Jérôme, sorry for the long response times. Unfortunately I am making negative progress and cannot provide the mod_auth_cas logs at the moment.
I have switched to a freshly built OpenLDAP 2.4.35. Not for the better though. A login attempt authenticated via fast LDAP bind yields an HTTP code 500 in about 9 out of 10 login attempts (after the TGT has been issued). There is no error in the CAS log. I will check the Tomcat log first thing on Monday. I hope I can provide the mod_auth_cas logs in the near future...

Thanks!
Ralf

________________________________
From: Jérôme LELEU [[email protected]]
Sent: Tuesday, August 20, 2013 08:32
To: [email protected]
Subject: Re: [cas-user] SAML Ticket Validation

Hi,

It looks correct AFAIK. Don't you have any more logs on mod_auth_cas?
Best regards,
Jérôme



2013/8/19 Steppacher Ralf <[email protected]>
Hi Jérôme,

My mod_auth_cas configuration looks like this:

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASValidateServer Off
CASDebug On
CASAllowWildcardCert On
CASLoginURL https://dev.local.fe2/cas/login
#CASValidateURL https://dev.local.fe2/cas/serviceValidate
CASValidateURL https://dev.local.fe2/cas/samlValidate
CASValidateSAML On

ProxyPass /cas https://steppra1-linux-mint:8443/cas
ProxyPassReverse /cas https://steppra1-linux-mint:8443/cas
ProxyPassReverseCookieDomain steppra1-linux-mint dev.local.fe2
ProxyPassReverseCookiePath /cas /

<Location />
    Authtype CAS
    CASScrubRequestHeaders On
    Require valid-user
   # CASAuthNHeader does not seem to work. Working around it for now...
    Header set REMOTE_USER %{REMOTE_USER}s
</Location>

<Location /cas>
    Satisfy Any
</Location>


Thanks!
Ralf

________________________________
From: Jérôme LELEU [[email protected]]
Sent: Sunday, August 18, 2013 09:41
To: [email protected]
Subject: Re: [cas-user] SAML Ticket Validation

Hi,

What's your mod_auth_cas configuration?
Thanks.
Best regards,
Jérôme



2013/8/16 Ralf Steppacher <[email protected]>
Dear all,

I am just getting started with CAS 3.5.2 and got stuck when I tried to employ SAML. Eventually I will need SAML to transport user group membership information from an LDAP server to the client application.

I have set up mod_auth_cas 1.0.10 for apache2. The same apache2 serves the application. CAS is proxied in on the apache. Authentication as such works until I switch to SAML. The same ST is validated twice. The ST is removed from the registry after the first (successful) validation attempt and is therefore not available for the second attempt.
I found a previous post describing the exact same effect. The author was advised to check for configuration issues. Unfortunately there was no hint as to where to look.

This is the debug log output of a single request to the service 
https://dev.fe2.local:

2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Attempted to extract Request from HttpServletRequest.  Results:>
2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Request Body: <?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" MinorVersion="1"><samlp:AssertionArtifact>ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>>
2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Extracted ArtifactId: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Extracted Request Id: null>
2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor generated service for: https://dev.local.fe2/fe2.html>
2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] found in registry.>
2013-08-16 14:38:19,686 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to return for service [HTTP and IMAP] is [[email protected]]. The default principal id is [[email protected]].>
2013-08-16 14:38:19,686 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] from registry>
2013-08-16 14:38:19,686 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
2013-08-16 14:38:19,686 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Aug 16 14:38:19 CEST 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.1.1
=============================================================

>
2013-08-16 14:38:19,687 DEBUG [org.jasig.cas.web.ServiceValidateController] - <Successfully validated service ticket: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
2013-08-16 14:38:19,687 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Attempted to extract Request from HttpServletRequest.  Results:>
2013-08-16 14:38:19,687 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Request Body: >
2013-08-16 14:38:19,687 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Extracted ArtifactId: null>
2013-08-16 14:38:19,687 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Extracted Request Id: null>
2013-08-16 14:38:19,687 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor generated service for: https://dev.local.fe2/fe2.html>
2013-08-16 14:38:19,880 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Attempted to extract Request from HttpServletRequest.  Results:>
2013-08-16 14:38:19,881 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Request Body: <?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" MinorVersion="1"><samlp:AssertionArtifact>ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>>
2013-08-16 14:38:19,881 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Extracted ArtifactId: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
2013-08-16 14:38:19,881 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Extracted Request Id: null>
2013-08-16 14:38:19,881 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor generated service for: https://dev.local.fe2/fe2.html>
2013-08-16 14:38:19,881 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
2013-08-16 14:38:19,881 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] does not exist.>
2013-08-16 14:38:19,882 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
2013-08-16 14:38:19,882 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri Aug 16 14:38:19 CEST 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.1.1
=============================================================


Please advise.


Regards
Ralf
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
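Ralf's log shows the same ST presented for validation twice, which is also exactly the trace a replayed service ticket leaves in the CAS audit trail, so it is worth picking out of cas.log automatically rather than by eye. The script below is an added example, not code from the thread or from CAS or mod_auth_cas: it parses the audit records in the log format quoted above (the sample is constructed from those lines) and reports every ticket presented more than once, together with the time between presentations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the cas.log format quoted above (ticket id, timestamps and audit actions copied from that log).
SAMPLE_LOG = """\
2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint]>
2013-08-16 14:38:19,686 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] from registry>
2013-08-16 14:38:19,686 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
WHAT: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint
ACTION: SERVICE_TICKET_VALIDATED
2013-08-16 14:38:19,881 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint] does not exist.>
2013-08-16 14:38:19,882 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
WHAT: ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint
ACTION: SERVICE_TICKET_VALIDATE_FAILED
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) ")
WHAT_RE = re.compile(r"^WHAT: (ST-\S+)")
ACTION_RE = re.compile(r"^ACTION: (SERVICE_TICKET_VALIDATE\w*)")
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"

def parse_audit_events(log_text):
    """[(timestamp, ticket, action), ...] from the audit trail records. WHAT:/ACTION:
    lines carry no timestamp, so a record inherits the last timestamped line's."""
    events, ts, ticket = [], None, None
    for line in log_text.splitlines():
        if m := TS_RE.match(line):
            ts = m.group(1)
        elif m := WHAT_RE.match(line):
            ticket = m.group(1)
        elif (m := ACTION_RE.match(line)) and ticket:
            events.append((ts, ticket, m.group(1)))
            ticket = None  # one ACTION per record
    return events

def find_repeated_presentations(events):
    """ticket -> [(timestamp, action), ...] for every ST validated more than once.
    A ST is single-use: a second presentation is a double-validating client or a replay."""
    by_ticket = defaultdict(list)
    for ts, ticket, action in events:
        by_ticket[ticket].append((ts, action))
    return {t: a for t, a in by_ticket.items() if len(a) > 1}

def gap_ms(attempts):
    """Milliseconds between the first and last presentation of one ticket."""
    first = datetime.strptime(attempts[0][0], TS_FMT)
    last = datetime.strptime(attempts[-1][0], TS_FMT)
    return (last - first) // timedelta(milliseconds=1)
```

A client-side double validation shows up as VALIDATED followed by VALIDATE_FAILED a few hundred milliseconds apart from the same client IP; a replay from elsewhere would carry a different CLIENT IP ADDRESS in the second record.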
