Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
If they have a public metadata file you can put the URL in the metadata configuration element instead of the static file. CAS will download and cache the metadata file on some sort of updating schedule ( I don't remember the specifics), but it will help ensure you have updated metadata. On Mon, 2021-04-19 at 19:56 +, Keith Alston (Staff) wrote: Scratch that. I needed an updated metadata file. Now I can authenticate and get forwarded to the sp. Then I get an error there. I may not be registered in their system. Waiting on a response from them. Thanks!!! This has been very helpful! Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: cas-user@apereo.org on behalf of Keith Alston (Staff) Sent: Monday, April 19, 2021 3:36 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Hmmm, metadata expired. So I changed the expire date in the metadata. Now I'm getting this: RootCasException(code=UNSATISFIED_SAML_REQUEST) at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:226) Progress!!! But still not quite there. Maybe I need to request a new metadata file. from the log: 2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://licensing.minitab.com<https://urldefense.com/v3/__https://licensing.minitab.com__;!!CHfpmW4!3uMiPkpoDIgZuFHIzfjlweIzaYwUFwQbj17GKnp8dOMl3fu-7E2C7LzeQeFwVfWF$>]. Metadata is valid until [forever]>2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - 2021-04-19 15:23:52,558 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - 2021-04-19 15:23:52,561 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - 2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - 2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - 2021-04-19 15:23:52,570 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - ... 2021-04-19 15:23:52,614 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - org.apereo.cas.support.saml.SamlException: Signing credentials for validation could not be resolved based on the provided signature Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: 'Richard Frovarp' via CAS Community Sent: Monday, April 19, 2021 2:19 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? You are probably going to need to take a look in the CAS logs. It seems that it should match, but the logs should tell you exactly what it is searching for. It will also tell you if there was an error loading the service file when it first tried to update it. On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff) wrote: I take that back. Zoom works and it does a post request. saml-tracer show this. Zoom works, minitab doesnt. minitab request--- https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 > https://licensing.minitab.com zoom request-- https://regent.zoom.us/saml/SSO%22 Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 ForceAuthn="false" ID="a3e6a45e921c2290-5af0f9c82h9cheh" IsPassive="false" IssueInstant="2021-04-19T17:15:37.720Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > regent.zoom.us here are the service files for each: zoom service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "regent.zoom.us", "name" : "regent.zoom.us", "id" : 1008, "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml", "evaluationOrder" : 6, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } } minitab servic
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Scratch that. I needed an updated metadata file. Now I can authenticate and get forwarded to the sp. Then I get an error there. I may not be registered in their system. Waiting on a response from them. Thanks!!! This has been very helpful! Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: cas-user@apereo.org on behalf of Keith Alston (Staff) Sent: Monday, April 19, 2021 3:36 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Hmmm, metadata expired. So I changed the expire date in the metadata. Now I'm getting this: RootCasException(code=UNSATISFIED_SAML_REQUEST) at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:226) Progress!!! But still not quite there. Maybe I need to request a new metadata file. from the log: 2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://licensing.minitab.com<https://urldefense.com/v3/__https://licensing.minitab.com__;!!CHfpmW4!3uMiPkpoDIgZuFHIzfjlweIzaYwUFwQbj17GKnp8dOMl3fu-7E2C7LzeQeFwVfWF$>]. Metadata is valid until [forever]>2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - 2021-04-19 15:23:52,558 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - 2021-04-19 15:23:52,561 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - 2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - 2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - 2021-04-19 15:23:52,570 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - ... 2021-04-19 15:23:52,614 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - org.apereo.cas.support.saml.SamlException: Signing credentials for validation could not be resolved based on the provided signature Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: 'Richard Frovarp' via CAS Community Sent: Monday, April 19, 2021 2:19 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? You are probably going to need to take a look in the CAS logs. It seems that it should match, but the logs should tell you exactly what it is searching for. It will also tell you if there was an error loading the service file when it first tried to update it. On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff) wrote: I take that back. Zoom works and it does a post request. saml-tracer show this. Zoom works, minitab doesnt. minitab request--- https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 > https://licensing.minitab.com zoom request-- https://regent.zoom.us/saml/SSO%22 Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 ForceAuthn="false" ID="a3e6a45e921c2290-5af0f9c82h9cheh" IsPassive="false" IssueInstant="2021-04-19T17:15:37.720Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > regent.zoom.us here are the service files for each: zoom service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "regent.zoom.us", "name" : "regent.zoom.us", "id" : 1008, "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml", "evaluationOrder" : 6, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } } minitab service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://licensing.minitab.com;<https://urldefense.com/v3/__https://licensing.minitab.com*22__;JQ!!CHfpmW4!zRNLPAHvZkQXR2ciFxd_ZoKi-7memeygoXKL8UkB
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Hmmm, metadata expired. So I changed the expire date in the metadata. Now I'm getting this: RootCasException(code=UNSATISFIED_SAML_REQUEST) at org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:226) Progress!!! But still not quite there. Maybe I need to request a new metadata file. from the log: 2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - https://licensing.minitab.com]. Metadata is valid until [forever]>2021-04-19 15:23:52,554 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - 2021-04-19 15:23:52,558 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - 2021-04-19 15:23:52,561 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - 2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - 2021-04-19 15:23:52,570 DEBUG [org.opensaml.saml.security.impl.SAMLSignatureProfileValidator] - 2021-04-19 15:23:52,570 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator] - ... 2021-04-19 15:23:52,614 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - org.apereo.cas.support.saml.SamlException: Signing credentials for validation could not be resolved based on the provided signature Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: 'Richard Frovarp' via CAS Community Sent: Monday, April 19, 2021 2:19 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? You are probably going to need to take a look in the CAS logs. It seems that it should match, but the logs should tell you exactly what it is searching for. It will also tell you if there was an error loading the service file when it first tried to update it. On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff) wrote: I take that back. Zoom works and it does a post request. saml-tracer show this. Zoom works, minitab doesnt. minitab request--- https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 > https://licensing.minitab.com zoom request-- https://regent.zoom.us/saml/SSO%22 Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 ForceAuthn="false" ID="a3e6a45e921c2290-5af0f9c82h9cheh" IsPassive="false" IssueInstant="2021-04-19T17:15:37.720Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > regent.zoom.us here are the service files for each: zoom service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "regent.zoom.us", "name" : "regent.zoom.us", "id" : 1008, "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml", "evaluationOrder" : 6, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } } minitab service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://licensing.minitab.com;<https://urldefense.com/v3/__https://licensing.minitab.com*22__;JQ!!CHfpmW4!zRNLPAHvZkQXR2ciFxd_ZoKi-7memeygoXKL8UkBrAESOjjkOsK-bZcs1wPrshKo$>, "name" : "minitab", "id" : 1617641399, "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml", "evaluationOrder" : 2, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "emailAddress", }, "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy", "allowedAttributes" : { "@class" : &
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Yes, zoom is in production. minitab in my dev environment. Both 5.3.14. pretty much the exact same setup. Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: cas-user@apereo.org on behalf of Ray Bon Sent: Monday, April 19, 2021 2:35 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Keith, The destination URLs are different, cas and casdev. Is minitab routing to cas or casdev and is your service defined there? Ray On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff) wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. I take that back. Zoom works and it does a post request. saml-tracer show this. Zoom works, minitab doesnt. minitab request--- https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 > https://licensing.minitab.com zoom request-- https://regent.zoom.us/saml/SSO%22 Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO%22 ForceAuthn="false" ID="a3e6a45e921c2290-5af0f9c82h9cheh" IsPassive="false" IssueInstant="2021-04-19T17:15:37.720Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > regent.zoom.us here are the service files for each: zoom service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "regent.zoom.us", "name" : "regent.zoom.us", "id" : 1008, "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml", "evaluationOrder" : 6, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } } minitab service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://licensing.minitab.com;<https://urldefense.com/v3/__https://licensing.minitab.com*22__;JQ!!CHfpmW4!zYN_3oERuAUrH_LedoGZlh1aewdNkaoTJj7s-mbN4rqSga2SOnZZdddB1nuoHXgS$>, "name" : "minitab", "id" : 1617641399, "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml", "evaluationOrder" : 2, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "emailAddress", }, "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy", "allowedAttributes" : { "@class" : "java.util.TreeMap", "ExtensionAttribute1" : "Email", "givenname" : "FirstName", "sn" : "LastName" } } } Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: cas-user@apereo.org on behalf of Keith Alston (Staff) Sent: Monday, April 19, 2021 1:00 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Looks like my post URL is: https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO I guess the get url has redirect in it?? Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: 'Richard Frovarp' via CAS Community Sent: Monday, April 19, 2021 12:49 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Since I saw someone create the URL by hand the other day, I'm going to ask the simple question: is the request hitting the HTTP-POST binding location? POST and Redirect are two different URLs in CAS (and I'm guessing most IdPs). I've never had to do anything different to handle the two different types of SPs on that version. On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote: It seems that my CAS SAML2.0 idp is handling SAML2 services that
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Keith, The destination URLs are different, cas and casdev. Is minitab routing to cas or casdev and is your service defined there? Ray On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff) wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. I take that back. Zoom works and it does a post request. saml-tracer show this. Zoom works, minitab doesnt. minitab request--- https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO; > https://licensing.minitab.com zoom request-- https://regent.zoom.us/saml/SSO; Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO; ForceAuthn="false" ID="a3e6a45e921c2290-5af0f9c82h9cheh" IsPassive="false" IssueInstant="2021-04-19T17:15:37.720Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > regent.zoom.us here are the service files for each: zoom service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "regent.zoom.us", "name" : "regent.zoom.us", "id" : 1008, "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml", "evaluationOrder" : 6, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } } minitab service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://licensing.minitab.com;, "name" : "minitab", "id" : 1617641399, "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml", "evaluationOrder" : 2, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "emailAddress", }, "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy", "allowedAttributes" : { "@class" : "java.util.TreeMap", "ExtensionAttribute1" : "Email", "givenname" : "FirstName", "sn" : "LastName" } } } Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: cas-user@apereo.org on behalf of Keith Alston (Staff) Sent: Monday, April 19, 2021 1:00 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Looks like my post URL is: https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO I guess the get url has redirect in it?? Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: 'Richard Frovarp' via CAS Community Sent: Monday, April 19, 2021 12:49 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Since I saw someone create the URL by hand the other day, I'm going to ask the simple question: is the request hitting the HTTP-POST binding location? POST and Redirect are two different URLs in CAS (and I'm guessing most IdPs). I've never had to do anything different to handle the two different types of SPs on that version. On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote: It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET requests just fine. But when I have an SP that does a SAML2 POST request my idp is not reading the parameters and I get the "Application Not Authorized to Use CAS" message instead of the auth page. Difference being parameters in the URI vs parameters in the POST body. Anyone have any idea where I might look to resolve this issue? Are there certain parameters in the service definition that I should be including? Something I'm missing in cas.properties? The audit log does not show POST requests as SAML2_POST though SAML trace do
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
