>
> Hi everyone,
>
> I'm trying to use a local installation of SimpleSAMLphp as an SP to log in 
> through a local CAS 5.0.4 server using the SAML 2 protocol.
> The issue I have at the moment is that the response I get from the CAS 
> server is missing the InResponseTo attribute in the Response element.
>
> The SAML 2 spec specifies that InResponseTo must be present in the 
> Response element if the response is associated with a request.
> Is something missing in my configuration, or is it a bug?
>
> Any help would be appreciated.
>
> Thanks
>
>
> Relevant part of application.properties
>
> cas.authn.samlIdp.metadata.location=${user.home}/work/metadata/
> cas.authn.samlIdp.entityId=http://localhost:8042/cas/idp
> cas.authn.samlIdp.hostName=http://localhost:8042
> cas.samlCore.ticketidSaml2=true
>
> IdP metadata in PHP format
> <?php
> /**
>  * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
>  *
>  * Remember to remove the IdPs you don't use from this file.
>  *
>  * See: 
> https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote 
>  */
>
>
> $metadata['http://localhost:8042/cas/idp'] = array (
>   'entityid' => 'http://localhost:8042/cas/idp',
>   'contacts' => 
>   array (
>   ),
>   'metadata-set' => 'saml20-idp-remote',
>   'SingleSignOnService' => 
>   array (
>     0 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
>       'Location' => '
> http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO',
>     ),
>     1 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/POST/SSO'
> ,
>     ),
>     2 => 
>     array (
>       'Binding' => 
> 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
>       'Location' => '
> http://localhost:8042/idp/profile/SAML2/POST-SimpleSign/SSO',
>     ),
>   ),
>   'ArtifactResolutionService' => 
>   array (
>     0 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
>       'Location' => '
> http://localhost:8042/cas/idp/profile/SAML2/SOAP/ArtifactResolution',
>       'index' => 2,
>     ),
>   ),
>   'NameIDFormats' => 
>   array (
>     0 => 'urn:mace:shibboleth:1.0:nameIdentifier',
>     1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
>   ),
>   'keys' => 
>   array (
>     0 => 
>     array (
>       'encryption' => false,
>       'signing' => true,
>       'type' => 'X509Certificate',
>       'X509Certificate' => '
> MIIDGDCCAgCgAwIBAgIUTHtu3X3oSmNnElYPdxoY3QzjOgwwDQYJKoZIhvcNAQEL
> BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
> MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
> KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ7L2leA8jlRxrkWm0q3prVAMOJBxr0J
> A2Z74h+9k3c4vAzb7FlvWV3TIY8YDXDZ29YZ0dtTIodeleVJfAcUMpZ6RLcHdiBK
> C5VgAQ8ci98aM5aXxS+kXxjjilOHB8ckKFqjb8asPlvpN368Z1Qk/lKNbsE35hxb
> f/9V2oiHtbShG0vrSC7da2uOTpBiguO2yB6mJO92FymBWS7zlZ+G9pWTE4EuizWk
> 10kz7jHYfUm/BKgVOnEDTL4e+eb5cTIxnpZ9iA3+dfi8qU2bOQ0PlXW7nW4ZMSzW
> 4BlWjuK4G78HnlZu+FqgNlQwjR9tjbvma6aovE3UH1nHJWy93uALrnECAwEAAaNY
> MFYwHQYDVR0OBBYEFKTnbarNb/ik8VO/dkLDxyrRWeDcMDUGA1UdEQQuMCyCDmxv
> Y2FsaG9zdDo4MDQyhhpsb2NhbGhvc3Q6ODA0MmlkcC9tZXRhZGF0YTANBgkqhkiG
> 9w0BAQsFAAOCAQEANnk4BeurZaPWVdVDalg+jQdBlfi6DtF8oKGWoc3tlmA414Cu
> Aih+4nopXl8/xByk0DQdBcnhYJ59hPNm5BBwlM66T0eUP7kzOoVw2PgOhjEfCbqG
> a8S3Cu0fULL2OxrxSozAhz2fTsd+zn6cla0KJGMjQmEjiORs8ThHFZhPlueqAtwp
> cyrNyeO3vSt8A28kyY5TOZPjWickk39ilveuRZKMkBN4TAFAHciKZP8Y3foESB6+
> rC/guihxOCgUNKfUEREVveBxaFEV6xUYNcnIFAQNnTzwDbSM63+Sq2hAKh8ynnML
> cVl0ONhI47hxf1HWQN5TGhip2rcARx2T0v+mfA==
>                         ',
> Hi everyone,
>
> I'm trying to use a local installation of SimpleSAMLphp as an SP to log in 
> through a local CAS 5.0.4 server using the SAML 2 protocol.
