Hmmm, no debug lines are being added to the log. Either I do not have the
debug line entered correctly in log4j2.xml, or none of these attributes are
being released.
Here is a portion of my log4j2.xml:
---BEGIN PORTION OF log4j2.xml---
...
<AsyncLogger name="com.couchbase" level="warn" includeLocation="true"/>
<AsyncLogger name="de.codecentric" level="${sys:spring.boot.admin.log.level}" includeLocation="true"/>
<AsyncLogger name="net.jradius" level="warn" includeLocation="true"/>
<AsyncLogger name="org.openid4java" level="warn" includeLocation="true"/>
<AsyncLogger name="org.ldaptive" level="${sys:ldap.log.level}" includeLocation="true"/>
<AsyncLogger name="com.hazelcast" level="${sys:hazelcast.log.level}" includeLocation="true"/>
<!-- following line added by CRDaudt 20200124 on recommendation by cas-user forum post -->
<AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
             level="debug" includeLocation="true"/>
<!-- Log audit to all root appenders, and also to audit log (additivity is not false) -->
<AsyncLogger name="org.apereo.inspektr.audit.support" level="debug" includeLocation="true">
    <AppenderRef ref="casAudit"/>
</AsyncLogger>
<!-- All Loggers inherit appenders specified here, unless additivity="false" on the Logger -->
<AsyncRoot level="warn">
    <AppenderRef ref="casFile"/>
...
---END PORTION OF log4j2.xml---
Carl
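A way to check, outside the running server, what a log4j2 logger hierarchy like the one above does with a debug event from AbstractRegisteredServiceAttributeReleasePolicy. This is an added example, not code from the thread, from CAS or from log4j2; the XML inside it is constructed for the example (same shape as the posted fragment, reduced to the loggers that matter), and the hypothetical ldap.log.level value is supplied by hand. It reproduces the rule log4j2 applies when it picks a LoggerConfig: the most specific configured ancestor of the logger name wins, and the root logger is the fallback.

```python
import re
import xml.etree.ElementTree as ET

# log4j2 levels from most to least restrictive; an event passes when its
# level is at or before the logger's effective level in this order.
LEVELS = ["OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE", "ALL"]

# Constructed for this example: the shape of the posted log4j2.xml fragment,
# reduced to the loggers that matter for the question. Not the real file.
SAMPLE_LOG4J2_XML = """<Configuration>
  <Loggers>
    <AsyncLogger name="org.ldaptive" level="${sys:ldap.log.level}" includeLocation="true"/>
    <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
                 level="debug" includeLocation="true"/>
    <AsyncLogger name="org.apereo.inspektr.audit.support" level="debug" includeLocation="true">
      <AppenderRef ref="casAudit"/>
    </AsyncLogger>
    <AsyncRoot level="warn">
      <AppenderRef ref="casFile"/>
    </AsyncRoot>
  </Loggers>
</Configuration>
"""

_SYS_PLACEHOLDER = re.compile(r"\$\{sys:([^}]+)\}")


def resolve_level(raw, sys_props):
    """Substitute ${sys:name} lookups from sys_props; refuse to guess an unset one."""
    def lookup(match):
        name = match.group(1)
        if name not in sys_props:
            raise ValueError(f"level uses ${{sys:{name}}} but that property was not supplied")
        return sys_props[name]
    level = _SYS_PLACEHOLDER.sub(lookup, raw).upper()
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return level


def load_logger_levels(xml_text, sys_props=None):
    """Return ({logger name: LEVEL}, root LEVEL) from a log4j2 <Configuration> document."""
    sys_props = sys_props or {}
    loggers, root_level = {}, None
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ("Logger", "AsyncLogger"):
            loggers[el.get("name")] = resolve_level(el.get("level"), sys_props)
        elif el.tag in ("Root", "AsyncRoot"):
            root_level = resolve_level(el.get("level"), sys_props)
    if root_level is None:
        raise ValueError("configuration has no <Root>/<AsyncRoot> logger")
    return loggers, root_level


def effective_level(logger_name, loggers, root_level):
    """Most specific configured ancestor wins: a.b.c, then a.b, then a, then root."""
    name = logger_name
    while name:
        if name in loggers:
            return loggers[name]
        name = name.rpartition(".")[0]
    return root_level


def would_log(logger_name, event_level, loggers, root_level):
    """True if an event at event_level on logger_name clears the level gate."""
    effective = effective_level(logger_name, loggers, root_level)
    return LEVELS.index(event_level.upper()) <= LEVELS.index(effective)


if __name__ == "__main__":
    cfg = load_logger_levels(SAMPLE_LOG4J2_XML, {"ldap.log.level": "info"})
    for name in ("org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy",
                 "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"):
        print(name, "->", effective_level(name, *cfg), "debug passes:", would_log(name, "debug", *cfg))
```

The script only models the level gate, which for the posted fragment lets a debug event from that one class through while a sibling class under org.apereo.cas.services stays at the root's warn. What it cannot tell you is whether the file it was fed is the one the JVM actually loaded (in a Spring Boot build that is governed by the logging.config property or log4j2's own lookup), or whether an appender carries a ThresholdFilter that discards the event after the logger accepted it; setting status="debug" on the <Configuration> element makes log4j2 report which file it loaded.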
On Friday, January 24, 2020 at 12:11:21 PM UTC-5, rbon wrote:
>
> Carl,
>
> This debug line will let you know what is being returned:
>
> <!-- DEBUG Found principal attributes [...] for [username]
>      Attribute policy [???] allows release of [...] for [username]
>      Final collection of attributes allowed are: [...] -->
> <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
>              level="debug"/>
>
> Ray
>
> On Fri, 2020-01-24 at 06:42 -0800, crdaudt wrote:
>
> Adding org.apereo.cas:cas-server-support-saml to the build certainly made
> a difference: CAS now recognizes the JSON entry for our Ellucian Banner
> related service.
>
> Unfortunately, I am still not out of the woods. The Banner service is now
> reporting "HTTP Status 500 -
> org.jasig.cas.client.validation.TicketValidationException: No assertions
> found."
> From looking at the cas.log, it seems that CAS has the correct information
> for me (UDC_IDENTIFIER, sAMAccountName (same as my UDC_IDENTIFIER),
> displayName, mail, and memberOf (security groups I belong to)). My
> assumption is that the last few lines of my json file should release all of
> these to Banner, i.e., the following lines:
> ---LAST FEW LINES---
>   "usernameAttributeProvider":
>   {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>     "canonicalizationMode": "LOWER"
>   },
>   "attributeReleasePolicy":
>   {
>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
> ---END LAST FEW LINES---
>
> Thanks for getting me over an important hurdle with getting saml support
> into the build.
>
> I would appreciate some ideas for how to satisfy the Ellucian Banner
> service with the required assertions.
>
> Carl
>
> On Friday, January 24, 2020 at 8:39:54 AM UTC-5, crdaudt wrote:
>
> Oh, no -- What I have is the following. I have:
> compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
> ...but I do not have:
> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>
> I will let you know what I find after adding, re-building, and testing.
>
> Carl
>
> On Friday, January 24, 2020 at 8:22:41 AM UTC-5, crdaudt wrote:
>
> Yes, that line is included in my build.gradle file.
>
> On Thursday, January 23, 2020 at 7:10:16 PM UTC-5, rbon wrote:
>
> Carl,
>
> Do you have saml support enabled:
> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>
> Ray
>
>
> On Thu, 2020-01-23 at 15:32 -0800, crdaudt wrote:
>
> Here is the entire JSON file (using the real server names, but blanking
> out the "memberOf" security groups):
> ---BEGIN---
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "^http(s)?://servicespre\\.taylor(u)?\\.edu(/.*)?$",
>   "name": "TOWER -- services",
>   "id": 11000904,
>   "description": "You are authenticating to ___servicespre.taylor.edu___",
>   "evaluationOrder": 104,
>   "accessStrategy" :
>   {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "unauthorizedRedirectUrl" : "https://sso.taylor.edu/cas_access_denied/bannersso.html",
>     "requireAllAttributes" : false,
>     "ssoEnabled" : true,
>     "requiredAttributes" :
>     {
>       "@class" : "java.util.HashMap",
>       "memberOf" : [ "java.util.HashSet", [
>         "CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx",
>         "CN=xx2,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx",
>         (and so forth...)
>       ] ]
>     }
>   },
>   "usernameAttributeProvider":
>   {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>     "canonicalizationMode": "LOWER"
>   },
>   "attributeReleasePolicy":
>   {
>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
> ---END---
>
> On Thursday, January 23, 2020 at 6:09:49 PM UTC-5, crdaudt wrote:
>
> {
>   "serviceId": "^http(s)?://our_banner_server\\.taylor(u)?\\.edu(/.*)?$",
>   "name": "TOWER -- services",
>   (and so forth)
> }
>
> On Thursday, January 23, 2020 at 5:48:01 PM UTC-5, rbon wrote:
>
> Carl,
>
> TARGET is used with SAML 1.1 protocol (which Banner uses), service with
> CAS protocol(s).
> What is your service Id?
> It is odd that it works with service= and not TARGET=.
>
> Ray
>
>
> On Thu, 2020-01-23 at 14:24 -0800, crdaudt wrote:
>
> We have had our Ellucian Banner service authenticating users through our
> CAS 5.2.2 service for several years, and are now attempting to migrate to
> our CAS 6.1.3 service. However, CAS does not recognize the JSON entry that
> we have in place for Banner. I believe the issue is related to the fact
> that the service ticket request includes the parameter "TARGET=..." rather
> than "service=..." in the URL. I.e.,:
>
> https://our.cas.server.edu/cas/login?TARGET=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
>
> rather than:
>
>
> https://our.cas.server.edu/cas/login?service=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
>
> If I manually replace 'TARGET=' with 'service=', the JSON entry is
> recognized and a service ticket is created. However, the banner service
> itself fails to do anything with the service ticket.
>
> Let me reiterate that the same JSON entry worked in our CAS 5 environment,
> but fails to work in our CAS 6.1 environment.
>
> Any ideas?
> Carl
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0e5a4407-8a53-482f-89c2-1b20517b4d5f%40apereo.org.
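The thread turns on three questions about the registered-service JSON quoted above: whether the serviceId regex matches the URL carried in TARGET= (SAML 1.1) or service= (CAS protocol), whether the access strategy admits a principal with the attributes cas.log shows, and what the release policy hands to Banner. The following is an added example that is not code from the thread or from the CAS project; it models those checks in Python so they can be tried against a definition offline. The JSON and the principal inside it are constructed for the example: they keep the shape of the posted entry but use hypothetical host names, group DNs and values, and the JSON is written with commas between members because Python's json module rejects the comma-less form as posted. The access-strategy and release-policy functions follow the documented CAS semantics for DefaultRegisteredServiceAccessStrategy and the ReturnAll/DenyAll/ReturnAllowed release policies (the last two go beyond the policy the thread uses); the model is a simplification, not the CAS implementation.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: the posted entry's shape with hypothetical
# host, group DNs and id, written as strict JSON so json.loads accepts it.
SAMPLE_SERVICE_JSON = r"""
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^http(s)?://servicespre\\.example\\.edu(/.*)?$",
  "name" : "TOWER -- services",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "requireAllAttributes" : false,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [
        "CN=banner-users,OU=groups,DC=example,DC=edu",
        "CN=banner-admins,OU=groups,DC=example,DC=edu" ] ]
    }
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "LOWER"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}
"""

# Constructed principal, shaped like the attributes the thread says cas.log shows.
SAMPLE_PRINCIPAL = {
    "sAMAccountName": ["JDoe"],
    "displayName": ["Jane Doe"],
    "mail": ["[email protected]"],
    "memberOf": ["CN=banner-users,OU=groups,DC=example,DC=edu",
                 "CN=staff,OU=groups,DC=example,DC=edu"],
}


def unwrap(value):
    """Turn Jackson's ["java.util.HashSet", [...]] type-tagged pairs into plain lists, recursively."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.")):
        return unwrap(value[1])
    if isinstance(value, list):
        return [unwrap(v) for v in value]
    if isinstance(value, dict):
        return {k: unwrap(v) for k, v in value.items()}
    return value


def load_service(text):
    return unwrap(json.loads(text))


def service_url_from_login(login_url):
    """CAS protocol carries the service in service=, SAML 1.1 carries it in TARGET=."""
    query = parse_qs(urlsplit(login_url).query)
    for param in ("service", "TARGET"):
        if param in query:
            return param, query[param][0]
    return None, None


def matches_service(service, url):
    """serviceId is a regex that must match the whole URL (Java matches() semantics)."""
    return re.fullmatch(service["serviceId"], url) is not None


def access_allowed(service, principal):
    """requiredAttributes: an attribute is satisfied when one of the principal's values is in
    its allowed set; requireAllAttributes (true by default) decides whether every listed
    attribute must be satisfied or one is enough."""
    strategy = service["accessStrategy"]
    if not strategy.get("enabled", True):
        return False
    required = {k: v for k, v in strategy.get("requiredAttributes", {}).items() if k != "@class"}
    if not required:
        return True
    satisfied = [bool(set(principal.get(attr, [])) & set(allowed)) for attr, allowed in required.items()]
    return all(satisfied) if strategy.get("requireAllAttributes", True) else any(satisfied)


def released_attributes(service, principal):
    """Attributes the release policy forwards; ReturnAll forwards every principal attribute."""
    policy = service["attributeReleasePolicy"]
    kind = policy["@class"].rsplit(".", 1)[-1]
    if kind == "ReturnAllAttributeReleasePolicy":
        return dict(principal)
    if kind == "DenyAllAttributeReleasePolicy":
        return {}
    if kind == "ReturnAllowedAttributeReleasePolicy":
        return {k: v for k, v in principal.items() if k in policy.get("allowedAttributes", [])}
    raise NotImplementedError(kind)


def username_for_service(service, principal_id):
    """DefaultRegisteredServiceUsernameProvider with canonicalizationMode LOWER, UPPER or NONE."""
    mode = service.get("usernameAttributeProvider", {}).get("canonicalizationMode", "NONE")
    return {"LOWER": principal_id.lower(), "UPPER": principal_id.upper()}.get(mode, principal_id)
```

Two points the checks make visible. The posted serviceId is anchored at both ends and escapes its dots, which is what keeps https://servicespre.example.edu.attacker.test/ from matching; an unanchored or unescaped pattern would let a host the operator does not control receive tickets. And with requireAllAttributes false, membership in any one listed group is enough, after which ReturnAllAttributeReleasePolicy forwards every attribute CAS resolved for the principal, memberOf included, to whatever the regex matched. The script says nothing about why a TARGET= request is not recognised by CAS 6.1 in the thread; it only tells you whether the decoded URL matches the pattern.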