Re: [cas-user] CAS 6.4.5, SAML2 unable to locate any signing credentials

[Ray Bon]

Agustín,

Cas needs access to your certificates as well.

My certificates are in the same directory as the metadata. They are

idp-signing.crt

idp-signing.key

idp-encryption.crt

idp-encryption.key

Cas creates them when it creates metadata. 

I assume that 'My Signing Cert' is a stand in for the actual cert. Just make sure it matches the file above.

I could not find anything in the docs to change the location of the certificates. I would prefer to have my keys in a different directory.

Ray

On Tue, 2022-02-01 at 07:34 -0800, Agustín Ezequiel Pereyra wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hello,

When I configure Apereo CAS version 6.4.5 to act as an IdP for the SAML2 protocol, I get a weird error. If I don't create the directory /etc/cas/saml, and leave CAS free to handle the creation of the idp-metadata.xml file, it works fine. But if I try to use my own idp-metadata.xml file, and put it at /etc/cas/saml, I get the error:

2022-02-01 11:59:29,715 ERROR [org.apereo.cas.support.saml.web.idp.profile.builders.enc.DefaultSamlIdPObjectSigner] - <Unable to locate any signing credentials for service [Mi cool service]>

I have verified my metadata file with this site: https://www.samltool.com/validate_xml.php, and seems to be correct. I put it down here in case it is useful, changing sensible names and that stuff:

<?xml version="1.0"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" validUntil="2021-12-30T15:55:49Z" cacheDuration="PT1641311749S" entityID="http://mycas.com/cas/idp/metadata">

  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <md:Extensions>

      <mdui:UIInfo>

        <mdui:DisplayName xml:lang="en">My Site</mdui:DisplayName>

        <mdui:Description xml:lang="en">The identity provider at My Site</mdui:Description>

        <mdui:Logo height="32" width="32" xml:lang="en">https://logo_url</mdui:Logo>

      </mdui:UIInfo>

    </md:Extensions>

    <md:KeyDescriptor use="signing">

      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

        <ds:X509Data>

          <ds:X509Certificate>My Signing Cert</ds:X509Certificate>

        </ds:X509Data>

      </ds:KeyInfo>

    </md:KeyDescriptor>

    <md:KeyDescriptor use="encryption">

      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

        <ds:X509Data>

          <ds:X509Certificate>My Encription Cert</ds:X509Certificate>

        </ds:X509Data>

      </ds:KeyInfo>

    </md:KeyDescriptor>

    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://mycas.com/cas/idp/profile/SAML2/POST/SLO"/>

    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://mycas.com/cas/logout"/>

    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://mycas.com/cas/idp/profile/SAML2/POST/SSO"/>

    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://mycas.com/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>

    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://mycas.com/cas/idp/profile/SAML2/SOAP/ECP"/>

    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://mycas.com/cas/login"/>

  </md:IDPSSODescriptor>

  <md:Organization>

    <md:OrganizationName xml:lang="en-US">Organization Name</md:OrganizationName>

    <md:OrganizationDisplayName xml:lang="en-US">Name</md:OrganizationDisplayName>

    <md:OrganizationURL xml:lang="en-US">https://mysite.com</md:OrganizationURL>

  </md:Organization>

  <md:ContactPerson contactType="administrative">

    <md:GivenName>Some Guy</md:GivenName>

    <md:EmailAddress>mailto:som...@mail.com</md:EmailAddress>

  </md:ContactPerson>

  <md:ContactPerson contactType="technical">

    <md:GivenName>Other Guy</md:GivenName>

    <md:EmailAddress>othe...@mail.com</md:EmailAddress>

  </md:ContactPerson>

  <md:ContactPerson contactType="support">

    <md:GivenName>Another One</md:GivenName>

    <md:EmailAddress>ano...@mail.com</md:EmailAddress>

  </md:ContactPerson>

</md:EntityDescriptor>

Do you have any idea of what could be the problem?

Thanks

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

[Pablo Vidaurri]

Have you tried:

cas.authn.saml-idp.metadata.file-system.location=file:/somedir/somesubdir/saml

I have my idp certs/keys in location defined above. Note prior to 6.4.5 the key is simply  cas.authn.saml-idp.metadata.location
I have another metadata folder where I keep my  metadata and in my services I point to this metadata folder

@Agustin, also make sure you have property below with a value that is fitting for you.

cas.authn.saml-idp.core.entity-id=https://sso-idp.mydomain.com/idp/saml

[Agustín Ezequiel Pereyra]

Ray,

Thank you very much for your answer! I just found out that the real problem was that the idp-metadata.xml had expired. The validUntil="2021-12-30T15:55:49Z" in the xml was indicating a passed date. I changed that and now it works! I think that the error message from CAS could be more precise in this case, as when I read that CAS was "Unable to locate any signing credentials for service [Mi cool service]", I thought it wasn't even seeing the file.

And regarding the change of location you mention, I found this property that seems to change the location of saml data (should go in the cas.properties file):
cas.authn.saml-idp.metadata.file-system.location=file:/etc/cas/saml

I haven't tried it myself, but it may work. The part of the docs where it mentions that is here -> https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#file-system

Regards,

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8287362dd17173adfa671a5ceef15817ec7b2b23.camel%40uvic.ca.

[Agustín Ezequiel Pereyra]

Thank you for your answer Pablo. I haven't tried that, but in the end it wasn't necessary, as my mistake was that the validUntil field in the metadata file was set to a date in the past. I just changed that to match a future date, and it worked.

Thanks for pointing out the use of cas.authn.saml-idp.core.entity-id= and cas.authn.saml-idp.metadata.file-system.location=, I will take them into account in the future

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/17393553-0c37-4fbb-b7ac-565eaf049133n%40apereo.org.