encoded CAS ticket validation error

Andrew Morgan morgan at orst.edu
Fri Dec 8 12:03:38 EST 2017


On Fri, 8 Dec 2017, Marvin Addison wrote:

> On Fri, Dec 8, 2017 at 2:28 AM Andrew Morgan <morgan at orst.edu> wrote:
>
>> it seems to be failing at line 93:
>>
>>    session = sessionResolver.resolveSingle(new CriteriaSet(new
>> SessionIdCriterion(ticket.getSessionId())));
>>
>> I don't see anything in system/flows/cas/validate-abstract-flow.xml that
>> would make UpdateIdPSessionWithSPSession conditional on server-side
>> storage (especially since the original CAS code required server-side
>> storage).
>
> You're basically running an unsupported configuration, which I fully admit
> is not well documented. You simply can't look up the IdP session with
> client storage since the ticket validation is back-channel where you have
> no access to the browser-based data store. The IdP session is needed in
> order to track SP sessions for logout purposes. With that knowledge in
> hand, you can get around this limitation by disabling SP tracking for CAS
> services in cas-protocol.xml:
>
> <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
>      c:regex="https://service\.example\.edu(:\d+)?/.*"
>      p:group="urn:mace:example.edu:sso:cas"
>      p:authorizedToProxy="false"
>      p:singleLogoutParticipant="false" />
>
> The consequence of that change is that CAS services will not participate in
> single logout. I realize the security implications of that change may be
> too great for a workaround, but it will get you past that error.

Setting singleLogoutParticipant="false" fixed the problem (removed the 
errors from the log).  I thought that idp.session.trackSPSessions = false 
would do it, but of course CAS has its own per-SP control of Single 
Logout.

Would you mind if I updated the CasProtocolConfiguration wiki page to 
include information about encoded tickets, including this "gotcha"? 
Assuming I have access, I guess.

Thanks,
 	Andy
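Added example (not code from the thread or from the Shibboleth project): an audit script that reads a cas-protocol.xml and lists every CAS ServiceDefinition whose singleLogoutParticipant is false, i.e. the services the workaround above excludes from single logout, so the trade-off Marvin describes stays visible rather than buried in the config. SAMPLE_XML is constructed; the Spring beans/p/c namespace URIs are assumed to match the deployment's file.

```python
"""Audit a Shibboleth IdP cas-protocol.xml for CAS services excluded from single logout.
Added example, not code from the IdP project or from the thread. SAMPLE_XML is
constructed; the namespace URIs are the standard Spring ones and are assumed here.
"""
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
C_NS = "http://www.springframework.org/schema/c"
SERVICE_DEF = "net.shibboleth.idp.cas.service.ServiceDefinition"

# Constructed sample: the workaround from the thread (p:singleLogoutParticipant="false"),
# a service left at the default, and the same flag written in nested <property> form.
SAMPLE_XML = r"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
        c:regex="https://service\.example\.edu(:\d+)?/.*"
        p:group="urn:mace:example.edu:sso:cas"
        p:authorizedToProxy="false"
        p:singleLogoutParticipant="false" />
  <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
        c:regex="https://other\.example\.edu/.*"
        p:group="urn:mace:example.edu:sso:cas" />
  <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
        c:regex="https://legacy\.example\.edu/.*">
    <property name="singleLogoutParticipant" value="false"/>
  </bean>
</beans>
"""


def slo_excluded_services(xml_text: str) -> list[str]:
    """Return the c:regex of every ServiceDefinition whose singleLogoutParticipant is false."""
    root = ET.fromstring(xml_text)
    excluded = []
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):
        if bean.get("class") != SERVICE_DEF:
            continue
        flag = bean.get(f"{{{P_NS}}}singleLogoutParticipant")
        if flag is None:  # fall back to the verbose <property name=... value=.../> form
            for prop in bean.findall(f"{{{BEANS_NS}}}property"):
                if prop.get("name") == "singleLogoutParticipant":
                    flag = prop.get("value")
        if flag is not None and flag.strip().lower() == "false":
            excluded.append(bean.get(f"{{{C_NS}}}regex", "<no regex>"))
    return excluded
```

Services not listed still participate in single logout (the default), so an empty result means the IdP session will be needed for every CAS service and the encoded-ticket failure above would recur for all of them.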

