(Same post as previously, but forgot the cas-user list. Sorry.)

2011/4/12 xenom <[email protected]>:
> I get http://myserver/secureCAS. I don't need to click on a special
> URL, or something.
>
> I'm redirected to
> https://myCASserver/ideosso/login?service=http://myserver/secureCAS
>
> I log in, and then I'm redirected to
> https://myserver/secureCAS?casaction=check&ticket=ST-218-GEiLAq4LJjFfvVIQuPfa-ideosso
> (It's the same URL (the ticket number changes of course) when I am
> already logged in, and I tried to reach myserver/secureCAS)
> and I get a 401 Authorization Required page, and the ServiceURL error in my
> log.
>
>
> 2011/4/11 Smith, Matthew J. <[email protected]>:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Is that URL returned by the CAS server after authentication, as part
>> of your redirection back to the application? Could you show me the
>> URL for the CAS server which has the original "service=" parameter?
>>
>> Does your application require a link to be clicked, or some similar
>> action, before being sent to CAS for authentication? I'm still not
>> sure where the "casaction=check" parameter is being added, but it
>> appears to be the cause of the problem.
>>
>> - -Matt
>>
>>
>> On 04/11/2011 12:03 PM, xenom wrote:
>>> No, the casaction=check is added when I try to validate the
>>> ticket. The URL returned is
>>>
>>> https://myserver/secureCAS?casaction=check&ticket=ST-184-sDQZjvhRgSXrsO72TuaI-ideosso
>>>
>>> Apache configuration :
>>>
>>> # ...
>>>
>>> ServerName myserver
>>> DocumentRoot /var/www/html/web
>>>
>>> #TEST SSO
>>> <IfModule mod_auth_cas.c>
>>>     CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
>>>     CASLoginURL https://myCASserver/ideosso/login?service=http://myserver/secureCAS
>>>     CASValidateURL https://myCASserver/ideosso/serviceValidate
>>>     CASCookiePath /tmp/
>>>     CASValidateServer Off
>>>     CASDebug On
>>>     LogLevel Debug
>>> </IfModule>
>>>
>>> <Directory "/var/www/html/web/secureCAS">
>>>     <IfModule mod_auth_cas.c>
>>>         CASAuthNHeader REMOTE_USER
>>>         AuthType CAS
>>>         AuthName "CAS test"
>>>         Require valid-user
>>>     </IfModule>
>>> </Directory>
>>>
>>>
>>> 2011/4/11 Smith, Matthew J. <[email protected]>:
>>>>
>>>
>>> Are you appending the "casaction=check" yourself, either in an
>>> application or in your mod_auth_cas configuration? Could you post
>>> your Apache config, with the mod_auth_cas configuration and the
>>> configuration block for "/secureCAS" ?
>>>
>>> -Matt
>>>
>>> On 04/11/2011 05:00 AM, xenom wrote:
>>>>>> Thanks for the answer.
>>>>>>
>>>>>> 1) Yes this URL http://myserver/secureCAS/* is declared. (I
>>>>>> don't directly use the CAS Services Management, but a
>>>>>> commercial solution, which respects CAS 2, and acts like CAS
>>>>>> Service Management). But if I declare this, when I try, I got
>>>>>> an error like this
>>>>>>
>>>>>> Validation response: <cas:serviceResponse
>>>>>> xmlns:cas='http://www.yale.edu/tp/cas'>\r\n\t<cas:authenticationFailure
>>>>>> code='INVALID_SERVICE'>\r\n\t\tticket
>>>>>> 'ST-192-Ud5VfUvlaadrKng2E93E-ideosso' does not
>>>>>> match supplied service. The original service was
>>>>>> 'http://myserver/secureCAS' and the supplied
>>>>>> service was
>>>>>> 'http://myserver/secureCAS?casaction=check'.\r\n\t</cas:authenticationFailure>\r\n</cas:serviceResponse>
>>>>>>
>>>>>> The service URL for the original service and the ticket validation
>>>>>> don't match.
>>>>>>
>>>>>>
>>>>>> 2) Yes, I made a mistake in the URL. The right URL is : CAS
>>>>>> Service
>>>>>> 'http%3a%2f%2fmyserver%2fsecureCAS%3fcasaction%3dcheck' -->
>>>>>> http://myserver/secureCAS?casaction=check, so no colon and a
>>>>>> ? instead of /
>>>>>>
>>>>>>
>>>>>> 2011/4/11 Smith, Matthew J. <[email protected]>:
>>>>>>> A couple things to try:
>>>>>>>
>>>>>>> 1) From the error message you receive, I will assume you
>>>>>>> are using the CAS Services Management. Could you confirm
>>>>>>> that you have an entry for "http://myserver/secureCAS/*"
>>>>>>> (note the asterisk (*))
>>>>>>>
>>>>>>> 2) If your error message below is a strict copy and paste,
>>>>>>> you have a colon ":" in your service URL following
>>>>>>> "myserver". Could you confirm in your mod_auth_cas or
>>>>>>> Apache configuration (very likely Apache's "ServerName"
>>>>>>> directive) that there is no trailing colon?
>>>>>>>
>>>>>>> HTH,
>>>>>>> -Matt
>>>>>>>
>>>>>>> Matthew J. Smith
>>>>>>> University of Connecticut UITS
>>>>>>> [email protected]
>>>>>>> ________________________________________
>>>>>>> From: CedM [[email protected]]
>>>>>>> Sent: Friday, April 08, 2011 5:23 AM
>>>>>>> To: [email protected]
>>>>>>> Subject: [cas-user] mod_auth_cas and serviceURL
>>>>>>>
>>>>>>> Hello.
>>>>>>>
>>>>>>> I am new to SSO CAS and tried to configure mod_auth_cas to
>>>>>>> protect a folder on a CentOS server (for testing), and I
>>>>>>> have a problem with ServiceURL. The URL is
>>>>>>> http://myserver/secureCAS
>>>>>>>
>>>>>>> In the CAS Server, the URL http://myserver/secureCAS is
>>>>>>> declared as authorized.
>>>>>>>
>>>>>>> When I first try to connect to http://myserver/secureCAS, I
>>>>>>> am redirected to the login page, then I am redirected to
>>>>>>> http://myserver/secureCAS. Everything OK, but when the
>>>>>>> server (=CAS client) tried to validate the ticket I get
>>>>>>> this error : "Service not allowed to validate tickets",
>>>>>>> because the CAS Service returned by mod_auth_cas is "CAS
>>>>>>> Service 'http://myserver:/secureCAS/casaction=check'", which
>>>>>>> is not a correct URL for my CAS Server.
>>>>>>>
>>>>>>> Is it normal? Or a configuration error?
>>>>>>>
>>>>>>> I have another problem, which I think is related. If I
>>>>>>> request the URL like http://myserver/secureCAS/asubfolder,
>>>>>>> I get the same error, "Service not allowed", because
>>>>>>> mod_auth_cas sends
>>>>>>> service=http://myserver/secureCAS/asubfolder.
>>>>>>>
>>>>>>> The CAS server is a commercial product, and we have other
>>>>>>> services that work great with CAS (but with PHP or ASP or
>>>>>>> Java Client).
>>>>>>>
>>>>>>>
>>>>>>> -- You are currently subscribed to [email protected]
>>>>>>> as: [email protected] To unsubscribe, change settings or
>>>>>>> access archives, see
>>>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>>>>
>>
>> - --
>> Matthew J. Smith
>> University of Connecticut UITS
>> [email protected]
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAk2jKd8ACgkQGER0Au6g8xDeowCgvnq/H326ChQnuAmYfkT3Iw20
>> FW4AnAgJdBUmJasduTSVJjj0L+PZgHod
>> =hjwY
>> -----END PGP SIGNATURE-----
>>
>
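Added example, not part of the original thread and not mod_auth_cas or CAS server code: a small Python diagnostic that parses a CAS 2.0 `serviceValidate` failure like the one quoted above and reports exactly how the service URL supplied at validation differs from the one the ticket was issued for. The function names are hypothetical, and the "original service was ... supplied service was ..." wording is assumed from the response in this thread; other CAS servers may phrase the message differently.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Validation response as quoted in the thread (the "\r\n\t" escapes decoded).
SAMPLE_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\r\n"
    "\t<cas:authenticationFailure code='INVALID_SERVICE'>\r\n"
    "\t\tticket 'ST-192-Ud5VfUvlaadrKng2E93E-ideosso' does not match supplied "
    "service. The original service was 'http://myserver/secureCAS' and the "
    "supplied service was 'http://myserver/secureCAS?casaction=check'.\r\n"
    "\t</cas:authenticationFailure>\r\n</cas:serviceResponse>"
)

def parse_failure(xml_text):
    """Return (code, message) for a CAS 2.0 failure response, None on success."""
    failure = ET.fromstring(xml_text).find("cas:authenticationFailure", CAS_NS)
    if failure is None:
        return None
    return failure.get("code"), " ".join((failure.text or "").split())

def service_mismatch(message):
    """List how the supplied service URL differs from the original one."""
    m = re.search(r"original service was '([^']*)'.*supplied service was '([^']*)'",
                  message)
    if m is None:  # wording is server-specific; this pattern is an assumption
        return []
    original, supplied = urlsplit(m.group(1)), urlsplit(m.group(2))
    diffs = [f"{part}: {getattr(original, part)!r} != {getattr(supplied, part)!r}"
             for part in ("scheme", "netloc", "path")
             if getattr(original, part) != getattr(supplied, part)]
    orig_q, supp_q = parse_qsl(original.query), parse_qsl(supplied.query)
    diffs += [f"query: supplied service adds {k}={v}" for k, v in supp_q
              if (k, v) not in orig_q]
    diffs += [f"query: supplied service drops {k}={v}" for k, v in orig_q
              if (k, v) not in supp_q]
    return diffs

def diagnose(xml_text):
    """Explain an INVALID_SERVICE failure; other failures pass through as text."""
    failure = parse_failure(xml_text)
    if failure is None:
        return []
    code, message = failure
    if code != "INVALID_SERVICE":
        return [f"{code}: {message}"]
    return service_mismatch(message) or [f"{code}: {message}"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE))
```

Run against the response from the thread, it isolates the extra `casaction=check` query parameter as the only difference between the two service URLs.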
