Hi everyone, I finally got it working.
The attribute was the problem. I was passing email as a NameID as per the
Atlassian doc, but it needs to be the primare attribute.
This line made it work:
{
@class:
org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
usernameAttribute: mail
}
Thank you so much to all of you for helping me with this. I appreciate!
Have a nice day.
Le lundi 18 novembre 2024 à 22:04:21 UTC-5, Ray Bon a écrit :
> Neon,
>
> I wonder if the empty issuerEntityId could cause a problem. Remove it.
> As Robert suggested, check the logs. Perhaps turn up logging for opensaml.
>
> Ray
>
> On Mon, 2024-11-18 at 07:14 -0800, Neon Dazzle wrote:
>
> You don't often get email from [email protected]. Learn why this is
> important <https://aka.ms/LearnAboutSenderIdentification>
>
> Thank you for your help, I changed the file and added the line as per your
> suggestion:
>
> {
> "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>
>
> "serviceId": "
> https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc";,
> "name": "JIRA",
> "id": 1726778135108,
> "description": "JIRA",
> "proxyTicketExpirationPolicy": {
> "@class":
> "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
> },
> "serviceTicketExpirationPolicy": {
> "@class":
> "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
> },
> "evaluationOrder": 27,
> "attributeReleasePolicy": {
> "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
> },
> "accessStrategy": {
> "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "requireAllAttributes": false
> },
> "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
> "issuerEntityId": "",
> "signingCredentialType": "X509"
> }
>
>
> Unfortunately, I get the same error that the application is not authorized
> to use CAS.
> I can see the service on the gui:
> [image: 314f2ac1-6df1-46ab-a35f-5bee1417b88c.PNG][image:
> 6cd1e9a5-ab4d-4d16-9ea7-e3971a91b115.PNG]
>
> I'm very confused. I feel like everything is there. What am I missing?
>
> Le vendredi 15 novembre 2024 à 16:51:56 UTC-5, Ocean Liu a écrit :
>
> Please check
> https://apereo.github.io/cas/7.1.x/services/SAML2-Service-Management.html
> for the example.
>
> I think you are missing `"@class" :
> "org.apereo.cas.support.saml.services.SamlRegisteredService",`
>
> On Fri, Nov 15, 2024 at 12:38 PM Neon Dazzle <[email protected]> wrote:
>
> Thank you so much.
> I changed endpoint and now it's telling my application is not authorized
> to use CAS. It's weird because I can see the service entry when I go to
> this endpoint:cas/actuator/registeredService
>
> {
> "serviceId": "
> https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc";,
> "name": "JIRA",
> "id": 1726778135108,
> "description": "JIRA",
> "proxyTicketExpirationPolicy": {
> "@class":
> "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
> },
> "serviceTicketExpirationPolicy": {
> "@class":
> "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
> },
> "evaluationOrder": 27,
> "attributeReleasePolicy": {
> "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
> },
> "accessStrategy": {
> "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "requireAllAttributes": false
> },
> "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
> "issuerEntityId": "",
> "signingCredentialType": "X509"
> },
>
> I must be still missing something.
> Le vendredi 15 novembre 2024 à 13:38:43 UTC-5, Ocean Liu a écrit :
>
> Neon, the Destination in the SAMLRequest does not look right.
>
> It should be something like
> https://cas.example.com/idp/profile/SAML2/Redirect/SSO, please check your
> IdP metadata <SingleSignOnService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" part.
>
> And then, you need to change the Identity provider SSO URL in your
> atlassian admin panel.
> https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/#Copy-details-from-your-identity-provider-to-your-Atlassian-organization
>
>
> [image: SCR-20241115-ikwy.png]
>
> If you look at the dev tool, atlassian was probably redirecting the client
> to the CAS home page (/cas), instead of the SSO page (
> /cas/idp/profile/SAML2/Redirect/SSO), so the cas app does not know to
> handle the parameters.
>
> Good luck!
>
> On Friday, November 15, 2024 at 8:46:18 AM UTC-8 Neon Dazzle wrote:
>
>
> Thank you so much to both of you for your answers! It's very appreciated.
