It's been a while since I looked at that code, but it would not surprise me 
if the identity attribute is case sensitive. The other possibility is that 
the attributeMutator is renaming or removing the UPN attribute. That depends 
upon the code implemented in the class and is designed to be customized. In 
your log you do not show sAMAccountName being returned by ADFS, so I'm guessing 
that your mutator is creating it. Otherwise I'm not sure what is going on.

-- 
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
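As an added illustration of the case-sensitivity point above (example code written for this thread, not code from CAS or the cas-adfs-integration overlay), the following Java models the attribute map ADFS returned in Yves's log and shows two things: a naive exact-case lookup, which turns into a NullPointerException when wsfederation.xml says `upn` but the token carries `UPN`, and a defensive resolver plus mutator that fail with a clear message instead. The attribute-map shape, the method names, the sample values and the rule that sAMAccountName is derived only when the UPN suffix equals the expected realm are assumptions made for this example; the project's own resolver and mutator may differ.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added illustration, not CAS / cas-adfs-integration code.
 * Attribute map shape (name -> list of values) is an assumption.
 */
public class WsFedPrincipalResolutionDemo {

    /** Helper to build a single-valued attribute list. */
    static List<Object> one(Object v) {
        List<Object> l = new ArrayList<>();
        l.add(v);
        return l;
    }

    /** Constructed stand-in for the attributes ADFS returned (values are made up). */
    static Map<String, List<Object>> adfsAttributes() {
        Map<String, List<Object>> attrs = new HashMap<>();
        attrs.put("UPN", one("yves.m@ict-toulouse.fr"));      // note the upper-case key
        attrs.put("Email", one("yves.m@ict-toulouse.fr"));
        attrs.put("surname", one("MOYA"));
        attrs.put("givenname", one("Yves"));
        return attrs;
    }

    /** Naive lookup: exact-case key, first value. With identityAttribute="upn" this NPEs. */
    static String naiveExtractPrincipalId(Map<String, List<Object>> attrs, String identityAttribute) {
        return attrs.get(identityAttribute).get(0).toString();
    }

    /** Case-insensitive lookup that requires exactly one matching key with exactly one value. */
    static String extractPrincipalId(Map<String, List<Object>> attrs, String identityAttribute) {
        List<String> matches = new ArrayList<>();
        for (String key : attrs.keySet()) {
            if (key.equalsIgnoreCase(identityAttribute)) {
                matches.add(key);
            }
        }
        if (matches.isEmpty()) {
            throw new IllegalStateException("identity attribute '" + identityAttribute
                    + "' not present; token carries " + attrs.keySet());
        }
        if (matches.size() > 1) {
            // Two keys differing only in case would make the principal ambiguous; refuse.
            throw new IllegalStateException("ambiguous identity attribute: " + matches);
        }
        List<Object> values = attrs.get(matches.get(0));
        if (values == null || values.size() != 1 || values.get(0) == null) {
            throw new IllegalStateException("identity attribute must have exactly one value, got " + values);
        }
        return values.get(0).toString();
    }

    /**
     * Hypothetical mutator: derives sAMAccountName from the UPN only when the UPN suffix is
     * the expected realm. A UPN from any other realm is left untouched so its prefix cannot
     * be mapped onto a local account that happens to share the same name.
     */
    static Map<String, List<Object>> mutate(Map<String, List<Object>> in, String expectedRealm) {
        Map<String, List<Object>> out = new HashMap<>(in);
        String upn = extractPrincipalId(in, "upn");
        int at = upn.lastIndexOf('@');
        if (at > 0 && upn.substring(at + 1).equalsIgnoreCase(expectedRealm)) {
            out.put("sAMAccountName", one(upn.substring(0, at)));
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, List<Object>> attrs = adfsAttributes();

        // identityAttribute="upn", as in the commented-out line of wsfederation.xml
        try {
            naiveExtractPrincipalId(attrs, "upn");
        } catch (NullPointerException e) {
            System.out.println("naive lookup of 'upn': NullPointerException (token key is 'UPN')");
        }

        System.out.println("case-insensitive lookup of 'upn': " + extractPrincipalId(attrs, "upn"));

        Map<String, List<Object>> mutated = mutate(attrs, "ict-toulouse.fr");
        System.out.println("sAMAccountName after mutator: " + extractPrincipalId(mutated, "sAMAccountName"));

        // Constructed UPN from a different realm: the mutator derives no local short name,
        // so a resolver configured for sAMAccountName fails loudly instead of guessing.
        Map<String, List<Object>> foreign = new HashMap<>(attrs);
        foreign.put("UPN", one("yves.m@example.org"));
        try {
            extractPrincipalId(mutate(foreign, "ict-toulouse.fr"), "sAMAccountName");
        } catch (IllegalStateException e) {
            System.out.println("foreign realm refused: " + e.getMessage());
        }
    }
}
```

The first branch reproduces the symptom in the log (a NullPointerException out of principal resolution rather than a descriptive failure); the realm check in the mutator is the piece to get right when you let a federated UPN select a local account name.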


From:  <cas-user@apereo.org> on behalf of Yves <yves.moya....@gmail.com>
Date:  Wednesday, April 20, 2016 at 9:46 AM
To:  CAS Community <cas-user@apereo.org>
Subject:  [cas-user] Re: Jasig CAS and ADFS Troubleshooting blank screen after 
successful login

Hello,

I've solved this by modifying wsfederation.xml

        <property name="identityProviderIdentifier"
                  value="http://adfs.ict-toulouse.fr/adfs/services/trust" />
        <property name="identityProviderUrl"
                  value="https://adfs.ict-toulouse.fr/adfs/ls/" />
        <!-- <property name="identityAttribute" value="upn" /> -->
        <property name="identityAttribute" value="sAMAccountName" />
        <property name="relyingPartyIdentifier" value="urn:federation:cas" />
        <property name="tolerance" value="60000" />
        <property name="attributeMutator">
            <bean class="org.example.cas.support.wsfederation.WsFedAttributeMutatorImpl" />
        </property>

I don't know why upn didn't work. Is it case sensitive? ADFS returns UPN, 
not upn.

Or maybe it's caused by WsFedAttributeMutatorImpl.java, which removes @ict-toulouse.fr 
from the UPN, but as far as I can tell that happens afterwards, doesn't it?

Thanks

On Wednesday, April 20, 2016 at 12:15:20 UTC+2, Yves wrote:
Hello,
 
I've set up Jasig Central Authentication System (CAS) 4.0.2 with 
adfs-support-wsfederation. 
I've used the Maven overlay cas-adfs-integration-master.

I've set up an ADFS server (Windows Server 2012 R2).

When I try to log on to https://srv-jasig01.ict-toulouse.fr:4443/cas I'm 
redirected to 
https://adfs.ict-toulouse.fr/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:cas

That produces this log:

2016-04-20 11:58:31,103 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- <Extractor did not generate service.>
2016-04-20 11:58:31,105 DEBUG 
[net.unicon.cas.support.wsfederation.web.flow.WsFederationAction] - <wresult : 
<t:RequestSecurityTokenResponse [truncated]
2016-04-20 11:58:31,115 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - 
<parseTokenFromString: org.opensaml.saml1.core.impl.AssertionImpl@304d6837>
2016-04-20 11:58:31,125 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - <validateSignature: 
Signature is valid.>
2016-04-20 11:58:31,126 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - 
<createCredentialFromToken: retrieved on 2016-04-20T09:58:31.126Z>
2016-04-20 11:58:31,126 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - 
<createCredentialFromToken: processed attribute: UPN>
2016-04-20 11:58:31,127 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - 
<createCredentialFromToken: processed attribute: surname>
2016-04-20 11:58:31,127 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - 
<createCredentialFromToken: processed attribute: givenname>
2016-04-20 11:58:31,127 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - 
<createCredentialFromToken: processed attribute: Group>
2016-04-20 11:58:31,127 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - 
<createCredentialFromToken: processed attribute: Email>
2016-04-20 11:58:31,127 DEBUG 
[net.unicon.cas.support.wsfederation.WsFederationUtils] - 
<createCredentialFromToken: ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
Issuer: http://adfs.ict-toulouse.fr/adfs/services/trust
Audience: urn:federation:cas
Audience Method: 
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Issued On: 2016-04-20T09:58:31.246Z
Valid After: 2016-04-20T09:58:31.239Z
Valid Before: 2016-04-20T10:58:31.239Z
Attributes:
  Group: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe 
Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, 
ict\oDES-SG-SystemesDInformations]
  UPN: yves.m...@ict-toulouse.fr
  Email: yves.m...@ict-toulouse.fr
  surname: MOYA
  givenname: Yves
>
2016-04-20 11:58:31,128 DEBUG 
[net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredential]
 - <.isValid: credential is valid.>

Then I'm redirected back to 
https://srv-jasig01.ict-toulouse.fr:8443/cas/login

That shows me a blank page. The source code of this page is:
<html><head><title>Opération en cours...</title></head><body><form 
method="POST" name="hiddenform" 
action="https://srv-jasig01.ict-toulouse.fr:8443/cas/login";>
<input type="hidden" name="wa" value="wsignin1.0" /><input type="hidden" 
name="wresult" value="&lt;t:RequestSecurityTokenResponse 
xmlns:t=&quot;http://schemas.xmlsoap.org/ws/2005/02/trust&quot;>&lt;t:Lifetime>&lt;wsu:Created
 
xmlns:wsu=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot;>2016-04-20T10:02:08.672Z&lt;/wsu:Created>&lt;wsu:Expires
 
xmlns:wsu=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot;>2016-04-20T11:02:08.672Z&lt;/wsu:Expires>&lt;/t:Lifetime>&lt;wsp:AppliesTo
 
xmlns:wsp=&quot;http://schemas.xmlsoap.org/ws/2004/09/policy&quot;>&lt;wsa:EndpointReference
 
xmlns:wsa=&quot;http://www.w3.org/2005/08/addressing&quot;>&lt;wsa:Address>urn:federation:cas&lt;/wsa:Address>&lt;/wsa:EndpointReference>&lt;/wsp:AppliesTo>&lt;t:RequestedSecurityToken>&lt;saml:Assertion
 MajorVersion=&quot;1&quot; MinorVersion=&quot;1&quot; 
AssertionID=&quot;_97282ee8-e8af-4e1d-a809-d050b0f34c5c&quot; 
Issuer=&quot;http://adfs.ict-toulouse.fr/adfs/services/trust&quot; 
IssueInstant=&quot;2016-04-20T10:02:08.682Z&quot; 
xmlns:saml=&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;>&lt;saml:Conditions
 NotBefore=&quot;2016-04-20T10:02:08.672Z&quot; 
NotOnOrAfter=&quot;2016-04-20T11:02:08.672Z&quot;>&lt;saml:AudienceRestrictionCondition>&lt;saml:Audience>urn:federation:cas&lt;/saml:Audience>&lt;/saml:AudienceRestrictionCondition>&lt;/saml:Conditions>&lt;saml:AttributeStatement>&lt;saml:Subject>&lt;saml:SubjectConfirmation>&lt;saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer&lt;/saml:ConfirmationMethod>&lt;/saml:SubjectConfirmation>&lt;/saml:Subject>&lt;saml:Attribute
 AttributeName=&quot;UPN&quot; 
AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>yves.m...@ict-toulouse.fr&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute
 AttributeName=&quot;surname&quot; 
AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>MOYA&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute
 AttributeName=&quot;givenname&quot; 
AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>Yves&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute
 AttributeName=&quot;Group&quot; 
AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>ict\oSecretariats&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\Utilisa.
 du 
domaine&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\oDES-SG&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\Groupe
 Projet Aurion&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\Utilisateurs 
Info&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\oAdministratif&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\Utilisateurs
 
ICT&lt;/saml:AttributeValue>&lt;saml:AttributeValue>ict\oDES-SG-SystemesDInformations&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute
 AttributeName=&quot;Email&quot; 
AttributeNamespace=&quot;urn:federation:cas&quot;>&lt;saml:AttributeValue>yves.m...@ict-toulouse.fr&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;/saml:AttributeStatement>&lt;saml:AuthenticationStatement
 
AuthenticationMethod=&quot;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport&quot;
 
AuthenticationInstant=&quot;2016-04-20T09:58:31.205Z&quot;>&lt;saml:Subject>&lt;saml:SubjectConfirmation>&lt;saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer&lt;/saml:ConfirmationMethod>&lt;/saml:SubjectConfirmation>&lt;/saml:Subject>&lt;/saml:AuthenticationStatement>&lt;ds:Signature
 
xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;>&lt;ds:SignedInfo>&lt;ds:CanonicalizationMethod
 Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot; 
/>&lt;ds:SignatureMethod 
Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot; 
/>&lt;ds:Reference 
URI=&quot;#_97282ee8-e8af-4e1d-a809-d050b0f34c5c&quot;>&lt;ds:Transforms>&lt;ds:Transform
 Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#enveloped-signature&quot; 
/>&lt;ds:Transform 
Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot; 
/>&lt;/ds:Transforms>&lt;ds:DigestMethod 
Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot; 
/>&lt;ds:DigestValue>FM+gP64NCIMiXtXR/Dc0ayjfA2c=&lt;/ds:DigestValue>&lt;/ds:Reference>&lt;/ds:SignedInfo>&lt;ds:SignatureValue>VhHMXjliT/69Sbx8XvkQxx8s1oTsWd1wVUsqbBBNROGZnkt7lKsZDV/XM8Kmdgt9mIWOZnStauRCwzevxKKzDr0HRBp4YkSDjA1A5i4F5neqQR+amztCac93yZyF1G22wGeyr2YZgSVUNYikhppQlkR1kjeg12AStzTURkDK4bzChbABeDW01KDMDx+CP0Cz9+m542bUxIblnauH8K8tQs4C2yznT6v8BU1nbDh/sO0S3NiDdwHwBF2txHLZ+08j5KZcpeBV8CUUUkm37APvTzKz7rxwpBErd8x7Osju6sJT92wSGxs3uqMHfpwhJftZNpCLC9VuHS4s3VtAz/Bfxg==&lt;/ds:SignatureValue>&lt;KeyInfo
 
xmlns=&quot;http://www.w3.org/2000/09/xmldsig#&quot;>&lt;X509Data>&lt;X509Certificate>MIIC5DCCAcygAwIBAgIQX/hzgUzQraZAdHY06sGvdDANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNBREZTIFNpZ25pbmcgLSBhZGZzLmljdC10b3Vsb3VzZS5mcjAeFw0xNjAzMDkxMDE1MTBaFw0xNzAzMDkxMDE1MTBaMC4xLDAqBgNVBAMTI0FERlMgU2lnbmluZyAtIGFkZnMuaWN0LXRvdWxvdXNlLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ucaOaY0fD0YKHqLtKecU/AYHMgiyXWngaEWx+soBfjI8eqICCCg0f9P/PrtN5OFC8p7cmb0T/cYlow7gBZEwfEF6V5Hc4P7OFM0UOMuFm51a2fiDDY3NmYasrfn/3cvvH/DjVrxwFmgiteNCf6motCiHRbpfE4bZo4b/szct3x8ftICjkDYVzUxauOy6xrCarHNzq907fFM8bwqLqGJ338WzX1dMwSzQSwzO1m4h3cwNmNv6dbLdJg0BDZnLROg8BxqRBdcn2ZT143SLRar5Bt0eWOmM4g0hqQLcBsf7rHOgr8u84lJ85GSLoe9jUqp5JFu4N/dMbYEcsvFVuBfpwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAfDl/biqaMedwhrazYrEmvtA+eWFaIGNGkl4dUT3Zrx6KrGsXANXuSm9ZrqX4TcrGLH3Z1wiFypC7128IXXwHOAAs2RluO8ojMGIFvAr6dF43sIYLwV6Yhg8dr//MPn4ZcFr1xr3BAOIWpGTYsr/yaQ/HtCWtv1oQTBdgfQxVWqj8lhja4jhFT1hKpUa78ml2w+Dif440j5We58/5yIODru1PxzMNGiIme3wvuccvuQY7G0JL1Iab3j/A32903OcKHM1ca9fBCbUG2nuPRIXdOmPcypyFkbQXP/Embfg9o+LC3xz82e/USf/fExa+jl3rocNataeTD9Dexv3ITnW3p&lt;/X509Certificate>&lt;/X509Data>&lt;/KeyInfo>&lt;/ds:Signature>&lt;/saml:Assertion>&lt;/t:RequestedSecurityToken>&lt;t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion&lt;/t:TokenType>&lt;t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue&lt;/t:RequestType>&lt;t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey&lt;/t:KeyType>&lt;/t:RequestSecurityTokenResponse>"
 /><noscript><p>Le script est désactivé. Cliquez sur Envoyer pour 
continuer.</p><input type="submit" value="Envoyer" /></noscript></form><script 
language="javascript">window.setTimeout('document.forms[0].submit()', 
0);</script></body></html>

Then in the log file I have:


2016-04-20 11:58:31,129 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
<WsFederationAuthenticationHandler successfully authenticated ID: 
_d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
Issuer: http://adfs.ict-toulouse.fr/adfs/services/trust
Audience: urn:federation:cas
Audience Method: 
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Issued On: 2016-04-20T09:58:31.246Z
Valid After: 2016-04-20T09:58:31.239Z
Valid Before: 2016-04-20T10:58:31.239Z
Attributes:
  UPN: yves.moya
  Email: yves.m...@ict-toulouse.fr
  FirstName: Yves
  Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe 
Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, 
ict\oDES-SG-SystemesDInformations]
  LastName: MOYA
>
2016-04-20 11:58:31,129 DEBUG 
[net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver]
 - <Attempting to resolve a principal...>
2016-04-20 11:58:31,129 ERROR 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
<net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver@509cf131
 failed to resolve principal from ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
Issuer: http://adfs.ict-toulouse.fr/adfs/services/trust
Audience: urn:federation:cas
Audience Method: 
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Issued On: 2016-04-20T09:58:31.246Z
Valid After: 2016-04-20T09:58:31.239Z
Valid Before: 2016-04-20T10:58:31.239Z
Attributes:
  UPN: yves.moya
  Email: yves.m...@ict-toulouse.fr
  FirstName: Yves
  Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe 
Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, 
ict\oDES-SG-SystemesDInformations]
  LastName: MOYA
>
java.lang.NullPointerException
        at 
net.unicon.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver.extractPrincipalId(WsFederationCredentialsToPrincipalResolver.java:49)
[truncated]
2016-04-20 11:58:31,130 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [ID: _d9fdfc33-6787-4bd9-8b4f-eb7b5c25d704
Issuer: http://adfs.ict-toulouse.fr/adfs/services/trust
Audience: urn:federation:cas
Audience Method: 
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Issued On: 2016-04-20T09:58:31.246Z
Valid After: 2016-04-20T09:58:31.239Z
Valid Before: 2016-04-20T10:58:31.239Z
Attributes:
  UPN: yves.moya
  Email: yves.m...@ict-toulouse.fr
  FirstName: Yves
  Groups: [ict\oSecretariats, ict\Utilisa. du domaine, ict\oDES-SG, ict\Groupe 
Projet Aurion, ict\Utilisateurs Info, ict\oAdministratif, ict\Utilisateurs ICT, 
ict\oDES-SG-SystemesDInformations]
  LastName: MOYA
]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Wed Apr 20 11:58:31 CEST 2016
CLIENT IP ADDRESS: 172.21.10.106
SERVER IP ADDRESS: 192.168.254.113
=============================================================
>
2016-04-20 11:58:31,138 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: No resolver produced a principal.
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Wed Apr 20 11:58:31 CEST 2016
CLIENT IP ADDRESS: 172.21.10.106
SERVER IP ADDRESS: 192.168.254.113
=============================================================

>
2016-04-20 11:58:31,138 ERROR 
[net.unicon.cas.support.wsfederation.web.flow.WsFederationAction] - <No 
resolver produced a principal.>
org.jasig.cas.authentication.UnresolvedPrincipalException: No resolver produced 
a principal.
[truncated]
avr. 20, 2016 11:58:34 AM org.apache.catalina.startup.HostConfig checkResources
PRÉCIS: Checking context[/cas] redeploy resource 
/var/lib/tomcat8/webapps/cas.war

Can you help me solve this?

Best regards

Yves
-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f83f2ede-93bc-4a91-9d36-394b3825b5fa%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/28D14315-15E5-4903-BA38-E87EFAD532EE%40unicon.net.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
