CAS not redirecting to service after successful authentication.


Neha Gupta

May 7, 2018, 10:12:34 AM
to CAS Community
Dear All,

I am trying to integrate CAS with an ASP.NET application.
Everything is working fine, but CAS is not able to redirect to the destination service and is showing its own logged-in page.

Final URL is: - https://idiv-dev1:8443/cas/login?TARGET=http%3a%2f%2flocalhost%3a60397%2f

where TARGET defines my service URL, to which I want CAS to redirect.

I have made the following configuration in the "web.config" file:

<casClientConfig
  casServerLoginUrl="https://idiv-dev1:8443/cas/login"
  casServerUrlPrefix="https://idiv-dev1:8443/cas/"
  notAuthorizedUrl="~/NotAuthorized.aspx"
  redirectAfterValidation="true"
  renew="false"
  singleSignOut="true"
  ticketValidatorName="Saml11"
  serviceTicketManager="CacheServiceTicketManager"
/>

<authentication mode="Forms">
  <forms name=".DotNetCasClientAuth" loginUrl="https://idiv-dev1:8443/cas/login" cookieless="UseCookies" />
</authentication>

Along with this configuration, I have also mentioned the two lines below in "FilterConfig.cs":

filters.Add(new System.Web.Mvc.AuthorizeAttribute());
filters.Add(new RequireHttpsAttribute());


Please let me know where the problem is, as I have no clue.

PS: I have registered the service with CAS, and the service below is also present, which authorizes all services to pass through CAS:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps|http)://.*",
  "name" : "Apereo",
  "theme" : "apereo",
  "id" : 10000002,
  "description" : "Apereo foundation sample service",
  "evaluationOrder" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}




Regards
Neha Gupta
CASintegrationwithASP.txt

Andy Ng

May 7, 2018, 9:40:21 PM
to CAS Community
Hi Neha,

I would like to know which documentation you learned about the parameter TARGET from, as in "https://idiv-dev1:8443/cas/login?TARGET=http%3a%2f%2flocalhost%3a60397%2f"; I didn't see this parameter in the official documentation.
Maybe it is something related to ASP.NET?

Anyway, the usual parameter for defining the service in CAS is "service", which means your URL should be "https://idiv-dev1:8443/cas/login?service=http%3a%2f%2flocalhost%3a60397%2f"

It is nice that you attached the debug log:
- I can see that the service is registered successfully based on "<Adding registered service [^(https|imaps|http)://.*]>", so your service registration is correct.

Regarding the part related to ASP.NET, I have no idea, so I would not comment on that. But I think since you can log in successfully, the ASP.NET part should be fine as is.

Cheers!
- Andy

Neha Gupta

May 8, 2018, 6:56:14 AM
to CAS Community
Hello Andy,

Thanks for the reply.
I was also wondering about the TARGET in the URL, and I think it's because of the ticketValidatorName="Saml11" mentioned in the web.config file of the ASP.NET application; when I change the value of "ticketValidatorName" to Cas10 or Cas20, it does not work at all. Also, please find attached traces of the same.

Hope this will help.


Regards
Neha Gupta
CAS_ASPSecondTrace.txt
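
The parameter question raised in the two messages above, as an added example that is not part of the original thread: a small check that maps ticketValidatorName to the request parameters and validation endpoint it implies, and flags the http/https mix in the posted URL. The parameter and endpoint names come from the CAS protocol and its SAML 1.1 binding (an assumption brought in from outside the thread); `audit` and the sample constants are hypothetical names built from the values posted above.

```python
from urllib.parse import urlsplit, parse_qs, urljoin
import xml.etree.ElementTree as ET

# Validator name -> (service parameter, ticket parameter, validation endpoint).
# Names are from the CAS protocol and its SAML 1.1 binding, not from the thread.
PROTOCOLS = {
    "Cas10": ("service", "ticket", "validate"),
    "Cas20": ("service", "ticket", "serviceValidate"),
    "Saml11": ("TARGET", "SAMLart", "samlValidate"),
}

# Constructed sample: the thread's casClientConfig values and final URL.
CONFIG = ('<casClientConfig casServerLoginUrl="https://idiv-dev1:8443/cas/login" '
          'casServerUrlPrefix="https://idiv-dev1:8443/cas/" '
          'ticketValidatorName="{}" />')
LOGIN_URL = "https://idiv-dev1:8443/cas/login?TARGET=http%3a%2f%2flocalhost%3a60397%2f"

def audit(config_xml, login_url):
    """Report the parameters the configured validator uses, plus findings."""
    cfg = ET.fromstring(config_xml).attrib
    validator = cfg["ticketValidatorName"]
    service_param, ticket_param, endpoint = PROTOCOLS[validator]
    prefix = cfg["casServerUrlPrefix"]
    query = parse_qs(urlsplit(login_url).query)
    findings = []
    if not cfg["casServerLoginUrl"].startswith(prefix):
        findings.append("casServerLoginUrl is not under casServerUrlPrefix")
    service_url = query.get(service_param, [None])[0]
    if service_url is None:
        findings.append(f"{validator} expects '{service_param}' on the login "
                        f"URL, found {sorted(query)}")
    elif urlsplit(service_url).scheme != urlsplit(prefix).scheme:
        findings.append(f"mixed schemes: CAS is {urlsplit(prefix).scheme}, "
                        f"service is {urlsplit(service_url).scheme}")
    return {
        "service_param": service_param,
        "ticket_param": ticket_param,
        # Back-channel URL the client fetches to validate the ticket; a TLS
        # trust failure on this request stops validation.
        "validation_url": urljoin(prefix, endpoint),
        "service_url": service_url,
        "findings": findings,
    }

if __name__ == "__main__":
    for name in ("Saml11", "Cas20"):
        print(name, audit(CONFIG.format(name), LOGIN_URL))
```
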

Ray Bon

May 8, 2018, 12:39:44 PM
to cas-...@apereo.org
Neha,

There may be other settings that need to be modified when switching from SAML11 to CAS20. ST are being created but not validated. Your ASP.NET client is not configured correctly.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Neha Gupta

May 9, 2018, 4:25:46 AM
to CAS Community
Hello Ray,

Yes, that is what is clear from the traces: service tickets are getting generated but not validated. I have done all the configuration required in the ASP.NET application.
In fact, I just included the "DotNetCasClient" package and everything was done automatically. I just changed the values of some attributes like casServerLoginUrl, casServerUrlPrefix etc.

Below is the link which I followed for doing the changes in the ASP.NET application: -

I don't have any idea as to what can be done to solve this problem, and I would greatly appreciate it if your community can help me out to solve the issue.

I am attaching the web.config file for reference here.

PS: I don't have any intention of using any particular ticket validator. Initially I tried with Cas20, but as it was not working I switched to Saml11, which, though working, is not redirecting to the ASP.NET application.


Regards
Neha Gupta
Web.config

Neha Gupta

May 14, 2018, 7:13:00 AM
to CAS Community
Hello Ray,

Request you to please help me out with this.
Please let me know in case you need any other information.


Regards
Neha Gupta

Ray Bon

May 15, 2018, 1:16:07 PM
to cas-...@apereo.org
Neha,

I have not used the .NET client. There may be more configuration that can be done.
One possibility is certificate validity. For .NET client to connect to CAS during ticket validation, CAS needs to verify client certificate.
Are you using self signed certificates? If so, they need to be added to the JVM running CAS.

Ray

N&S Technical Channel NS

May 23, 2018, 5:27:11 AM
to cas-...@apereo.org
Hello Ray,

Yes, I am using a self-signed certificate and have already added it.
My Java application is working fine with CAS, but not ASP.

What more can I try? Really stuck with the problem with no clue what to do next :(


Regards
Neha Gupta


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1526404559.1817.18.camel%40uvic.ca.

Ray Bon

May 23, 2018, 11:55:32 AM
to cas-...@apereo.org
Neha,

I have not used ASP so am unfamiliar with its operation. Perhaps certificates need to be added to the ASP environment?
Do you have a way to watch ASP network communications?

Ray

Neha Gupta

Jun 20, 2018, 4:50:55 AM
to CAS Community
Hello Ray,

An update to the problem: -

I switched on the traces as described under link: -

So if I am using ticketValidatorName as "Cas20" in web.config (casClientConfig) of my ASP.NET application, then I am getting the error below (translated from German :) ):

DotNetCasClient.Protocol Information: 3237 : Ticket validation failed: System.Net.WebException: The underlying connection has been closed: No trust could be established for the SSL / TLS protected channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid by validation method.


But when I am using ticketValidatorName as "Saml11", I am not getting any error, but CAS is still not able to forward to the ASP application and is showing its own page as stated before.

So can this problem be because of the self-signed certificate?

PS: I tried without the SSL certificate and accessed both CAS and the ASP application on "http", and it worked. I am properly getting redirected to the ASP application after validation at the CAS side and used "ticketValidatorName" as "Cas20", but when I changed it to "Saml11", then again the CAS page is displayed instead of the ASP application.


Regards
Neha Gupta

Ray Bon

Jun 20, 2018, 2:43:55 PM
to cas-...@apereo.org
Neha,

You may have to add the self signed certificate to .NET. Another item to consider when creating the self signed certs is CERT_SUBJ_ALT_NAMES since your cas server and test service are on different hosts.

Ray
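
The subject-alternative-name point from the message above, as an added example that is not part of the original thread: a strict host-name check of a certificate against the host in casServerUrlPrefix. It covers only name matching, not whether the client trusts the issuer; the certificate dicts are constructed samples shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label covering one label."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or not rest:
        return False
    _, _, host_rest = host.partition(".")
    return host_rest == rest

def check_identity(cert, url):
    """cert: dict shaped like getpeercert(); url: the casServerUrlPrefix value."""
    host = urlsplit(url).hostname
    # Strict check: only DNS subjectAltName entries count; the subject
    # commonName is not consulted (Python's ssl module behaves this way).
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        return {"host": host, "ok": False,
                "reason": "no DNS subjectAltName entries"}
    if any(name_matches(name, host) for name in dns_names):
        return {"host": host, "ok": True, "reason": "covered by subjectAltName"}
    return {"host": host, "ok": False,
            "reason": f"subjectAltName lists {dns_names}, not {host}"}

# Constructed sample certificates (not taken from the thread's server).
CAS_URL = "https://idiv-dev1:8443/cas/"
CN_ONLY = {"subject": ((("commonName", "idiv-dev1"),),)}
WRONG_SAN = {"subjectAltName": (("DNS", "localhost"),)}
BOTH_HOSTS = {"subjectAltName": (("DNS", "idiv-dev1"), ("DNS", "localhost"))}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("wrong SAN", WRONG_SAN),
                        ("both hosts", BOTH_HOSTS)):
        print(label, check_identity(cert, CAS_URL))
```
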

Pablo Vidaurri

Mar 26, 2019, 6:30:29 PM
to CAS Community
Have you found a solution for this? I'm using a Java client, also using the saml11 filter, and I can't get my CAS server to redirect back to my application after login.

Bryan Wooten

Mar 26, 2019, 6:37:31 PM
to cas-...@apereo.org
Is there a load balancer involved?

I see you have a mix of https and http in the configuration.

We had a similar issue with .Net. Our load balancer was not configured to redirect http to https.

-Bryan
