Hello Julien (and others)!
I have already reached a state where CAS starts without problems with the
plugin; however, it throws an error when the user accesses the /login page.
I'd like to ask two more questions about the plugin configuration.
1. Configuration in deployerConfigContext.xml:
You provided me (see your email from 24/06/2014 12:38) with 2 Spring beans
that should be inserted into deployerConfigContext.xml:
- emailAddressesCredsToPrincipal, which goes to
  authenticationManager/credentialsToPrincipalResolvers
- ldapEmailAddressesAuthenticationHandler, which goes to
  authenticationManager/authenticationHandlers
Concerning ldapEmailAddressesAuthenticationHandler, I don't quite
understand its purpose. I have looked into the source and it seems it only
communicates with an LDAP server. Does it mean the plugin requires an LDAP
server in addition to the SAML IdP? Because I expected that all user
attributes would come from the IdP as attributes. I'm afraid I will have
no LDAP server available for people authenticating via the SAML IdP. Or
maybe I misunderstood something here...
I would assume the deployerConfigContext.xml file will contain a handler
that communicates with the IdP using SAML messages. But I can't find any
in the source code, so maybe I am wrong.
2. Configuration in login-webflow.xml - expression initMultiDomainAction
File login-webflow.xml now contains the following definition of
initializeFlow:
<action-state id="initializeFlow">
    <evaluate expression="initialFlowSetupAction" />
    <evaluate expression="initMultiDomainAction">
        <attribute name="name" value="initFinished" />
    </evaluate>
    <transition on="initFinished.success" to="checkSamlResponse" />
</action-state>
When I try to go to the /login page, I get an error and there is the
following stack trace in the log:
SEVERE: Servlet.service() for servlet [cas] in context with path [/cas-web-app] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing [AnnotatedAction@709f98e4 targetAction = [EvaluateAction@7deeda7f expression = initMultiDomainAction, resultExpression = [null]], attributes = map['name' -> 'initFinished']] in state 'initializeFlow' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
ognl.NoSuchPropertyException: org.springframework.webflow.engine.impl.RequestControlContextImpl.initMultiDomainAction
    at ognl.ObjectPropertyAccessor.getProperty(ObjectPropertyAccessor.java:151)
    at org.springframework.webflow.expression.WebFlowOgnlExpressionParser$RequestContextPropertyAccessor.getProperty(WebFlowOgnlExpressionParser.java:118)
    at ognl.OgnlRuntime.getProperty(OgnlRuntime.java:2210)
    at ognl.ASTProperty.getValueBody(ASTProperty.java:114)
    at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
    at ognl.SimpleNode.getValue(SimpleNode.java:258)
    at ognl.Ognl.getValue(Ognl.java:494)
    at org.springframework.binding.expression.ognl.OgnlExpression.getValue(OgnlExpression.java:85)
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:535)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:364)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222)
    at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)
    etc.
A colleague who is familiar with Spring WebFlow says there should be a
Spring bean named "initMultiDomainAction" defined somewhere, most likely
in cas-servlet.xml, but there is none. I merged everything from
cas-servlet-saml2.xml; there is no such bean there. Isn't it an omission?
Could you please have a look into your complete cas-servlet.xml to see
whether there is such a bean?
Thank you very much for your answer!
Best Regards,
Jarda
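The root cause in the stack trace above is an OGNL NoSuchPropertyException for initMultiDomainAction: Spring Web Flow resolves a bare identifier in an evaluate expression first against the request context and then against the Spring bean factory by bean id, so a name that is not defined as a bean in any imported context file fails exactly this way. The following script is an added example, not code from this thread or from the GIP-RECIA plugin; it cross-checks every evaluate expression in a login-webflow.xml against the bean ids declared in the context files (cas-servlet.xml, cas-servlet-saml2.xml, deployerConfigContext.xml) so that a missing bean such as initMultiDomainAction is found before deployment rather than at the first /login request. The sample XML inside it is constructed from the fragments quoted in the thread (the InitialFlowSetupAction class name for initialFlowSetupAction is an assumption), and the list of implicit Web Flow variables that are skipped is an approximation, not an exhaustive one.

```python
"""Cross-check Spring Web Flow <evaluate> expressions against Spring bean ids.

Added example: flags evaluate expressions whose leading identifier is neither
an implicit Web Flow variable nor a bean id declared in the given context
files, which is the situation that produces the OGNL NoSuchPropertyException.
"""
import re
import sys
import xml.etree.ElementTree as ET

WEBFLOW_NS = "http://www.springframework.org/schema/webflow"
BEANS_NS = "http://www.springframework.org/schema/beans"

# Implicit variables Spring Web Flow exposes to expressions (scopes, request
# parameters, the current event, ...). They are never Spring beans, so they
# are excluded from the check. Approximation, not an exhaustive list.
IMPLICIT_VARS = {
    "flowScope", "viewScope", "flashScope", "requestScope",
    "conversationScope", "requestParameters", "currentEvent",
    "messageContext", "resourceBundle", "flowRequestContext",
    "flowExecutionContext", "flowExecutionUrl", "externalContext",
    "currentUser", "true", "false", "null",
}

# Leading identifier of an expression: "initMultiDomainAction",
# "flowScope.credentials" -> "flowScope", "foo.bar()" -> "foo".
LEADING_IDENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)")


def leading_identifier(expression):
    """Return the root identifier of an OGNL/EL expression, or None."""
    m = LEADING_IDENT.match(expression)
    return m.group(1) if m else None


def webflow_expression_roots(webflow_xml):
    """Collect root identifiers of all <evaluate expression="..."> elements."""
    root = ET.fromstring(webflow_xml)
    roots = set()
    for ev in root.iter("{%s}evaluate" % WEBFLOW_NS):
        ident = leading_identifier(ev.get("expression", ""))
        if ident and ident not in IMPLICIT_VARS:
            roots.add(ident)
    return roots


def bean_ids(context_xml):
    """Collect bean ids and name aliases declared in a Spring beans file."""
    root = ET.fromstring(context_xml)
    ids = set()
    for bean in root.iter("{%s}bean" % BEANS_NS):
        if bean.get("id"):
            ids.add(bean.get("id"))
        # The "name" attribute may list several comma/space separated aliases.
        for alias in (bean.get("name") or "").replace(",", " ").split():
            ids.add(alias)
    return ids


def unresolved_expressions(webflow_xml, *context_xmls):
    """Return sorted expression roots that no context file defines as a bean."""
    defined = set()
    for ctx in context_xmls:
        defined |= bean_ids(ctx)
    return sorted(webflow_expression_roots(webflow_xml) - defined)


# Constructed sample: the initializeFlow state quoted in the thread, wrapped
# in a minimal <flow> root so it parses stand-alone.
SAMPLE_LOGIN_WEBFLOW = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <action-state id="initializeFlow">
    <evaluate expression="initialFlowSetupAction" />
    <evaluate expression="initMultiDomainAction">
      <attribute name="name" value="initFinished" />
    </evaluate>
    <transition on="initFinished.success" to="checkSamlResponse" />
  </action-state>
</flow>
"""

# Constructed sample of cas-servlet.xml; the class name is an assumption.
SAMPLE_CAS_SERVLET = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="initialFlowSetupAction"
        class="org.jasig.cas.web.flow.InitialFlowSetupAction" />
</beans>
"""

# Constructed sample of deployerConfigContext.xml using the two beans from
# the thread (properties omitted; only ids matter for this check).
SAMPLE_DEPLOYER_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="emailAddressesCredsToPrincipal"
        class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver" />
  <bean id="ldapEmailAddressesAuthenticationHandler"
        class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler" />
</beans>
"""


def main(argv):
    """Usage: script.py login-webflow.xml context1.xml [context2.xml ...]"""
    if len(argv) < 3:
        missing = unresolved_expressions(SAMPLE_LOGIN_WEBFLOW,
                                         SAMPLE_CAS_SERVLET,
                                         SAMPLE_DEPLOYER_CONFIG)
    else:
        with open(argv[1], encoding="utf-8") as f:
            webflow = f.read()
        contexts = []
        for path in argv[2:]:
            with open(path, encoding="utf-8") as f:
                contexts.append(f.read())
        missing = unresolved_expressions(webflow, *contexts)
    for name in missing:
        print("no bean defined for evaluate expression: %s" % name)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it checks the embedded samples and reports initMultiDomainAction as undefined; run with real file paths it checks a deployment's own files. It only inspects `<evaluate>` elements and bean ids, so beans registered by component scanning or created programmatically would show up as false positives and need to be added to the context files or to IMPLICIT_VARS.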
From: Julien Gribonvald <[email protected]>
To: [email protected]
Date: 24.06.2014 12:53
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
One more piece of information on the use of pac4j: you can look at
http://jasig.github.io/cas/4.0.0/integration/Delegate-Authentication.html,
which explains how to integrate pac4j in CAS 4 with some examples (not the
SAML one, but it's a beginning).
But if you go with this solution, please give feedback ;)
Thanks
Julien Gribonvald
On 24/06/2014 12:38, Julien Gribonvald wrote:
Hi,
I would suggest that you look at pac4j; it should replace the SAML plugin
developed by Maxime in the future for our use (Maxime worked for us on
this plugin before something more "generic" like pac4j came along). This
"toolbox" (I see it like that) will help to use the latest version of CAS, as
Maxime's plugin would have to be reviewed for versions of CAS after 3.4.x.
Beyond that, I don't know if we can use it for that, but maybe Jérome Leleu
could say a few words about this use or point to some documentation?
Otherwise, for the use of this plugin, see in the attachment an example of
our SP metadata file that we use in production on our CAS (obviously without
certificates and custom data, so replace A_DOMAIN_NAME by your domain
name, ADD CERTIFICATE HERE, and check the other custom data).
About the IdP, it was tested against a Shibboleth IdP and in production with
another IdP than Shibboleth (seems to be a fork for private use, or something
related to IBM, but we don't know a lot about it), but working in the
same way, as everything is based on the SAML specs, so I think this should work.
As for configuration, all files that you have to modify and deploy are
on
https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/sample-*
but I think you don't have to modify a lot; setting all
properties should do the work.
And the properties in config.properties should be added to the original
file cas.properties.
If I look at our deployment, the things I don't see in the source
are:
- in deployerConfigContext.xml: in the bean authenticationManager, in the
property credentialsToPrincipalResolvers, add the credentialResolver
mapped to the SAML service; we use
EmailAddressesCredentialsToPrincipalResolver.java as an example:
<bean id="emailAddressesCredsToPrincipal"
      class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
    <property name="attributeRepository" ref="attributeRepository" />
</bean>
<bean id="ldapEmailAddressesAuthenticationHandler"
      class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
    <property name="searchBase" value="${ldap.basedn}" />
    <property name="contextSource" ref="contextSource" />
    <property name="principalAttributeName" value="${ldap.identifier.attribute}" />
    <property name="timeout" value="5000" />
    <property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
</bean>
- in cas-servlet.xml you should add the import of cas-servlet-saml2.xml
I hope this will help, but don't hesitate to ask; I can provide some other
examples...
As for the documentation, we have one in French explaining the properties
and how it works, but that's all; you are welcome to make a pull
request for contributions if you succeed in installing the plugin.
Thanks
Julien Gribonvald
On 24/06/2014 11:09, Jaroslav Kacer wrote:
Hello everybody!
I'm trying to integrate CAS and the SAML2 plugin which was discussed in
this list on Oct 22 2013 by Maxime Bossard (
https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ).
As I am experiencing some issues, I wonder if someone (possibly Maxime)
could help me. I have already asked directly in the Google group but the
message did not propagate to this list, so I am posting the question
again.
The version of CAS I use is 3.4.12.1 because the plugin's POM file points
to 3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line.
I have merged the provided sample XML configuration files with those of
CAS, as well as the two properties files, some JSPs and web.xml. Now I am
getting errors from the plugin complaining about SP metadata. Obviously the
plugin expects some SAML2 endpoints with various bindings that are not in
my SP metadata.
Maxime, could you please provide a list of all expected endpoints with
their bindings and URLs that should be enumerated in the SP metadata file?
Or, an example SP metadata file would be even better :-)
Although the error message clearly says what service/binding the plugin
expects, I don't know how to create the URLs for the bindings. Are they
fixed, or does the plugin first read the metadata file and then use the
URLs specified there?
I would also like to ask about the IdP side. I assume you used the plugin
against Shibboleth. Have you tested it against other IdP servers? I'd like
to use Microsoft ADFS. Are any special settings needed? (I don't have
access to the server yet so I cannot test it at the moment.) At the
moment, I am using an example IdP metadata file from Shibboleth (just to
make it run) but I will have to adapt it later.
It would be great if the documentation for the plugin could be more
elaborate, mainly the section "Plugin Configuration". I've already spent
2 days putting CAS and the plugin together.
Or is there anything other than the ReadMe.md file from Github?
Thank you in advance for your answer!
Best Regards,
Jarda Kacer, IDC
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user