CAS 5.3.8 - SAML2 IdP - match found for service in registry but the match is not defined as a SAML service

[Nicola Boldrin]

Hi all,

I'm trying to configure CAS 3.5.8 to be SAML2 IdP; I'm trying to do an SSO login with a Spring sample app too (https://github.com/spring-projects/spring-security-saml).

When the sample app send auth request, CAS says "Application Not Authorized to Use CAS".

Below the log's messages

INFO [org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor] Received SAML profile request [/cas-jpa/idp/profile/SAML2/POST/SSO]
DEBUG [org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor] Locating SAML object from message context...
DEBUG [org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor] Decoded SAML object [{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest] from http request
INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [issuer=https://localhost:7777/saml/login,binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
ACTION: SAML2_REQUEST_CREATED
APPLICATION: CAS
WHEN: Thu May 16 17:27:10 CEST 2019
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================




DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] Located issuer [https://localhost:7777/saml/login] from authentication request
DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] Checking service access in CAS service registry for [https://localhost:7777/saml/login]
ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] CAS has found a match for service [https://localhost:7777/saml/login] in registry but the match is not defined as a SAML service
WARN [org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver] Resolved [org.apereo.cas.services.UnauthorizedServiceException: screen.service.error.message] to ModelAndView: reference to view with name 'casServiceErrorView'; model is {rootCauseException=org.apereo.cas.services.UnauthorizedServiceException: }
INFO [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] service='null', svc='null', this.callbackUrl='https://localhost:6443/cas-jpa/oauth2.0/callbackAuthorize'
DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] Authentication request is not identified as an OAuth request
INFO [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] service='null', svc='null', this.callbackUrl='https://localhost:6443/cas-jpa/oauth2.0/callbackAuthorize'
DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] Authentication request is not identified as an OAuth request

Below my configuration

# === SAML 2 Idp


cas.authn.samlIdp.entityId=https://localhost:6443/cas-jpa/idp
cas.authn.samlIdp.metadata.location=file:${etc.cas.dir}saml
cas.authn.samlIdp.attributeQueryProfileEnabled=true

Thanks

[Ray Bon]

Nicola,

I assume you have imported SP metadata.

Perhaps you have to name your service registry entry "serviceId" : "https://localhost:7777/saml/login" to match the entityId.

Ray

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

[Nicola Boldrin]

Hi Ray,

the first declaration of serviceId was "https://localhost:7777/saml/login" as you suggested but the error was the same.

The file SAML2_client5-109005.xml  contains the demo app metadata and is imported by the service's JSON with declaration

"metadataLocation": "/home/user/Documents/eclipse-workspace/DEV_CERTIFICATE_UTIL/SAML2_client5-109005.xml"

Thanks