Hi,

Yes, there is an issue with pac4j v2.2.0 regarding the SAML support. Upgrading to pac4j v2.2.1 should be enough to fix the problem.

That said, the latest release is indeed the version 2.3.1. I submitted a PR to fix that: https://github.com/apereo/cas/pull/3255

Thanks.
Best regards,
Jérôme

On Sun, Mar 25, 2018 at 10:33 PM, Scott Koranda <[email protected]> wrote:
> > I am using pac4j delegated authentication with SAML2 so that CAS uses a
> > SAML2 Identity Provider (IdP) for authentication.
> >
> > With CAS version 5.1.3 the <AuthnRequest> sent to the IdP has
> >
> > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> >
> > as I expect, and that matches the metadata for the CAS server SP that
> > was given to the IdP. The CAS server auto-generated SP SAML metadata
> > contains
> >
> > <md:AssertionConsumerService
> >     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> >     Location="https://my.server/cas/login?client_name=SAML2Client"
> >     index="0"/>
> >
> > So this is consistent and the SAML flow works as expected.
> >
> > With CAS version 5.2.3 the <AuthnRequest> sent to the IdP has instead
> >
> > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> >
> > That is not what I expect and appears to be a regression.
> >
> > Further if I delete the auto-generated SP metadata so that CAS version
> > 5.2.3 re-generates it I see in the metadata
> >
> > <md:AssertionConsumerService
> >     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> >     Location="https://my.server/cas/login?client_name=SAML2Client"
> >     index="0"/>
> >
> > Again, this is not what I expect for the SP ACS. I would expect it to
> > be using the HTTP-POST binding.
> >
> > Can someone confirm that this is a regression somewhere between 5.1.3
> > and 5.2.3?
>
> I used a Maven overlay to build version 5.2.3 but then after Tomcat
> exploded the WAR I did
>
> cd /var/lib/tomcat8/webapps/cas/WEB-INF/lib
> rm pac4j-saml-2.2.0.jar
> cp /home/skoranda/pac4j/pac4j-saml/target/pac4j-saml-2.3.1-SNAPSHOT.jar .
>
> and restarted Tomcat. The pac4j version 2.3.1 jar was one I built from
> source by doing
>
> git clone [email protected]:pac4j/pac4j.git
> cd pac4j
> git checkout 2.2.x
> mvn install -DskipTests
>
> That caused the issue to go away: the <AuthnRequest> from the CAS SP to
> the remote IdP included
>
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>
> as I expected and it matched the <AssertionConsumerService> element in
> the existing SP metadata.
>
> By default when CAS 5.2.3 is deployed with a Maven overlay version 2.2.0
> of pac4j is used but with version 2.3.1 of pac4j the issue is resolved.
>
> I edited my pom.xml file and changed
>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-pac4j-webflow</artifactId>
>     <version>${cas.version}</version>
> </dependency>
>
> to be instead
>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-pac4j-webflow</artifactId>
>     <version>${cas.version}</version>
>     <exclusions>
>         <exclusion>
>             <groupId>org.pac4j</groupId>
>             <artifactId>pac4j-saml</artifactId>
>         </exclusion>
>     </exclusions>
> </dependency>
> <dependency>
>     <groupId>org.pac4j</groupId>
>     <artifactId>pac4j-saml</artifactId>
>     <version>2.3.1</version>
> </dependency>
>
> This allowed CAS version 5.2.3 to leverage pac4j version 2.3.1 and resolved
> the issue.
>
> Thanks,
>
> Scott K
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325203321.4jxx32nojpmisywx%40paprika.local.
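The regression described in the thread is a mismatch between what the SP asks for in its <AuthnRequest> (ProtocolBinding) and what its published metadata actually offers in <md:AssertionConsumerService>. The following is an added example, not CAS or pac4j code, that checks an outgoing AuthnRequest against the SP's own metadata so a deployer can catch this before an IdP does; the metadata and request XML are constructed from the elements quoted above, and the entityID and IdP Destination are made-up placeholders.

```python
"""Consistency check: SAML2 <AuthnRequest> vs the SP's own metadata ACS entries."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ACS_URL = "https://my.server/cas/login?client_name=SAML2Client"

# Constructed SP metadata, shaped like the CAS 5.1.3 auto-generated file in the thread
# (only HTTP-POST is offered). The entityID is a placeholder.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://my.server/cas/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService Binding="{POST}" Location="{ACS_URL}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(binding: str) -> str:
    """Constructed minimal AuthnRequest; only the attributes we inspect matter here."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_example" Version="2.0" '
            f'IssueInstant="2018-03-25T20:33:21Z" Destination="https://idp.example.org/sso" '
            f'ProtocolBinding="{binding}" AssertionConsumerServiceURL="{ACS_URL}"/>')


def acs_endpoints(metadata_xml: str) -> set:
    """Return the (Binding, Location) pairs the SP metadata advertises to the IdP."""
    root = ET.fromstring(metadata_xml)
    return {(acs.get("Binding"), acs.get("Location"))
            for acs in root.iterfind(".//md:AssertionConsumerService", NS)}


def check_request(request_xml: str, metadata_xml: str) -> list:
    """Return findings for one AuthnRequest; an empty list means it matches the metadata."""
    req = ET.fromstring(request_xml)
    binding, acs_url = req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL")
    endpoints = acs_endpoints(metadata_xml)
    if binding and binding not in {b for b, _ in endpoints}:
        return [f"ProtocolBinding {binding} is not offered by any ACS in the SP metadata"]
    if acs_url and acs_url not in {loc for _, loc in endpoints}:
        return [f"AssertionConsumerServiceURL {acs_url} is not in the SP metadata"]
    if binding and acs_url and (binding, acs_url) not in endpoints:
        return ["no single ACS entry matches both the requested binding and location"]
    return []


if __name__ == "__main__":
    for b in (POST, REDIRECT):  # POST is consistent; REDIRECT reproduces the 5.2.3 mismatch
        print(b.rsplit(":", 1)[1], "->", check_request(authn_request(b), SP_METADATA) or "OK")
```

Run it against the real auto-generated metadata and a decoded AuthnRequest captured from the browser to confirm which side (request or metadata) changed after an upgrade.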
