CAS as IDP for AzureAD (WS Federation)


Enrique Guerrero

Jan 19, 2022, 11:10:59 AM
to CAS Community
Hi there.

I want to use my custom CAS instance (v.6.4.4.1) as IDP for AzureAD. I would like to authenticate users from a certain domain which I configure in AzureAD against my CAS.

It's necessary to configure the integration through the WS-Fed protocol (not SAML), because the authentication would happen during the users' login on their Windows laptops.

I configured my CAS as follows:

        1. Enabling following dependencies in build.gradle file:

                compile "org.apereo.cas:cas-server-support-ws-sts:${casServerVersion}"
                compile "org.apereo.cas:cas-server-support-ws-idp:${casServerVersion}"

        2. Including following properties in cas.properties file:

                #################
                # Ws Federation #
                #################
                cas.authn.wsfed-idp.idp.realm=urn:org:apereo:cas:ws:idp:realm-CAS
                cas.authn.wsfed-idp.idp.realm-name=CAS

                cas.authn.wsfed-idp.sts.signing-keystore-file=/etc/cas/ws/ststrust.jks
                cas.authn.wsfed-idp.sts.signing-keystore-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.encryption-keystore-file=/etc/cas/config/stsencrypt.jks
                cas.authn.wsfed-idp.sts.encryption-keystore-password=<PASSWORD>

                cas.authn.wsfed-idp.sts.subject-name-id-format=unspecified
                cas.authn.wsfed-idp.sts.subject-name-qualifier=http://cxf.apache.org/sts
                cas.authn.wsfed-idp.sts.encrypt-tokens=true
                cas.authn.wsfed-idp.sts.sign-tokens=true

                cas.authn.wsfed-idp.sts.conditions-accept-client-lifetime=true
                cas.authn.wsfed-idp.sts.conditions-fail-lifetime-exceedance=false
                cas.authn.wsfed-idp.sts.conditions-future-time-to-live=PT60S
                cas.authn.wsfed-idp.sts.conditions-lifetime=PT30M
                cas.authn.wsfed-idp.sts.conditions-max-lifetime=PT12H

                cas.authn.wsfed-idp.sts.realm.keystore-file=/etc/cas/ws/stscasrealm.jks
                cas.authn.wsfed-idp.sts.realm.keystore-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.realm.keystore-alias=<CUSTOM_CAS_ALIAS>
                cas.authn.wsfed-idp.sts.realm.key-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.realm.issuer=CAS

        3. CAS MongoDB client:

                {
                    "_id" : 290,
                    "_class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
                    "serviceId" : "https://login.microsoftonline.com/login.srf",
                    "realm" : "urn:federation:MicrosoftOnline",
                    "name" : "WSFED",
                    "attributeReleasePolicy" : {
                        "_class" : "org.apereo.cas.ws.idp.services.WSFederationClaimsReleasePolicy",
                        "allowedAttributes" : {
                            "EMAIL_ADDRESS_2005" : [
                                "email"
                            ],
                            "GIVEN_NAME" : [
                                "givenName"
                            ],
                            "COMMON_NAME" : [
                                "cn"
                            ],
                            "SURNAME" : [
                                "sn"
                            ],
                            "PUID" : [
                                "uid"
                            ]
                        }
                    },
                    "tokenType" : "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                }

        4. After that, the following endpoints have been enabled in my web CAS instance:

                https://<CUSTOM_CAS_ALIAS>/cas/ws/idpmetadata
                https://<CUSTOM_CAS_ALIAS>/cas/ws/idp/federation
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl=ws-trust-1.4.wsdl


I don't know much about the WsFed protocol, and looking for some login service URL in https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl I didn't find any clue.

Do you know what the CAS WsFed login service URL is that needs to be used for this purpose? I tried with https://<CUSTOM_CAS_ALIAS>/cas/ws/idp/federation (the CAS documentation says "Endpoint to receive initial GET authentication requests from clients, typically identified as the issuer." at https://apereo.github.io/cas/6.3.x/protocol/WS-Federation-Protocol.html). But when Microsoft attempts to redirect to CAS I get the message "Application Not Authorized to Use CAS". CAS logs this message at that point:


2022-01-19 16:11:38,419 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2022-01-19 16:11:51,856 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [null] is not found in service registry.>
2022-01-19 16:12:35,203 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [25] service(s) from [JsonServiceRegistry,MongoDbServiceRegistry].>


Probably I need to configure the CAS MongoDB client better? Do I need to use another CAS WsFed login service URL? Some other issue?

Thanks so much for your support!
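The request that Azure AD sends to the federation endpoint is a WS-Federation passive sign-in request: a GET carrying wa=wsignin1.0, wtrealm (the relying party's realm, for Azure AD urn:federation:MicrosoftOnline), wreply (the URL the token is posted back to) and wctx (opaque state). The registered-service document in the post exists so that the IdP can map those two parameters to an authorized service; when nothing maps, the request is refused, which is the class of failure the "Service [null] is not found in service registry" log line describes. The following is an added example, not code from the post or from CAS: it parses such a request and checks it against a copy of the posted service entry. The matching rule (wtrealm must equal the service's `realm`, wreply must fully match the `serviceId` regex, and a request without wreply is refused) is this example's own policy rather than a description of CAS internals, and the host cas.example.org and the sample request URLs are constructed. It is meant as a way to see which parameter is missing or mismatched in a captured redirect, not as a diagnosis of the poster's configuration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the registered-service document in the post; only the
# fields that matter for routing a sign-in request are kept.
REGISTERED_SERVICES = [
    {
        "name": "WSFED",
        "serviceId": r"https://login.microsoftonline.com/login.srf",
        "realm": "urn:federation:MicrosoftOnline",
    },
]

WA_SIGNIN = "wsignin1.0"


def parse_wsfed_request(url):
    """Extract the WS-Federation passive-requestor parameters from a request URL.

    wa selects the action, wtrealm names the relying party, wreply is where the
    token is returned and wctx is opaque state echoed back. Missing values are
    returned as None so a caller can see exactly what the relying party omitted.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(key):
        return query[key][0] if query.get(key) else None

    return {k: first(k) for k in ("wa", "wtrealm", "wreply", "wctx")}


def find_registered_service(req, services=REGISTERED_SERVICES):
    """Return the service entry authorized for this request, or None.

    Assumed rule (this example's, not CAS's): wtrealm must equal the service
    realm and wreply must match the serviceId regex. re.fullmatch is used on
    purpose: the unescaped '.' characters in the posted serviceId are regex
    metacharacters, and an unanchored search would also accept URLs that merely
    start with the expected value. A request without wreply is refused here.
    """
    if req.get("wa") != WA_SIGNIN or not req.get("wtrealm") or not req.get("wreply"):
        return None
    for svc in services:
        if svc["realm"] == req["wtrealm"] and re.fullmatch(svc["serviceId"], req["wreply"]):
            return svc
    return None


def diagnose(url, services=REGISTERED_SERVICES):
    """Explain in one line why a sign-in request would or would not be served."""
    req = parse_wsfed_request(url)
    missing = [k for k in ("wa", "wtrealm", "wreply") if not req.get(k)]
    if missing:
        return "reject: missing parameter(s) " + ", ".join(missing)
    if req["wa"] != WA_SIGNIN:
        return "reject: unsupported wa=%s" % req["wa"]
    svc = find_registered_service(req, services)
    if svc is None:
        return "reject: no registered service for wtrealm=%s wreply=%s" % (
            req["wtrealm"], req["wreply"])
    return "ok: request is for registered service %s" % svc["name"]


# Constructed sample requests against a hypothetical CAS host (cas.example.org).
FED_ENDPOINT = "https://cas.example.org/cas/ws/idp/federation"
GOOD_REQUEST = (FED_ENDPOINT + "?wa=wsignin1.0"
                "&wtrealm=urn%3Afederation%3AMicrosoftOnline"
                "&wreply=https%3A%2F%2Flogin.microsoftonline.com%2Flogin.srf"
                "&wctx=state123")
NO_WREPLY = FED_ENDPOINT + "?wa=wsignin1.0&wtrealm=urn%3Afederation%3AMicrosoftOnline"
WRONG_REALM = (FED_ENDPOINT + "?wa=wsignin1.0&wtrealm=urn%3Aother%3Arealm"
               "&wreply=https%3A%2F%2Flogin.microsoftonline.com%2Flogin.srf")
SIGNOUT = (FED_ENDPOINT + "?wa=wsignout1.0"
           "&wtrealm=urn%3Afederation%3AMicrosoftOnline"
           "&wreply=https%3A%2F%2Flogin.microsoftonline.com%2Flogin.srf")

if __name__ == "__main__":
    for sample in (GOOD_REQUEST, NO_WREPLY, WRONG_REALM, SIGNOUT):
        print(diagnose(sample))
```

To use it on a real redirect, copy the full URL that the browser is sent to from login.microsoftonline.com (the address bar at the moment the "Application Not Authorized" page appears, or the Location header from the browser's network tab) and pass it to diagnose(); the realm and reply values it prints are the ones that must line up with the `realm` and `serviceId` of the registered service.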