ADFS + Shib 2 Idp + CAS

seth underhill seth.underhill at cuw.edu
Fri May 1 14:14:08 EDT 2015


Hello Everyone,

I recently integrated our CAS with Shibboleth IdP 2.4.4 and then integrated
the Shib IdP with ADFS 2.0 in order to allow users logging into O365 to hit
our CAS. 

This has worked well for us so far using the browser to SSO into O365. 

However I am now facing an issue similar to the one described in this thread
when trying to activate Office Mobile on iOS or Android:
http://shibboleth.1660669.n2.nabble.com/iOS-Adfs-Shibboleth-IDP-td7613584.html#a7613595. 

I followed the updated documentation on the MicrosoftInterop and modified my
handler.xml to have the following snippet:
---------------------------

<ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</ph:AuthenticationMethod>
</ph:LoginHandler>
---------------------------

When I fire up the Office Mobile app and put in my email address I
successfully transition from ADFS to Shib to CAS. However, when coming back
from CAS to Shib after a successful CAS authentication I see the following
error in the idp-process.log:

---------------------------
09:57:24.923 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:240] -
Beginning user authentication process.
09:57:24.923 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:283] -
Filtering configured LoginHandlers:
{urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler at 190cbcd8,
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler at 134215c1,
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@134215c1}
09:57:24.923 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:288] -
Filtering possible login handlers by requested authentication methods:
[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password]
09:57:24.923 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:296] -
Filtering out login handler for authentication
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified, it does not provide a
requested authentication method
09:57:24.923 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:332] -
Filtering out previous session login handler because there is no existing
IdP session
09:57:24.923 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:385] -
Forced authentication is required, filtering possible login handlers
accordingly
09:57:24.924 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:406] -
Authentication handlers remaining after forced authentication requirement
filtering:
{http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@134215c1}
09:57:24.924 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:464] -
Selecting appropriate login handler from filtered set
{http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@134215c1}
09:57:24.924 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:497] -
Authenticating user with login handler of type
edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
09:57:24.924 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:66]
- Redirecting to https://shib.cuw.edu:443/idp/Authn/RemoteUser
09:57:25.004 - TRACE
[edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] -
Attempting to retrieve IdP session cookie.
09:57:25.007 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet:73]
- Remote user identified as a_test_user returning control back to
authentication engine
09:57:25.010 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:144] -
Returning control to authentication engine
09:57:25.010 - TRACE
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] -
Looking up LoginContext with key
d7deed02d68d896451701247cf89f5aa740a2cf6f996b2a5863d326de691ae2d from
StorageService parition: loginContexts
09:57:25.010 - TRACE
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] -
Retrieved LoginContext with key
d7deed02d68d896451701247cf89f5aa740a2cf6f996b2a5863d326de691ae2d from
StorageService parition: loginContexts
09:57:25.012 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] -
Processing incoming request
09:57:25.013 - TRACE
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] -
Looking up LoginContext with key
d7deed02d68d896451701247cf89f5aa740a2cf6f996b2a5863d326de691ae2d from
StorageService parition: loginContexts
09:57:25.013 - TRACE
[edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] -
Retrieved LoginContext with key
d7deed02d68d896451701247cf89f5aa740a2cf6f996b2a5863d326de691ae2d from
StorageService parition: loginContexts
09:57:25.013 - DEBUG
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:514] -
Completing user authentication process
09:57:25.013 - ERROR
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:529] -
Relying patry required an authentication method of
[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password]
but the login handler performed
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
09:57:25.018 - ERROR
[edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:563] -
Authentication failed with the error:
edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException:
Relying patry required an authentication method of
[http://schemas.microsoft.com/ws/2008/06/identit
---------------------------

I am not sure why this is so. Does the CAS authentication filter use
PasswordProtectedTransport no matter what I would specify in my RemoteUser
filter in handler.xml? 

Thank you for the help,

Seth



--
View this message in context: http://shibboleth.1660669.n2.nabble.com/ADFS-Shib-2-Idp-CAS-tp7614487.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
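The log above shows two separate checks in the IdP 2.x AuthenticationEngine: the handler set is first filtered by the methods the relying party requested, and after login the method the handler actually reports back must be one of those requested methods. The following is an added model of that logic (it is not the poster's code nor the Shibboleth project's); the fallback from a reported method to the attempted one, and the ForceAuthn/no-session handling, are assumptions about the engine made for illustration.

```python
from typing import Dict, List, Optional

# Method URIs as they appear in the poster's handler.xml and idp-process.log
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MS_PASSWORD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"


class AuthenticationException(Exception):
    pass


def build_handler_map(handlers: Dict[str, List[str]]) -> Dict[str, str]:
    """{handler name: [declared method URIs]} -> {method URI: handler name},
    i.e. one LoginHandler indexed once per AuthenticationMethod it declares."""
    return {m: name for name, methods in handlers.items() for m in methods}


def filter_handlers(handler_map: Dict[str, str], requested: List[str],
                    has_idp_session: bool, force_authn: bool) -> Dict[str, str]:
    """Stage 1: keep only methods the RP asked for; drop PreviousSession when
    there is no IdP session or the RP demanded forced (fresh) authentication."""
    remaining = {m: h for m, h in handler_map.items() if not requested or m in requested}
    if not has_idp_session or force_authn:
        remaining.pop(PREVIOUS_SESSION, None)
    return remaining


def complete_authentication(requested: List[str], attempted: str,
                            reported: Optional[str]) -> str:
    """Stage 2: the method the login handler reports (the request attribute a
    CAS filter or servlet may set) must be one the RP requested. Assumed model:
    with no reported method, the attempted one is used. Without this check a
    weaker method could silently satisfy a stronger requested context."""
    actual = reported or attempted
    if requested and actual not in requested:
        raise AuthenticationException(
            f"Relying party required an authentication method of {requested} "
            f"but the login handler performed {actual}")
    return actual


def run_flow(requested: List[str], reported: Optional[str]):
    """One ADFS-style request (ForceAuthn set, no IdP session), using the
    poster's handler.xml; returns (attempted method, result or error text)."""
    handlers = {"RemoteUser": [UNSPECIFIED, PPT, MS_PASSWORD],
                "PreviousSession": [PREVIOUS_SESSION]}
    remaining = filter_handlers(build_handler_map(handlers), requested, False, True)
    attempted = next(iter(remaining))  # engine selects from the filtered set
    try:
        return attempted, complete_authentication(requested, attempted, reported)
    except AuthenticationException as exc:
        return attempted, str(exc)
```

Running `run_flow([MS_PASSWORD], PPT)` reproduces the failure in the log: the handler passes the first filter because handler.xml declares the Microsoft URI, but the method reported after CAS login is PasswordProtectedTransport, so the second check rejects it.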