Does the vendor require you to configure your IdP (CAS server) to obtain
the metadata from them dynamically? Or could you:
1. Use curl to grab a copy of their metadata from
https://vendor.com/metadata
2. Edit the metadata yourself and get rid of the "validUntil" attribute
3. Put the
We're the identity provider and the vendor is the service provider.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed
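Added here as an example, not code from the thread or from the vendor: a small Python checker for the SP metadata fetched in step 1 above. Instead of stripping validUntil, it reports an expired validUntil and a missing SPSSODescriptor so the operator can see why the IdP refuses the file; the sample document below is constructed and only reuses the expiry date quoted in the thread.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (not the vendor's real file); the validUntil
# value is the one quoted in the thread, already in the past on 2018-05-08.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://vendor-site.com/Pages/Auth/Login.aspx"
    validUntil="2018-05-03T20:29:06Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vendor-site.com/Pages/Auth/Login.aspx"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def check_sp_metadata(xml_text, now=None):
    """Report whether an SP metadata document is usable by the CAS SAML IdP.
    `now` must be a timezone-aware datetime; defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    report = {"entity_id": root.get("entityID"), "problems": []}
    # Role check: SP metadata carries SPSSODescriptor; a file with only an
    # IDPSSODescriptor describes an IdP and cannot be registered as an SP.
    report["has_sp_role"] = root.find(f"{{{MD_NS}}}SPSSODescriptor") is not None
    report["has_idp_role"] = root.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None
    if not report["has_sp_role"]:
        report["problems"].append("no SPSSODescriptor: this is not SP metadata")
    # Freshness check: validUntil in the past means the metadata resolver will
    # reject the document, so registering it gives a "metadata is valid" style WARN.
    valid_until = root.get("validUntil")
    report["valid_until"] = valid_until
    report["expired"] = False
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
        report["expired"] = expiry.replace(tzinfo=timezone.utc) < now
        if report["expired"]:
            report["problems"].append(f"validUntil {valid_until} is in the past")
    # The ACS Location is what the SamlRegisteredService serviceId has to match.
    report["acs_locations"] = []
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        loc = acs.get("Location", "")
        report["acs_locations"].append(loc)
        if not loc.startswith("https://"):
            report["problems"].append(f"non-https AssertionConsumerService {loc}")
    return report
```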
Ok, this is just a guess here, but the vendor I'm trying to implement CAS
SAML to is for an Identity Provider. Is it possible we've got this confused,
because our metadata.xml is set up for SPSSODescriptor.
I do not see it in the metadata from any of the SPs we have in production
here, so my guess would be probably not. But that's just a guess; I don't
pretend to be an authority on SAML.
--Dave
--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY
71 FIFTH AVE.,
Is that attribute required? Right now it is static.
This may be your problem, then?
validUntil="2018-05-03T20:29:06Z"
--Dave
On Tue, May 8, 2018
I get the XML output as expected.
https://vendor-site.com/Pages/Auth/Login.aspx">
https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
What do you get back when you do a curl on https://link-to-metadata.com ?
On Tuesday, May 8, 2018 at 11:10:44 AM UTC-6, John D Giotta wrote:
>
> Looking at the logs more I did find these WARNs:
>
> 2018-05-08 17:02:31,227 WARN
> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
>
> - https://vendor-site.com/Pages/Auth/Login.aspx] in
> metadata provider Ensure the metadata is valid and
No, it's the "adminpages" stuff:
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html
It's enabled solely in the CAS server; you don't need the management webapp.
--Dave
Thanks, David. Is the dashboard the management overlay?
Do you have the dashboard endpoints enabled? Can you go to the "services"
endpoint, which dumps the service registry, and see if there's something
else in there?
Alternatively, I think if you turn on debug mode logging, it will tell you
what services are loaded.
I'm thinking you might be getting
Hello everyone,
I'm the developer who has been working on implementing the SAML
authentication referenced by the OP, and the provided responses seem to
align with what I've come across while researching the issue, so I wanted
to try and provide a little more information in the hopes that it'll
For the service definition, you should only have one, which is a
SamlRegisteredService. You do not need (or want) a RegexRegisteredService
for a SAML service.
And as Matthew said, you should also set
cas.authn.samlIdp.entityId: ${cas.server.prefix}/idp
cas.authn.samlIdp.scope:
What does the SP expect the entityID to be?
I have not experimented with anything other than setting the entityId to
${cas.server.prefix}/idp and I don't know whether the CAS server will
have issues with responding to https://cas.example.org/idp since CAS itself
is at
If I don't set this property does it affect the vendor integration I'm
attempting to do?
I would expect your entityID to be https://cas.example.org/cas/idp but it
depends on what you've set it to in cas.properties under
cas.authn.samlIdp.entityId
On Monday, May 7, 2018 at 10:39:28 AM UTC-6, John D Giotta wrote:
>
> I noticed that my /cas/idp/metadata endpoint returns the following
> http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd=
> "urn:mace:shibboleth:metadata:1.0" xmlns:xml=
> "http://www.w3.org/XML/1998/namespace" xmlns:mdui=
> "urn:oasis:names:tc:SAML:metadata:ui" entityID="https://cas.example.org/idp"
>
What I meant was that Matthew asked about my JSON using the @class
org.apereo.cas.support.saml.services.SamlRegisteredService
Then asked if I registered the IdP endpoint. From the tutorial he pointed
me towards, I can't tell if I'm creating both a SamlRegisteredService and a
Well, I used the one file per service model with them all in the
/etc/cas/services directory. But I believe you can keep them all in one big
JSON file if you want.
Are there 2 service JSON files I'm supposed to create?
Just a thought, do you still have the "HTTP|IMAP" wildcard service in
there? And does it have a lower evaluation order than your service-specific
entry?
--Dave
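Added example, not from the thread or the CAS project: it shows how evaluationOrder decides between the HTTP|IMAP wildcard service Dave asks about and the SamlRegisteredService that should own the vendor URL. The registry entries are constructed, metadataLocation is a placeholder path, and full-regex matching of serviceId is an assumed simplification of CAS's matching.

```python
import re

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

# Constructed entries standing in for the JSON files in /etc/cas/services:
# a wildcard RegexRegisteredService like the stock HTTP/IMAP one, and the
# SamlRegisteredService from the thread (metadataLocation is a placeholder).
REGISTRY = [
    {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https|imaps)://.*",
        "name": "HTTP|IMAP wildcard",
        "id": 10000001,
        "evaluationOrder": 10000,
    },
    {
        "@class": SAML_CLASS,
        "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
        "name": "SAML Authentication Request",
        "id": 1003,
        "evaluationOrder": 1,
        "metadataLocation": "/etc/cas/saml/vendor-metadata.xml",
    },
]

def matching_services(registry, service_url):
    """Definitions whose serviceId pattern matches the URL, lowest evaluationOrder first.
    serviceId is treated as a regex; full-match semantics are assumed here."""
    hits = [s for s in registry if re.fullmatch(s["serviceId"], service_url)]
    return sorted(hits, key=lambda s: s["evaluationOrder"])

def diagnose(registry, service_url):
    """Say which definition CAS picks first and whether a SAML entry is shadowed."""
    ordered = matching_services(registry, service_url)
    if not ordered:
        return "no definition matches; CAS will refuse the request"
    winner = ordered[0]
    if winner["@class"] == SAML_CLASS:
        return f"ok: '{winner['name']}' (evaluationOrder {winner['evaluationOrder']}) wins"
    shadowed = [s["name"] for s in ordered[1:] if s["@class"] == SAML_CLASS]
    if shadowed:
        # The wildcard is evaluated first, so the SAML entry's policy never applies.
        return (f"shadowed: '{winner['name']}' (evaluationOrder "
                f"{winner['evaluationOrder']}) is picked before SAML entry "
                f"'{shadowed[0]}'; give the SAML entry the lower evaluationOrder")
    return f"no SamlRegisteredService matches; '{winner['name']}' wins"
```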
Have you also added the service definition for the IdP endpoint?
If you haven't already, you may want to walk through the steps for adding
SAML support in this guide:
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html
On Monday, May 7,
Yes, it is.
{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
"name": "SAML Authentication Request",
"id": 1003,
"evaluationOrder": 1,
"metadataLocation":
What do you have in your json for "@class"? Is it
"org.apereo.cas.support.saml.services.SamlRegisteredService"?
On Monday, May 7, 2018 at 9:19:58 AM UTC-6, John D Giotta wrote:
>
> I'm not too familiar with SAML 2.0 and I need to set up our existing CAS
> (currently using CAS protocol).