Any solution or work around for this? Gettign the same issue on CAS 6.3.2.
Only way to get it to work is if i set my entityId to be same as hostname
which will not work in a production env.
On Monday, April 5, 2021 at 3:41:02 AM UTC-5 Marcin Roman wrote:
> Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT
> and 6.4.0-SNAPSHOT.
> It looks like SamlIdPMetadataResolver is provided with cas url instead of
> entityId while resolving signing credentials.
>
> cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create
> SAMLObject for type: [interface org.opensaml.saml.saml2.core.Status] and
> QName: [{urn:oasis:names:tc:SAML:2.0:protocol}Status]
> cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create
> SAMLObject for type: [interface org.opensaml.saml.saml2.core.StatusCode]
> and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode]
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils]
> ********************************************************************************
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] Logging
> [org.opensaml.saml.saml2.core.impl.ResponseImpl]
> cas_1 |
> cas_1 | [<?xml version="1.0" encoding="UTF-8"?><saml2p:Response
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="
> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp";
> ID="_111942357346883584"
> InResponseTo="_f23e8fe1993a1a61287f3d30288ee5700f936c0631"
> IssueInstant="2021-04-05T07:55:18.827Z" Version="2.0">
> cas_1 | <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
> cas_1 | <saml2p:Status>
> cas_1 | <saml2p:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> cas_1 | </saml2p:Status>
> cas_1 | <saml2:Assertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_5878410931315849216" IssueInstant="2021-04-05T07:55:18.753Z"
> Version="2.0">
> cas_1 | <saml2:Issuer>https://login.umcs.pl/cas/idp/metadata
> </saml2:Issuer>
> cas_1 | <saml2:Subject>
> // DELETED
> cas_1 | </saml2:Assertion>
> cas_1 | </saml2p:Response>
> cas_1 | ]
> cas_1 |
> cas_1 |
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils]
> ********************************************************************************
> cas_1 | DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder]
>
> SAML entity id [
> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp]
> indicates that SAML responses should be signed
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Attempting to encode [org.opensaml.saml.saml2.core.impl.ResponseImpl] for [
> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp
> ]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Outbound saml object to use is
> [org.opensaml.saml.saml2.core.impl.ResponseImpl]
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Fetched assertion
> consumer service url [
> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp]
> with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from
> authentication request
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Configured peer
> entity endpoint to be [
> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp]
> with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Default signature signing blocked algorithms: [[
> http://www.w3.org/2001/04/xmldsig-more#hmac-md5,
> http://www.w3.org/2001/04/xmldsig-more#md5,
> http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Default signature signing signature algorithms: [[
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha384,
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha512,
> http://www.w3.org/2000/09/xmldsig#rsa-sha1,
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256,
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384,
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512,
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,
> http://www.w3.org/2000/09/xmldsig#dsa-sha1,
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha256,
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha384,
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha512,
> http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Default signature signing signature canonicalization algorithm: [
> http://www.w3.org/2001/10/xml-exc-c14n#]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Default signature signing allowed algorithms: [[]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Default signature signing reference digest methods: [[
> http://www.w3.org/2001/04/xmlenc#sha256,
> http://www.w3.org/2001/04/xmldsig-more#sha384,
> http://www.w3.org/2001/04/xmlenc#sha512,
> http://www.w3.org/2000/09/xmldsig#sha1]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Finalized signature signing blocked algorithms: [[
> http://www.w3.org/2001/04/xmldsig-more#hmac-md5,
> http://www.w3.org/2001/04/xmldsig-more#md5,
> http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Finalized signature signing signature algorithms: [[
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha384,
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha512,
> http://www.w3.org/2000/09/xmldsig#rsa-sha1,
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256,
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384,
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512,
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,
> http://www.w3.org/2000/09/xmldsig#dsa-sha1,
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha256,
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha384,
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha512,
