CAS Issue
Morgan, Andrew Jason
morgan at oregonstate.edu
Mon Jul 22 19:12:47 EDT 2019
Gerry,
Did you follow the instructions in the release notes for v3.4.2? There was a specific change related to CAS proxy configuration. See here:
https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Thanks,
Andy
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Hall, Gerry <gerry.hall at emory.edu>
Sent: Thursday, July 18, 2019 10:30 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: CAS Issue
I am having an issue after updating the IdP code from v3.4.1 to v3.4.4 as it relates to CAS. I have a service that uses a CAS proxy that has stopped working after the upgrade. A different service which also uses CAS but with no proxy is working as expected. From looking at the IdP logs, it appears that the CAS ticket is granted, but then the IdP does not release user attributes to the application. Rolling back to the v3.4.1 code, which works as expected.
One thing that I do see is that the CAS ticket in the IdP logs (ST-1563450375616-UzODIMJQVZdQVB8Uem7ggaiCV) is different from what I see in the browser (ST-1563470383623-Z6PiopN9TTfYkihkBlIOA1Zpm), but I am only guessing, as I have no idea whether this is the issue or not and, if it is, how to resolve it.
Can anyone offer any advice?
CAS configuration (abbreviated) is as follows (conf/cas-protocol.xml):
<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
      c:regex="https://i2b2srvsqa1\.cc\.emory\.edu(.*)?"
      p:group="I2B2-CAS-QA-Svc"
      p:authorizedToProxy="true" />
<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
      c:regex="https://i2b2webqa1\.cc\.emory\.edu(.*)?"
      p:group="I2B2-CAS-QA-Svc2"
      p:authorizedToProxy="true" />
Attribute filter (conf/attribute-filter.xml):
<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="RequesterRegex"
        regex="^https\:\/\/i2b2srvsqa1\.cc\.emory\.edu(.*)?" />
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="sn">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="title">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="ou">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="academiccareer">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="organizationalStatus">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="RequesterRegex"
        regex="^https:\/\/i2b2webqa1\.cc\.emory\.edu(.*)?" />
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="sn">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="title">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="ou">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="academiccareer">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="organizationalStatus">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
Here is what I am seeing in the IdP logs:
127.0.0.1|2019-07-18 07:46:13,830|CB7D145117B5B4213D9C47D6889045C8| - INFO [org.ldaptive.auth.Authenticator:311] - Authentication succeeded for dn: CN=ghall4,OU=People,DC=emory,DC=edu
127.0.0.1|2019-07-18 07:46:13,832|CB7D145117B5B4213D9C47D6889045C8| - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'ghall4' succeeded
127.0.0.1|2019-07-18 07:46:15,625|CB7D145117B5B4213D9C47D6889045C8| - INFO [net.shibboleth.idp.cas.flow.impl.GrantServiceTicketAction:138] - Granted service ticket for https://i2b2webqa1.cc.emory.edu/eurekaclinical-i2b2-integration-webapp/protected/login?webclient=https%3A%2F%2Fi2b2webqa1.cc.emory.edu%2Fi2b2%2Fwebclient%2F
127.0.0.1|2019-07-18 07:46:15,707|CB7D145117B5B4213D9C47D6889045C8| - INFO [Shibboleth-Audit.SSO:275] - 20190718T114615Z|||https://i2b2webqa1.cc.emory.edu/eurekaclinical-i2b2-integration-webapp/protected/login?webclient=https%3A%2F%2Fi2b2webqa1.cc.emory.edu%2Fi2b2%2Fwebclient%2F|https://www.apereo.org/cas/protocol/login||||ghall4|||ghall4|ST-1563450375616-UzODIMJQVZdQVB8Uem7ggaiCV|
The browser displays the following (URL: https://i2b2webqa1.cc.emory.edu/eurekaclinical-i2b2-integration-webapp/protected/login?webclient=https%3A%2F%2Fi2b2webqa1.cc.emory.edu%2Fi2b2%2Fwebclient%2F&ticket=ST-1563470383623-Z6PiopN9TTfYkihkBlIOA1Zpm)
HTTP Status 500 - org.jasig.cas.client.validation.TicketValidationException:
type Exception report
message org.jasig.cas.client.validation.TicketValidationException:
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException:
E_TICKET_EXPIRED
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:194)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
org.eurekaclinical.common.filter.InvalidateSessionFilter.doFilter(InvalidateSessionFilter.java:57)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
root cause
org.jasig.cas.client.validation.TicketValidationException:
E_TICKET_EXPIRED
org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:168)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
org.eurekaclinical.common.filter.InvalidateSessionFilter.doFilter(InvalidateSessionFilter.java:57)
com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:163)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:58)
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.53 logs.
Apache Tomcat/7.0.53
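An added example, not code from the thread or from the Shibboleth project: a small Python check that pulls the service ticket out of the audit line and out of the browser URL quoted above, compares the issue times embedded in the two ticket IDs, and tests the service URL against the RequesterRegex from the poster's attribute-filter.xml. It assumes the 13-digit field in ST-<digits>-<random> is the issue time in epoch milliseconds (the thread does not say so); under that assumption the two tickets on this page were issued roughly five and a half hours apart, so the quoted log excerpt and the browser error do not come from the same login attempt.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Tickets on this page look like ST-<13 digits>-<random>. ASSUMPTION (not stated
# in the thread): the digit run is the issue time in epoch milliseconds.
TICKET_RE = re.compile(r"^(?P<kind>ST|PT|PGT)-(?P<ms>\d{13})-(?P<nonce>[A-Za-z0-9]+)$")

# Constructed inputs, copied from the audit line and browser URL in the thread.
IDP_AUDIT_LINE = (
    "20190718T114615Z|||https://i2b2webqa1.cc.emory.edu/eurekaclinical-i2b2-"
    "integration-webapp/protected/login?webclient=https%3A%2F%2Fi2b2webqa1.cc."
    "emory.edu%2Fi2b2%2Fwebclient%2F|https://www.apereo.org/cas/protocol/login"
    "||||ghall4|||ghall4|ST-1563450375616-UzODIMJQVZdQVB8Uem7ggaiCV|"
)
BROWSER_URL = (
    "https://i2b2webqa1.cc.emory.edu/eurekaclinical-i2b2-integration-webapp/"
    "protected/login?webclient=https%3A%2F%2Fi2b2webqa1.cc.emory.edu%2Fi2b2%2F"
    "webclient%2F&ticket=ST-1563470383623-Z6PiopN9TTfYkihkBlIOA1Zpm"
)
# RequesterRegex taken verbatim from the poster's attribute-filter.xml.
FILTER_REGEX = r"^https:\/\/i2b2webqa1\.cc\.emory\.edu(.*)?"


def parse_ticket(ticket):
    """Split a ticket ID into kind, issue time (UTC, ms precision) and nonce."""
    m = TICKET_RE.match(ticket)
    if not m:
        raise ValueError("not a Shibboleth-style CAS ticket: %r" % ticket)
    ms = int(m["ms"])
    issued = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    issued += timedelta(milliseconds=ms % 1000)
    return {"kind": m["kind"], "issued": issued, "nonce": m["nonce"]}


def ticket_from_audit_line(line):
    """Return the first pipe-separated audit field that parses as a ticket."""
    return next((f for f in line.split("|") if TICKET_RE.match(f)), None)


def ticket_from_url(url):
    """Return the 'ticket' query parameter the CAS client sends for validation."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def issue_gap_ms(earlier, later):
    """Milliseconds between the issue times embedded in two ticket IDs."""
    return int(TICKET_RE.match(later)["ms"]) - int(TICKET_RE.match(earlier)["ms"])


def requester_matches(regex, service_url):
    """Check the service URL (ticket parameter removed) against a RequesterRegex."""
    bare = re.sub(r"[?&]ticket=[^&]*", "", service_url)
    return re.fullmatch(regex, bare) is not None
```

Run it against a fresh audit line and the URL the client actually validated: if the gap is large or the requester does not match the filter regex, the attribute release problem is not in the excerpt being compared.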