Ok I'll let you know on Monday
________________________________________
From: Julien Gribonvald [[email protected]]
Sent: Tuesday, June 24, 2014 4:38 AM
To: [email protected]
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA

Hi,

I would suggest that you look at pac4j; it should replace the SAML plugin 
developed by Maxime in the future for our use (Maxime worked for us on this 
plugin before something more "generic" such as pac4j came along). This "toolbox" (I see 
it like that) will help to use the latest version of CAS, as Maxime's plugin 
would need to be reviewed for versions of CAS after 3.4.x. After that, I don't know if we can 
use it for that, but maybe Jérome Leleu could give some words on this use or 
point to some documentation?

Otherwise, for the use of this plugin, see in the attachment an example of our SP 
metadata file that we use in production on our CAS (obviously without 
certificates and custom data, so replace A_DOMAIN_NAME by your domain name, ADD 
CERTIFICATE HERE, and check the other custom data).

About the IdP: it was tested against a Shibboleth IdP and is in production with another 
IdP than Shibboleth (it seems to be a fork for private use, or something related to 
IBM, but we don't know a lot about it), but working in the same way, as everything is 
based on the SAML specs, so I think this should work.

After that, about configuration: all the files that you have to modify and deploy are at 
https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/sample-*
but I think you don't have to modify a lot; setting all the properties should do 
the work.
And the properties in config.properties should be added to the original file 
cas.properties.

If I look at our deployment, the things that I don't see in the source are:
- in deployerConfigContext.xml: in the bean authenticationManager, in the 
property credentialsToPrincipalResolvers, add the credential resolver mapped 
to the SAML service; we use 
EmailAddressesCredentialsToPrincipalResolver.java as an example:
        <bean id="emailAddressesCredsToPrincipal"
              class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
                <property name="attributeRepository" ref="attributeRepository" />
        </bean>

        <bean id="ldapEmailAddressesAuthenticationHandler"
              class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
                <property name="searchBase" value="${ldap.basedn}" />
                <property name="contextSource" ref="contextSource" />
                <property name="principalAttributeName" value="${ldap.identifier.attribute}" />
                <property name="timeout" value="5000" />
                <property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
        </bean>

- in cas-servlet.xml you should add the import of 
cas-servlet-saml2.xml (https://github.com/GIP-RECIA/cas/blob/feature-saml2/cas-server-support-saml2/sample-config/cas-servlet-saml2.xml)

I hope this will help, but don't hesitate to ask; I can provide some other 
examples...

As for the documentation, we have one in French explaining the properties and 
how it works, but that's all; you are welcome to make a pull request for 
contributions if you succeed in installing the plugin.

Thanks

Julien Gribonvald
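A small pre-deployment check for the kind of SP metadata template Julien describes (a domain placeholder, a certificate placeholder, and a set of endpoints with their bindings), which also answers the sort of "which endpoints and bindings does my SP publish?" question asked in the quoted message. This is an added example, not code from the GIP-RECIA plugin or from this thread; the sample metadata, its /cas/saml2/... endpoint paths and the placeholder tokens are constructed for illustration, and the plugin's real expected endpoints are the ones its own error messages name.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder tokens of the kind the email says the template contains.
PLACEHOLDERS = ("A_DOMAIN_NAME", "ADD CERTIFICATE HERE")

# Constructed sample SP metadata (hypothetical endpoint paths, not the
# plugin's real ones): two AssertionConsumerService endpoints with
# different bindings, and the placeholders left in on purpose.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://A_DOMAIN_NAME/cas/saml2/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>ADD CERTIFICATE HERE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://A_DOMAIN_NAME/cas/saml2/acs/post"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://A_DOMAIN_NAME/cas/saml2/acs/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _sp_descriptor(metadata_xml):
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    return sp


def list_endpoints(metadata_xml):
    """Return (service, binding, location) for every endpoint the SP publishes.

    This is the list an IdP administrator needs when registering the SP, and
    the list to compare against what the plugin's error messages ask for.
    """
    endpoints = []
    for el in _sp_descriptor(metadata_xml):
        if "Binding" in el.attrib and "Location" in el.attrib:
            local_name = el.tag.split("}")[1]
            endpoints.append((local_name, el.attrib["Binding"], el.attrib["Location"]))
    return endpoints


def check_metadata(metadata_xml):
    """Return the problems that would make this file unsafe or unusable as-is."""
    problems = []
    sp = _sp_descriptor(metadata_xml)

    # 1. Template placeholders that were never replaced.
    for token in PLACEHOLDERS:
        if token in metadata_xml:
            problems.append("placeholder still present: " + token)

    # 2. At least one ACS endpoint, and every endpoint over TLS
    #    (the IdP delivers assertions to these URLs).
    endpoints = list_endpoints(metadata_xml)
    if not any(svc == "AssertionConsumerService" for svc, _, _ in endpoints):
        problems.append("no AssertionConsumerService endpoint")
    for svc, _, location in endpoints:
        if not location.startswith("https://"):
            problems.append(svc + " endpoint is not https: " + location)

    # 3. A real signing certificate, so the IdP can verify our AuthnRequests.
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    usable = [c for c in certs
              if c.text and c.text.strip() and c.text.strip() not in PLACEHOLDERS]
    if not usable:
        problems.append("no usable X509Certificate in a KeyDescriptor")

    # 4. Require signed assertions; otherwise a forged response would pass.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is not true")
    return problems


def fill_placeholders(metadata_xml, domain, certificate_b64):
    """Substitute the template tokens the way the email tells the reader to."""
    return (metadata_xml.replace("A_DOMAIN_NAME", domain)
            .replace("ADD CERTIFICATE HERE", certificate_b64))


if __name__ == "__main__":
    for svc, binding, location in list_endpoints(SAMPLE_SP_METADATA):
        print(svc, binding.rsplit(":", 1)[1], location)
    print("template problems:", check_metadata(SAMPLE_SP_METADATA))
    filled = fill_placeholders(SAMPLE_SP_METADATA, "cas.example.org", "MIIC...constructed...")
    print("after filling:", check_metadata(filled))
```

Run it against your own SP metadata by replacing SAMPLE_SP_METADATA with the file's contents; an empty result from check_metadata means the placeholders are gone, every endpoint is served over TLS, a signing certificate is present and signed assertions are required, which is the state the file should be in before it is handed to the IdP.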


On 24/06/2014 11:09, Jaroslav Kacer wrote:
Hello everybody!

I'm trying to integrate CAS and the SAML2 plugin which was discussed in this 
list on Oct 22 2013 by Maxime Bossard 
(https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ). As I 
am experiencing some issues, I wonder if someone (possibly Maxime) could help 
me. I have already asked directly in the Google group but the message did not 
propagate to this list, so I am posting the question again.

The version of CAS I use is 3.4.12.1 because the plugin's POM file points to 
3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line.

I have merged the provided sample XML configuration files with those of CAS, 
also the two properties files, some JSPs and web.xml. Now I am getting errors 
from the plugin complaining about SP metadata. Obviously the plugin expects 
some SAML2 endpoints with various bindings that are not in my SP metadata.


Maxime, could you please provide a list of all expected endpoints with their 
bindings and URLs that should be enumerated in the SP metadata file? Or, an 
example SP metadata file would be even better :-)
Although the error message clearly says what service/binding the plugin 
expects, I don't know how to create the URLs for the bindings. Are they fixed 
or does the plugin first read the metadata file and then use the URLs 
specified there?


I would also like to ask about the IdP side. I assume you used the plugin 
against Shibboleth. Have you tested it against other IdP servers? I'd like to 
use Microsoft ADFS. Are any special settings needed? (I don't have access to 
the server yet so I cannot test it at the moment.) At the moment, I am using an 
example IdP metadata file from Shibboleth (just to make it run) but I will have 
to adapt it later.


It would be great if the documentation for the plugin could be more elaborate, 
mainly the section "Plugin Configuration". I've already spent 2 days putting 
CAS and the plugin together.
Or is there anything else than the ReadMe.md file from Github?


Thank you in advance for your answer!

Best Regards,
   Jarda Kacer, IDC


--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


