What is needed to get ADFS in CAS6?


Toby Archer

Jun 4, 2020, 12:40:47 PM
to CAS Community
We are looking to upgrade from CAS 5 to CAS 6. I have a fresh setup so I've just got the default JSON services and ADFS. This guide suggests I need this line:

compile "org.apereo.cas:cas-server-support-wsfederation-webflow:${project.'cas.version'}"

In my build.gradle file. Presumably in the area right below:

dependencies {
    // Other CAS dependencies/modules may be listed here...
    // implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-wsfederation-webflow:${project.'cas.version'}"

And then I copied over the attributes from our test box, which appears to be the same in 5.x as it is in 6.x:

cas.authn.wsfed[0].identityProviderUrl=https://adfs.usd.edu/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://adfs.usd.edu/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:test-sso.usd.edu
cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].autoRedirect=true
cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs_signing2019.cer

But nothing happens. No redirect, no mention of ADFS in the logs. Was there something else I had to do?

Robert Bond

Jun 8, 2020, 3:10:10 PM
to CAS Community

Hi Toby,

Can you explain the scenario a little more?

What role is the ADFS server playing? SP?

What role is the CAS server fulfilling? IDP?

Do you have this working on CAS 5? 

Thanks!

Toby Archer

Jun 10, 2020, 10:02:25 AM
to CAS Community
Thank you for your help. Yes, a little more detail. ADFS will be doing the authenticating, so if I've got my abbreviations straight, yes it will be SP. You hit CAS, it redirects you to ADFS where you log in, and ADFS sends you back to CAS which sends you back to the service requesting a login. Through this whole process, the user never sees CAS. CAS adds no information to the ADFS responses, so it can be thought of as strictly a relying party which acts as a translator/adapter for services that can't connect directly to ADFS.

Toby Archer

Jun 10, 2020, 10:09:39 AM
to CAS Community
Oh, and yes, this is our current functioning configuration in production with CAS5. Works like a charm.

Robert Bond

Jun 10, 2020, 10:55:00 AM
to cas-...@apereo.org
Hi Toby,

Thanks for the further insight. To potentially simplify your setup, is there a reason you cannot use just CAS?
After taking a look I am guessing you do not have an option. Looks like ADFS is controlled by your regents? https://adfs.sdbor.edu/

Unfortunately I have not set up a relaying trust with ADFS before. I have configured CAS to work with an SP using ADFS.
Potentially this guide can help:

Hope that helps!

--
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University

Toby Archer

Jun 15, 2020, 3:11:23 PM
to CAS Community
Hrm. Sadly that doesn't seem to be working. It's so annoying that I don't even have any indication as to why. If the logs would spit out what is broken I could fix it but it seems like CAS isn't even aware that I've enabled WS-FED. :c
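
Added example (not written by any poster in this thread and not CAS code): a small Python check for the `cas.authn.wsfed[0]` block quoted in the first post. It also builds a WS-Federation passive sign-in request from those values, so the redirect described in the thread can be compared with what the browser actually receives. The function names, the required-key list and the `wctx` value are assumptions made for illustration; CAS may append further parameters of its own.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample: the cas.authn.wsfed[0] lines quoted in the thread.
SAMPLE = """\
cas.authn.wsfed[0].identityProviderUrl=https://adfs.usd.edu/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://adfs.usd.edu/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:test-sso.usd.edu
cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].autoRedirect=true
cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs_signing2019.cer
"""
PREFIX = "cas.authn.wsfed[0]."
# Assumption: the settings this sketch treats as mandatory.
REQUIRED = ("identityProviderUrl", "identityProviderIdentifier",
            "relyingPartyIdentifier", "signingCertificateResources")


def parse_wsfed(text, prefix=PREFIX):
    """Collect the properties under one wsfed index, keyed without the prefix."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(prefix):
            props[key[len(prefix):]] = value
    return props


def check_wsfed(props):
    """Return a list of problems; an empty list means the block looks complete."""
    problems = [f"missing {name}" for name in REQUIRED if not props.get(name)]
    if urlsplit(props.get("identityProviderUrl", "")).scheme != "https":
        problems.append("identityProviderUrl is not https")
    if props.get("autoRedirect", "").lower() != "true":
        problems.append("autoRedirect is not true")
    return problems


def signin_url(props, wctx="constructed-context-id"):
    """Build a WS-Federation passive sign-in request (wa/wtrealm/wctx)."""
    query = urlencode({"wa": "wsignin1.0",
                       "wtrealm": props["relyingPartyIdentifier"],
                       "wctx": wctx})
    return f'{props["identityProviderUrl"]}?{query}'


if __name__ == "__main__":
    cfg = parse_wsfed(SAMPLE)
    print(check_wsfed(cfg) or "no problems found")
    print(signin_url(cfg))
```

A clean result here only says the properties are well formed; it does not show that the running CAS build has loaded them.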