Sudden failure of certain SAML Services after system updates


Mike Osterman

Aug 2, 2021, 11:45:32 PM
to CAS Community
Hello,

We have two SAML services on CAS 5.3.x (yes, I know we need to get to 6.3.x STAT) that stopped working suddenly with behavior identical to this thread:
https://groups.google.com/a/apereo.org/g/cas-user/c/fc_biQnh1l4

The kicker is that we haven't rebuilt the cas.war file recently, and the behavior only began happening very recently. 

One of the services maps the mail attribute to a SOAP schema:
"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "User.LastName",
      "givenName" : "User.FirstName",
      "mail" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    }
  }

(note the : that others mentioned)

And the other uses friendlyNames:
"attributeFriendlyNames": {
    "@class": "java.util.HashMap",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation"
  },


Again, these have worked for several months, and the compiled CAS binary hasn't changed in some time. The only thing that changed was the java binary itself via system updates on July 23, which coincides with this behavior beginning. It appears that this has somehow affected the attribute encoding.

Apart from rolling back the openjdk RPMs and cutting over to 6.3.x spontaneously, does anyone have any ideas for workarounds for this behavior? 

Thank you,
Mike

Jason Cole

Oct 28, 2021, 10:55:14 AM
to CAS Community, Mike Osterman
Mike-

What was your ultimate resolution for this? We've experienced the same issue and are looking for ways around until we can update CAS.

Thanks
Jason

Mike Osterman

Oct 28, 2021, 11:20:34 AM
to Jason Cole, CAS Community
Hi Jason,

Our root cause was the openjdk runtime update we received via our Oracle Linux repo. I was able to roll back to the prior version to work around this issue. 

Good luck!
Mike