OK, back at the desk now so have extracted the relevant sections from my build documentation. Screenshots are missing but the text should provide enough detail (if not too much ;-).
I doubt it is 100% correct as I stumbled though it myself, also the exact same config failed with 5.3.0 but was OK with 5.3.2 and 5.2.3 so seems there was a bug added then fixed (or my config just did not work with that build). Hopefully this will help you/someone and maybe if someone who knows better spots some mistakes in my config I can learn some more also ;-)
Configure ADFS
The CAS Service will be configured to redirect to ADFS before CAS can be setup to do this the Relying Party needs to be setup on the ADFS server.
Login to the ADFS server and launch “AD FS Management”
Expand the tree to “Relying Party Trusts”.
Right click on “Relying Party Trusts” and select “Add Relying Party Trust..”
Click the “Start” button:
Select “Enter the data about the relying party manually” Then click Next.
Enter a Display Name and Notes then click “Next”.
On the “Choose Profile” section leave as AD FS Profile and click “Next”.
Click “Next” on the “Configure Certificate” screen.
Click “Next” on the “Configure URL” page.
On the “Configure Identifiers” page enter a unique identifier e.g. urn:
cas-svr.domain.com for the CAS service and click “Add” then “Next”.
Leave the Multi-factor authentication as “I do not want to configure..” and click “Next”:
On the “Choose Issuance Authorization Rules” page leave it as “Permit all users to access this relying party” and click “Next”.
Click “Next” on the “Ready to Add Trust” page
Click “Close”.
Double click on the new Relying Party entry and select the “Endpoints” tab.
Click on “Add WS-Federation..".
Click “OK” then “OK” again to close the properties window.
Right click on the CAS Relying Party and select “Edit Claim Rules”.
Click “Add Rule” on the "Issuance Transform Rules" screen.
Select “Send LDAP Attributes as Claims” and click “Next”.
Complete the “Configure Claim Rule” page as required, my settings were "LDAP Attribute"= "SAM-Account-Name" mapped to "Outgoing Claim Type"="UPN".
Click "finish".
Export the Token-signing Certificate
CAS will need to have access to the ADFS Token-signing certificate, export this from "AD FS Manager" and store it on the CAS server for later use.
CAS Maven pom.xml
Edit the Maven pom.xml, find the section below and add the lines in Green:
<dependencies>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp${app.server}</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<!--
...Additional dependencies may be placed here...
-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-json-service-registry</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-wsfederation-webflow</artifactId>
<version>${cas.version}</version>
</dependency>
</dependencies>
Save the pom.xml file.
ADFS token-signing certificate
Now open the etc/cas/config folder and copy the ADFS token-signing certificate file to this folder (File in this example is "my-adfs-token-signing.cer").
CAS ADFS settings
Edit the cas.properties file in this folder and add the contents below:
# Logout settings if required uncomment below and change the cas.slo.disabled setting
cas.slo.disabled=true
#cas.logout.followServiceRedirects=true
# ADFS Note http on the "identityProviderIdentifier" this is not a mistake..
cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].signingCertificateResources=file:///etc/cas/config/my-adfs-token-signing.cer
cas.authn.wsfed[0].tolerance=10000
cas.authn.wsfed[0].identityAttribute=upn
cas.authn.wsfed[0].attributeResolverEnabled=true
cas.authn.wsfed[0].autoRedirect=true
# cas.authn.wsfed[0].name=
# cas.authn.wsfed[0].principal.principalAttribute=
# cas.authn.wsfed[0].principal.returnNull=false
# Private/Public keypair used to decrypt assertions, if any.
# cas.authn.wsfed[0].encryptionPrivateKey=classpath:private.key
# cas.authn.wsfed[0].encryptionCertificate=classpath:certificate.crt
# cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
Build and deploy CAS.
Make sure the configuration is copied by running “build copy” or manually copying the files to the correct location.
Run the Package command to generate the .war file “build package”: