CAS OOB exception
Liam Hoekenga
liamr at umich.edu
Fri May 31 14:30:24 EDT 2019
>
> In your example, assuming what you have in the entity ID is what the
> CAS client is emitting for the service URL, then you would need
> something like the following in the metadata:
>
> <AssertionConsumerService
>     Binding="https://www.apereo.org/cas/protocol/login"
>     Location="https://testing.vialivetext.com/auth/cas/callback"
>     index="1"/>
>
It doesn't even appear to try the metadata. It falls right through to the
service registry.
Here's the applicable configuration.
metadata-providers.xml:
<MetadataProvider id="cas" xsi:type="FilesystemMetadataProvider"
indexesRef="shibboleth.CASMetadataIndices"
metadataFile="%{idp.home}/metadata/cas.xml"/>
cas.xml:
<EntityDescriptor entityID="https://testing.vialivetext.com/auth/cas/callback"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <SingleLogoutService
        Binding="https://www.apereo.org/cas/protocol/logout"
        Location="urn:mace:shibboleth:profile:CAS:logout"/>
    <AssertionConsumerService
        Binding="https://www.apereo.org/cas/protocol/login"
        Location="https://testing.vialivetext.com/auth/cas/callback"
        index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>
Acc'd to the logs, it seems to load ok.
2019-05-31 14:20:25,444 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:350]
- - Metadata Resolver FilesystemMetadataResolver cas: Beginning refresh of
metadata from '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
2019-05-31 14:20:25,445 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:357]
- - Metadata Resolver FilesystemMetadataResolver cas: Processing new
metadata from '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
2019-05-31 14:20:25,446 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:487]
- - Metadata Resolver FilesystemMetadataResolver cas: Unmarshalling
metadata from '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
2019-05-31 14:20:25,467 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:531]
- - Metadata Resolver FilesystemMetadataResolver cas: Preprocessing
metadata from '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
2019-05-31 14:20:25,468 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:376] -
- Metadata Resolver FilesystemMetadataResolver cas: Applying metadata
filter
2019-05-31 14:20:25,532 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:541]
- - Metadata Resolver FilesystemMetadataResolver cas: Releasing cached DOM
for metadata from '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
2019-05-31 14:20:25,532 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:545]
- - Metadata Resolver FilesystemMetadataResolver cas: Post-processing
metadata from '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
2019-05-31 14:20:25,533 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:549]
- - Metadata Resolver FilesystemMetadataResolver cas: Computing expiration
time for metadata from '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
2019-05-31 14:20:25,534 - DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:554]
- - Metadata Resolver FilesystemMetadataResolver cas: Expiration of
metadata from '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml' will occur
at 2019-05-31T22:20:25.444Z
2019-05-31 14:20:25,534 - INFO
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574]
- - Metadata Resolver FilesystemMetadataResolver cas: New metadata
successfully loaded for '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
2019-05-31 14:20:25,535 - INFO
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384]
- - Metadata Resolver FilesystemMetadataResolver cas: Next refresh cycle
for metadata provider '/usr/local/mcomm/shibboleth-idp/metadata/cas.xml'
will occur on '2019-05-31T21:20:25.466Z' ('2019-05-31T17:20:25.466-04:00'
local time)
I want to use metadata, but since it seems to want to use the service
registry, for testing purposes, I made the rules in cas-protocol.xml fit
the vendor's hostname...
<bean id="reloadableServiceRegistry"
    class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
  <property name="definitions">
    <list>
      <bean
          class="net.shibboleth.idp.cas.service.ServiceDefinition"
          c:regex="https://([A-Za-z0-9_-]+\.)*vialivetext\.org(:\d+)?/.*"
          p:group="proxying-services"
          p:authorizedToProxy="true"
          p:singleLogoutParticipant="true" />
      <bean
          class="net.shibboleth.idp.cas.service.ServiceDefinition"
          c:regex="http://([A-Za-z0-9_-]+\.)*vialivetext\.org(:\d+)?/.*"
          p:group="non-proxying-services"
          p:authorizedToProxy="false" />
    </list>
  </property>
</bean>
And the IDP throws the OOB..
2019-05-31 14:23:58,935 - DEBUG
[net.shibboleth.idp.cas.flow.impl.BuildRelyingPartyContextAction:103] -
x.x.x.x - Querying
net.shibboleth.idp.cas.service.impl.MetadataServiceRegistry for CAS service
URL
https://testing.vialivetext.com/auth/cas/callback?organization_id=1234567890abc&redirect_url=&url
2019-05-31 14:23:58,951 - ERROR [net.shibboleth.idp.cas:-2] - x.x.x.x -
Uncaught runtime exception
java.lang.ArrayIndexOutOfBoundsException: 1
at
net.shibboleth.utilities.java.support.net.URLBuilder.<init>(URLBuilder.java:119)
2019-05-31 14:23:58,977 - WARN
[org.opensaml.profile.action.impl.LogEvent:105] - x.x.x.x - A non-proceed
event occurred while processing the request: RuntimeException
2019-05-31 14:23:59,021 - INFO [Shibboleth-Audit.SSO:275] - x.x.x.x -
20190531T182359Z||||https://www.apereo.org/cas/protocol/login|||||||||
I'm not sure what else to try. The configuration options from the vendor
are very limited.
Liam
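
A triage sketch for the values in the message above, added here as an example; it is not part of the original post and is not Shibboleth code. It takes the service URL from the DEBUG log line and the two regexes and the entityID from the posted configuration, then reports which query components lack a value or an `=`, and whether the URL matches the posted patterns or the entityID. The function names and the use of full-match regex semantics are assumptions, and it makes no claim about how the IdP itself performs these comparisons.

```python
import re
from urllib.parse import urlsplit

# Service URL as it appears in the IdP DEBUG log line on this page.
SERVICE_URL = ("https://testing.vialivetext.com/auth/cas/callback"
               "?organization_id=1234567890abc&redirect_url=&url")

# Patterns copied from the posted cas-protocol.xml (mail line wrap removed).
REGISTRY_PATTERNS = {
    "proxying-services": r"https://([A-Za-z0-9_-]+\.)*vialivetext\.org(:\d+)?/.*",
    "non-proxying-services": r"http://([A-Za-z0-9_-]+\.)*vialivetext\.org(:\d+)?/.*",
}
# entityID copied from the posted cas.xml.
METADATA_ENTITY_ID = "https://testing.vialivetext.com/auth/cas/callback"


def classify_query(url):
    """Label each query component: 'pair', 'empty-value' (name=) or 'no-equals' (name)."""
    out = []
    for comp in urlsplit(url).query.split("&"):
        if not comp:
            continue
        name, sep, value = comp.partition("=")
        kind = "no-equals" if not sep else ("pair" if value else "empty-value")
        out.append((name, kind))
    return out


def matching_groups(url):
    """Registry groups whose regex matches the whole URL (full match is an assumption)."""
    return [g for g, rx in REGISTRY_PATTERNS.items() if re.fullmatch(rx, url)]


def triage(url):
    """Collect the checks a reviewer would run on one logged service URL."""
    base = url.split("?", 1)[0]
    return {
        "irregular_params": [(n, k) for n, k in classify_query(url) if k != "pair"],
        "registry_groups": matching_groups(url),
        "equals_entity_id": url == METADATA_ENTITY_ID,
        "base_equals_entity_id": base == METADATA_ENTITY_ID,
    }


if __name__ == "__main__":
    for key, value in triage(SERVICE_URL).items():
        print(f"{key}: {value}")
```

On the values posted here it reports `redirect_url=` and `url` as irregular query components, no match against either posted pattern (`vialivetext\.org` in the regexes, `vialivetext.com` in the logged URL), and an entityID match only once the query string is stripped.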