Recent versions (I believe 3.2 or older) of Central Authentication System (a.k.a. CAS) include Security Assertion Markup Language (a.k.a. SAML) support, out of the box. The beauty if it is that it is already “there” accessible through the URL ‘/cas/samlValidate’ instead of the usual ‘/cas/serviceValidate’.
One thing to be noted is that it is not so easy to communicate with your CAS instance using SAML protocol since the requests need to be HTTP POST (which put browsers out of the picture) using a properly formed SAML payload.
Here is when soapUI comes in, which is an excellent tool for web services testing using SOAP requests (there should not be any problem/limitation by using the open source version of the tool) since it can be used to complete the SAML communication and see what the CAS server is actually returning back.
So, in order to complete that, you would need to connect to your CAS server, login by providing valid credentials and then get a CAS ticket. This can be done by opening the following URL on a browser:
The browser should be now displaying an error because it should have been redirected back to the URL http://localhost/foo which probably does not exist. No problem. What is important though is that you would be able to retrieve the ticket from the URL. Example:# URL http://localhost/foo?ticket=ST-3-j6RIZfeaNTxilsFYr3xe-cas # TICKET ST-3-j6RIZfeaNTxilsFYr3xe-cas
Now using SoapUI you need to send CAS a proper SAML request. You may do that using the “submit a request to a specified end point” action. The URL where to send the request should be:https://CAS_DOMAIN:PORT/cas/samlValidate? -&gt; TARGET=http://localhost/foo&amp;ticket=ST-3-j6RIZfeaNTxilsFYr3xe-cas
the request body should be:ST-3-j6RIZfeaNTxilsFYr3xe-cas
CAS’ response should be similar to this:http://localhost/foo juan.huerta urn:oasis:names:tc:SAML:1.0:cm:artifact
The returned username can be found in the ‘NameIdentifier’ tag.
Note.- special thanks to Juan Huerta, Julien Gribonvald and Marvin Addison for their tips which inspired me to write this post.
Leave a Reply