We were able to integrate CAS 5.2.6 using delegated authentication with Azure AD (Saml Idp)
The integrated is working fine when the client webapp is deployed on Tomcat-9
The same client WAR fails in JBoss-EAP or Wildfly because of SaxParing exception This is because Jboss is using xercesImpl for parsing Xml which fails when the xml element is numeric.
So, a standard solution will be to use AttributeResolver configuration on CAS server side to ensure that we map the attribute to standard names (vs numeric names)
Attached herewith the SAML response and CAS Client Response
<samlp:Response
Destination="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"
ID="_6a00b756-53f4-4702-b329-7a6af0145fa0" InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_337eded3-a927-4674-b78a-77259cfbf784" IssueInstant="2018-10-04T13:22:05.275Z"
Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_337eded3-a927-4674-b78a-77259cfbf784">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
NotOnOrAfter="2018-10-04T13:27:05.275Z"
Recipient="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"/></SubjectConfirmation>
</Subject>
<Conditions NotBefore="2018-10-04T13:17:05.275Z" NotOnOrAfter="2018-10-04T14:17:05.275Z">
<AudienceRestriction>
<Audience>spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>522b3803-a001-4675-b3b5-1d727d43585a</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>8fa1e8a3-41b8-440e-91cf-fafa246ab571</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>xxxxx@AAAA.onmicrosoft.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>Firstname Lastname</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2018-10-04T09:50:06.611Z"
SessionIndex="_337eded3-a927-4674-b78a-77259cfbf784">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
CAS Client Response
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
<cas:attributes>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
<cas:authenticationDate>2018-10-04T13:22:05.643Z[Etc/UTC]</cas:authenticationDate>
<cas:clientName>MY_SAML</cas:clientName>
<cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
<cas:notBefore>2018-10-04T13:17:05.275Z</cas:notBefore>
<cas:credentialType>ClientCredential</cas:credentialType>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/claims/multipleauthn</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>522b3803-a001-4675-b3b5-1d727d43585a</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>
<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>myuserID@MYDOMAIN.onmicrosoft.com</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
<cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>
<cas:notOnOrAfter>2018-10-04T14:17:05.275Z</cas:notOnOrAfter>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:sessionindex>_337eded3-a927-4674-b78a-77259cfbf784</cas:sessionindex>
</cas:attributes>
</cas:authenticationSuccess>
So, we need to map this attribute - 687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65
to a standard attribute name via AttributeResolver
We have tried the following configuration but its not working out
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"name" : "username",
"displayname" : "userdisplayname",
"someattrname" : "groovy { return attributes['name']}"
}
}
So, anyone who was able to map the attributeNames via AttributeReleasePolicies ? Any help related to this configuration will be really helpful
This issue is resolved. We had to give the complete path of the attribute and not just part of the name
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|imaps)://.*"
"name" : "SOME-NAME",
"id" : 200,
"description" : "This configuration is for app",
"evaluationOrder" : 10000
"logoutType" : "BACK_CHANNEL",
"logoutUrl" : "https://login.microsoftonline.com/522b3803-a001-4675-b3b5-1d727d43585a/saml2"
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"userid" : "groovy { return attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']}"
"displayname" : "groovy { return attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname']}"
}
}
}
So, post this configuration change, now the SAML Response is returning meaningful names
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>Elsbhy4pa-ZLcZ7OWNZ-0vKWjqzV4F7UfVYjRJTCjDY</cas:user>
<cas:attributes>
<cas:credentialType>ClientCredential</cas:credentialType>
<cas:isFromNewLogin>false</cas:isFromNewLogin>
<cas:authenticationDate>2018-10-05T09:20:07.216Z[Etc/UTC]</cas:authenticationDate>
<cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
<cas:clientName>SOME_CLIENT</cas:clientName>
<cas:displayname>FirstName Lastname</cas:displayname>
<cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:userid>myusername@MYDOMAIN.onmicrosoft.com</cas:userid>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>