Shibboleth IdP v3.X plugin for authentication via an external CAS Server
Michael A Grady
mgrady at unicon.net
Sat Jun 20 21:20:56 UTC 2020
I thought that someone had fixed the documentation to be clearer, but it doesn't appear that they have. You need to be sure that in the IdP's conf/authn/general-authn.xml file you add any and all needed principal names to the authn/External bean. E.g. (if you wanted the usual Password class and also wanted it to handle REFEDS MFA. You might need to add other password-type principals depending on what any services you are integrated with might be sending as a requested authn context. You will need whatever principals you had previously listed on the authn/Shibcas bean in that same file, if you were using an older version of this plugin.)
    <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
            p:passiveAuthenticationSupported="true"
            p:forcedAuthenticationSupported="true"
            p:nonBrowserSupported="false">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="https://refeds.org/profile/mfa" />
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            </list>
        </property>
    </bean>
> On Jun 20, 2020, at 5:55 AM, Mathew, Sunil <smathew at hbs.edu> wrote:
>
> Hi,
>
> We have CAS as the external server and Shibboleth (3.1.1) used to authenticate with Remote User. Instead I am trying to use CAS plugin for Shibboleth (3.4.6) authentication: https://github.com/Unicon/shib-cas-authn3
>
> But I am getting the following error:
> 2020-06-20T10:47:25.099968500Z shib-idp;idp-process.log;dev;nothing;2020-06-20 10:47:25,099 - 172.22.0.1 - WARN [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:219] - Profile Action PopulateAuthenticationContext: No authentication flows are active for this request
> 2020-06-20T10:47:25.100032900Z shib-idp;idp-warn.log;dev;nothing;2020-06-20 10:47:25,099 - 172.22.0.1 - WARN [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:219] - Profile Action PopulateAuthenticationContext: No authentication flows are active for this request
> 2020-06-20T10:47:25.199464800Z shib-idp;idp-process.log;dev;nothing;2020-06-20 10:47:25,197 - 172.22.0.1 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:313] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication failed
>
> Has anyone been able to use the CAS plugin for Shibboleth authentication?
>
>
> Regards,
> Sunil
--
Michael A. Grady
IAM Architect, Unicon, Inc.
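
One way to check the point made in the reply above, as an added example that is not part of the original thread or of the plugin's code: parse general-authn.xml and report which requested authn context class refs are not listed under supportedPrincipals on the authn/External bean. The function names are hypothetical, the sample XML is constructed from the bean in the reply wrapped in a root element with the standard Spring namespaces, and it assumes principals are declared with the c:classRef attribute as shown there.

```python
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
C_NS = "{http://www.springframework.org/schema/c}"

# Constructed sample: the bean from the reply inside a minimal Spring <beans> root.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
  <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
        p:passiveAuthenticationSupported="true"
        p:forcedAuthenticationSupported="true"
        p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
      <list>
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="https://refeds.org/profile/mfa" />
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
      </list>
    </property>
  </bean>
</beans>"""

def supported_class_refs(xml_text, flow_id="authn/External"):
    """Return the classRef values under supportedPrincipals, or None if the bean is absent."""
    root = ET.fromstring(xml_text)
    for bean in root.iter(BEANS + "bean"):
        if bean.get("id") != flow_id:
            continue
        refs = set()
        for prop in bean.findall(BEANS + "property"):
            if prop.get("name") == "supportedPrincipals":
                for inner in prop.iter(BEANS + "bean"):
                    ref = inner.get(C_NS + "classRef")
                    if ref:
                        refs.add(ref)
        return refs
    return None  # no bean with this id in the file

def missing_principals(xml_text, requested, flow_id="authn/External"):
    """Return the requested class refs that the flow bean does not list."""
    refs = supported_class_refs(xml_text, flow_id)
    if refs is None:
        return sorted(requested)
    return sorted(set(requested) - refs)

if __name__ == "__main__":
    print(missing_principals(SAMPLE, ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"]))
```

Running it against the real file with the class refs your services request, and with flow_id set to the old authn/Shibcas id, shows which principals still need to be carried over to authn/External.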