Unicon / shib-cas-authn3

Integrates an external CAS Server and Shibboleth IdPv3.
Apache License 2.0

Ticket Validation Failure #31

Open pernin opened 6 years ago

pernin commented 6 years ago

Hi to all, I have a problem during the ticket validation: when shib-cas-authn calls cas/serviceValidate I obtain an error. The log is:

```
Il ticket ''{0}'' non è stato riconosciuto
```

But if I look at the CAS logs, I see that the service ticket has been correctly validated. So, what is the problem? Thank you in advance.
mmoayyed commented 6 years ago

Is there more in the CAS logs? Do you have it at DEBUG level?

pernin commented 6 years ago

The CAS logs are regular:

```
2018-01-10 18:32:15,245 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attribute policy [org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy@56d3d58e[attributeFilter=<null>,principalAttributesRepository=org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository@7dfc7ddc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]]] is associated with service [id=0,name=HTTPS and IMAPS,description=Allows HTTPS and IMAPS protocols, serviceId=^https://****************/idp/Authn/ExtCas.*, usernameAttributeProvider=org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider@d, theme=cas, evaluationOrder=0, logoutType=BACK_CHANNEL, attributeReleasePolicy = org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy@56d3d58e[attributeFilter = null>, principalAttributesRepository = org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository@7dfc7ddc[], authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, allowedAttributes=[]],accessStrategy=org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy@4bab3722[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={}],publicKey=<null>,proxyPolicy=org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy@55b0c6be,logo=<null>,logoutUrl=<null>,requiredHandlers=[],<null>]
2018-01-10 18:32:15,257 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - Deleting ticket ST-736-qgjtO9HI63nL3LEkGElF
2018-01-10 18:32:15,273 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket [ST-736-qgjtO9HI63nL3LEkGElF] by type [Ticket] cannot be found in the ticket registry.
2018-01-10 18:32:15,275 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-736-qgjtO9HI63nL3LEkGElF
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jan 10 18:32:15 CET 2018
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
```

But when Shib tries to use the ST to obtain the attributes, the CAS response is

```xml
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
            Il ticket &#039;&#039;{0}&#039;&#039; non è stato riconosciuto
    </cas:authenticationFailure>
</cas:serviceResponse>
```

and the IdP logs:

```
2018-01-10 12:57:13,116 - ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:?] - Ticket validation failed, returning InvalidTicket
org.jasig.cas.client.validation.TicketValidationException:
            Il ticket ''{0}'' non è stato riconosciuto
```

The strangest thing is that this behaviour happens only when there is already a session active for the user (so the SSO feature is exploited without the insertion of credentials) and only for a few Service Providers...
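
A CAS service ticket is single use: once the ticket registry has deleted an ST, any later lookup of the same id fails and the serviceValidate response carries `INVALID_TICKET`, which is exactly the failure shown above. The script below is an added example (not from this thread and not part of shib-cas-authn3) that correlates the two CAS DEBUG lines by ticket id and reports how long after the deletion the failed lookup happened, a quick way to confirm whether an ST was presented twice (for example by a retried or duplicated validation call). The log lines are constructed from the post above; the second ticket id is made up.

```python
"""Correlate CAS DEBUG log lines: report service tickets that were looked up
after the ticket registry had already deleted them (INVALID_TICKET signature)."""
import re
from datetime import datetime

# Constructed sample: the two lines from the post (same ST, same timestamps)
# plus a made-up ticket that is only deleted, never looked up again.
SAMPLE_LOG = """\
2018-01-10 18:32:15,257 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - Deleting ticket ST-736-qgjtO9HI63nL3LEkGElF
2018-01-10 18:32:15,273 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket [ST-736-qgjtO9HI63nL3LEkGElF] by type [Ticket] cannot be found in the ticket registry.
2018-01-10 18:32:16,001 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - Deleting ticket ST-737-madeUpTicketForTheExample
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
DELETE_RE = re.compile(TS + r".*Deleting ticket (?P<st>ST-\S+)")
MISSING_RE = re.compile(
    TS + r".*Ticket \[(?P<st>ST-[^\]]+)\] by type \[Ticket\] cannot be found")


def parse_ts(text):
    """CAS/log4j timestamp with comma-separated milliseconds."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def find_reused_tickets(log_text):
    """Return {ticket_id: seconds between its deletion and a later failed lookup}.

    A lookup that precedes the deletion, or a ticket that is never looked up
    again, is not reported: only the delete-then-miss sequence is suspicious.
    """
    deleted = {}
    findings = {}
    for line in log_text.splitlines():
        m = DELETE_RE.search(line)
        if m:
            deleted[m.group("st")] = parse_ts(m.group("ts"))
            continue
        m = MISSING_RE.search(line)
        if m and m.group("st") in deleted:
            gap = parse_ts(m.group("ts")) - deleted[m.group("st")]
            findings[m.group("st")] = gap.total_seconds()
    return findings


if __name__ == "__main__":
    for st, gap in find_reused_tickets(SAMPLE_LOG).items():
        print(f"{st}: looked up {gap:.3f}s after deletion -> INVALID_TICKET expected")
```

Run it over a real CAS log at DEBUG level; a ticket that appears in the output was consumed once and then presented again, so the second validation was bound to fail regardless of the IdP configuration.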

mmoayyed commented 6 years ago

Please reformat the logs so they are easier to read and review.

nebtag commented 6 years ago

Hello, did you find a solution for this problem? I have the same behaviour.

pernin commented 6 years ago

I don't remember it exactly, but you should try to force the "renew" parameter to true to bypass the problem.

auxepaul commented 5 years ago

We identified a similar problem with IdP 3.4 and CAS 6.0 with shib-cas-authn3. In our case, empty attributes sent by CAS to shib-cas-authn3 produce "InvalidTicket" errors and break the authentication workflow.