Richard,

Thank you for the advice on this. We have started the creation process of our gsuitetest subdomain. While waiting for Google to verify ownership, I'd like to probe your brain some more. In the past (CAS 5.2), using that Googleapps SAML dependency allowed you to configure the Google service with the *org.apereo.cas.services.RegexRegisteredService* class, if memory serves. Are you saying that I'll have to change the service entry to use the *org.apereo.cas.support.saml.services.SamlRegisteredService* class and configure it as a SAML2 service now? That's not an issue if I do, but I'm confused by that difference.
Also, in the past version of CAS, I believe we sent uid attributes to Google. If I release that through SAML2, will I need to specify the namespace used (something like urn:oid:0.9.2342.19200300.100.1.1)?

On Monday, August 3, 2020 at 2:00:59 PM UTC-4 richard.frovarp wrote:
> No, there isn't. You configure it as a SAML 2 provider. This means you have
> to craft the metadata by hand. Also, it is beyond deprecated as it will
> kill your other SAML integrations. So it's best to just do a pure SAML
> setup with it. Here's the draft set of instructions I put together. I need
> to get these published on the public Internet somewhere, as I suspect they
> would be useful to others:
>
> G Suite now offers test domains for testing things. This can be used to
> validate SSO settings and changes.
>
> So first you may want to change to "Use a domain specific issuer" to
> differentiate between your normal instance and the test one. That will
> result in an issuer looking like this:
>
> google.com/a/gsuitetest.ndsu.edu
>
> instead of
>
> google.com
>
> The Sign-in page URL is this off of your IdP:
>
> cas/idp/profile/SAML2/Redirect/SSO
>
> The certificate provided needs to be your SAML 2 signing certificate.
>
> From here you will need to generate metadata to give CAS. You can use this
> service to generate the metadata:
>
> https://www.samltool.com/sp_metadata.php
>
> Values:
>
> Entity ID: The issuer, which in my case is google.com/a/gsuitetest.ndsu.edu
>
> ACS Endpoint: This can be obtained by doing a test auth from G Suite and using
> SAML Tracer, but looks like this for my test domain:
> https://www.google.com/a/gsuitetest.ndsu.edu/acs
>
> Nameid Format: Leave at 1.1 unspecified
>
> You don't need a cert. You need to upload your SAML certificate to Google
> so that it can verify the response.
>
> You will need to edit the generated metadata to remove the "validUntil"
> attribute, as it is set to expire very quickly.
>
> On Mon, 2020-08-03 at 10:50 -0700, Jeremiah Garmatter wrote:
> > Hello,
> >
> > I've recently upgraded my CAS server from 5.3.14 to 6.2.1 and had a
> > question about Google Apps integration.
> >
> > On the older system, there was a gradle dependency for google apps SAML:
> > implementation "org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"
> >
> > I get a deprecation warning when using this:
> > CAS integration with Google Apps is now deprecated and scheduled to be
> > removed in the future. The functionality is now redundant and unnecessary
> > with CAS able to provide SAML2 identity provider features. To handle the
> > integration, you should configure CAS to act as a SAML2 identity provider
> > and remove this integration from your deployment to protected against
> > future removals and surprises.
> >
> > I've changed to use the SAML 2 dependency:
> > implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
> > but I'm not sure what to do about Google's properties. There were
> > properties defined for public and private keys within cas.properties:
> > cas.google-apps.private-key-location=
> > cas.google-apps.public-key-location=
> > cas.google-apps.key-algorithm=RSA
> >
> > Are there equivalent properties for SAML2?
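The hand-crafted SP metadata Richard describes (domain-specific issuer as the entity ID, Google's ACS endpoint, the 1.1 unspecified NameID format, no SP certificate and no validUntil) as an added Python example that is not part of this thread and not CAS or Google code. The XML layout and the sanity check are my own; the binding and protocolSupportEnumeration URIs are the standard SAML 2.0 values, which the post does not spell out.

```python
"""Build and sanity-check minimal SAML 2.0 SP metadata for a G Suite domain.

Constructed example, not from the thread: mirrors the samltool.com output
described in the post, with the validUntil attribute left out so CAS
does not reject the metadata the moment it expires.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# "1.1 unspecified" in the samltool.com form corresponds to this URI.
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("md", MD_NS)


def build_gsuite_sp_metadata(domain: str) -> str:
    """Return SP metadata for a domain-specific G Suite issuer.

    Entity ID is google.com/a/<domain> (the "Use a domain specific issuer"
    setting); the ACS endpoint is https://www.google.com/a/<domain>/acs.
    No KeyDescriptor is emitted: Google verifies the IdP's signature with
    the certificate uploaded in the admin console, so the SP needs no cert.
    """
    entity_id = f"google.com/a/{domain}"
    acs_url = f"https://www.google.com/a/{domain}/acs"
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    spsso = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                          {"protocolSupportEnumeration": SAML2_PROTOCOL})
    ET.SubElement(spsso, f"{{{MD_NS}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    ET.SubElement(spsso, f"{{{MD_NS}}}AssertionConsumerService",
                  {"Binding": HTTP_POST_BINDING, "Location": acs_url, "index": "1"})
    return ET.tostring(root, encoding="unicode")


def check_metadata(xml_text: str) -> list:
    """Return the problems a deployer should fix before handing this to CAS."""
    root = ET.fromstring(xml_text)
    problems = []
    if "validUntil" in root.attrib:
        problems.append("validUntil present: remove it, CAS rejects expired metadata")
    if root.find(f"{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}AssertionConsumerService") is None:
        problems.append("no AssertionConsumerService: Google cannot receive the response")
    return problems


if __name__ == "__main__":
    metadata = build_gsuite_sp_metadata("gsuitetest.ndsu.edu")
    print(metadata)
    print(check_metadata(metadata) or "metadata looks usable")
```

Feed the printed XML to CAS as the metadata location of the SamlRegisteredService entry; the check flags the two defects the post warns about.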