Re: [cas-user] CAS attributes via SAML not working
...to retrieve ticket [TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu]
2014-06-16 15:45:20,737 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu] found in registry.
2014-06-16 15:45:20,739 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu] to registry.
2014-06-16 15:45:20,740 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu] for service [https://w4.mines.edu/castest] for user [testua]
2014-06-16 15:45:20,740 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu]
2014-06-16 15:45:20,740 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-1-1xi4cSujXc26h5b1a7zYlsPNZgiMTFH5TSjYYvkbtYGaNcbIP0-cas-dev.mines.edu] found in registry.
2014-06-16 15:45:20,740 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: testua
WHAT: ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu for https://w4.mines.edu/castest
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Jun 16 15:45:20 MDT 2014
CLIENT IP ADDRESS: 138.67.125.10
SERVER IP ADDRESS: 138.67.208.149
=============================================================
2014-06-16 15:45:20,749 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - Terminate web session B4993A5F1694DB20C6E607A442AA466B in 2 seconds
2014-06-16 15:45:20,749 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - Terminate web session B4993A5F1694DB20C6E607A442AA466B in 2 seconds
2014-06-16 15:45:20,881 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Attempted to extract Request from HttpServletRequest. Results:
2014-06-16 15:45:20,881 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Request Body: <?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1"><samlp:AssertionArtifact>ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
2014-06-16 15:45:20,881 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Extracted ArtifactId: ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu
2014-06-16 15:45:20,881 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Extracted Request Id: null
2014-06-16 15:45:20,881 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor generated service for: https://w4.mines.edu/castest
2014-06-16 15:45:20,884 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu]
2014-06-16 15:45:20,884 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu] found in registry.
2014-06-16 15:45:20,888 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal id to return for service [W4 Test Service] is [testua]. The default principal id is [testua].
2014-06-16 15:45:20,890 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu] from registry
2014-06-16 15:45:20,891 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu]
2014-06-16 15:45:20,891 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon Jun 16 15:45:20 MDT 2014
CLIENT IP ADDRESS: 138.67.1.18
SERVER IP ADDRESS: 138.67.208.149
=============================================================
2014-06-16 15:45:20,903 DEBUG [org.jasig.cas.web.ServiceValidateController] - Successfully validated service ticket: ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu
2014-06-16 15:45:20,903 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Attempted to extract Request from HttpServletRequest. Results:
2014-06-16 15:45:20,903 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Request Body:
2014-06-16 15:45:20,903 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Extracted ArtifactId: null
2014-06-16 15:45:20,903 DEBUG [org.jasig.cas.authentication.principal.SamlService] - Extracted Request Id: null

At this point, I am out of ideas. If you have any suggestions, please let me know.

Matt

On Tue, 2014-06-10 at 15:30 -0600, Matthew B. Brookover wrote:
> On Tue, 2014
[cas-user] CAS attributes via SAML not working
Hi,

I am new to CAS and am having some problems with getting attributes released through SAML. I have set up cas 3.2.5.1 and mod_auth_cas-1.0.9.1. The users and the attributes I would like to release are stored in LDAP.

If CASValidateSAML is set to Off, the user can log in, but the attributes are not released. If I set CASValidateSAML to On, I get "This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password) or your browser doesn't understand how to supply the credentials required" and the user is not able to see the protected web pages.

I turned on debugging in both CAS and mod_auth_cas, and the attributes are in the cas.log, so they are making it to CAS from LDAP. When CASValidateSAML is On, I get errors from CasArgumentExtractor and ServiceValidateController:

2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.ServiceValidateController] - Could not process request; Service: null, Service Ticket Id: null

There are corresponding errors from mod_auth_cas:

[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] Validation response: \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039; parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1293): [client 138.67.125.10] entering isValidCASTicket(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1299): [client 138.67.125.10] MOD_AUTH_CAS: response = \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039; parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f

Why does the validation response include 'http://www.yale.edu/tp/cas'? Did I miss something in the configuration? If I had to guess, it is some sort of XML documentation reference, but, to be honest, I do not know that much about XML. There is no reference to yale in either cas.properties or deployerConfigContext.xml.

Below, I have included the configuration from the test web server for mod_auth_cas and more of the debug logs from the CAS server and mod_auth_cas, and I have attached my deployerConfigContext.xml and cas.properties files.

Here is the mod_auth_cas configuration in httpd:

LoadModule auth_cas_module modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
    CASLoginURL https://cas-dev.mines.edu/cas/login
    CASVersion 2
    CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
    CASValidateSAML On
    CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
    CASCookiePath /var/tmp/cas/
    CASSSOEnabled On
    CASValidateServer On
    CASDebug On
</IfModule>

<Directory /var/www/html/castest>
    AuthType CAS
    AuthName "Mines development CAS"
    CASAuthNHeader On
    Require valid-user
</Directory>

The CASValidateSAML directive is not listed in the documentation on https://wiki.jasig.org/display/CASC/mod_auth_cas, but is listed in the README file that is included with the mod_auth_cas source code. Is CASValidateSAML the correct way to get mod_auth_cas to process SAML attributes?

Here is a bigger section of the CAS log file that includes the attribute map for my test user (testua):

2014-06-09 15:42:53,569 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP bind with credential: uid=testua,ou=People2,dc=mines,dc=edu
2014-06-09 15:42:53,683 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: testua]
2014-06-09 15:42:53,683 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Attempting to resolve a principal...
2014-06-09 15:42:53,683 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
2014-06-09 15:42:53,683 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [testua]
2014-06-09 15:42:53,683 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Resolved testua. Trying LDAP resolve now...
2014-06-09 15:42:53,684 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - LDAP search with filter (uid=testua)
2014-06-09 15:42:53,684
Re: [cas-user] CAS attributes via SAML not working
On Tue, 2014-06-10 at 12:35 -0700, Andrew Morgan wrote:
> On Tue, 10 Jun 2014, Matthew B. Brookover wrote:
> > Hi, I am new to CAS and am having some problems with getting attributes released through SAML. I have set up cas 3.2.5.1 and
> >
> > Here is the mod_auth_cas configuration in httpd:
> >
> > LoadModule auth_cas_module modules/mod_auth_cas.so
> > <IfModule mod_auth_cas.c>
> >     CASLoginURL https://cas-dev.mines.edu/cas/login
> >     CASVersion 2
> >     CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
> >     CASValidateSAML On
>
> Shouldn't the CASValidateURL be changed to:
>
> CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
>
> serviceValidate only works for the CAS protocol. Clients must contact samlValidate for the SAML protocol ticket validation. This might also explain your errors from CasArgumentExtractor and ServiceValidateController.
>
> Andy

Hi Andy,

I tried the /cas/samlValidate URL and the attributes show up in the logs. In fact, the logs make it look like things are working, except for the fact that I still get the "This server could not verify that you are..." message in the web browser.

The logs:

[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] Entering cas_authenticate()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] entering getCASService()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f'
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(485): [client 138.67.125.10] entering getCASLoginURL()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(462): [client 138.67.125.10] entering getCASGateway()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(555): [client 138.67.125.10] entering redirectRequest()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(567): [client 138.67.125.10] Adding outgoing header: Location: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] Entering cas_authenticate(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(607): [client 138.67.125.10] Modified r->args (old 'ticket=ST-3-HiJjnoAPVtfGGgi4YxaQ-cas-dev.mines.edu', new ''), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1600): [client 138.67.125.10] entering getResponseFromServer(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] entering getCASService(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f', referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] Validation response:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2014-06-10T20:40:47.253Z" MajorVersion="1" MinorVersion="1" Recipient="https://nineoften.mines.edu/castest/" ResponseID="_978d48864e870edb73451795582858cb">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_8691358e49dd25dc8f2bb7b376d47a15" IssueInstant="2014-06-10T20:40:47.253Z" Issuer="localhost" MajorVersion="1" MinorVersion="1">
<saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" NotOnOrAfter="2014-06-10T20:41:17.253Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions>
<saml1:AuthenticationStatement AuthenticationInstant="2014-06-10T20:40:47.147Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement>
<saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject>
<saml1:Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">testua</saml1:AttributeValue>
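As an added example (not code from the thread, from CAS or from mod_auth_cas), the Python below applies to a /samlValidate response like the one quoted above the checks a client must pass before it accepts the user: that the body is a SAML 1.1 response at all (the CAS-protocol `<cas:serviceResponse>` returned by /serviceValidate in the first post fails this step), that the status is Success, that the Conditions window covers the client's clock, and that the Audience is the requesting service. The sample response is constructed from the quoted one with shortened IDs; `parse_saml_validate` and `_utc` are names introduced here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces of a CAS /samlValidate response: SAML 1.1 carried in a SOAP 1.1 envelope.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample modelled on the response quoted in the thread (IDs shortened, xsi:type dropped).
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1"
 IssueInstant="2014-06-10T20:40:47.253Z" Recipient="https://nineoften.mines.edu/castest/" ResponseID="_978d4886">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_8691358e" Issuer="localhost"
 IssueInstant="2014-06-10T20:40:47.253Z" MajorVersion="1" MinorVersion="1">
<saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" NotOnOrAfter="2014-06-10T20:41:17.253Z">
<saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience>
</saml1:AudienceRestrictionCondition></saml1:Conditions>
<saml1:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier></saml1:Subject></saml1:AuthenticationStatement>
<saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier></saml1:Subject>
<saml1:Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue>testua</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement>
</saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

def _utc(stamp, fmt="%Y-%m-%dT%H:%M:%S.%fZ"):
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)

def parse_saml_validate(xml_text, expected_audience, now_iso):
    """Return (user, attributes) after the checks a client owes the assertion before trusting it;
    raise ValueError otherwise. now_iso is the client's own clock, e.g. "2014-06-10T20:41:00Z"."""
    resp = ET.fromstring(xml_text).find("soap:Body/samlp:Response", NS)
    if resp is None:  # e.g. a <cas:serviceResponse> came back because CASValidateURL still points at /serviceValidate
        raise ValueError("not a SAML 1.1 response: check that CASValidateURL points at /samlValidate")
    code = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value", "")
    if not code.endswith(":Success"):
        raise ValueError("validation failed with status " + code)
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    now = _utc(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window (clock skew between client and CAS?)")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion issued for another service: " + repr(audiences))
    user = assertion.findtext("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", namespaces=NS)
    attrs = {}  # AttributeName -> list of values (SAML attributes are multi-valued)
    for att in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(att.get("AttributeName"), []).extend(v.text for v in att.iterfind("saml:AttributeValue", NS))
    return user, attrs
```

In production, parse with defusedxml rather than the stdlib parser, and keep CASValidateServer On with a pinned CASCertificatePath: the SAML 1.1 assertion CAS returns here is unsigned, so it is only as trustworthy as the TLS channel it arrived over.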