Re: Ticket does not match supplied service. The original service was 'https://...' and the supplied service was 'http://...'.


Julien Gribonvald

You should also debug your CAS, maybe the problem is there ;)

The serviceURL encoding depends on your CAS version/settings. It won't validate the service URL in the wrong case.

Julien

On 13/11/2020 at 11:34, Tom Reijnders wrote:
Thanks for your answer. Yes, I am sure. The login URL is correct. Although I am surprised that the service url is not encoded although I switched that on. So I am going to double check the settings again and make sure that they are applied.

But, apparently something goes wrong during ticket validation.

I moved some settings to global.properties, but this did not make any difference.

On Fri, Nov 13, 2020 at 10:25 AM Julien Gribonvald <[hidden email]> wrote:

Hi,

Are you sure that, when you are redirected to CAS, the service URL provided as a parameter has https? Something like: https://cas.domain.fr/cas/login?service=https://.....

Because it's as if CAS registers the service without https, and it's at this moment of the exchange that the URL is mapped to the ticket.

Else on my side my uPortal.properties:

##
## Portal Server
##
#portal.protocol=http
#portal.server=localhost:8080
#portal.context=/uPortal

##
## Central Authentication Service (CAS)
##
#cas.protocol=http
#cas.server=localhost:8080
#cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.lbServerName}${portal.context}${cas.ticketValidationFilter.proxyReceptorUrl}
# depending on CAS version/conf
cas.ticketValidationFilter.encodeServiceUrl=false
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.credentialToken=ticket

org.apereo.portal.security.cas.assertion.copyAttributesToUserAttributes=true



And my global.properties (to share values with portlets):

portal.protocol=https
portal.server=my.domain.fr
# in load-balanced conf we need to be able to request a specific server for proxy CAS
portal.lbServerName=portailX.domaine.fr
portal.context=/portail
# I use a pattern replacement for a dynamic domain as I manage several public server names on the same instance
# you can replace that by ${portal.protocol}://${portal.server}${portal.context}
portal.protocol.server.context=${portal.protocol}://_CURRENT_SERVER_NAME_${portal.context}
portal.login.url=${portal.protocol.server.context}/Login


cas.protocol=https
cas.server=cas.domain.fr
cas.context=/cas


In my mind you should watch the portal.login.url value that is used by the portlet to connect.

Thanks,

Julien


On 13/11/2020 at 09:30, Tom Reijnders wrote:
I can't seem to authenticate to my external CAS service.

 - uPortal is deployed using latest uPortal-start (using embedded tomcat)
 - CAS is also latest (in a different container)
 - uPortal is added as a service to CAS
 - Both CAS and uPortal are behind an apache reverse proxy that offloads SSL

I have the following in uPortal.properties:

##
## Portal Server
##
portal.protocol=https
portal.server=<PORTAL URL to reverse proxy>
portal.context=/uPortal

##
## Central Authentication Service (CAS)
##
cas.protocol=https
cas.server=<CAS URL to reverse proxy>
cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
#cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
#cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.server}${portal.context}/CasProxyServlet
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true


I am redirected to CAS (with the correct service) and on successful login, I get this error from uPortal:

Ticket 'xxxxx' does not match supplied service. The original service was 'https://<uportal login url>' and the supplied service was 'http://<uportal login url>'.

Any ideas?

Tom
--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/2c41d91f-2ec1-440e-b362-790a73602d77n%40apereo.org.
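
Added example (not from the thread or the uPortal project): a small check of the comparison Julien describes, the service URL in the CAS login redirect against the value that `cas.ticketValidationFilter.service` resolves to. The `example.org` hostnames and the function names are constructed, and the `${...}` expansion is a simplified stand-in for uPortal's own property resolution.

```python
import re
from urllib.parse import parse_qs, urlsplit

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def load_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, seen=()):
    """Expand ${name} references recursively; reject unknown or cyclic names."""
    if key in seen:
        raise ValueError(f"cyclic placeholder: {key}")
    if key not in props:
        raise KeyError(f"undefined property: {key}")
    return PLACEHOLDER.sub(
        lambda m: resolve(props, m.group(1), seen + (key,)), props[key])

def check_service(props, login_redirect):
    """List differences between the service CAS saw at login and the
    service the portal is configured to send at ticket validation."""
    issued = urlsplit(parse_qs(urlsplit(login_redirect).query)["service"][0])
    sent = urlsplit(resolve(props, "cas.ticketValidationFilter.service"))
    parts = (("scheme", issued.scheme, sent.scheme),
             ("host", issued.netloc.lower(), sent.netloc.lower()),
             ("path", issued.path, sent.path))
    return [f"{name}: {a} (login) vs {b} (validation)"
            for name, a, b in parts if a != b]

# Constructed sample values; example.org hostnames are placeholders.
GOOD = """
portal.protocol=https
portal.server=portal.example.org
portal.context=/uPortal
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
"""
BAD = GOOD.replace("portal.protocol=https", "portal.protocol=http")
REDIRECT = ("https://cas.example.org/cas/login"
            "?service=https%3A%2F%2Fportal.example.org%2FuPortal%2FLogin")

if __name__ == "__main__":
    for label, text in (("https config", GOOD), ("http config", BAD)):
        print(label, check_service(load_properties(text), REDIRECT) or "match")
```

The check covers only the configured value; a service URL that differs for another reason at validation time will not show up here.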

Tom Reijnders
Is proxy authentication needed? The 6.2.x documentation recommends not using it. The ticket issue is resolved now, but I still have issues with authentication. The proxy callback is not permitted (I have configured the service in CAS to allow proxy authentication, but it still does not work). I just wondered, seeing the warning, if there is an alternative.

Tom


Tom Reijnders
I've got it working now, using proxy authentication. In the end, the issues that I had were caused by a firewall that is not able to redirect an external IP address from an internal server to a different internal server, so I had to use the internal domain name for the cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl and everything started working.
