SAML flow broken for HTTP since 6.2.0


Ania Dabrowa

Nov 2, 2020, 9:28:21 AM
to CAS Community

When upgrading CAS from 6.1.7.2 to 6.2.0, we noticed that the flow stopped working on the local server. After some investigation, it turned out to be happening only locally (where we are using HTTP) and only on Chrome, while it was working on Firefox. The problem does not occur in our other environments where HTTPS is used.

Details about the flow:

CAS is used as an IdP that authenticates users based on the provided JWT, generates a SAML request, and in the end, redirects to the third party.

The following endpoints are used:

  • /login?service=CAS_HOST%2Fidp%2Fprofile%2FSAML2%2FUnsolicited%2FSSO%3FproviderId%3DSERVICE_PROVIDER_ID%3Ftarget%3DEXTERNAL_URL_OR_PATH&token=JWT_TOKEN
  • /idp/profile/SAML2/Unsolicited/SSO?providerId=SERVICE_PROVIDER_ID&target=EXTERNAL_URL_OR_PATH&ticket=TICKET
  • /login?service=CAS_HOST/idp/profile/SAML2/Callback?entityId=SERVICE_PROVIDER_ID&SAMLRequest=SAML_REQUEST&RelayState
  • /idp/profile/SAML2/Callback?entityId=SERVICE_PROVIDER_ID&SAMLRequest=SAML_REQUEST&RelayState=EXTERNAL_URL_OR_PATH&ticket=TICKET

In Chrome the second to last endpoint (/login) returns an error (login page is shown), instead of redirecting to the last endpoint (/idp/profile/SAML2/Callback).

The logs do not help much; they just seem to drop at some point. It looks like retrieving the ticket is missing, and as the problems are only on Chrome, this may be somehow connected to the cookies.

Configuration details:

  • cas.properties (some irrelevant properties are removed)

# This is required to deploy behind a proxy: https://apereo.github.io/2018/01/05/cas-deployment-with-proxy/

server.port=8080
server.ssl.enabled=false
server.servlet.context-path=/

cas.server.prefix=${cas.server.name}
cas.server.scope=${cas.server.name}
cas.server.tomcat.http.enabled=false
cas.server.tomcat.httpProxy.enabled=true
cas.server.tomcat.httpProxy.secure=true
cas.server.tomcat.httpProxy.scheme=https
cas.server.tomcat.httpProxy.proxyPort=443
cas.server.tomcat.httpProxy.protocol=HTTP/1.1

cas.authn.accept.users=
cas.authn.samlIdp.entityId=${cas.server.name}/idp

cas.ticket.registry.jpa.driverClass=org.postgresql.Driver
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.PostgreSQLDialect

# Tickets/Session TTL configuration
cas.ticket.tgt.timeToKillInSeconds=300
cas.ticket.tgt.maxTimeToLiveInSeconds=300
cas.ticket.tgt.rememberMe.enabled=false

cas.tgc.crypto.enabled=true
cas.ticket.registry.jpa.crypto.enabled=true
cas.webflow.crypto.enabled=true

  • Locally some configuration is overridden:
CAS_TGC_SECURE=false
CAS_SERVER_TOMCAT_HTTPPROXY_SECURE=false
CAS_SERVER_TOMCAT_HTTPPROXY_SCHEME=http
CAS_SERVER_TOMCAT_HTTPPROXY_PROXYPORT=80

  • JWT service definition
{
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "CAS_HOST/.*",
    "name": "JWT",
    "id": 1,
    "properties": {
        "@class": "java.util.HashMap",
        "jwtSigningSecret": {
            "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
            "values": [ "java.util.HashSet", ["KEY"] ]
        },
        "jwtSigningSecretAlg" : {
            "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
            "values" : [ "java.util.HashSet", [ "HS512" ] ]
        },
        "jwtSecretsAreBase64Encoded" : {
            "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
            "values" : [ "java.util.HashSet", [ "false" ] ]
        }
    }
}
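One way to test the cookie hypothesis raised in the post, as an added diagnostic that is not CAS code and not from the poster: feed the Set-Cookie headers returned by the /login response over plain HTTP into this checker and see whether Chrome would discard the ticket-granting cookie. It assumes (not confirmed by the post) that the TGC's SameSite/Secure attributes are what differs between browsers: Chrome 80+ drops a SameSite=None cookie that lacks the Secure attribute, which Firefox did not enforce by default; the sample headers below are constructed.

```python
# Added diagnostic (not CAS code): flag Set-Cookie headers that Chrome will
# discard on a plain-HTTP origin, which would explain a dropped TGC.
from typing import Dict, List, Tuple

# Constructed sample headers, modelled on what a CAS /login response might send.
SAMPLE_SET_COOKIES = [
    "TGC=eyJhbGciOi...; Path=/; HttpOnly; SameSite=None",          # hypothesis: dropped by Chrome
    "TGC=eyJhbGciOi...; Path=/; Secure; HttpOnly; SameSite=None",  # only valid over HTTPS
    "TGC=eyJhbGciOi...; Path=/; HttpOnly; SameSite=Lax",           # accepted over HTTP
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def chrome_rejects_over_http(header: str) -> List[str]:
    """Reasons Chrome would refuse to store this cookie when set from http://."""
    _, _, attrs = parse_set_cookie(header)
    reasons: List[str] = []
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        reasons.append("SameSite=None without Secure (Chrome 80+ drops it)")
    if "secure" in attrs:
        reasons.append("Secure attribute set from an insecure origin")
    return reasons


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each header to its rejection reasons (empty list means accepted)."""
    return {h: chrome_rejects_over_http(h) for h in headers}


if __name__ == "__main__":
    for header, reasons in audit(SAMPLE_SET_COOKIES).items():
        print(header, "->", reasons or "accepted")
```

Replace the sample list with the real Set-Cookie values captured from the local HTTP deployment (browser dev tools, Network tab) to see which attribute combination the local overrides produce.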
