porting forward fixes on saml2 destination, logging, and doc updates

core/cas-server-core-authentication-api/src/main/java/org/apereo/cas/authentication/CoreAuthenticationUtils.java

@@ -100,7 +100,7 @@ public static Map<String, Object> mergeAttributes(final Map<String, Object> curr
             .map(entry -> Pair.of(entry.getKey(), CollectionUtils.toCollection(entry.getValue(), ArrayList.class)))
             .collect(Collectors.toMap(Pair::getKey, Pair::getValue));
 
-        LOGGER.debug("Merging current attributes [{}] with [{}]", currentAttributes, attributesToMerge);
+        LOGGER.trace("Merging current attributes [{}] with [{}]", toModify, toMerge);
         val results = merger.mergeAttributes((Map) toModify, (Map) toMerge);
         LOGGER.debug("Merged attributes with the final result as [{}]", results);
         return results;

core/cas-server-core-authentication-api/src/main/java/org/apereo/cas/authentication/DefaultAuthenticationResultBuilder.java

@@ -92,7 +92,7 @@ public AuthenticationResult build(final PrincipalElectionStrategy principalElect
             LOGGER.info("Authentication result cannot be produced because no authentication is recorded into in the chain. Returning null");
             return null;
         }
-        LOGGER.debug("Building an authentication result for authentication [{}] and service [{}]", authentication, service);
+        LOGGER.trace("Building an authentication result for authentication [{}] and service [{}]", authentication, service);
         val res = new DefaultAuthenticationResult(authentication, service);
         res.setCredentialProvided(!this.providedCredentials.isEmpty());
         return res;
@@ -117,11 +117,11 @@ private Authentication buildAuthentication(final PrincipalElectionStrategy princ
         LOGGER.debug("Determined primary authentication principal to be [{}]", primaryPrincipal);
 
         authenticationBuilder.setAttributes(authenticationAttributes);
-        LOGGER.debug("Collected authentication attributes for this result are [{}]", authenticationAttributes);
+        LOGGER.trace("Collected authentication attributes for this result are [{}]", authenticationAttributes);
 
         authenticationBuilder.setAuthenticationDate(ZonedDateTime.now());
         val auth = authenticationBuilder.build();
-        LOGGER.debug("Authentication result commenced at [{}]", auth.getAuthenticationDate());
+        LOGGER.trace("Authentication result commenced at [{}]", auth.getAuthenticationDate());
         return auth;
     }
 

docs/cas-server-documentation/installation/Configuring-SAML2-Authentication.md

@@ -30,31 +30,6 @@ The following CAS endpoints respond to supported SAML2 profiles:
 - `/idp/profile/SAML2/SOAP/AttributeQuery`
 - `/idp/profile/SAML1/SOAP/ArtifactResolution`
 
-## Unsolicited SSO
-
-SAML2 IdP `Unsolicited/SSO` profile supports the following parameters:
-
-| Parameter                         | Description
-|-----------------------------------|-----------------------------------------------------------------
-| `providerId`                      | Required. Entity ID of the service provider.
-| `shire`                           | Optional. Response location (ACS URL) of the service provider.
-| `target`                          | Optional. Relay state.
-| `time`                            | Optional. Skew the authentication request.
-
-## Attribute Queries
-
-In order to allow CAS to support and respond to attribute queries, you need to make sure the generated metadata has
-the `AttributeAuthorityDescriptor` element enabled, with protocol support enabled for `urn:oasis:names:tc:SAML:2.0:protocol`
-and relevant binding that corresponds to the CAS endpoint(s). You also must ensure the `AttributeAuthorityDescriptor` tag lists all
-`KeyDescriptor` elements and certificates that are used for signing as well as authentication, specially if the SOAP client of the service provider 
-needs to cross-compare the certificate behind the CAS endpoint with what is defined for the `AttributeAuthorityDescriptor`. CAS by default 
-will always use its own signing certificate for signing of the responses generated as a result of an attribute query.
-
-Also note that support for attribute queries need to be explicitly enabled and the behavior is off by default, given it imposes a burden on 
-CAS and the underlying ticket registry to keep track of attributes and responses as tickets and have them be later used and looked up.
-
-To see the relevant list of CAS properties, please [review this guide](../configuration/Configuration-Properties.html#saml-idp).
-
 ## IdP Metadata
 
