Hi Doug,
Thanks for posting the instructions. We are trying to do the same thing and
will try out your instructions. I do have 1 question about the instruction:
You mentioned to bring in this dependency:
implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
But when I read CAS documentation:
https://apereo.github.io/cas/6.3.x/integration/Configuring-SAML-SP-Integrations.html
it mentions *cas-server-support-saml-sp-integrations* as the dependency.
Do you know what's the difference between the two?
Thanks,
Kelly
On Sat, Sep 26, 2020 at 3:44 PM Doug Campbell <[email protected]>
wrote:
> A warning to others on what I wrote as instructions. I accidentally left in
> validUntil="2020-09-25T20:17:03Z"
> in the sp-metadata.xml file. You would want to remove this or otherwise
> things won’t work.
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Doug
> Campbell
> *Sent:* Wednesday, September 23, 2020 11:46 PM
> *To:* [email protected]
> *Subject:* RE: [cas-user] Configure SAML2 IdP functionality to provide
> SSO for G Suite
>
>
>
> Yep. The certificate was the issue. I do have it working now but I have
> two questions regarding warnings I am seeing.
>
>
>
> I get the following warning:
>
>
>
> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - <Relay state exceeds 80 bytes: https://www.google.com/a/example.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1>
>
>
>
> Is this normal and a result of the way G Suite does SAML? Or is there
> something I can configure to make CAS happy and not feel the need to warn
> me?
>
>
>
> Also, I get this warning upon signing out of G Suite:
>
>
>
> WARN [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder] - <Cannot find SLO service in metadata for entity id [google.com/a/example.com]>
>
>
>
> I read somewhere online that Google does not provide Single Log Out
> (SLO). Is there a way to disable SLO for a service so I don't get this
> warning? I want to keep SLO enabled in general.
>
>
>
> Thanks!
>
>
>
> *Instructions for Others*
>
>
>
> In case someone else is trying to figure this out, here is what I think
> constitutes all the steps that I took to get this working. You should
> replace all instances of example.com and cas-server-url with what is
> appropriate for the system being configured.
>
>
>
> 1. Add the following dependency in the WAR overlay build.gradle
> file.
>
>
>
> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>
>
>
> 2. Add the following line to cas.properties.
>
>
>
> cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp
>
>
>
> 3. Create a service definition file in /etc/cas/services.
>
>
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "google.com/a/example.com",
>   "name" : "G Suite",
>   "id" : 10000002,
>   "evaluationOrder" : 1,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>   },
>   "usernameAttributeProvider" : {
>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>     "usernameAttribute" : "mail"
>   },
>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
>   "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
> }
>
>
>
> 4. Create a directory /etc/cas/saml.
>
> 5. Generate certificates.
>
>
>
> openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048
> openssl req -new -x509 -key /etc/cas/saml/idp-encryption.key -out /etc/cas/saml/idp-encryption.crt -days 3650
> openssl genrsa -out /etc/cas/saml/idp-signing.key 2048
> openssl req -new -x509 -key /etc/cas/saml/idp-signing.key -out /etc/cas/saml/idp-signing.crt -days 3650
>
>
>
> 6. Create idp-metadata.xml in /etc/cas/saml with the following
> contents.
>
>
>
> Note: REPLACE_WITH_..._CERTIFICATE should be replaced with everything
> between the “-----BEGIN CERTIFICATE-----“ and “-----END CERTIFICATE-----“
> in the corresponding .crt file.
>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
>     xmlns:xml="http://www.w3.org/XML/1998/namespace"
>     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
>     entityID="https://cas-server-url/cas/idp">
>   <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
>     <KeyDescriptor use="signing">
>       <ds:KeyInfo>
>         <ds:X509Data>
>           <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </KeyDescriptor>
>     <KeyDescriptor use="encryption">
>       <ds:KeyInfo>
>         <ds:X509Data>
>           <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </KeyDescriptor>
>     <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SLO"/>
>     <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SLO"/>
>     <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
>     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
>     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SSO"/>
>     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://cas-server-url/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
>     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO"/>
>     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://cas-server-url/cas/idp/profile/SAML2/SOAP/ECP"/>
>   </IDPSSODescriptor>
> </EntityDescriptor>
>
>
>
> 7. Create sp-metadata.xml in /etc/cas/saml with the following
> contents.
