pac4j SAML2 authn request protocol binding


Scott Koranda

Mar 21, 2018, 5:24:16 PM
to cas-...@apereo.org
Hi,

I am using pac4j delegated authentication with SAML2 so that CAS uses a
SAML2 Identity Provider (IdP) for authentication.

With CAS version 5.1.3 the <AuthnRequest> sent to the IdP has

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

as I expect, and that matches the metadata for the CAS server SP that
was given to the IdP. The CAS server auto-generated SP SAML metadata
contains

<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://my.server/cas/login?client_name=SAML2Client"
index="0"/>

So this is consistent and the SAML flow works as expected.

With CAS version 5.2.3 the <AuthnRequest> sent to the IdP has instead

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

That is not what I expect and appears to be a regression.

Further, if I delete the auto-generated SP metadata so that CAS version
5.2.3 re-generates it, I see in the metadata

<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://my.server/cas/login?client_name=SAML2Client"
index="0"/>

Again, this is not what I expect for the SP ACS. I would expect it to
be using the HTTP-POST binding.

Can someone confirm that this is a regression somewhere between 5.1.3
and 5.2.3?

Thanks,

Scott K
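The mismatch described in this post (an AuthnRequest whose ProtocolBinding is not one of the bindings the SP's own metadata advertises for its AssertionConsumerService) can be checked mechanically. The following is an added example, not code from the thread or from CAS/pac4j; the metadata and AuthnRequest XML are constructed from the values quoted above, and the entityID and request ID are placeholders.

```python
# Added example (not from the thread or from CAS/pac4j): verify that the
# ProtocolBinding and AssertionConsumerServiceURL an SP puts in its
# <samlp:AuthnRequest> match an <md:AssertionConsumerService> the SP advertises.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ACS_URL = "https://my.server/cas/login?client_name=SAML2Client"

# Constructed SP metadata mirroring the CAS 5.1.3 ACS element from the post;
# the entityID is a placeholder.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://my.server/cas/PLACEHOLDER-ENTITY-ID">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService Binding="{POST}" Location="{ACS_URL}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(binding: str, acs_url: str = ACS_URL) -> str:
    """Constructed minimal AuthnRequest carrying only the attributes checked here."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_placeholder-id" '
        f'Version="2.0" IssueInstant="2018-03-21T17:24:16Z" '
        f'ProtocolBinding="{binding}" AssertionConsumerServiceURL="{acs_url}"/>'
    )


def check_binding(metadata_xml: str, request_xml: str):
    """Return (consistent, requested_binding, advertised_bindings).

    consistent is True only when the (binding, URL) pair the request asks the IdP
    to respond with is one the SP metadata advertises. IdPs that validate requests
    against metadata will reject or mis-deliver the response otherwise, which is
    how the regression in the post surfaces.
    """
    md = ET.fromstring(metadata_xml)
    advertised = {
        (acs.get("Binding"), acs.get("Location"))
        for acs in md.findall(".//md:AssertionConsumerService", NS)
    }
    req = ET.fromstring(request_xml)
    requested = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL"))
    return requested in advertised, requested[0], sorted(b for b, _ in advertised)
```

Run it against the metadata file CAS generated and a decoded AuthnRequest captured from the browser to confirm whether the two agree before changing dependency versions.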

Scott Koranda

Mar 25, 2018, 4:33:27 PM
to cas-...@apereo.org
I used a Maven overlay to build version 5.2.3 but then after Tomcat
exploded the WAR I did

cd /var/lib/tomcat8/webapps/cas/WEB-INF/lib
rm pac4j-saml-2.2.0.jar
cp /home/skoranda/pac4j/pac4j-saml/target/pac4j-saml-2.3.1-SNAPSHOT.jar .

and restarted Tomcat. The pac4j version 2.3.1 jar was one I built from source by doing

git clone g...@github.com:pac4j/pac4j.git
cd pac4j
git checkout 2.2.x
mvn install -DskipTests

That caused the issue to go away: the <AuthnRequest> from the CAS SP to
the remote IdP included

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

as I expected and it matched the <AssertionConsumerService> element in
the existing SP metadata.

By default, when CAS 5.2.3 is deployed with a Maven overlay, version 2.2.0
of pac4j is used, but with version 2.3.1 of pac4j the issue is resolved.

I edited my pom.xml file and changed

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>

to be instead

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>${cas.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.pac4j</groupId>
            <artifactId>pac4j-saml</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-saml</artifactId>
    <version>2.3.1</version>
</dependency>

This allowed CAS version 5.2.3 to leverage pac4j version 2.3.1 and resolved
the issue.

Thanks,

Scott K

Jérôme LELEU

Mar 26, 2018, 1:10:50 AM
to CAS Community
Hi,

Yes, there is an issue with pac4j v2.2.0 regarding the SAML support. Upgrading to pac4j v2.2.1 should be enough to fix the problem.

That said, the latest release is indeed the version 2.3.1.

I submitted a PR to fix that: https://github.com/apereo/cas/pull/3255

Thanks.
Best regards,
Jérôme