Re: [cas-user] CAS attributes via SAML not working
Hi,

I am still attempting to get CAS to release attributes and not having much luck. My user goes to the web site, logs in, and gets a 401 HTTP code with the message "This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g. bad password), or your browser doesn't understand how to supply the credentials required."

My CAS configuration points CASValidateURL to the samlValidate target (thank you Andrew Morgan for that tip):

    LoadModule auth_cas_module modules/mod_auth_cas.so
    <IfModule mod_auth_cas.c>
        CASLoginURL https://cas-dev.mines.edu/cas/login
        CASVersion 2
        CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
        CASValidateSAML On
        CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
        CASCookiePath /var/tmp/cas/
        CASSSOEnabled On
        CASValidateServer On
        CASAttributePrefix boobooboo
        CASDebug On
    </IfModule>

Grasping at straws, I moved from a server running CentOS 5.10 to one running 6.5, mostly hoping that the newer version of curl and other libraries would help, but the result is the same.

When I use CASValidateURL pointed at https://cas-dev.mines.edu/cas/serviceValidate, the user can log in and see the content, but no attributes. When I use https://cas-dev.mines.edu/cas/samlValidate I get the 401, but the attributes do show up in the debug logs, so attributes are getting released but the session is not getting validated.

Here are the debug logs from mod_auth_cas from httpd:

    [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] Entering cas_authenticate()
    [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] entering getCASService()
    [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] CAS Service 'https%3a%2f%2fw4.mines.edu%2fcastest'
    [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(485): [client 138.67.125.10] entering getCASLoginURL()
    [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(462): [client 138.67.125.10] entering getCASGateway()
    [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(555): [client 138.67.125.10] entering redirectRequest()
    [Mon Jun 16 15:45:07 2014] [debug] mod_auth_cas.c(567): [client 138.67.125.10] Adding outgoing header: Location: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
    [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] Entering cas_authenticate(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
    [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(607): [client 138.67.125.10] Modified r->args (old 'ticket=ST-1-ZNUMSFN4lgafoxDSH5g0-cas-dev.mines.edu', new ''), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
    [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(1600): [client 138.67.125.10] entering getResponseFromServer(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
    [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] entering getCASService(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
    [Mon Jun 16 15:45:20 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] CAS Service 'https%3a%2f%2fw4.mines.edu%2fcastest', referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fw4.mines.edu%2fcastest
    [Mon Jun 16 15:45:21 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] Validation response:
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2014-06-16T21:45:20.963Z" MajorVersion="1" MinorVersion="1" Recipient="https://w4.mines.edu/castest" ResponseID="_4e06e9d9ac93a830cbd92e27e3eb9cd4">
          <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
          <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_8a9db6ecf524737797da624df57f5e70" IssueInstant="2014-06-16T21:45:20.963Z" Issuer="localhost" MajorVersion="1" MinorVersion="1">
            <saml1:Conditions NotBefore="2014-06-16T21:45:20.963Z" NotOnOrAfter="2014-06-16T21:45:50.963Z">
              <saml1:AudienceRestrictionCondition><saml1:Audience>https://w4.mines.edu/castest</saml1:Audience></saml1:AudienceRestrictionCondition>
            </saml1:Conditions>
            <saml1:AuthenticationStatement AuthenticationInstant="2014-06-16T21:45:20.725Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
              <saml1:Subject>
                <saml1:NameIdentifier>testua</saml1:NameIdentifier>
                <saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation>
              </saml1:Subject>
            </saml1:AuthenticationStatement>
            <saml1:AttributeStatement>
              <saml1:Subject>
                <saml1:NameIdentifier>testua</saml1:NameIdentifier>
                <saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation>
              </saml1:Subject>
              <saml1:Attribute
Re: [cas-user] CAS attributes via SAML not working
On Tue, 10 Jun 2014, Matthew B. Brookover wrote:

> Hi, I am new to CAS and am having some problems with getting attributes released through SAML. I have set up CAS 3.2.5.1 and mod_auth_cas-1.0.9.1. The users and the attributes I would like to release are stored in LDAP.
>
> If CASValidateSAML is Off, the user can log in, but the attributes are not released. If I set CASValidateSAML to On, I get:
>
>     This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password) or your browser doesn't understand how to supply the credentials required
>
> and the user is not able to see the protected web pages.
>
> I turned on debugging in both CAS and mod_auth_cas, and the attributes are in the cas.log, so they are making it to CAS from LDAP. When CASValidateSAML is On, I get errors from CasArgumentExtractor and ServiceValidateController:
>
>     2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
>     2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.ServiceValidateController] - Could not process request; Service: null, Service Ticket Id: null
>
> There are corresponding errors from mod_auth_cas:
>
>     [Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] Validation response: \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039; parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
>     [Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1293): [client 138.67.125.10] entering isValidCASTicket(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
>     [Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1299): [client 138.67.125.10] MOD_AUTH_CAS: response = \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039; parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
>
> Why does the validation response include 'http://www.yale.edu/tp/cas'? Did I miss something in the configuration? If I had to guess, it is some sort of XML documentation reference, but, to be honest, I do not know that much about XML. There is no reference to yale in either cas.properties or deployerConfigContext.xml.
>
> Below, I have included the configuration from the test web server for mod_auth_cas and more of the debug logs from the CAS server and mod_auth_cas, and I have attached my deployerConfigContext.xml and cas.properties files.
>
> Here is the mod_auth_cas configuration in httpd:
>
>     LoadModule auth_cas_module modules/mod_auth_cas.so
>     <IfModule mod_auth_cas.c>
>         CASLoginURL https://cas-dev.mines.edu/cas/login
>         CASVersion 2
>         CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
>         CASValidateSAML On

Shouldn't the CASValidateURL be changed to:

    CASValidateURL https://cas-dev.mines.edu/cas/samlValidate

serviceValidate only works for the CAS protocol. Clients must contact samlValidate for the SAML protocol ticket validation. This might also explain your errors from CasArgumentExtractor and ServiceValidateController.

Andy

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] CAS attributes via SAML not working
On Tue, 2014-06-10 at 12:35 -0700, Andrew Morgan wrote:

> On Tue, 10 Jun 2014, Matthew B. Brookover wrote:
>
>> Hi, I am new to CAS and am having some problems with getting attributes released through SAML. I have set up CAS 3.2.5.1 and
>>
>> Here is the mod_auth_cas configuration in httpd:
>>
>>     LoadModule auth_cas_module modules/mod_auth_cas.so
>>     <IfModule mod_auth_cas.c>
>>         CASLoginURL https://cas-dev.mines.edu/cas/login
>>         CASVersion 2
>>         CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
>>         CASValidateSAML On
>
> Shouldn't the CASValidateURL be changed to:
>
>     CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
>
> serviceValidate only works for the CAS protocol. Clients must contact samlValidate for the SAML protocol ticket validation. This might also explain your errors from CasArgumentExtractor and ServiceValidateController.
>
> Andy

Hi Andy,

I tried the /cas/samlValidate URL and the attributes show up in the logs. In fact, the logs make it look like things are working, except for the fact that I still get the "This server could not verify that you are..." message in the web browser.

The logs:

    [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] Entering cas_authenticate()
    [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] entering getCASService()
    [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f'
    [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(485): [client 138.67.125.10] entering getCASLoginURL()
    [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(462): [client 138.67.125.10] entering getCASGateway()
    [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(555): [client 138.67.125.10] entering redirectRequest()
    [Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(567): [client 138.67.125.10] Adding outgoing header: Location: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
    [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] Entering cas_authenticate(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
    [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(607): [client 138.67.125.10] Modified r->args (old 'ticket=ST-3-HiJjnoAPVtfGGgi4YxaQ-cas-dev.mines.edu', new ''), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
    [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1600): [client 138.67.125.10] entering getResponseFromServer(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
    [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] entering getCASService(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
    [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f', referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
    [Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] Validation response:
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2014-06-10T20:40:47.253Z" MajorVersion="1" MinorVersion="1" Recipient="https://nineoften.mines.edu/castest/" ResponseID="_978d48864e870edb73451795582858cb">
          <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
          <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_8691358e49dd25dc8f2bb7b376d47a15" IssueInstant="2014-06-10T20:40:47.253Z" Issuer="localhost" MajorVersion="1" MinorVersion="1">
            <saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" NotOnOrAfter="2014-06-10T20:41:17.253Z">
              <saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience></saml1:AudienceRestrictionCondition>
            </saml1:Conditions>
            <saml1:AuthenticationStatement AuthenticationInstant="2014-06-10T20:40:47.147Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
              <saml1:Subject>
                <saml1:NameIdentifier>testua</saml1:NameIdentifier>
                <saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation>
              </saml1:Subject>
            </saml1:AuthenticationStatement>
            <saml1:AttributeStatement>
              <saml1:Subject>
                <saml1:NameIdentifier>testua</saml1:NameIdentifier>
                <saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation>
              </saml1:Subject>
              <saml1:Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/">
                <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
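Added example, not mod_auth_cas code and not from anyone in this thread: the checks a SAML 1.1 relying party has to make on a /samlValidate response of the shape logged above (status, audience against the service URL, the NotBefore/NotOnOrAfter window, then the released attributes), reporting which one rejects the assertion. SAMPLE is a constructed response modelled on the logs; the 30-second validity window CAS issues there is why the validating host's clock matters.

```python
# Added example, not mod_auth_cas code: the checks a SAML 1.1 relying party
# makes on a CAS /samlValidate response before trusting the attributes in it.
# SAMPLE is constructed after the shape of the responses logged in this thread.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml1p": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml1": "urn:oasis:names:tc:SAML:1.0:assertion"}
SERVICE = "https://nineoften.mines.edu/castest/"

SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1"
 IssueInstant="2014-06-10T20:40:47.253Z" Recipient="https://nineoften.mines.edu/castest/" ResponseID="_r1">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1" Issuer="localhost"
 IssueInstant="2014-06-10T20:40:47.253Z" MajorVersion="1" MinorVersion="1">
<saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" NotOnOrAfter="2014-06-10T20:41:17.253Z">
<saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience>
</saml1:AudienceRestrictionCondition></saml1:Conditions>
<saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier></saml1:Subject>
<saml1:Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue>testua</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement>
</saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

def ts(s):
    """Parse the UTC timestamps CAS writes (ISO 8601, milliseconds, trailing Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, service, now, skew_seconds=0):
    """Return (ok, reason, attributes) for one response, judged at time `now`
    on the validating host's clock; `skew_seconds` is the tolerated clock drift."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    code = root.find(".//saml1p:Status/saml1p:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return False, "status", {}
    assertion = root.find(".//saml1:Assertion", NS)
    if assertion is None:
        return False, "no-assertion", {}
    # Audience must equal the service URL sent to /login, byte for byte: a
    # trailing slash or a host alias makes it a different audience.
    if service not in [a.text for a in assertion.iterfind(".//saml1:Audience", NS)]:
        return False, "audience", {}
    cond = assertion.find("saml1:Conditions", NS)
    skew = timedelta(seconds=skew_seconds)
    if now < ts(cond.get("NotBefore")) - skew or now >= ts(cond.get("NotOnOrAfter")) + skew:
        return False, "time", {}  # the window CAS issues here is only 30 s wide
    attrs = {}
    for att in assertion.iterfind(".//saml1:AttributeStatement/saml1:Attribute", NS):
        attrs.setdefault(att.get("AttributeName"), []).extend(
            v.text for v in att.iterfind("saml1:AttributeValue", NS))
    return True, "ok", attrs

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, SERVICE, ts("2014-06-10T20:40:50.000Z")))
```

Run it with `now` set a minute before the assertion's IssueInstant to see the same "valid looking" response rejected on time alone, which is what a web server whose clock lags the CAS server would do.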