>
>
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S"
>     entityID="google.com/a/example.com">
>   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:KeyDescriptor use="signing">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </md:KeyDescriptor>
>     <md:KeyDescriptor use="encryption">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </md:KeyDescriptor>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/example.com/acs" index="1"/>
>   </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
>
>
> 8. In the G Suite Admin Console "Set up single sign-on (SSO) with a
> third party IdP" section:
>
> a. Checked the box for "Set up SSO with third-party identity provider"
>
> b. Entered "https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"
>
> c. Entered "https://cas-server-url/cas/logout" for "Sign-out page URL"
>
> d. Checked "Use a domain specific identifier"
>
> e. Uploaded the idp-signing.crt certificate.
>
>
>
> Hopefully I didn’t leave anything out and this will help out the next
> person.
>
>
>
> Doug
>
>
>
> *From:* 'Richard Frovarp' via CAS Community [mailto:[email protected]
> <[email protected]>]
> *Sent:* Wednesday, September 23, 2020 9:54 AM
> *To:* [email protected]
> *Subject:* Re: [cas-user] Configure SAML2 IdP functionality to provide
> SSO for G Suite
>
>
>
> The cert you were using under the old integration likely doesn't match
> your SAML cert. You would need to upload your new SAML cert to Google. And
> yeah, you want to remove the old bits of the old method, in particular the
> jars associated with it as it fires before the generic SAML can.
>
>
>
> On Tue, 2020-09-22 at 23:15 -0400, Doug Campbell wrote:
>
> Responding a little to my own question. I don't have it fully figured out
> yet but I did find a significant issue. I had left my service file for the
> old Google Apps SAML integration method in my services directory and I
> think this was intercepting things. I'm not getting the same error as
> before, but when I authenticated I got back a page from Google indicating
> that no such account existed. I'm going to try again and see what I can
> find, and perhaps see if I can turn on the debugging.
>
>
>
> *From:* [email protected] [mailto:[email protected]
> <[email protected]>] *On Behalf Of *Doug C
> *Sent:* Tuesday, September 22, 2020 12:12 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] Configure SAML2 IdP functionality to provide SSO
> for G Suite
>
>
>
> I have been working toward updating from CAS 6.0.x to CAS 6.2.x. Most
> everything has gone smoothly but I am having trouble with setting up CAS to
> be my G Suite third-party IdP. Previously I had been using the Google Apps
> Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the
> page for that
> (https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html)
> now indicates that it is deprecated and that I should consider using the
> SAML2 identity provider functionality to handle this. I have tried to
> piece together information in the documentation and in other folks'
> questions in the cas-user forum but I seem to be missing something. This
> is likely due to my lack of familiarity with SAML.
>
>
>
> I would appreciate any help or direction on getting this working.
>
>
>
> This is what I have done so far.
>
>
>
> Note: I have replaced the references to my G Suite primary domain with
> example.com for this posting.
>
>
>
> I created a services file (etc/cas/services/GSuite-10000003.json) with the
> following content:
>
>
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "google.com/a/example.com",
>   "name" : "SAMLService",
>   "id" : 10000003,
>   "evaluationOrder" : 1,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>   },
>   "usernameAttributeProvider" : {
>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>     "usernameAttribute" : "mail"
>   },
>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
> }
>
>
>
>
>
> I also created an sp-metadata.xml file using
> https://www.samltool.com/sp_metadata.php with the following contents:
>
>
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     cacheDuration="PT604800S"
>     entityID="google.com/a/example.com">
>   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="https://www.google.com/a/example.com/acs"
>         index="1" />
>   </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
>
>
>
>
> I also included the following dependency in the CAS overlay:
>
>
>
> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>
>
>
>
>
> In G Suite Admin Console "Set up single sign-on (SSO) with a third party
> IdP" I:
>
> 1. Checked the box for "Set up SSO with third-party identity provider"
>
> 2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"
>
> 3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out page URL"
>
> 4. Checked "Use a domain specific identifier"
>
> 5. Uploaded the previous x.509 certificate that I had used when using the
> previous method.
>
>
>
>
>
> At the moment, when I attempt to load a Google service I am redirected
> back to my CAS server but I receive the following error message:
>
>
>
> Error: No metadata resolvers could be configured for service SAMLService with metadata location /etc/cas/saml/sp-metadata.xml
>
>
>
>
>
> I am guessing that this is something to do with my sp-metadata.xml file
> missing something but I am at a loss as to what I need to do.
>
>
>
> Any help appreciated. Thanks!
>
>
>
> Doug
>
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
>
--
Kelly