Hi,

It looks correct AFAIK.
Don't you have any more logs on mod_auth_cas?
Best regards,
Jérôme

2013/8/19 Steppacher Ralf <[email protected]>

> Hi Jérôme,
>
> My mod_auth_cas configuration looks like this:
>
> CASCookiePath /var/cache/apache2/mod_auth_cas/
> CASValidateServer Off
> CASDebug On
> CASAllowWildcardCert On
> CASLoginURL https://dev.local.fe2/cas/login
> #CASValidateURL https://dev.local.fe2/cas/serviceValidate
> CASValidateURL https://dev.local.fe2/cas/samlValidate
> CASValidateSAML On
>
> ProxyPass /cas https://steppra1-linux-mint:8443/cas
> ProxyPassReverse /cas https://steppra1-linux-mint:8443/cas
> ProxyPassReverseCookieDomain steppra1-linux-mint dev.local.fe2
> ProxyPassReverseCookiePath /cas /
>
> <Location />
> Authtype CAS
> CASScrubRequestHeaders On
> Require valid-user
> # CASAuthNHeader does not seem to work. Working around it for now...
> Header set REMOTE_USER %{REMOTE_USER}s
> </Location>
>
> <Location /cas>
> Satisfy Any
> </Location>
>
>
> Thanks!
> Ralf
>
> ------------------------------
> *From:* Jérôme LELEU [[email protected]]
> *Sent:* Sunday, August 18, 2013 09:41
> *To:* [email protected]
> *Subject:* Re: [cas-user] SAML Ticket Validation
>
> Hi,
>
> What's your mod_auth_cas configuration?
> Thanks.
> Best regards,
> Jérôme
>
>
>
> 2013/8/16 Ralf Steppacher <[email protected]>
>
>> Dear all,
>>
>> I am just getting started with CAS 3.5.2 and got stuck when I tried to
>> employ SAML. Eventually I will need SAML to transport user group membership
>> information from an LDAP-server to the client application.
>>
>> I have set up mod_auth_cas 1.0.10 for apache2. The same apache2 serves the
>> application. CAS is proxied in on the apache. Authentication as such works
>> until I switch to SAML. The same ST is validated twice. The ST is removed
>> from the registry after the first (successful) validation attempt and is
>> therefore not available for the second attempt.
>> I found a previous post describing the exact same effect. The author was
>> advised to check for configuration issues. Unfortunately there was no hint
>> as to where to look.
>>
>> This is the debug log output of a single request to the service
>> https://dev.fe2.local:
>>
>> 2013-08-16 14:38:19,685 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Attempted to
>> extract Request from HttpServletRequest. Results:>
>> 2013-08-16 14:38:19,685 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Request Body: <?xml
>> version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="
>> http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
>> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1"
>> MinorVersion="1"><samlp:AssertionArtifact>ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>>
>> 2013-08-16 14:38:19,685 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Extracted
>> ArtifactId: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
>> 2013-08-16 14:38:19,685 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Extracted Request
>> Id: null>
>> 2013-08-16 14:38:19,685 DEBUG
>> [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor generated
>> service for: https://dev.local.fe2/fe2.html>
>> 2013-08-16 14:38:19,685 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
>> 2013-08-16 14:38:19,685 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
>> [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] found in registry.>
>> 2013-08-16 14:38:19,686 DEBUG
>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to return
>> for service [HTTP and IMAP] is [[email protected]].
>> The default principal id is [[email protected]].>
>> 2013-08-16 14:38:19,686 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket
>> [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] from registry>
>> 2013-08-16 14:38:19,686 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
>> 2013-08-16 14:38:19,686 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>> trail record BEGIN
>> =============================================================
>> WHO: audit:unknown
>> WHAT: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint
>> ACTION: SERVICE_TICKET_VALIDATED
>> APPLICATION: CAS
>> WHEN: Fri Aug 16 14:38:19 CEST 2013
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.1.1
>> =============================================================
>>
>> >
>> 2013-08-16 14:38:19,687 DEBUG
>> [org.jasig.cas.web.ServiceValidateController] - <Successfully validated
>> service ticket: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
>> 2013-08-16 14:38:19,687 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Attempted to
>> extract Request from HttpServletRequest. Results:>
>> 2013-08-16 14:38:19,687 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Request Body: >
>> 2013-08-16 14:38:19,687 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Extracted
>> ArtifactId: null>
>> 2013-08-16 14:38:19,687 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Extracted Request
>> Id: null>
>> 2013-08-16 14:38:19,687 DEBUG
>> [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor generated
>> service for: https://dev.local.fe2/fe2.html>
>> 2013-08-16 14:38:19,880 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Attempted to
>> extract Request from HttpServletRequest. Results:>
>> 2013-08-16 14:38:19,881 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Request Body: <?xml
>> version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="
>> http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
>> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1"
>> MinorVersion="1"><samlp:AssertionArtifact>ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>>
>> 2013-08-16 14:38:19,881 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Extracted
>> ArtifactId: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
>> 2013-08-16 14:38:19,881 DEBUG
>> [org.jasig.cas.authentication.principal.SamlService] - <Extracted Request
>> Id: null>
>> 2013-08-16 14:38:19,881 DEBUG
>> [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor generated
>> service for: https://dev.local.fe2/fe2.html>
>> 2013-08-16 14:38:19,881 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
>> 2013-08-16 14:38:19,881 INFO
>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket
>> [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] does not exist.>
>> 2013-08-16 14:38:19,882 DEBUG
>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
>> retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
>> 2013-08-16 14:38:19,882 INFO
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>> trail record BEGIN
>> =============================================================
>> WHO: audit:unknown
>> WHAT: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint
>> ACTION: SERVICE_TICKET_VALIDATE_FAILED
>> APPLICATION: CAS
>> WHEN: Fri Aug 16 14:38:19 CEST 2013
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.1.1
>> =============================================================
>>
>>
>> Please advise.
>>
>>
>> Regards
>> Ralf
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
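
A log check for the symptom reported in this thread (a service ticket presented for validation again after CAS has already removed it from the registry), as an added example that is not part of the original messages. The sample records are constructed from the quoted debug output with the mail line-wrapping undone and logger names shortened; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: one record per line, modelled on the CAS debug log
# quoted in the thread (logger names shortened, mail wrapping undone).
SAMPLE_LOG = """\
2013-08-16 14:38:19,685 DEBUG [SamlService] - <Extracted ArtifactId: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
2013-08-16 14:38:19,685 DEBUG [DefaultTicketRegistry] - <Ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] found in registry.>
2013-08-16 14:38:19,686 DEBUG [DefaultTicketRegistry] - <Removing ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] from registry>
2013-08-16 14:38:19,687 DEBUG [ServiceValidateController] - <Successfully validated service ticket: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
2013-08-16 14:38:19,687 DEBUG [SamlService] - <Extracted ArtifactId: null>
2013-08-16 14:38:19,881 DEBUG [SamlService] - <Extracted ArtifactId: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
2013-08-16 14:38:19,881 INFO [CentralAuthenticationServiceImpl] - <ServiceTicket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] does not exist.>
"""

TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) ")
EVENTS = {
    "presented": re.compile(r"Extracted ArtifactId: (ST-[^>\s]+)>"),
    "removed": re.compile(r"Removing ticket \[(ST-[^\]]+)\] from registry"),
    "missing": re.compile(r"ServiceTicket \[(ST-[^\]]+)\] does not exist"),
}

def ticket_timeline(log_text):
    """Map each service ticket to its ordered list of (timestamp, event)."""
    timeline = {}
    for line in log_text.splitlines():
        ts = TS.match(line)
        if not ts:
            continue  # continuation line or non-log text
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S,%f")
        for name, pattern in EVENTS.items():
            m = pattern.search(line)
            if m:
                timeline.setdefault(m.group(1), []).append((when, name))
    return timeline

def repeated_validations(log_text):
    """Report tickets presented again after the registry consumed them."""
    findings = []
    for ticket, events in ticket_timeline(log_text).items():
        idx = next((i for i, (_, e) in enumerate(events) if e == "removed"), None)
        if idx is None:
            continue  # ticket never consumed in this log window
        after = events[idx + 1:]  # order by position: timestamps can tie
        late = [t for t, e in after if e == "presented"]
        if late:
            gap_ms = (late[0] - events[idx][0]) // timedelta(milliseconds=1)
            findings.append({"ticket": ticket, "repeats": len(late), "gap_ms": gap_ms,
                             "rejected": any(e == "missing" for _, e in after)})
    return findings
```

A short gap between removal and the repeat, with both requests coming from the same client address, points at the client or proxy issuing the validation twice rather than at a replayed ticket.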
