From just a brief test, globally disabling the metadata cache seems to prevent this bug from manifesting.

cas.authn.saml-idp.metadata.core.cache-expiration=PT0S

I don't know enough about the CAS codebase to determine why this is the case. It looks like each service is being assigned a unique cacheKey, but the most recently resolved privateKey seems to take over all of the cache entities when used for signing. (See examples 2 and 4 in my previous post.)

-Mike

On Monday, April 8, 2024 at 3:38:56 PM UTC-4 Michael Daley wrote:
> The saml SP override works correctly on first use, but then the override signing certificate is taking precedence over the default IdP signing certificate, or even another override. This effectively breaks all other SP-integrations. This seems to happen with each new override.
>
> The intent here is to have a different signing certificate for at least one service provider with a different key and expiration than the default IdP. I've adjusted the CN on the certificates to demonstrate the issue I'm seeing.
>
> Also, this only seems to happen when the sp metadata requires response signing.
>
> 1. Visit SP using default idp-signing.key/crt
>
> 2024-04-08 12:57:05,729 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
> 2024-04-08 12:57:05,729 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder] - <SAML entity id [https://test-saml-566.example.com] indicates that SAML responses should be signed>
> 2024-04-08 12:57:05,731 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Fetched assertion consumer service url [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from authentication request>
> 2024-04-08 12:57:05,732 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Configured peer entity endpoint to be [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]>
> 2024-04-08 12:57:05,780 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-566.xml] using algorithm [RSA]>
> 2024-04-08 12:57:05,947 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml566]>
> 2024-04-08 12:57:06,015 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml566]>
> 2024-04-08 12:57:06,048 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing certificate from credential [[subjectDn=CN=testidp.example.com,serialNumber=314081278862115046149249165890986746486728921478]]>
> 2024-04-08 12:57:06,116 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Signed SAML message successfully>
> 2024-04-08 12:57:06,116 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
>
> 1. Visit SP with an override.
>
> 2024-04-08 12:59:22,648 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
> 2024-04-08 12:59:22,648 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder] - <SAML entity id [https://test.example.com] indicates that SAML responses should be signed>
> 2024-04-08 12:59:22,648 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Fetched assertion consumer service url [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from authentication request>
> 2024-04-08 12:59:22,648 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Configured peer entity endpoint to be [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]>
> 2024-04-08 12:59:22,648 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator] - <Using metadata artifact [idp-signing.key] at [/etc/cas66/config/saml/test_saml-567/idp-signing.key]>
> 2024-04-08 12:59:22,648 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-567.xml] using algorithm [RSA]>
> 2024-04-08 12:59:22,650 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml567]>
> 2024-04-08 12:59:22,650 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml567]>
> 2024-04-08 12:59:22,651 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing certificate from credential [[subjectDn=CN=test567.testidp.example.com,serialNumber=173907680160128790975551770084230862871092444709]]>
> 2024-04-08 12:59:22,678 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Signed SAML message successfully>
> 2024-04-08 12:59:22,678 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
>
> 2. Back to original SP (now using the override signing cert CN=test567.testidp.example.com)
>
> 2024-04-08 13:00:39,731 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
> 2024-04-08 13:00:39,731 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder] - <SAML entity id [https://test-saml-566.example.com] indicates that SAML responses should be signed>
> 2024-04-08 13:00:39,731 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Fetched assertion consumer service url [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from authentication request>
> 2024-04-08 13:00:39,731 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Configured peer entity endpoint to be [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]>
> 2024-04-08 13:00:39,731 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-566.xml] using algorithm [RSA]>
> 2024-04-08 13:00:39,737 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml566]>
> 2024-04-08 13:00:39,742 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml566]>
> 2024-04-08 13:00:39,743 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing certificate from credential [[subjectDn=CN=test567.testidp.example.com,serialNumber=173907680160128790975551770084230862871092444709]]>
> 2024-04-08 13:00:39,770 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Signed SAML message successfully>
> 2024-04-08 13:00:39,770 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
>
> 3. Visiting additional SP with a different override. (pulls in the correct override certificate)
>
> 2024-04-08 13:02:38,259 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
> 2024-04-08 13:02:38,259 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder] - <SAML entity id [https://test-saml-568.example.com] indicates that SAML responses should be signed>
> 2024-04-08 13:02:38,259 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Fetched assertion consumer service url [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from authentication request>
> 2024-04-08 13:02:38,259 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Configured peer entity endpoint to be [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]>
> 2024-04-08 13:02:38,259 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator] - <Using metadata artifact [idp-signing.key] at [/etc/cas66/config/saml/test_saml-568/idp-signing.key]>
> 2024-04-08 13:02:38,259 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-568.xml] using algorithm [RSA]>
> 2024-04-08 13:02:38,261 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml568]>
> 2024-04-08 13:02:38,261 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator] - <Using metadata artifact [idp-metadata.xml] at [/etc/cas66/config/saml/test_saml-568/idp-metadata.xml]>
> 2024-04-08 13:02:38,261 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator] - <Using metadata artifact [idp-metadata.xml] at [/etc/cas66/config/saml/test_saml-568/idp-metadata.xml]>
> 2024-04-08 13:02:38,276 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml568]>
> 2024-04-08 13:02:38,277 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing certificate from credential [[subjectDn=CN=test568.testidp.example.com,serialNumber=287894117138036180647362833833935432564855509796]]>
> 2024-04-08 13:02:38,298 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Signed SAML message successfully>
> 2024-04-08 13:02:38,298 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
>
> 4. Back to the original override, now using the 2nd override's certificate. (CN=test568.testidp.example.com, should be signed with CN=test567.testidp.example.com)
>
> 2024-04-08 13:04:32,437 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
> 2024-04-08 13:04:32,437 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder] - <SAML entity id [https://test.example.com] indicates that SAML responses should be signed>
> 2024-04-08 13:04:32,437 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Fetched assertion consumer service url [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from authentication request>
> 2024-04-08 13:04:32,438 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Configured peer entity endpoint to be [https://testidp.example.com/cas/idp/profile/SAML2/POST/SSO] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]>
> 2024-04-08 13:04:32,438 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.FileSystemSamlIdPMetadataLocator] - <Using metadata artifact [idp-signing.key] at [/etc/cas66/config/saml/test_saml-567/idp-signing.key]>
> 2024-04-08 13:04:32,438 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-567.xml] using algorithm [RSA]>
> 2024-04-08 13:04:32,445 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml567]>
> 2024-04-08 13:04:32,445 DEBUG [org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver] - <Cache key for SAML IdP metadata is [test_saml567]>
> 2024-04-08 13:04:32,446 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Locating signature signing certificate from credential [[subjectDn=CN=test568.testidp.example.com,serialNumber=287894117138036180647362833833935432564855509796]]>
> 2024-04-08 13:04:32,461 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Signed SAML message successfully>
> 2024-04-08 13:04:32,461 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e9b35bdb-93b0-4aed-8bf3-9a8251b2823bn%40apereo.org.
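As an added example (not code from the post or from CAS), a small Python checker that reads DefaultSamlIdPObjectSigner DEBUG lines like those quoted above, pairs each "Locating signature signing key for [sp]" line with the subject CN the signer reports next, and flags any response signed with a certificate other than the one configured for that SP. The expected-CN map and the condensed sample log are constructed from the paths and CNs in the post; in a real deployment the map would come from the per-service override configuration.

```python
import re

# Constructed sample: the signer's two relevant lines from each of the five
# sign operations shown in the post (separator and cache-key lines omitted).
S = "[org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner]"
SAMPLE_LOG = "\n".join([
    f"2024-04-08 12:57:05,780 DEBUG {S} - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-566.xml] using algorithm [RSA]>",
    f"2024-04-08 12:57:06,048 DEBUG {S} - <Locating signature signing certificate from credential [[subjectDn=CN=testidp.example.com,serialNumber=314081278862115046149249165890986746486728921478]]>",
    f"2024-04-08 12:59:22,648 DEBUG {S} - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-567.xml] using algorithm [RSA]>",
    f"2024-04-08 12:59:22,651 DEBUG {S} - <Locating signature signing certificate from credential [[subjectDn=CN=test567.testidp.example.com,serialNumber=173907680160128790975551770084230862871092444709]]>",
    f"2024-04-08 13:00:39,731 DEBUG {S} - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-566.xml] using algorithm [RSA]>",
    f"2024-04-08 13:00:39,743 DEBUG {S} - <Locating signature signing certificate from credential [[subjectDn=CN=test567.testidp.example.com,serialNumber=173907680160128790975551770084230862871092444709]]>",
    f"2024-04-08 13:02:38,259 DEBUG {S} - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-568.xml] using algorithm [RSA]>",
    f"2024-04-08 13:02:38,277 DEBUG {S} - <Locating signature signing certificate from credential [[subjectDn=CN=test568.testidp.example.com,serialNumber=287894117138036180647362833833935432564855509796]]>",
    f"2024-04-08 13:04:32,438 DEBUG {S} - <Locating signature signing key for [/etc/cas66/services/sp-metadata/test_saml-567.xml] using algorithm [RSA]>",
    f"2024-04-08 13:04:32,446 DEBUG {S} - <Locating signature signing certificate from credential [[subjectDn=CN=test568.testidp.example.com,serialNumber=287894117138036180647362833833935432564855509796]]>",
])

KEY_RE = re.compile(r"Locating signature signing key for \[(?P<sp>[^\]]+)\]")
CERT_RE = re.compile(r"signing certificate from credential \[\[subjectDn=CN=(?P<cn>[^,\]]+)")

# Which subject CN should sign responses for each SP metadata file: the default
# IdP certificate for the SP without an override, the override CN for the others
# (constructed from the CNs the post describes).
EXPECTED_CN = {
    "/etc/cas66/services/sp-metadata/test_saml-566.xml": "testidp.example.com",
    "/etc/cas66/services/sp-metadata/test_saml-567.xml": "test567.testidp.example.com",
    "/etc/cas66/services/sp-metadata/test_saml-568.xml": "test568.testidp.example.com",
}


def signing_events(log_text):
    """Yield (timestamp, sp_metadata_path, signer_cn) for each sign operation."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:                      # start of a sign operation: remember the SP
            pending = (line[:23], m.group("sp"))
            continue
        m = CERT_RE.search(line)
        if m and pending:          # the credential actually used for that SP
            events.append((pending[0], pending[1], m.group("cn")))
            pending = None
    return events


def find_mismatches(log_text, expected=EXPECTED_CN):
    """Sign operations whose certificate is not the one configured for the SP."""
    return [(ts, sp, cn) for ts, sp, cn in signing_events(log_text)
            if sp in expected and expected[sp] != cn]
```

Run against the sample it reports exactly the two operations the post calls out as wrong (examples 2 and 4); an empty result on a live log means the override certificate did not bleed into other services' responses.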
