CAS 5.2.6 + Delegated Authentication + SAML + Azure AD =>


Raghavan TV

Sep 19, 2018, 3:34:41 PM
to CAS Community
Hi All

I am testing CAS 5.2.6 in delegated authentication mode against Azure AD.

When we get a SAML response back from the IdP, I am redirected to the CAS "Unauthorized Access" page.

The logs indicate the following errors

2018-09-19 19:28:09,358 ERROR [org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator] - <Current assertion validation failed, continue with the next one>
org.pac4j.saml.exceptions.SAMLException: Signature is not trusted
        at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:704) ~[pac4j-saml-2.3.1.jar:?]
...
...
2018-09-19 19:28:09,363 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <The request requires http action>
org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response
...
...

Any pointers on which cert should be imported into the keystore?


Thanks 
Raghavan



Raghavan TV

Sep 23, 2018, 11:04:48 PM
to CAS Community
This issue is resolved; I had to use the IdP metadata obtained from the Azure AD portal.
Now delegated authentication against Azure AD with CAS 5.2.6 is working. (The same with CAS 5.3.3 is failing, but that is a separate issue to be resolved.)

Raghavan

Jason Brooks

Dec 3, 2018, 4:27:01 PM
to CAS Community
We're looking at integrating CAS with Azure AD for authentication. How did you get CAS linked up with Azure AD? We've not been able to find any docs to help on this.

Thanks,
J

Raghavan TV

Dec 20, 2018, 9:32:58 PM
to cas-...@apereo.org
Hi Jason

We configured the CAS server as the SP and used the Azure AD SAML endpoint as
the IdP. There were issues in the latest 5.2.6 and I remember falling
back to 5.2.3 (will cross-check).
Let me know if you are still facing issues and I shall share our configuration.

Thanks
-Raghav

Mike Kriwonos

Dec 21, 2018, 3:59:52 PM
to cas-...@apereo.org
Hi Jason,
I know we had problems with CAS 5.3.x, PAC4J and SAML because additional parameters sent in the AuthN request were not accepted by the Azure IdP. However, we fell back to CAS 5.2.6, with PAC4J delegation to Azure. It looks like CAS does not like the signature on the Azure assertion. Do you have PAC4J requiring signing? Make sure you have a valid URL in the CAS properties for the Azure CAS application's metadata. Also make sure your endpoints match, especially that the Assertion Consumer URL you configure in Azure matches what is in your CAS SP-metadata.xml file and that the index matches. CAS supports multiple delegations and therefore could have multiple PAC4J SP definitions.
Just to test, try disabling the signed-responses requirement and see if it works or you get further.

I will have to open up our Azure App config and Cas.properties to give more details.

Mike K.


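The two checks raised in this thread (the "Signature is not trusted" error resolved by loading the IdP metadata from the Azure portal, and Mike's advice to match the Assertion Consumer Service URL and index between Azure and the CAS SP metadata) can be verified offline before touching the keystore. The script below is an added example, not code from the thread or from CAS/pac4j: it fingerprints the signing certificates declared in IdP metadata, checks that the certificate carried in a SAML Response is one of them, and checks that a Reply URL and index exist in the SP metadata. The certificates, entity IDs and the `client_name=AzureAD` callback URL are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
X509 = "{%s}X509Certificate" % NS["ds"]  # Clark notation for Element.iter()

def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes of a base64 <ds:X509Certificate> value."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def idp_signing_fingerprints(idp_metadata_xml: str) -> set:
    """Certs the IdP metadata declares for signing (use="signing" or no use attribute)."""
    fps = set()
    for kd in ET.fromstring(idp_metadata_xml).findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key never vouches for a signature
        fps.update(cert_fingerprint(c.text) for c in kd.iter(X509))
    return fps

def response_signing_fingerprints(saml_response_xml: str) -> set:
    """Certs embedded in <ds:Signature> elements of a Response or Assertion."""
    sigs = ET.fromstring(saml_response_xml).findall(".//ds:Signature", NS)
    return {cert_fingerprint(c.text) for s in sigs for c in s.iter(X509)}

def signature_cert_trusted(idp_metadata_xml: str, saml_response_xml: str) -> bool:
    """True only if every signing cert in the response is declared by the IdP metadata."""
    found = response_signing_fingerprints(saml_response_xml)
    return bool(found) and found <= idp_signing_fingerprints(idp_metadata_xml)

def acs_matches(sp_metadata_xml: str, reply_url: str, index: int) -> bool:
    """The Azure Reply URL must equal an SP AssertionConsumerService Location with that index."""
    acs_list = ET.fromstring(sp_metadata_xml).findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return any(a.get("Location") == reply_url and a.get("index") == str(index) for a in acs_list)

# Constructed placeholders: not real certificates, only distinct byte strings for fingerprinting.
AZURE_CERT = base64.b64encode(b"constructed placeholder for the Azure AD signing cert").decode()
STALE_CERT = base64.b64encode(b"constructed placeholder for an old cert in the keystore").decode()
CALLBACK = "https://cas.example.org/cas/login?client_name=AzureAD"  # assumed CAS delegated-client callback
IDP_METADATA = f'''<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>{AZURE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>'''
SP_METADATA = f'''<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://cas.example.org/cas/sp">
 <md:SPSSODescriptor><md:AssertionConsumerService index="0" Location="{CALLBACK}"/></md:SPSSODescriptor>
</md:EntityDescriptor>'''

def sample_response(cert: str) -> str:
    """Constructed minimal Response carrying only the signer's certificate (no real signature)."""
    return f'''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS["ds"]}">
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>'''
```

A response signed with a certificate absent from the metadata (for example after Azure rotates its signing key) fails `signature_cert_trusted`, which is the same condition pac4j reports as "Signature is not trusted"; refreshing the IdP metadata from the portal is the fix, not adding arbitrary certs to the keystore.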

Michael Dumdei

Jan 30, 2020, 10:58:24 AM
to CAS Community
I know this is an old thread, but we are trying to do the same thing. I would like to see a sanitized version of your configs for a starting point if you don't mind sharing.

Oscar Alonso

Jun 16, 2021, 9:29:00 AM
to CAS Community, Michael Dumdei
Hello, Michael.

If you were able to make progress with that configuration, I would love to see your sanitized configuration files. 
CAS documentation on this subject is very sparse and I'm having a hard time finding out what configuration I need to do.

Thanks in advance.

Raghavan TV

Jun 17, 2021, 12:03:35 PM
to CAS Community, oal...@mailteck.com, Michael Dumdei
Hello

I've attached a sanitized cas.properties which worked for us. We used CAS 5.2.6 with the Azure IdP (SAML),
Tomcat 9.0.46 and
JDK 8.
We also use the service registry to map SAML attribute translation.

Hope this helps

-Raghav

Raghavan TV

Jun 17, 2021, 12:04:55 PM
to CAS Community, Raghavan TV, oal...@mailteck.com, Michael Dumdei
sample-100.json

Raghavan TV

Jun 17, 2021, 12:07:10 PM
to CAS Community, Raghavan TV, oal...@mailteck.com, Michael Dumdei
cas-sanitized-config.png