 The following CAS endpoints handle the generation of SAML2 metadata:
@@ -104,18 +79,7 @@ Here is a generated metadata file as an example:
 </EntityDescriptor>
 ```
 
-### Server Configuration
-
-If you have deployed CAS in an external application server/servlet container (i.e. Apache Tomcat) you will 
-need to make sure that the server is adjusted to handle large-enough `HttpHeaderSize` and `HttpPostSize` values (i.e. `2097152`). 
-The embedded container that ships with CAS handles this automatically.
-
-### Mapping Endpoints
-
-Note that CAS metadata endpoints for various bindings are typically available under `/cas/idp/...`. If you
-mean you use an existing metadata file whose binding endpoints begin with `/idp/...`, you may need to deploy
-CAS at the root context path so it's able to respond to those requests. (i.e. `https://sso.example.org/cas/login` becomes
-`https://sso.example.org/login`). Alternatively, you may try to use URL-rewriting route requests from `/idp/` to `/cas/idp/`,etc.
+SAML2 identity provider metadata can be managed in dynamics ways as well. To learn more, please [review this guide](Configuring-SAML2-DynamicMetadata.html).
 
 ## SP Metadata
 
@@ -292,6 +256,30 @@ decide to configure CAS to return a particular attribute as
 [the authenticated user name for this service](../integration/Attribute-Release-PrincipalId.html),
 that value will then be used to construct the Name ID along with the right format.
 
+## Unsolicited SSO
+
+SAML2 IdP `Unsolicited/SSO` profile supports the following parameters:
+
+| Parameter                         | Description
+|-----------------------------------|-----------------------------------------------------------------
+| `providerId`                      | Required. Entity ID of the service provider.
+| `shire`                           | Optional. Response location (ACS URL) of the service provider.
+| `target`                          | Optional. Relay state.
+| `time`                            | Optional. Skew the authentication request.
+
+## Attribute Queries
+
+In order to allow CAS to support and respond to attribute queries, you need to make sure the generated metadata has
+the `AttributeAuthorityDescriptor` element enabled, with protocol support enabled for `urn:oasis:names:tc:SAML:2.0:protocol`
+and relevant binding that corresponds to the CAS endpoint(s). You also must ensure the `AttributeAuthorityDescriptor` tag lists all
+`KeyDescriptor` elements and certificates that are used for signing as well as authentication, specially if the SOAP client of the service provider 
+needs to cross-compare the certificate behind the CAS endpoint with what is defined for the `AttributeAuthorityDescriptor`. CAS by default 
+will always use its own signing certificate for signing of the responses generated as a result of an attribute query.
+
+Also note that support for attribute queries need to be explicitly enabled and the behavior is off by default, given it imposes a burden on 
+CAS and the underlying ticket registry to keep track of attributes and responses as tickets and have them be later used and looked up.
+
+To see the relevant list of CAS properties, please [review this guide](../configuration/Configuration-Properties.html#saml-idp).
 
 ## SP Integrations
 
@@ -314,4 +302,8 @@ To enable additional logging, modify the logging configuration file to add the f
     <AppenderRef ref="console"/>
     <AppenderRef ref="file"/>
 </AsyncLogger>
+<AsyncLogger name="PROTOCOL_MESSAGE" level="debug" additivity="false">
+    <AppenderRef ref="console"/>
+    <AppenderRef ref="file"/>
+</AsyncLogger>
 ```

docs/cas-server-documentation/installation/Logging.md

@@ -25,9 +25,6 @@ It is often time helpful to externalize the `log4j2.xml` file to a system path t
 The location of `log4j2.xml` file by default is on the runtime classpath and can be controlled
 via the CAS properties. To see the relevant list of CAS properties, please [review this guide](../configuration/Configuration-Properties.html#logging).
 
