Hello,
Just wanted to post an update here that we got CAS working. I'll post our JSON
and metadata in case anyone is implementing it in future; our CAS is v6.x,
for reference.
The service JSON is below (serviceId, path names etc. redacted):
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "redacted",
  "name": "redacted",
  "id": redacted,
  "description": "lol",
  "proxyTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
  },
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "mail"
  },
  "serviceTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
  },
  "evaluationOrder": 27,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requireAllAttributes": false
  },
  "metadataLocation": "/etc/redacted.xml",
  "signingCredentialType": "X509"
}
Here is metadata.xml. The cert is redacted, but make sure to use the same cert
for signing and encryption in the metadata; we used the signing cert for both:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2025-01-19T14:44:57Z" cacheDuration="PT604800S"
                     entityID="redacted">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
                      WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>redacted</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>redacted</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="redacted" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
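As an added example (not code from this thread or from the CAS project), here is a small Python pre-flight check for the two files the thread revolves around: it flags SP metadata whose validUntil has passed (the metadata quoted further down carried validUntil="2024-11-03T19:47:00Z" on a Nov 15 post), metadata with no HTTP-POST AssertionConsumerService, signing and encryption KeyDescriptors that do not carry the same certificate, and a service JSON that lacks the SamlRegisteredService @class or carries an empty issuerEntityId. The sample metadata builder, the sp.example.test URL and the placeholder certificate body are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

def check_sp_metadata(xml_text, now=None):
    """Return a list of problems in an SP EntityDescriptor; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    root, problems = ET.fromstring(xml_text), []
    valid_until = root.get("validUntil")  # expired metadata is rejected without a clear UI error
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        problems.append(f"metadata expired on {valid_until}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor"]
    acs = sp.findall("md:AssertionConsumerService", NS)  # the ACS is required for the redirect back
    if not any(a.get("Binding") == HTTP_POST and a.get("Location") for a in acs):
        problems.append("no AssertionConsumerService with HTTP-POST binding and Location")
    certs = {}  # the thread's finding: signing and encryption should carry the same cert
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        certs[kd.get("use")] = (cert.text or "").strip() if cert is not None else ""
    if not certs.get("signing") or certs.get("signing") != certs.get("encryption"):
        problems.append("signing/encryption certificates missing or different")
    return problems

def check_service_json(json_text):
    """Return a list of problems in a CAS registered-service JSON; an empty list means it passed."""
    svc, problems = json.loads(json_text), []
    if svc.get("@class") != SAML_CLASS:  # the SAML IdP only matches SamlRegisteredService entries
        problems.append("@class must be " + SAML_CLASS)
    if not svc.get("metadataLocation"):
        problems.append("metadataLocation is missing")
    if "issuerEntityId" in svc and not svc["issuerEntityId"]:  # empty string, not absent
        problems.append("issuerEntityId is empty; remove the key")
    return problems

def sample_metadata(valid_until, acs_location="https://sp.example.test/acs"):
    """Constructed SP metadata in the shape used in this thread (cert body is a placeholder)."""
    cert = "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
    acs = f'<md:AssertionConsumerService Binding="{HTTP_POST}" Location="{acs_location}" index="1"/>' if acs_location else ""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="urn:example:sp" validUntil="{valid_until}"><md:SPSSODescriptor>'
            f'<md:KeyDescriptor use="signing">{cert}</md:KeyDescriptor>'
            f'<md:KeyDescriptor use="encryption">{cert}</md:KeyDescriptor>{acs}'
            "</md:SPSSODescriptor></md:EntityDescriptor>")
```

Run `check_sp_metadata(open("/etc/cas/saml/sp.xml").read())` and `check_service_json(open("sp.json").read())` against your own files before restarting CAS; an empty list from both is the goal.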
On Friday, January 17, 2025 at 10:04:55 AM UTC-5 K. Asef Erfan wrote:
> Hi, is there a way you could share your Atlassian service JSON file? You
> can edit out the serviceId for privacy reasons.
>
> For some reason in our CAS, giving it "@class":
> "org.apereo.cas.support.saml.services.SamlRegisteredService" causes it to
> not be recognized by CAS as a valid application, but if we change it to a regex
> registered service it is recognized; then, however, it does not send out the correct
> POST to Atlassian, which causes Atlassian to fail the ID.
>
> Thank you, we appreciate everyone's help here!
>
> On Tuesday, January 14, 2025 at 9:56:27 PM UTC-5 Neon Dazzle wrote:
>
>> I don't have access to my files right now, but I think everything needed
>> is in this thread right now.
>> If you have any specific question, maybe I can help.
>>
>> On Tue, Jan 14, 2025, 12:59 PM Mark Thompson <[email protected]>
>> wrote:
>>
>>>
>>> Hello
>>>
>>> Any chance you can share your setup? We have been fighting with CAS and
>>> Atlassian for a bit.
>>>
>>> On Tuesday, December 3, 2024 at 9:36:42 AM UTC-5 Neon Dazzle wrote:
>>>
>>>> Hi everyone, I finally got it working.
>>>> The attribute was the problem. I was passing email as a NameID as per
>>>> the Atlassian doc, but it needs to be the primary attribute.
>>>> This line made it work:
>>>>
>>>> {
>>>>   "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>>>   "usernameAttribute": "mail"
>>>> }
>>>>
>>>>
>>>> Thank you so much to all of you for helping me with this. I appreciate it!
>>>>
>>>> Have a nice day.
>>>>
>>>>
>>>> On Monday, November 18, 2024 at 22:04:21 UTC-5, Ray Bon wrote:
>>>>
>>>>> Neon,
>>>>>
>>>>> I wonder if the empty issuerEntityId could cause a problem. Remove it.
>>>>> As Robert suggested, check the logs. Perhaps turn up logging for
>>>>> opensaml.
>>>>>
>>>>> Ray
>>>>>
>>>>> On Mon, 2024-11-18 at 07:14 -0800, Neon Dazzle wrote:
>>>>>
>>>>>
>>>>> Thank you for your help, I changed the file and added the line as per
>>>>> your suggestion:
>>>>>
>>>>> {
>>>>>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>>   "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
>>>>>   "name": "JIRA",
>>>>>   "id": 1726778135108,
>>>>>   "description": "JIRA",
>>>>>   "proxyTicketExpirationPolicy": {
>>>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>>>>   },
>>>>>   "serviceTicketExpirationPolicy": {
>>>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>>>>   },
>>>>>   "evaluationOrder": 27,
>>>>>   "attributeReleasePolicy": {
>>>>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>>>   },
>>>>>   "accessStrategy": {
>>>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>>>     "requireAllAttributes": false
>>>>>   },
>>>>>   "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
>>>>>   "issuerEntityId": "",
>>>>>   "signingCredentialType": "X509"
>>>>> }
>>>>>
>>>>>
>>>>> Unfortunately, I get the same error that the application is not
>>>>> authorized to use CAS.
>>>>> I can see the service on the gui:
>>>>>
>>>>> I'm very confused. I feel like everything is there. What am I missing?
>>>>>
>>>>> On Friday, November 15, 2024 at 16:51:56 UTC-5, Ocean Liu wrote:
>>>>>
>>>>> Please check
>>>>> https://apereo.github.io/cas/7.1.x/services/SAML2-Service-Management.html
>>>>> for the example.
>>>>>
>>>>> I think you are missing `"@class" :
>>>>> "org.apereo.cas.support.saml.services.SamlRegisteredService",`
>>>>>
>>>>> On Fri, Nov 15, 2024 at 12:38 PM Neon Dazzle <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Thank you so much.
>>>>> I changed the endpoint and now it's telling me my application is not
>>>>> authorized to use CAS. It's weird because I can see the service entry
>>>>> when I go to this endpoint: cas/actuator/registeredService
>>>>>
>>>>> {
>>>>>   "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
>>>>>   "name": "JIRA",
>>>>>   "id": 1726778135108,
>>>>>   "description": "JIRA",
>>>>>   "proxyTicketExpirationPolicy": {
>>>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>>>>   },
>>>>>   "serviceTicketExpirationPolicy": {
>>>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>>>>   },
>>>>>   "evaluationOrder": 27,
>>>>>   "attributeReleasePolicy": {
>>>>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>>>   },
>>>>>   "accessStrategy": {
>>>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>>>     "requireAllAttributes": false
>>>>>   },
>>>>>   "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
>>>>>   "issuerEntityId": "",
>>>>>   "signingCredentialType": "X509"
>>>>> },
>>>>>
>>>>> I must be still missing something.
>>>>> On Friday, November 15, 2024 at 13:38:43 UTC-5, Ocean Liu wrote:
>>>>>
>>>>> Neon, the Destination in the SAMLRequest does not look right.
>>>>>
>>>>> It should be something like
>>>>> https://cas.example.com/idp/profile/SAML2/Redirect/SSO, please check
>>>>> your IdP metadata <SingleSignOnService
>>>>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" part.
>>>>>
>>>>> And then you need to change the identity provider SSO URL in your
>>>>> Atlassian admin panel:
>>>>> https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/#Copy-details-from-your-identity-provider-to-your-Atlassian-organization
>>>>>
>>>>>
>>>>>
>>>>> If you look at the dev tools, Atlassian was probably redirecting the
>>>>> client to the CAS home page (/cas) instead of the SSO page
>>>>> (/cas/idp/profile/SAML2/Redirect/SSO), so the CAS app does not know to
>>>>> handle the parameters.
>>>>>
>>>>> Good luck!
>>>>>
>>>>> On Friday, November 15, 2024 at 8:46:18 AM UTC-8 Neon Dazzle wrote:
>>>>>
>>>>>
>>>>> Thank you so much to both of you for your answers! It's very
>>>>> appreciated.
>>>>> I did more tests and I still can't get this to work. I get the same
>>>>> result: I get sent to CAS from Atlassian, I enter my credentials, and
>>>>> then I don't get sent back to Atlassian; I'm stuck in CAS. The message says
>>>>> that I see this page because CAS doesn't know my final destination.
>>>>> I installed SAML-tracer as suggested to try and find my mistake, but I
>>>>> can't see it :(.
>>>>>
>>>>> Here is my metadata file:
>>>>>
>>>>> <?xml version="1.0"?>
>>>>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>>>>                      validUntil="2024-11-03T19:47:00Z" cacheDuration="PT604800S"
>>>>>                      entityID="https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc">
>>>>>   <md:SPSSODescriptor AuthnRequestsSigned="false"
>>>>>                       WantAssertionsSigned="false"
>>>>>                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>>>>     <md:KeyDescriptor use="signing">
>>>>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>         <ds:X509Data>
>>>>>           <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
>>>>>         </ds:X509Data>
>>>>>       </ds:KeyInfo>
>>>>>     </md:KeyDescriptor>
>>>>>     <md:KeyDescriptor use="encryption">
>>>>>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>         <ds:X509Data>
>>>>>           <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
>>>>>         </ds:X509Data>
>>>>>       </ds:KeyInfo>
>>>>>     </md:KeyDescriptor>
>>>>>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>>>>>     <md:AssertionConsumerService
>>>>>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>>>         Location="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
>>>>>         index="1"/>
>>>>>   </md:SPSSODescriptor>
>>>>> </md:EntityDescriptor>
>>>>>
>>>>>
>>>>> And here is the request I see using SAML-tracer:
>>>>>
>>>>> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>>     AssertionConsumerServiceURL="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
>>>>>     Destination="https://cas6dev.polymtl.ca/cas"
>>>>>     ID="_c59ebaed7f8b7fbc8dd55d5b0afb84fb"
>>>>>     IssueInstant="2024-11-15T15:59:41.525Z"
>>>>>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>>>     Version="2.0">
>>>>>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc</saml2:Issuer>
>>>>>   <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>>>>> </saml2p:AuthnRequest>
>>>>>
>>>>> Can you see any obvious mistake I am making?
>>>>>
>>>>> On Tuesday, November 5, 2024 at 23:38:01 UTC-5, Ray Bon wrote:
>>>>>
>>>>> Neon,
>>>>>
>>>>> The Location and Binding protocol must match what is sent in the
>>>>> request.
>>>>> You can use a browser plugin like SAML-tracer to see what the
>>>>> request/response looks like.
>>>>> Also check the CAS logs.
>>>>>
>>>>> Ray
>>>>>
>>>>> On Tue, 2024-11-05 at 10:44 -0800, Neon Dazzle wrote:
>>>>>
>>>>>
>>>>> Thank you so much for your answer.
>>>>> I created the metadata file using a web service and added:
>>>>>
>>>>> <md:AssertionConsumerService
>>>>>     index="1"
>>>>>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>>>     Location="https://atlassian.start.com" />
>>>>>
>>>>> I'm still getting no redirection and I stay on the CAS website.
>>>>>
>>>>> On Monday, November 4, 2024 at 13:38:22 UTC-5, Ray Bon wrote:
>>>>>
>>>>> Neon,
>>>>>
>>>>> ACS is required in metadata.
>>>>> You can create the metadata file if the vendor does not supply it.
>>>>> There are some online services that will help.
>>>>>
>>>>> Ray
>>>>>
>>>>> On Fri, 2024-11-01 at 12:17 -0700, Neon Dazzle wrote:
>>>>>
>>>>>
>>>>> Hi everyone, we have CAS6 and are trying to set up SSO with our
>>>>> Atlassian org on the cloud. It seems like we almost have it: we get
>>>>> redirected to CAS and the login works, but we can't get redirected to
>>>>> Atlassian afterwards; we are stuck in CAS.
>>>>> It seems like there are no JSON parameters for redirection, so I'm
>>>>> wondering where we should put the ACS address given by Atlassian.
>>>>> All our other services connected with CAS provide metadata files, so
>>>>> it's easy, but Atlassian doesn't provide that.
>>>>> Has anyone been able to set up SSO with Atlassian Cloud?
>>>>> --
>>>>> Ocean Liu | Enterprise Web Developer | Whitman College
>>>>> WCTS Building 105F - 509.527.4973
>>>>>
>>> CONFIDENTIALITY NOTE <https://laurentian.ca/confidentiality> - NOTICE:
>>> CONFIDENTIAL EMAIL.
>>> You can view the confidentiality terms at
>>> https://laurentian.ca/confidentiality. Our confidentiality notice is
>>> available at https://laurentienne.ca/avis
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e6532174-31a7-4b0f-9a73-06432369e534n%40apereo.org.