How did you generate the IDP certs? What are your exact versions?

On Tue, Mar 7, 2017 at 9:21 AM, Lê Thành <[email protected]> wrote:
> I have fixed this issue. The problem occurs when CAS redirects to AD FS:
> it did not retain RelayState. You can fix this by saving this param and
> resending it with the redirect URL to AD FS.
> Good luck
>
> On Tue, Mar 7, 2017, 8:50 PM Robert Ledermüller <[email protected]> wrote:
>
>> Hi,
>>
>> I'm having the exact same issue. Did you find any solution yet?
>>
>> Best
>> -- Robert
>>
>>
>> On Tuesday, November 22, 2016 at 11:37:36 AM UTC+1, Lê Thành wrote:
>>
>> Hi,
>>
>> I'm configuring CAS 5.0.0 (Release) to work with AD FS 3 by SAML2
>> Authentication. In my case CAS acts as an IdP; everything works fine, but
>> AD FS can't parse the SAMLResponse. It throws an exception:
>>
>> Microsoft.IdentityServer.Web.UnsupportedSamlResponseException: MSIS7029: The SAML response has content that is not supported.
>>    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
>>    at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
>>    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
>>
>> against SAMLResponse:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>>     Destination="https://leth.teca.vn/adfs/ls/"
>>     ID="_8125126804174747431"
>>     InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
>>     IssueInstant="2016-11-22T09:07:03.187Z" Version="2.0"
>>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>     xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>>   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://cas.bhxh.vn:8443/cas/idp</saml2:Issuer>
>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>     <ds:SignedInfo>
>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>       <ds:Reference URI="#_8125126804174747431">
>>         <ds:Transforms>
>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>           </ds:Transform>
>>         </ds:Transforms>
>>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>         <ds:DigestValue>DlBC3aKXqTSiFelrBEk5jbgsQeMlDWLMvkeZ7wuaPGA=</ds:DigestValue>
>>       </ds:Reference>
>>     </ds:SignedInfo>
>>     <ds:SignatureValue>
>> OG+wEuMdzIyM3yLTpB2RnbicKcCBHRt9et9Cti60Qs8N3G+maQCiOvgbKmzdoZsM9y2HTGiNkgkB
>> 9qUsAO072PyOhtH5IkDe72eMB5QzhVkNPPOkhME0wo4lxTI/gvfG/vnJwkYtAignlOkl9/zppWeG
>> 2FEeZFA/MoirpiheP2R+hEZVQw8aftF0a2Quy/GpVs3dWRN5nZXSPAkoYEtTmLcWGOjkZYul563X
>> GUbHreYxHBLFT8IYvcD6bJwKp9S1MNOfGOBddkH5FiA1Ena0gP4ONCGZ/Q+JDshTBuPZ3yJrjGMl
>> oOjRlw2sk741f+jHcATtxk7r6pyq71PwgwrJXg==
>>     </ds:SignatureValue>
>>     <ds:KeyInfo>
>>       <ds:X509Data>
>>         <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
>> A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
>> VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
>> zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
>> unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
>> /15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
>> y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
>> bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
>> 1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
>> hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
>> SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
>> Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
>> zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
>> 7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==</ds:X509Certificate>
>>       </ds:X509Data>
>>     </ds:KeyInfo>
>>   </ds:Signature>
>>   <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>>     <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
>>   </saml2p:Status>
>>   <saml2:Assertion ID="_6777774035950654943"
>>       IssueInstant="2016-11-22T09:07:03.128Z" Version="2.0"
>>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>>     <saml2:Issuer>https://cas.bhxh.vn:8443/cas/idp</saml2:Issuer>
>>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>       <ds:SignedInfo>
>>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>         <ds:Reference URI="#_6777774035950654943">
>>           <ds:Transforms>
>>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>               <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>             </ds:Transform>
>>           </ds:Transforms>
>>           <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>           <ds:DigestValue>7kDPmghSrp8C7L0RW1LxToCS1KlKEXV3T3oUJjhorAk=</ds:DigestValue>
>>         </ds:Reference>
>>       </ds:SignedInfo>
>>       <ds:SignatureValue>
>> cmuGUsUU2vUYQW4+enWyDi/eSUYHMAU2NTVqZFjksIIwR7Pp192fBlDmoFsmLDBVx77yOdjeQ1yh
>> jOMCMk1zljpwRhAVvUzk6Oi8wr9VKkMl5jX15cKb7mZnABAG7R3/H5uLPzPCWhxlai/T2XwC4it9
>> L/4kj7yLJsyLcWQjYTmomsdBWPD52P9YQ5pOZ8xbbayA1nT6J9LV0MkixsNvQ6FK5Pe20XY1W8ev
>> 9qSg1YUeqr9rpQnOWiZHPx/pCyHIJFGFfvBjc29FJUwJmLsrRnrtLA7ZJJGJfys1+Z9LnJ4Wrv75
>> u8a3yOOhDZi63mBlhAAMiy51OTfMaFLOg3U45w==
>>       </ds:SignatureValue>
>>       <ds:KeyInfo>
>>         <ds:X509Data>
>>           <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
>> A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
>> VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
>> zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
>> unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
>> /15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
>> y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
>> bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
>> 1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
>> hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
>> SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
>> Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
>> zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
>> 7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </ds:Signature>
>>     <saml2:Subject>
>>       <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
>>         [email protected]
>>       </saml2:NameID>
>>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>         <saml2:SubjectConfirmationData InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
>>             NotOnOrAfter="2016-11-22T09:12:03.022Z"/>
>>       </saml2:SubjectConfirmation>
>>     </saml2:Subject>
>>     <saml2:Conditions NotBefore="2016-11-22T09:07:03.151Z" NotOnOrAfter="2016-11-22T09:12:03.151Z">
>>       <saml2:AudienceRestriction>
>>         <saml2:Audience>http://leth.teca.vn/adfs/services/trust</saml2:Audience>
>>       </saml2:AudienceRestriction>
>>     </saml2:Conditions>
>>     <saml2:AuthnStatement AuthnInstant="2016-11-22T09:07:03.022Z">
>>       <saml2:SubjectLocality Address="http://leth.teca.vn/adfs/services/trust"/>
>>       <saml2:AuthnContext>
>>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>>       </saml2:AuthnContext>
>>     </saml2:AuthnStatement>
>>     <saml2:AttributeStatement>
>>       <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod" Name="samlAuthenticationStatementAuthMethod">
>>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>           urn:oasis:names:tc:SAML:1.0:am:password
>>         </saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
>>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true
>>         </saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
>>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>           2016-11-22T16:07:02.927+07:00[Asia/Bangkok]
>>         </saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
>>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>           WsAuthenticationHandler
>>         </saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
>>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>           WsAuthenticationHandler
>>         </saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed" Name="longTermAuthenticationRequestTokenUsed">
>>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>           false
>>         </saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="email" Name="email">
>>         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
>>           [email protected]
>>         </saml2:AttributeValue>
>>       </saml2:Attribute>
>>     </saml2:AttributeStatement>
>>   </saml2:Assertion>
>> </saml2p:Response>
>>
>>
>> I don't know the reason, while the SAMLResponse from Shibboleth I got
>> before had the same tags except the attribute names.
>> Please help!
>>
>> Thanks
>>
>> --
>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
>> - CAS documentation website: https://apereo.github.io/cas
>> - CAS project website: https://github.com/apereo/cas
>> ---
>> You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
>> To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/aBqlYZsbQFY/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/123bc5bc-a305-4946-be4a-d31726a2ac69%40apereo.org.
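The RelayState round trip that Lê Thành's fix describes, written out as an added example (this is not CAS, AD FS or Shibboleth code and not from anyone in this thread): the SP sends RelayState next to the deflated AuthnRequest on the HTTP-Redirect binding, the IdP carries it through login untouched, and echoes it as a hidden field in the HTTP-POST form that delivers the SAMLResponse. The SP then checks that the state it sent came back byte-for-byte and that InResponseTo names the request it actually issued. The hostnames, IDs and the two minimal XML messages are constructed placeholders; the 80-byte limit is the one stated in the SAML 2.0 Bindings specification (3.4.3 and 3.5.3), and a deployment that must interoperate with a peer sending longer values would relax that check rather than drop the state.

```python
"""SAML RelayState round trip: HTTP-Redirect binding in, HTTP-POST binding out.

Added illustration; hostnames, IDs and the minimal XML are constructed placeholders.
"""
import base64
import html
import re
import zlib
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# SAML 2.0 Bindings 3.4.3 / 3.5.3: RelayState MUST NOT exceed 80 bytes.
RELAY_STATE_MAX_BYTES = 80

# Constructed minimal AuthnRequest (a real one also carries Issuer, ACS URL, NameIDPolicy, ...).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="id-sample-0001" Version="2.0" IssueInstant="2016-11-22T09:07:00Z"/>'
)


def sp_build_redirect_url(sso_url: str, authn_request_xml: str, relay_state: Optional[str]) -> str:
    """SP side: raw DEFLATE (no zlib header), base64, then URL-encode as query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def idp_parse_redirect(url: str) -> Tuple[str, Optional[str]]:
    """IdP side: recover the AuthnRequest and the opaque RelayState from the redirect URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    authn_request_xml = zlib.decompress(raw, -15).decode("utf-8")
    relay_state = qs.get("RelayState", [None])[0]
    if relay_state is not None and len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
        raise ValueError("RelayState exceeds the 80-byte limit from SAML 2.0 Bindings")
    return authn_request_xml, relay_state


def request_id(xml: str) -> Optional[str]:
    """Pull the ID attribute out of the sample messages (a regex is enough for these stubs)."""
    match = re.search(r'\bID="([^"]+)"', xml)
    return match.group(1) if match else None


def idp_build_post_form(acs_url: str, response_xml: str, relay_state: Optional[str]) -> str:
    """IdP side: the auto-submitting POST form. RelayState is echoed verbatim and HTML-escaped;
    the IdP never parses it, rewrites it or treats it as a redirect target."""
    fields = [("SAMLResponse", base64.b64encode(response_xml.encode("utf-8")).decode("ascii"))]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}"/>'
        for name, value in fields
    )
    return f'<form method="post" action="{html.escape(acs_url, quote=True)}">{inputs}</form>'


def sp_parse_post_form(form_html: str) -> Dict[str, str]:
    """SP side stand-in for the browser submit: read the hidden fields back out of the form."""
    pairs = re.findall(r'name="([^"]+)" value="([^"]*)"', form_html)
    return {name: html.unescape(value) for name, value in pairs}


def round_trip(relay_state: Optional[str]) -> Dict[str, bool]:
    """Drive one login through both sides and report what the SP can verify on receipt."""
    url = sp_build_redirect_url("https://idp.example.test/idp/profile/SAML2/Redirect/SSO",
                                SAMPLE_AUTHN_REQUEST, relay_state)
    request_xml, idp_seen_relay_state = idp_parse_redirect(url)
    # Constructed minimal Response; a real one is signed and carries Status and an Assertion.
    response_xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="_resp-0001" InResponseTo="{request_id(request_xml)}" Version="2.0"/>'
    )
    form = idp_build_post_form("https://sp.example.test/adfs/ls/", response_xml, idp_seen_relay_state)
    posted = sp_parse_post_form(form)
    received_xml = base64.b64decode(posted["SAMLResponse"]).decode("utf-8")
    return {
        # The state the SP sent out must come back byte-for-byte.
        "relay_state_preserved": posted.get("RelayState") == relay_state,
        # And the response must answer the request the SP actually issued.
        "in_response_to_ok": f'InResponseTo="{request_id(SAMPLE_AUTHN_REQUEST)}"' in received_xml,
    }


if __name__ == "__main__":
    print(round_trip("return-to=/portal/home"))
```

RelayState is attacker-influenced input on both ends: the IdP only has to escape it into the form, but an SP that uses it as a post-login redirect target must validate it against its own allow-list, and a relying party that keeps it only in the first leg of the flow (the problem described above) sees the AuthnRequest and Response as unrelated.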
