trouble getting saml idp to work with O365


Stewart

Oct 24, 2020, 9:23:27 AM
to CAS Community
Hey Folks,

I'm trying to get CAS to act as an IdP for Office365. I've tried both the built-in integration and configuring it manually. Either way I keep getting this:

2020-10-24 06:14:56,070 INFO [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver] - <Loading SAML metadata from [/etc/cas/saml/federationmetadata.xml]>
2020-10-24 06:14:56,108 INFO [org.apereo.cas.support.saml.SamlUtils] - <Successfully resolved credentials from [file [/etc/cas/saml/idp-signing.crt]]>
2020-10-24 06:14:56,341 WARN [org.apache.xml.security.signature.XMLSignature] - <Signature verification failed.>
2020-10-24 06:14:56,341 ERROR [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter] - <Signature trust establishment failed for metadata entry urn:federation:MicrosoftOnline>
2020-10-24 06:14:56,342 ERROR [org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver] - <Metadata Resolver InMemoryResourceMetadataResolver org.apereo.cas.support.saml.InMemoryResourceMetadataResolver: Unable to filter metadata: Signature trust establishment failed for metadata entry>

Is this referring to Microsoft's signature or (more likely) my idp-signature.crt? I've already tried adding my own certs to the system trust store (via update-ca-trust on Linux)... nothing changed. Can anybody offer any clues as to what I might have done wrong or how to fix this?

Thanks

Ray Bon

Oct 26, 2020, 12:10:59 PM
to cas-...@apereo.org
Stewart,

Turn up logging to TRACE.
I would think the signature is referring to O365, since CAS knows its own certificate.
You should not have to add anything to the local trust store; this would become a maintenance nightmare. Metadata includes self-signed certificates, almost exclusively.
Make sure the O365 certificate is what is in your relying party metadata.

Get a tool like SAMLTracer for your browser. You can see what is being sent between parties.

Ray


-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Stewart

Oct 27, 2020, 7:03:29 PM
to CAS Community, Ray Bon
Thank you so much, Ray. Turning up the log to TRACE was helpful. Turns out I had MetadataSignatureLocation pointing to a copy of my signing cert instead of theirs (at least CAS stopped complaining when I pointed it to theirs). Getting SAMLTracer for my browser was helpful too... both parties now appear to be talking civilly (i.e. returning 200).

Unfortunately, I'm still not 100% of the way there... I end up on either a blank white page on the Microsoft side after sign-in or a page that says "Sorry that didn't work out, try again." Any further hints?

Best Regards,

Stewart

Tom O'Neill

Oct 28, 2020, 8:53:12 AM
to cas-...@apereo.org

Stewart,


I would recommend double checking the contents of the assertion that is captured through the SAML tracer.

You’ll want to verify that you’re providing the correct attributes as well:

    Name ID     Immutable ID (objectGUID)
    IDPEmail    UPN


You’ll also want to confirm that your objectGUID is coming back correctly and in a binary format.

Hopefully that helps!


Thanks,

Tom


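As an added check of the points Tom lists (my example, not code from the thread or from CAS), this script parses a constructed assertion of the kind SAMLTracer would capture and verifies that the NameID decodes to a 16-byte objectGUID and that an IDPEmail attribute carrying a UPN is present. The XML layout, GUID and address are made-up sample values.

```python
import base64
import binascii
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_o365_assertion(xml_text: str) -> dict:
    """Inspect a SAML 2.0 assertion for the two values the thread says O365
    needs: NameID = ImmutableID (base64 of the 16-byte AD objectGUID) and an
    IDPEmail attribute carrying the UPN. Returns what was found plus a list
    of problems (empty when the assertion looks right)."""
    root = ET.fromstring(xml_text)
    name_id = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems, guid = [], None
    try:
        raw = base64.b64decode(name_id, validate=True)
    except binascii.Error:
        raw = b""  # not base64 at all, e.g. the GUID sent as a string
    if len(raw) == 16:
        # AD's objectGUID bytes use the mixed-endian layout uuid calls bytes_le
        guid = str(uuid.UUID(bytes_le=raw))
    else:
        problems.append("NameID is not base64 of a 16-byte objectGUID (string GUID or wrong attribute?)")
    email = attrs.get("IDPEmail", [])
    if not email or "@" not in email[0]:
        problems.append("IDPEmail attribute missing or not a UPN")
    return {"name_id": name_id, "guid": guid, "idp_email": email[0] if email else None, "problems": problems}


def _assertion(name_id: str, email: str) -> str:
    # Constructed minimal assertion (sample input, not a real SAMLTracer capture)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_1" Version="2.0">
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


SAMPLE_GUID = uuid.UUID("8f1c2d3e-4b5a-6978-8a9b-0c1d2e3f4a5b")  # made-up objectGUID
GOOD = _assertion(base64.b64encode(SAMPLE_GUID.bytes_le).decode(), "jdoe@example.edu")
BAD = _assertion(str(SAMPLE_GUID), "jdoe@example.edu")  # GUID as text instead of binary

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_o365_assertion(doc))
```

Paste the decoded assertion from SAMLTracer in place of the constructed one; a non-empty problems list points at which of the two values to fix on the CAS side.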