I think I got the difference, so never mind the question. Kelly
On Mon, Jun 28, 2021 at 5:10 PM Geng, Kelly <[email protected]> wrote: > Hi Doug, > > Thanks for posting the instructions. We are trying to do the same thing > and will try out your instructions. I do have 1 question about the > instruction: You mentioned to bring in this dependency: > implementation "org.apereo.cas:cas-server-support-saml-idp:${project.' > cas.version'}" > > But when I read CAS documentation: > https://apereo.github.io/cas/6.3.x/integration/Configuring-SAML-SP-Integrations.html > > it mentions * cas-server-support-saml-sp-integrations *as the dependency. > > Do you know what's the difference between the two? > > Thanks, > Kelly > > > > On Sat, Sep 26, 2020 at 3:44 PM Doug Campbell <[email protected]> > wrote: > >> A warning to others on what I wrote as instructions. I accidently left >> in validUntil="2020-09-25T20:17:03Z" in the sp-metadata.xml file. You >> would want to remove this or otherwise things won’t work. >> >> >> >> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Doug >> Campbell >> *Sent:* Wednesday, September 23, 2020 11:46 PM >> *To:* [email protected] >> *Subject:* RE: [cas-user] Configure SAML2 IdP functionality to provide >> SSO for G Suite >> >> >> >> Yep. The certificate was the issue. I do have it working now but I have >> two questions regarding warnings I am seeing. >> >> >> >> I get the following warning: >> >> >> >> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - <Relay state >> exceeds 80 bytes: >> https://www.google.com/a/example.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1<mpl=default<mplcache=2&emr=1&osid=1 >> > >> >> >> >> Is this normal and a result of the way G Suite does SAML? Or is there >> something I can configure to make CAS happy and not feel the need to warn >> me. >> >> >> >> Also, I get this warning upon signing out of G Suite: >> >> >> >> WARN >> [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder] >> - <Cannot find SLO service in metadata for entity id [ >> google.com/a/example.com]> >> >> >> >> I read somewhere online that Google does not provide Single Log Out >> (SLO). Is there a way to disable SLO for a service so I don't get this >> warning? I want to keep SLO enabled in general. >> >> >> >> Thanks! >> >> >> >> *Instructions for Others* >> >> >> >> In case someone else is trying to figure this out. Here are what I think >> constitutes all the steps that I took to get this working. You should >> replace all instances of example.com and cas-server-url with what is >> appropriate the system being configured. >> >> >> >> 1. Add the following dependency in the WAR overlay build.gradle >> file. >> >> >> >> implementation >> "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}" >> >> >> >> 2. Add the following line to cas.properties. >> >> >> >> cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp >> >> >> >> 3. Create a service definition file in /etc/cas/services. >> >> >> >> { >> >> "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", >> >> "serviceId" : "google.com/a/example.com", >> >> "name" : "G Suite", >> >> "id" : 10000002, >> >> "evaluationOrder" : 1, >> >> "attributeReleasePolicy" : { >> >> "@class" : >> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", >> >> "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ] >> >> }, >> >> "usernameAttributeProvider" : { >> >> "@class" : >> "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", >> >> "usernameAttribute" : "mail" >> >> } >> >> "metadataLocation" : "/etc/cas/saml/sp-metadata.xml", >> >> "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt" >> >> } >> >> >> >> 4. Create a directory /etc/cas/saml. >> >> 5. Generate certificates. >> >> >> >> openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048 >> >> openssl req -new -x509 -key /etc/cas/small/idp-encryption.key -out >> /etc/cas/saml/idp-encryption.crt -days 3650 >> >> openssl genrsa -out /etc/cas/saml/idp-signing.key 2048 >> >> openssl req -new -x509 -key /etc/cas/saml/idp-signing.key -out >> /etc/cas/saml/idp-signing.crt -days 3650 >> >> >> >> 6. Create idp-metadata.xml in /etc/cas/saml with the following >> contents. >> >> >> >> Note: REPLACE_WITH_..._CERTIFICATE should be replaced with everything >> between the “-----BEGIN CERTIFICATE-----“ and “-----END CERTIFICATE-----“ >> in the corresponding .crt file. >> >> >> >> <?xml version="1.0" encoding="UTF-8"?