[cas-user] CAS as IDP for AzureAD (WS Federation)


Enrique Guerrero

Jan 19, 2022, 11:10:58 AM
to CAS Community
Hi there.

I want to use my custom CAS instance (v6.4.4.1) as the IdP for AzureAD. I would like to authenticate users from a certain domain, which I configure in AzureAD, against my CAS.

It's necessary to configure the integration through the WS-Fed protocol (not SAML), because the authentication would happen during the users' login on their Windows laptops.

I configured my CAS as follows:

        1. Enabling the following dependencies in the build.gradle file:

                // 'compile' was removed in Gradle 7; 'implementation' works on Gradle 6 and 7
                implementation "org.apereo.cas:cas-server-support-ws-sts:${casServerVersion}"
                implementation "org.apereo.cas:cas-server-support-ws-idp:${casServerVersion}"

        2. Including the following properties in the cas.properties file:

                #################
                # Ws Federation #
                #################
                cas.authn.wsfed-idp.idp.realm=urn:org:apereo:cas:ws:idp:realm-CAS
                cas.authn.wsfed-idp.idp.realm-name=CAS

                cas.authn.wsfed-idp.sts.signing-keystore-file=/etc/cas/ws/ststrust.jks
                cas.authn.wsfed-idp.sts.signing-keystore-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.encryption-keystore-file=/etc/cas/config/stsencrypt.jks
                cas.authn.wsfed-idp.sts.encryption-keystore-password=<PASSWORD>

                cas.authn.wsfed-idp.sts.subject-name-id-format=unspecified
                cas.authn.wsfed-idp.sts.subject-name-qualifier=http://cxf.apache.org/sts
                cas.authn.wsfed-idp.sts.encrypt-tokens=true
                cas.authn.wsfed-idp.sts.sign-tokens=true

                cas.authn.wsfed-idp.sts.conditions-accept-client-lifetime=true
                cas.authn.wsfed-idp.sts.conditions-fail-lifetime-exceedance=false
                cas.authn.wsfed-idp.sts.conditions-future-time-to-live=PT60S
                cas.authn.wsfed-idp.sts.conditions-lifetime=PT30M
                cas.authn.wsfed-idp.sts.conditions-max-lifetime=PT12H

                cas.authn.wsfed-idp.sts.realm.keystore-file=/etc/cas/ws/stscasrealm.jks
                cas.authn.wsfed-idp.sts.realm.keystore-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.realm.keystore-alias=<CUSTOM_CAS_ALIAS>
                cas.authn.wsfed-idp.sts.realm.key-password=<PASSWORD>
                cas.authn.wsfed-idp.sts.realm.issuer=CAS

        3. CAS MongoDB client:

                {
                    "_id" : 290,
                    "_class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
                    "serviceId" : "https://login.microsoftonline.com/login.srf",
                    "realm" : "urn:federation:MicrosoftOnline",
                    "name" : "WSFED",
                    "attributeReleasePolicy" : {
                        "_class" : "org.apereo.cas.ws.idp.services.WSFederationClaimsReleasePolicy",
                        "allowedAttributes" : {
                            "EMAIL_ADDRESS_2005" : [
                                "email"
                            ],
                            "GIVEN_NAME" : [
                                "givenName"
                            ],
                            "COMMON_NAME" : [
                                "cn"
                            ],
                            "SURNAME" : [
                                "sn"
                            ],
                            "PUID" : [
                                "uid"
                            ]
                        }
                    },
                    "tokenType" : "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                }

        4. After that, the following services have been enabled in my CAS web instance:

                https://<CUSTOM_CAS_ALIAS>/cas/ws/idpmetadata
                https://<CUSTOM_CAS_ALIAS>/cas/ws/idp/federation
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl
                https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl=ws-trust-1.4.wsdl


I don't know much about the WS-Fed protocol, and looking for some login service URL in https://<CUSTOM_CAS_ALIAS>/cas/ws/sts/CAS/STSServiceTransportUT?wsdl I didn't find any clue.

Do you know what CAS WS-Fed login service URL needs to be used for this purpose? I tried with https://<CUSTOM_CAS_ALIAS>/cas/ws/idp/federation (the CAS documentation says "Endpoint to receive initial GET authentication requests from clients, typically identified as the issuer." in https://apereo.github.io/cas/6.3.x/protocol/WS-Federation-Protocol.html). But when Microsoft attempts to redirect to CAS I get the message "Application Not Authorized to Use CAS". CAS logs this message at that point:


2022-01-19 16:11:38,419 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2022-01-19 16:11:51,856 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [null] is not found in service registry.>
2022-01-19 16:12:35,203 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [25] service(s) from [JsonServiceRegistry,MongoDbServiceRegistry].>


Probably I need to configure the CAS MongoDB client better? Do I need to use another CAS WS-Fed login service URL? Or is it another issue?

Thanks so much for your support!

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8cfe9b1c-fd3d-456f-a2b4-52747ea53843n%40apereo.org.
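As an added example that is not part of the original post and not CAS project code: a small Python model of the WS-Federation passive sign-in request (wa=wsignin1.0 with wtrealm, optional wreply and wctx) that a relying party sends to the /cas/ws/idp/federation endpoint named above, followed by a registered-service lookup using the WSFederationRegisteredService definition from the post. The hostname cas.example.org, the use of re.fullmatch, and the rule that serviceId is matched against wreply while realm must equal wtrealm are assumptions of this model, not verified CAS behaviour; the sample request values are constructed.

```python
"""Model of a WS-Federation passive sign-in (wa=wsignin1.0) request and of a
registered-service lookup on a CAS-style WS-Fed IdP.  Added example, not code
from the post or from the CAS project; see the comments for what is assumed."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint named in the post for the initial GET; the hostname is a placeholder.
IDP_FEDERATION_ENDPOINT = "https://cas.example.org/cas/ws/idp/federation"

# The WSFederationRegisteredService from the post, reduced to the matching fields.
# Assumption of this model (not verified against CAS source): serviceId is a regex
# that must match the relying party's wreply, and realm must equal its wtrealm.
# The dots are escaped so the pattern matches the literal host, not any character.
REGISTERED_SERVICES = [
    {
        "id": 290,
        "name": "WSFED",
        "serviceId": r"^https://login\.microsoftonline\.com/login\.srf.*",
        "realm": "urn:federation:MicrosoftOnline",
    },
]


def build_signin_request(wtrealm, wreply=None, wctx=None,
                         endpoint=IDP_FEDERATION_ENDPOINT):
    """Return the GET URL a relying party sends to the IdP's passive requestor
    endpoint. wa and wtrealm are mandatory in WS-Fed; wreply and wctx are optional."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if wreply is not None:
        params["wreply"] = wreply
    if wctx is not None:
        params["wctx"] = wctx
    return f"{endpoint}?{urlencode(params)}"


def parse_signin_request(url):
    """Extract the WS-Fed parameters from an incoming request URL and reject
    anything that is not a wsignin1.0 request carrying a realm."""
    query = parse_qs(urlsplit(url).query)
    params = {key: values[0] for key, values in query.items()}
    if params.get("wa") != "wsignin1.0":
        raise ValueError(f"unsupported or missing wa: {params.get('wa')!r}")
    if not params.get("wtrealm"):
        raise ValueError("wtrealm is required")
    return params


def find_registered_service(params, registry=REGISTERED_SERVICES):
    """Return the registered service for this request, or None when there is no
    wreply to match against or no entry matches both realm and wreply."""
    wreply = params.get("wreply")
    if wreply is None:
        # Without a reply address there is no service identifier to look up;
        # in this model that is the "service is null" outcome.
        return None
    for service in registry:
        if (service["realm"] == params.get("wtrealm")
                and re.fullmatch(service["serviceId"], wreply)):
            return service
    return None


if __name__ == "__main__":
    # Constructed sample exchange: a request carrying both wtrealm and wreply.
    url = build_signin_request("urn:federation:MicrosoftOnline",
                               "https://login.microsoftonline.com/login.srf",
                               wctx="constructed-context")
    print(url)
    print(find_registered_service(parse_signin_request(url)))
```

Running the block prints the sign-in URL and the matched service entry; calling find_registered_service on a request that omits wreply, uses a different wtrealm, or points wreply at another host returns None, which is the behaviour worth checking first when the IdP reports that no service could be found for an incoming request.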