CAS 6.3 + SAML


Bartosz Nitkiewicz

Mar 17, 2021, 9:21:44 AM
to CAS Community
service.xml

Richard Frovarp

Mar 17, 2021, 11:49:11 AM
to cas-...@apereo.org
Did you provide the app your IdP generated metadata or provide the SP with the information in a different method? As that's the wrong end point for the SP to be sending you to:

Bartosz Nitkiewicz

Mar 17, 2021, 1:26:38 PM
to CAS Community, richard.frovarp
Hi,
Thanks for the reply.
What do you mean by "your IdP generated metadata"?

I did something like this, as they recommended: https://help.servicedeskplus.com/saml-authentication$configuration

As the login URL I've provided https://myserver.org/cas/idp; I don't know if that is the correct URL.
I'm wondering what the Assertion Consumer URL is and where I should place it.

Also I've uploaded my certificate.

My cas.properties for SAML looks like this:

## SAML2 ##

cas.authn.saml-idp.entity-id: ${cas.server.prefix}/idp
cas.authn.saml-idp.metadata.location=file:/etc/cas/saml

and service registry for app:

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: MExx_6d2ea86d-b4e1-4473-8d4b-7a1378964e8b
  name: serwisapp
  id: 1615981648113
  proxyTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 2
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    excludeDefaultAttributes: true
    authorizedToReleaseAuthenticationAttributes: false
  }
  metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml <- (this is correct, as the cas-management app creates this directory)
  requiredAuthenticationContextClass: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  requiredNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  nameIdQualifier: ""
  signAssertions: true
  signingCredentialType: X509
  assertionAudiences: https://servicedeskplus.com/SamlResponseServlet
}

Regards,
BN

Richard Frovarp

Mar 17, 2021, 2:07:26 PM
to cas-...@apereo.org
The IdP automatically generates metadata. And the correct endpoints are
listed on this page, including the metadata endpoint:

https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html

Usually with SAML you provide the SP with a copy of your metadata,
ideally loaded from the URL automatically. If you need to provide
separate URLs to the SP, you'll find the correct ones in the metadata
and/or using the paths from documentation.

On Wed, 2021-03-17 at 10:26 -0700, Bartosz Nitkiewicz wrote:
> Hi,

Bartosz Nitkiewicz

Mar 18, 2021, 9:05:48 AM
to CAS Community, richard.frovarp
Thank you once again.
As you said, SAML profiles did the trick. It seems to work fine. Now I have to pass the user name from my LDAP to the SAML SP. First I need to figure out the proper value for authorization.
Regards
BN

Bartosz Nitkiewicz

Mar 19, 2021, 4:47:56 AM
to CAS Community, Bartosz Nitkiewicz, richard.frovarp
One more thing. How can I change the LDAP user name from sAMAccountName to univ\sAMAccountName? Is it possible?

Ray Bon

Mar 19, 2021, 11:30:44 AM
to cas-...@apereo.org
Bartosz,


Ray

On Fri, 2021-03-19 at 01:47 -0700, Bartosz Nitkiewicz wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Bartosz Nitkiewicz

Mar 19, 2021, 1:45:20 PM
to CAS Community, Ray Bon
How do I set up CAS to pass the desired attribute?

I have this in my app.json. Is it OK?
{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: MExxx_05efd170-38cd-4893-9631-6891575asa197
  name: serwis
  id: 1616175519923

  proxyTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 2
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
    usernameAttribute: sAMAccountName

  }
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    excludeDefaultAttributes: true
    authorizedToReleaseAuthenticationAttributes: false
  }
  metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml
  requiredNameIdFormat: org.opensaml.saml.saml2.metadata.impl.NameIDFormatImpl@2afbaa5
  signAssertions: true
  signingCredentialType: X509
}

Bartosz Nitkiewicz

Mar 22, 2021, 12:03:03 PM
to CAS Community, Bartosz Nitkiewicz, Ray Bon
I'm still trying to use CAS as the SAML authenticator for my ServiceDesk Plus app. The username has to be in the format domain\user.
I want to use my LDAP sAMAccountName as the user, but I don't know how to prepare a regexp to get domain\sAMAccountName. I have read https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html and prepared attribute-defns.json:

{
    "@class" : "java.util.TreeMap",
    "userID" : {
      "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
      "key" : "userID",
      "friendlyName" : "userID",
      "patternFormat": "domail\\{0}",
      "attribute" : "sAMAccountName"
    }
}

I load it in my cas.properties:
...
cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attribute-defns.json
...

Here is my SAML app JSON file.

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: fashdfk3289_duhfdsf
  name: serwis
  id: 1616411747419

  proxyTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 2
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    principalIdAttribute: userID
    allowedAttributes:
    [
      java.util.ArrayList
      [
        userID
      ]
    ]
  }
  metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml
  requiredNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  signAssertions: true
  signingCredentialType: X509
}

Can anyone tell me if I'm right?

Bartosz Nitkiewicz

Mar 22, 2021, 12:04:32 PM
to CAS Community, Bartosz Nitkiewicz, Ray Bon
This is of course not "patternFormat": "domail\\{0}", but "patternFormat": "domain\\{0}",

Richard Frovarp

Mar 22, 2021, 6:24:11 PM
to cas-...@apereo.org
If I'm understanding you correctly, I've never done it that way.

You are saying that you have an attribute already set up called sAMAccountName, right? And you want to release it to this system as domain\sAMAccountName as userID?

I've always done such a thing via Groovy attribute return with simple concatenation. 

Bartosz Nitkiewicz

Mar 23, 2021, 1:17:42 AM
to cas-...@apereo.org
That's right. I had found it 2 hours before you replied to this post ;)
It's about releasing sAMAccountName as domain\sAMAccountName, done with an inline Groovy script.
Thank you once again.
Regards
BN
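The inline Groovy concatenation that the last two messages describe, written out as a complete SamlRegisteredService definition. This is an added example, not a file posted in the thread or shipped by the CAS project. The serviceId, name, id, metadata path and the domain prefix `univ` are placeholders; `attributes` (a map of attribute name to list of values) and `logger` are the variables CAS exposes to inline Groovy scripts in ReturnMappedAttributeReleasePolicy, and the `//` comments rely on the CAS JSON service registry tolerating HJSON-style comments.

```json
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  // placeholder: the SP entityID as it appears in the SP metadata
  "serviceId" : "https://sp.example.test/SamlResponseServlet",
  "name" : "servicedesk-example",
  "id" : 1000,
  "evaluationOrder" : 2,
  // placeholder path; single-slash file: URL so no host part is parsed
  "metadataLocation" : "file:/etc/cas/saml/sp-metadata-PLACEHOLDER.xml",
  "requiredNameIdFormat" : "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "signAssertions" : true,
  "signingCredentialType" : "X509",
  // NameID is taken from the released userID attribute below
  // (assumes the username provider sees attributes produced by the release policy)
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "userID"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      // JSON "\\\\" -> Groovy source '\\' -> one literal backslash in the value.
      // Returning null when sAMAccountName is absent is assumed to drop the
      // attribute rather than release an empty "univ\" prefix.
      "userID" : "groovy { def acct = attributes['sAMAccountName']; if (!acct) { logger.warn('sAMAccountName missing, userID not released'); return null }; return 'univ\\\\' + acct[0] }"
    }
  }
}
```

For a principal whose sAMAccountName is jdoe this yields userID = univ\jdoe and, through the username provider, the same value as the SAML NameID. The four backslashes are the part that most often goes wrong: JSON unescapes them to two, and Groovy's single-quoted string unescapes those to one. Verify the result on a test login by inspecting the assertion the SP receives rather than only the CAS logs, since the NameID and the released attribute are produced by different components.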