Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT
and 6.4.0-SNAPSHOT.
It looks like SamlIdPMetadataResolver is provided with the CAS URL instead of
the entityId while resolving signing credentials.
cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create
SAMLObject for type: [interface org.opensaml.saml.saml2.core.Status] and
QName: [{urn:oasis:names:tc:SAML:2.0:protocol}Status]
cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create
SAMLObject for type: [interface org.opensaml.saml.saml2.core.StatusCode]
and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode]
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils]
********************************************************************************
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] Logging
[org.opensaml.saml.saml2.core.impl.ResponseImpl]
cas_1 |
cas_1 | [<?xml version="1.0" encoding="UTF-8"?><saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp"
ID="_111942357346883584"
InResponseTo="_f23e8fe1993a1a61287f3d30288ee5700f936c0631"
IssueInstant="2021-04-05T07:55:18.827Z" Version="2.0">
cas_1 | <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
cas_1 | <saml2p:Status>
cas_1 | <saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
cas_1 | </saml2p:Status>
cas_1 | <saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_5878410931315849216" IssueInstant="2021-04-05T07:55:18.753Z"
Version="2.0">
cas_1 | <saml2:Issuer>https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
cas_1 | <saml2:Subject>
// DELETED
cas_1 | </saml2:Assertion>
cas_1 | </saml2p:Response>
cas_1 | ]
cas_1 |
cas_1 |
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils]
********************************************************************************
cas_1 | DEBUG
[org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder]
SAML entity id
[https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp]
indicates that SAML responses should be signed
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Attempting to encode [org.opensaml.saml.saml2.core.impl.ResponseImpl] for
[https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Outbound saml object to use is
[org.opensaml.saml.saml2.core.impl.ResponseImpl]
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Fetched assertion
consumer service url
[https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp]
with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from
authentication request
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Configured peer
entity endpoint to be
[https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp]
with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Default signature signing blocked algorithms:
[[http://www.w3.org/2001/04/xmldsig-more#hmac-md5,
http://www.w3.org/2001/04/xmldsig-more#md5,
http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Default signature signing signature algorithms:
[[http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384,
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512,
http://www.w3.org/2000/09/xmldsig#rsa-sha1,
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256,
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384,
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512,
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,
http://www.w3.org/2000/09/xmldsig#dsa-sha1,
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256,
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384,
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512,
http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Default signature signing signature canonicalization algorithm:
[http://www.w3.org/2001/10/xml-exc-c14n#]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Default signature signing allowed algorithms: [[]]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Default signature signing reference digest methods:
[[http://www.w3.org/2001/04/xmlenc#sha256,
http://www.w3.org/2001/04/xmldsig-more#sha384,
http://www.w3.org/2001/04/xmlenc#sha512,
http://www.w3.org/2000/09/xmldsig#sha1]]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Finalized signature signing blocked algorithms:
[[http://www.w3.org/2001/04/xmldsig-more#hmac-md5,
http://www.w3.org/2001/04/xmldsig-more#md5,
http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Finalized signature signing signature algorithms:
[[http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384,
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512,
http://www.w3.org/2000/09/xmldsig#rsa-sha1,
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256,
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384,
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512,
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,
http://www.w3.org/2000/09/xmldsig#dsa-sha1,
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256,
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384,
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512,
http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Finalized signature signing signature canonicalization algorithm:
[http://www.w3.org/2001/10/xml-exc-c14n#]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Finalized signature signing allowed algorithms: [[]]
cas_1 | TRACE
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Finalized signature signing reference digest methods:
[[http://www.w3.org/2001/04/xmlenc#sha256,
http://www.w3.org/2001/04/xmldsig-more#sha384,
http://www.w3.org/2001/04/xmlenc#sha512,
http://www.w3.org/2000/09/xmldsig#sha1]]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
Metadata directory location for [aai_pionier_net_pl_test] is
[/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | DEBUG
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Locating signature signing key for
[SamlRegisteredService(super=AbstractRegisteredService(serviceId=https://aai\.pionier\.net\.pl/test/.*,
name=aai_pionier_net_pl_test, theme=null, informationUrl=null,
privacyUrl=null, responseType=null, id=1001, description=null,
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
messageCode=null, text=null),
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
ticketGrantingTicketExpirationPolicy=null,
serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
evaluationOrder=999,
usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
logoutType=BACK_CHANNEL, environments=[],
attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
excludedAttributes=null, includeOnlyAttributes=null, order=0),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null, order=0),
allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
displayName, givenName, sn, eduPersonScopedAffiliation]),
entityAttribute=null, entityAttributeFormat=null,
entityAttributeValues=[]),
EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
excludedAttributes=null, includeOnlyAttributes=null, order=0),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
attribute=uidNumber)], mergingPolicy=replace, order=0),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
failureMode=UNDEFINED, principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null, bypassEnabled=false,
forceExecution=false, bypassTrustedDeviceEnabled=false,
bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
script=null),
matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=https://aai\.pionier\.net\.pl/test/.*),
logo=null, logoutUrl=null, redirectUrl=null,
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
permitUndefined=true, exclusive=false), requireAllAttributes=true,
requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
publicKey=null,
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
excludedAuthenticationHandlers=[],
criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
properties={}, contacts=[]),
metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
metadataProxyLocation=null, metadataMaxValidity=0,
requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
metadataCriteriaPattern=null,
requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
metadataSignatureLocation=null, logoutResponseBinding=null,
requireSignedRoot=true, serviceProviderNameIdQualifier=null,
nameIdQualifier=null, metadataExpirationDuration=PT60M,
signingCredentialFingerprint=null, issuerEntityId=null,
signingKeyAlgorithm=null, signAssertions=false,
signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
skipGeneratingSubjectConfirmationInResponseTo=false,
skipGeneratingSubjectConfirmationNotOnOrAfter=false,
skipGeneratingSubjectConfirmationRecipient=false,
skipGeneratingSubjectConfirmationNotBefore=true,
skipGeneratingSubjectConfirmationNameId=true,
skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
signResponses=true, encryptAssertions=false, encryptAttributes=false,
encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
metadataCriteriaRemoveRolelessEntityDescriptors=true,
signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
whiteListBlackListPrecedence=null, attributeNameFormats={},
attributeFriendlyNames={}, attributeValueTypes={},
encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
signingSignatureWhiteListedAlgorithms=[],
signingSignatureCanonicalizationAlgorithm=null,
encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])]
using algorithm [RSA]
cas_1 | DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver]
Resolving credentials from metadata using entityID:
https://login.umcs.pl/cas/idp/metadata, role:
{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: null,
usage: SIGNING
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
Metadata directory location for [aai_pionier_net_pl_test] is
[/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
Metadata directory location for [aai_pionier_net_pl_test] is
[/etc/cas/saml/aai_pionier_net_pl_test-1001]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
Located metadata root element [EntityDescriptor]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
Initializing metadata resolver [SamlIdPMetadataResolver]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING],
EntityRoleCriterion
[role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor],
SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=https://aai\.pionier\.net\.pl/test/.*,
name=aai_pionier_net_pl_test, theme=null, informationUrl=null,
privacyUrl=null, responseType=null, id=1001, description=null,
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
messageCode=null, text=null),
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
ticketGrantingTicketExpirationPolicy=null,
serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
evaluationOrder=999,
usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
logoutType=BACK_CHANNEL, environments=[],
attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
excludedAttributes=null, includeOnlyAttributes=null, order=0),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null, order=0),
allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
displayName, givenName, sn, eduPersonScopedAffiliation]),
entityAttribute=null, entityAttributeFormat=null,
entityAttributeValues=[]),
EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
excludedAttributes=null, includeOnlyAttributes=null, order=0),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
attribute=uidNumber)], mergingPolicy=replace, order=0),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
failureMode=UNDEFINED, principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null, bypassEnabled=false,
forceExecution=false, bypassTrustedDeviceEnabled=false,
bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
script=null),
matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=https://aai\.pionier\.net\.pl/test/.*),
logo=null, logoutUrl=null, redirectUrl=null,
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
permitUndefined=true, exclusive=false), requireAllAttributes=true,
requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
publicKey=null,
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
excludedAuthenticationHandlers=[],
criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
properties={}, contacts=[]),
metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
metadataProxyLocation=null, metadataMaxValidity=0,
requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
metadataCriteriaPattern=null,
requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
metadataSignatureLocation=null, logoutResponseBinding=null,
requireSignedRoot=true, serviceProviderNameIdQualifier=null,
nameIdQualifier=null, metadataExpirationDuration=PT60M,
signingCredentialFingerprint=null, issuerEntityId=null,
signingKeyAlgorithm=null, signAssertions=false,
signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
skipGeneratingSubjectConfirmationInResponseTo=false,
skipGeneratingSubjectConfirmationNotOnOrAfter=false,
skipGeneratingSubjectConfirmationRecipient=false,
skipGeneratingSubjectConfirmationNotBefore=true,
skipGeneratingSubjectConfirmationNameId=true,
skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
signResponses=true, encryptAssertions=false, encryptAttributes=false,
encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
metadataCriteriaRemoveRolelessEntityDescriptors=true,
signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
whiteListBlackListPrecedence=null, attributeNameFormats={},
attributeFriendlyNames={}, attributeValueTypes={},
encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
signingSignatureWhiteListedAlgorithms=[],
signingSignatureCanonicalizationAlgorithm=null,
encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])),
SignatureSigningConfigurationCriterion
[configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
cas_1 | DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
Metadata Resolver SamlIdPMetadataResolver
https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not
contain any EntityDescriptors with the ID:
https://login.umcs.pl/cas/idp/metadata
cas_1 | DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver]
Metadata Resolver SamlIdPMetadataResolver
https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via
EntityIdCriterion: EntityIdCriterion
[id=https://login.umcs.pl/cas/idp/metadata]
cas_1 | DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
Metadata Resolver SamlIdPMetadataResolver
https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty,
nothing to filter via predicates
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
Located metadata root element [EntityDescriptor]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
Initializing metadata resolver [SamlIdPMetadataResolver]
cas_1 | TRACE
[org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING],
EntityRoleCriterion
[role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor],
SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=https://aai\.pionier\.net\.pl/test/.*,
name=aai_pionier_net_pl_test, theme=null, informationUrl=null,
privacyUrl=null, responseType=null, id=1001, description=null,
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
messageCode=null, text=null),
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
ticketGrantingTicketExpirationPolicy=null,
serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
evaluationOrder=999,
usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
logoutType=BACK_CHANNEL, environments=[],
attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
excludedAttributes=null, includeOnlyAttributes=null, order=0),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null, order=0),
allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
displayName, givenName, sn, eduPersonScopedAffiliation]),
entityAttribute=null, entityAttributeFormat=null,
entityAttributeValues=[]),
EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
excludedAttributes=null, includeOnlyAttributes=null, order=0),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
attribute=uidNumber)], mergingPolicy=replace, order=0),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
failureMode=UNDEFINED, principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null, bypassEnabled=false,
forceExecution=false, bypassTrustedDeviceEnabled=false,
bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
script=null),
matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=https://aai\.pionier\.net\.pl/test/.*),
logo=null, logoutUrl=null, redirectUrl=null,
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
permitUndefined=true, exclusive=false), requireAllAttributes=true,
requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
publicKey=null,
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
excludedAuthenticationHandlers=[],
criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
properties={}, contacts=[]),
metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
metadataProxyLocation=null, metadataMaxValidity=0,
requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
metadataCriteriaPattern=null,
requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
metadataSignatureLocation=null, logoutResponseBinding=null,
requireSignedRoot=true, serviceProviderNameIdQualifier=null,
nameIdQualifier=null, metadataExpirationDuration=PT60M,
signingCredentialFingerprint=null, issuerEntityId=null,
signingKeyAlgorithm=null, signAssertions=false,
signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
skipGeneratingSubjectConfirmationInResponseTo=false,
skipGeneratingSubjectConfirmationNotOnOrAfter=false,
skipGeneratingSubjectConfirmationRecipient=false,
skipGeneratingSubjectConfirmationNotBefore=true,
skipGeneratingSubjectConfirmationNameId=true,
skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
signResponses=true, encryptAssertions=false, encryptAttributes=false,
encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
metadataCriteriaRemoveRolelessEntityDescriptors=true,
signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
whiteListBlackListPrecedence=null, attributeNameFormats={},
attributeFriendlyNames={}, attributeValueTypes={},
encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
signingSignatureWhiteListedAlgorithms=[],
signingSignatureCanonicalizationAlgorithm=null,
encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])),
SignatureSigningConfigurationCriterion
[configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
cas_1 | DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
Metadata Resolver SamlIdPMetadataResolver
https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not
contain any EntityDescriptors with the ID:
https://login.umcs.pl/cas/idp/metadata
cas_1 | DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver]
Metadata Resolver SamlIdPMetadataResolver
https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via
EntityIdCriterion: EntityIdCriterion
[id=https://login.umcs.pl/cas/idp/metadata]
cas_1 | DEBUG
[org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
Metadata Resolver SamlIdPMetadataResolver
https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty,
nothing to filter via predicates
cas_1 | DEBUG
[org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver]
Resolved no EntityDescriptors via underlying MetadataResolver, returning
empty collection
cas_1 | ERROR
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
Unable to locate any signing credentials for service
[aai_pionier_net_pl_test]
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/293dae3d-befb-4712-acc9-274133af2ef0n%40apereo.org.
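As an added diagnostic, not part of the original post or of CAS itself: the trace above shows OpenSAML's MetadataCredentialResolver narrowing the IdP metadata with three criteria, EntityIdCriterion (set to the Response's Issuer), EntityRoleCriterion (IDPSSODescriptor) and UsageCriterion (SIGNING), and resolving zero candidates. The Python below replays those three filters offline against a metadata document so the Issuer value can be compared with the entityID actually declared in idp-metadata.xml. The sample metadata, hostnames and certificate bytes are constructed for illustration; the example also covers KeyDescriptors with no `use` attribute, which OpenSAML treats as UNSPECIFIED and allows to satisfy a SIGNING request.

```python
"""Replay the failing signing-credential lookup offline (added example).

Applies the same filters the trace shows OpenSAML using: EntityIdCriterion,
EntityRoleCriterion and UsageCriterion. Sample documents are constructed;
every entityID, hostname and certificate value here is made up.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_DESCRIPTOR = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"

# Constructed IdP metadata: hypothetical entityID, dummy base64 instead of real DER.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        U0lHTklOR0NFUlQ=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>RU5DQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>QU5ZVVNFQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed Response skeleton whose Issuer is a URL under the IdP host rather than
# the entityID declared in the metadata, the shape of mismatch the trace shows.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0"
    IssueInstant="2021-04-05T07:55:18.827Z">
  <saml2:Issuer>https://idp.example.org/cas/idp/metadata</saml2:Issuer>
</saml2p:Response>
"""


def declared_entity_ids(metadata_xml):
    """All entityIDs in the document. Works for a bare EntityDescriptor root as
    well as an EntitiesDescriptor aggregate (Element.iter includes the root)."""
    root = ET.fromstring(metadata_xml)
    return [ed.get("entityID") for ed in root.iter(ENTITY_DESCRIPTOR)]


def resolve_signing_certs(metadata_xml, entity_id, role="IDPSSODescriptor", usage="signing"):
    """Apply EntityIdCriterion, EntityRoleCriterion and UsageCriterion in turn and
    return the surviving base64 X509Certificate values in document order.
    A KeyDescriptor without a 'use' attribute is UNSPECIFIED and matches any usage."""
    root = ET.fromstring(metadata_xml)
    matches = [ed for ed in root.iter(ENTITY_DESCRIPTOR) if ed.get("entityID") == entity_id]
    if not matches:
        return []  # the "does not contain any EntityDescriptors with the ID" case
    certs = []
    for ed in matches:
        for kd in ed.iterfind(f"md:{role}/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, usage):
                continue
            for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    return certs


def response_issuer(response_xml):
    """The <saml2:Issuer> value, i.e. what the trace shows being passed as EntityIdCriterion."""
    issuer = ET.fromstring(response_xml).find("saml2:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def diagnose(metadata_xml, response_xml):
    """Return (issuer, declared_entity_ids, certs). Empty certs with a non-empty
    declared list means the Issuer matches no entityID in the metadata, which is
    what ends in 'Unable to locate any signing credentials'."""
    issuer = response_issuer(response_xml)
    return issuer, declared_entity_ids(metadata_xml), resolve_signing_certs(metadata_xml, issuer)


if __name__ == "__main__":
    issuer, declared, certs = diagnose(SAMPLE_IDP_METADATA, SAMPLE_RESPONSE)
    print(f"Issuer in Response : {issuer}")
    print(f"entityIDs in file  : {declared}")
    print(f"signing certs found: {len(certs)}")
    if not certs and issuer not in declared:
        print("MISMATCH: Issuer is not an entityID declared in the IdP metadata")
```

To use it on a real deployment, replace the two sample strings with the contents of /etc/cas/saml/idp-metadata.xml and the Response logged by SamlUtils. A non-empty entityID list together with zero signing certificates distinguishes an entityID mismatch from a metadata file that genuinely lacks a signing KeyDescriptor.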