During the CAS integration for a protected web application, there was always the question on how to see the CAS response once someone has authenticated.
The session of the user would be established, though the application would require the attributes to be retrieved for the use of the application.
This wouldn't be during the authentication process but in fact after the ticket has been passed to the application. The application would then use that ticket (also known as the service ticket)
To validate the user and to retrieve the information of that user. The service ticket would only be valid for a few seconds and could only be used once and has to be used shortly after the ST was created. CAS purposely uses the ST tickets with a short life. The second attribute request would fail if the ST- ticket was used twice. If you did attempt to use the ST ticket twice, you will receive something like, 'ServiceTicket [ST-2124-xxxxxxxxxxxxxxxx-cas] does not exist.' within the audit logs
The question would be, how would you grab that ST ticket to then see the messages and attributes?
To replicate the initial authentication and to receive the ST ticket, I created a CAS client (I called it the CASTicketValidationClient application), which can be located within my git.
The client used to initially receive a service ticket (ST=xxxx) to then retrieve the expected CAS response to the application (service) along with reviewing the attributes.
The CAS agent can be located here: CAS Agent
Steps to view the serviceResponse from CAS
1. Create a maven project by using the pom.xml file
2. Download the .java file and place this into your IDE
3. Change the 5 variables to match your environment
4. When you run the application, it should then present a ST-ticket
5. You then use this ticket to run the URL below. Remember to change the 2 URLs as well as replacing the ticket at the end. Make sure you do this no fewer than a few seconds after receving the ST ticket https://CASSERVER/sso/serviceValidate?service=https://APPLICATIONSERVER/WHATEVER/WHATEVER&ticket=ST-271-K3v21d6pvqTmp1tCR3gi-sso
Make CAS changes
Make sure your service is acknowledged by your CAS server. If you don't setup your application URL within CAS, you'll receive a Service Management initial error, which looks something like this:
CAS ticket validation
If you want to see additional information other than the standard payload response, You can replace the casServiceValidationSuccess file with the one from my git. https://github.com/nervouswiggles/CASTicketValidationClient/blob/master/casServiceValidationSuccess.jsp That way, you should then see all the available attributes that are being sent
About the author
Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles
Comments
Other Posts
AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
Read More...
The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
Read More...
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...