Issue with CAS client when using CAS as an SP


thai.q.nguyen

Mar 29, 2018, 5:44:57 PM
to CAS Community
Hi, community

We are using CAS as an SP (using pac4j) and delegating the authentication to an IdP.
We have this configured: cas.authn.pac4j.autoRedirect=true
so the flow will not stop at the CAS login page.
We are using CAS 5.1.8

So the flow is:
A user clicked a CAS client, redirected to CAS, redirected to IdP for login.
After successfully logging in to the IdP, the user should be redirected to the CAS client.

We have it working, but randomly the user ends up at the CAS successful login page (which confuses the user).

CAS redirected the user to send an AuthnRequest to IdP:
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://my.edu/cas/login?client_name=SAML2Client"
                     Destination="https:/my.edu/sso/SSORedirect/metaAlias/usfca-sb/idp"
                     ForceAuthn="false"
                     ID="_fv6mluvdxnozugdvd9fielq8xpjiuf87bujvcep"
                     IsPassive="false"
                     IssueInstant="2018-03-29T19:46:56.082Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     ProviderName="pac4j-saml"
                     Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://my.edu/cas-sp</saml2:Issuer>
</saml2p:AuthnRequest>
 
with a RelayState: https://my.edu/cas/login?client_name=SAML2Client (same as ACS)

The IdP redirected the user (browser) to POST an AuthnResponse back to CAS at https://my.edu/cas/login?client_name=SAML2Client (ACS).

At this point:
  1. Sometimes the browser received a 302 response code with Location: CAS-Client/apps/?ticket=ST-30-FOAfm3AOLbQLshnIdyZd-ip-10-255-0-10, so the CAS client validates the ticket with the CAS server and ends up at the CAS client landing page.
  2. Sometimes the browser received a 200 response code and therefore stays at this URL https://my.edu/cas/login?client_name=SAML2Client and displays the CAS successful login page, which we don't want. Reading further I found that, at this point, the CAS client hasn't established an SSO session yet.
Any help and/or pointers are appreciated.

Thanks in advance,

Thai Nguyen

daniel.h

Dec 12, 2019, 1:38:47 PM
to CAS Community
I am having a very similar (if not the same) problem as what Thai had posted and was hoping for some help.

My setup:
  • CAS 6.1.2
  • CAS set up as SP
  • Azure AD is IdP
  • Application service configuration in CAS:
    • SSO is disabled (users are forced to re-auth when they log out of My App)
  • Auth flow:
    • My App --> CAS --> Azure AD --> CAS --> My App

Problem:
  • RelayState in the SAML request is not always the same. Sometimes it is the Assertion Consumer Service (ACS) url, sometimes it is a Transient Session Ticket (TST). I could only find one reference to TST in the docs here https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#transient-session-tickets-behavior
  • When RelayState is ACS url, SAML response to CAS fails because of "application not authorized"
  • When RelayState is TST, SAML response to CAS succeeds and CAS correctly redirects to My App
  • Conditions:
    • CAS session cookie not set or expired
      • User accesses My App --> CAS --> Azure AD --> CAS fails to process SAML response --> CAS displays "Application Not Authorized to Use CAS" error page --> CAS session cookie is set
    • CAS session cookie is set
      • User accesses My App --> CAS --> Azure AD --> CAS processes SAML response --> CAS redirects user to My App

From my testing, it appears that the RelayState is set to the ACS url when there is no existing CAS session (user hitting CAS for the first time or user logs out of CAS). The SAML request to Azure AD looks something like:


When there is an existing CAS session, the RelayState is the TST and the SAML request looks something like:


I can log in using different AD users and everything works fine. It's only when I delete the session cookie set by CAS that it fails and reverts back to the RelayState being the ACS url.

Debug log when RelayState is ACS url:

tomcat_sandbox1 | 2019-12-11 00:02:53,348 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Building URL to redirect client to>
tomcat_sandbox1 | 2019-12-11 00:02:53,349 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Determined final redirect action for client [#SAML2Client# | name: Microsoft Account | callbackUrl: https://example.com:8081/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@24b485e | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@7c75b203 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@2309065f | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@4ff985a6 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@17282dbf | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@461c60f3 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@60c19035 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@2dccbd91 | authorizationGenerators: [] |] as [#HttpAction# | code: 302 |]>
tomcat_sandbox1 | 2019-12-11 00:02:53,349 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [Microsoft Account] to [https://login.microsoftonline.com/f8f35f5d-1f7b-4427-90f7-f4565c5177aa/saml2?SAMLRequest=hVLLbtswELz3KwReCz0oS5ZMWDLUB...opHyP7Xahv9qK8%2FP970t%2FwA%3D&RelayState=https%3A%2F%2Fexample.com%3A8081%2Fcas%2Flogin%3Fclient_name%3DMicrosoft%2BAccount] based on identifier [TST-17-QGT8LfgkBi3VsxEvwN42Y0nJKM8bFc4F]>
tomcat_sandbox1 | 2019-12-11 00:03:00,218 DEBUG [org.apereo.cas.services.AbstractServicesManager] - <Adding registered service [https://example.com:8081/app\?client_name=CasClient] with name [My App] and internal identifier [8081]>
tomcat_sandbox1 | 2019-12-11 00:03:00,218 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
tomcat_sandbox1 | 2019-12-11 00:03:10,094 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
tomcat_sandbox1 | 2019-12-11 00:03:10,094 DEBUG [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>
tomcat_sandbox1 | 2019-12-11 00:04:00,221 DEBUG [org.apereo.cas.services.AbstractServicesManager] - <Adding registered service [https://example.com:8081/app\?client_name=CasClient] with name [My App] and internal identifier [8081]>
tomcat_sandbox1 | 2019-12-11 00:04:00,221 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
tomcat_sandbox1 | 2019-12-11 00:04:32,742 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>
tomcat_sandbox1 | 2019-12-11 00:04:32,742 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [Optional[https://example.com:8081/cas/login?client_name=Microsoft+Account]]>
tomcat_sandbox1 | 2019-12-11 00:04:32,743 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://example.com:8081/cas/login?client_name=Microsoft+Account]>
tomcat_sandbox1 | 2019-12-11 00:04:32,742 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket [https://example.com:8081/cas/login?client_name=Microsoft+Account] could not be found>

Debug log when RelayState is TST:

tomcat_sandbox1 | 2019-12-11 00:04:47,247 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Building URL to redirect client to>
tomcat_sandbox1 | 2019-12-11 00:04:47,247 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Determined final redirect action for client [#SAML2Client# | name: Microsoft Account | callbackUrl: https://example.com:8081/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@24b485e | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@7c75b203 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@2309065f | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@4ff985a6 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@17282dbf | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@461c60f3 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@60c19035 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@2dccbd91 | authorizationGenerators: [] |] as [#HttpAction# | code: 302 |]>
tomcat_sandbox1 | 2019-12-11 00:04:47,248 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [Microsoft Account] to [https://login.microsoftonline.com/f8f35f5d-1f7b-4427-90f7-f4565c5177aa/saml2?SAMLRequest=hVLLbtswELz3KwReCz0tRRJhyVAbBDWQtEas9NBLQF...6nV1v9XW3l%2Bvu9t%2BQc%3D&RelayState=TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO] based on identifier [TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO]>
tomcat_sandbox1 | 2019-12-11 00:04:47,722 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>
tomcat_sandbox1 | 2019-12-11 00:04:47,722 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [Optional[TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO]]>
tomcat_sandbox1 | 2019-12-11 00:04:47,722 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier as [TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO]>
tomcat_sandbox1 | 2019-12-11 00:04:47,722 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Removing delegated client identifier [TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO] from registry>

Any help will be appreciated. Thanks.
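As an added example (not code from this thread, from CAS or from pac4j), a small Python check that reads the kind of DEBUG/ERROR lines quoted above, pulls the RelayState out of the outbound Azure AD redirect URL, and flags any redirect whose RelayState is the ACS url rather than a TST, which is the condition that ends in the "Delegated client identifier cannot be located" error. The log lines inside are constructed to mirror the thread's output; the TST format assumed is TST-<number>-<suffix> as printed in the logs.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed log lines modelled on the CAS 6.1.x output quoted in this thread (not real output).
SAMPLE_LOG = """\
00:02:53,349 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [Microsoft Account] to [https://login.microsoftonline.com/TENANT/saml2?SAMLRequest=AAA&RelayState=https%3A%2F%2Fexample.com%3A8081%2Fcas%2Flogin%3Fclient_name%3DMicrosoft%2BAccount] based on identifier [TST-17-abc]>
00:04:32,743 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://example.com:8081/cas/login?client_name=Microsoft+Account]>
00:04:47,248 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [Microsoft Account] to [https://login.microsoftonline.com/TENANT/saml2?SAMLRequest=BBB&RelayState=TST-18-def] based on identifier [TST-18-def]>
"""

# A transient session ticket id as CAS prints it: TST-<counter>-<random suffix> (assumed format).
TST_RE = re.compile(r"^TST-\d+-[A-Za-z0-9_-]+$")
REDIRECT_RE = re.compile(r"<Redirecting client \[(?P<client>[^\]]+)\] to \[(?P<url>[^\]]+)\] "
                         r"based on identifier \[(?P<tst>[^\]]+)\]>")
NOT_LOCATED_RE = re.compile(r"<Delegated client identifier cannot be located")

def relay_state_of(idp_url: str) -> Optional[str]:
    """Decoded RelayState query parameter of the outbound IdP redirect URL, if present."""
    values = parse_qs(urlparse(idp_url).query).get("RelayState")
    return values[0] if values else None

def classify_relay_state(relay_state: str) -> str:
    """CAS expects a TST here; an ACS URL is the case that ends in 'cannot be located'."""
    if TST_RE.match(relay_state):
        return "tst"
    if relay_state.startswith(("http://", "https://")):
        return "acs-url"
    return "other"

def scan_log(text: str) -> List[Dict[str, object]]:
    """One finding per outbound IdP redirect; will_fail flags RelayStates CAS cannot map to a client."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        relay_state = relay_state_of(m.group("url"))
        kind = classify_relay_state(relay_state) if relay_state else "missing"
        findings.append({"client": m.group("client"), "issued_tst": m.group("tst"),
                         "relay_state": relay_state, "kind": kind, "will_fail": kind != "tst"})
    return findings

def count_not_located_errors(text: str) -> int:
    """Callbacks CAS rejected because the RelayState carried no TST."""
    return sum(1 for line in text.splitlines() if NOT_LOCATED_RE.search(line))

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running it over a real cas.log lets you confirm whether the "Application Not Authorized" pages line up with redirects whose RelayState was the ACS url, before and after the upgrade mentioned later in the thread.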

Sean Day

Jan 23, 2020, 2:38:01 PM
to CAS Community
I believe I am having the exact same issue; I have the same setup:

CAS 6.1.2 acting as an SP, delegating authentication to Azure AD.

All works fine, but I intermittently get an "Application is not authorised" error.

With debug enabled I have the same entries in the error log (works when the RelayState is TST... does not work when it is the CAS server address with client).

Did you find a solution to this issue?

Thanks

Sean

Sean Day

Jan 31, 2020, 11:54:31 AM
to CAS Community
I replied to the wrong thread; the below was meant for this one, not the OIDC thread.

This seems to have been fixed in 6.2.0 RC2; I have not had the error at all on 6.2.0 RC2. I then spent a bit of time finding a reliable sequence of events that caused the error, and found a way to reproduce it consistently on 6.1.2 by following a specific series of login/logout requests:

In the same browser window:
Log in to system A.
Log in to system B.
Log out of system B.
Log in to system A.
Log out of system A.
Log in to system B - results in error.

The above resulted in the error on every attempt. I then replaced the 6.1.2 cas.war file with 6.2.0 RC2 (no other changes made to config etc.), repeated the above, and did not get the error.
