I'm trying to write a script to log in using the CAS REST API and load a 
resource. I've got it working for a resource that uses the Java CAS client, but 
mod_auth_cas isn't working so well. I've got an Apache 2.2 server using 
mod_auth_cas 1.0.9.1 and when I try to load a protected resource (using Perl 
and LWP::UserAgent) by fetching https://servername/protected/test.html the 
server closes the connection without sending any data.

Turning on CASDebug and setting Apache's LogLevel to 'debug' shows that 
mod_auth_cas is rewriting the URL to remove the ticket parameter, and it's 
validating the ticket using samlValidate. The response that comes back and gets 
logged is a successful SAML response and it contains the correct username. In 
the logs, I get:

Entering cas_authenticate()
Modified r->args (now '')
entering getResponseFromServer()
CAS Service '<URL-encoded service URL>'
Validation response: <SAML response>
entering isValidCASTicket()
MOD_AUTH_CAS: response = <SAML response>
entering createCASCookie()
entering writeCASCacheEntry()

Immediately after that the log stops, the connection is closed, and I never see 
the corresponding entry in ssl_access_log. I'm not sure where to go for 
debugging this, or what would be useful for people trying to help me. The SAML 
response referred to above is:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
        <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
                IssueInstant="2013-07-16T13:34:51.271Z" MajorVersion="1" MinorVersion="1"
                Recipient="https://servername/protected/test.html"
                ResponseID="_80b6750c1581f786e3355b9f61d97ea3">
            <saml1p:Status>
                <saml1p:StatusCode Value="saml1p:Success"/>
            </saml1p:Status>
            <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
                    AssertionID="_04dba8b0559cba81ee68d6473545a74a"
                    IssueInstant="2013-07-16T13:34:51.271Z" Issuer="localhost" MajorVersion="1"
                    MinorVersion="1">
                <saml1:Conditions NotBefore="2013-07-16T13:34:51.271Z"
                        NotOnOrAfter="2013-07-16T13:35:21.271Z">
                    <saml1:AudienceRestrictionCondition>
                        <saml1:Audience>https://servername/protected/test.html</saml1:Audience>
                    </saml1:AudienceRestrictionCondition>
                </saml1:Conditions>
                <saml1:AuthenticationStatement AuthenticationInstant="2013-07-16T13:34:51.031Z"
                        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
                    <saml1:Subject>
                        <saml1:NameIdentifier>monitoringuser</saml1:NameIdentifier>
                        <saml1:SubjectConfirmation>
                            <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
                        </saml1:SubjectConfirmation>
                    </saml1:Subject>
                </saml1:AuthenticationStatement>
            </saml1:Assertion>
        </saml1p:Response>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

My mod_auth_cas configuration is:

CASLoginURL https://casserver/cas/login
CASValidateURL https://casserver/cas/samlValidate
CASProxyValidateURL https://casserver/cas/proxyValidate
CASCookiePath /var/cache/mod_auth_cas/
CASCertificatePath /etc/pki/tls/certs/
CASAllowWildcardCert On
CASValidateServer On
CASValidateSAML On
CASAttributeDelimiter ;

If anything else is needed, please let me know and I'll supply whatever I can. 
If I authenticate to the same resource through a browser, it works.

--
Joel Goguen
Developer / System Administrator
Enterprise Solutions
Information Technology Services
University of New Brunswick
E-mail: [email protected]
Phone: (506) 453-4872
Fax: (506) 453-3590
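Not part of the original message: an added Python example of the checks a CAS client applies to the samlValidate response quoted above (status, Recipient and Audience against the service URL, the Conditions window, then the NameIdentifier). It is neither the poster's Perl script nor mod_auth_cas's code; `validate_saml_response` and `skew_seconds` are names of my own, and the embedded response is a constructed copy of the one above.

```python
# Added example (not the poster's script nor mod_auth_cas code): the checks a CAS client
# applies to a samlValidate response. SAMPLE_RESPONSE is a constructed copy of the post's.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
P = "{urn:oasis:names:tc:SAML:1.0:protocol}"   # saml1p prefix in the response
A = "{urn:oasis:names:tc:SAML:1.0:assertion}"  # saml1 prefix in the response

SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1"
  IssueInstant="2013-07-16T13:34:51.271Z" Recipient="https://servername/protected/test.html">
 <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
 <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="localhost"
   MajorVersion="1" MinorVersion="1" IssueInstant="2013-07-16T13:34:51.271Z">
  <saml1:Conditions NotBefore="2013-07-16T13:34:51.271Z" NotOnOrAfter="2013-07-16T13:35:21.271Z">
   <saml1:AudienceRestrictionCondition>
    <saml1:Audience>https://servername/protected/test.html</saml1:Audience>
   </saml1:AudienceRestrictionCondition>
  </saml1:Conditions>
  <saml1:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
   <saml1:Subject><saml1:NameIdentifier>monitoringuser</saml1:NameIdentifier></saml1:Subject>
  </saml1:AuthenticationStatement>
 </saml1:Assertion>
</saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

def _ts(value):
    """Parse a SAML 1.1 UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt)

def validate_saml_response(xml_text, service, now, skew_seconds=0):
    """Return the username or raise ValueError; `now` is a UTC datetime or timestamp string."""
    now = _ts(now) if isinstance(now, str) else now
    skew = timedelta(seconds=skew_seconds)
    resp = ET.fromstring(xml_text).find(".//" + P + "Response")
    code = resp.find(P + "Status/" + P + "StatusCode") if resp is not None else None
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("status not Success")
    assertion = resp.find(A + "Assertion")
    cond = assertion.find(A + "Conditions") if assertion is not None else None
    if cond is None:
        raise ValueError("no saml1:Assertion/saml1:Conditions")
    # Recipient and Audience must both be exactly the service URL the ticket was issued for
    audiences = [e.text for e in assertion.iter(A + "Audience")]
    if resp.get("Recipient") != service or service not in audiences:
        raise ValueError("service mismatch: %r / %r" % (resp.get("Recipient"), audiences))
    # The window here is only 30 s, so clock skew between CAS and Apache matters
    if not (_ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside validity window")
    name = assertion.find(".//" + A + "NameIdentifier")
    if name is None or not (name.text or "").strip():
        raise ValueError("no NameIdentifier")
    return name.text.strip()
```

Run against a response captured from the CASDebug log, with `now` set to the time the log line was written, to confirm the assertion itself was acceptable at the moment mod_auth_cas processed it.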
