i think i am missing something fundamentally, but I do not know what it is.
I first excluded the dependency on cas-server-support-saml-idp because CAS
is delegating authN to Okta, I realize the login page does not even come
up, nothing shows in SAML Tracer. Then, I added this dependency, see
below.
implementation
"org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
implementation
"org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
Now the login page comes up, and I can see authN request coming to CAS, but
I do not see how CAS delegates authN. It seems that something is missing
so that CAS is -not- generating SP meta data, which it should. Not sure
what I am missing.
I based on cas.properties from the following documentation, but it is not
working, i.e., nothing is being generated by CAS, no error, either.
in delegated AutN, when client come to CAS, which then delegate to Okta,
should /cas/idp/profile/SAML2/POST/SSO be called at all?
# Settings required for CAS SP metadata generation process # The keystore
will be automatically generated by CAS with # keys required for the
metadata generation and/or exchange. # #
cas.authn.pac4j.saml[0].keystorePassword= #
cas.authn.pac4j.saml[0].privateKeyPassword= #
cas.authn.pac4j.saml[0].keystorePath= # The entityID assigned to CAS acting
as the SP # cas.authn.pac4j.saml[0].serviceProviderEntityId= # Path to the
auto-generated CAS SP metadata #
cas.authn.pac4j.saml[0].serviceProviderMetadataPath= #
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime= # Path/URL to
delegated IdP metadata #
cas.authn.pac4j.saml[0].identityProviderMetadataPath=
On Monday, August 14, 2023 at 1:53:24 PM UTC-4 Ray Bon wrote:
> Yan,
>
> Is it possible that the okta-cas config is incorrect and okta is returning
> an error response which cas does not understand?
> Are you using SAML Tracer to see the exchanges between SPs and IdPs?
> If the keystore is not created, you can create it yourself. Or, turn off
> SAML encryption between SPs and IdPs.
>
> Ray
>
> On Fri, 2023-08-11 at 13:42 -0700, Yan Zhou wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
>
> Hi there,
>
> When CAS is the SAML2 IDP, I am able to run a client app authenticating
> successfully. But have trouble when CAS delegates authN to Okta (cas is
> set up as a SP in Okta)
>
> Client app runs on localhost:8081, CAS 6.6.x runs on localhost:8443,
> delegate to Okta SAML2 IDP.
>
> Here is my problem, i likely misunderstood how delegated authN should
> work, but do not know how.
>
> When go to client: localhost:8081, redirects to:
> http://localhost:8081/saml/login?idp=https%3A%2F%2Flocalhost%3A8443%2Fidp
>
> Redirects to: https://localhost:8443/cas/idp/profile/SAML2/POST/SSO
>
> I would expect Okta login page comes up, but I am getting CAS error page
> that says: page Not found, I did not see any error in cas log.
>
>
>
> In Okta, i configured my local CAS as a SAML 2.0 application
>
> ==================================================
>
> SSO URL: https://localhost:8443/cas/login
>
> Audience URI: https://localhost:8443/cas/idp
>
>
>
> cas.properties
>
> ==============
>
>
> cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
>
> <== i do not see keystore being created, why is this not
> created?
>
> cas.authn.pac4j.saml[0].keystorePassword=changeit
>
> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
>
> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
>
> cas.authn.pac4j.saml[0].serviceProviderEntityId=
> http://localhost:8081/saml/metadata
>
> <== same SP entity ID when CAS was the IDP itself, without
> delegated authN
>
> cas.authn.pac4j.saml[0].clientName=bootsp2
>
> cas.authn.pac4j.saml[0].forceAuth=false
>
> cas.authn.pac4j.saml[0].passive=false
>
> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=1209600
>
>
> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/spmetadata/1005-metadata.xml
>
> <== same SP meta data when CAS was the IDP itself, without
> delegated authN
>
> cas.authn.pac4j.saml[0].identityProviderMetadataPath=
> https://dev-11792448.okta.com/app/exkas4vj25jdUfJEx5d7/sso/saml/metadata
>
>
> cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>
> cas.authn.pac4j.saml[0].userNameQualifier=false
>
>
>
>
>
> JSON file in service registry
>
> ======================
>
> {
>
> "@class" : "org.apereo.cas.services.CasRegisteredService",
>
> "serviceId" : "bootsp2",
>
> "name" : "bootsp2",
>
> "id" : 1005,
>
> "description" : "sample",
>
> "attributeReleasePolicy" : {
>
> "@class" :
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>
> "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name",
> "middle_name" ] ]
>
> }
>
> }
>
>
> thanks,
>
> Yan
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8b32b58b-eca8-47de-972d-b90f01773f24n%40apereo.org.
