I am having the exact same problem and have opened a ticket with our 
support vendor. I will let you know if it yields any results. -Jason

On Thursday, September 12, 2019 at 10:14:42 AM UTC-7, Sean Gottschalk wrote:
>
> Hello,
>
> I'm using CAS 6.0.4 and I'm trying to do a SAML SP integration with AWS 
> but it seems that having an attribute with name 
> "https://aws.amazon.com/SAML/Attributes/SessionDuration" causes CAS to 
> fail when redirecting to itself after the initial authentication.
>
> I've been digging into how CAS builds the SAML response and it appears 
> that the issue is related to the DefaultCasProtocolAttributeEncoder 
> <https://github.com/apereo/cas/blob/9da2aceba83bfbef57f7a856efa8656d7013a028/core/cas-server-core-services-authentication/src/main/java/org/apereo/cas/authentication/support/DefaultCasProtocolAttributeEncoder.java#L103> 
> and how it hex encodes attribute names that contain the ":" or "@" 
> character. When it encodes 
> "https://aws.amazon.com/SAML/Attributes/SessionDuration" the resulting 
> value is 
> "68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e", 
> so the resulting casServiceValidationSuccess response is as follows:
>
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:authenticationSuccess>
>         <cas:user>T9HpcKRRSSigqWVCNdViTqijyvQ=</cas:user>
>         <cas:attributes>
>             <cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>43200</cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>
>             </cas:attributes>
>     </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> However, 
> cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e 
> is not valid XML as the namespace string can only start with a letter or 
> '_'. This causes Cas20ServiceTicketValidator.extractCustomAttributes(xml) 
> to fail when it delegates to the cas-client's 
> XmlUtils.getTextForElement(response, "authenticationFailure") 
> <https://github.com/apereo/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ServiceTicketValidator.java#L165>.
>
> I'm not sure how to fix this issue as it seems like the encoding and 
> decoding of attribute names are quite decoupled. Is there something that 
> I'm missing with my configuration?
>

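Added example (not code from the thread, from CAS or from the cas-client): a small Python model of the hex encoding Sean describes, the element-name rule the encoded name violates, and the resulting parse failure on a namespace-aware client, plus a pre-flight check a deployer can run over their released attribute names. The encoder function and the NCName regex are simplified assumptions based on the description above, not CAS's implementation; the sample attribute values are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
AWS_NAME = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

def encode_attribute_name(name: str) -> str:
    """Model of the encoder behaviour described in the thread (assumption,
    not CAS code): a name containing ':' or '@' becomes the lowercase hex
    of its UTF-8 bytes; any other name passes through unchanged."""
    if ":" in name or "@" in name:
        return name.encode("utf-8").hex()
    return name

# Simplified XML NCName rule (ASCII subset): first char a letter or '_',
# then letters, digits, '_', '-' or '.'. Every ASCII byte hex-encodes to a
# string starting with a digit 0-7, so an encoded ASCII name never passes.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

def is_valid_ncname(local_name: str) -> bool:
    return _NCNAME.match(local_name) is not None

def build_service_response(user: str, attributes: dict) -> str:
    """Emit a serviceResponse shaped like the one quoted in the thread."""
    attr_xml = "".join(
        f"<cas:{encode_attribute_name(k)}>{escape(str(v))}"
        f"</cas:{encode_attribute_name(k)}>" for k, v in attributes.items())
    return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
            f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user>"
            f"<cas:attributes>{attr_xml}</cas:attributes>"
            f"</cas:authenticationSuccess></cas:serviceResponse>")

def extract_attributes(xml_text: str):
    """Parse the response with a namespace-aware parser, as a CAS client
    does. Returns {local_name: value}, or None when the document is not
    well-formed (the failure mode reported in the thread)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    attrs = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}attributes")
    if attrs is None:
        return {}
    return {child.tag.split("}", 1)[1]: child.text for child in attrs}

def unsafe_encoded_names(attributes: dict) -> list:
    """Pre-flight check for a deployer: attribute names whose encoded form
    would not be a legal element name in the CAS validation response."""
    return [k for k in attributes if not is_valid_ncname(encode_attribute_name(k))]
```

Running `unsafe_encoded_names` over the attributes released to a service before enabling the CAS protocol flow flags names like the AWS SessionDuration one ahead of time, instead of discovering them as a client-side validation failure.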
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8c54f34a-becf-4689-b61f-11db87c32f6a%40apereo.org.