missing attributes in output from idpv3 /cas/serviceValidate
Paul B. Henson
henson at cpp.edu
Wed Apr 6 15:55:42 EDT 2016
Any other thoughts on this? I generated service tickets for the exact same
service by hand, and then validated them by hand with the serviceValidate
endpoint and the samlValidate endpoint. The serviceValidate endpoint
does not return attributes and the samlValidate endpoint does, for the
same service? Presumably using the same attribute release policies etc?
This seems buggy? My understanding was that the idp supported the
unofficial attribute extensions in the CAS protocol 2.0 serviceValidate
endpoint that were formalized in the 3.0 /p3/serviceValidate endpoint?
I have a number of applications that do not support the samlValidate
endpoint and rely on CAS 2.0 attribute support, so I'm stalled until I
get this sorted out. Any thoughts on further debugging this would be
much appreciated, thanks much...
$ curl -X POST -d service=https://login.proxy-dev.library.cpp.edu/login -d ticket=ST-1459971736202-Y4MhBaVNjJAttteTQJTPvOJmz 'https://idp-dev.cpp.edu/idp/profile/cas/serviceValidate'
<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>henson</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
$ sed -e 's/TICKET/ST-1459971839232-mWLfGvigD4DSccWuovNl7xOFn/' < cas_saml.xml > sub.xml; curl -X POST --header "Content-type: text/xml" --data-binary @sub.xml 'https://idp-dev.cpp.edu/idp/profile/cas/samlValidate?TARGET=https://login.proxy-dev.library.cpp.edu/login'
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <saml1p:Response IssueInstant="2016-04-06T19:44:04.945Z" MajorVersion="1" MinorVersion="1" ResponseID="ST-1459971839232-mWLfGvigD4DSccWuovNl7xOFn" xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
      <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:Success"/>
      </saml1p:Status>
      <saml1:Assertion AssertionID="_2c1f45243cf664636ebe4ae1fc761e88" IssueInstant="2016-04-06T19:44:04.945Z" Issuer="https://idp-dev.cpp.edu/idp/shibboleth" MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml1:Conditions NotBefore="2016-04-06T19:44:04.945Z" NotOnOrAfter="2016-04-06T19:45:04.945Z">
          <saml1:AudienceRestrictionCondition>
            <saml1:Audience>https://login.proxy-dev.library.cpp.edu/login</saml1:Audience>
          </saml1:AudienceRestrictionCondition>
        </saml1:Conditions>
        <saml1:AuthenticationStatement AuthenticationInstant="2016-04-06T19:44:04.945Z" AuthenticationMethod="authn/Password">
          <saml1:Subject>
            <saml1:NameIdentifier>henson</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
        </saml1:AuthenticationStatement>
        <saml1:AttributeStatement>
          <saml1:Subject>
            <saml1:NameIdentifier>henson</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
          <saml1:Attribute AttributeName="cppEduPersonAffiliation" AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">member</saml1:AttributeValue>
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">staff</saml1:AttributeValue>
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">eoc_essential</saml1:AttributeValue>
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">employee</saml1:AttributeValue>
          </saml1:Attribute>
        </saml1:AttributeStatement>
      </saml1:Assertion>
    </saml1p:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
On Mon, Apr 04, 2016 at 12:16:10PM -0700, Paul B. Henson wrote:
> On Mon, Apr 04, 2016 at 01:50:07PM -0500, Tom Zeller wrote:
>
> > > Any thoughts on why the attributes aren't showing up?
> >
> > Are any attributes logged to idp-audit.log for serviceValidate ?
>
> No:
>
> 20160404T173348Z||90997717d48801704a58ea86ecb0a3aad3f6ecd54057f093ea8aa81202a6cc44|https://login.proxy-dev.library.cpp.edu/login?qurl=ezp.2aHR0cHM6Ly9sb2dpbi5wcm94eS1kZXYubGlicmFyeS5jcHAuZWR1L215Z3JvdXBz|https://www.apereo.org/cas/protocol/serviceValidate||||||||ST-1459791228475-OfQ5j0WBuJA54pt2vZzJ26V2V|
>
> They are for the mod_auth_cas service using the exact same attribute
> release policy but calling the saml validate endpoint:
>
> 20160404T175053Z||66a8c410a02e3f2ca8f7638c21b59c2bd1d30d56615f9fd8ecc2b6b8b8a7dde9|https://dunkin.unx.cpp.edu/secured/|https://www.apereo.org/cas/protocol/serviceValidate||||henson||cppEduPersonAffiliation|henson|ST-1459792253445-WkRgbbbHzvaFBiCrNjfXeFwuS|
--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
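A parser for the two response formats compared in the message above, added here for this thread and not code from Shibboleth IdP or Apereo CAS: it pulls the subject and the released attributes out of both the serviceValidate XML and the samlValidate SOAP body, so the two validations of tickets for the same service can be diffed mechanically, and it shows the fail-closed check an application that depends on CAS 2.0 attribute release should make. The first and third samples are the responses posted above (the SAML one abridged to the elements the parser reads); the second is constructed to show the <cas:attributes> block that a serviceValidate response carries when attributes are released.

```python
"""Extract attributes released in CAS serviceValidate and samlValidate responses.

Written for this thread, not IdP or CAS project code. Samples: the two responses
posted in the message (SAML one abridged) plus one constructed serviceValidate
response carrying the <cas:attributes> block the poster expected to see.
"""
import xml.etree.ElementTree as ET

NS = {
    "cas": "http://www.yale.edu/tp/cas",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml1p": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# As posted: authenticationSuccess with no attribute block at all.
CAS_RESPONSE_NO_ATTRS = """<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>henson</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: same subject, with the CAS 3.0-style <cas:attributes> block.
CAS_RESPONSE_WITH_ATTRS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>henson</cas:user>
<cas:attributes>
<cas:cppEduPersonAffiliation>member</cas:cppEduPersonAffiliation>
<cas:cppEduPersonAffiliation>staff</cas:cppEduPersonAffiliation>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# As posted, abridged: Conditions, SubjectConfirmation and xsi declarations dropped.
SAML_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response MajorVersion="1" MinorVersion="1" xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
<saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
<saml1:Assertion MajorVersion="1" MinorVersion="1" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
<saml1:AuthenticationStatement AuthenticationMethod="authn/Password">
<saml1:Subject><saml1:NameIdentifier>henson</saml1:NameIdentifier></saml1:Subject>
</saml1:AuthenticationStatement>
<saml1:AttributeStatement>
<saml1:Subject><saml1:NameIdentifier>henson</saml1:NameIdentifier></saml1:Subject>
<saml1:Attribute AttributeName="cppEduPersonAffiliation" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue>member</saml1:AttributeValue><saml1:AttributeValue>staff</saml1:AttributeValue>
<saml1:AttributeValue>eoc_essential</saml1:AttributeValue><saml1:AttributeValue>employee</saml1:AttributeValue>
</saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""


def parse_cas_service_response(xml_text):
    """Return (user, {name: [values]}); no <cas:attributes> block yields {}."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise ValueError(f"CAS failure {failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("no authenticationSuccess or authenticationFailure element")
    attrs = {}
    block = success.find("cas:attributes", NS)
    if block is not None:
        for child in block:
            name = child.tag.split("}", 1)[-1]  # drop the {namespace} prefix
            attrs.setdefault(name, []).append((child.text or "").strip())
    return success.findtext("cas:user", namespaces=NS), attrs


def parse_saml_validate_response(xml_text):
    """Return (user, {name: [values]}) from the SAML 1.1 response in the SOAP body."""
    response = ET.fromstring(xml_text).find("soap:Body/saml1p:Response", NS)
    if response is None:
        raise ValueError("no saml1p:Response in SOAP body")
    code = response.find("saml1p:Status/saml1p:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError(f"SAML status {None if code is None else code.get('Value')}")
    assertion = response.find("saml1:Assertion", NS)
    user = assertion.findtext(
        "saml1:AuthenticationStatement/saml1:Subject/saml1:NameIdentifier", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml1:AttributeStatement/saml1:Attribute", NS):
        attrs[attr.get("AttributeName")] = [
            (v.text or "").strip() for v in attr.findall("saml1:AttributeValue", NS)]
    return user, attrs


def missing_from_cas(cas_xml, saml_xml):
    """Attribute names samlValidate released but serviceValidate did not, same subject."""
    cas_user, cas_attrs = parse_cas_service_response(cas_xml)
    saml_user, saml_attrs = parse_saml_validate_response(saml_xml)
    if cas_user != saml_user:
        raise ValueError(f"subject mismatch: {cas_user!r} vs {saml_user!r}")
    return sorted(set(saml_attrs) - set(cas_attrs))


def authorize(attrs, name, allowed):
    """Fail closed: an absent attribute denies access rather than reading as 'unrestricted'."""
    return any(v in allowed for v in attrs.get(name, []))
```

Running missing_from_cas on the two posted responses returns ["cppEduPersonAffiliation"], which is the discrepancy the message describes; the authorize helper is the reason it matters for the applications that only speak CAS 2.0: with no attributes in the response, an affiliation check must deny rather than silently pass.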