RE: [cas-user] CAS 4.1.1 Google Apps SAML issue

Abhijit Gaikwad

Nov 30, 2015, 8:41:11 AM
to cas-...@apereo.org

From: Abhijit Gaikwad
Sent: Tuesday, November 24, 2015 4:39 PM
To: cas-...@lists.jasig.org
Subject: RE: [cas-user] CAS 4.1.1 Google Apps SAML issue

Hello,

I saw the release of CAS 4.1.2 and tried using the skew allowance, but it still doesn’t work for me. I still get the “your credentials have expired” error. I noticed two things:

1. Only one of the two NotOnOrAfter values gets skewed. The other one is still set to the current time. On our production setup (CAS 3.5.1) both values get increased by a year. I suspect that is the issue; maybe you guys could skew both?

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion ID="<<skdjfskjsdfslkjlksjdlfjskd>>" IssueInstant="2003-04-17T00:46:02.000Z" Version="2.0">
  <Issuer>https://www.opensaml.org/IDP</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"><<personDetails>></NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="<<somerandomstringlksjdlfkjsflksdjflks>>" NotOnOrAfter="2015-11-24T15:39:00.000Z" Recipient="https://www.google.com/a/<<mydomain>>/acs"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2003-04-17T00:46:02.000Z" NotOnOrAfter="2015-11-24T15:41:00.000Z">
    <AudienceRestriction>
      <Audience>https://www.google.com/a/<<mydomain>>/acs</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2015-11-24T15:39:00.000Z">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
</samlp:Response>

2. The skew value is being subtracted from the current time. So instead of adding, say, 2 seconds, 2 seconds get subtracted from the current time. I am not sure if that was the intended purpose; I got around that by adding a negative skew in test (-120).

Help will be greatly appreciated.

Thanks,

---

Abhijit Gaikwad

Applications Programmer | agai...@fit.edu

From: Abhijit Gaikwad [mailto:agai...@fit.edu]
Sent: Monday, November 09, 2015 1:16 PM
To: cas-...@lists.jasig.org
Subject: RE: [cas-user] CAS 4.1.1 Google Apps SAML issue

Thanks Misagh,

Created an issue for it on GitHub: https://github.com/Jasig/cas/issues/1266

---

Abhijit Gaikwad

Applications Programmer | agai...@fit.edu

From: Misagh Moayyed [mailto:mmoa...@unicon.net]
Sent: Monday, November 09, 2015 12:33 PM
To: cas-...@lists.jasig.org
Subject: RE: [cas-user] CAS 4.1.1 Google Apps SAML issue

Looks like there is a skewAllowance setting for SAML1 but not for SAML2. Do file an issue please.

From: Abhijit Gaikwad [mailto:agai...@fit.edu]
Sent: Monday, November 9, 2015 9:31 AM
To: cas-...@lists.jasig.org
Subject: [cas-user] CAS 4.1.1 Google Apps SAML issue

Hello,

We are working on deploying CAS 4.1.1 to production and were trying to get Google Apps for Education SSO to work. Unfortunately I get a “Google Apps - This service cannot be accessed because your login credentials have expired. Please log in and try again.” error from Google. Looking around, it seemed to be an issue with the clocks set on servers, but I have confirmed the clock and NTP are configured correctly on the server.

Looking at the SAML response I noticed “NotOnOrAfter="2015-11-09T09:59:14.000Z"” is set to the current time, which, if I understand correctly, means that by the time it makes it to Google a second has passed and the credentials have expired.

We have CAS 3.5.x in production and working, and looking at the SAML response from it, “NotOnOrAfter="2016-11-09T10:03:00Z"”, the date is set to 1 year ahead so the credentials don’t expire by the time it makes it to Google’s servers.

(The date

I was able to confirm both of these behaviours in code:

4.1.x: https://github.com/Jasig/cas/blob/master/cas-server-support-saml-googleapps/src/main/java/org/jasig/cas/support/saml/authentication/principal/GoogleAccountsServiceResponseBuilder.java#L97

3.5.x: https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java#L178

Looking at the forums it appears the above configuration is working for people, although I don’t see how it would if NotOnOrAfter is set to a time 1 second in the past. Am I missing something here?

Any guidance will be highly appreciated.

Thanks,

---

Abhijit Gaikwad

Applications Programmer | agai...@fit.edu

-- 
You are currently subscribed to cas-...@lists.jasig.org as: mmoa...@unicon.net
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Misagh Moayyed

Nov 30, 2015, 10:08:12 AM
to cas-...@apereo.org
Yes, we can skew both. Please do create an issue. 

- Misagh

Abhijit Gaikwad

Nov 30, 2015, 12:44:59 PM
to Misagh Moayyed, cas-...@apereo.org

I’m curious to know what the use case would be where one would want to subtract a skew value. I’ll go ahead and create an issue to update the other NotOnOrAfter value.

Thanks,

---

Abhijit Gaikwad

Applications Programmer | agai...@fit.edu

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Visit this group at http://groups.google.com/a/apereo.org/group/cas-user/.

Abhijit Gaikwad

Dec 1, 2015, 4:08:05 PM
to Misagh Moayyed, cas-...@apereo.org

Hey Misagh,

Thanks for pushing the fix for the issue. In addition to the skew, I am also having an issue with the dates themselves, specifically the time zones. I have been testing with the custom code as you suggested, and the statement below creates problems for me.

final DateTime currentDateTime = DateTime.parse(new ISOStandardDateFormat().getCurrentDateAndTime());

https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-saml/src/main/java/org/jasig/cas/support/saml/authentication/principal/GoogleAccountsService.java#L171

From what I can tell it creates a date using my local time (EST) but produces a date object that is in Zulu time (if I am understanding it correctly). So no matter what the skew is (unless it is > 5 hours, as Zulu time is about +5 hours from Eastern Standard Time), my authentication always expires.

If I change the above line in the code to just

final DateTime currentDateTime = new DateTime();

It creates a time that is close to UTC, which works fine.

I have ensured that my CentOS 7 box has the timezone and locale set to EST as seen below. Is there something else I should be looking at in terms of timezones? What am I missing?

#timedatectl
      Local time: Tue 2015-12-01 15:48:32 EST
  Universal time: Tue 2015-12-01 20:48:32 UTC
        RTC time: Tue 2015-12-01 20:48:32
        Timezone: America/New_York (EST, -0500)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-11-01 01:59:59 EDT
                  Sun 2015-11-01 01:00:00 EST
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-13 01:59:59 EST
                  Sun 2016-03-13 03:00:00 EDT

# locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

Thanks,

---

Abhijit Gaikwad

Applications Programmer | T 321-674-8208 | agai...@fit.edu
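The two defects discussed in this thread, modelled as an added example (this is illustrative Python, not CAS or Joda-Time code): the skew must be added to the issue time and applied to both NotOnOrAfter values, and a local wall-clock time rendered with a literal 'Z' is read by the service provider as UTC, five hours early for EST. The validator mimics what a SAML 2.0 bearer consumer checks; the assertion it parses is a constructed sample shaped like the one posted above, and all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ISO_Z = "%Y-%m-%dT%H:%M:%SZ"  # the yyyy-MM-dd'T'HH:mm:ss'Z' shape discussed in the thread

def utc(*parts):
    """Build an aware UTC datetime from (y, m, d, H, M, S)."""
    return datetime(*parts, tzinfo=timezone.utc)

def not_on_or_after(now_utc, skew_seconds):
    """Correct direction of the skew: the assertion must still be valid when the
    SP reads it, so the allowance is ADDED to the issue time (negative = subtracted)."""
    return now_utc + timedelta(seconds=skew_seconds)

def format_local_as_zulu(naive_local):
    """Reproduces the timezone defect: an EST wall-clock value is rendered with a
    literal 'Z', so a consumer reads 15:48 EST as 15:48 UTC (five hours early)."""
    return naive_local.strftime(ISO_Z)

def parse_zulu(text):
    return datetime.strptime(text, ISO_Z).replace(tzinfo=timezone.utc)

def build_assertion(subject_noa, conditions_noa):
    """Constructed SAML 2.0 bearer assertion shaped like the one posted above."""
    return f"""<Assertion xmlns="{SAML2}" ID="_constructed" Version="2.0">
  <Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="{subject_noa.strftime(ISO_Z)}"/>
  </SubjectConfirmation></Subject>
  <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="{conditions_noa.strftime(ISO_Z)}"/>
</Assertion>"""

def validate_timing(assertion_xml, receiver_now_utc):
    """Check the assertion the way an SP does: BOTH NotOnOrAfter values must lie
    strictly after the receiver's clock, and NotBefore must not be in the future."""
    ns = {"saml": SAML2}
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", ns)
    checks = (("SubjectConfirmationData", root.find(".//saml:SubjectConfirmationData", ns)),
              ("Conditions", cond))
    for label, elem in checks:
        if receiver_now_utc >= parse_zulu(elem.get("NotOnOrAfter")):
            return False, f"{label} NotOnOrAfter has passed"
    if receiver_now_utc < parse_zulu(cond.get("NotBefore")):
        return False, "Conditions NotBefore is in the future"
    return True, "ok"
```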

Misagh Moayyed

Dec 1, 2015, 5:35:44 PM
to cas-...@apereo.org
OK that’s an easy one. Go ahead and submit a PR if you would please:


- Misagh

Abhijit Gaikwad

Dec 1, 2015, 5:42:39 PM
to Misagh Moayyed, cas-...@apereo.org

Misagh,

Just to confirm, since I don’t know the code base very well and I don’t know what the ISOStandardDateFormat class is actually supposed to do, I am not very sure if the issue is with the code or if I am doing something wrong to get the incorrect dates. My fix works for me though. But did you want me to submit a PR to replace that line with just the new DateTime line, as below?

Original line:

final DateTime currentDateTime = DateTime.parse(new ISOStandardDateFormat().getCurrentDateAndTime());

New line:

final DateTime currentDateTime = new DateTime();

---

Abhijit Gaikwad

Applications Programmer | T 321-674-8208 | agai...@fit.edu

Misagh Moayyed

Dec 1, 2015, 5:50:33 PM
to cas-...@apereo.org
For starters yes. The ISOStandardDateFormat class basically gets you the current date/time in this format: yyyy-MM-dd'T'HH:mm:ss'Z'

What might be happening is, the parse() call right after that does not respect the timezone that is returned. Thus your issue. If you can come up with unit tests that confirm that theory, great. Otherwise, we’ll look into it but go ahead and submit a PR please to the 4.1 branch. 

- Misagh

Abhijit Gaikwad

Dec 2, 2015, 1:34:14 PM
to Misagh Moayyed, cas-...@apereo.org

Ok great. I just submitted a pull request for 4.1. Thanks Misagh for all your help!
