CAS 6.1.7 attribute for person A released during Person B login


Michael Daley

Oct 18, 2022, 8:58:07 AM
to CAS Community
CAS 6.1.7; Hazelcast ticket storage, LDAP auth and attribute storage, Duo MFA

Recently experienced an issue where an attribute for Person A was released during Person B's session.  This caused Person B to have access to Person A's mailbox (Office365).
Trying to track down whether this is due to a hashkey collision in the attribute cache, or an issue with the attribute resolver itself.  We use an inline groovy script to create the attributes that were mixed up.
I've disabled releasing cached attributes for this service as it's the only one where we have heard of this happening.

See in the logs how the attribute windowsaccountname shows PersonA, and the UPN shows PersonB. 

2022-10-16 17:59:58,415 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: PersonA
WHAT: ST-15460616-qgcEiZFoXWfW3unFtlo8EbuTGWc-vlpcas01 for https://cas.example.edu/cas/idp/profile/SAML2/Callback?entityId=http%3A%2F%2Fcas-1.example.edu%2Fadfs%2Fservices%2Ftrust&SAMLReq ...
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 2600:8805:a980:e500:*:*:*:66ab
SERVER IP ADDRESS: 10.19.*.*
=============================================================

2022-10-16 17:59:58,419 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: PersonB
WHAT: ST-15460617-b9UL3ypUQKwGlb79Ax4AmyMN84c-vlpcas01 for https://cas.example.edu/cas/idp/profile/SAML2/Callback?entityId=http%3A%2F%2Fcas-1.example.edu%2Fadfs%2Fservices%2Ftrust&SAMLReq ...
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 68.9.*.102
SERVER IP ADDRESS: 10.19.*.*
=============================================================

2022-10-16 17:59:58,528 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://cas-1.example.edu/adfs/services/t...,principal=SimplePrincipal(id=PersonB, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[Per...@domain.example.edu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 10.19.*.*
SERVER IP ADDRESS: 10.19.*.249
=============================================================




Daniel Fisher

Oct 18, 2022, 10:05:51 AM
to cas-...@apereo.org
On Tue, Oct 18, 2022 at 8:58 AM Michael Daley <mjda...@ccri.edu> wrote:
CAS 6.1.7; Hazelcast ticket storage, LDAP auth and attribute storage, Duo MFA

Recently experienced an issue where an attribute for Person A was released during Person B's session.


You can put org.ldaptive in DEBUG to confirm the LDAP search results are what you expect.

--Daniel Fisher

Michael Daley

Oct 19, 2022, 7:18:43 AM
to CAS Community, dfisher
Thanks Daniel.  I can confirm this attribute works correctly most of the time.  There have only been a few (very few) times that we have heard reports of this and I've configured our SIEM to monitor the logs looking for this in case it happens again.  On a subsequent login the user did not experience this mix-up.

This is what we are using for attribute release:  the UserPrincipalName worked correctly in this specific case, but the inline groovy pulled the uid of a different login that was happening at the same time.

"allowedAttributes" : {
  "@class" : "java.util.TreeMap",
  "UserPrincipalName" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" : "groovy { return 'DOMAIN\\\\' + attributes['uid'][0] }"
},


released:
principal=SimplePrincipal(id=PersonB, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[Per...@domain.example.edu]}),requiredAttributes={}]
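Added example, not from this thread or from the CAS project: a check of the kind Michael says he wired into his SIEM, run over audit records in the inspektr layout shown in the first post. For every SERVICE_ACCESS_ENFORCEMENT_TRIGGERED record it compares the principal id against the account part of the released windowsaccountname (what the groovy above builds from attributes['uid'][0]) and the local part of the released UPN, and for each mismatch lists the other principals that obtained a service ticket in the preceding two seconds, which is the "different login happening at the same time" Michael describes. The sample log is constructed (names, ticket ids and IPs are made up, and the UPN the thread truncates to "Per...@" is spelled out); the assumption that sAMAccountName and the UPN local part both equal the CAS principal id is mine and may not hold in every directory.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the layout of CAS's inspektr audit trail as shown in the
# thread. NOT the original log: names, ticket ids and IPs are made up, and the
# UPN that the thread truncates is spelled out. The third record is the mix-up.
SAMPLE_AUDIT_LOG = r"""
2022-10-16 17:59:58,415 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: PersonA
WHAT: ST-1-aaaa-cas01 for https://cas.example.edu/cas/idp/profile/SAML2/Callback?entityId=http%3A%2F%2Fcas-1.example.edu%2Fadfs%2Fservices%2Ftrust
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 203.0.113.10
SERVER IP ADDRESS: 10.19.0.249
=============================================================

2022-10-16 17:59:58,419 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: PersonB
WHAT: ST-2-bbbb-cas01 for https://cas.example.edu/cas/idp/profile/SAML2/Callback?entityId=http%3A%2F%2Fcas-1.example.edu%2Fadfs%2Fservices%2Ftrust
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 198.51.100.7
SERVER IP ADDRESS: 10.19.0.249
=============================================================

2022-10-16 17:59:58,528 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://cas-1.example.edu/adfs/services/trust,principal=SimplePrincipal(id=PersonB, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[PersonB@domain.example.edu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sun Oct 16 17:59:58 EDT 2022
CLIENT IP ADDRESS: 10.19.0.1
SERVER IP ADDRESS: 10.19.0.249
=============================================================

2022-10-16 18:00:05,100 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://cas-1.example.edu/adfs/services/trust,principal=SimplePrincipal(id=PersonC, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonC], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[PersonC@domain.example.edu]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sun Oct 16 18:00:05 EDT 2022
CLIENT IP ADDRESS: 10.19.0.1
SERVER IP ADDRESS: 10.19.0.249
=============================================================
"""

BEGIN_MARK = "Audit trail record BEGIN"
FIELD_RE = re.compile(r"^([A-Z][A-Z ]*): (.*)$")          # "WHO: PersonA", "CLIENT IP ADDRESS: ..."
PRINCIPAL_ID_RE = re.compile(r"SimplePrincipal\(id=([^,)]+)")
WINACCT_RE = re.compile(r"claims/windowsaccountname=\[([^\]]*)\]")
UPN_RE = re.compile(r"claims/upn=\[([^\]]*)\]")


def parse_audit_records(text: str) -> List[Dict[str, object]]:
    """Split an inspektr audit log into one dict per record: the KEY: value
    fields plus 'ts', the log4j timestamp of the record's BEGIN line."""
    records: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        if BEGIN_MARK in line:
            # log4j prefix "2022-10-16 17:59:58,415 INFO [...]": first 23 chars are the timestamp
            current = {"ts": datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
    return records


def check_released_identity(record: Dict[str, object]) -> Dict[str, str]:
    """For an enforcement record, return {attribute: released value} for every
    identity-bearing attribute whose account part disagrees with the principal
    id. Empty dict = consistent (or not an enforcement record).
    Assumption (mine): sAMAccountName and the UPN local part equal the CAS id."""
    if record.get("ACTION") != "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED":
        return {}
    what = str(record.get("WHAT", ""))
    pid_m = PRINCIPAL_ID_RE.search(what)
    if not pid_m:
        return {}
    pid = pid_m.group(1).strip().lower()
    mismatched: Dict[str, str] = {}
    win_m = WINACCT_RE.search(what)
    if win_m:
        sam = win_m.group(1).split("\\")[-1]          # DOMAIN\sam -> sam
        if sam.lower() != pid:
            mismatched["windowsaccountname"] = win_m.group(1)
    upn_m = UPN_RE.search(what)
    if upn_m:
        local = upn_m.group(1).split("@")[0]           # local@realm -> local
        if local.lower() != pid:
            mismatched["upn"] = upn_m.group(1)
    return mismatched


def find_identity_mismatches(records: List[Dict[str, object]],
                             window_ms: int = 2000) -> List[Dict[str, object]]:
    """Flag enforcement records that release someone else's identity and list
    the other principals who got a service ticket in the preceding window:
    candidates for the concurrent login whose uid leaked into the release."""
    window = timedelta(milliseconds=window_ms)
    findings: List[Dict[str, object]] = []
    for rec in records:
        bad = check_released_identity(rec)
        if not bad:
            continue
        pid = PRINCIPAL_ID_RE.search(str(rec["WHAT"])).group(1).strip()
        ts = rec["ts"]
        concurrent = sorted({
            str(r["WHO"]) for r in records
            if r.get("ACTION") == "SERVICE_TICKET_CREATED"
            and r["ts"] <= ts and ts - r["ts"] <= window
            and str(r.get("WHO")).lower() != pid.lower()
        })
        findings.append({"principal": pid, "when": ts,
                         "mismatched": bad, "concurrent_logins": concurrent})
    return findings


if __name__ == "__main__":
    for f in find_identity_mismatches(parse_audit_records(SAMPLE_AUDIT_LOG)):
        print(f"{f['when']} principal={f['principal']} released={f['mismatched']} "
              f"other logins in window={f['concurrent_logins']}")
```

Running it against the constructed sample reports the PersonB record with windowsaccountname=DOMAIN\PersonA and PersonA as the only other ticket issued in the preceding window; the PersonC record passes. Against a real cas.log the comparison keys (sAMAccountName vs. principal id, UPN local part vs. principal id) have to match how your directory actually maps them, or the check will alert on every login.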

Daniel Daher

Mar 22, 2023, 4:08:09 PM
to CAS Community, Michael Daley, dfisher
Hi, I have the same problem as you and practically the same environment.

Did you find the problem? Were you able to fix it in some way?

Baldassare Agosta

Mar 23, 2023, 5:21:11 AM
to cas-...@apereo.org, Michael Daley, dfisher
Dear Daniel,

we "solved" it using an AuthenticationMetaDataPopulator instead of the groovy script, as suggested by our partner Tirasa.

Regards,

Baldassare Agosta
Università degli Studi Firenze
Area per l'Innovazione e Gestione dei Sistemi Informativi ed Informatici
SIAF - Coordinamento tecnico applicativi
Piazza Ugo di Toscana, 5  - Edificio D15 - Campus Novoli
Tel. +39 055 2759103
www.siaf.unifi.it


To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20b8c1c2-7818-4729-b40a-049ece9e499en%40apereo.org.