We are looking to implement CAS as the authentication provider for Shib IDP. I am following the instructions in “Designate CAS the Authentication Provider for Shib IDP” (https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration#Shibboleth-CASIntegration-ShibbolizeCAS)
but am getting errors like:
12:38:44.685 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.HandlerManager service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'LoginHandler'. One of '{"urn:mace:shibboleth:2.0:idp:profile-handler":LoginHandler}' is expected.
And:
: Line 98 in XML document from /opt/shibboleth-idp/conf/handler.xml is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'LoginHandler'. One of '{"urn:mace:shibboleth:2.0:idp:profile-handler":LoginHandler}' is expected.
Line 98 in handler.xml is:
<LoginHandler xsi:type="RemoteUser">
Per the document, the only addition to handler.xml was:
<!-- Remote User handler for CAS support -->
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</AuthenticationMethod>
<AuthenticationMethod>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</AuthenticationMethod>
</LoginHandler>
Do more changes need to be made to handler.xml (or other config files)?
The other changes I made were to the web.xml file.
Thanks,
Niva
Niva Agmon
Temple University
-- You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
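The schema error quoted in this message names the namespace it expected (`urn:mace:shibboleth:2.0:idp:profile-handler`) and the element it found (an un-namespaced `LoginHandler`). The following is an added example, not code from the thread or from the Shibboleth or CAS projects: a small linter that resolves namespace prefixes the way the schema validator does and reports LoginHandler and AuthenticationMethod elements, or an xsi:type QName, that do not land in that namespace. The three handler.xml fragments are constructed for the example; it assumes the IdP 2.1+ handler.xml layout, which binds the namespace to the `ph:` prefix, alongside the older default-namespace layout.

```python
"""Added example (not code from the thread or from Shibboleth/CAS): lint a
Shibboleth IdP 2.x handler.xml fragment for LoginHandler elements that are
not in the profile-handler namespace, which is what the quoted
cvc-complex-type.2.4.a error reports."""
import io
import xml.etree.ElementTree as ET

PH_NS = "urn:mace:shibboleth:2.0:idp:profile-handler"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
CHECKED = {"LoginHandler", "AuthenticationMethod"}


def _split_tag(tag):
    """ElementTree spells a namespaced tag as '{uri}local'."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return None, tag


def lint_handler_xml(xml_text):
    """Return a list of problems (empty when the fragment will validate).

    Prefix bindings are tracked per element from iterparse's start-ns
    events so the xsi:type QName is resolved the way the schema validator
    resolves it; prefix '' is the default namespace.
    """
    problems = []
    scopes = [{}]      # stack of prefix -> URI maps, one per open element
    pending = {}       # declarations seen before their element's start event
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            prefix, uri = payload
            pending[prefix] = uri
        elif event == "start":
            scope = dict(scopes[-1])
            scope.update(pending)
            pending = {}
            scopes.append(scope)
            uri, local = _split_tag(payload.tag)
            if local not in CHECKED:
                continue
            if uri != PH_NS:
                problems.append(f"<{local}> is in namespace {uri!r}, expected {PH_NS}")
            xsi_type = payload.get(XSI_TYPE)
            if local == "LoginHandler" and xsi_type is not None:
                prefix, _, type_name = xsi_type.rpartition(":")
                if scope.get(prefix) != PH_NS:
                    problems.append(f"xsi:type={xsi_type!r} does not resolve into {PH_NS}")
        else:  # "end"
            scopes.pop()
    return problems


# Constructed fragments.  IdP 2.1+ ships handler.xml with the namespace
# bound to the ph: prefix; pasting the un-prefixed wiki snippet into it
# puts the new elements in no namespace at all.
BROKEN = """<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <LoginHandler xsi:type="RemoteUser">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
  </LoginHandler>
</ph:ProfileHandlerGroup>"""

FIXED = """<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
  </ph:LoginHandler>
</ph:ProfileHandlerGroup>"""

# An IdP 2.0-style file that makes the namespace the default also validates
# without prefixes, which is why the same snippet works on one install and
# fails on another.
DEFAULT_NS = FIXED.replace("xmlns:ph=", "xmlns=").replace("ph:", "")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED), ("default-ns", DEFAULT_NS)):
        print(label, lint_handler_xml(text) or "ok")
```

Run it against the real file with `lint_handler_xml(open("/opt/shibboleth-idp/conf/handler.xml").read())`; an empty list means every LoginHandler is in the namespace the schema expects, and each reported problem names the element or xsi:type value to prefix.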
Configuring Tomcat: https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare
Download the IDP source zip file from: http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/
Extract it to /opt/shibboleth-src/
Download the tomcat6-dta-ssl-1.0.0.jar file from http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar into the /usr/share/tomcat6/lib folder
Edit /usr/share/tomcat6/conf/server.xml, add the following connector:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
scheme="https"
SSLEnabled="true"
clientAuth="true"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="changemeplease" />
Install the IDP: https://spaces.internet2.edu/display/SHIB2/IdPInstall
Run ./install.sh from where you extracted the IDP source from above.
--This will install to /opt/shibboleth-idp by default
--Enter the FQDN of the server
--Enter the password you want to use for the keystore (make sure it's the same one as you used in the tomcat config file change above.)
--Restart tomcat after this is done, but before deploying the war file so that the new connector will come online
--Move the idp.war file from /opt/shibboleth-idp/war/ into /usr/share/tomcat6/webapps/
To verify that the IDP was installed correctly, browsing to this page: http://servername.domain.edu/idp/profile/Status should say "ok"
Connect Shibboleth to CAS: http://www.ja-sig.org/wiki/display/CASUM/Shibboleth-CAS+Integration
Download the latest cas-client-x.x.x.zip from http://www.ja-sig.org/downloads/cas-clients/
Copy cas-client-x.x.x/modules/cas-client-core-x.x.x.jar to
/opt/shibboleth-src/lib/
Edit /opt/shibboleth-idp/conf/handler.xml, add:
<!-- Remote User handler for CAS support -->
<!-- If your handler.xml binds the profile-handler namespace to a prefix
     (xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler", as the IdP 2.1+ template does),
     write ph:LoginHandler, xsi:type="ph:RemoteUser" and ph:AuthenticationMethod instead -->
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
to the LoginHandler section.
Edit /opt/shibboleth-src/src/main/webapp/WEB-INF/web.xml, add the following to the "context-param" section:
<!-- For CAS client support -->
<context-param>
<param-name>serverName</param-name>
<param-value>shib_server.domain.edu</param-value>
</context-param>
Add the following to the "filter" section:
<!-- CAS client filters -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas_server.domain.edu/cas/login</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas_server.domain.edu/cas/</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
To re-deploy Shibboleth after making these changes:
run /opt/shibboleth-src/install.sh
Hit <return> when prompted for the IDP software install location (the default is /opt/shibboleth-idp)
Hit <return> when asked if you want to overwrite the Shibboleth config (the default answer is "no")
Move the idp.war file from /opt/shibboleth-idp/war/ to /usr/share/tomcat6/webapps/
When you're testing with testshib.org, if you get random errors trying to deploy the war after changing the relying-party.xml file while following the instructions at https://www.testshib.org/testshib-two/configure.jsp - make sure the file used in "something like testshib.xml" is owned by tomcat:tomcat
ALSO COMMENT: Make sure to copy relying-party.xml.prod back to relying-party.xml when done testing!!
If you're pointing to a CAS with a self-signed cert, you can run this:
/usr/lib/jvm/java-1_6_0-ibm-1.6.0/jre/bin/keytool -import -alias myalias -keystore /usr/java/latest/jre/lib/security/cacerts -file /home/installers/my_root.cer
(where my_root.cer is a b64 version of the self-signed root CA cert)
If you get errors like:
SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
Throwable occurred: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by OU=Organizational CA, O=MY_ROOT is not trusted ...
If you get errors like:
Unable to establish security of incoming assertion.
Look at your /opt/shibboleth-idp/conf/relying-party.xml file and make sure your AnonymousRelyingParty and DefaultRelyingParty providers match the actual hostname, etc.
http://groups.google.com/group/shibboleth-users/browse_thread/thread/e3665fb0f9b23265?pli=1
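The web.xml changes above chain three CAS client filters onto /Authn/RemoteUser, and the servlet container runs them in the order their filter-mapping elements appear: AuthenticationFilter first (redirect to CAS), the ticket validation filter second (validate the service ticket and establish the session), HttpServletRequestWrapperFilter last (so getRemoteUser() is populated for the RemoteUser login handler). As an added example, not code from this message or from the CAS client, here is a check that parses a web.xml, verifies that order on the RemoteUser path, and flags two settings a practitioner would want caught: a casServerUrlPrefix that is not https (ticket validation would then carry the service ticket and returned username in clear text) and a missing serverName. The hostnames cas.example.edu and idp.example.edu and both web.xml documents are constructed for the example.

```python
"""Added example (not code from the thread or from the CAS client): check the
CAS client filter chain in a Shibboleth IdP web.xml.  Servlet filters run in
the order of their <filter-mapping> elements, so on /Authn/RemoteUser the
chain must be AuthenticationFilter -> ticket validation -> request wrapper."""
import xml.etree.ElementTree as ET

CAS_CHAIN = (
    "org.jasig.cas.client.authentication.AuthenticationFilter",
    "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter",
    "org.jasig.cas.client.util.HttpServletRequestWrapperFilter",
)
REMOTE_USER_PATH = "/Authn/RemoteUser"


def _local(tag):
    """Strip the '{uri}' part of a tag; web.xml uses a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _text(parent, name):
    for child in parent:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def _params(parent):
    """Collect <init-param>/<context-param> children as {name: value}."""
    return {_text(p, "param-name"): _text(p, "param-value")
            for p in parent if _local(p.tag) in ("init-param", "context-param")}


def check_cas_web_xml(web_xml_text, url_pattern=REMOTE_USER_PATH):
    """Return a list of problems with the CAS filter setup (empty means OK)."""
    root = ET.fromstring(web_xml_text)
    problems = []
    filters = {_text(e, "filter-name"): (_text(e, "filter-class"), _params(e))
               for e in root if _local(e.tag) == "filter"}
    chain = []   # filter classes mapped to url_pattern, in filter-mapping order
    for e in root:
        if _local(e.tag) == "filter-mapping" and _text(e, "url-pattern") == url_pattern:
            name = _text(e, "filter-name")
            chain.append(filters.get(name, (f"<undeclared filter {name!r}>", {}))[0])
    cas_order = tuple(c for c in chain if c.startswith("org.jasig.cas.client."))
    if cas_order != CAS_CHAIN:
        problems.append(f"CAS filters on {url_pattern} run as {list(cas_order)}, expected {list(CAS_CHAIN)}")
    for cls, params in filters.values():
        if cls == CAS_CHAIN[0] and "casServerLoginUrl" not in params:
            problems.append("AuthenticationFilter has no casServerLoginUrl")
        if cls == CAS_CHAIN[1]:
            prefix = params.get("casServerUrlPrefix", "")
            if not prefix.startswith("https://"):
                problems.append(f"casServerUrlPrefix={prefix!r}: ticket validation must use https, "
                                "or the service ticket and the returned username travel in clear text")
    # serverName builds the 'service' URL the client sends to CAS; it may be a
    # context-param (as in the thread) or an init-param on each CAS filter.
    if "serverName" not in _params(root) and not all(
            "serverName" in p for c, p in filters.values() if c in CAS_CHAIN[:2]):
        problems.append("serverName is set neither as a context-param nor on the CAS filters")
    return problems


# Constructed web.xml pieces mirroring the thread's configuration.
FILTERS = """
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name><param-value>https://cas.example.edu/cas/login</param-value></init-param>
  </filter>
  <filter><filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name><param-value>https://cas.example.edu/cas/</param-value></init-param>
    <init-param><param-name>redirectAfterValidation</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>"""
SERVER_NAME = ("<context-param><param-name>serverName</param-name>"
               "<param-value>idp.example.edu</param-value></context-param>")


def _mapping(name):
    return (f"<filter-mapping><filter-name>{name}</filter-name>"
            f"<url-pattern>{REMOTE_USER_PATH}</url-pattern></filter-mapping>")


def _web_xml(*parts):
    return '<web-app xmlns="http://java.sun.com/xml/ns/javaee">' + "".join(parts) + "</web-app>"


GOOD_WEB_XML = _web_xml(SERVER_NAME, FILTERS, _mapping("CAS Authentication Filter"),
                        _mapping("CAS Validation Filter"), _mapping("CAS HttpServletRequest Wrapper Filter"))
# Three mistakes: no serverName, plain-http validation, wrapper mapped before validation.
BAD_WEB_XML = _web_xml(FILTERS.replace("https://cas.example.edu/cas/</param-value>",
                                       "http://cas.example.edu/cas/</param-value>"),
                       _mapping("CAS Authentication Filter"), _mapping("CAS HttpServletRequest Wrapper Filter"),
                       _mapping("CAS Validation Filter"))

if __name__ == "__main__":
    print("good:", check_cas_web_xml(GOOD_WEB_XML) or "ok")
    print("bad:", check_cas_web_xml(BAD_WEB_XML))
```

Point it at the deployed descriptor with `check_cas_web_xml(open("/opt/shibboleth-src/src/main/webapp/WEB-INF/web.xml").read())` before running install.sh; the order check only looks at mappings on the RemoteUser path, so other filters the IdP declares for other paths are ignored.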
Thanks Christopher and Paul for the quick responses.
I couldn’t solve the error that I was getting with the RemoteUser login option
“Invalid content was found starting with element 'LoginHandler'. One of '{"urn:mace:shibboleth:2.0:idp:profile-handler":LoginHandler}' is expected”
So, as Paul suggested, I installed Unicon's shib-cas-authn2 package (the CAS plugin) and now our default gateway does come up but authentication fails with error:
javax.security.auth.login.LoginException: No LoginModules configured for ShibUserPassAuth
at javax.security.auth.login.LoginContext.init(LoginContext.java:287) ~[na:1.6.0_32]
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:432) ~[na:1.6.0_32]
Thanks again for any help or tips.
Niva