Agustín,

Cas needs access to your certificates as well.
My certificates are in the same directory as the metadata. They are
idp-signing.crt
idp-signing.key
idp-encryption.crt
idp-encryption.key

Cas creates them when it creates metadata.
I assume that 'My Signing Cert' is a stand-in for the actual cert. Just make 
sure it matches the file above.

I could not find anything in the docs to change the location of the 
certificates. I would prefer to have my keys in a different directory.

Ray

On Tue, 2022-02-01 at 07:34 -0800, Agustín Ezequiel Pereyra wrote:

Hello,

When I configure Apereo CAS version 6.4.5 to act as an IdP for the SAML2 
protocol, I get a weird error. If I don't create the directory /etc/cas/saml, 
and leave CAS free to handle the creation of the idp-metadata.xml file, it 
works fine. But if I try to use my own idp-metadata.xml file, and put it at 
/etc/cas/saml, I get the error:

2022-02-01 11:59:29,715 ERROR 
[org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner]
 - <Unable to locate any signing credentials for service [Mi cool service]>

I have verified my metadata file with this site: 
https://www.samltool.com/validate_xml.php, and seems to be correct. I put it 
down here in case it is useful, changing sensible names and that stuff:


<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" 
validUntil="2021-12-30T15:55:49Z" cacheDuration="PT1641311749S" 
entityID="http://mycas.com/cas/idp/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" 
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">My Site</mdui:DisplayName>
        <mdui:Description xml:lang="en">The identity provider at My 
Site</mdui:Description>
        <mdui:Logo height="32" width="32" 
xml:lang="en">https://logo_url</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>My Signing Cert</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>My Encryption Cert</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="http://mycas.com/cas/idp/profile/SAML2/POST/SLO"/>
    <md:SingleLogoutService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
Location="http://mycas.com/cas/logout"/>
    
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="http://mycas.com/cas/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
Location="http://mycas.com/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
Location="http://mycas.com/cas/idp/profile/SAML2/SOAP/ECP"/>
    <md:SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
Location="http://mycas.com/cas/login"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">Organization 
Name</md:OrganizationName>
    <md:OrganizationDisplayName 
xml:lang="en-US">Name</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">https://mysite.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="administrative">
    <md:GivenName>Some Guy</md:GivenName>
    <md:EmailAddress>mailto:[email protected]</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Other Guy</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>Another One</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

Do you have any idea of what could be the problem?

Thanks


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]<mailto:[email protected]>

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.
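Ray's advice is that the certificate embedded in the signing KeyDescriptor must match the idp-signing.crt file next to the metadata. The script below is an added example (not CAS code and not part of this thread) that automates that check: it extracts the base64 certificate from each KeyDescriptor in an IdP metadata file, compares it with the PEM file on disk, and also reports whether the metadata's validUntil has already passed. The file names follow the thread; the metadata and "certificates" embedded here are constructed placeholders, not real DER, so the comparison logic is what is being demonstrated.

```python
"""Consistency check for a CAS SAML2 IdP metadata file against the PEM files
CAS generated beside it (idp-signing.crt, idp-encryption.crt).

Added example, not CAS code. The sample metadata and PEM bodies below are
constructed placeholders (base64 of plain text), not real certificates.
"""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pem_body(pem_text: str) -> str:
    """Return the base64 payload of a PEM CERTIFICATE block, whitespace removed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return re.sub(r"\s+", "", m.group(1))


def metadata_certs(metadata_xml: str) -> dict:
    """Map each IDPSSODescriptor KeyDescriptor 'use' to its embedded base64 cert."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "both")
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"KeyDescriptor use={use!r} has no X509Certificate")
        certs[use] = re.sub(r"\s+", "", el.text)
    return certs


def metadata_expired(metadata_xml: str, now: datetime) -> bool:
    """True if the EntityDescriptor carries a validUntil that is already in the past."""
    valid_until = ET.fromstring(metadata_xml).get("validUntil")
    if valid_until is None:
        return False
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            exp = datetime.strptime(valid_until, fmt).replace(tzinfo=timezone.utc)
            return now >= exp
        except ValueError:
            continue
    raise ValueError(f"unparseable validUntil: {valid_until!r}")


def check_idp_metadata(metadata_xml: str, pem_files: dict, now: datetime) -> list:
    """Return a list of problems found; an empty list means metadata and PEMs agree."""
    try:
        certs = metadata_certs(metadata_xml)
    except ValueError as e:
        return [str(e)]
    problems = []
    for use in ("signing", "encryption"):
        if use not in certs:
            problems.append(f"metadata has no KeyDescriptor use={use!r}")
        elif use not in pem_files:
            problems.append(f"no PEM file supplied for {use}")
        elif certs[use] != pem_body(pem_files[use]):
            # A placeholder such as 'My Signing Cert' left in the metadata ends up here.
            problems.append(f"{use} certificate in metadata does not match PEM file")
    if metadata_expired(metadata_xml, now):
        problems.append("metadata validUntil has passed")
    return problems


# --- constructed sample data (NOT real certificates) -------------------------
SIGNING_B64 = base64.b64encode(b"constructed signing cert, not real DER").decode()
ENCRYPTION_B64 = base64.b64encode(b"constructed encryption cert, not real DER").decode()


def pem_wrap(b64: str) -> str:
    """Wrap a base64 body in PEM armour, 64 characters per line."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def sample_metadata(signing_b64: str, enc_b64: str,
                    valid_until: str = "2030-01-01T00:00:00Z") -> str:
    """Minimal IdP metadata in the shape of the file quoted in the thread."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" validUntil="{valid_until}"
    entityID="http://mycas.com/cas/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{signing_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{enc_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    # In real use: metadata = open('/etc/cas/saml/idp-metadata.xml').read() and
    # pems = {'signing': open('/etc/cas/saml/idp-signing.crt').read(), ...}
    pems = {"signing": pem_wrap(SIGNING_B64), "encryption": pem_wrap(ENCRYPTION_B64)}
    now = datetime(2022, 2, 1, tzinfo=timezone.utc)
    print("consistent:", check_idp_metadata(sample_metadata(SIGNING_B64, ENCRYPTION_B64), pems, now))
    print("placeholder left in:", check_idp_metadata(sample_metadata("My Signing Cert", ENCRYPTION_B64), pems, now))
```

Run it against /etc/cas/saml/idp-metadata.xml and the .crt files in the same directory; an empty list means the embedded certificates are the ones CAS has keys for. The check compares base64 bodies only, so it needs no crypto library and works the same whether the PEM is line-wrapped or not.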

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8287362dd17173adfa671a5ceef15817ec7b2b23.camel%40uvic.ca.