I'm writing a SAML authentication extension for the Guacamole Project 
(http://guacamole.apache.org).

-Nick

On Thursday, February 15, 2018 at 1:24:24 PM UTC-5, Misagh Moayyed wrote:
>
> Cool. Who exactly is the SP in this scenario? 
>
> --Misagh
>
> ------------------------------
>
> *From: *"vnick" <nick.e....@gmail.com>
> *To: *"CAS Community" <cas-...@apereo.org>
> *Cc: *"Misagh Moayyed" <mmoa...@unicon.net>
> *Sent: *Thursday, February 15, 2018 10:48:25 AM
> *Subject: *[SOLVED] Re: [cas-user] CAS 5.2.x SAML IdP Issues
>
> Well, this put me on the right path - turns out the number of services the 
> log file told me was loading just happened to match what was in the 
> services directory, but the CAS configuration was not pointing at anything 
> but the default location, so it wasn't actually loading my services.  
> Problem is resolved - all works well, now!
> -Nick
>
> On Thursday, February 15, 2018 at 12:29:00 PM UTC-5, Misagh Moayyed wrote:
>>
>> Do you have other JSON service definitions in the registry? Anything with 
>> a lower evaluation order or a more relaxed regex pattern? 
>>
>> --Misagh
>>
>> ------------------------------
>>
>> *From: *"vnick" <nick.e....@gmail.com>
>> *To: *"CAS Community" <cas-...@apereo.org>
>> *Sent: *Thursday, February 15, 2018 10:15:40 AM
>> *Subject: *[cas-user] CAS 5.2.x SAML IdP Issues
>>
>> Hey, everyone,
>> I'm trying to get SAML2 authentication working against my CAS server.  
>> I've got CAS protocol authentications working just fine, but am struggling 
>> getting the SAML IdP configured correctly.  I have the following items 
>> configured in my main CAS configuration:
>>
>> ## SAML Provider
>> cas.authn.samlIdp.entityId=https://server.domain.com/cas/idp
>> cas.authn.samlIdp.hostName=server.domain.com
>> cas.authn.samlIdp.scope=domain.com
>> cas.authn.samlIdp.metadata.cacheExpirationMinutes=30
>> cas.authn.samlIdp.metadata.failFast=true
>> cas.authn.samlIdp.metadata.location=file:///etc/cas/saml
>> cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
>> cas.authn.samlIdp.metadata.requireValidMetadata=true
>> cas.authn.samlIdp.logout.forceSignedLogoutRequests=true
>> cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false
>> cas.authn.samlIdp.response.skewAllowance=0
>> cas.authn.samlIdp.response.signError=false
>> cas.authn.samlIdp.response.useAttributeFriendlyName=true
>>
>> I also have a JSON-based service registry configured, and have the 
>> following entry for the SP that I'm trying to authenticate with:
>>
>> {
>>     "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>     "serviceId": "https://1.2.3.4/guacamole/api/tokens",
>>     "name": "GuacamoleSAML",
>>     "id": 1002,
>>     "evaluationOrder": 1002,
>>     "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"
>> }
>>
>> and, finally, I used the web site mentioned in the CAS SAML IdP 
>> documentation to generate the metadata:
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>                      validUntil="2018-02-17T03:16:28Z"
>>                      cacheDuration="PT604800S"
>>                      entityID="https://1.2.3.4/guacamole/api/tokens">
>>     <md:SPSSODescriptor AuthnRequestsSigned="false"
>>                         WantAssertionsSigned="false"
>>                         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>>         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>                                      Location="https://1.2.3.4/guacamole/api/ext/saml/callback"
>>                                      index="1" />
>>     </md:SPSSODescriptor>
>> </md:EntityDescriptor>
>>
>> However, every time I try to authenticate with this app, I receive the 
>> following error:
>>
>> 2018-02-15 12:12:52,559 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Received SAML profile request [/cas/idp/profile/SAML2/Redirect/SSO]>
>> 2018-02-15 12:12:52,581 ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <CAS has found a match for service [https://1.2.3.4/guacamole/api/tokens] in registry but the match is not defined as a SAML service>
>>
>> I can't seem to get much more detail - I think something must be wrong 
>> with my logging configuration, because I can't get any debugging.  Also, 
>> most of the parameters in the CAS configuration file for SAML 
>> (cas.authn.samlIdp.*) seem to lack documentation - for example, I feel like 
>> this could be related to "cas.authn.samlIdp.scope=domain.com", but 
>> there's no documentation on what's expected or acceptable for the scope, 
>> or whether this would generate the error message I'm seeing above.  Other 
>> than that, as far as I can tell, my JSON service entry matches the 
>> documentation, is valid JSON, and defines the mentioned service as a SAML 
>> service, so it's unclear to me what's leading to this error.
>>
>> Any pointers would be appreciated!
>>
>> -Nick
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a73bc1a6-1b6a-4d11-b33e-8185c466e0c9%40apereo.org.
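Added example, not from the thread and not CAS's own code: a small Python checker that does what Misagh's question ("anything with a lower evaluation order or a more relaxed regex pattern?") asks you to do by hand. It loads every JSON definition in a services directory, pulls the entityID out of the SP metadata, walks the definitions in evaluationOrder and reports whether the first regex match is a SamlRegisteredService, which is the condition the "match is not defined as a SAML service" log line reports. The sample registry and the trimmed metadata are constructed inline; the catch-all RegexRegisteredService in it is invented to show the shadowing case. CAS treats serviceId as a regular expression; this script approximates that with Python's re.search and breaks evaluationOrder ties by id, so treat both as assumptions rather than CAS's exact semantics.

```python
import json
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample registry (not files from the thread): an invented
# catch-all non-SAML definition that shadows the SAML one, plus the
# Guacamole SAML definition from the original post.
SAMPLE_SERVICES = {
    "catch-all-1.json": {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://.*",
        "name": "catch-all",
        "id": 1,
        "evaluationOrder": 1,
    },
    "GuacamoleSAML-1002.json": {
        "@class": SAML_SERVICE_CLASS,
        "serviceId": "https://1.2.3.4/guacamole/api/tokens",
        "name": "GuacamoleSAML",
        "id": 1002,
        "evaluationOrder": 1002,
        "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml",
    },
}

# Constructed SP metadata, trimmed from the original post.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://1.2.3.4/guacamole/api/tokens">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def load_registry(directory):
    """Load every *.json definition in a services directory (the JSON registry layout)."""
    services = []
    for path in sorted(Path(directory).glob("*.json")):
        with open(path, encoding="utf-8") as fh:
            svc = json.load(fh)
        svc["_file"] = path.name
        services.append(svc)
    return services


def sp_entity_id(metadata_xml):
    """Return the entityID the IdP will look up when this SP sends an AuthnRequest."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD_NS + "EntityDescriptor":
        raise ValueError("not an EntityDescriptor: %s" % root.tag)
    return root.attrib["entityID"]


def find_matching_service(entity_id, services):
    """Approximation of the registry lookup: lowest evaluationOrder wins, serviceId is a regex.
    Assumption: re.search stands in for CAS's own pattern matching."""
    ordered = sorted(services, key=lambda s: (s.get("evaluationOrder", 0), s.get("id", 0)))
    for svc in ordered:
        try:
            if re.search(svc["serviceId"], entity_id):
                return svc
        except re.error:
            continue  # an unparseable pattern can never match
    return None


def diagnose(entity_id, services):
    """Short verdict mirroring the log line from the thread."""
    match = find_matching_service(entity_id, services)
    if match is None:
        return "no-match"
    if match.get("@class") != SAML_SERVICE_CLASS:
        return "shadowed-by:%s" % match["name"]
    return "ok:%s" % match["name"]


def write_sample_registry(directory):
    """Materialise the constructed registry on disk so load_registry can read it back."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    for name, svc in SAMPLE_SERVICES.items():
        (d / name).write_text(json.dumps(svc, indent=2), encoding="utf-8")
    return d


def run_demo(directory=None):
    """Diagnose the sample SP against the full registry and against the SAML entry alone."""
    if directory is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_demo(tmp)
    registry = load_registry(write_sample_registry(directory))
    eid = sp_entity_id(SAMPLE_SP_METADATA)
    saml_only = [s for s in registry if s.get("@class") == SAML_SERVICE_CLASS]
    return eid, diagnose(eid, registry), diagnose(eid, saml_only)


if __name__ == "__main__":
    entity, with_catch_all, saml_alone = run_demo()
    print(entity, "->", with_catch_all, "/", saml_alone)
```

Point load_registry at the directory that cas.serviceRegistry.json.location actually names, not the one you assume it names; the resolution in this thread was exactly that mismatch, and a count of loaded services that happens to equal the file count in a different directory proves nothing.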
