idp 3.3 CAS SSO to portal problem

Paul B. Henson henson at cpp.edu
Tue Aug 14 00:33:58 EDT 2018


On Tue, Aug 07, 2018 at 09:36:10AM -0700, Mathis, Bradley wrote:

> The error on my side is
> "Service issued for https://mypima-stage.pima.edu/paf/authorize does not
> match https://mypima-stage.pima.edu/paf/configuration/saml"

I believe this error occurs when the CAS service ticket is issued for
one URL, but the service tries to validate it with a different one.

For example, if I look in my access log for the idp for a CAS
authentication, you see a login request for
https://my.cpp.edu/uPortal/Login -

108.73.149.194 - - [13/Aug/2018:21:30:19 -0700] "GET
/idp/profile/cas/login?service=https://my.cpp.edu/uPortal/Login
HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106
Safari/537.36"

Then a serviceValidate for the same URL:

134.71.247.204 - - [13/Aug/2018:21:30:21 -0700] "GET
/idp/profile/cas/serviceValidate?pgtUrl=&ticket=ST-1534221021616-aD78COVmE2ON3Jtyv4priLZqb&service=https%3A%2F%2Fmy.cpp.edu%2FuPortal%2FLogin
HTTP/1.1" 200 231 "-" "Java/1.8.0_162"

Your service appears to be sending the user to /idp/profile/cas/login
with one URL, but then calling /idp/profile/cas/serviceValidate to
verify the ticket passing a different URL...

You should be able to verify this in the access log, and then you just
need to figure out why it's doing it :).

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768
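
The access-log check described above can be scripted. The following is an added example, not part of the original message and not IdP code: it flags each serviceValidate request whose service URL matches no recent login request. The login line carries no ticket, so requests are paired by a time window (an assumption, default 300 seconds). The sample lines, IPs and tickets are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (documentation-range IPs, made-up tickets): the first
# pair mirrors the matching flow in the message, the second the reported mismatch.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Aug/2018:21:30:19 -0700] "GET /idp/profile/cas/login?service=https://my.cpp.edu/uPortal/Login HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2018:21:30:21 -0700] "GET /idp/profile/cas/serviceValidate?pgtUrl=&ticket=ST-1-constructed&service=https%3A%2F%2Fmy.cpp.edu%2FuPortal%2FLogin HTTP/1.1" 200 231 "-" "Java/1.8.0_162"
192.0.2.11 - - [13/Aug/2018:21:31:02 -0700] "GET /idp/profile/cas/login?service=https://mypima-stage.pima.edu/paf/authorize HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.8 - - [13/Aug/2018:21:31:03 -0700] "GET /idp/profile/cas/serviceValidate?ticket=ST-2-constructed&service=https%3A%2F%2Fmypima-stage.pima.edu%2Fpaf%2Fconfiguration%2Fsaml HTTP/1.1" 200 231 "-" "Java/1.8.0_162"
"""

LINE_RE = re.compile(r'\[([^\]]+)\] "GET (/idp/profile/cas/(login|serviceValidate)\?\S*) HTTP')

def parse_cas_requests(log_text):
    """Yield (timestamp, endpoint, service, ticket) for CAS login/validate hits."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        # parse_qs percent-decodes, so encoded and raw service values compare equal
        params = parse_qs(urlsplit(m.group(2)).query)
        service = params.get("service", [None])[0]
        ticket = params.get("ticket", [None])[0]
        yield when, m.group(3), service, ticket

def find_service_mismatches(log_text, window_seconds=300):
    """Return validations whose service URL matches no login in the time window."""
    logins, findings = [], []
    window = timedelta(seconds=window_seconds)
    for when, endpoint, service, ticket in parse_cas_requests(log_text):
        if endpoint == "login":
            logins.append((when, service))
            continue
        recent = {s for t, s in logins if s and timedelta(0) <= when - t <= window}
        if service not in recent:
            findings.append({"ticket": ticket, "validated_as": service,
                             "recent_login_services": sorted(recent)})
    return findings

if __name__ == "__main__":
    for finding in find_service_mismatches(SAMPLE_LOG):
        print(finding)
```

Each finding lists the service URL presented at validation next to the service URLs seen at login shortly before it, which are the candidates the ticket was actually issued for.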

