Copy paste error, missed the top of the previously posted stacktrace:

determineEndpointForRequest:203, SamlIdPUtils (org.apereo.cas.support.saml)
determineEndpointForRequest:144, SamlIdPUtils (org.apereo.cas.support.saml)
buildSubject:79, SamlProfileSamlSubjectBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.subject)
build:64, SamlProfileSamlSubjectBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.subject)
build:35, SamlProfileSamlSubjectBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.subject)
invoke:-1, GeneratedMethodAccessor303 (jdk.internal.reflect)
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
invokeMethod:282, ReflectionUtils (org.springframework.util)
invoke:499, GenericScope$LockedScopedProxyFactoryBean (org.springframework.cloud.context.scope)
proceed:186, ReflectiveMethodInvocation (org.springframework.aop.framework)
invoke:212, JdkDynamicAopProxy (org.springframework.aop.framework)
build:-1, $Proxy287 (com.sun.proxy)
build:97, SamlProfileSamlAssertionBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.assertion)
build:37, SamlProfileSamlAssertionBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.assertion)
invoke:-1, GeneratedMethodAccessor303 (jdk.internal.reflect)
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
......
On Friday, January 7, 2022 at 6:09:16 PM UTC+1 Ray Bon wrote:
> Peter,
>
> You can use samltracer to see the saml being sent. You can verify the ACS.
> If the ACS in the request does not match the metadata, the unauthorized
> service error should always be thrown.
>
> It should be logged at warn, I would think.
>
> Ray
>
> On Fri, 2022-01-07 at 05:17 -0800, Peter Barnes wrote:
>
> We recently had an issue with a service provider generating errors for an
> unauthorized service that we could not identify.
> When performing SSO, if there was no established session on cas the user
> could successfully authenticate and the SSO flow would successfully
> complete for the SP. However, if there was already an established cas
> session, i.e. the user had already logged into a different SP, attempting
> SSO for the initial SP generated the unauthorized service error.
>
> In both cases the flow is SP-initiated using the exact same URL.
>
> There were no errors/warnings in the cas logs to give any indication as to
> what was at fault; it wasn't until we enabled debug logging that we found
> the following.
>
> Resolved [org.apereo.cas.support.saml.SamlException: Assertion consumer
> service [https://xxxxxxxxxxx/saml2/auth/login] cannot be located in
> metadata [[https://xxxxxxxxx/employee/saml2/post]]] to ModelAndView
> [view="casServiceErrorView";
> model={rootCauseException=org.apereo.cas.services.UnauthorizedServiceException:
> }]
>
> Using this we identified that the consumer url in the saml request did not
> match the consumer url in the metadata and we were able to work around the
> issue.
>
> What we cannot identify is
>
> 1. Why is the behavior different based on existing/new session?
> 2. Why is this not logged anywhere as an error? Using debug logging to
> find this is not practical.
>
> Cas Version: 6.3.5
> Assumed location of original error: SamlIdpUtils#207
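As an added example (not code from the thread or from CAS itself), the ACS check Ray describes: the AssertionConsumerServiceURL in the AuthnRequest is compared against the ACS endpoints registered in the SP metadata, and a mismatch is logged at WARN so it is visible without debug logging. The AuthnRequest, metadata and URLs below are constructed samples.

```python
import logging
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: an SP-initiated AuthnRequest whose ACS URL differs
# from the ACS the SP registered in its metadata (the thread's situation).
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0"
  IssueInstant="2022-01-07T13:00:00Z"
  AssertionConsumerServiceURL="https://sp.example.test/saml2/auth/login"
  ProtocolBinding="{POST_BINDING}"/>"""

# Constructed sample SP metadata with a single registered ACS endpoint.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="{POST_BINDING}"
      Location="https://sp.example.test/employee/saml2/post" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

log = logging.getLogger("saml.acs")


def registered_acs_locations(metadata_xml):
    """Collect every ACS Location the SP metadata declares, for any binding."""
    root = ET.fromstring(metadata_xml)
    return {acs.get("Location")
            for acs in root.iter(f"{{{MD}}}AssertionConsumerService")
            if acs.get("Location")}


def resolve_acs(authn_request_xml, metadata_xml):
    """Return the ACS the response may be sent to, or raise PermissionError
    when the requested ACS is not registered. The mismatch is logged at WARN
    with both URLs so operators can see it without enabling debug logging."""
    req = ET.fromstring(authn_request_xml)
    requested = req.get("AssertionConsumerServiceURL")
    allowed = registered_acs_locations(metadata_xml)
    if requested is None:
        raise ValueError("AuthnRequest carries no AssertionConsumerServiceURL")
    if requested not in allowed:
        log.warning("AuthnRequest %s asks for ACS %s, not in SP metadata %s",
                    req.get("ID"), requested, sorted(allowed))
        raise PermissionError(f"unauthorized assertion consumer service: {requested}")
    return requested


def acs_is_authorized(authn_request_xml, metadata_xml):
    """Boolean form of resolve_acs, convenient for tests and health checks."""
    try:
        resolve_acs(authn_request_xml, metadata_xml)
        return True
    except PermissionError:
        return False
```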
