phpCAS and returning SAML attributes


Scott Gennari

Nov 8, 2017, 9:55:54 AM
to cas-...@apereo.org
Hi All,

We are in the process of testing a CAS 5.1.5 server instance with the eventual goal of authentication with SSO Banner. The project installation guide kindly provided by David Curry has been a great help as I am new to CAS. Many thanks to David for making this available.

This will be a low volume server used by a handful of staff members, so no need for multiple servers/load balancing or Duo. I have completed the setup through 'Adding SAML support' and to most extents 'building the SAML client', although I'm not certain I need this. At this point I thought we could use phpCAS to test for SAML attribute release, but I cannot get this to work and am seeking your help.

The CAS server successfully authenticates against our LDAP (openldap) service. There is a single wildcard JSON in the service registry (/etc/cas/services) that catches all requests and includes basic attribute releases sn, cn and employeeNumber (remapped to UDC_IDENTIFIER).

/etc/cas/services/wildcard.json

{
  /*
   * Wildcard service definition that applies to any https or imaps url.
   * Do not use this definition in a production environment.
   */
  "@class" :            "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" :         "^(https|http|imaps)://.*",
  "name" :              "Service entry for Banner SSO",
  "id" :                20170828090137,

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "employeeNumber" : "UDC_IDENTIFIER"
    }
  },

  "evaluationOrder" : 6
}


Dependencies in pom.xml (do I need saml-idp for phpCAS examples?)

    <dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp${app.server}</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-json-service-registry</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-saml</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-saml-idp</artifactId>
            <version>${cas.version}</version>
        </dependency>
    </dependencies>



The goal is to successfully release these attributes via phpCAS using example_advanced_saml11.php, but it fails with

CAS Authentication failed!

You were not authenticated.

You may submit your request again by clicking here.

If the problem persists, you may contact the administrator of this site.


phpCAS 1.3.4 using server https://srcastic.simons-rock.edu:8443/cas/ (CAS S1)




In the CAS log, all I see is that the ticket was generated, despite phpCAS's authentication failure after a successful LDAP login.

2017-11-08 09:48:04,773 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Wed Nov 08 09:48:04 EST 2017,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Nov 08 09:48:04 EST 2017
CLIENT IP ADDRESS: 10.30.2.157
SERVER IP ADDRESS: 192.168.2.105
=============================================================

>
2017-11-08 09:48:04,784 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: sgennari
WHAT: ST-10-Krnl7ST1bj2wyKFNuMTn-srcastic for http://localhost/example_advanced_saml11.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Nov 08 09:48:04 EST 2017
CLIENT IP ADDRESS: 10.30.2.157
SERVER IP ADDRESS: 192.168.2.105
=============================================================




The script example_simple.php is successful. It redirects to the CAS login, authenticates with LDAP and returns the user ID.

Successfull Authentication!

Current script
example_simple.php
session_name():
session_for:example_simple_php
session_id():
ST-8-dKPGD2LytcWA2lQ1wtAu-srcastic

the user's login is sgennari.

phpCAS version is 1.3.4.

Logout



Any assistance or advice would be greatly appreciated.

Thank you,
Scott Gennari
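To make concrete what the posted wildcard definition does on the server side, here is an added example (not code from the thread, phpCAS or the CAS project) that mimics the two pieces of the definition in plain Python: a RegexRegisteredService matches its serviceId regex against the client's service URL, and a ReturnMappedAttributeReleasePolicy releases only the listed attributes under their mapped names. The service JSON is a copy of the one in the post; the principal, the candidate service URLs and the restrict_to_host() hardening are constructed assumptions for illustration.

```python
import json
import re

# Constructed copy of the wildcard service definition posted in the thread.
# CAS's JSON service registry tolerates /* ... */ comments; json.loads does not,
# so load_service() strips them before parsing.
WILDCARD_SERVICE = """
{
  /*
   * Wildcard service definition that applies to any https or imaps url.
   * Do not use this definition in a production environment.
   */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http|imaps)://.*",
  "name" : "Service entry for Banner SSO",
  "id" : 20170828090137,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "employeeNumber" : "UDC_IDENTIFIER"
    }
  },
  "evaluationOrder" : 6
}
"""

# Constructed principal, as CAS might resolve it from LDAP (not a real account).
PRINCIPAL = {"uid": "jdoe", "sn": "Doe", "cn": "Jane Doe", "employeeNumber": "000123"}


def load_service(text):
    """Parse a CAS JSON service definition, removing block comments first."""
    return json.loads(re.sub(r"/\*.*?\*/", "", text, flags=re.S))


def service_matches(service, service_url):
    """A RegexRegisteredService treats serviceId as a regex tested against the client's service URL."""
    return re.match(service["serviceId"], service_url) is not None


def release_attributes(service, principal_attrs):
    """ReturnMappedAttributeReleasePolicy releases only the listed attributes, under their mapped names."""
    allowed = service["attributeReleasePolicy"]["allowedAttributes"]
    mapping = {src: dst for src, dst in allowed.items() if src != "@class"}
    return {dst: principal_attrs[src] for src, dst in mapping.items() if src in principal_attrs}


def restrict_to_host(service, host):
    """Hypothetical hardening: copy the definition with a serviceId pinned to one https client host."""
    tightened = dict(service)
    tightened["serviceId"] = r"^https://" + re.escape(host) + r"(:\d+)?/.*"
    return tightened


if __name__ == "__main__":
    wildcard = load_service(WILDCARD_SERVICE)
    pinned = restrict_to_host(wildcard, "d2h157.sta-fac.simons-rock.edu")
    for url in ("https://d2h157.sta-fac.simons-rock.edu/example_advanced_saml11.php",
                "http://localhost/example_advanced_saml11.php",
                "https://unrelated.example/callback"):
        print(f"{url}\n  wildcard matches: {service_matches(wildcard, url)}"
              f"\n  pinned matches:   {service_matches(pinned, url)}")
    print("released:", release_attributes(wildcard, PRINCIPAL))
```

Running it shows why the definition's own comment warns against production use: every http, https or imaps URL matches, so sn, cn and employeeNumber (as UDC_IDENTIFIER) would be released to any service that can get a user to log in, while the pinned variant matches only the one client host it names.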




Ray Bon

Nov 8, 2017, 11:11:19 AM
to cas-...@apereo.org
Scott,

In saml11 example, what is in the CAS log after ticket creation?

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Scott Gennari

Nov 8, 2017, 11:28:43 AM
to cas-...@apereo.org, Ray Bon
On 11/08/2017 11:11 AM, Ray Bon wrote:
Scott,

In saml11 example, what is in the CAS log after ticket creation?

Ray


Hi Ray,

Thanks for responding. On the CAS server side, in /var/log/cas/cas.log there is nothing other than

2017-11-08 09:48:04,773 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Wed Nov 08 09:48:04 EST 2017,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Nov 08 09:48:04 EST 2017
CLIENT IP ADDRESS: 10.30.2.157
SERVER IP ADDRESS: 192.168.2.105
=============================================================

>
2017-11-08 09:48:04,784 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: sgennari
WHAT: ST-10-Krnl7ST1bj2wyKFNuMTn-srcastic for http://localhost/example_advanced_saml11.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Nov 08 09:48:04 EST 2017
CLIENT IP ADDRESS: 10.30.2.157
SERVER IP ADDRESS: 192.168.2.105
=============================================================


but on the phpCAS side (requestor) in /tmp/phpCAS.log there is:


AF9B .|    |    |    |    |    => CAS_Client::getURL() [AuthenticationException.php:76]
AF9B .|    |    |    |    |    <= 'https://d2h157.sta-fac.simons-rock.edu/example_advanced_saml11.php'
AF9B .|    |    |    |    |    CAS URL: https://srcastic.simons-rock.edu:8443/cas/samlValidate?TARGET=https%3A%2F%2Fd2h157.sta-fac.simons-rock.edu%2Fexample_advanced_saml11.php [AuthenticationException.php:79]
AF9B .|    |    |    |    |    Authentication failure: SA not validated [AuthenticationException.php:80]
AF9B .|    |    |    |    |    Reason: bad response from the CAS server [AuthenticationException.php:85]
AF9B .|    |    |    |    |    CAS response: <!doctype html><html lang="en"><head><title>HTTP Status 406 – Not Acceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 406 – Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The target resource does not have a current representation that would be acceptable to the user agent, according to the proactive negotiation header fields received in the request, and the server is unwilling to supply a default representation.</p><hr class="line" /><h3>Apache Tomcat/8.5.23</h3></body></html> [AuthenticationException.php:101]


Thanks,
Scott



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1510157468.1757.64.camel%40uvic.ca.


-- 
Scott Gennari
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA  01230
(413) 644-4286 (voice)
(413) 528-7405 (fax)
sgen...@simons-rock.edu



Ray Bon

Nov 8, 2017, 12:01:02 PM
to cas-...@apereo.org
Scott,

The service ticket is created with 'localhost...'
but phpCAS sends a target of 'd2h157...'
These need to be the same.
Check config files.

Ray
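The comparison Ray is pointing at, as an added diagnostic (not part of the thread, phpCAS or CAS): it reads the service URL a ticket was issued for out of the SERVICE_TICKET_CREATED audit record, reads the TARGET (or service) parameter out of the validation URL phpCAS logged, and names the URL components on which the two disagree. The two log excerpts are constructed from the cas.log and phpCAS.log lines Scott posted, trimmed to the fields the check needs.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed excerpts: the SERVICE_TICKET_CREATED audit record from cas.log and the
# validation lines from /tmp/phpCAS.log, trimmed to the fields the check needs.
CAS_AUDIT_LOG = """\
WHO: sgennari
WHAT: ST-10-Krnl7ST1bj2wyKFNuMTn-srcastic for http://localhost/example_advanced_saml11.php
ACTION: SERVICE_TICKET_CREATED
"""

PHPCAS_LOG = """\
AF9B .|    CAS URL: https://srcastic.simons-rock.edu:8443/cas/samlValidate?TARGET=https%3A%2F%2Fd2h157.sta-fac.simons-rock.edu%2Fexample_advanced_saml11.php [AuthenticationException.php:79]
AF9B .|    Authentication failure: SA not validated [AuthenticationException.php:80]
"""

TICKET_RE = re.compile(r"^WHAT: (ST-\S+) for (\S+)$", re.M)
CAS_URL_RE = re.compile(r"CAS URL: (\S+)")


def ticket_services(audit_text):
    """Map each issued service ticket to the service URL it was issued for."""
    return {m.group(1): m.group(2) for m in TICKET_RE.finditer(audit_text)}


def validation_targets(phpcas_text):
    """Collect the TARGET (samlValidate) or service (serviceValidate) parameter of each validation call phpCAS logged."""
    targets = []
    for m in CAS_URL_RE.finditer(phpcas_text):
        query = parse_qs(urlparse(m.group(1)).query)  # parse_qs also percent-decodes the value
        for key in ("TARGET", "service"):
            targets.extend(query.get(key, []))
    return targets


def url_differences(a, b):
    """Name the URL components (scheme, netloc, path) on which two service URLs disagree."""
    pa, pb = urlparse(a), urlparse(b)
    return [part for part in ("scheme", "netloc", "path") if getattr(pa, part) != getattr(pb, part)]


def check_consistency(audit_text, phpcas_text):
    """For each validation TARGET, report whether a ticket was issued for exactly that URL and, if not, what differs."""
    issued = list(ticket_services(audit_text).values())
    report = []
    for target in validation_targets(phpcas_text):
        if target in issued:
            report.append((target, True, []))
        else:
            diffs = sorted({part for svc in issued for part in url_differences(svc, target)})
            report.append((target, False, diffs))
    return report


if __name__ == "__main__":
    for target, ok, diffs in check_consistency(CAS_AUDIT_LOG, PHPCAS_LOG):
        status = "matches an issued ticket" if ok else f"no ticket issued for it; differs in {diffs}"
        print(f"{target}: {status}")
```

On the posted logs the ticket was issued for http://localhost/example_advanced_saml11.php but validated for https://d2h157.sta-fac.simons-rock.edu/example_advanced_saml11.php, so scheme and host both differ. A service ticket is only valid for the service URL it was issued to, which is why both legs of the client (the login redirect and the validation call) have to derive the same URL.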

David Curry

Nov 8, 2017, 12:53:21 PM
to cas-...@apereo.org
Scott,

Glad you're finding the documentation helpful. I've never used phpCAS so I can't be much help with that (but it looks like others have jumped in), but in regard to your dependencies question, the cas-server-support-saml dependency adds support for SAML1.1-based attribute release, so yes, you do need that to release attributes to CAS-based clients.*

The cas-server-support-saml-idp dependency adds support to enable the CAS server to also function as a SAML2 Identity Provider (like Shibboleth, for example). You do not need that to perform attribute release to CAS clients; you only need it if you have clients that want to speak the SAML2 protocol instead of the CAS protocol.

--Dave

* Unless your CAS client is speaking v3.x of the CAS protocol, but there aren't many (any?) of those.

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School



Scott Gennari

Nov 10, 2017, 12:54:49 PM
to cas-...@apereo.org, David Curry
On 11/08/2017 12:53 PM, David Curry wrote:
Scott,

Glad you're finding the documentation helpful. I've never used phpCAS so I can't be much help with that (but it looks like others have jumped in), but in regard to your dependencies question, the cas-server-support-saml dependency adds support for SAML1.1-based attribute release, so yes, you do need that to release attributes to CAS-based clients.*

The cas-server-support-saml-idp dependency adds support to enable the CAS server to also function as a SAML2 Identity Provider (like Shibboleth, for example). You do not need that to perform attribute release to CAS clients; you only need it if you have clients that want to speak the SAML2 protocol instead of the CAS protocol.

--Dave

* Unless your CAS client is speaking v3.x of the CAS protocol, but there aren't many (any?) of those.


Hi Dave and CAS gang,

Ok, that makes sense. I opted to forgo phpCAS testing and went ahead with setting up an Apache CAS client instead, and it works as advertised. The mapped SAML attributes are releasing correctly!

LDAP:

At this point in the test phase, cas.properties is using a privileged LDAP account; otherwise attributes such as 'employeeNumber' would not release.

   cas.authn.ldap[0].bindDn=cn=admin,dc=simons-rock,dc=edu
   cas.authn.ldap[0].bindCredential=xxxxxxxxxxxx

So this needs to change before going into production. Is there a way to have CAS bind "as the user" who is trying to log in for LDAP authentication? That way they are viewing their own credentials and can release all their related attributes.

Or would the best practice be to create something like a cn=cas,ou=serviceaccounts entry in LDAP and adjust permissions to release privileged attributes?

Scott