> >> >> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds=" >> http://www.w3.org/2000/09/xmldsig#"; >> xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml=" >> http://www.w3.org/XML/1998/namespace"; >> xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https:// >> cas-server-url/cas/idp"> >> >> <IDPSSODescriptor >> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol >> urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"> >> >> <KeyDescriptor use="signing"> >> >> <ds:KeyInfo> >> >> <ds:X509Data> >> >> <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE >> </ds:X509Certificate> >> >> </ds:X509Data> >> >> </ds:KeyInfo> >> >> </KeyDescriptor> >> >> <KeyDescriptor use="encryption"> >> >> <ds:KeyInfo> >> >> <ds:X509Data> >> >> <ds:X509Certificate> >> REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate> >> >> </ds:X509Data> >> >> </ds:KeyInfo> >> >> </KeyDescriptor> >> >> >> >> <SingleLogoutService >> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" >> https://cas-server-url/cas/idp/profile/SAML2/POST/SLO"/> >> >> <SingleLogoutService >> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=" >> https://cas-server-url/cas/idp/profile/SAML2/Redirect/SLO"; /> >> >> >> >> >> <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> >> >> >> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> >> >> >> >> <SingleSignOnService >> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" >> https://cas-server-url/cas/idp/profile/SAML2/POST/SSO"/> >> >> <SingleSignOnService >> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" >> Location="https://cas-server-url >> /cas/idp/profile/SAML2/POST-SimpleSign/SSO"/> >> >> <SingleSignOnService >> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=" >> https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO"/> >> >> <SingleSignOnService >> Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https:// >> cas-server-url/cas/idp/profile/SAML2/SOAP/ECP"/> >> >> </IDPSSODescriptor> >> >> </EntityDescriptor> >> >> >> >> 7. Create sp-metadata.xml in /etc/cas/saml with the following >> contents. >> >> >> >> <?xml version="1.0"?> >> >> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" >> validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S" entityID=" >> google.com/a/example.com"> >> >> <md:SPSSODescriptor AuthnRequestsSigned="false" >> WantAssertionsSigned="false" >> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> >> >> <md:KeyDescriptor use="signing"> >> >> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >> >> <ds:X509Data> >> >> <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE >> </ds:X509Certificate> >> >> </ds:X509Data> >> >> </ds:KeyInfo> >> >> </md:KeyDescriptor> >> >> <md:KeyDescriptor use="encryption"> >> >> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >> >> <ds:X509Data> >> >> <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE >> </ds:X509Certificate> >> >> </ds:X509Data> >> >> </ds:KeyInfo> >> >> </md:KeyDescriptor> >> >> >> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> >> >> <md:AssertionConsumerService >> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" >> https://www.google.com/a/example.com/acs"; index="1"/> >> >> </md:SPSSODescriptor> >> >> </md:EntityDescriptor> >> >> >> >> 8. In the G Suite Admin Console "Set up single sign-on (SSO) with a >> third party IdP" section: >> >> a. Checked the box for "Set up SSO with third-party identity >> provider" >> >> b. Entered "https://cas-server-url >> /cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL" >> >> c. Entered "https://cas-server-url/cas/logout"; for "Sign-out page >> URL" >> >> d. Checked "Use a domain specific identifier" >> >> e. Uploaded the idp-signing.crt certificate. >> >> >> >> Hopefully I didn’t leave anything out and this will help out the next >> person. >> >> >> >> Doug >> >> >> >> *From:* 'Richard Frovarp' via CAS Community [mailto:[email protected] >> <[email protected]>] >> *Sent:* Wednesday, September 23, 2020 9:54 AM >> *To:* [email protected] >> *Subject:* Re: [cas-user] Configure SAML2 IdP functionality to provide >> SSO for G Suite >> >> >> >> The cert you were using under the old integration likely doesn't match >> your SAML cert. You would need to upload your new SAML cert to Google. And >> yeah, you want to remove the old bits of the old method, in particular the >> jars associated with it as it fires before the generic SAML can. >> >> >> >> On Tue, 2020-09-22 at 23:15 -0400, Doug Campbell wrote: >> >> Responding a little to my own question. I don’t have it fully figured >> out yet but I did find a significant issue. I had left my service file for >> the old Google Apps SAML integration method in my services directory and I >> think this was intercepting things. I’m not getting the same error as >> before but when I authenticated I got back a page from Google indicating >> that no such account existed. I’m going to try again and see what I can >> find perhaps see if I can turn of the debugging. >> >> >> >> *From:* [email protected] [mailto:[email protected] >> <[email protected]>] *On Behalf Of *Doug C >> *Sent:* Tuesday, September 22, 2020 12:12 AM >> *To:* CAS Community <[email protected]> >> *Subject:* [cas-user] Configure SAML2 IdP functionality to provide SSO >> for G Suite >> >> >> >> I have been working toward updating from CAS 6.0.x to CAS 6.2.x. Most >> everything has gone smoothly but I am having trouble with setting up CAS to >> be my G Suite third-party Idp. Previously I had been using the Google Apps >> Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the >> page for that ( >> https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) >> now indicates that it is deprecated and that I should