CAS 6.6, shib-cas-authn v4, entityId?
87 views
Skip to first unread message
Baron Fujimoto
Jun 15, 2023, 2:54:55 AM6/15/23
to CAS Community
We're using CAS 6.6 as an AuthN front end using Unicon's shib-casn-authn (v4)[*] plugin for the Shibboleth IdP.
We have it working for the IdP generally, but now we'd like to apply more specific actions based for certain entityIds.
For example, given an entityId="FooBar", this may appear in the Tomcat access log as:
"GET /cas/login?renew=true&service=https%3A%2F%2Fexample%2Eedu%2Fidp%2FAuthn%2FExternal%3Fconversation%3De1s2&entityId=FooBar HTTP/1.1"
If I use a serviceId regex like:
"^https://example\\.edu/idp/Authn/External.+"
It will match anything coming from the IdP via the shib-cas plugin.
However, as soon as I try to match on a particular entityId of interest, the serviceId regex fails. E.g.:
"^https://example\\.edu/idp/Authn/External.+entityId=FooBar.+"
CAS appears to drop all the parameters after the "&". I.e. this is sufficient to cause a non-match for anything:
"^https://example\\.edu/idp/Authn/External.+entityId.+"
On the CAS side, it only appears to see the service as:
Is there a way to use the entityId serviceId regex to accomplish our goal?
CAS does seem to actually capture the entityId, because it shows up in logs like:
DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service [AbstractWebApplicationService(id=https://example.edu/idp/Authn/External?conversation=e1s2, originalUrl=https://example.edu/idp/Authn/External?conver
sation=e1s2, artifactId=null, principal=foo_user, source=service, loggedOutAlready=false, format=XML, attributes={service=[https://example.edu/idp/Authn/External?conversation=e1s2], entityId=[FooBar], renew=[true], conversation=[e1s2]})] from the context>
sation=e1s2, artifactId=null, principal=foo_user, source=service, loggedOutAlready=false, format=XML, attributes={service=[https://example.edu/idp/Authn/External?conversation=e1s2], entityId=[FooBar], renew=[true], conversation=[e1s2]})] from the context>
Although the log suggests it is assigned to an (context?) attribute, this doesn't seem to be accessible to the ABAC type accessStrategy. For example, this doesn't seem to work in the service registration:
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"requiredAttributes" : {
"@class" : "java.util.HashMap",
"entityId" : [ "java.util.HashSet", [ "FooBar" ] ],
}
}
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"requiredAttributes" : {
"@class" : "java.util.HashMap",
"entityId" : [ "java.util.HashSet", [ "FooBar" ] ],
}
}
Is there a way to accomplish our goal using entityId via an accessStrategy if not via the serviceId regex?
Or is there some other recommended way of going about this?
[*] shib-cas-authn: <https://github.com/Unicon/shib-cas-authn>
-- Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
Pascal Rigaux
Jun 15, 2023, 3:10:19 AM6/15/23
to cas-...@apereo.org
Hi,
You need to use "shibcas.entityIdLocation=embed" in shib-cas-authn
You may also need "idp.session.enabled = false" (or my simple
alternative https://github.com/Unicon/shib-cas-authn/pull/8 which does
not break shib idp SLO)
cu
Baron Fujimoto <ba...@hawaii.edu> a écrit :
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to cas-user+u...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL3OSz1wh_d8UOEYsVKwcAQoUB0z8GNJq8rS9pQGFb4rdg%40mail.gmail.com.
--
Pascal Rigaux
You need to use "shibcas.entityIdLocation=embed" in shib-cas-authn
You may also need "idp.session.enabled = false" (or my simple
alternative https://github.com/Unicon/shib-cas-authn/pull/8 which does
not break shib idp SLO)
cu
Baron Fujimoto <ba...@hawaii.edu> a écrit :
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to cas-user+u...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL3OSz1wh_d8UOEYsVKwcAQoUB0z8GNJq8rS9pQGFb4rdg%40mail.gmail.com.
--
Pascal Rigaux
Ray Bon
Jun 15, 2023, 12:33:59 PM6/15/23
to cas-...@apereo.org
Baron,
You could configure Shib to use SAML2 proxy with Cas as a SAML2 IdP.
With the Shib Cas plugin, you are authenticating for Shib as a service, rather than the entity which is the destination (FooBar).
Ray
On Wed, 2023-06-14 at 09:44 -1000, Baron Fujimoto wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
Baron Fujimoto
Jun 15, 2023, 4:43:14 PM6/15/23
to cas-...@apereo.org
Hi Pascal,
Shouldn't I be able to simulate this from CAS itself for testing purposes? E.g. If I try the following as a test URL:
It appears to generate a request to our CAS that is functionally equivalent to one coming from our IdP using the shib-cas-authn plugin. If that's the case, then it seems like what's awry should be on the CAS config side, and not the IdP/shib-cas-authn config?
Ray,
Our longer term plan is to consolidate our CAS and SAML protocols into one service, but until we do so, we're trying to keep their legacy division of labor separate.
