Integrating Elastic Cloud with Apereo CAS SAML


cheekian yap

Jul 22, 2021, 11:47:32 PM7/22/21
to CAS Community
I'm doing a POC to integrate Elastic Cloud with Apereo CAS using the SAML2 protocol.

Here is my service registry configuration:
{
 "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
 "name" : "ElasticsearchSAMLService",
 "id" : 2,
 "evaluationOrder" : 2,
 "metadataLocation" : "file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml",
 "issuerEntityId": "https://cas.sinlead.com/cas/idp"
}

I'm able to redirect from Kibana to the Apereo login page. However, after authenticating myself, I get a 500 Internal Server Error page.

Here is the application log:

2021-07-23 11:39:49,831 INFO [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml]. Filtering the chain by entity ID [https://yyy.kb.ap-northeast-1.aws.found.io:9243/]>
2021-07-23 11:39:49,834 INFO [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Resolved metadata chain from [file:/root/cas-overlay-template/saml-metadata/elasticsearch.xml]. Filtering the chain by entity ID [https://yyy.kb.ap-northeast-1.aws.found.io:9243/]>
2021-07-23 11:39:49,886 ERROR [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] - <Unable to locate any signing credentials for service [ElasticsearchSAMLService]>
2021-07-23 11:39:49,889 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: Unable to locate signing credentials
ACTION: SAML2_RESPONSE_CREATED
APPLICATION: CAS
WHEN: Fri Jul 23 11:39:49 CST 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1

I was wondering what I did wrong. I'm pretty sure the file path is correct.

Ray Bon

Jul 23, 2021, 11:42:33 AM7/23/21
to cas-...@apereo.org
Your error is about signing credentials for the IdP.

CAS should create metadata and certificates. Perhaps CAS is unable to write to the default directory, /etc/cas.

If this is just a POC, you could turn off signing. See the service config here: https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html

Ray

On Thu, 2021-07-22 at 20:47 -0700, cheekian yap wrote:

cheekian yap

Jul 27, 2021, 11:10:41 PM7/27/21
to cas-...@apereo.org
Hi Ray,

Thanks for the info. It turns out CAS cannot create certificates because I did not set the right entity ID in the IdP configuration. After fixing that, I managed to get SSO working with Elasticsearch.

However, upon logging out from Elasticsearch, I got another error message saying "Error: Logout request is not signed but should be."
Is this because of misconfiguration on SP or Idp side?

On Fri, Jul 23, 2021 at 11:42 PM, Ray Bon <rb...@uvic.ca> wrote:

Ray Bon

Jul 28, 2021, 11:31:01 AM7/28/21
to cas-...@apereo.org
Logout requests should be signed as a best practice. This should be done on the SP.
If you cannot get the SP to sign, there are IdP settings to turn it off: https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml-logout

Ray
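As an added illustration of what the IdP is complaining about (this is example code written for this page, not code from the thread, from CAS or from Elastic), the script below shows where a signature lives in a SAML 2.0 LogoutRequest for the two bindings an SP normally uses, and lints SP metadata for the pieces the SP needs before it can sign at all. Under the HTTP-POST binding a signed request carries an enveloped ds:Signature inside the XML; under HTTP-Redirect the XML is deflated into the query string and the signature is detached, travelling as the SigAlg and Signature parameters. The hosts sp.example.com and cas.example.com, the endpoint paths, and all sample messages are constructed for the example; the signature and certificate values are placeholders, so the checks test presence only, not cryptographic validity.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
LOGOUT_REQUEST_TAG = "{%s}LogoutRequest" % NS["samlp"]


def parse_logout_request(xml_bytes: bytes) -> ET.Element:
    """Parse and make sure the message really is a samlp:LogoutRequest."""
    root = ET.fromstring(xml_bytes)
    if root.tag != LOGOUT_REQUEST_TAG:
        raise ValueError("not a samlp:LogoutRequest: %s" % root.tag)
    return root


def post_logout_request_is_signed(saml_request_b64: str) -> bool:
    """HTTP-POST binding: the SAMLRequest form field is plain base64 XML and a
    signed request carries an enveloped ds:Signature as a direct child.
    Presence only; verifying the signature is the IdP's job."""
    root = parse_logout_request(base64.b64decode(saml_request_b64))
    return root.find("ds:Signature", NS) is not None


def redirect_logout_request_is_signed(url: str) -> bool:
    """HTTP-Redirect binding: SAMLRequest is raw-DEFLATE compressed, base64
    encoded and URL encoded; the signature is detached and travels as the
    SigAlg and Signature query parameters, never inside the XML."""
    q = parse_qs(urlparse(url).query)
    raw = base64.b64decode(q["SAMLRequest"][0])
    parse_logout_request(zlib.decompress(raw, -15))  # -15: raw DEFLATE, no header
    return "Signature" in q and "SigAlg" in q


def sp_signing_profile(metadata_xml: str) -> dict:
    """Lint SP metadata for what the SP needs before it can sign logout
    requests: a KeyDescriptor usable for signing and an SLO endpoint."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no md:SPSSODescriptor")
    signing_keys = [k for k in sp.findall("md:KeyDescriptor", NS)
                    if k.get("use") in (None, "signing")]  # no 'use' = both
    return {
        "entityID": root.get("entityID"),
        "AuthnRequestsSigned": sp.get("AuthnRequestsSigned") == "true",
        "has_signing_key": bool(signing_keys),
        "slo_bindings": [s.get("Binding").rsplit(":", 1)[-1]
                         for s in sp.findall("md:SingleLogoutService", NS)],
    }


# --- constructed samples for a hypothetical SP https://sp.example.com/ ---
UNSIGNED_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_lr1" Version="2.0" '
    'IssueInstant="2021-07-28T00:00:00Z" '
    'Destination="https://cas.example.com/cas/idp/profile/SAML2/POST/SLO">'
    "<saml:Issuer>https://sp.example.com/</saml:Issuer>"
    "<saml:NameID>alice</saml:NameID></samlp:LogoutRequest>"
)
# Same request with a ds:Signature block; the value is a placeholder.
SIGNED_XML = UNSIGNED_XML.replace(
    "<saml:NameID>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
    "<saml:NameID>",
)
SP_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/">'
    '<md:SPSSODescriptor AuthnRequestsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    "<ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
    '<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://sp.example.com/saml/slo"/>'
    "</md:SPSSODescriptor></md:EntityDescriptor>"
)


def post_field(xml: str) -> str:
    """Encode a message the way the HTTP-POST binding puts it in the form."""
    return base64.b64encode(xml.encode()).decode()


def redirect_url(xml: str, signed: bool) -> str:
    """Encode a message the way the HTTP-Redirect binding puts it in the URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(data).decode()}
    if signed:  # detached signature; the value is a placeholder
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"PLACEHOLDER").decode()
    return "https://cas.example.com/cas/idp/profile/SAML2/Redirect/SLO?" + urlencode(params)


if __name__ == "__main__":
    print("POST unsigned:", post_logout_request_is_signed(post_field(UNSIGNED_XML)))
    print("POST signed:", post_logout_request_is_signed(post_field(SIGNED_XML)))
    print("Redirect signed:", redirect_logout_request_is_signed(redirect_url(UNSIGNED_XML, True)))
    print("SP profile:", sp_signing_profile(SP_METADATA))
```

Run it against the SAMLRequest captured from the browser when the SP initiates logout: an unsigned POST request has no ds:Signature child, and an unsigned Redirect request has no SigAlg/Signature parameters, which is exactly the situation the IdP rejects. If the SP metadata shows no signing KeyDescriptor, the SP has no key to sign with and the fix belongs on the SP side, as Ray says; relaxing the IdP-side logout settings is the fallback.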

cheekian yap

Jul 29, 2021, 7:59:39 AM7/29/21
to cas-...@apereo.org
I get it now. Thanks a lot for your help.

On Wed, Jul 28, 2021 at 11:31 PM, Ray Bon <rb...@uvic.ca> wrote: