[cas-user] CAS ADFS Integration

2018-09-23 Thread Mohannad Henno
Hi There,

I am trying to integrate our CAS system with ADFS using the WSFederation. 
The issue which I am facing is that when CAS is trying to redirect to ADFS 
I am getting an unauthorized service exception, as follows:

CAS is unable to process this request: "500:Internal Server Error"

There was an error trying to complete your request. *Please notify your 
support desk or try again.* 
Apereo is a non-profit open source software governance foundation. The CAS 
software is an Apereo sponsored project and is freely downloadable and 
usable by anyone. However, Apereo does not operate the systems of anyone 
using the software and in most cases doesn't even know who is using it 
or how to contact them unless they are an active part of the Apereo 
community.

If you are having problems logging in using CAS, *you will need to contact 
the IT staff or Help Desk of your organization for assistance*. 

We wish we could be more directly helpful to you.




org.apereo.cas.services.UnauthorizedServiceException: 
at org.apereo.cas.support.wsfederation.web.WsFederationNavigationController.redirectToProvider(WsFederationNavigationController.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter.doFilter(AuthenticationCredentialsThreadLocalBinderClearingFilter.java:30)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:237)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.cas.security.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:111)
at 

Re: [cas-user] CAS ADFS Integration

2017-12-28 Thread Mr Rao
Hi Anton, can you share your demo app? I have the exact same requirement. Also, 
which version of CAS are you using?

Thanks
Rao



On Monday, July 24, 2017 at 11:24:04 PM UTC-7, Антон Шихмат wrote:
>
> Okay, so I did it.
> I've updated loginform.html with a link to ADFS:
>
> 
>  th:value="${flowExecutionKey}"/>
> 
> 
>  onclick="$('#adfsLoginForm').submit();" >Login via ADFS
> 
> 
>
> And I've updated a workflow, so by default the regular login form is 
> displayed, but in case the adfsLoginForm link is selected, CAS will redirect to 
> ADFS and use it for authentication.
> For this purpose I've created a class ADFSWebflowConfigurer that adds 
> an additional check if the user was authenticated using ADFS.
> For this purpose the "ticketGrantingTicketCheck" state is updated, so in case 
> of "notExist" the ADFS check will be executed additionally.
>
> On Thursday, July 20, 2017 at 1:43:45 PM UTC+3, Антон Шихмат wrote:
>>
>> Right now I have another issue. 
>> I've added a link to the login page to redirect to the ADFS login page 
>> using Webflow functionality. But after successful login, the default login page 
>> is displayed again for some reason.
>> If I log in using credentials from the database, everything works as 
>> expected. Do I need to add some additional configuration? I mean, maybe some 
>> webflow update is needed?
>>
>> On Tuesday, July 18, 2017 at 2:26:23 AM UTC+3, Misagh Moayyed wrote:
>>>
>>> Yes; there is a setting that controls auto-redirect to ADFS. Set that to 
>>> false, and put the link on the login page.
>>>
>>> --Misagh
>>>
>>> On July 17, 2017 at 1:51:10 PM, Uxío Prego (upr...@madiva.com) wrote:
>>>
>>> Let us hope I am wrong, but this reminds me vaguely of
>>>
>>> https://groups.google.com/a/apereo.org/d/msg/cas-user/BwnFLyc8TnY/6NjFsnIEAQAJ
>>>
>>> Best of luck,
>>>
>>> On 17 Jul 2017, at 09:23, Антон Шихмат  wrote:
>>>
>>> Hello everyone,
>>>
>>> On my current project we use CAS with configured custom database 
>>> authentication provider.
>>>
>>> A few weeks ago we received a request from our client to integrate CAS with 
>>> their ADFS.
>>> I did it using the provided tutorial on the CAS website. After that only ADFS 
>>> authentication can be used. What I mean – when a user tries to open a secured 
>>> page, the ADFS login page is displayed, so the user can use only his ADFS 
>>> credentials and cannot navigate to the regular login page (where database 
>>> authentication is configured).
>>>
>>> So my question is – is it possible to have a database authentication 
>>> provider configured as primary one (with default login page) and to have 
>>> button on that page that will redirect to ADFS authentication provider?
>>>
>>> Thanks,
>>> Anton
>>>
>>> --
>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>> - CAS mailing list guidelines: 
>>> https://apereo.github.io/cas/Mailing-Lists.html
>>> - CAS documentation website: https://apereo.github.io/cas
>>> - CAS project website: https://github.com/apereo/cas
>>> ---
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5254c733-f507-46e0-ab43-a0a67022c2a5%40apereo.org


Re: [cas-user] CAS ADFS Integration

2017-07-25 Thread Антон Шихмат
Okay, so I did it.
I've updated loginform.html with a link to ADFS:





Login via ADFS



And I've updated a workflow, so by default the regular login form is displayed, 
but in case the adfsLoginForm link is selected, CAS will redirect to ADFS and 
use it for authentication.
For this purpose I've created a class ADFSWebflowConfigurer that adds 
an additional check if the user was authenticated using ADFS.
For this purpose the "ticketGrantingTicketCheck" state is updated, so in case 
of "notExist" the ADFS check will be executed additionally.

On Thursday, July 20, 2017 at 1:43:45 PM UTC+3, Антон Шихмат wrote:
>
> Right now I have another issue. 
> I've added a link to the login page to redirect to the ADFS login page using 
> Webflow functionality. But after successful login, the default login page is 
> displayed again for some reason.
> If I log in using credentials from the database, everything works as 
> expected. Do I need to add some additional configuration? I mean, maybe some 
> webflow update is needed?
>
> On Tuesday, July 18, 2017 at 2:26:23 AM UTC+3, Misagh Moayyed wrote:
>>
>> Yes; there is a setting that controls auto-redirect to ADFS. Set that to 
>> false, and put the link on the login page.
>>
>> --Misagh
>>
>> On July 17, 2017 at 1:51:10 PM, Uxío Prego (upr...@madiva.com) wrote:
>>
>> Let us hope I am wrong, but this reminds me vaguely of
>>
>> https://groups.google.com/a/apereo.org/d/msg/cas-user/BwnFLyc8TnY/6NjFsnIEAQAJ
>>
>> Best of luck,
>>
>> On 17 Jul 2017, at 09:23, Антон Шихмат  wrote:
>>
>> Hello everyone,
>>
>> On my current project we use CAS with configured custom database 
>> authentication provider.
>>
>> A few weeks ago we received a request from our client to integrate CAS with 
>> their ADFS.
>> I did it using the provided tutorial on the CAS website. After that only ADFS 
>> authentication can be used. What I mean – when a user tries to open a secured 
>> page, the ADFS login page is displayed, so the user can use only his ADFS 
>> credentials and cannot navigate to the regular login page (where database 
>> authentication is configured).
>>
>> So my question is – is it possible to have a database authentication 
>> provider configured as primary one (with default login page) and to have 
>> button on that page that will redirect to ADFS authentication provider?
>>
>> Thanks,
>> Anton
>>

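Added example, not part of the original post and not CAS code: a small Python model of the flow change described in the message above. In this model the default form reappears after an ADFS login until a check for the WS-Federation response runs on the "notExist" branch. Only "ticketGrantingTicketCheck" and "notExist" come from the post; the other state, event and function names, and the set-membership validator standing in for token signature validation, are assumptions.

```python
# Constructed model of the login-flow change described in the post; not CAS code.
# Only "ticketGrantingTicketCheck" and "notExist" come from the post; all other
# state, event and function names are hypothetical stand-ins.
START = "ticketGrantingTicketCheck"


def tgt_check(request):
    # An existing SSO session (ticket-granting ticket) skips login entirely.
    return "exists" if request.get("tgt") else "notExist"


def make_adfs_check(validate_token):
    def adfs_check(request):
        # A WS-Federation passive sign-in response carries wa=wsignin1.0 and
        # the security token in wresult.
        params = request.get("params", {})
        if params.get("wa") != "wsignin1.0" or "wresult" not in params:
            return "noResponse"  # ordinary visit: fall through to the form
        # The mere presence of wresult proves nothing; the token must validate.
        return "success" if validate_token(params["wresult"]) else "error"
    return adfs_check


def build_flow(validate_token, adfs_check_on_not_exist):
    actions = {START: tgt_check, "adfsCheck": make_adfs_check(validate_token)}
    transitions = {
        (START, "exists"): "sessionEstablished",
        (START, "notExist"): "viewLoginForm",  # flow before the change
        ("adfsCheck", "noResponse"): "viewLoginForm",
        ("adfsCheck", "error"): "viewLoginForm",
        ("adfsCheck", "success"): "sessionEstablished",
    }
    if adfs_check_on_not_exist:
        # The change from the post: on "notExist", run the ADFS check first.
        transitions[(START, "notExist")] = "adfsCheck"
    return actions, transitions


def run_flow(flow, request):
    """Return the list of states visited; states without an action end the run."""
    actions, transitions = flow
    state, path = START, [START]
    while state in actions:
        state = transitions[(state, actions[state](request))]
        path.append(state)
    return path


# Constructed sample input. Set membership stands in for real signature
# validation of the token against the ADFS signing certificate.
TRUSTED_TOKENS = {"token-signed-by-adfs"}


def validate(token):
    return token in TRUSTED_TOKENS


FIRST_VISIT = {"params": {}}
ADFS_RETURN = {"params": {"wa": "wsignin1.0", "wresult": "token-signed-by-adfs"}}
FORGED_RETURN = {"params": {"wa": "wsignin1.0", "wresult": "not-signed"}}

if __name__ == "__main__":
    for changed in (False, True):
        flow = build_flow(validate, changed)
        for req in (FIRST_VISIT, ADFS_RETURN, FORGED_RETURN):
            print(changed, " -> ".join(run_flow(flow, req)))
```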

Re: [cas-user] CAS ADFS Integration

2017-07-20 Thread Антон Шихмат
Right now I have another issue. 
I've added a link to the login page to redirect to the ADFS login page using 
Webflow functionality. But after successful login, the default login page is 
displayed again for some reason.
If I log in using credentials from the database, everything works as 
expected. Do I need to add some additional configuration? I mean, maybe some 
webflow update is needed?

On Tuesday, July 18, 2017 at 2:26:23 AM UTC+3, Misagh Moayyed wrote:
>
> Yes; there is a setting that controls auto-redirect to ADFS. Set that to 
> false, and put the link on the login page.
>
> --Misagh
>
> On July 17, 2017 at 1:51:10 PM, Uxío Prego (upr...@madiva.com) wrote:
>
> Let us hope I am wrong, but this reminds me vaguely of
>
> https://groups.google.com/a/apereo.org/d/msg/cas-user/BwnFLyc8TnY/6NjFsnIEAQAJ
>
> Best of luck,
>
> On 17 Jul 2017, at 09:23, Антон Шихмат wrote:
>
> Hello everyone,
>
> On my current project we use CAS with configured custom database 
> authentication provider.
>
> A few weeks ago we received a request from our client to integrate CAS with 
> their ADFS.
> I did it using the provided tutorial on the CAS website. After that only ADFS 
> authentication can be used. What I mean – when a user tries to open a secured 
> page, the ADFS login page is displayed, so the user can use only his ADFS 
> credentials and cannot navigate to the regular login page (where database 
> authentication is configured).
>
> So my question is – is it possible to have a database authentication 
> provider configured as primary one (with default login page) and to have 
> button on that page that will redirect to ADFS authentication provider?
>
> Thanks,
> Anton
>


Re: [cas-user] CAS ADFS Integration

2017-07-17 Thread Uxío Prego
Let us hope I am wrong, but this reminds me vaguely of
https://groups.google.com/a/apereo.org/d/msg/cas-user/BwnFLyc8TnY/6NjFsnIEAQAJ

Best of luck,

> On 17 Jul 2017, at 09:23, Антон Шихмат  wrote:
> 
> Hello everyone,
> 
> On my current project we use CAS with configured custom database 
> authentication provider.
> 
> A few weeks ago we received a request from our client to integrate CAS with their 
> ADFS. 
> I did it using the provided tutorial on the CAS website. After that only ADFS 
> authentication can be used. What I mean – when a user tries to open a secured 
> page, the ADFS login page is displayed, so the user can use only his ADFS credentials 
> and cannot navigate to the regular login page (where database authentication is 
> configured).
> 
> So my question is – is it possible to have a database authentication provider 
> configured as primary one (with default login page) and to have button on 
> that page that will redirect to ADFS authentication provider?
> 
> Thanks,
> Anton
> 
> 


[cas-user] CAS ADFS Integration

2017-07-17 Thread Антон Шихмат


Hello everyone,

On my current project we use CAS with configured custom database 
authentication provider.

A few weeks ago we received a request from our client to integrate CAS with 
their ADFS. 
I did it using the provided tutorial on the CAS website. After that only ADFS 
authentication can be used. What I mean – when a user tries to open a secured 
page, the ADFS login page is displayed, so the user can use only his ADFS 
credentials and cannot navigate to the regular login page (where database 
authentication is configured).

So my question is – is it possible to have a database authentication 
provider configured as primary one (with default login page) and to have 
button on that page that will redirect to ADFS authentication provider?

Thanks,
Anton
