CAS delegated authentication to SAML IDP and CAS to act as SAML SP configurations

sairam aagiru

Jan 7, 2019, 4:06:12 AM
to CAS Community
Hi all,
      I'm trying to integrate CAS with SAML using the pac4j (cas-server-support-pac4j-webflow) support project from CAS by following the document below:
 I am using the SSO (ACS) URL https://witty.wavity.net/saml/login to consume the SAML assertion. Now, when the user gets logged in at the IdP, i.e. at Okta, it redirects to the ACS URL with a forbidden error. So how can I configure CAS to consume the SAML assertion from the IdP and have CAS grant a TGT to the SAML-asserted user?

Can you please help me out with the steps I need to follow at CAS once it receives the SAML assertion from any of the IdPs, and also with the steps to be followed at java-cas-client.

Thanks & Regards,
Sairam

Mike Kriwonos

Jan 7, 2019, 12:36:34 PM
to CAS Community

I am not sure exactly where you are having problems, but this is the high level process you need to work through:

1) Make sure CAS is built with the PAC4J-webflow dependency
        Use the Maven or Gradle properties defined here and use them for the cas.war build:  https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html

2) Configure SAML in the cas.properties file
See: Delegate authentication to an external SAML2 IdP

You may be able to start with some of the SAML keystore information (keystore password and private key password) blank, and CAS can generate the keystore on an initial test.
THIS IS ONLY FOR DEV and test purposes.  In a working DEV/PROD environment you should set up a real private key and keystore with passwords and enter this information in cas.properties using the pac4j.saml properties defined in the document above.

You need to fill in the pac4j.saml properties to provide a path to the SAML keystore, and CAS needs to be able to read from and write to that path to create and use the file.
You need to fill in the pac4j.saml properties to provide the IDP entity ID.
You need to fill in the pac4j.saml properties to provide a path to the IDP metadata.  This could be a file path or a URL. Either way CAS needs read permissions to the path.
I direct the metadata to /etc/cas/config and the keystores to another folder, /etc/cas/keystore.
If set up correctly and the keystore is usable, CAS will generate the sp-metadata.xml file.

The IDP will need the ACS and entity ID from the SP Metadata.

That should get you started.  If you have done ALL of this then please include details from logs, etc of where you are having problems.
Mike
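As an added example (not from this thread or the CAS project), here is a cas.properties fragment that wires up the pac4j SAML2 client along the lines Mike describes, with the dev-only blank-password variant commented out above the corrected form. The property names are assumed from the CAS 5.x Delegated Authentication reference linked above, the paths follow Mike's /etc/cas/config and /etc/cas/keystore layout, and every entity ID and password is a placeholder to be replaced.

```properties
# Added example, not the project's own configuration. Property names are assumed
# from the CAS 5.x delegated-authentication reference; values are placeholders.

# --- Dev/test only: blank passwords let CAS generate a throwaway keystore ---
# cas.authn.pac4j.saml[0].keystorePassword=
# cas.authn.pac4j.saml[0].privateKeyPassword=

# --- Corrected form: a real keystore protected by passwords ---
cas.authn.pac4j.saml[0].clientName=SAML2Client
cas.authn.pac4j.saml[0].keystorePath=/etc/cas/keystore/samlKeystore.jks
cas.authn.pac4j.saml[0].keystorePassword=CHANGE-ME-keystore-password
cas.authn.pac4j.saml[0].privateKeyPassword=CHANGE-ME-private-key-password

# SP side: CAS writes sp-metadata.xml here on first start, so the CAS
# process needs read AND write access to this directory.
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata.xml
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://cas.example.org/cas/PLACEHOLDER-SP-ENTITY-ID

# IdP side: metadata may be a file path or a URL; CAS only needs read access.
cas.authn.pac4j.saml[0].identityProviderMetadataPath=/etc/cas/config/idp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderEntityId=PLACEHOLDER-IDP-ENTITY-ID

# Maximum age (seconds) of an accepted authentication; clock skew between
# CAS and the IdP beyond this window makes assertion validation fail.
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=600
```

After a clean start, the ACS URL and SP entity ID that the IdP needs are the ones written into the generated sp-metadata.xml, not a URL chosen on the IdP side.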

sairam aagiru

Jan 8, 2019, 1:42:47 AM
to cas-...@apereo.org
Hi Mike,
      Thanks for the reply. I have done the configuration in CAS to delegate auth to the external IdP, so after the delegation the IdP will send the SAML response. What changes need to be done in CAS in order to consume that SAML assertion and grant a TGT?
I mean the CAS webflow, once it gets the SAML Response from the IdP.

Thanks & Regards,
Sairam


Mike Kriwonos

Jan 8, 2019, 9:12:58 AM
to CAS Community
Sairam,
If cas.properties is configured properly, the SAML keystore is accessible to CAS, the SP metadata was created successfully AND CAS has access to the IDP metadata, then that is it.  The PAC4J integration should include the code to consume the SAML response and issue a TGT.  If that is not happening you need to check the logs and perhaps turn them to debug.  Trace out the CAS startup and the loading of PAC4J modules and look for WARN and ERROR entries.

Then, once CAS is READY, tail the logs and initiate a login to CAS and look for messages about a bad signature, lack of trust, and whether the response contained a valid Principal to use to complete the Authn and issue the TGT.

I run CAS 5.2.6 on Tomcat 8.5.x, Java 8.

It would be helpful to see the errors you are getting in the logs to better understand what exactly is wrong with the response.  Is it encrypted with no matching key?  Is it not signed correctly?  Is there some time skew on the CAS servers greater than 5 minutes?  There are all kinds of reasons SAML will fail.

Mike