Shibboleth CAS Integration: HTTP Status 500 - Error processing ShibCas authentication request

You need to integrate Shibboleth IDP 3 with CAS This means that Shibboleth uses CAS as the authentication module to authenticate users. This is a Shibboleth IDP external authentication plugin that delegates to CAS
December 13, 2016
ShibbolethIDPCASAuthentication

Integrate Shibboleth IDP with CAS

This ensures that all authentication has taken place within CAS (which is better for auditing, session management etc.) Furthermore, if someone has already authenticated against CAS and needs access to a SAML application, Shibboleth can pass the take place within CAS and not within other systems for application access.


The error...

https://technicalconfessions.com/images/postimages/postimages/_438_2_Error processing ShibCas authentication request.png

However the issue is as follows:


Step 1: Download repository

https://technicalconfessions.com/images/postimages/postimages/_438_3_Download shibCAS SVN.png

You need to download the github https://github.com/Unicon/shib-cas-authn3


Step 2: Clone repository

https://technicalconfessions.com/images/postimages/postimages/_438_4_Clone the SVN.png

Step 2: Within your eclipse IDE, go to the Java EE window, locate the git repository and clone a new repository


Step 3: Confirm repository

https://technicalconfessions.com/images/postimages/postimages/_438_5_github for shbcas.png

Keep everything as default and click finish


Step 4: Move the shibcas into the Shibboleth IDP directory

https://technicalconfessions.com/images/postimages/postimages/_438_6_move shibcas to the flow auth.png

You then need to locate the Shib-cas directory that can be located outside your eclipse IDE. The Shibcas directory needs to be copied over to your shibbolethIDP\flows\authn directory as illustrated in the diagram


Step 5: Move the shibcas

https://technicalconfessions.com/images/postimages/postimages/_438_7_modify the web xml file.png

Move the shibcas into the Shibboleth IDP directory


Step 6: Modify the IDP web.xml

Modify the IDP web.xml


Step 7: Modify the idp.properties

Then add the following values within the idp.properties file (notice the hostnames are dependent based on the environment)
# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows=Shibcas
shibcas.casServerUrlPrefix=https://CASSERVER/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
shibcas.serverName=https://SHIBSEVER

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles

Comments

Other Posts

NameID element must be present as part of the Subject in the Response message

ShibbolethSAML

August 7, 2018
Created by: Daniel Redfern
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...

HOW TO provision AD group membership from OpenIDM

OpenIDMICFAD-connector

June 15, 2018
Created by: Daniel Redfern
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

ICFIDMOpenIDMOpenICF

November 8, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

IDMsync.confforgerockopenidm

November 8, 2017
Created by: Daniel Redfern
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

OpenIDMsync.confForgeRock

September 17, 2017
Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

OpenIDMForgeRockICFConnector

September 17, 2017
Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

OpenIDMForgeRockICFConnectorAD

September 17, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

OpenIDMIDMGoogleGoogle-AppsICFreconciliation

September 12, 2017
Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...

forgerock-openidm-encryptedjwt-error

OpenIDMIDMForgeRockJWTIAM

August 29, 2017
Created by: Daniel Redfern
Received the JWT error
Read More...

Unexpected character ('¾' (code 190)): expected a valid value

ForgeRock-OpenIDMOpenIDMIDMKeystore

June 25, 2017
Created by: Daniel Redfern
Unexpected character occurred when the IP addresses changes and the virtual instance was migrated into a separate network subnet.
Read More...