Note: This project has been deprecated. Active development on a related project is occurring at https://github.com/Unicon/cas-adfs-integration.
So you stumbled upon my WS-Federation module for CAS and want to connect it up to Microsoft’s Active Directory Federation Services (ADFS). Here’s how to do it with ADFS v2.0.
Assume that your applicationContext.xml contains the following chunk (numbered comments added for reference):
```xml
<bean class="org.jasig.cas.support.wsfederation.WsFederationConfiguration" id="wsFedConfig">
    <!-- 1 --> <property value="https://login-test-env.ewu.edu/adfs/ls/" name="identityProviderUrl"/>
    <!-- 2 --> <property value="http://login-test-env.ewu.edu/adfs/services/trust" name="identityProviderIdentifier"/>
    <!-- 3 --> <property value="urn:federation:devcas" name="relyingPartyIdentifier"/>
    <!-- 4 --> <property value="upn" name="identityAttribute"/>
    <property value="60000" name="tolerance"/>
    <property name="attributeMutator">
        <bean class="edu.ewu.cas.support.wsfederation.WsFedAttributeMutatorImpl"/>
    </property>
    <property name="signingCertificateFiles">
        <list>
            <value>signing.cer</value>
        </list>
    </property>
</bean>
```
You’ll want to create a relying party (RP) entry in ADFS:
- Choose “Enter data about the relying party manually”
- Give it a display name and move on.
- Choose AD FS 1.0 and 1.1 profile.
- Specify the URL of your CAS server’s login page (https://serverna.me/cas/login). This is where ADFS will redirect the user after ADFS authentication.
- On the next screen, enter the CAS application’s identifier. By default the URL specified in Step 4 is added. In my example I used urn:federation:devcas as the identifier (this is line #3). This can be pretty much any valid URI, but the two values must match.
- From there you just finish up the wizard.
- Add any attributes you want to supply back to CAS. You’ll need at least one, the NetID/username (which gets set in line #4 of my example).
While you are in ADFS, bring up the Federation Server Properties dialog and copy the Federation Service identifier string into line #2 of the XML snippet.
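To see why lines #2, #3 and #4 have to agree with what ADFS is configured to send, here is an added example (not code from the CAS module) that checks a SAML 1.1 assertion against those values. The sample assertion is constructed, `check_assertion` is a hypothetical helper, and treating `tolerance` as a clock-skew allowance in milliseconds is an assumption; signature verification against signing.cer is not shown and must succeed before any of these checks mean anything.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
# Values copied from the wsFedConfig bean (lines #2, #3, #4 and tolerance).
CONFIG = {
    "identityProviderIdentifier": "http://login-test-env.ewu.edu/adfs/services/trust",
    "relyingPartyIdentifier": "urn:federation:devcas",
    "identityAttribute": "upn",
    "tolerance_ms": 60000,  # assumption: clock-skew allowance in milliseconds
}
# Constructed, unsigned, trimmed sample; not captured from a real ADFS server.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    Issuer="http://login-test-env.ewu.edu/adfs/services/trust">
  <saml:Conditions NotBefore="2013-01-01T12:00:00Z" NotOnOrAfter="2013-01-01T13:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:devcas</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # Accepts timestamps with or without fractional seconds; always UTC.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, config, now):
    """Return a list of mismatches; an empty list means the assertion fits the config."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Issuer") != config["identityProviderIdentifier"]:
        problems.append("issuer does not match identityProviderIdentifier")
    if config["relyingPartyIdentifier"] not in [a.text for a in root.iter(SAML + "Audience")]:
        problems.append("audience does not match relyingPartyIdentifier")
    cond = root.find(SAML + "Conditions")
    skew = timedelta(milliseconds=config["tolerance_ms"])
    try:
        ok = _ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew
    except (AttributeError, TypeError, ValueError):
        ok = False  # missing or malformed Conditions: fail closed
    if not ok:
        problems.append("outside validity window (with tolerance)")
    if config["identityAttribute"] not in [a.get("AttributeName") for a in root.iter(SAML + "Attribute")]:
        problems.append("identityAttribute not issued")
    return problems
```

The comparisons are exact string matches, so a trailing slash or an http/https difference in either identifier is enough to reject the assertion.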