Back when I was debugging this the last time, I ran a bunch of tests against all the SAML SPs we have authenticating against our CAS servers and captured the SAML being exchanged, and in every case the SubjectLocality element contained the IP address of the SP, not the CAS server.
For example, when I log in to Workday: <saml2:AuthnStatement AuthnInstant="2020-09-24T11:10:34.218Z" SessionIndex="_9074398769568118801"> <saml2:SubjectLocality Address="209.177.165.18"/> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> The 209.177.165.18 address belongs to Workday, not to us. You might want to grab the "SAML Chrome Panel" extension, which will let you examine the entire SAML exchange between the SP and the IdP. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR • INFORMATION SECURITY & PRIVACY* THE NEW SCHOOL • INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 646 909-4728 • david.cu...@newschool.edu On Fri, Nov 13, 2020 at 3:01 PM Nathan Lewan <nathanle...@gmail.com> wrote: > thanks everyone for the help so far. > I did just do a restart of the service, and it would not populate that > field. I checks another service with a similar setup, and that also does > not have the subjectLocality populated, but that one works just fine. > > > > > so here's the actual error i'm seeing: > xmltooling::ValidationException at (https://[hostname]/SAML2/POST) > SubjectLocality must have Address or DNSName. > > > > > > > Looking at the code for CAS, this appears to be the function to populate > the subjectLocality, but if i'm reading that right, it's trying to populate > it with the CAS host address? > > > protected SubjectLocality buildSubjectLocality(final Assertion assertion, > final RequestAbstractType authnRequest, > final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, > final String binding) throws SamlException { > val subjectLocality = SamlUtils.newSamlObject(SubjectLocality.class); > *val hostAddress = > InetAddressUtils.getCasServerHostAddress(casProperties.getServer().getName());* > val issuer = SamlIdPUtils.getIssuerFromSamlObject(authnRequest); > LOGGER.debug("Built subject locality address [{}] for the saml > authentication statement prepped for [{}]", hostAddress, issuer); > *subjectLocality.setAddress(hostAddress);* > return subjectLocality; > } > > is the subjectLocality supposed to be my address, or their address? > > > On Friday, November 13, 2020 at 2:39:04 PM UTC-5 Mike Osterman wrote: > >> Hi Nathan, >> >> I highly expect that #2 is why it's not yet working. Java, by default, >> never lets go of a DNS resolution record until the application restarts. >> You have to pass an argument at startup of your CAS application to indicate >> an expiry TTL. >> >> I did this recently on our CAS server when we did some work with our >> Activity Directory that provides group membership and needed it to get a >> new IP address for the AD LDAP server(s). >> >> -Mike >> >> On Fri, Nov 13, 2020 at 11:18 AM Nathan Lewan <natha...@gmail.com> wrote: >> >>> very interesting, thanks! >>> >>> so i tried to do a reverse dns lookup on the entity host based on the >>> shibboleth entityid's hostname, and came up with no record. >>> >>> they are not being super helpful with me, so I tried to cheat. I just >>> added a reverse lookup zone on the dns server that CAS talks to, and added >>> the entry in there as a test. It did not seem to help, but: >>> >>> 1. I don't know if a cheat like that would actually work (this is just >>> temporary, proof of concept, no way would I leave it like that in >>> production) >>> 2. I have not restarted CAS. I did do a dig -x on the CAS host, and it >>> successfully reverse-resolved the IP of the entity server >>> >>> thanks very much for the quick response, i have a lead which feels very >>> good! >>> >>> >>> >>> On Fri, Nov 13, 2020 at 1:30 PM David Curry <david...