Problem in SAML delegation: TICKET_GRANTING_TICKET_DESTROYED


Riccardo Saponi

Mar 11, 2019, 2:41:11 AM
to CAS Community
Hi everyone! 

We would like some support about this event in the login webflow:

TICKET_GRANTING_TICKET_DESTROYED

We have CAS 5.1.3 with a SAML delegation to another IdP and some web applications that are using CAS as SSO provider.
In some cases, when the user leaves the browser open and inactive for many hours (e.g. overnight), we get the event TICKET_GRANTING_TICKET_DESTROYED during the login webflow. This event seems to lose the original service of the web app we used to call CAS. We see this event before the SAML IdP is called.

After the login on the SAML IdP the user is redirected to the success page of CAS instead of the initial service page. Our CAS version is 5.1.3. Does anyone know whether this behaviour is correct or a bug? We have default configurations for TGT and ST duration in cas.properties.
We have looked for any documentation about the event TICKET_GRANTING_TICKET_DESTROYED, but with no success.


This is an example of cas_audit.log with the wrong login webflow.

2019-03-08 05:33:21,073 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Mar 08 05:33:21 CET 2019,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:21 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================


2019-03-08 05:33:21,076 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-**************************************************9yyIGd5HwW-cascredem
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:21 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================


2019-03-08 05:33:24,948 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT01097
WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@578b862c[id=UT01097]]  (return of SAML IDP)
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:24 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================


2019-03-08 05:33:24,955 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT01097
WHAT: TGT-**************************************************XGzd4xOnGb-cascredem
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:24 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================

2019-03-08 05:33:25,521 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Mar 08 05:33:25 CET 2019,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:25 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================


2019-03-08 05:33:25,533 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT01097
WHAT: ST-75355-2etLNdlkQtnkmDSq2DGd-cascredem for https://myhostname/c/portal/login   (without service!)
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:25 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================


2019-03-08 05:33:25,738 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT01097
WHAT: ST-75355-2etLNdlkQtnkmDSq2DGd-cascredem
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Mar 08 05:33:25 CET 2019
CLIENT IP ADDRESS: 10.132.0.7
SERVER IP ADDRESS: 10.132.0.6
=============================================================



This is an example of cas_audit.log with the correct login webflow (you can see the original service and there is no TICKET_GRANTING_TICKET_DESTROYED event).

2019-03-08 04:15:13,897 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Mar 08 04:15:13 CET 2019,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:13 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================


2019-03-08 04:15:18,663 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT0A011
WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@3126759e[id=UT0A011]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:18 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================


2019-03-08 04:15:18,673 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT0A011
WHAT: TGT-**************************************************pBoZWWSfQ6-cascredem
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:18 CET 2019
CLIENT IP ADDRESS: 82.185.105.200
SERVER IP ADDRESS: 10.132.0.5
=============================================================


2019-03-08 04:15:18,688 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT0A011
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:18 CET 2019

2019-03-08 04:15:18,926 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: UT0A011
WHAT: ST-75348-AAc95fO7MjnEmpjFeJbE-cascredem
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Mar 08 04:15:18 CET 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
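The two audit extracts above share one layout, so the stale-cookie flow can be spotted mechanically rather than by reading records one at a time. The script below is an added example, not code from the CAS or Inspektr projects or from the poster: it parses the "Audit trail record BEGIN" blocks into dicts, groups them by client address, and reports every TICKET_GRANTING_TICKET_DESTROYED that is followed within a short window by a new TICKET_GRANTING_TICKET_CREATED, together with the service tickets issued afterwards, so an operator can see which service URL the user actually ended up with. The embedded log sample is constructed in the same layout as the thread's records; its ticket ids, user names, addresses and timestamps are made up, and the 60-second window is an assumed default.

```python
"""Added triage example (not CAS/Inspektr code): parse the multi-line
"Audit trail record" blocks CAS writes to cas_audit.log and flag flows where a
stale ticket-granting cookie caused TICKET_GRANTING_TICKET_DESTROYED right
before a fresh authentication from the same client address."""
import re
from collections import defaultdict
from datetime import datetime

# First line of every record: timestamp, level, logger, then the BEGIN marker.
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ .*Audit trail record BEGIN"
)
# "KEY: value" lines inside a record (keys are upper-case words, e.g. CLIENT IP ADDRESS).
FIELD = re.compile(r"^([A-Z][A-Z ]*): (.*)$")

# Constructed sample in the thread's layout; ids, users, addresses (RFC 5737
# test ranges) and timestamps are made up.
SAMPLE_LOG = """\
2019-03-08 05:33:21,076 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-****-stale-example
ACTION: TICKET_GRANTING_TICKET_DESTROYED
CLIENT IP ADDRESS: 203.0.113.10
=============================================================
2019-03-08 05:33:24,955 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user01
WHAT: TGT-****-fresh-example
ACTION: TICKET_GRANTING_TICKET_CREATED
CLIENT IP ADDRESS: 203.0.113.10
=============================================================
2019-03-08 05:33:25,533 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user01
WHAT: ST-1-example for https://portal.example.org/c/portal/login
ACTION: SERVICE_TICKET_CREATED
CLIENT IP ADDRESS: 203.0.113.10
=============================================================
2019-03-08 04:15:18,673 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user02
WHAT: TGT-****-clean-example
ACTION: TICKET_GRANTING_TICKET_CREATED
CLIENT IP ADDRESS: 203.0.113.20
=============================================================
"""


def parse_audit_records(text):
    """Turn the log text into a list of dicts, one per audit record."""
    records, current = [], None
    for line in text.splitlines():
        start = RECORD_START.match(line)
        if start:
            current = {"ts": datetime.strptime(start.group(1), "%Y-%m-%d %H:%M:%S,%f")}
            records.append(current)
            continue
        if current is None or line.startswith("="):
            continue  # separator rows and text outside any record
        field = FIELD.match(line)
        if field:
            current[field.group(1)] = field.group(2).strip()
    return records


def find_stale_tgc_logins(records, window_seconds=60):
    """Per client address, pair each destroyed TGT with the next TGT created
    inside the window and list the service tickets issued after it."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec.get("CLIENT IP ADDRESS", "?")].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec.get("ACTION") != "TICKET_GRANTING_TICKET_DESTROYED":
                continue
            created = next(
                (c for c in recs[i + 1:]
                 if c.get("ACTION") == "TICKET_GRANTING_TICKET_CREATED"
                 and (c["ts"] - rec["ts"]).total_seconds() <= window_seconds),
                None,
            )
            if created is None:
                continue  # expiry without an immediate re-login: not this pattern
            findings.append({
                "client": client,
                "user": created.get("WHO"),
                "destroyed_tgt": rec.get("WHAT"),
                "new_tgt": created.get("WHAT"),
                "service_tickets": [
                    s.get("WHAT") for s in recs
                    if s.get("ACTION") == "SERVICE_TICKET_CREATED" and s["ts"] >= created["ts"]
                ],
            })
    return findings


if __name__ == "__main__":
    for f in find_stale_tgc_logins(parse_audit_records(SAMPLE_LOG)):
        print(f"{f['client']} user={f['user']} {f['destroyed_tgt']} -> {f['new_tgt']}")
        print("    service tickets:", f["service_tickets"])
```

Run it against a real cas_audit.log by replacing SAMPLE_LOG with the file contents; grouping by CLIENT IP ADDRESS is what keeps the SERVICE_TICKET_VALIDATED records, which arrive from the application server's address rather than the browser's, out of the per-user flow.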

Ray Bon

Mar 11, 2019, 11:45:49 AM
to cas-...@apereo.org
Riccardo,

The ticket granting ticket destroyed is the result of the stale session. Your browser has a TGC from the old session and sends it to CAS. CAS finds the expired TGT and discards it from the ticket store. CAS then initiates a new login flow.

Check that your client application is sending the correct return URL on expired session (your client may also have an expired session).

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Riccardo Saponi

Mar 11, 2019, 12:24:00 PM
to CAS Community
Hi Ray and thank you for your answer.

Yes, what you say is correct. This situation happens when the session expires on my client application and the client application redirects to the CAS server. During this redirect the CAS client always sends the complete service URL.

Sometimes the user leaves the browser open and inactive for many hours, so the TGC remains in the browser (cookie in memory by default) but the TGT is expired. It is only in this situation that we lose the service parameter and get a clean one.

Maybe we have to set the maxAge for the TGC?

Now we have these parameters for the TGC and TGT:


cas.tgc.maxAge=-1
cas.ticket.tgt.timeToKillInSeconds=30800
cas.ticket.tgt.maxTimeToLiveInSeconds=30800
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=30800
cas.ticket.tgt.hardTimeout.timeToKillInSeconds=30800



Thanks!
Riccardo