CAS 5.2.x SAML IdP Issues

[vnick]

Hey, everyone,

I'm trying to get SAML2 authentication working against my CAS server.  I've got CAS protocol authentications working just fine, but am struggling getting the SAML IdP configured correctly.  I have the following items configured in my main CAS configuration:

## SAML Provider

cas.authn.samlIdp.entityId=https://server.domain.com/cas/idp

cas.authn.samlIdp.hostName=server.domain.com

cas.authn.samlIdp.scope=domain.com

cas.authn.samlIdp.metadata.cacheExpirationMinutes=30

cas.authn.samlIdp.metadata.failFast=true

cas.authn.samlIdp.metadata.location=file:///etc/cas/saml

cas.authn.samlIdp.metadata.privateKeyAlgName=RSA

cas.authn.samlIdp.metadata.requireValidMetadata=true

cas.authn.samlIdp.logout.forceSignedLogoutRequests=true

cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false

cas.authn.samlIdp.response.skewAllowance=0

cas.authn.samlIdp.response.signError=false

cas.authn.samlIdp.response.useAttributeFriendlyName=true

I also have a JSON-based service registry configured, and have the following entry for the SP that I'm trying to authenticate with:

{

    "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",

    "serviceId": "https://1.2.3.4/guacamole/api/tokens",

    "name": "GuacamoleSAML",

    "id": 1002,

    "evaluationsOrder": 1002,

    "metadataLocation": "file:///etc/cas/saml/sp-guacamole.xml"

}

and, finally, I used the web site mentioned in the CAS SAML IdP documentation to generate the metadata:

<?xml version="1.0"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"

                     validUntil="2018-02-17T03:16:28Z"

                     cacheDuration="PT604800S"

                     entityID="https://1.2.3.4/guacamole/api/tokens">

    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

                                     Location="https://1.2.3.4/guacamole/api/ext/saml/callback"

                                     index="1" />

        

    </md:SPSSODescriptor>

</md:EntityDescriptor>

However, every time I try to authenticate with this app, I receive the following error:

2018-02-15 12:12:52,559 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Received SAML profile request [/cas/idp/profile/SAML2/Redirect/SSO]>

2018-02-15 12:12:52,581 ERROR [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <CAS has found a match for service [https://1.2.3.4/guacamole/api/tokens] in registry but the match is not defined as a SAML service>

I can't seem to get much more detail - I think something must be wrong with my logging configuration, because I can't get any debugging.  Also, most of the parameters in the cas configuration file for SAML (cas.authn.samlIdp.*) seem to lack documentation - for example, I feel like this could be related to the "cas.authn.samlIdp.scope=domain.com", but there's no documentation on what's expected or acceptable for the scope, and whether this would generate the error message I'm seeing above?  Other than that, as far as I can tell, my JSON service entry matches the documentation, is valid JSON, and defines the mentioned service as a SAML service, so its unclear to me what's leading to this error.

Any pointers would be appreciated!

-Nick

[Misagh Moayyed]

Do you have other JSON service definitions in the registry? Anything with a lower evaluation order or a more relaxed regex pattern? 

--Misagh

---

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/abc5ef3d-26d5-4070-a08f-aa40db37a7fc%40apereo.org.

[vnick]

There are other service definitions in the registry, yes, but none that should overlap with this definition.  There are only two other service definitions - one is the OAuth Callback, which is automatically generated by CAS, and the other is one for the server on which CAS is running, which is different from the URL of the SAML application.  I will try disabling the one for the server where CAS is running just to be sure, but I the RegEx for that is pretty specific to that host and I don't see how it could overlap.

-Nick

[vnick]

Well, this put me on the right path - turns out the number of services the log file told me was loading just happened to match what was in the services directory, but the CAS configuration was not pointing at anything but the default location, so it wasn't actually loading my services.  Problem is resolved - all works well, now!

-Nick

On Thursday, February 15, 2018 at 12:29:00 PM UTC-5, Misagh Moayyed wrote:

[Misagh Moayyed]

Cool. Who exactly is the SP in this scenario? 

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b90e201e-a2aa-4116-aadc-4eea986b54f9%40apereo.org.

[vnick]

I'm writing a SAML authentication extension for the Guacamole Project (http://guacamole.apache.org).

-Nick

[Misagh Moayyed]

Nice. If and when you get to it, turn it into once of these:

https://apereo.github.io/cas/development/integration/Configuring-SAML-SP-Integrations.html

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a73bc1a6-1b6a-4d11-b33e-8185c466e0c9%40apereo.org.