ADD: I saw that the same error happened in CAS 6.3.X versions.

On Friday, 17 December 2021 at 11:02:22 UTC+1, Enrique Guerrero wrote:
> Hi there.
>
> I'm using CAS (v.6.4.4.1) as IdP for users who want to use Office 365. I
> configured the integration following this guide:
> https://apereo.github.io/2018/12/06/cas53-office365-saml2-integration/
>
> The login and SSO session was great through the SAML protocol. The failure
> exists at logout. We saw that Microsoft sends the SAML Logout Request without
> signing. This causes an error on CAS which informs that the validation of
> request simple signature failed for context issuer:
> "urn:federation:MicrosoftOnline".
>
> I attempted to allow SAML logout requests without signing following this
> property (cas.authn.saml-idp.logout.force-signed-logout-requests=false):
> https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml-logout
> , but this doesn't do anything.
>
> This SAML Logout failure doesn't happen in our integration with Cisco Webex.
> Cisco sends us the SAML logout request with a valid signature; this causes a
> correct logout on CAS.
>
> =======================================================================
>
> These are the Microsoft SAML Logout Request and CAS log:
>
> <samlp:LogoutRequest
>     ID="_432d86e3-f344-4f1e-b553-a6c49e38ce2c"
>     Version="2.0"
>     IssueInstant="2021-11-42T19:10:29.132Z"
>     Destination="https://<OUR_CAS_INSTANCE>/cas/idp/profile/SAML2/Redirect/SLO"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>   <Issuer
>       xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
>   <NameID
>       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>       xmlns="urn:oasis:names:tc:SAML:2.0:assertion">localUsername</NameID>
>   <samlp:SessionIndex>ST-13-ZXChfuWEi-uGlIlVejtucpHznlw-sv0181</samlp:SessionIndex>
> </samlp:LogoutRequest>
>
> =======================================================================
>
> 2021-11-24 19:10:29,947 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <NullPointerException>
> java.lang.NullPointerException: null
>     at org.apereo.cas.support.saml.services.SamlIdPEntityIdAuthenticationServiceSelectionStrategy.supports(SamlIdPEntityIdAuthenticationServiceSelectionStrategy.java:48) ~[cas-server-support-saml-idp-metadata-6.4.2.jar:6.4.2]
>     at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.lambda$resolveService$0(DefaultAuthenticationServiceSelectionPlan.java:38) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
>     at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176) ~[?:?]
>     at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1631) ~[?:?]
>     at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127) ~[?:?]
>     at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502) ~[?:?]
>     at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488) ~[?:?]
>     at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
>     at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) ~[?:?]
>     at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
>     at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543) ~[?:?]
>     at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.resolveService(DefaultAuthenticationServiceSelectionPlan.java:39) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
>     at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.getRegisteredServiceFromRequest(RegisteredServiceResponseHeadersEnforcementFilter.java:205) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
>     at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.prepareFilterBeforeExecution(RegisteredServiceResponseHeadersEnforcementFilter.java:63) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
>     at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:184) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:62) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:204) ~[spring-security-web-5.5.2.jar:5.5.2]
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.5.2.jar:5.5.2]
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:96) ~[spring-boot-actuator-2.5.4.jar:2.5.4]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:99) ~[cas-server-core-logging-6.4.2.jar:6.4.2]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) ~[inspektr-common-1.8.16.GA.jar:1.8.16.GA]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:126) ~[spring-boot-2.5.4.jar:2.5.4]
>     at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:64) ~[spring-boot-2.5.4.jar:2.5.4]
>     at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:101) ~[spring-boot-2.5.4.jar:2.5.4]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:119) ~[spring-boot-2.5.4.jar:2.5.4]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-web-2.14.1.jar:2.14.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:9.0.30]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[catalina.jar:9.0.30]
>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) ~[tomcat-coyote.jar:9.0.30]
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-coyote.jar:9.0.30]
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) ~[tomcat-coyote.jar:9.0.30]
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) ~[tomcat-coyote.jar:9.0.30]
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.30]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.30]
>     at java.lang.Thread.run(Thread.java:834) [?:?]
> 2021-11-24 19:10:30,031 WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler] - <Message Handler: Simple signature validation (with no request-derived credentials) failed>
> 2021-11-24 19:10:30,032 WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler] - <Message Handler: Validation of request simple signature failed for context issuer: urn:federation:MicrosoftOnline>
>
> Do you know the way to accept saml logout request without signing by CAS?
>
> Thanks so much for your support!
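
A diagnostic for the situation described in this thread, as an added example that is not part of the original posts or of CAS: it decodes a LogoutRequest sent over the SAML HTTP-Redirect binding and reports whether it carries the SigAlg and Signature query parameters that binding uses for signing, or an embedded XML signature. The host idp.example.org, the sample request and all function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_XML = 64 * 1024  # refuse oversized inflated messages
SLO = "https://idp.example.org/cas/idp/profile/SAML2/Redirect/SLO"  # constructed host
# Constructed sample modelled on the unsigned request quoted in the post.
SAMPLE = (b'<samlp:LogoutRequest ID="_constructed" Version="2.0" '
          b'IssueInstant="2021-11-24T19:10:29Z" Destination="' + SLO.encode() + b'" '
          b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
          b'<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
          b'urn:federation:MicrosoftOnline</Issuer>'
          b'<samlp:SessionIndex>ST-constructed</samlp:SessionIndex>'
          b'</samlp:LogoutRequest>')

def build_redirect_url(xml, extra=None):
    """Encode xml as an HTTP-Redirect binding URL (raw DEFLATE, then base64)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    params = {"SAMLRequest": base64.b64encode(c.compress(xml) + c.flush()).decode()}
    params.update(extra or {})
    return SLO + "?" + urlencode(params)

def inflate(b64_value):
    """Reverse the binding encoding, rejecting oversized input and DTDs."""
    raw = base64.b64decode(b64_value, validate=True)
    xml = zlib.decompressobj(-15).decompress(raw, MAX_XML + 1)
    if len(xml) > MAX_XML:
        raise ValueError("inflated message too large")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in a SAML message")
    return xml

def inspect_logout_url(url):
    """Report who sent a LogoutRequest and whether it carries any signature."""
    query = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter")
    root = ET.fromstring(inflate(query["SAMLRequest"][0]))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
            # Presence only; a present signature must still be verified by the IdP.
            "query_signature": "Signature" in query and "SigAlg" in query,
            "xml_signature": root.find("ds:Signature", NS) is not None}
```

Running inspect_logout_url on a URL captured from the IdP access log shows which relying party sent the request and whether it was signed at all, which separates "unsigned request" from "signed request that failed validation".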
