New CAS metadata support in 3.4
Paul B. Henson
henson at cpp.edu
Tue Nov 27 20:04:01 EST 2018
Ok, now I've moved on to testing proxy support with the new CAS
metadata. It doesn't seem like it's enforcing properly?
I have a metadata entry as such:
<EntityDescriptor entityID="https://www.idm.unx.cpp.edu/">
  <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
                              Location="https://www.idm.unx.cpp.edu/"
                              index="1"/>
    <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/proxy"
                              Location="https://www.idm.unx.cpp.edu/cas_pgt"
                              index="2"/>
    <!-- proxy trust certificates -->
    <KeyDescriptor use="signing">
      <KeyInfo><X509Data><X509Certificate>...</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
I tested the app, and it worked fine. Then, to double check, I swapped
out the correct certificate in the metadata with a completely unrelated
one, and it *still* worked 8-/.
The logs show:
2018-11-27 16:51:56,574 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.flow.impl.ValidateProxyCallbackAction:129] - Attempting proxy authentication to https://www.idm.unx.cpp.edu/cas_pgt?pgtId=PGT-1543366316574-9gchHmZotUIfmDgygSxkG5NVhASpaPRVevrQZ2jWSNLytcYgZR&pgtIou=PGTIOU-1543366316574-k9Oz1zRKI1elNIFFswoEXyF2AvVKxc1MLOfTfVoI0oSgCHKVvy
2018-11-27 16:51:56,595 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator:180] - Attempting to connect to https://www.idm.unx.cpp.edu/cas_pgt?pgtId=PGT-1543366316574-9gchHmZotUIfmDgygSxkG5NVhASpaPRVevrQZ2jWSNLytcYgZR&pgtIou=PGTIOU-1543366316574-k9Oz1zRKI1elNIFFswoEXyF2AvVKxc1MLOfTfVoI0oSgCHKVvy
2018-11-27 16:51:56,600 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator$TrustEngineTrustStrategy:265] - Validating cert CN=idm.unx.cpp.edu, OU=IIT-Unix, O="California State Polytechnic University, Pomona", STREET=3801 West Temple Avenue, L=Pomona, ST=CA, OID.2.5.4.17=91768, C=US issued by CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US
2018-11-27 16:51:56,641 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - ERROR [org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator:164] - PKIX validation failure
java.security.GeneralSecurityException: Unable to validate X509 certificate, no trust anchors found in the PKIX validation information
at org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator.getPKIXBuilderParameters(CertPathPKIXTrustEvaluator.java:183)
2018-11-27 16:51:56,664 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:190] - Storing mapping of PGT-1543366316574-9gchHmZotUIfmDgygSxkG5NVhASpaPRVevrQZ2jWSNLytcYgZR to a289aa635e7860acee5511644fa0592c57a2675e3753879ffd4f7d14d72c98f9 in context https://www.apereo.org/cas/protocol/serviceValidate
2018-11-27 16:51:56,665 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:194] - Storing PGT-1543366316574-9gchHmZotUIfmDgygSxkG5NVhASpaPRVevrQZ2jWSNLytcYgZR in context a289aa635e7860acee5511644fa0592c57a2675e3753879ffd4f7d14d72c98f9
Looks like the same logs/failure show for both the correct and invalid cert
in the metadata.
So in 3.3, I had this in my relying-party config:
<ref bean="CAS.ValidateConfiguration.proxy" />
along with:
<bean id="CAS.ValidateConfiguration.proxy" parent="CAS.ValidateConfiguration">
  <property name="securityConfiguration">
    <bean class="net.shibboleth.idp.profile.config.SecurityConfiguration"
          c:skew="PT5M" p:clientTLSValidationConfiguration-ref="standardProxyTLSConfig">
      <constructor-arg name="generator">
        <bean class="net.shibboleth.idp.cas.ticket.impl.TicketIdentifierGenerationStrategy"
              c:prefix="PGT" c:randomLength="50" />
      </constructor-arg>
    </bean>
  </property>
</bean>
and:
<bean id="standardProxyTLSConfig"
      class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationConfiguration">
  <property name="x509TrustEngine">
    <bean class="org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine"
          c:nameEvaluator="#{null}">
      <constructor-arg name="resolver">
        <bean class="org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver"
              c:names="#{null}">
          <constructor-arg name="info">
            <bean class="org.opensaml.security.x509.impl.BasicPKIXValidationInformation"
                  c:crls="#{null}" c:depth="5">
              <constructor-arg name="anchors">
                <list>
                  <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                        p:resource="%{idp.home}/credentials/idm.unx.cpp.edu.crt" />
                </list>
              </constructor-arg>
            </bean>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="pkixEvaluator">
        <bean class="org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator" />
      </constructor-arg>
    </bean>
  </property>
</bean>
I didn't think this was needed anymore with certs defined in metadata,
so I switched to just:
<ref bean="CAS.ValidateConfiguration" />
and none of the explicit TLS config. Is that not right? Do I still need
to do something specific in relying-party to enable proxy TLS validation?
Based on the log message, it seems I still need to define PKIX anchors?
How would I do that to tell it to use the ones in the metadata rather
than explicitly listing them in cas-protocol like the 3.3 config?
Thanks...
--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
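An added example (not code from the Shibboleth IdP or from this post) modelling the check the post expects the IdP to make on a CAS proxy callback: the callback endpoint's TLS certificate is accepted only if it matches a signing KeyDescriptor certificate published in the SP's metadata, so the swapped-in unrelated certificate is rejected and nothing is stored. The metadata, the DER byte strings and the function names are constructed stand-ins; SHA-256 fingerprint matching stands in for the PKIX path building the logs show, the accept/reject decision being the same.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PROXY_BINDING = "https://www.apereo.org/cas/protocol/proxy"

# Constructed stand-ins for DER-encoded certificates; not real X.509 data.
TRUSTED_DER = b"constructed-der-for-idm.unx.cpp.edu"
UNRELATED_DER = b"constructed-der-for-an-unrelated-host"

# Constructed metadata in the shape of the post's EntityDescriptor.
METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://www.idm.unx.cpp.edu/">
  <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <AssertionConsumerService Binding="{PROXY_BINDING}"
        Location="https://www.idm.unx.cpp.edu/cas_pgt" index="2"/>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(TRUSTED_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def trust_anchors(metadata_xml: str) -> dict:
    """Map each proxy-callback Location to the SHA-256 fingerprints of the
    signing certificates published in the same SPSSODescriptor."""
    anchors = {}
    for sp in ET.fromstring(metadata_xml).iter(f"{{{MD}}}SPSSODescriptor"):
        prints = set()
        for kd in sp.iter(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use") not in (None, "signing"):  # encryption keys never anchor TLS
                continue
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                der = base64.b64decode("".join(cert.text.split()))
                prints.add(fingerprint(der))
        for acs in sp.iter(f"{{{MD}}}AssertionConsumerService"):
            if acs.get("Binding") == PROXY_BINDING:
                anchors[acs.get("Location")] = prints
    return anchors

def callback_trusted(location: str, presented_der: bytes, anchors: dict) -> bool:
    """Fail closed: an unknown Location or an unpublished fingerprint is rejected."""
    return fingerprint(presented_der) in anchors.get(location, set())
```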