Thank you so much, Ray. Turning up log to trace was helpful. Turns out I had MetadataSignatureLocation pointing to a copy of my signing cert instead of theirs (at least CAS stopped complaining when I pointed it to theirs). Getting a SAMLTracer for my browser was helpful too... both parties now appear to be talking civilly (i.e. returning 200).
Unfortunately, I'm still not 100% of the way there... I end up on either a blank white page on the Microsoft side after signin or a page that says "Sorry that didn't work out, try again." Any further hints?

Best Regards,
Stewart

On Monday, October 26, 2020 at 11:10:59 AM UTC-5 Ray Bon wrote:
> Stewart,
>
> Turn up logging to TRACE.
> I would think the signature is referring to O365, since cas knows its own certificate.
> You should not have to add anything to the local trust store, this would become a maintenance nightmare. Metadata includes self signed certificates, almost exclusively.
> Make sure the O365 certificate is what is in your relying party metadata.
>
> Get a tool like SAMLTracer for your browser. You can see what is being sent between parties.
>
> Ray
>
> On Sat, 2020-10-24 at 06:23 -0700, Stewart wrote:
> > Hey Folks,
> >
> > I'm trying to get CAS to act as an idp for Office365. I've tried both the built-in integration and configuring it manually. Either way I keep getting this:
> >
> > 2020-10-24 06:14:56,070 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver] - <Loading SAML metadata from [/etc/cas/saml/federationmetadata.xml]>
> > 2020-10-24 06:14:56,108 INFO [org.apereo.cas.support.saml.SamlUtils] - <Successfully resolved credentials from [file [/etc/cas/saml/idp-signing.crt]]>
> > 2020-10-24 06:14:56,341 WARN [org.apache.xml.security.signature.XMLSignature] - <Signature verification failed.>
> > 2020-10-24 06:14:56,341 ERROR [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter] - <Signature trust establishment failed for metadata entry urn:federation:MicrosoftOnline>
> > 2020-10-24 06:14:56,342 ERROR [org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver] - <Metadata Resolver InMemoryResourceMetadataResolver org.apereo.cas.support.saml.InMemoryResourceMetadataResolver: Unable to filter metadata: Signature trust establishment failed for metadata entry>
> >
> > Is this referring to Microsoft's signature or (more likely) my idp-signature.crt? I've already tried adding my own certs to the system trust store (via update-ca-trust on Linux)... nothing changed. Can anybody offer any clues as to what I might have done wrong or how to fix this?
> >
> > Thanks
>
> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
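A small consistency check for the cert mix-up described in this thread, added here as an example and not code from the thread or from CAS: it confirms whether the PEM file a CAS SamlRegisteredService's metadataSignatureLocation points at is the same certificate the metadata's own ds:Signature/ds:KeyInfo carries, which is exactly the "my cert vs. theirs" question above. The certificate bytes and the metadata document below are constructed placeholders, not real O365 material.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Digital Signature namespace

def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour and whitespace, returning the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (what a .crt file on disk looks like)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def metadata_signing_certs(metadata_xml: str) -> list:
    """DER bytes of every X509Certificate carried in the metadata's top-level ds:Signature."""
    sig = ET.fromstring(metadata_xml).find(DS + "Signature")
    if sig is None:
        return []
    return [base64.b64decode("".join(el.text.split()))
            for el in sig.iter(DS + "X509Certificate") if el.text]

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def signature_cert_matches(metadata_xml: str, pem_text: str) -> bool:
    """True if the PEM at metadataSignatureLocation is a cert the metadata says signed it."""
    local = fingerprint(pem_to_der(pem_text))
    return any(fingerprint(c) == local for c in metadata_signing_certs(metadata_xml))

# Constructed sample data: these byte strings stand in for DER certificates and are not real certs.
THEIR_DER = b"constructed placeholder: O365 federation metadata signing certificate"
MY_DER = b"constructed placeholder: my own CAS idp-signing certificate"
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:federation:MicrosoftOnline">'
    "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>"
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(THEIR_DER).decode() +
    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    "</md:EntityDescriptor>"
)

if __name__ == "__main__":
    # Pointing metadataSignatureLocation at the signer's cert matches; at my own cert it does not.
    print(signature_cert_matches(SAMPLE_METADATA, to_pem(THEIR_DER)))  # True
    print(signature_cert_matches(SAMPLE_METADATA, to_pem(MY_DER)))     # False
```

A match only shows the configured file agrees with what the metadata claims about itself; because KeyInfo sits inside the signed document, the certificate you point CAS at still has to be obtained out of band (Microsoft's published federation metadata), not taken from the file under test.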
