Working on Setting Up SAML 2.0 for the First Time

[John D Giotta]

I'm not too familiar with SAML 2.0 and I need to set up our existing CAS (currently using CAS protocol).

I've followed documentation, but unfortunately I'm unable to get the application to authorize.

The error I get in logs is:

CAS has found a match for service [https://vendor-site.com/Pages/Auth/Login.aspx] in registry but the match is not defined as a SAML service>

[Matthew Uribe]

What do you have in your json for "@class"? Is it "org.apereo.cas.support.saml.services.SamlRegisteredService"?

[John D Giotta]

Yes, it is.

{
 "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
 "serviceId": "https://vendor-site.com/Pages/Auth/Login.aspx",
 "name": "SAML Authentication Request",
 "id": 10000003,
 "evaluationOrder": 1,
 "metadataLocation": "https://s3.amazonaws.com/jdgiotta/sp-metadata/metadata.xml"
}

[Matthew Uribe]

Have you also added the service definition for the IdP endpoint? 

If you haven't already, you may want to walk through the steps for adding SAML support in this guide:  https://dacurry-tns.github.io/deploying-apereo-cas/building_server_saml_update-the-service-registry.html

[David Curry]

Just a thought, do you still have the "HTTP|IMAP" wildcard service in there? And does it have a lower evaluation order than your service-specific entry?

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f226ed6c-34a3-4d92-b8fa-a609b983a380%40apereo.org.

[John D Giotta]

Are there 2 service JSON files I'm supposed to create?

[David Curry]

Well, I used the one file per service model with them all in the /etc/cas/services directory. But I believe you can keep them all in one big JSON file if you want.

David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.
   

On Mon, May 7, 2018, 12:21 John D Giotta <jdgi...@gmail.com> wrote:

Are there 2 service JSON files I'm supposed to create?

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c2cc73eb-1368-4b6d-b4e7-4c0f832c30ac%40apereo.org.

[John D Giotta]

What I meant was that Matthew asked about my JSON using the @class org.apereo.cas.support.saml.services.SamlRegisteredService

Then asked if I registered the IdP endpoint. From the tutorial he pointed me towards, I can't tell if I'm creating both a SamlRegisteredService and a RegexRegisteredService JSON in registry.

[John D Giotta]

I noticed that my /cas/idp/metadata endpoint returns the following

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://cas.example.org/idp">

Shouldn't the entityID attribute read something else?

[Matthew Uribe]

I would expect your entityID to be https://cas.example.org/cas/idp but it depends on what you've set it to in cas.properties under cas.authn.samlIdp.entityId

[John D Giotta]

If I don't set this property does it affect the vendor integration I'm attempting to do?

[Matthew Uribe]

What does the SP expect the entityID to be? 

I have not experimented with anything other than setting the entityId to ${cas.server.prefix}/idp   and I don't know whether the CAS server will have issues with responding to https://cas.example.org/idp since CAS itself is at https://cas.example.org/cas, based on where you say your metadata is. Why would you not set this property? 

[David Curry]

For the service definition, you should only have one, which is a SamlRegisteredService. You do not need (or want)  a RegexRegisteredService for a SAML service.

And as Matthew said, you should also set

cas.authn.samlIdp.entityId:             ${cas.server.prefix}/idp

cas.authn.samlIdp.scope:                yourdomain.com

I'm not sure it actually matters from the perspective of your CAS SAML IdP working or not, but it may matter to the service provider ("client"), especially if that's a third party, who probably wants a "real" name there instead of "example.org".

As for why you're not matching the service, ASSUMING you only have the single SamlRegisteredService definition (and not also a RegexRegisteredService), then you should check that the entityId being sent by the service is identical to what you have in the "serviceId" field of your service registry entry.

To check what the SP is sending, look in the XML file for the SP's metadata near the top of the file:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"

        ID="http://workday.workday.com/newschool_preview"

        entityID="http://www.workday.com/newschool_preview">

or

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"

    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="IAMShowcase"

    validUntil="2025-12-09T09:13:31.006Z">

Whatever you see in the "entityID" attribute is what you should have, exactly, in the "serviceId" field of your service registry entry. Note that  there's no requirement that the entityId be a "real" URL, or even URL-shaped. The only requirement is that the SP and IdP agree on what it should be.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

On Mon, May 7, 2018 at 12:57 PM, John D Giotta <jdgi...@gmail.com> wrote:

If I don't set this property does it affect the vendor integration I'm attempting to do?

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e5262492-62ae-480c-abc5-2a4e5c429c5c%40apereo.org.

[Patrick Sutton]

Hello everyone,

I'm the developer who has been working on implementing the SAML authentication referenced by the OP, and the provided responses seem to align with what I've come across while researching the issue, so I wanted to try and provide a little more information in the hopes that it'll help better explain the issue.

From what I've been able to discern while attempting to debug the issue, it appears that the SAML service definition isn't even being loaded by CAS for some reason. I've tried everything from manually modifying the evaulationOrder property of the existing services to ensure the SAML service definition would be loaded first to deleting the other service definitions to eliminate load order issues, but to no avail.

I've attached "scrubbed" versions of our current service definitions, along with the metadata returned from the SP we are attempting to integrate with CAS. If there is any additional information I can provide, please don't hesitate to ask.

For reference, here are the property values related to SAML that we are currently using:

cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
cas.authn.samlIdp.scope=cas-idp-domain.com

{
    /*
      Generic service definition that applies to https/imaps urls
      that wish to register with CAS for authentication.
    */
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "^(https):\\/\\/.*\\.cas-idp-domain\\.com\\/.*",
    "name" : "HTTPS for genius",
    "id" : 10000006,
    "evaluationOrder": 300,
}

{
  /*
    Generic service definition that applies to https/imaps urls
    that wish to register with CAS for authentication.
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https):\\/\\/portal\\.cas-idp-domain\\.com\\/.*",
  "name" : "HTTPS for another Vendor",
  "id" : 10000004,
  "evaluationOrder": 200,
}

{
  /*
   * The CAS SAML IdP creates this endpoint as part of its initialization
   * process at server startup time. If the service registry doesn't already
   * contain an entry whose serviceId matches the endpoint, CAS will create
   * a new service definition and save it to the registry. If the CAS server
   * doesn't have write access to the registry, then the save will fail and
   * the server will not start.
   *
   * To avoid that situation, and to make it clear that this endpoint is a
   * "desired" service, it is defined explicitly here.
   */

  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://vendor-site.com/Pages/Auth/Login.aspx",
  "name" : "SAML Authentication Request",
  "id" : 10000003,

  "metadataLocation" : "https://link-to-metadata.com",
  "evaluationOrder": 1
}

SP Metadata:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2018-05-03T20:29:06Z" cacheDuration="PT604800S" entityID="https://vendor-site.com/Pages/Auth/Login.aspx">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vendor-site.com/Pages/Auth/Login.aspx" index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

[David Curry]

Do you have the dashboard endpoints enabled? Can you go to the "services" endpoint, which dumps the service registry, and see if there's something else in there?

Alternatively, I think if you turn on debug mode logging, it will tell you what services are loaded.

I'm thinking you might be getting a wildcard match through no fault of your own.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e4069196-0a04-4c66-9013-e7cd865a8f8d%40apereo.org.

[John D Giotta]

Thanks, David. Is the dashboard the management overlay?

[David Curry]

No, it's the "adminpages" stuff:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html

It's enabled solely in the CAS server; you don't need the management webapp.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

On Tue, May 8, 2018 at 9:25 AM, John D Giotta <jdgi...@gmail.com> wrote:

Thanks, David. Is the dashboard the management overlay?

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/aac77cff-6bb0-46b4-a386-9493d716c690%40apereo.org.

[John D Giotta]

Looking at the logs more I did find these WARNs:

2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Cannot find entity [https://vendor-site.com/Pages/Auth/Login.aspx] in metadata provider Ensure the metadata is valid and has not expired.>

2018-05-08 17:02:31,227 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <No metadata could be found for [https://vendor-site.com/Pages/Auth/Login.aspx]> 

The service is loaded, but metadata is wrong? 

