Cannot redirect to G Suite with SAMLRequest


Muhammad Ikhsan

Aug 4, 2025, 10:19:06 PM
to CAS Community
Please help. I have a problem with SSO because it does not redirect the page to Google after logging in to CAS.

CAS version: 6.6.10

URL that does not redirect:
https://example.com/cas/login?SAMLRequest=XXXXXXXXXXX&RelayState=https://accounts.google.com/CheckCookie?continue%3Dhttps://mail.google.com/mail/%26service%3Dmail%26checkedDomains%3Dyoutube%26checkConnection%3Dyoutube:153%26pstMsg%3D1%26osid%3D1%26flowName%3DGlifWebSignIn%26ltmpl%3Ddefault%26ifkv%3DAdBytiPbW68qdO8IkGQ2DGT2cLedFmYOCEhplUtBIgxp8uUOmKXqcR-mNxyeC2acB02MtICIjtbhiw

SP metadata:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2025-08-06T07:27:46Z"
                     cacheDuration="PT604800S"
                     entityID="google.com/a/example.com">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://www.google.com/a/example.com/acs"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>


Service definition:
{
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": "https://www.google.com/a/example.com/acs",
    "name": "gapps",
    "id": 1680247200,
    "evaluationOrder": 10,
    "metadataLocation": "C:/etc/cas/saml/metadatasp.xml",
    "usernameAttributeProvider": {
        "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute": "email"
    },
    "accessStrategy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled": true,
        "ssoEnabled": true
    },
    "delegatedAuthenticationPolicy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
        "allowedProviders": ["java.util.ArrayList", ["Google"]],
        "exclusive": true
    },
    "serviceTicketExpirationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy",
      "numberOfUses": 1,
      "timeToLive": "10"
    },
    "attributeReleasePolicy" : {
      "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
      "authorizedToReleaseProxyGrantingTicket" : true
    },
    "proxyPolicy" : {
      "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
      "pattern": ".+"
    },
    "publicKey" : {
      "@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
      "location" : "file:/etc/cas/keys/public2025.key",
      "algorithm": "RSA"
    },
    "properties" : {
      "@class" : "java.util.HashMap",
      "skipRequiredServiceCheck" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
        "values" : [ "java.util.HashSet", [ "true" ] ]
      }
    }
}

Jeremiah Garmatter

Aug 5, 2025, 8:57:15 AM
to CAS Community
Muhammad,

As far as I know, Google only supports SAML2 for SSO but you declare the service as a CasRegisteredService.
CAS can be operated as a SAML2 Identity Provider by using this info: https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html
Keep in mind that that documentation is for CAS 7.2.x, not your version, so your mileage may vary.

My Gsuite service file is very simple compared to yours:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "google.com/a/<my customer domain>",
  "name" : "GSuite",
  "id" : 1599507217,
  "description" : "Gsuite Sign On for <my customer domain>",
  "metadataLocation" : "/etc/cas/saml/metadata/gsuite.xml",
  "evaluationOrder" : 10,
  "logoutType" : "NONE"
}
That logoutType: NONE value is from a few versions back; it is probably unnecessary now...

Other than that, you'll probably want to remove the validUntil="2025-08-06T07:27:46Z" portion from your metadata.
I'm not sure if you left Location="https://www.google.com/a/example.com/acs" as example.com for security concerns, but that value must reflect your real Google login page. I believe Google gives you this info somewhere on the third-party SSO config page.

Richard Frovarp

Aug 5, 2025, 12:24:54 PM
to cas-...@apereo.org

The two that pop out to me are that 1) your entityID and serviceId don't match, and 2) you don't have it registered as a SAML service.

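The three points raised in the two replies above (the SP must be a SamlRegisteredService, serviceId must match the SP entityID rather than its ACS URL, and validUntil should go) can be turned into a check you run before touching the CAS registry. The script below is an added example and not CAS project code. The metadata and the two service definitions are constructed from the thread's own, trimmed to the fields that matter and with example.com kept as a placeholder; the anchored, dot-escaped serviceId in the fixed definition is my suggestion, not Jeremiah's exact value; and because CAS's exact regex-matching call is not stated on this page, the check uses re.search, the most permissive reading, so a miss here is a miss in CAS as well.

```python
"""Cross-check a SAML SP metadata document against a CAS service-registry
JSON definition. Added example, not CAS code; the sample documents below are
constructed from the thread (example.com is a placeholder domain)."""
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_sp_registration(metadata_xml: str, service_json: str, now: datetime) -> List[str]:
    """Return human-readable findings; an empty list means the two documents agree."""
    findings = []
    root = ET.fromstring(metadata_xml)
    svc = json.loads(service_json)
    entity_id = root.get("entityID", "")

    # 1) A SAML2 SP has to be registered with the SAML service class;
    #    CasRegisteredService only speaks the CAS protocol.
    if svc.get("@class") != SAML_SERVICE_CLASS:
        findings.append(f"@class is {svc.get('@class')!r}; a SAML2 SP needs {SAML_SERVICE_CLASS}")

    # 2) For a SAML service, serviceId is a regex matched against the SP's
    #    entityID (not its ACS URL). re.search is assumed here as the most
    #    permissive reading of that match, so a miss here is a miss in CAS too.
    pattern = svc.get("serviceId", "")
    try:
        hit = re.search(pattern, entity_id) is not None
    except re.error:
        hit = False
    if not hit:
        findings.append(f"serviceId {pattern!r} does not match entityID {entity_id!r}")

    # 3) validUntil makes the whole metadata document unusable once it passes.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        state = "already expired" if expiry <= now else f"expires {expiry.isoformat()}"
        findings.append(f"validUntil is set ({state}); drop it or keep the file refreshed")

    # 4) The SP receives the Response by POST, so an https HTTP-POST ACS is required.
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if not any(a.get("Binding") == HTTP_POST and (a.get("Location") or "").startswith("https://")
               for a in acs):
        findings.append("no https HTTP-POST AssertionConsumerService in metadata")
    return findings


# Constructed sample input: the poster's metadata, trimmed.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2025-08-06T07:27:46Z" entityID="google.com/a/example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SP_METADATA_NO_EXPIRY = SP_METADATA.replace('validUntil="2025-08-06T07:27:46Z" ', "")

# Constructed sample input: the definition as posted, and one shaped like the reply's.
BROKEN_SERVICE = json.dumps({
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": "https://www.google.com/a/example.com/acs",
    "name": "gapps", "id": 1680247200, "evaluationOrder": 10,
    "metadataLocation": "C:/etc/cas/saml/metadatasp.xml",
})
FIXED_SERVICE = json.dumps({
    "@class": SAML_SERVICE_CLASS,
    # Anchored and dot-escaped (my suggestion): an unescaped "google.com/a/example.com"
    # also matches "googleXcom/a/exampleXcom" and anything containing it.
    "serviceId": r"^google\.com/a/example\.com$",
    "name": "GSuite", "id": 1680247200, "evaluationOrder": 10,
    "metadataLocation": "/etc/cas/saml/metadata/gsuite.xml",
})
NOW = datetime(2025, 8, 5, 12, 0, tzinfo=timezone.utc)  # the thread's date, for a stable result

if __name__ == "__main__":
    for label, md, svc in (("as posted", SP_METADATA, BROKEN_SERVICE),
                           ("fixed", SP_METADATA_NO_EXPIRY, FIXED_SERVICE)):
        print(label, check_sp_registration(md, svc, NOW) or "OK")
```

Run as-is, the posted pair yields three findings (service class, serviceId versus entityID, validUntil) and the fixed pair yields none; point `SP_METADATA` at the metadata Google actually issues and `FIXED_SERVICE` at the real registry file before trusting the result.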

Muhammad Ikhsan

Aug 7, 2025, 2:45:39 PM
to CAS Community, Richard Frovarp
Thank you for your advice. Finally, my CAS IDP authentication was successful and I was redirected to https://www.google.com/a/example.com/acs.

However, an error message appears:
Google Workspace - This account cannot be accessed because the login credentials could not be verified.
We are unable to process your request at this time, please try again later.


What's wrong?
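The thread ends without a diagnosis of Google's error, and nothing on this page supplies one. What the page does supply is the SP's own statement of what it will check, in the posted metadata: the Audience must be its entityID, the Response must be addressed to its ACS, the NameID must be in emailAddress format, and assertions must be signed. The script below is an added example, not CAS or Google code, that runs those checks over a SAMLResponse captured from the browser's POST to the ACS. The metadata is trimmed from the poster's, the Responses are constructed, the IdP issuer https://example.com/cas/idp is assumed, and a bare ds:Signature element stands in for a real signature, whose cryptographic verification needs an XML-DSig library and the IdP certificate.

```python
"""Check a SAML Response against the requirements the SP declares in its
metadata. Added example, not CAS or Google code; the metadata and the
Responses built below are constructed (example.com is a placeholder, the
issuer URL is assumed) and <ds:Signature/> is a structural stand-in only."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed: the poster's SP metadata, trimmed to what the checks read.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="google.com/a/example.com">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_requirements(metadata_xml: str) -> dict:
    """Pull the four things the SP metadata says the SP will check."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs": [a.get("Location") for a in sso.findall("md:AssertionConsumerService", NS)],
        "nameid_format": sso.findtext("md:NameIDFormat", namespaces=NS),
        "want_signed": sso.get("WantAssertionsSigned") == "true",
    }


def check_response(response_b64: str, metadata_xml: str, mail_domain: str) -> List[str]:
    """Return findings for a base64 SAMLResponse as it is POSTed to the ACS."""
    req = sp_requirements(metadata_xml)
    resp = ET.fromstring(base64.b64decode(response_b64))
    findings = []
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    if resp.get("Destination") not in req["acs"]:
        findings.append(f"Destination {resp.get('Destination')!r} is not one of the SP's ACS URLs")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (missing or encrypted)")
        return findings
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  namespaces=NS)
    if audience != req["entity_id"]:
        findings.append(f"Audience {audience!r} != SP entityID {req['entity_id']!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("Subject has no NameID")
    else:
        if name_id.get("Format") != req["nameid_format"]:
            findings.append(f"NameID Format {name_id.get('Format')!r}; SP wants {req['nameid_format']!r}")
        value = (name_id.text or "").strip()
        if not re.fullmatch(r"[^@\s]+@" + re.escape(mail_domain), value):
            findings.append(f"NameID {value!r} is not an address in {mail_domain}")
    # Presence only: verifying the signature needs XML-DSig and the IdP certificate.
    if req["want_signed"] and assertion.find("ds:Signature", NS) is None:
        findings.append("SP wants signed assertions but the Assertion carries no ds:Signature")
    return findings


def build_response(name_id: str, name_id_format: str, signed: bool) -> str:
    """Build a minimal base64 Response (constructed test input, issuer URL assumed)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2025-08-07T07:45:39Z" Destination="https://www.google.com/a/example.com/acs">
  <saml:Issuer>https://example.com/cas/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-08-07T07:45:39Z">
    <saml:Issuer>https://example.com/cas/idp</saml:Issuer>{sig}
    <saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>google.com/a/example.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    good = build_response("ikhsan@example.com", EMAIL_FORMAT, True)
    bad = build_response("ikhsan", UNSPECIFIED_FORMAT, False)
    print("good:", check_response(good, SP_METADATA, "example.com") or "OK")
    print("bad: ", check_response(bad, SP_METADATA, "example.com"))
```

To use it on a live failure, take the SAMLResponse form field from the browser's POST to the ACS (developer tools, network tab) and pass it in place of the constructed value; a bare username NameID with an unspecified format and an unsigned assertion, the "bad" case above, produces three findings, while an emailAddress NameID in the customer domain inside a signed assertion produces none.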