CAS OKTA integration


Антон Шихмат

Oct 2, 2017, 3:19:48 AM
to CAS Community
Hello everyone,

I'm trying to integrate CAS SAML 2 delegated auth with OKTA using this tutorial: https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/
The CAS properties file should contain these values: keystore path (that contains the OKTA signing certificate), keystore password and private key password.
OKTA provides the signing certificate, so I can create a keystore using it. But OKTA does not provide the private key for this certificate (or at least I cannot find it). I cannot leave this value empty, because I will receive an exception during CAS startup.
Can anyone help me: how can I configure the OKTA integration without a private key, or where can I find it?

Thanks

Антон Шихмат

Oct 3, 2017, 12:32:39 PM
to CAS Community
Response from Misagh Moayyed:

"The private key is auto-generated when path is defined. You don't need to get one from Okta. That's not how #SAML works. The signing certificate from Okta is in their metadata file. The keystore contains your private/public keys as a SAML SP."

sarika deshmukh

Jul 27, 2018, 5:51:17 AM
to CAS Community, truf...@gmail.com
We are working on CAS with OKTA integration, but we are facing issues with the integration.
We have referred to this link for the integration: https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/

We followed below steps:

1. Deployed the CAS overlay template
2. Configured the Okta account for SAML
3. Configured the CAS properties for the Okta integration

But still we were unable to connect the CAS application with OKTA, and we are facing the issue below in the CAS logs:
 '<No delegated authentication providers could be determined based on the provided configuration. Either no clients are configured, or the current access strategy rules prohibit CAS from using authentication providers for this request.>'
 
Your help is appreciated in advance.

Thanks,
Sarika D. 

Ganesh and Sashi Prasad

Jul 27, 2018, 10:23:00 AM
to cas-...@apereo.org, truf...@gmail.com
I have recently integrated my CAS 5.2.5 server with a client organisation's Okta Identity provider. I will share with you the relevant section of my cas.properties file, with some parts redacted for client confidentiality reasons:

cas.authn.pac4j.saml[0].keystorePassword=my-saml2-password
cas.authn.pac4j.saml[0].privateKeyPassword=my-saml2-password
cas.authn.pac4j.saml[0].keystorePath=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata-myclient.xml
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:federation:myapp
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=36000
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://myclient-okta.com/app/qjk1vvhgin9u0xTR40i7/sso/saml/metadata
cas.authn.pac4j.saml[0].clientName=My-Client-Name
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].wantsAssertionsSigned=true
# Specifies the AttributeConsumingServiceIndex attribute (positive values to enable)
cas.authn.pac4j.saml[0].attributeConsumingServiceIndex=1

You could also use:
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

The value of identityProviderMetadataPath should be such that you can paste it in your browser and receive an XML document describing the service.

Hope this helps.

Regards,
Ganesh





--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e5857f3d-b28d-4cd3-bfcc-d33fb8aa980a%40apereo.org.
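The two things the thread keeps circling back to are what the IdP metadata URL must return and what the keystore is for. As an added check (example code written for this page, not part of CAS, pac4j or Ganesh's configuration), the script below parses an IdP metadata document in the shape Okta serves, pulls out the signing certificate fingerprint and the SSO/SLO endpoints, and compares them with the `destinationBinding` you intend to set. The sample metadata is constructed: the entityID, hostname and app id are invented (the hostname follows the redacted `myclient-okta.com` above), and the certificate body is a base64 placeholder rather than a real X.509 certificate.

```python
"""Sanity-check SAML IdP metadata before pointing cas.authn.pac4j.saml[0].identityProviderMetadataPath at it."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape Okta serves at .../sso/saml/metadata. entityID, host and
# app id are made up; the X509Certificate body is a base64 placeholder, not a real certificate
# (only its fingerprint is computed below, it is never parsed as X.509).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC0DCCAbigAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtleGFtcGxlLW9rdGEuY29t
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myclient-okta.com/app/example/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://myclient-okta.com/app/example/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the pieces of IdP metadata that the CAS/pac4j SAML client relies on."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML (an HTML login or error page?): {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            signing_certs.append(hashlib.sha256(der).hexdigest())

    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": signing_certs,
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
    }


def check_against_cas_config(meta, destination_binding):
    """List mismatches between the IdP metadata and the cas.authn.pac4j.saml[0].* settings."""
    problems = []
    if not meta["signing_cert_sha256"]:
        problems.append("IdP metadata carries no signing certificate; signed responses cannot be verified")
    if destination_binding not in meta["sso"]:
        problems.append(f"IdP offers no SingleSignOnService for destinationBinding {destination_binding}")
    if not meta["slo"]:
        problems.append("IdP publishes no SingleLogoutService; a CAS logout cannot be propagated to the IdP")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", meta["entity_id"])
    for fp in meta["signing_cert_sha256"]:
        print("signing cert sha256:", fp)
    for binding, location in meta["sso"].items():
        print("SSO", binding.rsplit(":", 1)[-1], "->", location)
    for problem in check_against_cas_config(meta, HTTP_REDIRECT):
        print("WARNING:", problem)
```

To use it against a real tenant, fetch the exact URL you put in `identityProviderMetadataPath` and pass the response body to `parse_idp_metadata`; a `ValueError` about non-XML means you are getting a login or error page rather than metadata. The keystore in the configuration above is the SP side of the exchange: after the first start, `keytool -list -keystore /etc/cas/config/samlKeystore.jks` shows the key pair CAS generated for itself, which is what the reply earlier in the thread means by "the private key is auto-generated".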

Ganesh and Sashi Prasad

Jul 27, 2018, 10:32:18 AM
to cas-...@apereo.org
Do you have these dependencies defined in your Maven pom.xml file?

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-saml</artifactId>
    <version>${cas.version}</version>
</dependency>



sarika deshmukh

Jul 30, 2018, 2:43:15 AM
to CAS Community, truf...@gmail.com
From where did you get this sp-metadata-myclient.xml file for cas.authn.pac4j.saml[0].serviceProviderMetadataPath property?

Ganesh and Sashi Prasad

Jul 30, 2018, 3:33:10 AM
to cas-...@apereo.org
> From where did you get this sp-metadata-myclient.xml file

You just provide a name. The file itself gets automatically generated after a restart if it doesn't already exist.

Ganesh


Ganesh and Sashi Prasad

Jul 30, 2018, 3:36:37 AM
to cas-...@apereo.org
Make sure that the /etc/cas/config directory is writeable.



sarika deshmukh

Jul 30, 2018, 7:34:42 AM
to CAS Community, truf...@gmail.com
Thanks. It works as expected...really appreciate your help.



sarika deshmukh

Aug 13, 2018, 2:27:35 AM
to CAS Community, truf...@gmail.com
Hello everyone,

I am working on OKTA Logout and facing some issues while implementing it.

I have added signout parameters in OKTA account as below:

SP issuer: urn:herb:saml:pac4j.org

and also got Signature Certificate from OKTA and added it.
But still, the OKTA account is not properly logged out from the application.


Do we need to add the service registry for Logout so that CAS will be able to connect with OKTA for logout?
Is there anything missing from my side?

Thanks,
Sarika D.


Ganesh and Sashi Prasad

Aug 13, 2018, 3:28:08 AM
to cas-...@apereo.org
Have you got these entries in your properties file?

cas.logout.followServiceRedirects=true
cas.logout.redirectParameter=service
# cas.logout.confirmLogout=false
# cas.logout.removeDescendantTickets=false

The first two are particularly important.

I'm assuming that your application has a logout button that is linked to the CAS logout page. These settings above will cascade the logout to Okta and therefore to all other applications depending on Okta as the Identity Provider (IdP).

Regards,
Ganesh



sarika deshmukh

Aug 13, 2018, 8:26:49 AM
to CAS Community, truf...@gmail.com
Hi Ganesh,

I have added those properties in cas.properties, but no luck.

What exactly does "service" stand for in this property below?
cas.logout.redirectParameter=service

Is there anything still missing?



Ganesh and Sashi Prasad

Aug 13, 2018, 10:00:15 AM
to cas-...@apereo.org
When you click on a Logout link, it goes to


The name of the application from where the logout was triggered is passed as the value of the parameter "service".

If you had said

cas.logout.redirectParameter=ratatouille

then the link will go to https://cas.mydomain.com/cas/logout?ratatouille=http://www.myapp.mydomain.com

I'm not sure why it's not working. Have you looked at the logs?

Ganesh



sarika deshmukh

Sep 4, 2018, 9:04:10 AM
to CAS Community, truf...@gmail.com
Hi Ganesh,

Sorry for the late reply.
I have checked logs as well, it seems like CAS is not connecting with OKTA at the time of logout.

log details:
2018-09-04 17:29:21,173 DEBUG [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder] - <Service [AbstractRegisteredService(serviceId=^https://.*, name=HTTPS, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=10000001, description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols., expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=10000, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=NOT_SET, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=https://localhost:8443/cas/logout, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not a SAML service, or its logout url could not be determined>
2018-09-04 17:29:21,173 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - <Logout request will be sent to [https://localhost:8443/cas/logout] for service [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={})]>
2018-09-04 17:29:21,174 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout url [[https://localhost:8443/cas/logout]] for service [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={})]>
2018-09-04 17:29:21,174 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating logout request for [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={})] and ticket id [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
2018-09-04 17:29:21,401 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, service=AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, logoutUrl=https://localhost:8443/cas/logout)] created for [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={})] and ticket id [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
2018-09-04 17:29:21,401 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type registered for [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={})] is [BACK_CHANNEL]>
2018-09-04 17:29:21,402 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, service=AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, logoutUrl=https://localhost:8443/cas/logout)]>
2018-09-04 17:29:21,478 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-Zkra8FA-8YIF7kVhWkRWyAWy" Version="2.0" IssueInstant="2018-09-04T17:29:21Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12</samlp:SessionIndex></samlp:LogoutRequest>]>
2018-09-04 17:29:21,478 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://localhost:8443/vcm/j_spring_cas_security_check] to [https://localhost:8443/cas/logout]>
2018-09-04 17:29:21,485 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [HttpMessage(url=https://localhost:8443/cas/logout, message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E, responseCode=0, asynchronous=true, contentType=application/x-www-form-urlencoded)]. Sending...>
2018-09-04 17:29:21,532 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message payload [POST https://localhost:8443/cas/logout HTTP/1.1]>
2018-09-04 17:29:21,558 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were processed>


I have gone through the CAS codebase, as per my understanding, CAS is not getting some SAML metadata for a given SP for logout.
I have added "SamlRegisteredService" service registry for the same but no luck.

service registry:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" :  "urn:herb:saml:pac4j.org",
  "name" : "SAMLService",
  "id" : 10000003,
  "evaluationOrder" : 10
}

Also, I have added logoutType and logoutUrl in HTTPSandIMAPS-10000001.json registry file as below,

 "logoutType": "BACK_CHANNEL",

 
Is there anything missing?

Thanks,
Sarika D.


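The DEBUG output above is easier to read once the URL-encoded `logoutRequest` body is decoded. As an added example (written for this page; not CAS, pac4j or any poster's code), the script below pulls the `HttpMessage(...)` dump out of such log lines, decodes the SAML `LogoutRequest` inside it and reports where it went and what it identifies. The one request in the post went to `https://localhost:8443/cas/logout`, the `logoutUrl` of the default HTTPS service definition, with the placeholder NameID `@NOT_USED@` and a CAS service ticket as SessionIndex, which is the CAS-protocol back-channel message for a CAS client rather than a SAML logout to the IdP. The sample input reuses the `Prepared logout message` line from the post above plus two neighbouring lines the scanner should skip; the IdP host set (`myclient-okta.com`, taken from the redacted configuration earlier in the thread) is an assumption of the example.

```python
"""Decode the back-channel logout messages CAS logs at DEBUG and say where they went."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Matches the HttpMessage(...) dump written by DefaultSingleLogoutServiceMessageHandler.
HTTP_MESSAGE = re.compile(r"HttpMessage\(url=(?P<url>[^,]+), message=(?P<body>[^,]*), responseCode=")

# Hosts that belong to the IdP. Assumption for this example: the redacted Okta host
# from the configuration earlier in the thread.
IDP_HOSTS = {"myclient-okta.com"}

# Sample input: the "Prepared logout message" DEBUG line quoted in the post above,
# plus two unrelated lines so the scanner has something to skip.
SAMPLE_LOG = [
    "2018-09-04 17:29:21,478 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - "
    "<Preparing logout request for [https://localhost:8443/vcm/j_spring_cas_security_check] "
    "to [https://localhost:8443/cas/logout]>",
    "2018-09-04 17:29:21,485 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - "
    "<Prepared logout message to send is [HttpMessage(url=https://localhost:8443/cas/logout, "
    "message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22"
    "+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E"
    "%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E"
    "%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E, "
    "responseCode=0, asynchronous=true, contentType=application/x-www-form-urlencoded)]. Sending...>",
    "2018-09-04 17:29:21,558 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were processed>",
]


def parse_backchannel_logout(line):
    """Return the decoded logout request found in a log line, or None if the line holds none."""
    m = HTTP_MESSAGE.search(line)
    if m is None:
        return None
    url = m.group("url")
    form = urllib.parse.parse_qs(m.group("body"))  # undoes the x-www-form-urlencoded body
    root = ET.fromstring(form["logoutRequest"][0])
    return {
        "url": url,
        "host": urllib.parse.urlsplit(url).hostname,
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }


def classify(req, idp_hosts=IDP_HOSTS):
    """Explain why this message cannot be the SAML logout the IdP is waiting for."""
    findings = []
    if req["host"] not in idp_hosts:
        findings.append(f"sent to {req['url']}, not to the IdP; the message never reaches Okta")
    if req["name_id"] == "@NOT_USED@":
        findings.append("NameID is the CAS placeholder @NOT_USED@; an IdP cannot map it to a session")
    if (req["session_index"] or "").startswith("ST-"):
        findings.append("SessionIndex is a CAS service ticket: this is the CAS-protocol SLO message for a CAS client")
    return findings


def scan(lines, idp_hosts=IDP_HOSTS):
    """Decode every back-channel logout message in the log and pair it with its findings."""
    results = []
    for line in lines:
        req = parse_backchannel_logout(line)
        if req is not None:
            results.append((req, classify(req, idp_hosts)))
    return results


if __name__ == "__main__":
    for req, findings in scan(SAMPLE_LOG):
        print(f"{req['id']} -> {req['url']} (NameID={req['name_id']}, SessionIndex={req['session_index']})")
        for finding in findings:
            print("  -", finding)
```

Feed it the CAS log with `org.apereo.cas.logout` at DEBUG; a logout that actually reaches the IdP would show up as a request whose host is in `IDP_HOSTS`, and until one does, the `cas.logout.*` settings are not the place to keep looking.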

sarika deshmukh

Sep 14, 2018, 1:24:44 AM
to CAS Community, truf...@gmail.com
Hi,

Is there any update on this issue?

Thanks in advance.

Filip Majernik

Dec 19, 2019, 11:28:02 AM
to CAS Community, truf...@gmail.com, deshmu...@gmail.com
Hi Sarika,
I am facing the same issue. The SAML logout request to Okta does not work. After debugging I have found out that in pac4j's implementation in SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the context, hence no sessionIndex as nameId is added to the request. This UserProfile should be created and kept in session after the user has successfully authenticated in the IdP, but it isn't. Looking at the Pac4J documentation I assume, that there is no CallbackFilter in CAS initialized which would store the UserProfile in the session, but I cannot confirm this.

Does anybody know how to make this work?

Thanks,
Filip

Jérôme LELEU

Dec 20, 2019, 2:34:55 AM
to cas-...@apereo.org, truf...@gmail.com, deshmu...@gmail.com
Hi,

Which version of CAS (and pac4j) do you use? Do you have one or more CAS servers?
Thanks.
Best regards,
Jérôme


Filip Majernik

Dec 20, 2019, 3:49:58 AM
to CAS Community, truf...@gmail.com, deshmu...@gmail.com
I am using CAS 5.1.1 which comes with pac4j 2.0.0



Jérôme LELEU

Dec 22, 2019, 6:31:31 AM
to cas-...@apereo.org, truf...@gmail.com, deshmu...@gmail.com
Hi,

If you use the SAML authentication delegation to Okta, there is a SAML2ClientLogoutAction component which should retrieve the user profile and send a logout request to Okta when you trigger a CAS logout (https://github.com/apereo/cas/blob/5.1.x/support/cas-server-support-pac4j-core-clients/src/main/java/org/apereo/cas/support/pac4j/web/flow/SAML2ClientLogoutAction.java).
This may not work for a cluster. Turn on DEBUG logs on this component to see what happens.
Thanks.
Best regards,
Jérôme

