(Changed subject to be more relevant)
Hi,

I'm having trouble getting the logout messages (I've switched logging to 
DEBUG but not seeing anything - will see what else I can do when I've 
time but pointers welcome)
but this does seem readily reproducible

I refer you to my message of 10th September copied below - I haven't yet 
reproduced this with RC2 for samlValidate with a small amount of testing

Summary of earlier problem
Intermittent but frequent problem
Have logged as early as possible in multiple clients e.g. perl and the 
input seems corrupt
Default logging on the server side seems to indicate that the message is 
being correctly created

Thanks,
Ian


Hi,

I seem to be having frequent problems with invalid XML in the SAML response

I've seen this with different clients (mod_auth_cas and perl) and 
different versions of CAS (4.0_RC1 and 3.5.2)

Sometimes it works and everything is fine, but often not - the XML 
errors are not always in the same place.
I am using attribute release.

Any ideas how to track this down very welcome!

Thanks,
Ian

One example:
I've checked that the ResponseID and AssertionID match. (changed the 
name identifier but otherwise as from the logs)

In the server logs I see:
2013-09-10 13:54:39,078 DEBUG [PROTOCOL_MESSAGE] -
......
<saml1:AuthenticationStatement 
AuthenticationInstant="2013-09-10T13:47:19.447Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
                <saml1:Subject>
<saml1:NameIdentifier>m...@example.org</saml1:NameIdentifier>
                   <saml1:SubjectConfirmation>
<saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
 

                   </saml1:SubjectConfirmation>
                </saml1:Subject>
             </saml1:AuthenticationStatement>


In the client I see:

         <saml1:AuthenticationStatement 
AuthenticationInstant="2013-09-10T13:47:19.447Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
             <saml1:Subject>
<saml1:NameIdentifier>m...@example.urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
 

</saml1:SubjectConfirmation></saml1:Subject>
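
One way to measure the server-log versus client mismatch shown in the example above. This is an added illustration, not part of the original message and not code from CAS or its clients. The sample strings are constructed from the fragments in the post, with a placeholder user name and a hypothetical dropped span; `normalize`, `well_formed` and `missing_spans` are names invented for this sketch.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

NS = 'xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"'

# Constructed sample modelled on the post's server-side log (placeholder user name).
SERVER = f'''<saml1:Subject {NS}>
  <saml1:NameIdentifier>user@example.org</saml1:NameIdentifier>
  <saml1:SubjectConfirmation>
    <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
  </saml1:SubjectConfirmation>
</saml1:Subject>'''

# Hypothetical span lost in transit, chosen so the result has the shape of the
# corrupt client-side fragment quoted in the post.
DROPPED = ('org</saml1:NameIdentifier><saml1:SubjectConfirmation>'
           '<saml1:ConfirmationMethod>')

def normalize(xml):
    """Remove whitespace between tags so pretty-printing is not reported as a difference."""
    return re.sub(r'>\s+<', '><', xml.strip())

CLIENT = normalize(SERVER).replace(DROPPED, '', 1)

def well_formed(xml):
    """Return None if xml parses, else the (line, column) of the first parser error."""
    # Intended for captures from your own server; for untrusted XML use a
    # hardened parser such as defusedxml.
    try:
        ET.fromstring(xml)
        return None
    except ET.ParseError as err:
        return err.position

def missing_spans(sent, received):
    """Return (offset, text) for each run of `sent` that is absent from `received`."""
    a, b = normalize(sent), normalize(received)
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return [(i1, a[i1:i2]) for tag, i1, i2, _, _ in matcher.get_opcodes()
            if tag in ('delete', 'replace')]

if __name__ == '__main__':
    print('client parse error at', well_formed(CLIENT))
    for offset, text in missing_spans(SERVER, CLIENT):
        print(f'{len(text)} chars missing at offset {offset}: {text!r}')
```

Run over several failing responses, the offsets and lengths of the missing runs show whether the loss follows a fixed pattern or varies from response to response.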


On 25/10/13 18:48, Misagh Moayyed wrote:
> On #1, that is the "expected" behavior. Proxy authentication is no 
> longer turned on by default for tighter security purposes. Explicit 
> configuration by turning on that flag though, as you indicated, would 
> allow that back in.
>
> On #2, would you be able to capture the logout messages sent on the 
> CAS server side so that we could examine what is actually being sent 
> back?
>
> -Misagh
> ------------------------------------------------------------------------
> *From: *"Ian Wright" <ian.wri...@well.ox.ac.uk>
> *To: *cas-dev@lists.jasig.org
> *Sent: *Friday, October 25, 2013 5:03:56 AM
> *Subject: *Re: [cas-dev] CAS 4.0.0-RC2 released
>
> On 24/10/13 20:17, Jérôme LELEU wrote:
>
>     Hi,
>
>     CAS 4.0.0-RC2 has been released. It is now available in the Maven
>     central repository.
>     Please report any issue on the mailing lists.
>     Thanks.
>     Best regards,
>     Jérôme
>
>     -- 
>     You are currently subscribed to cas-...@lists.jasig.org
>     <mailto:cas-dev@lists.jasig.org> as: ian.wri...@well.ox.ac.uk
>     To unsubscribe, change settings or access archives, see
>     http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
> Hi,
>
> I've upgraded to RC2 from a working RC1 and thought I'd report on my 
> experience in case it's useful.
>
> With pwm as client (uses clearpass) CAS client 3.2.1 running in STS 
> using VMware vFabric tc Server Developer Edition v2.8 (cas and pwm 
> only apps running)
>
> 1.  I get the following log message
>
>     ] with root cause
> org.jasig.cas.client.validation.TicketValidationException:
>         service.not.authorized.proxy
>
> This is solved by adding:
>             <property name="allowedToProxy" value="true" />
> to the relevant bean in the service registry
>
>
> 2.
>
> I think this one might be related to the problem I posted about 
> previously where I've been sometimes seeing corrupt XML in the 
> samlValidate response (also seen running in tomcat7 on Ubuntu 12.04 
> with multiple clients)
>
> 2013-10-25 09:51:30, ERROR, util.XmlUtils, 
> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 132; 
> Element type "samlp:LogoutRequest" must be followed by either 
> attribute specifications, ">" or "/>".
> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 132; 
> Element type "samlp:LogoutRequest" must be followed by either 
> attribute specifications, ">" or "/>".
>     at 
> com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:198)
>     at 
> com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:177)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:441)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:368)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1388)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.seekCloseOfStartTag(XMLDocumentFragmentScannerImpl.java:1355)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:261)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl$NSContentDriver.scanRootElementHook(XMLNSDocumentScannerImpl.java:602)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3065)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:881)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:607)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:116)
>     at 
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:489)
>     at 
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:835)
>     at 
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:764)
>     at 
> com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:123)
>     at 
> com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1210)
>     at 
> org.jasig.cas.client.util.XmlUtils.getTextForElement(XmlUtils.java:164)

