Lernaean Hydra and cas 6 ws-federation claims


AT

Jun 27, 2019, 6:20:34 PM6/27/19
to CAS Community
Getting a new error for WS-Federation IdP claims in all 6.0.1-6.0.5 versions (I swear this ws-federation implementation is like the mythical Lernaean Hydra :) I have been trying with all CAS versions between 5.0 and 6.0 and each time I find new, different errors... not sure if anyone ever got wsfederation to work?)

All suggestions are appreciated: https://apereo.github.io/cas/6.0.x/protocol/WS-Federation-Protocol.html

2019-06-27 16:58:25,412 ERROR [org.jasig.cas.client.util.XmlUtils] - <Element or attribute do not match QName production: QName::=(NCName':')?NCName.>
org.xml.sax.SAXParseException: Element or attribute do not match QName production: QName::=(NCName':')?NCName.
        at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source) ~[xercesImpl-2.12.0.jar:?]
        at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source) ~[xercesImpl-2.12.0.jar:?]
        at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source) ~[xercesImpl-2.12.0.jar:2.12.0]
        at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source) ~[xercesImpl-2.12.0.jar:2.12.0]
        at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source) ~[xercesImpl-2.12.0.jar:2.12.0]
        at org.apache.xerces.impl.XMLEntityScanner.scanQName(Unknown Source) ~[xercesImpl-2.12.0.jar:2.12.0]
        at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source) ~[xercesImpl-2.12.0.jar:2.12.0]
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source) ~[xercesImpl-2.12.0.jar:2.12.0]
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source) ~[xercesImpl-2.12.0.jar:2.12.0]
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[xercesImpl-2.12.0.jar:?]
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[xercesImpl-2.12.0.jar:?]
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[xercesImpl-2.12.0.jar:?]
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) ~[xercesImpl-2.12.0.jar:?]
        at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source) ~[xercesImpl-2.12.0.jar:?]
        at org.jasig.cas.client.util.XmlUtils.getTextForElement(XmlUtils.java:192) ~[cas-client-core-3.5.1.jar:3.5.1]
        at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseAuthenticationFailureFromResponse(Cas20ServiceTicketValidator.java:125) ~[cas-client-core-3.5.1.jar:3.5.1]
        at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:81) ~[cas-client-core-3.5.1.jar:3.5.1]
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:198) ~[cas-client-core-3.5.1.jar:3.5.1]
        at org.apereo.cas.ws.idp.web.WSFederationValidateRequestCallbackController.validateRequestAndBuildCasAssertion(WSFederationValidateRequestCallbackController.java:166) ~[cas-server-support-ws-idp-6.0.0.jar:6.0.0]
        at org.apereo.cas.ws.idp.web.WSFederationValidateRequestCallbackController.handleFederationRequest(WSFederationValidateRequestCallbackController.java:128) ~[cas-server-support-ws-idp-6.0.0.jar:6.0.0]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]


Claims were set up as:
{
  "@class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
  "serviceId" : "https://xxx",
  "realm" : "https://xxx",
  "name" : "Sample WsFed Application",
  "id" : 100,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.ws.idp.services.WSFederationClaimsReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "NAME" : "givenName",
      "GIVEN_NAME" : "myName"
    }
  }
}

and attributes:

cas.authn.attributeRepository.stub.attributes.givenName=Billy
cas.authn.attributeRepository.stub.attributes.myName=Bob

Thank you.
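The stack trace above shows the WS-Fed IdP callback controller handing the CAS ticket to Cas20ServiceTicketValidator, which then fails while parsing the validation response as XML. As an added example (not from the original post or from the CAS project), here is a small Python classifier that tells a success response, an authenticationFailure response and a body that is not a CAS response at all apart; the sample responses are constructed, and the attribute names mirror the stub attributes in the post.

```python
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def classify_cas_response(body: str) -> dict:
    """Classify a CAS 2.0/3.0 serviceValidate response body.

    Returns one of:
      {"status": "success", "user": ..., "attributes": {name: [values]}}
      {"status": "failure", "code": ..., "message": ...}
      {"status": "malformed", "error": ...}   # not well-formed, or not a CAS response
    The "malformed" case is what surfaces as a SAXParseException in the CAS client.
    (For untrusted input in production prefer defusedxml over the stdlib parser.)
    """
    try:
        root = ET.fromstring(body)
    except ParseError as exc:
        return {"status": "malformed", "error": str(exc)}
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        attrs: dict = {}
        attrs_el = ok.find("cas:attributes", CAS_NS)
        if attrs_el is not None:
            for child in attrs_el:  # multi-valued attributes repeat the element
                local = child.tag.split("}", 1)[-1]
                attrs.setdefault(local, []).append((child.text or "").strip())
        user = ok.findtext("cas:user", default="", namespaces=CAS_NS)
        return {"status": "success", "user": user, "attributes": attrs}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"status": "failure", "code": fail.get("code", ""),
                "message": (fail.text or "").strip()}
    return {"status": "malformed", "error": "no CAS success/failure element"}


# Constructed sample bodies (not captured from a real deployment).
SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>casuser</cas:user>
    <cas:attributes><cas:givenName>Billy</cas:givenName><cas:myName>Bob</cas:myName></cas:attributes>
  </cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
TRUNCATED = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
HTML_PAGE = "<html><body><h1>502 Bad Gateway</h1></body></html>"  # well-formed, but not CAS

if __name__ == "__main__":
    for name, body in [("SUCCESS", SUCCESS), ("FAILURE", FAILURE), ("TRUNCATED", TRUNCATED), ("HTML", HTML_PAGE)]:
        print(name, classify_cas_response(body))
```

Running the classifier over the body that the CAS server actually returned (captured from the IdP's validation call) shows whether the release policy ever produced attributes or whether the response was never a CAS response to begin with.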





AT

Jun 28, 2019, 1:33:14 AM6/28/19
to CAS Community
For the SAML IdP, there are plenty of examples and other people have shown how it works (the syntax seems switched):

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "urn:amazon:webservices",
  "id" : 10000008,
  "evaluationOrder" : 14,
  "metadataLocation" : "/usr/local/apache-tomcat-8.5.11/webapps/cas.sso/WEB-INF/classes/services/aws-metadata.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "givenName" : "urn:newschool:attribute-def:GIVEN_NAME"
    }
  }
}

But has anyone worked with the WS-Fed IdP claims?

AT

Jun 30, 2019, 9:25:09 AM6/30/19
to CAS Community
Hi Misagh,

Would you please comment on my configuration? I am trying to set up a WS-Fed IdP with claims: things work well (the redirect, the token, the response) but the claims are not being passed, or they cause an error in the logs.
Am I missing something or doing something wrong?


Claims were set up as:
{
  "@class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
  "serviceId" : "https://xxx",
  "realm" : "https://xxx",
  "name" : "Sample WsFed Application",
  "id" : 100,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.ws.idp.services.WSFederationClaimsReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "NAME" : "givenName",
      "GIVEN_NAME" : "myName"
    }
  }
}

and attributes:

cas.authn.attributeRepository.stub.attributes.givenName=Billy
cas.authn.attributeRepository.stub.attributes.myName=Bob


Thank you.

AT

Jun 30, 2019, 9:32:16 AM6/30/19
to CAS Community
Here is my full IdP configuration:

cas.authn.wsfedIdp.sts.signingKeystoreFile=/etc/cas/config/ststrust.jks
cas.authn.wsfedIdp.sts.signingKeystorePassword=storepass
cas.authn.wsfedIdp.sts.encryptionKeystoreFile=/etc/cas/config/stsencrypt.jks
cas.authn.wsfedIdp.sts.encryptionKeystorePassword=storepass

cas.authn.wsfedIdp.sts.subjectNameIdFormat=unspecified
cas.authn.wsfedIdp.sts.encryptTokens=true

cas.authn.wsfedIdp.sts.realm.keystoreFile=/etc/cas/config/stscasrealm.jks
cas.authn.wsfedIdp.sts.realm.keystorePassword=storepass
cas.authn.wsfedIdp.sts.realm.keystoreAlias=realmcas
cas.authn.wsfedIdp.sts.realm.keyPassword=cas123456
cas.authn.wsfedIdp.sts.realm.issuer=CAS

# The signing and encryption keys are both JWKs of size 512 and 256. The encryption algorithm is set to AES_128_CBC_HMAC_SHA_256
# Used to secure authentication requests between the IdP and STS
cas.authn.wsfedIdp.sts.crypto.enabled=false
cas.authn.wsfedIdp.sts.crypto.signing.keySize=512
#cas.authn.wsfedIdp.sts.crypto.signing.key=

cas.authn.wsfedIdp.sts.crypto.encryption.keySize=256
#cas.authn.wsfedIdp.sts.crypto.encryption.key=


and attributes:

cas.authn.attributeRepository.stub.attributes.givenName=Billy
cas.authn.attributeRepository.stub.attributes.myName=Bob


Claims do not work but were set up as: