Still struggling with the SAML 1.1 set-up. If somebody can help me, I'd be very 
grateful.

This is the CAS server URL: https://inf069766.ad.vl-brabant.be:11143/cas
This is the URL of the first service (of two) I'm trying to CASify: 
https://inf069766.ad.vl-brabant.be:11043/additionservice/

When not using SAML 1.1 everything works fine. However, I need to get some 
attributes "to the other side", so I have to use SAML.

The client URL corresponds with the serviceID persisted through the service 
manager: https://inf069766.ad.vl-brabant.be:11043/additionservice/

This is how I have set up SAML on the client side in web.xml:

   <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <!--filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class-->
      <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
      <init-param>
         <param-name>casServerLoginUrl</param-name>
         <param-value>https://inf069766.ad.vl-brabant.be:11143/cas/login</param-value>
      </init-param>
      <!--
      <init-param>
         <param-name>service</param-name>
         <param-value>https://inf069766.ad.vl-brabant.be:11043/additionservice/</param-value>
      </init-param>
      -->
      <init-param>
         <param-name>serverName</param-name>
         <param-value>https://inf069766.ad.vl-brabant.be:11043</param-value>
      </init-param>
   </filter>

   <filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <!--filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class-->
      <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
      <init-param>
         <param-name>casServerUrlPrefix</param-name>
         <param-value>https://inf069766.ad.vl-brabant.be:11143/cas</param-value>
      </init-param>
      <!--
      <init-param>
         <param-name>service</param-name>
         <param-value>https://inf069766.ad.vl-brabant.be:11043/additionservice/</param-value>
      </init-param>
      -->
      <init-param>
         <param-name>serverName</param-name>
         <param-value>https://inf069766.ad.vl-brabant.be:11043</param-value>
      </init-param>
      <init-param>
         <param-name>redirectAfterValidation</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <!--
         Adjust to accommodate clock drift between client/server.
         Increasing tolerance has security consequences, so it is preferable to
         correct the source of clock drift instead.
         -->
         <param-name>tolerance</param-name>
         <param-value>5000</param-value>
      </init-param>
   </filter>

   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
   </filter>

   <filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
      <filter-name>CAS Assertion Thread Local Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
   </filter>

   <filter-mapping>
      <filter-name>CAS Assertion Thread Local Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

When I try to access the additionservice I'm first redirected to the CAS login 
page. The entered credentials are accepted, but then I get the following 
exception:

org.opensaml.SAMLException: Service not allowed to validate tickets.
org.opensaml.SAMLException.getInstance(Unknown Source)
org.opensaml.SAMLResponse.fromDOM(Unknown Source)
org.opensaml.SAMLResponse.<init>(Unknown Source)
org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:75)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)

This is the complete log of the attempt to run the additionservice:

22 okt 2012 10:05:23,728 DEBUG CommonUtils:271 - serviceUrl generated: 
https://inf069766.ad.vl-brabant.be:11043/additionservice/
22 okt 2012 10:05:23,728 DEBUG Saml11AuthenticationFilter:122 - no ticket and 
no assertion found
22 okt 2012 10:05:23,744 DEBUG Saml11AuthenticationFilter:131 - Constructed 
service url: https://inf069766.ad.vl-brabant.be:11043/additionservice/
22 okt 2012 10:05:23,744 DEBUG Saml11AuthenticationFilter:137 - redirecting to 
"https://inf069766.ad.vl-brabant.be:11143/cas/login?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F"
22 okt 2012 10:05:29,609 DEBUG CommonUtils:271 - serviceUrl generated: 
https://inf069766.ad.vl-brabant.be:11043/additionservice/
22 okt 2012 10:05:29,609 DEBUG Saml11AuthenticationFilter:122 - no ticket and 
no assertion found
22 okt 2012 10:05:29,625 DEBUG Saml11AuthenticationFilter:131 - Constructed 
service url: https://inf069766.ad.vl-brabant.be:11043/additionservice/
22 okt 2012 10:05:29,625 DEBUG Saml11AuthenticationFilter:137 - redirecting to 
"https://inf069766.ad.vl-brabant.be:11143/cas/login?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F"
22 okt 2012 10:05:39,703 DEBUG CommonUtils:271 - serviceUrl generated: 
https://inf069766.ad.vl-brabant.be:11043/additionservice/?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F
22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidationFilter:165 - Attempting to 
validate ticket: AAGlvFPRZLNTUtTDW5B5D1oxlq9wuJoFb8Y3M/Jw20mM3MXfQbcqkO7O
22 okt 2012 10:05:39,703 DEBUG CommonUtils:271 - serviceUrl generated: 
https://inf069766.ad.vl-brabant.be:11043/additionservice/?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F
22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:116 - Placing URL 
parameters in map.
22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:124 - Calling template URL 
attribute map.
22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:127 - Loading custom 
parameters from configuration.
22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:202 - Constructing 
validation url: 
https://inf069766.ad.vl-brabant.be:11143/cas/samlValidate?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F%3FTARGET%3Dhttps%253A%252F%252Finf069766.ad.vl-brabant.be%253A11043%252Fadditionservice%252F
22 okt 2012 10:05:39,703 DEBUG Saml11TicketValidator:206 - Retrieving response 
from server.
22 okt 2012 10:05:39,734 DEBUG Saml11TicketValidator:214 - Server response: 
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response
 xmlns="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
IssueInstant="2012-10-22T08:05:39.734Z" MajorVersion="1" MinorVersion="1" 
Recipient="https://inf069766.ad.vl-brabant.be:11043/additionservice/?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F"
 ResponseID="_90527b0a3f75a550b98a54f0c84a0415"><Status><StatusCode 
Value="samlp:Responder"></StatusCode><StatusMessage>Service not allowed to 
validate 
tickets.</StatusMessage></Status></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
22 okt 2012 10:05:39,734  WARN Saml11TicketValidationFilter:189 - 
org.jasig.cas.client.validation.TicketValidationException: 
org.opensaml.SAMLException: Service not allowed to validate tickets.
org.jasig.cas.client.validation.TicketValidationException: 
org.opensaml.SAMLException: Service not allowed to validate tickets.
        at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:115)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
Caused by: org.opensaml.SAMLException: Service not allowed to validate tickets.
        at org.opensaml.SAMLException.getInstance(Unknown Source)
        at org.opensaml.SAMLResponse.fromDOM(Unknown Source)
        at org.opensaml.SAMLResponse.<init>(Unknown Source)
        at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:75)
        ... 21 more

Additional question: on the CAS server there's a file UniqueIdGenerators.xml. I 
suppose I have to change the constructor argument for 
samlServiceTicketUniqueIdGenerator from https://localhost:8443 to 
https://inf069766.ad.vl-brabant.be:11143?





Guy Thomas
Analyst-Programmer
Projects and Developments Department

Provincial House
Provincieplein 1
3010 Leuven

Tel: 016267945
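In the log above, the service URL passed to samlValidate, and the Recipient the server echoes back, carry their own TARGET query parameter, so they are not the bare serviceId the post says is registered in the service manager. The following is an added example, not the poster's code or the CAS client's: it parses a constructed samlValidate response modelled on that log, extracts the SAML 1.1 status, and checks whether the Recipient matches the registered serviceId exactly or only after the assumed SSO round-trip parameters (TARGET, SAMLart, ticket) are stripped.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"  # Clark-notation namespace prefix

# Constructed sample modelled on the samlValidate response in the log (XML declaration omitted).
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 IssueInstant="2012-10-22T08:05:39.734Z" MajorVersion="1" MinorVersion="1"
 Recipient="https://inf069766.ad.vl-brabant.be:11043/additionservice/?TARGET=https%3A%2F%2Finf069766.ad.vl-brabant.be%3A11043%2Fadditionservice%2F"
 ResponseID="_90527b0a3f75a550b98a54f0c84a0415">
<Status><StatusCode Value="samlp:Responder"/>
<StatusMessage>Service not allowed to validate tickets.</StatusMessage></Status>
</Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

def parse_saml11_status(xml_text):
    """Return (status_code, status_message, recipient) from a samlValidate envelope."""
    resp = ET.fromstring(xml_text).find(f".//{SAMLP}Response")
    if resp is None:
        raise ValueError("no SAML 1.1 Response element in the SOAP body")
    code = resp.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    msg = resp.find(f"{SAMLP}Status/{SAMLP}StatusMessage")
    return (code.get("Value") if code is not None else None,
            (msg.text or "").strip() if msg is not None else "",
            resp.get("Recipient", ""))

def strip_sso_params(url, drop=("TARGET", "SAMLart", "ticket")):
    """Drop the SSO round-trip query parameters (an assumed set) so the URL can
    be compared with the serviceId registered in the CAS service manager."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in drop]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def diagnose(xml_text, registered_service_id):
    """Summarise the response and report whether the Recipient the server saw
    equals the registered serviceId exactly, or only once SSO params are removed."""
    code, message, recipient = parse_saml11_status(xml_text)
    return {
        "success": code is not None and code.endswith("Success"),
        "status_code": code,
        "message": message,
        "recipient": recipient,
        "recipient_matches_registered": recipient == registered_service_id,
        "matches_after_stripping_sso_params":
            strip_sso_params(recipient) == registered_service_id,
    }
```

Run `diagnose(SAMPLE_RESPONSE, "https://inf069766.ad.vl-brabant.be:11043/additionservice/")` to see that the Recipient only matches the registered serviceId once the TARGET parameter is removed.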


