Ray,
   I am familiar with the documentation you refer to, but I think that there is no client for an external discovery service (as specified by http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery-cs-01.pdf) implemented in CAS. All of the methods for choosing a specific IdP (or rather SAML2 client) to delegate authentication to (be it MENU, DYNAMIC or even the SAML Discovery implemented in the CAS server) work only with clients configured explicitly in CAS properties.

At least for CAS version 6.6.x, from the implementation point of view, it seems to me that input to all selection methods is taken through the bean "builtClients", which proxies to "pac4jDelegatedClientFactory", bulk of which is implemented by "BaseDelegatedClientFactory" (https://github.com/apereo/cas/blob/6.6.x/support/cas-server-support-pac4j-core-clients/src/main/java/org/apereo/cas/support/pac4j/authentication/clients/BaseDelegatedClientFactory.java).

So the question is: is a single SAML2 client configured in the CAS server able to delegate to and process assertions from different IdPs?

Thanks,

Michal
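Added example, not code from the thread or from the CAS project: the first step of the "custom discovery service that pulls the IdPs out of the federation metadata" suggested below is to enumerate the IdP entities in a federation aggregate. The script parses an EntitiesDescriptor, keeps only entities with an IDPSSODescriptor (skipping SPs), collects each IdP's display name and SingleSignOnService endpoints, and reports IdPs that do not advertise the HTTP-Redirect binding used as destination-binding in the quoted configuration, since such an IdP cannot be reached with that setting. The aggregate is a constructed sample; the entity IDs and hosts are invented.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI_NS = "urn:oasis:names:tc:SAML:metadata:ui"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample aggregate in the shape of a federation feed. The entity
# IDs and hosts are invented and are not real federation members.
FEDERATION_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example-a.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example A University</mdui:DisplayName></mdui:UIInfo>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-a.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example-a.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://login.example-b.edu/saml2/idp/metadata.php">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://login.example-b.edu/saml2/idp/SSOService.php"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-c.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example-c.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def list_idps(metadata_xml):
    """Return one dict per IdP entity (entities carrying an IDPSSODescriptor)
    found anywhere in the aggregate, nested EntitiesDescriptor groups included."""
    root = ET.fromstring(metadata_xml)
    idps = []
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        idp_role = entity.find(f"{{{MD_NS}}}IDPSSODescriptor")
        if idp_role is None:
            continue  # SPs and attribute authorities are not login targets
        name_el = idp_role.find(f".//{{{MDUI_NS}}}DisplayName")
        # binding URN -> endpoint URL, as advertised by the IdP
        sso = {
            svc.get("Binding"): svc.get("Location")
            for svc in idp_role.findall(f"{{{MD_NS}}}SingleSignOnService")
        }
        idps.append({
            "entityID": entity.get("entityID"),
            "displayName": name_el.text if name_el is not None else entity.get("entityID"),
            "sso": sso,
        })
    return idps


def idps_without_binding(idps, binding):
    """entityIDs that advertise no SingleSignOnService for the given binding."""
    return [idp["entityID"] for idp in idps if binding not in idp["sso"]]


def insecure_endpoints(idps):
    """(entityID, location) pairs whose SSO endpoint is not served over https."""
    return [(idp["entityID"], loc) for idp in idps for loc in idp["sso"].values()
            if not loc.startswith("https://")]


if __name__ == "__main__":
    found = list_idps(FEDERATION_METADATA)
    for idp in found:
        print(idp["displayName"], idp["entityID"], sorted(idp["sso"]))
    print("no HTTP-Redirect endpoint:", idps_without_binding(found, HTTP_REDIRECT))
    print("non-https endpoints:", insecure_endpoints(found))
```

Pointing list_idps at a real aggregate (read the signed feed, verify its signature with your federation's published key first, then pass the text in) gives the list a discovery page or a generator of per-IdP client properties would work from; the binding check is what would have flagged an IdP that only offers HTTP-POST before the delegation silently failed.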

On 7/11/24 19:24, Ray Bon wrote:
Michal,

Hmmm, you could create a custom discovery service that could pull the IdPs out or the federation metadata. Better would be if the federation provided the discovery service (or some other third party).
https://wiki.geant.org/display/eduGAIN/How+to+use+as+a+Service+Provider
https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-SAML-Discovery.html
https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-SAML.html

Ray
------------------------------------------------------------------------
*From:* Michal Voců <[email protected]>
*Sent:* 10 July 2024 23:53
*To:* [email protected] <[email protected]>; Ray Bon <[email protected]>
*Subject:* Re: [cas-user] Delegated Authentication SAML2 : Single EntityID

        
You don't often get email from [email protected]. Learn why this is important <https://aka.ms/LearnAboutSenderIdentification>
        

Ray,
  If I understand this correctly, the MENU and other methods only present (or select from) IdPs explicitly defined and configured in CAS properties? Meaning, if we configure a single delegation to a SAML2 IdP and point it to the metadata of all our federation IdPs, only the first IdP is used by the CAS server and only the first one is presented by the CAS internal MENU discovery method, right? And should we need to delegate to more federation IdPs, all of them must be added to the CAS server properties?

Regards,

Michal V.

On 7/11/24 00:30, Ray Bon wrote:
wouldsmina,

Are you getting a menu of IdPs to select from, or does cas always default to cas.authn.pac4j.saml[0]? At the bottom of the cas doc page are a set of tabs 'MENU', 'DYNAMIC', 'CUSTOM'. Dynamic has example JSON. If you want a menu, you could try creating a list of IdP entityId's in a JSON file. (We are only beginning with using cas for SAML, so I am doing a bit of guessing.)

RequestInitiator is optional, you can remove it from metadata.
SPs do not usually need the signing cert.

Ray
------------------------------------------------------------------------
*From:* [email protected] on behalf of wouldsmina <[email protected]>
*Sent:* 10 July 2024 12:58
*To:* [email protected]
*Subject:* Re: [cas-user] Delegated Authentication SAML2 : Single EntityID

        
You don't often get email from [email protected] <mailto:[email protected]>. Learn why this is important <https://aka.ms/LearnAboutSenderIdentification>
        

I've tried configuring all the IdPs with the same values (as in the example), but only the first one used works. In the metadata file generated by CAS, I find data specific to the first IdP: <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://auth.icoopeb.org/cas/login?client_name=*lmu*"/>

CAS also generates the saml-signing-cert-*lmu*.crt saml-signing-cert-*lmu*.key files, but I don't think that's a problem.

Thanks for the link, I had seen this documentation, but I don't understand what the json file of cas.authn.pac4j.core.discovery-selection.json.location should contain. Is there any documentation or an example?

Wouldsmina.


On Wed, 10 Jul 2024 at 21:06, Ray Bon <[email protected]> wrote:

    Yes.
    There is a section on IdP selection,
    https://apereo.github.io/cas/7.0.x/integration/Delegate-Authentication-DiscoverySelection.html


    Ray
    ------------------------------------------------------------------------
    *From:* [email protected] on behalf of wouldsmina <[email protected]>
    *Sent:* 10 July 2024 03:16
    *To:* [email protected]
    *Subject:* Re: [cas-user] Delegated Authentication SAML2 : Single EntityID

        
    You don't often get email from [email protected]
    <mailto:[email protected]>. Learn why this is important
    <https://aka.ms/LearnAboutSenderIdentification>
        

    Hello Ray,
    Thanks for your reply.
    Here is an example of what I did:

    cas.authn.pac4j.saml[6].keystore-password=password1
    cas.authn.pac4j.saml[6].private-key-password=password2
    cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/ufra
    cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-ufra.xml
    cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-ufra.jks
    cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
    cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[6].client-name=idpufra
    cas.authn.pac4j.saml[6].display-name=UFRA
    cas.authn.pac4j.saml[6].logout-request-binding=

    cas.authn.pac4j.saml[7].keystore-password=password3
    cas.authn.pac4j.saml[7].private-key-password=password4
    cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uce
    cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-uce.xml
    cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-uce.jks
    cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
    cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[7].client-name=idpuce
    cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
    cas.authn.pac4j.saml[7].logout-request-binding=

    cas.authn.pac4j.saml[8].keystore-password=password5
    cas.authn.pac4j.saml[8].private-key-password=password6
    cas.authn.pac4j.saml[8].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/uniandes
    cas.authn.pac4j.saml[8].service-provider-metadata-path=/etc/cas/config/sp-metadata-uniandes.xml
    cas.authn.pac4j.saml[8].keystore-path=/etc/cas/config/samlKeystore-uniandes.jks
    cas.authn.pac4j.saml[8].identity-provider-metadata-path=https://login.uniandes.cedia.edu.ec/saml2/idp/metadata.php
    cas.authn.pac4j.saml[8].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[8].client-name=idpuniandes
    cas.authn.pac4j.saml[8].display-name=UNIANDES
    cas.authn.pac4j.saml[8].logout-request-binding=

    If I understand what you're proposing, I have to do this:

    cas.authn.pac4j.saml[6].keystore-password=password1
    cas.authn.pac4j.saml[6].private-key-password=password2
    cas.authn.pac4j.saml[6].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
    cas.authn.pac4j.saml[6].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
    cas.authn.pac4j.saml[6].keystore-path=/etc/cas/config/samlKeystore-all.jks
    cas.authn.pac4j.saml[6].identity-provider-metadata-path=https://idp-cafe.ufra.edu.br/idp/shibboleth
    cas.authn.pac4j.saml[6].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[6].client-name=idpufra
    cas.authn.pac4j.saml[6].display-name=UFRA
    cas.authn.pac4j.saml[6].logout-request-binding=

    cas.authn.pac4j.saml[7].keystore-password=password1
    cas.authn.pac4j.saml[7].private-key-password=password2
    cas.authn.pac4j.saml[7].service-provider-entity-id=https://auth.icoopeb.org/cas/sp/all
    cas.authn.pac4j.saml[7].service-provider-metadata-path=/etc/cas/config/sp-metadata-all.xml
    cas.authn.pac4j.saml[7].keystore-path=/etc/cas/config/samlKeystore-all.jks
    cas.authn.pac4j.saml[7].identity-provider-metadata-path=https://login.uce.cedia.edu.ec/saml2/idp/metadata.php
    cas.authn.pac4j.saml[7].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    cas.authn.pac4j.saml[7].client-name=idpuce
    cas.authn.pac4j.saml[7].display-name=Universidad Central del Ecuador
    cas.authn.pac4j.saml[7].logout-request-binding=

    Best regards

    On Wed, 10 Jul 2024 at 00:37, Ray Bon <[email protected]> wrote:

        Wouldsmina,

        Once your SP metadata is in the specified location, cas will
        not recreate it.
        Are you using a different entityId or key for each IdP? That
        is not necessary.

        Ray
        ------------------------------------------------------------------------
        *From:* [email protected] on behalf of wouldsmina <[email protected]>
        *Sent:* 09 July 2024 02:03
        *To:* CAS Community <[email protected]>
        *Subject:* [cas-user] Delegated Authentication SAML2 : Single EntityID

                
        You don't often get email from [email protected]
        <mailto:[email protected]>. Learn why this is important
        <https://aka.ms/LearnAboutSenderIdentification>
                

        Hello,
        I want to use identity delegation to allow other IdPs to
        authenticate a number of my services. I was inspired by this
        documentation:
        https://fawnoos.com/2023/10/04/cas66-delegate-authn-saml2-idp/.
        But I notice that for each declared IdP, CAS produces a
        different EntityId and metadata.

        The IdPs concerned are part of the eduGAIN identity
        federation and I'd like to declare a single SP (for
        simplicity and to comply with the charter). Do you know if
        it's possible to configure CAS to create a single EntityId
        for all declared IdPs?

        Best regards,
        Wouldsmina
        --
        - Website: https://apereo.github.io/cas
        - Gitter Chatroom: https://gitter.im/apereo/cas
        - List Guidelines: https://goo.gl/1VRrw7
        - Contributions: https://goo.gl/mh7qDG
        ---
        You received this message because you are subscribed to the
        Google Groups "CAS Community" group.
        To unsubscribe from this group and stop receiving emails from
        it, send an email to [email protected].
        To view this discussion on the web visit
        https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNbBoMTU5rSOvnupAoykoEmyV-1_GtRtmkU2%3D4j7Lih2Hw%40mail.gmail.com.


