[cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
130 views
Skip to first unread message
Jaroslav Kacer
Jun 24, 2014, 5:10:13 AM6/24/14
to cas-...@lists.jasig.org
Hello everybody!
I'm trying to integrate CAS and the SAML2 plugin which was discussed in this list on Oct 22 2013 by Maxime Bossard (https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ). As I am experiencing some issues, I wonder if someone (possibly Maxime) could help me. I have already asked directly in the Google group but the message did not propagate to this list, so I am posting the question again.
The version of CAS I use is 3.4.12.1 because the plugin's POM file points to 3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line.
I have merged the provided sample XML configuration files with those of CAS, also the two properies files, some JSPs and web.xml. Now I am getting errors from the plugin complaining about SP metadata. Obviously the plugin expects some SAML2 endpoints with various bindings that are not in my SP metadata.
Maxime, could you please provide a list of all expected endpoints with their bindings and URLs that should be enumerated in the SP metadata file? Or, an example SP metadata file would be even better :-)
Although the error message clearly says what service/binding the plugin expects, I don't know how to create the URLs for the bindings. Are they fixed or does the plugin first read the metadata file and then uses the URLs specified there?
I would also like to ask about the IdP side. I assume you used the plugin against Shibboleth. Have you tested it against other IdP servers? I'd like to use Microsoft ADFS. Are any special settings needed? (I don't have access to the server yet so I cannot test it at the moment.) At the moment, I am using an example IdP metadata file from Shibboleth (just to make it run) but I will have to adapt it later.
It would be great if the documentation for the plugin could be more elaborated, mainly the section "Plugin Configuration". I've already spent 2 days putting CAS and the plugin together.
Or is there anything else than the ReadMe.md file from Github?
Thank you in advance for your answer!
Best Regards,
Jarda Kacer, IDC
I'm trying to integrate CAS and the SAML2 plugin which was discussed in this list on Oct 22 2013 by Maxime Bossard (https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ). As I am experiencing some issues, I wonder if someone (possibly Maxime) could help me. I have already asked directly in the Google group but the message did not propagate to this list, so I am posting the question again.
The version of CAS I use is 3.4.12.1 because the plugin's POM file points to 3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line.
I have merged the provided sample XML configuration files with those of CAS, also the two properies files, some JSPs and web.xml. Now I am getting errors from the plugin complaining about SP metadata. Obviously the plugin expects some SAML2 endpoints with various bindings that are not in my SP metadata.
Maxime, could you please provide a list of all expected endpoints with their bindings and URLs that should be enumerated in the SP metadata file? Or, an example SP metadata file would be even better :-)
Although the error message clearly says what service/binding the plugin expects, I don't know how to create the URLs for the bindings. Are they fixed or does the plugin first read the metadata file and then uses the URLs specified there?
I would also like to ask about the IdP side. I assume you used the plugin against Shibboleth. Have you tested it against other IdP servers? I'd like to use Microsoft ADFS. Are any special settings needed? (I don't have access to the server yet so I cannot test it at the moment.) At the moment, I am using an example IdP metadata file from Shibboleth (just to make it run) but I will have to adapt it later.
It would be great if the documentation for the plugin could be more elaborated, mainly the section "Plugin Configuration". I've already spent 2 days putting CAS and the plugin together.
Or is there anything else than the ReadMe.md file from Github?
Thank you in advance for your answer!
Best Regards,
Jarda Kacer, IDC
-- You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Julien Gribonvald
Jun 24, 2014, 6:39:04 AM6/24/14
to cas-...@lists.jasig.org
Hi,
I would suggest that you look at pac4j, it should replace the SAML plugin developped by Maxime in the furtur for our use (Maxime worked for us in this plugin before something more "generic" as pac4j comes). This "toolbox" (i see it like that) will help to use the last version of CAS as the Maxime's plugin should be reviewed for version of CAS after 3.4.x. After I don't know if we can use it for that, but maybe Jérome Leleu could give some words of this use or point to a documentation ?
Else for the use of this pluugin see in attachment an example of our SP metadata file that we use in production on our CAS (obviously without certificates and custom datas, so replace A_DOMAIN_NAME by your domain name,ADD CERTIFICATE HERE, and see on other custom datas).
About IDP it was tested over a shibboleth idp and in production with an other idp than shibboleth (seems a fork for private use, or something related with ibm, but we don't know a lot about it), but working in the same way as all is based on SAML specs so i think this should works.
