On 11/08/2017 11:11 AM, Ray Bon wrote:
Scott,
In saml11 example, what is in the CAS log after ticket creation?
Ray
Hi Ray,
Thanks for responding. On the CAS server side, in /var/log/cas/cas.log
there is nothing other than
2017-11-08 09:48:04,773 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Wed Nov 08 09:48:04 EST 2017,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Nov 08 09:48:04 EST 2017
CLIENT IP ADDRESS: 10.30.2.157
SERVER IP ADDRESS: 192.168.2.105
=============================================================
>
2017-11-08 09:48:04,784 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: sgennari
WHAT: ST-10-Krnl7ST1bj2wyKFNuMTn-srcastic for http://localhost/example_advanced_saml11.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Nov 08 09:48:04 EST 2017
CLIENT IP ADDRESS: 10.30.2.157
SERVER IP ADDRESS: 192.168.2.105
=============================================================
>
but on the phpCAS side (requestor) in /tmp/phpCAS.log there is:
AF9B .| | | | | => CAS_Client::getURL()
[AuthenticationException.php:76]
AF9B .| | | | | <=
'https://d2h157.sta-fac.simons-rock.edu/example_advanced_saml11.php'
AF9B .| | | | | CAS URL:
https://srcastic.simons-rock.edu:8443/cas/samlValidate?TARGET=https%3A%2F%2Fd2h157.sta-fac.simons-rock.edu%2Fexample_advanced_saml11.php
[AuthenticationException.php:79]
AF9B .| | | | | Authentication failure: SA not validated
[AuthenticationException.php:80]
AF9B .| | | | | Reason: bad response from the CAS server
[AuthenticationException.php:85]
AF9B .| | | | | CAS response: <!doctype html><html
lang="en"><head><title>HTTP Status 406 – Not Acceptable</title><style
type="text/css">h1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
h2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
h3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
body
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
b
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
p
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
a {color:black;} a.name {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 406 – Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status
Report</p><p><b>Description</b> The target resource does not have a
current representation that would be acceptable to the user agent,
according to the proactive negotiation header fields received in the
request, and the server is unwilling to supply a default
representation.</p><hr class="line" /><h3>Apache
Tomcat/8.5.23</h3></body></html> [AuthenticationException.php:101]
Thanks,
Scott
On Wed, 2017-11-08 at 09:55 -0500, Scott Gennari wrote:
Hi All,
We are in the process of testing a CAS 5.1.5 server instance with
the eventual goal of authentication with SSO Banner. The project
installation guide
<https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_authentication_overview.html>
kindly provided by David Curry has been a great help as I am new to
CAS. Many thanks to David for making this available.
This will be a low volume server used by a handful of staff members
so no need for multiple servers/load balancing or Duo. I have
completed the setup through 'Adding SAML support' and to most extents
for 'building the SAML client', although I'm not certain I need
this. At this point I thought we could use phpCAS to test for SAML
attribute release but I cannot get this to work and am seeking your help.
The CAS server successfully authenticates against our LDAP (openldap)
service. There is a single wildcard JSON in the service registry
(/etc/cas/services) that catches all requests and includes basic
attribute releases sn, cn and employeeNumber (remapped to UDC_IDENTIFIER).
/etc/cas/services/wildcard.json

  {
    /*
     * Wildcard service definition that applies to any https or imaps url.
     * Do not use this definition in a production environment.
     */
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "^(https|http|imaps)://.*",
    "name" : "Service entry for Banner SSO",
    "id" : 20170828090137,

    "attributeReleasePolicy" : {
      "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
      "allowedAttributes" : {
        "@class" : "java.util.TreeMap",
        "sn" : "sn",
        "cn" : "cn",
        "employeeNumber" : "UDC_IDENTIFIER"
      }
    },

    "evaluationOrder" : 6
  }

Dependencies in pom.xml (do I need saml-idp for phpCAS examples?)

  <dependencies>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-webapp${app.server}</artifactId>
      <version>${cas.version}</version>
      <type>war</type>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-json-service-registry</artifactId>
      <version>${cas.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>${cas.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-saml</artifactId>
      <version>${cas.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-saml-idp</artifactId>
      <version>${cas.version}</version>
    </dependency>
  </dependencies>

The goal is to successfully release these attributes via phpCAS using
example_advanced_saml11.php but it fails with
CAS Authentication failed!
You were not authenticated.
You may submit your request again by clicking here
<https://d2h157.sta-fac.simons-rock.edu/example_advanced_saml11.php>.
If the problem persists, you may contact the administrator of this
site <mailto:webmaster@localhost>.
------------------------------------------------------------------------
phpCAS 1.3.4 using server https://srcastic.simons-rock.edu:8443/cas/ (CAS S1)
In the CAS log all I see is the ticket was generated despite phpCAS's
authentication failure after a successful LDAP login.
2017-11-08 09:48:04,773 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Wed Nov 08 09:48:04 EST 2017,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Nov 08 09:48:04 EST 2017
CLIENT IP ADDRESS: 10.30.2.157
SERVER IP ADDRESS: 192.168.2.105
=============================================================
>
2017-11-08 09:48:04,784 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: sgennari
WHAT: ST-10-Krnl7ST1bj2wyKFNuMTn-srcastic for http://localhost/example_advanced_saml11.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Nov 08 09:48:04 EST 2017
CLIENT IP ADDRESS: 10.30.2.157
SERVER IP ADDRESS: 192.168.2.105
=============================================================
>
The script example_simple.php is successful. It redirects to cas
login, authenticates with LDAP and returns user ID.
Successfull Authentication!
Current script
example_simple.php
session_name():
session_for:example_simple_php
session_id():
ST-8-dKPGD2LytcWA2lQ1wtAu-srcastic
the user's login is sgennari.
phpCAS version is 1.3.4.
Logout <http://localhost/example_simple.php?logout=>

Any assistance or advice would be greatly appreciated.
Thank you,
Scott Gennari
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1510157468.1757.64.camel%40uvic.ca
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/1510157468.1757.64.camel%40uvic.ca?utm_medium=email&utm_source=footer>.
--
Scott Gennari
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA 01230
(413) 644-4286 (voice)
(413) 528-7405 (fax)
[email protected]
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e0554e56-7bde-269c-f0d0-fe49f8621a69%40simons-rock.edu.
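Added example, not from the thread and not phpCAS or CAS code: the /samlValidate exchange that example_advanced_saml11.php performs, written out in Python with the reply checked strictly. The request envelope follows section 2.7 of the CAS protocol (a samlp:Request carrying the service ticket as an AssertionArtifact, POSTed to samlValidate?TARGET=<service>). The parser refuses a body that is not XML, quoting its first bytes (the Tomcat HTML 406 page logged above would be reported that way instead of as a bare "bad response"), a SAML status other than Success, an assertion outside its NotBefore/NotOnOrAfter window, and an Audience that does not match the service the client is validating for. That last check is worth keeping in mind when reading the audit records above: the ticket is issued for http://localhost/example_advanced_saml11.php while phpCAS validates with TARGET=https://d2h157.sta-fac.simons-rock.edu/example_advanced_saml11.php, whatever the cause of the 406 turns out to be. The HTTP header set, the service URL and both sample responses are constructed assumptions.

```python
"""
CAS /samlValidate (SAML 1.1) client pieces: build the SOAP request a client such as
phpCAS POSTs, and check the reply strictly, so a non-SAML body (for example Tomcat's
HTML "406 Not Acceptable" page) is reported with its first bytes instead of being
collapsed into "not authenticated". Header set, service URL and samples are assumptions.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


class SamlValidationError(Exception):
    """Anything other than a well-formed, successful, in-scope assertion."""


def build_saml_validate_request(ticket, issue_instant):
    """(headers, body) for POST <cas>/samlValidate?TARGET=<service>; CAS protocol 2.7."""
    body = (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="{soap}"><SOAP-ENV:Header/><SOAP-ENV:Body>'
        '<samlp:Request xmlns:samlp="{samlp}" MajorVersion="1" MinorVersion="1" '
        'RequestID="{rid}" IssueInstant="{when}">'
        "<samlp:AssertionArtifact>{st}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    ).format(soap=SOAP_NS, samlp=SAMLP_NS, rid="_" + uuid.uuid4().hex,
             when=issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
             st=escape(ticket))  # the ticket lands inside XML text, so escape it
    # Assumed SOAP 1.1 header set; not copied from phpCAS.
    headers = {"Content-Type": "text/xml; charset=utf-8", "Accept": "text/xml",
               "SOAPAction": '""'}
    return headers, body.encode("utf-8")


def _iso(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_saml_validate_response(body, expected_audience, now):
    """Return {"user": ..., "attributes": {name: [values]}} or raise SamlValidationError."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        head = body[:40].decode("utf-8", "replace")
        raise SamlValidationError(f"not XML (starts with {head!r}): {exc}") from exc
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise SamlValidationError(f"unexpected root element {root.tag}")
    resp = root.find(f".//{{{SAMLP_NS}}}Response")
    if resp is None:
        raise SamlValidationError("SOAP body carries no samlp:Response")
    code = resp.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    value = code.get("Value", "") if code is not None else ""
    if not value.endswith(":Success"):
        raise SamlValidationError(f"CAS status {value or 'missing'}")
    assertion = resp.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise SamlValidationError("success status but no saml:Assertion")
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    if cond is not None:  # short validity window plus the audience the ticket was cut for
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _iso(nb)) or (na and now >= _iso(na)):
            raise SamlValidationError("assertion outside its validity window")
        audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
        if audiences and expected_audience not in audiences:
            raise SamlValidationError(f"audience {audiences} is not {expected_audience}")
    name = assertion.findtext(f".//{{{SAML_NS}}}NameIdentifier")
    if not name:
        raise SamlValidationError("assertion has no NameIdentifier")
    attrs = {}
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return {"user": name, "attributes": attrs}


def rejects(body, audience=None, now=None):
    """True if the reply is refused; exercises the failure paths offline."""
    try:
        parse_saml_validate_response(body, audience or SERVICE, now or NOW)
    except SamlValidationError:
        return True
    return False


# Constructed samples (not captured from the servers in the thread).
SERVICE = "https://sp.example.edu/example_advanced_saml11.php"
NOW = datetime(2017, 11, 8, 14, 48, 5, tzinfo=timezone.utc)
SAMPLE_406 = b'<!doctype html><html lang="en"><head><title>HTTP Status 406</title></head></html>'
SAMPLE_SUCCESS = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="{SAMLP_NS}" MajorVersion="1" MinorVersion="1"
 IssueInstant="2017-11-08T14:48:04Z" ResponseID="_r1" Recipient="{SERVICE}">
 <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
 <saml1:Assertion xmlns:saml1="{SAML_NS}" AssertionID="_a1" Issuer="cas.example.edu"
  IssueInstant="2017-11-08T14:48:04Z" MajorVersion="1" MinorVersion="1">
  <saml1:Conditions NotBefore="2017-11-08T14:48:04Z" NotOnOrAfter="2017-11-08T14:48:34Z">
   <saml1:AudienceRestrictionCondition><saml1:Audience>{SERVICE}</saml1:Audience>
   </saml1:AudienceRestrictionCondition></saml1:Conditions>
  <saml1:AttributeStatement>
   <saml1:Subject><saml1:NameIdentifier>sgennari</saml1:NameIdentifier></saml1:Subject>
   <saml1:Attribute AttributeName="cn"><saml1:AttributeValue>Example User</saml1:AttributeValue></saml1:Attribute>
   <saml1:Attribute AttributeName="UDC_IDENTIFIER"><saml1:AttributeValue>000123</saml1:AttributeValue></saml1:Attribute>
  </saml1:AttributeStatement>
 </saml1:Assertion>
</saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>""".encode("utf-8")
```

To use it against a live server, POST the (headers, body) pair from build_saml_validate_request to <cas>/samlValidate?TARGET=<url-encoded service> over TLS and hand the raw response bytes, the same service URL and the current UTC time to parse_saml_validate_response; the released attributes come back keyed by AttributeName, so a mapped attribute such as UDC_IDENTIFIER appears under its mapped name.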