Thanks, Andres! That was exactly the problem.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]


On Thu, Dec 13, 2018 at 10:43 AM Andres Rattur <[email protected]>
wrote:

> Hi Dave,
>
> Yes, we are using this combination: Pulse Secure VPN + CAS as SAML2 IdP
> and it works well.
>
> If this highlighted string from the log is exactly the same as your service
> registry id, then perhaps the problem is the question mark; it has to be
> escaped:
> As-Is: "serviceId" : "^https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi?p=sp1";
> To-Be: "serviceId" : "^https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi\\?p=sp1";
>
> From documentation:
> https://apereo.github.io/cas/5.2.x/installation/JSON-Service-Management.html
>
> "If the service is defined as a regular expression, certain regex
> constructs such as "." and "\d" need to be doubly escaped."
>
> With best regards,
> Andres
>
> Kontakt <[email protected]> wrote on Thu, 13 December 2018
> at 17:13:
>
>> Has anyone managed to configure their Pulse Secure VPN as a SAML2 SP to
>> use CAS as a SAML2 IdP?
>>
>> I've got (according to the documentation) all the configuration bits on
>> the Pulse Secure box set up, and I've put an entry into the CAS service
>> registry for a SAML2 service with the correct entityId.
>>
>> And when I access the VPN endpoint that's supposed to go to CAS, it does
>> indeed redirect to the CAS server. But CAS fails with:
>>
>> 2018-12-13 09:56:25,661 WARN
>> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
>> - <[https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi?p=sp1] is
>> not found in the registry or service access is denied. Ensure service is
>> registered in service registry>
>>
>> despite the fact that the string highlighted above is exactly what's
>> listed in the service registry and as the entityId in the metadata
>> downloaded from the Pulse Secure appliance. I have also tried with the
>> entityId set to that string minus the "?p=sp1" bit (because depending on
>> where you download the metadata from in the Pulse UI, it's either a part of
>> the entityId or it's not), but the string in the warning message is always
>> the same.
>>
>> Clearly I'm missing something fundamental here, but turning on DEBUG
>> logging on the CAS server doesn't offer any clues, nor do the logs on the
>> Pulse.
>>
>> Any ideas / answers / guesses appreciated...
>>
>> CAS 5.2.7 / Pulse 8.2R3.1
>>
>> Thanks,
>> --Dave
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/a1e8ff0b-10b4-41f2-852b-9358d9c875c9%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/a1e8ff0b-10b4-41f2-852b-9358d9c875c9%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>

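The escaping point in Andres's reply, as an added example that is not from the thread: a Python check (CAS is Java, but Python's re treats ".", "?" and "\?" the same way here) that decodes the JSON serviceId the way the registry would and matches it against the entityId from the WARN line. The JSON snippets and the second id are constructed; the fully escaped form goes beyond the reply by also escaping the dots, as the quoted documentation requires.

```python
import json
import re

# Constructed JSON values for the "serviceId" field of a CAS service registry
# entry: the as-is form from the thread and Andres's to-be form.
AS_IS_JSON = r'{"serviceId": "^https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi?p=sp1"}'
TO_BE_JSON = r'{"serviceId": "^https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi\\?p=sp1"}'

# The entityId CAS printed in the WARN line of the original post.
ENTITY_ID = "https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi?p=sp1"
# Constructed id that differs only where the host has dots, to show an
# unescaped "." in the pattern is a wildcard rather than a literal dot.
OTHER_ID = "https://vpnXnewschoolXedu/dana-na/auth/saml-endpoint.cgi?p=sp1"


def service_id_pattern(service_json: str) -> str:
    # Decode the JSON so we see the regex as CAS does: the JSON text \\? becomes the regex \?
    return json.loads(service_json)["serviceId"]


def matches(pattern: str, entity_id: str) -> bool:
    # CAS matches the serviceId regular expression against the SP entityId.
    return re.search(pattern, entity_id) is not None


def fully_escaped_service_id(entity_id: str) -> str:
    # Anchor the literal entityId and escape every regex metacharacter ("." and "?"
    # included; Python also escapes "-", which Java's regex engine accepts).
    return "^" + re.escape(entity_id) + "$"


def registry_value(entity_id: str) -> str:
    # The doubly escaped string to paste into the JSON service file for that entityId.
    return json.dumps(fully_escaped_service_id(entity_id))


if __name__ == "__main__":
    for label, doc in (("as-is", AS_IS_JSON), ("to-be", TO_BE_JSON)):
        pat = service_id_pattern(doc)
        print(f"{label:6} {pat!r}: entityId={matches(pat, ENTITY_ID)} other={matches(pat, OTHER_ID)}")
    strict = fully_escaped_service_id(ENTITY_ID)
    print(f"strict {strict!r}: entityId={matches(strict, ENTITY_ID)} other={matches(strict, OTHER_ID)}")
    print("paste into JSON:", registry_value(ENTITY_ID))
```

Running it shows the as-is pattern never matching the logged entityId (the "?" makes the "i" of "cgi" optional instead of matching a literal "?"), the to-be pattern matching it but also matching the look-alike id, and the fully escaped pattern matching only the real one.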
