Edit: I downgraded to the version 5.0.0.RC5-SNAPSHOT and this issue is not
present anymore. I have an inResponseTo attribute for my response element.

On Wednesday, 8 March 2017 17:04:59 UTC+1, Paul Legeay wrote:
>>
>> Hi everyone,
>>
>> I'm trying to use a local installation of simplesamlphp as an SP to log
>> through a local CAS 5.0.4 server using the SAML 2 protocol.
>> The issue I have at the moment is that the response I get from the CAS
>> server is missing the inResponseTo attribute in the response element.
>>
>> The SAML 2 spec specifies that the InResponseTo must be present in the
>> response element if the response is associated with a request.
>> Do I have something missing in my configuration, or is it a bug?
>>
>> Any help would be appreciated.
>>
>> Thanks
>>
>>
>> Relevant part of application.properties
>>
>> cas.authn.samlIdp.metadata.location=${user.home}/work/metadata/
>> cas.authn.samlIdp.entityId=http://localhost:8042/cas/idp
>> cas.authn.samlIdp.hostName=http://localhost:8042
>> cas.samlCore.ticketidSaml2=true
>>
>> IDP metadata in php format
>> <?php
>> /**
>>  * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
>>  *
>>  * Remember to remove the IdPs you don't use from this file.
>>  *
>>  * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
>>  */
>>
>>
>> $metadata['http://localhost:8042/cas/idp'] = array (
>>   'entityid' => 'http://localhost:8042/cas/idp',
>>   'contacts' => 
>>   array (
>>   ),
>>   'metadata-set' => 'saml20-idp-remote',
>>   'SingleSignOnService' => 
>>   array (
>>     0 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO',
>>     ),
>>     1 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/POST/SSO',
>>     ),
>>     2 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
>>       'Location' => 'http://localhost:8042/idp/profile/SAML2/POST-SimpleSign/SSO',
>>     ),
>>   ),
>>   'ArtifactResolutionService' => 
>>   array (
>>     0 => 
>>     array (
>>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
>>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/SOAP/ArtifactResolution',
>>       'index' => 2,
>>     ),
>>   ),
>>   'NameIDFormats' => 
>>   array (
>>     0 => 'urn:mace:shibboleth:1.0:nameIdentifier',
>>     1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
>>   ),
>>   'keys' => 
>>   array (
>>     0 => 
>>     array (
>>       'encryption' => false,
>>       'signing' => true,
>>       'type' => 'X509Certificate',
>>       'X509Certificate' => '
>> MIIDGDCCAgCgAwIBAgIUTHtu3X3oSmNnElYPdxoY3QzjOgwwDQYJKoZIhvcNAQEL
>> BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
>> MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
>> KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ7L2leA8jlRxrkWm0q3prVAMOJBxr0J
>> A2Z74h+9k3c4vAzb7FlvWV3TIY8YDXDZ29YZ0dtTIodeleVJfAcUMpZ6RLcHdiBK
>> C5VgAQ8ci98aM5aXxS+kXxjjilOHB8ckKFqjb8asPlvpN368Z1Qk/lKNbsE35hxb
>> f/9V2oiHtbShG0vrSC7da2uOTpBiguO2yB6mJO92FymBWS7zlZ+G9pWTE4EuizWk
>> 10kz7jHYfUm/BKgVOnEDTL4e+eb5cTIxnpZ9iA3+dfi8qU2bOQ0PlXW7nW4ZMSzW
>> 4BlWjuK4G78HnlZu+FqgNlQwjR9tjbvma6aovE3UH1nHJWy93uALrnECAwEAAaNY
>> MFYwHQYDVR0OBBYEFKTnbarNb/ik8VO/dkLDxyrRWeDcMDUGA1UdEQQuMCyCDmxv
>> Y2FsaG9zdDo4MDQyhhpsb2NhbGhvc3Q6ODA0MmlkcC9tZXRhZGF0YTANBgkqhkiG
>> 9w0BAQsFAAOCAQEANnk4BeurZaPWVdVDalg+jQdBlfi6DtF8oKGWoc3tlmA414Cu
>> Aih+4nopXl8/xByk0DQdBcnhYJ59hPNm5BBwlM66T0eUP7kzOoVw2PgOhjEfCbqG
>> a8S3Cu0fULL2OxrxSozAhz2fTsd+zn6cla0KJGMjQmEjiORs8ThHFZhPlueqAtwp
>> cyrNyeO3vSt8A28kyY5TOZPjWickk39ilveuRZKMkBN4TAFAHciKZP8Y3foESB6+
>> rC/guihxOCgUNKfUEREVveBxaFEV6xUYNcnIFAQNnTzwDbSM63+Sq2hAKh8ynnML
>> cVl0ONhI47hxf1HWQN5TGhip2rcARx2T0v+mfA==
>>                         ',
>>     ),
>>     1 => 
>>     array (
>>       'encryption' => true,
>>       'signing' => false,
>>       'type' => 'X509Certificate',
>>       'X509Certificate' => '
>> MIIDGDCCAgCgAwIBAgIUMTFA5LKKiMYwxBvZ8xPv8zXccWcwDQYJKoZIhvcNAQEL
>> BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
>> MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
>> KoZIhvcNAQEBBQADggEPADCCAQoCggEBALdk2QNzLvTaGQ+JfzbqzEvUR4Rbl0yt
>> gksokiknda446QTJDMCXRibeQ0jJks5i8IDSDH0CMTHg3RtO0UNCR1tLQ/5Ocnx0
>> ZK7CdBHtnKc++vQ7nX3IcJD1Qt7lrI3K8s2JcpJLL796vsiDcfCXo19zQnZGA+NM
>> xiaOnytW/GiTSDbeHIGkaJK0GzEOGdf2a523WaMZtCWhO2Q2DHRphkb5Iz40piQ1
>> JBmf5Cx0iPCmJXZwommV8MjaYvxfQUHLHe9VYKMSJUJXkeFunyLV/VbX3rwE7fJK
>> YACnc/l49jmCcffuFPoSyfeBxO/5V/NP2R6KThLITE9yYiGnpDGkt2UCAwEAAaNY
>> MFYwHQYDVR0OBBYEFICPhiHbxQHx2TeVcoeS3Q9WNyaQMDUGA1UdEQQuMCyCDmxv
>> Y2FsaG9zdDo4MDQyhhpsb2NhbGhvc3Q6ODA0MmlkcC9tZXRhZGF0YTANBgkqhkiG
>> 9w0BAQsFAAOCAQEAgv7XbF+macOs+OLswlX0IEGfV2489zZyCbuyHq/wT+uYMMfC
>> YhPP1g7nWObcE4O7nWeRM2AiAIE5l/6bTVtn1buc06QWJZyPH+dRJG26MQqrD6I2
>> 9o0Sw/q9pL+p/BGfB8nyxvD2PsYg1VhL64G7TLWOfpTQgWMxJrkPzYrLYTif06fj
>> fotMcnmIzMtYP8TMUEyynPUTD5TUNjeBvalIO/pzXP8GuDy5qGczhjz6pgFlN1Oi
>> MED+9FiXP/ZJ+97w1MUPUTXpQqY+POWiqlHQ3by9VgRfBj4ju/4TuGKclC4e6ntK
>> EwXO+bVDxCMlkcHiAtUfu7JaY0IId1uM90lbxw==
>>                         ',
>>     ),
>>   ),
>>   'scope' => 
>>   array (
>>     0 => 'localhost:8042',
>>   ),
>> );
>>
>>
>>
>>
>>
>>
>> SP metadata
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8000/simplesaml">
>>   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
>>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-logout.php/local-sso"/>
>>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso" index="0"/>
>>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml1-acs.php/local-sso" index="1"/>
>>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso" index="2"/>
>>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml1-acs.php/local-sso/artifact" index="3"/>
>>   </md:SPSSODescriptor>
>> </md:EntityDescriptor>
>>
>>
>>
>> auth request
>>
>>
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>     AssertionConsumerServiceURL="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"
>>     Destination="http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO"
>>     ID="_dba8369b90c24b172fb07fc8bde77e9b323ba71f30"
>>     IssueInstant="2017-03-08T14:57:07Z"
>>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>     Version="2.0">
>>   <saml:Issuer>http://localhost:8000/simplesaml</saml:Issuer>
>>   <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
>> </samlp:AuthnRequest>
>>
>>
>>
>> response
>>
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>>     ID="_5525762746082961547" IssueInstant="2017-03-08T10:36:39.837Z"
>>     Version="2.0">
>>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8042/cas/idp</saml2:Issuer>
>>   <saml2p:Status>
>>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>>     <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
>>   </saml2p:Status>
>>   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>       ID="_759790977264922675" IssueInstant="2017-03-08T10:36:39.830Z"
>>       Version="2.0">
>>     <saml2:Issuer>http://localhost:8042/cas/idp</saml2:Issuer>
>>     <saml2:Subject>
>>       <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">plegeay</saml2:NameID>
>>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>         <saml2:SubjectConfirmationData
>>             InResponseTo="_30cd159c03da7a2226630390df87f49edb3ab09381"
>>             NotOnOrAfter="2017-03-08T10:36:39.823Z"
>>             Recipient="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"/>
>>       </saml2:SubjectConfirmation>
>>     </saml2:Subject>
>>     <saml2:Conditions NotBefore="2017-03-08T10:36:39.836Z" NotOnOrAfter="2017-03-08T10:36:39.836Z">
>>       <saml2:AudienceRestriction>
>>         <saml2:Audience>http://localhost:8000/simplesaml</saml2:Audience>
>>       </saml2:AudienceRestriction>
>>     </saml2:Conditions>
>>     <saml2:AuthnStatement AuthnInstant="2017-03-08T10:36:39.823Z">
>>       <saml2:SubjectLocality Address="http://localhost:8000/simplesaml"/>
>>       <saml2:AuthnContext>
>>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
>>       </saml2:AuthnContext>
>>     </saml2:AuthnStatement>
>>     <saml2:AttributeStatement>
>>       <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod" Name="samlAuthenticationStatementAuthMethod">
>>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
>>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
>>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">2017-03-08T11:36:39.645+01:00[Europe/Paris]</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
>>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
>>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed" Name="longTermAuthenticationRequestTokenUsed">
>>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue>
>>       </saml2:Attribute>
>>     </saml2:AttributeStatement>
>>   </saml2:Assertion>
>> </saml2p:Response>
>>
>>
>>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c3ba11f3-919d-41e2-81f9-8b0253016fd3%40apereo.org.
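Added example, not code from this thread, from CAS or from SimpleSAMLphp: the SP-side checks that hinge on the InResponseTo attribute the original post found missing. Without Response/@InResponseTo the SP cannot tell a response it solicited from an unsolicited or replayed one, so an SP that only does SP-initiated login has to reject the message, and the bearer SubjectConfirmationData/@InResponseTo, Recipient and NotOnOrAfter checks are the second line of defence. The code assumes the XML signature has already been verified (not shown), uses a trimmed, constructed copy of the Response quoted above, and the request ID, ACS URL and clock value are placeholders standing in for what the SP stored when it redirected the user.

```python
"""SP-side correlation checks for a SAML 2.0 Response.

Added example, not code from the thread, from CAS or from SimpleSAMLphp.
The XML below is constructed from the capture in the thread; REQUEST_ID is a
made-up placeholder for the ID the SP wrote into its own AuthnRequest.
Signature verification is assumed to have happened already and is not shown;
a production SP should also parse untrusted XML with defusedxml rather than
the stdlib parser used here for brevity.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def parse_instant(value):
    """Parse an xsd:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML instant: {value!r}")


def check_response(xml_text, outstanding_ids, acs_url, sp_entity_id, now):
    """Return a list of problems; empty means the Response is bound to one of
    this SP's outstanding AuthnRequests and is addressed to this SP."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    # Response/@InResponseTo is required whenever the response answers a
    # request. Without it the SP cannot distinguish a solicited login from an
    # injected or replayed one, so an SP that only does SP-initiated SSO
    # must reject the message at this point.
    resp_irt = root.get("InResponseTo")
    if resp_irt is None:
        problems.append("Response lacks InResponseTo: cannot bind to a request")
    elif resp_irt not in outstanding_ids:
        problems.append(f"Response InResponseTo {resp_irt!r} matches no outstanding request")

    # Each bearer SubjectConfirmationData must name the same request, be
    # addressed to this SP's ACS URL and still be inside its validity window.
    path = f".//saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData"
    for scd in root.iterfind(path, NS):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is None:
            problems.append("SubjectConfirmationData lacks InResponseTo")
        elif scd_irt not in outstanding_ids or (resp_irt is not None and scd_irt != resp_irt):
            problems.append(f"SubjectConfirmationData InResponseTo {scd_irt!r} does not match the request")
        if scd.get("Recipient") != acs_url:
            problems.append(f"Recipient {scd.get('Recipient')!r} is not this SP's ACS URL")
        not_on_or_after = scd.get("NotOnOrAfter")
        if not_on_or_after is None or now >= parse_instant(not_on_or_after):
            problems.append("SubjectConfirmationData is expired or has no NotOnOrAfter")

    # The assertion must be intended for this SP.
    if sp_entity_id not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("AudienceRestriction does not name this SP")
    return problems


# Constructed sample values (placeholders, not taken from a real exchange).
REQUEST_ID = "_request-id-placeholder-0001"
ACS_URL = "http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"
SP_ENTITY_ID = "http://localhost:8000/simplesaml"
NOW = datetime(2017, 3, 8, 10, 36, 40, tzinfo=timezone.utc)


def sample_response(with_in_response_to):
    """Trimmed, constructed copy of the thread's Response, optionally carrying
    the InResponseTo attribute the spec requires on a solicited Response."""
    attr = f' InResponseTo="{REQUEST_ID}"' if with_in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_5525762746082961547" IssueInstant="2017-03-08T10:36:39.837Z" Version="2.0"{attr}>
  <saml:Issuer>http://localhost:8042/cas/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_759790977264922675" IssueInstant="2017-03-08T10:36:39.830Z" Version="2.0">
    <saml:Issuer>http://localhost:8042/cas/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">plegeay</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="{REQUEST_ID}"
            NotOnOrAfter="2017-03-08T10:41:39.823Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-03-08T10:36:39.836Z" NotOnOrAfter="2017-03-08T10:41:39.836Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for flag in (False, True):
        print(f"InResponseTo present={flag}:",
              check_response(sample_response(flag), {REQUEST_ID}, ACS_URL, SP_ENTITY_ID, NOW))
```

Run stand-alone, the block reports exactly one finding for the variant without Response/@InResponseTo and none once the attribute is present; passing an empty set of outstanding request IDs (the request already consumed, as after a replay) makes both the Response and the SubjectConfirmationData checks fail. An SP that supports IdP-initiated SSO may accept a Response without InResponseTo, but then must still enforce the Recipient, NotOnOrAfter and Audience checks and should treat the assertion ID as single-use.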
