Re: [cas-user] Re: Error SAML 2.0 + Access Strategy

Thu, 08 Nov 2018 11:31:10 -0800

Thanks Misagh. We did some tests with version 5.3.4, and found the same error. However, in this version we were able to detect the problem.
The problem occurs when we try to make a use an access rule with requiredAttributes, and we have not sent this attribute via attributeReleasePolicy. Without this the parameter arrives in white in the SAMLRequest. 

regards,


El 31/10/18 a las 16:22, Misagh Moayyed escribió:

I can't recall specifically, but I do know this has been fixed in 
later versions of 5.3.x.


On Tuesday, October 30, 2018 at 7:48:43 PM UTC+3:30, Alexi Pascual wrote:

    hi,

    We have a SAML 2.0 integration with Coursera and it works well.
    However, when I add an access rule, the following error appears:

    URL:
    
https://server.cl/cas/idp/profile/SAML2/Callback.+?entityId=https%3A%2F%2Fshibboleth.coursera.org%2Fsp&SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbHA6QXV0aG5SZXF1ZXN0IHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cHM6Ly93d3cuY291cnNlcmEub3JnL2FwaS9zYW1sTG9naW4udjEvbG9naW4iIERlc3RpbmF0aW9uPSJodHRwczovL3Nzby51Yy5jbC9jYXMvaWRwL3Byb2ZpbGUvU0FNTDIvUmVkaXJlY3QvU1NPIiBGb3JjZUF1dGhuPSIwIiBJRD0ieUhsVjEwYWVTOS14YjhQLW5sUVhkZyIgSXNzdWVJbnN0YW50PSIyMDE4LTEwLTMwVDE2OjA5OjA3WiIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL3NoaWJib2xldGguY291cnNlcmEub3JnL3NwPC9zYW1sOklzc3Vlcj48c2FtbHA6TmFtZUlEUG9saWN5IEFsbG93Q3JlYXRlPSIxIi8%2BPC9zYW1scDpBdXRoblJlcXVlc3Q%2B&RelayState&ticket=ST-1586-5sU7YpMxhVf22toid1e1msEd8oM-sso-prod3
    
<https://server.cl/cas/idp/profile/SAML2/Callback.+?entityId=https%3A%2F%2Fshibboleth.coursera.org%2Fsp&SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbHA6QXV0aG5SZXF1ZXN0IHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cHM6Ly93d3cuY291cnNlcmEub3JnL2FwaS9zYW1sTG9naW4udjEvbG9naW4iIERlc3RpbmF0aW9uPSJodHRwczovL3Nzby51Yy5jbC9jYXMvaWRwL3Byb2ZpbGUvU0FNTDIvUmVkaXJlY3QvU1NPIiBGb3JjZUF1dGhuPSIwIiBJRD0ieUhsVjEwYWVTOS14YjhQLW5sUVhkZyIgSXNzdWVJbnN0YW50PSIyMDE4LTEwLTMwVDE2OjA5OjA3WiIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL3NoaWJib2xldGguY291cnNlcmEub3JnL3NwPC9zYW1sOklzc3Vlcj48c2FtbHA6TmFtZUlEUG9saWN5IEFsbG93Q3JlYXRlPSIxIi8%2BPC9zYW1scDpBdXRoblJlcXVlc3Q%2B&RelayState&ticket=ST-1586-5sU7YpMxhVf22toid1e1msEd8oM-sso-prod3>

    org.jasig.cas.client.validation.TicketValidationException: 
UNAUTHORIZED_SERVICE
        at 
org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:84)
        at 
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:201)
        at 
org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController.validateRequestAndBuildCasAssertion(SSOSamlProfileCallbackHandlerController.java:149)
        at 
org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController.handleCallbackProfileRequest(SSOSamlProfileCallbackHandlerController.java:115)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
        at 
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
        at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:741)
        at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
        at 
org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
        at 
org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
        at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
        at 
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:673)
        at 
org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController$$EnhancerBySpringCGLIB$$4a57c9b7.handleCallbackProfileRequest(<generated>)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
        at 
org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133)
        at 
org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97)
        at 
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
        at 
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
        at 
org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)

    The rule is as follows:

            "requiredAttributes" : {
                "@class" : "java.util.HashMap",
                "employeeType" : [
                    "java.util.HashSet",
                    [
                        "1",
                        "2",
                        "3"
                    ]
                ]
            }

    We can not continue with the integration without having resolved
    the Access Strategy, so I would appreciate any help.

    regards,


    -- 
    Alexi Pascual


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---

You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to [email protected] 
<mailto:[email protected]>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7c743e59-c11e-415a-80cd-8f7c06541bc5%40apereo.org 
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/7c743e59-c11e-415a-80cd-8f7c06541bc5%40apereo.org?utm_medium=email&utm_source=footer>.


--
Alexi Pascual

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG

--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c2d9d053-9b5a-edaf-fabb-7ccadb31deb2%40uc.cl.






















					Reply via email to