On Mon, Jun 16, 2014 at 6:16 PM, Matthew B. Brookover
<mbroo...@mines.edu> wrote:
> Hi, I am still attempting to get CAS to release attributes and not
> having much luck.
>
> My user goes to the web site, logs in, and gets a 401 http code with
> the message "This server could not verify that you are authorized to
> access the document requested.  Either you supplied the wrong
> credentials (e.g. bad password), or your browser doesn't understand how
> to supply the credentials required."
>
> My cas configuration points CASValidateURL to the samlValidate (thank
> you Andrew Morgan for that tip) target:
> LoadModule auth_cas_module modules/mod_auth_cas.so
> <IfModule mod_auth_cas.c>
> CASLoginURL https://cas-dev.mines.edu/cas/login
> CASVersion 2
>
> CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
> CASValidateSAML On
>
> CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
> CASCookiePath /var/tmp/cas/
> CASSSOEnabled On
> CASValidateServer On
> CASAttributePrefix boobooboo
> CASDebug On
> </IfModule>
>
> Grasping at straws, I moved from a server running CentOS 5.10 to one
> running 6.5.  Mostly hoping that the newer version of curl and other
> libraries would help, but the result is the same.
>
> When I use CASValidateURL pointed at
> https://cas-dev.mines.edu/cas/serviceValidate, the user can log in and
> see the content, but no attributes.  When I use
> https://cas-dev.mines.edu/cas/samlValidate I get the 401, but the
> attributes do show up in the debug logs so attributes are getting
> released, but the session is not getting validated.
>
> Here are the debug logs from mod_auth_cas from httpd:
> [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(1745): [client 
> 138.67.125.10] Entering cas_authenticate()
> [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(519): [client 
> 138.67.125.10] entering getCASService()
> [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(539): [client 
> 138.67.125.10] CAS Service 'https%3a%2f%2fw4.mines.edu%2fcastest'
> [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(485): [client 
> 138.67.125.10] entering getCASLoginURL()
> [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(462): [client 
> 138.67.125.10] entering getCASGateway()
> [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(555): [client 
> 138.67.125.10] entering redirectRequest()
> [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(567): [client 
> 138.67.125.10] Adding outgoing header: Location: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
> [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(1745): [client 
> 138.67.125.10] Entering cas_authenticate(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
> [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(607): [client 
> 138.67.125.10] Modified r->args (old 
> 'ticket=ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu', new ''), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
> [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(1600): [client 
> 138.67.125.10] entering getResponseFromServer(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
> [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(519): [client 
> 138.67.125.10] entering getCASService(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
> [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(539): [client 
> 138.67.125.10] CAS Service 'https%3a%2f%2fw4.mines.edu%2fcastest', referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
> [Mon Jun 16 15:45:21 2014] [debug] mod_auth_cas.c(1674): [client 
> 138.67.125.10] Validation response: <?xml version="1.0" 
> encoding="UTF-8"?><SOAP-ENV:Envelope 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response
>  xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
> IssueInstant="2014-06-16T21:45:20.963Z" MajorVersion="1" MinorVersion="1" 
> Recipient="https://w4.mines.edu/castest" 
> ResponseID="_4e06e9d9ac93a830cbd92e27e3eb9cd4"><saml1p:Status><saml1p:StatusCode
>  Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="_8a9db6ecf524737797da624df57f5e70" 
> IssueInstant="2014-06-16T21:45:20.963Z" Issuer="localhost" MajorVersion="1" 
> MinorVersion="1"><saml1:Conditions NotBefore="2014-06-16T21:45:20.963Z" 
> NotOnOrAfter="2014-06-16T21:45:50.963Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://w4.mines.edu/castest</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
>  AuthenticationInstant="2014-06-16T21:45:20.725Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
>  AttributeName="uid" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">testua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="mail" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">tes...@mines.edu</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="sn" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">estua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="cn" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">estua, 
> t</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
>  referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
> [Mon Jun 16 15:45:21 2014] [debug] mod_auth_cas.c(1293): [client 
> 138.67.125.10] entering isValidCASTicket(), referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
> [Mon Jun 16 15:45:21 2014] [debug] mod_auth_cas.c(1299): [client 
> 138.67.125.10] MOD_AUTH_CAS: response = <?xml version="1.0" 
> encoding="UTF-8"?><SOAP-ENV:Envelope 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response
>  xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
> IssueInstant="2014-06-16T21:45:20.963Z" MajorVersion="1" MinorVersion="1" 
> Recipient="https://w4.mines.edu/castest" 
> ResponseID="_4e06e9d9ac93a830cbd92e27e3eb9cd4"><saml1p:Status><saml1p:StatusCode
>  Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
> AssertionID="_8a9db6ecf524737797da624df57f5e70" 
> IssueInstant="2014-06-16T21:45:20.963Z" Issuer="localhost" MajorVersion="1" 
> MinorVersion="1"><saml1:Conditions NotBefore="2014-06-16T21:45:20.963Z" 
> NotOnOrAfter="2014-06-16T21:45:50.963Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://w4.mines.edu/castest</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
>  AuthenticationInstant="2014-06-16T21:45:20.725Z" 
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
>  AttributeName="uid" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">testua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="mail" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">tes...@mines.edu</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="sn" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">estua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
>  AttributeName="cn" 
> AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue
>  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">estua, 
> t</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
>  referer: 
> https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest

mod_auth_cas 1.0.9.1 cannot parse the <saml1p:StatusCode
Value="saml1p:Success"/> part of this response.

To get around this, either use git master or use the patch from
https://github.com/Jasig/mod_auth_cas/pull/46/files.
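
An added example, not part of the original message and not mod_auth_cas code: a namespace-aware check of a samlValidate response like the one logged above. It resolves the prefix in the StatusCode Value through the namespace declarations in scope, then checks the validity window and audience before returning attributes. The function name, return shape and the trimmed sample are assumptions of this example.

```python
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: the logged response trimmed to the fields checked below.
SAMPLE = """<E:Envelope xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"><E:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
<saml1:Conditions NotBefore="2014-06-16T21:45:20.963Z" NotOnOrAfter="2014-06-16T21:45:50.963Z">
<saml1:AudienceRestrictionCondition><saml1:Audience>https://w4.mines.edu/castest</saml1:Audience>
</saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AttributeStatement>
<saml1:Attribute AttributeName="uid"><saml1:AttributeValue>testua</saml1:AttributeValue>
</saml1:Attribute></saml1:AttributeStatement></saml1:Assertion>
</saml1p:Response></E:Body></E:Envelope>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate(xml_text, service, now):
    """Return (attributes, None) if the response is acceptable, else (None, reason)."""
    scope, undo, root, status = {}, [], None, None
    events = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns", "end-ns", "start"))
    for event, item in events:
        if event == "start-ns":            # item is (prefix, namespace URI)
            scope.setdefault(item[0], []).append(item[1])
            undo.append(item[0])
        elif event == "end-ns":            # leaving the element that declared a prefix
            scope[undo.pop()].pop()
        else:
            root = item if root is None else root
            if status is None and item.tag == "{%s}StatusCode" % SAMLP:
                # Value is a QName: resolve its prefix with the bindings in scope here.
                prefix, _, local = item.get("Value", "").rpartition(":")
                status = ((scope.get(prefix) or [None])[-1], local)
    if status != (SAMLP, "Success"):
        return None, "status is not Success"
    cond = root.find(".//{%s}Conditions" % SAML)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return None, "outside validity window"
    if service not in [a.text for a in cond.iter("{%s}Audience" % SAML)]:
        return None, "audience mismatch"
    attrs = {a.get("AttributeName"): [v.text for v in a.findall("{%s}AttributeValue" % SAML)]
             for a in root.iter("{%s}Attribute" % SAML)}
    return attrs, None
```

Because the status is compared as a (namespace URI, local name) pair, the same response is accepted whether the server binds the protocol namespace to `saml1p` or to another prefix, and a prefix bound to a different namespace is rejected.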
