This behavior was observed in CAS Server 3.5.2.

SCENARIO

Given two service configurations in CAS:

1 - https://mysite.mydomain.com/pathtoapp
2 - http://*.mydomain.com/

A ticket is generated for a service via the following URL:

https://casserver.mydomain.com/cas/login?service=https%3A%2F%2Fmysite.mydomain.com%2Fpathtoapp

The ticket is then validated via SAML with the following URL:

https://casserver.mydomain.com/cas/samlValidate?TARGET=http%3A%2F%2Fmysite.mydomain.com%2Fpathtoapp

The ticket validation succeeds with the SAML attributes defined by configuration #2. However, because the service URLs differed on protocol, the ticket validation should have been refused.

COMPLICATING FACTORS:

This issue was caused because the CAS application was behind a hardware load balancer where SSL traffic is terminated on the hardware and all communication to the server is HTTP. It was a programming error in a custom client, but the CAS Server should have rejected the ticket validation. The CAS Servers are also load balanced and replicated.

I'm currently working on procuring logs from a reproduction case. I'll post them shortly.

Chad Killingsworth
Assistant Director of Web & New Media
Missouri State University

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
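A toy model of the two checks a ticket validator has to perform for the scenario above, added here as an illustration (it is not CAS code and does not reproduce CAS's actual service-matching logic). The service registry mirrors the two configurations in the post; wildcard matching is modeled with `fnmatch` and a trailing `/` is treated as a prefix, both assumptions. The point it shows: pattern #2 matches the http:// TARGET, so "is this a registered service?" passes, but the ticket was issued for the https:// URL, so the exact ticket-to-service binding must reject the validation.

```python
"""Model of service-ticket validation: registry match vs. ticket binding."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed registry mirroring the two service configurations in the post.
REGISTERED_SERVICES = [
    "https://mysite.mydomain.com/pathtoapp",
    "http://*.mydomain.com/",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_registered(url: str) -> bool:
    """Check 1: does the presented URL match any registered pattern?"""
    for pattern in REGISTERED_SERVICES:
        if pattern.endswith("/"):
            pattern += "*"  # assumption: trailing '/' means prefix match
        if fnmatchcase(url, pattern):
            return True
    return False


def _canonical(url: str) -> tuple:
    """Scheme, host, effective port, path and query; nothing is dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port, parts.path, parts.query)


def same_service(issued_for: str, presented: str) -> bool:
    """Check 2: the validation target must be the service the ticket was
    issued for, scheme included.  A registry match alone is not enough."""
    return _canonical(issued_for) == _canonical(presented)


def validate_ticket(issued_for: str, presented: str) -> str:
    """Outcome of validating a ticket bound to issued_for against presented."""
    if not is_registered(presented):
        return "REJECT: unregistered service"
    if not same_service(issued_for, presented):
        return "REJECT: service mismatch"
    return "OK"


if __name__ == "__main__":
    issued = "https://mysite.mydomain.com/pathtoapp"
    target = "http://mysite.mydomain.com/pathtoapp"  # the post's TARGET
    print(is_registered(target), validate_ticket(issued, target))
```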