Still struggling with the SAML 1.1 set-up. If somebody can help me, I'd be very grateful.
This is the CAS server URL: https://inf069766.ad.vl-brabant.be:11143/cas

This is the URL of the first service (of two) I'm trying to CASify: https://inf069766.ad.vl-brabant.be:11043/additionservice/

When not using SAML 1.1 everything works fine. However, I need to get some attributes "to the other side", so I have to use SAML. The client URL corresponds with the serviceId persisted through the service manager: https://inf069766.ad.vl-brabant.be:11043/additionservice/

This is how I have set up SAML on the client side in web.xml:

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <!--filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class-->
        <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://inf069766.ad.vl-brabant.be:11143/cas/login</param-value>
        </init-param>
        <!--
        <init-param>
            <param-name>service</param-name>
            <param-value>https://inf069766.ad.vl-brabant.be:11043/additionservice/</param-value>
        </init-param>
        -->
        <init-param>
            <param-name>serverName</param-name>
            <param-value>https://inf069766.ad.vl-brabant.be:11043</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <!--filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class-->
        <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://inf069766.ad.vl-brabant.be:11143/cas</param-value>
        </init-param>
        <!--
        <init-param>
            <param-name>service</param-name>
            <param-value>https://inf069766.ad.vl-brabant.be:11043/additionservice/</param-value>
        </init-param>
        -->
        <init-param>
            <param-name>serverName</param-name>
            <param-value>https://inf069766.ad.vl-brabant.be:11043</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <!-- Adjust to accommodate clock drift between client/server.
                 Increasing tolerance has security consequences, so it is
                 preferable to correct the source of clock drift instead. -->
            <param-name>tolerance</param-name>
            <param-value>5000</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

When I try to access the additionservice I'm first redirected to the CAS login page. The entered credentials are accepted, but then I get the following exception:

    org.opensaml.SAMLException: Service not allowed to validate tickets.
        org.opensaml.SAMLException.getInstance(Unknown Source)
        org.opensaml.SAMLResponse.fromDOM(Unknown Source)
        org.opensaml.SAMLResponse.<init>(Unknown Source)
        org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:75)
        org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
        org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
        org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)

This is the complete log of the attempt to run the additionservice:

    22 okt 2012 10:05:23,728 DEBUG CommonUtils:271 - serviceUrl generated: https://inf069766.ad.vl-brabant.be:11043/additionservice/
    22 okt 2012 10:05:23,728 DEBUG Saml11AuthenticationFilter:122 - no ticket and no assertion found
    22 okt 2012 10:05:23,744 DEBUG Saml11AuthenticationFilter:131 - Constructed service url: https://inf069766.ad.vl-brabant.be:11043/additionservice/
    22 okt 2012 10:05:23,744 DEBUG Saml11AuthenticationFilter:137 - redirecting to "https://inf069766.ad.vl-brabant.be:11143/cas/login?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F"
    22 okt 2012 10:05:29,609 DEBUG CommonUtils:271 - serviceUrl generated: https://inf069766.ad.vl-brabant.be:11043/additionservice/
    22 okt 2012 10:05:29,609 DEBUG Saml11AuthenticationFilter:122 - no ticket and no assertion found
    22 okt 2012 10:05:29,625 DEBUG Saml11AuthenticationFilter:131 - Constructed service url: https://inf069766.ad.vl-brabant.be:11043/additionservice/
    22 okt 2012 10:05:29,625 DEBUG Saml11AuthenticationFilter:137 - redirecting to "https://inf069766.ad.vl-brabant.be:11143/cas/login?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F"
    22 okt 2012 10:05:39,703 DEBUG CommonUtils:271 - serviceUrl generated: https://inf069766.ad.vl-brabant.be:11043/additionservice/?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F
    22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidationFilter:165 - Attempting to validate ticket: AAGlvFPRZLNTUtTDW5B5D1oxlq9wuJoFb8Y3M/Jw20mM3MXfQbcqkO7O
    22 okt 2012 10:05:39,703 DEBUG CommonUtils:271 - serviceUrl generated: https://inf069766.ad.vl-brabant.be:11043/additionservice/?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F
    22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:116 - Placing URL parameters in map.
    22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:124 - Calling template URL attribute map.
    22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:127 - Loading custom parameters from configuration.
    22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:202 - Constructing validation url: https://inf069766.ad.vl-brabant.be:11143/cas/samlValidate?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F%3FTARGET%3Dhttps%253A%252F%252Finf069766.ad.vl-brabant.be%253A11043%252Fadditionservice%252F
    22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:206 - Retrieving response from server.
    22 okt 2012 10:05:39,734 DEBUG Saml11TicketValidator:214 - Server response:
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Header/>
      <SOAP-ENV:Body>
        <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  IssueInstant="2012-10-22T08:05:39.734Z" MajorVersion="1" MinorVersion="1"
                  Recipient="https://inf069766.ad.vl-brabant.be:11043/additionservice/?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F"
                  ResponseID="_90527b0a3f75a550b98a54f0c84a0415">
          <Status>
            <StatusCode Value="samlp:Responder"></StatusCode>
            <StatusMessage>Service not allowed to validate tickets.</StatusMessage>
          </Status>
        </Response>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    22 okt 2012 10:05:39,734 WARN Saml11TicketValidationFilter:189 - org.jasig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Service not allowed to validate tickets.
    org.jasig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Service not allowed to validate tickets.
        at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:115)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
    Caused by: org.opensaml.SAMLException: Service not allowed to validate tickets.
        at org.opensaml.SAMLException.getInstance(Unknown Source)
        at org.opensaml.SAMLResponse.fromDOM(Unknown Source)
        at org.opensaml.SAMLResponse.<init>(Unknown Source)
        at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:75)
        ... 21 more

Additional question: on the CAS server there's a file UniqueIdGenerators.xml. I suppose I have to change the constructor argument for samlServiceTicketUniqueIdGenerator from https://localhost:8443 to https://inf069766.ad.vl-brabant.be:11143?

Guy Thomas
Analyst-Programmer
Projects and Development Department
Provinciehuis
Provincieplein 1
3010 Leuven
Tel: 016267945

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
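An added example, not from the original post or the CAS project: a simplified, hand-rolled stand-in for the server-side service-registry allowlist check, showing how an exactly registered serviceId matches the plain service URL but not the URL the posted log actually validates, which carries a `?TARGET=...` query string. The Ant-style pattern semantics and the case-insensitive comparison are assumptions about how the server matches, not verified against its source.

```python
import fnmatch

# Simplified Ant-style matcher (assumption: a stand-in for the path matching the
# CAS server applies to registered service ids; this is not CAS code). Segments
# are split on '/', '*' and '?' match within one segment, '**' matches any run
# of whole segments, and the comparison is case-insensitive.
def ant_match(pattern: str, url: str) -> bool:
    pat = [s for s in pattern.lower().split("/") if s]
    seg = [s for s in url.lower().split("/") if s]
    return _match(pat, seg)

def _match(pat, seg) -> bool:
    if not pat:
        return not seg                      # pattern exhausted: URL must be too
    if pat[0] == "**":
        return any(_match(pat[1:], seg[i:]) for i in range(len(seg) + 1))
    return bool(seg) and fnmatch.fnmatchcase(seg[0], pat[0]) and _match(pat[1:], seg[1:])

def find_service(registry, service_url):
    """Return the first registered id whose pattern matches the URL, else None."""
    for service_id in registry:
        if ant_match(service_id, service_url):
            return service_id
    return None

def validate_decision(registry, service_url) -> str:
    """Allowlist gate: a URL that matches no registered service is refused."""
    if find_service(registry, service_url) is None:
        return "Service not allowed to validate tickets."
    return "OK"

# Constructed sample data: the two service URLs seen in the posted log, the
# exact registered id from the post, and a tighter pattern alternative.
PLAIN_URL = "https://inf069766.ad.vl-brabant.be:11043/additionservice/"
VALIDATED_URL = PLAIN_URL + "?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F"
EXACT_REGISTRY = [PLAIN_URL]
PATTERN_REGISTRY = ["https://inf069766.ad.vl-brabant.be:11043/additionservice/**"]

if __name__ == "__main__":
    for name, reg in (("exact id", EXACT_REGISTRY), ("pattern", PATTERN_REGISTRY)):
        print(name, "->", validate_decision(reg, PLAIN_URL), "/", validate_decision(reg, VALIDATED_URL))
```

The registry is the server's allowlist of who may redeem tickets, so keep patterns as narrow as the client's generated service URLs allow; a pattern like `https://**` would let any host validate tickets.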
