Stewart,

Turn up logging to TRACE. I would think the signature is referring to O365, since CAS knows its own certificate. You should not have to add anything to the local trust store; this would become a maintenance nightmare. Metadata includes self-signed certificates, almost exclusively. Make sure the O365 certificate is what is in your relying party metadata.
Get a tool like SAMLTracer for your browser. You can see what is being sent between parties.

Ray

On Sat, 2020-10-24 at 06:23 -0700, Stewart wrote:
> Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
>
> Hey Folks,
>
> I'm trying to get CAS to act as an IdP for Office365. I've tried both the built-in integration and configuring it manually. Either way I keep getting this:
>
> 2020-10-24 06:14:56,070 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver] - <Loading SAML metadata from [/etc/cas/saml/federationmetadata.xml]>
> 2020-10-24 06:14:56,108 INFO [org.apereo.cas.support.saml.SamlUtils] - <Successfully resolved credentials from [file [/etc/cas/saml/idp-signing.crt]]>
> 2020-10-24 06:14:56,341 WARN [org.apache.xml.security.signature.XMLSignature] - <Signature verification failed.>
> 2020-10-24 06:14:56,341 ERROR [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter] - <Signature trust establishment failed for metadata entry urn:federation:MicrosoftOnline>
> 2020-10-24 06:14:56,342 ERROR [org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver] - <Metadata Resolver InMemoryResourceMetadataResolver org.apereo.cas.support.saml.InMemoryResourceMetadataResolver: Unable to filter metadata: Signature trust establishment failed for metadata entry>
>
> Is this referring to Microsoft's signature or (more likely) my idp-signature.crt? I've already tried adding my own certs to the system trust store (via update-ca-trust on Linux)... nothing changed.
>
> Can anybody offer any clues as to what I might have done wrong or how to fix this?
>
> Thanks

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f00782dea8d24b082b1fc56137d101ce591f9fb5.camel%40uvic.ca.
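An added triage script (not code from this thread, from CAS or from OpenSAML) that makes the advice above concrete. The log line names the metadata entry `urn:federation:MicrosoftOnline`, so the signature being checked is the one on the federation metadata document, not the IdP's own `idp-signing.crt`. The script pulls the certificate that signed the metadata out of `ds:Signature/ds:KeyInfo`, pulls the certificates the entity advertises in its `md:KeyDescriptor` elements, and compares their SHA-256 fingerprints with a PEM certificate an administrator has configured as the trusted metadata signer. It does not verify the XML signature cryptographically; it only tells you which certificate the error is about. The metadata document and every certificate blob in it are constructed placeholders, and the premise that the filter rejects metadata whose signing certificate is not the configured trusted one is an assumption drawn from the log message, not something the thread spells out.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def as_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed stand-ins for DER-encoded X.509 certificates. Real federation
# metadata carries real certificate blobs; the fingerprint comparison below
# only needs the byte strings to be distinct, so placeholders are enough.
METADATA_SIGNING_CERT = as_b64(b"constructed: cert that signed the metadata document")
TOKEN_SIGNING_CERT = as_b64(b"constructed: cert the entity uses to sign SAML tokens")
STALE_CERT = as_b64(b"constructed: an older cert still referenced by the IdP config")
SIG_VALUE = as_b64(b"constructed signature value")

# Constructed, heavily trimmed metadata shaped like the federationmetadata.xml
# the log loads. The ds:Signature element is structurally present but is not
# a real signature over this document.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="urn:federation:MicrosoftOnline">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>{SIG_VALUE}</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {METADATA_SIGNING_CERT}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{TOKEN_SIGNING_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate; tolerates PEM-style line wrapping."""
    der = base64.b64decode(re.sub(r"\s+", "", b64_der))
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM certificate, i.e. the file an IdP would be pointed at on disk."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return fingerprint(body)


def as_pem(b64_der: str) -> str:
    """Wrap a base64 DER blob as PEM text, 64 columns per line."""
    lines = re.findall(".{1,64}", b64_der)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def metadata_certs(metadata_xml: str) -> dict:
    """Separate the cert that signed the document from the certs the entity advertises."""
    root = ET.fromstring(metadata_xml)
    sig = root.find(f"{{{DS_NS}}}Signature")
    signature_fps = []
    if sig is not None:
        signature_fps = [fingerprint(c.text) for c in sig.iter(f"{{{DS_NS}}}X509Certificate")]
    descriptor_fps = [
        fingerprint(c.text)
        for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")
        for c in kd.iter(f"{{{DS_NS}}}X509Certificate")
    ]
    return {"entity_id": root.get("entityID"),
            "signature": signature_fps,
            "key_descriptors": descriptor_fps}


def check_metadata_trust(metadata_xml: str, trusted_pem: str) -> dict:
    """Would a trust check keyed on trusted_pem accept the cert that signed this metadata?"""
    info = metadata_certs(metadata_xml)
    trusted = pem_fingerprint(trusted_pem)
    ok = trusted in info["signature"]
    if ok:
        reason = "trusted certificate is the one that signed the metadata document"
    elif trusted in info["key_descriptors"]:
        reason = ("trusted certificate is advertised in a KeyDescriptor (token/assertion signing) "
                  "but did not sign the metadata document itself")
    else:
        reason = "trusted certificate appears nowhere in the metadata; re-fetch the metadata and compare"
    return {"entity_id": info["entity_id"], "trusted": trusted, "ok": ok, "reason": reason,
            "signature": info["signature"], "key_descriptors": info["key_descriptors"]}


if __name__ == "__main__":
    for label, cert in [("current metadata-signing cert", METADATA_SIGNING_CERT),
                        ("token-signing cert", TOKEN_SIGNING_CERT),
                        ("stale cert", STALE_CERT)]:
        result = check_metadata_trust(SAMPLE_METADATA, as_pem(cert))
        print(f"{result['entity_id']} / {label}: ok={result['ok']} ({result['reason']})")
```

Run against a real `federationmetadata.xml` by reading the file into `check_metadata_trust` together with the PEM you have configured as the trusted signer; a mismatch on the `signature` fingerprint is the case the thread describes, and the `key_descriptors` list is there because the token-signing certificate advertised in the metadata is easy to confuse with the one that signed the document.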
