empty SAML response with mod_auth_cas from v1.2/master


Alan S

Jun 3, 2019, 5:13:13 PM
to CAS Community
Hi, all,

Our previous Apache client (mod_auth_cas v1.0.9.1) worked seamlessly with our organization's CAS server, and retrieving SAML attributes was no problem at all. Currently, we're working toward a rollout of CAS 5.3.3, and I'm trying to integrate an Apache client built from the master branch (v1.2 tag).

If I return only the CAS user from serviceValidate, that response is good; however, I'm getting a null response from the samlValidate endpoint, where Apache reports "Validation response: (null)" with no additional logging. Could I please get some troubleshooting advice for returning proper SAML using the latest Apache module?

Here's what I believe to be relevant. I'm happy to provide further details and logs:


Preflight and build steps
==========================================
openssl: Installed: 1.1.0g-2ubuntu4.3
libapr1: Installed: 1.6.3-2
libaprutil1: Installed: 1.6.1-2
apache2: Installed: 2.4.29-1ubuntu4.6
libcurl4: Installed: 7.58.0-2ubuntu3.7
libpcre3: Installed: 2:8.39-9

Installation:
    $ git clone https://github.com/apereo/mod_auth_cas.git
    $ cd mod_auth_cas
    $ autoreconf -ivf
    $ ./configure
    $ make
    $ sudo make install


(Libraries have been installed in:  /usr/lib/apache2/modules)


Apache vhost configuration
==========================================
LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://[CAS_SERVER]/cas/login
CASValidateURL https://[CAS_SERVER]/cas/samlValidate
CASValidateSAML On
CASAttributePrefix SAML-
# I've also specified the following while troubleshooting:
#CASVersion 2
CASDebug On

<LocationMatch "^/authtest">
    AuthType CAS
    AuthName "Test Group"
    CASAuthNHeader CAS-User
    # Both requirement targets fail with the SAML endpoint:
    #Require valid-user
    Require cas-attribute memberof~CN=[SOME_GROUP]
</LocationMatch>



Apache debug log
==========================================
[ssl:debug] [pid 8565:tid 140140085245696] ssl_engine_kernel.c(377):
    [client [APPLICATION_SERVER_IP]:35184]
    AH02034: Initial (No.1) HTTPS request received for child 69 (server [APPLICATION_SERVER]:443),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(2429):
    [client [APPLICATION_SERVER_IP]:35184]
    Entering cas_check_authorization.,
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[authz_core:debug] [pid 8565:tid 140140085245696] mod_authz_core.c(809):
    [client [APPLICATION_SERVER_IP]:35184]
    AH01626: authorization result of Require cas-attribute memberof~CN=[SOME_GROUP]: denied (no authenticated user yet),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[authz_core:debug] [pid 8565:tid 140140085245696] mod_authz_core.c(809):
    [client [APPLICATION_SERVER_IP]:35184]
    AH01626: authorization result of <RequireAny>: denied (no authenticated user yet),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(2152):
    [client [APPLICATION_SERVER_IP]:35184]
    Entering cas_authenticate(),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(682):
    [client [APPLICATION_SERVER_IP]:35184]
    Modified r->args (now ''),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(1830):
    [client [APPLICATION_SERVER_IP]:35184]
    entering getResponseFromServer(),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(610):
    [client [APPLICATION_SERVER_IP]:35184]
    CAS Service 'https%3a%2f%2f[APPLICATION_SERVER]%2f',
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(1910):
    [client [APPLICATION_SERVER_IP]:35184]
    Validation response: (null),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

==========================================

Thank you very much for your time.
-Alan

David Hawes

Jun 4, 2019, 4:17:30 PM
to CAS Community
On Mon, 3 Jun 2019 at 17:13, Alan S <sco...@sfasu.edu> wrote:
>
> Hi, all,
>
> Our previous Apache client (mod_auth_cas v1.0.9.1) worked seamlessly with our organization's CAS server, and retrieving SAML attributes was no problem at all. Currently, we're working toward a rollout of CAS 5.3.3, and I'm trying to integrate an Apache client built from the master branch (v1.2 tag).
>
> If I return only the CAS user from serviceValidate, that response is good; however, I'm getting a null response from the samlValidate endpoint, where Apache reports "Validation response: (null)" with no additional logging. Could I please get some troubleshooting advice for returning proper SAML using the latest Apache module?

Do versions prior to v1.2 work with CAS 5.3.3?

Do your CAS server logs show anything about the CAS validation response sent?

Alan S

Jun 4, 2019, 4:58:39 PM
to CAS Community

Hi, David. I'll need to check the previous server version, but I've made significant progress using the unmerged patch on your fork (apereo#148). I'm still testing, but planned to reach out to you regarding a PR.

The ticketing server reports "samlValidate failing due to NullPointerException." I followed your lead in this thread to troubleshoot the empty requestID issue:

https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/tm8aQrzKDbc

Continuing here:

https://github.com/apereo/mod_auth_cas/issues/148

I cloned your repo (https://github.com/dhawes/mod_auth_cas.git) and merged the fix:

    "issue-148-missing-requestid"
    https://github.com/dhawes/mod_auth_cas/commit/1ca702b08c47f15451014201718b9e78a114b3e9

For my tests, I needed to replace "SSL_library_init" with "OPENSSL_init_ssl." From there, the build process was smooth.

I am now getting the proper XML with the validation response and mod_auth_cas response, and I can view attributes in the cached ticket. This just works.

What additional testing would be required to merge this fix?

Thanks for your work!
-Alan

David Hawes

Jun 5, 2019, 9:52:00 AM
to CAS Community
On Tue, 4 Jun 2019 at 16:58, Alan S <sco...@sfasu.edu> wrote:
>
>
> Hi, David. I'll need to check the previous server version, but I've made significant progress using the unmerged patch on your fork (apereo#148). I'm still testing, but planned to reach out to you regarding a PR.
>
> The ticketing server reports "samlValidate failing due to NullPointerException." I followed your lead in this thread to troubleshoot the empty requestID issue:
>
> https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/tm8aQrzKDbc
>
> Continuing here:
>
> https://github.com/apereo/mod_auth_cas/issues/148
>
> I cloned your repo (https://github.com/dhawes/mod_auth_cas.git) and merged the fix:
>
> "issue-148-missing-requestid"
> https://github.com/dhawes/mod_auth_cas/commit/1ca702b08c47f15451014201718b9e78a114b3e9
>
> For my tests, I needed to replace "SSL_library_init" with "OPENSSL_init_ssl." From there, the build process was smooth.

I went ahead and rebased master on my branch. It should compile
without modification now.

> I am now getting the proper XML with the validation response and mod_auth_cas response, and I can view attributes in the cached ticket. This just works.

Excellent! Thanks for testing.

> What additional testing would be required to merge this fix?

I still need to look at the Java CAS client code to see how they
generate the RequestID. I'd also like to look at the CAS server code
to see how it is used. This solution generates a random value, but it
could just be "1" since it's not really used.

Basically, I just want to verify that the solution not only works, but
is correct.
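As an added illustration of the request that issue 148 concerns (example code, not mod_auth_cas's own code and not posted by anyone in this thread): it builds the SAML 1.1 samlValidate body given in the CAS protocol spec with an explicit RequestID and IssueInstant, and a pre-send check rejects a body whose RequestID is missing or empty, which is the shape of request the server-side NullPointerException above was triggered by. The ticket, RequestID and timestamp values are constructed; the only assumed interface is the three helper functions defined here.

```c
/* Added example, not mod_auth_cas code: build the SAML 1.1 samlValidate
 * request body from the CAS protocol spec (section 2.8) and check that it
 * carries the RequestID attribute whose absence is discussed in issue 148. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Format a time_t as the UTC IssueInstant the spec uses (YYYY-MM-DDThh:mm:ssZ).
 * Returns 1 on success, 0 if the buffer is too small. */
int format_issue_instant(time_t t, char *out, size_t outlen)
{
    struct tm *tm = gmtime(&t);
    if (tm == NULL) return 0;
    return strftime(out, outlen, "%Y-%m-%dT%H:%M:%SZ", tm) != 0;
}

/* Build the SOAP body a client POSTs to /cas/samlValidate?TARGET=<service>.
 * Caller supplies the ticket, a non-empty RequestID and the IssueInstant.
 * Returns bytes written, or -1 if buf is too small or request_id is empty. */
int build_saml_validate_body(char *buf, size_t buflen, const char *ticket,
                             const char *request_id, const char *issue_instant)
{
    if (request_id == NULL || request_id[0] == '\0') return -1;
    int n = snprintf(buf, buflen,
        "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        "<SOAP-ENV:Header/><SOAP-ENV:Body>"
        "<samlp:Request xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\""
        " MajorVersion=\"1\" MinorVersion=\"1\""
        " RequestID=\"%s\" IssueInstant=\"%s\">"
        "<samlp:AssertionArtifact>%s</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>",
        request_id, issue_instant, ticket);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

/* Pre-send check: 1 if the body has a non-empty RequestID attribute, else 0.
 * Only recognises the exact RequestID="..." spelling this builder emits. */
int has_request_id(const char *body)
{
    const char *p = strstr(body, "RequestID=\"");
    if (p == NULL) return 0;
    p += strlen("RequestID=\"");
    return *p != '"' && *p != '\0';
}
```

The value of RequestID itself is not checked by the client beyond being non-empty, in line with the observation above that the server does not really use it.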

Alan S

Jun 5, 2019, 11:38:27 AM
to CAS Community
Great! If you need additional testing, feel free to reach out.
-Alan