Shib v3.2.1 cas-protocol authentication to BannerXe

Fri May 13 12:08:30 EDT 2016

Thanks so much for your reply Marvin!
Not sure how to put the org.jasig.cas package in DEBUG – I added a <logger name="org.jasig.cas" level="DEBUG"/> statement to logback.xml, but don’t really see more info, so am probably missing some steps..

I do have a small test website which is working fine with cas-protocol and the UDC_IDENTIFIER attribute is displayed in the ticket validation response.  The Idp cas setup is the same for both,  the client on the test website is using mod_auth_cas and  Banner is using the CAS grails springsecurity plugin.

Test site:
2016-05-13 10:45:26,981 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'UDC_IDENTIFIER' remained after filtering
2016-05-13 10:45:26,981 - DEBUG [net.shibboleth.idp.cas.flow.impl.PrepareTicketValidationResponseAction:111] - Processing IdPAttribute{id=UDC_IDENTIFIER, displayNames={}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder at 6911144], values=[StringAttributeValue{value=B591Fxxxx84Exxx41EDED67xxxxxxxxxxxxx}]}
2016-05-13 10:45:26,982 - INFO [Shibboleth-Audit.SSO:241] - 20160513T144526Z||487882949f58dc2208855ba5d772ffca3844a1a4e396e240928b4b39b4b61a86|https://np-fimsp.temple.edu/secure|https://www.apereo.org/cas/protocol/serviceValidate||||nagmon||UDC_IDENTIFIER|nagmon|ST-1463150726622-hIhVJp2RD0gj20n6CZgdXyZSI
2016-05-13 10:45:26,982 - DEBUG [net.shibboleth.idp.cas.flow.impl.BuildSamlValidationSuccessMessageAction:90] - Building SAML response for https://xxx-xxx.temple.edu/secure in IdP session 487882949f58dc2208855ba5d772ffca3844a1a4e396e240928b4b39b4b61a86
..

BannerXe authentication:

2016-05-13 10:43:11,160 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'UDC_IDENTIFIER' remained after filtering
2016-05-13 10:43:11,162 - DEBUG [net.shibboleth.idp.cas.flow.impl.GrantServiceTicketAction:89] - Granting service ticket for http://np-weblogic1.erp.temple.edu:8180/StudentAdvisorSSB/j_spring_cas_security_check
2016-05-13 10:43:11,162 - DEBUG [net.shibboleth.idp.cas.ticket.impl.SimpleTicketService:193] - Storing ST-1463150591162-Asf0z3JPr18I64zTpHGJQsIUW in context https://www.apereo.org/cas/protocol/login
2016-05-13 10:43:11,165 - INFO [net.shibboleth.idp.cas.flow.impl.GrantServiceTicketAction:100] - Granted service ticket for http://xxx-xxxx.erp.temple.edu:8180/StudentAdvisorSSB/j_spring_cas_security_check
2016-05-13 10:43:11,166 - INFO [Shibboleth-Audit.SSO:241] - 20160513T144311Z||487882949f58dc2208855ba5d772ffca3844a1a4e396e240928b4b39b4b61a86|http://xxx-xxxx.temple.edu:8180/StudentAdvisorSSB/j_spring_cas_security_check|https://www.apereo.org/cas/protocol/login||||nagmon|||nagmon|ST-1463150591162-Asf0z3JPr18I64zTpHGJQsIUW

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Marvin Addison
Sent: Friday, May 13, 2016 7:56 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Shib v3.2.1 cas-protocol authentication to BannerXe

On Thu, May 12, 2016 at 1:50 PM Niva Agmon <nagmon at temple.edu<mailto:nagmon at temple.edu>> wrote:
Has anyone been able to successfully configure authentication to BannerXe (Banner9) using Shib v3.2.1 cas-protocol?
I'm fairly certain we have successfully done this.
We are getting access denied on the Banner side and it looks like the user is null.
I've seen a number of Banner/CAS integration problems and most of them are related to attribute release. You must ensure that the UDC_IDENTIFIER attribute is coming over the wire. Put the org.jasig.cas package in DEBUG and make sure you see it in the ticket validation response.

M

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160513/36bd4a9a/attachment.html>