[cas-user] CAS5.3.x Error in CAS as IDP


Jay

Jun 13, 2018, 1:17:22 AM
to CAS Community
Hello everyone,
We have configured CAS as IdP and exposed the entityID and metadata file generated by CAS as IdP to the Service Provider application.

When we try to hit the application, the SP redirects to the CAS login page, but there is no request information in the URL (neither the SAML request nor the redirection URL).

Also in the logs we see,

2018-06-13 00:06:12,656 DEBUG [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] - <Request does not specify a [TARGET] or request body is empty>
2018-06-13 00:06:12,657 DEBUG [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation>
2018-06-13 00:06:12,661 ERROR [org.apereo.cas.util.CompressionUtils] - <Base64 decoding failed>
java.util.zip.ZipException: incorrect header check
at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:164) ~[?:1.8.0_31]
at java.io.FilterInputStream.read(FilterInputStream.java:107) ~[?:1.8.0_31]
at org.apereo.cas.util.CompressionUtils.decodeByteArrayToString(CompressionUtils.java:106) ~[cas-server-core-util-api-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder.decodeSamlAuthnRequest(AbstractSaml20ObjectBuilder.java:444) ~[cas-server-support-saml-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.support.saml.authentication.principal.GoogleAccountsServiceFactory.createService(GoogleAccountsServiceFactory.java:30) ~[cas-server-support-saml-googleapps-core-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.support.saml.authentication.principal.GoogleAccountsServiceFactory.createService(GoogleAccountsServiceFactory.java:21) ~[cas-server-support-saml-googleapps-core-5.3.0-RC2.jar:5.3.0-RC2]
at sun.reflect.GeneratedMethodAccessor202.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_31]
at java.lang.reflect.Method.invoke(Method.java:483) ~[?:1.8.0_31]
at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216) ~[spring-core-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470) ~[spring-cloud-context-1.3.0.RELEASE.jar:1.3.0.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at com.sun.proxy.$Proxy156.createService(Unknown Source) ~[?:?]
at org.apereo.cas.web.support.DefaultArgumentExtractor.lambda$extractServiceInternal$0(DefaultArgumentExtractor.java:46) ~[cas-server-core-web-api-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.web.support.DefaultArgumentExtractor$$Lambda$193/172916214.apply(Unknown Source) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_31]
at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1351) ~[?:1.8.0_31]
at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) ~[?:1.8.0_31]
at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:529) ~[?:1.8.0_31]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:516) ~[?:1.8.0_31]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:502) ~[?:1.8.0_31]
at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) ~[?:1.8.0_31]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_31]
at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) ~[?:1.8.0_31]
at org.apereo.cas.web.support.DefaultArgumentExtractor.extractServiceInternal(DefaultArgumentExtractor.java:52) ~[cas-server-core-web-api-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.web.support.AbstractArgumentExtractor.extractService(AbstractArgumentExtractor.java:33) ~[cas-server-core-web-api-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.getRegisteredServiceFromRequest(RegisteredServiceResponseHeadersEnforcementFilter.java:105) ~[cas-server-core-web-api-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.shouldHttpHeaderBeInjectedIntoResponse(RegisteredServiceResponseHeadersEnforcementFilter.java:93) ~[cas-server-core-web-api-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.decideInsertCacheControlHeader(RegisteredServiceResponseHeadersEnforcementFilter.java:73) ~[cas-server-core-web-api-5.3.0-RC2.jar:5.3.0-RC2]
at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:225) ~[cas-server-security-filter-2.0.10.2.jar:2.0.10.2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.apereo.cas.security.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:94) ~[cas-server-security-filter-2.0.10.2.jar:2.0.10.2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110) ~[spring-boot-actuator-1.5.9.RELEASE.jar:1.5.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:91) ~[cas-server-core-logging-5.3.0-RC2.jar:5.3.0-RC2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) ~[spring-boot-actuator-1.5.9.RELEASE.jar:1.5.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:115) ~[spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
at org.springframework.boot.web.support.ErrorPageFilter.access$000(ErrorPageFilter.java:59) ~[spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
at org.springframework.boot.web.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:90) ~[spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:108) ~[spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) ~[inspektr-common-1.8.1.GA.jar:1.8.1.GA]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-web-2.10.0.jar:2.10.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) ~[catalina.jar:8.0.29]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) ~[catalina.jar:8.0.29]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) ~[catalina.jar:8.0.29]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) ~[catalina.jar:8.0.29]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) ~[catalina.jar:8.0.29]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) ~[catalina.jar:8.0.29]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) ~[tomcat-coyote.jar:8.0.29]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) ~[tomcat-coyote.jar:8.0.29]
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:277) ~[tomcat-coyote.jar:8.0.29]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_31]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_31]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:8.0.29]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_31]

Any help here would be appreciated.

Thanks,
Jay


David Curry

Jun 13, 2018, 8:22:33 AM
to cas-...@apereo.org
What does your service registry entry look like? Did you install the SP's metadata somewhere that CAS can read it (either in a file on the CAS server or at a URL the CAS server can fetch it from)? The Base64 decoding error suggests that either the SP's metadata or the XML SAML request the SP is sending is garbled.

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 david...@newschool.edu

The New School



Jay

Jun 14, 2018, 1:23:19 AM
to CAS Community
Thank you David for your response.
Below is my service registry entry,

SP's metadata is read from url which is on the SP server.

Thanks,
Jay

David Curry

Jun 14, 2018, 8:10:47 AM
to cas-...@apereo.org
The serviceId looks wrong to me. It's supposed to be the entityID of the service, i.e., the same value that's in the entityID attribute of the EntityDescriptor element in the SP's metadata. Anything's possible, I suppose, but I would not expect that to be the URL of the SP's metadata. I would expect it to either be the URL of the service itself (or its login page), or just a string that doesn't even have a URL-like format.

And I trust that you've pointed a web browser, or curl, or something at the URL contained in metadataLocation to make sure it actually returns correct, readable metadata?

Also, can you confirm that you copied the IdP (CAS server) metadata and crypto key files:

/etc/cas/saml/idp-encryption.crt
/etc/cas/saml/idp-encryption.key
/etc/cas/saml/idp-metadata.xml
/etc/cas/saml/idp-signing.crt
/etc/cas/saml/idp-signing.key

(or wherever you store them) into your overlay so that they get re-deployed whenever you rebuild/redeploy/restart the server? If those files aren't there when the server starts, it will generate new ones. The new ones will be different than the ones generated previously, which means the server's "running" metadata will not match the server metadata you gave the SP. And since the metadata includes crypto keys...

--Dave


Jay

Jun 18, 2018, 1:42:22 AM
to CAS Community
Hi Dave,
Thanks again.

Yes I did verify the EntityId field in the metadata xml shared by the SP. It happens to be the same. 
i.e. Their metadata xml file location and the entityId value matches.

Yes, curl command with the metadata url returns me readable metadata information.

Yes, the IdP metadata and crypto files are placed in the overlay and I am sure they are not generated when I deploy the overlay.

Could you please let me know what information I should share with the SP? (Is it only the IdP metadata file?)

Thanks and Regards,
Jay

Bergner, Arnold

Jun 18, 2018, 2:43:42 AM
to cas-...@apereo.org

David Curry

Jun 18, 2018, 7:40:45 AM
to cas-...@apereo.org
The SP should only need the IdP's metadata and the base url (https://your.cas.server/cas/idp).

Arnold's suggestion is a good one -- check your Tomcat settings for HTTP header size.

You could also try configuring another SP and see if the issue is on the IdP side or the SP side...



Jay

Jun 19, 2018, 1:46:28 AM
to CAS Community
Thank you Dave and Arnold.
I will check the HTTP Header size and I guess right now it might be using the default value.

I asked the SP application team to recheck/update the signing key and encryption generated by the IdP. It seems that after updating, the CAS IdP application is not able to read the metadata from the location mentioned in the service registry.


Jay

Jun 20, 2018, 4:26:57 AM
to CAS Community
I placed the metadata information as an XML file in the classpath and updated the location of the path in the service registry. I do not see any issue now with the below error.

As part of the SAML response to the calling SP, we need to send back the email ID only. Is this the right way to define it in the registry file?

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://<sp-server-url>/protocol/saml2/metadata",
  "name" : "SPProfile",
  "id" : 428485768118272,
  "evaluationOrder" : 10,
  "metadataLocation" : "classpath:/cas-qa/saml/sp-metadata/metadata.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : ["mail"]
  }
}

Thanks,
Jay

David Curry

Jun 20, 2018, 5:14:59 AM
to cas-...@apereo.org
Assuming you want to return email ID as an attribute, yes, that looks right. If you need to return it as the principal id, that would be a bit different.


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 david...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.
   

Jay

Jun 20, 2018, 5:30:25 AM
to CAS Community
Yes David, I will need to return it as an attribute to the SP calling application.

Is there anything I need to take care to add/update in the IdP metadata or any other properties to send the email attribute?

As always you are so awesome and I hoped you are in bed at this time early. :)

Thanks,
Jay

David Curry

Jun 20, 2018, 5:36:54 AM
to cas-...@apereo.org

Jay

Jun 20, 2018, 12:34:23 PM
to CAS Community
I am having a working session with the SP application and noticed the following error in the logs.


2018-06-20 11:15:17,532 ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <CAS has found a match for service [https://sp-server.com/protocol/saml2/metadata] in registry but the match is not defined as a SAML service>

2018-06-20 11:19:35,662 ERROR [org.apereo.cas.util.serialization.AbstractJacksonBackedStringSerializer] - <Cannot read/parse [{"@class":"org.apereo.cas.support.saml.services.SamlRegisteredService","serviceId":"https://sp-server.com/pr...] to deserialize into type [interface org.apereo.cas.services.RegisteredService]. This may be caused in the absence of a configuration/support module that knows how to interpret the fragment, specially if the fragment describes a CAS registered service definition. Internal parsing error is [Could not resolve type id 'mail' as a subtype of [collection type; class java.util.List, contains [simple type, class java.lang.String]]: no such class found
 at [Source: (String)"{"@class":"org.apereo.cas.support.saml.services.SamlRegisteredService","serviceId":"https://sp-server.com/protocol/saml2/metadata","name":"SPProfile","id":428485768118272,"evaluationOrder":10,"metadataLocation":"classpath:/cas-qa/saml/sp-metadata/metadata.xml","attributeReleasePolicy":{"@class":"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy","allowedAttributes":["mail"]}}"; line: 1, column: 400] (through reference chain: org.apereo.cas.support.saml.services.SamlRegisteredService["attributeReleasePolicy"]->org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy["allowedAttributes"])]>
2018-06-20 11:19:35,663 DEBUG [org.apereo.cas.util.serialization.AbstractJacksonBackedStringSerializer] - <Could not resolve type id 'mail' as a subtype of [collection type; class java.util.List, contains [simple type, class java.lang.String]]: no such class found
 at [Source: (String)"{"@class":"org.apereo.cas.support.saml.services.SamlRegisteredService","serviceId":"https://sp-server.com/protocol/saml2/metadata","name":"SPProfile","id":428485768118272,"evaluationOrder":10,"metadataLocation":"classpath:/cas-qa/saml/sp-metadata/metadata.xml","attributeReleasePolicy":{"@class":"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy","allowedAttributes":["mail"]}}"; line: 1, column: 400] (through reference chain: org.apereo.cas.support.saml.services.SamlRegisteredService["attributeReleasePolicy"]->org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy["allowedAttributes"])>
com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'mail' as a subtype of [collection type; class java.util.List, contains [simple type, class java.lang.String]]: no such class found
 at [Source: (String)"{"@class":"org.apereo.cas.support.saml.services.SamlRegisteredService","serviceId":"https://sp-server.com/protocol/saml2/metadata","name":"SPProfile","id":428485768118272,"evaluationOrder":10,"metadataLocation":"classpath:/cas-qa/saml/sp-metadata/metadata.xml","attributeReleasePolicy":{"@class":"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy","allowedAttributes":["mail"]}}"; line: 1, column: 400] (through reference chain: org.apereo.cas.support.saml.services.SamlRegisteredService["attributeReleasePolicy"]->org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy["allowedAttributes"])


Any help would be much appreciated.

Thanks,
Jay

Jay

Jun 21, 2018, 4:52:32 AM
to CAS Community
CAS is expecting an ArrayList, so I had to update the ReturnAttributes to an ArrayList as below,

"allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]

Thanks,
Jay
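
A pre-deployment check for the `Could not resolve type id 'mail'` failure above, as an added example (not part of the thread and not CAS code). It assumes that every list-valued property in a service definition needs the `[ "java.util.ArrayList", [ ... ] ]` wrapper shown in the fix, and it reports any bare array together with the first element that would be read as a type id; the function names are hypothetical.

```python
import json
import re

# A dotted Java class name such as java.util.ArrayList; a bare "mail" does not match.
JAVA_CLASS = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")

# The definition from the thread, before and after the fix.
BROKEN = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://<sp-server-url>/protocol/saml2/metadata",
  "name" : "SPProfile",
  "id" : 428485768118272,
  "evaluationOrder" : 10,
  "metadataLocation" : "classpath:/cas-qa/saml/sp-metadata/metadata.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : ["mail"]
  }
}"""
FIXED = BROKEN.replace('["mail"]', '[ "java.util.ArrayList", [ "mail" ] ]')


def is_typed_wrapper(arr):
    """True for the two-element form [ "java.util.ArrayList", [ ... ] ]."""
    return (len(arr) == 2 and isinstance(arr[0], str)
            and JAVA_CLASS.match(arr[0]) is not None
            and isinstance(arr[1], list))


def find_untyped_lists(node, path="$"):
    """Return [(json_path, first_element)] for arrays missing the type wrapper."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += find_untyped_lists(value, f"{path}.{key}")
    elif isinstance(node, list):
        if is_typed_wrapper(node):
            items = node[1]          # payload of a correctly wrapped list
        else:
            found.append((path, node[0] if node else None))
            items = node
        for i, item in enumerate(items):
            found += find_untyped_lists(item, f"{path}[{i}]")
    return found


def check_service_definition(text):
    """Parse a strict-JSON service definition and list its unwrapped arrays."""
    return find_untyped_lists(json.loads(text))


if __name__ == "__main__":
    for label, text in (("before", BROKEN), ("after", FIXED)):
        for path, first in check_service_definition(text):
            print(f"{label}: {path} is a bare array; {first!r} would be read as the type id")
```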

teddyfran

Mar 22, 2019, 3:10:59 PM
to CAS Community
Hi Jay,

Sir, would you mind sharing exactly what you did to clear the error you reported above? I've checked my maxHttpHeaderSize in Tomcat and set it to the recommended value, but it is still an issue. Can you help?

Thanks!