On 11/08/2017 12:53 PM, David Curry wrote:
Scott,
Glad you're finding the documentation helpful. I've never used phpCAS
so I can't be much help with that (but it looks like others have
jumped in), but in regard to your dependencies question, the
cas-server-support-saml dependency adds support for SAML1.1-based
attribute release, so yes, you do need that to release attributes to
CAS-based clients.*
The cas-server-support-saml-idp dependency adds support to enable the
CAS server to also function as a SAML2 Identity Provider (like
Shibboleth, for example). You do not need that to perform attribute
release to CAS clients; you only need it if you have clients that want
to speak the SAML2 protocol instead of the CAS protocol.
--Dave
* Unless your CAS client is speaking v3.x of the CAS protocol, but
there aren't many (any?) of those.
Hi Dave and CAS gang,
Ok, that makes sense. I opted to forgo phpCAS testing and went ahead
with setting up an apache CAS client instead and it works as advertised.
The mapped SAML attributes are releasing correctly!
LDAP:
At this point in the test phase, cas.properties is using a privileged
LDAP account, otherwise attributes such as 'employeeNumber' would not
release.
cas.authn.ldap[0].bindDn=cn=admin,dc=simons-rock,dc=edu
cas.authn.ldap[0].bindCredential=xxxxxxxxxxxx
So this needs to change before going into production. Is there a way to
have CAS bind "as the user" who is trying to log in for LDAP
authentication? That way they are viewing their own credentials and can
release all their related attributes.
Or would the best practice be to create something like a
cn=cas,ou=serviceaccounts entry in LDAP and adjust permissions to
release privileged attributes?
Scott
On Wed, Nov 8, 2017 at 9:55 AM, Scott Gennari
<[email protected]> wrote:
Hi All,
We are in the process of testing a CAS 5.1.5 server instance
with the eventual goal of authentication with SSO Banner. The
project installation guide
<https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_authentication_overview.html>
kindly provided by David Curry has been a great help as I am new
to CAS. Many thanks to David for making this available.
This will be a low volume server used by a handful of staff
members so no need for multiple servers/load balancing or Duo. I
have completed the setup through 'Adding SAML support' and to most
extents for 'building the SAML client', although I'm not certain I
need this. At this point I thought we could use phpCAS to test for
SAML attribute release but I cannot get this to work and am
seeking your help.
The CAS server successfully authenticates against our LDAP
(openldap) service. There is a single wildcard JSON in the service
registry (/etc/cas/services) that catches all requests and
includes basic attribute releases sn,cn and employeeNumber
(remapped to UDC_IDENTIFIER).
/etc/cas/services/wildcard.json

    {
      /*
       * Wildcard service definition that applies to any https or imaps url.
       * Do not use this definition in a production environment.
       */
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^(https|http|imaps)://.*",
      "name" : "Service entry for Banner SSO",
      "id" : 20170828090137,

      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
        "allowedAttributes" : {
          "@class" : "java.util.TreeMap",
          "sn" : "sn",
          "cn" : "cn",
          "employeeNumber" : "UDC_IDENTIFIER"
        }
      },

      "evaluationOrder" : 6
    }
Dependencies in pom.xml (do I need saml-idp for phpCAS examples?)

    <dependencies>
      <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
      </dependency>
      <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml</artifactId>
        <version>${cas.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml-idp</artifactId>
        <version>${cas.version}</version>
      </dependency>
    </dependencies>

The goal is to successfully release these attributes via phpCAS
using example_advanced_saml11.php but it fails with
CAS Authentication failed!
You were not authenticated.
You may submit your request again by clicking here
<https://d2h157.sta-fac.simons-rock.edu/example_advanced_saml11.php>.
If the problem persists, you may contact the administrator of this
site <mailto:webmaster@localhost>.
------------------------------------------------------------------------
phpCAS 1.3.4 using server https://srcastic.simons-rock.edu:8443/cas/ (CAS S1)
In the CAS log all I see is the ticket was generated despite
phpCAS's authentication failure after a successful LDAP login.
    2017-11-08 09:48:04,773 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
    =============================================================
    WHO: audit:unknown
    WHAT: [event=success,timestamp=Wed Nov 08 09:48:04 EST 2017,source=InitialAuthenticationAttemptWebflowEventResolver]
    ACTION: AUTHENTICATION_EVENT_TRIGGERED
    APPLICATION: CAS
    WHEN: Wed Nov 08 09:48:04 EST 2017
    CLIENT IP ADDRESS: 10.30.2.157
    SERVER IP ADDRESS: 192.168.2.105
    =============================================================

    >
    2017-11-08 09:48:04,784 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
    =============================================================
    WHO: sgennari
    WHAT: ST-10-Krnl7ST1bj2wyKFNuMTn-srcastic for http://localhost/example_advanced_saml11.php
    ACTION: SERVICE_TICKET_CREATED
    APPLICATION: CAS
    WHEN: Wed Nov 08 09:48:04 EST 2017
    CLIENT IP ADDRESS: 10.30.2.157
    SERVER IP ADDRESS: 192.168.2.105
    =============================================================

The script example_simple.php is successful. It redirects to cas
login, authenticates with LDAP and returns user ID.
    Successful Authentication!

    Current script
    example_simple.php
    session_name():
    session_for:example_simple_php
    session_id():
    ST-8-dKPGD2LytcWA2lQ1wtAu-srcastic

    the user's login is sgennari.

    phpCAS version is 1.3.4.

    Logout <http://localhost/example_simple.php?logout=>

Any assistance or advice would be greatly appreciated.
Thank you,
Scott Gennari
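As an added example (not part of the thread), the wildcard.json quoted above run through a small Python checker: it mimics the ReturnMappedAttributeReleasePolicy mapping to show exactly which attributes reach a client, and flags the serviceId regex that the definition's own comment says not to use in production. WILDCARD_JSON and SAMPLE_PRINCIPAL are constructed copies/values, and Python's re.search stands in for CAS's Java-side regex matching.

```python
import json
import re

# Constructed copy of the wildcard.json quoted in the thread, with the
# comment block stripped so that Python's strict json module can parse it.
WILDCARD_JSON = """
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http|imaps)://.*",
  "name" : "Service entry for Banner SSO",
  "id" : 20170828090137,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "employeeNumber" : "UDC_IDENTIFIER"
    }
  },
  "evaluationOrder" : 6
}
"""

# Constructed principal, as CAS would hold it after a successful LDAP login.
SAMPLE_PRINCIPAL = {"sn": "Doe", "cn": "Jane Doe",
                    "employeeNumber": "000123", "mail": "jdoe@example.edu"}

def load_service(text):
    return json.loads(text)

def released_attributes(service, principal_attrs):
    """Mimic ReturnMappedAttributeReleasePolicy: only the listed source
    attributes are released, under their mapped names; anything else the
    principal carries (here: mail) is withheld."""
    allowed = service["attributeReleasePolicy"]["allowedAttributes"]
    return {mapped: principal_attrs[src]
            for src, mapped in allowed.items()
            if src != "@class" and src in principal_attrs}

def lint_service(service, probe_urls):
    """Return the probe URLs the serviceId accepts, plus review findings."""
    pattern = re.compile(service["serviceId"])
    matched = [u for u in probe_urls if pattern.search(u)]
    findings = []
    if any(u.startswith("http://") for u in matched):
        findings.append("serviceId accepts plain http:// services")
    if pattern.search("https://unregistered.example/"):
        findings.append("serviceId accepts any https host")
    return matched, findings
```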
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f76ed465-32bc-e064-ba80-b044081c1f53%40simons-rock.edu.