Shibboleth IdP v3.X plugin for authentication via an external CAS Server

Mathew, Sunil smathew at hbs.edu
Sun Jun 21 11:00:24 UTC 2020


Thanks, I am not using MFA (only CAS). I should have mentioned that I am using the Shibboleth Docker image.

Sunil

From: users <users-bounces at shibboleth.net> on behalf of Michael A Grady <mgrady at unicon.net>
Reply-To: Shib Users <users at shibboleth.net>
Date: Saturday, June 20, 2020 at 5:21 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth IdP v3.X plugin for authentication via an external CAS Server

I thought that someone had fixed the documentation to be clearer, but it doesn't appear that they have. You need to be sure that in the IdP's conf/authn/general-authn.xml file you add any and all needed principal names to the authn/External bean. E.g. (if you wanted the usual Password class and also wanted it to handle REFEDS MFA. You might need to add other password-type principals depending on what any services you are integrated with might be sending as a requested authn context. You will need whatever principals you had previously listed on the authn/Shibcas bean in that same file, if you were using an older version of this plugin.)


<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true"
      p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </list>
    </property>
</bean>



On Jun 20, 2020, at 5:55 AM, Mathew, Sunil <smathew at hbs.edu> wrote:

Hi,

We have CAS as the external server and Shibboleth (3.1.1) used to authenticate with Remote User. Instead, I am trying to use the CAS plugin for Shibboleth (3.4.6) authentication: https://github.com/Unicon/shib-cas-authn3

But I am getting the following error:
2020-06-20T10:47:25.099968500Z shib-idp;idp-process.log;dev;nothing;2020-06-20 10:47:25,099 - 172.22.0.1 - WARN [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:219] - Profile Action PopulateAuthenticationContext: No authentication flows are active for this request
2020-06-20T10:47:25.100032900Z shib-idp;idp-warn.log;dev;nothing;2020-06-20 10:47:25,099 - 172.22.0.1 - WARN [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:219] - Profile Action PopulateAuthenticationContext: No authentication flows are active for this request
2020-06-20T10:47:25.199464800Z shib-idp;idp-process.log;dev;nothing;2020-06-20 10:47:25,197 - 172.22.0.1 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:313] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication failed

Has anyone been able to use the CAS plugin for Shibboleth authentication?


Regards,
Sunil



--
Michael A. Grady
IAM Architect, Unicon, Inc.
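
An added example, not part of the original thread and not code from the IdP or the plugin: a Python check that reads bean XML laid out like conf/authn/general-authn.xml and reports which required principals are missing from a flow bean's supportedPrincipals list. The sample XML is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

BEANS_NS = "{http://www.springframework.org/schema/beans}"
C_NS = "{http://www.springframework.org/schema/c}"

# Constructed sample laid out like conf/authn/general-authn.xml; not a real deployment's file.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:c="http://www.springframework.org/schema/c">
  <util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean id="authn/External" parent="shibboleth.AuthenticationFlow">
      <property name="supportedPrincipals">
        <list>
          <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </list>
      </property>
    </bean>
    <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow" />
  </util:list>
</beans>"""

# The two class references from the bean quoted in the thread.
REQUIRED = {"https://refeds.org/profile/mfa",
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}

def supported_principals(xml_text, flow_id):
    """Principal names declared on the flow bean; None if no bean has that id."""
    for bean in ET.fromstring(xml_text).iter(BEANS_NS + "bean"):
        if bean.get("id") != flow_id:
            continue
        names = set()
        for prop in bean.findall(BEANS_NS + "property[@name='supportedPrincipals']"):
            for inner in prop.iter(BEANS_NS + "bean"):
                # c:classRef carries the SAML 2.0 authentication context class
                ref = inner.get(C_NS + "classRef")
                if ref:
                    names.add(ref)
        return names
    return None

def missing_principals(xml_text, flow_id, required):
    """Required principals that the flow bean does not list, sorted."""
    declared = supported_principals(xml_text, flow_id)
    if declared is None:
        raise LookupError(f"no bean with id {flow_id!r}")
    return sorted(set(required) - declared)

if __name__ == "__main__":
    print(missing_principals(SAMPLE, "authn/External", REQUIRED))
```

The check covers only which principals a flow bean lists; it does not look at any other IdP setting.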


