[CAS 6.0] Attribute Mappings to SAML Identifiers Broken in CAS 6.0


Josh G

Jul 26, 2019, 10:25:33 AM
to CAS Community
Attribute mappings to SAML identifiers (e.g. urn:oid:2.5.4.42) are broken in CAS 6.0.

In CAS 5.2 (and earlier releases of CAS 5.x) it was possible to map an attribute to a SAML compatible URI by leveraging the attributeReleasePolicy within a service definition.

A working (CAS 5.2) example is outlined below:

Here is a snippet of an HJSON entry for a SAML service:

    attributeReleasePolicy : {
        @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
        allowedAttributes : {
            @class : java.util.TreeMap
            sn : "urn:oid:2.5.4.4"
            givenName : "urn:oid:2.5.4.42"
            displayName : "urn:oid:2.16.840.1.113730.3.1.241"
            eduPersonPrincipalName : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            sAMAccountName : "urn:oid:1.2.840.113556.1.4.221"
        }
    }

Here is a snippet of a single attribute from a working response (CAS 5.2):

<saml2:Attribute FriendlyName="urn:oid:0.9.2342.19200300.100.1.3"
                 Name="urn:oid:0.9.2342.19200300.100.1.3"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                 >
    <saml2:AttributeValue>EMAIL_ADDRESS_HERE</saml2:AttributeValue>
</saml2:Attribute>

The FriendlyName / Name values are mapped to the same value in CAS 5.2 and below, but this was a limitation of CAS at the time which appears to be addressed in CAS 6.0.


The above functionality is not working as expected in CAS 6.0, and none of my workarounds seem to work either.

If the exact attributeReleasePolicy is run in CAS 6.0, it appears to mangle the Principal ID of the response; CAS returns the following:

Error: No principal was found in the response from the CAS server.

The dump provided on the CAS login page is available here: https://pastebin.com/raw/Ur3Ce5UN

However, if we look through the server logs a bit more the following error message appears:

2019-07-25 17:34:19,491 ERROR [org.jasig.cas.client.util.XmlUtils] - <Element or attribute do not match QName production: QName::=(NCName':')?NCName.>
org.xml.sax.SAXParseException: Element or attribute do not match QName production: QName::=(NCName':')?NCName.


It appears that CAS is attempting to validate the attribute mappings in the attributeReleasePolicy and is failing on the colon (:).

If I remove the colon and periods from the above attributeReleasePolicy (for testing purposes only), the login goes through as expected and the SAML response looks as expected (sans the missing colons and periods):

<saml2:Attribute FriendlyName="urnoid25442"
                 Name="urnoid25442"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                 >
    <saml2:AttributeValue>FIRST_NAME_HERE</saml2:AttributeValue>
</saml2:Attribute>



I've tried a variety of workarounds for this, but none has been successful (same error messages, same behaviors).

The latest attempt involves feeding the released attributes to their respective urn:oid values, explicitly stating the urn:oid values are uri formatted attributes, and mapping the urn:oid values to their friendly name counterparts.

This results in the same error above:

    attributeReleasePolicy : {
        @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
        allowedAttributes : {
            @class : java.util.TreeMap
            "urn:oid:2.5.4.4" : "groovy { return attributes['sn'].get(0) }"
            "urn:oid:2.5.4.42" : "groovy { return attributes['givenName'].get(0) }"
            "urn:oid:2.16.840.1.113730.3.1.241" : "groovy { return attributes['displayName'].get(0) }"
        }
    }

    attributeNameFormats : {
        @class : java.util.HashMap
        "urn:oid:2.5.4.4" : uri
        "urn:oid:2.5.4.42" : uri
        "urn:oid:2.16.840.1.113730.3.1.241" : uri
    }

    attributeFriendlyNames : {
        @class : java.util.HashMap
        "urn:oid:2.5.4.4" : sn
        "urn:oid:2.5.4.42" : givenName
        "urn:oid:2.16.840.1.113730.3.1.241" : displayName
    }



This seems to be a pretty significant bug, unless I am (hopefully!) missing something obvious.
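The production quoted in that SAX error is the QName production from XML Namespaces 1.0, QName ::= (NCName ':')? NCName, where an NCName is an XML Name with no colon in it. No urn:oid value can satisfy it: a QName allows at most one colon, and a segment such as 2.5.4.4 may not start with a digit. A Name carrying NameFormat uri is a URI, not a QName, so applying this production to it is the wrong check. The script below is an added example, not code from this thread or from CAS; it implements that production (the character classes are the spec's, with astral-plane ranges omitted) and runs it over the mapped names from the CAS 5.2 release policy above. The function names are my own.

```python
import re

# Character classes from XML Namespaces 1.0 NCName (Name minus ':');
# astral-plane ranges are omitted, which does not affect the names on this page.
_START = (r"A-Za-z_\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
          r"\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF"
          r"\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD")
_REST = _START + r"\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
NCNAME_RE = re.compile("[" + _START + "][" + _REST + "]*")


def is_ncname(s):
    """True if s matches NCName: a non-empty XML Name containing no colon."""
    return NCNAME_RE.fullmatch(s) is not None


def is_qname(s):
    """True if s matches QName ::= (NCName ':')? NCName (at most one colon)."""
    parts = s.split(":")
    return len(parts) <= 2 and all(is_ncname(p) for p in parts)


def explain(name):
    """Return (passes, reason) describing how name fares against the QName production."""
    if is_qname(name):
        return True, "matches the QName production"
    colons = name.count(":")
    if colons > 1:
        return False, f"{colons} colons, but a QName allows at most one (prefix:local)"
    for part in name.split(":"):
        if not is_ncname(part):
            return False, (f"segment {part!r} is not an NCName "
                           "(empty, starts with a digit, or has an illegal character)")
    return False, "does not match the QName production"


def check_mapping(mapping):
    """Given attribute -> mapped name, return the mapped names that would fail a QName check."""
    return {attr: explain(name)[1] for attr, name in mapping.items() if not is_qname(name)}


# The mapping from the CAS 5.2 release policy quoted in the first post.
RELEASE_POLICY = {
    "sn": "urn:oid:2.5.4.4",
    "givenName": "urn:oid:2.5.4.42",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "sAMAccountName": "urn:oid:1.2.840.113556.1.4.221",
}

if __name__ == "__main__":
    # The colon-stripped test value from the post passes; every OID URI fails,
    # and even a single-colon form fails because "2.5.4.42" starts with a digit.
    for name in ["urn:oid:2.5.4.42", "urnoid25442", "givenName", "saml2:Attribute", "oid:2.5.4.42"]:
        print(f"{name!r:22} -> {explain(name)}")
    for attr, reason in check_mapping(RELEASE_POLICY).items():
        print(f"{attr}: {reason}")
```

Running it shows why stripping colons and periods "fixes" the login: urnoid25442 is a valid NCName, whereas every real OID URI fails on its second colon before the digit-led segment is even reached.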

Josh G

Jul 31, 2019, 11:10:06 AM
to CAS Community
Has anyone else experienced this issue? This is holding up our CAS 6.0 deployment.

Additional context: we're running our environment in Docker with the following dependencies:

compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-saml-googleapps:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
compile group: 'net.unicon.iam', name: 'duo-client', version: '0.2.2'
compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"


CAS Splash


   __   ____      _      ____   __
  / /  / ___|    / \    / ___|  \ \
 | |  | |       / _ \   \___ \   | |
 | |  | |___   / ___ \   ___) |  | |
 | |   \____| /_/   \_\ |____/   | |
  \_\                           /_/

CAS Version: 6.0.4
CAS Commit Id: 0f37f54d06b9a43523fdecd5bc3a8a0f31c407eb
CAS Build Date/Time: 2019-07-25T19:42:36Z
Spring Boot Version: 2.1.2.RELEASE
Spring Version: 5.1.3.RELEASE
Java Home: /opt/java/openjdk
Java Vendor: AdoptOpenJDK
Java Version: 11.0.3
JVM Free Memory: 148 MB
JVM Maximum Memory: 2 GB
JVM Total Memory: 261 MB
JCE Installed: Yes
Node Version: N/A
NPM Version: N/A
OS Architecture: amd64
OS Name: Linux
OS Version: 3.10.0-957.el7.x86_64
OS Date/Time: 2019-07-25T19:43:19.511687
OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.20
------------------------------------------------------------

dim...@gmail.com

Aug 8, 2019, 10:27:40 AM
to CAS Community
Yep, I just hit it on 6.0.4

D.

Dmitriy Kopylenko

Aug 8, 2019, 11:36:03 AM
to cas-...@apereo.org
Just confirmed - fixed in 6.1.0-RC4

Best,
D.

L. Auxepaules

Oct 16, 2019, 4:26:12 AM
to CAS Community, dkopy...@unicon.net
Hi,

This issue isn't fixed in version 6.0.5.1, and "SAML2 authn" seems to be broken in version 6.1.0-RC6 (when I test it, there is an exception with opensaml-4.5 that interrupts the authn process).

Where is the patch in the master branch for the exception "org.xml.sax.SAXParseException: Element or attribute do not match QName production: QName::=(NCName':')?NCName." (raised when CAS uses a "urn:oid:...." attribute name)?
Can it be backported to the current CAS release (6.0.x)?

Generally, friendly-name configuration on the CAS IdP doesn't seem to work very well; so, how can we configure the CAS server to produce the assertions (required by federations) described in an AttributeConsumingService: https://apereo.github.io/cas/6.0.x/installation/Configuring-SAML2-Attribute-Release.html#requested-attributes-filter?
When an SP says this in its metadata:

    <md:AttributeConsumingService index="0">
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"></md:RequestedAttribute>
    </md:AttributeConsumingService>

the CAS IdP will produce assertions in the response like this:

    <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>mail...@test.fr</saml2:AttributeValue></saml2:Attribute>

not this:

    <saml2:Attribute FriendlyName="mail" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>mail...@test.fr</saml2:AttributeValue></saml2:Attribute>

and not this:

    <saml2:Attribute FriendlyName="urn:oid:0.9.2342.19200300.100.1.3" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>mail...@test.fr</saml2:AttributeValue></saml2:Attribute>

Best regards,

Ludovic Auxepaules

PS: this is the exception with SAML on CAS version 6.1.0-RC6:
ERROR [org.apache.velocity] - <ResourceManager : unable to find resource '/templates/saml2-post-binding.vm' in any resource loader.>
ERROR [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder] - <Error invoking Velocity template>
org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource '/templates/saml2-post-binding.vm'
        at org.apache.velocity.runtime.resource.ResourceManagerImpl.loadResource(ResourceManagerImpl.java:474) ~[velocity-1.7.jar:1.7]
        at org.apache.velocity.runtime.resource.ResourceManagerImpl.getResource(ResourceManagerImpl.java:352) ~[velocity-1.7.jar:1.7]
        at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1533) ~[velocity-1.7.jar:1.7]
        at org.apache.velocity.app.VelocityEngine.mergeTemplate(VelocityEngine.java:343) ~[velocity-1.7.jar:1.7]
        at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.postEncode(HTTPPostEncoder.java:172) ~[opensaml-saml-impl-3.4.5.jar:?]
        at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.doEncode(HTTPPostEncoder.java:146) ~[opensaml-saml-impl-3.4.5.jar:?]
        at org.opensaml.messaging.encoder.AbstractMessageEncoder.encode(AbstractMessageEncoder.java:53) ~[opensaml-messaging-api-3.4.5.jar:?]
        at org.opensaml.messaging.encoder.servlet.BaseHttpServletResponseXMLMessageEncoder.encode(BaseHttpServletResponseXMLMessageEncoder.java:50) ~[opensaml-messaging-api-3.4.5.jar:?]
        at org.apereo.cas.support.saml.web.idp.profile.builders.enc.encoder.BaseHttpServletAwareSamlObjectEncoder.finalizeEncode(BaseHttpServletAwareSamlObjectEncoder.java:102) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.enc.encoder.BaseHttpServletAwareSamlObjectEncoder.encode(BaseHttpServletAwareSamlObjectEncoder.java:63) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder.encode(SamlProfileSaml2ResponseBuilder.java:130) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder.encode(SamlProfileSaml2ResponseBuilder.java:37) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.BaseSamlProfileSamlResponseBuilder.encodeFinalResponse(BaseSamlProfileSamlResponseBuilder.java:97) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.BaseSamlProfileSamlResponseBuilder.build(BaseSamlProfileSamlResponseBuilder.java:63) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.BaseSamlProfileSamlResponseBuilder$$FastClassBySpringCGLIB$$f1322d9c.invoke(<generated>) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:769) ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]


On Thursday, 8 August 2019 at 17:36:03 UTC+2, Dmitriy Kopylenko wrote:
Just confirmed - fixed in 6.1.0-RC4

Best,
D.

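The three response shapes in the previous message differ only in where the OID URI and the friendly name land, and an SP that keys on Name will only accept the first. The script below is an added example, not code from this thread or from CAS: it parses a constructed SP metadata fragment modelled on the RequestedAttribute quoted above and checks an issued AttributeStatement against it, reporting a missing required attribute, a NameFormat or FriendlyName that differs from the request, and a Name that claims the uri format without being a URI (which catches both "not this" shapes as well as the colon-stripped test workaround from the first post). The md and saml2 namespaces and element names are the standard SAML 2.0 ones; the entityID, the attribute values and the helper names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed SP metadata, modelled on the RequestedAttribute quoted in the thread
# (entityID and the second attribute are made up for the example).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def attr(friendly, name, fmt, value):
    """Build one constructed saml2:Attribute element."""
    return (f'<saml2:Attribute FriendlyName="{friendly}" Name="{name}" NameFormat="{fmt}">'
            f'<saml2:AttributeValue>{value}</saml2:AttributeValue></saml2:Attribute>')


def statement(*attrs):
    """Wrap constructed saml2:Attribute elements in an AttributeStatement."""
    return ('<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
            + "".join(attrs) + "</saml2:AttributeStatement>")


# The shape the SP asked for.
GOOD = statement(attr("mail", "urn:oid:0.9.2342.19200300.100.1.3", URI_FORMAT, "user@example.org"),
                 attr("givenName", "urn:oid:2.5.4.42", URI_FORMAT, "Pat"))
# Name carries the friendly name while claiming the uri format (first "not this" case).
BARE_NAME = statement(attr("mail", "mail", URI_FORMAT, "user@example.org"))
# FriendlyName and Name swapped (second "not this" case).
SWAPPED = statement(attr("urn:oid:0.9.2342.19200300.100.1.3", "mail", URI_FORMAT, "user@example.org"))
# Colons and periods stripped, as in the test-only workaround from the first post.
MANGLED = statement(attr("urnoid25442", "urnoid25442", URI_FORMAT, "Pat"))


def requested_attributes(metadata_xml):
    """Map each RequestedAttribute Name to its FriendlyName, NameFormat and isRequired flag."""
    root = ET.fromstring(metadata_xml)
    wanted = {}
    for ra in root.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        wanted[ra.get("Name")] = {
            "friendly": ra.get("FriendlyName"),
            "format": ra.get("NameFormat", URI_FORMAT),
            "required": ra.get("isRequired", "false").lower() == "true",
        }
    return wanted


def issued_attributes(statement_xml):
    """Map each issued saml2:Attribute Name to its FriendlyName and NameFormat."""
    root = ET.fromstring(statement_xml)
    return {a.get("Name"): {"friendly": a.get("FriendlyName"), "format": a.get("NameFormat")}
            for a in root.iterfind(".//saml2:Attribute", NS)}


def check_assertion(metadata_xml, statement_xml):
    """Return a list of findings; an empty list means the statement satisfies the SP's request."""
    wanted = requested_attributes(metadata_xml)
    issued = issued_attributes(statement_xml)
    findings = []
    for name, spec in wanted.items():
        got = issued.get(name)
        if got is None:
            if spec["required"]:
                findings.append(f"missing required attribute {name} ({spec['friendly']})")
            continue
        if got["format"] != spec["format"]:
            findings.append(f"{name}: NameFormat {got['format']} != requested {spec['format']}")
        if got["friendly"] != spec["friendly"]:
            findings.append(f"{name}: FriendlyName {got['friendly']!r} != requested {spec['friendly']!r}")
    # A Name that claims the uri format but has no URI scheme will not be matched by an
    # SP keying on Name: the bare-name, swapped and colon-stripped shapes all land here.
    for name, got in issued.items():
        if got["format"] == URI_FORMAT and ":" not in name:
            findings.append(f"{name}: NameFormat is uri but Name is not a URI")
    return findings


if __name__ == "__main__":
    for label, stmt in [("good", GOOD), ("bare name", BARE_NAME), ("swapped", SWAPPED), ("mangled", MANGLED)]:
        print(label, "->", check_assertion(SP_METADATA, stmt) or "conformant")
```

The same check can be pointed at a real response by replacing the constructed statement with the saml2:AttributeStatement extracted from a decoded assertion, and at real metadata by loading the SP's published EntityDescriptor; the keys it compares on (Name, NameFormat, FriendlyName, isRequired) are exactly the ones the federation's AttributeConsumingService spells out.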

john.sebert

Nov 19, 2020, 9:58:13 AM
to CAS Community, L. Auxepaules, dkopylenko
How do we get past this? I'm seeing the same issue in CAS 6.2.5. We heavily use this feature, and we need to know how to present the attributes in the proper naming formats that were produced with the mapping in the past.