Hello,

My institution would like to make CAS a client of ADFS. I started working through the config and it mostly works EXCEPT for passing the Banner UDC_IDENTIFIER to a Banner application. Here is the relevant config for ADFS:
cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
#cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
cas.authn.wsfed[0].identityAttribute=upn
cas.authn.wsfed[0].attributesType=BOTH
#cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].tolerance=10000
cas.authn.wsfed[0].attributeResolverEnabled=true
cas.authn.wsfed[0].autoRedirect=true
cas.authn.wsfed[0].name=
cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
cas.authn.wsfed[0].principal.principalAttribute=upn
cas.authn.wsfed[0].principal.returnNull=false
# Private/Public keypair used to decrypt assertions, if any.
cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
#cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE

Here is the Groovy script:

import org.apereo.cas.*
import java.util.*
import org.apereo.cas.authentication.*

// CAS invokes run() with the WS-Federation attribute map as args[0]
// and a logger as args[1]; the returned map replaces the attributes.
def Map run(final Object... args) {
    def attributes = args[0]
    def logger = args[1]
    logger.warn("Mutating attributes {}", attributes)
    // Copy the upn claim into UDC_IDENTIFIER and keep upn itself.
    return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
}

The service is configured to use the principal as UDC_IDENTIFIER, and this configuration works for "regular" CAS logins. I noticed these differences in the CAS logs between "regular" CAS auth and ADFS client auth.
ADFS:

2:41 PM DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Resolving candidate authentication event for service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] using [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>

Regular CAS:

2020-07-01 14:16:12,807 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service response builder [org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e] for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})]>

It looks like the principal is not making it to the Banner application in the ADFS config. Any help would be greatly appreciated.

-- 
Erik Mallory
Server Analyst
Wichita State University

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c87084b75a940a6aa31e3c76fa1206c97133d645.camel%40wichita.edu.
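A more defensive version of the attribute mutator, added here as an illustration and not part of the original post or of the CAS project's own code. It keeps the same calling convention the post shows (attribute map in args[0], logger in args[1]) but preserves every incoming claim instead of replacing the map with two keys, tolerates the upn claim arriving under its full claim URI, as a scalar, or not at all, and always emits list-valued attributes. The claim-URI matching and the assumption that CAS expects list values are assumptions made for this example; it does not address why the principal is null in the ADFS flow above.

```groovy
import java.util.LinkedHashMap
import java.util.List
import java.util.Map

// Added example mutator (not the poster's script). Assumptions, labelled here:
//  - args[0] is the WS-Fed attribute map and args[1] a logger, as in the post;
//  - CAS expects each attribute value to be a List, so scalars are wrapped;
//  - the UPN may be delivered as "upn" or as a full claim URI ending in "/claims/upn".
def Map run(final Object... args) {
    def attributes = args[0] as Map
    def logger = args[1]

    // Locate the UPN claim regardless of how the relying-party trust named it.
    def upnKey = attributes.keySet().find { String k ->
        k.equalsIgnoreCase('upn') || k.toLowerCase().endsWith('/claims/upn')
    }
    if (upnKey == null) {
        // Nothing to map: return the map unchanged rather than an empty one,
        // so downstream principal resolution still sees the other claims.
        logger.warn("No upn claim present; attributes left unchanged: {}", attributes.keySet())
        return attributes
    }

    // Normalise the value to a list and drop null/blank entries.
    def rawUpn = attributes[upnKey]
    List upnValues = (rawUpn instanceof List) ? (rawUpn as List) : [rawUpn]
    upnValues = upnValues.findAll { it != null && it.toString().trim() }
    if (upnValues.isEmpty()) {
        logger.warn("upn claim present under key '{}' but empty; attributes left unchanged", upnKey)
        return attributes
    }

    // Copy everything through, then add the short-name upn and UDC_IDENTIFIER.
    def result = new LinkedHashMap(attributes)
    result['upn'] = upnValues
    result['UDC_IDENTIFIER'] = upnValues
    logger.debug("Mutated attribute keys: {}", result.keySet())
    return result
}
```

The script is dropped in place of the original at the path given by cas.authn.wsfed[0].attributeMutatorScript.location; CAS reloads the script when the file changes, so the extra warn-level lines show up in the same log as the DEBUG entries quoted in the post and make it obvious whether the mutator ever received a upn claim in the ADFS flow.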