> But I am not sure if this is needed - but CAS loads it successfully on
boot.

At least in CAS 5, SAML2 will not work if you do not have that service. I
don't know if CAS 6 still requires it, but I would assume that it does
unless you can find something that says it doesn't.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Jun 6, 2019 at 10:41 AM Fabian Schipp <fschip...@gmail.com> wrote:

> There is one more service called SAML2CallbackProfile which was suggested
> in a tutorial:
>
> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html#create-a-service-definition-for-the-idp-endpoint
>
> {
>   /*
>    * The CAS SAML IdP creates this endpoint as part of its initialization
>    * process at server startup time. If the service registry doesn't already
>    * contain an entry whose serviceId matches the endpoint, CAS will create
>    * a new service definition and save it to the registry. If the CAS server
>    * doesn't have write access to the registry, then the save will fail and
>    * the server will not start.
>    *
>    * To avoid that situation, and to make it clear that this endpoint is a
>    * "desired" service, it is defined explicitly here.
>    */
>   "@class" :            "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" :         "https://<CAS-URL>/cas/idp/profile/SAML2/Callback.+",
>   "name" :              "SAML Authentication Request",
>   "id" :                1558621367337136,
>   "evaluationOrder" :   100
> }
>
>
>
> But I am not sure if this is needed - but CAS loads it successfully on
> boot.
>
> Is there any other simplistic service I could try to see if CAS loads
> anything correctly?
>
> On Thursday, June 6, 2019 at 4:21:04 PM UTC+2, Matthew Uribe wrote:
>>
>> OK. So if root is running CAS, and root owns the json file, then that
>> part should be fine. Do you have any other services registered that CAS is
>> reading correctly?
>>
>> On Thursday, June 6, 2019 at 7:54:52 AM UTC-6, Fabian Schipp wrote:
>>>
>>> I am running the .war overlay, therefore I have no tomcat user.
>>> But I checked the file, it's owned by the root user.
>>> I then checked the process running the war file environment in the jdk
>>> folder - it is also the root user.
>>>
>>> Am Donnerstag, 6. Juni 2019 15:37:05 UTC+2 schrieb Matthew Uribe:
>>>>
>>>> Is the devConfluence-1558621301329267.json file readable for whatever
>>>> user/service is running CAS? When I forget to change ownership of my json
>>>> files to the tomcat user, I run into the same issue.
>>>>
>>>>
>>>> On Thursday, June 6, 2019 at 7:06:50 AM UTC-6, Fabian Schipp wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I am currently trying to connect Confluence as SAML SP with a CAS 6
>>>>> instance.
>>>>> CAS Server on its own is running fine. I added a SAML service I
>>>>> created using the docs chapter on SAML services:
>>>>>
>>>>> https://apereo.github.io/cas/6.0.x/installation/Configuring-SAML2-Authentication.html#saml-services
>>>>>
>>>>> My SAML service:
>>>>> {
>>>>>         "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>>         "serviceId" : "https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso",
>>>>>         "name" : "dev Confluence Application",
>>>>>         "id" : 1558621301329267,
>>>>>         "metadataLocation" : "https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso/metadata",
>>>>>         "evaluationOrder" : 10
>>>>> }
>>>>>
>>>>> CAS does load the service, but it looks like it is malformed in
>>>>> some way.
>>>>>
>>>>> I checked some things that might have gone wrong:
>>>>> - the metadata-URL does link to the correct metadata of the SP
>>>>> - the serviceId matches the corresponding URL from the confluence system
>>>>> - the id field matches the name of the service-filename (it is called devConfluence-1558621301329267.json)
>>>>>
>>>>> The output I get is this:
>>>>> 2019-06-06 14:56:58,002 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Located issuer [https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso] from authentication request>
>>>>>
>>>>> 2019-06-06 14:56:58,004 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Checking service access in CAS service registry for [AbstractWebApplicationService(id=https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso, originalUrl=https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={})]>
>>>>>
>>>>> 2019-06-06 14:56:58,024 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <[https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso] is not found in the registry or service access is denied. Ensure service is registered in service registry>
>>>>>
>>>>> So there is another service registry I have to register my service in?
>>>>> Are there any more fields that are mandatory to include in the
>>>>> service? If so I can't find the correct page on the docs that says so.
>>>>>
>>>>> I am really lost on this one. Any help is appreciated.
>>>>>
>>>>> Thank you very much.
>>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPcLMbVNMRMUB6HV0uPZDCvxBBp4b0W1aBVaw2vZwws2Q%40mail.gmail.com.
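The two failure points discussed in this thread are the SAML service lookup that Fabian's log shows failing ("is not found in the registry or service access is denied") and the SAML2 callback service definition that Dave says CAS needs. Both come down to how CAS reads a JSON service file and then tests the requesting identifier (for SAML2, the issuer/entityID from the AuthnRequest) against each definition's `serviceId`. The script below is an added example, not code from the CAS project or from anyone in this thread. It assumes: hostnames `confluence.example.edu` and `cas.example.edu` stand in for the `<CONFLUENCE_DOMAIN>` and `<CAS-URL>` placeholders; CAS's `RegexRegisteredService` treats `serviceId` as a Java regex and matches with `Matcher.find()`, so an unanchored pattern matches anywhere in the identifier (the Python equivalent is `re.search`); CAS's Jackson mapper tolerates `/* */` and `//` comments; and CAS itself writes files as `<name with whitespace removed>-<id>.json`. The sample registry is constructed from the two definitions posted in the thread.

```python
"""Offline sanity check for CAS JSON service-registry files (added example).

Mimics two things CAS does: parse the file (comments allowed) and treat
"serviceId" as a regex that is tested against the requesting identifier.
ASSUMPTION: CAS's RegexRegisteredService uses Matcher.find() semantics.
Hostnames are placeholders standing in for the thread's <CONFLUENCE_DOMAIN>
and <CAS-URL>; the registry below is constructed sample data.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified comment stripping: block comments anywhere, line comments only
# at line start, so the "//" inside URL strings is left alone.
_COMMENT_RE = re.compile(r"/\*.*?\*/|^[ \t]*//[^\n]*", re.DOTALL | re.MULTILINE)

SAMPLE_REGISTRY: Dict[str, str] = {  # file name -> file content (constructed)
    "devConfluence-1558621301329267.json": """
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://confluence.example.edu/plugins/servlet/samlsso",
  "name" : "dev Confluence Application",
  "id" : 1558621301329267,
  "metadataLocation" : "https://confluence.example.edu/plugins/servlet/samlsso/metadata",
  "evaluationOrder" : 10
}
""",
    "SAMLAuthenticationRequest-1558621367337136.json": """
{
  /* IdP callback endpoint; CAS registers it itself at startup if absent. */
  "@class" :          "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" :       "https://cas.example.edu/cas/idp/profile/SAML2/Callback.+",
  "name" :            "SAML Authentication Request",
  "id" :              1558621367337136,
  "evaluationOrder" : 100
}
""",
}

REQUIRED_FIELDS = ("@class", "serviceId", "name", "id", "evaluationOrder")
SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"


@dataclass
class ServiceDef:
    file_name: str
    cls: str
    service_id: str
    name: str
    id: int
    evaluation_order: int
    metadata_location: Optional[str]


def parse_service_file(file_name: str, text: str) -> ServiceDef:
    """Parse one CAS JSON service definition; raise ValueError on problems."""
    data = json.loads(_COMMENT_RE.sub("", text))
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"{file_name}: missing fields {missing}")
    if data["@class"] == SAML_CLASS and not data.get("metadataLocation"):
        raise ValueError(f"{file_name}: SAML service needs metadataLocation")
    try:
        re.compile(data["serviceId"])  # serviceId must be a valid regex
    except re.error as exc:
        raise ValueError(f"{file_name}: serviceId is not a valid regex: {exc}")
    return ServiceDef(file_name, data["@class"], data["serviceId"], data["name"],
                      int(data["id"]), int(data["evaluationOrder"]),
                      data.get("metadataLocation"))


def expected_file_name(svc: ServiceDef) -> str:
    """Name CAS would write itself (ASSUMPTION: whitespace-free name, '-', id)."""
    return re.sub(r"\s+", "", svc.name) + f"-{svc.id}.json"


def load_registry(files: Dict[str, str]) -> List[ServiceDef]:
    """Parse every file and order definitions the way CAS evaluates them."""
    return sorted((parse_service_file(n, t) for n, t in files.items()),
                  key=lambda s: s.evaluation_order)


def find_service(services: List[ServiceDef], requested_id: str) -> Optional[ServiceDef]:
    """First definition (by evaluationOrder) whose serviceId regex finds requested_id."""
    for svc in services:
        if re.search(svc.service_id, requested_id):
            return svc
    return None


if __name__ == "__main__":
    registry = load_registry(SAMPLE_REGISTRY)
    for svc in registry:
        expected = expected_file_name(svc)
        note = "" if svc.file_name == expected else f"  (CAS would name it {expected})"
        print(f"{svc.evaluation_order:>4}  {svc.file_name}{note}")
    issuer = "https://confluence.example.edu/plugins/servlet/samlsso"
    hit = find_service(registry, issuer)
    print("issuer", issuer, "->", hit.name if hit else "NOT FOUND")
```

Run it against a copy of your own `services/` directory contents and feed `find_service` the exact issuer string from the "Located issuer [...]" log line: if it returns `None`, the problem is the `serviceId` pattern or the file failing to parse, not the metadata. Note that with `find()` semantics the unanchored Confluence pattern also matches an issuer with extra trailing path, while an `http://` issuer or a callback URL with nothing after `Callback` does not match; anchor patterns with `^` and `$` when you want exact identifiers.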