Hi Neon,
The ACS URL doesn't look right in your metadata file.
Since you mentioned Atlassian will redirect you to your CAS, please check the SAMLRequest xml using a saml dev tool.
It should be something like this:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://auth.atlassian.com/login/callback?connection=saml-xxxx-xxxx-xxxx"
    Destination="https://cas.example.com/idp/profile/SAML2/Redirect/SSO"
    ID="_51xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    IssueInstant="2024-11-05T19:45:53.620Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.atlassian.com/saml/xxxx-xxxx-xxxx</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</saml2p:AuthnRequest>
So the AssertionConsumerServiceURL in the SAMLRequest XML above is what you need to put in the SP metadata. And make sure the Issuer from the SAMLRequest matches the entityID in the SP metadata.
Good luck!
Thank you so much for your answer.
I created the metadata file using a web service and added:
<md:AssertionConsumerService
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://atlassian.start.com" />
I'm still getting no redirection and I stay on the CAS website.
On Monday, November 4, 2024 at 13:38:22 UTC-5, Ray Bon wrote:
Neon,
ACS is required in metadata. You can create the metadata file if the vendor does not supply it. There are some online services that will help.
Ray
On Fri, 2024-11-01 at 12:17 -0700, Neon Dazzle wrote:
<?xml version="1.0"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2024-11-03T19:47:00Z" cacheDuration="PT604800S"
entityID="https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc">
<md:SPSSODescriptor AuthnRequestsSigned="false"
WantAssertionsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate><!-- certificate value not preserved in this copy of the thread --></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDoTCCAomgAwIBAgIUNhHfnD6GS6Vpe0UmMu5RLDe9SMwwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9udHJlYWwxEDAOBgNVBAoMB1BvbHltdGwxGzAZBgNVBAMMEmNhczZkZXYucG9seW10bC5jYTAeFw0yNDA5MTkxODIxNDVaFw0zNDA5MTcxODIxNDVaMGAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1vbnRyZWFsMRAwDgYDVQQKDAdQb2x5bXRsMRswGQYDVQQDDBJjYXM2ZGV2LnBvbHltdGwuY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgaX5dGAb2xA02O8H1ozE4hmTYvbvV0uemh4DPUjsaybUCIn2Yx4U8HDNn9WigcibfEeD9nTq++jaV8+Gl5LepX5FjmFCNWn+f6t9Oz0h8NFqGj+gcFJURK0ZFOWsB1C7aut/ZRVh3mlJdl8X36BgO1Aufx+C9gQbvUVkWnX3NV3+2TRBB7WrgMFPAw8Y9CMexGK7hYqYQkL0xrau7+swRYZJLhqWU78x0YrOq5kg5Z00RThWPuzyAoif9U0dfUgjo7rXZd489ae3+fpNKAJxtJBif4Y/gq1RII32iNzDp4rpOzO88pZgy8UNJWAPkAYjD8g50RnlW7w8nCWsi6cbZAgMBAAGjUzBRMB0GA1UdDgQWBBRpR8obg/zDQnzAyKGh3bcXyyQlVDAfBgNVHSMEGDAWgBRpR8obg/zDQnzAyKGh3bcXyyQlVDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqVdUgcOyQ+QhRJXTKhhF7z7RxMGjvqnwfWzR3ZE4PADew/J48ULEcEa6VUrNXeyrgAa+YJQivXW4SbVqRzf3RSkwneL4b5ln7oH3eL5Q0ZvKOlxljQvTbhtjPn0jwuWhFtNc/7miBbURb1ywG0DUHD6IpzOjrnzKYCHZkISxFDKSLEkHb3lo0bs31nakA0NqFnbGg2D37T1C95vhPUdbb7xzQqQfa/1qm35vB05hnI2NrIEWyEztLEb30PPizNM6fyLy0U/snA9fgS6Xb++vvN5M2JcbytundR1RupARcguWLe1vprqnYumg9Quph6wjBki0ntH11ZvmNgZDT1K1U</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://auth.atlassian.com/login/callback?connection=saml-b87b0545-cb70-4fe0-8c96-61034fefb7cc"
index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Neon, the Destination in the SAMLRequest does not look right.
It should be something like https://cas.example.com/idp/profile/SAML2/Redirect/SSO; please check the <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ...> part of your IdP metadata.
And then, you need to change the Identity provider SSO URL in your Atlassian admin panel: https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/#Copy-details-from-your-identity-provider-to-your-Atlassian-organization

If you look at the dev tool, Atlassian was probably redirecting the client to the CAS home page (/cas) instead of the SSO page (/cas/idp/profile/SAML2/Redirect/SSO), so the CAS app does not know how to handle the parameters.
Good luck!
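The checks suggested in the two replies above (the AuthnRequest's AssertionConsumerServiceURL and Issuer against the SP metadata, and its Destination against the IdP's SSO endpoint), written out as an added example that is not part of the thread. The AuthnRequest, SP metadata and URLs are constructed samples with placeholder identifiers; the SAMLRequest encoding follows the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoded).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample inputs with placeholder identifiers (not a real tenant).
SSO_URL = "https://cas.example.com/cas/idp/profile/SAML2/Redirect/SSO"
ACS_URL = "https://auth.atlassian.com/login/callback?connection=saml-xxxx"
ENTITY_ID = "https://auth.atlassian.com/saml/xxxx"
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{NS['saml2p']}" Version="2.0"
  ID="_placeholder" IssueInstant="2024-11-05T19:45:53Z" Destination="{SSO_URL}"
  AssertionConsumerServiceURL="{ACS_URL}"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer xmlns:saml2="{NS['saml2']}">{ENTITY_ID}</saml2:Issuer>
</saml2p:AuthnRequest>"""
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['saml2p']}">
    <md:AssertionConsumerService index="1" Location="{ACS_URL}"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def encode_redirect_request(xml_text):
    """SAMLRequest value for the HTTP-Redirect binding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header or trailer
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_request(redirect_url):
    """Inverse of encode_redirect_request, starting from the full redirect URL."""
    raw = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(raw), -15).decode()

def sample_redirect_url():
    # The URL the SP would send the browser to (constructed for this example).
    return SSO_URL + "?" + urlencode({"SAMLRequest": encode_redirect_request(AUTHN_REQUEST)})

def check_sp_consistency(authn_request_xml, sp_metadata_xml, idp_sso_url):
    """Compare the live AuthnRequest with the SP metadata the IdP was given."""
    req = ET.fromstring(authn_request_xml)
    md = ET.fromstring(sp_metadata_xml)
    acs_locations = {e.get("Location") for e in
                     md.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)}
    return {
        "issuer_matches_entityid": req.find("saml2:Issuer", NS).text.strip() == md.get("entityID"),
        "acs_url_in_metadata": req.get("AssertionConsumerServiceURL") in acs_locations,
        "destination_is_sso_endpoint": req.get("Destination") == idp_sso_url,
    }
```

To apply it to a real login, paste the redirect URL captured by the browser dev tool into decode_redirect_request and the SP metadata file into check_sp_consistency; any False in the result is one of the mismatches discussed above.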
{
  "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
  "name": "JIRA",
  "id": 1726778135108,
  "description": "JIRA",
  "proxyTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
  },
  "serviceTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
  },
  "evaluationOrder": 27,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requireAllAttributes": false
  },
  "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
  "issuerEntityId": "",
  "signingCredentialType": "X509"
}
Thank you for your help, I changed the file and added the line as per your suggestion:
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://auth.atlassian.com/saml/b87b0545-cb70-4fe0-8c96-61034fefb7cc",
  "name": "JIRA",
  "id": 1726778135108,
  "description": "JIRA",
  "proxyTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
  },
  "serviceTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
  },
  "evaluationOrder": 27,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requireAllAttributes": false
  },
  "metadataLocation": "/etc/cas/saml/jira-metadat.xml",
  "issuerEntityId": "",
  "signingCredentialType": "X509"
}
Unfortunately, I get the same error that the application is not authorized to use CAS. I can see the service on the GUI:
I'm very confused. I feel like everything is there. What am I missing?
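A small consistency check for a CAS SAML service definition like the one posted above, added here as an example; it is not part of the thread and not CAS's own code. The service JSON and SP metadata are constructed samples with placeholder identifiers, and treating serviceId as a regular expression that must fully match the SP's entityID is an assumption about CAS's matching.

```python
import json
import re
import xml.etree.ElementTree as ET

SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

# Constructed sample SP metadata standing in for the file named by metadataLocation.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://auth.atlassian.com/saml/xxxx">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Service definition shaped like the one in the thread, reduced to the fields checked
# here; placeholder identifiers throughout.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://auth.atlassian.com/saml/xxxx",
  "name": "JIRA",
  "id": 1,
  "metadataLocation": "/etc/cas/saml/jira-metadata.xml",
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "mail"
  }
}"""

def lint_saml_service(service_json, sp_metadata_xml):
    """Return the problems found; an empty list means the definition is consistent."""
    svc = json.loads(service_json)
    entity_id = ET.fromstring(sp_metadata_xml).get("entityID")
    problems = []
    if svc.get("@class") != SAML_SERVICE_CLASS:
        problems.append("top-level @class is not SamlRegisteredService; CAS will not load this as a SAML SP")
    # serviceId is a regular expression in CAS; assumed here to require a full match
    # against the entityID the SP sends as Issuer.
    pattern = svc.get("serviceId", "")
    try:
        matched = bool(pattern) and re.fullmatch(pattern, entity_id) is not None
    except re.error:
        matched = False
    if not matched:
        problems.append(f"serviceId {pattern!r} does not match metadata entityID {entity_id!r}")
    if not svc.get("metadataLocation"):
        problems.append("metadataLocation is empty; CAS has no SP metadata to validate requests against")
    provider = svc.get("usernameAttributeProvider") or {}
    if not provider.get("usernameAttribute"):
        problems.append("no usernameAttribute set; the NameID will be derived from the CAS principal id")
    return problems
```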
What do your logs say about the service match failure?
From: cas-...@apereo.org <cas-...@apereo.org> On Behalf Of Neon Dazzle
Sent: Monday, November 18, 2024 11:45 AM
To: CAS Community <cas-...@apereo.org>
Cc: Ocean Liu <li...@whitman.edu>; CAS Community <cas-...@apereo.org>; Ray Bon <rb...@uvic.ca>; Neon Dazzle <chico...@gmail.com>
Subject: [EXTERNAL SENDER] Re: [cas-user] CAS SAML with Atlassian Cloud
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9248c12d-c8f0-4e35-9e12-89edb9b461b5n%40apereo.org.
{
  "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
  "usernameAttribute": "mail"
}
Thank you so much to all of you for helping me with this. I appreciate it!
Have a nice day.
I don't have access to my files right now, but I think everything needed is in this thread right now.
If you have any specific question, maybe I can help.