Error SAML 2.0 + Access Strategy


Alexi Pascual

Oct 30, 2018, 12:18:43 PM10/30/18
to CAS Community

hi,

We have a SAML 2.0 integration with Coursera and it works well. However, when I add an access rule, the following error appears:

URL: https://server.cl/cas/idp/profile/SAML2/Callback.+?entityId=https%3A%2F%2Fshibboleth.coursera.org%2Fsp&SAMLRequest=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%2BPC9zYW1scDpBdXRoblJlcXVlc3Q%2B&RelayState&ticket=ST-1586-5sU7YpMxhVf22toid1e1msEd8oM-sso-prod3

org.jasig.cas.client.validation.TicketValidationException: UNAUTHORIZED_SERVICE
	at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:84)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)
	at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController.validateRequestAndBuildCasAssertion(SSOSamlProfileCallbackHandlerController.java:149)
	at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController.handleCallbackProfileRequest(SSOSamlProfileCallbackHandlerController.java:115)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:741)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
	at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
	at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:673)
	at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController$$EnhancerBySpringCGLIB$$4a57c9b7.handleCallbackProfileRequest(<generated>)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)

The rule is as follows:

        "requiredAttributes" : {
            "@class" : "java.util.HashMap",
            "employeeType" : [
                "java.util.HashSet",
                [
                    "1",
                    "2",
                    "3"
                ]
            ]
        }

We can not continue with the integration without having resolved the Access Strategy, so I would appreciate any help.

regards,

-- 
Alexi Pascual

Alexi Pascual

Oct 30, 2018, 1:05:38 PM10/30/18
to cas-...@apereo.org

Sorry, I forgot to add our version of CAS. It is 5.2.8.


On 10/30/18 at 13:18, Alexi Pascual wrote:
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/99d865b1-545a-2f81-3daa-0535e7579a48%40uc.cl.

-- 
Alexi Pascual García
Head of Architecture and Integration
Deputy Directorate of Operations and Platform
IT Directorate
Pontificia Universidad Católica de Chile
Phone: (56 2) 2354 5759

Misagh Moayyed

Oct 31, 2018, 3:22:10 PM10/31/18
to CAS Community, alexi....@uc.cl
I can't recall specifically, but I do know this has been fixed in later versions of 5.3.x.

Alexi Pascual

Nov 8, 2018, 2:30:26 PM11/8/18
to cas-...@apereo.org

Thanks Misagh. We did some tests with version 5.3.4 and found the same error. However, in this version we were able to detect the problem.

The problem occurs when we try to use an access rule with requiredAttributes and we have not sent this attribute via attributeReleasePolicy. Without this, the parameter arrives blank in the SAMLRequest.

regards,


On 10/31/18 at 16:22, Misagh Moayyed wrote:
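The mismatch described in the last post, as an added example that is not from the thread or from the CAS project: a constructed CAS 5.x SAML service definition whose access strategy requires employeeType while the ReturnAllowedAttributeReleasePolicy does not release it, plus a small check that flags required-but-unreleased attributes before the service goes live. The entity ID is the one from the thread; the service id, name and metadataLocation are placeholders, and the check assumes the attribute is resolved from the attribute repository in the first place (it only inspects the service JSON).

```python
import json

# Constructed CAS 5.x SAML service definition (not taken from the thread). The
# access strategy requires employeeType but the release policy never releases
# it, which is the mismatch the last post identifies. The entity ID is the one
# from the thread; id and metadataLocation are placeholders.
SERVICE_JSON = """
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://shibboleth.coursera.org/sp",
  "name" : "Coursera",
  "id" : 1000,
  "metadataLocation" : "/etc/cas/saml/coursera-sp-metadata.xml",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "employeeType" : [ "java.util.HashSet", [ "1", "2", "3" ] ]
    }
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail", "uid" ] ]
  }
}
"""

def typed_items(value):
    """Unwrap Jackson's typed form ["java.util.X", [items]] used in CAS JSON."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[0], str):
        return value[1]
    return value

def unreleased_required(service):
    """Attribute names the access strategy requires but the policy never sends."""
    required = service.get("accessStrategy", {}).get("requiredAttributes", {})
    names = {k for k in required if k != "@class"}
    policy = service.get("attributeReleasePolicy", {})
    if policy.get("@class", "").endswith("ReturnAllAttributeReleasePolicy"):
        return set()  # everything resolved is released; nothing to flag
    allowed = typed_items(policy.get("allowedAttributes", []))
    allowed = set(allowed) - {"@class"}  # ReturnMapped uses a map; keys are names
    return names - allowed

def check(service_json):
    """Sorted list of required-but-unreleased attributes, [] when consistent."""
    return sorted(unreleased_required(json.loads(service_json)))
```

Adding "employeeType" to allowedAttributes makes check() return an empty list, which is the corrected configuration the thread arrives at.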