CAS protocol violation
Andrew Morgan
morgan at orst.edu
Mon Mar 12 16:51:30 EDT 2018
It appears that Shibboleth v3.3.1 does not generate Service Tickets that
are compliant with the CAS Protocol specification when the
encodingTicketService is used. Specifically, the Service Tickets contain
an underscore character. The CAS Protocol only allows {A-Z, a-z, 0-9},
and the hyphen character {-}:
https://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html#37-ticket-and-ticket-granting-cookie-character-set
I found this issue while troubleshooting a problem with a mod_auth_cas
v1.1 client that was looping continuously, adding a new ticket with every
loop. v1.1 of mod_auth_cas has stricter character set validation than
earlier versions. This issue was also identified in
https://github.com/apereo/mod_auth_cas/issues/134, and is probably the
root cause of the incompatibility, not the ticket length.
Jira IDP-1018 mentions an incompatibility with mod_auth_cas that came up
during testing. Maybe this is it? Is it possible to fix this issue in
Shibboleth? If this hasn't come up already, I'm happy to file a new Jira
for it.
Thanks,
Andy
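
An added example, not part of the original message and not code from Shibboleth or mod_auth_cas: a Python check that tests each `ticket` parameter in a URL against the character set in section 3.7 of the CAS Protocol, separating a character set violation from a length problem. The function names and the sample URL are constructed for illustration; the `ST-` prefix and the 32/256 length thresholds are taken from section 3.1.1 of the same specification.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CAS Protocol section 3.7: tickets may contain only A-Z, a-z, 0-9 and '-'.
ILLEGAL = re.compile(r"[^A-Za-z0-9-]")
# CAS Protocol section 3.1.1 (service ticket properties).
MUST_ACCEPT_LEN = 32    # services MUST accept service tickets up to this length
RECOMMENDED_LEN = 256   # services are RECOMMENDED to accept up to this length


def check_ticket(ticket):
    """Return a list of findings for one service ticket (empty list = clean)."""
    findings = []
    if not ticket.startswith("ST-"):
        findings.append("missing ST- prefix")
    bad = sorted({m.group() for m in ILLEGAL.finditer(ticket)})
    if bad:
        findings.append("illegal characters: " + " ".join(repr(c) for c in bad))
    if len(ticket) > RECOMMENDED_LEN:
        findings.append(f"length {len(ticket)} exceeds {RECOMMENDED_LEN}")
    elif len(ticket) > MUST_ACCEPT_LEN:
        findings.append(f"length {len(ticket)} exceeds {MUST_ACCEPT_LEN}")
    return findings


def check_url(url):
    """Check every ticket parameter; a looping client accumulates several."""
    tickets = parse_qs(urlsplit(url).query).get("ticket", [])
    return {t: check_ticket(t) for t in tickets}


# Constructed sample: a URL carrying two ticket parameters, as a redirect
# loop that appends a ticket on each pass would produce.
SAMPLE_URL = ("https://app.example.edu/protected?"
              "ticket=ST-AAdzZWNyZXQx_b2Ux&ticket=ST-42-Qx7mPz9LkT3vB")

if __name__ == "__main__":
    for ticket, findings in check_url(SAMPLE_URL).items():
        print(ticket, "->", findings or "ok")
```
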