Hello! We're on 6.1.0-RC6, and working on enabling surrogate authentication. However, we're getting the following error when authenticating (after submitting credentials):
ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.action.SurrogateAuthorizationAction@69f3e556 in state 'generateServiceTicket' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause>

This error occurs whether or not surrogate authentication is being attempted. However, it only occurs when org.apereo.cas:cas-server-support-surrogate-webflow is compiled in. Removing that dependency while changing no other configuration will cause it to work (albeit without surrogate authentication capabilities).

After some testing, we've determined this occurs when logging into specific services with a mapped attribute policy. If the attribute mapping (specifically, the USER_ID line in the service configuration) is removed, the authentication flow works (although the service application, which needs that attribute, does not).

The other interesting thing is that if, after receiving the error message, you trigger another SSO event to the service, it works fine. So maybe it has something to do with CAS having trouble initially fetching the attributes?

Thanks for any help!
cas.properties:

    cas.server.name=https://cas.example.com
    cas.server.prefix=${cas.server.name}

    logging.config: file:/etc/cas/config/log4j2.xml

    # Disable CAS default 'casuser' user
    cas.authn.accept.users=

    # Embedded server
    server.port=8080
    server.servlet.context-path=/
    server.ssl.enabled=false

    # LDAP
    cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.com
    cas.authn.ldap[0].bindDn=redacted
    cas.authn.ldap[0].bindCredential=redacted
    cas.authn.ldap[0].searchFilter=sAMAccountName={user}
    cas.authn.ldap[0].type=AD
    cas.authn.ldap[0].baseDn=ou=users,dc=example,dc=com
    cas.authn.ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=com
    cas.authn.ldap[0].principalAttributeList=memberOf,name,sAMAccountName
    cas.authn.ldap[0].principalAttributeId=sAMAccountName

    cas.authn.file.separator=::
    cas.authn.file.filename=file:///tmp/passwords

    # Service registry
    cas.serviceRegistry.json.location=file:/etc/cas/services/

    cas.authn.surrogate.separator=+
    cas.authn.surrogate.principal.principalAttribute=sAMAccountName,name
    cas.authn.surrogate.ldap.ldapUrl=ldaps://ldap.example.com
    cas.authn.surrogate.ldap.bindDn=redacted
    cas.authn.surrogate.ldap.bindCredential=redacted
    cas.authn.surrogate.ldap.searchFilter=sAMAccountName={user}
    cas.authn.surrogate.ldap.baseDn=ou=users,dc=example,dc=com
    cas.authn.surrogate.ldap.memberAttributeName=memberOf

    cas.authn.surrogate.ldap.surrogateSearchFilter=(&(cn={user})(cn=admin_username))

    cas.authn.attributeRepository.ldap[0].attributes.name=name

    cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ldap.example.com
    cas.authn.attributeRepository.ldap[0].bindDn=redacted
    cas.authn.attributeRepository.ldap[0].bindCredential=redacted
    cas.authn.attributeRepository.ldap[0].searchFilter=sAMAccountName={user}
    cas.authn.attributeRepository.ldap[0].baseDn=ou=users,dc=example,dc=com
    cas.authn.attributeRepository.ldap[0].searchFilter=cn={user}

    cas.authn.attributeRepository.ldap[0].attributes=memberOf,name,sAMAccountName

    cas.authn.samlIdp.entityId=https://cas.example.com/idp
    cas.authn.samlIdp.scope=example.com

Configuration for service throwing the error:

    {
      "@class": "org.apereo.cas.services.RegexRegisteredService",
      "serviceId": "https://[^/]*\\.example\\.com(:[0-9]+)?(/.*)?",
      "name": "Example Service",
      "id": 12586,
      "evaluationOrder": 100,
      "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
        "allowedAttributes": {
          "@class": "java.util.TreeMap",
          "name": "USER_ID"
        }
      }
    }

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/575b923d-77f6-4343-bf49-a5b7808a52ae%40apereo.org.
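The post's failure is tied to a ReturnMappedAttributeReleasePolicy on one service, so before digging into the surrogate webflow a practitioner would first confirm that every JSON definition in the service registry parses and that each mapped source attribute is one the LDAP attribute repository is actually configured to fetch. The following Python script is an added example, not CAS code and not from the poster: it reconstructs the posted service definition and the two attribute-list keys from cas.properties as constructed inline strings, adds a hypothetical second service that maps an attribute (mail) the repository is not told to fetch, and reports findings per file. The file names, the mail/EMAIL mapping and the minimal properties parser are assumptions; against a live deployment you would read the files under cas.serviceRegistry.json.location instead.

```python
"""Lint CAS JSON service definitions against the attribute names that the
configured LDAP attribute repository fetches (added example, not CAS code)."""
import json
import re

# Constructed fragment of cas.properties; only the keys the check needs.
CAS_PROPERTIES = """\
cas.authn.ldap[0].principalAttributeList=memberOf,name,sAMAccountName
cas.authn.attributeRepository.ldap[0].attributes=memberOf,name,sAMAccountName
"""

# Constructed from the posted service definition (quote after the name restored).
GOOD_SERVICE = r"""{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://[^/]*\\.example\\.com(:[0-9]+)?(/.*)?",
  "name": "Example Service",
  "id": 12586,
  "evaluationOrder": 100,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "name": "USER_ID"
    }
  }
}"""

# Same definition with the closing quote dropped, as it appeared in the post's paste.
BROKEN_SERVICE = GOOD_SERVICE.replace('"Example Service",', '"Example Service,')

# Hypothetical service mapping an attribute that no configured attribute list fetches.
UNFETCHED_SERVICE = (GOOD_SERVICE
                     .replace('"name": "USER_ID"', '"mail": "EMAIL"')
                     .replace('"id": 12586', '"id": 12587'))

# Keys whose comma-separated values name LDAP attributes CAS will retrieve.
FETCH_KEY = re.compile(
    r"^cas\.authn\.(?:ldap\[\d+\]\.principalAttributeList"
    r"|attributeRepository\.ldap\[\d+\]\.attributes)$")


def parse_properties(text):
    """Minimal Java-properties parser: key=value per line, '#' comments, last value wins."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def fetched_attributes(props):
    """Union of attribute names from every principalAttributeList / attributes key."""
    names = set()
    for key, value in props.items():
        if FETCH_KEY.match(key):
            names.update(v.strip() for v in value.split(",") if v.strip())
    return names


def lint_service(text, fetched):
    """Return findings for one service definition; an empty list means it looks clean."""
    try:
        svc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    findings = []
    for key in ("@class", "serviceId", "name", "id"):
        if key not in svc:
            findings.append(f"missing required key '{key}'")
    try:
        re.compile(svc.get("serviceId", ""))
    except re.error as exc:
        findings.append(f"serviceId regex does not compile: {exc}")
    policy = svc.get("attributeReleasePolicy") or {}
    if policy.get("@class", "").endswith("ReturnMappedAttributeReleasePolicy"):
        for source, target in policy.get("allowedAttributes", {}).items():
            if source == "@class":
                continue  # Jackson type hint, not an attribute
            if source not in fetched:
                findings.append(f"maps '{source}' -> '{target}' but '{source}' "
                                "is not in any configured LDAP attribute list")
    return findings


def lint_registry(services, properties_text):
    """Map each service file name to its findings, given the cas.properties text."""
    fetched = fetched_attributes(parse_properties(properties_text))
    return {name: lint_service(text, fetched) for name, text in services.items()}


if __name__ == "__main__":
    registry = {"ExampleService-12586.json": GOOD_SERVICE,
                "ExampleService-broken.json": BROKEN_SERVICE,
                "MailService-12587.json": UNFETCHED_SERVICE}
    for name, findings in lint_registry(registry, CAS_PROPERTIES).items():
        print(name, "->", findings or "ok")
```

Run as-is it reports the posted service as clean, flags the pasted copy with the missing quote as unparseable, and flags the hypothetical mail mapping; the regex check matters because a serviceId that does not compile would never match and the release policy would never be exercised.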
