Thank you!  Missed the TARGET parameter...

The page https://wiki.jasig.org/display/CASUM/SAML+1.1 could use a slight mod to 
that fact :).

When I read this page 
https://sp.princeton.edu/oit/sdp/CAS/Wiki%20Pages/CAS%20samlValidate%20walkthrough.aspx
, it was quite apparent, but I didn't see it :(

-John

-----Original Message-----
From: Andrew Morgan [mailto:[email protected]] 
Sent: Tuesday, November 27, 2012 1:02 PM
To: [email protected]
Subject: Re: [cas-user] samlValidate fatal error

From my CAS PHP client debug log, here is what the handshake looks like:

CC76 .|    |    |    |    => CAS_Client::_readURL('https://login.oregonstate.edu/cas/samlValidate?TARGET=http%3A%2F%2Fpeople.oregonstate.edu%2F%7Emorgan%2FCAS-1.3.1%2Ftest.php', NULL, NULL, NULL) [Client.php:1748]
CC76 .|    |    |    |    |    => CAS_Client::_buildSAMLPayload() [Client.php:2432]
CC76 .|    |    |    |    |    <= '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" MinorVersion="1" RequestID="_192.168.16.51.1024506224022" IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-80425-UvrgjbOmAeFWTLco2BOy-login2</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>'


You can see the URL that it POSTed to and an example payload.

        Andy

On Tue, 27 Nov 2012, Scott Battaglia wrote:

> I don't believe the SAML parameters are service and ticket.  It's 
> something like TARGET and SAMLart:
> https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/authentication/principal/SamlService.java
>
>
> On Tue, Nov 27, 2012 at 1:51 PM, Ourada, John <[email protected]> wrote:
>
>> Originally we had a custom authenticator to authenticate against an
>> internal authentication service.  As part of the customization, the
>> person's university id was returned as part of the username
>> (username:ID)
>>
>> We are moving to use MS-AD so I have started working on setting CAS up to
>> use AD/LDAP.  I don't want to modify the LDAP authenticators to
>> return the hacked username so I want to use SAML to get the
>> University ID from AD.
>>
>> I am using 3.4.12 to test with and am using the uber-webapp war for
>> now.
>>
>> I have LDAP working correctly using FastBind and am filling the
>> Attribute Repository.
>>
>> SAML on the other hand isn't playing nice.  I am doing this all from
>> my desktop (Windows 7) for now.
>>
>> After authenticating a service, I am using Fiddler to post to the
>> samlValidate service.
>>
>> POST →
>> https://140.192.89.33/cas/serviceValidate?ticket=ST-1-2acg0RAFuewme4DWnvi0-logintst.depaul.edu&service=http://www.depaul.edu/
>>
>> Headers:
>> Host: 140.192.89.33
>> Content-Length: 465
>> Content-Type: text/xml
>> SOAPAction: http://www.oasis-open.org/committees/security
>>
>> Request Body:
>> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>> <SOAP-ENV:Header/>
>> <SOAP-ENV:Body>
>> <samlp:Request
>> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>> MajorVersion="1"
>> MinorVersion="1"
>> RequestID="_192.168.16.51.1024506224022"
>> IssueInstant="2002-06-19T17:03:44.022Z">
>> <samlp:AssertionArtifact>
>> ST-1-2acg0RAFuewme4DWnvi0-logintst.depaul.edu
>> </samlp:AssertionArtifact>
>> </samlp:Request>
>> </SOAP-ENV:Body>
>> </SOAP-ENV:Envelope>
>>
>> Unfortunately, I am getting 500 errors all the time.  I can
>> successfully GET serviceValidate though with the same URL
>>
>> What I see in the logs is:
>>
>> 2012-11-27 11:39:02,031 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>> =============================================================
>> WHO: JOURADA
>> WHAT: ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu for http://www.depaul.edu/
>> ACTION: SERVICE_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Tue Nov 27 11:39:02 CST 2012
>> CLIENT IP ADDRESS: 140.192.89.33
>> SERVER IP ADDRESS: 140.192.89.33
>> =============================================================
>>
>> >
>>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Attempted to extract Request from HttpServletRequest.  Results:>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Request Body:
>> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Requestxmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"MajorVersion="1"MinorVersion="1"RequestID="_192.168.16.51.1024506224022"IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>
>> ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu
>> </samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Extracted ArtifactId: ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Extracted Request Id: _192.168.16.51.1024506224022>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor generated service for: null>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu]>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu] found in registry.>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu]>
>> 2012-11-27 11:39:36,741 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu] found in registry.>
>> 2012-11-27 11:39:36,741 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>> =============================================================
>> WHO: JOURADA
>> WHAT: ST-2-jpmMvmFN5R3qCDm6WszA-logintst.depaul.edu
>> ACTION: SERVICE_TICKET_VALIDATE_FAILED
>> APPLICATION: CAS
>> WHEN: Tue Nov 27 11:39:36 CST 2012
>> CLIENT IP ADDRESS: 140.192.89.33
>> SERVER IP ADDRESS: 140.192.89.33
>> =============================================================
>>
>> >
>>
>> 2012-11-27 11:39:36,757 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://www.depaul.edu/>
>>
>> And a corresponding null reference exception in the catalina log that
>> I won't put here, but have included.  I feel like I have missed
>> something simple in configuring and have attached all configs that I changed
>> for this.
>>
>> Thank you for looking at this!
>>
>> -John
>>
>> --
>> You are currently subscribed to [email protected] as: 
>> [email protected]
>>
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>
