It is finally working after debugging the source code. I am so grateful for open 
source; here is the key.

Thanks Ray!

On the CAS side, the generated sp-metadata.xml says:
        <md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
            <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
                                   Location="https://localhost:8443/cas/login?client_name=bootsp2"/>
        </md:Extensions>

But on my client, where I specify the IDP XML, it needs to use CAS_CLIENT_ID 
as opposed to client_name. Does anyone know why?

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Location="https://localhost:8443/cas/login?CAS_CLIENT_ID=bootsp2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                     Location="https://localhost:8443/cas/login?CAS_CLIENT_ID=bootsp2"/>

Here is the CAS client definition JSON.
=============================
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https?|imaps)://.*",
  "name" : "bootsp2",
  "id" : 1005,
  "description" : "sample",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
  }
}

For the SSO URL, if I use https://localhost:8443/cas/login?client_name=bootsp2, 
I get this error (it cannot find the match; I have to use CAS_CLIENT_ID as 
the parameter name, and then it works).

2023-08-15 11:25:01,951 DEBUG [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Client identifier could not found in request parameters. Looking at relay-state for the SAML2 client>
2023-08-15 11:25:01,951 DEBUG [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Located delegated client identifier []>
2023-08-15 11:25:01,952 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://localhost:8443/cas/login?client_name=bootsp2]>
2023-08-15 11:25:01,955 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException: 
        at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
at 


DefaultDelegatedClientAuthenticationWebflowManager: it is looking for 
CAS_CLIENT_ID_SESSION_KEY in the request parameters.
===================================================
protected String getDelegatedClientId(final WebContext webContext, final Client client) {
    // 1. Look for the client identifier as a plain request parameter (PARAMETER_CLIENT_ID).
    var clientId = webContext.getRequestParameter(PARAMETER_CLIENT_ID)
        .map(String::valueOf).orElse(StringUtils.EMPTY);
    if (StringUtils.isBlank(clientId)) {
        // 2. SAML2 clients only: fall back to the RelayState parameter of the SAML response.
        if (client instanceof SAML2Client) {
            LOGGER.debug("Client identifier could not found in request parameters. "
                + "Looking at relay-state for the SAML2 client");
            clientId = webContext.getRequestParameter(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE)
                .map(String::valueOf).orElse(StringUtils.EMPTY);
        }
    }

    // 3. Session-store lookups, one per supported client type, each under its own session key.
    clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId,
        OAuth20Client.class, OAUTH20_CLIENT_ID_SESSION_KEY);
    clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId,
        OidcClient.class, OIDC_CLIENT_ID_SESSION_KEY);
    clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId,
        OAuth10Client.class, OAUTH10_CLIENT_ID_SESSION_KEY);
    clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId,
        CasClient.class, CAS_CLIENT_ID_SESSION_KEY);

    // An empty result here is what the log above shows as "Located delegated client identifier []".
    LOGGER.debug("Located delegated client identifier [{}]", clientId);
    return clientId;
}

If you know whether I missed anything, I would love to know. I still do 
not understand why I cannot just use client_name as the SSO URL parameter on 
the client side.
Thanks,
Yan

On Tuesday, August 15, 2023 at 10:53:50 AM UTC-4 Yan Zhou wrote:

