New CAS metadata support in 3.4

Marvin Addison serac at vt.edu
Wed Nov 28 07:15:52 EST 2018


On Tue, Nov 27, 2018 at 8:04 PM Paul B. Henson <henson at cpp.edu> wrote:
> Ok, now I've moved on to testing proxy support with the new CAS
> metadata. It doesn't seem like it's enforcing properly?

I'm eager to get your feedback on this feature.

> I have a metadata entry as such:
>
>         <EntityDescriptor entityID="https://www.idm.unx.cpp.edu/">
>             <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
>                 <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
>                                           Location="https://www.idm.unx.cpp.edu/"
>                                           index="1"/>
>                 <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/proxy"
>                                           Location="https://www.idm.unx.cpp.edu/cas_pgt"
>                                           index="2"/>
>                 <!-- proxy trust certificates -->
>                 <KeyDescriptor use="signing">
>                         <KeyInfo><X509Data><X509Certificate>

I believe your problem is here. You need to use the KeyInfo and
children from the http://www.w3.org/2000/09/xmldsig# namespace, not
the SAML metadata namespace. I was burned by that myself recently.


> The logs show:
>
> 2018-11-27 16:51:56,574 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.flow.impl.ValidateProxyCallbackAction:129] - Attempting proxy authentication to https://www.idm.unx.cpp.edu/cas_pgt?pgtId=PGT-1543366316574-9gchHmZotUIfmDgygSxkG5NVhASpaPRVevrQZ2jWSNLytcYgZR&pgtIou=PGTIOU-1543366316574-k9Oz1zRKI1elNIFFswoEXyF2AvVKxc1MLOfTfVoI0oSgCHKVvy
> 2018-11-27 16:51:56,595 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator:180] - Attempting to connect to https://www.idm.unx.cpp.edu/cas_pgt?pgtId=PGT-1543366316574-9gchHmZotUIfmDgygSxkG5NVhASpaPRVevrQZ2jWSNLytcYgZR&pgtIou=PGTIOU-1543366316574-k9Oz1zRKI1elNIFFswoEXyF2AvVKxc1MLOfTfVoI0oSgCHKVvy
> 2018-11-27 16:51:56,600 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator$TrustEngineTrustStrategy:265] - Validating cert CN=idm.unx.cpp.edu, OU=IIT-Unix, O="California State Polytechnic University, Pomona", STREET=3801 West Temple Avenue, L=Pomona, ST=CA, OID.2.5.4.17=91768, C=US issued by CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US
> 2018-11-27 16:51:56,641 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - ERROR [org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator:164] - PKIX validation failure
> java.security.GeneralSecurityException: Unable to validate X509 certificate, no trust anchors found in the PKIX validation information
>         at org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator.getPKIXBuilderParameters(CertPathPKIXTrustEvaluator.java:183)
> 2018-11-27 16:51:56,664 - 134.71.247.16/60D0B679F02E5B4C04F2D49082F332E2 - DEBUG [net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:190] - Storing mapping of PGT-1543366316574-9gchHmZotUIfmDgygSxkG5NVhASpaPRVevrQZ2jWSNLytcYgZR to a289aa635e7860acee5511644fa0592c57a2675e3753879ffd4f7d14d72c98f9 in context https://www.apereo.org/cas/protocol/serviceValidate

This line is troubling. A certificate validation error _should_ cause
the proxy callback check to fail and prevent issuing a PGT. Could you
please file a Jira issue and attach the logs above and your redacted
cas-protocol.xml and relying-party.xml files?

> So in 3.3, I had this in my relying-party config:
> <ref bean="CAS.ValidateConfiguration.proxy" />
> ...
> and:
>
> <bean id="standardProxyTLSConfig"
>           class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationConfiguration">
>         <property name="x509TrustEngine">
> ...
> I didn't think this was needed anymore with certs defined in metadata,
> so I switched to just:
>
> <ref bean="CAS.ValidateConfiguration" />

That's correct: the trust engine configuration in relying-party.xml is
not needed anymore, whether or not you're using metadata. The new
facility for defining static PKIX trust anchors is simply to add them
to the new "shibboleth.CASProxyTrustedCertificates" list bean in
cas-protocol.xml.

M
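As an added example (not code from the thread or from the Shibboleth project), here is a small Python check for the namespace mistake Marvin describes: a `KeyDescriptor` whose `KeyInfo` silently inherits the SAML metadata default namespace instead of the xmldsig namespace. The entity ID, callback location and certificate text in the sample metadata are constructed placeholders, and the check assumes only SPs that declare a CAS proxy callback binding need proxy trust certificates.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
PROXY_BINDING = "https://www.apereo.org/cas/protocol/proxy"

# Constructed sample metadata (placeholder certificate, not a real one). In
# BROKEN the KeyInfo element inherits the default SAML metadata namespace,
# which is the mistake the thread points out; FIXED uses the ds: prefix.
BROKEN = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <AssertionConsumerService Binding="{PROXY_BINDING}" Location="https://sp.example.org/pgt" index="2"/>
    <KeyDescriptor use="signing">
      <KeyInfo><X509Data><X509Certificate>MIIB...placeholder...</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""
FIXED = BROKEN.replace("entityID=", f'xmlns:ds="{DS_NS}" entityID=', 1)
for tag in ("KeyInfo", "X509Data", "X509Certificate"):
    FIXED = FIXED.replace(f"<{tag}>", f"<ds:{tag}>").replace(f"</{tag}>", f"</ds:{tag}>")

def check_proxy_trust_keys(metadata_xml):
    """List problems that would leave the CAS proxy callback without a usable trust anchor."""
    root = ET.fromstring(metadata_xml)
    problems = []
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        bindings = {acs.get("Binding") for acs in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")}
        if PROXY_BINDING not in bindings:
            continue  # no proxy callback declared, so no proxy trust certificates are expected
        descriptors = sp.findall(f"{{{MD_NS}}}KeyDescriptor")
        if not descriptors:
            problems.append("proxy callback declared but no KeyDescriptor present")
        for kd in descriptors:
            key_info = kd.find(f"{{{DS_NS}}}KeyInfo")
            if key_info is None:
                # A child may exist, but in the wrong namespace (e.g. the metadata
                # default namespace), so it is not a ds:KeyInfo the IdP can use.
                problems.append("KeyDescriptor child is not ds:KeyInfo: " + ", ".join(c.tag for c in kd))
                continue
            certs = key_info.findall(f"{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate")
            if not any((c.text or "").strip() for c in certs):
                problems.append("ds:KeyInfo carries no ds:X509Certificate content")
    return problems

if __name__ == "__main__":
    for name, doc in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_proxy_trust_keys(doc) or "ok")
```

Run it against a real metadata file by passing the file contents to `check_proxy_trust_keys`; an empty list means the KeyDescriptor elements are in the shape the IdP expects.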

