Hi, reading your post I think the problem is that the files in "/etc/cas/saml" (idp-encryption.*, idp-signing.*) are created every time CAS is restarted. I know that in a production environment this won't be an issue, but right now it is.
Is there a way to prevent these files from being recreated every time my CAS container is restarted? Thanks in advance.

On Monday, October 7, 2024 at 12:43:28 PM UTC-6 Ray Bon wrote:
> Juan,
>
> Can you clarify your description of the certificates and metadata?
>
> Liferay will create SP metadata with encryption certificate (and maybe signing too); you will create IdP metadata (cas will do this if it does not exist) with signing and encryption certificates. You point cas config at the certificates that you (or cas) created. Liferay SP certificates should be different from your IdP certificates.
>
> Ray
>
> On Sun, 2024-10-06 at 14:53 -0700, Juan Fernando Rivera wrote:
>
> Hi, I'm following the guidelines of configuring a SAML service in CAS, but I'm having trouble connecting to Liferay portal.
>
> The certificates were created in Liferay and imported into the idp-metadata file, which was sent back to Liferay and imported. Everything runs fine, BUT after entering the credentials in CAS, this error (or similar) appears in Liferay logs:
>
> 2024-10-04 21:51:11.830 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:65] Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> 2024-10-04 21:51:11.830 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:66] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
> 2024-10-04 21:51:11.831 WARN [http-nio-0.0.0.0-9444-exec-4][XMLSignature:891] Signature verification failed.
> 2024-10-04 21:51:11.831 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:78] Signature cryptographic validation not successful
> 2024-10-04 21:51:11.831 DEBUG [http-nio-0.0.0.0-9444-exec-4][BaseSignatureTrustEngine:244] Signature validation using candidate validation credential failed
> org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
> .....
> 2024-10-04 21:51:11.832 DEBUG [http-nio-0.0.0.0-9444-exec-4][ExplicitKeySignatureTrustEngine:124] Failed to verify signature using either KeyInfo-derived or directly trusted credentials
> 2024-10-04 21:51:11.833 DEBUG [http-nio-0.0.0.0-9444-exec-4][SAMLProtocolMessageXMLSignatureSecurityHandler:142] Message Handler: Validation of protocol message signature failed for context issuer 'ENTITY_ID', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
> 2024-10-04 21:51:11.833 DEBUG [http-nio-0.0.0.0-9444-exec-4][WebSsoProfileImpl:210] Validation of protocol message signature failed
> .....
>
> According to the Liferay admin, the main issue may come from CAS, because it is not using the right key to generate the values in the SAML Response. Another reason may be encryption or signature.
> I have tried both encryption and signature options in the service.json file, but to no avail; the errors are the same.
> How can I verify these suspicions of the Liferay admin? How can I force CAS to use a certain private key to generate the data in the SAML response?
>
> Thanks in advance.
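One way to check the mismatch suspected in this thread, as an added example rather than code from the thread or from CAS/Liferay: it reads the signing certificate(s) advertised in the IdP metadata the SP imported and compares their SHA-256 fingerprint with the certificate CAS currently holds under /etc/cas/saml (the idp-signing.* file; the .crt name used below is an assumption). If CAS regenerated its keys when the container restarted, the fingerprints differ, which is exactly what a "Signature verification failed" on the Liferay side looks like. The metadata and certificate bytes below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, same form as `openssl x509 -sha256 -fingerprint`."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def metadata_cert_fingerprints(metadata_xml, use="signing"):
    """Fingerprints of X509Certificates in KeyDescriptors of this use (or with no use attribute)."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, use):   # a KeyDescriptor without "use" serves both purposes
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.add(sha256_fingerprint(base64.b64decode("".join((cert.text or "").split()))))
    return found

def pem_fingerprint(pem_text):
    """Fingerprint of the first certificate in a PEM file (assumed path: /etc/cas/saml/idp-signing.crt)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return sha256_fingerprint(base64.b64decode("".join(m.group(1).split())))

def signing_cert_matches(metadata_xml, pem_text):
    """True when the certificate CAS signs with is the one the SP was given in the IdP metadata."""
    return pem_fingerprint(pem_text) in metadata_cert_fingerprints(metadata_xml, "signing")

# Constructed sample data: placeholder bytes stand in for DER certificates (not real certs).
def _b64(data):
    return base64.b64encode(data).decode()
def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + _b64(der) + "\n-----END CERTIFICATE-----\n"
SIGNING_DER = b"constructed signing cert that was in the metadata Liferay imported"
ENCRYPTION_DER = b"constructed encryption cert from the same metadata"
REGENERATED_DER = b"constructed signing cert CAS wrote after the container restarted"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="ENTITY_ID">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(SIGNING_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(ENCRYPTION_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
CURRENT_SIGNING_CRT = _pem(SIGNING_DER)          # idp-signing.crt if the files survived the restart
REGENERATED_SIGNING_CRT = _pem(REGENERATED_DER)  # idp-signing.crt after CAS recreated /etc/cas/saml
```

Against real files, pass the contents of the IdP metadata the SP imported and of the current CAS signing certificate; a False result means the SP is validating against a key CAS no longer signs with, and the metadata must be re-exported or the original key files restored (and kept on a persistent volume).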
