Thank you so much.
I changed endpoint and now it's telling my application is not authorized to
use CAS. It's weird because I can see the service entry when I go to this
endpoint: cas/actuator/registeredService
{
"serviceId": "
https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc";,
"name": "JIRA",
"id": 1726778135108,
"description": "JIRA",
"proxyTicketExpirationPolicy": {
"@class":
"org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
},
"serviceTicketExpirationPolicy": {
"@class":
"org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
},
"evaluationOrder": 27,
"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"accessStrategy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"requireAllAttributes": false
},
"metadataLocation": "/etc/cas/saml/jira-metadat.xml",
"issuerEntityId": "",
"signingCredentialType": "X509"
},
I must be still missing something.
Le vendredi 15 novembre 2024 à 13:38:43 UTC-5, Ocean Liu a écrit :
> Neon, the Destination in the SAMLRequest does not look right.
>
> It should be something like
> https://cas.example.com/idp/profile/SAML2/Redirect/SSO, please check your
> IdP metadata <SingleSignOnService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" part.
>
> And then, you need to change the Identity provider SSO URL in your
> atlassian admin panel.
> https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/#Copy-details-from-your-identity-provider-to-your-Atlassian-organization
>
>
> [image: SCR-20241115-ikwy.png]
>
> If you look at the dev tool, atlassian was probably redirecting the client
> to the CAS home page (/cas), instead of the SSO page (
> /cas/idp/profile/SAML2/Redirect/SSO), so the cas app does not know to
> handle the parameters.
>
> Good luck!
>
> On Friday, November 15, 2024 at 8:46:18 AM UTC-8 Neon Dazzle wrote:
>
>>
>> Thank you so much to both of you for your answers! It's very appreciated.
>> I did more tests and I still can't get this to work. I get the same
>> result: I get sent to CAS from Atlassian, I enter my credentials, and then
>> I dont get sent back to Atlassian, I'm stuck in CAS. The message says that
>> I see this page because CAS doesnt know my final destination.
>> I installed samltracer as suggested to try and find my mistake but I
>> can't see it :(.
>>
>> Here is my metadata file:
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>> validUntil="2024-11-03T19:47:00Z" cacheDuration="PT604800S" entityID="
>> https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc";>
>> <md:SPSSODescriptor AuthnRequestsSigned="false"
>> WantAssertionsSigned="false"
>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>> <md:KeyDescriptor use="signing">
>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
>> <ds:X509Data>
>>
>> <ds:X509Certificate>MIIDoTCCAomgAwIBAgIUNhHfnD6GS6Vpe0UmMu5RLDe9SMwwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9udHJlYWwxEDAOBgNVBAoMB1BvbHltdGwxGzAZBgNVBAMMEmNhczZkZXYucG9seW10bC5jYTAeFw0yNDA5MTkxODIxNDVaFw0zNDA5MTcxODIxNDVaMGAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdQb2x5bXRsMRswGQYDVQQDDBJjYXM2ZGV2LnBvbHltdGwuY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgaX5dGAb2xA02O8H1ozE4hmTYvbvV0uemh4DPUjsaybUCIn2Yx4U8HDNn9WigcibfEeD9nTq++jaV8+Gl5LepX5FjmFCNWn+f6t9Oz0h8NFqGj+gcFJURK0ZFOWsB1C7aut/ZRVh3mlJdl8X36BgO1Aufx+C9gQbvUVkWnX3NV3+2TRBB7WrgMFPAw8Y9CMexGK7hYqYQkL0xrau7+swRYZJLhqWU78x0YrOq5kg5Z00RThWPuzyAoif9U0dfUgjo7rXZd489ae3+fpNKAJxtJBif4Y/gq1RII32iNzDp4rpOzO88pZgy8UNJWAPkAYjD8g50RnlW7w8nCWsi6cbZAgMBAAGjUzBRMB0GA1UdDgQWBBRpR8obg/zDQnzAyKGh3bcXyyQlVDAfBgNVHSMEGDAWgBRpR8obg/zDQnzAyKGh3bcXyyQlVDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqVdUgcOyQ+QhRJXTKhhF7z7RxMGjvqnwfWzR3ZE4PADew/J48ULEcEa6VUrNXeyrgAa+YJQivXW4SbVqRzf3RSkwneL4b5ln7oH3eL5Q0ZvKOlxljQvTbhtjPn0jwuWhFtNc/7miBbURb1ywG0DUHD6IpzOjrnzKYCHZkISxFDKSLEkHb3lo0bs31nakA0NqFnbGg2D37T1C95vhPUdbb7xzQqQfa/1qm35vB05hnI2NrIEWyEztLEb30PPizNM6fyLy0U/snA9fgS6Xb++vvN5M2JcbytundR1RupARcguWLe1vprqnYumg9Quph6wjBki0ntH11ZvmNgZDT1K1U</ds:X509Certificate>
>> </ds:X509Data>
>> </ds:KeyInfo>
>> </md:KeyDescriptor>
>> <md:KeyDescriptor use="encryption">
>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
>> <ds:X509Data>
>>
