SAML AuthnRequest resolved by Trusted Authentication in federated Single Sign-On flow

[JON]

Hi,

I have the following running:

cas-overlay-template-master 5.2.X with

 

- SAML IdP

 

- Trusted Authentication

 

   configured inside

I must cover the following Single Sign-On federated flow:

1.- CAS SAML IdP (A), through the user's browser, receives a SAML AuthnRequest in /cas/idp/profile/SAML2/POST/SSO

2.- then, the user's browser must be redirected to a remote site (B) (outside the CAS control)

3.- the remote site (B) will redirect the user's browser to CAS, providing the information needed by CAS Trust Authentication (C) to build a CAS session

4.- finally, CAS SAML IdP (A) must respond to the original SAML AuthnRequest with the corresponding SAML AuthnResponse

All this must happen in a transparent way, without user intervention in any place controlled by CAS.

What is the best option to achieve this transparent flow ?

I don't know if this should be treated as a Multi-Factor Authentication ?

I hope this can be done.

[At this time, in step 2, the user is redirected to the CAS login screen. After manually invoking Trusted Authentication, the screen with the user information is displayed. After that, SAML AuthnRequest must be invoked again, and SAML AuthnResponse is finally delivered].

In the following link you can see how I got here: https://groups.google.com/a/apereo.org/d/msg/cas-user/I3sUJ29n_ig/1bcp8OM3AAAJ with the great help of members of this community.

Thanks in advance

Jon

[Man H]

Authentication flow ends BEFORE redirection (point 4 before 3)

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/74362124-bf40-4c81-a4b0-0f32141e09c2%40apereo.org.

[Man H]

Test trusted and idp separately

El lunes, 23 de abril de 2018, JON <usuari...@gmail.com> escribió:

[JON]

Thanks Manfredo

Both work correctly

Manually invoking the steps, the full flow works

Theese are the steps I follow [all by browser]:

1.- I lunch the URL of a pac4j-saml client, that makes the SAML AuthnRequest to the CAS SAML IdP (A)

2.- the browser is redirected by CAS, to the CAS login page. Then, instead of inserting the user / password, I invoke manually the URL of the remote site (B) that builds the Trusted Authentication Request

3.- the remote site (B) redirects the user's browser to CAS, providing the information needed by CAS Trust Authentication (C) to create a CAS session

4.- CAS creates the session (based on the trust on B) and redirects the browser to the CAS page in wich it shows user name and the logoff link. Then to retrieve the SAML AuthnRequest, I have to repeat the step 1. And the final SAML AuthnResponse is finally delivered to the client.

But I need no manual intervention.

Thank you

           Jon

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

[Man H]

where comes user name in 4) from?

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4813370e-f4f2-4194-b720-1bc4adf4ff80%40apereo.org.

[JON]

It comes from a PrincipalBearingCredential generated in BasePrincipalFromNonInteractiveCredentialsAction

TrustedAuthenticationConfiguration

 

remoteUserAuthenticationAction

 

BasePrincipalFromNonInteractiveCredentialsAction

The CAS page displayed to the user contains the following text:

"Log In Successful

You, userJON, have successfully logged into the Central Authentication Service. However, you are seeing this page because CAS does not know about your target destination and how to get you there. Examine the authentication request again and make sure a target service/application that is authorized and registered with CAS is specified.

When you are finished, for security reasons, please log out and exit your web browser."

I don't know if this is enough to try to explain the origin.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4813370e-f4f2-4194-b720-1bc4adf4ff80%40apereo.org.

[Man H]

in 1) did you try with queryparameter TARGET={url of 2)}

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c530e0ce-1847-474a-8cfa-675ecffb1bce%40apereo.org.