Hello, I've been trying to determine for several hours now why a SAML-based SP is being sent different values of the Id as part of the authentication flow. Here's a sample of the "WHO" line from a single login transaction:

WHO: [email protected]
WHO: [email protected]
WHO: YfXXXXXXXXXXXXXXXo=
WHO: YfXXXXXXXXXXXXXXXo=

Note that first, the username is provided, but later a (presumably) signed/encoded value is being returned. (Yep, those Xs are intentional--redaction)

I turned on debug for "org.apereo.cas.support.saml" and found that it seems to be happening in building the NameID response:

org.apereo.cas.support.saml.web.idp.profile.builders.nameid.SamlProfileSamlNameIdBuilder] - <NameID attribute value is set to [StringAttributeValue{value=YfXXXXXXXXXXXXXXXo=}]>

None of this would be a big deal if we hadn't run into a bizarre problem that the encoded attribute being sent *CHANGED*.

I have one crackpot theory for what might have changed: On January 10, we enabled Google Apps support by compiling in the dependency and generating keys, which are referenced as such in our cas.properties file:

cas.googleApps.publicKeyLocation=file:public.key
cas.googleApps.keyAlgorithm=RSA
cas.googleApps.privateKeyLocation=file:private.key

So my two questions:

1) Is there any chance that the google apps keys have somehow superseded the ones that general SAML services were using previously, such that my non-Google SAML service switched to using the Google keys instead? This is the only reason why I can fathom that the NameID attribute value suddenly changed.

2) Does anyone have ideas of how to disable the signing/encoding of the NameID attribute so I can get visibility into what's getting sent? Or is that happening at the direction of the SAML SP?

Thank you!
Mike