Do you have the dashboard endpoints enabled? Can you go to the "services"
endpoint, which dumps the service registry, and see if there's something
else in there?

Alternatively, I think if you turn on debug mode logging, it will tell you
what services are loaded.

I'm thinking you might be getting a wildcard match through no fault of your
own.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]


On Mon, May 7, 2018 at 3:48 PM, Patrick Sutton <[email protected]> wrote:

> Hello everyone,
>
> I'm the developer who has been working on implementing the SAML
> authentication referenced by the OP, and the provided responses seem to
> align with what I've come across while researching the issue, so I wanted
> to try and provide a little more information in the hopes that it'll help
> better explain the issue.
>
> From what I've been able to discern while attempting to debug the issue,
> it appears that the SAML service definition isn't even being loaded by CAS
> for some reason. I've tried everything from manually modifying the
> evaluationOrder property of the existing services to ensure the SAML
> service definition would be loaded first to deleting the other service
> definitions to eliminate load order issues, but to no avail.
>
> I've attached "scrubbed" versions of our current service definitions,
> along with the metadata returned from the SP we are attempting to integrate
> with CAS. If there is any additional information I can provide, please
> don't hesitate to ask.
>
> For reference, here are the property values related to SAML that we are
> currently using:
>
> cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
> cas.authn.samlIdp.scope=cas-idp-domain.com
>
>
> {
>     /*
>       Generic service definition that applies to https/imaps urls
>       that wish to register with CAS for authentication.
>     */
>     "@class" : "org.apereo.cas.services.RegexRegisteredService",
>     "serviceId" : "^(https):\\/\\/.*\\.cas-idp-domain\\.com\\/.*",
>     "name" : "HTTPS for genius",
>     "id" : 10000006,
>     "evaluationOrder": 300
> }
>
>
> {
>   /*
>     Generic service definition that applies to https/imaps urls
>     that wish to register with CAS for authentication.
>   */
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https):\\/\\/portal\\.cas-idp-domain\\.com\\/.*",
>   "name" : "HTTPS for another Vendor",
>   "id" : 10000004,
>   "evaluationOrder": 200
> }
>
>
> {
>   /*
>    * The CAS SAML IdP creates this endpoint as part of its initialization
>    * process at server startup time. If the service registry doesn't already
>    * contain an entry whose serviceId matches the endpoint, CAS will create
>    * a new service definition and save it to the registry. If the CAS server
>    * doesn't have write access to the registry, then the save will fail and
>    * the server will not start.
>    *
>    * To avoid that situation, and to make it clear that this endpoint is a
>    * "desired" service, it is defined explicitly here.
>    */
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "https://vendor-site.com/Pages/Auth/Login.aspx",
>   "name" : "SAML Authentication Request",
>   "id" : 10000003,
>   "metadataLocation" : "https://link-to-metadata.com",
>   "evaluationOrder": 1
> }
>
>
> SP Metadata:
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S"
>     entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
>     <md:SPSSODescriptor AuthnRequestsSigned="false"
>         WantAssertionsSigned="false"
>         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>         <md:AssertionConsumerService
>             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>             Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
>     </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
> On Monday, May 7, 2018 at 8:19:58 AM UTC-7, John D Giotta wrote:
>>
>> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS
>> (currently using CAS protocol).
>>
>> I've followed documentation, but unfortunately I'm unable to get the
>> application to authorize.
>>
>> The error I get in logs is:
>>
>> CAS has found a match for service [https://vendor-site.com/Pages/Auth/Login.aspx]
>> in registry but the match is not defined as a SAML service
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e4069196-0a04-4c66-9013-e7cd865a8f8d%40apereo.org.
>
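The registry lookup that Dave and Patrick are reasoning about above (ascending evaluationOrder, regex serviceIds, and the IdP's check that the winner is a SamlRegisteredService), as an added Python model that is not CAS's own code: the three scrubbed definitions from the thread are matched against the SP entityID, and a hypothetical catch-all RegexRegisteredService with a lower evaluationOrder shows how a wildcard can shadow the SAML definition and yield exactly the "not defined as a SAML service" outcome John reported. The ascending-order and regex-find behaviour, and the CATCH_ALL definition, are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed model of the CAS registry lookup (assumption, not CAS's own code):
# definitions are tried in ascending evaluationOrder and the first whose
# serviceId regex finds a match wins; SamlRegisteredService inherits that regex
# matching, so an unescaped "." in its serviceId is a regex metacharacter.
SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
REGEX_CLASS = "org.apereo.cas.services.RegexRegisteredService"

# The three scrubbed definitions from the thread, comments dropped.
SERVICES = [
    {"@class": REGEX_CLASS, "name": "HTTPS for genius", "id": 10000006,
     "serviceId": r"^(https):\/\/.*\.cas-idp-domain\.com\/.*", "evaluationOrder": 300},
    {"@class": REGEX_CLASS, "name": "HTTPS for another Vendor", "id": 10000004,
     "serviceId": r"^(https):\/\/portal\.cas-idp-domain\.com\/.*", "evaluationOrder": 200},
    {"@class": SAML_CLASS, "name": "SAML Authentication Request", "id": 10000003,
     "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
     "metadataLocation": "https://link-to-metadata.com", "evaluationOrder": 1},
]
ENTITY_ID = "https://vendor-site.com/Pages/Auth/Login.aspx"  # SP entityID from the metadata


def find_service(services: list, requested_id: str) -> Optional[dict]:
    """Return the first definition (lowest evaluationOrder) whose serviceId matches."""
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], requested_id):
            return svc
    return None


def resolve_saml_service(services: list, entity_id: str) -> str:
    """Mimic the IdP's check: the winning match must be a SamlRegisteredService."""
    svc = find_service(services, entity_id)
    if svc is None:
        return "no match"
    if svc["@class"] != SAML_CLASS:
        return f"match [{svc['name']}] is not defined as a SAML service"
    return f"SAML service [{svc['name']}]"


# Hypothetical catch-all placed ahead of everything else (constructed for this example).
CATCH_ALL = {"@class": REGEX_CLASS, "name": "catch-all", "id": 1,
             "serviceId": "^https://.*", "evaluationOrder": 0}

if __name__ == "__main__":
    print(resolve_saml_service(SERVICES, ENTITY_ID))                # the SAML definition wins
    print(resolve_saml_service(SERVICES + [CATCH_ALL], ENTITY_ID))  # the wildcard shadows it
```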
