No registered service found/Freshworks SAML2/ CAS 5.3

[Keith Alston (Staff)]

Any ideas on what might be going on here?

I get the "Application Not Authorized to Use CAS" page when redirected to CAS.

2021-04-12 14:21:32,474 WARN [org.apereo.cas.services.web.RegisteredServiceThemeResolver] - <No registered service is found to match [AbstractWebApplicationService(id=https://regent-team.myfreshworks.com/sp/SAML/269126576089314274/callback, originalUrl=https://regent-team.myfreshworks.com/sp/SAML/26912657608931/callback, artifactId=null, principal=null, source=AssertionConsumerServiceURL, loggedOutAlready=true, format=XML, attributes={})] or access is denied. Using default theme [cas-theme-default]>

here's my service file:

{

  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",

  "serviceId" : "^(https|http)://regent-team.myfresh*",

  "name" : "freshregistrar",

  "id" : 1608070210,

  "metadataLocation" : "https://regent-team.myfreshworks.com/sp/SAML/26912657608931/metadata",

  "evaluationOrder" : 17,

  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

",

  "attributeReleasePolicy" : {

    @class : org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy

    allowedAttributes :  [ "java.util.ArrayList", [ "firstname","lastname","email","nameid","phone","mobile","title" ]]

  },

}

Keith Alston

Regent University

IT Department

kei...@regent.edu

757.619.3421

[Richard Frovarp]

Don't do a regex for the serviceId for SAML2. Do the entityId instead.

[Richard Frovarp]

Or rather

serviceId : <entityId> 

instead of the regex you have there.

[Trenton Adams]

I’m pretty sure the serviced is supposed to be a regular expression, no?.  * after an ‘h’ means repeat the ‘h’.  Put ‘.*’ and you’ll repeat anything, but that wouldn’t be what you want either, as that would allow any domain with a DNS prefix of ‘regent-team.myfresh’, to authenticate against your CAS instance.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB29952DEBE257C8F1901C6B25D9709%40BL0PR10MB2995.namprd10.prod.outlook.com.

--

This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed.

---

[Gadde Sainadh]

Try using /* 

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/A96F1C24-41F0-47CF-A721-5B6E817C76DC%40athabascau.ca.

[Trenton Adams]

Oops, I had meant to paste this.  This should allow anything with domain.com and prefix regent-team.myfresh to authenticate against your CAS server.

^(https|http):\/\/regent-team\.myfresh.*domain\.com(:[0-9]{1,5})?\/.*$"

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/A96F1C24-41F0-47CF-A721-5B6E817C76DC%40athabascau.ca.

[Keith Alston (Staff)]

replaced the serviceid with the entityid from the sp metadata

which is:

https://regent-team.myfreshworks.com/sp/SAML/26912657608931/metadata

yes, this is the entityid in the sp metadata!

now I'm getting this:

2021-04-12 16:27:27,481 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck]

 - <Service Management: missing service. Service [https://regent-team.myfreshwor

ks.com/sp/SAML/26912657608931/callback] is not found in service registry.>

2021-04-12 16:27:27,481 DEBUG [org.springframework.webflow.engine.impl.FlowExecu

tionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionE

xecutionException: Exception thrown executing org.apereo.cas.web.flow.ServiceAut

horizationCheck@2262e7de in state 'serviceAuthorizationCheck' of flow 'login' --

 action execution attributes were 'map[[empty]]'] with root cause [org.apereo.ca

s.services.UnauthorizedServiceException: Service Management: missing service. Se

rvice [https://regent-team.myfreshworks.com/sp/SAML/26912657608931/callback]

 is not found in service registry.]>

2021-04-12 16:27:27,481 DEBUG [org.springframework.webflow.engine.support.Transi

tionExecutingFlowExecutionExceptionHandler] - <Handling flow execution exception

 org.springframework.webflow.execution.ActionExecutionException: Exception throw

n executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@2262e7de in state

'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were

'map[[empty]]'>

Keith Alston

Regent University

IT Department

kei...@regent.edu

757.352.4081

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Trenton Adams <tre...@athabascau.ca>
Sent: Monday, April 12, 2021 2:56 PM
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [External] Re: [cas-user] No registered service found/Freshworks SAML2/ CAS 5.3

 

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7A6B6B44-384B-485D-8ABD-B1FCA9BED183%40athabascau.ca.

[Ray Bon]

Keith,

What is the value of the Issuer in the authentication request?

It should be the same as the entityId in the metadata.

Ray

On Mon, 2021-04-12 at 20:41 +0000, Keith Alston (Staff) wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

[Mike Osterman]

I'm also a little surprised that the metadata url above is throwing an exception. My understanding is that if your SP metadata is based on a URL, it has to return metadata XML. I suppose there could be some form of ACLs at the SP level that is causing me to get an error when trying to access https://regent-team.myfreshworks.com/sp/SAML/26912657608931/metadata, but that seems worth looking at as well. 

-Mike

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4a8f6cf1fd9b9c08558c4360518f35e25abf90f5.camel%40uvic.ca.

[Trenton Adams]

It matches this…

https://regex101.com/r/evGIgs/1

 

You also need to make sure the ‘id’ of each service definition don’t conflict.

 

Also, according to the docs, . has to be doubling escaped, so perhaps ‘\\.’ Rather than ‘\.’ ??

 

https://apereo.github.io/cas/5.3.x/installation/JSON-Service-Management.html

Escaping Characters

Please make sure all field values in the JSON blob are correctly escaped, specially for the service id. If the service is defined as a regular expression, certain regex constructs such as "." and "\d" need to be doubly escaped.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/BL0PR10MB299574EB33769F3D3240FDFBD9709%40BL0PR10MB2995.namprd10.prod.outlook.com.

[Keith Alston (Staff)]

Good question. Oddly I never see a SAML2 request in the audit log.

Could be that the sp is not doing SAML2.0. Would that make sense??

Keith Alston

Regent University

IT Department

kei...@regent.edu

757.619.3421

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Ray Bon <rb...@uvic.ca>
Sent: Tuesday, April 13, 2021 11:31 AM

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4a8f6cf1fd9b9c08558c4360518f35e25abf90f5.camel%40uvic.ca.