Error parsing incommon metadata


atilling

Feb 2, 2024, 1:42:16 PM
to CAS Community
Trying to add a service provider from InCommon. I have one service provider working, but I'm getting an error when trying to access a second one:

2024-02-02 11:49:20,456 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.UrlResourceMetadataResolver] - <Metadata file designated for service [PeopleAdmin] already exists at path [/etc/cas/saml/idp/metadata-backups/382b60a9f8c9677793e7711043ee8d9805fe2572.xml].>

2024-02-02 11:49:23,410 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Metadata signature location is undefined for [https://md.incommon.org/InCommon/InCommon-metadata.xml]; metadata signature validation will not be invoked>

2024-02-02 11:49:42,961 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver] - <Initialized metadata resolver from [https://md.incommon.org/InCommon/InCommon-metadata.xml]>

2024-02-02 11:49:43,080 WARN [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <SAML metadata resolver [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] obtained from the cache is unable to produce/resolve valid metadata from [https://md.incommon.org/InCommon/InCommon-metadata.xml]. Metadata resolver cache entry with key [ec3dbe763cb47bb5fb789f5daa2842e8fb8c7a8d76ae088017c5c20b2cdfe23d0406b562f2b6af931fbe2e4dce97fd1f7e2edf784be65dcc4c652eab1b37d147] has been invalidated. Retry attempt: [2]>

2024-02-02 11:49:43,080 ERROR [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Unable to locate a valid SAML metadata resolver for https://md.incommon.org/InCommon/InCommon-metadata.xml to locate [EntityRoleCriterion [role={urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor], EntityIdCriterion [id=https://pa4078.peopleadmin.com/shibboleth]]

SamlRegisteredServiceDefaultCachingMetadataResolver.java:lambda$resolve$1:94

RetryTemplate.java:doExecute:329

RetryTemplate.java:execute:209

>

2024-02-02 11:49:43,080 WARN [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <No metadata could be found for [https://pa4078.peopleadmin.com/shibboleth]>

2024-02-02 11:49:43,080 WARN [org.apereo.cas.util.function.FunctionUtils] - <Cannot find metadata linked to https://pa4078.peopleadmin.com/shibboleth

AbstractSamlIdPProfileHandlerController.java:verifySamlAuthenticationRequest:493

AbstractSamlIdPProfileHandlerController.java:initiateAuthenticationRequest:311

AbstractSamlIdPProfileHandlerController.java:lambda$handleSsoPostProfileRequest$4:648

>

2024-02-02 11:49:43,081 ERROR [org.apereo.cas.web.support.WebUtils] - <Cannot find metadata linked to https://pa4078.peopleadmin.com/shibboleth

AbstractSamlIdPProfileHandlerController.java:verifySamlAuthenticationRequest:493

AbstractSamlIdPProfileHandlerController.java:initiateAuthenticationRequest:311

AbstractSamlIdPProfileHandlerController.java:lambda$handleSsoPostProfileRequest$4:648

>


I also have the entry in cas.properties for:

cas.saml-sp.in-common.metadata=https://md.incommon.org/InCommon/InCommon-metadata.xml

The service JSON looks like this:

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://pa4078.peopleadmin.com/shibboleth
  name: PeopleAdmin
  id: 1706734145472
  description: InCommon SAML SP Integration for PeopleAdmin
  evaluationOrder: 2147483642
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
    usernameAttribute: eduPersonPrincipalName
  }
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ChainingAttributeReleasePolicy
    policies:
    [
      java.util.ArrayList
      [
        {
          @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
          allowedAttributes:
          {
            @class: java.util.TreeMap
            displayName:
            [
              java.util.ArrayList
              [
                urn:oid:2.16.840.1.113730.3.1.241
              ]
            ]
            eduPersonPrimaryAffiliation:
            [
              java.util.ArrayList
              [
                urn:oid:1.3.6.1.4.1.5923.1.1.1.5
              ]
            ]
            eduPersonPrincipalName:
            [
              java.util.ArrayList
              [
                urn:oid:1.3.6.1.4.1.5923.1.1.1.6
                emailaddress
              ]
            ]
            givenName:
            [
              java.util.ArrayList
              [
                givenname
              ]
            ]
            sn:
            [
              java.util.ArrayList
              [
                surname
              ]
            ]
          }
        }
      ]
    ]
    mergingPolicy: REPLACE
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.ChainingPrincipalAttributesRepository
    }
    consentPolicy:
    {
      @class: org.apereo.cas.services.consent.ChainingRegisteredServiceConsentPolicy
    }
    authorizedToReleaseAuthenticationAttributes: true
  }
  metadataLocation: https://md.incommon.org/InCommon/InCommon-metadata.xml
  metadataCriteriaDirection: INCLUDE
  metadataCriteriaPattern: https://authproxy.conity.com/saml2
  signingCredentialType: BASIC
}


cas.saml-sp.in-common.metadata= 

atilling

Feb 19, 2024, 11:34:11 AM
to CAS Community, atilling
Working now: I commented cas.saml-sp.in-common.metadata out of our cas.properties file and it's working now.

atilling

Feb 19, 2024, 11:34:11 AM
to CAS Community, atilling
Clarification: I'm attempting to follow https://fawnoos.com/2019/01/18/cas61-saml2-idp-incommon/

I now have 3 SPs working using the InCommon metadata, all with the same metadataLocation; those 3 are working fine (equivalent to Almond and Coco in the example), but when attempting to add the "All Others" section I get an error that the metadata can't be parsed. Is there an issue with memory or something similar?

David Gelhar

Feb 23, 2024, 11:22:42 AM
to CAS Community, atilling
Rather than fetching the entire (huge) InCommon metadata aggregate for each service, it might work better to use the metadata query capability in your service definitions to do a dynamic query for just the specific service.

For InCommon, you would put this in your service definition:

"metadataLocation" : "https://mdq.incommon.org/entities/{0}",



atilling

Feb 24, 2024, 1:14:12 AM
to CAS Community, David Gelhar, atilling
This is an attempt to use "serviceId": ".+" as per the blog post. Because it needs to be able to match any service, it would need to load the whole metadata, I would think. I can try to add the {0}, but I was going off the example in https://fawnoos.com/2019/01/18/cas61-saml2-idp-incommon/

Andrew Tillinghast

May 7, 2024, 6:53:14 PM
to CAS Community, David Gelhar
Tried the suggested change, now the error is:

ERROR [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - <Unable to locate a valid SAML metadata resolver for https://mdq.incommon.org/entities/{0} to locate [EntityIdCriterion [id=https://conncoll.reclaimhosting.com]


But on the upside, it fails faster.
--

Andrew Tillinghast
Sr. Tech Lead Identity and Access Management 

Papa Amadou Baba NDIAYE

Oct 28, 2024, 11:23:16 PM
to CAS Community, Andrew Tillinghast, David Gelhar
Hello Andrew,
I have the same issue with EntityRoleCriterion; I'm using miniOrange SAML SSO for Moodle.

Jonathon Taylor

Nov 6, 2024, 10:17:10 PM
to cas-...@apereo.org, Andrew Tillinghast, David Gelhar
This might be a long shot, but have you tried URL-encoding the entity ID, if that's what you are putting in the serviceId? For example: https%3A%2F%2Fconncoll.reclaimhosting.com. We are not yet using CAS for SAML2, so this is just a guess, as I know the MDQ endpoint needs it that way.

--
Jonathon Taylor (he/him)
Information Security Office
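As an added example (not from this thread, CAS, or InCommon): how a metadataLocation template such as https://mdq.incommon.org/entities/{0} expands for one entityID, percent-encoded as suggested above, and what the two criteria in the CAS error (EntityIdCriterion plus the SPSSODescriptor role) amount to when checked against a fetched metadata document. The {sha1} identifier form follows the MDQ protocol draft, and the sample aggregate is constructed; no MDQ server is contacted.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # namespace named in the CAS error
ENTITY = "{%s}EntityDescriptor" % MD_NS
SP_ROLE = "{%s}SPSSODescriptor" % MD_NS


def mdq_url(template: str, entity_id: str, use_sha1: bool = False) -> str:
    """Expand a metadataLocation template such as https://mdq.incommon.org/entities/{0}.

    MDQ takes the entityID itself, percent-encoded as a single path segment
    (':' and '/' included), or the alternative '{sha1}<hex sha1 of entityID>'
    form; the braces of that form are percent-encoded too.
    """
    ident = entity_id
    if use_sha1:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return template.replace("{0}", quote(ident, safe=""))


def sp_descriptor_present(metadata_xml: str, entity_id: str) -> bool:
    """Apply the two criteria from the CAS log: an EntityDescriptor whose
    entityID matches AND which carries an SPSSODescriptor role."""
    root = ET.fromstring(metadata_xml)
    # MDQ returns a bare EntityDescriptor; an aggregate wraps many in EntitiesDescriptor.
    descriptors = [root] if root.tag == ENTITY else list(root.iter(ENTITY))
    return any(
        ed.get("entityID") == entity_id and ed.find(SP_ROLE) is not None
        for ed in descriptors
    )


# Constructed sample aggregate: one SP and one IdP, no real InCommon data.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(mdq_url("https://mdq.incommon.org/entities/{0}", "https://conncoll.reclaimhosting.com"))
    print(sp_descriptor_present(SAMPLE_AGGREGATE, "https://sp.example.edu/shibboleth"))
```

An entity that resolves by entityID but carries only an IDPSSODescriptor still fails the role criterion, which is the same shape of failure the CAS log reports.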