Shib v3.2.1 cas-protocol authentication to BannerXe

Jason Rotunno jrotunno at swarthmore.edu
Tue May 31 14:15:34 EDT 2016


It turns out this has nothing to do with CAS. I tried with a different user
and it was successful. Apparently, for some users far fewer attributes are
being returned from LDAP (attributes such as displayName, givenName,
surname, email, etc. aren't coming back from AD despite being populated). No
idea why but it's not a CAS or Banner issue.

Jason


On Tue, May 31, 2016 at 11:44 AM, Jason Rotunno <jrotunno at swarthmore.edu>
wrote:

> Hi,
>
> On Fri, May 13, 2016 at 7:55 AM, Marvin Addison <marvin.addison at gmail.com>
> wrote:
>
>> On Thu, May 12, 2016 at 1:50 PM Niva Agmon <nagmon at temple.edu> wrote:
>>
>>> Has anyone been able to successfully configure authentication to
>>> BannerXe (Banner9) using Shib v3.2.1 cas-protocol?
>>>
>> I'm fairly certain we have successfully done this.
>>
>>> We are getting access denied on the Banner side and it looks like the
>>> user is null.
>>>
>> I've seen a number of Banner/CAS integration problems and most of them
>> are related to attribute release. You must ensure that the UDC_IDENTIFIER
>> attribute is coming over the wire. Put the org.jasig.cas package in DEBUG
>> and make sure you see it in the ticket validation response.
>>
>>
>
> We're attempting to get BEIS v8.3.2 working with Shibboleth/CAS v3.2 and sending
> the UDC_IDENTIFIER attribute with the correct value over the wire seems to
> be the issue we're having. The attribute is in the ticket validation
> response but the Banner logs show the following:
>
> INFO [com.ellucian.sso.ssb.dao.impl.SessionInitDaoImpl.<initSession>] -
> Initializing a session for the Udc Id:ZERO_LENGTH_VALUE
>
> Likewise, the Shibboleth logs produce this:
>
> DEBUG
> [net.shibboleth.idp.attribute.resolver.ad.impl.ScriptedIdPAttributeImpl:220]
> - Attribute Definition 'UDC_IDENTIFIER': scripted attribute
> 'UDC_IDENTIFIER': recreated attribute contents are
> [EmptyAttributeValue{value=ZERO_LENGTH_VALUE}]
>
> When testing Shibboleth with the aacli.sh script, the correct value for
> UDC_IDENTIFIER is returned. When testing it with testshib, the shibd.log
> says that it's "skipping unmapped SAML 2.0 Attribute with Name:
> UDC_IDENTIFIER" but despite that the logs show that it has the correct
> value.
>
> When authenticating with Banner via CAS, however, it seems to send the
> UDC_IDENTIFIER attribute with an empty value.
>
> Unfortunately, I'm not particularly strong with Shibboleth or CAS and I'm
> learning this as I go along.
>
> Any tips would be appreciated.
>
> Thanks,
> Jason
>
>
>
> --
>
> Jason Rotunno
> Systems Administrator
> Swarthmore College
> 500 College Ave
> Swarthmore, PA 19081
> 610.328.8505
>
> IMPORTANT: Swarthmore College ITS staff will NEVER ask you for your
> password, including by email!  Please keep your passwords private to
> protect yourself and the security of our network.
>
>


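The check suggested in the thread (confirm that UDC_IDENTIFIER is in the ticket validation response) can be scripted so that an attribute that is present but empty is told apart from one that is missing. The following is an added example, not part of the original messages or of Shibboleth or Banner; the sample responses are constructed, and it assumes attributes are released as child elements of `cas:attributes` in the standard CAS namespace.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses (not captured from any real system).
POPULATED = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>user1</cas:user>
    <cas:attributes>
      <cas:UDC_IDENTIFIER>SAMPLE0001</cas:UDC_IDENTIFIER>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

EMPTY = POPULATED.replace("SAMPLE0001", "")
MISSING = POPULATED.replace(
    "<cas:UDC_IDENTIFIER>SAMPLE0001</cas:UDC_IDENTIFIER>", "")
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">constructed</cas:authenticationFailure>
</cas:serviceResponse>"""


def check_attribute(response_xml, name="UDC_IDENTIFIER"):
    """Return 'failure', 'missing', 'empty' or 'populated' for one attribute.

    response_xml is assumed to be copied from your own IdP's debug log.
    """
    root = ET.fromstring(response_xml)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return "failure"
    values = success.findall(f"cas:attributes/cas:{name}", CAS_NS)
    if not values:
        return "missing"
    # Element present but without text: the attribute is released,
    # yet the value that reaches the service is empty.
    if all(not (v.text or "").strip() for v in values):
        return "empty"
    return "populated"


if __name__ == "__main__":
    for label, xml in [("populated", POPULATED), ("empty", EMPTY),
                       ("missing", MISSING), ("failure", FAILURE)]:
        print(f"{label:10s} -> {check_attribute(xml)}")
```

Running the same check for a user who works and a user who fails shows whether the difference is already present in the IdP's response, which points at the attribute source rather than the service.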