For the service definition, you should only have one, which is a
SamlRegisteredService. You do not need (or want) a RegexRegisteredService
for a SAML service.

And as Matthew said, you should also set

cas.authn.samlIdp.entityId:             ${cas.server.prefix}/idp
cas.authn.samlIdp.scope:                yourdomain.com

I'm not sure it actually matters from the perspective of your CAS SAML IdP
working or not, but it may matter to the service provider ("client"),
especially if that's a third party, who probably wants a "real" name there
instead of "example.org".

As for why you're not matching the service, ASSUMING you only have the
single SamlRegisteredService definition (and not also a
RegexRegisteredService), then you should check that the entityId being sent
by the service is identical to what you have in the "serviceId" field of
your service registry entry.

To check what the SP is sending, look in the XML file for the SP's metadata
near the top of the file:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        ID="http://workday.workday.com/newschool_preview"
        entityID="http://www.workday.com/newschool_preview">

or

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="IAMShowcase"
    validUntil="2025-12-09T09:13:31.006Z">

Whatever you see in the "entityID" attribute is what you should have,
exactly, in the "serviceId" field of your service registry entry. Note
that there's no requirement that the entityId be a "real" URL, or even
URL-shaped. The only requirement is that the SP and IdP agree on what it
should be.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


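As an added example (not part of Dave's message and not code from the CAS project), the following Python script performs the check described above: it parses the SP's metadata, takes the entityID attribute (ignoring the unrelated ID attribute), and compares it character for character with the serviceId of a SamlRegisteredService JSON definition. The metadata snippets are constructed from the two excerpts quoted above, trimmed to the root element (one wrapped in an EntitiesDescriptor to show that case); the JSON service entry, its metadataLocation path and numeric id are assumptions, with the serviceId deliberately set to the value of ID rather than entityID to reproduce a mismatch.

```python
"""Compare a SAML SP's entityID against the serviceId of a CAS SamlRegisteredService.

Added example for this thread; not code from CAS or from the original post.
"""
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

# Constructed inputs modelled on the two metadata excerpts quoted in the thread
# (bodies trimmed; the second is wrapped in an EntitiesDescriptor to show that case).
WORKDAY_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        ID="http://workday.workday.com/newschool_preview"
        entityID="http://www.workday.com/newschool_preview">
</md:EntityDescriptor>"""

SHOWCASE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="IAMShowcase"
      validUntil="2025-12-09T09:13:31.006Z"/>
</md:EntitiesDescriptor>"""

# Constructed CAS JSON service registry entry (hypothetical path and id). The serviceId
# was copied from the metadata's ID attribute instead of entityID, the mistake the
# thread warns about, so the check below reports a mismatch.
WORKDAY_SERVICE = json.dumps({
    "@class": SAML_SERVICE_CLASS,
    "serviceId": "http://workday.workday.com/newschool_preview",
    "name": "Workday",
    "id": 1,
    "metadataLocation": "/etc/cas/saml/workday-metadata.xml",
}, indent=2)


def sp_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the SP's EntityDescriptor.

    The root may be an EntityDescriptor or an EntitiesDescriptor wrapping one. The
    ID attribute is deliberately ignored: it is not what CAS matches the SP on.
    """
    root = ET.fromstring(metadata_xml)
    descriptor_tag = f"{{{MD_NS}}}EntityDescriptor"
    if root.tag == descriptor_tag:
        descriptor = root
    else:
        descriptor = root.find(f".//{descriptor_tag}")
        if descriptor is None:
            raise ValueError("no md:EntityDescriptor found in metadata")
    entity_id = descriptor.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def registry_service_id(service_json: str) -> str:
    """Return serviceId from a CAS JSON service definition, refusing non-SAML classes."""
    entry = json.loads(service_json)
    if entry.get("@class") != SAML_SERVICE_CLASS:
        raise ValueError(f"expected a SamlRegisteredService, got {entry.get('@class')!r}")
    return entry["serviceId"]


def check_match(metadata_xml: str, service_json: str) -> dict:
    """Compare the SP's entityID with the registry serviceId character for character."""
    entity_id = sp_entity_id(metadata_xml)
    service_id = registry_service_id(service_json)
    return {
        "entityID": entity_id,
        "serviceId": service_id,
        "exact_match": entity_id == service_id,
        # Trailing whitespace is a common reason two apparently identical values differ.
        "match_ignoring_whitespace": entity_id.strip() == service_id.strip(),
    }


def fix_service_id(service_json: str, metadata_xml: str) -> str:
    """Return the service definition with serviceId replaced by the SP's actual entityID."""
    entry = json.loads(service_json)
    entry["serviceId"] = sp_entity_id(metadata_xml)
    return json.dumps(entry, indent=2)


if __name__ == "__main__":
    print(check_match(WORKDAY_METADATA, WORKDAY_SERVICE))
    print(sp_entity_id(SHOWCASE_METADATA))
    print(fix_service_id(WORKDAY_SERVICE, WORKDAY_METADATA))
```

Run it against a real SP metadata file and the JSON file from your CAS service registry directory by reading both files into the two string arguments; the refusal of any "@class" other than SamlRegisteredService is there to catch the stray RegexRegisteredService definition mentioned above.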
On Mon, May 7, 2018 at 12:57 PM, John D Giotta <jdgio...@gmail.com> wrote:

> If I don't set this property does it affect the vendor integration I'm
> attempting to do?
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAMyp6%2BAnCtJRh_e1-%2BNizgD6Q7LajdCYMW9pH-Q0kdJ3A%40mail.gmail.com.