Re: [cas-user] Re: Connecting SAML SP to CAS 6

2019-06-07 Thread Ray Bon
Fabian,

I suggest you turn up logging to at least debug until you are ready to move to 
production. If I remember correctly, the service location is logged on start up.

Previous advice still stands but add this:




Ray

On Fri, 2019-06-07 at 02:10 -0700, Fabian Schipp wrote:
I tried both now, but there seems to be no difference.
I have noticed however that whatever I put into the 
/etc/cas/services or /etc/cas/services the output always states 2 
services being loaded from the JSON Registry. Even if I delete all services 
from those folders, clean build and run.
2019-06-07 11:01:43,051 INFO [org.apereo.cas.services.AbstractServicesManager] 
- 

I would like to see what services these are and tried to enable the actuator 
registeredServices using these properties 
(https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#actuator-management-endpoints):
management.endpoints.enabled-by-default: true
management.endpoints.web.base-path: /actuator
management.endpoints.web.exposure.include: info,health,status,configurationMetadata,registeredServices

But the actuator is not available after booting on 
/cas/actuator/registeredServices

On Friday, June 7, 2019 at 09:39:19 UTC+2, Matthew Uribe wrote:
In my experience that is not the same as /etc/cas/services. I would recommend 
you change that to /etc/cas/services explicitly and restart.

On Friday, June 7, 2019 at 1:29:30 AM UTC-6, Fabian Schipp wrote:
The cas.properties contains this line:
cas.serviceRegistry.json.location:  classpath:/services

This should refer to /etc/cas/services, which is the location my services are 
stored.
Also the build.gradle file contains the corresponding dependency
compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"



On Thursday, June 6, 2019 at 20:14:39 UTC+2, Matthew Uribe wrote:
Is there any other simplistic service I could try to see if CAS loads anything 
correct?

That same tutorial you mentioned contains steps for setting up a basic CAS or 
SAML client in order to test your CAS server.

Since you don't have any other services currently working with this CAS server, 
I would just ask you to confirm that your json files are in the location 
specified in your cas.properties cas.serviceRegistry.json.location line.

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7107c94ba4bc7d8dc3b75267ebaaa28d017a3ba4.camel%40uvic.ca.
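An offline check of the points raised in this exchange (an added example, not code from the thread or from the CAS project): it parses a constructed set of CAS JSON service files, verifies the name-<id>.json convention and that each serviceId compiles as a regex, and reports which service a given request URL would resolve to. Hostnames and file names are constructed placeholders, and the assumption that CAS matches serviceId with a Java regex find() is approximated with Python re.search.

```python
import json
import re

# Constructed sample registry {file name: body}, laid out as the thread describes
# (name-id.json, /* */ comments allowed); hostnames are placeholders.
SAMPLE_FILES = {
    "devConfluence-1558621301329267.json": """{
  /* SAML SP definition for the Confluence test instance */
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://confluence.example.test/plugins/servlet/samlsso",
  "name" : "dev Confluence Application",
  "id" : 1558621301329267,
  "metadataLocation" : "https://confluence.example.test/plugins/servlet/samlsso/metadata",
  "evaluationOrder" : 10
}""",
    "samlCallback-42.json": """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas.example.test/cas/idp/profile/SAML2/Callback.+",
  "name" : "SAML Authentication Request",
  "id" : 1558621367337136,
  "evaluationOrder" : 100
}""",
}
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

def parse_service(text):
    """Parse one service file after stripping the /* */ comments CAS accepts."""
    return json.loads(COMMENT_RE.sub("", text))

def check_files(files):
    """Problems to fix before loading: file name not ending in -<id>, serviceId not a regex."""
    problems = []
    for fname, body in files.items():
        svc = parse_service(body)
        if not fname[:-5].endswith("-%d" % svc["id"]):
            problems.append("%s: name does not end with -%d" % (fname, svc["id"]))
        try:
            re.compile(svc["serviceId"])
        except re.error as exc:
            problems.append("%s: serviceId is not a regex (%s)" % (fname, exc))
    return problems

def find_match(files, url):
    """Name of the first service (by evaluationOrder) whose serviceId is found in
    the URL, else None. Assumption: CAS uses Java find(); re.search approximates it."""
    hits = [svc["name"] for svc in sorted((parse_service(b) for b in files.values()),
                                          key=lambda s: s["evaluationOrder"])
            if re.search(svc["serviceId"], url)]
    return hits[0] if hits else None
```

A request URL that returns None here is what the "is not found in the registry" WARN in the original post corresponds to.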


Re: [cas-user] Re: Connecting SAML SP to CAS 6

2019-06-07 Thread Fabian Schipp
I thought about using this tool too, but my dev-environment is not 
accessible from the internet. So it sadly is of no use for me.

On Thursday, June 6, 2019 at 20:19:53 UTC+2, David Curry wrote:
>
> If you don't feel like (or can't) setting up a web server as an SP, you 
> can also use this:
>
> https://sptest.iamshowcase.com/ 
>
> Click on Instructions > SP Initiated SSO to begin.
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david...@newschool.edu 
>
>
> On Thu, Jun 6, 2019 at 2:14 PM Matthew Uribe wrote:
>
>> Is there any other simplistic service I could try to see if CAS loads 
>>> anything correct?
>>
>>
>> That same tutorial you mentioned contains steps for setting up a basic 
>> CAS or SAML client in order to test your CAS server.
>>
>> Since you don't have any other services currently working with this CAS 
>> server, I would just ask you to confirm that your json files are in the 
>> location specified in your cas.properties cas.serviceRegistry.json.location 
>> line.
>>
>



Re: [cas-user] Re: Connecting SAML SP to CAS 6

2019-06-06 Thread David Curry
If you don't feel like (or can't) setting up a web server as an SP, you can
also use this:

https://sptest.iamshowcase.com/

Click on Instructions > SP Initiated SSO to begin.

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Jun 6, 2019 at 2:14 PM Matthew Uribe wrote:

> Is there any other simplistic service I could try to see if CAS loads
>> anything correct?
>
>
> That same tutorial you mentioned contains steps for setting up a basic CAS
> or SAML client in order to test your CAS server.
>
> Since you don't have any other services currently working with this CAS
> server, I would just ask you to confirm that your json files are in the
> location specified in your cas.properties cas.serviceRegistry.json.location
> line.
>



Re: [cas-user] Re: Connecting SAML SP to CAS 6

2019-06-06 Thread David Curry
> But I am not sure if this is needed - but CAS loads it successfully on boot.

At least in CAS 5, SAML2 will not work if you do not have that service. I
don't know if CAS 6 still requires it, but I would assume that it does
unless you can find something that says it doesn't.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Jun 6, 2019 at 10:41 AM Fabian Schipp wrote:

> There is one more service called SAML2CallbackProfile which was suggested
> in a tutorial:
>
> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html#create-a-service-definition-for-the-idp-endpoint
>
> {
>   /*
>    * The CAS SAML IdP creates this endpoint as part of its initialization
>    * process at server startup time. If the service registry doesn't already
>    * contain an entry whose serviceId matches the endpoint, CAS will create
>    * a new service definition and save it to the registry. If the CAS server
>    * doesn't have write access to the registry, then the save will fail and
>    * the server will not start.
>    *
>    * To avoid that situation, and to make it clear that this endpoint is a
>    * "desired" service, it is defined explicitly here.
>    */
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https:///cas/idp/profile/SAML2/Callback.+",
>   "name" : "SAML Authentication Request",
>   "id" : 1558621367337136,
>   "evaluationOrder" : 100
> }
>
>
>
> But I am not sure if this is needed - but CAS loads it successfully on
> boot.
>
> Is there any other simplistic service I could try to see if CAS loads
> anything correct?
>
> On Thursday, June 6, 2019 at 4:21:04 PM UTC+2, Matthew Uribe wrote:
>>
>> OK. So if root is running CAS, and root owns the json file, then that
>> part should be fine. Do you have any other services registered that CAS is
>> reading correctly?
>>
>> On Thursday, June 6, 2019 at 7:54:52 AM UTC-6, Fabian Schipp wrote:
>>>
>>> I am running the .war overlay; therefore I have no tomcat user.
>>> But I checked the file, it's owned by the root user.
>>> I then checked the process running the war file environment in the jdk
>>> folder - it is also the root user.
>>>
>>> On Thursday, June 6, 2019 at 15:37:05 UTC+2, Matthew Uribe wrote:
>>>>
>>>> Is the devConfluence-1558621301329267.json file readable for whatever
>>>> user/service is running CAS? When I forget to change ownership of my json
>>>> files to the tomcat user, I run into the same issue.
>>>>
>>>>
>>>> On Thursday, June 6, 2019 at 7:06:50 AM UTC-6, Fabian Schipp wrote:
>
> Hi everyone,
>
> I am currently trying to connect Confluence as SAML SP with a CAS 6
> instance.
> CAS Server on its own is running fine. I added a SAML service I
> created using the docs chapter on SAML services:
>
> https://apereo.github.io/cas/6.0.x/installation/Configuring-SAML2-Authentication.html#saml-services
>
> My SAML service:
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "https:///plugins/servlet/samlsso",
>   "name" : "dev Confluence Application",
>   "id" : 1558621301329267,
>   "metadataLocation" : "https:///plugins/servlet/samlsso/metadata",
>   "evaluationOrder" : 10
> }
>
> But CAS does load the service but it looks like it is malformed in
> some way.
>
> I checked some things that might have gone wrong:
> - the metadata-URL does link to the correct metadata of the SP
> - the serviceId matches the corresponding URL from the confluence
> system
> - the id field matches the name of the service-filename (it is called
> devConfluence-1558621301329267.json)
>
> The output I get is this:
> 2019-06-06 14:56:58,002 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
> - /plugins/servlet/samlsso]
> from authentication request>
>
> 2019-06-06 14:56:58,004 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
> -  [AbstractWebApplicationService(id=https:///plugins/servlet/samlsso,
> originalUrl=https:///plugins/servlet/samlsso,
> artifactId=null, principal=null, source=null, loggedOutAlready=false,
> format=XML, attributes={})]>
>
> 2019-06-06 14:56:58,024 WARN
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
> - <[https:///plugins/servlet/samlsso] is not found
> in the registry or service access is denied. Ensure service is registered
> in service registry>
>
> So there is another service registry I have to register my service in?
> Are there any more