Hi, all,

Our previous Apache client (mod_auth_cas v1.0.9.1) worked seamlessly with 
our organization's CAS server, and retrieving SAML attributes was no 
problem at all. Currently, we're working toward a rollout of CAS 5.3.3, and 
I'm trying to integrate an Apache client built from the master branch (v1.2 
tag).

If I return only the CAS user from serviceValidate, that response is good; 
however, I'm getting a null response from the samlValidate endpoint, where 
Apache reports "Validation response: (null)" with no additional logging. 
Could I please get some troubleshooting advice for returning proper SAML 
using the latest Apache module?

Here's what I believe to be relevant. I'm happy to provide further details 
and logs:


*Preflight and build steps*
==========================================
openssl: Installed: 1.1.0g-2ubuntu4.3
libapr1: Installed: 1.6.3-2
libaprutil1: Installed: 1.6.1-2
apache2: Installed: 2.4.29-1ubuntu4.6
libcurl4: Installed: 7.58.0-2ubuntu3.7
libpcre3: Installed: 2:8.39-9

Installation:
    $ git clone https://github.com/apereo/mod_auth_cas.git
    $ cd mod_auth_cas
    $ autoreconf -ivf
    $ ./configure
    $ make
    $ sudo make install

(Libraries have been installed in:  /usr/lib/apache2/modules)


*Apache vhost configuration*
==========================================
LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://[CAS_SERVER]/cas/login
CASValidateURL https://[CAS_SERVER]/cas/samlValidate
CASValidateSAML On
CASAttributePrefix SAML-
# I've also specified the following while troubleshooting:
#CASVersion 2
CASDebug On

<LocationMatch "^/authtest">
    AuthType CAS
    AuthName "Test Group"
    CASAuthNHeader CAS-User
    # Both requirement targets fail with the SAML endpoint:
    #Require valid-user
    Require cas-attribute memberof~CN=[SOME_GROUP]
</LocationMatch>


*Apache debug log*
==========================================
[ssl:debug] [pid 8565:tid 140140085245696] ssl_engine_kernel.c(377):
    [client [APPLICATION_SERVER_IP]:35184]
    AH02034: Initial (No.1) HTTPS request received for child 69 (server [APPLICATION_SERVER]:443),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(2429):
    [client [APPLICATION_SERVER_IP]:35184]
    Entering cas_check_authorization.,
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[authz_core:debug] [pid 8565:tid 140140085245696] mod_authz_core.c(809):
    [client [APPLICATION_SERVER_IP]:35184]
    AH01626: authorization result of Require cas-attribute memberof~CN=[SOME_GROUP]: denied (no authenticated user yet),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[authz_core:debug] [pid 8565:tid 140140085245696] mod_authz_core.c(809):
    [client [APPLICATION_SERVER_IP]:35184]
    AH01626: authorization result of <RequireAny>: denied (no authenticated user yet),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(2152):
    [client [APPLICATION_SERVER_IP]:35184]
    Entering cas_authenticate(),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(682):
    [client [APPLICATION_SERVER_IP]:35184]
    Modified r->args (now ''),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(1830):
    [client [APPLICATION_SERVER_IP]:35184]
    entering getResponseFromServer(),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(610):
    [client [APPLICATION_SERVER_IP]:35184]
    CAS Service 'https%3a%2f%2f[APPLICATION_SERVER]%2f',
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f

[auth_cas:debug] [pid 8565:tid 140140085245696] mod_auth_cas.c(1910):
    [client [APPLICATION_SERVER_IP]:35184]
    Validation response: (null),
    referer: https://[CAS_SERVER]/cas/login?service=https%3a%2f%2f[APPLICATION_SERVER]%2f
==========================================

Thank you very much for your time.
-Alan
