Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2022-02-21 Thread Joseph Zhou
We have got the answers to my questions, so feel free to ignore them.
For those experiencing the same issue, the answers are:
1. "https://login/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL" 
needs to be set to get the contents decrypted; we did not find other ways so 
far to keep it on https://login/cas/login.
2. After the decryption worked, we would get https://login/..service=.. 

On Sunday, February 13, 2022 at 10:27:33 AM UTC-5 Joseph Zhou wrote:

> Hi, Doug,
>
> This is a great article we came across!
> We met the same issue - could not redirect back to Google after a 
> successful login to our 3rd-party IdP server running CAS 6.2.2 and configured 
> mostly as your instructions indicated. We have an old CAS 
> 3.5.2 server working well with Google Workspace. However, we'd like to get 
> it replaced with the new version server. Then we hit this problem.
>
> We tried to match the old certificate by copying the certificate/key 
> from the old server to the new one and renaming them to idp-signing.crt/key. 
> Tested again, still not working, and the web browser stalled at the 
> following and could not go back to the Google site:
>
>
> https://login/cas/login?SAMLRequest=fVJNT%2BMwEL2vxH%2BwfM8nIK2sJqiAEJXYJaLpHrg5zjRxccbB4zTLv980BQGH7fX5zfsYz%2BLqb2fYHhxpixlPwpgzQGVrjU3GN%2BVd8JNf5Wc%2FFiQ704vl4Ft8gtcByLNpEknMDxkfHAorSZNA2QEJr8R6%2BetBpGEseme9VdZwtrrNeN9UuFMN9C22IF92qNRLA92ut7qqK2x3pq23VaM5%2B%2FMRKz3EWhENsELyEv0ExWkaxGmQnJdJLNJEXF48c1a8O11rPDY4Fas6kkjcl2URFI%2FrchbY6xrc74md8cbaxkCobHewLySR3k%2FwVhoCzpZE4PwU8MYiDR24Nbi9VrB5esh4631PIorGcQw%2FZSIZjUoh%2BBDqIZKKeD5vVszl3JeVno4uP6x5%2Fim%2BiL5I5e8%2Fdiiyui2s0eqNLY2x440D6acW3g1TiTvrOun%2F75aEyYzoOtjOVDEg9aD0VkPNWZQfXb%2BfxnQw%2FwA%3D=https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%26service%3Dmail%26ifkv%3DAU9NCcypcYDQKWRdjhacvr7DhikwSR09KKGWWYVDKWiE9idgAlBNjzjnURt0QKtiOLKcOXmR1iAB-g
>
> My questions are:
>
> For your instruction step 8 b, you entered 
> "https://login/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"; 
> is it mandatory that this needs to be set? 
> I am asking this question because usually we had our "Sign-in page 
> URL" set to https://login/cas/login, and it was working well for all 
> other websites running SAML 2, and it is also configured like that on Google 
> Workspace currently for our old version server; we did not try to change it 
> yet.
>
> My 2nd question is:
> On your current configuration that is running well, are you getting the web link 
> from Google in the format of
> https://login/cas/login?SAMLRequest=. or something like 
> https://login/..service=..
>
> Appreciate your kind help and time very much!
>
> Joe
>
> On Wednesday, September 23, 2020 at 11:46:37 PM UTC-4 Doug C wrote:
>
>> Yep.  The certificate was the issue.  I do have it working now but I have 
>> two questions regarding warnings I am seeing.
>>
>> I get the following warning:
>>
>> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - > exceeds 80 bytes: 
>> https://www.google.com/a/example.com/ServiceLogin?service=mail=true=false=https%3A%2F%2Fmail.google.com%2Fmail%2F=1=default=2=1=1
>> >
>>
>> Is this normal and a result of the way G Suite does SAML?  Or is there 
>> something I can configure to make CAS happy and not feel the need to warn 
>> me?
>>
>> Also, I get this warning upon signing out of G Suite:
>>
>> WARN 
>> [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>> - > google.com/a/example.com]>
>>
>> I read somewhere online that Google does not provide Single Log Out 
>> (SLO).  Is there a way to disable SLO for a service so I don't get this 
>> warning?  I want to keep SLO enabled in general.
>>
>> Thanks!
>>
>> *Instructions for Others*
>>
>> In case someone else is trying to figure this out, here is what I think 
>> constitutes all the steps that I took to get this working.  You should 
>> replace all instances of example.com and cas-server-url with what is 
>> appropriate for the system being configured.
>>
>> 1.  Add the following dependency in the WAR overlay build.gradle file.
>>
>> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>>
>> 2.  Add the following line to cas.properties.
>>
>> cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp
>>
>> 3.  Create a service definition file in /etc/cas/services.
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "google.com/a/example.com",
>>   "name" : "G Suite",
>>   "id" : 1002,
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ 

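The thread above turns on two mechanics of the SAML 2.0 HTTP-Redirect binding: the SAMLRequest query parameter carries a raw-DEFLATEd, base64-encoded AuthnRequest that CAS decodes at its /cas/idp/profile/SAML2/Redirect/SSO endpoint (Joe's finding about the "Sign-in page URL"), and the RelayState parameter is limited to 80 bytes by the SAML 2.0 Bindings specification, which is the rule behind the warning Doug quotes. The following Python script is an added example, not code from the thread or from the CAS project: it builds such a redirect URL the way an SP would and decodes it back the way an IdP administrator does when debugging, flagging the wrong endpoint path and an oversized RelayState. The AuthnRequest, its ACS URL and the long RelayState are constructed samples modelled on the values quoted in the thread; the 80-byte limit and the deflate/base64 encoding come from the specification.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# SAML 2.0 Bindings spec, section 3.4.3: RelayState MUST NOT exceed 80 bytes.
# The CAS "exceeds 80 bytes" warning quoted in the thread enforces exactly this rule.
RELAYSTATE_MAX_BYTES = 80
# Path of the CAS endpoint that decodes Redirect-binding requests (the "Sign-in page URL" from the thread).
REDIRECT_SSO_PATH = "/cas/idp/profile/SAML2/Redirect/SSO"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def deflate_b64(xml_text: str) -> str:
    """Raw DEFLATE (wbits=-15, no zlib header) then base64, as the HTTP-Redirect binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(sso_endpoint: str, authn_request_xml: str, relay_state: Optional[str] = None) -> str:
    """URL the SP (here Google) sends the browser to. A signature, if any, travels in separate
    SigAlg/Signature query parameters, never inside the deflated XML."""
    params = {"SAMLRequest": deflate_b64(authn_request_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_endpoint}?{urlencode(params)}"


def inspect_redirect_url(url: str) -> dict:
    """Decode a redirect URL and report what an IdP administrator checks while debugging."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    root = ET.fromstring(inflate_b64(query["SAMLRequest"][0]))
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    relay_state = query.get("RelayState", [None])[0]
    relay_bytes = len(relay_state.encode("utf-8")) if relay_state is not None else 0

    findings = []
    if parsed.path != REDIRECT_SSO_PATH:
        findings.append(f"request sent to {parsed.path}; the thread reports CAS only decoded it at {REDIRECT_SSO_PATH}")
    if relay_bytes > RELAYSTATE_MAX_BYTES:
        findings.append(f"RelayState is {relay_bytes} bytes, over the {RELAYSTATE_MAX_BYTES}-byte limit")
    return {
        "endpoint_path": parsed.path,
        "issuer": issuer.text if issuer is not None else None,
        "request_id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state_bytes": relay_bytes,
        "findings": findings,
    }


# Constructed sample AuthnRequest; the Issuer matches the "serviceId" in the thread's service definition,
# the ACS URL is a constructed placeholder in Google's style.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example1" Version="2.0" IssueInstant="2022-02-13T15:27:33Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs">'
    "<saml:Issuer>google.com/a/example.com</saml:Issuer>"
    "</samlp:AuthnRequest>"
)
# Constructed RelayState in the shape of the Google ServiceLogin URL quoted in the thread (well over 80 bytes).
LONG_RELAY_STATE = (
    "https://www.google.com/a/example.com/ServiceLogin?service=mail"
    "&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F"
)

GOOD_URL = build_redirect_url("https://login" + REDIRECT_SSO_PATH, SAMPLE_AUTHN_REQUEST, LONG_RELAY_STATE)
WRONG_ENDPOINT_URL = build_redirect_url("https://login/cas/login", SAMPLE_AUTHN_REQUEST, "short")

if __name__ == "__main__":
    for candidate in (GOOD_URL, WRONG_ENDPOINT_URL):
        print(inspect_redirect_url(candidate))
```

Run the script and the first URL reports only the RelayState length finding, which is why the warning is harmless noise produced by Google's long continue URL rather than a misconfiguration; the second reports that the request was pointed at /cas/login, the situation Joe describes before switching the "Sign-in page URL".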
[cas-user] CAS cas-overlay-template branch 6.3 not available

2022-02-21 Thread Jorge Rodríguez
Hi,

does anyone know what's up with branch 6.3 of cas-overlay-template in 
GitHub?

https://github.com/apereo/cas-overlay-template/tree/6.3 displays no files, 
just a readme.md:

IMPORTANT NOTE

*This repository is always automatically generated from the CAS Initializr. 
Do NOT submit pull requests here as the change-set will be overwritten on 
the next sync. To learn more, please visit the CAS documentation.*

Regards,

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/88516029-b5bc-48af-b58a-7d86322525e9n%40apereo.org.


Re: [cas-user] SAML Service not authorized

2022-02-21 Thread Jorge Rodríguez
Hi Ray,

the time is synchronized between the CAS server and the SP; they have the same time.

The Redirect/SSO endpoint is defined in the IdP metadata.

Which metadata entry do you refer to? The metadataSignatureLocation label?

On Fri, 18 Feb 2022 at 17:07, Ray Bon () wrote:

> Jorge,
>
> Assuming you are east of UTC by one hour, the issue instant is 36 seconds
> ahead of your log entries. Not sure if this is enough drift to cause a
> problem. I would also expect a different error.
>
> Make sure your IdP metadata has the Redirect/SSO endpoint. Again I would
> expect a different error message.
>
> You may not need the metadata entry in the service definition. See
> https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#per-service
>
> Ray
>
> On Fri, 2022-02-18 at 09:27 +0100, Jorge Rodríguez wrote:
>
> Hi Ray, I have defined another service provider and I have the same
> problem with it, but let me focus on the first one.
>
> This is the log generated when connecting the SP to the CAS via SAML:
>
> 2022-02-18 09:17:00,781 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor]
> -  from http request>
> 2022-02-18 09:17:00,789 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
> -  https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]
> from authentication request>
> 2022-02-18 09:17:00,810 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
> -  [AbstractWebApplicationService(id=
> https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719,
> originalUrl=
> https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719,
> artifactId=null, principal=null, source=null, loggedOutAlready=false,
> format=XML, attributes={entityId=[
> https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719],
> SAMLRequest=[...],
> RelayState=[aHR0cHM6Ly9hZHNzcHdoLmluZ2VuaWFkZW1vbGFiLmVzOjkyNTEvc2FtbExvZ2luL0xPR0lOX0FVVEg=]})]>
> 2022-02-18 09:17:00,818 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
> -  https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]
> by attempting to run through the metadata chain...>
> 2022-02-18 09:17:00,819 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver]
> - 
> 2022-02-18 09:17:00,828 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver]
> -  [/etc/cas/saml/mfa-metadata.xml]>
> 2022-02-18 09:17:00,830 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataResolverCacheLoader]
> - 
> 2022-02-18 09:17:00,833 INFO
> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver]
> - 
> 2022-02-18 09:17:00,835 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
> -  [/etc/cas/saml/mfa-metadata.xml], so RequiredValidUntilFilter will not be
> invoked>
> 2022-02-18 09:17:00,837 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
> -  [/etc/cas/saml/mfa-signing.crt]>
> 2022-02-18 09:17:00,842 DEBUG [org.apereo.cas.support.saml.SamlUtils] -
>  [/etc/cas/saml/mfa-signing.crt]]>
> 2022-02-18 09:17:00,850 INFO [org.apereo.cas.support.saml.SamlUtils] -
>  [/etc/cas/saml/mfa-signing.crt]]>
> 2022-02-18 09:17:00,851 DEBUG [org.apereo.cas.support.saml.SamlUtils] -
>  [X509Credential]>
> 2022-02-18 09:17:00,859 DEBUG [org.apereo.cas.support.saml.SamlUtils] -
> 
> 2022-02-18 09:17:00,869 DEBUG [org.apereo.cas.support.saml.SamlUtils] -
>  [/etc/cas/saml/mfa-signing.crt]]>
> 2022-02-18 09:17:00,870 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
> -
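Ray's two diagnostics above (compare the AuthnRequest IssueInstant against the CAS log clock, and confirm that the IdP metadata actually advertises an HTTP-Redirect SingleSignOnService) can be scripted so they are checked the same way every time. The following Python is an added example, not code from the thread or from CAS: the metadata documents are constructed, the log timestamp is the one quoted in Jorge's log, the +1 h UTC offset is Ray's assumption, and the IssueInstant is a constructed value placed about 36 seconds ahead, since the thread does not show the real one.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sso_endpoints(idp_metadata_xml: str) -> dict:
    """Return {binding URI: Location} for every SingleSignOnService under the IDPSSODescriptor."""
    root = ET.fromstring(idp_metadata_xml)
    return {
        el.get("Binding"): el.get("Location")
        for el in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", MD_NS)
    }


def redirect_sso_location(idp_metadata_xml: str):
    """Location of the HTTP-Redirect SSO endpoint, or None when the metadata lacks one (Ray's check)."""
    return sso_endpoints(idp_metadata_xml).get(REDIRECT_BINDING)


def parse_saml_instant(value: str) -> datetime:
    """SAML dateTime values are UTC and end in 'Z'; older fromisoformat() only understands '+00:00'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def parse_cas_log_time(stamp: str, utc_offset_hours: int) -> datetime:
    """CAS log timestamps ('2022-02-18 09:17:00,781') are local time with no zone; the caller supplies the offset."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")
    return naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def issue_instant_skew_seconds(issue_instant: str, log_time: datetime) -> float:
    """Seconds by which the SP's IssueInstant is ahead of the IdP's log clock (negative = behind)."""
    return (parse_saml_instant(issue_instant) - log_time).total_seconds()


# Constructed IdP metadata that does advertise the Redirect endpoint; entityID as in the thread's cas.properties.
IDP_METADATA_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cas-server-url/cas/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same descriptor with only a (constructed) POST endpoint: the case Ray asks Jorge to rule out.
IDP_METADATA_NO_REDIRECT = IDP_METADATA_OK.replace("HTTP-Redirect", "HTTP-POST").replace("Redirect/SSO", "POST/SSO")

# Timestamp from Jorge's log; +1 h is Ray's assumption; the IssueInstant is constructed ~36 s ahead.
LOG_TIME = parse_cas_log_time("2022-02-18 09:17:00,781", utc_offset_hours=1)
ISSUE_INSTANT = "2022-02-18T08:17:36Z"

if __name__ == "__main__":
    print("Redirect SSO endpoint:", redirect_sso_location(IDP_METADATA_OK))
    print("Redirect SSO endpoint (broken metadata):", redirect_sso_location(IDP_METADATA_NO_REDIRECT))
    print("IssueInstant skew (s):", issue_instant_skew_seconds(ISSUE_INSTANT, LOG_TIME))
```

A positive skew means the SP's clock is ahead of the IdP's; both sides normally run NTP, and a value of tens of seconds is worth recording even when, as Ray notes, a different error would be expected from drift alone. Feed your own published IdP metadata to redirect_sso_location() before chasing service-definition issues.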