>
> On my client side, where it loads the IDP XML, what should the SSO URL be when CAS 
> delegates SAML authN to Okta?
>
>  
> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"/>
> - this results in an error on CAS: it tries to load the matching SAML service from 
> the service registry, which is not the case in delegated authN
>
> OR
>
> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login?client_name=bootsp2"/>
> - this results in an error on CAS:
>
> 2023-08-15 10:30:16,666 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Delegated client identifier cannot be located in the authentication request [https://localhost:8443/cas/login?client_name=bootsp2]>
> 2023-08-15 10:30:16,667 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <
> DefaultDelegatedClientAuthenticationWebflowManager.java:retrieveSessionTicketViaClientId:236
> DefaultDelegatedClientAuthenticationWebflowManager.java:retrieve:84
> DelegatedClientAuthenticationAction.java:restoreAuthenticationRequestInContext:285
> >
> 2023-08-15 10:30:16,667 WARN [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
> org.apereo.cas.services.UnauthorizedServiceException: 
>         at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:292) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
>         at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
>         at
>
>
> On Tuesday, August 15, 2023 at 9:39:52 AM UTC-4 Yan Zhou wrote:
>
>> Thanks Ray, making some progress: I now see the SP metadata and 
>> keystore being generated.
>>
>> For delegated authN, here is the SAML request from my client app. It goes 
>> to CAS, and the authN request seems correct.
>>
>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8081/saml/SSO" Destination="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"
>> ................... > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8081/saml/metadata</saml2:Issuer>
>>
>>
>> But then I run into an error in CAS: it is still loading the IDP 
>> functionality and tries to find the client in the service registry. This is 
>> where I do not understand how SAML delegated authN works differently from CAS 
>> as the IDP itself.
>>
>> This is my service definition, as the CAS documentation says.
>> {
>>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>>   "serviceId" : "bootsp2",
>>   "name" : "bootsp2",
>>   "id" : 1005,
>>   "description" : "sample", 
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
>>   }
>> }
>>
>> 2023-08-15 09:30:23,875 WARN [https-jsse-nio-8443-exec-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <[http://localhost:8081/saml/metadata] is not found in the registry or service access is denied.>
>> 2023-08-15 09:30:23,875 WARN [https-jsse-nio-8443-exec-9] [org.apereo.cas.util.function.FunctionUtils] - <screen.service.error.message>
>> org.apereo.cas.services.UnauthorizedServiceException: screen.service.error.message
>>         at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlRegisteredService(AbstractSamlIdPProfileHandlerController.java:172) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>>         at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:490) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>>         at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.initiateAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:315) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>>         at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.lambda$handleSsoPostProfileRequest$4(AbstractSamlIdPProfileHandlerController.java:652) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>>         at org.apereo.cas.util.function.FunctionUtils.lambda$doAndHandle$9(FunctionUtils.java:330) ~[cas-server-core-util-api-6.6.9.jar!/:6.6.9]
>>         at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.handleSsoPostProfileRequest(AbstractSamlIdPProfileHandlerController.java:653) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>>         at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPPostProfileHandlerController.handleSaml2ProfileSsoPostRequest(SSOSamlIdPPostProfileHandlerController.java:74) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>>         at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
>>         at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
>>
>> On Monday, August 14, 2023 at 5:05:26 PM UTC-4 Ray Bon wrote:
>>
>>> Yan,
>>>
>>> I was browsing the docs, and
>>> cas.authn.pac4j.saml[0].serviceProviderMetadataPath
>>> cas.authn.pac4j.saml[0].serviceProviderEntityId
>>> are for CAS-as-a-service-provider metadata, not the destination 
>>> application.
>>>
>>> https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-SAML.html
>>>
>>> Ray
>>>
>>>
>>> On Mon, 2023-08-14 at 12:25 -0700, Yan Zhou wrote:
>>>
>>> Notice: This message was sent from outside the University of Victoria 
>>> email system. Please be cautious with links and sensitive information.
>>>
>>> I think I am missing something fundamental, but I do not know what it 
