Issue resolved.

entityID and serviceId must be equal.


On Sunday, 7 April 2019 at 11:34:24 UTC+3, Andrey Seledkov wrote:
>
> Hi team
>
> My Keycloak setup is on host localhost:8080
>
> From Keycloak I set the CAS IdP with the following URL:
> https://localhost:8443/cas/idp/profile/SAML2/Redirect/SSO
>
> CAS version is 6.0
>
> My application.properties file is:
>
> cas.serviceRegistry.json.location=file:/etc/cas/services
> cas.serviceRegistry.initFromJson=true
>
>
> cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
> cas.authn.samlIdp.scope=localhost
> cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
> cas.authn.samlIdp.metadata.location=file:/etc/cas/saml
> cas.authn.samlIdp.attributeQueryProfileEnabled=true
>
>
> And the service definition:
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "^http://localhost:8080/auth/realms/master.*",
>   "name" : "SAML",
>   "id" : 10000010,
>   "evaluationOrder" : 1,
>   "usernameAttributeProvider" : {
>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>     "usernameAttribute" : "sAMAccountName"
>   },
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "sAMAccountName" : "Username",
>       "mail" : "Email",
>       "givenName" : "FirstName",
>       "sn" : "LastName"
>     }
>   },
>   "requiredNameIdFormat" : "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
>   "metadataLocation" : "file:/etc/cas/saml/saml.xml",
>   "signAssertions" : true,
>   "signResponses" : false
> }
>
>
>
> File saml.xml from Keycloak:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>                     xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
>   <EntityDescriptor entityID="http://localhost:8080/auth/realms/master">
>     <IDPSSODescriptor WantAuthnRequestsSigned="true"
>                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>       <KeyDescriptor use="signing">
>         <dsig:KeyInfo>
>           <dsig:KeyName>28MEWm8hWj0zNxNI8VegsxRNMUEw69aZWW0btpcers8</dsig:KeyName>
>           <dsig:X509Data>
>             <dsig:X509Certificate>[certificate contents omitted]</dsig:X509Certificate>
>           </dsig:X509Data>
>         </dsig:KeyInfo>
>       </KeyDescriptor>
>       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                            Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
>       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                            Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
>       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
>       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
>       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
>       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
>       <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                            Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
>       <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                            Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
>       <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>                            Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
>     </IDPSSODescriptor>
>   </EntityDescriptor>
> </EntitiesDescriptor>
>
>
>
>
> When it redirects I get the following trace:
>
> 11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Located issuer [http://localhost:8080/auth/realms/master] from authentication request
> 11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Checking service access in CAS service registry for [http://localhost:8080/auth/realms/master]
> 11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Located SAML service in the registry as [^http://localhost:8080/auth/realms/master.*] with the metadata location of [http://localhost:8080/auth/realms/master/protocol/saml/descriptor]
> 11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Fetching saml metadata adaptor for [http://localhost:8080/auth/realms/master]
> 11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Adapting SAML metadata for CAS service [SAML] issued by [http://localhost:8080/auth/realms/master]
> 11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Locating metadata for entityID [http://localhost:8080/auth/realms/master] by attempting to run through the metadata chain...
> 11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver - Resolving metadata for [SAML] at [http://localhost:8080/auth/realms/master/protocol/saml/descriptor].
> 11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver - Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [http://localhost:8080/auth/realms/master/protocol/saml/descriptor]
> 11:22:20.806 [https-jsse-nio-8443-exec-7] INFO  org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Resolved metadata chain for service [^http://localhost:8080/auth/realms/master.*]. Filtering the chain by entity ID [http://localhost:8080/auth/realms/master]
> 11:22:20.806 [https-jsse-nio-8443-exec-7] WARN  org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Cannot find entity [http://localhost:8080/auth/realms/master] in metadata provider Ensure the metadata is valid and has not expired.
> 11:22:20.806 [https-jsse-nio-8443-exec-7] WARN  org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - No metadata could be found for [http://localhost:8080/auth/realms/master]
> 11:22:20.814 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - No properties file found for [classpath:custom_messages_ru_RU] - neither plain properties nor XML
> 11:22:20.814 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - No properties file found for [classpath:messages_ru_RU] - neither plain properties nor XML
> 11:22:20.818 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - No properties file found for [classpath:custom_messages_ru] - neither plain properties nor XML
> 11:22:20.822 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - No properties file found for [classpath:custom_messages] - neither plain properties nor XML
> 11:22:20.822 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - Re-caching properties for filename [classpath:messages_ru] - file hasn't been modified
> 11:22:20.822 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - Re-caching properties for filename [classpath:messages] - file hasn't been modified
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor - Decoded SAML object [{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest] from http request
> 11:22:21.230 [https-jsse-nio-8443-exec-9] INFO  org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager - Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [issuer=http://localhost:8080/auth/realms/master,binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]
> ACTION: SAML2_REQUEST_CREATED
> APPLICATION: CAS
> WHEN: Sun Apr 07 11:22:21 EEST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
> =============================================================
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Located issuer [http://localhost:8080/auth/realms/master] from authentication request
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Checking service access in CAS service registry for [http://localhost:8080/auth/realms/master]
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Located SAML service in the registry as [^http://localhost:8080/auth/realms/master.*] with the metadata location of [http://localhost:8080/auth/realms/master/protocol/saml/descriptor]
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Fetching saml metadata adaptor for [http://localhost:8080/auth/realms/master]
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Adapting SAML metadata for CAS service [SAML] issued by [http://localhost:8080/auth/realms/master]
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Locating metadata for entityID [http://localhost:8080/auth/realms/master] by attempting to run through the metadata chain...
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver - Resolving metadata for [SAML] at [http://localhost:8080/auth/realms/master/protocol/saml/descriptor].
> 11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver - Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [http://localhost:8080/auth/realms/master/protocol/saml/descriptor]
> 11:22:21.230 [https-jsse-nio-8443-exec-9] INFO  org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Resolved metadata chain for service [^http://localhost:8080/auth/realms/master.*]. Filtering the chain by entity ID [http://localhost:8080/auth/realms/master]
> 11:22:21.230 [https-jsse-nio-8443-exec-9] WARN  org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Cannot find entity [http://localhost:8080/auth/realms/master] in metadata provider Ensure the metadata is valid and has not expired.
> 11:22:21.230 [https-jsse-nio-8443-exec-9] WARN  org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - No metadata could be found for [http://localhost:8080/auth/realms/master]
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/210b39f9-4660-454c-a89b-52afdfa7761e%40apereo.org.
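The trace above shows the three steps CAS walks through for a relying party: the registry entry is matched against the issuer (the regex `serviceId` matched), the service's metadata is loaded, and the loaded metadata is then filtered by the exact entityID, which is where the lookup failed. The script below is an added example, not code from the thread or from the CAS project: it reproduces those three lookups offline so a configuration can be checked before restarting the server. Its sample inputs are constructed from the posted Keycloak metadata and service JSON, with the certificate omitted and a hypothetical `validUntil` added so the expiry check (the "has not expired" hint in the WARN line) has something to act on. Using `re.search` for the `serviceId` pattern is an assumption standing in for CAS's Java regex matcher.

```python
import json
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: the realm metadata from the thread, certificate omitted,
# plus a hypothetical validUntil so the expiry check below is exercised.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:keycloak">
  <EntityDescriptor entityID="http://localhost:8080/auth/realms/master"
                    validUntil="2019-04-08T00:00:00Z">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

# Constructed sample: the relevant fields of the service definition from the thread.
SAMPLE_SERVICE = json.dumps({
    "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "serviceId": "^http://localhost:8080/auth/realms/master.*",
    "name": "SAML",
    "id": 10000010,
    "metadataLocation": "file:/etc/cas/saml/saml.xml",
})


def _parse_timestamp(value):
    """Parse a SAML/ISO-8601 UTC timestamp such as 2019-04-08T00:00:00Z."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def entity_descriptors(metadata_xml):
    """Map every entityID in the metadata to its role descriptors and validUntil.

    Handles both a bare EntityDescriptor and EntityDescriptors nested inside an
    EntitiesDescriptor, since iter() visits the root element as well as its children.
    """
    root = ET.fromstring(metadata_xml)
    found = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        roles = [child.tag.split("}", 1)[1] for child in ed
                 if child.tag.endswith("SSODescriptor")]
        found[ed.get("entityID")] = {
            "roles": roles,
            "valid_until": _parse_timestamp(ed.get("validUntil")),
        }
    return found


def check_registration(service_json, metadata_xml, issuer, now=None):
    """Reproduce the lookups the CAS trace shows and report each outcome.

    `now` is an ISO-8601 UTC string (defaults to the current time) so the expiry
    check can be pinned to the moment of the request.
    """
    now_dt = _parse_timestamp(now) if now else datetime.now(timezone.utc)
    service = json.loads(service_json)
    descriptors = entity_descriptors(metadata_xml)
    # Step 1: does the registry entry match the issuer? The serviceId is a regex;
    # re.search here is an assumption standing in for the Java matcher.
    matches_issuer = re.search(service["serviceId"], issuer) is not None
    # Step 2: is there an EntityDescriptor whose entityID equals the issuer exactly?
    # A regex match in step 1 does not help here; the entityID must be identical.
    entry = descriptors.get(issuer)
    # Step 3: has that descriptor expired?
    expired = bool(entry is not None and entry["valid_until"] is not None
                   and entry["valid_until"] < now_dt)
    return {
        "service_matches_issuer": matches_issuer,
        "entity_in_metadata": entry is not None,
        "roles": entry["roles"] if entry else [],
        "expired": expired,
        "known_entity_ids": sorted(descriptors),
    }


if __name__ == "__main__":
    issuer = "http://localhost:8080/auth/realms/master"  # the issuer from the trace
    print(json.dumps(check_registration(SAMPLE_SERVICE, SAMPLE_METADATA, issuer,
                                        now="2019-04-07T11:22:21Z"), indent=2))
```

Run with the issuer from the trace, the report shows the regex match, the entity present and not expired. Run with a different issuer that the `.*` suffix still matches (for instance the realm's `/protocol/saml` endpoint), the report shows `service_matches_issuer` true but `entity_in_metadata` false: the registry lookup succeeds and the metadata filter fails, which is the same combination of log lines the thread shows, and why the entityID and the registered identifier have to agree exactly rather than merely match by pattern. `known_entity_ids` lists what the metadata actually contains so the mismatch can be read off directly.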