You are probably going to need to take a look in the CAS logs. It seems that it
should match, but the logs should tell you exactly what it is searching for. It
will also tell you if there was an error loading the service file when it first
tried to update it.
On Mon, 2021-04-19 at 17:26 +0000, Keith Alston (Staff) wrote:
I take that back. Zoom works and it does a post request.
saml-tracer show this. Zoom works, minitab doesnt.
minitab
request---------------------------------------------------------------------------
<samlp:AuthnRequest ID="id8f7ae58c-c17e-4090-a89d-f18b8bb5e9f0"
Version="2.0"
IssueInstant="2021-04-19T17:07:59.6881619Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO";
>
<Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://licensing.minitab.com</Issuer>
zoom
request------------------------------------------------------------------------------
<saml2p:AuthnRequest
AssertionConsumerServiceURL="https://regent.zoom.us/saml/SSO";
Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO";
ForceAuthn="false"
ID="a3e6a45e921c2290-5af0f9c82h9cheh"
IsPassive="false"
IssueInstant="2021-04-19T17:15:37.720Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">regent.zoom.us</saml2:Issuer>
here are the service files for each:
zoom service file:
{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "regent.zoom.us",
"name" : "regent.zoom.us",
"id" : 10000008,
"metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml",
"evaluationOrder" : 6,
"requiredNameIdFormat":
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"usernameAttributeProvider" : {
"@class" :
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "mail",
}
}
minitab service file:
{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "https://licensing.minitab.com";,
"name" : "minitab",
"id" : 1617641399,
"metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml",
"evaluationOrder" : 2,
"requiredNameIdFormat":
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"usernameAttributeProvider" : {
"@class" :
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "emailAddress",
},
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"ExtensionAttribute1" : "Email",
"givenname" : "FirstName",
"sn" : "LastName"
}
}
}
Keith Alston
Regent University
IT Department
[email protected]
757.619.3421
________________________________
From: [email protected] <[email protected]> on behalf of Keith Alston
(Staff) <[email protected]>
Sent: Monday, April 19, 2021 1:00 PM
To: [email protected] <[email protected]>
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Looks like my post URL is:
https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO
I guess the get url has redirect in it??
Keith Alston
Regent University
IT Department
[email protected]
757.619.3421
________________________________
From: 'Richard Frovarp' via CAS Community <[email protected]>
Sent: Monday, April 19, 2021 12:49 PM
To: [email protected] <[email protected]>
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Since I saw someone create the URL by hand the other day, I'm going to ask the
simple question: is the request hitting the HTTP-POST binding location? POST
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).
I've never had to do anything different to handle the two different types of
SPs on that version.
On Mon, 2021-04-19 at 16:41 +0000, Keith Alston (Staff) wrote:
It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET
requests just fine.
But when I have an SP that does a SAML2 POST request my idp is not reading the
parameters
and I get the "Application Not Authorized to Use CAS" message instead of the
auth page. Difference being
parameters in the URI vs parameters in the POST body. Anyone have
any idea where I might look to resolve this issue? Are there certain parameters
in the service definition
that I should be including? Something I'm missing in cas.properties? The audit
log does not show POST
requests as SAML2_POST though SAML trace does show it as a SAML request. Any
clue here would be
helpful. TIA!
Keith Alston
Regent University
IT Department
[email protected]
757.619.3421
--
- Website:
https://apereo.github.io/cas<https://urldefense.com/v3/__https://apereo.github.io/cas__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6x_g6xxY$>
- Gitter Chatroom:
https://gitter.im/apereo/cas<https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX62p1iyB-$>
- List Guidelines:
https://goo.gl/1VRrw7<https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6wJ1CAT9$>
- Contributions:
https://goo.gl/mh7qDG<https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX67l2dT7R$>
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected]<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6bad321c10587be379a7cec181afa435c58c8b3e.camel%40ndsu.edu<https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/6bad321c10587be379a7cec181afa435c58c8b3e.camel*40ndsu.edu?utm_medium=email&utm_source=footer__;JQ!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6zax_K28$>.
--
- Website:
https://apereo.github.io/cas<https://urldefense.com/v3/__https://apereo.github.io/cas__;!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH3da3eNF$>
- Gitter Chatroom:
https://gitter.im/apereo/cas<https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH_monqDy$>
- List Guidelines:
https://goo.gl/1VRrw7<https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH4qpl3hU$>
- Contributions:
https://goo.gl/mh7qDG<https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH7tngMik$>
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected]<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB29951DBBD5A7BD78EFACD709D9499%40BL0PR10MB2995.namprd10.prod.outlook.com<https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB29951DBBD5A7BD78EFACD709D9499*40BL0PR10MB2995.namprd10.prod.outlook.com?utm_medium=email&utm_source=footer__;JQ!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH8g6ZW0j$>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/29b1f3b3117fdd231aa7ab3be4e81e686dcea904.camel%40ndsu.edu.
