Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2022-02-21 Thread Joseph Zhou
lowing line to cas.properties.
>>
>>  
>>
>> cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp
>>
>>  
>>
>> 3.  Create a service definition file in /etc/cas/services.
>>
>>  
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "google.com/a/example.com",
>>   "name" : "G Suite",
>>   "id" : 1002,
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>>   },
>>   "usernameAttributeProvider" : {
>>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>     "usernameAttribute" : "mail"
>>   },
>>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
>>   "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
>> }
>>
>>  
>>
>> 4.  Create a directory /etc/cas/saml.
>>
>> 5.  Generate certificates.
>>
>>  
>>
>> openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048
>> openssl req -new -x509 -key /etc/cas/saml/idp-encryption.key -out /etc/cas/saml/idp-encryption.crt -days 3650
>> openssl genrsa -out /etc/cas/saml/idp-signing.key 2048
>> openssl req -new -x509 -key /etc/cas/saml/idp-signing.key -out /etc/cas/saml/idp-signing.crt -days 3650
>>
>>  
>>
>> 6.  Create idp-metadata.xml in /etc/cas/saml with the following 
>> contents.
>>
>>  
>>
>> Note:  REPLACE_WITH_..._CERTIFICATE should be replaced with everything 
>> between the “-BEGIN CERTIFICATE-“ and “-END CERTIFICATE-“ 
>> in the corresponding .crt file.
>>
>>  
>>
>>
>> http://www.w3.org/2000/09/xmldsig#"
>> xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
>> xmlns:xml="http://www.w3.org/XML/1998/namespace"
>> xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
>> entityID="https://cas-server-url/cas/idp">
>>
>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
>>
>> REPLACE_WITH_SIGNING_CERTIFICATE
>>
>> REPLACE_WITH_ENCRYPTION_CERTIFICATE
>>
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SLO"/>
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SLO"/>
>>
>> urn:mace:shibboleth:1.0:nameIdentifier
>> urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>>
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SSO"/>
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://cas-server-url/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO"/>
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://cas-server-url/cas/idp/profile/SAML2/SOAP/ECP"/>
>>
>>  
>>
>> 7.  Create sp-metadata.xml in /etc/cas/saml with the following 
>>

Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2022-02-13 Thread Joseph Zhou
teredServiceUsernameProvider",
>     "usernameAttribute" : "mail"
>   },
>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
>   "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
> }
>
>  
>
> 4.  Create a directory /etc/cas/saml.
>
> 5.  Generate certificates.
>
>  
>
> openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048
> openssl req -new -x509 -key /etc/cas/saml/idp-encryption.key -out /etc/cas/saml/idp-encryption.crt -days 3650
> openssl genrsa -out /etc/cas/saml/idp-signing.key 2048
> openssl req -new -x509 -key /etc/cas/saml/idp-signing.key -out /etc/cas/saml/idp-signing.crt -days 3650
>
>  
>
> 6.  Create idp-metadata.xml in /etc/cas/saml with the following 
> contents.
>
>  
>
> Note:  REPLACE_WITH_..._CERTIFICATE should be replaced with everything 
> between the “-BEGIN CERTIFICATE-“ and “-END CERTIFICATE-“ 
> in the corresponding .crt file.
>
>  
>
>
> http://www.w3.org/2000/09/xmldsig#"
> xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
> xmlns:xml="http://www.w3.org/XML/1998/namespace"
> xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
> entityID="https://cas-server-url/cas/idp">
>
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
>
> REPLACE_WITH_SIGNING_CERTIFICATE
>
> REPLACE_WITH_ENCRYPTION_CERTIFICATE
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SLO"/>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SLO"/>
>
> urn:mace:shibboleth:1.0:nameIdentifier
> urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SSO"/>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://cas-server-url/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO"/>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://cas-server-url/cas/idp/profile/SAML2/SOAP/ECP"/>
>
>
>  
>
> 7.  Create sp-metadata.xml in /etc/cas/saml with the following 
> contents.
>
>  
>
>
> validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S" entityID="google.com/a/example.com">
> WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>
> http://www.w3.org/2000/09/xmldsig#">
> REPLACE_WITH_SIGNING_CERTIFICATE
>
> http://www.w3.org/2000/09/xmldsig#">
> REPLACE_WITH_ENCRYPTION_CERTIFICATE
>
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/example.com/acs" index="1"/>
>
>
>  
>
> 8.  In the G Suite Admin Console "Set up single sign-on (SSO) with a 
> third party IdP" section:
>
> a.  Checked the box for "Set up SSO with third-party identity provider"
>
> b.  Entered "https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"
>
> c.  Entered "https://cas-server-url/cas/logout" for "Sign-out page URL"
>
> d.  Checked "Use a domain specific identifier"
>
> e.  Uploaded the idp-signing.crt certificate.
>
>  
>
> Hopeful

Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2021-06-29 Thread Geng, Kelly
I think I got the difference, so never mind the question.

Kelly

On Mon, Jun 28, 2021 at 5:10 PM Geng, Kelly  wrote:

> Hi Doug,
>
> Thanks for posting the instructions. We are trying to do the same thing
> and will try out your instructions. I do have 1 question about the
> instruction: You mentioned to bring in this dependency:
> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'
> cas.version'}"
>
> But when I read CAS documentation:
> https://apereo.github.io/cas/6.3.x/integration/Configuring-SAML-SP-Integrations.html
>
> it mentions * cas-server-support-saml-sp-integrations *as the dependency.
>
> Do you know what's the difference between the two?
>
> Thanks,
> Kelly
>
>
>
> On Sat, Sep 26, 2020 at 3:44 PM Doug Campbell 
> wrote:
>
>> A warning to others on what I wrote as instructions.  I accidentally left
>> in validUntil="2020-09-25T20:17:03Z" in the sp-metadata.xml file.  You
>> would want to remove this or otherwise things won’t work.
>>
>>
>>
>> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Doug
>> Campbell
>> *Sent:* Wednesday, September 23, 2020 11:46 PM
>> *To:* cas-user@apereo.org
>> *Subject:* RE: [cas-user] Configure SAML2 IdP functionality to provide
>> SSO for G Suite
>>
>>
>>
>> Yep.  The certificate was the issue.  I do have it working now but I have
>> two questions regarding warnings I am seeing.
>>
>>
>>
>> I get the following warning:
>>
>>
>>
>> WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - > exceeds 80 bytes:
>> https://www.google.com/a/example.com/ServiceLogin?service=mail=true=false=https%3A%2F%2Fmail.google.com%2Fmail%2F=1=default=2=1=1
>> >
>>
>>
>>
>> Is this normal and a result of the way G Suite does SAML?  Or is there
>> something I can configure to make CAS happy and not feel the need to warn
>> me.
>>
>>
>>
>> Also, I get this warning upon signing out of G Suite:
>>
>>
>>
>> WARN
>> [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>> - > google.com/a/example.com]>
>>
>>
>>
>> I read somewhere online that Google does not provide Single Log Out
>> (SLO).  Is there a way to disable SLO for a service so I don't get this
>> warning?  I want to keep SLO enabled in general.
>>
>>
>>
>> Thanks!
>>
>>
>>
>> *Instructions for Others*
>>
>>
>>
>> In case someone else is trying to figure this out, here is what I think
>> constitutes all the steps that I took to get this working.  You should
>> replace all instances of example.com and cas-server-url with what is
>> appropriate for the system being configured.
>>
>>
>>
>> 1.   Add the following dependency in the WAR overlay build.gradle
>> file.
>>
>>
>>
>> implementation
>> "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>>
>>
>>
>> 2.  Add the following line to cas.properties.
>>
>>
>>
>> cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp
>>
>>
>>
>> 3.  Create a service definition file in /etc/cas/services.
>>
>>
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "google.com/a/example.com",
>>   "name" : "G Suite",
>>   "id" : 1002,
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
>>   },
>>   "usernameAttributeProvider" : {
>>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>     "usernameAttribute" : "mail"
>>   },
>>   "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
>>   "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
>> }
>>
>>
>>
>> 4.  Create a dir

RE: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2020-09-26 Thread Doug Campbell
A warning to others on what I wrote as instructions.  I accidentally left in 
validUntil="2020-09-25T20:17:03Z" in the sp-metadata.xml file.  You would want 
to remove this or otherwise things won’t work.

 

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Doug 
Campbell
Sent: Wednesday, September 23, 2020 11:46 PM
To: cas-user@apereo.org
Subject: RE: [cas-user] Configure SAML2 IdP functionality to provide SSO for G 
Suite

 

Yep.  The certificate was the issue.  I do have it working now but I have two 
questions regarding warnings I am seeing.

 

I get the following warning:

 

WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - https://www.google.com/a/example.com/ServiceLogin?service=mail=true=false=https%3A%2F%2Fmail.google.com%2Fmail%2F=1=default=2=1=1

 

Is this normal and a result of the way G Suite does SAML?  Or is there 
something I can configure to make CAS happy and not feel the need to warn me.

 

Also, I get this warning upon signing out of G Suite:

 

WARN 
[org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
 - 

 

I read somewhere online that Google does not provide Single Log Out (SLO).  Is 
there a way to disable SLO for a service so I don't get this warning?  I want 
to keep SLO enabled in general.

 

Thanks!

 

Instructions for Others

 

In case someone else is trying to figure this out, here is what I think 
constitutes all the steps that I took to get this working.  You should replace 
all instances of example.com and cas-server-url with what is appropriate for the 
system being configured.

 

1.   Add the following dependency in the WAR overlay build.gradle file.

 

implementation 
"org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"

 

2.  Add the following line to cas.properties.

 

cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp

 

3.  Create a service definition file in /etc/cas/services.

 

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "G Suite",
  "id" : 1002,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
  "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
}

 

4.  Create a directory /etc/cas/saml.

5.  Generate certificates.

 

openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048
openssl req -new -x509 -key /etc/cas/saml/idp-encryption.key -out /etc/cas/saml/idp-encryption.crt -days 3650
openssl genrsa -out /etc/cas/saml/idp-signing.key 2048
openssl req -new -x509 -key /etc/cas/saml/idp-signing.key -out /etc/cas/saml/idp-signing.crt -days 3650

 

6.  Create idp-metadata.xml in /etc/cas/saml with the following contents.

 

Note:  REPLACE_WITH_..._CERTIFICATE should be replaced with everything between 
the “-BEGIN CERTIFICATE-“ and “-END CERTIFICATE-“ in the 
corresponding .crt file.

 



http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
entityID="https://cas-server-url/cas/idp">

REPLACE_WITH_SIGNING_CERTIFICATE

REPLACE_WITH_ENCRYPTION_CERTIFICATE

https://cas-server-url/cas/idp/profile/SAML2/POST/SLO"/>
https://cas-server-url/cas/idp/profile/SAML2/Redirect/SLO"/>

urn:mace:shibboleth:1.0:nameIdentifier
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

https://cas-server-url/cas/idp/profile/SAML2/POST/SSO"/>
https://cas-server-url/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>

https://cas-server
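
As an added example (not code from this thread, from CAS or from Apereo), a small Python script that checks offline for the two things that tripped up this setup: a service definition that does not parse as JSON, and SP metadata whose validUntil has already passed, plus a helper that pulls the base64 body out of a .crt file for the REPLACE_WITH_..._CERTIFICATE placeholders. The service JSON, the SP metadata (its element names are assumed from the SAML 2.0 metadata schema) and the PEM file are constructed samples embedded in the script, not files from a live system.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: the thread's service definition, with the comma after the
# "usernameAttributeProvider" block in place so the file parses as JSON.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "G Suite",
  "id" : 1002,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
  "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
}"""

# Constructed sample SP metadata (element names assumed from the SAML 2.0 schema)
# carrying the stale validUntil the thread warns about.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S"
    entityID="google.com/a/example.com">
  <md:SPSSODescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for idp-signing.crt; the bytes are not a real certificate.
SAMPLE_CERT_BYTES = b"constructed sample certificate bytes, not a real X.509 cert"
EXPECTED_BODY = base64.b64encode(SAMPLE_CERT_BYTES).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    EXPECTED_BODY[i:i + 64] for i in range(0, len(EXPECTED_BODY), 64)
) + "\n-----END CERTIFICATE-----\n"


def check_service_definition(text, sp_entity_id):
    """Problems found in a SamlRegisteredService JSON file (empty list means none)."""
    try:
        svc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    problems = []
    # CAS matches a SAML service on its serviceId against the SP's entityID.
    if svc.get("serviceId") != sp_entity_id:
        problems.append("serviceId does not match the SP entityID")
    # The attribute used as the username must actually be released to the SP.
    username = svc.get("usernameAttributeProvider", {}).get("usernameAttribute")
    allowed = svc.get("attributeReleasePolicy", {}).get("allowedAttributes", [])
    released = allowed[1] if len(allowed) == 2 and isinstance(allowed[1], list) else allowed
    if username not in released:
        problems.append(f"username attribute {username!r} is not in allowedAttributes")
    return problems


def check_sp_metadata(xml_text, now_utc):
    """Problems found in SP metadata as of now_utc, e.g. "2020-09-26T00:00:00Z"."""
    now = datetime.strptime(now_utc, ISO_UTC).replace(tzinfo=timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    valid_until = root.get("validUntil")
    if valid_until is not None:
        expiry = datetime.strptime(valid_until, ISO_UTC).replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append(f"validUntil {valid_until} has passed; remove it or set a future date")
    if not root.findall(f".//{{{MD_NS}}}AssertionConsumerService"):
        problems.append("no AssertionConsumerService endpoint")
    return problems


def pem_body(pem_text):
    """Base64 between the BEGIN/END CERTIFICATE lines as one string (for the
    REPLACE_WITH_..._CERTIFICATE placeholders); raises if it is not clean base64."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)
    return body
```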

RE: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2020-09-23 Thread Doug Campbell
r-url/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"

c.  Entered "https://cas-server-url/cas/logout" for "Sign-out page URL"

d.  Checked "Use a domain specific identifier"

e.  Uploaded the idp-signing.crt certificate.

 

Hopefully I didn’t leave anything out and this will help out the next person.

 

Doug

 

From: 'Richard Frovarp' via CAS Community [mailto:cas-user@apereo.org] 
Sent: Wednesday, September 23, 2020 9:54 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G 
Suite

 

The cert you were using under the old integration likely doesn't match your 
SAML cert. You would need to upload your new SAML cert to Google. And yeah, you 
want to remove the old bits of the old method, in particular the jars 
associated with it as it fires before the generic SAML can.

 

On Tue, 2020-09-22 at 23:15 -0400, Doug Campbell wrote:

Responding a little to my own question.  I don’t have it fully figured out yet 
but I did find a significant issue.  I had left my service file for the old 
Google Apps SAML integration method in my services directory and I think this 
was intercepting things.  I’m not getting the same error as before but when I 
authenticated I got back a page from Google indicating that no such account 
existed.  I’m going to try again and see what I can find perhaps see if I can 
turn of the debugging.

 

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Doug C
Sent: Tuesday, September 22, 2020 12:12 AM
To: CAS Community
Subject: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

 

I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Most 
everything has gone smoothly but I am having trouble with setting up CAS to be 
my G Suite third-party Idp.  Previously I had been using the Google Apps 
Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the page 
for that 
(https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
now indicates that it is deprecated and that I should consider using the SAML2 
identity provider functionality to handle this.  I have tried to piece together 
information in the documentation and in other folk's questions in the cas-user 
forum but I seem to be missing something.  This is likely due to my lack of 
familiarity with SAML.

 

I would appreciate any help or direction on getting this working.

 

This is what I have done so far.

 

Note: I have replaced the references to my G Suite primary domain with 
example.com for this posting.

 

I created a services file (etc/cas/services/GSuite-1003.json) with the 
following content:

 

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 1003,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}

 

 

I also created an sp-metadata.xml file using 
https://www.samltool.com/sp_metadata.php with the following contents:

 








urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
https://www.google.com/a/example.com/acs" index="1" />







 

 

I also included the following dependency in the CAS overlay:

 

implementation 
"org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"

 

 

In G Suite Admin Console "Set up single sign-on (SSO) with a third party IdP" I:

1. Checked the box for "Set up SSO with third-party identity provider"

2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"

3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out page URL"

4. Checked "Use a domain specific identifier"

5. Uploaded the previous x.509 certificate that I had used when using the 
previous method.

 

 

At the moment, when I attempt to load a Google service I am redirected back to 
my CAS server but I receive the following error message:

 

Error: No metadata resolvers could be configured for service SAMLService with 
metadata location /etc/cas/saml/sp-metadata.xml

 

 

I am guessing that this is something to do with m

Re: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2020-09-23 Thread 'Richard Frovarp' via CAS Community
The cert you were using under the old integration likely doesn't match your 
SAML cert. You would need to upload your new SAML cert to Google. And yeah, you 
want to remove the old bits of the old method, in particular the jars 
associated with it as it fires before the generic SAML can.

On Tue, 2020-09-22 at 23:15 -0400, Doug Campbell wrote:
Responding a little to my own question.  I don’t have it fully figured out yet 
but I did find a significant issue.  I had left my service file for the old 
Google Apps SAML integration method in my services directory and I think this 
was intercepting things.  I’m not getting the same error as before but when I 
authenticated I got back a page from Google indicating that no such account 
existed.  I’m going to try again and see what I can find perhaps see if I can 
turn of the debugging.

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Doug C
Sent: Tuesday, September 22, 2020 12:12 AM
To: CAS Community 
Subject: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Most 
everything has gone smoothly but I am having trouble with setting up CAS to be 
my G Suite third-party Idp.  Previously I had been using the Google Apps 
Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the page 
for that 
(https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
now indicates that it is deprecated and that I should consider using the SAML2 
identity provider functionality to handle this.  I have tried to piece together 
information in the documentation and in other folk's questions in the cas-user 
forum but I seem to be missing something.  This is likely due to my lack of 
familiarity with SAML.

I would appreciate any help or direction on getting this working.

This is what I have done so far.

Note: I have replaced the references to my G Suite primary domain with 
example.com for this posting.

I created a services file (etc/cas/services/GSuite-1003.json) with the 
following content:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 1003,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
"@class" : 
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}


I also created an sp-metadata.xml file using 
https://www.samltool.com/sp_metadata.php with the following contents:





urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
https://www.google.com/a/example.com/acs" index="1" />





I also included the following dependency in the CAS overlay:

implementation 
"org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"


In G Suite Admin Console "Set up single sign-on (SSO) with a third party IdP" I:
1. Checked the box for "Set up SSO with third-party identity provider"
2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"
3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out page URL"
4. Checked "Use a domain specific identifier"
5. Uploaded the previous x.509 certificate that I had used when using the 
previous method.


At the moment, when I attempt to load a Google service I am redirected back to 
my CAS server but I receive the following error message:

Error: No metadata resolvers could be configured for service SAMLService with 
metadata location /etc/cas/saml/sp-metadata.xml


I am guessing that this is something to do with my sp-metadata.xml file missing 
something but I am at a loss as to what I need to do.

Any help appreciated.  Thanks!

Doug

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org.


RE: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

2020-09-22 Thread Doug Campbell
Responding a little to my own question.  I don’t have it fully figured out yet 
but I did find a significant issue.  I had left my service file for the old 
Google Apps SAML integration method in my services directory and I think this 
was intercepting things.  I’m not getting the same error as before but when I 
authenticated I got back a page from Google indicating that no such account 
existed.  I’m going to try again and see what I can find perhaps see if I can 
turn of the debugging.

 

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Doug C
Sent: Tuesday, September 22, 2020 12:12 AM
To: CAS Community 
Subject: [cas-user] Configure SAML2 IdP functionality to provide SSO for G Suite

 

I have been working toward updating from CAS 6.0.x to CAS 6.2.x.  Most 
everything has gone smoothly but I am having trouble with setting up CAS to be 
my G Suite third-party Idp.  Previously I had been using the Google Apps 
Integration (org.apereo.cas:cas-server-support-saml-googleapps) but the page 
for that 
(https://apereo.github.io/cas/6.2.x/integration/Google-Apps-Integration.html) 
now indicates that it is deprecated and that I should consider using the SAML2 
identity provider functionality to handle this.  I have tried to piece together 
information in the documentation and in other folk's questions in the cas-user 
forum but I seem to be missing something.  This is likely due to my lack of 
familiarity with SAML.

 

I would appreciate any help or direction on getting this working.

 

This is what I have done so far.

 

Note: I have replaced the references to my G Suite primary domain with 
example.com for this posting.

 

I created a services file (etc/cas/services/GSuite-1003.json) with the 
following content:

 

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "SAMLService",
  "id" : 1003,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml"
}

 

 

I also created an sp-metadata.xml file using 
https://www.samltool.com/sp_metadata.php with the following contents:

 








urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
https://www.google.com/a/example.com/acs" index="1" />







 

 

I also included the following dependency in the CAS overlay:

 

implementation 
"org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"

 

 

In G Suite Admin Console "Set up single sign-on (SSO) with a third party IdP" I:

1. Checked the box for "Set up SSO with third-party identity provider"

2. Entered "https://signin.my-cas-server.com/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"

3. Entered "https://signin.my-cas-server.com/cas/logout" for "Sign-out page URL"

4. Checked "Use a domain specific identifier"

5. Uploaded the previous x.509 certificate that I had used when using the 
previous method.

 

 

At the moment, when I attempt to load a Google service I am redirected back to 
my CAS server but I receive the following error message:

 

Error: No metadata resolvers could be configured for service SAMLService with 
metadata location /etc/cas/saml/sp-metadata.xml

 

 

I am guessing that this is something to do with my sp-metadata.xml file missing 
something but I am at a loss as to what I need to do.

 

Any help appreciated.  Thanks!

 

Doug

 
