CAS 6.1 and sharepoint 2013

34 views

Skip to first unread message

mohamed gamal

unread,

Nov 28, 2019, 5:01:34 AM11/28/19

to CAS Community

Hello everyone,

I am trying to integrate CAS 6.1 and share point 2013. I managed to adjust the mapping and everything looks fine.

unfortunately I am getting this error from share point

[FailedAuthenticationException: The Audience URI could not be validated.]
   Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction) +147
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +322
   Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +127
   Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +147
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +508
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +323
   Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +138
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +75
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +93

on CAS side I get no error. I tried to investigate further and found that share point is looking for a different namespace than the one sent by cas

share point is looking for

<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
    <t:Lifetime>

But CAS returns :

<RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                                        xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                        xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                        xmlns:ns4="http://www.w3.org/2005/08/addressing"
                                        xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200802"
                                        >
    <RequestSecurityTokenResponse>

This is our service definition:

{
    "@class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
    "serviceId" : "^(https|http)://xxx.xxx.xxx.xxx(.*)",
    "realm" : "urn:org:apereo:cas:ws:idp:realm-CAS",
    "name" : "Simple WS fed test application",
    "id" : 101,
    "evaluationOrder" : 2,
    "tokenType" : "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
    "attributeReleasePolicy" : {
      "@class" : "org.apereo.cas.ws.idp.services.WSFederationClaimsReleasePolicy",
      "allowedAttributes" : {
        "@class" : "java.util.TreeMap",
        "USER_PRINCIPAL_NAME":"groovy { return attributes['mail'].get(0) }",
        "COMMON_NAME":"groovy { return attributes['displayName'].get(0) }",
        "ROLE":"file:/tmp/cas-service-registry/script.groovy",
        "EMAIL_ADDRESS":"groovy { return attributes['mail'].get(0) }"
      }
    }
    }

Any idea how can I solve this problem ??

kindest regards.

Reply all

Reply to author

Forward

0 new messages