Thanks for the info! We'll give that a try. I was informed this is a "known
issue" with our version of CAS, so it seems the only fix is an updated
version.

On Sat, Apr 25, 2020 at 3:07 PM Sean Gottschalk <[email protected]>
wrote:

> We upgraded our CAS version from 6.0.x to 6.1.x and it works out of the
> box with the special characters.
>
> On Friday, April 24, 2020 at 3:24:18 PM UTC-7, Jason E wrote:
>>
>> I am having the exact same problem and have opened a ticket with our
>> support vendor. I will let you know if it yields any results. -Jason
>>
>> On Thursday, September 12, 2019 at 10:14:42 AM UTC-7, Sean Gottschalk
>> wrote:
>>>
>>> Hello,
>>>
>>> I'm using CAS 6.0.4 and I'm trying to do a SAML SP integration with AWS
>>> but it seems that having an attribute with name
>>> "https://aws.amazon.com/SAML/Attributes/SessionDuration" causes CAS to
>>> fail when redirecting to itself after the initial authentication.
>>>
>>> I've been digging into how CAS builds the SAML response and it appears
>>> that the issue is related to the DefaultCasProtocolAttributeEncoder
>>> <https://github.com/apereo/cas/blob/9da2aceba83bfbef57f7a856efa8656d7013a028/core/cas-server-core-services-authentication/src/main/java/org/apereo/cas/authentication/support/DefaultCasProtocolAttributeEncoder.java#L103>
>>> and how it hex encodes attribute names that contain the ":" or "@"
>>> character. When it encodes
>>> "https://aws.amazon.com/SAML/Attributes/SessionDuration" the resulting
>>> value is
>>> "68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e",
>>> so the resulting casServiceValidationSuccess response is as follows:
>>>
>>>
>>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>>     <cas:authenticationSuccess>
>>>         <cas:user>T9HpcKRRSSigqWVCNdViTqijyvQ=</cas:user>
>>>         <cas:attributes>
>>>             <cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>43200</cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e>
>>>         </cas:attributes>
>>>     </cas:authenticationSuccess>
>>> </cas:serviceResponse>
>>>
>>> However,
>>> cas:68747470733a2f2f6177732e616d617a6f6e2e636f6d2f53414d4c2f417474726962757465732f53657373696f6e4475726174696f6e
>>> is not valid XML as the namespace string can only start with a letter or
>>> '_'. This causes Cas20ServiceTicketValidator.extractCustomAttributes(xml)
>>> to fail when it delegates to the cas-client's
>>> XmlUtils.getTextForElement(response, "authenticationFailure")
>>> <https://github.com/apereo/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ServiceTicketValidator.java#L165>.
>>>
>>> I'm not sure how to fix this issue as it seems like the encoding and
>>> decoding of attribute names are quite decoupled. Is there something that
>>> I'm missing with my configuration?
>>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/a/apereo.org/d/topic/cas-user/THs1XYKL0zI/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/05fd228a-9cfe-442f-b354-9e57071c9588%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/05fd228a-9cfe-442f-b354-9e57071c9588%40apereo.org?utm_medium=email&utm_source=footer>
> .
>


-- 
Jason Eggleston, M.A.
Lead Application Analyst
Pepperdine University
Information Technology
310-506-4341
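
The failure described in the quoted report can be reproduced outside CAS. The sketch below is an added example, not part of the thread and not CAS or java-cas-client code: it hex-encodes attribute names containing ":" or "@" as the report describes, emits them as `cas:` elements, and shows that a namespace-aware parser rejects the result because the part after the prefix starts with a digit. The function names, the `sample-user` value and the `mail` attribute are constructed for illustration.

```python
import binascii
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Attribute name taken from the thread; the values used with it are constructed samples.
ATTR_NAME = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# ASCII subset of the namespace-aware XML rule for the part after "cas:":
# first character a letter or '_', then letters, digits, '.', '-' or '_'.
LOCAL_NAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*\Z")

def hex_encode_name(name):
    """Hex-encode names containing ':' or '@', as the thread describes."""
    if ":" in name or "@" in name:
        return binascii.hexlify(name.encode("utf-8")).decode("ascii")
    return name

def build_response(attrs):
    """Build a validation-success document shaped like the one in the thread."""
    items = "".join(
        "<cas:{0}>{1}</cas:{0}>".format(hex_encode_name(k), escape(str(v)))
        for k, v in attrs.items()
    )
    return (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        "<cas:authenticationSuccess><cas:user>sample-user</cas:user>"
        "<cas:attributes>" + items + "</cas:attributes>"
        "</cas:authenticationSuccess></cas:serviceResponse>"
    )

def parses(xml_text):
    """True if a namespace-aware parser accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def unsafe_element_names(attrs):
    """Encoded attribute names that cannot serve as XML element names."""
    names = [hex_encode_name(k) for k in attrs]
    return [n for n in names if not LOCAL_NAME_ASCII.match(n)]

if __name__ == "__main__":
    sample = {ATTR_NAME: "43200", "mail": "user@example.org"}
    print("unsafe names:", unsafe_element_names(sample))
    print("parses:", parses(build_response(sample)))
```

Running `unsafe_element_names` over a service's released attribute names before deployment flags any name that would break ticket validation in this way.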
