Nice. If and when you get to it, turn it into one of these:
https://apereo.github.io/cas/development/integration/Configuring-SAML-SP-Integrations.html
 

--Misagh 

> From: "vnick" <nick.e.couch...@gmail.com>
> To: "CAS Community" <cas-user@apereo.org>
> Cc: "Misagh Moayyed" <mmoay...@unicon.net>
> Sent: Thursday, February 15, 2018 11:46:57 AM
> Subject: Re: [SOLVED] Re: [cas-user] CAS 5.2.x SAML IdP Issues

> I'm writing a SAML authentication extension for the Guacamole Project
> (http://guacamole.apache.org).
> -Nick

> On Thursday, February 15, 2018 at 1:24:24 PM UTC-5, Misagh Moayyed wrote:
>> Cool. Who exactly is the SP in this scenario?

>> --Misagh

>>> From: "vnick" <nick.e....@gmail.com>
>>> To: "CAS Community" <cas-...@apereo.org>
>>> Cc: "Misagh Moayyed" <mmoa...@unicon.net>
>>> Sent: Thursday, February 15, 2018 10:48:25 AM
>>> Subject: [SOLVED] Re: [cas-user] CAS 5.2.x SAML IdP Issues

>>> Well, this put me on the right path - turns out the number of services the log
>>> file told me was loading just happened to match what was in the services
>>> directory, but the CAS configuration was not pointing at anything but the
>>> default location, so it wasn't actually loading my services. Problem is
>>> resolved - all works well, now!
>>> -Nick

>>> On Thursday, February 15, 2018 at 12:29:00 PM UTC-5, Misagh Moayyed wrote:
>>>> Do you have other JSON service definitions in the registry? Anything with a
>>>> lower evaluation order or a more relaxed regex pattern?

>>>> --Misagh

>>>>> From: "vnick" <nick.e....@gmail.com>
>>>>> To: "CAS Community" <cas-...@apereo.org>
>>>>> Sent: Thursday, February 15, 2018 10:15:40 AM
>>>>> Subject: [cas-user] CAS 5.2.x SAML IdP Issues

>>>>> Hey, everyone,
>>>>> I'm trying to get SAML2 authentication working against my CAS server. I've got
>>>>> CAS protocol authentications working just fine, but am struggling getting the
>>>>> SAML IdP configured correctly. I have the following items configured in my main
>>>>> CAS configuration:

>>>>> ## SAML Provider
>>>>> cas.authn.samlIdp.entityId=https://server.domain.com/cas/idp
>>>>> cas.authn.samlIdp.hostName=server.domain.com
>>>>> cas.authn.samlIdp.scope=domain.com
>>>>> cas.authn.samlIdp.metadata.cacheExpirationMinutes=30
>>>>> cas.authn.samlIdp.metadata.failFast=true
>>>>> cas.authn.samlIdp.metadata.location=file:///etc/cas/saml
>>>>> cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
>>>>> cas.authn.samlIdp.metadata.requireValidMetadata=true
>>>>> cas.authn.samlIdp.logout.forceSignedLogoutRequests=true
>>>>> cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false
>>>>> cas.authn.samlIdp.response.skewAllowance=0
>>>>> cas.authn.samlIdp.response.signError=false
>>>>> cas.authn.samlIdp.response.useAttributeFriendlyName=true

>>>>> I also have a JSON-based service registry configured, and have the following
>>>>> entry for the SP that I'm trying to authenticate with:

>>>>> {
>>>>>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>>   "serviceId": "https://1.2.3.4/guacamole/api/tokens",
>>>>>   "name": "GuacamoleSAML",
>>>>>   "id": 1002,
>>>>>   "evaluationOrder": 1002,
>>>>>   "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"
>>>>> }

>>>>> and, finally, I used the web site mentioned in the CAS SAML IdP documentation to
>>>>> generate the metadata:

>>>>> <?xml version="1.0"?>
>>>>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>>>>                      validUntil="2018-02-17T03:16:28Z"
>>>>>                      cacheDuration="PT604800S"
>>>>>                      entityID="https://1.2.3.4/guacamole/api/tokens">
>>>>>   <md:SPSSODescriptor AuthnRequestsSigned="false"
>>>>>                       WantAssertionsSigned="false"
>>>>>                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>>>>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>>>>>     <md:AssertionConsumerService
>>>>>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>>>         Location="https://1.2.3.4/guacamole/api/ext/saml/callback"
>>>>>         index="1" />
>>>>>   </md:SPSSODescriptor>
>>>>> </md:EntityDescriptor>

>>>>> However, every time I try to authenticate with this app, I receive the following
>>>>> error:

>>>>> 2018-02-15 12:12:52,559 INFO
>>>>> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
>>>>> - <Received SAML profile request [/cas/idp/profile/SAML2/Redirect/SSO]>
>>>>> 2018-02-15 12:12:52,581 ERROR
>>>>> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
>>>>> - <CAS has found a match for service [https://1.2.3.4/guacamole/api/tokens]
>>>>> in registry but the match is not defined as a SAML service>

>>>>> I can't seem to get much more detail - I think something must be wrong with my
>>>>> logging configuration, because I can't get any debugging. Also, most of the
>>>>> parameters in the cas configuration file for SAML (cas.authn.samlIdp.*) seem to
>>>>> lack documentation - for example, I feel like this could be related to the
>>>>> "cas.authn.samlIdp.scope=domain.com", but there's no documentation on what's
>>>>> expected or acceptable for the scope, and whether this would generate the error
>>>>> message I'm seeing above. Other than that, as far as I can tell, my JSON
>>>>> service entry matches the documentation, is valid JSON, and defines the
>>>>> mentioned service as a SAML service, so it's unclear to me what's leading to
>>>>> this error.

>>>>> Any pointers would be appreciated!

>>>>> -Nick

>>>>> --
>>>>> - Website: https://apereo.github.io/cas
>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups 
>>>>> "CAS
>>>>> Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an 
>>>>> email
>>>>> to cas-user+u...@apereo.org .
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/abc5ef3d-26d5-4070-a08f-aa40db37a7fc%40apereo.org
>>>>> .



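An added example, not part of this thread and not CAS's own code: a small Python check that approximates how the CAS JSON service registry picks the definition for an incoming SP entityID (lowest evaluationOrder first, serviceId treated as a regex) and reproduces both failure modes discussed above, namely the SAML definition never being loaded because the registry location points at a directory without it, and a broader non-SAML pattern claiming the entityID, which is what produces "found a match ... but the match is not defined as a SAML service". The file names, the catch-all HTTPS service and the look-alike host are constructed for the example; the matching semantics are an approximation of CAS behaviour, not its implementation.

```python
import json
import os
import re
import tempfile

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

# Constructed sample definitions (assumptions for this example): a catch-all
# HTTPS service in the style CAS overlays ship with, plus the Guacamole SAML
# SP with its entityID anchored and regex-escaped.
SAMPLE_SERVICES = {
    "HTTPSandIMAPS-10000001.json": {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https|imaps)://.*",
        "name": "HTTPS and IMAPS",
        "id": 10000001,
        "evaluationOrder": 10000,
    },
    "GuacamoleSAML-1002.json": {
        "@class": SAML_CLASS,
        "serviceId": r"^https://1\.2\.3\.4/guacamole/api/tokens$",
        "name": "GuacamoleSAML",
        "id": 1002,
        "evaluationOrder": 1002,
        "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml",
    },
}


def write_services(directory, services):
    """Write each definition as its own <name>-<id>.json file."""
    for filename, body in services.items():
        with open(os.path.join(directory, filename), "w") as fh:
            json.dump(body, fh, indent=2)


def load_services(directory):
    """Load every *.json definition in directory; an empty list means the
    registry location points somewhere without definitions."""
    services = []
    for filename in sorted(os.listdir(directory)):
        if filename.endswith(".json"):
            with open(os.path.join(directory, filename)) as fh:
                services.append(json.load(fh))
    return services


def find_match(services, entity_id):
    """First definition whose serviceId regex matches entity_id, trying them
    in ascending evaluationOrder. Approximation of CAS: the pattern is applied
    as an unanchored search, so any anchoring has to live in the pattern."""
    for svc in sorted(services, key=lambda s: s.get("evaluationOrder", 0)):
        if re.search(svc["serviceId"], entity_id):
            return svc
    return None


def diagnose(directory, entity_id):
    """Return (status, matched service name or None) for an SP entityID."""
    services = load_services(directory)
    if not services:
        return ("no-services-loaded", None)
    match = find_match(services, entity_id)
    if match is None:
        return ("unauthorized", None)
    if match["@class"] != SAML_CLASS:
        # A non-SAML definition claimed the entityID: the IdP rejects it.
        return ("matched-non-saml", match["name"])
    return ("ok", match["name"])


def run_scenarios(entity_id="https://1.2.3.4/guacamole/api/tokens"):
    """Exercise diagnose() against registries built in temp directories."""
    results = {}
    lookalike = "https://1x2x3x4/guacamole/api/tokens"  # constructed host
    with tempfile.TemporaryDirectory() as full:
        write_services(full, SAMPLE_SERVICES)
        results["both-loaded"] = diagnose(full, entity_id)
        # Escaped dots: the look-alike host falls through to the catch-all.
        results["lookalike-host"] = diagnose(full, lookalike)
    with tempfile.TemporaryDirectory() as default_only:
        # The registry when its location points at the default directory
        # and the SAML definition is never loaded at all.
        write_services(default_only, {
            "HTTPSandIMAPS-10000001.json":
                SAMPLE_SERVICES["HTTPSandIMAPS-10000001.json"]})
        results["wrong-registry-dir"] = diagnose(default_only, entity_id)
    # Unescaped dots, as in the posted serviceId, match any character, so the
    # same pattern would also accept the look-alike host.
    unescaped = r"^https://1.2.3.4/guacamole/api/tokens$"
    results["unescaped-dot-lookalike"] = bool(re.search(unescaped, lookalike))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Two checks worth taking away for a real deployment: confirm the registry location property actually points at the directory holding the SAML definition (the "wrong-registry-dir" case is exactly what Nick hit), and write the SAML serviceId as an anchored, escaped pattern rather than the bare entityID, because serviceId is a regex and unescaped dots widen what the definition will accept.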