OKTA as IDP CAS as SP problems (Apereo Cas 5.2.2)

773 views

Skip to first unread message

Efren Pérez

unread,

Jul 4, 2018, 5:35:30 AM7/4/18

to CAS Community

Hello,

could someone help me?

I follow this tutorial link to use OKTA as IDP. When I deploy the cas server, it prepare sp-metadata.xml, keystore, ... and it show me in login panel SAML2Client option.

After click in SAML2Client it redirect me to okta application login.

After login I see this message:

Unauthorized Access

Either the authentication request was rejected/cancelled, or the authentication provider denied access due to permissions, etc. Review logs to find the root cause of the issue.

My log does not show any error (pac4j log is in debug mode)

2018-07-04 10:25:49,731 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>

2018-07-04 10:26:39,754 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [3] service(s) from [JsonServiceRegistryDao].>

2018-07-04 10:26:57,043 DEBUG [org.pac4j.saml.context.SAML2ContextProvider] - <Creating message storage by org.pac4j.saml.storage.EmptyStorageFactory>

2018-07-04 10:26:57,044 DEBUG [org.pac4j.saml.transport.Pac4jHTTPPostDecoder] - <Initialized Pac4jHTTPPostDecoder>

2018-07-04 10:26:57,044 DEBUG [org.pac4j.saml.transport.Pac4jHTTPPostDecoder] - <Decoded SAML relay state of: https://localhost:8443/cas/login?client_name=SAML2Client>

2018-07-04 10:26:57,045 DEBUG [org.pac4j.saml.transport.Pac4jHTTPPostDecoder] - <Getting Base64 encoded message from context, ignoring the given request>

2018-07-04 10:26:57,051 DEBUG [org.pac4j.saml.transport.Pac4jHTTPPostDecoder] - <Decoded SAML message>

2018-07-04 10:27:39,762 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [3] service(s) from [JsonServiceRegistryDao].>

2018-07-04 10:27:49,732 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>

I have configured the cas server as follow:

application.properties:

# CAS Server Context Configuration

server.context-path=/cas

server.port=8443

server.ssl.key-store=file:/etc/cas/thekeystore

server.ssl.key-store-password=changeit

server.ssl.key-password=changeit

cas.serviceRegistry.initFromJson=true

cas.serviceRegistry.config.location=file:/etc/cas/services

cas.authn.pac4j.typedIdUsed=true

cas.authn.pac4j.autoRedirect=false

cas.authn.pac4j.name=Delegate SAML Correos

server.max-http-header-size=2097152

server.use-forward-headers=true

server.connection-timeout=20000

server.error.include-stacktrace=ALWAYS

server.compression.enabled=true

server.compression.mime-types=application/javascript,application/json,application/xml,text/html,text/xml,text/plain

server.tomcat.max-http-post-size=2097152

server.tomcat.basedir=build/tomcat

server.tomcat.accesslog.enabled=true

server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)