After about configuration all files that you have to modify and deploy are on https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/sample-* but i think you don't have to modify a lot, setting all properties should do the works.
And the properties in config.properties should be added in the original file cas.properties.
If I look on our deployment and something that i don't see in the source are :
- in deployerConfigContext.xml : in the bean authenticationManager, in the property credentialsToPrincipalResolvers, added the credentialResolver mapped to the saml service, we use the EmailAddressesCredentialsToPrincipalResolver.java as example :
<bean id="emailAddressesCredsToPrincipal" class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository" />
</bean>
<bean id="ldapEmailAddressesAuthenticationHandler" class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
<property name="searchBase" value="${ldap.basedn}" />
<property name="contextSource" ref="contextSource" />
<property name="principalAttributeName" value="${ldap.identifier.attribute}" />
<property name="timeout" value="5000" />
<property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
</bean>
- in cas-servlet.xml youd should add the import of cas-servlet-saml2.xml
I hope this will help, but don't hesitate to ask, i can provide some other examples...
After for the documentation, we have one in french explaining properties and how it works but that's all, after you are welcome to make a pull request for contributions if you succeed to install the plugin.
Thanks
Julien Gribonvald
I would suggest that you look at pac4j, it should replace the SAML plugin developped by Maxime in the furtur for our use (Maxime worked for us in this plugin before something more "generic" as pac4j comes). This "toolbox" (i see it like that) will help to use the last version of CAS as the Maxime's plugin should be reviewed for version of CAS after 3.4.x. After I don't know if we can use it for that, but maybe Jérome Leleu could give some words of this use or point to a documentation ?
Else for the use of this pluugin see in attachment an example of our SP metadata file that we use in production on our CAS (obviously without certificates and custom datas, so replace A_DOMAIN_NAME by your domain name,ADD CERTIFICATE HERE, and see on other custom datas).
About IDP it was tested over a shibboleth idp and in production with an other idp than shibboleth (seems a fork for private use, or something related with ibm, but we don't know a lot about it), but working in the same way as all is based on SAML specs so i think this should works.
After about configuration all files that you have to modify and deploy are on https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/sample-* but i think you don't have to modify a lot, setting all properties should do the works.
And the properties in config.properties should be added in the original file cas.properties.
If I look on our deployment and something that i don't see in the source are :
- in deployerConfigContext.xml : in the bean authenticationManager, in the property credentialsToPrincipalResolvers, added the credentialResolver mapped to the saml service, we use the EmailAddressesCredentialsToPrincipalResolver.java as example :
<bean id="emailAddressesCredsToPrincipal" class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository" />
</bean>
<bean id="ldapEmailAddressesAuthenticationHandler" class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
<property name="searchBase" value="${ldap.basedn}" />
<property name="contextSource" ref="contextSource" />
<property name="principalAttributeName" value="${ldap.identifier.attribute}" />
<property name="timeout" value="5000" />
<property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
</bean>
- in cas-servlet.xml youd should add the import of cas-servlet-saml2.xml
I hope this will help, but don't hesitate to ask, i can provide some other examples...
After for the documentation, we have one in french explaining properties and how it works but that's all, after you are welcome to make a pull request for contributions if you succeed to install the plugin.
Thanks
Julien Gribonvald
-- You are currently subscribed to cas-...@lists.jasig.org as: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Julien Gribonvald
Jun 24, 2014, 6:53:36 AM6/24/14
to cas-...@lists.jasig.org
One more information to the use of
pac4j, you can look at
http://jasig.github.io/cas/4.0.0/integration/Delegate-Authentication.html,
this explain how to integrate in CAS 4 pac4j with somes examples
(not the SAML but it's a begining).
But if you go on this solution please give a feed back ;)
Thanks
Julien Gribonvald
But if you go on this solution please give a feed back ;)
Thanks
Julien Gribonvald
Jaroslav Kacer
Jun 24, 2014, 7:18:53 AM6/24/14
to cas-...@lists.jasig.org
Hello Julien!
Thank you very much for replying and helping me.
PAC4J - I will definitely have a look, so far I haven't read anything about it.
Could you please send the example of SP metadata directly to me or paste it inline? It seems the list does not accept attachments :-(
Concerning the samples: Yes, this is the place where I took the files from, this seems to be OK, I managed to copy/merge them into CAS. I kept the properties files independent and added them to propertyFileConfigurer.xml.
