SAML IDP AUTHENTICATION


Papeace Ndiaye

Oct 26, 2024, 2:44:29 PM
to CAS Community
I am configuring CAS SAML2 to authenticate my applications like Moodle, WAYF, Shibboleth, etc., but the issue is that I can obtain the metadata, yet I still encounter authorization errors.  
cas.server.name=https://cas.exemple.com
cas.server.prefix=${cas.server.name}/cas
logging.config=file:/etc/cas/config/log4j2.xml
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.sn=sn
cas.authn.attributeRepository.ldap[0].attributes.givenName=givenName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://10.10.10.10
cas.authn.ldap[0].baseDn=dc=exemple,dc=com
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=cn=admin,dc=exemple,dc=com
cas.authn.ldap[0].bindCredential=password
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=sn,givenName,mail,eduPersonPrimaryAffiliation,displayName
cas.service-registry.core.init-from-json=false
cas.service-registry.json.location=file:/etc/cas/services
#################### SAML2 ##############################

cas.authn.saml-idp.core.entity-id=https://cas.exemple.com/cas/idp
cas.authn.saml-idp.metadata.file-system.location=file:/etc/cas/saml/
cas.server.scope=exemple.com
cas.authn.saml-idp.metadata.file-system.sign-metadata=false
cas.authn.saml-idp.metadata.core.cache-expiration=PT5M

My service saml-1001.json:
{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://moodle.exemple.com
  name: sml
  id: 1001
  evaluationOrder: 3
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    excludeDefaultAttributes: true
  }
  metadataLocation: https://moodle.unchk.sn/auth/mo_saml/index.php?option=mosaml_metadata
  requiredNameIdFormat: org.opensaml.saml.saml2.metadata.impl.NameIDFormatImpl@6bb1a595
  signAssertions: TRUE
  signingCredentialType: BASIC
}
@ray
@jeremy
Please, can you help me?

Jeremiah Garmatter

Oct 28, 2024, 9:10:47 AM
to CAS Community, Papeace Ndiaye
Papeace,

If you haven't already, I'd recommend installing a web-browser plugin called "SAMLTracer". It'll decode SAML requests and responses which you can use to troubleshoot the authentication process.
I'm not sure if this is a copy-paste issue or some sort of encoding problem, but your requiredNameIdFormat has an "@6bb1a595" at the end. I'm not sure that is a valid nameID format.
Typically, I obtain the nameID format from the SP metadata. I'll copy the string directly from the SP's metadata and paste it into the json file. Then, if necessary, I'll map it to another attribute with something like this:
  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:persistent",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "myPersistentIDAttribute"
  }

Papeace Ndiaye

Oct 28, 2024, 11:23:15 PM
to CAS Community, Jeremiah Garmatter, Papeace Ndiaye
Thank you, Jeremiah, for your answer.
My service.json file:
{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://test-moodle.exemple.com
  name: testpra
  id: 1730131468521
  evaluationOrder: 2
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    attributeFilter:
    {
      @class: org.apereo.cas.services.support.RegisteredServiceChainingAttributeFilter
      filters:
      [
        java.util.ArrayList
        [
          {
            @class: org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter
            patterns:
            {
              @class: java.util.LinkedHashMap
              givenName: givenName
              sn: sn
              mail: mail
            }
          }
        ]
      ]
      order: -2147483648
    }
    excludeDefaultAttributes: true
    principalIdAttribute: mail
  }
  metadataLocation: https://test-moodle.exemple.com/Shibboleth.sso/Metadata
  requiredNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  encryptAssertions: true
  signingCredentialType: X509
  attributeNameFormats:
  {
    @class: java.util.LinkedHashMap
    mail: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    givenName: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    sn: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  }
}
##########################################################
I have this log:
2024-10-28 19:17:30,982 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authenticated principal te...@exemple.com] with attributes [{displayName=[personnel], eduPersonPrimaryAffiliation=[Personnel], givenName=[user  ], mail=[te...@exemple.com], sn=[personnel]}] via credentials [[UsernamePasswordCredential(username=te...@exemple.com source=null, customFields={})]].>
2024-10-28 19:17:30,982 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: te...@exemple.com
WHAT: [UsernamePasswordCredential(username=te...@exemple.com, source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Oct 28 19:17:30 UTC 2024
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2024-10-28 19:17:30,984 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: te...@exemple.com
WHAT: {result=Service Access Granted, service=https://test-moodle.exemple.com, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Oct 28 19:17:30 UTC 2024
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2024-10-28 19:17:31,022 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: te...@exemple.com
WHAT: {result=Service Access Granted, service=https://test-moodle.exemple.com, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Oct 28 19:17:31 UTC 2024
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2024-10-28 19:17:31,024 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: te...@exemple.com
WHAT: TGT-2-********EvlQ7eY-srv-casfree
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Oct 28 19:17:31 UTC 2024
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2024-10-28 19:17:31,030 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: te...@exemple.com
WHAT: {result=Service Access Granted, service=https://test-moodle.exemple.com, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Oct 28 19:17:31 UTC 2024
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2024-10-28 19:17:31,031 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted service ticket [ST-2-********QpYP9CE-srv-casfree] for service [https://test-moodle.exemple.com] and principal [te...@exemple.com]>
2024-10-28 19:17:31,031 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: te...@exemple.com
WHAT: {ticket=ST-2-********QpYP9CE-srv-casfree, service=https://test-moodle.exemple.com}
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Oct 28 19:17:31 UTC 2024
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: 127.0.0.1

Papeace Ndiaye

Oct 28, 2024, 11:23:16 PM
to CAS Community, Jeremiah Garmatter, Papeace Ndiaye
Now with SAML Tracer I see my attributes with this service:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://test-moodle.exemple.com",
  "name" : "Sample",
  "id" : 1730131468521,
  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  },
  "metadataLocation" : "https://test-moodle.exemple.com/Shibboleth.sso/Metadata",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}
Now I want to have:
mail urn:oid:0.9.2342.19200300.100.1.3
givenName urn:oid:2.5.4.42
sn urn:oid:2.5.4.42
mail urn:oid:0.9.2342.19200300.100.1.3
On Monday, 28 October 2024 at 13:10:47 UTC, Jeremiah Garmatter wrote:

Papa Amadou Baba NDIAYE

Oct 31, 2024, 8:31:34 AM
to CAS Community, Papeace Ndiaye, Jeremiah Garmatter
You can use this service, it works for me:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "SAML SERVICE",
  "id" : 111222333,
  "metadataLocation" : "https://test-pra.exemple.com/Shibboleth.sso/Metadata",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "cn" : "urn:oid:2.5.4.3",
      "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
      "givenName" : "urn:oid:2.5.4.42",
      "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
      "sn" : "urn:oid:2.5.4.4"
    }
  }
}
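As an added example (not code from this thread or from the CAS project), the Python script below does what the two answers describe: it reads the SP's metadata to pick requiredNameIdFormat and to build the friendly-name-to-OID map for a ReturnMappedAttributeReleasePolicy, and it rejects a NameID format value that is not a SAML URN, which is the "@6bb1a595" problem in the first service file. The SP metadata is a constructed sample, and the service name and id are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Only SAML 1.1 / 2.0 nameid-format URNs pass; residue like "NameIDFormatImpl@6bb1a595" does not.
NAMEID_FORMAT_RE = re.compile(r"^urn:oasis:names:tc:SAML:(1\.1|2\.0):nameid-format:[A-Za-z]+$")
# Constructed SP metadata (not fetched from a real Shibboleth.sso/Metadata endpoint),
# reduced to the elements that drive the CAS service definition.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://test-moodle.exemple.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
      <md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"/>
      <md:RequestedAttribute FriendlyName="sn" Name="urn:oid:2.5.4.4"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def is_nameid_format(value):
    return bool(NAMEID_FORMAT_RE.match(value))

def sp_requirements(metadata_xml):
    """(NameID formats, {FriendlyName: OID Name}) advertised by the SP."""
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", MD_NS)
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", MD_NS)]
    requested = {ra.get("FriendlyName"): ra.get("Name") for ra in
                 sp.findall("md:AttributeConsumingService/md:RequestedAttribute", MD_NS)}
    return formats, requested

def build_service(service_id, metadata_location, metadata_xml, username_attribute):
    """SamlRegisteredService derived from the SP metadata; name and id are hypothetical."""
    formats, requested = sp_requirements(metadata_xml)
    if not formats or not is_nameid_format(formats[0]):
        raise ValueError(f"SP advertises no usable NameID format: {formats}")
    if username_attribute not in requested:
        raise ValueError(f"{username_attribute} is not a RequestedAttribute of the SP")
    return {
        "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
        "serviceId": service_id, "name": "moodle-from-metadata", "id": 1001,
        "metadataLocation": metadata_location,
        "requiredNameIdFormat": formats[0],
        "usernameAttributeProvider": {
            "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
            "usernameAttribute": username_attribute},
        "attributeReleasePolicy": {
            "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
            "allowedAttributes": {"@class": "java.util.TreeMap", **requested}},
    }
```

The allowedAttributes map is the LDAP friendly name on the left and the OID the SP requested on the right, which is the shape of the working policy above; serialise the returned dict with json.dumps to get a service file.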