server.tomcat.accesslog.suffix=.log

server.tomcat.max-threads=10

server.tomcat.port-header=X-Forwarded-Port

server.tomcat.protocol-header=X-Forwarded-Proto

server.tomcat.protocol-header-https-value=https

server.tomcat.remote-ip-header=X-FORWARDED-FOR

server.tomcat.uri-encoding=UTF-8

spring.http.encoding.charset=UTF-8

spring.http.encoding.enabled=true

spring.http.encoding.force=true

# CAS Cloud Bus Configuration

spring.cloud.bus.enabled=false

endpoints.enabled=false

endpoints.sensitive=true

endpoints.restart.enabled=false

endpoints.shutdown.enabled=false

management.security.enabled=true

management.security.roles=ACTUATOR,ADMIN

management.security.sessions=if_required

management.context-path=/status

management.add-application-context-header=false

security.basic.authorize-mode=role

security.basic.enabled=false

security.basic.path=/cas/status/**

# CAS Web Application Session Configuration

server.session.timeout=300

server.session.cookie.http-only=true

server.session.tracking-modes=COOKIE

# CAS Thymeleaf View Configuration

spring.thymeleaf.encoding=UTF-8

spring.thymeleaf.cache=true

spring.thymeleaf.mode=HTML

# CAS Log4j Configuration

# logging.config=file:/etc/cas/log4j2.xml

server.context-parameters.isLog4jAutoInitializationDisabled=true

# CAS AspectJ Configuration

spring.aop.auto=true

spring.aop.proxy-target-class=true

# CAS Authentication Credentials

cas.authn.accept.users=casuser::Mellon

cas.authn.pac4j.saml[0].keystorePassword=pac4j-demo-passwd

cas.authn.pac4j.saml[0].privateKeyPassword=pac4j-demo-passwd

cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/

cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata.xml

cas.authn.pac4j.saml[0].keystorePath=/etc/cas/config/samlKeystore.jks

cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-369529.oktapreview.com/app/exkfn4r8tkzRSbSFN0h7/sso/saml/metadata

cas.server.name=https://localhost:8443

cas.server.prefix=https://localhost:8443/cas

in services I has addded:

{

"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",

"serviceId" : "https://localhost:8443",

"name" : "saml",

"id" : 10000003,

"evaluationOrder" : 10,

"metadataLocation" : "https://dev-369529.oktapreview.com/app/exkfn4r8tkzRSbSFN0h7/sso/saml/metadata",

}

The idp metadata url is https://dev-369529.oktapreview.com/app/exkfn4r8tkzRSbSFN0h7/sso/saml/metadata

The sp metadata is:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_zgdsnp01yfvw92b6i9r9uueheooyzdqxeg4z8oj" entityID="https://localhost:8443/" validUntil="2038-07-04T09:12:34.003Z">

<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">

<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>

</md:Extensions>

<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">

<md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">

<init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost:8443/cas/login?client_name=SAML2Client"/>

</md:Extensions>

<md:KeyDescriptor use="signing">

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<ds:X509Data>

<ds:X509Certificate>MIICtzCCAZ+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAfMR0wGwYDVQQDDBRlZnJlbi1MYXRpdHVk

ZS1FNjQ0MDAeFw0xODA3MDQwNzUyNDBaFw0xOTA3MDQwNzUyNDBaMB8xHTAbBgNVBAMMFGVmcmVu

LUxhdGl0dWRlLUU2NDQwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxKdqYc2UmCKa

+VuciMOnRkvKO6F2b4hNpcKfICxTliO49oUEwvjVFeHSsMrIdBI/uG61S2v+45hGRXzE0cVkkLsL

rLPd5MVHqZSjoWLZddQn+6cL/pEEpY7xs9r2gRswVsPdjNgsnhXhuNPBDGAsv89IyC5IIFKS7KN/

h+NZC7SVuTWujhfpGuuVdSJA0XqdkiJK4cQkeqd7iV+V5KEhYyvjyQciNzsH9oiCfeJGKBpHcPy1

XrDyb3LRfX5MDBC733WXIM0gE2vCv9dfit4NbMKoqkz59Q1EB4mVXVhx4bbI0VNmkNkxBBXf99gV

tZNkcdcTMhQKVXTOndWHkrdeFwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBBdQjs7TYV3Apd3Mix

MzGiKHyvtIl2GoMsP44V318tHmMt+IVhP/4qL+aMhVFtrknzPkVT1l0n6q5x2DXPybX9/9R1/rth

Y2nMzjUAHzMrVKWZ+xOjNQIoje3uS33D04oKCY53gP0Zdxs/UzgOP9T4JdrmHvdQLTkYqB6qoSTN

rWE9+74F7PSPsMZidP7fc/OmM0tCbeWHsKvfuPbWKpMuQmlHqh7aKKZUf5dgHnyUbn9DC4xqDnwC

Q6qTdM1rqAph8ZgwJGEDDn6C7dQ6u7OThN5yTQTX6PP457uh64ZpLdYMmSjWsJ4JdOrVuKrBHwd4

UZr/hIFhFqvRq4OU6eyR</ds:X509Certificate>

</ds:X509Data>

</ds:KeyInfo>

</md:KeyDescriptor>

<md:KeyDescriptor use="encryption">