Jen,
When CAS redirects after login, is the GLMS... part of the URL?
If it is, then the fix will have to be on the client side.
Ray
On Tue, 2019-01-08 at 10:58 -0800, Jennifer LaVoie wrote:
Hi Ray
I did try to put the .* in the services URL, but no joy.
Here is my service file:
{
  @class: org.apereo.cas.services.RegexRegisteredService
  serviceId: ^https://travel.host.edu:4447/tvlexp/.*(\\z|.*)
  name: Travel and Expense
  id: 1546908138322
  description: Production
  expirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
    deleteWhenExpired: false
    notifyWhenDeleted: false
  }
  proxyPolicy:
  {
    @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
  }
  evaluationOrder: -1
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
    canonicalizationMode: NONE
    encryptUsername: false
  }
  logoutType: BACK_CHANNEL
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      expiration: 2
      timeUnit: HOURS
    }
    consentPolicy:
    {
      @class: org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
      enabled: true
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
    excludeDefaultAttributes: false
    authorizedToReleaseAuthenticationAttributes: true
  }
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    failureMode: NOT_SET
    bypassEnabled: false
  }
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    order: 0
    enabled: true
    ssoEnabled: true
    requireAllAttributes: true
    caseInsensitive: false
  }
}
On Tuesday, January 8, 2019 at 12:27:37 PM UTC-5, rbon wrote:
Jen,
What kind of control do you have over the client application?
It is odd that GLMSSESSIONID is sent as a parameter rather than being stored in
a cookie, but stranger things have happened.
What does your service entry look like?
We have some entries that end in a fixed pattern and some that end with .*
It has been a while since I encountered this error and I am not sure if changes
to the service entry will affect the result.
Ray
On Tue, 2019-01-08 at 08:33 -0800, Jennifer LaVoie wrote:
Here is the complete error I get:
org.jasig.cas.client.validation.TicketValidationException:
org.opensaml.SAMLException: Ticket
'ST-68-Ym0B6A15gcil-QfPnLUps5D8Zt8-cas3-test' does not match supplied service.
The original service was
'https://travel-test.host.edu:4443/tvlexp/index.htm;GLMSSESSIONID=NUwuSWilRK-4UvO5dzEvnCinKPmZgMxDmvRnbuoSFXSp7uuseQk-!304726366'
and the supplied service was
'https://travel-test.host.edu:4443/tvlexp/index.htm'.
    at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:93)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
    at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
    at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: org.opensaml.SAMLException: Ticket
'ST-68-Ym0B6A15gcil-QfPnLUps5D8Zt8-cas3-test' does not match supplied service.
The original service was
'https://travel-test.host.edu:4443/tvlexp/index.htm;GLMSSESSIONID=NUwuSWilRK-4UvO5dzEvnCinKPmZgMxDmvRnbuoSFXSp7uuseQk-!304726366'
and the supplied service was
'https://travel-test.host.edu:4443/tvlexp/index.htm'.
    at org.opensaml.SAMLException.getInstance(Unknown Source)
    at org.opensaml.SAMLResponse.fromDOM(Unknown Source)
    at org.opensaml.SAMLResponse.<init>(Unknown Source)
    at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:48)
On Tuesday, January 8, 2019 at 2:35:58 AM UTC-5, alberto wrote:
On Tue, 8 Jan 2019 00:50:10 +0000
Ray Bon <[email protected]> wrote:
> Jen,
>
> The ST is being validated against a URL with GLMSSESSIONID... but
> this was not present with the log in request (the 2 need to match).
> Change the CAS client to not send GLMS... or send it with the log
> in request.
>
> Or maybe change the service registry id to something like
> https://travel.host.com:4447/tvlexp/tvlexp-flex/.* (memory may be
> rusty here).
Hi,
I don't think this will work: when service registry URL doesn't match
the supplied URL, the error message is different (something like "you
are not authorized to use CAS").
Greetings,
--
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1546975675.5350.35.camel%40uvic.ca.
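
An added illustration, not part of the thread and not CAS or CAS-client code: a simplified Java model of the two separate checks discussed above, the service-registry regex and the ticket/service equality check that produced the error. The URLs follow the stack trace, with a placeholder session id and a constructed registry pattern for the test host; `stripPathParameters` is a hypothetical client-side helper.

```java
import java.util.regex.Pattern;

public class ServiceUrlMatch {
    // Constructed registry pattern for the test host seen in the stack trace (assumption).
    static final Pattern REGISTRY =
        Pattern.compile("^https://travel-test\\.host\\.edu:4443/tvlexp/.*");

    /** Registry check: is this service URL allowed to use CAS at all? */
    static boolean registered(String service) {
        return REGISTRY.matcher(service).matches();
    }

    /** Simplified model of validation: the service supplied with the ticket
     *  must equal the service the ticket was issued for. */
    static boolean ticketMatches(String issuedFor, String supplied) {
        return issuedFor.equals(supplied);
    }

    /** Remove ";name=value" path parameters from every path segment,
     *  leaving scheme, authority, query string and fragment untouched. */
    static String stripPathParameters(String url) {
        int end = url.length();
        int q = url.indexOf('?');
        int h = url.indexOf('#');
        if (q >= 0) end = q;
        if (h >= 0 && h < end) end = h;
        String head = url.substring(0, end).replaceAll(";[^/]*", "");
        return head + url.substring(end);
    }

    public static void main(String[] args) {
        // Placeholder session id; the real value is in the error message.
        String atLogin = "https://travel-test.host.edu:4443/tvlexp/index.htm"
            + ";GLMSSESSIONID=EXAMPLE-SESSION-ID";
        String atValidation = "https://travel-test.host.edu:4443/tvlexp/index.htm";

        // Both forms pass the registry regex, so widening it changes nothing.
        System.out.println("registered: " + registered(atLogin)
            + " / " + registered(atValidation));
        // The ticket check still fails because the two strings differ.
        System.out.println("raw match: " + ticketMatches(atLogin, atValidation));
        // Normalising both URLs on the client side makes them agree.
        System.out.println("normalised match: " + ticketMatches(
            stripPathParameters(atLogin), stripPathParameters(atValidation)));
    }
}
```

The same normalised value has to be used for both the login redirect and the validation request, since the two must match.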