Stewart,
I would recommend double checking the contents of the assertion that is
captured through the SAML tracer.
You’ll want to verify that you’re providing the correct attributes as well:
NameID: ImmutableID (objectGUID)
IDPEmail: UPN
You’ll also want to confirm that your objectGUID is coming back correctly and
in a binary format.
Hopefully that helps!
Thanks,
Tom
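As an added example of the check Tom describes above (this is not code from the thread, from CAS or from Microsoft), the following Python 3 script, standard library only, pulls the NameID and the IDPEmail attribute out of an assertion as captured with SAML-tracer and compares them with the user's AD objectGUID and UPN. Office 365 federation matches the user on NameID == ImmutableID, which is the base64 of the 16 raw bytes of objectGUID (the same sourceAnchor value Azure AD Connect syncs), and reads the UPN from the IDPEmail attribute. The sample GUID, UPN, issuer URL and the assertion XML are all constructed for the illustration; the function and variable names are mine.

```python
"""Sanity-check a captured SAML assertion against the user's AD objectGUID
and UPN.  Added example; not CAS or Microsoft code.

Office 365 expects NameID == ImmutableID, i.e. the base64 of the 16 raw bytes
of objectGUID, and the UPN in the IDPEmail attribute.  Two common mistakes are
sending the GUID as its hex string, or base64-encoding that string instead of
the bytes.
"""
import base64
import binascii
import uuid
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDPEMAIL_ATTR = "IDPEmail"  # attribute name O365 expects for the UPN

# Constructed sample identity (made up, not from the thread).
SAMPLE_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
SAMPLE_UPN = "stewart@example.edu"


def immutable_id_from_guid(guid_text: str) -> str:
    """ImmutableID as O365 expects it: base64 of objectGUID's raw bytes in the
    layout AD stores them, the same value PowerShell gives with
    [Convert]::ToBase64String($user.ObjectGUID.ToByteArray()).
    Python's uuid.bytes_le reproduces that mixed-endian byte order."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def classify_nameid(value: str) -> str:
    """Tell a binary ImmutableID apart from the two common mistakes."""
    try:
        uuid.UUID(value)
        return "guid-string"  # hex GUID sent as text
    except ValueError:
        pass
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if len(raw) == 16:
        return "binary-guid"  # what O365 wants
    try:
        uuid.UUID(raw.decode("ascii"))
        return "base64-of-guid-string"  # base64 of the text form, not the bytes
    except (UnicodeDecodeError, ValueError):
        return "unknown"


def build_assertion(nameid: str, idpemail: str) -> str:
    """Minimal constructed assertion shaped like what SAML-tracer shows
    (signature and conditions omitted; not a real CAS response)."""
    return f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" Version="2.0"
    ID="_constructed" IssueInstant="2020-10-27T19:03:00Z">
  <saml2:Issuer>https://cas.example.edu/cas/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{nameid}</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{IDPEMAIL_ATTR}">
      <saml2:AttributeValue>{idpemail}</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_assertion(assertion_xml: str, object_guid: str, upn: str) -> dict:
    """Compare the assertion's NameID and IDPEmail with what the user's AD
    object says they should be."""
    root = ET.fromstring(assertion_xml)
    nameid_el = root.find("./saml2:Subject/saml2:NameID", NS)
    nameid = (nameid_el.text or "").strip() if nameid_el is not None else ""
    idpemail = ""
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == IDPEMAIL_ATTR:
            val = attr.find("saml2:AttributeValue", NS)
            idpemail = (val.text or "").strip() if val is not None else ""
    return {
        "nameid": nameid,
        "nameid_kind": classify_nameid(nameid),
        "nameid_ok": nameid == immutable_id_from_guid(object_guid),
        "idpemail_ok": idpemail.lower() == upn.lower(),
    }


# Constructed assertions: one correct, one with the hex GUID as NameID.
GOOD_ASSERTION = build_assertion(immutable_id_from_guid(SAMPLE_GUID), SAMPLE_UPN)
BAD_ASSERTION = build_assertion(SAMPLE_GUID, SAMPLE_UPN)
WRONG_B64_OF_TEXT = base64.b64encode(SAMPLE_GUID.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(xml_text, SAMPLE_GUID, SAMPLE_UPN))
```

To use it against a real login, paste the decoded assertion from SAML-tracer in place of the constructed one and take the objectGUID and UPN from `Get-ADUser <sam> -Properties ObjectGUID,UserPrincipalName`; a `nameid_kind` of `guid-string` or `base64-of-guid-string` is exactly the "objectGUID not coming back in binary form" case.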
From: [email protected] <[email protected]> On Behalf Of Stewart
Sent: Tuesday, October 27, 2020 7:03 PM
To: CAS Community <[email protected]>
Cc: Ray Bon <[email protected]>
Subject: [EXT] Re: [cas-user] trouble getting saml idp to work with O365
Thank you so much, Ray. Turning up log to trace was helpful. Turns out I had
MetadataSignatureLocation pointing to a copy of my signing cert instead of
theirs (at least CAS stopped complaining when I pointed it to theirs). Getting
a SAMLTracer for my browser was helpful too...both parties now appear to be
talking civilly (i.e. returning 200).
Unfortunately, I'm still not 100% of the way there...I end up on either a blank
white page on the Microsoft side after sign-in or a page that says "Sorry that
didn't work out, try again." Any further hints?
Best Regards,
Stewart
On Monday, October 26, 2020 at 11:10:59 AM UTC-5 Ray Bon wrote:
Stewart,
Turn up logging to TRACE.
I would think the signature is referring to O365, since CAS knows its own
certificate.
You should not have to add anything to the local trust store, this would become
a maintenance nightmare. Metadata includes self signed certificates, almost
exclusively.
Make sure the O365 certificate is what is in your relying party metadata.
Get a tool like SAMLTracer for your browser. You can see what is being sent
between parties.
Ray
On Sat, 2020-10-24 at 06:23 -0700, Stewart wrote:
Hey Folks,
I'm trying to get CAS to act as an idp for Office365. I've tried both the
built-in integration and configuring it manually. Either way I keep getting
this:
2020-10-24 06:14:56,070 INFO
[org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver]
- <Loading SAML metadata from [/etc/cas/saml/federationmetadata.xml]>
2020-10-24 06:14:56,108 INFO [org.apereo.cas.support.saml.SamlUtils] -
<Successfully resolved credentials from [file [/etc/cas/saml/idp-signing.crt]]>
2020-10-24 06:14:56,341 WARN [org.apache.xml.security.signature.XMLSignature] -
<Signature verification failed.>
2020-10-24 06:14:56,341 ERROR
[org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter] -
<Signature trust establishment failed for metadata entry
urn:federation:MicrosoftOnline>
2020-10-24 06:14:56,342 ERROR
[org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver] - <Metadata
Resolver InMemoryResourceMetadataResolver
org.apereo.cas.support.saml.InMemoryResourceMetadataResolver: Unable to filter
metadata: Signature trust establishment failed for metadata entry>
Is this referring to Microsoft's signature or (more likely) my
idp-signature.crt? I've already tried adding my own certs to the system trust
store (via update-ca-trust on Linux)...nothing changed. Can anybody offer any
clues as to what I might have done wrong or how to fix this?
Thanks
--
Ray Bon
Programmer Analyst
Development Services, University Systems
250-721-8831 | CLE 019 | [email protected]
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a0b70121-b2b5-4f92-8ca8-e0537c27650en%40apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CH2PR02MB6646AF4E98AC6843AC40EE13CB170%40CH2PR02MB6646.namprd02.prod.outlook.com.