I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Almost 
everything has gone smoothly but I am having trouble with setting up CAS to 
be my G Suite third-party IdP.  Previously I had been using the Google Apps 
Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the 
page for that 
(https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
now indicates that it is deprecated and that I should consider using the 
SAML2 identity provider functionality to handle this.  I have tried to 
piece together information in the documentation and in other folks' 
questions in the cas-user forum but I seem to be missing something.  This 
is likely due to my lack of familiarity with SAML.

I would appreciate any help or direction on getting this working.

This is what I have done so far.

Note: I have replaced the references to my G Suite primary domain with 
example.com for this posting.

I created a services file (etc/cas/services/GSuite-10000003.json) with the 
following content:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 10000003,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}


I also created an sp-metadata.xml file using 
https://www.samltool.com/sp_metadata.php with the following contents:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="google.com/a/example.com">
    <md:SPSSODescriptor AuthnRequestsSigned="false"
                        WantAssertionsSigned="false"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://www.google.com/a/example.com/acs"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>


I also included the following dependency in the CAS overlay:

implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"


In the G Suite Admin Console, under "Set up single sign-on (SSO) with a third party 
IdP", I:
1. Checked the box for "Set up SSO with third-party identity provider"
2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for 
"Sign-in page URL"
3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out page 
URL"
4. Checked "Use a domain specific identifier"
5. Uploaded the previous X.509 certificate that I had used with the 
previous method.


At the moment, when I attempt to load a Google service I am redirected back 
to my CAS server but I receive the following error message:

Error: No metadata resolvers could be configured for service SAMLService 
with metadata location /etc/cas/saml/sp-metadata.xml


I am guessing that this is something to do with my sp-metadata.xml file 
missing something but I am at a loss as to what I need to do.

Any help appreciated.  Thanks!

Doug

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org.
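As an added example that is not part of the original post or of the CAS project, here is a small Python checker for the kind of SP metadata shown above. Before handing a hand-assembled metadata file to an IdP it helps to confirm the few things the IdP will actually key on: that the file is well-formed, that it describes an SP (md:SPSSODescriptor) rather than an IdP, that the entityID is what the IdP's service registration will be matched against, and that the AssertionConsumerService uses the expected binding and an https Location. The checker assumes (as a stated assumption, not a fact taken from the post) that CAS treats the registered serviceId as a regular expression matched against the SP entityID, which is why the sample pattern escapes its dots. The input is a constructed copy of the posted metadata; the function and its structure are mine.

```python
"""Sanity-check a SAML 2.0 SP metadata document before registering it with an IdP.

Added example: not code from the CAS project or from the original post.
xml.etree is used so the script runs offline; for metadata obtained from an
untrusted party, parse with defusedxml instead (same fromstring() call).
"""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the SP metadata from the post, with example.com as the domain.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="google.com/a/example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://www.google.com/a/example.com/acs"
                                 index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Assumption: the IdP matches its registered serviceId against the entityID as a regex,
# so the pattern must escape literal dots (an unescaped '.' would also match 'googleXcom').
SAMPLE_SERVICE_ID_PATTERN = r"google\.com/a/example\.com"


def check_sp_metadata(xml_text, service_id_pattern):
    """Return {'errors': [...], 'warnings': [...]}; an empty 'errors' list means usable."""
    errors, warnings = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"errors": [f"not well-formed XML: {exc}"], "warnings": warnings}

    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return {"errors": [f"root element is {root.tag}, expected md:EntityDescriptor"],
                "warnings": warnings}

    entity_id = root.get("entityID")
    if not entity_id:
        errors.append("EntityDescriptor has no entityID")
    elif not re.fullmatch(service_id_pattern, entity_id):
        errors.append(f"entityID {entity_id!r} does not match serviceId pattern "
                      f"{service_id_pattern!r}")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        errors.append("no md:SPSSODescriptor: this is not SP metadata")
        return {"errors": errors, "warnings": warnings}

    protocols = (sp.get("protocolSupportEnumeration") or "").split()
    if SAML2_PROTOCOL not in protocols:
        errors.append("SPSSODescriptor does not list SAML 2.0 in protocolSupportEnumeration")

    endpoints = sp.findall("md:AssertionConsumerService", NS)
    if not endpoints:
        errors.append("no md:AssertionConsumerService endpoint")
    for ep in endpoints:
        loc = ep.get("Location", "")
        if ep.get("Binding") != HTTP_POST:
            errors.append(f"ACS index={ep.get('index')} uses binding {ep.get('Binding')!r}, "
                          f"expected HTTP-POST")
        if not loc.startswith("https://"):
            errors.append(f"ACS Location {loc!r} is not https: assertions would travel in clear")

    # Advisory flags only: the IdP may sign regardless, but the SP is not demanding it.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        warnings.append("WantAssertionsSigned is not true: confirm the IdP signs assertions anyway")
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        warnings.append("AuthnRequestsSigned is false: the IdP cannot verify who sent the AuthnRequest")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_sp_metadata(SAMPLE_SP_METADATA, SAMPLE_SERVICE_ID_PATTERN)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1].upper()}: {msg}")
    print("OK" if not result["errors"] else "FAILED")
```

Run it against the real file with `check_sp_metadata(open("/etc/cas/saml/sp-metadata.xml").read(), pattern)`; a clean "errors" list rules out the metadata document itself as the problem and leaves the resolver configuration (file path, resource prefix, permissions of the CAS process) as the next thing to examine.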