Is it possible to delegate CAS authentication to a custom remote identity provider?


JON JON

Apr 1, 2018, 3:59:37 PM
to CAS Community
Hi

Is it possible to delegate authentication to a custom remote identity provider?

This does not speak CAS, SAML, OAuth or OpenID Connect. It has its own SSO mechanism. End users use a web browser to interact.

Our identity provider has its own authentication mechanism, based on HTTP, over J2EE, for users registered in a database.
It can return a token with the user's profile (authentication mechanism, identity, context, and authorization attributes).

Now we need to delegate CAS authentication to this identity provider. Do you think it is possible with any of the mechanisms provided by CAS?

The ultimate goal is for CAS to be a SAML identity provider based on the identity information provided by our identity provider.

Thanks in advance

Jon

Man H

Apr 1, 2018, 5:46:07 PM
to cas-...@apereo.org
See trusted authentication.
The local CAS server should receive the translated remote identity through a valve or other mechanism.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9289aac5-4ab1-43a0-9a72-b6d31e2e67e3%40apereo.org.
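
One shape the "valve or other mechanism" from the reply above can take, as an added example that is not code from this thread or from the CAS project: a servlet filter that verifies the custom IdP's token and only then exposes the identity as the request's remote user, which CAS trusted authentication can read. The class name, the `idp_token` parameter, the `hmacKeyBase64` init parameter and the token layout are all assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: verify the custom IdP's token, then expose the user via getRemoteUser(). */
public class RemoteIdpTokenFilter implements Filter {
    private static final String PARAM = "idp_token";   // assumed request parameter name
    private byte[] key;                                 // secret shared with the custom IdP

    @Override public void init(FilterConfig cfg) {
        key = Base64.getDecoder().decode(cfg.getInitParameter("hmacKeyBase64"));
    }

    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        final String user = verify(req.getParameter(PARAM));
        if (user == null) { chain.doFilter(rq, rs); return; }   // no valid token: normal CAS login
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return user; }
        }, rs);
    }

    /** Assumed layout: base64url(user) "." expiryEpochSeconds "." base64url(HMAC-SHA256 of first two fields). */
    String verify(String token) {
        if (token == null) return null;
        String[] p = token.split("\\.");
        if (p.length != 3) return null;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal((p[0] + "." + p[1]).getBytes(StandardCharsets.UTF_8));
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(expected, given)) return null;   // constant-time comparison
            if (Long.parseLong(p[1]) < System.currentTimeMillis() / 1000) return null;   // expired
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (Exception e) {   // malformed base64, number or key: treat as unauthenticated
            return null;
        }
    }

    @Override public void destroy() { }
}
```

The filter has to run ahead of the CAS login webflow, and the return URL should be served only over TLS because the token travels in the request. A short expiry limits replay of a captured token; one-time use would need server-side state that this sketch does not keep.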

JON

Apr 13, 2018, 6:36:11 AM
to CAS Community
Hi again

I am trying to test the Trusted Authentication, adding code in the Maven Overlay. The code is the one existing in the cas-server-support-trusted module. I have been falling into a cascade of compilation errors that I have tried to overcome by adding dependencies in pom.xml.
The errors have been getting more and more primitive. And in the end I have come to:

[ERROR] /H:/aplic_saml_apereo_v5.2.0/cas-overlay-template-master/src/main/java/org/apereo/cas/adaptors/trusted/authentication/principal/ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java:[26,31] cannot find symbol
[ERROR]   symbol:   method toUpperCase()
[ERROR]   location: variable t of type java.lang.Object
[ERROR] /H:/aplic_saml_apereo_v5.2.0/cas-overlay-template-master/src/main/java/org/apereo/cas/adaptors/trusted/authentication/principal/ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java:[27,71] incompatible types: java.lang.Object cannot be converted to java.lang.String
[ERROR] /H:/aplic_saml_apereo_v5.2.0/cas-overlay-template-master/src/main/java/org/apereo/cas/adaptors/trusted/authentication/principal/ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java:[28,49] incompatible types: java.lang.Object cannot be converted to java.lang.String
[ERROR] /H:/aplic_saml_apereo_v5.2.0/cas-overlay-template-master/src/main/java/org/apereo/cas/adaptors/trusted/authentication/principal/ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java:[29,25] incompatible types: java.lang.Object cannot be converted to java.util.Map<java.lang.String,java.lang.Object>
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.3:compile (default-compile) on project cas-overlay: Compilation failure


Thank you very much



Man H

Apr 13, 2018, 11:33:20 AM
to cas-...@apereo.org
Hi, you just add the Maven/Gradle dependency to the original overlay.

JON

Apr 13, 2018, 1:25:13 PM
to CAS Community
Hi
Before following your advice, I must tell you that if I delete the code, everything works fine (including SAML IdP), with the exception of Trusted Authentication.
The code that I am trying to compile is the original downloaded from the repository.
I just inserted it to start with a known stable version.

Ray Bon

Apr 13, 2018, 3:21:50 PM
to cas-...@apereo.org
Are you trying to build CAS or did you download the code just for Trusted Authentication?
Building a single class (or even a few) can result in a lot of dependency management (as you have seen). Sometimes the dependency you add brings in others behind the scenes (transitive dependencies). Your error may be a result of mismatched versions.
If you still want to proceed down this route, you can see what libraries are being pulled into your build with:
mvn dependency:tree

There is a grails command to do the same if that is what you are using.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

JON

Apr 19, 2018, 3:12:48 PM
to CAS Community
Hi
I have found a workaround to solve the compilation problem, simply by removing the class that caused the compile error: "ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java"

First, I went back to the original "cas-overlay-template-master" distribution, and added only the maven dependencies. The compilation was correct. But by adding the source classes corresponding to "cas-server-support-trusted-webflow" and "cas-server-support-trusted", the compilation error reappeared. I don't know why.

Now, I have Trusted Authentication running.
I also have CAS running as SAML IdP.

Everything works, almost as I need. Although, I need to be able to delegate SAML IdP authentication in Trusted Authentication.

When a SAML Authentication Request is done, it redirects the user to the CAS login screen.
Instead, I need to redirect the user to a remote server (custom IdP) that can return to the CAS server with a Trusted Authentication Request. Where the SAML Authentication Response can finally be completed.

Is there an easy way to get it, without having to dive a lot?
If not, which one is the recommended way to do it?

Thanks a lot!!

Jon

JON

Apr 23, 2018, 9:11:40 AM
to CAS Community
Hi again

I think we'd better open another topic where better to expose the situation.

This is the link: https://groups.google.com/a/apereo.org/forum/?hl=en#!topic/cas-user/jewd_Hzlens


Thank you very much, Manfredo and Ray

Jon