> I did more tests and I still can't get this to work. I get the same
> result: I get sent to CAS from Atlassian, I enter my credentials, and then
> I dont get sent back to Atlassian, I'm stuck in CAS. The message says that
> I see this page because CAS doesnt know my final destination.
> I installed samltracer as suggested to try and find my mistake but I can't
> see it :(.
>
> Here is my metadata file:
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> validUntil="2024-11-03T19:47:00Z" cacheDuration="PT604800S" entityID="
> https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc";>
> <md:SPSSODescriptor AuthnRequestsSigned="false"
> WantAssertionsSigned="false"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> <md:KeyDescriptor use="signing">
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> <ds:X509Data>
>
> <ds:X509Certificate>MIIDoTCCAomgAwIBAgIUNhHfnD6GS6Vpe0UmMu5RLDe9SMwwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9udHJlYWwxEDAOBgNVBAoMB1BvbHltdGwxGzAZBgNVBAMMEmNhczZkZXYucG9seW10bC5jYTAeFw0yNDA5MTkxODIxNDVaFw0zNDA5MTcxODIxNDVaMGAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdQb2x5bXRsMRswGQYDVQQDDBJjYXM2ZGV2LnBvbHltdGwuY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgaX5dGAb2xA02O8H1ozE4hmTYvbvV0uemh4DPUjsaybUCIn2Yx4U8HDNn9WigcibfEeD9nTq++jaV8+Gl5LepX5FjmFCNWn+f6t9Oz0h8NFqGj+gcFJURK0ZFOWsB1C7aut/ZRVh3mlJdl8X36BgO1Aufx+C9gQbvUVkWnX3NV3+2TRBB7WrgMFPAw8Y9CMexGK7hYqYQkL0xrau7+swRYZJLhqWU78x0YrOq5kg5Z00RThWPuzyAoif9U0dfUgjo7rXZd489ae3+fpNKAJxtJBif4Y/gq1RII32iNzDp4rpOzO88pZgy8UNJWAPkAYjD8g50RnlW7w8nCWsi6cbZAgMBAAGjUzBRMB0GA1UdDgQWBBRpR8obg/zDQnzAyKGh3bcXyyQlVDAfBgNVHSMEGDAWgBRpR8obg/zDQnzAyKGh3bcXyyQlVDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqVdUgcOyQ+QhRJXTKhhF7z7RxMGjvqnwfWzR3ZE4PADew/J48ULEcEa6VUrNXeyrgAa+YJQivXW4SbVqRzf3RSkwneL4b5ln7oH3eL5Q0ZvKOlxljQvTbhtjPn0jwuWhFtNc/7miBbURb1ywG0DUHD6IpzOjrnzKYCHZkISxFDKSLEkHb3lo0bs31nakA0NqFnbGg2D37T1C95vhPUdbb7xzQqQfa/1qm35vB05hnI2NrIEWyEztLEb30PPizNM6fyLy0U/snA9fgS6Xb++vvN5M2JcbytundR1RupARcguWLe1vprqnYumg9Quph6wjBki0ntH11ZvmNgZDT1K1U</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </md:KeyDescriptor>
> <md:KeyDescriptor use="encryption">
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> <ds:X509Data>
>
> <ds:X509Certificate>MIIDoTCCAomgAwIBAgIUNhHfnD6GS6Vpe0UmMu5RLDe9SMwwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9udHJlYWwxEDAOBgNVBAoMB1BvbHltdGwxGzAZBgNVBAMMEmNhczZkZXYucG9seW10bC5jYTAeFw0yNDA5MTkxODIxNDVaFw0zNDA5MTcxODIxNDVaMGAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdQb2x5bXRsMRswGQYDVQQDDBJjYXM2ZGV2LnBvbHltdGwuY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgaX5dGAb2xA02O8H1ozE4hmTYvbvV0uemh4DPUjsaybUCIn2Yx4U8HDNn9WigcibfEeD9nTq++jaV8+Gl5LepX5FjmFCNWn+f6t9Oz0h8NFqGj+gcFJURK0ZFOWsB1C7aut/ZRVh3mlJdl8X36BgO1Aufx+C9gQbvUVkWnX3NV3+2TRBB7WrgMFPAw8Y9CMexGK7hYqYQkL0xrau7+swRYZJLhqWU78x0YrOq5kg5Z00RThWPuzyAoif9U0dfUgjo7rXZd489ae3+fpNKAJxtJBif4Y/gq1RII32iNzDp4rpOzO88pZgy8UNJWAPkAYjD8g50RnlW7w8nCWsi6cbZAgMBAAGjUzBRMB0GA1UdDgQWBBRpR8obg/zDQnzAyKGh3bcXyyQlVDAfBgNVHSMEGDAWgBRpR8obg/zDQnzAyKGh3bcXyyQlVDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqVdUgcOyQ+QhRJXTKhhF7z7RxMGjvqnwfWzR3ZE4PADew/J48ULEcEa6VUrNXeyrgAa+YJQivXW4SbVqRzf3RSkwneL4b5ln7oH3eL5Q0ZvKOlxljQvTbhtjPn0jwuWhFtNc/7miBbURb1ywG0DUHD6IpzOjrnzKYCHZkISxFDKSLEkHb3lo0bs31nakA0NqFnbGg2D37T1C95vhPUdbb7xzQqQfa/1qm35vB05hnI2NrIEWyEztLEb30PPizNM6fyLy0U/snA9fgS6Xb++vvN5M2JcbytundR1RupARcguWLe1vprqnYumg9Quph6wjBki0ntH11ZvmNgZDT1K1U</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </md:KeyDescriptor>
