SAML Response Destination

[Josh G]

Hi all -

We are working on integrating a service (dmp.cdlib.org) in our CAS 5.2.x environment, but are having trouble accommodating a specific requirement, specifically setting the Destination in the SAML response.

In order to validate our configuration, the vendor offers a test Shibboleth SP instance at https://dmptool.org/cgi-bin/PrintShibInfo.pl.

Upon logging into the service, we are receiving the following error:

opensaml::BindingException

The system encountered an error at Wed Aug 21 04:40:17 2019

To report this problem, please contact the site administrator at u...@ucop.edu.

Please include the following message in any email:

opensaml::BindingException at (https://uc3-dmpx2-prd-2c.cdlib.org/Shibboleth.sso/SAML2/POST)

SAML message delivered with POST to incorrect server URL.

The issue appears to be the SAML Response Destination is incorrect:

Here is an example of the SAML Request:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://dmptool.org/Shibboleth.sso/SAML2/POST"
                    Destination="https://<CAS URL>.edu/cas/idp/profile/SAML2/Redirect/SSO"
                    ID="_16cb2cd64c7aab9b86d5766ec9a86cf9"
                    IssueInstant="2019-08-20T18:19:10Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://dmp.cdlib.org</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1" />

</samlp:AuthnRequest>

Here is a snipped of the SAML Response:

<saml2p:Response Destination="https://dmp.cdlib.org/Shibboleth.sso/SAML2/POST"
                 ID="_1919448364467476034"
                 InResponseTo="_16cb2cd64c7aab9b86d5766ec9a86cf9"
                 IssueInstant="2019-08-20T18:19:10.862Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 >

The item in red above is incorrect, the Destination should be https://dmptool.org/Shibboleth.sso/SAML2/POST.

Is there a way in CAS to specify the Destination redirect?

This is possible to do natively in Shibboleth IdP, however we run all of our InCommon SAML configuration (this is an InCommon Federated service) through CAS.

[Josh G]

Apologies for the bump - just wanted to see if anyone else has run into this before?

[Misagh Moayyed]

Can you try this with 5.3.12?

[Josh G]

Hi Misagh -

Thank you for your reply.

I have tested and confirms this works as expected in CAS 6.1.0-RC5 which we are planning on upgrading to in January (assuming a non-RC version of 6.1.x is released by then).

Is there any work around that can be applied to 5.2.x, or should we wait until our 6.1.0 upgrade?

[Misagh Moayyed]

You’re quite welcome. 5.2.x is EOLed [1]. So aside from manually patching your deployment with the right set of changes, I’d wait until 6.1 is out, or better yet, I’d keep testing RCs to make sure no surprises pop up when it’s fully out [2].

[1] https://apereo.github.io/cas/developer/Maintenance-Policy.html 

[2] https://apereo.github.io/2017/03/08/the-myth-of-ga-rel/ 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6eb7ceae-6023-4718-874d-13496839257e%40apereo.org.