CAS Shib issues


Terry Soucy

Sep 16, 2011, 1:51:38 PM
to us...@shibboleth.net, Joel Goguen
Heya,

We just installed our first IdP (latest version) and SP (again, latest
version in the yum repository) and are having some issues with the
CASShib module. We are able to auth to the IdP without error with
apache, but once we put CASShib into the mix, we get errors.

The assertion is telling the IdP that the endpoint is
https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST,
but the metadata says that the ACS is
https://myunbtest.its.unb.ca/Shibboleth.sso/SAML2/POST. We tried
modifying the handlerURL on the SP, but that doesn't update the metadata
information. What are we missing?

Terry

--
Terry Soucy, Systems Analyst Integrated Technology Services
University of New Brunswick, Fredericton Campus http://www.unbf.ca/its
Voice: 506.447.3018 Fax: 506.453.3590 E-mail: terry...@unb.ca
** ITS is a scent-reduced workplace - www.unbf.ca/its/policies **
--
To unsubscribe from this list send an email to users-un...@shibboleth.net

Nate Klingenstein

Sep 16, 2011, 2:13:08 PM
to Shib Users, Joel Goguen
Terry,

For standard Shibboleth rather than CASShib, the endpoint as described in the metadata would be correct.  The first one, in the request as generated by Shibboleth for CASShib I presume, may or may not be correct -- it's not our code nor our product.  From a quick glance at their guide at:


It would be the special Sessions element handlerURL described there that is causing the mismatch.

I don't have the spare cycles at this very moment to investigate how CASShib works in more detail, but you can try modifying the SP metadata as loaded by the IdP so that the AssertionConsumerService Location attribute matches that in the AuthnRequest, e.g. https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST.


That will resolve the immediate complaint of the IdP.  You may encounter other issues.  If they're primarily related to CASShib, then you might try their mailing list at:


How I wish I was in Sherbrooke now,
Nate.

Nate Klingenstein

Sep 16, 2011, 2:22:34 PM
to Shib Users, Joel Goguen
I should add that this falls into the category of non-trivial deployment, and as such, you'll have to maintain a metadata file that describes the SP yourself and not rely on the built-in generator, if you were using that.  You can certainly use what the generator spits out as a starting point, and you shouldn't need to change more than the AssertionConsumerService Location I referenced in the first email.  Host it anywhere, or load it as a file.
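The mismatch Nate describes is the check an IdP makes before it will return an assertion: the AssertionConsumerServiceURL in the AuthnRequest must be one of the AssertionConsumerService Locations declared in the SP metadata it has loaded. The following is an added example, not Shibboleth or CASShib code; the metadata and AuthnRequest are constructed (abridged, with an assumed entityID) from the two URLs quoted in the thread, and the last function applies the edit suggested for a hand-maintained metadata file.

```python
"""Verify that an AuthnRequest's ACS URL is declared in the SP metadata, and
rewrite the ACS Location in a hand-maintained metadata file when it is not."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ET.register_namespace("md", NS["md"])  # keep the md: prefix on re-serialisation

# Constructed SP metadata, abridged to what the generator emits for the ACS.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://myunbtest.its.unb.ca/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myunbtest.its.unb.ca/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest as issued via the CASShib handlerURL (abridged).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed_id" Version="2.0" IssueInstant="2011-09-16T17:51:38Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST"/>"""


def acs_locations(metadata_xml):
    """Set of (Binding, Location) pairs for every ACS endpoint in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iterfind(".//md:AssertionConsumerService", NS)}


def request_acs(authn_request_xml):
    """(ProtocolBinding, AssertionConsumerServiceURL) taken from an AuthnRequest."""
    req = ET.fromstring(authn_request_xml)
    return req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL")


def acs_matches(metadata_xml, authn_request_xml):
    """True only if the request's binding+URL pair is declared in the metadata.
    An IdP that skipped this check could be steered into posting assertions to
    an endpoint the SP never registered, which is why the IdP refuses instead."""
    return request_acs(authn_request_xml) in acs_locations(metadata_xml)


def with_acs_location(metadata_xml, old_location, new_location):
    """Return metadata with one ACS Location rewritten (the fix from the thread)."""
    root = ET.fromstring(metadata_xml)
    for e in root.iterfind(".//md:AssertionConsumerService", NS):
        if e.get("Location") == old_location:
            e.set("Location", new_location)
    return ET.tostring(root, encoding="unicode")
```

Run `acs_matches(SP_METADATA, AUTHN_REQUEST)` against the generated metadata and it is False; after `with_acs_location(...)` rewrites the Location to the CASShib URL it is True.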

John Mitchell

Sep 16, 2011, 2:53:26 PM
to Shib Users, Joel Goguen
Terry,

I have been able to make casshib work. It's a thorny thing to set up
and difficult to maintain but it does work. I would recommend you look
at simplesamlphp though as it bridges CAS to SAML with a Shibboleth
IdP without all the effort and configuration complexity. I can help
you with either if you like (although free help is always fairly slow,
so beware :-)).

--
John P. Mitchell <jpmit...@alaska.edu>
907.450.8320
http://www.alaska.edu/oit/iam

"All mankind is divided into three classes: those that are immovable,
those that are movable, and those that move." - Benjamin Franklin
