Ticket validation error for embedded entity-id ending in double equal signs ("==")

[ghosler-kumc]

We have our ShibCas configured to embed the entity-id in the URL sent to CAS. We're having a problem with an entity-id that ends in == the full value is:: https://login.adaptiveinsights.com:443/samlsso/S0FOU0FTVU1DMg==. Users are able to login with CAS, but when the ticket is validated, the service url is encoded and appears to have dropped the == at the end of the url.

ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:109] - Ticket validation failed, returning InvalidTicket
org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-60-PDiukKqi-CD-e-CcUT8902hF2V4cas2-t' does not match supplied service. The original service was 'https://castest.kumc.edu/idp/Authn/ExtCas?conversation=e1s1&entityId=https://login.adaptiveinsights.com:443/samlsso/S0FOU0FTVU1DMg==' and the supplied service was 'https://castest.kumc.edu/idp/Authn/ExtCas?conversation=e1s1&entityId=https%3A%2F%2Flogin.adaptiveinsights.com%3A443%2Fsamlsso%2FS0FOU0FTVU1DMg'.

I haven't located any configurations to change this. Changing back to appending the entity-id works, but we need the entity-id embedded to apply rules in CAS.

[mapgrady]

FYI, that's not a valid entityID. EntityIDs are defined by the SAML standard as being a URI, either a URL or a URN. Equals sign is a reserved character in a URL, only for use in a query argument. So no entityID should include an equals sign in it. other than as an encoded character (which would be strange for an entityID.) As to whether anything can be done to work around that, short of changing the entityID, I'll leave it to others to respond.

…

On Apr 24, 2020, at 1:40 PM, ghosler-kumc ***@***.***> wrote: We have our ShibCas configured to embed the entity-id in the URL sent to CAS. We're having a problem with an entity-id that ends in == the full value is:: https://login.adaptiveinsights.com:443/samlsso/S0FOU0FTVU1DMg== <https://login.adaptiveinsights.com/samlsso/S0FOU0FTVU1DMg==>. Users are able to login with CAS, but when the ticket is validated, the service url is encoded and appears to have dropped the == at the end of the url. ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:109] - Ticket validation failed, returning InvalidTicket org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-60-PDiukKqi-CD-e-CcUT8902hF2V4cas2-t' does not match supplied service. The original service was 'https://castest.kumc.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https://login.adaptiveinsights.com:443/samlsso/S0FOU0FTVU1DMg== <https://castest.kumc.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https://login.adaptiveinsights.com:443/samlsso/S0FOU0FTVU1DMg==>' and the supplied service was 'https://castest.kumc.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https%3A%2F%2Flogin.adaptiveinsights.com%3A443%2Fsamlsso%2FS0FOU0FTVU1DMg <https://castest.kumc.edu/idp/Authn/ExtCas?conversation=e1s1&amp;entityId=https%3A%2F%2Flogin.adaptiveinsights.com%3A443%2Fsamlsso%2FS0FOU0FTVU1DMg>'. I haven't located any configurations to change this. Changing back to appending the entity-id works, but we need the entity-id embedded to apply rules in CAS. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#44>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAG5BCDYF47SIHICLCAEO33ROHMJ3ANCNFSM4MQKK7MQ>. This email has been scanned for spam and viruses by Proofpoint Essentials. Click here <https://us2.proofpointessentials.com/index01.php?mod_id=11&mod_option=logitem&mail_id=1587753630-GFBuvKO-pWee&r_address=mgrady%40unicon.net&report=1> to report this email as spam.

-- Michael A. Grady IAM Architect, Unicon, Inc.