Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
If they have a public metadata file you can put the URL in the metadata configuration element instead of the static file. CAS will download and cache the metadata file on some sort of updating schedule (I don't remember the specifics), but it will help ensure you have updated metadata.


Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
Scratch that. I needed an updated metadata file. Now I can authenticate and get forwarded to the SP. Then I get an error there. I may not be registered in their system. Waiting on a response from them.

Thanks!!! This has been very helpful!

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421


Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
Hmmm, metadata expired. So I changed the expiry date in the metadata. Now I'm getting this:

RootCasException(code=UNSATISFIED_SAML_REQUEST)
    at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:226)

Progress!!! But still not quite there. Maybe I need to request a new metadata file.

from the log:
2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://licensing.minitab.com]. Metadata is valid until [forever]
2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] -
2021-04-19 15:23:52,558 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] -
2021-04-19 15:23:52,561 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] -
2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] -
2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] -
2021-04-19 15:23:52,570 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] -

...

2021-04-19 15:23:52,614 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - org.apereo.cas.support.saml.SamlException: Signing credentials for validation could not be resolved based on the provided signature

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421


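The metadata checks behind the log above and behind Richard's suggestion at the top of the thread to point metadataLocation at the SP's published URL, as an added Python example that is not part of the original posts or of CAS itself. It reads an SP EntityDescriptor, reports validUntil (as "forever" when the attribute is absent, which is what the log printed), uses the standard cacheDuration attribute to decide whether a cached copy is due for refresh (this is metadata semantics, not a description of CAS's own scheduler), and resolves the certificate a request was signed with against the SP's published signing keys. The metadata, the certificate blobs and the fetch time are constructed placeholders, and reading the log timestamp as UTC is an assumption.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# ISO 8601 durations in the forms SAML metadata actually uses (PT6H, P1D, P1DT30M, ...).
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed placeholders, not real X.509 DER: only their byte identity matters here.
OLD_CERT = base64.b64encode(b"placeholder: SP signing cert before rotation").decode()
NEW_CERT = base64.b64encode(b"placeholder: SP signing cert after rotation").decode()
ENC_CERT = base64.b64encode(b"placeholder: SP encryption cert").decode()


def parse_duration(text):
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError("unsupported cacheDuration: %s" % text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def fingerprint(b64_der):
    """SHA-256 of the decoded certificate bytes; 'same certificate' below means same hash."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def load_sp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS_MD:
        raise ValueError("expected md:EntityDescriptor")
    signing = []
    for kd in root.iter("{%s}KeyDescriptor" % NS_MD):
        # use="encryption" keys never verify a signature; no use attribute means both.
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter("{%s}X509Certificate" % NS_DS):
                signing.append(fingerprint(cert.text))
    valid_until = root.get("validUntil")
    cache = root.get("cacheDuration")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": datetime.fromisoformat(valid_until.replace("Z", "+00:00")) if valid_until else None,
        "cache_duration": parse_duration(cache) if cache else None,
        "signing_fingerprints": signing,
    }


def metadata_status(md, fetched_at, now):
    """The two time checks an IdP applies to a cached copy of SP metadata."""
    expired = md["valid_until"] is not None and now > md["valid_until"]
    refresh_due = md["cache_duration"] is not None and now >= fetched_at + md["cache_duration"]
    return {
        "valid_until": md["valid_until"].isoformat() if md["valid_until"] else "forever",
        "expired": expired,
        "refresh_due": refresh_due,
    }


def resolve_signing_credential(md, request_cert_b64):
    """Look the request's signing certificate up among the SP's published signing keys.

    Returns its fingerprint, or None: the condition behind CAS's message
    'Signing credentials for validation could not be resolved'."""
    fp = fingerprint(request_cert_b64)
    return fp if fp in md["signing_fingerprints"] else None


def sp_metadata(signing_cert_b64, valid_until=None, cache_duration=None):
    # Constructed EntityDescriptor for the SP named in the thread; both attributes are optional.
    attrs = ' entityID="https://licensing.minitab.com"'
    if valid_until:
        attrs += ' validUntil="%s"' % valid_until
    if cache_duration:
        attrs += ' cacheDuration="%s"' % cache_duration
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"%s>'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
        % (NS_MD, NS_DS, attrs, signing_cert_b64, ENC_CERT)
    )


# The request time from the thread's log, taken as UTC here (an assumption), and a
# cached copy fetched a month earlier.
NOW = datetime(2021, 4, 19, 15, 23, 52, tzinfo=timezone.utc)
FETCHED_AT = NOW - timedelta(days=30)

STALE_METADATA = sp_metadata(OLD_CERT, valid_until="2021-04-01T00:00:00Z", cache_duration="PT6H")
HAND_EDITED_METADATA = sp_metadata(OLD_CERT, valid_until="2022-04-01T00:00:00Z", cache_duration="PT6H")
FRESH_METADATA = sp_metadata(NEW_CERT)
```

Hand-editing validUntil only changes the expiry check: a request signed with a rotated key still does not resolve until metadata carrying the new certificate is loaded, which is what a fresh file (or a metadata URL that CAS re-fetches) provides.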
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
Yes, zoom is in production, minitab in my dev environment. Both 5.3.14, pretty much the exact same setup.

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421


Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Ray Bon
Keith,

The destination URLs are different, cas and casdev.
Is minitab routing to cas or casdev and is your service defined there?

Ray


Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
You are probably going to need to take a look in the CAS logs. It seems that it 
should match, but the logs should tell you exactly what it is searching for. It 
will also tell you if there was an error loading the service file when it first 
tried to update it.


Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
I take that back. Zoom works and it does a POST request.
saml-tracer shows this. Zoom works, minitab doesn't.

minitab request:
https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO"
>
https://licensing.minitab.com

zoom request:
https://regent.zoom.us/saml/SSO"
 Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO"
 ForceAuthn="false"
 ID="a3e6a45e921c2290-5af0f9c82h9cheh"
 IsPassive="false"
 IssueInstant="2021-04-19T17:15:37.720Z"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Version="2.0"
 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 >
regent.zoom.us

here are the service files for each:

zoom service file:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "regent.zoom.us",
  "name" : "regent.zoom.us",
  "id" : 1008,
  "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml",
  "evaluationOrder" : 6,
  "requiredNameIdFormat" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  }
}


minitab service file:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://licensing.minitab.com",
  "name" : "minitab",
  "id" : 1617641399,
  "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml",
  "evaluationOrder" : 2,
  "requiredNameIdFormat" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "emailAddress"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "ExtensionAttribute1" : "Email",
      "givenname" : "FirstName",
      "sn" : "LastName"
    }
  }
}




Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421


Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
Looks like my POST URL is:

https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO

I guess the GET URL has Redirect in it??

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB29951DBBD5A7BD78EFACD709D9499%40BL0PR10MB2995.namprd10.prod.outlook.com.


Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread 'Richard Frovarp' via CAS Community
Since I saw someone create the URL by hand the other day, I'm going to ask the 
simple question: is the request hitting the HTTP-POST binding location? POST 
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).

I've never had to do anything different to handle the two different types of 
SPs on that version.



[cas-user] SAML2 request POST vs GET CAS 5.3.14??

2021-04-19 Thread Keith Alston (Staff)
It seems that my CAS SAML2.0 IdP is handling SAML2 services that do GET requests just fine. But when I have an SP that does a SAML2 POST request, my IdP is not reading the parameters and I get the "Application Not Authorized to Use CAS" message instead of the auth page. The difference being parameters in the URI vs parameters in the POST body. Anyone have any idea where I might look to resolve this issue? Are there certain parameters in the service definition that I should be including? Something I'm missing in cas.properties? The audit log does not show POST requests as SAML2_POST, though SAML trace does show it as a SAML request. Any clue here would be helpful. TIA!

Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421

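The two bindings contrasted in the question, together with the checks the replies above point at (Richard: POST and Redirect are separate IdP URLs; Ray: Destination said casdev where the other service lived on cas; the service files: serviceId must match the SP's Issuer), as an added Python example that is not part of the original posts or of CAS itself. It decodes a SAMLRequest from either binding, checks that Destination names the endpoint the request actually arrived on, and matches Issuer against registered services the way the thread's service files are keyed. The AuthnRequests and service entries are constructed from values quoted in the thread; the Redirect endpoint path is an assumption.

```python
import base64
import re
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# One IdP, one SSO URL per binding. The POST URL is the one quoted in the thread; the
# Redirect path follows the usual CAS layout and is an assumption of this example.
IDP_ENDPOINTS = {
    "https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO": POST,
    "https://cas.regent.edu/cas/idp/profile/SAML2/Redirect/SSO": REDIRECT,
}

# Constructed stand-ins for the two service files posted in the thread. CAS treats
# serviceId as a regular expression against the SP entityID and consults services in
# ascending evaluationOrder; the unanchored re.search below mirrors that.
SERVICES = [
    {"name": "regent.zoom.us", "serviceId": "regent.zoom.us", "evaluationOrder": 6},
    {"name": "minitab", "serviceId": "https://licensing.minitab.com", "evaluationOrder": 2},
]


def encode_redirect(xml_text):
    # HTTP-Redirect: raw DEFLATE (no zlib header), base64, then URL-encoded into the query.
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(xml_text.encode("utf-8")) + co.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})


def encode_post(xml_text):
    # HTTP-POST: base64 only, carried as a form field in the request body.
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"SAMLRequest": b64})


def decode_saml_request(payload, binding):
    """Recover the AuthnRequest XML from a query string (Redirect) or a form body (POST)."""
    params = urllib.parse.parse_qs(payload, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0])
    if binding == REDIRECT:
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def parse_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS_P:
        raise ValueError("not a saml2p:AuthnRequest")
    issuer = root.find("{%s}Issuer" % NS_A)
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else "",
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # ProtocolBinding says how the SP wants the *response* delivered; it does not
        # tell you which binding the request itself arrived on.
        "protocol_binding": root.get("ProtocolBinding"),
    }


def check_request(payload, received_binding, services=SERVICES):
    """Return (parsed request, matched service or None, list of problems found)."""
    req = parse_authn_request(decode_saml_request(payload, received_binding))
    problems = []
    expected = IDP_ENDPOINTS.get(req["destination"])
    if expected is None:
        problems.append("Destination %s is not an SSO endpoint of this IdP" % req["destination"])
    elif expected != received_binding:
        problems.append("request arrived on the %s endpoint but Destination names the %s one"
                        % (received_binding.rsplit(":", 1)[1], expected.rsplit(":", 1)[1]))
    matched = None
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], req["issuer"]):
            matched = svc
            break
    if matched is None:
        problems.append("no registered service matches issuer %r" % req["issuer"])
    return req, matched, problems


def authn_request(issuer, destination):
    # Constructed sample request; the attribute values mirror those shown in the thread.
    return (
        '<saml2p:AuthnRequest xmlns:saml2p="%s" xmlns:saml2="%s" Version="2.0" '
        'ID="_example" IssueInstant="2021-04-19T17:15:37.720Z" Destination="%s" '
        'ProtocolBinding="%s"><saml2:Issuer>%s</saml2:Issuer></saml2p:AuthnRequest>'
        % (NS_P, NS_A, destination, POST, issuer)
    )


ZOOM_XML = authn_request("regent.zoom.us", "https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO")
MINITAB_XML = authn_request("https://licensing.minitab.com",
                            "https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO")
```

Because serviceId is matched as a regular expression, an unanchored pattern such as regent.zoom.us also matches any longer entityID that merely contains it; anchoring the pattern (^...$) keeps the match to the intended SP regardless of how a given CAS version applies the regex.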