Thanks for your response! Could you give me a bit more detail about the 
Relying State? Where did you make your fixes? Just in config files or did 
you patch any of the provided classes / Thymeleaf templates from CAS?

In my logs I can at least see that CAS is recognizing the query param from 
ADFS.

...
2017-03-07 16:02:07,613 INFO [org.apereo.cas.support.saml.web.idp.profile.SSOPostProfileHandlerController] - <Received SAML profile request [/cas/idp/profile/SAML2/Redirect/SSO]>
2017-03-07 16:02:07,613 DEBUG [org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder] - <Beginning to decode message from HttpServletRequest>
2017-03-07 16:02:07,613 DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder] - <Decoded RelayState: 53595943-1098-47ab-8f08-e24a00e8a7b1>
2017-03-07 16:02:07,613 DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder] - <Base64 decoding and inflating SAML message>
...

Any additional hints are very welcome :)

Best
-- Robert

On Tuesday, March 7, 2017 at 3:21:18 PM UTC+1, Lê Thành wrote:
>
> I have fixed this issue. The problem occurs when CAS redirects to the AD 
> FS, it did not retain Relying State. You can fix this by saving this param 
> and resending it with the redirecting URL to AD FS. 
> Good luck
>
> On Tue, Mar 7, 2017, 8:50 PM Robert Ledermüller <[email protected]> wrote:
>
>> Hi,
>>
>> I'm having the exact same issue. Did you find any solution yet?
>>
>> Best
>> -- Robert
>>
>>
>> On Tuesday, November 22, 2016 at 11:37:36 AM UTC+1, Lê Thành wrote:
>>
>>> Hi,
>>>
>>> I'm configuring CAS 5.0.0 (Release) to work with AD FS 3 by SAML2 
>>> Authentication. In my case CAS acts as an IdP, everything works fine but AD 
>>> FS can't parse SAMLResponse. It throws an exception:
>>>
>>>> Microsoft.IdentityServer.Web.UnsupportedSamlResponseException: MSIS7029: The SAML response has content that is not supported.
>>>>    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
>>>>    at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
>>>>    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
>>>>
>>>
>>> against SAMLResponse:
>>>
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>>>>                  Destination="https://leth.teca.vn/adfs/ls/"
>>>>                  ID="_8125126804174747431" InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
>>>>                  IssueInstant="2016-11-22T09:07:03.187Z" Version="2.0"
>>>>                  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>>>>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>>>                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://cas.bhxh.vn:8443/cas/idp
>>>>     </saml2:Issuer>
>>>>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>         <ds:SignedInfo>
>>>>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>>>             <ds:Reference URI="#_8125126804174747431">
>>>>                 <ds:Transforms>
>>>>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>>                         <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>                     </ds:Transform>
>>>>                 </ds:Transforms>
>>>>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>>>                 <ds:DigestValue>DlBC3aKXqTSiFelrBEk5jbgsQeMlDWLMvkeZ7wuaPGA=</ds:DigestValue>
>>>>             </ds:Reference>
>>>>         </ds:SignedInfo>
>>>>         <ds:SignatureValue>
>>>>             
>>>> OG+wEuMdzIyM3yLTpB2RnbicKcCBHRt9et9Cti60Qs8N3G+maQCiOvgbKmzdoZsM9y2HTGiNkgkB
>>>>             
>>>> 9qUsAO072PyOhtH5IkDe72eMB5QzhVkNPPOkhME0wo4lxTI/gvfG/vnJwkYtAignlOkl9/zppWeG
>>>>             
>>>> 2FEeZFA/MoirpiheP2R+hEZVQw8aftF0a2Quy/GpVs3dWRN5nZXSPAkoYEtTmLcWGOjkZYul563X
>>>>             
>>>> GUbHreYxHBLFT8IYvcD6bJwKp9S1MNOfGOBddkH5FiA1Ena0gP4ONCGZ/Q+JDshTBuPZ3yJrjGMl
>>>>             oOjRlw2sk741f+jHcATtxk7r6pyq71PwgwrJXg==
>>>>         </ds:SignatureValue>
>>>>         <ds:KeyInfo>
>>>>             <ds:X509Data>
>>>>                 
>>>> <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
>>>>                     
>>>> A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
>>>>                     
>>>> VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
>>>>                     
>>>> zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
>>>>                     
>>>> unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
>>>>                     
>>>> /15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
>>>>                     
>>>> y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
>>>>                     
>>>> bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
>>>>                     
>>>> 1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
>>>>                     
>>>> hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
>>>>                     
>>>> SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
>>>>                     
>>>> Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
>>>>                     
>>>> zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
>>>>                     
>>>> 7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==
>>>>                 </ds:X509Certificate>
>>>>             </ds:X509Data>
>>>>         </ds:KeyInfo>
>>>>     </ds:Signature>
>>>>     <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>>>         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>>>>         <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
>>>>     </saml2p:Status>
>>>>     <saml2:Assertion ID="_6777774035950654943" IssueInstant="2016-11-22T09:07:03.128Z" Version="2.0"
>>>>                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>>>>         <saml2:Issuer>https://cas.bhxh.vn:8443/cas/idp</saml2:Issuer>
>>>>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>             <ds:SignedInfo>
>>>>                 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>                 <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>>>                 <ds:Reference URI="#_6777774035950654943">
>>>>                     <ds:Transforms>
>>>>                         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>>                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>>                             <ec:InclusiveNamespaces PrefixList="xsd"
>>>>                                                     xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>                         </ds:Transform>
>>>>                     </ds:Transforms>
>>>>                     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>>>                     <ds:DigestValue>7kDPmghSrp8C7L0RW1LxToCS1KlKEXV3T3oUJjhorAk=</ds:DigestValue>
>>>>                 </ds:Reference>
>>>>             </ds:SignedInfo>
>>>>             <ds:SignatureValue>
>>>>                 
>>>> cmuGUsUU2vUYQW4+enWyDi/eSUYHMAU2NTVqZFjksIIwR7Pp192fBlDmoFsmLDBVx77yOdjeQ1yh
>>>>                 
>>>> jOMCMk1zljpwRhAVvUzk6Oi8wr9VKkMl5jX15cKb7mZnABAG7R3/H5uLPzPCWhxlai/T2XwC4it9
>>>>                 
>>>> L/4kj7yLJsyLcWQjYTmomsdBWPD52P9YQ5pOZ8xbbayA1nT6J9LV0MkixsNvQ6FK5Pe20XY1W8ev
>>>>                 
>>>> 9qSg1YUeqr9rpQnOWiZHPx/pCyHIJFGFfvBjc29FJUwJmLsrRnrtLA7ZJJGJfys1+Z9LnJ4Wrv75
>>>>                 u8a3yOOhDZi63mBlhAAMiy51OTfMaFLOg3U45w==
>>>>             </ds:SignatureValue>
>>>>             <ds:KeyInfo>
>>>>                 <ds:X509Data>
>>>>                     
>>>> <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
>>>>                         
>>>> A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
>>>>                         
>>>> VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
>>>>                         
>>>> zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
>>>>                         
>>>> unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
>>>>                         
>>>> /15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
>>>>                         
>>>> y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
>>>>                         
>>>> bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
>>>>                         
>>>> 1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
>>>>                         
>>>> hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
>>>>                         
>>>> SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
>>>>                         
>>>> Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
>>>>                         
>>>> zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
>>>>                         
>>>> 7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==
>>>>                     </ds:X509Certificate>
>>>>                 </ds:X509Data>
>>>>             </ds:KeyInfo>
>>>>         </ds:Signature>
>>>>         <saml2:Subject>
>>>>             <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">[email protected]
>>>>             </saml2:NameID>
>>>>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>>                 <saml2:SubjectConfirmationData InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
>>>>                                                NotOnOrAfter="2016-11-22T09:12:03.022Z"/>
>>>>             </saml2:SubjectConfirmation>
>>>>         </saml2:Subject>
>>>>         <saml2:Conditions NotBefore="2016-11-22T09:07:03.151Z" NotOnOrAfter="2016-11-22T09:12:03.151Z">
>>>>             <saml2:AudienceRestriction>
>>>>                 <saml2:Audience>http://leth.teca.vn/adfs/services/trust</saml2:Audience>
>>>>             </saml2:AudienceRestriction>
>>>>         </saml2:Conditions>
>>>>         <saml2:AuthnStatement AuthnInstant="2016-11-22T09:07:03.022Z">
>>>>             <saml2:SubjectLocality Address="http://leth.teca.vn/adfs/services/trust"/>
>>>>             <saml2:AuthnContext>
>>>>                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>>>>                 </saml2:AuthnContextClassRef>
>>>>             </saml2:AuthnContext>
>>>>         </saml2:AuthnStatement>
>>>>         <saml2:AttributeStatement>
>>>>             <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod"
>>>>                              Name="samlAuthenticationStatementAuthMethod">
>>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>>>                     urn:oasis:names:tc:SAML:1.0:am:password
>>>>                 </saml2:AttributeValue>
>>>>             </saml2:Attribute>
>>>>             <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
>>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true
>>>>                 </saml2:AttributeValue>
>>>>             </saml2:Attribute>
>>>>             <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
>>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>>>                     2016-11-22T16:07:02.927+07:00[Asia/Bangkok]
>>>>                 </saml2:AttributeValue>
>>>>             </saml2:Attribute>
>>>>             <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
>>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>>>                     WsAuthenticationHandler
>>>>                 </saml2:AttributeValue>
>>>>             </saml2:Attribute>
>>>>             <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
>>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>>>                     WsAuthenticationHandler
>>>>                 </saml2:AttributeValue>
>>>>             </saml2:Attribute>
>>>>             <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
>>>>                              Name="longTermAuthenticationRequestTokenUsed">
>>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>>>                     false
>>>>                 </saml2:AttributeValue>
>>>>             </saml2:Attribute>
>>>>             <saml2:Attribute FriendlyName="email" Name="email">
>>>>                 <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>>>                     [email protected]
>>>>                 </saml2:AttributeValue>
>>>>             </saml2:Attribute>
>>>>         </saml2:AttributeStatement>
>>>>     </saml2:Assertion>
>>>> </saml2p:Response>
>>>>
>>>>
>>> I don't know the reason while the SAMLResponse from shibboleth I got 
>>> before had the same tags except attribute name.
>>> Please help!
>>>
>>> Thanks
>>>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b966a19b-20d5-4d76-8bf5-b2f70f61ed26%40apereo.org.
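
An added example, not part of the original thread and not CAS or AD FS code: it decodes an HTTP-Redirect binding request the way the log above describes (Base64 decode, then inflate) and checks the two correlation values discussed in the thread, RelayState and InResponseTo. The host idp.example.org and all function names are assumptions; the ID and RelayState strings are the ones quoted in the thread, combined here into one constructed request.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then Base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def decode_redirect(url: str) -> dict:
    """Recover the AuthnRequest ID and RelayState from a redirect URL."""
    q = parse_qs(urlparse(url).query)
    raw = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)
    return {"id": root.get("ID"), "relay_state": q.get("RelayState", [None])[0]}

def check_response(request: dict, response_xml: str, posted_relay_state) -> list:
    """Return the correlation problems the requesting party would hit."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request["id"]:
        problems.append("InResponseTo does not match AuthnRequest ID")
    # The bindings require the responder to echo RelayState back unchanged.
    if request["relay_state"] is not None and posted_relay_state != request["relay_state"]:
        problems.append("RelayState was not echoed back unchanged")
    return problems

# Constructed sample (hypothetical host; ID and RelayState copied from the thread).
AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="%s" Version="2.0" '
                 'ID="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"/>' % SAMLP)
REDIRECT_URL = "https://idp.example.org/cas/idp/profile/SAML2/Redirect/SSO?" + urlencode({
    "SAMLRequest": encode_redirect(AUTHN_REQUEST),
    "RelayState": "53595943-1098-47ab-8f08-e24a00e8a7b1"})
RESPONSE = ('<saml2p:Response xmlns:saml2p="%s" Version="2.0" '
            'InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"/>' % SAMLP)

if __name__ == "__main__":
    req = decode_redirect(REDIRECT_URL)
    print(req)
    print("RelayState dropped:", check_response(req, RESPONSE, None))
    print("RelayState echoed: ", check_response(req, RESPONSE, req["relay_state"]))
```
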
