Yan,

Does samlkeystore exist and is it writable (same for the path to the SP metadata)? But there should be no metadata file when CAS starts if you want it to be generated.

You can also create metadata manually, see https://www.samltool.com/sp_metadata.php

Ray

On Tue, 2023-10-24 at 13:15 -0700, Yan Zhou wrote:

Hi there,

I am using CAS 6.4.6.6 for delegated authN using SAML; CAS delegates authN to Okta. I run into a strange error: on Windows this works fine (i.e., once I point to /cas/login, it generates the SP metadata and keystore), but on Linux CAS does not generate the SP metadata and SP keystore. I am not sure why. I did not see any error in the logs.

This is the relevant portion of cas.properties:

cas.authn.saml-idp.core.entity-id= https://qa.......com/idp
cas.authn.saml-idp.metadata.fileSystem.location=file:///opt/jboss/ssoconf/idpmetadata
cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://qa.......com/cas/samlsp
cas.authn.pac4j.saml[0].clientName=Okta
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/jboss/ssoconf/samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1......8.okta.com/app/e.......b5d7/sso/saml/metadata
cas.authn.pac4j.saml[0].useNameQualifier=false
cas.authn.pac4j.saml[0].signAuthnRequest=true
cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

On Windows (it says: Initializing: SAML2Client), it then generates the keystore and SP metadata.

======
2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - <The following clients are built: [[#SAML2Client# | name: Okta | callbackUrl:https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver:org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@59d1889c | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator:org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4ddff72c | logoutActionBuilder:org.pac4j.core.logout.NoLogoutActionBuilder@1d8000ee | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper] - <Can not evaluate delegated authentication policy without a service>
2023-10-24 16:05:23,318 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] - <Initializing: SAML2Client (nb: 0, last: null)>
2023-10-24 16:05:23,321 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - <Using service provider entity IDhttps://localhost:8443/cas/samlsp>
2023-10-24 16:05:23,321 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] - <Initializing: SAML2Configuration (nb: 0, last: null)>
2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - <Generating keystore one for/via: file [C:\apereocas66x\config\casas-samlsp\samlkeystore]>
2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - <Defaulting keystore type pkcs12>
2023-10-24 16:05:23,435 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - <Created keystore file [C:\apereocas66x\config\casas-samlsp\samlkeystore] with key alias cas-samlsp>

On Linux, notice it says: Initializing: RefreshableDelegatedClients ..... Not sure why it does not recognize it is a SAML2Client. Any idea?

Thanks,

======
2023-10-24 15:59:35,488 DEBUG [main] [org.apereo.cas.support.pac4j.authentication.DefaultDelegatedClientFactory] - <Created delegated client [#SAML2Client# | name: Okta | callbackUrl: https://qa....com/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
2023-10-24 15:59:35,489 DEBUG [main] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - <The following clients are built: [[#SAML2Client# | name: Okta | callbackUrl: https://qa....com/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2023-10-24 15:59:35,489 DEBUG [main] [org.pac4j.core.util.InitializableObject] - <Initializing: RefreshableDelegatedClients (nb: 0, last: null)>
2023-10-24 15:59:35,489 INFO [main] [org.apereo.cas.config.Pac4jAuthenticationEventExecutionPlanConfiguration] - <Registering delegated authentication clients...>
2023-10-24 15:59:35,744 DEBUG [main] [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Attribute repository sources are not available for person-directory principal resolution>
2023-10-24 15:59:36,180 INFO [main] [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Watching service registry directory at [/opt/jboss/whitelist/....]>

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/50362a97522f29bb0e2fae3e3a6f2503552c390d.camel%40uvic.ca.