Okay, my issue is resolved.  I had inadvertently left a local host entry on my 
Ellucian Banner applications server that was pointing to the wrong CAS host 
(oops!).

In summary:

--I now have included the following two lines in my build.gradle file for 
building the war file (Thanks Ray):
  compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
  compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
The first line was already in the build, but I also needed the second line.
Let me point out that without the second line compiled into the build, 
there were no warnings present in the log to indicate that my cas build was 
not equipped to handle a "...TARGET=..." saml request that was being made 
from the Ellucian Banner SSO service provider.  Does it make sense for cas 
to be designed to detect and log this fact with a warning?

--I am not sure that the following is necessary, but I have also included 
the following in cas.properties as recommended by Mike:
  cas.samlCore.ticketidSaml2=false

--Contrary to Mike's recommendation I am not limiting my attribute release 
to "udc_identifier", because we also need the LDAP "member_of" attribute in 
order to limit our authorization of CAS logins to a subset of our users.  
Currently, I am using the following in our JSON entry for Banner:
---BEGIN---
...
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
...
---END---
Perhaps I need to trim this down.

--As might be predicted, the DEBUG lines suggested by Ray were important in 
figuring out what was happening.

Thank you Ray and Mike for your assistance in leading me to a quick fix.

Take care,
Carl
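As an added example (not code from this thread, from CAS, or from Ellucian), the following script takes a service definition shaped like the one posted above, with ReturnAllAttributeReleasePolicy swapped for a ReturnAllowedAttributeReleasePolicy limited to the two attributes Carl says Banner needs, and emulates offline, in simplified form, the three things CAS does with such an entry: match the requested URL (from either service= or TARGET=) against serviceId, evaluate the access strategy's requiredAttributes, and filter the attributes the release policy would hand to the service. The group DNs, the sample principal and the sso.example.edu login host are constructed for the example; the real CAS classes also handle attribute-name case options, authentication attributes and other policy types that are not modelled here.

```python
"""Offline sanity checks for a CAS JSON service definition (added example,
not CAS code).  Parses an entry shaped like the one in this thread and
emulates, in simplified form, how CAS uses it: serviceId match, access
strategy, attribute release.  DNs, principal and login host are constructed."""
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed: the thread's entry with ReturnAll replaced by a ReturnAllowed
# policy limited to the two attributes the poster says Banner needs.
SERVICE_JSON = r'''
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^http(s)?://servicespre\\.taylor(u)?\\.edu(/.*)?$",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "requireAllAttributes" : false,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=banner-users,OU=groups,DC=example,DC=edu" ] ]
    }
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "LOWER"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "UDC_IDENTIFIER", "memberOf" ] ]
  }
}
'''

# Constructed principal, shaped like the attribute set described in the thread.
PRINCIPAL = {
    "UDC_IDENTIFIER": ["12345678"],
    "mail": ["jdoe@example.edu"],
    "memberOf": ["CN=banner-users,OU=groups,DC=example,DC=edu",
                 "CN=staff,OU=groups,DC=example,DC=edu"],
}


def parse_service(text):
    return json.loads(text)


def requested_service(login_url):
    """(param, url) a /cas/login URL asks for: CAS protocol sends service=,
    the SAML 1.1 profile Banner uses sends TARGET=."""
    query = parse_qs(urlparse(login_url).query)
    for param in ("service", "TARGET"):
        if param in query:
            return param, query[param][0]
    return None, None


def service_matches(service, url):
    # serviceId is a regex; the ^...$ anchors come from the definition itself.
    return re.match(service["serviceId"], url) is not None


def _payload(value):
    """Unwrap CAS's typed-JSON form ["java.util.X", payload] to the payload."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")):
        return value[1]
    return value


def access_allowed(service, principal_attrs):
    """Simplified DefaultRegisteredServiceAccessStrategy: all required attributes
    must match (requireAllAttributes true) or any one may (false).  Evaluated
    on the principal's attributes, not on the released set."""
    strategy = service["accessStrategy"]
    if not strategy.get("enabled", True):
        return False
    required = {name: set(_payload(values))
                for name, values in strategy.get("requiredAttributes", {}).items()
                if name != "@class"}
    if not required:
        return True
    hits = [bool(set(principal_attrs.get(name, [])) & values)
            for name, values in required.items()]
    return all(hits) if strategy.get("requireAllAttributes", True) else any(hits)


def released_attributes(service, principal_attrs):
    """Apply ReturnAll or ReturnAllowed.  Name comparison is exact here; the
    thread spells the identifier both udc_identifier and UDC_IDENTIFIER."""
    policy = service["attributeReleasePolicy"]
    kind = policy["@class"].rsplit(".", 1)[-1]
    if kind == "ReturnAllAttributeReleasePolicy":
        return dict(principal_attrs)
    if kind == "ReturnAllowedAttributeReleasePolicy":
        allowed = set(_payload(policy.get("allowedAttributes", [])))
        return {k: v for k, v in principal_attrs.items() if k in allowed}
    raise ValueError(f"policy not modelled here: {kind}")


if __name__ == "__main__":
    svc = parse_service(SERVICE_JSON)
    login = ("https://sso.example.edu/cas/login?TARGET=https%3A%2F%2F"
             "servicespre.taylor.edu%2FEmployeeSelfService%2Flogin%2Fcas")
    param, url = requested_service(login)
    print(f"{param}= {url} matches serviceId: {service_matches(svc, url)}")
    print("access allowed:", access_allowed(svc, PRINCIPAL))
    print("released:", sorted(released_attributes(svc, PRINCIPAL)))
```

Two points the emulation makes visible. First, the access strategy's requiredAttributes check runs against the principal's resolved attributes, so memberOf does not have to be in the release policy for the group-based authorization to work; it is in the allowed list above only on the assumption that Banner itself consumes it, and if it does not, UDC_IDENTIFIER alone is enough. Second, the posted serviceId regex accepts plain http:// as well as https://; unless the Banner callback really is issued over plain HTTP, a serviceId beginning with `^https://` is the safer pattern.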

On Friday, January 24, 2020 at 7:55:25 PM UTC-5, rbon wrote:
>
> There should be output right after audit line, SERVICE_TICKET_VALIDATED.
>
> You could also set cas.log.level to debug or trace.
>
> Ray
>
> On Fri, 2020-01-24 at 12:55 -0800, crdaudt wrote:
>
> Hmmm, no debug lines are being added to the log.  Either I do not have the 
> debug line entered correctly in log4j2.xml, or none of these attributes are 
> being released. 
> Here is a portion of my log4j2.xml:
>
> ---BEGIN PORTION OF log4j2.xml---
> ...
>         <AsyncLogger name="com.couchbase" level="warn" includeLocation="true"/>
>         <AsyncLogger name="de.codecentric" level="${sys:spring.boot.admin.log.level}" includeLocation="true"/>
>         <AsyncLogger name="net.jradius" level="warn" includeLocation="true" />
>         <AsyncLogger name="org.openid4java" level="warn" includeLocation="true" />
>         <AsyncLogger name="org.ldaptive" level="${sys:ldap.log.level}" includeLocation="true"/>
>         <AsyncLogger name="com.hazelcast" level="${sys:hazelcast.log.level}" includeLocation="true"/>
>
>         <!-- following line added by CRDaudt 20200124 on recommendation by 
> cas-user forum post -->
>         <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug" includeLocation="true"/>
>
>         <!-- Log audit to all root appenders, and also to audit log 
> (additivity is not false) -->
>         <AsyncLogger name="org.apereo.inspektr.audit.support" 
> level="debug" includeLocation="true" >
>             <AppenderRef ref="casAudit"/>
>         </AsyncLogger>
>
>         <!-- All Loggers inherit appenders specified here, unless 
> additivity="false" on the Logger -->
>         <AsyncRoot level="warn">
>             <AppenderRef ref="casFile"/>
> ...
> ---END PORTION OF log4j2.xml---
>
> Carl
>
> On Friday, January 24, 2020 at 12:11:21 PM UTC-5, rbon wrote: 
>
> Carl,
>
> This debug line will let you know what is being returned:
>
>         <!-- DEBUG Found principal attributes [...] for [username]
>                    Attribute policy [???] allows release of [...] for 
> [username]
>                    Final collection of attributes allowed are: [...] -->
>         <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
>
> Ray
>
> On Fri, 2020-01-24 at 06:42 -0800, crdaudt wrote:
>
> Adding org.apereo.cas:cas-server-support-saml to the build certainly made 
> a difference:  CAS now recognizes the JSON entry for our Ellucian Banner 
> related service. 
>
> Unfortunately, I am still not out of the woods.  The Banner service is now 
> reporting "HTTP Status 500 - 
> org.jasig.cas.client.validation.TicketValidationException: No assertions 
> found."
> From looking at the cas.log, it seems that CAS has the correct information 
> for me (UDC_IDENTIFIER, sAMAccountName (same as my UDC_IDENTIFIER), 
> displayName, mail, and memberOf (security groups I belong to)).  My 
> assumption is that the last few lines of my json file should release all of 
> these to Banner, i.e., the following lines:
> ---LAST FEW LINES---
>   "usernameAttributeProvider":
>   {
>     "@class": 
> "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>     "canonicalizationMode": "LOWER"
>   },
>   "attributeReleasePolicy":
>   {
>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
> ---END LAST FEW LINES---
>
> Thanks for getting me over an important hurdle with getting saml support 
> into the build.
>
> I would appreciate some ideas for how to satisfy the Ellucian Banner 
> service with the required assertions.
>
> Carl
>
> On Friday, January 24, 2020 at 8:39:54 AM UTC-5, crdaudt wrote: 
>
> Oh, no -- What I have is the following.  I have: 
> compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
>   ...but I do not have:
> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>
> I will let you know what I find after adding, re-building, and testing.
>
> Carl
>
> On Friday, January 24, 2020 at 8:22:41 AM UTC-5, crdaudt wrote: 
>
> Yes, that line is included in my build.gradle file.
>
> On Thursday, January 23, 2020 at 7:10:16 PM UTC-5, rbon wrote: 
>
> Carl,
>
> Do you have saml support enabled:
> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>
> Ray
>
>
> On Thu, 2020-01-23 at 15:32 -0800, crdaudt wrote:
>
> Here is the entire JSON file (using the real server names, but blanking 
> out the "memberOf" security groups): 
> ---BEGIN---
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "^http(s)?://servicespre\\.taylor(u)?\\.edu(/.*)?$",
>   "name": "TOWER -- services",
>   "id": 11000904,
>   "description": "You are authenticating to ___servicespre.taylor.edu___",
>   "evaluationOrder": 104,
>   "accessStrategy" :
>   {
>     "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "unauthorizedRedirectUrl" : "https://sso.taylor.edu/cas_access_denied/bannersso.html",
>     "requireAllAttributes" : false,
>     "ssoEnabled" : true,
>     "requiredAttributes" :
>     {
>       "@class" : "java.util.HashMap",
>       "memberOf" : [ "java.util.HashSet", [ "CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx", "CN=xx2,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx", (and so forth...) ] ]
>     }
>   },
>   "usernameAttributeProvider":
>   {
>     "@class": 
> "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>     "canonicalizationMode": "LOWER"
>   },
>   "attributeReleasePolicy":
>   {
>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
> ---END---
>
> On Thursday, January 23, 2020 at 6:09:49 PM UTC-5, crdaudt wrote: 
>
> {
>   "serviceId": "^http(s)?://our_banner_server\\.taylor(u)?\\.edu(/.*)?$", 
>   "name": "TOWER -- services",
>   (and so forth)
> }
>
> On Thursday, January 23, 2020 at 5:48:01 PM UTC-5, rbon wrote: 
>
> Carl,
>
> TARGET is used with SAML 1.1 protocol (which Banner uses), service with 
> CAS protocol(s).
> What is your service Id?
> It is odd that it works with service= and not TARGET=. 
>
> Ray
>
>
> On Thu, 2020-01-23 at 14:24 -0800, crdaudt wrote:
>
> We have had our Ellucian Banner service authenticating users through our 
> CAS 5.2.2 service for several years, and are now attempting to migrate to 
> our CAS 6.1.3 service.  However, CAS does not recognize the JSON entry that 
> we have in place for Banner.  I believe the issue is related to the fact 
> that the service ticket request includes the parameter "TARGET=..." rather 
> than "service=..." in the URL.  I.e.,: 
>
>
> https://our.cas.server.edu/cas/login?TARGET=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
>
> rather than:
>
>
> https://our.cas.server.edu/cas/login?service=https%3A%2F%2Four.banner.server.edu%2FEmployeeSelfService%2Flogin%2Fcas
>
> If I manually replace 'TARGET=' with 'service=', the JSON entry is 
> recognized and a service ticket is created.  However, the banner service 
> itself fails to do anything with the service ticket.
>
> Let me reiterate that the same JSON entry worked in our CAS 5 environment, 
> but fails to work in our CAS 6.1 environment.
>
> Any ideas?
> Carl
>
> -- 
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2606672f-d8a0-4294-81c9-f1520fa65423%40apereo.org.
