On Tue, 10 Jun 2014, Matthew B. Brookover wrote:

Hi, I am new to CAS and am having some problems with getting attributes
released through SAML. I have setup cas 3.2.5.1 and
mod_auth_cas-1.0.9.1.  The users and the attributes I would like to
release are stored in LDAP.  If CASValidateSAML is set to Off, the user can log
in, but the attributes are not released.  If I set CASValidateSAML to
On, I get:
       This server could not verify that you are authorized to access
       the document requested.  Either you supplied the wrong
       credentials (e.g., bad password) or your browser doesn't
       understand how to supply the credentials required
and the user is not able to see the protected web pages.

I turned on debugging in both CAS and mod_auth_cas, and the attributes
are in the cas.log so they are making it to CAS from LDAP.

When CASValidateSAML is On, I get errors from CasArgumentExtractor and
ServiceValidateController:
2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.ServiceValidateController] - Could not process request; Service: null, Service Ticket Id: null

There are corresponding errors from mod_auth_cas:
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] Validation response: \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039; parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1293): [client 138.67.125.10] entering isValidCASTicket(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1299): [client 138.67.125.10] MOD_AUTH_CAS: response = \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039; parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f

Why does the validation response include 'http://www.yale.edu/tp/cas'?
Did I miss something in the configuration?  If I had to guess, it is
some sort of XML documentation reference, but, to be honest, I do not
know that much about XML.  There is no reference to yale in either
cas.properties or deployerConfigContext.xml.

Below, I have included the configuration from the test web server for
mod_auth_cas, more of the debug logs from the CAS server and
mod_auth_cas and I have attached my deployerConfigContext.xml and the
cas.properties files.

Here is the mod_auth_cas configuration in httpd:
LoadModule auth_cas_module modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
CASLoginURL https://cas-dev.mines.edu/cas/login
CASVersion 2
CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
CASValidateSAML On

Shouldn't the CASValidateURL be changed to:

  CASValidateURL https://cas-dev.mines.edu/cas/samlValidate

serviceValidate only works for the CAS protocol. Clients must contact samlValidate
for the SAML protocol ticket validation. This might also explain your errors from
CasArgumentExtractor and ServiceValidateController.

        Andy
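A small check for the mismatch Andy points out, added here as an example (not part of this thread, of CAS or of mod_auth_cas): it lints the quoted httpd directives for a CASValidateSAML/CASValidateURL disagreement and pulls the failure code and message out of the INVALID_REQUEST body exactly as mod_auth_cas logged it. The sample config and response are reconstructed from the question above; the function names are my own.

```python
import xml.etree.ElementTree as ET

# XML namespace used by CAS protocol responses (a fixed protocol identifier, not a server host).
CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed from the directives quoted in the question.
SAMPLE_CONFIG = """\
CASLoginURL https://cas-dev.mines.edu/cas/login
CASVersion 2
CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
CASValidateSAML On
"""

# Constructed from the "Validation response:" debug line; newlines and tabs are the
# literal backslash escapes that mod_auth_cas writes into its log.
SAMPLE_RESPONSE = (
    "\\n\\n\\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "\\n\\t<cas:authenticationFailure code='INVALID_REQUEST'>\\n\\t\\t&#039;service&#039; and "
    "&#039;ticket&#039; parameters are both required\\n\\t</cas:authenticationFailure>"
    "\\n</cas:serviceResponse>\\n"
)


def lint_validate_url(config_text):
    """Return findings when CASValidateSAML and the CASValidateURL endpoint disagree."""
    directives = {}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("CAS"):
            directives[parts[0]] = parts[1].strip()
    saml_on = directives.get("CASValidateSAML", "Off").lower() == "on"
    endpoint = directives.get("CASValidateURL", "").rstrip("/").rsplit("/", 1)[-1]
    findings = []
    if saml_on and endpoint != "samlValidate":
        findings.append("CASValidateSAML On but CASValidateURL ends in %r; "
                        "SAML tickets are validated at .../samlValidate" % endpoint)
    if not saml_on and endpoint == "samlValidate":
        findings.append("CASValidateURL ends in samlValidate but CASValidateSAML is Off")
    return findings


def parse_cas_failure(logged_body):
    """Return (code, message) from a CAS 2 authenticationFailure body copied out of a
    mod_auth_cas debug line, or None when the response is not a failure."""
    xml_text = logged_body.replace("\\n", "\n").replace("\\t", "\t")
    root = ET.fromstring(xml_text)  # entity refs such as &#039; are decoded by the parser
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is None:
        return None
    return failure.get("code"), " ".join((failure.text or "").split())
```

Running the linter on the quoted config reports the serviceValidate/SAML mismatch, and the same config with CASValidateURL pointing at samlValidate reports nothing.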

--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user