Responding a little to my own question. I don’t have it fully figured out yet but I did find a significant issue. I had left my service file for the old Google Apps SAML integration method in my services directory and I think this was intercepting things. I’m not getting the same error as before but when I authenticated I got back a page from Google indicating that no such account existed. I’m going to try again and see what I can find, perhaps see if I can turn off the debugging.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8326668d-8a37-41cc-9d7a-aef2aaf987bcn%40apereo.org.
Yep. The certificate was the issue. I do have it working now but I have two questions regarding warnings I am seeing.
I get the following warning:
WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] - <Relay state exceeds 80 bytes: https://www.google.com/a/example.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1>
Is this normal and a result of the way G Suite does SAML? Or is there something I can configure to make CAS happy and not feel the need to warn me?
Also, I get this warning upon signing out of G Suite:
WARN [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceLogoutUrlBuilder] - <Cannot find SLO service in metadata for entity id [google.com/a/example.com]>
I read somewhere online that Google does not provide Single Log Out (SLO). Is there a way to disable SLO for a service so I don't get this warning? I want to keep SLO enabled in general.
Thanks!
Instructions for Others
In case someone else is trying to figure this out, here is what I think constitutes all the steps that I took to get this working. You should replace all instances of example.com and cas-server-url with what is appropriate for the system being configured.
1. Add the following dependency in the WAR overlay build.gradle file.
implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
2. Add the following line to cas.properties.
cas.authn.saml-idp.entity-id=https://cas-server-url/cas/idp
3. Create a service definition file in /etc/cas/services.
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/example.com",
  "name" : "G Suite",
  "id" : 10000002,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "mail" ] ]
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "/etc/cas/saml/sp-metadata.xml",
  "metadataSignatureLocation" : "/etc/cas/saml/idp-signing.crt"
}
4. Create a directory /etc/cas/saml.
5. Generate certificates.
openssl genrsa -out /etc/cas/saml/idp-encryption.key 2048
openssl req -new -x509 -key /etc/cas/saml/idp-encryption.key -out /etc/cas/saml/idp-encryption.crt -days 3650
openssl genrsa -out /etc/cas/saml/idp-signing.key 2048
openssl req -new -x509 -key /etc/cas/saml/idp-signing.key -out /etc/cas/saml/idp-signing.crt -days 3650
6. Create idp-metadata.xml in /etc/cas/saml with the following contents.
Note: REPLACE_WITH_..._CERTIFICATE should be replaced with everything between the “-----BEGIN CERTIFICATE-----“ and “-----END CERTIFICATE-----“ in the corresponding .crt file.
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://cas-server-url/cas/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SLO"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas-server-url/cas/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://cas-server-url/cas/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://cas-server-url/cas/idp/profile/SAML2/SOAP/ECP"/>
  </IDPSSODescriptor>
</EntityDescriptor>
7. Create sp-metadata.xml in /etc/cas/saml with the following contents.
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S" entityID="google.com/a/example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>REPLACE_WITH_SIGNING_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>REPLACE_WITH_ENCRYPTION_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/example.com/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
8. In the G Suite Admin Console "Set up single sign-on (SSO) with a third party IdP" section:
a. Checked the box for "Set up SSO with third-party identity provider"
b. Entered "https://cas-server-url/cas/idp/profile/SAML2/Redirect/SSO" for "Sign-in page URL"
c. Entered "https://cas-server-url/cas/logout" for "Sign-out page URL"
d. Checked "Use a domain specific identifier"
e. Uploaded the idp-signing.crt certificate.
Hopefully I didn’t leave anything out and this will help out the next person.
Doug
A warning to others on what I wrote as instructions. I accidentally left in validUntil="2020-09-25T20:17:03Z" in the sp-metadata.xml file. You would want to remove this or otherwise things won’t work.
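Two of the steps above are easy to get wrong by hand: pasting the certificate body from the .crt files into the metadata (step 6), and leaving a stale validUntil in sp-metadata.xml (the follow-up warning). The script below is an added example, not code from the CAS project or from the poster; it uses only the Python standard library. It extracts the base64 body from a PEM certificate and checks it really decodes to DER before embedding it, builds the IdP metadata skeleton from step 6 with both certificates filled in, and inspects an SP metadata file for an expired validUntil and for the missing SingleLogoutService that produces the SLO warning quoted earlier. The function names, the cas-server-url entity ID and the sample certificate payload are assumptions made for the example; the sample certificate is a constructed stand-in, not a real certificate.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_body(pem_text: str) -> str:
    """Return the base64 between the BEGIN/END CERTIFICATE lines (what step 6 asks
    you to paste), after checking that it decodes to a DER SEQUENCE (tag 0x30).
    Passing the .key file by mistake raises instead of producing broken metadata."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found (did you pass the .key file?)")
    body = "".join(m.group(1).split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("payload is not DER; this is not a certificate")
    return body


def key_descriptor(use: str, cert_b64: str) -> ET.Element:
    """<md:KeyDescriptor use=...><ds:KeyInfo><ds:X509Data><ds:X509Certificate>."""
    kd = ET.Element(f"{{{MD_NS}}}KeyDescriptor", use=use)
    ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
    xd = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
    ET.SubElement(xd, f"{{{DS_NS}}}X509Certificate").text = cert_b64
    return kd


def build_idp_metadata(entity_id: str, signing_pem: str, encryption_pem: str) -> str:
    """Emit the IDPSSODescriptor from step 6 with the two certificates embedded.
    Endpoint paths follow the CAS SAML IdP layout used in the thread (hypothetical
    host); the Shibboleth NameIDFormat/ECP entries are left out for brevity."""
    base = f"{entity_id}/profile/SAML2"
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    idp = ET.SubElement(ed, f"{{{MD_NS}}}IDPSSODescriptor",
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    idp.append(key_descriptor("signing", pem_body(signing_pem)))
    idp.append(key_descriptor("encryption", pem_body(encryption_pem)))
    # Schema order: SingleLogoutService elements come before SingleSignOnService.
    for tag, binding, path in (
        ("SingleLogoutService", "HTTP-POST", "POST/SLO"),
        ("SingleLogoutService", "HTTP-Redirect", "Redirect/SLO"),
        ("SingleSignOnService", "HTTP-POST", "POST/SSO"),
        ("SingleSignOnService", "HTTP-Redirect", "Redirect/SSO"),
    ):
        ET.SubElement(idp, f"{{{MD_NS}}}{tag}",
                      Binding=f"urn:oasis:names:tc:SAML:2.0:bindings:{binding}",
                      Location=f"{base}/{path}")
    return ET.tostring(ed, encoding="unicode")


def parse_saml_time(value: str) -> datetime:
    """SAML metadata timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_sp_metadata(xml_text: str, now: Optional[datetime] = None) -> dict:
    """Flag the two things the thread ran into: a validUntil in the past (the
    metadata is rejected) and no SingleLogoutService (the SLO warning)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor; is this really SP metadata?")
    valid_until = root.get("validUntil")
    return {
        "entity_id": root.get("entityID"),
        "expired": bool(valid_until) and parse_saml_time(valid_until) <= now,
        "has_slo": sp.find(f"{{{MD_NS}}}SingleLogoutService") is not None,
        "acs": [a.get("Location") for a in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")],
    }


# Constructed stand-in for a .crt file: the payload is a 5-byte DER SEQUENCE, not a
# real certificate; enough to exercise pem_body(). Use the real idp-*.crt files.
FAKE_CRT = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"\x30\x03\x02\x01\x01").decode() + "\n"
            "-----END CERTIFICATE-----\n")

# Constructed SP metadata in the shape of step 7, keeping the stale validUntil.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2020-09-25T20:17:03Z" cacheDuration="PT604800S" entityID="google.com/a/example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(build_idp_metadata("https://cas-server-url/cas/idp", FAKE_CRT, FAKE_CRT))
    print(check_sp_metadata(SAMPLE_SP_METADATA))
```

Run it against the real files by reading /etc/cas/saml/idp-signing.crt and idp-encryption.crt into `build_idp_metadata` and feeding sp-metadata.xml to `check_sp_metadata`; an `expired` of True is exactly the condition the follow-up post warns about, and `has_slo` False explains the "Cannot find SLO service in metadata" line, since Google publishes no logout endpoint for CAS to call.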