Shibboleth IdP Web Login Service - Unsupported Request

fazla fazlarabby043264 at
Thu Sep 6 00:57:48 EDT 2018


Thanks a lot for your detailed response. 

I am using ShibCas that delegates the authentication to an external Central
Authentication Server. 

For that, at first I installed the Shibboleth IdP with Jetty, and
then I downloaded the Shibboleth IdP V 3.X plugin for authentication
via an external CAS server from GitHub. Then from there

    I have copied the Spring Webflow files, jsp, and included jar files into
First I copied the gradle-wrapper.jar and pasted it to
Shibboleth\IdP\edit-webapp\WEB-INF\lib. Then I copied the jsp and put it in
Shibboleth\IdP\edit-webapp\WEB-INF\jsp. I also copied the
shibcas-authn-flow.xml and shibcas-authn-beans.xml to
    Couldn't update the IdP's web.xml, as after adding the ShibCas Auth
Servlet I am getting a 503

        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <servlet-name>ShibCas Auth Servlet</servlet-name>

As it is optional, I have skipped this step.

    Updated the IdP's file.

# Regular expression matching login flows to enable, e.g. IPAddress|Password
#idp.authn.flows = Password
idp.authn.flows = Shibcas

# CAS Client properties (usage loosely matches that of the Java CAS Client)
## CAS Server Properties
shibcas.casServerUrlPrefix =
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login

## Shibboleth Server Properties
shibcas.serverName =

# By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
# Takes a comma separated list of fully qualified class names
# shibcas.casToShibTranslators =
# shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass

# Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30'
# shibcas.ticketValidatorName = cas30

# Specify if the Relying Party/Service Provider entityId should be appended as a separate entityId query string parameter
# or embedded in the "service" querystring parameter - `append` (default) or
# shibcas.entityIdLocation = append

    Updated the IdP's general-authn.xml file.

    <util:list id="shibboleth.AvailableAuthenticationFlows">

        <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
                p:nonBrowserSupported="false" />

    Rebuilt the war file.

Now can you please let me know what step I should follow and how I can check
whether it will delegate the authentication to CAS? Also, what should be the
correct URL to check?


I think you're still conflating the two ways that Shibboleth can interact
with CAS.

It can either act as a CAS server (which is the endpoint you're accessing,
and which does not need ShibCas) for CAS client applications using the CAS


it can be a CAS client (ShibCas) of an actual CAS server.  ShibCas then uses
the authentication provided by that CAS protocol transaction to perform a
secondary assertion of user information to another service, typically using
SAML as a protocol.

I think you want Shibboleth to be a CAS client, which means the CAS server
functionality built into Shibboleth is not relevant.  The flow through the
system would typically be:

SAML Service Provider -> Shibboleth SAML login point -> CAS Server ->
Shibboleth ShibCas plugin -> Shibboleth SAML assertion generation -> SAML
service provider

I think you should step back and understand how you want users to flow
through the system you're building.  There needs to be a clear vector that
is followed.

I'm not quite sure what else to write, I'm afraid.

I hope this helps,

On Thu, Sep 6, 2018 at 1:11 AM, fazla <fazlarabby043264@> wrote:

> We are trying to delegate the Shibboleth IdP authentication to CAS. The
> ShibCas plugin is already added and then the service was also added in the
> cas-protocol.xml. I have attached relying-party.xml, cas-protocol.xml
> and general-authn.xml.
> Now if we try
> https://localhost:8443/idp/profile/cas/login?service=
> instead of redirecting us to CAS, we are getting this error in the browser.
> Web Login Service - Unsupported Request
> The application you have accessed is not registered for use with this
> service.
> These are the logs.
> --
> For Consortium Member technical support, see
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe@
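
As an added example (not part of this thread and not ShibCas project code), the following Python sketch checks the idp.properties settings quoted in the message above before the war file is rebuilt: that idp.authn.flows enables the flow id declared in general-authn.xml, and that the shibcas.* URLs are set. It assumes the flows value is matched as a full regular expression against the flow id with the authn/ prefix removed; the https requirement and the example.org hostnames are choices made for this example.

```python
import re

# Constructed sample idp.properties fragment; hostnames are placeholders.
SAMPLE = """\
# Regular expression matching login flows to enable
idp.authn.flows = Shibcas
shibcas.casServerUrlPrefix = https://cas.example.org/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
shibcas.serverName = https://idp.example.org
"""

def parse_properties(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def resolve(props, key, depth=0):
    """Expand ${other.key} references, as the casServerLoginUrl line uses them."""
    value = props.get(key, "")
    if depth > 5:  # guard against self-referencing properties
        return value
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: resolve(props, m.group(1), depth + 1), value)

def check_shibcas(text, flow_id="authn/Shibcas"):
    """Return a list of problems; flow_id is the bean id from general-authn.xml."""
    props = parse_properties(text)
    problems = []
    flows = props.get("idp.authn.flows", "")
    # Assumption: full regex match against the flow id without "authn/",
    # so the match is case-sensitive ("Shibcas" is not "ShibCas").
    name = flow_id.split("/", 1)[-1]
    if not flows or not re.fullmatch(flows, name):
        problems.append(f"idp.authn.flows={flows!r} does not enable {flow_id}")
    for key in ("shibcas.casServerUrlPrefix", "shibcas.casServerLoginUrl",
                "shibcas.serverName"):
        value = resolve(props, key)
        if not value:
            problems.append(f"{key} is empty")
        elif not value.startswith("https://"):
            problems.append(f"{key} is not an https URL: {value}")
    return problems
```
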
