So let's see if I can keep this simple.

I have a mostly working CAS 5.3.3 Server with SAML 1.1 working to the 
java-cas-client.  We have a vendor developed CAS Client for the CAS SAML 
1.1 protocol, that worked with CAS 3.3, 3.5, and 3.6.  Now on CAS 5.3.3, 
it's getting a samllp:RequestDenied samllp:Response.

Based on reviewing the code, it appears it's failing at 
DefaultCentralAuthenticationService.java:301 
<https://github.com/apereo/cas/blob/5.3.x/core/cas-server-core/src/main/java/org/apereo/cas/DefaultCentralAuthenticationService.java#L301>.
  
Do I need to create a SamlRegisteredService service definition for SAML 1.1 
instead of using RegexRegisteredService?  Based on the error, I expected to 
see service as part of the validation request to /samlValidate, but it's 
not part of the SAML 1.1 specification that I can find.

The received response:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
        <saml1p:Response
            InResponseTo="250c222f-6306-402c-ba3a-42f432137730"
            IssueInstant="2018-09-10T15:36:21.756Z" MajorVersion="1"
            MinorVersion="1"
            ResponseID="_ae589fdf84c6c72755cd450949f3b3c7"
            xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
            <saml1p:Status>
                <saml1p:StatusCode Value="saml1p:RequestDenied"/>
                <saml1p:StatusMessage>Ticket 'ST-104183-xxxxxxxxxxxxx-cas' does not match supplied service. The original service was 'https://example.com/foo/bar' and the supplied service was 'null'.</saml1p:StatusMessage>
            </saml1p:Status>
        </saml1p:Response>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
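
A triage helper for the response quoted above, added here as an example (it is not part of the original post and not CAS or java-cas-client code): it extracts the status code and the two service values from the saml1p:StatusMessage and flags the case where the supplied service is the literal 'null'. The function name diagnose and the message pattern, which is taken from the wording of the quoted StatusMessage, are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "saml1p": "urn:oasis:names:tc:SAML:1.0:protocol"}

# Wording copied from the StatusMessage in the post; \s+ tolerates line wraps.
MISMATCH = re.compile(
    r"original\s+service\s+was\s+'(?P<orig>[^']*)'\s+and\s+the\s+supplied"
    r"\s+service\s+was\s+'(?P<supplied>[^']*)'")

# Constructed sample, modelled on the response quoted in the post.
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
      InResponseTo="250c222f-6306-402c-ba3a-42f432137730" MajorVersion="1" MinorVersion="1">
   <saml1p:Status>
    <saml1p:StatusCode Value="saml1p:RequestDenied"/>
    <saml1p:StatusMessage>Ticket 'ST-104183-xxxxxxxxxxxxx-cas' does not match
supplied service. The original service was 'https://example.com/foo/bar' and the
supplied service was 'null'.</saml1p:StatusMessage>
   </saml1p:Status>
  </saml1p:Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

def diagnose(soap_xml: str) -> dict:
    """Summarise a CAS /samlValidate SOAP response for troubleshooting."""
    if "<!DOCTYPE" in soap_xml:  # no DTDs: avoids entity-expansion tricks
        raise ValueError("DTD not allowed in a SAML response")
    resp = ET.fromstring(soap_xml).find("soap:Body/saml1p:Response", NS)
    if resp is None:
        raise ValueError("no saml1p:Response in the SOAP body")
    code = resp.find("saml1p:Status/saml1p:StatusCode", NS)
    msg = resp.findtext("saml1p:Status/saml1p:StatusMessage", "", NS)
    out = {
        # Value is a QName such as saml1p:RequestDenied; keep the local part.
        "status": code.get("Value", "").split(":")[-1] if code is not None else "",
        "in_response_to": resp.get("InResponseTo"),
        "original_service": None, "supplied_service": None, "service_missing": False,
    }
    m = MISMATCH.search(msg)
    if m:
        out["original_service"] = m.group("orig")
        out["supplied_service"] = m.group("supplied")
        # Assumption: 'null' is read as "no service value reached the server".
        out["service_missing"] = m.group("supplied") == "null"
    return out
```

Calling `diagnose(SAMPLE)` reports status `RequestDenied` with `service_missing` set, which separates a validation call that carried no service at all from one that carried a different service URL.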
