Pablo,

Is the aai... service the same as super duper?
The aai... service is configured to have per-service signing / encryption 
certs (this line in the log: Metadata directory location for 
[aai_pionier_net_pl_test] is [/etc/cas/saml/aai_pionier_net_pl_test-1001]).
https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#per-service

If the two services are different, then you will need two idp metadata and two 
signing and 2 encryption certs (if you are using encryption).

Ray

On Thu, 2022-01-06 at 18:16 -0800, Pablo Vidaurri wrote:

Thanks for replying Ray,

Yes, I have that config and I see crt, keys, and idp-metadata created in it 
that were auto-generated.

Error seems misleading .... it sounds like it is looking for sp metadata 
signing credentials.

-psv

On Thursday, January 6, 2022 at 1:02:30 PM UTC-6 Ray Bon wrote:
Pablo,

The signing credentials are yours, not the service. They are not read out of 
metadata since it requires the key. You set the location with (your cert and 
key are stored in same location as metadata):
cas.authn.saml-idp.metadata.file-system.location=

Cas will generate the metadata and certs on start up, make sure cas can write 
to the directory.

https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#file-system

Ray

On Wed, 2022-01-05 at 18:38 -0800, Pablo Vidaurri wrote:

Just saw this reply ...

That did not seem to work. I have my sp metadata with x509 certs embedded. I have 
my service definition like the following:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "description": "my super super service",
  "serviceId" : "^https://my.super.duper.svc.com",   <-- entity id of my sp metadata file
  "name" : "super_duper",
  "id" : 20210115134141,
  "evaluationOrder" : 30,
  "metadataLocation" : "file:/apps//cas/metadata/super_duper_metadata.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName","lastName"] ]
  },
  "signAssertions": true,
  "signingCredentialType": X509
}

Still getting error:
Unable to locate any signing credentials for service [super_duper]

Do I need a separate crt somewhere instead of relying on the embedded cert in 
the sp metadata?

On Thursday, August 26, 2021 at 2:11:50 AM UTC-5 Marcin Roman wrote:
Entityid in metadata must match entityid in cas properties.
Use cas 6.3.4 or 6.4. I couldn't get it working with other versions.

On Wed, Aug 25, 2021, 9:06 PM Pablo Vidaurri <psvid...@gmail.com> wrote:
Any solution or workaround for this? Getting the same issue on CAS 6.3.2. Only 
way to get it to work is if I set my entityId to be same as hostname which will 
not work in a production env.

On Monday, April 5, 2021 at 3:41:02 AM UTC-5 Marcin Roman wrote:
Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT and 
6.4.0-SNAPSHOT.
It looks like SamlIdPMetadataResolver is provided with cas url instead of 
entityId while resolving signing credentials.

cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create 
SAMLObject for type: [interface org.opensaml.saml.saml2.core.Status] and QName: 
[{urn:oasis:names:tc:SAML:2.0:protocol}Status]
cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create 
SAMLObject for type: [interface org.opensaml.saml.saml2.core.StatusCode] and 
QName: [{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode]
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] 
********************************************************************************
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] Logging 
[org.opensaml.saml.saml2.core.impl.ResponseImpl]
cas_1 |
cas_1 | [<?xml version="1.0" encoding="UTF-8"?><saml2p:Response 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
Destination="https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp"
 ID="_111942357346883584" 
InResponseTo="_f23e8fe1993a1a61287f3d30288ee5700f936c0631" 
IssueInstant="2021-04-05T07:55:18.827Z" Version="2.0">
cas_1 | <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
cas_1 | <saml2p:Status>
cas_1 | <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
cas_1 | </saml2p:Status>
cas_1 | <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
ID="_5878410931315849216" IssueInstant="2021-04-05T07:55:18.753Z" Version="2.0">
cas_1 | <saml2:Issuer>https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
cas_1 | <saml2:Subject>
// DELETED
cas_1 | </saml2:Assertion>
cas_1 | </saml2p:Response>
cas_1 | ]
cas_1 |
cas_1 |
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] 
********************************************************************************
cas_1 | DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder]
 SAML entity id 
[https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp] 
indicates that SAML responses should be signed
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Attempting to encode [org.opensaml.saml.saml2.core.impl.ResponseImpl] for 
[https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Outbound saml object to use is [org.opensaml.saml.saml2.core.impl.ResponseImpl]
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Fetched assertion 
consumer service url 
[https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp] 
with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from 
authentication request
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Configured peer entity 
endpoint to be 
[https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp] 
with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Default signature signing blocked algorithms: 
[[http://www.w3.org/2001/04/xmldsig-more#hmac-md5, 
http://www.w3.org/2001/04/xmldsig-more#md5, 
http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Default signature signing signature algorithms: 
[[http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, 
http://www.w3.org/2000/09/xmldsig#rsa-sha1, 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, 
http://www.w3.org/2000/09/xmldsig#dsa-sha1, 
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, 
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, 
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, 
http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Default signature signing signature canonicalization algorithm: 
[http://www.w3.org/2001/10/xml-exc-c14n#]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Default signature signing allowed algorithms: [[]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Default signature signing reference digest methods: 
[[http://www.w3.org/2001/04/xmlenc#sha256, 
http://www.w3.org/2001/04/xmldsig-more#sha384, 
http://www.w3.org/2001/04/xmlenc#sha512, 
http://www.w3.org/2000/09/xmldsig#sha1]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Finalized signature signing blocked algorithms: 
[[http://www.w3.org/2001/04/xmldsig-more#hmac-md5, 
http://www.w3.org/2001/04/xmldsig-more#md5, 
http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Finalized signature signing signature algorithms: 
[[http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, 
http://www.w3.org/2000/09/xmldsig#rsa-sha1, 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, 
http://www.w3.org/2000/09/xmldsig#dsa-sha1, 
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, 
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, 
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, 
http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Finalized signature signing signature canonicalization algorithm: 
[http://www.w3.org/2001/10/xml-exc-c14n#]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Finalized signature signing allowed algorithms: [[]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Finalized signature signing reference digest methods: 
[[http://www.w3.org/2001/04/xmlenc#sha256, 
http://www.w3.org/2001/04/xmldsig-more#sha384, 
http://www.w3.org/2001/04/xmlenc#sha512, 
http://www.w3.org/2000/09/xmldsig#sha1]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
 Metadata directory location for [aai_pionier_net_pl_test] is 
[/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Locating signature signing key for 
[SamlRegisteredService(super=AbstractRegisteredService(serviceId=https://aai\.pionier\.net\.pl/test/.*,
 name=aai_pionier_net_pl_test, theme=null, informationUrl=null, 
privacyUrl=null, responseType=null, id=1001, description=null, 
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
 notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
 messageCode=null, text=null), 
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, 
ticketGrantingTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, 
singleSignOnParticipationPolicy=null, evaluationOrder=999, 
usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
 logoutType=BACK_CHANNEL, environments=[], 
attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
 principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
excludedAttributes=null, includeOnlyAttributes=null, order=0), 
authorizedToReleaseCredentialPassword=false, 
authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, 
authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, 
order=0), allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, 
displayName, givenName, sn, eduPersonScopedAffiliation]), entityAttribute=null, 
entityAttributeFormat=null, entityAttributeValues=[]), 
EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
 principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
excludedAttributes=null, includeOnlyAttributes=null, order=0), 
authorizedToReleaseCredentialPassword=false, 
authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, 
authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, 
order=0), allowedAttributes=[]), salt=abc, attribute=uidNumber)], 
mergingPolicy=replace, order=0), 
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
 failureMode=UNDEFINED, principalAttributeNameTrigger=null, 
principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, 
bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, 
bypassPrincipalAttributeValue=null, script=null), 
matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=https://aai\.pionier\.net\.pl/test/.*),
 logo=null, logoutUrl=null, redirectUrl=null, 
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, 
ssoEnabled=true, unauthorizedRedirectUrl=null, 
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
 permitUndefined=true, exclusive=false), requireAllAttributes=true, 
requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), 
publicKey=null, 
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
 excludedAuthenticationHandlers=[], 
criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
 properties={}, contacts=[]), 
metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
metadataProxyLocation=null, metadataMaxValidity=0, 
requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, 
metadataCriteriaPattern=null, 
requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, 
metadataSignatureLocation=null, logoutResponseBinding=null, 
requireSignedRoot=true, serviceProviderNameIdQualifier=null, 
nameIdQualifier=null, metadataExpirationDuration=PT60M, 
signingCredentialFingerprint=null, issuerEntityId=null, 
signingKeyAlgorithm=null, signAssertions=false, 
signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, 
skipGeneratingSubjectConfirmationInResponseTo=false, 
skipGeneratingSubjectConfirmationNotOnOrAfter=false, 
skipGeneratingSubjectConfirmationRecipient=false, 
skipGeneratingSubjectConfirmationNotBefore=true, 
skipGeneratingSubjectConfirmationNameId=true, 
skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, 
signResponses=true, encryptAssertions=false, encryptAttributes=false, 
encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, 
metadataCriteriaRemoveEmptyEntitiesDescriptors=true, 
metadataCriteriaRemoveRolelessEntityDescriptors=true, 
signingCredentialType=null, assertionAudiences=null, skewAllowance=0, 
whiteListBlackListPrecedence=null, attributeNameFormats={}, 
attributeFriendlyNames={}, attributeValueTypes={}, encryptableAttributes=[], 
signingSignatureReferenceDigestMethods=[], signingSignatureAlgorithms=[], 
signingSignatureBlackListedAlgorithms=[], 
signingSignatureWhiteListedAlgorithms=[], 
signingSignatureCanonicalizationAlgorithm=null, encryptionDataAlgorithms=[], 
encryptionKeyAlgorithms=[], encryptionBlackListedAlgorithms=[], 
encryptionWhiteListedAlgorithms=[])] using algorithm [RSA]
cas_1 | DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] 
Resolving credentials from metadata using entityID: 
https://login.umcs.pl/cas/idp/metadata, role: 
{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: null, usage: 
SIGNING
cas_1 | TRACE 
[org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
 Metadata directory location for [aai_pionier_net_pl_test] is 
[/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | TRACE 
[org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
 Metadata directory location for [aai_pionier_net_pl_test] is 
[/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | TRACE 
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
cas_1 | TRACE 
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
Located metadata root element [EntityDescriptor]
cas_1 | TRACE 
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
Initializing metadata resolver [SamlIdPMetadataResolver]
cas_1 | TRACE 
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING], 
EntityRoleCriterion 
[role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor], 
SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=https://aai\.pionier\.net\.pl/test/.*,
 name=aai_pionier_net_pl_test, theme=null, informationUrl=null, 
privacyUrl=null, responseType=null, id=1001, description=null, 
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
 notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
 messageCode=null, text=null), 
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, 
ticketGrantingTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, 
singleSignOnParticipationPolicy=null, evaluationOrder=999, 
usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
 logoutType=BACK_CHANNEL, environments=[], 
attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
 principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
excludedAttributes=null, includeOnlyAttributes=null, order=0), 
authorizedToReleaseCredentialPassword=false, 
authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, 
authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, 
order=0), allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, 
displayName, givenName, sn, eduPersonScopedAffiliation]), entityAttribute=null, 
entityAttributeFormat=null, entityAttributeValues=[]), 
EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
 principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
excludedAttributes=null, includeOnlyAttributes=null, order=0), 
authorizedToReleaseCredentialPassword=false, 
authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, 
authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, 
order=0), allowedAttributes=[]), salt=abc, attribute=uidNumber)], 
mergingPolicy=replace, order=0), 
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
 failureMode=UNDEFINED, principalAttributeNameTrigger=null, 
principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, 
bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, 
bypassPrincipalAttributeValue=null, script=null), 
matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=https://aai\.pionier\.net\.pl/test/.*),
 logo=null, logoutUrl=null, redirectUrl=null, 
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, 
ssoEnabled=true, unauthorizedRedirectUrl=null, 
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
 permitUndefined=true, exclusive=false), requireAllAttributes=true, 
requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), 
publicKey=null, 
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
 excludedAuthenticationHandlers=[], 
criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
 properties={}, contacts=[]), 
metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
metadataProxyLocation=null, metadataMaxValidity=0, 
requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, 
metadataCriteriaPattern=null, 
requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, 
metadataSignatureLocation=null, logoutResponseBinding=null, 
requireSignedRoot=true, serviceProviderNameIdQualifier=null, 
nameIdQualifier=null, metadataExpirationDuration=PT60M, 
signingCredentialFingerprint=null, issuerEntityId=null, 
signingKeyAlgorithm=null, signAssertions=false, 
signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, 
skipGeneratingSubjectConfirmationInResponseTo=false, 
skipGeneratingSubjectConfirmationNotOnOrAfter=false, 
skipGeneratingSubjectConfirmationRecipient=false, 
skipGeneratingSubjectConfirmationNotBefore=true, 
skipGeneratingSubjectConfirmationNameId=true, 
skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, 
signResponses=true, encryptAssertions=false, encryptAttributes=false, 
encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, 
metadataCriteriaRemoveEmptyEntitiesDescriptors=true, 
metadataCriteriaRemoveRolelessEntityDescriptors=true, 
signingCredentialType=null, assertionAudiences=null, skewAllowance=0, 
whiteListBlackListPrecedence=null, attributeNameFormats={}, 
attributeFriendlyNames={}, attributeValueTypes={}, encryptableAttributes=[], 
signingSignatureReferenceDigestMethods=[], signingSignatureAlgorithms=[], 
signingSignatureBlackListedAlgorithms=[], 
signingSignatureWhiteListedAlgorithms=[], 
signingSignatureCanonicalizationAlgorithm=null, encryptionDataAlgorithms=[], 
encryptionKeyAlgorithms=[], encryptionBlackListedAlgorithms=[], 
encryptionWhiteListedAlgorithms=[])), SignatureSigningConfigurationCriterion 
[configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
 EntityIdCriterion 
[id=https://login.umcs.pl/cas/idp/metadata]]]
cas_1 | DEBUG 
[org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] Metadata 
Resolver SamlIdPMetadataResolver https://login.umcs.pl/cas/idp/metadata: 
Metadata backing store does not contain any EntityDescriptors with the ID: 
https://login.umcs.pl/cas/idp/metadata
cas_1 | DEBUG 
[org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver] 
Metadata Resolver SamlIdPMetadataResolver 
https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via 
EntityIdCriterion: EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]
cas_1 | DEBUG 
[org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] Metadata 
Resolver SamlIdPMetadataResolver https://login.umcs.pl/cas/idp/metadata: 
Candidates iteration was empty, nothing to filter via predicates
cas_1 | DEBUG 
[org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] 
Resolved no EntityDescriptors via underlying MetadataResolver, returning empty 
collection
cas_1 | ERROR 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] 
Unable to locate any signing credentials for service [aai_pionier_net_pl_test]
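
The lookup that comes back empty in the log above (entityID, then the IDPSSODescriptor role, then a SIGNING key) can be replayed offline against an idp-metadata.xml. This is an added example, not CAS or OpenSAML code and not from anyone in this thread; the metadata document, its entityID and the certificate are constructed, and only the queried entityID is taken from the log.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENTITY = f"{{{MD}}}EntityDescriptor"
IDP_ROLE = f"{{{MD}}}IDPSSODescriptor"
KEY_DESC = f"{{{MD}}}KeyDescriptor"
X509_CERT = f"{{{DS}}}X509Certificate"

# entityID the resolver asks for in the log above (EntityIdCriterion).
QUERIED_IN_LOG = "https://login.umcs.pl/cas/idp/metadata"
# Constructed value standing in for whatever entityID the file really holds.
CONSTRUCTED_ID = "https://idp.example.org/constructed-entity-id"


def sample_metadata(entity_id, use_attr='use="signing"'):
    """Build a constructed IdP metadata document with a placeholder certificate."""
    return f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="{entity_id}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor {use_attr}>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certs(idp_role):
    """Return certificates usable for signing under one IDPSSODescriptor."""
    certs = []
    for key_desc in idp_role.findall(KEY_DESC):
        # A KeyDescriptor without "use" is valid for signing and encryption.
        if key_desc.get("use", "signing") != "signing":
            continue
        for cert in key_desc.iter(X509_CERT):
            text = "".join((cert.text or "").split())
            if text:
                certs.append(text)
    return certs


def diagnose(metadata_xml, queried_entity_id):
    """Apply the three criteria from the log and say which one fails first."""
    # Assumes a local, operator-controlled file; use a hardened parser such
    # as defusedxml for metadata fetched from elsewhere.
    root = ET.fromstring(metadata_xml)
    entities = list(root.iter(ENTITY))  # includes the root if it matches
    found = [e.get("entityID") for e in entities]
    result = {"queried": queried_entity_id, "found": found}

    # entityID is matched as an exact string: case and a trailing "/" matter.
    match = next(
        (e for e in entities if e.get("entityID") == queried_entity_id), None
    )
    if match is None:
        return {**result, "status": "ENTITY_ID_MISMATCH"}

    role = match.find(IDP_ROLE)
    if role is None:
        return {**result, "status": "NO_IDP_ROLE"}

    certs = signing_certs(role)
    if not certs:
        return {**result, "status": "NO_SIGNING_KEY"}
    return {**result, "status": "OK", "signing_certs": len(certs)}


if __name__ == "__main__":
    doc = sample_metadata(CONSTRUCTED_ID)
    for entity_id in (QUERIED_IN_LOG, CONSTRUCTED_ID):
        print(diagnose(doc, entity_id))
```

ENTITY_ID_MISMATCH corresponds to the "Metadata backing store does not contain any EntityDescriptors with the ID" line in the log; the "found" list shows which entityID the file actually declares.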
