Well, we finally figured it out. It is not CAS; we have some network 
security that is blocking the request. 

I just used wget to fetch the login page from one of the servers, and it worked 
fine. That made me think: why did it not work when I accessed it from my laptop?

Thx!

On Tuesday, October 24, 2023 at 9:47:36 PM UTC-4 Ray Bon wrote:

> Yan,
>
> Does samlkeystore exist and is writable (same for path to sp metadata)?
> But there should be no metadata file when cas starts if you want it to be 
> generated.
>
> You can also create metadata manually, see 
> https://www.samltool.com/sp_metadata.php
>
> Ray
>
> On Tue, 2023-10-24 at 13:15 -0700, Yan Zhou wrote:
>
> Hi there, 
>
> I am using CAS 6.4.6.6 for delegated authN using SAML; CAS delegates authN 
> to Okta. I ran into a strange error: on Windows this works fine (i.e., 
> once I point to /cas/login, it generates the SP metadata and keystore), but on 
> Linux, CAS does not generate the SP metadata and SP keystore. I am not sure 
> why. I did not see any error in the logs.
>
> This is the relevant portion of cas.properties:
>
> cas.authn.saml-idp.core.entity-id= https://qa.......com/idp
> cas.authn.saml-idp.metadata.fileSystem.location=file:///opt/jboss/ssoconf/idpmetadata
> cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
> cas.authn.pac4j.saml[0].keystorePassword=changeit
> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://qa.......com/cas/samlsp
> cas.authn.pac4j.saml[0].clientName=Okta
> cas.authn.pac4j.saml[0].forceAuth=false
> cas.authn.pac4j.saml[0].passive=false
> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/jboss/ssoconf/samlsp/sp-metadata.xml
> cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1......8.okta.com/app/e.......b5d7/sso/saml/metadata
> cas.authn.pac4j.saml[0].useNameQualifier=false
> cas.authn.pac4j.saml[0].signAuthnRequest=true
> cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true
>
>
> On Windows it says "Initializing: SAML2Client", then it generates the 
> keystore and SP metadata.
>
> ======
>
> 2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] 
> [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - <The following 
> clients are built: [[#SAML2Client# | name: Okta | callbackUrl:
> https://localhost:8443/cas/login | urlResolver: null | 
> callbackUrlResolver:
> org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@59d1889c | 
> ajaxRequestResolver: null | redirectionActionBuilder: null | 
> credentialsExtractor: null | authenticator: null | profileCreator:
> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4ddff72c | 
> logoutActionBuilder:org.pac4j.core.logout.NoLogoutActionBuilder@1d8000ee 
> | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
>
> 2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] 
> [org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper] - 
> <Can not evaluate delegated authentication policy without a service>
>
> 2023-10-24 16:05:23,318 DEBUG [https-openssl-nio-8443-exec-7] 
> [org.pac4j.core.util.InitializableObject] - <Initializing: SAML2Client (nb: 
> 0, last: null)>
>
> 2023-10-24 16:05:23,321 INFO [https-openssl-nio-8443-exec-7] 
> [org.pac4j.saml.config.SAML2Configuration] - <Using service provider entity 
> IDhttps://localhost:8443/cas/samlsp>
>
> 2023-10-24 16:05:23,321 DEBUG [https-openssl-nio-8443-exec-7] 
> [org.pac4j.core.util.InitializableObject] - <Initializing: 
> SAML2Configuration (nb: 0, last: null)>
>
> 2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] 
> [org.pac4j.saml.config.SAML2Configuration] - <Generating keystore one 
> for/via: file [C:\apereocas66x\config\casas-samlsp\samlkeystore]>
>
> 2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] 
> [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - <Defaulting 
> keystore type pkcs12>
>
> 2023-10-24 16:05:23,435 INFO [https-openssl-nio-8443-exec-7] 
> [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - <Created 
> keystore file [C:\apereocas66x\config\casas-samlsp\samlkeystore] with key 
> alias cas-samlsp>
>
> On Linux, notice it says "Initializing: RefreshableDelegatedClients" 
> ..... Not sure why it does not recognize that it is a SAML2Client. Any idea? 
>
> Thanks,
>
> ======
>
> 2023-10-24 15:59:35,488 DEBUG [main] 
> [org.apereo.cas.support.pac4j.authentication.DefaultDelegatedClientFactory] 
> - <Created delegated client [#SAML2Client# | name: Okta | callbackUrl: 
> https://qa....com/cas/login | urlResolver: null | callbackUrlResolver: 
> org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | 
> ajaxRequestResolver: null | redirectionActionBuilder: null | 
> credentialsExtractor: null | authenticator: null | profileCreator: 
> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | 
> logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | 
> authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
>
> 2023-10-24 15:59:35,489 DEBUG [main] 
> [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - <The following 
> clients are built: [[#SAML2Client# | name: Okta | callbackUrl: 
> https://qa....com/cas/login | urlResolver: null | callbackUrlResolver: 
> org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | 
> ajaxRequestResolver: null | redirectionActionBuilder: null | 
> credentialsExtractor: null | authenticator: null | profileCreator: 
> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | 
> logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | 
> authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
>
> 2023-10-24 15:59:35,489 DEBUG [main] 
> [org.pac4j.core.util.InitializableObject] - <Initializing: 
> RefreshableDelegatedClients (nb: 0, last: null)>
>
> 2023-10-24 15:59:35,489 INFO [main] 
> [org.apereo.cas.config.Pac4jAuthenticationEventExecutionPlanConfiguration] 
> - <Registering delegated authentication clients...>
>
> 2023-10-24 15:59:35,744 DEBUG [main] 
> [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Attribute 
> repository sources are not available for person-directory principal 
> resolution>
>
> 2023-10-24 15:59:36,180 INFO [main] 
> [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - 
> <Watching service registry directory at [/opt/jboss/whitelist/....]>
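
Taking Ray's two questions (does the keystore path and the SP metadata path exist and are they writable, and is the metadata file absent before startup) together with the wget test that settled the thread, here is an added POSIX sh pre-flight script. It is not part of the original thread and not CAS or pac4j code. The function names and the curl invocation are my assumptions; the default paths in the usage block are the ones quoted from cas.properties above, and the IdP metadata URL is passed in as an argument because the thread elides it.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for pac4j SAML SP
# keystore/metadata generation on the CAS host. Function names and the use
# of curl are assumptions; default paths come from the quoted cas.properties.

# check_generation_paths KEYSTORE_PATH SP_METADATA_PATH
# Returns 0 when CAS can be expected to generate both files on first login:
#   - the directory holding each file exists and is writable by this user
#   - the SP metadata file does not already exist (if it does, CAS loads it
#     instead of generating a new one, which is the point Ray makes above)
check_generation_paths() {
  ks="$1"
  md="$2"
  rc=0
  for f in "$ks" "$md"; do
    d=$(dirname "$f")
    if [ ! -d "$d" ]; then
      echo "missing directory: $d"
      rc=1
    elif [ ! -w "$d" ]; then
      echo "directory not writable by $(id -un): $d"
      rc=1
    fi
  done
  if [ -e "$md" ]; then
    echo "SP metadata already present, will not be regenerated: $md"
    rc=1
  fi
  return "$rc"
}

# check_url_reachable URL
# Fetches URL from the host CAS runs on, mirroring the wget test that exposed
# the network block. A connection failure or a non-2xx status points at
# filtering between this host and the target rather than at CAS itself.
check_url_reachable() {
  url="$1"
  if ! code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$url" 2>&1); then
    echo "connection to $url failed: $code"
    return 1
  fi
  case "$code" in
    2*) echo "$url reachable (HTTP $code)"; return 0 ;;
    *)  echo "$url returned HTTP $code"; return 1 ;;
  esac
}

# Usage on the CAS host (as the CAS service account):
#   sh preflight.sh --run https://<idp-host>/app/<app-id>/sso/saml/metadata
if [ "${1:-}" = "--run" ]; then
  check_generation_paths /opt/jboss/ssoconf/samlsp/samlkeystore \
                         /opt/jboss/ssoconf/samlsp/sp-metadata.xml
  check_url_reachable "$2"
fi
```

Run it as the same user the CAS process runs as; a directory that is writable for root but not for the service account is exactly the case the Linux box in this thread could have hit, and the reachability check is what separates a CAS misconfiguration from the network filtering that turned out to be the cause.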

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c46062aa-9785-4e9b-961a-2d98a8f89188n%40apereo.org.