As I go through the debug output looking for differences, I've noticed that on
the initial session CAS does not send a SAML response to the
application.
The second session does send a SAML response.
Why would that be?

-- 
Erik Mallory
Server Analyst
Wichita State University

On Wed, 2020-07-01 at 21:43 +0000, 'Mallory, Erik' via CAS Community
wrote:
> 
> I discovered that if I open a second tab I can get logged into the
> Banner app just fine. Here's what I did:
> I browse to the application I am attempting to authenticate to. I get
> redirected to CAS, which redirects me to ADFS, where I enter my
> credentials and then get passed to CAS and then to the application. I
> get a "user/login denied invalid username/password" message from the
> application. I open a second browser tab and point it at the
> application and voilà, I'm in. It works.
> The only real difference I see in the logs is
> DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
> <Signaling flow to redirect to service
> [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check,
> originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check,
> artifactId=null, principal=f282c439, source=service,
> loggedOutAlready=false, format=XML, attributes={})] via event
> [redirect]>
> 
> DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
> <Signaling flow to redirect to service
> [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check,
> originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check,
> artifactId=null, principal=f282c439, source=TARGET,
> loggedOutAlready=false, format=XML, attributes={})] via event
> [redirect]>
> 
> Again, any help would be greatly appreciated.
> 
> --
> Erik Mallory
> Server Analyst
> Wichita State University
> 
> On Wed, 2020-07-01 at 20:25 +0000, 'Mallory, Erik' via CAS Community
> wrote:
> > 
> > Hello,
> > My institution would like to make CAS a client of ADFS. I started
> > working through the config and it mostly works EXCEPT for passing the
> > Banner UDC_IDENTIFIER to a Banner application.
> > Here is the relevant config for ADFS:
> > 
> > cas.authn.wsfed[0].identityProviderUrl=https://sts.wichita.edu/adfs/ls/
> > cas.authn.wsfed[0].identityProviderIdentifier=http://sts.wichita.edu/adfs/services/trust
> > cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev
> > #cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-dev.wichita.edu
> > cas.authn.wsfed[0].signingCertificateResources=file:/etc/cas/adfs/wsu-adfs-signing.crt
> > cas.authn.wsfed[0].identityAttribute=upn
> > cas.authn.wsfed[0].attributesType=BOTH
> > #cas.authn.wsfed[0].attributesType=WSFED
> > cas.authn.wsfed[0].tolerance=10000
> > cas.authn.wsfed[0].attributeResolverEnabled=true
> > cas.authn.wsfed[0].autoRedirect=true
> > cas.authn.wsfed[0].name=
> > cas.authn.wsfed[0].attributeMutatorScript.location=file:/etc/cas/adfs/mutator.groovy
> > cas.authn.wsfed[0].principal.principalAttribute=upn
> > cas.authn.wsfed[0].principal.returnNull=false
> > 
> > # Private/Public keypair used to decrypt assertions, if any.
> > cas.authn.wsfed[0].encryptionPrivateKey=file:/etc/cas/adfs/assertions-private.key
> > cas.authn.wsfed[0].encryptionCertificate=file:/etc/cas/adfs/assertions-certificate.crt
> > #cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE
> > 
> > Here is the Groovy script:
> > import org.apereo.cas.*
> > import java.util.*
> > import org.apereo.cas.authentication.*
> > 
> > // WS-Fed attribute mutator: args[0] is the attribute map built from the
> > // ADFS response, args[1] is the CAS logger.
> > def Map run(final Object... args) {
> >     def attributes = args[0]
> >     def logger = args[1]
> >     logger.warn("Mutating attributes {}", attributes)
> >     // Expose the upn under the UDC_IDENTIFIER name Banner expects, and keep upn.
> >     return [UDC_IDENTIFIER: attributes.upn, upn: attributes.upn]
> > }
> > 
> > The service is configured to use the principal as UDC_IDENTIFIER, and
> > this configuration works for "regular" CAS logins.
> > 
> > I noticed these differences in the CAS logs between "regular" CAS auth
> > and ADFS client auth.
> > 
> > ADFS:
> > 
> > DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] -
> > <Resolving candidate authentication event for service
> > [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check,
> > originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check,
> > artifactId=null, principal=null, source=service,
> > loggedOutAlready=false, format=XML, attributes={})] using
> > [DefaultMultifactorAuthenticationProviderWebflowEventResolver]>
> > 
> > reg cas...2020-07-01 14:16:12,807 DEBUG
> > [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
> > 
> > reg cas:
> > 
> > DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] -
> > <Located service response builder
> > [org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e]
> > for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check,
> > originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check,
> > artifactId=null, principal=f282c439, source=TARGET,
> > loggedOutAlready=false, format=XML, attributes={})]>
> > 
> > It looks like the principal is not making it to the Banner application
> > in the ADFS config.
> > Any help would be greatly appreciated.
> > 
> > --
> > Erik Mallory
> > Server Analyst
> > Wichita State University
> > 
> > --
> > - Website: https://apereo.github.io/cas
> > - Gitter Chatroom: https://gitter.im/apereo/cas
> > - List Guidelines: https://goo.gl/1VRrw7
> > - Contributions: https://goo.gl/mh7qDG
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to cas-user+unsubscr...@apereo.org.
> > To view this discussion on the web visit
> > https://groups.google.com/a/apereo.org/d/msgid/cas-user/c87084b75a940a6aa31e3c76fa1206c97133d645.camel%40wichita.edu
> > .
> 

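A small log-triage helper, added here as an example and not part of the thread: it parses the `AbstractWebApplicationService(...)` fields and the response-builder name out of CAS `RedirectToServiceAction` DEBUG lines and reports what differs between two sessions, which is the comparison the thread does by eye. The sample log lines are constructed to mirror the ones quoted above; the field values in them are assumptions, not the original logs.

```python
import re
from typing import Optional

# Constructed sample log lines, modelled on the CAS DEBUG output quoted in the
# thread (not the original logs): the first session signals the redirect with
# source=service and no SAML response builder, the second shows source=TARGET
# and a SamlServiceResponseBuilder.
FIRST_SESSION = """\
2020-07-01 14:16:12,807 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=service, loggedOutAlready=false, format=XML, attributes={})] via event [redirect]>
"""
SECOND_SESSION = """\
2020-07-01 14:20:01,112 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service response builder [org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder@71d2261e] for [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})]>
2020-07-01 14:20:01,113 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow to redirect to service [AbstractWebApplicationService(id=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, originalUrl=https://banxe-appdev.wichita.edu/applicationNavigator/j_spring_cas_security_check, artifactId=null, principal=f282c439, source=TARGET, loggedOutAlready=false, format=XML, attributes={})] via event [redirect]>
"""

SERVICE_RE = re.compile(r"AbstractWebApplicationService\((.*?)\)\]")
FIELD_RE = re.compile(r"(\w+)=([^,]*)")
BUILDER_RE = re.compile(r"Located service response builder \[([\w.$]+)@")

def parse_service(line: str) -> Optional[dict]:
    """Return the AbstractWebApplicationService(...) fields of one log line, or None."""
    m = SERVICE_RE.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in FIELD_RE.findall(m.group(1))}

def summarize_session(log_text: str) -> dict:
    """Reduce one session's RedirectToServiceAction lines to the facts worth comparing."""
    summary = {"principal": None, "source": None, "response_builder": None}
    for line in log_text.splitlines():
        if "RedirectToServiceAction" not in line:
            continue
        fields = parse_service(line)
        if fields:
            principal = fields.get("principal")
            summary["principal"] = None if principal == "null" else principal
            summary["source"] = fields.get("source")
        builder = BUILDER_RE.search(line)
        if builder:  # keep only the simple class name, e.g. SamlServiceResponseBuilder
            summary["response_builder"] = builder.group(1).rsplit(".", 1)[-1]
    return summary

def diff_sessions(first: str, second: str) -> dict:
    """Fields whose values differ between the two sessions, as (first, second) pairs."""
    a, b = summarize_session(first), summarize_session(second)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Calling `diff_sessions(FIRST_SESSION, SECOND_SESSION)` on the constructed samples reports `source` changing from `service` to `TARGET` and `response_builder` going from absent to `SamlServiceResponseBuilder`, the same two differences the thread points at.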
