You should also debug your CAS, maybe the problem is there ;)
The serviceURL encoding depends on your CAS version/settings. It won't validate the service URL in the wrong case.
Julien
On 13/11/2020 at 11:34, Tom Reijnders wrote:
Thanks for your answer. Yes, I am sure. The login URL is correct. I am surprised, though, that the service url is not encoded although I switched that on. So I am going to double check the settings again and make sure that they are applied.
But, apparently something goes wrong during ticket validation.
I moved some settings to global.properties, but this did not make any difference.
On Fri, Nov 13, 2020 at 10:25 AM Julien Gribonvald <[hidden email]> wrote:
Hi,
Are you sure that when you are redirected to CAS the service url provided as parameter has https? Something like: https://cas.domain.fr/cas/login?service=https://.....
Because it looks like CAS registers the service without https, and it's at this moment of the exchange that the url is mapped to the ticket.
Otherwise, on my side, my uPortal.properties:
##
## Portal Server
##
#portal.protocol=http
#portal.server=localhost:8080
#portal.context=/uPortal
##
## Central Authentication Service (CAS)
##
#cas.protocol=http
#cas.server=localhost:8080
#cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.lbServerName}${portal.context}${cas.ticketValidationFilter.proxyReceptorUrl}
# depending on CAS version/conf
cas.ticketValidationFilter.encodeServiceUrl=false
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.credentialToken=ticket
org.apereo.portal.security.cas.assertion.copyAttributesToUserAttributes=true
And my global.properties (to share values with portlets):
portal.protocol=https
portal.server=my.domain.fr
# in load-balanced conf we need to be able to request a specific server for proxy CAS
portal.lbServerName=portailX.domaine.fr
portal.context=/portail
# I use a pattern replacement for dynamic domain as I manage several public servernames on the same instance
# you can replace that by ${portal.protocol}://${portal.server}${portal.context}
portal.protocol.server.context=${portal.protocol}://_CURRENT_SERVER_NAME_${portal.context}
portal.login.url=${portal.protocol.server.context}/Login
cas.protocol=https
cas.server=cas.domain.fr
cas.context=/cas
In my mind you should look at the portal.login.url value that is used by the portlet to connect.
Thanks,
Julien
On 13/11/2020 at 09:30, Tom Reijnders wrote:
I can't seem to authenticate to my external CAS service.
- uPortal is deployed using latest uPortal-start (using embedded tomcat)
- CAS is also latest (in a different container)
- uPortal is added as a service to CAS
- Both CAS and uPortal are behind an apache reverse proxy that offloads SSL
I have the following in uPortal.properties:
##
## Portal Server
##
portal.protocol=https
portal.server=<PORTAL URL to reverse proxy>
portal.context=/uPortal
##
## Central Authentication Service (CAS)
##
cas.protocol=https
cas.server=<CAS URL to reverse proxy>
cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
#cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
#cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.server}${portal.context}/CasProxyServlet
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true
I am redirected to CAS (with the correct service) and on successful login, I get this error from uPortal:
Ticket 'xxxxx' does not match supplied service. The original service was 'https://<uportal login url>' and the supplied service was 'http://<uportal login url>'.
Any ideas?
Tom
--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/2c41d91f-2ec1-440e-b362-790a73602d77n%40apereo.org.
--
Julien Gribonvald
--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/519108a4-214c-1f34-e2ee-01516d47829f%40recia.fr.
--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/CAEKnHSRZSiGZatDtbJS9ZK07jhd%3DrY5phufsw7UnJpXaJ0fbFA%40mail.gmail.com.
--
Julien Gribonvald
--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/b25f3744-2043-174c-ebb0-2ec84bdc222c%40recia.fr.
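The mismatch Tom reports, as an added illustrative model that is not uPortal's or the CAS client's own code: the proxy terminates TLS, the backend sees a plain http request, and whether the service presented at ticket validation matches the one bound at login depends on whether the client-facing scheme is recovered. The hostnames, the X-Forwarded-Proto header and the request structure are assumptions.

```python
# Illustrative model (not uPortal or CAS client code) of the service-URL
# mismatch that appears when TLS is offloaded at a reverse proxy.
from urllib.parse import parse_qs, quote, urlsplit


def login_redirect(cas_login_url, service, encode_service_url):
    """Build the redirect to CAS. With encodeServiceUrl the service parameter
    is percent-encoded; a server that decodes the query string binds the same
    value either way (the thread notes real CAS behaviour varies by version)."""
    param = quote(service, safe="") if encode_service_url else service
    return f"{cas_login_url}?service={param}"


def registered_service(redirect_url):
    """Service value CAS binds to the ticket: the decoded 'service' parameter."""
    return parse_qs(urlsplit(redirect_url).query)["service"][0]


def backend_service_url(request, context, trust_forwarded=False):
    """Rebuild the service URL from the request as the backend sees it. With
    SSL offloading the backend request is plain http; only X-Forwarded-Proto
    (assumed to be set by the proxy) still carries the client-facing scheme."""
    scheme = request["scheme"]
    if trust_forwarded:
        scheme = request["headers"].get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{request['headers']['Host']}{context}/Login"


def validate_ticket(original_service, supplied_service):
    """Server-side check: the service bound at login must equal the service
    presented with the ticket at validation. Returns the error text or None."""
    if original_service != supplied_service:
        return ("Ticket does not match supplied service. The original service was "
                f"'{original_service}' and the supplied service was '{supplied_service}'.")
    return None


# Constructed sample: portal.example.org is a placeholder host; TLS is terminated
# at the proxy, so the backend sees scheme http plus the forwarded header.
SERVICE = "https://portal.example.org/uPortal/Login"
REQUEST = {"scheme": "http",
           "headers": {"Host": "portal.example.org", "X-Forwarded-Proto": "https"}}

if __name__ == "__main__":
    bound = registered_service(login_redirect("https://cas.example.org/cas/login", SERVICE, True))
    print(validate_ticket(bound, backend_service_url(REQUEST, "/uPortal")))        # mismatch
    print(validate_ticket(bound, backend_service_url(REQUEST, "/uPortal", True)))  # None
```

The first call reproduces the http-versus-https error from the thread; the second shows that once the backend derives the scheme from the proxy (or, as in the posted properties, from a fixed portal.protocol=https) the two service strings agree.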