SAML federation and service entries

King, Robert

Jun 24, 2022, 12:51:49 PM
to cas-...@apereo.org

I am attempting to integrate a SAML federation into our CAS instance.  I seem to be stuck on service entry defined access.

It seems that to allow SAML federation I have to configure a wildcard for entityId/serviceId.  I was assuming that saml service entries would require both a positive metadata match and entityId match.  Seems that by entering the SAML service entry the wildcard match also applies to CAS services.
Example SAML service entry:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^https://.*$",
  "name" : "Federation Test",
  "id" : 10000003,
  "evaluationOrder" : 10,
  "metadataLocation" : "https://url/to/metadata.xml"
}

After entering the above service entry, any request to “/cas/login?service=anything” will match.  Makes sense if only serviceId is used for the match.  But I figured, incorrectly, that metadata was also involved.

Am I missing something, or do I have to iteratively add every possible entity id into the regex for serviceId?  That seems unmaintainable at scale.
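To make the matching behaviour described above concrete, here is an added Python model of the two matching strategies. It is an illustration written for this thread, not CAS's own service-registry code: the first function picks the lowest-evaluationOrder entry whose serviceId regex matches the requested URL, which is what the wildcard entry above does to every request; the second treats the SamlRegisteredService entry as applicable only to SAML requests whose entityID appears in that entry's metadata. The metadata document, the second (ordinary CAS) service entry and the request URLs are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample federation feed with two SPs (placeholder entityIDs,
# not a real federation).
FEDERATION_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp-one.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-two.example.edu/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""
MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Service registry: the thread's wildcard SAML entry plus a constructed
# ordinary CAS service entry for one internal application.
SERVICES = [
    {"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
     "serviceId": r"^https://.*$", "name": "Federation Test", "id": 10000003,
     "evaluationOrder": 10, "metadataLocation": "https://url/to/metadata.xml"},
    {"@class": "org.apereo.cas.services.RegexRegisteredService",
     "serviceId": r"^https://app\.example\.org/.*$", "name": "Internal App",
     "id": 20, "evaluationOrder": 20},
]


def entity_ids_from_metadata(xml_text):
    """Collect every entityID declared in the feed (iter() includes the root)."""
    root = ET.fromstring(xml_text)
    return {ed.get("entityID") for ed in root.iter(MD_NS + "EntityDescriptor")}


def match_by_service_id_only(service_url):
    """Behaviour observed in the thread: the lowest-evaluationOrder entry whose
    serviceId regex matches wins, regardless of the entry's type."""
    for svc in sorted(SERVICES, key=lambda s: s["evaluationOrder"]):
        if re.match(svc["serviceId"], service_url):
            return svc["name"]
    return None


def match_with_metadata_check(request, metadata_ids):
    """Stricter model. request is {'kind': 'cas', 'service': url} or
    {'kind': 'saml', 'entityId': id}. A SamlRegisteredService entry applies only
    to SAML requests whose entityID is in its metadata; ordinary CAS requests
    never match a SAML entry, so the wildcard stops being a catch-all."""
    for svc in sorted(SERVICES, key=lambda s: s["evaluationOrder"]):
        is_saml_entry = svc["@class"].endswith(".SamlRegisteredService")
        if request["kind"] == "saml":
            if not is_saml_entry:
                continue
            eid = request["entityId"]
            if eid in metadata_ids and re.match(svc["serviceId"], eid):
                return svc["name"]
        else:
            if is_saml_entry:
                continue
            if re.match(svc["serviceId"], request["service"]):
                return svc["name"]
    return None


if __name__ == "__main__":
    ids = entity_ids_from_metadata(FEDERATION_METADATA)
    print(match_by_service_id_only("https://anything.example.net/x"))  # Federation Test
    print(match_by_service_id_only("https://app.example.org/login"))   # Federation Test (wrong entry)
    print(match_with_metadata_check({"kind": "cas", "service": "https://anything.example.net/x"}, ids))  # None
    print(match_with_metadata_check({"kind": "cas", "service": "https://app.example.org/login"}, ids))   # Internal App
    print(match_with_metadata_check({"kind": "saml", "entityId": "https://sp-one.example.org/shibboleth"}, ids))  # Federation Test
    print(match_with_metadata_check({"kind": "saml", "entityId": "https://unknown.example.com/saml"}, ids))  # None
```

The second pair of calls in the main block is the part worth noticing: under serviceId-only matching, even the explicitly registered internal application lands on the wildcard SAML entry because of its lower evaluationOrder, so it inherits that entry's attribute-release and access policy. That is why a catch-all regex is an access-control question rather than only a maintenance one, and why the metadata-backed check (or, as suggested later in the thread, a script that applies per-SP policy) is the safer shape for a federation entry.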

Ray Bon

Jun 24, 2022, 2:21:01 PM
to cas-...@apereo.org
Robert,

Are you intending to register _every_ SP in a federation feed, or add the service entries only when you are asked by your user base?

You will still have to group SP by similar characteristics, such as attributes released, policy, or MFA, etc.

If you want to have a single catch all entry, you may be able to shift the load to a groovy script.

Ray

On Fri, 2022-06-24 at 16:51 +0000, King, Robert wrote:

Olivier Begon

Jun 27, 2022, 2:16:54 PM
to CAS Community, ro...@mun.ca
Hi Robert,

There used to be a bug in CAS where a wildcard SAML service would catch undefined CAS services.
That issue should have been fixed in releases 6.4.0 and up.

What version of CAS are you using?

Thanks
Olivier B.
ITS Middleware
Florida State University

King, Robert

Jun 28, 2022, 9:51:15 AM
to CAS Community

That is likely the issue.  We are on the latest 6.3.x branch.  Will mark it as a known bug to be resolved when we get our version to 6.5.  Thank you.
