CAS proxy validation failure - Configured TLS trust engine was not used
Paul B. Henson
henson at cpp.edu
Mon Aug 17 03:29:14 UTC 2020
I'm testing idp 4.0.1, and found a weird failure with CAS proxy auth. If
I have no SSO session, it works fine:
2020-08-16 20:13:07,435 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - INFO [net.shibboleth.idp.cas.flow.impl.ValidateTicketAction:153] - Profile Action ValidateTicketAction: Successfully validated ST-AADXGZLDOJSXIMPCXDWYYTI3TYSIZNNR5NVOYQ7L4MN2B7SP4SNLTIKY3ZMDVJJWIDZ66OISNE7X3O5VPSPPATZRC3BVXDMRDOCSY7RS5WTX6CFEKHGO7TS3EHANWCENLNQG76UJUZNELW6WSJNTJ2NA3SGJKP3CUKHOBS5EQYTVWCSNKJBMEYSKEHH5ESVS4Z3AXYYK42CJKLHKY3SJTBPPCWMI5EUHJTAGX3HHXUM4SSBD62LMBKTHMNY4WCBZLV4MYETY7ROYTF5254UYMESLUF4CHPPMPZKSLTKQZLVJTTY3VNGWX3TMJL4TCZQL3DMBATAN3EJ2XAW5LN62LYMBLQM7Y6KXRK44RZQCTUYEPRJKGSKJS6M4FAKA---- for https://www.idm.unx.cpp.edu/webui-dev
2020-08-16 20:13:07,441 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - DEBUG [net.shibboleth.idp.cas.flow.impl.ValidateProxyCallbackAction:159] - Profile Action ValidateProxyCallbackAction: Attempting proxy authentication to https://www.idm.unx.cpp.edu/cas_pgt-dev?pgtId=PGT-1597633987438-RimfopY1FUF9y1MSUwjd5E4EM4rJq0KImM94M22Dekq0HbsSvT&pgtIou=PGTIOU-1597633987441-AWOqUCZFoKlTj5C7QgD2OwVKBF8wFmpUaBEe3MjdHLOrdQl8Sk
2020-08-16 20:13:07,442 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator:162] - Attempting to validate CAS proxy callback URI https://www.idm.unx.cpp.edu/cas_pgt-dev?pgtId=PGT-1597633987438-RimfopY1FUF9y1MSUwjd5E4EM4rJq0KImM94M22Dekq0HbsSvT&pgtIou=PGTIOU-1597633987441-AWOqUCZFoKlTj5C7QgD2OwVKBF8wFmpUaBEe3MjdHLOrdQl8Sk
2020-08-16 20:13:07,456 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:285] - Resolving credentials from metadata using entityID: https://www.idm.unx.cpp.edu/, role: {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor, protocol: https://www.apereo.org/cas/protocol, usage: SIGNING
2020-08-16 20:13:07,456 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:434] - Retrieving role descriptor metadata for entity 'https://www.idm.unx.cpp.edu/' in role '{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor' for protocol 'https://www.apereo.org/cas/protocol'
olver.impl.AbstractBatchMetadataResolver:178] - Metadata Resolver FilesystemMetadataResolver cpp-cas: Resolved 1 candidates via EntityIdCriterion: EntityIdCriterion [id=https://www.idm.unx.cpp.edu/]
2020-08-16 20:13:07,460 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:610] - Metadata Resolver FilesystemMetadataResolver cpp-cas: Attempting to filter candidate EntityDescriptors via resolved Predicates
2020-08-16 20:13:07,460 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:632] - Metadata Resolver FilesystemMetadataResolver cpp-cas: After predicate filtering 1 EntityDescriptors remain
2020-08-16 20:13:07,500 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - DEBUG [net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:179] - Storing mapping of PGT-1597633987438-RimfopY1FUF9y1MSUwjd5E4EM4rJq0KImM94M22Dekq0HbsSvT to 04e5585eeb8b0fb39cc59214aa90122cc066ddf9effde81253465458eafb5fbd in context https://www.apereo.org/cas/protocol/serviceValidate
2020-08-16 20:13:07,501 - 2620:df:8000:ff10:0:1:247:16/node0np5dpf62x7qd1xpq7vzwncvwi1 - DEBUG [net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:183] - Storing PGT-1597633987438-RimfopY1FUF9y1MSUwjd5E4EM4rJq0KImM94M22Dekq0HbsSvT in context 04e5585eeb8b0fb39cc59214aa90122cc066ddf9effde81253465458eafb5fbd
If I have an established SSO session, it fails with an untrusted cert and
a warning that the "Configured TLS trust engine was not used":
2020-08-16 20:14:56,646 - 2620:df:8000:ff10:0:1:247:16/node01pf4gxx0vbayfq9f6avlhfaxu2 - INFO [net.shibboleth.idp.cas.flow.impl.ValidateTicketAction:153] - Profile Action ValidateTicketAction: Successfully validated ST-AADXGZLDOJSXIMIXKFELTY3E7JWSD2TLC5AVKPSRU3QNMI2GPRPQ6TI25AYYZK56C7GHVNWE3XT4GFJN56KZ5CSB2J47LUEWFZBRAY6FJOARPNPUNTUIWV2WP5APZ4E67ZHWUCRKQI5HQBCMGTMO7R5ERXHQBCY47W6S33E2HPVZU6GMZIS4YSSFTIV57OGAP7CF3HJFKW5CDZAHYODA26I74NGDQBWY2OGNU2NYCGQWOGMBKQR6TF6KO2WCZB53EAVXZBBH6CXBFPIIBE54WNXRINMCFTDB2YCZEAIVSKOTK5XFFN3H5QXRHY7RVC6AIG5EGYYBRLACDQD46E3ORAOUBGD4HGOL4UPUNARYCI2XFQ7PUAXFCVFVZBZQ---- for https://www.idm.unx.cpp.edu/webui-dev
2020-08-16 20:14:56,647 - 2620:df:8000:ff10:0:1:247:16/node01pf4gxx0vbayfq9f6avlhfaxu2 - DEBUG [net.shibboleth.idp.cas.flow.impl.ValidateProxyCallbackAction:159] - Profile Action ValidateProxyCallbackAction: Attempting proxy authentication to https://www.idm.unx.cpp.edu/cas_pgt-dev?pgtId=PGT-1597634096647-2G7mZZANKA9j6GHzcyIyr1lJp92DwuhUB3PiTJPonGFDtMLb9w&pgtIou=PGTIOU-1597634096647-WG3okNIyBA7UN42qCQMArT8TKlHSn8JsXghTscSeVN6kBAWGdf
2020-08-16 20:14:56,648 - 2620:df:8000:ff10:0:1:247:16/node01pf4gxx0vbayfq9f6avlhfaxu2 - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator:162] - Attempting to validate CAS proxy callback URI https://www.idm.unx.cpp.edu/cas_pgt-dev?pgtId=PGT-1597634096647-2G7mZZANKA9j6GHzcyIyr1lJp92DwuhUB3PiTJPonGFDtMLb9w&pgtIou=PGTIOU-1597634096647-WG3okNIyBA7UN42qCQMArT8TKlHSn8JsXghTscSeVN6kBAWGdf
2020-08-16 20:14:56,680 - 2620:df:8000:ff10:0:1:247:16/node01pf4gxx0vbayfq9f6avlhfaxu2 - WARN [org.opensaml.security.httpclient.HttpClientSecuritySupport:109] - Configured TLS trust engine was not used to verify server TLS credential, the appropriate socket factory was likely not configured
2020-08-16 20:14:56,683 - 2620:df:8000:ff10:0:1:247:16/node01pf4gxx0vbayfq9f6avlhfaxu2 - WARN [net.shibboleth.idp.cas.flow.impl.ValidateProxyCallbackAction:170] - Profile Action ValidateProxyCallbackAction: Proxy authentication failed for https://www.idm.unx.cpp.edu/cas_pgt-dev
javax.security.auth.login.CredentialException: Untrusted certificate presented by CAS proxy callback endpoint
Any thoughts on what's going on here?
--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
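To surface this condition across a whole log rather than by eye, here is an added example (not from the post or from Shibboleth): a small Python triage script that parses IdP log lines in the layout shown above, groups them by the IdP session id, and reports sessions where the HttpClientSecuritySupport warning fired during proxy callback validation, along with whether the callback then failed. The sample lines are constructed; hostnames, session ids and ticket values are placeholders.

```python
import re
from collections import defaultdict
# Shibboleth IdP log layout as it appears in the post:
#   <timestamp> - <client>/<session> - <LEVEL> [<logger>:<line>] - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<client>[^/]+)/(?P<session>\S+) - "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^:\]]+):\d+\] - (?P<msg>.*)$"
)
TRUST_ENGINE_WARN = "Configured TLS trust engine was not used"
PROXY_FAIL = "Proxy authentication failed for "

def parse(line):
    """Return the fields of a well-formed IdP log line, or None for anything else
    (stack-trace lines, wrapped fragments)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def proxy_callback_findings(lines):
    """Group records by IdP session and return {session: (callback_url, failed)}
    for every session in which the HttpClientSecuritySupport warning fired, i.e.
    the proxy callback TLS check ran without the configured trust engine."""
    per_session = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_session[rec["session"]].append(rec)
    findings = {}
    for session, recs in per_session.items():
        callback, warned, failed = None, False, False
        for r in recs:
            msg = r["msg"]
            if r["logger"].endswith("HttpClientProxyValidator") and "proxy callback URI " in msg:
                # keep the endpoint only; pgtId/pgtIou are secrets and should not be reported
                callback = msg.split("proxy callback URI ", 1)[1].split("?", 1)[0]
            elif r["level"] == "WARN" and TRUST_ENGINE_WARN in msg:
                warned = True
            elif r["level"] == "WARN" and PROXY_FAIL in msg:
                failed = True
        if warned:
            findings[session] = (callback, failed)
    return findings

# Constructed sample (hostnames and ticket values are placeholders): session nodeA is
# healthy, session nodeB shows the warning followed by the callback failure.
SAMPLE = """\
2020-08-16 20:13:07,442 - 2001:db8::16/nodeA - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator:162] - Attempting to validate CAS proxy callback URI https://proxy.example.edu/cas_pgt?pgtId=PGT-PLACEHOLDER&pgtIou=PGTIOU-PLACEHOLDER
2020-08-16 20:13:07,500 - 2001:db8::16/nodeA - DEBUG [net.shibboleth.idp.cas.ticket.impl.AbstractTicketService:183] - Storing PGT-PLACEHOLDER in context 0123abcd
2020-08-16 20:14:56,648 - 2001:db8::16/nodeB - DEBUG [net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator:162] - Attempting to validate CAS proxy callback URI https://proxy.example.edu/cas_pgt?pgtId=PGT-PLACEHOLDER2&pgtIou=PGTIOU-PLACEHOLDER2
2020-08-16 20:14:56,680 - 2001:db8::16/nodeB - WARN [org.opensaml.security.httpclient.HttpClientSecuritySupport:109] - Configured TLS trust engine was not used to verify server TLS credential, the appropriate socket factory was likely not configured
2020-08-16 20:14:56,683 - 2001:db8::16/nodeB - WARN [net.shibboleth.idp.cas.flow.impl.ValidateProxyCallbackAction:170] - Profile Action ValidateProxyCallbackAction: Proxy authentication failed for https://proxy.example.edu/cas_pgt
javax.security.auth.login.CredentialException: Untrusted certificate presented by CAS proxy callback endpoint
""".splitlines()
```

Running proxy_callback_findings over idp-process.log lines reports only sessions where the trust engine was bypassed, so a healthy session like nodeA never appears.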