I captured a SAML response CAS sent to Google and tried to verify the signature 
myself with xmlsec1. Sure enough, the signature is invalid:

xmlsec1 --verify --pubkey-cert-pem cert.pem samlresponse4.xml 
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid
 data:data and digest do not match
FAIL

I used xmlsec1 to sign the file again using the same private key I provided 
CAS, and got a different (valid) result with a different digest and signature 
value. I've run CAS in a debugger and set a breakpoint in PrivateKeyFactoryBean 
to ensure the right key is being loaded. It just looks to me like 
SamlUtils.signSamlResponse() is not creating a valid signature.

I assume from other messages I've seen in this user group that Google Apps 
integration does work. Has anyone else run into this? Has anyone tried this on 
CAS 3.5.1?

Thanks,
David
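The xmlsec1 failure quoted above is raised at the Reference digest step (obj=sha1, "data and digest do not match"), which is checked before the SignatureValue and does not involve the key at all: it only compares the hash of the transformed content with the DigestValue in SignedInfo. The script below is an added example, not code from this thread or from CAS; it reproduces that one check in plain Python on a constructed skeletal response (the document, names and placeholder values are assumptions) and shows that any change to the signed content after the digest was taken yields exactly this mismatch, which is a different failure from a key/certificate mismatch.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample (not a real CAS response): a skeletal SAML Response with an
# enveloped signature. DIGEST is a placeholder that fill_digest() replaces.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://cas.example.org</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:Reference URI="#_r1"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>DIGEST</ds:DigestValue>
    </ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>not-checked-here</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion><saml:Subject><saml:NameID>david@example.org</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""

def digest_of_signed_content(xml_text):
    """Enveloped-signature transform (drop ds:Signature), canonicalize the rest,
    SHA-1 it and base64 it: what the Reference's DigestValue must equal. Python's
    canonicalize() is C14N 2.0, close enough to exclusive C14N for this simple doc."""
    canon = ET.canonicalize(xml_text, exclude_tags={DS + "Signature"})
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode()

def declared_digest(xml_text):
    return ET.fromstring(xml_text).find(f".//{DS}DigestValue").text.strip()

def reference_check(xml_text):
    """True when the document passes xmlsec1's first step; False is the
    'data and digest do not match' case from the thread (no key involved)."""
    return digest_of_signed_content(xml_text) == declared_digest(xml_text)

def fill_digest(template):
    """Stand-in for the signer's digest step (no SignatureValue is produced)."""
    return template.replace("DIGEST", digest_of_signed_content(template))

if __name__ == "__main__":
    signed = fill_digest(SAMPLE)
    print("intact:", reference_check(signed))  # True
    # Any edit to the signed content after digesting, including re-serialization
    # that changes text, reproduces the digest mismatch.
    print("edited:", reference_check(signed.replace("david@", "other@")))  # False
```

If this check passes on a captured response but xmlsec1 still fails, the problem is in the SignatureValue (key or certificate); if it fails here too, the content was altered or re-serialized after CAS computed the digest.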


On Feb 7, 2013, at 2:22 PM, Lynxlogic <i...@lynxlogic.com> wrote:

> Hi Ed,
> 
> Thanks for the pointer, but it doesn't look related to my problem. In my 
> case, a response is being sent to Google, but it's not being accepted at 
> their end. I'm also running CAS 3.5.1, in which that bug should already be 
> fixed.
> 
> David
> 
> On Feb 7, 2013, at 1:37 PM, Ed Hillis <hill...@southwestern.edu> wrote:
> 
>> It may not apply to your CAS version, and it may not be related, but did you 
>> see https://issues.jasig.org/browse/CAS-868?
>> 
>> Ed
>> 
>> 
>> On Thu, Feb 7, 2013 at 2:05 PM, Lynxlogic <i...@lynxlogic.com> wrote:
>> Hi,
>> 
>> I'm getting started with CAS and my first chore is to set up SSO with Google 
>> Apps. I followed the directions here: 
>> https://wiki.jasig.org/pages/viewpage.action?pageId=6063484
>> 
>> When I try to sign in, Google redirects to my CAS server, I sign in, then CAS 
>> posts back to Google, but Google apparently has a problem with the SAML 
>> response. I get an error page saying "This account cannot be accessed 
>> because the login credentials could not be verified."
>> 
>> According to Google's SSO FAQ, this is usually due to the private key used 
>> to sign the response not matching the uploaded certificate. I verified the 
>> cert matches the private key 
>> (https://kb.wisc.edu/middleware/page.php?id=4064).
>> 
>> I've also tried sending the username in the NameID element as just 
>> "username" as well as "username@domain", with no change in result.
>> 
>> I've even tried customizing the response template in the 
>> GoogleAccountsService class and tried changing the NameID format to email 
>> instead of emailAddress as well as other tweaks, such as setting the Issuer 
>> to a host matching the CN on the certificate.
>> 
>> I've also run CAS in a debugger and could see it loading the private key via 
>> the classpath, so I'm fairly confident the right private key is being used.
>> 
>> At this point I'm stumped. Does anyone have any pointers?
>> 
>> P.S. I built CAS using the maven overlay approach.
>> 
>> Thanks,
>> David
>> 
>> -- 
>> You are currently subscribed to cas-user@lists.jasig.org as: 
>> hill...@southwestern.edu
>> 
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>> 
>> 
>> 
>> -- 
>> Ed Hillis, Web Programmer
>> Southwestern University
>> 1001 East University Avenue, Georgetown, TX 78626
>> 512.863.1066 hill...@southwestern.edu
> 

