ADFS + Shib 2 Idp + CAS

seth underhill seth.underhill at cuw.edu
Fri May 1 17:32:11 EDT 2015


Thanks for the reply Scott.

The only time that MS auth method comes through is when students are coming into the Shib IdP from ADFS via the Office Mobile App.

Interestingly the CAS config still works with logins into O365 (I assume that O365 doesn't require http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password for an authentication method).

Given what you have explained I will modify web.xml thus:

<servlet>
    <servlet-name>UsernamePassword</servlet-name>
    <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
    <init-param>
        <param-name>authnMethod</param-name>
        <param-value>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</param-value>
    </init-param>
</servlet>

Hopefully that will get me to where I need to be.

Thanks again.

~Seth

From: Cantor, Scott E. [via Shibboleth] [mailto:ml-node+s1660669n7614500h70 at n2.nabble.com]
Sent: Friday, May 01, 2015 4:20 PM
To: Underhill, Seth T
Subject: Re: ADFS + Shib 2 Idp + CAS

On 5/1/15, 4:55 PM, "seth underhill" <[hidden email]> wrote:

>Would that mean the example for ADFS V2 here:
>
>https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop
>
>is wrong in showing multiple <AuthenticationMethod>s in the UsernamePassword
>handler?

Incomplete or imperfect at least.

>I thought I would use two different types of handlers for this scenario
>instead of two of the same, so I tried setting the IdP to respond to the
>Microsoft password method in the UsernamePassword handler in my IdP instead
>of in RemoteUser:

That's up to you, but that means no CAS obviously.

>but I still get the same error if I go ADFS -> Shib IdP ->
>https://myidp/idp/Authn/UserPassword after
>after a successful auth comes back from the ldap.

That handler also returns PPT by default. Basically all of them do.

>So is it not possible for me to set the MS method in the servlet init
>parameter even if it is the only one for a given handler?

It's possible, but you didn't set that parameter in web.xml, at least based on the log.

-- Scott
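The thread turns on one detail: an IdP 2 login servlet that has no authnMethod init-param reports PasswordProtectedTransport (PPT), and the Microsoft password URI only appears if the parameter is actually set in web.xml. The script below is an added example, not part of this thread and not Shibboleth project code. It parses a web.xml, lists each Shibboleth login servlet with the method it will effectively report, and flags the two things this thread shows going wrong: a missing authnMethod parameter (falls back to PPT) and surrounding whitespace inside the value. The web.xml sample is constructed for the example; only the UsernamePasswordLoginServlet entry mirrors the one in the thread, and whether a container trims whitespace in param-value is treated as unknown, so it is reported as a warning rather than an error.

```python
"""Report the authentication method each Shibboleth IdP 2 login servlet will
return, based on the authnMethod init-param in web.xml.

Assumption (from the thread): a login servlet with no authnMethod init-param
defaults to PasswordProtectedTransport.
"""
import xml.etree.ElementTree as ET

PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MS_PASSWORD = (
    "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
)

# Constructed sample web.xml; the RemoteUser and Status servlets are
# illustrative entries, not copied from any real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>UsernamePassword</servlet-name>
    <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
    <init-param>
      <param-name>authnMethod</param-name>
      <param-value> http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>RemoteUserAuthHandler</servlet-name>
    <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Status</servlet-name>
    <servlet-class>edu.internet2.middleware.shibboleth.idp.StatusServlet</servlet-class>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so '{ns}servlet' and 'servlet' compare equal."""
    return tag.rsplit("}", 1)[-1]


def _text(el, name):
    """Text of the first direct child named `name`, or None if absent."""
    for child in el:
        if _local(child.tag) == name:
            return child.text or ""
    return None


def login_servlet_methods(web_xml):
    """Map servlet-name -> (effective authnMethod, list of warnings).

    Only servlets whose class lives under the IdP's authn package are
    considered login handlers; everything else is skipped.
    """
    root = ET.fromstring(web_xml)
    result = {}
    for el in root.iter():
        if _local(el.tag) != "servlet":
            continue
        name = (_text(el, "servlet-name") or "").strip()
        cls = _text(el, "servlet-class") or ""
        if "shibboleth.idp.authn" not in cls:
            continue
        warnings = []
        if cls != cls.strip():
            warnings.append("servlet-class has surrounding whitespace")
        method = None
        for param in el:
            if _local(param.tag) != "init-param":
                continue
            if (_text(param, "param-name") or "").strip() == "authnMethod":
                raw = _text(param, "param-value") or ""
                if raw != raw.strip():
                    warnings.append("authnMethod value has surrounding whitespace")
                method = raw.strip()
        if method is None:
            method = PPT  # assumed IdP 2 default when the param is absent
            warnings.append("no authnMethod init-param; defaults to PPT")
        result[name] = (method, warnings)
    return result


def servlets_not_reporting(web_xml, required):
    """Names of login servlets whose effective method differs from `required`."""
    return sorted(
        name for name, (method, _) in login_servlet_methods(web_xml).items()
        if method != required
    )


if __name__ == "__main__":
    for name, (method, warnings) in login_servlet_methods(SAMPLE_WEB_XML).items():
        print(f"{name}: {method}")
        for w in warnings:
            print(f"  warning: {w}")
    print("not reporting MS password method:",
          servlets_not_reporting(SAMPLE_WEB_XML, MS_PASSWORD))
```

Run against the sample, the UsernamePassword servlet resolves to the Microsoft URI but gets a whitespace warning, while the RemoteUser servlet is listed as falling back to PPT, which is exactly the situation in which a login relayed from ADFS would not see the method it expects.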