Concerning deployerConfigContext.xml: So far I haven't made any modifications here, thank you for pointing this out.
I will post my results here when I finish, hopefully soon...
And, any documentation is fine, even if it's only in French ( I speak French) :-)
Best Regards,
Jarda Kacer--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, seehttp://www.ja-sig.org/wiki/display/JSG/cas-user
Thank you very much for replying and helping me.
PAC4J - I will definitely have a look, so far I haven't read anything about it.
Could you please send the example of SP metadata directly to me or paste it inline? It seems the list does not accept attachments :-(
Concerning the samples: Yes, this is the place where I took the files from, this seems to be OK, I managed to copy/merge them into CAS. I kept the properties files independent and added them to propertyFileConfigurer.xml.
Concerning deployerConfigContext.xml: So far I haven't made any modifications here, thank you for pointing this out.
I will post my results here when I finish, hopefully soon...
And, any documentation is fine, even if it's only in French ( I speak French) :-)
Best Regards,
Jarda Kacer
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, see
Julien Gribonvald
Jun 24, 2014, 8:07:13 AM6/24/14
to cas-...@lists.jasig.org
With the attachment it's better I
forgot to add it :-P
Thanks
Julien
Thanks
Julien
-- You are currently subscribed to cas-...@lists.jasig.org as: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Jaroslav Kacer
Jun 24, 2014, 8:23:07 AM6/24/14
to cas-...@lists.jasig.org
Great! Thanks a lot / merci beaucoup!
Jarda
--
You are currently subscribed to cas-...@lists.jasig.orgas: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user[attachment
"sp-lycees.netocentre.fr-metadata.xml" deleted by Jaroslav Kacer/Czech_Rep/Europe/IDC]
Jarda
--
You are currently subscribed to cas-...@lists.jasig.orgas: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Jaroslav Kacer
Jun 27, 2014, 12:03:23 PM6/27/14
to cas-...@lists.jasig.org
Hello Julien (and others)!
I have already achieved a state when CAS starts without problems with the plugin, however it throws an error when the user accesses the /login page.
I'd like to ask two more questions about the plugin configuration.
1. Configuration in deployerConfigContext.xml:
You provided me (see your email from 24/06/2014 12:38) with 2 Spring beans that should be inserted into deployerConfigContext.xml:
Concerning ldapEmailAddressesAuthenticationHandler, I don't quite understand its purpose. I have looked into the source and it seems it only communicates with an LDAP server. Does it mean the plugin requires an LDAP server in addition to the SAML IdP? Because I expected that all user attributes would come from the IdP as attributes. I'm afraid I will have no LDAP server available for people authenticating via the SAML IdP. Or maybe I misunderstood something here...
I would assume the deployerConfigContext.xml file will contain a handler that communicates with the IdP using SAML messages. But I can't find any in the source code, so maybe I am wrong.
2. Configuration in login-webflow.xml - expression initMultiDomainAction
File login-webflow.xml now contains the following definition of initializeFlow:
<action-state id="initializeFlow">
<evaluate expression="initialFlowSetupAction" />
<evaluate expression="initMultiDomainAction">
<attribute name="name" value="initFinished" />
</evaluate>
<transition on="initFinished.success" to="checkSamlResponse" />
</action-state>
When I try to go to the /login page, I get an error and there is the following stack trace in the log:
SEVERE: Servlet.service() for servlet [cas] in context with path [/cas-web-app] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing [AnnotatedAction@709f98e4 targetAction = [EvaluateAction@7deeda7f expression = initMultiDomainAction, resultExpression = [null]], attributes = map['name' -> 'initFinished']] in state 'initializeFlow' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
ognl.NoSuchPropertyException: org.springframework.webflow.engine.impl.RequestControlContextImpl.initMultiDomainAction
at ognl.ObjectPropertyAccessor.getProperty(ObjectPropertyAccessor.java:151)
at org.springframework.webflow.expression.WebFlowOgnlExpressionParser$RequestContextPropertyAccessor.getProperty(WebFlowOgnlExpressionParser.java:118)
at ognl.OgnlRuntime.getProperty(OgnlRuntime.java:2210)
at ognl.ASTProperty.getValueBody(ASTProperty.java:114)
at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
at ognl.SimpleNode.getValue(SimpleNode.java:258)
at ognl.Ognl.getValue(Ognl.java:494)
at org.springframework.binding.expression.ognl.OgnlExpression.getValue(OgnlExpression.java:85)
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Flow.start(Flow.java:535)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:364)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222)
at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)
etc.
