Shibboleth IdP v3.X plugin for authentication via an external CAS Server
Mathew, Sunil
smathew at hbs.edu
Tue Jun 23 08:07:34 UTC 2020
Hi Michael,
We were using RemoteUser authentication using MOD_AUTH_CAS client. Instead I am trying to use the CAS plugin.
Here are my idp.properties changes:
#idp.authn.flows=Password|RemoteUser
idp.authn.flows = External
# CAS Client properties (usage loosely matches that of the Java CAS Client)
## CAS Server Properties
shibcas.casServerUrlPrefix = https://cas.hbsstg.org/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
## Shibboleth Server Properties
shibcas.serverName = https://sso.hbsstg.org
# By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
# Takes a comma separated list of fully qualified class names
# shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
# shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass
# Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default)
shibcas.ticketValidatorName = cas20
Here is the general-authn.xml file:
<!-- <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
          p:nonBrowserSupported="false" /> -->
<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true"
      p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </list>
    </property>
</bean>
Here is the edit-webapp/WEB-INF/web.xml change:
<!-- Servlet for receiving a callback from an external CAS Server and continues the IdP login flow -->
<servlet>
    <servlet-name>ShibCas Auth Servlet</servlet-name>
    <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>ShibCas Auth Servlet</servlet-name>
    <url-pattern>/Authn/External/*</url-pattern>
</servlet-mapping>
I added the no-conversation-state.jsp file to the edit-webapp folder. I also added the cas-client-core-3.6.0.jar and shib-cas-authenticator-3.3.0.jar files to the edit-webapp/WEB-INF/lib folder.
I confirmed that the changes are reflected inside the docker container.
Sunil
From: users <users-bounces at shibboleth.net> on behalf of Michael A Grady <mgrady at unicon.net>
Reply-To: Shib Users <users at shibboleth.net>
Date: Monday, June 22, 2020 at 10:19 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth IdP v3.X plugin for authentication via an external CAS Server
On Jun 21, 2020, at 6:00 AM, Mathew, Sunil <smathew at hbs.edu> wrote:
Thanks, I am not using MFA (only CAS). I should have mentioned that I am using the Shibboleth docker image.
As Peter indicated, how you are deploying the IdP does not matter. And whether you are using MFA does not matter. You still need to update the IdP to tell it what types of authentication the authn/External flow is intended to support. So just list the Password context if you aren't also using MFA.
Have you used the Shib-CAS-Authn3 plugin in the past, back when it required you to add a new flow, the authn/Shibcas one?
And what flow(s) do you have listed in your idp.properties as being active?
--
Michael A. Grady
IAM Architect, Unicon, Inc.
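An added consistency check for the three fragments posted above (idp.properties, general-authn.xml, web.xml). This is example code written for this thread, not code from the shib-cas-authenticator project or the Shibboleth IdP. It embeds constructed copies of the fragments with example.org hostnames, assumes the standard Spring beans/p/c namespace URIs on the <beans> root (which the pasted snippet omits), and reports the mismatches Michael's reply points at: the External flow not enabled in idp.authn.flows, an authn/External bean with no supportedPrincipals, and the servlet not mapped to /Authn/External/*. It also flags non-https CAS or IdP URLs, because the service ticket comes back on that callback.

```python
"""Consistency check for a shib-cas-authenticator (authn/External) deployment.

Added example for this thread, not project code. Expected values (flow name,
servlet class, URL pattern, validator names) are the ones shown in the message;
the Spring namespace URIs are the standard ones declared on a real <beans> root.
"""
import re
import xml.etree.ElementTree as ET

SPRING_BEANS = "http://www.springframework.org/schema/beans"
SPRING_P = "http://www.springframework.org/schema/p"
SPRING_C = "http://www.springframework.org/schema/c"
SHIBCAS_SERVLET = "net.unicon.idp.externalauth.ShibcasAuthServlet"

# Constructed sample: the idp.properties lines from the message, example.org hosts.
IDP_PROPERTIES = """
#idp.authn.flows=Password|RemoteUser
idp.authn.flows = External
shibcas.casServerUrlPrefix = https://cas.example.org/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
shibcas.serverName = https://sso.example.org
shibcas.ticketValidatorName = cas20
"""

# Constructed sample: the general-authn.xml bean, wrapped in the <beans> root a real file has.
GENERAL_AUTHN_XML = f"""<beans xmlns="{SPRING_BEANS}" xmlns:p="{SPRING_P}" xmlns:c="{SPRING_C}">
  <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
        p:passiveAuthenticationSupported="true"
        p:forcedAuthenticationSupported="true"
        p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
      <list>
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
      </list>
    </property>
  </bean>
</beans>
"""

# Constructed sample: the web.xml servlet and mapping from the message.
WEB_XML = f"""<web-app>
  <servlet>
    <servlet-name>ShibCas Auth Servlet</servlet-name>
    <servlet-class>{SHIBCAS_SERVLET}</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>ShibCas Auth Servlet</servlet-name>
    <url-pattern>/Authn/External/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#' comments, ${name} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    # One substitution pass is enough for the shallow references shibcas.* uses.
    for key, value in props.items():
        props[key] = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
    return props


def check_properties(props):
    """Return findings for idp.properties; an empty list means nothing to report."""
    findings = []
    flows = [f.strip() for f in props.get("idp.authn.flows", "").split("|") if f.strip()]
    if "External" not in flows:
        findings.append(f"idp.authn.flows does not enable the External flow: {flows}")
    for key in ("shibcas.casServerUrlPrefix", "shibcas.serverName"):
        if not props.get(key, "").startswith("https://"):
            findings.append(f"{key} is not an https URL; the service ticket travels on that callback")
    if props.get("shibcas.casServerLoginUrl") != props.get("shibcas.casServerUrlPrefix", "") + "/login":
        findings.append("shibcas.casServerLoginUrl differs from <casServerUrlPrefix>/login; confirm this is intended")
    if props.get("shibcas.ticketValidatorName", "cas30") not in ("cas10", "cas20", "cas30"):
        findings.append("shibcas.ticketValidatorName must be cas10, cas20 or cas30")
    return findings


def check_general_authn(xml_text):
    """Check that authn/External is declared as a browser flow with at least one principal."""
    root = ET.fromstring(xml_text)
    bean = next((b for b in root.iter(f"{{{SPRING_BEANS}}}bean") if b.get("id") == "authn/External"), None)
    if bean is None:
        return ["general-authn.xml: no bean with id authn/External"]
    findings = []
    if bean.get(f"{{{SPRING_P}}}nonBrowserSupported") != "false":
        findings.append('authn/External should set p:nonBrowserSupported="false"; the flow redirects a browser to CAS')
    refs = [b.get(f"{{{SPRING_C}}}classRef") for b in bean.iter(f"{{{SPRING_BEANS}}}bean") if b.get(f"{{{SPRING_C}}}classRef")]
    if not refs:
        findings.append("authn/External lists no supportedPrincipals, so the IdP cannot match it to a requested context")
    return findings


def check_web_xml(xml_text):
    """Check that ShibcasAuthServlet exists and is mapped where the flow sends the CAS callback."""
    root = ET.fromstring(xml_text)
    classes = {s.findtext("{*}servlet-name"): s.findtext("{*}servlet-class") for s in root.findall(".//{*}servlet")}
    patterns = {m.findtext("{*}servlet-name"): m.findtext("{*}url-pattern") for m in root.findall(".//{*}servlet-mapping")}
    cas_servlets = [name for name, cls in classes.items() if cls == SHIBCAS_SERVLET]
    if not cas_servlets:
        return ["web.xml: ShibcasAuthServlet is not declared"]
    if not any(patterns.get(name) == "/Authn/External/*" for name in cas_servlets):
        return ["web.xml: ShibcasAuthServlet is not mapped to /Authn/External/*, so the CAS callback never reaches it"]
    return []


def check_deployment(properties_text, general_authn_xml, web_xml):
    """Run all three checks; returns [] when the fragments agree with each other."""
    return check_properties(parse_properties(properties_text)) + check_general_authn(general_authn_xml) + check_web_xml(web_xml)


if __name__ == "__main__":
    for finding in check_deployment(IDP_PROPERTIES, GENERAL_AUTHN_XML, WEB_XML) or ["no findings"]:
        print(finding)
```

Run it against the real files by reading them in place of the constructed strings; any non-empty result names the fragment that disagrees with the others, which is what to fix before looking at the IdP log.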