Connecting SAML SP to CAS 6


Fabian Schipp

Jun 6, 2019, 9:06:50 AM
to CAS Community
Hi everyone,

I am currently trying to connect Confluence as SAML SP with a CAS 6 instance.
CAS Server on its own is running fine. I added a SAML service I created using the docs chapter on SAML services:
https://apereo.github.io/cas/6.0.x/installation/Configuring-SAML2-Authentication.html#saml-services

My SAML service:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso",
  "name" : "dev Confluence Application",
  "id" : 1558621301329267,
  "metadataLocation" : "https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso/metadata",
  "evaluationOrder" : 10
}

CAS does load the service, but it looks like it is malformed in some way.

I checked some things that might have gone wrong:
- the metadata-URL does link to the correct metadata of the SP
- the serviceId matches the corresponding URL from the confluence system
- the id field matches the name of the service-filename (it is called devConfluence-1558621301329267.json)

The output I get is this:
2019-06-06 14:56:58,002 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Located issuer [https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso] from authentication request>

2019-06-06 14:56:58,004 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Checking service access in CAS service registry for [AbstractWebApplicationService(id=https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso, originalUrl=https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={})]>

2019-06-06 14:56:58,024 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <[https://<CONFLUENCE_DOMAIN>/plugins/servlet/samlsso] is not found in the registry or service access is denied. Ensure service is registered in service registry>

So there is another service registry I have to register my service in?
Are there any more fields that are mandatory to include in the service? If so, I can't find the correct page in the docs that says so.

I am really lost on this one. Any help is appreciated.

Thank you very much.

Matthew Uribe

Jun 6, 2019, 9:37:05 AM
to CAS Community
Is the devConfluence-1558621301329267.json file readable for whatever user/service is running CAS? When I forget to change ownership of my json files to the tomcat user, I run into the same issue.

Fabian Schipp

Jun 6, 2019, 9:54:52 AM
to CAS Community
I am running the .war overlay, therefore I have no tomcat user.
But I checked the file, it's owned by the root user.
I then checked the process running the war file environment in the jdk folder - it is also the root user.

Matthew Uribe

Jun 6, 2019, 10:21:04 AM
to CAS Community
OK. So if root is running CAS, and root owns the json file, then that part should be fine. Do you have any other services registered that CAS is reading correctly? 

Fabian Schipp

Jun 6, 2019, 10:41:26 AM
to CAS Community
There is one more service called SAML2CallbackProfile which was suggested in a tutorial:
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html#create-a-service-definition-for-the-idp-endpoint

{
  /*
   * The CAS SAML IdP creates this endpoint as part of its initialization
   * process at server startup time. If the service registry doesn't already
   * contain an entry whose serviceId matches the endpoint, CAS will create
   * a new service definition and save it to the registry. If the CAS server
   * doesn't have write access to the registry, then the save will fail and
   * the server will not start.
   *
   * To avoid that situation, and to make it clear that this endpoint is a
   * "desired" service, it is defined explicitly here.
   */
  "@class" :            "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" :         "https://<CAS-URL>/cas/idp/profile/SAML2/Callback.+",
  "name" :              "SAML Authentication Request",
  "id" :                1558621367337136,
  "evaluationOrder" :   100
}

But I am not sure if this is needed; CAS does load it successfully on boot.

Is there any other simplistic service I could try to see if CAS loads anything correct?

David Curry

Jun 6, 2019, 11:22:05 AM
to cas-...@apereo.org
> But I am not sure if this is needed - but CAS loads it successfully on boot.

At least in CAS 5, SAML2 will not work if you do not have that service. I don't know if CAS 6 still requires it, but I would assume that it does unless you can find something that says it doesn't.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728
david...@newschool.edu



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8dd6b366-77b8-4d1e-9bec-4a97063efcdc%40apereo.org.

Matthew Uribe

Jun 6, 2019, 2:14:39 PM
to CAS Community
> Is there any other simplistic service I could try to see if CAS loads anything correct?

That same tutorial you mentioned contains steps for setting up a basic CAS or SAML client in order to test your CAS server.

Since you don't have any other services currently working with this CAS server, I would just ask you to confirm that your json files are in the location specified in your cas.properties cas.serviceRegistry.json.location line.

David Curry

Jun 6, 2019, 2:19:53 PM
to cas-...@apereo.org
If you don't feel like (or can't) setting up a web server as an SP, you can also use this:


Click on Instructions > SP Initiated SSO to begin.


Fabian Schipp

Jun 7, 2019, 3:29:30 AM
to CAS Community
The cas.properties contains this line:
cas.serviceRegistry.json.location:      classpath:/services

This should refer to /etc/cas/services, which is the location my services are stored in.
Also the build.gradle file contains the corresponding dependency
compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"


Matthew Uribe

Jun 7, 2019, 3:39:19 AM
to CAS Community
In my experience that is not the same as /etc/cas/services. I would recommend you change that to /etc/cas/services explicitly and restart.

Fabian Schipp

Jun 7, 2019, 3:59:15 AM
to CAS Community
I thought about using this tool too, but my dev-environment is not accessible from the internet. So it sadly is of no use for me.


On Thursday, 6 June 2019 20:19:53 UTC+2, David Curry wrote:
If you don't feel like (or can't) setting up a web server as an SP, you can also use this:


Click on Instructions > SP Initiated SSO to begin.


Fabian Schipp

Jun 7, 2019, 5:10:53 AM
to CAS Community
I tried both now, but there seems to be no difference.
I have noticed, however, that whatever I put into <cas-war-repo>/etc/cas/services or /etc/cas/services, the output always states 2 services being loaded from the JSON registry, even if I delete all services from those folders, clean build and run.
2019-06-07 11:01:43,051 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [2] service(s) from [JsonServiceRegistry].>

I would like to see what services these are, and tried to enable the registeredServices actuator using these properties (https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#actuator-management-endpoints):
management.endpoints.enabled-by-default: true
management.endpoints.web.base-path:     /actuator
management.endpoints.web.exposure.include:      info,health,status,configurationMetadata,registeredServices

But the actuator is not available after booting on <cas-url>/cas/actuator/registeredServices

Ray Bon

Jun 7, 2019, 11:54:30 AM
to cas-...@apereo.org
Fabian,

I suggest you turn up logging to at least debug until you are ready to move to production. If I remember correctly, the service location is logged on start up.

Previous advice still stands but add this:

<!-- INFO Loaded [#] service(s) from [???ServiceRegistryDAO]
     DEBUG Adding registered service [service URL] -->
<AsyncLogger name="org.apereo.cas.services.AbstractServicesManager" level="debug" />

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.