How to test CAS SAML using soapUI

Overview
Recent versions (I believe 3.2 or older) of Central Authentication System (a.k.a. CAS) include Security Assertion Markup Language (a.k.a. SAML) support out of the box. The beauty of it is that it is already “there”, accessible through the URL ‘/cas/samlValidate’ instead of the usual ‘/cas/serviceValidate’.

Note that talking to your CAS instance over the SAML protocol is not so easy: the requests must be HTTP POSTs (which puts browsers out of the picture) carrying a properly formed SAML payload.

This is where soapUI comes in. It is an excellent tool for testing web services with SOAP requests (the open source version of the tool should not pose any problem or limitation), and it can be used to complete the SAML exchange and see what the CAS server actually returns.

Steps
To do that, connect to your CAS server, log in with valid credentials and obtain a CAS ticket. This can be done by opening the following URL in a browser:

https://CAS_DOMAIN:PORT/cas/login?service=http://localhost/foo

The browser should now display an error, because it has been redirected back to the URL http://localhost/foo, which probably does not exist. No problem. What matters is that you can retrieve the ticket from the URL. Example:

# URL
http://localhost/foo?ticket=ST-3-j6RIZfeaNTxilsFYr3xe-cas

# TICKET
ST-3-j6RIZfeaNTxilsFYr3xe-cas

Now, using soapUI, you need to send CAS a proper SAML request. You can do that with the “submit a request to a specified end point” action. The URL to send the request to should be:

https://CAS_DOMAIN:PORT/cas/samlValidate?TARGET=http://localhost/foo&ticket=ST-3-j6RIZfeaNTxilsFYr3xe-cas

The request body should be:

ST-3-j6RIZfeaNTxilsFYr3xe-cas

CAS’ response should be similar to this:


http://localhost/foo
juan.huerta
urn:oasis:names:tc:SAML:1.0:cm:artifact

The returned username can be found in the ‘NameIdentifier’ tag.
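The request and response from the steps above, as an added example that is not part of the original post: it builds the SOAP body to POST to ‘/cas/samlValidate’ and extracts the ‘NameIdentifier’ from the reply, after checking the status and the audience. The envelope layout is the standard SAML 1.1 form and is assumed here; the function names are hypothetical and the sample response is constructed from the values shown above.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

def build_request(ticket):
    # SOAP 1.1 envelope with a SAML 1.1 Request; the CAS ticket travels as the AssertionArtifact.
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS["soap"]}"><SOAP-ENV:Header/><SOAP-ENV:Body>'
        f'<samlp:Request xmlns:samlp="{NS["samlp"]}" MajorVersion="1" MinorVersion="1" '
        f'RequestID="_{uuid.uuid4().hex}" IssueInstant="{issued}">'
        f"<samlp:AssertionArtifact>{escape(ticket)}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>")

def parse_response(xml_text, expected_audience):
    # Return the username only when CAS reports Success for the service we asked about.
    root = ET.fromstring(xml_text)
    status = root.find(".//samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith("Success"):
        raise ValueError("CAS did not report samlp:Success")
    if expected_audience not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different service")
    name = root.find(".//saml:NameIdentifier", NS)
    if name is None or not name.text:
        raise ValueError("no NameIdentifier in the assertion")
    return name.text.strip()

# Constructed sample response, reduced to the elements whose values the post shows.
SAMPLE_RESPONSE = (
    f'<e:Envelope xmlns:e="{NS["soap"]}" xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
    '<e:Body><samlp:Response><samlp:Status><samlp:StatusCode Value="samlp:Success"/>'
    "</samlp:Status><saml:Assertion><saml:Conditions><saml:AudienceRestrictionCondition>"
    "<saml:Audience>http://localhost/foo</saml:Audience>"
    "</saml:AudienceRestrictionCondition></saml:Conditions>"
    "<saml:AuthenticationStatement><saml:Subject>"
    "<saml:NameIdentifier>juan.huerta</saml:NameIdentifier><saml:SubjectConfirmation>"
    "<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml:ConfirmationMethod>"
    "</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>"
    "</saml:Assertion></samlp:Response></e:Body></e:Envelope>")

if __name__ == "__main__":
    print(build_request("ST-3-j6RIZfeaNTxilsFYr3xe-cas"))
    print(parse_response(SAMPLE_RESPONSE, "http://localhost/foo"))
```

Paste the output of build_request into the soapUI request editor, or POST it with any HTTP client, using a ticket that has not been validated yet.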

Note.- special thanks to Juan Huerta, Julien Gribonvald and Marvin Addison for their tips which inspired me to write this post.

Comments


  1. Magnus Blomstedt

    Hi,

    Great post 🙂 We at soapUI/SmartBear are in the process of implementing support for SAML 2 in soapUI, and are looking for users who can provide some feedback. Would be great if you could contribute!

    Drop me an email if you’re interested.

    Thanks