IdP 3.4.6 with Unicon plugin for external CAS


IdP 3.4.6 with Unicon plugin for external CAS

Leonard J. Peirce-2
We've been using the plugin for a while and I'm attempting to
test the latest Unicon plugin for authentication via an
external CAS server for a new install of IdP 3.4.6.

The few steps in the CAS plugin's README.md are simple.  I copy
in the requisite files (no-conversation-state.jsp and both .jar
files), update idp.properties, and update web.xml with the
provided snippet:

     <!-- Servlet for receiving a callback from an external CAS Server
          and continues the IdP login flow -->
     <servlet>
         <servlet-name>ShibCas Auth Servlet</servlet-name>
         <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
         <load-on-startup>2</load-on-startup>
     </servlet>
     <servlet-mapping>
         <servlet-name>ShibCas Auth Servlet</servlet-name>
         <url-pattern>/Authn/External/*</url-pattern>
     </servlet-mapping>

When I redeploy the IdP refuses to start.  In jetty.log I get

    java.lang.IllegalStateException: Multiple servlets map to path: /Authn/External/*: ShibCas Auth Servlet,ShibcasAuthServlet

When I do not add the above snippet to web.xml things seem to
work fine.

Is anyone else seeing this?  Or am I missing something?

TIA....

--
Leonard J. Peirce
Western Michigan University
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: IdP 3.4.6 with Unicon plugin for external CAS

Jones, Brian
Hi Leonard,

There is a little more detail in the release notes for shib-cas-authn3 v3.3.0:  

https://github.com/Unicon/shib-cas-authn3/releases/tag/3.3.0

I don't know for sure, but maybe the error is related to the third bullet point on that page (pasted below):

## begin paste ##

    Remove the authn/Shibcas bean in IDP_HOME/conf/authn/general-authn.xml:

...
    <util:list id="shibboleth.AvailableAuthenticationFlows">

        <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true"
                p:nonBrowserSupported="false" />
...

Note that if you have any additional settings for this bean defined, such as one for supportedPrincipals, they need to be moved and applied to the authn/External bean instead in the same file, such that:

<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
  p:passiveAuthenticationSupported="true"
  p:forcedAuthenticationSupported="true"
  p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </list>
    </property>
</bean>

## end paste ##

Again, I don't know if that's what's going on, but I did a similar upgrade a while back and I seem to recall consulting the release notes page linked above and the README file to get it done.

Hope this helps and hope I'm not wasting your time!

Thanks,

Brian


Brian Jones
Programmer Analyst IV
Enterprise Development and Application Support, OIT
The University of Alabama





Re: IdP 3.4.6 with Unicon plugin for external CAS

Cantor, Scott E.
I would imagine you have two servlet mappings for one servlet, or possibly Jetty (justifiably) doesn't care for those spaces in the servlet name and it's collapsing them internally and causing a duplication. It's a web.xml problem in any event, nothing to do with the IdP.

-- Scott



Re: IdP 3.4.6 with Unicon plugin for external CAS

Leonard J. Peirce-2
On 2020-01-28 3:25 p.m., Jones, Brian wrote:

> Hi Leonard,
>
> There is a little more detail in the release notes for shib-cas-authn3 v3.3.0:
>
> https://github.com/Unicon/shib-cas-authn3/releases/tag/3.3.0
>
> I don't know for sure but maybe the error is related to the 3rd bulletpoint on that page (pasted below):
>
> ## begin paste ##
>
>      Remove the authn/Shibcas bean in IDP_HOME/conf/authn/general-authn.xml:
>
> ...
>      <util:list id="shibboleth.AvailableAuthenticationFlows">
>
>          <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
>                  p:passiveAuthenticationSupported="true"
>                  p:forcedAuthenticationSupported="true"
>                  p:nonBrowserSupported="false" />
> ...
>
> Note that if you have any additional settings for this bean defined, such as one for supportedPrincipals, they need to be moved and applied to the authn/External bean instead in the same file, such that:
>
> <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
>    p:passiveAuthenticationSupported="true"
>    p:forcedAuthenticationSupported="true"
>    p:nonBrowserSupported="false">
>      <property name="supportedPrincipals">
>          <list>
>              <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                    c:classRef="https://refeds.org/profile/mfa" />
>                <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
>          </list>
>      </property>
> </bean>
>
> ## end paste ##

I saw that but at least in the README it appears to be related
to 2FA which we aren't running.  At any rate I'm running the
general-authn.xml unmodified.

The online README also mentions removing IDP_HOME/flows/authn/Shibcas
which I don't have.  Same result.

Does anyone from Unicon have an idea?

- Leonard

Re: IdP 3.4.6 with Unicon plugin for external CAS

Terry Smith
Hi Leonard,

I had the same issue when attempting to upgrade to the latest CAS plugin. I found that the additions to web.xml were not required.

I think the following line of code in the file main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java 

@WebServlet(name = "ShibcasAuthServlet", urlPatterns = {"/Authn/External/*"}) 

is clashing with recommended changes to web.xml. The IdPs I have tested the new CAS extensions on seem to work just fine without changes to web.xml.

Thanks,
Terry.
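
The clash Terry describes can be checked before a redeploy. The following is an added example in Python (my code, not code from this thread or from the Unicon shib-cas-authn3 plugin): it parses the servlet-mapping entries of a web.xml, merges them with a constructed list that stands in for what the @WebServlet annotation contributes at startup, and reports any url-pattern claimed by two different servlet names, which is the condition behind the "Multiple servlets map to path" error in the first message. The sample web.xml fragment and the annotation entry are constructed from the snippets quoted in this thread.

```python
"""Pre-deploy check for duplicate servlet url-pattern mappings.

Added example, not code from the mailing-list thread or from the Unicon plugin.
It models how a servlet container merges web.xml <servlet-mapping> entries with
@WebServlet(name=..., urlPatterns=...) annotations found on the classpath.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict


def _local(tag):
    # Strip any XML namespace so the check works whether or not web.xml
    # declares the Java EE namespace on its root element.
    return tag.rsplit("}", 1)[-1]


def webxml_mappings(web_xml_text):
    """Return {url_pattern: {servlet_name, ...}} from <servlet-mapping> elements."""
    mappings = defaultdict(set)
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                patterns.append((child.text or "").strip())
        for pattern in patterns:
            mappings[pattern].add(name)
    return mappings


def merge_with_annotations(webxml, annotation_mappings):
    """Merge web.xml mappings with (servlet_name, [url_patterns]) pairs that
    model what each @WebServlet annotation contributes at startup."""
    merged = defaultdict(set, {p: set(n) for p, n in webxml.items()})
    for name, patterns in annotation_mappings:
        for pattern in patterns:
            merged[pattern].add(name)
    return merged


def find_conflicts(merged):
    """Patterns claimed by two or more distinct servlet names, names sorted."""
    return {p: sorted(names) for p, names in merged.items() if len(names) > 1}


def jetty_style_messages(conflicts):
    """Format each conflict in the shape of the Jetty message quoted in the thread."""
    return [f"Multiple servlets map to path: {p}: {','.join(names)}"
            for p, names in sorted(conflicts.items())]


def check_deployment(web_xml_text, annotation_mappings):
    """Entry point: list of error lines, empty when the deployment is clean."""
    merged = merge_with_annotations(webxml_mappings(web_xml_text), annotation_mappings)
    return jetty_style_messages(find_conflicts(merged))


# Constructed inputs. The annotation entry mirrors the @WebServlet line quoted in
# this thread; the web.xml fragment mirrors the README snippet from the first message.
ANNOTATION_MAPPINGS = [("ShibcasAuthServlet", ["/Authn/External/*"])]

WEB_XML_WITH_SNIPPET = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>ShibCas Auth Servlet</servlet-name>
    <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>ShibCas Auth Servlet</servlet-name>
    <url-pattern>/Authn/External/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Same deployment with the README snippet left out: the annotation is the only mapping.
WEB_XML_WITHOUT_SNIPPET = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
</web-app>"""

if __name__ == "__main__":
    for label, text in (("with snippet", WEB_XML_WITH_SNIPPET),
                        ("without snippet", WEB_XML_WITHOUT_SNIPPET)):
        errors = check_deployment(text, ANNOTATION_MAPPINGS)
        print(label, "->", errors or "no duplicate mappings")
```

Run against the web.xml that contains the README snippet, the check reproduces the exact error line from jetty.log; with the snippet removed it reports nothing, matching what Leonard and Terry observed. The check keys conflicts on distinct servlet names for the same pattern, because a web.xml entry that reuses the annotation's own servlet name is treated by Servlet 3.x containers as an override of the annotation rather than a second servlet.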



Re: IdP 3.4.6 with Unicon plugin for external CAS

Michael A Grady
How this is configured, and what all is required, for a given version of shib-cas-authn3 and the Shib IdP has changed over time. Which is why -- but clearly not anywhere obviously enough -- the top-level GitHub page does say, in the Installation section:

 NOTE: You should ALWAYS refer to the README.md file that is packaged with the release for instructions.

and which links to this:


It is clear that the top-level README page needs some modification; perhaps it is best to have very little there and point off to the release documentation much more boldly. I'll ask the team to take a look at it, and to double-check the shib-cas-authn3 release 3.3.0 specific instructions.

--
Michael A. Grady
IAM Architect, Unicon, Inc.



