encoded CAS ticket validation error
Andrew Morgan
morgan at orst.edu
Fri Dec 8 12:03:38 EST 2017
On Fri, 8 Dec 2017, Marvin Addison wrote:
> On Fri, Dec 8, 2017 at 2:28 AM Andrew Morgan <morgan at orst.edu> wrote:
>
>> it seems to be failing at line 93:
>>
>> session = sessionResolver.resolveSingle(new CriteriaSet(new
>> SessionIdCriterion(ticket.getSessionId())));
>>
>> I don't see anything in system/flows/cas/validate-abstract-flow.xml that
>> would make UpdateIdPSessionWithSPSession conditional on server-side
>> storage (especially since the original CAS code required server-side
>> storage).
>
> You're basically running an unsupported configuration, which I fully admit
> is not well documented. You simply can't look up the IdP session with
> client storage since the ticket validation is back-channel where you have
> no access to the browser-based data store. The IdP session is needed in
> order to track SP sessions for logout purposes. With that knowledge in
> hand, you can get around this limitation by disabling SP tracking for CAS
> services in cas-protocol.xml:
>
> <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
> c:regex="https://service\.example\.edu(:\d+)?/.*"
> p:group="urn:mace:example.edu:sso:cas"
> p:authorizedToProxy="false"
> p:singleLogoutParticipant="false" />
>
> The consequence of that change is that CAS services will not participate in
> single logout. I realize the security implications of that change may be
> too great for a workaround, but it will get you past that error.
Setting singleLogoutParticipant="false" fixed the problem (removed the
errors from the log). I thought that idp.session.trackSPSessions = false
would do it, but of course CAS has its own per-SP control of Single
Logout.
Would you mind if I updated the CasProtocolConfiguration wiki page to
include information about encoded tickets, including this "gotcha"?
Assuming I have access, I guess.
Thanks,
Andy
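For readers who hit the same error, here is an added example (not part of the original thread, and not the Shibboleth project's own documentation) of how the workaround Marvin describes fits into cas-protocol.xml alongside the session-storage setting that causes it. The service regexes, group names and the property file values are assumed placeholders; the bean class and the singleLogoutParticipant / authorizedToProxy properties are the ones used in the quoted reply, and idp.session.StorageService / idp.session.trackSPSessions are standard IdP v3 properties.

```xml
<!-- idp.properties (excerpt) - constructed example values.
     Client-side session storage is what triggers the resolveSingle() failure:
     ticket validation is a back-channel call, so the IdP cannot read the
     browser-held session to look up and update the SP session list. -->
<!--
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.session.trackSPSessions = false      # does NOT disable CAS SLO tracking
-->

<!-- cas-protocol.xml (excerpt) - the serviceRegistry list of ServiceDefinition beans -->
<util:list id="shibboleth.CASServiceRegistry">

    <!-- Deployment with server-side storage (e.g. shibboleth.StorageService):
         the IdP session is resolvable during /cas/serviceValidate, so this
         service can take part in single logout. -->
    <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
          c:regex="https://slo-service\.example\.edu(:\d+)?/.*"
          p:group="urn:mace:example.edu:sso:cas"
          p:authorizedToProxy="false"
          p:singleLogoutParticipant="true" />

    <!-- Workaround for client-side session storage: opt the service out of
         SLO so UpdateIdPSessionWithSPSession is never invoked for it.
         Consequence: this service is not notified when the user logs out of
         the IdP, so its own session lifetime is the only protection. -->
    <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
          c:regex="https://service\.example\.edu(:\d+)?/.*"
          p:group="urn:mace:example.edu:sso:cas"
          p:authorizedToProxy="false"
          p:singleLogoutParticipant="false" />

</util:list>
```

The flag is per-service, which is why the global idp.session.trackSPSessions property mentioned above does not help here; each CAS ServiceDefinition that must work with client-side storage needs its own singleLogoutParticipant="false", and each such service loses single logout.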