Hey, everyone, I'm trying to get SAML2 authentication working against my CAS server. I've got CAS protocol authentications working just fine, but am struggling to get the SAML IdP configured correctly. I have the following items configured in my main CAS configuration:
## SAML Provider
cas.authn.samlIdp.entityId=https://server.domain.com/cas/idp
cas.authn.samlIdp.hostName=server.domain.com
cas.authn.samlIdp.scope=domain.com
cas.authn.samlIdp.metadata.cacheExpirationMinutes=30
cas.authn.samlIdp.metadata.failFast=true
cas.authn.samlIdp.metadata.location=file:///etc/cas/saml
cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
cas.authn.samlIdp.metadata.requireValidMetadata=true
cas.authn.samlIdp.logout.forceSignedLogoutRequests=true
cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false
cas.authn.samlIdp.response.skewAllowance=0
cas.authn.samlIdp.response.signError=false
cas.authn.samlIdp.response.useAttributeFriendlyName=true

I also have a JSON-based service registry configured, and have the following entry for the SP that I'm trying to authenticate with:

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://1.2.3.4/guacamole/api/tokens",
  "name": "GuacamoleSAML",
  "id": 1002,
  "evaluationOrder": 1002,
  "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"
}

and, finally, I used the web site mentioned in the CAS SAML IdP documentation to generate the metadata:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2018-02-17T03:16:28Z"
                     cacheDuration="PT604800S"
                     entityID="https://1.2.3.4/guacamole/api/tokens">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
                      WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://1.2.3.4/guacamole/api/ext/saml/callback"
                                 index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>

However, every time I try to authenticate with this app, I receive the following error:

2018-02-15 12:12:52,559 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Received SAML profile request [/cas/idp/profile/SAML2/Redirect/SSO]>
2018-02-15 12:12:52,581 ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <CAS has found a match for service [https://1.2.3.4/guacamole/api/tokens] in registry but the match is not defined as a SAML service>

I can't seem to get much more detail - I think something must be wrong with my logging configuration, because I can't get any debugging. Also, most of the parameters in the CAS configuration file for SAML (cas.authn.samlIdp.*) seem to lack documentation - for example, I feel like this could be related to "cas.authn.samlIdp.scope=domain.com", but there's no documentation on what's expected or acceptable for the scope, or on whether this would generate the error message I'm seeing above. Other than that, as far as I can tell, my JSON service entry matches the documentation, is valid JSON, and defines the mentioned service as a SAML service, so it's unclear to me what's leading to this error.

Any pointers would be appreciated!

-Nick
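An added example, not from Nick's post or from the CAS project: a small Python checker that reads a JSON service-registry entry together with the SP metadata it points at and reports the inconsistencies an admin would want to catch before testing a login (wrong @class, serviceId not matching the metadata entityID, expired validUntil, non-HTTPS ACS endpoint, SP not requiring signed assertions). The sample entry and metadata are constructed copies of the ones in the post, and treating serviceId as a regex matched against the SP entityID is an assumption about CAS behaviour.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
# Constructed sample input, modelled on the registry entry and SP metadata in the post.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://1.2.3.4/guacamole/api/tokens",
  "name": "GuacamoleSAML", "id": 1002,
  "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"
}"""
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  validUntil="2018-02-17T03:16:28Z" entityID="https://1.2.3.4/guacamole/api/tokens">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://1.2.3.4/guacamole/api/ext/saml/callback" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # Z suffix: pre-3.11 compat


def check_saml_service(service_json: str, metadata_xml: str, now_iso: str) -> list[str]:
    """Return findings for a registry entry / SP metadata pair; empty means consistent."""
    findings = []
    svc = json.loads(service_json)
    if svc.get("@class") != SAML_SERVICE_CLASS:
        findings.append(f"@class is {svc.get('@class')!r}, not SamlRegisteredService")
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    # Assumption: CAS matches serviceId as a regex against the SP's entityID.
    if not re.fullmatch(svc.get("serviceId", ""), entity_id):
        findings.append(f"serviceId {svc.get('serviceId')!r} does not match entityID {entity_id!r}")
    valid_until = root.get("validUntil")
    if valid_until and _ts(valid_until) < _ts(now_iso):  # rejected when requireValidMetadata=true
        findings.append(f"metadata expired at {valid_until}")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return findings + ["metadata has no SPSSODescriptor"]
    for acs in sp.findall(f"{{{MD_NS}}}AssertionConsumerService"):
        if not acs.get("Location", "").startswith("https://"):
            findings.append(f"ACS endpoint is not HTTPS: {acs.get('Location')}")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("SP does not require signed assertions (WantAssertionsSigned=false)")
    return findings
```

Run against the post's own entry and metadata at the time of the logged error, the only finding is the unsigned-assertions warning, which is a hint to reconsider the SP's WantAssertionsSigned setting rather than the cause of the registry mismatch.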