
List:       shibboleth-users
Subject:    shib-cas-authn3 Different service URLs between login and validation when entityIdLocation=embed
From:       Carlos Fernandez <cfernand () sju ! edu>
Date:       2017-07-31 19:22:29
Message-ID: CAE7KU84VHPU27zkBZPRhOsm23coQ8tJkEQXCEjGj7bOC4CKc2Q () mail ! gmail ! com


Setup: IdP 3.3.0, shib-cas-authn 3.2.2, CAS 5.0.5, CAS client 3.4.1

When shibcas.entityIdLocation=embed, the service URL sent with the
validation request differs from the one sent for the login request.

From the logs:
`org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-8997-qwrkgYqHLZqAHEvlf2EZ-cas.sju.edu' does not match supplied service.
The original service was 'https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1&entityId=https://sju.zoom.us'
and the supplied service was 'https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1&entityId=https%3A%2F%2Fsju.zoom.us&entityId=https://sju.zoom.us'.`


The validation service URL appears to have the entityID embedded twice,
which CAS flags as invalid and refuses to validate. This results in our IdP
returning an AuthnFailed to the SP (we don't have any other authn methods
in our IdP).

From rifling through the code a bit, it seems that the CAS CommonUtils
class returns a service URL with the entityID already embedded when the
browser returns from login with the service ticket, after which ShibCAS
embeds the entityID again.

Has anyone else run into this issue? I think this might not be an issue
with older CAS releases -- I know from experience that CAS 3.5 doesn't care
about the service URL during validation, which we discovered when we
upgraded to CAS 5.0.5 and one of our applications no longer worked.

Best regards,
--
Carlos M. Fernández
Enterprise Systems Manager
*Saint Joseph's University*
Philadelphia PA 19131
T: +1 610 660 1501
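Added example, not code from this post, from shib-cas-authn or from CAS: a small Python check that reproduces the symptom in the log above. It parses the login and validation service URLs, reports the duplicated entityId parameter, and shows an idempotent way of embedding entityId so that a second pass does not add it again. Assumption: the two URLs are compared on their decoded query pairs, which simplifies whatever comparison CAS actually performs.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed from the two service strings quoted in the log above.
LOGIN_SERVICE = ("https://cas.sju.edu/idp/Authn/ExtCas"
                 "?conversation=e1s1&entityId=https://sju.zoom.us")
VALIDATION_SERVICE = ("https://cas.sju.edu/idp/Authn/ExtCas"
                      "?conversation=e1s1&entityId=https%3A%2F%2Fsju.zoom.us"
                      "&entityId=https://sju.zoom.us")


def query_params(url):
    """Decoded (name, value) pairs of the URL's query string, in order."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def duplicate_params(url):
    """Parameter names that occur more than once, e.g. ['entityId']."""
    names = [name for name, _ in query_params(url)]
    return sorted({n for n in names if names.count(n) > 1})


def embed_entity_id(service_url, entity_id):
    """Append entityId only when it is not already embedded (idempotent).

    Calling this twice on the same URL returns the same URL, which is the
    property the double-embedding in the log lacks.
    """
    parts = urlsplit(service_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ("entityId", entity_id) in params:
        return service_url
    params.append(("entityId", entity_id))
    return urlunsplit(parts._replace(query=urlencode(params)))


def explain_mismatch(original, supplied):
    """None if the two service URLs agree, otherwise a short reason."""
    if query_params(original) == query_params(supplied):
        return None
    dups = duplicate_params(supplied)
    if dups:
        return "supplied service repeats parameter(s): " + ", ".join(dups)
    return "supplied service query differs from original"


if __name__ == "__main__":
    print(explain_mismatch(LOGIN_SERVICE, VALIDATION_SERVICE))
```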

