Login successful but service ticket not validated even if the service is the same


Christian Poirier

Jun 5, 2019, 3:58:46 PM
to CAS Community
Hi

I have 4 stage environments. DEV, TEST, PREPROD and PROD

The authentication works on the first 2 but not on the last 2.

The error code I received is INVALID_SERVICE, as shown in the following XML response:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code="INVALID_SERVICE">
        Ticket &#39;ST-2-NebQkEA0E-s5uqwpvia2zg1RbtUtlqauth-l-prod1&#39; does not match supplied service.
        The original service was &#39;http://127.0.0.1/login/login.aspx?ReturnUrl=/bottin/liste.aspx&#39; and
        the supplied service was &#39;http://127.0.0.1/login/login.aspx?ReturnUrl=/bottin/liste.aspx&#39;.
    </cas:authenticationFailure>
</cas:serviceResponse>

If you look at the original service and supplied service, they are the same string value.

If I use the DEV and TEST, they are OK.
The configuration is the same for all servers except minor settings like names and LDAP referenced.

Does anyone know what is happening?

Thanks

Christian Poirier

Jun 6, 2019, 4:53:37 PM
to CAS Community
I found why I have that error. When I define multiple requiredHandlers for the service, as shown in the following code, even if I am authenticated, the service cannot be validated. The required handlers are not mandatory but mutually optional. If one does not work, use the second.

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https?://(((localhost(\\.uquebec\\.ca)?)|(127\\.0\\.0\\.1)|(.+-pc\\.teluq\\.uquebec\\.ca))(:[0-9]+)?)(/?.*)",
  "id" : 10000004,
  "name" : "Applications localhost",
  "theme" : "teluq",
  "description" : "Cette définition de service permet les connexions aux applications locales",
  "evaluationOrder" : 11004,
  "requiredHandlers" : [ "java.util.HashSet", [ "ldapHandler1", "ldapHandler2" ] ],
  "excludeDefaultAttributes" : "true",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.SurrogateRegisteredServiceAccessStrategy",
    "surrogateEnabled" : true,
    "enabled" : true,
    "ssoEnabled" : true
  }
}

The reason I need two handlers is that I have two groups of users in two different ADs with two different domain contexts.

Christian Poirier

Jun 7, 2019, 1:16:11 PM
to CAS Community
Finally, I found why the authentication works and the service validation does not work.
The setting
cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=false
indicates not to care about the requiredHandlers defined in the service when allowing authentication, but the service validation takes them into account.

I tried to change the setting to true and the authentication did not work either. This helped me understand the purpose of the required authentication managers.
I finally realized that all the required authentication managers had to be successful in authenticating the user to authenticate the service. Since my 2 authentication managers contain 2 sets of different users, the authentication could never work.
I removed the requiredHandlers line from the service definition and each service is now authenticated correctly.
After I found the solution, I took the time to read the documentation carefully, and the purpose of this setting is documented. But sometimes it is not easy to understand the subtlety of a text where there is no example.

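An added check, not code from this thread or from CAS, that models the behaviour the last two posts describe: it parses a trimmed, constructed copy of the posted service definition (including Jackson's ["java.util.HashSet", [...]] wrapper), treats requiredHandlers as a set that must ALL have succeeded for ticket validation, and flags definitions with more than one required handler. The function names (unwrap_collection, required_handlers, validation_passes, lint_service) are my own.

```python
import json

# Constructed sample: the poster's definition trimmed to the keys that matter here.
SERVICE_JSON = r"""
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https?://(localhost|127\\.0\\.0\\.1)(:[0-9]+)?(/?.*)",
  "id" : 10000004,
  "name" : "Applications localhost",
  "requiredHandlers" : [ "java.util.HashSet", [ "ldapHandler1", "ldapHandler2" ] ]
}
"""


def load_service(text):
    """Parse one JSON service definition into a dict."""
    return json.loads(text)


def unwrap_collection(value):
    """Unwrap Jackson's type-tagged form ["java.util.HashSet", [...]] to a plain list.
    Assumption: a plain JSON array is also accepted and returned as-is."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")):
        return list(value[1])
    return list(value) if isinstance(value, list) else []


def required_handlers(service):
    """Set of handler names the service definition declares as required."""
    return set(unwrap_collection(service.get("requiredHandlers", [])))


def validation_passes(service, successful_handlers):
    """Model of the behaviour observed in the thread: the service ticket validates
    only when every required handler authenticated the user (AND, not OR)."""
    return required_handlers(service).issubset(set(successful_handlers))


def lint_service(service):
    """Flag definitions that can never validate for a user who exists in only one directory."""
    req = required_handlers(service)
    if len(req) > 1:
        return ["%s: all %d requiredHandlers (%s) must succeed at validation"
                % (service.get("name", "?"), len(req), ", ".join(sorted(req)))]
    return []


if __name__ == "__main__":
    svc = load_service(SERVICE_JSON)
    print(lint_service(svc))                          # one warning
    print(validation_passes(svc, {"ldapHandler1"}))   # False: user exists only in AD 1
    svc.pop("requiredHandlers")                       # the poster's fix
    print(validation_passes(svc, {"ldapHandler1"}))   # True
```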