Redirect after login with simpleSAMLphp + CAS


Dorian Dodo

Jun 22, 2015, 11:34:27 AM6/22/15
to simple...@googlegroups.com
Hello,

I am trying to use simpleSAMLphp with CAS.

SP: in shib13-idp-remote I've defined:

$metadata['example'] = array(
    'SingleSignOnService'  => 'https://example.com/cas/login',
    'SingleLogoutService'  => 'https://example.com/cas/logout',
);

The CAS server does not redirect after successful authentication.
Is it possible? What must be set? Should we change the CAS IdP or the SP?

Thank you,
Dorian

Peter Schober

Jun 22, 2015, 11:49:42 AM6/22/15
to simple...@googlegroups.com
* Dorian Dodo <dori...@gmail.com> [2015-06-22 17:34]:
> I try to use simpleSAMLphp with CAS.
>
> SP : in *shib13-idp-remote* i've defined :
>
> $metadata['example'] = array(
> 'SingleSignOnService' => 'https://example.com/cas/login',
> 'SingleLogoutService' => 'https://example.com/cas/logout'
> );
>
> The CAS server does not redirect after successful authentication.
> Is it possible? What must be set ? Should we change the CAS IdP or SP ?

The docs don't seem to suggest the use of the SAML protocol to CAS,
but the proprietary CAS protocol?
https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/cas/docs/cas.txt

If CAS supports SAML sufficiently to interop with SSP you can ignore
everything specific to CAS in the SSP modules and documentation.

No idea whether the metadata above is correct. When processing
terminates at the CAS SAML IDP I guess you'd have to look at that
system's log files for errors (or ask the people running it).
-peter

Dorian Dodo

Jun 22, 2015, 11:57:07 AM6/22/15
to simple...@googlegroups.com, peter....@univie.ac.at
The CAS server is hosted at the customer; I need to configure a solution that connects to it with SAML 1.1.

I don't understand this example; I have no LDAP in my SP: https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/cas/docs/cas.txt ?

Thanks

Thijs Kinkhorst

Jun 22, 2015, 12:21:40 PM6/22/15
to simple...@googlegroups.com
On 22-06-15 17:57, Dorian Dodo wrote:
> The CAS server is hosted at the customer, I need to configure a solution
> that connects to it with SAML 1.1
>
> I don't understand this example, i've no LDAP in my SP
> https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/cas/docs/cas.txt
> ?

Here's some documentation about the CAS server supporting SAML 1.1:
http://jasig.github.io/cas/4.0.x/protocol/SAML-Protocol.html
It seems that the endpoint is not /cas/login but /cas/samlValidate?

In any case, if you really want to talk SAML 1.1 to the CAS server, you
don't need the simpleSAMLphp "cas" module since that's for speaking the
CAS protocol.


Cheers,
Thijs

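The SAML 1.1 exchange that the CAS documentation Thijs links to describes, written out from the SP side as an added example. This is not code from the thread, from simpleSAMLphp or from CAS, and it is Python rather than the modules' PHP so that it runs stand-alone. The host names are the thread's own placeholders; the ticket, the clock and the samlValidate reply are constructed. It assumes CAS's SAML 1.1 profile as documented (the SP is named in TARGET, the ticket comes back as SAMLart, the SP POSTs a SOAP samlp:Request to samlValidate) and that the returned assertion carries no signature, so the SP's trust rests on its own TLS connection to the CAS host.

```python
"""CAS SAML 1.1 profile from the SP side: the login redirect, the SAMLart
callback, the samlValidate request and the checks on the returned assertion.
Added example for this thread, not code from simpleSAMLphp or from CAS. Hosts
reuse the thread's placeholders; the ticket, clock and SAMPLE_RESPONSE are
constructed to resemble a CAS 4.0.x samlValidate reply."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

CAS_BASE = "https://example.com/cas"   # IdP host from the thread's metadata
SERVICE = "https://my.app.local/"      # the SP, the thread's 'target'
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

def login_url(service: str) -> str:
    """Step 1: the SAML 1.1 profile names the SP in TARGET, not in 'service'."""
    return f"{CAS_BASE}/login?" + urlencode({"TARGET": service})

def artifact_from_callback(url: str) -> str:
    """Step 2: CAS returns the browser to TARGET with ?SAMLart=ST-... appended."""
    values = parse_qs(urlsplit(url).query).get("SAMLart", [])
    if len(values) != 1 or not values[0].startswith("ST-"):
        raise ValueError("callback carries no usable SAMLart")
    return values[0]

def validate_request(artifact: str, now: dt.datetime) -> str:
    """Step 3: SOAP body the SP POSTs to CAS_BASE/samlValidate?TARGET=<service>
    over its own TLS connection. The artifact came from the browser: escape it."""
    issued = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>'
        '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
        f'MajorVersion="1" MinorVersion="1" RequestID="_{uuid.uuid4().hex}" IssueInstant="{issued}">'
        f"<samlp:AssertionArtifact>{escape(artifact)}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )

def _ts(value: str) -> dt.datetime:
    """UTC timestamps; CAS writes milliseconds, the spec also allows none."""
    value = value.rstrip("Z")
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S")

def parse_response(body: bytes, service: str, now: dt.datetime) -> dict:
    """Step 4: accept the assertion only on Success, inside its validity window,
    and when it is addressed to this service. Nothing here is signed: the TLS
    back channel to CAS is what the SP trusts (an assumption of this example)."""
    root = ET.fromstring(body)
    resp = root.find("soap:Body/samlp:Response", NS)
    code = resp.find("samlp:Status/samlp:StatusCode", NS) if resp is not None else None
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("CAS did not report Success")
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("assertion or its Conditions missing")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if service not in audiences:
        raise ValueError(f"assertion not issued for {service}")
    name = assertion.findtext("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name": name, "attributes": attrs}

SAMPLE_NOW = dt.datetime(2015, 6, 23, 8, 0, 10)   # constructed clock, inside the window below
SAMPLE_RESPONSE = b"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" ResponseID="_r1" IssueInstant="2015-06-23T08:00:05.000Z" Recipient="https://my.app.local/">
 <Status><StatusCode Value="samlp:Success"/></Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1" Issuer="example.com" MajorVersion="1" MinorVersion="1" IssueInstant="2015-06-23T08:00:05.000Z">
  <Conditions NotBefore="2015-06-23T08:00:05.000Z" NotOnOrAfter="2015-06-23T08:00:35.000Z">
   <AudienceRestrictionCondition><Audience>https://my.app.local/</Audience></AudienceRestrictionCondition>
  </Conditions>
  <AuthenticationStatement AuthenticationInstant="2015-06-23T07:59:58.000Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
   <Subject><NameIdentifier>dorian</NameIdentifier></Subject>
  </AuthenticationStatement>
  <AttributeStatement><Subject><NameIdentifier>dorian</NameIdentifier></Subject>
   <Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>dorian</AttributeValue></Attribute>
   <Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>dorian@example.com</AttributeValue></Attribute>
  </AttributeStatement>
 </Assertion>
</Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

def validate_sample() -> dict:
    """The whole flow on the constructed data: what the SP would log the user in as."""
    artifact = artifact_from_callback(SERVICE + "?SAMLart=ST-1-d0r1an")
    validate_request(artifact, SAMPLE_NOW)        # the body that would go to samlValidate
    return parse_response(SAMPLE_RESPONSE, SERVICE, SAMPLE_NOW)
```

The three checks in parse_response are the ones that matter when the IdP is another vendor's product: a Success status, a validity window that contains the SP's clock, and an Audience equal to the service the SP sent in TARGET. The thread's "after login no redirection" symptom sits before any of this (the browser never comes back with SAMLart), which is why the advice to read the CAS server's log stands; but once it does come back, this is the part the SP has to get right.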

Dorian Dodo

Jun 23, 2015, 4:37:52 AM6/23/15
to simple...@googlegroups.com, thijs.k...@surfnet.nl
The response with the "samlValidate" route is:

"service" and "ticket" parameters are both required

$metadata['example'] = array(
    'SingleSignOnService'  => 'https://example.com/cas/samlValidate',
    'SingleLogoutService'  => 'https://example.com/cas/logout',
);

I really do not know how to authenticate myself to a remote CAS server with simpleSAMLphp.

Thanks

Peter Schober

Jun 23, 2015, 8:59:29 AM6/23/15
to simple...@googlegroups.com
* Dorian Dodo <dori...@gmail.com> [2015-06-23 10:37]:
> *I really do not know how to authenticate me to a remote server with CAS
> simpleSAMLphp ?*

I told you. So did Thijs. You forget there ever was something called
"CAS" and install and configure your SSP software as a SAML SP,
exchanging SAML protocol messages to a SAML IDP (that happens to be
another implementation). All of this is covered in the SSP
documentation.
-peter

Dorian Dodo

Jun 23, 2015, 10:10:28 AM6/23/15
to simple...@googlegroups.com, peter....@univie.ac.at
> You forget there ever was something called
> "CAS" and install and configure your SSP software as a SAML SP,
> exchanging SAML protocol messages to a SAML IDP (that happens to be
> another implementation).

I tried.

authsources.php

    'default-sp' => array(
        'saml:SP',

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => null,

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => 'example',

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => null,

        'acs.Bindings' => array(
            'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
            'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
        ),
    ),

1/ With metadata in saml20-idp-remote

$metadata['example'] = array(
    'SingleSignOnService'  => 'https://example.com/cas/login',
    'SingleLogoutService'  => 'https://example.com/cas/logout',
    'RelayState' => 'https://my.app.local/',
    'target' => 'https://my.app.local/',
);

The SP redirects to CAS; after login it redirects to the SP, but:

Caused by: InvalidArgumentException: Invalid input parameters.
Backtrace:
5 /home/me/www/local.app.my/application/simplesaml/lib/SimpleSAML/Utils/XML.php:83 (SimpleSAML\Utils\XML::debugSAMLMessage)
4 /home/me/www/local.app.my/application/simplesaml/lib/SimpleSAML/Utilities.php:612 (SimpleSAML_Utilities::debugMessage)

2/ With metadata in shib13-idp-hosted

$metadata['example'] = array(
    'SingleSignOnService'  => 'https://example.com/cas/login',
    'SingleLogoutService'  => 'https://example.com/cas/logout',
    'RelayState' => 'https://my.app.local/',
    'target' => 'https://my.app.local/',
);

The SP redirects to CAS; after login, no redirection.


Any ideas ?

Thanks

Peter Schober

Jun 23, 2015, 12:13:24 PM6/23/15
to simple...@googlegroups.com
* Dorian Dodo <dori...@gmail.com> [2015-06-23 16:10]:
> // The entity ID of the IdP this should SP should contact.
> // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
> 'idp' => 'example',

OK, if that's the actual entityID of the IDP (then discoURL is irrelevant).

> 'acs.Bindings' => array(
> 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
> 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
> ),

> 1/ With metadata in saml20-idp-remote

Yeah, if the IDP only speaks SAML1 putting it into saml20-* won't work.

Note that if the IDP can supply you with SAML Metadata describing their
IDP you can feed that to SSP's metadata converter to generate
SSP-format metadata automatically.

> 2/ With metadata in shib13-idp-hosted
>
> $metadata['example'] = array(
> 'SingleSignOnService' => 'https://example.com/cas/login',
> 'SingleLogoutService' => 'https://example.com/cas/logout',
> 'RelayState' => 'https://my.app.local/',
> 'target' => 'https://my.app.local/',
> );
>
> SP redirect to CAS, after login no redirection.

Not sure what you expect this forum to say based on that.

Does the SAML1-IDP support "Shibboleth" protocol requests? (SAML1
proper did not define a way to start the login process at the SP.)
Here's the old spec:
https://wiki.shibboleth.net/confluence/download/attachments/2162702/internet2-mace-shibboleth-arch-protocols-200509.pdf

If so make sure it looks sane, and matches what this IDP implements.

Also check what kind of endpoints the IDP configured for your SP.
Did you give them SAML metadata? Generated from SSP's endpoint for
that?

And again: If processing terminates at the IDP you'd have to ask the
IDP operator about any errors (from its log files).
"after login no redirection" isn't sufficient for anyone else to debug
that particular deployment.
-peter

李晓亮

Oct 12, 2015, 10:41:53 PM10/12/15
to SimpleSAMLphp
Hi, Dorian.
Did you resolve this issue? If so, can you tell me how you solved it?

Glenn Milingui

Aug 17, 2016, 1:04:22 PM8/17/16
to SimpleSAMLphp, peter....@univie.ac.at
Hi,

I have the same issue as you.
After some searching, I didn't find a solution.
Have you resolved your problem?
If possible, can you help me please?

Thank you very much for your availability

Glenn

Peter Schober

Aug 18, 2016, 5:10:57 AM8/18/16
to SimpleSAMLphp
* Glenn Milingui <glenn.m...@crossknowledge.com> [2016-08-17 19:04]:
> I have the same issue like you.
> After so search, I didn't find a solution.

What *exactly* are you trying to do, and why?
-peter

Glenn Milingui

Aug 18, 2016, 5:57:19 AM8/18/16
to SimpleSAMLphp, peter....@univie.ac.at
Thanks for your response.
Exactly, I am trying to do two main things (A and B), which represent two cases I would like to do:

A/. Configure a simplesamlphp (Vhost 1) as a service provider in CAS authentication. In addition, configure simplesamlphp (Vhost 2) as an identity provider in CAS.
Both configurations will communicate together (as SP and IdP).

SP configuration:

In the SP config/authsources.php, I added this authsource for CAS. Moreover, I enabled the cas module (in: modules/cas/).

    'Test_cas' => array(
        'cas:CAS',
        'cas' => array(
            'login' => 'https://xgsimplesamlphp.fr/simplesaml/module.php/casserver/login.php',
            'serviceValidate' => 'https://xgsimplesamlphp.fr/simplesaml/module.php/casserver/serviceValidate',
            'logout' => 'https://xgsimplesamlphp.fr/simplesaml/module.php/casserver/logout',
            'attributes' => array('uid' => '/cas:serviceResponse/cas:authenticationSuccess/cas:uid'),
        ),
        'ldap' => array('servers' => false),
    ),

IdP configuration:

In the IdP config/authsources.php, I added this authsource for CAS. Moreover, I enabled the casserver module (in: modules/casserver/).

    'saml2' => array(
        'exampleauth:UserPass',
        'admin1:admin1' => array(
            'uid' => array('gle...@test.com'),
        ),
        'admin2:admin2' => array(
            'uid' => array('glen...@test.com'),
        ),
        'admin3:admin3' => array(
            'uid' => array('glen...@test.com'),
        ),
    ),



In the IdP config/module_casserver.php, I have this config:

<?php
/*
 * Configuration for the module casserver.
 */

$config = array(
    'legal_service_urls' => array(
        'https://ck-test-simplesaml.fr',
        //'https://ck-test-simplesaml.fr/simplesaml/module.php/cas/linkback.php',
        'http://test.feide.no/casclient',
        'http://test.feide.no/cas2',
    ),

    // Legal values: saml2, shib13
    'auth' => 'saml2',

    'ticketcache' => 'ticketcache',

    //'attrname' => 'uid','IdExterne','Nom','Prenom','IdExterne','login',
    'attrname' => 'uid',

    //'attributes' => TRUE, // enable transfer of attributes
);


But after some attempts, I have this error:

Caused by: SimpleSAML_Error_Exception: Error fetching 'https://xgsimplesamlphp.fr/simplesaml/module.php/casserver/serviceValidate?ticket=ST-ff366cc68c7f4c061aa462a3d7d01c24374a7cf402&service=https%3A%2F%2Fck-test-simplesaml.fr%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_a9c2513a67600afb1b82689addc07d110eec9028d8%253Ahttps%253A%252F%252Fck-test-simplesaml.fr%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253DTest_cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fck-test-simplesaml.fr%25252Fsimplesaml%25252Fmodule.php%25252Fcore%25252Fauthenticate.php%25253Fas%25253DTest_cas':file_get_contents(https://xgsimplesamlphp.fr/simplesaml/module.php/casserver/serviceValidate?ticket=ST-ff366cc68c7f4c061aa462a3d7d01c24374a7cf402&amp;service=https%3A%2F%2Fck-test-simplesaml.fr%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_a9c2513a67600afb1b82689addc07d110eec9028d8%253Ahttps%253A%252F%252Fck-test-simplesaml.fr%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253DTest_cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fck-test-simplesaml.fr%25252Fsimplesaml%25252Fmodule.php%25252Fcore%25252Fauthenticate.php%25253Fas%25253DTest_cas): failed to open stream: operation failed


B/. Configure a simplesamlphp as a service provider in CAS authentication to communicate with a JASIG CAS .Net implemented by another person.
    This part comes after the last one (A).


Thank you for your availability on this subject and your help.

Glenn.

Patrick Radtke

Aug 18, 2016, 3:48:46 PM8/18/16
to SimpleSAMLphp, peter....@univie.ac.at
Interesting configuration.
What is the output if you curl:

? Do you get a reply from the CAS server or an SSP error?

The error you showed seems to be from the CAS client side not being able to query the server. It would be interesting to know what using curl to mimic the client returns, and if the server returns an error.

Also, you are using the casserver module included with SSP. There is a better version that you can install with composer: https://github.com/simplesamlphp/simplesamlphp-module-casserver I think you'll need to be on SSP 1.14 to use the latest version of the module.

It has better error reporting and is more flexible. The configuration is mostly the same - I think just 'auth' needs to be changed to 'authsource' and 'ticketcache' is now

    'ticketstore' => array(
        'class' => 'casserver:FileSystemTicketStore', // Not intended for production
        'directory' => 'ticketcache',
    ),
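What the SSP cas module does when it reaches the serviceValidate URL in Glenn's error, and the service check a casserver applies on the other end, as an added example. It is not code from simpleSAMLphp or from either CAS module, and it is Python rather than their PHP so it runs offline: the hosts and the attribute XPath are taken from Glenn's configuration, the ticket and the three sample server bodies are constructed, and the prefix matching in is_legal_service is an assumption about how the legal_service_urls list is applied (check the module you actually run before relying on it).

```python
"""CAS 2.0 serviceValidate from both sides: the URL the SSP cas module fetches,
the allow-list check a casserver applies to 'service', and parsing the reply.
Added example for this thread, in Python rather than the modules' PHP; not
simpleSAMLphp code. Hosts and the attribute XPath come from Glenn's
configuration; the ticket and all sample bodies are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_SERVER = "https://xgsimplesamlphp.fr/simplesaml/module.php/casserver"
# 'service' as the SSP client sends it: its linkback URL carrying the state id
SERVICE = "https://ck-test-simplesaml.fr/simplesaml/module.php/cas/linkback.php?stateID=_a9c2"
TICKET = "ST-ff366cc6"            # constructed; real tickets are much longer
ATTRIBUTE_PATHS = {"uid": "/cas:serviceResponse/cas:authenticationSuccess/cas:uid"}


class CasAuthFailure(Exception):
    """The server answered in CAS XML but refused the ticket."""


def validate_url(server: str, ticket: str, service: str) -> str:
    """Client side. 'service' must be exactly what went to /login, encoded once
    as a query value; the %253A runs in the thread's error are the stateID's own
    already-encoded contents and are expected."""
    return f"{server}/serviceValidate?" + urlencode({"ticket": ticket, "service": service})


def is_legal_service(service: str, legal_service_urls) -> bool:
    """Server side, assuming legal_service_urls is applied as a plain string prefix.
    A bare origin with no trailing slash then also admits any host that merely
    starts with the same characters."""
    return any(service.startswith(prefix) for prefix in legal_service_urls)


def parse_service_response(body: bytes, attribute_paths: dict) -> dict:
    """Client side again: tell a CAS failure apart from a non-CAS body (an HTML
    error page, say) and pull attributes by the XPaths SSP's config uses."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"server did not return XML: {exc}") from exc
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("not a cas:serviceResponse; the server sent something else")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasAuthFailure(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    attrs = {}
    for name, xpath in attribute_paths.items():
        # SSP's paths are absolute from /cas:serviceResponse; ElementTree searches
        # relative to the root element, so drop that first step.
        relative = xpath.split("/cas:serviceResponse/", 1)[1]
        attrs[name] = [e.text.strip() for e in root.findall(relative, CAS_NS) if e.text]
    return {"user": success.findtext("cas:user", namespaces=CAS_NS), "attributes": attrs}


# Constructed replies. The success body is shaped to the XPath in Glenn's config
# (cas:uid directly under cas:authenticationSuccess).
SUCCESS = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>admin1</cas:user><cas:uid>admin1@test.com</cas:uid></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>ticket does not match supplied service</cas:authenticationFailure>
</cas:serviceResponse>"""
NOT_CAS = b"<html><body>Internal Server Error</body></html>"

if __name__ == "__main__":
    print(validate_url(CAS_SERVER, TICKET, SERVICE))
    print(parse_service_response(SUCCESS, ATTRIBUTE_PATHS))
```

The block deliberately makes no network call; paste the body that curl returns from the URL in the error into parse_service_response and it tells you which of Patrick's two cases you are in (a CAS-formatted refusal, or something that is not a CAS reply at all). The is_legal_service test also shows why the entries in legal_service_urls should end with a slash or a full path rather than a bare origin.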

mhern...@grupoecce.com

Jul 12, 2018, 6:31:16 PM7/12/18
to SimpleSAMLphp
In config/config.php add the allowed domains.
Easy, guys.

 * Example:
     *   'trusted.url.domains' => array('sp.example.com', 'app.example.com'),