> http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Finalized signature signing signature canonicalization algorithm: [
> http://www.w3.org/2001/10/xml-exc-c14n#]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Finalized signature signing allowed algorithms: [[]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Finalized signature signing reference digest methods: [[
> http://www.w3.org/2001/04/xmlenc#sha256,
> http://www.w3.org/2001/04/xmldsig-more#sha384,
> http://www.w3.org/2001/04/xmlenc#sha512,
> http://www.w3.org/2000/09/xmldsig#sha1]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>
> Metadata directory location for [aai_pionier_net_pl_test] is
> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
> cas_1 | DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Locating signature signing key for
> [SamlRegisteredService(super=AbstractRegisteredService(serviceId=
> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test,
> theme=null, informationUrl=null, privacyUrl=null, responseType=null,
> id=1001, description=null,
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>
> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>
> messageCode=null, text=null),
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
> ticketGrantingTicketExpirationPolicy=null,
> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
> evaluationOrder=999,
> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>
> logoutType=BACK_CHANNEL, environments=[],
> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>
> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
> excludedAttributes=null, includeOnlyAttributes=null, order=0),
> authorizedToReleaseCredentialPassword=false,
> authorizedToReleaseProxyGrantingTicket=false,
> excludeDefaultAttributes=false,
> authorizedToReleaseAuthenticationAttributes=true,
> principalIdAttribute=null, order=0),
> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
> displayName, givenName, sn, eduPersonScopedAffiliation]),
> entityAttribute=null, entityAttributeFormat=null,
> entityAttributeValues=[]),
> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>
> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
> excludedAttributes=null, includeOnlyAttributes=null, order=0),
> authorizedToReleaseCredentialPassword=false,
> authorizedToReleaseProxyGrantingTicket=false,
> excludeDefaultAttributes=false,
> authorizedToReleaseAuthenticationAttributes=true,
> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
> attribute=uidNumber)], mergingPolicy=replace, order=0),
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>
> failureMode=UNDEFINED, principalAttributeNameTrigger=null,
> principalAttributeValueToMatch=null, bypassEnabled=false,
> forceExecution=false, bypassTrustedDeviceEnabled=false,
> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
> script=null),
> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null,
> redirectUrl=null,
> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>
> permitUndefined=true, exclusive=false), requireAllAttributes=true,
> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
> publicKey=null,
> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>
> excludedAuthenticationHandlers=[],
> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>
> properties={}, contacts=[]),
> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
> metadataProxyLocation=null, metadataMaxValidity=0,
> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
> metadataCriteriaPattern=null,
> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
> metadataSignatureLocation=null, logoutResponseBinding=null,
> requireSignedRoot=true, serviceProviderNameIdQualifier=null,
> nameIdQualifier=null, metadataExpirationDuration=PT60M,
> signingCredentialFingerprint=null, issuerEntityId=null,
> signingKeyAlgorithm=null, signAssertions=false,
> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
> skipGeneratingSubjectConfirmationInResponseTo=false,
> skipGeneratingSubjectConfirmationNotOnOrAfter=false,
> skipGeneratingSubjectConfirmationRecipient=false,
> skipGeneratingSubjectConfirmationNotBefore=true,
> skipGeneratingSubjectConfirmationNameId=true,
> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
> signResponses=true, encryptAssertions=false, encryptAttributes=false,
> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
> metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
> metadataCriteriaRemoveRolelessEntityDescriptors=true,
> signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
> whiteListBlackListPrecedence=null, attributeNameFormats={},
> attributeFriendlyNames={}, attributeValueTypes={},
> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
> signingSignatureWhiteListedAlgorithms=[],
> signingSignatureCanonicalizationAlgorithm=null,
> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])]
> using algorithm [RSA]
> cas_1 | DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver]
> Resolving credentials from metadata using entityID:
> https://login.umcs.pl/cas/idp/metadata, role:
> {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: null,
> usage: SIGNING
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>
> Metadata directory location for [aai_pionier_net_pl_test] is
> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>
> Metadata directory location for [aai_pionier_net_pl_test] is
> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
> Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
> Located metadata root element [EntityDescriptor]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
