CAS Shib issues

Nate Klingenstein ndk at
Fri Sep 16 19:22:34 BST 2011

I should add that this falls into the category of non-trivial  
deployment, and as such, you'll have to maintain a metadata file that  
describes the SP yourself and not rely on the built-in generator, if  
you were using that.  You can certainly use what the generator spits  
out as a starting point, and you shouldn't need to change more than  
the AssertionConsumerService Location I referenced in the first  
email.  Host it anywhere, or load it as a file.

On Sep 16, 2011, at 18:13 , Nate Klingenstein wrote:

> Terry,
> For standard Shibboleth rather than CASShib, the endpoint as  
> described in the metadata would be correct.  The first one, in the  
> request as generated by Shibboleth for CASShib I presume, may or may  
> not be correct -- it's not our code nor our product.  From a quick  
> glance at their guide at:
> It would be the special Sessions element handlerURL described there  
> that is causing the mismatch.
> I don't have the spare cycles at this very moment to investigate how  
> CASShib works in more detail, but you can try modifying the SP  
> metadata as loaded by the IdP so that the AssertionConsumerService  
> Location attribute matches that in the AuthnRequest, e.g. 
> .
>             <AssertionConsumerService index="1" isDefault="true"
>                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                 Location=" "/>
> That will resolve the immediate complaint of the IdP.  You may  
> encounter other issues.  If they're primarily related to CASShib,  
> then you might try their mailing list at:
> How I wish I was in Sherbrooke now,
> Nate.
> On Sep 16, 2011, at 17:51 , Terry Soucy wrote:
>> Heya,
>> We just installed our first IdP (latest version) and SP (again, latest
>> version in the yum repository) and are having some issues with the
>> CASShib module.  We are able to auth to the IdP without error with
>> apache, but once we put CASShib into the mix, we get errors.
>> The assertion is telling the IdP that the endpoint is
>> ,
>> but the metadata says that the ACS is
>>  We tried
>> modifying the handlerURL on the SP, but that doesn't update the metadata
>> information.  What are we missing?
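
Added example, not part of the original thread and not Shibboleth or CASShib code: a small offline check that compares the AssertionConsumerServiceURL in an AuthnRequest with the AssertionConsumerService endpoints declared in the SP metadata, which is the mismatch discussed above. The hostnames, paths and request values are constructed placeholders, and the exact string comparison is an assumption about how the endpoints are compared.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample inputs: hostnames and paths are placeholders, not from the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2011-09-16T16:51:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.org/casshib/app/Shibboleth.sso/SAML2/POST"/>"""


def metadata_endpoints(metadata_xml):
    """Return the set of (Binding, Location) pairs the SP metadata declares."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return {(acs.get("Binding"), acs.get("Location")) for acs in root.iterfind(path, NS)}


def check_request(request_xml, metadata_xml):
    """Compare the request's binding and ACS URL with the metadata, exactly."""
    req = ET.fromstring(request_xml)  # root element is the AuthnRequest itself
    wanted = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL"))
    declared = metadata_endpoints(metadata_xml)
    return {"requested": wanted, "declared": sorted(declared), "match": wanted in declared}


if __name__ == "__main__":
    result = check_request(AUTHN_REQUEST, SP_METADATA)
    print("requested:", result["requested"])
    for endpoint in result["declared"]:
        print("declared: ", endpoint)
    print("match:", result["match"])
```

Run it against the metadata file the IdP actually loads, since that copy is the one the request is compared with.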