A colleague who is familiar with Spring WebFlow says there should be a Spring bean named "initMultiDomainAction" defined somewhere, most likely in cas-servlet.xml, but there is not any. I merged everything from cas-servlet-saml2.xml, there is no such bean. Isn't it an omission? Could you please have a look into your complete cas-servlet.xml, if there is such a bean?
Thank you very much for your answer!
Best Regards,
Jarda
From: Julien Gribonvald <julien.g...@recia.fr>
To: cas-...@lists.jasig.org
Date: 24.06.2014 12:53
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, seehttp://www.ja-sig.org/wiki/display/JSG/cas-user
I have already achieved a state when CAS starts without problems with the plugin, however it throws an error when the user accesses the /login page.
I'd like to ask two more questions about the plugin configuration.
1. Configuration in deployerConfigContext.xml:
You provided me (see your email from 24/06/2014 12:38) with 2 Spring beans that should be inserted into deployerConfigContext.xml:
- emailAddressesCredsToPrincipal, which goes to authenticationManager/credentialsToPrincipalResolvers
- ldapEmailAddressesAuthenticationHandler, which goes to authenticationManager/authenticationHandlers
Concerning ldapEmailAddressesAuthenticationHandler, I don't quite understand its purpose. I have looked into the source and it seems it only communicates with an LDAP server. Does it mean the plugin requires an LDAP server in addition to the SAML IdP? Because I expected that all user attributes would come from the IdP as attributes. I'm afraid I will have no LDAP server available for people authenticating via the SAML IdP. Or maybe I misunderstood something here...
I would assume the deployerConfigContext.xml file will contain a handler that communicates with the IdP using SAML messages. But I can't find any in the source code, so maybe I am wrong.
2. Configuration in login-webflow.xml - expression initMultiDomainAction
File login-webflow.xml now contains the following definition of initializeFlow:
<action-state id="initializeFlow">
<evaluate expression="initialFlowSetupAction" />
<evaluate expression="initMultiDomainAction">
<attribute name="name" value="initFinished" />
</evaluate>
<transition on="initFinished.success" to="checkSamlResponse" />
</action-state>
When I try to go to the /login page, I get an error and there is the following stack trace in the log:
SEVERE: Servlet.service() for servlet [cas] in context with path [/cas-web-app] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing [AnnotatedAction@709f98e4 targetAction = [EvaluateAction@7deeda7f expression = initMultiDomainAction, resultExpression = [null]], attributes = map['name' -> 'initFinished']] in state 'initializeFlow' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
ognl.NoSuchPropertyException: org.springframework.webflow.engine.impl.RequestControlContextImpl.initMultiDomainAction
at ognl.ObjectPropertyAccessor.getProperty(ObjectPropertyAccessor.java:151)
at org.springframework.webflow.expression.WebFlowOgnlExpressionParser$RequestContextPropertyAccessor.getProperty(WebFlowOgnlExpressionParser.java:118)
at ognl.OgnlRuntime.getProperty(OgnlRuntime.java:2210)
at ognl.ASTProperty.getValueBody(ASTProperty.java:114)
at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
at ognl.SimpleNode.getValue(SimpleNode.java:258)
at ognl.Ognl.getValue(Ognl.java:494)
at org.springframework.binding.expression.ognl.OgnlExpression.getValue(OgnlExpression.java:85)
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Flow.start(Flow.java:535)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:364)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222)
at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)
etc.
A colleague who is familiar with Spring WebFlow says there should be a Spring bean named "initMultiDomainAction" defined somewhere, most likely in cas-servlet.xml, but there is not any. I merged everything from cas-servlet-saml2.xml, there is no such bean. Isn't it an omission? Could you please have a look into your complete cas-servlet.xml, if there is such a bean?
Thank you very much for your answer!
Best Regards,
Jarda
From: Julien Gribonvald <julien.g...@recia.fr>
To: cas-...@lists.jasig.org
Date: 24.06.2014 12:53
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, see
Owens, Patricia
Jun 30, 2014, 1:55:08 AM6/30/14
to cas-...@lists.jasig.org
Ok I'll let you know on Monday
________________________________________
From: Julien Gribonvald [julien.g...@recia.fr]
Sent: Tuesday, June 24, 2014 4:38 AM
To: cas-...@lists.jasig.org
I hope this will help, but don't hesitate to ask, i can provide some other examples...
