Problem integrating CAS 5.2.2 with WS Federation Identity Provider


Steffen Fenger

Feb 2, 2018, 8:00:56 AM
to CAS Community
Hello,


I would like to configure a WS Federation Identity Provider with the CAS Maven WAR Overlay. I added two dependencies to pom.xml,

based on this article: https://apereo.github.io/cas/5.2.x/protocol/WS-Federation-Protocol.html#

        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ws-sts</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ws-idp</artifactId>
            <version>${cas.version}</version>
        </dependency>

The CAS application starts with the following error:

Log file:

2018-02-02 13:35:01,533 WARN [org.apereo.cas.web.CasWebApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casReportsConfiguration': Unsatisfied dependency expressed through field 'cas3ServiceSuccessView'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casValidationConfiguration': Unsatisfied dependency expressed through field 'centralAuthenticationService'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'centralAuthenticationService' defined in class path resource [org/apereo/cas/config/CasCoreConfiguration.class]: Unsatisfied dependency expressed through method 'centralAuthenticationService' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationServiceSelectionPlan' defined in class path resource [org/apereo/cas/config/CasCoreConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationServiceSelectionPlan' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'coreWsSecurityIdentityProviderConfiguration': Unsatisfied dependency expressed through field 'loginFlowDefinitionRegistry'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casWebflowContextConfiguration': Unsatisfied dependency expressed through field 'registeredServiceViewResolver'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casThemesConfiguration': Unsatisfied dependency expressed through field 'authenticationRequestServiceSelectionStrategies'; nested exception is 
org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'authenticationServiceSelectionPlan': Requested bean is currently in creation: Is there an unresolvable circular reference?>
2018-02-02 13:35:04,075 ERROR [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <

***************************
APPLICATION FAILED TO START
***************************

Description:

The dependencies of some of the beans in the application context form a cycle:

   casReportsConfiguration (field private org.springframework.web.servlet.View org.apereo.cas.web.report.config.CasReportsConfiguration.cas3ServiceSuccessView)
      ↓
   casValidationConfiguration (field private org.apereo.cas.CentralAuthenticationService org.apereo.cas.web.config.CasValidationConfiguration.centralAuthenticationService)
      ↓
   centralAuthenticationService defined in class path resource [org/apereo/cas/config/CasCoreConfiguration.class]
┌─────┐
|  authenticationServiceSelectionPlan defined in class path resource [org/apereo/cas/config/CasCoreConfiguration.class]
↑     ↓
|  coreWsSecurityIdentityProviderConfiguration (field private org.springframework.webflow.definition.registry.FlowDefinitionRegistry org.apereo.cas.config.CoreWsSecurityIdentityProviderConfiguration.loginFlowDefinitionRegistry)
↑     ↓
|  casWebflowContextConfiguration (field private org.springframework.web.servlet.ViewResolver org.apereo.cas.web.flow.config.CasWebflowContextConfiguration.registeredServiceViewResolver)
↑     ↓
|  casThemesConfiguration (field private org.apereo.cas.authentication.AuthenticationServiceSelectionPlan org.apereo.cas.services.web.config.CasThemesConfiguration.authenticationRequestServiceSelectionStrategies)


Thanks for your time.

AT

Feb 16, 2018, 10:47:39 PM
to CAS Community
I am getting the same error in version 5.2.2.
(Btw, I was under the impression the cas-server-support-ws-sts dependency is not needed.)

Any suggestion would be greatly appreciated.

Man H

Feb 19, 2018, 2:53:50 PM
to cas-...@apereo.org
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-ws-sts</artifactId>
  <version>${cas.version}</version>
</dependency>


YAGNI

You do not need to explicitly include this component in your configuration and overlays. This is just to teach you that it exists. The security token service will be pulled in automatically once you declare the identity provider. Only include this module in your overlay if you need compile-time access to the components within.



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/165a9895-2171-4592-8f70-e85fc260bb7c%40apereo.org.


AT

Feb 20, 2018, 9:21:20 AM
to CAS Community
So it works under 5.3.0-RC2.

CAS autogenerates the encryption/signing keys (still not sure how to add them to the keystore permanently).

But at this point I would like to test my IdP; usually, from what I understand, the IdP needs to provide:

  • The Federation Service Identifier of the ADFS server, which is located on the main ADFS properties dialog in the ADFS management application.
  • The WS-Federation Passive endpoint for the ADFS server. The format is usually "https://myadfsserver.com/adfs/ls/" or similar. It is located in the ADFS management application, under the Endpoints section.

What are the corresponding URLs for the CAS server?

Thank you.

Seb

Feb 21, 2018, 3:53:21 PM
to CAS Community

Hello,

Same problem as Steffen with 5.2.2;

the problem is still alive with 5.3.0-RC2.

AT, can you share your cas.properties and your pom.xml?

thank you

Misagh Moayyed

Feb 21, 2018, 3:57:00 PM
to cas-...@apereo.org
Do you see the same problem with 5.2.3-SNAPSHOT? 

--Misagh



Seb

Feb 21, 2018, 4:55:39 PM
to CAS Community, mmoa...@unicon.net
It is better with 5.2.3-SNAPSHOT.

Now I have this error:

WARN [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'scopedTarget.casRealm' defined in class path resource [org/apereo/cas/config/CoreWsSecuritySecurityTokenServiceConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.cxf.sts.token.realm.RealmProperties]: Factory method 'casRealm' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Keystore file, password or alias assigned to the realm must be defined>

2018-02-21 22:51:33,971 WARN [org.apereo.cas.util.io.PathWatcherService] - <Directory key is no longer valid. Quitting watcher service>

2018-02-21 22:51:34,015 ERROR [org.springframework.boot.SpringApplication] - <Application startup failed>

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'scopedTarget.casRealm' defined in class path resource [org/apereo/cas/config/CoreWsSecuritySecurityTokenServiceConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.cxf.sts.token.realm.RealmProperties]: Factory method 'casRealm' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Keystore file, password or alias assigned to the realm must be defined


Any Help?


Thank you

AT

Apr 19, 2018, 9:03:32 PM
to CAS Community, sre...@cdg33.fr
My cas.properties:

cas.server.prefix: https://xxxx/xxx

cas.serviceRegistry.initFromJson=true

cas.authn.wsfedIdp.idp.realm=urn:org:apereo:cas:ws:idp:realm-CAS
cas.authn.wsfedIdp.idp.realmName=CAS


cas.authn.wsfedIdp.sts.signingKeystoreFile=
cas.authn.wsfedIdp.sts.signingKeystorePassword=
cas.authn.wsfedIdp.sts.encryptionKeystoreFile=
cas.authn.wsfedIdp.sts.encryptionKeystorePassword=

# cas.authn.wsfedIdp.sts.subjectNameIdFormat=unspecified
cas.authn.wsfedIdp.sts.encryptTokens=false


cas.authn.wsfedIdp.sts.realm.keystoreFile=/etc/cas/configadvise/stscasrealm.jks
cas.authn.wsfedIdp.sts.realm.keystorePassword=storepass
cas.authn.wsfedIdp.sts.realm.keystoreAlias=realmcas
cas.authn.wsfedIdp.sts.realm.keyPassword=storepass
cas.authn.wsfedIdp.sts.crypto.enabled=false
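The startup failure Seb quoted ("Keystore file, password or alias assigned to the realm must be defined") and the cas.properties above both come down to which STS keystore settings are populated. As an added example (not CAS code; the property names are the ones used in this thread), here is a small lint that parses a properties fragment and reports the realm keystore settings that are missing, plus keystore file/password pairs that are set inconsistently. The requirement that the three realm keys be present is taken from the error message itself; the pair rule is an assumption.

```python
"""Lint a cas.properties fragment for the WS-Fed STS keystore settings."""
import re

# The three realm settings named in the STS startup error.
REALM_REQUIRED = (
    "cas.authn.wsfedIdp.sts.realm.keystoreFile",
    "cas.authn.wsfedIdp.sts.realm.keystorePassword",
    "cas.authn.wsfedIdp.sts.realm.keystoreAlias",
)
# Assumption: a keystore file without its password (or vice versa) is a misconfiguration.
PAIRS = (
    ("cas.authn.wsfedIdp.sts.signingKeystoreFile", "cas.authn.wsfedIdp.sts.signingKeystorePassword"),
    ("cas.authn.wsfedIdp.sts.encryptionKeystoreFile", "cas.authn.wsfedIdp.sts.encryptionKeystorePassword"),
)


def parse_properties(text):
    """Minimal Java-properties parser: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # commented-out keys are treated as absent
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_realm_config(text):
    """Return a list of human-readable problems; empty list means the fragment passes."""
    props = parse_properties(text)
    problems = [f"missing or empty: {k}" for k in REALM_REQUIRED if not props.get(k)]
    for file_key, pw_key in PAIRS:
        if bool(props.get(file_key)) != bool(props.get(pw_key)):
            problems.append(f"{file_key} and {pw_key} must be set together")
    return problems


# Constructed fragments modelled on the two configurations posted in this thread.
REALM_SET = """
cas.server.prefix: https://cas.example.test/cas
cas.authn.wsfedIdp.sts.signingKeystoreFile=
cas.authn.wsfedIdp.sts.signingKeystorePassword=
cas.authn.wsfedIdp.sts.realm.keystoreFile=/etc/cas/config/stscasrealm.jks
cas.authn.wsfedIdp.sts.realm.keystorePassword=storepass
cas.authn.wsfedIdp.sts.realm.keystoreAlias=realmcas
"""
REALM_COMMENTED = """
cas.authn.wsfedIdp.sts.signingKeystoreFile=/etc/cas/config/ststrust.jks
# cas.authn.wsfedIdp.sts.realm.keystoreFile=/etc/cas/config/stscasrealm.jks
# cas.authn.wsfedIdp.sts.realm.keystorePassword=storepass
# cas.authn.wsfedIdp.sts.realm.keystoreAlias=realmcas
"""

if __name__ == "__main__":
    for name, frag in (("realm set", REALM_SET), ("realm commented out", REALM_COMMENTED)):
        print(name, "->", check_realm_config(frag) or "ok")
```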

AT

Apr 19, 2018, 9:05:18 PM
to CAS Community, sre...@cdg33.fr
Here is my pom.xml.

AT

Apr 23, 2018, 3:50:22 PM
to CAS Community, sre...@cdg33.fr
So, to summarize, why is CAS showing the error "Application not authorized" when I try to go to the URL https://mycasserver/ws/idp/federation?


AT

Apr 24, 2018, 5:47:31 PM
to CAS Community, sre...@cdg33.fr

The error that I see in the logs:

WARN [org.apache.cxf.phase.PhaseInterceptorChain] - <Application {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now>
org.apache.cxf.interceptor.Fault: object is not an instance of declaring class while invoking public javax.xml.transform.Source org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(javax.xml.transform.Source) with params [org.apache.cxf.staxutils.StaxSource@161e9950].
        at org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:166) ~[cxf-core-3.2.1.jar:3.2.1]
        at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.createFault(AbstractJAXWSMethodInvoker.java:267) ~[cxf-rt-frontend-jaxws-3.2.1.jar:3.2.1]
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:140) ~[cxf-core-3.2.1.jar:3.2.1]
 

AT

Apr 27, 2018, 7:44:48 AM
to CAS Community, sre...@cdg33.fr
Are the log entries before the error normal? Is it OK that no service can be extracted? Any suggestion would be useful at this point. Thank you.

2018-04-27 06:34:11,481 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>
2018-04-27 06:34:11,481 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.>
2018-04-27 06:34:11,506 DEBUG [org.apache.wss4j.dom.processor.TimestampProcessor] - <Found Timestamp list element>
2018-04-27 06:34:11,506 DEBUG [org.apache.wss4j.common.util.DateUtil] - <Validation of Created: Everything is ok>
2018-04-27 06:34:11,506 DEBUG [org.apache.wss4j.dom.processor.UsernameTokenProcessor] - <Found UsernameToken list element>
2018-04-27 06:34:11,508 DEBUG [org.apereo.cas.util.EncodingUtils] - <Decrypting value...>
2018-04-27 06:34:11,519 WARN [org.apache.cxf.phase.PhaseInterceptorChain] - <Application {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now>
org.apache.cxf.interceptor.Fault: object is not an instance of declaring class while invoking public javax.xml.transform.Source org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(javax.xml.transform.Source) with params [org.apache.cxf.staxutils.StaxSource@5056ac0].
        at org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:166) ~[cxf-core-3.2.2.jar:3.2.2]
        at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.createFault(AbstractJAXWSMethodInvoker.java:267) ~[cxf-rt-frontend-jaxws-3.2.2.jar:3.2.2]
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:140) ~[cxf-core-3.2.2.jar:3.2.2]
        at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:232) ~[cxf-rt-frontend-jaxws-3.2.2.jar:3.2.2]
        at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:85) ~[cxf-rt-frontend-jaxws-3.2.2.jar:3.2.2]
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:74) ~[cxf-core-3.2.2.jar:3.2.2]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) ~[cxf-core-3.2.2.jar:3.2.2]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_121]

AT

May 3, 2018, 11:43:18 AM
to CAS Community, sre...@cdg33.fr
There are some encryption parameters that I have tried, but I am not sure what they do. I generated my own JKS files with the Java keytool and placed them at the specified locations. Do these settings have anything to do with the CXF error above? Maybe; I tried to generate JKS files with keytool (otherwise the server does not start), but am I doing it wrong?


# Generate an RSA key pair under alias "realmcas" in the STS realm keystore
keytool -genkey -alias realmcas -keyalg RSA -validity 10800 -keystore stscasrealm.jks
# Export the certificate for that alias (the alias must match the one created above)
keytool -export -alias realmcas -keystore stscasrealm.jks -rfc -file X509_certificate.cer


cas.authn.wsfedIdp.idp.realm=urn:org:apereo:cas:ws:idp:realm-CAS
cas.authn.wsfedIdp.idp.realmName=CAS

cas.authn.wsfedIdp.sts.signingKeystoreFile=/etc/cas/config/ststrust.jks
cas.authn.wsfedIdp.sts.signingKeystorePassword=storepass
cas.authn.wsfedIdp.sts.encryptionKeystoreFile=/etc/cas/config/stsencrypt.jks
cas.authn.wsfedIdp.sts.encryptionKeystorePassword=storepass

# cas.authn.wsfedIdp.sts.subjectNameIdFormat=unspecified
# cas.authn.wsfedIdp.sts.encryptTokens=true

# cas.authn.wsfedIdp.sts.realm.keystoreFile=/etc/cas/config/stscasrealm.jks
# cas.authn.wsfedIdp.sts.realm.keystorePassword=storepass
# cas.authn.wsfedIdp.sts.realm.keystoreAlias=realmcas
# cas.authn.wsfedIdp.sts.realm.keyPassword=cas
# cas.authn.wsfedIdp.sts.realm.issuer=CAS

Alin Tomoiaga

May 8, 2018, 10:05:34 AM
to CAS Community, sre...@cdg33.fr
I got a reply from one of the Apereo developers and he did not rule out the possibility of a bug; he advised I should stand up CAS in debug mode, which I will work on.

Alin Tomoiaga

May 11, 2018, 1:38:26 PM
to CAS Community, sre...@cdg33.fr
Brought up CAS under debug mode:

- the error happens in org.apache.cxf.ws.security.trust.AbstractSTSClient.issue() at this line:
Object[] obj = this.client.invoke(boi, new Object[]{new DOMSource(writer.getDocument().getDocumentElement())});

The error is:
org.apache.cxf.binding.soap.SoapFault: object is not an instance of declaring class while invoking public javax.xml.transform.Source org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider.invoke(javax.xml.transform.Source) with params [org.apache.cxf.staxutils.StaxSource@601c0935].


Alin Tomoiaga

May 11, 2018, 2:09:55 PM
to CAS Community, sre...@cdg33.fr
[Inline image attachment; not reproduced here.]

Alin Tomoiaga

May 25, 2018, 9:16:06 AM
to CAS Community, sre...@cdg33.fr
One correction:

In the CXF sources, it is not
Object[] obj = this.client.invoke(boi, new Object[]{new DOMSource(writer.getDocument().getDocumentElement())});

Instead it's:

Object obj[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));

Beniamin Marcu

Oct 30, 2018, 11:01:18 AM
to CAS Community, sre...@cdg33.fr, ali...@gmail.com
Hi Alin, 

Have you been able to start the CAS server with the generated keys? How did you manage to generate the required keystore files and the stscasrealm.jks in the end?
Please advise. I have been dealing with this for over a week and I'm not able to start the CAS server with WS-Fed support.

thank you so much.
Beni

Alin Tomoiaga

Oct 30, 2018, 12:28:52 PM
to CAS Community, sre...@cdg33.fr, ali...@gmail.com
Hi Beni,

This has been a very frustrating issue and I have never managed to get it working correctly.
Interestingly, different CAS versions error out, but with different errors: 5.1.9 seemed to get past this CXF error but had another problem.
(On the other hand, SAML support worked like a charm with various CAS versions.)
I generated the keystore using keytool, but at this point I am pretty sure this CXF error is a bug...

I would still like to get it working so still open to suggestions.


Beniamin Marcu

Oct 30, 2018, 1:01:15 PM
to CAS Community, ali...@gmail.com
I think I'm not going to dig more into it. It looks too much like a rabbit hole. I was giving a thought to Fediz IdP from Apache, which is basically what is used in CAS.
I'm running out of time to prove this one out, and I'm going to leave it.
Thank you for your reply.