Gordon,

That sounds like a bug.

CAS should try all keys until one works. This is necessary for key rollover to 
take place. As you mentioned, this SP does this on a yearly basis.

Hopefully one of the maintainers can comment on this.

Ray

On Mon, 2022-02-28 at 20:45 +0000, Gordon, Matthew wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Hi Ray,

Thank you for the suggestion.

I am attempting to use that method already, but the two signing keys in their 
metadata present the problem. If I configure the service definition to pull 
their metadata via the https URL, it works.

The problem is they sign their AuthN request and CAS is unable to verify the 
signature, since it picks the wrong signing key from their metadata, which CAS 
successfully obtained via the URL.

To make it work, I have to save the metadata, remove the invalid signing key, 
then use a local copy of the metadata with 
"metadataLocation":"file/....", rather than the URL.

Thank you,
Matt




-----Original Message-----
From: Ray Bon <r...@uvic.ca>
Reply-To: cas-user@apereo.org
To: cas-user@apereo.org
Subject: Re: [cas-user] SAML SP Metadata with multiple signing keys
Date: Mon, 28 Feb 2022 19:59:12 +0000

Matthew,

You can set SP metadataLocation to a URL, 
https://apereo.github.io/cas/6.4.x/services/SAML2-Service-Management.html

Ray

On Mon, 2022-02-28 at 09:41 -0800, Matthew Gordon wrote:

We have a SAML SP (3rd party system) that has multiple signing keys in their 
metadata. They rotate keys yearly, from a public Certificate Authority. CAS 
picks either the first key or the one with the furthest expiration date, I 
don't know which, but I do know it's picking the wrong certificate. Is there a 
way to influence this behavior, so I can use their metadata hosted on the 
internet, rather than having to copy and update it locally?

Thank you in advance!

Thank you,
Matt

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.




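The behaviour Ray describes (walk every signing key the SP publishes instead of committing to the first one) can be shown in a few dozen lines. The following is an added example written for this thread; it is not CAS code and not the SP's metadata. It uses Go's standard library only: it parses constructed SP metadata carrying two `use="signing"` KeyDescriptors (last year's and this year's certificate, both self-signed test material), signs a stand-in request with this year's key, and verifies by trying each published key in turn. CAS itself verifies an XML-DSig through OpenSAML; the plain RSA-SHA256 signature over the request bytes here is an assumption that models only the key-selection step. The entity ID, common names and request body are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The parts of SP metadata that matter here. Tags match by local name, so the
// md:/ds: namespace prefixes used in real metadata do not get in the way.
type spMetadata struct {
	Keys []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"SPSSODescriptor>KeyDescriptor"`
}

// signingCerts returns every certificate the SP publishes for signing: use="signing",
// or no use attribute (signing and encryption). Encryption-only keys are skipped.
func signingCerts(metadata []byte) ([]*x509.Certificate, error) {
	var md spMetadata
	if err := xml.Unmarshal(metadata, &md); err != nil {
		return nil, err
	}
	var certs []*x509.Certificate
	for _, k := range md.Keys {
		if k.Use != "" && k.Use != "signing" {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), ""))
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// verifyWithAnyKey checks an RSA-SHA256 signature against each published signing
// certificate in turn and returns the index of the one that verifies.
func verifyWithAnyKey(msg, sig []byte, certs []*x509.Certificate) (int, error) {
	digest := sha256.Sum256(msg)
	for i, c := range certs {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok &&
			rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return i, nil
		}
	}
	return -1, errors.New("signature matches none of the SP's signing keys")
}

// selfSignedCert makes a throw-away key and certificate (constructed test material in
// place of the SP's CA-issued certificates), returning the certificate as base64 DER.
func selfSignedCert(cn string, notAfter time.Time) (*rsa.PrivateKey, string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, base64.StdEncoding.EncodeToString(der)
}

// rolloverDemo publishes last year's and this year's certificate in constructed SP
// metadata, signs a request with this year's key, and reports which key verified it.
func rolloverDemo() (certs []*x509.Certificate, msg, sig []byte, idx int, err error) {
	_, oldCert := selfSignedCert("sp.example.org 2021", time.Now().AddDate(0, 1, 0))
	newKey, newCert := selfSignedCert("sp.example.org 2022", time.Now().AddDate(1, 1, 0))
	kd := `<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
	metadata := `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org"><md:SPSSODescriptor>` +
		fmt.Sprintf(kd, oldCert) + fmt.Sprintf(kd, newCert) + `</md:SPSSODescriptor></md:EntityDescriptor>`
	if certs, err = signingCerts([]byte(metadata)); err != nil {
		return
	}
	msg = []byte(`<samlp:AuthnRequest ID="_1" Version="2.0"/>`) // stands in for the signed request
	digest := sha256.Sum256(msg)
	if sig, err = rsa.SignPKCS1v15(rand.Reader, newKey, crypto.SHA256, digest[:]); err != nil {
		return
	}
	idx, err = verifyWithAnyKey(msg, sig, certs)
	return
}

func main() {
	certs, _, _, idx, err := rolloverDemo()
	fmt.Println("verified with key index", idx, "of", len(certs), "err:", err)
}
```

The loop in `verifyWithAnyKey` is the whole point: a verifier that stops at the first `KeyDescriptor` (or the one with the latest `NotAfter`) breaks every SP that publishes old and new certificates side by side during rollover, which is the situation Matt hit. Trying each key is cheap, and the `use` filter keeps encryption-only keys out of signature checks. A defender reviewing metadata by hand can run the same parse step to list the published signing certificates and their expiry dates before deciding which one a request was really signed with.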
