This isn't so helpful, but I once tried to get a CAS5 to speak SAML2 with an SP but delegate the auth to older existing CAS server. I ended up giving up on delegation, because I could never get it to finish the SAML2 conversation. It would come back from the delegated authentication, forget that it was in the middle of a SAML conversation and try to finish with the SP speaking CAS. ________________________________________ From: 'Mallory, Erik' via CAS Community [[email protected]] Sent: Thursday, July 23, 2020 9:12 AM To: [email protected] Subject: Re: [cas-user] CAS 6.1.7 ADFS Client Banner Applications
CAUTION: THIS EMAIL ORIGINATED FROM OUTSIDE OF ORU So basically, what happens here is CAS "forgets" to speak SAML back to the Banner Application. When the conversation is between the CAS server and the banner app all is well. When the CAS server communicates to the Banner app, the banner app does not receive SAML data. So how would one configure CAS to send SAML data in addition to responding to a saml request? Really I'm at a dead end here. -- Erik Mallory Server Analyst Wichita State University On Fri, 2020-07-17 at 20:22 +0000, 'Mallory, Erik' via CAS Community wrote: > CAUTION: This email originated from outside of Wichita State > University. Do not click links or open attachments unless you > recognize the sender and know the content is safe. > > > So I've increased the logging for the Banner Application I'm trying > to > get configured. the Banner application uses SAML 1.1 to communicate. > CAS hands off the authentication to ADFS and then back to CAS which > then sends the user back to the Banner Application. CAS is not > sending > a SAML response at that time. > > If you open a second tab, and navigate to the application, it sends > you > to cas, you're authenticated, so cas sends you back with a SAML > response and you are able to log in. > I've attached the application logs if anyone is interested. > > -- > Erik Mallory > Server Analyst > Wichita State University > > On Fri, 2020-07-17 at 16:29 +0000, 'Mallory, Erik' via CAS Community > wrote: > > CAUTION: This email originated from outside of Wichita State > > University. Do not click links or open attachments unless you > > recognize the sender and know the content is safe. > > > > > > Thanks! > > I'm working with Elluician now. It's strange to me that it works > > with > > just CAS but then does not work when CAS is configured as an ADFS > > client. It's as if CAS is not speaking SAML for that initial log in > > but > > it is speaking SAML for subsequent logins. > > > > -- > > Erik Mallory > > Server Analyst > > Wichita State University > > > > On Thu, 2020-07-16 at 22:29 +0000, Ray Bon wrote: > > > CAUTION: This email originated from outside of Wichita State > > > University. Do not click links or open attachments unless you > > > recognize the sender and know the content is safe. > > > > > > Erik, > > > > > > Our Banner setup uses SAML 1.1. During the log in request it is > > > /cas/login?TARGET=blah/banner/applicationnavigator > > > 'service' is used for CAS protocol. Check your banner setup. > > > > > > Ray > > > > > > On Thu, 2020-07-16 at 21:07 +0000, 'Mallory, Erik' via CAS > > > Community > > > wrote: > > > > Hello I think I've narrowed the problem and I *think* it's on > > > > the > > > > application side... but... is there any way to control the > > > > source > > > > parameter that we see below in the logs. If I could configure > > > > cas > > > > to > > > > always send source=TARGET I think this configuration would work > > > > for > > > > the > > > > banner apps. > > > > > > > > Log from inital login which produces "Invalid login/access > > > > denied" > > > > <Built response > > > > [ > > > > org.apereo.cas.authentication.principal.DefaultResponse@323ac4df > > > > ] > > > > for > > > > [AbstractWebApplicationService(id= > > > > > > > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,_wHiMvng_umeKmvsxV0b3328jsb34qW0q1W_weUee4fnXxJyrgejj3nMZTCgps9Vt_en1k2fBbpiw_X_To8y-7dMXLV7PhL2sBiPpC_tmZaRF5RGxQ,,&typo=1 > > > > > > > > , originalUrl= > > > > > > > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,pSSItGy53_1U4UzaUTeJ2dUbepUjbyD_A1pSR_B-ybTfXXguJqBQLTdme0d6NPSlArjfSpGnSypiX7rXwNvrGnF0ycXR2HdM-56f6svEonBW4sICUDNu4QHEG04,&typo=1 > > > > > > > > , artifactId=null, principal=f282c439, source=service, > > > > loggedOutAlready=false, format=XML, attributes={})]> > > > > ^^ Invalid login access denied. > > > > > > > > Log from the an established CAS/ADFS session gaining access to > > > > the > > > > application > > > > > > > > <Located service [AbstractWebApplicationService(id= > > > > > > > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,APvz6WmNsFgbhbr4vXVyxmbsWNHMA1X7mU6bw9e1XYzKl93VLJxY1i45LGbLAHgnPsRtn5VmCzKDGajGaFenI6XNvaYZKmMhedHMdJkm3SFl&typo=1 > > > > > > > > , originalUrl= > > > > > > > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fbanxe-appdev.wichita.edu%2fapplicationNavigator%2fj_spring_cas_security_check&c=E,1,_4qKWJwqdJ7oJ72ItZL7A-4Qplk9cKai0qJIIIusfQN1EsFomVeRNZm2IGj3zehAWf0rr_BzdB9UGsho5KgCdgKC-tVc6RZZZFJOFxRhUg,,&typo=1 > > > > > > > > , artifactId=null, principal=f282c439, source=TARGET, > > > > loggedOutAlready=false, format=XML, attributes={})] from the > > > > context> > > > > ^^ works > > > > > > > > In the applications there is a groovy file with a parameter > > > > > > > > serviceParameter = 'TARGET' > > > > > > > > I tried changing it to 'service' but had no luck. > > > > -- > > > > Erik Mallory > > > > Server Analyst > > > > Wichita State University > > > > > > > > > > -- > > > Ray Bon > > > Programmer Analyst > > > Development Services, University Systems > > > 2507218831 | CLE 019 | [email protected] > > > > > > I respectfully acknowledge that my place of work is located > > > within > > > the ancestral, traditional and unceded territory of the Songhees, > > > Esquimalt and WSÁNEĆ Nations. > > > > -- > > - Website: > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fapereo.github.io%2fcas&c=E,1,XtiU0obUEY-CpWh4morjDxtIU2crYjIkCtrgR3nC5-jKawEZTuRQtwNL5S0118XSjQIEHSwL9rhWKUZxecBi7Xe6xLsArJdvROX_KUKucXMrnGCawawc8vNb&typo=1 > > - Gitter Chatroom: > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgitter.im%2fapereo%2fcas&c=E,1,Uzqdg7zYOi9bv8c7mJCFt5mEJFwR8ZCyqSbODDTxCDQ5yLFvAMO822RGkD05qpxNOmicsTDVlxN4YHU8P61X70b15hdDYtETi1n4gvf79RqLzWpYNC1mocQ,&typo=1 > > - List Guidelines: > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgoo.gl%2f1VRrw7&c=E,1,8080D7uKkJO3gejp8tzq_AVosGmXij9hwKxXm0xiFiaIvdZmI75eattfvyr6_hNWbIgnQ2RCVckXqePtw2vg-7HgbfZ0xiZjvhLEGVxcMdiggF4,&typo=1 > > - Contributions: > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgoo.gl%2fmh7qDG&c=E,1,RAQZ8ppXp6hLS62P8rLyX3Zvx0AQAjS-B6TFdMp75_h3vZKn1COEMvvIFZtYi0fpbZSBimG1-htQuaI6r6pNea2bEGj96FB35I9gOgtF-JmYgjy-hfZ0EmY,&typo=1 > > --- > > You received this message because you are subscribed to the Google > > Groups "CAS Community" group. > > To unsubscribe from this group and stop receiving emails from it, > > send an email to [email protected]. > > To view this discussion on the web visit > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgroups.google.com%2fa%2fapereo.org%2fd%2fmsgid%2fcas-user%2f6f456a2cc561e9552639d6e94a0b2956c51dcd2c.camel%40wichita.edu&c=E,1,uaksXkzgNuylj7T0tAPe39H32cUBc2bmx1cMTqUudAAW4b3v6y49HLOQuek7keqGsLkaNRtt1X6kEqbhyPteo18b7q7AyFgnAki9tBbJ82LnpB__&typo=1 > > . > > -- > - Website: > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fapereo.github.io%2fcas&c=E,1,_YwJPrOE2Fsol9b5tn0NQbw4XjxgBKmbPRJfVzh_7c1Uqv0Yt8Vlhd0w1q02oyq-o8iG4pAzZkl-D7IlifZ1_-x01xdeLBxzjEwD3CgYXYIe2FE,&typo=1 > - Gitter Chatroom: > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgitter.im%2fapereo%2fcas&c=E,1,luEDtZk1pRh3kzQOq9RfMudmg0SC569XkV2eXnM45xu7_g0G62TiB2Ui-oA9lrJ-cT093CQQbza0AX4M7DIods3zuWFgT0ckArqziEpbsq7HDG-bpA,,&typo=1 > - List Guidelines: > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgoo.gl%2f1VRrw7&c=E,1,Qi3TJNhyWlZk4w6rRKqu_ukpdQriq3uUZ9Lo7EgMhdRVIoPegMCvnmgZp11KCawvIGgZsxOHRQVCSHGQqVe76BuoTm8e-kV859Z41Gx1WQ5XWQqRspMo3Q,,&typo=1 > - Contributions: > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgoo.gl%2fmh7qDG&c=E,1,tg5BX5rg74VSCz4iH-XGCUwpR07JohbP-ug0FMxlRnBM0NIoTrfPko3jQk9cNM9hMZ9No2SM3ElyxCgZo1b_ponOL3eb9rHcnRIcZ9ADAqvenZlz1FHg_UZKVJEw&typo=1 > --- > You received this message because you are subscribed to the Google > Groups "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, > send an email to [email protected]. > To view this discussion on the web visit > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgroups.google.com%2fa%2fapereo.org%2fd%2fmsgid%2fcas-user%2fdf7f6d4d48cfe420812672b7aa399234d145f24a.camel%40wichita.edu&c=E,1,_wxJmHmThBxDlhC-qYV0txwvEr8k6wXF9ITyZwrXikAjlSUdnSVMnuGduzmyAZgD_qt7DdC8w4Cqkm6S3cN2KDoMzWoCJH2uvXxYdmUmwg,,&typo=1 > . -- - Website: https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fapereo.github.io%2fcas&c=E,1,t46UGb0W3tIsoZFvXgrDPq9KKwj0N8G4b_TcoZwqwuxwq_m6-LSfIYAHfxJwcrQoQSM0o6o21rw0ME1Ab5KGPIOv6Lec25l0TlDxysF7NA,,&typo=1 - Gitter Chatroom: https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgitter.im%2fapereo%2fcas&c=E,1,ZaMpQttlbxUrIqZXZhUXpDjfn4jxkFsrupuh8t0d7Xd8bP_UZ08c51k-8WsVkPxniNIx0V3Y29IdS8M2jldDt5gIJE7L92A_ZVNi8cQuFk_iuhj7krsw&typo=1 - List Guidelines: https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgoo.gl%2f1VRrw7&c=E,1,5Jq3gAOeEzGaVTKNi4wyt_2oCoC3-MKyrnWFpBr7zdQWIyJdw4m-_qS1Zy8uaL7-xyiAQzirzeLF39jaEjBSsY7TUc7ovu2VROtpt7XiAF5lMSNdIYRMg_a82hOE&typo=1 - Contributions: https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgoo.gl%2fmh7qDG&c=E,1,i2HZ1RYYlUOlgnmePut9c6GCSi81UKvP45elDrnj1gSvVb5qWF4sW-KtHUxgHdNGOMMBwbPzsmxxk92T1ZIs-q9gopRBTqpxWoPI9l6KE28,&typo=1 --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgroups.google.com%2fa%2fapereo.org%2fd%2fmsgid%2fcas-user%2f1fb61eebfc9965f0d7d0f4c5062c9e4bf9b7b86b.camel%40wichita.edu.&c=E,1,qsvfGDsKoMwG3NKiOJt3s2vU1igdrRnmJYVQmwu60GrvZyjkkqqv7eTkqGTN4qSsexjijvBVfw76wX2LFm1a3bRTA4qyNfv--IBmo9dLesEKTOjw8yPNIFI,&typo=1 -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0A9BC9099B13904AA1708A7F1B6C840401556D941C%40Ntsrv75.int.oru.edu.