You are probably going to need to take a look in the CAS logs. It seems that it should match, but the logs should tell you exactly what it is searching for. It will also tell you if there was an error loading the service file when it first tried to update it. On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff) wrote: I take that back. Zoom works and it does a post request. saml-tracer show this. Zoom works, minitab doesnt. minitab request--- https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO; > https://licensing.minitab.com zoom request-- https://regent.zoom.us/saml/SSO; Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO; ForceAuthn="false" ID="a3e6a45e921c2290-5af0f9c82h9cheh" IsPassive="false" IssueInstant="2021-04-19T17:15:37.720Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > regent.zoom.us here are the service files for each: zoom service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "regent.zoom.us", "name" : "regent.zoom.us", "id" : 1008, "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml", "evaluationOrder" : 6, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } } minitab service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://licensing.minitab.com;, "name" : "minitab", "id" : 1617641399, "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml", "evaluationOrder" : 2, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "emailAddress", }, "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy", "allowedAttributes" : { "@class" : "java.util.TreeMap", "ExtensionAttribute1" : "Email", "givenname" : "FirstName", "sn" : "LastName" } } } Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: cas-user@apereo.org on behalf of Keith Alston (Staff) Sent: Monday, April 19, 2021 1:00 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Looks like my post URL is: https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO I guess the get url has redirect in it?? Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: 'Richard Frovarp' via CAS Community Sent: Monday, April 19, 2021 12:49 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Since I saw someone create the URL by hand the other day, I'm going to ask the simple question: is the request hitting the HTTP-POST binding location? POST and Redirect are two different URLs in CAS (and I'm guessing most IdPs). I've never had to do anything different to handle the two different types of SPs on that version. On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote: It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET requests just fine. But when I have an SP that does a SAML2 POST request my idp is not reading the parameters and I get the "Application Not Authorized to Use CAS" message instead of the auth page. Difference being parameters in the URI vs parameters in the POST body. Anyone have any idea where I might look to resolve this issue? Are there certain parameters in the service definition that I should be including? Something I'm missing in cas.properties? The audit log does not show POST requests as SAML2_POST though SAML trace does show it as
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
I take that back. Zoom works and it does a post request. saml-tracer show this. Zoom works, minitab doesnt. minitab request--- https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO; > https://licensing.minitab.com zoom request-- https://regent.zoom.us/saml/SSO; Destination="https://cas.regent.edu/cas/idp/profile/SAML2/POST/SSO; ForceAuthn="false" ID="a3e6a45e921c2290-5af0f9c82h9cheh" IsPassive="false" IssueInstant="2021-04-19T17:15:37.720Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > regent.zoom.us here are the service files for each: zoom service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "regent.zoom.us", "name" : "regent.zoom.us", "id" : 1008, "metadataLocation" : "file:/etc/cas/config/zoom-metadata-prod.xml", "evaluationOrder" : 6, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "mail", } } minitab service file: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "https://licensing.minitab.com;, "name" : "minitab", "id" : 1617641399, "metadataLocation" : "file:/etc/cas/config/minitab-com-metadata.xml", "evaluationOrder" : 2, "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "usernameAttributeProvider" : { "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", "usernameAttribute" : "emailAddress", }, "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy", "allowedAttributes" : { "@class" : "java.util.TreeMap", "ExtensionAttribute1" : "Email", "givenname" : "FirstName", "sn" : "LastName" } } } Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: cas-user@apereo.org on behalf of Keith Alston (Staff) Sent: Monday, April 19, 2021 1:00 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Looks like my post URL is: https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO I guess the get url has redirect in it?? Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: 'Richard Frovarp' via CAS Community Sent: Monday, April 19, 2021 12:49 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Since I saw someone create the URL by hand the other day, I'm going to ask the simple question: is the request hitting the HTTP-POST binding location? POST and Redirect are two different URLs in CAS (and I'm guessing most IdPs). I've never had to do anything different to handle the two different types of SPs on that version. On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote: It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET requests just fine. But when I have an SP that does a SAML2 POST request my idp is not reading the parameters and I get the "Application Not Authorized to Use CAS" message instead of the auth page. Difference being parameters in the URI vs parameters in the POST body. Anyone have any idea where I might look to resolve this issue? Are there certain parameters in the service definition that I should be including? Something I'm missing in cas.properties? The audit log does not show POST requests as SAML2_POST though SAML trace does show it as a SAML request. Any clue here would be helpful. TIA! Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 -- - Website: https://apereo.github.io/cas<https://urldefense.com/v3/__https://apereo.github.io/cas__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6x_g6xxY$> - Gitter Chatr
