Unicon / shib-cas-authn3

Integrates an external CAS Server and Shibboleth IdPv3.
Apache License 2.0

Different service URLs between login and validation when entityIdLocation=embed #26

Closed aremmes closed 7 years ago

aremmes commented 7 years ago

Setup: IdP 3.3.0, shib-cas-authn 3.2.2, CAS 5.0.5

When shibcas.entityIdLocation=embed, the service URL sent with the validation request differs from the one sent for the login request.

From the logs: org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-8997-qwrkgYqHLZqAHEvlf2EZ-cas.sju.edu' does not match supplied service. The original service was 'https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1&entityId=https://sju.zoom.us' and the supplied service was 'https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1&entityId=https%3A%2F%2Fsju.zoom.us&entityId=https://sju.zoom.us'.

The validation service URL appears to have the entityID embedded twice, which CAS flags as invalid and refuses to validate. This results in our IdP returning an AuthnFailed to the SP (we don't have any other authn methods in our IdP). From rifling through the code a bit, it seems that the CAS CommonUtils class returns a service URL with the entityID already embedded when the browser returns from login with the service ticket, after which ShibCAS embeds the entityID again. Namely, HttpServletRequest.getRequestUrl() returns https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1, but during validation it returns https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1&entityId=https://sju.zoom.us because CAS always redirects to the service URL (with the service ticket in tow) upon successful login. When Shibcas constructs the service URL it appends the entity ID in either situation, resulting in the doubled-up embedded entity ID.

I've successfully tested a simple patch for this, overloading the method ShibcasAuthServlet.constructServiceUrl() to take a boolean indicating whether or not a ticket is being validated; if true, it'll return the string from CommonUtils unmodified (attached below).

shib-cas-authn3-ShibcasAuthServlet.txt
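To make the two-phase service-URL construction described above concrete, here is an added Python model of the behaviour; it is not code from shib-cas-authn3 or the attached patch. It assumes that the CAS client helper hands back the current request URL with the `ticket` parameter removed, and that CAS compares the service stored with the ST against the service supplied at validation as plain strings. The entityId and callback URL are taken from the log line in the report; the ticket value is constructed.

```python
"""Model of the login/validation service-URL mismatch from this issue.

Added illustration, not code from shib-cas-authn3. Assumptions: the CAS
client derives the service URL from the current request URL with the
'ticket' parameter removed, and CAS compares the service stored with the
ST against the one supplied at validation as plain strings.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Values modelled on the report (entityId and IdP callback from the log line).
ENTITY_ID = "https://sju.zoom.us"
LOGIN_REQUEST_URL = "https://cas.sju.edu/idp/Authn/ExtCas?conversation=e1s1"
TICKET = "ST-8997-example"  # constructed ticket id, not the one in the report


def request_derived_service_url(request_url):
    """What the CAS client URL helper hands back: the request URL minus 'ticket'."""
    parts = urlsplit(request_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def append_entity_id(url, entity_id):
    sep = "&" if "?" in url else "?"
    return url + sep + urlencode({"entityId": entity_id})


def service_url_3_2_2(request_url, entity_id, validating):
    """Pre-fix behaviour: the phase is ignored and entityId is always appended."""
    del validating  # 3.2.2 did not distinguish login from validation
    return append_entity_id(request_derived_service_url(request_url), entity_id)


def service_url_patched(request_url, entity_id, validating):
    """Patched behaviour: at validation the browser has already arrived on the
    URL that carries entityId, so the request-derived URL is returned as is."""
    base = request_derived_service_url(request_url)
    return base if validating else append_entity_id(base, entity_id)


def cas_redirect(service_url, ticket):
    """CAS sends the browser back to the registered service with the ST attached."""
    sep = "&" if "?" in service_url else "?"
    return service_url + sep + urlencode({"ticket": ticket})


def simulate(builder):
    """Run both phases with a builder; return (stored, supplied) service URLs."""
    stored = builder(LOGIN_REQUEST_URL, ENTITY_ID, validating=False)  # login redirect
    callback = cas_redirect(stored, TICKET)                             # browser returns
    supplied = builder(callback, ENTITY_ID, validating=True)          # ST validation
    return stored, supplied


def entity_id_count(url):
    """How many entityId parameters a URL carries (the bug produces two)."""
    return sum(1 for k, _ in parse_qsl(urlsplit(url).query) if k == "entityId")


def cas_accepts(stored, supplied):
    """CAS rejects the ST when the two service strings differ."""
    return stored == supplied


if __name__ == "__main__":
    for name, builder in (("3.2.2", service_url_3_2_2), ("patched", service_url_patched)):
        stored, supplied = simulate(builder)
        verdict = "validates" if cas_accepts(stored, supplied) else "does not match supplied service"
        print(f"{name}: entityId x{entity_id_count(supplied)}, {verdict}")
```

Running it reproduces the shape of the failure in the report: the 3.2.2 builder produces a supplied service with two `entityId` parameters that CAS rejects, while the phase-aware builder yields the same string in both phases.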

jtgasper3 commented 7 years ago

Yep, this looks like a bug. I'll look at the code changes the next time I break open the code.

lexlimo commented 7 years ago

Just bit us too.

ajb2 commented 7 years ago

Here as well. I've reverted to append for now.

jtgasper3 commented 7 years ago

Hi all,

I've applied @aremmes patch. Thanks for doing that leg work. I've also added in a couple of unit tests to hopefully prevent this from breaking again.

I don't have a good way of testing this right now. Can folks please grab the release at https://github.com/Unicon/shib-cas-authn3/releases/tag/3.2.3-beta1, and let me know if it works for you using the embedded functionality.

Thanks, John

ajb2 commented 7 years ago

I still have the issue when I switch back to embed. I just replaced the .jar and .xml files. Anything else I need to do?

jtgasper3 commented 7 years ago

Well, that’s no good.

Can you please attach your cas.log pertaining to the ST, particularly the validation area for the ST?


ajb2 commented 7 years ago

Below are the relevant entries when I try with testshib.org. Let me know if I can provide anything else.

2017-09-11 14:45:59,658 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Mon Sep 11 14:45:59 EDT 2017,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Sep 11 14:45:59 EDT 2017
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2017-09-11 14:45:59,661 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: xxx.xxx@xxx.xxx.xxx
WHAT: ST-1156-fpoplOwkarFmZRbljoGl-cas for https://xxx.xxx.xxx/idp/Authn/ExtCas?conversation=e2s1&entityId=https://sp.testshib.org/shibboleth-sp
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Sep 11 14:45:59 EDT 2017
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2017-09-11 14:45:59,685 ERROR [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [ST-1156-fpoplOwkarFmZRbljoGl-cas] with service [https://xxx.xxx.xxx/idp/Authn/ExtCas?conversation=e2s1&entityId=https://sp.testshib.org/shibboleth-sp] does not match supplied service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@236f3564[id=https://xxx.xxx.xxx/idp/Authn/ExtCas?conversation=e2s1&entityId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth-sp&entityId=https://sp.testshib.org/shibboleth-sp,originalUrl=https://xxx.xxx.xxx/idp/Authn/ExtCas?conversation=e2s1&entityId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth-sp&entityId=https://sp.testshib.org/shibboleth-sp,artifactId=ST-1156-fpoplOwkarFmZRbljoGl-cas,principal=<null>,loggedOutAlready=false,format=XML]]>
2017-09-11 14:45:59,686 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1156-fpoplOwkarFmZRbljoGl-cas
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Mon Sep 11 14:45:59 EDT 2017
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1
=============================================================

jtgasper3 commented 7 years ago

Very interesting. And your jar file is shib-cas-authenticator-3.2.3.jar? 3.2.3?


ajb2 commented 7 years ago

Yes, I deleted the old one and that's the only one present.

jeffmc930 commented 7 years ago

ajb2: When one does the upgrade by adding the new jar file, it must replace the old one in two places, both under edit-webapp and webapp. If the second old jar still exists under the webapp directory (jar files are deleted by the build.sh), you'll have two jar files under webapp even though you have just one under edit-webapp.

Originally, I saw your note so I didn't try the install. Today, I had a further thought that it might be that the above issue was messing things up for you. Possible? I just did the install and the 3.2.3 beta 1 version works fine in embed mode.
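A check for the deployment pitfall just described, added here as an example rather than taken from the project: it parses an `unzip -l idp.war` listing and reports any artifact present under `WEB-INF/lib` in more than one version, which is what a stale jar left behind under webapp looks like in the built war. The listing below is constructed, and the path layout (`WEB-INF/lib/` inside the war) is assumed from the standard IdP v3 layout.

```python
"""Detect duplicate jar versions in a built IdP war listing.

Added example, not part of shib-cas-authn3. Assumes the war keeps its jars
under WEB-INF/lib/ (standard Shibboleth IdP v3 layout) and that `unzip -l`
prints size, date, time and name columns.
"""
import re
import subprocess
from collections import defaultdict

# Constructed listing in the shape of `unzip -l idp.war` output; the sizes,
# dates and the third jar name are made up for the example.
SAMPLE_LISTING = """\
Archive:  idp.war
  Length      Date    Time    Name
---------  ---------- -----   ----
    54321  2017-09-11 09:55   WEB-INF/lib/shib-cas-authenticator-3.2.2.jar
    55555  2017-10-17 11:20   WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
   123456  2017-09-11 09:55   WEB-INF/lib/example-dependency-1.0.0.jar
---------                     -------
   233332                     3 files
"""

# artifact-name-<version>.jar, where the version starts with a digit
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def find_duplicate_jars(listing):
    """Return {artifact: [versions]} for artifacts with more than one version."""
    versions = defaultdict(set)
    for line in listing.splitlines():
        cols = line.split(maxsplit=3)
        if len(cols) < 4 or not cols[3].startswith("WEB-INF/lib/"):
            continue
        match = JAR_RE.match(cols[3].rsplit("/", 1)[1])
        if match:
            versions[match["artifact"]].add(match["version"])
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def check_war(path):
    """Run `unzip -l` on a real war and return its duplicate-jar report."""
    out = subprocess.run(["unzip", "-l", path], capture_output=True,
                         text=True, check=True).stdout
    return find_duplicate_jars(out)


if __name__ == "__main__":
    for artifact, found in find_duplicate_jars(SAMPLE_LISTING).items():
        print(f"{artifact}: multiple versions in WEB-INF/lib: {', '.join(found)}")
```

Run `check_war("/opt/shibboleth-idp/war/idp.war")` (path assumed) after `build.sh`; an empty result means only one version of each jar made it into the war.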

ajb2 commented 7 years ago

I don't think I did that initially, but I just tried that, replacing both and I am still getting the same behavior.
Here is what I see in my cas log.

2017-10-17 11:32:42,163 ERROR [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [ST-4309-XApfgEe5dnxraYzbO3ct-cas] with service [https://xxx.xxx.com/idp/Authn/ExtCas?conversation=e2s1&entityId=https://sp.testshib.org/shibboleth-sp] does not match supplied service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@96a94a7[id=https://xxx.xxx.com/idp/Authn/ExtCas?conversation=e2s1&entityId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth-sp&entityId=https://sp.testshib.org/shibboleth-sp,originalUrl=https://xxx.xxx.com/idp/Authn/ExtCas?conversation=e2s1&entityId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth-sp&entityId=https://sp.testshib.org/shibboleth-sp,artifactId=ST-4309-XApfgEe5dnxraYzbO3ct-cas,principal=,loggedOutAlready=false,format=XML]]>

jeffmc930 commented 7 years ago

Can you confirm the war file has been appropriately updated with only one version of jar file after running build.sh?

ajb2 commented 7 years ago

I'm an idiot. I forgot to run build.bat. It is working. Thanks for pointing me in the right direction.

jtgasper3 commented 7 years ago

Hey all,

Sorry, I'm just getting back to this. It's been a crazy few weeks. I have a few days before I head out on more business trips, so I want to get this wrapped up.

@jeffmc930 and @ajb2, from your testing is the 3.2.3-beta1 working as expected? Would you say it is good enough to release?

Is there anyone else following this thread that has input?

Thanks.

jeffmc930 commented 7 years ago

Yes. It is good enough to release. Thank you for adding the extra code.

Jeff


ajb2 commented 7 years ago

Yup works well.


jtgasper3 commented 7 years ago

Great. I'll get a formal release cut today.

jtgasper3 commented 7 years ago

The formal release of 3.2.3 is out: https://github.com/Unicon/shib-cas-authn3/releases/tag/3.2.3

There are no code changes between this version and the beta. There were some documentation changes, gradle config changes, and this build explicitly targets Java 1.8.0 (vs the loose 1.8.0 that was used to build the beta).

Thanks for everyone's assistance with this issue.