Adding org.apereo.cas:cas-server-support-saml to the build certainly made a
difference: CAS now recognizes the JSON entry for our Ellucian Banner
related service.
Unfortunately, I am still not out of the woods. The Banner service is now
reporting "HTTP Status 500 -
org.jasig.cas.client.validation.TicketValidationException: No assertions
found."
>From looking at the cas.log, it seems that CAS has the correct information
for me (UDC_IDENTIFIER, sAMAccountName (same as my UDC_IDENTIFIER),
displayName, mail, and memberOf (security groups I belong to)). My
assumption is that the last few lines of my json file should release all of
these to Banner, i.e., the following lines:
---LAST FEW LINES---
"usernameAttributeProvider":
{
"@class":
"org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
"canonicalizationMode": "LOWER"
}
"attributeReleasePolicy":
{
"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
}
}
---END LAST FEW LINES---
Thanks for getting me over an important hurdle with getting saml support
into the build.
I would appreciate some ideas for how to satisfy the Ellucian Banner
service with the required assertions.
Carl
On Friday, January 24, 2020 at 8:39:54 AM UTC-5, crdaudt wrote:
>
> Oh, no -- What I have is the following. I have:
> compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
> ...but I do not have:
> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>
> I will let you know what I find after adding, re-building, and testing.
>
> Carl
>
> On Friday, January 24, 2020 at 8:22:41 AM UTC-5, crdaudt wrote:
>>
>> Yes, that line is included in my build.gradle file.
>>
>> On Thursday, January 23, 2020 at 7:10:16 PM UTC-5, rbon wrote:
>>>
>>> Carl,
>>>
>>> Do you have saml support enabled:
>>> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>>>
>>> Ray
>>>
>>>
>>> On Thu, 2020-01-23 at 15:32 -0800, crdaudt wrote:
>>>
>>> Here is the entire JSON file (using the real server names, but blanking
>>> out the "memberOf" security groups):
>>> ---BEGIN---
>>> {
>>> "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>> "serviceId": "^http(s)?://servicespre\\.taylor(u)?\\.edu(/.*)?$",
>>> "name": "TOWER -- services",
>>> "id": 11000904,
>>> "description": "You are authenticating to
>>> ___servicespre.taylor.edu___",
>>> "evaluationOrder": 104,
>>> "accessStrategy" :
>>> {
>>> "@class" :
>>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>> "enabled" : true,
>>> "unauthorizedRedirectUrl" : "
>>> https://sso.taylor.edu/cas_access_denied/bannersso.html";,
>>> "requireAllAttributes" : false,
>>> "ssoEnabled" : true,
>>> "requiredAttributes" :
>>> {
>>> "@class" : "java.util.HashMap",
>>> "memberOf" : [ "java.util.HashSet", [
>>> "CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx","CN=xx2,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx",(and
>>>
>>> so forth...)" ] ]
>>> }
>>> }
>>> "usernameAttributeProvider":
>>> {
>>> "@class":
>>> "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>>> "canonicalizationMode": "LOWER"
>>> }
>>> "attributeReleasePolicy":
>>> {
>>> "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>> }
>>> }
>>> ---END---
>>>
>>> On Thursday, January 23, 2020 at 6:09:49 PM UTC-5, crdaudt wrote:
>>>
>>> {
>>> "serviceId":
>>> "^http(s)?://our_banner_server\\.taylor(u)?\\.edu(/.*)?$",
>>> "name": "TOWER -- services",
>>> (and so forth)
>>> }
>>>
>>> On Thursday, January 23, 2020 at 5:48:01 PM UTC-5, rbon wrote:
>>>
>>> Carl,
>>>
>>> TARGET is used with SAML 1.1 protocol (which Banner uses), service with
>>> CAS protocol(s).
>>> What is your service Id?
>>> It is odd that it works with service= and not TARGET=.
>>>
>>> Ray
>>>
>>>
>>> On Thu, 2020-01-23 at 14:24 -0800, crdaudt wrote:
>>>
>>> We have had our Ellucian Banner service authenticating users through our
>>> CAS 5.2.2 service for several years, and are now attempting to migrate to
>>> our CAS 6.1.3 service. However, CAS does not recognize the JSON entry that
>>> we have in place for Banner. I believe the issue is related to the fact
>>> that the service ticket request includes the parameter "TARGET=..." rather
>>> than "service=..." in the URL. I.e.,:
>>>
>>>
>>> https://our.cas.server.edu/cas/login?TARGET=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
>>>
>>> rather than:
>>>
>>>
>>> https://our.cas.server.edu/cas/login?service=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
>>>
>>> If I manually replace 'TARGET=' with 'service=', the JSON entry is
>>> recognized and a service ticket is created. However, the banner service
>>> itself fails to do anything with the service ticket.
>>>
>>> Let me reiterate that the same JSON entry worked in our CAS 5
>>> environment, but fails to work in our CAS 6.1 environment.
>>>
>>> Any ideas?
>>> Carl
>>>
>>> --
>>>
>>>
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> 2507218831 | CLE 019 | [email protected]
>>>
>>> I respectfully acknowledge that my place of work is located within the
>>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>>> WSÁNEĆ Nations.
>>>
>>> --
>>>
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> 2507218831 | CLE 019 | [email protected]
>>>
>>> I respectfully acknowledge that my place of work is located within the
>>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>>> WSÁNEĆ Nations.
>>>
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/62755640-cf3a-4e73-bedb-0e08453575eb%40apereo.org.
