Integrating CAS 6.1 as ADFS client


Mallory, Erik

Jul 1, 2020, 4:25:26 PM7/1/20
to cas-...@apereo.org
Hello,
My institution would like to make CAS a client of ADFS. I started
working through the config and it mostly works EXCEPT passing the
Banner UDC_IDENTIFIER to a Banner application.
Here is the relevant config for ADFS:

cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
#cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
cas.authn.wsfed[0].identityAttribute=upn
cas.authn.wsfed[0].attributesType=BOTH
#cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].tolerance=10000
cas.authn.wsfed[0].attributeResolverEnabled=true
cas.authn.wsfed[0].autoRedirect=true
cas.authn.wsfed[0].name=
cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
cas.authn.wsfed[0].principal.principalAttribute=upn
cas.authn.wsfed[0].principal.returnNull=false

# Private/Public keypair used to decrypt assertions, if any.
cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
#cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE

Here is the Groovy script:

import org.apereo.cas.*
import java.util.*
import org.apereo.cas.authentication.*

def Map run(final Object... args) {
    // args[0] is the attribute map released by ADFS, args[1] is the CAS logger
    def attributes = args[0]
    def logger = args[1]
    logger.warn("Mutating attributes {}", attributes)
    // Expose the UPN under the name the Banner service expects, and keep upn as well
    return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
}

The service is configured to use the principal as UDC_IDENTIFIER, and
this configuration works for "regular" CAS logins.

I noticed these differences in the CAS logs between "regular" CAS auth
and ADFS client auth.

2:41 PM

ADFS

DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] using [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>

reg cas

2020-07-01 14:16:12,807 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service response builder [org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e] for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})]>

Looks like the principal is not making it to the Banner application in
the ADFS config.
Any help would be greatly appreciated.

--
Erik Mallory
Server Analyst
Wichita State University
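To make the log comparison in this post mechanical, here is an added example (not from the original post and not CAS code) that pulls the key=value fields out of the AbstractWebApplicationService toString in each DEBUG line and reports which fields differ between the ADFS-client flow and the regular CAS flow. The two sample lines are constructed from the entries quoted above, with the mail client's line breaks rejoined.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample lines, rejoined from the two DEBUG entries quoted in the post.
ADFS_LINE = (
    "DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - "
    "<Resolving candidate authentication event for service "
    "[AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, "
    "originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, "
    "artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] "
    "using [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>"
)
REGULAR_LINE = (
    "2020-07-01 14:16:12,807 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - "
    "<Located service response builder "
    "[org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e] "
    "for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, "
    "originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, "
    "artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})]>"
)

# The service toString is "AbstractWebApplicationService(k=v, k=v, ...)]"; values never contain
# commas except the braces of the attributes map, which is matched as one unit.
SERVICE_RE = re.compile(r"AbstractWebApplicationService\((.*?)\)\]")
FIELD_RE = re.compile(r"(\w+)=(\{.*?\}|[^,]*)")


def parse_service(line: str) -> Optional[Dict[str, str]]:
    """Return the service object's fields from a CAS DEBUG line, or None if the
    line carries no AbstractWebApplicationService."""
    m = SERVICE_RE.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in FIELD_RE.findall(m.group(1))}


def diff_services(a: str, b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Field-by-field differences between the service objects in two log lines."""
    fa, fb = parse_service(a) or {}, parse_service(b) or {}
    return {k: (fa.get(k), fb.get(k)) for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}


if __name__ == "__main__":
    for field, (adfs, regular) in diff_services(ADFS_LINE, REGULAR_LINE).items():
        print(f"{field}: adfs={adfs!r} regular={regular!r}")
```

On the two lines above this reports only principal (null vs f282c439) and source (service vs TARGET), which is exactly the pair the post singles out.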

Mallory, Erik

Jul 1, 2020, 5:43:30 PM7/1/20
to cas-...@apereo.org
I discovered that if I open a second tab I can get logged into the
Banner app just fine. Here's what I did:
I browse to the application I am attempting to authenticate to. I get
redirected to CAS, which redirects me to ADFS, where I enter my
credentials and then get passed to CAS and then to the application. I
get a "user/login denied invalid username/password" message from the
application. I open a second browser tab and point it at the
application and voila, I'm in. It works.
The only real difference I see in the logs is:
DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
<Signaling flow to redirect to service
, artifactId=null, principal=f282c439, source=service,
loggedOutAlready=false, format=XML, attributes={})] via event
[redirect]>

DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
<Signaling flow to redirect to service
, artifactId=null, principal=f282c439, source=TARGET,
loggedOutAlready=false, format=XML, attributes={})] via event
[redirect]>
Again, any help would be greatly appreciated.

--
Erik Mallory
Server Analyst
Wichita State University


Mallory, Erik

Jul 2, 2020, 3:26:28 PM7/2/20
to cas-...@apereo.org
As I go through the debug output looking for differences I've noticed that on
the initial session CAS does not send a SAML response to the
application.
The second session does send a SAML response.
Why would that be?

--
Erik Mallory
Server Analyst
Wichita State University


Mallory, Erik

Jul 9, 2020, 5:15:05 PM7/9/20
to cas-...@apereo.org
Sorry to bother you all with this. I'm out of ideas here. Again, any
help would be greatly appreciated. If anyone has a working config for
CAS as an ADFS client I'd love to see it. I'd also like to know if there
are changes elsewhere in the config that I need to make. I attempted to
configure a WordPress blog to use the Authorizer plugin. I get routed
through CAS to ADFS where I log in, then I get routed back to the app,
which routes me back to a CAS logout page.
Thanks,
--
Erik Mallory
Server Analyst
Wichita State University
