Weblogic read encrypted principal SAML 2 [CAS 5.3.3]

Ahmed Sayed

Sep 27, 2018, 6:10:36 PM
to CAS Community
Hello,

I'm using CAS v5.3.3 as a SAML 2 IdP to log in to a service deployed on WebLogic 12c. I can successfully log in, authenticate and access the restricted resource, but when I read the user name I find it in an encrypted format (something like this: PQvMiIj9jM6xat75f+su/tZI6LU=).

This is the registered service I'm using. I tried to send the username in plain format by adding "encryptUsername" : "false", but there was no difference. What am I missing here?

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "WLS_SP_for_CAS",
  "name" : "saml-weblogic-console",
  "id" : 20180924104930,
  "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
  "metadataLocation" : "file:///C:/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/meta.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "NONE",
    "encryptUsername" : "false",
    "usernameAttribute" : "uid"
  },
  "evaluationOrder" : 1125
}

WebLogic log:
<Sep 26, 2018 3:48:18,518 PM EET> <Debug> <SecurityAtn> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<Sep 26, 2018 3:48:18,518 PM EET> <Debug> <SecurityAtn> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<Sep 26, 2018 3:48:18,518 PM EET> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals, identityDomain)>
<Sep 26, 2018 3:48:18,518 PM EET> <Debug> <SecurityAtn> <BEA-000000> <identity domain: null>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=PQvMiIj9jM6xat75f+su/tZI6LU=>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <Validate WLS principal PQvMiIj9jM6xat75f+su/tZI6LU= returns true>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <Returning the result of validation: true>
<Sep 26, 2018 3:48:18,519 PM EET> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals, identityDomain) validated all principals>
<Sep 26, 2018 3:48:18,521 PM EET> <Debug> <SecurityAtz> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<Sep 26, 2018 3:48:18,521 PM EET> <Debug> <SecurityAtz> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<Sep 26, 2018 3:48:18,521 PM EET> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
 
Principal = class weblogic.security.principal.WLSUserImpl("PQvMiIj9jM6xat75f+su/tZI6LU=")
>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "**" "Anonymous" ]>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=Weblogic_SP_sample_App, contextPath=/Weblogic_SP_sample_App, uri=/restricted/protected_page.jsp, httpMethod=GET>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> < Subject: 1
 Principal = weblogic.security.principal.WLSUserImpl("PQvMiIj9jM6xat75f+su/tZI6LU=")
>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> < Roles:**, Anonymous>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> < Resource: type=<url>, application=Weblogic_SP_sample_App, contextPath=/Weblogic_SP_sample_App, uri=/restricted/protected_page.jsp, httpMethod=GET>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> < Direction: ONCE>
<Sep 26, 2018 3:48:18,524 PM EET> <Debug> <SecurityAtz> <BEA-000000> < Context Handler: >
<Sep 26, 2018 3:48:18,525 PM EET> <Debug> <SecurityAtz> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=[**,Anonymous]>
<Sep 26, 2018 3:48:18,525 PM EET> <Debug> <SecurityAtz> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([authenticated-users,authenticated-users],[**,Anonymous]) -> false>
<Sep 26, 2018 3:48:18,525 PM EET> <Debug> <SecurityAtz> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<Sep 26, 2018 3:48:18,525 PM EET> <Debug> <SecurityAtz> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@EWeblogic_SP_sample_App@M@OcontextPath@E@UWeblogic_SP_sample_App@M@Ouri@E@Urestricted@U@K@M@OhttpMethod@EGET, 1.0 evaluates to Deny>
<Sep 26, 2018 3:48:18,526 PM EET> <Debug> <SecurityAtz> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<Sep 26, 2018 3:48:18,526 PM EET> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<Sep 26, 2018 3:48:18,526 PM EET> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>
<Sep 26, 2018 3:48:18,526 PM EET> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 212 bytesProduced = 241.>
<Sep 26, 2018 3:48:18,527 PM EET> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 1166 bytesProduced = 1195.>
<Sep 26, 2018 3:48:23,346 PM EET> <Debug> <SecuritySAML2Atn> <BEA-000000> <used_assertion - item: _7759500559727659749 expired.>

Thanks,
Ahmed Sayed
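An added diagnostic, not part of the post above and not CAS code: it decodes the principal value seen in the WebLogic log and compares its byte length against the shapes an "encrypted" username could take. A 28-character base64 value decodes to 20 bytes, which is the length of a SHA-1 digest and far too short for an RSA ciphertext, so the value looks like a hashed, opaque identifier (the persistent-NameID style produced by the Shibboleth computed-ID scheme) rather than an encrypted username. The `shibboleth_persistent_id` construction, the SP entity ID, the user name and the salt are assumptions for illustration only.

```python
import base64
import hashlib

# Value copied verbatim from the poster's WebLogic log.
OBSERVED_PRINCIPAL = "PQvMiIj9jM6xat75f+su/tZI6LU="

# Byte lengths of common digests; an RSA ciphertext is as long as the key modulus.
DIGEST_SIZES = {20: "SHA-1", 32: "SHA-256", 48: "SHA-384", 64: "SHA-512"}
RSA_SIZES = {128: "RSA-1024", 256: "RSA-2048", 512: "RSA-4096"}


def classify_opaque_value(value: str) -> dict:
    """Base64-decode an opaque principal and report which shape its length matches."""
    raw = base64.b64decode(value, validate=True)
    n = len(raw)
    return {
        "bytes": n,
        "digest": DIGEST_SIZES.get(n),          # None if not a digest length
        "rsa_ciphertext": RSA_SIZES.get(n),     # None if not a modulus length
    }


def shibboleth_persistent_id(sp_entity_id: str, principal: str, salt: str) -> str:
    """Assumed construction of a Shibboleth-style computed persistent ID:
    base64(SHA1(spEntityId + '!' + principal + '!' + salt)).
    Shown only to illustrate the 20-byte / 28-char shape; the real salt is unknown."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(principal.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


if __name__ == "__main__":
    print("observed:", classify_opaque_value(OBSERVED_PRINCIPAL))
    # Constructed inputs: serviceId from the post, user name and salt made up.
    demo = shibboleth_persistent_id("WLS_SP_for_CAS", "jdoe", "constructed-salt")
    print("demo id:", demo, classify_opaque_value(demo))
```

If the decoded length had been 256 or 512 bytes instead, an RSA-encrypted username would have been the plausible explanation; a 20-byte value points at the NameID format the SP metadata requests.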