Sounds like a bug to me.

PS: There is no such thing as CAS 5.0.4. Did you mean SNAPSHOT?

-- Misagh

From: Paul Legeay <dev.pleg...@gmail.com>
Reply: cas-user@apereo.org <cas-user@apereo.org>
Date: March 8, 2017 at 7:37:16 PM
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] [cas user] missing InResponseTo attribute

Hi everyone,

I'm trying to use a local installation of simplesamlphp as an SP to log in through a local CAS 5.0.4 server using the SAML 2 protocol. The issue I have at the moment is that the response I get from the CAS server is missing the InResponseTo attribute in the Response element. The SAML 2 spec specifies that InResponseTo must be present in the Response element if the response is associated with a request. Do I have something missing in my configuration, or is it a bug? Any help would be appreciated.

Thanks

Relevant part of application.properties:

    cas.authn.samlIdp.metadata.location=${user.home}/work/metadata/
    cas.authn.samlIdp.entityId=http://localhost:8042/cas/idp
    cas.authn.samlIdp.hostName=http://localhost:8042
    cas.samlCore.ticketidSaml2=true

IdP metadata in PHP format:

    <?php
    /**
     * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
     *
     * Remember to remove the IdPs you don't use from this file.
     *
     * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
     */
    $metadata['http://localhost:8042/cas/idp'] = array (
      'entityid' => 'http://localhost:8042/cas/idp',
      'contacts' => array (),
      'metadata-set' => 'saml20-idp-remote',
      'SingleSignOnService' => array (
        0 => array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
          'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO',
        ),
        1 => array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
          'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/POST/SSO',
        ),
        2 => array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
          'Location' => 'http://localhost:8042/idp/profile/SAML2/POST-SimpleSign/SSO',
        ),
      ),
      'ArtifactResolutionService' => array (
        0 => array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
          'Location' => 'http://localhost:8042/cas/idp/profile/SAML2/SOAP/ArtifactResolution',
          'index' => 2,
        ),
      ),
      'NameIDFormats' => array (
        0 => 'urn:mace:shibboleth:1.0:nameIdentifier',
        1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
      ),
      'keys' => array (
        0 => array (
          'encryption' => false,
          'signing' => true,
          'type' => 'X509Certificate',
          'X509Certificate' => '
    MIIDGDCCAgCgAwIBAgIUTHtu3X3oSmNnElYPdxoY3QzjOgwwDQYJKoZIhvcNAQEL
    BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
    MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
    KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ7L2leA8jlRxrkWm0q3prVAMOJBxr0J
    A2Z74h+9k3c4vAzb7FlvWV3TIY8YDXDZ29YZ0dtTIodeleVJfAcUMpZ6RLcHdiBK
    C5VgAQ8ci98aM5aXxS+kXxjjilOHB8ckKFqjb8asPlvpN368Z1Qk/lKNbsE35hxb
    f/9V2oiHtbShG0vrSC7da2uOTpBiguO2yB6mJO92FymBWS7zlZ+G9pWTE4EuizWk
    10kz7jHYfUm/BKgVOnEDTL4e+eb5cTIxnpZ9iA3+dfi8qU2bOQ0PlXW7nW4ZMSzW
    4BlWjuK4G78HnlZu+FqgNlQwjR9tjbvma6aovE3UH1nHJWy93uALrnECAwEAAaNY
    MFYwHQYDVR0OBBYEFKTnbarNb/ik8VO/dkLDxyrRWeDcMDUGA1UdEQQuMCyCDmxv
    Y2FsaG9zdDo4MDQyhhpsb2NhbGhvc3Q6ODA0MmlkcC9tZXRhZGF0YTANBgkqhkiG
    9w0BAQsFAAOCAQEANnk4BeurZaPWVdVDalg+jQdBlfi6DtF8oKGWoc3tlmA414Cu
    Aih+4nopXl8/xByk0DQdBcnhYJ59hPNm5BBwlM66T0eUP7kzOoVw2PgOhjEfCbqG
    a8S3Cu0fULL2OxrxSozAhz2fTsd+zn6cla0KJGMjQmEjiORs8ThHFZhPlueqAtwp
    cyrNyeO3vSt8A28kyY5TOZPjWickk39ilveuRZKMkBN4TAFAHciKZP8Y3foESB6+
    rC/guihxOCgUNKfUEREVveBxaFEV6xUYNcnIFAQNnTzwDbSM63+Sq2hAKh8ynnML
    cVl0ONhI47hxf1HWQN5TGhip2rcARx2T0v+mfA==
    ',
        ),
        1 => array (
          'encryption' => true,
          'signing' => false,
          'type' => 'X509Certificate',
          'X509Certificate' => '
    MIIDGDCCAgCgAwIBAgIUMTFA5LKKiMYwxBvZ8xPv8zXccWcwDQYJKoZIhvcNAQEL
    BQAwGTEXMBUGA1UEAwwObG9jYWxob3N0OjgwNDIwHhcNMTcwMzA3MTA1NzI0WhcN
    MzcwMzA3MTA1NzI0WjAZMRcwFQYDVQQDDA5sb2NhbGhvc3Q6ODA0MjCCASIwDQYJ
    KoZIhvcNAQEBBQADggEPADCCAQoCggEBALdk2QNzLvTaGQ+JfzbqzEvUR4Rbl0yt
    gksokiknda446QTJDMCXRibeQ0jJks5i8IDSDH0CMTHg3RtO0UNCR1tLQ/5Ocnx0
    ZK7CdBHtnKc++vQ7nX3IcJD1Qt7lrI3K8s2JcpJLL796vsiDcfCXo19zQnZGA+NM
    xiaOnytW/GiTSDbeHIGkaJK0GzEOGdf2a523WaMZtCWhO2Q2DHRphkb5Iz40piQ1
    JBmf5Cx0iPCmJXZwommV8MjaYvxfQUHLHe9VYKMSJUJXkeFunyLV/VbX3rwE7fJK
    YACnc/l49jmCcffuFPoSyfeBxO/5V/NP2R6KThLITE9yYiGnpDGkt2UCAwEAAaNY
    MFYwHQYDVR0OBBYEFICPhiHbxQHx2TeVcoeS3Q9WNyaQMDUGA1UdEQQuMCyCDmxv
    Y2FsaG9zdDo4MDQyhhpsb2NhbGhvc3Q6ODA0MmlkcC9tZXRhZGF0YTANBgkqhkiG
    9w0BAQsFAAOCAQEAgv7XbF+macOs+OLswlX0IEGfV2489zZyCbuyHq/wT+uYMMfC
    YhPP1g7nWObcE4O7nWeRM2AiAIE5l/6bTVtn1buc06QWJZyPH+dRJG26MQqrD6I2
    9o0Sw/q9pL+p/BGfB8nyxvD2PsYg1VhL64G7TLWOfpTQgWMxJrkPzYrLYTif06fj
    fotMcnmIzMtYP8TMUEyynPUTD5TUNjeBvalIO/pzXP8GuDy5qGczhjz6pgFlN1Oi
    MED+9FiXP/ZJ+97w1MUPUTXpQqY+POWiqlHQ3by9VgRfBj4ju/4TuGKclC4e6ntK
    EwXO+bVDxCMlkcHiAtUfu7JaY0IId1uM90lbxw==
    ',
        ),
      ),
      'scope' => array (
        0 => 'localhost:8042',
      ),
    );

SP metadata:

    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8000/simplesaml">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-logout.php/local-sso"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso" index="0"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml1-acs.php/local-sso" index="1"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso" index="2"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://localhost:8000/simplesaml/module.php/saml/sp/saml1-acs.php/local-sso/artifact" index="3"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>

Auth request:

    <?xml version="1.0" encoding="UTF-8"?>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                        AssertionConsumerServiceURL="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"
                        Destination="http://localhost:8042/cas/idp/profile/SAML2/Redirect/SSO"
                        ID="_dba8369b90c24b172fb07fc8bde77e9b323ba71f30"
                        IssueInstant="2017-03-08T14:57:07Z"
                        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        Version="2.0">
      <saml:Issuer>http://localhost:8000/simplesaml</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </samlp:AuthnRequest>

Response:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                     ID="_5525762746082961547"
                     IssueInstant="2017-03-08T10:36:39.837Z"
                     Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8042/cas/idp</saml2:Issuer>
      <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
      </saml2p:Status>
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_759790977264922675" IssueInstant="2017-03-08T10:36:39.830Z" Version="2.0">
        <saml2:Issuer>http://localhost:8042/cas/idp</saml2:Issuer>
        <saml2:Subject>
          <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">plegeay</saml2:NameID>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_30cd159c03da7a2226630390df87f49edb3ab09381"
                                           NotOnOrAfter="2017-03-08T10:36:39.823Z"
                                           Recipient="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"/>
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2017-03-08T10:36:39.836Z" NotOnOrAfter="2017-03-08T10:36:39.836Z">
          <saml2:AudienceRestriction>
            <saml2:Audience>http://localhost:8000/simplesaml</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2017-03-08T10:36:39.823Z">
          <saml2:SubjectLocality Address="http://localhost:8000/simplesaml"/>
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
          <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod" Name="samlAuthenticationStatementAuthMethod">
            <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
          </saml2:Attribute>
          <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
            <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true</saml2:AttributeValue>
          </saml2:Attribute>
          <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
            <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">2017-03-08T11:36:39.645+01:00[Europe/Paris]</saml2:AttributeValue>
          </saml2:Attribute>
          <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
            <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
          </saml2:Attribute>
          <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
            <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
          </saml2:Attribute>
          <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed" Name="longTermAuthenticationRequestTokenUsed">
            <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue>
          </saml2:Attribute>
        </saml2:AttributeStatement>
      </saml2:Assertion>
    </saml2p:Response>

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/54926d2d-a00e-4f29-a768-1d8e20045b60%40apereo.org.

To view this reply on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.58c04b4a.130d0eb4.378a%40unicon.net.
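The missing attribute matters on the SP side: Response/@InResponseTo (together with SubjectConfirmationData/@InResponseTo on the bearer confirmation) is what lets the SP tie an incoming response to the AuthnRequest it actually issued and reject one it never asked for. The following is an added example, not CAS or SimpleSAMLphp code, showing the correlation check an SP performs on a response. It feeds in a trimmed copy of the Response posted above (signature, conditions and attributes dropped) and assumes the request ID the SP had stored for that session is the value carried in the SubjectConfirmationData, since the thread's separate AuthnRequest capture comes from a different login attempt (a different ID and timestamp). The `with_response_in_response_to` helper and the message strings are constructed for this example.

```python
"""SP-side InResponseTo correlation check for a SAML 2.0 Response.

Added example (not project code). Checks the two places the protocol binds a
response to the SP's own AuthnRequest: Response/@InResponseTo and
SubjectConfirmationData/@InResponseTo on each bearer SubjectConfirmation.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
RESPONSE_TAG = "{%s}Response" % NS["saml2p"]
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def check_in_response_to(response_xml: str, outstanding_request_id: Optional[str]) -> List[str]:
    """Return findings; an empty list means the correlation is intact.

    outstanding_request_id is the AuthnRequest ID the SP stored in the user's
    session before redirecting to the IdP, or None when no request is pending
    (an unsolicited, IdP-initiated response).
    """
    root = ET.fromstring(response_xml)
    if root.tag != RESPONSE_TAG:
        return ["document root is %s, not samlp:Response" % root.tag]
    findings: List[str] = []

    resp_irt = root.get("InResponseTo")
    if outstanding_request_id is None:
        if resp_irt is not None:
            findings.append("unsolicited response carries InResponseTo=%r" % resp_irt)
    elif resp_irt is None:
        findings.append("Response element has no InResponseTo while request %s is outstanding"
                        % outstanding_request_id)
    elif resp_irt != outstanding_request_id:
        findings.append("Response InResponseTo=%r does not match outstanding request %r"
                        % (resp_irt, outstanding_request_id))

    # Every bearer confirmation must point at the same request as well.
    for conf in root.findall(".//saml2:SubjectConfirmation", NS):
        if conf.get("Method") != BEARER:
            continue
        data = conf.find("saml2:SubjectConfirmationData", NS)
        scd_irt = data.get("InResponseTo") if data is not None else None
        if outstanding_request_id is None:
            if scd_irt is not None:
                findings.append("unsolicited response: SubjectConfirmationData carries InResponseTo=%r"
                                % scd_irt)
        elif scd_irt != outstanding_request_id:
            findings.append("SubjectConfirmationData InResponseTo=%r does not match outstanding request %r"
                            % (scd_irt, outstanding_request_id))
    return findings


# Trimmed copy of the Response from the thread; the Response element itself has
# no InResponseTo, only the SubjectConfirmationData does.
RESPONSE_FROM_THREAD = """
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_5525762746082961547" IssueInstant="2017-03-08T10:36:39.837Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8042/cas/idp</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_759790977264922675" IssueInstant="2017-03-08T10:36:39.830Z" Version="2.0">
    <saml2:Issuer>http://localhost:8042/cas/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">plegeay</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_30cd159c03da7a2226630390df87f49edb3ab09381"
            NotOnOrAfter="2017-03-08T10:36:39.823Z"
            Recipient="http://localhost:8000/simplesaml/module.php/saml/sp/saml2-acs.php/local-sso"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>
"""

# Assumption for this example: the request ID the SP stored for the session is
# the one the SubjectConfirmationData refers to.
OUTSTANDING_ID = "_30cd159c03da7a2226630390df87f49edb3ab09381"


def with_response_in_response_to(response_xml: str, request_id: str) -> str:
    """Constructed variant of the same document with InResponseTo set on the
    Response element, i.e. what the SP expects the IdP to send."""
    return response_xml.replace('ID="_5525762746082961547"',
                                'ID="_5525762746082961547" InResponseTo="%s"' % request_id, 1)


if __name__ == "__main__":
    fixed = with_response_in_response_to(RESPONSE_FROM_THREAD, OUTSTANDING_ID)
    for label, doc in (("as received", RESPONSE_FROM_THREAD), ("with Response/@InResponseTo", fixed)):
        print(label, "->", check_in_response_to(doc, OUTSTANDING_ID) or "ok")
```

Run as a script it reports one finding for the response as received (no InResponseTo on the Response element) and none for the variant that carries it; passing a different outstanding ID flags both locations, and passing `None` flags the SubjectConfirmationData because an unsolicited response should not claim to answer a request.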