After for the documentation, we have one in french explaining properties and how it works but that's all, after you are welcome to make a pull request for contributions if you succeed to install the plugin.
Thanks
Julien Gribonvald
Le 24/06/2014 11:09, Jaroslav Kacer a écrit :
Hello everybody!
I'm trying to integrate CAS and the SAML2 plugin which was discussed in this list on Oct 22 2013 by Maxime Bossard (https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ). As I am experiencing some issues, I wonder if someone (possibly Maxime) could help me. I have already asked directly in the Google group but the message did not propagate to this list, so I am posting the question again.
The version of CAS I use is 3.4.12.1 because the plugin's POM file points to 3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line.
I have merged the provided sample XML configuration files with those of CAS, also the two properies files, some JSPs and web.xml. Now I am getting errors from the plugin complaining about SP metadata. Obviously the plugin expects some SAML2 endpoints with various bindings that are not in my SP metadata.
Maxime, could you please provide a list of all expected endpoints with their bindings and URLs that should be enumerated in the SP metadata file? Or, an example SP metadata file would be even better :-)
Although the error message clearly says what service/binding the plugin expects, I don't know how to create the URLs for the bindings. Are they fixed or does the plugin first read the metadata file and then uses the URLs specified there?
I would also like to ask about the IdP side. I assume you used the plugin against Shibboleth. Have you tested it against other IdP servers? I'd like to use Microsoft ADFS. Are any special settings needed? (I don't have access to the server yet so I cannot test it at the moment.) At the moment, I am using an example IdP metadata file from Shibboleth (just to make it run) but I will have to adapt it later.
It would be great if the documentation for the plugin could be more elaborated, mainly the section "Plugin Configuration". I've already spent 2 days putting CAS and the plugin together.
Or is there anything else than the ReadMe.md file from Github?
Thank you in advance for your answer!
Best Regards,
Jarda Kacer, IDC
--
You are currently subscribed to cas-...@lists.jasig.org<mailto:cas-...@lists.jasig.org> as: julien.g...@recia.fr<mailto:julien.g...@recia.fr>
________________________________________
From: Julien Gribonvald [julien.g...@recia.fr]
Sent: Tuesday, June 24, 2014 4:38 AM
To: cas-...@lists.jasig.org
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Hi,
I would suggest that you look at pac4j, it should replace the SAML plugin developped by Maxime in the furtur for our use (Maxime worked for us in this plugin before something more "generic" as pac4j comes). This "toolbox" (i see it like that) will help to use the last version of CAS as the Maxime's plugin should be reviewed for version of CAS after 3.4.x. After I don't know if we can use it for that, but maybe Jérome Leleu could give some words of this use or point to a documentation ?
Else for the use of this pluugin see in attachment an example of our SP metadata file that we use in production on our CAS (obviously without certificates and custom datas, so replace A_DOMAIN_NAME by your domain name,ADD CERTIFICATE HERE, and see on other custom datas).
About IDP it was tested over a shibboleth idp and in production with an other idp than shibboleth (seems a fork for private use, or something related with ibm, but we don't know a lot about it), but working in the same way as all is based on SAML specs so i think this should works.
After about configuration all files that you have to modify and deploy are on https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/sample-* but i think you don't have to modify a lot, setting all properties should do the works.
And the properties in config.properties should be added in the original file cas.properties.
If I look on our deployment and something that i don't see in the source are :
- in deployerConfigContext.xml : in the bean authenticationManager, in the property credentialsToPrincipalResolvers, added the credentialResolver mapped to the saml service, we use the EmailAddressesCredentialsToPrincipalResolver.java as example :
<bean id="emailAddressesCredsToPrincipal" class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository" />
</bean>
<bean id="ldapEmailAddressesAuthenticationHandler" class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
<property name="searchBase" value="${ldap.basedn}" />
<property name="contextSource" ref="contextSource" />
<property name="principalAttributeName" value="${ldap.identifier.attribute}" />
<property name="timeout" value="5000" />
<property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
</bean>
- in cas-servlet.xml youd should add the import of cas-servlet-saml2.xml<https://github.com/GIP-RECIA/cas/blob/feature-saml2/cas-server-support-saml2/sample-config/cas-servlet-saml2.xml>
I would suggest that you look at pac4j, it should replace the SAML plugin developped by Maxime in the furtur for our use (Maxime worked for us in this plugin before something more "generic" as pac4j comes). This "toolbox" (i see it like that) will help to use the last version of CAS as the Maxime's plugin should be reviewed for version of CAS after 3.4.x. After I don't know if we can use it for that, but maybe Jérome Leleu could give some words of this use or point to a documentation ?
