Paul,
I, too, received that error message with SAML delegation. I did get OIDC
working.
It looks like the only build requirement is:
implementation
"org.apereo.cas:cas-server-support-pac4j-webflow:${casServerVersion}"
Ray
On Fri, 2021-01-08 at 15:58 +0000, Paul Chauvet wrote:
Notice: This message was sent from outside the University of Victoria email
system. Please be cautious with links and sensitive information.
Hi all,
I'm trying to setup a new CAS 6.2.6 environment to eventually replace our 5.3.x
environment. Unlike our current environment (where we do regular LDAP
authentication against on-prem Active Directory) - I wanted to setup delegated
authentication, pointed at Azure AD.
I started by following the steps at the blog post below - but I feel like I'm
missing something as I can't get it working.
https://apereo.github.io/cas/6.2.x/integration/Delegate-Authentication.html
(Apologies for the long email - wanted to make sure I have as much info as
possible on my environment and the errors).
My environment is RHEL 8 with OpenJDK 11 and Tomcat 9.0.41.
What I've done:
* In Azure, I created an Enterprise Application within Azure, and within
Single Sign-on chose SAML.
* For CAS - I've built via gradle via the cas-overlay-template. Beyond the
default, I've included the following dependencies:
compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-pm-webflow:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-jmx:${project.'cas.version'}"
compile
"org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
compile
"org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${project.'cas.version'}"
compile
"org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-generic:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
compile
"org.apereo.cas:cas-server-support-hazelcast-monitor:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-metrics:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-core-monitor:${project.'cas.version'}"
*
Within cas.properties I have:
cas.authn.pac4j.saml[0].keystorePassword=<REDACTED>
cas.authn.pac4j.saml[0].privateKeyPassword=<REDACTED>
cas.authn.pac4j.saml[0].keystorePath=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org (is
this right?)
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://login.microsoftonline.com/<REDACTED>/federationmetadata/2007-06/federationmetadata.xml?appid=<REDACTED>
cas.authn.pac4j.saml[0].clientName=AzureADDev
* And defined a single CAS service:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" :
"https://sts.windows.net/ebd45737-b352-4722-bb0c-9f539bcbfa65/";,
"name" : "AzureAD-Dev",
"id" : 1593461500,
"evaluationOrder" : 50,
"accessStrategy" : {
"@class" :
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"delegatedAuthenticationPolicy" : {
"@class" :
"org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
"allowedProviders" : [ "java.util.ArrayList", [ "AzureADDev" ] ]
}
}
}
What happens is when I go to CAS and click on the external identity provider, I
get an error from Microsoft:
Sorry, but we’re having trouble signing you in.
AADSTS7500525: There was an XML error in the SAML message at line 2, position
701. Verify that the XML content of the SAML messages conforms to the SAML
protocol specifications.
Request Id: 70508434-e2f2-4e05-a2a5-2f10ddae9500
Correlation Id: e6abfced-3724-44ce-b005-b7f18aa812cf
Timestamp: 2020-07-07T16:21:31Z
Message: AADSTS7500525: There was an XML error in the SAML message at line 2,
position 701. Verify that the XML content of the SAML messages conforms to the
SAML protocol specifications.
If I try to go there from the Azure side (by choosing the CAS app in Azure),
CAS says the application isn't authorized and shows the following in the CAS
logs:
2021-01-08 10:54:10,298 ERROR
[org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client
identifier cannot be located in the authentication request
[https://login6deva.newpaltz.edu/cas/login?client_name=AzureADDev]>
2021-01-08 10:54:10,298 ERROR
[org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <>
2021-01-08 10:54:10,298 WARN
[org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
at
org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:322)
~[cas-server-support-pac4j-webflow-6.2.6.jar:6.2.6]
at
org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:211)
~[cas-server-support-pac4j-webflow-6.2.6.jar:6.2.6]
at
org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:125)
~[cas-server-support-pac4j-webflow-6.2.6.jar:6.2.6]
at
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[?:?]
at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at
org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282)
~[spring-core-5.2.6.RELEASE.jar:5.2.6.RELEASE]
at
org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
~[spring-cloud-context-2.2.2.RELEASE.jar:2.2.2.RELEASE]
....
(this continues for a long while - can provide the full stack trace if needed)
My apologies if I'm missing something obvious here - but I'd appreciate any
ideas you may have.
P.S. I tried this again back in the Fall on CAS 6.1.6 but had the same issues
(then pulled into a bunch of other unrelated projects so I'm only getting back
to this months later).
Thanks!
Paul Chauvet
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca<mailto:r...@uvic.ca>
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e3d978680da13451fa51cb6a5b365fbdbd48dad.camel%40uvic.ca.
