Hi, sorry for the lateness, I was experimenting with the setup:
I have a service defined in "service.json"; it has ID 1751, and serviceId is
the entityId for SAML.
The service has the following definition:
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "id": 1751,
  "evaluationOrder": 1751,
  "serviceId": "SERVER/saml/liferay",
  "name": "pruebaSAML",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "mail",
    "canonicalizationMode": "LOWER"
  },
  "metadataLocation": "file:///etc/cas/saml/sp-pruebaSAML-metadata.xml",
  "metadataSignatureLocation": "file:///etc/cas/saml/pruebaSAML-1751/idp-signing.crt"
}
The file sp-pruebaSAML-metadata.xml contains the certificate created at
Liferay. Also that certificate is stored in the file specified at the
metadataSignatureLocation property of the service.
I have the metadata in the dir "/etc/cas/saml/service-1751". That metadata
was constructed from the URL "casServer/idp/metadata" changing the
following:
- entityID (I changed it for the one defined in the service.json file)
- X509Certificate (using one created outside of CAS)
From what I read in your post:
"You point cas config at the certificates that you (or cas) created"
Surely this point is missing or misconfigured. How can I ensure that cas is
pointing to the certificates I created, and put into the idp-metadata
stored in the dir "/etc/cas/saml/service-1751" ?
Thanks in advance.
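The SP-side failure in the quoted Liferay log ("Signature cryptographic validation not successful") is what an SP reports when the certificate in the IdP metadata it holds is not the one the IdP actually signed with. The following is an added diagnostic example, not code from the thread or from CAS: it fingerprints the certificate CAS is configured to sign with, the signing certificates published in the IdP metadata copy handed to the SP, and the certificate embedded in a Response's <ds:KeyInfo>, and reports which of them disagree. The certificate bodies and entityID are constructed placeholders.

```python
from __future__ import annotations
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(cert_text: str) -> str:
    """SHA-256 over the DER bytes. Accepts PEM (with armour) or the bare
    base64 found in <ds:X509Certificate>; whitespace and wrapping are ignored."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def metadata_signing_fingerprints(metadata_xml: str) -> set[str]:
    """Certificates an SP will trust for IdP signatures: KeyDescriptors with
    use="signing" or with no use attribute (which covers both uses)."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                found.add(fingerprint(c.text))
    return found

def response_keyinfo_fingerprint(response_xml: str) -> str | None:
    """Certificate the IdP embedded in the Response's <ds:KeyInfo>, if any."""
    c = ET.fromstring(response_xml).find(
        "./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return fingerprint(c.text) if c is not None else None

def diagnose(cas_signing_pem: str, idp_metadata_xml: str, response_xml: str) -> str:
    """Explain why an SP would reject the IdP signature, or report consistency."""
    trusted = metadata_signing_fingerprints(idp_metadata_xml)
    signer = fingerprint(cas_signing_pem)
    embedded = response_keyinfo_fingerprint(response_xml)
    if signer not in trusted:
        return "MISMATCH: CAS signing cert is not in the IdP metadata the SP holds"
    if embedded is not None and embedded != signer:
        return "MISMATCH: Response KeyInfo cert differs from CAS signing cert"
    return "OK: IdP metadata, CAS signing cert and Response KeyInfo agree"

# Constructed sample data: placeholder byte strings stand in for DER certificates.
def _b64(tag: bytes) -> str: return base64.b64encode(tag).decode()
CAS_PEM = "-----BEGIN CERTIFICATE-----\n" + _b64(b"cas-idp-signing-cert") + "\n-----END CERTIFICATE-----\n"
META_OK = f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://cas.example/idp"><md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b"cas-idp-signing-cert")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>'
META_BAD = META_OK.replace(_b64(b"cas-idp-signing-cert"), _b64(b"cert-made-outside-cas"))  # metadata edited by hand
RESPONSE = f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS["ds"]}"><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b"cas-idp-signing-cert")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>'

if __name__ == "__main__":
    print(diagnose(CAS_PEM, META_OK, RESPONSE))
    print(diagnose(CAS_PEM, META_BAD, RESPONSE))
```

Run against the real files, the inputs would be the PEM CAS signs with, the idp-metadata.xml given to Liferay, and a Response captured from the browser; a MISMATCH on the first check is exactly the situation produced by swapping the X509Certificate in the metadata for one CAS does not sign with.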
On Monday, October 7, 2024 at 12:43:28 PM UTC-6 Ray Bon wrote:
> Juan,
>
> Can you clarify your description of the certificates and metadata?
>
> Liferay will create SP metadata with encryption certificate (and maybe
> signing too); you will create IdP metadata (cas will do this if it does not
> exist) with signing and encryption certificates. You point cas config at
> the certificates that you (or cas) created. Liferay SP certificates should
> be different from your IdP certificates.
>
> Ray
>
> On Sun, 2024-10-06 at 14:53 -0700, Juan Fernando Rivera wrote:
>
> Hi, I'm following the guidelines of configuring a SAML service in CAS, but
> I'm having trouble connecting to Liferay portal.
>
> In Liferay the certificates were created and imported into the idp-metadata
> file, which was sent back to Liferay and imported. Everything runs fine, BUT
> after entering the credentials in CAS, this error (or similar) appears in
> Liferay logs:
>
> 2024-10-04 21:51:11.830 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:65] Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> 2024-10-04 21:51:11.830 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:66] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
> 2024-10-04 21:51:11.831 WARN [http-nio-0.0.0.0-9444-exec-4][XMLSignature:891] Signature verification failed.
> 2024-10-04 21:51:11.831 DEBUG [http-nio-0.0.0.0-9444-exec-4][ApacheSantuarioSignatureValidationProviderImpl:78] Signature cryptographic validation not successful
> 2024-10-04 21:51:11.831 DEBUG [http-nio-0.0.0.0-9444-exec-4][BaseSignatureTrustEngine:244] Signature validation using candidate validation credential failed
> org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
> .....
> 2024-10-04 21:51:11.832 DEBUG [http-nio-0.0.0.0-9444-exec-4][ExplicitKeySignatureTrustEngine:124] Failed to verify signature using either KeyInfo-derived or directly trusted credentials
> 2024-10-04 21:51:11.833 DEBUG [http-nio-0.0.0.0-9444-exec-4][SAMLProtocolMessageXMLSignatureSecurityHandler:142] Message Handler: Validation of protocol message signature failed for context issuer 'ENTITY_ID', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
> 2024-10-04 21:51:11.833 DEBUG [http-nio-0.0.0.0-9444-exec-4][WebSsoProfileImpl:210] Validation of protocol message signature failed
> .....
>
> According to the Liferay admin, the main issue may come from CAS, because
> it is not using the right key to generate the values in the SAML Response.
> Another reason may be encryption or signature.
> I have tried both encryption and signature options in the service.json file,
> but to no avail; the errors are the same.
> How can I verify these suspicions of the Liferay admin? How can I force CAS to
> use a certain private key to generate the data in the SAML response?
>
> Thanks in advance.
>
>
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c00bc04-fe53-43ff-bca1-71a1d97d2b2an%40apereo.org.