Shibboleth idp and CAS: msg#00079 (java.jasig.cas.user)
I am trying to set up a shibboleth idp with the yale CAS client.

CAS is working in that I have cassified the tomcat servlets-examples and that all works just fine.

Shibboleth, by itself (using Tomcat Forms authentication) is working with another sp.

Combining the two seems to be a problem for me. I'm posting this to both the shibboleth and the CAS lists in the hopes someone can shed some light.

When I have shibboleth and CAS configured to work together, the first redirect to my -idp/SSO takes me to my CAS login. I then log in through CAS, which is just fine. I send back an AuthN saml response but then get nothing back from the SP. I am expecting a POST to my idp/AA asking for attributes (which is the next thing sent in the working shibboleth configuration).

Both AuthN saml responses (working vs non-working) seem to be identical (barring the time-specific details).

My configuration is Win2K server with IIS 5.0 frontending Tomcat 5.5 on ports 80 and 443. Tomcat is managing 8080, 8009 and 8443 itself.

My shibboleth-idp/WEB-INF/web.xml contains the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <context-param>
    <param-name>IdPConfigFile</param-name>
    <param-value>file:/e:/opt/shibboleth-idp//etc/idp.xml</param-value>
  </context-param>

  <!-- added CASFilter -->
  <filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <!-- URL of login page of CAS Server -->
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://web2.ametsoc.org/cas/login</param-value>
    </init-param>
    <!-- URL to validation URL of CAS Server -->
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://web2.ametsoc.org/cas/serviceValidate</param-value>
    </init-param>
    <!-- Full hostname with port number to be filtered. The port
         number is not required for standard ports (80,443) -->
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>web2.ametsoc.org</param-value>
    </init-param>
    <!-- expose REMOTE_USER (from CAS Client version 2.1.0) -->
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/SSO/*</url-pattern>
  </filter-mapping>
  <!-- ########################### -->

  <servlet>
    <servlet-name>IdP</servlet-name>
    <display-name>Shibboleth Identity Provider</display-name>
    <servlet-class>edu.internet2.middleware.shibboleth.idp.IdPResponder</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>IdP</servlet-name>
    <url-pattern>/SSO</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>IdP</servlet-name>
    <url-pattern>/AA</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>IdP</servlet-name>
    <url-pattern>/Artifact</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>IdP</servlet-name>
    <url-pattern>/Status</url-pattern>
  </servlet-mapping>

  <mime-mapping>
    <extension>css</extension>
    <mime-type>text/css</mime-type>
  </mime-mapping>
</web-app>

Thanks,
Pat MacDonald