consider using the >> SAML2 identity provider functionality to handle this. I have tried to >> piece together information in the documentation and in other folk's >> questions in the cas-user forum but I seem to be missing something. This >> is likely due to my lack of familiarity with SAML. >> >> >> >> I would appreciate any help or direction on getting this working. >> >> >> >> This is what I have done so far. >> >> >> >> Note: I have replaced the references to my G Suite primary domain with >> example.com for this posting. >> >> >> >> I created a services file (etc/cas/services/GSuite-10000003.json) with >> the following content: >> >> >> >> { >> >> "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", >> >> "serviceId" : "google.com/a/example.com", >> >> "name" : "SAMLService", >> >> "id" : 10000003, >> >> "evaluationOrder" : 1, >> >> "attributeReleasePolicy" : { >> >> "@class" : >> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", >> >> "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ] >> >> }, >> >> "usernameAttributeProvider" : { >> >> "@class" : >> "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", >> >> "usernameAttribute" : "mail" >> >> } >> >> "metadataLocation" : "/etc/cas/saml/sp-metadata.xml" >> >> } >> >> >> >> >> >> I also created an sp-metadata.xml file using >> https://www.samltool.com/sp_metadata.php with the following contents: >> >> >> >> <?xml version="1.0"?> >> >> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" >> >> cacheDuration="PT604800S" >> >> entityID="google.com/a/example.com"> >> >> <md:SPSSODescriptor AuthnRequestsSigned="false" >> WantAssertionsSigned="false" >> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> >> >> >> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> >> >> <md:AssertionConsumerService >> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" >> >> Location=" >> https://www.google.com/a/example.com/acs"; >> >> index="1" /> >> >> >> >> </md:SPSSODescriptor> >> >> </md:EntityDescriptor> >> >> >> >> >> >> I also included the following dependency in the CAS overlay: >> >> >> >> implementation >> "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}" >> >> >> >> >> >> In G Suite Admin Console "Set up single sign-on (SSO) with a third party >> IdP" I: >> >> 1. Checked the box for "Set up SSO with third-party identity provider" >> >> 2. Entered " >> https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO"; for >> "Sign-in page URL" >> >> 3. Entered "https://signin.my-cas-server.com/cas/logout"; for "Sign-out >> page URL" >> >> 4. Checked "Use a domain specific identifier" >> >> 5. Uploaded the previous x.509 certificate that I had used when using the >> previous method. >> >> >> >> >> >> At the moment, when I attempt to load a Google service I am redirected >> back to my CAS server but I receive the following error message: >> >> >> >> Error: No metadata resolvers could be configured for service SAMLService >> with metadata location /etc/cas/saml/sp-metadata.xml >> >> >> >> >> >> I am guessing that this is something to do with my sp-metadata.xml file >> missing something but I am at a loss as to what I need to do. >> >> >> >> Any help appreciated. Thanks! >> >> >> >> Doug >> >> >> >> -- >> - Website: https://apereo.github.io/cas >> - Gitter Chatroom: https://gitter.im/apereo/cas >> - List Guidelines: https://goo.gl/1VRrw7 >> - Contributions: https://goo.gl/mh7qDG >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org >> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org?utm_medium=email&utm_source=footer> >> . >> >> -- >> - Website: https://apereo.github.io/cas >> - Gitter Chatroom: https://gitter.im/apereo/cas >> - List Guidelines: https://goo.gl/1VRrw7 >> - Contributions: https://goo.gl/mh7qDG >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/eaade8f58e2b9df93ee8300abeecdb4fb13a568a.camel%40ndsu.edu >> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/eaade8f58e2b9df93ee8300abeecdb4fb13a568a.camel%40ndsu.edu?utm_medium=email&utm_source=footer> >> . >> >> -- >> - Website: https://apereo.github.io/cas >> - Gitter Chatroom: https://gitter.im/apereo/cas >> - List Guidelines: https://goo.gl/1VRrw7 >> - Contributions: https://goo.gl/mh7qDG >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/00c501d69225%2449a195e0%24dce4c1a0%24%40hotmail.com >> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/00c501d69225%2449a195e0%24dce4c1a0%24%40hotmail.com?utm_medium=email&utm_source=footer> >> . >> >> -- >> - Website: https://apereo.github.io/cas >> - Gitter Chatroom: https://gitter.im/apereo/cas >> - List Guidelines: https://goo.gl/1VRrw7 >> - Contributions: https://goo.gl/mh7qDG >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/000401d6943d%247f425da0%247dc718e0%24%40hotmail.com >> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/000401d6943d%247f425da0%247dc718e0%24%40hotmail.com?utm_medium=email&utm_source=footer> >> . >> > > > -- > Kelly > -- Kelly -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANDcCJkCWfhHPyJG11bXWc61p9GH2%3DJcWXXi2azji4urz%3DCNTQ%40mail.gmail.com.
