Overview
The integration between the CAS Server and ADFS delegates user authentication from CAS Server to ADFS, making CAS Server a WS-Federation client. Claims released from ADFS are made available as attributes to CAS Server, and by extension CAS Clients.
The functionality described here allows CAS to use ADFS as an external identity provider. If you wish to do the opposite, allowing ADFS to become a CAS client and using CAS as an identity provider, you may take advantage of SAML2 support in CAS as one integration option.
Support is enabled by including the following dependency in the WAR overlay:
```xml
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-wsfederation-webflow</artifactId>
  <version>${cas.version}</version>
</dependency>
```
```groovy
implementation "org.apereo.cas:cas-server-support-wsfederation-webflow:${project.'cas.version'}"
```
```groovy
dependencyManagement {
  imports {
    mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
  }
}
dependencies {
  implementation "org.apereo.cas:cas-server-support-wsfederation-webflow"
}
```
```groovy
dependencies {
  /*
  The following platform references should be included automatically and are listed here for reference only.
  implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
  implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
  */
  implementation "org.apereo.cas:cas-server-support-wsfederation-webflow"
}
```
You may also need to declare the following repository in your CAS Overlay to be able to resolve dependencies:
```groovy
repositories {
  maven {
    mavenContent { releasesOnly() }
    url "https://build.shibboleth.net/maven/releases/"
  }
}
```
It is a good idea to make sure you have the proper JCE bundle installed in the Java environment used by CAS, especially if you need to consume encrypted payloads issued by ADFS. Be sure to pick the right version of the JCE for your Java version. The Java version can be detected via the `java -version` command.
WsFed Configuration
Adjust and provide settings for the ADFS instance, and make sure you have obtained the ADFS signing certificate and made it available to CAS at a location that can be resolved at runtime.
The following settings and properties are available from the CAS configuration catalog:
`cas.authn.wsfed[0].attribute-mutator-script.location=`
The location of the resource. Resources can be URLs, or files found either on the classpath or somewhere on the file system. If the configured resource is a Groovy script, especially if the script is set to reload on changes, you may need to adjust the total number of inotify instances. On Linux, you may need to add the following line to `/etc/sysctl.conf`: `fs.inotify.max_user_instances = 256`. You can check the current value via `cat /proc/sys/fs/inotify/max_user_instances`.

`cas.authn.wsfed[0].cookie.crypto.encryption.key=EMPTY`
The encryption key is a JWT whose length is defined by the encryption key size setting.

`cas.authn.wsfed[0].cookie.crypto.signing.key=EMPTY`
The signing key is a JWT whose length is defined by the signing key size setting.

`cas.authn.wsfed[0].principal.principal-transformation.groovy.location=`
The location of the resource. Resources can be URLs, or files found either on the classpath or somewhere on the file system. If the configured resource is a Groovy script, especially if the script is set to reload on changes, you may need to adjust the total number of inotify instances. On Linux, you may need to add the following line to `/etc/sysctl.conf`: `fs.inotify.max_user_instances = 256`. You can check the current value via `cat /proc/sys/fs/inotify/max_user_instances`.

`cas.authn.wsfed[0].id=`
Internal identifier for this wsfed configuration. If undefined, the identifier is auto-generated by CAS itself. If there is more than one CAS server in a clustered deployment, this identifier must be statically defined in the configuration.

`cas.authn.wsfed[0].identity-attribute=upn`
The attribute extracted from the assertion and used to construct the CAS principal id.

`cas.authn.wsfed[0].identity-provider-identifier=http://adfs.example.org/adfs/services/trust`
The entity id or the identifier of the Wsfed instance. This setting supports the Spring Expression Language.

`cas.authn.wsfed[0].identity-provider-url=https://adfs.example.org/adfs/ls/`
Wsfed identity provider URL. This setting supports the Spring Expression Language.

`cas.authn.wsfed[0].relying-party-identifier=urn:cas:localhost`
The identifier for CAS (RP) registered with wsfed. This setting supports the Spring Expression Language.

`cas.authn.wsfed[0].signing-certificate-resources=classpath:adfs-signing.crt`
Locations of signing certificates used to verify assertions. Locations can be specified as static file-system resources (certificates), or as federation XML metadata, either as a URL or an XML file. If federation metadata XML is provided, the signing certificate is extracted from the
`cas.authn.wsfed[0].principal.active-attribute-repository-ids=`
Activated attribute repository identifiers that should be used for fetching attributes if attribute resolution is enabled. The list here may include multiple identifiers separated by commas.

`cas.authn.wsfed[0].principal.attribute-resolution-enabled=UNDEFINED`
Whether attribute repositories should be contacted to fetch person attributes. Defaults to true if not set.

`cas.authn.wsfed[0].principal.principal-attribute=`
Attribute name used to indicate the identifier of the constructed principal. If the attribute is blank or has no values, the default principal id determined by the underlying authentication engine will be used. The principal id attribute is usually removed from the collection of attributes collected, though this behavior depends on the schematics of the underlying authentication strategy.

`cas.authn.wsfed[0].principal.principal-resolution-conflict-strategy=last`
In the event that the principal resolution engine resolves more than one principal (especially if such principals in the chain have different identifiers), this setting determines the strategy by which the principal id is chosen from the chain. Accepted values are:

`cas.authn.wsfed[0].principal.principal-resolution-failure-fatal=UNDEFINED`
When true, throws an error back indicating that principal resolution has failed and no principal can be found based on the authentication requirements. Otherwise, logs the condition as an error without raising a catastrophic error.

`cas.authn.wsfed[0].principal.principal-transformation.blocking-pattern=`
A regular expression that will be matched against the username to detect blocked/forbidden values. If a match is found, an exception will be thrown and principal transformation will fail.

`cas.authn.wsfed[0].principal.principal-transformation.case-conversion=NONE`
Indicates whether the principal identifier should be transformed into upper-case, lower-case, etc. Available values are as follows:

`cas.authn.wsfed[0].principal.principal-transformation.pattern=`
A regular expression that will be matched against the provided username for username extraction. On a successful match, the first matched group in the pattern will be used as the extracted username.

`cas.authn.wsfed[0].principal.principal-transformation.prefix=`
Prefix to add to the principal id prior to authentication.

`cas.authn.wsfed[0].principal.principal-transformation.suffix=`
Suffix to add to the principal id prior to authentication.

`cas.authn.wsfed[0].principal.return-null=UNDEFINED`
Return a null principal object if no attributes can be found for the principal.

`cas.authn.wsfed[0].principal.use-existing-principal-id=UNDEFINED`
Uses an existing principal id that may have already been established in order to run person directory queries. This is generally useful in situations where authentication is delegated to an external identity provider and a principal is first established in order to then query an attribute source.
`cas.authn.wsfed[0].cookie.crypto.alg=DEFAULT_CONTENT_ENCRYPTION_ALGORITHM`
The signing/encryption algorithm to use.

`cas.authn.wsfed[0].cookie.crypto.enabled=true`
Whether crypto operations are enabled.

`cas.authn.wsfed[0].cookie.crypto.encryption.key-size=512`
The encryption key size.

`cas.authn.wsfed[0].cookie.crypto.signing.key-size=512`
The signing key size.

`cas.authn.wsfed[0].cookie.crypto.strategy-type=ENCRYPT_AND_SIGN`
Controls the cipher sequence of operations. The accepted values are:
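The settings from the catalog above assembled into one `cas.properties` fragment for a single ADFS instance, as an added example that is not taken from the CAS documentation; the host names, relying party identifier, certificate path, regular expressions and the two key values are assumed placeholders, and the `LOWERCASE` case-conversion value is assumed from the CAS property enum rather than listed on this page:

```properties
# Added example (not part of the CAS documentation); every value below is a placeholder.
# Statically define the id so every node in a clustered deployment shares the same identifier
# instead of each node auto-generating its own.
cas.authn.wsfed[0].id=adfs-corp

# The ADFS federation service identifier (the issuer ADFS places in its tokens) and the
# endpoint users are redirected to for authentication.
cas.authn.wsfed[0].identity-provider-identifier=http://adfs.example.org/adfs/services/trust
cas.authn.wsfed[0].identity-provider-url=https://adfs.example.org/adfs/ls/

# The relying party trust registered in ADFS for this CAS server.
cas.authn.wsfed[0].relying-party-identifier=urn:cas:sso.example.org

# Pin the ADFS signing certificate to a local copy obtained out of band, so assertion
# verification does not depend on fetching federation metadata over the network at runtime.
cas.authn.wsfed[0].signing-certificate-resources=file:/etc/cas/config/adfs-signing.crt

# Claim used to build the CAS principal id.
cas.authn.wsfed[0].identity-attribute=upn

# Fail the login rather than only logging an error when no principal can be resolved,
# and pick the last principal if the resolution chain yields more than one.
cas.authn.wsfed[0].principal.principal-resolution-failure-fatal=true
cas.authn.wsfed[0].principal.principal-resolution-conflict-strategy=last

# Normalize the principal id, keep only the first capture group (a UPN in the expected
# domain) and reject ids matching the blocking pattern; the patterns are illustrative.
cas.authn.wsfed[0].principal.principal-transformation.case-conversion=LOWERCASE
cas.authn.wsfed[0].principal.principal-transformation.pattern=^([a-z0-9._-]+@example\\.org)$
cas.authn.wsfed[0].principal.principal-transformation.blocking-pattern=^(admin|root|svc-)

# Cookie crypto: keys left at EMPTY are generated per node at startup, so a clustered
# deployment must set them explicitly; both values are placeholders for generated keys.
cas.authn.wsfed[0].cookie.crypto.enabled=true
cas.authn.wsfed[0].cookie.crypto.strategy-type=ENCRYPT_AND_SIGN
cas.authn.wsfed[0].cookie.crypto.encryption.key-size=512
cas.authn.wsfed[0].cookie.crypto.signing.key-size=512
cas.authn.wsfed[0].cookie.crypto.encryption.key=<PLACEHOLDER-ENCRYPTION-KEY>
cas.authn.wsfed[0].cookie.crypto.signing.key=<PLACEHOLDER-SIGNING-KEY>
```

In a `.properties` file a backslash must be doubled, which is why the domain dot in the extraction pattern is written as `\\.`.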