Jasig CAS and ADFS: Troubleshooting blank screen after successful login


Yves

Apr 20, 2016, 6:15:20 AM
to CAS Community
Hello,
 
I've set up Jasig Central Authentication System (CAS) 4.0.2 with adfs-support-wsfederation.
I've used the Maven overlay cas-adfs-integration-master.

I've set up an ADFS server (Windows Server 2012 R2).


That produces this log:

2016-04-20 11:58:31,103 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
2016-04-20 11:58:31,105 DEBUG [net.unicon.cas.support.wsfederation.web.flow.WsFederationAction] - <wresult : <t:RequestSecurityTokenResponse [truncated]
2016-04-20 11:58:31,115 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <parseTokenFromString: org.opensaml.saml1.core.impl.AssertionImpl@304d6837>
2016-04-20 11:58:31,125 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <validateSignature: Signature is valid.>
2016-04-20 11:58:31,126 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: retrieved on 2016-04-20T09:58:31.126Z>
2016-04-20 11:58:31,126 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: UPN>
2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: surname>
2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: givenname>
2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: Group>
2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: processed attribute: Email>
2016-04-20 11:58:31,127 DEBUG [net.unicon.cas.support.wsfederation.WsFederationUtils] - <createCredentialFromToken: ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
Audience: urn:federation:cas
Audience Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Issued On: 2016-04-20T09:58:31.246Z
Valid After: 2016-04-20T09:58:31.239Z
Valid Before: 2016-04-20T10:58:31.239Z
Attributes:
  Group: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, ict\oDES-SG-SystemesDInformations]
  surname: MOYA
  givenname: Yves
>
2016-04-20 11:58:31,128 DEBUG [net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <.isValid: credential is valid.>

Then I was redirected back to https://srv-jasig01.ict-toulouse.fr:8443/cas/login

That shows me a blank page. The source code of this page is:
<html><head><title>Opération en cours...</title></head><body><form method="POST" name="hiddenform" action="https://srv-jasig01.ict-toulouse.fr:8443/cas/login">
<input type="hidden" name="wa" value="wsignin1.0" /><input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse xmlns:t=&quot;http://schemas.xmlsoap.org/ws/2005/02/trust&quot;>&lt;t:Lifetime>&lt;wsu:Created xmlns:wsu=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot;>2016-04-20T10:02:08.672Z&lt;/wsu:Created>&lt;wsu:Expires xmlns:wsu=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot;>2016-04-20T11:02:08.672Z&lt;/wsu:Expires>&lt;/t:Lifetime>&lt;wsp:AppliesTo xmlns:wsp=&quot;http://schemas.xmlsoap.org/ws/2004/09/policy&quot;>&lt;wsa:EndpointReference xmlns:wsa=&quot;http://www.w3.org/2005/08/addressing&quot;>&lt;wsa:Address>urn:federation:cas&lt;/wsa:Address>&lt;/wsa:EndpointReference>&lt;/wsp:AppliesTo>&lt;t:RequestedSecurityToken>&lt;saml:Assertion MajorVersion=&quot;1&quot; MinorVersion=&quot;1&quot; AssertionID=&quot;_97282ee8-e8af-4e1d-a809-d050b0f34c5c&quot; Issuer=&quot;http://adfs.ict-toulouse.fr/adfs/services/trust&quot; IssueInstant=&quot;2016-04-20T10:02:08.682Z&quot; xmlns:saml=&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;>&lt;saml:Conditions NotBefore=&quot;2016-04-20T10:02:08.672Z&quot; NotOnOrAfter=&quot;2016-04-20T11:02:08.672Z&quot;>&lt;saml:AudienceRestrictionCondition>&lt;saml:Audience>urn:federation:cas&lt;/saml:Audience>&lt;/saml:AudienceRestrictionCondition>&lt;/saml:Conditions>&lt;saml:AttributeStatement>&lt;saml:Subject>&lt;saml:SubjectConfirmation>&lt;saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer&lt;/saml:ConfirmationMethod>&lt;/saml:SubjectConfirmation>&lt;/saml:Subject>&lt;saml:Attribute AttributeName=&quot;UPN&quot; AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>yves...@ict-toulouse.fr&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute AttributeName=&quot;surname&quot; 
AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>MOYA&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute AttributeName=&quot;givenname&quot; AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>Yves&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute AttributeName=&quot;Group&quot; AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>ict\oSecretariats&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\Utilisa. du domaine&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\oDES-SG&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\Groupe Projet Aurion&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\Utilisateurs Info&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\oAdministratif&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\Utilisateurs ICT&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\oDES-SG-SystemesDInformations&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute AttributeName=&quot;Email&quot; AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>yves...@ict-toulouse.fr&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;/saml:AttributeStatement>&lt;saml:AuthenticationStatement AuthenticationMethod=&quot;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport&quot; AuthenticationInstant=&quot;2016-04-20T09:58:31.205Z&quot;>&lt;saml:Subject>&lt;saml:SubjectConfirmation>&lt;saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer&lt;/saml:ConfirmationMethod>&lt;/saml:SubjectConfirmation>&lt;/saml:Subject>&lt;/saml:AuthenticationStatement>&lt;ds:Signature xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;>&lt;ds:SignedInfo>&lt;ds:CanonicalizationMethod Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot; />&lt;ds:SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot; />&lt;ds:Reference URI=&quot;#_97282ee8-e8af-4e1d-a809-d050b0f34c5c&quot;>&lt;ds:Transforms>&lt;ds:Transform 
Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#enveloped-signature&quot; />&lt;ds:Transform Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot; />&lt;/ds:Transforms>&lt;ds:DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot; />&lt;ds:DigestValue>FM+gP64NCIMiXtXR/Dc0ayjfA2c=&lt;/ds:DigestValue>&lt;/ds:Reference>&lt;/ds:SignedInfo>&lt;ds:SignatureValue>VhHMXjliT/69Sbx8XvkQxx8s1oTsWd1wVUsqbBBNROGZnkt7lKsZDV/XM8Kmdgt9mIWOZnStauRCwzevxKKzDr0HRBp4YkSDjA1A5i4F5neqQR+amztCac93yZyF1G22wGeyr2YZgSVUNYikhppQlkR1kjeg12AStzTURkDK4bzChbABeDW01KDMDx+CP0Cz9+m542bUxIblnauH8K8tQs4C2yznT6v8BU1nbDh/sO0S3NiDdwHwBF2txHLZ+08j5KZcpeBV8CUUUkm37APvTzKz7rxwpBErd8x7Osju6sJT92wSGxs3uqMHfpwhJftZNpCLC9VuHS4s3VtAz/Bfxg==&lt;/ds:SignatureValue>&lt;KeyInfo xmlns=&quot;http://www.w3.org/2000/09/xmldsig#&quot;>&lt;X509Data>&lt;X509Certificate>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&lt;/X509Certificate>&lt;/X509Data>&lt;/KeyInfo>&lt;/ds:Signature>&lt;/saml:Assertion>&lt;/t:RequestedSecurityToken>&lt;t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion&lt;/t:TokenType>&lt;t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue&lt;/t:RequestType>&lt;t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey&lt;/t:KeyType>&lt;/t:RequestSecurityTokenResponse>" /><noscript><p>Le script est désactivé. Cliquez sur Envoyer pour continuer.</p><input type="submit" value="Envoyer" /></noscript></form><script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script></body></html>

Then in the log file I have:


2016-04-20 11:58:31,129 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <WsFederationAuthenticationHandler successfully authenticated ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
Audience: urn:federation:cas
Audience Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Issued On: 2016-04-20T09:58:31.246Z
Valid After: 2016-04-20T09:58:31.239Z
Valid Before: 2016-04-20T10:58:31.239Z
Attributes:
  UPN: yves.moya
  FirstName: Yves
  Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, ict\oDES-SG-SystemesDInformations]
  LastName: MOYA
>
2016-04-20 11:58:31,129 DEBUG [net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2016-04-20 11:58:31,129 ERROR [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver@509cf131 failed to resolve principal from ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
Audience: urn:federation:cas
Audience Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Issued On: 2016-04-20T09:58:31.246Z
Valid After: 2016-04-20T09:58:31.239Z
Valid Before: 2016-04-20T10:58:31.239Z
Attributes:
  UPN: yves.moya
  FirstName: Yves
  Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, ict\oDES-SG-SystemesDInformations]
  LastName: MOYA
>
java.lang.NullPointerException
        at net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver.extractPrincipalId(WsFederationCredentialsToPrincipalResolver.java:49)
[truncated]
2016-04-20 11:58:31,130 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
Audience: urn:federation:cas
Audience Method: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Issued On: 2016-04-20T09:58:31.246Z
Valid After: 2016-04-20T09:58:31.239Z
Valid Before: 2016-04-20T10:58:31.239Z
Attributes:
  UPN: yves.moya
  FirstName: Yves
  Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, ict\oDES-SG-SystemesDInformations]
  LastName: MOYA
]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Wed Apr 20 11:58:31 CEST 2016
CLIENT IP ADDRESS: 172.21.10.106
SERVER IP ADDRESS: 192.168.254.113
=============================================================
>
2016-04-20 11:58:31,138 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: No resolver produced a principal.
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Wed Apr 20 11:58:31 CEST 2016
CLIENT IP ADDRESS: 172.21.10.106
SERVER IP ADDRESS: 192.168.254.113
=============================================================

>
2016-04-20 11:58:31,138 ERROR [net.unicon.cas.support.wsfederation.web.flow.WsFederationAction] - <No resolver produced a principal.>
org.jasig.cas.authentication.UnresolvedPrincipalException: No resolver produced a principal.
[truncated]
avr. 20, 2016 11:58:34 AM org.apache.catalina.startup.HostConfig checkResources
PRÉCIS: Checking context[/cas] redeploy resource /var/lib/tomcat8/webapps/cas.war

Can you help me solve this?

Best regards

Yves

Yves

Apr 20, 2016, 12:46:09 PM
to CAS Community
Hello,

I've solved this by modifying wsfederation.xml:

<property name="identityProviderIdentifier" value="http://adfs.ict-toulouse.fr/adfs/services/trust" />
<property name="identityProviderUrl" value="https://adfs.ict-toulouse.fr/adfs/ls/" />
<!-- <property name="identityAttribute" value="upn" /> -->
<property name="identityAttribute" value="sAMAccountName" />
<property name="relyingPartyIdentifier" value="urn:federation:cas" />
<property name="tolerance" value="60000" />
<property name="attributeMutator">
    <bean class="org.example.cas.support.wsfederation.WsFedAttributeMutatorImpl" />
</property>

I don't know why upn didn't work. Is it case sensitive? ADFS returns UPN, not upn.

Or maybe it is caused by WsFedAttributeMutatorImpl.java, which removes @ict-toulouse.fr from the UPN, but to me that is done afterwards, isn't it?

Thanks

John Gasper

Apr 20, 2016, 12:51:48 PM
to Yves, CAS Community
It's been a while since I looked at that code, but it would not surprise me that the identity attribute is case sensitive. The other possibility is that the attributeMutator is renaming or removing the UPN attribute. That depends upon the code implemented in the class and is designed to be customized. In your log you do not show sAMAccountName being returned by ADFS, so I'm guessing that your mutator is creating it. Otherwise I'm not sure what is going on.

-- 
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
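
A diagnostic for the question raised in this thread, added here as an example (not code from CAS, the adfs-support-wsfederation module, or anyone in the thread): it lists the attribute names carried in a WS-Federation wresult token, applies a mutator, and checks a configured identityAttribute by exact match, flagging names that differ only by case. The sample token, `sample_mutator` and the exact-match lookup are assumptions made for illustration; the thread does not confirm how the module compares names.

```python
import xml.etree.ElementTree as ET

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed sample token (not the one from the thread); only the parts the check reads.
SAMPLE_WRESULT = """\
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
   <saml:AttributeStatement>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="urn:federation:cas">
     <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Group" AttributeNamespace="urn:federation:cas">
     <saml:AttributeValue>staff</saml:AttributeValue>
     <saml:AttributeValue>it</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def token_attributes(wresult_xml):
    """Map AttributeName -> list of values for every SAML 1.1 attribute in the token.
    Diagnostic only: the token signature is NOT verified here."""
    attrs = {}
    for attr in ET.fromstring(wresult_xml).iter(SAML1 + "Attribute"):
        values = [v.text or "" for v in attr.findall(SAML1 + "AttributeValue")]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return attrs


def sample_mutator(attrs):
    """Hypothetical stand-in for a site's attributeMutator: strips the UPN domain
    and renames Group -> Groups, like the before/after names seen in the log."""
    out = dict(attrs)
    if "UPN" in out:
        out["UPN"] = [v.split("@", 1)[0] for v in out["UPN"]]
    if "Group" in out:
        out["Groups"] = out.pop("Group")
    return out


def check_identity_attribute(attrs, identity_attribute):
    """Exact-match lookup, as a case-sensitive map would perform it (assumption).
    Returns (status, detail): ok -> first value; case-mismatch -> names that
    differ only by case; missing -> sorted list of the names that are present."""
    values = attrs.get(identity_attribute)
    if values:
        return "ok", values[0]
    near = [n for n in attrs if n.lower() == identity_attribute.lower()]
    if near:
        return "case-mismatch", near
    return "missing", sorted(attrs)


if __name__ == "__main__":
    mutated = sample_mutator(token_attributes(SAMPLE_WRESULT))
    for name in ("upn", "UPN", "sAMAccountName"):
        print(name, "->", check_identity_attribute(mutated, name))
```

Running the check on the attribute map both before and after the mutator shows which stage introduces or removes the name configured as identityAttribute.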

