On Thu, 12 Feb 2015, Misagh Moayyed wrote: > The message is misleading and incorrect, yes, and we should correctly > describe the error, which is: your samlValidate endpoint requires not a > service and a ticket, but a TARGET and artifactId. > > I’ll open up an issue to fix this. > > - Misagh
I tried to send xml as described in http://jasig.github.io/cas/4.0.x/protocol/SAML-Protocol.html to /cas/samlValidate CAS_LOGIN=https://cas.quretec.com:8443/cas/login; # SERVICE_VALIDATE=https://cas.quretec.com:8443/cas/serviceValidate; SERVICE_VALIDATE=https://cas.quretec.com:8443/cas/samlValidate; SERVICE='https://nagios.quretec.com/cas'; TGT='TGT-7-pbHVDuT1AjDf3w7mCPON2Aqkm1Pu562wxGPYBacueNswJJ3t7G-cas.quretec.com'; TZ=238 date=`date` timesec=`date -d "${date}" +%s` equestID=_192.168.7.108.${timesec}${TZ} IDtime=`date -d "${date}" +%Y-%m-%dT%H:%M:%S` IssueInstant="${IDtime}.${TZ}Z" echo "RequestID=${RequestID}" echo "IssueInstant=${IssueInstant}" # ST=$(http "$CAS_LOGIN" "Cookie:CASTGC=${TGT}" service=="$SERVICE" | \ # grep -e ticket= | sed -e 's/^.*ticket=//' -e 's/\r//') && \ # http "$SERVICE_VALIDATE" service=="$SERVICE" ticket=="$ST" ST=$(curl -k -v --get --data service="$SERVICE" --cookie CASTGC="$TGT" "$CAS_LOGIN" 2>&1 | \ grep -e '^< Location:' | grep -e ticket= | sed -e 's/^.*ticket=//' -e 's/\r//') xml="<?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\";><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\" MajorVersion=\"1\" MinorVersion=\"1\" RequestID=\"${RequestID}\" IssueInstant=\"${IssueInstant}\"><samlp:AssertionArtifact>${ST}</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>" echo "xml=${xml}" curl -k -v --get --data-urlencode service="$SERVICE" --data-urlencode ticket="${xml}" $SERVICE_VALIDATE But result is still: > GET /cas/samlValidate?service=https%3A%2F%2Fnagios.quretec.com%2Fcas&ticket=%3C%3Fxml%20version%3D1.0%20encoding%3Dutf-8%3F%3E%3CSOAP-ENV%3AEnvelope%20xmlns%3ASOAP-ENV%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fsoap%2Fenvelope%2F%22%3E%3CSOAP-ENV%3AHeader%2F%3E%3CSOAP-ENV%3ABody%3E%3Csamlp%3ARequest%20xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aprotocol%22%20%20MajorVersion%3D%221%22%20MinorVersion%3D%221%22%20RequestID%3D%22_192.168.7.108.1424086899238%22%20IssueInstant%3D%222015-02-16T13%3A41%3A39.238Z%22%3E%3Csamlp%3AAssertionArtifact%3EST-64-Y4TqyaR9ngCoYnGVfaEv-cas.quretec.com%3C%2Fsamlp%3AAssertionArtifact%3E%3C%2Fsamlp%3ARequest%3E%3C%2FSOAP-ENV%3ABody%3E%3C%2FSOAP-ENV%3AEnvelope%3E HTTP/1.1 > User-Agent: curl/7.26.0 > Host: cas.quretec.com:8443 > Accept: */* > * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported < HTTP/1.1 200 OK < Server: Apache-Coyote/1.1 < Cache-control: no-cache, no-store < Pragma: no-cache < SOAPAction: http://www.oasis-open.org/committees/security < Content-Type: text/xml;charset=UTF-8 < Content-Language: en < Transfer-Encoding: chunked < Date: Mon, 16 Feb 2015 11:41:39 GMT < * Connection #0 to host cas.quretec.com left intact <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2015-02-16T11:41:39.515Z" MajorVersion="1" MinorVersion="1" Recipient="UNKNOWN" ResponseID="_f4350423ec0735b1a76dd48b3e535a17"><saml1p:Status><saml1p:StatusCode Value="saml1p:RequestDenied"/><saml1p:StatusMessage>'service' and 'ticket' parameters are both required</saml1p:StatusMessage></saml1p:Status></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>* Closing connection #0 * SSLv3, TLS alert, Client hello (1): > >> On Feb 12, 2015, at 1:44 PM, Tiit Kaeeli <[email protected]> wrote: >> >> Thanks. >> >> CAS is https://github.com/UniconLabs/simple-cas4-overlay-template master >> from 28 nov. 2014 >> >> mod_auth_cas is https://github.com/Jasig/mod_auth_cas master from 19.01.2015 >> >> >> When I use serviceValidate in curl script, the result is: >> >> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> >> <cas:authenticationSuccess> >> <cas:user>kaeeli</cas:user> >> >> >> </cas:authenticationSuccess> >> * Connection #0 to host cas.quretec.com left intact >> </cas:serviceResponse> >> >> >> When turning to samlValidate, the output is >> >>> GET >> /cas/samlValidate?service=https://nagios.quretec.com/cas&ticket=ST-27-u7pHxJeireBDF1BOef0c-cas.quretec.com >> HTTP/1.1 >>> User-Agent: curl/7.26.0 >>> Host: cas.quretec.com:8443 >>> Accept: */* >>> >> * additional stuff not fine transfer.c:1037: 0 0 >> * HTTP 1.1 or later with persistent connection, pipelining supported >> < HTTP/1.1 200 OK >> < Server: Apache-Coyote/1.1 >> < Cache-control: no-cache, no-store >> < Pragma: no-cache >> < SOAPAction: http://www.oasis-open.org/committees/security >> < Content-Type: text/xml;charset=UTF-8 >> < Content-Language: en >> < Transfer-Encoding: chunked >> < Date: Thu, 12 Feb 2015 12:28:05 GMT >> < >> * Connection #0 to host cas.quretec.com left intact >> <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope >> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response >> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" >> IssueInstant="2015-02-12T12:28:05.897Z" MajorVersion="1" MinorVersion="1" >> Recipient="UNKNOWN" >> ResponseID="_109405fffabb202dbcc8915292aaf3a9"><saml1p:Status><saml1p:StatusCode >> Value="saml1p:RequestDenied"/><saml1p:StatusMessage>'service' and 'ticket' >> parameters are both >> required</saml1p:StatusMessage></saml1p:Status></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>* >> Closing connection #0 >> * SSLv3, TLS alert, Client hello (1): >> >> Seems like something is wrong with the curl command. I tried \'\' and \"\" >> around $SERVICE and $ST, but results are always the same. >> >> curl -k -v --get --data service="$SERVICE" --data ticket="$ST" >> $SERVICE_VALIDATE >> >> >> >> >> On Wed, 11 Feb 2015, Waldbieser, Carl wrote: >> >>> >>> Can you use a command line HTTP client like cURL[1] or httpie[2] to request >>> an ST and validate it? Here is a unix shell script I use with httpie to >>> inspect CAS validation responses: >>> >>> #! /bin/sh >>> >>> CAS_LOGIN=https://cas.example.net/cas/login; >>> SERVICE_VALIDATE=https://cas.example.net/cas/serviceValidate; >>> SERVICE='https://service.example.com/login'; >>> TGT='Enter TGT here'; >>> ST=$(http -v "$CAS_LOGIN" "Cookie:CASTGC=${TGT}" service=="$SERVICE" | \ >>> grep -e ticket= | sed -e 's/^.*ticket=//' -e 's/\r//') && \ >>> http "$SERVICE_VALIDATE" service=="$SERVICE" ticket=="$ST" >>> >>> Here is a similar `curl` version: >>> >>> #! /bin/sh >>> >>> CAS_LOGIN=https://cas.example.net/cas/login; >>> SERVICE_VALIDATE=https://cas.example.net/cas/serviceValidate; >>> SERVICE='https://service.example.com/login'; >>> TGT='Enter TGT here'; >>> ST=$(curl -v --get --data service="$SERVICE" --cookie CASTGC="$TGT" >>> "$CAS_LOGIN" 2>&1 | \ >>> grep -e '^< Location:' | grep -e ticket= | sed -e 's/^.*ticket=//' -e >>> 's/\r//') && \ >>> curl -v --get --data service="$SERVICE" --data ticket="$ST" >>> "$SERVICE_VALIDATE" >>> >>> You set the variables like CAS_LOGIN, SERVICE, TGT, etc. You can get a >>> valid TGT from your CAS logs or dig it out of your browser cookies after >>> you authenticate successfully. The lines starting with `ST=` request an ST >>> and validate it. The response is spit out to the console so you can see >>> what the response looks like. Hopefully, that will help you figure out why >>> mod_auth_cas doesn't like the XML it is getting back. >>> >>> Thanks, >>> Carl >>> >>> [1] http://curl.haxx.se/ >>> [2] https://github.com/jakubroztocil/httpie >>> >>> ----- Original Message ----- >>> From: "Tiit Kaeeli" <[email protected]> >>> To: [email protected] >>> Sent: Wednesday, February 11, 2015 11:50:32 AM >>> Subject: Re: [cas-user] <ServiceTicket [...] does not exist.> after >>> <Removing ticket [...] from registry> >>> >>> mod_auth_cas log of the first try. Fails with >>> >>> MOD_AUTH_CAS: Error parsing XML content (Internal error) >>> >>> >>> >>> >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(2026): [client >>> 192.168.8.218] Entering cas_authenticate() >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(645): [client >>> 192.168.8.218] Modified r->args (now '') >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1729): [client >>> 192.168.8.218] entering getResponseFromServer() >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(575): [client >>> 192.168.8.218] CAS Service 'https%3a%2f%2fnagios.quretec.com%2fcas' >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1806): [client >>> 192.168.8.218] Validation response: <?xml version="1.0" >>> encoding="UTF-8"?