Delegated authentication fails after IDP login with UnauthorizedServiceException
Version information
CAS Version: 6.2.0-RC2
CAS Branch: master
CAS Commit Id: 9299f7af9064f13e81828a60376466b3c25334fe
CAS Build Date/Time: 2020-06-06T03:12:52Z
Spring Boot Version: 2.2.2.RELEASE
Spring Version: 5.2.2.RELEASE
Java Home: /usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64
Java Vendor: Oracle Corporation
Java Version: 11.0.7
JVM Free Memory: 501 MB
JVM Maximum Memory: 910 MB
JVM Total Memory: 652 MB
JCE Installed: Yes
OS Architecture: amd64
OS Name: Linux
OS Version: 4.18.0-147.8.1.el8_1.x86_64
OS Date/Time: 2020-06-05T23:14:25.044612
OS Temp Directory: /opt/tomcat/latest/temp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.31
------------------------------------------------------------
The workflow for this issue is as follows:
- User attempts to access https://dev-myapp.test.com/
- The application determines that no session has been established and redirects to CAS.
- The CAS service is configured for delegated authentication (pac4j) and redirects to the IDP via SAML2
- The IDP authenticates and passes the assertion back to CAS, where CAS then determines that the service is unauthorized.
The expectation is that CAS evaluates the SAML2 assertion and sets a JWT, which dev-myapp then uses to create a session. The log messages below begin when I attempt to log in to "dev-myapp" and end with the failure.
I believe the root cause is staring me in the face, but I'm not familiar enough with the internals of CAS to understand where it is trying to point me. I had this working at one point, but I don't know what I did to break it.
2020-06-08 14:33:58,335 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://dev-myapp.test.com]>
2020-06-08 14:33:58,336 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [^https://dev-myapp.test.com] with id [20] in context scope>
2020-06-08 14:33:58,336 WARN [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2020-06-08 14:33:58,336 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2020-06-08 14:33:58,336 DEBUG [org.apereo.cas.web.flow.actions.ClearWebflowCredentialAction] - <Current event signaled a failure. Recreating credentials instance from the context>
2020-06-08 14:33:58,336 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Client Access Granted,client=SAML2_TEST_Portal,registeredService=Dynamic Sandbox Tool:^https://dev-myapp.test.com]
ACTION: DELEGATED_CLIENT_SUCCESS
APPLICATION: CAS
WHEN: Mon Jun 08 14:33:58 EDT 2020
CLIENT IP ADDRESS: 10.192.0.4
SERVER IP ADDRESS: 10.192.0.69
=============================================================
>
2020-06-08 14:33:58,336 DEBUG [org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper] - <Delegated authentication policy for [AbstractRegisteredService(serviceId=^https://dev-myapp.test.com, name=Dynamic Sandbox Tool, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=20, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, proxyTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=0, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], environments=[], attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, bypassTrustedDeviceEnabled=false), logo=null, logoutUrl=null, redirectUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2_TEST_Portal], permitUndefined=true, 
exclusive=false), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={jwtAsServiceTicket=DefaultRegisteredServiceProperty(values=[true]), jwtAsServiceTicketSigningKey=DefaultRegisteredServiceProperty(values=[])}, contacts=[])] allows for using client [SAML2_TEST_Portal]>
2020-06-08 14:33:58,337 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
2020-06-08 14:33:58,337 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Mon Jun 08 14:33:58 EDT 2020,source=RankedMultifactorAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Jun 08 14:33:58 EDT 2020
CLIENT IP ADDRESS: 10.192.0.4
SERVER IP ADDRESS: 10.192.0.69
=============================================================
>
2020-06-08 14:33:58,396 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_en] - neither plain properties nor XML>
2020-06-08 14:33:58,396 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages] - neither plain properties nor XML>
2020-06-08 14:33:58,397 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_en] - neither plain properties nor XML>
2020-06-08 14:33:58,397 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Re-caching properties for filename [classpath:messages] - file hasn't been modified>
2020-06-08 14:33:59,978 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Storing delegated authentication request ticket [TST-14-B2SOaEgWgO--EnlevYK-4YqJZAal0C1v] for service [AbstractWebApplicationService(id=https://dev-myapp.test.com, originalUrl=https://dev-myapp.test.com, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] with properties [{theme=, targetService=AbstractWebApplicationService(id=https://dev-myapp.test.com, originalUrl=https://dev-myapp.test.com, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={}), method=, locale=, service=AbstractWebApplicationService(id=https://dev-myapp.test.com, originalUrl=https://dev-myapp.test.com, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})}]>
2020-06-08 14:33:59,978 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [TST-14-B2SOaEgWgO--EnlevYK-4YqJZAal0C1v] to registry.>
2020-06-08 14:33:59,978 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [TST-5730d71e-9e2d-44b9-aa3e-68ef8171be43] to registry.>
2020-06-08 14:33:59,979 DEBUG [org.pac4j.saml.context.SAML2ContextProvider] - <Creating message store by org.pac4j.saml.store.EmptyStoreFactory>
2020-06-08 14:33:59,979 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [TST-5730d71e-9e2d-44b9-aa3e-68ef8171be43] to registry.>
2020-06-08 14:33:59,980 DEBUG [org.pac4j.saml.sso.impl.SAML2WebSSOMessageSender] - <The identity provider metadata indicates that authn requests may be signed>
2020-06-08 14:34:00,041 INFO [org.pac4j.saml.crypto.DefaultSignatureSigningParametersProvider] - <Created signature signing parameters.
Signature algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Signature canonicalization algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
Signature reference digest methods: http://www.w3.org/2001/04/xmlenc#sha256>
2020-06-08 14:34:00,041 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Initialized Pac4jHTTPRedirectDeflateEncoder>
2020-06-08 14:34:00,041 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Deflating and Base64 encoding SAML message>
2020-06-08 14:34:00,041 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Marshalling message>
2020-06-08 14:34:00,043 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Building URL to redirect client to>
2020-06-08 14:34:00,043 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Generating signature with key type 'RSA', algorithm URI 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' over query string 'q=initiatelogon&SAMLRequest=fVJNc5swEL33VzC6AzK2MWgMHqeZTDOTtjQmPfTiWYvFVgckohXux68vxvEkOdRHrd57%2B3bfLle%2F28Y7oiVldMYmAWceamkqpfcZeyrv%2FISt8g9LgraJOrHu3UE%2F4nOP5Lw1EVo38D4aTX2LdoP2qCQ%2BPT5k7OBcRyIMKzz6FTkYiHwSSNTOQtNTIBvTV9B1AfztLQbStKEEChuzV3olGzUAtxpazDbrzw%2FR9qbYFsY6aJh3O%2FRWGtxo%2BNJm1%2Fnd%2BB9UoA%2Fwi0bF1XOmtHIKHA7CRjPvzliJ4xQZq6EhZN79bca20zqOK6irGY%2FT2ZxDUs8rXu0WuEOOi3SWLNI4idIBTQUQqSO%2B8ol6vNfDjNplLOIR93ns86ScJGI6FfM0SBP%2Bg3mFNc5I09wofd5ub7UwQIrEaVASTorTsCIKuNidQSQ%2BlWXhF183JfO%2BX1KKTikNuWkS51yua3UvjVl%2BjlGMju1pFy2469xTRVV%2BPULFEIpyf5j3Zah%2B66FRtUJ7FmhB4uhGdCBnPwNj9%2B88Xm8Dl1Ni%2BX%2FEluFb7%2FnL8%2F1F5v8A&RelayState=TST-14-B2SOaEgWgO--EnlevYK-4YqJZAal0C1v&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256'>
2020-06-08 14:34:00,052 DEBUG [org.pac4j.saml.transport.Pac4jHTTPRedirectDeflateEncoder] - <Generated digital signature value (base64-encoded) VerBM7451Rp8trxMjMTEK5Y8CWq02GFVCQs6+5iWJlRjzts6xHa9ucAQFh2r6mx3GyCz5vQA+kw9CT6t7qHChX1uV5I28YcTEU46ueD1TJB9swalAl2G/mXMw/ArKvpQ0sNMWHiYeIOUOYwk1bTR+UVqSYOqhM1TZu1XI7jKfgG3/FmhRkxFr3JwK8sPlDJKNXcgvDPzOAB3+fG/ZZ3MfenqE8oZQrarkECn0t/3HADRe299Evdogun1GfYpIgXiqxT88VSBZ3dRyCXvCoM0lQ7TKeWJPhg2CqJNfyBGvkTtZ0GXiePc95WjLuUfPLq/kcgJ1LpBAE83BVLfa7NGfw==>
2020-06-08 14:34:00,052 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Determined final redirect action for client [#SAML2Client# | name: SAML2_TEST_Portal | callbackUrl: https://dev-myappauth.centralus.cloudapp.azure.com/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@21d50f3 | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@175de81e | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@c2e44cd | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@37da909a | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@5f28d45a | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@27cdcab9 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6d8c7b67 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@59bbeaa1 | authorizationGenerators: [] |] as [#HttpAction# | code: 302 |]>
2020-06-08 14:34:00,053 DEBUG [org.apereo.cas.web.DelegatedClientNavigationController] - <Redirecting client [SAML2_TEST_Portal] to [https://TES-portal.test.com/?q=initiatelogon&SAMLRequest=fVJNc5swEL33VzC6AzK2MWgMHqeZTDOTtjQmPfTiWYvFVgckohXux68vxvEkOdRHrd57%2B3bfLle%2F28Y7oiVldMYmAWceamkqpfcZeyrv%2FISt8g9LgraJOrHu3UE%2F4nOP5Lw1EVo38D4aTX2LdoP2qCQ%2TEST5k7OBcRyIMKzz6FTkYiHwSSNTOQtNTIBvTV9B1AfztLQbStKEEChuzV3olGzUAtxpazDbrzw%2FR9qbYFsY6aJh3O%2FRWGtxo%2BNJm1%2Fnd%2BB9UoA%2Fwi0bF1XOmtHIKHA7CRjPvzliJ4xQZq6EhZN79bca20zqOK6irGY%2FT2ZxDUs8rXu0WuEOOi3SWLNI4idIBTQUQqSO%2B8ol6vNfDjNplLOIR93ns86ScJGI6FfM0SBP%2Bg3mFNc5I09wofd5ub7UwQIrEaVASTorTsCIKuNidQSQ%2BlWXhF183JfO%2BX1KKTikNuWkS51yua3UvjVl%2BjlGMju1pFy2469xTRVV%2BPULFEIpyf5j3Zah%2B66FRtUJ7FmhB4uhGdCBnPwNj9%2B88Xm8Dl1Ni%2BX%2FEluFb7%2FnL8%2F1F5v8A&RelayState=TST-14-B2SOaEgWgO--EnlevYK-4YqJZAal0C1v&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=VerBM7451Rp8trxMjMTEK5Y8CWq02GFVCQs6%2B5iWJlRjzts6xHa9ucAQFh2r6mx3GyCz5vQA%2Bkw9CT6t7qHChX1uV5I28YcTEU46ueD1TJB9swalAl2G%2FmXMw%2FArKvpQ0sNMWHiYeIOUOYwk1bTR%2BUVqSYOqhM1TZu1XI7jKfgG3%2FFmhRkxFr3JwK8sPlDJKNXcgvDPzOAB3%2BfG%2FZZ3MfenqE8oZQrarkECn0t%2F3HADRe299Evdogun1GfYpIgXiqxT88VSBZ3dRyCXvCoM0lQ7TKeWJPhg2CqJNfyBGvkTtZ0GXiePc95WjLuUfPLq%2FkcgJ1LpBAE83BVLfa7NGfw%3D%3D] based on identifier [TST-14-B2SOaEgWgO--EnlevYK-4YqJZAal0C1v]>
2020-06-08 14:34:00,972 WARN [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2020-06-08 14:34:00,972 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2020-06-08 14:34:00,972 DEBUG [org.apereo.cas.web.flow.actions.ClearWebflowCredentialAction] - <Current event signaled a failure. Recreating credentials instance from the context>
2020-06-08 14:34:00,972 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client>
2020-06-08 14:34:00,972 DEBUG [org.apereo.cas.web.DelegatedClientWebflowManager] - <Located delegated client identifier for this request as [Optional[https://dev-test.com]]>
2020-06-08 14:34:00,972 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket [https://dev-test.com] could not be found>
2020-06-08 14:34:00,972 ERROR [org.apereo.cas.web.DelegatedClientWebflowManager] - <Delegated client identifier cannot be located in the authentication request [http://dev-myappauth.centralus.cloudapp.azure.com/cas/login?client_name=SAML2_TES_Portal]>
2020-06-08 14:34:00,972 ERROR [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
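The log above shows the two halves of the exchange that the delegated flow depends on: the outbound HTTP-Redirect binding message (DEFLATE + Base64 `SAMLRequest` with `RelayState=TST-14-...`, the delegated authentication request ticket) and the callback, where CAS finds no client identifier in the request parameters, falls back to `RelayState`, reads `https://dev-test.com` from it, and cannot find a ticket by that id. The script below is an added illustration, not CAS or pac4j code: it round-trips a constructed `AuthnRequest` through the HTTP-Redirect encoding and then runs the same kind of RelayState check against constructed callback query strings, so you can compare what was sent with what the IdP returned. The sample XML, ticket ids, hostnames and callback parameters are all made up for the example.

```python
"""Round-trip a SAML2 HTTP-Redirect binding request and check the RelayState
that comes back on the callback against the ticket id that was sent.

Added illustration only (not CAS/pac4j code). All sample values are constructed.
"""
import base64
import zlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, minimal AuthnRequest; hostnames are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2020-06-08T18:34:00Z" '
    'AssertionConsumerServiceURL="https://cas.example.test/cas/login?client_name=SAML2_Example">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://cas.example.test/cas</saml:Issuer></samlp:AuthnRequest>"
)

# SAML bindings spec limits RelayState to 80 bytes; longer values may be dropped
# or rewritten by the IdP.
RELAY_STATE_MAX_BYTES = 80


def encode_redirect_request(xml: str, relay_state: str, sso_url: str) -> str:
    """Build the HTTP-Redirect binding URL: raw DEFLATE, Base64, URL-encode."""
    compressor = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    }
    return f"{sso_url}?{urlencode(params)}"


def decode_redirect_request(url: str) -> Tuple[str, str]:
    """Inverse of encode_redirect_request: returns (xml, relay_state)."""
    query = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, wbits=-15).decode("utf-8")
    return xml, query.get("RelayState", [""])[0]


def returned_relay_state(callback_query: str) -> Optional[str]:
    """RelayState as presented on the callback, or None if the IdP omitted it."""
    params = parse_qs(callback_query, keep_blank_values=True)
    values = params.get("RelayState")
    return values[0] if values else None


def diagnose_callback(callback_query: str, issued_ticket: str) -> str:
    """Classify the callback the way a ticket lookup by RelayState would see it.

    'ok'        RelayState equals the issued ticket id (lookup succeeds)
    'missing'   IdP did not return RelayState at all
    'too-long'  value exceeds the 80-byte binding limit
    'mismatch'  IdP returned a different value (lookup by that id fails)
    """
    returned = returned_relay_state(callback_query)
    if returned is None:
        return "missing: callback carries no RelayState"
    if returned == issued_ticket:
        return "ok"
    if len(returned.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
        return f"too-long: {len(returned.encode('utf-8'))} bytes"
    return f"mismatch: sent {issued_ticket!r}, got {returned!r}"


if __name__ == "__main__":
    ticket = "TST-1-ExampleTicketId"  # constructed ticket id
    redirect = encode_redirect_request(
        SAMPLE_AUTHN_REQUEST, ticket, "https://idp.example.test/sso"
    )
    xml, relay = decode_redirect_request(redirect)
    print("decoded AuthnRequest matches:", xml == SAMPLE_AUTHN_REQUEST)
    print("RelayState sent:", relay)
    # Constructed callbacks: one echoes the ticket, one replaces it with a URL.
    print(diagnose_callback(f"SAMLResponse=cmVzcA%3D%3D&RelayState={ticket}", ticket))
    print(diagnose_callback(
        "SAMLResponse=cmVzcA%3D%3D&RelayState=https%3A%2F%2Fdev-test.com", ticket
    ))
```

Run it against your own traffic by pasting the redirect URL from the `DelegatedClientNavigationController` log line into `decode_redirect_request` and the query string of the callback request into `diagnose_callback` with the `TST-*` id from the `DelegatedClientWebflowManager` line; a `mismatch` result means the value CAS will look up as a ticket id is not the one it stored.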