On Wed, Jun 14, 2023 at 9:10 PM 'Pascal Rigaux' via CAS Community <cas-...@apereo.org> wrote:
Hi,
You need to use "shibcas.entityIdLocation=embed" in shib-cas-authn
You may also need "idp.session.enabled = false" (or my simple
alternative https://urldefense.com/v3/__https://github.com/Unicon/shib-cas-authn/pull/8__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd45lsG2K$ which does
not break shib idp SLO)
cu
Baron Fujimoto <ba...@hawaii.edu> a écrit :
> We're using CAS 6.6 as an AuthN front end using Unicon's shib-casn-authn
> (v4)[*] plugin for the Shibboleth IdP.
>
> We have it working for the IdP generally, but now we'd like to apply more
> specific actions based for certain entityIds.
>
> For example, given an entityId="FooBar", this may appear in the Tomcat
> access log as:
>
> "GET
> /cas/login?renew=true&service=https%3A%2F%2Fexample%2Eedu%2Fidp%2FAuthn%2FExternal%3Fconversation%3De1s2&entityId=FooBar
> HTTP/1.1"
>
> If I use a serviceId regex like:
>
> It will match anything coming from the IdP via the shib-cas plugin.
>
> However, as soon as I try to match on a particular entityId of interest,
> the serviceId regex fails. E.g.:
>
> CAS appears to drop all the parameters after the "&". I.e. this is
> sufficient to cause a non-match for anything:
>
> On the CAS side, it only appears to see the service as:
>
> Is there a way to use the entityId serviceId regex to accomplish our goal?
>
> CAS does seem to actually capture the entityId, because it shows up in logs
> like:
>
> DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located
> service [AbstractWebApplicationService(id=
> https://urldefense.com/v3/__https://example.edu/idp/Authn/External?conversation=e1s2__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erdx9RrxnZ$ , originalUrl=
> https://urldefense.com/v3/__https://example.edu/idp/Authn/External?conver__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd1Bq1bMB$
> sation=e1s2, artifactId=null, principal=foo_user, source=service,
> loggedOutAlready=false, format=XML, attributes={service=[
> entityId=[FooBar], renew=[true], conversation=[e1s2]})] from the context>
>
> Although the log suggests it is assigned to an (context?) attribute, this
> doesn't seem to be accessible to the ABAC type accessStrategy. For example,
> this doesn't seem to work in the service registration:
> "accessStrategy" : {
> "@class" :
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "requiredAttributes" : {
> "@class" : "java.util.HashMap",
> "entityId" : [ "java.util.HashSet", [ "FooBar" ] ],
> }
> }
>
> Is there a way to accomplish our goal using entityId via an accessStrategy
> if not via the serviceId regex?
>
> Or is there some other recommended way of going about this?
>
> [*] shib-cas-authn: <https://urldefense.com/v3/__https://github.com/Unicon/shib-cas-authn__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd_8LZ0OQ$ >
> --
> Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>
> --
> - Website: https://urldefense.com/v3/__https://apereo.github.io/cas__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd9snG5t-$
> - Gitter Chatroom: https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd9patjoi$
> - List Guidelines: https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd0XdBQ6V$
> - Contributions: https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd7UYH-OT$
> ---
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to cas-user+u...@apereo.org.
> To view this discussion on the web visit
> https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL3OSz1wh_d8UOEYsVKwcAQoUB0z8GNJq8rS9pQGFb4rdg*40mail.gmail.com__;JQ!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd80iTwQ5$ .
--
Pascal Rigaux
--
- Website: https://urldefense.com/v3/__https://apereo.github.io/cas__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd9snG5t-$
- Gitter Chatroom: https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd9patjoi$
- List Guidelines: https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd0XdBQ6V$
- Contributions: https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd7UYH-OT$
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/20230615091002.Horde.PpIVcaF2IsERIA1tLKtPJAC*40courrier.univ-paris1.fr__;JQ!!PvDODwlR4mBZyAb0!XOw8cogLISTxBKxS_kOIBL7GNkSzLTjXE8c__kXWVnT1EfrcmHyntXM5NGMnA1Tn_79jc7erd0OjFMzA$ .
Daniel Ellentuck
Jun 15, 2023, 11:21:43 PM6/15/23
to cas-...@apereo.org
Hi Baron,
As Pascal Rigaux wrote earlier today, if you want CAS to distinguish shib-cas-authn plugin requests by entityId and match different entityIds with different registered services, you'll want to set "shibcas.entityIdLocation=embed" in shib-cas-authn, so that the entire service value including the '&' and entityId=[value] gets urlencoded, that is, with the entityId embedded. Likewise, when you mock up the shib-cas connector behavior, you'll want to urlencode the entire service value including the entityId.
Dan Ellentuck
Columbia University I.T.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0eXfzECyt6E6e20ph01sdjyAvffa%2BwiB7N99ZmSXD9Aw%40mail.gmail.com.
Baron Fujimoto
Jun 26, 2023, 3:17:13 PM6/26/23
to cas-...@apereo.org
Ah, I think my issue testing this in CAS was that I had missed a couple of characters that also needed to be urlencoded. Also, as noted shibcas.entityIdLocation=embed must be set in idp.properties to actually get shib-cas-authn to pass along the entityId as well. Mahalo!
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFqYg5JAHkBWUDvJNBMTBd0fjXibee5ubB-9Dn8W_38SeXvC2w%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages