Possible to simultaneously use ADFS and DB Authentication?


Bobby Esfandiari

Sep 3, 2019, 7:34:36 PM
to CAS Community
Hello,

I've been using CAS + DB Authentication for a number of services. Now I need to integrate ADFS for a new client's users, but I'd like to retain the ability to authenticate using the existing database. I've searched previous topics and the CAS docs, but could not find a direct answer.

I'd like to know if this is possible and if so, what would be the best way of implementing it? I have some experience with the overlay functionality (if that's needed), but I do not know the classes that would have to be extended in this case.

Thank you!

Ray Bon

Sep 4, 2019, 12:21:05 PM
to cas-...@apereo.org
Bobby,

Authentication options are processed in the order they are listed in the properties.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Bobby Esfandiari

Sep 4, 2019, 1:32:56 PM
to CAS Community
Hi Ray,

I should've been a bit more specific.
I want to be able to hit CAS from web and mobile clients.
I can pass along a domain parameter with the request to determine whether the authentication process should use the database or ADFS.

What I'd like to be able to do on the CAS side is extend the login functionality to:
1 - run some logic to verify the domain for that user
2 - direct the request to either the DB authentication or ADFS
3 - possibly do some manual manipulation of the attributes in the response

I've looked through the ADFS Integration page and I only see info about modifying the claims.
I already have a gradle overlay in place for running some custom logic around the db authentication, but I'm not sure how to override the functionality I'm looking for in points (1) and (2).

Bobby Esfandiari

Sep 19, 2019, 6:15:52 PM
to CAS Community
Just wanted to add an update based on the progress I've made so far...

I added the properties outlined in the docs, based on my configuration, to the top of the properties file (before the cas.authn.jdbc entries):
cas.authn.wsfed[0].identityProviderUrl=https://test.adfs.com/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=https://test.adfs.com/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=https://my.cas.com
cas.authn.wsfed[0].identityAttribute=E-Mail Address
cas.authn.wsfed[0].signingCertificateResources=file:/certs/adfs.cer
cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].tolerance=10000
cas.authn.wsfed[0].autoRedirect=false
cas.authn.wsfed[0].name=ADFS

# Private/Public keypair used to decrypt assertions, if any.
cas.authn.wsfed[0].encryptionPrivateKey=file:/certs/adfs-enc.key
cas.authn.wsfed[0].encryptionCertificate=file:/certs/adfs-enc.crt
cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE

When I look at the CAS logs, it identifies the following handlers for the request:
DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Candidate resolved authentication handlers for this transaction are [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@6a543e09, auth.CustomAuthenticationHandler@7ba1cdbe, org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@7c0e4e4e, org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler@1a66be41]]>

I modified my existing CustomAuthenticationHandler to not support the users of this domain so that all of the handlers fail until it gets to the WsFederationAuthenticationHandler. I assumed at this point CAS would use the properties I've added to authenticate the user by delegating authentication to ADFS, but instead I get this:

DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [ADFS] does not support the credential type [UsernamePasswordCredential(username=testUser@mydomain, source=null, customFields={})]. Trying next...>
cas_1                | 2019-09-19 21:39:51,804 DEBUG [org.apereo.cas.support.events.listener.LoggingCasEventListener] - <Authentication transaction failed for credential: [UsernamePasswordCredential(username=testUser@mydomain, source=null, customFields={})]

Does anyone know what needs to change here? Do I need to create another custom handler that extends WsFederationAuthenticationHandler and change it to also support UsernamePasswordCredential?

I'd appreciate any assistance.

Ray Bon

Sep 19, 2019, 6:51:59 PM
to cas-...@apereo.org
I think the 'does not support' message just means that the username:password could not be found in ADFS with the settings you provided.
It could be more than incorrect username and or password; could be bad keys/certs, typos in properties, ADFS config, maybe even network woes.
Check logs for ADFS.

Ray

Bobby Esfandiari

Sep 20, 2019, 12:07:14 PM
to CAS Community
Ray,

I don't have access to the ADFS server, so I will have to wait on the admin to get back to me on that.

I did look through the CAS src and it looks like that message is fired off in ../authentication/PolicyBasedAuthenticationManager.java when:
handler.supports(credential) == true

The supports method for WsFederationAuthenticationHandler is:
credentials != null && WsFederationCredential.class.isAssignableFrom(credentials.getClass())

Since the credentials are populated (I can see them in the logs), I can only assume that it's because it's failing to convert UsernamePasswordCredential into WsFederationCredential.

This is concerning since the WsFederationCredential looks like the token that should be created from the ADFS response, with the UsernamePasswordCredential being part of the request that is sent to ADFS for the delegated authentication process.

Am I misunderstanding some part of this process?

Regards,
Bobby
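The posts above describe gating a handler on the user's domain so that CAS skips it and moves on, and they quote the supports() check that decides this. As an added example (not the poster's CustomAuthenticationHandler, and not code from the CAS project), here is a username/password handler that refuses credentials for the ADFS-owned domain in supports() and delegates everything else to the existing database check. It assumes the CAS 5.3/6.x handler API; the class name, the federated domain value and the injected BiPredicate standing in for the database lookup are assumptions.

```java
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.function.BiPredicate;
import javax.security.auth.login.FailedLoginException;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.UsernamePasswordCredential;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.services.ServicesManager;

// Added example, not the poster's CustomAuthenticationHandler. Assumes the CAS 5.3/6.x handler
// API; the class name, the federated domain and the injected database check are placeholders.
public class DomainGatedAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    // Users of this domain belong to ADFS and must never be verified against the database.
    private final String federatedDomain;
    // The existing database check (username, plaintext password) -> valid, supplied at wiring time.
    private final BiPredicate<String, String> databaseCheck;

    public DomainGatedAuthenticationHandler(String name, ServicesManager servicesManager, PrincipalFactory principalFactory,
                                            Integer order, String federatedDomain, BiPredicate<String, String> databaseCheck) {
        super(name, servicesManager, principalFactory, order);
        this.federatedDomain = federatedDomain.toLowerCase();
        this.databaseCheck = databaseCheck;
    }

    /** Domain part of a user@domain name, lower-cased; null when the name carries none. */
    static String domainOf(String username) {
        int at = username == null ? -1 : username.lastIndexOf('@');
        return at < 0 || at == username.length() - 1 ? null : username.substring(at + 1).toLowerCase();
    }

    // PolicyBasedAuthenticationManager calls supports() before authenticate(); returning false is what
    // produces the "does not support the credential type ... Trying next..." line quoted in the thread.
    @Override
    public boolean supports(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) return false;
        String domain = domainOf(((UsernamePasswordCredential) credential).getUsername());
        return !federatedDomain.equals(domain);
    }

    @Override
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
            UsernamePasswordCredential credential, String originalPassword) throws GeneralSecurityException, PreventedException {
        if (!databaseCheck.test(credential.getUsername(), originalPassword)) {
            throw new FailedLoginException("Invalid credentials for " + credential.getUsername());
        }
        return createHandlerResult(credential, principalFactory.createPrincipal(credential.getUsername()), new ArrayList<>(0));
    }
}
```

The same supports() gate is why WsFederationAuthenticationHandler never accepts a UsernamePasswordCredential: it only supports WsFederationCredential, so a password form post is logged as unsupported and passed to the next handler.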

Ray Bon

Sep 20, 2019, 12:27:25 PM
to cas-...@apereo.org
Bobby,

I have not used ADFS so I am unable to comment.
Hopefully someone else on the list has a better understanding of it.

Ray

Bobby Esfandiari

Sep 20, 2019, 1:36:25 PM
to CAS Community
Thanks Ray,
I'd think this is a fairly common scenario, so not sure why it's been so difficult to find information around it. Hopefully someone with more experience can chime in.