Ticket does not match supplied service. The original service was 'https://...' and the supplied service was 'http://...'.


Tom Reijnders

Nov 13, 2020, 3:30:38 AM
to uPortal Community
I can't seem to authenticate to my external CAS service.

 - uPortal is deployed using latest uPortal-start (using embedded tomcat)
 - CAS is also latest (in a different container)
 - uPortal is added as a service to CAS
 - Both CAS and uPortal are behind an apache reverse proxy that offloads SSL

I have the following in uPortal.properties:

##
## Portal Server
##
portal.protocol=https
portal.server=<PORTAL URL to reverse proxy>
portal.context=/uPortal

##
## Central Authentication Service (CAS)
##
cas.protocol=https
cas.server=<CAS URL to reverse proxy>
cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
#cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
#cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.server}${portal.context}/CasProxyServlet
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true


I am redirected to CAS (with the correct service) and on successful login, I get this error from uPortal:

Ticket 'xxxxx' does not match supplied service. The original service was 'https://<uportal login url>' and the supplied service was 'http://<uportal login url>'.

Any ideas?

Tom

Julien Gribonvald

Nov 13, 2020, 4:25:44 AM
to uporta...@apereo.org

Hi,

Are you sure that when you are redirected to CAS, the service URL provided as a parameter has https? Something like: https://cas.domain.fr/cas/login?service=https://.....

Because it looks like CAS registers the service without https, and it is at this moment of the exchange that the URL is mapped to the ticket.

Otherwise, on my side, my uPortal.properties:

##
## Portal Server
##
#portal.protocol=http
#portal.server=localhost:8080
#portal.context=/uPortal

##
## Central Authentication Service (CAS)
##
#cas.protocol=http
#cas.server=localhost:8080
#cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.lbServerName}${portal.context}${cas.ticketValidationFilter.proxyReceptorUrl}
# depending on CAS version/conf
cas.ticketValidationFilter.encodeServiceUrl=false
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.credentialToken=ticket

org.apereo.portal.security.cas.assertion.copyAttributesToUserAttributes=true



And my global.properties (to share values with portlets):

portal.protocol=https
portal.server=my.domain.fr
# in a load-balanced conf we need to be able to request a specific server for CAS proxy callbacks
portal.lbServerName=portailX.domaine.fr
portal.context=/portail
# I use a pattern replacement for a dynamic domain as I manage several public server names on the same instance
# you can replace that by ${portal.protocol}://${portal.server}${portal.context}
portal.protocol.server.context=${portal.protocol}://_CURRENT_SERVER_NAME_${portal.context}
portal.login.url=${portal.protocol.server.context}/Login


cas.protocol=https
cas.server=cas.domain.fr
cas.context=/cas


In my mind you should look at the portal.login.url value, which is used by the portlet to connect.

Thanks,

Julien

--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uportal-user...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/2c41d91f-2ec1-440e-b362-790a73602d77n%40apereo.org.
--
Julien Gribonvald
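As an added example (not code from either poster, nor from uPortal or CAS), a small check that resolves the ${...} placeholders in a uPortal.properties fragment like the ones above and then reproduces the "original service" versus "supplied service" comparison for a request that reaches Tomcat over plain http behind an SSL-offloading proxy. The hostnames, the X-Forwarded-Proto handling and the component-wise comparison are assumptions for illustration, not the server's actual logic:

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the uPortal.properties shown in this thread
# (placeholder hostnames, not either poster's real configuration).
SAMPLE_PROPERTIES = """
portal.protocol=https
portal.server=portal.example.org
portal.context=/uPortal
cas.protocol=https
cas.server=cas.example.org
cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
"""

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def load_properties(text):
    """Parse key=value lines (blank and '#' lines skipped) and expand ${key} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()

    def expand(value, depth=0):
        if depth > 10:  # a key that references itself would otherwise recurse forever
            raise ValueError("circular placeholder reference")
        return _PLACEHOLDER.sub(
            lambda m: expand(props[m.group(1)], depth + 1) if m.group(1) in props else m.group(0),
            value)

    return {k: expand(v) for k, v in props.items()}


def supplied_service(request_scheme, host, path, forwarded_proto=None, trust_proxy_headers=False):
    """Service URL a client derives from the inbound request when no fixed service is configured.
    Behind an SSL-offloading proxy Tomcat sees plain http, so the scheme stays 'http' unless the
    application honours X-Forwarded-Proto (assumed here via trust_proxy_headers=True)."""
    scheme = forwarded_proto if (trust_proxy_headers and forwarded_proto) else request_scheme
    return f"{scheme}://{host}{path}"


def service_mismatch(original, supplied):
    """Simplified stand-in for the server-side comparison behind the error in this thread:
    returns the URL components that differ, or an empty tuple when the two services agree."""
    o, s = urlsplit(original), urlsplit(supplied)
    pairs = (("scheme", o.scheme, s.scheme), ("host", o.netloc, s.netloc), ("path", o.path, s.path))
    return tuple(name for name, a, b in pairs if a != b)
```

Running `service_mismatch` against the expanded `cas.ticketValidationFilter.service` value shows the ("scheme",) difference from the error message whenever the validation-time URL is built from an http request, and nothing once the scheme is taken from the proxy header or the fixed service value.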

Tom Reijnders

Nov 13, 2020, 5:34:58 AM
to uporta...@apereo.org
Thanks for your answer. Yes, I am sure. The login URL is correct. Although I am surprised that the service URL is not encoded, even though I switched that on. So I am going to double-check the settings again and make sure that they are applied.

But, apparently something goes wrong during ticket validation.

I moved some settings to global.properties, but this did not make any difference.

Julien Gribonvald

Nov 13, 2020, 5:49:07 AM
to uporta...@apereo.org

You should also debug your CAS, maybe the problem is there ;)

The service URL encoding depends on your CAS version/settings. It won't validate the service URL in the wrong case.

Julien

Tom Reijnders

Nov 25, 2020, 3:39:35 AM
to uPortal Community
Is proxy authentication needed? The 6.2.x documentation recommends not using it. The ticket issue is resolved now, but I still have issues with authentication. The proxy callback is not permitted (I have configured the service in CAS to allow proxy authentication, but it still does not work). Seeing the warning, I just wondered if there is an alternative.

Tom

Tom Reijnders

Nov 26, 2020, 4:18:24 AM
to uPortal Community
I've got it working now, using proxy authentication. In the end, the issues that I had were caused by a firewall that is not able to redirect an external IP address from an internal server to a different internal server, so I had to use the internal domain name for the cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl and everything started working.

Benito Gonzalez

Dec 1, 2020, 12:51:32 PM
to Tom Reijnders, uPortal Community
Great!

