CAS 5.2 and Ellucian Banner 9 (XE)


Matthew Uribe

Feb 21, 2018, 6:46:21 PM
to CAS Community
Hello Community,

I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x.

We have been using the Luminis-delivered CAS 3.5.2, but are interested in the features available in 5, such as SAML2 IdP and MFA using Duo. I have deployed CAS 5.2.0, included the cas-server-support-ldap and cas-server-support-saml dependencies, and set up a service for one of our Banner 9 apps, but haven't been able to successfully access the application. I can access the CAS Dashboard, as well as the CAS-Management webapp, but the Banner apps are beyond me at this point. Right now, when I navigate to the Banner 9 app, I am redirected to the CAS login page. After logging in successfully, the browser gives me an error: "HTTP Status 403 - No assertions found".

I figure the problem is either in my service registry, or that I maybe need to import the CAS certificate into a keystore somewhere on the Banner 9 server. Since I don't see anything related to a cert import in the Banner 9 install guides, I'm focused on the first of these two possibilities, but after 2 days of going in circles I've run out of ideas and would eagerly accept the advice of this community.

Thank you,
Matt

Travis Schmidt

Feb 21, 2018, 7:18:20 PM
to cas-...@apereo.org
I am helping a team with this exact issue right now. I don't know anything about the Banner side of things, but I had to map the attribute they were looking for to UDC_IDENTIFIER in the Service Registry for it to work.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/56930314-153c-4426-8eda-3f9bb5596089%40apereo.org.

Greg Booth

Feb 21, 2018, 7:48:41 PM
to cas-...@apereo.org
We also had to map UDC_IDENTIFIER to get it to work, although we are on CAS 5.1.5.




--
Gregory Booth
Senior Systems Administrator & Technical Team Lead
IT Operations
Information Technology
Michigan Technological University

Greg Booth

Feb 21, 2018, 7:50:36 PM
to cas-...@apereo.org
Specifically, in cas.properties:

cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER


Matthew Uribe

Feb 22, 2018, 9:26:04 AM
to CAS Community
Thanks Travis. That's the track I've been on. Can you tell me whether this service definition looks anything like what you ended up with?


{
  @class: org.apereo.cas.services.RegexRegisteredService
  name: TEST General SSB XE
  id: 12345
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
    allowedAttributes:
    {
      @class: java.util.TreeMap
      UDC_IDENTIFIER: UDC_IDENTIFIER
    }
  }
  evaluationOrder: 5
}

Matthew Uribe

Feb 22, 2018, 9:32:23 AM
to CAS Community
Thanks Greg. I've got all the following attributes listed in my cas.properties. When I look in /cas/status/ssosessions I see all of these attributes in the TGT. That's why I was thinking it must be something to do with the way the attributes are released in the service definition.

cas.authn.attributeRepository.ldap[0].attributes.cn:    cn
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName:     givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:  mail
cas.authn.attributeRepository.ldap[0].attributes.sn:    sn
cas.authn.attributeRepository.ldap[0].attributes.udcid: UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.uid:   uid

William E.

Feb 22, 2018, 9:47:40 AM
to CAS Community
We are on CAS 5.2.2, Banner 8 via ssomanager and Banner 9 admin apps. It seems to work fine since we upgraded to CAS 5.2.2 in late December.

We populate the udcid in LDAP from Banner, then map it in CAS as:

cas.authn.attributeRepository.ldap[0].attributes.uahUDCID=UDC_IDENTIFIER

Please note, without full BEIS the udcid in Banner is not automatically populated when new users are created. Our IDM calls a delivered BEIS component to populate any blank udcid values in Banner before LDAP provisioning, since we don't use BEIS:

IP_IDENTITY_DATA_EXPORT_UTIL.P_ASSIGN_UDCID();


-William

BEIS = Banner Enterprise Identity Services

Mary Lashinsky

Feb 22, 2018, 10:39:11 AM
to cas-...@apereo.org
Looking for Java Developers with CAS experience in Torrance, California!  If you know anyone please contact me directly at ma...@docmagic.com


Greg Booth

Feb 22, 2018, 11:10:24 AM
to cas-...@apereo.org
Matthew,

Here is our service definition:

{
  @class: org.apereo.cas.services.RegexRegisteredService
  id: 9999
  name: Banner
  description: Self-Service
  serviceId: https://(www\.)?bannerweb\.mtu\.edu(:443)?/.*
  attributeReleasePolicy: {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    allowedAttributes: ["java.util.ArrayList", ["UDC_IDENTIFIER", "michigantechRIDM"]]
  }
}


Matthew Uribe

Feb 22, 2018, 5:02:37 PM
to CAS Community
My thanks to all who have responded. I finally spotted the issue. In the logs, I found this:
<Service ticket [ST-AAHn21AEQFRQnJ3kjH1H/VWjCTCumXuhWQiE3Cx/WAPhxR97XJp/xtY9] with service [https://testssbxe.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check] does not match supplied service [org.apereo.cas.support.saml.authentication.principal.SamlService@640edaac[id=https://testssbxe1.aims.edu:8444/BannerGeneralSsb/j_sprin
eady=false,format=XML]]>
That "1" really does not stand out very well, and is a product of our load-balanced setup. At first I thought I needed to make the regex in the service definition match either URL, but in the end found that the issue was in the BannerGeneralSsb_configuration.groovy file. I changed the serviceUrl to reflect the 1, and have had a successful login!

Thanks again.
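The mismatch Matt found is easy to miss by eye, so here is a small diagnostic for that log message. This is an added example, not code from the thread or from CAS: the sample log line is constructed to mirror the one quoted above (placeholder ticket id, shortened trailing fields), and the regex patterns tried at the end are assumptions modelled on the load-balanced hostnames in the post.

```python
"""Diagnose CAS 'Service ticket ... does not match supplied service' messages.

Added example, not CAS code: extracts the service a ticket was issued for and
the service named in the validation request, reports which URL components
differ, and tries a serviceId regex against both the way RegexRegisteredService does.
"""
import re
from urllib.parse import urlsplit

SAMPLE_LOG = (  # constructed sample modelled on the thread's excerpt; not a real ticket
    "<Service ticket [ST-EXAMPLE-TICKET] with service "
    "[https://testssbxe.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check] "
    "does not match supplied service "
    "[org.apereo.cas.support.saml.authentication.principal.SamlService@640edaac"
    "[id=https://testssbxe1.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check,"
    "format=XML]]>"
)

ISSUED_RE = re.compile(r"Service ticket \[([^\]]+)\] with service \[([^\]]+)\]")
SUPPLIED_RE = re.compile(r"does not match supplied service \[.*?\[id=([^,\]]+)")


def parse_mismatch(line):
    """Return (ticket_id, issued_url, supplied_url), or None for unrelated lines."""
    issued = ISSUED_RE.search(line)
    supplied = SUPPLIED_RE.search(line)
    if not (issued and supplied):
        return None
    return issued.group(1), issued.group(2), supplied.group(1)


def url_differences(issued_url, supplied_url):
    """Map each differing URL component to its (issued, supplied) pair."""
    a, b = urlsplit(issued_url), urlsplit(supplied_url)
    fields = ("scheme", "hostname", "port", "path", "query")
    return {f: (getattr(a, f), getattr(b, f))
            for f in fields if getattr(a, f) != getattr(b, f)}


def service_id_matches(service_id_pattern, url):
    """CAS 5's RegexRegisteredService applies the serviceId pattern with
    Matcher.find(), an unanchored search; re.search behaves the same way."""
    return re.search(service_id_pattern, url) is not None


if __name__ == "__main__":
    ticket, issued, supplied = parse_mismatch(SAMPLE_LOG)
    print(f"{ticket}: differing components {url_differences(issued, supplied)}")
    # Assumed pattern relaxed to accept both hosts: the route Matt considered
    # before fixing serviceUrl in BannerGeneralSsb_configuration.groovy instead.
    relaxed = r"^https://testssbxe1?\.aims\.edu:8444/BannerGeneralSsb/.*"
    print("relaxed pattern matches both:",
          all(service_id_matches(relaxed, u) for u in (issued, supplied)))
```

Even when a relaxed serviceId accepts both hosts, the service ticket is still bound to the exact URL it was issued for, so the validation request must present that same URL; the fix belongs on the client's serviceUrl, as Matt found.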