><SOAP-ENV:Envelope >>> >>> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response >>> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant= >>> "2015-02-11T16:40:02.454Z" MajorVersion="1" MinorVersion="1" >>> Recipient="https://nagios.quretec.com/cas"; >>> ResponseID="_e4cafa37cb4c77fe55aae7c0d482e40e"><saml1 >>> p:Status><saml1p:StatusCode >>> Value="saml1p:Success"/></saml1p:Status><saml1:Assertion >>> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_2121b0 >>> 19c9fedf9b287bb811280e227c" IssueInstant="2015-02-11T16:40:02.454Z" >>> Issuer="localhost" MajorVersion="1" MinorVersion="1"><saml1:Conditions >>> NotBefore="2015-02 >>> -11T16:40:02.454Z" >>> NotOnOrAfter="2015-02-11T16:40:32.454Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nagios.quretec.com/cas</saml1:Audience >>>> </saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement >>> AuthenticationInstant="2015-02-11T15:07:56.192Z" AuthenticationMethod >>> ="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>kaeeli</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:Confirmatio >>> nMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></saml1 >>> :Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope> >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1434): [client >>> 192.168.8.218] entering isValidCASTicket() >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1440): [client >>> 192.168.8.218] MOD_AUTH_CAS: response = <?xml version="1.0" >>> encoding="UTF-8"?><SOAP-ENV:Enve >>> lope >>> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response >>> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInst >>> ant="2015-02-11T16:40:02.454Z" MajorVersion="1" MinorVersion="1" >>> Recipient="https://nagios.quretec.com/cas"; >>> ResponseID="_e4cafa37cb4c77fe55aae7c0d482e40e"><s >>> aml1p:Status><saml1p:StatusCode >>> Value="saml1p:Success"/></saml1p:Status><saml1:Assertion >>> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_21 >>> 21b019c9fedf9b287bb811280e227c" IssueInstant="2015-02-11T16:40:02.454Z" >>> Issuer="localhost" MajorVersion="1" MinorVersion="1"><saml1:Conditions >>> NotBefore="201 >>> 5-02-11T16:40:02.454Z" >>> NotOnOrAfter="2015-02-11T16:40:32.454Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nagios.quretec.com/cas</saml1:Audi >>> ence></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement >>> AuthenticationInstant="2015-02-11T15:07:56.192Z" AuthenticationMe >>> thod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>kaeeli</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:Confirm >>> ationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></s >>> aml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope> >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1266): [client >>> 192.168.8.218] entering createCASCookie() >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1061): [client >>> 192.168.8.218] entering CASCleanCache() >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1117): [client >>> 192.168.8.218] Beginning cache clean >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1140): [client >>> 192.168.8.218] Processing cache file 'd76eaa64b28d6adf641e9d8fe59e39bb' >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(890): [client >>> 192.168.8.218] entering readCASCacheFile() >>> [Wed Feb 11 18:40:02 2015] [error] [client 192.168.8.218] MOD_AUTH_CAS: >>> Error parsing XML content (Internal error) >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1156): [client >>> 192.168.8.218] Removing corrupt cache entry >>> 'd76eaa64b28d6adf641e9d8fe59e39bb' >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1406): [client >>> 192.168.8.218] entering deleteCASCacheFile() >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(890): [client >>> 192.168.8.218] entering readCASCacheFile() >>> [Wed Feb 11 18:40:02 