I'm trying to configure my CAS test setup (CAS Server and 2 services) for SAML 1.1.

I read what I could find about CAS & SAML configuration, but I'm still at a loss.

On the service (client) side I followed this doc:
https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
In web.xml I selected the SAML filters mentioned in the doc (next to the other required filters).

I read somewhere that the CAS client must be configured to request a SAML 
service ticket validation response, e.g., /samlValidate.
I suppose this condition is met by opting for the SAML filters in web.xml.

I also added the required libs to the services 
(https://wiki.jasig.org/display/CASC/Saml11TicketValidationFilter+Example)

When I try to access a service I get the exception
"The server encountered an internal error 
(org.jasig.cas.client.validation.TicketValidationException: 
org.opensaml.SAMLException: Service not allowed to validate tickets.) that 
prevented it from fulfilling this request."

What is lacking on the server side?

Some background information:

- I created a self-signed certificate which I added to the cacerts keystore file of the JVM used by the CAS and services Tomcats. Can SAML 1.1 be used with self-signed certificates?

- I get the authentication data through a web service that I integrated in the CAS server. The web service gets the data from an Oracle database. In the non-SAML set-up this works fine.

- I derived a class DomainSecurityCredentials from UsernamePasswordCredentials that has an additional domain property.

- In the class DomainSecurityCredentialsToPrincipalResolver that implements CredentialsToPrincipalResolver I add the following attributes to SimplePrincipal: the domain and the roles the principal can have in the domain.

The attribute map is written out in the log:

19 okt 2012 12:10:37,331 DEBUG AuthenticationManagerImpl:63 - Attribute map for guy.tho...@vlaamsbrabant.be: {roles=[ROLE_DOMAIN_USER], domain=provraad}

[Additional question: how do I get the "roles" array in a SAML response?]

Guy Thomas
Analyst-Programmer
Projects and Development Department

Provinciehuis
Provincieplein 1
3010 Leuven

Tel: 016267945
--------------------------------------------------------------------------------
No rights can be derived from this message. All messages sent to this
professional e-mail address may be read by the employer. In carrying out our
task of public interest we record your relevant personal data in our files.
You may inspect and correct these in accordance with the Personal Data
Processing Act of 8 December 1992.

The enterprise number of the provincial government is 0253.973.219
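As an added example (not code from the post or from the Jasig CAS project) for the bracketed question above: once Saml11TicketValidationFilter and HttpServletRequestWrapperFilter are in the filter chain, request.getUserPrincipal() is an org.jasig.cas.client.authentication.AttributePrincipal whose getAttributes() map holds the attributes the server released, and a multi-valued attribute such as "roles" comes back as a List rather than a String. It assumes the CAS server is configured to release the "roles" attribute to this registered service (allowedAttributes on the service entry in a CAS 3.x service registry); the class and method names below are mine.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.jasig.cas.client.authentication.AttributePrincipal;

/** Reads the "roles" attribute out of the validated CAS/SAML 1.1 assertion. */
public final class CasRoles {

    // Attribute name exactly as it appears in the CAS server log in the post.
    private static final String ROLES_ATTRIBUTE = "roles";

    private CasRoles() {}

    /**
     * Roles carried by the CAS principal, or an empty set when the request has
     * no CAS principal or no "roles" attribute. A multi-valued SAML attribute
     * is handed back as a Collection and a single value as a plain String, so
     * both shapes are handled; anything else is treated as "no roles" (deny).
     */
    public static Set<String> rolesFrom(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (!(p instanceof AttributePrincipal)) {
            return Collections.emptySet();          // not authenticated via CAS
        }
        Map<String, Object> attrs = ((AttributePrincipal) p).getAttributes();
        Object raw = attrs == null ? null : attrs.get(ROLES_ATTRIBUTE);
        Set<String> roles = new LinkedHashSet<String>();
        if (raw instanceof Collection) {
            for (Object v : (Collection<?>) raw) {  // e.g. [ROLE_DOMAIN_USER, ...]
                if (v != null) roles.add(v.toString());
            }
        } else if (raw != null) {
            roles.add(raw.toString());              // single role released as String
        }
        return roles;
    }

    /** Page-level authorisation: allow only if the asserted roles include the required one. */
    public static boolean hasRole(HttpServletRequest request, String required) {
        return rolesFrom(request).contains(required);
    }
}
```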