> The issue I have at the moment is that the response I get from the CAS 
> server is missing the InResponseTo attribute in the Response element.
>
> The SAML 2 spec specifies that InResponseTo must be present in the 
> Response element if the response is associated with a request.
> Is something missing in my configuration, or is it a bug?
>
> Any help would be appreciated.
>
> Thanks
>
>
> Relevant part of application.properties
>
> cas.authn.samlIdp.metadata.location=${user.home}/work/metadata/
> cas.authn.samlIdp.entityId=http://localhost:8042/cas/idp
> cas.authn.samlIdp.hostName=http://localhost:8042
> cas.samlCore.ticketidSaml2=true
>
> IdP metadata in PHP format
> <?php
> /**
>  * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
>  *
>  * Remember to remove the IdPs you don't use from this file.
>  *
>  * See: 
> https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote 
>  */
>
>
> $metadata['http://localhost:8042/cas/idp'] = array (
>   'entityid' => 'http://localhost:8042/cas/idp',
>   'contacts' => 
>   array (
>   ),
>   'metadata-set' => 'saml20-idp-remote',
>   'SingleSignOnService' => 
>   array (
>     0 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
>       'Location' => 
> 'http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO',
>     ),
>     1 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/POST/SSO',
>     ),
>     2 => 
>     array (
>       'Binding' => 
> 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
>       'Location' => 
> 'http://localhost:8042/idp/profile/SAML2/POST-SimpleSign/SSO',
>     ),
>   ),
>   'ArtifactResolutionService' => 
>   array (
>     0 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
>       'Location' => 
> 'http://localhost:8042/cas/idp/profile/SAML2/SOAP/ArtifactResolution',
>       'index' => 2,
>     ),
>   ),
>   'NameIDFormats' => 
>   array (
>     0 => 'urn:mace:shibboleth:1.0:nameIdentifier',
>     1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
>   ),
>   'keys' => 
>   array (
>     0 => 
>     array (
>       'encryption' => false,
>       'signing' => true,
>       'type' => 'X509Certificate',
>       'X509Certificate' => '
> MIIDGDCCAgCgAwIBAgIUTHtu3X3oSmNnElYPdxoY3QzjOgwwDQYJKoZIhvcNAQEL
> BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
> MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
> KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ7L2leA8jlRxrkWm0q3prVAMOJBxr0J
> A2Z74h+9k3c4vAzb7FlvWV3TIY8YDXDZ29YZ0dtTIodeleVJfAcUMpZ6RLcHdiBK
> C5VgAQ8ci98aM5aXxS+kXxjjilOHB8ckKFqjb8asPlvpN368Z1Qk/lKNbsE35hxb
>     ),
>     1 => 
>     array (
>       'encryption' => true,
>       'signing' => false,
>       'type' => 'X509Certificate',
>       'X509Certificate' => '
> MIIDGDCCAgCgAwIBAgIUMTFA5LKKiMYwxBvZ8xPv8zXccWcwDQYJKoZIhvcNAQEL
> BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
> MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
> KoZIhvcNAQEBBQADggEPADCCAQoCggEBALdk2QNzLvTaGQ+JfzbqzEvUR4Rbl0yt
> gksokiknda446QTJDMCXRibeQ0jJks5i8IDSDH0CMTHg3RtO0UNCR1tLQ/5Ocnx0
> ZK7CdBHtnKc++vQ7nX3IcJD1Qt7lrI3K8s2JcpJLL796vsiDcfCXo19zQnZGA+NM
> xiaOnytW/GiTSDbeHIGkaJK0GzEOGdf2a523WaMZtCWhO2Q2DHRphkb5Iz40piQ1
> JBmf5Cx0iPCmJXZwommV8MjaYvxfQUHLHe9VYKMSJUJXkeFunyLV/VbX3rwE7fJK
> YACnc/l49jmCcffuFPoSyfeBxO/5V/NP2R6KThLITE9yYiGnpDGkt2UCAwEAAaNY
> MFYwHQYDVR0OBBYEFICPhiHbxQHx2TeVcoeS3Q9WNyaQMDUGA1UdEQQuMCyCDmxv
> Y2FsaG9zdDo4MDQyhhpsb2NhbGhvc3Q6ODA0MmlkcC9tZXRhZGF0YTANBgkqhkiG
> 9w0BAQsFAAOCAQEAgv7XbF+macOs+OLswlX0IEGfV2489zZyCbuyHq/wT+uYMMfC
> YhPP1g7nWObcE4O7nWeRM2AiAIE5l/6bTVtn1buc06QWJZyPH+dRJG26MQqrD6I2
> 9o0Sw/q9pL+p/BGfB8nyxvD2PsYg1VhL64G7TLWOfpTQgWMxJrkPzYrLYTif06fj
> fotMcnmIzMtYP8TMUEyynPUTD5TUNjeBvalIO/pzXP8GuDy5qGczhjz6pgFlN1Oi
> MED+9FiXP/ZJ+97w1MUPUTXpQqY+POWiqlHQ3by9VgRfBj4ju/4TuGKclC4e6ntK
> EwXO+bVDxCMlkcHiAtUfu7JaY0IId1uM90lbxw==
>                         ',
>     ),
>   ),
>   'scope' => 
>   array (
>     0 => 'localhost:8042',
>   ),
> );
>
>
>
>
>
>
> SP metadata
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
> entityID="http://localhost:8000/simplesaml";>
>   <md:SPSSODescriptor 
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol 
> urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:SingleLogoutService 
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-logout.php/local-sso"/>
>     <md:AssertionConsumerService 
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso";
>  index="0"/>
>     <md:AssertionConsumerService 
> Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" 
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml1-acs.php/local-sso";
>  index="1"/>
>     <md:AssertionConsumerService 
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" 
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso";
>  index="2"/>
>     <md:AssertionConsumerService 
> Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" 
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml1-acs.php/local-sso/artifact";
>  index="3"/>
>   </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
>
>
> AuthnRequest
>
>
>
> <?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest 
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
> AssertionConsumerServiceURL="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso";
>  Destination="http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO"; 
> ID="_dba8369b90c24b172fb07fc8bde77e9b323ba71f30" 
> IssueInstant="2017-03-08T14:57:07Z" 
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
> Version="2.0">
>   <saml:Issuer>http://localhost:8000/simplesaml</saml:Issuer>
>   <samlp:NameIDPolicy AllowCreate="true" 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>
>
>
>
> Response
>
>
>  <?xml version="1.0" encoding="UTF-8"?>
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
> Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" 
> ID="_5525762746082961547" IssueInstant="2017-03-08T10:36:39.837Z" 
> Version="2.0">
>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8042/cas/idp</saml2:Issuer>
>   <saml2p:Status>
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     
> <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
>   </saml2p:Status>
>   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> ID="_759790977264922675" IssueInstant="2017-03-08T10:36:39.830Z" 
> Version="2.0">
>     <saml2:Issuer>http://localhost:8042/cas/idp</saml2:Issuer>
>     <saml2:Subject>
>       <saml2:NameID 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">plegeay</saml2:NameID>
>       <saml2:SubjectConfirmation 
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData 
> InResponseTo="_30cd159c03da7a2226630390df87f49edb3ab09381" 
> NotOnOrAfter="2017-03-08T10:36:39.823Z" 
> Recipient="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"/>
>       </saml2:SubjectConfirmation>
>     </saml2:Subject>
>     <saml2:Conditions NotBefore="2017-03-08T10:36:39.836Z" 
> NotOnOrAfter="2017-03-08T10:36:39.836Z">
>       <saml2:AudienceRestriction>
>         <saml2:Audience>http://localhost:8000/simplesaml</saml2:Audience>
>       </saml2:AudienceRestriction>
>     </saml2:Conditions>
>     <saml2:AuthnStatement AuthnInstant="2017-03-08T10:36:39.823Z">
>       <saml2:SubjectLocality Address="http://localhost:8000/simplesaml"/>
>       <saml2:AuthnContext>
>         
> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
>       </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>     <saml2:AttributeStatement>
>       <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod" 
> Name="samlAuthenticationStatementAuthMethod">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xsd:string">true</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="authenticationDate" 
> Name="authenticationDate">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xsd:string">2017-03-08T11:36:39.645+01:00[Europe/Paris]</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="authenticationMethod" 
> Name="authenticationMethod">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" 
> Name="successfulAuthenticationHandlers">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed" 
> Name="longTermAuthenticationRequestTokenUsed">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:type="xsd:string">false</saml2:AttributeValue>
>       </saml2:Attribute>
>     </saml2:AttributeStatement>
>   </saml2:Assertion></saml2p:Response>
>
>
>
