CAS as IdP with Keycloak (org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - No metadata could be found for [http://localhost:8080/auth/realms/master])


Andrey Seledkov

Apr 7, 2019, 4:34:24 AM
to CAS Community
Hi team

My Keycloak setup is on host localhost:8080

From Keycloak I set the CAS IdP with the following URL: https://localhost:8443/cas/idp/profile/SAML2/Redirect/SSO

CAS version is 6.0

My application.properties file is

cas.serviceRegistry.json.location=file:/etc/cas/services
cas.serviceRegistry.initFromJson=true


cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
cas.authn.samlIdp.scope=localhost
cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
cas.authn.samlIdp.metadata.location=file:/etc/cas/saml
cas.authn.samlIdp.attributeQueryProfileEnabled=true

And service

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^http://localhost:8080/auth/realms/master.*",
  "name" : "SAML",
  "id" : 10000010,
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "sAMAccountName"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sAMAccountName" : "Username",
      "mail" : "Email",
      "givenName" : "FirstName",
      "sn" : "LastName"
    }
  },
  "requiredNameIdFormat" : "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
  "metadataLocation" : "file:/etc/cas/saml/saml.xml",
  "signAssertions" : true,
  "signResponses" : false
}


File saml.xml from Keycloak

<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <EntityDescriptor entityID="http://localhost:8080/auth/realms/master">
    <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <dsig:KeyInfo>
          <dsig:KeyName>28MEWm8hWj0zNxNI8VegsxRNMUEw69aZWW0btpcers8</dsig:KeyName>
          <dsig:X509Data>
            <dsig:X509Certificate><!-- certificate value omitted --></dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>

When it redirects, I get the following trace:

11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Located issuer [http://localhost:8080/auth/realms/master] from authentication request                                                       
11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Checking service access in CAS service registry for [http://localhost:8080/auth/realms/master]                                              
11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Located SAML service in the registry as [^http://localhost:8080/auth/realms/master.*] with the metadata location of [http://localhost:8080/auth/realms/master/protocol/saml/descriptor]
11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Fetching saml metadata adaptor for [http://localhost:8080/auth/realms/master]                                                               
11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Adapting SAML metadata for CAS service [SAML] issued by [http://localhost:8080/auth/realms/master]                      
11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Locating metadata for entityID [http://localhost:8080/auth/realms/master] by attempting to run through the metadata chain...
11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver - Resolving metadata for [SAML] at [http://localhost:8080/auth/realms/master/protocol/saml/descriptor].            
11:22:20.806 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver - Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [http://localhost:8080/auth/realms/master/protocol/saml/descriptor]
11:22:20.806 [https-jsse-nio-8443-exec-7] INFO  org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Resolved metadata chain for service [^http://localhost:8080/auth/realms/master.*]. Filtering the chain by entity ID [http://localhost:8080/auth/realms/master]
11:22:20.806 [https-jsse-nio-8443-exec-7] WARN  org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Cannot find entity [http://localhost:8080/auth/realms/master] in metadata provider Ensure the metadata is valid and has not expired.
11:22:20.806 [https-jsse-nio-8443-exec-7] WARN  org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - No metadata could be found for [http://localhost:8080/auth/realms/master]                                                                   
11:22:20.814 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - No properties file found for [classpath:custom_messages_ru_RU] - neither plain properties nor XML                                                                         
11:22:20.814 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - No properties file found for [classpath:messages_ru_RU] - neither plain properties nor XML                                                                                
11:22:20.818 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - No properties file found for [classpath:custom_messages_ru] - neither plain properties nor XML                                                                            
11:22:20.822 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - No properties file found for [classpath:custom_messages] - neither plain properties nor XML                                                                               
11:22:20.822 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - Re-caching properties for filename [classpath:messages_ru] - file hasn't been modified                                                                                    
11:22:20.822 [https-jsse-nio-8443-exec-7] DEBUG org.apereo.cas.web.view.CasReloadableMessageBundle - Re-caching properties for filename [classpath:messages] - file hasn't been modified                                                                                       
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor - Decoded SAML object [{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest] from http request                                        
11:22:21.230 [https-jsse-nio-8443-exec-9] INFO  org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager - Audit trail record BEGIN                                                                                                                                     
=============================================================                                                                                                                                                                                                                  
WHO: audit:unknown                                                                                                                                                                                                                                                             
WHAT: [issuer=http://localhost:8080/auth/realms/master,binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]                                                                                                                                                             
ACTION: SAML2_REQUEST_CREATED                                                                                                                                                                                                                                                  
APPLICATION: CAS                                                                                                                                                                                                                                                               
WHEN: Sun Apr 07 11:22:21 EEST 2019                                                                                                                                                                                                                                            
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1                                                                                                                                                                                                                                             
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1                                                                                                                                                                                                                                             
=============================================================                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                                               
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Located issuer [http://localhost:8080/auth/realms/master] from authentication request                                                       
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Checking service access in CAS service registry for [http://localhost:8080/auth/realms/master]                                              
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Located SAML service in the registry as [^http://localhost:8080/auth/realms/master.*] with the metadata location of [http://localhost:8080/auth/realms/master/protocol/saml/descriptor]
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - Fetching saml metadata adaptor for [http://localhost:8080/auth/realms/master]                                                               
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Adapting SAML metadata for CAS service [SAML] issued by [http://localhost:8080/auth/realms/master]                      
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Locating metadata for entityID [http://localhost:8080/auth/realms/master] by attempting to run through the metadata chain...
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver - Resolving metadata for [SAML] at [http://localhost:8080/auth/realms/master/protocol/saml/descriptor].            
11:22:21.230 [https-jsse-nio-8443-exec-9] DEBUG org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver - Loaded and cached SAML metadata [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] from [http://localhost:8080/auth/realms/master/protocol/saml/descriptor]
11:22:21.230 [https-jsse-nio-8443-exec-9] INFO  org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Resolved metadata chain for service [^http://localhost:8080/auth/realms/master.*]. Filtering the chain by entity ID [http://localhost:8080/auth/realms/master]
11:22:21.230 [https-jsse-nio-8443-exec-9] WARN  org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade - Cannot find entity [http://localhost:8080/auth/realms/master] in metadata provider Ensure the metadata is valid and has not expired.
11:22:21.230 [https-jsse-nio-8443-exec-9] WARN  org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController - No metadata could be found for [http://localhost:8080/auth/realms/master]                                                                   

Andrey Seledkov

Apr 7, 2019, 4:47:29 PM
to CAS Community

Issue resolved.

entityID and serviceId must be equal.


On Sunday, April 7, 2019 at 11:34:24 UTC+3, Andrey Seledkov wrote:
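The trace above shows the order in which CAS resolves a SAML service: the AuthnRequest issuer is matched against the registered `serviceId` pattern, the metadata chain is loaded from the service's metadata location, and the chain is then filtered by that issuer as entityID; the "No metadata could be found" warning fires when the filter finds nothing. The following is an added pre-flight check that mirrors those steps offline (example code written for this thread, not part of CAS or Keycloak). The `check_service` function and the abridged metadata are constructed here; the certificate value is omitted.

```python
"""Offline check of a CAS SamlRegisteredService against the SP metadata it points at."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata, abridged from the Keycloak descriptor in the thread
# (KeyDescriptor and endpoints left out; only entityID matters for the lookup).
SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:keycloak">
  <EntityDescriptor entityID="http://localhost:8080/auth/realms/master">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed registration, reduced to the field the lookup depends on.
CAS_SERVICE = {"serviceId": "^http://localhost:8080/auth/realms/master.*"}


def entity_ids(metadata_xml: str) -> list:
    """Return every entityID in an EntityDescriptor or an EntitiesDescriptor aggregate."""
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        descriptors = [root]
    else:
        descriptors = root.findall(f"{{{MD_NS}}}EntityDescriptor")
    return [d.get("entityID") for d in descriptors if d.get("entityID")]


def metadata_expired(metadata_xml: str, now: datetime = None) -> bool:
    """True if the root element carries a validUntil in the past (the warning CAS hints at)."""
    valid_until = ET.fromstring(metadata_xml).get("validUntil")
    if valid_until is None:
        return False
    now = now or datetime.now(timezone.utc)
    return datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now


def check_service(service: dict, metadata_xml: str, issuer: str) -> list:
    """Replay the CAS lookup for one AuthnRequest issuer and return the problems found."""
    problems = []
    # Step 1: the registry lookup matches the issuer against the serviceId regex.
    if not re.compile(service["serviceId"]).match(issuer):
        problems.append(f"serviceId {service['serviceId']!r} does not match issuer {issuer!r}")
    # Step 2: the metadata chain is filtered by the issuer used as entityID.
    ids = entity_ids(metadata_xml)
    if issuer not in ids:
        problems.append(f"issuer {issuer!r} is not an entityID in the metadata {ids}")
    # Step 3: expired metadata is rejected even when the entityID is present.
    if metadata_expired(metadata_xml):
        problems.append("metadata validUntil is in the past")
    return problems


if __name__ == "__main__":
    print(check_service(CAS_SERVICE, SP_METADATA, "http://localhost:8080/auth/realms/master"))
```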