Hi Ray,

Thanks for the info. It turns out cas cannot create certificates because I did
not set the right entity id in the IdP configuration. After fixing that, I
managed to get SSO working with elasticsearch.

However, upon logging out from elasticsearch, I got another error message
saying "Error: Logout request is not signed but should be."
Is this because of a misconfiguration on the SP or IdP side?

Ray Bon <[email protected]> wrote on Friday, July 23, 2021 at 11:42 PM:

> Your error is about signing credentials for the IdP.
>
> Cas should create metadata and certificates. Perhaps cas is unable to
> write into the default directory, /etc/cas
>
> If this is just a POC, you could turn off signing. See the service config
> here,
> https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html
>
> Ray
>
> On Thu, 2021-07-22 at 20:47 -0700, cheekian yap wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> I'm doing a POC to integrate Elastic Cloud with Apereo CAS using the SAML2
> protocol.
>
> Here is my service registry configuration:
> {
>  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>  "serviceId" : "^https://yyy.kb.ap-northeast-1.aws.found.io.*",
>  "name" : "ElasticsearchSAMLService",
>  "id" : 2,
>  "evaluationOrder" : 2,
>  "metadataLocation" :
> "file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml",
>  "issuerEntityId": "https://cas.sinlead.com/cas/idp"
> }
>
> I'm able to redirect from Kibana to the Apereo login page. However, after
> authenticating myself, I got a 500 Internal Server Error page.
>
> Here is the application log:
>
> 2021-07-23 11:39:49,831 INFO
> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
> - <Resolved metadata chain from
> [file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml].
> Filtering the chain by entity ID [
> https://yyy.kb.ap-northeast-1.aws.found.io:9243/]>
> 2021-07-23 11:39:49,834 INFO
> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
> - <Resolved metadata chain from
> [file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml].
> Filtering the chain by entity ID [
> https://yyy.kb.ap-northeast-1.aws.found.io:9243/]>
> 2021-07-23 11:39:49,886 ERROR
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
> - <Unable to locate any signing credentials for service
> [ElasticsearchSAMLService]>
> 2021-07-23 11:39:49,889 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: Unable to locate signing credentials
> ACTION: SAML2_RESPONSE_CREATED
> APPLICATION: CAS
> WHEN: Fri Jul 23 11:39:49 CST 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
>
> I was wondering what I did wrong. I'm pretty sure the file path is
> correct.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/cfa0907cefb07b217b45332bcdfaa677ee4aed15.camel%40uvic.ca
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAF1PyA2_7EqxZfSJRm0FtUW-rKEEt_sWLPs6F0xF1EC3F4S0Eg%40mail.gmail.com.
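Two things in this thread are worth checking mechanically before wiring an SP into CAS: that the service's serviceId pattern actually matches the entityID CAS filters the metadata chain by (the mismatch that broke signing credential creation), and whether the SP metadata publishes a signing key at all, since the IdP can only verify a signed LogoutRequest against a key it knows. The script below is an added example, not code from the thread or from the CAS project; the service entry and SP metadata are constructed to mirror the thread, with the hostnames as placeholders.

```python
"""Check a CAS SamlRegisteredService entry against the SP metadata it references."""
import json
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed CAS service entry, modeled on the one posted in the thread.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^https://yyy.kb.ap-northeast-1.aws.found.io.*",
  "name" : "ElasticsearchSAMLService",
  "id" : 2,
  "evaluationOrder" : 2,
  "metadataLocation" : "file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml",
  "issuerEntityId" : "https://cas.sinlead.com/cas/idp"
}"""

# Constructed SP metadata: entityID as seen in the thread's CAS log, no signing key,
# AuthnRequestsSigned="false", one SingleLogoutService endpoint.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://yyy.kb.ap-northeast-1.aws.found.io:9243/">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://yyy.kb.ap-northeast-1.aws.found.io:9243/logout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_service(service_json: str, sp_metadata: str) -> dict:
    """Return the findings an admin wants before enabling the service."""
    svc = json.loads(service_json)
    root = ET.fromstring(sp_metadata)
    entity_id = root.get("entityID", "")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    key_descriptors = sp.findall(f"{{{MD_NS}}}KeyDescriptor") if sp is not None else []
    # A KeyDescriptor with no "use" attribute covers both signing and encryption.
    has_signing_key = any(kd.get("use") in (None, "signing") for kd in key_descriptors)
    return {
        # CAS filters the metadata chain by entity ID, so serviceId must match it.
        "serviceid_matches_entityid": re.match(svc["serviceId"], entity_id) is not None,
        "entity_id": entity_id,
        "authn_requests_signed": sp is not None
        and sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "sp_has_signing_key": has_signing_key,
        "slo_endpoints": len(sp.findall(f"{{{MD_NS}}}SingleLogoutService")) if sp is not None else 0,
    }
```

A result with `serviceid_matches_entityid` false reproduces the "Unable to locate any signing credentials" situation from the log; `sp_has_signing_key` false means a signed logout request from this SP could not be verified by the IdP anyway.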