shibcas + ECP

Michael O Holstein michael.holstein at
Thu Dec 3 15:10:34 EST 2015

(cross-posted to both lists since I'm not sure who to ask)

I have a deployment of both Shibboleth3 and Cas3 whereby authentication is delegated (to CAS) via Shibcas. I'm running into a wall trying to get ECP working.

I am front-ending Tomcat with Apache and using AJP, configured per the wiki .. and basic auth works, but the scripts on for ECP testing generate this in the idp-process.log :

2015-12-03 15:02:23,634 - INFO [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:82] - Profile Action FilterFlowsByNonBrowserSupport: No potential authentication flows remain after filtering

2015-12-03 15:02:23,635 - ERROR [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:271] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication will fail

.. and also fail from the script as :

<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>

The various web-based methods (SAML and CAS) *do* work against the springSMAL or javaCAS test apps.

The reason behind the complexity is to take advantage of the multifactor modules available for CAS. In this particular situation MFA isn't needed for the ECP endpoint, as that is only used for MS Outlook.

Many thanks,

Michael Holstein

Cleveland State University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list