CAS protocol violation

Andrew Morgan morgan at
Mon Mar 12 17:54:36 EDT 2018

On Mon, 12 Mar 2018, Marvin Addison wrote:

> On Mon, Mar 12, 2018 at 4:51 PM Andrew Morgan <morgan at> wrote:
>> It appears that Shibboleth v3.3.1 does not generate Service Tickets that
>> are compliant with the CAS Protocol specification....
> The IdP CAS protocol support targets the v2 specification [1] that puts no
> restrictions on ticket entity character sets.
> This issue was also identified in
> Did you try Dave's patch? I'm pretty sure the issue is "fixed" but we're
> waiting for some positive feedback before merging his patch. Your feedback
> would be helpful to moving it along.
> Personally, I'm not too keen on trying to make the EncodingTicketService
> compatible with such a restrictive character set as defined in the v3
> protocol spec. I suppose we don't _have_ to use a baseN encoding scheme,
> but it's a justifiable choice that is non-compliant due to the '=' padding
> character.

I haven't tried the patch myself.  My use of mod_auth_cas is v1.0.9.1 in 
Debian 8.  It looks like I'll have this same problem in Debian 9 though. 
One of our departments on campus is using mod_auth_cas v1.1 and ran into 
this problem.

At first, I thought this was a new restriction in v3 of the protocol too. 
However, take a look at section 3.7 of the v2 spec...  Same character 
class restriction.

Given the character class restriction, I wonder if the patch will ever be 
accepted into mod_auth_cas.  :/
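
A check of the character class restriction discussed in this thread, as an added example that is not part of the original message and is not Shibboleth or mod_auth_cas code. It assumes the ticket character set in section 3.7 of the CAS specification is A-Z, a-z, 0-9 and the hyphen, assumes service tickets start with "ST-", and uses a constructed payload to show which baseN encodings stay inside that set.

```python
import base64
import re

# Assumption of this example: section 3.7 of the CAS specification limits
# tickets to A-Z, a-z, 0-9 and the hyphen, and service tickets start "ST-".
OUTSIDE_SET = re.compile(r"[^A-Za-z0-9-]")

# Candidate encodings for an opaque (e.g. encrypted) ticket body.
ENCODERS = {
    "base64": lambda b: base64.b64encode(b).decode(),
    "base64url": lambda b: base64.urlsafe_b64encode(b).decode(),
    "base32": lambda b: base64.b32encode(b).decode(),
    "base32-nopad": lambda b: base64.b32encode(b).decode().rstrip("="),
    "hex": lambda b: b.hex(),
}

# Constructed 7-byte body, chosen so that base64 and base32 both need
# '=' padding and base64 emits its two non-alphanumeric symbols.
SAMPLE_BODY = bytes.fromhex("fbefff3e00017f")


def offending_chars(ticket: str) -> list:
    """Distinct characters of `ticket` that fall outside the allowed set."""
    return sorted(set(OUTSIDE_SET.findall(ticket)))


def is_compliant(ticket: str) -> bool:
    """True if the ticket has the ST- prefix, a body, and only allowed chars."""
    return (ticket.startswith("ST-") and len(ticket) > 3
            and not offending_chars(ticket))


def survey(body: bytes) -> dict:
    """Map each encoding name to the characters a strict client would reject."""
    return {name: offending_chars("ST-" + enc(body))
            for name, enc in ENCODERS.items()}


if __name__ == "__main__":
    for name, bad in survey(SAMPLE_BODY).items():
        verdict = "ok" if not bad else "rejected: " + " ".join(bad)
        print(f"{name:13s} ST-{ENCODERS[name](SAMPLE_BODY):20s} {verdict}")
```

A client that enforces the character class rejects every padded baseN form; unpadded base32 and hex pass, at the cost of longer tickets.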

