CAS 7.1.0 as SAML Idp


SW Genis

Sep 25, 2024, 2:23:17 PM
to CAS Community
Hi, 

I have CAS set up as a SAML Identity Provider and am trying to connect the sample SAML app, https://github.com/apereo/saml2-sample-java-webapp, in order to test my configuration.

The sample app redirects to the CAS login screen and it seems that the authentication is successful; however, it is not redirecting back to the sample application.

In the CAS logs I get the following error:
2024-09-25 19:28:59,487 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHEN: 2024-09-25T17:28:59.487808200
WHO: sisa...@example.org
WHAT: {ticket=ST-1-****************57w9CoE-LTP-59, service=https://localhost:9876/sp}
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
CLIENT_IP: 0:0:0:0:0:0:0:1
SERVER_IP: 0:0:0:0:0:0:0:1
=============================================================

>
2024-09-25 19:28:59,507 ERROR [org.apereo.cas.web.support.filters.AbstractSecurityFilter] - <Request processing failed: org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.actions.RedirectToServiceAction@1272ba19 in state 'redirect' of flow 'login' -- action execution attributes were 'map[[empty]]'
FrameworkServlet.java:processRequest:1022
FrameworkServlet.java:doPost:914
HttpServlet.java:service:653
FrameworkServlet.java:service:885
>
2024-09-25 19:28:59,544 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception>
java.lang.RuntimeException: jakarta.servlet.ServletException: Request processing failed: org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.actions.RedirectToServiceAction@1272ba19 in state 'redirect' of flow 'login' -- action execution attributes were 'map[[empty]]'
at org.apereo.cas.web.support.filters.AbstractSecurityFilter.throwException(AbstractSecurityFilter.java:42)
at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:190)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:62)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)

My Service config:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://localhost:9876/sp",
  "name" : "Sample",
  "id" : 100,
  "metadataLocation" : "C:\\etc\\cas\\services\\sp\\sp-metadata.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",

Any help will be appreciated.
Thanks in advance.



Ray Bon

Sep 25, 2024, 3:17:09 PM
to cas-...@apereo.org
The serviceId should be the entityId from metadata, https://spring.io/security/saml-sp 
Unless you changed it.



Ray


Ray Bon

Sep 26, 2024, 12:01:56 AM
to s...@opencollab.co.za, cas-...@apereo.org
You can also try SAML-tracer browser plugin to verify what is being sent for the login request (and response, when you get there).
You should not need to change the entityId nor serviceId for testing. You can change the metadata and service definition. If you use file system services, changes can be quick, https://apereo.github.io/cas/7.0.x/services/JSON-Service-Management.html

You are correct about unsolicited.

Is it possible that the entityId in the request matched a service pointing to different metadata?

For non cas protocol logins, there are a few extra steps involved. I am not sure where in the flow metadata is checked.

Some other loggers that may help:
<!-- DEBUG service definitions -->
<Logger name="org.apereo.cas.adaptors.ldap.services.DefaultLdapRegisteredServiceMapper" level="warn" />

<Logger name="org.apereo.cas.services" level="${sys:cas.log.level}" />
<!-- TRACE Registered service template directory contains ...
once for each service -->
<Logger name="org.apereo.cas.services.DefaultRegisteredServicesTemplatesManager" level="warn" />
<!-- DEBUG Attempting to read and parse [path/to/file.name]
TRACE Loading files from [path/to/file.name]
Located [[type]] files from [path/to/file.name] -->
<Logger name="org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry" level="warn" />

Or just turn on debug for all cas loggers.

Ray

On Wed, 2024-09-25 at 12:39 -0700, SW Genis wrote:
Thank you for the response.

I've changed the serviceId in order to test different scenarios. Also, I don't think the serviceId is the problem, as the service is picked up and the correct login screen is displayed by CAS, and as far as I can see the user is authenticated based on the following log output:
=============================================================
WHEN: 2024-09-25T19:19:48.214011700
WHO: sisa...@opencollab.co.za
WHAT: {result=Service Access Granted, service=https://spring.io/security/saml-sp, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

CLIENT_IP: 0:0:0:0:0:0:0:1
SERVER_IP: 0:0:0:0:0:0:0:1
=============================================================

With regards to Solicited vs Unsolicited, my understanding is that this is solicited as the process is initiated by the sample application. 

The error occurs when the ticket is validated, see this part of the stacktrace:
Caused by: java.lang.NullPointerException: Cannot invoke "org.apereo.cas.services.RegisteredService.getAttributeReleasePolicy()" because "service" is null
at org.apereo.cas.authentication.DefaultAuthenticationAttributeReleasePolicy.getAuthenticationAttributesForRelease(DefaultAuthenticationAttributeReleasePolicy.java:49)
at org.apereo.cas.util.InternalTicketValidator.validate(InternalTicketValidator.java:39)
at org.apereo.cas.token.JwtTicketBuilder.lambda$build$0(JwtTicketBuilder.java:51)

Regards


Mohamed Amdouni

Sep 26, 2024, 12:02:06 AM
to cas-...@apereo.org
Hi,

What I suggest you check is:
- is the path to the metadata accessible by CAS?
- are there traces that this service was loaded by CAS?
- is it present in the declared services? There is an endpoint for this check, but you need to include some reporting dependencies
- does the sp-metadata.xml contain the ACS URL (Assertion Consumer Service)?
- you can install the SAML tools Chrome plugin to check requests and responses

Good luck 🤞
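The two replies above boil down to a consistency check between the CAS service definition and the SP metadata it points to: the serviceId must match the entityID in the metadata, the metadata file must be readable by CAS, and the metadata must declare an AssertionConsumerService. The script below is an added example written for this thread, not code from CAS or from the sample webapp; it parses a constructed sp-metadata.xml with the standard library, runs those checks against a service definition shaped like the one in the original post, and also flags a requiredNameIdFormat that is not a nameid-format URN. The strict full-regex match for serviceId and the sample metadata values are assumptions.

```python
"""Offline consistency check: CAS SamlRegisteredService JSON vs. SP metadata.

Added example for this thread; not CAS code. Sample inputs are constructed.
"""
import os
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (not the poster's real sp-metadata.xml).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://spring.io/security/saml-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9876/sp/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed service definition mirroring the fields shown in the original post.
SAMPLE_SERVICE = {
    "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "serviceId": "https://localhost:9876/sp",
    "name": "Sample",
    "id": 100,
    "metadataLocation": "C:\\etc\\cas\\services\\sp\\sp-metadata.xml",
    "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
}


def parse_sp_metadata(xml_text):
    """Return entityID, ACS endpoints and NameIDFormat values from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")]
    formats = [e.text.strip() for e in sp.findall(f"{{{MD_NS}}}NameIDFormat") if e.text]
    return {"entityID": root.get("entityID"), "acs": acs, "nameid_formats": formats}


def check_service(service, metadata, metadata_readable=None):
    """Return a list of findings; an empty list means the definition looks consistent."""
    findings = []
    if metadata_readable is None:
        metadata_readable = os.path.isfile(service.get("metadataLocation", ""))
    if not metadata_readable:
        findings.append("metadataLocation is not a readable file")
    # CAS matches serviceId as a regular expression against the SP entityID.
    # A full match is applied here, the strict reading of that rule (assumption).
    entity_id = metadata["entityID"] or ""
    try:
        if not re.fullmatch(service["serviceId"], entity_id):
            findings.append(
                f"serviceId {service['serviceId']!r} does not match entityID {entity_id!r}")
    except re.error as exc:
        findings.append(f"serviceId is not a valid regex: {exc}")
    if not metadata["acs"]:
        findings.append("metadata declares no AssertionConsumerService")
    for binding, location in metadata["acs"]:
        if not (location or "").startswith("https://"):
            findings.append(f"ACS {location!r} ({binding}) is not https")
    fmt = service.get("requiredNameIdFormat")
    if fmt:
        if ":nameid-format:" not in fmt:
            findings.append(f"requiredNameIdFormat {fmt!r} is not a nameid-format URN")
        elif metadata["nameid_formats"] and fmt not in metadata["nameid_formats"]:
            findings.append(f"requiredNameIdFormat {fmt!r} is not advertised by the SP")
    return findings


if __name__ == "__main__":
    md = parse_sp_metadata(SAMPLE_SP_METADATA)
    # metadata_readable=True skips the filesystem check so the sample runs anywhere.
    for finding in check_service(SAMPLE_SERVICE, md, metadata_readable=True):
        print("FINDING:", finding)
```

Run against the constructed inputs it reports two findings: the serviceId from the post does not match the entityID in the metadata, and the requiredNameIdFormat uses an attrname-format URN rather than a nameid-format one. Point `metadataLocation` at the real file and drop `metadata_readable=True` to also confirm CAS can read the metadata path.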
