Hmmm, metadata expired. So I changed the expire date in the metadata. Now I'm getting this:
RootCasException(code=UNSATISFIED_SAML_REQUEST) at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:226) Progress!!! But still not quite there. Maybe I need to request a new metadata file. from the log: 2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://licensing.minitab.com]. Metadata is valid until [forever]>2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <The authentication context is signed; Proceeding to validate signatures...> 2021-04-19 15:23:52,558 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - <Validating signature for [org.opensaml.saml.saml2.core.impl.AuthnRequestImpl]>2021-04-19 15:23:52,561 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - <Validating profile signature for [org.opensaml.saml.saml2.core.impl.IssuerImpl@131b7db5] via [SAMLSignatureProfileValidator]...>2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - <Saw Enveloped signature transform> 2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - <Saw Exclusive C14N signature transform>2021-04-19 15:23:52,570 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - <Successfully validated profile signature for [org.opensaml.saml.saml2.core.impl.IssuerImpl@131b7db5].> ... 2021-04-19 15:23:52,614 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception due to a type mismatch>org.apereo.cas.support.saml.SamlException: Signing credentials for validation could not be resolved based on the provided signature Keith Alston Regent University IT Department [email protected] 757.619.3421 ________________________________ From: 'Richard Frovarp' via CAS Community <[email protected]> Sent: Monday, April 19, 2021 2:19 PM To: [email protected] <[email protected]> Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? You are probably going to need to take a look in the CAS logs. It seems that it should match, but the logs should tell you exactly what it is searching for. It will also tell you if there was an error loading the service file when it first tried to update it. On Mon, 2021-04-19 at 17:26 +0000, Keith Alston (Staff) wrote: I take that back. Zoom works and it does a post request. saml-tracer show this. Zoom works, minitab doesnt. minitab request--------------------------------------------------------------------------- <samlp:AuthnRequest ID="id8f7ae58c-c17e-4090-a89d-f18b8bb5e9f0" Version="2.0" IssueInstant="2021-04-19T17:07:59.6881619Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 > <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://licensing.minitab.com</Issuer> zoom request------------------------------------------------------------------------------ <saml2p:AuthnRequest AssertionConsumerServiceURL="https://regent.zoom.us/saml/SSO%22 Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 ForceAuthn="false" ID="a3e6a45e921c2290-5af0f9c82h9cheh" IsPassive="false" IssueInstant="2021-04-19T17:15:37.720Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">regent.zoom.us</saml2:Issuer> here are the service files for each: zoom service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "regent.zoom.us", "name" : "regent.zoom.us", "id" : 10000008, "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml", "evaluationOrder" : 6, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } } minitab service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://licensing.minitab.com";<https://urldefense.com/v3/__https://licensing.minitab.com*22__;JQ!!CHfpmW4!zRNLPAHvZkQXR2ciFxd_ZoKi-7memeygoXKL8UkBrAESOjjkOsK-bZcs1wPrshKo$>, "name" : "minitab", "id" : 1617641399, "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml", "evaluationOrder" : 2, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "emailAddress", }, "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy", "allowedAttributes" : { "@class" : "java.util.TreeMap", "ExtensionAttribute1" : "Email", "givenname" : "FirstName", "sn" : "LastName" } } } Keith Alston Regent University IT Department [email protected] 757.619.3421 ________________________________ From: [email protected] <[email protected]> on behalf of Keith Alston (Staff) <[email protected]> Sent: Monday, April 19, 2021 1:00 PM To: [email protected] <[email protected]> Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Looks like my post URL is: https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO