[cas-user] Casifying Shib (idP)


Niva Agmon

Mar 18, 2015, 1:04:21 PM
to cas-...@lists.jasig.org

We are looking to implement CAS as the authentication provider for the Shib IdP. I am following the instructions in “Designate CAS the Authentication Provider for Shib IDP” (https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration#Shibboleth-CASIntegration-ShibbolizeCAS) but am getting errors like:

12:38:44.685 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.HandlerManager service, error creating components.  The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'LoginHandler'. One of '{"urn:mace:shibboleth:2.0:idp:profile-handler":LoginHandler}' is expected.

And:

: Line 98 in XML document from /opt/shibboleth-idp/conf/handler.xml is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'LoginHandler'. One of '{"urn:mace:shibboleth:2.0:idp:profile-handler":LoginHandler}' is expected.

Line 98 in handler.xml is:

<LoginHandler xsi:type="RemoteUser">

Per the document, the only addition to handler.xml was:

<!-- Remote User handler for CAS support -->
<LoginHandler xsi:type="RemoteUser">
  <AuthenticationMethod>
    urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
  </AuthenticationMethod>
  <AuthenticationMethod>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  </AuthenticationMethod>
</LoginHandler>

Do more changes need to be made to handler.xml (or other config files)?

The other changes I made were to the web.xml file.

Thanks,

Niva

Niva Agmon

Temple University

nag...@temple.edu

-- 
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Paul B. Henson

Mar 18, 2015, 1:57:35 PM
to cas-...@lists.jasig.org
On Wed, Mar 18, 2015 at 05:03:53PM +0000, Niva Agmon wrote:
> We looking to implement CAS as the Authentication provider for Shib
> IDP.

Have you looked at Unicon's shib-cas-authn2 package?

https://github.com/Unicon/shib-cas-authn2

That's what we use and it works great. As I recall it was also fairly
easy to set up.


--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | hen...@cpp.edu
California State Polytechnic University | Pomona CA 91768

Christopher Myers

Mar 18, 2015, 1:58:53 PM
to cas-...@lists.jasig.org
I am not an expert in this, so I might not be able to be of much help. But conveniently, I did just complete this process last week and it seems to work fine. Here are the notes I took along the way, using CAS 4.0.1 and shib 2.4.4:

Configuring Tomcat: https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare

Download the IDP source zip file from: http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/
Extract it to /opt/shibboleth-src/

Download the tomcat6-dta-ssl-1.0.0.jar file from http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar into the /usr/share/tomcat6/lib folder
Edit /usr/share/tomcat6/conf/server.xml, add the following connector:

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
scheme="https"
SSLEnabled="true"
clientAuth="true"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="changemeplease" />

Install the IDP: https://spaces.internet2.edu/display/SHIB2/IdPInstall

Run ./install.sh from where you extracted the IDP source from above.
--This will install to /opt/shibboleth-idp by default
--Enter the FQDN of the server
--Enter the password you want to use for the keystore (make sure it's the same one as you used in the tomcat config file change above.)
--Restart tomcat after this is done, but before deploying the war file so that the new connector will come online
--Move the idp.war file from /opt/shibboleth-idp/war/ into /usr/share/tomcat6/webapps/

To verify that the IDP was installed correctly, browsing to this page: http://servername.domain.edu/idp/profile/Status should say "ok"

Connect Shibboleth to CAS: http://www.ja-sig.org/wiki/display/CASUM/Shibboleth-CAS+Integration

Download the latest cas-client-x.x.x.zip from http://www.ja-sig.org/downloads/cas-clients/
Copy cas-client-x.x.x/modules/cas-client-core-x.x.x.jar to /opt/shibboleth-src/lib/

Edit /opt/shibboleth-idp/conf/handler.xml, add:

<!-- Remote User handler for CAS support -->
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>

to the LoginHandler section.

Edit /opt/shibboleth-src/src/main/webapp/WEB-INF/web.xml, add the following to the "context-param" section:

<!-- For CAS client support -->
<context-param>
<param-name>serverName</param-name>
<param-value>shib_server.domain.edu</param-value>
</context-param>

Add the following to the "filter" section:

<!-- CAS client filters -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas_server.domain.edu/cas/login</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>

<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas_server.domain.edu/cas/</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>

<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>

To re-deploy Shibboleth after making these changes:

run /opt/shibboleth-src/install.sh
Hit <return> when prompted for the IDP software install location (the answer is /opt/shibboleth-idp)
Hit <return> when asked if you want to overwrite the Shibboleth config (the answer is "no")
Move the idp.war file from /opt/shibboleth-idp/war/ to /usr/share/tomcat6/webapps/

When you're testing with testshib.org, if you get random errors trying to deploy the war after changing the relying-party.xml file while following the instructions at https://www.testshib.org/testshib-two/configure.jsp - make sure the file used in "something like testshib.xml" is owned by tomcat:tomcat

ALSO COMMENT: Make sure to copy relying-party.xml.prod back to relying-party.xml when done testing!!

If you're pointing to a CAS with a self-signed cert, you can run this:

/usr/lib/jvm/java-1_6_0-ibm-1.6.0/jre/bin/keytool -import -alias myalias -keystore /usr/java/latest/jre/lib/security/cacerts -file /home/installers/my_root.cer

(where my_root.cer is a b64 version of the self-signed root CA cert)

If you get errors like:

SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
Throwable occurred: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by OU=Organizational CA, O=MY_ROOT is not trusted ...

If you get errors like:

Unable to establish security of incoming assertion.

Look at your /opt/shibboleth-idp/conf/relying-party.xml file and make sure your AnonymousRelyingParty and DefaultRelyingParty providers match the actual hostname, etc.

http://groups.google.com/group/shibboleth-users/browse_thread/thread/e3665fb0f9b23265?pli=1
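The web.xml additions in the notes above only protect /Authn/RemoteUser if all three CAS client filters are declared, mapped to that path, and run in the right order (the servlet container runs filters in the order their filter-mapping elements appear in web.xml: authenticate, then validate the ticket, then wrap the request so getRemoteUser() returns the CAS principal). The following pre-flight check is an added example, not code from the thread or from the CAS or Shibboleth projects; it parses a web.xml (a sample constructed from the post's filter declarations, plus a deliberately broken copy) and reports an unmapped filter, a mapping that misses /Authn/RemoteUser, a CAS URL that is not https, or mappings out of order.

```python
"""Pre-flight check for the CAS client filters in a Shibboleth IdP web.xml.

Added example (not from the thread or the CAS/Shibboleth projects). Reports
what would leave /Authn/RemoteUser unprotected or send tickets to the wrong
place: a CAS filter with no filter-mapping, a mapping that misses the
protected path, a non-https CAS URL, or a filter chain out of order.
"""
import xml.etree.ElementTree as ET

# The three CAS client filter classes from the post, in the order the chain
# has to run: redirect to CAS, validate the returned ticket, then expose the
# validated principal through request.getRemoteUser().
EXPECTED_ORDER = [
    "org.jasig.cas.client.authentication.AuthenticationFilter",
    "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter",
    "org.jasig.cas.client.util.HttpServletRequestWrapperFilter",
]
PROTECTED_PATH = "/Authn/RemoteUser"
URL_PARAMS = ("casServerLoginUrl", "casServerUrlPrefix")

# Constructed sample: the web.xml additions from the post in a minimal root.
SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>serverName</param-name><param-value>shib_server.domain.edu</param-value></context-param>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name><param-value>https://cas_server.domain.edu/cas/login</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name><url-pattern>/Authn/RemoteUser</url-pattern></filter-mapping>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name><param-value>https://cas_server.domain.edu/cas/</param-value></init-param>
    <init-param><param-name>redirectAfterValidation</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/Authn/RemoteUser</url-pattern></filter-mapping>
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter-mapping><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name><url-pattern>/Authn/RemoteUser</url-pattern></filter-mapping>
</web-app>
"""

# Constructed failure case: plain-http validation URL and the wrapper filter
# declared but never mapped.
BROKEN_WEB_XML = SAMPLE_WEB_XML.replace(
    "https://cas_server.domain.edu/cas/</param-value>",
    "http://cas_server.domain.edu/cas/</param-value>",
).replace(
    '  <filter-mapping><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>'
    '<url-pattern>/Authn/RemoteUser</url-pattern></filter-mapping>\n', "")


def _params(filter_elem):
    """{param-name: param-value} for the init-params of one <filter>."""
    return {p.findtext("param-name"): (p.findtext("param-value") or "").strip()
            for p in filter_elem.findall("init-param")}


def check_cas_filters(web_xml_text):
    """Return a list of findings; an empty list means the CAS chain looks sane."""
    root = ET.fromstring(web_xml_text)
    # A deployed web.xml declares the Java EE default namespace; drop it so
    # the same local-name lookups work on both the sample and a real file.
    for elem in root.iter():
        elem.tag = elem.tag.rsplit("}", 1)[-1]

    filters = {}  # filter-name -> (filter-class, init params), declaration order
    for f in root.findall("filter"):
        filters[f.findtext("filter-name")] = (f.findtext("filter-class"), _params(f))

    mappings = {}        # filter-name -> url-patterns
    mapped_classes = []  # filter classes in filter-mapping order, i.e. run order
    for m in root.findall("filter-mapping"):
        name = m.findtext("filter-name")
        mappings.setdefault(name, []).extend(
            u.text.strip() for u in m.findall("url-pattern") if u.text)
        if name in filters:
            mapped_classes.append(filters[name][0])

    findings = []
    for name, (cls, params) in filters.items():
        if cls not in EXPECTED_ORDER:
            continue  # not one of the CAS client filters
        patterns = mappings.get(name, [])
        if not patterns:
            findings.append(f"{name}: declared but never mapped")
        elif PROTECTED_PATH not in patterns:
            findings.append(f"{name}: not mapped to {PROTECTED_PATH}")
        for key in URL_PARAMS:
            if key in params and not params[key].startswith("https://"):
                findings.append(f"{name}: {key} is not https ({params[key]})")

    cas_chain = [c for c in mapped_classes if c in EXPECTED_ORDER]
    if cas_chain != EXPECTED_ORDER:
        findings.append(f"CAS filter-mapping order is {cas_chain}, expected {EXPECTED_ORDER}")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_WEB_XML), ("broken", BROKEN_WEB_XML)):
        print(label, check_cas_filters(text) or "OK")
```

Point `check_cas_filters` at the text of the deployed /opt/shibboleth-src/src/main/webapp/WEB-INF/web.xml before running install.sh; the sample from the post passes clean, and the broken copy produces three findings (non-https casServerUrlPrefix, unmapped wrapper filter, and the resulting chain-order mismatch).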

Niva Agmon

Mar 18, 2015, 6:35:14 PM
to cas-...@lists.jasig.org

Thanks Christopher and Paul for the quick responses.

I couldn’t solve the error that I was getting with the RemoteUser login option

“Invalid content was found starting with element 'LoginHandler'. One of '{"urn:mace:shibboleth:2.0:idp:profile-handler":LoginHandler}' is expected”

So, as Paul suggested, I installed Unicon's shib-cas-authn2 package (the CAS plugin) and now our default gateway does come up but authentication fails with error:

javax.security.auth.login.LoginException: No LoginModules configured for ShibUserPassAuth
        at javax.security.auth.login.LoginContext.init(LoginContext.java:287) ~[na:1.6.0_32]
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:432) ~[na:1.6.0_32]

Thanks again for any help or tips.

Niva


Paul B. Henson

Mar 19, 2015, 1:25:55 PM
to cas-...@lists.jasig.org
On Wed, Mar 18, 2015 at 10:34:49PM +0000, Niva Agmon wrote:

> javax.security.auth.login.LoginException: No LoginModules configured for ShibUserPassAuth
> at javax.security.auth.login.LoginContext.init(LoginContext.java:287) ~[na:1.6.0_32]
> at javax.security.auth.login.LoginContext.<init>(LoginContext.java:432) ~[na:1.6.0_32]
>
> Thanks again for any help or tips.

Hmm, did you update handler.xml?

Here's what mine looks like:

<!-- Login Handlers -->
<!-- Delegate authentication to CAS -->
<ph:LoginHandler xsi:type="shib-cas:CasLoginHandler">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
<shib-cas:paramBuilder class="net.unicon.idp.authn.provider.extra.EntityIdParameterBuilder" />
</ph:LoginHandler>

<!-- Username/password login handler -->
<!-- <ph:LoginHandler xsi:type="ph:UsernamePassword"
jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"
authenticationDuration="PT8H">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler> -->

<!--
Removal of this login handler will disable SSO support, that is it will require the user to authenticate
on every request.
-->
<!-- <ph:LoginHandler xsi:type="ph:PreviousSession">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
</ph:LoginHandler> -->


Basically, I commented out the "UsernamePassword" login handler to disable
shib's native auth, added the "shib-cas:CasLoginHandler" to enable CAS
auth, and disabled the "PreviousSession" handler as session state is
handled on the CAS side, not the shib side.

As I recall, the instructions are pretty accurate. Update web.xml, create
the external properties file, update handler.xml... Install the
idp-cas-invoker and cas-client-core jars, and you should be good to go.

If you double check these steps and it still doesn't work you might try
asking on the shib list; there's some crossover with this one, but
they might have a better idea on this shib specific error.


--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | hen...@cpp.edu
California State Polytechnic University | Pomona CA 91768
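Both problems in this thread live in handler.xml: the schema error in the first post names `{urn:mace:shibboleth:2.0:idp:profile-handler}LoginHandler` as the element it expects, and the handler.xml above shows the native UsernamePassword handler commented out so that only the CAS handler stays active. The lint below is an added example, not code from the thread or from the Shibboleth or Unicon projects. It assumes the stock handler.xml layout, in which the root binds the prefix ph: to that namespace and declares no default namespace (so an unprefixed `<LoginHandler>` is in no namespace at all), and it uses a placeholder URI for the shib-cas namespace, whose real value comes from the plugin's documentation. It reports LoginHandler elements outside the profile-handler namespace and a UsernamePassword handler still active next to CasLoginHandler.

```python
"""Lint the login handlers in a Shibboleth 2 IdP handler.xml.

Added example (not from the thread or the Shibboleth/Unicon code). Flags a
<LoginHandler> outside the profile-handler namespace and the native
UsernamePassword handler left active alongside the CAS handler.
"""
import xml.etree.ElementTree as ET

PH_NS = "urn:mace:shibboleth:2.0:idp:profile-handler"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = "{%s}type" % XSI_NS
# Placeholder: the real shib-cas namespace URI comes from the plugin's docs.
SHIB_CAS_NS = "urn:example:shib-cas-namespace-placeholder"

# Constructed sample 1: the unprefixed snippet from the first post next to
# the stock ph:UsernamePassword handler.
UNPREFIXED = f"""<ph:ProfileHandlerGroup xmlns:ph="{PH_NS}" xmlns:xsi="{XSI_NS}">
  <!-- Remote User handler for CAS support -->
  <LoginHandler xsi:type="RemoteUser">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
  </LoginHandler>
  <ph:LoginHandler xsi:type="ph:UsernamePassword" jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
  </ph:LoginHandler>
</ph:ProfileHandlerGroup>
"""

# Constructed sample 2: the layout from the reply above, with the native
# handlers commented out so only the CAS handler is active.
CAS_ONLY = f"""<ph:ProfileHandlerGroup xmlns:ph="{PH_NS}" xmlns:xsi="{XSI_NS}" xmlns:shib-cas="{SHIB_CAS_NS}">
  <ph:LoginHandler xsi:type="shib-cas:CasLoginHandler">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
  </ph:LoginHandler>
  <!-- <ph:LoginHandler xsi:type="ph:UsernamePassword" jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"><ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod></ph:LoginHandler> -->
  <!-- PreviousSession handler removed: session state lives on the CAS side -->
</ph:ProfileHandlerGroup>
"""

# Constructed sample 3: the same file with the UsernamePassword handler
# uncommented, i.e. both handlers active at once.
BOTH_ACTIVE = CAS_ONLY.replace(
    '<!-- <ph:LoginHandler xsi:type="ph:UsernamePassword"',
    '<ph:LoginHandler xsi:type="ph:UsernamePassword"',
).replace("</ph:LoginHandler> -->", "</ph:LoginHandler>")


def lint_login_handlers(text):
    """Return (findings, active_types).

    active_types lists the xsi:type of every LoginHandler the parser sees;
    commented-out handlers are not parsed, so they do not count as active.
    """
    root = ET.fromstring(text)
    findings, active = [], []
    for elem in root.iter():
        tag = elem.tag
        ns, local = tag[1:].split("}", 1) if tag.startswith("{") else ("", tag)
        if local != "LoginHandler":
            continue
        xsi_type = elem.get(XSI_TYPE, "(no xsi:type)")
        active.append(xsi_type)
        if ns != PH_NS:
            findings.append(
                f"LoginHandler xsi:type={xsi_type}: in namespace '{ns}' but the schema "
                f"expects {{{PH_NS}}}LoginHandler; prefix the element (ph:LoginHandler) "
                f"and its xsi:type (ph:RemoteUser)")
    local_types = {t.split(":")[-1] for t in active}
    if "CasLoginHandler" in local_types and "UsernamePassword" in local_types:
        findings.append(
            "UsernamePassword handler is still active alongside CasLoginHandler; it "
            "authenticates through JAAS and needs a ShibUserPassAuth entry in "
            "login.config, so comment it out if CAS is meant to be the only authenticator")
    return findings, active


if __name__ == "__main__":
    for label, text in (("unprefixed", UNPREFIXED), ("cas-only", CAS_ONLY),
                        ("both-active", BOTH_ACTIVE)):
        print(label, lint_login_handlers(text))
```

Because the parser discards comments, the active-handler list is exactly what the IdP's AuthenticationEngine will choose from, which makes it a quick way to confirm that commenting out a handler actually took effect before restarting Tomcat.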

Niva Agmon

Mar 24, 2015, 9:27:27 PM
to cas-...@lists.jasig.org
Thanks a lot for your reply and the information, Paul.

I verified that the handler.xml file is correct, but still end up at the error page whenever I try to login using the cas plugin and the log shows:

21:21:34.936 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:464] - Selecting appropriate login handler from filtered set {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=net.unicon.idp.authn.provider.CasLoginHandler@29669b01}
21:21:34.936 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:497] - Authenticating user with login handler of type net.unicon.idp.authn.provider.CasLoginHandler
21:21:34.937 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key 42cc6b24fef6e25efc0c67d02515d43d5860ec6d2b3f1e4fd94bc5d5a643c684 from StorageService parition: loginContexts
Looking up LoginContext with key 42cc6b24fef6e25efc0c67d02515d43d5860ec6d2b3f1e4fd94bc5d5a643c684 from StorageService parition: loginContexts
21:21:34.969 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] - Retrieved LoginContext with key 42cc6b24fef6e25efc0c67d02515d43d5860ec6d2b3f1e4fd94bc5d5a643c684 from StorageService parition: loginContexts
21:21:35.013 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie.

Thanks,
Niva
-----Original Message-----
From: Paul B. Henson [mailto:hen...@cpp.edu]
Sent: Thursday, March 19, 2015 1:17 PM
To: cas-...@lists.jasig.org
Subject: Re: [cas-user] Casifying Shib (idP)
