idp 3.3 CAS SSO to portal problem
Mathis, Bradley
bmathis at pima.edu
Tue Aug 7 12:36:10 EDT 2018
Howdy all,
I'm using idp v3.3 in our test environment. We are attempting to combine our
current SSO environment which consists of a combination of
an idp v2.x server and a CAS 3.4.x server to idp 3.3. So far I've been
fairly successful in my testing. I have gmail and testshib working
correctly on
the shib/idp side of the house, and I have several Ellucian/Banner
applications that are working correctly using the CAS protocol, and have
successfully configured DUO authentication as well. OK so much for all the
success. We use CampusEAI portal (liferay backend I think).
In production it's authenticating against our CAS 3.4.x server. For
testing I'm working with CampusEAI support to configure our TEST portal
to use our new idp v3 server's CAS functionality and I'm not able to
login successfully. As I mentioned other CAS based apps are working.
When I attempt to login to our test portal https://mypima-stage.pima.edu
I'm redirected to the login screen
and authenticate successfully. Then I'm sent to the portal and just get a
blank screen, with a URL like
the following
"https://mypima-stage.pima.edu/paf/authorize?ticket=ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti"
The error on my side is
"Service issued for https://mypima-stage.pima.edu/paf/authorize does not
match https://mypima-stage.pima.edu/paf/configuration/saml"
The error on the portal side is
"Caused by: javax.servlet.ServletException:
org.jasig.cas.client.validation.TicketValidationException:
org.opensaml.SAMLException: E_SERVICE_MISMATCH
at
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:194)"
I will list some of the log file information below along with part of an
SSO Trace. Let me also add that while
researching this problem, I found a reference here
"http://shibboleth.1660669.n2.nabble.com/CAS-validation-error-td7632584.html"
that appears to be very similar to what I'm seeing. I have added the section
to my relying party xml as suggested by Marvin Addison, and
I believe I have added it correctly. Input, insight and suggestions
appreciated. BTW campusEAI is also checking things on their side.
+++++++++++++++++ portions of relying-party.xml ++++++++++++++++++++++++++++++
<bean id="CAS.ValidateConfiguration.default"
parent="CAS.ValidateConfiguration"
p:resolveAttributes="false">
<property name="serviceComparator">
<bean
class="net.shibboleth.idp.cas.service.impl.DefaultServiceComparator"
c:parameterNames="[a-z]+sessionid" />
</property>
</bean>
........
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<bean parent="Shibboleth.SSO"
p:postAuthenticationFlows="attribute-release" />
<ref bean="SAML1.AttributeQuery" />
<ref bean="SAML1.ArtifactResolution" />
<bean parent="SAML2.SSO"
p:postAuthenticationFlows="attribute-release" />
<ref bean="SAML2.ECP" />
<ref bean="SAML2.Logout" />
<ref bean="SAML2.AttributeQuery" />
<ref bean="SAML2.ArtifactResolution" />
<ref bean="Liberty.SSOS" />
<ref bean="CAS.LoginConfiguration" />
<ref bean="CAS.ProxyConfiguration" />
<ref bean="CAS.ValidateConfiguration.default" />
</list>
</property>
</bean>
......
<bean parent="RelyingPartyByGroup" c:groupNames="mypima-stage">
<property name="profileConfigurations">
<list>
<bean parent="CAS.LoginConfiguration" />
<bean parent="CAS.ProxyConfiguration" />
<bean parent="CAS.ValidateConfiguration.default" />
</list>
</property>
</bean>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO:
our idp v3.3 server: https://login-stage.pima.edu
our hosted stage portal: https://mypima-stage.pima.edu
here's what's logged.
idp-audit.log
20180807T145441Z|||https://mypima-stage.pima.edu/paf/authorize|https://www.apereo.org/cas/protocol/login||||bmathis|||bmathis|ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti|
20180807T145442Z|||https://mypima-stage.pima.edu/paf/configuration/saml|https://www.apereo.org/cas/protocol/serviceValidate||||||||ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti|
portion of idp-process.log
2018 08-07 07:54:42,631 - DEBUG
[net.shibboleth.idp.cas.flow.impl.ValidateTicketAction:92] - Attempting to
validate ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti
2018-08-07 07:54:42,631 - DEBUG
[net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:212] - Reading
ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti
2018-08-07 07:54:42,633 - DEBUG
[net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:244] - Attempting
to delete ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti from context
https://www.apereo.org/cas/protocol/login
2018-08-07 07:54:42,633 - DEBUG
[net.shibboleth.idp.cas.flow.impl.ValidateTicketAction:101] - Found and
removed
ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti/891c7f00018882bee354d9c952811dff949600b2d770d15d5516ee5a1f956f15
from ticket store
2018-08-07 07:54:42,633 - DEBUG
[net.shibboleth.idp.cas.flow.impl.ValidateTicketAction:113] - Service
issued for https://mypima-stage.pima.edu/paf/authorize does not match
https://mypima-stage.pima.edu/paf/configuration/saml
2018-08-07 07:54:42,634 - DEBUG
[org.springframework.webflow.execution.ActionExecutor:53] - Finished
executing net.shibboleth.idp.cas.flow.impl.ValidateTicketAction at 56f2c3b8;
result = ServiceMismatch
SSO trace of login attempt to https://mypima-stage.pima.edu
+++++++++++++++++++++++++++++
GET
https://mypima-stage.pima.edu/group/mycampus/home;jsessionid=46471601AEB449254D4ED5764855D75F
HTTP/1.1
GET Parameters:
jsessionid: 46471601AEB449254D4ED5764855D75F
Host: mypima-stage.pima.edu
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=46471601AEB449254D4ED5764855D75F;
GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
HTTP/?.? 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6C345416FA54420EFDDD2DEF9E451E7C; Path=/; Secure;
HttpOnly
GUEST_LANGUAGE_ID=en_US; Expires=Wed, 07-Aug-2019 15:00:39 GMT; Path=/;
Secure
Location:
https://mypima-stage.pima.edu/c/portal/login?redirect=%2Fgroup%2Fmycampus%2Fhome%3Bjsessionid%3D46471601AEB449254D4ED5764855D75F&p_l_id=2379501
Content-Length: 0
Date: Tue, 07 Aug 2018 15:00:39 GMT
+++++++++++++++++++++++++++++
GET
https://mypima-stage.pima.edu/c/portal/login?redirect=%2Fgroup%2Fmycampus%2Fhome%3Bjsessionid%3D46471601AEB449254D4ED5764855D75F&p_l_id=2379501
HTTP/1.1
GET Parameters:
redirect: /group/mycampus/home;jsessionid=46471601AEB449254D4ED5764855D75F
p_l_id: 2379501
Host: mypima-stage.pima.edu
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=6C345416FA54420EFDDD2DEF9E451E7C;
GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
HTTP/?.? 302 Found
Server: Apache-Coyote/1.1
Location:
https://login-stage.pima.edu/idp/profile/cas/login?service=https%3A%2F%2Fmypima-stage.pima.edu%2Fpaf%2Fauthorize
Content-Length: 0
Date: Tue, 07 Aug 2018 15:00:39 GMT
+++++++++++++++++++++++++++++
GET
https://login-stage.pima.edu/idp/profile/cas/login?service=https%3A%2F%2Fmypima-stage.pima.edu%2Fpaf%2Fauthorize
HTTP/1.1
GET Parameters:
service: https://mypima-stage.pima.edu/paf/authorize
Host: login-stage.pima.edu
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=node0i2bwjezx6fm31vsocqogin35o6.node0; UqZBpD3n=v16FbUgw@
@j9y
HTTP/?.? 302 Found
Set-Cookie:
JSESSIONID=node0pe6d5phmq50i1qgaf4nlqby0k8.node0;Path=/idp;Secure
Expires:
Cache-Control: no-store
Location: https://login-stage.pima.edu/idp/profile/cas/login?execution=e1s1
Content-Length: 0
Server: Jetty(9.4.11.v20180605)
+++++++++++++++++++++++++++++
GET https://login-stage.pima.edu/idp/profile/cas/login?execution=e1s1
HTTP/1.1
GET Parameters:
execution: e1s1
Host: login-stage.pima.edu
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=node0pe6d5phmq50i1qgaf4nlqby0k8.node0; UqZBpD3n=v16FbUgw@
@j9y
HTTP/?.? 200 OK
Cache-Control: no-store
Content-Type: text/html;charset=utf-8
Content-Length: 2754
Server: Jetty(9.4.11.v20180605)
+++++++++++++++++++++++++++++
POST https://login-stage.pima.edu/idp/profile/cas/login?execution=e1s1
HTTP/1.1
GET Parameters:
execution: e1s1
Host: login-stage.pima.edu
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://login-stage.pima.edu/idp/profile/cas/login?execution=e1s1
Cookie: JSESSIONID=node0pe6d5phmq50i1qgaf4nlqby0k8.node0; UqZBpD3n=v16FbUgw@
@j9y
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
POST Parameters:
j_username: bmathis
j_password: xxxxxxxxxxxxxxxxxxxxx
_eventId_proceed:
HTTP/?.? 302 Found
Cache-Control: no-store
Set-Cookie:
shib_idp_session=891c7f00018882bee354d9c952811dff949600b2d770d15d5516ee5a1f956f15;Path=/idp;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location:
https://mypima-stage.pima.edu/paf/authorize?ticket=ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti
Content-Length: 0
Server: Jetty(9.4.11.v20180605)
+++++++++++++++++++++++++++++
GET
https://mypima-stage.pima.edu/paf/authorize?ticket=ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti
HTTP/1.1
GET Parameters:
ticket: ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti
Host: mypima-stage.pima.edu
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://login-stage.pima.edu/idp/profile/cas/login?execution=e1s1
Cookie: JSESSIONID=6C345416FA54420EFDDD2DEF9E451E7C;
GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
HTTP/?.? 500 Internal Server Error
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Tue, 07 Aug 2018 15:00:45 GMT
Connection: close
Brad Mathis
Principal Systems Analyst
Pima Community College
IT - Technical Services
520.206.4826
bmathis at pima.edu
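An added example (not from the original post, and not code from the Shibboleth project) that reproduces the service comparison behind the E_SERVICE_MISMATCH above and runs it over idp-audit.log lines. It pairs each ticket's login entry with its validation entry and flags pairs whose service URLs still differ once parameters whose names match the post's `[a-z]+sessionid` regex are stripped, which is the ignore rule the DefaultServiceComparator bean in the relying-party.xml excerpt configures. Assumptions: the audit field positions are read off the two lines quoted above (service in field 3, profile in field 4, the ticket being the field that starts with `ST-`), the comparator is a simplified reimplementation rather than the IdP's own class, and the `app.example.edu` lines are constructed to show a pair that matches only after normalisation.

```python
"""Flag CAS service mismatches in Shibboleth IdP audit log lines.

Added example, not code from the original post or the Shibboleth project.
It mimics the check that ValidateTicketAction logs as "Service issued for X
does not match Y": the service URL a ticket was issued for must equal the
service URL presented when that ticket is validated, ignoring parameters
whose names match the comparator regex from relying-party.xml.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Same pattern as c:parameterNames="[a-z]+sessionid" in the post's
# CAS.ValidateConfiguration.default bean; names matching it are ignored.
IGNORED_PARAM = re.compile(r"^[a-z]+sessionid$", re.IGNORECASE)

# Profile URI recorded at login time (taken from the audit lines in the post).
LOGIN_PROFILE = "https://www.apereo.org/cas/protocol/login"


def normalize_service(url: str) -> str:
    """Canonical form of a service URL with ignored parameters removed.

    Handles ';name=value' matrix parameters in the path (what a servlet
    container appends for jsessionid) as well as ?name=value query
    parameters. Scheme and host are lower-cased; the fragment is dropped.
    This is a simplified stand-in for the IdP's DefaultServiceComparator.
    """
    parts = urlsplit(url)
    path = ";".join(
        seg for i, seg in enumerate(parts.path.split(";"))
        if i == 0 or not IGNORED_PARAM.match(seg.split("=", 1)[0])
    )
    query = urlencode(
        [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
         if not IGNORED_PARAM.match(k)]
    )
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, query, ""))


def services_match(issued_for: str, presented: str) -> bool:
    """True when the two service URLs are equal after normalisation."""
    return normalize_service(issued_for) == normalize_service(presented)


def parse_audit_line(line: str):
    """Return (profile, service, ticket) from one idp-audit.log line, or None.

    Field positions are an assumption read off the two lines quoted in the
    post: service is field 3, profile is field 4, and the ticket is the
    field that starts with 'ST-'. Deployments with a custom audit format
    string will need different indices.
    """
    fields = line.rstrip("\n").split("|")
    if len(fields) < 5:
        return None
    ticket = next((f for f in fields if f.startswith("ST-")), None)
    return fields[4], fields[3], ticket


def find_mismatches(lines):
    """Pair each ticket's login and validation entries; return the mismatches.

    Each result is (ticket, service_issued_for, service_presented).
    """
    issued = {}
    mismatches = []
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None or parsed[2] is None:
            continue
        profile, service, ticket = parsed
        if profile == LOGIN_PROFILE:
            issued[ticket] = service
        elif profile.endswith("Validate") and ticket in issued:
            # serviceValidate / proxyValidate / samlValidate share this suffix.
            if not services_match(issued[ticket], service):
                mismatches.append((ticket, issued[ticket], service))
    return mismatches


# Constructed sample: the two entries quoted in the post, re-joined onto one
# line each, plus a constructed pair for a hypothetical app.example.edu client
# that differs only in its jsessionid matrix parameter and therefore matches.
SAMPLE_AUDIT = [
    "20180807T145441Z|||https://mypima-stage.pima.edu/paf/authorize"
    "|https://www.apereo.org/cas/protocol/login||||bmathis|||bmathis"
    "|ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti|",
    "20180807T145442Z|||https://mypima-stage.pima.edu/paf/configuration/saml"
    "|https://www.apereo.org/cas/protocol/serviceValidate||||||||"
    "ST-1533653680905-mYdWI7UHoJMRv1S0Nton335Ti|",
    "20180807T150000Z|||https://app.example.edu/login;jsessionid=AAA"
    "|https://www.apereo.org/cas/protocol/login||||bmathis|||bmathis"
    "|ST-CONSTRUCTED-0001|",
    "20180807T150001Z|||https://app.example.edu/login;jsessionid=BBB"
    "|https://www.apereo.org/cas/protocol/serviceValidate||||||||"
    "ST-CONSTRUCTED-0001|",
]

if __name__ == "__main__":
    for ticket, issued_for, presented in find_mismatches(SAMPLE_AUDIT):
        print(f"{ticket}: issued for {issued_for}, validated with {presented}")
```

Against a real file, `find_mismatches(open("idp-audit.log"))` lists every ticket whose client presented a different `service` at validation than at login. On the sample, only the post's own ticket is reported: `/paf/authorize` versus `/paf/configuration/saml` is a path difference, which the session-id ignore list cannot reconcile, whereas the constructed `app.example.edu` pair differs only in `jsessionid` and passes.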