CAS 3 Ticket Validation Response
CAS 3 Successful Ticket Validation Response (formatted for legibility)[1]:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> [2]
  <cas:authenticationSuccess> [3]
    <cas:user>de3</cas:user> [4]
    <cas:attributes> [5]
      <cas:lastName>Ellentuck</cas:lastName>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
      <cas:mail>[email protected]</cas:mail>
      <cas:bypassMultifactorAuthentication>false</cas:bypassMultifactorAuthentication>
      <cas:authenticationDate>2020-07-17T13:58:37.159-04:00[US/Eastern]</cas:authenticationDate>
      <cas:authnContextClass>mfa-duo</cas:authnContextClass>
      <cas:givenName>Daniel</cas:givenName>
      <cas:successfulAuthenticationHandlers>JaasAuthenticationHandler</cas:successfulAuthenticationHandlers>
      <cas:successfulAuthenticationHandlers>mfa-duo</cas:successfulAuthenticationHandlers>
      <cas:lastPasswordChangeDate>Mon Dec 30 15:32:53 EST 2019</cas:lastPasswordChangeDate> [6]
      <cas:samlAuthenticationStatementAuthMethod>urn:oasis:names:tc:SAML:1.0:am:password</cas:samlAuthenticationStatementAuthMethod>
      <cas:samlAuthenticationStatementAuthMethod>urn:oasis:names:tc:SAML:1.0:am:unspecified</cas:samlAuthenticationStatementAuthMethod>
      <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
      <cas:credentialType>DuoCredential</cas:credentialType>
      <cas:affiliation>OAUTH_auth-columbia</cas:affiliation> [7]
      <cas:affiliation>CUNIX_idmserv</cas:affiliation>
      <cas:affiliation>CUNIX_casadmin</cas:affiliation>
      <cas:affiliation>CUNIX_src</cas:affiliation>
      <cas:affiliation>LM_ou_TeamLion</cas:affiliation>
      <cas:affiliation>VPN_Users</cas:affiliation>
      <cas:affiliation>CU_IT</cas:affiliation>
      <cas:affiliation>MFA_all</cas:affiliation>
      <cas:affiliation>PAC</cas:affiliation>
      <cas:affiliation>CUstaff</cas:affiliation>
      <cas:affiliation>AcisLibraryLabUser</cas:affiliation>
      <cas:authenticationMethod>JaasAuthenticationHandler</cas:authenticationMethod>
      <cas:authenticationMethod>mfa-duo</cas:authenticationMethod> [8]
      <cas:eduPersonPrincipalName>[email protected]</cas:eduPersonPrincipalName>
      <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
      <cas:username>de3</cas:username>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
CAS 3 Unsuccessful Ticket Validation Response (formatted for legibility)[1]:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> [2]
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-1402-0RwQL4YfoydrrJwiI80WitPnFiccasdevapp01' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>
Notes:
1. Available via:
https://[cas-hostname]/cas/p3/serviceValidate?service=[service-URL]&ticket=[service-ticket]
2. A ticket validation response consists of a <serviceResponse> element which contains either an <authenticationSuccess> element or an <authenticationFailure> element.
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
3. The presence of the <authenticationSuccess> element means the user has successfully logged in. It contains a <user> element and an <attributes> element.
<cas:authenticationSuccess>
4. The <user> element contains the UNI:
<cas:user>de3</cas:user>
5. The multi-valued <attributes> element contains various user and authentication attributes. User attributes are selectively returned to the application and must be specifically requested as part of service registration:
<cas:attributes>
  <cas:lastName>Ellentuck</cas:lastName>
  [...other attributes...]
  <cas:username>de3</cas:username>
</cas:attributes>
6. Date of last password change is available in an attribute called "lastPasswordChangeDate":
<cas:lastPasswordChangeDate>Mon Dec 30 15:32:53 EST 2019</cas:lastPasswordChangeDate>
7. LDAP affiliations are available in a multi-valued attribute called "affiliation." Affiliations are selectively returned to the application and must be specifically requested as part of service registration. The order in which they appear is arbitrary:
<cas:affiliation>OAUTH_auth-columbia</cas:affiliation>
<cas:affiliation>CUNIX_idmserv</cas:affiliation>
<cas:affiliation>CUNIX_casadmin</cas:affiliation>
<cas:affiliation>CUNIX_src</cas:affiliation>
<cas:affiliation>LM_ou_TeamLion</cas:affiliation>
<cas:affiliation>VPN_Users</cas:affiliation>
<cas:affiliation>CU_IT</cas:affiliation>
<cas:affiliation>MFA_all</cas:affiliation>
<cas:affiliation>PAC</cas:affiliation>
<cas:affiliation>CUstaff</cas:affiliation>
<cas:affiliation>AcisLibraryLabUser</cas:affiliation>
8. Indicates the user has authenticated with Duo MFA:
<cas:authenticationMethod>mfa-duo</cas:authenticationMethod>
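An added example, not part of the original page: one way an application could consume the response described in notes 2 through 8, treating anything other than <authenticationSuccess> as a failed login and checking affiliation and Duo MFA by membership, since the order of values is arbitrary. The function and exception names are hypothetical, and the sample responses are constructed, trimmed versions of the ones shown above.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used in the responses above

class CasValidationError(Exception):
    """The response was a failure, malformed, or did not meet policy."""

def parse_cas_response(xml_text):
    """Return (user, attrs); attrs maps each attribute name to a list of values."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % NS["cas"]:
        raise CasValidationError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise CasValidationError("%s: %s" % (failure.get("code"), (failure.text or "").strip()))
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise CasValidationError("no authenticationSuccess element")
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    if not user:
        raise CasValidationError("authenticationSuccess without a user")
    attrs = {}
    for el in success.findall("cas:attributes/*", NS):
        # Multi-valued attributes repeat the element, so always collect a list.
        attrs.setdefault(el.tag.split("}", 1)[-1], []).append((el.text or "").strip())
    return user, attrs

def authorize(xml_text, required_affiliation, require_duo=True):
    """Return the UNI only if the affiliation (and Duo MFA, if required) is present."""
    user, attrs = parse_cas_response(xml_text)
    # Order of values is arbitrary, so test membership rather than position.
    if required_affiliation not in attrs.get("affiliation", []):
        raise CasValidationError("missing affiliation " + required_affiliation)
    if require_duo and "mfa-duo" not in attrs.get("authenticationMethod", []):
        raise CasValidationError("user did not authenticate with Duo MFA")
    return user

# Constructed samples, trimmed from the responses shown on this page.
SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess><cas:user>de3</cas:user><cas:attributes>
  <cas:affiliation>CU_IT</cas:affiliation><cas:affiliation>MFA_all</cas:affiliation>
  <cas:authenticationMethod>JaasAuthenticationHandler</cas:authenticationMethod>
  <cas:authenticationMethod>mfa-duo</cas:authenticationMethod>
 </cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-EXAMPLE' not recognized
 </cas:authenticationFailure></cas:serviceResponse>"""

if __name__ == "__main__":
    print(authorize(SUCCESS, "CU_IT"))
```

An affiliation that was not requested at service registration is simply absent from the response, so the check fails closed with a "missing affiliation" error.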