> Initializing metadata resolver [SamlIdPMetadataResolver]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
> Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING],
> EntityRoleCriterion
> [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor],
> SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=
> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test,
> theme=null, informationUrl=null, privacyUrl=null, responseType=null,
> id=1001, description=null,
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>
> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>
> messageCode=null, text=null),
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
> ticketGrantingTicketExpirationPolicy=null,
> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
> evaluationOrder=999,
> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>
> logoutType=BACK_CHANNEL, environments=[],
> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>
> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
> excludedAttributes=null, includeOnlyAttributes=null, order=0),
> authorizedToReleaseCredentialPassword=false,
> authorizedToReleaseProxyGrantingTicket=false,
> excludeDefaultAttributes=false,
> authorizedToReleaseAuthenticationAttributes=true,
> principalIdAttribute=null, order=0),
> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
> displayName, givenName, sn, eduPersonScopedAffiliation]),
> entityAttribute=null, entityAttributeFormat=null,
> entityAttributeValues=[]),
> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>
> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
> excludedAttributes=null, includeOnlyAttributes=null, order=0),
> authorizedToReleaseCredentialPassword=false,
> authorizedToReleaseProxyGrantingTicket=false,
> excludeDefaultAttributes=false,
> authorizedToReleaseAuthenticationAttributes=true,
> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
> attribute=uidNumber)], mergingPolicy=replace, order=0),
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>
> failureMode=UNDEFINED, principalAttributeNameTrigger=null,
> principalAttributeValueToMatch=null, bypassEnabled=false,
> forceExecution=false, bypassTrustedDeviceEnabled=false,
> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
> script=null),
> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null,
> redirectUrl=null,
> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>
> permitUndefined=true, exclusive=false), requireAllAttributes=true,
> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
> publicKey=null,
> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>
> excludedAuthenticationHandlers=[],
> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>
> properties={}, contacts=[]),
> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
> metadataProxyLocation=null, metadataMaxValidity=0,
> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
> metadataCriteriaPattern=null,
> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
> metadataSignatureLocation=null, logoutResponseBinding=null,
> requireSignedRoot=true, serviceProviderNameIdQualifier=null,
> nameIdQualifier=null, metadataExpirationDuration=PT60M,
> signingCredentialFingerprint=null, issuerEntityId=null,
> signingKeyAlgorithm=null, signAssertions=false,
> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
> skipGeneratingSubjectConfirmationInResponseTo=false,
> skipGeneratingSubjectConfirmationNotOnOrAfter=false,
> skipGeneratingSubjectConfirmationRecipient=false,
> skipGeneratingSubjectConfirmationNotBefore=true,
> skipGeneratingSubjectConfirmationNameId=true,
> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
> signResponses=true, encryptAssertions=false, encryptAttributes=false,
> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
> metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
> metadataCriteriaRemoveRolelessEntityDescriptors=true,
> signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
> whiteListBlackListPrecedence=null, attributeNameFormats={},
> attributeFriendlyNames={}, attributeValueTypes={},
> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
> signingSignatureWhiteListedAlgorithms=[],
> signingSignatureCanonicalizationAlgorithm=null,
> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])),
> SignatureSigningConfigurationCriterion
> [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
>
> EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
> cas_1 | DEBUG
> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
> Metadata Resolver SamlIdPMetadataResolver
> https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not
> contain any EntityDescriptors with the ID:
> https://login.umcs.pl/cas/idp/metadata
> cas_1 | DEBUG
> [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver]
> Metadata Resolver SamlIdPMetadataResolver
> https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via
> EntityIdCriterion: EntityIdCriterion [id=
> https://login.umcs.pl/cas/idp/metadata]
> cas_1 | DEBUG
> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
> Metadata Resolver SamlIdPMetadataResolver
> https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty,
> nothing to filter via predicates
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
> Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
> Located metadata root element [EntityDescriptor]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
> Initializing metadata resolver [SamlIdPMetadataResolver]
> cas_1 | TRACE
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
> Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING],
> EntityRoleCriterion
> [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor],
> SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=
> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test,
> theme=null, informationUrl=null, privacyUrl=null, responseType=null,
> id=1001, description=null,
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>
> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>
> messageCode=null, text=null),
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
> ticketGrantingTicketExpirationPolicy=null,
> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
> evaluationOrder=999,
> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>
> logoutType=BACK_CHANNEL, environments=[],
> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>
> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
> excludedAttributes=null, includeOnlyAttributes=null, order=0),
> authorizedToReleaseCredentialPassword=false,
> authorizedToReleaseProxyGrantingTicket=false,
> excludeDefaultAttributes=false,
> authorizedToReleaseAuthenticationAttributes=true,
> principalIdAttribute=null, order=0),
> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
> displayName, givenName, sn, eduPersonScopedAffiliation]),
> entityAttribute=null, entityAttributeFormat=null,
> entityAttributeValues=[]),
> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>
> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
> excludedAttributes=null, includeOnlyAttributes=null, order=0),
> authorizedToReleaseCredentialPassword=false,
> authorizedToReleaseProxyGrantingTicket=false,
> excludeDefaultAttributes=false,
> authorizedToReleaseAuthenticationAttributes=true,
> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
> attribute=uidNumber)], mergingPolicy=replace, order=0),
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>
> failureMode=UNDEFINED, principalAttributeNameTrigger=null,
> principalAttributeValueToMatch=null, bypassEnabled=false,
> forceExecution=false, bypassTrustedDeviceEnabled=false,
> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
> script=null),
> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null,
> redirectUrl=null,
> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>
> permitUndefined=true, exclusive=false), requireAllAttributes=true,
> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
> publicKey=null,
> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>
> excludedAuthenticationHandlers=[],
> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>
> properties={}, contacts=[]),
> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
> metadataProxyLocation=null, metadataMaxValidity=0,
> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
> metadataCriteriaPattern=null,
> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
> metadataSignatureLocation=null, logoutResponseBinding=null,
> requireSignedRoot=true, serviceProviderNameIdQualifier=null,
> nameIdQualifier=null, metadataExpirationDuration=PT60M,
> signingCredentialFingerprint=null, issuerEntityId=null,
> signingKeyAlgorithm=null, signAssertions=false,
> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
> skipGeneratingSubjectConfirmationInResponseTo=false,
> skipGeneratingSubjectConfirmationNotOnOrAfter=false,
> skipGeneratingSubjectConfirmationRecipient=false,
> skipGeneratingSubjectConfirmationNotBefore=true,
> skipGeneratingSubjectConfirmationNameId=true,
> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
> signResponses=true, encryptAssertions=false, encryptAttributes=false,
> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
> metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
> metadataCriteriaRemoveRolelessEntityDescriptors=true,
> signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
> whiteListBlackListPrecedence=null, attributeNameFormats={},
> attributeFriendlyNames={}, attributeValueTypes={},
> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
> signingSignatureWhiteListedAlgorithms=[],
> signingSignatureCanonicalizationAlgorithm=null,
> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])),
> SignatureSigningConfigurationCriterion
> [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
>
> EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
> cas_1 | DEBUG
> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
> Metadata Resolver SamlIdPMetadataResolver
> https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not
> contain any EntityDescriptors with the ID:
> https://login.umcs.pl/cas/idp/metadata
> cas_1 | DEBUG
> [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver]
> Metadata Resolver SamlIdPMetadataResolver
> https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via
> EntityIdCriterion: EntityIdCriterion [id=
> https://login.umcs.pl/cas/idp/metadata]
> cas_1 | DEBUG
> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
> Metadata Resolver SamlIdPMetadataResolver
> https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty,
> nothing to filter via predicates
> cas_1 | DEBUG
> [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver]
> Resolved no EntityDescriptors via underlying MetadataResolver, returning
> empty collection
> cas_1 | ERROR
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>
> Unable to locate any signing credentials for service
> [aai_pionier_net_pl_test]
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/142c1a0a-60bf-4a18-a35f-9c9537279a77n%40apereo.org.
