Questions about migrating CAS 3.5.2 to CAS 6.2.2

Joseph Zhou

unread,

Jan 28, 2021, 10:03:13 AM1/28/21

to CAS Community

Hi, folks,

We are having issue to migrate SP from an old CAS 3.5.2 to a new CAS 6.2.2 server.

In the old server 3.5.2, it was configured as:

<list>

<value>UDC_IDENTIFIER</value>

</list>

</property>

</bean>

On the new server 6.2.2 we tried different ways (no luck on any one), now it is:

{

"@class": "org.apereo.cas.services.RegexRegisteredService",

"serviceId": "https://banner-dev.wccnet.edu/balancer-manager",

"name": "CASbanfrontdev",

"id": 1010,

"evaluationOrder": 20,

"usernameAttributeProvider" : {

"@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",

"usernameAttribute" : "username"

}

"attributeReleasePolicy" : {

"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",

"allowedAttributes" : [ "java.util.ArrayList", ["username"]]

}

When connecting to the old server, we got in the SP httpd log (the SP needs username):

207.73.128.2 - hpjozou [27/Jan/2021:17:23:08 -0500] "GET /balancer-manager?ticket=ST-235770-aDCGnkjkNkZDuaZ11w

1f-login.wccnet.edu HTTP/1.1" 302 234 "https://login.wccnet.edu/cas/login?service=https%3a%2f%2fbanner-dev.wc

cnet.edu%2fbalancer-manager" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"

"-" - 443 banner-dev.wccnet.edu 0 43528 98087m -,-

207.73.128.2 - hpjozou [27/Jan/2021:17:23:08 -0500] "GET /balancer-manager HTTP/1.1" 200 980 "https://login.wc

cnet.edu/cas/login?service=https%3a%2f%2fbanner-dev.wccnet.edu%2fbalancer-manager" "Mozilla/5.0 (Windows NT 1

0.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0" "-" on 443 banner-dev.wccnet.edu 0 43528 877m -,-

On connecting to the new one, we got in the SP httpd log:

207.73.128.2 - - [27/Jan/2021:17:31:34 -0500] "GET /balancer-manager HTTP/1.1" 302 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" "-" - 443 banner-dev.wccnet.edu 0 43962 260m -,-

207.73.128.2 - - [27/Jan/2021:17:31:59 -0500] "GET /balancer-manager?ticket=ST-1-mm7K5F-4Bu-nqhrLD-3DDcJiuws-cas2 HTTP/1.1" 401 381 "https://cas2.wccnet.edu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" "-" - 443 banner-dev.wccnet.edu 0 43962 93523m -,-

Then, we ended up to Unauthorized in the SP page after CAS authentication going through the new CAS.

Our questions:

- How could we make sure the username was responded to the SP?

- How could we see the xml file responded in the new CAS 6.2.2 server for CAS 2.0?

- How could we see the xml file responded in the SP httpd log?

Thank you very much for your help!

Joe

Ray Bon

unread,

Jan 28, 2021, 12:14:06 PM1/28/21

to cas-...@apereo.org

Joseph,

To see what the cas server is finding for attributes, use this logger:

<!-- DEBUG Found principal attributes [...] for [username]

Attribute policy [???] allows release of [...] for [username]

Final collection of attributes allowed are: [...] -->

We also use map UDC_IDENTIFIER in the service definition. See, https://apereo.github.io/cas/6.2.x/integration/Attribute-Release-Policies.html#return-mapped.

Ray

On Thu, 2021-01-28 at 07:03 -0800, Joseph Zhou wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

--

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Joseph Zhou

unread,

Jan 28, 2021, 1:17:09 PM1/28/21

to CAS Community, Ray Bon

Hi, Ray,

Thank you very much for your quick response!

I'll try test again, and see how it goes.

Appreciated your time and kind help very much!

Best Regards,

Joe

Reply all

Reply to author

Forward