2015] [error] [client 192.168.8.218] MOD_AUTH_CAS: >>> Error parsing XML content (Internal error) >>> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1178): [client >>> 192.168.8.218] entering writeCASCacheEntry() >>> >>> >>> >>> >>>> >>>> Yes. >>>> The service ticket can only be used once. >>>> Once a service validates the service ticket, it ought to establish some >>>> kind of local application specific session. >>>> The fact that the ticket is being validated twice suggests that maybe the >>>> client is configured incorrectly. >>>> >>>> Thanks, >>>> Carl Waldbieser >>>> ITS System Programmer >>>> Lafayette College >>>> >>>> ----- Original Message ----- >>>> From: "Tiit Kaeeli" <[email protected]> >>>> To: [email protected] >>>> Sent: Wednesday, February 11, 2015 8:10:56 AM >>>> Subject: [cas-user] <ServiceTicket [...] does not exist.> after <Removing >>>> ticket [...] from registry> >>>> >>>> Hi, >>>> >>>> I got mod_auth_cas working without SAML. Now I am trying to enable SAML >>>> for LDAP group based auth. But unfortunately apache returns 401. So I am >>>> in need for help again. >>>> >>>> In tomcat logs, there are no errors, but final result is >>>> >>>> WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com >>>> ACTION: SERVICE_TICKET_VALIDATE_FAILED >>>> >>>> >>>> >>>> Before this I see: >>>> >>>> 2015-02-11 14:38:16,202 DEBUG >>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to >>>> retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]> >>>> 2015-02-11 14:38:16,202 DEBUG >>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket >>>> [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] found in registry.> >>>> 2015-02-11 14:38:16,202 DEBUG >>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to return >>>> for service [HTTP and IMAP] is [kaeeli]. The default principal id is >>>> [kaeeli].> >>>> 2015-02-11 14:38:16,202 DEBUG >>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket >>>> [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] from registry> >>>> 2015-02-11 14:38:16,202 DEBUG >>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to >>>> retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]> >>>> 2015-02-11 14:38:16,202 INFO >>>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit >>>> trail record BEGIN >>>> ============================================================= >>>> WHO: audit:unknown >>>> WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com >>>> ACTION: SERVICE_TICKET_VALIDATED >>>> APPLICATION: CAS >>>> WHEN: Wed Feb 11 14:38:16 EET 2015 >>>> CLIENT IP ADDRESS: 192.168.7.108 >>>> SERVER IP ADDRESS: 192.168.7.183 >>>> ============================================================= >>>> >>>> >>>> ... >>>> >>>> 2015-02-11 14:38:16,562 DEBUG >>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to >>>> retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]> >>>> 2015-02-11 14:38:16,562 INFO >>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket >>>> [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] does not exist.> >>>> 2015-02-11 14:38:16,566 DEBUG >>>> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to >>>> retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]> >>>> 2015-02-11 14:38:16,566 INFO >>>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit >>>> trail record BEGIN >>>> ============================================================= >>>> WHO: audit:unknown >>>> WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com >>>> ACTION: SERVICE_TICKET_VALIDATE_FAILED >>>> APPLICATION: CAS >>>> WHEN: Wed Feb 11 14:38:16 EET 2015 >>>> CLIENT IP ADDRESS: 192.168.7.108 >>>> SERVER IP ADDRESS: 192.168.7.183 >>>> ============================================================= >>>> >>>> >>>> >>>> >>>> It seems, that service ticket is looked for twice, first time it succeeds. >>>> Then the ticket is removed from the registry. The other attemp after that >>>> fails. >>>> >>>> Is this normal and expected behaviour? >>>> >>>> >>>> >>>> >>> >>> >>> >> >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user > > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
