How to register a service in CAS while using SAM2.0 protocol

[Pameliya Mukherjee]

While I am hitting an endpoint like : "https://localhost:8443/cas/login?service=https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO&entityId=https://cas.org.example/cas/idp"

I am getting error like: 

2019-02-22 12:31:13,015 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] -<Service Management: missing service. Service [https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO] is not found in service registry.>

2019-02-22 12:31:13,017 WARN [org.apereo.cas.services.web.RegisteredServiceThemeResolver] - <No registered service is found to match [AbstractWebApplicationService(id=https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO, originalUrl=https://cas.example.org/cas/idp/profile/SAML2/Redirect/SSO, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] or access is denied. Using default theme [cas-theme-default]>

Please Help. I am new to this.

[Charafeddine Youssef]

Hi,

Because you have not defined which service management you will use to store services. 

I do not know the version you are using but you can refer to this: https://apereo.github.io/cas/5.3.x/installation/Service-Management.html#service-management

Charaf

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/886fb227-7f84-46c3-a229-911fb749faaa%40apereo.org.

[Pameliya Mukherjee]

I am using CAS 5.3.8.

I have created the service like below and kept the file in etc\cas\services:

{

   "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^https://.+",

  "name" :      "SAML Authentication Request",

  "id" : 20190219131300,

  "accessStrategy" : {

    "@class" : "org.apereo.cas.services.RemoteEndpointServiceAccessStrategy",

    "endpointUrl" : "https://cas.example.org/idp/profile/SAML2/Redirect/SSO",

    "acceptableResponseCodes" : "200,202"

  }

}

  

CAS properties like:

cas.authn.samlIdp.entityId=https://cas.example.org/cas/idp

cas.authn.samlIdp.scope=example.org

[Charafeddine Youssef]

I do not see where you specify the service registry location in cas.properties:

https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#json-service-registry

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/765da512-fd68-4fcd-8df5-b95e98154bd8%40apereo.org.

[Matthew Uribe]

I don't think you can use regex in the service id for SAML services. You have to specify the service name exactly.

[David Curry]

For SAML2 to work, you need a single entry like this in your service registry:

{

  "@class" :            "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" :         "https://cas.example.org/cas/idp/profile/SAML2/Callback.+",

  "name" :              "SAML Authentication Request",

  "id" :                12345678,

  "evaluationOrder" :   123

}

You do not need to have a registry entry for any other "/SAML2" path.

And then of course you need the service registry entry for the service itself:

{

    "@class" :                "org.apereo.cas.support.saml.services.SamlRegisteredService",

    "serviceId" :             "http://www.workday.com/tenant",

    "name" :                  "Workday",

    "id" :                    23456789,

    "description" :           "Workday",

    "metadataLocation" :      "/etc/cas/saml/sp-metadata/workday.xml",

    "attributeReleasePolicy" : {

        "@class" :            "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",

        "allowedAttributes" : [

            "uid"

        ],

    },

    "evaluationOrder" :       234

}

Or something like that.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bdxy9dTq7r-cJh-vAQXgDh%2BYXPbqpcZjYDCXbNbDQ80kVo5-w%40mail.gmail.com.

[Misagh Moayyed]

Just to clarify: service identifiers can be a regex.