New CAS metadata support in 3.4

Paul B. Henson henson at cpp.edu
Wed Nov 28 15:32:19 EST 2018


> From: Marvin Addison
> Sent: Wednesday, November 28, 2018 4:16 AM
> 
> I believe your problem is here. You need to use the KeyInfo and
> children from the http://www.w3.org/2000/09/xmldsig# namespace, not
> the SAML metadata namespace. I was burned by that myself recently.

So at first I just added the prefix:

<ds:KeyInfo>

To match the example at:

https://wiki.shibboleth.net/confluence/display/IDP30/CASServiceSAMLMetadata

However, that resulted in an error:

Caused by: org.xml.sax.SAXParseException: The prefix "ds" for element "ds:KeyInfo" is not bound.

So I ended up doing this:

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

I assume the example in the documentation has some context that is not included that defines that namespace? At this point, it seems to be successfully validating the certificate, or at least there are no longer any certificate validation errors in the logs:

2018-11-28 12:03:46,440 - 134.71.247.16/ECC2E243A7195DEF8EEAE77F735507EC - DEBUG [net.shibboleth.idp.cas.flow.impl.ValidateProxyCallbackAction:129] - Attempting proxy authentication to https://www.idm.unx.cpp.edu/cas_pgt?pgtId=PGT-1543435426435-piqazUExpVtthIvZBkUTASlc9DKE6jGU6XirtNkB6I7M5WZKhG&pgtIou=PGTIOU-1543435426435-1J6vpWdwA290F1z2DwBW6MCjpNO5aD4J81ce5ULykf5oMYHqvB
2018-11-28 12:03:46,468 - 134.71.247.16/ECC2E243A7195DEF8EEAE77F735507EC - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator:180] - Attempting to connect to https://www.idm.unx.cpp.edu/cas_pgt?pgtId=PGT-1543435426435-piqazUExpVtthIvZBkUTASlc9DKE6jGU6XirtNkB6I7M5WZKhG&pgtIou=PGTIOU-1543435426435-1J6vpWdwA290F1z2DwBW6MCjpNO5aD4J81ce5ULykf5oMYHqvB
2018-11-28 12:03:46,490 - 134.71.247.16/ECC2E243A7195DEF8EEAE77F735507EC - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator$TrustEngineTrustStrategy:265] - Validating cert CN=idm.unx.cpp.edu, OU=IIT-Unix, O="California State Polytechnic University, Pomona", STREET=3801 West Temple Avenue, L=Pomona, ST=CA, OID.2.5.4.17=91768, C=US issued by CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US
2018-11-28 12:03:46,566 - 134.71.247.16/ECC2E243A7195DEF8EEAE77F735507EC - DEBUG [net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:190] - Storing mapping of PGT-1543435426435-piqazUExpVtthIvZBkUTASlc9DKE6jGU6XirtNkB6I7M5WZKhG to 5d689c7da9fd1a87917e3a7f1e33135576477e3d4010e1ee7fd1420a6fee87b4 in context https://www.apereo.org/cas/protocol/serviceValidate
2018-11-28 12:03:46,567 - 134.71.247.16/ECC2E243A7195DEF8EEAE77F735507EC - DEBUG [net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:194] - Storing PGT-1543435426435-piqazUExpVtthIvZBkUTASlc9DKE6jGU6XirtNkB6I7M5WZKhG in context 5d689c7da9fd1a87917e3a7f1e33135576477e3d4010e1ee7fd1420a6fee87b4

However, if I swap out the certificate in the metadata to an invalid one, it generates the error and still issues the pgt, just like if there are no certificates supplied at all.

> This line is troubling. A certificate validation error _should_ cause
> the proxy callback check to fail and prevent issuing a PGT. Could you
> please file a Jira issue and attach the logs above and your redacted
> cas-protocol.xml and relying-party.xml files?

Okay, issue opened: IDP-1371

Let me know if I can assist any further in debugging this problem, thanks...
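An added check, written by the editor and not code from this thread or from the Shibboleth IdP, that tells apart the three states the exchange above runs through: an undeclared `ds` prefix (the SAXParseException), a KeyInfo placed in the SAML metadata namespace, and a KeyInfo correctly bound to the xmldsig namespace. The metadata fragment, its entityID and the certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def fragment(prefix, declare_ds):
    """Constructed SP metadata; entityID and certificate body are placeholders."""
    xmlns = f' xmlns:ds="{DS_NS}"' if declare_ds else ""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://app.example.edu/cas">
  <md:SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <md:KeyDescriptor use="signing">
      <{prefix}:KeyInfo{xmlns}>
        <{prefix}:X509Data>
          <{prefix}:X509Certificate>PLACEHOLDER-BASE64-CERT</{prefix}:X509Certificate>
        </{prefix}:X509Data>
      </{prefix}:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_key_descriptors(metadata_xml):
    """Classify the KeyInfo blocks in a metadata document.

    Returns ("parse-error", message) when the XML is not well-formed (an
    unbound prefix lands here), ("wrong-namespace", 0) when a KeyInfo sits
    outside xmldsig, ("no-certificates", 0) when nothing is declared, and
    ("ok", n) with the number of xmldsig X509Certificate elements found.
    """
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        return ("parse-error", str(exc))
    certs = root.findall(
        f".//{{{DS_NS}}}KeyInfo/{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate"
    )
    stray = [el for el in root.iter()
             if el.tag.endswith("}KeyInfo") and not el.tag.startswith("{" + DS_NS + "}")]
    if stray:
        return ("wrong-namespace", 0)
    if not certs:
        return ("no-certificates", 0)
    return ("ok", len(certs))

if __name__ == "__main__":
    for label, case in (("unbound ds prefix", fragment("ds", False)),
                        ("KeyInfo in md namespace", fragment("md", False)),
                        ("KeyInfo in xmldsig namespace", fragment("ds", True))):
        print(f"{label}: {check_key_descriptors(case)}")
```

Only the last case yields a certificate the IdP's trust engine can pick up; the middle one parses cleanly, which is why a misplaced KeyInfo is easy to miss until the proxy callback validation logs are read.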
