CAS v7.0.2 forced SSO not working for service registration


Sreeja Pillai

Mar 21, 2024, 10:06:43 AM
to CAS Community
We are currently on v6.5.9 and trying to upgrade to v7. Most of our service registrations have SSO enabled and work fine.
However, forced SSO is not working for the ones where SSO access is disabled. Based on what we see in the logs, the service ticket is NOT generated.


Any ideas what could be missing?

JSON service registration:

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(http|https)://authorizetest.hbsstg.org/.*",
  "name" : "authorizetest.hbsstg.org",
  "id" : "4020",
  "description" : "This service definition authorizes all application urls that support HTTPS protocols.",
  "evaluationOrder" : "4020",
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" :
  {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" :
    {
      "@class" : "java.util.TreeMap",
      "employeeNumber" : "PERSON_ID"
    },
    "authorizedToReleaseCredentialPassword" : "false",
    "authorizedToReleaseProxyGrantingTicket" : "false"
  },
  "multifactorPolicy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "failureMode" : "CLOSED"
  },
  "accessStrategy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : "true",
    "ssoEnabled" : "false",
    "requireAllAttributes" : "true",
    "caseInsensitive" : "false"
  }
}

Thank you!
--Sreeja

Christopher McCurdy

Apr 8, 2024, 3:38:48 PM
to cas-...@apereo.org
Sreeja,

Were you able to figure this out on your own? I'm experiencing the same issue in that SSO-enabled services work fine, but SSO-disabled services are denied a ticket after validating credentials.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8a034e21-9efe-4f42-851b-152ff96fb01an%40apereo.org.


--
Christopher McCurdy
Project Leader
IT-ESCS-Application Development
University of Delaware

Sreeja Pillai

Apr 9, 2024, 1:59:50 AM
to cas-...@apereo.org
I haven't figured it out yet. I rolled back to 6.6.15, where forced SSO worked as expected. I am continuing to investigate what change might have broken it between 6.6.15 and 7.x.

--Sreeja


Christopher McCurdy

Apr 9, 2024, 12:32:18 PM
to cas-...@apereo.org
It looks to me like this change is responsible for the error, though the change itself makes sense for the operation of the method, since it should throw an error if SSO is not enabled: https://github.com/apereo/cas/commit/4933e24a3b791ec6fbdb2e2bcf24a15365345358

I would guess that something further up the chain should handle that error instead of just letting it interrupt the entire login process?

Christopher McCurdy

Apr 10, 2024, 12:44:55 AM
to cas-...@apereo.org
Following up with more research. After loading a completely bare-bones installation of CAS 7.0.4-SNAPSHOT with only a single service with "ssoEnabled: false" in the service definition, I get the same error. The login page is able to determine that there is an active SSO session and prompts for credentials, but fails with this error message when the credentials are entered: WARN [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Could not grant service ticket [service.not.authorized.sso]. Routing to [authenticationFailure]>

Sreeja Pillai

Apr 10, 2024, 12:45:01 AM
to CAS Community, Christopher McCurdy
Good find! Throwing the error when SSO is disabled is interrupting the service ticket granting flow. Based on where this method is called, I question whether the intent should be to block the service registration flow. It should definitely validate that certain attributes are set and throw an exception otherwise, but forced SSO is already being checked further up in the chain.

Sreeja Pillai

Apr 10, 2024, 11:28:59 AM
to cas-...@apereo.org
I agree with you. I looked through the code & it definitely fails in the grantServiceTicket method (DefaultCentralAuthenticationService). I think the check for SSO enabled is redundant at that point in the code; at best it's a validation check for proxy settings and credentials (which is what the check was doing earlier). It makes sense to contribute a bug fix for this.
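The thread describes two separate decision points for a service with "ssoEnabled": "false": the login page must refuse to reuse an existing SSO session and prompt for credentials, and the ticket-granting step must then issue a service ticket because credentials were just supplied. The script below is an added illustration (not code from the Apereo CAS project or from anyone in this thread) that models both decisions over the service definition posted at the top of the thread. The strict_sso_check_at_grant flag is an assumption that stands in for the behaviour change the thread attributes to commit 4933e24a; the real CAS method bodies are not reproduced, and the ticket identifier, the Service class and the simulate_login helper are constructed for this example.

```python
"""Model of the CAS 'forced SSO' decision points discussed in this thread.

Added illustration, not Apereo CAS code. Two decisions are modelled for a
service whose access strategy has ssoEnabled=false: (1) at the login page,
whether an existing SSO session may be reused or credentials must be re-entered,
and (2) at service-ticket granting, whether a ticket is issued. The
strict_sso_check_at_grant flag is an assumption standing in for the change the
thread attributes to commit 4933e24a; real CAS method bodies are not reproduced.
"""
import json
import re
from dataclasses import dataclass

# Constructed from the service definition posted at the top of the thread
# (non-essential fields omitted). Note that CAS writes booleans as strings here.
SERVICE_JSON = """
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(http|https)://authorizetest.hbsstg.org/.*",
  "name" : "authorizetest.hbsstg.org",
  "id" : "4020",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : "true",
    "ssoEnabled" : "false"
  }
}
"""


class ServiceAccessDenied(Exception):
    """Carries the message code CAS logs, e.g. service.not.authorized.sso."""


@dataclass(frozen=True)
class Service:
    name: str
    pattern: str
    enabled: bool
    sso_enabled: bool

    def matches(self, url: str) -> bool:
        # CAS treats serviceId as a regular expression matched against the URL.
        return re.match(self.pattern, url) is not None


def _flag(value, default: bool) -> bool:
    # Accept real booleans as well as the "true"/"false" strings in the JSON.
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    return str(value).strip().lower() == "true"


def load_service(text: str) -> Service:
    raw = json.loads(text)
    strategy = raw.get("accessStrategy", {})
    return Service(
        name=raw["name"],
        pattern=raw["serviceId"],
        enabled=_flag(strategy.get("enabled"), True),
        sso_enabled=_flag(strategy.get("ssoEnabled"), True),
    )


def needs_credential_prompt(service: Service, has_sso_session: bool) -> bool:
    """Login-page decision: reuse the SSO session only if the service allows it."""
    return not (has_sso_session and service.sso_enabled)


def grant_service_ticket(service: Service, fresh_credentials: bool,
                         has_sso_session: bool, strict_sso_check_at_grant: bool) -> str:
    """Ticket-granting decision.

    With strict_sso_check_at_grant=True the SSO flag is re-checked here even
    though credentials were just supplied, reproducing the failure the thread
    reports (WARN ... service.not.authorized.sso). The flag is a modelling
    assumption, not a CAS setting.
    """
    if not service.enabled:
        raise ServiceAccessDenied("service.not.authorized")
    if strict_sso_check_at_grant and not service.sso_enabled:
        raise ServiceAccessDenied("service.not.authorized.sso")
    # Without the strict check, a ticket needs either fresh credentials or an
    # SSO session that this particular service is allowed to reuse.
    if not (fresh_credentials or (has_sso_session and service.sso_enabled)):
        raise ServiceAccessDenied("authentication.required")
    return f"ST-constructed-{service.name}"  # constructed ticket id


def simulate_login(service: Service, has_sso_session: bool,
                   strict_sso_check_at_grant: bool) -> dict:
    """Walk both decisions; a prompted user is assumed to supply valid credentials."""
    prompted = needs_credential_prompt(service, has_sso_session)
    try:
        ticket = grant_service_ticket(service, fresh_credentials=prompted,
                                      has_sso_session=has_sso_session,
                                      strict_sso_check_at_grant=strict_sso_check_at_grant)
        return {"prompted": prompted, "granted": True, "ticket": ticket, "error": None}
    except ServiceAccessDenied as exc:
        return {"prompted": prompted, "granted": False, "ticket": None, "error": str(exc)}


if __name__ == "__main__":
    svc = load_service(SERVICE_JSON)
    for strict in (False, True):
        print("strict check at grant:", strict,
              simulate_login(svc, has_sso_session=True, strict_sso_check_at_grant=strict))
```

Running it with strict_sso_check_at_grant=False gives the 6.6.15 behaviour the thread expects (prompted, then granted); with True it gives the 7.x outcome (prompted, then denied with service.not.authorized.sso), which is the duplicated check the last two posts point at. Any further SSO test at the grant step would need to distinguish "session reuse" from "credentials just presented", which this model makes explicit via fresh_credentials.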
