CAS 5.1 and SAML2 parsing error


sgennari

Aug 12, 2020, 8:50:53 AM
to cas-...@apereo.org

Hi all,

I'm seeking help with an existing CAS 5.1.5 instance SAML1.1 setup with David Curry's outstanding CAS setup guide. It's been working just fine for our basic needs with our LDAP using SAML 1.1.

We recently took on a COVID-related project that requires use of a third-party SAML2 SSO authentication method, which CAS 5.1.5 appears to support (I think).

We've submitted the IdP X.509 signing cert (from certs auto-generated in /etc/cas/saml) to the vendor, who in turn generated our sign-on information for their auth0 mechanism, and we generated the JSON service entry for our CAS instance:

file: /etc/cas/services/vendor-1597152880.json [redacted vendor and ourconnectionname]

{
    "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "serviceId": "urn:auth0:vendor:ourconnectionname",
    "name": "Vendor",
    "id": 1597152880,
    "metadataLocation": "https://vendor.us.auth0.com/samlp/metadata?connection=ourconnectionname",
    "signingSignatureAlgorithms": [
        "java.util.ArrayList",
        [
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        ]
    ],
    "signingSignatureReferenceDigestMethods": [
        "java.util.ArrayList",
        [
            "http://www.w3.org/2001/04/xmlenc#sha256"
        ]
    ],
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes": [
            "java.util.ArrayList",
            [
                "UDC_IDENTIFIER",
                /* some other attributes here */
            ]
        ]
    }
}


Here's /etc/cas/config/cas.properties [edited/redacted]

cas.server.name: https://hostname:8443
cas.server.prefix: ${cas.server.name}:8443/cas


cas.adminPagesSecurity.actuatorEndpointsEnabled:        true
cas.monitor.endpoints.enabled:          true
endpoints.enabled:                      true
cas.monitor.endpoints.sensitive:        false
endpoints.sensitive:                    false
cas.adminPagesSecurity.loginUrl:        ${cas.server.prefix}/login
cas.adminPagesSecurity.service:         ${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.users:           file:/etc/cas/config/admusers.properties
cas.adminPagesSecurity.adminRoles[0]:   ROLE_ADMIN
logging.config: file:/etc/cas/config/log4j2.xml

#location of service registry files
cas.serviceRegistry.config.location: file:/etc/cas/services

cas.tgc.secure:                       true
cas.tgc.crypto.signing.key:   [redacted]
cas.tgc.crypto.encryption.key:    [redacted]

cas.webflow.crypto.signing.key:    [redacted]
cas.webflow.crypto.encryption.key:    [redacted]


cas.authn.accept.users:
cas.authn.ldap[0].name:                 LDAP
cas.authn.ldap[0].type=AUTHENTICATED

#rest of  LDAP config omitted but it works

cas.authn.samlIdp.entityId=https://hostname.simons-rock.edu/idp
cas.authn.samlIdp.scope=simons-rock.edu

cas.samlidp.metadata.location=file:/etc/cas/saml
cas.samlidp.hostname=hostname.simons-rock.edu
cas.samlidp.scope=simons-rock.edu
cas.samlidp.entityid=https://hostname.simons-rock.edu/idp
cas.samlidp.response.skewAllowance=0
cas.samlidp.metadata.cache.exp.minutes=30
cas.samlidp.metadata.failfast.init=true
cas.samlidp.metadata.require.valid=true


cas.authn.ldap[0].principalAttributeId=uid
cas.logout.followServiceRedirects=true



The parsing error is as follows:

2020-08-12 08:26:16,658 ERROR [org.apereo.cas.util.serialization.AbstractJacksonBackedStringSerializer] - <Cannot read/parse JSON [{"@class":"org.apereo.cas.support.saml.services.SamlRegisteredService","serviceId":"urn:auth0:cov...] to deserialize into type [interface org.apereo.cas.services.RegisteredService]. This may be caused in the absence of a configuration/support module that knows how to interpret the JSON fragment, specially if the fragment describes a CAS registered service definition. Internal parsing error is [Could not resolve type id 'org.apereo.cas.support.saml.services.SamlRegisteredService' into a subtype of [simple type, class org.apereo.cas.services.RegisteredService]: no such class found
 at [Source: {"@class":"org.apereo.cas.support.saml.services.SamlRegisteredService","serviceId":"urn:auth0:vendor:connectionname","name":"CoVerified","id":1597152880,"metadataLocation":"https://vendor.us.auth0.com/samlp/metadata?connection=connectionnameimonrock","signingSignatureAlgorithms":["java.util.ArrayList",["http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"]],"signingSignatureReferenceDigestMethods":["java.util.ArrayList",["http://www.w3.org/2001/04/xmlenc#sha256"]],"attributeReleasePolicy":{"@class":"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy","allowedAttributes":["java.util.ArrayList",["UDC_IDENTIFIER"]]}}; line: 1, column: 11]]>
2020-08-12 08:26:16,658 ERROR [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] - <Could not load service definition from file [/etc/cas/services/vendor-1597152880.json]>

I'm not sure if I have this set up properly, or if using this somewhat older version of CAS is part of the issue?

Any advice you have to offer would be greatly appreciated.

Thanks in advance,

Scott

-- 
Scott Gennari
System Administrator
Information Technology Services
Bard College at Simon's Rock

Jeremiah Garmatter

Aug 13, 2020, 12:00:18 PM
to CAS Community, Scott G
Scott,

To me, it sounds like the org.apereo.cas.support.saml.services.SamlRegisteredService class is not defined. If you're using the Maven or Gradle overlay template, did you include the dependency for cas-server-support-saml-idp?
Here is the CAS documentation for more info on 5.1.x saml 2 protocol: https://apereo.github.io/cas/5.1.x/installation/Configuring-SAML2-Authentication.html#configuration

Hope this helps!
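A small diagnostic for exactly the failure in this thread, added here as an example and not code from either post or from the CAS project: it loads a service definition the way CAS's service registry does (tolerating the `/* */` comment and the trailing comma in the posted file, which CAS's HJSON-based reader accepts but strict JSON does not), reads the `@class` value, and then checks whether the deployed `cas.war` actually contains that class anywhere under `WEB-INF/classes` or in a `WEB-INF/lib` jar. That is the condition the "no such class found" message is reporting. The WAR built in the script and its jar names are constructed placeholders; on a real deployment, pass the bytes of the built `cas.war` and the text of the service file to `diagnose()`.

```python
import io
import json
import re
import zipfile

# CAS reads service files with an HJSON reader, so comments and trailing commas
# (both present in the file quoted in the thread) are tolerated. json.loads is
# strict, so strip only those two extensions before parsing. The string
# alternative in each pattern keeps "https://..." and other literals intact.
_STRING = r'"(?:\\.|[^"\\])*"'
_COMMENTS = re.compile(_STRING + r'|/\*.*?\*/|//[^\n]*', re.DOTALL)
_TRAILING_COMMA = re.compile(_STRING + r'|,(?=\s*[\]}])')


def _keep_strings(m):
    return m.group(0) if m.group(0).startswith('"') else ""


def load_service(text):
    """Parse a CAS JSON/HJSON service definition into a dict."""
    text = _COMMENTS.sub(_keep_strings, text)
    text = _TRAILING_COMMA.sub(_keep_strings, text)
    return json.loads(text)


def jars_providing(war_bytes, fqcn):
    """Return every location in the WAR (WEB-INF/classes or a lib jar) that holds fqcn."""
    entry = fqcn.replace(".", "/") + ".class"
    hits = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        if "WEB-INF/classes/" + entry in names:
            hits.append("WEB-INF/classes")
        for name in names:
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    if entry in jar.namelist():
                        hits.append(name)
    return hits


def diagnose(service_text, war_bytes):
    """Explain whether the service file's @class can be resolved from this WAR."""
    cls = load_service(service_text)["@class"]
    hits = jars_providing(war_bytes, cls)
    if hits:
        return "ok: %s provided by %s" % (cls, ", ".join(hits))
    return "missing: %s is not in the WAR; add the support module that provides it" % cls


# --- constructed sample inputs (not the poster's real files) -----------------

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

SAMPLE_SERVICE = """{
    "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "serviceId": "urn:auth0:vendor:ourconnectionname",
    "name": "Vendor",
    "id": 1597152880,
    "metadataLocation": "https://vendor.us.auth0.com/samlp/metadata?connection=ourconnectionname",
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes": [ "java.util.ArrayList", [ "UDC_IDENTIFIER", /* more here */ ] ]
    }
}"""


def build_sample_war(with_saml_support):
    """Build a toy cas.war in memory. Jar names are placeholders, not real artifacts."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for e in entries:
                z.writestr(e, b"")   # empty stub; only the entry name matters here
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/core-services-PLACEHOLDER.jar",
                   jar(["org/apereo/cas/services/RegisteredService.class"]))
        if with_saml_support:
            w.writestr("WEB-INF/lib/saml-support-PLACEHOLDER.jar",
                       jar([SAML_CLASS.replace(".", "/") + ".class"]))
    return war.getvalue()


if __name__ == "__main__":
    print(diagnose(SAMPLE_SERVICE, build_sample_war(False)))
    print(diagnose(SAMPLE_SERVICE, build_sample_war(True)))
```

Running it against the WAR without the SAML support module reproduces the thread's condition (`missing: ... is not in the WAR`); with the module present, it reports which jar supplies the class. The same loader can be pointed at every file under `/etc/cas/services` to catch a definition whose `@class` the deployment cannot resolve before CAS logs it at startup.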