@newschool.edu> >>> wrote: >>> >>>> We just ran into this recently with an older version of CAS (5.2.9). >>>> >>>> CAS populates the SubjectLocality by doing a reverse DNS lookup on the >>>> IP address of the entity that's calling it (the application the user is >>>> trying to log into). If the DNS lookup fails, then it doesn't put >>>> anything in there, which makes Shibboleth very unhappy. >>>> >>>> In our case, the fix was to get the company running the application >>>> that was calling CAS to register DNS entries for their IP addresses. All of >>>> a sudden everything started working. >>>> >>>> --Dave >>>> >>>> >>>> -- >>>> >>>> DAVID A. CURRY, CISSP >>>> *DIRECTOR • INFORMATION SECURITY & PRIVACY* >>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY >>>> >>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 >>>> +1 646 909-4728 <(646)%20909-4728> • david...@newschool.edu >>>> >>>> >>>> On Fri, Nov 13, 2020 at 1:12 PM Nathan Lewan <natha...@gmail.com> >>>> wrote: >>>> >>>>> hello! >>>>> >>>>> I am trying to get CAS 6.1.0 to integrate with a SP that uses >>>>> shibboleth. >>>>> >>>>> i appear to have everything in place, however they are requiring my >>>>> responses to have in the *AuthnStatement* a *SubjectLocality* entry. >>>>> >>>>> It is currently empty in all my responses. Here's what it looks like: >>>>> >>>>> <saml2:AuthnStatement AuthnInstant="[removed]" SessionIndex= >>>>> "[removed]" > >>>>> *<saml2:SubjectLocality/>* >>>>> <saml2:AuthnContext> >>>>> <saml2:AuthnContextClassRef> >>>>> >>>>> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport >>>>> </saml2:AuthnContextClassRef> >>>>> </saml2:AuthnContext> >>>>> </saml2:AuthnStatement> >>>>> >>>>> As you can see, it's blank, and I have no idea how to get it populated! >>>>> Any hints would be appreciated. Looking for info on this, you can find >>>>> much related to shibboleth, but I have not found anything on how one could >>>>> get CAS to populate this. >>>>> >>>>> thanks! >>>>> >>>>> >>>>> -- >>>>> - Website: https://apereo.github.io/cas >>>>> - Gitter Chatroom: https://gitter.im/apereo/cas >>>>> - List Guidelines: https://goo.gl/1VRrw7 >>>>> - Contributions: https://goo.gl/mh7qDG >>>>> --- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "CAS Community" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to cas-user+u...@apereo.org. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjkrJ8hk5geJbz_tbN1NgVSxESjAGUAfqcmOd8vpTHuUYQ%40mail.gmail.com >>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjkrJ8hk5geJbz_tbN1NgVSxESjAGUAfqcmOd8vpTHuUYQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>>> - Website: https://apereo.github.io/cas >>>> - Gitter Chatroom: https://gitter.im/apereo/cas >>>> - List Guidelines: https://goo.gl/1VRrw7 >>>> - Contributions: https://goo.gl/mh7qDG >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CAS Community" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to cas-user+u...@apereo.org. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPbf2nhAiOuG7_R8-M7v4KUgjbCDnJunNU47V%2BVc%2BgHsw%40mail.gmail.com >>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPbf2nhAiOuG7_R8-M7v4KUgjbCDnJunNU47V%2BVc%2BgHsw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >>> - Website: https://apereo.github.io/cas >>> - Gitter Chatroom: https://gitter.im/apereo/cas >>> - List Guidelines: https://goo.gl/1VRrw7 >>> - Contributions: https://goo.gl/mh7qDG >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "CAS Community" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to cas-user+u...@apereo.org. >>> >> To view this discussion on the web visit >>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjmoAjjV4ryjQ3yhXfMsky9gWAQZf2CBi7FtzDJ8m-yt2w%40mail.gmail.com >>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjmoAjjV4ryjQ3yhXfMsky9gWAQZf2CBi7FtzDJ8m-yt2w%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb8710c4-10a0-438f-a0a4-56c146a11bcfn%40apereo.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb8710c4-10a0-438f-a0a4-56c146a11bcfn%40apereo.org?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPt1HNqtSiQ2FWvr%3DX95EtnOR5r918j6t6HGu%3DRffqoyA%40mail.gmail.com.
