Hi, I am new to CAS and am having some problems with getting attributes
released through SAML. I have set up CAS 3.2.5.1 and
mod_auth_cas-1.0.9.1. The users and the attributes I would like to
release are stored in LDAP. If CASValidateSAML is set to Off, the user can log
in, but the attributes are not released. If I set CASValidateSAML to
On, I get:
This server could not verify that you are authorized to access
the document requested. Either you supplied the wrong
credentials (e.g., bad password) or your browser doesn't
understand how to supply the credentials required
and the user is not able to see the protected web pages.

I turned on debugging in both CAS and mod_auth_cas, and the attributes are in the cas.log, so they are making it to CAS from LDAP. When CASValidateSAML is On, I get errors from CasArgumentExtractor and ServiceValidateController:

2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.ServiceValidateController] - Could not process request; Service: null, Service Ticket Id: null

There are corresponding errors from mod_auth_cas:

[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] Validation response: \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1293): [client 138.67.125.10] entering isValidCASTicket(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1299): [client 138.67.125.10] MOD_AUTH_CAS: response = \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f

Why does the validation response include 'http://www.yale.edu/tp/cas'? Did I miss something in the configuration? If I had to guess, it is some sort of XML documentation reference, but, to be honest, I do not know that much about XML.

There is no reference to Yale in either cas.properties or deployerConfigContext.xml. Below, I have included the configuration from the test web server for mod_auth_cas and more of the debug logs from the CAS server and mod_auth_cas, and I have attached my deployerConfigContext.xml and cas.properties files.

Here is the mod_auth_cas configuration in httpd:

LoadModule auth_cas_module modules/mod_auth_cas.so

<IfModule mod_auth_cas.c>
    CASLoginURL https://cas-dev.mines.edu/cas/login
    CASVersion 2
    CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
    CASValidateSAML On
    CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
    CASCookiePath /var/tmp/cas/
    CASSSOEnabled On
    CASValidateServer On
    CASDebug On
</IfModule>

<Directory "/var/www/html/castest">
    AuthType CAS
    AuthName "Mines development CAS"
    CASAuthNHeader On
    Require valid-user
</Directory>

The CASValidateSAML directive is not listed in the documentation on https://wiki.jasig.org/display/CASC/mod_auth_cas , but is listed in the README file that is included with the mod_auth_cas source code. Is CASValidateSAML the correct way to get mod_auth_cas to process SAML attributes?

Here is a bigger section of the CAS log file that includes the attribute map for my test user (testua):

2014-06-09 15:42:53,569 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP bind with credential: uid=testua,ou=People2,dc=mines,dc=edu
2014-06-09 15:42:53,683 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: testua]
2014-06-09 15:42:53,683 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Attempting to resolve a principal...
2014-06-09 15:42:53,683 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
2014-06-09 15:42:53,683 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [testua]
2014-06-09 15:42:53,683 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Resolved testua. Trying LDAP resolve now...
2014-06-09 15:42:53,684 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - LDAP search with filter "(uid=testua)"
2014-06-09 15:42:53,684 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - returning searchcontrols: scope=2; search base=ou=People2,dc=mines,dc=edu; attributes=[uid]; timeout=1000
2014-06-09 15:42:53,799 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Resolved testua to testua
2014-06-09 15:42:53,800 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Creating SimplePrincipal for [testua]
2014-06-09 15:42:53,800 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created seed map='{username=[testua]}' for uid='testua'
2014-06-09 15:42:53,800 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding attribute 'uid' with value '[testua]' to query builder 'null'
2014-06-09 15:42:53,800 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Generated query builder '(uid=testua)' from query Map {username=[testua]}.
2014-06-09 15:42:53,920 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal testua
2014-06-09 15:42:53,921 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@2dae66c6 authenticated testua with credential [username: testua].
2014-06-09 15:42:53,921 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - Attribute map for testua: {uid=testua, [email protected], sn=estua, cn=estua, t}
2014-06-09 15:42:53,927 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: testua]
WHAT: supplied credentials: [username: testua]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Jun 09 15:42:53 MDT 2014
CLIENT IP ADDRESS: 138.67.125.10
SERVER IP ADDRESS: 138.67.208.149
=============================================================
2014-06-09 15:42:53,928 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [TGT-2-eaKp93evR29Qd4K3HxVCvbdSNPSpHTeeOXCHJsK1N2DKhYTDq1-cas-dev.mines.edu] to registry.
2014-06-09 15:42:53,929 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: testua]
WHAT: TGT-2-eaKp93evR29Qd4K3HxVCvbdSNPSpHTeeOXCHJsK1N2DKhYTDq1-cas-dev.mines.edu
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Jun 09 15:42:53 MDT 2014
CLIENT IP ADDRESS: 138.67.125.10
SERVER IP ADDRESS: 138.67.208.149
=============================================================
2014-06-09 15:42:53,933 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASPRIVACY]
2014-06-09 15:42:53,935 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Added cookie with name [CASTGC] and value [TGT-2-eaKp93evR29Qd4K3HxVCvbdSNPSpHTeeOXCHJsK1N2DKhYTDq1-cas-dev.mines.edu]
2014-06-09 15:42:53,940 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-2-eaKp93evR29Qd4K3HxVCvbdSNPSpHTeeOXCHJsK1N2DKhYTDq1-cas-dev.mines.edu]
2014-06-09 15:42:53,940 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-2-eaKp93evR29Qd4K3HxVCvbdSNPSpHTeeOXCHJsK1N2DKhYTDq1-cas-dev.mines.edu] found in registry.
2014-06-09 15:42:53,945 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-2-lwrGgrrnGNVVW6dOCfsa-cas-dev.mines.edu] to registry.
2014-06-09 15:42:53,945 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-2-lwrGgrrnGNVVW6dOCfsa-cas-dev.mines.edu] for service [https://nineoften.mines.edu/castest/] for user [testua]
2014-06-09 15:42:53,946 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-2-eaKp93evR29Qd4K3HxVCvbdSNPSpHTeeOXCHJsK1N2DKhYTDq1-cas-dev.mines.edu]
2014-06-09 15:42:53,946 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-2-eaKp93evR29Qd4K3HxVCvbdSNPSpHTeeOXCHJsK1N2DKhYTDq1-cas-dev.mines.edu] found in registry.
2014-06-09 15:42:53,947 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: testua
WHAT: ST-2-lwrGgrrnGNVVW6dOCfsa-cas-dev.mines.edu for https://nineoften.mines.edu/castest/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Jun 09 15:42:53 MDT 2014
CLIENT IP ADDRESS: 138.67.125.10
SERVER IP ADDRESS: 138.67.208.149
=============================================================
2014-06-09 15:42:53,958 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - Terminate web session 6EC0BD503F2D1A4595F759A93B94E7E6 in 2 seconds
2014-06-09 15:42:53,958 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - Terminate web session 6EC0BD503F2D1A4595F759A93B94E7E6 in 2 seconds
2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2014-06-09 15:42:54,038 DEBUG [org.jasig.cas.web.ServiceValidateController] - Could not process request; Service: null, Service Ticket Id: null

Here are the log entries from mod_auth_cas:

[Mon Jun 09 15:42:53 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] Entering cas_authenticate(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:53 2014] [debug] mod_auth_cas.c(607): [client 138.67.125.10] Modified r->args (old 'ticket=ST-2-lwrGgrrnGNVVW6dOCfsa-cas-dev.mines.edu', new ''), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:53 2014] [debug] mod_auth_cas.c(1600): [client 138.67.125.10] entering getResponseFromServer(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:53 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] entering getCASService(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:53 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f', referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] Validation response: \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1293): [client 138.67.125.10] entering isValidCASTicket(), referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Mon Jun 09 15:42:54 2014] [debug] mod_auth_cas.c(1299): [client 138.67.125.10] MOD_AUTH_CAS: response = \n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>\n, referer: https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f

I have attached both the deployerConfigContext.xml and the cas.properties. If you have any ideas how to get attributes working, please let me know. For now, I need to get LDAP attributes working; eventually, I would like to add data from MySQL tables as well as the attributes from LDAP.

Thank you,
Matt Brookover
[email protected]
Attachment: deployerConfigContext.xml (XML document)

Attachment: cas.properties

#
# Licensed to Jasig under one or more contributor license
# agreements. See the NOTICE file distributed with this work
# for additional information regarding copyright ownership.
# Jasig licenses this file to you under the Apache License,
# Version 2.0 (the "License"); you may not use this file
# except in compliance with the License. You may obtain a
# copy of the License at the following location:
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#

##
# Services Management Web UI Security
server.name=https://cas-dev.mines.edu
server.prefix=${server.name}/cas
cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
# IP address or CIDR subnet allowed to access the /status URI of CAS that exposes health check information
cas.securityContext.status.allowedSubnet=127.0.0.1

cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views

##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
host.name=cas-dev.mines.edu

##
# LDAP configuration
ldap.pool.minIdle=3
ldap.pool.maxIdle=5
ldap.pool.maxSize=10
# Maximum time in ms to wait for connection to become available
# under pool exhausted condition.
ldap.pool.maxWait=10000

# == Evictor configuration ==
# Period in ms at which evictor process runs.
ldap.pool.evictionPeriod=600000
# Maximum time in ms at which connections can remain idle before
# they become liable to eviction.
ldap.pool.idleTime=1200000

# == Connection testing settings ==
# Set to true to enable connection liveliness testing on evictor
# process runs. Probably results in best performance.
ldap.pool.testWhileIdle=true
# Set to true to enable connection liveliness testing before every
# request to borrow an object from the pool.
ldap.pool.testOnBorrow=false

##
# Database flavors for Hibernate
#
# One of these is needed if you are storing Services or Tickets in an RDBMS via JPA.
#
# database.hibernate.dialect=org.hibernate.dialect.OracleDialect
# database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect
# database.hibernate.dialect=org.hibernate.dialect.HSQLDialect

##
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
# cas.logout.followServiceRedirects=false

##
# Single Sign-On Session Timeouts
# Defaults sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Maximum session timeout - TGT will expire in maxTimeToLiveInSeconds regardless of usage
# tgt.maxTimeToLiveInSeconds=28800
#
# Idle session timeout - TGT will expire sooner than maxTimeToLiveInSeconds if no further requests
# for STs occur within timeToKillInSeconds
# tgt.timeToKillInSeconds=7200

##
# Service Ticket Timeout
# Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s. You'll want to
# increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools
# st.timeToKillInSeconds=10

##
# Single Logout Out Callbacks
# Default sourced from WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml
#
# To turn off all back channel SLO requests set slo.disabled to true
# slo.callbacks.disabled=false

##
# Service Registry Periodic Reloading Scheduler
# Default sourced from WEB-INF/spring-configuration/applicationContext.xml
#
# Force a startup delay of 2 minutes.
# service.registry.quartz.reloader.startDelay=120000
#
# Reload services every 2 minutes
# service.registry.quartz.reloader.repeatInterval=120000

##
# Log4j
# Default sourced from WEB-INF/spring-configuration/log4jConfiguration.xml:
#
# It is often time helpful to externalize log4j.xml to a system path to preserve settings between upgrades.
# e.g. log4j.config.location=/etc/cas/log4j.xml
# log4j.config.location=classpath:log4j.xml
#
# log4j refresh interval in millis
# log4j.refresh.interval=60000
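Added example for the two validation formats this message mixes; it is not code from CAS or mod_auth_cas and is not part of the original post. Two protocol facts it rests on: 'http://www.yale.edu/tp/cas' is the XML namespace URI of the CAS protocol's response vocabulary (CAS originated at Yale), so it labels the cas:serviceResponse elements and is never fetched; and with CASValidateSAML On, mod_auth_cas 1.0.x performs a SAML 1.1 validation, a SOAP POST to CASValidateURL with the service in a TARGET query parameter and the ticket inside the body as a samlp:AssertionArtifact, which is what CAS's /samlValidate endpoint speaks, whereas /serviceValidate expects service= and ticket= query parameters (the INVALID_REQUEST in the logs). The script parses both response shapes, enforces on the SAML side the validity window and audience restriction a relying party should check, builds the SAML request body, and runs on the exact failure response from the logs plus two constructed success responses for the thread's service and user (the mail value testua@example.edu, the timestamps and the IDs are made up).

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input
from xml.sax.saxutils import escape

# 'http://www.yale.edu/tp/cas' is the CAS protocol's XML namespace URI (CAS was
# written at Yale). It is an identifier; the client fetches nothing from it.
CAS = "{http://www.yale.edu/tp/cas}"
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
SERVICE = "https://nineoften.mines.edu/castest/"  # the service URL from the thread


class ValidationError(Exception):
    """The response must not be treated as a successful login."""


def parse_cas2_response(xml_text):
    """CAS 2.0 /serviceValidate response -> (user, {attribute: [values]})."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS + "serviceResponse":
        raise ValidationError("not a cas:serviceResponse")
    failure = root.find(CAS + "authenticationFailure")
    if failure is not None:
        raise ValidationError("%s: %s" % (failure.get("code"), " ".join((failure.text or "").split())))
    user = root.findtext(CAS + "authenticationSuccess/" + CAS + "user")
    if not user:
        raise ValidationError("no authenticationSuccess/user element")
    attrs = {}
    block = root.find(CAS + "authenticationSuccess/" + CAS + "attributes")  # absent in stock CAS 3.x
    for child in ([] if block is None else block):
        attrs.setdefault(child.tag.split("}", 1)[1], []).append(child.text or "")
    return user, attrs


def build_samlvalidate_request(ticket, issue_instant=None):
    """SOAP body a SAML-validating client POSTs to <CASValidateURL>?TARGET=<service>.
    The ticket rides in the body as an AssertionArtifact, so a CAS 2.0 endpoint
    such as /serviceValidate sees neither a 'service' nor a 'ticket' parameter."""
    when = issue_instant or dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
            '<SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="%s" MajorVersion="1" '
            'MinorVersion="1" RequestID="_%s" IssueInstant="%s"><samlp:AssertionArtifact>%s'
            '</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>'
            % (SAMLP[1:-1], uuid.uuid4().hex, when, escape(ticket)))


def _utc(stamp):
    """SAML UTC timestamp ('...:54Z' or '...:54.022Z') -> aware datetime."""
    return dt.datetime.fromisoformat(stamp.rstrip("Z")).replace(tzinfo=dt.timezone.utc)


def parse_saml11_response(xml_text, service, now=None):
    """SAML 1.1 /samlValidate response -> (user, {attribute: [values]}), enforcing the
    validity window and the audience (an assertion issued for one service is not valid for another)."""
    now = _utc(now) if isinstance(now, str) else (now or dt.datetime.now(dt.timezone.utc))
    resp = ET.fromstring(xml_text).find(SOAP + "Body/" + SAMLP + "Response")
    if resp is None:
        raise ValidationError("no samlp:Response in SOAP body")
    code = resp.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValidationError("SAML status: %s" % (None if code is None else code.get("Value")))
    cond = resp.find(SAML + "Assertion/" + SAML + "Conditions")
    if cond is None:
        raise ValidationError("Success status without Assertion/Conditions")
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValidationError("assertion outside its validity window (clock skew or replay)")
    if service not in [a.text for a in cond.iter(SAML + "Audience")]:
        raise ValidationError("assertion not issued for %s" % service)
    user = resp.findtext(SAML + "Assertion/" + SAML + "AuthenticationStatement/" + SAML + "Subject/" + SAML + "NameIdentifier")
    if not user:
        raise ValidationError("no authenticated subject")
    attrs = {}
    for a in resp.iterfind(SAML + "Assertion/" + SAML + "AttributeStatement/" + SAML + "Attribute"):
        attrs[a.get("AttributeName")] = [v.text or "" for v in a.findall(SAML + "AttributeValue")]
    return user, attrs


def outcome(parser, *args, **kwargs):
    """('ok', result) or ('error', message); lets a caller compare results without try/except."""
    try:
        return "ok", parser(*args, **kwargs)
    except ValidationError as exc:
        return "error", str(exc)


# The failure mod_auth_cas logged in the thread, with its \n and \t expanded.
CAS_FAILURE = ("\n\n\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure "
               "code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t"
               "</cas:authenticationFailure>\n</cas:serviceResponse>\n")
# Constructed: a CAS 2.0 success carrying attributes (stock CAS 3.x emits no cas:attributes).
CAS_SUCCESS = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
               "<cas:user>testua</cas:user><cas:attributes><cas:sn>estua</cas:sn><cas:cn>estua</cas:cn>"
               "<cas:mail>testua@example.edu</cas:mail></cas:attributes></cas:authenticationSuccess></cas:serviceResponse>")
# Constructed: the shape of a /samlValidate success for the thread's service and test user.
SAML_SUCCESS = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" ResponseID="_r1" IssueInstant="2014-06-09T21:42:54Z">
<Status><StatusCode Value="samlp:Success"/></Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1" Issuer="cas-dev.mines.edu" IssueInstant="2014-06-09T21:42:54Z" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2014-06-09T21:42:54Z" NotOnOrAfter="2014-06-09T21:43:24Z"><AudienceRestrictionCondition><Audience>https://nineoften.mines.edu/castest/</Audience></AudienceRestrictionCondition></Conditions>
<AuthenticationStatement AuthenticationInstant="2014-06-09T21:42:53Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><NameIdentifier>testua</NameIdentifier></Subject></AuthenticationStatement>
<AttributeStatement><Subject><NameIdentifier>testua</NameIdentifier></Subject>
<Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>testua</AttributeValue></Attribute>
<Attribute AttributeName="sn" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>estua</AttributeValue></Attribute>
</AttributeStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```

Feeding CAS_FAILURE to parse_cas2_response reproduces the logged rejection as an error; SAML_SUCCESS parsed with now="2014-06-09T21:43:00Z" yields testua with uid and sn, while the same document checked at 21:50 or against a different service is refused. mod_auth_cas does not verify an XML signature on the validation response; it trusts the TLS connection to CASValidateURL, so CASValidateServer On together with a correct CASCertificatePath (as in the configuration above) is what binds the assertion to the CAS server.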
