We have got the answers to my questions; feel free to ignore them. 
For those experiencing the same issue, the answers are:
1. "https://login/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL" 
needs to be set to get the contents decrypted; we did not find other ways so 
far to keep it on https://login/cas/login.
2. After the decryption worked, we would get https://login/..service=.......... 

On Sunday, February 13, 2022 at 10:27:33 AM UTC-5 Joseph Zhou wrote:

> Hi, Doug,
>
> This is a great article we came across!
> We met the same issue - could not redirect back to Google after a 
> successful login on our 3rd-party IdP server running CAS 6.2.2 and configured 
> mostly as your instructions indicated. We have an old version CAS 
> 3.5.2 server working well with Google Workspace. However, we'd like to get 
> it replaced with the new version server. Then we hit this problem.
>
> We tried to match the old certificate by copying the certificate/key from 
> the old server to the new one and renaming them to idp-signing.crt/key. 
> Tested again, still not working, and the web browser stalled at the 
> following and could not go back to the Google site:
>
>
> https://login/cas/login?SAMLRequest=fVJNT%2BMwEL2vxH%2BwfM8nIK2sJqiAEJXYJaLpHrg5zjRxccbB4zTLv980BQGH7fX5zfsYz%2BLqb2fYHhxpixlPwpgzQGVrjU3GN%2BVd8JNf5Wc%2FFiQ704vl4Ft8gtcByLNpEknMDxkfHAorSZNA2QEJr8R6%2BetBpGEseme9VdZwtrrNeN9UuFMN9C22IF92qNRLA92ut7qqK2x3pq23VaM5%2B%2FMRKz3EWhENsELyEv0ExWkaxGmQnJdJLNJEXF48c1a8O11rPDY4Fas6kkjcl2URFI%2FrchbY6xrc74md8cbaxkCobHewLySR3k%2FwVhoCzpZE4PwU8MYiDR24Nbi9VrB5esh4631PIorGcQw%2FZSIZjUoh%2BBDqIZKKeD5vVszl3JeVno4uP6x5%2Fim%2BiL5I5e8%2Fdiiyui2s0eqNLY2x440D6acW3g1TiTvrOun%2F75aEyYzoOtjOVDEg9aD0VkPNWZQfXb%2BfxnQw%2FwA%3D&RelayState=https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%26service%3Dmail%26ifkv%3DAU9NCcypcYDQKWRdjhacvr7DhikwSR09KKGWWYVDKWiE9idgAlBNjzjnURt0QKtiOLKcOXmR1iAB-g
>
> My questions are:
>
> For your instruction step 8 b, Entered "https://login/cas/idp/profile/SAML2/Redirect/SSO" 
> for "Sign-in page URL": is it mandatory that this needs to be set? 
> I am asking because usually we had our "Sign-in page URL" set to 
> https://login/cas/login, and it was working well for all 
> other websites running SAML 2; it is also configured that way on Google 
> Workspace currently for our old version server, and we have not tried to change it 
> yet.
>
> My 2nd question is:
> On your current configuration running well, are you getting the web link 
> from Google in the format of:
> https://login/cas/login?SAMLRequest=......... or something like 
> https://login/..service=..........
>
> Your kind help and time are very much appreciated!
>
> Joe
>
> On Wednesday, September 23, 2020 at 11:46:37 PM UTC-4 Doug C wrote:
>
>> Yep.  The certificate was the issue.  I do have it working now but I have 
>> two questions regarding warnings I am seeing.
>>
>> I get the following warning:
>>
>> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - <Relay state exceeds 80 bytes: https://www.google.com/a/example.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1>
>>
>> Is this normal and a result of the way G Suite does SAML?  Or is there 
>> something I can configure to make CAS happy and not feel the need to warn 
>> me?
>>
>> Also, I get this warning upon signing out of G Suite:
>>
>> WARN [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder] - <Cannot find SLO service in metadata for entity id [google.com/a/example.com]>
>>
>> I read somewhere online that Google does not provide Single Log Out 
>> (SLO).  Is there a way to disable SLO for a service so I don't get this 
>> warning?  I want to keep SLO enabled in general.
>>
>> Thanks!
>>
>> *Instructions for Others*
>>
>> In case someone else is trying to figure this out, here is what I think 
>> constitutes all the steps that I took to get this working.  You should 
>> replace all instances of example.com and cas-server-url with what is 
>> appropriate for the system being configured.
>>
>> 1. Add the following dependency in the WAR overlay build.gradle file.
>>
>> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>>
>> 2. Add the following line to cas.properties.
>>
>> cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp
>>
>> 3. Create a service definition file in /etc/cas/services.
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "google.com/a/example.com",
>>   "name" : "G Suite",
>>   "id" : 10000002,
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>>   },
>>   "usernameAttributeProvider" : {
>>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>     "usernameAttribute" : "mail"
>>   },
>>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
>>   "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
>> }
>>
>> 4. Create a directory /etc/cas/saml.
>>
>> 5. Generate certificates.
>>
>> openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048
>> openssl req -new -x509 -key /etc/cas/saml/idp-encryption.key -out /etc/cas/saml/idp-encryption.crt -days 3650
>> openssl genrsa -out /etc/cas/saml/idp-signing.key 2048
>> openssl req -new -x509 -key /etc/cas/saml/idp-signing.key -out /etc/cas/saml/idp-signing.crt -days 3650
>>
>> 6. Create idp-metadata.xml in /etc/cas/saml with the following contents.
>>
>> Note: REPLACE_WITH_..._CERTIFICATE should be replaced with everything 
>> between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" 
>> in the corresponding .crt file.
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>>                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>                   xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
>>                   xmlns:xml="http://www.w3.org/XML/1998/namespace"
>>                   xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
>>                   entityID="https://cas-server-url/cas/idp">
>>     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
>>         <KeyDescriptor use="signing">
>>             <ds:KeyInfo>
>>                 <ds:X509Data>
>>                     <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE</ds:X509Certificate>
>>                 </ds:X509Data>
>>             </ds:KeyInfo>
>>         </KeyDescriptor>
>>         <KeyDescriptor use="encryption">
>>             <ds:KeyInfo>
>>                 <ds:X509Data>
>>                     <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate>
>>                 </ds:X509Data>
>>             </ds:KeyInfo>
>>         </KeyDescriptor>
>>
>>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SLO"/>
>>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SLO"/>
>>
>>         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
>>         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
>>
>>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SSO"/>
>>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://cas-server-url/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
>>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO"/>
>>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://cas-server-url/cas/idp/profile/SAML2/SOAP/ECP"/>
>>     </IDPSSODescriptor>
>> </EntityDescriptor>
>>
>> 7. Create sp-metadata.xml in /etc/cas/saml with the following contents.
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S" entityID="google.com/a/example.com">
>>   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>     <md:KeyDescriptor use="signing">
>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:X509Data>
>>           <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </md:KeyDescriptor>
>>     <md:KeyDescriptor use="encryption">
>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:X509Data>
>>           <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </md:KeyDescriptor>
>>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/example.com/acs" index="1"/>
>>   </md:SPSSODescriptor>
>> </md:EntityDescriptor>
>>
>> 8. In the G Suite Admin Console "Set up single sign-on (SSO) with a third party IdP" section:
>>
>> a. Checked the box for "Set up SSO with third-party identity provider"
>> b. Entered "https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"
>> c. Entered "https://cas-server-url/cas/logout" for "Sign-out page URL"
>> d. Checked "Use a domain specific identifier"
>> e. Uploaded the idp-signing.crt certificate.
>>
>> Hopefully I didn’t leave anything out and this will help out the next 
>> person.
>>
>> Doug
>>
>> *From:* 'Richard Frovarp' via CAS Community [mailto:[email protected]] 
>> *Sent:* Wednesday, September 23, 2020 9:54 AM
>> *To:* [email protected]
>> *Subject:* Re: [cas-user] Configure SAML2 IdP functionality to provide 
>> SSO for G Suite
>>
>> The cert you were using under the old integration likely doesn't match 
>> your SAML cert. You would need to upload your new SAML cert to Google. And 
>> yeah, you want to remove the old bits of the old method, in particular the 
>> jars associated with it as it fires before the generic SAML can.
>>
>> On Tue, 2020-09-22 at 23:15 -0400, Doug Campbell wrote:
>>
>> Responding a little to my own question.  I don’t have it fully figured 
>> out yet but I did find a significant issue.  I had left my service file for 
>> the old Google Apps SAML integration method in my services directory and I 
>> think this was intercepting things.  I’m not getting the same error as 
>> before, but when I authenticated I got back a page from Google indicating 
>> that no such account existed.  I’m going to try again and see what I can 
>> find, perhaps see if I can turn on the debugging.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Doug 
>> C
>> *Sent:* Tuesday, September 22, 2020 12:12 AM
>> *To:* CAS Community <[email protected]>
>> *Subject:* [cas-user] Configure SAML2 IdP functionality to provide SSO 
>> for G Suite
>>
>> I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Most 
>> everything has gone smoothly but I am having trouble with setting up CAS to 
>> be my G Suite third-party IdP.  Previously I had been using the Google Apps 
>> Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the 
>> page for that (https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
>> now indicates that it is deprecated and that I should consider using the 
>> SAML2 identity provider functionality to handle this.  I have tried to 
>> piece together information in the documentation and in other folks' 
>> questions in the cas-user forum but I seem to be missing something.  This 
>> is likely due to my lack of familiarity with SAML.
>>
>> I would appreciate any help or direction on getting this working.
>>
>> This is what I have done so far.
>>
>> Note: I have replaced the references to my G Suite primary domain with 
>> example.com for this posting.
>>
>> I created a services file (etc/cas/services/GSuite-10000003.json) with 
>> the following content:
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "google.com/a/example.com",
>>   "name" : "SAMLService",
>>   "id" : 10000003,
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>>   },
>>   "usernameAttributeProvider" : {
>>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>     "usernameAttribute" : "mail"
>>   },
>>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
>> }
>>
>> I also created an sp-metadata.xml file using 
>> https://www.samltool.com/sp_metadata.php with the following contents:
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>                      cacheDuration="PT604800S"
>>                      entityID="google.com/a/example.com">
>>     <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>>         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>                                      Location="https://www.google.com/a/example.com/acs"
>>                                      index="1" />
>>     </md:SPSSODescriptor>
>> </md:EntityDescriptor>
>>
>> I also included the following dependency in the CAS overlay:
>>
>> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>>
>> In G Suite Admin Console "Set up single sign-on (SSO) with a third party 
>> IdP" I:
>>
>> 1. Checked the box for "Set up SSO with third-party identity provider"
>>
>> 2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for 
>> "Sign-in page URL"
>>
>> 3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out 
>> page URL"
>>
>> 4. Checked "Use a domain specific identifier"
>>
>> 5. Uploaded the previous x.509 certificate that I had used when using the 
>> previous method.
>>
>> At the moment, when I attempt to load a Google service I am redirected 
>> back to my CAS server but I receive the following error message:
>>
>> Error: No metadata resolvers could be configured for service SAMLService with metadata location /etc/cas/saml/sp-metadata.xml
>>
>> I am guessing that this is something to do with my sp-metadata.xml file 
>> missing something but I am at a loss as to what I need to do.
>>
>> Any help appreciated.  Thanks!
>>
>> Doug
>>
>
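A small decoder for the HTTP-Redirect binding URLs quoted in this thread (the `SAMLRequest=` form Joe asks about, and the RelayState that the OpenSAML warning in Doug's message refers to). This is an added example, not code from the thread or from CAS: the AuthnRequest and RelayState are constructed, modelled on the thread's entity ID, ACS and SSO URLs, and the 80-byte figure is the RelayState limit from the SAML 2.0 Bindings specification that the warning enforces.

```python
"""Decode a SAML2 HTTP-Redirect binding URL and check the RelayState length (added example)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RELAY_STATE_LIMIT = 80  # bytes; the SAML 2.0 Bindings limit behind the OpenSAML warning

# Constructed sample AuthnRequest, modelled on the thread's entity ID, ACS and SSO URLs.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-example-id" Version="2.0" IssueInstant="2022-02-13T15:27:33Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs" '
    'Destination="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO">'
    '<saml:Issuer>google.com/a/example.com</saml:Issuer></samlp:AuthnRequest>'
)
# Constructed RelayState shaped like the one in the warning: well over 80 bytes.
SAMPLE_RELAY_STATE = (
    "https://www.google.com/a/example.com/ServiceLogin?service=mail&passive=true"
    "&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1"
)


def encode_redirect_request(authn_request_xml: str, relay_state: str, sso_url: str) -> str:
    """Build the redirect URL the way an SP does: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{sso_url}?{query}"


def decode_redirect_request(url: str) -> dict:
    """Reverse the binding and pull out the fields an IdP admin checks first."""
    params = parse_qs(urlsplit(url).query)  # also undoes the %2B/%3D escaping of the base64
    deflated = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15))
    relay_state = params.get("RelayState", [""])[0]
    relay_bytes = len(relay_state.encode())
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state_bytes": relay_bytes,
        "relay_state_too_long": relay_bytes > RELAY_STATE_LIMIT,
    }


if __name__ == "__main__":
    url = encode_redirect_request(SAMPLE_AUTHN_REQUEST, SAMPLE_RELAY_STATE,
                                  "https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO")
    print(decode_redirect_request(url))
```

Pointing `decode_redirect_request` at a real `.../cas/login?SAMLRequest=...` URL captured from the browser shows which Issuer, Destination and ACS URL the SP is asking for, which is the quickest way to confirm the request reached the right CAS endpoint.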

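A lint for the sp-metadata.xml / service-definition pair that the two CAS messages in the thread point at (the "No metadata resolvers could be configured" error and the "Cannot find SLO service in metadata" warning). Added example, not code from the thread or from CAS: the metadata and service JSON are constructed, modelled on the files Doug posted (including the short validUntil the metadata tool generated), and the checks are the example's own, not CAS's resolver logic.

```python
"""Lint an SP metadata file against the CAS service definition that references it (added example)."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_PATH = f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService"
SLO_PATH = f"{{{MD}}}SPSSODescriptor/{{{MD}}}SingleLogoutService"

# Constructed sample, modelled on the thread's sp-metadata.xml: no SLO endpoint and a
# validUntil only a couple of days after generation.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" validUntil="2020-09-25T20:17:03Z"
    cacheDuration="PT604800S" entityID="google.com/a/example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed service definition, reduced to the fields the lint compares against.
SAMPLE_SERVICE_JSON = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}"""


def _parse_time(iso: str) -> datetime:
    """SAML metadata uses UTC 'Z' timestamps; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def lint_sp_metadata(metadata_xml: str, service_json: str,
                     now_iso: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means metadata and service definition agree."""
    findings = []
    root = ET.fromstring(metadata_xml)
    service = json.loads(service_json)
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)

    entity_id = root.get("entityID")
    if entity_id != service.get("serviceId"):
        findings.append(f"entityID {entity_id!r} does not match serviceId {service.get('serviceId')!r}")
    valid_until = root.get("validUntil")
    if valid_until and _parse_time(valid_until) <= now:
        findings.append(f"validUntil {valid_until} has passed: the metadata is expired")
    if not root.findall(ACS_PATH):
        findings.append("no AssertionConsumerService endpoint")
    if not root.findall(SLO_PATH):
        findings.append("no SingleLogoutService endpoint: CAS will warn 'Cannot find SLO service in metadata' on logout")
    return findings


if __name__ == "__main__":
    for finding in lint_sp_metadata(SAMPLE_SP_METADATA, SAMPLE_SERVICE_JSON):
        print("finding:", finding)
```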
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/390ee3dc-4612-40b6-9db5-71cbc31e3438n%40apereo.org.
