unicon / shib-cas-authn3

Integrates an external CAS Server and Shibboleth IdPv3.

License: Apache License 2.0

Java 95.71% Shell 1.62% Dockerfile 2.67%
shibboleth-idp cas-server spring-web-flow java authentication saml2 sso shibboleth cas

shib-cas-authn3's Introduction

NOTE: Development has moved. Please navigate to https://github.com/Unicon/shib-cas-authn for future versions and updates!

A Shibboleth IdP v3.X plugin for authentication via an external CAS Server

A Shibboleth IdP v4.X plugin can be found at https://github.com/Unicon/shib-cas-authn

This is a Shibboleth IdP external authentication plugin that delegates the authentication to an external Central Authentication Server. The biggest advantage of using this component over the plain REMOTE_USER header solution provided by Shibboleth is the ability to utilize a full range of native CAS protocol features such as renew and gateway, plus the ability to share with CAS the EntityID of the relying application.

The plugin takes advantage of and extends the Shibboleth IdP's external authentication flow, and consists of a number of JAR artifacts that bridge the gap between Shibboleth and CAS.

Maintenance Status

Maintenance of this project is sponsored by Unicon's Open Source Support program. Professional support/integration assistance for this module is available. For more information, visit https://unicon.net/opensource/shibboleth.

Also, please do note that the Shibboleth IdP v3 has support for the CAS protocol and Apereo CAS server v5+ also has support for the SAML2 protocol. Unless justified otherwise, a better approach long-term would be to consolidate down to one platform removing the need to deploy and configure this plugin.

Software Requirements

The minimum supported version of Shibboleth Identity Provider is 3.3.0. As of version 3.3.0, the minimum supported version of Shibboleth Identity Provider is 3.4.6, which contains a fix for a denial of service via External authentication flows. See this link for more details.

A Shibboleth IdP v2.X plugin can be found at https://github.com/Unicon/shib-cas-authn2.

Installation

Overview

  • Download and extract the "latest release" zip or tar from releases.
  • Copy the no-conversation-state.jsp file to your IDP_HOME/edit-webapp.
  • Copy the two included jar files (cas-client-core-x.x.x.jar and shib-cas-authenticator-x.x.x.jar) into IDP_HOME/edit-webapp/WEB-INF/lib.
  • Update the IdP's web.xml.
  • Update the IdP's idp.properties file.
  • Rebuild the war file.

NOTE: You should ALWAYS refer to the README.md file that is packaged with the release for instructions.

Update the IdP's web.xml

Add the ShibCas Auth Servlet entry in IDP_HOME/edit-webapp/WEB-INF/web.xml (Copy from IDP_HOME/webapp/WEB-INF/web.xml, if necessary.)

Example snippet web.xml:

...
    <!-- Servlet for receiving a callback from an external CAS Server and continues the IdP login flow -->
    <servlet>
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <url-pattern>/Authn/External/*</url-pattern>
    </servlet-mapping>
...

Update the IdP's idp.properties file

  1. Set idp.authn.flows to External. Or, for advanced cases, add External to the list.
  2. Add the additional properties.
...
# Regular expression matching login flows to enable, e.g. IPAddress|Password
#idp.authn.flows = Password
idp.authn.flows = External

# CAS Client properties (usage loosely matches that of the Java CAS Client)
## CAS Server Properties
shibcas.casServerUrlPrefix = https://cassserver.example.edu/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login

## Shibboleth Server Properties
shibcas.serverName = https://shibserver.example.edu

# By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
# Takes a comma separated list of fully qualified class names
# shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
# shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass

# Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default)
# shibcas.ticketValidatorName = cas30


# Specify if the Relying Party/Service Provider entityId should be appended as a separate entityId query string parameter
# or embedded in the "service" querystring parameter - `append` (default) or `embed`
# shibcas.entityIdLocation = append
...

Rebuild the war file

From the IDP_HOME/bin directory, run ./build.sh or build.bat to rebuild the idp.war. Redeploy if necessary.

CAS Service Registry

By setting shibcas.entityIdLocation=embed, shib-cas-authn will embed the entityId in the service string so that the CAS Server can use the entityId when evaluating a service registry entry match. Using serviceIds such as https://shibserver.example.edu/idp/Authn/ExtCas\?conversation=[a-z0-9]*&entityId=http://testsp.school.edu/sp or https://shibserver.example.edu/idp/Authn/ExtCas\?conversation=[a-z0-9]*&entityId=http://test.unicon.net/sp will match as two different entries in the service registry, which allows a CAS admin to enable MFA or use access strategies on an SP-by-SP basis.
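A pre-deployment check for the per-SP entries described above, as an added example (not part of the plugin or of CAS). It loads JSON service definitions, confirms each SP's embedded service URL matches exactly the intended entry, and shows that the regex `\?` must be written `\\?` inside a JSON file. The service names, the conversation key, the unregistered entityId and whole-string matching are assumptions.

```python
import json
import re

# The README's example IdP callback; conversation keys and the extra
# entityId used below are constructed sample values.
IDP_CALLBACK = "https://shibserver.example.edu/idp/Authn/ExtCas"

# Constructed service files using the README's two serviceId patterns.
# In JSON the regex escape "\?" has to be written "\\?".
TESTSP_JSON = r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://shibserver.example.edu/idp/Authn/ExtCas\\?conversation=[a-z0-9]*&entityId=http://testsp.school.edu/sp",
  "name": "testsp",
  "id": 1,
  "evaluationOrder": 1
}'''

UNICON_JSON = r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://shibserver.example.edu/idp/Authn/ExtCas\\?conversation=[a-z0-9]*&entityId=http://test.unicon.net/sp",
  "name": "unicon",
  "id": 2,
  "evaluationOrder": 2
}'''

# Same file with the pattern pasted verbatim (single backslash): invalid JSON.
BROKEN_JSON = TESTSP_JSON.replace("\\\\?", "\\?")


def embedded_service_url(conversation, entity_id):
    """Service URL shape when shibcas.entityIdLocation=embed."""
    return f"{IDP_CALLBACK}?conversation={conversation}&entityId={entity_id}"


def load_service(json_text):
    """Parse one service definition; raises json.JSONDecodeError on a bad escape."""
    service = json.loads(json_text)
    re.compile(service["serviceId"])  # fail early on a malformed pattern
    return service


def matching_names(service_url, services):
    """Names of the entries whose serviceId matches the whole service URL.

    Assumption: whole-string matching (re.fullmatch). Confirm how your CAS
    version applies serviceId patterns before relying on this result.
    """
    return [s["name"] for s in services
            if re.fullmatch(s["serviceId"], service_url)]


def audit(services, expectations):
    """Return {entity_id: matched names} for every SP that deviates."""
    problems = {}
    for entity_id, expected in expectations.items():
        url = embedded_service_url("e1s1", entity_id)
        got = matching_names(url, services)
        if got != expected:
            problems[entity_id] = got
    return problems


REGISTRY = [load_service(TESTSP_JSON), load_service(UNICON_JSON)]

EXPECTATIONS = {
    "http://testsp.school.edu/sp": ["testsp"],
    "http://test.unicon.net/sp": ["unicon"],
    "http://unregistered.example.org/sp": [],  # must not match any entry
}

if __name__ == "__main__":
    print("deviations:", audit(REGISTRY, EXPECTATIONS))
    try:
        load_service(BROKEN_JSON)
    except json.JSONDecodeError as exc:
        print("single-backslash file rejected:", exc)
```

An empty result from `audit` means every SP lands on its own entry, so MFA or access strategies attached to one entry cannot be picked up by another SP.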

Handling REFEDS MFA Profile

Note: This feature is only available starting with version 3.2.4.

The plugin has native support for the REFEDS MFA profile. The requested authentication context class, that is https://refeds.org/profile/mfa, is passed along from the Shibboleth IdP over to this plugin and is then translated to a multifactor authentication strategy supported by and configured in CAS (i.e. Duo Security). The CAS server is notified of the required authentication method via a special authn_method parameter by default. Once a service ticket is issued and the plugin begins to validate the service ticket, it will attempt to ensure that the CAS-produced validation payload contains and can successfully assert the required/requested authentication context class.

The supported multifactor authentication providers are listed below:

  • Duo Security (Requesting authn_method=mfa-duo and expecting validation payload attribute authnContextClass=mfa-duo)
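The request and validation steps described above, as an added example (not the plugin's own code): it maps the REFEDS MFA class to `authn_method=mfa-duo`, parses a CAS validation response, and refuses to assert the class unless `authnContextClass=mfa-duo` is present. The function names, the sample responses, the user name and the fail-closed behaviour are assumptions.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Provider mapping from the list above: REFEDS MFA is satisfied by Duo Security.
AUTHN_METHOD_FOR = {REFEDS_MFA: "mfa-duo"}

# Constructed validation responses (not captured from a real server).
MFA_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:authnContextClass>mfa-duo</cas:authnContextClass>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

PASSWORD_ONLY_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:mail>jsmith@example.edu</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def cas_login_params(requested_class_ref):
    """Extra CAS login parameters for the requested authn context class."""
    method = AUTHN_METHOD_FOR.get(requested_class_ref)
    return {"authn_method": method} if method else {}


def parse_validation(xml_text):
    """Return (user, attributes) from a validation response, or raise ValueError."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise ValueError(f"ticket validation failed: {code}")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS)).strip()
    attrs = {}
    container = success.find("cas:attributes", CAS_NS)
    if container is not None:
        for child in container:
            name = child.tag.split("}", 1)[-1]  # drop the namespace prefix
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user, attrs


def asserted_class_ref(requested_class_ref, attrs):
    """Return the class ref that may be asserted to the SP.

    Fails closed (assumption): if MFA was requested and the payload does not
    carry the expected authnContextClass, nothing is asserted.
    """
    required = AUTHN_METHOD_FOR.get(requested_class_ref)
    if required is None:
        return requested_class_ref  # no MFA mapping, nothing to prove
    if required not in attrs.get("authnContextClass", []):
        raise PermissionError(
            f"{requested_class_ref} requested but payload lacks "
            f"authnContextClass={required}")
    return requested_class_ref


if __name__ == "__main__":
    print(cas_login_params(REFEDS_MFA))
    user, attrs = parse_validation(MFA_RESPONSE)
    print(user, asserted_class_ref(REFEDS_MFA, attrs))
```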

Configuration

In the idp.properties file, ensure the following settings are set:

shibcas.casToShibTranslators = net.unicon.idp.externalauth.CasDuoSecurityRefedsAuthnMethodTranslator
shibcas.parameterBuilders = net.unicon.idp.authn.provider.extra.CasMultifactorRefedsToDuoSecurityAuthnMethodParameterBuilder

You also need to ensure the authn/External flow is able to accept the requested principal in the IdP's general-authn.xml file, that is https://refeds.org/profile/mfa.

<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
  p:passiveAuthenticationSupported="true"
  p:forcedAuthenticationSupported="true"
  p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </list>
    </property>
</bean>

Release Notes

See here.

Developer Notes

The project distributables can be built using ./gradlew clean build. The artifacts will be in build/distributions.

This project includes a Docker environment to assist with development/testing.

To build and execute, run ./gradlew clean; ./gradlew up. Then browse to: https://idptestbed/idp/profile/SAML2/Unsolicited/SSO?providerId=https://sp.idptestbed/shibboleth

You'll need a hosts file entry that points idptestbed to your Docker server's IP address.

The IdP only has a session of 1 minute (to test expired session/conversation key issues), so log in to the CAS Server quickly.

shib-cas-authn3's People

Contributors

apetro, chasegawa, dima767, jtgasper3, mmoayyed, pspaude, savvasmisaghmoayyed, scalding, tsschmidt, wgthom

shib-cas-authn3's Issues

Resolver definitions from CAS

Hello,

I am currently using shib-cas-authn3 to successfully authenticate Shib through my CAS server. I am trying to write my attribute-resolver.xml file for use with a vendor. I need to access the user fields defined in my CAS deployerConfigContext.xml. However I can only figure out how to get the PrincipalName. Is it possible to see all the information provided by CAS in a resolver? Or do I have to take the PrincipalName and search LDAP for the fields I need?

IdP v3.2.1.1: No flow definition 'authn/Shibcas' found -- Windows platform

My issue appears very similar to that posted by eryaza01 on Apr 21, 2015 (#4). I have installed a new instance of Shibboleth IDP v3.2.1.1 on a Windows Server 2012 platform, and am attempting to install/configure shib-cas-authn3. I am also receiving the "No flow definition 'authn/Shibcas' found" error. The relevant error messages in idp-process.log are:

--BEGIN--
2016-09-14 16:07:07,806 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'authn/Shibcas' found
at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinitionHolder(FlowDefinitionRegistryImpl.java:123)
2016-09-14 16:07:07,915 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: RuntimeException
--END--

When I installed the IDP, I set idp.home to E:\shibboleth3\idp . My shibcas-authn-beans.xml and shibcas-authn-flow.xml files are both located E:\shibboleth3\idp\flows\authn\Shibcas . I am not sure why I am getting the error message.

Passive AuthnRequest isn't properly responded to

The response needs to work something like this:

log.info("Passive authentication requested without a valid SSO session. Returning SAML error to SP [{}]", entityId);
AuthenticationException ae = isPassive ? new PassiveAuthenticationException("Passive authentication not supported without a previous session.")
    : new AuthenticationException("The user could not be authenticated for an unknown reason.");

No way to set custom ParamBuilders

It looks like the mechanism from the v2 CasLoginHandler for adding custom IParameterBuilders to add additional parameters to the CAS login URL was not ported to the v3 plugin.

Handle Revoking Consent on CAS side

As there is no login.vm displayed, but we have the CAS login theme, there should be some way to let the user revoke their release attribute grants on CAS side.
So first there should be some UI on the CAS Login Page, like the checkbox defined in Shibboleth's login.vm

              <div class="form-element-wrapper">
                <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true">
                #springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")
              </div>

And second there should be some worker, setting a request param for shibboleth, so that this decision flow from system/flows/intercept/attribute-release-flow.xml is executed.

    <!-- If consent revocation was requested, skip reading from storage. -->

    <decision-state id="TestForRevokeConsent">
        <if test="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.consent.context.ConsentManagementContext), true).getRevokeConsent()"
            then="RevokeConsent" else="ReadConsentFromStorage" />
    </decision-state>

Ticket validation error for embedded entity-id ending in double equal signs ("==")

We have our ShibCas configured to embed the entity-id in the URL sent to CAS. We're having a problem with an entity-id that ends in ==; the full value is: https://login.adaptiveinsights.com:443/samlsso/S0FOU0FTVU1DMg==. Users are able to log in with CAS, but when the ticket is validated, the service URL is encoded and appears to have dropped the == at the end of the URL.

ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:109] - Ticket validation failed, returning InvalidTicket
org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-60-PDiukKqi-CD-e-CcUT8902hF2V4cas2-t' does not match supplied service. The original service was 'https://castest.kumc.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https://login.adaptiveinsights.com:443/samlsso/S0FOU0FTVU1DMg==' and the supplied service was 'https://castest.kumc.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https%3A%2F%2Flogin.adaptiveinsights.com%3A443%2Fsamlsso%2FS0FOU0FTVU1DMg'.

I haven't located any configurations to change this. Changing back to appending the entity-id works, but we need the entity-id embedded to apply rules in CAS.

No redirection to CAS with Skype Entreprise

Hello,

I have a problem with Skype for Business 2016 client. My configuration to connect to Office 365 is Office365 -> ADFS -> Shibboleth(3.3.1) with ShibCas (3.2.2) -> CAS portal (5.0.5). It works via the Office365 web portal.
But not with Skype for Business (Windows client).

The "modern authentication" for Skype for Business is activated.
When connecting, the login screen of Shibboleth appears instead of my CAS portal.

Is it normal? I don't understand why the CAS portal is not called.

Many thanks for your help,
Steve.

Example CAS Service Entries not working

I am using shibcas.entityidlocation = embed on 3.2.3 and using the example in the documentation of a CAS serviceID, CAS does not load the service.

Using this example:

https://shibserver.example.edu/idp/Authn/ExtCas\?conversation=[a-z0-9]*&entityId=http://testsp.school.edu/sp

In the CAS log, it is rejecting the service file that I created with this error:

2018-02-07 11:51:58,207 ERROR [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] - <Error reading configuration file [SRVC1-10000007.json]>
java.lang.IllegalArgumentException: org.hjson.ParseException: Expected valid escape sequence at 3:54

My service file is:

{
"@Class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "https://idp.myu.edu/idp/Authn/ExtCas\?conversation=[a-z0-9]*&entityId=https://sso.srvc1.com/sp/shibboleth",
"name" : "SRVC1",
"id" : 10000007,
"description" : "SRVC1 Login",
"evaluationOrder" : 1
}

Thanks.
Al

ShibCas Auth Servlet HTTP ERROR: 503

I am using ShibCas that delegates the authentication to an external Central Authentication Server.

For that, at first I have installed Shibboleth IdP 3.3.3.1 with Jetty and then I have downloaded the Shibboleth IdP v3.X plugin for authentication via an external CAS server from GitHub. Then from there I have copied the Spring Webflow files, jsp, and included jar files into the IDP_HOME.

First I copied the gradle-wrapper.jar and pasted it to Shibboleth\IdP\edit-webapp\WEB-INF\lib. Then copied the jsp and put it in Shibboleth\IdP\edit-webapp\WEB-INF\jsp. Also copied the shibcas-authn-flow.xml and shibcas-authn-beans.xml to Shibboleth\IdP\flows\authn\Shibcas.

Couldn't update the IdP's web.xml, as after adding the ShibCas Auth Servlet I am getting a
https://localhost:8443/idp/status
https://localhost:8443/idp/shibboleth
https://localhost:8443/idp/profile/cas/login?service=https://myservice.mydomain.edu.countrycode/
HTTP ERROR: 503
Problem accessing /idp/profile/cas/login. Reason:

Service Unavailable 

    <servlet>
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <url-pattern>/Authn/ExtCas/*</url-pattern>
    </servlet-mapping>

Problem accessing /idp/profile/cas/login. Reason:

Service Unavailable 

As it is optional so I have escaped this step.

Updated the IdP's idp.properties file.
# Regular expression matching login flows to enable, e.g. IPAddress|Password
#idp.authn.flows = Password
idp.authn.flows = Shibcas

# CAS Client properties (usage loosely matches that of the Java CAS Client)
## CAS Server Properties
shibcas.casServerUrlPrefix = https://cas.mycasserver.edu/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login

## Shibboleth Server Properties
shibcas.serverName = https://idp.myshibbolethserver.edu

# By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
# Takes a comma separated list of fully qualified class names
# shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
# shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass

# Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default)
# shibcas.ticketValidatorName = cas30


# Specify if the Relying Party/Service Provider entityId should be appended as a separate entityId query string parameter
# or embedded in the "service" querystring parameter - `append` (default) or `embed`
# shibcas.entityIdLocation = append
Updated the IdP's general-authn.xml file.
    <util:list id="shibboleth.AvailableAuthenticationFlows">

        <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true"
                p:nonBrowserSupported="false" />
Rebuilt the war file.

after this
https://cas.myserver.edu/cas/login?service=https://localhost:8443/idp/shibboleth&entityId=https://myservice.myserver.edu/
now If I visit this link I can see the metadata of Shibboleth not redirecting me to the web service after login
https://localhost:8443/idp/shibboleth?ticket=ST-xxxx-xxxxxxxxxxxS5uoDofwygwI-ip-172-32-52-248

Now can you please let me know what step should I follow and how can I check
whether it will delegate the authentication to cas? what should be the
correct url to check too.

Sample attribute-resolver.xml

Hello,
I can't get my CAS 2.0 attributes propagated to Shibboleth (only uid).
Could you send a working attribute-resolver.xml file, for example? I guess I shall use a DataConnector.

Thank you

ShibcasAuthServlet doPost()

In re: the ShibcasAuthServlet, could the class support doPost()? I ran into this limitation recently in connection with a "warn" page that intercepts CAS login responses that are redirected after successful CAS login back to the Shib-Cas authenticator. For a couple of reasons, it was convenient to POST the request. Is there a spec limitation or some other reason?

Ticket Validation Failure

Hi to all,
I have a problem during the ticket validation: when shib-cas-authn calls cas/serviceValidate I obtain an error. The log is:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
Il ticket ''{0}'' non è stato riconosciuto
</cas:authenticationFailure>
</cas:serviceResponse>

But if I look at the CAS logs, I obtain that the service ticket has been correctly validated. So, what is the problem?
Thank you in advance.

IdP v3.1.1: No flow definition 'authn/Shibcas' found

We have working Shib IdP v2.4 integrated with cas-server-3.4.12 (as described in https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration).
Our goal is to integrate IdPv3 with the same cas server.
We have installed IdP v3.1.1 on the same server as Shib IdP v2.4 (just a different directory).
IdP basic login works but integration with cas-server-3.4.12 is not. We are getting an error message "No flow definition 'authn/Shibcas' found" after having completed all the steps following as described in README:

  1. Copy the Spring Webflow files into the IDP_HOME.
    ls /opt/shibboleth-idp/flows/authn/|grep cas
    shibcas-authn-beans.xml
    shibcas-authn-flow.xml

  2. Update the IdP's web.xml. (optional)
    added to /opt/shibboleth-idp/webapp/WEB-INF/web.xml

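    <servlet>
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <url-pattern>/Authn/ExtCas/*</url-pattern>
    </servlet-mapping>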
  3. Update the IdP's idp.properties file.

    Regular expression matching login flows to enable, e.g. IPAddress|Password

    idp.authn.flows= Shibcas

    idp.authn.flows = Password

CAS Client properties (usage loosely matches that of the Java CAS Client)

CAS Server Properties

shibcas.casServerUrlPrefix = https://logindev.bc.edu/cas
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login

Shibboleth Server Properties

shibcas.serverName = https://logindev.bc.edu

  4. Update the IdP's general-authn.xml file.
    /opt/shibboleth-idp/conf/authn/general-authn.xml:
    <util:list id="shibboleth.AvailableAuthenticationFlows">

    <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
            p:passiveAuthenticationSupported="true"
            p:forcedAuthenticationSupported="true"
            p:nonBrowserSupported="false" />
    
  5. Copy the libraries/jars.
    jar tvf shibboleth-idp/war/idp.war |grep cas
    108465 Tue Apr 21 14:42:38 EDT 2015 WEB-INF/lib/cas-client-core-3.3.3.jar
    21033 Thu Apr 02 15:35:12 EDT 2015 WEB-INF/lib/idp-cas-api-3.1.1.jar
    79967 Thu Apr 02 15:35:12 EDT 2015 WEB-INF/lib/idp-cas-impl-3.1.1.jar
    8654 Tue Apr 21 14:42:38 EDT 2015 WEB-INF/lib/shib-cas-authenticator-3.0.0.jar

  6. Rebuild the war file.
    war file rebuilt

Here is what I see in IdP logs:
2015-04-21 14:46:31,952 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:65] - Profile Action SelectProfileInterceptorFlow: Moving completed flow intercept/security-policy/saml2-sso to completed set, selecting next one
2015-04-21 14:46:31,953 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:80] - Profile Action SelectProfileInterceptorFlow: No flows available to choose from
2015-04-21 14:46:31,966 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeOutboundMessageContext:149] - Profile Action InitializeOutboundMessageContext: Initialized outbound message context
2015-04-21 14:46:32,010 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:367] - Profile Action PopulateBindingAndEndpointContexts: Attempting to resolve endpoint of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService for outbound message
2015-04-21 14:46:32,026 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:505] - Profile Action PopulateBindingAndEndpointContexts: Populating template endpoint for resolution from SAML AuthnRequest
2015-04-21 14:46:32,032 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:409] - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at location https://sp.testshib.org/Shibboleth.sso/SAML2/POST using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-04-21 14:46:32,121 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:304] - Profile Action PopulateEncryptionParameters: Encryption for assertions (true), identifiers (false), attributes(false)
2015-04-21 14:46:32,122 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:314] - Profile Action PopulateEncryptionParameters: Resolving EncryptionParameters for request
2015-04-21 14:46:32,127 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:376] - Profile Action PopulateEncryptionParameters: Adding entityID to resolution criteria
2015-04-21 14:46:32,127 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:387] - Profile Action PopulateEncryptionParameters: Adding role metadata to resolution criteria
2015-04-21 14:46:32,130 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:330] - Profile Action PopulateEncryptionParameters: Resolved EncryptionParameters
2015-04-21 14:46:32,246 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID or NameIdentifier in message
2015-04-21 14:46:32,281 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:101] - Profile Action InitializeAuthenticationContext: Created authentication context AuthenticationContext{initiationInstant=2015-04-21T14:46:32.281-04:00, isPassive=false, forceAuthn=false, hintedName=null, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, resultCacheable=true, completionInstant=1969-12-31T19:00:00.000-05:00}
2015-04-21 14:46:32,677 - DEBUG [net.shibboleth.idp.session.impl.PopulateSessionContext:131] - Profile Action PopulateSessionContext: No session found for client
2015-04-21 14:46:32,696 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:125] - Profile Action PopulateAuthenticationContext: Installing custom PrincipalEvalPredicateFactoryRegistry into AuthenticationContext
2015-04-21 14:46:32,697 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:158] - Profile Action PopulateAuthenticationContext: Installed 1 authentication flows into AuthenticationContext
2015-04-21 14:46:32,711 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do
2015-04-21 14:46:32,727 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByPassivity:53] - Profile Action FilterFlowsByPassivity: Request does not have passive requirement, nothing to do
2015-04-21 14:46:32,750 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2015-04-21 14:46:32,775 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:241] - Profile Action SelectAuthenticationFlow: No specific Principals requested
2015-04-21 14:46:32,775 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:267] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
2015-04-21 14:46:32,776 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:309] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/Shibcas
2015-04-21 14:46:32,923 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'authn/Shibcas' found
at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinitionHolder(FlowDefinitionRegistryImpl.java:123)
2015-04-21 14:59:30,880 - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:327] - Default key version has not changed, still still...

Any help would be appreciated.
Thank you,
Elena

Upgrade to IdP 3.3 flow definitions

IdP 3.3 has been released. I tested the plugin with the new release and the functionality that was in 3.2.1 still works as expected. I tried using the plugin as part of the new MFA flow and the Duo would error out with a null pointer because username was null. Here is a possible explanation of the issue from Scott Cantor:

Overnight epiphany...if the flow you're using is based on the External flow, but is a copy of it, not just a servlet that's receiving and handling the external authentication request, it probably is a copy of the pre-3.3 flow that leaves out a step to get the user identity in place.

Older login flows are still compatible with 3.3, but the Duo flow's assumptions are only met by the modified versions of the flows that ship with 3.3. Specifically, I moved subject canonicalization into each login flow instead of relying on the master authn flow to handle it.

So yes, you're probably correct that there's a compatibility issue there.

No conversation state found in session

I'm working with Shibboleth IDP 3.1.2 and CAS 4.0. My goal is to integrate the Shibboleth IDP with CAS to get SAML 2.0 support.
I've installed Shibboleth IDP 3.1.2 on a Tomcat server. I've installed CAS 4.0 on another Tomcat server. And I installed shib-cas-authn3 on the IdP Tomcat server using the installation guide.

Here is the scenario:

  1. Go to http://shibboleth_idp_server:8080/idp/profile/cas/login?service=http://whatever_url.com
Expected Result: Redirect (302) to http://cas_server:8080/cas/login?service=http%3A%2F%2Fshibboleth_idp_server%3A8080%2Fidp%2FAuthn%2FExtCas%3Fconversation%3De1s1&entityId=http%3A%2F%2Fwhatever_url.com
        CAS displays the login page

Obtained Result: Redirect (302) to http://cas_server:8080/cas/login?service=http%3A%2F%2Fshibboleth_idp_server%3A8080%2Fidp%2FAuthn%2FExtCas%3Fconversation%3De1s1&entityId=http%3A%2F%2Fwhatever_url.com
        CAS displays the login page
  2. Fill in login/password and validate
Expected Result: CAS generates a service ticket and redirects to http://shibboleth_idp_server:8080/idp/Authn/ExtCas?conversation=e1s1&entityId=http://whatever_url.com&ticket=ST-XXXXXXXXXXXXXXXXXX
                 Then ShibcasAuthServlet should call service validate on the CAS server.

Obtained Result: CAS generates a service ticket and redirects to http://shibboleth_idp_server:8080/idp/Authn/ExtCas?conversation=e1s1&ticket=ST-XXXXXXXXXXXXXXXXXX
                 And ends with the HTTP error 500 with the following stack trace:

                 HTTP Status 500 - Error processing ShibCas authentication request

                type Exception report

                message Error processing ShibCas authentication request

                description The server encountered an internal error that prevented it from fulfilling this request.

                exception

                javax.servlet.ServletException: Error processing ShibCas authentication request
                    net.unicon.idp.externalauth.ShibcasAuthServlet.doGet(ShibcasAuthServlet.java:152)
                    javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
                    javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
                    net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:64)
                    net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:60)
                    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
                    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
                root cause

                net.shibboleth.idp.authn.ExternalAuthenticationException: No conversation state found in session
                    net.shibboleth.idp.authn.ExternalAuthentication.startExternalAuthentication(ExternalAuthentication.java:89)
                    net.unicon.idp.externalauth.ShibcasAuthServlet.doGet(ShibcasAuthServlet.java:113)
                    javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
                    javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
                    net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:64)
                    net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:60)
                    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
                    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

                Here is the idp-proceed log:

                    2015-08-27 16:01:26,884 - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:327] - Default key version has not changed, still secret1
                    2015-08-27 16:09:46,156 - DEBUG [net.shibboleth.idp.session.impl.PopulateSessionContext:131] - Profile Action PopulateSessionContext: No session found for client
                    2015-08-27 16:09:46,157 - DEBUG [net.shibboleth.idp.cas.service.PatternServiceRegistry:60] - Evaluating whether http://success_url.com matches http://*
                    2015-08-27 16:09:46,157 - DEBUG [net.shibboleth.idp.cas.flow.BuildRelyingPartyContextAction:86] - Setting up RP context for unverified relying party http://success_url.com
                    2015-08-27 16:09:46,216 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:284] - Resolving relying party configuration
                    2015-08-27 16:09:46,217 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:290] - Profile request is unverified, returning configuration shibboleth.UnverifiedRelyingParty
                    2015-08-27 16:09:46,217 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.UnverifiedRelyingParty for request
                    2015-08-27 16:09:46,218 - DEBUG [net.shibboleth.idp.cas.flow.CheckAuthenticationRequiredAction:82] - IdP session not found
                    2015-08-27 16:09:46,220 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:125] - Profile Action PopulateAuthenticationContext: Installing custom PrincipalEvalPredicateFactoryRegistry into AuthenticationContext
                    2015-08-27 16:09:46,221 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:158] - Profile Action PopulateAuthenticationContext: Installed 1 authentication flows into AuthenticationContext
                    2015-08-27 16:09:46,222 - DEBUG [net.shibboleth.idp.session.impl.PopulateSessionContext:131] - Profile Action PopulateSessionContext: No session found for client
                    2015-08-27 16:09:46,223 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do
                    2015-08-27 16:09:46,224 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByPassivity:53] - Profile Action FilterFlowsByPassivity: Request does not have passive requirement, nothing to do
                    2015-08-27 16:09:46,225 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
                    2015-08-27 16:09:46,226 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:241] - Profile Action SelectAuthenticationFlow: No specific Principals requested
                    2015-08-27 16:09:46,227 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:267] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
                    2015-08-27 16:09:46,228 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:309] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/Shibcas

                Here is the tomcat log:

                    Aug 27, 2015 4:13:55 PM org.apache.catalina.core.StandardWrapperValve invoke
                    SEVERE: Servlet.service() for servlet [ShibCas Auth Servlet] in context with path [/idp] threw exception [Error processing ShibCas authentication request] with root cause
                    net.shibboleth.idp.authn.ExternalAuthenticationException: No conversation state found in session
                            at net.shibboleth.idp.authn.ExternalAuthentication.startExternalAuthentication(ExternalAuthentication.java:89)
                            at net.unicon.idp.externalauth.ShibcasAuthServlet.doGet(ShibcasAuthServlet.java:113)
                            at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
                            at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
                            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
                            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
                            at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:64)
                            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
                            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
                            at net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:60)
                            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
                            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
                            at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
                            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
                            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
                            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
                            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:205)
                            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
                            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
                            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
                            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
                            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
                            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
                            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
                            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
                            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
                            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
                            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
                            at java.lang.Thread.run(Thread.java:724)

While reading the Shibboleth code, it seems like the conversation id is not set in the session. Can you explain why? What did I miss?

Regards

Missing JAR files / Cannot build from master branch (or >= v3.2.1 tag)

Where are the JAR files we're supposed to "copy into the IDP_HOME directory?"

Attempting to build them with .\gradlew on Windows also fails:

10:25:57.274 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Caused by: java.io.IOException: Cannot run program "docker-compose" (in directory ".\shib-cas-authn3\build\docker"): CreateProcess error=267, The directory name is invalid
10:25:57.274 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at net.rubygrapefruit.platform.internal.DefaultProcessLauncher.start(DefaultProcessLauncher.java:25)
10:25:57.274 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   ... 5 more
10:25:57.274 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Caused by: java.io.IOException: CreateProcess error=267, The directory name is invalid
10:25:57.274 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   ... 6 more

Does Shibcas require any extra configuration on CAS 4 side?

While I see the URL contains the entityId for the SP, I'm not seeing it show up in the logs on the CAS side. Is there any extra config that needs to be done on CAS 4 to utilize the entityId being passed to it?

We added:

parametersToCheck
entityId ticket SAMLArt service renew gateway warn logoutUrl pgtUrl

but don't see the entityId show up as part of the org.jasig.cas.web.support.CasArgumentExtractor log entries. The extractor does show the IDP "service" parameter including the trailing conversation parameter from the login URL, but not the entityID. It's potentially being properly extracted and used somehow, but I'm not seeing it.

Different service URLs between login and validation when entityIdLocation=embed

Setup: IdP 3.3.0, shib-cas-authn 3.2.2, CAS 5.0.5

When shibcas.entityIdLocation=embed, the service URL sent with the validation request differs from the one sent for the login request.

From the logs:
org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-8997-qwrkgYqHLZqAHEvlf2EZ-cas.sju.edu' does not match supplied service. The original service was 'https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https://sju.zoom.us' and the supplied service was 'https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https%3A%2F%2Fsju.zoom.us&amp;entityId=https://sju.zoom.us'.

The validation service URL appears to have the entityID embedded twice, which CAS flags as invalid and refuses to validate. This results in our IdP returning an AuthnFailed to the SP (we don't have any other authn methods in our IdP). From rifling through the code a bit, it seems that the CAS CommonUtils class returns a service URL with the entityID already embedded when the browser returns from login with the service ticket, after which ShibCAS embeds the entityID again. Namely, HttpServletRequest.getRequestUrl() returns https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1, but during validation it returns https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https://sju.zoom.us because CAS always redirects to the service URL (with the service ticket in tow) upon successful login. When Shibcas constructs the service URL it appends the entity ID in either situation, resulting in the doubled-up embedded entity ID.

I've successfully tested a simple patch for this, overloading the method ShibcasAuthServlet.constructServiceUrl() to take a boolean indicating whether or not a ticket is being validated; if true, it'll return the string from CommonUtils unmodified (attached below).

shib-cas-authn3-ShibcasAuthServlet.txt
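
The mismatch described in this issue and the flag-based fix the reporter proposes, as an added Java example that is not the plugin's own code. The class and method names, the host names, and the plain string comparison standing in for the CAS service check are assumptions made for illustration; the idempotent variant goes beyond the fix described in the post.

```java
import java.util.Objects;

/**
 * Added illustration (not shib-cas-authn3 code): why appending entityId on both
 * the login leg and the validation leg makes CAS reject the service ticket.
 * All names and URLs are constructed for the example.
 */
public class EmbeddedEntityIdDemo {

    /** Behaviour described in the issue: entityId is appended on every call. */
    static String constructServiceUrlAlwaysAppend(String requestUrl, String entityId) {
        return appendParam(requestUrl, "entityId", entityId);
    }

    /**
     * Shape of the reporter's fix: while a ticket is being validated, the request
     * URL already carries the entityId that CAS echoed back, so return it unchanged.
     */
    static String constructServiceUrl(String requestUrl, String entityId, boolean validatingTicket) {
        return validatingTicket ? requestUrl : appendParam(requestUrl, "entityId", entityId);
    }

    /** Alternative (assumption, not from the issue): append only when the parameter is absent. */
    static String constructServiceUrlIdempotent(String requestUrl, String entityId) {
        return hasParam(requestUrl, "entityId") ? requestUrl : appendParam(requestUrl, "entityId", entityId);
    }

    static String appendParam(String url, String name, String value) {
        return url + (url.contains("?") ? "&" : "?") + name + "=" + value;
    }

    /** True when the query string of url contains a parameter with exactly this name. */
    static boolean hasParam(String url, String name) {
        int q = url.indexOf('?');
        if (q < 0) {
            return false;
        }
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.equals(name) || pair.startsWith(name + "=")) {
                return true;
            }
        }
        return false;
    }

    /** Stand-in for the CAS check: the service supplied at validation must equal the one the ticket was issued for. */
    static boolean casAcceptsTicket(String serviceAtLogin, String serviceAtValidation) {
        return Objects.equals(serviceAtLogin, serviceAtValidation);
    }

    public static void main(String[] args) {
        String entityId = "https://sp.example.org";  // constructed SP entityID
        String loginRequestUrl = "https://idp.example.org/idp/Authn/ExtCas?conversation=e1s1";

        // Login leg: the service URL handed to CAS, and the one the ticket is bound to.
        String serviceAtLogin = constructServiceUrlAlwaysAppend(loginRequestUrl, entityId);

        // Validation leg: CAS redirected the browser to serviceAtLogin plus a ticket,
        // so the request URL (ticket removed) already contains the entityId.
        String validationRequestUrl = serviceAtLogin;

        String doubled = constructServiceUrlAlwaysAppend(validationRequestUrl, entityId);
        String flagged = constructServiceUrl(validationRequestUrl, entityId, true);
        String idempotent = constructServiceUrlIdempotent(validationRequestUrl, entityId);

        System.out.println("service at login      : " + serviceAtLogin);
        System.out.println("always-append         : " + doubled
                + " -> accepted=" + casAcceptsTicket(serviceAtLogin, doubled));
        System.out.println("validating flag       : " + flagged
                + " -> accepted=" + casAcceptsTicket(serviceAtLogin, flagged));
        System.out.println("idempotent append     : " + idempotent
                + " -> accepted=" + casAcceptsTicket(serviceAtLogin, idempotent));
    }
}
```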

CAS server encoding

Hi,
My CAS server (custom CASino app) uses UTF-8-encoded attributes.
The Shib-Cas module does not set a default encoding, so I just added one method call to set it to UTF-8.

diff --git a/src/main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java b/src/main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java
index 4ce5284..696dd79 100644
--- a/src/main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java
+++ b/src/main/java/net/unicon/idp/externalauth/ShibcasAuthServlet.java
@@ -98,6 +98,7 @@ public class ShibcasAuthServlet extends HttpServlet {
                                            final String authenticationKey, final boolean force) throws ExternalAuthenticationException, IOException {
         try {
             ticketValidator.setRenew(force);
+            ticketValidator.setEncoding("UTF-8");
             final String serviceUrl = constructServiceUrl(request, response, true);
             logger.debug("validating ticket: {} with service url: {}", ticket, serviceUrl);
             final Assertion assertion = ticketValidator.validate(ticket, serviceUrl);
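Review bot: the added ticketValidator.setEncoding("UTF-8") hard-codes the charset and is re-applied on every validation call, next to the per-request setRenew(force). Since the value does not vary by request, set it once where ticketValidator is constructed and read it from a configuration property that defaults to UTF-8, so a deployment whose CAS server answers in another charset can override it. A test that validates a response carrying a non-ASCII attribute value would document the behaviour this line is meant to fix.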


Could a parameter to set the CAS server encoding be added (since Apereo doesn't support auto-detection based on the XML header)? Or, in 2018, I think we can set UTF-8 as the default encoding.

Sorry for my English,
Regards,

LOGOUT

Hi.
Should the logout on CAS work correctly?
After login, when I hit logout in the application, it ends up on the Shibboleth logout page, but it keeps me logged in on CAS.
No errors in the logs. Can this be a wrong configuration?

Shibcas and mfa-gauth

Hi,

I am using Shibcas with my Shibboleth IDP v3 and a CAS v5.3. All works fine with login and password.
When I use multifactor "Google Authenticator" on my CAS, I have a strange return:

2019-02-15 16:17:54,149 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:44] - principalName found and being passed on: XXXXXX
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute credentialType with values [UsernamePasswordCredential, GoogleAuthenticatorTokenCredential]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute samlAuthenticationStatementAuthMethod with values [urn:oasis:names:tc:SAML:1.0:am:password, urn:oasis:names:tc:SAML:1.0:am:unspecified]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute uid with values XXXXXXX
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute isFromNewLogin with values true
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute bypassMultifactorAuthentication with values false
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationDate with values 2019-02-15T16:17:53.562+01:00[Europe/Paris]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationMethod with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authnContextClass with values mfa-gauth
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,159 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute longTermAuthenticationRequestTokenUsed with values false
2019-02-15 16:17:54,160 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:51] - Found attributes from CAS. Processing...

So my Shibboleth sent to the SP: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Is there a missing configuration or a translation to add?

Thanks for reading.

Single Logout: terminate session on CAS

Is the SLO procedure covered by this project?
When I send an SLO request from an SP to the IdP, the IdP correctly terminates its session and correctly propagates the logout to all the related SPs, but CAS does not terminate the session.
Is there a method inside this project to communicate the logout to CAS from the SLO flow of the IdP?

Support Single Logout

IdP 3.2.1+ supports SAML SLO. I see that some versions of CAS do support SLO as well. I did a short search in this code but couldn't find SLO or Logout mentioned. Suggestion would be to add this feature.

Incompatibility with Shibboleth IdP 3.4.6

Note: Opening this issue in response to this post.

Based upon the release notes for IdP 3.4.6, ShibCas is incompatible with this release of Identity Provider because it functions by "directly instantiating/adding an instance of the ExternalAuthenticationContext class to the profile request context tree."

This manifests as the following Shibboleth error:

2019-10-03 09:20:17,080 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception

org.springframework.binding.expression.EvaluationException: An ELException occurred getting the value for expression 'opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).addSubcontext(new net.shibboleth.idp.authn.context.ExternalAuthenticationContext(), true).setFlowExecutionUrl(flowExecutionUrl + '&_eventId_proceed=1')' on context [class org.springframework.webflow.engine.impl.RequestControlContextImpl]
    at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:94)
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1002E: Constructor call: No suitable constructor found on type net.shibboleth.idp.authn.context.ExternalAuthenticationContext for arguments ()
    at org.springframework.expression.spel.ast.ConstructorReference.findExecutorForConstructor(ConstructorReference.java:203)

There is a modification provided in the thread which will return functionality to the plugin, but at the expense of re-introducing the vulnerability that the 3.4.6 release was meant to patch.

Can't rebuild war in Shibboleth 3.4.3 for ShibCas

We are currently using shib-cas-authn3 with version 3.3.2 and are trying to upgrade to Shibboleth 3.4.3. In both cases, we are using shib-cas-authn version 3.2.3 and in both cases we are using the Unicon Shibboleth docker image. I'm happy to file this in that repo if it is more appropriate.

We created a script to inject the shibcas configuration in during the docker build:

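#!/usr/bin/env python
# Rebuild the IdP war, then strip the ShibCas servlet entries from the deployed web.xml.

import re
import subprocess

idp_home = "/opt/shibboleth-idp/"
prod_web_xml = idp_home + "webapp/WEB-INF/web.xml"
web_str = ""
# Matches a <servlet> or <servlet-mapping> element that mentions ShibCas.
shibcas_reg = re.compile(r'<servlet(\-mapping)?>\n.*ShibCas.*\n.*(\n.*)?\s+</servlet(\-mapping)?>')

print("Rebuilding war for ShibCas support.")
subprocess.call([idp_home + "bin/build.sh", "-Didp.target.dir=" + idp_home])

# Read the deployed web.xml and drop every matching ShibCas element.
with open(prod_web_xml, 'r') as xml_f:
    xml_str = xml_f.read()
    web_str = shibcas_reg.sub('', xml_str)

# Write the filtered web.xml back in place.
with open(prod_web_xml, 'w') as xml_f:
    xml_f.write(web_str)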

This works fine in 3.3.x, but in 3.4.x, this fails with:
/opt/shibboleth-idp/bin/build.xml:564: /opt/shibboleth-idp/dist/webapp does not exist.

I've been searching the GitHub issues and mailing lists but haven't yet found a way to get this to work. I'm otherwise able to build the image without including this step for shib-cas-authn. Is there something I'm missing in order to make shib-cas-authn3 compatible with shibboleth-idp 3.4.3?

Windows Jetty HTTP ERROR 404 /idp/Authn/ExtCas

Hello, I followed everything in the README, but when navigating to /idp/Authn/ExtCas it shows:

HTTP ERROR 404

Problem accessing /idp/Authn/ExtCas. Reason:

    Not Found
Powered by Jetty:// 9.3.9.v20160517

idp.properties:

# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows= Shibcas

# CAS Client properties (usage loosely matches that of the Java CAS Client)
## CAS Server Properties
shibcas.casServerUrlPrefix = https://idp.nxtstp.com:8443/cas
shibcas.casServerLoginUrl = https://idp.nxtstp.com:8443/cas/login

## Shibboleth Server Properties
shibcas.serverName = https://idp.nxtstp.com:1443/idp

Handle Revoking Consent on CAS side

As there is no login.vm displayed, but we use the CAS login theme, there should be some way to let the user revoke their attribute release grants.
So first, there should be some UI on the CAS login page, like the checkbox defined in Shibboleth's login.vm

              <div class="form-element-wrapper">
                <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true">
                #springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")
              </div>

And second, there should be some worker setting a request param for Shibboleth, so that this decision flow from system/flows/intercept/attribute-release-flow.xml is executed.

    <decision-state id="TestForRevokeConsent">
        <if test="requestParameters._shib_idp_revokeConsent" then="RevokeConsent" else="ReadConsentFromStorage" />
    </decision-state>

README.md has incorrect config in comments

Line

"Set the idp.authn.flows to ShibCas. Or, for advance cases, add ShibCas to the list."

should say

Set the idp.authn.flows to Shibcas. Or, for advance cases, add Shibcas to the list.

Back button and Error processing ShibCas authentication request

I visit a protected page on an SP, get redirected to Shib, sent to CAS via shib-cas-authn3, log in, eventually get sent back to SP, get page. Great! Then I hit the back button.

On some browsers, I get a 500 exception "Error processing ShibCas authentication request", with root cause "No conversation state found in session for key (e1s1)". Exception at end of this issue. I'm running Tomcat on the IdP (for now).
The URL at this point is /idp/Authn/ExtCas?conversation=e1s1&ticket=ST-blah-blah-casa
It seems to happen on:
Edge on Windows 10.
Chrome in Windows 10.
Safari on Mac.
Chrome on Mac.
Opera on Mac.

In some browsers, I don't get the exception, I get directed to /idp/profile/SAML2/Redirect/SSO, which shows me a Shibboleth "Stale Request" message, which is nice.
This happens on:
IE 11 on Windows 10. But if I hit the back button again, I get the exception.
Firefox on Windows 10. Hitting the back button again remains on the page, which is very nice.
Firefox on Mac. Hitting the back button again remains on the page, which is very nice.

Anyway, is this expected, is Firefox doing something that the others aren't, am I missing something completely, or could you suggest any way I can avoid ever seeing the exception?

Thanks,
Kevin


HTTP Status 500 - Error processing ShibCas authentication request

type Exception report

message Error processing ShibCas authentication request

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Error processing ShibCas authentication request
net.unicon.idp.externalauth.ShibcasAuthServlet.doGet(ShibcasAuthServlet.java:152)
javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:72)
net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:60)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
root cause

net.shibboleth.idp.authn.ExternalAuthenticationException: No conversation state found in session for key (e1s1)
net.shibboleth.idp.authn.ExternalAuthentication.startExternalAuthentication(ExternalAuthentication.java:132)
net.unicon.idp.externalauth.ShibcasAuthServlet.doGet(ShibcasAuthServlet.java:113)
javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:72)
net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:60)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.54 logs.

Apache Tomcat/7.0.54

shibcas-authn-beans.xml has bad reference to "Shibboleth.authn.External.populateUIInfo"

Shibboleth.authn.External.populateUIInfo in line 26 (https://github.com/Unicon/shib-cas-authn3/blob/master/IDP_HOME/flows/authn/Shibcas/shibcas-authn-beans.xml#L26)

should read Shibboleth.authn.Cas.populateUIInfo so that it references the bean found in line 38 (https://github.com/Unicon/shib-cas-authn3/blob/master/IDP_HOME/flows/authn/Shibcas/shibcas-authn-beans.xml#L38).

It also looks like shibboleth.authn.External.resultCachingPredicate on line 36 (https://github.com/Unicon/shib-cas-authn3/blob/master/IDP_HOME/flows/authn/Shibcas/shibcas-authn-beans.xml#L36) should be updated as well.

Thanks to Scott Koranda with the Spherical Cow Group for reporting this issue.
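
A mismatch like the one reported above can be caught before deployment by listing every bean name a flow's beans file refers to (through `p:*-ref` attributes and `getObject('...')` lookups) and comparing it with the ids the file defines. This is an added example, not code from the project; the sample XML is constructed from the snippet quoted on this page, and `audit` and `referenced_names` are names chosen here.

```python
import re
import xml.etree.ElementTree as ET

SPRING_P = "{http://www.springframework.org/schema/p}"  # Spring p-namespace
GET_OBJECT = re.compile(r"getObject\('([^']+)'\)")      # SpEL bean lookups

# Constructed sample modelled on the snippet quoted in this report; it is not
# the project's complete shibcas-authn-beans.xml.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:util="http://www.springframework.org/schema/util">
  <bean id="SetRPUIInformation"
      class="net.shibboleth.idp.ui.impl.SetRPUIInformation" scope="prototype"
      p:activationCondition-ref="shibboleth.authn.External.populateUIInfo"
      p:httpServletRequest-ref="shibboleth.HttpServletRequest" />
  <bean id="ValidateExternalAuthentication"
      class="net.shibboleth.idp.authn.impl.ValidateExternalAuthentication"
      p:classifiedMessages-ref="shibboleth.authn.Cas.ClassifiedMessageMap"
      p:resultCachingPredicate="#{getObject('shibboleth.authn.External.resultCachingPredicate')}" />
  <util:constant id="shibboleth.authn.Cas.populateUIInfo"
      static-field="java.lang.Boolean.FALSE" />
</beans>"""


def referenced_names(root):
    """Yield (bean id, attribute, name) for p:*-ref and getObject('...')."""
    for elem in root.iter():
        owner = elem.get("id", "<anonymous>")
        for attr, value in elem.attrib.items():
            local = attr.rsplit("}", 1)[-1]
            if attr.startswith(SPRING_P) and local.endswith("-ref"):
                yield owner, local, value
            for name in GET_OBJECT.findall(value):
                yield owner, local, name


def audit(xml_text):
    """Return (bean, attribute, name, hint) for names not defined in the file."""
    root = ET.fromstring(xml_text)
    defined = {e.get("id") for e in root.iter() if e.get("id")}
    # hint: a locally defined id with the same last segment (External vs. Cas)
    by_suffix = {d.rsplit(".", 1)[-1]: d for d in defined}
    return [(o, a, n, by_suffix.get(n.rsplit(".", 1)[-1]))
            for o, a, n in referenced_names(root) if n not in defined]


if __name__ == "__main__":
    for owner, attr, name, hint in audit(SAMPLE):
        print("%s.%s -> %s (similar id defined here: %s)" % (owner, attr, name, hint))
```

A name reported without a hint may still be defined in the IdP's parent Spring context, so only findings that carry a hint point to a likely leftover such as `External` in place of `Cas`.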

No bean named 'shibboleth.authn.External.populateUIInfo' is defined

Hello,

First of all, thanks for developing this useful authentication plugin for the 3.x Shibboleth IdP.

I've followed your documentation and installed the shib-cas-authn3-3.0.0 with a Shibboleth IdP 3.1.1.

I then got the following error while initiating a login session:
2015-06-02 09:38:29,972 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'SetRPUIInformation' defined in file [/opt/shibboleth-idp3/flows/authn/Shibcas/shibcas-authn-beans.xml]: Cannot resolve reference to bean 'shibboleth.authn.External.populateUIInfo' while setting bean property 'activationCondition'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.authn.External.populateUIInfo' is defined at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.authn.External.populateUIInfo' is defined at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:687)

I had to change the flows/authn/Shibcas/shibcas-authn-beans.xml file as follows:


*** 23,29 ****

  <bean id="SetRPUIInformation"
        class="net.shibboleth.idp.ui.impl.SetRPUIInformation" scope="prototype"

! p:activationCondition-ref="shibboleth.authn.External.populateUIInfo"
p:httpServletRequest-ref="shibboleth.HttpServletRequest">


--- 23,29 ----

  <bean id="SetRPUIInformation"
        class="net.shibboleth.idp.ui.impl.SetRPUIInformation" scope="prototype"

! p:activationCondition-ref="shibboleth.authn.Cas.populateUIInfo"
p:httpServletRequest-ref="shibboleth.HttpServletRequest">
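
Review bot: In the changed `p:activationCondition-ref` line, the new target `shibboleth.authn.Cas.populateUIInfo` is the `util:constant` that the next hunk's context shows as `java.lang.Boolean.FALSE`, so the reference now resolves but points at a fixed false value. Add an XML comment beside the constant saying that this is intentional, so the rename is not read as switching `SetRPUIInformation` on.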


*** 33,39 ****
<bean id="ValidateExternalAuthentication"
class="net.shibboleth.idp.authn.impl.ValidateExternalAuthentication" scope="prototype"
p:classifiedMessages-ref="shibboleth.authn.Cas.ClassifiedMessageMap"
! p:resultCachingPredicate="#{getObject('shibboleth.authn.External.resultCachingPredicate')}" />

  <util:constant id="shibboleth.authn.Cas.populateUIInfo" static-field="java.lang.Boolean.FALSE" />

--- 33,39 ----
<bean id="ValidateExternalAuthentication"
class="net.shibboleth.idp.authn.impl.ValidateExternalAuthentication" scope="prototype"
p:classifiedMessages-ref="shibboleth.authn.Cas.ClassifiedMessageMap"
! p:resultCachingPredicate="#{getObject('shibboleth.authn.Cas.resultCachingPredicate')}" />

  <util:constant id="shibboleth.authn.Cas.populateUIInfo" static-field="java.lang.Boolean.FALSE" />
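
Review bot: The new lookup `getObject('shibboleth.authn.Cas.resultCachingPredicate')` names a bean that is not defined anywhere in the visible lines; the only `shibboleth.authn.Cas.*` definition shown is the `populateUIInfo` constant. Either define `shibboleth.authn.Cas.resultCachingPredicate` in this file or add a comment saying where it is expected to come from, since the error in this report came from exactly this kind of undefined name.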

Maybe that bean definition should be changed on your end too?

Regards.
