CAS 5.2 SAML IdP, with Internet Explorer, fails building "service" parameter sent to CAS login page


JON

Jul 15, 2018, 5:53:50 AM
to CAS Community


Hi all


With Firefox and Chrome, everything works correctly, but with Internet Explorer, the URL built by AbstractSamlProfileHandlerController is different from the one built with Firefox and Chrome.


This URL is sent to the CAS login page as the "service" parameter.



With Firefox or Chrome:


2018-07-14 17:06:18,081 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml2.core.impl.AuthnRequestImpl]

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
......
</ds:Signature>
</saml2p:AuthnRequest>
 
2018-07-14 17:06:18,081 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
2018-07-14 17:06:18,086 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Created service url [https://cas.saml.idp:8443/cas/idp/profile/SAML2/Callback.+?entityId=http%3A%2F%2Flocalhost.cas.example.org%3A8082%2FTestSamlPac4j%2Fcallback%3Fclient_name%3DSAML2Client&SAMLRequest=PD94bWwgdmVyc2lvbj0iMS............8L3NhbWwycDpBdXRoblJlcXVlc3Q%2B&RelayState=http%3A%2F%2Flocalhost.cas.example.org%3A8082%2FTestSamlPac4j%2Fcallback%3Fclient_name%3DSAML2Client]>


With Internet Explorer:


2018-07-14 17:54:40,978 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml2.core.impl.AuthnRequestImpl]

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
......
</ds:Signature>
</saml2p:AuthnRequest>
2018-07-14 17:54:40,978 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
2018-07-14 17:54:40,979 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Created service url [https://cas.saml.idp:8443/cas/idp/profile/SAML2/Callback.+?entityId=http%3A%2F%2Flocalhost.cas.example.org%3A8082%2FTestSamlPac4j%2Fcallback%3Fclient_name%3DSAML2Client&SAMLRequest=PD94bWwgdmVyc2lvbj0iMS............8L3NhbWwycDpBdXRoblJlcXVlc3Q%2B&RelayState]>



I don't know if Internet Explorer may be deleting the value of the RelayState parameter, or even truncating the value of the SAMLRequest parameter.


Finally, after several exchanges, it ends up failing with the following error:


2018-07-14 17:54:40,978 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Retrieving authentication request from scope>
2018-07-14 17:54:40,978 ERROR [net.shibboleth.utilities.java.support.xml.BasicParserPool] - <XML Parsing Error>
org.xml.sax.SAXParseException: XML document structures must start and end within the same entity.
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203) ~[?:1.8.0_172]
at .........
at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController.retrieveSamlAuthenticationRequestFromHttpRequest(AbstractSamlProfileHandlerController.java:283) ~[cas-server-support-saml-idp-5.2.2.jar:5.2.2]

 


Does anyone know what may be happening?



Thank you

            Jon



David Curry

Jul 15, 2018, 1:16:09 PM
to cas-...@apereo.org
Internet Explorer has a ridiculously short maximum length of 2,083 characters for URLs. If you are exceeding that length, that's why it's not working.

Empirically, I believe the problem mostly occurs when you're using a SAML SP that requires signed and/or encrypted assertions, because the CAS-generated URLs are much longer. If you're using a SAML SP that doesn't require signed/encrypted assertions, the URLs are not nearly as long. I've never really tested this thoroughly to confirm it, but it's what I observed when comparing SAML SPs that worked with Internet Explorer to SAML SPs that didn't.

We ran into this when combining CAS SAML IdP, Duo MFA, and Internet Explorer -- the Duo iframe would just come up blank instead of displaying the text/buttons the user needed to complete the second factor authentication. We managed to work around it by modifying the Duo Web SDK JavaScript to be a little smarter; I posted that fix here a week or two ago. But if you're not using Duo, then that fix isn't going to help you.

In our installation, for the month or so between when we encountered the problem and we finally figured out what the cause was, we modified the CAS Duo view page (appears after the login/password page and before the service) to detect the user's browser and, if it was Internet Explorer, put up a message that told the user to use a different browser because IE sucks. We didn't get too much push-back on that, but since we were in a pilot mode, it was only a couple of hundred users total, and only a few dozen affected.

--Dave
  

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School



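To make the length problem Dave describes concrete, here is an added sizing check (my own example, not code from the thread or from CAS). It rebuilds the two URL shapes visible in Jon's log, the `Callback?entityId=...&SAMLRequest=...&RelayState=...` service URL and, assumed here to be the standard CAS login path, the `/cas/login?service=` URL that wraps and re-encodes it, then shows what a parser sees once the service URL is cut at the 2,083-character limit. The AuthnRequest is a constructed stand-in whose filler models the size of an XML-DSig signature block.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlencode, urlparse

IE_MAX_URL_LEN = 2083  # Internet Explorer limit quoted in the thread

# Values taken from the "Created service url" line in the first post
CAS_BASE = "https://cas.saml.idp:8443/cas"
CALLBACK = CAS_BASE + "/idp/profile/SAML2/Callback"
ENTITY_ID = "http://localhost.cas.example.org:8082/TestSamlPac4j/callback?client_name=SAML2Client"


def fake_authn_request(signature_bytes: int) -> str:
    """Constructed stand-in for a SAML2 AuthnRequest; the filler models a signature block."""
    sig = "A" * signature_bytes
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_1" Version="2.0">'
            '<ds:Signature><ds:SignatureValue>' + sig + '</ds:SignatureValue></ds:Signature>'
            '</saml2p:AuthnRequest>')


def build_service_url(authn_request_xml: str, relay_state: str) -> str:
    """Same shape as the logged service URL: base64 SAMLRequest plus RelayState."""
    saml_request = base64.b64encode(authn_request_xml.encode()).decode()
    query = urlencode({"entityId": ENTITY_ID, "SAMLRequest": saml_request, "RelayState": relay_state})
    return CALLBACK + "?" + query


def build_login_url(service_url: str) -> str:
    """Assumed CAS login path: the service URL becomes a parameter and is encoded once more."""
    return CAS_BASE + "/login?service=" + quote(service_url, safe="")


def fits_ie(url: str) -> bool:
    return len(url) <= IE_MAX_URL_LEN


def replay_truncated(service_url: str) -> str:
    """Cut the service URL at the IE limit and report what the IdP would see on callback."""
    params = parse_qs(urlparse(service_url[:IE_MAX_URL_LEN]).query, keep_blank_values=True)
    reason = "" if params.get("RelayState", [""])[0] else "RelayState lost; "
    try:
        xml = base64.b64decode(params.get("SAMLRequest", [""])[0], validate=True)
        ET.fromstring(xml)  # the IdP's XML parse step from the stack trace
        return reason + "SAMLRequest parses"
    except (ValueError, ET.ParseError) as exc:  # bad base64 padding or cut-off XML
        return reason + "SAMLRequest unusable: " + type(exc).__name__


if __name__ == "__main__":
    for sig_len in (64, 1500):
        svc = build_service_url(fake_authn_request(sig_len), ENTITY_ID)
        print(sig_len, len(svc), fits_ie(svc), len(build_login_url(svc)), replay_truncated(svc))
```

Note that the login URL is always longer than the service URL it wraps, because every `%`, `/` and `=` in the service URL is percent-encoded again, so a request that fits at the callback can still exceed the limit one hop later.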

JON

Jul 15, 2018, 2:32:07 PM
to CAS Community
Hi Dave

In my case, it's not possible to ask the user to use another browser. Internet Explorer is no longer the corporate browser, but it cannot be discarded.

As a horizontal security system, we must accept Internet Explorer.

This is an improvement opportunity for CAS as SAML IdP.


Thank you very much
            
             Jon