I guess the get url has redirect in it?? Keith Alston Regent University IT Department [email protected] 757.619.3421 ________________________________ From: 'Richard Frovarp' via CAS Community <[email protected]> Sent: Monday, April 19, 2021 12:49 PM To: [email protected] <[email protected]> Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Since I saw someone create the URL by hand the other day, I'm going to ask the simple question: is the request hitting the HTTP-POST binding location? POST and Redirect are two different URLs in CAS (and I'm guessing most IdPs). I've never had to do anything different to handle the two different types of SPs on that version. On Mon, 2021-04-19 at 16:41 +0000, Keith Alston (Staff) wrote: It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET requests just fine. But when I have an SP that does a SAML2 POST request my idp is not reading the parameters and I get the "Application Not Authorized to Use CAS" message instead of the auth page. Difference being parameters in the URI vs parameters in the POST body. Anyone have any idea where I might look to resolve this issue? Are there certain parameters in the service definition that I should be including? Something I'm missing in cas.properties? The audit log does not show POST requests as SAML2_POST though SAML trace does show it as a SAML request. Any clue here would be helpful. TIA! Keith Alston Regent University IT Department [email protected] 757.619.3421 -- - Website: https://apereo.github.io/cas<https://urldefense.com/v3/__https://apereo.github.io/cas__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6x_g6xxY$> - Gitter Chatroom: https://gitter.im/apereo/cas<https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX62p1iyB-$> - List Guidelines: https://goo.gl/1VRrw7<https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6wJ1CAT9$> - Contributions: https://goo.gl/mh7qDG<https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX67l2dT7R$> --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6bad321c10587be379a7cec181afa435c58c8b3e.camel%40ndsu.edu<https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/6bad321c10587be379a7cec181afa435c58c8b3e.camel*40ndsu.edu?utm_medium=email&utm_source=footer__;JQ!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6zax_K28$>. -- - Website: https://apereo.github.io/cas<https://urldefense.com/v3/__https://apereo.github.io/cas__;!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH3da3eNF$> - Gitter Chatroom: https://gitter.im/apereo/cas<https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH_monqDy$> - List Guidelines: https://goo.gl/1VRrw7<https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH4qpl3hU$> - Contributions: https://goo.gl/mh7qDG<https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH7tngMik$> --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB29951DBBD5A7BD78EFACD709D9499%40BL0PR10MB2995.namprd10.prod.outlook.com<https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB29951DBBD5A7BD78EFACD709D9499*40BL0PR10MB2995.namprd10.prod.outlook.com?utm_medium=email&utm_source=footer__;JQ!!CHfpmW4!yHGfhXf-4ZC6_IaW40Nff78fR16L5OlT3HsrH5sH8y3xk1ADhhP2K0YWH8g6ZW0j$>. -- - Website: https://apereo.github.io/cas<https://urldefense.com/v3/__https://apereo.github.io/cas__;!!CHfpmW4!zRNLPAHvZkQXR2ciFxd_ZoKi-7memeygoXKL8UkBrAESOjjkOsK-bZcs17Q34yJY$> - Gitter Chatroom: https://gitter.im/apereo/cas<https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!CHfpmW4!zRNLPAHvZkQXR2ciFxd_ZoKi-7memeygoXKL8UkBrAESOjjkOsK-bZcs1_7KWRto$> - List Guidelines: https://goo.gl/1VRrw7<https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!CHfpmW4!zRNLPAHvZkQXR2ciFxd_ZoKi-7memeygoXKL8UkBrAESOjjkOsK-bZcs19Uo1h4S$> - Contributions: https://goo.gl/mh7qDG<https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!CHfpmW4!zRNLPAHvZkQXR2ciFxd_ZoKi-7memeygoXKL8UkBrAESOjjkOsK-bZcs19QqHBh9$> --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/29b1f3b3117fdd231aa7ab3be4e81e686dcea904.camel%40ndsu.edu<https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/29b1f3b3117fdd231aa7ab3be4e81e686dcea904.camel*40ndsu.edu?utm_medium=email&utm_source=footer__;JQ!!CHfpmW4!zRNLPAHvZkQXR2ciFxd_ZoKi-7memeygoXKL8UkBrAESOjjkOsK-bZcs1wS4Cr5-$>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB299560C2DA52A00D76EA8FB3D9499%40BL0PR10MB2995.namprd10.prod.outlook.com.
