Just saw this reply ...

That did not seem to work. I have my sp metadata with x509 certs embedded. I 
have my service definition like the following:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "description": "my super super service",
  "serviceId" : "^https://my.super.duper.svc.com",   <-- entity id of my sp metadata file
  "name" : "super_duper",
  "id" : 20210115134141,
  "evaluationOrder" : 30,
  "metadataLocation" : "file:/apps//cas/metadata/super_duper_metadata.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName","lastName"] ]
  },
  "signAssertions": true,
  "signingCredentialType": X509
}

Still getting error:
Unable to locate any signing credentials for service [super_duper]

Do I need a separate crt somewhere instead of relying on the embedded cert 
in the sp metadata?
 
On Thursday, August 26, 2021 at 2:11:50 AM UTC-5 Marcin Roman wrote:

> Entityid in metadata must match entityid in cas properties. 
> Use cas 6.3.4 or 6.4. I couldn't get it working with other versions
>
> On Wed, Aug 25, 2021, 9:06 PM Pablo Vidaurri <[email protected]> wrote:
>
>> Any solution or work around for this? Getting the same issue on CAS 
>> 6.3.2. Only way to get it to work is if I set my entityId to be same as 
>> hostname which will not work in a production env.
>>
>> On Monday, April 5, 2021 at 3:41:02 AM UTC-5 Marcin Roman wrote:
>>
>>> Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT 
>>> and 6.4.0-SNAPSHOT.
>>> It looks like SamlIdPMetadataResolver is provided with cas url instead 
>>> of entityId while resolving signing credentials.
>>>
>>> cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to 
>>> create SAMLObject for type: [interface org.opensaml.saml.saml2.core.Status] 
>>> and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}Status]
>>> cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to 
>>> create SAMLObject for type: [interface 
>>> org.opensaml.saml.saml2.core.StatusCode] and QName: 
>>> [{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode]
>>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] 
>>> ********************************************************************************
>>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] Logging 
>>> [org.opensaml.saml.saml2.core.impl.ResponseImpl]
>>> cas_1 | 
>>> cas_1 | [<?xml version="1.0" encoding="UTF-8"?><saml2p:Response 
>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="
>>> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp"
>>>  
>>> ID="_111942357346883584" 
>>> InResponseTo="_f23e8fe1993a1a61287f3d30288ee5700f936c0631" 
>>> IssueInstant="2021-04-05T07:55:18.827Z" Version="2.0">
>>> cas_1 | <saml2:Issuer 
>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>>> https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
>>> cas_1 | <saml2p:Status>
>>> cas_1 | <saml2p:StatusCode 
>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>>> cas_1 | </saml2p:Status>
>>> cas_1 | <saml2:Assertion 
>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
>>> ID="_5878410931315849216" IssueInstant="2021-04-05T07:55:18.753Z" 
>>> Version="2.0">
>>> cas_1 | <saml2:Issuer>https://login.umcs.pl/cas/idp/metadata
>>> </saml2:Issuer>
>>> cas_1 | <saml2:Subject>
>>> // DELETED
>>> cas_1 | </saml2:Assertion>
>>> cas_1 | </saml2p:Response>
>>> cas_1 | ]
>>> cas_1 | 
>>> cas_1 | 
>>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] 
>>> ********************************************************************************
>>> cas_1 | DEBUG 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder]
>>>  
>>> SAML entity id [
>>> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp] 
>>> indicates that SAML responses should be signed
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Attempting to encode [org.opensaml.saml.saml2.core.impl.ResponseImpl] for [
>>> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp
>>> ]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Outbound saml object to use is 
>>> [org.opensaml.saml.saml2.core.impl.ResponseImpl]
>>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Fetched 
>>> assertion consumer service url [
>>> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp]
>>>  
>>> with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from 
>>> authentication request
>>> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Configured peer 
>>> entity endpoint to be [
>>> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp]
>>>  
>>> with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Default signature signing blocked algorithms: [[
>>> http://www.w3.org/2001/04/xmldsig-more#hmac-md5, 
>>> http://www.w3.org/2001/04/xmldsig-more#md5, 
>>> http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Default signature signing signature algorithms: [[
>>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, 
>>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, 
>>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, 
>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1, 
>>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, 
>>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, 
>>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, 
>>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, 
>>> http://www.w3.org/2000/09/xmldsig#dsa-sha1, 
>>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, 
>>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, 
>>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, 
>>> http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Default signature signing signature canonicalization algorithm: [
>>> http://www.w3.org/2001/10/xml-exc-c14n#]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Default signature signing allowed algorithms: [[]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Default signature signing reference digest methods: [[
>>> http://www.w3.org/2001/04/xmlenc#sha256, 
>>> http://www.w3.org/2001/04/xmldsig-more#sha384, 
>>> http://www.w3.org/2001/04/xmlenc#sha512, 
>>> http://www.w3.org/2000/09/xmldsig#sha1]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Finalized signature signing blocked algorithms: [[
>>> http://www.w3.org/2001/04/xmldsig-more#hmac-md5, 
>>> http://www.w3.org/2001/04/xmldsig-more#md5, 
>>> http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Finalized signature signing signature algorithms: [[
>>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, 
>>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, 
>>> http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, 
>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1, 
>>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, 
>>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, 
>>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, 
>>> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, 
>>> http://www.w3.org/2000/09/xmldsig#dsa-sha1, 
>>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, 
>>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, 
>>> http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, 
>>> http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Finalized signature signing signature canonicalization algorithm: [
>>> http://www.w3.org/2001/10/xml-exc-c14n#]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Finalized signature signing allowed algorithms: [[]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Finalized signature signing reference digest methods: [[
>>> http://www.w3.org/2001/04/xmlenc#sha256, 
>>> http://www.w3.org/2001/04/xmldsig-more#sha384, 
>>> http://www.w3.org/2001/04/xmlenc#sha512, 
>>> http://www.w3.org/2000/09/xmldsig#sha1]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>>>  
>>> Metadata directory location for [aai_pionier_net_pl_test] is 
>>> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
>>> cas_1 | DEBUG 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Locating signature signing key for 
>>> [SamlRegisteredService(super=AbstractRegisteredService(serviceId=
>>> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test, 
>>> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
>>> id=1001, description=null, 
>>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>>>  
>>> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
>>> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>>>  
>>> messageCode=null, text=null), 
>>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
>>> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, 
>>> ticketGrantingTicketExpirationPolicy=null, 
>>> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, 
>>> evaluationOrder=999, 
>>> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>>>  
>>> logoutType=BACK_CHANNEL, environments=[], 
>>> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>>  
>>> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
>>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
>>> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
>>> authorizedToReleaseCredentialPassword=false, 
>>> authorizedToReleaseProxyGrantingTicket=false, 
>>> excludeDefaultAttributes=false, 
>>> authorizedToReleaseAuthenticationAttributes=true, 
>>> principalIdAttribute=null, order=0), 
>>> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, 
>>> displayName, givenName, sn, eduPersonScopedAffiliation]), 
>>> entityAttribute=null, entityAttributeFormat=null, 
>>> entityAttributeValues=[]), 
>>> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>>  
>>> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
>>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
>>> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
>>> authorizedToReleaseCredentialPassword=false, 
>>> authorizedToReleaseProxyGrantingTicket=false, 
>>> excludeDefaultAttributes=false, 
>>> authorizedToReleaseAuthenticationAttributes=true, 
>>> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc, 
>>> attribute=uidNumber)], mergingPolicy=replace, order=0), 
>>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>>>  
>>> failureMode=UNDEFINED, principalAttributeNameTrigger=null, 
>>> principalAttributeValueToMatch=null, bypassEnabled=false, 
>>> forceExecution=false, bypassTrustedDeviceEnabled=false, 
>>> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
>>> script=null), 
>>> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
>>> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null, 
>>> redirectUrl=null, 
>>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
>>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
>>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>>>  
>>> permitUndefined=true, exclusive=false), requireAllAttributes=true, 
>>> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), 
>>> publicKey=null, 
>>> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>>>  
>>> excludedAuthenticationHandlers=[], 
>>> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>>>  
>>> properties={}, contacts=[]), 
>>> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
>>> metadataProxyLocation=null, metadataMaxValidity=0, 
>>> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, 
>>> metadataCriteriaPattern=null, 
>>> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, 
>>> metadataSignatureLocation=null, logoutResponseBinding=null, 
>>> requireSignedRoot=true, serviceProviderNameIdQualifier=null, 
>>> nameIdQualifier=null, metadataExpirationDuration=PT60M, 
>>> signingCredentialFingerprint=null, issuerEntityId=null, 
>>> signingKeyAlgorithm=null, signAssertions=false, 
>>> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, 
>>> skipGeneratingSubjectConfirmationInResponseTo=false, 
>>> skipGeneratingSubjectConfirmationNotOnOrAfter=false, 
>>> skipGeneratingSubjectConfirmationRecipient=false, 
>>> skipGeneratingSubjectConfirmationNotBefore=true, 
>>> skipGeneratingSubjectConfirmationNameId=true, 
>>> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, 
>>> signResponses=true, encryptAssertions=false, encryptAttributes=false, 
>>> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, 
>>> metadataCriteriaRemoveEmptyEntitiesDescriptors=true, 
>>> metadataCriteriaRemoveRolelessEntityDescriptors=true, 
>>> signingCredentialType=null, assertionAudiences=null, skewAllowance=0, 
>>> whiteListBlackListPrecedence=null, attributeNameFormats={}, 
>>> attributeFriendlyNames={}, attributeValueTypes={}, 
>>> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[], 
>>> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[], 
>>> signingSignatureWhiteListedAlgorithms=[], 
>>> signingSignatureCanonicalizationAlgorithm=null, 
>>> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[], 
>>> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])] 
>>> using algorithm [RSA]
>>> cas_1 | DEBUG 
>>> [org.opensaml.saml.security.impl.MetadataCredentialResolver] Resolving 
>>> credentials from metadata using entityID: 
>>> https://login.umcs.pl/cas/idp/metadata, role: 
>>> {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: null, 
>>> usage: SIGNING
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>>>  
>>> Metadata directory location for [aai_pionier_net_pl_test] is 
>>> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>>>  
>>> Metadata directory location for [aai_pionier_net_pl_test] is 
>>> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
>>> Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
>>> Located metadata root element [EntityDescriptor]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
>>> Initializing metadata resolver [SamlIdPMetadataResolver]
>>> cas_1 | TRACE 
>>> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
>>> Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING], 
>>> EntityRoleCriterion 
>>> [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor], 
>>> SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=
>>> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test, 
>>> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
>>> id=1001, description=null, 
>>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>>>  
>>> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
>>> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>>>  
>>> messageCode=null, text=null), 
>>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
>>> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, 
>>> ticketGrantingTicketExpirationPolicy=null, 
>>> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, 
>>> evaluationOrder=999, 
>>> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>>>  
>>> logoutType=BACK_CHANNEL, environments=[], 
>>> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>>  
>>> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
>>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
>>> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
>>> authorizedToReleaseCredentialPassword=false, 
>>> authorizedToReleaseProxyGrantingTicket=false, 
>>> excludeDefaultAttributes=false, 
>>> authorizedToReleaseAuthenticationAttributes=true, 
>>> principalIdAttribute=null, order=0), 
>>> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, 
>>> displayName, givenName, sn, eduPersonScopedAffiliation]), 
>>> entityAttribute=null, entityAttributeFormat=null, 
>>> entityAttributeValues=[]), 
>>> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>>  
>>> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
>>> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
>>> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
>>> authorizedToReleaseCredentialPassword=false, 
>>> authorizedToReleaseProxyGrantingTicket=false, 
>>> excludeDefaultAttributes=false, 
>>> authorizedToReleaseAuthenticationAttributes=true, 
>>> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc, 
>>> attribute=uidNumber)], mergingPolicy=replace, order=0), 
>>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>>>  
>>> failureMode=UNDEFINED, principalAttributeNameTrigger=null, 
>>> principalAttributeValueToMatch=null, bypassEnabled=false, 
>>> forceExecution=false, bypassTrustedDeviceEnabled=false, 
>>> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
>>> script=null), 
>>> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
>>> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null, 
>>> redirectUrl=null, 
>>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
>>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
>>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>>>  
>>> permitUndefined=true, exclusive=false), requireAllAttributes=true, 
>>> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), 
>>> publicKey=null, 
>>> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>>>  
>>> excludedAuthenticationHandlers=[], 
>>> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>>>  
>>> properties={}, contacts=[]), 
>>> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
>>> metadataProxyLocation=null, metadataMaxValidity=0, 
>>> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, 
>>> metadataCriteriaPattern=null, 
>>> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, 
>>> metadataSignatureLocation=null, logoutResponseBinding=null, 
>>> requireSignedRoot=true, serviceProviderNameIdQualifier=null, 
>>> nameIdQualifier=null, metadataExpirationDuration=PT60M, 
>>> signingCredentialFingerprint=null, issuerEntityId=null, 
>>> signingKeyAlgorithm=null, signAssertions=false, 
>>> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, 
>>> skipGeneratingSubjectConfirmationInResponseTo=false, 
>>> skipGeneratingSubjectConfirmationNotOnOrAfter=false, 
>>> skipGeneratingSubjectConfirmationRecipient=false, 
>>> skipGeneratingSubjectConfirmationNotBefore=true, 
>>> skipGeneratingSubjectConfirmationNameId=true, 
>>> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, 
>>> signResponses=true, encryptAssertions=false, encryptAttributes=false, 
>>> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, 
>>> metadataCriteriaRemoveEmptyEntitiesDescriptors=true, 
>>> metadataCriteriaRemoveRolelessEntityDescriptors=true, 
>>> signingCredentialType=null, assertionAudiences=null, skewAllowance=0, 
>>> whiteListBlackListPrecedence=null, attributeNameFormats={}, 
>>> attributeFriendlyNames={}, attributeValueTypes={}, 
>>> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[], 
>>> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[], 
>>> signingSignatureWhiteListedAlgorithms=[], 
>>> signingSignatureCanonicalizationAlgorithm=null, 
>>> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[], 
>>> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])), 
>>> SignatureSigningConfigurationCriterion 
>>> [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
>>>  
>>> EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
>>> cas_1 | DEBUG 
>>> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] 
>>> Metadata Resolver SamlIdPMetadataResolver 
>>> https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not 
>>> contain any EntityDescriptors with the ID: 
>>> https://login.umcs.pl/cas/idp/metadata
>>> cas_1 | DEBUG 
>>> [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver] 
>>> Metadata Resolver SamlIdPMetadataResolver 
>>> https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via 
>>> EntityIdCriterion: EntityIdCriterion [id=
>>> https://login.umcs.pl/cas/idp/metadata]
>>> cas_1 | DEBUG 
>>> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] 
>>> Metadata Resolver SamlIdPMetadataResolver 
>>> https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty, 
>>> nothing to filter via predicates
>>> cas_1 | DEBUG 
>>> [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] 
>>> Resolved no EntityDescriptors via underlying MetadataResolver, returning 
>>> empty collection
>>> cas_1 | ERROR 
>>> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>>>  
>>> Unable to locate any signing credentials for service 
>>> [aai_pionier_net_pl_test]
>>>
>>

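The log quoted in this thread shows the resolver applying three criteria to the IdP metadata file (an entity ID, the IDPSSODescriptor role, and SIGNING usage) and getting zero candidates for the entity ID. The script below is an added example, not CAS or OpenSAML code and not from any poster in the thread; it repeats those three checks offline against a metadata document so you can see which one fails. The sample metadata, the example.org entity IDs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (certificate bodies are placeholders).
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _normalize(entity_id):
    """Loose form used only to hint at near misses; real matching is exact."""
    return entity_id.strip().rstrip("/").lower()


def diagnose(metadata_xml, lookup_entity_id, role="IDPSSODescriptor"):
    """Apply the entity ID, role and signing-usage checks in order.

    Returns a dict whose "status" is one of:
    "ok", "no-entity-match", "no-role", "no-signing-key".
    """
    root = ET.fromstring(metadata_xml)
    # iter() also yields the root, so this handles a single EntityDescriptor
    # as well as an EntitiesDescriptor wrapping several.
    entities = list(root.iter(f"{{{MD}}}EntityDescriptor"))
    ids = [e.get("entityID") for e in entities if e.get("entityID")]
    result = {"status": "ok", "entity_ids": ids,
              "near_matches": [], "signing_keys": 0}

    # 1. Entity ID: exact string comparison, as in the EntityIdCriterion lookup.
    matches = [e for e in entities if e.get("entityID") == lookup_entity_id]
    if not matches:
        result["status"] = "no-entity-match"
        wanted = _normalize(lookup_entity_id)
        result["near_matches"] = [i for i in ids if _normalize(i) == wanted]
        return result

    # 2. Role: the entity must carry the requested role descriptor.
    roles = matches[0].findall(f"md:{role}", NS)
    if not roles:
        result["status"] = "no-role"
        return result

    # 3. Usage: a KeyDescriptor with no "use" attribute serves both
    #    signing and encryption, so it counts as a signing key.
    keys = [k for r in roles for k in r.findall("md:KeyDescriptor", NS)
            if k.get("use") in (None, "signing")]
    result["signing_keys"] = len(keys)
    if not keys:
        result["status"] = "no-signing-key"
    return result


if __name__ == "__main__":
    # Constructed lookup value that differs from the entityID in the file,
    # which is the failure shape reported in the log above.
    report = diagnose(SAMPLE_IDP_METADATA,
                      "https://idp.example.org/cas/idp/metadata")
    print(report["status"], "- file contains:", report["entity_ids"])
```

A "no-entity-match" result with the file's entity IDs printed next to the lookup value corresponds to the "Resolved 0 candidates via EntityIdCriterion" line in the log.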