[cas-user] shibcas + ECP
Walter Forbes Hoehn (wassa)
wassa at memphis.edu
Thu Dec 3 15:16:31 EST 2015
You will need to exclude the ECP endpoint from CAS authN and instead use “Basic Auth,” probably through the servlet container.
-WFH
> On Dec 3, 2015, at 2:10 PM, Michael O Holstein <michael.holstein at csuohio.edu> wrote:
>
> (cross-posted to both lists since I'm not sure who to ask)
>
> I have a deployment of both Shibboleth3 and Cas3 whereby authentication is delegated (to CAS) via Shibcas. I'm running into a wall trying to get ECP working.
>
> I am front-ending Tomcat with Apache and using AJP, configured per the wiki .. and basic auth works, but the scripts on CIlogin.org for ECP testing generate this in the idp-process.log :
>
> 2015-12-03 15:02:23,634 - INFO [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:82] - Profile Action FilterFlowsByNonBrowserSupport: No potential authentication flows remain after filtering
> 2015-12-03 15:02:23,635 - ERROR [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:271] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication will fail
>
> .. and also fail from the script as :
>
> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
>
> The various web-based methods (SAML and CAS) *do* work against the springSAML or javaCAS test apps.
>
> The reason behind the complexity is to take advantage of the multifactor modules available for CAS. In this particular situation MFA isn't needed for the ECP endpoint, as that is only used for MS Outlook.
>
> Many thanks,
>
> Michael Holstein
> Cleveland State University