On Tue, 2014-06-10 at 12:35 -0700, Andrew Morgan wrote:
> On Tue, 10 Jun 2014, Matthew B. Brookover wrote:
> 
> > Hi, I am new to CAS and am having some problems with getting attributes
> > released through SAML. I have set up cas 3.2.5.1 and
> > 
> > Here is the mod_auth_cas configuration in httpd:
> > LoadModule auth_cas_module modules/mod_auth_cas.so
> > <IfModule mod_auth_cas.c>
> > CASLoginURL https://cas-dev.mines.edu/cas/login
> > CASVersion 2
> > CASValidateURL https://cas-dev.mines.edu/cas/serviceValidate
> > CASValidateSAML On
> 
> Shouldn't the CASValidateURL be changed to:
> 
>    CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
> 
> serviceValidate only works for the CAS protocol.  Clients must contact 
> samlValidate for the SAML protocol ticket validation.  This might also 
> explain your errors from CasArgumentExtractor and
> ServiceValidateController.
> 
>       Andy

Hi Andy, I tried the /cas/samlValidate URL and the attributes show up in
the logs.  In fact, the logs make it look like things are working except
for the fact that I still get the "this server could not verify that you
are..." message in the web browser.

The logs:
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] 
Entering cas_authenticate()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] 
entering getCASService()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] 
CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f'
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(485): [client 138.67.125.10] 
entering getCASLoginURL()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(462): [client 138.67.125.10] 
entering getCASGateway()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(555): [client 138.67.125.10] 
entering redirectRequest()
[Tue Jun 10 14:40:23 2014] [debug] mod_auth_cas.c(567): [client 138.67.125.10] 
Adding outgoing header: Location: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] 
Entering cas_authenticate(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(607): [client 138.67.125.10] 
Modified r->args (old 'ticket=ST-3-HiJjnoAPVtfGGgi4YxaQ-cas-dev.mines.edu', new 
''), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1600): [client 138.67.125.10] 
entering getResponseFromServer(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] 
entering getCASService(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] 
CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f', referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] 
Validation response: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response
 xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
IssueInstant="2014-06-10T20:40:47.253Z" MajorVersion="1" MinorVersion="1" 
Recipient="https://nineoften.mines.edu/castest/" 
ResponseID="_978d48864e870edb73451795582858cb"><saml1p:Status><saml1p:StatusCode
 Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_8691358e49dd25dc8f2bb7b376d47a15" 
IssueInstant="2014-06-10T20:40:47.253Z" Issuer="localhost" MajorVersion="1" 
MinorVersion="1"><saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" 
NotOnOrAfter="2014-06-10T20:41:17.253Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
 AuthenticationInstant="2014-06-10T20:40:47.147Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
 AttributeName="uid" 
AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">testua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="mail" 
AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">[email protected]</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="sn" 
AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">estua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="cn" 
AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">estua, 
t</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
 referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1293): [client 138.67.125.10] 
entering isValidCASTicket(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:40:47 2014] [debug] mod_auth_cas.c(1299): [client 138.67.125.10] 
MOD_AUTH_CAS: response = <?xml version="1.0" 
encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response
 xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
IssueInstant="2014-06-10T20:40:47.253Z" MajorVersion="1" MinorVersion="1" 
Recipient="https://nineoften.mines.edu/castest/" 
ResponseID="_978d48864e870edb73451795582858cb"><saml1p:Status><saml1p:StatusCode
 Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_8691358e49dd25dc8f2bb7b376d47a15" 
IssueInstant="2014-06-10T20:40:47.253Z" Issuer="localhost" MajorVersion="1" 
MinorVersion="1"><saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" 
NotOnOrAfter="2014-06-10T20:41:17.253Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
 AuthenticationInstant="2014-06-10T20:40:47.147Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
 AttributeName="uid" 
AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">testua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="mail" 
AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">[email protected]</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="sn" 
AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">estua</saml1:AttributeValue></saml1:Attribute><saml1:Attribute
 AttributeName="cn" 
AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">estua, 
t</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
 referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f

The log entries above were with:
        CASValidateURL https://cas-dev.mines.edu/cas/samlValidate
        CASValidateSAML On

Just grasping at straws, I set CASValidateSAML to Off and got the same
"this server could not verify that you are..." message. Rather than the
attributes, I got the "'service' and 'ticket' parameters are both
required" message.  Setting CASValidateURL to samlValidate and
CASValidateSAML to On is a big step forward, but there is still something
missing.

FYI, here are the logs from the run with CASValidateSAML Off:
[Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] 
Entering cas_authenticate()
[Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] 
entering getCASService()
[Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] 
CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f'
[Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(485): [client 138.67.125.10] 
entering getCASLoginURL()
[Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(462): [client 138.67.125.10] 
entering getCASGateway()
[Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(555): [client 138.67.125.10] 
entering redirectRequest()
[Tue Jun 10 14:42:54 2014] [debug] mod_auth_cas.c(567): [client 138.67.125.10] 
Adding outgoing header: Location: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1745): [client 138.67.125.10] 
Entering cas_authenticate(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(607): [client 138.67.125.10] 
Modified r->args (old 'ticket=ST-4-efgS7hJisZWtcAsew4cO-cas-dev.mines.edu', new 
''), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1600): [client 138.67.125.10] 
entering getResponseFromServer(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(519): [client 138.67.125.10] 
entering getCASService(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(539): [client 138.67.125.10] 
CAS Service 'https%3a%2f%2fnineoften.mines.edu%2fcastest%2f', referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1674): [client 138.67.125.10] 
Validation response: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response
 xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
IssueInstant="2014-06-10T20:43:01.401Z" MajorVersion="1" MinorVersion="1" 
Recipient="UNKNOWN" 
ResponseID="_560a430b410a59a61d548b7af3fbdc36"><saml1p:Status><saml1p:StatusCode
 Value="saml1p:RequestDenied"/><saml1p:StatusMessage>'service' and 'ticket' 
parameters are both 
required</saml1p:StatusMessage></saml1p:Status></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
 referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1293): [client 138.67.125.10] 
entering isValidCASTicket(), referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f
[Tue Jun 10 14:43:01 2014] [debug] mod_auth_cas.c(1299): [client 138.67.125.10] 
MOD_AUTH_CAS: response = <?xml version="1.0" 
encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response
 xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
IssueInstant="2014-06-10T20:43:01.401Z" MajorVersion="1" MinorVersion="1" 
Recipient="UNKNOWN" 
ResponseID="_560a430b410a59a61d548b7af3fbdc36"><saml1p:Status><saml1p:StatusCode
 Value="saml1p:RequestDenied"/><saml1p:StatusMessage>'service' and 'ticket' 
parameters are both 
required</saml1p:StatusMessage></saml1p:Status></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>,
 referer: 
https://cas-dev.mines.edu/cas/login?service=https%3a%2f%2fnineoften.mines.edu%2fcastest%2f

Besides setting CASValidateURL to ..../cas/samlValidate, is there a
change to the deployerConfigContext.xml for SAML?  It looks like SAML is
working: the attributes I wanted to release are showing up in the logs
with the changes you suggested.

Any ideas?

thanks

Matt
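As an added example (not code from this thread, from mod_auth_cas, or from the CAS server), here is the checking a SAML 1.1 validating client has to do with a samlValidate response like the ones in the logs above: confirm the status code, the validity window, the audience, and only then take the subject and the released attributes. The two sample responses are constructed, shortened copies of the successful and the RequestDenied responses shown in the logs; the "current time" values and the 60-second clock-skew allowance are assumptions made for the demonstration.

```python
"""Check a CAS /samlValidate (SAML 1.1) response the way a validating client should.
Added example, not mod_auth_cas or CAS code; the sample responses are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "saml1p": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml1": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed, shortened copy of the successful response in the thread's logs (uid and sn only).
SAMPLE_SUCCESS = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1"
 IssueInstant="2014-06-10T20:40:47.253Z" Recipient="https://nineoften.mines.edu/castest/">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
 Issuer="localhost" IssueInstant="2014-06-10T20:40:47.253Z">
<saml1:Conditions NotBefore="2014-06-10T20:40:47.253Z" NotOnOrAfter="2014-06-10T20:41:17.253Z">
<saml1:AudienceRestrictionCondition><saml1:Audience>https://nineoften.mines.edu/castest/</saml1:Audience>
</saml1:AudienceRestrictionCondition></saml1:Conditions>
<saml1:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
 AuthenticationInstant="2014-06-10T20:40:47.147Z">
<saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier></saml1:Subject>
</saml1:AuthenticationStatement><saml1:AttributeStatement>
<saml1:Subject><saml1:NameIdentifier>testua</saml1:NameIdentifier></saml1:Subject>
<saml1:Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue>testua</saml1:AttributeValue></saml1:Attribute>
<saml1:Attribute AttributeName="sn" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue>estua</saml1:AttributeValue></saml1:Attribute>
</saml1:AttributeStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# Constructed copy of the RequestDenied response seen with CASValidateSAML Off.
SAMPLE_DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1"
 IssueInstant="2014-06-10T20:43:01.401Z" Recipient="UNKNOWN"><saml1p:Status>
<saml1p:StatusCode Value="saml1p:RequestDenied"/>
<saml1p:StatusMessage>'service' and 'ticket' parameters are both required</saml1p:StatusMessage>
</saml1p:Status></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""


def _instant(s):
    """Parse a SAML 1.1 UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def validate_saml_response(xml, service, now, skew=timedelta(0)):
    """Return (user, {attribute: [values]}) or raise ValueError naming the check that failed."""
    root = ET.fromstring(xml.encode("utf-8") if isinstance(xml, str) else xml)
    resp = root.find("soap:Body/saml1p:Response", NS)
    if resp is None:
        raise ValueError("no saml1p:Response in SOAP body")
    code = resp.find("saml1p:Status/saml1p:StatusCode", NS)
    value = code.get("Value", "") if code is not None else ""
    if not value.endswith("Success"):  # Value is a QName such as saml1p:Success
        msg = resp.findtext("saml1p:Status/saml1p:StatusMessage", default="", namespaces=NS)
        raise ValueError(f"status {value or 'missing'}: {msg}")
    assertion = resp.find("saml1:Assertion", NS)
    if assertion is None:
        raise ValueError("Success status but no assertion")
    cond = assertion.find("saml1:Conditions", NS)
    if cond is not None:
        # Validity window (30 s in the logged response) and audience; skew is the clock tolerance.
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _instant(nb):
            raise ValueError("assertion not yet valid")
        if noa and now - skew >= _instant(noa):
            raise ValueError("assertion expired")
        audiences = [a.text for a in cond.findall("saml1:AudienceRestrictionCondition/saml1:Audience", NS)]
        if audiences and service not in audiences:
            raise ValueError(f"audience mismatch: {audiences}")
    user = assertion.findtext("saml1:AuthenticationStatement/saml1:Subject/saml1:NameIdentifier", namespaces=NS)
    if not user:
        raise ValueError("no NameIdentifier in AuthenticationStatement")
    attrs = {a.get("AttributeName"): [v.text or "" for v in a.findall("saml1:AttributeValue", NS)]
             for a in assertion.findall("saml1:AttributeStatement/saml1:Attribute", NS)}
    return user, attrs


def demo():
    """Run the checks against the samples; returns a dict of outcomes for inspection."""
    service = "https://nineoften.mines.edu/castest/"
    now = datetime(2014, 6, 10, 20, 40, 50, tzinfo=timezone.utc)  # assumed: 3 s after issue
    out = {}
    out["user"], out["attrs"] = validate_saml_response(SAMPLE_SUCCESS, service, now)
    cases = {"denied": (SAMPLE_DENIED, service, now, timedelta(0)),
             "expired": (SAMPLE_SUCCESS, service, now + timedelta(seconds=60), timedelta(0)),
             "skew_ok": (SAMPLE_SUCCESS, service, now + timedelta(seconds=60), timedelta(seconds=60)),
             "wrong_audience": (SAMPLE_SUCCESS, "https://other.example/", now, timedelta(0))}
    for label, args in cases.items():
        try:
            out[label] = validate_saml_response(*args)[0]  # the user name on success
        except ValueError as e:
            out[label] = f"rejected: {e}"
    return out
```

The debugging point this makes: the assertion in the logs is valid for only 30 seconds and is restricted to the exact service URL in the Audience element, so a client whose clock drifts, or whose computed service URL does not match the Audience character for character, will refuse a response that looks perfectly good in the log. Reporting which check rejected the response, as this does, is what separates those cases from a configuration problem on the CAS side.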
