Mysterious ADFS Issue: CAS Doesn't seem to know what to do with the saml.


Toby Archer

Oct 31, 2018, 3:06:21 PM10/31/18
to CAS Community
So I've got a mysterious problem. This morning we were going to go live with our new cas 5 servers, but when I tried to login to them, through ADFS, my login got redirected five times and landed on an ADFS error page. The logs looked like this:

2018-10-31 11:47:57,680 INFO [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Preparing to redirect to the IdP [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]>
2018-10-31 11:48:08,947 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:51.558Z] while allowed drift is [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
2018-10-31 11:48:08,948 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
2018-10-31 11:48:08,948 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
2018-10-31 11:48:09,253 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:56.615Z] while allowed drift is [2018-10-31T11:47:59.251-05:00[America/Chicago]]>
2018-10-31 11:48:09,254 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
2018-10-31 11:48:09,254 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
2018-10-31 11:48:09,612 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:57.017Z] while allowed drift is [2018-10-31T11:47:59.610-05:00[America/Chicago]]>
2018-10-31 11:48:09,612 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
2018-10-31 11:48:09,613 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
2018-10-31 11:48:09,846 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:57.264Z] while allowed drift is [2018-10-31T11:47:59.844-05:00[America/Chicago]]>
2018-10-31 11:48:09,847 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
2018-10-31 11:48:09,847 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
2018-10-31 11:48:10,122 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:57.532Z] while allowed drift is [2018-10-31T11:48:00.121-05:00[America/Chicago]]>
2018-10-31 11:48:10,123 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
2018-10-31 11:48:10,124 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
2018-10-31 11:48:10,373 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:57.796Z] while allowed drift is [2018-10-31T11:48:00.359-05:00[America/Chicago]]>
2018-10-31 11:48:10,373 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
2018-10-31 11:48:10,374 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>

I discussed it with the guy who manages our ADFS instance and he asked me if the dev cas server works. We have no dev instance of ADFS so both dev and production hit the same ADFS server. Dev worked just fine. Login, hit ADFS, return, successful login cas page.

I discussed this further and he sent me the saml for both attempts.

<saml:AudienceRestrictionCondition>
                    <saml:Audience>urn:cas:cas.usd.edu</saml:Audience>
                </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:AttributeStatement>
                <saml:Subject>
                    <saml:SubjectConfirmation>
                        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                    </saml:SubjectConfirmation>
                </saml:Subject>
                <saml:Attribute AttributeName="upn"
                                AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
                                >
                    <saml:AttributeValue>the_users_username</saml:AttributeValue>
                </saml:Attribute>
            </saml:AttributeStatement>


in production and

<saml:AudienceRestrictionCondition>
                    <saml:Audience>urn:cas:test-sso.usd.edu</saml:Audience>
                </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:AttributeStatement>
                <saml:Subject>
                    <saml:SubjectConfirmation>
                        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                    </saml:SubjectConfirmation>
                </saml:Subject>
                <saml:Attribute AttributeName="upn"
                                AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
                                >
                    <saml:AttributeValue>the_users_username</saml:AttributeValue>
                </saml:Attribute>

in dev (also called test in places). The saml is the same (except for some bits chopped off when he copied them). The only difference is the audience. If both dev and prod weren't working this would make sense. But why only prod? I looked at the git log and blames and the dev and production configurations are identical except for their name. It feels like CAS gets the saml back and it doesn't know what to do with it, so it passes the user back to ADFS, which authenticates them again, sends them back, and round we go. I'm utterly confused and out of ideas. Anyone have any suggestions?

~TA

Travis Schmidt

Oct 31, 2018, 3:14:54 PM10/31/18
to cas-...@apereo.org
Possible the date compare with the different timezones is off somehow?

- <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:51.558Z] while allowed drift is [2018-10-31T11:47:58.925-05:00[America/Chicago]]>

Maybe dev CAS and dev ADFS are same timezone and only prod is different?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/917d95dd-3b14-427f-aa28-ebbad1027de5%40apereo.org.
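The warning line Travis quotes prints the assertion's issue instant in UTC and the "allowed drift" boundary in America/Chicago, so the two are hard to compare by eye. The script below is an added example, not CAS's own validation code and not something posted in this thread: it parses the WARN lines from the log above (two of them embedded here as constructed sample input), normalises both timestamps to UTC, reports how many seconds before the allowed window each assertion was issued, and, as an inference, derives the tolerance CAS appears to be applying from the gap between the drift boundary and the log line's own timestamp. It assumes the log line timestamp is written in the same zone as the bracketed drift timestamp; the field names in the returned dict are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: two WARN lines copied from the thread's log excerpt.
SAMPLE_LOG = """\
2018-10-31 11:48:08,947 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:51.558Z] while allowed drift is [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
2018-10-31 11:48:09,253 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:56.615Z] while allowed drift is [2018-10-31T11:47:59.251-05:00[America/Chicago]]>
"""

# The drift boundary is printed as "<iso-offset>[<zone-id>]"; capture only the ISO part.
DRIFT_RE = re.compile(
    r"Issued on \[(?P<issued>[^\]]+)\] while allowed drift is "
    r"\[(?P<drift>[^\[\]]+)(?:\[[^\]]*\])?\]"
)
# Log4j-style line prefix: "YYYY-MM-DD HH:MM:SS,mmm" with no zone information.
LINE_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})")


def parse_iso_utc(text):
    """Parse an ISO-8601 instant ('Z' suffix or numeric offset) into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def analyze_drift_line(line):
    """Return a dict describing one 'issued before the allowed drift' warning, or None."""
    m = DRIFT_RE.search(line)
    if not m:
        return None
    issued = parse_iso_utc(m.group("issued"))
    threshold = parse_iso_utc(m.group("drift"))
    result = {
        "issued_utc": issued,
        "threshold_utc": threshold,
        # CAS rejects the assertion when it was issued before the boundary.
        "rejected": issued < threshold,
        "seconds_too_early": (threshold - issued).total_seconds(),
        "logged_at_utc": None,
        "implied_tolerance_s": None,
    }
    head = LINE_TS_RE.match(line)
    if head:
        # Assumption: the log prefix is in the same zone as the bracketed drift timestamp.
        local_tz = timezone(datetime.fromisoformat(m.group("drift")).utcoffset())
        logged_at = datetime.strptime(
            head.group(1) + "." + head.group(2), "%Y-%m-%d %H:%M:%S.%f"
        ).replace(tzinfo=local_tz)
        result["logged_at_utc"] = logged_at.astimezone(timezone.utc)
        # boundary = now - tolerance, so (log time - boundary) approximates the tolerance.
        result["implied_tolerance_s"] = (logged_at - threshold).total_seconds()
    return result


def analyze_log(text):
    """Analyse every drift warning in a block of CAS log text."""
    results = []
    for line in text.splitlines():
        info = analyze_drift_line(line)
        if info:
            results.append(info)
    return results


if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        print(
            f"issued {r['issued_utc'].isoformat()} is {r['seconds_too_early']:.3f}s before "
            f"boundary {r['threshold_utc'].isoformat()} "
            f"(implied tolerance {r['implied_tolerance_s']:.3f}s)"
        )
```

Run against the two sample lines, the script shows that the boundary 11:47:58.925-05:00 is 16:47:58.925Z, so the zone difference in the printout is only cosmetic; the first assertion was issued 7.367 s before that boundary and the second 2.636 s before it, and the boundary sits about 10 s behind each log line's own timestamp. Feeding the script a fresh CAS log is a quick way to tell whether the issue instants are drifting relative to the CAS clock, which is what a defender would check before looking at configuration differences between instances.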

Toby Archer

Oct 31, 2018, 3:23:17 PM10/31/18
to CAS Community
I just typed "date" into both the dev cas and prod cas. Both gave the same time. So that doesn't seem to be the case. Unless you have a better suggestion on how to check. Thanks for the suggestion, I hadn't thought of that.