Joel, could you turn up logging on the CAS server to verify that you are
indeed collecting the attributes that should be delivered to the service?

-Matt

On Thu, Jan 19, 2012 at 7:38 AM, Joel Goguen <joel.gog...@unb.ca> wrote:

>  In case I defined something wrong, here's my attributeRepository bean
> defined using https://wiki.jasig.org/display/CASUM/Attributes as a
> reference. Each of the three attributes is guaranteed to be available on
> the LDAP record.
>
>  <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> <!-- Same contextSource used for
> the org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler bean -->
> <property name="contextSource" ref="contextSource" />
>
>  <!-- No difference if I directly set this in a "value" attribute instead
> of using a "ref" -->
> <!-- No difference if this is the root of the LDAP tree or a specific OU
> -->
> <property name="baseDN" ref="cas.ldap.query.base.dn" />
>
>  <!-- "true" or not defined makes no difference -->
> <property name="requireAllQueryAttributes" value="false" />
>
>  <property name="queryAttributeMapping">
> <map>
> <!-- "key" is what CAS has, "value" is what LDAP attribute to translate
> this to -->
> <entry key="username" value="uid" />
> </map>
> </property>
> <property name="resultAttributeMapping">
> <map>
> <!-- "key" is the LDAP attribute, "value" is what the attribute should be
> in the SAML response -->
> <entry key="uid" value="uid" />
> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> <entry key="eduPersonEntitlement" value="eduPersonEntitlement" />
> </map>
> </property>
> </bean>
>
>  On 2012-01-19, at 08:05, Joel Goguen wrote:
>
>  I haven't defined any ordering (I left the Order field set to "0") and
> the only other service is the service manager itself (
> https://fortran.its.unb.ca/cas/services/**). That service isn't set to
> release any attributes, but if I allow it to release all attributes I see
> no differences in the logs or in the headers returned.
>
>  On 2012-01-18, at 23:48, Matt Smith wrote:
>
>  Joel,
> We need to first figure out why you have no attributes in the SAML
> response. Do you have any other URLs configured in service manager, perhaps
> one taking precedence and delivering no attributes?
> -Matt
> On Jan 18, 2012 10:08 PM, "Joel Goguen" <joel.gog...@unb.ca> wrote:
>
>> Heh...I can see where that would cause a problem. Once I switch to
>> samlValidate CAS authentication works fine, but now I'm not getting the
>> attributes released like I expect. I've defined uid, eduPersonEntitlement
>> and eduPersonAffiliation as attributes (the resultAttributeMapping property
>> in the attributeRepository bean, which has
>> class org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao) and
>> they show up in the service manager. When I defined the service definition
>> (service URL: https://webtest.its.unb.ca/**) I chose all three
>> attributes and selected "Enabled", "SSO Participant" and "Allowed to
>> proxy", but not "Anonymous Access" or "Ignore Attribute Management via this
>> Tool".
>>
>>  The SOAP response revealed in the debug logs is virtually identical to
>> the example response at https://wiki.jasig.org/display/CASUM/SAML+1.1 except
>> the response I get has no AttributeStatement block. In addition to
>> the configuration I previously posted and changing CASValidateURL to
>> https://fortran.its.unb.ca/cas/samlValidate, I've also added the
>> following server-level directives:
>>
>>  CASAttributePrefix UNB_
>> CASAttributeDelimiter ;
>>
>>  And also "CASAuthNHeader UNBAUTH" in the Location directive for the
>> protected service. The closest thing I see to headers from CAS is the
>> HTTP_UNBAUTH header (HTTP_CAS_USER if I remove CASAuthNHeader) set to my
>> username or the MOD_AUTH_CAS_S header.
>>
>>  Should the attributes released be accessible as HTTP headers? What I've
>> found so far indicates they should if I set CASAttributePrefix (or both
>> CASAttributePrefix and CASAuthNHeader according to some search results),
>> but any concrete examples using mod_auth_cas seem to deal strictly with
>> using the attributes for Apache authorization and require a patch from
>> MAS-60.
>>
>>  On 2012-01-18, at 21:09, Matt Smith wrote:
>>
>> Joel,
>>
>>  If you are looking to use SAML, set  CASValidateURL to the SAML
>> endpoint on your server, likely
>> https://fortran.its.unb.ca/cas/samlValidate .  Right now, your
>> configuration is attempting to speak SAML to your CASv2 protocol endpoint
>> (sorry I didn't catch that sooner).
>>
>>  HTH,
>> -Matt
>>
>> On Wed, Jan 18, 2012 at 8:12 AM, Joel Goguen <joel.gog...@unb.ca> wrote:
>>
>>> Hi Matt,
>>>
>>>  I am running behind Apache via AJP. Adding debug logging shows that
>>> mod_auth_cas seems to be posting to what I think is the right URL with the
>>> wrong parameters; the POST request is sent to
>>> https://fortran.its.unb.ca/cas/serviceValidate?TARGET=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2f
>>> with Content-Type text/xml and Content-Length 382, but no indication of
>>> what the content may be. I would have expected the POST request to go to
>>> https://fortran.its.unb.ca/cas/serviceValidate?service=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2f&ticket=ST-1-mar9N3FJDp2LbT6U274g-cas
>>> or to https://fortran.its.unb.ca/cas/serviceValidate with the service
>>> and ticket as POST data.
>>>
>>>  If I look for the ticket associated with the request in log files, all
>>> I see is this, which in context are the lines associated with my successful
>>> authentication and CAS redirecting me to the service with my shiny new
>>> ticket.
>>>
>>>  /var/log/tomcat6/cas.log:2012-01-18 08:51:12,644 DEBUG
>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket
>>> [ST-1-mar9N3FJDp2LbT6U274g-cas] to registry.
>>> /var/log/tomcat6/cas.log:2012-01-18 08:51:12,645 INFO
>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket
>>> [ST-1-mar9N3FJDp2LbT6U274g-cas] for service [https://webtest.its.unb.ca/cas-dev/]
>>> for user [jgoguen]
>>> /var/log/httpd/ssl_error_log:[Wed Jan 18 08:51:12 2012] [debug]
>>> ajp_header.c(599): ajp_unmarshal_response: Header[6] [Location] =
>>> [https://webtest.its.unb.ca/cas-dev/?ticket=ST-1-mar9N3FJDp2LbT6U274g-cas]
>>>
>>>  Searching the Apache logs on the service's server, I only have this:
>>>
>>>  /var/log/httpd/ssl_access_log:131.202.75.5 - - [18/Jan/2012:08:51:12
>>> -0400] "GET /cas-dev/?ticket=ST-1-mar9N3FJDp2LbT6U274g-cas HTTP/1.1" 401 486
>>> /var/log/httpd/ssl_error_log:[Wed Jan 18 08:51:12 2012] [debug]
>>> mod_auth_cas.c(607): [client 131.202.75.5] Modified r->args (old
>>> 'ticket=ST-1-mar9N3FJDp2LbT6U274g-cas', new ''), referer:
>>> https://fortran.its.unb.ca/cas/login?service=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2f
>>>
>>>  I realized a crucial difference between our production environment and
>>> development: production does not have "CASValidateSAML On" in auth_cas.conf
>>> while the development environment does. If I remove CASValidateSAML from
>>> the development service, everything works perfectly and the serviceValidate
>>> POST request is done exactly as I would have expected. Is there perhaps an
>>> issue with newer versions of mod_auth_cas (I'm using 1.0.9.1) with CAS
>>> Server 3.3.5 when enabling SAML?
>>>
>>>   On 2012-01-17, at 20:14, Matt Smith wrote:
>>>
>>>    Joel,
>>> Is your CAS server running behind an Apache server (via AJP)? It appears
>>> that the ticket is somehow being dropped from the validation request. Could
>>> you increase either the CAS logging or the Apache logging (if CAS is behind
>>> Apache) to show the parameters of the validation request?
>>> -Matt
>>> On Jan 17, 2012 10:14 AM, "Joel Goguen" <joel.gog...@unb.ca> wrote:
>>>
>>>> I'm using CAS 3.3.5 (which we're unfortunately stuck on due to some
>>>> vendor compatibility issues) with Apache 2.2.3 and mod_auth_cas 1.0.9.1 to
>>>> try and protect a directory so I can do some testing with SAML attributes.
>>>> What I'm actually getting is the protected directory failing with HTTP 401
>>>> and the CAS ticket being left in the URL. There are no other authentication
>>>> mechanisms in any higher directory. I'm not sure what information would be
>>>> useful, so if I've missed something important please let me know.
>>>>
>>>> In auth_cas.conf I've set these server directives:
>>>> LoadModule auth_cas_module modules/mod_auth_cas.so
>>>> CASVersion 2
>>>> CASLoginURL https://fortran.its.unb.ca/cas/login
>>>> CASValidateURL https://fortran.its.unb.ca/cas/serviceValidate
>>>> CASProxyValidateURL https://fortran.its.unb.ca/cas/proxyValidate
>>>> CASCookiePath /var/cache/apache/mod_auth_cas/
>>>> CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
>>>> CASAllowWildcardCert On
>>>> CASValidateServer Off
>>>> CASValidateSAML On
>>>> CASDebug On
>>>>
>>>> In ssl.conf, at the VirtualHost level, I set "LogLevel debug" to get
>>>> debug logs printed out. I have the following Location directive for the
>>>> protected directory:
>>>> <Location /cas-dev>
>>>>        Options +ExecCGI
>>>>        AuthType CAS
>>>>        CASScope /
>>>>        Require valid-user
>>>>        AddHandler cgi-script .cgi
>>>> </Location>
>>>>
>>>> When I try to access this directory, Apache's logs (filtered for
>>>> mod_auth_cas) give me:
>>>> === Initial request: ===
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1745): [client
>>>> 131.202.75.5] Entering cas_authenticate()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(519): [client
>>>> 131.202.75.5] entering getCASService()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(539): [client
>>>> 131.202.75.5] CAS Service 'https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi'
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(485): [client
>>>> 131.202.75.5] entering getCASLoginURL()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(462): [client
>>>> 131.202.75.5] entering getCASGateway()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(555): [client
>>>> 131.202.75.5] entering redirectRequest()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(567): [client
>>>> 131.202.75.5] Adding outgoing header: Location:
>>>> https://fortran.its.unb.ca/cas/login?service=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi
>>>>
>>>> === After successful authentication and redirection from CAS ===
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1745): [client
>>>> 131.202.75.5] Entering cas_authenticate()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(607): [client
>>>> 131.202.75.5] Modified r->args (old 'ticket=ST-3-eiSBy0oqb2BBL2df7gDc-cas',
>>>> new '')
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1600): [client
>>>> 131.202.75.5] entering getResponseFromServer()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(519): [client
>>>> 131.202.75.5] entering getCASService()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(539): [client
>>>> 131.202.75.5] CAS Service 'https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi'
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1674): [client
>>>> 131.202.75.5] Validation response: <cas:serviceResponse xmlns:cas='
>>>> http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure
>>>> code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039;
>>>> parameters are both
>>>> required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1293): [client
>>>> 131.202.75.5] entering isValidCASTicket()
>>>> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1299): [client
>>>> 131.202.75.5] MOD_AUTH_CAS: response = <cas:serviceResponse xmlns:cas='
>>>> http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure
>>>> code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039;
>>>> parameters are both
>>>> required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>
>>>>
>>>> On the CAS server, I have these logging properties set:
>>>> log4j.rootLogger=INFO, logfile
>>>> log4j.appender.logfile=org.apache.log4j.RollingFileAppender
>>>> log4j.appender.logfile.File=/var/log/tomcat6/cas.log
>>>> log4j.appender.logfile.MaxFileSize=10120KB
>>>> log4j.appender.logfile.MaxBackupIndex=10
>>>> log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
>>>> log4j.appender.logfile.layout.ConversionPattern=%d %p [%c] - %m%n
>>>> log4j.logger.org.springframework=WARN
>>>> log4j.logger.org.jasig=INFO
>>>> log4j.logger.org.jasig.cas.web.flow=INFO
>>>> log4j.logger.org.jasig.cas=DEBUG
>>>>
>>>> All I get in cas.log when I authenticate is this:
>>>> 2012-01-17 11:04:17,166 DEBUG
>>>> [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated
>>>> service for: https://webtest.its.unb.ca/cas-dev/index.cgi
>>>> 2012-01-17 11:04:17,168 DEBUG
>>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] -
>>>> Attempting to retrieve ticket
>>>> [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas]
>>>> 2012-01-17 11:04:17,168 DEBUG
>>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket
>>>> [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas] found in
>>>> registry.
>>>> 2012-01-17 11:04:17,168 DEBUG
>>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket
>>>> [ST-3-eiSBy0oqb2BBL2df7gDc-cas] to registry.
>>>> 2012-01-17 11:04:17,168 INFO
>>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket
>>>> [ST-3-eiSBy0oqb2BBL2df7gDc-cas] for service [
>>>> https://webtest.its.unb.ca/cas-dev/index.cgi] for user [jgoguen]
>>>> 2012-01-17 11:04:17,168 DEBUG
>>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to
>>>> retrieve ticket
>>>> [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas]
>>>> 2012-01-17 11:04:17,168 DEBUG
>>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket
>>>> [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas] found in
>>>> registry.
>>>> 2012-01-17 11:04:17,238 DEBUG
>>>> [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not
>>>> generate service.
>>>>
>>>> I have two services defined currently,
>>>> https://fortran.its.unb.ca/cas/services/** and
>>>> https://webtest.its.unb.ca/**, but I get the same result (except the
>>>> first cas.log line is the same as the last line) if I remove all service
>>>> definitions. Any assistance with getting authentication working would be
>>>> greatly appreciated.
>>>>
>>>> --
>>>> Joel Goguen
>>>> Developer
>>>> Enterprise Solutions
>>>> Information Technology Services
>>>> University of New Brunswick
>>>> E-mail: jgog...@unb.ca
>>>> Phone: (506) 453-4872
>>>> Fax: (506) 453-3590
>>>>
>>>>
>>>>
>>>> --
>>>> You are currently subscribed to cas-user@lists.jasig.org as:
>>>> m...@forsetti.com
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>  --
>> m...@forsetti.com
>> Key ID:7208B5B4
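The thread above turns on two distinct failures: a SAML-style validation request being sent to the CAS 2.0 serviceValidate endpoint (answered with INVALID_REQUEST because it carries no service/ticket query parameters), and, once the client is pointed at samlValidate, a SAML response whose assertion has no AttributeStatement. The script below is an added example, not code from mod_auth_cas, the CAS server, or either poster: it builds the request shape each endpoint expects and parses both response styles so the two symptoms can be told apart from the raw XML. The URLs, ticket, user name, attribute values and request IDs in it are constructed placeholders, and the SAML builder is a minimal stand-in for what a real CAS server emits.

```python
"""Distinguish the two CAS validation failures discussed in the thread.

Added example; not mod_auth_cas or CAS server code. All sample values
(URLs, ticket, user, attributes, IDs) are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"


def build_validation_request(validate_url, service, ticket, use_saml):
    """Return (method, url, body) for the request each endpoint expects.

    CAS 2.0 serviceValidate: GET with 'service' and 'ticket' query params.
    samlValidate: POST with the service in the TARGET query param and the
    ticket carried as a SAML 1.1 AssertionArtifact inside a SOAP envelope.
    Sending the SAML form to serviceValidate is what produces the
    "'service' and 'ticket' parameters are both required" failure.
    """
    if not use_saml:
        query = urlencode({"service": service, "ticket": ticket})
        return "GET", validate_url + "?" + query, None
    body = (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        "<SOAP-ENV:Header/><SOAP-ENV:Body>"
        f'<samlp:Request xmlns:samlp="{SAMLP_NS}" MajorVersion="1" MinorVersion="1" '
        'RequestID="_req-constructed-1" IssueInstant="2012-01-18T12:00:00Z">'  # constructed
        f"<samlp:AssertionArtifact>{ticket}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )
    return "POST", validate_url + "?" + urlencode({"TARGET": service}), body


def parse_validation_response(xml_text):
    """Return {'ok', 'user', 'attributes', 'error'} for either response style."""
    root = ET.fromstring(xml_text)
    empty = {"ok": False, "user": None, "attributes": {}, "error": None}
    if root.tag == f"{{{CAS_NS}}}serviceResponse":
        failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
        if failure is not None:
            return {**empty, "error": failure.get("code")}
        user = root.findtext(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
        return {**empty, "ok": True, "user": user}
    # SOAP-wrapped SAML 1.1 response from samlValidate.
    resp = root.find(f".//{{{SAMLP_NS}}}Response")
    if resp is None:
        return {**empty, "error": "unrecognised response"}
    status = resp.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    code = status.get("Value", "") if status is not None else ""
    if not code.endswith(":Success"):
        return {**empty, "error": code or "missing StatusCode"}
    user = resp.findtext(f".//{{{SAML_NS}}}NameIdentifier")
    attrs = {}
    # An assertion with no AttributeStatement parses fine but yields {}.
    for attr in resp.iterfind(f".//{{{SAML_NS}}}AttributeStatement/{{{SAML_NS}}}Attribute"):
        values = attr.findall(f"{{{SAML_NS}}}AttributeValue")
        attrs[attr.get("AttributeName")] = [v.text for v in values]
    return {**empty, "ok": True, "user": user, "attributes": attrs}


def diagnose(xml_text):
    """Map a parsed response onto the situations described in the thread."""
    r = parse_validation_response(xml_text)
    if not r["ok"] and r["error"] == "INVALID_REQUEST":
        return "request hit a CAS 2.0 endpoint without service/ticket; check CASValidateURL vs CASValidateSAML"
    if r["ok"] and not r["attributes"]:
        return "ticket valid but no AttributeStatement; check attribute release for the service and the attributeRepository"
    if r["ok"]:
        return "ticket valid with attributes"
    return "validation failed: " + str(r["error"])


def saml_response(user, attributes):
    """Construct a minimal samlValidate-style SOAP response (sample data only)."""
    attr_xml = ""
    if attributes:
        attr_xml = f"<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>{user}</saml:NameIdentifier></saml:Subject>"
        for name, values in attributes.items():
            attr_xml += f'<saml:Attribute AttributeName="{name}" AttributeNamespace="http://www.ja-sig.org/products/cas/">'
            attr_xml += "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
            attr_xml += "</saml:Attribute>"
        attr_xml += "</saml:AttributeStatement>"
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>'
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1" ResponseID="_resp-constructed">'
        '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
        '<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_assert-constructed" Issuer="cas.example">'
        '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
        f"<saml:Subject><saml:NameIdentifier>{user}</saml:NameIdentifier></saml:Subject>"
        f"</saml:AuthenticationStatement>{attr_xml}</saml:Assertion>"
        "</samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


# Constructed to mirror the failure shape quoted from the mod_auth_cas debug log.
CAS_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
\t<cas:authenticationFailure code='INVALID_REQUEST'>
\t\t&#039;service&#039; and &#039;ticket&#039; parameters are both required
\t</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(diagnose(CAS_FAILURE))
    print(diagnose(saml_response("alice", {})))
    print(diagnose(saml_response("alice", {"eduPersonAffiliation": ["staff"]})))
```

Running it prints the three diagnoses in order: the INVALID_REQUEST case, the valid-ticket-without-attributes case, and the fully populated case. When debugging a mod_auth_cas deployment, pasting the "Validation response:" XML from the debug log into `diagnose()` gives the same classification without reading through the SOAP by hand.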