idp 3.3 CAS SSO to portal problem
Paul B. Henson
henson at cpp.edu
Tue Aug 14 00:33:58 EDT 2018
On Tue, Aug 07, 2018 at 09:36:10AM -0700, Mathis, Bradley wrote:

> The error on my side is
> "Service issued for https://mypima-stage.pima.edu/paf/authorize does not
> match https://mypima-stage.pima.edu/paf/configuration/saml"

I believe this error occurs when the CAS service ticket is issued for
one URL, but the service tries to validate it with a different one.

For example, if I look in my access log for the idp for a CAS
authentication, you see a login request for

126.96.36.199 - - [13/Aug/2018:21:30:19 -0700] "GET
HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106

Then a serviceValidate for the same URL:

188.8.131.52 - - [13/Aug/2018:21:30:21 -0700] "GET
HTTP/1.1" 200 231 "-" "Java/1.8.0_162"

Your service appears to be sending the user to /idp/profile/cas/login
with one URL, but then calling /idp/profile/cas/serviceValidate to
verify the ticket passing a different URL...

You should be able to verify this in the access log, and then you just
need to figure out why it's doing it :).

Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
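
An added example, not part of the original message and not Shibboleth code: one way to run the access-log check suggested above, flagging serviceValidate calls whose `service` URL was not used by any recent login request. It assumes a combined-format access log that records the query string, the CAS `service` and `ticket` parameters, and a 5-minute correlation window; the sample lines, hosts, IPs and ticket ids are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines: IPs, hosts and ticket ids are placeholders.
SAMPLE_LOG = '''\
192.0.2.10 - - [13/Aug/2018:21:30:19 -0700] "GET /idp/profile/cas/login?service=https%3A%2F%2Fapp.example.edu%2Fpaf%2Fauthorize HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.5 - - [13/Aug/2018:21:30:21 -0700] "GET /idp/profile/cas/serviceValidate?service=https%3A%2F%2Fapp.example.edu%2Fpaf%2Fconfiguration%2Fsaml&ticket=ST-constructed-1 HTTP/1.1" 200 231 "-" "Java/1.8.0_162"
192.0.2.11 - - [13/Aug/2018:21:31:02 -0700] "GET /idp/profile/cas/login?service=https%3A%2F%2Fok.example.edu%2Fcas HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.6 - - [13/Aug/2018:21:31:03 -0700] "GET /idp/profile/cas/serviceValidate?service=https%3A%2F%2Fok.example.edu%2Fcas&ticket=ST-constructed-2 HTTP/1.1" 200 231 "-" "Java/1.8.0_162"
'''

# Timestamp, request path with query, and which CAS endpoint was hit.
LINE = re.compile(
    r'\[([^\]]+)\] "GET (/idp/profile/cas/(login|serviceValidate)\?\S+) HTTP')


def find_mismatches(log_text, window=timedelta(minutes=5)):
    """Return serviceValidate calls whose service URL no recent login used."""
    logins, findings = [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        params = parse_qs(urlsplit(m.group(2)).query)  # also URL-decodes values
        service = params.get("service", [None])[0]
        if service is None:
            continue  # e.g. a later step of the login flow without a service
        if m.group(3) == "login":
            logins.append((when, service))
            continue
        # Assumption: the ticket was issued by a login in the preceding window.
        recent = {s for t, s in logins if timedelta(0) <= when - t <= window}
        if service not in recent:
            findings.append({"ticket": params.get("ticket", ["?"])[0],
                             "validated_as": service,
                             "issued_for_candidates": sorted(recent)})
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_LOG):
        print(finding)
```

The time-window match is a heuristic, since the login request line does not carry the ticket id; on a busy IdP, narrow the window or filter by the service's host first.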