Such a thing as illegal characters in entityID for SAML?


Mike Osterman
Oct 6, 2022, 3:03:48 PM
to CAS Community
Hi all,

We are running into an issue with a new SP, and despite turning on DEBUG for both org.apereo.cas.services.AbstractServicesManager and org.apereo.cas.support.saml.web.idp we can't find any hints for why this is showing up in the logs:

2022-10-06 09:57:15,798 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <[REDACTED/metadata?Z3JvdXBJZD0yNTMxNQ==] is not found in the registry or service access is denied. Ensure service is registered in service registry>

We've double and triple checked that the service is loading without error and that the service ID in the JSON file (snippet below) matches the

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "REDACTED/metadata?Z3JvdXBJZD0yNTMxNQ==",

My current crackpot theory is that entityID/ServiceID having either a "?" or a "=" in it is what's causing it not to be matching in the registry when resolving the SAML request.

Does anyone:
  • Have experience with this issue?
  • Have other class paths to recommend to get debug info?
  • Have any other troubleshooting steps to try?
Thank you!
Mike

Nate Klingenstein
Oct 6, 2022, 3:10:24 PM
to cas-...@apereo.org
Mike,

That smells like a bug to me.  SAML allows for any valid URI, which that clearly is, and I've seen much worse registered and used successfully with SAMLtest.

So, I think your theory is correct.

Take care,
Nate


Mike Osterman
Oct 6, 2022, 6:31:18 PM
to n...@sudonym.me, cas-...@apereo.org
OK - update!

A co-worker much smarter than me did the research into the code, and found that the SAML service ID was being processed through a regex.

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "REDACTED/metadata\\?Z3JvdXBJZD0yNTMxNQ==",

We've got plenty of CAS org.apereo.cas.services.RegexRegisteredService services, but I had always assumed that the org.apereo.cas.support.saml.services.SamlRegisteredService class was a literal string. Guess that's not the case!

In any event, we escaped the "?" and we're off to the races!

-Mike