Else for the use of this pluugin see in attachment an example of our SP metadata file that we use in production on our CAS (obviously without certificates and custom datas, so replace A_DOMAIN_NAME by your domain name,ADD CERTIFICATE HERE, and see on other custom datas).
About IDP it was tested over a shibboleth idp and in production with an other idp than shibboleth (seems a fork for private use, or something related with ibm, but we don't know a lot about it), but working in the same way as all is based on SAML specs so i think this should works.
After about configuration all files that you have to modify and deploy are on https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/sample-* but i think you don't have to modify a lot, setting all properties should do the works.
And the properties in config.properties should be added in the original file cas.properties.
If I look on our deployment and something that i don't see in the source are :
- in deployerConfigContext.xml : in the bean authenticationManager, in the property credentialsToPrincipalResolvers, added the credentialResolver mapped to the saml service, we use the EmailAddressesCredentialsToPrincipalResolver.java as example :
<bean id="emailAddressesCredsToPrincipal" class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository" />
</bean>
<bean id="ldapEmailAddressesAuthenticationHandler" class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
<property name="searchBase" value="${ldap.basedn}" />
<property name="contextSource" ref="contextSource" />
<property name="principalAttributeName" value="${ldap.identifier.attribute}" />
<property name="timeout" value="5000" />
<property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
</bean>
I hope this will help, but don't hesitate to ask, i can provide some other examples...
After for the documentation, we have one in french explaining properties and how it works but that's all, after you are welcome to make a pull request for contributions if you succeed to install the plugin.
Thanks
Julien Gribonvald
Le 24/06/2014 11:09, Jaroslav Kacer a écrit :
Hello everybody!
I'm trying to integrate CAS and the SAML2 plugin which was discussed in this list on Oct 22 2013 by Maxime Bossard (https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ). As I am experiencing some issues, I wonder if someone (possibly Maxime) could help me. I have already asked directly in the Google group but the message did not propagate to this list, so I am posting the question again.
The version of CAS I use is 3.4.12.1 because the plugin's POM file points to 3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line.
I have merged the provided sample XML configuration files with those of CAS, also the two properies files, some JSPs and web.xml. Now I am getting errors from the plugin complaining about SP metadata. Obviously the plugin expects some SAML2 endpoints with various bindings that are not in my SP metadata.
Maxime, could you please provide a list of all expected endpoints with their bindings and URLs that should be enumerated in the SP metadata file? Or, an example SP metadata file would be even better :-)
Although the error message clearly says what service/binding the plugin expects, I don't know how to create the URLs for the bindings. Are they fixed or does the plugin first read the metadata file and then uses the URLs specified there?
I would also like to ask about the IdP side. I assume you used the plugin against Shibboleth. Have you tested it against other IdP servers? I'd like to use Microsoft ADFS. Are any special settings needed? (I don't have access to the server yet so I cannot test it at the moment.) At the moment, I am using an example IdP metadata file from Shibboleth (just to make it run) but I will have to adapt it later.
It would be great if the documentation for the plugin could be more elaborated, mainly the section "Plugin Configuration". I've already spent 2 days putting CAS and the plugin together.
Or is there anything else than the ReadMe.md file from Github?
Thank you in advance for your answer!
Best Regards,
Jarda Kacer, IDC
--
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: pow...@liberty.edu
--
Julien Gribonvald
Jun 30, 2014, 3:00:33 AM6/30/14
to cas-...@lists.jasig.org
Hello Jarda,
Ok so :
- for first problem: The use case is that the idp is passing an attribute that can be found in a datasource (for us ldap) that CAS use to find users, it's an attibute for the federated identity. In our development we considered that the user exist in the CAS datasource, and to find it the idp provide the email and we look in an ldap but you can replace all this part. For your use case you will have to make some implementation/configuration as you will need to save the users parameters in a "datasource" (in memory or database or ...) that CAS will be able to obtain easily during at list all the user session - look at the persondir lib in this case there are several tools to define a user from several datasources - or maybe save user's informations in a datasource. That is needed because the CAS won't request again the users parameters to the idp since the user is authenticated, this isn't intended and i don't know if it will be possible to request each times the saml attribute from the idp. Our development is a specific use case but you should be able to replace some part by custom or CAS classes.
