I don't have access to my files right now, but I think everything needed is in this thread right now. If you have any specific question, maybe I can help.
On Tue, Jan 14, 2025, 12:59 PM Mark Thompson <[email protected]> wrote:

> Hello
>
> Any chance you can share your setup? We have been fighting with CAS and
> Atlassian for a bit.
>
> On Tuesday, December 3, 2024 at 9:36:42 AM UTC-5 Neon Dazzle wrote:
>
>> Hi everyone, I finally got it working.
>> The attribute was the problem. I was passing email as a NameID as per the
>> Atlassian doc, but it needs to be the primary attribute.
>> This line made it work:
>>
>> {
>>   @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
>>   usernameAttribute: mail
>> }
>>
>> Thank you so much to all of you for helping me with this. I appreciate it!
>>
>> Have a nice day.
>>
>> On Monday, November 18, 2024 at 22:04:21 UTC-5, Ray Bon wrote:
>>
>>> Neon,
>>>
>>> I wonder if the empty issuerEntityId could cause a problem. Remove it.
>>> As Robert suggested, check the logs. Perhaps turn up logging for
>>> opensaml.
>>>
>>> Ray
>>>
>>> On Mon, 2024-11-18 at 07:14 -0800, Neon Dazzle wrote:
>>>
>>> Thank you for your help, I changed the file and added the line as per
>>> your suggestion:
>>>
>>> {
>>>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>   "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
>>>   "name": "JIRA",
>>>   "id": 1726778135108,
>>>   "description": "JIRA",
>>>   "proxyTicketExpirationPolicy": {
>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>>   },
>>>   "serviceTicketExpirationPolicy": {
>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>>   },
>>>   "evaluationOrder": 27,
>>>   "attributeReleasePolicy": {
>>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>   },
>>>   "accessStrategy": {
>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>     "requireAllAttributes": false
>>>   },
>>>   "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
>>>   "issuerEntityId": "",
>>>   "signingCredentialType": "X509"
>>> }
>>>
>>> Unfortunately, I get the same error that the application is not
>>> authorized to use CAS.
>>> I can see the service on the GUI.
>>>
>>> I'm very confused. I feel like everything is there. What am I missing?
>>>
>>> On Friday, November 15, 2024 at 16:51:56 UTC-5, Ocean Liu wrote:
>>>
>>> Please check
>>> https://apereo.github.io/cas/7.1.x/services/SAML2-Service-Management.html
>>> for the example.
>>>
>>> I think you are missing `"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",`
>>>
>>> On Fri, Nov 15, 2024 at 12:38 PM Neon Dazzle <[email protected]> wrote:
>>>
>>> Thank you so much.
>>> I changed the endpoint and now it's telling me my application is not authorized
>>> to use CAS. It's weird because I can see the service entry when I go to
>>> this endpoint: cas/actuator/registeredService
>>>
>>> {
>>>   "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
>>>   "name": "JIRA",
>>>   "id": 1726778135108,
>>>   "description": "JIRA",
>>>   "proxyTicketExpirationPolicy": {
>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>>   },
>>>   "serviceTicketExpirationPolicy": {
>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>>   },
>>>   "evaluationOrder": 27,
>>>   "attributeReleasePolicy": {
>>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>   },
>>>   "accessStrategy": {
>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>     "requireAllAttributes": false
>>>   },
>>>   "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
>>>   "issuerEntityId": "",
>>>   "signingCredentialType": "X509"
>>> },
>>>
>>> I must be still missing something.
>>>
>>> On Friday, November 15, 2024 at 13:38:43 UTC-5, Ocean Liu wrote:
>>>
>>> Neon, the Destination in the SAMLRequest does not look right.
>>>
>>> It should be something like
>>> https://cas.example.com/idp/profile/SAML2/Redirect/SSO, please check
>>> your IdP metadata <SingleSignOnService
>>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" part.
>>>
>>> And then, you need to change the Identity provider SSO URL in your
>>> Atlassian admin panel.
>>> https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/#Copy-details-from-your-identity-provider-to-your-Atlassian-organization
>>>
>>> If you look at the dev tool, Atlassian was probably redirecting the
>>> client to the CAS home page (/cas), instead of the SSO page
>>> (/cas/idp/profile/SAML2/Redirect/SSO), so the CAS app does not know to
>>> handle the parameters.
>>>
>>> Good luck!
>>>
>>> On Friday, November 15, 2024 at 8:46:18 AM UTC-8 Neon Dazzle wrote:
>>>
>>> Thank you so much to both of you for your answers! It's very appreciated.
>>> I did more tests and I still can't get this to work. I get the same
>>> result: I get sent to CAS from Atlassian, I enter my credentials, and then
>>> I don't get sent back to Atlassian, I'm stuck in CAS. The message says that
>>> I see this page because CAS doesn't know my final destination.
>>> I installed samltracer as suggested to try and find my mistake but I
>>> can't see it :(.
>>>
>>> Here is my metadata file:
>>>
>>> <?xml version="1.0"?>
>>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>>     validUntil="2024-11-03T19:47:00Z" cacheDuration="PT604800S"
>>>     entityID="https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc">
>>>   <md:SPSSODescriptor AuthnRequestsSigned="false"
>>>       WantAssertionsSigned="false"
>>>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>>     <md:KeyDescriptor use="signing">
>>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>         <ds:X509Data>
>>>           <ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
>>>         </ds:X509Data>
>>>       </ds:KeyInfo>
>>>     </md:KeyDescriptor>
>>>     <md:KeyDescriptor use="encryption">
>>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>         <ds:X509Data>
>>>           <ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
>>>         </ds:X509Data>
>>>       </ds:KeyInfo>
>>>     </md:KeyDescriptor>
>>>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>>>     <md:AssertionConsumerService
>>>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>         Location="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
>>>         index="1"/>
>>>   </md:SPSSODescriptor>
>>> </md:EntityDescriptor>
>>>
>>> And here is the request I see using saml-tracer:
>>>
>>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>     AssertionConsumerServiceURL="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
>>>     Destination="https://cas6dev.polymtl.ca/cas"
>>>     ID="_c59ebaed7f8b7fbc8dd55d5b0afb84fb"
>>>     IssueInstant="2024-11-15T15:59:41.525Z"
>>>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>     Version="2.0">
>>>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc</saml2:Issuer>
>>>   <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>>> </saml2p:AuthnRequest>
>>>
>>> Can you see any obvious mistake I am making?
>>>
>>> On Tuesday, November 5, 2024 at 23:38:01 UTC-5, Ray Bon wrote:
>>>
>>> Neon,
>>>
>>> The Location and Binding protocol must match what is sent in the request.
>>> You can use a browser plugin like samltracer to see what the
>>> request/response looks like.
>>> Also check cas logs.
>>>
>>> Ray
>>>
>>> On Tue, 2024-11-05 at 10:44 -0800, Neon Dazzle wrote:
>>>
>>> Thank you so much for your answer.
>>> I created the metadata file using a web service and added:
>>>
>>> <md:AssertionConsumerService
>>>     index="1"
>>>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>     Location="https://atlassian.start.com" />
>>>
>>> I'm still getting no redirection and I stay on the CAS website.
>>>
>>> On Monday, November 4, 2024 at 13:38:22 UTC-5, Ray Bon wrote:
>>>
>>> Neon,
>>>
>>> ACS is required in metadata.
>>> You can create the metadata file if the vendor does not supply it. There
>>> are some online services that will help.
>>>
>>> Ray
>>>
>>> On Fri, 2024-11-01 at 12:17 -0700, Neon Dazzle wrote:
>>>
>>> Hi everyone, we have CAS6 and are trying to set up SSO with our Atlassian
>>> org on the cloud. It seems like we almost have it, we get redirected to CAS
>>> and the login works, but we can't get redirected to Atlassian after, we are
>>> stuck in CAS.
>>> It seems like there are no JSON parameters for redirection so I'm
>>> wondering where we should put the ACS address given by Atlassian.
>>> All our other services connected with CAS provide metadata files so it's
>>> easy, but Atlassian doesn't provide that.
>>> Has anyone been able to set up SSO with Atlassian Cloud?
>>>
>>> --
>>> Ocean Liu | Enterprise Web Developer | Whitman College
>>> WCTS Building 105F - 509.527.4973

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMSBOXEJjUHgaaWkGwCnv9sUsDuwWbriWe87%2BiE%2BpQMaDF4iVw%40mail.gmail.com.
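The replies in this thread point at three separate mismatches: the AuthnRequest Destination hitting the CAS home page instead of the IdP SSO endpoint, an AssertionConsumerService whose Location/Binding must match the request, and a CAS service JSON that lacks the SamlRegisteredService `@class`. The following script is an added diagnostic written for this thread (not code from the CAS project or from anyone in the discussion) that checks all three against an SP metadata file, a request captured with saml-tracer and the service JSON; the sample inputs are constructed from the values quoted above, with certificate elements dropped, and the IdP SSO URL is an assumption.

```python
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

def check_sp_setup(metadata_xml, authn_request_xml, service_json, idp_sso_url):
    """Return human-readable mismatches between SP metadata, the AuthnRequest
    captured with saml-tracer, and the CAS service JSON; [] means consistent."""
    problems = []
    md = ET.fromstring(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    svc = json.loads(service_json)
    # 1. Destination must be the IdP SSO endpoint, not the CAS home page (/cas).
    if req.get("Destination") != idp_sso_url:
        problems.append(f"Destination {req.get('Destination')!r} is not the IdP SSO URL {idp_sso_url!r}")
    # 2. Metadata must list an AssertionConsumerService with matching Location AND Binding.
    acs = {(a.get("Location"), a.get("Binding"))
           for a in md.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)}
    wanted = (req.get("AssertionConsumerServiceURL"), req.get("ProtocolBinding"))
    if wanted not in acs:
        problems.append(f"no AssertionConsumerService matches {wanted}")
    # 3. The service must be a SamlRegisteredService whose serviceId is the SP entityID/Issuer.
    issuer = (req.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if svc.get("@class") != SAML_SERVICE_CLASS:
        problems.append(f"service JSON lacks '@class': {SAML_SERVICE_CLASS}")
    if not (svc.get("serviceId") == md.get("entityID") == issuer):
        problems.append("serviceId, metadata entityID and request Issuer disagree")
    return problems

# Constructed samples modelled on the thread's values (certificate elements omitted).
ENTITY = "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc"
ACS_URL = "https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_URL = "https://cas6dev.polymtl.ca/cas/idp/profile/SAML2/Redirect/SSO"  # assumed IdP SSO endpoint
METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="{ENTITY}"><md:SPSSODescriptor>'
            f'<md:AssertionConsumerService Binding="{POST}" Location="{ACS_URL}" index="1"/>'
            f'</md:SPSSODescriptor></md:EntityDescriptor>')
BROKEN_SERVICE = json.dumps({"serviceId": ENTITY, "name": "JIRA"})  # no @class, as first posted
FIXED_SERVICE = json.dumps({"@class": SAML_SERVICE_CLASS, "serviceId": ENTITY, "name": "JIRA"})

def authn_request(destination):
    """Minimal AuthnRequest like the one in the thread, with a chosen Destination."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'AssertionConsumerServiceURL="{ACS_URL}" Destination="{destination}" '
            f'ProtocolBinding="{POST}"><saml:Issuer>{ENTITY}</saml:Issuer></samlp:AuthnRequest>')
```

Run `check_sp_setup` with the real files and the paste from saml-tracer; with the thread's original request (Destination ending in `/cas`) and the first service JSON it reports the Destination and the missing `@class`, and an empty list once both are corrected.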
