Hello CAS users,

I'm configuring CAS 5.0.5 to work with ADFS via SAML2 authentication. CAS is the
IdP and ADFS is our SP. When I generate a SAMLResponse, it throws an exception at
ADFS.

Two questions.

1. Do you think it is related to the SAML RelayState not being returned? (Refer to
https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/aBqlYZsbQFY .)
If so, is the issue still occurring in 5.0.5? And if so, what version should I use
to avoid this issue?

2. In my SAMLResponse, the log timestamp reads 2017-07-03 11:57:07,280 while the
response has IssueInstant="2017-07-03T15:57:07.221Z". The IssueInstant is used for
NotBefore. I can see a four-hour difference from when the actual authentication
process occurred. Is the IssueInstant time passed from the SAMLRequest? Do you
think the NotBefore time, which is four hours later, causes the error?


Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)


This is the SAML assertion our CAS generates:

2017-07-03 11:57:07,280 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml2.core.impl.ResponseImpl]
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" ID="_5848870503793324563" IssueInstant="2017-07-03T15:57:07.221Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://cas.example.net/idp</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8000357209572541924" IssueInstant="2017-07-03T15:57:07.056Z" Version="2.0">
    <saml2:Issuer>https://cas.example.net/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">example</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="id-c7e7c485-1055-445f-b26f-d02f6150783e" NotOnOrAfter="2017-07-03T19:57:06.828Z"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-07-03T15:57:07.208Z" NotOnOrAfter="2017-07-03T19:57:07.208Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://fs.ultiproworkplace.com/adfs/services/trust</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2017-07-03T15:57:06.828Z">
      <saml2:SubjectLocality Address="http://fs.ultiproworkplace.com/adfs/services/trust"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod" Name="samlAuthenticationStatementAuthMethod">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">2017-07-03T11:57:05.526-04:00[America/New_York]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed" Name="longTermAuthenticationRequestTokenUsed">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>


Best,
Doe
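As an added illustration (not part of the original post, and not CAS or ADFS code), the following Python parses the Conditions and bearer SubjectConfirmationData from the Response logged above and evaluates the validity window the way an SP would, once against the CAS log timestamp converted from its local offset to UTC and once against the same digits misread as UTC. The sample XML is the post's Response trimmed to its timing elements; the 5-minute clock-skew tolerance is an assumed value.

```python
"""Time-window check for the SAML 2.0 Response CAS logged above.
Added example, not CAS or ADFS code. Standard library only; use
defusedxml.ElementTree instead for XML you did not produce yourself."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the posted Response trimmed to its timing-related elements.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_5848870503793324563" IssueInstant="2017-07-03T15:57:07.221Z" Version="2.0">
 <saml2:Assertion ID="_8000357209572541924" IssueInstant="2017-07-03T15:57:07.056Z" Version="2.0">
  <saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml2:SubjectConfirmationData InResponseTo="id-c7e7c485-1055-445f-b26f-d02f6150783e"
    NotOnOrAfter="2017-07-03T19:57:06.828Z"/></saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2017-07-03T15:57:07.208Z" NotOnOrAfter="2017-07-03T19:57:07.208Z">
   <saml2:AudienceRestriction><saml2:Audience>http://fs.ultiproworkplace.com/adfs/services/trust</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
 </saml2:Assertion>
</saml2p:Response>"""

# The CAS log line is local wall-clock time; in July America/New_York is UTC-4 (EDT).
LOG_TIME_LOCAL = datetime(2017, 7, 3, 11, 57, 7, 280000, tzinfo=timezone(timedelta(hours=-4)))
# The same digits read as if they were UTC, which is what a naive "four hour gap" comparison does.
LOG_TIME_MISREAD_AS_UTC = LOG_TIME_LOCAL.replace(tzinfo=timezone.utc)


def parse_saml_instant(value: str) -> datetime:
    """SAML xs:dateTime values are UTC with a trailing 'Z'; return an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_validity(xml_text: str, now: datetime, skew: timedelta = timedelta(minutes=5)) -> dict:
    """Evaluate the assertion's Conditions and bearer window at instant `now`, allowing an
    assumed clock-skew tolerance as SPs usually do; return each finding separately."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    cond = assertion.find("saml2:Conditions", NS)
    scd = assertion.find(".//saml2:SubjectConfirmationData", NS)
    now = now.astimezone(timezone.utc)          # compare in UTC, never wall-clock digits
    return {
        "not_before_ok": now >= parse_saml_instant(cond.get("NotBefore")) - skew,
        "not_on_or_after_ok": now < parse_saml_instant(cond.get("NotOnOrAfter")) + skew,
        "bearer_window_ok": now < parse_saml_instant(scd.get("NotOnOrAfter")) + skew,
        "in_response_to": scd.get("InResponseTo"),   # must match the SP's AuthnRequest ID
        "audience": cond.findtext(".//saml2:Audience", namespaces=NS),
        "signed": root.find(".//ds:Signature", NS) is not None,  # the logged XML carries none
    }
```

Run `check_validity(SAMPLE_RESPONSE, LOG_TIME_LOCAL)` and the same call with `LOG_TIME_MISREAD_AS_UTC` to see which of the two readings of the log time falls inside the NotBefore window.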
