Unicon / shib-cas-authn3

Integrates an external CAS Server and Shibboleth IdPv3.
Apache License 2.0

No redirection to CAS with Skype Enterprise #25

Closed shteevy closed 7 years ago

shteevy commented 7 years ago

Hello,

I have a problem with the Skype for Business 2016 client. My configuration to connect to Office 365 is Office365 -> ADFS -> Shibboleth (3.3.1) with ShibCas (3.2.2) -> CAS portal (5.0.5). It works via the Office365 web portal, but not with Skype for Business (Windows client).

The "modern authentication" for Skype for Business is activated. When connecting, the login screen of Shibboleth appears instead of my CAS portal.

Is it normal? I don't understand why the CAS portal is not called.

Many thanks for your help, Steve.

jtgasper3 commented 7 years ago

Hi,

My guess would be that the authnContextClassRef that Skype is using doesn't match the value matched by shib-cas-authn3, so it doesn't choose it and just handles it itself.

On May 21, 2017, at 2:56 PM, shteevy notifications@github.com wrote:

> Hello,
>
> I have a problem with the Skype for Business 2016 client. My configuration to connect to Office 365 is Office365 -> ADFS -> Shibboleth (3.3.1) with ShibCas (3.2.2) -> CAS portal (5.0.5). It works via the Office365 web portal, but not with Skype for Business (Windows client).
>
> The "modern authentication" for Skype for Business is activated. When connecting, the login screen of Shibboleth appears instead of my CAS portal.
>
> Is it normal? I don't understand why the CAS portal is not called.
>
> Many thanks for your help, Steve.


shteevy commented 7 years ago

Hello,

Here is the content of my general-authn.xml :

general-authn.pdf

Do you think the problem is related to `p:nonBrowserSupported="false" />`?

Many thanks for your help,

Steve.

jtgasper3 commented 7 years ago

Look at

```xml
<property name="supportedPrincipals">
    <list>
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password" />
    </list>
</property>
```

That tells Shib to use the Password flow to complete Microsoft's requested authn type. Try moving it up to shib-cas-authn3. You may need to explicitly add `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport` to shib-cas-authn3 as well.
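
An added example (not part of the thread and not shib-cas-authn3 code): a small Python check that lists which authentication flows in a `general-authn.xml` advertise a given authnContextClassRef, which makes the mismatch described above visible. The embedded XML is a constructed sample, not the poster's file, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

C_NS = "{http://www.springframework.org/schema/c}"  # Spring c: namespace
MS_PASSWORD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample in the shape of general-authn.xml (assumption: the
# Microsoft class ref is listed only on the Password flow, as in the thread).
SAMPLE = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
  <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
        p:nonBrowserSupported="false">
    <property name="supportedPrincipals"><list>
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="{PPT}" />
    </list></property>
  </bean>
  <bean id="authn/Password" parent="shibboleth.AuthenticationFlow">
    <property name="supportedPrincipals"><list>
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="{PPT}" />
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="{MS_PASSWORD}" />
    </list></property>
  </bean>
</beans>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def flows_by_class_ref(xml_text):
    """Map each flow bean id to the set of class refs it lists."""
    flows = {}
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean" or bean.get("parent") != "shibboleth.AuthenticationFlow":
            continue
        flows[bean.get("id")] = {
            b.get(C_NS + "classRef") for b in bean.iter()
            if b.get("parent") == "shibboleth.SAML2AuthnContextClassRef"}
    return flows

def flows_for(xml_text, requested):
    """Flow ids, in file order, that advertise the requested class ref."""
    return [fid for fid, refs in flows_by_class_ref(xml_text).items() if requested in refs]

if __name__ == "__main__":
    for ref in (PPT, MS_PASSWORD):
        print(ref, "->", flows_for(SAMPLE, ref))
```

If the class ref the client requests maps only to `authn/Password`, the IdP shows its own login form, which matches the symptom reported in this issue.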

shteevy commented 7 years ago

Hello, many thanks, it's working following your advice.

I made this configuration:

```xml
<bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true"
      p:nonBrowserSupported="false">

</bean>
```

and commented out these lines:

```xml
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true">
    <!--

    </property>
    -->
```

Many thanks,

Steve.

jtgasper3 commented 7 years ago

Excellent.