IDP 3.4.4 consent and CAS RuntimeException

Tobias Galéus tobias.galeus at gu.se
Thu May 23 04:36:06 EDT 2019


After upgrading to IDP 3.4.4 (from 3.3.3) we've run into problems with our
terms-of-use agreement and CAS login.

An error message is displayed to the user at logon and the following is logged
in idp-process.log:
2019-05-23 08:05:13,454 - ERROR [net.shibboleth.idp.profile.interceptor:-1] - Uncaught runtime exception|x.y.z.c|
org.springframework.binding.expression.EvaluationException: An ELException occurred getting the value for expression 'opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).isPassive() and opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.consent.context.ConsentContext)).getPreviousConsents().isEmpty()' on context [class org.springframework.webflow.engine.impl.RequestControlContextImpl]
        at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:94)
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1011E: Method call: Attempted to call method isPassive() on null context object
        at org.springframework.expression.spel.ast.MethodReference.throwIfNotNullSafe(MethodReference.java:149)
2019-05-23 08:05:13,454 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException|x.y.z.c|

Our relying-party.xml is configured as follows:
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
                <bean parent="CAS.LoginConfiguration" p:postAuthenticationFlows="#{ {'terms-of-use'} }" />
                <ref bean="CAS.ProxyConfiguration" />
                <ref bean="CAS.ValidateConfiguration" />
            </list>
        </property>
    </bean>

The terms-of-use works fine when using SAML2.SSO. The error only occurs when
using CAS. I've temporarily removed
'p:postAuthenticationFlows="#{ {'terms-of-use'} }"' from
CAS.LoginConfiguration for now.

How do I troubleshoot this?

Some of our configuration, if that is of any help:
consent-intercept-config.xml:
<bean id="shibboleth.consent.terms-of-use.Key"
class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="gu-tou"/>
</bean>

idp.properties:
idp.consent.StorageService = shibboleth.JPAStorageService
idp.consent.maxStoredRecords = -1
idp.consent.storageRecordLifetime = P6M

mysql:
mysql> select * from StorageRecords where id like 'myusername%';
+------------------------+---------------------+---------------+-------------------------+---------+
| context                | id                  | expires       | value                   | version |
+------------------------+---------------------+---------------+-------------------------+---------+
| intercept/terms-of-use | myusername:gu-tou   | 1574323228652 | [{"id":"gu-tou-1"}]     |       1 |
| intercept/terms-of-use | myusername:_key_idx |          NULL | ["myusername:gu-tou"]   |       1 |
+------------------------+---------------------+---------------+-------------------------+---------+
2 rows in set (0.18 sec)

Best regards,
Tobias
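
An added example, not part of the original post and not Shibboleth project code: a Python triage script that groups the idp-process.log excerpt above into entries and reports which subcontext lookup in the failing expression returned null. The function names are assumptions of this example, and the embedded sample is constructed from the post's log lines with mail wrapping undone and stack frames omitted.

```python
import re

# Constructed sample: the log lines from the post, unwrapped, stack frames omitted.
SAMPLE_LOG = """\
2019-05-23 08:05:13,454 - ERROR [net.shibboleth.idp.profile.interceptor:-1] - Uncaught runtime exception|x.y.z.c|
org.springframework.binding.expression.EvaluationException: An ELException occurred getting the value for expression 'opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).isPassive() and opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.consent.context.ConsentContext)).getPreviousConsents().isEmpty()' on context [class org.springframework.webflow.engine.impl.RequestControlContextImpl]
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1011E: Method call: Attempted to call method isPassive() on null context object
2019-05-23 08:05:13,454 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException|x.y.z.c|
"""

# A new entry starts with a timestamp, a level and a bracketed logger name.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - (\w+) \[([^\]:]+):")
# SpEL reports the method it tried to invoke on a null target.
NULL_CALL = re.compile(r"(EL\d{4}E): Method call: Attempted to call method (\w+)\(\) on null context object")
# Each subcontext lookup in the expression and the method called on its result.
LOOKUP = re.compile(r"getSubcontext\(T\(([\w.]+)\)\)\.(\w+)\(\)")


def split_entries(text):
    """Group lines into entries; a stack trace belongs to the timestamped line above it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"level": m.group(1), "logger": m.group(2), "lines": [line]})
        elif entries:
            entries[-1]["lines"].append(line)
    return entries


def null_subcontexts(text):
    """For each ERROR entry, name the subcontext class whose lookup returned null."""
    findings = []
    for entry in split_entries(text):
        body = " ".join(entry["lines"])
        hit = NULL_CALL.search(body)
        if entry["level"] != "ERROR" or not hit:
            continue
        code, method = hit.groups()
        # The method invoked on null identifies which getSubcontext(...) came back empty.
        missing = [cls for cls, called in LOOKUP.findall(body) if called == method]
        findings.append({"logger": entry["logger"], "code": code,
                         "method": method, "missing": missing})
    return findings


if __name__ == "__main__":
    for finding in null_subcontexts(SAMPLE_LOG):
        print(finding)
```

For the excerpt above it reports that the AuthenticationContext lookup returned null when the interceptor evaluated the expression; the ConsentContext lookup was not the failing one.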




