Question

I am using webforms on .net 4.0 and am really struggling to get this to work. I have used the documentation from the jasig site – and installed the nuget package for the client.

https://wiki.jasig.org/display/CASC/.Net+Cas+Client

I'm logging in successfully and am getting a token back from the CAS server, but cannot seem to authenticate it. As far as I can see there are three different service methods to call to validate the token:

/validate

/serviceValidate

/samlValidate

The validate method simply returns a web response of "no", while when I call the serviceValidate method it returns a code of INVALID_TICKET in the XML response. I have also tried the samlValidate but receive a 403 error (I understand that this is a potentially valid response).

My validate code is something like this:

    using System.IO;
    using System.Net;

    // APPLICATION is the CAS server URL prefix, tkt the service ticket taken from the
    // query string, service the URL the ticket was issued for. Both query values are
    // URL-encoded, as the CAS protocol requires for the ticket and service parameters.
    var validateurl = APPLICATION + "validate?" +
                      "ticket=" + Uri.EscapeDataString(tkt) + "&" +
                      "service=" + Uri.EscapeDataString(service);

    // CAS 1.0 /validate answers with "yes\n<user>\n" or "no\n\n"
    StreamReader Reader = new StreamReader(new WebClient().OpenRead(validateurl));
    string resp = Reader.ReadToEnd();

My CAS config is:

    <casClientConfig casServerLoginUrl="https://*IPSERVER*/cas/login"
                     casServerUrlPrefix="https://*IPSERVER*/cas/"
                     serverName="http://*MYSITE*/"
                     notAuthorizedUrl="~/NotAuthorized.aspx"
                     cookiesRequiredUrl="~/CookiesRequired.aspx"
                     redirectAfterValidation="true" gateway="false" renew="false" singleSignOut="true"
                     ticketTimeTolerance="5000" ticketValidatorName="Cas20" proxyTicketManager="CacheProxyTicketManager"
                     serviceTicketManager="CacheServiceTicketManager"
                     gatewayStatusCookieName="CasGatewayStatus" />

I figure it must be a setting of some sort, but for the life of me I cannot work out what the setting might be.

Can anyone tell me why I cannot validate the token?

Edit: Having thought about this a little more, I'm even more confused. If as @Steven V below says, the client app cookie is created by the httpmodule - how does any page get authenticated? For example if I am in my client (RP) app page (landing.aspx, say) and click a link to the (IP) authentication server to restricted content (restricted.aspx, say) - how does the server magically create a cookie on the client before it redirects to restricted.aspx after logging me in. Using WIF I'd still have to do a FormsAuthentication.CreateAuthCookie() or similar in code.

What is happening if I click on the link to my restricted page is that I am redirected to the (IP) CAS server pages as expected, and after successful login get an infinite redirect, because presumably the app does not have a local client cookie and tries to authenticate, so redirects to the server, which has already authenticated and redirects back to the client, which does not have a local cookie, so needs to authenticate... forever.

Edit again: I have read further on this (there is not much available out there) and found that this authentication happens at a very low level and is supposed to happen on the client app (RP) setting the cookie before the page redirect. This clearly is not happening for me, and I have no clue as to how to go about working out what is going wrong.

Was this helpful?

Solution

I ended up having to download the source for the Jasig CAS client and implement a new ticket validator. The IP that we are using is ECAS, the European Commission's Authentication Service, and it did not support my client's permission level.

For anyone interested, or anyone who happens to be trying to connect to ECAS (.NET is not one of their supported platforms): from the .NET client, in the /Validation/Schema/TicketValidator folder, you can implement something like:

namespace DotNetCasClient.Validation.TicketValidator
{
    // Derive from the stock CAS 2.0 validator and override the parts ECAS handles differently
    internal class ECasServiceTicketValidator : Cas20ServiceTicketValidator
    {
        // ECAS-specific validation overrides go here
    }
}

In the CasAuthentication.cs file you need to add these snippets:

        // Names for the supported ticket validators
        public const string CAS10_TICKET_VALIDATOR_NAME = "Cas10";
        public const string CAS20_TICKET_VALIDATOR_NAME = "Cas20";
        public const string ECAS_TICKET_VALIDATOR_NAME = "ECas";
        public const string SAML11_TICKET_VALIDATOR_NAME = "Saml11";

And

        if (String.Compare(ticketValidatorName, CasClientConfiguration.CAS10_TICKET_VALIDATOR_NAME, true) == 0)
        {
            ticketValidator = new Cas10TicketValidator();
        }
        else if (String.Compare(ticketValidatorName, CasClientConfiguration.CAS20_TICKET_VALIDATOR_NAME, true) == 0)
        {
            ticketValidator = new Cas20ServiceTicketValidator();
        }
        else if (String.Compare(ticketValidatorName, CasClientConfiguration.ECAS_TICKET_VALIDATOR_NAME, true) == 0)
        {
            ticketValidator = new ECasServiceTicketValidator();
        }
        else if (String.Compare(ticketValidatorName, CasClientConfiguration.SAML11_TICKET_VALIDATOR_NAME, true) == 0)
        {
            ticketValidator = new Saml11TicketValidator();
        }

Then, in the casClientConfig setting in the web.config of the website, add this:

ticketValidatorName="ECas"

Hope this helps someone out there...

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow