We are trying to configure our Workday Preview tenant to authenticate via 
SAML2 to a CAS 5.2.2 IdP. 

In the management webapp, we have defined a "SAML2 Service Provider" 
service. The EntityID is set to:

https://impl.workday.com/xxxxx


which matches the EntityID in the SP's metadata.  When we try to log in to 
Workday, we receive this error from the Workday side:

Invalid Audience in SAML token: URL should start with 
http://www.workday.com, or end with /xxxxx/login-saml.htmld


The string they're saying it should end with is the tenant name ("xxxxx") 
and the name of the web page (login-saml.htmld) that is listed in the 
metadata as the AssertionConsumerService. However, CAS is sending back the 
EntityID as the audience:

    <saml2:Conditions NotBefore="2018-03-13T16:39:12.776Z" NotOnOrAfter="2018-03-13T16:39:17.776Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>

which appears to be correct behavior in the normal (non-Workday) world.

On our old CAS 3.5.x/Shibboleth 2.4.0 setup (which the same Workday tenant 
works successfully with), we had to add a line in the relying party profile 
configuration (in relying-party.xml) to address this:

<saml:Audience>http://www.workday.com</saml:Audience>


which results in the SAML2 response sent back to Workday containing two 
audiences:

    <saml2:Conditions NotBefore="2018-03-13T13:44:01.503Z" NotOnOrAfter="2018-03-13T13:49:01.503Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
            <saml2:Audience>http://www.workday.com</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>

However, I don't see any way to perform the equivalent, either through the 
management webapp's user interface or by editing the service registry 
manually. And I don't see anything in the documentation or searching the 
code on GitHub.

We are NOT using the cas-server-support-saml-sp-integrations dependency... 
should we be?

Does anyone have CAS 5.2.x SAML IdP working with Workday, especially a 
sandbox/implementation/preview tenant?

Any ideas (even crazy ones) gladly accepted...

Thanks,
--Dave
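To make the difference between the two responses concrete, here is an added example (not part of the post, and not CAS or Workday code) that parses the two <saml2:Conditions> fragments quoted above and applies the audience rule Workday's error message states, plus the NotBefore/NotOnOrAfter window check an SP performs. The tenant name "xxxxx" and the evaluation timestamps are assumed values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed from the two Conditions fragments quoted in the post.
CAS52_CONDITIONS = """<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2018-03-13T16:39:12.776Z" NotOnOrAfter="2018-03-13T16:39:17.776Z">
  <saml2:AudienceRestriction>
    <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>"""

SHIB24_CONDITIONS = """<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2018-03-13T13:44:01.503Z" NotOnOrAfter="2018-03-13T13:49:01.503Z">
  <saml2:AudienceRestriction>
    <saml2:Audience>https://impl.workday.com/xxxxx</saml2:Audience>
    <saml2:Audience>http://www.workday.com</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>"""


def parse_time(value):
    """Parse the UTC timestamp format used in the quoted assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audiences(conditions_xml):
    """Return every <saml2:Audience> value inside the AudienceRestriction."""
    root = ET.fromstring(conditions_xml)
    return [a.text.strip() for a in root.findall("saml2:AudienceRestriction/saml2:Audience", NS)]


def workday_accepts(audience, tenant):
    """The rule from Workday's error: start with http://www.workday.com or end with /<tenant>/login-saml.htmld."""
    return audience.startswith("http://www.workday.com") or audience.endswith(f"/{tenant}/login-saml.htmld")


def validate(conditions_xml, tenant, now):
    """Check the validity window, then require at least one acceptable audience (SAML AudienceRestriction semantics)."""
    root = ET.fromstring(conditions_xml)
    not_before = parse_time(root.get("NotBefore"))
    not_on_or_after = parse_time(root.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window"
    auds = audiences(conditions_xml)
    if any(workday_accepts(a, tenant) for a in auds):
        return True, "ok"
    return False, "no acceptable audience: " + ", ".join(auds)


if __name__ == "__main__":
    print(validate(CAS52_CONDITIONS, "xxxxx", parse_time("2018-03-13T16:39:14.000Z")))
    print(validate(SHIB24_CONDITIONS, "xxxxx", parse_time("2018-03-13T13:45:00.000Z")))
```

Note that the CAS 5.2.2 window quoted in the post is only five seconds wide (16:39:12 to 16:39:17), so even with the audience fixed, any clock skew between the IdP and Workday would fail the time check as well.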

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/93ff6e18-8090-4664-b84f-a01702cbf053%40apereo.org.