Shibboleth IdP Web Login Service - Unsupported Request
fazla
fazlarabby043264 at gmail.com
Thu Sep 6 00:57:48 EDT 2018
Nate.
Thanks a lot for your detailed response.
I am using ShibCas, which delegates the authentication to an external Central
Authentication Server.
For that, I first installed Shibboleth IdP 3.3.3.1 with Jetty and
then I downloaded the Shibboleth IdP V 3.X plugin for authentication
via an external CAS server from GitHub. Then from there
I copied the Spring Webflow files, JSP, and included jar files into
the IDP_HOME.
First, I copied the gradle-wrapper.jar and pasted it to
Shibboleth\IdP\edit-webapp\WEB-INF\lib. Then I copied the JSP and put it in
Shibboleth\IdP\edit-webapp\WEB-INF\jsp. I also copied the
shibcas-authn-flow.xml and shibcas-authn-beans.xml to
Shibboleth\IdP\flows\authn\Shibcas.
I couldn't update the IdP's web.xml, as after adding the ShibCas Auth
Servlet I am getting a 503:
<servlet>
    <servlet-name>ShibCas Auth Servlet</servlet-name>
    <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>ShibCas Auth Servlet</servlet-name>
    <url-pattern>/Authn/ExtCas/*</url-pattern>
</servlet-mapping>
As it is optional, I have skipped this step.
Updated the IdP's idp.properties file.
# Regular expression matching login flows to enable, e.g. IPAddress|Password
#idp.authn.flows = Password
idp.authn.flows = Shibcas
# CAS Client properties (usage loosely matches that of the Java CAS Client)
## CAS Server Properties
shibcas.casServerUrlPrefix = https://cas.mycasserver.edu/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
## Shibboleth Server Properties
shibcas.serverName = https://idp.myshibbolethserver.edu
# By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
# Takes a comma separated list of fully qualified class names
# shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
# shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass
# Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default)
# shibcas.ticketValidatorName = cas30
# Specify if the Relying Party/Service Provider entityId should be appended as a separate entityId query string parameter
# or embedded in the "service" querystring parameter - `append` (default) or `embed`
# shibcas.entityIdLocation = append
Updated the IdP's general-authn.xml file.
<util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
          p:passiveAuthenticationSupported="true"
          p:forcedAuthenticationSupported="true"
          p:nonBrowserSupported="false" />
Rebuilt the WAR file.
Now can you please let me know what step I should follow and how I can check
whether it will delegate the authentication to CAS? What should be the
correct URL to check, too?
Fazla,
I think you're still conflating the two ways that Shibboleth can interact
with CAS.
It can either act as a CAS server (which is the endpoint you're accessing,
and which does not need ShibCas) for CAS client applications using the CAS
protocol
or
it can be a CAS client (ShibCas) of an actual CAS server. ShibCas then uses
the authentication provided by that CAS protocol transaction to perform a
secondary assertion of user information to another service, typically using
SAML as a protocol.
I think you want Shibboleth to be a CAS client, which means the CAS server
functionality built into Shibboleth is not relevant. The flow through the
system would typically be:
SAML Service Provider -> Shibboleth SAML login point -> CAS Server ->
Shibboleth ShibCas plugin -> Shibboleth SAML assertion generation -> SAML
service provider
I think you should step back and understand how you want users to flow
through the system you're building. There needs to be a clear vector that
is followed.
I'm not quite sure what else to write, I'm afraid.
I hope this helps,
Nate.
On Thu, Sep 6, 2018 at 1:11 AM, fazla <fazlarabby043264@> wrote:
> We are trying to delegate the shibboleth IdP authentication to CAS. The
> ShibCas plugin is already added and then the service was also added in the
> cas-protocol.xml. I have attached relying-party.xml
> <http://shibboleth.1660669.n2.nabble.com/file/t398743/relying-party.xml>,
> cas-protocol.xml
> <http://shibboleth.1660669.n2.nabble.com/file/t398743/cas-protocol.xml>
> and general-authn.xml
> <http://shibboleth.1660669.n2.nabble.com/file/t398743/general-authn.xml>.
>
> Now if we try
> https://localhost:8443/idp/profile/cas/login?service=https://myservice.example.edu
> instead of redirecting us to cas we are getting this error on the browser.
>
> Web Login Service - Unsupported Request
> The application you have accessed is not registered for use with this
> service.
>
>
> This is the logs.
>
> --
> Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe@
>
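
Added example (not part of the original thread, and not Shibboleth or ShibCas project code): a small consistency check over the settings posted above. It resolves the ${...} reference in the shibcas.* properties, lists which declared flow beans idp.authn.flows would enable, and names which of the two IdP roles from the reply a test URL exercises. Assumptions: the flow regex is compared with the bean id minus its "authn/" prefix, "/profile/SAML2/" is the IdP's SAML endpoint prefix (not shown in the thread), and the authn/Password bean is added only for contrast.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input, reduced from the excerpts posted in the thread.
PROPS = """\
#idp.authn.flows = Password
idp.authn.flows = Shibcas
shibcas.casServerUrlPrefix = https://cas.mycasserver.edu/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
shibcas.serverName = https://idp.myshibbolethserver.edu
"""
AUTHN_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow" />
    <bean id="authn/Password" parent="shibboleth.AuthenticationFlow" />
  </util:list>
</beans>
"""

def parse_props(text):
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def resolve(props, key):
    """Expand ${other.key} references as used by the shibcas.* lines."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: resolve(props, m.group(1)), props[key])

def enabled_flows(props, xml_text):
    """Flow beans whose id, minus 'authn/', fully matches idp.authn.flows (assumed)."""
    ids = [e.get("id") for e in ET.fromstring(xml_text).iter() if e.tag.endswith("}bean")]
    pattern = re.compile(props["idp.authn.flows"])
    return [i for i in ids if i.startswith("authn/") and pattern.fullmatch(i[6:])]

def classify(url):
    """Name the IdP role a test URL exercises, following the reply's two cases."""
    path = urlsplit(url).path
    if "/profile/cas/" in path:
        return "idp-as-cas-server"   # built-in CAS server; ShibCas is not involved
    if "/profile/SAML2/" in path:
        return "saml-login"          # entry point of the SP -> IdP -> CAS flow
    if "/Authn/ExtCas" in path:
        return "shibcas-callback"    # servlet path from the web.xml mapping above
    return "unknown"
```

Run against the URL from the original question, classify() reports the IdP's own CAS server endpoint, which is the one the reply says does not need ShibCas.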