Hi Jason,
I know we had problems with CAS 5.3.x, PAC4J and SAML because additional
parameters sent in the AuthN request were not accepted by the Azure IdP.
However, we fell back to CAS 5.2.6, with PAC4J delegation to Azure. It
looks like CAS does not like the signature on the Azure assertion. Do you
have PAC4J requiring signing? Make sure you have a valid URL in CAS
properties for the Azure CAS Applications Metadata. Also make sure your
endpoints match, especially that the Assertion Consumer URL that you configure
in Azure matches what is in your CAS SP-metadata.xml file, and also that the
index matches. CAS supports multiple delegations and therefore could have
multiple PAC4J SP definitions.
Just to test, try disabling the signed responses requirement and see if it
works or you get further.

I will have to open up our Azure App config and Cas.properties to give more
details.

Mike K.


On Thu, Dec 20, 2018 at 9:32 PM Raghavan TV <[email protected]> wrote:

> Hi Jason
>
> We configured the CAS server as the SP and used the Azure AD SAML endpoint as
> the IdP. There were issues in the latest 5.2.6 and I remember falling
> back to 5.2.3 (will cross check).
> Let me know if you are still facing issues and I shall share our configuration.
>
> Thanks
> -Raghav
>
> On Tue, Dec 4, 2018 at 2:57 AM Jason Brooks <[email protected]> wrote:
> >
> > We're looking at integrating CAS with Azure AD for authentication. How did you get CAS linked up with Azure AD? We've not been able to find any docs to help on this.
> >
> > Thanks,
> > J
> >
> >
> >
> > On Wednesday, September 19, 2018 at 3:34:41 PM UTC-4, Raghavan TV wrote:
> >>
> >> Hi All
> >>
> >> I am testing CAS 5.2.6 to work in a delegated authentication mode against Azure AD.
> >>
> >> When we get a SAML response back from the IdP, I am getting redirected to the CAS > UnAuthorized Access page.
> >>
> >> The logs indicate the following errors:
> >>
> >> 2018-09-19 19:28:09,358 ERROR [org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator] - <Current assertion validation failed, continue with the next one>
> >> org.pac4j.saml.exceptions.SAMLException: Signature is not trusted
> >>         at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:704) ~[pac4j-saml-2.3.1.jar:?]
> >> ...
> >> ...
> >> 2018-09-19 19:28:09,363 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <The request requires http action>
> >> org.pac4j.saml.exceptions.SAMLException: No valid subject assertion found in response
> >> ...
> >> ...
> >>
> >> Any pointers on which cert should be imported into the keystore?
> >>
> >>
> >> Thanks
> >> Raghavan
> >>
> >>
> >>
> > --
> > - Website: https://apereo.github.io/cas
> > - Gitter Chatroom: https://gitter.im/apereo/cas
> > - List Guidelines: https://goo.gl/1VRrw7
> > - Contributions: https://goo.gl/mh7qDG
> > ---
> > You received this message because you are subscribed to a topic in the
> Google Groups "CAS Community" group.
> > To unsubscribe from this topic, visit
> https://groups.google.com/a/apereo.org/d/topic/cas-user/hTqhOVubd88/unsubscribe
> .
> > To unsubscribe from this group and all its topics, send an email to
> [email protected].
> > To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/acedfef4-3f18-41d8-923b-f7b94feec03c%40apereo.org
> .
>
