When upgrading CAS from 6.1.7.2 to 6.2.0, we noticed that the flow stopped working on the local server. After some investigation, it turned out to be happening only locally (where we are using HTTP) and only on Chrome, while it was working on Firefox. The problem does not occur in our other environments where HTTPS is used.
*Details about the flow:* CAS is used as an IdP that authenticates users based on the provided JWT, generates a SAML request, and in the end redirects to the third party. The following endpoints are used:

- /login?service=CAS_HOST%2Fidp%2Fprofile%2FSAML2%2FUnsolicited%2FSSO%3FproviderId%3DSERVICE_PROVIDER_ID%3Ftarget%3DEXTERNAL_URL_OR_PATH&token=JWT_TOKEN
- /idp/profile/SAML2/Unsolicited/SSO?providerId=SERVICE_PROVIDER_ID&target=EXTERNAL_URL_OR_PATH&ticket=TICKET
- /login?service=CAS_HOST/idp/profile/SAML2/Callback?entityId=SERVICE_PROVIDER_ID&SAMLRequest=SAML_REQUEST&RelayState
- /idp/profile/SAML2/Callback?entityId=SERVICE_PROVIDER_ID&SAMLRequest=SAML_REQUEST&RelayState=EXTERNAL_URL_OR_PATH&ticket=TICKET

In Chrome the second-to-last endpoint (/login) returns an error (the login page is shown) instead of redirecting to the last endpoint (/idp/profile/SAML2/Callback). The logs do not help much; they just seem to drop at some point. It looks like the ticket retrieval is missing, and as the problem occurs only on Chrome, it may somehow be connected to the cookies.

*Configuration details:*

- cas.properties (some irrelevant properties are removed):

    # This is required to deploy behind a proxy: https://apereo.github.io/2018/01/05/cas-deployment-with-proxy/
    server.port=8080
    server.ssl.enabled=false
    server.servlet.context-path=/
    cas.server.prefix=${cas.server.name}
    cas.server.scope=${cas.server.name}
    cas.server.tomcat.http.enabled=false
    cas.server.tomcat.httpProxy.enabled=true
    cas.server.tomcat.httpProxy.secure=true
    cas.server.tomcat.httpProxy.scheme=https
    cas.server.tomcat.httpProxy.proxyPort=443
    cas.server.tomcat.httpProxy.protocol=HTTP/1.1
    cas.authn.accept.users=
    cas.authn.samlIdp.entityId=${cas.server.name}/idp
    cas.ticket.registry.jpa.driverClass=org.postgresql.Driver
    cas.ticket.registry.jpa.dialect=org.hibernate.dialect.PostgreSQLDialect
    # Tickets/Session TTL configuration
    cas.ticket.tgt.timeToKillInSeconds=300
    cas.ticket.tgt.maxTimeToLiveInSeconds=300
    cas.ticket.tgt.rememberMe.enabled=false
    cas.tgc.crypto.enabled=true
    cas.ticket.registry.jpa.crypto.enabled=true
    cas.webflow.crypto.enabled=true

- Locally some configuration is overridden:

    CAS_TGC_SECURE=false
    CAS_SERVER_TOMCAT_HTTPPROXY_SECURE=false
    CAS_SERVER_TOMCAT_HTTPPROXY_SCHEME=http
    CAS_SERVER_TOMCAT_HTTPPROXY_PROXYPORT=80

- JWT service definition:

    {
      "@class": "org.apereo.cas.services.RegexRegisteredService",
      "serviceId": "CAS_HOST/.*",
      "name": "JWT",
      "id": 1,
      "properties": {
        "@class": "java.util.HashMap",
        "jwtSigningSecret": {
          "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
          "values": [ "java.util.HashSet", [ "KEY" ] ]
        },
        "jwtSigningSecretAlg": {
          "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
          "values": [ "java.util.HashSet", [ "HS512" ] ]
        },
        "jwtSecretsAreBase64Encoded": {
          "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
          "values": [ "java.util.HashSet", [ "false" ] ]
        }
      }
    }

--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/57e9b60c-4328-4e40-b43b-f60842530a6fn%40apereo.org.
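As an added example (not part of the original post and not CAS code), a small check of the cookie hypothesis above: it parses a Set-Cookie header such as the one carrying the TGC and reports attribute combinations that a Chrome 80+ browser refuses to store or resend for the scheme the response arrived on. The sample header values are constructed, and the rules encoded are assumptions about browser behaviour (Secure cookies only over https, SameSite=None requires Secure, missing SameSite defaults to Lax).

```python
from http.cookies import SimpleCookie  # 'samesite' attribute needs Python 3.8+

# Constructed sample headers (not captured from the poster's deployment):
# a TGC as it might be issued behind the HTTPS proxy and by the local HTTP setup.
SAMPLE_HEADERS = {
    "proxied-https": "TGC=eyJ.constructed.value; Path=/; Secure; HttpOnly; SameSite=None",
    "local-http": "TGC=eyJ.constructed.value; Path=/; HttpOnly; SameSite=None",
}


def lint_set_cookie(header: str, scheme: str) -> list:
    """Return the reasons (possibly none) a Chrome-like browser would not keep
    or resend the cookie described by one Set-Cookie header value, given the
    scheme ("http" or "https") of the response that set it.

    Entries prefixed "error:" mean the cookie is dropped outright; entries
    prefixed "note:" flag defaults worth knowing about in a redirect flow.
    """
    jar = SimpleCookie()
    jar.load(header)
    problems = []
    for name, morsel in jar.items():
        secure = bool(morsel["secure"])
        samesite = (morsel["samesite"] or "").lower()
        if secure and scheme != "https":
            # Assumed rule: Secure cookies are only stored from, and sent to,
            # https origins, so a plain-http local server never sees them.
            problems.append(f"error: {name} has Secure but was set over {scheme}; "
                            "it is neither stored nor sent on plain HTTP")
        if samesite == "none" and not secure:
            # Assumed rule: since Chrome 80, SameSite=None without Secure is rejected.
            problems.append(f"error: {name} has SameSite=None without Secure; "
                            "Chrome 80+ rejects the cookie")
        if not samesite:
            # Assumed rule: Chrome 80+ treats a missing SameSite as Lax, which is
            # sent on top-level GET redirects but not on cross-site POSTs.
            problems.append(f"note: {name} has no SameSite; Chrome defaults to Lax")
    return problems


def lint_all(headers: dict, scheme: str) -> dict:
    """Run lint_set_cookie over a mapping of label -> Set-Cookie value."""
    return {label: lint_set_cookie(value, scheme) for label, value in headers.items()}


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, lint_set_cookie(value, label.split("-")[1]))
```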
