CAS 5 with ADFS 3.0
284 views
Skip to first unread message
Lê Thà nh
Nov 22, 2016, 5:37:36 AM11/22/16
to CAS Community
Hi,
I'm configuring CAS 5.0.0 (Release) to work with AD FS 3 by SAML2 Authentication. In my case CAS act as an IdP, everything work fine but AD FS can't parse SAMLResponse. It throws an exeption:
agains SAMLResponse:
I don't know the reason while the SAMLResponse from shibboleth I got before had the same tags except attribute name.
Please help!
Thanks
I'm configuring CAS 5.0.0 (Release) to work with AD FS 3 by SAML2 Authentication. In my case CAS act as an IdP, everything work fine but AD FS can't parse SAMLResponse. It throws an exeption:
Microsoft.IdentityServer.Web.UnsupportedSamlResponseException: MSIS7029: The SAML response has content that is not supported.
  at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
  at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
  at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
agains SAMLResponse:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://leth.teca.vn/adfs/ls/"
ID="_8125126804174747431" InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
IssueInstant="2016-11-22T09:07:03.187Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://cas.bhxh.vn:8443/cas/idp
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_8125126804174747431">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>DlBC3aKXqTSiFelrBEk5jbgsQeMlDWLMvkeZ7wuaPGA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
OG+wEuMdzIyM3yLTpB2RnbicKcCBHRt9et9Cti60Qs8N3G+maQCiOvgbKmzdoZsM9y2HTGiNkgkB
9qUsAO072PyOhtH5IkDe72eMB5QzhVkNPPOkhME0wo4lxTI/gvfG/vnJwkYtAignlOkl9/zppWeG
2FEeZFA/MoirpiheP2R+hEZVQw8aftF0a2Quy/GpVs3dWRN5nZXSPAkoYEtTmLcWGOjkZYul563X
GUbHreYxHBLFT8IYvcD6bJwKp9S1MNOfGOBddkH5FiA1Ena0gP4ONCGZ/Q+JDshTBuPZ3yJrjGMl
oOjRlw2sk741f+jHcATtxk7r6pyq71PwgwrJXg==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
/15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
<saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
</saml2p:Status>
<saml2:Assertion ID="_6777774035950654943" IssueInstant="2016-11-22T09:07:03.128Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer>https://cas.bhxh.vn:8443/cas/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_6777774035950654943">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>7kDPmghSrp8C7L0RW1LxToCS1KlKEXV3T3oUJjhorAk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
cmuGUsUU2vUYQW4+enWyDi/eSUYHMAU2NTVqZFjksIIwR7Pp192fBlDmoFsmLDBVx77yOdjeQ1yh
jOMCMk1zljpwRhAVvUzk6Oi8wr9VKkMl5jX15cKb7mZnABAG7R3/H5uLPzPCWhxlai/T2XwC4it9
L/4kj7yLJsyLcWQjYTmomsdBWPD52P9YQ5pOZ8xbbayA1nT6J9LV0MkixsNvQ6FK5Pe20XY1W8ev
9qSg1YUeqr9rpQnOWiZHPx/pCyHIJFGFfvBjc29FJUwJmLsrRnrtLA7ZJJGJfys1+Z9LnJ4Wrv75
u8a3yOOhDZi63mBlhAAMiy51OTfMaFLOg3U45w==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDDDCCAfSgAwIBAgIUaj/aKmtID0ZmU8zjayH9rf6aypwwDQYJKoZIhvcNAQELBQAwFjEUMBIG
A1UEAwwLY2FzLmJoeGgudm4wHhcNMTYxMTIxMDM1NjQwWhcNMzYxMTIxMDM1NjQwWjAWMRQwEgYD
VQQDDAtjYXMuYmh4aC52bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJOC6i6yKuPS
zRHAMs97klECba7I6bdl7mILf4aqTna56ZvUloTtrlaGgMju0ujTj5VdI/W1/UWeRf382rLT4LGl
unkBH/gFeHaz++kP2xlkh3zZSY7lCqY3tiwIoHXMEJz6tYYaJmaSMhlwbbhL762ZYvjjLF8AJPVe
/15Zg4fF3h4cC1vFjwRw1UjYfXcQ960My2WH9GjNekkoN88QYOL9+QWemjC+CpFMgnKBcCqG1f04
y7wW6q1BhqM77300htkvsqLqj2WjMk+qSqzBnlFfurkdolB5R5zyh9Uk+bfWvt5xHlcqWYIbqTkK
bRscIzxVUb/9SYCq9NNn7TG3au8CAwEAAaNSMFAwHQYDVR0OBBYEFL9JEvLIpzJIvP8kfCijTK0R
1kRIMC8GA1UdEQQoMCaCC2Nhcy5iaHhoLnZuhhdjYXMuYmh4aC52bmlkcC9tZXRhZGF0YTANBgkq
hkiG9w0BAQsFAAOCAQEAEjqBVBAio1V1mwIqL5m+RaRhZi5E9qelPlFygbK/Yt6lMMiHPXjYIgzu
SY5vcriPRMDnsWJepnGKefizvGMuw2dTYKO5ry/wLuqKotXyF9AaVOfORs+A6M+RzWl9dX2mRCIA
Gh8xYIJgmXVDpxZJ8B/d4ldM2aCtkOpd6jxnIeP5pmUqsw1k+fY04sLeLnySpraeHdoApH7PBpTU
zdhcZ+cpJsBIDoU0SUqiX8HFO4FOy5Sr5j8arZ5O6QVjPRdjA4hnti5M+4ayFkGPRg2qDUhYlODC
