We have got the answers to my questions; feel free to ignore them. 
For those experiencing the same issue, the answers are: 1. 
"https://login/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL" 
needs to be set to get the contents decrypted; we did not find other ways so 
far to keep it on https://login/cas/login. 2. After the decryption worked, 
we would get https://login/..service=..........
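Before working through the thread below, here is a small pre-flight check, written for this page as an added example; it is not code from the thread or from the CAS project, and nothing in it is CAS's own metadata-resolver logic. It takes the three artefacts the thread turns on (the SamlRegisteredService JSON, the sp-metadata.xml, and the SSO request URL whose RelayState CAS warns about) and checks what a practitioner would otherwise check by eye: that the service JSON parses (the definitions pasted below lack a comma before "metadataLocation"), that the SP metadata's entityID matches the serviceId and has not passed its validUntil (the sp-metadata posted below carries a validUntil two days after the post), that an HTTP-POST AssertionConsumerService is present, and how long the decoded RelayState is against the 80-byte limit of the SAML 2.0 Bindings specification that the quoted OpenSAML warning refers to. The sample inputs are constructed to mirror the thread's values; `cas-server-url` is the placeholder the thread itself uses.

```python
"""Pre-flight checks for a CAS SAML2 IdP -> Google Workspace (G Suite) setup.

Added example for this page; not code from the thread or the CAS project.
All sample inputs below are constructed to mirror the thread's values.
"""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
RELAY_STATE_MAX_BYTES = 80  # SAML 2.0 Bindings spec, section 3.4.3
THREAD_DATE = datetime(2020, 9, 23, tzinfo=timezone.utc)  # day the metadata was posted


def check_service_json(text):
    """Return a list of problems with a CAS service definition (empty = OK)."""
    try:
        svc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A single missing comma makes the whole file unusable, so stop here.
        return [f"service JSON does not parse: {exc.msg} (line {exc.lineno})"]
    problems = []
    if svc.get("@class") != SAML_SERVICE_CLASS:
        problems.append("@class is not SamlRegisteredService")
    if not svc.get("metadataLocation"):
        problems.append("metadataLocation is missing")
    return problems


def check_sp_metadata(xml_text, expected_entity_id, now=None):
    """Cross-check SP metadata against the registered serviceId and expiry."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(f"entityID {entity_id!r} != serviceId {expected_entity_id!r}")
    valid_until = root.get("validUntil")
    if valid_until:
        # Online generators tend to default validUntil to only a few days out.
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append(f"validUntil {valid_until} is in the past")
    acs = root.findall(f".//{MD_NS}AssertionConsumerService")
    if not any(a.get("Binding") == HTTP_POST for a in acs):
        problems.append("no HTTP-POST AssertionConsumerService")
    return problems


def relay_state_bytes(sso_request_url):
    """Byte length of the (once-)decoded RelayState on an SSO request URL."""
    query = parse_qs(urlsplit(sso_request_url).query)
    relay_state = query.get("RelayState", [""])[0]
    return len(relay_state.encode("utf-8"))


# Constructed sample: the service definition as pasted in the thread, which
# lacks the comma after the usernameAttributeProvider block.
BROKEN_SERVICE_JSON = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "G Suite",
  "id" : 10000002,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  }
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}"""
FIXED_SERVICE_JSON = BROKEN_SERVICE_JSON.replace('  }\n  "metadataLocation"', '  },\n  "metadataLocation"')

# Constructed sample SP metadata with the thread's short-lived validUntil.
SP_METADATA_XML = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S"
    entityID="google.com/a/example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample SSO request URL (SAMLRequest truncated; RelayState shaped
# like the Google-issued one quoted in the thread).
SAMPLE_SSO_URL = (
    "https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVJNT"
    "&RelayState=https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3D"
    "https%253A%252F%252Fmail.google.com%252Fmail%252F%26service%3Dmail"
)


def run_checks(now=None):
    """Run every check and return {check_name: [problems]}."""
    rs_len = relay_state_bytes(SAMPLE_SSO_URL)
    return {
        "service_json_as_pasted": check_service_json(BROKEN_SERVICE_JSON),
        "service_json_fixed": check_service_json(FIXED_SERVICE_JSON),
        "sp_metadata": check_sp_metadata(SP_METADATA_XML, "google.com/a/example.com", now),
        "relay_state": [f"RelayState is {rs_len} bytes (> {RELAY_STATE_MAX_BYTES})"]
        if rs_len > RELAY_STATE_MAX_BYTES else [],
    }


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run as a script, `sp_metadata` passes when evaluated on the day the thread was written (`run_checks(THREAD_DATE)`) and fails today, which is the point of the expiry check: a validUntil only two days out means a metadata file that worked when it was tested can stop being accepted later the same week. The RelayState check reports the length rather than failing, since the value is chosen by Google, not by the CAS administrator.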

On Sunday, February 13, 2022 at 10:27:33 AM UTC-5 Joseph Zhou wrote:

> Hi, Doug,
>
> This is a great article we came across !
> We met the same issue - we could not redirect back to Google after a 
> successful login on our 3rd party IdP server running CAS 6.2.2, configured 
> mostly as your instructions indicated. We have an old CAS 3.5.2 server 
> working well with Google Workspace. However, we'd like to get it replaced 
> with the new version server, and then we hit this problem.
>
> We tried to match with the old certificate by renaming the copied 
> certificate/key to idp-signing.crt/key from the old server to the new one. 
> Tested again, still not working and the Web browser staled at the 
> following, could not go back to Google site:
>
>
> https://login/cas/login?SAMLRequest=fVJNT%2BMwEL2vxH%2BwfM8nIK2sJqiAEJXYJaLpHrg5zjRxccbB4zTLv980BQGH7fX5zfsYz%2BLqb2fYHhxpixlPwpgzQGVrjU3GN%2BVd8JNf5Wc%2FFiQ704vl4Ft8gtcByLNpEknMDxkfHAorSZNA2QEJr8R6%2BetBpGEseme9VdZwtrrNeN9UuFMN9C22IF92qNRLA92ut7qqK2x3pq23VaM5%2B%2FMRKz3EWhENsELyEv0ExWkaxGmQnJdJLNJEXF48c1a8O11rPDY4Fas6kkjcl2URFI%2FrchbY6xrc74md8cbaxkCobHewLySR3k%2FwVhoCzpZE4PwU8MYiDR24Nbi9VrB5esh4631PIorGcQw%2FZSIZjUoh%2BBDqIZKKeD5vVszl3JeVno4uP6x5%2Fim%2BiL5I5e8%2Fdiiyui2s0eqNLY2x440D6acW3g1TiTvrOun%2F75aEyYzoOtjOVDEg9aD0VkPNWZQfXb%2BfxnQw%2FwA%3D&RelayState=https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%26service%3Dmail%26ifkv%3DAU9NCcypcYDQKWRdjhacvr7DhikwSR09KKGWWYVDKWiE9idgAlBNjzjnURt0QKtiOLKcOXmR1iAB-g
>
> My questions are:
>
> For your instruction step 8 - b. Entered 
> "https://login/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL": 
> is it mandatory that this be set? 
> I am asking because usually we had our "Sign-in page URL" set to 
> https://login/cas/login, and it was working well for all other websites 
> running SAML 2; it is also configured that way on Google Workspace 
> currently for our old version server, and we have not tried to change it 
> yet.
>
> My 2nd question is:
> On your current configuration running well, are you getting the web link 
> from Google in the format of 
> https://login/cas/login?SAMLRequest=......... or something like 
> https://login/..service=..........?
>
> I appreciate your kind help and time very much!
>
> Joe
>
> On Wednesday, September 23, 2020 at 11:46:37 PM UTC-4 Doug C wrote:
>
>> Yep.  The certificate was the issue.  I do have it working now but I have 
>> two questions regarding warnings I am seeing.
>>
>> I get the following warning:
>>
>> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - <Relay state 
>> exceeds 80 bytes: 
>> https://www.google.com/a/example.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1>
>>
>> Is this normal and a result of the way G Suite does SAML?  Or is there 
>> something I can configure to make CAS happy and not feel the need to warn 
>> me?
>>
>> Also, I get this warning upon signing out of G Suite:
>>
>> WARN [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder] 
>> - <Cannot find SLO service in metadata for entity id [google.com/a/example.com]>
>>
>> I read somewhere online that Google does not provide Single Log Out 
>> (SLO).  Is there a way to disable SLO for a service so I don't get this 
>> warning?  I want to keep SLO enabled in general.
>>
>> Thanks!
>>
>> *Instructions for Others*
>>
>> In case someone else is trying to figure this out, here are what I think 
>> constitute all the steps that I took to get this working.  You should 
>> replace all instances of example.com and cas-server-url with what is 
>> appropriate for the system being configured.
>>
>> 1.  Add the following dependency in the WAR overlay build.gradle file.
>>
>> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>>
>> 2.  Add the following line to cas.properties.
>>
>> cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp
>>
>> 3.  Create a service definition file in /etc/cas/services.
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "google.com/a/example.com",
>>   "name" : "G Suite",
>>   "id" : 10000002,
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>>   },
>>   "usernameAttributeProvider" : {
>>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>     "usernameAttribute" : "mail"
>>   },
>>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
>>   "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
>> }
>>
>> 4.  Create a directory /etc/cas/saml.
>>
>> 5.  Generate certificates.
>>
>> openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048
>> openssl req -new -x509 -key /etc/cas/saml/idp-encryption.key -out /etc/cas/saml/idp-encryption.crt -days 3650
>> openssl genrsa -out /etc/cas/saml/idp-signing.key 2048
>> openssl req -new -x509 -key /etc/cas/saml/idp-signing.key -out /etc/cas/saml/idp-signing.crt -days 3650
>>
>> 6.  Create idp-metadata.xml in /etc/cas/saml with the following contents.
>>
>> Note:  REPLACE_WITH_..._CERTIFICATE should be replaced with everything 
>> between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" 
>> lines in the corresponding .crt file.
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>>     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
>>     xmlns:xml="http://www.w3.org/XML/1998/namespace"
>>     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
>>     entityID="https://cas-server-url/cas/idp">
>>     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
>>         <KeyDescriptor use="signing">
>>             <ds:KeyInfo>
>>                 <ds:X509Data>
>>                     <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE</ds:X509Certificate>
>>                 </ds:X509Data>
>>             </ds:KeyInfo>
>>         </KeyDescriptor>
>>         <KeyDescriptor use="encryption">
>>             <ds:KeyInfo>
>>                 <ds:X509Data>
>>                     <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate>
>>                 </ds:X509Data>
>>             </ds:KeyInfo>
>>         </KeyDescriptor>
>>
>>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SLO"/>
>>         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SLO"/>
>>
>>         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
>>         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
>>
>>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SSO"/>
>>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://cas-server-url/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
>>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO"/>
>>         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://cas-server-url/cas/idp/profile/SAML2/SOAP/ECP"/>
>>     </IDPSSODescriptor>
>> </EntityDescriptor>
>>
>> 7.  Create sp-metadata.xml in /etc/cas/saml with the following contents.
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S" entityID="google.com/a/example.com">
>>   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>     <md:KeyDescriptor use="signing">
>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:X509Data>
>>           <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </md:KeyDescriptor>
>>     <md:KeyDescriptor use="encryption">
>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:X509Data>
>>           <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </md:KeyDescriptor>
>>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/example.com/acs" index="1"/>
>>   </md:SPSSODescriptor>
>> </md:EntityDescriptor>
>>
>> 8.  In the G Suite Admin Console "Set up single sign-on (SSO) with a 
>> third party IdP" section:
>>
>> a.  Checked the box for "Set up SSO with third-party identity provider"
>> b.  Entered "https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"
>> c.  Entered "https://cas-server-url/cas/logout" for "Sign-out page URL"
>> d.  Checked "Use a domain specific identifier"
>> e.  Uploaded the idp-signing.crt certificate.
>>
>> Hopefully I didn't leave anything out and this will help out the next 
>> person.
>>
>> Doug
>>
>> *From:* 'Richard Frovarp' via CAS Community [mailto:cas-...@apereo.org] 
>> *Sent:* Wednesday, September 23, 2020 9:54 AM
>> *To:* cas-...@apereo.org
>> *Subject:* Re: [cas-user] Configure SAML2 IdP functionality to provide 
>> SSO for G Suite
>>
>> The cert you were using under the old integration likely doesn't match 
>> your SAML cert. You would need to upload your new SAML cert to Google. And 
>> yeah, you want to remove the old bits of the old method, in particular the 
>> jars associated with it as it fires before the generic SAML can.
>>
>> On Tue, 2020-09-22 at 23:15 -0400, Doug Campbell wrote:
>>
>> Responding a little to my own question.  I don't have it fully figured 
>> out yet but I did find a significant issue.  I had left my service file for 
>> the old Google Apps SAML integration method in my services directory and I 
>> think this was intercepting things.  I'm not getting the same error as 
>> before, but when I authenticated I got back a page from Google indicating 
>> that no such account existed.  I'm going to try again and see what I can 
>> find, perhaps see if I can turn on the debugging.
>>
>> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of *Doug C
>> *Sent:* Tuesday, September 22, 2020 12:12 AM
>> *To:* CAS Community <cas-...@apereo.org>
>> *Subject:* [cas-user] Configure SAML2 IdP functionality to provide SSO 
>> for G Suite
>>
>> I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Most 
>> everything has gone smoothly but I am having trouble with setting up CAS to 
>> be my G Suite third-party IdP.  Previously I had been using the Google Apps 
>> Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the 
>> page for that 
>> (https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
>> now indicates that it is deprecated and that I should consider using the 
>> SAML2 identity provider functionality to handle this.  I have tried to 
>> piece together information in the documentation and in other folks' 
>> questions in the cas-user forum but I seem to be missing something.  This 
>> is likely due to my lack of familiarity with SAML.
>>
>> I would appreciate any help or direction on getting this working.
>>
>> This is what I have done so far.
>>
>> Note: I have replaced the references to my G Suite primary domain with 
>> example.com for this posting.
>>
>> I created a services file (etc/cas/services/GSuite-10000003.json) with 
>> the following content:
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "google.com/a/example.com",
>>   "name" : "SAMLService",
>>   "id" : 10000003,
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>>   },
>>   "usernameAttributeProvider" : {
>>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>     "usernameAttribute" : "mail"
>>   },
>>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
>> }
>>
>> I also created an sp-metadata.xml file using 
>> https://www.samltool.com/sp_metadata.php with the following contents:
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>                      cacheDuration="PT604800S"
>>                      entityID="google.com/a/example.com">
>>     <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
>>         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>                                      Location="https://www.google.com/a/example.com/acs"
>>                                      index="1" />
>>     </md:SPSSODescriptor>
>> </md:EntityDescriptor>
>>
>> I also included the following dependency in the CAS overlay:
>>
>> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>>
>> In G Suite Admin Console "Set up single sign-on (SSO) with a third party 
>> IdP" I:
>>
>> 1. Checked the box for "Set up SSO with third-party identity provider"
>> 2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for 
>> "Sign-in page URL"
>> 3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out 
>> page URL"
>> 4. Checked "Use a domain specific identifier"
>> 5. Uploaded the previous x.509 certificate that I had used when using the 
>> previous method.
>>
>> At the moment, when I attempt to load a Google service I am redirected 
>> back to my CAS server but I receive the following error message:
>>
>> Error: No metadata resolvers could be configured for service SAMLService 
>> with metadata location /etc/cas/saml/sp-metadata.xml
>>
>> I am guessing that this has something to do with my sp-metadata.xml file 
>> missing something but I am at a loss as to what I need to do.
>>
>> Any help appreciated.  Thanks!
>>
>> Doug
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org
>>  
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
>>
>
