Hello,
I’m trying to send claims with CAS to a SharePoint application. CAS is sending a SAML assertion, but it is unrecognized by SharePoint.
My service is configured as follows:
{
  "@class" : "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
  "serviceId" : "^https://xxxxx(/?|/.*)",
  "name" : "Sample WsFed Application",
  "id" : "102",
  "realm": "urn:org:apereo:cas:ws:idp:realm-CAS",
  "tokenType" : "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.ws.idp.services.WSFederationClaimsReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "USER_PRINCIPAL_NAME_2005" : "name",
      "EMAIL_ADDRESS_2005": "mail",
      "PRIMARY_SID": "sid",
      "MS_ROLE": "roles"
    }
  }
}
The SAML assertion is supposed to send back 4 claims, but when I look at the returned assertion, I have this:
2018-04-19 10:34:21,693 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f726f6c65>xxxx</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f726f6c65>]>
2018-04-19 10:34:21,694 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f656d61696c61646472657373>xx</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f656d61696c61646472657373>]>
2018-04-19 10:34:21,696 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f75706e>xxx</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f75706e>]>
2018-04-19 10:34:21,696 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:credentialType>UsernamePasswordCredential</cas:credentialType>]>
2018-04-19 10:34:21,700 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:securityToken>[…]</cas:securityToken>]>
2018-04-19 10:34:21,701 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:samlAuthenticationStatementAuthMethod>urn:oasis:names:tc:SAML:1.0:am:password</cas:samlAuthenticationStatementAuthMethod>]>
2018-04-19 10:34:21,701 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77732f323030382f30362f6964656e746974792f636c61696d732f7072696d617279736964>xxxx</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77732f323030382f30362f6964656e746974792f636c61696d732f7072696d617279736964>]>
I looked into the code, and it seems to me that these strange attributes are the SharePoint claims, hex-encoded, but they are not decoded during the assertion generation.
Am I doing something wrong?
Thanks in advance
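The attribute names in the DEBUG output above are the claim URIs as hex-encoded UTF-8 (a URI such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn contains ':' and '/', which are not legal in an XML element name). The following is an added troubleshooting helper, not CAS code: it reads Cas30ResponseView log lines, decodes such names back to their claim URIs so the released claims can be compared against the service's allowedAttributes, and leaves ordinary names (credentialType, a short name that merely looks like hex) untouched. The sample log is constructed from the lines quoted in the post; the claim values are the poster's placeholders.

```python
import re

# Constructed sample: four of the Cas30ResponseView lines quoted in the post.
SAMPLE_LOG = """\
2018-04-19 10:34:21,693 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f726f6c65>xxxx</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f726f6c65>]>
2018-04-19 10:34:21,694 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f656d61696c61646472657373>xx</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f656d61696c61646472657373>]>
2018-04-19 10:34:21,696 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f75706e>xxx</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f75706e>]>
2018-04-19 10:34:21,696 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:credentialType>UsernamePasswordCredential</cas:credentialType>]>
2018-04-19 10:34:21,701 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Formatted attribute for the response: [<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77732f323030382f30362f6964656e746974792f636c61696d732f7072696d617279736964>xxxx</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f77732f323030382f30362f6964656e746974792f636c61696d732f7072696d617279736964>]>
"""

# One <cas:NAME>value</cas:NAME> element; the backreference keeps open/close tags paired.
ATTR_RE = re.compile(r"<cas:([A-Za-z0-9_.-]+)>(.*?)</cas:\1>")
# An even-length run of hex digits is the only shape a hex-encoded name can have.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def decode_attribute_name(name: str) -> str:
    """Return the claim URI behind a hex-encoded attribute name, else the name unchanged.

    Only names that are entirely hex AND decode to printable UTF-8 are treated as
    encoded, so a plain name such as 'credentialType' (not hex) or 'cafe'
    (hex, but not valid UTF-8 once decoded) passes through untouched.
    """
    if not HEX_RE.match(name):
        return name
    try:
        decoded = bytes.fromhex(name).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return name
    return decoded if decoded.isprintable() else name


def encode_attribute_name(claim_uri: str) -> str:
    """Inverse of decode_attribute_name: the element name CAS would emit for a claim URI."""
    return claim_uri.encode("utf-8").hex()


def extract_claims(log_text: str) -> dict:
    """Map each released attribute (claim URI or plain name) to its value,
    reading only 'Formatted attribute for the response' lines."""
    claims = {}
    for line in log_text.splitlines():
        if "Formatted attribute for the response" not in line:
            continue
        for name, value in ATTR_RE.findall(line):
            claims[decode_attribute_name(name)] = value
    return claims


if __name__ == "__main__":
    for claim, value in extract_claims(SAMPLE_LOG).items():
        print(f"{claim} = {value}")
```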