SAML Authentication. Application can't authorize to use cas


Marco Osorio

Jun 29, 2017, 5:31:39 AM
to CAS Community
Hello everyone,
I have managed to configure SAML2 and load the IdP metadata, which is generated automatically, and the SP metadata generated by the SP plugin.
I have entered the CAS manager and added the SP, but when I try to authenticate, CAS tells me that the application is not authorized to use CAS.
I loaded the idp-metadata into the plugin to render the parameters, and that was OK.

My question is what do I need to be able to authenticate correctly?
jira-test-metadata.xml
idp-metadata.xml
cas.log

Richard Frovarp

Jun 29, 2017, 8:53:14 AM
to cas-...@apereo.org
Last line of your log file:

<CAS has found a match for service
[https://jira.myDomain.com/plugins/servlet/samlsso] in registry but the
match is not defined as a SAML service>

You need to define the service as a SAML 2 service. If you are using the
manager, change the service type. If you are doing it via direct JSON,
follow the instructions in the documentation.

Marco Osorio

Jun 29, 2017, 9:27:20 AM
to CAS Community
Hi Richard,
Thanks for your answer.

This is my JSON service:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "name" : "JIRA-SAMLTest",
  "id" : 3032504042888199,
  "description" : "JIRA SAML Testing",
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "NONE",
    "encryptUsername" : false
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration" : 2,
      "timeUnit" : "HOURS"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false,
    "excludeDefaultAttributes" : false
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "failureMode" : "CLOSED",
    "bypassEnabled" : false
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "caseInsensitive" : false
  },
  "metadataLocation" : "/etc/cas/saml/sp/jira-test-metadata.xml",
  "metadataMaxValidity" : 0,
  "metadataSignatureLocation" : "",
  "signAssertions" : false,
  "signResponses" : true,
  "encryptAssertions" : true,
  "metadataCriteriaRoles" : "SPSSODescriptor",
  "metadataCriteriaRemoveEmptyEntitiesDescriptors" : false,
  "metadataCriteriaRemoveRolelessEntityDescriptors" : false
}


I don't know if it is correct.

Song, Doe-Hyun

Jul 5, 2017, 2:36:34 PM
to cas-...@apereo.org

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9798020d-443f-4f30-8ba1-4dce12864a05%40apereo.org.

Marco Osorio

Jul 6, 2017, 4:05:04 AM
to CAS Community, DS...@armada.net
Hi,
This is the trace after the authentication process:

2017-07-06 09:52:35,951 DEBUG [org.apereo.cas.web.support.DefaultCasCookieValueManager] - <Decoded cookie value is [TGT-**********************************************lPkvVW2p2M...@127.0.0.1@Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0]>
2017-07-06 09:52:35,951 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport.getAuthenticatedPrincipalFrom]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2017-07-06 09:52:35,951 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport.getAuthenticatedPrincipalFrom]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2017-07-06 09:52:35,956 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2017-07-06 09:52:35,956 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Resuming suspended transaction after completion of inner transaction>
2017-07-06 09:52:35,956 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2017-07-06 09:52:35,975 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.getTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager',+org.apereo.cas.ticket.InvalidTicketException>
2017-07-06 09:52:35,976 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.getTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager',+org.apereo.cas.ticket.InvalidTicketException>
2017-07-06 09:52:35,979 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2017-07-06 09:52:35,980 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Resuming suspended transaction after completion of inner transaction>
2017-07-06 09:52:35,980 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2017-07-06 09:52:35,982 DEBUG [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] - <Request does not specify a [TARGET] or request body is empty>
2017-07-06 09:52:35,982 DEBUG [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation>
2017-07-06 09:52:35,982 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>
2017-07-06 09:52:35,983 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.>
2017-07-06 09:53:02,655 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner.clean]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2017-07-06 09:53:02,655 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner.clean]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>


I do not know if something is missing from the configuration.

Thanks a lot!!

Marco Aurelio Osorio De León

Jul 6, 2017, 6:21:55 AM
to cas-...@apereo.org
Thanks Song, Doe-Hyun for your answer.

I have been able to solve the problem of the application being recognized by the CAS manager.
Now I have a problem with the redirection to the SP; I do not know if it is a problem of the JIRA plugin itself or an SP metadata problem.
The problem is that after authentication it does not redirect to the SP; it stays on the CAS page indicating that the authentication was successful.

Thanks again


2017-07-05 20:25 GMT+02:00 Song, Doe-Hyun <DS...@armada.net>:

Look at the Service Registry. I used JSON to set up the service for SAML. See the following links.

https://apereo.github.io/cas/5.0.x/installation/Configuring-SAML2-Authentication.html#saml-services

https://apereo.github.io/cas/5.0.x/installation/JSON-Service-Management.html

https://apereo.github.io/cas/5.0.x/installation/Service-Management.html

https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#service-registry

https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#resource-based-service-registry

Marco Aurelio Osorio De León

Jul 6, 2017, 6:21:55 AM
to cas-...@apereo.org
I think the problem may be in the JSON service, where the metadata path is not correct, but how can I resolve the location of the metadata so that the service manager picks it up properly?

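The two failure points discussed above (a registered service whose @class is not SamlRegisteredService, and a SAML service definition whose serviceId and metadataLocation do not line up with the SP metadata) can be caught before deploying the JSON. The following check is an added example, not code from the thread or from the CAS project; the SP metadata is constructed, the serviceId value is assumed from the SP URL in the log line, and it relies on CAS matching serviceId as a regex against the SP entityID (as documented for SamlRegisteredService) and on a single EntityDescriptor root.

```python
import re
import xml.etree.ElementTree as ET

SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata standing in for /etc/cas/saml/sp/jira-test-metadata.xml;
# entityID and ACS location reuse the SP URL from the thread's log line.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://jira.myDomain.com/plugins/servlet/samlsso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jira.myDomain.com/plugins/servlet/samlsso" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The relevant fields of the definition posted in the thread (it shows no serviceId).
POSTED_SERVICE = {"@class": SAML_SERVICE_CLASS, "name": "JIRA-SAMLTest",
                  "metadataLocation": "/etc/cas/saml/sp/jira-test-metadata.xml",
                  "metadataCriteriaRoles": "SPSSODescriptor", "encryptAssertions": True}
# Same definition with serviceId set to the SP entityID (assumed value, regex in CAS).
FIXED_SERVICE = dict(POSTED_SERVICE, serviceId="https://jira.myDomain.com/plugins/servlet/samlsso")


def check_saml_service(service: dict, metadata_xml: str) -> list:
    """Return the problems found; an empty list means the definition fits the SP metadata."""
    problems = []
    if service.get("@class") != SAML_SERVICE_CLASS:
        problems.append("@class is not SamlRegisteredService: CAS finds the service but not as a SAML one")
    service_id = service.get("serviceId")
    if not service_id:
        problems.append("serviceId missing: CAS has no pattern to match the SP entityID against")
    root = ET.fromstring(metadata_xml)  # assumes an EntityDescriptor root
    entity_id = root.get("entityID", "")
    if service_id and not re.fullmatch(service_id, entity_id):
        problems.append(f"serviceId {service_id!r} does not match SP entityID {entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems.append("no SPSSODescriptor: metadataCriteriaRoles=SPSSODescriptor drops this entity")
        return problems
    if not sp.findall("md:AssertionConsumerService", NS):
        problems.append("no AssertionConsumerService: CAS has nowhere to send the response back to")
    if service.get("encryptAssertions"):  # encryption needs the SP's public key in metadata
        keys = [k for k in sp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "encryption")]
        if not keys:
            problems.append("encryptAssertions=true but the SP metadata has no encryption KeyDescriptor")
    return problems
```

Run it against the real metadata file by reading the path in metadataLocation and passing its text as metadata_xml.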
Jessica Hernandez

Jul 29, 2019, 4:50:54 PM
to CAS Community, osorio...@gmail.com
Hi Marco!

Can you tell me how you resolved the issue? I mean, can I see your service JSON file?
I have the same issue with 2 services I want to register.

Thanks!! Your help is needed!!
Jessica
