>
> Hi everyone,
>
> I'm trying to use a local installation of simplesamlphp as a SP to log
> through a local CAS 5.0.4 server using the saml 2 protocol.
> The issue I have at the moment is that the response I get from the CAS
> server is missing the inResponseTo attribute in the response Element.
>
> The saml 2 spec specifies that the InResponseTo must be present in the
> response element if the response is associated to a request.
> Do I have something missing in my configuration or is it a bug?
>
> Any help would be appreciated.
>
> Thanks
>
>
> relevant part of application.properties
>
> cas.authn.samlIdp.metadata.location=${user.home}/work/metadata/
> cas.authn.samlIdp.entityId=http://localhost:8042/cas/idp
> cas.authn.samlIdp.hostName=http://localhost:8042
> cas.samlCore.ticketidSaml2=true
>
> IDP metadata in php format
> <?php
> /**
>  * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
>  *
>  * Remember to remove the IdPs you don't use from this file.
>  *
>  * See: 
> https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote 
>  */
>
>
> $metadata['http://localhost:8042/cas/idp'] = array (
>   'entityid' => 'http://localhost:8042/cas/idp',
>   'contacts' => 
>   array (
>   ),
>   'metadata-set' => 'saml20-idp-remote',
>   'SingleSignOnService' => 
>   array (
>     0 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO',
>     ),
>     1 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/POST/SSO',
>     ),
>     2 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
>       'Location' => 'http://localhost:8042/idp/profile/SAML2/POST-SimpleSign/SSO',
>     ),
>   ),
>   'ArtifactResolutionService' => 
>   array (
>     0 => 
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
>       'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/SOAP/ArtifactResolution',
>       'index' => 2,
>     ),
>   ),
>   'NameIDFormats' => 
>   array (
>     0 => 'urn:mace:shibboleth:1.0:nameIdentifier',
>     1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
>   ),
>   'keys' => 
>   array (
>     0 => 
>     array (
>       'encryption' => false,
>       'signing' => true,
>       'type' => 'X509Certificate',
>       'X509Certificate' => '
> MIIDGDCCAgCgAwIBAgIUTHtu3X3oSmNnElYPdxoY3QzjOgwwDQYJKoZIhvcNAQEL
> BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
> MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
> KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ7L2leA8jlRxrkWm0q3prVAMOJBxr0J
> A2Z74h+9k3c4vAzb7FlvWV3TIY8YDXDZ29YZ0dtTIodeleVJfAcUMpZ6RLcHdiBK
> C5VgAQ8ci98aM5aXxS+kXxjjilOHB8ckKFqjb8asPlvpN368Z1Qk/lKNbsE35hxb
> f/9V2oiHtbShG0vrSC7da2uOTpBiguO2yB6mJO92FymBWS7zlZ+G9pWTE4EuizWk
> 10kz7jHYfUm/BKgVOnEDTL4e+eb5cTIxnpZ9iA3+dfi8qU2bOQ0PlXW7nW4ZMSzW
> 4BlWjuK4G78HnlZu+FqgNlQwjR9tjbvma6aovE3UH1nHJWy93uALrnECAwEAAaNY
> MFYwHQYDVR0OBBYEFKTnbarNb/ik8VO/dkLDxyrRWeDcMDUGA1UdEQQuMCyCDmxv
> Y2FsaG9zdDo4MDQyhhpsb2NhbGhvc3Q6ODA0MmlkcC9tZXRhZGF0YTANBgkqhkiG
> 9w0BAQsFAAOCAQEANnk4BeurZaPWVdVDalg+jQdBlfi6DtF8oKGWoc3tlmA414Cu
> Aih+4nopXl8/xByk0DQdBcnhYJ59hPNm5BBwlM66T0eUP7kzOoVw2PgOhjEfCbqG
> a8S3Cu0fULL2OxrxSozAhz2fTsd+zn6cla0KJGMjQmEjiORs8ThHFZhPlueqAtwp
> cyrNyeO3vSt8A28kyY5TOZPjWickk39ilveuRZKMkBN4TAFAHciKZP8Y3foESB6+
> rC/guihxOCgUNKfUEREVveBxaFEV6xUYNcnIFAQNnTzwDbSM63+Sq2hAKh8ynnML
> cVl0ONhI47hxf1HWQN5TGhip2rcARx2T0v+mfA==
>                         ',
>     ),
>     1 => 
>     array (
>       'encryption' => true,
>       'signing' => false,
>       'type' => 'X509Certificate',
>       'X509Certificate' => '
> MIIDGDCCAgCgAwIBAgIUMTFA5LKKiMYwxBvZ8xPv8zXccWcwDQYJKoZIhvcNAQEL
> BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
> MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
> KoZIhvcNAQEBBQADggEPADCCAQoCggEBALdk2QNzLvTaGQ+JfzbqzEvUR4Rbl0yt
> gksokiknda446QTJDMCXRibeQ0jJks5i8IDSDH0CMTHg3RtO0UNCR1tLQ/5Ocnx0
> ZK7CdBHtnKc++vQ7nX3IcJD1Qt7lrI3K8s2JcpJLL796vsiDcfCXo19zQnZGA+NM
> xiaOnytW/GiTSDbeHIGkaJK0GzEOGdf2a523WaMZtCWhO2Q2DHRphkb5Iz40piQ1
> JBmf5Cx0iPCmJXZwommV8MjaYvxfQUHLHe9VYKMSJUJXkeFunyLV/VbX3rwE7fJK
> YACnc/l49jmCcffuFPoSyfeBxO/5V/NP2R6KThLITE9yYiGnpDGkt2UCAwEAAaNY
> MFYwHQYDVR0OBBYEFICPhiHbxQHx2TeVcoeS3Q9WNyaQMDUGA1UdEQQuMCyCDmxv
> Y2FsaG9zdDo4MDQyhhpsb2NhbGhvc3Q6ODA0MmlkcC9tZXRhZGF0YTANBgkqhkiG
> 9w0BAQsFAAOCAQEAgv7XbF+macOs+OLswlX0IEGfV2489zZyCbuyHq/wT+uYMMfC
> YhPP1g7nWObcE4O7nWeRM2AiAIE5l/6bTVtn1buc06QWJZyPH+dRJG26MQqrD6I2
> 9o0Sw/q9pL+p/BGfB8nyxvD2PsYg1VhL64G7TLWOfpTQgWMxJrkPzYrLYTif06fj
> fotMcnmIzMtYP8TMUEyynPUTD5TUNjeBvalIO/pzXP8GuDy5qGczhjz6pgFlN1Oi
> MED+9FiXP/ZJ+97w1MUPUTXpQqY+POWiqlHQ3by9VgRfBj4ju/4TuGKclC4e6ntK
> EwXO+bVDxCMlkcHiAtUfu7JaY0IId1uM90lbxw==
>                         ',
>     ),
>   ),
>   'scope' => 
>   array (
>     0 => 'localhost:8042',
>   ),
> );
>
>
>
>
>
>
> SP metadata
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> entityID="http://localhost:8000/simplesaml">
>   <md:SPSSODescriptor
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol
> urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:SingleLogoutService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-logout.php/local-sso"/>
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"
> index="0"/>
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml1-acs.php/local-sso"
> index="1"/>
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"
> index="2"/>
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
> Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml1-acs.php/local-sso/artifact"
> index="3"/>
>   </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
>
>
> auth request
>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:AuthnRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> AssertionConsumerServiceURL="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"
> Destination="http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO"
> ID="_dba8369b90c24b172fb07fc8bde77e9b323ba71f30"
> IssueInstant="2017-03-08T14:57:07Z"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Version="2.0">
>   <saml:Issuer>http://localhost:8000/simplesaml</saml:Issuer>
>   <samlp:NameIDPolicy AllowCreate="true"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
> </samlp:AuthnRequest>
>
>
>
> response 
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
> ID="_5525762746082961547" IssueInstant="2017-03-08T10:36:39.837Z"
> Version="2.0">
>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8042/cas/idp</saml2:Issuer>
>   <saml2p:Status>
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
>   </saml2p:Status>
>   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> ID="_759790977264922675" IssueInstant="2017-03-08T10:36:39.830Z" 
> Version="2.0">
>     <saml2:Issuer>http://localhost:8042/cas/idp</saml2:Issuer>
>     <saml2:Subject>
>       <saml2:NameID 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">plegeay</saml2:NameID>
>       <saml2:SubjectConfirmation 
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData 
> InResponseTo="_30cd159c03da7a2226630390df87f49edb3ab09381" 
> NotOnOrAfter="2017-03-08T10:36:39.823Z" 
> Recipient="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"/>
>       </saml2:SubjectConfirmation>
>     </saml2:Subject>
>     <saml2:Conditions NotBefore="2017-03-08T10:36:39.836Z" 
> NotOnOrAfter="2017-03-08T10:36:39.836Z">
>       <saml2:AudienceRestriction>
>         <saml2:Audience>http://localhost:8000/simplesaml</saml2:Audience>
>       </saml2:AudienceRestriction>
>     </saml2:Conditions>
>     <saml2:AuthnStatement AuthnInstant="2017-03-08T10:36:39.823Z">
>       <saml2:SubjectLocality Address="http://localhost:8000/simplesaml"/>
>       <saml2:AuthnContext>
>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
>       </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>     <saml2:AttributeStatement>
>       <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod"
> Name="samlAuthenticationStatementAuthMethod">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">true</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="authenticationDate"
> Name="authenticationDate">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">2017-03-08T11:36:39.645+01:00[Europe/Paris]</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="authenticationMethod"
> Name="authenticationMethod">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
> Name="successfulAuthenticationHandlers">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
>       </saml2:Attribute>
>       <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
> Name="longTermAuthenticationRequestTokenUsed">
>         <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string">false</saml2:AttributeValue>
>       </saml2:Attribute>
>     </saml2:AttributeStatement>
>   </saml2:Assertion>
> </saml2p:Response>
>
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/54926d2d-a00e-4f29-a768-1d8e20045b60%40apereo.org.
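The question above turns on the correlation the SAML 2.0 spec requires between an AuthnRequest and the Response it produces: a Response that answers a request must carry the request's ID in InResponseTo, and the bearer SubjectConfirmationData must repeat it, so that an SP can tell a solicited response from an unsolicited (IdP-initiated) one and reject responses that were not issued for a request it actually sent. The following Python validator is an added example written for this page; it is not code from the post, from SimpleSAMLphp, or from CAS. It performs the SP-side checks for exactly the situation described (InResponseTo absent from the Response element) and goes a little beyond the post by also checking the bearer Recipient, the validity windows and the Audience. The ACS URL and SP entityID are taken from the posted SP metadata; the request IDs, timestamps and the sample Response are constructed to mirror the structure of the posted messages.

```python
# Added example: SP-side correlation checks for a SAML 2.0 Response. Not code from
# SimpleSAMLphp or CAS; the sample Response and request IDs below are constructed.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # a production SP should use defusedxml or its SAML library's parser

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from the posted SP metadata; NOW is a constructed clock reading.
ACS = "http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"
SP_ENTITY_ID = "http://localhost:8000/simplesaml"
NOW = datetime(2017, 3, 8, 10, 36, 40, tzinfo=timezone.utc)


def _q(ns, local):
    """Clark-notation tag name ({namespace}local) for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


def _instant(value):
    """Parse a SAML xsd:dateTime in UTC ('Z' suffix, optional fraction) into an aware datetime."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_response(xml_text, outstanding_ids, acs_url, audience, now,
                      allow_unsolicited=False, skew=timedelta(seconds=0)):
    """Return the list of problems found; an empty list means the correlation checks passed.
    outstanding_ids: IDs of AuthnRequests this SP issued and has not yet consumed.
    allow_unsolicited: whether IdP-initiated responses (no InResponseTo) are accepted at all."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != _q(SAMLP, "Response"):
        return ["root element is not samlp:Response"]

    irt = root.get("InResponseTo")
    if irt is None:
        if not allow_unsolicited:
            problems.append("Response has no InResponseTo; unsolicited responses are not accepted")
    elif irt not in outstanding_ids:
        problems.append("Response InResponseTo %r matches no outstanding AuthnRequest" % irt)

    code = root.find(_q(SAMLP, "Status") + "/" + _q(SAMLP, "StatusCode"))
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertions = root.findall(_q(SAML, "Assertion"))
    if not assertions:
        problems.append("Response carries no plaintext Assertion")
    for assertion in assertions:
        scd = assertion.find("/".join([_q(SAML, "Subject"), _q(SAML, "SubjectConfirmation"),
                                       _q(SAML, "SubjectConfirmationData")]))
        if scd is None:
            problems.append("Assertion has no SubjectConfirmationData")
            continue
        # The bearer confirmation must be tied to the same request as the Response.
        scd_irt = scd.get("InResponseTo")
        if scd_irt is None:
            if not allow_unsolicited:
                problems.append("SubjectConfirmationData has no InResponseTo")
        elif scd_irt not in outstanding_ids:
            problems.append("SubjectConfirmationData InResponseTo %r matches no outstanding AuthnRequest" % scd_irt)
        elif irt is not None and scd_irt != irt:
            problems.append("InResponseTo differs between Response and SubjectConfirmationData")
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not this SP's ACS URL")
        if scd.get("NotOnOrAfter") is not None and now >= _instant(scd.get("NotOnOrAfter")) + skew:
            problems.append("SubjectConfirmationData NotOnOrAfter has passed")

        # Conditions: valid iff NotBefore <= now < NotOnOrAfter (skew widens the window).
        cond = assertion.find(_q(SAML, "Conditions"))
        if cond is not None:
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb is not None and now < _instant(nb) - skew:
                problems.append("Assertion is not yet valid (NotBefore)")
            if noa is not None and now >= _instant(noa) + skew:
                problems.append("Assertion has expired (NotOnOrAfter)")
            if audience not in [a.text for a in cond.iter(_q(SAML, "Audience"))]:
                problems.append("Audience does not include this SP's entityID")
    return problems


def sample_response(response_irt, request_id="_req_constructed_1"):
    """Constructed Response shaped like the posted one; response_irt=None reproduces the
    missing InResponseTo attribute on the Response element (the assertion still has one)."""
    irt_attr = "" if response_irt is None else ' InResponseTo="%s"' % response_irt
    return """<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s"
  ID="_resp_constructed" IssueInstant="2017-03-08T10:36:39.837Z" Version="2.0"%s>
  <saml2:Issuer>http://localhost:8042/cas/idp</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="%s"/></saml2p:Status>
  <saml2:Assertion ID="_assertion_constructed" IssueInstant="2017-03-08T10:36:39.830Z" Version="2.0">
    <saml2:Issuer>http://localhost:8042/cas/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">user</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="%s" NotOnOrAfter="2017-03-08T10:41:39Z" Recipient="%s"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-03-08T10:36:39Z" NotOnOrAfter="2017-03-08T10:41:39Z">
      <saml2:AudienceRestriction><saml2:Audience>%s</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>""" % (SAMLP, SAML, irt_attr, SUCCESS, request_id, ACS, SP_ENTITY_ID)


if __name__ == "__main__":
    outstanding = {"_req_constructed_1"}
    print(validate_response(sample_response(None), outstanding, ACS, SP_ENTITY_ID, NOW))
    print(validate_response(sample_response("_req_constructed_1"), outstanding, ACS, SP_ENTITY_ID, NOW))
```

Run with the Response element lacking InResponseTo, the validator reports exactly that, because an SP that has sent an AuthnRequest should only accept a Response that names it; the same Response passes only when the SP is explicitly configured to accept unsolicited (IdP-initiated) logins, which is a separate policy decision. The `skew` parameter is the only thing that lets a zero-width Conditions window through: the posted Response has NotBefore equal to NotOnOrAfter (both 10:36:39.836Z), which leaves no instant at which the assertion is valid, so a strict SP clock would reject it even if the InResponseTo problem were fixed.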