CAS as a SAML IDP adds a space within the entity ID when checking the service registry


Jason B. Rappaport

Jul 2, 2021, 3:38:38 PM
to cas-...@apereo.org

I am trying to figure out why CAS, acting as a SAML IDP, is adding a space in the middle of an SP entity ID when doing a service registry evaluation.

 

We have configured our CAS server to act as a SAML IDP.  For an SP that is trying to authenticate against CAS, we are seeing an "application is not registered" error.

 

When I look at the SAML tracer I see:

 

<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://myEntityIDOfMySP</saml2:Issuer>

 

Within the metadata file for the SP, the entity ID is the same as above.

 

Within CAS, I see this:

Jul 2 11:14:43 CASSERVERHostName user [https: //myEntityIDOfMySP] is not found in the registry or service access is denied. Ensure service is registered in service registry

 

Notice the space between https: and //.  I have no idea where this is coming from.  When I check the service registry entry, I don’t see this either:

"serviceId" : " https://myEntityIDOfMySP"

 

Has anyone seen this before?

 

Thanks, Jay

________________________________

Jason Rappaport (he/him)

Identity and Access Management Analyst

Office of Information Technology

Email:  jaso...@princeton.edu

Office:  609-258-8464

 

 

King, Robert

Jul 5, 2021, 9:02:40 AM
to cas-...@apereo.org

Just a guess, but the serviceId with the errant space likely comes from the SP.

 

For example…

 

· hitting the login url - /cas/login?service=defnotaservice

 

Will result in the following WARN error message:

 

WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [defnotaservice] is not found in service registry.>

 

Where defnotaservice is defined by the request to the CAS login endpoint.  I am assuming it is likely the same for the SAML IdP endpoint.


Ray Bon

Jul 5, 2021, 2:09:51 PM
to cas-...@apereo.org
I will agree with Robert. The space is being sent to CAS.

Use samltracer (or built in chrome dev tools) to see the request.

Ray
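
Added example, not code from any poster in this thread or from the CAS project: it decodes the SAMLRequest parameter of an HTTP-Redirect binding request the way a tracer does, returns the Issuer untrimmed, reports the position of any whitespace in it, and compares it with a serviceId. The endpoint URL, the sample AuthnRequest and the treatment of serviceId as a full-match regex are assumptions; the entity ID is the placeholder quoted in the thread.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"

def encode_redirect(xml_text, endpoint="https://idp.example.org/sso"):
    """Build a constructed HTTP-Redirect URL (raw DEFLATE, base64, URL-encoded)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = c.compress(xml_text.encode("utf-8")) + c.flush()
    return endpoint + "?" + urlencode({"SAMLRequest": base64.b64encode(blob).decode()})

def decode_redirect(url):
    """Recover the AuthnRequest XML from the SAMLRequest query parameter."""
    raw = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(raw), -15).decode("utf-8")

def issuer_of(xml_text):
    """Issuer text exactly as sent; no trimming, so stray whitespace survives."""
    node = ET.fromstring(xml_text).find(".//" + ISSUER_TAG)
    return "" if node is None or node.text is None else node.text

def whitespace_in(value):
    """(index, code point) of every whitespace character in value."""
    return [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(value) if ch.isspace()]

def compare(issuer, service_id):
    """Match issuer against a serviceId treated as a regex (assumption)."""
    return {
        "issuer": repr(issuer),
        "issuer_ws": whitespace_in(issuer),
        "service_id_ws": whitespace_in(service_id),
        "match": re.fullmatch(service_id, issuer) is not None,
    }

def sample_request(issuer):
    """Constructed AuthnRequest carrying the given Issuer."""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" '
            'Version="2.0"><saml2:Issuer>%s</saml2:Issuer></samlp:AuthnRequest>' % issuer)

if __name__ == "__main__":
    for sent in ("https://myEntityIDOfMySP", "https: //myEntityIDOfMySP"):
        url = encode_redirect(sample_request(sent))
        print(compare(issuer_of(decode_redirect(url)), "https://myEntityIDOfMySP"))
```

Running the same `whitespace_in` check on the serviceId string copied from the registry file shows whether the stray character is on the registry side instead of in the request.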
