Thanks for replying Ray,

Yes, I have that config and I see crt, keys, and idp-metadata created in it 
that were auto-generated.

Error seems misleading .... it sounds like it is looking for sp metadata 
signing credentials.

-psv

On Thursday, January 6, 2022 at 1:02:30 PM UTC-6 Ray Bon wrote:

> Pablo,
>
> The signing credentials are yours, not the service's. They are not read out 
> of metadata since it requires the key. You set the location with (your cert 
> and key are stored in the same location as metadata):
> cas.authn.saml-idp.metadata.file-system.location=
>
> CAS will generate the metadata and certs on start up; make sure CAS can 
> write to the directory.
>
>
> https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#file-system
>
> Ray
>
> On Wed, 2022-01-05 at 18:38 -0800, Pablo Vidaurri wrote:
>
> Just saw this reply ... 
>
> That did not seem to work. I have my SP metadata with x509 certs embedded. I 
> have my service definition like the following:
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "description": "my super super service",
>   "serviceId" : "^https://my.super.duper.svc.com",   <-- entity id of my sp metadata file
>   "name" : "super_duper",
>   "id" : 20210115134141,
>   "evaluationOrder" : 30,
>   "metadataLocation" : "file:/apps//cas/metadata/super_duper_metadata.xml",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", [ "firstName","lastName"] ]
>   },
>   "signAssertions": true,
>   "signingCredentialType": X509
> }
>
> Still getting error:
> Unable to locate any signing credentials for service [super_duper]
>
> Do I need a separate crt somewhere instead of relying on the embedded cert 
> in the SP metadata?
>  
> On Thursday, August 26, 2021 at 2:11:50 AM UTC-5 Marcin Roman wrote:
>
> The entityID in metadata must match the entityID in CAS properties.  
> Use CAS 6.3.4 or 6.4. I couldn't get it working with other versions.
>
> On Wed, Aug 25, 2021, 9:06 PM Pablo Vidaurri <[email protected]> wrote:
>
> Any solution or workaround for this? Getting the same issue on CAS 6.3.2. 
> The only way to get it to work is if I set my entityId to be the same as 
> the hostname, which will not work in a production env.
>
> On Monday, April 5, 2021 at 3:41:02 AM UTC-5 Marcin Roman wrote:
>
> Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT 
> and 6.4.0-SNAPSHOT.
> It looks like SamlIdPMetadataResolver is provided with the CAS URL instead of 
> the entityId while resolving signing credentials.
>
> cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create 
> SAMLObject for type: [interface org.opensaml.saml.saml2.core.Status] and 
> QName: [{urn:oasis:names:tc:SAML:2.0:protocol}Status]
> cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create 
> SAMLObject for type: [interface org.opensaml.saml.saml2.core.StatusCode] 
> and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode]
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] 
> ********************************************************************************
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] Logging 
> [org.opensaml.saml.saml2.core.impl.ResponseImpl]
> cas_1 | 
> cas_1 | [<?xml version="1.0" encoding="UTF-8"?><saml2p:Response 
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="
> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp" 
> ID="_111942357346883584" 
> InResponseTo="_f23e8fe1993a1a61287f3d30288ee5700f936c0631" 
> IssueInstant="2021-04-05T07:55:18.827Z" Version="2.0">
> cas_1 | <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> https://login.umcs.pl/cas/idp/metadata</saml2:Issuer>
> cas_1 | <saml2p:Status>
> cas_1 | <saml2p:StatusCode 
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> cas_1 | </saml2p:Status>
> cas_1 | <saml2:Assertion 
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> ID="_5878410931315849216" IssueInstant="2021-04-05T07:55:18.753Z" 
> Version="2.0">
> cas_1 | <saml2:Issuer>https://login.umcs.pl/cas/idp/metadata
> </saml2:Issuer>
> cas_1 | <saml2:Subject>
> // DELETED
> cas_1 | </saml2:Assertion>
> cas_1 | </saml2p:Response>
> cas_1 | ]
> cas_1 | 
> cas_1 | 
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] 
> ********************************************************************************
> cas_1 | DEBUG 
> [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder]
>  
> SAML entity id [
> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp] 
> indicates that SAML responses should be signed
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Attempting to encode [org.opensaml.saml.saml2.core.impl.ResponseImpl] for [
> https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp
> ]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Outbound saml object to use is 
> [org.opensaml.saml.saml2.core.impl.ResponseImpl]
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Fetched assertion 
> consumer service url [
> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp] 
> with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from 
> authentication request
> cas_1 | DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] Configured peer 
> entity endpoint to be [
> https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp] 
> with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Default signature signing blocked algorithms: [[
> http://www.w3.org/2001/04/xmldsig-more#hmac-md5, 
> http://www.w3.org/2001/04/xmldsig-more#md5, 
> http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Default signature signing signature algorithms: [[
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, 
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, 
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, 
> http://www.w3.org/2000/09/xmldsig#rsa-sha1, 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, 
> http://www.w3.org/2000/09/xmldsig#dsa-sha1, 
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, 
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, 
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, 
> http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Default signature signing signature canonicalization algorithm: [
> http://www.w3.org/2001/10/xml-exc-c14n#]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Default signature signing allowed algorithms: [[]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Default signature signing reference digest methods: [[
> http://www.w3.org/2001/04/xmlenc#sha256, 
> http://www.w3.org/2001/04/xmldsig-more#sha384, 
> http://www.w3.org/2001/04/xmlenc#sha512, 
> http://www.w3.org/2000/09/xmldsig#sha1]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Finalized signature signing blocked algorithms: [[
> http://www.w3.org/2001/04/xmldsig-more#hmac-md5, 
> http://www.w3.org/2001/04/xmldsig-more#md5, 
> http://www.w3.org/2001/04/xmldsig-more#rsa-md5]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Finalized signature signing signature algorithms: [[
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, 
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, 
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, 
> http://www.w3.org/2000/09/xmldsig#rsa-sha1, 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, 
> http://www.w3.org/2000/09/xmldsig#dsa-sha1, 
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha256, 
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha384, 
> http://www.w3.org/2001/04/xmldsig-more#hmac-sha512, 
> http://www.w3.org/2000/09/xmldsig#hmac-sha1]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Finalized signature signing signature canonicalization algorithm: [
> http://www.w3.org/2001/10/xml-exc-c14n#]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Finalized signature signing allowed algorithms: [[]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Finalized signature signing reference digest methods: [[
> http://www.w3.org/2001/04/xmlenc#sha256, 
> http://www.w3.org/2001/04/xmldsig-more#sha384, 
> http://www.w3.org/2001/04/xmlenc#sha512, 
> http://www.w3.org/2000/09/xmldsig#sha1]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>  
> Metadata directory location for [aai_pionier_net_pl_test] is 
> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
> cas_1 | DEBUG 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Locating signature signing key for 
> [SamlRegisteredService(super=AbstractRegisteredService(serviceId=
> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test, 
> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
> id=1001, description=null, 
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>  
> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>  
> messageCode=null, text=null), 
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, 
> ticketGrantingTicketExpirationPolicy=null, 
> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, 
> evaluationOrder=999, 
> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>  
> logoutType=BACK_CHANNEL, environments=[], 
> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>  
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
> authorizedToReleaseCredentialPassword=false, 
> authorizedToReleaseProxyGrantingTicket=false, 
> excludeDefaultAttributes=false, 
> authorizedToReleaseAuthenticationAttributes=true, 
> principalIdAttribute=null, order=0), 
> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, 
> displayName, givenName, sn, eduPersonScopedAffiliation]), 
> entityAttribute=null, entityAttributeFormat=null, 
> entityAttributeValues=[]), 
> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>  
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
> authorizedToReleaseCredentialPassword=false, 
> authorizedToReleaseProxyGrantingTicket=false, 
> excludeDefaultAttributes=false, 
> authorizedToReleaseAuthenticationAttributes=true, 
> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc, 
> attribute=uidNumber)], mergingPolicy=replace, order=0), 
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>  
> failureMode=UNDEFINED, principalAttributeNameTrigger=null, 
> principalAttributeValueToMatch=null, bypassEnabled=false, 
> forceExecution=false, bypassTrustedDeviceEnabled=false, 
> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
> script=null), 
> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null, 
> redirectUrl=null, 
> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>  
> permitUndefined=true, exclusive=false), requireAllAttributes=true, 
> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), 
> publicKey=null, 
> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>  
> excludedAuthenticationHandlers=[], 
> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>  
> properties={}, contacts=[]), 
> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
> metadataProxyLocation=null, metadataMaxValidity=0, 
> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, 
> metadataCriteriaPattern=null, 
> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, 
> metadataSignatureLocation=null, logoutResponseBinding=null, 
> requireSignedRoot=true, serviceProviderNameIdQualifier=null, 
> nameIdQualifier=null, metadataExpirationDuration=PT60M, 
> signingCredentialFingerprint=null, issuerEntityId=null, 
> signingKeyAlgorithm=null, signAssertions=false, 
> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, 
> skipGeneratingSubjectConfirmationInResponseTo=false, 
> skipGeneratingSubjectConfirmationNotOnOrAfter=false, 
> skipGeneratingSubjectConfirmationRecipient=false, 
> skipGeneratingSubjectConfirmationNotBefore=true, 
> skipGeneratingSubjectConfirmationNameId=true, 
> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, 
> signResponses=true, encryptAssertions=false, encryptAttributes=false, 
> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, 
> metadataCriteriaRemoveEmptyEntitiesDescriptors=true, 
> metadataCriteriaRemoveRolelessEntityDescriptors=true, 
> signingCredentialType=null, assertionAudiences=null, skewAllowance=0, 
> whiteListBlackListPrecedence=null, attributeNameFormats={}, 
> attributeFriendlyNames={}, attributeValueTypes={}, 
> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[], 
> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[], 
> signingSignatureWhiteListedAlgorithms=[], 
> signingSignatureCanonicalizationAlgorithm=null, 
> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[], 
> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])] 
> using algorithm [RSA]
> cas_1 | DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver] 
> Resolving credentials from metadata using entityID: 
> https://login.umcs.pl/cas/idp/metadata, role: 
> {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor, protocol: null, 
> usage: SIGNING
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>  
> Metadata directory location for [aai_pionier_net_pl_test] is 
> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator]
>  
> Metadata directory location for [aai_pionier_net_pl_test] is 
> [/etc/cas/saml/aai_pionier_net_pl_test-1001]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
> Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
> Located metadata root element [EntityDescriptor]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
> Initializing metadata resolver [SamlIdPMetadataResolver]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
> Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING], 
> EntityRoleCriterion 
> [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor], 
> SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=
> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test, 
> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
> id=1001, description=null, 
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>  
> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>  
> messageCode=null, text=null), 
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, 
> ticketGrantingTicketExpirationPolicy=null, 
> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, 
> evaluationOrder=999, 
> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>  
> logoutType=BACK_CHANNEL, environments=[], 
> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>  
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
> authorizedToReleaseCredentialPassword=false, 
> authorizedToReleaseProxyGrantingTicket=false, 
> excludeDefaultAttributes=false, 
> authorizedToReleaseAuthenticationAttributes=true, 
> principalIdAttribute=null, order=0), 
> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, 
> displayName, givenName, sn, eduPersonScopedAffiliation]), 
> entityAttribute=null, entityAttributeFormat=null, 
> entityAttributeValues=[]), 
> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>  
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
> authorizedToReleaseCredentialPassword=false, 
> authorizedToReleaseProxyGrantingTicket=false, 
> excludeDefaultAttributes=false, 
> authorizedToReleaseAuthenticationAttributes=true, 
> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc, 
> attribute=uidNumber)], mergingPolicy=replace, order=0), 
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>  
> failureMode=UNDEFINED, principalAttributeNameTrigger=null, 
> principalAttributeValueToMatch=null, bypassEnabled=false, 
> forceExecution=false, bypassTrustedDeviceEnabled=false, 
> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
> script=null), 
> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null, 
> redirectUrl=null, 
> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>  
> permitUndefined=true, exclusive=false), requireAllAttributes=true, 
> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), 
> publicKey=null, 
> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>  
> excludedAuthenticationHandlers=[], 
> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>  
> properties={}, contacts=[]), 
> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
> metadataProxyLocation=null, metadataMaxValidity=0, 
> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, 
> metadataCriteriaPattern=null, 
> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, 
> metadataSignatureLocation=null, logoutResponseBinding=null, 
> requireSignedRoot=true, serviceProviderNameIdQualifier=null, 
> nameIdQualifier=null, metadataExpirationDuration=PT60M, 
> signingCredentialFingerprint=null, issuerEntityId=null, 
> signingKeyAlgorithm=null, signAssertions=false, 
> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, 
> skipGeneratingSubjectConfirmationInResponseTo=false, 
> skipGeneratingSubjectConfirmationNotOnOrAfter=false, 
> skipGeneratingSubjectConfirmationRecipient=false, 
> skipGeneratingSubjectConfirmationNotBefore=true, 
> skipGeneratingSubjectConfirmationNameId=true, 
> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, 
> signResponses=true, encryptAssertions=false, encryptAttributes=false, 
> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, 
> metadataCriteriaRemoveEmptyEntitiesDescriptors=true, 
> metadataCriteriaRemoveRolelessEntityDescriptors=true, 
> signingCredentialType=null, assertionAudiences=null, skewAllowance=0, 
> whiteListBlackListPrecedence=null, attributeNameFormats={}, 
> attributeFriendlyNames={}, attributeValueTypes={}, 
> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[], 
> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[], 
> signingSignatureWhiteListedAlgorithms=[], 
> signingSignatureCanonicalizationAlgorithm=null, 
> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[], 
> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])), 
> SignatureSigningConfigurationCriterion 
> [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
>  
> EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
> cas_1 | DEBUG 
> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] 
> Metadata Resolver SamlIdPMetadataResolver 
> https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not 
> contain any EntityDescriptors with the ID: 
> https://login.umcs.pl/cas/idp/metadata
> cas_1 | DEBUG 
> [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver] 
> Metadata Resolver SamlIdPMetadataResolver 
> https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via 
> EntityIdCriterion: EntityIdCriterion [id=
> https://login.umcs.pl/cas/idp/metadata]
> cas_1 | DEBUG 
> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] 
> Metadata Resolver SamlIdPMetadataResolver 
> https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty, 
> nothing to filter via predicates
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
> Resolved metadata resource is [file [/etc/cas/saml/idp-metadata.xml]]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
> Located metadata root element [EntityDescriptor]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
> Initializing metadata resolver [SamlIdPMetadataResolver]
> cas_1 | TRACE 
> [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] 
> Resolving metadata for criteria [[UsageCriterion [credUsage=SIGNING], 
> EntityRoleCriterion 
> [role={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor], 
> SamlIdPSamlRegisteredServiceCriterion(registeredService=SamlRegisteredService(super=AbstractRegisteredService(serviceId=
> https://aai\.pionier\.net\.pl/test/.*, name=aai_pionier_net_pl_test, 
> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
> id=1001, description=null, 
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>  
> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
> acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(enabled=true,
>  
> messageCode=null, text=null), 
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
> proxyTicketExpirationPolicy=null, proxyGrantingTicketExpirationPolicy=null, 
> ticketGrantingTicketExpirationPolicy=null, 
> serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, 
> evaluationOrder=999, 
> usernameAttributeProvider=org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider@9d20af0c,
>  
> logoutType=BACK_CHANNEL, environments=[], 
> attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[MetadataEntityAttributesAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>  
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
> authorizedToReleaseCredentialPassword=false, 
> authorizedToReleaseProxyGrantingTicket=false, 
> excludeDefaultAttributes=false, 
> authorizedToReleaseAuthenticationAttributes=true, 
> principalIdAttribute=null, order=0), 
> allowedAttributes=[eduPersonPrincipalName, eduPersonTargetedID, mail, 
> displayName, givenName, sn, eduPersonScopedAffiliation]), 
> entityAttribute=null, entityAttributeFormat=null, 
> entityAttributeValues=[]), 
> EduPersonTargetedIdAttributeReleasePolicy(super=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>  
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(status=UNDEFINED, 
> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
> authorizedToReleaseCredentialPassword=false, 
> authorizedToReleaseProxyGrantingTicket=false, 
> excludeDefaultAttributes=false, 
> authorizedToReleaseAuthenticationAttributes=true, 
> principalIdAttribute=null, order=0), allowedAttributes=[]), salt=abc, 
> attribute=uidNumber)], mergingPolicy=replace, order=0), 
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>  
> failureMode=UNDEFINED, principalAttributeNameTrigger=null, 
> principalAttributeValueToMatch=null, bypassEnabled=false, 
> forceExecution=false, bypassTrustedDeviceEnabled=false, 
> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
> script=null), 
> matchingStrategy=FullRegexRegisteredServiceMatchingStrategy(servicePattern=
> https://aai\.pionier\.net\.pl/test/.*), logo=null, logoutUrl=null, 
> redirectUrl=null, 
> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
>  
> permitUndefined=true, exclusive=false), requireAllAttributes=true, 
> requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), 
> publicKey=null, 
> authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[],
>  
> excludedAuthenticationHandlers=[], 
> criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false)),
>  
> properties={}, contacts=[]), 
> metadataLocation=/etc/cas/metadata/aai.pionier.net.pl.xml, 
> metadataProxyLocation=null, metadataMaxValidity=0, 
> requiredAuthenticationContextClass=null, metadataCriteriaDirection=null, 
> metadataCriteriaPattern=null, 
> requiredNameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, 
> metadataSignatureLocation=null, logoutResponseBinding=null, 
> requireSignedRoot=true, serviceProviderNameIdQualifier=null, 
> nameIdQualifier=null, metadataExpirationDuration=PT60M, 
> signingCredentialFingerprint=null, issuerEntityId=null, 
> signingKeyAlgorithm=null, signAssertions=false, 
> signUnsolicitedAuthnRequest=false, skipGeneratingAssertionNameId=false, 
> skipGeneratingSubjectConfirmationInResponseTo=false, 
> skipGeneratingSubjectConfirmationNotOnOrAfter=false, 
> skipGeneratingSubjectConfirmationRecipient=false, 
> skipGeneratingSubjectConfirmationNotBefore=true, 
> skipGeneratingSubjectConfirmationNameId=true, 
> skipGeneratingNameIdQualifiers=false, skipGeneratingTransientNameId=false, 
> signResponses=true, encryptAssertions=false, encryptAttributes=false, 
> encryptionOptional=false, metadataCriteriaRoles=SPSSODescriptor, 
> metadataCriteriaRemoveEmptyEntitiesDescriptors=true, 
> metadataCriteriaRemoveRolelessEntityDescriptors=true, 
> signingCredentialType=null, assertionAudiences=null, skewAllowance=0, 
> whiteListBlackListPrecedence=null, attributeNameFormats={}, 
> attributeFriendlyNames={}, attributeValueTypes={}, 
> encryptableAttributes=[], signingSignatureReferenceDigestMethods=[], 
> signingSignatureAlgorithms=[], signingSignatureBlackListedAlgorithms=[], 
> signingSignatureWhiteListedAlgorithms=[], 
> signingSignatureCanonicalizationAlgorithm=null, 
> encryptionDataAlgorithms=[], encryptionKeyAlgorithms=[], 
> encryptionBlackListedAlgorithms=[], encryptionWhiteListedAlgorithms=[])), 
> SignatureSigningConfigurationCriterion 
> [configs=[org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration@3df6e0b2]],
>  
> EntityIdCriterion [id=https://login.umcs.pl/cas/idp/metadata]]]
> cas_1 | DEBUG 
> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] 
> Metadata Resolver SamlIdPMetadataResolver 
> https://login.umcs.pl/cas/idp/metadata: Metadata backing store does not 
> contain any EntityDescriptors with the ID: 
> https://login.umcs.pl/cas/idp/metadata
> cas_1 | DEBUG 
> [org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver] 
> Metadata Resolver SamlIdPMetadataResolver 
> https://login.umcs.pl/cas/idp/metadata: Resolved 0 candidates via 
> EntityIdCriterion: EntityIdCriterion [id=
> https://login.umcs.pl/cas/idp/metadata]
> cas_1 | DEBUG 
> [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] 
> Metadata Resolver SamlIdPMetadataResolver 
> https://login.umcs.pl/cas/idp/metadata: Candidates iteration was empty, 
> nothing to filter via predicates
> cas_1 | DEBUG 
> [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver] 
> Resolved no EntityDescriptors via underlying MetadataResolver, returning 
> empty collection
> cas_1 | ERROR 
> [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner]
>  
> Unable to locate any signing credentials for service 
> [aai_pionier_net_pl_test]
>
>
>
>
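
The trace above shows the signing-credential lookup filtering the IdP metadata by three criteria (EntityIdCriterion, an IDPSSODescriptor role, and SIGNING usage) and finding no EntityDescriptor with the requested ID. The following check applies the same three criteria offline; it is an added example, not part of the original thread and not CAS or OpenSAML code. The function name, the `sso.example.org` entity IDs and the placeholder certificates are constructed for illustration.

```python
"""Offline check: would a lookup by entityID find IdP signing keys in this metadata?"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample, shaped like an IdP metadata file. Its entityID deliberately
# differs from the ".../cas/idp/metadata" style ID that the lookup asks for.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://sso.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_signing_lookup(metadata_xml, lookup_entity_id):
    """Apply the criteria seen in the trace: entityID, IDPSSODescriptor role, SIGNING usage.

    Returns (status, detail). On failure, detail lists the entityIDs that the
    metadata actually declares, so a mismatch is visible at a glance.
    """
    root = ET.fromstring(metadata_xml)
    # The root may be a single EntityDescriptor or an EntitiesDescriptor wrapper;
    # iter() also yields the root element itself when it matches.
    entities = list(root.iter(f"{{{MD}}}EntityDescriptor"))
    declared_ids = [e.get("entityID") for e in entities]

    # Entity IDs are compared as exact strings: no URL normalisation, no case folding.
    matches = [e for e in entities if e.get("entityID") == lookup_entity_id]
    if not matches:
        return ("entity-id-mismatch", declared_ids)

    roles = [r for e in matches for r in e.findall(f"{{{MD}}}IDPSSODescriptor")]
    if not roles:
        return ("no-idp-role", declared_ids)

    certs = []
    for role in roles:
        for kd in role.findall(f"{{{MD}}}KeyDescriptor"):
            # A KeyDescriptor without a "use" attribute serves signing and encryption.
            if kd.get("use") in (None, "signing"):
                certs += [c.text.strip()
                          for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text]
    if not certs:
        return ("no-signing-key", declared_ids)
    return ("ok", certs)


if __name__ == "__main__":
    for eid in ("https://sso.example.org/cas/idp/metadata",
                "https://sso.example.org/idp"):
        print(eid, "->", check_idp_signing_lookup(SAMPLE_METADATA, eid))
```

To use it on a real deployment, pass the contents of the generated idp-metadata.xml and the Issuer value from the logged SAML response as the lookup ID.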
