Unable to recognize JSON entry for service ticket request from our Ellucian Banner service with CAS 6.1.x


crdaudt

Jan 23, 2020, 5:24:13 PM
to CAS Community
We have had our Ellucian Banner service authenticating users through our CAS 5.2.2 service for several years, and are now attempting to migrate to our CAS 6.1.3 service.  However, CAS does not recognize the JSON entry that we have in place for Banner.  I believe the issue is related to the fact that the service ticket request includes the parameter "TARGET=..." rather than "service=..." in the URL, i.e.:
rather than:
https://our.cas.server.edu/cas/login?service=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
If I manually replace 'TARGET=' with 'service=', the JSON entry is recognized and a service ticket is created.  However, the banner service itself fails to do anything with the service ticket.

Let me reiterate that the same JSON entry worked in our CAS 5 environment, but fails to work in our CAS 6.1 environment.

Any ideas?
Carl

Ray Bon

Jan 23, 2020, 5:48:01 PM
to cas-...@apereo.org
Carl,

TARGET is used with SAML 1.1 protocol (which Banner uses), service with CAS protocol(s).
What is your service Id?
It is odd that it works with service= and not TARGET=.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

crdaudt

Jan 23, 2020, 6:09:49 PM
to CAS Community
{
  "serviceId": "^http(s)?://our_banner_server\\.taylor(u)?\\.edu(/.*)?$",
  "name": "TOWER -- services",
  (and so forth)

crdaudt

Jan 23, 2020, 6:32:58 PM
to CAS Community
Here is the entire JSON file (using the real server names, but blanking out the "memberOf" security groups):
---BEGIN---
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^http(s)?://servicespre\\.taylor(u)?\\.edu(/.*)?$",
  "name": "TOWER -- services",
  "id": 11000904,
  "description": "You are authenticating to ___servicespre.taylor.edu___",
  "evaluationOrder": 104,
  "accessStrategy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "unauthorizedRedirectUrl" : "https://sso.taylor.edu/cas_access_denied/bannersso.html",
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" :
    {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx", "CN=xx2,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx" (and so forth...) ] ]
    }
  },
  "usernameAttributeProvider":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "LOWER"
  },
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}
---END---

Ray Bon

Jan 23, 2020, 7:10:16 PM
to cas-...@apereo.org
Carl,

Do you have saml support enabled:
compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"

Ray

crdaudt

Jan 24, 2020, 8:22:41 AM
to CAS Community
Yes, that line is included in my build.gradle file.

crdaudt

Jan 24, 2020, 8:39:54 AM
to CAS Community
Oh, no -- What I have is the following.  I have:
compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
  ...but I do not have:
compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"

I will let you know what I find after adding, re-building, and testing.

Carl

crdaudt

Jan 24, 2020, 9:42:06 AM
to CAS Community
Adding org.apereo.cas:cas-server-support-saml to the build certainly made a difference:  CAS now recognizes the JSON entry for our Ellucian Banner related service.

Unfortunately, I am still not out of the woods.  The Banner service is now reporting "HTTP Status 500 - org.jasig.cas.client.validation.TicketValidationException: No assertions found."
From looking at the cas.log, it seems that CAS has the correct information for me (UDC_IDENTIFIER, sAMAccountName (same as my UDC_IDENTIFIER), displayName, mail, and memberOf (security groups I belong to)).  My assumption is that the last few lines of my json file should release all of these to Banner, i.e., the following lines:
---LAST FEW LINES---
  "usernameAttributeProvider":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "LOWER"
  },
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}
---END LAST FEW LINES---

Thanks for getting me over an important hurdle with getting saml support into the build.

I would appreciate some ideas for how to satisfy the Ellucian Banner service with the required assertions.

Carl

mba...@scad.edu

Jan 24, 2020, 10:01:28 AM
to CAS Community
Carl,

I have this working with 6.0.x  But I'm limiting the release to just UDC_IDENTIFIER like this:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": true,
    "authorizedToReleaseAuthenticationAttributes": false,
    "allowedAttributes": [ "java.util.ArrayList", [ "UDC_IDENTIFIER" ] ]
  }

and I have ticketidSaml2=false in my cas.properties file:

cas.samlCore.ticketidSaml2=false


-Mike

crdaudt

Jan 24, 2020, 11:06:46 AM
to CAS Community
Thanks Mike.  Unfortunately, using the attributeReleasePolicy you stated in my JSON file and the ticketidSaml2=false setting in my cas.properties made no difference.
I am grasping for any ideas, and appreciate your jumping in with them.
Carl

Ray Bon

Jan 24, 2020, 12:11:21 PM
to cas-...@apereo.org
Carl,

This debug line will let you know what is being returned:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray

crdaudt

Jan 24, 2020, 3:55:30 PM
to CAS Community
Hmmm, no debug lines are being added to the log.  Either I do not have the debug line entered correctly in log4j2.xml, or none of these attributes are being released.
Here is a portion of my log4j2.xml:

---BEGIN PORTION OF log4j2.xml---
...
        <AsyncLogger name="com.couchbase" level="warn" includeLocation="true"/>
        <AsyncLogger name="de.codecentric" level="${sys:spring.boot.admin.log.level}" includeLocation="true"/>
        <AsyncLogger name="net.jradius" level="warn" includeLocation="true" />
        <AsyncLogger name="org.openid4java" level="warn" includeLocation="true" />
        <AsyncLogger name="org.ldaptive" level="${sys:ldap.log.level}" includeLocation="true"/>
        <AsyncLogger name="com.hazelcast" level="${sys:hazelcast.log.level}" includeLocation="true"/>

        <!-- following line added by CRDaudt 20200124 on recommendation by cas-user forum post -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug" includeLocation="true"/>

        <!-- Log audit to all root appenders, and also to audit log (additivity is not false) -->
        <AsyncLogger name="org.apereo.inspektr.audit.support" level="debug" includeLocation="true" >
            <AppenderRef ref="casAudit"/>
        </AsyncLogger>

        <!-- All Loggers inherit appenders specified here, unless additivity="false" on the Logger -->
        <AsyncRoot level="warn">
            <AppenderRef ref="casFile"/>
...
---END PORTION OF log4j2.xml---

Carl

Ray Bon

Jan 24, 2020, 7:55:25 PM
to cas-...@apereo.org
There should be output right after the audit line, SERVICE_TICKET_VALIDATED.

You could also set cas.log.level to debug or trace.

Ray

crdaudt

Jan 27, 2020, 3:28:04 PM
to CAS Community
Okay, my issue is resolved.  I had inadvertently left a local host entry that was pointing my server for Ellucian Banner applications to the wrong CAS host (oops!).

In summary:

--I now have included the following two lines in my build.gradle file for building the war file (Thanks Ray):
  compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
  compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
The first line was already in the build, but I also needed the second line.
Let me point out that without the second line compiled into the build, there were no warnings present in the log to indicate that my cas build was not equipped to handle a "...TARGET=..." saml request that was being made from the Ellucian Banner SSO service provider.  Does it make sense for cas to be designed to detect and log this fact with a warning?

--I am not sure that the following is necessary, but I have also included the following in cas.properties as recommended by Mike:
  cas.samlCore.ticketidSaml2=false

--Contrary to Mike's recommendation I am not limiting my attribute release to "udc_identifier", because we also need the LDAP "member_of" attribute in order to limit our authorization of CAS logins to a subset of our users.  Currently, I am using the following in our JSON entry for Banner:
---BEGIN---
...
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
...
---END---
Perhaps I need to trim this down.

--As might be predicted, the DEBUG lines suggested by Ray were important in figuring out what was happening.

Thank you Ray and Mike for your assistance in leading me to a quick fix.

Take care,
Carl
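As an added illustration (not code from this thread or from CAS itself) of the registry lookup the thread circles around: a Python model that tells a SAML 1.1 `TARGET=` request apart from a CAS-protocol `service=` one, matches it against the serviceId regex from Carl's JSON, and shows why a build without SAML 1.1 support leaves the request unrecognized. The CAS and Banner URLs are constructed, and the "TARGET is never read without the saml module" behaviour is an assumption modelled on the thread's outcome.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed service definition, modelled on the Banner entry posted in this thread
# (same serviceId regex and name); trimmed to the fields the lookup needs.
BANNER_SERVICE = json.loads(r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^http(s)?://servicespre\\.taylor(u)?\\.edu(/.*)?$",
  "name": "TOWER -- services",
  "evaluationOrder": 104,
  "attributeReleasePolicy": {"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"}
}''')

# Constructed login requests: Banner's SAML 1.1 style (TARGET=) and the CAS-protocol style (service=).
SAML_LOGIN_URL = ("https://our.cas.server.edu/cas/login?TARGET="
                  "https%3A%2F%2Fservicespre.taylor.edu%2FEmployeeSelfService%2Flogin%2Fcas")
CAS_LOGIN_URL = SAML_LOGIN_URL.replace("TARGET=", "service=")


def identify_request(login_url):
    """Return (protocol, service_url). CAS clients send service=, SAML 1.1 clients send TARGET=."""
    query = parse_qs(urlparse(login_url).query)
    if "service" in query:
        return "cas", query["service"][0]
    if "TARGET" in query:
        return "saml1", query["TARGET"][0]
    return None, None


def resolve(login_url, services, saml_support_enabled=True):
    """Mimic the registry lookup and report why a request is or is not recognized."""
    protocol, service_url = identify_request(login_url)
    if protocol is None:
        return {"outcome": "unrecognized", "reason": "no service or TARGET parameter"}
    if protocol == "saml1" and not saml_support_enabled:
        # Assumption modelled on the thread: without cas-server-support-saml in the build,
        # TARGET is never read, so the request looks like a plain /login and nothing is logged.
        return {"outcome": "unrecognized", "protocol": protocol,
                "reason": "TARGET ignored: SAML 1.1 support not in build"}
    # Lower evaluationOrder wins; the regex in the thread is anchored, so search == full match.
    for svc in sorted(services, key=lambda s: s.get("evaluationOrder", 0)):
        if re.search(svc["serviceId"], service_url):
            policy = svc.get("attributeReleasePolicy", {}).get("@class", "")
            return {"outcome": "matched", "protocol": protocol, "service": svc["name"],
                    # Flag ReturnAll so an over-broad release policy is visible at review time.
                    "releases_all_attributes": policy.endswith("ReturnAllAttributeReleasePolicy")}
    return {"outcome": "unrecognized", "protocol": protocol, "reason": "no serviceId regex matched"}
```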