CAS-SAML integration


nandini s

Aug 11, 2021, 8:35:54 AM
to cas-...@apereo.org
Hi Everyone, 
I am using CAS version 5.2.4 on my production server, which runs CentOS 7. I am trying to integrate SAML (ADFS) with CAS and to work out the SP-initiated workflow. I have all these properties added in the properties file:
cas.authn.pac4j.saml[0].keystorePassword=********
cas.authn.pac4j.saml[0].privateKeyPassword=********
cas.authn.pac4j.saml[0].keystorePath=SigningFromCrt.jks
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://<domainname>/cas/login
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=FederationMetadata.xml
cas.authn.pac4j.saml[0].clientName=ClientName
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=18000

The SP metadata XML and the JKS file are generated on the CAS side.

The problem I am facing is that when I log in to my service, I get the option to log in through ADFS, where I can input my username and password. But after login, I get the error message below:

[attachment: image.png]

When I check on the ADFS side, the error is as below:
The Federation Service encountered an error while processing the SAML authentication request.

Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer 'https://<domainname>/cas/login'.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)



Any help will be very much appreciated.

Thanks,
Nandini S

Ray Bon

Aug 26, 2021, 4:14:11 PM
to cas-...@apereo.org
Nandini,

Does the certificate used for signing by CAS match the one in the metadata added to ADFS?

Ray

On Wed, 2021-08-11 at 18:05 +0530, nandini s wrote:
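The question Ray raises is the one to settle first: ADFS reports MSIS0037 when the relying party trust for the issuer has no certificate it can use to verify the signature on the AuthnRequest, so the certificate in the sp-metadata.xml that was imported into ADFS has to be the same one CAS signs with from SigningFromCrt.jks. The script below is an added example for this thread, not code from either poster or from CAS/pac4j. It reads the SP metadata, collects the certificates under KeyDescriptor elements that ADFS can use for signature verification (use="signing", or no use attribute), fingerprints them, and compares against a PEM certificate exported from the keystore; it also confirms the metadata entityID matches the configured serviceProviderEntityId. Standard library only. The entityID, the two "certificates" (arbitrary bytes standing in for DER) and the metadata documents at the bottom are constructed sample input, not real material; with the real files, pass them as arguments instead.

```python
"""Cross-check the SAML SP signing certificate in sp-metadata.xml against the
certificate CAS signs with (exported from the JKS) and the configured entityID.
Added example for the CAS/ADFS MSIS0037 thread; standard library only."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour (the format `keytool -exportcert -rfc` writes) and decode."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der; used here only to build the constructed sample."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes: the same digest `openssl x509 -noout -fingerprint -sha256`
    prints (there as colon-separated hex), so it can be eyeballed against the ADFS console."""
    return hashlib.sha256(der).hexdigest()


def metadata_entity_id(metadata_xml: str) -> str:
    return ET.fromstring(metadata_xml).get("entityID", "")


def metadata_signing_fingerprints(metadata_xml: str) -> List[str]:
    """Fingerprints of every SP certificate an IdP may use to verify signatures:
    KeyDescriptor with use="signing", or with no use attribute (which the SAML
    metadata spec defines as usable for both signing and encryption)."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key: never used for signature verification
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint(base64.b64decode("".join((cert.text or "").split()))))
    return fps


def check_sp_signing_cert(metadata_xml: str, keystore_cert_pem: str,
                          configured_entity_id: str) -> Dict[str, object]:
    """Compare the three places the SP identity lives: CAS properties (entityID),
    the keystore (signing cert) and the metadata handed to ADFS. If the keystore
    cert is not among the metadata's signing certs, ADFS has nothing to verify
    the AuthnRequest signature with for this issuer."""
    ks_fp = fingerprint(pem_to_der(keystore_cert_pem))
    md_fps = metadata_signing_fingerprints(metadata_xml)
    return {
        "keystore_fingerprint": ks_fp,
        "metadata_signing_fingerprints": md_fps,
        "cert_match": ks_fp in md_fps,
        "entity_id_match": metadata_entity_id(metadata_xml) == configured_entity_id,
    }


# ---- constructed sample input (NOT real certificates) ------------------------
ENTITY_ID = "https://cas.example.org/cas/login"  # placeholder for the real entityID
CURRENT_CERT_DER = b"stand-in bytes for the DER cert now in SigningFromCrt.jks"
STALE_CERT_DER = b"stand-in bytes for an older cert left in a previously generated sp-metadata.xml"


def sample_metadata(signing_der: bytes, encryption_der: bytes) -> str:
    """Minimal SP metadata shaped like pac4j's output: one signing and one encryption key."""
    s_b64 = base64.b64encode(signing_der).decode("ascii")
    e_b64 = base64.b64encode(encryption_der).decode("ascii")
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{ENTITY_ID}">
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{s_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{e_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: check_sp_cert.py sp-metadata.xml cas-signing.pem <entityID>
        with open(sys.argv[1]) as f_md, open(sys.argv[2]) as f_pem:
            print(check_sp_signing_cert(f_md.read(), f_pem.read(), sys.argv[3]))
    else:
        pem = der_to_pem(CURRENT_CERT_DER)
        print("fresh metadata:", check_sp_signing_cert(sample_metadata(CURRENT_CERT_DER, CURRENT_CERT_DER), pem, ENTITY_ID))
        # stale case: the current cert is present, but only under use="encryption"
        print("stale metadata:", check_sp_signing_cert(sample_metadata(STALE_CERT_DER, CURRENT_CERT_DER), pem, ENTITY_ID))
```

To run it against the real deployment, export the signing certificate from the keystore with `keytool -exportcert -rfc -alias <alias> -keystore SigningFromCrt.jks -file cas-signing.pem` (the alias is the one listed by `keytool -list -keystore SigningFromCrt.jks`), then invoke the script with sp-metadata.xml, that PEM file and the value of cas.authn.pac4j.saml[0].serviceProviderEntityId. A false cert_match means the metadata predates the keystore (regenerate the metadata and re-import it into the relying party trust); a true cert_match with the ADFS error still present means the metadata ADFS actually holds is not this file, which is worth confirming in the relying party trust's Signature tab before looking elsewhere.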