Hello everyone,

I'm the developer who has been working on implementing the SAML 
authentication referenced by the OP, and the provided responses seem to 
align with what I've come across while researching the issue, so I wanted 
to try and provide a little more information in the hopes that it'll help 
better explain the issue.

From what I've been able to discern while attempting to debug the issue, it 
appears that the SAML service definition isn't even being loaded by CAS for 
some reason. I've tried everything from manually modifying the 
evaluationOrder property of the existing services to ensure the SAML 
service definition would be loaded first to deleting the other service 
definitions to eliminate load order issues, but to no avail.

I've attached "scrubbed" versions of our current service definitions, along 
with the metadata returned from the SP we are attempting to integrate with 
CAS. If there is any additional information I can provide, please don't 
hesitate to ask.

For reference, here are the property values related to SAML that we are 
currently using:

cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
cas.authn.samlIdp.scope=cas-idp-domain.com


{
    /*
      Generic service definition that applies to https/imaps urls
      that wish to register with CAS for authentication.
    */
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "^(https):\\/\\/.*\\.cas-idp-domain\\.com\\/.*",
    "name" : "HTTPS for genius",
    "id" : 10000006,
    "evaluationOrder": 300
}


{
  /*
    Generic service definition that applies to https/imaps urls
    that wish to register with CAS for authentication.
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https):\\/\\/portal\\.cas-idp-domain\\.com\\/.*",
  "name" : "HTTPS for another Vendor",
  "id" : 10000004,
  "evaluationOrder": 200
}


{
  /*
   * The CAS SAML IdP creates this endpoint as part of its initialization
   * process at server startup time. If the service registry doesn't already
   * contain an entry whose serviceId matches the endpoint, CAS will create
   * a new service definition and save it to the registry. If the CAS server
   * doesn't have write access to the registry, then the save will fail and
   * the server will not start.
   *
   * To avoid that situation, and to make it clear that this endpoint is a
   * "desired" service, it is defined explicitly here.
   */
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://vendor-site.com/Pages/Auth/Login.aspx",
  "name" : "SAML Authentication Request",
  "id" : 10000003,
  "metadataLocation" : "https://link-to-metadata.com",
  "evaluationOrder": 1
}


SP Metadata:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S" 
entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
    <md:SPSSODescriptor AuthnRequestsSigned="false" 
WantAssertionsSigned="false" 
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

On Monday, May 7, 2018 at 8:19:58 AM UTC-7, John D Giotta wrote:
>
> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS 
> (currently using CAS protocol).
>
> I've followed documentation, but unfortunately I'm unable to get the 
> application to authorize.
>
> The error I get in logs is:
>
> CAS has found a match for service [https://vendor-site.com/Pages/Auth/Login.aspx] 
> in registry but the match is not defined as a SAML service
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e4069196-0a04-4c66-9013-e7cd865a8f8d%40apereo.org.
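As an added illustration (this is not code from the thread or from CAS itself), the following Python script embeds the three service definitions and the SP metadata posted above and models the lookup behind the quoted error: the registry is walked in ascending evaluationOrder and the first serviceId regex that matches the SP entityID wins, so if that first match is not a SamlRegisteredService the SAML request is rejected. The matching semantics (regex find, lowest evaluationOrder first) are my reading of CAS's RegexRegisteredService and are an assumption here; the CATCH_ALL definition is hypothetical and is included only to show the shadowing case. The metadata audit reports only what is visible in the posted metadata: validUntil (2018-05-03) had already passed on the date of the thread, and both AuthnRequestsSigned and WantAssertionsSigned are false.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
REGEX_CLASS = "org.apereo.cas.services.RegexRegisteredService"

# The three service definitions posted in the thread, embedded as dicts with
# the JSON string escapes already decoded ("\\/" in the file becomes "\/").
SERVICES = [
    {"@class": REGEX_CLASS, "id": 10000006, "evaluationOrder": 300,
     "name": "HTTPS for genius",
     "serviceId": r"^(https):\/\/.*\.cas-idp-domain\.com\/.*"},
    {"@class": REGEX_CLASS, "id": 10000004, "evaluationOrder": 200,
     "name": "HTTPS for another Vendor",
     "serviceId": r"^(https):\/\/portal\.cas-idp-domain\.com\/.*"},
    {"@class": SAML_CLASS, "id": 10000003, "evaluationOrder": 1,
     "name": "SAML Authentication Request",
     "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
     "metadataLocation": "https://link-to-metadata.com"},
]

# Hypothetical definition (NOT from the thread): a broad regex with a lower
# evaluationOrder than the SAML definition, to show how it shadows it.
CATCH_ALL = {"@class": REGEX_CLASS, "id": 1, "evaluationOrder": 0,
             "name": "catch-all (hypothetical)", "serviceId": r"^https?://.*"}

# Reference "now" for the metadata check: the date the thread was posted.
THREAD_DATE = datetime(2018, 5, 7, tzinfo=timezone.utc)

SP_ENTITY_ID = "https://vendor-site.com/Pages/Auth/Login.aspx"

# SP metadata as posted in the thread (artifact characters removed).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S"
entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
    <md:SPSSODescriptor AuthnRequestsSigned="false"
WantAssertionsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def find_match(services, requested):
    """First definition whose serviceId regex matches `requested`, walking the
    registry in ascending evaluationOrder (ties broken by name). Assumption:
    this mirrors CAS RegexRegisteredService matching, which uses Java
    Pattern.find(), so an unanchored pattern matches anywhere in the string."""
    for svc in sorted(services, key=lambda s: (s["evaluationOrder"], s["name"])):
        if re.search(svc["serviceId"], requested):
            return svc
    return None


def classify(services, entity_id):
    """Outcome of the registry lookup for a SAML issuer/entityID."""
    svc = find_match(services, entity_id)
    if svc is None:
        return "no match"
    if svc["@class"] == SAML_CLASS:
        return "saml"
    return "match is not a SAML service"


def audit_sp_metadata(xml_text, now):
    """Return (entityID, findings) for an SP EntityDescriptor: expired
    validUntil, unsigned AuthnRequests, assertions not required to be signed,
    and any AssertionConsumerService not served over https."""
    ns = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
    root = ET.fromstring(xml_text)
    findings = []
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
        if expiry.replace(tzinfo=timezone.utc) < now:
            findings.append(f"validUntil {valid_until} has passed")
    sp = root.find("md:SPSSODescriptor", ns)
    if sp is None:
        findings.append("no SPSSODescriptor: this is not SP metadata")
        return root.get("entityID"), findings
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append("AuthnRequestsSigned=false: the IdP cannot verify who sent the AuthnRequest")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned=false: the SP does not declare that it requires signed assertions")
    for acs in sp.findall("md:AssertionConsumerService", ns):
        if not acs.get("Location", "").startswith("https://"):
            findings.append(f"AssertionConsumerService not over https: {acs.get('Location')}")
    return root.get("entityID"), findings


if __name__ == "__main__":
    print("as posted:", classify(SERVICES, SP_ENTITY_ID))
    print("with hypothetical catch-all:", classify([CATCH_ALL] + SERVICES, SP_ENTITY_ID))
    entity_id, findings = audit_sp_metadata(SP_METADATA, THREAD_DATE)
    for finding in findings:
        print(entity_id, "->", finding)
```

Two things worth checking against a real registry: the SAML serviceId is itself a regex, so the unescaped dots in https://vendor-site.com/Pages/Auth/Login.aspx also match any other character (escape them as \\. and anchor the pattern with ^ and $ in the JSON file), and any broader RegexRegisteredService with a lower evaluationOrder is chosen before the SAML definition, which is the situation the quoted error describes.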
