Do you have the dashboard endpoints enabled? Can you go to the "services"
endpoint, which dumps the service registry, and see if there's something
else in there?

Alternatively, I think if you turn on debug mode logging, it will tell you
what services are loaded.

I'm thinking you might be getting a wildcard match through no fault of your
own.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

On Mon, May 7, 2018 at 3:48 PM, Patrick Sutton <patrick.sutton.w...@gmail.com> wrote:

> Hello everyone,
>
> I'm the developer who has been working on implementing the SAML
> authentication referenced by the OP, and the provided responses seem to
> align with what I've come across while researching the issue, so I wanted
> to try and provide a little more information in the hopes that it'll help
> better explain the issue.
>
> From what I've been able to discern while attempting to debug the issue,
> it appears that the SAML service definition isn't even being loaded by CAS
> for some reason. I've tried everything from manually modifying the
> evaluationOrder property of the existing services to ensure the SAML
> service definition would be loaded first to deleting the other service
> definitions to eliminate load order issues, but to no avail.
>
> I've attached "scrubbed" versions of our current service definitions,
> along with the metadata returned from the SP we are attempting to integrate
> with CAS. If there is any additional information I can provide, please
> don't hesitate to ask.
>
> For reference, here are the property values related to SAML that we are
> currently using:
>
> cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
> cas.authn.samlIdp.scope=cas-idp-domain.com
>
>
> {
>   /*
>     Generic service definition that applies to https/imaps urls
>     that wish to register with CAS for authentication.
>   */
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https):\\/\\/.*\\.cas-idp-domain\\.com\\/.*",
>   "name" : "HTTPS for genius",
>   "id" : 10000006,
>   "evaluationOrder": 300
> }
>
>
> {
>   /*
>     Generic service definition that applies to https/imaps urls
>     that wish to register with CAS for authentication.
>   */
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https):\\/\\/portal\\.cas-idp-domain\\.com\\/.*",
>   "name" : "HTTPS for another Vendor",
>   "id" : 10000004,
>   "evaluationOrder": 200
> }
>
>
> {
>   /*
>    * The CAS SAML IdP creates this endpoint as part of its initialization
>    * process at server startup time. If the service registry doesn't already
>    * contain an entry whose serviceId matches the endpoint, CAS will create
>    * a new service definition and save it to the registry. If the CAS server
>    * doesn't have write access to the registry, then the save will fail and
>    * the server will not start.
>    *
>    * To avoid that situation, and to make it clear that this endpoint is a
>    * "desired" service, it is defined explicitly here.
>    */
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "https://vendor-site.com/Pages/Auth/Login.aspx",
>   "name" : "SAML Authentication Request",
>   "id" : 10000003,
>   "metadataLocation" : "https://link-to-metadata.com",
>   "evaluationOrder": 1
> }
>
>
> SP Metadata:
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S"
>     entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
>     <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
>         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>             Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
>     </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
> On Monday, May 7, 2018 at 8:19:58 AM UTC-7, John D Giotta wrote:
>>
>> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS
>> (currently using CAS protocol).
>>
>> I've followed documentation, but unfortunately I'm unable to get the
>> application to authorize.
>>
>> The error I get in logs is:
>>
>>> CAS has found a match for service [https://vendor-site.com/Pages/Auth/Login.aspx]
>>> in registry but the match is not defined as a SAML service

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPwDPksD58AeP_pF3aHCzT6LbX4iLg0zxgpaiiDGYPqLA%40mail.gmail.com.

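To check Dave's wildcard-match hypothesis offline, the following added Python example (not part of the thread and not CAS project code) replays the three quoted service definitions against the SP entityID in ascending evaluationOrder and reproduces the decision behind the quoted log line. It assumes CAS treats serviceId as an unanchored Java regex (Matcher.find(), approximated with re.search); the CATCH_ALL definition is a hypothetical extra entry that borrows the pattern from CAS's stock HTTPSandIMAPS service.

```python
import re

# Constructed replay of the three service definitions quoted in the thread
# (comments dropped, trailing commas removed). Not CAS project code.
SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
REGEX_CLASS = "org.apereo.cas.services.RegexRegisteredService"

SERVICE_DEFINITIONS = [
    {"@class": REGEX_CLASS, "id": 10000006, "evaluationOrder": 300,
     "name": "HTTPS for genius",
     "serviceId": r"^(https):\/\/.*\.cas-idp-domain\.com\/.*"},
    {"@class": REGEX_CLASS, "id": 10000004, "evaluationOrder": 200,
     "name": "HTTPS for another Vendor",
     "serviceId": r"^(https):\/\/portal\.cas-idp-domain\.com\/.*"},
    {"@class": SAML_CLASS, "id": 10000003, "evaluationOrder": 1,
     "name": "SAML Authentication Request",
     "serviceId": r"https://vendor-site.com/Pages/Auth/Login.aspx"},
]

# Hypothetical catch-all of the kind Dave suspects. The pattern is the one in
# CAS's stock HTTPSandIMAPS definition; its presence here is an assumption.
CATCH_ALL = {"@class": REGEX_CLASS, "id": 10000001, "evaluationOrder": 10000,
             "name": "HTTPS and IMAPS", "serviceId": r"^(https|imaps)://.*"}

# SP entityID from the posted metadata and the quoted log line.
SP_ENTITY_ID = "https://vendor-site.com/Pages/Auth/Login.aspx"


def find_matching_service(definitions, service_url):
    """First definition, in ascending evaluationOrder, whose serviceId matches.
    Assumption: CAS treats serviceId as an unanchored Java regex
    (Matcher.find()), approximated here with re.search."""
    for definition in sorted(definitions, key=lambda d: d["evaluationOrder"]):
        if re.search(definition["serviceId"], service_url):
            return definition
    return None


def diagnose(definitions, service_url):
    """Reproduce the decision behind the log line quoted in the thread."""
    match = find_matching_service(definitions, service_url)
    if match is None:
        return "no service definition matches"
    if match["@class"] != SAML_CLASS:
        return (f"CAS has found a match for service [{service_url}] in registry "
                f"but the match is not defined as a SAML service "
                f"(matched {match['name']!r}, id {match['id']})")
    return f"SAML service {match['name']!r} (id {match['id']}) selected"
```

With all three definitions loaded the SAML entry (evaluationOrder 1) wins; with it absent, the two posted regex services match nothing at all, so the quoted log line can only appear if some wider pattern such as CATCH_ALL is also present in the registry.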