CAS 6.1.7 ADFS Client Banner Applications


Mallory, Erik

Jul 16, 2020, 5:07:57 PM
to cas-...@apereo.org
Hello, I think I've narrowed down the problem and I *think* it's on the
application side... but is there any way to control the source
parameter that we see below in the logs? If I could configure CAS to
always send source=TARGET, I think this configuration would work for the
Banner apps.

Log from the initial login, which produces "Invalid login/access denied":
<Built response [org.apereo.cas.authentication.principal.DefaultResponse@323ac4df] for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=service, loggedOutAlready=false, format=XML, attributes={})]>
^^ Invalid login/access denied.

Log from an established CAS/ADFS session gaining access to the
application:

<Located service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})] from the context>
^^ works

In the applications there is a groovy file with a parameter

serviceParameter = 'TARGET'

I tried changing it to 'service' but had no luck.
--
Erik Mallory
Server Analyst
Wichita State University

Ray Bon

Jul 16, 2020, 6:29:51 PM
to cas-...@apereo.org
Erik,

Our Banner setup uses SAML 1.1. During the log in request it is /cas/login?TARGET=blah/banner/applicationnavigator
'service' is used for CAS protocol. Check your banner setup.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
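Added example, not code from the thread, from CAS or from Banner: a small Python script that pulls the `AbstractWebApplicationService(...)` record out of CAS debug lines like the ones Erik quoted, tells which login parameter a `/cas/login` URL carries, and flags records whose resolved `source` differs from the parameter the application is registered to use. The mapping of `service` to CAS protocol and `TARGET` to SAML 1.1 is the one Ray describes; the hostname, the log lines and the per-service expectation table are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Which /cas/login parameter carries the service URL for each protocol the
# thread mentions: the CAS protocol uses 'service', SAML 1.1 uses 'TARGET'.
SOURCE_TO_PROTOCOL = {"service": "CAS", "TARGET": "SAML 1.1"}

# Constructed callback host (placeholder, not the thread's real one).
BANNER_CALLBACK = "https://banner.example.edu/applicationNavigator/j_spring_cas_security_check"

# Constructed sample lines modelled on the debug output quoted in the thread:
# the first is the failing first-pass response, the second the working one.
SAMPLE_LOG = (
    "<Built response [org.apereo.cas.authentication.principal.DefaultResponse@323ac4df] for "
    f"[AbstractWebApplicationService(id={BANNER_CALLBACK}, originalUrl={BANNER_CALLBACK}, "
    "artifactId=null, principal=f282c439, source=service, loggedOutAlready=false, "
    "format=XML, attributes={})]>\n"
    f"<Located service [AbstractWebApplicationService(id={BANNER_CALLBACK}, originalUrl={BANNER_CALLBACK}, "
    "artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, "
    "format=XML, attributes={})] from the context>\n"
)

# The record body sits between 'AbstractWebApplicationService(' and ')]'.
RECORD_RE = re.compile(r"AbstractWebApplicationService\((.*?)\)\]")


def parse_service_record(line):
    """Return the key=value fields of the service record on a log line, or None if there is none."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group(1).split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def protocol_for_source(source):
    """Map the 'source' field (the request parameter CAS resolved the service from) to a protocol name."""
    return SOURCE_TO_PROTOCOL.get(source, "unknown")


def login_service_parameter(login_url):
    """Return which of 'TARGET' or 'service' a /cas/login URL carries, or None if neither is present."""
    query = parse_qs(urlsplit(login_url).query)
    for name in ("TARGET", "service"):
        if name in query:
            return name
    return None


def find_protocol_mismatches(log_text, expected_source_by_service):
    """Flag records whose 'source' differs from the parameter the application is registered to use.

    expected_source_by_service maps a service id to 'service' or 'TARGET' (constructed table).
    """
    mismatches = []
    for line in log_text.splitlines():
        rec = parse_service_record(line)
        if not rec:
            continue
        expected = expected_source_by_service.get(rec.get("id"))
        if expected and rec.get("source") != expected:
            mismatches.append({
                "service": rec["id"],
                "expected": expected,
                "actual": rec["source"],
                "responded_with": protocol_for_source(rec["source"]),
            })
    return mismatches


if __name__ == "__main__":
    # A Banner app that logs in via TARGET should never see a CAS-protocol response.
    for hit in find_protocol_mismatches(SAMPLE_LOG, {BANNER_CALLBACK: "TARGET"}):
        print(f"{hit['service']}: expected source={hit['expected']} but got "
              f"source={hit['actual']} (CAS answered with the {hit['responded_with']} protocol)")
```

Run against a real CAS log at DEBUG level, the mismatch list gives a quick way to confirm the symptom in the thread: the same service id being answered once with `source=service` (CAS protocol) and once with `source=TARGET` (SAML 1.1), which is what the application's `serviceParameter = 'TARGET'` setting makes it expect every time.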

Mallory, Erik

Jul 17, 2020, 12:30:01 PM
to cas-...@apereo.org
Thanks!
I'm working with Ellucian now. It's strange to me that it works with
just CAS but then does not work when CAS is configured as an ADFS
client. It's as if CAS is not speaking SAML for that initial login but
it is speaking SAML for subsequent logins.

--
Erik Mallory
Server Analyst
Wichita State University


Mallory, Erik

Jul 17, 2020, 4:22:07 PM
to cas-...@apereo.org
So I've increased the logging for the Banner application I'm trying to
get configured. The Banner application uses SAML 1.1 to communicate.
CAS hands off the authentication to ADFS and then back to CAS, which
then sends the user back to the Banner application. CAS is not sending
a SAML response at that time.

If you open a second tab and navigate to the application, it sends you
to CAS; you're authenticated, so CAS sends you back with a SAML
response and you are able to log in.
I've attached the application logs if anyone is interested.

--
Erik Mallory
Server Analyst
Wichita State University

appnav-casadfs.log

Mallory, Erik

Jul 23, 2020, 10:12:41 AM
to cas-...@apereo.org
So basically, what happens here is CAS "forgets" to speak SAML back to
the Banner application. When the conversation is between the CAS server
and the Banner app, all is well. When the CAS server communicates to the
Banner app, the Banner app does not receive SAML data.

So how would one configure CAS to send SAML data in addition to
responding to a SAML request?

Really I'm at a dead end here.
--
Erik Mallory
Server Analyst
Wichita State University


Jon Anderson

Jul 23, 2020, 10:26:11 AM
to cas-...@apereo.org
This isn't so helpful, but I once tried to get a CAS5 to speak SAML2 with an SP but delegate the auth to older existing CAS server. I ended up giving up on delegation, because I could never get it to finish the SAML2 conversation. It would come back from the delegated authentication, forget that it was in the middle of a SAML conversation and try to finish with the SP speaking CAS.

Mallory, Erik

Jul 23, 2020, 11:33:07 AM
to cas-...@apereo.org
Lol.. Well, I appreciate the commiseration. It sounds very similar to
what I'm experiencing. I'm delegating to ADFS and the CAS server is
forgetting it's in the middle of a SAML conversation. I just think this
*should* work. I think I'm missing some config. I keep eyeing the
SAML IdP config, but every time I look through the CAS docs, I'm like
"Nope, that won't do it."

It would be nice if someone who knows more than I do would take the
time to explain why I'm wrong, so I could explain to my superiors why
this doesn't work.

--
Erik Mallory
Server Analyst
Wichita State University
