Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
Does the vendor require you to configure your IdP (CAS server) to obtain
the metadata from them dynamically? Or could you:

   1. Use curl to grab a copy of their metadata from
   https://vendor.com/metadata
   2. Edit the metadata yourself and get rid of the "validUntil" attribute
   3. Put the edited metadata on the CAS server somewhere (e.g.,
   /etc/cas/saml/sp-metadata/vendor.xml) and make sure it has the right
   owner/permissions so CAS can read it
   4. Change the "metadataLocation" field in your service registry entry to
   point at the file instead of the vendor's URL

Should work...

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, May 8, 2018 at 3:01 PM, John D Giotta  wrote:

> We're the identify provider and the vendor is the service provider.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XANQ8HduJbiC%3DJXz1PhMQ-_OL3bc601popa0q%2BM%2BSVerpA%40mail.gmail.com.
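The four steps above, carried out offline as an added example (this is not code from the thread or from the CAS project; it uses only the Python standard library). The metadata is a constructed copy modeled on the SP metadata pasted later in this thread, the timestamp used as "now" is the one on the WARN lines quoted later, and the file path and service-definition fields are the ones the thread itself suggests. One caveat before doing this in production: validUntil is the SP's freshness control, so a local copy with the attribute stripped keeps being trusted after the vendor rotates an endpoint or signing certificate; it is also only possible on unsigned metadata, since changing a byte under an enveloped XML signature breaks it (the stripping function refuses signed input for that reason). Fresh metadata from the vendor, or a URL whose cacheDuration CAS can honour, is the better fix.

```python
import datetime as dt
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", MD_NS)  # serialise with a default namespace, as SPs publish it

# Timestamp of the WARN lines quoted in this thread, used as "now" below.
LOG_TIME = dt.datetime(2018, 5, 8, 17, 2, 31, tzinfo=dt.timezone.utc)

# Constructed sample, modeled on the SP metadata pasted later in this thread
# (same entityID, validUntil, cacheDuration and ACS endpoint).
SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S"
    entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
  <SPSSODescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_xs_datetime(value):
    """Parse the xs:dateTime form SAML metadata uses (UTC 'Z', optional fraction)."""
    if value.endswith("Z"):
        value = value[:-1]
    parsed = dt.datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=dt.timezone.utc)
    return parsed


def inspect_metadata(xml_bytes, now):
    """Summarise what the IdP needs to know before it can trust this SP."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    valid_until = root.get("validUntil")
    return {
        "entityID": root.get("entityID"),
        "validUntil": valid_until,
        "cacheDuration": root.get("cacheDuration"),
        # Metadata whose validUntil is in the past is rejected by the IdP.
        "expired": valid_until is not None and parse_xs_datetime(valid_until) <= now,
        # Role descriptors present, e.g. SPSSODescriptor for a service provider.
        "roles": [child.tag.rsplit("}", 1)[-1] for child in root],
        "signed": root.find(f"{{{DS_NS}}}Signature") is not None,
    }


def strip_valid_until(xml_bytes):
    """Return the metadata without validUntil (step 2 above).

    Refuses signed metadata: editing it would invalidate the signature.
    """
    root = ET.fromstring(xml_bytes)
    if root.find(f"{{{DS_NS}}}Signature") is not None:
        raise ValueError("metadata is signed; ask the vendor for a fresh copy instead")
    root.attrib.pop("validUntil", None)
    return ET.tostring(root, encoding="utf-8")


def service_definition(entity_id, metadata_file):
    """Registry entry for step 4: metadataLocation points at the local file.

    Name and id are the ones from the service definition posted in this
    thread; the path is the one suggested above (assumed layout).
    """
    return {
        "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
        "serviceId": entity_id,
        "name": "SAML Authentication Request",
        "id": 1003,
        "metadataLocation": metadata_file,
        "evaluationOrder": 1,
    }


if __name__ == "__main__":
    import json
    info = inspect_metadata(SP_METADATA, LOG_TIME)
    print(info)
    if info["expired"] and not info["signed"]:
        edited = strip_valid_until(SP_METADATA)
        # Step 3: write `edited` to /etc/cas/saml/sp-metadata/vendor.xml,
        # owned and readable by the CAS user only.
        print(edited.decode())
        print(json.dumps(service_definition(
            info["entityID"], "/etc/cas/saml/sp-metadata/vendor.xml"), indent=2))
```

Run as-is it reports the sample as expired (validUntil 2018-05-03 against the 2018-05-08 log time, which is the condition behind the "Ensure the metadata is valid and has not expired" WARN quoted later), prints the edited XML and the registry entry to paste in. Swap `LOG_TIME` for `dt.datetime.now(dt.timezone.utc)` and `SP_METADATA` for the bytes returned by your curl to check a real vendor file.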


Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
We're the identity provider and the vendor is the service provider.



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
OK, this is just a guess here, but the vendor I'm trying to implement CAS 
SAML for is an Identity Provider. Is it possible we've got this confused, 
because our metadata.xml is set up for SPSSODescriptor?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
I do not see it in the metadata from any of the SPs we have in production
here, so my guess would be probably not. But that's just a guess; I don't
pretend to be an authority on SAML.

--Dave





On Tue, May 8, 2018 at 1:36 PM, John D Giotta  wrote:

> Is that attribute required? Right now it is static.
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
Is that attribute required? Right now it is static.



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
This may be your problem, then?

validUntil="2018-05-03T20:29:06Z"

--Dave


On Tue, May 8, 2018 at 1:14 PM, Matthew Uribe wrote:

> What do you get back when you do a curl on https://link-to-metadata.com ?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
I get the XML output as expected.


<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S"
    entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
  <SPSSODescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
  </SPSSODescriptor>
</EntityDescriptor>




Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread Matthew Uribe
What do you get back when you do a curl on https://link-to-metadata.com ?

On Tuesday, May 8, 2018 at 11:10:44 AM UTC-6, John D Giotta wrote:
>
> Looking at the logs more I did find these WARNs:
>
> 2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://vendor-site.com/Pages/Auth/Login.aspx] in metadata provider Ensure the metadata is valid and has not expired.>
>
> 2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - could be found for [https://vendor-site.com/Pages/Auth/Login.aspx]>
>
>
> The service is loaded, but metadata is wrong? 
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
Looking at the logs more I did find these WARNs:

> 2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://vendor-site.com/Pages/Auth/Login.aspx] in metadata provider Ensure the metadata is valid and has not expired.>
>
> 2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - could be found for [https://vendor-site.com/Pages/Auth/Login.aspx]>


The service is loaded, but metadata is wrong? 



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread David Curry
No, it's the "adminpages" stuff:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html

It's enabled solely in the CAS server; you don't need the management webapp.

--Dave



On Tue, May 8, 2018 at 9:25 AM, John D Giotta  wrote:

> Thanks, David. Is the dashboard the management overlay?
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-08 Thread John D Giotta
Thanks, David. Is the dashboard the management overlay?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Do you have the dashboard endpoints enabled? Can you go to the "services"
endpoint, which dumps the service registry, and see if there's something
else in there?

Alternatively, I think if you turn on debug mode logging, it will tell you
what services are loaded.

I'm thinking you might be getting a wildcard match through no fault of your
own.

--Dave




[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Patrick Sutton
Hello everyone,

I'm the developer who has been working on implementing the SAML 
authentication referenced by the OP, and the provided responses seem to 
align with what I've come across while researching the issue, so I wanted 
to try and provide a little more information in the hopes that it'll help 
better explain the issue.

From what I've been able to discern while attempting to debug the issue, it 
appears that the SAML service definition isn't even being loaded by CAS for 
some reason. I've tried everything from manually modifying the 
evaluationOrder property of the existing services to ensure the SAML 
service definition would be loaded first to deleting the other service 
definitions to eliminate load order issues, but to no avail.

I've attached "scrubbed" versions of our current service definitions, along 
with the metadata returned from the SP we are attempting to integrate with 
CAS. If there is any additional information I can provide, please don't 
hesitate to ask.

For reference, here are the property values related to SAML that we are 
currently using:

cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
cas.authn.samlIdp.scope=cas-idp-domain.com


{
  /*
    Generic service definition that applies to https/imaps urls
    that wish to register with CAS for authentication.
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https):\\/\\/.*\\.cas-idp-domain\\.com\\/.*",
  "name" : "HTTPS for genius",
  "id" : 1006,
  "evaluationOrder": 300
}


{
  /*
    Generic service definition that applies to https/imaps urls
    that wish to register with CAS for authentication.
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https):\\/\\/portal\\.cas-idp-domain\\.com\\/.*",
  "name" : "HTTPS for another Vendor",
  "id" : 1004,
  "evaluationOrder": 200
}


{
  /*
   * The CAS SAML IdP creates this endpoint as part of its initialization
   * process at server startup time. If the service registry doesn't already
   * contain an entry whose serviceId matches the endpoint, CAS will create
   * a new service definition and save it to the registry. If the CAS server
   * doesn't have write access to the registry, then the save will fail and
   * the server will not start.
   *
   * To avoid that situation, and to make it clear that this endpoint is a
   * "desired" service, it is defined explicitly here.
   */
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://vendor-site.com/Pages/Auth/Login.aspx",
  "name" : "SAML Authentication Request",
  "id" : 1003,
  "metadataLocation" : "https://link-to-metadata.com",
  "evaluationOrder": 1
}


SP Metadata:


<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S"
    entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
  <SPSSODescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
  </SPSSODescriptor>
</EntityDescriptor>


On Monday, May 7, 2018 at 8:19:58 AM UTC-7, John D Giotta wrote:
>
> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS 
> (currently using CAS protocol).
>
> I've followed documentation, but unfortunately I'm unable to get the 
> application to authorize.
>
> The error I get in logs is:
>
> <CAS has found a match for service [https://vendor-site.com/Pages/Auth/Login.aspx] in registry but the match is not defined as a SAML service>
>
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
For the service definition, you should only have one, which is a
SamlRegisteredService. You do not need (or want)  a RegexRegisteredService
for a SAML service.

And as Matthew said, you should also set

cas.authn.samlIdp.entityId: ${cas.server.prefix}/idp
cas.authn.samlIdp.scope:yourdomain.com

I'm not sure it actually matters from the perspective of your CAS SAML IdP
working or not, but it may matter to the service provider ("client"),
especially if that's a third party, who probably wants a "real" name there
instead of "example.org".

As for why you're not matching the service, ASSUMING you only have the
single SamlRegisteredService definition (and not also a
RegexRegisteredService), then you should check that the entityId being sent
by the service is identical to what you have in the "serviceId" field of
your service registry entry.

To check what the SP is sending, look in the XML file for the SP's metadata
near the top of the file:

http://workday.workday.com/newschool_preview"
entityID="http://www.workday.com/newschool_preview">

or

http://www.w3.org/2000/09/xmldsig#" entityID="IAMShowcase"
validUntil="2025-12-09T09:13:31.006Z">

Whatever you see in the "entityID" attribute is what you should have,
exactly, in the "serviceId" field of your service registry entry. Note
that there's no requirement that the entityId be a "real" URL, or even
URL-shaped. The only requirement is that the SP and IdP agree on what it
should be.

--Dave







On Mon, May 7, 2018 at 12:57 PM, John D Giotta  wrote:

> If I don't set this property does it affect the vendor integration I'm
> attempting to do?
>

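An added example, not code from the thread or from CAS itself, that puts the two pieces of advice in this thread side by side: the entityID the SP sends has to match the SAML entry's serviceId exactly, and a broader RegexRegisteredService with a lower evaluationOrder (the "HTTP|IMAP" wildcard David asks about below, or any other catch-all) will claim the request first and produce the "match is not defined as a SAML service" error from the first post. The registry below is the three definitions posted in this thread plus the HTTPS/IMAPS wildcard the CAS overlay ships by default, reconstructed here from that template; two assumptions about CAS are built in and marked in the code: entries are tried in ascending evaluationOrder, and serviceId is a regular expression applied with find() semantics (so an unanchored pattern matches anywhere in the identifier, and a SamlRegisteredService serviceId is matched case-sensitively and should have regex metacharacters escaped if the entityID contains any).

```python
import re

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
REGEX_CLASS = "org.apereo.cas.services.RegexRegisteredService"

# entityID taken from the SP metadata pasted in this thread
VENDOR_ENTITY_ID = "https://vendor-site.com/Pages/Auth/Login.aspx"

# Service definitions posted in this thread, plus the HTTPS/IMAPS wildcard
# that the CAS overlay ships by default (constructed here from that template;
# check your own /etc/cas/services for the real entry).
SERVICES = [
    {"@class": REGEX_CLASS, "serviceId": r"^(https|imaps)://.*",
     "name": "HTTPS and IMAPS", "id": 10000001, "evaluationOrder": 10000},
    {"@class": REGEX_CLASS, "serviceId": r"^(https):\/\/.*\.cas-idp-domain\.com\/.*",
     "name": "HTTPS for genius", "id": 1006, "evaluationOrder": 300},
    {"@class": REGEX_CLASS, "serviceId": r"^(https):\/\/portal\.cas-idp-domain\.com\/.*",
     "name": "HTTPS for another Vendor", "id": 1004, "evaluationOrder": 200},
    {"@class": SAML_CLASS, "serviceId": VENDOR_ENTITY_ID,
     "name": "SAML Authentication Request", "id": 1003,
     "metadataLocation": "https://link-to-metadata.com", "evaluationOrder": 1},
]


def first_match(services, identifier):
    """Return the first definition whose serviceId pattern matches identifier.

    Assumed CAS behaviour: ascending evaluationOrder, serviceId treated as a
    regex with find() semantics (re.search here), case-sensitive.
    """
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], identifier):
            return svc
    return None


def diagnose(services, entity_id):
    """Explain what the IdP would do with an AuthnRequest issued by entity_id."""
    match = first_match(services, entity_id)
    if match is None:
        return f"no service matches [{entity_id}]; request would be denied"
    if match["@class"] != SAML_CLASS:
        # The situation behind the first error message in this thread.
        return (f"found a match for [{entity_id}] in registry but the match "
                f"({match['name']!r}, id {match['id']}, evaluationOrder "
                f"{match['evaluationOrder']}) is not defined as a SAML service")
    return f"ok: SAML service {match['name']!r} (id {match['id']})"


def with_evaluation_order(services, service_id, order):
    """Copy of the registry with one entry's evaluationOrder changed."""
    return [dict(s, evaluationOrder=order) if s["id"] == service_id else s
            for s in services]


if __name__ == "__main__":
    # Registry as posted: the SAML entry sorts first and wins.
    print(diagnose(SERVICES, VENDOR_ENTITY_ID))
    # SAML entry sorted after the wildcard: the wildcard wins, non-SAML error.
    print(diagnose(with_evaluation_order(SERVICES, 1003, 20000), VENDOR_ENTITY_ID))
    # entityID differing from serviceId only by case: no SAML match, wildcard wins.
    print(diagnose(SERVICES, VENDOR_ENTITY_ID.lower()))
    # A non-URL entityID such as the "IAMShowcase" example above matches nothing.
    print(diagnose(SERVICES, "IAMShowcase"))
```

Paste your own registry entries into `SERVICES` and the entityID from the SP's metadata into `VENDOR_ENTITY_ID`; if `first_match` returns anything other than the SamlRegisteredService, that entry is what CAS is picking, and either its evaluationOrder or its pattern needs to change.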


Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Matthew Uribe
What does the SP expect the entityID to be? 

I have not experimented with anything other than setting the entityId to 
${cas.server.prefix}/idp   and I don't know whether the CAS server will 
have issues with responding to https://cas.example.org/idp since CAS itself 
is at https://cas.example.org/cas, based on where you say your metadata is. 
Why would you not set this property? 

On Monday, May 7, 2018 at 10:58:00 AM UTC-6, John D Giotta wrote:
>
> If I don't set this property does it affect the vendor integration I'm 
> attempting to do?
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
If I don't set this property does it affect the vendor integration I'm 
attempting to do?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Matthew Uribe
I would expect your entityID to be https://cas.example.org/cas/idp but it 
depends on what you've set it to in cas.properties under 
cas.authn.samlIdp.entityId


On Monday, May 7, 2018 at 10:39:28 AM UTC-6, John D Giotta wrote:
>
> I noticed that my /cas/idp/metadata endpoint returns the following
>
> 
> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
>     xmlns:xml="http://www.w3.org/XML/1998/namespace"
>     xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
>     entityID="https://cas.example.org/idp">
>
>
> Shouldn't the entityID attribute read something else?
>



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
I noticed that my /cas/idp/metadata endpoint returns the following


<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xml="http://www.w3.org/XML/1998/namespace"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://cas.example.org/idp">


Shouldn't the entityID attribute read something else?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
What I meant was that Matthew asked about my JSON using the @class 
org.apereo.cas.support.saml.services.SamlRegisteredService, then asked 
if I registered the IdP endpoint. From the tutorial he pointed me towards, 
I can't tell if I'm creating both a SamlRegisteredService and a 
RegexRegisteredService JSON in the registry.




Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Well, I used the one file per service model with them all in the
/etc/cas/services directory. But I believe you can keep them all in one big
JSON file if you want.


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.


On Mon, May 7, 2018, 12:21 John D Giotta  wrote:

> Are there 2 service JSON files I'm supposed to create?
>



[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
Are there 2 service JSON files I'm supposed to create?



Re: [cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread David Curry
Just a thought, do you still have the "HTTP|IMAP" wildcard service in
there? And does it have a lower evaluation order than your service-specific
entry?

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, May 7, 2018 at 11:57 AM, John D Giotta  wrote:

> Yes, it is.
>
> {
>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
>   "name": "SAML Authentication Request",
>   "id": 1003,
>   "evaluationOrder": 1,
>   "metadataLocation": "https://s3.amazonaws.com/jdgiotta/sp-metadata/metadata.xml"
> }
>

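Dave's question about the catch-all service and its evaluation order, worked through as an added example (not code from this thread or from CAS itself): a small model of how CAS walks the service registry in ascending evaluationOrder and why a catch-all RegexRegisteredService ordered ahead of the SamlRegisteredService produces the "match is not defined as a SAML service" error. The registry entries are constructed, the catch-all's evaluationOrder of 0 is the assumed misconfiguration, and regex search semantics for serviceId are an assumption about CAS's RegexRegisteredService.

```python
import re
# Constructed sample registry (not the poster's real files): CAS's default
# catch-all RegexRegisteredService next to the vendor's SamlRegisteredService.
SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
REGISTRY = [
    {   # assumed misconfiguration: catch-all evaluated before the SAML entry
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https|imaps)://.*",
        "name": "HTTPS and IMAPS",
        "id": 10000001,
        "evaluationOrder": 0,
    },
    {
        "@class": SAML_CLASS,
        "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
        "name": "SAML Authentication Request",
        "id": 1003,
        "evaluationOrder": 1,
        "metadataLocation": "https://s3.amazonaws.com/jdgiotta/sp-metadata/metadata.xml",
    },
]

def find_match(registry, service_url):
    """First service whose serviceId regex matches, in ascending evaluationOrder
    (assumption: search semantics, as CAS's RegexRegisteredService does)."""
    for svc in sorted(registry, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], service_url):
            return svc
    return None

def check_saml_match(registry, service_url):
    """Reproduce the decision behind the error quoted in the thread: the first
    match wins, and a non-SAML match is rejected for a SAML request."""
    match = find_match(registry, service_url)
    if match is None:
        return "unauthorized: no matching service"
    if match["@class"] != SAML_CLASS:
        return f"error: match [{match['name']}] is not defined as a SAML service"
    return f"ok: SAML service [{match['name']}]"

def push_catch_all_last(registry, catch_all_id=10000001, order=10000):
    """Copy of the registry with the catch-all moved to a high evaluationOrder."""
    return [dict(s, evaluationOrder=order) if s["id"] == catch_all_id else dict(s)
            for s in registry]

if __name__ == "__main__":
    url = "https://vendor-site.com/Pages/Auth/Login.aspx"
    print(check_saml_match(REGISTRY, url))                       # shadowed -> error
    print(check_saml_match(push_catch_all_last(REGISTRY), url))  # -> ok
```

The same shadowing happens whether the entries live in one big JSON file or one file per service; only evaluationOrder and the serviceId patterns decide which entry wins.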


[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Matthew Uribe
Have you also added the service definition for the IdP endpoint? 

If you haven't already, you may want to walk through the steps for adding 
SAML support in this guide:  
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html

On Monday, May 7, 2018 at 9:57:23 AM UTC-6, John D Giotta wrote:
>
> Yes, it is.
>
> {
>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
>   "name": "SAML Authentication Request",
>   "id": 1003,
>   "evaluationOrder": 1,
>   "metadataLocation": "https://s3.amazonaws.com/jdgiotta/sp-metadata/metadata.xml"
> }
>
>



[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread John D Giotta
Yes, it is.

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
  "name": "SAML Authentication Request",
  "id": 1003,
  "evaluationOrder": 1,
  "metadataLocation": "https://s3.amazonaws.com/jdgiotta/sp-metadata/metadata.xml"
}



[cas-user] Re: Working on Setting Up SAML 2.0 for the First Time

2018-05-07 Thread Matthew Uribe
What do you have in your json for "@class"? Is it 
"org.apereo.cas.support.saml.services.SamlRegisteredService"?

On Monday, May 7, 2018 at 9:19:58 AM UTC-6, John D Giotta wrote:
>
> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS 
> (currently using CAS protocol).
>
> I've followed documentation, but unfortunately I'm unable to get the 
> application to authorize.
>
> The error I get in logs is:
>
> CAS has found a match for service [https://vendor-site.com/Pages/Auth/Login.aspx] in registry but the match is not defined as a SAML service
>
>
