Well, we finally figured it out. It is not CAS; we have some network security that is blocking the request.
I was just using wget to get the login page from one of the servers; it worked fine, and that made me think: why did it not work when I accessed it from my laptop? Thx!

On Tuesday, October 24, 2023 at 9:47:36 PM UTC-4 Ray Bon wrote:

> Yan,
>
> Does samlkeystore exist and is it writable (same for the path to SP metadata)? But there should be no metadata file when CAS starts if you want it to be generated.
>
> You can also create metadata manually, see https://www.samltool.com/sp_metadata.php
>
> Ray
>
> On Tue, 2023-10-24 at 13:15 -0700, Yan Zhou wrote:
>
> > Hi there,
> >
> > I am using CAS 6.4.6.6 for delegated authN using SAML; CAS delegates authN to Okta. I ran into a strange error: on Windows, this works fine (i.e., once I point to /cas/login, it generates SP metadata and keystore), but on Linux, CAS does not generate SP metadata and SP keystore. I am not sure why. I did not see any error in logs.
> >
> > This is the relevant portion of cas.properties.
> >
> > cas.authn.saml-idp.core.entity-id= https://qa.......com/idp
> > cas.authn.saml-idp.metadata.fileSystem.location=file:///opt/jboss/ssoconf/idpmetadata
> > cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
> > cas.authn.pac4j.saml[0].keystorePassword=changeit
> > cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
> > cas.authn.pac4j.saml[0].privateKeyPassword=changeit
> > cas.authn.pac4j.saml[0].serviceProviderEntityId=https://qa.......com/cas/samlsp
> > cas.authn.pac4j.saml[0].clientName=Okta
> > cas.authn.pac4j.saml[0].forceAuth=false
> > cas.authn.pac4j.saml[0].passive=false
> > cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
> > cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/jboss/ssoconf/samlsp/sp-metadata.xml
> > cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1......8.okta.com/app/e.......b5d7/sso/saml/metadata
> > cas.authn.pac4j.saml[0].useNameQualifier=false
> > cas.authn.pac4j.saml[0].signAuthnRequest=true
> > cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true
> >
> > On Windows (it says: Initializing: SAML2Client), it then generates the keystore and SP metadata.
> >
> > ======
> >
> > 2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - <The following clients are built: [[#SAML2Client# | name: Okta | callbackUrl: https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@59d1889c | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4ddff72c | logoutActionBuilder:org.pac4j.core.logout.NoLogoutActionBuilder@1d8000ee | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
> >
> > 2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper] - <Can not evaluate delegated authentication policy without a service>
> >
> > 2023-10-24 16:05:23,318 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] - <Initializing: SAML2Client (nb: 0, last: null)>
> >
> > 2023-10-24 16:05:23,321 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - <Using service provider entity ID https://localhost:8443/cas/samlsp>
> >
> > 2023-10-24 16:05:23,321 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] - <Initializing: SAML2Configuration (nb: 0, last: null)>
> >
> > 2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - <Generating keystore one for/via: file [C:\apereocas66x\config\casas-samlsp\samlkeystore]>
> >
> > 2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - <Defaulting keystore type pkcs12>
> >
> > 2023-10-24 16:05:23,435 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - <Created keystore file [C:\apereocas66x\config\casas-samlsp\samlkeystore] with key alias cas-samlsp>
> >
> > On Linux, notice it says: Initializing: RefreshableDelegatedClients ..... Not sure why it does not recognize that it is a SAML2Client. Any idea?
> >
> > Thanks,
> >
> > ======
> >
> > 2023-10-24 15:59:35,488 DEBUG [main] [org.apereo.cas.support.pac4j.authentication.DefaultDelegatedClientFactory] - <Created delegated client [#SAML2Client# | name: Okta | callbackUrl: https://qa....com/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
> >
> > 2023-10-24 15:59:35,489 DEBUG [main] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - <The following clients are built: [[#SAML2Client# | name: Okta | callbackUrl: https://qa....com/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
> >
> > 2023-10-24 15:59:35,489 DEBUG [main] [org.pac4j.core.util.InitializableObject] - <Initializing: RefreshableDelegatedClients (nb: 0, last: null)>
> >
> > 2023-10-24 15:59:35,489 INFO [main] [org.apereo.cas.config.Pac4jAuthenticationEventExecutionPlanConfiguration] - <Registering delegated authentication clients...>
> >
> > 2023-10-24 15:59:35,744 DEBUG [main] [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Attribute repository sources are not available for person-directory principal resolution>
> >
> > 2023-10-24 15:59:36,180 INFO [main] [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Watching service registry directory at [/opt/jboss/whitelist/....]>

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c46062aa-9785-4e9b-961a-2d98a8f89188n%40apereo.org.
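An added example, not code from the thread or from the CAS project: a POSIX shell preflight that turns the two diagnostics in this thread into checks run on the Linux host itself, Ray's question (do the keystore and SP metadata locations exist and are they writable, with no unreadable file in the way) and Yan's finding (fetch the remote endpoint from the server rather than from a laptop, so egress filtering shows up as an unreachable IdP metadata URL). Default paths and the alias are the cas.properties values quoted above; the IdP URL, the store password handling and the helper names are assumptions.

```shell
#!/bin/sh
# Preflight for CAS pac4j SAML delegation on a Linux host (added example, not CAS code).
# Defaults are the cas.properties values quoted in the thread; override them via the environment.
KEYSTORE_PATH="${KEYSTORE_PATH:-/opt/jboss/ssoconf/samlsp/samlkeystore}"
SP_METADATA_PATH="${SP_METADATA_PATH:-/opt/jboss/ssoconf/samlsp/sp-metadata.xml}"
KEYSTORE_ALIAS="${KEYSTORE_ALIAS:-cas-samlsp}"
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"   # value from the thread; use a real secret in production
IDP_METADATA_URL="${IDP_METADATA_URL:-}"     # set to the Okta metadata URL (assumed) to test egress
# 0 when the directory that must hold $1 exists and is writable by the current (CAS) user.
parent_writable() {
  dir=$(dirname "$1")
  [ -d "$dir" ] && [ -w "$dir" ]
}
# 0 when $1 is absent (CAS will generate it) or present and readable.
absent_or_readable() {
  [ ! -e "$1" ] || [ -r "$1" ]
}
# Maps a curl HTTP status to a verdict; 000 is what a dropped or filtered connection looks like.
classify_http() {
  case "$1" in
    2[0-9][0-9]) echo reachable ;;
    000|"")      echo unreachable ;;
    *)           echo "http-$1" ;;
  esac
}
# Fetches $1 from this host and prints the HTTP status (000 if curl is missing or cannot connect).
fetch_status() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || true)
  echo "${code:-000}"
}
# 0 when the PKCS12 keystore at $1 contains alias $3 under store password $2 (needs keytool).
keystore_has_alias() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" -alias "$3" >/dev/null 2>&1
}
main() {
  fails=0
  for p in "$KEYSTORE_PATH" "$SP_METADATA_PATH"; do   # Ray's check: generation targets must be writable
    if parent_writable "$p" && absent_or_readable "$p"; then echo "ok:   $p"
    else echo "FAIL: $p (parent dir missing/unwritable, or file present but unreadable)"; fails=$((fails + 1)); fi
  done
  # Yan's resolution: test reachability from the server itself, not from a laptop.
  [ -z "$IDP_METADATA_URL" ] || echo "idp metadata from this host: $(classify_http "$(fetch_status "$IDP_METADATA_URL")")"
  if [ -f "$KEYSTORE_PATH" ] && command -v keytool >/dev/null 2>&1; then   # only after CAS generated it
    keystore_has_alias "$KEYSTORE_PATH" "$KEYSTORE_PASS" "$KEYSTORE_ALIAS" || { echo "FAIL: alias $KEYSTORE_ALIAS not in keystore"; fails=$((fails + 1)); }
  fi
  return "$fails"
}
if main; then echo "preflight: all checks passed"; else echo "preflight: $? problem(s) found"; fi
```

Run it as the user the CAS JVM runs under, since `-w` reports writability for the invoking user (and always succeeds for root).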
