Exposing SAML attribute with ":" character breaks CAS flow


Sean Gottschalk

Sep 12, 2019, 1:14:42 PM
to CAS Community
Hello,

I'm using CAS 6.0.4 and I'm trying to do a SAML SP integration with AWS but it seems that having an attribute with name "https://aws.amazon.com/SAML/Attributes/SessionDuration" causes CAS to fail when redirecting to itself after the initial authentication.

I've been digging into how CAS builds the SAML response and it appears that the issue is related to the DefaultCasProtocolAttributeEncoder and how it hex encodes attribute names that contain the ":" or "@" character. When it encodes "https://aws.amazon.com/SAML/Attributes/SessionDuration" the resulting value is "68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e", so the resulting casServiceValidationSuccess response is as follows:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>T9HpcKRRSSigqWVCNdViTqijyvQ=</cas:user>
        <cas:attributes>
            <cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>43200</cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>

However, cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e is not valid XML, as the namespace string can only start with a letter or '_'. This causes Cas20ServiceTicketValidator.extractCustomAttributes(xml) to fail when it delegates to the cas-client's XmlUtils.getTextForElement(response, "authenticationFailure").

I'm not sure how to fix this issue as it seems like the encoding and decoding of attribute names are quite decoupled. Is there something that I'm missing with my configuration?
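The following Python script is an added illustration of the failure mode described in the post above; it is not code from the thread, from CAS, or from the Java CAS client. It assumes that the CAS 6.0.x encoder produces the lowercase hex of the attribute name's UTF-8 bytes (an assumption consistent with the value quoted above), uses an ASCII-only approximation of the XML NCName rule, and uses Python's namespace-aware expat parser as a stand-in for the Java client's XML parsing. It shows the encoded name being rejected as an element name, while a name that satisfies the NCName rule parses, and includes the pre-emission check a service operator could apply to attribute names before they are released to a CAS client.

```python
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample: the AWS attribute name quoted in the post above.
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
CAS_NS = "http://www.yale.edu/tp/cas"

# Approximation of an XML NCName (the local part of a prefixed element name):
# it must start with a letter or '_' and may not contain ':'. Only the ASCII
# subset is modelled here, which is enough for the names in this thread.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def needs_encoding(name: str) -> bool:
    """Assumed trigger: the post says names containing ':' or '@' get encoded."""
    return ":" in name or "@" in name


def hex_encode_name(name: str) -> str:
    """Assumed scheme: lowercase hex of the UTF-8 bytes of the attribute name."""
    return binascii.hexlify(name.encode("utf-8")).decode("ascii")


def is_ncname(local_name: str) -> bool:
    """Check that a name is usable as the local part of <cas:NAME>."""
    return bool(_NCNAME.match(local_name))


def build_validation_response(attr_name: str, value: str) -> str:
    """Render a minimal CAS 2.0 serviceValidate success body with one attribute.

    Hypothetical helper, not the CAS view template; no escaping is applied
    because the point is to see how the raw element name is parsed.
    """
    return (
        f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
        "<cas:authenticationSuccess>"
        "<cas:user>alice</cas:user>"
        "<cas:attributes>"
        f"<cas:{attr_name}>{value}</cas:{attr_name}>"
        "</cas:attributes>"
        "</cas:authenticationSuccess>"
        "</cas:serviceResponse>"
    )


def parse_attributes(xml_text: str):
    """Parse a validation response the way a CAS client would.

    Returns (attributes, None) on success or (None, error_message) when the
    document is not well-formed, which is what a client sees for a hex-named
    attribute element.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, str(exc)
    ns = {"cas": CAS_NS}
    attrs = {}
    container = root.find("cas:authenticationSuccess/cas:attributes", ns)
    for el in container if container is not None else []:
        # Tags arrive as "{namespace}local"; keep only the local name.
        attrs[el.tag.split("}", 1)[1]] = el.text
    return attrs, None


def release_name_for(name: str) -> str:
    """Apply the assumed encoder and reject names a client cannot parse."""
    encoded = hex_encode_name(name) if needs_encoding(name) else name
    if not is_ncname(encoded):
        raise ValueError(f"attribute name {name!r} encodes to {encoded!r}, "
                         "which is not a valid XML element name")
    return encoded


if __name__ == "__main__":
    bad = hex_encode_name(SESSION_DURATION_ATTR)
    print(bad)
    print(parse_attributes(build_validation_response(bad, "43200")))
    print(parse_attributes(build_validation_response("sessionDuration", "43200")))
```

Running the script prints the same hex string that appears in the post, then a parse error for the response built with it, then a parsed attribute map for a plain name. The `release_name_for` check is the practical takeaway: an attribute whose encoded form begins with a digit cannot be represented as a CAS 2.0 element name at all, so it should be caught (or renamed at the release policy) before the response is generated rather than discovered as a client-side parse failure.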

Jason E

Apr 24, 2020, 6:24:18 PM
to CAS Community
I am having the exact same problem and have opened a ticket with our support vendor. I will let you know if it yields any results. -Jason

Sean Gottschalk

Apr 25, 2020, 6:07:22 PM
to CAS Community
We upgraded our CAS version from 6.0.x to 6.1.x and it works out of the box with the special characters.

Jason Eggleston

Apr 26, 2020, 3:17:44 PM
to cas-...@apereo.org
Thanks for the info! We'll give that a try. I was informed this is a "known issue" with our version of CAS, so it seems the only fix is an updated version.

--
Jason Eggleston, M.A.
Lead Application Analyst
Pepperdine University
Information Technology