapped to the SAML service; we use 
> EmailAddressesCredentialsToPrincipalResolver.java as an example:
>
>   <bean id="emailAddressesCredsToPrincipal"
>         class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
>     <property name="attributeRepository" ref="attributeRepository" />
>   </bean>
>
>   <bean id="ldapEmailAddressesAuthenticationHandler"
>         class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
>     <property name="searchBase" value="${ldap.basedn}" />
>     <property name="contextSource" ref="contextSource" />
>     <property name="principalAttributeName" value="${ldap.identifier.attribute}" />
>     <property name="timeout" value="5000" />
>     <property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
>   </bean>
>
> - in cas-servlet.xml you should add the import of 
> cas-servlet-saml2.xml 
> <https://github.com/GIP-RECIA/cas/blob/feature-saml2/cas-server-support-saml2/sample-config/cas-servlet-saml2.xml>
>
> I hope this will help, but don't hesitate to ask; I can provide some 
> other examples...
>
> As for the documentation, we have one in French explaining the 
> properties and how it works, but that's all; after that, you are welcome to 
> make a pull request for contributions if you succeed in installing the 
> plugin.
>
> Thanks
>
> Julien Gribonvald
>
>
> On 24/06/2014 11:09, Jaroslav Kacer wrote:
> Hello everybody!
>
> I'm trying to integrate CAS and the SAML2 plugin which was discussed 
> in this list on Oct 22 2013 by Maxime Bossard 
> (https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ). 
> As I am experiencing some issues, I wonder if someone (possibly 
> Maxime) could help me. I have already asked directly in the Google 
> group but the message did not propagate to this list, so I am posting 
> the question again.
>
> The version of CAS I use is 3.4.12.1 because the plugin's POM file 
> points to 3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line.
>
> I have merged the provided sample XML configuration files with those 
> of CAS, also the two properties files, some JSPs and web.xml. Now I am 
> getting errors from the plugin complaining about SP metadata. 
> Obviously the plugin expects some SAML2 endpoints with various 
> bindings that are not in my SP metadata.
>
>
> Maxime, could you please provide a list of all expected endpoints with 
> their bindings and URLs that should be enumerated in the SP metadata 
> file? Or, an example SP metadata file would be even better :-)
> Although the error message clearly says what service/binding the 
> plugin expects, I don't know how to create the URLs for the bindings. 
> Are they fixed or does the plugin first read the metadata file and 
> then uses the URLs specified there?
>
>
> I would also like to ask about the IdP side. I assume you used the 
> plugin against Shibboleth. Have you tested it against other IdP 
> servers? I'd like to use Microsoft ADFS. Are any special settings 
> needed? (I don't have access to the server yet so I cannot test it at 
> the moment.) At the moment, I am using an example IdP metadata file 
> from Shibboleth (just to make it run) but I will have to adapt it later.
>
>
> It would be great if the documentation for the plugin could be more 
> elaborated, mainly the section "Plugin Configuration". I've already 
> spent 2 days putting CAS and the plugin together.
> Or is there anything else than the ReadMe.md file from Github?
>
>
> Thank you in advance for your answer!
>
> Best Regards,
>    Jarda Kacer, IDC
>
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user


<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://A_DOMAIN_NAME/cas/Shibboleth.sso">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>A_DOMAIN_NAME</ds:KeyName>
        <ds:X509Data>
          <!-- Base64 DER body of the SP signing certificate, without the PEM BEGIN/END lines -->
          <ds:X509Certificate>
ADD CERTIFICATE HERE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

    <SingleLogoutService Location="https://A_DOMAIN_NAME/cas/Shibboleth.sso/SLO/Redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleLogoutService Location="https://A_DOMAIN_NAME/cas/Shibboleth.sso/SLO/POST"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

    <AssertionConsumerService Location="https://A_DOMAIN_NAME/cas/Shibboleth.sso/SAML2/Redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" index="1"/>
    <AssertionConsumerService Location="https://A_DOMAIN_NAME/cas/Shibboleth.sso/SAML2/POST"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="2"/>

    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en-us">ORGANIZATION (Redirect binding)</ServiceName>
      <ServiceDescription xml:lang="en-us">ORGANIZATION with identification by email.</ServiceDescription>

      <RequestedAttribute FriendlyName="mail" Name="mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true"></RequestedAttribute>
    </AttributeConsumingService>

    <AttributeConsumingService index="2">
      <ServiceName xml:lang="en-us">ORGANIZATION (POST binding)</ServiceName>
      <ServiceDescription xml:lang="en-us">ORGANIZATION with identification by email.</ServiceDescription>

      <RequestedAttribute FriendlyName="mail" Name="mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true"></RequestedAttribute>
    </AttributeConsumingService>

  </SPSSODescriptor>

  <Organization>
    <OrganizationName xml:lang="fr">ORGANIZATION</OrganizationName>
    <OrganizationDisplayName xml:lang="fr">ORGANIZATION</OrganizationDisplayName>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>XXXXX</GivenName>
    <SurName>YYYYYY</SurName>
    <EmailAddress>[email protected]</EmailAddress>
  </ContactPerson>

</EntityDescriptor>
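Before feeding a metadata file like the one above to the plugin, it helps to check that the SPSSODescriptor really declares what the error messages in the thread complain about. The script below is an added example for this thread, not code from the GIP-RECIA plugin or from CAS: it parses SAML 2.0 SP metadata, lists every AssertionConsumerService and SingleLogoutService with its binding, and flags the slips that commonly survive copying a template (the ADD CERTIFICATE HERE placeholder left in, a Location that is not https or points at a different host than the entityID, a duplicate ACS index, an unknown binding URI). The host sp.example.org and the stand-in "certificate" are assumed values; the embedded sample is the attached template with those substitutions.

```python
"""Sanity-check SAML 2.0 SP metadata (added example, not plugin code)."""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

KNOWN_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
}

# Constructed sample: the template attached to the thread with A_DOMAIN_NAME
# replaced by an assumed host; {cert} is filled in below.
SAMPLE_TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/cas/Shibboleth.sso">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Location="https://sp.example.org/cas/Shibboleth.sso/SLO/Redirect" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleLogoutService Location="https://sp.example.org/cas/Shibboleth.sso/SLO/POST" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <AssertionConsumerService Location="https://sp.example.org/cas/Shibboleth.sso/SAML2/Redirect" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" index="1"/>
    <AssertionConsumerService Location="https://sp.example.org/cas/Shibboleth.sso/SAML2/POST" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="2"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""
SAMPLE_WITH_PLACEHOLDER = SAMPLE_TEMPLATE.format(cert="ADD CERTIFICATE HERE")
# Stand-in for a real certificate: a minimal DER SEQUENCE, not an X.509 cert.
STANDIN_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_WITH_CERT = SAMPLE_TEMPLATE.format(cert=STANDIN_CERT)


def parse_sp_metadata(xml_text):
    """Return the SP's entityID, its endpoints and its signing certificates."""
    # expat does not fetch external entities, so an XXE payload in untrusted
    # metadata fails to parse instead of reading local files.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    def endpoints(tag):  # (Binding, Location, index) for each element of that kind
        return [(e.get("Binding"), e.get("Location"), e.get("index"))
                for e in sp.findall("md:" + tag, NS)]

    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = ["".join((c.text or "").split()) for c in sp.findall(cert_path, NS)]
    return {"entity_id": root.get("entityID"), "certs": certs,
            "acs": endpoints("AssertionConsumerService"),
            "slo": endpoints("SingleLogoutService")}


def looks_like_der_certificate(b64):
    """True if the text is strict base64 whose first byte is a DER SEQUENCE (0x30)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return False
    return len(raw) > 2 and raw[0] == 0x30


def check_sp_metadata(info):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    sp_host = urlparse(info["entity_id"] or "").hostname
    if not info["acs"]:
        findings.append("no AssertionConsumerService: the IdP has nowhere to post assertions")
    seen_indexes = set()
    for kind, eps in (("ACS", info["acs"]), ("SLO", info["slo"])):
        for binding, location, index in eps:
            if binding not in KNOWN_BINDINGS:
                findings.append("%s: unknown Binding %r" % (kind, binding))
            url = urlparse(location or "")
            if url.scheme != "https":
                findings.append("%s: Location is not https: %r" % (kind, location))
            if url.hostname != sp_host:
                findings.append("%s: Location host %r differs from entityID host %r"
                                % (kind, url.hostname, sp_host))
            if kind == "ACS":
                if index in seen_indexes:
                    findings.append("ACS: duplicate index %r" % index)
                seen_indexes.add(index)
    if not info["certs"]:
        findings.append("no signing certificate in KeyDescriptor")
    for cert in info["certs"]:
        if not looks_like_der_certificate(cert):
            findings.append("X509Certificate is not base64 DER (placeholder left in?)")
    return findings


if __name__ == "__main__":
    for name, doc in (("placeholder", SAMPLE_WITH_PLACEHOLDER), ("stand-in cert", SAMPLE_WITH_CERT)):
        info = parse_sp_metadata(doc)
        print(name, info["entity_id"])
        for binding, location, index in info["acs"]:
            print("  ACS index", index, binding.rsplit(":", 1)[-1], location)
        for finding in check_sp_metadata(info):
            print("  !", finding)
```

Run against the template as attached, the only finding is the certificate placeholder; once the base64 DER body of the real SP signing certificate is pasted in, the check comes back clean. The host comparison is deliberate: an IdP will happily deliver an assertion to whatever Location the metadata names, so a Location copied from another deployment is a misrouting bug as well as a configuration error.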
