CAS 6.1.6 and SAML service registry


Matthieu Marc

May 5, 2020, 7:27:10 AM
to CAS Community
Hello,

I am using CAS 6.1.6 and I am trying to configure CAS as SAML2 IDP.

I included compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"  in build.gradle.

I am able to retrieve metadata information: https://cas.localhost/cas/idp/metadata

To test, I installed php-saml demo1 script from https://developers.onelogin.com/saml/php. Client URL is http://saml.localhost/demo1/

My client settings are:

$settingsInfo = array(
    'sp' => array(
        'entityId' => $spBaseUrl . '/demo1/metadata.php',
        'assertionConsumerService' => array(
            'url' => $spBaseUrl . '/demo1/index.php?acs',
        ),
        'singleLogoutService' => array(
            'url' => $spBaseUrl . '/demo1/index.php?sls',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    ),
    'idp' => array(
        'entityId' => 'https://cas.example.org/idp',
        'singleSignOnService' => array(
            'url' => 'https://cas.localhost/cas/idp/profile/SAML2/Redirect/SSO',
        ),
        'singleLogoutService' => array(
            'url' => 'https://cas.localhost/cas/idp/profile/SAML2/POST/SLO',
        ),
        'x509cert' => 'MIIDF...==',
    ),
);

When trying to login, I get an error on CAS : service is not authorized.

I installed the service registry as a JSON file:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "http://saml.localhost/demo1/metadata.php",
  "name" : "saml",
  "id" : 2000,
  "evaluationOrder" : 10,
  "metadataLocation" : "http://saml.localhost/demo1/metadata.php",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

In the CAS log, I can see:

[org.apereo.cas.services.AbstractServicesManager] - <Adding registered service [http://saml.localhost/demo1/metadata.php] with name [saml] and internal identifier [2000]>
[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Checking service access in CAS service registry for [AbstractWebApplicationService(id=http://saml.localhost/demo1/metadata.php, originalUrl=http://saml.localhost/demo1/metadata.php, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={})]>
[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <[http://saml.localhost/demo1/metadata.php] is not found in the registry or service access is denied. Ensure service is registered in service registry>

Where is my error? I tried to configure serviceId with a regex, without success.

Can someone help? Thanks


Ray Bon

May 5, 2020, 11:20:05 AM
to cas-...@apereo.org
Marc,

This looks like the service is not being read/loaded.
Check which services are loaded.
<!-- INFO  Loaded [#] service(s) from [???ServiceRegistryDAO]
     DEBUG Adding registered service [service URL] -->
<AsyncLogger name="org.apereo.cas.services.AbstractServicesManager" level="debug" />

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Matthieu Marc

May 5, 2020, 11:32:32 AM
to CAS Community

I've already activated all loggers at debug level, and in my log I can see my service definition:

[org.apereo.cas.services.AbstractServicesManager] - <Adding registered service [http://saml.localhost/demo1/metadata.php] with name [saml] and internal identifier [2000]>

Does this mean my service is loaded and accepted?


Ray Bon

May 5, 2020, 11:56:16 AM
to cas-...@apereo.org
Marc,

I have not used CAS as a SAML IdP and am relatively new to metadata.
Your service definition is being loaded.
Do you need SP metadata as well or instead of the service definition?

Ray

Matthieu Marc

May 6, 2020, 4:57:30 AM
to CAS Community
I configured my CAS 5.2.9 instance acting as SAML IdP the same way.

I declared the service with the same JSON file and had no problem connecting; the service (SP) is authorized.


Matthieu

Matthieu Marc

May 6, 2020, 10:47:02 AM
to CAS Community
SOLVED.

I found my problem.

I defined a service for the URL twice.

The first one for the web application, the second one for the SAML application. It found the web application definition first, so access was denied because it was not a SAML service.

For my dev setup, I permit all .*.localhost applications to use CAS:

"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^http://.*.localhost/.*",

And for my SAML test, I permit:

"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "http://saml.localhost/demo1/metadata.php",
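To make the shadowing described in this last post concrete, here is an added Python simulation (not CAS code and not from the thread) of how the registry lookup returns the first definition, in evaluationOrder, whose serviceId pattern matches, and how the SAML profile handler then denies a match that is not a SamlRegisteredService. The exact regex patterns, the evaluationOrder values 0 and 20 for the dev entry, and both fixes are my own assumptions.

```python
import re
from dataclasses import dataclass

SAML_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
REGEX_CLASS = "org.apereo.cas.services.RegexRegisteredService"
SP = "http://saml.localhost/demo1/metadata.php"  # the SP entityId from the thread

@dataclass
class RegisteredService:
    """Constructed stand-in for one CAS service-registry JSON entry."""
    clazz: str             # the "@class" value
    service_id: str        # the "serviceId" pattern (a regex in CAS)
    name: str
    evaluation_order: int  # lower value is consulted first

def find_service(registry, url):
    """Approximate CAS lookup: first definition, in evaluationOrder, whose pattern is found in the URL."""
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if re.search(svc.service_id, url):
            return svc
    return None

def saml_access_check(registry, sp_entity_id):
    """Approximate the SAML profile handler: the winning definition must be a SamlRegisteredService."""
    svc = find_service(registry, sp_entity_id)
    if svc is None:
        return False, "not found in the registry"
    if svc.clazz != SAML_CLASS:
        return False, f"matched [{svc.name}], which is not a SAML service"
    return True, f"authorized by [{svc.name}]"

# The shadowing setup from the thread: the catch-all dev regex is assumed to have
# evaluationOrder 0, so it wins over the SAML entry (evaluationOrder 10 as posted).
broken = [
    RegisteredService(REGEX_CLASS, r"^http://.*\.localhost/.*", "dev-all", 0),
    RegisteredService(SAML_CLASS, SP, "saml", 10),
]

# Fix A: exclude the SP host from the catch-all with a negative lookahead.
fixed_narrowed = [
    RegisteredService(REGEX_CLASS, r"^http://(?!saml\.localhost)[^/]*\.localhost/.*", "dev-all", 0),
    RegisteredService(SAML_CLASS, SP, "saml", 10),
]

# Fix B: keep both patterns but give the SAML entry the lower evaluationOrder.
fixed_ordered = [
    RegisteredService(REGEX_CLASS, r"^http://.*\.localhost/.*", "dev-all", 20),
    RegisteredService(SAML_CLASS, SP, "saml", 10),
]
```

Either fix leaves the other .localhost web applications matched by the dev entry while the SP entityId resolves to the SAML definition.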


