Problem with CAS renew re-authentication
Paul Engle
pengle at rice.edu
Tue Mar 24 14:46:01 EDT 2020
Is the renew=true being sent with both the login and the serviceValidate?
If I recall correctly we had issues with some CAS clients because they
would do one but not the other. A strict reading of the CAS spec says it
has to be present on both or neither.
For at least one client that we just flat-out couldn't get to renew
properly I ended up using metadata-driven configuration to set
forceAuthn=true to accomplish the same thing.
--
Paul Engle
IAM Architect
Identity & Access Management
pengle at rice.edu 713-348-4702
On Tue, Mar 24, 2020 at 11:00 AM p1995s <p1995s at yahoo.com> wrote:
> We have a CAS client that we are trying to set up using the renew parameter
> to force a re-auth. The IDP will prompt for re-auth but, after entering login
> credentials, it will fail.
> If the renew parameter is set to false, the authentication is working.
> In the idp logs we see the following:
>
> 2020-03-23 15:26:48,620 - 172.20.6.33 - DEBUG [net.shibboleth.idp.cas.flow.impl.ValidateTicketAction:92] - Attempting to validate
> ST-AADXGZLDOJSXIMKVZMUYG2CTZZJWA2N7TSRVM2HXTJ6YNGONX5TSRMVNGOH55OE2XGSP4KV3BRJKY7TZGXKYAAMJOJLMUQVXK3Z7CF23S27CRLOSWUUFDAALZKZN7AWOBGM6AVYHDN4SLEM6KQUXLUH26MDX76JYFNQGMXXXW4VRCVZTJ5EU3AZYWPF3EV3CTN3S6ZXNYVZFRTDOH2MEZMTDIKFIDJHIABF25M77OU2EDBGXSWA3IVTSLVGVU6LV2YDNFGUUEW2FVEH4IGNX2ILREWIMPUGYTA6MMI53EYCXTALOTTRXODE3BAPYEPHPQHSAARLDPQ6LLPCDNMDXRWEFFLTJ7FMDT6LLNEJGP4DSFMN3QOP7OYECOZPRLHCCKHPHILTFN5HOQCER4EILG4MYMY------
> 2020-03-23 15:26:48,621 - 172.20.6.33 - DEBUG [net.shibboleth.idp.cas.flow.impl.ValidateTicketAction:101] - Found and removed
> ST-AADXGZLDOJSXIMKVZMUYG2CTZZJWA2N7TSRVM2HXTJ6YNGONX5TSRMVNGOH55OE2XGSP4KV3BRJKY7TZGXKYAAMJOJLMUQVXK3Z7CF23S27CRLOSWUUFDAALZKZN7AWOBGM6AVYHDN4SLEM6KQUXLUH26MDX76JYFNQGMXXXW4VRCVZTJ5EU3AZYWPF3EV3CTN3S6ZXNYVZFRTDOH2MEZMTDIKFIDJHIABF25M77OU2EDBGXSWA3IVTSLVGVU6LV2YDNFGUUEW2FVEH4IGNX2ILREWIMPUGYTA6MMI53EYCXTALOTTRXODE3BAPYEPHPQHSAARLDPQ6LLPCDNMDXRWEFFLTJ7FMDT6LLNEJGP4DSFMN3QOP7OYECOZPRLHCCKHPHILTFN5HOQCER4EILG4MYMY------/8ce34ad2fb1b4ac15ef9bb031b83ddd99cc5041bde951964fb236b0b455da9ea
> from ticket store
> 2020-03-23 15:26:48,621 - 172.20.6.33 - INFO [net.shibboleth.idp.cas.flow.impl.ValidateTicketAction:117] - Successfully validated
> ST-AADXGZLDOJSXIMKVZMUYG2CTZZJWA2N7TSRVM2HXTJ6YNGONX5TSRMVNGOH55OE2XGSP4KV3BRJKY7TZGXKYAAMJOJLMUQVXK3Z7CF23S27CRLOSWUUFDAALZKZN7AWOBGM6AVYHDN4SLEM6KQUXLUH26MDX76JYFNQGMXXXW4VRCVZTJ5EU3AZYWPF3EV3CTN3S6ZXNYVZFRTDOH2MEZMTDIKFIDJHIABF25M77OU2EDBGXSWA3IVTSLVGVU6LV2YDNFGUUEW2FVEH4IGNX2ILREWIMPUGYTA6MMI53EYCXTALOTTRXODE3BAPYEPHPQHSAARLDPQ6LLPCDNMDXRWEFFLTJ7FMDT6LLNEJGP4DSFMN3QOP7OYECOZPRLHCCKHPHILTFN5HOQCER4EILG4MYMY------
> for https://appnavu.wheaton.edu/applicationNavigator/login/cas
> 2020-03-23 15:26:48,622 - 172.20.6.33 - DEBUG [net.shibboleth.idp.cas.flow.impl.ValidateRenewAction:60] - Renew=true requested at validation time but ticket not issued with renew=true.
> 2020-03-23 15:26:48,631 - 172.20.6.33 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: TicketNotFromRenew
> 2020-03-23 15:26:48,651 - 172.20.6.33 - INFO [Shibboleth-Audit.SSO:275] - 20200323T202648Z|||
> https://appnavu.wheaton.edu/applicationNavigator/login/cas|https://www.apereo.org/cas/protocol/serviceValidate||||||||ST-AADXGZLDOJSXIMKVZMUYG2CTZZJWA2N7TSRVM2HXTJ6YNGONX5TSRMVNGOH55OE2XGSP4KV3BRJKY7TZGXKYAAMJOJLMUQVXK3Z7CF23S27CRLOSWUUFDAALZKZN7AWOBGM6AVYHDN4SLEM6KQUXLUH26MDX76JYFNQGMXXXW4VRCVZTJ5EU3AZYWPF3EV3CTN3S6ZXNYVZFRTDOH2MEZMTDIKFIDJHIABF25M77OU2EDBGXSWA3IVTSLVGVU6LV2YDNFGUUEW2FVEH4IGNX2ILREWIMPUGYTA6MMI53EYCXTALOTTRXODE3BAPYEPHPQHSAARLDPQ6LLPCDNMDXRWEFFLTJ7FMDT6LLNEJGP4DSFMN3QOP7OYECOZPRLHCCKHPHILTFN5HOQCER4EILG4MYMY------|
> 2020-03-23 15:26:48,660 - 172.20.6.33 - DEBUG [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100] - Looking up message encoder based on binding URI: urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
> 2020-03-23 15:26:48,685 - 172.20.6.33 - DEBUG [PROTOCOL_MESSAGE:70] -
> <?xml version="1.0" encoding="UTF-8"?>
> <SOAP-ENV:Envelope
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
> <SOAP-ENV:Body>
> <saml1p:Response IssueInstant="2020-03-23T20:26:48.653Z" MajorVersion="1" MinorVersion="1"
> ResponseID="ST-AADXGZLDOJSXIMKVZMUYG2CTZZJWA2N7TSRVM2HXTJ6YNGONX5TSRMVNGOH55OE2XGSP4KV3BRJKY7TZGXKYAAMJOJLMUQVXK3Z7CF23S27CRLOSWUUFDAALZKZN7AWOBGM6AVYHDN4SLEM6KQUXLUH26MDX76JYFNQGMXXXW4VRCVZTJ5EU3AZYWPF3EV3CTN3S6ZXNYVZFRTDOH2MEZMTDIKFIDJHIABF25M77OU2EDBGXSWA3IVTSLVGVU6LV2YDNFGUUEW2FVEH4IGNX2ILREWIMPUGYTA6MMI53EYCXTALOTTRXODE3BAPYEPHPQHSAARLDPQ6LLPCDNMDXRWEFFLTJ7FMDT6LLNEJGP4DSFMN3QOP7OYECOZPRLHCCKHPHILTFN5HOQCER4EILG4MYMY------"
> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
> <saml1p:Status>
> <saml1p:StatusCode Value="INVALID_TICKET"
> xmlns="http://www.ja-sig.org/products/cas/"/>
>
> <saml1p:StatusMessage>E_TICKET_NOT_FROM_RENEW</saml1p:StatusMessage>
> </saml1p:Status>
> </saml1p:Response>
> </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
>
> 2020-03-23 15:26:48,695 - 172.20.6.33 - DEBUG [net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile Action RecordResponseComplete: Record response complete
>
> Any suggestions?
> Please help.
>
> Thanks,
> Paul
>
>
>
>
> --
> Sent from:
> https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
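The rule Paul describes (renew on both /login and /serviceValidate, or on neither) is what the IdP's ValidateRenewAction enforces in the log above: the service ticket carries a flag recording whether it was issued from a renew=true login, and a validation request with renew=true is refused with E_TICKET_NOT_FROM_RENEW if that flag is not set. The following is an added example, not code from the Shibboleth IdP or from any CAS client, that models that exchange with a toy server and runs the four client combinations plus a ticket replay. The class and function names (CasServer, login, service_validate, client_flow, run_scenarios), the ticket format and the service URL are invented for illustration; the status strings mirror the INVALID_TICKET / E_TICKET_NOT_FROM_RENEW response quoted in the thread.

```python
"""Toy model of the CAS 'renew' consistency check (added example, not IdP code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ServiceTicket:
    service: str
    issued_with_renew: bool   # set from the renew parameter of the /login request


class CasServer:
    """Minimal stand-in for the IdP's CAS /login and /serviceValidate endpoints."""

    def __init__(self) -> None:
        self._tickets: Dict[str, ServiceTicket] = {}
        self._sso_session = False   # becomes True once primary credentials were accepted

    def login(self, service: str, renew: bool, credentials_ok: bool) -> Optional[str]:
        # renew=true forces a fresh credential prompt even when an SSO session exists;
        # without it, an existing SSO session is reused and no prompt is shown.
        if renew or not self._sso_session:
            if not credentials_ok:
                return None            # authentication failed, no ticket issued
            self._sso_session = True
        ticket = "ST-" + secrets.token_urlsafe(16)   # invented ticket format
        self._tickets[ticket] = ServiceTicket(service, issued_with_renew=renew)
        return ticket

    def service_validate(self, ticket: Optional[str], service: str, renew: bool) -> dict:
        # Tickets are single use: remove on first lookup, as the log's
        # "Found and removed ... from ticket store" line shows.
        st = self._tickets.pop(ticket, None) if ticket else None
        if st is None or st.service != service:
            return {"status": "INVALID_TICKET"}
        # The check ValidateRenewAction performs: renew at validation time
        # requires a ticket that was issued from a renew=true login.
        if renew and not st.issued_with_renew:
            return {"status": "INVALID_TICKET", "message": "E_TICKET_NOT_FROM_RENEW"}
        return {"status": "SUCCESS"}


def client_flow(server: CasServer, service: str,
                renew_on_login: bool, renew_on_validate: bool) -> dict:
    """One CAS client round trip: /login then /serviceValidate."""
    ticket = server.login(service, renew=renew_on_login, credentials_ok=True)
    return server.service_validate(ticket, service, renew=renew_on_validate)


def run_scenarios() -> Dict[str, dict]:
    """Run every renew combination a (mis)configured client might send."""
    svc = "https://app.example.edu/login/cas"   # constructed service URL
    results = {}
    for name, on_login, on_validate in [
        ("both", True, True),
        ("login_only", True, False),
        ("validate_only", False, True),
        ("neither", False, False),
    ]:
        results[name] = client_flow(CasServer(), svc, on_login, on_validate)
    # Replay: presenting the same ticket a second time must fail.
    server = CasServer()
    ticket = server.login(svc, renew=True, credentials_ok=True)
    server.service_validate(ticket, svc, renew=True)
    results["replay"] = server.service_validate(ticket, svc, renew=True)
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:14s} {result}")
```

The "validate_only" case reproduces the failure in the quoted log: the client asked for renew at validation but the ticket was not issued with renew, so the response is INVALID_TICKET with E_TICKET_NOT_FROM_RENEW. The "login_only" case succeeds in this model because the check is only made when renew is requested at validation, which is why a client that sends the parameter on one leg but not the other can appear to work in one direction and fail in the other.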