SAML Delegation in 6.2.0-RC2


Francisco Castel-Branco

Jan 20, 2020, 10:44:02 AM
to cas-...@apereo.org
Hi all.

I'm having trouble setting up SAML2 delegation with the version mentioned in the subject.

The IdP I'm working with only provides me the SAML specification for requesting attributes, their certificate chain (including mine, which is signed by them). So, to work with CAS, I had to build the metadata files for both IdP (them) and SP (mine).

I've already built a KeyStore containing only the private key for my certificate, and it's loaded. When I change the key alias in the properties, an exception is thrown in CAS.

When I try to access the IdP through the button provided in the login page, CAS throws an exception:

2020-01-20 15:31:17,406 DEBUG [org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler] - <Message Handler:  Evaluating message replay for message ID 'xxxxf0ax-xxxx-xxxx-xxxx-xxxxe7bd26ce', issue instant '2020-01-20T15:31:49.019Z', entityID 'saml.xxx.xxxx.xxx'>
2020-01-20 15:31:17,407 DEBUG [org.opensaml.storage.AbstractMapBackedStorageService] - <Read failed, context 'org.opensaml.saml.common.binding.security.impl.MessageReplaySecurityHandler' not found>
2020-01-20 15:31:17,408 DEBUG [org.opensaml.storage.ReplayCache] - <Value 'xxxxf0ax-xxxx-xxxx-xxxx-xxxxe7bd26ce' was not a replay, adding to cache with expiration time 1579534609019>
2020-01-20 15:31:17,419 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.DelegatedClientAuthenticationAction@5a9d26d6 in state 'delegatedAuthenticationAction' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause>
org.pac4j.saml.exceptions.SAMLException: Response is not success ; actual urn:oasis:names:tc:SAML:2.0:status:Requester / urn:oasis:names:tc:SAML:2.0:status:RequestDenied (The issuer is unknown)
at org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator.validateSuccess(AbstractSAML2ResponseValidator.java:105) ~[pac4j-saml-4.0.0-RC2.jar!/:?]
at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validateSamlProtocolResponse(SAML2AuthnResponseValidator.java:190) ~[pac4j-saml-4.0.0-RC2.jar!/:?]
at org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator.validate(SAML2AuthnResponseValidator.java:106) ~[pac4j-saml-4.0.0-RC2.jar!/:?]
 ...

I don't know what to look for. I know there's a <saml:issuer> tag on the request standard for SAML, but the documentation is not clear about this subject.

Can you guys give me some advice or point me in the right direction?

Thanks
--
Francisco Castel-Branco

Misagh Moayyed

Jan 29, 2020, 5:26:07 AM
to CAS Community
> I don't know what to look for. I know there's a <saml:issuer> tag on the request standard for SAML, but the documentation is not clear about this subject.
>
> Can you guys give me some advice or point me in the right direction?

There is no issuer tag in the saml2 response you get back from the identity provider, because your attempt at authentication has somehow failed there. The IdP is sending you an error response. You need to look into your IdP and figure out what is causing it to error out. Or examine the CAS logs to see what that response looks like before it's parsed.
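To follow the advice above and look at the raw response before pac4j parses it, here is an added Python example (not from the thread, and not CAS or pac4j code) that decodes a POST-binding SAMLResponse parameter and walks the nested StatusCode chain; the sample response is constructed to match the Requester / RequestDenied error quoted in the stack trace, and its ID values are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: an IdP error response like the one in the thread.
# It carries a Status but no Issuer and no Assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-response-id" Version="2.0"
    IssueInstant="2020-01-20T15:31:49.019Z" InResponseTo="_placeholder-request-id">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>The issuer is unknown</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
# Constructed: what the same response looks like as a SAMLResponse form parameter.
ENCODED_SAMPLE = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(param: str) -> str:
    """Decode a base64 SAMLResponse parameter (HTTP-POST binding) to XML text."""
    return base64.b64decode(param).decode("utf-8")


def inspect_status(xml_text: str) -> dict:
    """Collect the StatusCode chain (top-level first), StatusMessage, Issuer and assertion count."""
    root = ET.fromstring(xml_text)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:  # second-level codes are nested inside the first
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)
    return {
        "success": bool(codes) and codes[0] == SUCCESS,
        "status_codes": codes,  # a top-level 'Requester' code means the IdP blames the SP's request
        "status_message": msg.text if msg is not None else None,
        "issuer": issuer.text if issuer is not None else None,
        "assertions": len(root.findall("saml:Assertion", NS)),
    }
```

With a real capture, replace ENCODED_SAMPLE with the SAMLResponse value from the IdP's POST; the StatusMessage is the IdP's own reason and is the thing to take back to the IdP operators.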