wouldsmina, Are you getting a menu of IdPs to select from, or does cas always default to cas.authn.pac4j.saml[0] At the bottom of the cas doc page are a set of tabs 'MENU', 'DYMANIC', 'CUSTOM'. Dynamic has example JSON. If you want a menu, you could try creating a list of IdP entityId's in a JSON file. (We are only beginning with using cas for SAML, so I am doing a bit of guessing.)
RequestInitiator is optional, you can remove it from metadata. SP do not usually need the signing cert. Ray ________________________________ From: [email protected] <[email protected]> on behalf of wouldsmina <[email protected]> Sent: 10 July 2024 12:58 To: [email protected] <[email protected]> Subject: Re: [cas-user] Delegated Authentication SAML2 : Single EntityID You don't often get email from [email protected]. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> I've tried configuring all the IdPs with the same values (as in the example), but only the first one used works. In the metadata file generated by CAS, I find data specific to the first IdP: <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://auth.icoopeb.org/cas/login?client_name=lmu"/> CAS also generates the saml-signing-cert-lmu.crt saml-signing-cert-lmu.key files, but I don't think that's a problem. Thanks for the link, I had seen this documentation, but I don't understand what the json file of cas.authn.pac4j.core.discovery-selection.json.location should contain. Is there any documentation or an example ? Wouldsmina. Le mer. 10 juil. 2024 à 21:06, Ray Bon <[email protected]<mailto:[email protected]>> a écrit : Yes. There is a section on IdP selection, https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-DiscoverySelection.html Ray ________________________________ From: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> on behalf of wouldsmina <[email protected]<mailto:[email protected]>> Sent: 10 July 2024 03:16 To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> Subject: Re: [cas-user] Delegated Authentication SAML2 : Single EntityID You don't often get email from [email protected]<mailto:[email protected]>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Hello Ray, Thanks for your reply. Here is an example of what I did: cas.authn.pac4j.saml[6].keystore-password=password1 cas.authn.pac4j.saml[6].private-key-password=password2 cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/ufra cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-ufra.xml cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-ufra.jks cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect cas.authn.pac4j.saml[6].client-name=idpufra cas.authn.pac4j.saml[6].display-name=UFRA cas.authn.pac4j.saml[6].logout-request-binding= cas.authn.pac4j.saml[7].keystore-password=password3 cas.authn.pac4j.saml[7].private-key-password=password4 cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uce cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-uce.xml cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-uce.jks cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect cas.authn.pac4j.saml[7].client-name=idpuce cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador cas.authn.pac4j.saml[7].logout-request-binding= cas.authn.pac4j.saml[8].keystore-password=password5 cas.authn.pac4j.saml[8].private-key-password=password6 cas.authn.pac4j.saml[8].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uniandes cas.authn.pac4j.saml[8].service-provider-metadata-path=/etc/cas/config/sp-metadata-uniandes.xml cas.authn.pac4j.saml[8].keystore-path=/etc/cas/config/samlKeystore-uniandes.jks cas.authn.pac4j.saml[8].identity-provider-metadata-path=https://login.uniandes.cedia.edu.ec/saml2/idp/metadata.php cas.authn.pac4j.saml[8].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect cas.authn.pac4j.saml[8].client-name=idpuniandes cas.authn.pac4j.saml[8].display-name=UNIANDES cas.authn.pac4j.saml[8].logout-request-binding= If I understand what you're proposing, I have to do this: cas.authn.pac4j.saml[6].keystore-password=password1 cas.authn.pac4j.saml[6].private-key-password=password2 cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-all.jks cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect cas.authn.pac4j.saml[6].client-name=idpufra cas.authn.pac4j.saml[6].display-name=UFRA cas.authn.pac4j.saml[6].logout-request-binding= cas.authn.pac4j.saml[7].keystore-password=password1 cas.authn.pac4j.saml[7].private-key-password=password2 cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-all.jks cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect cas.authn.pac4j.saml[7].client-name=idpuce cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador cas.authn.pac4j.saml[7].logout-request-binding= Best regards Le mer. 10 juil. 2024 à 00:37, Ray Bon <[email protected]<mailto:[email protected]>> a écrit : Wouldsmina, Once your SP metadata is in the specified location, cas will not recreate it. Are you using a different entityId or key for each IdP? That is not necessary. Ray ________________________________ From: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> on behalf of wouldsmina <[email protected]<mailto:[email protected]>> Sent: 09 July 2024 02:03 To: CAS Community <[email protected]<mailto:[email protected]>> Subject: [cas-user] Delegated Authentication SAML2 : Single EntityID You don't often get email from [email protected]<mailto:[email protected]>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Hello, I want to use identity delegation to allow other IdPs to authenticate a number of my services. I was inspired by this documentation: https://fawnoos.com/2023/10/04/cas66-delegate-authn-saml2-idp/. But I notice that for each declared IdP, CAS produces different EntityId and metadatas. The IdPs concerned are part of the EduGain identity federation and I'd like to declare a single SP (for simplicity and to comply with the charter). Do you know if it's possible to configure CAS to create a single EntityId for all declared IdPs? Best regards, Wouldsmina -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946D4056045A7C6FDEBA002CEDB2%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM<https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946D4056045A7C6FDEBA002CEDB2%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZLM%3DwDRQ-peG2fX0Ezfx9UNA-NecFNNqBSn-yTN%2BoPcQ%40mail.gmail.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZLM%3DwDRQ-peG2fX0Ezfx9UNA-NecFNNqBSn-yTN%2BoPcQ%40mail.gmail.com?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946FF4EC590B835D54D6978CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM<https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB9946FF4EC590B835D54D6978CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZU2VcunDgV4Q%3DRhc6AEWM6qdgOnLZ%2BJBLFQS9TSf4Fmg%40mail.gmail.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZU2VcunDgV4Q%3DRhc6AEWM6qdgOnLZ%2BJBLFQS9TSf4Fmg%40mail.gmail.com?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT3PR01MB99469E6F007F799D4527DD02CEA42%40YT3PR01MB9946.CANPRD01.PROD.OUTLOOK.COM.
