Hi,

This issue isn't fixed in version 6.0.5.1, and "SAML2 authn" seems to be broken in version 6.1.0-RC6 (when I test it, there is an exception with opensaml-4.5 that interrupts the authn process).

Where is the patch in the master branch for the exception "org.xml.sax.SAXParseException: Element or attribute do not match QName production: QName::=(NCName':')?NCName." (when CAS uses "urn:oid:..." attribute names)? Can it be backported to the current CAS release (6.0.x)?

Generally, friendly-name configuration on the CAS IdP doesn't seem to work very well; so how can we configure the CAS server to produce the assertions (required by federations) described in an AttributeConsumingService? See https://apereo.github.io/cas/6.0.x/installation/Configuring-SAML2-Attribute-Release.html#requested-attributes-filter

When an SP says this in its metadata:

    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"></md:RequestedAttribute>
    </md:AttributeConsumingService>

the CAS IdP will produce assertions in the response like this:

    <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>[email protected]</saml2:AttributeValue>
    </saml2:Attribute>

not this:

    <saml2:Attribute FriendlyName="mail" Name="mail"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>[email protected]</saml2:AttributeValue>
    </saml2:Attribute>

and not this:

    <saml2:Attribute FriendlyName="urn:oid:0.9.2342.19200300.100.1.3" Name="mail"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>[email protected]</saml2:AttributeValue>
    </saml2:Attribute>

Best regards,
Ludovic Auxepaules

PS: this is the exception with SAML on CAS version 6.1.0-RC6:

    ERROR [org.apache.velocity] - <ResourceManager : unable to find resource '/templates/saml2-post-binding.vm' in any resource loader.>
    ERROR [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder] - <Error invoking Velocity template>
    org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource '/templates/saml2-post-binding.vm'
        at org.apache.velocity.runtime.resource.ResourceManagerImpl.loadResource(ResourceManagerImpl.java:474) ~[velocity-1.7.jar:1.7]
        at org.apache.velocity.runtime.resource.ResourceManagerImpl.getResource(ResourceManagerImpl.java:352) ~[velocity-1.7.jar:1.7]
        at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1533) ~[velocity-1.7.jar:1.7]
        at org.apache.velocity.app.VelocityEngine.mergeTemplate(VelocityEngine.java:343) ~[velocity-1.7.jar:1.7]
        at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.postEncode(HTTPPostEncoder.java:172) ~[opensaml-saml-impl-3.4.5.jar:?]
        at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.doEncode(HTTPPostEncoder.java:146) ~[opensaml-saml-impl-3.4.5.jar:?]
        at org.opensaml.messaging.encoder.AbstractMessageEncoder.encode(AbstractMessageEncoder.java:53) ~[opensaml-messaging-api-3.4.5.jar:?]
        at org.opensaml.messaging.encoder.servlet.BaseHttpServletResponseXMLMessageEncoder.encode(BaseHttpServletResponseXMLMessageEncoder.java:50) ~[opensaml-messaging-api-3.4.5.jar:?]
        at org.apereo.cas.support.saml.web.idp.profile.builders.enc.encoder.BaseHttpServletAwareSamlObjectEncoder.finalizeEncode(BaseHttpServletAwareSamlObjectEncoder.java:102) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.enc.encoder.BaseHttpServletAwareSamlObjectEncoder.encode(BaseHttpServletAwareSamlObjectEncoder.java:63) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder.encode(SamlProfileSaml2ResponseBuilder.java:130) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder.encode(SamlProfileSaml2ResponseBuilder.java:37) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.BaseSamlProfileSamlResponseBuilder.encodeFinalResponse(BaseSamlProfileSamlResponseBuilder.java:97) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.BaseSamlProfileSamlResponseBuilder.build(BaseSamlProfileSamlResponseBuilder.java:63) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.apereo.cas.support.saml.web.idp.profile.builders.response.BaseSamlProfileSamlResponseBuilder$$FastClassBySpringCGLIB$$f1322d9c.invoke(<generated>) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar:6.1.0-RC6]
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:769) ~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]

On Thursday, 8 August 2019 at 17:36:03 UTC+2, Dmitriy Kopylenko wrote:
>
> Just confirmed - fixed in 6.1.0-RC4
>
> Best,
> D.
>
> From: Josh G <[email protected]>
> Reply: [email protected]
> Date: July 31, 2019 at 11:10:11 AM
> To: CAS Community <[email protected]>
> Subject: [cas-user] Re: [CAS 6.0] Attribute Mappings to SAML Identifiers Broken in CAS 6.0
>
> Has anyone else experienced this issue? This is holding up our CAS 6.0 deployment.
>
> Additional context: we're running our environment in Docker with the following dependencies:
>
>     compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-saml-googleapps:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
>     compile group: 'net.unicon.iam', name: 'duo-client', version: '0.2.2'
>     compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"
>
> CAS Splash
>
>     CAS Version: 6.0.4
>     CAS Commit Id: 0f37f54d06b9a43523fdecd5bc3a8a0f31c407eb
>     CAS Build Date/Time: 2019-07-25T19:42:36Z
>     Spring Boot Version: 2.1.2.RELEASE
>     Spring Version: 5.1.3.RELEASE
>     Java Home: /opt/java/openjdk
>     Java Vendor: AdoptOpenJDK
>     Java Version: 11.0.3
>     JVM Free Memory: 148 MB
>     JVM Maximum Memory: 2 GB
>     JVM Total Memory: 261 MB
>     JCE Installed: Yes
>     Node Version: N/A
>     NPM Version: N/A
>     OS Architecture: amd64
>     OS Name: Linux
>     OS Version: 3.10.0-957.el7.x86_64
>     OS Date/Time: 2019-07-25T19:43:19.511687
>     OS Temp Directory: /tmp
>     ------------------------------------------------------------
>     Apache Tomcat Version: Apache Tomcat/9.0.20
>     ------------------------------------------------------------
>
> On Friday, July 26, 2019 at 2:25:33 PM UTC, Josh G wrote:
>>
>> Attribute Mappings to SAML Identifiers (e.g. urn:oid:2.5.4.42) is broken in CAS 6.0.
>>
>> In CAS 5.2 (and earlier releases of CAS 5.x) it was possible to map an attribute to a SAML-compatible URI by leveraging the attributeReleasePolicy within a service definition.
>>
>> A working (CAS 5.2) example is outlined below:
>>
>> Here is a snippet of an HJSON entry for a SAML service:
>>
>>     attributeReleasePolicy : {
>>       @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>>       allowedAttributes : {
>>         @class : java.util.TreeMap
>>         sn : "urn:oid:2.5.4.4"
>>         givenName : "urn:oid:2.5.4.42"
>>         displayName : "urn:oid:2.16.840.1.113730.3.1.241"
>>         eduPersonPrincipalName : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
>>         sAMAccountName : "urn:oid:1.2.840.113556.1.4.221"
>>       }
>>     }
>>
>> Here is a snippet of a single attribute from a working response (CAS 5.2):
>>
>>     <saml2:Attribute FriendlyName="urn:oid:0.9.2342.19200300.100.1.3"
>>         Name="urn:oid:0.9.2342.19200300.100.1.3"
>>         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>       <saml2:AttributeValue>EMAIL_ADDRESS_HERE</saml2:AttributeValue>
>>     </saml2:Attribute>
>>
>> The FriendlyName / Name values are mapped to the same value in CAS 5.2 and below, but this was a limitation of CAS at the time which appears to be addressed in CAS 6.0.
>>
>> The above functionality is not working as expected, nor do any of my workarounds seem to work either.
>>
>> If the exact attributeReleasePolicy is run in CAS 6.0, it appears to mangle the Principal ID of the response; CAS returns the following:
>>
>>     Error: No principal was found in the response from the CAS server.
>>
>> The dump provided on the CAS login page is available here: https://pastebin.com/raw/Ur3Ce5UN
>>
>> However, if we look through the server logs a bit more, the following error message appears:
>>
>>     2019-07-25 17:34:19,491 ERROR [org.jasig.cas.client.util.XmlUtils] - <Element or attribute do not match QName production: QName::=(NCName':')?NCName.>
>>     org.xml.sax.SAXParseException: Element or attribute do not match QName production: QName::=(NCName':')?NCName.
>>
>> It appears that CAS is attempting to validate the attribute mappings in the attributeReleasePolicy and is failing on the colon (:).
>>
>> If I remove the colons and periods from the above attributeReleasePolicy (for testing purposes only), the login goes through as expected and the SAML response looks as expected (sans the missing colons and periods):
>>
>>     <saml2:Attribute FriendlyName="urnoid25442"
>>         Name="urnoid25442"
>>         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>       <saml2:AttributeValue>FIRST_NAME_HERE</saml2:AttributeValue>
>>     </saml2:Attribute>
>>
>> I've tried a variety of workarounds for this, but none has been successful (same error messages, same behaviors).
>>
>> The latest attempt involves feeding the released attributes to their respective urn:oid values, explicitly stating the urn:oid values are uri-formatted attributes, and mapping the urn:oid values to their friendly-name counterparts.
>>
>> This results in the same error as above:
>>
>>     attributeReleasePolicy : {
>>       @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>>       allowedAttributes : {
>>         @class : java.util.TreeMap
>>         "urn:oid:2.5.4.4" : "groovy { return attributes['sn'].get(0) }"
>>         "urn:oid:2.5.4.42" : "groovy { return attributes['givenName'].get(0) }"
>>         "urn:oid:2.16.840.1.113730.3.1.241" : "groovy { return attributes['displayName'].get(0) }"
>>       }
>>     }
>>
>>     attributeNameFormats : {
>>       @class : java.util.HashMap
>>       "urn:oid:2.5.4.4" : uri
>>       "urn:oid:2.5.4.42" : uri
>>       "urn:oid:2.16.840.1.113730.3.1.241" : uri
>>     }
>>
>>     attributeFriendlyNames : {
>>       @class : java.util.HashMap
>>       "urn:oid:2.5.4.4" : sn
>>       "urn:oid:2.5.4.42" : givenName
>>       "urn:oid:2.16.840.1.113730.3.1.241" : displayName
>>     }
>>
>> This seems to be a pretty significant bug, unless I am (hopefully!) missing something obvious.
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1d468c44-ea0d-4c9c-94e1-e288a13d3b8b%40apereo.org.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a429e39c-c274-4584-9ddb-0680bc8f9e5b%40apereo.org.
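The checker below is an added example for this thread, not CAS project code, and uses no CAS API. It rests on two facts a deployer can verify independently: an SP matches released attributes on Name and NameFormat (FriendlyName is informational), so the swapped form discussed above is an attribute the SP never asked for; and a CAS protocol 3.0 validation response serialises each attribute as a <cas:NAME> element, so a release-policy key such as urn:oid:2.5.4.4 cannot form a well-formed QName (more than one colon, and NCName forbids ':'), which is consistent with the SAXParseException quoted from org.jasig.cas.client.util.XmlUtils. The SP metadata and assertion fragments are constructed samples modelled on the snippets in the thread; the function names and the entityID are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# ASCII simplification of the XML NCName production: no colon, no leading digit.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def is_valid_qname(name):
    """QName ::= (NCName ':')? NCName: at most one colon, both halves NCNames."""
    parts = name.split(":")
    return len(parts) <= 2 and all(NCNAME_RE.match(p) for p in parts)


def cas_protocol_unsafe_names(attribute_names):
    """Attribute names that cannot become a <cas:NAME> element in a CAS protocol 3.0
    validation response; "urn:oid:2.5.4.4" would yield <cas:urn:oid:2.5.4.4>."""
    return [n for n in attribute_names if not is_valid_qname("cas:" + n)]


def requested_attributes(sp_metadata_xml):
    """Name -> {friendly, format, required} from the SP's md:RequestedAttribute list."""
    root = ET.fromstring(sp_metadata_xml)
    return {
        ra.get("Name"): {
            "friendly": ra.get("FriendlyName"),
            "format": ra.get("NameFormat"),
            "required": ra.get("isRequired") == "true",
        }
        for ra in root.iterfind(".//md:RequestedAttribute", NS)
    }


def issued_attributes(assertion_xml):
    """Name -> {friendly, format} from the saml2:Attribute elements the IdP emitted."""
    root = ET.fromstring(assertion_xml)
    return {
        a.get("Name"): {"friendly": a.get("FriendlyName"), "format": a.get("NameFormat")}
        for a in root.iterfind(".//saml2:Attribute", NS)
    }


def check_release(requested, issued):
    """Compare what the SP asked for with what was issued. The SP matches on Name
    and NameFormat, so those mismatches are errors; FriendlyName is advisory."""
    findings = []
    for name, want in requested.items():
        got = issued.get(name)
        if got is None:
            level = "ERROR" if want["required"] else "WARN"
            findings.append(f"{level}: {name} requested by SP but absent from assertion")
            continue
        if want["format"] and got["format"] != want["format"]:
            findings.append(f"ERROR: {name} NameFormat {got['format']} != {want['format']}")
        if want["friendly"] and got["friendly"] != want["friendly"]:
            findings.append(f"WARN: {name} FriendlyName {got['friendly']!r} != {want['friendly']!r}")
    return findings


# Constructed sample SP metadata, modelled on the AttributeConsumingService in the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragments: the form the SP expects, and the swapped form
# from the thread where the OID ended up in FriendlyName instead of Name.
GOOD_ASSERTION = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>alice@example.org</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

SWAPPED_ASSERTION = GOOD_ASSERTION.replace(
    'FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"',
    'FriendlyName="urn:oid:0.9.2342.19200300.100.1.3" Name="mail"')


if __name__ == "__main__":
    wanted = requested_attributes(SP_METADATA)
    print("expected form:", check_release(wanted, issued_attributes(GOOD_ASSERTION)))
    print("swapped form: ", check_release(wanted, issued_attributes(SWAPPED_ASSERTION)))
    print("unsafe as CAS-protocol tags:",
          cas_protocol_unsafe_names(["sn", "urn:oid:2.5.4.4", "mail"]))
```

Run it against a decoded SAMLResponse from the browser (the saml2:AttributeStatement) and the SP's published metadata; an ERROR on a required attribute is what the SP will reject, while a FriendlyName warning only affects display. The last line reproduces why the `urn:oid:...` keys from the release policy cannot survive a CAS protocol round trip even though they are valid SAML attribute names.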