>>> is.
>>>
>>> I first excluded the dependency on cas-server-support-saml-idp because 
>>> CAS is delegating authN to Okta; I realized the login page does not even 
>>> come up, and nothing shows in SAML Tracer. Then I added this dependency, see 
>>> below.
>>>
>>>     implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>>>     implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
>>>
>>> Now the login page comes up, and I can see the authN request coming to CAS, 
>>> but I do not see how CAS delegates authN. It seems that something is 
>>> missing, so that CAS is -not- generating SP metadata, which it should. Not 
>>> sure what I am missing.
>>>
>>> I based my cas.properties on the following documentation, but it is 
>>> not working, i.e., nothing is being generated by CAS, and no error either.
>>>
>>> In delegated authN, when the client comes to CAS, which then delegates to Okta, 
>>> should /cas/idp/profile/SAML2/POST/SSO be called at all?
>>>
>>> # Settings required for CAS SP metadata generation process
>>> # The keystore will be automatically generated by CAS with
>>> # keys required for the metadata generation and/or exchange.
>>> #
>>> # cas.authn.pac4j.saml[0].keystorePassword=
>>> # cas.authn.pac4j.saml[0].privateKeyPassword=
>>> # cas.authn.pac4j.saml[0].keystorePath=
>>> # The entityID assigned to CAS acting as the SP
>>> # cas.authn.pac4j.saml[0].serviceProviderEntityId=
>>> # Path to the auto-generated CAS SP metadata
>>> # cas.authn.pac4j.saml[0].serviceProviderMetadataPath=
>>> # cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=
>>> # Path/URL to delegated IdP metadata
>>> # cas.authn.pac4j.saml[0].identityProviderMetadataPath=
>>>
>>> On Monday, August 14, 2023 at 1:53:24 PM UTC-4 Ray Bon wrote:
>>>
>>> Yan,
>>>
>>> Is it possible that the Okta-CAS config is incorrect and Okta is 
>>> returning an error response which CAS does not understand?
>>> Are you using SAML Tracer to see the exchanges between SPs and IdPs?
>>> If the keystore is not created, you can create it yourself. Or, turn off 
>>> SAML encryption between SPs and IdPs.
>>>
>>> Ray
>>>
>>> On Fri, 2023-08-11 at 13:42 -0700, Yan Zhou wrote:
>>>
>>>
>>> Hi there,
>>>
>>> When CAS is the SAML2 IDP, I am able to run a client app that authenticates 
>>> successfully. But I have trouble when CAS delegates authN to Okta (CAS is 
>>> set up as an SP in Okta).
>>>
>>> The client app runs on localhost:8081, CAS 6.6.x runs on localhost:8443 and 
>>> delegates to the Okta SAML2 IDP.
>>>
>>> Here is my problem; I likely misunderstood how delegated authN should 
>>> work, but do not know how.
>>>
>>> When I go to the client at localhost:8081, it redirects to: 
>>> http://localhost:8081/saml/login?idp=https%3A%2F%2Flocalhost%3A8443%2Fidp
>>>
>>> which redirects to: https://localhost:8443/cas/idp/profile/SAML2/POST/SSO
>>>
>>> I would expect the Okta login page to come up, but I am getting a CAS error 
>>> page that says "Page Not Found". I did not see any error in the CAS log.
>>>
>>>  
>>>
>>> In Okta, I configured my local CAS as a SAML 2.0 application
>>> ==================================================
>>> SSO URL:  https://localhost:8443/cas/login
>>> Audience URI:   https://localhost:8443/cas/idp
>>>
>>> cas.properties
>>> ==============
>>> cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
>>>                 <== I do not see the keystore being created; why is this not created?
>>> cas.authn.pac4j.saml[0].keystorePassword=changeit
>>> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
>>> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
>>> cas.authn.pac4j.saml[0].serviceProviderEntityId=http://localhost:8081/saml/metadata
>>>                 <== same SP entity ID as when CAS was the IDP itself, without delegated authN
>>> cas.authn.pac4j.saml[0].clientName=bootsp2
>>> cas.authn.pac4j.saml[0].forceAuth=false
>>> cas.authn.pac4j.saml[0].passive=false
>>> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=1209600
>>> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/spmetadata/1005-metadata.xml
>>>                 <== same SP metadata as when CAS was the IDP itself, without delegated authN
>>> cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-11792448.okta.com/app/exkas4vj25jdUfJEx5d7/sso/saml/metadata
>>> cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>>> cas.authn.pac4j.saml[0].userNameQualifier=false
>>>
>>>
>>> JSON file in service registry
>>> ======================
>>> {
>>>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>>>   "serviceId" : "bootsp2",
>>>   "name" : "bootsp2",
>>>   "id" : 1005,
>>>   "description" : "sample",
>>>   "attributeReleasePolicy" : {
>>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>>     "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
>>>   }
>>> }
>>>
>>>
>>> thanks,
>>>
>>> Yan
>>>
>>>
>>>
>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/928541d8-0a2d-4adb-aa1f-70232600f0a8n%40apereo.org.
