Hi, I am still attempting to get CAS to release attributes and not
having much luck.

My user goes to the web site, logs in, and gets a 401 http code with
the message "This server could not verify that you are authorized to
access the document requested.  Either you supplied the wrong
credentials (e.g. bad password), or your browser doesn't understand how
to supply the credentials required."

My cas configuration points CASValidateURL to the samlValidate (thank
you Andrew Morgan for that tip) target:
LoadModule auth_cas_module modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
CASLoginURL https://cas-dev.mines.edu/cas/login
CASVersion 2

CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
CASValidateSAML On

CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
CASCookiePath /var/tmp/cas/
CASSSOEnabled On
CASValidateServer On
CASAttributePrefix boobooboo
CASDebug On
</IfModule>

Grasping at straws, I moved from a server running CentOS 5.10 to one
running 6.5.  Mostly hoping that the newer version of curl and other
libraries would help, but the result is the same.

When I use CASValidateURL pointed at
https://cas-dev.mines.edu/cas/serviceValidate, the user can log in and
see the content, but no attributes.  When I use
https://cas-dev.mines.edu/cas/samlValidate I get the 401, but the
attributes do show up in the debug logs so attributes are getting
released, but the session is not getting validated.

Here are the debug logs from mod_auth_cas from httpd:
[Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] 
Entering cas_authenticate()
[Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] 
entering getCASService()
[Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] 
CAS Service 'https%3a%2f%2fw4.mines.edu%2fcastest'
[Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(485): [client 138.67.125.10] 
entering getCASLoginURL()
[Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(462): [client 138.67.125.10] 
entering getCASGateway()
[Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(555): [client 138.67.125.10] 
entering redirectRequest()
[Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(567): [client 138.67.125.10] 
Adding outgoing header: Location: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
[Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] 
Entering cas_authenticate(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
[Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(607): [client 138.67.125.10] 
Modified r->args (old 'ticket=ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu', new 
''), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
[Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(1600): [client 138.67.125.10] 
entering getResponseFromServer(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
[Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] 
entering getCASService(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
[Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] 
CAS Service 'https%3a%2f%2fw4.mines.edu%2fcastest', referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
[Mon Jun 16 15:45:21 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] 
Validation response: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response
 xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
IssueInstant="2014-06-16T21:45:20.963Z" MajorVersion="1" MinorVersion="1" 
Recipient="https://w4.mines.edu/castest"; 
ResponseID="_4e06e9d9ac93a830cbd92e27e3eb9cd4"><saml1p:Status><saml1p:StatusCode
 Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_8a9db6ecf524737797da624df57f5e70" 
IssueInstant="2014-06-16T21:45:20.963Z" Issuer="localhost" MajorVersion="1" 
MinorVersion="1"><saml1:Conditions NotBefore="2014-06-16T21:45:20.963Z" 
NotOnOrAfter="2014-06-16T21:45:50.963Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://w4.mines.edu/castest</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
 AuthenticationInstant="2014-06-16T21:45:20.725Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
 AttributeName="uid" 
AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="xs:string">testua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="mail" 
AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="xs:string">tes...@mines.edu</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="sn" 
AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="xs:string">estua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="cn" 
AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="xs:string">estua, 
t</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
 referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
[Mon Jun 16 15:45:21 2014] [debug] mod_auth_cas.c(1293): [client 138.67.125.10] 
entering isValidCASTicket(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
[Mon Jun 16 15:45:21 2014] [debug] mod_auth_cas.c(1299): [client 138.67.125.10] 
MOD_AUTH_CAS: response = <?xml version="1.0" 
encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response
 xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
IssueInstant="2014-06-16T21:45:20.963Z" MajorVersion="1" MinorVersion="1" 
Recipient="https://w4.mines.edu/castest"; 
ResponseID="_4e06e9d9ac93a830cbd92e27e3eb9cd4"><saml1p:Status><saml1p:StatusCode
 Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_8a9db6ecf524737797da624df57f5e70" 
IssueInstant="2014-06-16T21:45:20.963Z" Issuer="localhost" MajorVersion="1" 
MinorVersion="1"><saml1:Conditions NotBefore="2014-06-16T21:45:20.963Z" 
NotOnOrAfter="2014-06-16T21:45:50.963Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://w4.mines.edu/castest</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
 AuthenticationInstant="2014-06-16T21:45:20.725Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
 AttributeName="uid" 
AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="xs:string">testua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="mail" 
AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="xs:string">tes...@mines.edu</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="sn" 
AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="xs:string">estua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="cn" 
AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="xs:string">estua, 
t</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
 referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest

The access_log from httpd contains:
138.67.125.10 - - [16/Jun/2014:15:45:07 -0600] "GET /castest HTTP/1.1" 302 343
138.67.125.10 - - [16/Jun/2014:15:45:20 -0600] "GET 
/castest?ticket=ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu HTTP/1.1" 401 480

The cas.log contains:
2014-06-16 15:45:08,523 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - 
Setting path for cookies to: /cas/
2014-06-16 15:45:08,523 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - 
Setting path for cookies to: /cas/
2014-06-16 15:45:08,527 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://w4.mines.edu/castest
2014-06-16 15:45:08,528 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - 
Placing service in FlowScope: https://w4.mines.edu/castest
2014-06-16 15:45:08,528 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - 
Placing service in FlowScope: https://w4.mines.edu/castest
2014-06-16 15:45:08,540 DEBUG 
[org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket 
LT-1-iaxGA2hwSntjatkYl7j7HZknxcEfll
2014-06-16 15:45:08,540 DEBUG 
[org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket 
LT-1-iaxGA2hwSntjatkYl7j7HZknxcEfll
2014-06-16 15:45:10,461 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://w4.mines.edu/castest
2014-06-16 15:45:20,185 DEBUG 
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP 
bind with credential: uid=testua,ou=People2,dc=mines,dc=edu
2014-06-16 15:45:20,311 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully 
authenticated [username: testua]
2014-06-16 15:45:20,311 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - Attempting to resolve a principal...
2014-06-16 15:45:20,312 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - Attempting to resolve a principal...
2014-06-16 15:45:20,312 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - Creating SimplePrincipal for [testua]
2014-06-16 15:45:20,313 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - Resolved testua. Trying LDAP resolve now...
2014-06-16 15:45:20,313 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - LDAP search with filter "(uid=testua)"
2014-06-16 15:45:20,313 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - returning searchcontrols: scope=2; search base=ou=People2,dc=mines,dc=edu; 
attributes=[uid]; timeout=1000
2014-06-16 15:45:20,576 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - Resolved testua to testua
2014-06-16 15:45:20,576 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - Creating SimplePrincipal for [testua]
2014-06-16 15:45:20,577 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created 
seed map='{username=[testua]}' for uid='testua'
2014-06-16 15:45:20,577 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding 
attribute 'uid' with value '[testua]' to query builder 'null'
2014-06-16 15:45:20,580 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Generated 
query builder '(uid=testua)' from query Map {username=[testua]}.
2014-06-16 15:45:20,722 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal 
testua
2014-06-16 15:45:20,723 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@3d90de9e 
authenticated testua with credential [username: testua].
2014-06-16 15:45:20,723 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - Attribute map for 
testua: {uid=testua, mail=tes...@mines.edu, sn=estua, cn=estua, t}
2014-06-16 15:45:20,729 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN
=============================================================
WHO: [username: testua]
WHAT: supplied credentials: [username: testua]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Jun 16 15:45:20 MDT 2014
CLIENT IP ADDRESS: 138.67.125.10
SERVER IP ADDRESS: 138.67.208.149
=============================================================


2014-06-16 15:45:20,732 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket 
[TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu] to 
registry.
2014-06-16 15:45:20,733 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN
=============================================================
WHO: [username: testua]
WHAT: TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Jun 16 15:45:20 MDT 2014
CLIENT IP ADDRESS: 138.67.125.10
SERVER IP ADDRESS: 138.67.208.149
=============================================================


2014-06-16 15:45:20,733 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie 
with name [CASPRIVACY]
2014-06-16 15:45:20,734 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Added cookie with 
name [CASTGC] and value 
[TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu]
2014-06-16 15:45:20,737 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve 
ticket 
[TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu]
2014-06-16 15:45:20,737 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket 
[TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu] 
found in registry.
2014-06-16 15:45:20,739 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket 
[ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu] to registry.
2014-06-16 15:45:20,740 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
Granted service ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu] for 
service [https://w4.mines.edu/castest] for user [testua]
2014-06-16 15:45:20,740 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve 
ticket 
[TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu]
2014-06-16 15:45:20,740 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket 
[TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu] 
found in registry.
2014-06-16 15:45:20,740 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN
=============================================================
WHO: testua
WHAT: ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu for 
https://w4.mines.edu/castest
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Jun 16 15:45:20 MDT 2014
CLIENT IP ADDRESS: 138.67.125.10
SERVER IP ADDRESS: 138.67.208.149
=============================================================


2014-06-16 15:45:20,749 DEBUG 
[org.jasig.cas.web.flow.TerminateWebSessionListener] - Terminate web session 
B4993A5F1694DB20C6E607A442AA466B in 2 seconds
2014-06-16 15:45:20,749 DEBUG 
[org.jasig.cas.web.flow.TerminateWebSessionListener] - Terminate web session 
B4993A5F1694DB20C6E607A442AA466B in 2 seconds
2014-06-16 15:45:20,881 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - Attempted to extract 
Request from HttpServletRequest.  Results:
2014-06-16 15:45:20,881 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - Request Body: <?xml 
version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" 
MinorVersion="1"><samlp:AssertionArtifact>ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
2014-06-16 15:45:20,881 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - Extracted ArtifactId: 
ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu
2014-06-16 15:45:20,881 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - Extracted Request Id: 
null
2014-06-16 15:45:20,881 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] 
- Extractor generated service for: https://w4.mines.edu/castest
2014-06-16 15:45:20,884 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve 
ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu]
2014-06-16 15:45:20,884 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket 
[ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu] found in registry.
2014-06-16 15:45:20,888 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- Principal id to return for service [W4 Test Service] is [testua]. The default 
principal id is [testua].
2014-06-16 15:45:20,890 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket 
[ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu] from registry
2014-06-16 15:45:20,891 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve 
ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu]
2014-06-16 15:45:20,891 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon Jun 16 15:45:20 MDT 2014
CLIENT IP ADDRESS: 138.67.1.18
SERVER IP ADDRESS: 138.67.208.149
=============================================================


2014-06-16 15:45:20,903 DEBUG [org.jasig.cas.web.ServiceValidateController] - 
Successfully validated service ticket: 
ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu
2014-06-16 15:45:20,903 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - Attempted to extract 
Request from HttpServletRequest.  Results:
2014-06-16 15:45:20,903 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - Request Body: 
2014-06-16 15:45:20,903 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - Extracted ArtifactId: 
null
2014-06-16 15:45:20,903 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - Extracted Request Id: 
null

At this point, I am out of ideas.

If you have any suggestions, please let me know.

Matt


On Tue, 2014-06-10 at 15:30 -0600, Matthew B. Brookover wrote:
> On Tue, 2014-06-10 at 12:35 -0700, Andrew Morgan wrote:
> > On Tue, 10 Jun 2014, Matthew B. Brookover wrote:
> > 
> > > Hi, I am new to CAS and am having some problems with getting attributes
> > > released through SAML. I have setup cas 3.2.5.1 and
> > > 
> > > Here is the mod_auth_cas configuration in httpd:
> > > LoadModule auth_cas_module modules/mod_auth_cas.so
> > > <IfModule mod_auth_cas.c>
> > > CASLoginURL https://cas-dev.mines.edu/cas/login
> > > CASVersion 2
> > > CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
> > > CASValidateSAML On
> > 
> > Shouldn't the CASValidateURL be changed to:
> > 
> >    CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
> > 
> > serviceValidate only works for the CAS protocol.  Clients must contact 
> > samlValidate for the SAML protocol ticket validation.  This might also 
> > explain your errors from CasArgumentExtractor and
> > ServiceValidatecontroller.
> > 
> >     Andy
> 
> Hi Andy, I tried the /cas/samlValidate URL and the attributes show up in
> the logs.  In fact, the logs make it look like things are working except
> for the fact that I still get the "this server could not verify that you
> are..." message in the web browser.
> 
> The logs:
> [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(1745): [client 
> 138.67.125.10] Entering cas_authenticate()
> [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(519): [client 
> 138.67.125.10] entering getCASService()
> [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(539): [client 
> 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f'
> [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(485): [client 
> 138.67.125.10] entering getCASLoginURL()
> [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(462): [client 
> 138.67.125.10] entering getCASGateway()
> [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(555): [client 
> 138.67.125.10] entering redirectRequest()
> [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(567): [client 
> 138.67.125.10] Adding outgoing header: Location: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1745): [client 
> 138.67.125.10] Entering cas_authenticate(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(607): [client 
> 138.67.125.10] Modified r->args (old 
> 'ticket=ST-3-HiJjnoAPVtfGGgi4YxaQ-cas-dev.mines.edu', new ''), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1600): [client 
> 138.67.125.10] entering getResponseFromServer(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(519): [client 
> 138.67.125.10] entering getCASService(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(539): [client 
> 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f', 
> referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1674): [client 
> 138.67.125.10] Validation response: <?xml version="1.0" 
> encoding="UTF-8"?><SOAP-ENV:Envelope 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response
>  xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
> IssueInstant="2014-06-10T20:40:47.253Z" MajorVersion="1" MinorVersion="1" 
> Recipient="https://nineoften.mines.edu/castest/"; 
> ResponseID="_978d48864e870edb73451795582858cb"><saml1p:Status><saml1p:StatusCode
>  Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="_8691358e49dd25dc8f2bb7b376d47a15" 
> IssueInstant="2014-06-10T20:40:47.253Z" Issuer="localhost" MajorVersion="1" 
> MinorVersion="1"><saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" 
> NotOnOrAfter="2014-06-10T20:41:17.253Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
>  AuthenticationInstant="2014-06-10T20:40:47.147Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
>  AttributeName="uid" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xs:string">testua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="mail" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xs:string">tes...@mines.edu</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="sn" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xs:string">estua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="cn" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xs:string">estua, 
> t</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
>  referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1293): [client 
> 138.67.125.10] entering isValidCASTicket(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1299): [client 
> 138.67.125.10] MOD_AUTH_CAS: response = <?xml version="1.0" 
> encoding="UTF-8"?><SOAP-ENV:Envelope 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response
>  xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
> IssueInstant="2014-06-10T20:40:47.253Z" MajorVersion="1" MinorVersion="1" 
> Recipient="https://nineoften.mines.edu/castest/"; 
> ResponseID="_978d48864e870edb73451795582858cb"><saml1p:Status><saml1p:StatusCode
>  Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="_8691358e49dd25dc8f2bb7b376d47a15" 
> IssueInstant="2014-06-10T20:40:47.253Z" Issuer="localhost" MajorVersion="1" 
> MinorVersion="1"><saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" 
> NotOnOrAfter="2014-06-10T20:41:17.253Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
>  AuthenticationInstant="2014-06-10T20:40:47.147Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
>  AttributeName="uid" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xs:string">testua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="mail" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xs:string">tes...@mines.edu</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="sn" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xs:string">estua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="cn" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/";><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xs:string">estua, 
> t</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
>  referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> 
> The log entries above were with:
>         CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
>         CASValidateSAML On
> 
> Just grasping at straws, I set CASValidateSAML to Off and got the same
> "this server could not verify that you are..." message. Rather than the
> attributes, I got the 'service' and 'ticket' parameters are both
> required. messages.  Setting CASValidateURL to samlValidate and
> CASValidateSAML to On is a big step forward, but, there is still something
> missing.
> 
> FYI, here are the logs from the run with CASValidateSAML Off:
> [Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(1745): [client 
> 138.67.125.10] Entering cas_authenticate()
> [Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(519): [client 
> 138.67.125.10] entering getCASService()
> [Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(539): [client 
> 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f'
> [Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(485): [client 
> 138.67.125.10] entering getCASLoginURL()
> [Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(462): [client 
> 138.67.125.10] entering getCASGateway()
> [Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(555): [client 
> 138.67.125.10] entering redirectRequest()
> [Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(567): [client 
> 138.67.125.10] Adding outgoing header: Location: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1745): [client 
> 138.67.125.10] Entering cas_authenticate(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(607): [client 
> 138.67.125.10] Modified r->args (old 
> 'ticket=ST-4-efgS7hJisZWtcAsew4cO-cas-dev.mines.edu', new ''), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1600): [client 
> 138.67.125.10] entering getResponseFromServer(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(519): [client 
> 138.67.125.10] entering getCASService(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(539): [client 
> 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f', 
> referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1674): [client 
> 138.67.125.10] Validation response: <?xml version="1.0" 
> encoding="UTF-8"?><SOAP-ENV:Envelope 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response
>  xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
> IssueInstant="2014-06-10T20:43:01.401Z" MajorVersion="1" MinorVersion="1" 
> Recipient="UNKNOWN" 
> ResponseID="_560a430b410a59a61d548b7af3fbdc36"><saml1p:Status><saml1p:StatusCode
>  Value="saml1p:RequestDenied"/><saml1p:StatusMessage>'service' and 'ticket' 
> parameters are both 
> required</saml1p:StatusMessage></saml1p:Status></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
>  referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1293): [client 
> 138.67.125.10] entering isValidCASTicket(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> [Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1299): [client 
> 138.67.125.10] MOD_AUTH_CAS: response = <?xml version="1.0" 
> encoding="UTF-8"?><SOAP-ENV:Envelope 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response
>  xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
> IssueInstant="2014-06-10T20:43:01.401Z" MajorVersion="1" MinorVersion="1" 
> Recipient="UNKNOWN" 
> ResponseID="_560a430b410a59a61d548b7af3fbdc36"><saml1p:Status><saml1p:StatusCode
>  Value="saml1p:RequestDenied"/><saml1p:StatusMessage>'service' and 'ticket' 
> parameters are both 
> required</saml1p:StatusMessage></saml1p:Status></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
>  referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
> 
> Besides setting CASValidateURL to ..../cas/samlValidate, is there a
> change to the deployerConfigContext.xml for SAML?  Looks like SAML is
> working, the attributes I wanted to release are showing up in the logs
> with the changes you suggested.
> 
> Any ideas?
> 
> thanks
> 
> Matt
> 
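
An added diagnostic example, not part of the thread and not mod_auth_cas's own validation code: it parses a SAML 1.1 samlValidate response like the one in the debug logs above and reports which client-side checks (status code, validity window, audience) pass for a given clock and service URL. The sample response is constructed from the shape of the logged one, and the function names and the `skew` parameter are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample, shaped like the samlValidate response in the debug log
# (same element layout, service URL and validity window; attributes trimmed).
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
 Recipient="https://w4.mines.edu/castest">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="localhost">
<saml1:Conditions NotBefore="2014-06-16T21:45:20.963Z"
 NotOnOrAfter="2014-06-16T21:45:50.963Z">
<saml1:AudienceRestrictionCondition>
<saml1:Audience>https://w4.mines.edu/castest</saml1:Audience>
</saml1:AudienceRestrictionCondition></saml1:Conditions>
<saml1:AuthenticationStatement><saml1:Subject>
<saml1:NameIdentifier>testua</saml1:NameIdentifier>
</saml1:Subject></saml1:AuthenticationStatement>
<saml1:AttributeStatement>
<saml1:Attribute AttributeName="uid"><saml1:AttributeValue>testua</saml1:AttributeValue></saml1:Attribute>
<saml1:Attribute AttributeName="sn"><saml1:AttributeValue>estua</saml1:AttributeValue></saml1:Attribute>
</saml1:AttributeStatement></saml1:Assertion></saml1p:Response>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % value)


def check_saml11_response(xml_text, expected_service, now, skew=timedelta(0)):
    """Return the user, attributes and a list of failed checks (findings)."""
    if "<!DOCTYPE" in xml_text:
        # A validation response has no reason to carry a DTD; do not parse one.
        raise ValueError("refusing to parse a response that carries a DTD")
    root = ET.fromstring(xml_text.strip())
    response = root.find("soap:Body/samlp:Response", NS)
    if response is None:
        raise ValueError("no SAML 1.x Response in the SOAP body")

    result = {"user": None, "attributes": {}, "findings": []}
    findings = result["findings"]

    # StatusCode is a QName such as "saml1p:Success"; compare the local part.
    code = response.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value", "").split(":")[-1] if code is not None else ""
    if status != "Success":
        findings.append("status: %r, not Success" % status)

    assertion = response.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("assertion: none present")
        return result

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("conditions: none present")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_ts(nb):
            findings.append("not-yet-valid: NotBefore is %s" % nb)
        if noa and now - skew >= parse_ts(noa):
            findings.append("expired: NotOnOrAfter is %s" % noa)
        audiences = [(a.text or "").strip() for a in cond.findall(
            "saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if expected_service not in audiences:
            findings.append("audience: %r not in %r" % (expected_service, audiences))

    user = assertion.findtext(
        "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier",
        namespaces=NS)
    result["user"] = user.strip() if user else None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        result["attributes"][attr.get("AttributeName")] = values
    return result


if __name__ == "__main__":
    clock = datetime(2014, 6, 16, 21, 45, 21, tzinfo=timezone.utc)
    print(check_saml11_response(SAMPLE, "https://w4.mines.edu/castest", clock))
```
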
