Hello all,
Has anyone successfully managed to configure CAS as the SSO for
fb's workplace sp
(https://www.workplace.com/resources/tech/authentication/sso)?
I have been at it for days but I always end up with the following
error message:
"SSO Not Authenticated
The SAML Response was invalid. Please check that all fields are
correct and try again"
The steps I have followed are:
1) Include the implementation
"org.apereo.cas:cas-server-support-saml-idp" dependency in my
build.gradle
2) Allow cas to autogenerate the idp-metadata xml along with the
signing and encryption crts.
3) fill the workplace's saml configuration field with these
values:
4) Take workplace's provided audience url, recipient url and ACS
url and generate the below sp metadata xml file:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://www.workplace.com/company/******">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://******.workplace.com/work/saml.php" />
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://******.workplace.com/work/saml.php"
                                 index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
5) Create the following json service:
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://www.workplace.com/company/******",
  "name" : "saml-test-service",
  "id" : 10000003,
  "evaluationOrder" : 10,
  "metadataLocation" : "file://etc/cas/saml/fb-sp-metadata.xml",
  "requiredNameIdFormat" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "mail"
  }
}
6) Tapping the Test sso button on workplace's side.
The authentication proceeds without a problem from CAS but fails with the message I provided at the start of the email on workplace's side.
Any help from anyone who has come across this behavior in the past would be great!
Best regards,
Fotis
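A small checker, added here as an example and not part of Fotis's post or of CAS itself, that decodes a captured SAMLResponse form value and compares its Destination, Recipient, Audience and NameID format with what the SP metadata declares; an SP that reports "The SAML Response was invalid" is usually rejecting one of exactly these fields. The SP metadata and the IdP response it runs on are constructed here with placeholder entityID and host, and the response builder emits an unsigned assertion because signature validity is out of this script's scope.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata shaped like the one in the post (placeholder entityID and host).
SP_METADATA = """<md:EntityDescriptor xmlns:md="%s" entityID="https://www.workplace.com/company/EXAMPLE">
 <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true">
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:AssertionConsumerService Binding="%s" Location="https://example.workplace.com/work/saml.php"/>
 </md:SPSSODescriptor></md:EntityDescriptor>""" % (NS["md"], POST)

def sp_expectations(metadata_xml):
    """Values the SP will compare the Response against, read from its own metadata."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:SPSSODescriptor", NS)
    acs = sso.find("md:AssertionConsumerService[@Binding='%s']" % POST, NS)
    return {"entity_id": root.get("entityID"), "acs": acs.get("Location"),
            "nameid_format": sso.findtext("md:NameIDFormat", namespaces=NS)}

def build_response(acs, audience, nameid_format):
    """Constructed, unsigned, minimal IdP Response (POST binding, base64) used as sample input."""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s"><saml:Assertion>'
           '<saml:Subject><saml:NameID Format="%s">user@example.test</saml:NameID>'
           '<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="%s"/>'
           '</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
           '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>' % (NS["samlp"], NS["saml"], acs, nameid_format, acs, audience))
    return base64.b64encode(xml.encode()).decode()

def check_response(saml_response_b64, expect):
    """Decode a SAMLResponse form value and list every field that would not satisfy the SP."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    a = resp.find("saml:Assertion", NS)
    if a is None:  # an EncryptedAssertion would need decrypting before these checks
        return ["no plaintext Assertion"]
    findings = []
    if resp.get("Destination") != expect["acs"]:
        findings.append("Destination != ACS URL")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expect["acs"]:
        findings.append("Recipient != ACS URL")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != expect["entity_id"]:
        findings.append("Audience != SP entityID")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != expect["nameid_format"]:
        findings.append("NameID Format != SP NameIDFormat")
    return findings
```

To use it against a real login, paste the SAMLResponse value from the browser's POST to saml.php into check_response together with sp_expectations(...) loaded from the metadata file CAS is actually serving, and fix whichever field it reports before looking at signatures.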