Very good. Glad it is working for you.

-----Original Message-----
From: Brian Clayton [mailto:bclay...@clarku.edu] 
Sent: Friday, November 15, 2013 1:39 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS/ADFS/WS-Federation

Hi John,
Thanks for the feedback, you got me pointed in the right direction. I 
apparently didn't have the logging configured correctly in Tomcat, so it wasn't 
actually writing the CAS logs at all. Fixing this and looking for WsFederation 
errors revealed that it was an invalid signature. It seems I used the wrong 
certificate. Once I corrected that, it worked nicely!
Thanks again,
Brian

-----Original Message-----
From: Gasper, John [mailto:jgas...@ewu.edu]
Sent: Thursday, November 14, 2013 8:01 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS/ADFS/WS-Federation

Hi Brian,

You are welcome. Hopefully we can get you going here.

Your saml11/wsfed response looks appropriate to me. Here's a copy of my backing 
map:
<bean class="org.jasig.services.persondir.support.StubPersonAttributeDao" id="attributeRepository">
        <!-- The attributes that are being made available must be listed here. -->
        <property name="backingMap">
                <map>
                        <entry value="" key="Ewuid"/>
                        <entry value="" key="FirstName"/>
                        <entry value="" key="LastName"/>
                        <entry value="" key="Email"/>
                        <entry value="" key="Telephone"/>
                        <entry value="" key="Groups"/>
                        <entry value="" key="UserType"/>
                        <entry value="" key="UDC_IDENTIFIER"/>
                </map>
        </property>
</bean>

UPN is not listed here because the attribute is passed as the principal name.

Is there an error message being dumped in the logs right before this exception? 
It would likely be labelled in the WsFederationAction class. The workflow 
action has a generic exception handler that might show more details before 
re-throwing the exception and then producing the trace you passed along. The 
other error handlers in the class should do the same thing.

John

-----Original Message-----
From: Brian Clayton [mailto:bclay...@clarku.edu]
Sent: Thursday, November 14, 2013 2:18 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS/ADFS/WS-Federation

Hi John,
Thanks for the response (and creating the ws-federation module!). I haven't 
gotten it working yet, although I took a bit of a break to catch up on other 
stuff. I've attached the wresult form data as an XML file. The only other form 
element passed was "wa=wsignin1.0". The XML from ADFS looks reasonable to me, 
but I'm not at all well-versed in the ws-federation specification. It includes 
upn as the only attribute (as expected). On a related note, does the backingMap 
for the attributeRepository bean in deployerConfigContext.xml have to match the 
claims/attributes sent from ADFS? Or the modified attribute map?
Thanks,
Brian

-----Original Message-----
From: Gasper, John [mailto:jgas...@ewu.edu]
Sent: Thursday, November 14, 2013 1:08 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS/ADFS/WS-Federation

Hi Brian,

Sorry I'm late to the ball. Did you get this figured out? I'd start by 
examining the data posted to CAS from ADFS. In Chrome you can use the Network 
tab in the Dev tools and look at the post headers. I'd take the posted response 
and save it to an .xml and open it in IE or Chrome for easier reading. That 
will make it very clear what is being passed to ADFS.

John

-----Original Message-----
From: Brian Clayton [mailto:bclay...@clarku.edu]
Sent: Thursday, November 7, 2013 11:11 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS/ADFS/WS-Federation

I'm using John Gasper's WS-Federation module, set up for full delegation. I have 
the configuration working to the point that it redirects to the ADFS server for 
login, then redirects back to the CAS server upon success. At that point, I get 
the attached error message from the CAS server. I'm speculating that it might 
have to do with the AD attributes passed from ADFS to CAS (claims/assertions), 
but I'm not sure. I've tried everything I can think of, simplifying the claims 
to just UPN, and doing my own version of WsFedAttributeMutatorImpl accordingly. 
Nothing seems to be working. I figure I must have something misconfigured, but 
I'm at a complete loss so I'm hoping someone might have seen this before or 
have some idea of what's going on.
--
You are currently subscribed to cas-user@lists.jasig.org as: jgas...@ewu.edu To 
unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
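
Added example (not part of the original thread or the WS-Federation module): a Python check for the failure reported above, where the certificate configured on the CAS side did not match the one ADFS signed with. It parses a captured sign-in form POST, lists the assertion's attribute names, and compares SHA-256 thumbprints; the sample response and certificate bytes are constructed placeholders, and all function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def to_pem(der):
    """Wrap DER bytes in PEM armor (used here to build the sample)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem):
    """Drop the armor lines and decode the base64 body."""
    lines = [l.strip() for l in pem.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def thumbprint(der):
    return hashlib.sha256(der).hexdigest()

def inspect_wresult(form_body, configured_pem):
    """Summarise a captured WS-Federation sign-in POST for troubleshooting."""
    form = parse_qs(form_body)
    root = ET.fromstring(form["wresult"][0])
    # Certificates the IdP embedded in ds:KeyInfo (informational only).
    embedded = [thumbprint(base64.b64decode("".join(e.text.split())))
                for e in root.iterfind(".//ds:X509Certificate", NS)]
    attributes = [a.get("AttributeName") for a in root.iterfind(".//saml:Attribute", NS)]
    configured = thumbprint(pem_to_der(configured_pem))
    return {"wa": form.get("wa", [""])[0], "attributes": attributes,
            "embedded": embedded, "configured": configured,
            "cert_matches": configured in embedded}

# Constructed sample data: placeholder bytes stand in for real DER certificates.
IDP_CERT = b"constructed-token-signing-cert"
OTHER_CERT = b"constructed-unrelated-cert"
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:AttributeStatement><saml:Attribute AttributeName="upn"
  AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>user@example.edu</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>{base64.b64encode(IDP_CERT).decode()}</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""
SAMPLE_FORM = urlencode({"wa": "wsignin1.0", "wresult": SAMPLE_WRESULT})

if __name__ == "__main__":
    print(inspect_wresult(SAMPLE_FORM, to_pem(OTHER_CERT)))
```

A thumbprint match only shows that the configured file is the certificate named in the token; trust still comes from validating the signature against the configured certificate, never against the embedded one.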
