Wso2 Identity Server: identity-inbound-auth-cas


Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Al Nagdy

Greetings Team,

I would like to express that I am really grateful for the work you guys put in for the open source community.

I have one small comment/issue regarding "identity-inbound-auth-cas"; I will try to describe my issue and how I want to solve it.


Thanks a lot

Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Shakila Sivagnanarajah
[Forwarding to dev]

---------- Forwarded message ---------
From: Mohammed Yousef M. Alnajdi <[hidden email]>
Date: Tue, Feb 5, 2019 at 3:31 PM
Subject: Wso2 Identity Server: identity-inbound-auth-cas
To: [hidden email] <[hidden email]>
Cc: [hidden email] <[hidden email]>



Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Kanapriya
Hi Mohammed Yousef,

Actually, the CAS service URL is the identifier of the application that the client is trying to access. In almost all cases this will be the URL of the application (https://[server-address]/cas-client-webapp/), and the server-address should always point to the location where this sample application (cas-client-webapp) is deployed.

If I understood you correctly, you are setting Service Url: https://test.kfupm.edu.sa in the service provider configuration and trying to access that service using some other URL, say https://test.kfupm.edu.sa/en/?next=/details, and you end up with a 500 internal server error.

If that is so, the reason for this error is: when we process the login response we get the serviceUrlFromRequest [1] (i.e. https://test.kfupm.edu.sa/en/?next=/details), and with this URL the service provider details are retrieved [2]. Since you have not registered the service provider with the service URL https://test.kfupm.edu.sa/en/?next=/details, it returns the default service provider configuration. That causes the issue here.

As a workaround, you may extend the source code [3] and pass the exact base URL of the service instead of getting the service URL from the request; then, hopefully, it will give the exact service provider configuration.


Thanks,
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail: - [hidden email]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc. 
lean. enterprise. middleware 



On Wed, Feb 6, 2019 at 3:47 PM Shakila Sasikaran <[hidden email]> wrote:

Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Al Nagdy
Thanks a lot for your reply. I actually did try to extend the source code before I posted this question. I just want to be guided in applying the fix and hopefully submit a PR.

On Fri, Feb 8, 2019 at 2:14 PM Kanapriya Kuleswararajan <[hidden email]> wrote:

Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Yousef M. Alnajdi
In reply to this post by Kanapriya

Greetings,


Thanks for your answer.


Here is the fix I did based on your comment:

Within the file SSOLoginProcessor.java I made this change:

// Imports needed at the top of SSOLoginProcessor.java for the URL parsing below.
import java.net.MalformedURLException;
import java.net.URL;

String serviceUrlFromRequest = casMessageContext.getServiceURL();
String base;
try {
    URL url = new URL(serviceUrlFromRequest);
    // Reduce the service URL to scheme + host (plus an explicit port, if any) so that
    // the service provider lookup is not affected by the path or the "next" query parameter.
    base = url.getProtocol() + "://" + url.getHost()
            + (url.getPort() == -1 ? "" : ":" + url.getPort());
} catch (MalformedURLException e) {
    // Fail here instead of continuing with a null URL, which would throw a
    // NullPointerException on the next line.
    throw new IllegalArgumentException("Malformed CAS service URL: " + serviceUrlFromRequest, e);
}
// Temporary debug output (logged at ERROR level so that it shows up in the default log).
log.error(serviceUrlFromRequest);
log.error(base);
AuthenticationResult authnResult = processResponseFromFrameworkLogin(casMessageContext, identityRequest);
String acsURL = CASSSOUtil.getAcsUrl(base, casMessageContext.getRequest().getTenantDomain());

I deployed this and tried to log in with my application; I now get the correct URL, but it is not able to process it. Here is the log.


TID: [-1234] [] [2019-02-10 08:50:13,101] ERROR {org.wso2.carbon.identity.sso.cas.processor.SSOLoginProcessor} -  https://test.kfupm.edu.sa/en/login/?next=/en/ 
TID: [-1234] [] [2019-02-10 08:50:13,103] ERROR {org.wso2.carbon.identity.sso.cas.processor.SSOLoginProcessor} -  https://imsva91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2ftest.kfupm.edu.sa&umid=1D3EF014-8183-E105-B82C-CEC3FC47E5C0&auth=ec34f7633709e8bd85e48c7fc0c92c09c079e558-a3cb3eea7c1e6afb757c20066ce8e75a24dc0ed3
TID: [-1234] [] [2019-02-10 08:50:13,103] ERROR {org.wso2.carbon.identity.sso.cas.util.CASSSOUtil} -  https://imsva91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2ftest.kfupm.edu.sa&umid=1D3EF014-8183-E105-B82C-CEC3FC47E5C0&auth=ec34f7633709e8bd85e48c7fc0c92c09c079e558-a3cb3eea7c1e6afb757c20066ce8e75a24dc0ed3


and the URL of the site after login is "https://test.kfupm.edu.sa/en/?ticket=ST-4790bbcb218b4bf88e0a3b87dc824757-login-3.test.kfupm.edu.sa"


Now I believe that all of this processing should happen while building the request, not at the response. On that note, when I click "login" in my application and get the SSO login page, I should see in the URL

sp=test.kfupm.edu.sa, not sp=default.


I am not sure if you see the limitation here, but I will explain it once more.

My application is accessible without logging in, but when you reach some pages within the application that require login, they get redirected with a query parameter called "next" which holds where to go back to after authentication. This is the issue: I can't rely on a static URL that has to match exactly. It should be more than enough to match the service URL that is defined in the SP, which is the base URL of this application, i.e. "https://test.kfupm.edu.sa".


Kindly let me know if there is any way you can guide me to fix this.



Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Friday, February 8, 2019 2:14 PM
To: Shakila Sasikaran
Cc: WSO2 Developers' List; Mohammed Yousef M. Alnajdi; [hidden email]
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
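Both Kanapriya's explanation (the service provider is looked up by the exact service URL taken from the request) and the fix in the post above (reduce that URL to scheme and host before the lookup) come down to one question: does the request's service URL belong to the registered service? The following is an added example, not code from identity-inbound-auth-cas or from either poster, of answering that question by comparing origin (scheme, host and effective port) and path prefix instead of exact string equality or a plain string startsWith. The `next` query parameter then no longer affects the lookup, while a service URL on another host, one carrying a userinfo prefix, or one whose host merely begins with the registered host is still rejected. The class and method names are assumptions; the registered URL and the sample inputs marked as coming from the thread are taken from it, the others are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical helper (not part of identity-inbound-auth-cas): decides whether a
 * CAS service URL taken from a request belongs to the service URL registered for
 * a service provider, by origin and path prefix rather than exact string equality.
 */
public final class CasServiceUrlMatcher {

    private CasServiceUrlMatcher() {
    }

    /** scheme://host:port with the default port filled in, or null if unparseable or without a host. */
    static String origin(String serviceUrl) {
        URI uri;
        try {
            uri = new URI(serviceUrl);
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();          // null for relative URLs and for hosts the parser rejects
        if (scheme == null || host == null) {
            return null;
        }
        scheme = scheme.toLowerCase();
        int port = uri.getPort();             // -1 when the URL carries no explicit port
        if (port == -1) {
            if ("https".equals(scheme)) {
                port = 443;
            } else if ("http".equals(scheme)) {
                port = 80;
            }
        }
        return scheme + "://" + host.toLowerCase() + (port == -1 ? "" : ":" + port);
    }

    /** The URL's path with a trailing slash, so prefix checks only succeed on a segment boundary. */
    static String directoryPath(String serviceUrl) {
        String path;
        try {
            path = new URI(serviceUrl).getPath();
        } catch (URISyntaxException e) {
            return null;
        }
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        return path.endsWith("/") ? path : path + "/";
    }

    /**
     * True when both URLs share an origin and the request path lies under the registered
     * path. The query string (for example "?next=/en/") is deliberately not compared.
     */
    public static boolean belongsToRegisteredService(String registeredServiceUrl, String serviceUrlFromRequest) {
        String registeredOrigin = origin(registeredServiceUrl);
        String requestOrigin = origin(serviceUrlFromRequest);
        if (registeredOrigin == null || !registeredOrigin.equals(requestOrigin)) {
            return false;
        }
        String registeredPath = directoryPath(registeredServiceUrl);
        String requestPath = directoryPath(serviceUrlFromRequest);
        return registeredPath != null && requestPath != null && requestPath.startsWith(registeredPath);
    }

    public static void main(String[] args) {
        // Registered in the service provider configuration, as in the thread.
        String registered = "https://test.kfupm.edu.sa";
        List<String> samples = Arrays.asList(
                // From the thread's log: same origin, deeper path, "next" query parameter.
                "https://test.kfupm.edu.sa/en/login/?next=/en/",
                // Constructed from the thread's example, with the default port made explicit: same origin.
                "https://test.kfupm.edu.sa:443/en/?next=/details",
                // From the thread's log (a link rewritten by a mail gateway): different host.
                "https://imsva91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2ftest.kfupm.edu.sa",
                // Constructed: a plain startsWith on the string would accept this host.
                "https://test.kfupm.edu.sa.example.net/en/",
                // Constructed: userinfo prefix; the parsed host is example.net.
                "https://test.kfupm.edu.sa@example.net/en/",
                // Constructed: scheme downgrade, so a different origin.
                "http://test.kfupm.edu.sa/en/",
                // Constructed: unparseable input must be rejected, not throw.
                "not a url");
        for (String serviceUrl : samples) {
            System.out.printf("%-105s -> %b%n", serviceUrl, belongsToRegisteredService(registered, serviceUrl));
        }
    }
}
```

Compile and run with `javac CasServiceUrlMatcher.java && java CasServiceUrlMatcher`. Keeping the effective port in the comparison matters because a service registered as https://host:8443 would otherwise never match, and comparing by parsed origin rather than by string prefix matters because the lookalike-host and userinfo inputs would otherwise be accepted and handed the registered service provider's configuration.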

Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Al Nagdy

On Sun, Feb 10, 2019 at 8:58 AM Mohammed Yousef M. Alnajdi <[hidden email]> wrote:


Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Yousef M. Alnajdi

I really hope I get some faster feedback, guys q.q.




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Mohammed Al Nagdy <[hidden email]>
Sent: Monday, February 11, 2019 5:42 PM
To: Mohammed Yousef M. Alnajdi
Cc: Kanapriya Kuleswararajan; Shakila Sasikaran; WSO2 Developers' List
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 

Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Kanapriya
Hi Mohammed,

In our existing authenticator, we only support a static service URL (which is configured in the SP configuration) and run the flow (generating the ST and the CASTGC cookie) based on that service URL upon successful authentication. I have attached the flow diagram [1], which depicts the flow of the existing authenticator.
But in your case you mentioned that you can't rely on a static URL, as you want to switch to some other pages inside your application, and those pages only need the login to access the resource based on some query params (next). Could you please attach your flow diagram with a detailed explanation, the error log and the fix that you have done (maybe you can share the code via your git link), so that we can get a better understanding of your requirement?

[1]

cas-3-web-flow-first-access.png

Thanks,
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail : - [hidden email]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc. 
lean . enterprise . middleware 



On Tue, Feb 12, 2019 at 10:25 PM Mohammed Yousef M. Alnajdi <[hidden email]> wrote:

I really hope i get some faster feed back guys q.q.




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Mohammed Al Nagdy <[hidden email]>
Sent: Monday, February 11, 2019 5:42 PM
To: Mohammed Yousef M. Alnajdi
Cc: Kanapriya Kuleswararajan; Shakila Sasikaran; WSO2 Developers' List
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
تحذير: هذه الرسالة مرسلة من خارج الجامعة. لا تفتح أي مرفق أو رابط ما لم تكن متأكداً من أنه آمن
Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.
____________________________________________________________

Greeting, 


Thanks for your answer. 


Here is the fix i did based on your comment:

within the file SSOLoginProcessor.java i did this fix

String serviceUrlFromRequest = casMessageContext.getServiceURL();
URL url = null;
try {
url = new URL(serviceUrlFromRequest);
} catch (MalformedURLException e) {
e.printStackTrace();
}
String base = url.getProtocol() + "://" + url.getHost();
log.error(serviceUrlFromRequest);
log.error(base);
AuthenticationResult authnResult = processResponseFromFrameworkLogin(casMessageContext, identityRequest);
String acsURL = CASSSOUtil.getAcsUrl(base, casMessageContext.getRequest().getTenantDomain());

I deployed this and tried to log in with my application. I get the correct URL now, but it's not able to process it; here is the log.


TID: [-1234] [] [2019-02-10 08:50:13,101] ERROR {org.wso2.carbon.identity.sso.cas.processor.SSOLoginProcessor} -  https://test.kfupm.edu.sa/en/login/?next=/en/ 


and the URL of the site after login is this: "https://test.kfupm.edu.sa/en/?ticket=ST-4790bbcb218b4bf88e0a3b87dc824757-login-3.test.kfupm.edu.sa"


Now I believe that all of this processing should happen while building the request, not at the response. On that note, when I click on "login" in my application and I get the SSO login page, I should see sp=test.kfupm.edu.sa in the URL, not sp=default.


I am not sure if you see the limitation here, but I will explain it once more.

My application is accessible without logging in, but when you reach certain pages within the application that require login, they get redirected with a query parameter called "next", which holds where to go back to after the authentication. This is what makes the issue: I can't rely on a static URL that it has to match. It should be more than enough to match the service URL that is defined in the SP, which is the base URL of this application, aka "https://test.kfupm.edu.sa".


Kindly let me know if there is any way you can guide me to fix this.



Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Friday, February 8, 2019 2:14 PM
To: Shakila Sasikaran
Cc: WSO2 Developers' List; Mohammed Yousef M. Alnajdi; [hidden email]
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
Hi Mohammed Yousef,

Actually, the CAS service URL is the identifier of the application that the client is trying to access. In almost all cases, this will be the URL of the application (https://[server-address]/cas-client-webapp/), and the server-address should always point to the location where this sample application (cas-client-webapp) is deployed.

If I understood you correctly, you are setting Service Url: https://test.kfupm.edu.sa in the service provider configuration and trying to access that service using some other URL, say https://test.kfupm.edu.sa/en/?next=/details, and you end up with a 500 internal server error.

If that is so, the reason for this error is: when we are processing the login response we get the serviceUrlFromRequest [1] (i.e. https://test.kfupm.edu.sa/en/?next=/details), and with this URL the service provider details get retrieved [2]. Since you are not registering the service provider with the service URL https://test.kfupm.edu.sa/en/?next=/details, it returns the default service provider configurations. That causes the issue here.

As a workaround, you may extend the source code [3] and pass the exact base URL of the service instead of getting the service URL from the request; then, hopefully, it will give the exact service provider configurations.


Thanks,
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail: - [hidden email]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc. 
lean. enterprise. middleware 




Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Yousef M. Alnajdi

Greetings,


Thanks a lot for the quick reply.

You can find my changes here [1].


For my requirements, I will explain them in detail.

General idea about our projects in the university: we have 2 types of sites, [fully protected sites] and [partially protected sites]. I will talk about the second type.

  1. User opens the site https://test.kfupm.edu.sa/ and they will get redirected to https://test.kfupm.edu.sa/en/
  2. Users can navigate through the site and access it fully, but some content will only be shown if the user is logged in.
  3. User clicks on the login button, which is https://test.kfupm.edu.sa/login/; this URL is CAS protected.
  4. Now here is where the issue starts: the query parameter "Next" implies that after a successful login, go back to the URL specified in the "Next" query parameter.
  5. The URL will look like this: https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/, so after logging in, send me back to https://test.kfupm.edu.sa/en/user/details/101010/
  6. Since the authenticator only accepts a static URL, this would never work, since the ?next=<value> is changing all the time.
  7. What I want to be able to do is for the authenticator to only check the base URL of whatever is passed. Example: if I try to go to this URL https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/
    The https://cas.example.com/identity/cas/login?service=https://test.kfupm.edu.sa not https://cas.example.com/identity/cas/login?service=https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/
  8. I have added a picture of the same flow diagram; the only difference is the starting URL, otherwise everything should be the same. Meaning I don't care what other resources I am
    having in my application, /login/ or /detail/ or whatever, as long as I can validate if there is a service based on the base URL of the site.


I hope this is detailed enough; if not, please let me know and I will respond again.


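As an added example (not code from the identity-inbound-auth-cas project or from either participant in this thread), the following Python sketch shows the two service-URL lookups under discussion side by side: the exact match that Kanapriya's Feb 8 reply describes (the full request URL is used to fetch the SP and falls back to `default`) and the origin-based match Mohammed asks for in his numbered flow, where path and `?next=...` are ignored but scheme, host and port must agree. It also shows the string-prefix shortcut a practitioner should avoid, and that the service ticket still goes back onto the original service URL so `next` survives. `SP_REGISTRY`, the SP names, the `ST-placeholder` ticket and all function names are constructed stand-ins, not the project's API.

```python
"""CAS-style service provider (SP) resolution from the `service` URL: exact vs. origin match.

Added example, not code from WSO2 identity-inbound-auth-cas. SP_REGISTRY is a constructed
stand-in for the service provider configuration discussed in the thread.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed registry: registered service URL -> SP name.
SP_REGISTRY = {
    "https://test.kfupm.edu.sa": "test.kfupm.edu.sa",
    "https://cas-client.example.org:8443/cas-client-webapp/": "cas-client-webapp",
}


def origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port]: lower-case host, default port dropped, whitespace stripped.

    Raises ValueError for anything that is not an absolute http(s) URL with a host, so a
    malformed `service` value fails closed instead of matching something by accident.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed service URL: {url!r}")
    port = parts.port  # None when absent; raises ValueError if not numeric
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def resolve_sp_exact(service_url: str) -> str:
    """Behaviour described in the thread: the full request URL must equal a registered URL."""
    return SP_REGISTRY.get(service_url, "default")


def resolve_sp_by_prefix(service_url: str) -> str:
    """Tempting shortcut (string prefix). Included only to show why it is not a safe match rule."""
    for registered, sp in SP_REGISTRY.items():
        if service_url.startswith(registered):
            return sp
    return "default"


def resolve_sp_by_origin(service_url: str) -> str:
    """Origin-based match: path and query (e.g. ?next=...) are ignored; scheme/host/port must agree."""
    try:
        wanted = origin(service_url)
    except ValueError:
        return "default"
    for registered, sp in SP_REGISTRY.items():
        if origin(registered) == wanted:
            return sp
    return "default"


def build_post_login_redirect(service_url: str, ticket: str) -> str:
    """Append the service ticket to the *original* service URL so ?next=... survives the round trip."""
    parts = urlsplit(service_url)
    query = f"{parts.query}&ticket={ticket}" if parts.query else f"ticket={ticket}"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    request_url = "https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/"
    lookalike = "https://test.kfupm.edu.sa.other.example/login/"   # constructed, not a real host
    print("exact  :", resolve_sp_exact(request_url))          # default (the failure in the thread)
    print("prefix :", resolve_sp_by_prefix(lookalike))        # wrongly returns test.kfupm.edu.sa
    print("origin :", resolve_sp_by_origin(request_url))      # test.kfupm.edu.sa
    print("origin :", resolve_sp_by_origin(lookalike))        # default
    print("redirect:", build_post_login_redirect(request_url, "ST-placeholder"))
```

The origin rule is what makes the `?next=` flow work without registering every page, while still rejecting a different scheme, a different port, or a host that merely begins with the registered one; comparing on the parsed host rather than the raw string is the check that the prefix version lacks. Note that the ticket is appended to the full request URL, which matches the post-login URL quoted earlier in the thread, so the CAS client must validate the ticket against that same `service` value.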

Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Yousef M. Alnajdi

Greetings, I have responded with the requested feedback; I hope it's what you needed.




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.


Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Kanapriya
Hi Mohammed,

So you are invoking one of the services from https://test.kfupm.edu.sa, and this is the actual CAS-protected service you are expecting to work with. Hence, to fix this, I hope you should pass that service URL (https://test.kfupm.edu.sa) instead of the URL which is obtained from the request. And you should register the service provider with this service URL (https://test.kfupm.edu.sa) and make sure there are no white spaces in the URL.

As I looked into the fix [2], once the user is redirected to https://test.kfupm.edu.sa/en/ from https://test.kfupm.edu.sa/ based on the Next query param, your base URL will change to "https://test.kfupm.edu.sa/en/ ", which is not exactly the service URL that you used in the service provider configurations.

To check this, can you just hardcode the value (https://test.kfupm.edu.sa) in [1], the same as the URL which you used to register in the service provider configurations, and check whether you are able to see the following:





I hope this is detailed enough; if not, please let me know and I will respond again.


From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Wednesday, February 13, 2019 8:51 AM
To: Mohammed Yousef M. Alnajdi
Cc: WSO2 Developers' List; Shakila Sasikaran; Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
Warning: This message was sent from outside the university. Do not open any attachment or link unless you are sure it is safe.
Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.
____________________________________________________________
Hi Mohammed,

In our existing authenticator, we are only supporting a static service URL (which is configured in the SP configurations) and running the flow (generating the ST and the CASTGC cookie) based on that service URL upon successful authentication. I have attached the flow diagram [1] which depicts the flow of the existing authenticator.
But, in your case, you mentioned that you can't rely on a static URL as you want to switch to some other pages inside your application, and those pages only need the login to access the resource based on some query params (next). Could you please attach your flow diagram with a detailed explanation, the error log and the fix that you have done (maybe you can share the code with your git link), so that we can get a better understanding of your requirement?

[1]

cas-3-web-flow-first-access.png

Thanks,
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail : - [hidden email]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc. 
lean . enterprise . middleware 



On Tue, Feb 12, 2019 at 10:25 PM Mohammed Yousef M. Alnajdi <[hidden email]> wrote:

I really hope I get some faster feedback guys q.q.




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Mohammed Al Nagdy <[hidden email]>
Sent: Monday, February 11, 2019 5:42 PM
To: Mohammed Yousef M. Alnajdi
Cc: Kanapriya Kuleswararajan; Shakila Sasikaran; WSO2 Developers' List
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 

Greeting, 


Thanks for your answer. 


Here is the fix I did based on your comment:

Within the file SSOLoginProcessor.java I did this fix:

import java.net.MalformedURLException;
import java.net.URL;

// Reduce the service URL that arrived with the request to its origin (scheme://host[:port]),
// so that the service provider lookup uses the same value that was registered in the SP configuration.
String serviceUrlFromRequest = casMessageContext.getServiceURL();
URL url;
try {
    url = new URL(serviceUrlFromRequest);
} catch (MalformedURLException e) {
    // Stop here instead of continuing with a null url, which would throw a NullPointerException below.
    throw new IllegalArgumentException("Invalid CAS service URL: " + serviceUrlFromRequest, e);
}
// Keep an explicit port, otherwise a registered URL such as https://host:8443 would never match.
String base = url.getProtocol() + "://" + url.getHost()
        + (url.getPort() == -1 ? "" : ":" + url.getPort());
// Temporary diagnostics: log the request URL and the derived base URL (they appear as ERROR in the log below).
log.error(serviceUrlFromRequest);
log.error(base);
AuthenticationResult authnResult = processResponseFromFrameworkLogin(casMessageContext, identityRequest);
String acsURL = CASSSOUtil.getAcsUrl(base, casMessageContext.getRequest().getTenantDomain());

I deployed this and tried to log in with my application; I get the correct URL now, but it's not able to process it. Here is the log:


TID: [-1234] [] [2019-02-10 08:50:13,101] ERROR {org.wso2.carbon.identity.sso.cas.processor.SSOLoginProcessor} -  https://test.kfupm.edu.sa/en/login/?next=/en/ 


And the URL of the site after login is this: "https://test.kfupm.edu.sa/en/?ticket=ST-4790bbcb218b4bf88e0a3b87dc824757-login-3.test.kfupm.edu.sa"


Now I believe that all of this processing should happen while building the request, not at the response. On that note, when I click on "login" in my application and I get the SSO login page, I should see in the URL

sp=test.kfupm.edu.sa not sp=default.


I am not sure if you see the limitation here, but I will explain it once more.

My application is accessible without logging in, but when you reach some pages within the application they require login, so they get redirected with a query parameter called "next" which holds where to go back to after the authentication. This makes the issue: I can't rely on a static URL that it has to match. It should be more than enough to match the service URL that is defined in the SP, which is the base URL of this application, aka "https://test.kfupm.edu.sa".


Kindly let me know if there is any way you can guide me to fix this.





Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Friday, February 8, 2019 2:14 PM
To: Shakila Sasikaran
Cc: WSO2 Developers' List; Mohammed Yousef M. Alnajdi; [hidden email]
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
Hi Mohammed Yousef,

Actually, the CAS service URL is the identifier of the application that the client is trying to access. In almost all cases, this will be the URL of the application (https://[server-address]/cas-client-webapp/) and the server-address should always point to the location where this sample application (cas-client-webapp) is deployed.

If I understood you correctly, you are setting Service Url: https://test.kfupm.edu.sa in the service provider configuration and trying to access that service using some other URL, say https://test.kfupm.edu.sa/en/?next=/details, and you end up with a 500 internal server error.

If that is so, the reason for this error is: when we are processing the login response we are getting the serviceUrlFromRequest [1] (i.e., https://test.kfupm.edu.sa/en/?next=/details) and with this URL the service provider details get retrieved [2]. Since you are not registering the service provider with the service URL https://test.kfupm.edu.sa/en/?next=/details, it returns the default service provider configurations. That causes the issue here.

As a workaround, you may extend the source code [3] and pass the exact base URL of the service instead of getting the service URL from the request; then, hopefully, it will give the exact service provider configurations.


Thanks,
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail: - [hidden email]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc. 
lean. enterprise. middleware 



On Wed, Feb 6, 2019 at 3:47 PM Shakila Sasikaran <[hidden email]> wrote:
[Forwarding to dev]

---------- Forwarded message ---------
From: Mohammed Yousef M. Alnajdi <[hidden email]>
Date: Tue, Feb 5, 2019 at 3:31 PM
Subject: Wso2 Identity Server: identity-inbound-auth-cas
To: [hidden email] <[hidden email]>
Cc: [hidden email] <[hidden email]>


Greeting Team,

I would like to express that I am really grateful for the work you guys put in for the open source community.

I have 1 small comment/issue regarding the "identity-inbound-auth-cas"; I will try to describe my issue and how I want to solve it.


Thanks a lot

Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev

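The two sides of the thread above agree on the underlying mechanism (the service provider is looked up by the service URL, so a request URL that carries /en/ or ?next=... does not find the SP registered as https://test.kfupm.edu.sa) and differ only on where the URL should be reduced to its base. The following is an added, self-contained Java example; it is not code from identity-inbound-auth-cas nor from either poster. It shows a defensive way to do that reduction: normalize the request's service URL to its origin and compare whole origins against the SP's registered service URL, trimming the white space Kanapriya warns about, treating an explicit default port as equivalent to none, and returning an empty result on malformed input instead of a null URL. The class and method names (ServiceUrlMatcher, origin, matchesRegistered) are chosen here, the sample inputs are constructed from the URLs quoted in the thread, and java.net.URI is used instead of the java.net.URL of the posted patch.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;

// Added example (not part of identity-inbound-auth-cas): reduce a CAS service URL
// to its origin and match it against the service URL registered on the SP.
public final class ServiceUrlMatcher {

    private ServiceUrlMatcher() { }

    /**
     * Reduce a service URL to "scheme://host[:port]". Path, query ("?next=...") and
     * fragment are dropped, surrounding white space is trimmed, scheme and host are
     * lower-cased, and a default port (443 for https, 80 for http) is omitted so that
     * "https://host:443/x" and "https://host/x" map to the same origin.
     * Returns Optional.empty() for anything that is not an absolute http(s) URL,
     * instead of handing a null URL to the caller.
     */
    public static Optional<String> origin(String serviceUrl) {
        if (serviceUrl == null) {
            return Optional.empty();
        }
        URI uri;
        try {
            uri = new URI(serviceUrl.trim());
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return Optional.empty();
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (!scheme.equals("https") && !scheme.equals("http")) {
            return Optional.empty();
        }
        int port = uri.getPort();
        int defaultPort = scheme.equals("https") ? 443 : 80;
        String portPart = (port == -1 || port == defaultPort) ? "" : ":" + port;
        return Optional.of(scheme + "://" + host + portPart);
    }

    /**
     * True only when the request's service URL and the SP's registered service URL
     * have exactly the same origin. Comparing whole origins rather than a string
     * prefix keeps a host that merely starts with the registered host name from
     * matching the registration.
     */
    public static boolean matchesRegistered(String requestServiceUrl, String registeredServiceUrl) {
        Optional<String> fromRequest = origin(requestServiceUrl);
        Optional<String> registered = origin(registeredServiceUrl);
        return fromRequest.isPresent() && fromRequest.equals(registered);
    }

    public static void main(String[] args) {
        // Service URL as registered in the SP configuration (from the thread).
        String registered = "https://test.kfupm.edu.sa";
        // Constructed sample request URLs, including the cases discussed above.
        String[] requests = {
            "https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/",
            "https://test.kfupm.edu.sa/en/login/?next=/en/",
            "https://test.kfupm.edu.sa/en/ ",          // trailing white space
            "https://test.kfupm.edu.sa:443/en/",       // explicit default port
            "https://test.kfupm.edu.sa.example/en/",   // different host: must not match
            "not a url",                               // malformed: must not match
        };
        for (String r : requests) {
            System.out.printf("%-70s origin=%-28s match=%b%n",
                    "\"" + r + "\"", origin(r).orElse("<invalid>"), matchesRegistered(r, registered));
        }
    }
}
```

Compile with javac ServiceUrlMatcher.java and run java ServiceUrlMatcher: the first four inputs resolve to https://test.kfupm.edu.sa and match, the last two do not. Inside the processor this is the value that would replace serviceUrlFromRequest before the service provider lookup, which is the point at which both posters locate the failure.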

Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Al Nagdy
Greeting Kanapriya Kuleswararajan,

Please understand my issue and how I want to fix it. I have an SP defined in the UI called test.kfupm.edu.sa, and in the CAS configuration I set a service URL which is https://test.kfupm.edu.sa
Now, regardless of what comes after it or where I will be redirected, CAS authentication should work just fine. << This is what I want to achieve. Hard-coding the value works even for the old case, but I am not sure where the user will try to log in from
and what query parameter will be requested. I want this fix to happen before the user enters the username and password: I want CAS to pick its correct sp=test.kfupm.edu.sa before I authenticate.

 

On Sun, Feb 17, 2019 at 9:46 PM Kanapriya Kuleswararajan <[hidden email]> wrote:
Hi Mohammed,

Greeting, I have responded with the requested feedback; I hope it's what you needed.




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Mohammed Yousef M. Alnajdi
Sent: Wednesday, February 13, 2019 9:48 AM
To: Kanapriya Kuleswararajan; WSO2 Developers' List; Shakila Sasikaran
Cc: Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 

Greeting, 


Thanks a lot for the quick reply.

You can find my changes here [1].


I will explain my requirements in detail.

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Yousef M. Alnajdi
In reply to this post by Kanapriya

Greeting Kanapriya Kuleswararajan,

Please understand my issue and how I want to fix it. I have an SP defined in the UI called test.kfupm.edu.sa, and in the CAS configuration I set a service URL which is https://test.kfupm.edu.sa
Now, regardless of what comes after it or where I will be redirected, CAS authentication should work just fine. << This is what I want to achieve. Hard-coding the value works even for the old case, but I am not sure where the user will try to log in from
and what query parameter will be requested. I want this fix to happen before the user enters the username and password: I want CAS to pick its correct sp=test.kfupm.edu.sa before I authenticate.





Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Sunday, February 17, 2019 9:45 PM
To: Mohammed Yousef M. Alnajdi
Cc: WSO2 Developers' List; Shakila Sasikaran; Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
تحذير: هذه الرسالة مرسلة من خارج الجامعة. لا تفتح أي مرفق أو رابط ما لم تكن متأكداً من أنه آمن
Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.
____________________________________________________________
Hi Mohammed,

Greeting, I have responded with requested feedback i hope it's what you needed.




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Mohammed Yousef M. Alnajdi
Sent: Wednesday, February 13, 2019 9:48 AM
To: Kanapriya Kuleswararajan; WSO2 Developers' List; Shakila Sasikaran
Cc: Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 

Greeting, 


Thanks a lot for the quick reply.

You can find my changes here [1].


For my requirements i will explain it in details.

General idea about our projects in the university: We have 2 type of sites [fully protected sites] and [partially protected sites] I will talk about the second type.

  1. User opens the site https://test.kfupm.edu.sa/ and they will get redirected to https://test.kfupm.edu.sa/en/
  2. Users can navigate through the site and access it fully. But some content will only be shown if the user logged in.
  3. User clicks on the login button which is https://test.kfupm.edu.sa/login/ this url is CAS protected. 
  4. Now here is the issue starts, the query parameter "Next" imply that after a successful login go back to the url specified in the "Next" query parameter.
  5. The url will look like this https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/ so after logging in send me back to https://test.kfupm.edu.sa/en/user/details/101010/
  6. Since the authenticator only accept a static url this would never work since the ?next=<value> is changing all time. 
  7. What i want to be able to do is if the authenticator only checks the base url of what ever is passed. example if i try to go to this url https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/
    The https://cas.example.com/identity/cas/login?service=https://test.kfupm.edu.sa not https://cas.example.com/identity/cas/login?service=https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/
  8. I have added a picture of the same flow diagram the only difference is the starting url other wise everything should be the same. Meaning i don't care what other resources i am
    having in my application /login/ or /detail/ or what ever as long i can validate if there is a service based on the base url of the site.
So your are invoking one of the services from  https://test.kfupm.edu.sa and this is the actual CAS protected service you are expecting to work with. Hence to fix this, I hope,  you should pass that service URL (https://test.kfupm.edu.sa) instead of the url  which gets from the request . And you should register the service provider with this service URL (https://test.kfupm.edu.sa) and make sure there is no white spaces in the URL.

As I looked into the fix [2], once the user redirect to the https://test.kfupm.edu.sa/en/ from https://test.kfupm.edu.sa/ based on the Next query params, your base url will change to "https://test.kfupm.edu.sa/en/ " which is not exactly the service url that you used in the service provider configurations.

To check this, can you just hardcode the value (https://test.kfupm.edu.sa) in [1] as same as the url which you used to register in service provider configurations and check whether you able to see the following :





I hope this is detailed enough if not please let me know and i will respond again.


From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Wednesday, February 13, 2019 8:51 AM
To: Mohammed Yousef M. Alnajdi
Cc: WSO2 Developers' List; Shakila Sasikaran; Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
تحذير: هذه الرسالة مرسلة من خارج الجامعة. لا تفتح أي مرفق أو رابط ما لم تكن متأكداً من أنه آمن
Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.
____________________________________________________________
Hi Mohammed,

In our existing authenticator, we are only supporting static service URL (which is configured in the sp configurations) and running the flow (generting ST and CASTGC Cookie) based on that service URL upon the successful authentication. I have attached the flow diagram [1] which depicts the flow of existing authenticator.
But, in your case, you mentioned that, you can't rely on static URL as you wanted to switch to some other pages inside your application and that pages only need the login to access the resource based on some query params (next).  Could you please attach your flow diagram with detailed explanation,  the error log and the fix that you have done (may be you can share the code with your git link). So that we can get better understand of your requirement?

[1]

cas-3-web-flow-first-access.png

Thanks,
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail : - [hidden email]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc. 
lean . enterprise . middleware 



On Tue, Feb 12, 2019 at 10:25 PM Mohammed Yousef M. Alnajdi <[hidden email]> wrote:

I really hope i get some faster feed back guys q.q.




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Mohammed Al Nagdy <[hidden email]>
Sent: Monday, February 11, 2019 5:42 PM
To: Mohammed Yousef M. Alnajdi
Cc: Kanapriya Kuleswararajan; Shakila Sasikaran; WSO2 Developers' List
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
تحذير: هذه الرسالة مرسلة من خارج الجامعة. لا تفتح أي مرفق أو رابط ما لم تكن متأكداً من أنه آمن
Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.
____________________________________________________________

Greeting, 


Thanks for your answer. 


Here is the fix i did based on your comment:

within the file SSOLoginProcessor.java i did this fix

String serviceUrlFromRequest = casMessageContext.getServiceURL();
URL url = null;
try {
url = new URL(serviceUrlFromRequest);
} catch (MalformedURLException e) {
e.printStackTrace();
}
String base = url.getProtocol() + "://" + url.getHost();
log.error(serviceUrlFromRequest);
log.error(base);
AuthenticationResult authnResult = processResponseFromFrameworkLogin(casMessageContext, identityRequest);
String acsURL = CASSSOUtil.getAcsUrl(base, casMessageContext.getRequest().getTenantDomain());

I deployed this and i did try with my application to login and i got the correct url now but it's not able to process it, here is the log.


TID: [-1234] [] [2019-02-10 08:50:13,101] ERROR {org.wso2.carbon.identity.sso.cas.processor.SSOLoginProcessor} -  https://test.kfupm.edu.sa/en/login/?next=/en/ 


and the url of the site after login is this "https://test.kfupm.edu.sa/en/?ticket=ST-4790bbcb218b4bf88e0a3b87dc824757-login-3.test.kfupm.edu.sa"


Now I believe that all of this processing should happen while building the request, not at the response. On that note, when I click on "login" in my application and I get the SSO login page, I should see in the URL sp=test.kfupm.edu.sa, not sp=default.


I am not sure if you see the limitation here, but I will explain it once more.

My application is accessible without logging in, but when you reach some pages within the application that require login, you get redirected with a query parameter called "next", which holds where to go back to after the authentication. This creates the issue: I can't rely on a static URL that has to be matched. It should be more than enough to match the service URL that is defined in the SP, which is the base URL of this application, aka "https://test.kfupm.edu.sa".


Kindly let me know if there is any way you can guide me to fix this.


Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Friday, February 8, 2019 2:14 PM
To: Shakila Sasikaran
Cc: WSO2 Developers' List; Mohammed Yousef M. Alnajdi; [hidden email]
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.
____________________________________________________________
Hi Mohammed Yousef,

Actually, the CAS service URL is the identifier of the application that the client is trying to access. In almost all cases, this will be the URL of the application (https://[server-address]/cas-client-webapp/), and the server-address should always point to the location where this sample application (cas-client-webapp) is deployed.

If I understood you correctly, you are setting Service Url: https://test.kfupm.edu.sa in the service provider configuration and trying to access that service using some other URL, say https://test.kfupm.edu.sa/en/?next=/details, and you end up with a 500 internal server error.

If that is so, the reason for this error is: when we process the login response we get the serviceUrlFromRequest [1] (i.e., https://test.kfupm.edu.sa/en/?next=/details) and with this URL the service provider details get retrieved [2]. Since you are not registering the service provider with the service URL https://test.kfupm.edu.sa/en/?next=/details, it returns the default service provider configuration. That causes the issue here.

As a workaround, you may extend the source code [3] and pass the exact base URL of the service instead of getting the service URL from the request; then hopefully it will give the exact service provider configuration.


Thanks,
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail: - [hidden email]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc. 
lean. enterprise. middleware 



On Wed, Feb 6, 2019 at 3:47 PM Shakila Sasikaran <[hidden email]> wrote:
[Forwarding to dev]

---------- Forwarded message ---------
From: Mohammed Yousef M. Alnajdi <[hidden email]>
Date: Tue, Feb 5, 2019 at 3:31 PM
Subject: Wso2 Identity Server: identity-inbound-auth-cas
To: [hidden email] <[hidden email]>
Cc: [hidden email] <[hidden email]>


Greetings Team,

I would like to express that I am really grateful for the work you guys put in for the open source community.

I have one small comment/issue regarding "identity-inbound-auth-cas"; I will try to describe my issue and how I want to solve it.


Thanks a lot

Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: Fwd: Wso2 Identity Server: identity-inbound-auth-cas

Mohammed Yousef M. Alnajdi

Okay, is there any possibility to have a video meeting with you guys to explain the issue and show you that what I did is correct but still not working?




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Mohammed Yousef M. Alnajdi
Sent: Sunday, February 24, 2019 7:13 AM
To: Kanapriya Kuleswararajan
Cc: WSO2 Developers' List; Shakila Sasikaran; Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 

Greetings Kanapriya Kuleswararajan,

Kindly please understand my issue and how I want to fix it. I have an SP defined in the UI called test.kfupm.edu.sa, and in the CAS configuration I set a service URL which is https://test.kfupm.edu.sa.
Now, regardless of what comes after or where I will be redirected, CAS authentication should work just fine. << this is what I want to achieve. Hard-coding the value works even for the old case, but I am not sure what the user will try to log in from
and with what query parameter it will be requested. I want this fix to happen before entering the username and password of the user; I want the CAS to pick its correct sp=test.kfupm.edu.sa before I authenticate.





Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Sunday, February 17, 2019 9:45 PM
To: Mohammed Yousef M. Alnajdi
Cc: WSO2 Developers' List; Shakila Sasikaran; Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.
____________________________________________________________
Hi Mohammed,

Greetings, I have responded with the requested feedback; I hope it's what you needed.




Best Regards.
Mohammed Y. Alnajdi.
Software Developer.
ICTC - Solution Delivery Team.

From: Mohammed Yousef M. Alnajdi
Sent: Wednesday, February 13, 2019 9:48 AM
To: Kanapriya Kuleswararajan; WSO2 Developers' List; Shakila Sasikaran
Cc: Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 

Greetings,


Thanks a lot for the quick reply.

You can find my changes here [1].


I will explain my requirements in detail.

General idea about our projects in the university: we have 2 types of sites, [fully protected sites] and [partially protected sites]. I will talk about the second type.

  1. The user opens the site https://test.kfupm.edu.sa/ and gets redirected to https://test.kfupm.edu.sa/en/
  2. Users can navigate through the site and access it fully. But some content will only be shown if the user is logged in.
  3. The user clicks on the login button, which is https://test.kfupm.edu.sa/login/; this URL is CAS protected.
  4. Now here is where the issue starts: the query parameter "next" implies that after a successful login, go back to the URL specified in the "next" query parameter.
  5. The URL will look like this: https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/ so after logging in, send me back to https://test.kfupm.edu.sa/en/user/details/101010/
  6. Since the authenticator only accepts a static URL this would never work, since the ?next=<value> is changing all the time.
  7. What I want to be able to do is have the authenticator only check the base URL of whatever is passed. Example: if I try to go to this URL https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/
     the URL should be https://cas.example.com/identity/cas/login?service=https://test.kfupm.edu.sa, not https://cas.example.com/identity/cas/login?service=https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/
  8. I have added a picture of the same flow diagram; the only difference is the starting URL, otherwise everything should be the same. Meaning I don't care what other resources I am
     having in my application, /login/ or /detail/ or whatever, as long as I can validate if there is a service based on the base URL of the site.
So you are invoking one of the services from https://test.kfupm.edu.sa, and this is the actual CAS-protected service you are expecting to work with. Hence, to fix this, I hope you should pass that service URL (https://test.kfupm.edu.sa) instead of the URL which comes from the request. And you should register the service provider with this service URL (https://test.kfupm.edu.sa) and make sure there are no white spaces in the URL.

As I looked into the fix [2], once the user is redirected to https://test.kfupm.edu.sa/en/ from https://test.kfupm.edu.sa/ based on the next query param, your base URL will change to "https://test.kfupm.edu.sa/en/ ", which is not exactly the service URL that you used in the service provider configuration.

To check this, can you just hardcode the value (https://test.kfupm.edu.sa) in [1], the same as the URL which you used to register in the service provider configuration, and check whether you are able to see the following:





I hope this is detailed enough; if not, please let me know and I will respond again.


From: Kanapriya Kuleswararajan <[hidden email]>
Sent: Wednesday, February 13, 2019 8:51 AM
To: Mohammed Yousef M. Alnajdi
Cc: WSO2 Developers' List; Shakila Sasikaran; Mohammed Al Nagdy
Subject: Re: [Dev] Fwd: Wso2 Identity Server: identity-inbound-auth-cas
 
Warning: This mail has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.
____________________________________________________________
Hi Mohammed,

In our existing authenticator, we only support a static service URL (which is configured in the SP configuration) and run the flow (generating the ST and the CASTGC cookie) based on that service URL upon successful authentication. I have attached the flow diagram [1], which depicts the flow of the existing authenticator.
But in your case, you mentioned that you can't rely on a static URL, as you want to switch to other pages inside your application, and those pages only need the login to access the resource based on some query params (next). Could you please attach your flow diagram with a detailed explanation, the error log and the fix that you have done (maybe you can share the code with your git link), so that we can get a better understanding of your requirement?

[1]

cas-3-web-flow-first-access.png

Thanks,
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail : - [hidden email]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc. 
lean . enterprise . middleware 



_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
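The two explanations in this thread, Kanapriya's point that the connector looks up the service provider by the exact service URL it receives and falls back to the default SP when nothing matches, and Mohammed's request that the lookup key only on the base URL of the site, can be shown together in one small Java program. This is an added example and not code from identity-inbound-auth-cas or WSO2 Identity Server: the class and method names (CasServiceResolver, normalize, resolveSp, issueServiceTicket, validateServiceTicket), the in-memory SP registry and the simplified ticket format are all assumptions, and the sample URLs are constructed from the hostname used in the thread. Two points a reviewer would want the real fix to keep are built in: the match is on the parsed scheme and host (a host that merely begins with the registered name must not match, and the trailing whitespace Kanapriya noticed is trimmed at registration), and the same normalisation is applied when a service ticket is issued and when it is validated, since in CAS a ticket is only valid for the service it was issued to.

```java
// Added example, not part of identity-inbound-auth-cas: resolve the CAS "service"
// parameter to a registered service provider by its base URL, and apply the same
// normalisation when a service ticket (ST) is issued and when it is validated.
import java.net.MalformedURLException;
import java.net.URL;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class CasServiceResolver {

    // Hypothetical in-memory SP registry: normalised service URL -> SP name.
    // (The real connector reads SP details from the Identity Server configuration.)
    private final Map<String, String> registeredServices = new HashMap<>();
    // Issued service tickets: ticket id -> normalised service it was issued for.
    private final Map<String, String> serviceTickets = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Register an SP; whitespace around the configured URL is trimmed before it is normalised. */
    public void register(String serviceUrl, String spName) throws MalformedURLException {
        registeredServices.put(normalize(serviceUrl.trim()), spName);
    }

    /** Reduce a service URL to scheme://host[:port]; path, query and fragment are dropped. */
    public static String normalize(String serviceUrl) throws MalformedURLException {
        URL url = new URL(serviceUrl);
        String scheme = url.getProtocol().toLowerCase();
        if (!scheme.equals("https") && !scheme.equals("http")) {
            throw new MalformedURLException("unsupported scheme in service URL: " + scheme);
        }
        String host = url.getHost().toLowerCase();
        if (host.isEmpty()) {
            throw new MalformedURLException("service URL has no host: " + serviceUrl);
        }
        // Keep an explicit non-default port so https://app:8443 and https://app stay distinct.
        int port = url.getPort();
        String portPart = (port == -1 || port == url.getDefaultPort()) ? "" : ":" + port;
        return scheme + "://" + host + portPart;
    }

    /** SP lookup for a request's service URL; "default" when nothing matches, as described in the thread. */
    public String resolveSp(String serviceUrlFromRequest) {
        try {
            // Equality on the parsed host: a host that merely starts with the registered name does not match.
            return registeredServices.getOrDefault(normalize(serviceUrlFromRequest), "default");
        } catch (MalformedURLException e) {
            return "default";
        }
    }

    /** Issue an ST bound to the normalised service (simplified ticket format, random 128-bit id). */
    public String issueServiceTicket(String serviceUrlFromRequest) throws MalformedURLException {
        String service = normalize(serviceUrlFromRequest);
        if (!registeredServices.containsKey(service)) {
            throw new IllegalArgumentException("no SP registered for service " + service);
        }
        byte[] id = new byte[16];
        random.nextBytes(id);
        StringBuilder ticket = new StringBuilder("ST-");
        for (byte b : id) {
            ticket.append(String.format("%02x", b));
        }
        serviceTickets.put(ticket.toString(), service);
        return ticket.toString();
    }

    /** CAS validation rule: a ticket is single-use and only valid for the service it was issued to. */
    public boolean validateServiceTicket(String ticket, String serviceUrlFromValidation) {
        String issuedFor = serviceTickets.remove(ticket);
        if (issuedFor == null) {
            return false;
        }
        try {
            return issuedFor.equals(normalize(serviceUrlFromValidation));
        } catch (MalformedURLException e) {
            return false;
        }
    }

    public static void main(String[] args) throws MalformedURLException {
        CasServiceResolver cas = new CasServiceResolver();
        // Constructed sample: the SP from the thread, registered with its base URL (trailing space on purpose).
        cas.register("https://test.kfupm.edu.sa ", "test.kfupm.edu.sa");

        // The login URL carrying "next" and the post-login URL carrying the ticket resolve to the same SP.
        System.out.println(cas.resolveSp("https://test.kfupm.edu.sa/login/?next=/en/user/details/101010/"));
        System.out.println(cas.resolveSp("https://test.kfupm.edu.sa/en/?ticket=ST-constructed"));
        // A different host, a look-alike host or an unparseable value falls back to the default SP.
        System.out.println(cas.resolveSp("https://test.kfupm.edu.sa.example.net/en/"));
        System.out.println(cas.resolveSp("not a url"));

        // A ticket issued for the login URL validates from another path on the same base URL, once only.
        String st = cas.issueServiceTicket("https://test.kfupm.edu.sa/login/?next=/en/");
        System.out.println(cas.validateServiceTicket(st, "https://test.kfupm.edu.sa/en/"));
        System.out.println(cas.validateServiceTicket(st, "https://test.kfupm.edu.sa/en/"));
    }
}
```

Run it with `java CasServiceResolver.java` (single-file source launch, JDK 11 or later). The hard-coded value Kanapriya suggested works because it reproduces an exact match with the registered SP; normalising to scheme and host generalises that to every path and query on the same site without loosening the match to a string prefix, and doing it at both the login and validation steps is what keeps the ticket usable from the URL the user actually lands on.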