Problems Negotiating Connection with CAS Server

Bryan K. Walton

Aug 5, 2020, 5:25:46 PM
to cas-...@apereo.org
We are working with an entity to authenticate their users to our
software application. We are using mod_auth_cas on a RHEL 7 server.
mod_auth_cas is working with some other entities, on this server, just
fine. With this one entity, however, we run into problems. Our
application correctly redirects to their CAS login page, for
authentication. But after successful authentication, we get one of
two results, in the browser:

In Firefox:
we get a blank page -- still on THEIR CAS server page.
In Chrome:
We get a 500 server error -- still on their CAS server page.

The Apache error log, on our side, shows a bunch of stuff happening
behind the scenes, however, and it looks to me like something is
looping. The URLs get longer and longer until it quits processing.

I'll attach the error log, showing one authentication request.
(I've replaced their domain name in the log file with # characters.)
Does anybody have any idea what might be going on here?

Thanks,
Bryan
next-error_log-modauthcas

Ray Bon

Aug 6, 2020, 9:08:10 AM
to cas-...@apereo.org
Bryan,

It looks like mod_auth_cas is not configured to handle SAML 1.1 service tickets or the page that cas redirects to is protected (which then goes back to cas instead of processing the ST).

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Bryan K. Walton

Aug 6, 2020, 3:51:52 PM
to cas-...@apereo.org
On Thu, Aug 06, 2020 at 01:07:53PM +0000, Ray Bon wrote:
> Bryan,
>
> It looks like mod_auth_cas is not configured to handle SAML 1.1 service tickets or the page that cas redirects to is protected (which then goes back to cas instead of processing the ST).
>
> Ray

Thanks for the reply, Ray. I think I've found the problem, though. The
service ticket has underscores in it, which isn't allowed, according
to this URL:

https://apereo.github.io/cas/6.1.x/protocol/CAS-Protocol-Specification.html#37-ticket-and-ticket-granting-cookie-character-set

I've passed this information along to the people managing the CAS
server.

-Bryan
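
As an added example (not part of the original thread, and not mod_auth_cas code): a small check that pulls `ticket` parameters out of URLs found in log lines and flags any character outside the set the linked specification section allows (A-Z, a-z, 0-9 and the hyphen). The log lines, host names and function names are constructed for illustration and do not reproduce the actual mod_auth_cas log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CAS Protocol Specification, section 3.7: tickets contain only
# characters from the set {A-Z, a-z, 0-9, hyphen}.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9-]")
# Loose URL matcher for free-form log text (assumption: URLs are unquoted).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def invalid_chars(ticket):
    """Return the sorted distinct characters in `ticket` that the spec forbids."""
    return sorted({c for c in ticket if not ALLOWED_CHAR.fullmatch(c)})


def scan_log(lines):
    """Yield (line_number, ticket, forbidden_chars) for each non-conforming ticket."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            # parse_qs percent-decodes values, so encoded characters are checked too.
            for ticket in parse_qs(urlsplit(url).query).get("ticket", []):
                bad = invalid_chars(ticket)
                if bad:
                    findings.append((lineno, ticket, bad))
    return findings


# Constructed sample input (hypothetical hosts and ticket values).
SAMPLE_LOG = [
    "[debug] redirect https://app.example.org/secure/?ticket=ST-12-aBcD3fGh-cas01",
    "[debug] redirect https://app.example.org/secure/?ticket=ST-13-x_Yz_99-cas_node1",
    "[debug] login https://cas.example.org/cas/login?service=https%3A%2F%2Fapp.example.org%2F",
]

if __name__ == "__main__":
    for lineno, ticket, bad in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: ticket {ticket!r} contains forbidden characters {bad}")
```
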