Pulse Secure VPN SAML2 SP to CAS SAML2 IdP?


cur...@newschool.edu

Dec 13, 2018, 10:13:43 AM12/13/18
to CAS Community
Has anyone managed to configure their Pulse Secure VPN as a SAML2 SP to use CAS as a SAML2 IdP?

I've got (according to the documentation) all the configuration bits on the Pulse Secure box set up, and I've put an entry into the CAS service registry for a SAML2 service with the correct entityId.

And when I access the VPN endpoint that's supposed to go to CAS, it does indeed redirect to the CAS server. But CAS fails with:

2018-12-13 09:56:25,661 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <[https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi?p=sp1] is not found in the registry or service access is denied. Ensure service is registered in service registry>

despite the fact that the string highlighted above is exactly what's listed in the service registry and as the entityId in the metadata downloaded from the Pulse Secure appliance. I have also tried with the entityId set to that string minus the "?p=sp1" bit (because depending on where you download the metadata from in the Pulse UI, it's either a part of the entityId or it's not), but the string in the warning message is always the same.

Clearly I'm missing something fundamental here, but turning on DEBUG logging on the CAS server doesn't offer any clues, nor do the logs on the Pulse.

Any ideas / answers / guesses appreciated...

CAS 5.2.7 / Pulse 8.2R3.1

Thanks,
--Dave

Andres Rattur

Dec 13, 2018, 10:43:33 AM12/13/18
to cas-...@apereo.org
Hi Dave,

Yes, we are using this combination: Pulse Secure VPN + CAS as SAML2 IdP and it works well.

If this highlighted string from the log is exactly the same as your service registry id, then perhaps the problem is the question mark; it has to be escaped:

"If the service is defined as a regular expression, certain regex constructs such as "." and "\d" need to be doubly escaped."

With best regards,
Andres

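The escaping point above, as an added example that is not part of the thread or of CAS itself: the `registry_matches` function is an assumption that mimics a regex-based service registry lookup (CAS compiles `serviceId` with java.util.regex, where `?` and `.` behave exactly as in Python), and the JSON entry is a constructed minimal illustration rather than a complete CAS service file.

```python
import json
import re

# Constructed sample values echoing the thread: the Pulse Secure SP entityId
# from the CAS warning, and a lookalike URL that an unescaped "." would accept.
ENTITY_ID = "https://vpn.newschool.edu/dana-na/auth/saml-endpoint.cgi?p=sp1"
LOOKALIKE = "https://vpnXnewschool.edu/dana-na/auth/saml-endpoint.cgip=sp1"


def registry_matches(service_id_pattern: str, entity_id: str) -> bool:
    """Assumed model of a regex service registry: serviceId is compiled as a
    regex and tested against the incoming entityId with a find()-style search.
    In the raw entityId, "i?" makes the "i" optional and "?" itself is never
    matched literally, so the pattern cannot match the real URL."""
    return re.search(service_id_pattern, entity_id) is not None


def safe_service_id(entity_id: str) -> str:
    """Escape every regex metacharacter (".", "?", "-", ...) so the entityId
    matches only itself, and anchor it so a longer URL that merely contains
    the entityId is not accepted either."""
    return "^" + re.escape(entity_id) + "$"


def registry_entry_json(entity_id: str) -> str:
    """Render a minimal, hypothetical JSON service entry. json.dumps doubles
    each backslash, which is the "doubly escaped" form the CAS documentation
    quoted above refers to. Other required SAML fields are omitted here."""
    entry = {
        "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
        "serviceId": safe_service_id(entity_id),
        "name": "PulseSecureVPN",
        "id": 1,
    }
    return json.dumps(entry, indent=2)


if __name__ == "__main__":
    # The unescaped entityId fails to match itself (the symptom in the thread)
    # but does match a lookalike host, because "." matches any character.
    print(registry_matches(ENTITY_ID, ENTITY_ID))                 # False
    print(registry_matches(ENTITY_ID, LOOKALIKE))                 # True
    print(registry_matches(safe_service_id(ENTITY_ID), ENTITY_ID))  # True
    print(registry_matches(safe_service_id(ENTITY_ID), LOOKALIKE))  # False
    print(registry_entry_json(ENTITY_ID))
```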

David Curry

Dec 13, 2018, 11:12:11 AM12/13/18
to cas-...@apereo.org
Thanks, Andres! That was exactly the problem.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL | INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

Andres Rattur

Dec 13, 2018, 11:38:47 AM12/13/18
to cas-...@apereo.org
You are welcome, David!
I would like to thank you for the CAS Deployment step-by-step guide; it has been a great help for me.
