Hello,

I'm using CAS 6.0.4 and I'm trying to do a SAML SP integration with AWS but 
it seems that having an attribute with name 
"https://aws.amazon.com/SAML/Attributes/SessionDuration" causes CAS to fail 
when redirecting to itself after the initial authentication.

I've been digging into how CAS builds the SAML response and it appears that 
the issue is related to the DefaultCasProtocolAttributeEncoder 
<https://github.com/apereo/cas/blob/9da2aceba83bfbef57f7a856efa8656d7013a028/core/cas-server-core-services-authentication/src/main/java/org/apereo/cas/authentication/support/DefaultCasProtocolAttributeEncoder.java#L103>
and how it hex encodes attribute names that contain the ":" or "@" 
character. When it encodes 
"https://aws.amazon.com/SAML/Attributes/SessionDuration" the resulting 
value is 
"68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e", 
so the resulting casServiceValidationSuccess response is as follows:


<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>T9HpcKRRSSigqWVCNdViTqijyvQ=</cas:user>
        <cas:attributes>
            <cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>43200</cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>

However, 
cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e 
is not valid XML as the namespace string can only start with a letter or 
'_'. This causes Cas20ServiceTicketValidator.extractCustomAttributes(xml) 
to fail when it delegates to the cas-client's 
XmlUtils.getTextForElement(response, "authenticationFailure") 
<https://github.com/apereo/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ServiceTicketValidator.java#L165>.

I'm not sure how to fix this issue as it seems like the encoding and 
decoding of attribute names are quite decoupled. Is there something that 
I'm missing with my configuration?

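An added illustration, not code from the post or from CAS itself, that reproduces the failure described above in Python: it emulates the hex encoding the poster describes, checks the resulting element name against the XML NCName rule, and feeds a response built the way the posted one looks to a real XML parser. The `encode_attribute_name`, `build_service_response` and `find_invalid_attribute_names` helpers are assumptions modelled on the posted response, not CAS or cas-client APIs.

```python
import re
import xml.etree.ElementTree as ET

# Assumption modelled on the post: any attribute name containing ':' or '@'
# is replaced by the hex encoding of its UTF-8 bytes; other names pass through.
def encode_attribute_name(name: str) -> str:
    if ":" in name or "@" in name:
        return name.encode("utf-8").hex()
    return name

# Simplified (ASCII-only) XML 1.0 NCName: must start with a letter or '_',
# may continue with letters, digits, '_', '-' or '.', and contains no ':'.
# The full production also admits many non-ASCII ranges, omitted here.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

def is_valid_ncname(local_name: str) -> bool:
    return bool(_NCNAME.match(local_name))

def find_invalid_attribute_names(attributes: dict) -> list:
    """Pre-flight check: names whose encoded form cannot be an XML element name.
    Every printable ASCII byte hex-encodes to a string starting with a digit
    (0x20..0x7e), so any ':'/'@' name fed through the encoder fails this test."""
    return [n for n in attributes if not is_valid_ncname(encode_attribute_name(n))]

def build_service_response(user: str, attributes: dict) -> str:
    """Emit a CAS 2.0 validation response shaped like the one in the post."""
    lines = [
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>",
        "  <cas:authenticationSuccess>",
        f"    <cas:user>{user}</cas:user>",
        "    <cas:attributes>",
    ]
    for name, value in attributes.items():
        enc = encode_attribute_name(name)
        lines.append(f"      <cas:{enc}>{value}</cas:{enc}>")
    lines += ["    </cas:attributes>", "  </cas:authenticationSuccess>",
              "</cas:serviceResponse>"]
    return "\n".join(lines)

def response_parses(xml_text: str) -> bool:
    """True if a standard XML parser (expat) accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```

Running `find_invalid_attribute_names` over the released attributes before the response is built flags the AWS SessionDuration name, while `response_parses` shows the same document a plain `mail` attribute produces is accepted.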