For the sources you shoul be able to find all from : https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2 after it uses some CAS module like cas-server-support-ldap that you should activate.
- for the second : It's a cutom change to be able to authenticate over the cas from different CAS domains name but sharing the same sessionId over all (sub-)domain names that we manage, so you can remove this part and all related.
Thanks
Julien G.
Ok so :
- for first problem: The use case is that the idp is passing an attribute that can be found in a datasource (for us ldap) that CAS use to find users, it's an attibute for the federated identity. In our development we considered that the user exist in the CAS datasource, and to find it the idp provide the email and we look in an ldap but you can replace all this part. For your use case you will have to make some implementation/configuration as you will need to save the users parameters in a "datasource" (in memory or database or ...) that CAS will be able to obtain easily during at list all the user session - look at the persondir lib in this case there are several tools to define a user from several datasources - or maybe save user's informations in a datasource. That is needed because the CAS won't request again the users parameters to the idp since the user is authenticated, this isn't intended and i don't know if it will be possible to request each times the saml attribute from the idp. Our development is a specific use case but you should be able to replace some part by custom or CAS classes.
For the sources you shoul be able to find all from : https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2 after it uses some CAS module like cas-server-support-ldap that you should activate.
- for the second : It's a cutom change to be able to authenticate over the cas from different CAS domains name but sharing the same sessionId over all (sub-)domain names that we manage, so you can remove this part and all related.
Thanks
Julien G.
-- You are currently subscribed to cas-...@lists.jasig.org as: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Jaroslav Kacer
Jun 30, 2014, 7:57:41 AM6/30/14
to cas-...@lists.jasig.org
Hello Julien!
Thank you very much for your answers!
Concerning the LDAP: Now I know the partner company has an LDAP server, I just don't know if they can share it with us together with ADFS. If they can, fine, I will use the same approach you used. If not, I will try to implement a simple in-memory storage, as you suggest.
Concerning the WebFlow beans: I'll try to remove it and see what happens. If it still does not work, I will have to learn Spring WebFlow :-)
Thank you once again for your support!
Best Regards,
Jarda
From: Julien Gribonvald <julien.g...@recia.fr>
To: cas-...@lists.jasig.org
Date: 30.06.2014 09:00
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
--
You are currently subscribed to cas-...@lists.jasig.orgas: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Thank you very much for your answers!
Concerning the LDAP: Now I know the partner company has an LDAP server, I just don't know if they can share it with us together with ADFS. If they can, fine, I will use the same approach you used. If not, I will try to implement a simple in-memory storage, as you suggest.
Concerning the WebFlow beans: I'll try to remove it and see what happens. If it still does not work, I will have to learn Spring WebFlow :-)
Thank you once again for your support!
Best Regards,
Jarda
From: Julien Gribonvald <julien.g...@recia.fr>
To: cas-...@lists.jasig.org
Date: 30.06.2014 09:00
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Hello Jarda,
Ok so :
- for first problem: The use case is that the idp is passing an attribute that can be found in a datasource (for us ldap) that CAS use to find users, it's an attibute for the federated identity. In our development we considered that the user exist in the CAS datasource, and to find it the idp provide the email and we look in an ldap but you can replace all this part. For your use case you will have to make some implementation/configuration as you will need to save the users parameters in a "datasource" (in memory or database or ...) that CAS will be able to obtain easily during at list all the user session - look at the persondir lib in this case there are several tools to define a user from several datasources - or maybe save user's informations in a datasource. That is needed because the CAS won't request again the users parameters to the idp since the user is authenticated, this isn't intended and i don't know if it will be possible to request each times the saml attribute from the idp. Our development is a specific use case but you should be able to replace some part by custom or CAS classes.
For the sources you shoul be able to find all from : https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2after it uses some CAS module like cas-server-support-ldap that you should
activate.Ok so :
- for first problem: The use case is that the idp is passing an attribute that can be found in a datasource (for us ldap) that CAS use to find users, it's an attibute for the federated identity. In our development we considered that the user exist in the CAS datasource, and to find it the idp provide the email and we look in an ldap but you can replace all this part. For your use case you will have to make some implementation/configuration as you will need to save the users parameters in a "datasource" (in memory or database or ...) that CAS will be able to obtain easily during at list all the user session - look at the persondir lib in this case there are several tools to define a user from several datasources - or maybe save user's informations in a datasource. That is needed because the CAS won't request again the users parameters to the idp since the user is authenticated, this isn't intended and i don't know if it will be possible to request each times the saml attribute from the idp. Our development is a specific use case but you should be able to replace some part by custom or CAS classes.
