ADFS and CAS Issue


David Abney

Apr 7, 2016, 9:30:34 AM4/7/16
to cas-...@apereo.org

I have updated to CAS 4.2.0 and I am trying to set up the integration between CAS and ADFS 2.0.  I believe I have the cas.properties file set up correctly with my information about our ADFS server.  I believe I have set up the ADFS relying party information correctly.  When I go to the CAS server I get redirected to the ADFS login page and I am authenticated by ADFS (so far so good), but I am redirected back to a blank CAS login page.  It doesn't appear to be in a redirect loop; I am sent back to the CAS login page URL, but the page is just blank.  Any thoughts on why this problem is occurring?  Could it be how I set up my claims being sent from ADFS?

 

The catalina.out file has this error message in it:

09:14:33.148 [http-bio-8443-exec-5] ERROR org.jasig.cas.support.wsfederation.web.flow.WsFederationAction - Validation credential cannot be null
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Validation credential cannot be null
        at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
        at org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl.validate(ApacheSantuarioSignatureValidationProviderImpl.java:51)
        at org.opensaml.xmlsec.signature.support.SignatureValidator.validate(SignatureValidator.java:54)
        at org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:242)
        at org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine.validate(BaseSignatureTrustEngine.java:198)
        at org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine.doValidate(ExplicitKeySignatureTrustEngine.java:108)
        at org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine.validate(BaseSignatureTrustEngine.java:105)
        at org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine.validate(BaseSignatureTrustEngine.java:62)
        at org.jasig.cas.support.wsfederation.WsFederationHelper.validateSignature_aroundBody4(WsFederationHelper.java:179)
        at org.jasig.cas.support.wsfederation.WsFederationHelper$AjcClosure5.run(WsFederationHelper.java:1)
        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
        at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
        at org.jasig.cas.support.wsfederation.WsFederationHelper.validateSignature(WsFederationHelper.java:157)
        at org.jasig.cas.support.wsfederation.web.flow.WsFederationAction.doExecute(WsFederationAction.java:107)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Flow.start(Flow.java:527)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
        at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:315)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

 

I am sending back the UPN from ADFS and we have ADFS working with other systems, so the UPN is not blank.  I did skip the part of the CAS setup where you can manipulate the claims coming from ADFS.

 

––––––––––––––––––––

David Abney

ITS Web Developer/Programmer

 

600 West Walnut Street

Danville, Kentucky 40422

859.238.5761

 


www.centre.edu

 

John Gasper

Apr 7, 2016, 10:16:45 AM4/7/16
to David Abney, cas-...@apereo.org
Hi David,

The null validation credential appears to be the signature credential. Did you copy the ADFS signing key over to CAS and point the config at the exported cert?

John

-- 
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef


--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/938486a38f3d424ca218e63fa6bb43f0%40Exchange-MB2.centre.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

David Abney

Apr 7, 2016, 3:39:00 PM4/7/16
to John Gasper, cas-...@apereo.org

Well, it turns out that I copied the ADFS settings into the cas.properties file twice, so it must have been using classpath:adfs-signing.crt instead of the setting above it that actually pointed to my ADFS certificate.  I removed the extra ADFS settings in the cas.properties file and I got a new error message:

 

15:34:34.692 [http-bio-8443-exec-2] ERROR org.jasig.cas.support.wsfederation.web.flow.WsFederationAction - WS Requested Security Token is blank or the signature is not valid.

 

So, I assume I grabbed the incorrect certificate from ADFS.  I will make sure to grab the signing certificate and try again and see what happens.

 

Thanks,

 

––––––––––––––––––––

David Abney

ITS Web Developer/Programmer

 

600 West Walnut Street

Danville, Kentucky 40422

859.238.5761

 


www.centre.edu
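The two mistakes in this thread (a key pasted twice into cas.properties, and a certificate that is not the ADFS token-signing certificate) are both cheap to catch before CAS is restarted. The script below is an added example, not code from the thread or from the CAS project. It assumes the CAS 4.2 property name cas.wsfed.idp.signingcerts for the signing certificate setting (the thread only shows the value classpath:adfs-signing.crt), uses a constructed, trimmed stand-in for an ADFS FederationMetadata.xml, and uses placeholder DER bytes that are not real X.509 certificates; the parsing and fingerprint comparison are what the example demonstrates. It does two things: reports duplicate keys and which value java.util.Properties would actually keep (the last one, which is how the placeholder path silently won), and tells you whether the certificate you exported matches a KeyDescriptor use="signing" entry in the metadata or only an encryption entry.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample cas.properties with the mistake from the thread: the same
# key appears twice. The key name is assumed for CAS 4.2 (illustration only).
SAMPLE_CAS_PROPERTIES = """\
cas.wsfed.idp.id=http://adfs.example.edu/adfs/services/trust
cas.wsfed.idp.signingcerts=file:/etc/cas/adfs-token-signing.crt
# ...the whole ADFS block pasted a second time further down:
cas.wsfed.idp.signingcerts=classpath:adfs-signing.crt
"""

_PROP_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Return {key: [value, ...]} preserving every occurrence of a key."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _PROP_LINE.match(line)
        if m:
            values.setdefault(m.group(1), []).append(m.group(2).strip())
    return values


def find_duplicate_keys(text):
    """Keys defined more than once, with all their values in file order."""
    return {k: v for k, v in parse_properties(text).items() if len(v) > 1}


def effective_value(text, key):
    """java.util.Properties.load() keeps the LAST occurrence of a key."""
    return parse_properties(text)[key][-1]


# Constructed placeholder DER bytes: NOT real certificates, just distinct
# byte strings so the fingerprint comparison below has something to compare.
SIGNING_DER = b"constructed-adfs-token-signing-cert"
ENCRYPTION_DER = b"constructed-adfs-encryption-cert"


def to_pem(der):
    """Wrap DER bytes in the PEM framing CAS expects in a .crt file."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def sha1_fingerprint(der):
    """SHA-1 over the DER encoding, the 'Thumbprint' shown in the ADFS console."""
    return hashlib.sha1(der).hexdigest().upper()


# Constructed, trimmed stand-in for FederationMetadata.xml: one encryption and
# one signing KeyDescriptor, as ADFS publishes them.
_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
_DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="{_MD_NS}" xmlns:ds="{_DS_NS}"
                  entityID="http://adfs.example.edu/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(ENCRYPTION_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def metadata_fingerprints(xml_text, use):
    """Fingerprints of every certificate under KeyDescriptor use=<use>."""
    root = ET.fromstring(xml_text)
    found = set()
    for kd in root.iter(f"{{{_MD_NS}}}KeyDescriptor"):
        if kd.get("use") != use:
            continue
        for cert in kd.iter(f"{{{_DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            found.add(sha1_fingerprint(der))
    return found


def classify_configured_cert(pem_text, xml_text):
    """'signing' if the exported cert is a token-signing cert, 'encryption' if
    the wrong (encryption) cert was exported, 'unknown' if it is neither."""
    fp = sha1_fingerprint(pem_to_der(pem_text))
    for use in ("signing", "encryption"):
        if fp in metadata_fingerprints(xml_text, use):
            return use
    return "unknown"


if __name__ == "__main__":
    for key, vals in find_duplicate_keys(SAMPLE_CAS_PROPERTIES).items():
        print(f"duplicate {key}: {vals} -> CAS will use {vals[-1]!r}")
    print("exported cert is:", classify_configured_cert(to_pem(ENCRYPTION_DER), SAMPLE_METADATA))
```

Run it against your real files by replacing the two constructed samples with the contents of cas.properties and the metadata fetched from the ADFS FederationMetadata endpoint; an "encryption" or "unknown" result explains a "signature is not valid" error before any token is exchanged.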

 

Tuấn Vũ Anh

Aug 23, 2016, 1:33:38 PM8/23/16
to CAS Community, jga...@unicon.net
I have the same error. I imported the ADFS signing.cer into the keystore and configured the certificate file for ADFS (C:/Keystore/signing.cer).
Please help me, and thank you for any help or idea that solves this error (sorry, I don't speak English well).

On Friday, April 8, 2016 at 02:39:00 UTC+7, david.abney wrote:
