> I am using pac4j delegated authentication with SAML2 so that CAS uses a
> SAML2 Identity Provider (IdP) for authentication.
> 
> With CAS version 5.1.3 the <AuthnRequest> sent to the IdP has
> 
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> 
> as I expect, and that matches the metadata for the CAS server SP that
> was given to the IdP. The CAS server auto-generated SP SAML metadata
> contains
> 
> <md:AssertionConsumerService
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     Location="https://my.server/cas/login?client_name=SAML2Client"
>     index="0"/>
> 
> So this is consistent and the SAML flow works as expected.
> 
> With CAS version 5.2.3 the <AuthnRequest> sent to the IdP has instead
> 
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> 
> That is not what I expect and appears to be a regression.
> 
> Further if I delete the auto-generated SP metadata so that CAS version
> 5.2.3 re-generates it I see in the metadata
> 
> <md:AssertionConsumerService
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     Location="https://my.server/cas/login?client_name=SAML2Client"
>     index="0"/>
> 
> Again, this is not what I expect for the SP ACS. I would expect it to
> be using the HTTP-POST binding.
> 
> Can someone confirm that this is a regression somewhere between 5.1.3
> and 5.2.3?

I used a Maven overlay to build version 5.2.3 but then after Tomcat
exploded the WAR I did

cd /var/lib/tomcat8/webapps/cas/WEB-INF/lib
rm pac4j-saml-2.2.0.jar
cp /home/skoranda/pac4j/pac4j-saml/target/pac4j-saml-2.3.1-SNAPSHOT.jar .

and restarted Tomcat. The pac4j version 2.3.1 jar was one I built from source 
by doing

git clone [email protected]:pac4j/pac4j.git
cd pac4j
git checkout 2.2.x
mvn install -DskipTests

That caused the issue to go away: the <AuthnRequest> from the CAS SP to
the remote IdP included

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

as I expected and it matched the <AssertionConsumerService> element in
the existing SP metadata.

By default, when CAS 5.2.3 is deployed with a Maven overlay, version 2.2.0
of pac4j is used, but with version 2.3.1 of pac4j the issue is resolved.

I edited my pom.xml file and changed

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>

to be instead

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>${cas.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.pac4j</groupId>
            <artifactId>pac4j-saml</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-saml</artifactId>
    <version>2.3.1</version>
</dependency>

This allowed CAS version 5.2.3 to leverage pac4j version 2.3.1 and resolved
the issue.

Thanks,

Scott K

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325203321.4jxx32nojpmisywx%40paprika.local.

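A consistency check, added here as an example and not code from the thread, from CAS or from pac4j, that parses an SP metadata document and an AuthnRequest (both constructed below to mirror the ones quoted in the thread) and reports when the request's ProtocolBinding does not correspond to an advertised AssertionConsumerService, which is exactly the mismatch the 5.2.3 deployment produced:

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata, modelled on the auto-generated metadata quoted in the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my.server/cas/login?client_name=SAML2Client">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my.server/cas/login?client_name=SAML2Client" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(binding):
    """Constructed AuthnRequest carrying the given ProtocolBinding (ID and timestamp are made up)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'ID="_example" Version="2.0" IssueInstant="2018-03-25T20:33:21Z" '
            f'ProtocolBinding="{binding}" '
            f'AssertionConsumerServiceURL="https://my.server/cas/login?client_name=SAML2Client"/>')


def acs_endpoints(metadata_xml):
    """Map (Location, Binding) -> index for every AssertionConsumerService the SP advertises."""
    root = ET.fromstring(metadata_xml)
    return {(acs.get("Location"), acs.get("Binding")): acs.get("index")
            for acs in root.iter(MD + "AssertionConsumerService")}


def check_authn_request(request_xml, metadata_xml):
    """Return a list of mismatches between the AuthnRequest and the SP metadata (empty == consistent)."""
    req = ET.fromstring(request_xml)
    if req.tag != SAMLP + "AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    endpoints = acs_endpoints(metadata_xml)
    index = req.get("AssertionConsumerServiceIndex")
    if index is not None:
        # Index form: the IdP resolves the endpoint from metadata, so it only has to exist there.
        return [] if index in endpoints.values() else [f"ACS index {index} not in SP metadata"]
    binding = req.get("ProtocolBinding")
    url = req.get("AssertionConsumerServiceURL")
    problems = []
    if (url, binding) not in endpoints:
        problems.append(f"no AssertionConsumerService with Location={url} and Binding={binding}")
    # The Web Browser SSO profile delivers the Response by HTTP-POST or HTTP-Artifact; an SP that
    # asks for HTTP-Redirect cannot receive the (typically large, signed) Response that way.
    if binding == HTTP_REDIRECT:
        problems.append("HTTP-Redirect is not a usable binding for delivering a Response to an ACS")
    return problems
```

Running the check against a captured AuthnRequest and the SP metadata handed to the IdP catches the binding drift before the IdP rejects the request or posts to an endpoint the SP never advertised.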