--
You are currently subscribed to cas-...@lists.jasig.orgas: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
-- You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
Jaroslav Kacer
Jul 3, 2014, 6:01:19 AM7/3/14
to cas-...@lists.jasig.org
Hi Julien!
I just would like to inform you about my current status of integrating CAS with a SAML IdP.
Unfortunately I did not get over the WebFlow issue in the SAML2 plugin.
Then I tried the PAC4J library (which you advised me to use) with a corresponding CAS plugin and I succeeded :-)
I used the following components:
The reason for the snapshot version is (I think) that CAS 4.0.0 still depends on PAC4J 1.4.1, which does not have SAML support.
I think I will use this method, the only drawback is I will have to migrate CAS to the newest version.
I hope this info will be useful for others as well.
Thank you once again for your support!
--
You are currently subscribed to cas-...@lists.jasig.orgas: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
I just would like to inform you about my current status of integrating CAS with a SAML IdP.
Unfortunately I did not get over the WebFlow issue in the SAML2 plugin.
Then I tried the PAC4J library (which you advised me to use) with a corresponding CAS plugin and I succeeded :-)
I used the following components:
- CAS 4.1.0-SNAPSHOT - not yet released, checked out from GitHub
- PAC4J Core + SAML 1.5.1
- CAS PAC4J OAuth Client Demo 1.0.0-SNAPSHOT from GitHub
- Shibboleth IdP test server at https://idp.testshib.org/
The reason for the snapshot version is (I think) that CAS 4.0.0 still depends on PAC4J 1.4.1, which does not have SAML support.
I think I will use this method, the only drawback is I will have to migrate CAS to the newest version.
I hope this info will be useful for others as well.
Thank you once again for your support!
Best Regards,
Jarda
From: Julien Gribonvald <julien.g...@recia.fr>
To: cas-...@lists.jasig.org
Date: 30.06.2014 09:00
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Jarda
From: Julien Gribonvald <julien.g...@recia.fr>
To: cas-...@lists.jasig.org
Date: 30.06.2014 09:00
Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from GIP-RECIA
Hello Jarda,
Ok so :
- for first problem: The use case is that the idp is passing an attribute that can be found in a datasource (for us ldap) that CAS use to find users, it's an attibute for the federated identity. In our development we considered that the user exist in the CAS datasource, and to find it the idp provide the email and we look in an ldap but you can replace all this part. For your use case you will have to make some implementation/configuration as you will need to save the users parameters in a "datasource" (in memory or database or ...) that CAS will be able to obtain easily during at list all the user session - look at the persondir lib in this case there are several tools to define a user from several datasources - or maybe save user's informations in a datasource. That is needed because the CAS won't request again the users parameters to the idp since the user is authenticated, this isn't intended and i don't know if it will be possible to request each times the saml attribute from the idp. Our development is a specific use case but you should be able to replace some part by custom or CAS classes.
For the sources you shoul be able to find all from : https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2after it uses some CAS module like cas-server-support-ldap that you should
activate.Ok so :
- for first problem: The use case is that the idp is passing an attribute that can be found in a datasource (for us ldap) that CAS use to find users, it's an attibute for the federated identity. In our development we considered that the user exist in the CAS datasource, and to find it the idp provide the email and we look in an ldap but you can replace all this part. For your use case you will have to make some implementation/configuration as you will need to save the users parameters in a "datasource" (in memory or database or ...) that CAS will be able to obtain easily during at list all the user session - look at the persondir lib in this case there are several tools to define a user from several datasources - or maybe save user's informations in a datasource. That is needed because the CAS won't request again the users parameters to the idp since the user is authenticated, this isn't intended and i don't know if it will be possible to request each times the saml attribute from the idp. Our development is a specific use case but you should be able to replace some part by custom or CAS classes.
--
You are currently subscribed to cas-...@lists.jasig.orgas: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.orgas: julien.g...@recia.fr
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to cas-...@lists.jasig.org as: jka...@idc.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
-- You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
Reply all
Reply to author
Forward
0 new messages