Hello

Any chance you can share your setup? We have been fighting with CAS and 
Atlassian for a bit. 

On Tuesday, December 3, 2024 at 9:36:42 AM UTC-5 Neon Dazzle wrote:

> Hi everyone, I finally got it working.
> The attribute was the problem. I was passing email as a NameID as per the 
> Atlassian doc, but it needs to be the primary attribute.
> This line made it work:
>
> {
>   "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>   "usernameAttribute": "mail"
> }
>
>
> Thank you so much to all of you for helping me with this. I appreciate it!
>
> Have a nice day.
>
>
> On Monday, November 18, 2024 at 22:04:21 UTC-5, Ray Bon wrote:
>
>> Neon,
>>
>> I wonder if the empty issuerEntityId could cause a problem. Remove it.
>> As Robert suggested, check the logs. Perhaps turn up logging for opensaml.
>>
>> Ray
>>
>> On Mon, 2024-11-18 at 07:14 -0800, Neon Dazzle wrote:
>>
>>
>> Thank you for your help, I changed the file and added the line as per 
>> your suggestion:
>>
>> {
>>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
>>   "name": "JIRA",
>>   "id": 1726778135108,
>>   "description": "JIRA",
>>   "proxyTicketExpirationPolicy": {
>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>   },
>>   "serviceTicketExpirationPolicy": {
>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>   },
>>   "evaluationOrder": 27,
>>   "attributeReleasePolicy": {
>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   },
>>   "accessStrategy": {
>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>     "requireAllAttributes": false
>>   },
>>   "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
>>   "issuerEntityId": "",
>>   "signingCredentialType": "X509"
>> }
>>
>>
>> Unfortunately, I get the same error that the application is not 
>> authorized to use CAS.
>> I can see the service in the GUI (two screenshots of the service entry were attached).
>>
>> I'm very confused. I feel like everything is there. What am I missing?
>>
>> On Friday, November 15, 2024 at 16:51:56 UTC-5, Ocean Liu wrote:
>>
>> Please check 
>> https://apereo.github.io/cas/7.1.x/services/SAML2-Service-Management.html 
>> for the example.
>>
>> I think you are missing `"@class" : 
>> "org.apereo.cas.support.saml.services.SamlRegisteredService",`
>>
>> On Fri, Nov 15, 2024 at 12:38 PM Neon Dazzle <[email protected]> wrote:
>>
>> Thank you so much.
>> I changed the endpoint and now it's telling me my application is not authorized 
>> to use CAS. It's weird because I can see the service entry when I go to 
>> this endpoint: cas/actuator/registeredService
>>
>> {
>>   "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
>>   "name": "JIRA",
>>   "id": 1726778135108,
>>   "description": "JIRA",
>>   "proxyTicketExpirationPolicy": {
>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>   },
>>   "serviceTicketExpirationPolicy": {
>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>   },
>>   "evaluationOrder": 27,
>>   "attributeReleasePolicy": {
>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   },
>>   "accessStrategy": {
>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>     "requireAllAttributes": false
>>   },
>>   "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
>>   "issuerEntityId": "",
>>   "signingCredentialType": "X509"
>> }
>>
>> I must still be missing something.
>>
>> On Friday, November 15, 2024 at 13:38:43 UTC-5, Ocean Liu wrote:
>>
>> Neon, the Destination in the SAMLRequest does not look right.
>>
>> It should be something like 
>> https://cas.example.com/idp/profile/SAML2/Redirect/SSO; please check the 
>> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ...> 
>> part of your IdP metadata.
>>
>> And then you need to change the Identity provider SSO URL in your 
>> Atlassian admin panel: 
>> https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/#Copy-details-from-your-identity-provider-to-your-Atlassian-organization
>>
>> If you look at the dev tools, Atlassian was probably redirecting the 
>> client to the CAS home page (/cas) instead of the SSO page 
>> (/cas/idp/profile/SAML2/Redirect/SSO), so the CAS app does not know how to 
>> handle the parameters.
>>
>> Good luck!
>>
>> On Friday, November 15, 2024 at 8:46:18 AM UTC-8 Neon Dazzle wrote:
>>
>>
>> Thank you so much to both of you for your answers! It's very appreciated.
>> I did more tests and I still can't get this to work. I get the same 
>> result: I get sent to CAS from Atlassian, I enter my credentials, and then 
>> I don't get sent back to Atlassian; I'm stuck in CAS. The message says that 
>> I see this page because CAS doesn't know my final destination.
>> I installed samltracer as suggested to try and find my mistake, but I 
>> can't see it :(.
>>
>> Here is my metadata file:
>>
>> <?xml version="1.0"?>
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>     validUntil="2024-11-03T19:47:00Z" cacheDuration="PT604800S"
>>     entityID="https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc">
>>   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
>>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>     <md:KeyDescriptor use="signing">
>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:X509Data>
>>           <ds:X509Certificate>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</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </md:KeyDescriptor>
>>     <md:KeyDescriptor use="encryption">
>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:X509Data>
>>           <ds:X509Certificate>MIIDoTCCAomgAwIBAgIUNhHfnD6GS6Vpe0UmMu5RLDe9SMwwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9udHJlYWwxEDAOBgNVBAoMB1BvbHltdGwxGzAZBgNVBAMMEmNhczZkZXYucG9seW10bC5jYTAeFw0yNDA5MTkxODIxNDVaFw0zNDA5MTcxODIxNDVaMGAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdQb2x5bXRsMRswGQYDVQQDDBJjYXM2ZGV2LnBvbHltdGwuY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgaX5dGAb2xA02O8H1ozE4hmTYvbvV0uemh4DPUjsaybUCIn2Yx4U8HDNn9WigcibfEeD9nTq++jaV8+Gl5LepX5FjmFCNWn+f6t9Oz0h8NFqGj+gcFJURK0ZFOWsB1C7aut/ZRVh3mlJdl8X36BgO1Aufx+C9gQbvUVkWnX3NV3+2TRBB7WrgMFPAw8Y9CMexGK7hYqYQkL0xrau7+swRYZJLhqWU78x0YrOq5kg5Z00RThWPuzyAoif9U0dfUgjo7rXZd489ae3+fpNKAJxtJBif4Y/gq1RII32iNzDp4rpOzO88pZgy8UNJWAPkAYjD8g50RnlW7w8nCWsi6cbZAgMBAAGjUzBRMB0GA1UdDgQWBBRpR8obg/zDQnzAyKGh3bcXyyQlVDAfBgNVHSMEGDAWgBRpR8obg/zDQnzAyKGh3bcXyyQlVDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqVdUgcOyQ+QhRJXTKhhF7z7RxMGjvqnwfWzR3ZE4PADew/J48ULEcEa6VUrNXeyrgAa+YJQivXW4SbVqRzf3RSkwneL4b5ln7oH3eL5Q0ZvKOlxljQvTbhtjPn0jwuWhFtNc/7miBbURb1ywG0DUHD6IpzOjrnzKYCHZkISxFDKSLEkHb3lo0bs31nakA0NqFnbGg2D37T1C95vhPUdbb7xzQqQfa/1qm35vB05hnI2NrIEWyEztLEb30PPizNM6fyLy0U/snA9fgS6Xb++vvN5M2JcbytundR1RupARcguWLe1vprqnYumg9Quph6wjBki0ntH11ZvmNgZDT1K1U</ds:X509Certificate>
>>         </ds:X509Data>
>>       </ds:KeyInfo>
>>     </md:KeyDescriptor>
>>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>>     <md:AssertionConsumerService
>>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>         Location="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
>>         index="1"/>
>>   </md:SPSSODescriptor>
>> </md:EntityDescriptor>
>>
>>
>> And here is the request I see using saml-tracer:
>>
>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>     AssertionConsumerServiceURL="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
>>     Destination="https://cas6dev.polymtl.ca/cas"
>>     ID="_c59ebaed7f8b7fbc8dd55d5b0afb84fb"
>>     IssueInstant="2024-11-15T15:59:41.525Z"
>>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>     Version="2.0">
>>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc</saml2:Issuer>
>>   <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>> </saml2p:AuthnRequest>
>>
>> Can you see any obvious mistake I am making?
>>
>> On Tuesday, November 5, 2024 at 23:38:01 UTC-5, Ray Bon wrote:
>>
>> Neon,
>>
>> The Location and Binding protocol must match what is sent in the request.
>> You can use a browser plugin like samltracer to see what the 
>> request/response looks like.
>> Also check cas logs.
>>
>> Ray
>>
>> On Tue, 2024-11-05 at 10:44 -0800, Neon Dazzle wrote:
>>
>>
>> Thank you so much for your answer.
>> I created the metadata file using a web service and added:
>>
>>     <md:AssertionConsumerService
>>         index="1"
>>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>         Location="https://atlassian.start.com" />
>>
>> I'm still getting no redirection and I stay on the CAS website.
>>
>> On Monday, November 4, 2024 at 13:38:22 UTC-5, Ray Bon wrote:
>>
>> Neon,
>>
>> ACS is required in metadata. 
>> You can create the metadata file if the vendor does not supply it. There 
>> are some online services that will help.
>>
>> Ray
>>
>> On Fri, 2024-11-01 at 12:17 -0700, Neon Dazzle wrote:
>>
>>
>> Hi everyone, we have CAS6 and are trying to set up SSO with our Atlassian 
>> org on the cloud. It seems like we almost have it: we get redirected to CAS 
>> and the login works, but we can't get redirected to Atlassian afterwards; we are 
>> stuck in CAS.
>> It seems like there are no JSON parameters for redirection, so I'm 
>> wondering where we should put the ACS address given by Atlassian.
>> All our other services connected with CAS provide metadata files, so it's 
>> easy, but Atlassian doesn't provide that.
>> Has anyone been able to set up SSO with Atlassian Cloud?
>>
>> -- 
>>
>> Ocean Liu | Enterprise Web Developer | Whitman College
>> WCTS Building 105F - 509.527.4973 <(509)%20527-4973>
>>
>>
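Since the thread only ever shows the final fix as a bare nested object, here is the whole service definition as the thread converges on it, assembled by me as an added example; it is not the original poster's final file and not something published by the Apereo project. It combines the November 18 definition with the username provider from the December 3 reply, drops the empty `issuerEntityId` as Ray suggested, and places the provider under `usernameAttributeProvider`, which is the CAS service property that block belongs to. It also swaps `ReturnAllAttributeReleasePolicy` for an allow-list releasing only `mail`, my own least-privilege choice rather than anything the thread states, since the username provider needs nothing else from the principal; the `java.util.ArrayList` wrapper is the CAS convention for collections in service JSON.

```json
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
  "name": "JIRA",
  "id": 1726778135108,
  "description": "JIRA",
  "evaluationOrder": 27,
  "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
  "signingCredentialType": "X509",
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requireAllAttributes": false
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": ["java.util.ArrayList", ["mail"]]
  },
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "mail"
  }
}
```

If `mail` is not resolved for the principal by your attribute repository, the provider has nothing to put in the NameID and Atlassian will reject the login, so check the released attributes for a test user before narrowing the release policy.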
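Every problem in this thread was a mismatch between four documents: the SP metadata, the IdP metadata, the AuthnRequest captured with saml-tracer, and the CAS service JSON. The following script is an added example, written by me and not taken from the thread, CAS or Atlassian, that cross-checks those documents offline with the Python standard library. The SP metadata, AuthnRequest and service JSON are constructed from the values quoted in the thread (certificates and default policies omitted); the IdP metadata is constructed around the `/cas/idp/profile/SAML2/Redirect/SSO` path Ocean named, and its entityID is an assumption. The serviceId check assumes, as CAS documents, that `serviceId` is a regular expression matched against the SP entityID.

```python
"""Consistency checks for the CAS <-> Atlassian SAML wiring discussed in the thread.
Added example; sample documents are constructed from values quoted in the thread."""
import json
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
USERNAME_PROVIDER_CLASS = "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider"

SP_ENTITY_ID = "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc"
SP_ACS = "https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
IDP_SSO = "https://cas6dev.polymtl.ca/cas/idp/profile/SAML2/Redirect/SSO"  # path named in the thread

# SP metadata as quoted in the thread, certificates omitted.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="{SP_ACS}" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata; the entityID is an assumption, only the SSO path comes from the thread.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://cas6dev.polymtl.ca/cas/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{IDP_SSO}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The AuthnRequest captured with saml-tracer: Destination points at /cas, not at the SSO endpoint.
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{NS['samlp']}" AssertionConsumerServiceURL="{SP_ACS}"
  Destination="https://cas6dev.polymtl.ca/cas" ID="_c59ebaed7f8b7fbc8dd55d5b0afb84fb"
  IssueInstant="2024-11-15T15:59:41.525Z" ProtocolBinding="{HTTP_POST}" Version="2.0">
  <saml2:Issuer xmlns:saml2="{NS['saml']}">{SP_ENTITY_ID}</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</saml2p:AuthnRequest>"""

# The service definition as posted on November 18, reduced to the keys the checks look at.
CAS_SERVICE_AS_POSTED = json.dumps({
    "@class": SAML_SERVICE_CLASS,
    "serviceId": SP_ENTITY_ID,
    "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
    "issuerEntityId": "",
})


def sp_endpoints(sp_metadata_xml):
    """Every (Binding, Location) ACS pair the SP metadata declares (Ray: ACS is required)."""
    root = ET.fromstring(sp_metadata_xml)
    return {(acs.get("Binding"), acs.get("Location"))
            for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)}


def idp_sso_locations(idp_metadata_xml):
    """Binding -> Location for every SingleSignOnService the IdP metadata declares."""
    root = ET.fromstring(idp_metadata_xml)
    return {sso.get("Binding"): sso.get("Location")
            for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}


def check_authn_request(request_xml, sp_metadata_xml, idp_metadata_xml):
    """Problems with a captured AuthnRequest; empty means it agrees with both metadata files."""
    req = ET.fromstring(request_xml)
    sp_entity_id = ET.fromstring(sp_metadata_xml).get("entityID")
    problems = []
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != sp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the SP entityID {sp_entity_id!r}")
    destination = req.get("Destination")
    if destination not in idp_sso_locations(idp_metadata_xml).values():  # Ocean's diagnosis
        problems.append(f"Destination {destination!r} is not a SingleSignOnService of the IdP")
    acs = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL"))
    if acs not in sp_endpoints(sp_metadata_xml):  # Ray: Location and Binding must match
        problems.append(f"ACS {acs} is not declared in the SP metadata")
    return problems


def check_cas_service(service_json, sp_entity_id):
    """Problems with a CAS service definition, covering the pitfalls the thread hit."""
    svc = json.loads(service_json)
    problems = []
    if svc.get("@class") != SAML_SERVICE_CLASS:
        problems.append("@class is not SamlRegisteredService")
    # Assumption: CAS matches serviceId as a regular expression against the SP entityID.
    if not re.fullmatch(svc.get("serviceId", ""), sp_entity_id):
        problems.append(f"serviceId does not match the SP entityID {sp_entity_id!r}")
    if "issuerEntityId" in svc and not svc["issuerEntityId"]:
        problems.append("issuerEntityId is present but empty; remove it")
    if svc.get("usernameAttributeProvider", {}).get("@class") != USERNAME_PROVIDER_CLASS:
        problems.append("usernameAttributeProvider does not release a principal attribute as the NameID")
    return problems


def apply_thread_fixes(service_json):
    """Return the service JSON with the two changes the thread converged on."""
    svc = json.loads(service_json)
    if not svc.get("issuerEntityId"):
        svc.pop("issuerEntityId", None)
    svc["usernameAttributeProvider"] = {"@class": USERNAME_PROVIDER_CLASS, "usernameAttribute": "mail"}
    return json.dumps(svc, indent=2)


if __name__ == "__main__":
    for problem in check_authn_request(AUTHN_REQUEST, SP_METADATA, IDP_METADATA):
        print("AuthnRequest:", problem)
    for problem in check_cas_service(CAS_SERVICE_AS_POSTED, SP_ENTITY_ID):
        print("service JSON:", problem)
```

Run against the thread's own documents it reports exactly the three findings the replies arrived at one by one: the Destination is not an IdP SSO endpoint, `issuerEntityId` is empty, and no username provider releases `mail`. Pointing it at your real SP metadata, your IdP metadata from `/cas/idp/metadata`, and a request copied out of saml-tracer turns the guesswork in this thread into a checklist.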

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/62d0d4a2-f7c1-4135-b019-c1ad46095780n%40apereo.org.