>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
> <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
> https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc";
>
> index="1"/>
> </md:SPSSODescriptor>
> </md:EntityDescriptor>
>
>
> And here is the request I see using saml-tracer:
>
> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> AssertionConsumerServiceURL="
> https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc
> " Destination="https://cas6dev.polymtl.ca/cas"; ID=
> "_c59ebaed7f8b7fbc8dd55d5b0afb84fb" IssueInstant=
> "2024-11-15T15:59:41.525Z" ProtocolBinding=
> "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" > <
> saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
> https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc</
> saml2:Issuer> <saml2p:NameIDPolicy AllowCreate="true" Format=
> "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" /> </
> saml2p:AuthnRequest>
> Can you see any obvious mistake I am making?
>
> Le mardi 5 novembre 2024 à 23:38:01 UTC-5, Ray Bon a écrit :
>
> Neon,
>
> The Location and Binding protocol must match what is sent in the request.
> You can use a browser plugin like samltracer to see what the
> request/response looks like.
> Also check cas logs.
>
> Ray
>
> On Tue, 2024-11-05 at 10:44 -0800, Neon Dazzle wrote:
>
> You don't often get email from [email protected]. Learn why this is
> important <https://aka.ms/LearnAboutSenderIdentification>
>
> Thank you so much for your answer.
> I created the metadata file using a web service and added:
>
> <md:AssertionConsumerService
> index="1"
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://atlassian.start.com"; />
>
> I'm still getting no redirection and I stay on the CAS website.
>
> Le lundi 4 novembre 2024 à 13:38:22 UTC-5, Ray Bon a écrit :
>
> Neon,
>
> ACS is required in metadata.
> You can create the metadata file if the vendor does not supply it. There
> are some online services that will help.
>
> Ray
>
> On Fri, 2024-11-01 at 12:17 -0700, Neon Dazzle wrote:
>
> You don't often get email from [email protected] why this is
> important <https://aka.ms/LearnAboutSenderIdentification>
>
> Hi everyone, we have CAS6 and are trying to setup SSO with our Atlassian
> org on the cloud. It seems like we almost have it, we get redirected to CAS
> and the login works, but we can't get redirected to Atlassian after, we are
> stuck in CAS.
> It seems like there is not json parameters for redirection so I'm
> wondering where we should put the ACS adresse given by Atlassian.
> All our other services connected with CAS provide metadata files so it's
> easy, but Atlassian doesnt provide that.
> Has anyone been able to setup SSO with Atlassian Cloud?
>
>
>
>
>
>
>
>
> --
>
> Ocean Liu | Enterprise Web Developer | Whitman College
> WCTS Building 105F - 509.527.4973 <(509)%20527-4973>
>
>
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e1ef43f-79ef-45a9-8a7c-5da17c5fb30en%40apereo.org.