7abWpJ+eeM/q2NqOAicWx1tHAdNaLSuEB+42MIHgr3umrZZ3R8UYGDp6vQ==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">taikho...@gmail.com
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="id-4ca6451f-338b-42a3-acc5-b7eec80628a8"
NotOnOrAfter="2016-11-22T09:12:03.022Z"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2016-11-22T09:07:03.151Z" NotOnOrAfter="2016-11-22T09:12:03.151Z">
<saml2:AudienceRestriction>
<saml2:Audience>http://leth.teca.vn/adfs/services/trust</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2016-11-22T09:07:03.022Z">
<saml2:SubjectLocality Address="http://leth.teca.vn/adfs/services/trust"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod"
Name="samlAuthenticationStatementAuthMethod">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
urn:oasis:names:tc:SAML:1.0:am:password
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
2016-11-22T16:07:02.927+07:00[Asia/Bangkok]
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
WsAuthenticationHandler
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
WsAuthenticationHandler
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
Name="longTermAuthenticationRequestTokenUsed">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
false
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="email" Name="email">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
taikho...@gmail.com
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
I don't know the reason while the SAMLResponse from shibboleth I got before had the same tags except attribute name.
Please help!
Thanks
Robert Ledermüller
Mar 7, 2017, 8:50:02 AM3/7/17
to CAS Community
Hi,
I'm having the exact same issue. Did you found any solution yet?
Best
-- Robert
Lê Thà nh
Mar 7, 2017, 9:21:18 AM3/7/17
to CAS Community
I have fixed this issue. The problem occurs when CAS redirect to the AD FS, it did not retain Relying State. You can fix this by saving this param and resend it with the redirecting url to AD FS.
Good luck
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/aBqlYZsbQFY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/123bc5bc-a305-4946-be4a-d31726a2ac69%40apereo.org.
RJ Guroo
Mar 7, 2017, 10:00:38 AM3/7/17
to cas-...@apereo.org
How did you generate the IDP certs? What are your exact versions ?
To unsubscribe from this group and all its topics, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/123bc5bc-a305-4946-be4a-d31726a2ac69%40apereo.org.
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAF0y-pihFdkgtCt6FGu%3DU6Ckb%3Ddo6y8-rJQWW0GG58AZ8w2a1A%40mail.gmail.com.
Robert Ledermüller
Mar 7, 2017, 10:57:30 AM3/7/17
to CAS Community
Thanks for your response! Could you give me a bit more details about the Relying State? Where did you made your fixes? Just in config files or did you patched any of the provided classes / thymeleaf templates from CAS?
In my logs I can at least see that CAS is recognizing the query param from ADFS.
...
2017-03-07 16:02:07,613 INFO [org.apereo.cas.support.saml.web.idp.profile.SSOPostProfileHandlerController] - <Received SAML profile request [/cas/idp/profile/SAML2/Redirect/SSO]>
2017-03-07 16:02:07,613 DEBUG [org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder] - <Beginning to decode message from HttpServletRequest>
2017-03-07 16:02:07,613 DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder] - <Decoded RelayState: 53595943-1098-47ab-8f08-e24a00e8a7b1>
2017-03-07 16:02:07,613 DEBUG [org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder] - <Base64 decoding and inflating SAML message>
...
Any additional hints are very welcome :)
Best
-- Robert
Robert Ledermüller
Mar 7, 2017, 12:43:26 PM3/7/17
to CAS Community
Never mind. I've found the github issue regarding this problem. Many thanks for directing me into the right direction.
https://github.com/apereo/cas/issues/2148
https://github.com/apereo/cas/pull/2156
Reply all
Reply to author
Forward
0 new messages