Re: [cas-user] SAML Service not authorized

2022-02-24 Thread Jorge Rodríguez
Hi Ray, do you mean that I have to remove the labels metadataLocation and
metadataSignatureLocation?

On Tue, 22 Feb 2022 at 18:12, Ray Bon wrote:

> Jorge,
>
> In your service definition. You only need to add metadata location to the
> service if you are using custom IdP metadata for that service.
>
> Ray
>
> On Mon, 2022-02-21 at 11:10 +0100, Jorge Rodríguez wrote:
>
> Hi Ray,
>
> The time is synchronized on the CAS server and the SP; they have the same time.
>
> The Redirect/SSO endpoint is defined at IDP Metadata.
>
> Which metadata entry do you refer to? The metadataSignatureLocation label?
>
> On Fri, 18 Feb 2022 at 17:07, Ray Bon wrote:
>
> Jorge,
>
> Assuming you are east of UTC by one hour, the issue instant is 36 seconds
> ahead of your log entries. Not sure if this is enough drift to cause a
> problem. I would also expect a different error.
>
> Make sure your IdP metadata has the Redirect/SSO endpoint. Again I would
> expect a different error message.
>
> You may not need the metadata entry in the service definition. See
> https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#per-service
>
> Ray
>
> On Fri, 2022-02-18 at 09:27 +0100, Jorge Rodríguez wrote:
>
> Hi Ray, I have defined another service provider and I have the same
> problem with it, but let me focus on the first one.
>
> This is the log generated when connecting the SP to the CAS via SAML:
>
> 2022-02-18 09:17:00,781 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor]
> -  from http request>
> 2022-02-18 09:17:00,789 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
> -  https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]
> from authentication request>
> 2022-02-18 09:17:00,810 DEBUG
> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
> -  [AbstractWebApplicationService(id=
> https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719,
> originalUrl=
> https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719,
> artifactId=null, principal=null, source=null, loggedOutAlready=false,
> format=XML, attributes={entityId=[
> https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719],
> SAMLRequest=[...],
> RelayState=[aHR0cHM6Ly9hZHNzcHdoLmluZ2VuaWFkZW1vbGFiLmVzOjkyNTEvc2FtbExvZ2luL0xPR0lOX0FVVEg=]})]>
> 2022-02-18 09:17:00,818 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
> -  https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]
> by attempting to run through the metadata chain...>
> 2022-02-18 09:17:00,819 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver]
> - 
> 2022-02-18 09:17:00,828 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver]
> -  [/etc/cas/saml/mfa-metadata.xml]>
> 2022-02-18 09:17:00,830 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataResolverCacheLoader]
> - 
> 2022-02-18 09:17:00,833 INFO
> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver]
> - 
> 2022-02-18 09:17:00,835 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
> -  [/etc/cas/saml/mfa-metadata.xml], so RequiredValidUntilFilter will not be
> invoked>
> 2022-02-18 09:17:00,837 DEBUG
> [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
> -  [/etc/cas/saml/mfa-signing.crt]>
> 2022-02-18 09:17:00,842 DEBUG [org.apereo.cas.support.saml.SamlUtils] -
>  [/etc/cas/saml/mfa-signing.crt]]>
> 2022-02-18 09:17:00,850 INFO 
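Ray's drift arithmetic above (the AuthnRequest IssueInstant, which is UTC, against a CAS log line stamped in local time, assuming UTC+1) as an added example that is not part of the thread: it decodes a SAMLRequest value from either the Redirect or the POST binding and reports how far IssueInstant runs ahead of the log line. The AuthnRequest, the SP issuer and the 60-second tolerance are constructed assumptions, not values from the thread.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed AuthnRequest standing in for the SAMLRequest value in the log
# (that value is not reproduced in the thread). IssueInstant is UTC, per SAML.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2022-02-18T08:17:36Z">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_text):
    """Encode as an SP does for HTTP-Redirect: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def encode_post_binding(xml_text):
    """Encode as an SP does for HTTP-POST: plain base64, no compression."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_saml_request(saml_request):
    """Return the AuthnRequest root element from either binding's SAMLRequest value."""
    raw = base64.b64decode(saml_request)
    if not raw.lstrip().startswith(b"<"):  # not plain XML, so it is deflated
        raw = zlib.decompress(raw, wbits=-15)
    return ET.fromstring(raw)


def parse_issue_instant(value):
    """IssueInstant is an xsd:dateTime in UTC, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def issue_instant_drift(saml_request, log_timestamp, log_utc_offset_hours):
    """Seconds by which IssueInstant runs ahead of a CAS log line in local time
    (log4j style '2022-02-18 09:17:00,781'); negative means it runs behind."""
    issue = parse_issue_instant(decode_saml_request(saml_request).get("IssueInstant"))
    local_tz = timezone(timedelta(hours=log_utc_offset_hours))
    logged = datetime.strptime(log_timestamp, "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=local_tz)
    return (issue - logged).total_seconds()


def within_skew(drift_seconds, tolerance_seconds=60):
    """Assumed tolerance of one minute either way; match it to the IdP's configured skew."""
    return abs(drift_seconds) <= tolerance_seconds
```

Against the page's log line, the constructed request is reported as roughly 35 seconds ahead, the same kind of gap Ray reads off the real request.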

[cas-user] SPNEGO/Kerberos config

2022-02-24 Thread spfma . tech
Hi,

I am setting up a new CAS server to replace our well-working 3.5.1, and I was
not able to get a working SPNEGO auth. Of course, it was impossible to use the
good old configuration files because of so many changes in the implementation.

I have been following the instructions here:
https://apereo.github.io/cas/6.4.x/authentication/SPNEGO-Authentication.html
but it was not working and some information was missing (how to configure the
JCIFS principal in the configuration file, as we only want to rely on Kerberos;
NTLM is not considered).

It seems I had an almost working configuration for some time, but I suspect a
typo in the documentation. Here is why. If I use a JAAS configuration file like
this one:

jcifs.spnego.initiate {
  com.sun.security.auth.module.Krb5LoginModule \
    required storeKey=true useKeyTab=true keyTab="/home/cas/kerberos/myspnaccount.keytab";
};
jcifs.spnego.accept {
  com.sun.security.auth.module.Krb5LoginModule \
    required storeKey=true useKeyTab=true keyTab="/home/cas/kerberos/myspnaccount.keytab";
};
Authentication fails and I get the following exceptions :

2022-02-24 09:10:09,340 DEBUG [org.springframework.webflow.engine.ActionState] 
- 
2022-02-24 09:10:09,342 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2022-02-24 09:10:09,342 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2022-02-24 09:10:09,342 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-24 09:10:09,342 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-24 09:10:09,342 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-24 09:10:09,343 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
-

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20220224102859.E4F4DC005D%40smtp04.mail.de.


Re: [cas-user] SAML Service not authorized

2022-02-24 Thread Ray Bon
Jorge,

Yes.
You only have to put your SP metadata in the directory cas expects. See 
https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#file-system
  for how to set this up.

Ray


[cas-user] Dynamic error message to login page

2022-02-24 Thread Ansuman Nayak
Hi all,

Can anyone please help me with a solution for the problem below.

I am using AbstractUsernamePasswordAuthenticationHandler (custom
authentication handler) to authenticate the request. In the method I do an
API call to validate the username and password.

Now I want to send a custom dynamic error message to the UI or login page
in case of failure, rather than using the static one from
message.properties.

Thanks in Advance.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d1c56216-e6c2-4c4b-9c38-fbadd5228c6an%40apereo.org.