Anyone using Ellucian Banner 9 apps with SAML on CAS?

Robert Bond

Feb 25, 2019, 5:16:42 PM
to CAS Community
I have encountered issues with Banner 9 using the CAS protocol on CAS version 6.0.0 and greater. See: https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/banner$209|sort:date/cas-user/5B_wPaG7oXA/b2IzHaw3BAAJ

I am going to try setting up some of the Banner 9 apps using the SAML protocol to avoid those issues. Does anyone have experience with Banner 9 and SAML?

The documentation from Ellucian is not great; I'm looking for some sample config if anyone can share.

Thanks! 

Matthew Uribe

Feb 25, 2019, 5:43:35 PM
to CAS Community
Robert,

We looked at going 100% SAML2 about a year ago, and Banner was the single sticking point for us. At this time, we are still using CAS 5, and the CAS protocol for Banner 9. It's good to know that there may be complications with CAS 6.

While we were trying to make Banner work with SAML2 (both via CAS 5, and via Okta), I found a pretty helpful guide on eCommunities, attached in this thread as a PDF: https://ecommunities.ellucian.com/message/190536#190536

My recollection of the experience is, like you say, Ellucian's documentation is not great, and the support for SAML seems to be an afterthought. Most SPs are pretty easy to set up, but not Banner 9. We got the self service apps working alright, but the Admin pages workaround, along with the excessive effort required to maintain the metadata after each application release, just proved to be too much for our small shop. I believe one or two people in this thread went live with SAML2 and Banner 9: https://ecommunities.ellucian.com/message/194959#194959

Matt

Jon Anderson

Feb 25, 2019, 6:12:02 PM
to cas-...@apereo.org
We're still using an old CAS with Banner 9, but will eventually be trying a new CAS as well.

As far as your other questions:
I don't think the TARGET parameter can go away.
SAMLart isn't actually part of the conversation, is it? I think it just tells Banner 9 to call /cas/samlValidate as opposed to /cas/validate when validating the service tickets.

Also double check your URLs, etc. in the Banner database:
select * from wtailor.twgbparm where twgbparm_param_name like 'IDM%';

Jon

From: 'Robert Bond' via CAS Community [cas-...@apereo.org]
Sent: Monday, February 25, 2019 4:16 PM
To: CAS Community
Subject: [cas-user] Anyone using ellucian banner 9 apps with saml on cas?

Robert Bond

Feb 27, 2019, 9:13:36 AM
to CAS Community
Hi Matt,
Thanks for your reply.

I think it might just be a bug currently. Looks like there have been some changes to how CAS selects MFA. It currently does not work for finding the service when it comes in using the TARGET= service method.
2019-02-25 09:47:54,016 DEBUG [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] - <No service is available to determine event for principal>
I have been trying to find what might be wrong by looking at the CAS code; sadly, I am not experienced enough with the CAS code to find what might be the problem. The service is correctly found if I change the query-string parameter from 'TARGET' to 'service'.

Relevant logs:
2019-02-25 09:47:54,010 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new execution of flow 'login' with input map['TARGET' -> 'https://appnav.dev.example.edu/applicationNavigator/j_spring_cas_security_check']>

2019-02-25 09:47:54,010 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - <Getting FlowDefinition with id 'login'>

2019-02-25 09:47:54,010 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - <Creating new execution of 'login'>

2019-02-25 09:47:54,010 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Starting in org.springframework.webflow.mvc.servlet.MvcExternalContext@70c7c555 with input map['TARGET' -> 'https://appnav.dev.example.edu/applicationNavigator/j_spring_cas_security_check']>

2019-02-25 09:47:54,010 DEBUG [org.springframework.webflow.engine.Flow] - <Creating [FlowVariable@77bd59b6 name = 'credential', valueFactory = [BeanFactoryVariableValueFactory@6eb4f0a4 type = UsernamePasswordCredential]]>

2019-02-25 09:47:54,014 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@82c979c expression = initialFlowSetupAction, resultExpression = [null]]>

2019-02-25 09:47:54,014 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@6c15605e>

2019-02-25 09:47:54,015 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@6c15605e; result = success>

2019-02-25 09:47:54,015 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@82c979c expression = initialFlowSetupAction, resultExpression = [null]]; result = success>

2019-02-25 09:47:54,015 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'initialAuthenticationRequestValidationCheck' of flow 'login'>

2019-02-25 09:47:54,015 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@3070b35d expression = initialAuthenticationRequestValidationAction, resultExpression = [null]]>

2019-02-25 09:47:54,015 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.login.InitialAuthenticationRequestValidationAction@5f4d5654>

2019-02-25 09:47:54,016 DEBUG [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] - <No service is available to determine event for principal>

2019-02-25 09:47:54,016 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>

2019-02-25 09:47:54,016 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
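
Added example, not part of the original post and not CAS project code: a small Python check that scans CAS DEBUG output like the lines above and reports each login flow in which the MFA event resolver logged that no service was available, along with the request parameter (TARGET or service) the flow was launched with. The sample log is constructed from the lines quoted above (the 'service' flow and its URL are invented for contrast), and flows are matched by line order, which assumes they are not interleaved.

```python
import re

# Constructed sample modelled on the DEBUG lines quoted in the post above.
# The second flow (launched with 'service') and its URL are invented for contrast.
SAMPLE_LOG = """\
2019-02-25 09:47:54,010 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new execution of flow 'login' with input map['TARGET' -> 'https://appnav.dev.example.edu/applicationNavigator/j_spring_cas_security_check']>
2019-02-25 09:47:54,016 DEBUG [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] - <No service is available to determine event for principal>
2019-02-25 09:48:10,120 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new execution of flow 'login' with input map['service' -> 'https://ssb.dev.example.edu/login/cas']>
2019-02-25 09:48:10,131 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
"""

# Start of a login flow, with the request parameters Spring Web Flow received.
LAUNCH = re.compile(
    r"^(\S+ \S+) DEBUG \[[^\]]+FlowExecutorImpl\] - "
    r"<Launching new execution of flow 'login' with input map\[(.*)\]>$"
)
# 'name' -> 'value' entries inside map[...]; a comma-separated list is assumed
# when more than one parameter is present.
PAIR = re.compile(r"'([^']+)' -> '([^']*)'")
NO_SERVICE = "<No service is available to determine event for principal>"


def flows_without_service(log_text):
    """Return one dict per login flow in which the MFA resolver saw no service.

    The quoted lines carry no thread or session id, so a resolver message is
    attributed to the most recent flow launch before it.
    """
    findings, current = [], None
    for line in log_text.splitlines():
        m = LAUNCH.match(line)
        if m:
            current = {"time": m.group(1), "params": dict(PAIR.findall(m.group(2)))}
            continue
        if current and "MultifactorAuthenticationProvider" in line and NO_SERVICE in line:
            findings.append(current)
            current = None  # report each flow once
    return findings


if __name__ == "__main__":
    for f in flows_without_service(SAMPLE_LOG):
        print(f["time"], "no service resolved; parameters:", f["params"])
```
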