yes it is part of the URL... Ok...I will speak with my app owner person
thank you
Jen

On Tue, Jan 8, 2019 at 2:28 PM Ray Bon <[email protected]> wrote:

> Jen,
>
> When CAS redirects after login, is the GLMS... part of the URL?
> If it is, then the fix will have to be on client side.
>
> Ray
>
> On Tue, 2019-01-08 at 10:58 -0800, Jennifer LaVoie wrote:
>
> Hi Ray
>
> I did try to put the .* in the services URL, but no joy.
>
> Here is my service file
>
> {
>   @class: org.apereo.cas.services.RegexRegisteredService
>   serviceId: ^https://travel.host.edu:4447/tvlexp/.*(\\z|.*)
>   name: Travel and Expense
>   id: 1546908138322
>   description: Production
>   expirationPolicy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
>     deleteWhenExpired: false
>     notifyWhenDeleted: false
>   }
>   proxyPolicy:
>   {
>     @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
>   }
>   evaluationOrder: -1
>   usernameAttributeProvider:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
>     canonicalizationMode: NONE
>     encryptUsername: false
>   }
>   logoutType: BACK_CHANNEL
>   attributeReleasePolicy:
>   {
>     @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
>     principalAttributesRepository:
>     {
>       @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>       expiration: 2
>       timeUnit: HOURS
>     }
>     consentPolicy:
>     {
>       @class: org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
>       enabled: true
>     }
>     authorizedToReleaseCredentialPassword: false
>     authorizedToReleaseProxyGrantingTicket: false
>     excludeDefaultAttributes: false
>     authorizedToReleaseAuthenticationAttributes: true
>   }
>   multifactorPolicy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>     failureMode: NOT_SET
>     bypassEnabled: false
>   }
>   accessStrategy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
>     order: 0
>     enabled: true
>     ssoEnabled: true
>     requireAllAttributes: true
>     caseInsensitive: false
>   }
>
>
> On Tuesday, January 8, 2019 at 12:27:37 PM UTC-5, rbon wrote:
>
> Jen,
>
> What kind of control do you have over the client application?
>
> It is odd that GLMSSESSIONID is sent as a parameter rather than being
> stored in a cookie, but stranger things have happened.
>
> What does your service entry look like?
>
> We have some entries that end in a fixed pattern and some that end with .*
> It has been a while since I encountered this error and I am not sure if
> changes to the service entry will affect the result.
>
> Ray
>
> On Tue, 2019-01-08 at 08:33 -0800, Jennifer LaVoie wrote:
>
> here is the complete error I get
>
> org.jasig.cas.client.validation.TicketValidationException:
> org.opensaml.SAMLException: Ticket
> 'ST-68-Ym0B6A15gcil-QfPnLUps5D8Zt8-cas3-test' does not match supplied
> service. The original service was
> 'https://travel-test.host.edu:4443/tvlexp/index.htm;GLMSSESSIONID=NUwuSWilRK-4UvO5dzEvnCinKPmZgMxDmvRnbuoSFXSp7uuseQk-!304726366'
> and the supplied service was
> 'https://travel-test.host.edu:4443/tvlexp/index.htm'.
>     at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:93)
>     at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
>     at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
>     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
>     at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
>     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
>     at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
>     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
>     at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
>     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
>     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
>     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
>     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
>     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
>     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
>     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
>     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
>     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
>     at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
> Caused by: org.opensaml.SAMLException: Ticket
> 'ST-68-Ym0B6A15gcil-QfPnLUps5D8Zt8-cas3-test' does not match supplied
> service. The original service was
> 'https://travel-test.host.edu:4443/tvlexp/index.htm;GLMSSESSIONID=NUwuSWilRK-4UvO5dzEvnCinKPmZgMxDmvRnbuoSFXSp7uuseQk-!304726366'
> and the supplied service was
> 'https://travel-test.host.edu:4443/tvlexp/index.htm'.
>     at org.opensaml.SAMLException.getInstance(Unknown Source)
>     at org.opensaml.SAMLResponse.fromDOM(Unknown Source)
>     at org.opensaml.SAMLResponse.(Unknown Source)
>     at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:48)
>
>
> On Tuesday, January 8, 2019 at 2:35:58 AM UTC-5, alberto wrote:
>
> On Tue, 8 Jan 2019 00:50:10 +0000
> Ray Bon <[email protected]> wrote:
>
> > Jen,
> >
> > The ST is being validated against a URL with GLMSSESSIONID... but
> > this was not present with the log in request (the 2 need to match).
> > Change the CAS client to not send GLMS... or send it with the log
> > in request.
> >
> > Or maybe change the service registry id to something like
> > https://travel.host.com:4447/tvlexp/tvlexp-flex/.* (memory may be
> > rusty here).
>
> Hi,
>
> I don't think this will work: when service registry URL doesn't match
> the supplied URL, the error message is different (something like "you
> are not authorized to use CAS").
>
> Greetings,
>
> --
> Alberto Cabello Sánchez
> Servicio de Informática
> Universidad de Extremadura
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1546975675.5350.35.camel%40uvic.ca

--
"Confusion is a word we have invented for an order which is not understood."
~Henry Miller
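The two checks discussed in this thread, as a simplified model added here (not code from the thread, the CAS server or the CAS client): the registry pattern decides whether a service may use CAS at all, while ticket validation requires the supplied service to equal the one the ST was issued for. The registry pattern, the session id value and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed values modelled on the error message quoted in the thread.
REGISTERED = re.compile(r"^https://travel-test\.host\.edu:4443/tvlexp/.*")
LOGIN_SERVICE = ("https://travel-test.host.edu:4443/tvlexp/index.htm"
                 ";GLMSSESSIONID=EXAMPLE-SESSION-ID!0000")
VALIDATE_SERVICE = "https://travel-test.host.edu:4443/tvlexp/index.htm"


def is_registered(service: str) -> bool:
    """Check 1 (login time): does the service URL match a registry entry?"""
    return REGISTERED.match(service) is not None


def ticket_matches(original: str, supplied: str) -> bool:
    """Check 2 (validation time): supplied service must equal the ST's service."""
    return original == supplied


def strip_path_params(service: str) -> str:
    """Drop ';name=value' path parameters (URL-rewritten session ids)."""
    parts = urlsplit(service)
    path = "/".join(seg.split(";", 1)[0] for seg in parts.path.split("/"))
    return urlunsplit((parts.scheme, parts.netloc, path,
                       parts.query, parts.fragment))


def diagnose(login_service: str, validate_service: str) -> str:
    """Say which of the two checks fails, and whether a path parameter is why."""
    if not (is_registered(login_service) and is_registered(validate_service)):
        return "unauthorized-service"      # the different error Alberto describes
    if ticket_matches(login_service, validate_service):
        return "ok"
    if ticket_matches(strip_path_params(login_service),
                      strip_path_params(validate_service)):
        return "mismatch-path-parameter"   # the case in this thread
    return "mismatch-other"


if __name__ == "__main__":
    print(diagnose(LOGIN_SERVICE, VALIDATE_SERVICE))
```

Both URLs pass the registry check, so widening the serviceId pattern cannot change the outcome; the client has to send the same service string at login and at validation.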
