We identified why the behavior is different for new vs existing sessions. There was a bug fixed in 6.3.7:
correct filtering of authn extension attributes to · apereo/cas@c8811dd · GitHub <https://github.com/apereo/cas/commit/c8811dd5fc50e6cea1801f00a10d703b9776eee1#diff-6aac21e62f9409d7bf11f54e00f80f823aacb030a768452724fbc47883d9ab8e>

This just leaves the issue of the error being suppressed and not logged without enabling debug. Is there an official way of creating issue reports within the project?

On Monday, January 10, 2022 at 6:51:45 PM UTC+1 Peter Barnes wrote:
> Copy paste error, missed the top of the previously posted stacktrace
>
> determineEndpointForRequest:203, SamlIdPUtils (org.apereo.cas.support.saml)
> determineEndpointForRequest:144, SamlIdPUtils (org.apereo.cas.support.saml)
> buildSubject:79, SamlProfileSamlSubjectBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.subject)
> build:64, SamlProfileSamlSubjectBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.subject)
> build:35, SamlProfileSamlSubjectBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.subject)
> invoke:-1, GeneratedMethodAccessor303 (jdk.internal.reflect)
> invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
> invoke:566, Method (java.lang.reflect)
> invokeMethod:282, ReflectionUtils (org.springframework.util)
> invoke:499, GenericScope$LockedScopedProxyFactoryBean (org.springframework.cloud.context.scope)
> proceed:186, ReflectiveMethodInvocation (org.springframework.aop.framework)
> invoke:212, JdkDynamicAopProxy (org.springframework.aop.framework)
> build:-1, $Proxy287 (com.sun.proxy)
> build:97, SamlProfileSamlAssertionBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.assertion)
> build:37, SamlProfileSamlAssertionBuilder (org.apereo.cas.support.saml.web.idp.profile.builders.assertion)
> invoke:-1, GeneratedMethodAccessor303 (jdk.internal.reflect)
> invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
> invoke:566, Method (java.lang.reflect)
> ......
>
> On Friday, January 7, 2022 at 6:09:16 PM UTC+1 Ray Bon wrote:
>> Peter,
>>
>> You can use samltracer to see the saml being sent. You can verify the ACS. If the ACS in the request does not match the metadata, the unauthorized service error should always be thrown.
>>
>> It should be logged at warn, I would think.
>>
>> Ray
>>
>> On Fri, 2022-01-07 at 05:17 -0800, Peter Barnes wrote:
>>
>> Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
>>
>> We recently had an issue with a service provider generating errors for an unauthorized service that we could not identify.
>> When performing SSO, if there was no established session on cas the user could successfully authenticate and the SSO flow would successfully complete for the SP. However, if there was already an established cas session, i.e. the user had already logged into a different SP, when attempting SSO for the initial SP it generated the unauthorized service error.
>>
>> In both cases the flow is started SP-initiated using the exact same url.
>>
>> There were no errors/warnings in the cas logs to give any indication as to what was at fault; it wasn't until we enabled debug logging that we found the following.
>>
>> Resolved [org.apereo.cas.support.saml.SamlException: Assertion consumer service [https://xxxxxxxxxxx/saml2/auth/login] cannot be located in metadata [[https://xxxxxxxxx/employee/saml2/post]]] to ModelAndView [view="casServiceErrorView"; model={rootCauseException=org.apereo.cas.services.UnauthorizedServiceException: }]
>>
>> Using this we identified that the consumer url in the saml request did not match the consumer url in the metadata and we were able to work around the issue.
>>
>> What we cannot identify is
>>
>> 1. Why is the behavior different based on existing/new session
>> 2. Why is this not logged anywhere as an error? Using debug logging to find this is not practical
>>
>> Cas Version: 6.3.5
>> Assumed location of original error: SamlIdpUtils#207
>>
>> --

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5f887e0b-7a1a-4be0-93bb-bcab145a8746n%40apereo.org.
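The check Ray describes (the ACS URL in the AuthnRequest must match an AssertionConsumerService Location in the SP metadata) and the logging point Peter raises (a mismatch should be visible without debug logging) can be illustrated stand-alone. The following is an added example, not code from the CAS project or from anyone in this thread: it parses a constructed SP metadata document and two constructed AuthnRequests with the standard library, accepts only an ACS URL that the metadata declares, and logs a mismatch at WARN. The `sp.example.org` hostnames, the request IDs and the function names are all assumptions made for the example.

```python
"""Added example (not CAS project code): verify that an AuthnRequest's
AssertionConsumerServiceURL is registered in the SP metadata, and log a
mismatch at WARN so it surfaces in normal logs.  All XML and hostnames are
constructed for the example."""
import logging
import xml.etree.ElementTree as ET
from typing import Optional, Set

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

log = logging.getLogger("acs-check")

# Constructed SP metadata declaring a single HTTP-POST ACS endpoint.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/employee">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/employee/saml2/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed AuthnRequest whose ACS URL is not the one in the metadata.
AUTHN_REQUEST_BAD = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2022-01-07T13:17:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.org/saml2/auth/login">
  <saml:Issuer>https://sp.example.org/employee</saml:Issuer>
</samlp:AuthnRequest>
"""

# Same request with the ACS URL corrected to the registered location.
AUTHN_REQUEST_OK = AUTHN_REQUEST_BAD.replace(
    "https://sp.example.org/saml2/auth/login",
    "https://sp.example.org/employee/saml2/post")


def metadata_acs_locations(metadata_xml: str) -> Set[str]:
    """Collect every AssertionConsumerService Location declared in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {
        acs.attrib["Location"]
        for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    }


def requested_acs(authn_request_xml: str) -> Optional[str]:
    """Return the AssertionConsumerServiceURL attribute of an AuthnRequest, if any."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("document is not a samlp:AuthnRequest")
    return root.attrib.get("AssertionConsumerServiceURL")


def acs_is_registered(authn_request_xml: str, metadata_xml: str) -> bool:
    """True when the request's ACS URL is one of the metadata locations.

    A request that carries no ACS attribute is accepted: the IdP would then
    fall back to the metadata default.  A mismatch is logged at WARN before
    returning False, so it is visible without enabling debug logging."""
    allowed = metadata_acs_locations(metadata_xml)
    acs = requested_acs(authn_request_xml)
    if acs is None:
        return True
    if acs in allowed:
        return True
    log.warning("Assertion consumer service [%s] cannot be located in metadata %s",
                acs, sorted(allowed))
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(name)s: %(message)s")
    print("registered ACS accepted:", acs_is_registered(AUTHN_REQUEST_OK, SP_METADATA))
    print("unregistered ACS accepted:", acs_is_registered(AUTHN_REQUEST_BAD, SP_METADATA))
```

Running the block prints `True` for the request whose ACS URL matches the metadata and `False` for the other, and the second call emits a WARN line naming the rejected URL and the registered locations, which is the information the thread had to dig out of the debug log. The comparison is an exact string match; if an SP's metadata lists several endpoints, all of their Location values end up in the allowed set.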
