I've been digging into how CAS builds the SAML response and it appears that the issue is related to the DefaultCasProtocolAttributeEncoder and how it hex-encodes attribute names that contain the ":" or "@" character. When it encodes "https://aws.amazon.com/SAML/Attributes/SessionDuration" the resulting value is "68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e", so the resulting casServiceValidationSuccess response is as follows:
<cas:authenticationSuccess>
<cas:user>T9HpcKRRSSigqWVCNdViTqijyvQ=</cas:user>
<cas:attributes>
<cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>43200</cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
However, cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e is not valid XML, as the namespace string can only start with a letter or '_'. This causes Cas20ServiceTicketValidator.extractCustomAttributes(xml) to fail when it delegates to the cas-client's XmlUtils.getTextForElement(response, "authenticationFailure").
I'm not sure how to fix this issue as it seems like the encoding and decoding of attribute names are quite decoupled. Is there something that I'm missing with my configuration?
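The following is an added illustration of the failure described above, not code from CAS or the Java cas-client. It rebuilds the casServiceValidationSuccess body with the plain hex encoding the post describes, shows that a namespace-aware XML parser rejects the element name because it starts with a digit, and contrasts it with a hypothetical name-safe encoding that only encodes names that are not valid NCNames and prefixes the hex with an assumed `_x` marker so the element name starts with an allowed character. The namespace URI `http://www.yale.edu/tp/cas` is the standard CAS protocol namespace; the `_x` marker, the helper names and the sample attribute values are constructed for this example.

```python
"""Why a hex-encoded CAS attribute name breaks the serviceValidate XML.

Added example, not CAS or cas-client code. The '_x' marker used by the
name-safe encoder is an assumption for illustration, not a CAS convention.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"  # standard CAS protocol namespace

# Simplified (ASCII-only) form of the Namespaces-in-XML NCName rule:
# the first character must be a letter or underscore, and no colon anywhere.
NCNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")


def is_ncname(name: str) -> bool:
    """True when `name` may be used as the local part of an element name."""
    return NCNAME_RE.fullmatch(name) is not None


def hex_encode_name(name: str) -> str:
    """Plain hex encoding of the name, as the post describes for names
    containing ':' or '@'. A URL-style name always starts with a digit here."""
    return name.encode("utf-8").hex()


def safe_encode_name(name: str) -> str:
    """Hypothetical name-safe variant: leave NCNames alone, otherwise hex-encode
    and prefix with '_x' so the result starts with an allowed character."""
    return name if is_ncname(name) else "_x" + hex_encode_name(name)


def decode_name(encoded: str) -> str:
    """Reverse safe_encode_name. Names without a decodable '_x' marker pass
    through unchanged (a real deployment would reserve the marker so that a
    genuine attribute named like '_xab' cannot be mistaken for encoded data)."""
    if encoded.startswith("_x") and len(encoded) > 2:
        try:
            return bytes.fromhex(encoded[2:]).decode("utf-8")
        except ValueError:
            pass
    return encoded


def build_success_response(user: str, attributes: dict, encoder) -> str:
    """Render a casServiceValidationSuccess document, encoding every
    attribute name with `encoder` and escaping the values."""
    attrs = "".join(
        f"<cas:{encoder(k)}>{escape(v)}</cas:{encoder(k)}>"
        for k, v in attributes.items()
    )
    return (
        f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
        f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user>"
        f"<cas:attributes>{attrs}</cas:attributes>"
        f"</cas:authenticationSuccess></cas:serviceResponse>"
    )


def extract_attributes(xml_text: str):
    """Client side: parse the response and decode the attribute names.
    Returns None when the document is not well-formed, which is the point at
    which the post reports Cas20ServiceTicketValidator failing."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    ns = {"cas": CAS_NS}
    result = {}
    for el in root.findall("cas:authenticationSuccess/cas:attributes/*", ns):
        local_name = el.tag.split("}", 1)[1]  # strip the "{namespace}" prefix
        result[decode_name(local_name)] = el.text
    return result


# Constructed sample input: the attribute from the post plus an ordinary one.
SESSION_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
ATTRS = {SESSION_DURATION: "43200", "mail": "user@example.org"}

if __name__ == "__main__":
    user = "T9HpcKRRSSigqWVCNdViTqijyvQ="
    bad = build_success_response(user, ATTRS, hex_encode_name)
    good = build_success_response(user, ATTRS, safe_encode_name)
    print("hex name is a valid NCName:", is_ncname(hex_encode_name(SESSION_DURATION)))
    print("plain hex encoding parses to:", extract_attributes(bad))
    print("name-safe encoding parses to:", extract_attributes(good))
```

Running the module prints that the hex name is not an NCName, that the plain-hex document parses to `None` (ElementTree's namespace-aware expat parser rejects `cas:6874...` with an invalid-token error), and that the name-safe document round-trips back to the original attribute names. The takeaway for the decoupled encoder and decoder mentioned above is that both sides must agree on a single, reversible rule for which names get encoded and how they are marked.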