SAML Service not authorized


Jorge Rodríguez

Feb 17, 2022, 7:38:23 AM
to CAS Community
Hi people,

I'm receiving a Service unauthorized error for one SAML service, and I think it's well defined. Let's see if you can help me, please.

The service description is:
mfasaml-2.json

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719
  name: mfasaml
  responseType: POST
  id: 2
  expirationPolicy: null
  proxyTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 1
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
    usernameAttribute: sAMAccountName
  }
  environments: null
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
  }
  metadataLocation: /etc/cas/saml/mfa-metadata.xml
  metadataSignatureLocation: /etc/cas/saml/idp-signing.crt
  signingCredentialType: BASIC
}
---------------------------
And the metadata for the SP:
mfa-metadata.xml

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>xxxxxxx9A==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adsspwh.ingeniademolab.es:9251/samlLogout/7d17410fa6be183ec56c58bd1b51d3da6ff65719"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Are you able to see where the error is?

Thanks!
Jorge

Ray Bon

Feb 18, 2022, 12:53:06 AM
to cas-...@apereo.org
Jorge,

That error means the requestor does not match the service.
What is being sent to cas in the saml request?

Ray

On Thu, 2022-02-17 at 04:28 -0800, Jorge Rodríguez wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Jorge Rodríguez

Feb 18, 2022, 3:47:59 AM
to cas-...@apereo.org
Hi Ray, I have defined another service provider and I have the same problem with it, but let me focus on the first one.

This is the log generated when connecting the SP to the CAS via SAML:

2022-02-18 09:17:00,781 DEBUG [org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor] - <Decoded SAML object [{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest] from http request>
2022-02-18 09:17:00,789 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located issuer [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] from authentication request>
2022-02-18 09:17:00,810 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Checking service access in CAS service registry for [AbstractWebApplicationService(id=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719, originalUrl=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={entityId=[https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719], SAMLRequest=[...], RelayState=[aHR0cHM6Ly9hZHNzcHdoLmluZ2VuaWFkZW1vbGFiLmVzOjkyNTEvc2FtbExvZ2luL0xPR0lOX0FVVEg=]})]>
2022-02-18 09:17:00,818 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-18 09:17:00,819 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,828 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loading metadata resolver from the cache using [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,830 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataResolverCacheLoader] - <There are [6] metadata resolver(s) available in the chain>
2022-02-18 09:17:00,833 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver] - <Loading SAML metadata from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,835 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <No metadata maximum validity criteria is defined for [/etc/cas/saml/mfa-metadata.xml], so RequiredValidUntilFilter will not be invoked>
2022-02-18 09:17:00,837 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Building SAML2 signature validation filter based on [/etc/cas/saml/mfa-signing.crt]>
2022-02-18 09:17:00,842 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Attempting to resolve credentials from [file [/etc/cas/saml/mfa-signing.crt]]>
2022-02-18 09:17:00,850 INFO [org.apereo.cas.support.saml.SamlUtils] - <Successfully resolved credentials from [file [/etc/cas/saml/mfa-signing.crt]]>
2022-02-18 09:17:00,851 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Configuring credential resolver for key signature trust engine @ [X509Credential]>
2022-02-18 09:17:00,859 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Adding signature validation filter based on the configured trust engine>
2022-02-18 09:17:00,869 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Added metadata SignatureValidationFilter with signature from [file [/etc/cas/saml/mfa-signing.crt]]>
2022-02-18 09:17:00,870 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Added metadata SignatureValidationFilter for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,872 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Added entity role filter [{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor]>
2022-02-18 09:17:00,875 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Added entity role filter with roles [[{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor]]>
2022-02-18 09:17:00,877 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Metadata filter chain initialized with [2] filters>
2022-02-18 09:17:00,877 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Initializing metadata resolver from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,907 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Initialized metadata resolver from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,912 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataResolverCacheLoader] - <Metadata resolvers active for this request are [[org.apereo.cas.support.saml.InMemoryResourceMetadataResolver@71935899]]>
2022-02-18 09:17:00,918 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataExpirationPolicy] - <Located cache duration [PT168H] specified in SP metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,920 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,921 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [/etc/cas/saml/mfa-metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,923 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]. Metadata is valid until [forever]>
2022-02-18 09:17:00,925 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located SAML service in the registry as [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] with the metadata location of [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,926 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Fetching saml metadata adaptor for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,926 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-18 09:17:00,928 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,929 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loading metadata resolver from the cache using [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,934 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,935 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [/etc/cas/saml/mfa-metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,939 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]. Metadata is valid until [forever]>
2022-02-18 09:17:00,940 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located issuer [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] from authentication context>
2022-02-18 09:17:00,941 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Checking service access in CAS service registry for [AbstractWebApplicationService(id=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719, originalUrl=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={entityId=[https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719], SAMLRequest=[tVRNj9owEL33V0S+k8QhJMECVhS6KhLbRcD20Evl2BOw5Nip7bC7/74OH1tatVSq1FMkz5t5897MZHT3UsvgAMYKrcYIhzEKQDHNhdqN0dP2vlegu8m7kaW1TBoybd1ereFbC9YFU2vBOJ8308q2NZgNmINg8LRejtHeucaSKKLc2uZ5H/p6oATlUGtJyxAsGSYDHHV1l3onVJRznKc4rmhWAi76wAYZGxQlx+UA8z6nWVVlgxwPUTD35EJRd+z4wsOoDc/FPZvUjEpSpGm/C0SCN1FjdCUkRJvpwzKJ1sCFAeaizeYRBYv5GH3N+zxj8QAneRYD62c0zVkKMeVlmfXztPAwa1tYKOuocmOUxEnSi5MeLrZxQXBGkjRMh8MvKFgZ7TTT8r1QJx9bo4imVliiaO2lO0a6NkgSxqQ8gSz5uN2ueqvHzfZY4CA4mE8ePUYPVNEdfFDeJQim8w3I6ux0sJKtRcHny/iSbnx+oMqS08BuUzfnPtHkNF9yFGiCe21q6m7ndi+C96ojlIBywr3+xH07nV52B03+26aMomtVk8sOd6Yu5istBXsNplLq55kB6rzRzrSA/qoeh/gX9a2yDTBRCeAoeuM5nwnw49H4G3Hw4oKZrhtqhO3GBS+UuTfzr2Ez6Q1aQ/VPht6EMcK62v555T/P2vBuW/0lAN8a6oVo4y7G/a6jyTn4B30/wte/isl3], RelayState=[aHR0cHM6Ly9hZHNzcHdoLmluZ2VuaWFkZW1vbGFiLmVzOjkyNTEvc2FtbExvZ2luL0xPR0lOX0FVVEg=]})]>
2022-02-18 09:17:00,942 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-18 09:17:00,943 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,944 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loading metadata resolver from the cache using [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,945 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,946 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [/etc/cas/saml/mfa-metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,946 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]. Metadata is valid until [forever]>
2022-02-18 09:17:00,947 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located SAML service in the registry as [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] with the metadata location of [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,948 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Located SAML metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,948 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loading metadata resolver from the cache using [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [/etc/cas/saml/mfa-metadata.xml]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [/etc/cas/saml/mfa-metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Located SP SSODescriptor in metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]. Metadata is valid until [forever]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Determined authentication request binding is [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], issued by [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,949 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Checking metadata for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] to see if binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] is supported>
2022-02-18 09:17:00,956 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] is supported by [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,956 DEBUG [org.apereo.cas.support.saml.SamlIdPUtils] - <Fetched assertion consumer service url [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] with binding [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST] from authentication request>
2022-02-18 09:17:00,958 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Determined SAML2 endpoint for authentication request as [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,959 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
2022-02-18 09:17:01,007 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml2.core.impl.AuthnRequestImpl]

[<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719" Destination="https://cas.demolabwh.local:8443/cas/idp/profile/SAML2/Redirect/SSO" ID="_73d6c0512760ec36a47c4e0adbb63748" IssueInstant="2022-02-18T08:16:24.499Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="ManageEngine ADSelfService Plus" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
]

>
2022-02-18 09:17:01,009 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
2022-02-18 09:17:01,048 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Created service url [https://cas.demolabwh.local:8443/cas/idp/profile/SAML2/Callback?entityId=https%3A%2F%2Fadsspwh.ingeniademolab.es%3A9251%2F...]>
2022-02-18 09:17:01,050 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authN request to [https://cas.demolabwh.local:8443/cas/login?service=https%3A%2F%2Fcas.demolabwh.local%3A8443%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3Dhttps%253A%252F%252Fadsspwh.ingeniademolab.es%253A9251%252FsamlLogin%252F7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:01,051 DEBUG [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authN request to [https://cas.demolabwh.local:8443/cas/login?service=https%3A%2F%2Fcas.demolabwh.local%3A8443%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3Dhttps%253A%252F%252Fadsspwh.ingeniademolab.es%253A9251%252FsamlLogin%252F7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:01,088 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {result=Service Access Denied}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Feb 18 09:17:01 CET 2022
CLIENT IP ADDRESS: 10.238.238.129
SERVER IP ADDRESS: 10.238.238.182
=============================================================


>
2022-02-18 09:17:01,091 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized>
2022-02-18 09:17:01,215 WARN [javax.persistence.spi] - <javax.persistence.spi::No valid providers found.>
2022-02-18 09:17:01,276 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/]>
2022-02-18 09:17:01,277 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for TGC cookie generator to: [/cas/]>
2022-02-18 09:17:03,774 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages_es_ES] - neither plain properties nor XML>
2022-02-18 09:17:03,777 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_es_ES] - neither plain properties nor XML>
2022-02-18 09:17:03,780 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_es_ES] - neither plain properties nor XML>
2022-02-18 09:17:03,781 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages_es] - neither plain properties nor XML>
2022-02-18 09:17:03,781 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages] - neither plain properties nor XML>
2022-02-18 09:17:03,784 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_es] - neither plain properties nor XML>
2022-02-18 09:17:03,787 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages] - neither plain properties nor XML>
2022-02-18 09:17:03,791 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Loading properties [messages_es.properties] with encoding 'UTF-8'>
2022-02-18 09:17:03,796 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Loading properties [messages.properties] with encoding 'UTF-8'>
---------------------------------------
It seems that all SAML traffic is OK, but then I receive the service unauthorized error.

Right now this is the service definition:
mfasaml-2.json:
{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719
  name: mfasaml
  id: 2
  expirationPolicy: null
  proxyTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
  }
  serviceTicketExpirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
  }
  evaluationOrder: 1
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
    usernameAttribute: sAMAccountName
  }
  environments: null
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
  }
  metadataLocation: /etc/cas/saml/mfa-metadata.xml
  metadataSignatureLocation: /etc/cas/saml/mfa-signing.crt
  signingCredentialType: BASIC
}


and this is the metadata file for the SP:
mfa-metadata.xml:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>xxxxxxxNT9A==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adsspwh.ingeniademolab.es:9251/samlLogout/7d17410fa6be183ec56c58bd1b51d3da6ff65719"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

All I see is right, but there's something I'm missing...

Regards,
Jorge


Ray Bon

Feb 18, 2022, 11:07:46 AM
to cas-...@apereo.org
Jorge,

Assuming you are east of UTC by one hour, the issue instant is 36 seconds ahead of your log entries. Not sure if this is enough drift to cause a problem. I would also expect a different error.

Make sure your IdP metadata has the Redirect/SSO endpoint. Again I would expect a different error message.

You may not need the metadata entry in the service definition. See https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#per-service

Ray
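The two things Ray asks about above (does the requestor match the registered service, and how far apart are the request's IssueInstant and the CAS log clock) can be checked offline from the artefacts Jorge posted. The script below is an added example for this thread, not CAS code and not from either poster. The AuthnRequest and SP metadata samples are constructed from the values quoted in the thread (certificate omitted), and the assumption that CAS matches `serviceId` as a start-anchored regular expression is the example's own; treat `re.match` as an approximation of the registry's matching rather than its exact semantics.

```python
"""Cross-check a SAML AuthnRequest against the SP metadata and the CAS service
definition, the way you would triage a "Service unauthorized" response.

Added example for this thread; not CAS code. Samples are constructed from the
values quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

SP_ENTITY_ID = ("https://adsspwh.ingeniademolab.es:9251/samlLogin/"
                "7d17410fa6be183ec56c58bd1b51d3da6ff65719")

# Constructed sample: the AuthnRequest CAS logged, trimmed to the parts checked here.
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="{SP_ENTITY_ID}"
    Destination="https://cas.demolabwh.local:8443/cas/idp/profile/SAML2/Redirect/SSO"
    ID="_73d6c0512760ec36a47c4e0adbb63748" IssueInstant="2022-02-18T08:16:24.499Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">{SP_ENTITY_ID}</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed sample: the SP metadata from the thread, certificate omitted.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{SP_ENTITY_ID}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The serviceId from the service definition in the thread. CAS treats it as a
# regular expression; this example ASSUMES a start-anchored match (re.match).
SERVICE_ID = SP_ENTITY_ID


def check_request(authn_xml, metadata_xml):
    """Return a list of mismatches between the AuthnRequest and the SP metadata."""
    findings = []
    req = ET.fromstring(authn_xml)
    md = ET.fromstring(metadata_xml)

    # The Issuer is what CAS uses as the entityId to look up the service.
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    entity_id = md.get("entityID")
    if issuer != entity_id:
        findings.append(f"Issuer {issuer!r} does not equal metadata entityID {entity_id!r}")

    # The ACS URL and binding in the request must be declared in the metadata,
    # otherwise the IdP has no approved endpoint to post the response to.
    acs_url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    endpoints = md.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not any(e.get("Location") == acs_url and e.get("Binding") == binding for e in endpoints):
        findings.append(f"no AssertionConsumerService with Location {acs_url!r} and Binding {binding!r}")
    return findings


def service_id_matches(service_id, requested_entity_id):
    """Does the registered serviceId pattern match the entityID CAS extracted?"""
    return re.match(service_id, requested_entity_id) is not None


def issue_instant_skew_seconds(issue_instant, log_timestamp, log_utc_offset_hours):
    """Seconds by which the CAS log line is later than the request's IssueInstant.

    IssueInstant is UTC ('Z'); the log4j timestamp is local time, so the
    caller supplies the log host's UTC offset (CET in February is +1).
    """
    issued = datetime.strptime(issue_instant, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    logged = datetime.strptime(log_timestamp, "%Y-%m-%d %H:%M:%S,%f").replace(
        tzinfo=timezone(timedelta(hours=log_utc_offset_hours)))
    return (logged - issued).total_seconds()


if __name__ == "__main__":
    print("mismatches:", check_request(AUTHN_REQUEST, SP_METADATA) or "none")
    print("serviceId matches entityID:", service_id_matches(SERVICE_ID, SP_ENTITY_ID))
    print("skew (s):", issue_instant_skew_seconds(
        "2022-02-18T08:16:24.499Z", "2022-02-18 09:17:00,781", 1))
```

On the thread's values this reports no mismatches, a matching serviceId, and a skew of about 36 seconds between the request's IssueInstant and the first log line, which is consistent with Ray's estimate; a large skew would point at clock drift rather than at the service registry.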

Jorge Rodríguez

Feb 21, 2022, 5:11:29 AM
to cas-...@apereo.org
Hi Ray,

The time is synchronized on the CAS server and the SP; they have the same time.

The Redirect/SSO endpoint is defined in the IdP metadata.

Which metadata entry do you refer to? The metadataSignatureLocation label?

Ray Bon

Feb 22, 2022, 12:12:31 PM
to cas-...@apereo.org
Jorge,

In your service definition. You only need to add metadata location to the service if you are using custom IdP metadata for that service. 

Ray

Jorge Rodríguez

Feb 24, 2022, 4:41:43 AM
to cas-...@apereo.org
Hi Ray, do you mean that I have to remove the labels metadataLocation and metadataSignatureLocation?

Ray Bon

Feb 24, 2022, 12:09:56 PM
to cas-...@apereo.org
Jorge,

Yes.
You only have to put your SP metadata in the directory cas expects. See https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#file-system for how to set this up.

Ray

Jorge Rodríguez

Feb 25, 2022, 9:06:43 AM
to cas-...@apereo.org
Hi, I have changed from version 6.4 to 6.3.7, and one of the services, with the same service definition and metadata, is working fine. I think there must be something in the 6.4 config that's not working.

On Fri, 25 Feb 2022 at 12:44, Jorge Rodríguez (<jorgem...@gmail.com>) wrote:
Ray, if I remove both labels I get the following error:

[...]
2022-02-25 12:35:56,012 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Locating metadata for entityID [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719] by attempting to run through the metadata chain...>
2022-02-25 12:35:56,012 DEBUG [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [mfasaml] at [null]>
2022-02-25 12:35:56,012 ERROR [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <NullPointerException>
2022-02-25 12:35:56,012 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <No metadata could be found for [https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-25 12:35:56,013 ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Cannot find metadata linked to https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719>
[...]

If you look at the doc at https://apereo.github.io/cas/6.4.x/services/SAML2-Service-Management.html, you can see that the metadataLocation label is present in the service definition.

Ray Bon

Feb 25, 2022, 11:14:58 AM
to cas-...@apereo.org
Jorge,

I must apologize. I was working from memory, which clearly was not working.
You are correct, metadata location is required.

It could be metadataSignatureLocation. This is for signing the metadata, not the request (in SP metadata) nor response (in IdP metadata and in directory with IdP metadata). It would be provided by the vendor of the service.

If metadataSignatureLocation is there, it is checked. Your IdP signing cert will not be correct.

Again I am sorry for leading you astray.

Ray
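Ray's point is that `metadataSignatureLocation` makes CAS verify a signature on the SP metadata document itself, so it must name the certificate the metadata was signed with, not the IdP's own signing certificate. Before debugging the trust engine it is worth confirming two cheaper things: that the metadata actually carries a `ds:Signature`, and that the certificate embedded in that signature is the one the service definition points at. The script below is an added example for this thread, not CAS or OpenSAML code; it does not verify the XML signature cryptographically (that needs an XML-DSig library), it only answers those two pre-flight questions. The entityID `https://sp.example/placeholder` and the certificate bytes are constructed placeholders.

```python
"""Pre-flight check for CAS's metadataSignatureLocation: is the SP metadata
signed at all, and does its embedded certificate match the configured one?

Added example for this thread; not CAS or OpenSAML code. It does not perform
XML-DSig verification, only the checks that decide whether verification can
succeed at all. Certificate bytes and entityID are constructed placeholders.
"""
import base64
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholders standing in for DER certificate bytes. Not real certificates.
SIGNER_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
OTHER_DER = b"CONSTRUCTED-PLACEHOLDER-SOME-OTHER-CERTIFICATE"


def der_to_pem(der):
    """Wrap DER bytes as a PEM certificate, as the .crt file on disk would look."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Strip PEM armour and whitespace, returning the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


# Constructed sample: unsigned SP metadata, as in the thread (no ds:Signature).
UNSIGNED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example/placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed sample: the same metadata with an enveloped signature whose KeyInfo
# embeds the signer certificate (SignedInfo and SignatureValue are stubs here).
SIGNED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example/placeholder">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/>
    <ds:SignatureValue>constructed</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""" % base64.b64encode(SIGNER_DER).decode()


def signature_precheck(metadata_xml, trusted_pem):
    """Return (status, explanation); status is unsigned, no-cert, cert-mismatch or ok."""
    root = ET.fromstring(metadata_xml)
    sig = root.find(DS + "Signature")
    if sig is None:
        return ("unsigned",
                "no ds:Signature on the root element; a signature validation filter has nothing to verify")
    cert_b64 = sig.findtext(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if cert_b64 is None:
        return ("no-cert",
                "signed, but KeyInfo carries no certificate; trust rests on the configured file alone")
    if base64.b64decode("".join(cert_b64.split())) != pem_to_der(trusted_pem):
        return ("cert-mismatch",
                "signed, but the embedded certificate is not the configured one")
    return ("ok", "signed with the configured certificate; run full XML-DSig verification next")


if __name__ == "__main__":
    for label, md in (("unsigned", UNSIGNED_METADATA), ("signed", SIGNED_METADATA)):
        print(label, signature_precheck(md, der_to_pem(SIGNER_DER)))
    print("wrong cert", signature_precheck(SIGNED_METADATA, der_to_pem(OTHER_DER)))
```

Run against the metadata posted in this thread it reports `unsigned`: there is no `ds:Signature` element for any configured certificate to validate, which is the first thing to settle before worrying about which `.crt` file the definition names.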

Jorge Rodríguez

Mar 1, 2022, 4:37:46 AM
to cas-...@apereo.org
Thanks Ray, it doesn't matter :D

I have downgraded CAS to version 6.3.X and now it's working. I think there is "something" in 6.4 that's preventing this from working... :S
