[uportal-user] Ticket does not match supplied service. The original service was 'https://...' and the supplied service was 'http://...'.

Tom Reijnders
I can't seem to authenticate to my external CAS service.

 - uPortal is deployed using latest uPortal-start (using embedded tomcat)
 - CAS is also latest (in a different container)
 - uPortal is added as a service to CAS
 - Both CAS and uPortal are behind an apache reverse proxy that offloads SSL

I have the following in uPortal.properties:

##
## Portal Server
##
portal.protocol=https
portal.server=<PORTAL URL to reverse proxy>
portal.context=/uPortal

##
## Central Authentication Service (CAS)
##
cas.protocol=https
cas.server=<CAS URL to reverse proxy>
cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
#cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
#cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.server}${portal.context}/CasProxyServlet
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true


I am redirected to CAS (with the correct service) and on successful login, I get this error from uPortal:

Ticket 'xxxxx' does not match supplied service. The original service was 'https://<uportal login url>' and the supplied service was 'http://<uportal login url>'.

Any ideas?

Tom

--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/2c41d91f-2ec1-440e-b362-790a73602d77n%40apereo.org.
Re: [uportal-user] Ticket does not match supplied service. The original service was 'https://...' and the supplied service was 'http://...'.

Julien Gribonvald

Hi,

Are you sure that, when you are redirected to CAS, the service URL provided as a parameter has https? Something like: https://cas.domain.fr/cas/login?service=https://.....

Because it looks like CAS registers the service without https, and it is at this moment of the exchange that the URL is mapped to the ticket.

Otherwise, on my side, my uPortal.properties:

##
## Portal Server
##
#portal.protocol=http
#portal.server=localhost:8080
#portal.context=/uPortal

##
## Central Authentication Service (CAS)
##
#cas.protocol=http
#cas.server=localhost:8080
#cas.context=/cas
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
cas.ticketValidationFilter.ticketValidator.server=${cas.protocol}://${cas.server}${cas.context}
cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl=${portal.protocol}://${portal.lbServerName}${portal.context}${cas.ticketValidationFilter.proxyReceptorUrl}
# depending on CAS version/conf
cas.ticketValidationFilter.encodeServiceUrl=false
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.enabled=true
org.apereo.portal.security.provider.cas.CasAssertionSecurityContextFactory.credentialToken=ticket

org.apereo.portal.security.cas.assertion.copyAttributesToUserAttributes=true



And my global.properties (to share values with portlets):

portal.protocol=https
portal.server=my.domain.fr
# in load-balanced conf we need to be able to request a specific server for proxy CAS
portal.lbServerName=portailX.domaine.fr
portal.context=/portail
# I use a pattern replacement for dynamic domaine as I manage several public servername on same instance
# you can replace that by ${portal.protocol}://${portal.server}${portal.context}
portal.protocol.server.context=${portal.protocol}://_CURRENT_SERVER_NAME_${portal.context}
portal.login.url=${portal.protocol.server.context}/Login


cas.protocol=https
cas.server=cas.domain.fr
cas.context=/cas


In my opinion, you should look at the portal.login.url value that is used by the portlet to connect.

Thanks,

Julien


--
Julien Gribonvald
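
A diagnostic for the mismatch discussed in this thread, as an added example that is not part of any message and is not uPortal or CAS code: it expands the `${...}` placeholders used in the properties above and reports which URL component differs between the configured service and the one quoted in the CAS error. The host name `portal.example.org` is constructed, and the resolver is a simplified stand-in for the portal's own placeholder expansion.

```python
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def load_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, _seen=()):
    """Expand ${name} references recursively; fail on cycles or undefined names."""
    if key in _seen:
        raise ValueError("circular reference: " + " -> ".join(_seen + (key,)))
    if key not in props:
        raise KeyError("undefined property: " + key)
    return PLACEHOLDER.sub(lambda m: resolve(props, m.group(1), _seen + (key,)), props[key])

def service_diff(original, supplied):
    """Name the URL components that differ between the service a ticket was
    issued for and the service supplied at validation."""
    a, b = urlsplit(original), urlsplit(supplied)
    parts = {"scheme": (a.scheme, b.scheme), "host": (a.hostname, b.hostname),
             "port": (a.port, b.port), "path": (a.path, b.path), "query": (a.query, b.query)}
    return {name: pair for name, pair in parts.items() if pair[0] != pair[1]}

# Constructed sample: the thread's uPortal.properties with a made-up host name.
SAMPLE = """
portal.protocol=https
portal.server=portal.example.org
portal.context=/uPortal
cas.ticketValidationFilter.service=${portal.protocol}://${portal.server}${portal.context}/Login
#cas.ticketValidationFilter.proxyReceptorUrl=/CasProxyServlet
"""

def check(properties_text, supplied_service):
    """Compare the configured service URL with the one seen in the CAS error."""
    props = load_properties(properties_text)
    configured = resolve(props, "cas.ticketValidationFilter.service")
    return configured, service_diff(configured, supplied_service)

if __name__ == "__main__":
    configured, diff = check(SAMPLE, "http://portal.example.org/uPortal/Login")
    print("configured service:", configured)
    for name, (want, got) in diff.items():
        print(f"  {name}: configured {want!r}, supplied {got!r}")
```

A difference limited to `scheme` means the two URLs agree on host and path and only the protocol changed between ticket issuance and validation.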

Re: [uportal-user] Ticket does not match supplied service. The original service was 'https://...' and the supplied service was 'http://...'.

Tom Reijnders
Thanks for your answer. Yes, I am sure. The login URL is correct. Although I am surprised that the service url is not encoded although I switched that on. So I am going to double check the settings again and make sure that they are applied.

But, apparently something goes wrong during ticket validation.

I moved some settings to global.properties, but this did not make any difference.

Re: [uportal-user] Ticket does not match supplied service. The original service was 'https://...' and the supplied service was 'http://...'.

Benito Gonzalez-2
Great!

On Thu, Nov 26, 2020 at 1:18 AM Tom Reijnders <[hidden email]> wrote:
I've got it working now, using proxy authentication. In the end, the issues that I had were caused by a firewall that is not able to redirect an external IP address from an internal server to a different internal server, so I had to use the internal domain name for the cas.ticketValidationFilter.ticketValidator.proxyCallbackUrl and everything started working.
