Hello Jarda,

Ok so:

- for the first problem: The use case is that the idp is passing an 
attribute that can be found in a datasource (for us ldap) that CAS uses 
to find users; it's an attribute for the federated identity. In our 
development we considered that the user exists in the CAS datasource, and 
to find it the idp provides the email and we look in an ldap, but you can 
replace all this part. For your use case you will have to make some 
implementation/configuration as you will need to save the users' 
parameters in a "datasource" (in memory or database or ...) that CAS 
will be able to obtain easily during at least all the user session - look 
at the persondir lib in this case, there are several tools to define a 
user from several datasources - or maybe save the user's information in a 
datasource. That is needed because CAS won't request the users' 
parameters from the idp again once the user is authenticated; this isn't 
intended and I don't know if it will be possible to request the saml 
attribute from the idp each time. Our development is a specific use case 
but you should be able to replace some parts by custom or CAS classes.

For the sources you should be able to find everything from: 
https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2 
after that it uses some CAS modules like cas-server-support-ldap that you 
should activate.

- for the second: It's a custom change to be able to authenticate over 
the cas from different CAS domain names but sharing the same sessionId 
over all (sub-)domain names that we manage, so you can remove this part 
and all related.

Thanks

Julien G.
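As an added example (not code from the GIP-RECIA plugin or from this thread), the following CAS 3.4-style CredentialsToPrincipalResolver shows the approach described above for a deployment without LDAP: the attributes delivered by the IdP are copied into the Principal, which CAS keeps with the ticket-granting ticket for the whole session, so nothing has to be requested from the IdP again. The SamlAttributeCredentials class, the package name and the default "mail" attribute are assumptions.

```java
package example.cas; // hypothetical package, not part of the plugin

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;

/**
 * Hypothetical credentials class standing in for whatever the plugin
 * builds from an already validated SAML assertion: only the attribute
 * map matters here.
 */
class SamlAttributeCredentials implements Credentials {
    private static final long serialVersionUID = 1L;
    private final Map<String, Object> attributes;

    SamlAttributeCredentials(final Map<String, Object> attributes) {
        this.attributes = attributes;
    }

    Map<String, Object> getAttributes() {
        return attributes;
    }
}

/**
 * Resolves the CAS principal directly from IdP attributes, replacing the
 * LDAP lookup done by the plugin's email-based resolver. Register it in
 * deployerConfigContext.xml under credentialsToPrincipalResolvers.
 */
public class SamlAttributesCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {

    /** IdP attribute used as the CAS principal id (assumed default "mail"). */
    private String principalAttributeName = "mail";

    public boolean supports(final Credentials credentials) {
        return credentials instanceof SamlAttributeCredentials;
    }

    public Principal resolvePrincipal(final Credentials credentials) {
        final Map<String, Object> attrs = ((SamlAttributeCredentials) credentials).getAttributes();
        final Object id = attrs.get(principalAttributeName);
        if (id == null) {
            return null; // no usable identifier: CAS rejects the login when no principal resolves
        }
        // Defensive, read-only copy: the session principal must not change if the credentials do.
        return new SimplePrincipal(id.toString(), Collections.unmodifiableMap(new HashMap<String, Object>(attrs)));
    }

    public void setPrincipalAttributeName(final String name) {
        this.principalAttributeName = name;
    }
}
```

With attributes carried in the Principal this way, the attributeRepository/LDAP handler pair from the sample configuration is not needed for SAML-authenticated users.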


On 27/06/2014 18:02, Jaroslav Kacer wrote:
> Hello Julien (and others)!
>
> I have already achieved a state when CAS starts without problems with 
> the plugin, however it throws an error when the user accesses the 
> /login page.
> I'd like to ask two more questions about the plugin configuration.
>
> *1. Configuration in deployerConfigContext.xml:*
>
> You provided me (see your email from 24/06/2014 12:38) with 2 Spring 
> beans that should be inserted into deployerConfigContext.xml:
>
>   * *emailAddressesCredsToPrincipal*, which goes to
>     authenticationManager/credentialsToPrincipalResolvers
>   * *ldapEmailAddressesAuthenticationHandler*, which goes to
>     authenticationManager/authenticationHandlers
>
>
> Concerning ldapEmailAddressesAuthenticationHandler, I don't quite 
> understand its purpose. I have looked into the source and it seems it 
> only communicates with an LDAP server. Does it mean the plugin 
> requires an LDAP server in addition to the SAML IdP? Because I 
> expected that all user attributes would come from the IdP as 
> attributes. I'm afraid I will have no LDAP server available for people 
> authenticating via the SAML IdP. Or maybe I misunderstood something 
> here...
>
> I would assume the deployerConfigContext.xml file will contain a 
> handler that communicates with the IdP using SAML messages. But I 
> can't find any in the source code, so maybe I am wrong.
>
> *2. Configuration in login-webflow.xml - expression initMultiDomainAction*
>
> File login-webflow.xml now contains the following definition of 
> initializeFlow:
>
> <action-state id="initializeFlow">
>     <evaluate expression="initialFlowSetupAction" />
>     *<evaluate expression="initMultiDomainAction">*
>         <attribute name="name" value="initFinished" />
>     </evaluate>
>     <transition on="initFinished.success" to="checkSamlResponse" />
> </action-state>
>
> When I try to go to the /login page, I get an error and there is the 
> following stack trace in the log:
>
> SEVERE: Servlet.service() for servlet [cas] in context with path 
> [/cas-web-app] threw exception [Request processing failed; nested 
> exception is 
> org.springframework.webflow.execution.ActionExecutionException: 
> Exception thrown executing [AnnotatedAction@709f98e4 targetAction = 
> [EvaluateAction@7deeda7f expression = *initMultiDomainAction*, 
> resultExpression = [null]], attributes = map['name' -> 
> 'initFinished']] in state 'initializeFlow' of flow 'login' -- action 
> execution attributes were 'map[[empty]]'] with root cause
> *ognl.NoSuchPropertyException: 
> org.springframework.webflow.engine.impl.RequestControlContextImpl.initMultiDomainAction*
>         at 
> ognl.ObjectPropertyAccessor.getProperty(ObjectPropertyAccessor.java:151)
>         at 
> org.springframework.webflow.expression.WebFlowOgnlExpressionParser$RequestContextPropertyAccessor.getProperty(WebFlowOgnlExpressionParser.java:118)
>         at ognl.OgnlRuntime.getProperty(OgnlRuntime.java:2210)
>         at ognl.ASTProperty.getValueBody(ASTProperty.java:114)
>         at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
>         at ognl.SimpleNode.getValue(SimpleNode.java:258)
>         at ognl.Ognl.getValue(Ognl.java:494)
>         at 
> org.springframework.binding.expression.ognl.OgnlExpression.getValue(OgnlExpression.java:85)
>         at 
> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>         at 
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>         at 
> org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>         at 
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>         at 
> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
>         at org.springframework.webflow.engine.State.enter(State.java:194)
>         at org.springframework.webflow.engine.Flow.start(Flow.java:535)
>         at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:364)
>         at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222)
>         at 
> org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>         at 
> org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)
> etc.
>
> A colleague who is familiar with Spring WebFlow says there should be a 
> Spring bean named "initMultiDomainAction" defined somewhere, most 
> likely in cas-servlet.xml, but there is not any. I merged everything 
> from cas-servlet-saml2.xml, there is no such bean. Isn't it an 
> omission? Could you please have a look into your complete 
> cas-servlet.xml, if there is such a bean?
>
> Thank you very much for your answer!
>
> Best Regards,
>    Jarda
>
>
>
>
> From: Julien Gribonvald <julien.gribonv...@recia.fr>
> To: cas-user@lists.jasig.org
> Date: 24.06.2014 12:53
> Subject: Re: [cas-user] Integrating CAS with the SAML2 plugin from 
> GIP-RECIA
> ------------------------------------------------------------------------
>
>
>
> One more piece of information on the use of pac4j: you can look at 
> http://jasig.github.io/cas/4.0.0/integration/Delegate-Authentication.html, 
> this explains how to integrate pac4j in CAS 4 with some examples (not 
> SAML but it's a beginning).
>
> But if you go with this solution please give feedback ;)
>
> Thanks
> Julien Gribonvald
>
>
> On 24/06/2014 12:38, Julien Gribonvald wrote:
> Hi,
>
> I would suggest that you look at pac4j, it should replace the SAML 
> plugin developed by Maxime in the future for our use (Maxime worked 
> for us on this plugin before something more "generic" like pac4j came). 
> This "toolbox" (I see it like that) will help to use the last version 
> of CAS, as Maxime's plugin should be reviewed for versions of CAS 
> after 3.4.x. After that I don't know if we can use it for that, but maybe 
> Jérome Leleu could give some words on this use or point to some 
> documentation?
>
> Else, for the use of this plugin see in attachment an example of our 
> SP metadata file that we use in production on our CAS (obviously 
> without certificates and custom data, so replace A_DOMAIN_NAME by 
> your domain name, ADD CERTIFICATE HERE, and check the other custom data).
>
> About the IdP, it was tested over a shibboleth idp and in production with 
> another idp than shibboleth (seems a fork for private use, or 
> something related with ibm, but we don't know a lot about it), but 
> working in the same way as all is based on SAML specs, so I think this 
> should work.
>
> About configuration, all files that you have to modify and deploy 
> are on 
> https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2/sample-* 
> but I think you don't have to modify a lot, setting all properties 
> should do the work.
> And the properties in config.properties should be added to the 
> original file cas.properties.
>
> If I look at our deployment, the things that I don't see in the 
> source are:
> - in deployerConfigContext.xml: in the bean authenticationManager, in 
> the property credentialsToPrincipalResolvers, add the 
> credentialResolver mapped to the saml service, we use the 
> EmailAddressesCredentialsToPrincipalResolver.java as an example:
>         <bean id="emailAddressesCredsToPrincipal"
>               class="org.esco.cas.authentication.principal.EmailAddressesCredentialsToPrincipalResolver">
>             <property name="attributeRepository" ref="attributeRepository" />
>         </bean>
>
>         <bean id="ldapEmailAddressesAuthenticationHandler"
>               class="org.esco.cas.authentication.handler.support.LdapEmailAddressesAuthenticationHandler">
>             <property name="searchBase" value="${ldap.basedn}" />
>             <property name="contextSource" ref="contextSource" />
>             <property name="principalAttributeName" value="${ldap.identifier.attribute}" />
>             <property name="timeout" value="5000" />
>             <property name="authenticationLdapFiltersArray" value="${ldap.authentication.email.filters}" />
>         </bean>
>
> - in cas-servlet.xml you should add the import of 
> cas-servlet-saml2.xml 
> <https://github.com/GIP-RECIA/cas/blob/feature-saml2/cas-server-support-saml2/sample-config/cas-servlet-saml2.xml>
>
> I hope this will help, but don't hesitate to ask, I can provide some 
> other examples...
>
> As for the documentation, we have one in French explaining the 
> properties and how it works but that's all; after that you are welcome to 
> make a pull request for contributions if you succeed in installing the 
> plugin.
>
> Thanks
>
> Julien Gribonvald
>
>
> On 24/06/2014 11:09, Jaroslav Kacer wrote:
> Hello everybody!
>
> I'm trying to integrate CAS and the SAML2 plugin which was discussed 
> in this list on Oct 22 2013 by Maxime Bossard 
> (https://groups.google.com/d/msg/jasig-cas-user/FVrTSnXMJbk/SHzarllCF2kJ). 
> As I am experiencing some issues, I wonder if someone (possibly 
> Maxime) could help me. I have already asked directly in the Google 
> group but the message did not propagate to this list, so I am posting 
> the question again.
>
> The version of CAS I use is 3.4.12.1 because the plugin's POM file 
> points to 3.4.11-RC1 and 3.4.12.1 is the latest version in the 3.4.x line.
>
> I have merged the provided sample XML configuration files with those 
> of CAS, also the two properties files, some JSPs and web.xml. Now I am 
> getting errors from the plugin complaining about SP metadata. 
> Obviously the plugin expects some SAML2 endpoints with various 
> bindings that are not in my SP metadata.
>
>
> Maxime, could you please provide a list of all expected endpoints with 
> their bindings and URLs that should be enumerated in the SP metadata 
> file? Or, an example SP metadata file would be even better :-)
> Although the error message clearly says what service/binding the 
> plugin expects, I don't know how to create the URLs for the bindings. 
> Are they fixed or does the plugin first read the metadata file and 
> then uses the URLs specified there?
>
>
> I would also like to ask about the IdP side. I assume you used the 
> plugin against Shibboleth. Have you tested it against other IdP 
> servers? I'd like to use Microsoft ADFS. Are any special settings 
> needed? (I don't have access to the server yet so I cannot test it at 
> the moment.) At the moment, I am using an example IdP metadata file 
> from Shibboleth (just to make it run) but I will have to adapt it later.
>
>
> It would be great if the documentation for the plugin could be more 
> elaborated, mainly the section "Plugin Configuration". I've already 
> spent 2 days putting CAS and the plugin together.
> Or is there anything else than the ReadMe.md file from Github?
>
>
> Thank you in advance for your answer!
>
> Best Regards,
>    Jarda Kacer, IDC
>
> -- 
> You are currently subscribed to cas-user@lists.jasig.org 
> <mailto:cas-user@lists.jasig.org> as: julien.gribonvald@recia.fr 
> <mailto:julien.gribonv...@recia.fr>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

