Error with one pac4j SAML2 IdP affects entire setup


Ganesh Prasad

Aug 28, 2018, 11:25:50 AM
to CAS Community
My application has a number of client organisations that want their users to use their Active Directory through a SAML2 Identity Provider (IdP).

No problem, CAS supports this by being able to define multiple sets of properties using cas.authn.pac4j.saml[0], cas.authn.pac4j.saml[1], cas.authn.pac4j.saml[2], etc.

Yesterday, I got a nasty surprise when one of those external IdPs went down. This affected my application, because other users started getting errors when trying to log in.

2018-08-29 01:13:26,917 ERROR [net.shibboleth.utilities.java.support.xml.BasicParserPool] - <XML Parsing Error>
org.xml.sax.SAXParseException: The element type "br" must be terminated by the matching end-tag "</br>".
        at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203) ~[?:1.8.0_171]

I had to edit cas.properties, comment out all the config options for the misbehaving IdP and restart CAS. That was the only way to isolate the problem and let the functioning parts of the system continue working.

But this shouldn't have been necessary. Shouldn't CAS be able to isolate a misbehaving IdP and merely suppress the display of its link on the login page?

Ganesh

Ganesh Prasad

Aug 28, 2018, 11:46:02 AM
to CAS Community
I should add that this IdP configuration was being added for the first time on this server.

We have Dev, Test and Prod environments. The Dev version of the client's IdP was working a couple of weeks ago, so I added the corresponding IdP config in the Test environment today, after adding the certificate file to the Test CAS server's /etc/ssl/certs directory and configuring the cas.properties file to point to the Test IdP's metadata URL. Exactly the same thing I had done a couple of weeks ago in Dev.

Today in Test, it appears the login URL being sent back in the IdP metadata XML (the Location attribute of the md:SingleSignOnService tag) was unreachable, so CAS was unable to create the local SP metadata XML file, and all other problems then resulted from that. The list of services was not being loaded from the JSON file, and the error message shown to users was 'Application not authorised to use CAS'.

The problems went away as soon as I commented out all of the offending IdP's parameters in cas.properties. That was the only way I could isolate it.

Ganesh

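As an added example (not part of this thread, of CAS or of pac4j), a small pre-flight check an operator can run over the metadata document of each cas.authn.pac4j.saml[N] entry before enabling it, so that the two failure modes described above surface before a restart: an HTML error page served where metadata XML was expected (the unterminated "br" parse error in the log) and a missing or unusable SingleSignOnService Location. Fetching the metadata is left to the caller; the sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # standard SAML 2.0 metadata namespace


def validate_idp_metadata(raw: bytes) -> list:
    """Return the problems found in one IdP's metadata document; an empty list means usable.
    Checks only what the failure in the thread needed: well-formed XML, a single md:EntityDescriptor
    with an md:IDPSSODescriptor, and absolute https md:SingleSignOnService Locations.
    Aggregates (md:EntitiesDescriptor) are not handled."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        # An HTML error page served at the metadata URL fails here with the same kind of
        # error the thread shows (an unterminated "br" element).
        hint = " (looks like HTML, not metadata)" if re.match(rb"\s*<(!DOCTYPE\s+)?html", raw, re.I) else ""
        return [f"not well-formed XML: {exc}{hint}"]
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no md:IDPSSODescriptor: this is not IdP metadata"]
    endpoints = idp.findall(f"{{{MD_NS}}}SingleSignOnService")
    if not endpoints:
        problems.append("no md:SingleSignOnService endpoint")
    for ep in endpoints:
        loc = ep.get("Location", "")
        u = urlparse(loc)
        if u.scheme != "https" or not u.netloc:
            problems.append(f"SingleSignOnService Location {loc!r} is not an absolute https URL")
    return problems


def failing_idps(metadata_by_index: dict) -> dict:
    """Map each cas.authn.pac4j.saml[N] index to its problems; healthy IdPs are omitted."""
    return {n: p for n, raw in metadata_by_index.items() if (p := validate_idp_metadata(raw))}


# Constructed sample documents (not taken from any real IdP).
GOOD_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
HTML_ERROR_PAGE = b"<html><body><h1>503 Service Unavailable</h1><br></body></html>"
RELATIVE_LOCATION = GOOD_METADATA.replace(b"https://idp.example.test/sso/redirect", b"/sso/redirect")
```

Only the indices reported by failing_idps need to be left commented out in cas.properties; the others can be enabled as planned.
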
sairam aagiru

Jan 7, 2019, 2:51:19 AM
to CAS Community
Hello Ganesh,
I'm trying to integrate CAS with SAML using the pac4j (cas-server-support-pac4j-webflow) support project from CAS by following the document below:
I am using the SSO (ACS) URL https://witty.wavity.net/saml/login to consume the SAML assertion. Now, when the user gets logged in at the IdP, i.e. at Okta, it redirects to the ACS URL with a forbidden error. So how can I configure CAS to consume the SAML assertion from the IdP and have CAS grant a TGT to the SAML-asserted user?

Can you please help me out with the steps I need to follow at CAS once it receives the SAML assertion from any of the IdPs.