ok, good to know, thanks. I've been using that extension, as well as one on Firefox. That's how I was getting the SAML exchanges and saw the empty SubjectLocality.
May seem like a silly question, but I'm gonna just ask it: does CAS, the application, require knowledge of DNS servers/network configurations in its own configs, or does it piggyback off of the OS connections? Just trying to think of a reason that, given the reverse DNS entry is there, CAS itself would not pick up on it, while the server host OS would. I'll keep you posted, and I appreciate the time you have given me on this!

On Friday, November 13, 2020 at 4:53:11 PM UTC-5 [email protected] wrote:
>
> Back when I was debugging this the last time, I ran a bunch of tests against all the SAML SPs we have authenticating against our CAS servers and captured the SAML being exchanged, and in every case the SubjectLocality element contained the IP address of the SP, not the CAS server.
>
> For example, when I log in to Workday:
>
> <saml2:AuthnStatement AuthnInstant="2020-09-24T11:10:34.218Z" SessionIndex="_9074398769568118801">
>     <saml2:SubjectLocality Address="209.177.165.18"/>
>     <saml2:AuthnContext>
>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>     </saml2:AuthnContext>
> </saml2:AuthnStatement>
>
> The 209.177.165.18 address belongs to Workday, not to us.
>
> You might want to grab the "SAML Chrome Panel" extension, which will let you examine the entire SAML exchange between the SP and the IdP.
>
> --Dave
>
> --
> DAVID A. CURRY, CISSP
> DIRECTOR • INFORMATION SECURITY & PRIVACY
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • [email protected]
>
> On Fri, Nov 13, 2020 at 3:01 PM Nathan Lewan <[email protected]> wrote:
>
>> thanks everyone for the help so far.
>> I did just do a restart of the service, and it would not populate that field. I checked another service with a similar setup, and that also does not have the subjectLocality populated, but that one works just fine.
>>
>> so here's the actual error I'm seeing:
>> xmltooling::ValidationException at (https://[hostname]/SAML2/POST) SubjectLocality must have Address or DNSName.
>>
>> Looking at the code for CAS, this appears to be the function to populate the subjectLocality, but if I'm reading that right, it's trying to populate it with the CAS host address?
>>
>> protected SubjectLocality buildSubjectLocality(final Assertion assertion,
>>                                                final RequestAbstractType authnRequest,
>>                                                final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
>>                                                final String binding) throws SamlException {
>>     val subjectLocality = SamlUtils.newSamlObject(SubjectLocality.class);
>>     val hostAddress = InetAddressUtils.getCasServerHostAddress(casProperties.getServer().getName());
>>     val issuer = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
>>     LOGGER.debug("Built subject locality address [{}] for the saml authentication statement prepped for [{}]", hostAddress, issuer);
>>     subjectLocality.setAddress(hostAddress);
>>     return subjectLocality;
>> }
>>
>> is the subjectLocality supposed to be my address, or their address?
>>
>> On Friday, November 13, 2020 at 2:39:04 PM UTC-5 Mike Osterman wrote:
>>
>>> Hi Nathan,
>>>
>>> I highly expect that #2 is why it's not yet working. Java, by default, never lets go of a DNS resolution record until the application restarts. You have to pass an argument at startup of your CAS application to indicate an expiry TTL.
>>>
>>> I did this recently on our CAS server when we did some work with our Active Directory that provides group membership and needed it to get a new IP address for the AD LDAP server(s).
>>>
>>> -Mike
>>>
>>> On Fri, Nov 13, 2020 at 11:18 AM Nathan Lewan <[email protected]> wrote:
>>>
>>>> very interesting, thanks!
>>>>
>>>> so I tried to do a reverse DNS lookup on the entity host based on the Shibboleth entityID's hostname, and came up with no record.
>>>>
>>>> they are not being super helpful with me, so I tried to cheat. I just added a reverse lookup zone on the DNS server that CAS talks to, and added the entry in there as a test. It did not seem to help, but:
>>>>
>>>> 1. I don't know if a cheat like that would actually work (this is just temporary, proof of concept, no way would I leave it like that in production)
>>>> 2. I have not restarted CAS. I did do a dig -x on the CAS host, and it successfully reverse-resolved the IP of the entity server
>>>>
>>>> thanks very much for the quick response, I have a lead which feels very good!
>>>>
>>>> On Fri, Nov 13, 2020 at 1:30 PM David Curry <[email protected]> wrote:
>>>>
>>>>> We just ran into this recently with an older version of CAS (5.2.9).
>>>>>
>>>>> CAS populates the SubjectLocality by doing a reverse DNS lookup on the IP address of the entity that's calling it (the application the user is trying to log into). If the DNS lookup fails, then it doesn't put anything in there, which makes Shibboleth very unhappy.
>>>>>
>>>>> In our case, the fix was to get the company running the application that was calling CAS to register DNS entries for their IP addresses. All of a sudden everything started working.
>>>>>
>>>>> --Dave
>>>>>
>>>>> --
>>>>> DAVID A. CURRY, CISSP
>>>>> DIRECTOR • INFORMATION SECURITY & PRIVACY
>>>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>>>> +1 646 909-4728 • [email protected]
>>>>>
>>>>> On Fri, Nov 13, 2020 at 1:12 PM Nathan Lewan <[email protected]> wrote:
>>>>>
>>>>>> hello!
>>>>>>
>>>>>> I am trying to get CAS 6.1.0 to integrate with an SP that uses Shibboleth.
>>>>>>
>>>>>> I appear to have everything in place, however they are requiring my responses to have in the AuthnStatement a SubjectLocality entry.
>>>>>>
>>>>>> It is currently empty in all my responses. Here's what it looks like:
>>>>>>
>>>>>> <saml2:AuthnStatement AuthnInstant="[removed]" SessionIndex="[removed]">
>>>>>>     <saml2:SubjectLocality/>
>>>>>>     <saml2:AuthnContext>
>>>>>>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>>>>>>     </saml2:AuthnContext>
>>>>>> </saml2:AuthnStatement>
>>>>>>
>>>>>> As you can see, it's blank, and I have no idea how to get it populated! Any hints would be appreciated. Looking for info on this, you can find much related to Shibboleth, but I have not found anything on how one could get CAS to populate this.
>>>>>>
>>>>>> thanks!
>>>>>>
>>>>>> --
>>>>>> - Website: https://apereo.github.io/cas
>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABeAwjkrJ8hk5geJbz_tbN1NgVSxESjAGUAfqcmOd8vpTHuUYQ%40mail.gmail.com.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/248fcd21-fc67-4d89-bb34-f44ca1494b42n%40apereo.org.
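The thread turns on two things: the SAML rule the SP enforces ("SubjectLocality must have Address or DNSName") and the way the quoted CAS method fills Address from a host-name resolution that silently yields nothing when DNS fails. The block below is an added example written for this thread, not code from CAS or from any poster. It mirrors the quoted logic with a pluggable resolver so the DNS-failure case can be reproduced offline, adds a DNSName fallback (my assumption of a safer behaviour, not what CAS does), and includes a validator that applies the SP's rule to an AuthnStatement. Function names, the sample host names and the constructed XML are all assumptions.

```python
"""Added example (not CAS project code): reproduce the empty-SubjectLocality
failure from the thread and validate AuthnStatements against the rule the
SP enforces: SubjectLocality must carry Address or DNSName."""
import socket
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML2_NS)

PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)

# A resolver maps a host name to an IP string, or None when resolution fails.
Resolver = Callable[[str], Optional[str]]


def _q(local: str) -> str:
    """Clark-notation name for a saml2 element."""
    return "{%s}%s" % (SAML2_NS, local)


def system_resolver(host: str) -> Optional[str]:
    """Default resolver: the OS stub resolver (the same path a JVM ends up on)."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def build_subject_locality(server_name: str,
                           resolver: Resolver = system_resolver) -> ET.Element:
    """Build <saml2:SubjectLocality> for server_name.

    Like the CAS method quoted in the thread, Address is taken from the
    resolved host address. Unlike it (assumption, not CAS behaviour), a failed
    resolution falls back to DNSName, so the element never ships empty."""
    elem = ET.Element(_q("SubjectLocality"))
    address = resolver(server_name)
    if address:
        elem.set("Address", address)
    else:
        elem.set("DNSName", server_name)
    return elem


def render_authn_statement(server_name: str,
                           resolver: Resolver = system_resolver,
                           authn_instant: str = "2020-11-13T18:01:00Z",
                           session_index: str = "_example-session") -> str:
    """Serialise a minimal AuthnStatement in the shape shown in the thread."""
    stmt = ET.Element(_q("AuthnStatement"),
                      {"AuthnInstant": authn_instant, "SessionIndex": session_index})
    stmt.append(build_subject_locality(server_name, resolver))
    ctx = ET.SubElement(stmt, _q("AuthnContext"))
    ET.SubElement(ctx, _q("AuthnContextClassRef")).text = PASSWORD_PROTECTED_TRANSPORT
    return ET.tostring(stmt, encoding="unicode")


def validate_authn_statement(xml_text: str) -> List[str]:
    """Return the validation problems for the AuthnStatement(s) in xml_text.

    An empty list means the document passes the rule xmltooling reports as
    'SubjectLocality must have Address or DNSName.' The element itself is
    optional in SAML 2.0, so an absent SubjectLocality is not a problem."""
    root = ET.fromstring(xml_text)
    if root.tag == _q("AuthnStatement"):
        statements = [root]
    else:  # a whole Response/Assertion was passed in
        statements = root.findall(".//" + _q("AuthnStatement"))
    problems: List[str] = []
    if not statements:
        problems.append("no AuthnStatement found")
    for stmt in statements:
        loc = stmt.find(_q("SubjectLocality"))
        if loc is None:
            continue
        if not (loc.get("Address") or loc.get("DNSName")):
            problems.append("SubjectLocality must have Address or DNSName.")
    return problems


# Constructed sample mirroring the empty element from the original post.
EMPTY_STATEMENT = (
    '<saml2:AuthnStatement xmlns:saml2="%s" AuthnInstant="2020-11-13T18:01:00Z" '
    'SessionIndex="_removed"><saml2:SubjectLocality/><saml2:AuthnContext>'
    '<saml2:AuthnContextClassRef>%s</saml2:AuthnContextClassRef>'
    '</saml2:AuthnContext></saml2:AuthnStatement>' % (SAML2_NS, PASSWORD_PROTECTED_TRANSPORT)
)


if __name__ == "__main__":
    print("empty element:", validate_authn_statement(EMPTY_STATEMENT))
    # Resolver that always fails stands in for the missing reverse DNS entry.
    never = lambda host: None
    print(render_authn_statement("cas.example.edu", never))
```

Passing a resolver that returns None reproduces the failure mode without touching DNS: with CAS-style behaviour the element would serialise as `<saml2:SubjectLocality/>` and fail the validator; with the DNSName fallback it passes. Running the validator over captured responses (for example the ones pulled from the browser extension mentioned in the thread) shows which SPs will reject an assertion before the SP logs an xmltooling exception.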
