Do you have other JSON service definitions in the registry? Anything with a 
lower evaluation order or a more relaxed regex pattern? 

--Misagh 

> From: "vnick" <nick.e.couch...@gmail.com>
> To: "CAS Community" <cas-user@apereo.org>
> Sent: Thursday, February 15, 2018 10:15:40 AM
> Subject: [cas-user] CAS 5.2.x SAML IdP Issues

> Hey, everyone,
> I'm trying to get SAML2 authentication working against my CAS server. I've got
> CAS protocol authentications working just fine, but am struggling getting the
> SAML IdP configured correctly. I have the following items configured in my main
> CAS configuration:

> ## SAML Provider
> cas.authn.samlIdp.entityId=https://server.domain.com/cas/idp
> cas.authn.samlIdp.hostName=server.domain.com
> cas.authn.samlIdp.scope=domain.com
> cas.authn.samlIdp.metadata.cacheExpirationMinutes=30
> cas.authn.samlIdp.metadata.failFast=true
> cas.authn.samlIdp.metadata.location=file:///etc/cas/saml
> cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
> cas.authn.samlIdp.metadata.requireValidMetadata=true
> cas.authn.samlIdp.logout.forceSignedLogoutRequests=true
> cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false
> cas.authn.samlIdp.response.skewAllowance=0
> cas.authn.samlIdp.response.signError=false
> cas.authn.samlIdp.response.useAttributeFriendlyName=true

> I also have a JSON-based service registry configured, and have the following
> entry for the SP that I'm trying to authenticate with:

> {
> "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
> "serviceId": "https://1.2.3.4/guacamole/api/tokens",
> "name": "GuacamoleSAML",
> "id": 1002,
> "evaluationsOrder": 1002,
> "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"
> }

> and, finally, I used the web site mentioned in the CAS SAML IdP documentation to
> generate the metadata:

> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> validUntil="2018-02-17T03:16:28Z"
> cacheDuration="PT604800S"
> entityID="https://1.2.3.4/guacamole/api/tokens">
> <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
> <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://1.2.3.4/guacamole/api/ext/saml/callback"
> index="1" />
> </md:SPSSODescriptor>
> </md:EntityDescriptor>

> However, every time I try to authenticate with this app, I receive the following
> error:

> 2018-02-15 12:12:52,559 INFO
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
> - <Received SAML profile request [/cas/idp/profile/SAML2/Redirect/SSO]>
> 2018-02-15 12:12:52,581 ERROR
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
> - <CAS has found a match for service [https://1.2.3.4/guacamole/api/tokens] in
> registry but the match is not defined as a SAML service>

> I can't seem to get much more detail - I think something must be wrong with my
> logging configuration, because I can't get any debugging. Also, most of the
> parameters in the cas configuration file for SAML (cas.authn.samlIdp.*) seem to
> lack documentation - for example, I feel like this could be related to the
> "cas.authn.samlIdp.scope=domain.com", but there's no documentation on what's
> expected or acceptable for the scope, and whether this would generate the error
> message I'm seeing above? Other than that, as far as I can tell, my JSON
> service entry matches the documentation, is valid JSON, and defines the
> mentioned service as a SAML service, so it's unclear to me what's leading to
> this error.

> Any pointers would be appreciated!

> -Nick

> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS
> Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email
> to cas-user+unsubscr...@apereo.org .
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/abc5ef3d-26d5-4070-a08f-aa40db37a7fc%40apereo.org
> .

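The question raised in the reply (whether another definition with a lower evaluation order or a looser serviceId pattern claims the request before the SAML entry does) can be checked offline against the JSON registry. The Python script below is an added example, not code from the post or from the CAS project. It loads JSON service definitions, orders them by `evaluationOrder` (the key CAS uses; note the posted entry spells it `evaluationsOrder`), and reports which definition claims the requested URL and whether a SAML definition is being shadowed. The catch-all entry in the sample registry is a hypothetical definition constructed for illustration, and using a substring regex search to approximate how CAS matches serviceId is an assumption.

```python
import json
import re
import sys
from pathlib import Path

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

# Constructed sample registry: the SAML entry from the post (with the key spelled
# evaluationOrder as CAS expects) plus a hypothetical catch-all definition of the
# kind the reply asks about. Both are illustrative, not taken from a real deployment.
SAMPLE_REGISTRY = [
    json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https?|imaps?)://.*",
        "name": "CatchAll",
        "id": 10000001,
        "evaluationOrder": 1,
    }),
    json.dumps({
        "@class": SAML_CLASS,
        "serviceId": "https://1.2.3.4/guacamole/api/tokens",
        "name": "GuacamoleSAML",
        "id": 1002,
        "evaluationOrder": 1002,
        "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml",
    }),
]


def load_registry(json_texts):
    """Parse JSON service definitions (one document per string)."""
    return [json.loads(text) for text in json_texts]


def load_registry_dir(path):
    """Read every *.json file in a CAS JSON service registry directory."""
    return load_registry(p.read_text() for p in sorted(Path(path).glob("*.json")))


def services_without_order(services):
    """Names of definitions lacking the evaluationOrder key (e.g. a misspelled key)."""
    return [s.get("name", "?") for s in services if "evaluationOrder" not in s]


def matching_services(services, requested):
    """Definitions whose serviceId regex matches the requested URL, in evaluation order.

    Assumption: CAS compiles serviceId as a regular expression. A substring search
    approximates that here, so an unanchored pattern such as
    'https://1.2.3.4/guacamole/api/tokens' also matches longer URLs containing it.
    Note that '.' in the IP address matches any character, not only a literal dot.
    """
    ordered = sorted(services, key=lambda s: s.get("evaluationOrder", 0))
    return [s for s in ordered if re.search(s["serviceId"], requested)]


def diagnose(services, requested):
    """Classify how the registry resolves the requested URL.

    'shadowed' is the situation behind the error in the post: a non-SAML definition
    wins on evaluation order even though a SAML definition also matches.
    """
    matches = matching_services(services, requested)
    if not matches:
        return "no-match"
    winner = matches[0]
    if winner.get("@class") == SAML_CLASS:
        return "ok"
    if any(s.get("@class") == SAML_CLASS for s in matches[1:]):
        return "shadowed"
    return "not-saml"


def report(services, requested):
    """Human-readable summary of every matching definition plus key warnings."""
    matches = matching_services(services, requested)
    lines = [f"requested: {requested}", f"verdict: {diagnose(services, requested)}"]
    for s in matches:
        lines.append(f"  order={s.get('evaluationOrder', 0):>6} id={s.get('id')} "
                     f"class={s.get('@class')} serviceId={s['serviceId']!r}")
    for name in services_without_order(services):
        lines.append(f"  warning: {name} has no evaluationOrder key")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_registry.py /etc/cas/services https://sp.example/acs
    # With no arguments the constructed sample registry is checked.
    if len(sys.argv) == 3:
        print(report(load_registry_dir(sys.argv[1]), sys.argv[2]))
    else:
        print(report(load_registry(SAMPLE_REGISTRY),
                     "https://1.2.3.4/guacamole/api/tokens"))
```

Run it against the real registry directory and the exact URL from the log line; if the first listed definition is not the SamlRegisteredService, that definition is the one producing "match is not defined as a SAML service", and either tightening its pattern or lowering the SAML entry's evaluationOrder resolves the ordering.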