I can't see how it could be a mismatched certificate problem. I've 
independently tested the SAML produced by CAS with xmlsec1 using the 
certificate I uploaded to Google. Xmlsec1 reports the signature is invalid. If 
I sign the same XML with xmlsec1 using the same private key I configured in 
CAS, the signature validates successfully using the same certificate.

I also tried rolling back to 3.4.12 with no effect, so it's not a 3.5.1 problem.

I can only conclude that since this is working for other people there is 
something about my environment or build that is causing an XML digsig problem. 
I've built CAS using the overlay method, and I'm running it in Jetty 8 on 
Oracle Java 6. I did notice that there were conflicting jars in my WEB-INF/lib, 
including xmldsig and xmlsec jars that both had different implementations of 
JSR 105 digsig. It looks like xmldsig came from CAS LDAP support, and the 
xmlsec is used by opensaml. 

That made me think maybe there's a conflicting jar problem and other people 
didn't run into it because they don't pull in LDAP support, or they fixed their 
poms to exclude it. However, after playing around with excluding one or the 
other dependency, it still doesn't work.

I've just about spent all the time I can trying to get this working. If anyone 
else has any ideas, please let me know. Otherwise, I guess it's time for me to 
explore alternatives to CAS.

David

On Feb 8, 2013, at 9:32 AM, Carlos Fernandez <cfern...@sju.edu> wrote:

> We're running 3.5.1 with Google Apps integration in production. Setting it
> up was no different than with the old version that we were running prior
> to the upgrade (3.4.3.1). The only attribute that we're releasing to
> Google is 'uid', which contains the username.
> 
> If the signature validation fails and you know that the private key is
> correct, maybe the certificate that you're validating against is the wrong
> one.
> 
> Best regards,
> --
> Carlos.
> 
> -----Original Message-----
> From: Marvin Addison [mailto:marvin.addi...@gmail.com] 
> Sent: Friday, 08 February, 2013 11:18
> To: cas-user@lists.jasig.org
> Subject: Re: [cas-user] "login credentials could not be verified" with
> Google SSO
> 
>> I assume from other messages I've seen in this user group that Google 
>> Apps integration does work. Has anyone else run into this? Has anyone 
>> tried this on CAS 3.5.1?
> 
> I have not, nor am I aware of confirmation from anyone else. It's
> concerning because we have upgraded to OpenSAML 2.x as of the 3.5.1
> upgrade [1]. I may be able to jury-rig an integration test in our dev
> environment and report back. I would love if someone else in the community
> would save me the effort by confirming Google Apps Integration in 3.5.1+.
> 
> Thanks,
> M
> 
> [1]
> https://issues.jasig.org/secure/ReleaseNote.jspa?projectId=10007&version=12182
> 
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> cfern...@sju.edu To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user


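A check for the jar overlap described in the message above (two jars in WEB-INF/lib each carrying JSR 105 signature classes), as an added example that is not part of the original thread or of CAS: it lists class entries that occur in more than one jar of a lib directory. The package prefixes and the sample jar names and contents are assumptions constructed for the demo.

```python
import sys
import tempfile
import zipfile
from collections import Counter, defaultdict
from pathlib import Path

# Assumed package prefixes for XML signature code: the JSR 105 API and
# two implementation namespaces. Adjust for the jars in your own build.
DSIG_PREFIXES = ("javax/xml/crypto/", "org/jcp/xml/dsig/internal/",
                 "org/apache/xml/security/")


def find_duplicate_classes(lib_dir, prefixes=DSIG_PREFIXES):
    """Return {class entry: [jar names]} for classes present in 2+ jars."""
    owners = defaultdict(set)
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            print(f"warning: unreadable jar skipped: {jar.name}", file=sys.stderr)
            continue
        for name in names:
            if name.endswith(".class") and name.startswith(tuple(prefixes)):
                owners[name].add(jar.name)
    return {c: sorted(j) for c, j in owners.items() if len(j) > 1}


def summarize(duplicates):
    """Count overlapping classes per group of jars that share them."""
    return Counter(tuple(jars) for jars in duplicates.values())


def build_sample_lib(lib_dir):
    """Write constructed jars (hypothetical names and contents) for a demo."""
    api = "javax/xml/crypto/dsig/XMLSignatureFactory.class"
    sample = {
        "xmldsig.jar": [api, "org/jcp/xml/dsig/internal/dom/DOMXMLSignature.class"],
        "xmlsec.jar": [api, "org/apache/xml/security/Init.class"],
        "opensaml.jar": ["org/opensaml/Configuration.class"],
    }
    for jar_name, entries in sample.items():
        with zipfile.ZipFile(Path(lib_dir) / jar_name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        lib = sys.argv[1] if len(sys.argv) > 1 else tmp
        if lib == tmp:
            build_sample_lib(tmp)
        for jars, count in summarize(find_duplicate_classes(lib)).items():
            print(f"{count} shared class(es): {', '.join(jars)}")
```

Pass the path to a deployed WEB-INF/lib as the first argument to scan real jars; with no argument it runs against the constructed sample.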