Responding a little to my own question.  I don’t have it fully figured out yet 
but I did find a significant issue.  I had left my service file for the old 
Google Apps SAML integration method in my services directory and I think this 
was intercepting things.  I’m not getting the same error as before but when I 
authenticated I got back a page from Google indicating that no such account 
existed.  I’m going to try again and see what I can find, and perhaps see if I 
can turn on the debugging.

 

From: [email protected] [mailto:[email protected]] On Behalf Of Doug C
Sent: Tuesday, September 22, 2020 12:12 AM
To: CAS Community <[email protected]>
Subject: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

 

I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Most 
everything has gone smoothly but I am having trouble with setting up CAS to be 
my G Suite third-party IdP.  Previously I had been using the Google Apps 
Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the page 
for that 
(https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
now indicates that it is deprecated and that I should consider using the SAML2 
identity provider functionality to handle this.  I have tried to piece together 
information in the documentation and in other folks' questions in the cas-user 
forum but I seem to be missing something.  This is likely due to my lack of 
familiarity with SAML.

 

I would appreciate any help or direction on getting this working.

 

This is what I have done so far.

 

Note: I have replaced the references to my G Suite primary domain with 
example.com for this posting.

 

I created a services file (etc/cas/services/GSuite-10000003.json) with the 
following content:

 

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 10000003,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}


I also created an sp-metadata.xml file using 
https://www.samltool.com/sp_metadata.php with the following contents:

 

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="google.com/a/example.com">
    <md:SPSSODescriptor AuthnRequestsSigned="false"
                        WantAssertionsSigned="false"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://www.google.com/a/example.com/acs"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>


I also included the following dependency in the CAS overlay:

 

implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"


In G Suite Admin Console "Set up single sign-on (SSO) with a third party IdP" I:

1. Checked the box for "Set up SSO with third-party identity provider"

2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" 
for "Sign-in page URL"

3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out page URL"

4. Checked "Use a domain specific identifier"

5. Uploaded the X.509 certificate that I had used with the previous method.


At the moment, when I attempt to load a Google service I am redirected back to 
my CAS server but I receive the following error message:

 

Error: No metadata resolvers could be configured for service SAMLService with 
metadata location /etc/cas/saml/sp-metadata.xml


I am guessing that this is something to do with my sp-metadata.xml file missing 
something but I am at a loss as to what I need to do.

 

Any help appreciated.  Thanks!

 

Doug

 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected] <mailto:[email protected]> .
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org
 
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org?utm_medium=email&utm_source=footer>
 .
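An added consistency check for the service entry and SP metadata quoted above. This is example code written for this thread, not CAS code and not Doug's; it embeds constructed copies of the two files (attribute policy omitted, comma after usernameAttributeProvider added) and reports where the CAS registration and the metadata disagree, including an SP that does not require signed assertions. The function name check_sp_registration is my own.

```python
import json
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed copies of the two files from the post, embedded so this runs offline.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 10000003,
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="google.com/a/example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_registration(service_json: str, metadata_xml: str) -> list:
    """Return findings where the CAS service entry and SP metadata disagree."""
    findings = []
    svc = json.loads(service_json)
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    # CAS selects the service by matching serviceId (a regex) against the SP entityID.
    if not re.fullmatch(svc["serviceId"], entity_id):
        findings.append(f"serviceId {svc['serviceId']!r} does not match entityID {entity_id!r}")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        findings.append("no SPSSODescriptor: the entity is not described as an SP")
        return findings
    acs = [a for a in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
           if a.get("Binding") == HTTP_POST]
    if not acs:
        findings.append("no HTTP-POST AssertionConsumerService endpoint")
    for a in acs:
        if not a.get("Location", "").startswith("https://"):
            findings.append(f"ACS endpoint is not https: {a.get('Location')!r}")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is false: SP does not require signed assertions")
    return findings
```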
