I am having a very similar (if not the same) problem as what Thai had 
posted and was hoping for some help.

My setup:

   - CAS 6.1.2
   - CAS setup as SP
   - Azure AD is IdP
   - Application service configuration in CAS:
      - SSO is disabled (users are forced to re-auth when they log out of My 
      App)
      - Auth flow:
         - My App --> CAS --> Azure AD --> CAS --> My App

Problem:

   - RelayState in the SAML request is not always the same. Sometimes it is the 
   Assertion Consumer Service (ACS) url, sometimes it is a Transient Session 
   Ticket (TST). I could only find one reference to TST in the docs, here: 
   https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#transient-session-tickets-behavior
   - When RelayState is ACS url, SAML response to CAS fails because of 
   "application not authorized"
   - When RelayState is TST, SAML response to CAS succeeds and CAS 
   correctly redirects to My App
   - Conditions:
      - CAS session cookie not set or expired
         - User accesses My App --> CAS --> Azure AD --> CAS fails to process 
         SAML response --> CAS displays "Application Not Authorized to Use CAS" 
         error page --> CAS session cookie is set
      - CAS session cookie is set
         - User accesses My App --> CAS --> Azure AD --> CAS processes SAML 
         response --> CAS redirects user to My App

From my testing, it appears that the RelayState is set to the ACS url when 
there is no existing CAS session (user hitting CAS for the first time or 
user logs out of CAS). The SAML request to Azure AD looks something like:

https://login.microsoftonline.com/f8f35f5d-1f7b-4427-90f7-f4565c5177aa/saml2?SAMLRequest=hVLLbtswELz3KwReCz0oS5ZMWDLUB...opHyP7Xahv9qK8%2FP970t%2FwA%3D&RelayState=https%3A%2F%2Fexample.com%3A8081%2Fcas%2Flogin%3Fclient_name%3DMicrosoft%2BAccount

When there is an existing CAS session, the RelayState is the TST and the 
SAML request looks something like:

https://login.microsoftonline.com/f8f35f5d-1f7b-4427-90f7-f4565c5177aa/saml2?SAMLRequest=hVLLbtswELz3KwReCz0tRRJhyVAbBDWQtEas9NBLQF...6nV1v9XW3l%2Bvu9t%2BQc%3D&RelayState=TST-2-67ODXnlOu4PBmS3PMeEdZcbbAvnw5nkV

I can log in using different AD users and everything works fine. It's only 
when I delete the session cookie set by CAS that it fails and reverts back to 
the RelayState being the ACS url.

Debug log when RelayState is ACS url:

tomcat_sandbox1 | 2019-12-11 00:02:53,348 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Building URL to redirect client to>
tomcat_sandbox1 | 2019-12-11 00:02:53,349 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Determined final redirect action for client [#SAML2Client# | name: Microsoft Account | callbackUrl: https://example.com:8081/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@24b485e | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@7c75b203 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@2309065f | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@4ff985a6 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@17282dbf | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@461c60f3 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@60c19035 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@2dccbd91 | authorizationGenerators: [] |] as [#HttpAction# | code: 302 |]>
tomcat_sandbox1 | 2019-12-11 00:02:53,349 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [Microsoft Account] to [https://login.microsoftonline.com/f8f35f5d-1f7b-4427-90f7-f4565c5177aa/saml2?SAMLRequest=hVLLbtswELz3KwReCz0oS5ZMWDLUB...opHyP7Xahv9qK8%2FP970t%2FwA%3D&RelayState=https%3A%2F%2Fexample.com%3A8081%2Fcas%2Flogin%3Fclient_name%3DMicrosoft%2BAccount] based on identifier [TST-17-QGT8LfgkBi3VsxEvwN42Y0nJKM8bFc4F]>
tomcat_sandbox1 | 2019-12-11 00:03:00,218 DEBUG [org.apereo.cas.services.AbstractServicesManager] - <Adding registered service [https://example.com:8081/app\?client_name=CasClient] with name [My App] and internal identifier [8081]>
tomcat_sandbox1 | 2019-12-11 00:03:00,218 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
tomcat_sandbox1 | 2019-12-11 00:03:10,094 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
tomcat_sandbox1 | 2019-12-11 00:03:10,094 DEBUG [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>
tomcat_sandbox1 | 2019-12-11 00:04:00,221 DEBUG [org.apereo.cas.services.AbstractServicesManager] - <Adding registered service [https://example.com:8081/app\?client_name=CasClient] with name [My App] and internal identifier [8081]>
tomcat_sandbox1 | 2019-12-11 00:04:00,221 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
tomcat_sandbox1 | 2019-12-11 00:04:32,742 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>
tomcat_sandbox1 | 2019-12-11 00:04:32,742 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [Optional[https://example.com:8081/cas/login?client_name=Microsoft+Account]]>
tomcat_sandbox1 | 2019-12-11 00:04:32,743 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://example.com:8081/cas/login?client_name=Microsoft+Account]>
tomcat_sandbox1 | 2019-12-11 00:04:32,742 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket [https://example.com:8081/cas/login?client_name=Microsoft+Account] could not be found>


Debug log when RelayState is TST:

tomcat_sandbox1 | 2019-12-11 00:04:47,247 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Building URL to redirect client to>
tomcat_sandbox1 | 2019-12-11 00:04:47,247 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Determined final redirect action for client [#SAML2Client# | name: Microsoft Account | callbackUrl: https://example.com:8081/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@24b485e | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@7c75b203 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@2309065f | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@4ff985a6 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@17282dbf | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@461c60f3 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@60c19035 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@2dccbd91 | authorizationGenerators: [] |] as [#HttpAction# | code: 302 |]>
tomcat_sandbox1 | 2019-12-11 00:04:47,248 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [Microsoft Account] to [https://login.microsoftonline.com/f8f35f5d-1f7b-4427-90f7-f4565c5177aa/saml2?SAMLRequest=hVLLbtswELz3KwReCz0tRRJhyVAbBDWQtEas9NBLQF...6nV1v9XW3l%2Bvu9t%2BQc%3D&RelayState=TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO] based on identifier [TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO]>
tomcat_sandbox1 | 2019-12-11 00:04:47,722 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>
tomcat_sandbox1 | 2019-12-11 00:04:47,722 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [Optional[TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO]]>
tomcat_sandbox1 | 2019-12-11 00:04:47,722 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier as [TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO]>
tomcat_sandbox1 | 2019-12-11 00:04:47,722 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Removing delegated client identifier [TST-18-wFsg-mhj51LmwtQ9t5hEghvgEGCtbfhO] from registry>


Any help will be appreciated. Thanks.


On Thursday, March 29, 2018 at 5:44:57 PM UTC-4, thai.q.nguyen wrote:
>
> Hi, community
>
> We are using CAS as an SP (using pac4j) and delegating the authentication 
> to an IdP.
> We have this configured: cas.authn.pac4j.autoRedirect=true
> so the flow will not stop at the CAS login page.
> We are using CAS 5.1.8
>
> So the flow is:
> A user clicked a CAS client, redirected to CAS, redirected to IdP for 
> login.
> After successfully logging in to the IdP, the user (should be) redirected to 
> the CAS client.
>
> We have it working but randomly the user ends up at the CAS successful 
> login page (which confuses the user).
>
> CAS redirected the user to send an AuthnRequest to IdP:
> <saml2p:AuthnRequest AssertionConsumerServiceURL="https://my.edu/cas/login?client_name=SAML2Client"
>                      Destination="https://my.edu/sso/SSORedirect/metaAlias/usfca-sb/idp"
>                      ForceAuthn="false"
>                      ID="_fv6mluvdxnozugdvd9fielq8xpjiuf87bujvcep"
>                      IsPassive="false"
>                      IssueInstant="2018-03-29T19:46:56.082Z"
>                      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                      ProviderName="pac4j-saml"
>                      Version="2.0"
>                      xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://my.edu/cas-sp</saml2:Issuer>
> </saml2p:AuthnRequest>
>  
> with a RelayState: https://my.edu/cas/login?client_name=SAML2Client (same 
> as ACS)
>
> IdP redirected the user (browser) to POST an AuthnResponse back to CAS at 
> https://my.edu/cas/login?client_name=SAML2Client (ACS)
>
> at this point: 
>
>    1. sometimes the browser received a 302 response code with Location: 
>    CAS-Client/apps/?ticket=ST-30-FOAfm3AOLbQLshnIdyZd-ip-10-255-0-10, 
>    therefore the CAS client validates the ticket with CAS server and ends up 
>    with the CAS client landing page.
>    2. sometimes the browser received a 200 response code and therefore 
>    stays at this URL https://my.edu/cas/login?client_name=SAML2Client and 
>    displays the CAS successful login page, which we don't want. Reading further 
>    I found that, at this point, the CAS client hadn't established an SSO session yet.
>
> Any help and/or pointer is appreciated 
>
> Thanks in advance,
>
> Thai Nguyen
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9a4236fe-f4a7-46a0-9365-964e3a3cc3da%40apereo.org.
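The two RelayState shapes from the first post above (a TST identifier that CAS can look up, versus the ACS/callback url that it cannot), as an added example that is not part of either post and is not CAS or pac4j code. It is a minimal model of the callback-side lookup the debug log shows: explicit client identifier parameter first, then RelayState, which must resolve to a server-side ticket that is consumed on first use. The TicketRegistry class, the "TST-" prefix check, the resolve_client_identifier and run_flow functions, the tenant placeholder in the IdP url and the AuthnRequest are all assumptions constructed for the example. The security point it encodes: RelayState is echoed back unauthenticated by the IdP, so it is only ever an opaque key into server-side state, never a redirect target.

```python
"""
Added example (not CAS or pac4j code): a minimal model of how a SAML SP ties
the SAMLResponse that comes back from the IdP to the request that started the
flow, built to reproduce the two RelayState shapes seen in the thread.

Assumptions, modelled on the log lines rather than taken from CAS source:
  - a "TST-<n>-<random>" ticket is minted before the redirect to the IdP and
    its identifier is carried in RelayState (the working case in the thread);
  - the callback resolves the client by an explicit request parameter first and
    falls back to RelayState, the two lookups the debug log shows;
  - RelayState is attacker-controllable (the IdP echoes whatever it received),
    so it is only ever used as an opaque key into server-side state, never as
    a redirect target.
The ticket registry, URLs and AuthnRequest below are constructed for the example.
"""
import base64
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-ins for the callback/ACS and IdP SSO URLs quoted in the thread.
CALLBACK_URL = "https://example.com:8081/cas/login?client_name=Microsoft+Account"
IDP_SSO_URL = "https://login.microsoftonline.com/tenant-id/saml2"

# Constructed AuthnRequest with the same shape as the one quoted in the thread.
AUTHN_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'AssertionConsumerServiceURL="{CALLBACK_URL}" Version="2.0" ID="_example">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://example.com:8081/cas</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)


class TicketRegistry:
    """In-memory stand-in for the CAS ticket registry (assumption, not CAS code)."""

    def __init__(self):
        self._tickets = {}
        self._counter = 0

    def create_tst(self, client_name, service_url):
        """Mint a transient ticket that remembers which client and service started the flow."""
        self._counter += 1
        tid = f"TST-{self._counter}-{secrets.token_urlsafe(24)}"
        self._tickets[tid] = {"client": client_name, "service": service_url}
        return tid

    def pop(self, tid):
        """Consume a ticket. Single use: a replayed RelayState finds nothing."""
        return self._tickets.pop(tid, None)


def build_redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode SAMLRequest and RelayState."""
    compressor = zlib.compressobj(wbits=-15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode()
    query = urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_url(url):
    """Inverse of build_redirect_url; what the IdP sees when the browser arrives."""
    params = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), wbits=-15).decode()
    return xml, params.get("RelayState", [None])[0]


def resolve_client_identifier(registry, request_params, relay_state):
    """
    Callback-side lookup: explicit client identifier parameter first, then
    RelayState. Returns the ticket payload, or None when no ticket matches.
    A RelayState that is a URL (the ACS url case in the thread) is not a ticket
    and must fail here rather than be trusted.
    """
    candidate = request_params.get("client_id") or relay_state
    if not candidate or not candidate.startswith("TST-"):
        return None
    return registry.pop(candidate)


def run_flow(relay_state_mode):
    """Simulate one round trip. relay_state_mode is "tst" (working) or "acs_url" (failing)."""
    registry = TicketRegistry()
    tst = registry.create_tst("Microsoft Account", "https://example.com:8081/app")
    relay_state = tst if relay_state_mode == "tst" else CALLBACK_URL
    redirect_url = build_redirect_url(AUTHN_REQUEST, relay_state)
    # The IdP authenticates the user and POSTs the SAMLResponse to the ACS,
    # echoing RelayState unchanged; only RelayState matters for the lookup.
    _, echoed_relay_state = decode_redirect_url(redirect_url)
    located = resolve_client_identifier(registry, {}, echoed_relay_state)
    # A second attempt with the same RelayState must find nothing (ticket consumed).
    replay = registry.pop(echoed_relay_state)
    return {"relay_state": echoed_relay_state, "located": located, "replay": replay}


if __name__ == "__main__":
    for mode in ("tst", "acs_url"):
        result = run_flow(mode)
        print(mode, "->", "redirect to service" if result["located"] else "client identifier not found")
```

Running it prints "redirect to service" for the TST case and "client identifier not found" for the ACS-url case, the same split the thread reports. The single-use pop is deliberate: once the callback has consumed the ticket, a replayed SAMLResponse carrying the same RelayState cannot be tied to any pending login.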
