Per service specific SAML IDP configuration


Jason Rappaport
Jun 15, 2021, 1:00:52 PM
to CAS Community
Good afternoon.  We are trying to configure our CAS server as a SAML IDP with a per service IDP configuration using this guide: https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html#per-service

We created a CAS service registry entry for a SAML SP called: Test_SAML-1363.json and placed that file in D:\etc\cas\config\services

To override the default IDP configured in cas.properties, we added this file (no extension) Test-1363 to D:\etc\cas\saml\metadata. Note that we also tried it with a .xml extension.

What we got back from the SP indicated that it received a response from the default IDP configured in CAS, and not the one we attempted to override within the service specific configuration.  

Has anyone done this before and if so, what are we doing wrong?

Thanks, Jay 


Ray Bon
Jun 15, 2021, 1:31:45 PM
to cas-...@apereo.org
Jason,

My reading of that doc section is that you need a directory named metadata/Test_SAML-1363. The service specific IdP metadata et al. goes in there.

Ray


Jason B. Rappaport
Jun 15, 2021, 1:46:57 PM
to cas-...@apereo.org

Ray – thank you for the reply!

I believe we did indeed do that: within the D:\etc\cas\saml\metadata directory lives a file called Test_SAML-1363 with no file extension.

Thanks, Jay


--
Jason Rappaport (he/him)
Identity and Access Management Analyst
Office of Information Technology
Email: jaso...@princeton.edu
Office: 609-258-8464


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f588b450ab78d25f5848786e20e6bb5d685aa747.camel%40uvic.ca.

Jason B. Rappaport
Jun 15, 2021, 1:57:08 PM
to cas-...@apereo.org

Ray – I just reread your message, are you indicating we need a directory D:\etc\cas\saml\metadata\Test_SAML-1363 and then within that is the IDP metadata file?

Jason B. Rappaport
Jun 15, 2021, 4:35:43 PM
to cas-...@apereo.org

I think we are making progress; now we are getting this error message:

Unable to locate signing credentials

Any thoughts on how to fix this?

Ray Bon
Jun 15, 2021, 5:08:46 PM
to CAS Community, jaso...@princeton.edu
Does your IdP metadata have certificate(s)?

Ray

cheekian yap
Jul 23, 2021, 3:13:10 AM
to CAS Community, Ray Bon, jaso...@princeton.edu
Hi Ray,

I'm getting the same error (Unable to locate signing credentials) when integrating Elastic Cloud with Apereo CAS using the SAML2 protocol. My IdP metadata does not contain a certificate. Is it mandatory to include a certificate in the IdP metadata?


Jason B. Rappaport
Jul 23, 2021, 10:19:32 AM
to cas-...@apereo.org, Ray Bon

Please note that we abandoned this pursuit, as it does not seem possible to have two completely different SAML IdPs on the same CAS server configured with service-specific overrides. It appears that you can override some aspects of a SAML IdP's configuration but not all of them.


Ray Bon
Jul 23, 2021, 11:46:06 AM
to cas-...@apereo.org, jaso...@princeton.edu
It is possible to set a service attribute to not sign, signAssertions and signResponses. https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html

Ray

JF Poulin
Sep 9, 2021, 7:51:14 AM
to CAS Community, Ray Bon, jaso...@princeton.edu
I was scratching my head about this last night and I seem to have figured out some things. The documentation provided isn't clear, as it references the path /etc/cas/config/saml/metadata, which is different from the default path /etc/cas/saml.

Then you need to create a directory inside that path with the exact name parameter of your service as defined in your service definition and place your files inside. Again, in the documentation they show the use of underscores in the service name which can be confusing but in our case we use spaces since that is what is shown to the end user on the login page.

For example: if you have a service with the following:
name: My Service Name
id: 1005

You'd put your IdP files here:
/etc/cas/saml/My Service Name-1005/idp-metadata.xml, idp-signing.key, ...

Just putting it here in case it helps someone understand the documentation.
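As an added example (not part of this thread and not CAS's own code): a small Python check that derives the override directory from the service definition's exact name and id, as JF describes, and then looks inside idp-metadata.xml for a signing certificate, which is what Ray asked about when the "Unable to locate signing credentials" error came up. The thread only names idp-metadata.xml and idp-signing.key; the file names idp-signing.crt, idp-encryption.crt and idp-encryption.key are assumed, and the service definition and metadata used in the demo are constructed.

```python
import json, os, tempfile
import xml.etree.ElementTree as ET

# idp-metadata.xml and idp-signing.key are named in the thread; the other three are
# assumed to follow CAS's default file-system IdP metadata layout.
EXPECTED_FILES = ("idp-metadata.xml", "idp-signing.crt", "idp-signing.key",
                  "idp-encryption.crt", "idp-encryption.key")
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed service definition, mirroring the thread's "My Service Name" / 1005.
SERVICE_JSON = '{"serviceId": "https://sp.example.org/.*", "name": "My Service Name", "id": 1005}'

def service_metadata_dir(metadata_root, service_json_text):
    """Override directory CAS is expected to read: <root>/<exact name>-<id>."""
    svc = json.loads(service_json_text)
    return os.path.join(metadata_root, f"{svc['name']}-{svc['id']}")

def metadata_has_signing_cert(metadata_xml_path):
    """True if some KeyDescriptor usable for signing carries an X509Certificate."""
    root = ET.parse(metadata_xml_path).getroot()
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
            continue
        if kd.find(".//ds:X509Certificate", NS) is not None:
            return True
    return False

def check_override(metadata_root, service_json_text):
    """Findings for the per-service override; an empty list means the layout looks right."""
    d = service_metadata_dir(metadata_root, service_json_text)
    if not os.path.isdir(d):
        return [f"missing directory {d}"]
    findings = [f"missing {f}" for f in EXPECTED_FILES if not os.path.isfile(os.path.join(d, f))]
    meta = os.path.join(d, "idp-metadata.xml")
    if os.path.isfile(meta) and not metadata_has_signing_cert(meta):
        findings.append("no signing certificate in idp-metadata.xml")
    return findings

def demo(with_cert):
    """Build a throwaway override directory with constructed metadata and check it."""
    root = tempfile.mkdtemp()
    d = service_metadata_dir(root, SERVICE_JSON)
    os.makedirs(d)
    for f in EXPECTED_FILES[1:]:
        open(os.path.join(d, f), "w").close()  # empty placeholders; only presence is checked
    cert = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            'MIIB...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    with open(os.path.join(d, "idp-metadata.xml"), "w") as fh:
        fh.write(f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}">'
                 f'<md:IDPSSODescriptor>{cert if with_cert else ""}</md:IDPSSODescriptor></md:EntityDescriptor>')
    return check_override(root, SERVICE_JSON)
```

Run it against a real override directory with `check_override("/etc/cas/saml", open("My Service Name-1005.json").read())`; a metadata file without a signing KeyDescriptor is the case that produces the error discussed above.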

JF Poulin
Sep 9, 2021, 9:24:37 AM
to CAS Community
The code that handles this is located in FileSystemSamlIdPMetadataLocator > getMetadataArtifact(...)