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Looks like my post URL is: https://casdev.regent.edu/cas/idp/profile/SAML2/POST/SSO I guess the get url has redirect in it?? Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 From: 'Richard Frovarp' via CAS Community Sent: Monday, April 19, 2021 12:49 PM To: cas-user@apereo.org Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14?? Since I saw someone create the URL by hand the other day, I'm going to ask the simple question: is the request hitting the HTTP-POST binding location? POST and Redirect are two different URLs in CAS (and I'm guessing most IdPs). I've never had to do anything different to handle the two different types of SPs on that version. On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote: It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET requests just fine. But when I have an SP that does a SAML2 POST request my idp is not reading the parameters and I get the "Application Not Authorized to Use CAS" message instead of the auth page. Difference being parameters in the URI vs parameters in the POST body. Anyone have any idea where I might look to resolve this issue? Are there certain parameters in the service definition that I should be including? Something I'm missing in cas.properties? The audit log does not show POST requests as SAML2_POST though SAML trace does show it as a SAML request. Any clue here would be helpful. TIA! Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 -- - Website: https://apereo.github.io/cas<https://urldefense.com/v3/__https://apereo.github.io/cas__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6x_g6xxY$> - Gitter Chatroom: https://gitter.im/apereo/cas<https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX62p1iyB-$> - List Guidelines: https://goo.gl/1VRrw7<https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6wJ1CAT9$> - Contributions: https://goo.gl/mh7qDG<https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX67l2dT7R$> --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6bad321c10587be379a7cec181afa435c58c8b3e.camel%40ndsu.edu<https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/6bad321c10587be379a7cec181afa435c58c8b3e.camel*40ndsu.edu?utm_medium=email_source=footer__;JQ!!CHfpmW4!ylfLzpLOw1bgGBd7C4RrcffnpDSY10MimXjwm6X7ijLb_swDKnrOPLTX6zax_K28$>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB29951DBBD5A7BD78EFACD709D9499%40BL0PR10MB2995.namprd10.prod.outlook.com.
Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Since I saw someone create the URL by hand the other day, I'm going to ask the simple question: is the request hitting the HTTP-POST binding location? POST and Redirect are two different URLs in CAS (and I'm guessing most IdPs). I've never had to do anything different to handle the two different types of SPs on that version. On Mon, 2021-04-19 at 16:41 +, Keith Alston (Staff) wrote: It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET requests just fine. But when I have an SP that does a SAML2 POST request my idp is not reading the parameters and I get the "Application Not Authorized to Use CAS" message instead of the auth page. Difference being parameters in the URI vs parameters in the POST body. Anyone have any idea where I might look to resolve this issue? Are there certain parameters in the service definition that I should be including? Something I'm missing in cas.properties? The audit log does not show POST requests as SAML2_POST though SAML trace does show it as a SAML request. Any clue here would be helpful. TIA! Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6bad321c10587be379a7cec181afa435c58c8b3e.camel%40ndsu.edu.
[cas-user] SAML2 request POST vs GET CAS 5.3.14??
It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET requests just fine. But when I have an SP that does a SAML2 POST request my idp is not reading the parameters and I get the "Application Not Authorized to Use CAS" message instead of the auth page. Difference being parameters in the URI vs parameters in the POST body. Anyone have any idea where I might look to resolve this issue? Are there certain parameters in the service definition that I should be including? Something I'm missing in cas.properties? The audit log does not show POST requests as SAML2_POST though SAML trace does show it as a SAML request. Any clue here would be helpful. TIA! Keith Alston Regent University IT Department keit...@regent.edu 757.619.3421 -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB29952D583FD8469A25748324D9499%40BL0PR10MB2995.namprd10.prod.outlook.com.