CAS (6.2.6) using delegated authentication to Azure
213 views
Skip to first unread message
Paul Chauvet
Jan 8, 2021, 10:58:13 AM1/8/21
to cas-...@apereo.org
Hi all,
I'm trying to setup a new CAS 6.2.6 environment to eventually replace our 5.3.x environment. Unlike our current environment (where we do regular LDAP authentication against on-prem Active Directory) - I wanted to setup delegated authentication, pointed at
Azure AD.
I started by following the steps at the blog post below - but I feel like I'm missing something as I can't get it working.
(Apologies for the long email - wanted to make sure I have as much info as possible on my environment and the errors).
My environment is RHEL 8 with OpenJDK 11 and Tomcat
9.0.41.
What I've done:
- In Azure, I created an Enterprise Application within Azure, and within Single Sign-on chose SAML.
- For CAS - I've built via gradle via the cas-overlay-template. Beyond the default, I've included the following dependencies:
compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-pm-webflow:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-jmx:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-generic:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-hazelcast-monitor:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-metrics:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-core-monitor:${project.'cas.version'}"
-
Within cas.properties I have:
cas.authn.pac4j.saml[0].keystorePassword=<REDACTED>
cas.authn.pac4j.saml[0].privateKeyPassword=<REDACTED>
cas.authn.pac4j.saml[0].keystorePath=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org (is this right?)
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://login.microsoftonline.com/<REDACTED>/federationmetadata/2007-06/federationmetadata.xml?appid=<REDACTED>cas.authn.pac4j.saml[0].clientName=AzureADDev
- And defined a single CAS service:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "https://sts.windows.net/ebd45737-b352-4722-bb0c-9f539bcbfa65/",
"name" : "AzureAD-Dev",
"id" : 1593461500,
"evaluationOrder" : 50,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"delegatedAuthenticationPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
"allowedProviders" : [ "java.util.ArrayList", [ "AzureADDev" ] ]
}
}
}
What happens is when I go to CAS and click on the external identity provider, I get an error from Microsoft:
Sorry, but we’re having trouble signing you in.
AADSTS7500525: There was an XML error in the SAML message at line 2, position 701. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications.Request Id: 70508434-e2f2-4e05-a2a5-2f10ddae9500Correlation Id: e6abfced-3724-44ce-b005-b7f18aa812cfTimestamp: 2020-07-07T16:21:31ZMessage: AADSTS7500525: There was an XML error in the SAML message at line 2, position 701. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications.
If I try to go there from the Azure side (by choosing the CAS app in Azure), CAS says the application isn't authorized and shows the following in the CAS logs:
2021-01-08 10:54:10,298 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://login6deva.newpaltz.edu/cas/login?client_name=AzureADDev]>2021-01-08 10:54:10,298 ERROR [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <>2021-01-08 10:54:10,298 WARN [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <>org.apereo.cas.services.UnauthorizedServiceException:at org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:322) ~[cas-server-support-pac4j-webflow-6.2.6.jar:6.2.6]at org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:211) ~[cas-server-support-pac4j-webflow-6.2.6.jar:6.2.6]at org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:125) ~[cas-server-support-pac4j-webflow-6.2.6.jar:6.2.6]at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.6.RELEASE.jar:5.2.6.RELEASE]at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.2.RELEASE.jar:2.2.2.RELEASE]
....
(this continues for a long while - can provide the full stack trace if needed)
My apologies if I'm missing something obvious here - but I'd appreciate any ideas you may have.
P.S. I tried this again back in the Fall on CAS 6.1.6 but had the same issues (then pulled into a bunch of other unrelated projects so I'm only getting back to this months later).
Thanks!
Paul Chauvet
Ray Bon
Jan 8, 2021, 12:38:51 PM1/8/21
to cas-...@apereo.org
Paul,
I, too, received that error message with SAML delegation. I did get OIDC working.
It looks like the only build requirement is:
implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${casServerVersion}"
Ray
On Fri, 2021-01-08 at 15:58 +0000, Paul Chauvet wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
Paul Chauvet
Jan 13, 2021, 12:50:15 PM1/13/21
to cas-...@apereo.org
Hi all,
First - thanks to Ray for his response last week!
I'm still hoping to get this working via SAML - but I don't know where else to go here. Has anyone gotten this working (delegated authentication via SAML
to Azure)?
Alternatively - I'm trying to do this via OIDC as Ray indicated - but I'm not sure what I should be using for the "Redirect URI" in Azure? Should that be just our CAS server URL (i.e.
https://cas.domain.edu/cas/login)?
Thanks all!
Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Ray Bon <rb...@uvic.ca>
Sent: Friday, January 8, 2021 12:38 PM
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] CAS (6.2.6) using delegated authentication to Azure
Sent: Friday, January 8, 2021 12:38 PM
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] CAS (6.2.6) using delegated authentication to Azure
CAUTION: Message from a non-New Paltz email server. Treat message, links, and attachments with extra caution.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e3d978680da13451fa51cb6a5b365fbdbd48dad.camel%40uvic.ca.
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e3d978680da13451fa51cb6a5b365fbdbd48dad.camel%40uvic.ca.
Richard Schneider
Mar 2, 2021, 4:32:40 PM3/2/21
to CAS Community, chauvetp
Paul,
I got delegated SAML2 to Azure AD working for us. I had been hitting the same error message; after some manually-crafted XML trial-and-error, I found that I needed to set:
cas.authn.pac4j.saml[0].use-name-qualifier=false
Hopefully that helps!
Reply all
Reply to author
Forward
0 new messages