Responding a little to my own question.  I don't have it fully figured out yet 
but I did find a significant issue.  I had left my service file for the old 
Google Apps SAML integration method in my services directory and I think this 
was intercepting things.  I'm not getting the same error as before, but when I 
authenticated I got back a page from Google indicating that no such account 
existed.  I'm going to try again and see what I can find, perhaps see if I can 
turn off the debugging.


From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Doug C
Sent: Tuesday, September 22, 2020 12:12 AM
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite


I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Most 
everything has gone smoothly but I am having trouble with setting up CAS to be 
my G Suite third-party IdP.  Previously I had been using the Google Apps 
Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the page 
for that 
(https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
now indicates that it is deprecated and that I should consider using the SAML2 
identity provider functionality to handle this.  I have tried to piece together 
information in the documentation and in other folks' questions in the cas-user 
forum but I seem to be missing something.  This is likely due to my lack of 
familiarity with SAML.


I would appreciate any help or direction on getting this working.


This is what I have done so far.


Note: I have replaced the references to my G Suite primary domain with 
example.com for this posting.


I created a services file (etc/cas/services/GSuite-10000003.json) with the 
following content:


{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 10000003,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}

I also created an sp-metadata.xml file using 
https://www.samltool.com/sp_metadata.php with the following contents:


<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="google.com/a/example.com">
    <md:SPSSODescriptor AuthnRequestsSigned="false"
                        WantAssertionsSigned="false"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://www.google.com/a/example.com/acs"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

I also included the following dependency in the CAS overlay:


implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"

In G Suite Admin Console "Set up single sign-on (SSO) with a third party IdP" I:

1. Checked the box for "Set up SSO with third-party identity provider"

2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for 
"Sign-in page URL"

3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out page URL"

4. Checked "Use a domain specific identifier"

5. Uploaded the previous X.509 certificate that I had used when using the 
previous method.

At the moment, when I attempt to load a Google service I am redirected back to 
my CAS server but I receive the following error message:


Error: No metadata resolvers could be configured for service SAMLService with 
metadata location /etc/cas/saml/sp-metadata.xml

I am guessing that this is something to do with my sp-metadata.xml file missing 
something but I am at a loss as to what I need to do.


Any help appreciated.  Thanks!


Doug


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org <mailto:cas-user+unsubscr...@apereo.org> .
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org.
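Editor's note: the following is an added example, not code from either message in this thread and not part of the CAS project. It is a small offline checker that reads a CAS SamlRegisteredService JSON definition together with the SP metadata XML it points to and reports the inconsistencies that stop CAS from building a metadata resolver for the service: JSON that does not parse (the service file quoted above is missing the comma after the usernameAttributeProvider block), a missing metadataLocation, and an SP entityID that the serviceId pattern does not match. The sample JSON and XML are constructed to mirror the thread's files, with example.com as the placeholder domain; the function names and finding levels are this example's own.

```python
"""Cross-check a CAS SamlRegisteredService definition against its SP metadata (added example)."""
import json
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

# Constructed sample service definition modelled on the one in the thread (example.com is a placeholder).
SERVICE_JSON_OK = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 10000003,
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}"""

# The same file with the comma after usernameAttributeProvider dropped, as in the original post.
SERVICE_JSON_MISSING_COMMA = SERVICE_JSON_OK.replace('  },\n  "metadataLocation"', '  }\n  "metadataLocation"')

# Constructed SP metadata modelled on the thread's sp-metadata.xml.
SP_METADATA_XML = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="google.com/a/example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://www.google.com/a/example.com/acs" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def audit(service_text, metadata_text):
    """Return a list of (level, message) findings; an empty list means the two files line up."""
    findings = []
    try:
        service = json.loads(service_text)
    except json.JSONDecodeError as exc:
        # Strict parsing fails on the missing comma; nothing else can be checked reliably.
        return [("ERROR", f"service JSON does not parse: {exc.msg} at line {exc.lineno}")]

    if service.get("@class") != SAML_SERVICE_CLASS:
        findings.append(("ERROR", "@class is not SamlRegisteredService; CAS will not treat this service as a SAML SP"))
    if not service.get("metadataLocation"):
        findings.append(("ERROR", "metadataLocation is missing; CAS cannot build a metadata resolver without it"))

    try:
        root = ET.fromstring(metadata_text)
    except ET.ParseError as exc:
        findings.append(("ERROR", f"SP metadata is not well-formed XML: {exc}"))
        return findings
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        findings.append(("ERROR", f"root element is {root.tag}, expected md:EntityDescriptor"))
        return findings

    # CAS matches the SP's entityID against serviceId as a regular expression.
    entity_id = root.get("entityID", "")
    service_id = service.get("serviceId", "")
    if not re.fullmatch(service_id, entity_id):
        findings.append(("ERROR", f"entityID {entity_id!r} does not match serviceId pattern {service_id!r}"))

    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        findings.append(("ERROR", "no md:SPSSODescriptor; this metadata does not describe a service provider"))
        return findings

    acs_list = sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
    if not acs_list:
        findings.append(("ERROR", "no AssertionConsumerService endpoint; CAS has nowhere to POST the response"))
    for acs in acs_list:
        if not acs.get("Location", "").startswith("https://"):
            findings.append(("ERROR", f"ACS Location {acs.get('Location')!r} is not https"))

    # Informational: both flags are false in the thread's metadata, so note what that means.
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append(("WARN", "AuthnRequestsSigned is false: the SP does not declare that it signs its requests"))
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append(("WARN", "WantAssertionsSigned is false: the SP does not declare that it requires signed assertions"))
    return findings


def errors(findings):
    """Keep only the findings that would stop CAS from using the service."""
    return [msg for level, msg in findings if level == "ERROR"]


if __name__ == "__main__":
    for label, text in (("as posted", SERVICE_JSON_MISSING_COMMA), ("with comma", SERVICE_JSON_OK)):
        print(f"--- service file {label} ---")
        for level, msg in audit(text, SP_METADATA_XML):
            print(f"{level}: {msg}")
```

Run it as-is to see the two cases side by side, or replace the embedded strings with the contents of your own service file and metadata file; the entityID/serviceId check is the one to look at first when CAS reports that it cannot resolve metadata for a service it has otherwise loaded.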
