OK, I finally found the problem... First, I had not configured as specified in the link below.

Second, the default installation does not include the required JAR files to support SAML. I added the jars for OpenSAML and also for cas-server-support-saml. Now I redirect back to my client application. Most of the error logs were in a log file I was not inspecting.

From: John Gasper [mailto:[email protected]]
Sent: Monday, November 10, 2014 12:01 PM
To: [email protected]
Subject: Re: [cas-user] Configure CAS 4 to redirect back to client

OK, you are using the SAML 1.1 protocol support. Did you wire in the saml11 support in the spring-configuration/argumentExtractorsConfiguration.xml? See http://jasig.github.io/cas/4.0.0/protocol/SAML-Protocol.html, SAML Argument Extractor.

---
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 11/10/14 8:38 AM, Pitonyak, Andrew D wrote:

While navigating to the login page, I have the following:

https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/cas/login?TARGET=http%3a%2f%2flocalhost%3a60503%2fauth%2flogin%3fp%3d%252FCM2S.html

After login, I have the following:

https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/login;jsessionid=8D94A04A840871AC67C9885A70239DDD?TARGET=http%3a%2f%2flocalhost%3a60503%2fauth%2flogin%3fp%3d%252FCM2S.html

I even tried changing my server name (for the client) and I have these:

While redirecting TO CAS:
https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/cas/login?TARGET=http%3a%2f%2fpitonyakvm-02%3a60503%2fauth%2flogin%3fp%3d%252FCM2S.html

While login page is displayed:
https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/login?TARGET=http%3a%2f%2fpitonyakvm-02%3a60503%2fauth%2flogin%3fp%3d%252FCM2S.html

After I log in and am looking at the CAS page that says "hey, you logged in":
https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/login;jsessionid=B5AF217DBCC7AC3E364E29E524D1C8B4?TARGET=http%3a%2f%2fpitonyakvm-02%3a60503%2fauth%2flogin%3fp%3d%252FCM2S.html

A single URL decode yields this (more readable):

https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/cas/login?TARGET=http://pitonyakvm-02:60503/auth/login?p=%2FCM2S.html
https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/login?TARGET=http://pitonyakvm-02:60503/auth/login?p=%2FCM2S.html
https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/login;jsessionid=B5AF217DBCC7AC3E364E29E524D1C8B4?TARGET=http://pitonyakvm-02:60503/auth/login?p=%2FCM2S.html

Of course, that final parameter decodes to /CM2S.html (not that it probably matters).

From: John Gasper [mailto:[email protected]]
Sent: Monday, November 10, 2014 11:22 AM
To: [email protected]
Subject: Re: [cas-user] Configure CAS 4 to redirect back to client

Hi Andrew,

What's the service= querystring parameter look like when you are sitting at the CAS login page after your client redirected you to CAS Server?

---
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 11/10/14 7:58 AM, Pitonyak, Andrew D wrote:

I have a .NET client that uses CAS single sign-on. When I hit CAS 3.x set up by someone else, I redirect to CAS, authenticate to CAS and then redirect back to my site.

I set up a CAS 4 server on my local machine to test in development. In Windows, I installed Tomcat 8.0.14 (the latest). I then auto-deployed CAS mostly out of the box, with no changes made from the original. I can navigate directly to the site and log in using the default "casuser / Mellon" credentials. (Note that my machine name is pitonyakvm-02 and everything is running locally for this test.)

https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/login

When I use my client to log in, it properly redirects to CAS, CAS shows the login page, I use the default credentials, I am then told that I authenticated but I do not redirect back to my client.

Did I miss a simple property that tells CAS to redirect back after login rather than simply showing the screen that tells me that I successfully authenticated? I assume that my client is sending the correct things since I am able to hit the 3.x version, log in, and redirect back correctly. In this case, CAS is external to my machine.

My first thought is that I need to change something in the login-webflow.xml, but I thought that it was configured by default to redirect. Is it possible that Tomcat deploys by default to not allow redirections?

Andrew D. Pitonyak
Principal Research Scientist
Health & Analytics
505 King Avenue, Columbus, OH 43201
P: 614-424-5252

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
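Added example (Python, not from the thread or the CAS project): a simplified model of the argument-extractor chain John points at, run against the URLs Andrew posted, to show why a stock CAS 4 that only recognises service= lands on the generic success page for a TARGET= request, and where the service-registry check sits. The extractor functions, the chain lists and the registry prefixes are assumptions for illustration, not CAS's own code.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed copies of the two URL shapes in the thread: a SAML 1.1 client
# sends TARGET=, a CAS-protocol client sends service=.
SAML_LOGIN_URL = ("https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/login"
                  "?TARGET=http%3a%2f%2fpitonyakvm-02%3a60503%2fauth%2flogin%3fp%3d%252FCM2S.html")
CAS_LOGIN_URL = ("https://pitonyakvm-02:8443/cas-server-webapp-4.0.0/login"
                 "?service=http%3A%2F%2Fpitonyakvm-02%3A60503%2Fauth%2Flogin")

# Simplified, hypothetical stand-in for the CAS service registry: only these
# service URL prefixes may receive a ticket (the guard against open redirects).
REGISTERED_SERVICE_PREFIXES = ["http://pitonyakvm-02:60503/"]

def cas_extractor(params):
    """CAS protocol: the client names itself with the 'service' parameter."""
    return params.get("service", [None])[0]

def saml11_extractor(params):
    """SAML 1.1 browser profile: the client names itself with 'TARGET'."""
    return params.get("TARGET", [None])[0]

# The stock CAS 4 webapp only wires the CAS extractor; SAML support has to be
# added in argumentExtractorsConfiguration.xml (plus the SAML jars).
DEFAULT_CHAIN = [cas_extractor]
SAML_CHAIN = [cas_extractor, saml11_extractor]

def extract_service(url, chain):
    """Return the service the first matching extractor recognises, else None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for extractor in chain:
        service = extractor(params)
        if service:
            return service
    return None

def login_outcome(url, chain):
    """What the login webflow does after successful authentication."""
    service = extract_service(url, chain)
    if service is None:
        return ("generic-success-page", None)  # "hey, you logged in", no redirect
    if not any(service.startswith(p) for p in REGISTERED_SERVICE_PREFIXES):
        return ("rejected-unregistered-service", service)
    return ("redirect", service)

def client_page(service):
    """Decode the client's nested parameter one more level: p=%2FCM2S.html -> /CM2S.html."""
    return parse_qs(urlsplit(service).query)["p"][0]
```

Note that parse_qs decodes the query once, so the value handed back to the client still contains %2FCM2S.html, exactly as the single decode in the thread shows; the client decodes that level itself.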