>> <ds:X509Certificate>MIIDoTCCAomgAwIBAgIUNhHfnD6GS6Vpe0UmMu5RLDe9SMwwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9udHJlYWwxEDAOBgNVBAoMB1BvbHltdGwxGzAZBgNVBAMMEmNhczZkZXYucG9seW10bC5jYTAeFw0yNDA5MTkxODIxNDVaFw0zNDA5MTcxODIxNDVaMGAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdQb2x5bXRsMRswGQYDVQQDDBJjYXM2ZGV2LnBvbHltdGwuY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgaX5dGAb2xA02O8H1ozE4hmTYvbvV0uemh4DPUjsaybUCIn2Yx4U8HDNn9WigcibfEeD9nTq++jaV8+Gl5LepX5FjmFCNWn+f6t9Oz0h8NFqGj+gcFJURK0ZFOWsB1C7aut/ZRVh3mlJdl8X36BgO1Aufx+C9gQbvUVkWnX3NV3+2TRBB7WrgMFPAw8Y9CMexGK7hYqYQkL0xrau7+swRYZJLhqWU78x0YrOq5kg5Z00RThWPuzyAoif9U0dfUgjo7rXZd489ae3+fpNKAJxtJBif4Y/gq1RII32iNzDp4rpOzO88pZgy8UNJWAPkAYjD8g50RnlW7w8nCWsi6cbZAgMBAAGjUzBRMB0GA1UdDgQWBBRpR8obg/zDQnzAyKGh3bcXyyQlVDAfBgNVHSMEGDAWgBRpR8obg/zDQnzAyKGh3bcXyyQlVDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqVdUgcOyQ+QhRJXTKhhF7z7RxMGjvqnwfWzR3ZE4PADew/J48ULEcEa6VUrNXeyrgAa+YJQivXW4SbVqRzf3RSkwneL4b5ln7oH3eL5Q0ZvKOlxljQvTbhtjPn0jwuWhFtNc/7miBbURb1ywG0DUHD6IpzOjrnzKYCHZkISxFDKSLEkHb3lo0bs31nakA0NqFnbGg2D37T1C95vhPUdbb7xzQqQfa/1qm35vB05hnI2NrIEWyEztLEb30PPizNM6fyLy0U/snA9fgS6Xb++vvN5M2JcbytundR1RupARcguWLe1vprqnYumg9Quph6wjBki0ntH11ZvmNgZDT1K1U</ds:X509Certificate>
>> </ds:X509Data>
>> </ds:KeyInfo>
>> </md:KeyDescriptor>
>>
>> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>> <md:AssertionConsumerService
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
>> https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc";
>>
>> index="1"/>
>> </md:SPSSODescriptor>
>> </md:EntityDescriptor>
>>
>>
>> And here is the request I see using saml-tracer:
>>
>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>> AssertionConsumerServiceURL="
>> https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc
>> " Destination="https://cas6dev.polymtl.ca/cas"; ID=
>> "_c59ebaed7f8b7fbc8dd55d5b0afb84fb" IssueInstant=
>> "2024-11-15T15:59:41.525Z" ProtocolBinding=
>> "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" > <
>> saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>> https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc</
>> saml2:Issuer> <saml2p:NameIDPolicy AllowCreate="true" Format=
>> "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" /> </
>> saml2p:AuthnRequest>
>> Can you see any obvious mistake I am making?
>>
>> Le mardi 5 novembre 2024 à 23:38:01 UTC-5, Ray Bon a écrit :
>>
>>> Neon,
>>>
>>> The Location and Binding protocol must match what is sent in the request.
>>> You can use a browser plugin like samltracer to see what the
>>> request/response looks like.
>>> Also check cas logs.
>>>
>>> Ray
>>>
>>> On Tue, 2024-11-05 at 10:44 -0800, Neon Dazzle wrote:
>>>
>>> You don't often get email from [email protected]. Learn why this is
>>> important <https://aka.ms/LearnAboutSenderIdentification>
>>>
>>> Thank you so much for your answer.
>>> I created the metadata file using a web service and added:
>>>
>>> <md:AssertionConsumerService
>>> index="1"
>>>
>>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>> Location="https://atlassian.start.com"; />
>>>
>>> I'm still getting no redirection and I stay on the CAS website.
>>>
>>> Le lundi 4 novembre 2024 à 13:38:22 UTC-5, Ray Bon a écrit :
>>>
>>> Neon,
>>>
>>> ACS is required in metadata.
>>> You can create the metadata file if the vendor does not supply it. There
>>> are some online services that will help.
>>>
>>> Ray
>>>
>>> On Fri, 2024-11-01 at 12:17 -0700, Neon Dazzle wrote:
>>>
>>> You don't often get email from [email protected] why this is
>>> important <https://aka.ms/LearnAboutSenderIdentification>
>>>
>>> Hi everyone, we have CAS6 and are trying to setup SSO with our Atlassian
>>> org on the cloud. It seems like we almost have it, we get redirected to CAS
>>> and the login works, but we can't get redirected to Atlassian after, we are
>>> stuck in CAS.
>>> It seems like there is not json parameters for redirection so I'm
>>> wondering where we should put the ACS adresse given by Atlassian.
>>> All our other services connected with CAS provide metadata files so it's
>>> easy, but Atlassian doesnt provide that.
>>> Has anyone been able to setup SSO with Atlassian Cloud?
>>>
>>>
>>>
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/36da2d9e-0878-49c7-befc-3cb253f912b4n%40apereo.org.
