EntityId in metadata must match entityId in CAS properties.
Use CAS 6.3.4 or 6.4. I couldn't get it working with other versions.

On Wed, Aug 25, 2021, 9:06 PM Pablo Vidaurri <[email protected]> wrote:

> Any solution or workaround for this? Getting the same issue on CAS 6.3.2.
> Only way to get it to work is if I set my entityId to be same as hostname
> which will not work in a production env.
>
> On Monday, April 5, 2021 at 3:41:02 AM UTC-5 Marcin Roman wrote:
>
>> Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT
>> and 6.4.0-SNAPSHOT.
>> It looks like SamlIdPMetadataResolver is provided with cas url instead of
>> entityId while resolving signing credentials.
>>
>> cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to
>> create SAMLObject for type: [interface org.opensaml.saml.saml2.core.Status]
>> and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}Status]
>> cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to
>> create SAMLObject for type: [interface
>> org.opensaml.saml.saml2.core.StatusCode] and QName:
>> [{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode]
>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils]
>> ********************************************************************************
>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] Logging
>> [org.opensaml.saml.saml2.core.impl.ResponseImpl]
>> cas_1 |
>> cas_1 | [<?xml version="1.0" encoding="UTF-8"?><saml2p:Response
>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="
>> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp";
>> ID="_111942357346883584"
>> InResponseTo="_f23e8fe1993a1a61287f3d30288ee5700f936c0631"
>> IssueInstant="2021-04-05T07:55:18.827Z" Version="2.0">
>> cas_1 | <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>> https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
>> cas_1 | <saml2p:Status>
>> cas_1 | <saml2p:StatusCode
>> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>> cas_1 | </saml2p:Status>
>> cas_1 | <saml2:Assertion
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> ID="_5878410931315849216" IssueInstant="2021-04-05T07:55:18.753Z"
>> Version="2.0">
>> cas_1 | <saml2:Issuer>https://login.umcs.pl/cas/idp/metadata
>> </saml2:Issuer>
>> cas_1 | <saml2:Subject>
>> // DELETED
>> cas_1 | </saml2:Assertion>
>> cas_1 | </saml2p:Response>
>> cas_1 | ]
>> cas_1 |
>> cas_1 |
>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils]
>> ********************************************************************************
>> cas_1 | DEBUG
>> [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder]
>> SAML entity id [
>> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp]
>> indicates that SAML responses should be signed
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Attempting to encode [org.opensaml.saml.saml2.core.impl.ResponseImpl] for [
>> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp
>> ]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Outbound saml object to use is
>> [org.opensaml.saml.saml2.core.impl.ResponseImpl]
>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Fetched
>> assertion consumer service url [
>> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp]
>> with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from
>> authentication request
>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Configured peer
>> entity endpoint to be [
>> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp]
>> with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Default signature signing blocked algorithms: [[
>> http://www.w3.org/2001/04/xmldsig-more#hmac-md5,
>> http://www.w3.org/2001/04/xmldsig-more#md5,
>> http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Default signature signing signature algorithms: [[
>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,
>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha384,
>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha512,
>> http://www.w3.org/2000/09/xmldsig#rsa-sha1,
>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256,
>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384,
>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512,
>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,
>> http://www.w3.org/2000/09/xmldsig#dsa-sha1,
>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha256,
>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha384,
>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha512,
>> http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Default signature signing signature canonicalization algorithm: [
>> http://www.w3.org/2001/10/xml-exc-c14n#]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Default signature signing allowed algorithms: [[]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Default signature signing reference digest methods: [[
>> http://www.w3.org/2001/04/xmlenc#sha256,
>> http://www.w3.org/2001/04/xmldsig-more#sha384,
>> http://www.w3.org/2001/04/xmlenc#sha512,
>> http://www.w3.org/2000/09/xmldsig#sha1]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Finalized signature signing blocked algorithms: [[
>> http://www.w3.org/2001/04/xmldsig-more#hmac-md5,
>> http://www.w3.org/2001/04/xmldsig-more#md5,
>> http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Finalized signature signing signature algorithms: [[
>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,
>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha384,
>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha512,
>> http://www.w3.org/2000/09/xmldsig#rsa-sha1,
>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256,
>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384,
>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512,
>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,
>> http://www.w3.org/2000/09/xmldsig#dsa-sha1,
>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha256,
>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha384,
>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha512,
>> http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Finalized signature signing signature canonicalization algorithm: [
>> http://www.w3.org/2001/10/xml-exc-c14n#]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Finalized signature signing allowed algorithms: [[]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Finalized signature signing reference digest methods: [[
>> http://www.w3.org/2001/04/xmlenc#sha256,
>> http://www.w3.org/2001/04/xmldsig-more#sha384,
>> http://www.w3.org/2001/04/xmlenc#sha512,
>> http://www.w3.org/2000/09/xmldsig#sha1]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>> Metadata directory location for [aai_pionier_net_pl_test] is
>> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
>> cas_1 | DEBUG
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Locating signature signing key for
>> [SamlRegisteredService(super=AbstractRegisteredService(serviceId=
>> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test,
>> theme=null, informationUrl=null, privacyUrl=null, responseType=null,
>> id=1001, description=null,
>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
>> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>> messageCode=null, text=null),
>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
>> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
>> ticketGrantingTicketExpirationPolicy=null,
>> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
>> evaluationOrder=999,
>> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>> logoutType=BACK_CHANNEL, environments=[],
>> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
>> excludedAttributes=null, includeOnlyAttributes=null, order=0),
>> authorizedToReleaseCredentialPassword=false,
>> authorizedToReleaseProxyGrantingTicket=false,
>> excludeDefaultAttributes=false,
>> authorizedToReleaseAuthenticationAttributes=true,
>> principalIdAttribute=null, order=0),
>> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
>> displayName, givenName, sn, eduPersonScopedAffiliation]),
>> entityAttribute=null, entityAttributeFormat=null,
>> entityAttributeValues=[]),
>> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
>> excludedAttributes=null, includeOnlyAttributes=null, order=0),
>> authorizedToReleaseCredentialPassword=false,
>> authorizedToReleaseProxyGrantingTicket=false,
>> excludeDefaultAttributes=false,
>> authorizedToReleaseAuthenticationAttributes=true,
>> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
>> attribute=uidNumber)], mergingPolicy=replace, order=0),
>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>> failureMode=UNDEFINED, principalAttributeNameTrigger=null,
>> principalAttributeValueToMatch=null, bypassEnabled=false,
>> forceExecution=false, bypassTrustedDeviceEnabled=false,
>> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
>> script=null),
>> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
>> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null,
>> redirectUrl=null,
>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>> permitUndefined=true, exclusive=false), requireAllAttributes=true,
>> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
>> publicKey=null,
>> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>> excludedAuthenticationHandlers=[],
>> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>> properties={}, contacts=[]),
>> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
>> metadataProxyLocation=null, metadataMaxValidity=0,
>> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
>> metadataCriteriaPattern=null,
>> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
>> metadataSignatureLocation=null, logoutResponseBinding=null,
>> requireSignedRoot=true, serviceProviderNameIdQualifier=null,
>> nameIdQualifier=null, metadataExpirationDuration=PT60M,
>> signingCredentialFingerprint=null, issuerEntityId=null,
>> signingKeyAlgorithm=null, signAssertions=false,
>> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
>> skipGeneratingSubjectConfirmationInResponseTo=false,
>> skipGeneratingSubjectConfirmationNotOnOrAfter=false,
>> skipGeneratingSubjectConfirmationRecipient=false,
>> skipGeneratingSubjectConfirmationNotBefore=true,
>> skipGeneratingSubjectConfirmationNameId=true,
>> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
>> signResponses=true, encryptAssertions=false, encryptAttributes=false,
>> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
>> metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
>> metadataCriteriaRemoveRolelessEntityDescriptors=true,
>> signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
>> whiteListBlackListPrecedence=null, attributeNameFormats={},
>> attributeFriendlyNames={}, attributeValueTypes={},
>> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
>> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
>> signingSignatureWhiteListedAlgorithms=[],
>> signingSignatureCanonicalizationAlgorithm=null,
>> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
>> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])]
>> using algorithm [RSA]
>> cas_1 | DEBUG
>> [org.opensaml.saml.security.impl.MetadataCredentialResolver] Resolving
>> credentials from metadata using entityID:
>> https://login.umcs.pl/cas/idp/metadata, role:
>> {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: null,
>> usage: SIGNING
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>> Metadata directory location for [aai_pionier_net_pl_test] is
>> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>> Metadata directory location for [aai_pionier_net_pl_test] is
>> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
>> Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
>> Located metadata root element [EntityDescriptor]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
>> Initializing metadata resolver [SamlIdPMetadataResolver]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
>> Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING],
>> EntityRoleCriterion
>> [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor],
>> SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=
>> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test,
>> theme=null, informationUrl=null, privacyUrl=null, responseType=null,
>> id=1001, description=null,
>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
>> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>> messageCode=null, text=null),
>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
>> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
>> ticketGrantingTicketExpirationPolicy=null,
>> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
>> evaluationOrder=999,
>> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>> logoutType=BACK_CHANNEL, environments=[],
>> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
>> excludedAttributes=null, includeOnlyAttributes=null, order=0),
>> authorizedToReleaseCredentialPassword=false,
>> authorizedToReleaseProxyGrantingTicket=false,
>> excludeDefaultAttributes=false,
>> authorizedToReleaseAuthenticationAttributes=true,
>> principalIdAttribute=null, order=0),
>> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
>> displayName, givenName, sn, eduPersonScopedAffiliation]),
>> entityAttribute=null, entityAttributeFormat=null,
>> entityAttributeValues=[]),
>> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
>> excludedAttributes=null, includeOnlyAttributes=null, order=0),
>> authorizedToReleaseCredentialPassword=false,
>> authorizedToReleaseProxyGrantingTicket=false,
>> excludeDefaultAttributes=false,
>> authorizedToReleaseAuthenticationAttributes=true,
>> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
>> attribute=uidNumber)], mergingPolicy=replace, order=0),
>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>> failureMode=UNDEFINED, principalAttributeNameTrigger=null,
>> principalAttributeValueToMatch=null, bypassEnabled=false,
>> forceExecution=false, bypassTrustedDeviceEnabled=false,
>> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
>> script=null),
>> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
>> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null,
>> redirectUrl=null,
>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>> permitUndefined=true, exclusive=false), requireAllAttributes=true,
>> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
>> publicKey=null,
>> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>> excludedAuthenticationHandlers=[],
>> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>> properties={}, contacts=[]),
>> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
>> metadataProxyLocation=null, metadataMaxValidity=0,
>> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
>> metadataCriteriaPattern=null,
>> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
>> metadataSignatureLocation=null, logoutResponseBinding=null,
>> requireSignedRoot=true, serviceProviderNameIdQualifier=null,
>> nameIdQualifier=null, metadataExpirationDuration=PT60M,
>> signingCredentialFingerprint=null, issuerEntityId=null,
>> signingKeyAlgorithm=null, signAssertions=false,
>> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
>> skipGeneratingSubjectConfirmationInResponseTo=false,
>> skipGeneratingSubjectConfirmationNotOnOrAfter=false,
>> skipGeneratingSubjectConfirmationRecipient=false,
>> skipGeneratingSubjectConfirmationNotBefore=true,
>> skipGeneratingSubjectConfirmationNameId=true,
>> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
>> signResponses=true, encryptAssertions=false, encryptAttributes=false,
>> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
>> metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
>> metadataCriteriaRemoveRolelessEntityDescriptors=true,
>> signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
>> whiteListBlackListPrecedence=null, attributeNameFormats={},
>> attributeFriendlyNames={}, attributeValueTypes={},
>> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
>> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
>> signingSignatureWhiteListedAlgorithms=[],
>> signingSignatureCanonicalizationAlgorithm=null,
>> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
>> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])),
>> SignatureSigningConfigurationCriterion
>> [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
>> EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
>> cas_1 | DEBUG
>> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
>> Metadata Resolver SamlIdPMetadataResolver
>> https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not
>> contain any EntityDescriptors with the ID:
>> https://login.umcs.pl/cas/idp/metadata
>> cas_1 | DEBUG
>> [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver]
>> Metadata Resolver SamlIdPMetadataResolver
>> https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via
>> EntityIdCriterion: EntityIdCriterion [id=
>> https://login.umcs.pl/cas/idp/metadata]
>> cas_1 | DEBUG
>> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
>> Metadata Resolver SamlIdPMetadataResolver
>> https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty,
>> nothing to filter via predicates
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
>> Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
>> Located metadata root element [EntityDescriptor]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
>> Initializing metadata resolver [SamlIdPMetadataResolver]
>> cas_1 | TRACE
>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver]
>> Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING],
>> EntityRoleCriterion
>> [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor],
>> SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=
>> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test,
>> theme=null, informationUrl=null, privacyUrl=null, responseType=null,
>> id=1001, description=null,
>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
>> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>> messageCode=null, text=null),
>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
>> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null,
>> ticketGrantingTicketExpirationPolicy=null,
>> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null,
>> evaluationOrder=999,
>> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>> logoutType=BACK_CHANNEL, environments=[],
>> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
>> excludedAttributes=null, includeOnlyAttributes=null, order=0),
>> authorizedToReleaseCredentialPassword=false,
>> authorizedToReleaseProxyGrantingTicket=false,
>> excludeDefaultAttributes=false,
>> authorizedToReleaseAuthenticationAttributes=true,
>> principalIdAttribute=null, order=0),
>> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail,
>> displayName, givenName, sn, eduPersonScopedAffiliation]),
>> entityAttribute=null, entityAttributeFormat=null,
>> entityAttributeValues=[]),
>> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED,
>> excludedAttributes=null, includeOnlyAttributes=null, order=0),
>> authorizedToReleaseCredentialPassword=false,
>> authorizedToReleaseProxyGrantingTicket=false,
>> excludeDefaultAttributes=false,
>> authorizedToReleaseAuthenticationAttributes=true,
>> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc,
>> attribute=uidNumber)], mergingPolicy=replace, order=0),
>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>> failureMode=UNDEFINED, principalAttributeNameTrigger=null,
>> principalAttributeValueToMatch=null, bypassEnabled=false,
>> forceExecution=false, bypassTrustedDeviceEnabled=false,
>> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
>> script=null),
>> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
>> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null,
>> redirectUrl=null,
>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>> permitUndefined=true, exclusive=false), requireAllAttributes=true,
>> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false),
>> publicKey=null,
>> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>> excludedAuthenticationHandlers=[],
>> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>> properties={}, contacts=[]),
>> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml,
>> metadataProxyLocation=null, metadataMaxValidity=0,
>> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null,
>> metadataCriteriaPattern=null,
>> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,
>> metadataSignatureLocation=null, logoutResponseBinding=null,
>> requireSignedRoot=true, serviceProviderNameIdQualifier=null,
>> nameIdQualifier=null, metadataExpirationDuration=PT60M,
>> signingCredentialFingerprint=null, issuerEntityId=null,
>> signingKeyAlgorithm=null, signAssertions=false,
>> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false,
>> skipGeneratingSubjectConfirmationInResponseTo=false,
>> skipGeneratingSubjectConfirmationNotOnOrAfter=false,
>> skipGeneratingSubjectConfirmationRecipient=false,
>> skipGeneratingSubjectConfirmationNotBefore=true,
>> skipGeneratingSubjectConfirmationNameId=true,
>> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false,
>> signResponses=true, encryptAssertions=false, encryptAttributes=false,
>> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor,
>> metadataCriteriaRemoveEmptyEntitiesDescriptors=true,
>> metadataCriteriaRemoveRolelessEntityDescriptors=true,
>> signingCredentialType=null, assertionAudiences=null, skewAllowance=0,
>> whiteListBlackListPrecedence=null, attributeNameFormats={},
>> attributeFriendlyNames={}, attributeValueTypes={},
>> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[],
>> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[],
>> signingSignatureWhiteListedAlgorithms=[],
>> signingSignatureCanonicalizationAlgorithm=null,
>> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[],
>> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])),
>> SignatureSigningConfigurationCriterion
>> [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
>> EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
>> cas_1 | DEBUG
>> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
>> Metadata Resolver SamlIdPMetadataResolver
>> https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not
>> contain any EntityDescriptors with the ID:
>> https://login.umcs.pl/cas/idp/metadata
>> cas_1 | DEBUG
>> [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver]
>> Metadata Resolver SamlIdPMetadataResolver
>> https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via
>> EntityIdCriterion: EntityIdCriterion [id=
>> https://login.umcs.pl/cas/idp/metadata]
>> cas_1 | DEBUG
>> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver]
>> Metadata Resolver SamlIdPMetadataResolver
>> https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty,
>> nothing to filter via predicates
>> cas_1 | DEBUG
>> [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver]
>> Resolved no EntityDescriptors via underlying MetadataResolver, returning
>> empty collection
>> cas_1 | ERROR
>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>> Unable to locate any signing credentials for service
>> [aai_pionier_net_pl_test]
>>
>

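Added example, not part of the thread and not CAS project code: a small offline check for the condition discussed above, where the entityID the signer looks up is absent from idp-metadata.xml and no signing credential resolves. The property keys, the example.org values and the sample log line are assumptions or constructed data; point the functions at your own files.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Assumed property keys (newer layout first, then older); adjust to your deployment.
ENTITY_ID_KEYS = ("cas.authn.saml-idp.core.entity-id", "cas.authn.saml-idp.entity-id")
# Matches the MetadataCredentialResolver DEBUG line quoted in the thread.
LOG_RE = re.compile(r"Resolving credentials from metadata using entityID:\s*([^,\s]+)")


def idp_entities(metadata_xml):
    """Map each IdP entityID in the metadata to True if it carries a signing key."""
    found = {}
    for entity in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        idp = entity.find(MD + "IDPSSODescriptor")
        if idp is None:
            continue
        # A KeyDescriptor without a "use" attribute is usable for signing too.
        has_key = any(kd.get("use", "signing") == "signing"
                      for kd in idp.findall(MD + "KeyDescriptor"))
        found[entity.get("entityID")] = has_key
    return found


def configured_entity_id(properties_text):
    """Return the value of the first entity-id property line, or None."""
    for line in properties_text.splitlines():
        m = re.match(r"\s*([^#!\s=:]+)\s*[=:]\s*(.*\S)\s*$", line)
        if m and m.group(1) in ENTITY_ID_KEYS:
            return m.group(2)
    return None


def diagnose(metadata_xml, properties_text, log_text=""):
    """Return a list of human-readable problems; an empty list means consistent."""
    entities = idp_entities(metadata_xml)
    configured = configured_entity_id(properties_text)
    problems = []
    if configured is None:
        problems.append("no entity-id property found in the properties text")
    elif configured not in entities:
        problems.append("configured entityID %s is not an IdP EntityDescriptor in "
                        "the metadata (metadata has: %s)"
                        % (configured, sorted(entities)))
    elif not entities[configured]:
        problems.append("metadata entry %s has no signing KeyDescriptor" % configured)
    # Every entityID the signer actually asked for must exist in the metadata.
    for requested in sorted(set(LOG_RE.findall(log_text))):
        if requested not in entities:
            problems.append("log shows a signing-credential lookup for %s, which "
                            "the metadata does not contain" % requested)
    return problems


# --- constructed sample data (example.org values are placeholders) ---
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://login.example.org/idp">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<KeyDescriptor use="signing"/></IDPSSODescriptor></EntityDescriptor>'
)
SAMPLE_PROPS_BAD = (
    "# constructed cas.properties fragment\n"
    "cas.server.name=https://login.example.org\n"
    "cas.authn.saml-idp.entity-id=https://login.example.org/cas/idp/metadata\n"
)
SAMPLE_PROPS_GOOD = "cas.authn.saml-idp.entity-id=https://login.example.org/idp\n"
SAMPLE_LOG = (
    "DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] Resolving "
    "credentials from metadata using entityID: "
    "https://login.example.org/cas/idp/metadata, role: "
    "{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: null, "
    "usage: SIGNING\n"
)

if __name__ == "__main__":
    for problem in diagnose(SAMPLE_METADATA, SAMPLE_PROPS_BAD, SAMPLE_LOG):
        print("MISMATCH:", problem)
```

Run it against the real idp-metadata.xml, cas.properties and a DEBUG log capture before enabling response signing for a service; an empty result means the three sources agree on the IdP entityID.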