CAS 5 SAML2 delegated authentication

Dickison, Lynn E

Aug 2, 2018, 6:06:55 PM8/2/18
to cas-...@apereo.org

I’m trying to set up CAS 5.3.2 so that it delegates authentication to Azure AD via SAML2.  I’ve seen documentation on how to delegate authentication to an external SAML2 IdP, and I’ve read the tutorial (https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/).  The tutorial showed how to set it up with Okta as the IdP, and I’m assuming that works.  However, Azure AD gives me an error message that the authentication request is not a valid SAML2 protocol message.

 

Here is the configuration I have in the cas.properties file:

cas.authn.pac4j.saml[0].keystorePassword=******
cas.authn.pac4j.saml[0].privateKeyPassword=******
cas.authn.pac4j.saml[0].keystorePath=file:/etc/cas/saml/samlKeystore.jks
cas.authn.pac4j.saml[0].keystoreAlias=********

cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xxxxxxxx.yyyyyyyyyyyyy.edu
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:/etc/cas/saml/xxxxxxxx.xml

# Path/URL to delegated IdP metadata
cas.authn.pac4j.saml[0].identityProviderMetadataPath=file:/etc/cas/saml/AzureADCAS.xml


Here is an example authentication request that Microsoft says is valid in their documentation:

<samlp:AuthnRequest
        xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
        ID="id6c1c178c166d486687be4aaf5e482730"
        Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
</samlp:AuthnRequest>


Here is an authentication request generated by CAS via pac4j:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
        AssertionConsumerServiceURL="https://xxxxxxxx.yyyyyyyyyyyyy.edu:8443/cas/login?client_name=SAML2Client0"
        AttributeConsumingServiceIndex="0"
        Destination="https://login.microsoftonline.com/cad830e4-554f-4361-bae5-c865233fb77f/saml2"
        ForceAuthn="false" ID="_2nqagio59j7csvzqzu0mynfr4tsbfqzhnlleupl"
        IsPassive="false"
        IssueInstant="2018-08-02T21:50:33.174Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        ProviderName="pac4j-saml"
        Version="2.0"
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
            NameQualifier="https://xxxxxxxx.yyyyyyyyyyyyy.edu"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        https://xxxxxxxx.yyyyyyyyyyyyy.edu
    </saml2:Issuer>
</saml2p:AuthnRequest>


Here is the error message I'm getting from Azure:

Request Id: 75ca32eb-47cb-426a-992d-ee70fc6a1b00
Correlation Id: 996cb2e6-b6b3-4077-abaa-a76e2578255a
Timestamp: 2018-08-02T21:50:33Z
Message: AADSTS75005: The request is not a valid Saml2 protocol message.
Advanced diagnostics: Enable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

Root cause: Azure AD doesn't support the SAML request sent by the application for Single sign-on. Some common issues are:
- Missing required fields in the SAML request
- SAML request encoded method


If anyone has been able to get SAML2 delegated authentication working with Azure AD as the IdP, or if you know why it won’t work, I would appreciate any information you can supply.

 

 

Lynn Dickison
Senior Enterprise Systems Administrator
Computer Services

Missouri State University
901 S. National Ave.
Springfield, MO 65897
Phone: 417-836-4515 | Fax: 417-836-3192
lynndi...@missouristate.edu | www.missouristate.edu

Missouri State University: Make Your Missouri Statement
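As an added example (not from the original post, nor from CAS or pac4j), the Python below encodes an AuthnRequest the way the HTTP-Redirect and HTTP-POST bindings do, decodes a captured SAMLRequest value back to XML while reporting which encoding it carried, and checks for the protocol fields present in both requests quoted above (ID, Version, IssueInstant, Issuer). The sample request is constructed with placeholder hostnames.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the pac4j request quoted in the post;
# the hostnames are placeholders, not real endpoints.
AUTHN_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}"
    ID="_example-request-id" Version="2.0"
    IssueInstant="2018-08-02T21:50:33.174Z"
    Destination="https://idp.example/saml2"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer xmlns:saml2="{SAML}">https://sp.example</saml2:Issuer>
</saml2p:AuthnRequest>"""


def redirect_encode(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding."""
    # wbits=-15 selects raw deflate (no zlib header), as the binding requires.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def post_encode(xml_text: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, no compression."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(value: str) -> tuple:
    """Decode a SAMLRequest value and report which binding's encoding it used."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    if raw.lstrip().startswith(b"<"):      # uncompressed XML: POST binding
        return "post", raw.decode("utf-8")
    return "redirect", zlib.decompress(raw, -15).decode("utf-8")


def check_authn_request(xml_text: str) -> list:
    """Return the problems found; an empty list means the basic checks pass."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        problems.append(f"root element is {root.tag}, not samlp:AuthnRequest")
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            problems.append(f"missing required attribute {attr}")
    if root.get("Version", "2.0") != "2.0":
        problems.append(f"unexpected Version {root.get('Version')}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        problems.append("missing or empty saml:Issuer")
    return problems
```

Run `check_authn_request` on the XML returned by `decode_saml_request` for a SAMLRequest value captured from the browser to see both how the request was encoded and whether the basic protocol fields survived.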

 