[Matthew Uribe]

What do you get back when you do a curl on https://link-to-metadata.com  ?

[John D Giotta]

I get the XML output as expected.

[David Curry]

This may be your problem, then?

validUntil="2018-05-03T20:29:06Z

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/01ed8331-53df-4bbd-93f7-520370e536df%40apereo.org.

[John D Giotta]

Is that attribute required? Right now it is static.

[David Curry]

I do not see it in the metadata from any of the SPs we have in production here, so my guess would be probably not. But that's just a guess; I don't pretend to be an authority on SAML.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

On Tue, May 8, 2018 at 1:36 PM, John D Giotta <jdgi...@gmail.com> wrote:

Is that attribute required? Right now it is static.

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fcb7ecd8-9207-4257-ab5e-7fb43504a9de%40apereo.org.

[John D Giotta]

Ok, this is just a guess here, but the vendor I'm trying to implement CAS SAML to is for Identity Provider. Is it possible we've got this confused, because our metadata.xml is setup for SPSSODescriptor.

[David Curry]

Just to make sure your terminology is right:

• The Service Provider is the service that you, as a user, want to use. For example, here at The New School we have Adobe Creative Cloud, Tableau, Workday, Zoom, etc. as SPs. 
• The Identity Provider (IdP) is the system that the user authenticates against.  The IdP is connected to our Active Directory, and prompts users for their usernames and passwords (and, perhaps, Duo MFA). It returns success/failure to the SP that called it, along with (perhaps) user attributes like name, email address, etc.

So if I go to https://newschool.workday.com (for example), that's the SP. Workday redirects me to our CAS server (sso.newschool.edu -- the IdP), where I enter my username and password, and then perform a Duo authentication. CAS then sends "success" and some attributes back to Workday, and I'm logged in.

So if the vendor you're trying to connect with is really the Identity Provider, then I assume what you're wanting to happen is, when a user gets redirected to your CAS server to authenticate, you want the CAS server to consult with the vendor IdP instead of with your local LDAP (or whatever) to authenticate the user. In that case, you don't want CAS to be an IdP, you want to configure it for delegated authentication:

That's described here: https://apereo.github.io/cas/development/integration/Delegate-Authentication.html

If, on the other hand, what you're expecting to happen is that when the user is talking to the vendor's IdP you want the user to be sent to your CAS server to authenticate instead of authenticating against whatever local user database the IdP has, you need to configure the IdP to redirect to CAS (usually as a CAS service). This is what we used to do with Shibboleth in the CAS 3.x days, for example, to let CAS "support" SAML2 SPs. But how you do that is IdP-dependent, and you'll probably need to talk to your vendor for help.

Does that clarify anything for you?

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

On Tue, May 8, 2018 at 2:29 PM, John D Giotta <jdgi...@gmail.com> wrote:

Ok, this is just a guess here, but the vendor I'm trying to implement CAS SAML to is for Identity Provider. Is it possible we've got this confused, because our metadata.xml is setup for SPSSODescriptor.

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f70ba402-2e30-4950-8be4-23ef0ab04e62%40apereo.org.

[John D Giotta]

We're the identify provider and the vendor is the service provider.

[David Curry]

Does the vendor require you to configure your IdP (CAS server) to obtain the metadata from them dynamically? Or could you:

1. Use curl to grab a copy of their metadata from https://vendor.com/metadata
2. Edit the metadata yourself and get rid of the "validUntil" attribute
3. Put the edited metadata on the CAS server somewhere (e.g., /etc/cas/saml/sp-metadata/vendor.xml) and make sure it has the right owner/permissions so CAS can read it
4. Change the "metadataLocation" field in your service registry entry to point at the file instead of the vendor's URL

Should work...

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu

On Tue, May 8, 2018 at 3:01 PM, John D Giotta <jdgi...@gmail.com> wrote:

We're the identify provider and the vendor is the service provider.

--

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/125fbfc6-d66b-46c8-8922-069d914944c8%40apereo.org.