I tried various modifications, but all ended in failure. You're right Fiisch, it only seems to work with independently declared identity providers.
Thank you for your help. I will try to find another solution to my problem.

On Thu, 11 Jul 2024 at 10:06, Petr Fišer <[email protected]> wrote:

> Hello,
> I am pretty sure the one entityid for all the IdP references will not work. I did a bit of experimenting on 6.5.x and it works like this:
>
> 1) user selects a delegated IdP from the menu
> 2) cas/pac4j/? looks up the entityid that is associated with it in the properties
> 3) opensaml library goes through its metadata cache and selects the metadata document where there is the same entityid as in step 2.
> 4) this way, the correct IdP metadata has been found and the authentication process follows what is written in them
> 5) ... saml2 auth process ... etc.
>
> So no wonder only the first one works.
>
> Cheers,
> Fiisch
>
> On 11. 07. 24 0:30, Ray Bon wrote:
>
> wouldsmina,
>
> Are you getting a menu of IdPs to select from, or does cas always default to cas.authn.pac4j.saml[0]?
> At the bottom of the cas doc page are a set of tabs 'MENU', 'DYNAMIC', 'CUSTOM'. Dynamic has example JSON. If you want a menu, you could try creating a list of IdP entityIds in a JSON file. (We are only beginning with using cas for SAML, so I am doing a bit of guessing.)
>
> RequestInitiator is optional, you can remove it from metadata.
> SPs do not usually need the signing cert.
>
> Ray
> ------------------------------
> From: [email protected] on behalf of wouldsmina <[email protected]>
> Sent: 10 July 2024 12:58
> To: [email protected]
> Subject: Re: [cas-user] Delegated Authentication SAML2 : Single EntityID
>
> I've tried configuring all the IdPs with the same values (as in the example), but only the first one used works. In the metadata file generated by CAS, I find data specific to the first IdP:
>
> <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://auth.icoopeb.org/cas/login?client_name=lmu"/>
>
> CAS also generates the saml-signing-cert-lmu.crt and saml-signing-cert-lmu.key files, but I don't think that's a problem.
>
> Thanks for the link, I had seen this documentation, but I don't understand what the json file of cas.authn.pac4j.core.discovery-selection.json.location should contain. Is there any documentation or an example?
>
> Wouldsmina.
>
> On Wed, 10 Jul 2024 at 21:06, Ray Bon <[email protected]> wrote:
>
> Yes.
> There is a section on IdP selection,
> https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-DiscoverySelection.html
>
> Ray
> ------------------------------
> From: [email protected] on behalf of wouldsmina <[email protected]>
> Sent: 10 July 2024 03:16
> To: [email protected]
> Subject: Re: [cas-user] Delegated Authentication SAML2 : Single EntityID
>
> Hello Ray,
> Thanks for your reply.
> Here is an example of what I did:
>
> cas.authn.pac4j.saml[6].keystore-password=password1
> cas.authn.pac4j.saml[6].private-key-password=password2
> cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/ufra
> cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-ufra.xml
> cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-ufra.jks
> cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
> cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
> cas.authn.pac4j.saml[6].client-name=idpufra
> cas.authn.pac4j.saml[6].display-name=UFRA
> cas.authn.pac4j.saml[6].logout-request-binding=
>
> cas.authn.pac4j.saml[7].keystore-password=password3
> cas.authn.pac4j.saml[7].private-key-password=password4
> cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uce
> cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-uce.xml
> cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-uce.jks
> cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
> cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
> cas.authn.pac4j.saml[7].client-name=idpuce
> cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
> cas.authn.pac4j.saml[7].logout-request-binding=
>
> cas.authn.pac4j.saml[8].keystore-password=password5
> cas.authn.pac4j.saml[8].private-key-password=password6
> cas.authn.pac4j.saml[8].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uniandes
> cas.authn.pac4j.saml[8].service-provider-metadata-path=/etc/cas/config/sp-metadata-uniandes.xml
> cas.authn.pac4j.saml[8].keystore-path=/etc/cas/config/samlKeystore-uniandes.jks
> cas.authn.pac4j.saml[8].identity-provider-metadata-path=https://login.uniandes.cedia.edu.ec/saml2/idp/metadata.php
> cas.authn.pac4j.saml[8].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
> cas.authn.pac4j.saml[8].client-name=idpuniandes
> cas.authn.pac4j.saml[8].display-name=UNIANDES
> cas.authn.pac4j.saml[8].logout-request-binding=
>
> If I understand what you're proposing, I have to do this:
>
> cas.authn.pac4j.saml[6].keystore-password=password1
> cas.authn.pac4j.saml[6].private-key-password=password2
> cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
> cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
> cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-all.jks
> cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
> cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
> cas.authn.pac4j.saml[6].client-name=idpufra
> cas.authn.pac4j.saml[6].display-name=UFRA
> cas.authn.pac4j.saml[6].logout-request-binding=
>
> cas.authn.pac4j.saml[7].keystore-password=password1
> cas.authn.pac4j.saml[7].private-key-password=password2
> cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
> cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
> cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-all.jks
> cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
> cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
> cas.authn.pac4j.saml[7].client-name=idpuce
> cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
> cas.authn.pac4j.saml[7].logout-request-binding=
>
> Best regards
>
> On Wed, 10 Jul 2024 at 00:37, Ray Bon <[email protected]> wrote:
>
> Wouldsmina,
>
> Once your SP metadata is in the specified location, cas will not recreate it.
> Are you using a different entityId or key for each IdP? That is not necessary.
>
> Ray
> ------------------------------
> From: [email protected] on behalf of wouldsmina <[email protected]>
> Sent: 09 July 2024 02:03
> To: CAS Community <[email protected]>
> Subject: [cas-user] Delegated Authentication SAML2 : Single EntityID
>
> Hello,
> I want to use identity delegation to allow other IdPs to authenticate a number of my services. I was inspired by this documentation: https://fawnoos.com/2023/10/04/cas66-delegate-authn-saml2-idp/. But I notice that for each declared IdP, CAS produces different EntityIds and metadata.
>
> The IdPs concerned are part of the EduGain identity federation and I'd like to declare a single SP (for simplicity and to comply with the charter). Do you know if it's possible to configure CAS to create a single EntityId for all declared IdPs?
>
> Best regards,
> Wouldsmina
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com
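Fiisch's explanation in the thread is that CAS resolves the metadata for a selected client by entity id, so two delegated clients declared with the same SP entity id collide and only the first one ever works. The checker below is an added example, not code from the thread or from CAS: it parses the flat cas.authn.pac4j.saml[N].* properties the poster used (with a constructed sample on example.org hosts) and reports indices that share a service-provider-entity-id, SP metadata path or keystore path, which is the misconfiguration the second configuration above introduced.

```python
# Flag CAS delegated-SAML2 clients that reuse one SP entity id or SP file.
# Added example, not code from the thread or from CAS itself.
import re
from collections import defaultdict
# One flat property line: cas.authn.pac4j.saml[N].<key>=<value>
SAML_KEY = re.compile(r"^cas\.authn\.pac4j\.saml\[(\d+)\]\.([\w.-]+)\s*=\s*(.*)$")
# SP-side keys; two clients sharing one of these is the collision seen in the thread.
SP_KEYS = ("service-provider-entity-id", "service-provider-metadata-path", "keystore-path")

# Constructed sample modelled on the thread's second configuration
# (example.org hosts stand in for the poster's real ones).
SAMPLE_PROPERTIES = """
cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.example.org/cas/sp/all
cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
cas.authn.pac4j.saml[6].client-name=idpa
cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.example.org/cas/sp/all
cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
cas.authn.pac4j.saml[7].client-name=idpb
cas.authn.pac4j.saml[8].service-provider-entity-id=https://auth.example.org/cas/sp/c
cas.authn.pac4j.saml[8].service-provider-metadata-path=/etc/cas/config/sp-metadata-c.xml
cas.authn.pac4j.saml[8].client-name=idpc
"""

def parse_saml_clients(text):
    """Group cas.authn.pac4j.saml[N].key=value lines into {N: {key: value}}."""
    clients = defaultdict(dict)
    for line in text.splitlines():
        m = SAML_KEY.match(line.strip())
        if m:
            idx, key, value = m.groups()
            clients[int(idx)][key] = value.strip()
    return dict(clients)

def find_shared_sp_settings(clients, keys=SP_KEYS):
    """Return {key: {value: [indices]}} for SP values used by more than one client."""
    seen = {key: defaultdict(list) for key in keys}
    for idx in sorted(clients):
        for key in keys:
            value = clients[idx].get(key)
            if value:  # an empty value is not a collision
                seen[key][value].append(idx)
    return {key: {v: ids for v, ids in by_value.items() if len(ids) > 1}
            for key, by_value in seen.items()
            if any(len(ids) > 1 for ids in by_value.values())}

if __name__ == "__main__":
    for key, dupes in find_shared_sp_settings(parse_saml_clients(SAMPLE_PROPERTIES)).items():
        for value, ids in dupes.items():
            print(f"{key}={value} is shared by saml{ids}; only the first client will work")
```

Run it against a real cas.properties by reading the file into parse_saml_clients; an empty result means every delegated client has its own SP identity, which is what the thread concluded CAS requires.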
