In case anyone else is interested or runs into this problem, I was able to get SSO working by running CAS in Tomcat 7 instead of Jetty 8. I also changed to using a DSA key instead of RSA, because Marvin Addison found a possible problem with RSA support.

I haven't spent the time to track down why dig signatures fail with Jetty. I'm guessing Jetty's class loader finds a different JSR 105 provider or jdom implementation than Tomcat. I was hoping to use Jetty, but Tomcat will also work for us. Thanks Marvin and everyone else who has offered help.

David

On Feb 8, 2013, at 11:24 AM, Marvin Addison <[email protected]> wrote:

>> I can't see how it could be a mismatched certificate problem. I've independently tested the SAML produced by cas with xmlsec1 using the certificate I uploaded to Google.
>
> Would it be possible to share a test SAML payload and your cert? While it may be a little uncomfortable to share these, it's perfectly safe from a crypto perspective. It would save some time generating test vectors. I can likely do it myself, but it would be a considerable time sink for me and our dev Google apps domain admin. I'd rather concentrate on analyzing a potential integration problem with existing data.
>
> Thanks,
> M
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
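A small diagnostic for the class-loader hypothesis above, added here as an example and not code from the thread or from CAS: it prints which JSR 105 XMLSignatureFactory provider the running JVM selected and validates a signed SAML response file against the certificate uploaded to the service provider, reporting the SignatureValue check separately from each Reference digest when core validation fails. The command-line file paths and the SAML "ID" attribute registration are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlSigCheck {
    // Usage: java SamlSigCheck response.xml idp-cert.pem
    public static void main(String[] args) throws Exception {
        // Which JSR 105 implementation did this container's class loader pick?
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        System.out.println("JSR 105 provider: " + fac.getProvider().getName()
            + " / " + fac.getClass().getName());

        // XML DSig requires a namespace-aware DOM; refuse DOCTYPEs to avoid XXE.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalStateException("no ds:Signature found");

        // Public key from the certificate given to the relying party (e.g. Google).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new FileInputStream(args[1]));
        PublicKey key = cert.getPublicKey();
        System.out.println("Certificate key algorithm: " + key.getAlgorithm());

        DOMValidateContext ctx = new DOMValidateContext(key, sigs.item(0));
        // Assumption: SAML 2.0 elements carry an "ID" attribute that References point at;
        // without registering it, the DOM provider cannot resolve "#..." URIs.
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttribute("ID")) ctx.setIdAttributeNS(e, null, "ID");
        }

        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        boolean ok = sig.validate(ctx);
        System.out.println("Core validation: " + ok);
        if (!ok) {
            // Separate a bad SignatureValue (key/algorithm mismatch) from bad digests
            // (canonicalization or transform differences between providers).
            System.out.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference r = (Reference) o;
                System.out.println("Reference '" + r.getURI() + "' digest valid: " + r.validate(ctx));
            }
        }
    }
}
```

Running the same class under both containers shows whether the provider name differs and, if validation fails, whether the signature value or the reference digests are what disagree.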
