CAS 5.2.5 SSO doesn't work


brionet

Jun 15, 2018, 5:20:24 AM
to CAS Community
Hi,

I recently installed CAS 5.2.5 and tested SSO with 2 web applications which are running under version 3.5.3 installed in production.

The test sequence was the same as for 3.5.3, i.e. (in chronological order):

1. Login to casified application A requires cas login.

Login OK, and redirect to A successful.

2. Redirect to casified application B with SSO enabled does NOT require signing in.

but on 5.2.5 step 2 requires logging in again.

Through cas-management I can see that services have SSO enabled by default. I made a revision of properties used but found no reason for this different behaviour.

I have checked the properties for the TGC and I have made sure that "enable SSO" is set in the service manager, but every service still requires login, and the TGC is retrieved.


If no service parameter is sent to login, SSO works fine, but with a service parameter it doesn't: the login page appears and login is required again.


Regards,  Luismi.

Ray Bon

Jun 15, 2018, 10:39:44 AM
to cas-...@apereo.org

Luismi,


What happens if you log in to application B first, then A?


Ray


From: cas-...@apereo.org <cas-...@apereo.org> on behalf of brionet <correo...@gmail.com>
Sent: June 15, 2018 02:20
To: CAS Community
Subject: [cas-user] CAS 5.2.5 SSO don't work
 
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6d98c059-82a9-49de-907b-af038558a911%40apereo.org.

Trenton D. Adams

Jun 16, 2018, 12:08:41 AM
to cas-...@apereo.org, brionet

Hi Luismi,

I ran into this as well with 5.2.5.  You have to set up your domain name properly so that the CAS cookie will be sent to the server.  You can debug it using the Chrome debug console.

server.port:8080
server.ssl.enabled=false
cas.server.name: http://localhost:8080
cas.server.prefix: http://localhost:8080/cas

# for development only, so we can use http
cas.tgc.secure=false
cas.tgc.domain=localhost
cas.tgc.path=/cas
cas.serviceRegistry.json.location=file:///etc/cas/config/services/
logging.config: file:/etc/cas/config/log4j2.xml


Then run "./build.sh run".


-- 
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195

It is only when you are surrounded by a supportive team, that you can achieve 
your best.  Instead of tearing people down, try building them up!

brionet

Jun 18, 2018, 2:45:01 AM
to CAS Community


I have attached a picture of the CAS screen after trying to go to the second application (B) where you can see the cookies and the behavior of the CAS. SSO does not work.


If no service parameter is sent to login, SSO works fine, but with a service parameter it doesn't: the login page appears and login is required again.

Regards,  Luismi.

Ray Bon

Jun 18, 2018, 1:15:11 PM
to cas-...@apereo.org
Luismi,

Check 'Access Strategy' tab in service manager.
If you have attributes and values listed under 'Required Attributes', then the user will have to have those attributes to access that service.
What happens when you log in to service B first?

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

brionet

Jun 19, 2018, 4:01:36 AM
to CAS Community
Service Attributes are (from debug log):

registeredService=id=10000001,
name=HTTPS and IMAPS,
description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols.,
serviceId=^(https|imaps)://.*,
usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,
theme=<null>,
evaluationOrder=1,
logoutType=BACK_CHANNEL,
attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@7143c201[
    attributeFilter=<null>,
    principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@16d0bac5[],
    authorizedToReleaseCredentialPassword=false,
    authorizedToReleaseAuthenticationAttributes=true,
    authorizedToReleaseProxyGrantingTicket=false,
    excludeDefaultAttributes=false,
    principalIdAttribute=<null>,
    consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@2783b059[
        excludedAttributes=<null>,
        includeOnlyAttributes=<null>,
        enabled=true],
    allowedAttributes=[tipoAut, nombre, nombreSolo, apellido1, apellido2, nif, cif, email, entidad, tipoCert, emisor, certificado, sesItinerancia, oid, idP]],
accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@203bea7e[
    enabled=true,
    ssoEnabled=true,
    requireAllAttributes=true,
    requiredAttributes={},
    unauthorizedRedirectUrl=<null>,
    caseInsensitive=false,
    rejectedAttributes={}],
publicKey=<null>,
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2a47fed6,
logo=<null>,
logoutUrl=<null>,
requiredHandlers=[],
properties={},
multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@4f8777b2[
    multifactorAuthenticationProviders=[],
    failureMode=NOT_SET,
    principalAttributeNameTrigger=<null>,
    principalAttributeValueToMatch=<null>,
    bypassEnabled=false],
informationUrl=<null>,
privacyUrl=<null>,
contacts=[],
expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@5c92fa15[
    deleteWhenExpired=false,
    notifyWhenDeleted=false,
    expirationDate=<null>]
,<null>

Regards,  Luismi.


brionet

Jun 19, 2018, 4:04:20 AM
to CAS Community
JSON Service Definition:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "tipoAut", "nombre", "nombreSolo", "apellido1", "apellido2", "nif", "cif", "email", "entidad", "tipoCert", "emisor", "certificado", "sesItinerancia", "oid", "idP" ] ]
  }
}



Regards,  Luismi.

brionet

Jun 19, 2018, 5:13:24 AM
to CAS Community
Attached 2 pieces of log in debug mode:

The first goes from the boot of Tomcat until just after completing the identification of application A (casEjemplo) and validating the ticket, recovering the SAML user. It's ALL OK.

The second corresponds to when you try to log in from application B (casEjemplo2), until the "wrong" login screen is displayed (the one that should not appear).

Regards,  Luismi.
1.log
2.log

Ray Bon

Jun 19, 2018, 12:52:40 PM
to cas-...@apereo.org
In a previous comment you provided the service entry for https... service. What is the service entry for the http... service which you are accessing?

2018-06-19 10:42:09,252 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Placing service in context scope: [http://localhost:8080/casEjemplo2/LoginServlet]>
2018-06-19 10:42:09,252 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Placing registered service [^(http|imap)://.*] with id [10000003] in context scope>

The last line below looks like a user name and password are required but are not supplied.

2018-06-19 10:42:09,721 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <No specific authentication handlers are required for this transaction>
2018-06-19 10:42:09,721 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,miHandlerSSL,miHandlerIti,miHandlerLDAP,miHandler,ClientAuthenticationHandler,AcceptUsersAuthenticationHandler]>
2018-06-19 10:42:09,721 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [AcceptUsersAuthenticationHandler]>


It would still be nice to know what happens when you attempt to log in to http://localhost:8080/casEjemplo2/LoginServlet first.

Ray

On Tue, 2018-06-19 at 02:13 -0700, brionet wrote:

2018-06-19 10:42:09,721 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <No specific authentication handlers are required for this transaction>
2018-06-19 10:42:09,721 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,miHandlerSSL,miHandlerIti,miHandlerLDAP,miHandler,ClientAuthenticationHandler,AcceptUsersAuthenticationHandler]>
2018-06-19 10:42:09,721 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [AcceptUsersAuthenticationHandler]>

brionet

Jun 20, 2018, 2:55:16 AM
to CAS Community
The result is the same if you first log in to application B (casEjemplo2) and then to A (casEjemplo).

Attached log of CAS as well as three images:

1.- CAS Login screen when accessing from application B (casEjemplo2). OK.

2.- Application screen B after redirection with the data obtained from CAS. OK.

3.- CAS Login screen when accessing from application A (casEjemplo). ERROR: SSO should work correctly and the login screen should not appear.

Thanks in advance.

Regards, Luismi.

tomcat8-stdout.2018-06-20.log
Image_1.png
Image_2.png
Image_3.png

brionet

Jun 20, 2018, 2:59:47 AM
to CAS Community

Attached 2 files with service definitions (one for https and another for http).
HTTPandIMAP-10000003.json
HTTPSandIMAPS-10000001.json

Ray Bon

Jun 20, 2018, 2:34:55 PM
to cas-...@apereo.org
Luismi,

It looks like you have a custom handler, miHandlerIti. It processes the username/password for the first service login.
On login to the second service, the handler used is AcceptUsersAuthenticationHandler and the credential is org.larioja.cas.adaptadores.Credenciales, but it should be org.apereo.cas.authentication.UsernamePasswordCredential.
You will need to add a handler that accepts org.larioja.cas.adaptadores.Credenciales, or change how miHandlerIti works, or perhaps change the order of authentication handlers in cas.properties.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

henrique rocha

Jun 21, 2018, 8:08:14 AM
to cas-...@apereo.org
Drop the tables created in version 5.2.X and run the application again. The error will no longer appear.

:)


brionet

Jun 22, 2018, 7:27:49 AM
to CAS Community
SOLVED:

I had to put the following piece of code in the AuthenticationHandler to retrieve the existing authentication in the session and the Principal, if it exists, before trying to authenticate again:

import java.security.GeneralSecurityException;
import org.apereo.cas.authentication.*;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.web.support.WebUtils;
import org.springframework.webflow.execution.*;

    @Override
    protected HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
        // Look up the authentication already held in the current web flow, if any.
        final RequestContext context = RequestContextHolder.getRequestContext();
        final Authentication auth = WebUtils.getAuthentication(context);
        final Principal oPri = (auth != null) ? auth.getPrincipal() : null;

        // Reuse the existing principal; otherwise run this handler's own authenticate(credential).
        return createHandlerResult(credential, (oPri != null) ? oPri : authenticate(credential), null);
    }

Thanks to all.
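As an added example, not code from this thread, from the poster, or from the CAS project: the diagnosis earlier in the thread was that a custom credential class ended up in front of AcceptUsersAuthenticationHandler, which only understands username/password. In CAS 5.2 every registered handler is asked supports(credential) first, so a handler that claims exactly its own credential type keeps foreign credentials out of the other handlers and verifies its own credential on every call. The package, the CustomCredential and CustomCredentialHandler names, the "tipoAut" attribute value and the in-memory token map are placeholders or constructed sample data; the base-class API (AbstractAuthenticationHandler, supports, createHandlerResult, PrincipalFactory) is the real CAS 5.2 one.

```java
package example.cas;  // placeholder package, not the poster's org.larioja.cas.adaptadores

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;

import org.apereo.cas.authentication.AbstractAuthenticationHandler;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.HandlerResult;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.services.ServicesManager;

/**
 * Handler for a custom credential type. CAS asks each handler supports(credential)
 * and only the handlers that answer true take part in the transaction, so claiming
 * exactly CustomCredential here means a username/password handler such as
 * AcceptUsersAuthenticationHandler is never handed this credential.
 */
public class CustomCredentialHandler extends AbstractAuthenticationHandler {

    /** Placeholder credential carried from the application (e.g. a token derived from a certificate login). */
    public static class CustomCredential implements Credential {
        private final String id;
        private final String token;

        public CustomCredential(final String id, final String token) {
            this.id = id;
            this.token = token;
        }

        @Override
        public String getId() { return id; }

        public String getToken() { return token; }
    }

    // Constructed sample backend (id -> expected token); a real deployment queries its own store.
    private final Map<String, String> backend = new HashMap<>();

    public CustomCredentialHandler(final String name, final ServicesManager servicesManager,
                                   final PrincipalFactory principalFactory, final Integer order) {
        // 'order' is the position in the handler chain the thread mentions adjusting.
        super(name, servicesManager, principalFactory, order);
        backend.put("sample-user", "constructed-sample-token");
    }

    /** Claim only CustomCredential; username/password credentials stay with the other handlers. */
    @Override
    public boolean supports(final Credential credential) {
        return credential instanceof CustomCredential;
    }

    @Override
    public HandlerResult authenticate(final Credential credential)
            throws GeneralSecurityException, PreventedException {
        final CustomCredential c = (CustomCredential) credential;
        final String expected = backend.get(c.getId());

        // Fail closed: unknown id, missing token or mismatch raises FailedLoginException.
        if (expected == null || c.getToken() == null || !constantTimeEquals(expected, c.getToken())) {
            throw new FailedLoginException("custom credential rejected for id " + c.getId());
        }

        // Attributes released to services; "tipoAut" is an attribute name from the poster's service definition,
        // the value "custom" is a placeholder.
        final Map<String, Object> attributes = new HashMap<>();
        attributes.put("tipoAut", "custom");
        final Principal principal = this.principalFactory.createPrincipal(c.getId(), attributes);
        return createHandlerResult(credential, principal, new ArrayList<>());
    }

    /** Constant-time comparison so token checking does not leak match length through timing. */
    private static boolean constantTimeEquals(final String a, final String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the handler decides in supports() which credentials it claims, it has no reason to read an earlier authentication out of the web flow: a credential it does not recognise is simply never offered to it, and a credential it does recognise is verified on every call, so a rejected token is never answered with a principal left over from a previous login.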