Jorge,

Assuming you are east of UTC by one hour, the issue instant is 36 seconds ahead of your log entries. Not sure if this is enough drift to cause a problem. I would also expect a different error.
Make sure your IdP metadata has the Redirect/SSO endpoint. Again I would expect a different error message. You may not need the metadata entry in the service definition. See https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#per-service

Ray

On Fri, 2022-02-18 at 09:27 +0100, Jorge Rodríguez wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hi Ray,

I have defined another service provider and I have the same problem with it, but let me focus on the first one. This is the log generated when connecting the SP to the CAS via SAML:

2022-02-18 09:17:00,781 DEBUG [org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor] - <Decoded SAML object [{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest] from http request>
2022-02-18 09:17:00,789 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located issuer [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] from authentication request>
2022-02-18 09:17:00,810 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Checking service access in CAS service registry for [AbstractWebApplicationService(id=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719, originalUrl=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={entityId=[https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719], SAMLRequest=[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], RelayState=[aHR0cHM6Ly9hZHNzcHdoLmluZ2VuaWFkZW1vbGFiLmVzOjkyNTEvc2FtbExvZ2luL0xPR0lOX0FVVEg=]})]>
2022-02-18 09:17:00,818 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-18 09:17:00,819 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,828 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loading metadata resolver from the cache using [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,830 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataResolverCacheLoader] - <There are [6] metadata resolver(s) available in the chain>
2022-02-18 09:17:00,833 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver] - <Loading SAML metadata from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,835 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <No metadata maximum validity criteria is defined for [/etc/cas/saml/mfa-metadata.xml], so RequiredValidUntilFilter will not be invoked>
2022-02-18 09:17:00,837 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Building SAML2 signature validation filter based on [/etc/cas/saml/mfa-signing.crt]>
2022-02-18 09:17:00,842 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Attempting to resolve credentials from [file [/etc/cas/saml/mfa-signing.crt]]>
2022-02-18 09:17:00,850 INFO [org.apereo.cas.support.saml.SamlUtils] - <Successfully resolved credentials from [file [/etc/cas/saml/mfa-signing.crt]]>
2022-02-18 09:17:00,851 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Configuring credential resolver for key signature trust engine @ [X509Credential]>
2022-02-18 09:17:00,859 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Adding signature validation filter based on the configured trust engine>
2022-02-18 09:17:00,869 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Added metadata SignatureValidationFilter with signature from [file [/etc/cas/saml/mfa-signing.crt]]>
2022-02-18 09:17:00,870 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Added metadata SignatureValidationFilter for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,872 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Added entity role filter [{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor]>
2022-02-18 09:17:00,875 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Added entity role filter with roles [[{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor]]>
2022-02-18 09:17:00,877 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Metadata filter chain initialized with [2] filters>
2022-02-18 09:17:00,877 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Initializing metadata resolver from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,907 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Initialized metadata resolver from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,912 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataResolverCacheLoader] - <Metadata resolvers active for this request are [[org.apereo.cas.support.saml.InMemoryResourceMetadataResolver@71935899]]>
2022-02-18 09:17:00,918 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataExpirationPolicy] - <Located cache duration [PT168H] specified in SP metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,920 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,921 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [/etc/cas/saml/mfa-metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,923 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]. Metadata is valid until [forever]>
2022-02-18 09:17:00,925 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located SAML service in the registry as [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] with the metadata location of [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,926 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Fetching saml metadata adaptor for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,926 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-18 09:17:00,928 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,929 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loading metadata resolver from the cache using [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,934 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,935 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [/etc/cas/saml/mfa-metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,939 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]. Metadata is valid until [forever]>
2022-02-18 09:17:00,940 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located issuer [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] from authentication context>
2022-02-18 09:17:00,941 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Checking service access in CAS service registry for [AbstractWebApplicationService(id=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719, originalUrl=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={entityId=[https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719], SAMLRequest=[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], RelayState=[aHR0cHM6Ly9hZHNzcHdoLmluZ2VuaWFkZW1vbGFiLmVzOjkyNTEvc2FtbExvZ2luL0xPR0lOX0FVVEg=]})]>
2022-02-18 09:17:00,942 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-18 09:17:00,943 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,944 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loading metadata resolver from the cache using [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,945 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,946 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [/etc/cas/saml/mfa-metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,946 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]. Metadata is valid until [forever]>
2022-02-18 09:17:00,947 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located SAML service in the registry as [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] with the metadata location of [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,948 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located SAML metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,948 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loading metadata resolver from the cache using [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [/etc/cas/saml/mfa-metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]. Metadata is valid until [forever]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Determined authentication request binding is [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], issued by [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Checking metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] to see if binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] is supported>
2022-02-18 09:17:00,956 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] is supported by [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,956 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Fetched assertion consumer service url [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from authentication request>
2022-02-18 09:17:00,958 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Determined SAML2 endpoint for authentication request as [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,959 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
2022-02-18 09:17:01,007 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml2.core.impl.AuthnRequestImpl] [<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719" Destination="https://cas.demolabwh.local:8443/cas/idp/profile/SAML2/Redirect/SSO" ID="_73d6c0512760ec36a47c4e0adbb63748" IssueInstant="2022-02-18T08:16:24.499Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="ManageEngine ADSelfService Plus" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
]>
2022-02-18 09:17:01,009 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
2022-02-18 09:17:01,048 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Created service url [https://cas.demolabwh.local:8443/cas/idp/profile/SAML2/Callback?entityId=https%3A%2F%2Fadsspwh.ingeniademolab.es%3A9251%2F...]>
2022-02-18 09:17:01,050 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authN request to [https://cas.demolabwh.local:8443/cas/login?service=https%3A%2F%2Fcas.demolabwh.local%3A8443%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3Dhttps%253A%252F%252Fadsspwh.ingeniademolab.es%253A9251%252FsamlLogin%252F7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:01,051 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authN request to [https://cas.demolabwh.local:8443/cas/login?service=https%3A%2F%2Fcas.demolabwh.local%3A8443%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3Dhttps%253A%252F%252Fadsspwh.ingeniademolab.es%253A9251%252FsamlLogin%252F7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:01,088 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {result=Service Access Denied}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Feb 18 09:17:01 CET 2022
CLIENT IP ADDRESS: 10.238.238.129
SERVER IP ADDRESS: 10.238.238.182
=============================================================
>
2022-02-18 09:17:01,091 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized>
2022-02-18 09:17:01,215 WARN [javax.persistence.spi] - <javax.persistence.spi::No valid providers found.>
2022-02-18 09:17:01,276 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/]>
2022-02-18 09:17:01,277 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for TGC cookie generator to: [/cas/]>
2022-02-18 09:17:03,774 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages_es_ES] - neither plain properties nor XML>
2022-02-18 09:17:03,777 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_es_ES] - neither plain properties nor XML>
2022-02-18 09:17:03,780 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_es_ES] - neither plain properties nor XML>
2022-02-18 09:17:03,781 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages_es] - neither plain properties nor XML>
2022-02-18 09:17:03,781 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages] - neither plain properties nor XML>
2022-02-18 09:17:03,784 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_es] - neither plain properties nor XML>
2022-02-18 09:17:03,787 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages] - neither plain properties nor XML>
2022-02-18 09:17:03,791 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Loading properties [messages_es.properties] with encoding 'UTF-8'>
2022-02-18 09:17:03,796 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Loading properties [messages.properties] with encoding 'UTF-8'>

---------------------------------------

It seems that all SAML traffic is ok, but then I receive the service unauthorized error.
For now, this is the service definition:

mfasaml-2.json:

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719
  name: mfasaml
  id: 2
  expirationPolicy: null
  proxyTicketExpirationPolicy: {
    @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy: {
    @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 1
  usernameAttributeProvider: {
    @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
    usernameAttribute: sAMAccountName
  }
  environments: null
  attributeReleasePolicy: {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
  }
  metadataLocation: /etc/cas/saml/mfa-metadata.xml
  metadataSignatureLocation: /etc/cas/saml/mfa-signing.crt
  signingCredentialType: BASIC
}

and this is the metadata file for the SP:

mfa-metadata.xml:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>xxxxxxxNT9A==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adsspwh.ingeniademolab.es:9251/samlLogout/7d17410fa6be183ec56c58bd1b51d3da6ff65719"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

All I see is right, but there's something I'm missing...

Regards,
Jorge

On Fri, 18 Feb 2022 at 6:53, Ray Bon (r...@uvic.ca) wrote:

Jorge,

That error means the requestor does not match the service. What is being sent to CAS in the SAML request?

Ray

On Thu, 2022-02-17 at 04:28 -0800, Jorge Rodríguez wrote:

Hi people,

I'm receiving a "Service unauthorized" error for one SAML service, and I think it's well-defined. Let's see if you could help me, please.

The service description is:

mfasaml-2.json

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719
  name: mfasaml
  responseType: POST
  id: 2
  expirationPolicy: null
  proxyTicketExpirationPolicy: {
    @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy: {
    @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 1
  usernameAttributeProvider: {
    @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
    usernameAttribute: sAMAccountName
  }
  environments: null
  attributeReleasePolicy: {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
  }
  metadataLocation: /etc/cas/saml/mfa-metadata.xml
  metadataSignatureLocation: /etc/cas/saml/idp-signing.crt
  signingCredentialType: BASIC
}

---------------------------

And the metadata for the SP:

mfa-metadata.xml

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>xxxxxxx9A==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adsspwh.ingeniademolab.es:9251/samlLogout/7d17410fa6be183ec56c58bd1b51d3da6ff65719"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Are you able to see where the error is?

Thanks!
Jorge

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/14e79ea988cb0e4970633fd61ff78a050ecb5148.camel%40uvic.ca.
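Ray's two suggestions above (compare what the SP actually sent against the registered metadata and the service definition, and watch the IssueInstant drift) as an added example; this is not code from the thread or from CAS. It parses the AuthnRequest CAS logged, checks it against the SP metadata and the serviceId pattern, and computes the skew between IssueInstant and the first CAS log line. The IdP SSO endpoint list and the UTC+1 log offset are assumptions.

```python
"""Cross-check a SAML2 AuthnRequest against the SP metadata and CAS service
definition it should match, and measure IssueInstant against CAS log time.
Added example for this thread, not CAS code. The AuthnRequest and metadata are
the ones quoted above (XML declarations and certificate omitted); the log
timezone (UTC+1, as Ray assumed) and the IdP endpoint list are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ENTITY = ("https://adsspwh.ingeniademolab.es:9251/samlLogin/"
          "7d17410fa6be183ec56c58bd1b51d3da6ff65719")
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# AuthnRequest as CAS logged it in the thread (RequestedAuthnContext omitted).
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="{ENTITY}"
    Destination="https://cas.demolabwh.local:8443/cas/idp/profile/SAML2/Redirect/SSO"
    ID="_73d6c0512760ec36a47c4e0adbb63748" IssueInstant="2022-02-18T08:16:24.499Z"
    ProtocolBinding="{HTTP_POST}" ProviderName="ManageEngine ADSelfService Plus" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">{ENTITY}</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>"""

# mfa-metadata.xml from the thread, key material left out.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    cacheDuration="PT604800S" entityID="{ENTITY}">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="{ENTITY}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SERVICE_ID_PATTERN = ENTITY  # serviceId from mfasaml-2.json; CAS treats it as a regex
IDP_SSO_ENDPOINTS = {        # assumed: the SSO endpoints this CAS IdP publishes
    "https://cas.demolabwh.local:8443/cas/idp/profile/SAML2/Redirect/SSO",
    "https://cas.demolabwh.local:8443/cas/idp/profile/SAML2/POST/SSO",
}

def parse_authn_request(xml_text):
    """Extract the fields CAS matches against the service registry."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "destination": root.get("Destination"),
        "issue_instant": datetime.fromisoformat(
            root.get("IssueInstant").replace("Z", "+00:00")),
    }

def check_request(req, metadata_xml, service_id_pattern, idp_endpoints):
    """Named consistency checks; all must hold before the IdP answers the SP."""
    md_root = ET.fromstring(metadata_xml)
    acs = {(e.get("Binding"), e.get("Location"))
           for e in md_root.iterfind(".//md:AssertionConsumerService", NS)}
    return {
        # Issuer must be the entityID of the metadata bound to the service ...
        "issuer_matches_metadata": req["issuer"] == md_root.get("entityID"),
        # ... and match the serviceId regex; fullmatch is at least as strict as
        # CAS, and an unescaped "." in serviceId matches any character.
        "issuer_matches_service_id":
            re.fullmatch(service_id_pattern, req["issuer"] or "") is not None,
        # Requested ACS URL and binding must be advertised in the SP metadata, so
        # no response is ever sent to an endpoint the SP did not declare.
        "acs_in_metadata": (req["binding"], req["acs_url"]) in acs,
        # Destination must be one of the IdP's own SSO endpoints.
        "destination_is_idp_sso": req["destination"] in idp_endpoints,
    }

def clock_skew_seconds(req, log_timestamp, log_utc_offset_hours):
    """Seconds from IssueInstant to a CAS log timestamp ('2022-02-18 09:17:00,781');
    positive means the SP issued the request before CAS logged receiving it."""
    naive = datetime.strptime(log_timestamp, "%Y-%m-%d %H:%M:%S,%f")
    logged = naive.replace(tzinfo=timezone(timedelta(hours=log_utc_offset_hours)))
    return (logged - req["issue_instant"]).total_seconds()
```

For the request in the thread every check in `check_request(parse_authn_request(AUTHN_REQUEST), SP_METADATA, SERVICE_ID_PATTERN, IDP_SSO_ENDPOINTS)` is True, and `clock_skew_seconds(req, "2022-02-18 09:17:00,781", 1)` returns 36.282, so the registry match itself is not what the log shows failing.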