-<div class="alert alert-info"><strong>Monitoring Logs</strong><p>To review log settings and output,
- you may also use the <a href="Monitoring-Statistics.html">CAS administration panels.</a></p></div>
-
 ### Log Levels
 
 While log levels can directly be massaged via the native `log4j2.xml` syntax, they may also be modified
@@ -133,4 +130,4 @@ SERVER IP ADDRESS: ...
 Certain number of characters are left at the trailing end of the ticket id to assist with
 troubleshooting and diagnostics.
 
-To see the relevant list of CAS properties, please [review this guide](../configuration/Configuration-Properties.html#logging).
+To see the relevant list of CAS properties, please [review this guide](../configuration/Configuration-Properties.html#logging).

docs/cas-server-documentation/sidebar.md

@@ -212,6 +212,8 @@ layout: null
     *   [SAML](#samlprotocol)
         *   [SAML1](/$version/protocol/SAML-Protocol.html)
         *   [SAML2](/$version/installation/Configuring-SAML2-Authentication.html)
+            *   [Attribute Release](/$version/installation/Configuring-SAML2-Attribute-Release.html)
+            *   [Metadata Management](/$version/installation/Configuring-SAML2-DynamicMetadata.html)
     *   [REST](/$version/protocol/REST-Protocol.html)
 
 * [Notifications](#casnotifications)

gradle/springboot.gradle

@@ -79,7 +79,7 @@ or the build is signaled to skip the plugin explicitly.
 int findAvailableTcpPort(List<Integer> portRange) {
     for (int port : portRange) {
         try {
-            println "Checking port ${port}"
+            logger.debug "Checking port ${port}"
             def serverSocket = new ServerSocket(port)
             serverSocket.close()
             return port

style/dependency-check-suppressions.xml

@@ -3,6 +3,9 @@
     <suppress>
         <cve>CVE-2016-7048</cve>
     </suppress>
+    <suppress>
+        <cve>CVE-2018-15728</cve>
+    </suppress>
     <suppress>
         <cve>CVE-2011-4461</cve>
     </suppress>

support/cas-server-support-saml-idp-web/src/main/java/org/apereo/cas/support/saml/web/idp/profile/builders/response/SamlProfileSaml2ResponseBuilder.java

@@ -2,6 +2,7 @@
 
 import org.apereo.cas.support.saml.OpenSamlConfigBean;
 import org.apereo.cas.support.saml.SamlException;
+import org.apereo.cas.support.saml.SamlIdPUtils;
 import org.apereo.cas.support.saml.SamlUtils;
 import org.apereo.cas.support.saml.services.SamlRegisteredService;
 import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
@@ -20,6 +21,7 @@
 
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.velocity.app.VelocityEngine;
 import org.opensaml.messaging.context.MessageContext;
 import org.opensaml.saml.common.SAMLVersion;
@@ -85,6 +87,10 @@ public Response buildResponse(final Assertion assertion,
         samlResponse.setVersion(SAMLVersion.VERSION_20);
         samlResponse.setIssuer(buildEntityIssuer());
 
+        val acs = SamlIdPUtils.determineEndpointForRequest(authnRequest, adaptor, binding);
+        val location = StringUtils.isBlank(acs.getResponseLocation()) ? acs.getLocation() : acs.getResponseLocation();
+        samlResponse.setDestination(location);
+
         if (casProperties.getAuthn().getSamlIdp().isAttributeQueryProfileEnabled()) {
             storeAttributeQueryTicketInRegistry(assertion, request, adaptor);
         }