Hi there,
I am using CAS 6.4.6.6 for delegated authN using SAML; CAS delegates authN to Okta. I ran into a strange error: on Windows this works fine (i.e., once I point to /cas/login, it generates the SP metadata and keystore), but on Linux CAS does not generate the SP metadata and SP keystore. I am not sure why. I did not see any error in the logs.
This is the relevant portion of cas.properties.
cas.authn.saml-idp.core.entity-id= https://qa.......com/idp
cas.authn.saml-idp.metadata.fileSystem.location=file:///opt/jboss/ssoconf/idpmetadata
cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://qa.......com/cas/samlsp
cas.authn.pac4j.saml[0].clientName=Okta
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/jboss/ssoconf/samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1......8.okta.com/app/e.......b5d7/sso/saml/metadata
cas.authn.pac4j.saml[0].useNameQualifier=false
cas.authn.pac4j.saml[0].signAuthnRequest=true
cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true
On Windows it says "Initializing: SAML2Client", then it generates the keystore and SP metadata.
======
2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - <The following clients are built: [[#SAML2Client# | name: Okta | callbackUrl: https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@59d1889c | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4ddff72c | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@1d8000ee | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper] - <Can not evaluate delegated authentication policy without a service>
2023-10-24 16:05:23,318 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] - <Initializing: SAML2Client (nb: 0, last: null)>
2023-10-24 16:05:23,321 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - <Using service provider entity ID https://localhost:8443/cas/samlsp>
2023-10-24 16:05:23,321 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] - <Initializing: SAML2Configuration (nb: 0, last: null)>
2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - <Generating keystore one for/via: file [C:\apereocas66x\config\casas-samlsp\samlkeystore]>
2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - <Defaulting keystore type pkcs12>
2023-10-24 16:05:23,435 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - <Created keystore file [C:\apereocas66x\config\casas-samlsp\samlkeystore] with key alias cas-samlsp>
On Linux, notice it says "Initializing: RefreshableDelegatedClients". Not sure why it does not recognize it is a SAML2Client. Any idea?
Thanks,
======
2023-10-24 15:59:35,488 DEBUG [main] [org.apereo.cas.support.pac4j.authentication.DefaultDelegatedClientFactory] - <Created delegated client [#SAML2Client# | name: Okta | callbackUrl: https://qa....com/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
2023-10-24 15:59:35,489 DEBUG [main] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - <The following clients are built: [[#SAML2Client# | name: Okta | callbackUrl: https://qa....com/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2023-10-24 15:59:35,489 DEBUG [main] [org.pac4j.core.util.InitializableObject] - <Initializing: RefreshableDelegatedClients (nb: 0, last: null)>
2023-10-24 15:59:35,489 INFO [main] [org.apereo.cas.config.Pac4jAuthenticationEventExecutionPlanConfiguration] - <Registering delegated authentication clients...>
2023-10-24 15:59:35,744 DEBUG [main] [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Attribute repository sources are not available for person-directory principal resolution>
2023-10-24 15:59:36,180 INFO [main] [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Watching service registry directory at [/opt/jboss/whitelist/....]>
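An added pre-flight check for the pac4j SAML SP block above (example code written for this page, not part of the original post, CAS or pac4j): it parses the cas.authn.pac4j.saml[0].* keys, verifies that the directories behind keystorePath and serviceProviderMetadataPath exist and are writable by the user running it (pac4j has to create both files there on first initialization), flags the default "changeit" passwords shown in the post, and, once sp-metadata.xml exists, compares its entityID and AuthnRequestsSigned with the configuration. The sample properties, the example.edu entity ID and the minimal metadata document are constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def parse_saml_client(props_text, index=0):
    """Collect the cas.authn.pac4j.saml[<index>].* keys from cas.properties text."""
    prefix = f"cas.authn.pac4j.saml[{index}]."
    cfg = {}
    for raw in props_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.startswith(prefix):
            cfg[key[len(prefix):].strip()] = value.strip()
    return cfg

def check_sp_client(cfg, metadata_xml=None):
    """Return findings (empty list = consistent); run it as the CAS service account."""
    findings = []
    for key in ("keystorePath", "serviceProviderMetadataPath"):
        parent = os.path.dirname(cfg.get(key, "")) or "."
        if not os.path.isdir(parent):
            findings.append(f"{key}: {parent} does not exist, so CAS cannot generate into it")
        elif not os.access(parent, os.W_OK):
            findings.append(f"{key}: {parent} is not writable by the current user")
    if "changeit" in (cfg.get("keystorePassword"), cfg.get("privateKeyPassword")):
        findings.append("keystore/private-key password is the well-known default 'changeit'")
    if metadata_xml is not None:  # compare the generated SP metadata with the configured client
        root = ET.fromstring(metadata_xml)
        if root.get("entityID") != cfg.get("serviceProviderEntityId"):
            findings.append(f"metadata entityID {root.get('entityID')!r} != serviceProviderEntityId")
        sp = root.find("{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor")
        signed = sp is not None and sp.get("AuthnRequestsSigned") == "true"
        if cfg.get("signAuthnRequest") == "true" and not signed:
            findings.append('signAuthnRequest=true but metadata lacks AuthnRequestsSigned="true"')
    return findings

# Constructed sample mirroring the block in the question; {dir} is filled with a writable temp dir.
SAMPLE_PROPS = """cas.authn.pac4j.saml[0].keystorePath={dir}/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://sso.example.edu/cas/samlsp
cas.authn.pac4j.saml[0].serviceProviderMetadataPath={dir}/sp-metadata.xml
cas.authn.pac4j.saml[0].signAuthnRequest=true
"""
# Constructed minimal SP metadata, shaped like the sp-metadata.xml pac4j writes out.
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                   'entityID="https://sso.example.edu/cas/samlsp"><md:SPSSODescriptor '
                   'AuthnRequestsSigned="true"/></md:EntityDescriptor>')

def demo():
    cfg = parse_saml_client(SAMPLE_PROPS.format(dir=tempfile.mkdtemp()))
    return check_sp_client(cfg, SAMPLE_METADATA)  # only the 'changeit' finding remains
```

Point it at the real cas.properties and the generated sp-metadata.xml and run it as the account CAS runs under, since the writability result depends on that user.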