CAS with shib 3

CAS with shib 3

Pablo Vidaurri
I am trying to do SSO using CAS and having shib 3 as SAML provider. I have set up the cas plugin as outlined in https://github.com/Unicon/shib-cas-authn3

When testing, I am being redirected to my CAS sso login page. I am seeing a successful login and tickets being generated on the CAS side. But when I get sent back to shib I am getting an error:
 ---------------------------------

opensaml::FatalProfileException at (https://sp.testshib.org/Shibboleth.sso/SAML2/POST)

SAML response reported an IdP error.

Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Requester
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
Message: An error occurred
 ---------------------------------

Am I missing anything in the config?

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: CAS with shib 3

Peter Schober
* Pablo Vidaurri <[hidden email]> [2018-07-20 23:09]:
> I am trying to do SSO using CAS and having shib 3 as SAML provider.

Note that the Shibboleth IDP speaks CAS as well, so ideally you could
replace your CAS server and use just one system for all use-cases.

> SAML response reported an IdP error.
>
> Error from identity provider:

Well, what does the Identity Provider's logs say, then?

-peter

Re: CAS with shib 3

Pablo Vidaurri
in idp log:
ERROR [org.jasig.cas.client.util.XmlUtils:194] - The markup in the document following the root element must be well-formed.
org.xml.sax.SAXParseException: The markup in the document following the root element must be well-formed.
Looking at cas-client-3.4.1 source, error above is happening for each of the XmlUtils.getTextForElement which eventually produces:
ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:109] - Ticket validation failed, returning InvalidTicket
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
Now to figure out what cas is sending back.
Thanks.
-psv


Re: CAS with shib 3

Pablo Vidaurri
[SOLVED] updated idp.properties file to have cas20 instead of cas30:
# Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default)
shibcas.ticketValidatorName = cas20


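An added example, not part of the thread and not code from shib-cas-authn3: a Python check that classifies the body a CAS validation endpoint returns, separating the two failures seen in the IdP log (a body that is not well-formed XML, and XML without a principal). The endpoint suffixes are the ones the Java CAS client requests for each validator name; the function names and the sample bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"

# Path (relative to the CAS server prefix) requested by each Java CAS client validator.
VALIDATOR_ENDPOINTS = {
    "cas10": "validate",
    "cas20": "serviceValidate",
    "cas30": "p3/serviceValidate",
}

def classify_validation_response(body):
    """Return (verdict, detail) for the body a CAS validation endpoint sent back."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Same class of failure as the SAXParseException in the IdP log.
        return ("not-well-formed", str(exc))
    if root.tag != CAS_NS + "serviceResponse":
        return ("not-cas-xml", root.tag)
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return ("failure", failure.get("code", ""))
    user = root.find(f"{CAS_NS}authenticationSuccess/{CAS_NS}user")
    if user is None or not (user.text or "").strip():
        # What the client reports as "No principal was found in the response".
        return ("no-principal", "")
    return ("ok", user.text.strip())

# Constructed sample bodies (not captured from the poster's servers).
SAMPLES = {
    "success": """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>""",
    "failure": """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>""",
    # A second top-level element after the root: an XML parser rejects this.
    "trailing_markup": "<html><body>Not Found</body></html>\n<p>error page</p>",
    # CAS 1.0 plain-text answer, which is not XML at all.
    "cas10_text": "yes\njdoe\n",
}

def classify_samples():
    return {name: classify_validation_response(body)[0] for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_validation_response(body))
```

Running the classifier on the body returned by the endpoint for the configured `shibcas.ticketValidatorName` shows whether the CAS server answers that protocol version with a usable `cas:serviceResponse`.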